Digital output modules – Rockwell Automation 1715-OF8I Redundant I/O System User Manual User Manual

210

Rockwell Automation Publication 1715-UM001C-EN-P - March 2014

Chapter 6

1715 Redundant I/O System in SIL 2 Safety Applications

Safety Accuracy

The I/O input modules determine the channel state and the line fault state by

comparing the reported input values with user-programmed threshold values. For

each channel of a module, two independent measurements are made. The

discrepancy between these measurements is monitored to determine if it is

within the safety accuracy limit.

The channel is in fault and the last valid value is held until after the CRTL period

if the values are outside these limits:

• Digital input module = 4%
• Analog input module = 1%

After the CRTL period, the value changes to 0.

When using dual modules that are both reporting valid channel data, the lowest

value is used. If one module of a pair reports a fault on a channel, the operational

module’s value is used.

Digital Output Modules

The digital output module is rated at SIL 2 as a fail-safe module. Each module

provides the following safety functions:

• Output channel signals are based on commands from the controller.
• Redundant voltage and current measurements are sent to the controller for

monitoring and diagnostics.

• Modules feature over-current and over-voltage channel protection.
• Diagnostic tests are executed on command from the adapter and results are

reported back to the adapter.

• On powerup or module insertion, all output channels are set to the de-

energized (fail-safe) state until command states are received from the

controller. Each channel is driven individually according to the command

state values.

• The module enters a Shutdown mode when the time between controller

communication exceeds the CRTL.

• If a module fails, then all of its channels are set to the de-energized state.

The digital output termination assembly is safety critical and comes in two sizes -

simplex or duplex. Termination assemblies have fuses for field output power and

eight field termination connections for the output signals.

Output modules support high availability when configured for duplex operation

and using the appropriate termination assembly.

ATTENTION: In safety critical applications, the discrepancy alarms must be
monitored by the application program and used to provide an alarm to
operations personnel.