Requirements for Using 1715 I/O Modules, Energize-to-action Requirements – Rockwell Automation 1715-OF8I Redundant I/O System User Manual

Rockwell Automation Publication 1715-UM001C-EN-P - March 2014
1715 Redundant I/O System in SIL 2 Safety Applications
Chapter 6
For energize-to-action, dual power supplies are required for both the system and
field supplies. The system provides the power supply monitoring, but this needs
to be connected in the application.
Requirements for Using 1715 I/O Modules
You must follow these requirements when using 1715 I/O modules in a SIL 2
application.
The maximum duration for single-channel operation of I/O modules depends on
the specific process and must be specified individually for each application. For
high availability, Rockwell Automation suggests you use two (2)
1715-AENTR adapter modules. If one of the modules faults, adapter modules
can operate in a simplex arrangement up to the duration of the mean time to
repair (MTTR) when used in SIL 2 applications.
Energize-to-action Requirements
Certain applications can require energize-to-action for inputs or outputs or both.
IMPORTANT
• In safety applications, channel discrepancy alarms must be monitored by
the application program and used to provide an alarm to operations
personnel.
• Equipment must be installed and wired in accordance with the product
installation and wiring instructions in this manual.
• For energize-to-action systems, you must follow the additional
requirements on
.
IMPORTANT
Energize-to-action configurations can be used only if the following apply:
• At least two independent power sources must be used for both the system
and field supplies. The system provides the power supply monitoring, but
this needs to be connected in the application. These power sources must
provide emergency power for a safe process shutdown or a time span
required by the application.
• Each power source must feature power integrity monitoring with
safety-critical input read-back into the system controller or implicit power
monitoring provided by the I/O modules. Any power failure must trigger an
alarm.
• Unless provided implicitly in the I/O modules, all safety-critical inputs and
outputs must be fitted with external line and load integrity monitoring and
safety-critical read-back of the line-status signals. Any line or load failure
must trigger an alarm.
• The application program must be designed to shut down
energize-to-action SIL 2 safety instrumented functions if a faulty simplex
adapter or output module has not been replaced within the mean time to repair
(MTTR).
• For SIL 2 high demand, energize-to-action applications, you must use two
output modules.
In cases where one or more outputs are used in an energize-to-action
configuration, all the specific requirements above must be implemented for all
associated inputs.
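
The supervision logic these requirements ask of the application program can be desk-checked with a small model before it is written for the controller. The following Python model is an added example, not code from the Rockwell Automation manual: the class, alarm names, the 8-hour MTTR and the trace are constructed, and the latched shutdown with operator reset is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple

MTTR_S = 8 * 3600  # constructed value; the real MTTR comes from the application

@dataclass
class EnergizeToActionSupervisor:  # hypothetical name, one instance per SIF
    mttr_s: float
    degraded_since: Optional[float] = None  # when redundancy was first seen lost
    shutdown: bool = False                  # latched until reset() (assumption)

    def scan(self, now_s: float, adapters_ok: Sequence[bool],
             outputs_ok: Sequence[bool], power_ok: Sequence[bool],
             line_load_ok: bool, discrepancy: bool) -> Tuple[Set[str], bool]:
        alarms: Set[str] = set()  # alarm names are hypothetical
        if discrepancy:
            alarms.add("CHANNEL_DISCREPANCY")
        if not all(power_ok):
            alarms.add("POWER_FAILURE")
        if not line_load_ok:
            alarms.add("LINE_LOAD_FAILURE")
        # Fewer than two healthy adapters or output modules means simplex operation.
        if sum(adapters_ok) < 2 or sum(outputs_ok) < 2:
            alarms.add("SIMPLEX_OPERATION")
            if self.degraded_since is None:
                self.degraded_since = now_s  # start the repair clock once
            if now_s - self.degraded_since >= self.mttr_s:
                self.shutdown = True         # not replaced within MTTR
        else:
            self.degraded_since = None       # module replaced, clock cleared
        return alarms, self.shutdown

    def reset(self) -> bool:
        # Operator reset is honoured only once redundancy is restored.
        if self.degraded_since is None:
            self.shutdown = False
        return self.shutdown

def run_constructed_trace():
    sup, ok, b_down = EnergizeToActionSupervisor(MTTR_S), (True, True), (True, False)
    trace = [  # (time s, adapters, outputs, power sources, line/load ok, discrepancy)
        (0, ok, ok, ok, True, False),
        (100, b_down, ok, ok, True, False),               # one adapter faults
        (100 + MTTR_S - 1, b_down, ok, ok, True, False),  # still inside MTTR
        (100 + MTTR_S, b_down, ok, ok, True, False),      # MTTR expired
        (160 + MTTR_S, ok, ok, b_down, True, False),      # repaired; a supply fails
    ]
    return [(t, sorted(a), s) for t, *inputs in trace
            for a, s in [sup.scan(t, *inputs)]]
```

In the trace, the simplex alarm is raised on the first degraded scan, the shutdown flag sets only once the fault has persisted for the full MTTR, and a later power-source failure raises its own alarm without affecting the repair clock.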