Configure SIL 2 Operation – Rockwell Automation 1715-OF8I Redundant I/O System User Manual
Page 213

Rockwell Automation Publication 1715-UM001C-EN-P - March 2014
1715 Redundant I/O System in SIL 2 Safety Applications
Chapter 6
Shutdown Mode
When the module is in the Shutdown mode, the Ready and Run indicators turn
red. The default state is OFF (de-energized).
Considerations for Sensor and Actuator Configurations
The function of a signal must be considered. In many cases, redundant sensor and
actuator configurations can be used, or differing sensor and actuator types
provide alternate detection and control possibilities. Plant facilities frequently
have related signals such as start and stop signals. In these cases, it is important to
make sure that failures beyond the system's fault-tolerant capability do not result
in either an inability to respond safely or in inadvertent operation. In some cases,
this requires that channels be on the same module, to make sure that a module
failure results in the associated signals failing safe.
It is often necessary to separate signals across modules. Where non-redundant
configurations are employed, it is especially important to make sure that the
fail-safe action is generated in case of failures within the system.
Field loop power and its effect on inputs (sensors and modules) and outputs
(modules and actuators) must be considered. For normally-energized
configurations, field loop power loss leads to fail-safe reaction.
Where field signals are powered by separate supplies, power separation must be
maintained between modules so that isolation is maintained.
Configure SIL 2 Operation
To configure 1715 modules for SIL 2 applications, you must enable each 1715
module in your system for SIL 2 operation, and set its connection reaction time
limit (CRTL) and module requested packet interval (RPI). In addition, for input
modules, you must configure safe state input values.
IMPORTANT
In safety-critical applications that use a single sensor or single actuator, it is
important that the sensor failure modes be predictable and well understood so
that there is little probability of a failed sensor not responding to a critical
process condition. Test the sensor regularly, either by dynamic process
conditions that are verified in the 1715 system, or by manual intervention
testing. It is recommended that a written test plan be used for all testing.
IMPORTANT
Refer to