Rockwell Automation Allen-Bradley ControlLogix SIL 2 User manual
Using ControlLogix SIL 2 with 1715 I/O
Catalog Numbers ControlLogix 5570, 1715-AENTR, 1715-IB16D, 1715-IF16, 1715-OB8DE, 1715-OF8I
Reference Manual
Original Instructions
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to
familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws,
and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are
required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may
be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from
the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or
liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or
software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation,
Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
Labels may also be on or inside the equipment to provide specific precautions.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous
environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT Identifies information that is critical for successful application and understanding of the product.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death.Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 3
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 1
The ControlLogix/1715 SIL2
System
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
ControlLogix Controllers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Simplex ControlLogix Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Redundant ControlLogix Controllers. . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 2
Features of the ControlLogix
SIL2 System
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Redundant Power Supply Recommendations . . . . . . . . . . . . . . . . . . . . 14
Safety Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Application Development Requirements. . . . . . . . . . . . . . . . . . . . . . . . 15
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Safety SIL Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Setting the SIL2 Task 'Period' Configuration . . . . . . . . . . . . . . . . . . . . 17
Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Verify Download. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
HMI Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Reading Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Writing Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3
Using the 1715 I/O Select the Mix of 1715 I/O Required . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1715 Redundant I/O. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Chapter 4
Using 1715 Hardware in a
ControlLogix SIL2 System
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Duplex Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Ethernet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Power Supplies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
I/O Module Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring 1715 I/O for SIL2 operation . . . . . . . . . . . . . . . . . . . 34
Setting up 1715 SIL2 Periodic Task Configuration. . . . . . . . . . . 35
Add-On Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Energize-to-Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Table of Contents
Notes:
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 5
Preface
Additional Resources These documents contain additional information concerning related products
from Rockwell Automation.
You can view or download publications at
http://www.rockwellautomation.com/global/literature-library/overview.page.
To order paper copies of technical documentation, contact your local
Allen-Bradley distributor or Rockwell Automation sales representative.
Disclaimer Rockwell Automation is not responsible or liable for indirect or consequential
damage that results from the use or application of this equipment. The examples
that are given in this manual are included solely for illustrative purposes. Because
of the many variables and requirements that are related to any particular
installation, Rockwell Automation does not assume responsibility or liability for
actual use that based on the examples and diagrams. No patent liability is
assumed by Rockwell Automation concerning the use of information, circuits,
equipment, or software described in this manual. All trademarks are
acknowledged.
It is not intended that the information in this publication covers every possible
detail about the construction, operation, or maintenance of a SIL 2 system
installation. You must follow your own local laws and regulations and refer to
your own local (or supplied) system safety manual, installation and operator/
maintenance manuals. Ultimately you are responsible to apply the correct
installation to satisfy your safety requirements.
Usage This manual is intended primarily for system designers and technical sales people
who are required to understand the requirements of a ControlLogix® /1715 SIL 2
system. The information that is contained in this guide is intended to be used
with (and not as an alternative for) reading the ControlLogix SIL 2 user manual
and 1715 User Manual, expertise and knowledge about safety-related systems. It
is expected that the reader has an in-depth knowledge of the intended application
and can understand the generic terms that are used inside this guide and the
terminology that is used in the integrator's or project's application area.
Resource Description
Industrial AutomationWiring and Grounding Guidelines,
publication 1770-4.1 Provides general guidelines for installing a Rockwell
Automation® industrial system.
Product Certifications website, http://
www.rockwellautomation.com/global/certification/
overview.page
Provides declarations of conformity, certificates, and
other certification details.
IMPORTANT In this guide, the term Duplex or Redundant can be used
interchangeably. In this usage, it is considered an automatic
feature that you do not have to apply user-generated code to use
it.
6Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Preface
Introduction The ControlLogix/1715 SIL 2 system uses Standard ControlLogix processor
modules along with 1715 I/O modules. A SIL 2 system is formed by one or more
controllers, I/O modules, their power sources, communications networks, and
workstations. This tips guide helps to give a quick start for using the
ControlLogix/1715 SIL 2 controller and systems.
There is usually some confusion between GuardLogix® and ControlLogix SIL 2
since GuardLogix can be used in a SIL 2 system and it is based on ControlLogix.
In this guide we refer to ControlLogix only, NOT the red safety GuardLogix
controller, and it uses only 1715 I/O.
ControlLogix SIL 2 can be used with 1756 or 1794 IO as well. 1756 and1794 IO
are covered in the ControlLogix SIL 2 Safety Reference Manual (1756-rm001)
and are not discussed here. Note if you are using 1715 IO instead of 1756 or 1794
IO then the information on those IO platforms in the information in the Safety
Reference Manual does not apply.
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 7
Chapter 1
The ControlLogix/1715 SIL 2 System
Overview A ControlLogix® SIL 2 system consists of a standard ControlLogix controller
with proper SIL 2 approved firmware, field connections, 1715 I/O modules with
proper SIL 2 approved firmware, power sources, and network connections. This
system is not a GuardLogix® controller system. The flexibility of the design means
that a system can meet a wide variety of business needs while maintaining a
desirable level of commonality and or simplicity. This is known as a configured
safety system, meaning the control system must be configured in a specific
manner to meet SIL 2 requirements. This tips guide helps introduce the primary
components that can be used to assemble a ControlLogix/1715 SIL 2 Safety
System.
The 1715 I/O system takes much the configuration work out of the
ControlLogix SIL 2 system. Since the I/O was specifically designed to operate in
a safety system, there is no longer any need for special wiring or IFMs to use
ControlLogix in a SIL 2 manner. Either or Both the I/O system or controller
system can be simplex or duplex, making the system scalable to fit the customer's
application.
ControlLogix Controllers Simplex ControlLogix Controller
The following components are needed for a Simplex ControlLogix controller.
Redundancy is not required for SIL 2.
For hardware selection, refer Appendix B of Using ControlLogix in SIL 2
Applications Safety Reference Manual (1756-RM001) for the SIL2-certified
ControlLogix catalog/revision numbers.
• 1756 Chassis
•Power Supply
– If the 1756-PA75 or 1756-PB75 power supply is used with a Series B
controller, the Series B version of the power supply must be used (1756-
PA75/B or 1756-PB75/B)
• 1756-L7x Controller
•EtherNet/IP communication card
– Use of a 1756-EN2TR or 1756-EN2TRXT is required to achieve
SIL 2 in the application. EN2TR is the only communication module
Rockwell Automation will continue to certify for ControlLogix SIL 2
safety functions in the future
TIP Redundancy can be selected for availability if needed.
8Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 1 The ControlLogix/1715 SIL 2 System
– Other EtherNet/IP communication modules can be used for non-
safety loop communication
Redundant ControlLogix Controllers
See the following manuals for the components necessary for a redundant
ControlLogix controller.
•ControlLogix Redundancy User Manual (1756-UM535).
•Appendix B of Using ControlLogix in SIL 2 Applications Safety Reference
Manual (1756-RM001) for the SIL2-certified ControlLogix catalog/
revision numbers.
Controllers, power supplies, adapters, and I/O modules can all be architected in
duplex configurations. Diagnostics can indicate whether each module is running
duplex, simplex, or is faulted. For de-energize to action applications, you can
programmatically decide to Fail to Safe or Run Degraded in the event of a fault.
Note that if Running Degraded on one controller or 1715 I/O module, the
system is still SIL 2 capable since 1756 ControlLogix is capable of running SIL 2
with one controller or 1715 I/O module. It is up to the user if they want to
continue running in this state.
ControlLogix Redundancy uses different firmware than a non-redundant system
does. The major revision is the same but the minor will differ. An example would
be V20.050. This example is the redundancy version of V20 firmware. You must
download the entire bundle from the download site. The bundle contains all
redundancy tested versions for that controller revision.
Theory of Operation
ControlLogix redundancy operates on a Primary and Secondary basis. The
Primary chassis contains the modules that are currently controlling the
application. All the modules in the Secondary chassis are ready to take control
but are currently not running the application. The primary controller keeps the
secondary controller synchronized by sending the data that has changed during
its scan multiple times per scan. That allows the secondary chassis to take control
quickly. For more information on switchover times, see ControlLogix
Redundancy User Manual (1756-UM535.)
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 9
The ControlLogix/1715 SIL 2 System Chapter 1
Diagnostics
See the following table when programming the controller to obtain the status of
the redundancy system.
Add a GSV instruction in the standard task (non-safety task) and use the output
to determine what you want to do if it returns with any code other than 16#2.
Always monitor the status of the redundancy system. If the system is running
properly, the secondary controller is always present and synchronized.
If the system is running normally, the 1756-RM modules show the following
status codes.
Figure 1 - Primary Controller
IMPORTANT If there is a redundancy switch over, it is always recommended to investigate
why it switched over.
IMPORTANT When programming your redundant system, program so your redundancy
system status is continuously monitored and displayed on your HMI device.
If your redundancy system becomes disqualified or a switchover occurs, the
change in status is not automatically annunciated.You must program the
system to communicate the change of status via your HMI or other status-
monitoring device
For this information Get This Attribute Data
Type
GSV/SSV Description
Redundancy Status of
the Controller ModuleRedundancy
State INT GSV IF Then
16#2 Primary with synchronized
secondary
16#3 Primary with disqualified
secondary
16#4 Primary with no secondary
16#6 Primary with synchronizing
secondary
16#F Primary looking for update
16#10 Primary locked for update
10 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 1 The ControlLogix/1715 SIL 2 System
Figure 2 - Synchronized Secondary Controller
Features not Supported
The following features are not supported in a ControlLogix Redundancy system.
• Any motion feature or instructions
• Any SIL 3 functional safety feature
•Firmware Supervisor
• You cannot use the Match Project to Controller feature available in Studio
5000 Logix Designer® in a redundancy system.
• You cannot use consumed Unicast connections in a redundancy system.
The redundancy controllers can be the producer.
• Unicast I/O is not supported in a redundancy system.
– If you attempt to use consumed Unicast connections, disqualification
occurs and qualification of an unsynchronized redundant chassis pair is
not allowed. You can use produced Unicast connections that remote
controllers consume.
• Local I/O is not supported in either of the Controller chassis
The redundant controller application cannot contain these tasks:
•Event tasks
• Inhibited tasks
IMPORTANT There are different versions for redundant and non-redundant firmware. Only
certain ones are certified for use in an SIL 2 system. See the revision release list
from the product certifications link for more information.
1715 Redundant I/O System - Safety certificate - 1715-CT007
Logix Safety certificate - Logix-CT008
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 11
The ControlLogix/1715 SIL 2 System Chapter 1
Redundancy System Considerations
• You can experience difficulty synchronizing your chassis if you use the
redundant controller at or very near the connection limits.
• A redundant controller uses more memory than the same application in a
simplex system. If you are at or near the memory limit, you can run out of
memory even though the controller reports it has free memory. This is due
to the crossload mechanism.
• Do not use the USB ports of communication modules in the controller
chassis to access the redundant controllers or networks. Use of the USB
ports in either of the controller chassis to go online results in a loss of
communication after a switchover for the device plugged into the USB
port.
• Task scan time is longer when redundancy is enabled. Make sure that you
consider this when designing your safety system. Do not do your testing
and settings based on a simplex system and then make it redundant.
• You should never communicate with the controller in the secondary
chassis other than to obtain diagnostics.
Redundancy System Details
Two 1756 chassis that have the following equipment provisioned the same:
• Chassis size
• Modules in the same slots
• One 1756-RM2 or 17560RM2XT module per chassis
• Up to two controllers per chassis (for safety systems only one is
recommended)
• Up to seven EtherNet/IP communications modules per chassis.
• 1756-RMCx cables
– These connect the RM modules together between chassis
– You can choose one or two cables
– The cables are fiber-optic Cables
– The redundancy module cables are available in three different pre-made
lengths or you can make your own up to 4KM in length:
1756 Power supplies
• Use simplex power supplies or redundant power supplies
• If the 1756-PA75 or 1756-PB75 (non-redundant) power supply is used
with a ControlLogix 5560 Series B or ControlLogix 5570 Series B
controller, the Series B version of the power supply must be used (1756-
PA75/B or 1756-PB75/B)
Controllers
Catalog Number Cable Length
1756-RMC1 1 meter
1756-RMC3 3 meters
1756-RMC10 10 meters
12 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 1 The ControlLogix/1715 SIL 2 System
• Only 1756-L7x controllers are supported
EtherNet/IP communication cards
• Use of a 1756-EN2TR or 1756-EN2TRXT is required to achieve SIL 2 in
the application
• Other EtherNet/IP communication modules (1756-ENBT, 1756-EN2T,
1756-EN2TXT) can be used for non-safety loop communication
• 1715 IO only communicates via EtherNet/IP so no ControlNet modules
are listed here.
Figure 3 - Redundancy System Configuration Example
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 13
Chapter 2
Features of the ControlLogix SIL 2 System
Overview The ControlLogix® controller consists of a central processor, I/O interfaces, and
memory.
The ControlLogix controller can be a simplex (Single Chassis) or redundant
configuration (Dual Chassis with RM). This makes no impact on the SIL
calculation of the safety function. This adds availability to the safety function,
but no change to safety. In a Duplex configuration, the system switches from a
1oo1 controller to another 1oo1 controller if there is a fault in the controller
chassis.
Operating Modes A three-position keyswitch on the front of the controller governs ControlLogix
system operational modes. The following modes are available:
• Run – This is known as Hard Run. No online changes are possible
• Program – This stops the execution of the application code and allow
online changes
• Remote - This software-enabled mode can be Program or Run. In this
mode, you can make online changes while the application is running but
the change requires a confirmation. You can also put the controller into
program mode via a command. Because of these functions, it is required
for the controller to be in Hard Run when operating in Safety Mode.
Making any edit always involves following your own MOC (Management of
Change) procedures. There must be a validation before putting the changed code
into service. Online edits are the most risky method of doing this and are not
recommended.
IMPORTANT The keyswitch must be in the RUN position to be SIL 2 certified. If you put the
keyswitch into the REMOTE position to make an online edit, you are not in
safety mode.When you are finished with the online edit, you must put the
keyswitch into RUN position and remove the key.
14 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 2 Features of the ControlLogix SIL 2 System
Figure 4 - Controller in RUN Mode
Redundant Power Supply
Recommendations
If you are using Redundant 1756 Power supplies, wire the solid-state fault relay
on each power supply from an appropriate voltage source to an input point in the
ControlLogix system so that the application program can detect faults and react
appropriately.
Safety Configurations When used with 1715 I/O the ControlLogix SIL 2 system supports the
following safety configurations. These SIL 2 architectures are for fail-safe low and
high demand applications. All SIL 2 architectures can be used for de-energize to
trip applications. With special precautions, CLX/1715 SIL 2 can be used in
energize-to-trip applications.
• SIL 2 low demand applications
• SIL 2 high demand – up to 10 demands per year
• SIL 2 fail-safe applications
• SIL 2 with fault tolerant inputs
• SIL 2 with fault tolerant outputs
• SIL 2 with fault tolerant inputs/outputs
IMPORTANT There are different versions for redundant and non-redundant firmware. Only
certain ones are certified for use in an SIL 2 system. See the revision release list
from the product certifications link for more information.
1715 Redundant I/O System - Safety certificate - 1715-CT007
Logix Safety certificate - Logix-CT008
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 15
Features of the ControlLogix SIL 2 System Chapter 2
Application Development
Requirements
The application software for the SIL2-related automation system is created using
the programming tool, that is, RSLogix 5000® software or the Studio 5000 Logix
Designer® application, according to IEC 61131-3.
The application program has to be created by using the programming tool and
contains the specific equipment functions that the ControlLogix system
implements. Parameters for the operating function are also entered into the
system with the programming software.
The safety concept of the SIL 2 ControlLogix system assumes the following:
• The user who is responsible for creating, operating, and maintaining the
application is fully qualified, specially trained, and experienced in safety
systems.
• The programming software is installed correctly.
• Control system hardware is installed in accordance with product
installation guidelines.
• User application code (user program) uses common and good design
practices.
• A test plan is documented and adhered to, including well-understood
proof test requirements and procedures.
• A well-designed validation process is defined and implemented.
• A well-designed Management of Change (MOC) procedure is in place
Security In the ControlLogix system and in the programming software, protection
mechanisms are available that help prevent unintentional or unauthorized
modifications to the safety system.
The following tools can be employed for security reasons in a SIL2-certified
ControlLogix application:
• Source Protection
• FactoryTalk® AssetCentre
•FactoryTalk® Security
In RSLogix 5000® software, V18 and later, and in the Studio 5000 Logix
Designer® application, tags have two attributes: External Access and Constant.
External Access controls access from external applications like HMIs. It can have
values of read/write, read-only, or none. Set all SIL 2 safety-related tags to
read-only. The Constant attribute is either on or off. When enabled, it helps
IMPORTANT This document does not cover the specifics of creating the application code. It is
assumed the use knows the requirements of IEC-61511 and their specific
application when designing their system.This document only covers the steps
if it is necessary for ControlLogix to meet SIL 2.
16 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 2 Features of the ControlLogix SIL 2 System
prevent programmatic changes of a tag's value. Where possible, it is highly
recommended to configure SIL 2 safety-related tags as Constant.
Always take proper physical security precautions to achieve safe operation of the
system. The following is a list of recommended precautions.
• Keep the controller and IO chassis in a locked cabinet and limit access to
only those that need access
• Secure all network access points either by physically disabling them or
making sure that they are in locked cabinets
• Keep all passwords secure
• Configure role-based access to the system
• Install network-based firewalls with proper configurations
Safety SIL Task Include one Periodic task designated as the Safety task composed of programs
and routines to contain the user application. The SIL 2 task must be the highest
priority task of the controller and the user-defined watchdog must be set to
accommodate the SIL 2 task.
Having a non-safety task in the safety controller for things like determining the
status of the redundancy system or diagnostics does not violate the above
statement since there are no BPCS (Basic Process Control System) control
elements present.
Confirm that the properties of the task that is used for safety is configured
correctly for your application.
• Watchdog: the value that is entered for the SIL 2 safety task must be large
enough for all logic in the task to be scanned.
If the task execution time exceeds the watchdog time, a major fault occurs on the
controller. Even if you are using redundant controllers the watchdog is set the
same in both controllers automatically and the new primary will eventually fault
as well if the cause was just a too tight watchdog setting. You must monitor the
watchdog and program the system outputs to transition to the safe state (typically
the OFF state) if there is a major fault occurring on the controller. See Chapter 3
- Using the1715 I/O.
IMPORTANT You must dedicate a specific task for safety-related functions and set that task
to the highest priority (1). If you decide to use non-safety logic in the same
controller, that code must be separate.
It is recommended to use separate controllers for safety-related code and
Process Control non-safety code.
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 17
Features of the ControlLogix SIL 2 System Chapter 2
Setting the SIL 2 Task
'Period' Configuration
The following are recommendations to serve as a starting point to configure the
periodic task ‘period’ for SIL 2 applications. Set the period to the minimum 1715
SIL 2 module RPI divided by 2. For example, if the default RPIs are used it would
be 60/2=30 ms. Fine-tune your task period based on other factors such as your
safety reaction time requirements.
Forcing Forcing of SIL 2 tags is not possible in a ControlLogix/1715 SIL 2 system.
Because the Inputs and Outputs are controlled by the Add-On Instructions and
not directly, any attempt to force one causes it to fail the data integrity checks
built into the Add-On Instructions. The 1715 output module will generate a
CRC error when it receives packets with this inconsistency, and discard the data.
From the controller, you will notice ‘SIL 2 Reset Needed’ on both the AOI and
AOP.
The ability to manually control 1715 inputs and outputs would have to be added
within Logix routines. Examples of this are shown here.
Since this is considered a “force,” the following rules must be followed.
• You must remove forces on all SIL 2 tags before beginning normal
operation for the project.
• You must not force SIL 2 tags after validation is performed and during
normal controller operation.
• Forcing must not be used as a temporary bypass for equipment that
malfunctions.
• This method may be used for a proof test but must be removed as soon as
that is over.
Verify Download Verify the download of the application program for proper operation. A typical
technique is to upload the completed program file and perform a compare of that
file against what is stored in the programming terminal. (Offline and uploaded
program)
1715 Module RPI
Adapters 180 ms
Digital Modules 60 ms (lowest)
Analog Modules 120 ms
18 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 2 Features of the ControlLogix SIL 2 System
To perform program verification, follow these steps in RSLogix 5000 software or
the Studio 5000 Logix Designer application.
1. With the programming software closed rename the project.
2. Start the programming software, upload the controller project, and save it.
3. Open the compare tool and select both files.
4. Start the compare operation.
5. Review the compare output results and verify that everything matches
without error. (Project documentation differences can exist.)
6. Save the compare results as part of the verification process.
7. Delete the upload file.
8. To maintain project documentation, rename the original project file
(change back) to the original project name.
HMI Precautions You must exercise precautions and implement specific techniques on HMI
devices. These precautions include, but are not limited to the following:
• Limited access and security
• Specifications, testing, and validation
• Restrictions on data and access
• Limits on data and parameters
HMI- related functions consist of two primary activities: reading and writing
data.
Reading Data
Reading data is unrestricted because reading doesn't affect the operation or
behavior of the safety system. However, the number, frequency, and size of the
data being read can affect controller performance. To avoid safety-related
nuisance trips, use good communication practices to limit the impact of
communication processing on the controller. Do not set read rates to the fastest
rate possible.
IMPORTANT Do not use memory cards to transfer the safety application automatically.
The AutoFlash firmware feature is not supported for SIL 2 safety applications.
Rockwell Automation Publication 1715-RM001A-EN-P - June 2019 19
Features of the ControlLogix SIL 2 System Chapter 2
Writing Data
A parameter change in a safety-related loop via an external (that is, outside the
safety loop) device (for example, an HMI) is allowed only with the following
restrictions:
• The customer MOC procedure is followed.
• Only authorized, specially trained personnel (operators) can change the
parameters in safety-related systems via HMIs.
• The operator who changes a safety-related system via an HMI is
responsible for the effect of those changes on the safety loop.
• You must clearly document variables that need changed.
• You must use a clear, comprehensive, and explicit operator procedure to
make safety-related changes via an HMI (MOC Procedure).
• Changes can only be accepted in a safety-related system if the following
sequence of events occurs.
1. The new variable must be sent twice to two different tags; that is, both
values must not be written to with one command.
2. Safety-related code that executes in the controller, must check both tags for
equivalency and make sure that they are within range (boundary checks).
3. Both new variables must be read back and displayed on the HMI device.
4. Trained operators must visually check that both variables are the same and
are the correct value.
5. Trained operators must manually acknowledge that the values are correct
on the HMI display that sends a command to the safety logic, which allows
the new values to be used in the safety function.
In every case, the operator must confirm the validity of the change before they are
accepted and applied in the safety loop.
The remainder of the steps need to follow IEC 61511 standard on process safety,
section 11.7.1 Operator Interface requirements.
IMPORTANT The High-Speed Jog function is not allowed and must not be used in the
project.
20 Rockwell Automation Publication 1715-RM001A-EN-P - June 2019
Chapter 2 Features of the ControlLogix SIL 2 System
Notes:
Table of contents
Other Rockwell Automation Control System manuals
Rockwell Automation
Rockwell Automation Allen-Bradley Ultra5000 User manual
Rockwell Automation
Rockwell Automation Allen-Bradley CENTERLINE 2100 User manual
Rockwell Automation
Rockwell Automation AB Quality Allen-Bradley 1608P User manual
Rockwell Automation
Rockwell Automation MSR300 User manual
Rockwell Automation
Rockwell Automation Allen-Bradley iTRAK User manual
Rockwell Automation
Rockwell Automation CENTERLINE 2100 User manual
Rockwell Automation
Rockwell Automation Allen-Bradley CENTERLINE 2500 User manual
Rockwell Automation
Rockwell Automation Allen-Bradley CENTERLINE 2500 User manual
