Configure SIL 2 Operation – Rockwell Automation 1715-OF8I Redundant I/O System User Manual

Rockwell Automation Publication 1715-UM001C-EN-P - March 2014

1715 Redundant I/O System in SIL 2 Safety Applications

Chapter 6

Shutdown Mode

When the module is in the Shutdown mode, the Ready and Run indicators turn red. The default state is OFF (de-energized).

Considerations for Sensor and Actuator Configurations

The function of a signal must be considered. In many cases, redundant sensor and actuator configurations can be used, or differing sensor and actuator types provide alternate detection and control possibilities. Plant facilities frequently have related signals such as start and stop signals. In these cases, it is important to make sure that failures beyond the system's fault-tolerant capability do not result in either inability to respond safely or in inadvertent operation. In some cases, this requires that channels be on the same module, to make sure that a module failure results in the associated signals failing safe.

It is often necessary to separate signals across modules. Where non-redundant configurations are employed, it is especially important to make sure that the fail-safe action is generated in case of failures within the system.

Field loop power and its effect on inputs (sensors and modules) and outputs (modules and actuators) must be considered. For normally-energized configurations, field loop power loss leads to fail-safe reaction.

Where field signals are powered by separate supplies, power separation must be maintained between modules so that isolation is maintained.

Configure SIL 2 Operation

To configure 1715 modules for SIL 2 applications, you need to enable each 1715 module in your system for SIL 2 operation, and set its connection reaction time limit (CRTL) and module requested packet interval (RPI). In addition, for input modules, you must configure safe state input values.

IMPORTANT

In safety-critical applications that use a single sensor or single actuator, it is important that the sensor failure modes be predictable and well understood so that there is little probability of a failed sensor not responding to a critical process condition. Test the sensor regularly, either by dynamic process conditions that are verified in the 1715 system, or by manual intervention testing. It is recommended that a written test plan is used for all testing.

IMPORTANT

Refer to Electronic Keying on page 265.
