Using ControlLogix in SIL2 Applications Safety ... - Tuv-fs.com

Using ControlLogix in SIL2ApplicationsSafety Reference Manual1756 Series

Important User InformationSolid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelinesfor the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1 available from your localRockwell Automation sales office or online at http://literature.rockwellautomation.com) describes some important differencesbetween solid state equipment and hard-wired electromechanical devices. Because of this difference, and also because of thewide variety of uses for solid state equipment, all persons responsible for applying this equipment must satisfy themselvesthat each intended application of this equipment is acceptable.In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from theuse or application of this equipment.The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables andrequirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liabilityfor actual use based on the examples and diagrams.No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, orsoftware described in this manual.Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., isprohibited.Throughout this manual, when necessary, we use notes to make you aware of safety considerations.WARNINGIdentifies information about practices or circumstances that can cause an explosion in ahazardous environment, which may lead to personal injury or death, property damage, oreconomic loss.IMPORTANTATTENTIONIdentifies information that is critical for successful application and understanding of the product.Identifies information about practices or circumstances that can lead to personal injury or death,property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, andrecognize the consequenceSHOCK HAZARDLabels may be on or inside the equipment, for example, a drive or motor, to alert people thatdangerous voltage may be present.BURN HAZARDLabels may be on or inside the equipment, for example, a drive or motor, to alert people thatsurfaces may reach dangerous temperatures.Allen-Bradley, ControlLogix, ControlLogix-XT, ControlFlash, RSLogix 5000, RSLinx Classic, Rockwell Automation, and TechConnect are trademarks of Rockwell Automation, Inc.Trademarks not belonging to Rockwell Automation are property of their respective companies.

Summary of ChangesChanges with this RevisionThis table lists the changes made with this revision.ChangePageAdded reference to standard IEC 61511. 13Added information about ControlLogix SIL2 configurations. 18Added information specific to the use of EtherNet/IP networks for remote 19I/O.Updated lists of ControlLogix and ControlLogix-XT components certified for 23-28use in SIL2 systems.Added references to publication 1756-AT012 (for use when programming) Throughoutthroughout the manual.Separated PFD and PFH calculation information into a speparate chapter 39for easier use. An explanation of the PFD and PFH calculations andcalculations for a 1-year proof test interval are included in this chapter.Removed explanation of PFD and PFH calculations and added reference to 39IEC 61508 for calculation explanations.Updated PFD and PFH calculations with current data. 39Added headings to information about communication in the ControlLogix 56system.Added EtherNet/IP network information. 56Updated the available SIL2 communication modules. 67Added the 1756-CN2 catalog number to the ControlNet module description. 68Added information about remote I/O via EtherNet/IP connection. 69Created comparison table to compare SIL2 network options. 69Removed out-dated information about communication module use. 70Updated Additional Resources table. 71Updated illustration to include HART modules. 74Reformatted the section Using Analog Input Modules for clarity. 85Added multiplexer consideration for HART input modules. 87Added HART analog input module wiring diagram. 97Reformatted section Using Analog Output Modules for clarity. 93Added multiplexer consideration for HART output modules. 96Added HART analog output module wiring diagram. 99Updated spurious failure calculations. 137Updated 2 and 5-year PFD calculations. 141Revised and updated index. 161Changes throughout this revision are indicated by change bars asshown next to this paragraph.3Publication 1756-RM001F-EN-P - June 2009 3

Summary of Changes4 Publication 1756-RM001F-EN-P - June 2009

Table of ContentsPreface Purpose of this Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Chapter 1SIL Policy Introduction to SIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Programming and Debugging Tool (PADT). . . . . . . . . . . 14About the ControlLogix System. . . . . . . . . . . . . . . . . . . . 14Gas and Fire Considerations. . . . . . . . . . . . . . . . . . . . . . 15Boiler and Combustion Considerations . . . . . . . . . . . . . . 17Typical SIL2 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . 18Fail-safe Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 19High-availability Configuration . . . . . . . . . . . . . . . . . . . . 20Fault-tolerant Configuration . . . . . . . . . . . . . . . . . . . . . . 22SIL2-certified ControlLogix System Components . . . . . . . . . . 23SIL2-certified ControlLogix Hardware Components . . . . . 23SIL2-certified, Nonredundant ControlLogix Components . 24SIL2-certified ControlLogix Redundancy Components . . . 27SIL2-certified ControlLogix-XT Components . . . . . . . . . . 28Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Proof Testing with Redundancy Systems . . . . . . . . . . . . . 31Safety Certifications and Compliances . . . . . . . . . . . . . . . . . 32Hardware Designs and Firmware Functions . . . . . . . . . . . . . 32SIL Compliance Distribution and Weight . . . . . . . . . . . . . . . 33Other Agency Certifications . . . . . . . . . . . . . . . . . . . . . . . . . 34Response Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Response Times in Redundancy Systems. . . . . . . . . . . . . 35Program Watchdog Time in a ControlLogix System. . . . . . . . 37PFD and PFH Calculations for aSIL2 SystemChapter 2About PFD and PFH Calculations. . . . . . . . . . . . . . . . . . . . . 39Probability of Failure on Demand (PFD) . . . . . . . . . . . . . 39Probability of Dangerous FailureOccurring per Hour (PFH) . . . . . . . . . . . . . . . . . . . . . . . 40Component-level Calculations . . . . . . . . . . . . . . . . . . . . 40About the Calculations in this Manual . . . . . . . . . . . . . . . . . 40Determine Which PFD and PFH Values To Use. . . . . . . . 41ControlLogix Components PFD Calculations - 1 Year. . . . 41ControlLogix-XT PFD Calculations - 1 Year . . . . . . . . . . . 45Using Component Values To CalculateSystem PFD or PFH . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Example: 1-year PFD Calculationfor a ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . 46ControlLogix Component PFH Calculations - 1 Year . . . . 47ControlLogix-XT Components PFH Calculations - 1 Year . 505Publication 1756-RM001F-EN-P - June 2009 5

Table of ContentsChapter 7ControlLogix I/O Modules Overview of ControlLogix I/O Modules . . . . . . . . . . . . . . . . 74Module Fault Reporting for any ControlLogix I/O Module. . . 76Using Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . 77General Considerations When Using AnyControlLogix Digital Input Module . . . . . . . . . . . . . . . . . 77Wiring ControlLogix Digital Input Modules. . . . . . . . . . . . . . 78Using Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . 79General Considerations When Using AnyControlLogix Digital Output Module . . . . . . . . . . . . . . . . 79Wiring ControlLogix Digital Output Modules . . . . . . . . . . . . 81Wiring Diagnostic Digital Output Modules . . . . . . . . . . . 81Wiring Standard Digital Output Modules. . . . . . . . . . . . . 83Using Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . . 85Conduct Proof Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Calibrate Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Use the Floating Point Data Format . . . . . . . . . . . . . . . . 86Program to Respond to Faults Appropriately . . . . . . . . . . 86Program to Compare Analog Input Data . . . . . . . . . . . . . 86Configure Modules Identically . . . . . . . . . . . . . . . . . . . . 87Specify the Same Controller as the Owner . . . . . . . . . . . 87Using HART Analog Input Modules . . . . . . . . . . . . . . . . . . . 87Wiring ControlLogix Analog Input Modules . . . . . . . . . . . . . 88Wiring the Single-Ended Input Module in Voltage Mode . 88Wiring the Single-Ended Input Module in Current Mode . 89Wiring the Thermocouple Input Module . . . . . . . . . . . . . 90Wiring the RTD Input Module . . . . . . . . . . . . . . . . . . . . 91Wiring the HART Analog Input Modules . . . . . . . . . . . . . 92Using Analog Output Modules. . . . . . . . . . . . . . . . . . . . . . . 93Conduct Proof Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Calibrate Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Use the Floating Point Data Format . . . . . . . . . . . . . . . . 94Program to Respond to Faults Appropriately . . . . . . . . . . 94Configure Outputs to De-energize in ESD Applications . . 94Monitor Channel Status via Wiring Back toInput and Data Echo . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Configure Modules Identically . . . . . . . . . . . . . . . . . . . . 96Specify the Same Controller as the Owner . . . . . . . . . . . 96Using HART Analog Output Modules. . . . . . . . . . . . . . . . . . 96Wiring ControlLogix Analog Output Modules . . . . . . . . . . . . 97Wiring the Analog Output Module in Voltage Mode . . . . 97Wiring the Analog Output Module in Current Mode . . . . 98Wiring the HART Analog Output Modules. . . . . . . . . . . . 99Checklist for SIL Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Checklist for SIL Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . 102Publication 1756-RM001F-EN-P - June 2009 7

Table of ContentsChapter 8Faults in the ControlLogix System Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Checking Keyswitch Position with GSV Instruction. . . . . . . 106Examining an Analog Input Module’s High Alarm. . . . . . . . 107General Requirements forApplication SoftwareTechnical SIL2 Requirements forthe Application ProgramUse and Application ofHuman-to-Machine InterfacesResponse Times of theControlLogix SystemChapter 9Software for SIL2-Related Systems . . . . . . . . . . . . . . . . . . . 109SIL2 Programming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Safety Concept of the ControlLogix System . . . . . . . . . . 109Programming Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110General Guidelines for Application Software Development . 110Check the Created Application Program . . . . . . . . . . . . 111Possibilities of Program Identification . . . . . . . . . . . . . . 112Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112ControlLogix System Operational Modes . . . . . . . . . . . . . . 113Checklist for the Creation of an Application Program . . . . . 114Chapter 10General Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Basics of Programming. . . . . . . . . . . . . . . . . . . . . . . . . 116SIL Task/Program Instructions . . . . . . . . . . . . . . . . . . . . . . 118Programming Languages . . . . . . . . . . . . . . . . . . . . . . . . . . 118Commissioning Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . 119Changing Your Application Program . . . . . . . . . . . . . . . . . 120Forcing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Chapter 11Using Precautions and Techniques with HMI . . . . . . . . . . . 123Accessing Safety-Related Systems . . . . . . . . . . . . . . . . . 124Changing Parameters in Safety-Related Systems. . . . . . . 124Changing Parameters in Non-Safety-Related Systems . . . 126Appendix ADigital Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . 127Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . 129Analog Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . 130Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . 131Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1328 Publication 1756-RM001F-EN-P - June 2009

Table of Contents10 Publication 1756-RM001F-EN-P - June 2009

PrefacePurpose of this ManualThis safety reference manual is intended to:• Describe the ControlLogix Control System components availablefrom Rockwell Automation that are suitable for use in SIL2applications.• Provide safety-related data specific to the use of ControlLogixmodules in SIL2 systems - including PFD and PFH calculationsthat need to be considered for SIL2-certified systems.• Explain, briefly, the possible SIL2-certified ControlLogix systemconfigurations.• Describe basic programming techniques for the implementationof ControlLogix SIL2-certified systems with references and linksto more-detailed programming and implementation techniques.IMPORTANTThis manual describes typical SIL2 implementations usingcertified ControlLogix equipment. Keep in mind that thedescriptions presented in this manual do not preclude othermethods of implementing a SIL2-compliant system usingControlLogix.Other methods may include TUV-approved application-certifiedarchitectures, or the use of the FLEX I/O system as described inFLEX I/O System with ControlLogix for SIL2 reference manual,publication 1794-RM001.TerminologyThis table defines acronyms used in this manual.Acronyms Used Throughout this Reference ManualAcronym: Full Term: Definition:CIP Control andInformationProtocolA messaging protocol used by Logix5000 systems. It isa native communications protocol used on ControlNetcommunications networks, among others.DCDiagnosticCoverageThe ratio of the detected failure rate to the total failurerate.EN European Norm. The official European StandardGSV Get System Value A ladder logic output instruction that retrievesspecified controller status information and places it in adestination tag.MTBF Mean Time Average time between failure occurrences.Between FailuresMTTR Mean Time toRestorationAverage time needed to restore normal operation aftera failure has occurred.PADTProgramming andDebugging ToolRSLogix 5000 software is used to program and debug aSIL2-certified ControlLogix application.11Publication 1756-RM001F-EN-P - June 2009 11

4 PrefaceAcronyms Used Throughout this Reference ManualAcronym: Full Term: Definition:PCPFDPFHPersonalComputerProbability ofFailure onDemandProbability ofFailure per HourComputer used to interface with, and control, aControlLogix system via RSLogix 5000 programmingsoftware.The average probability of a system to fail to performits design function on demand.The probability of a system to have a dangerous failureoccur per hour.12 Publication 1756-RM001F-EN-P - June 2009

Chapter 1SIL PolicyThis chapter introduces you to the SIL policy and how theControlLogix system meets the requirements for SIL2 certification.TopicPageIntroduction to SIL 13Programming and Debugging Tool (PADT) 14About the ControlLogix System 14Gas and Fire Considerations 15Boiler and Combustion Considerations 17Typical SIL2 Configurations 18Fail-safe Configuration 19High-availability Configuration 20Fault-tolerant Configuration 22SIL2-certified ControlLogix System Components 23Proof Tests 30Safety Certifications and Compliances 32Hardware Designs and Firmware Functions 32SIL Compliance Distribution and Weight 33Other Agency Certifications 34Response Times 34Program Watchdog Time in a ControlLogix System 37Introduction to SILCertain catalog numbers of the ControlLogix system (listed later in thischapter) are type-approved and certified for use in SIL2 applicationsaccording to these standards:• IEC 61508• IEC 61511• DIN V 19250 (for RC4 applications)Approval requirements are based on the standards current at the timeof certification.13Publication 1756-RM001F-EN-P - June 2009 13

Chapter 1SIL PolicyThese requirements consist of mean time between failures (MTBF),probability of failure, failure rates, diagnostic coverage and safe failurefractions that fulfill SIL2 and AK4 criteria. The results make theControlLogix system suitable up to, and including, SIL2 and AK4.When the ControlLogix system is in the maintenance or programmingmode, the user is responsible for maintaining a safe state.The TÜV Rheinland Group has approved the ControlLogix system foruse in up to, and including, SIL 2 safety related applications in whichthe de-energized state is typically considered to be the safe state. Allof the examples related to I/O included in this manual are based onachieving de-energization as the safe state for typical EmergencyShutdown (ESD) Systems.Programming and Debugging Tool (PADT)For support in creation of programs, the PADT (Programming andDebugging Tool) is required. The PADT for ControlLogix isRSLogix 5000, per IEC 61131-3, and this Safety Reference Manual.For more information about programming a system usingpre-developed subroutines or Add-On Instructions, see thesepublications:• ControlLogix SIL2 System Configuration Using RSLogix 5000Subroutines, publication 1756-AT010• ControlLogix SIL2 System Configuration Using RSLogix 5000Subroutines, publication 1756-AT012About the ControlLogix SystemThe ControlLogix system is a modular and configurable system withthe ability to pre-configure outputs and other responses to faultconditions. As such, a system can be designed to meet requirementsfor “hold last state" in the event of a fault so that the system can beused in up to, and including, SIL 2 level Fire and Gas and otherApplications that require that output signals to actuators remain on.By understanding the behavior of the ControlLogix system for anemergency shutdown application, the system design can incorporateappropriate measures to meet other application requirements. Thesemeasures relate to the control of outputs and actuators which mustremain on to be in a safe state. The other requirements for SIL2regarding inputs from sensors, software etc. must also be met.14 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1Gas and Fire ConsiderationsListed below are the measures and modifications related to the use ofthe ControlLogix system in Gas and Fire applications.• The use of a manual over-ride is necessary to ensure theoperator can maintain the desired control in the event of aController Failure. This is similar in concept to the function ofthe external relay or redundant outputs required to ensure ade-energized state is achieved for an ESD system should afailure occur (e.g., such as a shorted output driver) that wouldprevent this from normally occurring. The system knows it has afailure but the failure mode requires an independent means tomaintain control and either remove power or provide analternate path to maintain power to the end actuator.• If the application cannot tolerate an output that can fail shorted(energized) then an external means such as a relay or otheroutput must be wired in series to remove power when the failshorted condition occurs. Refer to Figure for and illustration.• If the application cannot tolerate an output that fails open(de-energized) then an external means such as a manualoverride or output must be wired in parallel. (Refer to thesection Wiring ControlLogix Digital Output Modules on page 97for more information). The user must supply the alternativemeans and develop the application program to initiate thealternate means of removing or continuing to supply power inthe event the main output fails.• This manual over-ride circuit is shown in Figure . It iscomposed of a hard-wired set of contacts from a selector switchor push-button. One normally-open contact provides for thebypass of power from the controller output directly to theactuator. The other is a normally-closed contact to remove orisolate the controller output• An application program needs to be generated to monitor thediagnostic output modules for dangerous failures such asshorted or open output driver channels. Diagnostic outputmodules must be configured to hold last state in the event of afault.• A diagnostic alarm must be generated to inform the operatorthat manual control is required.• The faulted module must be replaced within a reasonable timeframe.Publication 1756-RM001F-EN-P - June 2009 15

Chapter 1SIL Policy• Any time a fault is detected the user must annunciate the fault toan operator by some means (for example, an alarm light).Manual Over-ride CircuitL1Manual OverrideActuatorL2 or Ground43379FaultAlarm to Operator16 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1Boiler and Combustion ConsiderationsIf your SIL2-certified ControlLogix system is used incombustion-related applications, you are responsible for meetingNational Fire Protection Assosciation (NFPA) standard NFPA 85 orNFPA 86. This includes the additional requirements identified in thosestandards that require the extra diagnostic measure of using anexternal and independent watchdog that provides an additionalmeans to fail-to-safe (trip). This watchdog should be designed tomonitor the controller, program, and I/O communications.In addition to the SIL 2 requirements of IEC 61508, when theControlLogix system is used to meet standard EN 50156, these useconsiderations are required:• For a simplex 1oo1 ControlLogix system, a proof test interval ofa half a year is required.• For a proof test interval of one year, a 2oo2 or 1oo2 duplexsystem must be used.Publication 1756-RM001F-EN-P - June 2009 17

Chapter 1SIL PolicyTypical SIL2 ConfigurationsSIL2-certified ControlLogix systems can be used in non-redundancy orredundancy configurations. For the purposes of documentation, thevarious levels of availability that can be achieved by using variousControlLogix system configurations are referred to as fail-safe,high-availability, or fault-tolerant.This table lists each system configuration and the hardware that is partof the system’s safety loop.System configurationFail-safe Configuration, page 19High-availability Configuration,page 20Fault-tolerant Configuration, page 22Safety loop includes• Non-redundant controller• Non-redundant communication module(s)• Non-redundant remote I/O• Redundant controllers• Redundant communication modules• Non-redundant remote I/O• Redundant controllers• Redundant communication modules• Redundant remoter I/O• I/O termination boardsIMPORTANTNote that the system user is responsible the tasks listed herewhen any of the ControlLogix SIL2 system configurations areused:• The set-up, SIL rating, and validation of any sensors oractuators connected to the ControlLogix control system.• Project management and functional testing.• Programming the application software and the moduleconfiguration according to the descriptions in the followingchapters.The SIL2 portion of the certified system excludes thedevelopment tools and display/human machine interface (HMI)devices; these tools and devices are not part of the safety loop.18 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1Fail-safe ConfigurationIn a fail-safe configuration, the hardware used in the safety loop is notredundant. Therefore, if a fault occurs anywhere in the SIL2 system,the system is programmed to fail to safe.The failure to safe is typically an emergency shutdown (ESD) whereall outputs are de-energized.Fail-safe ControlLogix ConfigurationOverall Safety LoopSIL2-certified ControlLogix Safety LoopController chassisRemote I/O chassisSensorENBTCNBRI/OCNBRActuatorControlNetI/OENBTEtherNet/IPThis figure shows a typical SIL loop that does not use redundancy.This figure shows:• the overall safety loop.• the ControlLogix portion of the overall safety loop.TIPWhen certain considerations are made, it possible to connect toremote I/O via an EtherNet/IP network. To connect to remoteI/O using an EtherNet/IP network, you must makeconsiderations similar to those required for a SIL2-certifiedControlNet network.Publication 1756-RM001F-EN-P - June 2009 19

Chapter 1SIL PolicyHigh-availability ConfigurationProgramming SoftwareFor SIL applications, a programmingterminal is not normally connected.In the high-availability configuration, redundant controller chassis areused to increase the availability of the control system. The modules inthe redundant controller chassis include the redundancy modules andControlNet modules for redundant communication, as well as theControlLogix controllers.Typical SIL Loop With Controller Chassis RedundancyHMIFor Diagnostics and Visualization (read-only access to controllers inthe safety loop). For more information, see Chapter 1.Plant-wide Ethernet/SerialOverall Safety LoopSIL2-certified ControlLogix components’ portion of the overall safety loopPrimary chassisRemote I/O chassisSensorENBTCNBCNBRMI/OCNBActuatorControlNetSecondary chassisENBTCNBCNBRMTo othersafety relatedControlLogixand remoteI/O chassisControlNetTo non-safety related systems outside the ControlLogix portionof the SIL2-certified loop. For more information, see Chapter 1.20 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1IMPORTANTThe high-availability ControlLogix system is fault-tolerant onlyfor the devices in the primary/secondary controller chassis. Therest of the high-availability system is not considered to befault-tolerant.Figure shows a typical SIL loop that uses redundancy, including:• the overall safety loop.• the ControlLogix portion of the overall safety loop.• how other devices (for example, HMI) connect to the loop,while operating outside the loop.Publication 1756-RM001F-EN-P - June 2009 21

DC OUTPUTDC INTPUTST 0 1 2 3 4 5 6 7ST 0 1 2 3 4 5 6 7OOST 8 9 10 1112 13 14 15 KST 8 9 10 1112 13 14 15 KDIAGNOSTICDIAGNOSTICANALOG INTPUT DC OUTPUTCALST 0 1 2 3 4 5 6 7OOKST 8 9 10 1112 13 14 15 KDIAGNOSTICPRI COM OKANALOG INTPUT DC INTPUTCALST 0 1 2 3 4 5 6 7OOKST 8 9 10 1112 13 14 15 KDIAGNOSTICDC OUTPUTDC INTPUTST 0 1 2 3 4 5 6 7ST 0 1 2 3 4 5 6 7OOST 8 9 10 1112 13 14 15 KST 8 9 10 1112 13 14 15 KDIAGNOSTICDIAGNOSTICPRI COM OKANALOG INTPUT DC OUTPUTCALST 0 1 2 3 4 5 6 7OOKST 8 9 10 1112 13 14 15 KDIAGNOSTICANALOG INTPUT DC INTPUTCALST 0 1 2 3 4 5 6 7OOKST 8 9 10 1112 13 14 15 KDIAGNOSTICChapter 1SIL PolicyFault-tolerant ConfigurationThe most recently-certified ControlLogix SIL2 configuration is thefault-tolerant configuration. The fault-tolerant configuration of theControlLogix system uses fully-redundant controllers, communicationmodules, and remote I/O.Fault-tolerant ConfigurationSIL2-certified ControlLogix safety loopPrimary ChassisSecondary ChassisControlNetI/O Chassis AI/O Chassis BAnalog InputTerminationBoardDigital InputTerminationBoardDigital OutputTerminationBoardFieldDeviceFieldDeviceFieldDeviceThe fault-tolerant configuration uses safety and programmingprinciples described in this manual, as well as programming andhardware described in the application technique manuals.For more information about the ControlLogix SIL2- certifiedfault-tolerant system, see the application technique manual thatcorresponds with your application.ControlLogix SIL2 System Configuration ManualsIf usingSIL2 Fault-tolerant I/O subroutines(available for use with RSLogix 5000software, version 15 and later)SIL2 Fault-tolerant I/O Add-On Instructions(available for use with RSLogix 5000software, version 16 and later)Then reference this manualControlLogix SIL2 System ConfigurationUsing RSLogix 5000 Subroutines,publication 1756-AT010ControlLogix SIL2 System ConfigurationUsing RSLogix 5000 Subroutines,publication 1756-AT01222 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1SIL2-certified ControlLogixSystem ComponentsThe tables in this section list the components and firmware revisionsavailable for use in a SIL2-certified ControlLogix or ControlLogix-XTsystem. These tables also list publications related to the SIL2-certifiedcomponents.SIL2-certified ControlLogix Hardware ComponentsSIL2-certified ControlLogix Components - HardwareCatalog No.1756-A4,1756-A7,1756-A10,1756-A13,1756-A17DescriptionThese traditional ControlLogix hardware components are certified foruse in a SIL2 system.SeriesFirmwareRevision (2),(3)Related Documentation (4)Installation User ManualInstructionsControllogix Chassis B NA 1756-IN080 None availablefor thesecatalognumbers1756-PA75 AC Power Supply A NA 1756-IN6131756-PB75 DC Power Supply NA1756-PA75R AC Redundant Power Supply1756-PB75R DC Redundant Power Supply1756-PA75 AC Power Supply B NA1756-PB75 DC Power Supply NA1756-PC75 DC Power Supply NA 1756-IN6131756-PH75 DC Power Supply NA1756-PSCA (1) Redundant Power Supply Chassis Adapter Module A NA 1756-IN5741756-PSCA2 (1) Redundant Power Supply Chassis Adapter Module A NA 1756-IN590(1)(2)Existing systems that use the 1756-PSCA and 1756-PSCA2are SIL2-certified. However, when implementing new SIL2-certified systems or upgrading existing systems, werecommend that you use the 1756-PSCA2 if possible.Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existingSIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the olderfirmware revision remain SIL2-certified.(3) Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visitinghttp://www.rockwellautomation.com/support/(4) These publications are available from Rockwell Automation by visiting http://www.literature.rockwellautomation.com.Publication 1756-RM001F-EN-P - June 2009 23

Chapter 1SIL PolicySIL2-certified, Nonredundant ControlLogix ComponentsThese traditional ControlLogix controllers, I/O modules, andcommunication modules are certified for use in a nonredundant SIL2system.SIL2-certified ControlLogix Components - Nonredundant Controllers, I/O, and Communication ModulesCatalog No.DescriptionSeries1756-L55M13 ControlLogix 1.5 MB controller A 16.2116.2015.0513.3111.3210.271756-L55M16 ControlLogix 7.5 MB controller A 16.2116.2015.0513.3111.3210.271756-L61 (1) ControlLogix 2 MB controller B 16.2116.2015.0413.401756-L62 (1) ControlLogix 4 MB controller B 16.2116.2015.0413.401756-L63 (1) ControlLogix 8 MB controller B 16.2116.2015.0413.401756-IA16I AC Isolated Input Module A 3.22.21756-IA8D AC Diagnostic Input Module A 3.22.61756-IB16D DC Diagnostic Input Module A 3.33.22.61756-IB16I DC Isolated Input Module A 3.22.2FirmwareRevision (6)(7)Related Documentation (8)Installation User ManualInstructions1756-IN1011756-IN6141756-IN0591756-IN0551756-IN0691756-IN0101756-UM0011756-UM0581756-IB32 DC Input Module B 3.5 1756-IN027 1756-UM0581756-IB16ISOE Sequence of Events Module A 1.61.51756-IH16ISOE Sequence of Events Module A 1.61.51756-IN5911756-IN5921756-UM5281756-UM52824 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1SIL2-certified ControlLogix Components - Nonredundant Controllers, I/O, and Communication ModulesCatalog No.1756-OA16I AC Isolated Output Module A 3.22.11756-OA8D AC Diagnostic Input Module A 3.22.41756-OB16D DC Diagnostic Output Module A 3.22.31756-OB16I DC Isolated Output Module A 3.22.11756-OB32 DC Output Module A 3.22.41756-OB8EI DC Isolated Output Module A 3.22.31756-OW16I Isolated Relay Output Module A 3.22.11756-OX8I Isolated Relay Output Module A 3.22.11756-IN0091756-IN0571756-IN0581756-IN5121756-IN0261756-IN0121756-IN0111756-IN5131756-UM0581756-IF8 Analog Input Module A 1.5 1756-IN040 1756-UM0091756-IF16 Single-ended Analog Input Module A 1.5 1756-IN0391756-IF6I Isolated Analog Input Module A 1.131.121.91756-IF6CIS Isolated Sourcing Analog Input Module A 1.131.121756-IF8HDescription8-Channel Differential HART Analog InputModuleSeries1756-IR6I RTD Input Module A 1.131.121.91756-IT6I Thermocouple Input Module A 1.131.121.91756-IT6I2 Enhanced Thermocouple Input Module A 1.131.121.111756-IN0341756-IN579A 1.2 1756-IN608 1756-UM5331756-IN0141756-IN0371756-IN5861756-OF8 Analog Output Module A 1.5 1756-IN0151756-OF6CI Isolated Analog Output Module (Current) A 1.131.121.91756-OF6VI Isolated Analog Output Module (Voltage) A 1.131.121.9FirmwareRevision (6)(7)Related Documentation (8)Installation User ManualInstructions1756-IN0361756-IN0351756-UM0091756-OF8H 8-Channel HART Analog Output Module A 1.2 1756-IN609 1756-UM533Publication 1756-RM001F-EN-P - June 2009 25

Chapter 1SIL PolicySIL2-certified ControlLogix Components - Nonredundant Controllers, I/O, and Communication ModulesCatalog No.1756-CNB (2) ControlNet Communication Module D 7.157.121756-CNBR Redundant ControlNet Communication Module D 5.505.455.38.405.271756-CNBDescriptionControlNet Communication CommunicationModuleSeriesE 11.0411.021756-IN5711756-IN604CNET-UM0011756-CNBR Redundant ControlNet Communication Module E1756-CN2 ControlNet Communication Module B 20.0091756-CN2R ControlNet Redundancy Communication Module B1756-DHRIO (3) Data Highway Plus - Remote I/O Communication C 5.03 1756-IN003 1756-UM514Interface Module1756-EN2T EtherNet/IP Bridge Module A 2.003 1756-IN603 ENET-UM0011756-ENBT (4) EtherNet/IP Communication Module A 4.074.033.41.331756-IN0191756-SYNCH (5) SynchLink Module A 2.18 1756-IN575 1756-UM521(1) Use of any 1756-L6x/B controller requires the use of the Series B versions of the 1756-Px75 power supplies.FirmwareRevision (6)(7)Related Documentation (8)Installation User ManualInstructions(2)Specified ControlNet repeaters may be used in SIL2 applications. See chapter 6, ControlLogix Communication Modules (on page 67) for more information.(3) The 1756-DHRIO module is included in this table because this module can be used to connect the safety system to the Data Highway Plus network. However, the DataHighway Plus network is not SIL2-certified and cannot be used as part of the SIL2-certified system. It can only be used to connect non-safety devices to the safety system.Because the module is not part of the safety system, it is not listed in PFD and PFH calculation tables provided throughout this publication.(4) The 1756-ENBT module is included in this table because this module can be used to connect the safety system to the EtherNet/IP network. Also, the EtherNet/IP networkcan be used to connect to remote I/O chassis. EtherNet/IP networks cannot be used to connect SIL2-certified redundant chassis. See chapter 6, ControlLogixCommunication Modules (on page 67) for more information.(5) The 1756-SYNCH module is included in this table because this module can be used to propagate time between chassis and to record events that occur in each chassis.Because this module is not used for any safety-related activities, it is not listed in PFD and PFH calculations provided throughout this manual.(6) Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existingSIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the olderfirmware revision remain SIL2-certified.(7)Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visitinghttp://www.rockwellautomation.com/support/(8) These publications are available from Rockwell Automation by visiting http://www.literature.rockwellautomation.com.26 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1SIL2-certified ControlLogix Redundancy ComponentsSIL2-certified ControlLogix Components - Redundancy System ComponentsCatalog No.DescriptionThese redundant ControlLogix controllers and communicationmodules are certified for use in a nonredundant SIL2 system.SeriesFirmware Revision (1)(2)(3) Related Documentation (6) :EnhancedRedundancy (4)1756-L55M13 ControlLogix 1.5 Mb Controller A N/A 15.571756-L55M16 ControlLogix 7.5 Mb Controller A13.53StandardRedundancy (5)InstallationInstructions1756-IN101User Manual1756-UM0011756-L61 ControlLogix 2 Mb Controller B 16.54 16.531756-L62 ControlLogix 4 Mb Controller B15.561756-L63 ControlLogix 8 Mb Controller B1756-RM Redundancy Module A 2.03 N/A 1756-UM535(this is not yetpublished)1757-SRM System Redundancy Module B N/A 5.014.03.053.37.51757-IN092 1756-UM5231756-CNB (2)1756-CNBR1756-CNB (2)1756-CNBR1756-CN21756-CN2R1756-ENBT1756-EN2TControlNet CommunicationModuleRedundant ControlNetCommunication ModuleControlNet CommunicationModuleRedundant ControlNetCommunication ModuleControlNet CommunicationModuleRedundant ControlNetCommunication ModuleEtherNet/IP CommunicationModuleEtherNet/IP CommunicationModuleD N/A 7.157.12D5.38.40E 11.0411.02E1756-IN5711756-IN604A 20.009 N/A 1756-IN602AA N/A 4.074.031756-IN019CNET-UM0011756-UM0502.003 N/A 1756-IN603 ENET-UM001(1) Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existingSIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the olderfirmware revision remain SIL2-certified.(2) Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visitinghttp://www.rockwellautomation.com/support/Publication 1756-RM001F-EN-P - June 2009 27

Chapter 1SIL Policy(3) Redundancy firmware for each module that can be used in a redundant system is packaged in a redundancy system firmware bundle. The redundancy firmware bundles areidentified by the controller firmware revision number. See the redundancy firmware release notes for information about individual module firmware revisions packaged ina bundle.(4) See the Enhanced Redundancy System Firmware Release Notes, publication 1756-RN650 for more information about redundancy firmware specific to the enhancedredundancy system.(5) See the Standard Redundancy System Release Notes, publication 1756-RN628 for more information about redundancy firmware specific to the standard redundancy system.(6)These publications are available from Rockwell Automation by visiting http://www.literature.rockwellautomation.com.SIL2-certified ControlLogix-XT ComponentsThese ControlLogix-XT components are certified for use in anonredundant SIL2 system.IMPORTANTControlLogix-XT modules use the same firmware as traditionalControlLogix components. When obtaining firmware forControlLogix-XT modules, download and use the firmwarespecific to the traditional ControlLogix module.For example, if you are using a 1756-EN2TXT module in yoursystem, use SIL2-certified firmware for the 1756-EN2T module.For more information about ControlLogix-XT module firmwarerevisions, see the firmware release notes specific to themodule. ControlLogix-XT module release notes are available at:http://literature.rockwellautomation.comSIL2-certified ControlLogix-XT System ComponentsCatalog No.1756-A5XT,1756-A7LXT1756-PBXT1756-CN2RXT1756-DHRIOXTDescriptionSeriesFirmware Revision (1)(2) Related Documentation (3)Nonredundancy FirmwareUse Firmwarefor Cat. No.FirmwareRevisionEnhancedRedundancyFirmwareInstallationInstructionsUser ManualControlLogix-XT Chassis B N/A N/A N/A 1756-IN637 None for thiscomponentControlLogix-XT Power B N/A N/A N/A 1756-IN639SupplyControlLogix-XTControlNetCommunication ModuleControlLogix-XT DataHighway - Plus RemoteI/O ModuleB 1756-CN2R 20.0009 20.0009 1756-IN634 CNET-UM001E 1756-DHRIO N/A 1756-IN638 1756-UM51428 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1SIL2-certified ControlLogix-XT System ComponentsCatalog No.1756-EN2TXT1756-L63XT1756-RMXTDescriptionControlLogix-XTEtherNet/IPCommunication ModuleControlLogix-XTControllerControlLogix-XTRedundancy ModuleSeriesB 1756-EN2T 2.005 2.003 1756-IN635 ENET-UM001B 1756-L63 16.2116.20Firmware Revision (1)(2) Related Documentation (3)Nonredundancy FirmwareUse Firmwarefor Cat. No.FirmwareRevisionEnhancedRedundancyFirmwareInstallationInstructionsUser Manual16.54 1756-IN633 1756-UM001A 1756-RM N/A 2.03 1756-IN636 1756-UM535(this is not yetpublished)(1) Catalog numbers that list multiple firmware revisions have multiple revisions that are SIL2-certified. When implementing new SIL2-certified systems or upgrading existingSIL2-certified systems, we recommend that you use the latest certified firmware revision (that is, the higher number). However, systems that continue to use the olderfirmware revision remain SIL2-certified.(2)(3)Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visitinghttp://www.rockwellautomation.com/support/These publications are available from Rockwell Automation by visiting http://www.literature.rockwellautomation.com.Publication 1756-RM001F-EN-P - June 2009 29

Chapter 1SIL PolicyProof TestsIEC 61508 requires the user to perform various proof tests of theequipment used in the system. Proof tests are performed atuser-defined times (for example, proof test intervals can be once ayear, once every two years or whatever time frame is appropriate) andinclude some of the following tests:• Testing of all fault routines to verify that process parameters aremonitored properly and the system reacts properly when a faultcondition arises.• Testing of digital input or output channels to verify that they arenot stuck in the ON or OFF state.• Calibration of analog input and output modules to verify thataccurate data is obtained from and used on the modules.IMPORTANTUsers’ specific applications will determine the timeframe forthe proof test interval.However, keep in mind that the Probability of Failure onDemand (PFD) calculations listed in chapter 2 use a proof testinterval of once per year. If the proof test interval is not onceper year, the information must be recalculated.For sample PFD calculations for proof test intervals of 2 and 5years, see Appendix E (page 141)30 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1Proof Testing with Redundancy SystemsA ControlLogix redundancy system uses an identical pair ofControlLogix chassis to keep your machine or process running if aproblem occurs with those chassis. When a failure occurs in any ofthe components of the primary chassis, control switches to thesecondary controller.The switchover can be monitored so that the system notifies the userwhen it has occurred. In this case (that is, when a switchover takesplace), we recommend that you replace the failed controller with themean time to restoration (MTTR) for your application.If you are using controller redundancy in a SIL2 application, you mustperform half the proof test on the primary controller and half theproof test on the secondary controller.TIPIf you are concerned about the availability of the secondarycontroller if the primary controller fails, it is good engineeringpractice to implement a switchover periodically (for example,once per proof test interval).For more information on switchovers in ControlLogix redundancysystems and ControlLogix redundancy systems in general, see theControlLogix Redundancy System user manual, publication1756-UM523.Publication 1756-RM001F-EN-P - June 2009 31

Chapter 1SIL PolicySafety Certifications andCompliancesHardware Designs andFirmware FunctionsControlLogix products referenced in this manual may have safetycertifications in addition to the SIL certification. To view additionalsafety certifications for products, go to http://www.ab.com and selectthe Product Certifications link.Diagnostic hardware designs and firmware functions designed into theControlLogix platform allow it to achieve at least SIL2 certification.IMPORTANTWhile diagnostic hardware designs and firmware functionsprovide the ability for a ControlLogix system to beSIL2-certified, achieving SIL2 certification also requires theproper implementation of programming principles described inthis manual.Diagnostic features that are incorporated into specific ControlLogixcomponents include:• processor•power supply•I/O modules•backplaneand are covered in subsequent sections.Some ControlLogix system features include:• multiple microprocessors that check themselves and each other• I/O modules with internal microprocessors• an I/O architecture that includes modules with backplaneconnections to the main central processing unit (CPU).The backplane connections, along with configuration identities,permit a new level of I/O module diagnostics unavailable in earlierplatforms.32 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1SIL ComplianceDistribution and WeightThe programmable controller may conservatively be assumed tocontribute 10% of the reliability burden. (See Figure .) A SIL 2 systemmay need to incorporate multiple inputs for critical sensors and inputdevices, as well as dual outputs connected in series to dual actuatorsdependent on SIL assessments for the safety related system. (SeeFigure )ControlLogix Systems or Loop+V10% of the PFD40% ofthe PFDSensorInputModulePowerSupplyControllerDig.OutputModuleActuator50% of the PFDSensorInputModule43383+V10% of the PFD40% ofthe PFDSensorInputModulePowerSupplyControllerStandardOutputModuleActuator50% of the PFDSensorInputModuleMonitoringInputModule43384Publication 1756-RM001F-EN-P - June 2009 33

Chapter 1SIL PolicyOther Agency CertificationsUser documentation shipped with ControlLogix products typically liststhe agency certifications for which the products are approved. If aproduct has achieved agency certification, it is marked on the productlabel. Product certifications are listed in the product’s specificationstable, as shown in the example below.Example Certification SpecificationsCertificationc-UL-usc-UL-usCSADescriptionUL Listed Industrial Control Equipment, certified for US and Canada.See UL File E65584.UL Listed for Class I, Division 2 Group A,B,C,D Hazardous Locations,certified for U.S. and Canada. See UL File E194810.CSA Certified Process Control Equipment. See CSA File LR54689C.CSA Certified Process Control Equipment for Class I, Division 2Group A,B,C,D Hazardous Locations. See CSA File LR69960C.FMCEC-TickEExFM Approved Equipment for use in Class I Division 2 Group A,B,C,DHazardous LocationsEuropean Union 2004/108/IEC EMC Directive, compliant with:• EN 61326-1; Meas./Control/Lab., Industrial Requirements• EN 61000-6-2; Industrial Immunity• EN 61000-6-4; Industrial Emissions• EN 61131-2; Programmable Controllers (Clause 8, Zone A & B)Australian Radiocommunications Act, compliant with:• AS/NZS CISPR 11; Industrial EmissionsEuropean Union 94/9/EC ATEX Directive, compliant with:• EN 60079-15; Potentially Explosive Atmospheres, Protection “n”(Zone 2)Response TimesThe response time of the system is defined as the amount of time ittakes for a change in an input condition to be recognized andprocessed by the controller’s ladder logic program, and then to initiatethe appropriate output signal to an actuator.The system response time is the sum of the following:• input hardware delays• input filtering• I/O and communication module RPI settings• controller program scan times• output module propagation delays• redundancy system switchover times (applicable inhigh-availability and fault-tolerant systems)34 Publication 1756-RM001F-EN-P - June 2009

SIL Policy Chapter 1Each of the times listed is variably dependent on factors such as thetype of I/O module and instructions used in the ladder program. Forexamples of how to perform these calculations, see Appendix A,Response Times in ControlLogix (page 101).For more information on the available instructions and for a fulldescription of logic operation and execution, see the followingpublications:• Logix5000 Controllers General Instruction Set Reference Manual,publication 1756-RM003.• ControlLogix System User Manual, publication 1756-UM001.Response Times in Redundancy SystemsThe response time of a system that uses redundancy is different froma system that does not use redundancy. The redundancy system has alonger response time because:• The primary controller must keep the secondary up-to-date andready to take over control in case of a switchover. This processof cross-loading fresh data at the end of each program scanincreases scan time.You can plan your project effectively (e.g., minimize the use ofSINT or INT tags, use arrays and user-defined data types) tominimize the scan time in a redundancy system. Generally, theprimary controller in a redundancy system has a 20% slowerresponse time than the controller in a non-redundancy system.• The switchover between controllers slows system response. Theswitchover time of a redundancy system depends on thenetwork update time (NUT) of the ControlNet network. Toestimate the switchover time, use the following formulas:Switchover Time FormulasFor this type of failure: If the NUT is: The switchover time is: Example:loss of power–or–module failure1756-CNB module cannotcommunicate with any other node< 6 60 ms For a NUT of 4 ms, the switchovertime is approximately 60 ms.> 7 5 (NUT) + MAX (2[NUT], 30) For a NUT of 10 ms, the switchovertime is approximately 80 ms.14 (NUT) + MAX (2[NUT], 30) + 50 For a NUT of 10 ms, the switchovertime is approximately 220 ms.Publication 1756-RM001F-EN-P - June 2009 35

Chapter 1SIL PolicyFor more information on response times in redundancy systems, seethe ControlLogix Redundancy System User Manual, publication1756-UM523.Program Watchdog Time ina ControlLogix SystemThe program watchdog (also known as the software watchdog) timeis a user-defined time that is set in the controller attributes menu ofthe RSLogix 5000 software.The program watchdog time is the maximum permissible timeallowed for a RUN cycle (cycle time). If the cycle time exceeds theprogram watchdog time, a major fault occurs on the controller. Usersmust monitor the watchdog and program the system outputs totransition to the safe state (typically the OFF state) in the event of amajor fault occurring on the controller. For more information onfaults, see chapter 8, Faults in the ControlLogix System (page 105).The program watchdog time must be ≥ 10 ms and must be < 50% ofthe safety time required for a ControlLogix system. The safety time isthe maximum amount of time in which the process tolerates a wrongsignal.See the ControlLogix System User Manual, publication number1756-UM001 for more information about setting the watchdog.36 Publication 1756-RM001F-EN-P - June 2009

Chapter 2PFD and PFH Calculations for a SIL2 SystemThis chapter provides information about the PFD and PFHcalculations required for SIL2 certification.TopicPageAbout PFD and PFH Calculations 39About the Calculations in this Manual 40ControlLogix Components PFD Calculations - 1 Year 41ControlLogix-XT PFD Calculations - 1 Year 45Using Component Values To Calculate System PFD or PFH 46Example: 1-year PFD Calculation for a ControlLogix System 46ControlLogix Component PFH Calculations - 1 Year 47ControlLogix-XT Components PFH Calculations - 1 Year 50About PFD and PFHCalculationsSafety-related systems can be classified as operating in either a lowdemand mode, or in a high demand/continuous mode. IEC 61508quantifies this classification by stating that the frequency of demandsfor operation of the safety system is no greater than once per year inthe low demand mode, or greater than once per year in highdemand/continuous mode. Generally speaking however, the once peryear is expanded to ten times per year.Probability of Failure on Demand (PFD)Probability of failure on demand (PFD) is the SIL value for a lowdemand safety-related system as related directly to order-of-magnituderanges of its average probability of failure to satisfactorily perform itssafety function on demand.PFD calculations are commonly used for process safety applicationsand applications where ESDs are used.39Publication 1756-RM001F-EN-P - June 2009 39

Chapter 2PFD and PFH Calculations for a SIL2 SystemProbability of Dangerous Failure Occurring per Hour (PFH)The probability of dangerous failure occurring per hour (PFH) isdirectly related to the SIL value for a high demand/continuous modesafety-related system.PFH calculations are commonly used for machine safety applications.Component-level CalculationsAlthough PFD and PFH values are usually associated with each of thethree elements making up a safety-related system (the sensors, theactuators, the logic element), they can be associated with eachcomponent of the logic element, that is, each module of aprogrammable controller.Tables in this chapter present 1-year PFD and PFH values forControlLogix and ControlLogix-XT components that are evaluated byTÜV.About the Calculations inthis ManualFor the calculations presented in this chapter, these values were usedas the two application-dependent variables:• the Mean Time to Restoration (MTTR) is ten hours.• the Proof Test Interval (T 1 ) is one year (8760 hours).For calculations representing other proof test intervals, see theappendices of this manual.The PFD and PFH values in this manual are calculated using formulasexplained in IEC 61508, Part 6, Annex B. Refer to IEC 61508, Part 6,for more information about calculating PFD and PHF values for yoursystem.40 Publication 1756-RM001F-EN-P - June 2009

PFD and PFH Calculations for a SIL2 System Chapter 2Determine Which PFD and PFH Values To UseIMPORTANTYou are responsible for determining which PFD and PFH valuesprovided are appropriate for your SIl2-certified system.Determine which values to use based on the modules used yoursystem and the system configuration .Each of the PFD and PFH calculated values provided in this manual isbased on the configuration the module can be used in, that is 1oo1 or1oo2.• Communication and controller communication modules havePFD and PFH values specific to use in a 1oo1 configuration.• Input modules have PFD and PFH values specific to use in a1oo2 configuration.• Diagnostic output modules have PFD and PFH values specific touse in a 1oo1 configuration.• Standard output modules have PFD and PFH values specific touse in either 1oo1 or 1oo2 configurations.ControlLogix Components PFD Calculations - 1 YearPFD Calculations - 1-year for Traditional ControlLogix ComponentsThe PFD calculations in this table are calculated for a 1-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Cat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (5) λ (6) 1oo11oo2Architecture Architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 2.23E-06 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 1.15E-04 x1756-CNBR/D (3)1756-CNBR/EControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge module1,873,738 5.34E-07 1.20E-04 xPublication 1756-RM001F-EN-P - June 2009 41

Chapter 2PFD and PFH Calculations for a SIL2 SystemPFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)1756-CN2/A1756-CN2R/A1756-CN2/B1756-CN2R/BDescriptionControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleCalculated PFD:Mean Time BetweenFailure (MTBF) (5) λ (6) 1oo11oo2Architecture Architecture4,964,960 2.01E-07 4.51E-05 x1,277,120 7.83E-07 1.75E-04 x7,434,944 1.35E-07 3.01E-05 x6,921,373 1.44E-07 3.24E-05 x1756-DHRIO/D (3) ControlLogix Data Highway plusremote I/O module1756-DNB (3) ControlLogix DeviceNet bridgemodule1756-EN2T ControlLogix EtherNet/IP bridge 628,854 1.59E-06 3.56E-04 xmodule1756-ENBT ControlLogix EtherNet/IP bridge 7,571,957 1.32E-07 2.96E-05 xmodule1756-IA16I ControlLogix AC isolated input 29,206,766 3.42E-08 x 6.03E-07module1756-IA8D ControlLogix AC diagnostic input 14,322,880 6.98E-08 x 1.23E-06module1756-IB16D ControlLogix DC diagnostic input 43,459,520 2.30E-08 x 4.05E-07module1756-IB16I ControlLogix DC isolated input 19,277,903 5.19E-08 x 9.15E-07module1756-IB16ISOE ControlLogix sequence of events 1,883,787 5.31E-07 x 9.62E-06module1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 2.80E-061756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 6.15E-061756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 4.77E-051756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 5.49E-061756-IF6CIS ControlLogix isolated sourcing 2,433,600 4.11E-07 x 7.40E-06analog input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 7.18E-061756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 4.90E-06module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 1.44E-061756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 3.20E-06module1756-IT6I2 ControlLogix enhancedthermocouple input module1,684,404 5.94E-07 x 1.08E-0542 Publication 1756-RM001F-EN-P - June 2009

PFD and PFH Calculations for a SIL2 System Chapter 2PFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (5) λ (6) 1oo11oo2Architecture Architecture1756-L55M13 ControlLogix L55 controller, 1.5 2,316,912 4.32E-07 9.67E-05 xMB memory1756-L55M16 ControlLogix L55 controller, 7.5 2,015,520 4.96E-07 1.11E-04 xMB memory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 2.53E-04 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 2.08E-04 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 2.33E-04 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 2.12E-05 1.68E-06module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 2.40E-05 1.90E-06module1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 1.30E-05 1.03E-06module1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 6.23E-05 4.97E-06module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 1.14E-04 9.17E-061756-OB8EI ControlLogix DC fused output 10,695,360 9.35E-08 2.09E-05 1.65E-06module1756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 2.69E-05 2.13E-06module1756-OF6VI ControlLogix isolated analog 17,900,480 5.59E-08 1.25E-05 9.86E-07output module1756-OF8 ControlLogix analog output 6,575,280 1.52E-07 3.41E-05 2.70E-06module1756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 8.49E-05 6.81E-061756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 6.19E-05 4.94E-06module1756-OX8I ControlLogix contact output 9,220,343 1.08E-07 2.43E-05 1.92E-06module1756-PA75/B ControlLogix AC power supply 3,287,212 3.04E-07 6.81E-05 xmodule1756-PA75R ControlLogix AC redundant powersupply (4) 610,161 1.64E-06 3.67E-04 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 3.81E-05 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 1.52E-05 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 3.80E-05 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 1.63E-04 xPublication 1756-RM001F-EN-P - June 2009 43

Chapter 2PFD and PFH Calculations for a SIL2 SystemPFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)Description1756-PSCA2 ControlLogix Redundant power 5,477,680 1.83E-07 4.09E-05 xsupply adapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 3.90E-04 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 3.80E-05 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 2.42E-05 x(1) References a series A component if no other series is indicated by /X.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3) Data for this component is no longer available.Calculated PFD:Mean Time BetweenFailure (MTBF) (5) λ (6) 1oo11oo2Architecture Architecture(4) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(5)(6)MTBF measured in hours. The values used here represent values available in March 2009.λ = Failure Rate = 1/MTBF.44 Publication 1756-RM001F-EN-P - June 2009

PFD and PFH Calculations for a SIL2 System Chapter 2ControlLogix-XT PFD Calculations - 1 YearPFD Calculations - 1-year for ControlLogix-XT ComponentsThe PFD calculations in this table are calculated for a 1-year proof testinterval and are specific to ControlLogix-XT system components.Mean TimeCalculated PFD:Cat. No. (1)DescriptionBetween Failure λ (3)(MTBF) (2) 1oo11oo2Architecture Architecture1756-A5XT/B ControlLogix-XT chassis 64,683,216 1.55E-08 3.46E-06 x1756-A7XT/B ControlLogix-XT chassis 63,938,619 1.56E-08 3.50E-06 x1756-CN2RXT/B ControlLogix-XT ControlNet 8,063,216 1.24E-07 2.78E-05 xbridge module1756-EN2TXT/B ControlLogix-XT EtherNet/IP 8,788,891 1.14E-07 2.55E-05 xbridge module1756-L63XT/B ControlLogix-XT controller 2,102,696 4.76E-07 1.07E-04 x1756-DHRIOXT/E ControlLogix-XT DataHighway - plus remote I/Omodule8,063,216 1.24E-07 2.78E-05 x1756-PBXT/B1756-RMXTControlLogix-XT powersupplyControlLogix-XT redundancymodule(1) References a series A component if no other series is indicated by /X.(2) MTBF measured in hours. The values used here represent values available in April 2009.8,632,597 1.70E-07 3.81E-05 x7,033,338 1.42E-07 3.18E-05 x(3)λ = Failure Rate = 1/MTBF.Publication 1756-RM001F-EN-P - June 2009 45

Chapter 2PFD and PFH Calculations for a SIL2 SystemUsing Component Values To Calculate System PFD or PFHThe system PFD or PFH value is calculated by totaling the PFD orPFH values of each component in the system. To calculate a systemPFD value, use this equation:modA PFD + modB PFD + modC PFD = system PFDwhere modX PFD is the PFD value for one component or or modulein the system. When calculating your system PFD, verify that all thecomponents used in the system are totaled.Example: 1-year PFD Calculation for a ControlLogix SystemThis example shows an example of a PFD calculation for a traditionalControlLogix system in a fail-safe configuration. The example systemincludes two DC input modules used in a 1oo2 configuration and aDC output module..Example of PFD Calculations for a Fail-safe SystemCat. No. Description MTBF Calculated PFD1756-AXX ControlLogix chassis 100,250,000 2.23E-061756-L55M16 ControlLogix 5555 controller 2,015,520 1.11E-041756-OB16D DC output module 17,204,374 1.30E-051756-IB16D DC diagnostic input module 43,459,520 4.05E-07Total PFD calculation for a safety loop consisting of 1.25E-04these products:46 Publication 1756-RM001F-EN-P - June 2009

PFD and PFH Calculations for a SIL2 System Chapter 2ControlLogix Component PFH Calculations - 1 YearPFH Calculations - 1-year for Traditional ControlLogix ComponentsThe PFH calculations in this table are calculated for a 1-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Calculated PFH:Mean TimeCat. No. (1)BetweenDescriptionFailure λ (6) 1oo11oo2(MTBF) (5) architecture architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 4.99E-10 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 2.56E-08 x1756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/B1756-DHRIO/D (3)1756-DNB (3)1756-EN2T/A1756-ENBT/A1756-IA16I1756-IA8D1756-IB16D1756-IB16I1756-IB16ISOEControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix Data Highway plusremote I/O moduleControlLogix DeviceNet bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix AC isolated inputmoduleControlLogix AC diagnostic inputmoduleControlLogix DC diagnostic inputmoduleControlLogix DC isolated inputmoduleControlLogix sequence of eventsmodule1,873,738 5.34E-07 2.67E-08 x4,964,960 2.01E-07 1.01E-08 x1,277,120 7.83E-07 3.92E-08 x7,434,944 1.35E-07 6.73E-09 x6,921,373 1.44E-07 7.22E-09 x628,854 1.59E-06 7.95E-08 x7,571,957 1.32E-07 6.60E-09 x29,206,766 3.42E-08 x 2.41E-1014,322,880 6.98E-08 x 4.93E-1043,459,520 2.30E-08 x 1.62E-1019,277,903 5.19E-08 x 3.65E-101,883,787 5.31E-07 x 3.96E-09Publication 1756-RM001F-EN-P - June 2009 47

Chapter 2PFD and PFH Calculations for a SIL2 SystemPFH Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (6) 1oo11oo2(MTBF) (5) architecture architecture1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 1.13E-091756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 2.50E-091756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 2.16E-081756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 2.23E-091756-IF6CIS ControlLogix isolated sourcing analog 2,433,600 4.11E-07 x 3.02E-09input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 2.93E-091756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 1.99E-09module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 5.74E-101756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 1.29E-09module1756-IT6I2 ControlLogix enhanced thermocouple 1,684,404 5.94E-07 x 4.46E-09input module1756-L55M13 ControlLogix L55 controller, 1.5 MB 2,316,912 4.32E-07 2.16E-08 xmemory1756-L55M16 ControlLogix L55 controller, 7.5 MB 2,015,520 4.96E-07 2.48E-08 xmemory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 5.65E-08 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 4.65E-08 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 5.19E-08 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 4.74E-09 6.71E-10module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 5.36E-09 7.61E-10module1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 2.91E-09 4.10E-10module1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 1.39E-08 2.01E-09module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 2.53E-08 3.77E-091756-OB8EI ControlLogix DC fused output module 10,695,360 9.35E-08 4.67E-09 6.62E-101756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 6.01E-09 8.54E-10module1756-OF6VI ControlLogix isolated analog output 17,900,480 5.59E-08 2.79E-09 3.94E-10module1756-OF8 ControlLogix analog output module 6,575,280 1.52E-07 7.60E-09 1.08E-091756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 1.90E-08 2.78E-0948 Publication 1756-RM001F-EN-P - June 2009

PFD and PFH Calculations for a SIL2 System Chapter 2PFH Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (6) 1oo11oo2(MTBF) (5) architecture architecture1756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 1.38E-08 2.00E-09module1756-OX8I ControlLogix contact output module 9,220,343 1.08E-07 5.42E-09 7.69E-101756-PA75/B ControlLogix AC power supply module 3,287,212 3.04E-07 1.52E-08 x1756-PA75R ControlLogix AC redundant powersupply (4) 610,161 1.64E-06 8.19E-08 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 8.50E-09 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 3.40E-09 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 8.48E-09 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 3.64E-08 x1756-PSCA2 ControlLogix Redundant power supply 5,477,680 1.83E-07 9.13E-09 xadapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 8.71E-08 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 8.49E-09 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 5.41E-09 x(1)Uses value for series A if no other series are specified.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3) Data for this component is no longer available.(4) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(5) MTBF measured in hours. The values used here represent values available in March 2009.(6)λ = Failure Rate = 1/MTBFPublication 1756-RM001F-EN-P - June 2009 49

Chapter 2PFD and PFH Calculations for a SIL2 SystemControlLogix-XT Components PFH Calculations - 1 YearPFH Calculations - 1-year for ControlLogix-XT ComponentsThe PFH calculations in this table are calculated for a 1-year proof testinterval and are specific to ControlLogix-XT system components.Mean TimeCalculated PFD:Cat. No. (1)DescriptionBetween Failure λ (3)(MTBF) (2) 1oo11oo2Architecture Architecture1756-A5XT/B ControlLogix-XT chassis 64,683,216 1.55E-08 7.73E-10 x1756-A7XT/B ControlLogix-XT chassis 63,938,619 1.56E-08 7.82E-10 x1756-CN2RXT/B ControlLogix-XT ControlNet 8,063,216 1.24E-07 6.20E-09 xbridge module1756-EN2TXT/B ControlLogix-XT EtherNet/IP 8,788,891 1.14E-07 5.69E-09 xbridge module1756-L63XT/B ControlLogix-XT controller 2,102,696 4.76E-07 2.38E-08 x1756-DHRIOXT/E ControlLogix-XT DataHighway - plus remote I/Omodule8,063,216 1.24E-07 6.20E-09 x1756-PBXT/B1756-RMXTControlLogix-XT powersupplyControlLogix-XT redundancymodule(1) References a series A component if no other series is indicated by /X.(2) MTBF measured in hours. The values used here represent values available in April 2009.8,632,597 1.70E-07 8.50E-09 x7,033,338 1.42E-07 7.11E-09 x(3)λ = Failure Rate = 1/MTBF.50 Publication 1756-RM001F-EN-P - June 2009

Chapter 3The ControlLogix SystemThis chapter offers an overview of some standard features in theControlLogix architecture that make it suitable for use in SIL2applications.TopicPageGeneral Overview of ControlLogix Platform 51Overview of the ControlLogix Architecture 52Module Fault Reporting 53Fault-handling 53Data Echo Communication Check 54Pulse Test 55Software 56Communication 56Other Unique Features that Aid Diagnostics 58General Overview ofControlLogix PlatformMany of the diagnostic methods and techniques used in theControlLogix platform are improved versions of techniques anddesigns previously incorporated into Allen-Bradley PLC platforms overthe last three decades.These are designs that have evolved to maintain the robustness anddeterministic response that our customers have come to expect asthey migrated from electromechanical to solid state technology.The self-checking routines and diagnostics performed bymicroprocessor-based systems (for example, ControlLogix) havegreatly advanced over the years. Programmable controllers such asControlLogix can be programmed and configured to perform checkson the total system, including its own configuration, wiring, andperformance, as well as monitor input sensors and output devices.51Publication 1756-RM001F-EN-P - June 2009 51

Chapter 3The ControlLogix SystemIf an anomaly (other than automatic shutdown) is detected, the systemcan be programmed to initiate user-defined fault handling routines.Output modules can turn OFF selected outputs in the event of afailure. New diagnostic I/O modules self-test to make sure that fieldwiring is functioning. Output modules use pulse testing to make sureoutput switching devices are not shorted. Using these internalfeatures, as well as application software when needed, today’sControlLogix customers are able to achieve highly reliable controlsystems.Overview of theControlLogix ArchitectureRockwell Automation’s latest generation of programmable controllersis the ControlLogix system. Inherent in its design and implementationare several features that surpass anything offered in previous productarchitectures. The inclusion of these features represent improvementsdriven by customer demand for uptime and reliability as well asRockwell’s long-developed design experience in producing thesetypes of products.One of the most significant changes in the architecture is theimplementation of the Producer/Consumer (P/C) communicationmodel between controller and I/O. The P/C communication modelreplaces traditional ‘polling’ of I/O modules and, consequently, haschanged the overall behavior of these components compared to theircounterparts in previous architectures. Input modules “produce” data,controller and output modules both “produce” and “consume” data.These changes were embraced because of the enhanced data integrityand fault reporting capabilities they provide. I/O modules nowexchange much more than simply the ON/OFF state of the devicesthey are connected to. Module identification information,communication status, fault codes and, through the use ofspecially-designed modules, field-side diagnostics can now all beretrieved from the I/O system as part of the standard feature set of theProducer/Consumer communication model. (See Figure 3.1).Figure 3.1 Producer/Consumer ModelLogix ControllerInput ModulesOutput ModulesCommonly Shared Data4337452 Publication 1756-RM001F-EN-P - June 2009

The ControlLogix System Chapter 3Module Fault ReportingOne of the key concepts in this model is Ownership. Every module inthe control system is now “owned” by at least one controller in thearchitecture. When a controller “owns” an I/O module, it means thatthat controller stores the module’s configuration data, defined by theuser; this data dictates how the module behaves in the system.Inherent in this configuration and ownership is the establishment of a“heartbeat” between the controller and module; this heartbeat is alsoknown as the Requested Packet Interval (RPI).The existence of the RPI forms the basis for Module-level Faultreporting in the ControlLogix architecture, a capability which isinherent to all ControlLogix I/O modules.For more information on module fault reporting in the ControlLogixcontroller, specifically the GSV instructions, see chapter 8, Faults inthe ControlLogix System (page 105).Fault-handlingThe RPI defines a minimum time interval in which the controller andI/O module must communicate with each other. If, for any reason,communications cannot be established or maintained (that is, the I/Omodule has failed), the system can be programmed to run a specialFault-handling routine. This routine determines whether the systemmust continue functioning or whether the fault condition warrants ashutdown of the application.For example, the system can be programmed to retrieve the fault codeof the failed module and make a determination, based on the type offault, as to whether to continue operating. In addition, standardControlLogix output modules are also capable of reporting blown-fusestatus and loss of field power back to the controller.This ability of the controller to monitor the health of I/O modules inthe system and take appropriate action based on the severity of a faultcondition gives the user complete control of the application’s behaviorwhen trouble occurs. It is the user’s responsibility to establish thecourse of action appropriate to their safety application.For more information on Fault Handling, see chapter 8, Faults in theControlLogix System (page 79).Publication 1756-RM001F-EN-P - June 2009 53

Chapter 3The ControlLogix SystemData Echo Communication CheckAnother powerful by-product of the p/c communication model andthe implementation of the Control and Information Protocol (CIP)protocol is the Output Data Echo, a communication methodemployed between owner-controllers and every output module in thesystem. Output Data Echo allows the user to verify that an ON/OFFoutput command from the controller was actually received by thecorrect output module, and that the module will attempt to executethe command to the field device connected to it.During normal operation, when a controller sends an outputcommand, the output module that is targeted for that command will“echo” that requested state back to the system upon its receipt. Thisverifies that the module has received the command and will try toexecute it. By comparing the requested state from the controller to thedata echo received from the module, the user can validate that thesignal has reached the correct module and that the module willattempt to activate the appropriate field-side device. Again, it is theuser’s responsibility to establish the course of action appropriate totheir safety application.When used with standard ControlLogix output modules, the DataEcho validates the command up to the system-side of the module, butnot to the field-side. However, when this feature is used in tandemwith diagnostic output modules, the user can virtually verify theoutput command integrity from the controller to the actuatorconnected to the module.Diagnostic output modules contain special circuitry that performsField-side Output Verification. Field-side Output Verificationinforms the user that system-side commands received by the moduleare accurately represented on the power side of the switching device.In other words, for each output point, this feature confirms that theoutput is ON when it is commanded to be ON or OFF whencommanded to be OFF.The capability of comparing the actual state of the field-side of thediagnostic module’s output against what the controller commandsgives the user the ability to make sure that the module is performingwhat the control system is requesting, once that output command hasbeen issued.54 Publication 1756-RM001F-EN-P - June 2009

The ControlLogix System Chapter 3Figure 3.2 Output Module Behavior in the ControlLogix SystemOutput Commands from ControllerStandardControlLogix I/OInformationData Echo validation from system-sideAdditional Field-SideInformation provided byDiagnostic Output modulesField-side Output Verification, PulseTest status plus No Load detectionActuatorPulse TestA diagnostic output module feature called a Pulse Test can verifyoutput circuit functionality without actually changing the state of theactuator connected to the output. Under user program control, anextremely short-duration pulse is directed to a particular output on themodule. The output circuitry will momentarily change its current statelong enough to verify that it CAN change state when requested, butshort enough in duration (the actual pulse is measured inmilliseconds) not to effect the actuator connected to the output. Thispowerful feature allows a user to perform a preemptive diagnosis ofpossible future module conditions before they occur.Publication 1756-RM001F-EN-P - June 2009 55

Chapter 3The ControlLogix SystemSoftwareThe location, ownership and configuration of I/O modules andcontrollers is performed using RSLogix 5000 programming software.The software is used for all creation, testing and debugging ofapplication logic.When using RSLogix 5000 software, users must remember thefollowing:• During normal SIL2-certified operation:– we recommend the programming terminal be disconnected.– the keyswitch must be set to the RUN position.– the controller key must be removed from the keyswitch.• Authorized personnel may change an application program butonly by using one of the processes described in sectionChanging Your Application Program on page 120.CommunicationSeveral communication options are available for connecting with theControlLogix SIL2 system and for the exchange of data within the SIL2system.ControlNet NetworkThe ControlNet network can be used to:• enable communication between redundant chassis.• form the basis for I/O communications both in redundantchassis and in remote chassis.ControlNet networks are industry-proven networks that incorporate16-bit CRC and a standard CIP network protocol.To schedule the ControlLogix ControlNet network, use RSNetWorx forControlNet software. The correct scheduling of the network isindependently verified by the controller after the program isdownloaded; the schedule must match the RSLogix 5000 program.RSLogix 5000 software also provides user-defined fault handing (forexample, execute fault routine) for error handling.56 Publication 1756-RM001F-EN-P - June 2009

The ControlLogix System Chapter 3Serial CommunicationA serial port is available on the controller for download orvisualization purposes only. It uses an industry-proven DF-1 serial linkprotocol that has a selection of either 8-bit BCC checksum or 16-bitCRC. The serial port also uses an industry standard CIP networkprotocol running on the DF-1 link.EtherNet/IP NetworkAn EtherNet/IP connection can be used to:• download to, monitor, and visualize the redundant chassis.• connect to remote I/O chassis.The EtherNet/IP network supports messaging, produced/consumedtags, and distributed I/O. Messages are encapsulated within standardTCP/UDP/IP protocols and share a common application layer withControlNet networks via CIP communication.At this time, EtherNet/IP communication cannot be used to connectredundant chassis. However, future advances in EtherNet/IP modulesand networks will likely make it possible to use EtherNet/IPconnections to communicate between redundant chassis.Publication 1756-RM001F-EN-P - June 2009 57

Chapter 3The ControlLogix SystemOther Unique Features that Aid DiagnosticsOther unique features of the ControlLogix system that differentiate itfrom previous iterations of programmable controllers and provide anunprecedented capability to diagnose and react to fault conditions inan application include:• Timestamping of I/O and diagnostic data• Electronic keying based on module identification.Electronic KeyingDuring module configuration, you must choose one of the followingkeying options for your module:– Exact Match– Compatible Module– Disable KeyingWhen the controller attempts to connect to and configure aControlLogix module (for example, after a program download), themodule compares the specific parameters, defined by the keyingoption selected, before allowing the connection and configuration tobe accepted.We recommend that you use Exact Match whenever possible. WithExact Match, all module comparisons between the configuration andthe module physically located in the slot that the controller isattempting to configure must be identical or the connection isrejected.IMPORTANTSome I/O modules listed in Table on page 23, may not haveconfiguration profiles for the version of RSLogix 5000 softwarebeing used. You may choose to use Compatible Keying orDisable Keying in these instances.For example, the 1756-IB32/B module does not have a profile inRSLogix 5000 software, version 11. In this case, the1756-IB32/A profile can be used to configure the series Bmodule as long as the Disable Keying option is selected.However, if you use the Disable Keying option, you must verifythat the correct module is used with your configuration in aSIL2-certified system.For more information on these features, see the Digital I/O usermanual, publication 1756-UM058.58 Publication 1756-RM001F-EN-P - June 2009

The ControlLogix System Chapter 3Checklist for theControlLogix SystemThe following checklist is required for planning, programming andstart up of a SIL2-certified ControlLogix system. It may be used as aplanning guide as well as during proof testing. If used as a planningguide, the checklist can be saved as a record of the plan.Company:Site:Loopdefinition:Check List for ControlLogix System (1)No. Fulfilled Comment1 Are you only using the SIL2-certified ControlLogix modules listed in Table 1.1 onpage 21, with the corresponding firmware release listed in the table, for your safetyapplication?2 Have you calculated the system’s response time?3 Does the system’s response time include both the user-defined, SIL-task programwatchdog (software watchdog) time and the SIL-task duration time?4 Is the system response time in proper relation to the process tolerance time?5 Have PFD values been calculated according to the system’s configuration?6 Have you performed all appropriate proof tests?7 Have you defined your process parameters that are monitored by fault routines?8 Have you determined how your system will handle faults?9 Have you taken into consideration the checklists for using SIL inputs and outputslisted on pages 77 and 78.YesNo(1)For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy.Publication 1756-RM001F-EN-P - June 2009 59

Chapter 3The ControlLogix System60 Publication 1756-RM001F-EN-P - June 2009

Chapter 4ControlLogix System Chassis and PowerSuppliesThis chapter describes the chassis and power supplies required forSIL2-certified ControlLogix systems and considerations for use.TopicPageControlLogix Chassis 61ControlLogix Power Supplies 61Non-Redundant Power Supply 62Redundant Power Supply 62Recommendations for System Hardware Use 63Additional Resources 63ControlLogix ChassisThe ControlLogix 1756-Axx chassis provide the physical connectionsbetween modules and ControlLogix backplane. These connectionsallow for P/C communications between controllers and I/O modules.The chassis itself is passive and is not relevant to further discussionsince any physical failure would be unlikely under normalenvironmental conditions and would be manifested and detected as afailure within one or more of the active components.ControlLogix PowerSuppliesControlLogix power supplies are designed with noise filtering andisolation to reduce the opportunity for induced contamination of thesupplied voltages. The power supply monitors the backplane powerand generates control signals (for example, DC_FAIL_L) to indicate ifpower failure is imminent.If an anomaly occurs in the supplied voltages, the power supplyimmediately shuts down. The power supply monitors all powersupply voltages via sense lines.IMPORTANTNo extra configuration or wiring is required for SIL2 operationof the ControlLogix power supplies.61Publication 1756-RM001F-EN-P - June 2009 61

Chapter 4ControlLogix System Chassis and Power SuppliesAll ControlLogix power supplies are designed to:• detect anomalies.• communicate to the controllers with enough stored power toallow for an orderly and deterministic shutdown of the system,including the controller and I/O.Non-Redundant Power SupplyControlLogix non-redundant power supplies are certified for use inSIL2 applications. In a non-redundant configuration, one powersupply is connected to one chassis.IMPORTANTWhen non-redundant power supplies are used with 1756-L6xcontrollers, they must be Series B.Redundant Power SupplyControlLogix redundant power supplies can be used in SIL2-certifiedapplications. IN a redundant power supply configuration, two powersupplies are connected to the same chassis.The power supplies share the current load required by the chassis andan internal solid state relay that can annunciate a fault. Upon detectionof a failure in one supply, the other redundant power supplyautomatically assumes the full current load required by the chassiswithout disruption to devices installed.The 1756-PSCA and 1756-PSCA2 redundant power supply chassisadapter modules connect the redundant power supply to the chassis.ReIMPORTANTUse redundant power supplies with 1756-L55 controllers.Redundant power supplies cannot be used with the 1756-L6xcontrollers.62 Publication 1756-RM001F-EN-P - June 2009

ControlLogix System Chassis and Power Supplies Chapter 4Recommendations forSystem Hardware UseUsers must consider the recommendations listed below when usingSIL2-certified ControlLogix hardware:ChassisWhen installing ControlLogix chassis, follow the instructions providedin the product documentation.Power SuppliesUsers must consider these recommendations when using SIL2-certifiedControlLogix power supplies:• When installing ControlLogix power supplies, follow theinformation provided in the product’s installation instructions.• A non-redundant power supply can be used if it meets theuser-defined PFD criteria.• For high availability SIL2 applications, the redundant powersupply is recommended.• It is recommended that the solid-state fault relay on each powersupply be wired from an appropriate voltage source to an inputpoint in the ControlLogix system so the user can program todetect and display a power supply fault.Additional ResourcesFor more information about installing ControlLogix chassis and powersupplies, see the publications listed in Table , SIL2-certifiedControlLogix Components - Hardware (page 23).Publication 1756-RM001F-EN-P - June 2009 63

Chapter 4ControlLogix System Chassis and Power SuppliesNotes:64 Publication 1756-RM001F-EN-P - June 2009

Chapter 5ControlLogix ControllerThis chapter describes the ControlLogix controller as used in aSIL2-certified system.TopicPageIntroduction to the Controller 65Recommendations for Controller Use 66Additional Resources 66Introduction to theControllerThe ControlLogix controllers used in a SIL2-certified ControlLogixsystem is a solid-state control system with a user-programmablememory for storage of data to implement specific functions, such as:•I/O control•Logic• Timing• Counting• Report generation• Communications•Arithmetic• Data file manipulationThe controller consists of a central processor, I/O interface andmemory.The controller performs power-up and run-time functional tests. Thetests are used with user-supplied application programs to verifyproper controller operation.CompactFlash CardTwo CompactFlash cards, 1784-CF64 and 1784-CF128, can be used fornonvolatile memory with the 1756-L61, 1756-L62, and 1756-L63controllers. However, the use of this card is not yet certified, and maynot be used in a SIL2-certified application.65Publication 1756-RM001F-EN-P - June 2009 65

Chapter 5ControlLogix ControllerRecommendations forController UseConsider these recommendations when using a SIL2-certifiedControlLogix controller:• In non-redundant applications, use only one controller in theControlLogix loop. The controller must own the configurationinformation for all I/O modules associated with the safety loop.• When installing ControlLogix controller, refer to the installationinstructions listed in the Additional Resources section.• There are currently separate firmware revisions for redundantand non-redundant operation. For more information on therevisions, see Table 1.1 on page 21.Additional ResourcesFor more information on the ControlLogix controllers, see thesepublications:• ControlLogix Controllers Installation Instructions,publication 1756-IN614• ControlLogix Controllers User Manual, publication 1756-UM001These publications are available from Rockwell Automation athttp://www.rockwellautomation.com/literature.66 Publication 1756-RM001F-EN-P - June 2009

Chapter 6ControlLogix Communication ModulesThis chapter describes the communication modules used in aControlLogix SIL2 system.TopicPageIntroduction to Communication Modules 67ControlNet Modules and Components 68ControlNet Cabling 68ControlNet Module Diagnostic Coverage 68EtherNet/IP Networks 69EtherNet/IP Versus ControlNet Networks 69Requirements for Communication Networks 70Additional Resources 71Introduction toCommunication ModulesThe communications modules in a SIL2-certified ControlLogix systemprovide communication bridges from a ControlLogix chassis to otherchassis or devices via the ControlNet and Ethernet networks. Thesecommunication modules are available.Table 6.1 Communication Networks and SIL2 ModulesNetwork TypeControlNetEtherNet/IPData Highway Plus – Remote I/OSynchLinkSIL2 Modules• 1756-CNB• 1756-CNBR• 1756-CN2T• 1756-ENBT• 1756-EN2T1756-DHRIO1756-SYNCHControlLogix communications modules can be used in peer-to-peercommunications between ControlLogix devices. The communicationsmodules can also be used for expansion of I/O to additionalControlLogix remote I/O chassis.67Publication 1756-RM001F-EN-P - June 2009 67

Chapter 6ControlLogix Communication ModulesControlNet Modules andComponentsThe ControlNet bridge modules (1756-CNB, 1756-CNBR, and1756-CN2T) provide communication between any nodes properlyscheduled on the ControlNet network.ControlNet CablingFor remote racks, a single RG6 coax cable is required for ControlNet.Although it is not a requirement to use redundant media with the1756-CNBR, it does provide higher system reliability. Redundantmedia is not required for SIL2 operation.ControlNet RepeaterThe following ControlNet repeater modules are approved for use insafety applications up to and including SIL2:• 1786-RPFS, Short-distance Fiber Repeater Module• 1786-RPFM, Medium-distance Fiber Repeater Module• 1786-RPFRL, Long-distance Fiber Repeater Module• 1786-RPFRXL, Extra-long-distance Fiber Repeater ModuleUse of adapter 1756-RPA is required with all of the repeater moduleslisted. For more information about the use of ControlNet Repeatermodules, reference the documents listed in this table.Table 6.2 For More Information About Repeater ModulesTopic Publication Title PublicationNumberPlanning for and installingControlNet repeater modules.Use of repeaters in safetyapplications.ControlNet Fiber MediaPlanning and Installation GuideCNET-IN001TÜV Report 986/EZ 986/EZ 135.03.05ControlNet Module Diagnostic CoverageAll communications over the passive ControlNet media occur via CIP,which guarantees delivery of the data. All modules independentlyverify proper transmission of the data.68 Publication 1756-RM001F-EN-P - June 2009

ControlLogix Communication Modules Chapter 6EtherNet/IP NetworksThe EtherNet/IP bridge module (catalog numbers 1756-ENBT and1756-EN2T) can be used to:• connect controller chassis to remote I/O.• make connections for visualization purposes.• establish connections between the programming terminal andcontroller.The Ethernet link is based on industry-standard CIP network protocolrunning on top of TCP and UDP using 32-bit CRC. Also, TCP and UDPwith 16-bit Checksums are running on top of Ethernet.EtherNet/IP VersusControlNet NetworksThe network options that you choose depends on your SIL2 system.Use this table to determine your options when deciding between anEtherNet/IP or ControlNet network.EtherNet/IP versus ControlNet Networks for SIL2 SystemsIf using aRedundant controller and communicationchassisRemote I/O chassis in a fail-safeconfigurationRemote I/O chassis in a high-availability orfault-tolerant configurationComputer to connect to the controlleroutside of the SIL2 safety loop.HMI or other visualization device outside ofthe SIL2 safety loop.Then useA ControlNet network to connect theredundant chassis.Either a:• ControlNet connection to the remote I/Ochassis.• EtherNet/IP connection to the remoteI/O chassis.A ControlNet network for redundant chassisand connections to remote I/OEither a:• ControlNet connection from thecomputer to the controller.• EtherNet/IP connection to controller.Either a:• ControlNet connection from thecomputer to the controller.• EtherNet/IP connection to controller.Note that the use of an EtherNet/IP network requires a switch for starconfiguration. Also, Ethernet is an ‘active’ media whereas ControlNetuses a ‘passive’ media and has a lower failure rate.Publication 1756-RM001F-EN-P - June 2009 69

Chapter 6ControlLogix Communication ModulesData Highway Plus -Remote I/OThe Data Highway Plus - Remote I/O Communication Interfacemodule (1756-DHRIO) supports multiple types of communication.However, you can only use the DH+ portion of the module’sfunctionality in SIL2 applications.SynchLinkThe SynchLink module (1756-SYNCH) is used for CST timepropagation between multiple chassis for event recording. Themodule cannot be used for any safety-related activity in aSIL2-certified ControlLogix system.Requirements forCommunication NetworksUsers must consider the recommendations listed below when usingSIL2-certified communications modules:• When installing ControlLogix communications modules,carefully follow the information provided in the module’sinstallation instructions.• Use DH+ for communication to Human-to-Machine Interfaces(HMI) and for communicating with the non-safety portion of thesystem. For more information on using HMI, see chapter 11, Useand Application of Human to Machine Interfaces (page 123).\• For exchanging I/O data, use listen-only connections.• For exchanging non-I/O data, use producer/consumer tags.• Typically, no devices must be permitted to write data to thecontroller in the safety loop. The only exception to thisrecommendation is the use of HMI devices. For moreinformation on how to use HMI in the safety loop,see chapter 11, Use and Application of Human toMachine Interfaces (page 123).70 Publication 1756-RM001F-EN-P - June 2009

ControlLogix Communication Modules Chapter 6Peer-to-Peer Communication RequirementsPeer-to-peer communication via the ControlNet or EtherNet/IPnetwork is permitted when these requirements are met.• Peer-to-peer communication is acheived usingproducer/consumer comunication and data that is configuredwith the same integrity level as I/O data.• The controller within the safety loop does not consume datafrom controllers outside the safety loop. Controllers within thesafety loop can be configured to:– consume data from other controllers within the safety loop.– produce data to controllers outside the safety loop.• Programming that verifies the reception of data must be used.This programming may be used within an Add-On Instruction orroutine that echos data back to the producer in the same manneras is used with the output data echo. In addition, this verificationprogramming must be monitored by a watchdog that is withinthe limits of the safety time interval.In addition to the requirements listed above, any use of peer-to-peercommunication must be reviewed and approved by TÜV.Additional ResourcesThis table lists additional resources specific to the ControlLogixcommunication modules.Table 6.3 Additional Resources Specific to Communication ModulesCat. No. Module Description User Manual1756-CNB,1756-CN21756-CNBR,1756-CN2RControlNet Communication ModuleRedundant ControlNet Communication ModuleCNET-UM0011756-DHRIOData Highway Plus - Remote I/O CommunicationInterface Module1756-UM5141756-ENBT EtherNet Communication Module ENET-UM0011756-RM Redundancy Module 1756-UM5351756-SRM1756-UM5231756-SYNCH SynchLink Module 1756-UM521These publications are available from Rockwell Automation athttp://www.rockwellautomation.com/literature.Publication 1756-RM001F-EN-P - June 2009 71

Chapter 6ControlLogix Communication ModulesNotes:72 Publication 1756-RM001F-EN-P - June 2009

Chapter 7ControlLogix I/O ModulesThis chapter describes the ControlLogix I/O modules that are SIL2certified.TopicPageOverview of ControlLogix I/O Modules 74Module Fault Reporting for any ControlLogix I/O Module 76Using Digital Input Modules 77Wiring ControlLogix Digital Input Modules 78Using Digital Output Modules 79Wiring ControlLogix Digital Output Modules 81Using Analog Input Modules 85Wiring ControlLogix Analog Input Modules 88Using Analog Output Modules 93Wiring ControlLogix Analog Output Modules 97Checklist for SIL Inputs 104Checklist for SIL Outputs 102TheIMPORTANTThe programming information and examples in this chapter areprovided to illustrate diagnostic and other logic-relatedprinciples that must be made in SIL2 application programs.Note that the principles and logic shown in this chapter can beencased in routines or Add-On Instructions for easier use.If you are using a fault-tolerant configuration and certain I/Otermination boards, the programming explained in this chapteris available in pre-programmed routines or Add-On Instructions.These pre-programmed routines and Add-On Instructions arecertified by TÜV.See the Using Fault-tolerant SIL2 System ConfigurationApplication Techniques manuals, publications 1756-AT010 and1756-AT012 for more information.73Publication 1756-RM001F-EN-P - June 2009 73

Chapter 7ControlLogix I/O ModulesOverview of ControlLogixI/O ModulesAt the most basic level, there are two types of SIL2-certifiedControlLogix I/O modules:• Digital I/O modules• Analog I/O modulesWith each type, however, there are differences between specificmodules. Because the differences propagate to varying levels in eachmodule type, a graphical representation can best provide an overviewof the many SIL2-certified ControlLogix I/O modules.This figure shows the SIL2-certified ControlLogix I/O modules. Eachtype, digital or analog, is described in greater detail throughout therest of this chapter.Figure 7.1 Types of SIL2-certified I/O ModulesSIL2-Certified ControlLogix I/O ModulesDigital I/O ModulesAnalog I/O ModulesDiagnostic DigitalModulesStandard DigitalModulesDiagnostic DigitalInput Modules,including:1756-IA8D1756-IB16DDiagnostic DigitalOutput Modules,including:1756-OA8D1756-OB16DStandard DigitalInput Modules,including:1756-IA16I1756-IB16I1756-IB16ISOE1756-IB321756-IH16ISOEStandard DigitalOutput Modules,including:1756-OA16I1756-OB16I1756-OB321756-OB8EI1756-OW16I1756-OX8IAnalog InputModules,including:1756-IF161756-IF6CIS1756-IF6I1756-IF81756-IF8H1756-IR6I1756-IT6I1756-IT6I2Analog OutputModules,including:1756-OF6CI1756-OF6VI1756-OF81756-OF8H4337274 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7ControlLogix I/O modules are designed with inherent features thatassist them in complying with the requirements of the 61508 standard.For example, the modules all have a common backplane interfaceASIC, execute power-up and runtime diagnostics, offer electronickeying and offer producer-consumer communication.For SIL2 compliance when installing ControlLogix I/O modules,follow the procedures provided in the module’s installationinstructions. For a full list of installation instructions for SIL2-certifiedmodules, see Table , SIL2-certified ControlLogix Components -Hardware, on page 23.Publication 1756-RM001F-EN-P - June 2009 75

Chapter 7ControlLogix I/O ModulesModule Fault Reporting forany ControlLogix I/OModuleYou must verify that all ControlLogix I/O modules are operatingproperly in the system. If the modules are not operating properly, theuser-programmed fault routine should execute when a fault occurs.This can be accomplished in ladder logic through the use of the GetSystem Value instruction (GSV) and an examination of the MODULEObject’s ’Entry Status’ attribute for a running condition.An example of how this might be done is shown in Figure 7.2. Thismethod, or something similar, must be used to interrogate the healthof each I/O module in the system.Figure 7.2 Example of Checking a Module’s Health in Ladder LogicGSVObtain MODULEObject’s Entry StatusANDMask Off Lower 12Bits of ValueNEQCheck Entry Status tomake sure module isrunningFaultFor more information on the GSV instruction and MODULE Objects,see chapter 8, Faults in the ControlLogix System. For more informationon creating Fault Routines, see Appendix B, System Self-Testing andUser-Programmed Responses.76 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Using DigitalInput ModulesControlLogix digital input modules are divided into two categories:• Diagnostic input modules• Standard input modulesThese modules share many of the same inherent architecturalcharacteristics. However, the diagnostic input modules incorporatefeatures that allow diagnosing of field-side failures. These featuresinclude broken wire (that is, wire-off) detection and, in the case of ACDiagnostic modules, loss of line power.General Considerations When Using Any ControlLogix DigitalInput ModuleRegardless of the type of ControlLogix input module used, there are anumber of general application considerations that users must followwhen applying these modules in a SIL2 application:• Proof Tests - Periodically (for example, once every severalyears) a System Validation test must be performed. Manually, orautomatically, test inputs to make sure that all inputs areoperational and not stuck in the ON or OFF state. Inputs mustbe cycled from ON to OFF or OFF to ON. For additionalinformation on Proof Tests, see page 30.• Always use a direct connection with diagnostic input moduleslocated in remote chassis.• Wire sensors to separate input points on two separate modules.• Configuration parameters (for example, RPI, filter values) mustbe identical between the two modules.• The same controller must own both modules.For operational state information, see Chapter 1, SIL Policy.Publication 1756-RM001F-EN-P - June 2009 77

Chapter 7ControlLogix I/O ModulesWiring ControlLogix DigitalInput ModulesThis diagram shows two methods of wiring the digital input Module.In either case, users must determine whether the use of 1 or 2sensors is appropriate to fulfill SIL2 requirements.Figure 7.3 ControlLogix Digital Input Module Wiring+ LineOne-Sensor Wiring ExampleInput A1Input B1SensorOptional Relaycontact toswitch linevoltage forperiodicautomatedtestingInput A2Input B2Two-Sensor Wiring ExampleSensorSensor43366Application logic is used to compare input values or states forconcurrence.Figure 7.4Input AInput BActuatorThe user program must also contain rungs to annunciate a fault in theevent of a sustained miscompare between two points.Figure 7.5Input AInput BInput ATimer DoneFaultInput BTimerTimer preset in milliseconds tocompensate for filter time andhardware delay differences.FaultAlarm to Operator78 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7The control, diagnostics and alarming functions must be performed insequence. For more information on faults, see chapter 8, Faults in theControlLogix System (page 105).Using Digital OutputModulesControlLogix digital output modules are divided into two categories:• Diagnostic output modules• Standard output modulesThese modules share many of the same inherent architecturalcharacteristics. However, the diagnostic output modules incorporatefeatures that allow diagnosing of field-side failures. These featuresinclude reporting No-Load conditions and point-level fuse-blown. Inaddition, the diagnostic modules can validate the state of the outputwith the Output Verify feature and the Output Pulse test.General Considerations When Using Any ControlLogix DigitalOutput ModuleWiring the two types of digital output modules differs, depending onyour application requirements (these wiring methods are explained indetail in later sections). However, regardless of the type ofControlLogix output module used, there are a number of generalapplication considerations that you must follow when applying thesemodules in a SIL2 application:• Proof Tests - Periodically (for example, once every severalyears) a System Validation test must be performed. Manually, orautomatically, test outputs to make sure that all outputs areoperational and not stuck in the ON or OFF state. Outputs mustbe cycled from ON to OFF or OFF to ON. For additionalinformation on Proof Tests, see page 30.• Examination of Output Data Echo signal in Applicationlogic: The application logic must examine the Data Echo valueassociated with each output point to make sure that therequested On/Off command from the controller was received bythe module.Publication 1756-RM001F-EN-P - June 2009 79

Chapter 7ControlLogix I/O ModulesIn the rungs below, a timer begins to increment for anymiscompare between the actual output bit and its associatedData Echo bit. The timer must be preset to accommodate thedelay between setting the output bit in controller memory andreceipt of the Data Echo from the module. If a miscompareexists for longer than that time, a fault is reported.Figure 7.6Application LogicActuatorOutput BitData EchoTimerOutput BitData EchoTimer doneFaultFaultAlarm to OperatorThe control, diagnostics and alarming functions must beperformed in sequence. For more information on faults, seechapter 8, Faults in the ControlLogix System (page 105).• Use of external relays to disconnect module power ifoutput de-energized state is critical. To verify that outputswill de-energize, users must wire an external relay or othermeasure, that can remove power from the output module if ashort or other fault is detected. See page 82 for an examplemethod of wiring an external relay.• Test outputs at specific times to make sure they areoperating properly. The method and frequency of testing isdetermined by the type of module–diagnostic or standard. Formore information on testing diagnostic module outputs, seepage 81. For more information on testing standard moduleoutputs, see page 83.• For typical emergency shutdown (ESD) applicationsoutputs must be configured to de-energize: Whenconfiguring any ControlLogix output module, each output mustbe configured to de-energize in the event of a fault and in theevent of the controller going into program mode. For exceptionsto the typical ESD applications, see Chapter 1, SIL Policy.80 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7• When wiring two digital output modules in series so that onemay break source voltage (as shown in Figure 7.9 on page 84),make sure:– Both modules use identical configuration.– The same controller owns both modules.Wiring ControlLogix DigitalOutput ModulesDiagnostic digital output modules and standard output modules havedifferent wiring considerations. Reference the module-typeconsiderations that apply to your system configuration.Wiring Diagnostic Digital Output ModulesDiagnostic output modules have advanced circuitry that is notincluded in standard output modules. Because of the advanceddesign, users are not required to use an input module to monitoroutput status, as is required with standard output modules.Diagnostic Output modules can be used as-is in a SIL2 application (inother words, no special wiring considerations need be employedother than the wiring of the external relay to remove line power fromthe module in the event of a fault to make sure outputs willde-energize if shorted).In addition to referencing the General Considerations When UsingAny ControlLogix Digital Output Module on page 79, the user mustperform a Pulse Test on each output periodically to make sure that theoutput is capable of changing state. Automatic diagnostic testing ofoutput modules should be made at intervals that are an order ofmagnitude less than the demand rate. For example, pulse testingshould be scheduled at least once a month for a low demandsystem and at least once hour for a high demand system.For more information on performing the pulse test, see theControlLogix Digital I/O Modules User Manual, publication1756-UM058.Users should also make sure they always use a direct connection withdiagnostic output modules located in remote chassis.Publication 1756-RM001F-EN-P - June 2009 81

Chapter 7ControlLogix I/O ModulesControlLogix Diagnostic Output Module WiringV-/L2V+/L2V+/L1This normally-open relay iscontrolled by the status ofthe rest of the ControlLogixsystem. If a short circuit orfault occurs on the module,the relay can disconnectpower to the module.OutputActuatorAlso, this relay can be wiredto disconnect power tomultiple modules.43365Relays may also be included asshown in position A to interruptpower on a per point basis.82 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Wiring Standard Digital Output ModulesWhen using standard (also known as non-diagnostic) output modules,users must wire an output to an actuator and then back to an input tomonitor the output’s performance. The user can write the appropriatelogic to test the output’s ability to turn ON and OFF at power-up, or,at the proof test interval (see page 30), the user can force the outputON and OFF and use a voltmeter to verify output performance.Automatic testing of output modules (i.e. the user turns the outputsON and OFF to verify proper operation) should be made at intervalsthat are an order of magnitude less than the demand rate. Forexample, output testing should be scheduled at least once a monthfor a low demand system and at least once an hour for a highdemand system.In addition to referencing the General Considerations When UsingAny ControlLogix Digital Output Module on page 79, the user mustwire each standard output to a corresponding input to validate thatthe output is following its commanded state.Figure 7.7 ControlLogix Standard Output Module WiringStandard IsolatedOutput ModuleStandard IsolatedInput ModuleV-/L2V+/L1V+/L1Wire output pointto input point toverify the correctstate of the outputInputOutputActuatorV-/L2This normally-open relay is controlledby another output in the ControlLogixsystem. If a short circuit or fault occurson output modules, the relay candisconnect power to the modules.Also, this relay can be wired todisconnect power to multiple modules.43363Publication 1756-RM001F-EN-P - June 2009 83

Chapter 7ControlLogix I/O ModulesApplication logic must be written to generate a fault in the event of amiscompare between the requested state of an output (echo) and theactual output state monitored by an input channel.Figure 7.8Application LogicOutput FaultActuatorData EchoData EchoMonitoring InputMonitoring InputTimerTimer must be presetin milliseconds toaccommodatecommunication timesof echo signal andfilter time of input.Timer doneFaultFaultAlarm to OperatorThe control, diagnostics and alarming functions must be performed insequence. For more information on faults, see chapter 8, Faults in theControlLogix System.Users can also wire two isolated standard outputs in series to criticalactuators. In the event that a failure is detected, the output from bothoutput modules must be set to OFF to guarantee the Output Loadsde-energize. Figure 7.9 shows how to wire two isolated standardoutputs in series to critical actuators.Figure 7.9 ControlLogix Standard Output Module Wiring With Two ModulesStandard IsolatedOutput Module #1Standard IsolatedOutput Module #2Standard IsolatedInput ModuleV-/L2V+/L1V+/L1V+/L1Wire output pointto input point toverify the correctstate of the outputInputOutputOutputActuatorV-/L24336484 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Using Analog InputModulesThere are a number of general application considerations that youmust make when using analog input modules in a SIL2 application.These sections describe those considerations specific to the useanalog input modules.Conduct Proof TestsPeriodically (for example, once every several years), a SystemValidation, or proof test, must be performed. Proof testing consists ofmanually or automatically testing inputs to make sure that all inputsare operational. Field signal levels should be varied over the fulloperating range to make sure that the corresponding channel datavaries accordingly. For additional information on Proof Tests, seepage 30.Calibrate InputsAnalog input modules should be calibrated periodically, as their useand application requires. ControlLogix I/O modules ship from thefactory with a highly accurate level of calibration. However, becauseeach application is different, users are responsible for making suretheir ControlLogix I/O modules are properly calibrated for theirspecific application.Users can employ tests in application program logic to determinewhen a module requires recalibration. For example, to determinewhether an input module needs to be recalibrated, a user candetermine a tolerance band of accuracy for a specific application. Theuser can then measure input values on multiple channels andcompare those values to acceptable values within the tolerance band.Based on the differences in the comparison, the user could thendetermine whether recalibration is necessary.Calibration (and subsequent recalibration) is not a safety issue.However, we recommend that each analog input be calibrated at leastevery 3 years to verify the accuracy of the input signal and avoidnuisance application shutdowns.Publication 1756-RM001F-EN-P - June 2009 85

Chapter 7ControlLogix I/O ModulesUse the Floating Point Data FormatControlLogix analog input modules perform a host of on-board alarmprocessing to validate that the input signal is within the proper rangefor the application. However, these features are only available inFloating Point mode. To use the Floating Point Data format, whenconfiguring the module, select the Floating Point Data format in theModule Properties dialog box.Program to Respond to Faults AppropriatelyWhen programming the SIL2 system, verify that your programexamines the appropriate module fault, channel fault, and channelstatus bits and responds by initiating the appropriate fault routine.Each module communicates the operating status of each channel tothe controller during normal operation. Application logic mustexamine the appropriate bits to initiate a fault routine for a givenapplication. For more information on faults, see chapter 8, Faults inthe ControlLogix System.Program to Compare Analog Input DataWhen wiring sensors to two inputs channels, the values from thosechannels must be compared to each other within the program forconcurrence within an acceptable range for the application before anoutput is actuated. Any miscompare between the two inputs outsidethe programmed acceptable range must be annunciated as a fault.In Figure 7.10, a user-defined percentage of acceptable deviation (thatis, tolerance) is applied to the configured input range of the analoginputs (that is, range) and the result is stored (that is, delta). This deltavalue is then added to and subtracted from one of the input channels;the results define an acceptable High and Low limit of deviation. Thesecond input channel is then compared to these limits to determine ifthe input are working properly.The input’s OK bit preconditions a Timer run that is preset toaccommodate an acceptable fault response time and anycommunication filtering lags in the system. If the inputs miscomparefor longer than the preset value, a fault is registered with acorresponding alarm.86 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Figure 7.10Inputs OKTimerMULTRangeTolerance %DeltaADDDeltaInput 1High LimitSUBDeltaInput 1Low LimitLIMLow LimitInput 2High LimitInputs OKTimer doneInputs FaultedInputs FaultedAlarm to OperatorThe control, diagnostics and alarming functions must be performed insequence. For more information on faults, see chapter 8, Faults in theControlLogix System.Configure Modules IdenticallyConfiguration parameters (for example, RPI, filter values) must beidentical between the two corresponding analog input modules.Specify the Same Controller as the OwnerThe same controller must own both corresponding analog inputmodules.Using HART Analog InputModulesThe Highway Addressable Remote Transducer (HART) analogmodules should be used according to the same considerations asother analog input modules. In addition, if the HART analog inputmodules are being used in a 1oo2 configuration, a HART multiplexermust be used inline between the sensor and the HART modules. Foran illustration of how the multiplexer should be wired with the HARTanalog input modules, see Wiring the HART Analog Input Modules onpage 92.Publication 1756-RM001F-EN-P - June 2009 87

Chapter 7ControlLogix I/O ModulesWiring ControlLogix AnalogInput ModulesIn general, good design practice dictates that each of the 2 transmittersmust be wired to input terminals on separate modules such that thechannel values may be validated by comparing the two within anacceptable range. Special consideration must be given in applying thistechnique, depending on the type of module being used. Thosedetails are shown in the following wiring diagrams.Wiring the Single-Ended Input Module in Voltage ModeIn addition to referencing the considerations in Using Analog InputModules on page 85, make sure you use the correct documentation(listed in chapter 1, page 23) to wire the module.When operating in Single-ended voltage mode, all (-) leads of thetransmitters must be tied together. This figure shows how to wire the1756-IF8 module for use in voltage mode.Figure 7.11 ControlLogix Analog Input Module Wiring in Voltage ModeCh0 +Ch0 +Ch0 – Ch0 –(+)(–)VoltageTransmitter A(+)(–)VoltageTransmitter B4336888 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Wiring the Single-Ended Input Module in Current ModeIn addition to referencing the considerations in Using Analog InputModules on page 85, make sure you use the correct documentation(listed in chapter 1, page 23) to wire the module. Also, remember thismodule-specific guideline:• Placement of Other Devices in Current Loop: you can locateother devices in an input channel’s current loop anywhere aslong as the current source can provide sufficient voltage toaccommodate all of the voltage drops (each module input is 250ohms)Figure 7.12 shows how to wire the 1756-IF8 module for use in currentmode.Figure 7.12 ControlLogix Analog Input Module Wiring in Current ModeCh0 +Ch0 +Ch0 – Ch0 –CurrentSource ACurrentSource B43369Publication 1756-RM001F-EN-P - June 2009 89

Chapter 7ControlLogix I/O ModulesWiring the Thermocouple Input ModuleIn addition to referencing the considerations in Using Analog InputModules on page 85, make sure you use the correct documentation(listed in chapter 1, page 23) to wire the module. Also, remember thismodule-specific guideline:• Wire to Same Input Channel on Both Modules: When wiringthermocouples, wire two in parallel to two modules. Use thesame channel on each module to make sure of consistenttemperature readings.Figure 7.13 shows how to wire the 1756-IT6I module.Figure 7.13 ControlLogix Analog Thermocouple Module WiringCh0 +RTNCh0 +RTNThermocouple AThermocouple B4337090 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Wiring the RTD Input ModuleIn addition to referencing the considerations in Using Analog InputModules on page 85, make sure you use the correct documentation(listed in chapter 1, page 23) to wire the module. Also, remember thismodule-specific guideline:• RTDs cannot be wired in parallel without severely affecting theiraccuracy. Two sensors must be used.Figure 7.14 shows how to wire the 1756-IR6I module.Figure 7.14 ControlLogix Analog RTD Module WiringCh0 ACh0 ARTD ACh0 BRTNCh0 BRTNRTD B43371Publication 1756-RM001F-EN-P - June 2009 91

Chapter 7ControlLogix I/O ModulesWiring the HART Analog Input ModulesIn addition to referencing the considerations in Using Analog InputModules on page 85, make sure you use the correct documentation(listed in chapter 1, page 23) to wire the module.This diagram illustrates how to wire the HART analog input moduleswith the required multiplexer.Figure 7.15 HART Input Analog Module WiringCh0 + Ch0 +Ch0 - Ch0 -MultiplexerSensor92 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Using Analog OutputModulesThere are a number of general application considerations that youmust make when using analog output modules in a SIL2 application.These sections describe those considerations specific to the useanalog output modules.IMPORTANTIt is strongly recommended that you do not use analog outputsto execute the safety function that results in a safe state.Analog output modules are slow to respond to an ESDcommand and are therefore not recommended for use ESDoutput modules.The use of digital output modules and actuators to achieve theESD de-energized state is recommended.Conduct Proof TestsPeriodically (for example, once every several years) a SystemValidation test must be performed. Manually, or automatically, testoutputs to make sure that all outputs are operational. Channel datashould be varied over the full operating range to make sure that thecorresponding field signal levels vary accordingly. For additionalinformation on Proof Tests, see page 30.Calibrate OutputsAnalog output modules should be calibrated periodically, as their useand application requires. ControlLogix I/O modules ship from thefactory with a highly accurate level of calibration. However, becauseeach application is different, users are responsible for making suretheir ControlLogix I/O modules are properly calibrated for theirspecific application.Users can employ tests in application program logic to determinewhen a module requires recalibration. For example, to determinewhether an output module needs to be recalibrated, a user candetermine a tolerance band of accuracy for a specific application. Theuser can then measure output values on multiple channels andcompare those values to acceptable values within the tolerance band.Based on the differences in the comparison, the user could thendetermine whether recalibration is necessary.Calibration (and subsequent recalibration) is not a safety issue.However, we recommend that each analog output be calibrated atleast every 3 years to verify the accuracy of the input signal and avoidnuisance application shutdowns.Publication 1756-RM001F-EN-P - June 2009 93

Chapter 7ControlLogix I/O ModulesUse the Floating Point Data FormatControlLogix analog output modules perform a host of on-boardalarm processing to validate that the input signal is within the properrange for the application. However, these features are only availablein Floating Point mode. To use the Floating Point Data format, whenconfiguring the module, select the Floating Point Data format in theModule Properties dialog box.Program to Respond to Faults AppropriatelyWhen programming the SIL2 system, verify that your programexamines the appropriate module fault, channel fault, and channelstatus bits and responds by initiating the appropriate fault routine.Each module communicates the operating status of each channel tothe controller during normal operation. Application logic mustexamine the appropriate bits to initiate a fault routine for a givenapplication. For more information on faults, see chapter 8, Faults inthe ControlLogix System.Configure Outputs to De-energize in ESD ApplicationsFor typical emergency shutdown (ESD) applications outputs must beconfigured to de-energize. When configuring any ControlLogix outputmodule, each output must be configured to de-energize in the eventof a fault and in the event of the controller going into program mode.For exceptions to the typical ESD applications, see chapter 1, SILPolicy.Monitor Channel Status via Wiring Back to Input and Data EchoWire analog outputs back to an input and program to examine theOutput Data Echo signal in order to monitor the channel and modulestatus.You must wire an analog output to an actuator and then back to ananalog input to monitor the output’s performance, as shown inFigure 7.17. The application logic must examine the Data Echo valueassociated with each output point to make sure that the requestedoutput command from the controller was received by the module. Thevalue must be compared to the analog input that is monitoring the94 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7output to make sure the value is in an acceptable range for theapplication.In the ladder diagram in Figure 7.16, a user-defined percentage ofacceptable deviation (that is, tolerance) is applied to the configuredrange of the analog input and output (that is, range) and the result isstored (that is, delta). This delta value is then added to and subtractedfrom the monitoring analog input channel; the results define anacceptable High and Low limit of deviation. The analog Output Echois then compared to these limits to determine if the output areworking properly.The output’s OK bit preconditions a Timer run that is preset toaccommodate an acceptable fault response time and anycommunication filtering, or output, lags in the system. If themonitoring input value and the Output Echo miscompare for longerthan the preset value, a fault is registered with a corresponding alarm.Figure 7.16 Monitoring an Analog Output with an Analog InputOutputs OKTimerMULTRangeTolerance %DeltaADDDeltaMonitoring inputHigh LimitSUBDeltaMonitoring inputLow LimitLIMLow LimitOutput EchoHigh LimitOutputs OKTimer doneOutputs FaultedOutputs FaultedAlarm to OperatorThe control, diagnostics and alarming functions must be performed insequence.Publication 1756-RM001F-EN-P - June 2009 95

Chapter 7ControlLogix I/O ModulesConfigure Modules IdenticallyConfiguration parameters (for example, RPI, filter values) must beidentical between the two corresponding analog output modules.Specify the Same Controller as the OwnerThe same controller must own both corresponding analog outputmodules.Using HART Analog OutputModulesThe Highway Addressable Remote Transducer (HART) analogmodules should be used according to the same considerations asother analog output modules. In addition, if the HART analog inputmodules are being used in a 1oo2 configuration, a HART multiplexermust be used inline between the HART modules and the actuator. Foran illustration of how the multiplexer should be wired with the HARTanalog input modules, see Wiring the Analog Output Module inVoltage Mode on page 99.96 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Wiring ControlLogix AnalogOutput ModulesIn general, good design practice dictates that each analog output mustbe wired to a separate input terminal to make sure that the output isfunctioning properly.Wiring the Analog Output Module in Voltage ModeIn addition to referencing the considerations in Wiring ControlLogixAnalog Output Modules on page 97, make sure you use the correctdocumentation (listed in chapter 1, page 23) to wire the module.This figure shows how to wire the 1756-OF8 module for use involtage mode.Figure 7.17 ControlLogix Analog Output Module Wiring in Voltage ModeAnalog Output ModuleAnalog Input ModuleThis normally-open relay iscontrolled by the status ofthe rest of the ControlLogixsystem. If a short circuit orfault occurs on the module,the relay can disconnectpower to the module.(+)(+)ActuatorAlso, this relay can be wiredto disconnect power tomultiple modules.(–)(–)43377Publication 1756-RM001F-EN-P - June 2009 97

Chapter 7ControlLogix I/O ModulesWiring the Analog Output Module in Current ModeIn addition to referencing the considerations in Wiring ControlLogixAnalog Output Modules on page 97, make sure you use the correctdocumentation (listed in chapter 1, page 23) to wire the module. Also,remember this module-specific guideline:• Placement of Other Devices in Current Loop: You can locateother devices in an output channel’s current loop anywhere aslong as the current source can provide sufficient voltage toaccommodate all of the voltage drops (each module output is250 ohms)This figure shows how to wire the 1756-OF8 module for use in currentmode.Figure 7.18 ControlLogix Analog Output Module Wiring in Current ModeAnalog Output Module(+)(–)Analog Input Module(+)(–)ActuatorThis normally-open relay iscontrolled by the status ofthe rest of the ControlLogixsystem. If a short circuit orfault occurs on the module,the relay can disconnectpower to the module.Also, this relay can be wiredto disconnect power tomultiple modules.4337698 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Wiring the HART Analog Output ModulesIn addition to referencing the considerations in Wiring ControlLogixAnalog Output Modules on page 97, make sure you use the correctdocumentation (listed in chapter 1, page 23) to wire the module.This diagram illustrates how to wire the HART analog output moduleswith the required multiplexer.Figure 7.19 HART Input Analog Module WiringCh0 + Ch0 +Ch0 - Ch0 -MultiplexerActuatorPublication 1756-RM001F-EN-P - June 2009 99

Chapter 7ControlLogix I/O ModulesChecklist for SIL InputsThe following checklist is required for planning, programming andstart up of SIL inputs. It may be used as a planning guide as well asduring proof testing. If used as a planning guide, the checklist can besaved as a record of the plan.For programming or start-up, an individual checklist can be filled infor every single SIL input channel in a system. This is the only way tomake sure that the requirements were fully and clearly implemented.This checklist can also be used as documentation on the connectionof external wiring to the application program.Input Module Check List for ControlLogix SystemCompany:Site:Loop definition:SIL input channels in the:No. All Input Module Requirements (apply to both digital and analog input modules) Yes No Comment1 Is Exact Match selected as the electronic keying option whenever possible?2 Is the RPI value set to an appropriate value for your application?3 Are all modules owned by the same controller?4 Have you performed proof tests on the system and modules?5 Have you set up the fault routines?6 Are control, diagnostics and alarming functions performed in sequence in applicationlogic?No. Additional Digital Input Module-Only Requirements Yes No Comment1 When two digital input modules are wired in the same application, do the followingconditions exist:• Both modules are owned by the same controller.• Sensors are wired to separate input points.• The operational state is ON.• The non-operational state is. OFF.• Configuration parameters (for example, RPI, filter values) are identical.2 For the standard input modules, is the Communication Format set to one of the Input Datachoices?3 For the diagnostic input modules, is the Communication Format set to FullDiagnostics-Input Data?4 For the diagnostic input modules, are all diagnostics enabled on the module?5 For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?6 For the diagnostic input modules, is the connection to remote modules a direct connection?100 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Input Module Check List for ControlLogix SystemNo. Additional Analog Input Module-Only Requirements Yes No Comment1 Is the Communication Format set to Float Data?2 Have you calibrated the modules as often as required by your application?3 Are you using ladder logic to compare the analog input data on two channels to make surethere is concurrence within an acceptable range and that redundant data is used properly?4 Have you written application logic to examine bits for any condition that may cause a faultand appropriate fault routines to handle the fault condition?5 When wiring the 1756-IF8 in voltage mode, are transmitter grounds tied together?6 When wiring the 1756-IF8 in current mode, are loop devices placed properly?7 When wiring 1756-IT6I modules in parallel, have you wired to the same channel on eachmodule as shown in Figure 7.13 on page 90?8 When wiring two 1756-IR6I modules, are two sensors used, as shown in Figure 7.14 onpage 91?Publication 1756-RM001F-EN-P - June 2009 101

Chapter 7ControlLogix I/O ModulesChecklist for SIL OutputsThe following checklist is required for planning, programming andstart up of SIL outputs. It may be used as a planning guide as well asduring proof testing. If used as a planning guide, the checklist can besaved as a record of the plan.For programming or start-up, an individual requirement checklist mustbe filled in for every single SIL output channel in a system. This is theonly way to make sure that the requirements are fully and clearlyimplemented. This checklist can also be used as documentation onthe connection of external wiring to the application program.Output Check List for ControlLogix SystemCompany:Site:Loop definition:SIL output channels in the:No. All Output Module Requirements(apply to both digital and analog output modules)1 Have you performed proof tests on the modules?2 Is Exact Match selected as the electronic keying option whenever possible?3 Is the RPI value set to an appropriate value for your application?4 Have you set up fault routines, including comparing output data with acorresponding input point?5 If required, have you used external relays in your application to disconnect modulepower if a short or other fault is detected on the module or isolated output inseries?6 Is the control of the external relay implemented in ladder logic?7 Have you examined the Output Data Echo signal in application logic?8 Are all outputs configured to deenergize in the event of a fault or the controllerentering program mode?9 Do two modules of the same type, used in the same application, use identicalconfigurations?10 Does one controller own both modules if two of the same type are used in anapplication?11 Are control, diagnostics and alarming functions performed in sequence inapplication logic?Yes No Comment:No. Digital Output Module-Only Requirements Yes No Comment1 For the standard output modules, is the Communication Format set to Output Data?2 For standard output modules, have you wired the outputs to a corresponding inputto validate that the output is following its commanded state?3 For the diagnostic output modules, are all diagnostics enabled on the module?102 Publication 1756-RM001F-EN-P - June 2009

ControlLogix I/O Modules Chapter 7Output Check List for ControlLogix System4 For the diagnostic output modules, are enabled diagnostic bits monitored by faultroutines?5 For the diagnostic output modules, is the Communication Format set to FullDiagnostics-Output Data?6 For diagnostic output modules, have you periodically performed a Pulse Test tomake sure that the output is capable of change state?7 For diagnostic output modules, is the connection to remote modules a directconnection?No. Analog Output Module Requirements - Analog Only Yes No Comment1 Is the Communication Format set to Float Data?2 Have you calibrated the modules as often as required by your application?3 When wiring the 1756-OF8 in current mode, are loop devices placed properly?4 Have you written application logic to examine bits for any condition that may causea fault and appropriate fault routines to handle the fault condition?Publication 1756-RM001F-EN-P - June 2009 103

Chapter 7ControlLogix I/O ModulesNotes:104 Publication 1756-RM001F-EN-P - June 2009

Chapter 8Faults in the ControlLogix SystemThis chapter describes faults in the ControlLogix SIL2-certified system.TopicPageIntroduction 105Checking Keyswitch Position with GSV Instruction 106Examining an Analog Input Module’s High Alarm 107IntroductionThe ControlLogix architecture provides the user many ways ofdetecting and reacting to faults in the system. The first way that userscan handle faults is to make sure they have completed the input andoutput checklists listed on pages 77 and 78 for their application.In addition to the checklists mentioned above, various device objectscan be interrogated to determine the current operating status.Additionally, modules provide run-time status of their operation andof the process. It is up to users to determine what data is mostappropriate for their application to initiate a shutdown sequence.This chapter explains two example conditions that will generate afault in a SIL2-certified ControlLogix system:• Keyswitch changing out of RUN mode• High alarm condition on an analog input moduleFor more information on the analog status bits available forexamination, see the ControlLogix Analog I/O Modules User Manual,publication 1756-UM009.For information on System Self-Testing andUser-Programmed Responses, see Appendix B.For more information on faults, see Appendix A, AdditionalInformation on Handling Faults in the ControlLogix System.105Publication 1756-RM001F-EN-P - June 2009 105

Chapter 8Faults in the ControlLogix SystemChecking KeyswitchPosition with GSVInstructionThe following rungs generate a fault if the keyswitch on the front ofthe controller is switched from the Run mode:Figure 8.1GSVClass: CONTROLLERDEVICEAttribute: STATUSDestination: KEYSTATEKEYSTATE.13FaultFaultAlarm to OperatorIn this example, the Get System Value (GSV) instruction interrogatesthe STATUS attribute of the CONTROLLERDEVICE object and storesthe result in a word called KEYSTATE, where bits 12 and 13 define thestate of the keyswitch as shown in Table 8.1.Table 8.1Bit 13 Bit 12 Description0 1 Keyswitch in Run position1 0 Keyswitch in Program position1 1 Keyswitch in Remote positionIf bit 13 is ever ON, then the keyswitch is not in the RUN position.Examining bit 13 of KEYSTATE for an ON state will generate a fault.For more information on the accessing the CONTROLLERDEVICEobject, see the Logix5000 Controllers General Instructions ReferenceManual, publication 1756-RM003.106 Publication 1756-RM001F-EN-P - June 2009

Faults in the ControlLogix System Chapter 8Examining an Analog InputModule’s High AlarmControlLogix analog modules perform processing and comparison offield data values right on the module, allowing for easy examinationof status bits to initiate a fault.For example, the 1756-IF8 module can be configured withuser-defined alarm values that, when exceeded, will set a status bit onthe module which is then sent back to the controller. The user maythen examine the state of these bits to initiate a fault as shown inFigure 8.2:Figure 8.2Ch1HAlarmFaultFaultAlarm to OperatorIn the example above, the High Alarm bit for channel 1 (CH1HAlarm)is being examined for an On condition to initiate a fault. Duringoperation, as the analog input module processes analog signals fromthe field sensors, if the value for channel 1 exceeds the user-definedvalue configured for Channel 1’s High Alarm, the (CH1HAlarm) bit isset and sent to the controller and a fault is declared.Publication 1756-RM001F-EN-P - June 2009 107

Chapter 8Faults in the ControlLogix SystemNotes:108 Publication 1756-RM001F-EN-P - June 2009

Chapter 9General Requirements forApplication SoftwareThis chapter discusses the details of the application program.TopicPageSoftware for SIL2-Related Systems 109ControlLogix System Operational Modes 113General Guidelines for Application Software Development 110General Guidelines for Application Software Development 110Forcing 112Security 112Checklist for the Creation of an Application Program 114Software for SIL2-RelatedSystemsThe application software for the SIL2-related automation systems isgenerated using the programming tool (RSLogix 5000 software)according to IEC 61131-3.The application program has to be created by using the programmingtool RSLogix 5000 software and contains the specific equipmentfunctions that are to be carried out by the ControlLogix system.Parameters for the operating function are also entered into the systemusing RSLogix 5000 software.SIL2 ProgrammingSafety Concept of the ControlLogix SystemThe safety concept of SIL2 assumes, that:• the programming system (PS) hardware and firmware workscorrectly (that is, programming system errors can be detected).• the user applies the logic correctly, that is, user programmingerrors can be detected.For the initial start-up of a safety-related ControlLogix system, theentire system must be checked by a complete functional test. After amodification of the application program, the modified program orlogic must be checked.109Publication 1756-RM001F-EN-P - June 2009 109

Chapter 9General Requirements for Application SoftwareFor more information on how users should handle changes to theirapplication program, see the Changing Your Application Programsection on page 94.Programming OptionsIf you are using RSLogix 5000 software, version 15 or later, there areprogramming options you may want to consider for your application.These options include the availability of:• Specialized termination boards for fault-tolerant systemconfiguration.• Pre-programmed SIL2 I/O subroutines that can be used withRSLogix software, version 15 and later.• Pre-programmed SIL2 I/O Add-On Instructions that can be usedwith RSLogix software, version 16 and later.If you choose to use any of those options, see these publicationsspecific to your application for information about programming yoursystem:• ControlLogix SIL2 System Configuration Using RSLogix 5000Subroutines, publication 1756-AT010• ControlLogix SIL2 System Configuration Using RSLogix 5000Subroutines, publication 1756-AT012Using the SIL2 subroutines or Add-On Instructions greatly simplifiesthe programming required for a SIL2 system. However, thesesubroutines and instructions are not compatible with all SIL2applications and system configurations. See the publications listed formore information.General Guidelines forApplication SoftwareDevelopmentThe application software for the intended SIL2 systems is intended tobe developed by the system integrator and/or user. The developermust follow good design practices including the use of:• Functional specifications•Flow charts• Timing diagrams• Sequence charts• Program review•Program validation110 Publication 1756-RM001F-EN-P - June 2009

General Requirements for Application Software Chapter 9All logic should be reviewed and tested. To facilitate reviews andreduce unintended responses, developers should limit the set ofinstructions to basic Boolean/ladder logic (such as examine On/Off,Timers, Counters, and so on) whenever possible. This set shouldinclude instructions that can be used to accommodate analogvariables, such as:• Limit tests•Comparisons• Math instructionsSee Appendix A, System Self-Testing andUser-Programmed Responses, for details.Users must verify the downloading of the application program and itsproper operation. A typical validation technique is to upload thedownloaded program file and perform a compare of that file againstwhat is stored in the programming terminal. The upload compare canbe accomplished after an interval by saving the first one andcomparing it to the second or subsequent uploads. This approachcould also be performed through different paths (that is, overControlNet and via the serial port).Safety logic and non safety-related logic should be separate.Check the Created Application ProgramTo check the created application program for adherence to thespecific function, you must generate a suitable set of test casescovering the specification. The set of test cases is filed as the testspecification.A suitable test set must also be generated for the numeric evaluationof formulas. Equivalent range tests are acceptable. These are testswithin the defined value ranges, at the limits, or in impermissiblevalue ranges. The test cases must be selected to prove the correctnessof the calculation. The necessary number of test cases depends on theformula used and must comprise critical value pairs.However, active simulation with sources cannot be omitted as this isthe only means of detecting correct wiring of the sensors andactuators to the system. Furthermore, this is the only means of testingthe system configuration. Users should verify the correct programmedfunctions by forcing I/O or by manual manipulation of sensors andactuators.Publication 1756-RM001F-EN-P - June 2009 111

Chapter 9General Requirements for Application SoftwarePossibilities of Program IdentificationThe application program is clearly identified by one of the following:•Name•Date• Revision• Any other user identification informationForcingForcing must be disabled after system test and validation.SecurityThe user must define what measures are to be applied for theprotection against manipulation.In the ControlLogix system and in RSLogix 5000, protectionmechanisms are available that prevent unintentional or unauthorizedmodifications to the safety system:• The following tools may be employed for security reasons in aSIL2-certified ControlLogix application:– Logix CPU Security Tool– Source Protection Tool– RSI Security ServerEach of these tools offers different security features, includingpassword protection, at varying levels of granularity throughoutthe application. The description of these tools is too large inscope to list here. Users can contact their local RockwellAutomation representative for more information.• The controller keyswitch should be in the RUN position and thekey removed during normal operating conditions.• Operator options are set up per user login in the ControlLogixsystem.• The online connection between RSLogix5000 and theControlLogix system is not permitted during normal SIL2 RUNoperation except as described in Chapter 1.The requirements of the safety and application standards regardingthe protection against manipulations must be observed. The112 Publication 1756-RM001F-EN-P - June 2009

General Requirements for Application Software Chapter 9authorization of employees and the necessary protection measures arethe responsibility of the individuals starting the system.ControlLogix SystemOperational ModesA three-position keyswitch on the front of the controller governsControlLogix system operational modes. The following modes areavailable:•Run•Program• Remote - This software-enabled mode can be program or run.Figure 9.1 shows a controller with the keyswitch in the Run mode.Figure 9.142525When a SIL2-certified ControlLogix application is operating in the Runmode, the controller keyswitch must be in the RUN position and thekey removed. Outputs are only enabled in this mode.Publication 1756-RM001F-EN-P - June 2009 113

Chapter 9General Requirements for Application SoftwareChecklist for the Creation ofan Application ProgramThe following checklist is recommended to maintain safety technicalaspects when programming, before and after loading the new ormodified program.Company:Site:Project definition:File definition / Archive number:Checklist for Creation of an Application ProgramSafety Manual ControlLogix SystemNotes / Checks Yes No CommentBefore a ModificationAre the configuration of the ControlLogix system and the applicationprogram created on the basis of safety aspects?Are programming guidelines used for the creation of the applicationprogram?After a Modification - Before LoadingHas a review of the application program with regard to the bindingsystem specification been carried out by a person not involved in theprogram creation?Has the result of the review been documented and released(date/signature)?Was a backup of the complete program created before loading aprogram in the ControlLogix system?After a Modification - After LoadingWas a sufficient number of tests carried out for the safety relevantlogical linking (including I/O) and for all mathematical calculations?Was all force information reset before safety operation?Has it been verified that the system is operating properly?Have the appropriate security routines and functions been installed?Is the controller keyswitch in Run mode and the key removed?114 Publication 1756-RM001F-EN-P - June 2009

Chapter 10Technical SIL2 Requirements for theApplication ProgramThis chapter discusses technical safety for the application program.TopicPageGeneral Procedure 115SIL Task/Program Instructions 118Programming Languages 118Commissioning Life Cycle 119Changing Your Application Program 120Forcing 122General ProcedureThe general procedure for programming the ControlLogix system SIL2applications is listed below.• Specification of the control function, including:– specification– flow and timing charts– diagrams– sequence charts– program description– program review process• Writing the application program• Checking by independent reviewer• Verification and validationOnce the program is tested, the ControlLogix system can be put intooperation.115Publication 1756-RM001F-EN-P - June 2009 115

Chapter 10Technical SIL2 Requirements for the Application ProgramBasics of ProgrammingThe control program must be available as a specification or aperformance specification. This documentation forms the basis for thecheck of correct transformation into the program. The type ofpresentation of the specification depends on the task to be carriedout. This can be:Logic and InstructionsThe logic and instructions used in programming the application mustbe:• easy to understand• easy to trace•easy to change•easy to testProgram LogicUser must implement simple, easy to understand:•ladder• other IEC 1131-compliant languageor• function blocks with specified characteristics.We use ladder, for example, because, it is easier to visualize and makepartial program changes with this format.116 Publication 1756-RM001F-EN-P - June 2009

Technical SIL2 Requirements for the Application Program Chapter 10SpecificationThe specification must include a detailed description that includes (ifapplicable):• Sequence of operations• Flow and timing diagrams• Sequence charts• Program description• Program print out• Verbal descriptions of the steps with step conditions andactuators to be controlled, including:– input definitions– output definitions– I/O wiring diagrams and references– theory of operation• Matrix- or table form of stepped conditions and the actuators tobe controlled, including the sequence and timing diagrams• Definition of marginal conditions, for example, operatingmodes, EMERGENCY STOP etc.The I/O-portion of the specification must contain the analysis of fieldcircuits, that is, the type of sensors and actuators:Sensors (Digital or Analog)• Signal in standard operation (dormant current principle fordigital sensors, sensors OFF means no signal)• Determination of redundancies required for SIL levels• Discrepancy monitoring and visualization, including the user’sdiagnostic logicActuators• Position and activation in standard operation (normally OFF)• Safe reaction/positioning when switching OFF, power failurerespectively.• Discrepancy monitoring and visualization, including the user’sdiagnostic logicPublication 1756-RM001F-EN-P - June 2009 117

Chapter 10Technical SIL2 Requirements for the Application ProgramSIL Task/ProgramInstructionsThe user program may contain a single SIL task composed of multipleprograms and routines. This is a timed task with a user-selectable taskpriority and watchdog. The SIL2 task must be the controller’s toppriority and the user-defined program watchdog (software watchdog)must be set to accommodate the SIL2 task and any other tasks. Formore information, see Chapter 1, SIL Policy.Safety logic and non safety-related programs must be separate.Programming LanguagesAll programming languages (for example, ladder logic, functionblock) available in the ControlLogix system will also be available forprogramming the ControlLogix controller for SIL2 applications.118 Publication 1756-RM001F-EN-P - June 2009

Technical SIL2 Requirements for the Application Program Chapter 10Commissioning Life CycleFigure 10.1 shows the steps required during application programdevelopment, debugging and commissioning.Figure 10.1Generate FunctionalSpecificationCreate FlowDiagramCreate TimingDiagramsEstablish Sequenceof OperationsDevelop ProjectOnlineDevelop ProjectOfflineReview Programwith IndependentPartyDownload toControllerDevelop Test PlanPerformValidation Testingon all LogicYesTestsPass?Verificationokay?NoMake more online edits& accept edits or makemore offline edits anddownload to CTRBegin NormalProject OperationNoDetermine what logichas been Changed orAffectedDownload toControllerMake projectchangesPerform ValidationTesting on all Changedor Affected LogicFinish theValidation Test 1Secure PADT1 You must periodically repeat the validation test (also known as proof tests) to make sure module inputs and outputs are functioning properly andas commanded by the application programming. For more information on proof tests for I/O modules, see chapter 1, SIL Policy (page 13).Publication 1756-RM001F-EN-P - June 2009 119

Chapter 10Technical SIL2 Requirements for the Application ProgramChanging YourApplication ProgramThe following rules apply to changing your application program inRSLogix 5000 software:• Program edits are not recommended. However, they arepossible if necessary and should be limited. For example, minorchanges such as changing a timer preset or analog setpointare possible.• Only authorized, specially-trained personnel can make programedits. These personnel should use all supervisory methodsavailable, for example, using the controller keyswitch andsoftware password protections.• When authorized, specially-trained personnel make programedits, they assume the central safety responsibility while thechanges are in progress. These personnel must also maintainsafe application operation.• Prior to making any program edits, an impact analysis must beperformed by following the specification and other lifecyclesteps described in Figure 10.1 as if the edits were an entirelynew program.• Users must sufficiently document all program edits, including:– authorization– impact analysis– execution– test information– revision information•Users cannot make program edits while the program is online ifthe changes prevent the system from executing the safetyfunction or if alternative protection methods are not in place.•Users cannot edit their program from multiple programmingterminals simultaneously.• Changes to the SIS application software, in thiscase--RSLogix 5000, must comply with IEC 61511 standard onprocess safety section 11.7.1 Operator Interface requirements.•Users cannot edit their program when a project is operating inthe RUN state. In other words, if an application is running andthe ControlLogix controller keyswitch is in the RUN position,users cannot make online edits.120 Publication 1756-RM001F-EN-P - June 2009

Technical SIL2 Requirements for the Application Program Chapter 10Table 10.1 Methods of Changing Your Application Program in RSLogix 5000•Users can edit the relay ladder logic portion of their programusing one of the following methods described in Table 10.1:Method: Required Steps: ControllerKeyswitchPosition:Offline The user performs the tasks described in the flow chart in Figure 10.1on page 119.Online1. Turn the controller key to the REM position.2. Use the Online Edit Toolbar to start, accept, test and assemble youredits. The toolbar is shown below.startpendingrung editacceptpendingrung editsassembleprogrameditstestprogrameditsuntestprogrameditsa. Click the start pending rung edits button . A copy is madeof the rung you want to edit.b. Change your application program as needed. At this point, theoriginal program is still active in the controller. Your programchanges are made in the copied rungs. Changes do not affect theoutputs until you test program edits in step d.c. Click the accept pending rung edits button . Yourprogram changes are verified and downloaded to the controller.The controller now has the changed program and the originalprogram. However, the controller continues to execute theoriginal program. You can see the state of the inputs, andchanges do not affect the outputs.d. Click the test program edits button .e. Click Yes to test the edits. Changes are now executed and affectthe outputs; the original program is no longer executed. However,if you are not satisfied with the result of testing the edits, youcan discard the new program by clicking on the un test programedits button if necessary. If you untest the edits, thecontroller returns to the original program.PROGREMKey Points to this Method:Users must re-validate the entireapplication before returning tonormal operation.The project remains online butoperates in the remote run mode.When edits are completed, usersare only required to validate thechanged portion of the applicationprogram.We recommend that online edits belimited to minor programmodifications such as setpointchanges or ladder logic rungadditions, deletions andmodifications.IMPORTANT: This option tochange theapplication programis available forchanges to relayladder logic only.Users cannot usethis method tochange functionblock programming.For more detailedinformation on howto edit ladder logicwhile online, seethe Logix5000Controllers QuickStart, publication1756-QS001.f. Click the assemble program edits button .g. Click Yes to assemble the edits. The changes are the onlyprogram in the controller, and the original program is discarded.3. Perform a partial proof test of the portion of the application affectedby the program edits.4. Turn the controller key back to the RUN position to return the projectto Run mode. We recommend you upload the new program to yourprogramming terminal to ensure consistency between theapplication in the controller and on the programming terminal.5. Remove the key.Publication 1756-RM001F-EN-P - June 2009 121

Chapter 10Technical SIL2 Requirements for the Application Program• If online edits exist in the standard routines only, those edits arenot required to be validated before returning to normaloperation. Users must verify that changes in the standard routinedo not affect SIL routines.IMPORTANTIf any changes are needed to the program in the safety loop,they must be done so in accordance with IEC 61511-1,paragraph 11.7.1.5 which states:"The Safety Instrumentation System (SIS) operator interfacedesign shall be such as to prevent changes to SIS applicationsoftware. Where safety information needs to be transmittedfrom the basic process control system (BPCS) to the SIS thensystems should be used which can selectively allow writingfrom the BPCS to specific SIS variables. Equipment orprocedures should be applied to confirm the proper selectionhas been transmitted and received by the SIS and does notcompromise the safety function of the SIS."Also, for more information on changing the SIL2 applicationprogram, see Chapter 1.ForcingThe following rules apply to forcing in an RSLogix 5000 project:• Users must remove forces on all SIL2 tags before beginningnormal operation for the project.• Users cannot force SIL2 tags while a project is in the Run mode.122 Publication 1756-RM001F-EN-P - June 2009

Chapter 11Use and Application ofHuman-to-Machine InterfacesThis chapter describes how human-machine interfaces may be usedwith the SIL2 system.TopicPageUsing Precautions and Techniques with HMI 123Accessing Safety-Related Systems 124Changing Parameters in Safety-Related Systems 124Changing Parameters in Non-Safety-Related Systems 126No specific device is part of the certification because the variety ofdevices is so large, ranging from simple thumb-wheel and LEDreadouts to PC/CRT-based human to machine interface (HMI) deviceson a variety of networks. The range and breadth of these devices issimilar to that of sensors and actuators; it would be impractical toimpose device restrictions.Using Precautions andTechniques with HMIHowever, users must exercise the same precautions and techniqueson HMI devices as on simple devices such as sensor and switchinputs. The precautions include, but are not restricted to:• Limited access and security• Specifications, testing and validation• Restrictions on data and access• Limits on data and parametersFor more information on how HMI devices fits into a typical SIL loop,see Figure 1.2 on page 17.Sound techniques should be used in either the application softwarewithin the HMI or PLC in safety-related systems and non-safety-relatedsystems.123Publication 1756-RM001F-EN-P - June 2009 123

Chapter 11Use and Application of Human-to-Machine InterfacesAccessing Safety-Related SystemsNormally, when accessing the safety-related system, the HMI shouldbe restricted to read data and information such as diagnostics. Theuser should use techniques to limit access to only those sections ofmemory that are appropriate. For more information, see Figure 1.2 onpage 17.If parameters in safety-related system require a change from an HMI,users should follow the guidelines indicated in the next section.Changing Parameters in Safety-Related SystemsA parameter change in a safety-related loop via an external (that is,outside the safety loop) device (for example, an HMI) is only allowedwith the following restrictions:• Only authorized, specially-trained personnel can change theparameters in safety-related systems via HMIs.• The user who makes changes in a safety-related system via anHMI is responsible for the effect of those changes on thesafety loop.• Users must clearly identify the variable that are to be changed asunder the control of the ControlLogix controller inside thesafety loop.• Users must use a clear, comprehensive and explicit operatorprocedure to make safety-related changes via an HMI.• Changes can only be accepted in a safety-related system if thefollowing sequence of events occurs:1. Changes are sent from the HMI to the ControlLogix controllerin the safety loop.2. The ControlLogix controller in the safety loop sends thechanges back to the HMI before accepting the changes oracting on them.3. The user verifies that the changes are correct.In every case, the operator must confirm the validity of thechange before they are accepted and applied in the safety loop.124 Publication 1756-RM001F-EN-P - June 2009

Use and Application of Human-to-Machine Interfaces Chapter 11• The software used in the HMI and the ControlLogix controller(in this case, RSLogix 5000) should be designed to verify thatchanges to the safety system are within acceptable limits and donot otherwise compromise the safety system.• The user should test all changes as part of the safety validationprocedure.• Users must sufficiently document all safety-related changesmade via HMI, including:– authorization– impact analysis– execution– test information– revision information• Changes to the safety-related system, must comply with IEC61511 standard on process safety section 11.7.1 OperatorInterface requirements.Publication 1756-RM001F-EN-P - June 2009 125

Chapter 11Use and Application of Human-to-Machine InterfacesChanging Parameters in Non-Safety-Related SystemsWhen the HMI device is used to change parameters in anon-safety-related system, remember the following techniques:• When the HMI is used to input parameters such as setpoints fora PID loop or drive speeds, the application program shouldinclude sound techniques used for other types of changevalidation, including:– Display the data to be changed– Acceptable ranges and limits used in the program for datachecks (in other words, checks to make sure entered data iswithin an acceptable range)– Display the new value along with the existing value– Prompt the operator to acknowledge and accept the changedvalue before allowing the change to take effect• The developer must follow the same sound developmenttechniques and procedures used for other application softwaredevelopment, including the verification and testing of theoperator interface and its access to other parts of the program.The PLC application software should set up a table that isaccessible by the HMI and limits access to required data pointsonly.• Similar to the PLC program, the HMI software needs to besecured and maintained for SIL2 compliance after the system hasbeen validated and tested.126 Publication 1756-RM001F-EN-P - June 2009

Appendix AResponse Times of the ControlLogix SystemThis appendix describes how to calculate system response times.TopicPageDigital Modules 127Local Chassis Configuration 129Remote Chassis Configuration 129Analog Modules 130Local Chassis Configuration 130Remote Chassis Configuration 131Redundancy Systems 132The calculation formulas in this chapter can be used to calculate thethe worst-case reaction times for a given change in input or faultcondition and the corresponding output action.Digital ModulesLocal Chassis ConfigurationFigure 0.1 shows an example system where the following occurs:• input data changes on the digital input module.• the data is transmitted to the controller.• the controller runs its program scan and reacts to the datachange, including sending new data to the output module.• the output module behavior changes based on the new datareceived from the controller.Figure 0.1Digital InputModuleControllerDigital OutputModulePublication 1756-RM001F-EN-P - June 2009 127

Appendix AResponse Times of the ControlLogix SystemUse this formula to determine worst-case reaction time:Worst-Case Reaction Time = Input Module Filter Setting (1) + Input Module Hardware Delay (2)+ Input Module RPI (1) + Controller Program Scan (3)+ Output Module Hardware Delay (2)(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual,publication 1756-UM058.(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for eachcatalog number. For a complete list of installation instructions, see Table 1.1 on page 21.(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times inRSLogix 5000, see the Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.EXAMPLEFor example, a system may reflect the set-up used in Figure 0.1with an 1756-IB16D and 1756-OB16D and following settings:• Input Module Filter Setting = 1ms• Input Module Hardware Delay = 1ms• Input RPI = 2ms• Program Scan = 20ms• Output Module Hardware Delay = 1msIn this example, the worst-case reaction time = 25ms128 Publication 1756-RM001F-EN-P - June 2009

Response Times of the ControlLogix SystemAppendix ARemote Chassis ConfigurationFigure 0.2 shows an example system where the following occurs:ControllerControlNetBridge Module• input data changes on the digital input module.• the data is transmitted to the controller via the 1756-CNBmodules.• the controller runs its program scan and reacts to the datachange, including sending new data to the output module viathe 1756-CNB modules.• the output module behavior changes based on the new datareceived from the controller.Figure 0.2ControlNetBridge ModuleDigital InputModuleDigital OutputModuleUse the following formula to determine worst-case reaction time:Worst-Case Reaction Time =Input Module Filter Setting (1) + Input Module Hardware Delay (2)+ Input Module RPI (1) + Remote 1756-CNB RPI + Controller Program Scan (3)+ Remote 1756-CNB RPI + Output Module Hardware Delay (2)(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number.For a complete list of installation instructions, see Table 1.1 on page 21.(3) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, seethe Logix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.Publication 1756-RM001F-EN-P - June 2009 129

Appendix AResponse Times of the ControlLogix SystemAnalog ModulesLocal Chassis ConfigurationFigure 0.3 shows an example system where the following occurs:• input data changes on the analog input module.• the data is transmitted to the controller.• the controller runs its program scan and reacts to the datachange, including sending new data to the output module.• the output module behavior changes based on the new datareceived from the controller.Figure 0.3Analog InputModuleControllerAnalog OutputModuleUse the following formula to determine worst-case reaction time:Worst-Case Reaction Time =Input Module Filter Setting (1) + Input Module Real Time Sample (RTS) rate (1)+ Controller Program Scan (2) +Output Module RPI (1)+ Output Module Hardware Delay (3)(1) This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see theLogix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. Fora complete list of installation instructions, see Table 1.1 on page 21.130 Publication 1756-RM001F-EN-P - June 2009

Response Times of the ControlLogix SystemAppendix ARemote Chassis ConfigurationFigure 0.2 shows an example system where the following occurs:ControllerControlNetBridge Module• input data changes on the analog input module.• the data is transmitted to the controller via the 1756-CNBmodules.• the controller runs its program scan and reacts to the datachange, including sending new data to the output module viathe 1756-CNB modules.• the output module behavior changes based on the new datareceived from the controller.Figure 0.4ControlNetBridge ModuleAnalog InputModuleAnalog OutputModuleUse the following formula to determine worst-case reaction time:Worst-Case Reaction Time =Input Module Filter Setting (1) + Input Module Real Time Sample (RTS) rate (1)+ Remote 1756-CNB RPI (1) + Controller Program Scan (2) + Output Module RPI (1)+ Remote 1756-CNB RPI (1) + Output Module Hardware Delay (3)(1)This setting is user-defined. For more information, see the ControlLogix Digital I/O Modules user manual, publication 1756-UM058.(2) This figure is calculated by adding instruction execution times. For more information on instruction execution times in RSLogix 5000, see theLogix5000 Controllers Execution Time and Memory Use Reference, publication 1756-RM087.(3) Hardware delay is module-dependent. Specific hardware delay times are listed in the installation instructions for each catalog number. For acomplete list of installation instructions, see Table 1.1 on page 21.Publication 1756-RM001F-EN-P - June 2009 131

Appendix AResponse Times of the ControlLogix SystemRedundancy SystemsThe response time of a system that uses redundancy is different froma system that does not use redundancy. The redundancy system has alonger response time because:• The primary controller must keep the secondary up-to-date andready to take over control in case of a switchover. This processof cross-loading fresh data at the end of each program scanincreases scan time.You can plan your project effectively (e.g., minimize the use ofSINT or INT tags, use arrays and user-defined data types) tominimize the scan time in a redundancy system. Generally, theprimary controller in a redundancy system has a 20% slowerresponse time than the controller in a non-redundancy system.• The switchover between controllers slows system response. Theswitchover time of a redundancy system depends on thenetwork update time (NUT) of the ControlNet network. Toestimate the switchover time, use the following formulas:For this type of failure: If the NUT is: The switchover time is: Example:loss of power< 6 60 ms For a NUT of 4 ms, the switchovertime is approximately 60 ms.–or–module failure> 7 5 (NUT) + MAX (2[NUT], 30) For a NUT of 10 ms, the switchovertime is approximately 80 ms.1756-CNB module cannotcommunicate with any other node14 (NUT) + MAX (2[NUT], 30) + 50 For a NUT of 10 ms, the switchovertime is approximately 220 ms.For more information on response times in ControlLogix redundancysystems and ControlLogix redundancy systems in general, see theControlLogix Redundancy System user manual, publication1756-UM523.132 Publication 1756-RM001F-EN-P - June 2009

Appendix BSystem Self-Testing andUser-Programmed ResponsesThis chapter explains self-testing in a ControlLogix system and pointsto more information about user-programmed responses.TopicPageValidation Tests 133System Self Tests 133Validation TestsValidation tests are performed at every proof test interval.• Manually Cycle Inputs to ensure that all inputs are operationaland not stuck in the ON state• Manually Pulse Test outputs which do not support runtime PulseTesting. The relays in the Redundant Power Supplies mustbe tested to ensure they are not stuck in the Closed state.Users can automatically perform proof tests by switching groundopen on input modules and checking to make sure all inputpoints go to zero (turn OFF.).All system components which do not have runtime diagnostics mustbe tested as part of the System Initialization Tests.System Self TestsThe SIL2-certified ControlLogix system is designed to automaticallyshut down in the event of a failure or fault. The following informationprovides details on how to program and configure routines to monitordiagnostic and system status.Publication 1756-RM001F-EN-P - June 2009 133

Appendix BSystem Self-Testing and User-Programmed ResponsesReaction to FaultsFor more information on how to configure a ControlLogix system toidentify and handle faults, including such tasks as:• Developing a Fault Routine• Creating a User-Defined Major Fault• Monitoring Minor Faults• Developing a Power-Up RoutineSee the Logix5000 Controllers Common Procedures ProgrammingManual, publication 1756-PM001.134 Publication 1756-RM001F-EN-P - June 2009

Appendix CAdditional Information for Handling Faults inthe ControlLogix SystemThis appendix describes the ways that faults are reported to thecontroller.IntroductionThe ControlLogix architecture provides the user many ways ofdetecting and reacting to faults in the system. Various device objectscan be interrogated to determine the current operating status.Additionally, modules provide run-time status of their operation andof the process.• For information on how to use specific instructions to get andset controller system data stored in device objects, see theLogix5000 Controllers General Instructions Reference Manual,publication 1756-RM003.• For information on controller fault codes, including major andminor codes, see the Logix5000 Controllers Common ProceduresProgramming Manual, publication 1756-PM001.• For information on accessing modules’ run-time operational andprocess status, see:– ControlLogix Analog I/O Modules User Manual,publication 1756-UM009– ControlLogix Digital I/O Modules User Manual,publication 1756-UM058.Publication 1756-RM001F-EN-P - June 2009 135

Appendix CAdditional Information for Handling Faults in the ControlLogix System136 Publication 1756-RM001F-EN-P - June 2009

Appendix DSpurious Failure EstimatesIntroductionThis table lists the spurious failure estimates for the ControlLogixproducts included in this manual. These rates are based on fieldreturn data. Therefore, new products, that is, products released lessthan 18 months before the publication of this manual, are notincluded.Spurious Failure Calculations for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMTBF(Spurious) (5)λ(Spurious) (6)1756-AXX/B (2) ControlLogix chassis 6,293,292 1.59E-071756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule95,720 1.04E-051756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-DHRIO/D (3)1756-DNB (3)1756-EN2T/A1756-ENBT/A1756-IA16I1756-IA8D1756-IB16D1756-IB16I1756-IB16ISOEControlLogix redundantControlNet bridge moduleControlLogix redundantControlNet bridge moduleControlLogix ControlNet bridgemoduleControlLogix redundantControlNet bridge moduleControlLogix Data Highway plusremote I/O moduleControlLogix DeviceNet bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix AC isolated inputmoduleControlLogix AC diagnostic inputmoduleControlLogix DC diagnostic inputmoduleControlLogix DC isolated inputmoduleControlLogix sequence of eventsmodule92,922 1.08E-05171,206 5.84E-06255,424 3.92E-06390,323 2.56E-06252,935 3.95E-067,049,909 1.42E-077,161,440 1.40E-077,243,253 1.38E-077,229,213 1.38E-073,767,573 2.65E-07Publication 1756-RM001F-EN-P - June 2009 137

Appendix DSpurious Failure EstimatesSpurious Failure Calculations for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMTBF(Spurious) (5)λ(Spurious) (6)1756-IB32/B ControlLogix DC input module 4,065,277 2.46E-071756-IF8 ControlLogix analog input 1,466,850 6.82E-07module1756-IF8H ControlLogix HART analog input 284,088 3.52E-061756-IF16 ControlLogix isolated analog 2,113,547 4.73E-07input1756-IF6CIS ControlLogix isolated sourcing 1,327,418 7.53E-07analog input1756-IF6I ControlLogix isolated analog 1,761,728 5.68E-07input1756-IH16ISOE ControlLogix sequence of events 1,214,720 8.23E-07module1756-IR6I ControlLogix RTD input module 3,332,073 3.00E-071756-IT6I ControlLogix thermocouple input 1,360,763 7.35E-07module1756-IT6I2 ControlLogix enhanced1,219,741 8.20E-07thermocouple input module1756-L55M13 ControlLogix L55 controller, 1.5 1,007,353 9.93E-07MB memory1756-L55M16 ControlLogix L55 controller, 7.5 895,787 1.12E-06MB memory1756-L61/B ControlLogix 2 MB controller 107,536 9.30E-061756-L62/B ControlLogix 4 MB controller 92,410 1.08E-051756-L63/B ControlLogix 8 MB controller 114,757 8.71E-061756-OA16I ControlLogix AC isolated input 5,281,293 1.89E-07module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07module1756-OB16D ControlLogix DC diagnostic 6,193,574 1.61E-07output module1756-OB16I ControlLogix DC isolated output 2,134,730 4.68E-07module1756-OB32 ControlLogix DC output module 1,537,540 6.50E-071756-OB8EI ControlLogix DC fused output 5,347,680 1.87E-07module1756-OF6CI ControlLogix isolated analog 3,810,213 2.62E-07input module1756-OF6VI ControlLogix isolated analog 8,950,240 1.12E-07output module1756-OF8 ControlLogix analog outputmodule4,070,411 2.46E-07138 Publication 1756-RM001F-EN-P - June 2009

Spurious Failure EstimatesAppendix DSpurious Failure Calculations for Traditional ControlLogix ComponentsCat. No. (1)1756-OF8H1756-OW16I1756-OX8I1756-PA75/B1756-PA75RDescriptionMTBF(Spurious) (5)λ(Spurious) (6)ControlLogix HART analogoutput2,637,440 3.79E-07ControlLogix isolated relay 14,144,290 7.07E-08output moduleControlLogix contact output 2,689,267 3.72E-07moduleControlLogix AC power supply 134,775,680 7.42E-09moduleControlLogix AC redundant 501,026 2.00E-06power supply (4)1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 54,812,160 1.82E-081756-PB75R ControlLogix DC redundant 14,709,760 6.80E-08power supply1756-PC75/B ControlLogix DC power supply1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-071756-PSCA2 ControlLogix Redundant powersupply adapter1757-SRM/B ControlLogix System redundancy 211,834 4.72E-06module1756-SYNCH ControlLogix SynchLink module 439,970 2.27E-06(1)References a series A component if no other series is indicated by /X.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all fivechassis types (that is chassis 1756-A4, 1756-A7, 1756-A10, 1756-A13, and 1756-A17).(3) Data for this component is no longer available.(4) Calculations for the redundant power supply are completed with the presumption that both power supplies failsimultaneously.(5) MTBF measured in hours. The values used here represent values available in March 2009.(6) λ = Failure Rate = 1/MTBF.Publication 1756-RM001F-EN-P - June 2009 139

Appendix DSpurious Failure EstimatesNotes:140 Publication 1756-RM001F-EN-P - June 2009

Appendix E2-year and 5-year PFD and PFH CalculationsThis appendix provides 5 year PFD and PFH calculations forSIL2-certified hardware.TopicPage2-Year PFD and PFH Calculations 141ControlLogix Components PFD Calculations - 2 Year 141Example: 2-year PFD Calculation for a ControlLogix System 144ControlLogix Component PFH Calculations - 2 Year 1455-Year PFD Calculations 148ControlLogix Components PFD Calculations - 5 Year 148ControlLogix Component PFH Calculations - 5 Year 1512-Year PFD and PFHCalculationsThe tables in this section provide PFD calculations for ControlLogixand components for a 2-year proof test interval.ControlLogix Components PFD Calculations - 2 YearPFD Calculations - 2-year for Traditional ControlLogix ComponentsThe PFD calculations in this table are calculated for a 2-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Cat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 4.42E-06 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 2.27E-04 x1756-CNBR/D (3)1756-CNBR/EControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge module1,873,738 5.34E-07 2.36E-04 xPublication 1756-RM001F-EN-P - June 2009 141

Appendix E2-year and 5-year PFD and PFH CalculationsPFD Calculations - 2-year for Traditional ControlLogix ComponentsCat. No. (1)1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/BDescriptionControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture4,964,960 2.01E-07 8.92E-05 x1,277,120 7.83E-07 3.47E-04 x7,434,944 1.35E-07 5.96E-05 x6,921,373 1.44E-07 6.40E-05 x1756-DHRIO/D (4) ControlLogix Data Highway plusremote I/O module1756-DNB (4) ControlLogix DeviceNet bridgemodule1756-EN2T/A ControlLogix EtherNet/IP bridge 628,854 1.59E-06 7.04E-04 xmodule1756-ENBT/A ControlLogix EtherNet/IP bridge 7,571,957 1.32E-07 5.85E-05 xmodule1756-IA16I ControlLogix AC isolated input 29,206,766 3.42E-08 x 1.21E-06module1756-IA8D ControlLogix AC diagnostic input 14,322,880 6.98E-08 x 2.47E-06module1756-IB16D ControlLogix DC diagnostic input 43,459,520 2.30E-08 x 8.10E-07module1756-IB16I ControlLogix DC isolated input 19,277,903 5.19E-08 x 1.83E-06module1756-IB16ISOE ControlLogix sequence of events 1,883,787 5.31E-07 x 1.98E-05module1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 5.64E-061756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 1.25E-051756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 1.06E-041756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 1.12E-051756-IF6CIS ControlLogix isolated sourcing 2,433,600 4.11E-07 x 1.51E-05analog input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 1.46E-051756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 9.94E-06module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 2.88E-061756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 6.44E-06module1756-IT6I2 ControlLogix enhancedthermocouple input module1,684,404 5.94E-07 x 2.23E-05142 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EPFD Calculations - 2-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture1756-L55M13 ControlLogix L55 controller, 1.5 2,316,912 4.32E-07 1.91E-04 xMB memory1756-L55M16 ControlLogix L55 controller, 7.5 2,015,520 4.96E-07 2.20E-04 xMB memory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 5.00E-04 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 4.12E-04 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 4.60E-04 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 4.20E-05 3.36E-06module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 4.75E-05 xmodule1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 2.57E-05 xmodule1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 1.23E-04 1.01E-05module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 2.25E-04 1.88E-051756-OB8EI ControlLogix DC fused output 10,695,360 9.35E-08 4.14E-05 3.32E-06module1756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 5.33E-05 4.28E-06module1756-OF6VI ControlLogix isolated analog 17,900,480 5.59E-08 2.47E-05 1.97E-06output module1756-OF8 ControlLogix analog output 6,575,280 1.52E-07 6.74E-05 5.43E-06module1756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 1.68E-04 1.39E-051756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 1.22E-04 1.00E-05module1756-OX8I ControlLogix contact output 9,220,343 1.08E-07 4.80E-05 3.85E-06module1756-PA75/B ControlLogix AC power supply 3,287,212 3.04E-07 1.35E-04 xmodule1756-PA75R ControlLogix AC redundant powersupply (5) 610,161 1.64E-06 7.26E-04 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 7.53E-05 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 3.01E-05 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 7.52E-05 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 3.22E-04 xPublication 1756-RM001F-EN-P - June 2009 143

Appendix E2-year and 5-year PFD and PFH CalculationsPFD Calculations - 2-year for Traditional ControlLogix ComponentsCat. No. (1)1756-PSCA2 ControlLogix Redundant power 5,477,680 1.83E-07 8.09E-05 xsupply adapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 7.72E-04 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 7.52E-05 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 4.79E-05 x(1) References a series A component if no other series is indicated by /X.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3) Data for this component is no longer available.(4) This module is no longer SIL2-certified.DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture(5)(6)Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.MTBF measured in hours. The values used here represent values available in March 2009.(7) λ = Failure Rate = 1/MTBF.Example: 2-year PFD Calculation for a ControlLogix SystemThis example shows an example of a PFD calculation for a traditionalControlLogix system in a fail-safe configuration. The system includestwo DC input modules used in a 1oo2 configuration and a DC outputmodule.Example of PFD Calculation That Uses the 2 Year Proof Test IntervalCat. No. Description MTBF Calculated PFD1756-AXX ControlLogix chassis 100,250,000 4.42E-061756-L55M16 ControlLogix 5555 controller 2,015,520 2.20E-041756-OB16D DC output module 17,204,374 2.57E-051756-IB16D DC diagnostic input 43,459,520 8.10E-07Total PFD calculation for a safety loop consisting of these 2.49 E-04products:144 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EControlLogix Component PFH Calculations - 2 YearPFH Calculations - 2-year for Traditional ControlLogix ComponentsThe PFH calculations in this table are calculated for a 2-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Calculated PFH:Mean TimeCat. No. (1)BetweenDescriptionFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 4.99E-10 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 2.56E-08 x1756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/B1756-DHRIO/D (4)1756-DNB (4)1756-EN2T/A1756-ENBT/A1756-IA16I1756-IA8D1756-IB16D1756-IB16I1756-IB16ISOEControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix Data Highway plusremote I/O moduleControlLogix DeviceNet bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix AC isolated inputmoduleControlLogix AC diagnostic inputmoduleControlLogix DC diagnostic inputmoduleControlLogix DC isolated inputmoduleControlLogix sequence of eventsmodule1,873,738 5.34E-07 2.67E-08 x4,964,960 2.01E-07 1.01E-08 x1,277,120 7.83E-07 3.92E-08 x7,434,944 1.35E-07 6.73E-09 x6,921,373 1.44E-07 7.22E-09 x628,854 1.59E-06 7.95E-08 x7,571,957 1.32E-07 6.60E-09 x29,206,766 3.42E-08 x 2.42E-1014,322,880 6.98E-08 x 4.97E-1043,459,520 2.30E-08 x 1.62E-1019,277,903 5.19E-08 x 3.68E-101,883,787 5.31E-07 x 4.20E-09Publication 1756-RM001F-EN-P - June 2009 145

Appendix E2-year and 5-year PFD and PFH CalculationsPFH Calculations - 2-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 1.15E-091756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 2.60E-091756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 2.64E-081756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 2.31E-091756-IF6CIS ControlLogix isolated sourcing analog 2,433,600 4.11E-07 x 3.16E-09input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 3.07E-091756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 2.05E-09module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 5.80E-101756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 1.31E-09module1756-IT6I2 ControlLogix enhanced thermocouple 1,684,404 5.94E-07 x 4.76E-09input module1756-L55M13 ControlLogix L55 controller, 1.5 MB 2,316,912 4.32E-07 2.16E-08 xmemory1756-L55M16 ControlLogix L55 controller, 7.5 MB 2,015,520 4.96E-07 2.48E-08 xmemory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 5.65E-08 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 4.65E-08 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 5.19E-08 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 4.74E-09 6.79E-10module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 5.36E-09 xmodule1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 2.91E-09 xmodule1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 1.39E-08 2.08E-09module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 2.53E-08 3.99E-091756-OB8EI ControlLogix DC fused output module 10,695,360 9.35E-08 4.67E-09 6.69E-101756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 6.01E-09 8.67E-10module1756-OF6VI ControlLogix isolated analog output 17,900,480 5.59E-08 2.79E-09 3.96E-10module1756-OF8 ControlLogix analog output module 6,575,280 1.52E-07 7.60E-09 1.10E-091756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 1.90E-08 2.90E-09146 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EPFH Calculations - 2-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 1.38E-08 2.06E-09module1756-OX8I ControlLogix contact output module 9,220,343 1.08E-07 5.42E-09 7.79E-101756-PA75/B ControlLogix AC power supply module 3,287,212 3.04E-07 1.52E-08 x1756-PA75R ControlLogix AC redundant powersupply (5) 610,161 1.64E-06 8.19E-08 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 8.50E-09 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 3.40E-09 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 8.48E-09 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 3.64E-08 x1756-PSCA2 ControlLogix Redundant power supply 5,477,680 1.83E-07 9.13E-09 xadapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 8.71E-08 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 8.49E-09 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 5.41E-09 x(1)Uses value for series A if no other series are specified.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3) Data for this component is no longer available.(4) This module is no longer SIL2-certified.(5) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(6)MTBF measured in hours. The values used here represent values available in March 2009.(7) λ = Failure Rate = 1/MTBFPublication 1756-RM001F-EN-P - June 2009 147

Appendix E2-year and 5-year PFD and PFH Calculations5-Year PFD CalculationsThe tables in this section provide PFD and PFH calculations forControlLogix and components for a 5-year proof test interval.ControlLogix Components PFD Calculations - 5 YearPFD Calculations - 5-year for Traditional ControlLogix ComponentsThe PFD calculations in this table are calculated for a 5-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Cat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 1.10E-05 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 5.64E-04 x1756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/B1756-DHRIO/D (4)1756-DNB (4)1756-EN2T/A1756-ENBT/A1756-IA16I1756-IA8D1756-IB16DControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix Data Highway plusremote I/O moduleControlLogix DeviceNet bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix AC isolated inputmoduleControlLogix AC diagnostic inputmoduleControlLogix DC diagnostic inputmodule1,873,738 5.34E-07 5.88E-04 x4,964,960 2.01E-07 2.22E-04 x1,277,120 7.83E-07 8.63E-04 x7,434,944 1.35E-07 1.48E-04 x6,921,373 1.44E-07 1.59E-04 x628,854 1.59E-06 1.75E-03 x7,571,957 1.32E-07 1.46E-04 x29,206,766 3.42E-08 x 3.04E-0614,322,880 6.98E-08 x 6.25E-0643,459,520 2.30E-08 x 2.03E-06148 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EPFD Calculations - 5-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionCalculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture1756-IB16I ControlLogix DC isolated input 19,277,903 5.19E-08 x 4.62E-06module1756-IB16ISOE ControlLogix sequence of events 1,883,787 5.31E-07 x 5.37E-05module1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 1.45E-051756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 3.30E-051756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 3.51E-041756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 2.93E-051756-IF6CIS ControlLogix isolated sourcing 2,433,600 4.11E-07 x 4.03E-05analog input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 3.90E-051756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 2.60E-05module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 7.30E-061756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 1.66E-05module1756-IT6I2 ControlLogix enhanced1,684,404 5.94E-07 x 6.09E-05thermocouple input module1756-L55M13 ControlLogix L55 controller, 1.5 2,316,912 4.32E-07 4.76E-04 xMB memory1756-L55M16 ControlLogix L55 controller, 7.5 2,015,520 4.96E-07 5.47E-04 xMB memory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 1.24E-03 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 1.02E-03 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 1.14E-03 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 x 8.55E-06module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 1.18E-04 xmodule1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 6.41E-05 xmodule1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 3.07E-04 2.64E-05module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 5.59E-04 5.09E-051756-OB8EI ControlLogix DC fused output 10,695,360 9.35E-08 1.03E-04 8.43E-06module1756-OF6CI ControlLogix isolated analog inputmodule8,313,193 1.20E-07 1.33E-04 1.09E-05Publication 1756-RM001F-EN-P - June 2009 149

Appendix E2-year and 5-year PFD and PFH CalculationsPFD Calculations - 5-year for Traditional ControlLogix ComponentsCat. No. (1)Description1756-OF6VI ControlLogix isolated analog 17,900,480 5.59E-08 6.16E-05 4.98E-06output module1756-OF8 ControlLogix analog output 6,575,280 1.52E-07 1.68E-04 1.39E-05module1756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 4.18E-04 3.69E-051756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 3.04E-04 2.62E-05module1756-OX8I ControlLogix contact output 9,220,343 1.08E-07 1.20E-04 9.82E-06module1756-PA75/B ControlLogix AC power supply 3,287,212 3.04E-07 3.35E-04 xmodule1756-PA75R ControlLogix AC redundant powersupply (5) 610,161 1.64E-06 1.81E-03 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 1.87E-04 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 7.49E-05 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 1.87E-04 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 8.02E-04 x1756-PSCA2 ControlLogix Redundant power 5,477,680 1.83E-07 2.01E-04 xsupply adapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 1.92E-03 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 1.87E-04 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 1.19E-04 x(1) References a series A component if no other series is indicated by /X.Calculated PFD:Mean Time BetweenFailure (MTBF) (6) λ (7) 1oo11oo2Architecture Architecture(2)(3)(4)The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).Data for this component is no longer available.This module is no longer SIL2-certified.(5) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(6) MTBF measured in hours. The values used here represent values available in March 2009.(7) λ = Failure Rate = 1/MTBF.150 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EControlLogix Component PFH Calculations - 5 YearPFH Calculations - 5-year for Traditional ControlLogix ComponentsThe PFH calculations in this table are calculated for a 5-year proof testinterval and are specific to traditional ControlLogix systemcomponents.Calculated PFH:Mean TimeCat. No. (1)BetweenDescriptionFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 4.99E-10 x1756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 2.56E-08 x1756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/B1756-DHRIO/D (4)1756-DNB (4)1756-EN2T/A1756-ENBT/A1756-IA16I1756-IA8D1756-IB16D1756-IB16I1756-IB16ISOEControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix Data Highway plusremote I/O moduleControlLogix DeviceNet bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix EtherNet/IP bridgemoduleControlLogix AC isolated inputmoduleControlLogix AC diagnostic inputmoduleControlLogix DC diagnostic inputmoduleControlLogix DC isolated inputmoduleControlLogix sequence of eventsmodule1,873,738 5.34E-07 2.67E-08 x4,964,960 2.01E-07 1.01E-08 x1,277,120 7.83E-07 3.92E-08 x7,434,944 1.35E-07 6.73E-09 x6,921,373 1.44E-07 7.22E-09 x628,854 1.59E-06 7.95E-08 x7,571,957 1.32E-07 6.60E-09 x29,206,766 3.42E-08 x 2.45E-1014,322,880 6.98E-08 x 5.10E-1043,459,520 2.30E-08 x 1.63E-1019,277,903 5.19E-08 x 3.75E-101,883,787 5.31E-07 x 4.92E-09Publication 1756-RM001F-EN-P - June 2009 151

Appendix E2-year and 5-year PFD and PFH CalculationsPFH Calculations - 5-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 x 1.21E-091756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 x 2.90E-091756-IF8H ControlLogix HART analog input 419,368 2.38E-06 x 4.10E-081756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 x 2.55E-091756-IF6CIS ControlLogix isolated sourcing analog 2,433,600 4.11E-07 x 3.60E-09input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 x 3.47E-091756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 x 2.24E-09module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 x 5.97E-101756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 x 1.40E-09module1756-IT6I2 ControlLogix enhanced thermocouple 1,684,404 5.94E-07 x 5.66E-09input module1756-L55M13 ControlLogix L55 controller, 1.5 MB 2,316,912 4.32E-07 2.16E-08 xmemory1756-L55M16 ControlLogix L55 controller, 7.5 MB 2,015,520 4.96E-07 2.48E-08 xmemory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 5.65E-08 x1756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 4.65E-08 x1756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 5.19E-08 x1756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 x 7.02E-10module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 5.36E-09 xmodule1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 2.91E-09 xmodule1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 1.39E-08 2.28E-09module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 2.53E-08 4.64E-091756-OB8EI ControlLogix DC fused output module 10,695,360 9.35E-08 4.67E-09 6.92E-101756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 6.01E-09 9.04E-10module1756-OF6VI ControlLogix isolated analog output 17,900,480 5.59E-08 2.79E-09 4.04E-10module1756-OF8 ControlLogix analog output module 6,575,280 1.52E-07 7.60E-09 1.16E-091756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 1.90E-08 3.27E-09152 Publication 1756-RM001F-EN-P - June 2009

2-year and 5-year PFD and PFH CalculationsAppendix EPFH Calculations - 5-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean TimeCalculated PFH:BetweenFailure λ (7) 1oo11oo2(MTBF) (6) architecture architecture1756-OW16I ControlLogix isolated relay output 3,620,265 2.76E-07 1.38E-08 2.26E-09module1756-OX8I ControlLogix contact output module 9,220,343 1.08E-07 5.42E-09 8.09E-101756-PA75/B ControlLogix AC power supply module 3,287,212 3.04E-07 1.52E-08 x1756-PA75R ControlLogix AC redundant powersupply (5) 610,161 1.64E-06 8.19E-08 x1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 8.50E-09 x1756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 3.40E-09 xsupply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 8.48E-09 x1756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 3.64E-08 x1756-PSCA2 ControlLogix Redundant power supply 5,477,680 1.83E-07 9.13E-09 xadapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 8.71E-08 xmodule1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 8.49E-09 xmodule1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 5.41E-09 x(1)Uses value for series A if no other series are specified.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3) Data for this component is no longer available.(4) This module is no longer SIL2-certified.(5) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(6)MTBF measured in hours. The values used here represent values available in March 2009.(7) λ = Failure Rate = 1/MTBFPublication 1756-RM001F-EN-P - June 2009 153

Appendix E2-year and 5-year PFD and PFH Calculations154 Publication 1756-RM001F-EN-P - June 2009

Appendix FUsing ControlLogix in SIL1 ApplicationsThis appendix describes changes in the system hardwarerequirements for SIL1 certification.TopicPageAbout the ControlLogix System and SIL1 155Additional Considerations 156PFD and PFH Calculations for a SIL1 Application 157About the ControlLogixSystem and SIL1When using ControlLogix products in a SIL1 application, you must usethe products as described in this manual, including following all testguidelines listed. For example, perform pulse testing on diagnosticoutput modules as described in Chapter 1.This appendix describes changes in the system hardwarerequirements for SIL1 certification.It is assumed that the following conditions exist in SIL1 applications:• Modules operate in a low demand applications• Hardware Fault Tolerance (HFT) = 0• Safe Failure Fraction (SFF) is > 60% and < 90%• Probability of Failure on Demand (PFD) must be > 10 -2 and

Appendix FUsing ControlLogix in SIL1 ApplicationsAdditional ConsiderationsThis table lists additional considerations that must be made withvarious ControlLogix modules in a SIL1 application.Considerations for SIL1 Applications by ModuleModuleControllersControlNet modulesData Highway Plus andEthernet modulesDigital output modules (1)Digital input modules (2)Analog output modules (1)Analog input modules (2)Additional considerationsNone. Use the controller exactly as described previously in this manual.None. Use the modules exactly as described previously in this manual.None. Use the modules exactly as described previously in this manual.Diagnostic output modules are recommended in a SIL1 application. Implement a secondary shutdown pathif the SIL1 application requires a fail-safe OFF in the event of a shorted output.Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed asdescribed previously in this manual.Analog output modules should be wired as described previously in this manual.Only 1 module is required in a SIL1 application. Periodic tests of the inputs should be performed asdescribed previously in this manual.(1) The user should be alerted to any detected output failures.(2) The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection andtripping must be less than or equal to the fault tolerance time.156 Publication 1756-RM001F-EN-P - June 2009

Using ControlLogix in SIL1 ApplicationsAppendix FPFD and PFH Calculationsfor a SIL1 ApplicationThis table lists the PFD and PFH calculations for ControlLogixproducts in a SIL1-certified system. These calculations use a Proof TestInterval of 1 year.SIL2 PFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean Time BetweenFailure (MTBF) (5) λ (6) Calculated for 1oo1PFDPFH1756-AXX/B (2) ControlLogix chassis 100,250,000 9.98E-09 2.23E-06 4.99E-101756-CNB/D (3) ControlLogix ControlNet bridgemodule1756-CNB/E ControlLogix ControlNet bridgemodule1,954,656 5.12E-07 1.15E-04 2.56E-081756-CNBR/D (3)1756-CNBR/E1756-CN2/A1756-CN2R/A1756-CN2/B¹1756-CN2R/BControlLogix redundant ControlNetbridge moduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge moduleControlLogix ControlNet bridgemoduleControlLogix redundant ControlNetbridge module1,873,738 5.34E-07 1.20E-04 2.67E-084,964,960 2.01E-07 4.51E-05 1.01E-081,277,120 7.83E-07 1.75E-04 3.92E-087,434,944 1.35E-07 1.35E+02 3.01E-056,921,373 1.44E-07 1.44E+02 3.24E-051756-DHRIO/D (3) ControlLogix Data Highway plusremote I/O module1756-DNB (3) ControlLogix DeviceNet bridgemodule1756-EN2T/A ControlLogix EtherNet/IP bridge 628,854 1.59E-06 3.56E-04 7.95E-08module1756-ENBT/A ControlLogix EtherNet/IP bridge 7,571,957 1.32E-07 2.96E-05 6.60E-09module1756-IA16I ControlLogix AC isolated input 29,206,766 3.42E-08 7.67E-06 1.71E-09module1756-IA8D ControlLogix AC diagnostic input 14,322,880 6.98E-08 1.56E-05 3.49E-09module1756-IB16D ControlLogix DC diagnostic input 43,459,520 2.30E-08 5.15E-06 1.15E-09module1756-IB16I ControlLogix DC isolated input 19,277,903 5.19E-08 1.16E-05 2.59E-09module1756-IB16ISOE ControlLogix sequence of events 1,883,787 5.31E-07 1.19E-04 2.65E-08module1756-IB32/B ControlLogix DC input module 6,335,056 1.58E-07 3.54E-05 7.89E-091756-IF8 ControlLogix analog input module 2,916,596 3.43E-07 7.68E-05 1.71E-08Publication 1756-RM001F-EN-P - June 2009 157

Appendix FUsing ControlLogix in SIL1 ApplicationsSIL2 PFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)DescriptionMean Time BetweenFailure (MTBF) (5) λ (6) Calculated for 1oo1PFDPFH1756-IF8H ControlLogix HART analog input 419,368 2.38E-06 5.34E-04 1.19E-071756-IF16 ControlLogix isolated analog input 3,258,386 3.07E-07 6.87E-05 1.53E-081756-IF6CIS ControlLogix isolated sourcing 2,433,600 4.11E-07 9.20E-05 2.05E-08analog input1756-IF6I ControlLogix isolated analog input 2,505,568 3.99E-07 8.94E-05 2.00E-081756-IH16ISOE ControlLogix sequence of events 3,644,160 2.74E-07 6.15E-05 1.37E-08module1756-IR6I ControlLogix RTD input module 12,312,640 8.12E-08 1.82E-05 4.06E-091756-IT6I ControlLogix thermocouple input 5,561,378 1.80E-07 4.03E-05 8.99E-09module1756-IT6I2 ControlLogix enhanced1,684,404 5.94E-07 1.33E-04 2.97E-08thermocouple input module1756-L55M13 ControlLogix L55 controller, 1.5 2,316,912 4.32E-07 9.67E-05 2.16E-08MB memory1756-L55M16 ControlLogix L55 controller, 7.5 2,015,520 4.96E-07 1.11E-04 2.48E-08MB memory1756-L61/B ControlLogix 2 MB controller 885,161 1.13E-06 2.53E-04 5.65E-081756-L62/B ControlLogix 4 MB controller 1,076,224 9.29E-07 2.08E-04 4.65E-081756-L63/B ControlLogix 8 MB controller 962,838 1.04E-06 2.33E-04 5.19E-081756-OA16I ControlLogix AC isolated input 10,552,187 9.48E-08 2.12E-05 4.74E-09module1756-OA8D ControlLogix AC diagnostic input 9,322,560 1.07E-07 2.40E-05 5.36E-09module1756-OB16D ControlLogix DC diagnostic output 17,204,374 5.81E-08 1.30E-05 2.91E-09module1756-OB16I ControlLogix DC isolated output 3,595,335 2.78E-07 6.23E-05 1.39E-08module1756-OB32 ControlLogix DC output module 1,973,090 5.07E-07 1.14E-04 2.53E-081756-OB8EI ControlLogix DC fused output 10,695,360 9.35E-08 2.09E-05 4.67E-09module1756-OF6CI ControlLogix isolated analog input 8,313,193 1.20E-07 2.69E-05 6.01E-09module1756-OF6VI ControlLogix isolated analog 17,900,480 5.59E-08 1.25E-05 2.79E-09output module1756-OF8 ControlLogix analog output 6,575,280 1.52E-07 3.41E-05 7.60E-09module1756-OF8H ControlLogix HART analog output 2,637,440 3.79E-07 8.49E-05 1.90E-081756-OW16I ControlLogix isolated relay outputmodule3,620,265 2.76E-07 6.19E-05 1.38E-08158 Publication 1756-RM001F-EN-P - June 2009

Using ControlLogix in SIL1 ApplicationsAppendix FSIL2 PFD Calculations - 1-year for Traditional ControlLogix ComponentsCat. No. (1)1756-OX8I1756-PA75/B1756-PA75RDescriptionMean Time BetweenFailure (MTBF) (5) λ (6) Calculated for 1oo1PFDPFHControlLogix contact outputmodule9,220,343 1.08E-07 2.43E-05 5.42E-09ControlLogix AC power supply 3,287,212 3.04E-07 6.81E-05 1.52E-08moduleControlLogix AC redundant power 610,161 1.64E-06 3.67E-04 8.19E-08supply (4)1756-PB75/A (3) ControlLogix DC power supply1756-PB75/B ControlLogix DC power supply 2,884,851 1.70E-07 3.81E-05 8.50E-091756-PB75R ControlLogix DC redundant power 14,709,760 6.80E-08 1.52E-05 3.40E-09supply1756-PC75/B ControlLogix DC power supply 5,894,836 1.70E-07 3.80E-05 8.48E-091756-PH75B ControlLogix DC power supply 1,374,880 7.27E-07 1.63E-04 3.64E-081756-PSCA2 ControlLogix Redundant power 5,477,680 1.83E-07 4.09E-05 9.13E-09supply adapter1757-SRM/B ControlLogix System redundancy 573,964 1.74E-06 3.90E-04 8.71E-08module1756-RM ControlLogix System redundancy 5,887,894 1.70E-07 3.80E-05 8.49E-09module1756-SYNCH ControlLogix SynchLink module 9,239,360 1.08E-07 2.42E-05 5.41E-09(1)References a series A component if no other series is indicated by /X.(2) The PFD calculations ControlLogix chassis are completed using an arithmetic average of the MTBFs for all five chassis types (that is chassis 1756-A4, 1756-A7, 1756-A10,1756-A13, and 1756-A17).(3)Data for this component is no longer available.(4) Calculations for the redundant power supply are completed with the presumption that both power supplies fail simultaneously.(5) MTBF measured in hours. The values used here represent values available in March 2009.(6) λ = Failure Rate = 1/MTBF.Publication 1756-RM001F-EN-P - June 2009 159

Appendix FUsing ControlLogix in SIL1 ApplicationsNotes:160 Publication 1756-RM001F-EN-P - June 2009

IndexAagency certification 34analog input modulesHART module use 87use 85-92wiring 88, 97analog output modulescalibration 93HART module use 96use 93-99application programprogramming languages 118SIL task/program instructions 118technical SIL2 requirements 115-122applicationsgas and fire 15architectureoverview of ControlLogix architecture 52Ccalculations1-yearPFD 41, 45, 50, 141, 1482-year PFD 141component-level 40explanation of 40PFD and PFH, about 39spurious failure 137calibration 85analog outputs 93certificationagency 34chassisabout 61use 63CIP. See Control and InformationProtocol.commissioning life cycle 119communicationControlNet components 68data echo 54Data Highway Plus - Remote I/Ocomponents 70EtherNet/IP components 69field-side output verification 54modules 67-71recommendations for use 70networks 56output data echo 79producer/consumer model 52SynchLink components 70componentschassisabout 61use 63PFD and PFH calculations 40power suppliesabout 61use 63SIL2-certified 23using 63configurationsfail-safe 19fault-tolerant 22high-availability 20Control and Information Protocol (CIP)defined 11controller 65-66recommendations for use 66ControlLogixarchitecture 52systemgeneral information 51ControlNetcomponents 68use in SIL2 system 56Ddata echo 54Data Highway Plus - Remote I/Ocomponents 70DHRIO. See Data Highway Plus - RemoteI/Odiagnostic coveragedefined 11digital input modulesuse 77-79wiring 78digital output modulesuse 79-84wiring 81distributionSIL compliance and 33EEtherNet/IPcomponents 69use in SIL2 system 57European norm.defined 11Publication 1756-RM001F-EN-P - June 2009 161

IndexFfail-safe configruationabout 19fault handlingadditional resources 135detection of faults 105-107programming feature 53reaction to faults 134fault reportingadditional resources 135detection of faults 105-107programming for 76reaction to faults 134fault-tolerant configruationabout 22field-side output verification 54fireconsiderations for 15firmware, SIL2-certified 23forcing via software 112Ggasconsiderations for 15gas and fire 15Get System Value (GSV)defined 11GSV. See Get System Value.Hhardwarechassis 61use 63power supplies 61use 63using 63HART modulesanalog inputuse 87wiring 92analog outputuse 96wiring 99high-availability configruationabout 20human-to-machine interfacesuse and application 123-126II/O modules 73-102analog inputproof tests 85use 85-92analog outputproof tests 93use 93-99calibration 85digital inputproof tests 77use 77-79digital outputproof tests 79use 79-84fault reporting and 76response times 127-131wiringanalog input modules 88analog output modules 97digital input modules 78digital output modules 81interfaceHMI use and application 123-126MMean Time Between Failures (MTBF)defined 11Mean Time To Restoration (MTTR)defined 11module fault reporting 53MTBF. See Mean Time BetweenFailures.MTTR. See Mean Time To Restoration.Ooperational modes 113output data echodigital outputs and 79PPADT. See Programming and DebuggingTool.PFD. See Probability of Failure onDemand.PFH. See Probability of DangerousFailure per Hour.162 Publication 1756-RM001F-EN-P - June 2009

Indexpower suppliesabout 61non-redundant 62redundant 62use 63Probability of Dangerous Failure perHour (PFH)about calculations 39defined 12use 40Probability of Failure on Demand (PFD)1-year calculations 412-year calculations 141about calculations 39defined 12use 39producer/consumer communicationmodel 52programmingchanges 120languages 118Programming and Debugging Tool(PADT)defined 11proof testsabout 30analog inputs and 85analog outputs and 93digital inputs and 77digital outputs and 79pulse test 55Rrecommendationschassis and power supply use 63communication module use 70controller use 66reportingmodule faults 53response times 127-131routinefault-handling 53RSLogix 5000commissioning life cycle 119forcing 112general requirements 109-114program changes 120programming languages 118security 112SIL task/program instructions 118SIL2 programming 109use 56Ssafety certifications and compliancescertifications 32security via software 112serial communicationuse in SIL2 system 57SILcompliancedistribution and weight 33policy 13-37SIL2certified componentslisted 23programming 109requirementsapplication program 115-122softwarecommissioning life cycle 119forcing 112general requirements 109-114program changes 120programming languages 118RSLogix 5000 56security and 112SIL task/program instructions 118SIL2 programming 109system watchdog 37watchdog 37spurious failure estimates 137SynchLinkcomponents 70system hardwarechassisabout 61use 63ControlLogix 51power suppliesabout 61use 63using 63Publication 1756-RM001F-EN-P - June 2009 163

IndexTtestsproof 30pulse 55Wwatchdog 37wiring I/O modulesanalog input modules 88analog output modules 97digital input modules 78digital output modules 81164 Publication 1756-RM001F-EN-P - June 2009

Pub. Title/Type Using ControlLogix in SIL2 ApplicationsHow Are We Doing?Your comments on our technical publications will help us serve you better in the future.Thank you for taking the time to provide us feedback.You can complete this form and mail (or fax) it back to us or email us atRADocumentComments@ra.rockwell.com.Cat. No. 1756 Series Pub. No. 1756-RM001F-EN-P Pub. Date June 2009 Part No. N/APlease complete the sections below. Where applicable, rank the feature (1=needs improvement, 2=satisfactory, and 3=outstanding).Overall Usefulness 1 2 3 How can we make this publication more useful for you?Completeness(all necessary informationis provided)1 2 3 Can we add more information to help you?procedure/step illustration featureexample guideline otherexplanationdefinitionTechnical Accuracy(all provided informationis correct)1 2 3 Can we be more accurate?textillustrationClarity(all provided information iseasy to understand)1 2 3 How can we make things clearer?Other CommentsYou can add additional comments on the back of this form.Your NameYour Title/FunctionWould you like us to contact you regarding your comments?Location/Phone___No, there is no need to contact me___Yes, please call me___Yes, please email me at __________________________Yes, please contact me via _____________________Return this form to: Rockwell Automation Technical Communications, 1 Allen-Bradley Dr., Mayfield Hts., OH 44124-9705Fax: 440-646-3525 Email: RADocumentComments@ra.rockwell.comPublication CIG-CO521D-EN-P- July 2007

PLEASE FASTEN HERE (DO NOT STAPLE)Other CommentsPLEASE FOLD HERENO POSTAGENECESSARYIF MAILEDIN THEUNITED STATESPLEASE REMOVEBUSINESS REPLY MAILFIRST-CLASS MAIL PERMIT NO. 18235 CLEVELAND OHPOSTAGE WILL BE PAID BY THE ADDRESSEE1 ALLEN-BRADLEY DRMAYFIELD HEIGHTS OH 44124-9705

Rockwell AutomationSupportRockwell Automation provides technical information on the Web to assistyou in using its products. At http://support.rockwellautomation.com, you canfind technical manuals, a knowledge base of FAQs, technical and applicationnotes, sample code and links to software service packs, and a MySupportfeature that you can customize to make the best use of these tools.For an additional level of technical phone support for installation,configuration, and troubleshooting, we offer TechConnect support programs.For more information, contact your local distributor or Rockwell Automationrepresentative, or visit http://support.rockwellautomation.com.Installation AssistanceIf you experience a problem within the first 24 hours of installation, pleasereview the information that's contained in this manual. You can also contact aspecial Customer Support number for initial help in getting your product upand running.United States 1.440.646.3434Monday – Friday, 8am – 5pm ESTOutside UnitedStatesPlease contact your local Rockwell Automation representative for anytechnical support issues.New Product Satisfaction ReturnRockwell Automation tests all of its products to ensure that they are fullyoperational when shipped from the manufacturing facility. However, if yourproduct is not functioning and needs to be returned, follow theseprocedures.United StatesOutside UnitedStatesContact your distributor. You must provide a Customer Support casenumber (call the phone number above to obtain one) to your distributorin order to complete the return process.Please contact your local Rockwell Automation representative for thereturn procedure.Publication 1756-RM001F-EN-P - June 2009 168Supersedes Publication 1756-RM001E-EN-P - December 2006PN N/ACopyright © 2009 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.