
SIL Policy Chapter 1

Typical SIL 2 Configurations

SIL 2-certified ControlLogix systems can be used in standard (simplex) or high-availability (duplex) configurations. For the purposes of documentation, the various levels of availability that can be achieved by using various ControlLogix system configurations are referred to as simplex or duplex. When using a duplex ControlLogix configuration, the ControlLogix controller remains simplex (1oo1) from a safety perspective.

This table lists each system configuration and the hardware that is part of the safety loop.

System Configuration                            Safety Loop Includes
Simplex Configuration (page 17)                 • Single controller
                                                • Single communication module
                                                • Dual I/O modules
Duplex Logic-Solver Configurations (page 27)    • Dual controllers
                                                • Dual communication modules
                                                • Dual I/O modules
Duplex System Configuration (page 31)           • Dual controllers
                                                • Dual communication modules
                                                • Dual I/O modules
                                                • I/O termination boards

IMPORTANT The system operator is responsible for the following tasks when any of the
ControlLogix SIL 2 system configurations are used:
• The setup, SIL rating, and validation of any sensors or actuators that are
connected to the ControlLogix control system
• Project Management and functional testing
• Programming the application software and the module configuration
according to the descriptions in this manual
The SIL 2 portion of the certified system excludes the development tools
and display/human machine interface (HMI) devices; these tools and
devices must not be part of the safety loop.

Simplex Configuration

In a simplex configuration, the hardware that is used in the safety loop is programmed to fail to safe. The failure to safe is typically an emergency shutdown (ESD) where outputs are de-energized.

Figures 2 …9 each show typical simplex SIL loops for limited high demand
applications with up to 10 demands per year. The figures show the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop

SIL 2 I/O modules in the safety loop must meet the requirements that are specified in Chapter 5, ControlLogix I/O Modules, and Chapter 6, FLEX I/O Modules. Chassis within the SIL 2-certified ControlLogix safety loop can contain modules that are not used within SIL safety functions, if these modules are listed in the SIL 2-certified ControlLogix System Components on page 121.

Rockwell Automation Publication 1756-RM001O-EN-P - March 2017 17



This table defines the module abbreviations used in the graphics in this section.

Table 2 - Legend for the Module Abbreviations

Item     Description
DIAGO    Diagnostic Output Module
IN       Input Module
ISOLO    Isolated Output Module
MONIN    Monitoring Input Module
Out      Non Diagnostic Output Module
RLY      Relay Module
RM       ControlLogix Redundancy Module


Figure 2 - Single-chassis Configuration

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Controller Chassis (Logix5570 controller, EtherNet/IP module, DC input and DC output modules); Sensor; Actuator; Monitoring input module; Non-isolated digital output modules; Standard Communication.]

1756 SIL 2 I/O module pairs can be in the same chassis because only SIL 2-capable hardware is within the controller chassis. The number on the label identifies a module pair in a 1oo2 configuration (Module A and Module B). For example, Input 1A and Input 1B are a 1oo2 duplex module pair.
• See Figure 6 on page 23 for additional information on how to wire field devices.

Chassis within the 'SIL2 certified ControlLogix Safety Loop' can have modules that
are not being used within SIL2 safety functions, if these modules are listed in the SIL
2-certified ControlLogix System Components on page 121.


Figure 3 - Fail-safe ControlLogix EtherNet/IP DLR Configuration

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Controller Chassis (Logix5570 controller, EtherNet/IP modules, DC input and DC output modules); Remote I/O Chassis (EtherNet/IP adapter, DC input and DC output modules); Sensor; Actuator; Standard Communication Remote I/O Chassis on a separate EtherNet/IP network.]

1756 SIL 2 I/O module pairs can be in the same chassis because non-SIL 2 hardware is on a separate network.
• See Figure 6 on page 23 for additional information on how to wire field devices.


Figure 4 - Fail-safe ControlLogix ControlNet Configuration (Safety and Standard Connections on the Same Network)

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Controller Chassis (Logix5570 controller, ControlNet modules, DC input and DC output modules); Remote I/O Chassis (ControlNet adapter, DC input and DC output modules); ControlNet; Standard Communication Remote I/O Chassis on the second ControlNet network.]

Dual networks are required because one of the two networks includes non-SIL2 hardware. The
1756 SIL2 I/O module pairs must be split over two networks.
• See Figure 6 on page 23 for additional information on how to wire field devices.


In Figure 5, non-SIL 2 communication on separate subnets lets you place redundant channel I/O in the same rack.

Figure 5 - Fail-safe ControlLogix ControlNet Configuration with Non-SIL 2 Communication (Safety and Standard Connections on Separate Networks)

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Controller Chassis (Logix5570 controller, EtherNet/IP module, ControlNet modules, DC input and DC output modules); Remote I/O Chassis (ControlNet adapter, DC input and DC output modules); ControlNet; Standard Communication Remote I/O Chassis on a separate ControlNet network.]

1756 SIL 2 I/O module pairs can be in the same chassis because non-SIL 2 hardware is on a separate network.
• See Figure 6 on page 23 for additional information on how to wire field devices.


Figure 6 - Fail-safe ControlLogix EtherNet/IP Configuration: Single DLR Loop for Safety and Standard Communication

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Controller Chassis (Logix5570 controller, EtherNet/IP modules, DC input and DC output modules); two Remote I/O Chassis (EtherNet/IP adapter, DC input and DC output modules, Isolated Output module); Standard Communication EtherNet/IP DLR; Relay; +V; Input Device; Actuator.]

The DLR mixes SIL2 and non-SIL2 hardware. Independent paths are required to the SIL2 I/O module pairs. The
1756 adapters and I/O module pairs can be placed into one chassis or split among two. Splitting them over two chassis
is shown.

See IMPORTANT on page 24 for additional information about SIL2 requirements.

Unused channels on a SIL 2 input module pair can be used as the monitoring input. There is no need for the monitoring input to be wired to both input modules in a SIL 2 module pair. A separate monitoring input module is not required.


Duplex System Configuration

This configuration of the ControlLogix system uses fully redundant controllers, communication modules, and remote I/O devices to achieve enhanced availability.

Figure 13 - Duplex System EtherNet/IP Configuration

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; ControlLogix Primary Chassis and ControlLogix Secondary Chassis (each with Logix5570 controller, EtherNet/IP modules, redundancy module (RM), DC input and DC output modules); EtherNet/IP; non-SIL 2 EtherNet/IP connections; I/O Chassis A and I/O Chassis B (EtherNet/IP adapter, DC input and DC output modules); Analog Input Termination Board; Digital Input Termination Board; Digital Output Termination Board; Field Device.]

See the ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions, publication 1756-AT012, for additional information about this SIL 2 application solution. This publication explains how to configure a SIL 2-certified system by using Add-On Instructions and hardware termination boards.


Figure 14 - Duplex System ControlNet Configuration

[Figure not reproduced in this text. Labels: Overall Safety Loop; SIL 2-certified ControlLogix Safety Loop; Primary ControlLogix Chassis and Secondary ControlLogix Chassis (each with Logix5570 controller, ControlNet and EtherNet/IP modules, redundancy module (RM), DC input and DC output modules); ControlNet; non-SIL 2 EtherNet/IP connections; I/O Chassis A and I/O Chassis B (ControlNet adapter, DC input and DC output modules); Analog Input Termination Board; Digital Input Termination Board; Digital Output Termination Board; Field Device.]

The duplex system configuration uses safety and programming principles that are
described in this manual, and programming and hardware that is described in the
application technique manuals.

For more information about the ControlLogix SIL 2-certified system including
termination boards and Add-On Instructions, see the ControlLogix SIL 2
System Configuration Using SIL 2 Add-On Instructions,
publication 1756-AT012.


Proof Tests

IEC 61508 requires that you perform various proof tests of the equipment that is used in the system. Proof tests are performed at user-defined times (for example, proof test intervals can be once a year, once every 2 years, or whatever time frame is appropriate based on the SIL verification calculation) and could include some of the following tests:

• Test all safety application-fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises.

• Test all digital input or output channels to verify that they are not stuck in
the ON or OFF state.

– Manually cycle inputs to make sure that all inputs are operational and
not stuck in the ON state.
– Manually test outputs that do not support runtime pulse testing.
– You can automatically perform proof tests by switching ground open on input modules and checking that all input points go to zero (turn OFF).
• The relays in the redundant power supplies must be tested to make sure
that they are not stuck in the closed state.

• Calibrate analog input and output modules to verify that accurate data is
obtained from and used on the modules.
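The digital-input proof-test steps above (cycle each input and confirm no channel is stuck ON or OFF; open the module ground and confirm every point reads zero) carried out on constructed sample data, as an added example that is not part of the manual. The module names, point count, samples and the 1oo2 pair-comparison check are assumptions for illustration.

```python
"""Proof-test helpers for ControlLogix SIL 2 digital input module pairs.

Added example, not from the Rockwell manual. Sample data is constructed.
"""
from typing import Dict, List, Set

# Constructed sample data: an 8-point 1oo2 input module pair (1A/1B) sampled three
# times while the technician cycles the field devices OFF, ON, OFF.
# Each string is one sample; character i is point i ('1' = ON, '0' = OFF).
CYCLE_SAMPLES: Dict[str, List[str]] = {
    "Input_1A": ["00010000", "11111111", "00010000"],  # point 3 never turns OFF
    "Input_1B": ["00000000", "11111101", "00000000"],  # point 6 never turns ON
}

# Constructed snapshot read after switching the module ground open: all points should be '0'.
GROUND_OPEN_SNAPSHOT = "00000010"


def stuck_channels(samples: List[str]) -> Dict[int, str]:
    """Return {point: 'stuck ON' | 'stuck OFF'} for points that never changed state."""
    if not samples:
        raise ValueError("need at least one sample")
    result: Dict[int, str] = {}
    for point in range(len(samples[0])):
        states = {s[point] for s in samples}
        if states == {"1"}:
            result[point] = "stuck ON"
        elif states == {"0"}:
            result[point] = "stuck OFF"
    return result


def pair_discrepancies(a: List[str], b: List[str]) -> Set[int]:
    """Points where the two modules of a 1oo2 pair disagreed in any sample.

    Assumption: both modules of the pair see the same field device, so a
    disagreement points at the stuck channel found by stuck_channels().
    """
    return {i for sa, sb in zip(a, b) for i in range(len(sa)) if sa[i] != sb[i]}


def ground_open_failures(snapshot: str) -> List[int]:
    """Points that did not go to zero (OFF) when the module ground was opened."""
    return [i for i, v in enumerate(snapshot) if v != "0"]


def proof_test_report(modules: Dict[str, List[str]] = CYCLE_SAMPLES,
                      ground_snapshot: str = GROUND_OPEN_SNAPSHOT) -> Dict[str, object]:
    """Combine the three checks into one pass/fail record for the proof-test log."""
    stuck = {name: stuck_channels(samples) for name, samples in modules.items()}
    a, b = modules["Input_1A"], modules["Input_1B"]
    report = {
        "stuck": stuck,
        "pair_discrepancies": sorted(pair_discrepancies(a, b)),
        "ground_open_failures": ground_open_failures(ground_snapshot),
    }
    report["passed"] = not (any(stuck.values()) or report["pair_discrepancies"]
                            or report["ground_open_failures"])
    return report


if __name__ == "__main__":
    for key, value in proof_test_report().items():
        print(f"{key}: {value}")
```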

IMPORTANT Each specific application has its own time frame for the proof test interval.

Proof Testing with Redundancy Systems

A ControlLogix redundancy system uses an identical pair of ControlLogix chassis to keep your process running if a problem occurs with one of the chassis. When a failure occurs in the primary chassis, control switches to the secondary controller in the secondary chassis.

The switchover can be monitored so that the system notifies the user when it has
occurred. In this case (that is, when a switchover takes place), we recommend that
you replace the failed controller within the mean time to restoration (MTTR)
for your application.

If you are using controller redundancy in a SIL 2 application, you must perform
the proof test on the primary controller and on the secondary controller.

TIP If you are concerned about the availability of the secondary controller if the
primary controller fails, it is good engineering practice to implement a
switchover periodically (for example, once per proof test interval).


For more information on switchovers in ControlLogix redundancy systems, and on ControlLogix redundancy systems in general, see these redundancy system manuals:
• ControlLogix Standard Redundancy System User Manual, publication
1756-UM523
• ControlLogix Enhanced Redundancy System User Manual, publication
1756-UM535

Reaction Times

The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller’s logic program, and then to initiate the appropriate output signal to an actuator.

The system response time is the sum of the following:
• Input hardware delays
• Input filtering
• I/O and communication module RPI settings
• Controller program scan times
• Output module propagation delays
• Redundancy system switchover times (applicable in duplex systems)

Each of the times listed is variably dependent on factors such as the type of I/O
module and instructions used in the logic program. For examples of how to
perform these calculations, see Appendix A, Reaction Times of the ControlLogix
System.

For more information on the available instructions and for a full description of
logic operation and execution, see the following publications:
• Logix5000™ Controllers General Instruction Set Reference Manual,
publication 1756-RM003
• ControlLogix System User Manual, publication 1756-UM001

Reaction Times in Redundancy Systems

The worst-case reaction time of a duplex system is different from that of a simplex system. The redundancy system has a longer reaction time because of the following:

• There are a series of crossloading operations that continuously occur between the primary and secondary controllers. Crossloading fresh data at the end of each program scan increases scan time.
To minimize scan time by reducing crossloading overhead, you can plan your project more efficiently. For example, minimize the use of SINT, INT, and single tags, and use arrays and user-defined data structures. Generally, the primary controller in a duplex system has a 20% slower response time than the controller in a simplex system.


• The switchover between controllers slows system response. If using a ControlNet network, the switchover time of a redundancy system depends on the network update time (NUT).
For more information about switchover times in redundancy systems, see
one of these ControlLogix redundancy system user manuals:
– ControlLogix Standard Redundancy System User Manual,
publication 1756-UM523
– ControlLogix Enhanced Redundancy System User Manual,
publication 1756-UM535

IMPORTANT To avoid nuisance trips, you must account for the additional cross checking
time of a duplex system when setting the watchdog time.

Safety Watchdog

Configure the properties of the SIL 2 safety task correctly for your application.
• Priority: must be the highest-priority task in the application (lowest number)
• Watchdog: the value that is entered for the SIL 2 safety task must be large enough for all logic in the task to be scanned

If the task execution time exceeds the watchdog time, a major fault occurs on the
controller. You must monitor the watchdog and program the system outputs to
transition to the safe state (typically the OFF state) in the event of a major fault
occurring on the controller. For more information on faults, see
Chapter 8, Faults in the ControlLogix System.

See the ControlLogix System User Manual, publication 1756-UM001, for more
information about setting the watchdog.
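A budget check that adds up the response-time components listed under Reaction Times, applies the duplex crossloading and switchover penalties from Reaction Times in Redundancy Systems, and tests the safety-task watchdog against the scan time, as an added example that is not part of the manual. The timing values, the 1.5x watchdog margin and the application's reaction-time limit are constructed assumptions; the 20% duplex penalty is the manual's rule of thumb applied to scan time.

```python
"""Reaction-time and watchdog budget check for a ControlLogix SIL 2 safety task.

Added example, not from the Rockwell manual. All timings are in milliseconds.
"""
from dataclasses import dataclass
from typing import Dict, List

DUPLEX_SCAN_FACTOR = 1.2   # assumption: duplex primary ~20% slower (manual's rule of thumb)
WATCHDOG_MARGIN = 1.5      # assumption: watchdog at least 1.5x the worst-case scan time


@dataclass
class LoopTiming:
    input_hw_ms: float        # input hardware delay
    input_filter_ms: float    # configured input filter time
    input_rpi_ms: float       # input module / communication module RPI
    scan_ms: float            # safety task scan time measured on a simplex system
    output_rpi_ms: float      # output module / communication module RPI
    output_prop_ms: float     # output module propagation delay
    duplex: bool = False
    switchover_ms: float = 0.0  # redundancy switchover time, counted only for duplex

    def effective_scan_ms(self) -> float:
        """Scan time including crossloading overhead in a duplex system."""
        return self.scan_ms * (DUPLEX_SCAN_FACTOR if self.duplex else 1.0)

    def worst_case_reaction_ms(self) -> float:
        """Sum of every delay component; the switchover term applies to duplex only."""
        total = (self.input_hw_ms + self.input_filter_ms + self.input_rpi_ms
                 + self.effective_scan_ms() + self.output_rpi_ms + self.output_prop_ms)
        if self.duplex:
            total += self.switchover_ms
        return total


def check_budget(t: LoopTiming, watchdog_ms: float, max_reaction_ms: float) -> Dict[str, object]:
    """Flag a watchdog that is too tight (major fault or nuisance trip) or a loop that is too slow."""
    scan = t.effective_scan_ms()
    reaction = t.worst_case_reaction_ms()
    findings: List[str] = []
    if watchdog_ms < scan:
        findings.append("watchdog below scan time: major fault on every scan")
    elif watchdog_ms < scan * WATCHDOG_MARGIN:
        findings.append("watchdog margin below %.1fx scan: nuisance-trip risk" % WATCHDOG_MARGIN)
    if reaction > max_reaction_ms:
        findings.append("worst-case reaction %.1f ms exceeds limit %.1f ms" % (reaction, max_reaction_ms))
    return {"scan_ms": scan, "reaction_ms": reaction, "findings": findings}


# Constructed timings (not from the manual) for one loop, evaluated simplex and duplex.
SIMPLEX = LoopTiming(5, 2, 20, 30, 20, 5)
DUPLEX = LoopTiming(5, 2, 20, 30, 20, 5, duplex=True, switchover_ms=100)

if __name__ == "__main__":
    for name, timing in (("simplex", SIMPLEX), ("duplex", DUPLEX)):
        print(name, check_budget(timing, watchdog_ms=50, max_reaction_ms=150))
```

With the same 50 ms watchdog the simplex loop passes, while the duplex loop is flagged both for a thin watchdog margin and for a worst-case reaction time driven mainly by the switchover term.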

Safety Certifications and Compliances

Diagnostic hardware and firmware functions, and how you apply ControlLogix components, enable the system to achieve CL SIL 2 compliance.

IMPORTANT You must implement these requirements, or at a minimum the intent of the requirements that are defined in this manual, to achieve CL (claim limit) SIL 2.

ControlLogix products that are referenced in this manual can have safety
certifications and the SIL certification. If a product has achieved agency
certification, the product label is not necessarily marked as certified. To view
safety certifications for products, go to http://www.ab.com and click the Product
Certifications link or on the certificate’s revision release list.
