0% found this document useful (0 votes)

240 views

Using ControlLogix in SIL 2 Applications

Uploaded by

Jorge Jarrin

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

240 views

Using ControlLogix in SIL 2 Applications

Uploaded by

Jorge Jarrin

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 140

Using ControlLogix in

SIL 2 Applications
ControlLogix 5560 and 5570 Controllers

Reference Manual Original Instructions

Using ControlLogix in SIL 2 Applications Reference Manual

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

2 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Table of Contents
About This Publication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Download Firmware, AOP, EDS, and Other Files . . . . . . . . . . . . . . . . . . . . 7
Summary of Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1
SIL Policy Introduction to Safety Integrity Level (SIL) . . . . . . . . . . . . . . . . . . . . . . . . . 9
Programming and Debugging Tool (PADT) . . . . . . . . . . . . . . . . . . . . 10
About the ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Gas and Fire Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Boiler and Combustion Considerations . . . . . . . . . . . . . . . . . . . . . . . . 11
Typical SIL 2 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Simplex Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Duplex Logic-Solver Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Duplex System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Proof Testing with Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . 27
Reaction Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Reaction Times in Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Safety Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Safety Certifications and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 2
Features of the ControlLogix SIL Module Fault Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2 System Data Echo Communication Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Pulse Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Communication Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
ControlNet Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
EtherNet/IP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Electronic Keying of Modules in SIL 2 Applications. . . . . . . . . . . . . . . . . 35

Chapter 3
ControlLogix Controllers, ControlLogix Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chassis, and Power Supplies Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Requirements for Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
ControlLogix Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
ControlLogix Power Supplies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Redundant Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Recommendations for Using Power Supplies. . . . . . . . . . . . . . . . . . . 39

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 3

Chapter 4
ControlLogix Communication Introduction to Communication Modules . . . . . . . . . . . . . . . . . . . . . . . . . 41
Modules ControlNet Modules and Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
ControlNet Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
ControlNet Repeater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
ControlNet Module Diagnostic Coverage . . . . . . . . . . . . . . . . . . . . . . 42
EtherNet/IP Communication Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
DeviceNet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Data Highway Plus - Remote I/O Module (1756-DHRIO) . . . . . . . . . . . . 43
SynchLink Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
General Requirements for Communication Networks . . . . . . . . . . . . . . 43
Peer-to-peer Communication Requirements. . . . . . . . . . . . . . . . . . . . . . . 44
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 5
ControlLogix I/O Modules Overview of ControlLogix I/O Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Using 1756 Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Requirements When Using Any ControlLogix Digital Input Module . . . 47
Wiring ControlLogix Digital Input Modules. . . . . . . . . . . . . . . . . . . . 47
Using 1756 Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Requirements When Using ControlLogix Digital Output Modules. . . . . 49
Wiring ControlLogix Digital Output Modules . . . . . . . . . . . . . . . . . . 50
Using 1756 Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Conduct Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Calibrate Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Use the Floating Point Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Program to Respond to Faults Appropriately . . . . . . . . . . . . . . . . . . . 54
Program to Compare Analog Input Data . . . . . . . . . . . . . . . . . . . . . . . 55
Configure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Specify the Same Controller as the Owner. . . . . . . . . . . . . . . . . . . . . . 56
Wiring ControlLogix Analog Input Modules. . . . . . . . . . . . . . . . . . . . 56
Using 1756 HART Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Wiring the HART Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . 61
Using 1756 Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Considerations for Using Analog Output Modules . . . . . . . . . . . . . . 62
Wiring ControlLogix Analog Output Modules . . . . . . . . . . . . . . . . . . 64
Using 1756 HART Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . 66
Wiring the HART Analog Output Modules . . . . . . . . . . . . . . . . . . . . . 66

Chapter 6
FLEX I/O Modules Overview of FLEX I/O Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Using 1794 Digital Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Requirements When Using FLEX I/O Digital Input Modules. . . . . 67
Wiring FLEX I/O Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . 68
Using 1794 Digital Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Considerations When Using FLEX I/O Digital Output Modules . . 69
Wiring FLEX I/O Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . 70

4 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Using 1794 Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Considerations When Using FLEX I/O Analog Input Modules . . . 71
Wiring FLEX I/O Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . 73
Using 1794 Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Requirements When Using FLEX I/O Analog Output Modules . . . 77
Wiring FLEX I/O Analog Output Modules. . . . . . . . . . . . . . . . . . . . . . 79

Chapter 7
Requirements for Application Software for SIL 2-Related Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Development SIL 2 Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Programming Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Programming Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Basics of Application Program Development and Testing . . . . . . . . . . . 83
Functional Specification Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Sensors (digital or analog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Actuators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Creating the Application Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Logic and Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Program Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Program Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
SIL Task/Program Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Forcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Checking the Application Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Verify Download and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Commissioning Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Changing Your Application Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Chapter 8
Faults in the . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
ControlLogix System
Chapter 9
Use of Human-to-Machine Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Interfaces Accessing Safety-related Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Reading Parameters in Safety-related Systems . . . . . . . . . . . . . . . . . 95
Changing Safety-related Parameters in SIL-rated Systems . . . . . . 96

Appendix A
Reaction Times of the Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
ControlLogix System Remote Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Calculating Worst-case Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
For Digital Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
For Analog Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Appendix B
SIL 2-certified ControlLogix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
System Components
Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 5
Appendix C
PFD and PFH Calculations About PFD and PFH Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
for a SIL 2 System Determine Which Values To Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
About the Calculations in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
1-Year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
2-Year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5-year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Using Component Values to Calculate System PFD. . . . . . . . . . . . . . . . 126
Example: 1-year PFD Calculation for a ControlLogix System
(1oo1 Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Example: 1-year PFD Calculation for a ControlLogix System
(1oo2 Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Appendix D
Using ControlLogix and FLEX I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Modules in SIL 1 Applications
Appendix E
Checklists Checklist for the ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Checklist for SIL Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Checklist for SIL Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Checklist for the Creation of an Application Program. . . . . . . . . . . . . . 134

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

6 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Preface

About This Publication This safety reference manual describes the ControlLogix® Control System
components that are suitable for use in low demand and high demand (no
more than 10 demands per year) safety-related control, up to and including
SIL 2 applications. The manual also provides safety-related information, such
as PFD calculations, system configurations, programming, and
implementation.

IMPORTANT This manual describes typical SIL 2 implementations using ControlLogix equipment. Keep in mind that the
descriptions presented in this manual do not preclude other methods of implementing a SIL 2-compliant system
by using ControlLogix equipment.
Make sure that other methods are reviewed and approved by a recognized certifying body, such as TÜV Rheinland
Group.

Download Firmware, AOP, Download firmware, associated files (such as AOP, EDS, and DTM), and access
EDS, and Other Files product release notes from the Product Compatibility and Download Center at
rok.auto/pcdc.

Summary of Changes This publication contains the following new or updated information. This list
includes substantive updates only and is not intended to reflect all changes.
Topic Page
Added PFD and PFH calculations for series B modules 110…123

Terminology This table defines abbreviations that are used in this manual.

Abbreviation Full Term Definition

An industrial communication protocol that is used by Logix 5000™-based automation systems on EtherNet/IP™,
CIP™ Common Industrial Protocol ControlNet®, and DeviceNet® communication networks.
CL Claim Limit The maximum level that can be achieved.
DC Diagnostic Coverage The ratio of the detected failure rate to the total failure rate.
A safe-state safety action that the safety function initiates.
— Demand A normal control action/function is not a safety demand. A safety demand occurs when safety conditions are met.
Typically, a safety demand only occurs when standard control fails to perform its control function.
— Demand Rate The expected rate (per year) that a safe-state safety action is executed by the safety function.
EN European Norm. The official European Standard.
GSV Get System Value A ladder logic instruction that retrieves specified controller information and places it in a destination tag.
MTBF Mean Time Between Failures Average time between failure occurrences.
MTTR Mean Time to Restoration Average time that is needed to restore normal operation after a failure has occurred.
Programming and Debugging RSLogix 5000® and Studio 5000 Logix Designer® application is used to program and debug a SIL 2-certified
PADT Tool ControlLogix application.
PFD Probability of Failure on Demand The average probability of a system to fail to perform its design function on demand.
PFH Probability of Failure per Hour The probability of a system to have a dangerous failure occur per hour.
SFF Safe Failure Fraction The ratio of safe failure plus dangerous detected failure to total failures.
A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical/
SIL Safety Integrity Level electronic/ programmable electronic (E/E/PE) part of the safety system.
STR Spurious Trip Rate That part of the overall failure rate that does not lead to a dangerous undetected failure.
TCE Channel Equivalent Mean The sum of downtime contributions from both the dangerous detected failure rate and the dangerous undetected
Downtime failure rate, on a per channel basis.
TGE The sum of downtimes resulting from dangerous detected and dangerous undetected failure rates that are associated
System Equivalent Downtime with both channels.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 7

Additional Resources These documents contain additional information concerning related products
from Rockwell Automation.
Resource Description
ControlLogix SIL 2 System Configuration Using RSLogix 5000 Explains how to configure a SIL 2-certified system by using subroutines that are provided by
Subroutines, publication 1756-AT010 Rockwell Automation.
ControlLogix SIL 2 System Configuration Using SIL2 Add-On Instructions, Explains how to configure a SIL 2-certified system by using Add-On Instructions that are provided
publication 1756-AT012 by Rockwell Automation.
Logix 5000 Controllers General Instruction Set Reference Manual, Contains descriptions and use considerations of general instructions available for Logix 5000
publication 1756-RM003 controllers.
High-Resolution Analog I/O Modules User Manual 1756-UM540 Describes how to install, configure, and troubleshoot ControlLogix analog I/O modules.
ControlLogix System User Manual, publication 1756-UM001 Explains how to use the ControlLogix controllers.
ControlLogix Standard Redundancy System User Manual,
publication 1756-UM523 Explains how to install, configure, and use a standard redundancy system.
ControlLogix Enhanced Redundancy System User Manual,
publication 1756-UM535 Explains how to install, configure, and use an enhanced redundancy system.
ControlLogix Digital I/O User Manual, publication 1756-UM058 Provides information about the use of ControlLogix digital I/O modules.
ControlLogix Analog I/O Modules User Manual, publication 1756-UM009 Provides information about the use of ControlLogix analog I/O modules.
EtherNet/IP Device Level Ring Application Technique, Describes Device Level Ring (DLR) topologies, configuration considerations, and diagnostic
publication ENET-AT007 methods.
Logix 5000 Controllers Execution Time and Memory Use Reference,
publication 1756-RM087 Provides estimated execution times that can be used in worst-case scenario calculations.
Logix 5000 Controllers Common Procedures Programming Manual,
publication 1756-PM001 Explains various programming-related topics.
Provides guidance on how to conduct security assessments, implement Rockwell Automation
System Security Design Guidelines Reference Manual, SECURE-RM001 products in a secure system, harden the control system, manage user access, and dispose of
equipment.
Industrial Automation Wiring and Grounding Guidelines, publication
1770-4.1 Provides general guidelines for installing a Rockwell Automation industrial system.
Product Certifications website, rok.auto/certifications. Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at rok.auto/literature.

8 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1

SIL Policy

Introduction to Safety Certain catalog numbers of the ControlLogix® system (listed in Appendix B)
Integrity Level (SIL) are type-approved and certified for use in SIL 2 applications according to these
standards:
• IEC 61508, edition 2, 2010 (this manual describes architectures that are
required to achieve edition 2)
• IEC 61511

Approval requirements are based on the standards current at the time of

certification.

These requirements consist of a detailed design process requirements, test

requirements, software analysis, and hardware probability of failure analysis.
Further, it is required to have the mean time between failures (MTBF),
probability of failure, failure rates, diagnostic coverage, and safe failure
fractions that fulfill SIL 2 criteria. The results make the ControlLogix system
suitable up to and including SIL 2 for demand rates up to and including ten
demands per year.

The TÜV Rheinland Group has approved the ControlLogix system for use in up
to, and including, SIL 2 safety-related applications in which the de-energized
state is typically considered to be the safe state.

Life expectancy for the ControlLogix system components is 20 years.

IMPORTANT Keep in mind that a demand is an event where the safety function is
executed. A ControlLogix system can be configured to execute standard
control and safety functions. The demand rate is determined by how
often the safety function is executed and not how often the control
function is executed.
When used in accordance with the information in this manual and the
relevant safety standards, the ControlLogix system is suitable for
applications up to and including SIL 2, where the demand rate is no
more than 10 times per year.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 9

Chapter 1 SIL Policy

Programming and Debugging Tool (PADT)

For support in creation of programs, the PADT (Programming and Debugging

Tool) is required. The PADT for ControlLogix is RSLogix 5000® software or
Studio 5000 Logix Designer® application, per IEC 61131-3, and this Safety
Reference Manual.

For more information about programming a system by using optional pre-

developed Add-On Instructions, see the ControlLogix SIL 2 System
Configuration Using SIL 2 Add-On Instructions, publication 1756-AT012.

About the ControlLogix System

The ControlLogix system is a modular programmable automation system with

the ability to pre-configure outputs and other responses to fault conditions. As
such, a system can be designed to meet requirements for ‘hold last state’ in the
event of a fault so that the system can be used in up to, and including, SIL 2-
level Gas and Fire and other applications that require that output signals to
actuators remain ON. By understanding the behavior of the ControlLogix
system for an emergency shutdown application, you can incorporate
appropriate system design measures to meet other application requirements.
These measures relate to the control of outputs and actuators, which must
remain ON to be in a safe state. Other requirements for SIL 2 (inputs from
sensors, software that is used, and so on) must also be met.

Gas and Fire Considerations

These are the measures and modifications that are related to the use of the
ControlLogix system in Gas and Fire applications.
• The use of a manual override is necessary to make sure that the operator
can maintain the desired control in the event of a controller failure. This
is similar in concept to the function of the external relay or redundant
outputs that are required to make sure that a de-energized state is
achieved for an ESD system when a failure occurs (for example, a shorted
output driver) that prevents this from normally occurring. The system
knows that it has a failure, but the failure state requires an independent
means to maintain control and either remove power or provide an
alternate path to maintain power to the end actuator.
• If the application cannot tolerate an output that can fail shorted
(energized), then an external means such as a relay or other output must
be wired in series to remove power when the fail shorted condition
occurs. See Wiring ControlLogix Digital Output Modules on page 50 for
more information.
• If the application cannot tolerate an output that fails open (de-
energized), then an external means such as a manual override or output
must be wired in parallel. See Figure 1. You must supply alternative
means and develop the application program to initiate the alternate
means to remove or continue to supply power in the event the main
output fails.

10 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

• This manual override circuit is shown in Figure 1. It is composed of a

hard-wired set of contacts from a selector switch or push button. One
normally open contact provides for the bypass of power from the
controller output directly to the actuator. The other is a normally closed
contact to remove or isolate the controller output.
• Generate an application program to monitor the diagnostic output
modules for dangerous failures such as shorted or open-output driver
channels. Diagnostic output modules must be configured to hold last
state in the event of a fault.
• A diagnostic alarm must be generated to inform the operator that
manual control is required.
• The faulted module must be replaced within the Mean Time to
Restoration (MTTR).
• Any time a fault is detected, the system must annunciate the fault to an
operator by some means (for example, an alarm light).
Figure 1 - Manual Override Circuit
L1

Manual Override

Actuator

L2 or Ground 43379

Fault

Alarm to Operator

Boiler and Combustion Considerations

If your SIL 2-certified ControlLogix system is used in combustion-related

applications, you are responsible for meeting appropriate safety standards
including National Fire Protection Association (NFPA) standard NFPA 85 and
86. In addition, you must provide a documented lifecycle-system safety
analysis that addresses the requirements of NFPA 85 related to Burner
Management System Logic.

To comply with the requirements of IEC 61508, the safety demand rate must be
no more than 10 demands per year.

You must also consider system reaction capability as explained in Appendix A.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 11

Chapter 1 SIL Policy

If your system must meet standard EN 50156, then you must also meet the
requirements that are identified in the current version of EN 50156. To use
FLEX™ I/O or 1756-series I/O modules in SIL 2 EN50156 applications, you must
use a GuardLogix® controller. See the GuardLogix Safety Reference Manual,
publication 1756-RM093.

IMPORTANT When using a GuardLogix controller with SIL 2-rated 1756 or 1794 I/O,
you must also follow the requirements defined in this manual.

Typical SIL 2 Configurations SIL 2-certified ControlLogix systems can be used in standard (simplex) or
high-availability (duplex) configurations. For the purposes of documentation,
the various levels of availability that can be achieved by using various
ControlLogix system configurations are referred to as simplex or duplex.
When using a duplex ControlLogix configuration, the ControlLogix controller
remains simplex (1oo1) from a safety perspective.

This table lists each system configuration and the hardware that is part of the
safety loop.

System Configuration Safety Loop Includes

• Single controller
Simplex Configuration on page 13 • Single communication module
• Dual I/O modules
• Dual controllers
Duplex Logic-Solver Configurations on page 21 • Dual communication modules
• Dual I/O modules
• Dual controllers
• Dual communication modules
Duplex System Configuration on page 25
• Dual I/O modules
• I/O termination boards

IMPORTANT The system operator is responsible for the following tasks when any of
the ControlLogix SIL 2 system configurations are used:
• The setup, SIL rating, and validation of any sensors or actuators that are
connected to the ControlLogix control system
• Project Management and functional testing
• Programming the application software and the module configuration
according to the descriptions in this manual
The SIL 2 portion of the certified system excludes the development
tools and display/human machine interface (HMI) devices; these tools
and devices must not be part of the safety loop.

12 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Simplex Configuration

In a simplex configuration, the hardware that is used in the safety loop is

programmed to fail to safe. The failure to safe is typically an emergency
shutdown (ESD) where outputs are de-energized.

Figures 2 …9 each show typical simplex SIL loops for limited high demand
applications with up to 10 demands per year. The figures show the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop

SIL 2 I/O modules in the safety loop must meet the requirements that are
specified in Chapter 5, ControlLogix I/O Modules and Chapter 6, FLEX I/O
Modules. Chassis can have modules within SIL 2 certified ControlLogix safety
loop that are not being used within SIL safety functions, if these modules are
listed in the SIL 2-certified ControlLogix System Components on page 101.

Table 1 defines the module abbreviations used in the graphics in this section.

Table 1 - Legend for the Module Abbreviations

Item Description
DIAGO Diagnostic Output Module
IN Input Module
ISOLO Isolated Output Module
MONIN Monitoring Input Module
Out Non Diagnostic Output Module
RLY Relay Module
RM ControlLogix Redundancy Module

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 13

Chapter 1 SIL Policy

Figure 2 - Single-chassis Configuration

Overall SIL 2-certified ControlLogix Safety Loop
Safety Loop
Controller Chassis

Logix5570 EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC

DC
DCOUTPUT
OUTPUT
OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC

Sensor
I I O M O Actuator

N N U O U
E T N T
N
2 1 1 2 I 2
T A B A N B

Monitoring input
module
Non-isolated digital output modules

Standard Communication

1756 SIL 2 I/O module pairs can be in the same chassis because only SIL 2
capable hardware is within the controller chassis. The number on the label
indicates a module pair in a 1oo2 configuration; Module A and Module B. For
example, Input 1A and Input 1B are a 1oo2 duplex module pair. For more
information on how to wire field devices, see Figure 6 on page 18.

Chassis within the 'SIL 2 certified ControlLogix Safety Loop' can have modules
that are not being used within SIL 2 safety functions, if these modules are listed
in the SIL 2-certified ControlLogix System Components on page 101.

14 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Figure 3 - Fail-safe ControlLogix EtherNet/IP Device Level Ring (DLR) Configuration

Overall Safety Loop

SIL 2-certified ControlLogix Safety Loop

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

Sensor I I D O Actuator
N N I U
E EE E A
N N T
N N G
2 22 2 O
T TT 1 1 2
T A B 2 B
RR R A

Remote I/O Chassis

Standard
Communication
EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST 0 11
1 22
2 33
3 44
4 55
5 66
6 77
7O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 00 O
O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST 8 99
9 10
101112131415 K
1112131415 KK ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K
ST 88 10 1112131415

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M O
N N U O U
E T N T
N
2 3 3 4 I 4
EtherNet/IP T A B A N B
R

1756 SIL 2 I/O module pairs can be in same chassis because non SIL 2 hardware is on a separate
network. For more information on how to wire field devices, see Figure 6 on page 18.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 15

Chapter 1 SIL Policy

Figure 4 - Fail-safe ControlLogix ControlNet Configuration (Safety and Standard Connections on the Same Network)

Overall Safety Loop

SIL 2-certified ControlLogix Safety Loop

Controller Chassis Remote I/O Chassis

Logix5570 DC OUTPUT
DC INTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O M
C C C N U O
N N N T N
2 2 2
R R 1 2 I
A A N

ControlNet

Standard Communication
Remote I/O Chassis
DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I O
N U
C
N T
2
1 2
B B

Dual networks are required because one of the two networks includes non-SIL 2 hardware.
The 1756 SIL 2 I/O module pairs must be split over two networks. For more information on
how to wire field devices, see Figure 6 on page 18.

16 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

In Figure 5, non-SIL 2 communication on separate subnets lets you place

redundant channel I/O in the same rack.

Figure 5 - Fail-safe ControlLogix ControlNet Configuration with Non-SIL 2 Communication (Safety and Standard Connections on Separate Networks)

Overall Safety Loop SIL 2-certified ControlLogix Safety Loop

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O

ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST

ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I D O
N N I U
E C C A
N T
N N G
2 2 2 O
1 1 2
T A B 2 B
A
Standard Communication
ControlNet

Remote I/O Chassis

DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M O
N N U O U
C
N T N T
2
3 3 4 I 4
A B A N B

ControlNet

1756 SIL 2 I/O module pairs can be in the same chassis because the non-SIL 2
hardware is on a separate network. For more information on how to wire field
devices, see Figure 6 on page 18.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 17

Chapter 1 SIL Policy

Figure 6 - Fail-safe ControlLogix EtherNet/IP Configuration: Single DLR Loop for Safety and Standard Communication

Overall Safety Loop SIL 2-certified ControlLogix Safety Loop

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT EtherNet/IP™ DC INTPUT DC
DCOUTPUT
OUTPUT
DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST
ST 00 11 22 33 44 55 66 77OO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST
ST 88 9910
1011121314 15KK
1112131415 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I O O
N U U
E EE E T T
N N
N N
2 22 2
TT 1 2 3
T T
R R A A A
R R

Standard EtherNet/IP +V
Communication DLR
Relay +V

Input Device

DC INTPUT DC INTPUT DC OUTPUT DC

DCOUTPUT
OUTPUT DC INTPUT EtherNet/IP™

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST 00
ST 0 11
1 22
2 33
3 44
4 55
5 66
6 77
7O ST
ST 00 11 22 33 44 55 66 77OO ST 0 1 2 3 4 5 6 7 O
O
O
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST 8 99
ST 88 9 10
1011121314
10 1112131415
11121314 15
K
15 KK ST
ST 88 9910
1011121314 15KK
1112131415 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M
N S U O EtherNet/IP
Remote I/O Chassis O T N E
L N
1 O 3 I 2
B 2 B N T
B R

Actuator

Actuator
Standard
Communication DLR

DLR mixes SIL 2 and non-SIL 2 hardware. Independent paths are required to the SIL 2 I/O module pairs. The
1756 adapters and I/O module pairs can be placed into one chassis or split among two. Splitting them over
two chassis is shown.

For more information on SIL 2 requirements, see IMPORTANT on page 19.

Unused channels on a SIL 2 input module pair can be used as the monitoring input. There is no need for the
monitoring input to be wired to both input modules in a SIL 2 module pair. A separate monitoring input
module is not required.

18 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Figure 7 - Fail-safe ControlLogix EtherNet/IP Configuration with FLEX I/O Modules: Single DLR Loop for Safety and Standard Communication

Overall Safety Loop

SIL 2-certified ControlLogix Safety Loop

Controller Chassis
Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K

DIAGNOSTIC

E EE
N N
N
2 22
T TT 1794-AENTR
R RR MOD IN 1A OUT 2A OUT 3A
Standard LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

Communication
DLR +V
EtherNet/IP

Input Relay +V
Device

1794-AENTR
1794-IOW8

MOD IN 1B RLY OUT 2B OUT 3B MON IN

LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

Standard EtherNet/IP
Communication
DLR
Actuator Actuator

DLR mixes SIL 2 and non-SIL2 hardware. Independent paths are required to the SIL 2 I/O
module pairs. FLEX SIL 2 I/O module pairs must always be split over different nodes.

Unused channels on a SIL 2 input module pair can be used as the monitoring input. There is
no need for the monitoring input to be wired to both input modules in a SIL 2 module pair. A
separate monitoring input module is not required.

IMPORTANT As shown in Figure 6 and Figure 7, standard devices can reside within an EtherNet/IP™ SIL 2 subnet provided the
following requirements are met:
• The EtherNet/IP™ subnet topology must be DLR.
• The ControlLogix chassis must have two 1756-EN2TR modules.
• Independent connection paths must be established for channels A and B I/O through each ControlLogix chassis bridge.
• Channel A and Channel B I/O must reside in separate chassis or connected to separate adapters.
• Direct Internet connectivity must be limited to EtherNet/IP bridges listed in Appendix B of this manual.
Direct Internet connections via other standard devices are not allowed.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 19

Chapter 1 SIL Policy

Figure 8 - Fail-safe ControlLogix Configuration with FLEX I/O Modules on the ControlNet Network

HMI
Programming Software
For Diagnostics and Visualization
For SIL applications, a programming
(see special instructions in Chapter 9 for
terminal is not normally connected.
writing to safety-related controllers in the
safety loop).

Plant-wide Ethernet/Serial
Overall Safety Loop

SIL 2-certified ControlLogix components’ portion of the overall safety loop.

Logix5570 EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K

1794-ACN15 IN 1A OUT 2A MON IN

DIAGNOSTIC

E
N C
B N
T 2
R
To other safety-related ControlLogix or FLEX
ControlNet
I/O remote I/O chassis.

1794-IOW8

1794-ACN15 IN 1B OUT 2B

ControlNet

To other safety-related ControlLogix or FLEX I/O remote I/O chassis.

Non-SIL 2 hardware is on separate networks. FLEX I/O module pairs must always be split over
different nodes. For more information on how to wire field devices, see Figure 7 on page 19

20 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Figure 9 - Fail-safe ControlLogix Configuration with FLEX I/O Modules the EtherNet/IP Network

HMI
Programming Software
For Diagnostics and Visualization
For SIL applications, a programming
(see special instructions in Chapter for
terminal is not normally connected.
writing to safety-related controllers in the
safety loop).

Plant-wide Ethernet/Serial

Overall Safety Loop

SIL 2-certified ControlLogix components’ portion of the overall safety loop.

Logix5570 EtherNet/IP™ EtherNet/IP™

EtherNet/IP™
EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
1794 FLEX I/O
ST 8 9 10 1112131415 K

DIAGNOSTIC

1794-AENTR IN 1A OUT 2A MON IN

MOD

E EE LINK 1 LINK 2
REDUNDANY MEDIA

N N
ADAPTER

N
1794-AENTR

B 22
T TT
RR

EtherNet/IP

1794-AENTR
1794-IOW8

MOD IN 1B OUT 2B
LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

EtherNet/IP

Non-SIL 2 hardware is on separate networks. FLEX I/O module pairs must always be split over
different nodes. For more information on how to wire field devices, see Figure 7 on page 19.

Duplex Logic-Solver Configurations

In duplex configurations, redundant system components are used to increase

the availability of the control system. The modules in the redundant controller
chassis include redundancy modules and network communication modules
for redundant communication, and the ControlLogix controllers.

Figure 10 shows a typical duplex SIL loop. The figure also shows the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop
• How other devices (for example, HMI) connect to the loop, while
operating outside the loop

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 21

Chapter 1 SIL Policy

Figure 10 - Typical SIL Loop with Controller Chassis Redundancy

Programming Software HMI

For SIL applications, a For Diagnostics and Visualization
programming terminal is not (see special instructions in Chapter
normally connected. for writing to safety-related
controllers in the safety loop).

Plant-wide Ethernet/Serial

SIL 2-certified ControlLogix components’ portion of the overall safety loop.

Overall
Safety
Primary Chassis Remote I/O Chassis Ch A
Loop
Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST
ST
ST 888999
10
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I D O
N N I U
E C C R A C
N N N T
M G N
2 2 2 O 2
T 1 1 2
A B 2 B
A
ControlNet ControlNet

Secondary Chassis Remote I/O Chassis Ch B

Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT DC INTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

O M O I I
U O U N N
E C C R C
T N T
N N N M N
2 2 2 2
3 I 3 4 4
T N
A B A B

ControlNet ControlNet

To other safety-related ControlLogix and remote I/O chassis.

To nonsafety-related systems outside the ControlLogix

ControlNet portion of the SIL 2-certified loop.

1756 SIL 2 I/O module pairs can be in same chassis because non-SIL 2 hardware
is on separate networks. SIL 2 I/O modules in the safety loop must meet the
requirements that are specified in Chapter 5, ControlLogix I/O Modules.

For more information on how to wire field devices, see Figure 6 on page 18.

IMPORTANT You can also access a remote I/O chassis via an EtherNet/IP network if
you use ControlLogix Enhanced Redundancy System, Revision 20.54 or
later.

IMPORTANT The redundant (duplex) ControlLogix system in Figure 10 provides logic

solver fault tolerance. It remains 1oo1 (simplex) from a safety
perspective.

22 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Figure 11 - Duplex System EtherNet/IP Fiber Configuration

Primary ControlLogix Chassis Secondary Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

PRI COM OK
PRI COM OK
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

E E R E E R
N N M N N M
2 2 2 2
T T T T
R R R R

1783-ETAP1F
MOD

LINK 1
LINK 2
DEVICE
PORT

1783-ETAP1F
MOD

LINK 1
LINK 2
DEVICE
PORT

Fiber Fiber
I/O Chassis A1
1 2
(front) (rear)

I/O Chassis B1 1 2
(front) (rear)

EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT

EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

MOD DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
LINK 1

1783-ETAP2F I M
LINK 2

I O I
DEVICE
PORT

N U N S O
1783-ETAP E E O
N T N
1 3 1783-ETAP1F MOD
N 1 L
2
LINK 1

2
LINK 2

A 3 I
DEVICE

A B
PORT

T 1783-ETAP2F T B
1
(front)
2
(rear)

R N
R

1 2

I/O Chassis A2
MOD (front) (rear)

1783-ETAP I/O Chassis B2

LINK 1
LINK 2
DEVICE
PORT

EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O I I M
N U N S O
E E
1 2

O N
(front) (rear)

T
MOD

N LINK 1

N L
1783-ETAP 2
LINK 2

2 4
DEVICE

2
PORT

2 4 I
T A A B
T B N
MOD
R R
LINK 1
LINK 2
DEVICE
PORT

1783-ETAP 1
(front)
2
(rear)

1 2
Note: All SIL 2 guidelines for 1756 or FLEX I/O modules remain the same.
(front) (rear)

Because channel A and channel B are two independent networks, 1783-ETAP

modules can be considered black channel equipment and do not need to be
part of the SIL 2 system calculation. Any non SIL 2 component can affect only
one of the two networks. For more information on how to wire field devices,
see Figure 6 on page 18.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 23

Chapter 1 SIL Policy

Figure 12 - Duplex System with Stratix® Switches

Fiber
Copper
Primary ControlLogix Chassis Secondary ControlLogix Chassis
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

PRI COM OK
PRI COM OK
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

E E R E E R
N N M N N M
2 2 2 2
T T T T
R R R R

Chassis 1A Chassis 1B
EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O I I M
N U N S O
E E O N
N T N
1 3 1 L
2 2 3 I
T A A B
T B N
R R

Chassis 2A Chassis 2B
EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT EtherNet/IP™ DC INTPUT DC INTPUT
DC OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O I I M
N U N S O
E E O N
N T N
2 4 2 L
2 2 4 I
T A A B
T B N
R R

Because channel A and channel B are two independent networks, 1783-ETAP

24 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Duplex System Configuration

This configuration of the ControlLogix system uses fully redundant

controllers, communication modules, and remote I/O devices to achieve
enhanced availability.

Figure 13 - Duplex System EtherNet/IP Configuration

Overall Safety Loop

SIL 2-certified ControlLogix Safety Loop

ControlLogix Primary Chassis ControlLogix Secondary Chassis
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT EtherNet/IP™
Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC PRI COM OK
DIAGNOSTIC DIAGNOSTIC

E E R E E R
N N M N N M
2 2 2 2
T T T T
R R R R

EtherNet/IP non-SIL 2 EtherNet/IP connections non-SIL 2 EtherNet/IP connections

I/O Chassis A I/O Chassis B

EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT DC INTPUT
DC OUTPUT DC OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O I O I O I O
B B F U B B F U
E 3 1 1 T E 3 1 1 T
N 2 6 6 2 N 6 6 2
2
2 D 3 2 D 3
1 1
T 2 A T 2 B
A B
R A R B

Analog Input Termination Board Digital Input Termination Board Digital Output Termination Board

Field Device Field Device Field Device

For more information about this SIL 2 application solution, see the
ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions,
publication 1756-AT012.This publication explains how to configure a
SIL 2-certified system by using Add-On Instructions and hardware
termination boards.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 25

Chapter 1 SIL Policy

Figure 14 - Duplex System ControlNet Configuration

Overall Safety Loop

SIL 2-certified ControlLogix Safety Loop

Primary ControlLogix Chassis Secondary ControlLogix Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
PRI COM OK
DIAGNOSTIC DIAGNOSTIC PRI COM OK
DIAGNOSTIC DIAGNOSTIC

C E R E R
N C
N M
N N M
2 2 2
T 2
R R T
R R

ControlNet non-SIL 2 EtherNet/IP connections non-SIL 2 EtherNet/IP connections

I/O Chassis A I/O Chassis B

DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT
DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC DIAGNOSTIC

O
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I O I O I O
B B F U B B F U
C 3 1 1 T 3 1 1 T
C
N 2 6 6 2 2 6 6 2
N
2 1 D 3 2 1 D 3
R A 2 A R B 2 B
A B

Analog Input Digital Input Digital Output

Termination Board Termination Board Termination Board

Field Device Field Device Field Device

The duplex system configuration uses safety and programming principles that
are described in this manual, and programming and hardware that is
described in the application technique manuals.

For more information on the ControlLogix SIL 2-certified system, including

termination boards and Add-On Instructions, see the ControlLogix SIL 2
System Configuration Using SIL 2 Add-On Instructions,
publication 1756-AT012.

26 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Proof Tests IEC 61508 requires that you perform various proof tests of the equipment that
is used in the system. Proof tests are performed at user-defined times (for
example, proof test intervals can be once a year, once every 2 years or whatever
time frame is appropriate based on the SIL verification calculation) and could
include some of the following tests:
• Test all safety application-fault routines to verify that process parameters
are monitored properly and the system reacts properly when a fault
condition arises.
• Test all digital input or output channels to verify that they are not stuck
in the ON or OFF state.
- Manually cycle inputs to make sure that all inputs are operational and
not stuck in the ON state.
- Manually test outputs that do not support runtime pulse testing.
- You can automatically perform proof tests by switching ground open
on input modules and check to make sure that all input points go to
zero (turn OFF.).
• The relays in the redundant power supplies must be tested to make sure
that they are not stuck in the closed state.
• Calibrate analog input and output modules to verify that accurate data is
obtained from and used on the modules.

IMPORTANT Each specific application has its own time frame for the proof test
interval.

Proof Testing with Redundancy Systems

A ControlLogix redundancy system uses an identical pair of ControlLogix

chassis to keep your process running if a problem occurs with one of the
chassis. When a failure occurs in the primary chassis, control switches to the
secondary controller in the secondary chassis.

The switchover can be monitored so that the system notifies the user when it
has occurred. In this case (that is, when a switchover takes place), we
recommend that you replace the failed controller within the mean time to
restoration (MTTR) for your application.

If you are using controller redundancy in a SIL 2 application, you must

perform the proof test on the primary controller and on the secondary
controller.

If you are concerned about the availability of the secondary controller if the
primary controller fails, it is good engineering practice to implement a switchover
periodically (for example, once per proof test interval).

For more information on switchovers in ControlLogix redundancy systems

and ControlLogix redundancy systems in general, see these redundancy
system manuals:
• ControlLogix Standard Redundancy System User Manual, publication
1756-UM523
• ControlLogix Enhanced Redundancy System User Manual, publication
1756-UM535

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 27

Chapter 1 SIL Policy

Reaction Times The response time of the system is defined as the amount of time it takes for a
change in an input condition to be recognized and processed by the
controller’s logic program, and then to initiate the appropriate output signal to
an actuator.

The system response time is the sum of the following:

• Input hardware delays
• Input filtering
• I/O and communication module RPI settings
• Controller program scan times
• Output module propagation delays
• Redundancy system switchover times (applicable in duplex systems)

Each of the times listed is variably dependent on factors such as the type of I/O
module and instructions used in the logic program. For examples of how to
perform these calculations, see Appendix A, Reaction Times of the
ControlLogix System.

For more information on the available instructions and for a full description of
logic operation and execution, see the following publications:
• Logix 5000™ Controllers General Instruction Set Reference Manual,
publication 1756-RM003
• ControlLogix System User Manual, publication 1756-UM001

Reaction Times in The worst-case reaction time of a duplex system is different than a simplex
Redundancy Systems system. The redundancy system has a longer reaction time because of the
following:
• There are a series of crossloading operations that continuously occur
between the primary and secondary controllers. Crossloading fresh data
at the end of each program scan increases scan time.

To minimize scan time by reducing crossloading overhead, you can plan

your project more efficiently. For example, minimize the use of SINT,
INT, and single tags, and use arrays and user-defined data structures.
Generally, the primary controller in a duplex system has a 20% slower
response time than the controller in a simplex system.
• The switchover between controllers slows system response. If using a
ControlNet® network, the switchover time of a redundancy system
depends on the network update time (NUT).

For more information about switchover times in redundancy systems,

see one of these ControlLogix redundancy system user manuals:
- ControlLogix Standard Redundancy System User Manual,
publication 1756-UM523
- ControlLogix Enhanced Redundancy System User Manual,
publication 1756-UM535

IMPORTANT To avoid nuisance trips, you must account for the additional cross
checking time of a duplex system when setting the watchdog time.

28 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 1 SIL Policy

Safety Watchdog Configure the properties of the SIL 2 safety task correctly for your application.
• Priority: must be the highest-priority task in the application (lowest
number)
• Watchdog: the value that is entered for the SIL 2 safety task must be large
enough for all logic in the task to be scanned

If the task execution time exceeds the watchdog time, a major fault occurs on
the controller. You must monitor the watchdog and program the system
outputs to transition to the safe state (typically the OFF state) in the event of a
major fault occurring on the controller. For more information on faults, see
Chapter 8, Faults in the ControlLogix System.

For more information about setting the watchdog, see the ControlLogix
System User Manual, publication 1756-UM001.

Safety Certifications and Diagnostic hardware and firmware functions, and how you apply
Compliance ControlLogix components, enable the system to achieve CL SIL 2 compliance.

IMPORTANT You must implement these requirements, or at a minimum the intent of

the requirements that are defined in this manual, to achieve CL (claim
limit) SIL 2.

ControlLogix products that are referenced in this manual can have safety
certifications and the SIL certification. If a product has achieved agency
certification, the product label is not necessarily marked as certified. To view
safety certifications for products, go to http://www.ab.com and click the
Product Certifications link or on the certificate’s revision release list.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 29

Chapter 1 SIL Policy

Notes:

30 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 2

Features of the ControlLogix SIL 2 System

The diagnostic methods and techniques that are used in the ControlLogix®
platform let you configure and program ControlLogix controllers to perform
checks on the total system. The checks include configuration, wiring, and
performance, monitoring input sensors and output devices. Timestamping of
I/O and diagnostic data also aid in diagnostics.

Examples of these methods and techniques include the following:

• If an anomaly (other than automatic shutdown) is detected, the system
can be programmed to initiate user-defined fault handling routines.
• Output modules can turn OFF selected outputs in the event of a failure.
• Diagnostic I/O modules self-test to make sure that field wiring is
functioning.
• Output modules use pulse testing to make sure that output switching
devices are not shorted.

Module Fault Reporting Every module in the system is ‘owned’ by one controller. Multiple controllers
can share data, and consume data from non-owned modules. When a
controller ‘owns’ an I/O module, that controller stores the module’s
configuration data, which you define; this data dictates how the module
behaves in the system. Inherent in this configuration and ownership is the
establishment of a ‘heartbeat’ between the controller and module, which is
known as the requested packet interval (RPI).

The RPI defines a time interval in which the controller and I/O module must
communicate with each other. If, communication cannot be established or
maintained, for example, the I/O module has failed, the communication path
is unavailable, the system can be programmed to run specialized routines.
These specialized routines can determine whether the system can continue
functioning or whether the fault condition warrants a shutdown of the
application. For example, the system can be programmed to retrieve the fault
code of the failed module. It can also make a determination, which is based on
the type of fault, whether to continue operating.

The controller can monitor the health of I/O modules in the system. The
controller can take appropriate action that is based on the severity of a fault
condition and gives you complete control of the application. It is your
responsibility to establish the course of action appropriate to your safety
application.

For more information on Fault Handling, see Chapter 8, Faults in the

ControlLogix System on page 91.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 31

Chapter 2 Features of the ControlLogix SIL 2 System

Data Echo Communication Output data echo allows you to verify that the correct output module received
Check the ON/OFF command from the controller was received and that the module
attempts to execute the command to the field device.

During normal operation, when a controller sends an output command, the

output module that receives the command will ‘echo’ the output command
back to the controller upon its receipt. This verifies that the module has
received the command and tries to execute it. By comparing the requested
state from the controller to the data echo received from the module, you can
validate that the signal has reached the correct module. You can also verify that
the module attempts to activate the appropriate field-side device. The echo
data is technically input data from the output module and is located with the
other output module data. For example, an output module at local slot 3 has
Local:3:O and Local:3:I, where 3:O are outputs and 3:I are inputs. Again, it is
your responsibility to establish the course of action appropriate for your safety
application.

When used with standard ControlLogix output modules, the data echo
validates the integrity of communication up to the system-side of the module,
but not to the field-side. When you use this feature with diagnostic output
modules, you can verify the integrity from the controller to the output terminal
on the module.

Diagnostic output modules contain circuitry that performs field-side output

verification. Field-side output verification informs you that commands
received by the module are accurately represented on the power side of the
module’s switching devices. In other words, for each output point, this feature
confirms that the output is ON when it is commanded to be ON or OFF when
commanded to be OFF.

When using non-diagnostic output modules, you must verify the ON and OFF
state. This verification must be accomplished by monitoring the output
command from the non-diagnostic output module in an input module or
validation by alternative methods. Approve all methods according to IEC
61508. A separate input module is required for a non-diagnostic output
module.

32 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 2 Features of the ControlLogix SIL 2 System

Figure 15 - Output Module Behavior in the ControlLogix System

Output Commands from Controller

Standard ControlLogix I/O

Information Data Echo validation from System-side

Field-side Output Verification, Pulse Test

Additional Field-Side Information Status Plus No Load Detection
Provided by Diagnostic Output
Modules

Actuator

Pulse Test Discrete diagnostic output modules contain a feature called a pulse test. A
pulse test can verify the output circuit functionality without actually changing
the state of the actuator connected to the output. A short-duration pulse is
directed to a particular output on the module. The output circuitry
momentarily changes its state long enough to verify that it can change state on
demand. The test pulse is fast (milliseconds), and typically does not affect
actuators. Some actuators can have electronic front ends and can detect these
fast pulses. You can disable pulse testing, if necessary.

Software The location, ownership, and configuration of I/O modules and controllers is
performed by using RSLogix 5000® software or the Studio 5000 Logix
Designer® application. Use the software to create, test, and debug application
logic.

When using the programming software, you must remember these points:
• During normal control program (controller in Run mode):
- Disconnect the programming terminal.
- Set the keyswitch to the RUN position.
- Remove the controller key from the keyswitch.
• Authorized personnel can change an application program, but only by
using one of the processes that are described in Changing Your
Application Program on page 88.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 33

Chapter 2 Features of the ControlLogix SIL 2 System

Communication Several communication options are available for connecting with the
ControlLogix SIL 2 system and for the exchange of data within the SIL 2
system.

Communication Ports

A built-in serial port is available on 1756-L6x controllers for download or

visualization purposes only. Do not use the serial port for any exchange of
safety-related data.

A built-in USB port is available for program upload and download on 1756-L7x
controllers.

ATTENTION: The USB port is intended for temporary local-programming

purposes only and not intended for permanent connection.

WARNING: Do not use the USB port in hazardous locations.

For information on how to make communication connections, see the

ControlLogix System User Manual, publication 1756-UM001.

ControlNet Network

The ControlNet® network can be used to do the following:

• Provide communication between the controller and remote I/O chassis.
• Form the basis for communication in duplex (redundant)
configurations.

To schedule the ControlLogix ControlNet network, use RSNetWorx™ for

ControlNet software.

IMPORTANT In SIL 2 applications, all I/O and produce/consume tags that are
associated with safety data must use scheduled connections on the
ControlNet network.

For more information on ControlNet networks, refer to ControlNet Network

Configuration Guide, publication CNET-UM001.

EtherNet/IP Network

An EtherNet/IP™ connection can be used to do the following:

• Download, monitor, and visualize the controller.
• Connect to remote I/O chassis.

EtherNet/IP networks support messaging, produced/consumed tags, and

distributed I/O.

34 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 2 Features of the ControlLogix SIL 2 System

See EtherNet/IP Communication Modules on page 43 for details on how to use

EtherNet/IP modules in SIL 2 applications.

Electronic Keying of Modules If a module in your SIL 2-certified ControlLogix system is replaced, Exact
in SIL 2 Applications Match keying is recommended.

Exact Match keying requires all keying attributes of the physical module and
the module that is created in the software to match precisely before
establishing communication. The keying attributes are Vendor, Product Type,
Product Code (catalog number), Major Revision, and Minor Revision.

If any attribute does not match precisely, I/O communication is not permitted
with the module or with modules connected through it, as in the case of a
communication module.

Compatible Keying can be used in a SIL 2 safety function, but the

responsibility for re-verifying safety functions after replacing SIL 2 modules, is
assumed by the user.

For more information about electronic keying, see the ControlLogix Digital
I/O Modules User Manual, publication 1756-UM058.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 35

Chapter 2 Features of the ControlLogix SIL 2 System

Notes:

36 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 3

ControlLogix Controllers, Chassis,

and Power Supplies

ControlLogix Controllers The SIL 2-certified ControlLogix® system is a user-programmed, solid-state

control system. Examples of specific functions include the following:
• I/O control
• Logic
• Timing
• Counting
• Report generation
• Communication
• Arithmetic
• Data file manipulation

The ControlLogix controller has a central processor, I/O interface, and

memory.

Operating Modes

The controller performs power-up and runtime functional tests. The tests are
used with user-supplied application programs to verify proper controller
operation.

A three-position keyswitch on the front of the controller governs ControlLogix

system operational modes. The following modes are available:
• Run
• Program
• Remote - This software-enabled mode can be Program or Run.
Figure 16 - Keyswitch in Run Mode
Logix557x

RUN FORCE SD OK

REM PR
RUN OG

1756-L6x 1756-L7x

When a SIL 2-certified ControlLogix application is operating in the Run mode,

the controller keyswitch must be in the RUN position and the key removed.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 37

Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Requirements for Use

Consider these requirements when using a SIL 2-certified ControlLogix

controller:
• All components, such as input and output modules, the specific
controller that performs the safety function must own each safety
function.
• When installing ControlLogix controller, refer to the user manual listed
in Additional Resources on page 8.
• There are currently separate firmware revisions for standard and
redundant operation. For more information, see Appendix and the
Revision Release List available at http://www.ab.com from the Product
Certifications link.

For more information on the ControlLogix controllers, see the publications in

Additional Resources on page 8.

ControlLogix Chassis The ControlLogix 1756-Axx chassis provide the physical connections between
controllers and I/O modules. The chassis is passive and is not relevant to the
safety discussion because any physical failure would be unlikely under normal
environmental conditions and would be manifested and detected as a failure
within one or more of the active components.

When installing ControlLogix chassis, follow the instructions that are

provided in the product documentation.

ControlLogix Power Supplies ControlLogix power supplies are certified for use in SIL 2 applications. No
extra configuration or wiring is required for SIL 2 operation of the
ControlLogix power supplies. If an anomaly occurs in the supplied voltages,
the power supply immediately shuts down. For this reason, the power supply is
not part of the safety calculation.

All ControlLogix power supplies are designed to perform these tasks:

• Detect anomalies.
• Communicate to the controllers with enough stored power to allow for
an orderly and deterministic shutdown of the system, including the
controller and I/O modules.

IMPORTANT If you are using any of the 1756-Px75 (non-redundant) power supplies,
with a 1756-L6x/B or 1756-L7x/B controller, you must use the Series B
version of the power supply, that is, 1756-Px75/B power supplies.

38 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Redundant Power Supplies

ControlLogix redundant power supplies can be used in SIL 2-certified

applications. In a redundant power supply configuration, two power supplies
are connected to the same chassis.

The power supplies share the current load that the chassis requires and an
internal solid-state relay that can annunciate a fault. Upon detection of a
failure in one supply, the other redundant power supply automatically
assumes the full current load that the chassis requires without disruption to
installed devices.

The 1756-PSCA and 1756-PSCA2 redundant power-supply chassis adapters

connect the redundant power supply to the chassis.

Recommendations for Using Power Supplies

When using SIL 2-certified ControlLogix power supplies:

• Follow the information that is provided in the installation instructions.
• Wire the solid-state fault relay on each power supply from an appropriate
voltage source to an input point in the ControlLogix system so that the
application program can detect faults and react appropriately based on
the application requirements.

For more information about how to install ControlLogix chassis and power
supplies, see the publications that are listed in Additional Resources on page 8.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 39

Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Notes:

40 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 4

ControlLogix Communication Modules

Introduction to The communication modules in a SIL 2-certified ControlLogix® system

Communication Modules provide communication bridges from a ControlLogix chassis to other chassis
or devices via the ControlNet® and Ethernet networks. These communication
modules are available.

Network SIL 2 Modules(1)

• 1756-CNB
• 1756-CN2R
ControlNet • 1756-CNBR
• 1756-CN2RXT
• 1756-CN2
• 1756-ENBT, series A(2)
• 1756-EN2TR, series B
• 1756-EN2T, series C
• 1756-EN2TR, series C
EtherNet/IP™ • 1756-EN2T, series D(2) • 1756-EN2TRXT, series C
• 1756-EN2TXT, series C
• 1756-EN3TR, series B(2)
• 1756-EN2TXT, series D(2)
DeviceNet®(2) 1756-DNB
Data Highway Plus™ – Remote I/O(2) 1756-DHRIO
SynchLink™(2) 1756-SYNCH
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions
have the same SIL 2 certification as the non-K versions. For more information on which products have conformal coating go
to:http://ab.com.rockwellautomation.com/
(2) Not for use in safety functions.

ControlLogix communication modules can be used in peer-to-peer

communication between ControlLogix devices. The communication modules
can also be used for expansion of I/O to additional ControlLogix remote I/O
chassis.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 41

Chapter 4 ControlLogix Communication Modules

ControlNet Modules and ControlNet modules provide communication between any nodes that are
Components properly scheduled on the ControlNet network.

IMPORTANT In SIL 2 applications, all I/O and produce/consume tags that are
associated with safety data must use scheduled connections on the
ControlNet network.

ControlNet Cabling

For remote racks, one RG6 coax cable is required for ControlNet
communication. Although it is not a requirement to use redundant media with
the 1756-CNBR or 1756-CN2R modules, it does provide higher system
reliability. Redundant media is not required for SIL 2 operation.

ControlNet Repeater

The following ControlNet repeater modules are approved for use in safety
applications up to and including SIL 2:
• 1786-RPCD, ControlNet Hub Repeater Module
• 1786-RPFS, Short-distance Fiber Repeater Module
• 1786-RPFM, Medium-distance Fiber Repeater Module
• 1786-RPFRL, Long-distance Fiber Repeater Module
• 1786-RPFRXL, Extra-long-distance Fiber Repeater Module

Use of the 1786-RPA adapter is required with the repeater modules listed.

Table 2 - For More Information about Repeater Modules

Topic Publication Title Publication Number
Plan for and install ControlNet repeater ControlNet Fiber Media Planning and CNET-IN001
modules. Installation Guide
Use of repeaters in safety applications. TÜV Report 968/EZ 968/EX 135.06.12

ControlNet Module Diagnostic Coverage

All communication over the passive ControlNet media occurs via CIP™. CIP
verifies that at least one valid packet is seen during the greater of either 100 ms
or 4 times the requested packet interval (RPI). If a valid packet is not seen
during this period, data transitions to the safe state.

42 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 4 ControlLogix Communication Modules

EtherNet/IP Communication Use an EtherNet/IP communication module to do the following:

Modules • Connect controller chassis to remote I/O.
• Make connections for visualization purposes.
• Establish connections between the programming terminal and
controller.

IMPORTANT Use of a 1756-EN2TR or 1756-EN2TRXT is required to achieve SIL 2 in

your application. See Figure 3 on page 15 for an example.

See the examples in Figure 5 on page 17, Figure 6 on page 18, and Figure 11 on
page 23.

DeviceNet Scanner The 1756-DNB scanner connects the controller to devices on a DeviceNet
network. You can use the 1756-DNB module to communicate only nonsafety
data to devices outside of the safety loop.

Data Highway Plus - Remote The 1756-DHRIO module supports both Data Highway Plus and the
I/O Module (1756-DHRIO) Remote I/O network of communication. You can use the 1756-DHRIO module
to communicate only nonsafety data to devices outside of the safety loop. For
example, it can be used to communicate alarms to the Distributed Control
System (DCS).

SynchLink Module The SynchLink module (catalog number 1756-SYNCH) is used for CST time
propagation between multiple chassis for event recording. The module can be
used only outside of the safety loop. It must not be used for any safety-related
activity in a SIL 2-certified ControlLogix system.

General Requirements for Follow these requirements when using SIL 2-certified communication
Communication Networks modules:
• When installing ControlLogix communication modules, carefully follow
the information that is provided in the installation instructions.
• DH+™ can be used for communication to Human-to-Machine Interfaces
(HMI) and for communicating with the nonsafety portion of the system.
For more information on how to use HMI, see Chapter 9, Use of Human-
to-Machine Interfaces on page 95.
• For controllers that are not part of the SIL 2 safety function, use listen-
only connections to monitor SIL 2 I/O modules.
• You must not use the Quick Connect feature when using an Ethernet
communication for SIL 2 safety I/O.
• Only SIL 2 devices or other devices that provide non-interference write to
SIL 2 controllers. The only exception is the use of HMI devices. For more
information on how to use HMI in the safety loop, see Chapter 9, Use of
Human-to-Machine Interfaces on page 95.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 43

Chapter 4 ControlLogix Communication Modules

Peer-to-peer Peer-to-peer communication via a ControlNet or EtherNet/IP network is

Communication permitted when these requirements are met:
Requirements • Non-SIL 2 controllers can read data from SIL 2 controllers by directly
reading the data via a message instruction. The controller can also read
data by consuming data from a SIL 2 controller that is configured to
produce data.
• Controllers within the safety loop can be configured to:
- Consume safety data from other safety controllers within the safety
loop.

IMPORTANT Always monitor connection status when consuming safety data

from another controller. Use this connection status to take
appropriate safety action, if necessary.
- Consume non-safety data from outside the safety loop, such as a reset
signal.
- Produce data to controllers outside the safety loop by using a write
message (MSG) or produced connections.
• Programming that verifies the correct reception of data must be used.
• Use of a Device Level Ring (DLR) is required to produce and consume
SIL 2 data on an EtherNet/IP network. If you are not using the ring
capability of the 1756-EN2TR when producing or consuming SIL 2 safety
data on an EtherNet/IP network, you must use two independent data
paths between the SIL 2 devices. For example, to exchange SIL 2 data
between two ControlLogix SIL 2 controllers, you could use two produced
connections sending data to two consume connections. Each controller
produces data to the other.

Additional Resources This table lists additional resources specific to the ControlLogix
communication modules.

Cat. No. Module Description User Manual

1756-CNB ControlNet Communication Module
1756-CN2
CNET-UM001
1756-CNBR Redundant ControlNet Communication Module
1756-CN2R
1756-DHRIO Data Highway Plus - Remote I/O Communication Interface Module 1756-UM514
1756-DNB DeviceNet Scanner DNET-UM004
1756-ENBT
1756-EN2T
1756-EN2TR Ethernet Communication Module ENET-UM001
1756-EN3TR
1756-EN2TRXT
1756-EN2TXT
1756-RM Redundancy Module 1756-UM535
1756-RM2
1756-SYNCH SynchLink Module 1756-UM521

You can view or download Rockwell Automation publications at

http://www.rockwellautomation.com/literature/.

44 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5

ControlLogix I/O Modules

IMPORTANT The programming information and examples in this chapter are provided to illustrate diagnostic and other
logic-related principles that must be demonstrated in SIL 2 application programs.
• The principles and logic that is shown in this chapter can be encased in Add-On Instructions for easier use.
• The wiring diagrams are provided to illustrate SIL 2 concepts. For wiring information, see the I/O module
users manual listings in Additional Resources on page 8.
• If you are using a duplex configuration and certain I/O termination boards, the programming that is
explained in this chapter is available in Add-On Instructions. These Add-On Instructions are certified by TÜV.
See the ControlLogix SIL 2 System Configuration Using SIL 2 Add-On Instructions, publication 1756-AT012.

Overview of ControlLogix At the most basic level, there are two types of SIL 2-certified ControlLogix® I/O
I/O Modules modules:
• Digital I/O modules
• Analog I/O modules

With each type, however, there are differences between specific modules.
Because the differences propagate to varying levels in each module type, a
graphical representation can best provide an overview of the many
SIL 2-certified ControlLogix I/O modules.

The expansion of the 1756-IF8I, 1756-IRT8I, and 1756-OF8I are “logical”

8-channel drop-in replacement modules that emulate the 6-channel modules.
The wiring is different though between the two modules so the process is not
necessarily “drop-in” replacements. These modules can also be used as
8-channel modules and we recommend that you upgrade new installations to
take advantage of the new features when possible.

The 1756-IF8I provides the current and voltage input option, the 1756-IRT8I
covers the RTD and Thermocouple temperature options while the 1756-OF8I
covers current and voltage outputs. The 8-channel modules can emulate the
6-channel modules and are SIL 1, Systematic Capability 2 type certified.

Figure 17 on page 46 shows the types of SIL 2-certified ControlLogix I/O

modules. Each type, digital or analog, is described in greater detail throughout
the rest of this chapter.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 45

Chapter 5 ControlLogix I/O Modules

Figure 17 - Types of SIL 2-certified I/O Modules

SIL 2-Certified ControlLogix I/O Modules

1756 Digital I/O Modules 1756 Analog I/O Modules

Diagnostic Digital Modules Standard Digital Modules

Input Modules Output Modules,

1756-IF16 including:
Input Modules, Output Modules, Input Modules, Output Modules,
1756-IF16H 1756-OF6CI
including: including: including: including:
1756-IF6CIS 1756-OF6VI
1756-IA8D 1756-OA8D 1756-IA16I 1756-OA16I
1756-IF6I 1756-OF8
1756-IB16D 1756-OB16D 1756-IB16I 1756-OB16I
1756-IF8 1756-OF8I
1756-IB16ISOE 1756-OB16E
1756-IF8I 1756-OF8H
1756-IB32 1756-OB32
1756-IF8H
1756-IH16ISOE 1756-OB8EI
1756-IR6I
1756-OW16I
1756-IRT8I
1756-OX8I
1756-IT6I
1756-IT6I2

IMPORTANT: Some catalog numbers have a K suffix that indicates a version of the product that has conformal coating. These K versions have the same SIL 2
certification as the non-K versions. For more information on which products have conformal coating go to: http://ab.com.rockwellautomation.com/

For SIL 2 compliance when installing ControlLogix I/O modules, follow the
procedures that are provided in the installation instructions. For a full list of
installation instructions for SIL 2-certified modules, see Appendix B.

Using 1756 Digital To achieve SIL 2, two digital input modules must be used, with field sensors
Input Modules wired to channels on each module. The software must compare the two
channels before reconciling the data.

ControlLogix digital input modules are divided into two categories:

• Diagnostic input modules
• Standard input modules

These modules share many of the same inherent architectural characteristics.

However, the diagnostic input modules incorporate features that allow you to
diagnose field-side failures. These features include broken-wire (that is, wire-
off) detection and, in the case of AC Diagnostic modules, loss of line power.

46 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Requirements When Using Any ControlLogix Digital Input Module

Regardless of the type of ControlLogix input module that is used, you must
follow these general application requirements when applying these modules in
a SIL 2 application:
• Ownership – The same controller must own both modules.
• Direct connection – Always use a direct connection with any SIL 2 CL
modules. You must not use rack-optimized connections in a SIL 2
application.
• Separate input points – Wire sensors to separate input points on two
separate modules. The use of two digital input modules is required,
regardless of the number of field sensors.
• Field device testing – Test field devices by cycling them. The closer you
can get to the device being monitored to perform the test, the more
comprehensive the test is.
• Proof tests – Periodically perform a system validation test. Manually or
automatically test all inputs to make sure that they are operational and
not stuck in the ON or OFF state. Inputs must be cycled from ON to OFF
or OFF to ON. For more information, see Proof Tests on page 27.

Wiring ControlLogix Digital Input Modules

This diagram shows two examples of wiring digital inputs. In either case, the
type of sensors being used determines whether the use of 1 or 2 sensors is
appropriate to fulfill SIL 2 requirements.

Figure 18 - ControlLogix Digital Input Module Wiring Example

+ Power

Optional Relay contact or

output point to switch supply
voltage for periodic
automated testing.
Input A1 Input B1
One-sensor Wiring Example Sensor

Input A2 Input B2

Two-sensor Wiring Example Sensor

Sensor
43366

Application logic is used to compare input values for concurrence.

Figure 19 - Logic-comparing Input Values or States

Input A Input B No Faults

Actuator

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 47

Chapter 5 ControlLogix I/O Modules

The user program must also contain rungs to annunciate a fault in the event of
a sustained miscompare between two points.

Figure 20 - Rungs Annunciating a Fault

Input A Input B

Timer

Input A Input B Timer preset in milliseconds to

compensate for filter time and
hardware delay differences.

Timer Done

Fault

Alarm to Operator

The control, diagnostics, and alarming functions must be performed in

sequence. For more information on faults, see Chapter , Faults in the
ControlLogix System.

Using 1756 Digital ControlLogix digital output modules are divided into two categories:
Output Modules • Diagnostic output modules
• Standard output modules

These modules share many of the same inherent architectural characteristics.

However, the diagnostic output modules incorporate features that allow you to
diagnose field-side failures, including:
• No-Load (loss of load) reporting.
• Blown Fuse reporting.
• Output verify.
• Output pulse test.

To achieve SIL 2, a standard output module must be wired back to an input

module for monitoring. Diagnostic digital output modules provide their own
monitoring.

48 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Requirements When Using ControlLogix Digital Output Modules

Wiring the two types of digital output modules differs, depending on your
application requirements (these wiring methods are explained in detail in later
sections). However, regardless of the type of ControlLogix output module
used, you must follow these general application requirements when applying
these modules in a SIL 2 application:
• Proof tests - Periodically perform a system validation test. Manually or
automatically test all outputs to make sure that they are operational and
not stuck in the ON or OFF state. Outputs must be cycled from ON to OFF
or OFF to ON. For more information, see Proof Tests on page 27.
• Examination of output data echoes signal in application logic – The
application logic must examine the Data Echo value that is associated
with each output point to make sure that the requested ON/OFF
command from the controller was received and acted upon by the
module.

In Figure 21, a timer begins to increment for any miscompare between

the controller’s output and the module’s Data Echo feedback. The
discrepancy timer must be set to accommodate the delay between the
controller output data and the module’s Data Echo response. The time
value that is chosen must consider various system RPIs and network
latency. If a miscompare exists for longer than that time, a fault bit is set.

Figure 21 - Data Echo Discrepancy-Timer Logic

Application Logic No Faults

Actuator

Output Bit Data Echo

Timer

Output Bit Data Echo

Fault
Secondary
Output
Timer Done

Fault

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence. For more information on faults, see Chapter , Faults in the
ControlLogix System.
• Use of external relays to disconnect module power if output
de-energized state is critical. To verify that outputs de-energize, you
must wire an external relay or other measure, that can remove power
from the output module if a short or other fault is detected. See Figure 22
on page 51 for an example method of wiring an external relay.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 49

Chapter 5 ControlLogix I/O Modules

• Test outputs at specific times to make sure that they are operating
properly. The method and frequency of testing is determined by the
requirements of the safety application. For more information on how to
test diagnostic module outputs, see page 50. For more information on
how to test standard module outputs, see page 51.
• For typical emergency shutdown (ESD) application outputs must be
configured to de-energize: When configuring any ControlLogix output
module, each output must be configured to de-energize in the event of a
fault and in the event of the controller going into Program mode. For
exceptions to the typical ESD applications, see Chapter 1, SIL Policy on
page 9.
• When wiring two digital output modules in series so that one can break
source voltage (as shown in Figure 26 on page 53), one controller must
own both modules.

Wiring ControlLogix Digital Output Modules

Diagnostic digital output modules and standard output modules have

different wiring considerations. Reference the module-type considerations
that apply to your system configuration.

Wiring Diagnostic Digital Output Modules

Diagnostic output modules have circuitry that is not included in standard

output modules. Because of this feature, you are not required to use an input
module to monitor output status, as is required with standard output modules.

Diagnostic output modules can be used as-is in a SIL 2 application. No special

wiring considerations have to be employed other than the wiring of the
external relay or other measures to remove line power from the module in the
event of a fault to make sure that outputs de-energize if shorted.

In addition to referencing the Requirements When Using ControlLogix Digital

Output Modules on page 49 for limited high demand applications, test output
modules (that is, when you turn the outputs ON and OFF to verify proper
operation) once every 8 hours. High demand applications are limited to 10
demands per year for ControlLogix SIL 2 systems.

For more information on performing the pulse test, see the ControlLogix
Digital I/O Modules User Manual, publication 1756-UM058.

50 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Figure 22 - ControlLogix Diagnostic Output Module Wiring

V-/L2 V+/L1 Relays may also be included as

Secondary
shown in position A to interrupt
Output
power on a per point basis.
V+/L1

This normally-open contact (held closed) must represent

the healthy operation of the controller and safety I/O Output
modules. Safety I/O status can be restricted to inputs Actuator
directly affecting outputs on the specific module, or this
contact can represent the healthy status of all safety
inputs and the controller. The module used to control this
relay must follow SIL 2 output guidelines. This module
must also be considered during PFD analysis for each
safety function. We recommend the use of a recognized
safety relay or contactor. 43365

Figure 23 - Diagnostic Output Logic

Application Logic Output Fault

Actuator

Data Echo Actuator

Timer

Data Echo Actuator

Fault
Secondary
Output

Timer Done

Fault

Fault
Alarm to
Operator

Output Fault contact must represent module and channel diagnostics.

Wiring Standard Digital Output Modules

When using standard (non-diagnostic) output modules, you must wire each
output to its field device and also to a system input to monitor the
performance. To verify output performance, use one of these methods:
• Write logic to test the ability of the output to turn ON and OFF at
power-up.
• At the proof test interval, force the output ON and OFF and use a
voltmeter to verify output performance.

For limited high demand applications, test the output modules (that is, you
turn the outputs ON and OFF to verify proper operation) once every 8 hours.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 51

Chapter 5 ControlLogix I/O Modules

High demand applications are limited to 10 demands per year for ControlLogix
SIL 2 systems.

See Requirements When Using ControlLogix Digital Output Modules on

page 49.

Figure 24 - ControlLogix Standard Output Module Wiring

Standard Output Standard Input

Module Module

Wire output point to

input point to verify
V-/L2 V+/L1 the correct state of
Secondary
Output the output.
V+/L1 Input
This normally open contact (held closed) must
represent the healthy operation of the controller
and safety I/O modules. Safety I/O status can be Output Actuator V-/L2
restricted to inputs that affect outputs directly on
the specific module. This contact can represent
the healthy status of all safety inputs and the
controller. The module that is used to control this
relay must follow SIL 2 output guidelines. This
module must be also considered during PFD
analysis for each safety function.
43363

Write the application logic to generate a fault in the event of a miscompare

between the controller, the actual output state, and the monitored input. The
monitoring input module does not have to meet SIL 2 guidelines. The only
requirement is that the module is in the list that is located in SIL 2-certified
ControlLogix System Components on page 101.

Figure 25 - Comparison Logic for Requested Versus Actual Output

Application Logic Output Fault

Actuator

Output Data Echo Monitoring Input Timer must be preset in

milliseconds to
Timer accommodate
communication times of
Output Data Echo Monitoring Input echo signal and filter time
of input.

Fault
Secondary
Output

Timer Done

Fault

Fault
Alarm to
Operator

Output Fault contact must represent module and channel diagnostics.

52 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

The control, diagnostics, and alarm functions must be performed in sequence.

For more information on faults, see Chapter 8, Faults in the ControlLogix
System on page 91.

You can also wire two standard outputs in series to critical actuators. If a
failure is detected, the outputs from each of the output modules must be set to
OFF to make sure that the field devices de-energize. Figure 26 shows how to
wire two isolated, standard outputs in series to critical actuators.

Figure 26 - ControlLogix Standard Output Module Wiring with Two Modules

Standard Isolated Standard Isolated Standard Input
Output Module #1 Output Module #2 Module

Wire output point to

input point to verify the
V-/L2 V+/L1 correct state of the
output.
V+/L1 V+/L1 Input

Output Output Actuator V-/L2

43364

Using 1756 Analog There are a number of general application considerations that you must make
Input Modules when using analog input modules in a SIL 2 application. The following section
describes those considerations specific to the use of analog input modules.

To achieve SIL 2, two analog input modules are required. Field sensors must be
wired to channels on each module and compared within a deadband. Whether
one or two field sensors are required is dependent on the Probability of Failure
on Demand (PFD) value of the sensor.

Conduct Proof Tests

Periodically perform a system validation test. Manually or automatically test all

inputs to make sure that they are operational. Field signal levels must be varied
over the full operating range to make sure that the corresponding channel data
varies accordingly. For more information, see Proof Tests on page 27.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 53

Chapter 5 ControlLogix I/O Modules

Calibrate Inputs

The 6-channel analog input modules must be calibrated periodically, as their

use and application requires. The 8-channel modules do not have a periodic
calibration requirement. ControlLogix I/O modules ship from the factory with
a highly accurate level of calibration. However, because each application is
different, you are responsible for making sure your ControlLogix I/O modules
are properly calibrated for your specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, you can determine a tolerance
band of accuracy for a specific application. You can then measure input values
on multiple channels and compare those values to acceptable values within the
tolerance band. Based on the differences in the comparison, you could then
determine whether recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue. However, we

recommend that you calibrate each analog input at least every three years to
verify the accuracy of the input signal and avoid nuisance application
shutdowns.

Use the Floating Point Data Format

ControlLogix analog input modules perform onboard alarm processing to

validate that the input signal is within the proper range. These features are
only available in Floating Point mode. To use the Floating-Point Data format,
select the Floating Point Data format in the Module Properties dialog box.

Program to Respond to Faults Appropriately

When programming the SIL 2 system, verify that your program examines the
appropriate module fault, channel fault, and channel status bits and responds
by initiating the appropriate fault routine.

Each module communicates the operating status of each channel to the

controller during normal operation. Application logic must examine the
appropriate bits to initiate a fault routine for a given application. For more
information on faults, see Chapter 8, Faults in the ControlLogix System on
page 91.

54 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Program to Compare Analog Input Data

When wiring sensors to two input channels on different modules, the values
from those channels must be compared to each other within the program for
concurrence within an acceptable range for the application, before an output is
actuated. Any miscompare between the two inputs outside the programmed
acceptable range must be annunciated as a fault.

In Figure 27, a user-defined percentage of acceptable deviation (that is,

tolerance) is applied to the configured input range of the analog inputs (that is,
range) and the result is stored (that is, delta). This delta value is then added to
and subtracted from one of the input channels; the results define an acceptable
High and Low limit of deviation. The second input channel is then compared
to these limits to determine if the inputs are working properly.

The input’s OK bit preconditions a Timer run that is preset to accommodate an

acceptable fault response time and any communication filtering lags in the
system. If the inputs miscompare for longer than the preset value, a fault is
registered with a corresponding alarm.

Figure 27 - Comparison Logic for Two Analog Inputs

Inputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance% Input 1 Input 1
Delta High Limit Low Limit

LIM
Low Limit
Inputs OK
Input 2
High Limit

Timer Done
Analog Inputs
Faulted

Analog Inputs Faulted

Alarm to Operator

The control, diagnostics, and alarming functions must be performed in

sequence. For more information on faults, see Chapter 8, Faults in the
ControlLogix System on page 91.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 55

Chapter 5 ControlLogix I/O Modules

Configure Modules

When using identical modules, configure the modules identically, that is, by
using the same RPI, filter values, and so on.

When using different modules for improved diversity, make sure the module’s
scaling of data does not introduce error or fault conditions.

Specify the Same Controller as the Owner

The same controller must own both analog input modules.

You must use Analog Inputs Faulted as a safety status/permissive in respective

safety-related outputs.

Wiring ControlLogix Analog Input Modules

The wiring diagrams that are shown in this section apply to applications that
require two transmitters. The type of transmitter along with the application
requirements determine whether one or two transmitters are required.

Good design practice dictates that each of the two transmitters must be wired
to input terminals on separate modules such that the channel values can be
validated by comparing the two within an acceptable range. Special
consideration must be given when you apply this technique, depending on the
type of module being used.

Wiring the Single-Ended Input Module in Voltage Mode

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 53.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
• Tie all (-) leads of the transmitters together when operating in single-
ended Voltage mode.

Figure 28 shows how to wire an analog input for use in Voltage mode.

56 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Figure 28 - ControlLogix Analog Input Module Wiring in Voltage Mode

Ch0 + Ch0 + (+)

Voltage
Transmitter A
(–)
Ch0 – Ch0 –

(+)
Voltage
Transmitter B
(–)

43368

Figure 29 shows how to wire a SIL 2 transmitter to two analog input modules
configured for voltage mode.

Figure 29 - ControlLogix Analog Input Module Wiring in Voltage Mode

Ch0 + Ch0 + (+)

SIL 2 Transmitter Voltage

Output Source
Ch0 – Ch0 –
(–)

Wiring the Single-ended Input Module in Current Mode

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 53.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
• Place devices correctly in the current loop. You can locate other devices in
the current loop of an input channel anywhere as long as the current
source can provide sufficient voltage to accommodate all voltage drops.
Each module input is 250 .

Figure 30 and Figure 31 show how to wire an analog input for use in Current
mode.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 57

Chapter 5 ControlLogix I/O Modules

Figure 30 - ControlLogix Analog Input Module Wiring in Current Mode

Ch0 + Ch0 +

Current
Source A
Ch0 – Ch0 –

Current
Source B

43369

Figure 31 - ControlLogix Analog Input Module Wiring for Isolated Channels (in Current mode)

Ch0 + Ch0 +

SIL 2 Transmitter-Current
Output Source
Ch0 – Ch0 –

If you use single-ended channels, use a 1492-TAIFM16-F-3 termination board

and two 1492-ACABLE010UA cables to split the current sensor into two single-
ended channels that are configured for Voltage mode.

58 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Figure 32 - Analog Input Wiring Example with Termination Boards(1)

Analog Input Module A Analog Input Module B
Input Values from Field Devices Input Values from Field Devices

All configured for 0...5V operation. All configured for 0...5V operation.

Solid-state switch controlled

by DC output.

Reference Voltages

1492 Cable to 1756-IF16,

Module A

Module B
DIP Switch for Sensor
Wiring

Precision 249 
Resistor*
*4-20mA converted to 0-5Vdc

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in

4...20 mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Transmitter
Two-wire

Wiring the Thermocouple Input Module

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 53.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
• Wire to same input channel on both modules. When you wire
thermocouples, wire two in parallel to two modules. Use the same
channel on each module to make sure of consistent temperature
readings.

Figure 33 on page 60 shows how to wire the 1756-IT6I, 1756-IT6I2,

or 1756-IR8TI modules.

(1) See ControlLogix SIL 2 System Configuration Using RSLogix 5000® Subroutines, publication 1756-AT012 for more information.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 59

Chapter 5 ControlLogix I/O Modules

Figure 33 - ControlLogix Analog Thermocouple Module Wiring

Ch0 + Ch0 +

Thermocouple A

RTN RTN

Thermocouple B

43370

Wiring the RTD Input Module

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 53.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
• Use two sensors. RTDs cannot be wired in parallel without severely
affecting their accuracy.

Figure 34 shows how to wire the 1756-IR6I or 1756-IR8TI modules.

Figure 34 - ControlLogix Analog RTD Module Wiring

Ch0 A Ch0 A

RTD A

Ch0 B Ch0 B

RTN RTN

RTD B

43371

60 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Using 1756 HART Analog The Highway Addressable Remote Transducer (HART) analog modules must
Input Modules be used according to the same considerations as other analog input modules.

IMPORTANT HART protocol must not be used for safety-related data.

Wiring the HART Analog Input Modules

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 53.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
Figure 35 - HART Input Analog Module Wiring

Ch0 + Ch0 +

Sensor

Ch0 -
Ch0 -

Sensor

Using 1756 Analog Output There are a number of general application considerations that you must make
Modules when using analog output modules in a SIL 2 application. An analog output
module, along with an analog input module is required to monitor to achieve
SIL 2. The following sections describe those considerations specific to the use
of analog output modules.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 61

Chapter 5 ControlLogix I/O Modules

Considerations for Using Analog Output Modules

IMPORTANT It is strongly recommended that you do not use analog outputs to

execute the safety function that results in a safe state. Analog output
modules are slow to respond to an ESD command and are therefore not
recommended for use ESD output modules.
The use of digital output modules and actuators to achieve the ESD
de-energized state is recommended.

Conduct Proof Tests

Periodically perform a system validation test. Manually or automatically test all

outputs to make sure that they are operational. Field signal levels should be
varied over the full operating range to make sure that the corresponding
channel data varies accordingly. For more information, see Proof Tests on
page 27.

Calibrate Outputs

Calibrate the analog output modules periodically, as their use and application
requires. ControlLogix I/O modules ship from the factory with a highly
accurate level of calibration. However, because each application is different,
you are responsible for making sure your ControlLogix I/O modules are
properly calibrated for your specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, to determine whether you need to
recalibrate an output module, you can determine a tolerance band of accuracy
for a specific application. You can then measure output values on multiple
channels and compare those values to acceptable values within the tolerance
band. Based on the differences in the comparison, you could then determine
whether recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue. However, we

recommend that you calibrate each analog output module at least every three
years to verify the accuracy of the signal and avoid nuisance application
shutdowns.

Use the Floating Point Data Format

ControlLogix analog output modules perform onboard alarm processing to

validate that the input signal is within the proper range. These features are
only available in Floating Point mode. To use the Floating Point Data format,
select the Floating Point Data format in the Module Properties dialog box. The
1756-OF8I profile only offers a floating point option which is labeled ‘Output
Data’ as the Connection choice.

62 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Program to Respond to Faults Appropriately

When programming the SIL 2 system, verify that your program examines the
appropriate module fault, channel fault, and channel status bits and responds
by initiating the appropriate fault routine.

Each module communicates the operating status of each channel to the

Configure Outputs to De-energize in ESD Applications

For typical emergency shutdown (ESD) applications, outputs must be

configured to de-energize. When configuring any ControlLogix output
module, each output must be configured to de-energize in the event of a fault
and if the controller goes into Program mode. For exceptions to the typical
ESD applications, see Chapter 1, SIL Policy on page 9.

Monitor Channel Status

You must wire each analog output to an actuator and then back to an analog
input to monitor the performance of the output, as shown in Figure 37. The
application logic must examine the analog input (feedback value) associated
with each analog output to make sure that the output from the controller was
received correctly at the actuator. The analog output value must be compared
to the analog input that is monitoring the output to make sure that the value is
within an acceptable range for the application.

In the ladder diagram in Figure 36, a user-defined percentage of acceptable

deviation (that is, tolerance) is applied to the configured range of the analog
input and output and the result is stored (that is, delta). This delta value is then
added to and subtracted from the monitoring analog input channel; the results
define an acceptable high and low limit of deviation. The analog Output Echo
is then compared to these limits to determine if the output is working
properly.

The OK output bit preconditions or the Timer run is preset to accommodate an

acceptable fault response time and any communication filtering, or output,
lags in the system. If the monitoring input value and the Output Echo
miscompare for longer than the preset value, a fault is registered with a
corresponding alarm.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 63

Chapter 5 ControlLogix I/O Modules

Figure 36 - Monitoring an Analog Output with an Analog Input

Outputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance% Monitoring input Monitoring input
Delta High Limit Low Limit

LIM
Low Limit
Outputs OK
Output Echo
High Limit

Fault
Secondary
Output
Timer Done

Outputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

Specify the Same Controller as the Owner

The same controller must own both analog modules.

Wiring ControlLogix Analog Output Modules

In general, good design practice dictates that each analog output must be
wired to a separate input terminal to make sure that the output is functioning
properly.

Wiring the Analog Output Module in Voltage Mode

Make sure you:

• Review the considerations in Considerations for Using Analog Output
Modules on page 62.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.

Figure 37 shows how to wire the 1756-OF8 module for use in Voltage mode.

64 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 5 ControlLogix I/O Modules

Figure 37 - ControlLogix Analog Output Module Wiring in Voltage Mode

Analog Output Module Analog Input Module This normally open relay is controlled by the status of
the rest of the ControlLogix system. If a short-circuit
or fault occurs on the module, the relay can
disconnect power to the module. The module that is
used to control this relay must follow SIL 2 output
guidelines. This module must also be considered
during PFD analysis for each safety function.
(+) (+) Actuator Use a signal-grade relay using bifurcated or similar
Secondary grade contacts. The relay can be located in a position
Output to remove power to an actuator, or can remove
power to multiple actuators depending on the
(–) (–)
granularity needed.

43377

Wiring the Analog Output Module in Current Mode

Make sure you:

• Review the considerations in Considerations for Using Analog Output
Modules on page 62.
• Use the correct documentation (listed in Additional Resources on page 8)
to wire the module.
• Place devices correctly in the current loop. You can locate other devices in
a current loop of the output channel anywhere as long as the current
source can provide sufficient voltage to accommodate all voltage drops
(each module output is 250 ).

Figure 38 shows how to wire the 1756-OF8 module for use in Current mode.

Figure 38 - ControlLogix Analog Output Module Wiring in Current Mode

Analog Output Module Analog Input Module
This normally open relay is controlled by the status of the rest of the
ControlLogix system. If a short-circuit or fault occurs on the module,
the relay can disconnect power to the module. The module that is used
to control this relay must follow SIL 2 output guidelines. This module
must also be considered during PFD analysis for each safety function.
Use a signal-grade relay using bifurcated or similar grade contacts.
(+) (+)
The relay can be located in a position to remove power to an actuator,
or can remove power to multiple actuators depending on the
granularity needed.
(–) Actuator
(–)
Secondary
Output

43376

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 65

Chapter 5 ControlLogix I/O Modules

Using 1756 HART Analog Use the Highway Addressable Remote Transducer (HART) analog modules
Output Modules according to the same considerations as other analog output modules. For an
illustration of how to wire the HART analog output modules, see Wiring the
HART Analog Output Modules on page 66.

IMPORTANT HART protocol must not be used for safety-related data.

Wiring the HART Analog Output Modules

Make sure you:

• Review the considerations in Wiring ControlLogix Analog Output
Modules on page 64.
• Use the correct documentation (listed in Appendix ) as a reference when
wiring the module.
Figure 39 - HART Output Analog Module Wiring

Input Module Output Module

Secondary
Output

Ch0+ Ch0+

Actuator

Ch0- Ch0-

Ch1+ This normally open relay is controlled by the status of the rest of the ControlLogix system.
If a short-circuit or fault occurs on the module, the relay can disconnect power to the
module. The module that is used to control this relay must follow SIL 2 output guidelines.
This module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay using bifurcated or similar grade contacts. The relay can be
Ch1-
located in a position to remove power to an actuator, or can remove power to multiple
actuators depending on the granularity needed.

66 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6

FLEX I/O Modules

Overview of FLEX I/O There are two types of SIL 2-certified FLEX™ I/O modules:
Modules • Digital I/O modules
• Analog I/O modules

FLEX I/O modules are designed with inherent features that allow them to
comply with the requirements of the 61508 Standard. For example, the
modules all have a common backplane interface, execute power-up and
runtime diagnostics, and offer electronic keying.

Using 1794 Digital To achieve SIL 2, two digital input modules must be used, with field sensors
Input Modules wired to channels on each module. The two digital modules must be on
separate 1794 rails. Use the software to compare the two channels before you
reconcile the data.

Requirements When Using FLEX I/O Digital Input Modules

Regardless of the type of FLEX I/O input module that is used, there are a
number of general application considerations that you must follow when
applying these modules in a SIL 2 application:
• Proof tests—Periodically a system validation test must be performed.
Manually, or automatically, test inputs to make sure that all inputs are
operational and not stuck in the ON or OFF state. Inputs must be cycled
from ON to OFF or OFF to ON.
• Configuration parameters (for example, RPI, filter values) must be
identical between the two modules.
• The same controller must own both modules.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 67

Chapter 6 FLEX I/O Modules

Wiring FLEX I/O Digital Input Modules

The wiring diagrams in Figure 40 show two methods of wiring the digital
input module. In either case, you must determine whether the use of 1 or 2
sensors is appropriate to fulfill SIL 2 requirements.

Figure 40 - ControlLogix® Digital Input Module Wiring

One-Sensor Wiring Example
+24V dc
Input 1 Input 2
Optional relay contact
24VDC SINK INPUT
1794-IB16
24VDC SINK INPUT
1794-IB16 to switch line voltage
for periodic automated
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
testing
Input SIL2 SENSOR
COM
+24V

Two-Sensor Wiring Example

Input 1 Input 2

1794-IB16 1794-IB16
24VDC SINK INPUT 24VDC SINK INPUT

Input
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1
SENSOR
COM
+24V

1
Note 1: Both sensors are monitoring the same safety application. SENSOR 43366

Application logic can compare input values or states for concurrence.

Figure 41 - Compare Input Values

Input A Input B
Actuator

The user program must also contain rungs to annunciate a fault if there is a
sustained miscompare between two points.

Figure 42 - Annunciate a Fault

Input A Input B

Timer

Input A Input B
Timer preset in milliseconds to
compensate for filter time and
hardware delay differences.
Timer Done
Fault

Fault
Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

68 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Using 1794 Digital To achieve SIL 2, the output module must be wired back to an input module for
Output Module monitoring.

Considerations When Using FLEX I/O Digital Output Modules

Regardless of the type of FLEX I/O output module that is used, there are a
number of general application considerations that you must follow when
applying these modules in a SIL 2 application:
• Proof tests- Periodically a System Validation test must be performed.
Manually, or automatically, test outputs to make sure that all outputs are
operational and not stuck in the ON or OFF state. Outputs must be cycled
from ON to OFF or OFF to ON.
Figure 43 - Testing Outputs
Application Logic
Application Logic Output
Output Fault
Fault

Actuator
Actuator

Output Bit
Output Bit Monitoring Input
Monitoring Input

Timer
Timer
Output Bit
Output Bit Monitoring Input
Monitoring Input

Timerdone
Timer Done

Fault
Fault

Fault
Fault
Alarm
Alarmto Operator
to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• Use external relays to disconnect actuator power if output de-
energization is critical. To make sure that outputs can de-energize, you
must wire an external method that can remove power from the actuator
if a short or other fault is detected.
• Test outputs at specific times to make sure that they are operating
properly. The type of module determines the test method and frequency.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 69

Chapter 6 FLEX I/O Modules

Wiring FLEX I/O Digital Output Modules

When using standard output modules, you must wire an output to an actuator
and then back to an input to monitor the performance of the output.

Figure 44 - FLEX I/O Standard Output Module Wiring

Standard Digital Output Module Wire output point to input Standard Digital Input Module
point to verify the correct
COM +24V state of the output.
1794-OB16 1794-IB16
24VDC SOURCE OUTPUT
24VDC SINK INPUT

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

A
COM
24V DC

Output B

Actuator

43363

IMPORTANT: Other configurations are possible as long they are SIL 2 approved.

Install a relay in position A or B. This relay is controlled by another output in the ControlLogix/FLEX I/O system. If a short circuit or fault occurs on output modules, the relay can
disconnect power to the modules. An isolated relay output module (1794-OW8) can be used for this purpose when it is connected to a different 1794-ACN15 or 1794-ACNR15 ControlNet®
adapter module.

Write application logic so that it generates a fault if there is a miscompare

between the requested state of an output (echo) and the actual output state
that is monitored by an input channel (see Figure 43 on page 69).

The control, diagnostics, and alarm functions must be performed in sequence.

You can also wire a standard-digital output module in series with an isolated
relay output module in series with a critical actuator. If a failure is detected,
the output from both output modules must be set to OFF to make sure the
Output Loads de-energize.

See Figure 45 on page 71 for detailed information about how to wire an output
module with an isolated relay module.

70 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Figure 45 - ControlLogix/FLEX I/O Standard Output Module Wiring with an Isolated Relay Module
Standard Digital Isolated Relay Output Standard Digital
Output Module Module Input Module
COM +24V Wire output point to
input point to verify the
24VDC SOURCE OUTPUT
1794-OB16
24VDC SOURCE OUTPUT
1794-OB16
correct state of the 24VDC SINK INPUT
1794-IB16

output.
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

COM
Output +24V

Output Actuator

43364

Note 1: An external relay can be replaced with an isolated relay module that is mounted in another FLEX I/O rail.

Using 1794 Analog To achieve SIL 2, two analog input modules are required. Field sensors must be
Input Modules wired to channels on each module and compared within a deadband. Whether
one or two field sensors are required is dependent on the Probability of Failure
on Demand (PFD) value of the sensor.

Considerations When Using FLEX I/O Analog Input Modules

You must follow these general application considerations when applying these
modules in a SIL 2 application:
• Proof tests. Periodically a System Validation test must be performed.
Manually, or automatically, test inputs to make sure that all inputs are
operational. Vary the field signal levels over the full operating range to
make sure that the corresponding channel data varies accordingly.
• Calibrate inputs periodically, as necessary. FLEX I/O modules ship from
the factory with a highly accurate level of calibration. However, because
each application is different, you are responsible for making sure their
FLEX I/O modules are properly calibrated for their specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, to determine whether an
input module needs to be recalibrated, you can determine a tolerance
band of accuracy for a specific application. You can then measure input
values on multiple channels and compare those values to acceptable
values within the tolerance band. Based on the differences in the
comparison, you could then determine whether recalibration is
necessary.

Calibration (and subsequent recalibration) is not a safety issue.

However, we recommend that you calibrate each analog input at least
every 3 years to verify the accuracy of the input signal and avoid nuisance
application shutdowns.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 71

Chapter 6 FLEX I/O Modules

• Compare analog input data and annunciate miscompares. When wiring

sensors to two input channels, the values from those channels must be
compared to each other for concurrence within an acceptable range for
the application before actuating an output. Any miscompare between the
two inputs outside the programmed acceptable range must be
annunciated as a fault.

In Figure 46 on page 72, a user-defined percentage of acceptable

deviation (tolerance) is applied to the configured input range of the
analog inputs (range) and the result is stored (delta). This delta value is
then added to and subtracted from one of the input channels; the results
define an acceptable High and Low limit of deviation. The second input
channel is then compared to these limits to determine if the inputs are
working properly.

The OK bit input preconditions a Timer run that is preset to

accommodate an acceptable fault response time and any communication
filtering lags in the system. If the inputs miscompare for longer than the
preset value, a fault is registered with a corresponding alarm.

Figure 46 - Logic for Comparing Analog Input Data

Inputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance % Input 1 Input 1
Delta High Limit Low Limit

LIM
Low Limit
Inputs OK
Input 2
High Limit

Timer Done

Inputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• Configuration parameters (for example, RPI, filter values) must be
identical between the two modules.
• The same controller must own both modules.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.
• Wire sensors to separate input channels on two separate modules that
are on different network nodes.

72 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Wiring FLEX I/O Analog Input Modules

The wiring diagrams in this section show two methods of wiring the analog
input module. In either case, you must determine whether the use of one or
two sensors is appropriate to fulfill SIL 2 requirements.

Figure 47 - FLEX I/O Analog Input Module Wiring

One-Sensor Wiring Example

Input 1 Input 2

Input SIL2 SENSOR

COM
+24V

Two-Sensor Wiring Example

Input 1 Input 2

Input 1
SENSOR
COM
+24V

1
SENSOR
43366A
Note 1: Both sensors are monitoring the same safety application.

Wiring the Single-ended Input Module in Voltage Mode

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 71, make sure that you use the correct documentation to wire
the module.

Figure 48 - FLEX I/O Analog Input Module Wiring in Voltage Mode

Analog Input Analog Input

1794-IE8 1794-IE8

1794-TB3 + - 1794-TB3
+ -
Voltage Voltage
Transmitter A Transmitter B

Analog Input Analog Input

1794-IF4I 1794-IF4I

1794-TB3 + - 1794-TB3
+ -

Voltage Voltage
Transmitter A Transmitter B

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 73

Chapter 6 FLEX I/O Modules

Wiring the Single-ended Input Module in Current Mode

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 71, before wiring the module, consider the following
application guideline:

Place other devices in current loop. You can locate other devices in a current
loop of an input channel anywhere as long as the current source can provide
sufficient voltage to accommodate all voltage drops (each module input is 250
).

Figure 49 - FLEX I/O Analog Input Wiring in Current Mode

1794-IE8 Analog Input Analog Input

1794-IE8 1794-IE8

1794-TB3 1794-TB3

Current RET RET

Current
Source A
Source B

Analog Input Analog Input

1794-IF4I 1794-IF4I

1794-TB3 1794-TB3

Current RET Current RET

Source A Source B

74 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Wiring the Thermocouple Input Module

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 71 and before wiring the module, consider the following
application guideline:

Wire to the same input channel on both modules. When wiring

thermocouples, wire two in parallel to two modules. Use the same channel on
each module to make sure of consistent temperature readings.

Figure 50 - FLEX I/O Analog Thermocouple Module Wiring

Thermocouple Thermocouple
1794-IT8 1794-IT8
Input Module Input Module

1794-TB3T 1794-TB3T

+ +

- -

Thermocouple/ Thermocouple/
RTD/mV 1794-IRT8 RTD/mV 1794-IRT8
Input Module Input Module

1794-TB3G 1794-TB3G

+ +

- -

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 75

Chapter 6 FLEX I/O Modules

Wiring the RTD Input Module

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 71 and before wiring the module, consider the following
application guideline:

RTDs cannot be wired in parallel without severely affecting their accuracy.

Two sensors must be used.

Figure 51 - FLEX I/O Analog RTD Module Wiring

RTD 1794-IR8 RTD 1794-IR8

Input Module Input Module

1794-TB3T 1794-TB3T

3-wire RTD

Thermocouple/ Thermocouple/
RTD/mV RTD/mV
1794-IRT8 1794-IRT8
Input Module Input Module

1794-TB3G 1794-TB3G

4-wire RTD

Two-, three-, or four-wire RTDs can be used as applicable to the associated RTD input module.

Using 1794 Analog An analog output module, along with an analog input module for monitoring
Output Modules is required to achieve SIL 2.

IMPORTANT We strongly recommended that you do not use analog outputs to

76 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Requirements When Using FLEX I/O Analog Output Modules

Follow these general application considerations when applying the analog

output modules in a SIL 2 application:
• Proof tests - Periodically a System Validation test must be performed.
Manually, or automatically, test outputs to make sure that all outputs are
operational. Vary the channel data over the full operating range to make
sure that the corresponding field signal levels vary accordingly.
• Calibrate outputs periodically, as necessary. FLEX I/O modules ship
from the factory with a highly accurate level of calibration. However,
because each application is different, you are responsible for making
sure their FLEX I/O modules are properly calibrated for their specific
application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, you can determine a
tolerance band of accuracy for an application to determine if the output
module needs recalibrated.

Then you can measure output values on multiple channels and compare
those values to acceptable values within the tolerance band. Based on the
differences in the comparison, you could then determine whether
recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue.

However, we recommend that you calibrate each analog output at least
every three years to verify the accuracy of the input signal and avoid
nuisance application shutdowns.
• For typical emergency shutdown (ESD) applications, outputs must be
configured to de-energize. When configuring any FLEX I/O output
module, each output must be configured to de-energize in the event of a
fault and if the controller goes into Program mode.
• Wire outputs back to inputs and examine output-data feedback signal.
You must wire an analog output to an actuator and then back to an
analog input to monitor the performance of the output. (The use of
feedback transmitters to verify that the performance is acceptable.) The
application logic must examine the Data Feedback value that is
associated with each output point. This examination makes sure that the
requested output command from the controller was sent and the module
received it. The value must be compared to the analog input that is
monitoring the output to make sure that the value is in an acceptable
range for the application.

The ladder diagram in Figure 52, a user-defined percentage of acceptable

deviation (tolerance) is applied to the configured range of the analog
input and output (range) and the result is stored (delta). This delta value
is then added to and subtracted from the monitoring analog-input
channel; the results define an acceptable High and Low limit of
deviation. The analog Output Feedback is then compared to these limits
to determine if the output is working properly.

The OK bit precondition for the output is a Timer run that is preset to
accommodate an acceptable fault response time, any communication
filtering, or output, and lags in the system. If the monitoring input value
and the Output Feedback miscompare are longer than the preset value, a
fault is registered with a corresponding alarm.
Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 77
Chapter 6 FLEX I/O Modules

Figure 52 - Monitoring an Analog Output with an Analog Input

Outputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance % Monitoring input Monitoring input
Delta High Limit Low Limit

LIM
Low Limit
Output Feedback Outputs OK
High Limit

Timer Done

Outputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• The same controller owns the AO modules, the DO module that drops
power to the AO, and the AI monitoring module
• The AO module and the DO that controls power to it must be on separate
FLEX rails. They must not share a FLEX adapter.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

78 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 6 FLEX I/O Modules

Wiring FLEX I/O Analog Output Modules

In general, good design practice dictates that each analog output must be
wired to a separate input terminal to make sure that the output is functioning
properly.

Wiring the Analog Output Module in Voltage Mode

You must wire analog outputs to an actuator and then back to an analog input
to monitor the output performance.

Figure 53 - Analog Input Module Wiring Example

1794-OE4 1794-IE8

Analog Output Analog Input

Module Module

1794-TB3 1794-TB3
V RET Secondary
Output

Actuator

1794-OF4I 1794-IF4I

Isolated Analog Isolated Analog

Output Module Input Module

1794-TB3 1794-TB3
V RET Secondary
Output

Actuator

This normally open relay is controlled by the status of the rest of the ControlLogix system. If a short-circuit or fault occurs on
the module, the relay can disconnect power to the module. The module that is used to control this relay must follow SIL 2 output
guidelines. This module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay using bifurcated or similar grade contacts. The relay can be located in a position to remove power to
an actuator, or can remove power to multiple actuators depending on the granularity needed.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 79

Chapter 6 FLEX I/O Modules

Wiring the Analog Output Module in Current Mode

Along with following the Requirements When Using FLEX I/O Analog Output
Modules on page 77, consider the following application guideline before wiring
the module in Current mode:

Place other devices in current loop. You can locate other devices in a current
loop for the output channel anywhere as long as the current source can provide
sufficient voltage to accommodate all voltage drops.

Figure 54 - Analog Output Wiring Example

1794-OE4 1794-IE8

Analog Output Analog Input

Module Module

1794-TB3 1794-TB3

Actuator
Secondary
Output

1794-OF4I 1794-IF4I

Isolated Analog Isolated Analog

Output Module Input Module

1794-TB3 1794-TB3
Secondary
Output

Actuator

This normally open relay is controlled by the status of the rest of the ControlLogix system. If a short-circuit or fault occurs on the module,
the relay can disconnect power to the module. The module that is used to control this relay must follow SIL 2 output guidelines. This
module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay using bifurcated or similar grade contacts. The relay can be located in a position to remove power to an actuator,
or can remove power to multiple actuators depending on the granularity needed.

80 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 7

Requirements for Application Development

Software for The application software for the SIL 2-related automation system is created
SIL 2-Related Systems using the programming tool, that is, RSLogix 5000® software or the Studio
5000 Logix Designer® application, according to IEC 61131-3.

The application program has to be created by using the programming tool and
contains the specific equipment functions that the ControlLogix® system
implements. Parameters for the operating function are also entered into the
system with the programming software.

SIL 2 Programming The safety concept of the SIL 2 ControlLogix system assumes the following:
• The user who is responsible for creating, operating, and maintaining the
application is fully qualified, specially trained, and experienced in safety
systems.
• The programming software is installed correctly.
• Control system hardware is installed in accordance with product
installation guidelines.
• User application code (user program) uses common and good design
practices.
• A test plan is documented and adhered to, including well-understood
proof test requirements and procedures.
• A well-designed validation process is defined and implemented.

For the initial startup of a safety-related ControlLogix system, the entire

system must successfully complete a functional test. After a modification of
the application program, the modified program or logic must be checked.

For more information on how you handle changes to the application program,
see Changing Your Application Program on page 88.

Programming Languages It is good engineering practice to keep safety-related logic as simple and easy
to understand as possible. The preferred language for safety-related functions
is ladder logic, followed by function block. Structured text and sequential
function chart are not recommended for safety-related functions. Use of the
SequenceManager™ feature is not recommended for safety-related functions.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 81

Chapter 7 Requirements for Application Development

Programming Options Pre-programmed SIL 2 I/O Add-On Instructions can be used in RSLogix 5000
software or the Studio 5000 Logix Designer application, version 20 or later. If
you choose to use Add-On Instructions, see the ControlLogix SIL 2 System
Configuration Using SIL 2 Add-On Instructions, publication 1756-AT012.

SIL 2 Add-On Instructions simplify the programming that is required for a SIL
2 system. However, these instructions are not necessarily suitable for use in all
SIL 2 applications and system configurations. Yo must evaluate the suitability
of a SIL 2 Add-On Instruction that is used in a safety-related function.

All Add-On Instructions require the use of hardware termination boards.

IMPORTANT If Program Parameters are used, safety-related tags can be read by

either standard or safety-related logic or other communication devices,
but can be written by only safety-related logic.

Security In the ControlLogix system and in the programming software, protection

mechanisms are available that help prevent unintentional or unauthorized
modifications to the safety system.
• The following tools can be employed for security reasons in a
SIL 2-certified ControlLogix application:
- Source Protection
- FactoryTalk® AssetCentre
- FactoryTalk Security

Each tool offers different levels of granularity. For more information

about these tools, contact your local Rockwell Automation
representative.
• The controller keyswitch must be in the RUN position, and remove the
key during normal operating conditions.
Figure 55 - Keyswitch in Run Mode
Logix557x

RUN FORCE SD OK

REM PR
RUN OG

1756-L6x 1756-L7x

• In RSLogix 5000 software, V18 and later, and in the Studio 5000 Logix
Designer application, tags have two attributes: External Access and
Constant. External Access controls access from external applications like
HMIs. It can have values of Read/Write, Read Only, or None. All SIL 2
safety-related tags should be set to Read Only. The Constant attribute is
either on or off. When enabled, it helps prevent programmatic changes
of a tag's value. Where possible, it is highly recommended to configure
SIL 2 safety-related tags as Constant.

The requirements of the safety and application standards regarding the

protection against manipulations must be observed. The authorization of
employees and the necessary protection measures are the responsibility of the
individuals who start and maintain the SIL 2 safety system.

82 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 7 Requirements for Application Development

Basics of Application A system integrator develops the application program. The developer must
Program Development consider general procedures for programming ControlLogix SIL 2
applications. (does not require independent third-party review).
and Testing
• Specification of the SIL 2 safety control function, including the
following:
- Specifications
- Flow and timing charts
- Engineering diagrams
- Sequence charts
- Program description
- Program review process
• Writing the application program
• Checking by independent reviewer
• Verification and validation

All application logic must be independently reviewed and tested. To facilitate

reviews and reduce unintended responses, limit the set of instructions to basic
Boolean/ladder logic (such as examine On/Off, timers, counters) whenever
possible. Include instructions that can be used to accommodate analog
variables, such as the following:
• Limit tests
• Comparisons
• Math instructions

For more information, see Proof Tests on page 27.

Functional Specification You must create a specification for your control function. Use this
Guidelines specification to verify that program logic correctly and fully addresses the
functional and safety control requirements of your application. The
specification can be in various formats, depending on your application. The
specification must include a detailed description of the following (if applicable):
• Sequence of operations
• Flow and timing diagrams
• Sequence charts
• Program description
• Program print-out
• Written descriptions of the steps with step conditions and actuators to
be controlled, including the following:
- Input definitions
- Output definitions
- I/O wiring diagrams and references
- Theory of operation
• Matrix- or table form of stepped conditions and the actuators to be
controlled, including the sequence and timing diagrams
• Definition of marginal conditions, for example, operating modes,
EMERGENCY STOP, and others
The I/O-portion of the specification must contain the analysis of field circuits,
that is, the type of sensors and actuators.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 83

Chapter 7 Requirements for Application Development

Sensors (digital or analog)

• Signal in standard operation (dormant current principle for digital
sensors, sensors OFF means no signal)
• Determination of redundancies that are required for SIL levels
• Discrepancy monitoring and visualization, including diagnostic logic

Actuators
• Position and activation in standard operation (normally OFF)
• Safe reaction or positions when switching OFF
• Discrepancy monitoring and visualization, including diagnostic logic

Creating the Consider the following when developing the application program logic.
Application Program
Logic and Instructions

The logic and instructions for programming the application must have these
features:
• Easy to understand
• Easy to trace
• Easy to change
• Easy to test
• Well-documented

IMPORTANT Motion-related functions are not allowed anywhere in the application

program and must not be used.

Program Language

You must implement simple, easy to understand program language with these
features:
• Ladder
• Other IEC 61131-3-compliant language
• Function blocks with specified characteristics

We use ladder, for example, because it is easier to visualize and make partial
program changes with this format.

Program Identification

Identify the application program by one of the following:

• Name
• Date
• Revision
• Any other user identification information
84 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021
Chapter 7 Requirements for Application Development

SIL Task/Program Instructions

Include a single SIL task composed of programs and routines in the user
application. The SIL 2 task must be the top priority task of the controller and
the user-defined watchdog must be set to accommodate the SIL 2 task.

IMPORTANT You must dedicate a specific task for safety-related functions and set
that task to the highest priority (1). SIL 2 safety logic and logic that is
intended for use in non-SIL 2 functions must be separate, or everything
in the task containing safety must be treated as safety-related.

Forcing The following rules apply to forcing in a project:

• You must remove forces on all SIL 2 tags and disable forcing before
beginning normal operation for the project.
• You must not force SIL 2 tags after validation is performed and during
controller operation in Run mode.

IMPORTANT Forcing must not be used during normal operation, during final system
test, and validation.

Checking the Application To check safety-related application logic for adherence to specific safety
Program functions, you must generate a suitable set of test cases that cover the safety
specification. The set of test cases must be well-written and filed as the test
specification.

Suitable tests must also be generated for the numeric evaluation of formulas.
Equivalent range tests are acceptable. Suitable tests are tests within defined
value ranges, at the limits, and outside the defined value ranges. The test cases
must be selected to prove the correctness of the calculation. The necessary
number of test cases depends on the formula that is used and must comprise
critical value pairs.

However, active simulation with sources cannot be omitted. It is the only

means to detect the correct wiring of the sensors and actuators to the system.
Furthermore, active simulation is the only means to test the system
configuration. You must verify the correct programmed functions by forcing
I/O or by manual manipulation of sensors and actuators.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 85

Chapter 7 Requirements for Application Development

Verify Download Verify the download of the application program and its proper operation. A
and Operation typical technique is to upload the completed program file and perform a
compare of that file against what is stored in the programming terminal.

IMPORTANT Do not use memory cards to transfer the safety application

automatically. After a safety application is downloaded, you must verify
the download.
The AutoFlash firmware feature is not supported for SIL 2 safety
applications and must not be used.

IMPORTANT If the controller has a USB port, it is intended for temporary local-
programming purposes only and not intended for permanent
connection.

To perform program verification, follow these steps in RSLogix 5000 software

or the Studio 5000 Logix Designer application.

1. With the programming software closed rename the project.

2. Start the programming software, upload the controller project, and save
it.
3. Open the compare tool and select both files.
4. Start the compare operation.
5. Review the compare output results and verify that everything matches
without error.

Project documentation differences can exist.

6. Save the compare results as part of the verification process.
7. Delete the upload file.
8. To maintain project documentation, rename the original project file
(change back) to the original project name.

86 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 7 Requirements for Application Development

Commissioning Lifecycle Figure 56 shows the steps that are required to develop, debug, and commission
an application program.

Figure 56 - Application Development Lifecycle

Generate Functional
Specification

Create Flow
Diagram

Create Timing
Diagrams

Establish Sequence
of Operations

Develop Project Develop Project

Online Offline

Review Program with Download to

Independent Party Controller

Develop Test Plan

Perform Validation
Testing on all Logic

Yes Tests
Pass?

No
Verification
okay? Make more online edits & accept
edits or make more offline edits
and download to CTR

Begin Normal No
Determine what logic has
Project Operation
been Changed or Affected

Perform Validation Testing on

Download to Make project all Changed or Affected Logic
Controller changes

Finish the
Validation Test1

Secure PADT

1
You must periodically repeat the validation test (also known as proof tests) to make sure that module inputs and outputs are functioning properly and as commanded by the
application programming. For more information on proof tests for I/O modules, see Chapter 1, SIL Policy on page 9.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 87

Chapter 7 Requirements for Application Development

Changing Your The following rules apply when you change your application program in
Application Program RSLogix 5000 software or the Studio 5000 Logix Designer application:

IMPORTANT You cannot make program edits while the program is online if the
changes prevent the system from executing the safety function or if
alternative protection methods are not in place.
• Program edits are not recommended and must be limited. For example,
minor changes such as changing a timer preset or analog setpoint are
allowed.
• Only authorized, specially trained personnel can make program edits.
These personnel must use all supervisory methods available, for example,
use the controller keyswitch and software password protections.
• Anyone making data or programming edits to an operational system
assumes the central safety responsibility while the changes are in
progress. These personnel must also maintain safe application
operation.
• Before you make any program edits, perform an impact analysis by
following the safety specification and other lifecycle steps that are
described in Figure 56 on page 87 as if the edits were an entirely
new program.
• Sufficiently document all program edits, including:
- Authorization.
- Impact analysis.
- Execution.
- Test information.
- Revision information.
• Multiple programmers cannot edit a program from multiple
programming terminals simultaneously.
• Changes to the safety application software–in this case, RSLogix 5000
software or the Studio 5000 Logix Designer application– must comply
with IEC 61511 standard on process safety section 11.7.1 Operator
Interface requirements.
• When the ControlLogix controller keyswitch is in the RUN position
(controller is in Run mode), you cannot make online edits.
• Use one of the following methods that are described in Table 3 on page 89
to edit the relay ladder logic portion of the safety program.

88 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 7 Requirements for Application Development

Table 3 - Methods of Changing Your Application Program

Controller
Method Required Steps Keyswitch Key Points to this Method
Position
You must revalidate the entire application
Offline Perform the tasks that are described in the flowchart in Figure 56 on page 87. PROG before returning to normal operation.
1. Turn the controller key to the REM position.
2. To start, accept, test, and assemble your edits, use the Online Edit Toolbar. This is the toolbar.
Start Accept Assemble Test Untest
pending pending rung program program program
rung edit. edits. edits. edits. edits.

The project remains online but operates

in the Remote Run mode. When edits are
completed, you are required to validate
a. Click the start pending rung edits button . A copy is made of the rung you want to only the changed portion of the
edit. application program.
b. Change your application program as needed. The original program is still active in the We recommend that online edits be
controller. Your program changes are made in the copied rungs. Changes do not affect the limited to minor program modifications
outputs until you test program edits in step d. such as setpoint changes or ladder logic
rung additions, deletions, and
c. Click the accept pending rung edits button . Your program changes are verified and REM modifications.
Online
downloaded to the controller. The controller now has the changed program and the original
program. However, the controller continues to execute the original program. You can see IMPORTANT:This option to change the
the state of the inputs, and changes do not affect the outputs. application program is available for
changes to relay ladder logic only. You
d. Click the test program edits button . cannot use this method to change
function block programming.
e. To test the edits, click Yes. For more detailed information on how to
Changes are now executed and affect the outputs; the original program is no longer executed. edit ladder logic while online, see the
However, if you are not satisfied with the test results of the edits, you can discardthe new Logix 5000™ Controllers Quick Start,
publication 1756-QS001.
program by clicking the untest program edits button, if necessary. If you untest the
edits, the controller returns to the original program.

f. Click the assemble program edits button .

g. To assemble the edits, click Yes. The changes are the only program in the controller, and
the original program is discarded.
3. Perform a partial proof test of the portion of the application that is affected by the program
edits.
4. To return the project to Run mode, turn the controller key back to the RUN position. We
recommend that you upload the new program to your programming terminal to help make
sure consistency between the application in the controller and on the programming terminal.
5. Remove the key.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 89

Chapter 7 Requirements for Application Development

Notes:

90 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 8

Faults in the ControlLogix System

Along with providing information on module fault reports, this chapter

explains two example conditions that generate a fault in a SIL 2-certified
ControlLogix® system:
• Keyswitch changing out of Run mode
• High alarm condition on an analog input module

Detect and React to Faults The ControlLogix architecture provides many ways to detect and react to faults
in the system.
• Various device objects can be interrogated to determine the current
operating status.
• Modules provide runtime status of their operation and of the process
that is executing.
• You can configure a ControlLogix system to identify and handle faults,
including such tasks as:
- Developing a fault routine.
- Creating a user-defined major fault.
- Monitoring minor faults.
- Developing a power-up routine.
See the Logix 5000™ Controllers Common Procedures Programming Manual,
publication 1756-PM001, for more information.

It is your responsibility to determine what data is most appropriate for your

application to initiate a shutdown sequence.

To help handle faults, make sure that you have completed the input (see Checklist
for SIL Inputs on page 132) and output (see Checklist for SIL Outputs on page 133)
checklists for their application.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 91

Chapter 8 Faults in the ControlLogix System

Module Fault Reporting for You must verify that all components in the system are operating properly.
Verification can be accomplished in ladder logic by using the Get System Value
Any ControlLogix or FLEX I/O instruction (GSV) and an examination of the MODULE Object Entry Status
Module attribute for a running condition.

An example of how to verify is shown in Figure 57. This method, or something

similar, must be used to interrogate the health of each I/O module in the
system.

Figure 57 - Example of How to Check the Health of a Module in Ladder Logic

GSV AND NEQ

Check Entry Status to

Obtain the MODULE Mask Off Lower 12 Bits of
make sure that the Fault
Object Entry Status Value
module is running.

For more information on the GSV instruction, monitor the SlotStatusBits for
the Input tag of the associated adapter. The lower 8 bits of this tag correspond
to the associated slot. For example, the tag “Node3:I.Slot1StatusBits” is defined
as follows:
• Node 3 is the name that is given to the adapter, in this example, a
1794-ACNR15.
• I indicates the Input file.
• SlotStatusBits is a 32-bit value, where the lower 8 bits correspond to a
FLEX™ I/O module, as shown.

Module 7 Module 6 Module 5 Module 4 Module 3 Module 2 Module 1 Module 0

Check Keyswitch Position The following rungs generate a fault if the keyswitch on the front of the
controller is switched from the RUN position.
with GSV Instruction
Figure 58 - Keyswitch State (Operation mode) Change Logic
GSV
Class: CONTROLLERDEVICE
Attribute: STATUS
Destination: KEYSTATE

KEYSTATE.13
Fault

Fault

Alarm to Operator

92 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 8 Faults in the ControlLogix System

In Figure 58 on page 92, the Get System Value (GSV) instruction interrogates
the STATUS attribute of the CONTROLLERDEVICE object and stores the
result in a word that is called KEYSTATE, where bits 12 and 13 define the state
of the keyswitch as shown in Table 4.

Table 4 - Keyswitch State Bits

Bit 13 Bit 12 Description
0 1 Keyswitch in Run position
1 0 Keyswitch in Program position
1 1 Keyswitch in Remote position

If bit 13 is ever ON, then the keyswitch is not in the RUN position. Examine bit
13 of KEYSTATE for an ON state generates a fault.

It is your responsibility to determine appropriate behavior when a fault is

present.

For more information on the accessing the CTROLLERDEVICE object, see the
Logix 5000 Controllers General Instructions RefeONrence Manual,
publication 1756-RM003.

Examine a 1756 Analog Input ControlLogix analog modules process and compare field data values right on
the module, which allows easy examination of status bits to initiate a fault.
Module’s High Alarm
For example, the 1756-IF8 module can be configured with user-defined alarm
values that, when exceeded, sets a status bit on the module, which is then sent
back to the controller. You can examine the state of these bits to initiate a fault
as shown in Figure 59.

Figure 59 - High Alarm Bit to Trigger Fault

Ch1HAlarmA Ch1HAlarmB Module A Module B
Fault

Fault
Alarm to
Operator

In the example above, the High Alarm bits for channels 1 and 2 are being
examined for a condition to initiate a fault. During operation, as the analog
input module processes analog signals from the field sensors, if the value
exceeds the user-defined value for High Alarm, the alarm bit is set and a fault is
declared.

It is your responsibility to determine appropriate behavior when a fault is

present.

The ControlLogix architecture provides for the detecting and reacting to faults
in the system. Various device objects can be interrogated to determine the
current operating status. Additionally, modules provide runtime status of their
operation and of the process.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 93

Chapter 8 Faults in the ControlLogix System

Additional Resources
Resource Description
Logix 5000 Controllers General Instructions Reference Manual, publication 1756-RM003 Provides information on how to use specific instructions to get and set controller system data
that is stored in device objects
Logix 5000 Controllers Common Procedures Programming Manual, publication 1756-PM001 Provides information on controller fault codes, including major and minor codes and on
creating fault and power-up routines
ControlLogix Analog I/O Modules User Manual, publication 1756-UM009 Provides information on how to access the runtime operational and process status of a
ControlLogix Digital I/O Modules User Manual, publication 1756-UM058 module.

94 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Chapter 9

Use of Human-to-Machine Interfaces

Precautions You must exercise precautions and implement specific techniques on HMI
devices. These precautions include, but are not restricted to the following:
• Limited access and security
• Specifications, testing, and validation
• Restrictions on data and access
• Limits on data and parameters

For more information on how HMI devices fit into a typical SIL loop, see
Figure 10 on page 22.

Use sound techniques in the application software within the HMI and
controller.

IMPORTANT If any changes are needed to the program in the safety loop, they must be done in accordance with IEC 61511-1,
paragraph 11.7.1.5, which states:
‘The Safety Instrumentation System (SIS) operator interface design shall be such as to prevent changes to SIS
application software. Where safety information needs to be transmitted from the basic process control system (BPCS)
to the SIS then systems should be used that can selectively allow writing from the BPCS to specific SIS variables.
Equipment or procedures should be applied to confirm the proper selection has been transmitted and received by the
SIS and does not compromise the safety function of the SIS.’

Accessing Safety-related HMI- related functions consist of two primary activities: reading and
Systems writing data.

Reading Parameters in Safety-related Systems

Reading data is unrestricted because reading doesn’t affect the operation or

behavior of the safety system. However, the number, frequency, and size of the
data being read can affect controller performance. To avoid safety-related
nuisance trips, use good communication practices to limit the impact of
communication processing on the controller. Do not set read rates to the
fastest rate possible.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 95

Chapter 9 Use of Human-to-Machine Interfaces

Changing Safety-related Parameters in SIL-rated Systems

A parameter change in a safety-related loop via an external (that is, outside the
safety loop) device (for example, an HMI) is allowed only with the following
restrictions:
• Only authorized, specially trained personnel (operators) can change the
parameters in safety-related systems via HMIs.
• The operator who changes a safety-related system via an HMI is
responsible for the effect of those changes on the safety loop.
• You must clearly document variables that need changed.
• You must use a clear, comprehensive, and explicit operator procedure to
make safety-related changes via an HMI.
• Changes can only be accepted in a safety-related system if the following
sequence of events occurs.
a. The new variable must be sent twice to two different tags; that is, both
values must not be written to with one command.
b. Safety-related code that executes in the controller, must check both
tags for equivalency and make sure that they are within range
(boundary checks).
c. Both new variables must be read back and displayed on the HMI
device.
d. Trained operators must visually check that both variables are the same
and are the correct value.
e. Trained operators must manually acknowledge that the values are
correct on the HMI screen that sends a command to the safety logic,
which allows the new values to be used in the safety function.

In every case, the operator must confirm the validity of the change before
they are accepted and applied in the safety loop.
• Test all changes as part of the safety validation procedure.
• Sufficiently document all safety-related changes that are made via HMI,
including the following:
- Authorization
- Impact analysis
- Execution
- Test information
- Revision information
• Changes to the safety-related system, must comply with IEC 61511
standard on process safety section 11.7.1 Operator Interface
requirements.
• The developer must follow the same sound development techniques and
procedures that are used for other application software development,
including the verification and testing of the operator interface and its
access to other parts of the program. The controller application software
builds a table that is accessible by the HMI and limits access to required
data points only.
• Similar to the controller program, you must secure and maintain the
HMI software for SIL-level compliance after the system has been
validated and tested.

IMPORTANT The High Speed Jog function is not allowed and must not be used in the
entire project.

96 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix A

Reaction Times of the ControlLogix System

The calculation formulas in this chapter can be used to calculate the worst-case
reaction times for a given change in input or fault condition and the
corresponding output action.

Local Chassis Configuration Figure 60 shows an example system with digital or analog modules where the
following occurs:
• Field signal changes state.
• The data is transmitted to the controller.
• The controller runs its program scan and reacts to the data change.
• The controller transmits data to the output module.
• The output module processes data from the controller and turns the
output device on or off.
Figure 60 - Local Chassis Configuration of Digital or Analog Modules
Input Module Controller Output Module

Remote Chassis Figure 61 shows an example system where the following occurs:
Configuration • Input data changes on the input module.
• The data is transmitted to the controller via the network communication
modules.
• The controller runs its program scan and reacts to the data change,
including new data sent to the output module via the network
communication modules.
• The output module behavior changes based on the new data that is
received from the controller.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 97

Appendix A Reaction Times of the ControlLogix System

Figure 61 - Remote Chassis Configuration of Digital or Analog Modules

Controller Network Network Input Input Output Output
Communication Communication Module Module Module Module
Module Module

Calculating Worst-case The formulas for calculating worst-case reaction times with no system faults
Reaction Time or errors differ slightly for digital or analog I/O modules, as shown in the
following sections.

For Digital Modules

Use this formula to determine worst-case reaction time for digital modules in
local or remote configurations:
Worst-Case Reaction Time with no faults or errors =
(Input Module Delay + Input Filter Time) + (Input Module RPI x 4/8/16… 100 ms)(1) +
(SIL 2 Task Period + SIL 2 Task Watchdog) + (Output Module RPI x 4/8/16… 100 ms)(1) +
(Output Module Delay).

Module delay times are listed in the ControlLogix® I/O Modules Specifications
Technical Data, publication 1756-TD002.

Input filter time is configurable via the Configuration tab on the Module
Properties dialog box in the programming software.
• If the safe state in your application is low, use the On -> Off Input Filter
Time.
• If the safe state in your application is high, use the Off -> On Input Filter
Time.

(1) Multiply the module RPI by 4, then 8, then 16, and so on, until the result is at least 100 ms.

98 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix A Reaction Times of the ControlLogix System

Figure 62 - Digital Module Configuration

Module RPI is configurable via the Connection tab.

For Analog Modules

Use this formula to determine worst-case reaction time for analog modules in
local or remote configurations:
Worst-Case Reaction Time with no faults or errors =
(Real Time Sample (RTS) Rate) +
(Input Module RPI x 4/8/16… 100 ms)(1) + (SIL 2 Task Period + SIL 2 Task Watchdog) +
(Output Module RPI x 4/8/16… 100 ms)(1) + (Output Module Delay).

For this calculation for the 1756-IRT8I or IF8I the RPI should be used in place of the
RTS.

Filter time and RTS are configurable via the Configuration tab on the Module
Properties dialog box in the programming software. Module RPI is
configurable via the Connection tab.

(1) Multiply the module RPI by 4, then 8, then 16, and so on, until the result is at least 100 ms.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 99

Appendix A Reaction Times of the ControlLogix System

Figure 63 - Analog Module Configuration

See the ControlLogix Analog I/O Module User Manual, publication

1756-UM009, for information on setting filter and RTS values.

This calculation for the 1756-IRT8I or 1756-IF8I modules, the RPI should be
used in place of the RTS.

100 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix B

SIL 2-certified ControlLogix System Components

System components that are listed here are certified according to IEC 61508
2010 Edition 2, unless noted in the following tables.

Use only the series versions that are listed in Appendix C. These tables list
publications that are related to these components. Publications are available
from Rockwell Automation by visiting http://www.rockwellautomation.com/
literature.
Table 5 - SIL 2-certified ControlLogix® Components - Hardware
Cat. No.(1) Description Related Documentation
1756-A4, 1756-A7 1756-A10, 1756-A13, 1756-A17 ControlLogix chassis
1756-PA75(2) ControlLogix AC power supply
1756-PB75(2) ControlLogix DC power supply
1756-PA75R ControlLogix AC redundant power supply
1756-PB75R ControlLogix DC redundant power supply
1756-PA72 ControlLogix AC power supply
1756-IN005
1756-PB72 ControlLogix DC power supply
1756-PC75 ControlLogix DC power supply
1756-PH75 ControlLogix DC power supply
ControlLogix redundant power supply chassis adapter
1756-PSCA(3) module
ControlLogix redundant power supply chassis adapter
1756-PSCA2(3) module
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) The 1756-PA75/A and 1756-PB75/A power supplies are no longer available. However, if your existing SIL 2 application uses these power supplies, they are SIL 2 certified.
(3) Existing systems that use the 1756-PSCA and 1756-PSCA2 are SIL 2-certified. However, when implementing new SIL 2-certified systems or upgrading existing systems, we recommend that
you use the 1756-PSCA2 module if possible.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 101

Appendix B SIL 2-certified ControlLogix System Components

Table 6 - SIL 2-certified ControlLogix Components - 1756 Non-redundant Controllers, I/O, and Communication Modules
Cat. No.(1) Description Related Documentation
1756-L61(2) (3) ControlLogix 2 MB controller
1756-L62(2) (3) ControlLogix 4 MB controller
1756-L63(2) (3) ControlLogix 8 MB controller
1756-L71(2) ControlLogix 2 MB controller
1756-UM001
1756-L72(2) ControlLogix 4 MB controller
1756-L73(2) ControlLogix 8 MB controller
1756-L74(2) ControlLogix 16 MB controller
1756-L75(2) ControlLogix 32 MB controller
1756-L61S(2)(3) GuardLogix® controller, 2 MB standard
(2)(3) GuardLogix controller, 4 MB standard
1756-L62S
1756-L63S(2)(3) GuardLogix controller, 8 MB standard
1756-L71S(2) GuardLogix controller, 2 MB standard 1756-UM022
1756-L72S(2) GuardLogix controller, 4 MB standard
1756-L73S(2) GuardLogix controller, 8 MB standard
1756-L73SXT(2) GuardLogix-XT™ controller, 8 MB standard
1756-IA16I ControlLogix AC isolated input module
1756-IA8D ControlLogix AC diagnostic input module
1756-IB16D ControlLogix DC diagnostic input module 1756-UM058
1756-IB16I ControlLogix DC isolated input module
1756-IB32 ControlLogix DC input module
1756-IB16ISOE ControlLogix Sequence of Events module
1756-UM528
1756-IH16ISOE ControlLogix Sequence of Events module
1756-OA16I ControlLogix AC isolated output module
1756-OA8D ControlLogix AC diagnostic input module
1756-OB16D ControlLogix DC diagnostic output module
1756-OB16E ControlLogix DC electronically fused output module
1756-OB16I ControlLogix DC isolated output module 1756-UM058
1756-OB32 ControlLogix DC output module
1756-OB8EI ControlLogix DC isolated output module
1756-OW16I ControlLogix isolated relay output module
1756-OX8I ControlLogix isolated relay output module
1756-IF8 ControlLogix analog input module
1756-IF16 ControlLogix analog input module
1756-UM009
1756-IF6I ControlLogix isolated analog input module
1756-IF6CIS ControlLogix isolated analog input module
1756-IF8H ControlLogix HART analog input module
1756-UM533
1756-IF16H ControlLogix HART analog input module
1756-IF8I ControlLogix isolated analog input module
ControlLogix isolated analog RTD thermocouple input
1756-IRT8I 1756-UM540
module
1756-OF8I ControlLogix isolated analog output module

102 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix B SIL 2-certified ControlLogix System Components

Table 6 - SIL 2-certified ControlLogix Components - 1756 Non-redundant Controllers, I/O, and Communication Modules (Continued)
Cat. No.(1) Description Related Documentation
1756-IR6I ControlLogix RTD input module
1756-IT6I ControlLogix Thermocouple input module
1756-IT6I2 ControlLogix enhanced Thermocouple input module
1756-UM009
1756-OF8 ControlLogix analog output module
1756-OF6CI ControlLogix isolated analog output module
1756-OF6VI ControlLogix isolated analog output module
1756-OF8H ControlLogix HART analog output module 1756-UM533
1756-CNB(4) ControlLogix ControlNet® communication module
1756-CN2 ControlLogix ControlNet communication module CNET-IN005
CNET-UM001
ControlLogix redundant media ControlNet
1756-CN2R communication module
1786-RPFS ControlNet short-distance fiber repeater module 1786-IN012
1786-RPFM ControlNet medium-distance fiber repeater module 1786-IN011
1786-RPFRL ControlNet long-distance fiber repeater module
1786-IN003
1786-RPFRXL ControlNet extra-long-distance fiber repeater module
1786-RPA ControlNet repeater adapter 1786-IN013
1786-RPCD ControlNet Hub repeater module 1786-IN001
ControlLogix redundant media EtherNet/IP™
1756-EN2TR Series B communication module
ENET-IN002
ControlLogix redundant media EtherNet/IP
1756-EN2TR Series C ENET-UM001
communication module
1756-EN2T Series C ControlLogix EtherNet/IP communication module
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) Use of any series B controller requires the use of the series B versions of the 1756-Px75 power supplies.
(3) Certified according to IEC 61508 1999 Edition 1.
(4) Specified ControlNet repeaters may be used in SIL 2 applications. See Chapter 4, ControlLogix Communication Modules for more information.

Table 7 - SIL 2-certified ControlLogix Components - 1756 Redundancy System Components

Cat. No.(1) Description Related Documentation
1756-L61(2) (3) ControlLogix 2 MB controller
(2) (3) ControlLogix 4 MB controller
1756-L62
1756-L63(2) (3) ControlLogix 8 MB controller
1756-L71(2) ControlLogix 2 MB controller
1756-UM001
1756-L72(2) ControlLogix 4 MB controller
1756-L73(2) ControlLogix 8 MB controller
1756-L74(2) ControlLogix 16 MB controller
1756-L75(2) ControlLogix 32 MB controller
1756-CNB ControlLogix ControlNet communication module
ControlLogix redundant media ControlNet
1756-CNBR communication module CNET-IN005
1756-CN2 ControlLogix ControlNet communication module CNET-UM001
ControlLogix redundant media ControlNet
1756-CN2R communication module
1756-EN2T Series C ControlLogix EtherNet/IP communication module
ENET-IN002
1756-EN2TR Series B ControlLogix redundant media EtherNet/IP ENET-UM001
1756-EN2TR Series C communication module
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) Use of any series B controller rzequires the use of the series B versions of the 1756-Px75 power supplies or the redundant power supplies, that is, the 1756-Lx75R power supplies.
(3) Certified according to IEC 61508 1999 Edition 1.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 103

Appendix B SIL 2-certified ControlLogix System Components

Table 8 - SIL 2-certified ControlLogix-XT™ System Components

Cat. No. Description Related Documentation
1756-A4LXT
1756-A5XT,
1756-A7XT ControlLogix-XT chassis
1756-A7LXT 1756-IN005
1756-A10XT
1756-PAXT ControlLogix-XT power supply
1756-PBXT
CNET-IN005
1756-CN2RXT ControlLogix-XT ControlNet communication module
CNET-UM001
1756-EN2TXT Series C ControlLogix-XT EtherNet/IP communication module
ENET-IN002
ControlLogix-XT EtherNet/IP communication module for ENET-UM001
1756-EN2TRXT Series C redundant systems
1756-L63XT(1) ControlLogix-XT controller
1756-UM001
1756-L73XT ControlLogix-XT controller
1756-L73SXT GuardLogix-XT controller, 8 MB standard 1756-UM022
(1) Certified according to IEC 61508 1999 Edition 1.

IMPORTANT ControlLogix-XT modules use the same firmware as traditional ControlLogix components. When obtaining firmware
for ControlLogix-XT modules, download and use the firmware specific to each module.
For example, if you are using a 1756-EN2TXT module in your system, use SIL 2-certified firmware for the 1756-EN2T
module.
For more information about ControlLogix-XT module firmware revisions, see the firmware release notes specific to
the module. ControlLogix-XT module release notes are available at:
http://www.rockwellautomation.com/literature or http://www.rockwellautomation.com/support/.

Table 9 - FLEX™ I/O Components For Use in the SIL 2 System

Cat. No.(1) Description Related Documentation(2)
1794-ACN15 FLEX I/O ControlNet single media adapter
1794-ACNR15 FLEX I/O ControlNet redundant media adapter 1794-IN128
1794-ACNR15XT FLEX I/O-XT™ ControlNet redundant media adapter
1794-AENT FLEX I/O EtherNet/IP communication adapter 1794-IN082
1794-AENTR FLEX I/O EtherNet/IP redundant communication adapter
FLEX I/O-XT EtherNet/IP redundant communication 1794-IN131
1794-AENTRXT adapter
1794-IB16 FLEX I/O input module 1794-IN093
1794-IB16XT FLEX I/O-XT input module 1794-IN124
1794-IB10XOB6 FLEX I/O input/output module 1794-IN083
1794-IB10XOB6XT FLEX I/O-XT input/output module 1794-IN124
1794-OB16 FLEX I/O output module 1794-IN094
1794-OB16P FLEX I/O protected output module 1794-IN094
1794-OB16PXT FLEX I/O-XT protected output module 1794-IN124
1794-OB8EP FLEX I/O electronically fused output module 1794-IN094
1794-OB8EPXT FLEX I/O-XT electronically fused output module 1794-IN124
1794-OW8 FLEX I/O relay output module
1794-IN019
1794-OW8XT FLEX I/O-XT relay output module
1794-IN100
1794-IE8 FLEX I/O analog input module
1794-UM002
1794-IN038
1794-IF4I FLEX I/O isolated analog input module
1794-UM008
1794-IN129
1794-IF4IXT FLEX I/O-XT isolated analog input module 1794-UM008
1794-IN130
1794-IF4ICFXT FLEX I/O-XT isolated analog input module 1794-UM008

104 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix B SIL 2-certified ControlLogix System Components

Table 9 - FLEX™ I/O Components For Use in the SIL 2 System (Continued)
Cat. No.(1) Description Related Documentation(2)
1794-IN039
1794-IF2XOF2I FLEX I/O isolated analog input/output module
1794-UM008
1794-IN129
1794-IF2XOF2IXT FLEX I/O-XT isolated analog input/output module
1794-UM008
1794-IN100
1794-OE4 FLEX I/O analog output module 1794-UM002
1794-IN037
1794-OF4I FLEX I/O isolated analog output module 1794-UM008
1794-IN021
1794-IT8 FLEX I/O Thermocouple input module 1794-UM007
1794-IR8 FLEX I/O RTD input module 1794-IN021
1794-IR8XT FLEX I/O-XT RTD input module 1794-UM004
1794-IRT8 FLEX I/O Thermocouple/RTD input module 1794-IN050
1794-IRT8XT FLEX I/O-XT Thermocouple/RTD analog input module 1794-UM012
1794-IJ2 FLEX I/O counter module 1794-IN049
1794-IJ2XT FLEX I/O-XT counter module 1794-UM011
1794-IN064
1794-IP4 FLEX I/O counter module
1794-UM016
1794-IE4XOE2XT FLEX I/O-XT analog input/output module 1794-IN125
1794-IE8XT FLEX I/O-XT analog input module 1794-IN125
1794-OE4XT FLEX I/O-XT analog output module 1794-IN125
1794-IN129
1794-OF4IXT FLEX I/O-XT isolated analog output module
1794-UM008
1794-TB3 FLEX I/O terminal base unit
1794-TB3S FLEX I/O terminal base unit
1794-TB3T FLEX I/O temperature terminal base unit
1794-TB3TS FLEX I/O spring-clamp temperature terminal base unit
1794-IN092
1794-TB3G FLEX I/O cage-clamp generic terminal base unit
1794-TB3GS FLEX I/O spring-clamp generic terminal base unit
1794-TBN FLEX I/O NEMA terminal base unit
1794-TBNF FLEX I/O NEMA fused terminal base unit
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) These publications are available from Rockwell Automation by visiting http://www.rockwellautomation.com/literature.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 105

Appendix B SIL 2-certified ControlLogix System Components

Notes:

106 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C

PFD and PFH Calculations for a SIL 2 System

About PFD and PFH The probability of failure on demand (PFD) is the SIL value for a safety-related
Calculations system as related directly to order-of-magnitude ranges of its average
probability of failure to satisfactorily perform its safety function on demand.
IEC 61508 quantifies this classification by stating that the frequency of
demands for operation of the safety system is no greater than once per year in
the Low Demand mode.

PFD calculations are commonly used for process safety applications and
applications where emergency stop devices (ESDs) are used.

Although PFD values are associated with each of the three elements that
constitute a safety-related system (the sensors, the actuators, and the logic
element), they can be associated with each component of the logic element,
that is, each module of a programmable controller.

Probability of failure per hour (PFH) is typically used to describe safety

performance for high demand applications. Because ControlLogix® is suitable
for high demand applications up to and including 10 demands per year, PFH
values for those applications are provided.

Tables in this chapter present PFD and PFH values for ControlLogix and
ControlLogix-XT™ components that TÜV evaluates.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 107

Appendix C PFD and PFH Calculations for a SIL 2 System

Determine Which Values

To Use IMPORTANT You are responsible for determining which of the values that are
provided are appropriate for your SIL 2-certified system. Determine
which values to use based on the modules used your system and the
system configuration.

IMPORTANT If a safety-module in an existing application is replaced by a

replacement-type module, The whole safety loop must be re-calculated
with the new module's data.

Each of the PFD and PFH calculated values that are provided in this manual is
based on the configuration that the module can be used in, that is 1oo1 or 1oo2.
• Controllers only have a 1oo1 configuration, even when used in a 1756-RM
module redundancy architecture.
• You can architect communication modules in a 1oo1 or 1oo2
configuration. Use 1oo2 if the I/O module pair is split among two
separate chassis; thus a separate path to each module via a unique
communications module.
• Input or output modules have PFD values typically for use in a 1oo2
configuration. But 1oo1 values are provided in the event diversity is used
for input modules, or the output module that controls the actuator and
secondary relay are diverse.

108 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

About the Calculations in For the example calculations presented in this chapter, these values were used
This Manual as the two application-dependent variables:
• Mean time to restoration (MTTR) is ten hours.
• Mean repair time (MRT) is ten hours.
• Proof test interval (T1) is listed for each table.

Both the common cause failure rate (ß) and common cause failure rate
dangerous (ßd) values used in the calculations presented in this chapter are
5%.

Common Terms
 = failure rate = 1/MTBF
s = rate of safe failures =  x 50%
d = rate of dangerous failures =  x 50%
dd= dangerous, detected failure rate = /2 x DC
du= dangerous, undetected failure rate = /2 x (1-DC)
SFF = safe failure fraction =(s +dd)/
TCE1oo1 = channel equivalent down time = du/d x (T1/2 + MRT) + (dd/d x MTTR)
DC = diagnostic coverage
ß = common cause failure rate
ßd = common cause failure rate, dangerous
1oo1 Configuration
STR1oo1 = spurious trip rate = s + dd
PFD1oo1 = (dd + du) x TCE
PFH1oo1 = du
1oo2 Configuration
STR1oo2 = spurious trip rate = 2 x (s + dd)
TGE1oo2 = system equivalent down time = du/d x (T1/3 + MRT) + (dd/d x MTTR)
PFD1oo2= 2 x [(1-ßD) x dd + (1-ß) x du]2 x TCE x TGE + (ßD x dd x MTTR) + ß x du x (T1/2 + MRT)
PFH1oo2 = 2 x [(1-ßD) x dd + (1-ß) x du] x (1-ß) x du x TCE + ß x du

The PFD and PFH values in this manual are calculated with formulas that are
explained in IEC 61508, Part 6, Annex B. See IEC 61508, Part 6, for more
information about how to calculate PFD values for your system.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 109

Appendix C PFD and PFH Calculations for a SIL 2 System

1-Year PFD Calculations The PFD calculations in this table are calculated for a 1-year proof test interval
(8760 hours) and are specific to ControlLogix system components.
Table 10 - 1- Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 448 4.19E-08 2.21E-09 9.89E-06

B 4-slot ControlLogix-XT
1756-A4LXT 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 448 8.89E-07 4.68E-08 2.10E-04
chassis

C 5-slot ControlLogix-XT
1756-A5XT 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 448 1.29E-06 6.81E-08 3.05E-04
chassis

B 7-slot ControlLogix-XT
1756-A7LXT 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 448 3.44E-08 1.81E-09 8.11E-06
chassis

C 7-slot ControlLogix-XT
1756-A7XT 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 448 8.78E-07 4.62E-08 2.07E-04
chassis

C 18-32V DC 10 A ControlLogix 31,561,095

1756-PB72 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 448 3.01E-08 1.58E-09 7.10E-06
power supply

C 85-265V AC 10 A
1756-PA72 18,336,146 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 448 5.18E-08 2.73E-09 1.22E-05
ControlLogix power supply
85-265V AC 13 A
1756-PA75 B ControlLogix power supply 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 448 5.08E-08 2.67E-09 1.20E-05
(75 W)

A 85-265V AC 13 A redundant
1756-PA75R 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 448 6.72E-07 3.54E-08 1.59E-04
ControlLogix power supply

B 18-32V DC 13 A ControlLogix 15,675,475

1756-PB75 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 448 6.06E-08 3.19E-09 1.43E-05
power supply

A 18-32V DC 13 A redundant
1756-PB75R 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 448 5.47E-07 2.88E-08 1.29E-04
ControlLogix power supply
Not applicable
B ControlLogix-XT AC power
1756-PAXT 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 448 5.08E-08 2.67E-09 1.20E-05
supply

B ControlLogix-XT DC power
1756-PBXT 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 448 5.12E-07 2.69E-08 1.21E-04
supply

B 30-60V DC 13 A ControlLogix 5,894,836

1756-PC75 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 448 1.61E-07 8.48E-09 3.80E-05
power supply

B 90-143V DC 13 A
1756-PH75 2,119,520 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 448 4.48E-07 2.36E-08 1.06E-04
ControlLogix power supply

A Redundant power supply

1756-PSCA 45,146,727 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 448 2.10E-08 1.11E-09 4.96E-06
adapter

A Redundant power supply

1756-PSCA2 38,461,280 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 448 2.47E-08 1.30E-09 5.82E-06
adapter

A ControlNet® fiber repeater - 26,461,760

1786-RPFS 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 448 3.59E-08 1.89E-09 8.47E-06
short

A ControlNet fiber repeater -

1786-RPFM 16,697,862 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 448 5.69E-08 2.99E-09 1.34E-05
medium

A ControlNet fiber repeater -

1786-RPFRL 5,717,227 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 448 1.66E-07 8.75E-09 3.92E-05
long
1786-RPCD A ControlNet hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 448 3.32E-08 1.74E-09 7.82E-06
1786-RPA B ControlNet repeater adapter 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 448 8.03E-08 4.23E-09 1.89E-05

B ControlNet Fiber repeater -

1786-RPFRXL 11,373,440 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 448 8.35E-08 4.40E-09 1.97E-05
extra long

110 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 10 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1756-L61(7) B ControlLogix controller, 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 448 9.50E-07 5.00E-08 2.24E-04
1756-L62(7) B ControlLogix controller, 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 448 9.18E-07 4.83E-08 2.16E-04
1756-L63(7) B ControlLogix controller, 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 448 9.00E-07 4.74E-08 2.12E-04

B ControlLogix-XT controller,
1756-L63XT(7) 8 MB 357760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 448 2.66E-06 1.40E-07 6.26E-04

1756-L71(8) B ControlLogix controller, 2 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
1756-L72(8) B ControlLogix controller, 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
1756-L73(8) B ControlLogix controller, 8 MB
Calculated
2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
MTBF and
B ControlLogix-XT controller,
1756-L73XT(8) 8 MB PFD via 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
FMEA
B ControlLogix controller,
1756-L74(8) 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B ControlLogix controller, Not applicable

1756-L75(7) 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B GuardLogix® controller, 2 MB 1,000,053

1756-L61S(7) standard 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 448 9.50E-07 5.00E-08 2.24E-04

B GuardLogix controller, 4 MB
1756-L62S(7) standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 448 9.18E-07 4.83E-08 2.16E-04

B GuardLogix controller, 8 MB 1,055,910

1756-L63S(7) standard 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 448 9.00E-07 4.74E-08 2.12E-04

B GuardLogix controller, 2 B
1756-L71S(8) standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B GuardLogix controller, 4 MB Calculated

1756-L72S(8) standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
MTBF and
controller, 8 MB PFD via
1756-L73S(8) B GuardLogix FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
standard

B GuardLogix-XT™ controller,
1756-L73SXT(8) 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 448 5.32E-07 2.80E-08 1.25E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant communication 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 448 3.64E-07 1.92E-08 8.59E-05
module

B ControlLogix ControlNet
1756-CN2 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 448 8.67E-07 4.56E-08 2.04E-04
communication module
Calculated
C ControlLogix ControlNet MTBF and
1756-CN2(8) communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
FMEA
ControlLogix ControlNet
1756-CN2R B redundant communication 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 448 8.67E-07 4.56E-08 2.04E-04 Not applicable
module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
module FMEA
ControlLogix-XT ControlNet
1756-CN2RXT B redundant communication 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 448 4.80E-07 2.53E-08 1.13E-04
module
Calculated
ControlLogix-XT ControlNet MTBF and
1756-CN2RXT(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
module FMEA
ControlLogix Data Highway
1756-DHRIO(9) E Plus™ remote I/O module 2,503,396 2.90E-07 5.79E-07

ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 2.90E-07 5.79E-07
module Non-interference only Not applicable Not applicable
D ControlLogix
(9) DeviceNet®
1756-DNB 2,192,202 3.31E-07 6.61E-07
communication module

A ControlLogix EtherNet/IP™
1756-ENBT(9) communication module 2,088,198 3.47E-07 6.94E-07

C ControlLogix EtherNet/IP™
1756-EN2T 1,312,712 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 448 7.24E-07 3.81E-08 1.71E-04
communication module

D ControlLogix EtherNet/IP
1756-EN2T(9) communication module 269,774 Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module with 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 448 2.59E-07 1.36E-08 6.11E-05
fault tolerance

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 111

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 10 - 1- Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module with Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04 3.82E-06 258.2 1.36E-09 6.11E-06
fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module with FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04 3.82E-06 258.2 1.36E-09 6.11E-06
fault tolerance

C ControlLogix-XT EtherNet/IP 1,300,000

1756-EN2TXT 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 448 7.31E-07 3.85E-08 1.72E-04 Not applicable
communication module

D ControlLogix-XT EtherNet/IP 269,774

1756-EN2TXT(9) communication module 3.71E-06

ControlLogix EtherNet/IP
1756-EN3TR(9) B communication module with 269,774 3.71E-06
fault tolerance

B ControlLogix redundancy
1756-RM(9) module 1,373,840 7.28E-07
Not applicable
A ControlLogix enhanced Non-interference only
1756-RM2(9) redundancy module 250,182 4.00E-06

A ControlLogix-XT enhanced
1756-RM2XT(9) redundancy module 250,182 4.00E-06

ControlLogix-XT redundancy
1756-RMXT(9) B module 980,096 1.02E-06

A ControlLogix SynchLink™
1756-SYNCH(9) Module 6,932,640 1.05E-07 Not applicable 2.09E-07 Not applicable

A ControlLogix isolated V AC
1756-IA16I 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 1762 3.85E-08 9.61E-09 4.24E-05 7.69E-08 1178 4.81E-10 2.12E-06
input module

A ControlLogix diagnostic
1756-IA8D 15,966,080 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 1762 5.01E-08 1.25E-08 5.52E-05 1.00E-07 1178 6.28E-10 2.76E-06
V AC input module

A ControlLogix diagnostic
1756-IB16D 30,228,640 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 1762 2.65E-08 6.62E-09 2.91E-05 5.29E-08 1178 3.31E-10 1.46E-06
V DC input module

A ControlLogix isolated V DC
1756-IB16I 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 1762 9.82E-09 2.46E-09 1.08E-05 1.96E-08 1178 1.23E-10 5.41E-07
input module
ControlLogix isolated V DC
1756-IB16ISOE A Sequence Of Events input 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 1762 6.93E-08 1.73E-08 7.64E-05 1.39E-07 1178 8.69E-10 3.82E-06
module

B ControlLogix V DC input
1756-IB32 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 1762 7.65E-08 1.91E-08 8.42E-05 1.53E-07 1178 9.59E-10 4.22E-06
module

A ControlLogix analog input

1756-IF8 8,699,254 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 1762 9.20E-08 2.30E-08 1.01E-04 1.84E-07 1178 1.15E-09 5.08E-06
module

A ControlLogix isolated analog 2,337,541

1756-IF8I(8) input module 4.28E-07 2.14E-07 77% 9.81E-08 1.16E-07 2019 3.30E-07 9.81E-08 4.32E-04 6.59E-07 1349 2.04E-09 8.88E-06

Calculated
B ControlLogix isolated analog MTBF and
1756-IF8I(8) input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 1897 4.58E-07 1.26E-07 5.56E-04 9.15E-07 1268 2.65E-09 1.15E-05
FMEA

A ControlLogix HART analog

1756-IF8H 1,291,978 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 1762 6.19E-07 1.55E-07 6.82E-04 1.24E-06 1178 7.93E-09 3.47E-05
input module

A ControlLogix analog input

1756-IF16 4,592,506 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 1762 1.74E-07 4.35E-08 1.92E-04 3.48E-07 1178 2.19E-09 9.64E-06
module

A ControlLogix HART analog

1756-IF16H 442,914 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 1762 1.81E-06 4.52E-07 1.99E-03 3.61E-06 1178 2.42E-08 1.04E-04
input module

A ControlLogix isolated analog 2,654,080

1756-IF6CIS 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 1762 3.01E-07 7.54E-08 3.32E-04 6.03E-07 1178 3.81E-09 1.67E-05
input module

A ControlLogix isolated analog 4,176,185

1756-IF6I 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 1762 1.92E-07 4.79E-08 2.11E-04 3.83E-07 1178 2.41E-09 1.06E-05
input module

A ControlLogix V DC Sequence 2,150,720

1756-IH16ISOE 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 1762 3.72E-07 9.30E-08 4.10E-04 7.44E-07 1178 4.72E-09 2.07E-05
Of Events input module

A ControlLogix isolated RTD

1756-IR6I 4,268,525 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 1762 3.75E-07 1178 2.36E-09 1.04E-05
input module

A ControlLogix isolated RTD /

1756-IRT8I(8) thermocouple input module 1,896,813 5.27E-07 2.64E-07 76% 1.27E-07 1.36E-07 2127 8.00E-07 1421 2.69E-09 1.16E-05

Calculated
B ControlLogix isolated RTD / MTBF and
1756-IRT8I(8) thermocouple input module PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 1783 Not allowed for 1oo1 9.75E-07 1192 2.61E-09 1.13E-05
configurations
FMEA

A ControlLogix isolated
1756-IT6I thermocouple input module 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 1762 4.04E-07 1178 2.55E-09 1.12E-05

ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 1762 5.88E-07 1178 3.72E-09 1.63E-05
input module

A ControlLogix V AC output
1756-OA16I 32,891,456 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 1762 2.43E-08 6.08E-09 2.68E-05 4.86E-08 1178 3.04E-10 1.34E-06
module

A ControlLogix V AC
1756-OA8D 11,311,040 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 1762 7.07E-08 1.77E-08 7.79E-05 1.41E-07 1178 8.87E-10 3.90E-06
diagnostic output module

112 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 10 - 1- Year PFD Calculations (Continued)

Series
STR STR
(SFF) %

A ControlLogix V DC
1756-OB16D 8,884,374 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 1762 9.00E-08 2.25E-08 9.92E-05 1.80E-07 1178 1.13E-09 4.97E-06
diagnostic output module
ControlLogix V DC
1756-OB16E A electronically fused output 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 1762 5.33E-08 1.33E-08 5.87E-05 1.07E-07 1178 6.68E-10 2.94E-06
module

A ControlLogix V DC isolated
1756-OB16I 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 1762 1.08E-07 2.71E-08 1.19E-04 2.17E-07 1178 1.36E-09 5.98E-06
output module

A ControlLogix V DC output
1756-OB32 2,681,316 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 1762 2.98E-07 7.46E-08 3.29E-04 5.97E-07 1178 3.77E-09 1.66E-05
module
ControlLogix V DC isolated
1756-OB8EI A electronic ally fused output 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 1762 5.71E-08 1.43E-08 6.28E-05 1.14E-07 1178 7.15E-10 3.15E-06
module

A ControlLogix isolated relay

1756-OX8I 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 1762 1.32E-07 3.30E-08 1.45E-04 2.64E-07 1178 1.66E-09 7.29E-06
output module

A ControlLogix isolated relay

1756-OW16I 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 1762 5.84E-08 1.46E-08 6.43E-05 1.17E-07 1178 7.32E-10 3.22E-06
output module

A ControlLogix analog output

1756-OF8 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 1762 7.53E-08 1.88E-08 8.29E-05 1.51E-07 1178 9.44E-10 4.15E-06
module

A ControlLogix isolated analog 2,213,369

1756-OF8I(8) output module 4.52E-07 2.26E-07 76% 1.08E-07 1.18E-07 2106 3.44E-07 1.08E-07 4.76E-04 6.87E-07 1407 2.26E-09 9.80E-06

Calculated
B ControlLogix isolated analog MTBF and
1756-OF8I(8) output module PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 1982 4.71E-07 1.37E-07 6.03E-04 9.42E-07 1325 2.90E-09 1.25E-05
FMEA

A ControlLogix isolated analog 21,604,960

1756-OF6VI 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 1762 3.70E-08 9.26E-09 4.08E-05 7.41E-08 1178 4.64E-10 2.04E-06
output module

A ControlLogix isolated analog 8,354,667

1756-OF6CI 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 1762 9.58E-08 2.39E-08 1.05E-04 1.92E-07 1178 1.20E-09 5.29E-06
output module

A ControlLogix HART analog

1756-OF8H 5,118,187 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 1762 1.56E-07 3.91E-08 1.72E-04 3.13E-07 1178 1.97E-09 8.64E-06
output module

D FLEX™ I/O ControlNet

1794-ACN15 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
adapter

D FLEX I/O ControlNet

1794-ACNR15 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
redundant adapter

D FLEX I/O-XT™ ControlNet

1794-ACNR15XT 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
adapter Not allowed for 1oo1
configurations
B FLEX I/O EtherNet/IP
1794-AENT 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 1762 8.99E-07 1178 5.72E-09 2.50E-05
adapter

A FLEX I/O EtherNet/IP

1794-AENTR 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 1762 1.26E-06 1178 8.08E-09 3.53E-05
adapter, Ring media

A FLEX I/O EtherNet/IP

1794-AENTRXT 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 1762 1.26E-06 1178 8.08E-09 3.53E-05
adapter, Ring media

A FLEX I/O 24V DC input

1794-IB16 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 1762 8.91E-09 1178 5.57E-11 2.45E-07
module

A FLEX I/O-XT™
1794-IB16XT 35,587,189 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 1762 4.50E-08 1178 2.81E-10 1.24E-06
24V DC input module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 1762 2.89E-08 1178 1.81E-10 7.96E-07
1794-IJ2XT A FLEX I/O-XT counter module 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 1762 Not allowed for 1oo1 1.37E-07 1178 8.56E-10 3.77E-06
configurations
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 1762 7.26E-08 1178 4.55E-10 2.00E-06

A FLEX I/O 24V DC

1794-IB10XOB6 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
input/output module

A FLEX I/O-XT
1794-IB10XOB6XT 24V DC input/output module 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 1762 7.21E-08 1178 4.51E-10 1.99E-06

FLEX I/O 24V DC

1794-OB8EP A electronically fused output 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused output 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 1762 1.08E-07 1178 6.78E-10 2.99E-06
module

A FLEX I/O 24V DC output

1794-OB16 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 1762 2.95E-08 1178 1.84E-10 8.11E-07
module
Not allowed for 1oo1
A FLEX I/O 24V DC protected
1794-OB16P 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 configurations 1.60E-08 1178 1.00E-10 4.41E-07
output module
FLEX I/O-XT
1794-OB16PXT A 24V DC protected output 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 1762 5.99E-08 1178 3.75E-10 1.65E-06
module

A FLEX I/O isolated relay

1794-OW8 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 1762 5.50E-08 1178 3.44E-10 1.52E-06
output module

A FLEX I/O-XT isolated relay

1794-OW8XT 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 1762 8.64E-08 1178 5.41E-10 2.38E-06
output module

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 113

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 10 - 1- Year PFD Calculations (Continued)

Series
STR STR
(SFF) %

B FLEX I/O analog input

1794-IE8 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 1762 8.46E-08 1178 5.30E-10 2.33E-06
module

B FLEX I/O-XT analog input

1794-IE8XT 14,041,000 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 1762 1.14E-07 1178 7.14E-10 3.14E-06
module

A FLEX I/O isolated analog

1794-IF4I 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 1762 1.62E-07 1178 1.01E-09 4.47E-06
input module

A FLEX I/O-XT isolated analog 7,297,140

1794-IF4IXT 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 1762 2.19E-07 1178 1.38E-09 6.05E-06
input module

A FLEX I/O-XT isolated analog 7,297,140

1794-IF4ICFXT 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 1762 2.19E-07 1178 1.38E-09 6.05E-06
input module

A Flex, 8 Isolated HART Analog 926,808

1794-IF8IHNFXT 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 1762 1.73E-06 1178 1.12E-08 4.86E-05
Input, extended env
1794-IR8 A FLEX I/O RTD input module 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 1762 3.19E-07 1178 2.01E-09 8.82E-06
Not allowed for 1oo1
A FLEX I/O-XT RTD input configurations
1794-IR8XT 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 1762 1.67E-07 1178 1.05E-09 4.61E-06
module

B FLEX I/O RTD/Thermocouple 1,407,269

1794-IRT8 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 1762 1.14E-06 1178 7.27E-09 3.18E-05
input module

B FLEX I/O-XT RTD/

1794-IRT8XT Thermocouple input module 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 1762 1.95E-07 1178 1.22E-09 5.38E-06

A FLEX I/O Thermocouple

1794-IT8 2,097,509 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 1762 7.63E-07 1178 4.84E-09 2.12E-05
input module

A FLEX I/O isolated analog

1794-IF2XOF2I 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 1762 1.89E-07 1178 1.19E-09 5.22E-06
input/output module

A FLEX I/O-XT isolated analog 6,317,918

1794-IF2XOF2IXT 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 1762 2.53E-07 1178 1.59E-09 7.00E-06
input/output module

B FLEX I/O-XT analog

1794-IE4XOE2XT 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 1762 1.36E-07 1178 8.50E-10 3.74E-06
input/output module

B FLEX I/O analog output

1794-OE4 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 1762 8.68E-08 1178 5.43E-10 2.39E-06
module

B FLEX I/O-XT analog output

1794-OE4XT 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 1762 1.41E-07 1178 8.81E-10 3.88E-06
module Not allowed for 1oo1
configurations
A FLEX I/O analog output
1794-OF4I 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 1762 6.70E-08 1178 4.19E-10 1.85E-06
module

A FLEX I/O-XT analog output

1794-OF4IXT 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 1762 2.91E-07 1178 1.83E-09 8.05E-06
module
1794-TB3 A FLEX I/O terminal base unit 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 1762 6.40E-09 1178 4.00E-11 1.76E-07

A FLEX I/O cage-clamp

1794-TB3G 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
generic terminal base unit

A FLEX I/O spring-clamp

1794-TB3GS 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
generic terminal base unit
1794-TB3S A FLEX I/O terminal base unit 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07

A FLEX I/O temperature Not allowed for 1oo1

1794-TB3T 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
terminal base unit configurations
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal base 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 1762 3.06E-08 1178 1.91E-10 8.42E-07
unit

A FLEX I/O NEMA terminal

1794-TBN 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
base unit

A FLEX I/O NEMA fused

1794-TBNF 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
terminal base unit
1492-TIFM40F-F24A-2(9) A DC input termination board 7,779,000 1.03E-07 7.90E-08

A Analog input termination

1492-TAIFM16-F-3(9) board 11,362,000 Non-interference only 7.04E-08 Not applicable 1.03E-07 Not applicable

1492-TIFM4OF-24-2(9) A DC output termination board 10,127,000 7.90E-08 7.04E-08

(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For more information on which
products have conformal coating go to http://ab.com.rockwellautomation.com/.
(2) MTBF measured in hours unless calculated (as noted). Field return values – January 2012.
(3) Calculations performed on a per module basis.
(4)  = Failure Rate = 1/MTBF.
(5) Demand rate must be less than 10 per year.
(6) Average of 1756-A4, -A7, -A10, -A13, and -A17 chassis.
(7) Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1.
(8) Calculated MTBF and PFD by FMEA to 61508-2010.
(9) SIL 2-rated for non-interference in the chassis. Data not required within a safety function.

114 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

2-Year PFD Calculations The PFD calculations in this table are calculated for a 2-year proof test interval
(17,520 hours) and are specific to ControlLogix system components.
Table 11 - 2-Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 886 4.19E-08 2.21E-09 1.96E-05
4-slot ControlLogix-XT
1756-A4LXT B 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 886 8.89E-07 4.68E-08 4.14E-04
chassis
5-slot ControlLogix-XT
1756-A5XT C 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 886 1.29E-06 6.81E-08 6.03E-04
chassis
7-slot ControlLogix-XT
1756-A7LXT B 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 886 3.44E-08 1.81E-09 1.60E-05
chassis
7-slot ControlLogix-XT
1756-A7XT C 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 886 8.78E-07 4.62E-08 4.10E-04
chassis
18-32V DC 10 A ControlLogix
1756-PB72 C 31,561,095 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 886 3.01E-08 1.58E-09 1.40E-05
power supply
85-265V AC 10 A ControlLogix 18,336,146
1756-PA72 C 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 886 5.18E-08 2.73E-09 2.42E-05
power supply
85-265V AC 13 A ControlLogix 18,693,044
1756-PA75 B 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 886 5.08E-08 2.67E-09 2.37E-05
power supply (75 W)
85-265V AC 13 A Redundant
1756-PA75R A 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 886 6.72E-07 3.54E-08 3.14E-04
ControlLogix power supply
18-32V DC 13 A ControlLogix
1756-PB75 B 15,675,475 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 886 6.06E-08 3.19E-09 2.83E-05
power supply
18-32V DC 13 A Redundant
1756-PB75R A 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 886 5.47E-07 2.88E-08 2.55E-04
ControlLogix power supply
ControlLogix-XT AC power Not applicable
1756-PAXT B 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 886 5.08E-08 2.67E-09 2.37E-05
supply
ControlLogix-XT DC power
1756-PBXT B 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 886 5.12E-07 2.69E-08 2.39E-04
supply
30-60V DC 13 A ControlLogix 5,894,836
1756-PC75 B 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 886 1.61E-07 8.48E-09 7.52E-05
power supply
90-143V DC 13 A ControlLogix 2,119,520
1756-PH75 B 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 886 4.48E-07 2.36E-08 2.09E-04
power supply
Redundant power supply
1756-PSCA A 45,146,727 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 886 2.10E-08 1.11E-09 9.81E-06
adapter
Redundant power supply
1756-PSCA2 A 38,461,280 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 886 2.47E-08 1.30E-09 1.15E-05
adapter
ControlNet Fiber repeater -
1786-RPFS A 26,461,760 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 886 3.59E-08 1.89E-09 1.67E-05
short
ControlNet Fiber repeater -
1786-RPFM A 16,697,862 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 886 5.69E-08 2.99E-09 2.65E-05
medium
ControlNet Fiber repeater -
1786-RPFRL A 5,717,227 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 886 1.66E-07 8.75E-09 7.75E-05
long
1786-RPCD A ControlNet Hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 886 3.32E-08 1.74E-09 1.55E-05
1786-RPA B ControlNet repeater adapter 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 886 8.03E-08 4.23E-09 3.75E-05
ControlNet Fiber repeater -
1786-RPFRXL B 11,373,440 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 886 8.35E-08 4.40E-09 3.90E-05
extra long

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 115

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 11 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1756-L61(7) B ControlLogix controller, 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 886 9.50E-07 5.00E-08 4.43E-04
(7) B ControlLogix controller, 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 886 9.18E-07 4.83E-08 4.28E-04
1756-L62
1756-L63(7) B ControlLogix controller, 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 886 9.00E-07 4.74E-08 4.20E-04
ControlLogix-XT controller,
1756-L63XT(7) B 8 MB 357,760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 886 2.66E-06 1.40E-07 1.24E-03

1756-L71(8) B ControlLogix controller, 2 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
1756-L72(8) B ControlLogix controller, 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
1756-L73(8) B ControlLogix controller, 8 MB Calculated 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
MTBF and
ControlLogix-XT controller, PFD via
1756-L73XT(8) B 8 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
FMEA
1756-L74(8) B ControlLogix controller, 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
ControlLogix controller,
1756-L75(8) B 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04 Not applicable

GuardLogix controller, 2 MB
1756-L61S(7) B standard 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 886 9.50E-07 5.00E-08 4.43E-04

GuardLogix controller, 4 MB
1756-L62S(7) B standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 886 9.18E-07 4.83E-08 4.28E-04

GuardLogix controller, 8 MB
1756-L63S(7) B standard 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 886 9.00E-07 4.74E-08 4.20E-04

GuardLogix controller, 2 MB
1756-L71S(8) B standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

GuardLogix controller, 4 MB Calculated

1756-L72S(8) B standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
MTBF and
GuardLogix controller, PFD via
1756-L73S(8) B 8 MB standard FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

GuardLogix-XT controller,
1756-L73SXT(8) B 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 886 5.32E-07 2.80E-08 2.48E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant communication 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 886 3.64E-07 1.92E-08 1.70E-04
module
ControlLogix ControlNet
1756-CN2 B 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 886 8.67E-07 4.56E-08 4.04E-04
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2(8) C communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
FMEA
ControlLogix ControlNet
1756-CN2R B redundant communication 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 886 8.67E-07 4.56E-08 4.04E-04 Not applicable
module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
module FMEA
ControlLogix-XT ControlNet
1756-CN2RXT B redundant communication 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 886 4.80E-07 2.53E-08 2.24E-04
module
Calculated
ControlLogix-XT ControlNet MTBF and
1756-CN2RXT(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
module FMEA
ControlLogix Data Highway
1756-DHRIO(9) E Plus remote I/O module 2,503,396 3.79E-07 7.59E-07

ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 3.79E-07 7.59E-07
module Non-interference only Not applicable Not applicable
ControlLogix DeviceNet
1756-DNB(9) D communication module 2,192,202 4.33E-07 8.67E-07

ControlLogix EtherNet/IP
1756-ENBT(9) A communication module 2,088,198 4.55E-07 9.10E-07

ControlLogix EtherNet/IP
1756-EN2T C 1,312,712 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 886 7.24E-07 3.81E-08 3.37E-04
communication module
ControlLogix EtherNet/IP
1756-EN2T(9) D communication module 269,774 Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module with 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 886 2.59E-07 1.36E-08 1.21E-04
fault tolerance

116 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 11 - 2-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module with Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04 3.82E-06 401.50 1.40E-09 1.22E-05
fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module with FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04 3.82E-06 401.50 1.40E-09 1.22E-05
fault tolerance
ControlLogix-XT EtherNet/IP 1,300,000
1756-EN2TXT C 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 886 7.31E-07 3.85E-08 3.41E-04 Not applicable
communication module
ControlLogix-XT EtherNet/IP 269,774
1756-EN2TXT(9) D communication module 3.71E-06

ControlLogix EtherNet/IP
1756-EN3TR(9) B communication module with 269,774 3.71E-06
fault tolerance
ControlLogix redundancy
1756-RM(9) B module 1,373,840 6.91E-07
Not applicable
ControlLogix enhanced Non-interference only
1756-RM2(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT enhanced
1756-RM2XT(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT redundancy
1756-RMXT(9) B module 980,096 9.69E-07

ControlLogix SynchLink
1756-SYNCH(9) A Module 6,932,640 1.37E-07 Not applicable 2.74E-07 Not applicable

ControlLogix isolated V AC
1756-IA16I A 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 3514 3.85E-08 9.61E-09 8.45E-05 7.69E-08 2346 4.82E-10 4.23E-06
input module
ControlLogix diagnostic V AC 15,966,080
1756-IA8D A 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 3514 5.01E-08 1.25E-08 1.10E-04 1.00E-07 2346 6.29E-10 5.52E-06
input module
ControlLogix diagnostic V DC 30,228,640
1756-IB16D A 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 3514 2.65E-08 6.62E-09 5.81E-05 5.29E-08 2346 3.32E-10 2.91E-06
input module
ControlLogix isolated V DC
1756-IB16I A 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 3514 9.82E-09 2.46E-09 2.16E-05 1.96E-08 2346 1.23E-10 1.08E-06
input module
ControlLogix isolated V DC
1756-IB16ISOE A Sequence Of Events input 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 3514 6.93E-08 1.73E-08 1.52E-04 1.39E-07 2346 8.71E-10 7.64E-06
module
ControlLogix V DC input
1756-IB32 B 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 3514 7.65E-08 1.91E-08 1.68E-04 1.53E-07 2346 9.62E-10 8.43E-06
module
ControlLogix analog input
1756-IF8 A 8,699,254 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 3514 9.20E-08 2.30E-08 2.02E-04 1.84E-07 2346 1.16E-09 1.01E-05
module
ControlLogix isolated analog 2,337,541
1756-IF8I(8) A input module 4.28E-07 2.139E-07 77% 9.81E-08 1.16E-07 4028 3.3E-07 9.81E-08 8.61E-04 6.59E-07 2688 2.12E-09 1.82E-05

Calculated
ControlLogix isolated analog MTBF and
1756-IF8I(8) B input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 3784 4.58E-07 1.26E-07 1.11E-03 9.15E-07 2526 2.79E-09 2.37E-05
FMEA
ControlLogix HART analog
1756-IF8H A 1,291,978 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 3514 6.19E-07 1.55E-07 1.36E-03 1.24E-06 2346 8.12E-09 7.02E-05
input module
ControlLogix analog input
1756-IF16 A 4,592,506 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 3514 1.74E-07 4.35E-08 3.83E-04 3.48E-07 2346 2.21E-09 1.93E-05
module
ControlLogix HART analog
1756-IF16H A 442,914 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 3514 1.81E-06 4.52E-07 3.97E-03 3.61E-06 2346 2.58E-08 2.17E-04
input module
ControlLogix isolated analog 2,654,080
1756-IF6CIS A 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 3514 3.01E-07 7.54E-08 6.62E-04 6.03E-07 2346 3.86E-09 3.36E-05
input module
ControlLogix isolated analog 4,176,185
1756-IF6I A 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 3514 1.92E-07 4.79E-08 4.21E-04 3.83E-07 2346 2.43E-09 2.12E-05
input module
ControlLogix V DC Sequence 2,150,720
1756-IH16ISOE A 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 3514 3.72E-07 9.30E-08 8.17E-04 7.44E-07 2346 4.79E-09 4.17E-05
Of Events input module
ControlLogix isolated RTD
1756-IR6I A 4,268,525 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 3514 3.75E-07 2346 2.38E-09 2.08E-05
input module
ControlLogix isolated RTD /
1756-IRT8I(8) A thermocouple input module 1,896,813 5.272E-07 2.636E-07 76% 1.27E-07 1.36E-07 4244 8.00E-07 2833 2.82E-09 2.40E-05

Calculated
ControlLogix isolated RTD / MTBF and
1756-IRT8I(8) B thermocouple input module PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 3556 Not allowed for 1oo1 9.75E-07 2374 2.74E-09 2.33E-05
configurations
FMEA
ControlLogix isolated
1756-IT6I A 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 3514 4.04E-07 2346 2.57E-09 2.24E-05
thermocouple input module
ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 3514 5.88E-07 2346 3.76E-09 3.28E-05
input module
ControlLogix V AC output
1756-OA16I A 32,891,456 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 3514 2.43E-08 6.08E-09 5.34E-05 4.86E-08 2346 3.05E-10 2.67E-06
module
ControlLogix V AC diagnostic 11,311,040
1756-OA8D A 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 3514 7.07E-08 1.77E-08 1.55E-04 1.41E-07 2346 8.89E-10 7.80E-06
output module

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 117

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 11 - 2-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix V DC diagnostic 8,884,374
1756-OB16D A 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 3514 9.00E-08 2.25E-08 1.98E-04 1.80E-07 2346 1.13E-09 9.94E-06
output module
ControlLogix V DC
1756-OB16E A electronically fused output 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 3514 5.33E-08 1.33E-08 1.17E-04 1.07E-07 2346 6.70E-10 5.87E-06
module
ControlLogix V DC isolated
1756-OB16I A 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 3514 1.08E-07 2.71E-08 2.38E-04 2.17E-07 2346 1.37E-09 1.20E-05
output module
ControlLogix V DC output
1756-OB32 A 2,681,316 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 3514 2.98E-07 7.46E-08 6.55E-04 5.97E-07 2346 3.82E-09 3.33E-
module 05
ControlLogix V DC isolated
1756-OB8EI A electronic ally fused output 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 3514 5.71E-08 1.43E-08 1.25E-04 1.14E-07 2346 7.17E-10 6.29E-06
module
ControlLogix isolated relay
1756-OX8I A 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 3514 1.32E-07 3.30E-08 2.90E-04 2.64E-07 2346 1.67E-09 1.46E-05
output module
ControlLogix isolated relay
1756-OW16I A 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 3514 5.84E-08 1.46E-08 1.28E-04 1.17E-07 2346 7.34E-10 6.43E-06
output module
ControlLogix analog output
1756-OF8 A 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 3514 7.53E-08 1.88E-08 1.65E-04 1.51E-07 2346 9.46E-10 8.30E-06
module
ControlLogix isolated analog 2,213,369
1756-OF8I(8) A output module 4.52E-07 2.259E-07 76% 1.08E-07 1.18E-07 4202 3.44E-07 1.08E-07 9.49E-04 6.87E-07 2805 2.36E-09 2.01E-05

Calculated
ControlLogix isolated analog MTBF and
1756-OF8I(8) B output module PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 3954 4.71E-07 1.37E-07 1.2E-03 9.42E-07 2639 3.06E-09 2.59E-05
FMEA
ControlLogix isolated analog 21,604,960
1756-OF6VI A 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 3514 3.70E-08 9.26E-09 8.13E-05 7.41E-08 2346 4.64E-10 4.07E-06
output module
ControlLogix isolated analog 8,354,667
1756-OF6CI A 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 3514 9.58E-08 2.39E-08 2.10E-04 1.92E-07 2346 1.21E-09 1.06E-05
output module
ControlLogix HART analog
1756-OF8H A 5,118,187 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 3514 1.56E-07 3.91E-08 3.43E-04 3.13E-07 2346 1.98E-09 1.73E-05
output module
1794-ACN15 D FLEX I/O ControlNet adapter 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
FLEX I/O ControlNet
1794-ACNR15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
redundant adapter
FLEX I/O-XT ControlNet
1794-ACNR15XT D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
adapter Not allowed for 1oo1
1794-AENT B FLEX I/O EtherNet/IP adapter 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 3514 configurations 8.99E-07 2346 5.82E-09 5.05E-05
FLEX I/O EtherNet/IP
1794-AENTR A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 3514 1.26E-06 2346 8.28E-09 7.16E-05
adapter, Ring media
FLEX I/O EtherNet/IP
1794-AENTRXT A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 3514 1.26E-06 2346 8.28E-09 7.16E-05
adapter, Ring media
FLEX I/O 24V DC input
1794-IB16 A 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 3514 8.91E-09 2346 5.57E-11 4.90E-07
module
FLEX I/O-XT 24V DC input
1794-IB16XT A 35,587,189 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 3514 4.50E-08 2346 2.82E-10 2.47E-06
module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 3514 2.89E-08 2346 1.81E-10 1.59E-06
1794-IJ2XT A FLEX I/O-XT counter module 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 3514 Not allowed for 1oo1 1.37E-07 2346 8.58E-10 7.53E-06
configurations
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 3514 7.26E-08 2346 4.55E-10 4.00E-06
FLEX I/O 24V DC
1794-IB10XOB6 A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
input/output module
FLEX I/O-XT 24V DC
1794-IB10XOB6XT A 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 3514 7.21E-08 2346 4.52E-10 3.96E-06
input/output module
FLEX I/O 24V DC
1794-OB8EP A electronically fused output 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused output 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 3514 1.08E-07 2346 6.80E-10 5.96E-06
module
FLEX I/O 24V DC output
1794-OB16 A 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 3514 2.95E-08 2346 1.84E-10 1.62E-06
module
Not allowed for 1oo1
FLEX I/O 24V DC protected configurations
1794-OB16P A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
output module
FLEX I/O-XT 24V DC
1794-OB16PXT A 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 3514 5.99E-08 2346 3.75E-10 3.29E-06
protected output module
FLEX I/O isolated relay
1794-OW8 A 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 3514 5.50E-08 2346 3.45E-10 3.02E-06
output module
FLEX I/O-XT isolated relay
1794-OW8XT A 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 3514 8.64E-08 2346 5.42E-10 4.75E-06
output module

118 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 11 - 2-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
1794-IE8 B FLEX I/O analog input module 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 3514 8.46E-08 2346 5.30E-10 4.65E-06
FLEX I/O-XT analog input
1794-IE8XT B 14,041,000 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 3514 1.14E-07 2346 7.15E-10 6.28E-06
module
FLEX I/O isolated analog
1794-IF4I A 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 3514 1.62E-07 2346 1.02E-09 8.92E-06
input module
FLEX I/O-XT isolated analog
1794-IF4IXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 3514 2.19E-07 2346 1.38E-09 1.21E-05
input module
FLEX I/O-XT isolated analog
1794-IF4ICFXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 3514 2.19E-07 2346 1.38E-09 1.21E-05
input module
Flex, 8 Isolated HART Analog 926,808
1794-IF8IHNFXT A 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 3514 1.73E-06 2346 1.15E-08 9.91E-05
Input, extended env
1794-IR8 A FLEX I/O RTD input module 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 3514 3.19E-07 2346 2.02E-09 1.77E-05
FLEX I/O-XT RTD input Not allowed for 1oo1
1794-IR8XT A 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 3514 configurations 1.67E-07 2346 1.05E-09 9.20E-06
module
FLEX I/O RTD/Thermocouple 1,407,269
1794-IRT8 B 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 3514 1.14E-06 2346 7.43E-09 6.43E-05
input module
FLEX I/O-XT RTD/
1794-IRT8XT B Thermocouple input module 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 3514 1.95E-07 2346 1.23E-09 1.08E-05

FLEX I/O Thermocouple input 2,097,509

1794-IT8 A 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 3514 7.63E-07 2346 4.91E-09 4.27E-05
module
FLEX I/O isolated analog
1794-IF2XOF2I A 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 3514 1.89E-07 2346 1.19E-09 1.04E-05
input/output module
FLEX I/O-XT isolated analog
1794-IF2XOF2IXT A 6,317,918 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 3514 2.53E-07 2346 1.60E-09 1.40E-05
input/output module
FLEX I/O-XT analog
1794-IE4XOE2XT B 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 3514 1.36E-07 2346 8.52E-10 7.47E-06
input/output module
FLEX I/O analog output
1794-OE4 B 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 3514 8.68E-08 2346 5.44E-10 4.78E-06
module
FLEX I/O-XT analog output
1794-OE4XT B 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 3514 1.41E-07 2346 8.83E-10 7.75E-06
module Not allowed for 1oo1
FLEX I/O analog output configurations
1794-OF4I A 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 3514 6.70E-08 2346 4.20E-10 3.68E-06
module
FLEX I/O-XT analog output
1794-OF4IXT A 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 3514 2.91E-07 2346 1.84E-09 1.61E-05
module
1794-TB3 A FLEX I/O terminal base unit 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 3514 6.40E-09 2346 4.00E-11 3.51E-07
FLEX I/O cage-clamp generic 100,000,000 1.00E-08
1794-TB3G A 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit
FLEX I/O spring-clamp
1794-TB3GS A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
generic terminal base unit
1794-TB3S A FLEX I/O terminal base unit 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
FLEX I/O temperature Not allowed for 1oo1
1794-TB3T A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit configurations
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal base 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 3514 3.06E-08 2346 1.91E-10 1.68E-06
unit
FLEX I/O NEMA terminal base 100,000,000 1.00E-08
1794-TBN A 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
unit
FLEX I/O NEMA fused
1794-TBNF A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit
1492-TIFM40F-F24A-2(9) A DC Input Termination Board 7,779,000 1.03E-07 1.03E-07
Analog Input Termination
1492-TAIFM16-F-3(9) A Board 11,362,000 Non-interference only 7.04E-08 Not applicable 7.04E-08 Not applicable

1492-TIFM4OF-24-2(9) A DC Output Termination Board 10,127,000 7.90E-08 7.90E-08

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 119

Appendix C PFD and PFH Calculations for a SIL 2 System

5-year PFD Calculations The PFD calculations in this table are calculated for a 5-year proof test interval
(43,800 hours) and are specific to ControlLogix system components.
Table 12 - 5-Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 2200 4.19E-08 2.21E-09 4.86E-05
4-slot ControlLogix-XT
1756-A4LXT B 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 2200 8.89E-07 4.68E-08 1.03E-03
chassis
5-slot ControlLogix-XT
1756-A5XT C 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 2200 1.29E-06 6.81E-08 1.50E-03
chassis
7-slot ControlLogix-XT
1756-A7LXT B 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 2200 3.44E-08 1.81E-09 3.98E-05
chassis
7-slot ControlLogix-XT
1756-A7XT C 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 2200 8.78E-07 4.62E-08 1.02E-03
chassis
18-32V DC 10 A
1756-PB72 C ControlLogix power 31,561,095 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 2200 3.01E-08 1.58E-09 3.49E-05
supply
85-265V AC 10 A
1756-PA72 C ControlLogix power 18,336,146 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 2200 5.18E-08 2.73E-09 6.00E-05
supply
85-265V AC 13 A
1756-PA75 B ControlLogix power 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 2200 5.08E-08 2.67E-09 5.88E-05
supply (75 W)
85-265V AC 13 A
1756-PA75R A Redundant ControlLogix 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 2200 6.72E-07 3.54E-08 7.79E-04
power supply
18-32V DC 13 A
1756-PB75 B ControlLogix power 15,675,475 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 2200 6.06E-08 3.19E-09 7.02E-05
supply
18-32V DC 13 A
1756-PB75R A Redundant ControlLogix 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 2200 5.47E-07 2.88E-08 6.34E-04
power supply Not applicable
ControlLogix-XT AC
1756-PAXT B 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 2200 5.08E-08 2.67E-09 5.88E-05
power supply
ControlLogix-XT DC
1756-PBXT B 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 2200 5.12E-07 2.69E-08 5.93E-04
power supply
30-60V DC 13 A
1756-PC75 B ControlLogix power 5,894,836 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 2200 1.61E-07 8.48E-09 1.87E-04
supply
90-143V DC 13 A
1756-PH75 B ControlLogix power 2,119,520 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 2200 4.48E-07 2.36E-08 5.19E-04
supply
Redundant power supply 45,146,727
1756-PSCA A 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 2200 2.10E-08 1.11E-09 2.44E-05
adapter
Redundant power supply 38,461,280
1756-PSCA2 A 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 2200 2.47E-08 1.30E-09 2.86E-05
adapter
ControlNet Fiber repeater 26,461,760
1786-RPFS A 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 2200 3.59E-08 1.89E-09 4.16E-05
- short
ControlNet Fiber repeater 16,697,862
1786-RPFM A 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 2200 5.69E-08 2.99E-09 6.59E-05
- medium
ControlNet Fiber repeater 5,717,227
1786-RPFRL A 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 2200 1.66E-07 8.75E-09 1.92E-04
- long
1786-RPCD A ControlNet Hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 2200 3.32E-08 1.74E-09 3.84E-05
ControlNet repeater
1786-RPA B 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 2200 8.03E-08 4.23E-09 9.30E-05
adapter
ControlNet Fiber repeater 11,373,440
1786-RPFRXL B 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 2200 8.35E-08 4.40E-09 9.67E-05
- extra long

120 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 12 - 5-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix controller,
1756-L61(7) B 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 2200 9.50E-07 5.00E-08 1.10E-03

ControlLogix controller,
1756-L62(7) B 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 2200 9.18E-07 4.83E-08 1.06E-03

ControlLogix controller,
1756-L63(7) B 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 2200 9.00E-07 4.74E-08 1.04E-03

ControlLogix-XT
1756-L63XT(7) B controller, 8 MB 357,760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 2200 2.66E-06 1.40E-07 3.07E-03

ControlLogix controller,
1756-L71(8) B 2 MB
2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller,
1756-L72(8) B 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller, Calculated

1756-L73(8) B 8 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03
MTBF and
ControlLogix-XT PFD via
1756-L73XT(8) B controller, 8 MB FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller,
1756-L74(8) B 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03 Not applicable

ControlLogix controller,
1756-L75(8) B 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix controller,
1756-L61S(7) B 2 MB standard 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 2200 9.50E-07 5.00E-08 1.10E-03

GuardLogix controller,
1756-L62S(7) B 4 MB standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 2200 9.18E-07 4.83E-08 1.06E-03

GuardLogix controller,
1756-L63S(7) B 8 MB standard 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 2200 9.00E-07 4.74E-08 1.04E-03

GuardLogix controller,
1756-L71S(8) B 2 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix controller, Calculated

1756-L72S(8) B 4 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03
MTBF and
GuardLogix controller, 8 PFD via
1756-L73S(8) B MB standard FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix-XT controller,
1756-L73SXT(8) B 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 2200 5.32E-07 2.80E-08 6.16E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 2200 3.64E-07 1.92E-08 4.22E-04
communication module
ControlLogix ControlNet
1756-CN2 B 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 2200 8.67E-07 4.56E-08 1.00E-03
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2(8) C communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
FMEA
ControlLogix ControlNet
1756-CN2R B redundant 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 2200 8.67E-07 4.56E-08 1.00E-03 Not applicable
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
communication module FMEA
ControlLogix-XT
1756-CN2RXT B ControlNet redundant 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 2200 4.80E-07 2.53E-08 5.56E-04
communication module
Calculated
ControlLogix-XT MTBF and
1756-CN2RXT(8) C ControlNet redundant PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
communication module FMEA
ControlLogix Data
1756-DHRIO(9) E Highway Plus Remote I/O 2,503,396 3.79E-07 2.00E-08 7.59E-07
Module
ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 3.79E-07 2.00E-08 Not 7.59E-07
module Non-interference only Not applicable
applicable
(9) ControlLogix DeviceNet
1756-DNB D 2,192,202 4.33E-07 2.28E-08 8.67E-07
communication module
ControlLogix EtherNet/IP 2,088,198
1756-ENBT(9) A communication module 4.55E-07 2.39E-08 9.10E-07

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 121

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 12 - 5-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP 1,312,712
1756-EN2T C 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 2200 7.24E-07 3.81E-08 8.38E-04
communication module
ControlLogix EtherNet/IP 269,774
1756-EN2T(9) D communication module Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 2200 2.59E-07 1.36E-08 3.00E-04
with fault tolerance
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03 3.82E-06 988.76 1.51E-09 3.19E-05
with fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03 3.82E-06 988.76 1.51E-09 3.19E-05
with fault tolerance
ControlLogix-XT
1756-EN2TXT C EtherNet/IP 1,300,000 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 2200 7.31E-07 3.85E-08 8.46E-04 Not applicable
communication module
ControlLogix-XT
1756-EN2TXT(9) D EtherNet/IP 269,774 3.71E-06
communication module
ControlLogix EtherNet/IP
1756-EN3TR B communication module 269,774 3.71E-06
with fault tolerance
ControlLogix redundancy 1,373,840
1756-RM(9) B module 6.91E-07
Not applicable
ControlLogix enhanced Non-interference only
1756-RM2(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT
1756-RM2XT(9) A enhanced redundancy 250,182 4.00E-06
module
ControlLogix-XT
1756-RMXT(9) B redundancy module 980,096 9.69E-07

ControlLogix SynchLink
1756-SYNCH(9) A Module 6,932,640 1.37E-07 Not applicable 2.74E-07 Not applicable

ControlLogix isolated V
1756-IA16I A 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 8770 3.85E-08 9.61E-09 2.11E-04 7.69E-08 5850 4.84E-10 1.06E-05
AC input module
ControlLogix diagnostic V 15,966,080
1756-IA8D A 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 8770 5.01E-08 1.25E-08 2.75E-04 1.00E-07 5850 6.33E-10 1.38E-05
AC input module
ControlLogix diagnostic V 30,228,640
1756-IB16D A 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 8770 2.65E-08 6.62E-09 1.45E-04 5.29E-08 5850 3.33E-10 7.28E-06
DC input module
ControlLogix isolated V
1756-IB16I A 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 8770 9.82E-09 2.46E-09 5.38E-05 1.96E-08 5850 1.23E-10 2.70E-06
DC input module
ControlLogix isolated V
1756-IB16ISOE A DC Sequence Of Events 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 8770 6.93E-08 1.73E-08 3.80E-04 1.39E-07 5850 8.79E-10 1.92E-05
input module
ControlLogix V DC input
1756-IB32 B 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 8770 7.65E-08 1.91E-08 4.19E-04 1.53E-07 5850 9.70E-10 2.12E-05
module
ControlLogix analog input 8,699,254
1756-IF8 A 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 8770 9.20E-08 2.30E-08 5.04E-04 1.84E-07 5850 1.17E-09 2.55E-05
module
ControlLogix isolated
1756-IF8I(8) A analog input module 2,337,541 4.28E-07 2.139E-07 77% 9.81E-08 1.16E-07 10054 3.3E-07 9.81E-08 2.15E-03 6.59E-07 6706 2.37E-09 4.89E-05

Calculated
ControlLogix isolated MTBF and
1756-IF8I(8) B analog input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 9445 4.58E-07 1.26E-07 2.77E-03 9.15E-07 6300 3.19E-09 6.51E-05
FMEA
ControlLogix HART analog 1,291,978
1756-IF8H A 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 8770 6.19E-07 1.55E-07 3.39E-03 1.24E-06 5850 8.69E-09 1.84E-04
input module
ControlLogix analog input 4,592,506
1756-IF16 A 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 3514 1.74E-07 4.35E-08 3.83E-04 3.48E-07 2346 2.21E-09 1.93E-05
module
ControlLogix HART analog 442,914
1756-IF16H A 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 8770 1.81E-06 4.52E-07 9.90E-03 3.61E-06 5850 3.06E-08 6.13E-04
input module
ControlLogix isolated
1756-IF6CIS A 2,654,080 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 8770 3.01E-07 7.54E-08 1.65E-03 6.03E-07 5850 3.99E-09 8.59E-05
analog input module
ControlLogix isolated
1756-IF6I A 4,176,185 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 8770 1.92E-07 4.79E-08 1.05E-03 3.83E-07 5850 2.49E-09 5.38E-05
analog input module
ControlLogix V DC
1756-IH16ISOE A Sequence Of Events input 2,150,720 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 8770 3.72E-07 9.30E-08 2.04E-03 7.44E-07 5850 4.99E-09 1.07E-04
module

122 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 12 - 5-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
ControlLogix isolated RTD 4,268,525
1756-IR6I A 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 8770 3.75E-07 5850 2.43E-09 5.26E-05
input module
ControlLogix isolated 2.636E-
1756-IRT8I(8) A RTD/thermocouple input 1,896,813 5.27E-07 07 76% 1.274E-07 1.362E-07 10594 8.00E-07 7066 3.23E-09 6.58E-05
module
Calculated
ControlLogix isolated MTBF and
1756-IRT8I(8) B RTD/thermocouple input PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 8874 Not allowed for 1oo1 configurations 9.75E-07 5919 3.13E-09 6.39E-05
module FMEA
ControlLogix isolated
1756-IT6I A thermocouple input 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 8770 4.04E-07 5850 2.63E-09 5.69E-05
module
ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 8770 5.88E-07 5850 3.89E-09 8.37E-05
input module
ControlLogix V AC output 32,891,456
1756-OA16I A 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 8770 2.43E-08 6.08E-09 1.33E-04 4.86E-08 5850 3.05E-10 6.69E-06
module
ControlLogix V AC
1756-OA8D A diagnostic output module 11,311,040 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 8770 7.07E-08 1.77E-08 3.88E-04 1.41E-07 5850 8.96E-10 1.96E-05

ControlLogix V DC
1756-OB16D A diagnostic output module 8,884,374 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 8770 9.00E-08 2.25E-08 4.94E-04 1.80E-07 5850 1.15E-09 2.50E-05

ControlLogix V DC
1756-OB16E A electronically fused 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 8770 5.33E-08 1.33E-08 2.92E-04 1.07E-07 5850 6.74E-10 1.47E-05
output module
ControlLogix V DC
1756-OB16I A 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 8770 1.08E-07 2.71E-08 5.94E-04 2.17E-07 5850 1.38E-09 3.01E-05
isolated output module
ControlLogix V DC output 2,681,316
1756-OB32 A 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 8770 2.98E-07 7.46E-08 1.64E-03 5.97E-07 5850 3.95E-09 8.50E-05
module
ControlLogix V DC
1756-OB8EI A isolated electronically 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 8770 5.71E-08 1.43E-08 3.13E-04 1.14E-07 5850 7.21E-10 1.58E-05
fused output module
ControlLogix isolated
1756-OX8I A 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 8770 1.32E-07 3.30E-08 7.24E-04 2.64E-07 5850 1.69E-09 3.68E-05
relay output module
ControlLogix isolated
1756-OW16I A 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 8770 5.84E-08 1.46E-08 3.20E-04 1.17E-07 5850 7.39E-10 1.61E-05
relay output module
ControlLogix analog
1756-OF8 A 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 8770 7.53E-08 1.88E-08 4.13E-04 1.51E-07 5850 9.55E-10 2.08E-05
output module
ControlLogix isolated
1756-OF8I(8) A analog output module 2,213,369 4.52E-07 2.259E-07 76% 1.08E-07 1.18E-07 10490 3.44E-07 1.08E-07 2.37E-03 6.87E-07 6997 2.65E-09 5.46E-05

Calculated MTBF
ControlLogix isolated
1756-OF8I(8) B analog output module and PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 9869 4.71E-07 1.37E-07 3.0E-03 9.42E-07 6583 3.53E-09 7.16E-05
FMEA
ControlLogix isolated
1756-OF6VI A 21,604,960 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 8770 3.70E-08 9.26E-09 2.03E-04 7.41E-08 5850 4.66E-10 1.02E-05
analog output module
ControlLogix isolated
1756-OF6CI A 8,354,667 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 8770 9.58E-08 2.39E-08 5.25E-04 1.92E-07 5850 1.22E-09 2.66E-05
analog output module
ControlLogix HART analog 5,118,187
1756-OF8H A 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 8770 1.56E-07 3.91E-08 8.57E-04 3.13E-07 5850 2.01E-09 4.37E-05
output module
FLEX I/O ControlNet
1794-ACN15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
adapter
FLEX I/O ControlNet
1794-ACNR15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
redundant adapter
FLEX I/O-XT ControlNet
1794-ACNR15XT D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
adapter
Not allowed for 1oo1 configurations
FLEX I/O EtherNet/IP
1794-AENT B 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 8770 8.99E-07 5850 6.12E-09 1.30E-04
adapter
FLEX I/O EtherNet/IP
1794-AENTR A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 8770 1.26E-06 5850 8.87E-09 1.87E-04
adapter, Ring media
FLEX I/O EtherNet/IP
1794-AENTRXT A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 8770 1.26E-06 5850 8.87E-09 1.87E-04
adapter, Ring media
FLEX I/O 24V DC input
1794-IB16 A 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 8770 8.91E-09 5850 5.58E-11 1.22E-06
module
FLEX I/O-XT 24V DC input 35,587,189
1794-IB16XT A 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 8770 4.50E-08 5850 2.82E-10 6.18E-06
module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 8770 2.89E-08 5850 1.81E-10 3.97E-06
FLEX I/O-XT counter
1794-IJ2XT A 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 8770 Not allowed for 1oo1 configurations 1.37E-07 5850 8.65E-10 1.89E-05
module
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 8770 7.26E-08 5850 4.57E-10 1.00E-05
FLEX I/O 24V DC
1794-IB10XOB6 A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
input/output module
FLEX I/O-XT 24V DC
1794-IB10XOB6XT A 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 8770 7.21E-08 5850 4.54E-10 9.92E-06
input/output module

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 123

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 12 - 5-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
FLEX I/O 24V DC
1794-OB8EP A electronically fused 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
output module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 8770 1.08E-07 5850 6.84E-10 1.49E-05
output module
FLEX I/O 24V DC output
1794-OB16 A 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 8770 2.95E-08 5850 1.85E-10 4.04E-06
module
FLEX I/O 24V DC Not allowed for 1oo1 configurations
1794-OB16P A protected output module 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06

FLEX I/O-XT 24V DC

1794-OB16PXT A protected output module 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 8770 5.99E-08 5850 3.77E-10 8.24E-06

FLEX I/O isolated relay

1794-OW8 A 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 8770 5.50E-08 5850 3.46E-10 7.56E-06
output module
FLEX I/O-XT isolated
1794-OW8XT A 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 8770 8.64E-08 5850 5.45E-10 1.19E-05
relay output module
FLEX I/O analog input
1794-IE8 B 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 8770 8.46E-08 5850 5.33E-10 1.17E-05
module
FLEX I/O-XT analog input 14,041,000
1794-IE8XT B 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 8770 1.14E-07 5850 7.20E-10 1.57E-05
module
FLEX I/O isolated analog
1794-IF4I A 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 8770 1.62E-07 5850 1.03E-09 2.24E-05
input module
FLEX I/O-XT isolated
1794-IF4IXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 8770 2.19E-07 5850 1.40E-09 3.05E-05
analog input module
FLEX I/O-XT isolated
1794-IF4ICFXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 8770 2.19E-07 5850 1.40E-09 3.05E-05
analog input module
Flex, 8 Isolated HART
1794-IF8IHNFXT A analog input, extended 926,808 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 8770 1.73E-06 5850 1.26E-08 2.64E-04
env
FLEX I/O RTD input
1794-IR8 A 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 8770 3.19E-07 5850 2.06E-09 4.46E-05
module
FLEX I/O-XT RTD input Not allowed for 1oo1 configurations 1.67E-07
1794-IR8XT A 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 8770 5850 1.06E-09 2.31E-05
module
FLEX I/O RTD/
1794-IRT8 B Thermocouple input 1,407,269 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 8770 1.14E-06 5850 7.91E-09 1.67E-04
module
FLEX I/O-XT RTD/
1794-IRT8XT B Thermocouple input 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 8770 1.95E-07 5850 1.24E-09 2.71E-05
module
FLEX I/O Thermocouple
1794-IT8 A 2,097,509 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 8770 7.63E-07 5850 5.13E-09 1.10E-04
input module
FLEX I/O isolated analog
1794-IF2XOF2I A 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 8770 1.89E-07 5850 1.20E-09 2.62E-05
input/output module
FLEX I/O-XT isolated
1794-IF2XOF2IXT A analog input/output 6,317,918 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 8770 2.53E-07 5850 1.62E-09 3.53E-05
module
FLEX I/O-XT analog
1794-IE4XOE2XT B 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 8770 1.36E-07 5850 8.59E-10 1.87E-05
input/output module
FLEX I/O analog output
1794-OE4 B 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 8770 8.68E-08 5850 5.47E-10 1.20E-05
module
FLEX I/O-XT analog
1794-OE4XT B 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 8770 1.41E-07 5850 8.91E-10 1.94E-05
output module
Not allowed for 1oo1 configurations
FLEX I/O analog output
1794-OF4I A 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 8770 6.70E-08 5850 4.21E-10 9.22E-06
module
FLEX I/O-XT analog
1794-OF4IXT A 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 8770 2.91E-07 5850 1.87E-09 4.07E-05
output module

124 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix C PFD and PFH Calculations for a SIL 2 System

Table 12 - 5-Year PFD Calculations (Continued)

Series
STR STR
(SFF) %
FLEX I/O terminal base
1794-TB3 A 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 8770 6.40E-09 5850 4.00E-11 8.77E-07
unit
FLEX I/O cage-clamp
1794-TB3G A generic terminal base 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit
FLEX I/O spring-clamp
1794-TB3GS A generic terminal base 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit
FLEX I/O terminal base
1794-TB3S A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit Not allowed for 1oo1 configurations
FLEX I/O temperature
1794-TB3T A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
terminal base unit
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 8770 3.06E-08 5850 1.92E-10 4.20E-06
base unit
FLEX I/O NEMA terminal
1794-TBN A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
base unit
FLEX I/O NEMA fused
1794-TBNF A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
terminal base unit
DC input termination
1492-TIFM40F-F24A-2(9) A board 7,779,000 7.04E-08 1.03E-07

Analog input termination 11,362,000

1492-TAIFM16-F-3(9) A board Non-interference only 7.90E-08 Not applicable 7.04E-08 Not applicable

DC output termination
1492-TIFM4OF-24-2(9) A board 10,127,000 0.00E+00 0.00E+00

(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For more information on which
products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) MTBF measured in hours unless calculated (as noted). Field return values – January 2012.
(3) Calculations performed on a per module basis.
(4)  = Failure Rate = 1/MTBF.
(5) Demand rate must be less than 10 per year
(6) Average of 1756-A4, -A7, -A10, -A13, and -A17 chassis.
(7) Suitable for use only in applications requiring compliance to IEC 61508 1999 Edition 1
(8) Calculated MTBF and PFD by FMEA to 61508-2010.
(9) SIL 2-rated for non-interference in the chassis. Data not required within a safety function.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 125

Appendix C PFD and PFH Calculations for a SIL 2 System

Using Component Values The system PFD value is calculated by totaling the PFD value of each
to Calculate System PFD component in the system. To calculate a system PFD value, use this equation:
modA PFD + modB PFD + modC PFD = system PFD

where modX PFD is the PFD value for one component or module in the system.
When calculating your system PFD, verify that all components that are used in
the system are totaled.

Example: 1-year PFD Calculation for a ControlLogix System

(1oo1 Configuration)

This example shows an example of a PFD calculation for a traditional

ControlLogix system in a fail-safe configuration. This example system uses
one chassis for the controller and a second chassis for the I/O. For an example,
see the top two chassis in Figure 3 on page 15.

Cat. No. Description Calculated

1756-IB16D ControlLogix V DC diagnostic input module 1.46E-06 (1oo2)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - I/O chassis 3.00E-04 (1oo1)
1756-L72 ControlLogix controller, 4 MB 4.50E-04 (1oo1)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - controller chassis 3.00E-04 (1oo1)
1756-OB16D ControlLogix V DC diagnostic output module 4.97E-06 (1oo2)(1)
Total safety loop PFD: 1.056E-03
Percent of SIL 2 budget: 10.56%
(1) 1oo2 represents using a 1756-OB16D module to control the SIL 2 actuator, and using a second 1756-OB16D module to control the secondary relay output.

Example: 1-year PFD Calculation for a ControlLogix System

(1oo2 Configuration)

See Figure 6 on page 18 for a system diagram of the example calculation that is
shown here.

Cat. No. Description Calculated

1756-IB16D ControlLogix V DC diagnostic input module 1.46E-06 (1oo2)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - I/O chassis 6.11E-06 (1oo2)(1)
1756-L72 ControlLogix controller, 4 MB 4.50E-04 (1oo1)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - controller chassis 6.11E-06 (1oo2)
1756-OB16D ControlLogix V DC diagnostic output module 4.97E-06 (1oo2)
Total safety loop PFD: 4.69E-04
Percent of SIL 2 budget: 4.69%
(1) 1oo2 is being used because the I/O modules are being split among 2 chassis.

126 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix D

Using ControlLogix and FLEX I/O Modules in SIL 1

Applications

If you plan to use the 1756 I/O or the 1794 FLEX™ I/O modules in a SIL 1 1oo1
configuration, Table 13 guidelines must be implemented, including either the
use diagnostic modules or implementing appropriate field diagnostics as
defined here for limited high demand applications with up to 10 demands per
year.
• Field diagnostics must execute once every 8 hours for limited high
demand applications with up to 10 demands per year.
• An output or other sensing device must be used to provide field power
control to the digital inputs. See the SIL 2 output guidelines in Chapter ,
ControlLogix I/O Modules.
• You must consider the time that it takes a diagnostic to execute when
determining the safety reaction time because safety demands will not be
detectable if they occur during a diagnostic.

The diagnostic you implement must monitor the ability of all SIL 1 inputs
to detect a change of state. One example method would be to turn off the
output and monitor that all SIL 1 inputs detect the loss of signal within a
short period. Then, when the output turns back on, make sure that all SIL
1 inputs properly detect the change. You must consider and mitigate any
impact to your system while the diagnostic is executing.

Figure 64 - SIL 1 Digital Input Wiring Example for 1794 I/O Modules
Field Power

Field Devices

1
SIL 1 Output SIL 1 Input 1

2
SIL 1 Input 2

3
SIL 1 Input 3

Field diagnostics as described for 1794 I/O modules can also be used to meet the
requirements for periodic proof testing with either 1794 or 1756 I/O modules.

Termination boards 1492-TIFM16-F-3 can be used to provide a voltage

reference for periodic tests as shown here.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 127

Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications

Figure 65 - SIL 1 1756 Analog Input Wiring Example (Simplex)

1756 Analog Input Module

Input Values from Field Devices

All configured for 0...5V operation.

1756 Analog Input
Module Solid-state switch controlled
by DC output.

Reference Voltages

1492-CABLExxxUA() to 1756
Analog Input Module DIP Switch for Sensor
Wiring

Precision 249 
Resistor

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in

4...20 mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Two-wire Transmitter

xxx is cable length (005=0.5 m, 010=1.0 m, 025=2.5 m, 050=5.0 m).

128 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications

Figure 66 - SIL 1 1794 Analog Input Wiring Example (Simplex)

1756 Analog Input Module

Input Values from Field Devices

All configured for 0...5V operation.

Solid-state switch controlled

by DC output.

Reference Voltages

User-supplied cable
DIP Switch for Sensor
Wiring

Precision 249 
Resistor

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in

4...20 mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Two-wire Transmitter

To make your own cable, follow the termination board pinout that is shown
here.
P1 Pins Description
3 Input 0
2 Input 1
1 Input 2
14 Input 3
15 Input 4
16 Input 5
17 Input 6
18 Input 7
12 Input 8
13 Input 9
25 Input 10
24 Input 11
23 Input 12
22 Input 13
20 Input 14
21 Input 15

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 129

Appendix D Using ControlLogix and FLEX I/O Modules in SIL 1 Applications

P1 Pins Description
4 RTN
6 RTN
8 RTN
10 RTN

When using controllers and network communication modules, follow the

guidelines that are listed in this safety manual.

IMPORTANT When using 1756 or 1794 non-diagnostic outputs in SIL 1 configurations,

you must implement a secondary means to shut off the outputs.

Table 13 lists additional considerations that must be made with various

ControlLogix® modules in a SIL 1 application.
Table 13 - Considerations for SIL 1 Applications by Module
Module Additional Considerations
Controllers None. Use the controller exactly as described previously in this manual.
ControlNet® modules None. Use the modules exactly as described previously in this manual.
Ethernet modules None. Use the modules exactly as described previously in this manual.
Diagnostic output modules are recommended, but not required, in a SIL 1 application. Implement a secondary shutdown path if the
Digital output modules(1) SIL 1 application requires a fail-safe OFF in the event of a shorted output.
Only one module is required in a SIL 1 application. Periodic tests of the inputs should be performed as described previously in this
Digital input modules(2) manual.
Analog output modules(1) Analog output modules should be wired as described previously in this manual.
Only 1 module is required in a SIL 1 application. Periodic tests of the inputs should be performed as described previously in this
Analog input modules(2) manual.
(1) The user should be alerted to any detected output failures.
(2) The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection and tripping
must be less than or equal to the fault tolerance time.

130 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix E

Checklists

Checklist for the The following checklist is required for planning, programming, and start up of
ControlLogix System a SIL 2-certified ControlLogix® system. It can be used as a planning guide and
during proof testing. If used as a planning guide, the checklist can be saved as
a record of the plan.

Check List for ControlLogix System(1)

Company:
Site:
Loop definition:
Fulfilled
No. Comment
Yes No
Are you only using the SIL 2-certified ControlLogix modules with the corresponding firmware release
1 listed in Revision Release List (available from the Product Certification link at http://www.ab.com) for
your safety application?
2 Have you calculated the system’s response time?
Does the system’s response time include both the user-defined, SIL-task program watchdog (software
3 watchdog) time and the SIL-task duration time?
4 Is the system response time in proper relation to the process tolerance time?
5 Have PFD values been calculated according to the system’s configuration?
6 Have you performed all appropriate proof tests?
7 Have you defined your process parameters that are monitored by fault routines?
8 Have you determined how your system will handle faults?
Have you taken into consideration the checklists for using SIL inputs and outputs listed on pages 132
9
and 133.
(1) For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy on page 9.

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 131

Appendix E Checklists

Checklist for SIL Inputs The following checklist is required for planning, programming, and startup of
SIL inputs. It can be used as a planning guide and during proof testing. If used
as a planning guide, the checklist can be saved as a record of the plan.

For programming or start-up, an individual checklist can be completed for

every SIL input channel in a system. This is the only way to make sure that the
requirements were fully and clearly implemented. This checklist can also be
used as documentation on the connection of external wiring to the application
program.

Input Module Check List for ControlLogix System

Company:
Site:
Loop definition:
SIL input channels in the:
No. All Input Module Requirements (apply to both digital and analog input modules) Yes No Comment
1 Is Exact Match selected as the electronic keying option whenever possible?
2 Is the RPI value set to an appropriate value for your application?
3 Are all modules owned by the same controller?
4 Have you performed proof tests on the system and modules?
5 Have you set up the fault routines?
6 Are control, diagnostics and alarming functions performed in sequence in application logic?
For applications using FLEX™ I/O modules, is the application logic monitoring one ControlNet® status bit for the
7 associated module, and is appropriate action invoked via the application logic by these bits?
No. Additional Digital Input Module-Only Requirements Yes No Comment
When two digital input modules are wired in the same application, do the following conditions exist:
• Both modules are owned by the same controller.
• Sensors are wired to separate input points.
1 • The operational state is ON.
• The non-operational state is. OFF.
• Configuration parameters (for example, RPI, filter values) are identical.
• For FLEX input modules, both module are on different rails/chassis
2 For the standard input modules, is the Communication Format set to one of the Input Data choices?
3 For the diagnostic input modules, is the Communication Format set to Full Diagnostics-Input Data?
4 For the diagnostic input modules, are all diagnostics enabled on the module?
5 For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?
6 For the diagnostic input modules, is the controller connection a direct connection?

132 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Appendix E Checklists

Input Module Check List for ControlLogix System

No. Additional Analog Input Module-Only Requirements Yes No Comment
1 Is the Communication Format set to Float Data?
2 Have you calibrated the modules as often as required by your application?
Are you using ladder logic to compare the analog input data on two channels to make sure there is concurrence
3 within an acceptable range and that redundant data is used properly?
Have you written application logic to examine bits for any condition that may cause a fault and appropriate fault
4 routines to handle the fault condition?
When two FLEX I/O analog input modules are wired in the same application, are both module on different rails/
5 chassis?
6 When wiring an analog input module in Voltage mode, are transmitter grounds tied together?
7 When wiring an analog input module in Current mode, are loop devices placed properly?
When wiring thermocouple modules in parallel, have you wired to the same channel on each module as shown in
8 Figure 33 on page 60?
9 When wiring two RTD modules, are two sensors used, as shown in Figure 34 on page 60?

Checklist for SIL Outputs The following checklist is required for planning, programming, and startup of
SIL outputs. It can be used as a planning guide and during proof testing. If
used as a planning guide, the checklist can be saved as a record of the plan.

For programming or start-up, an individual requirement checklist must be

completed for every SIL output channel in a system. This is the only way to
make sure that the requirements are fully and clearly implemented. This
checklist can also be used as documentation on the connection of external
wiring to the application program.
Output Check List for ControlLogix System
Company:
Site:
Loop definition:
SIL output channels in the:
All Output Module Requirements
No. Yes No Comment:
(apply to both digital and analog output modules)
1 Have you performed proof tests on the modules?
2 Is Exact Match selected as the electronic keying option whenever possible?
3 Is the RPI value set to an appropriate value for your application?
4 Have you built fault routines, including comparing output data with a corresponding input point?
It is required that if you have used external relays in your application to disconnect module power if a
5 short or other fault is detected on the module or isolated output in series?
6 Is the control of the external relay implemented in ladder logic?
7 Have you examined the Output Data Echo signal in application logic?
Are all outputs configured to de-energize in the event of a fault or the controller entering Program
8 mode?
9 Do two modules of the same type, which is used in the same application, use identical configurations?
Does one controller own both the output module that controls the actuator and the output module that
10 controls the secondary relay?
11 Are control, diagnostics and alarming functions performed in sequence in application logic?
No. Digital Output Module-Only Requirements Yes No Comment
1 For the standard output modules, is the Communication Format set to Output Data?
For standard output modules, have you wired the outputs to a corresponding input to validate that the
2 output is following its commanded state?
3 For the diagnostic output modules, are all diagnostics enabled on the module?
4 For the diagnostic output modules, are enabled diagnostic bits monitored by fault routines?

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 133

Appendix E Checklists

Output Check List for ControlLogix System

5 For the diagnostic output modules, is the Communication Format set to Full Diagnostics-Output Data?
For diagnostic output modules, have you periodically performed a Pulse Test to make sure that the
6 output is capable of change state?
7 For diagnostic output modules, is the controller connection a direct connection?
No. Analog Output Module Requirements - Analog Only Yes No Comment
1 Is the Communication Format set to Float Data?
2 Have you calibrated the modules as often as required by your application?
3 When wiring an analog output module in Current mode, are loop devices placed properly?
Have you written application logic to examine bits for any condition that may cause a fault and
4 appropriate fault routines to handle the fault condition?
5 Did you wire the analog output to a monitoring analog input to verify that the output is within range?

Checklist for the Creation of The following checklist is recommended to maintain safety technical aspects
an Application Program when programming, before and after loading the new or modified program.

Checklist for Creation of an Application Program Safety Manual ControlLogix System

Company:
Site:
Project definition:
File definition / Archive number:

Notes / Checks Yes No Comment

Before a Modification
Are the configuration of the ControlLogix system and the application program created on
the basis of safety aspects?
Are programming guidelines used for the creation of the application program?
After a Modification - Before Loading
Has a review of the application program with regard to the binding system specification
been carried out by a person not involved in the program creation?
Has the result of the review been documented and released (date/signature)?
Was a backup of the complete program created before loading a program in the
ControlLogix system?
After a Modification - After Loading
Was a sufficient number of tests carried out for the safety relevant logical linking
(including I/O) and for all mathematical calculations?
Was all force information reset before safety operation?
Has it been verified that the system is operating properly?
Have the appropriate security routines and functions been installed?
Is the controller keyswitch in Run mode and the key removed?

134 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Index

Numerics communication
ControlNet components 42
1oo1 configuration 108 data echo 32
1oo2 configuration 108 Data Highway Plus - Remote I/O components
1-year PFD calculations 110 43
2-year PFD calculations 115 EtherNet/IP components 43
5-year PFD calculations 120 field-side output verification 32
network 34
requirements 43
A output data echo 49
SynchLink modules 43
actuators 84 compliances 29
Add-On Instructions 45, 82 components
alarms 1756 chassis 38
1756 analog input modules 54, 93 1756 power supply 38
analog input modules FLEX I/O 104 - 105
See ControlLogix analog input modules. configurations
See FLEX I/O analog input modules. fail-safe 13
analog output modules fault-tolerant 25
See ControlLogix analog output modules. high-availability 21
See FLEX I/O analog output modules. connections
application program direct 47
programming languages 81 rack-optimized 47
SIL task/program instructions 85 Control and Information Protocol (CIP) 7
applications control function
boiler 11 specification 83
combustion 11 CONTROLLERDEVICE object 93
gas and fire 10 controllers
requirements 38
ControlLogix
B analog input modules
boiler applications 11 alarms 54, 93
calibrate 54
ownership 56
C wiring 56
analog output modules
cable calibrate 62
ControlNet network 42 ownership 64
calculations wiring 64
1-year PFD 110 digital input modules
2-year PFD 115 requirements 47
5-year PFD 120 wiring 47
explanation of 109 digital output modules
PFD 107 requirements 49
calibrate wiring 50
1756 analog input modules 54 RTD input modules
1756 analog output modules 62 wiring 60
1794 analog input modules 71 thermocouple input modules
1794 analog output modules 77 wiring 59
certification 29 ControlNet communication modules
change parameters 96 diagnostic coverage 42
channel status ControlNet network 34
monitoring 54, 63 1756 communication modules 41
chassis 38 1756 components 42
cable 42
chassis adapter 39 repeater module 42
checklists 131 coordinated system time 43
CIP. See Control and Information Protocol.
CL SIL 2 29
combustion applications 11 D
commissioning life cycle 87 data echo 32, 49

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 135

Data Highway Plus - Remote I/O 41 analog output modules
components 43 calibrate 77
network 41, 43 wiring 79
DCS. See Distributed Control System components 104 - 105
DH+. See Data Highway Plus. digital input modules
wiring 68
DHRIO. See Data Highway Plus - Remote I/O digital output modules
diagnostic coverage wiring 70
ControlNet communication modules 42 EN 50156 standard 12
defined 7 module fault reporting 68, 69, 70, 72, 77
digital input modules RTD input modules
See ControlLogix digital input modules. wiring 76
See FLEX I/O digital input modules. terminal base units 105
digital output modules thermocouple input modules
See ControlLogix digital output modules. wiring 75
See FLEX I/O digital output modules. floating-point data format 54, 62
direct connection 47 forcing via software 85
Distributed Control System 43
duplex configurations 12
enhanced availability 45
G
fault-tolerant gas and fire applications 10
safety loop 25 Get System Value (GSV)
fault-tolerant systems 12 defined 7
logic solver 12 keyswitch position 93
safety loop 21 GSV. See Get System Value (GSV).

E H
edit hardware
application program 88, 89 1756 chassis 38
emergency shutdown applications 10, 13, 50, 63 1756 power supply 38
EN 50156 12 HART analog input modules 61
ESD. See emergency shutdown (ESD) wiring 61
applications. HART analog output modules 66
EtherNet/IP network 34 wiring 66
1756 communication modules 41 high-availability configuration 21
components 43 HMI
changing parameters via 96
devices 12, 43, 95
F use and application 95 - 96
FactoryTalk Security 82 hold last state 10
fail-safe configuration
about 13
fault detection 93 I
fault handling I/O modules
additional resources 94 calibrate 54
detection of faults 91 - 93 fault reporting 92
fault reporting 31, 92 proof test
1794 analog input modules 72 1756 analog input modules 53
1794 analog output modules 77 1756 analog output modules 62
1794 digital input modules 68 1756 digital input modules 47
1794 digital output modules 69, 70 1756 digital output modules 49
additional resources 94 1794 analog output modules 77
detection of faults 91 - 93 1794 digital input modules 67
fault-tolerant configuration 25 1794 digital output modules 69
wiring
field devices 1756 analog input modules 56
testing 47 1756 analog output modules 64
field-side output verification 32 1756 digital input modules 47
fire 1756 digital output modules 50
considerations for 10 1756 RTD input modules 60
FLEX I/O 1756 thermocouple input modules 59
analog input modules 1794 analog input modules 73
calibrate 71 1794 analog output modules 79
wiring 73 1794 digital input modules 68
1794 digital output modules 70

136 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

1794 RTD input modules 76 position
1794 thermocouple input modules 75 keyswitch 92
HART analog input modules 61 power supply 38
HART analog output modules 66 redundant 39
IEC 61131-3 81 Probability of Failure on Demand (PFD)
IEC 61508 9, 27, 109 1-year calculations 110
IEC 61511 9, 88, 95, 96 2-year calculations 115
interface 5-year calculations 120
HMI use and application 95 - 96 calculations 107, 109
defined 7
values 108
K produce and consume data 44
KEYSTATE word 93 program
keyswitch 33, 37, 82 changes 88
development life cycle 87
checking position 92 editing 88
edits 88, 89
identification 84
L language 81, 84
life cycle logic 84
commissioning 87 online 88
logic SIL 2 81
developing 84 Programming and Debugging Tool (PADT) 10, 81
defined 7
proof test 27, 67, 69, 77
M 1756 analog input modules 53
manual override circuit 11 1756 analog inputs 53
1756 analog output modules 62
Mean Time Between Failures (MTBF) 1756 analog outputs 62
defined 7 1756 digital inputs 47
Mean Time To Restoration (MTTR) 1756 digital output modules 49
defined 7 1756 digital outputs 49
modes 37 redundancy systems 27
module fault reporting 31, 92 pulse test 33
monitor
channel status 54, 63
motion 84 R
MTBF. See Mean Time Between Failures (MTBF). reaction time 28
MTTR. See Mean Time To Restoration. See also worst-case reaction time.
reading parameters 95
repeater modules 42
N reporting
NFPA 85, NFPA 86 11 module faults 31
requested packet interval 31
response time 28, 97 - 100
O RS AssetCentre 82
operating modes 37 RSLogix 5000 software 33
output data echo commissioning life cycle 87
digital outputs and 49 editing in 89
ownership forcing 85
general requirements 81 - 134
1756 analog input modules 56 program changes 88
1756 analog output modules 64 programming languages 81
1756 digital input modules 47 security 82
1756 digital output modules 50 SIL 2 programming 81
SIL task/program instructions 85
RSNetWorx for ControlNet software 34
P RTD input module
PADT. See Programming and Debugging Tool. See ControlLogix RTD input module.
parameters See FLEX I/O RTD input module.
changing 96
reading 95
peer-to-peer communication 41 S
requirements 44 safety certifications 29
PFD. See Probability of Failure on Demand. safety instrumentation system (SIS)

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 137

safety task wiring
See SIL task. 1756 analog input modules 56
safety watchdog 29 1756 analog output modules 64
security via software 82 1756 digital input modules 47
sensors 84 1756 digital output modules 50
1756 RTD input modules 60
serial 1756 thermocouple input modules 59
communication 34 1794 analog input modules 73
port 34 1794 analog output modules 79
SIL 2 1794 digital input modules 68
certification 29 1794 digital output modules 70
nonredundant system components 102 worst-case reaction time 28, 97
programming 81 analog modules 99
safety data 44 digital modules 98
simplex configurations 12
safety loop 13
SIS. See safety instrumentation system (SIS). X
software XT components 104
commissioning life cycle 87 ControlLogix 104
forcing 85 FLEX I/O 104, 105
general requirements 81 - 134
program changes 88
programming languages 81
RSLogix 5000 33
security 82
SIL 2 programming 81
SIL task/program instructions 85
watchdog 29
source protection 82
switchover 27, 28
SynchLink modules 41, 43
system PFD
example 126
system validation test
See proof test.

T
terminal base units
FLEX I/O 105
tests
1756 analog input modules 53
1756 analog output modules 62
1756 digital output modules 49
application logic 85
field devices 47
proof 27
pulse 33
thermocouple input module
See ControlLogix thermocouple input
module.
See FLEX I/O thermocouple input module.

V
verify
download and operation 86

W
watchdog 29

138 Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021

Using ControlLogix in SIL 2 Applications Reference Manual

Notes:

Rockwell Automation Publication 1756-RM001Q-EN-P - August 2021 139

Rockwell Automation Support
Use these resources to access support information.
Technical Support Center Find help with how-to videos, FAQs, chat, user forums, and product notification updates. rok.auto/support
Knowledgebase Access Knowledgebase articles. rok.auto/knowledgebase
Local Technical Support Phone Numbers Locate the telephone number for your country. rok.auto/phonesupport
Literature Library Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center Download firmware, associated files (such as AOP, EDS, and DTM), and access product rok.auto/pcdc
(PCDC) release notes.

Documentation Feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our
content, complete the form at rok.auto/docfeedback.

Waste Electrical and Electronic Equipment (WEEE)

At the end of life, this equipment should be collected separately from any unsorted municipal waste.

Rockwell Automation maintains current product environmental compliance information on its website at rok.auto/pec.

Allen-Bradley, ControlLogix, ControlLogix-XT, Data Highway Plus, DH+, FactoryTalk, FLEX, FLEX I/O-XT, GuardLogix, GuardLogix-XT, Logix 5000, Rockwell Automation, Rockwell Software, RSLogix
5000, RSNetWorx, SequenceManager, Stratix, Studio 5000 Logix Designer, and SynchLink are trademarks of Rockwell Automation, Inc.
CIP, ControlNet, DeviceNet, and EtherNet/IP are trademarks of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400 EEE Yönetmeliğine Uygundur

Publication 1756-RM001Q-EN-P - August 2021

Walc 2
92% (26)
Walc 2
301 pages
Wisdom Oracle PDF
79% (57)
Wisdom Oracle PDF
248 pages
WALC 10 Memory
83% (12)
WALC 10 Memory
186 pages
Pachislo Manual PDF
100% (3)
Pachislo Manual PDF
30 pages
Service Manual IGT PDF
86% (7)
Service Manual IGT PDF
274 pages
EPA07 Maxxforce 11, 13 Engine Service Manual
79% (29)
EPA07 Maxxforce 11, 13 Engine Service Manual
490 pages
Unlock Codes All Cell Phones
100% (25)
Unlock Codes All Cell Phones
15 pages
Gideon's Guardians - New Meth Recipe - A - K - A Easter Bunny Meth
67% (6)
Gideon's Guardians - New Meth Recipe - A - K - A Easter Bunny Meth
50 pages
Service Manual All GM 1977 PDF
100% (1)
Service Manual All GM 1977 PDF
468 pages
DIY: Immobilizer Hacking For Lost Keys or Swapped ECU
50% (4)
DIY: Immobilizer Hacking For Lost Keys or Swapped ECU
14 pages
Cell Phone Unlock Code Instructions
63% (8)
Cell Phone Unlock Code Instructions
41 pages
Logix Diagnostics - Proces-Rm003 - En-P
No ratings yet
Logix Diagnostics - Proces-Rm003 - En-P
104 pages
Isuzu NPR - NPR HD - NQR Commercial Truck Tiltmaster Service Manual Supplement 2003
83% (6)
Isuzu NPR - NPR HD - NQR Commercial Truck Tiltmaster Service Manual Supplement 2003
215 pages
2019 Mac Pro Service Technician Manual
No ratings yet
2019 Mac Pro Service Technician Manual
341 pages
All CDMA Codes
75% (4)
All CDMA Codes
17 pages
Micr Basics Hand Book
100% (4)
Micr Basics Hand Book
21 pages
X32 Matrix Setup Guide: Step 1: Assign The Matrix Mix To An Output
No ratings yet
X32 Matrix Setup Guide: Step 1: Assign The Matrix Mix To An Output
2 pages
Replacement Guidelines: Controllogix 5560/5570 To Controllogix 5580
No ratings yet
Replacement Guidelines: Controllogix 5560/5570 To Controllogix 5580
74 pages
P - PF52x Syslib-Rm048 - En-P
No ratings yet
P - PF52x Syslib-Rm048 - En-P
64 pages
ServiceManualNamux4English PDF
100% (9)
ServiceManualNamux4English PDF
112 pages
All Mobile Tricks
91% (35)
All Mobile Tricks
19 pages
Device Unlock Code Instructions
100% (1)
Device Unlock Code Instructions
28 pages
Recommendation Report
No ratings yet
Recommendation Report
10 pages
Controllogix in Sil 2 Applications: Reference Manual
No ratings yet
Controllogix in Sil 2 Applications: Reference Manual
208 pages
1756-GuardLogix Controller Systems
No ratings yet
1756-GuardLogix Controller Systems
160 pages
ControLogixSIL2 PDF
No ratings yet
ControLogixSIL2 PDF
158 pages
Guardlogix 5580 and Compact Guardlogix 5380 Controller Systems
No ratings yet
Guardlogix 5580 and Compact Guardlogix 5380 Controller Systems
120 pages
Controllogix 5580 and Guardlogix 5580 Controllers: User Manual
No ratings yet
Controllogix 5580 and Guardlogix 5580 Controllers: User Manual
290 pages
ControlLogix and GuardLogix Controllers-1
No ratings yet
ControlLogix and GuardLogix Controllers-1
220 pages
Secure At001 - en P
No ratings yet
Secure At001 - en P
116 pages
1756 Um535 en P Redundancy
No ratings yet
1756 Um535 en P Redundancy
192 pages
C200pc-Isa01-E C200pc-Isa 2-Drm-E C200pc-Isa 2-Srm-E C200pc-Exp01 Sysmac Board Operation Manual
No ratings yet
C200pc-Isa01-E C200pc-Isa 2-Drm-E C200pc-Isa 2-Srm-E C200pc-Exp01 Sysmac Board Operation Manual
113 pages
Factorytalk Logix Echo Getting Results Guide
No ratings yet
Factorytalk Logix Echo Getting Results Guide
39 pages
1756-um543_-en-p
No ratings yet
1756-um543_-en-p
226 pages
Rockwell Automation Library of Process Objects: Motor Operated Valve (P - Valvemo)
No ratings yet
Rockwell Automation Library of Process Objects: Motor Operated Valve (P - Valvemo)
52 pages
1756-Um535 - REDUNDANCIA CONTROLLOGIX PDF
No ratings yet
1756-Um535 - REDUNDANCIA CONTROLLOGIX PDF
242 pages
GuardLogix 5580 and Compact GuardLogix Controller Systems-1
No ratings yet
GuardLogix 5580 and Compact GuardLogix Controller Systems-1
152 pages
Control Logix 5580
No ratings yet
Control Logix 5580
222 pages
Redundancy Systems: User Manual
No ratings yet
Redundancy Systems: User Manual
198 pages
secure-at001_-en-p (1)
No ratings yet
secure-at001_-en-p (1)
122 pages
ControlLogix 5580 and GuardLogix 5580 Controllers Manual
No ratings yet
ControlLogix 5580 and GuardLogix 5580 Controllers Manual
202 pages
Proces rm011 - en P
No ratings yet
Proces rm011 - en P
212 pages
Syslib-Rm015 P VALVESO
No ratings yet
Syslib-Rm015 P VALVESO
48 pages
Replacement Guidelines: Logix 5000 Controllers: Reference Manual
No ratings yet
Replacement Guidelines: Logix 5000 Controllers: Reference Manual
170 pages
Syslib rm026 - en P
No ratings yet
Syslib rm026 - en P
60 pages
Rockwell Automation Library of Logix Diagnostic Objects: Reference Manual
No ratings yet
Rockwell Automation Library of Logix Diagnostic Objects: Reference Manual
100 pages
Controllogix 5570/5560 Redundancy: User Manual
No ratings yet
Controllogix 5570/5560 Redundancy: User Manual
244 pages
P D4SD
No ratings yet
P D4SD
56 pages
Kinetix 5100
No ratings yet
Kinetix 5100
556 pages
TLink Option Module - 750com-Um100 - En-P
No ratings yet
TLink Option Module - 750com-Um100 - En-P
28 pages
Cr30 Allen Bradley
No ratings yet
Cr30 Allen Bradley
190 pages
Stratix 2500 Lightly Managed Switches: User Manual
No ratings yet
Stratix 2500 Lightly Managed Switches: User Manual
156 pages
Stratix 2500 Lightly Managed Switches: User Manual
No ratings yet
Stratix 2500 Lightly Managed Switches: User Manual
142 pages
Proces Rm003 en P
No ratings yet
Proces Rm003 en P
96 pages
Rockwell Automation Library of Process Objects: Two-Speed Motor (P - Motor2Spd)
No ratings yet
Rockwell Automation Library of Process Objects: Two-Speed Motor (P - Motor2Spd)
56 pages
Rockwell Automation Library of Process P - PIDE
No ratings yet
Rockwell Automation Library of Process P - PIDE
70 pages
Syslib-Rm031 - En-P P - Npos
No ratings yet
Syslib-Rm031 - En-P P - Npos
60 pages
Cc-qs033_-En-p - Motion Control PTO Application Building Block - Inicio Rápido
No ratings yet
Cc-qs033_-En-p - Motion Control PTO Application Building Block - Inicio Rápido
94 pages
P ValveSO 2.0 Syslib-Rm015c-En-E
No ratings yet
P ValveSO 2.0 Syslib-Rm015c-En-E
76 pages
Controllogix 5570 Redundancy: User Manual
No ratings yet
Controllogix 5570 Redundancy: User Manual
206 pages
Compact Guardlogix Controllers: User Manual
No ratings yet
Compact Guardlogix Controllers: User Manual
136 pages
User Manual ControlLogix 5580
50% (2)
User Manual ControlLogix 5580
164 pages
proces-rm012_-en-p
No ratings yet
proces-rm012_-en-p
116 pages
Using Controllogix Sil 2 With 1715 I/O: Reference Manual
No ratings yet
Using Controllogix Sil 2 With 1715 I/O: Reference Manual
42 pages
Syslib rm014 - en e
No ratings yet
Syslib rm014 - en e
52 pages
Guardmaster Configurable Safety Relay: User Manual
No ratings yet
Guardmaster Configurable Safety Relay: User Manual
188 pages
Manual Variador POWERFLEX527 PDF
No ratings yet
Manual Variador POWERFLEX527 PDF
178 pages
Controller-Based Temperature Control Application Building Block
No ratings yet
Controller-Based Temperature Control Application Building Block
56 pages
Ecostruxure™ Control Expert: Os Loader User Manual
No ratings yet
Ecostruxure™ Control Expert: Os Loader User Manual
104 pages
520com Um001 - en e
No ratings yet
520com Um001 - en e
164 pages
Guardmaster Configurable Safety Relay: User Manual
No ratings yet
Guardmaster Configurable Safety Relay: User Manual
190 pages
Controlnet Network Configuration: User Manual
No ratings yet
Controlnet Network Configuration: User Manual
91 pages
Cnet gr001 - en e
No ratings yet
Cnet gr001 - en e
98 pages
Motion Um003 en P
No ratings yet
Motion Um003 en P
270 pages
Rockwell Automation Publication LINX GR001Y en E January 2023 Linx Gr001 - en e
No ratings yet
Rockwell Automation Publication LINX GR001Y en E January 2023 Linx Gr001 - en e
67 pages
Syslib rm040 - en P
No ratings yet
Syslib rm040 - en P
68 pages
P LLS
No ratings yet
P LLS
56 pages
Compact GuardLogix 5370 Controllers
No ratings yet
Compact GuardLogix 5370 Controllers
208 pages
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
From Everand
Programming the Intel Galileo: Getting Started with the Arduino -Compatible Development Board
Christopher Rush
5/5 (1)
Programming the Photon: Getting Started with the Internet of Things
From Everand
Programming the Photon: Getting Started with the Internet of Things
Christopher Rush
5/5 (1)
Okonite 1 PDF
No ratings yet
Okonite 1 PDF
15 pages
Ultra3000 To Kinetix 5100 Servo Drive Migratioin Guide
No ratings yet
Ultra3000 To Kinetix 5100 Servo Drive Migratioin Guide
96 pages
Dossier para Construcción de Facilidades (Mecánico)
No ratings yet
Dossier para Construcción de Facilidades (Mecánico)
311 pages
Versatility & Durability: Engineered Liquid Level Solutions
No ratings yet
Versatility & Durability: Engineered Liquid Level Solutions
12 pages
Enhanced GM User Guide
0% (1)
Enhanced GM User Guide
2 pages
ELM327 v2.1
No ratings yet
ELM327 v2.1
94 pages
Samsung Full Codes
100% (4)
Samsung Full Codes
7 pages
Secret Codes For Phone
No ratings yet
Secret Codes For Phone
13 pages
Charmed RPG Player Handbook
75% (4)
Charmed RPG Player Handbook
18 pages
Data Link, Fault Tracing V2
100% (1)
Data Link, Fault Tracing V2
22 pages
Hacking - How To Hack - Ultimate Hacking - Harry Jones
100% (2)
Hacking - How To Hack - Ultimate Hacking - Harry Jones
38 pages
Hidden Secret Service Menu Codes For Sony, Samsung, LG and Philips TV
100% (1)
Hidden Secret Service Menu Codes For Sony, Samsung, LG and Philips TV
8 pages
Hacking The HP DPS-1200FB A PSU
No ratings yet
Hacking The HP DPS-1200FB A PSU
8 pages
Credit Card Numbers
No ratings yet
Credit Card Numbers
4 pages
Make Magazine - Vol 33
100% (3)
Make Magazine - Vol 33
164 pages
What Is Automation
No ratings yet
What Is Automation
95 pages
Logistic Management
No ratings yet
Logistic Management
39 pages
2015 12 SCM Eng
No ratings yet
2015 12 SCM Eng
33 pages
RFP Template - Automation
No ratings yet
RFP Template - Automation
5 pages
Ece Projects: Software Solutions
No ratings yet
Ece Projects: Software Solutions
10 pages
Air Conditioning of Auditoriums - Issue Jan-Mar 2003
No ratings yet
Air Conditioning of Auditoriums - Issue Jan-Mar 2003
12 pages
Automated Agricultural Tractors
No ratings yet
Automated Agricultural Tractors
6 pages
Questions Set 13 Aug 2022
No ratings yet
Questions Set 13 Aug 2022
64 pages
PowerFlex 525 AC Drive Internal Presentation
100% (1)
PowerFlex 525 AC Drive Internal Presentation
70 pages
Proposal of Robot Thesis
No ratings yet
Proposal of Robot Thesis
5 pages
O&M Manual Service Compressed Air System
No ratings yet
O&M Manual Service Compressed Air System
12 pages
RDG200 Sales Presentation en
No ratings yet
RDG200 Sales Presentation en
33 pages
LOGIX5000 Data Access
No ratings yet
LOGIX5000 Data Access
66 pages
Important Topics HVAC
100% (1)
Important Topics HVAC
1 page
Selector Switch Schneider
No ratings yet
Selector Switch Schneider
4 pages
Agriculture Automation System
No ratings yet
Agriculture Automation System
18 pages
GreatLakesPlacementProfiles 2012
No ratings yet
GreatLakesPlacementProfiles 2012
122 pages
VAOW Pitch 22112023
No ratings yet
VAOW Pitch 22112023
27 pages
Thermostat STC-8080A User Manual - 2021 Update
No ratings yet
Thermostat STC-8080A User Manual - 2021 Update
2 pages
Flexible Manufacturing System (FMS)
No ratings yet
Flexible Manufacturing System (FMS)
96 pages
implementing-and-using-journeys
No ratings yet
implementing-and-using-journeys
232 pages
Group-2: Strategy of BHEL To Collaboration With Govt. Organisation and The Possibilities of Success
No ratings yet
Group-2: Strategy of BHEL To Collaboration With Govt. Organisation and The Possibilities of Success
29 pages
Internship Program Logbook: INT/ER-03 REV00
No ratings yet
Internship Program Logbook: INT/ER-03 REV00
9 pages
Wsma Unit-1 Part-1
No ratings yet
Wsma Unit-1 Part-1
14 pages
ISHRAE Mumbai Technical Talk1
No ratings yet
ISHRAE Mumbai Technical Talk1
65 pages