You are on page 1of 150

Safety Reference Manual

Using ControlLogix in SIL 2 Applications
Catalog Numbers 1756-L6x, 1756-L7x

Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required
to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the
use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Allen-Bradley, ControlLogix, ControlLogix-XT, ControlNet, Data Highway Plus, DeviceNet, EtherNet/IP, FactoryTalk, FLEX, FLEX I/O-XT, GuardLogix, Logix 5000, Rockwell Software, RSNetWorx and SynchLink are
trademarks of Rockwell Automation, Inc.

ControlNet, DeviceNet and EtherNet are trademarks of the ODVA.

Trademarks not belonging to Rockwell Automation are property of their respective companies.

Summary of Changes

This manual contains new and updated information. Changes throughout this
revision are marked by change bars as shown to the right of this paragraph.

New and Updated This table lists the major changes made with this revision.
Information Change Page
Updated table listing communication modules in the Introduction to Communication Modules section 43
Updated Table - 1-Year PFD Calculations 119
Updated Table - 2-Year PFD Calculations 124
Updated Table - 5-year PFD Calculations 129

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 3

July 2014 .Summary of Changes Notes: 4 Rockwell Automation Publication 1756-RM001L-EN-P .

. . . . . . . 14 Boiler and Combustion Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Recommendations for Using Power Supplies . . . . . . . . . 31 Chapter 2 Features of the ControlLogix Module Fault Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Proof Testing with Redundancy Systems . . . . . . . . . . . . . . . . . 24 Duplex System Configuration . . . . . . . . . . . . . . . . . . . . . . . 13 Programming and Debugging Tool (PADT). . . . . . . . . 36 Communication Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Pulse Test . . . . . . . . 14 Gas and Fire Considerations. . . . . . . . . . . . . . . . . . . . . . 35 Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 ControlLogix Power Supplies . . . Table of Contents Preface Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Rockwell Automation Publication 1756-RM001L-EN-P . .July 2014 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 EtherNet/IP Network . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Proof Tests . . . . . . . . . . ControlLogix Controllers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Typical SIL 2 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Electronic Keying of Modules in SIL 2 Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 and Power Supplies Operating Modes. . . . . . . . . . . . . . . . . . . . . . . . 9 Additional Resources . . . . 40 ControlLogix Chassis . . 33 SIL 2 System Data Echo Communication Check . . . . . . . 30 Reaction Times in Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chassis. . . . 17 Simplex Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Chapter 1 SIL Policy Introduction to Safety Integrity Level (SIL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 About the ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Redundant Power Supplies . . . . . . . . . . . . . . . . . . . . . 35 Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Safety Watchdog . . . . . . . . . 37 Chapter 3 ControlLogix Controllers. . . . . . . . . . . . . . . . . . 36 ControlNet Network . . . . . . . . . . . . . . . . . . . 29 Reaction Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Duplex Logic Solver Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Requirements for Use. . . . . . . . . 31 Safety Certifications and Compliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . 52 Requirements When Using ControlLogix Digital Output Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents Chapter 4 ControlLogix Communication Introduction to Communication Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Using 1756 Digital Input Modules. . . . . 67 Wiring ControlLogix Analog Output Modules . . 54 Using 1756 Analog Input Modules . . . . . . . . . . . . . . . . . 44 EtherNet/IP Communication Modules . . . . 46 Peer-to-Peer Communication Requirements. . . . . 58 Conduct Proof Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 ControlNet Module Diagnostic Coverage . . . . 60 Using 1756 HART Analog Input Modules . . . . . . 69 Using 1756 HART Analog Output Modules . . . . . . . . . . . 58 Calibrate Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Requirements When Using Any ControlLogix Digital Input Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Wiring ControlLogix Analog Input Modules . . . 45 Data Highway Plus . . . . . 58 Use the Floating Point Data Format. . . . . . . . . . . . . . . . . . . . . . 71 Wiring the HART Analog Output Modules . . . . . . . . . . 66 Considerations for Using Analog Output Modules . . . . . . . . . . . . 65 Wiring the HART Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Modules ControlNet Modules and Components . . . . . . . . . . . . . . . . . .Remote I/O Module (1756-DHRIO) . 51 Using 1756 Digital Output Modules . . . . . . . . . . . . . . . . . 59 Configure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .July 2014 . . . . . . . . . . . . . . . . . . . . . . . . 45 DeviceNet Scanner Module . . . . . . . . . . . . . . . . . . . 45 General Requirements for Communication Networks . . . . . . . . . . 65 Using 1756 Analog Output Modules. . . . . . . . . . . . . . . . . . . . . 44 ControlNet Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Chapter 5 ControlLogix I/O Modules Overview of ControlLogix I/O Modules . . . . . . . . . . 59 Program to Compare Analog Input Data . . . . . . 44 ControlNet Repeater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 SynchLink Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Wiring ControlLogix Digital Output Modules. . . . . 58 Program to Respond to Faults Appropriately. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Specify the Same Controller as the Owner . . . . . . . . . . 71 6 Rockwell Automation Publication 1756-RM001L-EN-P . . . . . . . . . . . . . . . . . . . 51 Wiring ControlLogix Digital Input Modules. . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . 92 Sensors (digital or analog) . . 99 Module Fault Reporting for Any ControlLogix or FLEX I/O Module . . . . . . . . . 93 Logic and Instructions . . . 95 Commissioning Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Chapter 7 Requirements for Application Software for SIL 2-Related Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Using 1794 Analog Input Modules . . . . . . . . . . . . . . . . . . . . . 91 Functional Specification Guidelines . . . . . . . 73 Using 1794 Digital Input Modules . . . . . 94 Checking the Application Program . . . . . . . . . . . . . 93 Creating the Application Program . . . . 75 Wiring FLEX I/O Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Verify Download and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 SIL Task/Program Instructions. . . . . . . . . . . . . . 73 Requirements When Using FLEX I/O Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Examining an 1756 Analog Input Module’s High Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Requirements When Using FLEX I/O Digital Output Modules . . . . . Table of Contents Chapter 6 FLEX I/O Modules Overview of FLEX I/O Modules . . . 84 Requirements When Using FLEX I/O Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Rockwell Automation Publication 1756-RM001L-EN-P . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Program Language. . . . . . . . . . . . . . . . 89 Programming Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Additional Resources . 93 Program Identification. . . . . . . . . . . 73 Wiring FLEX I/O Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Wiring FLEX I/O Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Basics of Application Program Development and Testing. 94 Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Requirements When Using FLEX I/O Analog Input Modules . . . . . . 100 Checking Keyswitch Position with GSV Instruction . . . . 90 Programming Options. . . . . . . . . . . . . . . . . . . . . . . 80 Using 1794 Analog Output Modules . . . . . . . . . 93 Actuators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Chapter 8 Faults in the ControlLogix System Detecting and Reacting to Faults . . . . . . . . . . . . . 89 Development SIL 2 Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Changing Your Application Program . . . 74 Using 1794 Digital Output Module . . . . . . . . . . . . . . . . . . . . . . . 90 Security . . . . . . . .July 2014 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Wiring FLEX I/O Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Index . . . . . . . . . . . . . . . . . . 139 Checklist for SIL Inputs . . . . . . . . . . . . . . 111 System Components Appendix C PFD and PFH Calculations About PFD and PFH Calculations. . . . . . . . . . .July 2014 . . . . . . . . . . . . . . . . . . . . 119 2-Year PFD Calculations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 5-year PFD Calculations . . . . . . . . . . . . . . . . . . . . . 103 Reading Parameters in Safety-related Systems . . . . . . . . . . . . . . 117 for a SIL 2 System Determine Which Values To Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Example: 1-year PFD Calculation for a ControlLogix System (1oo2 Configuration) . . . . . . . . . . . . . . 104 Appendix A Reaction Times of the Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Checklist for SIL Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Appendix B SIL 2-certified ControlLogix . . . . . . . . . . 134 Appendix D Using ControlLogix and FLEX I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 For Analog Modules . . . 142 Checklist for the Creation of an Application Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 For Digital Modules . . 135 Modules in SIL 1 Applications Appendix E Checklists Checklist for the ControlLogix System . . 118 About the Calculations in This Manual . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents Chapter 9 Use of Human-to-Machine Interfaces Precautions . . . . . . . . . . . . . 145 8 Rockwell Automation Publication 1756-RM001L-EN-P . . . 134 Example: 1-year PFD Calculation for a ControlLogix System (1oo1 Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Using Component Values To Calculate System PFD . . . . . . . 108 Calculating Worst-case Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Changing Safety-related Parameters in SIL-rated Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 ControlLogix System Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 1-Year PFD Calculations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Accessing Safety-related Systems . . . . . . . . . . . . . .

Keep in mind that the descriptions presented in this manual do not preclude other methods of implementing a SIL 2-compliant system by using ControlLogix equipment. DC Diagnostic Coverage The ratio of the detected failure rate to the total failure rate. such as TÜV Rheinland Group. up to and including SIL 2 applications • Provide safety-related information specific to the use of ControlLogix modules in SIL 2 systems . MTBF Mean Time Between Average time between failure occurrences. GSV Get System Value A ladder logic instruction that retrieves specified controller information and places it in a destination tag. ControlNet. CL Claim Limit The maximum level that can be achieved. Preface This safety reference manual is intended to do the following: • Describe the ControlLogix® Control System components available from Rockwell Automation that are suitable for use in low demand and high demand (no more than 10 demands per year) safety-related control. EN European Norm. The official European Standard.Abbreviations Used throughout This Reference Manual Abbreviation Full Term Definition CIP Common Industrial A industrial communication protocol used by Logix5000™-based automation Protocol systems on EtherNet. A normal control action/function is not a safety demand. — Demand A safe-state safety action initiated by the safety function. A safety demand occurs when safety conditions are met. Terminology This table defines abbreviations used in this manual.including PFD calculations that need to be considered for SIL 2-certified systems • Explain some possible SIL 2-certified system configurations • Describe basic programming techniques for the implementation of ControlLogix SIL 2-certified systems with references and links to more- detailed programming and implementation techniques IMPORTANT This manual describes typical SIL 2 implementations using ControlLogix equipment. Typically this only occurs when standard control fails to perform its control function — Demand Rate The expected rate (per year) that a safe-state safety action will be executed by the safety function. and DeviceNet communication networks. Failures Rockwell Automation Publication 1756-RM001L-EN-P . Table 1 .July 2014 9 . Other methods should be reviewed and approved by a recognized certifying body.

TCE Channel Equivalent The sum of downtime contributions from both the dangerous detected Mean Downtime failure rate and the dangerous undetected failure rate.July 2014 .Preface Table 1 .Abbreviations Used throughout This Reference Manual Abbreviation Full Term Definition MTTR Mean Time to Average time needed to restore normal operation after a failure has occurred. PC Personal Computer Computer used to interface with. STR Spurious Trip Rate That part of the overall failure rate that does not lead to a dangerous undetected failure. SIL Safety Integrity Level A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical/electronic/ programmable electronic (E/ E/PE) part of the safety system. PFH Probability of Failure The probability of a system to have a dangerous failure occur per hour. per Hour SFF Safe Failure Fraction The ratio of safe failure plus dangerous detected failure to total failures. on a per channel basis TGE System Equivalent The sum of downtimes resulting from dangerous detected and dangerous Downtime undetected failure rates associated with both channels. and control. 10 Rockwell Automation Publication 1756-RM001L-EN-P . Restoration PADT Programming and RSLogix™ 5000 software is used to program and debug a SIL 2-certified Debugging Tool ControlLogix application. PFD Probability of Failure The average probability of a system to fail to perform its design function on on Demand demand. a ControlLogix system via the RSLogix 5000 software.

Rockwell Automation Publication 1756-RM001L-EN-P . Provides general guidelines for installing a Rockwell publication 1770-4. Logix5000 Controllers Common Procedures Programming Explains a variety of programming-related topics. http://www. You can view or download publications at http:// www. Logix5000 Controllers Execution Time and Memory Use Provides estimated execution times that can be used in Reference. Explains how to install. configure. Explains how to use the ControlLogix controllers. ControlLogix Enhanced Redundancy System User Manual. Logix5000 Controllers General Instruction Set Reference Contains descriptions and use considerations of general Manual. and use a standard publication 1756-UM523 redundancy system.ab. and use an enhanced publication 1756-UM535 redundancy system. Provides information about the use of ControlLogix digital UM058 I/O modules. ControlLogix Analog I/O Modules User Manual. publication 1756-AT010 subroutines provided by Rockwell Automation. publication 1756-RM003 instructions available for Logix5000 controllers. publication 1756-RM087 worst-case scenario calculations. publication 1756. Explains how to install. publication 1756. contact your local Allen-Bradley® distributor or Rockwell Automation sales representative. and other certification details.com/literature/.com Provides declarations of conformity.July 2014 11 . publication 1756-AT012 Add-On Instructions provided by Rockwell Automation. Manual. configure. ControlLogix System User Manual. ControlLogix SIL 2 System Configuration Using RSLogix Explains how to configure a SIL 2-certified system by using 5000 Subroutines. ControlLogix Digital I/O User Manual. Product Certifications website. publication Provides information about the use of ControlLogix analog 1756-UM009 I/O modules.rockwellautomation. To order paper copies of technical documentation. UM001 ControlLogix Standard Redundancy System User Manual. certificates. In addition to the manuals listed. Preface Additional Resources These resources contain more information related to the ControlLogix system. publication 1756-PM001 Industrial Automation Wiring and Grounding Guidelines.1 Automation industrial system. Resource Description ControlLogix SIL 2 System Configuration Using RSLogix Explains how to configure a SIL 2-certified system by using 5000 Subroutines. you may want to reference installation instructions listed in Appendix B.

Preface Notes: 12 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 .

The TÜV Rheinland Group has approved the ControlLogix system for use in up to. A ControlLogix system can be configured to execute standard control as well as safety functions. Life expectancy for the ControlLogix system components is 20 years. Rockwell Automation Publication 1756-RM001L-EN-P . SIL 2 safety-related applications in which the de-energized state is typically considered to be the safe state. 2010 (this manual describes architectures required to achieve edition 2) • IEC 61511 Approval requirements are based on the standards current at the time of certification. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical emergency shutdown (ESD) systems. The demand rate is determined by how often the safety function is executed and not how often the control function is executed. The results make the ControlLogix system suitable up to and including SIL 2 for demand rates up to and including ten demands per year. edition 2. and including. diagnostic coverage and safe failure fractions that fulfill SIL 2 criteria. failure rates. IMPORTANT Keep in mind that a demand is an event where the safety function is executed. Chapter 1 SIL Policy Topic Page Introduction to Safety Integrity Level (SIL) 13 Typical SIL 2 Configurations 17 Typical SIL 2 Configurations 17 Proof Tests 28 Reaction Times 30 Reaction Times in Redundancy Systems 30 Safety Watchdog 31 Safety Certifications and Compliances 31 Introduction to Safety Certain catalog numbers of the ControlLogix system (listed in Appendix B) are type-approved and certified for use in SIL 2 applications according to these Integrity Level (SIL) standards: • IEC 61508. probability of failure.July 2014 13 . These requirements consist of mean time between failures (MTBF).

and so on) must also be met.Chapter 1 SIL Policy Programming and Debugging Tool (PADT) For support in creation of programs. refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions. By understanding the behavior of the ControlLogix system for an emergency shutdown application. For more information about programming a system by using optional pre- developed Add-On Instructions. • The use of a manual override is necessary to make sure the operator can maintain the desired control in the event of a controller failure.July 2014 . The system knows it has a failure. publication 1756-AT012. a shorted output driver) that would prevent this from normally occurring. About the ControlLogix System The ControlLogix system is a modular programmable automation system with the ability to pre-configure outputs and other responses to fault conditions. As such. but the failure state requires an independent means to maintain control and either remove power or provide an alternate path to maintain power to the end actuator. Other requirements for SIL 2 (inputs from sensors. and including. Gas and Fire Considerations Listed below are the measures and modifications related to the use of the ControlLogix system in Gas and Fire applications. 14 Rockwell Automation Publication 1756-RM001L-EN-P . software used. where the demand rate is no more than 10 times per year. and this Safety Reference Manual. per IEC 61131-3. the ControlLogix system is suitable for applications up to and including SIL 2. IMPORTANT When used in accordance with the information in this manual and the relevant safety standards. which must remain ON to be in a safe state. The PADT for ControlLogix is RSLogix™ 5000 software. you can incorporate appropriate system design measures to meet other application requirements. SIL 2-level Gas and Fire and other applications that require that output signals to actuators remain ON. These measures relate to the control of outputs and actuators. a system can be designed to meet requirements for ‘hold last state’ in the event of a fault so that the system can be used in up to. the PADT (Programming and Debugging Tool) is required. This is similar in concept to the function of the external relay or redundant outputs required to make sure a de-energized state is achieved for an ESD system should a failure occur (for example.

then an external means such as a relay or other output must be wired in series to remove power when the fail shorted condition occurs. • Any time a fault is detected. • An application program needs to be generated to monitor the diagnostic output modules for dangerous failures such as shorted or open-output driver channels. Diagnostic output modules must be configured to hold last state in the event of a fault. The user must supply the alternative means and develop the application program to initiate the alternate means of removing or continuing to supply power in the event the main output fails. SIL Policy Chapter 1 • If the application cannot tolerate an output that can fail shorted (energized). the system must annunciate the fault to an operator by some means (for example. It is composed of a hard-wired set of contacts from a selector switch or push-button. • If the application cannot tolerate an output that fails open (de-energized). • This manual override circuit is shown in Figure 1.Manual Override Circuit L1 Manual Override Actuator L2 or Ground 43379 Fault Alarm to Operator Rockwell Automation Publication 1756-RM001L-EN-P . • A diagnostic alarm must be generated to inform the operator that manual control is required. then an external means such as a manual override or output must be wired in parallel. See Wiring ControlLogix Digital Output Modules on page 54 for more information.July 2014 15 . an alarm light). See Figure 1. • The faulted module must be replaced within the Mean Time to Restoration (MTTR). The other is a normally-closed contact to remove or isolate the controller output. Figure 1 . One normally-open contact provides for the bypass of power from the controller output directly to the actuator.

Refer to the GuardLogix Safety Reference Manual. you must provide a documented life-cycle system safety analysis that addresses all the requirements of NFPA 85 related to Burner Management System Logic. you must also follow the requirements defined in this manual. you are responsible for meeting appropriate safety standards including National Fire Protection Association (NFPA) standard NFPA 85 and 86. you must use a GuardLogix® controller. 16 Rockwell Automation Publication 1756-RM001L-EN-P . publication 1756-RM093. then you must also meet the requirements identified in the current version of EN 50156. IMPORTANT When using a GuardLogix controller with SIL 2-rated 1756 or 1794 I/O. If your system must meet standard EN 50156.Chapter 1 SIL Policy Boiler and Combustion Considerations If your SIL 2-certified ControlLogix system is used in combustion-related applications. In addition. To use FLEX™ I/O or 1756-series I/O modules in SIL 2 EN50156 applications. the safety demand rate must be no more than 10 demands per year.July 2014 . To comply with the requirements of IEC 61508. You should also consider system reaction capability as explained in Appendix A.

the hardware used in the safety loop is programmed to fail to safe. This table lists each system configuration and the hardware that is part of the system’s safety loop. Rockwell Automation Publication 1756-RM001L-EN-P . Simplex Configuration In a simplex configuration. SIL rating. and validation of any sensors or actuators connected to the ControlLogix control system • Project management and functional testing • Programming the application software and the module configuration according to the descriptions in this manual The SIL 2 portion of the certified system excludes the development tools and display/human machine interface (HMI) devices. For the purposes of documentation. The figures show the following: • Overall safety loop • ControlLogix portion of the overall safety loop SIL 2 I/O modules in the safety loop must meet the requirements specified in Chapter 5. System Configuration Safety Loop Includes Simplex Configuration on page 17 • Single controller • Single communication module • Dual I/O modules Duplex Logic Solver Configurations on page 24 • Dual controllers • Dual communication modules • Dual I/O modules Duplex System Configuration on page 25 • Dual controllers • Dual communication modules • Dual I/O modules • I/O termination boards IMPORTANT The system user is responsible for the following tasks when any of the ControlLogix SIL 2 system configurations are used: • The setup. SIL Policy Chapter 1 Typical SIL 2 Configurations SIL 2-certified ControlLogix systems can be used in standard (simplex) or high- availability (duplex) configurations. the various levels of availability that can be achieved by using various ControlLogix system configurations are referred to as simplex or duplex. ControlLogix I/O Modules and Chapter 6. Figures 2 …9 each show typical simplex SIL loops. FLEX I/O Modules. The failure to safe is typically an emergency shutdown (ESD) where outputs are de-energized.July 2014 17 . these tools and devices must not be part of the safety loop.

Single-chassis Configuration Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Controller Chassis 1756-EN2TR 1756-EN2T Sensor Actuator Output B Output A Input B Input A Standard Communication Figure 3 .Fail-safe ControlLogix EtherNet/IP DLR Configuration Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Remote I/O Chassis Controller Chassis 1756-EN2TR Sensor Actuator Output2B Output2A Input 1A Input1B 1756-EN2TR 1756-EN2T Standard Communication Remote I/O Chassis 1756-EN2TR Output 4A Input 3A EtherNet/IP Remote I/O Chassis 1756-EN2TR Output 4B Input 3B EtherNet/IP EtherNet/IP 18 Rockwell Automation Publication 1756-RM001L-EN-P .Chapter 1 SIL Policy Figure 2 .July 2014 .

Figure 5 .Fail-safe ControlLogix ControlNet Configuration with Non-SIL 2 Communication (Safety and Standard Connections on Separate Networks) Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Controller Chassis Remote I/O Chassis 1756-EN2T 1756-CN2 1756-CN2 Output 2B Output 2A Input 1B Input 1A Standard ControlNet Communication Remote I/O Chassis 1756-CN2 Output 4A Input 3A Dual networks are not required because a separate network is being used for ControlNet standard devices. non-SIL 2 communication on separate subnets lets you place redundant channel I/O in the same rack. Remote I/O Chassis 1756-CN2 Output4B Input 3B ControlNet Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 19 . that is. In Figure 5. SIL Policy Chapter 1 Figure 4 .Fail-safe ControlLogix ControlNet Configuration (Safety and Standard Connections on the Same Network) Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Controller Chassis Remote I/O Chassis 1756-CN2R 1756-CN2R 1756-CN2 Output Ch A Input Ch A ControlNet Standard Communication Remote I/O Chassis Dual networks are required because one of the ControlNet networks includes standard devices. those Output Ch B 1756-CN2 Input Ch B that are not SIL 2-rated.

Chapter 1 SIL Policy Figure 6 .Fail-safe ControlLogix EtherNet/IP Configuration: Single DLR Loop for Safety and Standard Communication Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Controller Chassis 1756-EN2TR 1756-EN2TR Standard Communication DLR Remote I/O Chassis EtherNet/IP 1756-EN2TR Output A Input A Remote I/O Chassis 1756-EN2TR Output B Input B EtherNet/IP Standard Communication DLR 20 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 .

• Direct Internet connectivity must be limited to EtherNet/IP bridge modules listed in Appendix B of this manual. • Channel A and Channel B I/O must reside in separate chassis or connected to separate adapters.Fail-safe ControlLogix EtherNet/IP Configuration with FLEX I/O Modules: Single DLR Loop for Safety and Standard Communication Overall Safety Loop SIL 2-certified ControlLogix Safety Loop Controller Chassis 1756-EN2TR 1756-EN2TR Standard Communication DLR EtherNet/IP 1794-AENTR DI1 DO1 1794-AENTR DI1 DO1 EtherNet/IP Standard Communication DLR IMPORTANT As shown in Figure 6 and Figure 7. – Independent connection paths must be established for channels A and B I/O through each ControlLogix chassis bridge module. Direct Internet connections via other standard devices are not allowed.July 2014 21 . SIL Policy Chapter 1 Figure 7 . standard devices can reside within an EtherNet/IP™ SIL 2 subnet provided the following requirements are met: • The EtherNet/IP subnet topology must be DLR. Rockwell Automation Publication 1756-RM001L-EN-P . • The ControlLogix chassis must have two 1756-EN2TR modules.

Note 2: Two adapters are required for meeting SIL 2 as shown in the figure. Other configurations are possible as long as they are SIL 2 approved. writing to safety-related controllers in the safety loop) Plant-wide Ethernet/Serial Overall Safety Loop SIL 2-certified ControlLogix components’ portion of the overall safety loop.Fail-safe ControlLogix Configuration with FLEX I/O Modules on ControlNet Network HMI Programming Software For Diagnostics and Visualization For SIL applications. 22 Rockwell Automation Publication 1756-RM001L-EN-P . Note 1: Multiple 1756-CNB or -CNBR modules can be installed into the chassis as needed. 1794 FLEX I/O – Rail A DI1 DO1 1756-CN2R 1756-ENBT Actuator Actuator To other safety-related ControlNet ControlLogix or FLEX I/O remote I/ O chassis Input Device 1794 FLEX I/O – Rail B DI2 DO2 Input Device ControlNet +V To other safety-related ControlLogix or FLEX I/O remote I/O chassis. The adapters can be either ControlNet or Ethernet and must be from the list of approved products.July 2014 . a programming (see special instructions in Chapter 9 for terminal is not normally connected.Chapter 1 SIL Policy Figure 8 .

Fail-safe ControlLogix Configuration with FLEX I/O Modules on EtherNet/IP Network HMI Programming Software For Diagnostics and Visualization For SIL applications. SIL Policy Chapter 1 Figure 9 . writing to safety-related controllers in the safety loop) Plant-wide Ethernet/Serial Overall Safety Loop SIL 2-certified ControlLogix components’ portion of the overall safety loop.July 2014 23 . 1794 FLEX I/O 1794- AENTR DI1 DO1 1756-EN2TR 1756-ENBT Actuator Actuator EtherNet/IP Input Device 1794- AENTR DI2 DO2 Input Device EtherNet/IP +V Rockwell Automation Publication 1756-RM001L-EN-P . a programming (see special instructions in Chapter 9 for terminal is not normally connected.

Chapter 1 SIL Policy Duplex Logic Solver Configurations In duplex configurations. a programming For Diagnostics and Visualization (see special instructions in Chapter 9 for terminal is not normally connected. To other safety- 1756-EN2T related 1756-CN2 1756-CN2 1756-RM ControlLogix and remote I/O chassis. 24 Rockwell Automation Publication 1756-RM001L-EN-P . Figure 10 . To nonsafety-related systems outside the ControlLogix ControlNet portion of the SIL 2-certified loop. IMPORTANT The redundant (duplex) ControlLogix system in Figure 10 provides logic solver fault tolerance.July 2014 . as well as the ControlLogix controllers. Revision 20. ControlLogix I/O Modules.Typical SIL Loop with Controller Chassis Redundancy Programming Software HMI For SIL applications. redundant system components are used to increase the availability of the control system. SIL 2 I/O modules in the safety loop must meet the requirements specified in Chapter 5. Primary Chassis Remote I/O Chassis Ch A Remote I/O Chassis Ch B 1756-EN2T 1756-CN2 1756-CN2 1756-CN2 1756-CN2 1756-RM I/O I/O ControlNet IMPORTANT: You can also access a remote I/O chassis via an Secondary Chassis EtherNet/IP network if you use ControlLogix Enhanced Redundancy System. writing to safety-related controllers in the safety loop) Plant-wide Ethernet/Serial Overall Safety Loop SIL 2-certified ControlLogix components’ portion of the overall safety loop. The modules in the redundant controller chassis include redundancy modules and network communication modules for redundant communication.54 or later.

HMI) connect to the loop. The figure also shows the following: • Overall safety loop • ControlLogix portion of the overall safety loop • How other devices (for example. and remote I/O devices to achieve enhanced availability. Figure 11 . communication modules.Duplex System EtherNet/IP Configuration Overall Safety Loop ControlLogix Chassis Secondary Chassis SIL 2-certified ControlLogix Safety Loop 1756-EN2TR 1756-EN2TR 1756-EN2TR 1756-EN2TR EtherNet/IP non-SIL 2 EtherNet/IP connections non-SIL 2 EtherNet/IP connections I/O Chassis A I/O Chassis B 1756-EN2TR 1756-EN2TR Output Ch A Input Ch A Input Ch A Output Ch B Output Ch B Input Ch B Analog Input Digital Input Digital Output Termination Board Termination Board Termination Board Field Device Field Device Field Device Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 25 . SIL Policy Chapter 1 Figure 10 shows a typical duplex SIL loop. while operating outside the loop Duplex System Configuration This configuration of the ControlLogix system uses fully-redundant controllers.

26 Rockwell Automation Publication 1756-RM001L-EN-P .Duplex System EtherNet/IP Fiber Configuration ControlLogix Chassis Secondary Chassis 1756-EN2TR 1756-EN2TR 1756-EN2TR 1756-EN2TR 1783-ETAP1F 1783-ETAP1F Fiber Fiber I/O Chassis B1 I/O Chassis A1 Output Ch B Output Ch A Input Ch B Input Ch A 1756-EN2TR 1756-EN2TR 1783-ETAP1F 1783-ETAP1F 1783-ETAP2F 1783-ETAP2F I/O Chassis A2 I/O Chassis B2 Output Ch A Input Ch A Output Ch B 1756-EN2TR 1756-EN2TR Input Ch B 1783-ETAP 1783-ETAP 1783-ETAP Note: All SIL 2 guidelines for 1756 or FLEX I/O modules remain the same. Because channel A and channel B are two independent networks.July 2014 . 1783-ETAP modules can be considered black channel equipment and do not need to be part of the SIL 2 system calculation.Chapter 1 SIL Policy Figure 12 .

SIL Policy Chapter 1 Figure 13 .Duplex System with Stratix Switches ControlLogix ControlLogix Chassis Chassis 1756-EN2TR 1756-EN2TR 1756-EN2TR 1756-EN2TR 1756-RM 1756-RM Fiber Copper Chassis 1A Chassis 1B 1756-EN2TR Output Ch B 1756-EN2TR Output Ch A Input Ch B Input Ch A Chassis 2A Chassis 2B 1756-EN2TR 1756-EN2TR Output Ch A Output ChB Input Ch A Input Ch B Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 27 .

Proof Tests IEC 61508 requires the user to perform various proof tests of the equipment used in the system. Proof tests are performed at user-defined times (for example.July 2014 . as well as programming and hardware described in the application technique manuals. publication 1756-AT012. refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions.Duplex System ControlNet Configuration Overall Safety Loop ControlLogix Chassis Secondary Chassis SIL 2-certified ControlLogix Safety Loop ControlNet I/O Chassis A I/O Chassis B Output Ch A Output Ch B Input Ch A Input Ch B Analog Input Digital Input Digital Output Termination Board Termination Board Termination Board Field Device Field Device Field Device The duplex system configuration uses safety and programming principles described in this manual. proof test intervals can be once a year. 28 Rockwell Automation Publication 1756-RM001L-EN-P . For more information about the ControlLogix SIL 2-certified system. once every two years or whatever time frame is appropriate based on the SIL verification calculation) and could include some of the following tests: • Test all safety application fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises.Chapter 1 SIL Policy Figure 14 .

SIL Policy Chapter 1

• Test all digital input or output channels to verify that they are not stuck in
the ON or OFF state.

– Manually cycle inputs to make sure that all inputs are operational and
not stuck in the ON state.
– Manually test outputs that do not support runtime pulse testing. The
relays in the redundant power supplies must be tested to make sure
they are not stuck in the closed state.
Users can automatically perform proof tests by switching ground open
on input modules and checking to make sure all input points go to zero
(turn OFF.).

• Calibrate analog input and output modules to verify that accurate data is
obtained from and used on the modules.

IMPORTANT Each specific application has its own time frame for the proof test interval.

Proof Testing with Redundancy Systems

A ControlLogix redundancy system uses an identical pair of ControlLogix
chassis to keep your process running if a problem occurs with one of those chassis.
When a failure occurs in the primary chassis, control switches to the
secondary controller.

The switchover can be monitored so that the system notifies the user when it has
occurred. In this case (that is, when a switchover takes place), we recommend that
you replace the failed controller within the mean time to restoration (MTTR)
for your application.

If you are using controller redundancy in a SIL 2 application, you must perform
the proof test on the primary controller and on the secondary controller.

TIP If you are concerned about the availability of the secondary controller if the
primary controller fails, it is good engineering practice to implement a
switchover periodically (for example, once per proof test interval).

For more information on switchovers in ControlLogix redundancy systems and
ControlLogix redundancy systems in general, see these redundancy system
manuals:
• ControlLogix Standard Redundancy System User Manual, publication
1756-UM523
• ControlLogix Enhanced Redundancy System User Manual, publication
1756-UM535

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 29

Chapter 1 SIL Policy

Reaction Times The response time of the system is defined as the amount of time it takes for a
change in an input condition to be recognized and processed by the controller’s
logic program, and then to initiate the appropriate output signal to an actuator.

The system response time is the sum of the following:
• Input hardware delays
• Input filtering
• I/O and communication module RPI settings
• Controller program scan times
• Output module propagation delays
• Redundancy system switchover times (applicable in duplex systems)

Each of the times listed is variably dependent on factors such as the type of I/O
module and instructions used in the logic program. For examples of how to
perform these calculations, see Appendix A, Reaction Times of the ControlLogix
System.

For more information on the available instructions and for a full description of
logic operation and execution, see the following publications:
• Logix5000™ Controllers General Instruction Set Reference Manual,
publication 1756-RM003
• ControlLogix System User Manual, publication 1756-UM001

Reaction Times in The worst-case reaction time of a duplex system is different than a simplex
system. The redundancy system has a longer reaction time because of the
Redundancy Systems following:

• There are a series of cross-loading operations that continuously occur
between the primary and secondary controllers. Cross-loading fresh data
at the end of each program scan increases scan time.
To minimize scan time by reducing cross-loading overhead, you can plan
your project more efficiently (for example, minimize the use of SINT,
INT, and single tags, and use arrays and user-defined data structures).
Generally, the primary controller in a duplex system has a 20% slower
response time than the controller in a simplex system.

30 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

SIL Policy Chapter 1

• The switchover between controllers slows system response. The
switchover time of a redundancy system depends on the network update
time (NUT) of the ControlNet™ network.
For more information about switchover times in redundancy systems, see
one of these ControlLogix redundancy system user manuals:
– ControlLogix Standard Redundancy System User Manual,
publication 1756-UM523
– ControlLogix Enhanced Redundancy System User Manual,
publication 1756-UM535

IMPORTANT To avoid nuisance trips, you must account for the additional cross checking
time of a duplex system when setting the watchdog time.

Safety Watchdog Configure the properties of the task used for safety correctly for your application.
• Priority: must be the highest-priority task in the application (lowest
number)
• Watchdog: the value entered for the SIL 2 safety task must be large enough
for all logic in the task to be scanned

If the task execution time exceeds the watchdog time, a major fault occurs on the
controller. Users must monitor the watchdog and program the system outputs to
transition to the safe state (typically the OFF state) in the event of a major fault
occurring on the controller. For more information on faults, see
Chapter 8, Faults in the ControlLogix System.

See the ControlLogix System User Manual, publication 1756-UM001, for more
information about setting the watchdog.

Safety Certifications and Diagnostic hardware and firmware functions, as well as how you apply
ControlLogix components, enable the system to achieve CL SIL 2 compliance.
Compliances
IMPORTANT You must implement these requirements or at minimum the intent of the
requirements defined in this manual to achieve CL SIL 2.

ControlLogix products referenced in this manual may have safety certifications
in addition to the SIL certification. If a product has achieved agency certification,
it is marked on the product label. To view additional safety certifications for
products, go to http://www.ab.com and click the Product Certifications link.

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 31

Chapter 1 SIL Policy Notes: 32 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 .

for any reason. The RPI defines a time interval in which the controller and I/O module must communicate with each other. wiring. When a controller ‘owns’ an I/O module. Output modules can turn OFF selected outputs in the event of a failure. Inherent in this configuration and ownership is the establishment of a ‘heartbeat’ between the controller and module. Diagnostic I/O modules self-test to make sure that field wiring is functioning. If an anomaly (other than automatic shutdown) is detected. the system can be programmed to run specialized routines. the I/O module has failed. Multiple controllers can share data. Output modules use pulse testing to make sure output switching devices are not shorted. the system can be programmed to initiate user-defined fault handling routines. in addition to consuming data from non-owned modules. communication cannot be established or maintained (that is. as well as monitoring input sensors and output devices. and so forth). For example.July 2014 33 . including configuration. which can determine whether the system should continue functioning or whether the fault condition warrants a shutdown of the application. If. the communication path is unavailable. defined by the user. as to whether to continue operating. and performance. this data dictates how the module behaves in the system. based on the type of fault. Rockwell Automation Publication 1756-RM001L-EN-P . Timestamping of I/O and diagnostic data also aid in diagnostics. that controller stores the module’s configuration data. Chapter 2 Features of the ControlLogix SIL 2 System Topic Page Module Fault Reporting 33 Data Echo Communication Check 34 Pulse Test 35 Software 35 Communication 36 Electronic Keying of Modules in SIL 2 Applications 37 The diagnostic methods and techniques used in the ControlLogix platform let you configure and program ControlLogix controllers to perform checks on the total system. the system can be programmed to retrieve the fault code of the failed module and make a determination. known as the requested packet interval (RPI). Module Fault Reporting Every module in the system is ‘owned’ by one controller.

it is your responsibility to establish the course of action appropriate for your safety application. the data echo validates the integrity of communication up to the system-side of the module. Data Echo Communication Output data echo allows the user to verify that an ON/OFF command from the controller was received by the correct output module. you can validate that the signal has reached the correct module and that the module will attempt to activate the appropriate field-side device. the output module receiving that command will ‘echo’ the output command back to the controller upon its receipt. When you use this feature with diagnostic output modules. Field-side output verification informs you that commands received by the module are accurately represented on the power side of the module’s switching devices. During normal operation. The echo data is technically input data from the output module and is located with the other output module data. 34 Rockwell Automation Publication 1756-RM001L-EN-P . an output module at local slot 3 will have Local:3:O and Local:3:I. and that the module will Check attempt to execute the command to the field device. In other words. By comparing the requested state from the controller to the data echo received from the module. It is your responsibility to establish the course of action appropriate to your safety application. For more information on Fault Handling. When used with standard ControlLogix output modules. Diagnostic output modules contain circuitry that performs field-side output verification. Faults in the ControlLogix System on page 99. see Chapter 8. where 3:O are outputs and 3:I are inputs. you can verify the integrity from the controller to the output terminal on the module. For example. for each output point. this feature confirms that the output is ON when it is commanded to be ON or OFF when commanded to be OFF. but not to the field-side.Chapter 2 Features of the ControlLogix SIL 2 System This ability of the controller to monitor the health of I/O modules in the system and take appropriate action based on the severity of a fault condition gives the user complete control of the application’s behavior. when a controller sends an output command. Again.July 2014 . This verifies that the module has received the command and will try to execute it.

The test pulse is extremely fast (milliseconds). but only by using one of the processes described in Changing Your Application Program on page 97. Software The location. • Authorized personnel may change an application program. You can disable pulse testing. if necessary. and typically does not affect actuators. testing and debugging of application logic. The output circuitry will momentarily change its state long enough to verify that it can change state on demand.July 2014 35 . – remove the controller key from the key switch. – set the key switch to the RUN position. An extremely short-duration pulse is directed to a particular output on the module. Features of the ControlLogix SIL 2 System Chapter 2 Figure 15 . ownership and configuration of I/O modules and controllers is performed using RSLogix 5000 software. Rockwell Automation Publication 1756-RM001L-EN-P .Output Module Behavior in the ControlLogix System Output Commands from Controller Standard ControlLogix I/O Information Data Echo validation from System-side Field-side Output Verification. When using the programming software. Pulse Test Additional Field-Side Status Plus No Load Detection Information Provided by Diagnostic Output Modules Actuator Pulse Test Discrete diagnostic output modules feature called a pulse test can verify output circuit functionality without actually changing the state of the actuator connected to the output. The software is used for all creation. you must remember these points: • During normal control program (controller in Run mode): – disconnect the programming terminal. Some actuators may have electronic front ends and be capable of detecting these fast pulses.

refer to ControlNet Network Configuration Guide. Refer to the ControlLogix System User Manual. for information on making communication connections. Communication Ports A built-in serial port is available on 1756-L6x controllers for download or visualization purposes only.Chapter 2 Features of the ControlLogix SIL 2 System Communication Several communication options are available for connecting with the ControlLogix SIL 2 system and for the exchange of data within the SIL 2 system.July 2014 . publication 1756-UM001. • form the basis for communication in duplex (redundant) configurations. use RSNetWorx™ for ControlNet software. 36 Rockwell Automation Publication 1756-RM001L-EN-P . ATTENTION: The USB port is intended for temporary local programming purposes only and not intended for permanent connection. WARNING: Do not use the USB port in hazardous locations. ControlNet Network The ControlNet network can be used to: • provide communication between the controller and remote I/O chassis. To schedule the ControlLogix ControlNet network. Do not use the serial port for any exchange of safety- related data. publication CNET-UM001. A built-in USB port is available for program upload and download on 1756-L7x controllers. For more information on ControlNet networks.

EtherNet/IP networks support messaging. If any attribute does not match precisely. Major Revision. that is. of the physical module and the module created in the software to match precisely before establishing communication. monitor. For more information about electronic keying. see the ControlLogix Digital I/O Modules User Manual. Vendor. Features of the ControlLogix SIL 2 System Chapter 2 EtherNet/IP Network An EtherNet/IP connection can be used to: • download. Rockwell Automation Publication 1756-RM001L-EN-P . and Minor Revision. Product Code (catalog number). I/O communication is not permitted with the module or with modules connected through it.July 2014 37 . See EtherNet/IP Communication Modules on page 45 for details on using EtherNet/IP modules in SIL 2 applications. and visualize the controller. in SIL 2 Applications Exact Match keying requires all keying attributes. produced/consumed tags. publication 1756-UM058. as in the case of a communication module. Exact Match keying is recommended. Product Type. • connect to remote I/O chassis. Electronic Keying of Modules If a module in your SIL 2-certified ControlLogix system is replaced. and distributed I/O.

July 2014 .Chapter 2 Features of the ControlLogix SIL 2 System Notes: 38 Rockwell Automation Publication 1756-RM001L-EN-P .

Operating Modes The controller performs power-up and run-time functional tests. Chapter 3 ControlLogix Controllers.July 2014 39 . and memory. Chassis. These are examples of specific functions: • I/O control • Logic • Timing • Counting • Report generation • Communication • Arithmetic • Data file manipulation The ControlLogix controller consists of a central processor. I/O interface. Rockwell Automation Publication 1756-RM001L-EN-P . solid-state control system. and Power Supplies Topic Page ControlLogix Controllers 39 ControlLogix Chassis 41 ControlLogix Power Supplies 41 Recommendations for Using Power Supplies 42 ControlLogix Controllers The SIL 2-certified ControlLogix system is a user-programmed. The tests are used with user-supplied application programs to verify proper controller operation.

ab. the controller keyswitch must be in the RUN position and the key removed. For more information on the ControlLogix controllers.This software-enabled mode can be Program or Run. • There are currently separate firmware revisions for standard and redundant operation. The following modes are available: • Run • Program • Remote . such as input and output modules. see Appendix B and the Revision Release List available at http://www. Chassis. Requirements for Use Consider these requirements when using a SIL 2-certified ControlLogix controller: • All components.com from the Product Certifications link. 40 Rockwell Automation Publication 1756-RM001L-EN-P . refer to the user manual listed in Additional Resources on page 11. see the publications listed in the Additional Resources on page 11. and Power Supplies A three-position keyswitch on the front of the controller governs ControlLogix system operational modes. For more information.July 2014 . Figure 16 .Chapter 3 ControlLogix Controllers.Keyswitch in Run Mode Logix557x RUN FORCE SD OK REM PR RUN OG 1756-L6x 1756-L7x When a SIL 2-certified ControlLogix application is operating in the Run mode. for each safety function must be owned by the specific controller performing the safety function. • When installing ControlLogix controller.

two power supplies are connected to the same chassis. Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 41 . All ControlLogix power supplies are designed to perform these tasks: • Detect anomalies. including the controller and I/O modules. Upon detection of a failure in one supply. IMPORTANT If you are using any of the 1756-Px75 power supplies. The chassis itself is passive and is not relevant to the safety discussion because any physical failure would be unlikely under normal environmental conditions and would be manifested and detected as a failure within one or more of the active components. When installing ControlLogix chassis. If an anomaly occurs in the supplied voltages. • Communicate to the controllers with enough stored power to allow for an orderly and deterministic shutdown of the system. The power supplies share the current load required by the chassis and an internal solid state relay that can annunciate a fault. Redundant Power Supplies ControlLogix redundant power supplies can be used in SIL 2-certified applications. In a redundant power supply configuration. that is. with a 1756-L6x/B or 1756-L7x/B controller. The 1756-PSCA and 1756-PSCA2 redundant power supply chassis adapter modules connect the redundant power supply to the chassis. the power supply immediately shuts down. Chassis. the other redundant power supply automatically assumes the full current load required by the chassis without disruption to installed devices. ControlLogix Controllers. 1756-Px75/B power supplies. and Power Supplies Chapter 3 ControlLogix Chassis The ControlLogix 1756-Axx chassis provide the physical connections between controllers and I/O modules. you must use the Series B version of the nonredundant power supplies. No extra configuration or wiring is required for SIL 2 operation of the ControlLogix power supplies. ControlLogix Power Supplies ControlLogix power supplies are certified for use in SIL 2 applications. follow the instructions provided in the product documentation.

42 Rockwell Automation Publication 1756-RM001L-EN-P . Chassis. and Power Supplies Recommendations for Using Power Supplies When using SIL 2-certified ControlLogix power supplies: • follow the information provided in the product’s installation instructions.July 2014 . • wire the solid-state fault relay on each power supply from an appropriate voltage source to an input point in the ControlLogix system so that the application program can detect faults and react appropriately based on the your application requirements.Chapter 3 ControlLogix Controllers. For more information about installing ControlLogix chassis and power supplies. see the publications listed in Additional Resources on page 11.

com.rockwellautomation. series C • 1756-EN3TR. (2) Some catalog numbers have a K suffix. series C • 1756-EN2TR. series C • 1756-EN2TXT. These communication modules are available. series D(1) • 1756-EN2TRXT. This indicates a version of the product that has conformal coating.July 2014 43 . For more information on which products have conformal coating go to: http://ab. series D(1) DeviceNet(1) 1756-DNB (1) Data Highway Plus™ – Remote I/O 1756-DHRIO (1) SynchLink™ 1756-SYNCH (1) Not for use in safety functions. series C • 1756-EN2T. series A(1) • 1756-EN2TR.com/ ControlLogix communication modules can be used in peer-to-peer communication between ControlLogix devices. These K versions have the same SIL 2 certification as the non-K versions.Remote I/O Module (1756-DHRIO) 45 SynchLink Module 45 General Requirements for Communication Networks 46 Peer-to-Peer Communication Requirements 46 Additional Resources 47 Introduction to The communication modules in a SIL 2-certified ControlLogix system provide communication bridges from a ControlLogix chassis to other chassis or devices Communication Modules via the ControlNet and Ethernet networks. Rockwell Automation Publication 1756-RM001L-EN-P . Network SIL 2 Modules(2) ControlNet • 1756-CNB • 1756-CN2R • 1756-CNBR • 1756-CN2RXT • 1756-CN2 EtherNet/IP • 1756-ENBT. The communication modules can also be used for expansion of I/O to additional ControlLogix remote I/O chassis. Chapter 4 ControlLogix Communication Modules Topic Page Introduction to Communication Modules 43 ControlNet Modules and Components 44 EtherNet/IP Communication Modules 45 DeviceNet Scanner Module 45 Data Highway Plus . series B • 1756-EN2T. series B(1) • 1756-EN2TXT.

Long-distance Fiber Repeater Module • 1786-RPFRXL. which verifies that at least one valid packet is seen during the greater of either 100 ms or 4 times the requested packet interval (RPI). Although it is not a requirement to use redundant media with the 1756-CNBR or 1756-CN2R modules. ControlNet Repeater The following ControlNet repeater modules are approved for use in safety applications up to and including SIL 2: • 1786-RPCD.12 ControlNet Module Diagnostic Coverage All communication over the passive ControlNet media occur via CIP. Redundant media is not required for SIL 2 operation. Extra-long-distance Fiber Repeater Module Use of the 1786-RPA adapter is required with all of the repeater modules listed.July 2014 . Installation Guide Use of repeaters in safety applications. data transitions to the safe state.06. a single RG6 coax cable is required for ControlNet communication. and 1756-CN2RXT) provide communication Components between any nodes properly scheduled on the ControlNet network. 1756-CN2. 1756-CN2R. Short-distance Fiber Repeater Module • 1786-RPFM. it does provide higher system reliability. Medium-distance Fiber Repeater Module • 1786-RPFRL. 1756-CNBR. ControlNet Cabling For remote racks. TÜV Report 968/EZ 968/EX 135. If a valid packet is not seen during this period.Chapter 4 ControlLogix Communication Modules ControlNet Modules and The ControlNet bridge modules (catalog numbers 1756-CNB. ControlNet Hub Repeater Module • 1786-RPFS.For More Information About Repeater Modules Topic Publication Title Publication Number Planning for and installing ControlNet ControlNet Fiber Media Planning and CNET-IN001 repeater modules. 44 Rockwell Automation Publication 1756-RM001L-EN-P . Table 2 .

and 1756-EN2TXT) to: Modules • connect controller chassis to remote I/O.Remote The 1756-DHRIO module supports both Data Highway Plus™ and the Remote I/O network of communication. • establish connections between the programming terminal and controller. IMPORTANT Use of a 1756-EN2TR or 1756-EN2TRXT is required to achieve SIL 2 in your application. • make connections for visualization purposes. SynchLink Module The SynchLink™ module (catalog number 1756-SYNCH) is used for CST time propagation between multiple chassis for event recording. You can use the 1756-DHRIO module I/O Module (1756-DHRIO) to communicate only nonsafety data to devices outside of the safety loop. It must not be used for any safety-related activity in a SIL 2-certified ControlLogix system.July 2014 45 . DeviceNet Scanner Module The 1756-DNB scanner module connects the controller to devices on a DeviceNet™ network. Rockwell Automation Publication 1756-RM001L-EN-P . For example it may be used to communicate alarms to the Distributed Control System (DCS). and Figure 12 on page 26. You can use the 1756-DNB module to communicate only nonsafety data to devices outside of the safety loop. 1756-EN2TR. Figure 6 on page 20. See Figure 3 on page 18 for an example. ControlLogix Communication Modules Chapter 4 EtherNet/IP Communication Use an EtherNet/IP communication module (catalog numbers 1756-EN2T. Data Highway Plus . The module can be used only outside of the safety loop. See the examples in Figure 5 on page 19.

• Only SIL 2 devices or other devices that provide non-interference should write to SIL 2 controllers The only exception to this is the use of HMI devices. or by consuming data from a SIL 2 controller that is configured to produce data. • Controllers within the safety loop can be configured to: – consume safety data from other safety controllers within the safety loop. such as a reset signal. if necessary.July 2014 . • DH+ can be used for communication to Human-to-Machine Interfaces (HMI) and for communicating with the nonsafety portion of the system. see Chapter 9. Peer-to-Peer Communication Peer-to-peer communication via a ControlNet or EtherNet/IP network is permitted when these requirements are met: Requirements • Non-SIL 2 controllers can read data from SIL 2 controllers by directly reading the data via a message instruction. • For controllers that are not part of the SIL 2 safety function. For more information on how to use HMI in the safety loop. 46 Rockwell Automation Publication 1756-RM001L-EN-P . • Programming that verifies the correct reception of data must be used. see Chapter 9.Chapter 4 ControlLogix Communication Modules General Requirements for Follow these requirements when using SIL 2-certified communication modules: Communication Networks • When installing ControlLogix communication modules. Use of Human-to- Machine Interfaces on page 103. – produce data to controllers outside the safety loop by using a write message (MSG) or produced connections. Use of Human-to-Machine Interfaces on page 103. use listen- only connections to monitor SIL 2 I/O modules. – consume non-safety data from outside the safety loop. For more information on using HMI. Use this connection status to take appropriate safety action. • You must not use the Quick Connect feature when using a Ethernet communication for SIL 2 safety I/O. carefully follow the information provided in the module’s installation instructions. IMPORTANT Always monitor connection status when consuming safety data from another controller.

Remote I/O Communication Interface Module 1756-UM514 1756-DNB DeviceNet Scanner Module DNET-UM004 1756-ENBT Ethernet Communication Module ENET-UM001 1756-EN2T 1756-EN2TR 1756-EN3TR 1756-EN2TRXT 1756-EN2TXT 1756-RM Redundancy Module 1756-UM535 1756-RM2 1756-SYNCH SynchLink Module 1756-UM521 You can view or download Rockwell Automation publications at http:// www. you must use two independent data paths between the SIL 2 devices. Module Description User Manual 1756-CNB ControlNet Communication Module CNET-UM001 1756-CN2 1756-CNBR Redundant ControlNet Communication Module 1756-CN2R 1756-DHRIO Data Highway Plus . to exchange SIL 2 data between two ControlLogix SIL 2 controllers. Additional Resources This table lists additional resources specific to the ControlLogix communication modules.com/literature/. No. For example. Each controller produces data to the other. Rockwell Automation Publication 1756-RM001L-EN-P . Cat.rockwellautomation. If you are not using the ring capability of the 1756-EN2TR when producing or consuming SIL 2 safety data on an EtherNet/IP network. ControlLogix Communication Modules Chapter 4 • Use of a device-level ring (DLR) is required to produce and consume SIL 2 data on an EtherNet/IP network.July 2014 47 . you could use two produced connections sending data to two consume connections.

July 2014 .Chapter 4 ControlLogix Communication Modules Notes: 48 Rockwell Automation Publication 1756-RM001L-EN-P .

The principles and logic shown in this chapter can be encased in Add-On Instructions for easier use. These Add-On Instructions are certified by TÜV. is described in greater detail throughout the rest of this chapter. Because the differences propagate to varying levels in each module type. there are differences between specific modules. there are two types of SIL 2-certified ControlLogix I/O modules: I/O Modules • Digital I/O modules • Analog I/O modules With each type. Chapter 5 ControlLogix I/O Modules Topic Page Overview of ControlLogix I/O Modules 49 Using 1756 Digital Input Modules 50 Using 1756 Digital Output Modules 52 Using 1756 Analog Input Modules 58 Using 1756 HART Analog Input Modules 65 Using 1756 Analog Output Modules 66 Using 1756 HART Analog Output Modules 71 IMPORTANT The programming information and examples in this chapter are provided to illustrate diagnostic and other logic-related principles that must be demonstrated in SIL 2 application programs. Each type. digital or analog. If you are using a duplex configuration and certain I/O termination boards. a graphical representation can best provide an overview of the many SIL 2-certified ControlLogix I/O modules. Rockwell Automation Publication 1756-RM001L-EN-P . Overview of ControlLogix At the most basic level. This figure shows the SIL 2-certified ControlLogix I/O modules. the programming explained in this chapter is available in Add-On Instructions. Refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions. however.July 2014 49 . publication 1756-AT012 for more information.

The two channels must be compared by Input Modules software before reconciling the data.Types of SIL 2-certified I/O Modules SIL 2-Certified ControlLogix I/O Modules 1756 Digital I/O Modules 1756 Analog I/O Modules Diagnostic Digital Standard Digital Modules Modules Input Modules. wire- off ) detection and. These K versions have the same SIL 2 certification as the non-K versions. ControlLogix digital input modules are divided into two categories: • Diagnostic input modules • Standard input modules These modules share many of the same inherent architectural characteristics. 50 Rockwell Automation Publication 1756-RM001L-EN-P .Chapter 5 ControlLogix I/O Modules Figure 17 . including: including: including: including: 1756-IF16 1756-OF6CI 1756-IF16H 1756-OF6VI 1756-IA8D 1756-OA8D 1756-IA16I 1756-OA16I 1756-IF6CIS 1756-OF8 1756-IB16D 1756-OB16D 1756-IB16I 1756-OB16I 1756-IF6I 1756-OF8H 1756-IB16ISOE 1756-OB16E 1756-IF8 1756-IB32 1756-OB32 1756-IF8H 1756-IH16ISOE 1756-OB8EI 1756-IR6I 1756-OW16I 1756-IT6I 1756-OX8I 1756-IT6I2 IMPORTANT: Some catalog numbers have a K suffix. For a full list of installation instructions for SIL 2-certified modules. the diagnostic input modules incorporate features that allow diagnosing of field-side failures. Output Modules.July 2014 . Input Modules.rockwellautomation. Output Modules. two digital input modules must be used. Using 1756 Digital To achieve SIL 2. with field sensors wired to channels on each module. This indicates a version of the product that has conformal coating. However.com/ For SIL 2 compliance when installing ControlLogix I/O modules. see Appendix B. including: including: Input Modules.com. These features include broken-wire (that is. Output Modules. follow the procedures provided in the module’s installation instructions. For more information on which products have conformal coating go to: http://ab. loss of line power. in the case of AC Diagnostic modules.

In either case. Manually or automatically test all inputs to make sure they are operational and not stuck in the ON or OFF state. The use of two digital input modules is required. you must follow these general application requirements when applying these modules in a SIL 2 application: • Ownership – The same controller must own both modules.July 2014 51 . • Separate input points – Wire sensors to separate input points on two separate modules. • Proof tests – Periodically perform a system validation test. Inputs must be cycled from ON to OFF or OFF to ON. ControlLogix I/O Modules Chapter 5 Requirements When Using Any ControlLogix Digital Input Module Regardless of the type of ControlLogix input module used. the more comprehensive the test will be. • Field device testing – Test field devices by cycling them. Figure 18 . For more information. • Direct connection – Always use a direct connection with any SIL 2 CL modules. Input A2 Input B2 Two-sensor Wiring Example Sensor Sensor 43366 Rockwell Automation Publication 1756-RM001L-EN-P . The closer you can get to the device being monitored to perform the test. see Proof Tests on page 28. regardless of the number of field sensors. Wiring ControlLogix Digital Input Modules This diagram shows two examples of wiring digital inputs.ControlLogix Digital Input Module Wiring Example + Power Optional Relay contact or output point to switch supply voltage for Input A1 Input B1 periodic One-sensor Wiring Example Sensor automated testing. You must not use rack optimized connections in a SIL 2 application. the type of sensors being used will determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements.

Faults in the ControlLogix System. • Output pulse test. To achieve SIL 2. Figure 19 . the diagnostic output modules incorporate features that allow diagnosing of field-side failures.Chapter 5 ControlLogix I/O Modules Application logic is used to compare input values for concurrence. a standard output module must be wired back to an input module for monitoring. Diagnostic digital output modules provide their own monitoring. Figure 20 . Using 1756 Digital ControlLogix digital output modules are divided into two categories: Output Modules • Diagnostic output modules • Standard output modules These modules share many of the same inherent architectural characteristics. • Blown Fuse reporting.Rungs Annunciating a Fault Input A Input B Timer Input A Input B Timer preset in milliseconds to compensate for filter time and hardware delay differences. Timer Done Fault Fault Alarm to Operator The control. For more information on faults.Logic Comparing Input Values or States Input A Input B No Faults Actuator The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points. • Output verify. However. see Chapter 8. diagnostics and alarming functions must be performed in sequence. including: • No-Load (loss of load) reporting.July 2014 . 52 Rockwell Automation Publication 1756-RM001L-EN-P .

The discrepancy timer must be set to accommodate the delay between the controller output data and the module’s Data Echo response. Manually or automatically test all outputs to make sure that they are operational and not stuck in the ON or OFF state. regardless of the type of ControlLogix output module used. see Chapter 8. For more information. However. Outputs must be cycled from ON to OFF or OFF to ON.July 2014 53 . In Figure 21. ControlLogix I/O Modules Chapter 5 Requirements When Using ControlLogix Digital Output Modules Wiring the two types of digital output modules differs. you must follow these general application requirements when applying these modules in a SIL 2 application: • Proof tests . Rockwell Automation Publication 1756-RM001L-EN-P . depending on your application requirements (these wiring methods are explained in detail in later sections). For more information on faults. The time value chosen needs to consider various system RPIs and network latency.Data Echo Discrepancy Timer Logic Application Logic No Faults Actuator Output Bit Data Echo Timer Output Bit Data Echo Fault Secondary Output Timer Done Fault Fault Alarm to Operator The control. Faults in the ControlLogix System. diagnostics and alarming functions must be performed in sequence. If a miscompare exists for longer than that time.Periodically perform a system validation test. Figure 21 . a fault bit is set. a timer begins to increment for any miscompare between the controller’s output and the module’s Data Echo feedback. see Proof Tests on page 28. • Examination of output data echo signal in application logic – The application logic must examine the Data Echo value associated with each output point to make sure that the requested ON/OFF command from the controller was received and acted upon by the module.

Chapter 5 ControlLogix I/O Modules

• Use of external relays to disconnect module power if output de-
energized state is critical. To verify that outputs will de-energize, users
must wire an external relay or other measure, that can remove power from
the output module if a short or other fault is detected. See Figure 22 on
page 55 for an example method of wiring an external relay.

• Test outputs at specific times to make sure they are operating properly.
The method and frequency of testing is determined by the requirements of
the safety application. For more information on testing diagnostic module
outputs, see page 54. For more information on testing standard module
outputs, see page 56.

• For typical emergency shutdown (ESD) application outputs must be
configured to de-energize: When configuring any ControlLogix output
module, each output must be configured to de-energize in the event of a
fault and in the event of the controller going into Program mode. For
exceptions to the typical ESD applications, see Chapter 1, SIL Policy on
page 13.

• When wiring two digital output modules in series so that one may break
source voltage (as shown in Figure 26 on page 57), one controller must
own both modules.

Wiring ControlLogix Digital Output Modules

Diagnostic digital output modules and standard output modules have different
wiring considerations. Reference the module-type considerations that apply to
your system configuration.

Wiring Diagnostic Digital Output Modules

Diagnostic output modules have circuitry that is not included in standard output
modules. Because of this feature, you are not required to use an input module to
monitor output status, as is required with standard output modules.

Diagnostic output modules can be used as-is in a SIL 2 application. No special
wiring considerations need be employed other than the wiring of the external
relay or other measures to remove line power from the module in the event of a
fault to make sure outputs will de-energize if shorted.

In addition to referencing the Requirements When Using ControlLogix Digital
Output Modules on page 53 for limited high demand applications, testing of
output modules (that is, the user turns the outputs ON and OFF to verify proper
operation) should be executed once every eight hours. Note that high demand
applications are limited to 10 demands per year for ControlLogix SIL 2 systems.

For more information on performing the pulse test, see the ControlLogix Digital
I/O Modules User Manual, publication 1756-UM058.

54 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

ControlLogix I/O Modules Chapter 5

Figure 22 - ControlLogix Diagnostic Output Module Wiring

V-/L2 V+/L1 Relays may also be
Secondary
included as shown in
Output
position A to interrupt
V+/L1 power on a per point
basis.

This normally-open contact (held closed) must represent
the healthy operation of the controller and safety I/O Output
modules. Safety I/O status can be restricted to inputs Actuator
directly affecting outputs on the specific module, or this
contact can represent the healthy status of all safety
inputs and the controller. The module used to control
this relay must follow SIL 2 output guidelines. This
module must also be considered during PFD analysis for
each safety function. We recommend the use of a
recognized safety relay or contactor. 43365

Figure 23 - Diagnostic Output Logic
Application Logic Output Fault
Actuator

Data Echo Actuator
Timer
Data Echo Actuator

Fault
Secondary
Output

Timer Done
Fault

Fault
Alarm to
Operator

Output Fault contact must represent module and channel diagnostics.

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 55

Chapter 5 ControlLogix I/O Modules

Wiring Standard Digital Output Modules

When using standard (non-diagnostic) output modules, you must wire each
output to its field device and also to a system input to monitor the output’s
performance. To verify output performance, use one of these methods:
• Write logic to test the output’s ability to turn ON and OFF at power-up.
• At the proof test interval, force the output ON and OFF and use a
voltmeter to verify output performance.

For limited high demand applications, testing of output modules (that is, the user
turns the outputs ON and OFF to verify proper operation) should be executed
once every eight hours. Note that high demand applications are limited to 10
demands per year for ControlLogix SIL 2 systems.

See Requirements When Using ControlLogix Digital Output Modules on
page 53.

Figure 24 - ControlLogix Standard Output Module Wiring

Standard Isolated Standard Isolated
Output Module Input Module

Wire output point to
input point to verify
V-/L2 V+/L1 the correct state of
Secondary
Output the output.
V+/L1 Input
This normally-open contact (held closed) must
represent the healthy operation of the controller
and safety I/O modules. Safety I/O status can be Output Actuator V-/L2
restricted to inputs directly affecting outputs on
the specific module, or this contact can represent
the healthy status of all safety inputs and the
controller. The module used to control this relay
must follow SIL 2 output guidelines. This module
also must be considered during PFD analysis for
each safety function.
43363

Write the application logic to generate a fault in the event of a miscompare
between the controller, the actual output state, and the monitored input.

56 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

The control. For more information on faults. In the event that a failure is detected.ControlLogix Standard Output Module Wiring with Two Modules Standard Isolated Standard Isolated Standard Isolated Output Module #1 Output Module #2 Input Module Wire output point to input point to verify V-/L2 V+/L1 the correct state of the output. the outputs from each of the output modules must be set to OFF to make sure the field devices de-energize. V+/L1 V+/L1 Input Output Output Actuator V-/L2 43364 Rockwell Automation Publication 1756-RM001L-EN-P . Faults in the ControlLogix System on page 99.Comparison Logic for Requested versus Actual Output Application Logic Output Fault Actuator Output Data Echo Monitoring Input Timer must be preset in milliseconds to Timer accommodate communication times of Output Data Echo Monitoring Input echo signal and filter time of input. Fault Secondary Output Timer Done Fault Fault Alarm to Operator Output Fault contact must represent module and channel diagnostics. diagnostics. Figure 26 shows how to wire two isolated. standard outputs in series to critical actuators. ControlLogix I/O Modules Chapter 5 Figure 25 .July 2014 57 . standard outputs in series to critical actuators. and alarming functions must be performed in sequence. Figure 26 . You can also wire two isolated. see Chapter 8.

you are responsible for making sure your ControlLogix I/O modules are properly calibrated for your specific application. select the Floating Point Data format in the Module Properties dialog box. two analog input modules are required. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly. Calibration (and subsequent recalibration) is not a safety issue. You can employ tests in application program logic to determine when a module requires recalibration. you can determine a tolerance band of accuracy for a specific application. To achieve SIL 2. to determine whether an input module needs to be recalibrated. For more information. 58 Rockwell Automation Publication 1756-RM001L-EN-P . Calibrate Inputs Analog input modules should be calibrated periodically. ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. To use the Floating Point Data format. Manually or automatically test all inputs to make sure that they are operational. You can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band. you could then determine whether recalibration is necessary. Based on the differences in the comparison. because each application is different. However. However. These features are only available in Floating Point mode. Use the Floating Point Data Format ControlLogix analog input modules perform on-board alarm processing to validate that the input signal is within the proper range. For example.Chapter 5 ControlLogix I/O Modules Using 1756 Analog There are a number of general application considerations that you must make when using analog input modules in a SIL 2 application. as their use and application requires. The following section Input Modules describes those considerations specific to the use of analog input modules. see Proof Tests on page 28.July 2014 . Conduct Proof Tests Periodically perform a system validation test. Field sensors must be wired to channels on each module and compared within a deadband. we recommend that each analog input be calibrated at least every three years to verify the accuracy of the input signal and avoid nuisance application shutdowns. Whether one or two field sensors are required is dependent on the Probability of Failure on Demand (PFD) value of the sensor.

and channel status bits and responds by initiating the appropriate fault routine.July 2014 59 . Application logic must examine the appropriate bits to initiate a fault routine for a given application. If the inputs miscompare for longer than the preset value. the results define an acceptable High and Low limit of deviation. a fault is registered with a corresponding alarm. Faults in the ControlLogix System on page 99. before an output is actuated. The second input channel is then compared to these limits to determine if the inputs are working properly. In Figure 27. tolerance) is applied to the configured input range of the analog inputs (that is. channel fault. a user-defined percentage of acceptable deviation (that is. The input’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the system. delta). Program to Compare Analog Input Data When wiring sensors to two input channels on different modules. the values from those channels must be compared to each other within the program for concurrence within an acceptable range for the application. This delta value is then added to and subtracted from one of the input channels. see Chapter 8. For more information on faults. Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault. range) and the result is stored (that is. ControlLogix I/O Modules Chapter 5 Program to Respond to Faults Appropriately When programming the SIL 2 system. Each module communicates the operating status of each channel to the controller during normal operation. Rockwell Automation Publication 1756-RM001L-EN-P . verify that your program examines the appropriate module fault.

Chapter 5 ControlLogix I/O Modules Figure 27 . Faults in the ControlLogix System on page 99. diagnostics and alarming functions must be performed in sequence. filter values. make sure the module’s scaling of data does not introduce error or fault conditions. Wiring ControlLogix Analog Input Modules The wiring diagrams shown in this section apply to applications requiring two transmitters. For more information on faults.Comparison Logic for Two Analog Inputs Inputs OK Timer MULT ADD SUB Range Delta Delta Tolerance% Input 1 Input 1 Delta High Limit Low Limit LIM Low Limit Inputs OK Input 2 High Limit Timer Done Analog Inputs Faulted Analog Inputs Faulted Alarm to Operator The control. configure the modules identically. 60 Rockwell Automation Publication 1756-RM001L-EN-P . You must use Analog Inputs Faulted as a safety status/permissive in respective safety-related outputs. The type of transmitter along with the application requirements will determine whether one or two transmitters are required. that is. by using the same RPI. Specify the Same Controller as the Owner The same controller must own both analog input modules. Configure Modules When using identical modules. see Chapter 8.July 2014 . When using different modules for improved diversity. and so on.

ControlLogix Analog Input Module Wiring in Voltage Mode Ch0 + Ch0 + (+) Voltage Transmitter A (–) Ch0 – Ch0 – (+) Voltage Transmitter B (–) 43368 Rockwell Automation Publication 1756-RM001L-EN-P . • tie all (-) leads of the transmitters together when operating in single-ended Voltage mode. Figure 28 . ControlLogix I/O Modules Chapter 5 In general. Special consideration must be given in applying this technique.July 2014 61 . depending on the type of module being used. good design practice dictates that each of the two transmitters must be wired to input terminals on separate modules such that the channel values may be validated by comparing the two within an acceptable range. Figure 28 shows how to wire an analog input for use in Voltage mode. • use the correct documentation (listed in Additional Resources on page 11) to wire the module. Wiring the Single-Ended Input Module in Voltage Mode Make sure you: • review the considerations in Using 1756 Analog Input Modules on page 58.

Terminal Block 1.5V operation. Terminal Block 2.. Reference Voltages 1492 Cable to 1756-IF16.Analog Input Wiring Example with Termination Boards Analog Input Module A Analog Input Module B Input Values from Field Devices Input Values from Field Devices All configured for 0. Module A Module B DIP Switch for Sensor Wiring Precision 249  Resistor Terminal Block 1.. All configured for 0. Row C Row C Row B Row B Two-wire Transmitters Operating in 4.ControlLogix Analog Input Module Wiring in Voltage Mode Ch0 + Ch0 + (+) SIL 2 Transmitter Voltage Output Source Ch0 – Ch0 – (–) Figure 30 .July 2014 . Solid-state switch controlled by DC output. Figure 29 ... 1492 Cable to 1756-IF16.5V operation... Terminal Block 2.20 mA Current Mode Output from 1756-OB16D Module Pair Two-wire Transmitter Trigger Reference Tests = 0 (Off) 62 Rockwell Automation Publication 1756-RM001L-EN-P .Chapter 5 ControlLogix I/O Modules Figure 29 shows how to wire a SIL 2 transmitter to two analog input modules configured for voltage mode.

Rockwell Automation Publication 1756-RM001L-EN-P .ControlLogix Analog Input Module Wiring in Current Mode Ch0 + Ch0 + Current Source A Ch0 – Ch0 – Current Source B 43369 Figure 32 . • use the correct documentation (listed in Additional Resources on page 11) to wire the module. ControlLogix I/O Modules Chapter 5 Wiring the Single-ended Input Module in Current Mode Make sure you: • review the considerations in Using 1756 Analog Input Modules on page 58. You can locate other devices in an input channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module input is 250 ohms) Figure 31 and Figure 32 show how to wire an analog input for use in Current mode. • place devices correctly in the current loop.ControlLogix Analog Input Module Wiring for Isolated Channels (in Current mode) Ch0 + Ch0 + SIL 2 Transmitter Current Output Source Ch0 – Ch0 – If you use single-ended channels. use a 1492-TAIFM16-F-3 termination board and two 1492-ACABLE010UA cables to split the current sensor into two single- ended channels configured for Voltage mode. Figure 31 .July 2014 63 .

July 2014 . Use the same channel on each module to make sure of consistent temperature readings. Figure 34 shows how to wire the 1756-IR6I module. Figure 33 on page 64 shows how to wire the 1756-IT6I module. Figure 33 . • use two sensors.ControlLogix Analog Thermocouple Module Wiring Ch0 + Ch0 + Thermocouple A RTN RTN Thermocouple B 43370 Wiring the RTD Input Module Make sure you: • review the considerations in Using 1756 Analog Input Modules on page 58. When wiring thermocouples.Chapter 5 ControlLogix I/O Modules Wiring the Thermocouple Input Module Make sure you: • review the considerations in Using 1756 Analog Input Modules on page 58. • wire to same input channel on both modules. • use the correct documentation (listed in Additional Resources on page 11) to wire the module. • use the correct documentation (listed in Additional Resources on page 11) to wire the module. RTDs cannot be wired in parallel without severely affecting their accuracy. wire two in parallel to two modules. 64 Rockwell Automation Publication 1756-RM001L-EN-P .

• use the correct documentation (listed in Additional Resources on page 11) to wire the module. Input Modules IMPORTANT HART protocol must not be used for safety-related data.July 2014 65 . Rockwell Automation Publication 1756-RM001L-EN-P . ControlLogix I/O Modules Chapter 5 Figure 34 . Wiring the HART Analog Input Modules Make sure you: • review the considerations in Using 1756 Analog Input Modules on page 58.ControlLogix Analog RTD Module Wiring Ch0 A Ch0 A RTD A Ch0 B Ch0 B RTN RTN RTD B 43371 Using 1756 HART Analog The Highway Addressable Remote Transducer (HART) analog modules should be used according to the same considerations as other analog input modules.

The following sections describe those considerations specific to the use analog output modules.July 2014 .Chapter 5 ControlLogix I/O Modules Figure 35 . 66 Rockwell Automation Publication 1756-RM001L-EN-P . Modules A single analog output module.HART Input Analog Module Wiring Ch0 + Ch0 + Sensor Ch0 - Ch0 - Sensor Using 1756 Analog Output There are a number of general application considerations that you must make when using analog output modules in a SIL 2 application. along with an analog input module for monitoring is required to achieve SIL 2.

To use the Floating Point Data format. to determine whether an output module needs to be recalibrated. The use of digital output modules and actuators to achieve the ESD de- energized state is recommended. Manually or automatically test all outputs to make sure that they are operational. and channel status bits and responds by initiating the appropriate fault routine. channel fault. Conduct Proof Tests Periodically perform a system validation test. However. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly. ControlLogix I/O Modules Chapter 5 Considerations for Using Analog Output Modules IMPORTANT It is strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state. Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules. Rockwell Automation Publication 1756-RM001L-EN-P . For example. Calibration (and subsequent recalibration) is not a safety issue. ControlLogix I/O modules ship from the factory with a highly accurate level of calibration. You can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band. as their use and application requires. Calibrate Outputs Analog output modules should be calibrated periodically. you could then determine whether recalibration is necessary.July 2014 67 . you can determine a tolerance band of accuracy for a specific application. You can employ tests in application program logic to determine when a module requires recalibration. see Proof Tests on page 28. you are responsible for making sure your ControlLogix I/O modules are properly calibrated for your specific application. For more information. select the Floating Point Data format in the Module Properties dialog box. Based on the differences in the comparison. Use the Floating Point Data Format ControlLogix analog output modules perform on-board alarm processing to validate that the input signal is within the proper range. we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of the signal and avoid nuisance application shutdowns. verify that your program examines the appropriate module fault. Program to Respond to Faults Appropriately When programming the SIL 2 system. However. These features are only available in Floating Point mode. because each application is different.

outputs must be configured to de-energize. delta). This delta value is then added to and subtracted from the monitoring analog input channel. each output must be configured to de-energize in the event of a fault and in the event of the controller going into Program mode. Application logic must examine the appropriate bits to initiate a fault routine for a given application. In the ladder diagram in Figure 36. The analog Output Echo is then compared to these limits to determine if the output is working properly. The application logic must examine the analog input (feedback value) associated with each analog output to make sure that the output from the controller was received correctly at the actuator. a fault is registered with a corresponding alarm. Monitor Channel Status You must wire each analog output to an actuator and then back to an analog input to monitor the output’s performance. Configure Outputs to De-energize in ESD Applications For typical emergency shutdown (ESD) applications. 68 Rockwell Automation Publication 1756-RM001L-EN-P . For more information on faults.July 2014 . as shown in Figure 37. For exceptions to the typical ESD applications. tolerance) is applied to the configured range of the analog input and output and the result is stored (that is. Faults in the ControlLogix System on page 99. or output. a user-defined percentage of acceptable deviation (that is. lags in the system. see Chapter 8. see Chapter 1. When configuring any ControlLogix output module. The analog output value must be compared to the analog input that is monitoring the output to make sure the value is within an acceptable range for the application. the results define an acceptable high and low limit of deviation. SIL Policy on page 13. The output’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering. If the monitoring input value and the Output Echo miscompare for longer than the preset value.Chapter 5 ControlLogix I/O Modules Each module communicates the operating status of each channel to the controller during normal operation.

• Use the correct documentation (listed in Additional Resources on page 11) to wire the module. Specify the Same Controller as the Owner The same controller must own both analog modules. diagnostics. Wiring ControlLogix Analog Output Modules In general. Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 69 . Wiring the Analog Output Module in Voltage Mode Make sure you: • review the considerations in Considerations for Using Analog Output Modules on page 67. ControlLogix I/O Modules Chapter 5 Figure 36 . and alarming functions must be performed in sequence. good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly.Monitoring an Analog Output with an Analog Input Outputs OK Timer MULT ADD SUB Range Delta Delta Tolerance% Monitoring input Monitoring input Delta High Limit Low Limit LIM Low Limit Outputs OK Output Echo High Limit Fault Secondary Output Timer Done Outputs Faulted Outputs Faulted Alarm to Operator The control.

The module used to control this relay must follow SIL 2 output guidelines. Figure 37 . 43376 70 Rockwell Automation Publication 1756-RM001L-EN-P . This module also must be (+) (+) Actuator considered during PFD analysis for each Secondary safety function. Figure 38 . If a short-circuit or fault occurs on the module. Output The relay used should be a signal-grade (–) (–) relay using bifurcated or similar grade contacts. or can remove power to multiple actuators depending on the granularity needed.Chapter 5 ControlLogix I/O Modules Figure 37 shows how to wire the 1756-OF8 module for use in Voltage mode. You can locate other devices in an output channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module output is 250 ).ControlLogix Analog Output Module Wiring in Voltage Mode Analog Output Module Analog Input Module This normally-open relay is controlled by the status of the rest of the ControlLogix system.ControlLogix Analog Output Module Wiring in Current Mode Analog Output Module Analog Input Module This normally-open relay is controlled by the status of the rest of the ControlLogix system. • use the correct documentation (listed in Additional Resources on page 11) to wire the module. The relay used should be a signal-grade relay using (–) Actuator bifurcated or similar grade contacts. The module used to control this relay must follow SIL 2 output guidelines. the relay can disconnect power to the module. Figure 38 shows how to wire the 1756-OF8 module for use in Current mode. This module also must be considered during PFD analysis for each (+) (+) safety function. • place devices correctly in the current loop. 43377 Wiring the Analog Output Module in Current Mode Make sure you: • review the considerations in Considerations for Using Analog Output Modules on page 67. The relay can be located in a position to remove power to a single actuator. The relay can be (–) Secondary located in a position to remove power to a single Output actuator. If a short-circuit or fault occurs on the module.July 2014 . or can remove power to multiple actuators depending on the granularity needed. the relay can disconnect power to the module.

• use the correct documentation (listed in Appendix B) as a reference when wiring the module. ControlLogix I/O Modules Chapter 5 Using 1756 HART Analog The Highway Addressable Remote Transducer (HART) analog modules should be used according to the same considerations as other analog output modules. IMPORTANT HART protocol must not be used for safety-related data. For Output Modules an illustration of how to wire the HART analog output modules.July 2014 71 . see Wiring the HART Analog Output Modules on page 71. Figure 39 . Ch0- Ch0- Ch1+ Actuator Ch1- Rockwell Automation Publication 1756-RM001L-EN-P . Wiring the HART Analog Output Modules Make sure you: • review the considerations in Wiring ControlLogix Analog Output Modules on page 69.HART Output Analog Module Wiring Input Module Output Module Output Module Actuator Ch0+ Ch0+ Ch0+ Ch0.

Chapter 5 ControlLogix I/O Modules Notes: 72 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 .

• Configuration parameters (for example. For example. the modules all have a common backplane interface. or automatically. Requirements When Using FLEX I/O Digital Input Modules Regardless of the type of FLEX I/O input module used. execute power-up and runtime diagnostics.Periodically a system validation test must be performed. Using 1794 Digital To achieve SIL 2. test inputs to make sure that all inputs are operational and not stuck in the ON or OFF state. two digital input modules must be used. RPI. with field sensors wired to channels on each module. there are a number of general application considerations that users must follow when applying these modules in a SIL 2 application: • Proof tests .July 2014 73 . Manually. • Wire sensors to separate input points on two separate modules that are on different network nodes. Chapter 6 FLEX I/O Modules Topic Page Overview of FLEX I/O Modules 73 Using 1794 Digital Input Modules 73 Using 1794 Digital Output Module 75 Using 1794 Analog Input Modules 77 Using 1794 Analog Output Modules 84 Overview of FLEX I/O Modules There are two types of SIL 2-certified FLEX I/O modules: • Digital I/O modules • Analog I/O modules FLEX I/O modules are designed with inherent features that assist them in complying with the requirements of the 61508 Standard. Rockwell Automation Publication 1756-RM001L-EN-P . filter values) must be identical between the two modules. and offer electronic keying. Inputs must be cycled from ON to OFF or OFF to ON. The two channels must be compared by Input Modules software before reconciling the data.

SENSOR 43366 Application logic can compare input values or states for concurrence.Compare Input Values Input A Input B Actuator The user program must also contain rungs to annunciate a fault in the event of a sustained miscompare between two points.Annunciate a Fault Input A Input B Timer Input A Input B Timer preset in milliseconds to compensate for filter time and hardware delay differences. Figure 40 .ControlLogix Digital Input Module Wiring One-Sensor Wiring Example +24V dc Input 1 Input 2 Optional relay contact 24VDC SINK INPUT 1794-IB16 24VDC SINK INPUT 1794-IB16 to switch line voltage for periodic automated 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 testing Input SIL2 SENSOR COM +24V Two-Sensor Wiring Example Input 1 Input 2 1794-IB16 1794-IB16 24VDC SINK INPUT 24VDC SINK INPUT Input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 SENSOR COM +24V 1 Note 1: Both sensors are monitoring the same safety application.July 2014 . Figure 42 . you must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements.Chapter 6 FLEX I/O Modules • The same controller must own both modules. 74 Rockwell Automation Publication 1756-RM001L-EN-P . Wiring FLEX I/O Digital Input Modules The wiring diagrams in Figure 40 show two methods of wiring the digital input module. diagnostics and alarming functions must be performed in sequence. Figure 41 . • Monitor the network status bits for the associated module and ensure that appropriate action is invoked via the application logic by these status bits. Timer Done Fault Fault Alarm to Operator The control. In either case.

Periodically a System Validation test must be performed. Manually. Outputs must be cycled from ON to OFF or OFF to ON. Rockwell Automation Publication 1756-RM001L-EN-P . FLEX I/O Modules Chapter 6 Using 1794 Digital To achieve SIL 2. Output Module Requirements When Using FLEX I/O Digital Output Modules Regardless of the type of FLEX I/O output module used. • Wire sensors to separate input points on two separate modules that are on different network nodes. • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits.July 2014 75 .Testing Outputs Application Logic Output Fault Actuator Output Bit Monitoring Input Timer Output Bit Monitoring Input Timer done Fault Fault Alarm to Operator The control. the output module must be wired back to an input module for monitoring. or automatically. test outputs to make sure that all outputs are operational and not stuck in the ON or OFF state. The method and frequency of testing is determined by the type of module. • Test outputs at specific times to make sure they are operating properly. diagnostics and alarming functions must be performed in sequence. • Use external relays to disconnect actuator power if output de- energization is critical. Figure 43 . there are a number of general application considerations that you must follow when applying these modules in a SIL 2 application: • Proof tests. you must wire an external method that can remove power from the actuator if a short or other fault is detected. To make sure outputs will de-energize.

Figure 44 . This relay is controlled by another output in the ControlLogix/FLEX I/O system. Write application logic so that it generates a fault in the event of a miscompare between the requested state of an output (echo) and the actual output state monitored by an input channel (see Figure 43 on page 75). B IB C CE P C IN INP A COM 24V DC Output B Actuator 43363 IMPORTANT: Other configurations are possible as long they are SIL 2 approved. If a short circuit or fault occurs on output modules.Chapter 6 FLEX I/O Modules Wiring FLEX I/O Digital Output Modules When using standard output modules.July 2014 . An isolated relay output module (1794-OW8) can be used for this purpose when it is connected to a different 1794-ACN15 or 1794-ACNR15 ControlNet Adapter module. In the event that a failure is detected. This is shown in Figure 45 on page 77. Install a relay in position A or B.FLEX I/O Standard Output Module Wiring Standard Digital Output Module Wire output point to input Standard Digital Input Module point to verify the correct COM +24V state of the output. 76 Rockwell Automation Publication 1756-RM001L-EN-P . diagnostics and alarming functions must be performed in sequence. The control. you must wire an output to an actuator and then back to an input to monitor the output’s performance. the relay can disconnect power to the modules. the output from both output modules must be set to OFF to guarantee the Output Loads de-energize. You can also wire a standard digital output module in series with an isolated relay output module in series with a critical actuator.

Requirements When Using FLEX I/O Analog Input Modules You must follow these general application considerations when applying these modules in a SIL 2 application: • Proof tests.ControlLogix/FLEX I/O Standard Output Module Wiring with an Isolated Relay Module Standard Digital Isolated Relay Output Standard Digital Output Module Module Input Module COM +24V Wire output point to input point to verify C CE P B C CE P B the correct state of the C IN INP IB output. or automatically. Using 1794 Analog To achieve SIL 2. Field sensors must be wired to channels on each module and compared within a deadband. Rockwell Automation Publication 1756-RM001L-EN-P . Periodically a System Validation test must be performed.July 2014 77 . FLEX I/O Modules Chapter 6 Figure 45 . Manually. test inputs to make sure that all inputs are operational. COM Output +24V Output Actuator 43364 Note 1: An external relay can be replaced with an isolated relay module that is mounted in another FLEX I/O rail. Whether Input Modules one or two field sensors are required is dependent on the Probability of Failure on Demand (PFD) value of the sensor. two analog input modules are required. Field signal levels should be varied over the full operating range to make sure that the corresponding channel data varies accordingly.

Calibration (and subsequent recalibration) is not a safety issue. You can employ tests in application program logic to determine when a module requires recalibration.Chapter 6 FLEX I/O Modules • Calibrate inputs periodically. In Figure 46 on page 79. we recommend that each analog input be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns. range) and the result is stored (that is. 78 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 . Any miscompare between the two inputs outside the programmed acceptable range must be annunciated as a fault. as necessary. because each application is different. The input’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering lags in the system. For example. delta). • Compare analog input data and annunciate miscompares. to determine whether an input module needs to be recalibrated. The second input channel is then compared to these limits to determine if the input are working properly. the results define an acceptable High and Low limit of deviation. a fault is registered with a corresponding alarm. You can then measure input values on multiple channels and compare those values to acceptable values within the tolerance band. This delta value is then added to and subtracted from one of the input channels. you are responsible for making sure their FLEX I/O modules are properly calibrated for their specific application. a user-defined percentage of acceptable deviation (that is. If the inputs miscompare for longer than the preset value. Based on the differences in the comparison. you could then determine whether recalibration is necessary. FLEX I/O modules ship from the factory with a highly accurate level of calibration. However. tolerance) is applied to the configured input range of the analog inputs (that is. However. the values from those channels must be compared to each other for concurrence within an acceptable range for the application before actuating an output. a user can determine a tolerance band of accuracy for a specific application. When wiring sensors to two inputs channels.

Logic for Comparing Analog Input Data Inputs OK Timer MULT ADD SUB Range Delta Delta Tolerance % Input 1 Input 1 Delta High Limit Low Limit LIM Low Limit Inputs OK Input 2 High Limit Timer Done Inputs Faulted Inputs Faulted Alarm to Operator The control. • Wire sensors to separate input channels on two separate modules that are on different network nodes. • Wire sensors to separate input points on two separate modules that are on different network nodes. FLEX I/O Modules Chapter 6 Figure 46 . diagnostics and alarming functions must be performed in sequence. RPI. filter values) must be identical between the two modules. Rockwell Automation Publication 1756-RM001L-EN-P . • The same controller must own both modules. • Configuration parameters (for example.July 2014 79 . • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits.

+ - Voltage Voltage Transmitter A Transmitter B Analog Input Analog Input 1794-IF4I 1794-IF4I 1794-TB3 1794-TB3 + . Figure 47 . make sure you use the correct documentation to wire the module. Wiring the Single-ended Input Module in Voltage Mode In addition to following the Requirements When Using FLEX I/O Analog Input Modules on page 77. you must determine whether the use of 1 or 2 sensors is appropriate to fulfill SIL 2 requirements.FLEX I/O Analog Input Module Wiring One-Sensor Wiring Example Input 1 Input 2 Input SIL2 SENSOR COM +24V Two-Sensor Wiring Example Input 1 Input 2 Input 1 SENSOR COM +24V 1 SENSOR 43366A Note 1: Both sensors are monitoring the same safety application. + - Voltage Voltage Transmitter A Transmitter B 80 Rockwell Automation Publication 1756-RM001L-EN-P .Chapter 6 FLEX I/O Modules Wiring FLEX I/O Analog Input Modules The wiring diagrams in this section show two methods of wiring the analog input module.FLEX I/O Analog Input Module Wiring in Voltage Mode Analog Input Analog Input 1794-IE8 1794-IE8 1794-TB3 1794-TB3 + . Figure 48 . In either case.July 2014 .

You can locate other devices in an input channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops (each module input is 250 ohms) Figure 49 . FLEX I/O Modules Chapter 6 Wiring the Single-ended Input Module in Current Mode In addition to following the Requirements When Using FLEX I/O Analog Input Modules on page 77. before wiring the module.July 2014 81 . consider the following application guideline: • Place other devices in current loop.FLEX I/O Analog Input Wiring in Current Mode 1794-IE8 Analog Input Analog Input 1794-IE8 1794-IE8 1794-TB3 1794-TB3 Current RET RET Current Source A Source B Analog Input Analog Input 1794-IF4I 1794-IF4I 1794-TB3 1794-TB3 Current RET Current RET Source A Source B Rockwell Automation Publication 1756-RM001L-EN-P .

FLEX I/O Analog Thermocouple Module Wiring Thermocouple Thermocouple 1794-IT8 1794-IT8 Input Module Input Module 1794-TB3T 1794-TB3T + + . When wiring thermocouples. - 82 Rockwell Automation Publication 1756-RM001L-EN-P . consider the following application guideline: • Wire to the same input channel on both modules.Chapter 6 FLEX I/O Modules Wiring the Thermocouple Input Module In addition to following the Requirements When Using FLEX I/O Analog Input Modules on page 77 and before wiring the module. Figure 50 . - Thermocouple/ Thermocouple/ RTD/mV 1794-IRT8 RTD/mV 1794-IRT8 Input Module Input Module 1794-TB3G 1794-TB3G + + . Use the same channel on each module to make sure of consistent temperature readings. wire two in parallel to two modules.July 2014 .

or four-wire RTDs can be used as applicable to the associated RTD input module. FLEX I/O Modules Chapter 6 Wiring the RTD Input Module In addition to following the Requirements When Using FLEX I/O Analog Input Modules on page 77 and before wiring the module. three-. Two sensors must be used. Figure 51 .FLEX I/O Analog RTD Module Wiring RTD 1794-IR8 RTD 1794-IR8 Input Module Input Module 1794-TB3T 1794-TB3T 3-wire RTD Thermocouple/ Thermocouple/ RTD/mV RTD/mV 1794-IRT8 1794-IRT8 Input Module Input Module 1794-TB3G 1794-TB3G 4-wire RTD Two-. consider the following application guideline: • RTDs cannot be wired in parallel without severely affecting their accuracy. Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 83 .

outputs must be configured to de-energize.July 2014 . or automatically. However. because each application is different. along with an analog input module for monitoring is required to achieve SIL 2. Output Modules IMPORTANT We strongly recommended that you do not use analog outputs to execute the safety function that results in a safe state.Periodically a System Validation test must be performed. as necessary. you could then determine whether recalibration is necessary. • Calibrate outputs periodically. When configuring any FLEX I/O output module. • For typical emergency shutdown (ESD) applications.Chapter 6 FLEX I/O Modules Using 1794 Analog A single analog output module. You can employ tests in application program logic to determine when a module requires recalibration. Requirements When Using FLEX I/O Analog Output Modules Follow these general application considerations when applying the analog output modules in a SIL 2 application: • Proof tests . test outputs to make sure that all outputs are operational. a user can determine a tolerance band of accuracy for a specific application. For example. we recommend that each analog output be calibrated at least every 3 years to verify the accuracy of the input signal and avoid nuisance application shutdowns. Channel data should be varied over the full operating range to make sure that the corresponding field signal levels vary accordingly. Manually. Analog output modules are slow to respond to an ESD command and are therefore not recommended for use ESD output modules. Calibration (and subsequent recalibration) is not a safety issue. Based on the differences in the comparison. However. FLEX I/O modules ship from the factory with a highly accurate level of calibration. you are responsible for making sure their FLEX I/O modules are properly calibrated for their specific application. to determine whether an output module needs to be recalibrated. each output must be configured to de-energize in the event of a fault and in the event of the controller going into Program mode. You can then measure output values on multiple channels and compare those values to acceptable values within the tolerance band. The use of digital output modules and actuators to achieve the ESD de- energized state is recommended. 84 Rockwell Automation Publication 1756-RM001L-EN-P .

) The application logic must examine the Data Feedback value associated with each output point to make sure that the requested output command from the controller was received by the module. delta). The analog Output Feedback is then compared to these limits to determine if the output are working properly.July 2014 85 . FLEX I/O Modules Chapter 6 • Wire outputs back to inputs and examine output data feedback signal. Rockwell Automation Publication 1756-RM001L-EN-P . You must wire an analog output to an actuator and then back to an analog input to monitor the output’s performance. range) and the result is stored (that is. The value must be compared to the analog input that is monitoring the output to make sure the value is in an acceptable range for the application. the results define an acceptable High and Low limit of deviation. This delta value is then added to and subtracted from the monitoring analog input channel. (The use of feedback transmitters to verify an output’s performance is acceptable. In the ladder diagram in Figure 52. a user-defined percentage of acceptable deviation (that is. tolerance) is applied to the configured range of the analog input and output (that is.

86 Rockwell Automation Publication 1756-RM001L-EN-P . • The two analog output modules must be on separate FLEX I/O rails. diagnostics and alarming functions must be performed in sequence. make sure: – Both modules use identical configuration. a fault is registered with a corresponding alarm. • Monitor the network status bits for the associated module and make sure that appropriate action is invoked via the application logic by these status bits.July 2014 . • When wiring two analog output modules in the same application. or output. If the monitoring input value and the Output Feedback miscompare for longer than the preset value.Chapter 6 FLEX I/O Modules The output’s OK bit preconditions a Timer run that is preset to accommodate an acceptable fault response time and any communication filtering. Figure 52 .Monitoring an Analog Output with an Analog Input Outputs OK Timer MULT ADD SUB Range Delta Delta Tolerance % Monitoring input Monitoring input Delta High Limit Low Limit LIM Low Limit Outputs OK Output Echo High Limit Timer Done Outputs Faulted Outputs Faulted Alarm to Operator The control. – The same controller owns both modules. They must not share the same FLEX adapter. lags in the system.

Analog Input Module Wiring Example 1794-OE4 1794-IE8 Analog Output Analog Input Module Module 1794-TB3 1794-TB3 V RET + Actuator _ 1794-OF4I 1794-IF4I Isolated Analog Isolated Analog Output Module Input Module 1794-TB3 1794-TB3 V RET + Actuator _ Rockwell Automation Publication 1756-RM001L-EN-P . Figure 53 .July 2014 87 . FLEX I/O Modules Chapter 6 Wiring FLEX I/O Analog Output Modules In general. good design practice dictates that each analog output must be wired to a separate input terminal to make sure that the output is functioning properly. Wiring the Analog Output Module in Voltage Mode You must wire analog outputs to an actuator and then back to an analog input to monitor the output performance.

consider the following application guideline before wiring the module in Current mode: • Place other devices in current loop. Figure 54 .Chapter 6 FLEX I/O Modules Wiring the Analog Output Module in Current Mode In addition to following the Requirements When Using FLEX I/O Analog Output Modules on page 84.Analog Output Wiring Example 1794-OE4 1794-IE8 Analog Input Analog Output Module Module + _ 1794-TB3 1794-TB3 Actuator 1794-OF4I 1794-IF4I Isolated Analog Isolated Analog Output Module Input Module + _ 1794-TB3 1794-TB3 Actuator 88 Rockwell Automation Publication 1756-RM001L-EN-P . You can locate other devices in an output channel’s current loop anywhere as long as the current source can provide sufficient voltage to accommodate all of the voltage drops.July 2014 .

July 2014 89 . that is. • A test plan is documented and adhered to. The application software for the SIL 2-related automation system is created using the programming tool. • Control system hardware is installed in accordance with product installation guidelines. Rockwell Automation Publication 1756-RM001L-EN-P . Chapter 7 Requirements for Application Development Topic Page Software for SIL 2-Related Systems 89 SIL 2 Programming 89 Programming Languages 90 Programming Options 90 Security 90 Basics of Application Program Development and Testing 91 Functional Specification Guidelines 92 Creating the Application Program 93 Forcing 94 Checking the Application Program 94 Verify Download and Operation 95 Commissioning Life Cycle 96 Changing Your Application Program 97 Software for SIL 2. • A well-designed validation process is defined and implemented. Parameters for the operating function are also entered into the system using the programming software. SIL 2 Programming The safety concept of the SIL 2 ControlLogix system assumes the following: • The programming software is installed correctly. The application program has to be created by using the programming tool and contains the specific equipment functions that are to be carried out by the ControlLogix system. RSLogix 5000 software. • User application code (user program) uses common and good design practices. including well-understood proof test requirements and procedures. according to Related Systems IEC 61131 3.

Using the SIL 2 Add-On Instructions greatly simplifies the programming required for a SIL 2 system. these instructions may not be suitable for use in all SIL 2 applications and system configurations.Chapter 7 Requirements for Application Development For the initial start-up of a safety-related ControlLogix system. the entire system must be checked by a complete functional test. You need to evaluate the suitability of a SIL 2 Add-On Instruction that is used in a safety-related function. All Add-On Instructions require the use of hardware termination boards. the modified program or logic must be checked. Programming Languages It is good engineering practice to keep safety-related logic as simple and easy to understand as possible. Security The user must define what measures are to be applied for the protection against manipulation. refer to ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions. at varying levels of granularity throughout the application. Contact your local Rockwell Automation representative for more information. However. protection mechanisms are available that help prevent unintentional or unauthorized modifications to the safety system: • The following tools may be employed for security reasons in a SIL 2-certified ControlLogix application: – Logix CPU Security – Routine Source Protection – FactoryTalk® AssetCentre Each of these features or products offers different security features. The preferred language for safety-related functions is ladder logic. If you choose to use Add-On Instructions. publication 1756-AT012. version 20 or later. 90 Rockwell Automation Publication 1756-RM001L-EN-P . In the ControlLogix system and in the programming software. followed by function block. After a modification of the application program.July 2014 . including password protection. see Changing Your Application Program on page 97. Programming Options Pre-programmed SIL 2 I/O Add-On Instructions can be used in RSLogix 5000 software. For more information on how users should handle changes to their application program. The description of these tools is too large in scope to list in detail here. Structured text and sequential function chart are not recommended for safety-related functions.

All SIL 2 safety-related tags should be set to read-only. Where possible.July 2014 91 . Read-only blocks external devices (for example. or constant values. including the following: – Specifications – Flow and timing charts – Engineering diagrams – Sequence charts – Program description – Program review process • Writing the application program • Checking by independent reviewer • Verification and validation Rockwell Automation Publication 1756-RM001L-EN-P . configure SIL 2 safety tags as constant value tags. Figure 55 . Basics of Application The application program is intended to be developed by the system integrator and/or user. version 18 and later. read-only. Constants block everything. • Specification of the SIL 2 safety control function. The requirements of the safety and application standards regarding the protection against manipulations must be observed. you can set tags to be standard. The authorization of employees and the necessary protection measures are the responsibility of the individuals starting and maintaining the SIL 2 safety system. Requirements for Application Development Chapter 7 • The controller keyswitch must be in the RUN position and the key removed during normal operating conditions. The developer must consider general procedures for programming Program Development ControlLogix SIL 2 applications listed below (this does not require independent and Testing third party review). including user logic from changing a tag value.Keyswitch in Run Mode Logix557x RUN FORCE SD OK REM PR RUN OG 1756-L6x 1756-L7x • In RSLogix 5000 software. HMIs and other controllers) from changing a tag.

Counters. EMERGENCY STOP. Use this specification to verify that program logic correctly and fully addresses your application’s Guidelines functional and safety control requirements. including the sequence and timing diagrams • Definition of marginal conditions. operating modes. for example. and so on) whenever possible. Timers. The specification may be presented in a variety of formats. developers should limit the set of instructions to basic Boolean/ladder logic (such as examine On/Off. the type of sensors and actuators. This set should include instructions that can be used to accommodate analog variables. and others The I/O-portion of the specification must contain the analysis of field circuits. To facilitate reviews and reduce unintended responses. see Proof Tests on page 28. including the following: – Input definitions – Output definitions – I/O wiring diagrams and references – Theory of operation • Matrix.Chapter 7 Requirements for Application Development All application logic must be independently reviewed and tested. 92 Rockwell Automation Publication 1756-RM001L-EN-P . depending on your application. that is.or table form of stepped conditions and the actuators to be controlled. such as the following: • Limit tests • Comparisons • Math instructions For more information. Functional Specification You must create a specification for your control function.July 2014 . The specification must include a detailed description that includes the following (if applicable): • Sequence of operations • Flow and timing diagrams • Sequence charts • Program description • Program print out • Written descriptions of the steps with step conditions and actuators to be controlled.

• well-documented. • easy to test. sensors OFF means no signal) • Determination of redundancies required for SIL levels • Discrepancy monitoring and visualization. including the user’s diagnostic logic Creating the Consider the following when developing the application program logic. for example. • easy to trace. We use ladder. • other IEC 61131-3-compliant language. including the user’s diagnostic logic Actuators • Position and activation in standard operation (normally OFF) • Safe reaction or positioning when switching OFF • Discrepancy monitoring and visualization. Program Language You must implement simple. • easy to change. Rockwell Automation Publication 1756-RM001L-EN-P . • function blocks with specified characteristics. because it is easier to visualize and make partial program changes with this format. easy to understand: • ladder.July 2014 93 . Application Program Logic and Instructions The logic and instructions used in programming the application must be: • easy to understand. Requirements for Application Development Chapter 7 Sensors (digital or analog) • Signal in standard operation (dormant current principle for digital sensors.

• You must not force SIL 2 tags after validation is performed and during controller operation in Run mode. Forcing The following rules apply to forcing in a project: • You must remove forces on all SIL 2 tags and disable forcing before beginning normal operation for the project. at the limits. and outside the defined value ranges. or everything in the task containing safety must be treated as safety-related. IMPORTANT Forcing must not be used during normal operation.July 2014 . The test cases must be selected to prove the correctness of the calculation. SIL 2 safety logic and logic intended for use in non- SIL 2 functions must be separate. The SIL 2 task must be the controller’s top priority task and the user- defined watchdog must be set to accommodate the SIL 2 task. IMPORTANT You must dedicate a specific task for safety-related functions and set that task to the highest priority (1). Equivalent range tests are acceptable. The set of test cases needs to be well-written and filed as the test specification. IMPORTANT Motion-related functions are not allowed and must not be used. Suitable tests must also be generated for the numeric evaluation of formulas. 94 Rockwell Automation Publication 1756-RM001L-EN-P . The necessary number of test cases depends on the formula used and must comprise critical value pairs. as well as during final system test and validation. Checking the Application To check safety-related application logic for adherence to specific safety functions.Chapter 7 Requirements for Application Development Program Identification The application program is clearly identified by one of the following: • Name • Date • Revision • Any other user identification information SIL Task/Program Instructions The user application should contain a single SIL task composed of programs and routines. These are tests within defined value ranges. you must generate a suitable set of test cases that cover the safety Program specification.

and save it. Rockwell Automation Publication 1756-RM001L-EN-P . Furthermore. 7. 1. 2. With the programming software not running. 6. Rename the original project file (change back) to the original project name to maintain project documentation. 5. Review the compare output results and verify that everything matches without error. A typical technique is to upload the completed program file and perform a compare and Operation of that file against what is stored in the programming terminal. Open the compare tool and select both files. you must verify the download. These are typical steps for performing a verification in RSLogix 5000 software. this is the only means of testing the system configuration. Verify Download Verify the download of the application program and its proper operation. Start the programming software. Save the compare results as part of the verification process.July 2014 95 . Project documentation differences will likely exist. rename the offline project. active simulation with sources cannot be omitted as this is the only means of detecting correct wiring of the sensors and actuators to the system. Start the compare operation. The AutoFlash firmware feature is not supported for SIL-2 safety applications and must not be used. 8. Delete the upload file. 4. upload the controller project. IMPORTANT If the controller has a USB port. IMPORTANT Do not use memory cards to automatically transfer the safety application. Requirements for Application Development Chapter 7 However. After a safety application is downloaded. Users should verify the correct programmed functions by forcing I/O or by manual manipulation of sensors and actuators. 3. it is intended for temporary local programming purposes only and not intended for permanent connection.

see Chapter 1. Figure 56 . 96 Rockwell Automation Publication 1756-RM001L-EN-P .Application Development Life Cycle Generate Functional Specification Create Flow Diagram Create Timing Diagrams Establish Sequence of Operations Develop Project Develop Project Online Offline Review Program with Independent Party Download to Controller Develop Test Plan Perform Validation Testing on all Logic Yes Tests Pass? Verification No okay? Make more online edits & accept edits or make more offline edits and download to CTR Begin Normal Project Determine what logic has Operation No been Changed or Affected Perform Validation Testing on all Changed or Affected Download to Make project Logic Controller changes Finish the Validation Test1 1 You must periodically repeat the validation test (also known as proof tests) to make sure module inputs and outputs are functioning properly and as commanded by the Secure PADT application programming. Commissioning Life Cycle debugging and commissioning.Chapter 7 Requirements for Application Development Figure 56 shows the steps required during application program development. For more information on proof tests for I/O modules.July 2014 . SIL Policy on page 13.

• Program edits are not recommended and should be limited. you must perform an impact analysis by following the safety specification and other lifecycle steps described in Figure 56 on page 96 as if the edits were an entirely new program. including: – authorization. Requirements for Application Development Chapter 7 Changing Your The following rules apply to changing your application program in RSLogix 5000 software: Application Program IMPORTANT You cannot make program edits while the program is online if the changes prevent the system from executing the safety function or if alternative protection methods are not in place.July 2014 97 . • Prior to making any program edits.7. • Changes to the safety application software–in this case. using the controller keyswitch and software password protections. • Only authorized. – impact analysis. RSLogix 5000 software– must comply with IEC 61511 standard on process safety section 11. • Anyone making data or programming edits to an operational system assumes the central safety responsibility while the changes are in progress. – revision information. These personnel must also maintain safe application operation. minor changes such as changing a timer preset or analog setpoint are allowed. – execution. you cannot make online edits. • You can edit the relay ladder logic portion of the safety program using one of the following methods described in Table 3. specially-trained personnel can make program edits. For example. • Multiple users cannot edit a program from multiple programming terminals simultaneously. for example.1 Operator Interface requirements. • When the ControlLogix controller keyswitch is in the RUN position (controller is in Run mode). – test information. • Users must sufficiently document all program edits. These personnel should use all supervisory methods available. Rockwell Automation Publication 1756-RM001L-EN-P .

Use the Online Edit Toolbar to start. the original program is still active in the controller. We recommend you upload the new program to your programming terminal to help ensure consistency between the application in the controller and on the programming terminal. changes or ladder logic rung additions. IMPORTANT:This option to change the application program is available for changes to relay ladder logic only. Click Yes to assemble the edits. However. Remove the key. Click the start pending rung edits button . PROG You must re-validate the entire application before returning to normal operation.’ 98 Rockwell Automation Publication 1756-RM001L-EN-P . The controller now has the changed program and the original program. You cannot use this method to change function block programming. Your program changes are made in the copied rungs. Online 1. the controller continues to execute the original program. Click the test program edits button . if you are not satisfied with the result of testing the edits. Turn the controller key to the REM position. At this point.7. 3. you are required to validate only the changed portion of the application program. Click Yes to test the edits. and changes do not affect the outputs. see the Logix5000 Controllers Quick Start. The toolbar is shown remote Run mode. edits. the controller returns to the original program. deletions and modifications. below. Your program changes are verified and downloaded to the controller. Perform a partial proof test of the portion of the application affected by the program edits. which states: ‘The Safety Instrumentation System (SIS) operator interface design shall be such as to prevent changes to SIS application software. Click the assemble program edits button . you can discard the new program by clicking on the untest program edits button if necessary. However. You can see the state of the inputs. REM The project remains online but operates in the 2. 4. edits. Click the accept pending rung edits button . and the original program is discarded. The changes are the only program in the controller.1. d. Turn the controller key back to the RUN position to return the project to Run mode. IMPORTANT If any changes are needed to the program in the safety loop. 5.July 2014 . they must be done in accordance with IEC 61511-1. accept. g. For more detailed information on how to edit ladder logic while online. test and assemble your edits. b.Methods of Changing Your Application Program Method Required Steps Controller Key Points to this Method Keyswitch Position Offline Perform the tasks described in the flow chart in Figure 56 on page 96. When edits are completed. c. Where safety information needs to be transmitted from the basic process control system (BPCS) to the SIS then systems should be used that can selectively allow writing from the BPCS to specific SIS variables. Equipment or procedures should be applied to confirm the proper selection has been transmitted and received by the SIS and does not compromise the safety function of the SIS. e. 1756-QS001. f. Start Accept Assemble Test program Untest pending pending rung program edits. If you untest the edits. publication a. edits. Changes do not affect the outputs until you test program edits in step d. Changes are now executed and affect the outputs. paragraph 11.5. the original program is no longer executed.Chapter 7 Requirements for Application Development Table 3 . Change your application program as needed. program We recommend that online edits be limited to minor program modifications such as setpoint rung edit. A copy is made of the rung you want to edit.

for more information. Chapter 8 Faults in the ControlLogix System Topic Page Detecting and Reacting to Faults 99 Module Fault Reporting for Any ControlLogix or FLEX I/O Module 100 Checking Keyswitch Position with GSV Instruction 100 Examining an 1756 Analog Input Module’s High Alarm 101 Additional Resources 102 In addition to providing information on module fault reporting. TIP To help handle faults. to Faults • Various device objects can be interrogated to determine the current operating status. • You can configure a ControlLogix system to identify and handle faults. including such tasks as: – developing a fault routine. – creating a user-defined major fault. Rockwell Automation Publication 1756-RM001L-EN-P . publication 1756-PM001.July 2014 99 . make sure you have completed the input (see Checklist for SIL Inputs on page 140) and output (see Checklist for SIL Outputs on page 142) checklists for their application. See the Logix5000 Controllers Common Procedures Programming Manual. this chapter explains two example conditions that will generate a fault in a SIL 2-certified ControlLogix system: • Keyswitch changing out of Run mode • High alarm condition on an analog input module Detecting and Reacting The ControlLogix architecture provides many ways of detecting and reacting to faults in the system. • Modules provide run-time status of their operation and of the process that is executing. It is your responsibility to determine what data is most appropriate for your application to initiate a shutdown sequence. – developing a power-up routine. – monitoring minor faults.

13 Fault Fault Alarm to Operator 100 Rockwell Automation Publication 1756-RM001L-EN-P . An example of how this might be done is shown in Figure 57. must be used to interrogate the health of each I/O module in the system. monitor the SlotStatusBits for the Input tag of the associated adapter. or something similar. with GSV Instruction Figure 58 .Chapter 8 Faults in the ControlLogix System Module Fault Reporting for You must verify that all components in the system are operating properly. in this example. as shown. Figure 57 . • SlotStatusBits is a 32-bit value. a 1794-ACNR15. where the lower 8 bits correspond to a FLEX I/O module. This method.Keyswitch State (Operation mode) Change Logic GSV Class: CONTROLLERDEVICE Attribute: STATUS Destination: KEYSTATE KEYSTATE. For more information on the GSV instruction. For example. This can be accomplished in ladder logic through the use of the Get System Value Any ControlLogix or FLEX I/O instruction (GSV) and an examination of the MODULE Object’s Entry Status’ Module attribute for a running condition. The lower 8 bits of this tag correspond to the associated slot.July 2014 . the tag “Node3:I. • I indicates the Input file.Slot1StatusBits” is defined as follows: • Node 3 is the name given to the adapter.Example of Checking a Module’s Health in Ladder Logic GSV AND NEQ Check Entry Status to Obtain MODULE Object’s Mask Off Lower 12 Bits make sure module is Fault Entry Status of Value running. Module 7 Module 6 Module 5 Module 4 Module 3 Module 2 Module 1 Module 0 Checking Keyswitch Position The following rungs generate a fault if the keyswitch on the front of the controller is switched from the RUN position.

publication 1756-RM003.Keyswitch State Bits Bit 13 Bit 12 Description 0 1 Keyswitch in Run position 1 0 Keyswitch in Program position 1 1 Keyswitch in Remote position If bit 13 is ever ON. Examining an 1756 Analog ControlLogix analog modules perform processing and comparison of field data values right on the module.July 2014 101 . the High Alarm bits for channels 1 and 2 are being examined for a condition to initiate a fault. when exceeded. It is your responsibility to determine appropriate behavior when a fault is present. You can examine the state of these bits to initiate a fault as shown in Figure 59. Table 4 . For more information on the accessing the CONTROLLERDEVICE object. During operation. then the keyswitch is not in the RUN position. For example. which is then sent back to the controller. if the value exceeds the user-defined value for High Alarm. Figure 59 .High Alarm Bit to Trigger Fault Ch1HAlarmA Ch1HAlarmB Module A Module B Fault Fault Alarm to Operator In the example above. the alarm bit is set and a fault is declared. allowing for easy examination of status bits to initiate Input Module’s High Alarm a fault. the Get System Value (GSV) instruction interrogates the STATUS attribute of the CONTROLLERDEVICE object and stores the result in a word called KEYSTATE. will set a status bit on the module. where bits 12 and 13 define the state of the keyswitch as shown in Table 4. It is your responsibility to determine appropriate behavior when a fault is present. Rockwell Automation Publication 1756-RM001L-EN-P . the 1756-IF8 module can be configured with user-defined alarm values that. see the Logix5000 Controllers General Instructions Reference Manual. Faults in the ControlLogix System Chapter 8 In Figure 58 on page 100. as the analog input module processes analog signals from the field sensors. Examining bit 13 of KEYSTATE for an ON state will generate a fault.

publication 1756-UM009 Provides information on accessing modules’ run-time ControlLogix Digital I/O Modules User Manual. modules provide run-time status of their operation and of the process. Resource Description Logix5000 Controllers General Instructions Reference Provides information on how to use specific instructions Manual. including Manual.July 2014 . operational and process status publication 1756-UM058 102 Rockwell Automation Publication 1756-RM001L-EN-P .Chapter 8 Faults in the ControlLogix System Additional Resources The ControlLogix architecture provides the user many ways of detecting and reacting to faults in the system. Various device objects can be interrogated to determine the current operating status. publication 1756-RM003 to get and set controller system data stored in device objects Logix5000 Controllers Common Procedures Programming Provides information on controller fault codes. publication 1756-PM001 major and minor codes and on creating fault and power- up routines ControlLogix Analog I/O Modules User Manual. Additionally.

use good communication practices to limit the impact of communication processing on the controller.July 2014 103 . To avoid safety-related nuisance trips. the number. Use sound techniques in the application software within the HMI and controller. frequency. However. see Figure 10 on page 24. Systems Reading Parameters in Safety-related Systems Reading data is unrestricted because reading doesn’t affect the operation or behavior of the safety system. Accessing Safety-related HMI. These precautions include. and size of the data being read can impact controller performance.related functions consist of two primary activities: reading and writing data. Rockwell Automation Publication 1756-RM001L-EN-P . Chapter 9 Use of Human-to-Machine Interfaces Topic Page Precautions 103 Accessing Safety-related Systems 103 Precautions You must exercise precautions and implement specific techniques on HMI devices. testing and validation • Restrictions on data and access • Limits on data and parameters For more information on how HMI devices fit into a typical SIL loop. Do not set read rates to the fastest rate possible. but are not restricted to the following: • Limited access and security • Specifications.

Chapter 9 Use of Human-to-Machine Interfaces

Changing Safety-related Parameters in SIL-rated Systems

A parameter change in a safety-related loop via an external (that is, outside the
safety loop) device (for example, an HMI) is allowed only with the following
restrictions:

• Only authorized, specially-trained personnel (operators) can change the
parameters in safety-related systems via HMIs.

• The operator who makes changes in a safety-related system via an HMI is
responsible for the effect of those changes on the safety loop.

• You must clearly document variables that are to be changed.

• You must use a clear, comprehensive, and explicit operator procedure to
make safety-related changes via an HMI.

• Changes can only be accepted in a safety-related system if the following
sequence of events occurs.

a. The new variable must be sent twice to two different tags; that is, both
values must not be written to with one command.
b. Safety-related code, executing in the controller, must check both tags
for equivalency and make sure they are within range (boundary checks).
c. Both new variables must be read back and displayed on the HMI
device.
d. Trained operators must visually check that both variables are the same
and are the correct value.
e. Trained operators must manually acknowledge that the values are
correct on the HMI screen that sends a command to the safety logic,
which allows the new values to be used in the safety function.

In every case, the operator must confirm the validity of the change before
they are accepted and applied in the safety loop.

104 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

Use of Human-to-Machine Interfaces Chapter 9

• Test all changes as part of the safety validation procedure.

• Sufficiently document all safety-related changes made via HMI, including
the following:

– Authorization
– Impact analysis
– Execution
– Test information
– Revision information

• Changes to the safety-related system, must comply with IEC 61511
standard on process safety section 11.7.1 Operator Interface requirements.

• The developer must follow the same sound development techniques and
procedures used for other application software development, including the
verification and testing of the operator interface and its access to other
parts of the program. The controller application software should set up a
table that is accessible by the HMI and limits access to required data points
only.

• Similar to the controller program, the HMI software needs to be secured
and maintained for SIL-level compliance after the system has been
validated and tested.

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 105

Chapter 9 Use of Human-to-Machine Interfaces

Notes:

106 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

Local Chassis Configuration of Digital or Analog Modules Input Module Controller Output Module Rockwell Automation Publication 1756-RM001L-EN-P . • The output module processes data from the controller and turns the output device on or off. • The data is transmitted to the controller. • The controller transmits data to the output module.July 2014 107 . • The controller runs its program scan and reacts to the data change. Appendix A Reaction Times of the ControlLogix System Topic Page Local Chassis Configuration 107 Remote Chassis Configuration 108 Calculating Worst-case Reaction Time 108 The calculation formulas in this chapter can be used to calculate the worst-case reaction times for a given change in input or fault condition and the corresponding output action. Figure 60 . Local Chassis Configuration Figure 60 shows an example system with digital or analog modules where the following occurs: • Field signal changes state.

and so on.Appendix A Reaction Times of the ControlLogix System Remote Chassis Figure 61 shows an example system where the following occurs: Configuration • Input data changes on the input module. 108 Rockwell Automation Publication 1756-RM001L-EN-P . (1) Multiply the module RPI by 4. then 8.July 2014 . including sending new data to the output module via the network communication modules. publication 1756-TD002. • The data is transmitted to the controller via the network communication modules. until the result is at least 100 ms. Module delay times are listed in the ControlLogix I/O Modules Specifications Technical Data.Remote Chassis Configuration of Digital or Analog Modules Controller Network Network Input Input Output Output Communication Communication Module Module Module Module Module Module Calculating Worst-case The formulas for calculating worst-case reaction times with no system faults or errors differ slightly for digital or analog I/O modules. Figure 61 . • The controller runs its program scan and reacts to the data change. • The output module behavior changes based on the new data received from the controller. For Digital Modules Use this formula to determine worst-case reaction time for digital modules in local or remote configurations: Worst-Case Reaction Time with no faults or errors = (Input Module Delay + Input Filter Time) + (Input Module RPI x 4/8/16… 100 ms)(1) + (SIL 2 Task Period + SIL 2 Task Watchdog) + (Output Module RPI x 4/8/16… 100 ms)(1) + (Output Module Delay). as shown in the following Reaction Time sections. then 16.

Reaction Times of the ControlLogix System Appendix A Input filter time is configurable via the Configuration tab on the Module Properties dialog box in the programming software. Figure 62 . • If the safe state in your application is high.Digital Module Configuration Module RPI is configurable via the Connection tab. • If the safe state in your application is low. Rockwell Automation Publication 1756-RM001L-EN-P . use the On -> Off Input Filter Time. use the Off -> On Input Filter Time.July 2014 109 .

Filter time and RTS are configurable via the Configuration tab on the Module Properties dialog box in the programming software.July 2014 . publication 1756-UM009. Module RPI is configurable via the Connection tab. (1) Multiply the module RPI by 4. until the result is at least 100 ms. 110 Rockwell Automation Publication 1756-RM001L-EN-P . and so on.Appendix A Reaction Times of the ControlLogix System For Analog Modules Use this formula to determine worst-case reaction time for analog modules in local or remote configurations: Worst-Case Reaction Time with no faults or errors = (Real Time Sample (RTS) Rate) + (Input Module RPI x 4/8/16… 100 ms)(1) + (SIL 2 Task Period + SIL 2 Task Watchdog) + (Output Module RPI x 4/8/16… 100 ms)(1) + (Output Module Delay).Analog Module Configuration Refer to the ControlLogix Analog I/O Module User Manual. then 8. for information on setting filter and RTS values. Figure 63 . then 16.

if your existing SIL 2 application uses these power supplies. However.com/ (2) The 1756-PA75/A and 1756-PB75/A power supplies are no longer available. This indicates a version of the product that has conformal coating. These tables list publications related to these components.com/literature. No.com. when implementing new SIL 2-certified systems or upgrading existing systems. Table 5 .July 2014 111 .SIL 2-certified ControlLogix Components . However. 1756-A7 ControlLogix chassis 1756-A10.rockwellautomation. Appendix B SIL 2-certified ControlLogix System Components System components listed in this appendix are certified according to IEC 61508 2010 Edition 2. Rockwell Automation Publication 1756-RM001L-EN-P . we recommend that you use the 1756-PSCA2 module if possible.rockwellautomation. they are SIL 2 certified. 1756-A17 1756-PA75(2) ControlLogix AC power supply 1756-PB75(2) ControlLogix DC power supply 1756-PA75R ControlLogix AC redundant power supply 1756-PB75R ControlLogix DC redundant power supply 1756-IN005 1756-PA72 ControlLogix AC power supply 1756-PB72 ControlLogix DC power supply 1756-PC75 ControlLogix DC power supply 1756-PH75 ControlLogix DC power supply (3) 1756-PSCA ControlLogix redundant power supply chassis adapter module 1756-PSCA2(3) ControlLogix redundant power supply chassis adapter module (1) Some catalog numbers have a K suffix.(1) Description Related Documentation 1756-A4. For more information on which products have conformal coating go to http://ab. 1756-A13. Use only the series versions listed in Appendix C. Publications are available from Rockwell Automation by visiting http://www.Hardware Cat. (3) Existing systems that use the 1756-PSCA and 1756-PSCA2 are SIL 2-certified. These K versions have the same SIL 2 certification as the non-K versions. unless noted in the following tables.

No.SIL 2-certified ControlLogix Components . and Communication Modules Related Cat.(1) Description Documentation 1756-L61(2) (3) ControlLogix 2 MB controller 1756-L62(2) (3) ControlLogix 4 MB controller 1756-L63(2) (3) ControlLogix 8 MB controller (2) 1756-L71 ControlLogix 2 MB controller 1756-UM001 1756-L72(2) ControlLogix 4 MB controller 1756-L73(2) ControlLogix 8 MB controller 1756-L74(2) ControlLogix 16 MB controller (2) 1756-L75 ControlLogix 32 MB controller 1756-IA16I ControlLogix AC isolated input module 1756-IA8D ControlLogix AC diagnostic input module 1756-IB16D ControlLogix DC diagnostic input module 1756-UM058 1756-IB16I ControlLogix DC isolated input module 1756-IB32 ControlLogix DC input module 1756-IB16ISOE ControlLogix Sequence of Events module 1756-UM528 1756-IH16ISOE ControlLogix Sequence of Events module 1756-OA16I ControlLogix AC isolated output module 1756-OA8D ControlLogix AC diagnostic input module 1756-OB16D ControlLogix DC diagnostic output module 1756-OB16E ControlLogix DC electronically-fused output module 1756-OB16I ControlLogix DC isolated output module 1756-UM058 1756-OB32 ControlLogix DC output module 1756-OB8EI ControlLogix DC isolated output module 1756-OW16I ControlLogix isolated relay output module 1756-OX8I ControlLogix isolated relay output module 1756-IF8 ControlLogix analog input module 1756-IF16 ControlLogix analog input module 1756-UM009 1756-IF6I ControlLogix Isolated analog input module 1756-IF6CIS ControlLogix Isolated analog input module 1756-IF8H ControlLogix HART analog input module 1756-UM533 1756-IF16H ControlLogix HART analog input module 112 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 . I/O.Appendix B SIL 2-certified ControlLogix System Components Table 6 .1756 Nonredundant Controllers.

These K versions have the same SIL 2 certification as the non-K versions.com. ControlLogix Communication Modules for more information. Rockwell Automation Publication 1756-RM001L-EN-P .com/ (2) Use of any series B controller requires the use of the series B versions of the 1756-Px75 power supplies.SIL 2-certified ControlLogix Components . and Communication Modules Related Cat. SIL 2-certified ControlLogix System Components Appendix B Table 6 . No. For more information on which products have conformal coating go to http://ab. (3) Certified according to IEC 61508 1999 Edition 1. See Chapter 4. (4) Specified ControlNet repeaters may be used in SIL 2 applications.rockwellautomation.1756 Nonredundant Controllers. This indicates a version of the product that has conformal coating.(1) Description Documentation 1756-IR6I ControlLogix RTD input module 1756-IT6I ControlLogix Thermocouple input module 1756-IT6I2 ControlLogix enhanced Thermocouple input module 1756-UM009 1756-OF8 ControlLogix analog output module 1756-OF6CI ControlLogix isolated analog output module 1756-OF6VI ControlLogix isolated analog output module 1756-OF8H ControlLogix HART analog output module 1756-UM533 (4) 1756-CNB ControlLogix ControlNet communication module CNET-IN005 1756-CN2 ControlLogix ControlNet communication module CNET-UM001 1756-CN2R ControlLogix redundant media ControlNet communication module 1786-RPFS ControlNet short-distance fiber repeater module 1786-IN012 1786-RPFM ControlNet medium-distance fiber repeater module 1786-IN011 1786-RPFRL ControlNet long-distance fiber repeater module 1786-IN003 1786-RPFRXL ControlNet extra-long-distance fiber repeater module 1786-RPA ControlNet repeater adapter 1786-IN013 1786-RPCD ControlNet Hub repeater module 1786-IN001 1756-EN2TR Series B ControlLogix redundant media EtherNet/IP communication module ENET-IN002 1756-EN2TR Series C ControlLogix redundant media EtherNet/IP communication module ENET-UM001 1756-EN2T Series C ControlLogix EtherNet/IP communication module (1) Some catalog numbers have a K suffix. I/O.July 2014 113 .

(1) Description Documentation 1756-L61(2) (3) ControlLogix 2 MB controller 1756-L62(2) (3) ControlLogix 4 MB controller 1756-L63(2) (3) ControlLogix 8 MB controller (2) 1756-L71 ControlLogix 2 MB controller (2) 1756-UM001 1756-L72 ControlLogix 4 MB controller 1756-L73(2) ControlLogix 8 MB controller 1756-L74(2) ControlLogix 16 MB controller (2) 1756-L75 ControlLogix 32 MB controller 1756-CNB ControlLogix ControlNet communication module 1756-CNBR ControlLogix redundant media ControlNet communication module CNET-IN005 1756-CN2 ControlLogix ControlNet communication module CNET-UM001 1756-CN2R ControlLogix redundant media ControlNet communication module 1756-EN2T Series C ControlLogix EtherNet/IP communication module ENET-IN002 ENET-UM001 1756-EN2TR Series B ControlLogix redundant media EtherNet/IP communication module 1756-EN2TR Series C (1) Some catalog numbers have a K suffix.rockwellautomation.com/ (2) Use of any series B controller requires the use of the series B versions of the 1756-Px75 power supplies or the redundant power supplies. 114 Rockwell Automation Publication 1756-RM001L-EN-P . This indicates a version of the product that has conformal coating.1756 Redundancy System Components Related Cat. Table 8 . Description Documentation 1756-A4LXT ControlLogix-XT chassis 1756-A5XT. (3) Certified according to IEC 61508 1999 Edition 1. For more information on which products have conformal coating go to http://ab.SIL 2-certified ControlLogix Components . No. 1756-A7XT 1756-A7LXT 1756-IN005 1756-PAXT ControlLogix-XT power supply 1756-PBXT 1756-CN2RXT ControlLogix-XT ControlNet communication module CNET-IN005 CNET-UM001 1756-EN2TXT Series C ControlLogix-XT EtherNet/IP communication module ENET-IN002 ENET-UM001 1756-EN2TRXT Series C ControlLogix-XT EtherNet/IP communication module for redundant systems 1756-L63XT(1) ControlLogix-XT controller 1756-UM001 1756-L73XT ControlLogix-XT controller (1) Certified according to IEC 61508 1999 Edition 1. No.com. the 1756-Lx75R power supplies.SIL 2-certified ControlLogix-XT System Components Related Cat. These K versions have the same SIL 2 certification as the non-K versions.July 2014 . that is.Appendix B SIL 2-certified ControlLogix System Components Table 7 .

if you are using a 1756-EN2TXT module in your system. Table 9 . For more information about ControlLogix-XT module firmware revisions.com/support/.FLEX I/O Components For Use in the SIL 2 System Cat.July 2014 115 . ControlLogix-XT module release notes are available at: http://www.rockwellautomation.com/literature or http://www. No. For example. see the firmware release notes specific to the module.(1) Description Related Documentation(2) 1794-ACN15 FLEX I/O ControlNet single media adapter 1794-ACNR15 FLEX I/O ControlNet redundant media adapter 1794-IN128 1794-ACNR15XT FLEX I/O-XT™ ControlNet redundant media adapter 1794-AENT FLEX I/O EtherNet/IP communication adapter 1794-IN082 1794-AENTR FLEX I/O EtherNet/IP redundant communication adapter 1794-IN131 1794-AENTRXT FLEX I/O-XT EtherNet/IP redundant communication adapter 1794-IB16 FLEX I/O input module 1794-IN093 1794-IB16XT FLEX I/O-XT input module 1794-IN124 1794-IB10XOB6 FLEX I/O input/output module 1794-IN083 1794-IB10XOB6XT FLEX I/O-XT input/output module 1794-IN124 1794-OB16 FLEX I/O output module 1794-IN094 1794-OB16P FLEX I/O protected output module 1794-IN094 1794-OB16PXT FLEX I/O-XT protected output module 1794-IN124 1794-OB8EP FLEX I/O electronically-fused output module 1794-IN094 1794-OB8EPXT FLEX I/O-XT electronically-fused output module 1794-IN124 1794-OW8 FLEX I/O relay output module 1794-IN019 1794-OW8XT FLEX I/O-XT relay output module 1794-IE8 FLEX I/O analog input module 1794-IN100 1794-UM002 1794-IF4I FLEX I/O isolated analog input module 1794-IN038 1794-UM008 1794-IF4IXT FLEX I/O-XT isolated analog input module 1794-IN129 1794-UM008 1794-IF4ICFXT FLEX I/O-XT isolated analog input module 1794-IN130 1794-UM008 1794-IF2XOF2I FLEX I/O isolated analog input/output module 1794-IN039 1794-UM008 1794-IF2XOF2IXT FLEX I/O-XT isolated analog input/output module 1794-IN129 1794-UM008 1794-OE4 FLEX I/O analog output module 1794-IN100 1794-UM002 1794-OF4I FLEX I/O isolated analog output module 1794-IN037 1794-UM008 1794-IT8 FLEX I/O Thermocouple input module 1794-IN021 1794-UM007 Rockwell Automation Publication 1756-RM001L-EN-P . When obtaining firmware for ControlLogix-XT modules. SIL 2-certified ControlLogix System Components Appendix B \ IMPORTANT ControlLogix-XT™ modules use the same firmware as traditional ControlLogix components. download and use the firmware specific to each module. use SIL 2-certified firmware for the 1756-EN2T module.rockwellautomation.

(1) Description Related Documentation(2) 1794-IR8 FLEX I/O RTD input module 1794-IN021 1794-UM004 1794-IR8XT FLEX I/O-XT RTD input module 1794-IRT8 FLEX I/O Thermocouple/RTD input module 1794-IN050 1794-UM012 1794-IRT8XT FLEX I/O-XT Thermocouple/RTD analog input module 1794-IJ2 FLEX I/O counter module 1794-IN049 1794-UM011 1794-IJ2XT FLEX I/O-XT counter module 1794-IP4 FLEX I/O counter module 1794-IN064 1794-UM016 1794-IE4XOE2XT FLEX I/O-XT analog input/output module 1794-IN125 1794-IE8XT FLEX I/O-XT analog input module 1794-IN125 1794-OE4XT FLEX I/O-XT analog output module 1794-IN125 1794-OF4IXT FLEX I/O-XT isolated analog output module 1794-IN129 1794-UM008 1794-TB3 FLEX I/O terminal base unit 1794-TB3S FLEX I/O terminal base unit 1794-TB3T FLEX I/O temperature terminal base unit 1794-TB3TS FLEX I/O spring-clamp temperature terminal base unit 1794-IN092 1794-TB3G FLEX I/O cage-clamp generic terminal base unit 1794-TB3GS FLEX I/O spring-clamp generic terminal base unit 1794-TBN FLEX I/O NEMA terminal base unit 1794-TBNF FLEX I/O NEMA fused terminal base unit (1) Some catalog numbers have a K suffix. 116 Rockwell Automation Publication 1756-RM001L-EN-P . For more information on which products have conformal coating go to http://ab.rockwellautomation.Appendix B SIL 2-certified ControlLogix System Components Table 9 .July 2014 . No. These K versions have the same SIL 2 certification as the non-K versions.rockwellautomation.com/ (2) These publications are available from Rockwell Automation by visiting http://www.com.com/literature. This indicates a version of the product that has conformal coating.FLEX I/O Components For Use in the SIL 2 System Cat.

and the logic element). that is. they can be associated with each component of the logic element. the actuators. IEC 61508 quantifies this classification by stating that the frequency of demands for operation of the safety system is no greater than once per year in the Low Demand mode. PFH values for those applications are provided. Tables in this chapter present PFD and PFH values for ControlLogix and ControlLogix-XT components that are evaluated by TÜV. PFD calculations are commonly used for process safety applications and applications where emergency stop devices (ESDs) are used. Appendix C PFD and PFH Calculations for a SIL 2 System Topic Page About PFD and PFH Calculations 117 Determine Which Values To Use 118 About the Calculations in This Manual 118 1-Year PFD Calculations 119 2-Year PFD Calculations 124 5-year PFD Calculations 129 Using Component Values To Calculate System PFD 134 About PFD and PFH Probability of failure on demand (PFD) is the SIL value for a safety-related system as related directly to order-of-magnitude ranges of its average probability Calculations of failure to satisfactorily perform its safety function on demand. Because ControlLogix is suitable for high demand applications up to and including 10 demands per year. Although PFD values are usually associated with each of the three elements making up a safety-related system (the sensors. Probability of failure per hour (PFH) is typically used to describe safety performance for high demand applications.July 2014 117 . each module of a programmable controller. Rockwell Automation Publication 1756-RM001L-EN-P .

for more information about calculating PFD values for your system.Appendix C PFD and PFH Calculations for a SIL 2 System Determine Which Values To Use IMPORTANT You are responsible for determining which of the values provided are appropriate for your SIL 2-certified system. 118 Rockwell Automation Publication 1756-RM001L-EN-P . Part 6.July 2014 . • Communication and controller communication modules have PFD values specific to use in a 1oo1 configuration. that is 1oo1 or 1oo2. About the Calculations in For the calculations presented in this chapter. Annex B. Refer to IEC 61508. detected failure rate = λ/2 x DC λdu= dangerous. Common Terms λ = failure rate = 1/MTBF λs = rate of safe failures = λ x 50% λd = rate of dangerous failures = λ x 50% λdd= dangerous. Determine which values to use based on the modules used your system and the system configuration. Each of the PFD and PFH calculated values provided in this manual is based on the configuration that the module can be used in. undetected failure rate = λ/2 x (1-DC) SFF = safe failure fraction =(λs +λdd)/λ TCE1oo1 = channel equivalent down time = λdu/λd x (T1/2 + MRT) + (λd/λd x MTTR) DC = diagnostic coverage ß = common cause failure rate ßd = common cause failure rate. • Proof test interval (T1) is listed for each table. Part 6. these values were used as the two application-dependent variables: This Manual • Mean time to restoration (MTTR) is ten hours. dangerous 1oo1 Configuration STR1oo1 = spurious trip rate = λs + λdd PFD1oo1 = (λdd + λdu) x TCE PFH1oo1 = λdu 1oo2 Configuration STR1oo2 = spurious trip rate = 2 x (λs + λdd) TGE1oo2 = system equivalent down time = λdu/ λd x (T1/3 + MRT) + (λdd/ λd x MTTR) PFD1oo2= 2 x [(1-ßD) x λdd + (1-ß) x λdu]2 x TCE x TGE + (ßD x λdd x MTTR) + ß x λdu x (T1/2 + MRT) PFH1oo2 = 2 x [(1-ßD) x λdd + (1-ß) x λdu] x (1-ß) x λdu x TCE + ß x λdu The PFD and PFH values in this manual are calculated with formulas explained in IEC 61508. • Input or output modules have PFD values specific to use in a 1oo2 configuration.

012 ControlLogix controller.48E-08 95% 8.34E-06 96% 1.69E-06 1.48E-09 3.80E-06 1.91E-06 1.54E-07 95% 3.034.35E-08 4.34E-05 medium 1786-RPFRL A ControlNet Fiber repeater .19E-08 2.19E-09 2.16E-04 20.1.360 5.69E-08 448 5.50E-04 20.069.26E-06 448 2.440 8.35E-07 4.50E-04 20.012 ControlLogix controller.54E-08 1.055 FMEA (4) 1756-L74 B 20.81E-09 1.25E-06 340 2.012 ControlLogix-XT controller.012 ControlLogix controller.91E-06 1.081.short 26.40E-06 95% 1.146.63E-08 448 3. 2MB 2.30E-09 5.50E-07 5.21E-08 95% 2.89E-08 95% 1.74E-08 2.46E-08 4.628.055 Not Applicable 1756-L72(4) B 20.45E-08 448 5.81E-07 95% 6.19E-09 1.91E-06 1.79E-08 4.095 3.43E-05 power supply 1756-PB75R A 18-32V DC 13A Redundant 1.00E-07 4.41E-08 448 5.12E-07 2.91E-06 1.99E-09 2.03E-08 4.87E-08 448 6.00E-06 5.62E-08 1.00E-08 4.01E-07 1.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .35E-07 448 9.62E-08 2. 16.58E-09 7.35E-08 2.69E-08 2. Table 10 .055 1756-L63(3) B 20.20E-05 power supply (75W) 1756-PA75R A 85-265V AC 13A Redundant 1.67E-09 1.227 1.055.520 4.25E-06 340 2.59E-04 ControlLogix power supply 1756-PB75 B 18-32V DC 13A ControlLogix 15. 32MB 2.25E-06 340 2. PFD and PFH Calculations for a SIL 2 System Appendix C 1-Year PFD Calculations The PFD calculations in this table are calculated for a 1-year proof test interval (8760 hours) and are specific to ControlLogix system components.99E-08 2.62E-07 95% 4.280 2.78E-08 1.48E-07 2.055 MTBF and 1756-L73XT(4) B 20.81E-08 3.012 ControlLogix controller.80E-05 power supply 1756-PH75 B 90-143V DC 13A ControlLogix 2.717.87E-08 448 1.855.080 3.83E-07 95% 4.40E-08 95% 4.89E-07 4.21E-09 1.055 (4) 1756-L71 B 20.47E-06 1786-RPFM A ControlNet Fiber repeater .40E-07 1.72E-07 2.01E-07 1. 16MB 2.19E-08 95% 3.120 9.73E-08 95% 2.48E-09 7.Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.34E-06 96% 1.12E-04 20.760 2.01E-07 4.020 5.88E-08 2.055 1756-L62(3) B 20.83E-08 2.836 1.89E-09 1.50E-07 448 9.600 9.736.75E-08 95% 8.81E-08 95% 1.21E-09 9.25E-06 340 2.412.08E-08 2.89E-09 8.96E-06 adapter 1756-PSCA2 A Redundant power supply 38.420 1.69E-07 95% 2.01E-07 4.11E-09 9.21E-08 1.727 2.67E-08 95% 2.91E-06 1.38E-08 3.044 5.826.07E-04 1756-PB72 C 18-32V DC 10A ControlLogix 31.693.75E-09 3.47E-07 2.01E-07 4.67E-09 2. λd Trip Rate PFH(10) PFH(10) Fraction λdu λdd TCE1oo1 PFD Trip Rate TGE PFD Series (MTBF)(7) STR STR (SFF) 1756-AXX(2) C ControlLogix chassis 22.75E-07 8.23E-09 1.74E-09 1.extra 11.760 3.00E-08 2.32E-08 1.894.18E-07 448 6.01E-07 4.44E-08 1.89E-06 1756-A4LXT B 4-slot ControlLogix-XT chassis 1.01E-07 1.70E-08 448 3.72E-07 3.012 ControlLogix controller. 2MB 1.01E-07 1.89E-05 1786-RPFRXL B ControlNet Fiber repeater .59E-08 1.01E-07 1.50E-04 20.652.11E-06 1756-A7XT C 7-slot ControlLogix-XT chassis 1.74E-09 7.36E-06 6.69E-06 1.01E-07 4.26E-07 448 9.88E-07 95% 2.69E-06 1.76E-07 2.36E-08 2.055 (4) 1756-L75 B 20.00E-07 95% 5.58E-08 95% 1.25E-07 4.36E-08 1.69E-06 1.35E-08 2.82E-06 1786-RPA B ControlNet repeater adapter 11. 4MB 2. 8MB Calculated 2.39E-07 2.561.000.34E-06 96% 1.62E-08 4.47E-07 4.99E-09 1.66E-06 1.10E-08 1.10E-04 1756-A5XT C 5-slot ControlLogix-XT chassis 734.675.97E-09 448 2.69E-08 1.10E-06 power supply 1756-PA72 C 85-265V AC 10A ControlLogix 18.146 8.475 6.336.044 5.010 4.06E-04 power supply 1756-PSCA A Redundant power supply 45.12E-07 448 4.99E-08 95% 2.91E-06 1.74E-08 4.06E-08 3.25E-06 340 2.146 5.70E-07 8.81E-08 6.99E-08 448 4.54E-08 3.22E-05 power supply 1756-PA75 B 85-265V AC 13A ControlLogix 18.long 5.17E-08 448 2.43E-07 448 5.69E-06 1.47E-08 1.50E-04 20.05E-04 1756-A7LXT B 7-slot ControlLogix-XT chassis 27.01E-07 1.461.29E-06 6.82E-06 adapter 1786-RPFS A ControlNet Fiber repeater .01E-07 4.24E-04 20.23E-08 95% 4.78E-07 4.45E-08 2.67E-09 2.60E-08 1. 8MB 357.053 1.58E-09 1.877 7.13E-07 448 1.67E-08 95% 2.40E-09 1.055 Rockwell Automation Publication 1756-RM001L-EN-P .461.40E-09 3.30E-08 95% 1.73E-09 2.26E-04 20.49E-08 1.41E-08 2.119.862 5.67E-09 1.43E-08 448 3.178 3.08E-08 2.63E-08 448 1.18E-08 2.59E-07 448 5.50E-04 20.57E-08 448 3.74E-08 95% 1.012 ControlLogix controller.910 9.75E-09 7.055 1756-L73(4) B 20.68E-07 95% 4.11E-09 4.25E-06 340 2.21E-04 supply 1756-PC75 B 30-60V DC 13A ControlLogix 5.41E-08 448 5.50E-04 20.83E-08 4.654.88E-08 1.July 2014 119 .29E-04 ControlLogix power supply 1756-PAXT B Not ControlLogix-XT AC power supply 18. 8MB PFD via 2.61E-07 8.66E-07 4.17E-08 1.69E-06 1.73E-09 1.373.012 ControlLogix-XT controller.34E-06 96% 1.08E-07 3.830 9.34E-06 96% 1.18E-07 4.30E-09 1.012 ControlLogix controller.81E-08 448 8.23E-09 3. 4MB 1. 8MB 1.97E-05 long 1756-L61(3) B 20.40E-07 6.96E-08 448 8.36E-07 95% 2.74E-07 95% 4.01E-08 1.055 1756-L63XT(3) B 20.697.16E-07 448 8.34E-06 96% 1.21E-07 448 8.92E-05 1786-RPCD A ControlNet Hub repeater 28.68E-08 4.81E-09 8.69E-08 2.68E-08 2.20E-05 Applicable Not Applicable 1756-PBXT B ControlLogix-XT DC power 1.66E-07 8.11E-08 95% 1.012 ControlLogix controller.693.

87E-07 96.59E-05 redundant communication module 1756-CN2 B 20.81E-08 2.Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.69E-07 3.13E-08 80% 1.23E-10 5.90E-07 5.977 5.81E-07 95% 3.53E-07 95% 2.23E-08 6.2 1.92E-08 1.31E-10 1.011 ControlLogix-XT ControlNet 1.28E-10 2.27E-07 448 4.79E-07 Remote I/O Module 1756-DHRIOXT(5) E 7.018 ControlLogix SyncLink Module 6.83E-07 1.46E-06 input module 1756-IB16I A 3.299 9.53E-08 2.396 2.53E-08 1.62E-07 3.005 ControlLogix ControlNet 2.62E-08 9.04E-04 redundant communication Not Applicable module 1756-CN2R C 25.920 4.13E-04 redundant communication module 1756-CN2RXT C 25.85E-08 3.12E-07 4.6% 6.56E-07 95% 4.005 ControlLogix DeviceNet 2.10E-07 448 8.011 ControlLogix ControlNet 1.40E-08 80% 9.007 ControlLogix-XT EtherNet/IP 269.46E-07 448 7.664.62E-09 2.786.096.July 2014 .00E-06 redundancy module 1756-RM2XT A 20.007 ControlLogix EtherNet/IP 269.160 5.006 ControlLogix EtherNet/IP Calculated 1.97E-06 9.28E-07 module Not applicable 1756-RM2 A 20.080 6.32E-07 2.094 1.31E-07 6.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .300.97E-06 9.97E-06 9.003 ControlLogix isolated V AC input 20.007 ControlLogix EtherNet/IP 269.003 ControlLogix isolated V DC input 81.21E-07 303.62E-09 9.46E-09 3.192.82E-06 258.21E-07 303.0E-04 3.31E-07 3.801.62E-08 3.36E-07 95% 1.43E-07 448 7.62E-08 9.198 3.11E-05 communication module with fault tolerance 1756-EN2TR C 10.840 7.91E-05 5.21E-07 303.31E-08 1.08E-05 1.61E-09 4.182 4.81E-10 2.80E-07 2.774 Non-interference only 3.096.21E-07 303.46E-09 1.62E-08 3.00E-07 1178 6.62E-08 3.36E-09 6.71E-06 Not applicable communication module Not applicable 1756-EN2TR B 5.62E-08 3.543 3.006 communication module 1756-EN2T C 5.76E-06 input module 1756-IB16D A 3.503.69E-08 1178 4.09E-07 Not applicable 1756-IA16I A 3.85E-08 1.6% 6.21E-07 303.01E-08 1.14E-09 80% 2.92E-07 95% 1.008 ControlLogix EtherNet/IP 3.011 ControlLogix ControlNet 1.80E-07 95% 2.12E-06 module 1756-IA8D A 3.04E-04 communication module 1756-CN2 C 25.91E-06 6.82E-09 2.68E-09 1762 9.608.60E-07 2.61E-09 1.65E-08 6.82E-06 258.24E-05 7.774 3.52E-07 448 5.92E-08 8.004 ControlLogix ControlNet Calculated 1.63 1.932.6% 6.008 ControlLogix-XT EtherNet/IP 1.91E-06 6.396 2.10E-07 448 8.12E-07 4.004 ControlLogix-XT enhanced 250.71E-04 communication module 1756-EN2T D 10.25E-08 1.712 7.56E-08 2.003 ControlLogix diagnostic V AC 15.24E-07 3.80E-08 2.25E-08 5.81E-08 1.67E-07 4.97E-06 9.87E-07 96.79E-07 Plus Remote I/O Module Non-interference only Not applicable Not applicable 1756-DNB(5) D 12.02E-06 module 1756-SYNCH(5) A 2.29E-08 1178 3.23E-07 448 2.0E-04 redundant communication MTBF and module PFD via FMEA 1756-CN2RXT B 20.62E-08 9.91E-06 6.63 1.6% 6.2 1.47E-07 6.182 4.85E-08 9.640 1.003 ControlLogix diagnostic V DC 30.003 ControlLogix redundancy 1.0E-04 3.71E-06 communication module with fault tolerance 1756-RM(5) B 3.73E-07 448 3.004 ControlLogix-XT ControlNet Calculated 1.91E-06 6.88E-08 1762 5.63 1.36E-09 6.002 ControlLogix Data Highway Plus 2.503.71E-06 communication module 1756-EN3TR B 10.62E-08 3.63 1.0E-04 communication module MTBF and PFD via FMEA 1756-CN2R B 20.003 ControlLogix-XT redundancy 980.63 1.00E-06 redundancy module 1756-RMXT(5) B 3.36E-08 1.81E-08 3.65E-08 80% 6.774 3.52E-05 1.25E-04 communication module 1756-CNBR E 11.202 3.87E-07 96.008 ControlLogix EtherNet/IP 1.0E-04 redundant communication MTBF and module PFD via FMEA 1756-DHRIO(5) E 7.228.Appendix C PFD and PFH Calculations for a SIL 2 System Table 10 .004 ControlLogix ControlNet Calculated 1.41E-07 module 120 Rockwell Automation Publication 1756-RM001L-EN-P .002 ControlLogix-XT Data Highway 2.62E-08 9.96E-08 1178 1.92E-09 1762 2.299 9.97E-06 9.966.61E-07 communication module 1756-ENBT(5) A 4.87E-07 96.11E-06 communication module with fault tolerance 1756-EN2TXT C 5.56E-08 4.11E-06 communication module with MTBF and fault tolerance PFD via FMEA 1756-EN2TRXT C 10.006 ControlLogix EtherNet/IP 1.373.05E-07 2.44E-08 1762 3.87E-07 96.980.960 2.008 ControlLogix EtherNet/IP 2.36E-08 6.67E-07 4.64E-07 1.05E-07 Not applicable 2.443.59E-07 1.088.91E-06 6.312.94E-07 6.73E-07 1.85E-07 95% 3.72E-04 Not applicable communication module 1756-EN2TXT D 10.62E-08 9.096 1.26E-08 3.56E-08 4.80E-08 1. λd TCE1oo1 Trip Rate PFH(10) PFH(10) Fraction λdu λdd PFD Trip Rate TGE PFD Series (MTBF)(7) STR STR (SFF) 1756-CNB E 11.90E-07 5.004 Non-interference only ControlLogix enhanced 250.000 7.005 ControlLogix ControlNet 1.56E-07 95% 4.56E-08 2.1.6% 6.640 3.

002 ControlLogix V DC diagnostic 8.03E-08 1762 3.070 7.22E-09 5.93E-09 3.32E-07 80% 9.79E-05 1.53E-05 Ring media 1794-AENTRXT A 1.08E-06 module 1756-IF8H A 1.33E-08 1.223.013 ControlLogix isolated analog 4.35E-08 1.26E-06 1178 8.64E-10 2.95E-07 9.July 2014 121 .39E-08 1762 3.04E-07 1178 2.223.604.91E-08 1.684 1.019.87E-05 1.070 7.22E-07 6.45E-04 2.005 ControlLogix analog input 8.56E-07 3.13E-09 4.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .06E-05 input module 1756-IH16ISOE A 2.013 FLEX I/O EtherNET/IP adapter.09E-07 80% 4.91E-08 8.53E-07 1178 9.002 ControlLogix V AC output 32.17E-07 80% 4.13E-07 1762 3.71E-08 4.04E-08 1.10E-07 1762 5.43E-08 6.002 ControlLogix HART analog input 1.81E-07 80% 1.003 FLEX I/O ControlNet adapter 8.005 ControlLogix analog input 4.77E-08 80% 3.013 ControlLogix isolated analog 21.69E-08 7.1.002 ControlLogix isolated relay 13.20E-07 5.99E-07 1178 5.007 ControlLogix V DC Sequence Of 2.43E-08 3.91E-08 5.48E-07 1178 2.67E-08 4.30E-08 4.19E-04 2.827 5.824 2.05E-04 1.525 2.63E-05 thermocouple input module 1756-OA16I A 3.45E-08 1762 9.26E-09 4.52E-08 80% 6.20E-07 80% 4.65E-07 2.891.20E-09 5.32E-07 3.223.65E-08 80% 1.72E-07 9.41E-09 1.12E-07 1762 2.34E-07 1.695.71E-08 1.19E-08 1762 5.58E-07 2.26E-09 1.013 ControlLogix isolated analog 8.08E-08 80% 2.89E-07 3.29E-04 5.04E-04 module 1756-IF6CIS A 1.24E-06 1178 7.13E-06 80% 4.33E-08 80% 1.55E-07 2.046 3. 1.79E-08 2.899 7. 1.07E-08 1.013 ControlLogix isolated analog 2.98E-06 output module 1756-OB32 A 3.82E-08 1762 7.82E-06 Sequence Of Events input module 1756-IB32 B 3.37E-07 1762 1.003 FLEX I/O ControlNet redundant 8.73E-08 2.32E-04 6.72E-09 2.78E-08 80% 1.46E-08 3.19E-09 9.002 ControlLogix V DC isolated 7.30E-08 4.28E-05 1.59E-08 1762 9.72E-09 1.33E-08 2.33E-08 80% 1.92E-07 1178 1.22E-06 1756-IF8 A 1.31E-08 80% 9.94E-07 80% 1.00E-08 1762 5.667 1.37E-06 1794-ACNR15 D 10.002 ControlLogix HART analog input 442.65E-07 8.592.65E-08 1762 7.254 1.04E-05 module 1756-IT6I A 1.002 ControlLogix V DC output 2.65E-08 1762 1.77E-07 1.01E-04 1.684 1.42E-08 80% 1.462.30E-08 1.65E-08 1762 1.013 ControlLogix isolated RTD input 4.30E-08 1.43E-08 3.15E-06 electronic ally-fused output module 1756-OX8I A 3.92E-04 3.54E-08 1.684 1.33E-08 5.14E-07 1178 7.681.81E-06 4.80E-07 1178 1.32E-07 1762 6.007 ControlLogix isolated V DC 11.53E-08 1762 1.94E-07 80% 1.17E-07 1178 7.26E-06 1.18E-08 1762 1.714 6.635 1.354.95E-07 1178 1.41E-08 4.36E-09 1.67E-08 3.187 1.960 4.08E-08 80% 2.08E-08 80% 2.22E-07 6.77E-09 1.47E-05 module 1756-IF16 A 1.329 9.07E-05 Events input module 1756-IR6I A 1.15E-09 5.84E-08 4.150.86E-07 80% 7.84E-07 1178 1.080 3.91E-08 2.059.22E-09 5.003 FLEX I/O EtherNET/IP adapter 1.64E-07 1178 1.22E-07 6.013 FLEX I/O EtherNET/IP adapter.73E-08 7.93E-08 1.699.41E-07 1178 8.291.39E-08 1.95E-07 1178 1.74E-07 4.75E-07 1178 2.15E-07 5.97E-06 output module 1756-OB16E A 3.08E-07 2.99E-03 3.62E-07 2.86E-08 1178 3.25E-08 9.22E-06 output module 1756-OF8 A 1.88E-07 80% 7.42E-05 1.64E-06 module 1756-IF16H A 1.04E-10 1.002 ControlLogix V DC isolated 14.71E-08 1.43E-05 1.70E-08 80% 1.58E-08 1762 Not allowed for 1oo1 4.629.32E-10 3.200 7.66E-05 module 1756-OB8EI A 3.14.70E-08 9.53E-07 1.002 ControlLogix isolated relay 6.12E-07 1.41E-08 1178 4.26E-06 1178 8.12E-05 thermocouple input module configurations 1756-IT6I2 A 1.002 ControlLogix HART analog 5.58E-08 2.46E-08 1.90E-06 output module 1756-OB16D A 3.00E-08 2.61E-06 1178 2.63E-08 2.98E-07 7.957.39E-07 1.39E-08 3.05E-08 7.37E-07 1762 1.30E-08 1.89E-07 3.22E-09 5.13E-07 1178 1.65E-08 1.04E-06 output module 1756-OF6CI A 1.08E-09 3.506 2.52E-07 1.44E-07 1178 4.11E-04 3.69E-10 3.720.34E-06 module 1756-OA8D A 3.55E-09 1.884.18E-07 1.95E-07 1178 1.29E-06 output module 1756-OW16I A 3.005 ControlLogix analog output 10.03E-07 1178 3.75E-08 80% 2.87E-08 1762 7.88E-08 8.81E-09 1.68E-10 2.06E-08 1762 1. PFD and PFH Calculations for a SIL 2 System Appendix C Table 10 .68E-07 1.08E-09 9.268.13E-08 3.42E-08 1.005 ControlLogix V DC input module 10.914 2.44E-10 4.97E-09 8.92E-07 4.040 8.268.19E-07 1.58E-07 2.15E-10 3.118.13E-07 5.01E-07 7.311.63E-08 80% 2.56E-08 4.316 3.15E-06 module 1756-OF6VI A 1.54E-08 3.82E-04 1.760 8.185 2.55E-07 6.84E-08 1.25E-08 3.779.720 4.92E-05 1.12E-09 1762 2.97E-07 1178 3.46E-08 6.87E-07 80% 1.654.43E-08 6.795 9.95E-08 1762 1.77E-08 7.50E-05 1794-AENTR A 1.73E-07 1.268.39E-07 1178 8.37E-06 Not allowed for 1oo1 1794-AENT B 4.86E-08 1762 1.39E-07 1762 3.35E-08 6.08E-09 3.374 1.08E-09 2.456 3.35E-07 6.87E-10 3.69E-07 1762 configurations 8.94E-06 fused output module 1756-OB16I A 3.Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.013 ControlLogix isolated enhanced 2.79E-08 7.003 ControlLogix V AC diagnostic 11.74E-07 3.65E-08 1762 1.003 ControlLogix V DC electronic ally.10E-04 7.83E-07 1178 2.88E-08 2.52E-07 6.66E-09 7.29E-05 1.20E-08 2.38E-08 1762 9.59E-10 4.98E-08 80% 2.68E-05 4.08E-05 7.72E-09 2.72E-04 3.53E-05 Ring media Rockwell Automation Publication 1756-RM001L-EN-P .43E-08 3.997.160 1.07E-07 1178 6.37E-06 adapter 1794-ACNR15XT D 10.26E-07 80% 5.51E-07 1178 9.013 ControlLogix isolated 3.30E-08 3.35E-08 1.36E-09 5.84E-07 80% 7.29E-06 output module 1756-OF8H A 1.88E-07 1178 3.30E-08 3.25E-08 80% 3.67E-05 input module 1756-IF6I A 1.77E-08 2.388.64E-05 1.77E-07 1762 1.17E-07 1178 1.43E-08 2.60E-08 1762 6.14E-08 1762 5.53E-08 1.176.003 FLEX I/O-XT ControlNet adapter 8.537. λd TCE1oo1 Trip Rate PFH(10) PFH(10) Fraction λdu λdd PFD Trip Rate TGE PFD Series (MTBF)(7) STR STR (SFF) 1756-IB16ISOE A 2.57E-08 80% 1.978 7.64E-06 output module 1794-ACN15 D 10.46E-08 2.77E-08 80% 2.

52E-06 module 1794-OW8XT A FLEX I/O-XT isolated relay output 18.00E-10 4.91E-07 1178 1.81E-10 3.37E-07 6.74E-08 1.56E-08 80% 1.000.27E-09 3.17E-08 4.322.26E-08 1178 4.088.518.049 6.03E-08 1762 1.14E-06 module 1794-IF4I A I FLEX I/O isolated analog input 9.59E-08 1762 8.95E-08 1178 1.37E-09 1.08E-07 1178 6.027.610 5.381.64E-08 1762 1.18E-05 input module 1794-IRT8XT B E.74E-06 module 1794-OE4 B Not Applicable FLEX I/O analog output module 18.05E-06 module 122 Rockwell Automation Publication 1756-RM001L-EN-P .19E-07 1178 1.78E-10 2.487 4.54E-08 1762 1.79E-08 4.89E-08 1178 1.709.317.22E-08 80% 2.63E-07 1178 4.344.50E-08 1178 2.587.09E-08 80% 8.33E-06 Not 1794-IE8XT B Applicable FLEX I/O-XT analog input 14.35E-08 1762 7.802 8.81E-08 9.509 4.00E-09 80% 2.55E-07 80% 1.640 1.Appendix C PFD and PFH Calculations for a SIL 2 System Table 10 .902 1.71E-08 80% 1.433.08E-08 1.800.84E-10 8.53E-07 1178 1.269 7.64E-08 5.60E-08 1178 1.04E-07 5.409 4.54E-08 1.81E-10 7.77E-06 configurations 1794-IP4 B 4 FLEX I/O counter module 22.1 FLEX I/O-XT RTD/Thermocouple 8.22E-07 6.44E-08 1.27E-08 80% 9.016.01E-09 8.128 8.60E-08 1178 1.000.61E-09 5.844 1.60E-08 1178 1.1 FLEX I/O RTD/Thermocouple 1.884.62E-09 8.00 1.914.96E-07 1794-IJ2XT A E Not allowed for 1oo1 FLEX I/O-XT counter module 11.15 5.895 3.00E-06 input/output module 1794-IE4XOE2XT B FLEX I/O-XT analog input/output 11.464.13E-08 1762 1.83E-09 8.03E-08 1762 5.July 2014 .63E-08 1762 8.99E-06 electronically-fused output module 1794-OB16 A FLEX I/O 24V DC output module 54.05E-06 input module 1794-IF4ICFXT A I FLEX I/O-XT isolated analog 7.59E-09 7.06E-08 80% 2.71E-08 2.87E-08 80% 7.44E-10 1.204.19E-10 1.88E-06 module Not allowed for 1oo1 1794-OF4I A I FLEX I/O analog output module 23.00E-09 1762 1.27E-08 80% 1.41E-07 module 0 1794.00E-09 1762 Not allowed for 1oo1 1.12E-08 1762 5.39E-08 80% 1.01E-09 4.61E-06 Not allowed for 1oo1 1794-IRT8 B E.47E-08 4.79E-09 80% 1.00E-08 5. A FLEX I/O-XT 22.000.918 1.67E-07 1178 1.401 3.885.89E-07 1178 1.38E-09 6.493.09E-08 3.08E-08 1.01E-09 1.21E-08 1178 4.519 5.40E-08 80% 5.36E-07 1178 8.05E-09 4.12E-05 module 1794-IF2XOF2I A I FLEX I/O isolated analog input/ 8.00E-09 80% 2.14E-08 1762 1.42E-07 2.45E-07 Not 8 1794-IB16XT A Applicable FLEX I/O-XT 35.44E-08 3.959 1.36E-08 1762 7.54E-08 4.097.57E-11 2.03E-08 1762 1.74E-08 4.08E-09 1.77E-07 2.37E-07 1178 8.99E-06 IB10XOB6XT 24V DC input/output module Not 1794-OB8EP A Applicable FLEX I/O 24V DC electronically.03E-09 80% 3.42E-08 2.11E-07 3.140 1.632 1.62E-07 1178 1.41E-07 1178 8.47E-06 module 1794-IF4IXT A I FLEX I/O-XT isolated analog 7.56E-08 1762 1.407.41E-07 fused output module 0 1794-OB8EPXT A FLEX I/O-XT 24V DC 14.00E-08 5.82E-07 9.00E-10 4.41E-10 2.38E-09 6.11E-09 1.00 1.792 1.43E-09 1762 4.65E-06 Not Applicable 24V DC protected output module 1794-OW8 A FLEX I/O isolated relay output 29. λd TCE1oo1 Trip Rate PFH(10) PFH(10) Fraction λdu λdd PFD Trip Rate TGE PFD Series (MTBF)(7) STR STR (SFF) 1794-IB16 A FLEX I/O 24V DC input module 179.97E-08 80% 3.46E-08 1762 2.14E-07 1178 7.91E-09 1178 5.20E-09 80% 3.46E-08 1178 5.69E-08 2.77E-08 3.18E-07 5.10E-08 80% 3.00E-09 3.00E-06 1794-IB10XOB6 A FLEX I/O 24V DC input/output 100.189 2.54E-08 2.770 5.00E-09 3.39E-06 1794-OE4XT B FLEX I/O-XT analog output 11.64E-08 1178 5.19E-07 1178 1.13E-07 1762 configurations 1.19E-09 5.50E-08 1178 3.35E-08 2.70E-08 80% 1.74E-08 4.68E-09 5.55E-10 2.76E-08 2.51E-10 1.19E-07 1178 2.75E-10 1.890 1.202.42E-09 1762 2.11E-07 1794-OB16P A FLEX I/O 24V DC protected 100.11E-08 1762 2.70E-08 1178 4. 100.62E-08 1762 8.26E-08 1762 configurations 6.09E-08 80% 2.140 1.81E-10 1.54E-08 1762 1.43E-10 2.91E-08 80% 3.30E-10 2.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .585.000 7.14E-06 1178 7.00E-09 80% 2.12E-08 3.06E-08 1.297.38E-07 80% 9.43E-07 1762 7.29E-08 2.64E-08 80% 1.041.75E-08 1762 2.40E-08 2.05E-06 input module 1794-IR8 A K FLEX I/O RTD input module 5.231 1.Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.58E-07 7.11E-08 1762 2.42E-08 2.297.744 8.67E-09 1762 8.81E-08 1.68E-08 1178 5.24E-08 80% 1.84E-09 2.49E-09 1.99E-08 1178 3.85E-06 1794-OF4IXT A I FLEX I/O-XT analog output 5.57E-09 2.98E-08 1762 3.24E-06 24V DC input module 1794-IJ2 A D FLEX I/O counter module 55.01E-07 5.82E-06 1794-IR8XT A K FLEX I/O-XT RTD input module 9.50E-10 3.200 4.56E-10 3.37E-07 6.00E-08 5.506.00E-09 3.14E-10 3.88E-09 1.85E-08 80% 2.00E-10 4.38E-08 80% 1.22E-09 5.52E-09 1762 2.72E-08 80% 6.02E-08 3.84E-08 9.25E-08 80% 9.99E-07 9.36E-08 3.714.38E-06 input module 1794-IT8 A K FLEX I/O Thermocouple input 2.66E-08 1762 1.771.1.41E-07 output module 0 configurations 1794-OB16PXT A FLEX I/O-XT 26.91E-08 80% 2.95E-07 1178 1.99E-08 5.22E-06 output module 1794-IF2XOF2IXT A I FLEX I/O-XT isolated analog 6.38E-06 module 1794-IE8 B FLEX I/O analog input module 18.85E-08 80% 2.19E-08 2.50E-08 2.00 1.00E-09 1762 1.

00E-09 3.60E-08 1178 1. -A13 and -A17 chassis.000.312.com/ (2) Average of 1756-A4. (3) Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1.03E-07 7.000.41E-07 terminal base unit 0 1794-TB3S A FLEX I/O terminal base unit 100.000.00E-09 1762 1.90E-08 7.60E-08 1178 1. consult the Revision Release List. (10) Demand rate must be less than 10 per year.000 7.00E-09 3.00E-09 3.000.00E-09 2.04E-08 1.00E-09 1762 configurations 1.779.56E-09 80% 3.July 2014 123 .00E-09 80% 8.A Not Analog Input Termination Board 11.41E-07 Not 0 Not allowed for 1oo1 1794-TB3T A Applicable FLEX I/O temperature terminal 100.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No. A DC Output Termination Board 10.000.82E-09 5.06E-08 1178 1. (7) MTBF measured in hours unless calculated (as noted).03E-07 Non-interference only Not Applicable Not Applicable 3(5) Applicable 1492-TIFM4OF.73E-09 1762 3.00E-09 3.00 1.00 1.00E-10 4.00E-09 1762 1.00E-09 3.76E-07 0 1794-TB3G A FLEX I/O cage-clamp generic 100. This indicates a version of the product that has conformal coating.60E-08 1178 1.362.00E-10 4. Certificate Number 968/EZ/35.page.com/rockwellautomation/certification/safety. Field return values – January 2012. (9) λ = Failure Rate = 1/MTBF.91E-10 8. PFD and PFH Calculations for a SIL 2 System Appendix C Table 10 .00E-09 1762 1.rockwellautomation.00 1.00E-09 80% 2.00E-09 1762 1.41E-07 unit 0 1794-TBNF A FLEX I/O NEMA fused terminal 100. Rockwell Automation Publication 1756-RM001L-EN-P .00E-10 4.00E-09 80% 2. Data not required within a safety function.00E-08 5. λd TCE1oo1 Trip Rate PFH(10) PFH(10) Fraction λdu λdd PFD Trip Rate TGE PFD Series (MTBF)(7) STR STR (SFF) 1794-TB3 A FLEX I/O terminal base unit 250. -A10. (4) Calculated MTBF and PFD by FMEA to 61508-2010.40E-09 1178 4. A DC Input Termination Board 7.com.00E-08 5.00E-09 80% 2.00 1.00 1.00E-08 5.42E-07 temperature terminal base unit 1794-TBN A FLEX I/O NEMA terminal base 100.20E-09 1762 6.60E-08 1178 1.91E-08 9.127.41E-07 terminal base unit 0 1794-TB3GS A FLEX I/O spring-clamp generic 100.00E-10 4.000 1. -A7.1.00E-09 80% 2.41E-07 base unit 0 1492-TIFM40F.rockwellautomation.41E-07 base unit 0 1794-TB3TS A FLEX I/O spring-clamp 52. (5) SIL 2-rated for non-interference in the chassis.00 1.60E-08 1178 1.00E-08 5.00E-09 80% 2.000.00E-08 5.00 4.000 1.04E-08 24-2(5) (1) Some catalog numbers have a K suffix.000.00E-10 4.60E-08 1178 1.00E-10 1.90E-08 F24A-2(5) 1492-TAIFM16-F. (8) Calculations performed on a per module basis.00E-10 4. These K versions have the same SIL 2 certification as the non-K versions. For more information on which products have conformal coating go to http://ab.00E-09 3.00E-11 1.00E-09 1762 1.000 7.xx/xx available at http://www.00E-09 80% 2. (6) For the latest official approved firmware versions.00E-08 5.

25E-06 670 2.461.055 1756-L63(3) B 20.19E-09 2.67E-05 1786-RPFM A ControlNet Fiber repeater .81E-06 adapter 1756-PSCA2 A Redundant power supply 38.69E-08 2. 8MB PFD via 2. Table 11 .(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .long 5.73E-08 95% 2.74E-09 1.58E-09 1.08E-08 2.68E-08 4.90E-04 20.75E-05 1786-RPCD A ControlNet Hub repeater 28.69E-08 2.55E-05 1786-RPA B ControlNet repeater adapter 11.89E-08 95% 1.012 ControlLogix controller.00E-08 4.99E-09 2.012 ControlLogix controller.96E-05 1756-A4LXT B 4-slot ControlLogix-XT chassis 1. 4MB 1.74E-09 1.55E-04 ControlLogix power supply 1756-PAXT B Not ControlLogix-XT AC power supply 18.01E-07 1.21E-08 1.760 2.010 4.600 9.055 (4) 1756-L71 B 20.57E-08 886 3.62E-08 4. 8MB Calculated 2.34E-06 96% 1.60E-05 1756-A7XT C 7-slot ControlLogix-XT chassis 1.717.83E-08 4.23E-08 95% 4.34E-06 96% 1.29E-06 6.055 (4) 1756-L75 B 20.73E-09 2.88E-08 2.62E-08 4.48E-08 95% 8.40E-06 95% 1.49E-08 1.01E-07 1.01E-07 8.020 5.11E-09 9.87E-08 886 6.75E-09 7.54E-07 95% 3.45E-08 886 5.91E-06 1.35E-08 4.34E-06 96% 1.736.69E-07 95% 2.69E-06 1.99E-08 2.2-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.75E-09 7.96E-08 886 8.855.99E-09 2.15E-05 adapter 1786-RPFS A ControlNet Fiber repeater .39E-07 2.00E-06 5.66E-06 1.83E-07 95% 4.044 5.836 1.23E-09 3.66E-07 8.59E-08 1. 16MB 2.08E-07 3.74E-07 95% 4. 8MB 1.89E-09 1. 2MB 1.July 2014 .36E-07 95% 2.36E-08 2.19E-09 2.03E-04 1756-A7LXT B 7-slot ControlLogix-XT chassis 27.76E-07 2.39E-04 supply 1756-PC75 B 30-60V DC 13A ControlLogix 5. 16.68E-08 4.83E-05 power supply 1756-PB75R A 18-32V DC 13A Redundant 1.66E-07 4.81E-08 95% 1.36E-08 2.654.91E-06 1.675.01E-08 1.67E-08 95% 2.10E-04 1756-PB72 C 18-32V DC 10A ControlLogix 31.67E-09 2.91E-06 1.26E-06 886 2.70E-07 8.17E-08 1.877 7.693.37E-05 Applicable Not Applicable 1756-PBXT B ControlLogix-XT DC power 1.30E-08 95% 1.146 8.01E-07 1.012 ControlLogix-XT controller.67E-09 2.120 9.25E-06 670 2.41E-08 886 5.360 5.146 5.069.79E-08 4.12E-07 886 4.81E-08 6.61E-07 8.69E-06 1.41E-08 2.40E-08 95% 4.48E-07 2.18E-07 886 6.48E-09 7.26E-07 886 9.30E-09 1.83E-08 4.44E-08 1.012 ControlLogix controller.760 3.69E-08 886 5.40E-07 1.35E-08 2.012 ControlLogix controller.894.62E-07 95% 4.43E-08 886 3.227 1.16E-07 886 8.72E-07 2.43E-07 886 5.38E-08 3.28E-04 20.910 9.00E-07 95% 5.01E-07 8.17E-08 886 2.01E-07 8.21E-09 1.34E-06 96% 1.80E-06 1.34E-06 96% 1.90E-05 long 1756-L61(3) B 20.65E-05 medium 1786-RPFRL A ControlNet Fiber repeater .280 2.727 2.35E-07 886 9.20E-04 20.081.053 1.06E-08 3.50E-07 5.01E-07 8. 2MB 2.055 1756-L73(4) B 20.54E-08 3.03E-08 4.81E-07 95% 6.13E-07 886 1.14E-04 ControlLogix power supply 1756-PB75 B 18-32V DC 13A ControlLogix 15.034. 8MB 357.99E-08 886 4.81E-08 886 8.52E-05 power supply 1756-PH75 B 90-143V DC 13A ControlLogix 2.extra 11.36E-06 6.336.012 ControlLogix controller.01E-07 8.74E-08 4.32E-08 1.35E-07 4.10E-08 1.830 9.561.69E-06 1.25E-06 670 2.25E-06 670 2.25E-06 670 2.25E-06 670 2.862 5.19E-08 95% 3.60E-08 1.693. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-AXX(2) C ControlLogix chassis 22.72E-07 3.91E-06 1.01E-07 8.87E-08 886 1.99E-08 95% 2. 4MB 2. 32MB 2.628.18E-08 2.54E-08 3.21E-07 886 8.055 1756-L62(3) B 20.Appendix C PFD and PFH Calculations for a SIL 2 System 2-Year PFD Calculations The PFD calculations in this table are calculated for a 2-year proof test interval (17.47E-07 4.18E-07 4.420 1.58E-08 95% 1.09E-04 power supply 1756-PSCA A Redundant power supply 45.81E-09 1.14E-04 1756-A5XT C 5-slot ControlLogix-XT chassis 734.095 3.37E-05 power supply (75W) 1756-PA75R A 85-265V AC 13A Redundant 1.412.short 26.24E-03 20.40E-05 power supply 1756-PA72 C 85-265V AC 10A ControlLogix 18.62E-08 1.00E-08 4.146.63E-08 886 1.373.81E-09 1.30E-09 1.12E-07 2.50E-07 886 9.90E-04 20.475 6.45E-08 2.19E-08 2.697.01E-07 1.67E-09 2.67E-09 2.40E-07 1.41E-08 886 5.440 8.000.74E-08 95% 1.91E-06 1.78E-08 1.055 1756-L63XT(3) B 20.68E-07 95% 4.73E-09 2.91E-06 1.70E-08 886 3.88E-08 2.89E-09 1.055 FMEA (4) 1756-L74 B 20.69E-08 2.012 ControlLogix controller.90E-04 20.43E-04 20.520 4.11E-09 9.75E-05 1786-RPFRXL B ControlNet Fiber repeater .75E-07 8.63E-08 886 3.67E-08 95% 2.81E-08 6.21E-08 95% 2.69E-06 1.40E-09 3.47E-08 1.11E-08 95% 1.178 3.46E-08 4.35E-08 2.89E-07 4.42E-05 power supply 1756-PA75 B 85-265V AC 13A ControlLogix 18.40E-09 3.520 hours) and are specific to ControlLogix system components.88E-07 95% 2.90E-04 20.47E-07 2.00E-07 4.90E-04 20.055 Not Applicable 1756-L72(4) B 20.21E-09 1.055.080 3.055 MTBF and 1756-L73XT(4) B 20.69E-06 1.01E-07 1.08E-08 2.119.012 ControlLogix controller.59E-07 886 5.652.012 ControlLogix-XT controller.97E-09 886 2.055 124 Rockwell Automation Publication 1756-RM001L-EN-P .044 5.826.34E-06 96% 1.23E-09 3.25E-07 4.012 ControlLogix controller.01E-07 1.90E-04 20.69E-06 1.75E-08 95% 8.58E-09 1.78E-07 4.48E-09 7.74E-08 4.461.

00E-06 redundancy module 1756-RMXT(5) B 3.65E-08 6.6% 6.12E-07 4.40E-08 80% 9.21E-07 597.396 3.80E-07 2.65E-08 80% 6.096.12E-07 4.82E-09 2.90E-04 redundant communication MTBF and module PFD via FMEA 1756-DHRIO(5) E 7.008 ControlLogix EtherNet/IP 2.52E-07 886 5.003 ControlLogix diagnostic V DC 30.91E-06 6.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .202 4.81E-07 95% 3.6% 6.79E-07 7.97E-06 9.91E-06 6.6% 6.932.192.71E-06 communication module with fault tolerance 1756-RM(5) B 3.003 ControlLogix isolated V DC input 81.004 Non-interference only ControlLogix enhanced 250.56E-07 95% 4.41E-04 Not Applicable communication module 1756-EN2TXT D 10.81E-08 3.83E-07 1.59E-07 Plus Remote I/O Module Non-interference only Not applicable Not applicable 1756-DNB(5) D 12.774 Non-interference only 3.62E-08 5.004 ControlLogix-XT ControlNet Calculated 1.60E-07 2.62E-09 9.56E-08 4.56E-08 4.64E-07 1.50 1.21E-07 597.85E-07 95% 3.198 4.92E-07 95% 1.48E-04 communication module 1756-CNBR E 11.91E-06 input module 1756-IB16I A 3.56E-08 4.37E-07 Not applicable 2.228.26E-08 3.74E-07 Not applicable 1756-IA16I A 3.62E-08 5.312.299 9.25E-08 1.61E-09 1.97E-06 9.43E-07 886 7.443.966.29E-10 5.97E-06 9.096 9.25 1.73E-07 886 3.14E-09 80% 2.21E-04 communication module with fault tolerance 1756-EN2TR C 10.007 ControlLogix EtherNet/IP 269.786.62E-08 9.008 ControlLogix-XT EtherNet/IP 1.503.90E-04 3.91E-07 module Not applicable 1756-RM2 A 20.006 communication module 1756-EN2T C 5.96E-08 2346 1.91E-06 6.91E-06 6.840 6.87E-07 96.10E-07 886 8.005 ControlLogix ControlNet 2.44E-08 3514 3.56E-08 4.90E-04 3.56E-07 95% 4.67E-07 communication module 1756-ENBT(5) A 4.23E-07 886 2.008 ControlLogix EtherNet/IP 1.920 4.005 ControlLogix DeviceNet 2.182 4.22E-05 communication module with fault tolerance 1756-EN2TXT C 5.62E-09 5.92E-08 1.53E-08 2.29E-08 2346 3.25E-08 1.00E-07 2346 6.46E-09 2.46E-07 886 7.011 ControlLogix-XT ControlNet 1.67E-07 4.62E-08 9.011 ControlLogix ControlNet 1.018 ControlLogix SyncLink Module 6.85E-08 3.640 3.62E-08 5.608.70E-04 redundant communication module 1756-CN2 B 20.182 4.6% 6.87E-07 96.003 ControlLogix diagnostic V AC 15.25 1.71E-06 communication module 1756-EN3TR B 10.160 5.096.003 ControlLogix isolated V AC input 20.299 9.62E-08 9.87E-07 96.977 5. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-CNB E 11.92E-08 1.59E-07 1.50 1. PFD and PFH Calculations for a SIL 2 System Appendix C Table 11 .36E-08 1.21E-07 597.90E-04 communication module MTBF and PFD via FMEA 1756-CN2R B 20.62E-08 9.92E-09 3514 2.61E-09 8.46E-09 3.22E-05 communication module with MTBF and fault tolerance PFD via FMEA 1756-EN2TRXT C 10.80E-07 95% 2.31E-07 3.23E-10 1.62E-07 3.97E-06 9.088.712 7.53E-08 2.81E-08 2.774 3.36E-08 1.62E-08 5.81E-08 3.79E-07 7.68E-09 3514 9.6% 6.21E-07 597.080 6.04E-04 communication module 1756-CN2 C 25.300.003 ControlLogix redundancy 1.004 ControlLogix-XT enhanced 250.69E-07 3.007 ControlLogix EtherNet/IP 269.25 1.002 ControlLogix-XT Data Highway 2.25 1.24E-07 3.27E-07 886 4.007 ControlLogix-XT EtherNet/IP 269.87E-07 96.2-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.05E-07 2.10E-07 886 8.664.55E-07 9.33E-07 8.04E-04 redundant communication Not Applicable module 1756-CN2R C 25.01E-08 1.004 ControlLogix ControlNet Calculated 1.25 1.396 3.52E-06 input module 1756-IB16D A 3.87E-07 96.40E-09 1.82E-06 401.80E-08 2.73E-07 1.503.59E-07 Remote I/O Module 1756-DHRIOXT(5) E 7.16E-05 1.000 7.008 ControlLogix EtherNet/IP 3.53E-07 95% 2.82E-10 4.00E-06 redundancy module 1756-RM2XT A 20.71E-06 Not applicable communication module Not Applicable 1756-EN2TR B 5.32E-07 2.24E-04 redundant communication module 1756-CN2RXT C 25.003 ControlLogix-XT redundancy 980.543 3.62E-08 9.81E-05 5.45E-05 7.37E-04 communication module 1756-EN2T D 10.002 ControlLogix Data Highway Plus 2.13E-08 80% 1.23E-08 6.85E-08 9.10E-04 1.094 1.004 ControlLogix ControlNet Calculated 1.62E-08 5.85E-08 3.005 ControlLogix ControlNet 1.08E-06 module Rockwell Automation Publication 1756-RM001L-EN-P .006 ControlLogix EtherNet/IP 1.80E-08 2.801.67E-07 4.32E-10 2.10E-07 6.97E-06 9.69E-08 2346 4.31E-08 1.960 2.69E-07 module 1756-SYNCH(5) A 2.40E-09 1.980.011 ControlLogix ControlNet 1.82E-06 401.640 1.36E-07 95% 1.774 3.006 ControlLogix EtherNet/IP Calculated 1.373.90E-04 redundant communication MTBF and module PFD via FMEA 1756-CN2RXT B 20.23E-06 module 1756-IA8D A 3.21E-07 597.88E-08 3514 5.91E-06 6.July 2014 125 .

73E-05 output module 1794-ACN15 D 10.16E-09 1.23E-09 1.78E-08 80% 1.44E-07 2346 4.74E-07 3.43E-08 1.13E-07 3514 3.002 ControlLogix isolated relay 13.92E-07 4.04E-08 1.86E-08 2346 3.65E-04 1.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .681.388.604.79E-08 7.07E-05 1794-ACNR15 D 10.80E-07 2346 1.98E-07 7.39E-08 3514 3.71E-10 7.62E-07 2.75E-08 80% 2.91E-08 3.18E-08 3514 1.695.75E-07 2346 2.35E-07 6.005 ControlLogix analog input 4.118.34E-10 6.007 ControlLogix isolated V DC 11.62E-04 6.02E-04 1.17E-07 2346 7.60E-08 3514 6.268.95E-07 2346 1.72E-07 9.71E-08 2.997.48E-07 2346 2.200 7.884.33E-08 80% 1.21E-09 1.55E-04 1.003 FLEX I/O ControlNet adapter 8.26E-09 1.23E-09 1.67E-08 3.30E-08 2.41E-08 4.95E-07 9.13E-07 2346 1.91E-08 1.86E-07 80% 7.354.311.08E-08 80% 2.84E-08 1.07E-05 Not allowed for 1oo1 1794-AENT B 4.33E-08 1.21E-09 1.635 1.84E-07 2346 1.67E-08 4.268.002 ControlLogix isolated relay 6.20E-08 2.65E-07 8.89E-07 3.57E-08 80% 1.629.43E-04 3.43E-08 3.46E-05 output module 1756-OW16I A 3.46E-08 1.70E-08 9.46E-08 2.87E-07 80% 1.899 7.34E-07 1.89E-10 7.43E-08 6.00E-08 2.59E-08 3514 9.52E-08 80% 6.07E-05 adapter 1794-ACNR15XT D 10.43E-08 2.18E-07 1.81E-06 4.86E-09 3.17E-07 80% 4.720 4.05E-05 1794-AENTR A 1.84E-07 80% 7.79E-08 4.30E-08 4.77E-08 2. 1.71E-08 4.223.525 2.30E-08 2.41E-08 2346 4.77E-08 80% 3.10E-04 1.70E-08 80% 1.013 FLEX I/O EtherNET/IP adapter.99E-07 2346 5.43E-08 3.54E-08 1.43E-06 1756-IF8 A 1.32E-07 3514 6.63E-08 2.14E-08 3514 5.33E-08 80% 1.21E-04 3.29E-06 electronic ally-fused output module 1756-OX8I A 3.007 ControlLogix V DC Sequence Of 2.699.32E-07 3.88E-07 2346 3.82E-09 3.046 3.013 ControlLogix isolated 3.55E-04 5.80E-06 output module 1756-OB16D A 3.39E-07 2346 8.08E-05 module 1756-IT6I A 1.26E-09 8.94E-06 output module 1756-OB16E A 3.070 7.254 1.07E-07 2346 6.87E-06 fused output module 1756-OB16I A 3.12E-09 3514 2.17E-04 module 1756-IF6CIS A 1.82E-08 3514 7.32E-07 80% 9.94E-07 80% 1.67E-06 module 1756-OA8D A 3.88E-07 80% 7.002 ControlLogix V AC output 32.87E-08 3514 7.58E-08 3514 Not allowed for 1oo1 4.56E-08 4.04E-07 2346 2.22E-07 6.53E-08 3514 1.83E-07 2346 2.77E-07 1.61E-06 2346 2.223.160 1.30E-08 8.98E-09 1.Appendix C PFD and PFH Calculations for a SIL 2 System Table 11 .185 2.17E-07 2346 1.16E-05 Ring media 126 Rockwell Automation Publication 1756-RM001L-EN-P .39E-08 2.20E-07 5.002 ControlLogix V DC diagnostic 8.002 ControlLogix HART analog input 442.019.63E-08 80% 2.77E-08 80% 2.28E-05 thermocouple input module 1756-OA16I A 3.58E-08 2.456 3.760 8.34E-05 4.08E-09 5.56E-07 3.002 ControlLogix V DC isolated 7.005 ControlLogix analog output 10.39E-08 3.35E-08 6.667 1.64E-07 2346 1.2-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.13E-09 9.65E-08 3514 1.39E-07 3514 3.960 4.654.58E-08 2.684 1.79E-09 4.003 ControlLogix V AC diagnostic 11.81E-07 80% 1.83E-04 3.92E-07 2346 1.77E-07 3514 1.506 2.26E-07 80% 5.30E-08 1.38E-09 2.91E-08 2.187 1.12E-09 7.05E-10 2.10E-07 3514 5.37E-07 3514 1.537.73E-08 1.25E-04 1.374 1.54E-08 6.28E-09 7.13E-08 3.97E-03 3.70E-10 5.059.35E-08 3.957.19E-07 1.74E-07 4.914 2.86E-08 3514 1.93E-05 module 1756-IF16H A 1.30E-08 3.46E-08 1.65E-07 2.08E-08 80% 2.38E-04 2.013 ControlLogix isolated analog 2.05E-08 7.176.22E-07 6.98E-04 1.28E-04 1.462.795 9.013 FLEX I/O EtherNET/IP adapter.45E-08 3514 9.07E-06 output module 1756-OF6CI A 1.26E-06 2346 8.65E-08 80% 1.14E-07 2346 7.22E-07 6.08E-07 2.291.73E-07 1.68E-07 1.13E-05 7.978 7.17E-10 6.002 ControlLogix V DC isolated 14.58E-07 2.52E-07 3.42E-08 80% 1.53E-07 2346 9.43E-09 2.38E-08 3514 9.69E-08 7.06E-05 output module 1756-OF8H A 1.65E-08 1.003 FLEX I/O ControlNet redundant 8.005 ControlLogix V DC input module 10.76E-09 3.31E-08 80% 9.94E-07 80% 1.52E-07 6.30E-06 module 1756-OF6VI A 1.July 2014 .150.30E-08 3.36E-03 1.82E-09 5.268.23E-09 1.43E-06 output module 1756-OF8 A 1.88E-08 1.25E-08 1.684 1.65E-08 3514 7.25E-08 3.13E-07 5.77E-08 1.64E-06 Sequence Of Events input module 1756-IB32 B 3.003 ControlLogix V DC electronic ally.26E-06 2346 8.73E-08 2.93E-08 1.002 ControlLogix V DC output 2.37E-07 3514 1.62E-10 8.013 ControlLogix isolated analog 8.39E-07 1.88E-08 2.41E-07 2346 8.720.714 6.28E-09 7.91E-08 5.84E-08 4.68E-04 1.002 ControlLogix HART analog 5.003 FLEX I/O EtherNET/IP adapter 1.65E-08 3514 1.684 1.00E-08 3514 5.25E-08 80% 3.53E-07 1.592.64E-10 4.53E-08 1.15E-07 5.02E-05 module 1756-IF16 A 1.08E-08 80% 2.005 ControlLogix analog input 8.01E-07 7.14.98E-08 80% 2.827 5.95E-08 3514 1.46E-08 6.17E-05 Events input module 1756-IR6I A 1.040 8.316 3.329 9.01E-05 module 1756-IF8H A 1.36E-05 input module 1756-IF6I A 1.070 7.58E-07 2.67E-09 1.19E-08 3514 5.89E-07 3.20E-07 80% 4.17E-04 7. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-IB16ISOE A 2.69E-07 3514 configurations 8.46E-10 8.37E-09 1.71E-08 1.013 ControlLogix isolated analog 21.43E-08 3.09E-07 80% 4.03E-07 2346 3.35E-08 1.013 ControlLogix isolated RTD input 4.95E-07 2346 1.003 FLEX I/O-XT ControlNet adapter 8.080 3.013 ControlLogix isolated enhanced 2.95E-07 2346 1.824 2.16E-05 Ring media 1794-AENTRXT A 1.03E-08 3514 3.52E-04 1.97E-07 2346 3.12E-05 input module 1756-IH16ISOE A 2. 1.20E-05 output module 1756-OB32 A 3.223.57E-09 2.002 ControlLogix HART analog input 1.65E-08 3514 1.12E-07 3514 2.26E-06 1.779.90E-04 2.08E-09 9.51E-07 2346 9.55E-07 1.17E-04 1.24E-05 thermocouple input module configurations 1756-IT6I2 A 1.55E-07 2.33E-05 module 1756-OB8EI A 3.06E-08 3514 1.33E-08 2.24E-06 2346 8.13E-06 80% 4.013 ControlLogix isolated analog 4.12E-07 1.891.33E-08 1.07E-08 1.

00E-09 80% 2.09E-08 80% 2.771.00 1.128 8.99E-08 2346 3.03E-09 80% 3.43E-09 6.585.79E-07 output module 0 configurations 1794-OB16PXT A FLEX I/O-XT 26.42E-08 2.47E-08 4.39E-08 80% 1.28E-06 module 1794-IF4I A I FLEX I/O isolated analog input 9.04E-05 output module 1794-IF2XOF2IXT A I FLEX I/O-XT isolated analog 6.709.08E-09 1.84E-10 1.74E-08 4.19E-07 2346 2.53E-07 2346 1.98E-08 3514 3.59E-06 1794-IJ2XT A E Not allowed for 1oo1 FLEX I/O-XT counter module 11.38E-07 80% 9.75E-10 3.00 1.84E-08 9.027.000.85E-08 80% 2.464.65E-06 Not 1794-IE8XT B Applicable FLEX I/O-XT analog input 14.99E-08 5.38E-09 1.02E-08 3.914. A FLEX I/O-XT 22.00E-08 5.67E-09 3514 8.03E-08 3514 5.64E-08 3514 1.63E-07 2346 4.714.77E-07 2.140 1.802 8.47E-06 24V DC input module 1794-IJ2 A D FLEX I/O counter module 55.918 1.792 1.76E-08 2.14E-08 3514 1.81E-10 1.46E-08 2346 5.518.19E-08 2.43E-09 3514 4.88E-09 1.54E-08 3514 1.38E-09 1.00E-09 3514 1. 100.49E-09 1.000.770 5.40E-05 input/output module 1794-IE4XOE2XT B FLEX I/O-XT analog input/output 11.79E-09 80% 1.19E-07 2346 1.55E-10 4.487 4.54E-08 1.82E-07 9.493.00E-09 3.64E-08 2346 5.21E-08 2346 4.38E-08 80% 1.61E-09 5.20E-10 3.189 2.01E-07 5.75E-06 module Not allowed for 1oo1 1794-OF4I A I FLEX I/O analog output module 23.610 5.27E-08 80% 1.2-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.36E-08 3.14E-07 2346 7.35E-08 2.02E-09 1.77E-08 3.37E-09 1.95E-07 2346 1.03E-08 3514 1.97E-08 80% 3.62E-06 1794-OB16P A FLEX I/O 24V DC protected 100.06E-08 80% 2.140 1.50E-08 2.08E-07 2346 6.72E-08 80% 6.74E-08 4. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1794-IB16 A FLEX I/O 24V DC input module 179.00E-06 1794-IB10XOB6 A FLEX I/O 24V DC input/output 100.96E-06 electronically-fused output module 1794-OB16 A FLEX I/O 24V DC output module 54.03E-08 3514 1.92E-06 module 1794-IF4IXT A I FLEX I/O-XT isolated analog 7.81E-08 9.401 3.80E-10 5.02E-09 8.99E-07 9.959 1.20E-09 80% 3. PFD and PFH Calculations for a SIL 2 System Appendix C Table 11 .54E-08 3514 1.00E-09 3.84E-09 1.36E-08 3514 7.409 4.50E-08 2346 3.52E-10 7.57E-11 4.00E-09 3.55E-07 80% 1.11E-08 3514 2.407.519 5.13E-07 3514 configurations 1.1 FLEX I/O-XT RTD/Thermocouple 8.81E-08 1.40E-08 80% 5.79E-07 module 0 1794.68E-08 2346 5.21E-05 input module 1794-IF4ICFXT A I FLEX I/O-XT isolated analog 7.19E-09 1.00E-09 3514 1.91E-08 80% 2.70E-08 80% 1.91E-07 2346 1.890 1.22E-07 6.69E-08 2.000 7.06E-08 1.26E-08 3514 configurations 6.60E-08 2346 1.89E-08 2346 1.37E-07 6.09E-08 3.78E-06 1794-OE4XT B FLEX I/O-XT analog output 11.July 2014 127 .204.744 8.59E-08 3514 8.70E-08 2346 4.895 3.381.60E-08 2346 1.44E-10 4.12E-08 3514 5.37E-07 2346 8.58E-07 7.27E-05 module 1794-IF2XOF2I A I FLEX I/O isolated analog input/ 8.640 1.53E-06 configurations 1794-IP4 B 4 FLEX I/O counter module 22.54E-08 4.23E-09 1.25E-08 80% 9.08E-08 1.00E-08 5.00E-10 8.10E-08 80% 3.71E-08 80% 1.30E-10 4.42E-07 2.297.088.04E-07 5.85E-08 80% 2.68E-06 1794-OF4IXT A I FLEX I/O-XT analog output 5.00E-09 3514 Not allowed for 1oo1 1.00 1.79E-08 4.097.60E-09 1.47E-06 module 1794-OE4 B Not Applicable FLEX I/O analog output module 18.79E-07 fused output module 0 1794-OB8EPXT A FLEX I/O-XT 24V DC 14.1 FLEX I/O RTD/Thermocouple 1.09E-08 80% 8.00E-09 80% 2.56E-08 80% 1.269 7.05E-09 9.62E-07 2346 1.66E-08 3514 1.77E-05 1794-IR8XT A K FLEX I/O-XT RTD input module 9.20E-06 Not allowed for 1oo1 1794-IRT8 B E.200 4.844 1.041.91E-08 80% 3.46E-08 3514 2.83E-10 7.50E-08 2346 2.22E-08 80% 2.885.91E-09 2346 5.35E-08 3514 7.52E-10 3.509 4.42E-09 3514 2.44E-08 1.016.00E-10 8.02E-06 module 1794-OW8XT A FLEX I/O-XT isolated relay output 18.45E-10 3.00E-10 8.40E-08 2.68E-09 5.56E-08 3514 1.64E-08 5.71E-08 2.21E-05 input module 1794-IR8 A K FLEX I/O RTD input module 5.42E-10 4.00E-08 5.15E-10 6.89E-07 2346 1.82E-10 2.63E-08 3514 8.67E-07 2346 1.800.632 1.61E-05 module Rockwell Automation Publication 1756-RM001L-EN-P .08E-08 1.75E-06 module 1794-IE8 B FLEX I/O analog input module 18.11E-07 3.52E-09 3514 2.42E-08 2.43E-07 3514 7.884.64E-08 80% 1.54E-08 2.29E-08 2.13E-08 3514 1.08E-05 input module 1794-IT8 A K FLEX I/O Thermocouple input 2.62E-08 3514 8.19E-07 2346 1.297.17E-08 4.15 5.344.587.26E-08 2346 4.29E-06 Not Applicable 24V DC protected output module 1794-OW8 A FLEX I/O isolated relay output 29.91E-09 4.11E-09 1.12E-08 3.14E-06 2346 7.433.58E-10 7.36E-07 2346 8.01E-09 1.87E-08 80% 7.24E-08 80% 1.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .202.60E-08 2346 1.231 1.00E-09 80% 2.44E-08 3.902 1.000.506.74E-08 1.317.43E-05 input module 1794-IRT8XT B E.96E-06 IB10XOB6XT 24V DC input/output module Not 1794-OB8EP A Applicable FLEX I/O 24V DC electronically.57E-09 2.322.11E-08 3514 2.27E-08 80% 9.18E-07 5.37E-07 6.049 6.41E-07 2346 8.75E-08 3514 2.62E-09 8.95E-08 2346 1.90E-07 Not 8 1794-IB16XT A Applicable FLEX I/O-XT 35.

00E-10 8.00E-09 80% 2.000. (5) SIL 2-rated for non-interference in the chassis.82E-09 5.000.00E-10 8. (8) Calculations performed on a per module basis.000 1.60E-08 2346 1. This indicates a version of the product that has conformal coating.79E-07 base unit 0 1794-TB3TS A FLEX I/O spring-clamp 52.00E-09 3514 1.362.79E-07 terminal base unit 0 1794-TB3S A FLEX I/O terminal base unit 100.00E-09 80% 8.000.00E-09 80% 2.00 1.779.90E-08 7.00E-09 3. (6) For the latest official approved firmware versions. These K versions have the same SIL 2 certification as the non-K versions.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .00E-09 80% 2.000 7. Certificate Number 968/EZ/35. Field return values – January 2012.rockwellautomation.00E-10 8.000.04E-08 7.00E-08 5.000 1.July 2014 .60E-08 2346 1.03E-07 F24A-2(5) 1492-TAIFM16-F. -A10.90E-08 24-2(5) (1) Some catalog numbers have a K suffix. (3) Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1 (4) Calculated MTBF and PFD by FMEA to 61508-2010.60E-08 2346 1.00E-09 3.00 1. (7) MTBF measured in hours unless calculated (as noted).68E-06 temperature terminal base unit 1794-TBN A FLEX I/O NEMA terminal base 100.00E-08 5.00E-08 5.312.60E-08 2346 1.xx/xx available at http://www. (10) Demand rate must be less than 10 per year 128 Rockwell Automation Publication 1756-RM001L-EN-P . A DC Output Termination Board 10. Data not required within a safety function.00E-09 3514 configurations 1.00E-09 80% 2.000 7.04E-08 Non-interference only Not Applicable Not Applicable 3(5) Applicable 1492-TIFM4OF.03E-07 1.60E-08 2346 1. A DC Input Termination Board 7.79E-07 base unit 0 1492-TIFM40F.00 1.com/ (2) Average of 1756-A4.56E-09 80% 3.00E-09 80% 2.00E-11 3.91E-10 1.00E-09 2.00E-09 3514 1.79E-07 unit 0 1794-TBNF A FLEX I/O NEMA fused terminal 100.com.00E-10 8.40E-09 2346 4. For more information on which products have conformal coating go to http://ab.00 1.79E-07 Not 0 Not allowed for 1oo1 1794-TB3T A Applicable FLEX I/O temperature terminal 100.51E-07 0 1794-TB3G A FLEX I/O cage-clamp generic 100.page.00 4.00 1.00E-09 80% 2.rockwellautomation.60E-08 2346 1.00E-08 5.73E-09 3514 3.000.2-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No. consult the Revision Release List.00E-09 3514 1.20E-09 3514 6.00E-10 8. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1794-TB3 A FLEX I/O terminal base unit 250.00E-08 5.00E-09 3514 1.A Not Analog Input Termination Board 11. -A7. (9) λ = Failure Rate = 1/MTBF.91E-08 9.00E-09 3.00E-10 1.000.00E-08 5.06E-08 2346 1.00E-09 3.Appendix C PFD and PFH Calculations for a SIL 2 System Table 11 . -A13 and -A17 chassis.127.000.com/rockwellautomation/certification/safety.00E-10 8.79E-07 terminal base unit 0 1794-TB3GS A FLEX I/O spring-clamp generic 100.00E-09 3.00E-09 3514 1.00 1.00E-09 3.

00E-08 1.600 9.69E-06 1.012 ControlLogix controller.75E-08 95% 8.01E-08 1.74E-08 4.373.760 3.93E-04 supply 1756-PC75 B 30-60V DC 13A ControlLogix 5.69E-06 1.000.62E-08 4.91E-06 1.69E-06 1.20E-03 20.119.16E-05 1786-RPFM A ControlNet Fiber repeater .86E-05 1756-A4LXT B 4-slot ControlLogix-XT chassis 1.97E-09 2200 2.81E-08 1.July 2014 129 .055 (3) 1756-L63XT B 20.69E-08 2.04E-03 20.20E-03 20.120 9.34E-06 96% 1.03E-08 4.21E-09 1.81E-09 1.012 ControlLogix controller.48E-09 1.26E-06 2200 2.67E-08 95% 2.63E-08 2200 3.760 2.20E-03 20.055 FMEA (4) 1756-L74 B 20.012 ControlLogix-XT controller.89E-08 95% 1.40E-07 3.01E-07 1.81E-08 95% 1.01E-07 2. 16MB 2.830 9.40E-06 95% 1.826.25E-06 1661 2.06E-08 3.36E-07 95% 2.25E-06 1661 2.00E-07 4.78E-08 1.36E-08 5.01E-07 2.92E-04 1786-RPCD A ControlNet Hub repeater 28.693.36E-08 2.88E-05 Applicable Not Applicable 1756-PBXT B ControlLogix-XT DC power 1. 8MB PFD via 2.055 1756-L75(4) B 20.21E-08 1.26E-07 2200 9.69E-08 2200 5.146 5.178 3.62E-08 1.long 5.45E-08 2.74E-08 95% 1.13E-07 2200 1.69E-06 1.280 2.25E-06 1661 2.08E-08 2.extra 11.18E-08 2.67E-09 5.59E-08 1.62E-08 1.74E-08 1.012 ControlLogix controller.461.00E-06 5.70E-08 2200 3.01E-07 1.44E-05 adapter 1756-PSCA2 A Redundant power supply 38.23E-09 3.012 ControlLogix controller.67E-09 2.693.41E-08 2.227 1.43E-07 2200 5.35E-07 4.short 26.72E-07 3.83E-07 95% 4.66E-07 4.012 ControlLogix-XT controller.19E-08 2.38E-08 3.74E-07 95% 4.055 1756-L73(4) B 20.35E-08 4.01E-07 2.36E-06 6.68E-08 4. Version(6) Description Failure Failure λ(9) λs .25E-06 1661 2.43E-08 2200 3.74E-09 1.45E-08 2200 5.74E-09 3.78E-07 4.91E-06 1.68E-07 95% 4.25E-06 1661 2.58E-08 95% 1.055 1756-L62(3) B 20. PFD and PFH Calculations for a SIL 2 System Appendix C 5-year PFD Calculations The PFD calculations in this table are calculated for a 5-year proof test interval (43.76E-07 2.055 Not Applicable 1756-L72(4) B 20.58E-09 3.19E-09 2.00E-07 95% 5.20E-03 20.83E-08 4.61E-07 8.41E-08 2200 5. 4MB 1.19E-04 power supply 1756-PSCA A Redundant power supply 45.40E-07 1.81E-07 95% 6.49E-05 power supply 1756-PA72 C 85-265V AC 10A ControlLogix 18.02E-03 1756-PB72 C 18-32V DC 10A ControlLogix 31.99E-08 2200 4.055 MTBF and 1756-L73XT(4) B 20.01E-07 2.30E-09 2.80E-06 1.66E-07 8.79E-04 ControlLogix power supply 1756-PB75 B 18-32V DC 13A ControlLogix 15.35E-08 2.35E-07 2200 9.012 ControlLogix controller.25E-06 1661 2.081. Table 12 .69E-08 2.010 4.01E-07 1.02E-05 power supply 1756-PB75R A 18-32V DC 13A Redundant 1.360 5.67E-08 95% 2.91E-06 1.91E-06 1.053 1.50E-07 2200 9. 8MB 1.67E-09 5.72E-07 2.01E-07 1.99E-09 6.89E-09 4.21E-07 2200 8.727 2.855.47E-07 4.99E-08 2.440 8.34E-06 96% 1.628.69E-06 1.67E-09 2.81E-09 3.07E-03 20.30E-08 95% 1.48E-08 95% 8.25E-07 4.34E-06 96% 1.30E-05 1786-RPFRXL B ControlNet Fiber repeater .717.91E-06 1.01E-07 1.89E-07 4.836 1.59E-05 medium 1786-RPFRL A ControlNet Fiber repeater .080 3.12E-07 2200 4.44E-08 1.20E-03 20.32E-08 1.87E-08 2200 1.044 5.57E-08 2200 3.59E-07 2200 5.675.99E-09 2.00E-08 4.62E-07 95% 4.96E-08 2200 8. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-AXX(2) C ControlLogix chassis 22.520 4.561.10E-03 20.50E-07 5.88E-08 6. 2MB 2.89E-09 1. 8MB 357.69E-06 1.862 5.49E-08 1.68E-08 1.055 (4) 1756-L71 B 20.800 hours) and are specific to ControlLogix system components.055 1756-L63(3) B 20.35E-08 2.01E-07 2.69E-08 5.461.020 5.75E-09 7.23E-08 95% 4.11E-08 95% 1.73E-09 2.83E-08 1.87E-04 power supply 1756-PH75 B 90-143V DC 13A ControlLogix 2.697.75E-07 8.894.63E-08 2200 1.03E-03 1756-A5XT C 5-slot ControlLogix-XT chassis 734.11E-09 9. 8MB Calculated 2. 2MB 1.91E-06 1.60E-08 1.34E-04 ControlLogix power supply 1756-PAXT B Not ControlLogix-XT AC power supply 18.18E-07 2200 6.20E-03 20.475 6.84E-05 1786-RPA B ControlNet repeater adapter 11.910 9.81E-08 2200 8.21E-09 4.46E-08 4.73E-09 6.81E-08 6.736.67E-05 long 1756-L61(3) B 20.095 3.34E-06 96% 1.16E-07 2200 8.40E-09 9.40E-09 3.06E-03 20.012 ControlLogix controller.39E-07 2.044 5.54E-07 95% 3.336.17E-08 2200 2.50E-03 1756-A7LXT B 7-slot ControlLogix-XT chassis 27.01E-07 2.73E-08 95% 2.88E-07 95% 2.88E-08 2.75E-09 1.420 1.48E-07 2.48E-09 7.412.12E-07 2.01E-07 1.98E-05 1756-A7XT C 7-slot ControlLogix-XT chassis 1.034.877 7.58E-09 1.88E-05 power supply (75W) 1756-PA75R A 85-265V AC 13A Redundant 1. 16.66E-06 1.069.00E-05 power supply 1756-PA75 B 85-265V AC 13A ControlLogix 18.34E-06 96% 1.47E-07 2.17E-08 1.055.29E-06 6.40E-08 95% 4.79E-08 4.5-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time (1) Firmware between Safe Spurious Spurious Cat No.146.21E-08 95% 2.19E-09 7.08E-07 3.54E-08 3.41E-08 2200 5.08E-08 2.012 ControlLogix controller.87E-08 2200 6.23E-09 9.012 ControlLogix controller. 4MB 2.70E-07 8.11E-09 2.10E-08 1.146 8.69E-07 95% 2.652.30E-09 1.99E-08 95% 2.86E-05 adapter 1786-RPFS A ControlNet Fiber repeater .47E-08 1.34E-06 96% 1. 32MB 2.54E-08 7.654.19E-08 95% 3.18E-07 4.055 Rockwell Automation Publication 1756-RM001L-EN-P .

97E-06 9.23E-07 2200 2.28E-06 input module 1756-IB16I A 3.11E-04 7.62E-08 9.006 communication module 1756-EN2T C 5.000 7.14 1.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .16E-04 communication module 1756-CNBR E 11.60E-07 2.73E-07 1.396 3.56E-07 95% 4.71E-06 communication module with fault tolerance 1756-RM(5) B 3.003 ControlLogix isolated V AC input 20.56E-08 4.85E-08 8.76 1.005 ControlLogix ControlNet 2.003 ControlLogix diagnostic V AC 15.25E-08 2.64E-07 1.46E-07 2200 7.543 3.87E-07 96.62E-07 3.160 5.96E-08 5850 1.62E-09 1.62E-09 9.62E-08 1.81E-07 95% 3.82E-06 988.004 ControlLogix ControlNet Calculated 1.33E-07 2.21E-07 1478.56E-08 1.92E-07 95% 1.55E-07 2.56E-08 4.31E-07 3.00E-08 7.12E-07 4.840 6.91E-06 6.00E-08 7.37E-07 Not applicable 2.73E-07 2200 3.91E-06 6.443.85E-07 95% 3.004 ControlLogix-XT ControlNet Calculated 1.774 3.312.71E-06 Not applicable Non-interference only communication module Not Applicable 1756-EN2TR B 5.74E-07 Not applicable 1756-IA16I A 3.62E-08 9.19E-05 communication module with MTBF and fault tolerance PFD via FMEA 1756-EN2TRXT C 10. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-CNB E 11.299 9.32E-07 2.960 2.50E-03 3.76 1.966.39E-08 9.21E-07 1478.21E-07 1478.003 ControlLogix redundancy 1.004 ControlLogix enhanced 250.00E-04 communication module with fault tolerance 1756-EN2TR C 10.503.00E-03 redundant communication Not Applicable module 1756-CN2R C 25.62E-08 9.096.33E-10 7.21E-07 1478.14 1.50E-03 redundant communication MTBF and module PFD via FMEA 1756-CN2RXT B 20.80E-07 2.81E-08 8.46E-04 Not Applicable communication module 1756-EN2TXT D 10.46E-09 5.05E-07 2.01E-08 1.640 1.62E-08 9.85E-08 9.75E-04 1.61E-09 2.6% 6.007 ControlLogix EtherNet/IP 269.24E-07 3.92E-08 1.43E-07 2200 7.007 ControlLogix EtherNet/IP 269.97E-06 9.69E-07 module 1756-SYNCH(5) A 2.91E-06 6.92E-09 8770 2.69E-08 5850 4.13E-08 80% 1.36E-07 95% 1.19E-05 communication module with fault tolerance 1756-EN2TXT C 5.38E-04 communication module 1756-EN2T D 10.80E-08 6.002 ControlLogix Data Highway Plus 2.801.096 9.81E-08 2.006 ControlLogix EtherNet/IP 1.62E-08 1.40E-08 80% 9.56E-04 redundant communication module 1756-CN2RXT C 25.004 ControlLogix-XT enhanced 250.608.198 4.6% 6.81E-08 3.14 1.011 ControlLogix ControlNet 1.97E-06 9.51E-09 3.712 7.50E-03 redundant communication MTBF and module PFD via FMEA 1756-DHRIO(5) E 7.61E-09 1.932.67E-07 communication module 1756-ENBT(5) A 4.46E-09 3.23E-10 2.83E-07 1.396 3.56E-07 95% 4.003 ControlLogix isolated V DC input 81.87E-07 96.977 5.004 ControlLogix ControlNet Calculated 1.45E-04 5.21E-07 1478.12E-07 4.62E-08 1.6% 6.50E-03 3.003 ControlLogix diagnostic V DC 30.920 4.59E-07 Plus Remote I/O Module Not Non-interference only Not applicable 1756-DNB(5) D 12.018 ControlLogix SyncLink Module 6.59E-07 Remote I/O Module 1756-DHRIOXT(5) E 7.008 ControlLogix EtherNet/IP 3.192.82E-09 2.300.38E-05 input module 1756-IB16D A 3.56E-08 1.228.97E-06 9.65E-08 6.182 4.008 ControlLogix EtherNet/IP 2.005 ControlLogix DeviceNet 2.00E-07 5850 6.29E-08 5850 3.97E-06 9.53E-08 2.62E-08 1.67E-07 4.26E-08 3.10E-07 6.10E-07 2200 8.14E-09 80% 2.70E-06 module 130 Rockwell Automation Publication 1756-RM001L-EN-P .008 ControlLogix EtherNet/IP 1.088.51E-09 3.774 3.640 3.Appendix C PFD and PFH Calculations for a SIL 2 System Table 12 .53E-07 95% 2.38E-05 1.80E-07 95% 2.67E-07 4.79E-07 2.50E-03 communication module MTBF and PFD via FMEA 1756-CN2R B 20.59E-07 1.71E-06 communication module 1756-EN3TR B 10.23E-08 6.22E-04 redundant communication module 1756-CN2 B 20.88E-08 8770 5.007 ControlLogix-XT EtherNet/IP 269.00E-06 redundancy module 1756-RMXT(5) B 3.008 ControlLogix-XT EtherNet/IP 1.182 4.10E-07 2200 8.82E-06 988.79E-07 2.5-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.28E-08 applicable 8.503.005 ControlLogix ControlNet 1.65E-08 80% 6.84E-10 1.53E-08 5.00E-06 redundancy module 1756-RM2XT A 20.094 1.373.62E-08 9.14 1.36E-08 1.202 4.87E-07 96.36E-08 3.774 3.06E-05 module 1756-IA8D A 3.011 ControlLogix ControlNet 1.002 ControlLogix-XT Data Highway 2.85E-08 3.27E-07 2200 4.080 6.80E-08 2.91E-06 6.92E-08 4.00E-03 communication module 1756-CN2 C 25.096.44E-08 8770 3.6% 6.14 1.62E-08 1.980.006 ControlLogix EtherNet/IP Calculated 1.299 9.91E-06 6.664.91E-07 module Not applicable Non-interference only 1756-RM2 A 20.87E-07 96.011 ControlLogix-XT ControlNet 1.69E-07 3.52E-07 2200 5.31E-08 1.25E-08 1.003 ControlLogix-XT redundancy 980.July 2014 .33E-10 1.6% 6.68E-09 8770 9.87E-07 96.786.

003 FLEX I/O ControlNet redundant 8.63E-09 5.37E-05 thermocouple input module 1756-OA16I A 3.32E-07 8770 6.14E-08 8770 5.013 ControlLogix isolated analog 8.35E-08 6.25E-08 4.56E-08 4.97E-07 5850 3.24E-06 5850 8.997.30E-08 2.013 ControlLogix isolated RTD input 4.13E-04 1.19E-04 1.55E-07 2.34E-07 1.59E-05 input module 1756-IF6I A 1.013 ControlLogix isolated enhanced 2.03E-08 8770 3.94E-04 1.84E-07 5850 1.592.03E-07 5850 3.01E-07 7.39E-07 8770 3.30E-08 3.537.91E-08 5.013 ControlLogix isolated analog 2.65E-08 8770 1.005 ControlLogix analog output 10.50E-05 module 1756-OB8EI A 3.070 7.316 3.007 ControlLogix 2.22E-07 6.03E-04 7.002 ControlLogix HART analog input 442.79E-08 1.187 1.720.525 2.65E-08 8770 1.84E-07 80% 7.223.19E-08 8770 5.462.55E-05 module 1756-IF8H A 1.93E-08 1.08E-08 80% 2.002 ControlLogix V DC output 2.65E-07 2.57E-04 3.58E-07 2.66E-10 1.714 6.82E-08 8770 7.795 9.53E-07 1.080 3.63E-08 80% 2.39E-07 1.684 1.960 4.38E-09 3.43E-08 3.957.73E-08 3.94E-04 2.79E-10 1.15E-09 2.002 ControlLogix HART analog 5.69E-08 7.91E-08 2.92E-04 1.46E-08 1.86E-08 8770 1.54E-08 1.14.74E-10 1.24E-09 2.37E-07 8770 1.69E-09 1.99E-09 1.160 1.013 ControlLogix isolated analog 21.52E-08 80% 6.95E-09 8.71E-08 1.12E-09 8770 2.978 7.20E-08 2.67E-08 4.08E-08 80% 2.374 1.33E-08 2.43E-08 3.08E-07 2.311.90E-03 3.10E-07 8770 5.002 ControlLogix HART analog input 1.20E-07 80% 4.25E-08 80% 3.003 FLEX I/O-XT ControlNet adapter 8.005 ControlLogix analog input 8.74E-07 4.04E-03 7. 1.699.83E-07 5850 2.046 3.25E-04 1.329 9.71E-08 5.223.33E-08 1.08E-09 1.July 2014 131 .89E-07 3.94E-07 80% 1.38E-08 8770 9.55E-07 3.13E-04 module 1756-IF6CIS A 1.70E-05 adapter 1794-ACNR15XT D 10.914 2.84E-08 4.30E-08 1.60E-08 8770 6.013 FLEX I/O EtherNET/IP adapter.31E-08 80% 9.50E-05 output module 1756-OB16E A 3.77E-08 3.69E-09 3.73E-08 2.25E-09 4.635 1.059.18E-08 8770 1.06E-08 6.94E-07 80% 1.46E-08 2.05E-08 7.77E-08 80% 3.176.87E-09 1.003 ControlLogix V AC diagnostic 11.77E-07 8770 1.13E-08 3.150.58E-05 electronic ally-fused output module 1756-OX8I A 3.69E-05 thermocouple input module configurations 1756-IT6I2 A 1.71E-08 4.002 ControlLogix V DC isolated 14.77E-08 80% 2.21E-10 1.91E-08 4.49E-09 5.95E-07 5850 1.684 1.41E-07 5850 8.17E-07 80% 4.80E-04 1.80E-07 5850 1.26E-06 5850 8.13E-07 8770 3.884.268.56E-07 3.70E-08 9.604.12E-05 1756-IF8 A 1.013 ControlLogix isolated analog 4.53E-08 1.22E-09 2.26E-09 1.41E-08 4.37E-05 output module 1794-ACN15 D 10.39E-08 3.33E-08 80% 1.98E-07 7.695.51E-07 5850 9.891.002 ControlLogix V DC diagnostic 8.43E-08 2.07E-04 V DC Sequence Of Events input module 1756-IR6I A 1.43E-08 6.254 1.04E-08 1.019.013 ControlLogix isolated 3.42E-08 80% 1.02E-05 output module 1756-OF6CI A 1.456 3.87E-08 8770 7.200 7.08E-08 80% 2.99E-07 5850 6.002 ControlLogix V AC output 32.81E-07 80% 1.95E-07 9.26E-07 80% 5.89E-09 8.26E-06 5850 8.84E-04 module 1756-IF16 A 1.66E-05 output module 1756-OF8H A 1.09E-07 80% 4.22E-07 6.32E-07 80% 9.75E-07 5850 2.44E-07 5850 4.12E-09 1.88E-08 2.88E-07 5850 3.17E-09 2.08E-09 9.39E-10 1.30E-08 5.681.13E-04 1.81E-06 4.33E-04 4.17E-07 5850 7.388.223.13E-07 5.88E-05 module 1756-IF16H A 1.89E-07 3.87E-09 1.30E-08 4.39E-07 5850 8.48E-07 5850 2.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .65E-08 8770 7.96E-10 1.013 FLEX I/O EtherNET/IP adapter.12E-07 8770 2.005 ControlLogix V DC input module 10.32E-07 3.65E-08 80% 1.58E-08 8770 Not allowed for 1oo1 4. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1756-IB16ISOE A 2.007 ControlLogix isolated V DC 11.003 FLEX I/O ControlNet adapter 8.05E-10 6.69E-06 module 1756-OA8D A 3.87E-04 Ring media 1794-AENTRXT A 1.00E-08 2.20E-04 1.00E-08 8770 5.68E-07 1.38E-05 input module 1756-IH16ISOE A 2.53E-08 8770 1.26E-05 module 1756-IT6I A 1.43E-08 3.24E-09 2.70E-05 Not allowed for 1oo1 1794-AENT B 4.24E-04 2.25E-08 3.88E-04 1.95E-08 8770 1.39E-08 8770 3.05E-03 3.899 7.72E-07 9.43E-09 5.13E-06 80% 4. PFD and PFH Calculations for a SIL 2 System Appendix C Table 12 .35E-08 1.827 5.17E-07 5850 1.45E-08 8770 9.30E-08 7.96E-05 output module 1756-OB16D A 3.01E-05 output module 1756-OB32 A 3.75E-08 80% 2.185 2.07E-07 5850 6.65E-08 1.22E-07 6.779.30E-04 1794-AENTR A 1.64E-07 5850 1.291.12E-07 1.57E-08 80% 1.26E-09 2.67E-08 3.35E-07 6.87E-04 Ring media Rockwell Automation Publication 1756-RM001L-EN-P .720 4.04E-07 5850 2.003 FLEX I/O EtherNET/IP adapter 1.268.15E-07 5.63E-08 2.88E-08 4.70E-05 1794-ACNR15 D 10.002 ControlLogix isolated relay 6.13E-07 5850 2.98E-08 80% 2.354.24E-09 2.39E-08 5.35E-08 9.46E-08 1.62E-07 2.88E-07 80% 7.654.92E-07 5850 1.30E-08 3.667 1.629.87E-07 80% 1.95E-07 5850 1.92E-05 Sequence Of Events input module 1756-IB32 B 3.268.53E-07 5850 9.08E-05 module 1756-OF6VI A 1.79E-08 7.002 ControlLogix isolated relay 13.506 2.73E-07 1.91E-08 8.26E-06 1.64E-03 5.58E-08 2.06E-08 8770 1.118.86E-07 80% 7.69E-07 8770 configurations 8.70E-10 2.18E-07 1.33E-08 2.824 2.070 7.55E-04 3.39E-03 1.54E-08 1.70E-08 80% 1.01E-09 4.07E-08 1.760 8.95E-07 5850 1. 1.52E-07 6.74E-07 3.52E-07 9.43E-08 3.84E-08 1.41E-08 5850 4.65E-08 8770 1.92E-07 4.040 8.003 ControlLogix V DC electronic ally.002 ControlLogix V DC isolated 7.77E-08 2.55E-10 2.58E-07 2.37E-07 8770 1.04E-04 1.14E-07 5850 7.68E-05 output module 1756-OW16I A 3.46E-08 3.99E-09 8.65E-03 6.19E-07 1.61E-06 5850 3.47E-05 fused output module 1756-OB16I A 3.684 1.005 ControlLogix analog input 4.5-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.78E-08 80% 1.77E-07 1.86E-08 5850 3.59E-08 8770 9.20E-07 5.61E-05 output module 1756-OF8 A 1.65E-07 8.33E-08 80% 1.

00E-09 8770 configurations 1.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .26E-08 8770 configurations 6.01E-09 1.20E-09 80% 3.140 1.902 1.53E-07 5850 1.89E-07 5850 1. 100.64E-08 5.95E-08 5850 1.47E-10 1.19E-05 module 1794-IE8 B FLEX I/O analog input module 18.82E-07 9.09E-08 80% 8.70E-08 80% 1.041.77E-07 2.11E-08 8770 2.640 1.12E-08 8770 5.54E-08 4.02E-08 3.00E-10 2.42E-07 2.17E-08 4.518.55E-07 80% 1.13E-07 8770 configurations 1.13E-08 8770 1.08E-08 1.64E-08 5850 5.60E-08 5850 1.00E-09 80% 2.75E-08 8770 2.81E-10 3.40E-08 80% 5.37E-07 5850 8.202.10E-08 80% 3.49E-09 1.36E-07 5850 8.08E-09 1.50E-08 5850 2.27E-08 80% 9.13E-09 1.65E-10 1.914.52E-09 8770 2.24E-06 Not Applicable 24V DC protected output module 1794-OW8 A FLEX I/O isolated relay output 29.91E-09 5850 5.000 7.09E-08 80% 2.56E-06 module 1794-OW8XT A FLEX I/O-XT isolated relay output 18.46E-05 1794-IR8XT A K FLEX I/O-XT RTD input module 9.800.88E-09 1.918 1.89E-08 5850 1.20E-09 2.5-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.Appendix C PFD and PFH Calculations for a SIL 2 System Table 12 .771.49E-05 electronically-fused output module 1794-OB16 A FLEX I/O 24V DC output module 54.57E-10 1.00E-09 80% 2.19E-07 5850 1.71E-08 2.79E-08 4.57E-09 2.98E-08 8770 3.92E-06 IB10XOB6XT 24V DC input/output module Not 1794-OB8EP A Applicable FLEX I/O 24V DC electronically.027.62E-07 5850 1.37E-07 6.77E-08 3.99E-08 5.17E-05 Not 1794-IE8XT B Applicable FLEX I/O-XT analog input 14.744 8.58E-11 1.00 1.91E-09 1.519 5.68E-08 5850 5.97E-08 80% 3.464.46E-08 5850 5.72E-08 80% 6.59E-08 8770 8.24E-05 module 1794-IF4IXT A I FLEX I/O-XT isolated analog 7.06E-08 80% 2.770 5.128 8.82E-10 6.14E-06 5850 7.610 5.11E-09 1.87E-08 80% 7.05E-05 input module 1794-IR8 A K FLEX I/O RTD input module 5.03E-08 8770 1.22E-07 6.00E-09 3.344.37E-09 1.00E-09 3.493.016.00E-08 5.38E-08 80% 1.15 5.18E-07 5.09E-08 3.10E-04 module 1794-IF2XOF2I A I FLEX I/O isolated analog input/ 8.89E-05 configurations 1794-IP4 B 4 FLEX I/O counter module 22.62E-08 8770 8.74E-08 4.July 2014 .506.54E-10 9.35E-08 8770 7.12E-08 3.97E-06 1794-IJ2XT A E Not allowed for 1oo1 FLEX I/O-XT counter module 11.00E-09 3.39E-08 80% 1.189 2.26E-08 5850 4.40E-09 3.407.19E-07 5850 1.64E-08 8770 1.409 4.94E-05 module Not allowed for 1oo1 1794-OF4I A I FLEX I/O analog output module 23.433.03E-08 8770 1.24E-09 2.04E-07 5.42E-08 2.231 1.67E-09 8770 8.14E-07 5850 7.54E-08 8770 1.00E-08 5.71E-08 80% 1.204.097.85E-10 4.317.54E-08 2.76E-08 2.844 1.884.27E-08 80% 1.85E-08 80% 2.05E-05 input module 1794-IF4ICFXT A I FLEX I/O-XT isolated analog 7.63E-08 8770 8.40E-08 2.140 1.50E-08 5850 3.19E-06 fused output module 0 1794-OB8EPXT A FLEX I/O-XT 24V DC 14.61E-09 5.03E-09 80% 3.99E-08 5850 3.67E-07 5850 1.77E-10 8.44E-08 3.297.895 3.24E-08 80% 1.049 6.85E-08 80% 2.57E-05 module 1794-IF4I A I FLEX I/O isolated analog input 9.1 FLEX I/O RTD/Thermocouple 1.33E-10 1.91E-07 5850 1.70E-08 5850 4.000.11E-08 8770 2.00 1.885.21E-08 5850 4.56E-08 8770 1.714.53E-05 input/output module 1794-IE4XOE2XT B FLEX I/O-XT analog input/output 11.43E-07 8770 7.959 1.43E-09 8770 4.84E-08 9.91E-08 80% 3.03E-09 2.08E-07 5850 6.37E-07 6.42E-09 8770 2.802 8.401 3.00E-05 1794-IB10XOB6 A FLEX I/O 24V DC input/output 100.00E-08 5.91E-10 1.87E-09 4.64E-08 80% 1.36E-08 3.088.84E-10 1.31E-05 Not allowed for 1oo1 1794-IRT8 B E.11E-07 3.03E-08 8770 5.47E-08 4.44E-08 1.40E-09 3.20E-10 1.74E-08 4.56E-08 80% 1.35E-08 2.06E-09 2.62E-09 3.25E-08 80% 9.20E-05 1794-OE4XT B FLEX I/O-XT analog output 11.632 1.22E-06 Not 8 1794-IB16XT A Applicable FLEX I/O-XT 35.74E-08 1.269 7.91E-08 80% 2.792 1.000.95E-07 5850 1.59E-10 1.06E-08 1.297.66E-08 8770 1.67E-04 input module 1794-IRT8XT B E.14E-08 8770 1.38E-07 80% 9.487 4.509 4.69E-08 2.50E-08 2.1 FLEX I/O-XT RTD/Thermocouple 8.00E-09 80% 2.00E-09 8770 1.60E-08 5850 1.36E-08 8770 7.79E-09 80% 1.890 1.322.00E-10 2.21E-10 9. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1794-IB16 A FLEX I/O 24V DC input module 179.45E-10 1.07E-05 module 132 Rockwell Automation Publication 1756-RM001L-EN-P .54E-08 8770 1.46E-10 7.42E-08 2.00E-09 8770 1.60E-08 5850 1.381.19E-06 module 0 1794.62E-05 output module 1794-IF2XOF2IXT A I FLEX I/O-XT isolated analog 6.709.18E-06 24V DC input module 1794-IJ2 A D FLEX I/O counter module 55.587.04E-06 Not allowed for 1oo1 1794-OB16P A FLEX I/O 24V DC protected 100.87E-05 module 1794-OE4 B Not Applicable FLEX I/O analog output module 18. A FLEX I/O-XT 22.19E-06 output module 0 1794-OB16PXT A FLEX I/O-XT 26.68E-09 5.54E-08 1.00 1.81E-08 1.22E-08 80% 2.99E-07 9.01E-07 5.46E-08 8770 2.63E-07 5850 5.585.62E-09 8.22E-06 1794-OF4IXT A I FLEX I/O-XT analog output 5.000.06E-09 4.58E-07 7.29E-08 2.00E-10 2.81E-08 9.41E-07 5850 8.71E-05 input module 1794-IT8 A K FLEX I/O Thermocouple input 2.08E-08 1.19E-08 2.200 4.19E-07 5850 2.

19E-06 Not 0 Not allowed for 1oo1 1794-TB3T A Applicable FLEX I/O temperature terminal 100.73E-09 8770 3.000.127. (9) λ = Failure Rate = 1/MTBF.77E-07 0 1794-TB3G A FLEX I/O cage-clamp generic 100.000.00E-11 8.20E-06 temperature terminal base unit 1794-TBN A FLEX I/O NEMA terminal base 100.00E-08 5. -A7.00E-10 2.00E-10 2.00E-08 5.92E-10 4.000. Certificate Number 968/EZ/35.00E-10 2.60E-08 5850 1.com/ (2) Average of 1756-A4.00E-08 5.rockwellautomation. (10) Demand rate must be less than 10 per year Rockwell Automation Publication 1756-RM001L-EN-P .00E-09 80% 2.00 4.00E-09 8770 1.com/rockwellautomation/certification/safety. consult the Revision Release List.00E-09 3.19E-06 unit 0 1794-TBNF A FLEX I/O NEMA fused terminal 100. (7) MTBF measured in hours unless calculated (as noted).19E-06 terminal base unit 0 1794-TB3GS A FLEX I/O spring-clamp generic 100.00 1.00E-09 3.362.000 7.5-Year PFD Calculations Common Terms(8) 1oo1 Configuration 1oo2 Configuration Mean Time Firmware between Safe Cat No.000.00E-09 8770 1.00E-10 2.00E-09 3.000 0.60E-08 5850 1.A Not Analog Input Termination Board 11.00E-09 3.19E-06 base unit 0 1794-TB3TS A FLEX I/O spring-clamp 52.04E-08 1.20E-09 8770 6.00E-09 80% 2.00E-09 80% 2.56E-09 80% 3.60E-08 5850 1.00E-10 2.00 1.04E-08 Non-interference only Not Applicable Not Applicable 3(5) Applicable 1492-TIFM4OF.91E-08 9. These K versions have the same SIL 2 certification as the non-K versions.00E-09 8770 1.00E-09 2. -A13 and -A17 chassis.00E-08 5.60E-08 5850 1.00E+00 24-2(5) (1) Some catalog numbers have a K suffix.page.00E-09 8770 1.40E-09 5850 4. (5) SIL 2-rated for non-interference in the chassis.000 7.000.00E-09 80% 2.00E-08 5.00E-09 80% 8.(1) Version(6) Description Failure Spurious Spurious Failure λ(9) λs .00E+00 0.00 1.00 1.00E-10 2.312.com. A DC Input Termination Board 7. Data not required within a safety function.00E-09 80% 2. (6) For the latest official approved firmware versions.779. λd λdu λdd TCE1oo1 Trip Rate PFH(10) PFD Trip Rate TGE PFH(10) PFD Series (MTBF)(7) Fraction STR STR (SFF) 1794-TB3 A FLEX I/O terminal base unit 250. (8) Calculations performed on a per module basis.00E-09 80% 2. (3) Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1 (4) Calculated MTBF and PFD by FMEA to 61508-2010.00 1.00 1. PFD and PFH Calculations for a SIL 2 System Appendix C Table 12 .60E-08 5850 1. For more information on which products have conformal coating go to http://ab.00E-10 1.00E-09 3. Field return values – January 2012.03E-07 F24A-2(5) 1492-TAIFM16-F.19E-06 terminal base unit 0 1794-TB3S A FLEX I/O terminal base unit 100.xx/xx available at http://www.rockwellautomation.19E-06 base unit 0 1492-TIFM40F.82E-09 5.00E-09 8770 configurations 1.60E-08 5850 1.000.00E-09 8770 1. This indicates a version of the product that has conformal coating.000 1. -A10.000.00E-08 5. A DC Output Termination Board 10.July 2014 133 .00E-09 3.06E-08 5850 1.90E-08 7.

controller chassis 6. Description Calculated 1756-IB16D ControlLogix V DC diagnostic input module 1.46E-06 (1oo2) 1756-EN2TR ControlLogix EtherNet/IP communication module . Table 13 .Appendix C PFD and PFH Calculations for a SIL 2 System Using Component Values To The system PFD value is calculated by totaling the PFD value of each component in the system.00E-04 (1oo1) Series C 1756-L72 ControlLogix controller. To calculate a system PFD value. No.controller chassis 3. When calculating your system PFD. Example: 1-year PFD Calculation for a ControlLogix System (1oo1 Configuration) This example shows an example of a PFD calculation for a traditional ControlLogix system in a fail-safe configuration. verify that all the components used in the system are totaled. 4 MB 4. No. use this equation: Calculate System PFD • modA PFD + modB PFD + modC PFD = system PFD where modX PFD is the PFD value for one component or module in the system.97E-06 (1oo2) Total safety loop PFD: 4.July 2014 .11E-06 (1oo2) Series C 1756-L72 ControlLogix controller.69E-04 Percent of SIL 2 budget: 4.I/O chassis 3.97E-06 (1oo2) Total safety loop PFD: 1. Description Calculated 1756-IB16D ControlLogix V DC diagnostic input module 1.Example of PFD Calculations for a Fail-safe System (1oo1 Configuration) Cat.00E-04 (1oo1) Series C 1756-OB16D ControlLogix V DC diagnostic output module 4.46E-06 (1oo2) 1756-EN2TR ControlLogix EtherNet/IP communication module .11E-06 (1oo2) Series C 1756-OB16D ControlLogix V DC diagnostic output module 4.056E-03 Percent of SIL 2 budget: 10. Cat.69% 134 Rockwell Automation Publication 1756-RM001L-EN-P . This example system uses one chassis for the controller and a second chassis for the I/O.I/O chassis 6.50E-04 (1oo1) 1756-EN2TR ControlLogix EtherNet/IP communication module .50E-04 (1oo1) 1756-EN2TR ControlLogix EtherNet/IP communication module .56% Example: 1-year PFD Calculation for a ControlLogix System (1oo2 Configuration) See Figure 6 on page 20 for a system diagram of the example calculation shown below. 4 MB 4.

Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications Approved 1756 I/O modules may be used in a 1oo1 architecture. Then. • You must consider the time it takes a diagnostic to execute when determining the safety reaction time because safety demands will not be detectable if they occur during a diagnostic. You need to consider and mitigate any impact to your system while the diagnostic is executing. when the output turns back on.July 2014 135 . you must follow the guidelines listed in Table 14 on page 138. in addition to following the guidelines in Table 14. ControlLogix I/O Modules. Rockwell Automation Publication 1756-RM001L-EN-P . you must also implement appropriate field diagnostics as defined below: • Field diagnostics must execute once every eight hours. make sure that all SIL 1 inputs properly detect the change. If you plan to use 1794 FLEX I/O modules in a SIL 1 1oo1 configuration. The diagnostic you implement must monitor the ability of all SIL 1 inputs to detect a change of state. One method would be to turn off the output and monitor that all SIL 1 inputs detect the loss of signal within a short period of time. however. See the SIL 2 output guidelines in Chapter 5.SIL 1 Digital Input Wiring Example for 1794 I/O Modules Field Power Field Devices 1 SIL1 Output SIL1 Input 1 2 SIL1 Input 2 3 SIL1 Input 3 TIP Field diagnostics as described for 1794 I/O modules can also be used to meet the requirements for periodic proof testing with either 1794 or 1756 I/O modules. • An output or other sensing device must be used to provide field power control to the digital inputs. Figure 64 .

.5 m. Reference Voltages Analog Input Module DIP Switch for Sensor Wiring Precision 249  Resistor Terminal Block 1. Terminal Block 2. 010=1.0 m.July 2014 . Figure 65 . Terminal Block 1.SIL 1 1756 Analog Input Wiring Example (Simplex) 1756 Analog Input Module Input Values from Field Devices All configured for 0.20 mA Current Mode Output from 1756-OB16D Module Pair Trigger Reference Tests = 0 (Off) Two-wire Transmitter xxx is cable length (005=0. 025=2.0 m). Terminal Block 2. 136 Rockwell Automation Publication 1756-RM001L-EN-P .. 1756 Analog Input Module Solid-state switch controlled 1492-CABLExxxUA(1) to 1756 by DC output. 050=5.5 m.. Row C Row C Row B Row B Two-wire Transmitters Operating in 4.5V operation..Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications Termination boards 1492-TIFM16-F-3 can be used to provide a voltage reference for periodic testing as shown below.

Terminal Block 2. follow the termination board pinout shown below.. Row C Row C Row B Row B Two-wire Transmitters Operating in 4... Terminal Block 2. Terminal Block 1.. Reference Voltages User-supplied cable DIP Switch for Sensor Wiring Precision 249  Resistor Terminal Block 1.20 mA Current Mode Output from 1756-OB16D Module Pair Trigger Reference Tests = 0 (Off) Two-wire Transmitter To make your own cable. P1 Pins Description 3 Input 0 2 Input 1 1 Input 2 14 Input 3 15 Input 4 16 Input 5 17 Input 6 18 Input 7 12 Input 8 13 Input 9 25 Input 10 24 Input 11 23 Input 12 22 Input 13 Rockwell Automation Publication 1756-RM001L-EN-P .SIL 1 1794 Analog Input Wiring Example (Simplex) 1756 Analog Input Module Input Values from Field Devices All configured for 0. Using ControlLogix and FLEX I/O Modules in SIL 1 Applications Appendix D Figure 66 . Solid-state switch controlled by DC output.5V operation.July 2014 137 .

Implement a secondary shutdown path if the SIL1 application requires a fail-safe OFF in the event of a shorted output. Digital input modules(2) Only one module is required in a SIL1 application. you must implement a secondary means to shut off the outputs. Use the modules exactly as described previously in this manual. (2) The test interval of module inputs must be specified according to application-dependent standards. (2) Analog input modules Only 1 module is required in a SIL1 application. (1) Analog output modules Analog output modules should be wired as described previously in this manual. Periodic tests of the inputs should be performed as described previously in this manual. 138 Rockwell Automation Publication 1756-RM001L-EN-P . Table 14 . follow the guidelines listed in this safety manual. Use the modules exactly as described previously in this manual. according to EN50156. Use the controller exactly as described previously in this manual.July 2014 . Periodic tests of the inputs should be performed as described previously in this manual. the time for fault detection and tripping must be less than or equal to the fault tolerance time. ControlNet modules None. (1) The user should be alerted to any detected output failures. Ethernet modules None. Table 14 lists additional considerations that must be made with various ControlLogix modules in a SIL1 application. For example.Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications P1 Pins Description 20 Input 14 21 Input 15 4 RTN 6 RTN 8 RTN 10 RTN When using controllers and network communication modules.Considerations for SIL1 Applications by Module Module Additional considerations Controllers None. (1) Digital output modules Diagnostic output modules are recommended in a SIL1 application. IMPORTANT When using 1756 or 1794 outputs in SIL 1 configurations.

com) for your safety application? 2 Have you calculated the system’s response time? 3 Does the system’s response time include both the user-defined. (1) For more information on the specific tasks in this checklist. If used as a planning guide. programming and start up of a SIL 2-certified ControlLogix system. Check List for ControlLogix System(1) Company: Site: Loop definition: No. SIL-task program watchdog (software watchdog) time and the SIL-task duration time? 4 Is the system response time in proper relation to the process tolerance time? 5 Have PFD values been calculated according to the system’s configuration? 6 Have you performed all appropriate proof tests? 7 Have you defined your process parameters that are monitored by fault routines? 8 Have you determined how your system will handle faults? 9 Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 140 and 142. It may be used as a planning guide as well as System during proof testing.July 2014 139 . Appendix E Checklists Topic Page Checklist for the ControlLogix System 139 Checklist for SIL Inputs 140 Checklist for SIL Outputs 142 Checklist for the Creation of an Application Program 143 Checklist for the ControlLogix The following checklist is required for planning. Fulfilled Comment Yes No 1 Are you only using the SIL 2-certified ControlLogix modules with the corresponding firmware release listed in Revision Release List (available from the Product Certification link at http://www. Rockwell Automation Publication 1756-RM001L-EN-P . see the previous sections in the chapter or Chapter 1. SIL Policy on page 13. the checklist can be saved as a record of the plan.ab.

are enabled diagnostic bits monitored by fault routines? 6 For the diagnostic input modules. Input Module Check List for ControlLogix System Company: Site: Loop definition: SIL input channels in the: No. Additional Digital Input Module-Only Requirements Yes No Comment 1 When two digital input modules are wired in the same application. an individual checklist can be filled in for every single SIL input channel in a system. the checklist can be saved as a record of the plan. This is the only way to make sure that the requirements were fully and clearly implemented. For programming or start-up. is the Communication Format set to Full Diagnostics-Input Data? 4 For the diagnostic input modules. RPI.Appendix E Checklists Checklist for SIL Inputs The following checklist is required for planning. • The operational state is ON. is the Communication Format set to one of the Input Data choices? 3 For the diagnostic input modules. • Sensors are wired to separate input points. diagnostics and alarming functions performed in sequence in application logic? 7 For applications using FLEX I/O modules. If used as a planning guide. are all diagnostics enabled on the module? 5 For the diagnostic input modules. do the following conditions exist: • Both modules are owned by the same controller. and is appropriate action invoked via the application logic by these bits? No. both module are on different ControlNet nodes 2 For the standard input modules. It may be used as a planning guide as well as during proof testing. All Input Module Requirements (apply to both digital and analog input modules) Yes No Comment 1 Is Exact Match selected as the electronic keying option whenever possible? 2 Is the RPI value set to an appropriate value for your application? 3 Are all modules owned by the same controller? 4 Have you performed proof tests on the system and modules? 5 Have you set up the fault routines? 6 Are control. OFF. is the application logic monitoring one ControlNet status bit for the associated module. programming and start up of SIL inputs. filter values) are identical. • The non-operational state is. • For FLEX input modules. This checklist can also be used as documentation on the connection of external wiring to the application program.July 2014 . • Configuration parameters (for example. is the connection to remote modules a direct connection? 140 Rockwell Automation Publication 1756-RM001L-EN-P .

are loop devices placed properly? 8 When wiring thermocouple modules in parallel. Additional Analog Input Module-Only Requirements Yes No Comment 1 Is the Communication Format set to Float Data? 2 Have you calibrated the modules as often as required by your application? 3 Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence within an acceptable range and that redundant data is used properly? 4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition? 5 When two FLEX I/O analog input modules are wired in the same application. Checklists Appendix E Input Module Check List for ControlLogix System No. are both module on different ControlNet nodes? 6 When wiring an analog input module in Voltage mode. as shown in Figure 34 on page 65? Rockwell Automation Publication 1756-RM001L-EN-P . are two sensors used. are transmitter grounds tied together? 7 When wiring an analog input module in Current mode.July 2014 141 . have you wired to the same channel on each module as shown in Figure 33 on page 64? 9 When wiring two RTD modules.

If used as a planning guide. This is the only way to make sure that the requirements are fully and clearly implemented. It may be used as a planning guide as well as during proof testing. Digital Output Module-Only Requirements Yes No Comment 1 For the standard output modules. used in the same application. have you used external relays in your application to disconnect module power if a short or other fault is detected on the module or isolated output in series? 6 Is the control of the external relay implemented in ladder logic? 7 Have you examined the Output Data Echo signal in application logic? 8 Are all outputs configured to de-energize in the event of a fault or the controller entering Program mode? 9 Do two modules of the same type. is the connection to remote modules a direct connection? 142 Rockwell Automation Publication 1756-RM001L-EN-P . the checklist can be saved as a record of the plan. programming and start up of SIL outputs. have you periodically performed a Pulse Test to make sure that the output is capable of change state? 7 For diagnostic output modules. are all diagnostics enabled on the module? 4 For the diagnostic output modules. including comparing output data with a corresponding input point? 5 If required.Appendix E Checklists Checklist for SIL Outputs The following checklist is required for planning.July 2014 . are enabled diagnostic bits monitored by fault routines? 5 For the diagnostic output modules. diagnostics and alarming functions performed in sequence in application logic? No. is the Communication Format set to Output Data? 2 For standard output modules. This checklist can also be used as documentation on the connection of external wiring to the application program. use identical configurations? 10 Does one controller own both modules if two of the same type are used in an application? 11 Are control. Output Check List for ControlLogix System Company: Site: Loop definition: SIL output channels in the: No. is the Communication Format set to Full Diagnostics-Output Data? 6 For diagnostic output modules. For programming or start-up. All Output Module Requirements Yes No Comment: (apply to both digital and analog output modules) 1 Have you performed proof tests on the modules? 2 Is Exact Match selected as the electronic keying option whenever possible? 3 Is the RPI value set to an appropriate value for your application? 4 Have you set up fault routines. have you wired the outputs to a corresponding input to validate that the output is following its commanded state? 3 For the diagnostic output modules. an individual requirement checklist must be filled in for every single SIL output channel in a system.

Analog Output Module Requirements .Analog Only Yes No Comment 1 Is the Communication Format set to Float Data? 2 Have you calibrated the modules as often as required by your application? 3 When wiring an analog output module in Current mode. before and after loading the new or modified program. an Application Program Checklist for Creation of an Application Program Safety Manual ControlLogix System Company: Site: Project definition: File definition / Archive number: Notes / Checks Yes No Comment Before a Modification Are the configuration of the ControlLogix system and the application program created on the basis of safety aspects? Are programming guidelines used for the creation of the application program? After a Modification .Before Loading Has a review of the application program with regard to the binding system specification been carried out by a person not involved in the program creation? Has the result of the review been documented and released (date/signature)? Was a backup of the complete program created before loading a program in the ControlLogix system? After a Modification .After Loading Was a sufficient number of tests carried out for the safety relevant logical linking (including I/O) and for all mathematical calculations? Was all force information reset before safety operation? Has it been verified that the system is operating properly? Have the appropriate security routines and functions been installed? Is the controller keyswitch in Run mode and the key removed? Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 143 . Checklists Appendix E Output Check List for ControlLogix System No. are loop devices placed properly? 4 Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault routines to handle the fault condition? Checklist for the Creation of The following checklist is recommended to maintain safety technical aspects when programming.

July 2014 .Appendix E Checklists Notes: 144 Rockwell Automation Publication 1756-RM001L-EN-P .

direct 51 application program rack-optimized 51 Control and Information Protocol (CIP) 9 programming languages 90 SIL task/program instructions 94 control function applications specification 92 boiler 16 CONTROLLERDEVICE object 101 combustion 16 controllers gas and fire 14 requirements 40 ControlLogix analog input modules B alarms 58. fault-tolerant 25 analog output modules high-availability 24 connections See ControlLogix analog output modules. 68 cable 44 chassis 41 repeater module 44 chassis adapter 41 coordinated system time 45 checklists 139 CIP. CL SIL 2 31 D combustion applications 16 data echo 34. 53 commissioning life cycle 96 Rockwell Automation Publication 1756-RM001L-EN-P .July 2014 145 . 101 FLEX I/O 115-116 analog input modules configurations See ControlLogix analog input modules. See FLEX I/O analog output modules. fail-safe 17 See FLEX I/O analog input modules. See Control and Information Protocol. 101 boiler applications 16 calibrate 58 ownership 60 wiring 60 C analog output modules calibrate 67 cable ownership 69 ControlNet network 44 wiring 69 calculations digital input modules 1-year PFD 119 requirements 51 2-year PFD 124 wiring 51 5-year PFD 129 digital output modules explanation of 118 requirements 53 PFD 117 wiring 54 calibrate RTD input modules 1756 analog input modules 58 wiring 64 1756 analog output modules 67 thermocouple input modules 1794 analog input modules 78 wiring 64 1794 analog output modules 84 ControlNet communication modules certification 31 diagnostic coverage 44 change parameters 104 ControlNet network 36 channel status 1756 communication modules 43 1756 components 44 monitoring 59. Index Numerics communication ControlNet components 44 1oo1 architecture 135 data echo 34 1oo1 configuration 118 Data Highway Plus . 90 1756 chassis 41 alarms 1756 power supply 41 1756 analog input modules 58.Remote I/O components 1oo2 configuration 118 45 1-year PFD calculations 119 EtherNet/IP components 45 2-year PFD calculations 124 field-side output verification 34 network 36 5-year PFD calculations 129 requirements 46 output data echo 53 SynchLink modules 45 A compliances 31 actuators 93 components Add-On Instructions 49.

Index

Data Highway Plus - Remote I/O 43 FLEX I/O
components 45 analog input modules
network 43, 45 calibrate 78
DCS. See Distributed Control System wiring 80
DH+. See Data Highway Plus. analog output modules
DHRIO. See Data Highway Plus - Remote I/O calibrate 84
wiring 87
diagnostic coverage components 115-116
ControlNet communication modules 44 digital input modules
defined 9 wiring 74
digital input modules digital output modules
See ControlLogix digital input modules. wiring 76
See FLEX I/O digital input modules. EN 50156 standard 16
digital output modules module fault reporting 74, 75, 76, 78, 85
See ControlLogix digital output modules. RTD input modules
See FLEX I/O digital output modules. wiring 83
direct connection 51 terminal base units 116
Distributed Control System 45 thermocouple input modules
wiring 82
duplex configurations 17 floating-point data format 58, 67
enhanced availability 49 forcing via software 94
fault-tolerant
safety loop 25
fault-tolerant systems 17
logic solver 17 G
safety loop 24 gas and fire applications 14
Get System Value (GSV)
defined 9
E keyswitch position 101
edit GSV. See Get System Value (GSV).
application program 97, 98
emergency shutdown applications 13, 14, 17,
54, 68 H
EN 50156 16 hardware
ESD. See emergency shutdown (ESD) 1756 chassis 41
applications. 1756 power supply 41
EtherNet/IP network 37 HART analog input modules 65-66
1756 communication modules 43 wiring 65
components 45 HART analog output modules 71
wiring 71
high-availability configuration 24
F HMI
fail-safe configuration changing parameters via 104
about 17 devices 17, 46, 103
fault detection 99-101 use and application 103-105
hold last state 14
fault handling
additional resources 102
detection of faults 99-101 I
fault reporting 33, 100
1794 analog input modules 78 I/O modules
1794 analog output modules 85 calibrate 58
1794 digital input modules 74 fault reporting 100
1794 digital output modules 75, 76 proof test
additional resources 102 1756 analog input modules 58
detection of faults 99-101 1756 analog output modules 67
fault-tolerant configuration 25 1756 digital input modules 51
field devices 1756 digital output modules 53
1794 analog output modules 84
testing 51 1794 digital input modules 73
field-side output verification 34 1794 digital output modules 75
fire wiring
considerations for 14 1756 analog input modules 60
1756 analog output modules 69

146 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

Index

1756 digital input modules 51 ownership
1756 digital output modules 54 1756 analog input modules 60
1756 RTD input modules 64 1756 analog output modules 69
1756 thermocouple input modules 64 1756 digital input modules 51
1794 analog input modules 80 1756 digital output modules 54
1794 analog output modules 87
1794 digital input modules 74
1794 digital output modules 76 P
1794 RTD input modules 83
1794 thermocouple input modules 82 PADT. See Programming and Debugging Tool.
HART analog input modules 66 parameters
HART analog output modules 71 changing 104
IEC 61131-3 89 reading 103
IEC 61508 13, 28, 118 peer-to-peer communication 43
IEC 61511 13, 97, 98, 105 requirements 46
interface PFD. See Probability of Failure on Demand.
HMI use and application 103-105 position
keyswitch 100
power supply 41
K redundant 41
KEYSTATE word 101 Probability of Failure on Demand (PFD)
keyswitch 35, 40, 91 1-year calculations 119
2-year calculations 124
checking position 100 5-year calculations 129
calculations 117, 118
defined 10
L values 118
life cycle produce and consume data 47
commissioning 96 program
logic changes 97
developing 93 development life cycle 96
Logix CPU Security 90 editing 97
edits 97, 98
identification 94
M language 90, 93
logic 93
manual override circuit 15 online 97
Mean Time Between Failures (MTBF) SIL 2 89
defined 9 Programming and Debugging Tool (PADT) 14,
Mean Time To Restoration (MTTR) 89
defined 10 defined 10
modes 39 proof test 28, 73, 75, 84
module fault reporting 33, 100 1756 analog input modules 58
monitor 1756 analog inputs 58
channel status 59, 68 1756 analog output modules 67
motion 94 1756 analog outputs 67
MTBF. See Mean Time Between Failures 1756 digital inputs 51
1756 digital output modules 53
(MTBF). 1756 digital outputs 53
MTTR. See Mean Time To Restoration. redundancy systems 29
pulse test 35
N
network update time 31 R
NFPA 85, NFPA 86 16 reaction time 30
See also worst-case reaction time.
reading parameters 103
O repeater modules 44
operating modes 39 reporting
output data echo module faults 33
digital outputs and 53 requested packet interval 33
response time 30, 107-110

Rockwell Automation Publication 1756-RM001L-EN-P - July 2014 147

Index

routine source protection 90 SynchLink modules 43, 45
RS AssetCentre 90 system PFD
RSLogix 5000 software 35 example 134
commissioning life cycle 96 system validation test
editing in 98 See proof test.
forcing 94
general requirements 89-143
program changes 97 T
programming languages 90 tags 91
security 90
SIL 2 programming 89 terminal base units
SIL task/program instructions 94 FLEX I/O 116
RSNetWorx for ControlNet software 36 tests
RTD input module 1756 analog input modules 58
See ControlLogix RTD input module. 1756 analog output modules 67
See FLEX I/O RTD input module. 1756 digital output modules 53
application logic 94
field devices 51
S proof 28
pulse 35
safety certifications 31 thermocouple input module
safety instrumentation system (SIS) See ControlLogix thermocouple input module.
safety task See FLEX I/O thermocouple input module.
See SIL task.
safety watchdog 31
security via software 90 V
sensors 93 verify
serial download and operation 95
communication 36
port 36
SIL 1 applications 135 W
SIL 2 watchdog 31
certification 31 wiring
nonredundant system components 112 1756 analog input modules 60
programming 89 1756 analog output modules 69
safety data 47 1756 digital input modules 51
SIL task 94 1756 digital output modules 54
simplex configurations 17 1756 RTD input modules 64
safety loop 17 1756 thermocouple input modules 64
SIS. See safety instrumentation system (SIS). 1794 analog input modules 80
1794 analog output modules 87
software 1794 digital input modules 74
commissioning life cycle 96 1794 digital output modules 76
forcing 94 worst-case reaction time 30, 107
general requirements 89-143 analog modules 110
program changes 97 digital modules 108
programming languages 90
RSLogix 5000 35
security 90 X
SIL 2 programming 89
SIL task/program instructions 94 XT components 115
watchdog 31 ControlLogix 115
switchover 29, 30, 31 FLEX I/O 115, 116

148 Rockwell Automation Publication 1756-RM001L-EN-P - July 2014

.

However. follow these procedures. New Product Satisfaction Return Rockwell Automation tests all of its products to help ensure that they are fully operational when shipped from the manufacturing facility.July 2014 Supersedes Publication 1756-RM001K-EN-P . United States Contact your distributor.. İstanbul.440. publication RA-DU002. Installation Assistance If you experience a problem within the first 24 hours of installation. Rockwell Otomasyon Ticaret A.rockwellautomation. review the information that is contained in this manual. configuration.S.646. sample code.rockwellautomation. and troubleshooting. Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy. complete this form. United States or Canada 1.3434 Outside United States or Canada Use the Worldwide Locator at http://www.Rockwell Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products.rockwellautomation. You must provide a Customer Support case number (call the phone number above to obtain one) to your distributor to complete the return process. You can also visit our Support Center at https://rockwellautomation. or visit http://www. Printed in the U. and to sign up for product notification updates.rockwellautomation. Rockwell Automation maintains current product environmental information on its website at http://www. Inc. All rights reserved. Documentation Feedback Your comments will help us serve your documentation needs better.com/support you can find technical and application notes. If you have any suggestions on how to improve this document.com/ for software updates.com/services/online-phone.page. In addition.com/literature/. FAQs. Tel: +90 (216) 5698400 Publication 1756-RM001L-EN-P . if your product is not functioning and needs to be returned.Ş.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.com/rockwellautomation/support/overview.A.page. or contact your local Rockwell Automation representative. contact your local distributor or Rockwell Automation representative.custhelp.March 2014 Copyright © 2014 Rockwell Automation. available at http://www. . For more information.rockwellautomation. and links to software service packs. we offer multiple support programs for installation. At http://www. support chats and forums. You can contact Customer Support for initial help in getting your product up and running. technical information. Outside United States Please contact your local Rockwell Automation representative for the return procedure.