Rockwell Automation 1794 User Manual

FLEX I/O System with ControlLogix for SIL 2
Catalog Number Bulletin 1794 Reference Manual

Important User Information

Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines for the Application, Installation and Maintenance of Solid State Controls (publication SGI-1.1 available from your local Rockwell Automation sales office or online at http://literature.rockwellautomation.com)
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
ATTENTION: Identifies information about practices or circumstances that can lead to: personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
SHOCK HAZARD: Labels may be on or inside the equipment, such as a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, such as a drive or motor, to alert people that surfaces may reach dangerous temperatures.
Allen-Bradley, Rockwell Automation, FLEX I/O, RSLinx, RSLogix 5000 and TechConnect are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Preface

Introduction

This application manual is intended to describe the FLEX I/O with ControlLogix Control System components available from Rockwell Automation that are suitable for use in SIL2 applications. Use this manual in conjunction with publication 1756-RM001.
Alternate architectures can be used in SIL2 applications if they are approved by a certifying agency.

Manual Set-Up

This manual is designed to make clear how the FLEX I/O with ControlLogix Control System can be SIL2-certified. Table Preface.1 lists the information available in each section.

Table Preface.1
Section: | Title: | Description:
Chapter 1 | SIL Policy | Introduction to the SIL policy and how that policy relates to FLEX I/O with a ControlLogix system.
Chapter 2 | ControlLogix Communications | Description of the ControlLogix communications modules used in the SIL2-certified FLEX I/O with ControlLogix system.
Chapter 3 | FLEX I/O Modules | Description of the FLEX I/O modules used in the SIL2-certified FLEX I/O with ControlLogix system.
Chapter 4 | General Requirements for Application Software | Application software requirements for using ControlLogix and FLEX modules.
Chapter 5 | Technical SIL2 Requirements for the Application Program | Guidelines for application development in RSLogix 5000 as they relate to SIL2.
Appendix A | Failure Estimates | Failure rates based on field returns.

Understanding Terminology

The following table defines acronyms used in this manual.

Table Preface.2 List of Acronyms Used Throughout the Safety Application Manual
Acronym: | Full Term: | Definition:
CIP | Control and Information Protocol | A messaging protocol used by Logix5000™ systems. It is a native communications protocol used on ControlNet™ communications networks, among others.
DC | Diagnostic Coverage | The ratio of the detected failure rate to the total failure rate.
EN | European Norm | The official European Standard
GSV | Get System Value | A ladder logic output instruction that retrieves specified controller status information and places it in a destination tag.
MTBF | Mean Time Between Failures | Average time between failure occurrences.
MTTR | Mean Time to Restoration | Average time needed to restore normal operation after a failure has occurred.
PADT | Programming and Debugging Tool | RSLogix 5000 software used to program and debug a SIL2-certified FLEX I/O with ControlLogix application.
PC | Personal Computer | Computer used to interface with, and control, a ControlLogix system via RSLogix 5000 programming software.
PFD | Probability of Failure on Demand | The average probability of a system to fail to perform its design function on demand.
PFH | Probability of Failure per Hour | The probability of a system to have a dangerous failure occur per hour.
1oo1 | One out of one | A 1oo1 (one out of one) architecture consists of a single channel where any dangerous failure leads to a failure of the safety function.
1oo2 | One out of two | A 1oo2 (one out of two) architecture consists of two channels connected in parallel such that either channel can process the safety function.

Publication 1794-RM001G-EN-P - December 2011
Chapter 1

SIL Policy

This chapter introduces you to the SIL policy and how the ControlLogix/FLEX I/O system meets the requirements for SIL2 certification.
Topics in this chapter:
- Introduction to SIL
- SIL2 Certification
- Proof Tests
- SIL2-Certified FLEX I/O System Components
- Hardware Designs and Firmware Functions
- Difference Between PFD and PFH
- SIL Compliance Distribution and Weight
- Response Times

Introduction to SIL

Certain catalog numbers (listed in Table 1.1 on page 1-5) of the FLEX I/O with ControlLogix system are type-approved and certified for use in SIL2 applications, according to IEC 61508. SIL requirements are based on the standards current at the time of certification.
These requirements consist of mean time between failures (MTBF), probability of failure, failure rates, diagnostic coverage and safe failure fractions that fulfill SIL2 criteria. The results make the ControlLogix/FLEX I/O system suitable up to, and including, SIL2. When the ControlLogix/FLEX I/O system is in the maintenance or programming mode, the user is responsible for maintaining a safe state.
For support in creation of programs, the PADT (Programming and Debugging Tool) is required. The PADT for ControlLogix/FLEX I/O is RSLogix 5000, per IEC 61131-3, and this Safety Reference Manual.
The TUV Rheinland has approved the ControlLogix/FLEX I/O system for use in up to and including SIL 2 safety related applications in which the de-energized state is considered to be the safe state. All of the examples related to I/O included in this manual are based on achieving de-energization as the safe state for typical Emergency Shutdown (ESD) Systems.

SIL2 Certification

Figure 1.1 shows a typical SIL loop, including:
- the overall safety loop
- the ControlLogix/FLEX I/O portion of the overall safety loop
- how other devices (for example, HMI) connect to the loop, while operating outside the loop

Figure 1.1
[Diagram: the overall safety loop, with the SIL2-certified ControlLogix components' portion of the overall safety loop marked inside it. Labeled elements: Plant-wide Ethernet/Serial, ControlNet, ENB and CNB modules, 1794 FLEX I/O, input devices, DI1, DI2, DO1, DO2, +V, actuators, and links to other safety related ControlLogix or FLEX I/O remote I/O chassis. See Figures 3.1 and 3.5 for details.]
Programming Software: For SIL applications, a programming terminal is not normally connected.
HMI: For Diagnostics and Visualization (read-only access to controllers in the safety loop). For more information, see publication 1756-RM001.
Note 1: Multiple 1756-CNB or -CNBR modules can be installed into the chassis as needed. Other configurations are possible as long as they are SIL2 approved.
Note 2: Two adapters are required for meeting SIL2 as shown in the figure. The adapters can be either ControlNet or Ethernet and must be from the list of approved products.
IMPORTANT: Important Note related to published PFDs.
The user must choose the appropriate PFD depending on combinations and the appropriate 1oo1 or 1oo2 configuration.
Discrete and analog inputs must be used in a 1oo2 configuration for SIL 2.
Adapters must be used in a 1oo2.
Outputs may be 1oo2 in series or 1oo1 monitored by an input with an external relay as a secondary device to remove power.
Some specialized inputs can only be wired to a single sensor such as thermocouples and two 1oo1 PFDs must be used for each.
The total PFD for two 1oo1s is the sum of both.
IMPORTANT: The system user is responsible for:
- the set-up, SIL rating and validation of any sensors or actuators connected to the ControlLogix/FLEX I/O control system.
- project management and functional testing.
- programming the application software and the module configuration according to the description in the following chapters.
The SIL2 portion of the certified system excludes the development tools and display/human machine interface (HMI) devices; these tools and devices are not part of the run time control loop.

Proof Tests

IEC 61508 requires the user to perform various proof tests of the equipment used in the system. Proof tests are performed at user-defined times (for example, proof test intervals can be once a year, once every two years or whatever timeframe is appropriate) and include some of the following tests:
- Testing of all fault routines to verify that process parameters are monitored properly and the system reacts properly when a fault condition arises.
- Testing of digital input or output channels to verify that they are not stuck in the ON or OFF state.
- Calibration of analog input and output modules to verify that accurate data is obtained from and used on the modules.
IMPORTANT: Users' specific applications will determine the timeframe for the proof test interval. However, keep in mind that the Probability of Failure on Demand (PFD) calculations listed in Table 1.2 on page 1-8 use a proof test interval of once per year. If the proof test interval is changed, the information must be recalculated.
For more information on system proof tests, see Publication 1756-RM001. For more information on the necessary I/O module, see Table 1.1.

SIL2-Certified FLEX I/O System Components

Table 1.1 lists the components available for use in a SIL2-certified FLEX I/O system. For a list of ControlLogix SIL2 certified products, see publication 1756-RM001.

Table 1.1 FLEX I/O Components For Use in the SIL 2 System
Catalog Number (1) | Description | Series (2) | Firmware Revision (2)(3) | Installation Instructions (4) | User Manual (4)
Adapter
1794-ACN15 | ControlNet Single Media Adapter | C | 4.3, 5.1, 5.2, 5.3, 5.x | 1794-IN101, 1794-IN128 | NA
1794-ACN15 | ControlNet Single Media Adapter | D | 10.1, 10.2, 10.3, 10.x | |
1794-ACNR15 | ControlNet Redundant Media Adapter | C | 4.3, 5.1, 5.2, 5.3, 5.x | |
1794-ACNR15 | ControlNet Redundant Media Adapter | D | 10.1, 10.2, 10.3, 10.x | |
1794-ACNR15XT | | C | 5.1, 5.2, 5.3, 5.x | |
1794-ACNR15XT | | D | 10.1, 10.2, 10.3, 10.x | |
1794-AENT | 10/100Mb Ethernet Communication Adapter | B | 4.1, 4.2, 4.x | 1794-IN082 |
1794-AENTR | | A | 1.011, 1.x | 1794-IN131 | 1794-UM066
1794-AENTRXT | | | | |
I/O Modules - Digital
1794-IB16 | 16 Sink Input Module | A | NA | 1794-IN093 | NA
1794-IB10XOB6 | 10 Input/6 Output Module | A | NA | 1794-IN083 |
1794-OB16 | 16 Source Output Module | A | NA | 1794-IN094 |
1794-OB16P | 16 Protected Output Module | A | NA | 1794-IN094 |
1794-OB8EP | 8 Protected Output Module | A | NA | 1794-IN094 |
1794-OW8 | Isolated Relay Output Module | A | NA | 1794-IN019 |
1794-OB8EPXT | 8 Protected Output Module | A | NA | 1794-IN124 |
1794-IB16XT | 16 Sink Input Module | A | NA | |
1794-OB16PXT | 16 Protected Output Module | A | NA | |
1794-IB10XOB6XT | 10 Input/6 Output Combo Module | A | NA | |
1794-OW8XT | 8 Relay Output Module | A | NA | 1794-IN019 |
I/O Modules - Analog
1794-IE8 | 8 Input Analog Module | B | NA | 1794-IN100 | 1794-UM002
1794-IF4I | 4 Isolated Input Analog Module | A | F, G, H, I, I.x | 1794-IN038 | 1794-UM008
1794-IF2XOF2I | 2 In/2 Out Isolated Combo Module | A | F, G, H, I, I.x | 1794-IN039 | 1794-UM008
1794-OE4 | 4 Output Analog Module | B | NA | 1794-IN100 | 1794-UM002
1794-OF4I | 4 Isolated Output Analog Module | A | F, G, H, I, I.x | 1794-IN037 | 1794-UM008
1794-IT8 | Thermocouple Input Module | A | K, K.x | 1794-IN021 | 1794-UM007
1794-IR8 | RTD Input Module | A | K, K.x | 1794-IN021 | 1794-UM004
1794-IRT8 | TC/RTD Input Module | B | B, D, E, E.1, E.x | 1794-IN050 | 1794-UM012
1794-IJ2 | 2 Ch. Frequency Counter Module | A | D | 1794-IN049 | 1794-UM011
1794-IP4 | 4 Ch. Pulse Counter Module | B | 4, 4.x | 1794-IN064 | 1794-UM016
1794-IE4XOE2XT | 4 Input/2 Output Analog Combo Module | B | NA | 1794-IN125 | NA
1794-IE8XT | 8 Input analog Module | B | NA | |
1794-OE4XT | 4 Output Analog Module | B | NA | |
1794-IF2XOF2IXT | 2 Input/2 Output Isolated Analog Combo Module | A | I, I.x | 1794-IN129 |
1794-IF4IXT | 4 Isolated Input Analog Module | A | I, I.x | |
1794-OF4IXT | 4 Isolated Output Analog Module | A | I, I.x | |
1794-IF4ICFXT | 4 Isolated Input Analog Module | A | I, I.x | 1794-IN130 |
1794-IJ2XT | 2 Ch. Frequency Counter Module | A | E, E.x | 1794-IN049 |
1794-IRT8XT | 8 TC/RTD Input Analog Module | B | D, E, E.1, E.x | 1794-IN050 |
Terminal Base Units
1794-TB3 | 3-Wire Terminal Base Unit | A | NA | 1794-IN092 | NA
1794-TB3S | 3-Wire Terminal Base Unit | A | NA | |
1794-TB3T | Temperature Terminal Base Unit | A | NA | |
1794-TB3TS | Spring-clamp Temperature Base Unit | A | NA | |
1794-TB3G | Cage-clamp Gen. Terminal Base Unit | A | NA | |
1794-TB3GS | Spring-clamp Gen. Terminal Base Unit | A | NA | |
1794-TBN | NEMA Terminal Base Unit | A | NA | |
1794-TBNF | Fused NEMA Terminal Base Unit | A | NA | |
(1) Certain catalog numbers have a K suffix. This indicates a conformally coated version of the product. These K versions have the same SIL2 certification as the non-K versions.
(2) The firmware versions marked with extension .x (x can be 0 ... 99) constitute minor changes for enhancements. The test institute will be informed of any change.
(3) Users must use these series and firmware revisions for their application to be SIL2 certified. Firmware revisions are available by visiting http://support.rockwellautomation.com/ControlFlash/
(4) These publications are available from Rockwell Automation by visiting http://literature.rockwellautomation.com.
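One way to apply footnotes (1) to (3) of Table 1.1 when auditing an installed-module inventory, as an added example that is not Rockwell Automation code. The approved entries are copied from a few Table 1.1 rows; the inventory is constructed, `1794-EXAMPLE` is a placeholder catalog number, and reading `.x` as an integer minor field from 0 to 99 is an assumption about footnote (2).

```python
import re

# Approved series -> firmware revisions, copied from a few Table 1.1 rows on this page.
# "NA" means the table lists no firmware revision for that module.
APPROVED = {
    "1794-AENTR": {"A": ["1.011", "1.x"]},
    "1794-IP4": {"B": ["4", "4.x"]},
    "1794-IT8": {"A": ["K", "K.x"]},
    "1794-IJ2XT": {"A": ["E", "E.x"]},
    "1794-IB16": {"A": ["NA"]},
}


def normalize_catalog(catalog):
    """Footnote (1): a K suffix marks a conformally coated version, same certification."""
    cat = catalog.strip().upper()
    if cat.endswith("K") and cat[:-1] in APPROVED:
        return cat[:-1]
    return cat


def firmware_matches(pattern, firmware):
    """Footnote (2): '.x' stands for a minor field x in 0..99 (integer compare is assumed)."""
    fw = firmware.strip().upper()
    if pattern == "NA":
        return True  # nothing to compare; the series check still applies
    if pattern.endswith(".x"):
        m = re.fullmatch(re.escape(pattern[:-2].upper()) + r"\.(\d{1,3})", fw)
        return m is not None and int(m.group(1)) <= 99
    return pattern.upper() == fw


def check_module(catalog, series, firmware):
    """Footnote (3): return (ok, reason) for one installed module."""
    table = APPROVED.get(normalize_catalog(catalog))
    if table is None:
        return False, "catalog number not in approved subset"
    patterns = table.get(series.strip().upper())
    if patterns is None:
        return False, "series not listed"
    if any(firmware_matches(p, firmware) for p in patterns):
        return True, "listed"
    return False, "firmware revision not listed"


# Constructed inventory: (catalog number, series, firmware revision as read from the module).
INVENTORY = [
    ("1794-AENTR", "A", "1.011"),
    ("1794-AENTR", "A", "1.14"),    # covered by 1.x
    ("1794-AENTR", "A", "2.1"),     # major revision not in the table
    ("1794-IT8K", "A", "K.2"),      # conformally coated variant of 1794-IT8
    ("1794-IP4", "A", "4.1"),       # table lists series B only
    ("1794-IB16", "A", ""),         # no firmware revision listed (NA)
    ("1794-EXAMPLE", "A", "1.1"),   # placeholder, not in the table
]


def audit(inventory):
    """Return the entries that fall outside the approved list, with the reason."""
    findings = []
    for catalog, series, firmware in inventory:
        ok, reason = check_module(catalog, series, firmware)
        if not ok:
            findings.append((catalog, series, firmware, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("NOT COVERED:", *finding)
```
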

Hardware Designs and Firmware Functions

Diagnostic hardware designs and firmware functions designed into the ControlLogix/FLEX I/O platform allow it to achieve at least SIL2 certification in a single-controller configuration. These diagnostic features are incorporated into specific FLEX I/O components, such as the:
- adapter
- power supply
- I/O modules
- terminal base units
and are covered in subsequent sections. The ControlLogix/FLEX I/O platform’s designs, features and characteristics make it one of the most intelligent platforms.

Difference Between PFD and PFH

Table 1.2 and Table 1.3 present values of the PFDs and PFHs for the specific FLEX I/O products evaluated by TUV.
FLEX I/O uses the same PFD and PFH assumptions as stated in publication 1756-RM001.
Table 1.2 FLEX I/O Product Probability of Failure on Demand (PFD) Calculations (T1 = 1 yr)
Catalog Number | Description | Mean Time Between Failure (MTBF) (1) | λ (3) | Calculated PFD 1oo2 architecture
1794-ACN15 | ControlNet Single Media Adapter | 8,223,684 | 1.22E-07 | 2.15E-06
1794-ACNR15 | ControlNet Redundant Media Adapter | 8,223,684 | 1.22E-07 | 2.15E-06
1794-AENT | 10/100Mb Ethernet Communication Adapter | 691,134 | 1.45E-06 | 2.76E-05
1794-AENTR | 10/100Mb Ethernet Redundant Communication Adapter | 1,268,070 | 7.89E-07 | 1.45E-05
1794-IB10XOB6 | 10 Input/6 Output Module | 4,943,442 | 2.02E-07 | 3.60E-06
1794-IB16 | 16 Sink Input Module | 4,105,090 | 2.44E-07 | 4.34E-06
1794-IE8 | Analog Input Module | 37,952,679 | 2.63E-08 | 4.64E-07
1794-IF2XOF2I | Isolated Analog Input/Output Module | 25,296,960 | 3.95E-08 | 6.97E-07
1794-IF4I | Isolated Analog Input Module | 11,746,343 | 8.51E-08 | 1.50E-06
1794-IJ2 | Frequency Counter Module | 2,418,321 | 4.14E-07 | 7.45E-06
1794-IP4 | Pulse Counter Module | 2,375,360 | 4.21E-07 | 7.58E-06
1794-IR8 | RTD Input Module | 6,191,655 | 1.62E-07 | 2.87E-06
1794-IRT8 | TC/RTD/mV Input Module | 1,182,438 | 8.46E-07 | 1.56E-05
1794-IT8 | Thermocouple Input Module | 1,564,324 | 6.39E-07 | 1.17E-05
1794-OB16 | 16 Source Output Module | 1,883,594 | 5.31E-07 | 9.62E-06
1794-OB16P | Protected Output Module | 2,135,280 | 4.68E-07 | 8.46E-06
1794-OB8EP | Protected Output Module | 2,389,669 (2) | 4.18E-07 | 7.54E-06
1794-OE4 | Analog Output Module | 23,807,086 | 4.20E-08 | 7.41E-07
1794-OF4I | Isolated Analog Output Module | 7,191,128 | 1.39E-07 | 2.47E-06
1794-OW8 | Relay Output Module | 14,766,876 | 6.77E-08 | 1.20E-06
1794-TB3 | Terminal Base Units | 21,128,346 (2) | 4.73E-08 | 8.35E-07
1794-TB3G | Generic Terminal Base Units | 27,320,800 | 3.66E-08 | 6.45E-07
1794-TB3GS | Generic Terminal Base Units | 46,425,600 | 2.15E-08 | 3.79E-07
1794-TB3S | Terminal Base Unit | 71,433,747 (2) | 1.40E-08 | 2.46E-07
1794-TB3T | Temperature Terminal Base Units | 73,096,226 (2) | 1.37E-08 | 2.41E-07
1794-TB3TS | Temperature Terminal Base Units | 75,763,399 (2) | 1.32E-08 | 2.32E-07
1794-TBN | Terminal Base Units | 75,716,615 | 1.32E-08 | 2.32E-07
1794-TBNF | Fused Terminal Base Units | 4,812,320 (2) | 2.08E-07 | 3.70E-06
1794-ACNR15XT | ControlNet Redundant Media Adapter | 8,223,684 | 1.22E-07 | 2.15E-06
1794-AENTRXT | 10/100Mb Ethernet Redundant Communication Adapter | 1,268,070 | 7.89E-07 | 1.45E-05
1794-OB8EPXT | 8 Protected Output Module | 14,771,049 | 6.77E-08 | 1.20E-06
1794-IB16XT | 16 Sink Input Module | 35,587,189 | 2.81E-08 | 4.95E-07
1794-OB16PXT | 16 Protected Output Module | 26,709,401 | 3.74E-08 | 6.60E-07
1794-IB10XOB6XT | 10 Input/6 Output Combo Module | 22,202,487 | 4.50E-08 | 7.94E-07
1794-OW8XT | 8 Relay Output Module | 18,518,519 | 5.40E-08 | 9.53E-07
1794-IE4XOE2XT | 4 Input/2 Output Analog Combo Module | 11,800,802 | 8.47E-08 | 1.50E-06
1794-IE8XT | 8 Input analog Module | 14,041,000 | 7.12E-08 | 1.26E-06
1794-OE4XT | 4 Output Analog Module | 11,381,744 | 8.79E-08 | 1.55E-06
1794-IF2XOF2IXT | 2 Input/2 Output Isolated Analog Combo Module | 6,317,918 | 1.58E-07 | 2.81E-06
1794-IF4IXT | 4 Isolated Input Analog Module | 7,297,140 | 1.37E-07 | 2.43E-06
1794-IF4ICFXT | 4 Isolated Input Analog Module | 7,297,140 | 1.37E-07 | 2.43E-06
1794-OF4IXT | 4 Isolated Output Analog Module | 5,493,902 | 1.82E-07 | 3.24E-06
1794-IJ2XT | 2 Ch. Frequency Counter Module | 11,714,128 | 8.54E-08 | 1.51E-06
1794-IRT8XT | 8 TC/RTD Input Analog Module | 8,204,792 | 1.22E-07 | 2.16E-06
(1) MTBF measured in hours.
(2) Calculated using field-based values for components
(3) λ = Failure Rate = 1/MTBF
Table 1.3 FLEX I/O Product Probability of Undetected Dangerous Failure per Hour (PFH) Calculations (T1 = 1 yr)
Catalog Number | Description | Mean Time Between Failure (MTBF) (1) | λ (3) | Calculated PFH 1oo2 architecture
1794-ACN15 | ControlNet Single Media Adapter | 8,223,684 | 1.22E-07 | 8.64E-10
1794-ACNR15 | ControlNet Redundant Media Adapter | 8,223,684 | 1.22E-07 | 8.64E-10
1794-AENT | 10/100Mb Ethernet Communication Adapter | 691,134 | 1.45E-06 | 1.19E-08
1794-AENTR | 10/100Mb Ethernet Redundant Communication Adapter | 1,268,070 (2) | 7.89E-07 | 6.05E-09
1794-IB10XOB6 | 10 Input/6 Output Module | 4,943,442 | 2.02E-07 | 1.45E-09
1794-IB16 | 16 Sink Input Module | 4,105,090 | 2.44E-07 | 1.76E-09
1794-IE8 | Analog Input Module | 37,952,679 | 2.63E-08 | 1.85E-10
1794-IF2XOF2I | Isolated Analog Input/Output Module | 25,296,960 | 3.95E-08 | 2.78E-10
1794-IF4I | Isolated Analog Input Module | 11,746,343 | 8.51E-08 | 6.02E-10
1794-IJ2 | Frequency Counter Module | 2,418,321 | 4.14E-07 | 3.04E-09
1794-IP4 | Pulse Counter Module | 2,375,360 | 4.21E-07 | 3.10E-09
1794-IR8 | RTD Input Module | 6,191,655 | 1.62E-07 | 1.15E-09
1794-IRT8 | TC/RTD/mV Input Module | 1,182,438 | 8.46E-07 | 6.53E-09
1794-IT8 | Thermocouple Input Module | 1,564,324 | 6.39E-07 | 4.82E-09
1794-OB16 | 16 Source Output Module | 1,883,594 | 5.31E-07 | 3.96E-09
1794-OB16P | Protected Output Module | 2,135,280 | 4.68E-07 | 3.47E-09
1794-OB8EP | Protected Output Module | 2,389,669 (2) | 4.18E-07 | 3.08E-09
1794-OE4 | Analog Output Module | 23,807,086 | 4.20E-08 | 2.96E-10
1794-OF4I | Isolated Analog Output Module | 7,191,128 | 1.39E-07 | 9.90E-10
1794-OW8 | Relay Output Module | 14,766,876 | 6.77E-08 | 4.78E-10
1794-TB3 | Terminal Base Units | 21,128,346 (2) | 4.73E-08 | 3.33E-10
1794-TB3G | Generic Terminal Base Units | 27,320,800 | 3.66E-08 | 2.57E-10
1794-TB3GS | Generic Terminal Base Units | 46,425,600 | 2.15E-08 | 1.51E-10
1794-TB3S | Terminal Base Unit | 71,433,747 (2) | 1.40E-08 | 9.82E-11
1794-TB3T | Temperature Terminal Base Units | 73,096,226 (2) | 1.37E-08 | 9.59E-11
1794-TB3TS | Temperature Terminal Base Units | 75,763,399 (2) | 1.32E-08 | 9.25E-11
1794-TBN | Terminal Base Units | 75,716,615 | 1.32E-08 | 9.26E-11
1794-TBNF | Fused Terminal Base Units | 4,812,320 (2) | 2.08E-07 | 1.49E-09
1794-ACNR15XT | ControlNet Redundant Media Adapter | 8,223,684 | 1.22E-07 | 8.64E-10
1794-AENTRXT | 10/100Mb Ethernet Redundant Communication Adapter | 1,268,070 (2) | 7.89E-07 | 6.05E-09
1794-OB8EPXT | 8 Protected Output Module | 14,771,049 | 6.77E-08 | 4.78E-10
1794-IB16XT | 16 Sink Input Module | 35,587,189 | 2.81E-08 | 1.97E-10
1794-OB16PXT | 16 Protected Output Module | 26,709,401 | 3.74E-08 | 2.63E-10
1794-IB10XOB6XT | 10 Input/6 Output Combo Module | 22,202,487 | 4.50E-08 | 3.17E-10
1794-OW8XT | 8 Relay Output Module | 18,518,519 | 5.40E-08 | 3.80E-10
1794-IE4XOE2XT | 4 Input/2 Output Analog Combo Module | 11,800,802 | 8.47E-08 | 5.99E-10
1794-IE8XT | 8 Input analog Module | 14,041,000 | 7.12E-08 | 5.03E-10
1794-OE4XT | 4 Output Analog Module | 11,381,744 | 8.79E-08 | 6.22E-10
1794-IF2XOF2IXT | 2 Input/2 Output Isolated Analog Combo Module | 6,317,918 | 1.58E-07 | 1.13E-09
1794-IF4IXT | 4 Isolated Input Analog Module | 7,297,140 | 1.37E-07 | 9.75E-10
1794-IF4ICFXT | 4 Isolated Input Analog Module | 7,297,140 | 1.37E-07 | 9.75E-10
1794-OF4IXT | 4 Isolated Output Analog Module | 5,493,902 | 1.82E-07 | 1.30E-09
1794-IJ2XT | 2 Ch. Frequency Counter Module | 11,714,128 | 8.54E-08 | 6.04E-10
1794-IRT8XT | 8 TC/RTD Input Analog Module | 8,204,792 | 1.22E-07 | 8.66E-10
(1) MTBF measured in hours.
(2) Calculated using field-based values for components
(3) λ = Failure Rate = 1/MTBF
Table 1.4 shows an example of a PFD calculation for a safety loop involving two DC input modules used in a 1oo2 configuration and a DC output module.
Table 1.4
Catalog Number: | Description: | MTBF: | Calculated 1oo2 PFD:
1794-ACNR15 | ControlNet Dual Media Adapter 1.5 | 3,259,605 | 1.56E-06
1794-IB16 | 24V DC Input Module | 6,409,846 | 4.34E-06
1794-IB16 | 24V DC Input Module | 6,409,846 | 4.34E-06
1794-OB16 | 24V DC Output Module | 4,284,857 | 9.62E-06
1794-OW8 | Relay Output Module | 1,312,973 | 1.20E-06
1756-L63B (1) | ControlLogix Controller | 2,460,065 | 2.33E-04
1756-CNB | ControlNet Bridge Module | 3,596,087 | 1.15E-04
1756-CNB | ControlNet Bridge Module | 3,596,087 | 1.15E-04
Total PFD calculation for a safety loop consisting of these products: 3.70E-04
(1) See Publication 1756-RM001 for more information.
[Figure: block diagram of the example safety loop. Labeled elements: 1794-IB16 (two), 1794-OB16, 1794-OW8, 1794-TB3 (1), 1794-TB3 (2), 1794-ACNR15 (1), 1794-ACNR15 (2), 1756-CNB (two), 1756-L63B, ControlNet.]

SIL Compliance Distribution and Weight

The programmable controller may conservatively be assumed to contribute 10% of the reliability burden. A SIL 2 system may need to incorporate multiple inputs for critical sensors and input devices, as well as dual outputs connected in series to dual actuators dependent on SIL assessments for the safety related system.

Response Times

The response time of the system is defined as the amount of time it takes for a change in an input condition to be recognized and processed by the controller’s ladder logic program, and then to initiate the appropriate output signal to an actuator. The system response time is the sum of the following:
- input hardware delays
- input filtering
- I/O and communication module RPI settings
- controller program scan times
- output module propagation delays
See Table 1.1 for associated module information.
Each of the times listed above is variably dependent on factors such as the type of I/O module and instructions used in the ladder program. For examples of how to perform these calculations, see publication 1756-RM001.