ControlLogix in SIL 2

Applications
ControlLogix 5570 Controllers
with 1756, 1794, or 1715 I/O

Reference Manual Original Instructions

ControlLogix in SIL 2 Applications Reference Manual

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment,
which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

These labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to
potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL
Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

The following icon may appear in the text of this document.

Identifies information that is useful and can help to make a process easier to do or easier to understand.

2 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Table of Contents

Preface
About This Publication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Download Firmware, AOP, EDS, and Other Files . . . . . . . . . . . . . . . . . . . . 9
Summary of Changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 1
SIL Policy Introduction to Safety Integrity Level (SIL) . . . . . . . . . . . . . . . . . . . . . . . . 13
Programming and Debugging Tool (PADT) . . . . . . . . . . . . . . . . . . . . 14
About the ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Gas and Fire Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Boiler and Combustion Considerations . . . . . . . . . . . . . . . . . . . . . . . . 15
Typical SIL 2 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Simplex Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Duplex Logic-Solver Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Duplex System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Proof Testing with Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . 30
Reaction Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Reaction Times in Redundancy Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Safety Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Safety Certifications and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Chapter 2
Features of the ControlLogix Module Fault Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
SIL 2 System Data Echo Communication Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Pulse Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Communication Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
ControlNet Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
EtherNet/IP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Electronic Keying of Modules in SIL 2 Applications. . . . . . . . . . . . . . . . . 37

Chapter 3
ControlLogix Controllers, ControlLogix Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chassis, and Power Supplies Operating Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Requirements for Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ControlLogix Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ControlLogix Power Supplies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Redundant Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Recommendations for Using Power Supplies. . . . . . . . . . . . . . . . . . . 41

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 3

Table of Contents

Chapter 4
ControlLogix Communication Introduction to Communication Modules . . . . . . . . . . . . . . . . . . . . . . . . . 43
Modules ControlNet Modules and Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
ControlNet Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
ControlNet Repeater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
ControlNet Module Diagnostic Coverage . . . . . . . . . . . . . . . . . . . . . . 44
EtherNet/IP Communication Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
DeviceNet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Data Highway Plus - Remote I/O Module (1756-DHRIO) . . . . . . . . . . . . 45
SynchLink Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
General Requirements for Communication Networks . . . . . . . . . . . . . . 45
Peer-to-peer Communication Requirements. . . . . . . . . . . . . . . . . . . . . . . 45
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 5
1756 ControlLogix I/O Modules Using 1756 Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Requirements When Using Any 1756 Digital Input Module . . . . . . 48
Wire 1756 Digital Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Using 1756 Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Requirements When Using 1756 Digital Output Modules . . . . . . . . 49
Wire 1756 Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Using 1756 Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Conduct Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Calibrate Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Use the Floating Point Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Program to Respond to Faults Appropriately . . . . . . . . . . . . . . . . . . . 55
Program to Compare Analog Input Data . . . . . . . . . . . . . . . . . . . . . . . 55
Configure Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Specify the Same Controller as the Owner. . . . . . . . . . . . . . . . . . . . . . 57
Wire 1756 Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Using 1756 HART Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Wire the HART Analog Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . 62
Using 1756 Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Conduct Proof Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Calibrate Outputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Use the Floating Point Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Program to Respond to Faults Appropriately . . . . . . . . . . . . . . . . . . . 63
Configure Outputs to De-energize in ESD Applications . . . . . . . . . 63
Monitor Channel Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Specify the Same Controller as the Owner. . . . . . . . . . . . . . . . . . . . . . 64
Wire ControlLogix Analog Output Modules . . . . . . . . . . . . . . . . . . . . 65
Using 1756 HART Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . 66
Wire the HART Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . 66

4 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Table of Contents

Chapter 6
1794 FLEX I/O Modules Using 1794 Digital Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Requirements for 1794 FLEX I/O Digital Input Modules . . . . . . . . . 69
Wiring 1794 FLEX I/O Digital Input Modules . . . . . . . . . . . . . . . . . . . 70
Using 1794 Digital Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Considerations for 1794 FLEX I/O Digital Output Modules. . . . . . . 71
Wiring 1794 FLEX I/O Digital Output Modules . . . . . . . . . . . . . . . . . 72
Using 1794 Analog Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Considerations When Using FLEX I/O Analog Input Modules . . . 73
Wiring 1794 FLEX I/O Analog Input Modules . . . . . . . . . . . . . . . . . . . 75
Using 1794 Analog Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Requirements for 1794 FLEX I/O Analog Output Modules. . . . . . . . 79
Wiring 1794 FLEX I/O Analog Output Modules . . . . . . . . . . . . . . . . . 81

Chapter 7
1715 Redundant I/O Modules SIL 2 Safety Application Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
1715 I/O Modules in SIL 2 Safety Applications . . . . . . . . . . . . . . . . . . . . . . 85
Typical Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Internal Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Power Supplies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Requirements for Using 1715 I/O Modules . . . . . . . . . . . . . . . . . . . . . . . . . 89
Energize-to-action Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Requirements for ControlLogix-based SIL 2 Applications . . . . . . . . . . . 90
Add-On Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Connection Reaction Time Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Using the 1715 Adapter in SIL 2 Applications . . . . . . . . . . . . . . . . . . . . . . . 90
Reaction to Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Using 1715 I/O Modules in SIL 2 Applications . . . . . . . . . . . . . . . . . . . . . . 91
Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Considerations for Sensor and Actuator Configurations . . . . . . . . . . . . 95
Configure SIL 2 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Enable SIL 2 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Specify the Connection Reaction Time Limit and
Requested Packet Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Set Safe State Values for Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Check SIL 2 Reset Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
View Module Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Diagnostic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configure the SIL 2 Task Period and Watchdog . . . . . . . . . . . . . . . . . . . 101
SIL Task/Program Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring the Output Module Program/Fault Actions . . . . . . . . 102

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 5

Table of Contents

Chapter 8
SIL 2 Add-On Instructions SIL 2 Add-On Instructions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
for 1715 Redundant I/O Modules SIL 2 Check Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Add-On Instruction Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Add-On Instruction Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Download and Import the Add-On Instructions. . . . . . . . . . . . . . . . . . . 110
Import Add-On Instructions to Upgraded Projects. . . . . . . . . . . . . . 111
Create a Periodic Task for SIL 2 Safety Functions . . . . . . . . . . . . . . . . . 112
1715 SIL 2 Periodic Task Period Configuration . . . . . . . . . . . . . . . . . 113
Create a Program for the SIL 2 Period Task . . . . . . . . . . . . . . . . . . . . . . . 114
Create a Routine for the SIL 2 Program. . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configure an Input Module Add-On Instruction . . . . . . . . . . . . . . . . . . 115
Configure an Output Module Add-On Instruction. . . . . . . . . . . . . . . . . 118
Use the Add-On Instruction Data Tags in an Application Program . . 122
Performing a SIL 2 Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Chapter 9
Requirements for Application Software for SIL 2-Related Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Development SIL 2 Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Programming Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Basics of Application Program Development and Testing . . . . . . . . . . 129
Functional Specification Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Sensors (digital or analog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Actuators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Creating the Application Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Logic and Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Program Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Program Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
SIL Task/Program Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Forcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Checking the Application Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Verify Download and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Commissioning Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Changing Your Application Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Chapter 10
Faults in the ControlLogix Detect and React to Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
System Module Fault Reporting for Any ControlLogix 1715
or 1794 FLEX I/O Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Check Keyswitch Position with GSV Instruction . . . . . . . . . . . . . . . . . . 138
Examine a 1756 Analog Input Module’s High Alarm. . . . . . . . . . . . . . . . 139

6 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Table of Contents

Chapter 11
Use of Human-to- Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Machine Interfaces Accessing Safety-related Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Reading Parameters in Safety-related Systems . . . . . . . . . . . . . . . . 141
Changing Safety-related Parameters in SIL-rated Systems . . . . . 142

Appendix A
System Reaction Times 1756 ControlLogix I/O and 1794 FLEX I/O Reaction Times . . . . . . . . . . 143
Local Chassis Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Remote Chassis Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Calculate Worst-case Reaction Time. . . . . . . . . . . . . . . . . . . . . . . . . . 144
1715 Redundant I/O System Reaction Times . . . . . . . . . . . . . . . . . . . . . . 148
System Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Logix System Reaction Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Add-On Instruction Scan Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Safety Reaction Time Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Appendix B
SIL 2-certified ControlLogix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
System Components
Appendix C
PFD and PFH Calculations for About PFD and PFH Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
1756 ControlLogix and Determine Which Values To Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
1794 FLEX I/O Modules About the Calculations in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
1-Year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
2-Year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
5-year PFD Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Use Component Values to Calculate System PFD . . . . . . . . . . . . . . . . . . 180
Example: 1-year PFD Calculation for a ControlLogix System
(1oo1 Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Example: 1-year PFD Calculation for a ControlLogix System
(1oo2 Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Appendix D
PFD and PFH Calculations for About PFD and PFH Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
1715 Redundant I/O Modules Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
I/O Module Common Part and I/O Point Part . . . . . . . . . . . . . . . . . . . . . 182
Module failure rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
1715 Failure Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
PFH and PFD Data—24-Hour MTTR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Communications Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT) . . . 185
System Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Example 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Example 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Example 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 7
Table of Contents

Appendix E
1756 ControlLogix and 1794 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
FLEX I/O Modules in SIL 1
Applications

Appendix F
Checklists Checklist for the ControlLogix System . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Checklist for SIL Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Checklist for SIL Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Checklist for the Creation of an Application Program. . . . . . . . . . . . . . 198
Checklist for 1715 I/O Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201

8 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Preface

About This Publication This safety reference manual describes the ControlLogix® Control System
components that are suitable for use in low demand and high demand (no
more than 10 demands per year) safety-related control, up to and including
SIL 2 applications. The manual also provides safety-related information, such
as PFD calculations, system configurations, programming, and
implementation.

IMPORTANT This manual describes typical SIL 2 implementations that use

ControlLogix equipment. The descriptions in this manual do not
preclude other methods of implementing a SIL 2-compliant system by
using ControlLogix equipment.
Make sure that a certifying body, such as TÜV Rheinland Group, reviews
and approves other methods.

Download Firmware, AOP, Download firmware, associated files (such as AOP, EDS, and DTM), and access
EDS, and Other Files product release notes from the Product Compatibility and Download Center at
rok.auto/pcdc.

Summary of Changes This publication contains the following new or updated information. This list
includes substantive updates only and is not intended to reflect all changes.
Topic Page
Updated screen shots from programming software Throughout
Added and revised abbreviations and term definitions 10
Updated Additional Resources table 11
Added statement about Useful Life 13
Added change management process to system operator responsibilities 16
Changed Fail to Safe to De-energize to Trip 17
Added content about ControlLogix redundancy 26
Moved SIL 2 content from the Redundant I/O System User Manual, publication 1715-UM001, to 83, 105, 148, 158,
this publication 181, 199
Added content to chapter about 1715 redundant I/O modules 83, 84
Added content about keyswitch position and online edits 134
Moved reaction time information for a 1715 redundant I/O system from publication 1715-UM001 to 148
Appendix A
Changed terminology from safety loop to Safety Instrumented Function (SIF) Throughout
Add 1756-OF4/B to list of SIL 2-certified I/O modules 155
Added 1756-IF8/B, 1756-IF16/B, 1756-OF4/B, and 1756-OF8/B to Appendix C 159
Updated checklist for 1715 I/O 199

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 9

Preface

Terminology This table defines abbreviations that are used in this manual.

Abbreviation Full Term Definition

An industrial communication protocol that Logix 5000-based automation systems on EtherNet/IP™, ControlNet®, and
CIP™ Common Industrial Protocol DeviceNet® communication networks uses.
CL Claim Limit The maximum level that can be achieved.
DC Diagnostic Coverage The ratio of the detected failure rate to the total failure rate.
A safe state safety action that the safety function initiates.
— Demand A normal control action/function is not a safety demand. A safety demand occurs when safety conditions are met.
Typically, a safety demand only occurs when standard control fails to perform its control function.
— Demand Rate The expected rate per year that the safety function executes a safe state safety action.
EN European Norm. The official European Standard.
GSV Get System Value A ladder logic instruction that retrieves specified controller information and places it in a destination tag.
MTBF Mean time between failures The predicted elapsed time between inherent failures of a system during operation.
MTTR Mean Time to Restoration Average time that is needed to restore normal operation after a failure has occurred.
Programming and Debugging RSLogix 5000® and Studio 5000 Logix Designer® application is used to program and debug a SIL 2-certified
PADT Tool ControlLogix application.
Probability of a Dangerous
PFD The average probability of a system to fail to perform its design function on demand.
Failure on Demand
Average Frequency of a Average frequency of a dangerous failure of an E/E/PE safety-related system to perform the specified safety function
PFH Dangerous Failure per Hour over a given period of time.
A function to be implemented by a Safety Instrumented System (SIS) which is intended to achieve and maintain a safe
SIF Safety Instrumented Function state with respect to a specific hazardous event. It has a specific safety integrity level necessary to meet functional
safety.
A discrete level for specifying the safety integrity requirements of the safety functions allocated to the electrical/
SIL Safety Integrity Level electronic/ programmable electronic (E/E/PE) part of the safety system.
Instrumented system used to implement one or more safety instrumented functions (SIFs). It is composed by any
SIS Safety Instrumented System combination of sensors, logic solvers, and final elements.
SFF Safe Failure Fraction The ratio of safe failure plus dangerous detected failure to total failures.
STR Spurious Trip Rate That part of the overall failure rate that does not lead to a dangerous undetected failure.
TCE Channel Equivalent Mean The sum of downtime contributions from both the dangerous detected failure rate and the dangerous undetected
Downtime failure rate, on a per channel basis.
TGE The sum of downtimes that result from dangerous detected and dangerous undetected failure rates that are
System Equivalent Downtime associated with both channels.
The useful lifetime is when burn-in failures have been corrected and wear-out failures have not yet begun. It is the flat
— Useful Life part of the safety bathtub curve.

10 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Preface

Additional Resources These documents contain additional information concerning related products
from Rockwell Automation.
Resource Description
ControlLogix SIL 2 System Configuration Using RSLogix 5000 Explains how to configure a SIL 2-certified system by using subroutines that are provided by
Subroutines, publication 1756-AT010 Rockwell Automation.
ControlLogix SIL 2 System Configuration with Add-On Instructions for Explains how to configure a SIL 2-certified system by using the Add-On Instructions that are
1756 I/O Modules, publication 1756-AT012 provided by Rockwell Automation.
Logix 5000 Controllers General Instruction Set Reference Manual, Contains descriptions and use considerations of general instructions available for Logix 5000®
publication 1756-RM003 controllers.
High-Resolution Analog I/O Modules User Manual 1756-UM540 Describes how to install, configure, and troubleshoot ControlLogix analog I/O modules.
ControlLogix System User Manual, publication 1756-UM001 Explains how to use the ControlLogix controllers.
ControlLogix Standard Redundancy System User Manual,
publication 1756-UM523 Explains how to install, configure, and use a standard redundancy system.
ControlLogix 5570 Redundancy User Manual, publication 1756-UM535 Explains how to install, configure, and use an enhanced redundancy system.
Redundant I/O System User Manual, publication 1715-UM001 Describes how to install, configure, program, operate, and troubleshoot a Redundant I/O system.
Using ControlLogix SIL 2 with 1715 I/O, publication 1715-RM001 Provides a quick start guide for using a ControlLogix SIL 2 system with 1715 I/O modules.
ControlLogix Digital I/O User Manual, publication 1756-UM058 Provides information about the use of ControlLogix digital I/O modules.
ControlLogix Analog I/O Modules User Manual, publication 1756-UM009 Provides information about the use of ControlLogix analog I/O modules.
EtherNet/IP Device Level Ring Application Technique, Describes Device Level Ring (DLR) topologies, configuration considerations, and diagnostic
publication ENET-AT007 methods.
Logix 5000 Controllers Execution Time and Memory Use Reference,
publication 1756-RM087 Provides estimated execution times that can be used in worst-case scenario calculations.
Logix 5000 Controllers General Instructions Reference Manual, Provides information on how to use specific instructions to get and set controller system data
publication 1756-RM003 that is stored in device objects
Logix 5000 Controllers Common Procedures Programming Manual,
publication 1756-PM001 Explains various programming-related topics.
Provides guidance on how to conduct security assessments, implement Rockwell Automation
System Security Design Guidelines Reference Manual, SECURE-RM001 products in a secure system, harden the control system, manage user access, and dispose of
equipment.
Industrial Automation Wiring and Grounding Guidelines, publication
1770-4.1 Provides general guidelines for installing a Rockwell Automation industrial system.
Product Certifications website, rok.auto/certifications. Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at rok.auto/literature.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 11

Preface

Notes:

12 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1

SIL Policy

ATTENTION: Personnel responsible for the application of safety-related

programmable electronic systems (PES) shall be aware of the safety
requirements in the application of the system and shall be trained in using
the system.

Introduction to Safety The TÜV Rheinland Group has approved the ControlLogix® system for use in
Integrity Level (SIL) safety-related applications up to and including SIL 2 according to these
standards:
• IEC 61508, edition 2.0
• IEC 61511

Approval requirements are based on the standards current at the time of

certification. These requirements consist of detailed design process
requirements, test requirements, software analysis, and hardware probability
of failure analysis. Further, it is required to have the mean time between
failures (MTBF), probability of failure, failure rates, diagnostic coverage, and
safe failure fractions that fulfill SIL 2 criteria. The results make the
ControlLogix system suitable up to and including SIL 2 for demand rates up to
and including ten demands per year.

The TÜV Rheinland Group has approved the ControlLogix system for use in up
to, and including, SIL 2 safety-related applications in which the de-energized
state is typically considered to be the safe state.

Useful life for the ControlLogix SIL 2 components is 20 years. After that time
period, the products must be replaced.

IMPORTANT Keep in mind that a demand is an event where the safety function is
executed. A ControlLogix system can be configured to execute standard
control and safety functions. The demand rate is determined by how
often the safety function is executed and not how often the control
function is executed.
When used in accordance with the information in this manual and the
relevant safety standards, the ControlLogix system is suitable for
applications up to and including SIL 2, where the demand rate is no
more than 10 times per year.

For a list of SIL 2 certified catalog numbers, see Appendix B.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 13

Chapter 1 SIL Policy

Programming and Debugging Tool (PADT)

For support in the creation of programs, the PADT (Programming and

Debugging Tool) is required. The PADT for ControlLogix is RSLogix 5000®
software or Studio 5000 Logix Designer® application, per IEC 61131-3, and this
Safety Reference Manual.

For more information about programming an SIS with 1756 ControlLogix

I/O modules by using optional pre-developed Add-On Instructions, see the
SIL 2 System Configuration with Add-On Instructions for 1756 ControlLogix
I/O Modules, publication 1756-AT012.

For more information about programming an SIS with 1715 I/O modules by
using pre-developed Add-On instructions, see Chapter 8.

About the ControlLogix System

The ControlLogix system is a modular programmable automation system with

the ability to pre-configure outputs and other responses to fault conditions. A
system can be designed to meet requirements for ‘hold last state’ if there is a
fault. Other requirements for SIL 2, such as inputs from sensors and software,
must also be met.

Gas and Fire Considerations

The following measures and modifications are related to the use of the
ControlLogix system in Gas and Fire applications:
• The use of a manual override is necessary to make sure that the operator
can maintain the desired control if there is a controller failure. This is
similar in concept to the function of the external relay or redundant
outputs that are required to make sure that a de-energized state is
achieved for an ESD system when a failure occurs (for example, a shorted
output driver) that helps prevent this from normally occurring. The
system knows that it has a failure, but the failure state requires an
independent means to maintain control and either remove power or
provide an alternate path to maintain power to the end actuator.
• If the application cannot tolerate an output that can fail shorted
(energized), then an external means such as a relay or other output must
be wired in series to remove power when the fail shorted condition
occurs. See Wire 1756 Digital Input Modules on page 48 for more
information.
• If the application cannot tolerate an output that fails open (de-
energized), then an external means such as a manual override or output
must be wired in parallel. See Figure 1. You must supply alternative
means and develop the application program to initiate the alternate
means to remove or continue to supply power in the event the main
output fails.
• This manual override circuit is shown in Figure 1. It is composed of a
hard-wired set of contacts from a selector switch or push button. One
normally open contact provides for the bypass of power from the
controller output directly to the actuator. The other is a normally closed
contact to remove or isolate the controller output.

14 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

• Generate an application program to monitor the following:

- Diagnostic output modules for dangerous failures, such as shorted or
open-output driver channels
- Output channel for lost connections to the controller
• A diagnostic alarm must be generated to inform the operator that
manual control is required.
• The faulted module must be replaced within the Mean Time to
Restoration (MTTR).
• Anytime a fault is detected, the system must annunciate the fault to an
operator by some means (for example, an alarm light).
Figure 1 - Manual Override Circuit
L1

Manual Override

Actuator

L2 or Ground 43379

Fault

Alarm to Operator

Boiler and Combustion Considerations

If your SIL 2-certified ControlLogix system is used in combustion-related

applications, you are responsible for meeting appropriate safety standards
including National Fire Protection Association (NFPA) standard NFPA 85 and
86. In addition, you must provide a documented lifecycle-system safety
analysis that addresses the requirements of NFPA 85 related to Burner
Management System Logic.

To comply with the requirements of IEC 61508, the safety demand rate must be
no more than 10 demands per year.

You must also consider system reaction capability as explained in Appendix A.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 15

Chapter 1 SIL Policy

If your system requires compliance with standard EN 50156, then you must
also meet the requirements that are identified in the current version of
EN 50156. To use FLEX™ I/O or 1756-series I/O modules in SIL 2 EN50156
applications, you must use a GuardLogix® controller. See the GuardLogix
Safety Reference Manual, publication 1756-RM093.

IMPORTANT When using a GuardLogix controller with SIL 2-rated, standard 1756
ControlLogix I/O modules or 1794 FLEX I/O modules, you must also follow
the requirements that are defined in this manual.

Typical SIL 2 Configurations SIL 2-certified ControlLogix systems can be used in standard (simplex or
single controller) or high availability (duplex or redundant controller)
configurations. For the purposes of documentation, the various levels of
availability that can be achieved by using various ControlLogix system
configurations are referred to as simplex or duplex. When using a duplex
ControlLogix configuration, the ControlLogix controller remains simplex
(1oo1) from a safety perspective. This means only the primary controller is
solving the safety application code at any given time.

This table lists each system configuration and the hardware that is part of the
Safety Instrumented Function (SIF).

System Configuration SIF Includes

• Single controller
Simplex Configuration on page 17 • Single communication module
• Dual I/O modules
• Dual controllers
Duplex Logic-Solver Configurations on page 25 • Dual communication modules
• Dual I/O modules
• Dual controllers
• Dual communication modules
Duplex System Configuration on page 28
• Dual I/O modules
• I/O termination boards

IMPORTANT The system operator is responsible for the following tasks when any of
the ControlLogix SIL 2 system configurations are used:
• The setup, SIL rating, and validation of any sensors or actuators that are
connected to the ControlLogix control system
• Project management and functional testing
• Programming the application software and the module configuration
according to the descriptions in this manual
• Change management process
The design of the SIS maintenance/engineering interface must make
sure that any failure of this interface does not adversely affect the
ability of the SIS to carry out the required SIFs. This can require that you
disconnect maintenance and engineering interfaces, such as
programming panels, during normal SIS operation.

16 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Simplex Configuration

In a simplex configuration, the hardware that is used in the SIF is

programmed to De-energize to Trip. This state is typically an emergency
shutdown (ESD) where outputs are de-energized upon a safety demand.

Figures 2 …9 show typical simplex SIL loops for limited high demand
applications with up to 10 demands per year. The figures show the following:
• Overall SIF
• ControlLogix portion of the overall SIF

SIL 2 I/O modules in the SIF must meet the requirements that are specified in
Chapter 5, Chapter 6, and Chapter 7. Chassis can have modules within a SIL 2
certified ControlLogix SIS that are not participating in any safety functions, if
these modules are listed in the SIL 2-certified ControlLogix System
Components on page 153.

Table 1 defines the module abbreviations that are used in the graphics in this
section.

Table 1 - Legend for the Module Abbreviations

Item Description
DIAGO Diagnostic Output Module
IN Input Module
ISOLO Isolated Output Module
MONIN Monitoring Input Module
Out Non-Diagnostic Output Module
RLY Relay Module
RM ControlLogix Redundancy Module

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 17

Chapter 1 SIL Policy

Figure 2 - Single Chassis Configuration

Overall SIF SIL 2-Certified ControlLogix SIF
Controller Chassis

Logix5570 EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC

DC
DCOUTPUT
OUTPUT
OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC

Sensor
I I O M O Actuator

N N U O U
E T N T
N
2 1 1 2 I 2
T A B A N B

Non-isolated digital output modules

Standard Communication

1756 SIL 2 I/O module pairs can be in the same chassis because only SIL 2
capable hardware is within the controller chassis. The number on the label
indicates a module pair in a 1oo2 configuration; Module A and Module B. For
example, Input 1A and Input 1B are a 1oo2 duplex module pair. For more
information on how to wire field devices, see Figure 6 on page 22.

18 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Figure 3 - Fail-safe ControlLogix EtherNet/IP™ Device Level Ring (DLR) Configuration

Overall SIF

SIL 2-certified ControlLogix® SIF

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

Sensor I I D O Actuator
N N I U
E EE E A
N N T
N N G
2 22 2 O
T TT 1 1 2
T A B 2 B
RR R A

Remote I/O Chassis

Standard
Communication
EtherNet/IP™ DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST 0 11
1 22
2 33
3 44
4 55
5 66
6 77
7O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 00 O
O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST 8 99
9 10
101112131415 K
1112131415 KK ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K
ST 88 10 1112131415

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M O
N N U O U
E T N T
N
2 3 3 4 I 4
EtherNet/IP T A B A N B
R

1756 SIL 2 I/O module pairs can be in the same chassis because non-SIL 2 hardware is on a
separate network. For more information on how to wire field devices, see Figure 6 on page 22.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 19

Chapter 1 SIL Policy

Figure 4 - Fail-safe ControlLogix ControlNet® Configuration (Safety and Standard Connections on the Same Network)

Overall SIF
SIL 2-certified ControlLogix SIF

Controller Chassis Remote I/O Chassis

Logix5570 DC OUTPUT
DC INTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O M
C C C N U O
N N N T N
2 2 2
R R 1 2 I
A A N

ControlNet

Standard Communication
Remote I/O Chassis
DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

ControlNet I O
N U
C
N T
2
1 2
B B

Dual networks are required because one of the two networks includes non-SIL 2 hardware.
The 1756 SIL 2 I/O module pairs must be split over two networks. For more information on
how to wire field devices, see Figure 6 on page 22.

20 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

In Figure 5, non-SIL 2 communication on separate subnets lets you place

redundant channel I/O in the same rack.

Figure 5 - Fail-safe ControlLogix ControlNet Configuration with Non-SIL 2 Communication (Safety and Standard Connections on Separate Networks)

Overall SIF SIL 2-certified ControlLogix SIF

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O

ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST

ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I D O
N N I U
E C C A
N T
N N G
2 2 2 O
1 1 2
T A B 2 B
A
Standard Communication
ControlNet

Remote I/O Chassis

DC INTPUT DC INTPUT DC OUTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST
ST
ST 88899910
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M O
N N U O U
C
N T N T
2
3 3 4 I 4
A B A N B

ControlNet

1756 SIL 2 I/O module pairs can be in the same chassis because the non-SIL 2
hardware is on a separate network. For more information on how to wire field
devices, see Figure 6 on page 22.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 21

Chapter 1 SIL Policy

Figure 6 - Fail-safe ControlLogix EtherNet/IP Configuration: Single DLR Loop for Safety and Standard Communication

Overall SIF SIL 2-certified ControlLogix SIF

Controller Chassis Remote I/O Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT EtherNet/IP™ DC INTPUT DC
DCOUTPUT
OUTPUT
DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST
ST 00 11 22 33 44 55 66 77OO ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST
ST
ST 888999
10
10
10
11121314
11121314
11121314
15
15KKK
15 ST
ST 88 9910
1011121314 15KK
1112131415 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I O O
N U U
E EE E T T
N N
N N
2 22 2
TT 1 2 3
T T
R R A A A
R R

Standard EtherNet/IP +V
Communication DLR
Relay +V

Input Device

DC INTPUT DC INTPUT DC OUTPUT DC

DCOUTPUT
OUTPUT DC INTPUT EtherNet/IP™

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST 00
ST 0 11
1 22
2 33
3 44
4 55
5 66
6 77
7O ST
ST 00 11 22 33 44 55 66 77OO ST 0 1 2 3 4 5 6 7 O
O
O
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST 8 99
ST 88 9 10
1011121314
10 1112131415
11121314 15
K
15 KK ST
ST 88 9910
1011121314 15KK
1112131415 ST 8 9 10 11121314 15 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC

I I O M
N S U O EtherNet/IP
Remote I/O Chassis O T N E
L N
1 O 3 I 2
B 2 B N T
B R

Actuator

Actuator
Standard
Communication DLR

DLR mixes SIL 2 and non-SIL 2 hardware. Independent paths are required to the SIL 2 I/O module pairs. The
1756 adapters and I/O module pairs can be placed into one chassis or split among two. Splitting them over
two chassis is shown.

For more information on SIL 2 requirements, see IMPORTANT on page 23.

Unused channels on a SIL 2 input module pair can be used as the monitoring input. There is no need for the
monitoring input to be wired to both input modules in a SIL 2 module pair.  A separate monitoring input
module is not required.

22 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Figure 7 - Fail-safe ControlLogix EtherNet/IP Configuration with FLEX™ I/O Modules: Single DLR Loop for Safety and Standard Communication

Overall SIF
SIL 2-certified ControlLogix SIF

Controller Chassis
Logix5570 EtherNet/IP™ EtherNet/IP™
EtherNet/IP™
EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K

DIAGNOSTIC

E EE
N N
N
2 22
T TT 1794-AENTR
R RR MOD IN 1A OUT 2A OUT 3A
Standard LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

Communication
DLR +V
EtherNet/IP

Input Relay +V
Device

1794-AENTR
1794-IOW8

MOD IN 1B RLY OUT 2B OUT 3B MON IN

LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

Standard EtherNet/IP
Communication
DLR
Actuator Actuator

DLR mixes SIL 2 and non-SIL2 hardware. Independent paths are required to the SIL 2 I/O
module pairs. FLEX SIL 2 I/O module pairs must always be split over different nodes.

Unused channels on a SIL 2 input module pair can be used as the monitoring input. There is
no need for the monitoring input to be wired to both input modules in a SIL 2 module pair. A
separate monitoring input module is not required.

IMPORTANT As shown in Figure 6 and Figure 7, standard devices can reside within an EtherNet/IP™ SIL 2 subnet provided the
following requirements are met:
• The EtherNet/IP™ subnet topology must be DLR.
• The ControlLogix chassis must have two 1756-EN2TR modules.
• Independent connection paths must be established for channels A and B I/O through each ControlLogix chassis bridge.
• Channel A and Channel B I/O must reside in separate chassis or connected to separate adapters.
• Direct Internet connectivity must be limited to EtherNet/IP bridges listed in Appendix B of this manual.
Direct Internet connections via other standard devices are not allowed.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 23

Chapter 1 SIL Policy

Figure 8 - Fail-safe ControlLogix Configuration with FLEX I/O Modules on the ControlNet Network

HMI
Programming Software
For Diagnostics and Visualization
For SIL applications, a programming
(see special instructions in Chapter 11 for writing
terminal is not normally connected.
to safety-related controllers in the SIF).

Plant-wide Ethernet/Serial
Overall SIF

SIL 2-certified ControlLogix components’ portion of the overall SIF.

Logix5570 EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K

1794-ACN15 IN 1A OUT 2A MON IN

DIAGNOSTIC

E
N C
B N
T 2
R
To other safety-related ControlLogix or FLEX
ControlNet
I/O remote I/O chassis.

1794-IOW8

1794-ACN15 IN 1B OUT 2B

ControlNet

To other safety-related ControlLogix or FLEX I/O remote I/O chassis.

Non-SIL 2 hardware is on separate networks. FLEX I/O module pairs must always be split over
different nodes. For more information on how to wire field devices, see Figure 7 on page 23

24 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Figure 9 - Fail-safe ControlLogix Configuration with FLEX I/O Modules the EtherNet/IP Network

HMI
Programming Software
For Diagnostics and Visualization
For SIL applications, a programming
(see special instructions in Chapter 11 for writing
terminal is not normally connected.
to safety-related controllers in the SIF).

Plant-wide Ethernet/Serial

Overall SIF

SIL 2-certified ControlLogix components’ portion of the overall SIF.

Logix5570 EtherNet/IP™ EtherNet/IP™

EtherNet/IP™
EtherNet/IP™ DC OUTPUT

ST 0 1 2 3 4 5 6 7 O
1794 FLEX I/O
ST 8 9 10 1112131415 K

DIAGNOSTIC

1794-AENTR IN 1A OUT 2A MON IN

MOD

E EE LINK 1 LINK 2
REDUNDANY MEDIA

N N
ADAPTER

N
1794-AENTR

B 22
T TT
RR

EtherNet/IP

1794-AENTR
1794-IOW8

MOD IN 1B OUT 2B
LINK 1 LINK 2
REDUNDANY MEDIA
ADAPTER
1794-AENTR

EtherNet/IP

Non-SIL 2 hardware is on separate networks. FLEX I/O module pairs must always be split over
different nodes. For more information on how to wire field devices, see Figure 7 on page 23.

Duplex Logic-Solver Configurations

In duplex configurations, redundant system components are used to increase

the availability of the control system. The modules in the redundant controller
chassis include the following:
• ControlLogix controllers
• Redundancy modules
• Network communication modules for redundant communication

A ControlLogix redundancy system uses an identical pair of ControlLogix

chassis to keep your process running if a problem occurs with one of the
chassis. When a failure occurs in the primary chassis, control switches to the
secondary controller in the secondary chassis.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 25

Chapter 1 SIL Policy

IMPORTANT If there is a redundancy switchover, we recommend that you always

investigate the cause of the switchover.

IMPORTANT When programming your redundant system, program so that your

redundancy system status is continuously monitored and displayed on
your HMI device.
If your redundancy system becomes disqualified or a switchover
occurs, the change in status is not automatically annunciated. You must
program the system to communicate the change of status via your HMI
or other status monitoring device.

There are different versions for redundant and non-redundant firmware. Only
certain versions are certified for use in a SIL 2 system. See the revision release
list from these product certifications:
• 1715 Redundant I/O System - Safety Certificate, publication 1715-CT007
• ControlLogix Safety Certificate, publication LOGIX-CT007

Figure 10 shows a typical duplex SIL loop. The figure also shows the following:
• Overall SIF
• ControlLogix portion of the overall SIF
• How other devices, such as HMI, connect to the loop while operating
outside of the loop

26 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Figure 10 - Typical SIL Loop with Controller Chassis Redundancy

Programming Software HMI

For SIL applications, a For Diagnostics and Visualization
programming terminal is not (see special instructions in Chapter 11
normally connected. for writing to safety-related
controllers in the SIF).

Plant-wide Ethernet/Serial

SIL 2-certified ControlLogix components’ portion of the overall SIF.

Overall
Safety
Primary Chassis Remote I/O Chassis Ch A
Loop
Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC INTPUT DC OUTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K
ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST
ST
ST 888999
10
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I D O
N N I U
E C C R A C
N N N T
M G N
2 2 2 O 2
T 1 1 2
A B 2 B
A
ControlNet ControlNet

Secondary Chassis Remote I/O Chassis Ch B

Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT DC INTPUT DC
DC
DCOUTPUT
OUTPUT
OUTPUT DC INTPUT DC OUTPUT DC INTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST
ST
ST 000111222333444555666777OOO ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K ST
ST
ST 888999
10
10
10
1112131415
1112131415KKK
1112131415 ST 8 9 10 11121314 15 K ST 8 9 10 1112131415 K ST 8 9 10 11121314 15 K ST 8 9 10 11121314 15 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC
DIAGNOSTIC
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

O M O I I
U O U N N
E C C R C
T N T
N N N M N
2 2 2 2
3 I 3 4 4
T N
A B A B

ControlNet ControlNet

To other safety-related ControlLogix and remote I/O chassis.

To nonsafety-related systems outside the ControlLogix

ControlNet portion of the SIL 2-certified loop.

1756 SIL 2 I/O module pairs can be in the same chassis because non-SIL 2
hardware is on separate networks. SIL 2 I/O modules in the SIF must meet the
requirements that are specified in Chapter 5.

For more information on how to wire field devices, see Figure 6 on page 22.

IMPORTANT The redundant (duplex) ControlLogix system in Figure 10 provides logic

solver fault tolerance. It remains 1oo1 (simplex) from a safety
perspective.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 27

Chapter 1 SIL Policy

Duplex System Configuration

This configuration of the ControlLogix system uses fully redundant

controllers, communication modules, and remote I/O devices to achieve
enhanced availability.

Figure 11 - Duplex System EtherNet/IP Configuration

Overall SIF

SIL 2-certified ControlLogix SIF

ControlLogix Primary Chassis ControlLogix Secondary Chassis
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT EtherNet/IP™
Logix5570 EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

PRI COM OK
DIAGNOSTIC DIAGNOSTIC PRI COM OK
DIAGNOSTIC DIAGNOSTIC

E E R E E R
N N M N N M
2 2 2 2
T T T T
R R R R

EtherNet/IP non-SIL 2 EtherNet/IP connections non-SIL 2 EtherNet/IP connections

I/O Chassis A I/O Chassis B

EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT EtherNet/IP™ DC INTPUT DC OUTPUT DC INTPUT DC INTPUT
DC OUTPUT DC OUTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I O I I O I
B B F B B F
E 3 1 1 E 3 1 1
N 2 6 6 N 6 6
2
2 D 3 2 D 3
1 1
T 2 A T 2 B
A B
R A R B

Analog Input Termination Board Digital Input Termination Board Digital Output Termination Board

Field Device Field Device Field Device

For more information about this SIL 2 application solution, see the SIL 2
System Configuration with Add-On Instructions for 1756 ControlLogix I/O
Modules, publication 1756-AT012. This publication explains how to configure a
SIL 2-certified system by using Add-On Instructions and hardware
termination boards with 1756 I/O modules.

28 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Figure 12 - Duplex System ControlNet Configuration

Overall SIF

SIL 2-certified ControlLogix SIF

Primary ControlLogix Chassis Secondary ControlLogix Chassis

Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT
Logix5570 EtherNet/IP™ EtherNet/IP™ DC OUTPUT DC INTPUT

ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K
PRI COM OK
DIAGNOSTIC DIAGNOSTIC PRI COM OK
DIAGNOSTIC DIAGNOSTIC

C E R E R
N C
N M
N N M
2 2 2
T 2
R R T
R R

ControlNet Non-SIL 2 EtherNet/IP Connections Non-SIL 2 EtherNet/IP Connections

I/O Chassis A I/O Chassis B

DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT
DC INTPUT DC OUTPUT DC INTPUT DC OUTPUT DC OUTPUT DC INTPUT
ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O ST 0 1 2 3 4 5 6 7 O
ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K ST 8 9 10 1112131415 K

DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

DIAGNOSTIC DIAGNOSTIC

O
DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC DIAGNOSTIC

I I I O I
B B F B B F
C 3 1 1 3 1 1
C
N 2 6 6 2 6 6
N
2 1 D 3 2 1 D 3
R A 2 A R B 2 B
A B

Analog Input Digital Input Digital Output

Termination Board Termination Board Termination Board

Field Device Field Device Field Device

The duplex system configuration uses the safety and programming principles
that are described in this manual and the programming and hardware that are
described in the application technique manuals.

For more information on the ControlLogix SIL 2-certified system, including

termination boards and Add-On Instructions, see the SIL 2 System
Configuration with Add-On Instructions for 1756 ControlLogix I/O Modules,
publication 1756-AT012.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 29

Chapter 1 SIL Policy

Proof Tests IEC 61508 requires that you perform various proof tests of the equipment that
is used in the system. Periodic proof tests must be conducted by using a
written procedure to reveal undetected faults that prevent the SIS from
operating in accordance with the SRS. Proof tests are performed at user-
defined times. For example, proof test intervals can be once a year, once every
2 years, or whatever time frame is appropriate based on the SIL verification
calculation. Proof tests can include the following:
• Test all safety application-fault routines to verify that process parameters
are monitored properly and the system reacts properly when a fault
condition arises.
• Test all digital input or output channels to verify that they are not stuck
in the ON or OFF state.
- Manually cycle inputs to make sure that all inputs are operational and
not stuck in the ON state.
- Manually test outputs that do not support runtime pulse testing.
- You can automatically perform proof tests by switching supply
common open on input modules and check to make sure that all input
points go to zero (turn OFF.).
• The relays in the redundant power supplies must be tested to make sure
that they are not stuck in the closed state.
• Calibrate the analog input and output modules to verify that accurate
data is obtained from and used on the modules.

IMPORTANT Each specific SIF has its own time frame for the proof test interval.

Proof Testing with Redundancy Systems

If you use ControlLogix Redundancy for your SIS, you must perform
switchover tests as part of the proof test strategy.

If you are concerned about the availability of the secondary controller if the
primary controller fails, it is good engineering practice to implement a switchover
periodically (for example, once per proof test interval).

For more information on switchovers and ControlLogix redundancy systems,

see the ControlLogix 5570 Redundancy User Manual, publication 1756-UM535.

30 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 1 SIL Policy

Reaction Times The response time of the system is the amount of time that it takes for a
change in an input condition to be recognized and processed by the
controller’s logic program, and then to initiate the appropriate output signal to
an actuator.

The system response time is the sum of the following:

• Input hardware delays
• Input filtering
• I/O and communication module RPI settings
• Controller program scan times
• Output module propagation delays
• Redundancy system switchover times (applicable in duplex systems)

Each of the times that are listed is variably dependent on factors such as the
type of I/O module and instructions that are used in the logic program. For
examples of how to perform these calculations, see Appendix A, System
Reaction Times.

For more information on the available instructions and for a full description of
logic operation and execution, see the following publications:
• Logix 5000 Controllers General Instruction Set Reference Manual,
publication 1756-RM003
• ControlLogix System User Manual, publication 1756-UM001

Reaction Times in The worst-case reaction time of a duplex system is different than a simplex
Redundancy Systems system. The redundancy system has a longer reaction time.

There are a series of crossloading operations that continuously occur between

the primary and secondary controllers. Crossloading fresh data at the end of
each program scan increases scan time.

To minimize scan time by reducing crossloading overhead, you can plan your
project more efficiently. For example, minimize the use of SINT, INT, and
single tags and use arrays and user-defined data structures. Generally, the
primary controller in a duplex system has a 20% slower response time than the
controller in a simplex system.

For more information about switchover times in redundancy systems, see the
ControlLogix 5570 Redundancy User Manual, publication 1756-UM535.

IMPORTANT To avoid spurious trips, you must account for the additional cross-
checking time of a duplex system when setting the watchdog time.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 31

Chapter 1 SIL Policy

Safety Watchdog Configure the properties of the SIL 2 safety task correctly for your application.
• Priority: must be the highest-priority task in the application (lowest
number)
• Watchdog: the value that is entered for the SIL 2 safety task must be large
enough for all logic in the task to be scanned

If the task execution time exceeds the watchdog time, a major fault occurs on
the controller. You must monitor the watchdog and program the system
outputs to transition to the safe state (typically the OFF state) if there is a
major fault occurring on the controller. For more information on faults, see
Chapter 10, Faults in the ControlLogix System.

For more information about setting the watchdog, see the ControlLogix
System User Manual, publication 1756-UM001.

Safety Certifications and Diagnostic hardware and firmware functions, and how you apply
Compliance ControlLogix components, enable the system to achieve CL SIL 2 compliance.

IMPORTANT You must implement these requirements, or at a minimum the intent of

the requirements that are defined in this manual, to achieve CL (claim
limit) SIL 2.

ControlLogix products that are referenced in this manual can have safety
certifications and the SIL certification. If a product has achieved agency
certification, the product label is not necessarily marked as certified. To view
safety certifications for products, see ControlLogix Safety Certificate,
publication LOGIX-CT007.

32 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 2

Features of the ControlLogix SIL 2 System

The diagnostic methods and techniques that are used in the ControlLogix®
platform let you configure and program ControlLogix controllers to perform
checks on the total system. The checks include configuration, wiring, and
performance, monitoring input sensors and output devices. Timestamping of
I/O and diagnostic data also aid in diagnostics.

Examples of these methods and techniques include the following:

• If an anomaly (other than automatic shutdown) is detected, the system
can be programmed to initiate user-defined fault handling routines.
• Output modules can turn OFF selected outputs if there is a failure.
• Diagnostic I/O modules self-test to make sure that field wiring is
functioning.
• Output modules use pulse testing to make sure that output switching
devices are not shorted.

Module Fault Reporting Every module in the system is owned by one controller. Multiple controllers
can produce consume tag data. Listen Only connections are not supported in
the context of this manual. When a controller owns an I/O module, the
controller stores the module’s configuration data, which you define. This data
dictates how the module behaves in the system. Inherent in this configuration
and ownership is the establishment of a heartbeat between the controller and
module, which is known as the requested packet interval (RPI).

The RPI defines a time interval in which the controller and I/O module must
communicate with each other. If communication cannot be established or
maintained, for example, the I/O module has failed, the communication path
is unavailable, the system can be programmed to run specialized routines.
These specialized routines can determine whether the system can continue
functioning or whether the fault condition warrants a system shutdown
through the application logic. For example, the system can be programmed to
retrieve the fault code of the failed module. It can also make a determination,
which is based on the type of fault, whether to continue operating.

The controller can monitor the health of I/O modules in the system. The
controller can take appropriate action that is based on the severity of a fault
condition and gives you complete control of the application. It is your
responsibility to establish the course of action appropriate to your safety
application.

For more information on Fault Handling, see Chapter 10, Faults in the
ControlLogix System on page 137.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 33

Chapter 2 Features of the ControlLogix SIL 2 System

Data Echo
Communication Check IMPORTANT This section applies to only 1756 and 1794 I/O modules. For
1715 I/O module requirements, see Chapter 7.

Output data echo allows you to verify that the correct output module received
the ON/OFF command from the controller was received and that the module
attempts to execute the command to the field device.

During normal operation, when a controller sends an output command, the

output module that receives the command echoes the output command back
to the controller upon its receipt. This verifies that the module has received the
command and tries to execute it. By comparing the requested state from the
controller to the data echo received from the module, you can validate that the
signal has reached the correct module. You can also verify that the module
attempts to activate the appropriate field-side device. The echo data is
technically input data from the output module and is located with the other
output module data. For example, an output module at local slot 3 has Local:3:O
and Local:3:I, where 3:O are outputs and 3:I are inputs. Again, it is your
responsibility to establish the course of action appropriate for your safety
application.

When used with standard ControlLogix output modules, the data echo
validates the integrity of communication up to the system-side of the module,
but not to the field-side. When you use this feature with diagnostic output
modules, you can verify the integrity from the controller to the output terminal
on the module.

Diagnostic output modules contain circuitry that performs field-side output

verification. Field-side output verification informs you that commands that
are received by the module are accurately represented on the power side of the
module’s switching devices. In other words, for each output point, this feature
confirms that the output is ON when it is commanded to be ON or OFF when
commanded to be OFF.

When using non-diagnostic output modules, you must verify the ON and OFF
state. This verification must be accomplished by monitoring the output
command from the non-diagnostic output module in an input module or
validation by alternative methods. Approve all methods according to IEC
61508. A separate input module is required for a non-diagnostic output
module.

34 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 2 Features of the ControlLogix SIL 2 System

Figure 13 - Output Module Behavior in the ControlLogix System

Output Commands from Controller

Standard ControlLogix I/O

Information Data Echo validation from System-side

Field-side Output Verification, Pulse Test

Additional Field-Side Information Status Plus No Load Detection
Provided by Diagnostic Output
Modules

Actuator

Pulse Test
IMPORTANT This section applies to only 1756 and 1794 I/O modules. For
1715 I/O module requirements, see Chapter 7.

Discrete diagnostic output modules contain a feature that is called a pulse test.
A pulse test can verify the output circuit functionality without actually
changing the state of the actuator that is connected to the output. A short-
duration pulse is directed to a particular output on the module. The output
circuitry momentarily changes its state long enough to verify that it can
change state on demand. The test pulse is fast (milliseconds), and typically
does not affect actuators. Some actuators can have electronic front ends and
can detect these fast pulses. You can disable pulse testing, if necessary.

Software The location, ownership, and configuration of I/O modules and controllers is
performed by using RSLogix 5000® software or the Studio 5000 Logix
Designer® application. Use the software to create, test, and debug application
logic.

When using the programming software, you must remember these points:
• When SIS is in operation:
- Disconnect the programming terminal.
- Set the keyswitch to the RUN position.
- Remove the controller key from the keyswitch.
• Authorized personnel can change an application program, but only by
using one of the processes that are described in Changing Your
Application Program on page 134.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 35

Chapter 2 Features of the ControlLogix SIL 2 System

Communication Several communication options are available for connecting with the
ControlLogix SIL 2 system and for the exchange of data within the SIL 2
system.

Communication Ports

A built-in serial port is available on 1756-L6x controllers for download or

visualization purposes only. Do not use the serial port for any exchange of
safety-related data.

A built-in USB port is available for program upload and download on 1756-L7x
controllers.

ATTENTION: The USB port is intended for temporary local-programming

purposes only and not intended for permanent connection.

WARNING: Do not use the USB port in hazardous locations.

For information on how to make communication connections, see the

ControlLogix System User Manual, publication 1756-UM001.

ControlNet Network

The ControlNet® network can be used to do the following:

• Provide communication between the controller and remote I/O chassis.
• Form the basis for communication in duplex (redundant)
configurations.

To schedule the ControlLogix ControlNet network, use RSNetWorx™ for

ControlNet software.

IMPORTANT In SIL 2 applications, all I/O and produce/consume tags that are
associated with safety data must use scheduled connections on the
ControlNet network.

For more information about ControlNet networks, refer to the ControlNet

Network Configuration Guide, publication CNET-UM001.

IMPORTANT 1715 I/O modules support only EtherNet/IP communication.

36 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 2 Features of the ControlLogix SIL 2 System

EtherNet/IP Network

An EtherNet/IP™ connection can be used to do the following:

• Download, monitor, and visualize the controller.
• Connect to remote I/O chassis.

EtherNet/IP networks support messaging, produced/consumed tags, and

distributed I/O.

See EtherNet/IP Communication Modules on page 45 for details on how to use

EtherNet/IP modules in SIL 2 applications.

Electronic Keying of Modules If a module in your SIL 2-certified ControlLogix system is replaced, Exact
in SIL 2 Applications Match keying is recommended.

Exact Match keying requires all keying attributes of the physical module and
the module that is created in the software to match precisely before
establishing communication. The keying attributes are Vendor, Product Type,
Product Code (catalog number), Major Revision, and Minor Revision.

If any attribute does not match precisely, I/O communication is not permitted
with the module or with modules that are connected through it, such as
communication modules.

Compatible Keying can be used in a SIL 2 safety function, but you are
responsible for reverifying safety functions after replacing SIL 2 modules.

For more information about electronic keying, see the ControlLogix Digital
I/O Modules User Manual, publication 1756-UM058.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 37

Chapter 2 Features of the ControlLogix SIL 2 System

Notes:

38 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 3

ControlLogix Controllers, Chassis,

and Power Supplies

ControlLogix Controllers The SIL 2-certified ControlLogix® system is a user-programmed, solid-state

control system. Examples of specific functions include the following:
• I/O control
• Logic
• Timing
• Counting
• Report generation
• Communication
• Arithmetic
• Data file manipulation

The ControlLogix controller has a central processor, I/O interface, and

memory.

Operating Modes
The controller performs power-up and runtime functional tests. The tests are
used with user-supplied application programs to verify proper controller
operation.

A three-position keyswitch on the front of the controller governs ControlLogix

system operational modes. The following modes are available:
• Run
• Program
• Remote - This software-enabled mode can be Program or Run.
Figure 14 - Keyswitch in Run Mode
Logix557x

RUN FORCE SD OK

REM PR
RUN OG

1756-L7x

When a SIL 2-certified ControlLogix application is operating in the Run mode,

the controller keyswitch must be in the RUN position and the key removed.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 39

Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Requirements for Use

Consider these requirements for a SIL 2-certified ControlLogix controller:
• All components, such as input and output modules, must be owned by a
single controller that controls their safety function.
• When installing a ControlLogix controller, refer to the user manual listed
in Additional Resources on page 11.
• There are currently separate firmware revisions for standard and
redundant controllers and these revisions must not be interchanged. For
more information, see Appendix and the Revision Release List available
at https://ab.rockwellautomation.com from the Product Certifications
link.

For more information on the ControlLogix controllers, see the publications in

Additional Resources on page 11.

ControlLogix Chassis The ControlLogix 1756-Axx chassis provide the physical connections between
controllers, communications modules, and/or the I/O modules. The chassis is
passive and is not relevant to the safety discussion because any physical failure
would be unlikely under normal environmental conditions and would be
manifested and detected as a failure within one or more of the active
components.

When installing a ControlLogix chassis, see the ControlLogix Chassis

Installation Instructions, publication 1756-IN621.

ControlLogix Power Supplies ControlLogix power supplies are certified for use in SIL 2 applications. No
extra configuration or wiring is required for SIL 2 operation of the
ControlLogix power supplies. If an anomaly occurs in the supplied voltages,
the power supply immediately shuts down. For this reason, the power supply is
not part of the safety calculation.

All ControlLogix power supplies are designed to perform these tasks:

• Detect anomalies.
• Provide the controllers with enough stored power to allow for an orderly
and deterministic shutdown of the system, including the controller and
I/O modules.

IMPORTANT If you are using any of the 1756-Px75 (non-redundant) power supplies
with a 1756-L7x/B controller, you must use the Series B version of the
power supply, which are the 1756-Px75/B power supplies.

Redundant Power Supplies

ControlLogix redundant power supplies can be used in SIL 2-certified
applications. In a redundant power supply configuration, two power supplies
are connected to the same chassis.

The power supplies share the current load that the chassis requires and an
internal solid-state relay that can annunciate a fault. Upon detection of a
failure in one supply, the other redundant power supply automatically
assumes the full current load that the chassis requires without disruption to
installed devices.

The 1756-PSCA and 1756-PSCA2 redundant power-supply chassis adapters

connect the redundant power supply to the chassis.

40 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Recommendations for Using Power Supplies

When using SIL 2-certified ControlLogix power supplies:
• Follow the information that is provided in the installation instructions.
• Wire the solid-state fault relay on each power supply from an appropriate
voltage source to an input point in the ControlLogix system so that the
application program can detect faults and react appropriately based on
the application requirements.

For more information about how to install ControlLogix chassis and power
supplies, see the publications that are listed in Additional Resources on
page 11.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 41

Chapter 3 ControlLogix Controllers, Chassis, and Power Supplies

Notes:

42 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 4

ControlLogix Communication Modules

Introduction to The communication modules in a SIL 2-certified ControlLogix® system

Communication Modules provide communication bridges from a ControlLogix chassis to other chassis
or devices via the ControlNet® and EtherNet/IP™ networks. The following table
lists the communication modules that are available.

Network SIL 2 Modules(1)

• 1756-CNB
• 1756-CN2R
ControlNet • 1756-CNBR
• 1756-CN2RXT
• 1756-CN2
• 1756-ENBT, series A(2)
• 1756-EN2TR, series B
• 1756-EN2T, series C
• 1756-EN2TR, series C
EtherNet/IP • 1756-EN2T, series D(2) • 1756-EN2TRXT, series C
• 1756-EN2TXT, series C
• 1756-EN3TR, series B(2)
• 1756-EN2TXT, series D(2)
DeviceNet®(2) 1756-DNB
Data Highway Plus™ – Remote I/O(2) 1756-DHRIO
SynchLink™(2) 1756-SYNCH
(1) Some catalog numbers have a K suffix. The suffix indicates a version of the product that has conformal coating. These K
versions have the same SIL 2 certification as the non-K versions. For more information on which products have conformal
coating go to:http://ab.com.rockwellautomation.com/
(2) Not for use in safety functions.

ControlLogix communication modules can be used in peer-to-peer

communication between ControlLogix devices. The communication modules
can also be used for expansion of I/O to additional ControlLogix remote I/O
chassis.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 43

Chapter 4 ControlLogix Communication Modules

ControlNet Modules and ControlNet modules provide communication between any nodes that are
Components properly scheduled on the ControlNet network.

IMPORTANT In SIL 2 applications, all I/O and produce/consume tags that are
associated with safety data must use scheduled connections on the
ControlNet network.

ControlNet Cabling

For remote racks, one RG6 coax cable is required for ControlNet
communication. Although it is not a requirement to use redundant media with
the 1756-CNBR or 1756-CN2R modules, it does provide higher system
reliability. Redundant media is not required for SIL 2 operation.

ControlNet Repeater

The following ControlNet repeater modules are approved for use in safety
applications up to and including SIL 2:
• 1786-RPCD, ControlNet Hub Repeater Module
• 1786-RPFS, Short-distance Fiber Repeater Module
• 1786-RPFM, Medium-distance Fiber Repeater Module
• 1786-RPFRL, Long-distance Fiber Repeater Module
• 1786-RPFRXL, Extra-long-distance Fiber Repeater Module

Use of the 1786-RPA adapter is required with the repeater modules listed.

Table 2 - For More Information about Repeater Modules

Topic Publication Title Publication Number
Plan for and install ControlNet repeater ControlNet Fiber Media Planning and CNET-IN001
modules. Installation Guide
Use of repeaters in safety applications. TÜV Report 968/EZ 968/EX 135.06.12

ControlNet Module Diagnostic Coverage

All communication over the passive ControlNet media occurs via CIP™. CIP
verifies that at least one valid packet is seen during the greater of either 100 ms
or 4 times the requested packet interval (RPI). If a valid packet is not seen
during this period, data transitions to the safe state.

44 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 4 ControlLogix Communication Modules

EtherNet/IP Communication Use an EtherNet/IP communication module to do the following:

Modules • Connect controller chassis to remote I/O.
• Make connections for visualization purposes.
• Establish connections between the programming terminal and
controller.

IMPORTANT Use of a 1756-EN2TR or 1756-EN2TRXT is required to achieve SIL 2 in

your application. See Figure 3 on page 19 for an example.

See the examples in Figure 5 on page 21, Figure 6 on page 22, and Figure 11 on
page 28.

DeviceNet Scanner The 1756-DNB scanner connects the controller to devices on a DeviceNet
network. You can use the 1756-DNB module to communicate only nonsafety
data to devices outside of the safety loop.

Data Highway Plus - Remote The 1756-DHRIO module supports both Data Highway Plus and the
I/O Module (1756-DHRIO) Remote I/O network of communication. You can use the 1756-DHRIO module
to communicate only nonsafety data to devices outside of the safety loop. For
example, it can be used to communicate alarms to the Distributed Control
System (DCS).

SynchLink Module The SynchLink™ module (catalog number 1756-SYNCH) is used for CST time
propagation between multiple chassis for event recording. The module can be
used only outside of the safety loop. It must not be used for any safety-related
activity in a SIL 2-certified ControlLogix system.

General Requirements for Follow these requirements when using SIL 2-certified communication
Communication Networks modules:
• When installing ControlLogix communication modules, carefully follow
the information that is provided in the installation instructions.
• DH+™ can be used for communication to human machine interfaces
(HMI) and for communicating with the nonsafety portion of the system.
For more information on how to use HMI, see Chapter 11, Use of Human-
to-Machine Interfaces on page 141.
• Only SIL 2 devices or other devices that provide non-interference write to
SIL 2 controllers. The only exception is the use of HMI devices. For more
information on how to use HMI in the safety loop, see Chapter 11, Use of
Human-to-Machine Interfaces on page 141.

Peer-to-peer Peer-to-peer communication via a ControlNet or EtherNet/IP network is

Communication permitted when these requirements are met:
Requirements • Non-SIL 2 controllers can read data from SIL 2 controllers by directly
reading the data via a message instruction. The controller can also read
data by consuming data from a SIL 2 controller that is configured to
produce data.
• Controllers within the safety loop can be configured to:

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 45

Chapter 4 ControlLogix Communication Modules

- Consume safety data from other safety controllers within the safety
loop.

IMPORTANT Always monitor connection status when consuming safety data

from another controller. Use this connection status to take
appropriate safety action, if necessary.
- Consume non-safety data from outside the safety loop, such as a reset
signal.
- Produce data to controllers outside the safety loop by using a write
message (MSG) or produced connections.
• Programming that verifies the correct reception of data must be used.
• Use of a Device Level Ring (DLR) is required to produce and consume
SIL 2 data on an EtherNet/IP network. If you are not using the ring
capability of the 1756-EN2TR when producing or consuming SIL 2 safety
data on an EtherNet/IP network, you must use two independent data
paths between the SIL 2 devices. For example, to exchange SIL 2 data
between two ControlLogix SIL 2 controllers, you could use two produced
connections sending data to two consume connections. Each controller
produces data to the other.

Additional Resources This table lists additional resources specific to the ControlLogix
communication modules.

Cat. No. Module Description User Manual

1756-CNB ControlNet Communication Module
1756-CN2
CNET-UM001
1756-CNBR Redundant ControlNet Communication Module
1756-CN2R
1756-DHRIO Data Highway Plus - Remote I/O Communication Interface Module 1756-UM514
1756-DNB DeviceNet Scanner DNET-UM004
1756-ENBT
1756-EN2T
1756-EN2TR Ethernet Communication Module ENET-UM001
1756-EN3TR
1756-EN2TRXT
1756-EN2TXT
1756-RM Redundancy Module 1756-UM535
1756-RM2
1756-SYNCH SynchLink Module 1756-UM521

You can view or download Rockwell Automation publications at

https://www.rockwellautomation.com/literature/.

46 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5

1756 ControlLogix I/O Modules

IMPORTANT The programming information and examples in this chapter are

provided to illustrate diagnostic and other logic-related principles that
must be demonstrated in SIL 2 application programs.
• The principles and logic that is shown in this chapter can be encased in
Add-On Instructions for easier use.
• The wiring diagrams are provided to illustrate SIL 2 concepts. For wiring
information, see the I/O module users manual listings in Additional
Resources on page 11.
• If you are using a duplex configuration and certain I/O termination
boards, the programming that is explained in this chapter is available in
Add-On Instructions. These Add-On Instructions are certified by TÜV.
See the SIL 2 System Configuration with Add-On Instructions for 1756
ControlLogix I/O Modules, publication 1756-AT012.

There are two types of SIL 2-certified ControlLogix® I/O modules:

• Digital I/O modules
• Analog I/O modules

The 1756-IF8I provides the current and voltage input option, the 1756-IRT8I
covers the RTD and Thermocouple temperature options while the 1756-OF8I
covers current and voltage outputs. The 8-channel modules can emulate the
6-channel modules and are SIL 2, Systematic Capability 2 type certified.

Using 1756 Digital To achieve SIL 2, two digital input modules must be used, with field sensors
Input Modules wired to channels on each module. The software must compare the two
channels before reconciling the data.

1756 digital input modules are divided into two categories:

• Diagnostic input modules
• Standard input modules

These modules share many of the same inherent architectural characteristics.

However, the diagnostic input modules incorporate features that allow you to
diagnose field-side failures. These features include broken-wire detection and,
if there are AC Diagnostic modules, loss of line power.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 47

Chapter 5 1756 ControlLogix I/O Modules

Requirements When Using Any 1756 Digital Input Module

Regardless of the type of 1756 input module, you must follow these general
application requirements when applying 1756 digital I/O modules in a SIL 2
application:
• Ownership – The same controller must own both modules.
• Direct connection – Always use a direct connection with any SIL 2 CL
modules. You must not use rack-optimized connections in a SIL 2
application.
• Separate input points – Wire sensors to separate input points on two
separate modules. The use of two digital input modules is required,
regardless of the number of field sensors.
• Field device testing – Test field devices by cycling them. The closer you
can get to the device being monitored to perform the test, the more
comprehensive the test is.
• Proof tests – Periodically perform a system validation test. Manually or
automatically test all inputs to make sure that they are operational and
not stuck in the ON or OFF state. Inputs must be cycled from ON to OFF
or OFF to ON. For more information, see Proof Tests on page 30.

Wire 1756 Digital Input Modules

This diagram shows two examples of wiring digital inputs. In either case, the
type of sensors being used determines whether the use of one or two sensors is
appropriate to fulfill SIL 2 requirements.
Figure 15 - ControlLogix Digital Input Module Wiring Example
+ Power

Optional Relay contact or

output point to switch supply
voltage for periodic
automated testing.
Input A1 Input B1
One-sensor Wiring Example Sensor

Input A2 Input B2

Two-sensor Wiring Example Sensor

Sensor
43366

Application logic is used to compare input values for concurrence.

Figure 16 - Logic-comparing Input Values or States
Input A Input B No Faults

Actuator

The user program must also contain rungs to annunciate a fault if there is a
sustained miscompare between two points.

48 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Figure 17 - Rungs Annunciating a Fault

Input A Input B

Timer

Input A Input B Timer preset in milliseconds to

compensate for filter time and
hardware delay differences.

Timer Done

Fault

Fault

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

For more information on faults, see Chapter , Faults in the ControlLogix
System.

Using 1756 Digital 1756 digital output modules are divided into two categories:
Output Modules • Diagnostic output modules
• Standard output modules

These modules share many of the same inherent architectural characteristics.

However, the diagnostic output modules incorporate features that allow you to
diagnose field-side failures, such as the following:
• No-Load (loss of load) reporting
• Blown Fuse reporting
• Output verify
• Output pulse test

To achieve SIL 2, a standard output module must be wired back to an input

module for monitoring. Diagnostic digital output modules provide their own
monitoring.

Requirements When Using 1756 Digital Output Modules

Wiring the two types of digital output modules differs, depending on your
application requirements. However, regardless of the type of ControlLogix
output module, you must follow these general application requirements when
applying these modules in a SIL 2 application:
• Proof tests - Periodically perform a system validation test. Manually or
automatically test all outputs to make sure that they are operational and
not stuck in the ON or OFF state. Outputs must be cycled from ON to OFF
or OFF to ON. For more information, see Proof Tests on page 30.
• Examination of output data echoes signal in application logic – The
application logic must examine the Data Echo value that is associated
with each output point to make sure that the requested ON/OFF
command from the controller was received and acted upon by the
module.
In Figure 18, a timer begins to increment for any miscompare between
the controller’s output and the module’s Data Echo feedback. The
discrepancy timer must be set to accommodate the delay between the
controller output data and the module’s Data Echo response. The time
value that is chosen must consider various system RPIs and network
latency. If a miscompare exists for longer than that time, a fault bit is set.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 49

Chapter 5 1756 ControlLogix I/O Modules

Figure 18 - Data Echo Discrepancy-Timer Logic

Application Logic No Faults

Actuator

Output Bit Data Echo

Timer

Output Bit Data Echo

Fault
Secondary
Output
Timer Done

Fault

Fault

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence. For more information on faults, see Chapter , Faults in the
ControlLogix System.
• Use of external relays to disconnect module power if output
de-energized state is critical. To verify that outputs de-energize, you
must wire an external relay or other measure that can remove power
from the output module if a short or other fault is detected. See Figure 19
on page 52 for an example method of wiring an external relay.
• Test outputs at specific times to make sure that they are operating
properly. The method and frequency of testing is determined by the
requirements of the safety application. For more information on how to
test diagnostic module outputs, see page 51. For more information on
how to test standard module outputs, see page 53.
• For typical emergency shutdown (ESD) application outputs must be
configured to de-energize: When configuring any ControlLogix output
module, each output must be configured to de-energize if there is a fault
and if the controller goes into Program mode. For exceptions to the
typical ESD applications, see Chapter 1, SIL Policy on page 13.
• When wiring two digital output modules in series so that one can break
the source voltage (as shown in Figure 23 on page 54), one controller
must own both modules.

50 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Wire 1756 Digital Output Modules

Diagnostic digital output modules and standard output modules have
different wiring considerations. Reference the module-type considerations
that apply to your system configuration.

Wire Diagnostic Digital Output Modules

Diagnostic output modules have circuitry that is not included in standard

output modules. Because of this feature, you are not required to use an input
module to monitor output status, as is required with standard output modules.

Diagnostic output modules can be used as-is in a SIL 2 application. No special

wiring considerations have to be employed other than the wiring of the
external relay or other measures to remove line power from the module if there
is a fault to make sure that outputs de-energize if shorted.

For limited high demand applications, see Requirements When Using 1756
Digital Output Modules on page 49. Once every 8 hours, test output modules by
turning the outputs ON and OFF to verify proper operation. High demand
applications are limited to 10 demands per year for ControlLogix SIL 2
systems.

For more information on pulse tests, see the ControlLogix Digital I/O Modules
User Manual, publication 1756-UM058.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 51

Chapter 5 1756 ControlLogix I/O Modules

Figure 19 - ControlLogix Diagnostic Output Module Wiring

V-/L2 V+/L1 Relays can also be included as

Secondary
shown in position A to interrupt
Output
power on a per point basis.
V+/L1

This normally open contact (held closed) must represent

the healthy operation of the controller and safety I/O Output
modules. Safety I/O status can be restricted to inputs Actuator
directly affecting outputs on the specific module, or this
contact can represent the healthy status of all safety
inputs and the controller. The module used to control this
relay must follow SIL 2 output guidelines. This module
must also be considered during PFD analysis for each
safety function. We recommend the use of a recognized
safety relay or contactor. 43365

Figure 20 - Diagnostic Output Logic

Application Logic Output Fault

Actuator

Data Echo Actuator

Timer

Data Echo Actuator

Fault
Secondary
Output

Timer Done

Fault

Fault
Alarm to
Operator

Output Fault contact must represent module and channel diagnostics.

52 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Wire Standard Digital Output Modules

When using standard (non-diagnostic) output modules, you must wire each
output to its field device and also to a system input to monitor the
performance. To verify output performance, use one of these methods:
• Write logic to test the ability of the output to turn ON and OFF at
powerup.
• At the proof test interval, force the output ON and OFF and use a
voltmeter to verify output performance.

For limited high demand applications, test the output modules (that is, you
turn the outputs ON and OFF to verify proper operation) once every 8 hours.
High demand applications are limited to 10 demands per year for ControlLogix
SIL 2 systems.

See Requirements When Using 1756 Digital Output Modules on page 49.
Figure 21 - ControlLogix Standard Output Module Wiring

Standard Output Standard Input

Module Module

Wire output point to

input point to verify
V-/L2 V+/L1 the correct state of
Secondary
Output the output.
V+/L1 Input
This normally open contact (held closed) must
represent the healthy operation of the controller
and safety I/O modules. Safety I/O status can be Output Actuator V-/L2
restricted to inputs that affect outputs directly on
the specific module. This contact can represent
the healthy status of all safety inputs and the
controller. The module that is used to control this
relay must follow SIL 2 output guidelines. This
module must be also considered during PFD
analysis for each safety function.
43363

Write the application logic to generate a fault if there is a miscompare between

the controller, the actual output state, and the monitored input. The
monitoring input module does not have to meet SIL 2 guidelines. The only
requirement is that the module is listed in SIL 2-certified ControlLogix System
Components on page 153.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 53

Chapter 5 1756 ControlLogix I/O Modules

Figure 22 - Comparison Logic for Requested Versus Actual Output

Application Logic Output Fault

Actuator

Output Data Echo Monitoring Input Timer must be preset in

milliseconds to
Timer accommodate
communication times of
Output Data Echo Monitoring Input echo signal and filter time
of input.

Fault
Secondary
Output

Timer Done

Fault

Fault
Alarm to
Operator

Output Fault contact must represent module and channel diagnostics.

The control, diagnostics, and alarm functions must be performed in sequence.

For more information on faults, see Chapter 10, Faults in the ControlLogix
System on page 137.

You can also wire two standard outputs in series to critical actuators. If a
failure is detected, the outputs from each of the output modules must be set to
OFF to make sure that the field devices de-energize. Figure 23 shows how to
wire two isolated, standard outputs in series to critical actuators.
Figure 23 - ControlLogix Standard Output Module Wiring with Two Modules
Standard Isolated Standard Isolated Standard Input
Output Module #1 Output Module #2 Module

Wire output point to

input point to verify the
V-/L2 V+/L1 correct state of the
output.
V+/L1 V+/L1 Input

Output Output Actuator V-/L2

43364

54 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Using 1756 Analog There are a number of general application considerations that you must make
Input Modules when using analog input modules in a SIL 2 application. The following section
describes those considerations.

To achieve SIL 2, two analog input modules are required. Field sensors must be
wired to channels on each module and compared within a deadband. Whether
one or two field sensors are required is dependent on the probability of a
dangerous failure on demand (PFD) value of the sensor.

Conduct Proof Tests

Periodically perform a system validation test. Manually or automatically test all
inputs to make sure that they are operational. Field signal levels must be varied
over the full operating range to make sure that the corresponding channel data
varies accordingly. For more information, see Proof Tests on page 30.

Calibrate Inputs
The 6-channel analog input modules must be calibrated periodically, as their
use and application requires. The 8-channel modules do not have a periodic
calibration requirement. ControlLogix I/O modules ship from the factory with
a highly accurate level of calibration. However, because each application is
different, you are responsible for making sure your ControlLogix I/O modules
are properly calibrated for your specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, you can determine a tolerance
band of accuracy for a specific application. You can then measure input values
on multiple channels and compare those values to acceptable values within the
tolerance band. Based on the differences in the comparison, you could then
determine whether recalibration is necessary. However, we recommend that
you calibrate each analog input at least every 3 years to verify the accuracy of
the input signal and avoid nuisance application shutdowns.

Use the Floating Point Data Format

ControlLogix analog input modules perform onboard alarm processing to
validate that the input signal is within the proper range. These features are
only available in Floating Point mode. To use the Floating Point Data format,
select the Floating Point Data format in the Module Properties dialog box.

Program to Respond to Faults Appropriately

When programming the SIL 2 system, verify that your program examines the
appropriate module fault, channel fault, and channel status bits and responds
by initiating the appropriate fault routine.

Each module communicates the operating status of each channel to the

controller during normal operation. Application logic must examine the
appropriate bits to initiate a fault routine for a given application. For more
information on faults, see Chapter 10, Faults in the ControlLogix System on
page 137.

Program to Compare Analog Input Data

When wiring sensors to two input channels on different modules, the values
from those channels must be compared to each other within the program for

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 55

Chapter 5 1756 ControlLogix I/O Modules

concurrence within an acceptable range for the application, before an output is

actuated. Any miscompare between the two inputs outside the programmed
acceptable range must be annunciated as a fault.

In Figure 24, a user-defined percentage of acceptable deviation (that is,

tolerance) is applied to the configured input range of the analog inputs (that is,
range) and the result is stored (that is, delta). This delta value is then added to
and subtracted from one of the input channels; the results define an acceptable
High and Low limit of deviation. The second input channel is then compared
to these limits to determine if the inputs are working properly.

The input’s OK bit preconditions a Timer run that is preset to accommodate an

acceptable fault response time and any communication filtering lags in the
system. If the inputs miscompare for longer than the preset value, a fault is
registered with a corresponding alarm.
Figure 24 - Comparison Logic for Two Analog Inputs
Inputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance% Input 1 Input 1
Delta High Limit Low Limit

LIM
Low Limit
Inputs OK
Input 2
High Limit

Timer Done
Analog Inputs
Faulted

Analog Inputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

For more information on faults, see Chapter 10, Faults in the ControlLogix
System on page 137.

Configure Modules
When using identical modules, configure the modules identically, that is, by
using the same RPI, filter values, and so on.

When using different modules for improved diversity, make sure the module’s
scaling of data does not introduce error or fault conditions.

56 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Specify the Same Controller as the Owner

The same controller must own both analog input modules.

You must use Analog Inputs Faulted as a safety status/permissive in respective

safety-related outputs.

Wire 1756 Analog Input Modules

The wiring diagrams that are shown in this section apply to applications that
require transmitters. The type of transmitter along with the application
requirements determine whether one or two transmitters are required.

Good design practice dictates that each of the two transmitters must be wired
to input terminals on separate modules such that the channel values can be
validated by comparing the two within an acceptable range. Special
consideration must be given when you apply this technique, depending on the
type of module being used.

Wire the Single-Ended Input Module in Voltage Mode

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 55.
• Use the correct documentation (listed in Additional Resources on
page 11) to wire the module.
• Tie all (-) leads of the transmitters together when operating in single-
ended Voltage mode.

Figure 25 shows how to wire an analog input for use in Voltage mode.
Figure 25 - ControlLogix Analog Input Module Wiring in Voltage Mode

Ch0 + Ch0 + (+)

Voltage
Transmitter A
(–)
Ch0 – Ch0 –

(+)
Voltage
Transmitter B
(–)

43368

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 57

Chapter 5 1756 ControlLogix I/O Modules

Figure 26 shows how to wire a SIL 2 transmitter to two analog input modules
configured for voltage mode.
Figure 26 - ControlLogix Analog Input Module Wiring in Voltage Mode

Ch0 + Ch0 + (+)

SIL 2 Transmitter Voltage

Output Source
Ch0 – Ch0 –
(–)

Wire the Single-ended Input Module in Current Mode

Make sure you:

• Review the considerations in Using 1756 Analog Input Modules on
page 55.
• Use the correct documentation (listed in Additional Resources on
page 11) to wire the module.
• Place the devices correctly in the current loop. You can locate other
devices in the current loop of an input channel anywhere as long as the
current source can provide sufficient voltage to accommodate all voltage
drops. Each module input is 250 .
Figure 27 and Figure 28 show how to wire an analog input for use in Current
mode.

58 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Figure 27 - ControlLogix Analog Input Module Wiring in Current Mode

Ch0 + Ch0 +

Current
Source A
Ch0 – Ch0 –

Current
Source B

Figure 28 - ControlLogix Analog Input Module Wiring for Isolated Channels in Current Mode

Ch0 + Ch0 +

SIL 2 Transmitter-Current
Output Source
Ch0 – Ch0 –

If you use single-ended channels, use a 1492-TAIFM16-F-3 termination board

and two 1492-ACABLE010UA cables to split the current sensor into two single-
ended channels that are configured for Voltage mode.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 59

Chapter 5 1756 ControlLogix I/O Modules

Figure 29 - Analog Input Wiring Example with Termination Boards(1)

Analog Input Module A Analog Input Module B
Input Values from Field Devices Input Values from Field Devices

All configured for 0...5V operation. All configured for 0...5V operation.

Solid-state switch controlled

by DC output.

Reference Voltages

1492 Cable to 1756-IF16,

1492 Cable to 1756-IF16,

Module A

Module B
DIP Switch for Sensor
Wiring

Precision 249 
Resistor*
*4-20mA converted to 0-5Vdc

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in

4...20 mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Transmitter
Two-wire

Wire the Thermocouple Input Module

Make sure that you do the following:

• Review the considerations in Using 1756 Analog Input Modules on
page 55.
• Use the correct documentation listed in Additional Resources on page 11
to wire the module.
• Wire to the same input channel on both modules. When you wire
thermocouples, wire two in parallel to two modules. Use the same
channel on each module to make sure of consistent temperature
readings.

Figure 30 on page 61 shows how to wire the 1756-IT6I, 1756-IT6I2, or 1756-IR8TI

modules.

(1) See ControlLogix SIL 2 System Configuration Using RSLogix 5000® Subroutines, publication 1756-AT012 for more information.

60 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Figure 30 - ControlLogix Analog Thermocouple Module Wiring

Ch0 + Ch0 +

Thermocouple A

RTN RTN

Thermocouple B

Wire the RTD Input Module

Make sure that you do the following:

• Review the considerations in Using 1756 Analog Input Modules on
page 55.
• Use the correct documentation listed in Additional Resources on page 11
to wire the module.
• Use two sensors. RTDs cannot be wired in parallel without severely
affecting their accuracy.

Figure 31 shows how to wire the 1756-IR6I or 1756-IR8TI modules.

Figure 31 - ControlLogix Analog RTD Module Wiring

Ch0 A Ch0 A

RTD A

Ch0 B Ch0 B

RTN RTN

RTD B

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 61

Chapter 5 1756 ControlLogix I/O Modules

Using 1756 HART Analog The Highway Addressable Remote Transducer (HART) analog modules must
Input Modules be used according to the same considerations as other analog input modules.

IMPORTANT HART protocol must not be used for safety-related data.

Wire the HART Analog Input Modules

Make sure that you do the following:
• Review the considerations in Using 1756 Analog Input Modules on
page 55.
• Use the correct documentation listed in Additional Resources on page 11
to wire the module.
Figure 32 - HART Input Analog Module Wiring

Ch0 + Ch0 +

Sensor

Ch0 -
Ch0 -

Sensor

Using 1756 Analog Output There are a number of general application considerations that you must make
Modules when using analog output modules in a SIL 2 application. An analog output
module, along with an analog input module is required to monitor to achieve
SIL 2. The following sections describe those considerations specific to the use
of analog output modules.

IMPORTANT We recommend that you do not use analog outputs to execute the
safety function that results in a safe state. Analog output modules are
slow to respond to an ESD command and are therefore not
recommended for use ESD output modules.
The use of digital output modules and actuators to achieve the ESD
de-energized state is recommended.

62 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Conduct Proof Tests

Periodically perform a system validation test. Manually or automatically test all
outputs to make sure that they are operational. Field signal levels should be
varied over the full operating range to make sure that the corresponding
channel data varies accordingly. For more information, see Proof Tests on
page 30.

Calibrate Outputs
Calibrate the analog output modules periodically, as their use and application
requires. ControlLogix I/O modules ship from the factory with a highly
accurate level of calibration. However, because each application is different,
you are responsible for making sure your ControlLogix I/O modules are
properly calibrated for your specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, to determine whether you must
recalibrate an output module, you can determine a tolerance band of accuracy
for a specific application. You can then measure output values on multiple
channels and compare those values to acceptable values within the tolerance
band. Based on the differences in the comparison, you could then determine
whether recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue. However, we

recommend that you calibrate each analog output module at least every 3 years
to verify the accuracy of the signal and avoid nuisance application shutdowns.

Use the Floating Point Data Format

ControlLogix analog output modules perform onboard alarm processing to
validate that the input signal is within the proper range. These features are
only available in Floating Point mode. To use the Floating Point Data format,
select the Floating Point Data format in the Module Properties dialog box. The
1756-OF8I profile only offers a floating point option, which is labeled ‘Output
Data’ as the Connection choice.

Program to Respond to Faults Appropriately

When programming the SIL 2 system, verify that your program examines the
appropriate module fault, channel fault, and channel status bits and responds
by initiating the appropriate fault routine.

Each module communicates the operating status of each channel to the

controller during normal operation. Application logic must examine the
appropriate bits to initiate a fault routine for a given application. For more
information on faults, see Chapter 10, Faults in the ControlLogix System on
page 137.

Configure Outputs to De-energize in ESD Applications

For typical emergency shutdown (ESD) applications, outputs must be
configured to de-energize. When configuring any ControlLogix output
module, each output must be configured to de-energize if there is a fault and if
the controller goes into Program mode. For exceptions to the typical ESD
applications, see Chapter 1, SIL Policy on page 13.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 63

Chapter 5 1756 ControlLogix I/O Modules

Monitor Channel Status

You must wire each analog output to an actuator and then back to an analog
input to monitor the performance of the output, as shown in Figure 34. The
application logic must examine the analog input (feedback value) associated
with each analog output to make sure that the output from the controller was
received correctly at the actuator. The analog output value must be compared
to the analog input that is monitoring the output to make sure that the value is
within an acceptable range for the application.

In the ladder diagram in Figure 33, a user-defined percentage of acceptable

deviation (that is, tolerance) is applied to the configured range of the analog
input and output and the result is stored (that is, delta). This delta value is then
added to and subtracted from the monitoring analog input channel; the results
define an acceptable high and low limit of deviation. The analog Output Echo
is then compared to these limits to determine if the output is working
properly.

The OK output bit preconditions or the Timer run is preset to accommodate an

acceptable fault response time and any communication filtering, or output,
lags in the system. If the monitoring input value and the Output Echo
miscompare for longer than the preset value, a fault is registered with a
corresponding alarm.
Figure 33 - Monitoring an Analog Output with an Analog Input
Outputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance% Monitoring input Monitoring input
Delta High Limit Low Limit

LIM
Low Limit
Outputs OK
Output Echo
High Limit

Fault
Secondary
Output
Timer Done

Outputs Faulted

Outputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

Specify the Same Controller as the Owner

The same controller must own both analog modules.

64 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Wire ControlLogix Analog Output Modules

In general, good design practice dictates that each analog output must be
wired to a separate input terminal to make sure that the output is functioning
properly.

Wire the Analog Output Module in Voltage Mode

Make sure that you do the following:

• Review the considerations in on page 62.
• Use the correct documentation (listed in Additional Resources on
page 11) to wire the module.

Figure 34 shows how to wire the 1756-OF8 module for use in Voltage mode.
Figure 34 - ControlLogix Analog Output Module Wiring in Voltage Mode
Analog Output Module Analog Input Module This normally open relay is controlled by the status of
the rest of the ControlLogix system. If a short-circuit
or fault occurs on the module, the relay can
disconnect power to the module. The module that is
used to control this relay must follow SIL 2 output
guidelines. This module must also be considered
during PFD analysis for each safety function.
(+) (+) Actuator Use a signal-grade relay using bifurcated or similar
Secondary grade contacts. The relay can be in a position to
Output remove power to an actuator, or can remove power
to multiple actuators depending on the granularity
(–) (–)
needed.

43377

Wire the Analog Output Module in Current Mode

Make sure that you do the following:

• Review the considerations in on page 62.
• Use the correct documentation listed in Additional Resources on page 11
to wire the module.
• Place the devices correctly in the current loop. You can locate other
devices in a current loop of the output channel anywhere as long as the
current source can provide sufficient voltage to accommodate all voltage
drops (each module output is 250 ).

Figure 35 shows how to wire the 1756-OF8 module for use in Current mode.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 65

Chapter 5 1756 ControlLogix I/O Modules

Figure 35 - ControlLogix Analog Output Module Wiring in Current Mode

Analog Output Module Analog Input Module
This normally open relay is controlled by the status of the rest of the
ControlLogix system. If a short-circuit or fault occurs on the module,
the relay can disconnect power to the module. The module that is used
to control this relay must follow SIL 2 output guidelines. This module
must also be considered during PFD analysis for each safety function.
Use a signal-grade relay using bifurcated or similar grade contacts.
(+) (+)
The relay can be in a position to remove power to an actuator, or can
remove power to multiple actuators depending on the granularity
needed.
(–) Actuator
(–)
Secondary
Output

43376

Using 1756 HART Analog Use the Highway Addressable Remote Transducer (HART) analog modules
Output Modules according to the same considerations as other analog output modules. For an
illustration of how to wire the HART analog output modules, see Wire the
HART Analog Output Modules on page 66.

IMPORTANT HART protocol must not be used for safety-related data.

Wire the HART Analog Output Modules

Make sure that you do the following:
• Review the considerations in Wire ControlLogix Analog Output Modules
on page 65.
• Use the correct documentation listed in Appendix as a reference when
wiring the module.
Figure 36 - HART Output Analog Module Wiring

66 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 5 1756 ControlLogix I/O Modules

Input Module Output Module

Secondary
Output

Ch0+ Ch0+

Actuator

Ch0- Ch0-

Ch1+ This normally open relay is controlled by the status of the rest of the ControlLogix system.
If a short-circuit or fault occurs on the module, the relay can disconnect power to the
module. The module that is used to control this relay must follow SIL 2 output guidelines.
This module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay with bifurcated or similar grade contacts. The relay can be in a
Ch1-
position to remove power to an actuator, or can remove power to multiple actuators
depending on the granularity needed.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 67

Chapter 5 1756 ControlLogix I/O Modules

Notes:

68 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6

1794 FLEX I/O Modules

There are two types of SIL 2-certified 1794 FLEX™ I/O modules:
• Digital I/O modules
• Analog I/O modules

1794 FLEX I/O modules are designed with inherent features that allow them to
comply with the requirements of the 61508 Standard. For example, the
modules all have a common backplane interface, execute power-up and
runtime diagnostics, and offer electronic keying.

Using 1794 Digital To achieve SIL 2, two digital input modules must be used, with field sensors
Input Modules wired to channels on each module. The two digital modules must be on
separate 1794 rails. Use the software to compare the two channels before you
reconcile the data.

Requirements for 1794 FLEX I/O Digital Input Modules

Regardless of the type of 1794 FLEX I/O input module that is used, there are a
number of general application considerations that you must follow when
applying these modules in a SIL 2 application:
• Proof tests—Periodically a system validation test must be performed.
Manually, or automatically, test inputs to make sure that all inputs are
operational and not stuck in the ON or OFF state. Inputs must be cycled
from ON to OFF or OFF to ON.
• Configuration parameters (for example, RPI, filter values) must be
identical between the two modules.
• The same controller must own both modules.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 69

Chapter 6 1794 FLEX I/O Modules

Wiring 1794 FLEX I/O Digital Input Modules

The wiring diagrams in Figure 37 show two methods of wiring the digital input
module. In either case, you must determine whether the use of one or two
sensors is appropriate to fulfill SIL 2 requirements.

Figure 37 - ControlLogix® Digital Input Module Wiring

One-Sensor Wiring Example
+24V dc
Input 1 Input 2
Optional relay contact
24VDC SINK INPUT
1794-IB16
24VDC SINK INPUT
1794-IB16 to switch line voltage
for periodic automated
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
testing
Input SIL2 SENSOR
COM
+24V

Two-Sensor Wiring Example

Input 1 Input 2

1794-IB16 1794-IB16
24VDC SINK INPUT 24VDC SINK INPUT

Input
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1
SENSOR
COM
+24V

1
Note 1: Both sensors are monitoring the same safety application. SENSOR 43366

Application logic can compare input values or states for concurrence.

Figure 38 - Compare Input Values

Input A Input B
Actuator

The user program must also contain rungs to annunciate a fault if there is a
sustained miscompare between two points.

Figure 39 - Annunciate a Fault

Input A Input B

Timer

Input A Input B
Timer preset in milliseconds to
compensate for filter time and
hardware delay differences.
Timer Done
Fault

Fault
Alarm to Operator

The control, diagnostics, and alarm functions must be performed in sequence.

70 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Using 1794 Digital To achieve SIL 2, a 1794 output module must be wired back to an input module
Output Modules for monitoring.

Considerations for 1794 FLEX I/O Digital Output Modules

Regardless of the type of FLEX I/O output module that is used, there are a
number of general application considerations that you must follow when
applying these modules in a SIL 2 application:
• Proof tests- Periodically a System Validation test must be performed.
Manually, or automatically, test outputs to make sure that all outputs are
operational and not stuck in the ON or OFF state. Outputs must be cycled
from ON to OFF or OFF to ON.
Figure 40 - Testing Outputs
Application Logic
Application Logic Output
Output Fault
Fault

Actuator
Actuator

Output Bit
Output Bit Monitoring Input
Monitoring Input

Timer
Timer
Output Bit
Output Bit Monitoring Input
Monitoring Input

Timerdone
Timer Done

Fault
Fault

Fault
Fault
Alarm
Alarmto Operator
to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• Use external relays to disconnect actuator power if output de-
energization is critical. To make sure that outputs can de-energize, you
must wire an external method that can remove power from the actuator
if a short or other fault is detected.
• Test outputs at specific times to make sure that they are operating
properly. The type of module determines the test method and frequency.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 71

Chapter 6 1794 FLEX I/O Modules

Wiring 1794 FLEX I/O Digital Output Modules

When using standard output modules, you must wire an output to an actuator
and then back to an input to monitor the performance of the output.

Figure 41 - FLEX I/O Standard Output Module Wiring

Standard Digital Output Module Wire output point to input Standard Digital Input Module
point to verify the correct
COM +24V state of the output.
1794-OB16 1794-IB16
24VDC SOURCE OUTPUT
24VDC SINK INPUT

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

A
COM
24V DC

Output B

Actuator

43363

IMPORTANT: Other configurations are possible as long they are SIL 2 approved.

Install a relay in position A or B. This relay is controlled by another output in the ControlLogix/FLEX I/O system. If a short circuit or fault occurs on output modules, the relay can disconnect
power to the modules. An isolated relay output module (1794-OW8) can be used for this purpose when it is connected to another 1794-ACN15 or 1794-ACNR15 ControlNet® adapter.

Write application logic so that it generates a fault if there is a miscompare

between the requested state of an output (echo) and the actual output state
that is monitored by an input channel (see Figure 40 on page 71).

The control, diagnostics, and alarm functions must be performed in sequence.

You can also wire a standard-digital output module in series with an isolated
relay output module in series with a critical actuator. If a failure is detected,
the output from both output modules must be set to OFF to make sure the
Output Loads de-energize.

See Figure 42 on page 73 for detailed information about how to wire an output
module with an isolated relay module.

72 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Figure 42 - ControlLogix/FLEX I/O Standard Output Module Wiring with an Isolated Relay Module
Standard Digital Isolated Relay Output Standard Digital
Output Module Module Input Module
COM +24V Wire output point to
input point to verify the
24VDC SOURCE OUTPUT
1794-OB16
24VDC SOURCE OUTPUT
1794-OB16
correct state of the 24VDC SINK INPUT
1794-IB16

output.
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

COM
Output +24V

Output Actuator

43364

Note 1: An external relay can be replaced with an isolated relay module that is mounted in another FLEX I/O rail.

Using 1794 Analog To achieve SIL 2, two analog input modules are required. Field sensors must be
Input Modules wired to channels on each module and compared within a deadband. Whether
one or two field sensors are required is dependent on the probability of a
dangerous failure on demand (PFD) value of the sensor.

Considerations When Using FLEX I/O Analog Input Modules

You must follow these general application considerations when applying these
modules in a SIL 2 application:
• Proof tests. Periodically a System Validation test must be performed.
Manually, or automatically, test inputs to make sure that all inputs are
operational. Vary the field signal levels over the full operating range to
make sure that the corresponding channel data varies accordingly.
• Calibrate inputs periodically, as necessary. FLEX I/O modules ship from
the factory with a highly accurate level of calibration. However, because
each application is different, you are responsible for making sure their
FLEX I/O modules are properly calibrated for their specific application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, to determine whether an
input module must be recalibrated, you can determine a tolerance band
of accuracy for a specific application. You can then measure input values
on multiple channels and compare those values to acceptable values
within the tolerance band. Based on the differences in the comparison,
you could then determine whether recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue.

However, we recommend that you calibrate each analog input at least
every three years to verify the accuracy of the input signal and avoid
nuisance application shutdowns.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 73

Chapter 6 1794 FLEX I/O Modules

• Compare analog input data and annunciate miscompares. When wiring

sensors to two input channels, the values from those channels must be
compared to each other for concurrence within an acceptable range for
the application before actuating an output. Any miscompare between the
two inputs outside the programmed acceptable range must be
annunciated as a fault.

In Figure 43 on page 74, a user-defined percentage of acceptable

deviation (tolerance) is applied to the configured input range of the
analog inputs (range) and the result is stored (delta). This delta value is
then added to and subtracted from one of the input channels; the results
define an acceptable High and Low limit of deviation. The second input
channel is then compared to these limits to determine if the inputs are
working properly.

The OK bit input preconditions a Timer run that is preset to

accommodate an acceptable fault response time and any communication
filtering lags in the system. If the inputs miscompare for longer than the
preset value, a fault is registered with a corresponding alarm.

Figure 43 - Logic for Comparing Analog Input Data

Inputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance % Input 1 Input 1
Delta High Limit Low Limit

LIM
Low Limit
Inputs OK
Input 2
High Limit

Timer Done

Inputs Faulted

Inputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• Configuration parameters (for example, RPI, filter values) must be
identical between the two modules.
• The same controller must own both modules.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.
• Wire sensors to separate input channels on two separate modules that
are on different network nodes.

74 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Wiring 1794 FLEX I/O Analog Input Modules

The wiring diagrams in this section show two methods of wiring the analog
input module. In either case, you must determine whether the use of one or
two sensors is appropriate to fulfill SIL 2 requirements.

Figure 44 - FLEX I/O Analog Input Module Wiring

One-Sensor Wiring Example

Input 1 Input 2

Input SIL2 SENSOR

COM
+24V

Two-Sensor Wiring Example

Input 1 Input 2

Input 1
SENSOR
COM
+24V

1
SENSOR
43366A
Note 1: Both sensors are monitoring the same safety application.

Wiring the Single-ended Input Module in Voltage Mode

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 73, make sure that you use the correct documentation to wire
the module.

Figure 45 - FLEX I/O Analog Input Module Wiring in Voltage Mode

Analog Input Analog Input

1794-IE8 1794-IE8

1794-TB3 + - 1794-TB3
+ -
Voltage Voltage
Transmitter A Transmitter B

Analog Input Analog Input

1794-IF4I 1794-IF4I

1794-TB3 + - 1794-TB3
+ -

Voltage Voltage
Transmitter A Transmitter B

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 75

Chapter 6 1794 FLEX I/O Modules

Wiring the Single-ended Input Module in Current Mode

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 73, before wiring the module, consider the following
application guideline:

Place other devices in a current loop. You can locate other devices in a current
loop of an input channel anywhere as long as the current source can provide
sufficient voltage to accommodate all voltage drops (each module input is 250
).

Figure 46 - FLEX I/O Analog Input Wiring in Current Mode

1794-IE8 Analog Input Analog Input

1794-IE8 1794-IE8

1794-TB3 1794-TB3

Current RET RET

Current
Source A
Source B

Analog Input Analog Input

1794-IF4I 1794-IF4I

1794-TB3 1794-TB3

Current RET Current RET

Source A Source B

76 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Wiring the Thermocouple Input Module

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 73 and before wiring the module, consider the following
application guideline:

Wire to the same input channel on both modules. When wiring

thermocouples, wire two in parallel to two modules. Use the same channel on
each module to make sure of consistent temperature readings.

Figure 47 - FLEX I/O Analog Thermocouple Module Wiring

Thermocouple Thermocouple
1794-IT8 1794-IT8
Input Module Input Module

1794-TB3T 1794-TB3T

+ +

- -

Thermocouple/ Thermocouple/
RTD/mV 1794-IRT8 RTD/mV 1794-IRT8
Input Module Input Module

1794-TB3G 1794-TB3G

+ +

- -

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 77

Chapter 6 1794 FLEX I/O Modules

Wiring the RTD Input Module

Along with following the Considerations When Using FLEX I/O Analog Input
Modules on page 73 and before wiring the module, consider the following
application guideline:

RTDs cannot be wired in parallel without severely affecting their accuracy.

Two sensors must be used.

Figure 48 - FLEX I/O Analog RTD Module Wiring

RTD 1794-IR8 RTD 1794-IR8

Input Module Input Module

1794-TB3T 1794-TB3T

3-wire RTD

Thermocouple/ Thermocouple/
RTD/mV RTD/mV
1794-IRT8 1794-IRT8
Input Module Input Module

1794-TB3G 1794-TB3G

4-wire RTD

Two-, three-, or four-wire RTDs can be used as applicable to the associated RTD input module.

Using 1794 Analog An analog output module, along with an analog input module for monitoring
Output Modules is required to achieve SIL 2.

IMPORTANT We strongly recommended that you do not use analog outputs to

execute the safety function that results in a safe state. Analog output
modules are slow to respond to an ESD command and are therefore not
recommended for use ESD output modules.
The use of digital output modules and actuators to achieve the ESD
de-energized state is recommended.

78 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Requirements for 1794 FLEX I/O Analog Output Modules

Follow these general application considerations when applying the analog

output modules in a SIL 2 application:
• Proof tests - Periodically a System Validation test must be performed.
Manually, or automatically, test outputs to make sure that all outputs are
operational. Vary the channel data over the full operating range to make
sure that the corresponding field signal levels vary accordingly.
• Calibrate outputs periodically, as necessary. FLEX I/O modules ship
from the factory with a highly accurate level of calibration. However,
because each application is different, you are responsible for making
sure their FLEX I/O modules are properly calibrated for their specific
application.

You can employ tests in application program logic to determine when a

module requires recalibration. For example, you can determine a
tolerance band of accuracy for an application to determine if the output
module needs recalibrated.

Then you can measure output values on multiple channels and compare
those values to acceptable values within the tolerance band. Based on the
differences in the comparison, you could then determine whether
recalibration is necessary.

Calibration (and subsequent recalibration) is not a safety issue.

However, we recommend that you calibrate each analog output at least
every three years to verify the accuracy of the input signal and avoid
nuisance application shutdowns.
• For typical emergency shutdown (ESD) applications, outputs must be
configured to de-energize. When configuring any FLEX I/O output
module, each output must be configured to de-energize if there is a fault
and if the controller goes into Program mode.
• Wire outputs back to inputs and examine output-data feedback signal.
You must wire an analog output to an actuator and then back to an
analog input to monitor the performance of the output. (The use of
feedback transmitters to verify that the performance is acceptable.) The
application logic must examine the Data Feedback value that is
associated with each output point. This examination makes sure that the
requested output command from the controller was sent and the module
received it. The value must be compared to the analog input that is
monitoring the output to make sure that the value is in an acceptable
range for the application.

The ladder diagram in Figure 49, a user-defined percentage of acceptable

deviation (tolerance) is applied to the configured range of the analog
input and output (range) and the result is stored (delta). This delta value
is then added to and subtracted from the monitoring analog-input
channel; the results define an acceptable High and Low limit of
deviation. The analog Output Feedback is then compared to these limits
to determine if the output is working properly.

The OK bit precondition for the output is a Timer run that is preset to
accommodate an acceptable fault response time, any communication
filtering, or output, and lags in the system. If the monitoring input value
and the Output Feedback miscompare are longer than the preset value, a
fault is registered with a corresponding alarm.
Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 79
Chapter 6 1794 FLEX I/O Modules

Figure 49 - Monitoring an Analog Output with an Analog Input

Outputs OK

Timer

MULT ADD SUB

Range Delta Delta
Tolerance % Monitoring input Monitoring input
Delta High Limit Low Limit

LIM
Low Limit
Output Feedback Outputs OK
High Limit

Timer Done

Outputs Faulted

Outputs Faulted

Alarm to Operator

The control, diagnostics, and alarm functions must be performed in

sequence.
• The same controller owns the AO modules, the DO module that drops
power to the AO, and the AI monitoring module
• The AO module and the DO that controls power to it must be on separate
FLEX rails. They must not share a FLEX adapter.
• Monitor the network status bits for the associated module and make sure
that appropriate action is invoked via the application logic by these
status bits.

80 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 6 1794 FLEX I/O Modules

Wiring 1794 FLEX I/O Analog Output Modules

In general, good design practice dictates that each analog output must be
wired to a separate input terminal to make sure that the output is functioning
properly.

Wiring the Analog Output Module in Voltage Mode

You must wire analog outputs to an actuator and then back to an analog input
to monitor the output performance.

Figure 50 - Analog Input Module Wiring Example

1794-OE4 1794-IE8

Analog Output Analog Input

Module Module

1794-TB3 1794-TB3
V RET Secondary
Output

Actuator

1794-OF4I 1794-IF4I

Isolated Analog Isolated Analog

Output Module Input Module

1794-TB3 1794-TB3
V RET Secondary
Output

Actuator

This normally open relay is controlled by the status of the rest of the ControlLogix system. If a short-circuit or fault occurs on
the module, the relay can disconnect power to the module. The module that is used to control this relay must follow SIL 2 output
guidelines. This module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay with bifurcated or similar grade contacts. The relay can be in a position to remove power to an
actuator or can remove power to multiple actuators depending on the granularity needed.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 81

Chapter 6 1794 FLEX I/O Modules

Wiring the Analog Output Module in Current Mode

Along with following the Requirements for 1794 FLEX I/O Analog Output
Modules on page 79, consider the following application guideline before
wiring the module in Current mode:

Place other devices in a current loop. You can locate other devices in a current
loop for the output channel anywhere as long as the current source can provide
sufficient voltage to accommodate all voltage drops.

Figure 51 - Analog Output Wiring Example

1794-OE4 1794-IE8

Analog Output Analog Input

Module Module

1794-TB3 1794-TB3

Actuator
Secondary
Output

1794-OF4I 1794-IF4I

Isolated Analog Isolated Analog

Output Module Input Module

1794-TB3 1794-TB3
Secondary
Output

Actuator

This normally open relay is controlled by the status of the rest of the ControlLogix system. If a short-circuit or fault occurs on the module,
the relay can disconnect power to the module. The module that is used to control this relay must follow SIL 2 output guidelines. This
module must also be considered during PFD analysis for each safety function.
Use a signal-grade relay with bifurcated or similar grade contacts. The relay can be in a position to remove power to an actuator or can
remove power to multiple actuators depending on the granularity needed.

82 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7

1715 Redundant I/O Modules

This chapter provides information about 1715 I/O modules in a SIL CL (Claim
Limit) 2 system, such as a ControlLogix®-based SIL 2 system. The system can
be low demand or high demand with up to 10 demands per year.

The product complies with the requirements of SC 2 and SIL 2 according to

IEC 61508 and can be used in safety-related applications for process control,
burner management, fire and gas, emergency shutdown systems where the
safe state is the de-energized state, and applications where the demand state is
the de-energized or energized state, up to SIL 2.

When used with 1715 I/O, the ControlLogix SIL 2 system supports the following
safety configurations. These SIL 2 architectures are for fail-safe low and high
demand applications. All SIL 2 architectures can be used for de-energize to trip
applications. With special precautions, CLX/1715 SIL 2 can be used in energize-
to-trip applications:
• SIL 2 low demand applications
• SIL 2 high demand – up to 10 demands per year
• SIL 2 fail-safe applications
• SIL 2 with fault tolerant inputs
• SIL 2 with fault tolerant outputs
• SIL 2 with fault tolerant inputs/outputs

For general information about 1715 I/O modules, see the Redundant I/O
System User Manual, publication 1715-UM001.

SIL 2 Safety Application The 1715 I/O system reduces the configuration work for a ControlLogix SIL 2
Requirements system. Because 1715 I/O modules are designed to operate in a safety system,
there is no requirement for special wiring or IFMs to use ControlLogix in a
SIL 2 system. Either or both the I/O system or controller system can be simplex
or duplex, which makes the system scalable to fit your application.

To use the 1715 Redundant I/O system in SIL 2 safety applications, you must
have revision 2.001 or later, of the adapter firmware, the latest Add-on Profiles
(AOPs), and the 1715 SIL 2 Add-On Instructions.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 83

Chapter 7 1715 Redundant I/O Modules

IMPORTANT For SIL 2 safety applications, you must have the following:
• 1715-AENTR adapters, firmware revision 2.001 or later
• Add-on Profile, version 2.01.014 or later for the adapters
• Add-on Profile, version 3.01.014 or later for the I/O modules
• Add-On Instructions, version 2.001 or later if you use a ControlLogix
system
• ControlLogix 5570 controllers
ControlLogix 5560 controllers are not supported with 1715 I/O.

ATTENTION: ControlLogix 5570 controllers are certified in RSLogix 5000®,

version 20 or later for SIL 2 operations. See the latest certifications for
software and firmware at rok.auto/certifications. See the TÜV website at
https://www.tuvasi.com/ for SIL 2 certification listings.

IMPORTANT Listen Only is not supported for SIL 2 operations. Only one
ControlLogix 5570 controller can connect to any I/O module within the
1715 chassis for SIL 2 safety functions.

IMPORTANT Safety functions that are being edited online are not SIL 2 certified from
the start of the online edits to the completion of the validation of the
changes.

IMPORTANT 1715 I/O modules communicate only via the EtherNet/IP™ network.
ControlNet® modules are not supported.

84 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

1715 I/O Modules in SIL 2 1715 I/O modules, firmware revision 2.001 and later(a), can be used in safety
Safety Applications applications up to and including SIL 2. Your system can be configured with
any combination of I/O modules, and in either Simplex or Duplex mode.

You can configure modules for use in SIL 2 Safety applications on these tabs on
the Module Properties dialog box:
• SIL 2 Safety tab—Configure the RPI, connection reaction time limit,
access diagnostic data, and perform a SIL 2 reset.
• Input States When CRTL Expires tab— Define the safe state for inputs.

For more information on SIL 2 application requirements for 1715 I/O modules,
see these resources:
• For information about Add-On Instructions for SIL 2 1715 I/O module
applications, see Chapter 8.
• For PFD and PFH calculations, see Appendix C.
• For a SIL 2 application checklist, see Appendix F
• For specifications and certifications related to a 1715 Redundant I/O
system, refer to the 1715 Redundant I/O System Technical Specifications,
publication 1715-TD001.

See the latest certifications for software and firmware at

rok.auto/certifications. See the TÜV website at
https://www.tuvasi.com/ for SIL 2 certification listings.

All I/O modules include line monitoring capability. We recommend that you
use line monitoring for safety-related I/O. Safety-related I/O refers to an
annunciator being available to an input or output that is attached to a field
device. For energize-to-action (normally de-energized) I/O, you must enable
line monitoring.

(a) See the Module Revision Release List available from the Product Certifications link on at rok.auto/certifications.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 85

Chapter 7 1715 Redundant I/O Modules

Typical Configurations The 1715 system supports single (simplex) module configurations where it is
acceptable to either stop the system or allow the signals corresponding to that
module to change to their default fail-safe state. It also supports fault-tolerant
I/O (redundant) configurations where the system is required to continue
operating if there is a fault.

Fault tolerant systems have redundant modules that let the system continue
operation in the presence of a fault. The system fails safe (off) if another fault
occurs.

All configurations can be used for safety-related applications. Choose the

appropriate configurations that are based on the fault tolerance requirements
of your application.

DLR Topology
Figure 52 - Simplex DLR with a ControlLogix Controller
SIL 2 ControlLogix Safety
Instrumented Function (SIF)

Sensor

1756-EN2TR
Actuator

1756-L72

1715- 1715- 1715- 1715-

TASOB8DE TASIB16D TASIF16 TASOF8

TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA AOTA AOTA AOTA

Dual. Dual. Dual. Dual. Dual. Dual.
1715-AENTR

1715-AENTR

1715-OB8DE

1715-IB16D

1715-OF8I
1715-IF16
1715-A310

1715-A310
IO BASE

IO BASE

1715-A2A 1715-A3IO 1715-A3IO

For duplex configurations, a SIL 2 fault-tolerant architecture has dual-input,

dual adapter, and dual output modules. The input modules operate in 1oo2 (1
out of 2) under no fault conditions and degrade to 1oo1 (1 out of 1) upon
detection of the first fault in either module. The modules fail-safe if faults
occur on both modules. The adapters operate in 1oo2 under no-fault conditions
and degrade to 1oo1 upon detection of the first fault. A duplex system could
therefore be 1oo2 reverting to 1oo1 on the first detected fault and reverting to
fail-safe when both modules have a fault. Fail-safe is defined as the ‘de-
energized’ or ‘off’ state.

The Ethernet architecture has no effect on SIL 2 safety functions. You can use
either of these example drawings, or any other appropriate Ethernet network.
From a safety aspect, if the Ethernet packets are not sent successfully, then the
SIL 2 safety functions go to their respective safe states.

86 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Figure 53 - Duplex DLR with a ControlLogix Controller

SIL 2 ControlLogix SIF

Sensor
Actuator

1756-EN2TR

1756-EN2TR
1756-RM2

1756-RM2
1756-L72

1756-L72
1715- 1715- 1715- 1715-
TADIB16D TADOB8DE TADOF8 TADIF16
TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA AOTA AOTA

Dual. AOTA AOTA AOTA AOTA
Dual. Dual. Dual. Dual. Dual. Dual. Dual. Dual.

1715-AENTR

1715-AENTR

1715-OB8DE

1715-OB8DE
1715-IB16D

1715-IB16D

1715-OF8I

1715-OF8I

1715-IF16

1715-IF16
1715-A310

1715-A310

1715-A310
IO BASE

IO BASE

IO BASE
1715-A2A 1715-A3IO 1715-A3IO 1715-A3IO

Star Topology
Figure 54 - Simplex Star with a ControlLogix Controller

Sensor Actuator
1756-EN2TR
1756-L72

EtherNet/IP
Switch

1715- 1715- 1715- 1715-

TASOB8DE TASIB16D TASIF16 TASOF8

TERMINAL IDENTITY
TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA AOTA AOTA AOTA

Dual. Dual. Dual. Dual. Dual. Dual.
1715-AENTR

1715-AENTR

1715-OB8DE

1715-IB16D

1715-OF8I
1715-IF16
1715-A310

1715-A310
IO BASE

IO BASE

1715-A2A 1715-A3IO 1715-A3IO

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 87

Chapter 7 1715 Redundant I/O Modules

Figure 55 - Duplex Star Topology with a ControlLogix Controller

Actuator

1756-EN2TR

1756-EN2TR
Sensor

1756-RM2

1756-RM2
1756-L72

1756-L72
EtherNet/IP
Switch

1715- 1715- 1715- 1715-

TADIB16D TADOB8DE TADOF8 TADIF16
TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1
CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA AOTA AOTA

Dual. AOTA AOTA AOTA AOTA
Dual. Dual. Dual. Dual. Dual. Dual. Dual. Dual.

1715-AENTR

1715-AENTR

1715-OB8DE

1715-OB8DE
1715-IB16D

1715-IB16D

1715-OF8I

1715-OF8I

1715-IF16

1715-IF16
1715-A310

1715-A310

1715-A310
IO BASE

IO BASE

IO BASE
1715-A2A 1715-A3IO 1715-A3IO 1715-A3IO

Internal Diagnostics The 1715 adapters feature internal diagnostics to identify faults that develop
during operation and raise appropriate alarm and status indications. The
diagnostic systems run automatically and check for system faults that are
associated with the I/O modules and field faults that are associated with field
I/O circuits.

The internal diagnostics detect and reveal both safe and dangerous failures. In
a duplex configuration, for example, diagnostics can address dangerous
failures and therefore the duplex system can be 1oo2 reverting to 1oo1 on the
first detected fault and reverting to fail-safe when both modules have a fault.

Power Supplies On de-energize-to-trip, two power supplies can be used if fault tolerance is
required on the power supplies.

If only one power supply is used, both of the power connections must be
connected to it (system power can be from another power supply to the I/O
modules).

For energize-to-action, dual power supplies are required for both the system
and field supplies. The system provides the power supply monitoring, but
monitoring needs to be connected in the application.

88 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Requirements for Using You must follow these requirements when using 1715 I/O modules in a SIL 2
1715 I/O Modules application.

IMPORTANT • In safety applications, channel discrepancy alarms must be monitored

by the application program and used to provide an alarm to operations
personnel.
• Equipment must be installed and wired in accordance with the product
installation and wiring instructions. See the Redundant I/O System User
Manual, publication 1715-UM001.
• For energize-to-action systems, you must follow the additional
requirements that are described in this section.

The maximum duration for single-channel operation of I/O modules depends

on the specific process and must be specified individually for each application.
For high availability, Rockwell Automation suggests you use two 1715-AENTR
adapters. If one of the modules faults, the adapters can operate in a simplex
arrangement up to the duration of the mean time to restoration (MTTR) when
used in SIL 2 applications.

Energize-to-action Requirements

Certain applications can require energize-to-action for inputs or outputs or

both.

IMPORTANT Energize-to-action configurations can be used only if the following

apply:
• At least two independent power sources must be used for both the
system and field supplies. The system provides the power supply
monitoring, but the monitoring must be connected in the application.
These power sources must provide emergency power for a safe
process shutdown or a time span that is required by the application.
• Each power source must feature power integrity monitoring with
safety-critical input readback into the system controller or implicit
power monitoring that is provided by the I/O modules. Any power
failure must trigger an alarm.
• Unless provided implicitly in the I/O modules, all safety-critical inputs
and outputs must be fitted with external line and load integrity
monitoring and safety-critical readback of the line-status signals. Any
line or load failure must trigger an alarm.
• The application program must be designed to shut down energize-to-
action SIL 2 safety instrumented functions if a faulty simplex adapter
or output module has not been replaced within the mean time to
restoration (MTTR).
• For SIL 2 high demand, energize-to-action applications, you must use
two output modules.
In cases where one or more outputs is used in an energize-to-action
configuration, all specific requirements that are listed previously must
be implemented for all associated inputs.

IMPORTANT SIL 1 applications must use the wiring and measures that are defined
for SIL 2 applications. Energize-to-action requires line monitoring for
any SIL application.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 89

Chapter 7 1715 Redundant I/O Modules

Requirements for Add-On Instructions

ControlLogix-based SIL 2
Applications The Add-On Instructions provide a mechanism to verify the validity of data
that is transferred between the ControlLogix controller and the 1715 adapter.
When you use the Add-On Instructions, the sender of the data adds check data
to the produced data. The receiver of the data uses the check data to verify the
integrity of the consumed data.

IMPORTANT To meet SIL 2 application requirements in a ControlLogix system that

uses 1715 I/O, you must use the 1715 Add-On Instructions that are
described in Chapter 8.

Connection Reaction Time Limit

The Connection Reaction Time Limit (CRTL) setting defines the maximum
time that the connection can operate with old data, before substituting the
configured safe state values. If the CRTL expires, the receiver requires a SIL 2
Reset before valid data is provided again.

For an input module, if the CRTL expires before the Add-On Instruction
detects valid data, the value of the affected input assembly transitions to the
configured safe state value. A SIL 2 reset is required before inputs transition
from the safe state to field values.

For an output module, if the CRTL expires before the 1715 firmware detects
that valid output data is received from the Logix controller the output data
transitions to the configured safe state values. In this case, a SIL 2 Reset is
required before outputs can be re-energized.

Using the 1715 Adapter in The 1715-AENTR adapter performs the following functions:
SIL 2 Applications • External communication with the controller via an Ethernet network
• Communication with I/O modules, such as receiving input values,
sending output values, and coordinating diagnostics
• Enforcement of the output CRTL on data that is received from a
ControlLogix controller

For high availability, use two 1715-AENTR adapters in simplex and duplex SIL 2
applications.

Reaction to Faults

The 1715-AENTR adapter reports faults via status indicators that turn red when
a fault is detected in the adapter. Fault indications are also sent to the user
application. These variables provide the following information:
• Module presence
• Module health and status
• Channel health and status
• An echo of the front panel indications

90 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Using 1715 I/O Modules in I/O modules can be replaced or installed online without an effect on controller
SIL 2 Applications operation, provided at least one module is installed and is fully operational.
However, each module must be installed one at a time and allowed to startup
before the next module is installed.

Input Modules

The simplex and duplex termination assemblies are safety critical, that is, an
input or output that is attached to a field device, and provide termination for
16 channels. They connect the field signals to the input modules. Both digital
and analog input termination assembly circuits have fuse protection.

Input modules support high availability when they are configured for duplex
operation and they use the appropriate termination assembly.

Input modules can be configured to operate in SIL 2 energize-to-action or

de-energize-to-trip applications.

Reactions to Faults

If an input channel is not capable of reporting a voltage within a safety

accuracy specification of 1% of the full-scale measurement range, then the
module returns safe values to the processor. Signals transition to a safe state if
the module scan time exceeds the connection reaction time limit (CRTL).

All I/O modules feature status indicators and can also report faults via
application variables. All modules provide the following status information:
• Module presence
• Module health and status
• Channel health and status
• Field faults
• An echo of the front panel indicators for each module

Safety Accuracy

The I/O input modules determine the channel state and the line fault state by
comparing the reported input values with user-programmed threshold values.
For each channel of a module, two independent measurements are made. The
discrepancy between these measurements is monitored to determine if it is
within the safety accuracy limit.

The channel is in fault and the last valid value is held until after the CRTL
period if the values are outside these limits:
• Digital input module = 4%
• Analog input module = 1%

After the CRTL period, the value changes to 0.

When using dual modules that are both reporting valid channel data, the
lowest value is used. If one module of a pair reports a fault on a channel, the
value of the operational module is used.
Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 91
Chapter 7 1715 Redundant I/O Modules

ATTENTION: In safety critical applications, the discrepancy alarms must be

monitored by the application program and used to provide an alarm to
operations personnel.

Digital Output Modules

The digital output module is rated at SIL 2 as a fail-safe module. Each module
provides the following safety functions:
• Output channel signals are based on commands from the controller.
• Redundant voltage and current measurements are sent to the controller
for monitoring and diagnostics.
• Modules feature overcurrent and overvoltage channel protection.
• Diagnostic tests are executed on command from the adapter and results
are reported back to the adapter.
• On power-up or module insertion, all output channels are set to the de-
energized (fail-safe) state until command states are received from the
controller. Each channel is driven individually according to the
command state values.
• The module enters a shutdown mode when the time between controller
communication exceeds the CRTL.
• If a module fails, then all of its channels are set to the de-energized state.

The digital output termination assembly is safety critical and comes in two
sizes - simplex or duplex. Termination assemblies have fuses for field output
power and eight field termination connections for the output signals.

Output modules support high availability when they are configured for duplex
operation and they use the appropriate termination assembly.

Reaction to Faults

If an output module faults, the following status information is reported:

• Module presence
• Module health and status
• Channel health and status
• Field faults
• An echo of the front panel indicators for each module

If any of the following internal conditions exist, the output module fails safe:
• Internal software error is detected
• Over-temperature condition is detected
• Power supply rails are out of tolerance

The digital output module incorporates line test functionality that can detect
and indicate 'no load' field faults. This functionality can be enabled or disabled.

92 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Figure 56 - No Load Detection

Shutdown Modes

When the module is in shutdown mode, the Ready and Run indicators turn
red. During module configuration, you choose how you want the output
channels to behave in the shutdown mode, whether due to fault or Program
mode. Output module channels can be configured to provide the following
channel values:
• De-energized (Off), which is the default fail-safe value
• Hold Last State
Figure 57 - Output States

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 93

Chapter 7 1715 Redundant I/O Modules

Analog Output Modules

The analog output module can be used in applications where the output
current is in the range 4…20 mA during normal operation, including a trip/
action value and where 0 mA is the fail-safe value. In these applications, one
1715-OF8I output module is sufficient for SIL 2 requirements, two modules
provide a 1oo2 level.

The analog output module is rated at SIL 2 as a fail-safe simplex module and
when used in a 1oo2 configuration as a duplex module with these features:
• Commanded values and scaling factor

The fail-safe lowest commanded value irrespective of the scaling factor is

0 mA. The application cannot change the scaling factor; only an online
update can change the scaling factor.
• Fail-safe guard band

The fail-safe guard is 1% (0…2 mA) and not user-configurable.

Reaction to Faults

If an output module faults, the following status information is reported:

• Module presence
• Module health and status
• Channel health and status
• Field faults
• An echo of the front panel indicators for each module

If any of the following internal conditions exist, the output module fails safe:
• An internal software error is detected
• A power feed combiner over-temperature condition is detected

Shutdown Mode

When the module is in the shutdown mode, the Ready and Run indicators turn
red. The default state is OFF (de-energized).

94 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Considerations for Sensor

and Actuator Configurations IMPORTANT In safety-critical applications that use one sensor or single actuator, it
is important that the sensor failure modes be predictable and
understood so that there is little probability of a failed sensor not
responding to a critical process condition. Test the sensor regularly,
either by dynamic process conditions that are verified in the 1715
system, or by manual intervention testing. It is recommended that a
written test plan is used for all testing.

The function of a signal must be considered. In many cases, redundant sensor

and actuator configurations can be used, or differing sensor and actuator
types provide alternate detection and control possibilities. Plant facilities
frequently have related signals, such as start and stop signals. In these cases, it
is important to make sure that failures beyond the fault-tolerant capability of
the system do not result in either the inability to respond safely or in
inadvertent operation. In some cases, this requires that channels are on the
same module to make sure that if a module faults, the associated signals fail
safe.

It is often necessary to separate signals across modules. Where non-redundant

configurations are employed, it is especially important to make sure that the
fail-safe action is generated if there are failures within the system.

Field-loop power and its effect on inputs (sensors and modules) and outputs
(modules and actuators) must be considered. For normally energized
configurations, field-loop power loss leads to fail-safe reaction.

Where separate supplies power field signals, power separation must be

maintained between modules so that isolation is maintained.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 95

Chapter 7 1715 Redundant I/O Modules

Configure SIL 2 Operation To configure 1715 modules for SIL 2 applications, you must enable each 1715
module in your system for SIL 2 operation and set its connection reaction time
limit (CRTL) and module requested packet interval (RPI). For input modules,
you must configure safe state input values.

Enable SIL 2 Operation

To enable a module for SIL 2 operation, complete the fields on the Module
Definition dialog box in the Logix Designer application as described in Table 3.
The fields that appear vary depending on the type of module.
Table 3 - Module Definition Fields for SIL 2 Operation
Field Description
Series Choose Series A.
Revision Choose 3.001 or later.
Electronic Keying Choose Compatible Module.
Connection Choose Data.
Input Data Choose any input data type.
Data Format Choose any data format.
• For single modules with simplex termination assemblies, choose No.
Redundant
• For two modules with duplex termination assemblies, choose Yes.
SIL2 Safety Choose Yes.
HART Enabled To enable an analog input module for HART communication, choose Yes.
Chassis Size Choose the chassis size.

Figure 58 - Module Definition Dialog Box - Examples for SIL 2 Operation

96 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Specify the Connection Reaction Time Limit and Requested Packet

Interval

On the SIL2 Safety tab of the module, enter the following:

• Requested packet interval (RPI). The module RPI must be the same as the
setting on the Connection tab.
• Connection reaction time limit (CRTL). The default value for the CRTL is
10,000 ms. The valid range is 1000…60,000 ms.

IMPORTANT When online, the Reset button on the SIL 2 Safety tab appears solid
when only the output data on any 1715 output module must be reset.
The Reset button resets only output data for the 1715-OF8I and
1715-OB8DE module outputs.
To reset inputs for all 1715 modules, you must use the Reset Input
parameter within the Add-On Instructions.

Figure 59 - SIL2 Safety Tab - RPI and CRTL Values

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 97

Chapter 7 1715 Redundant I/O Modules

Considerations for Setting the CRTL

The value of the CRTL forms part of the safety considerations for the system.
You are responsible for calculating and verifying that the CRTL meets the
safety reaction time for your safety function.

IMPORTANT For information about how to configure the safety reaction time for
your safety application, see page 148.
• In a 1715 system, the CRTL value is assigned to individual modules during
module configuration.
• If the input CRTL is not met, the controller presents fail-safe input values
to the application logic. Each time a valid packet is received from an
input module, the controller resets the CRTL. If the CRTL ever times out,
the controllers present fail-safe input values to the application logic.
• Each time a valid packet is received from the controller, the output
module resets the CRTL. If the CRTL ever times out, the output module
assumes the fail-safe state.

IMPORTANT The default fail-safe state for all 1715 modules is de-energized.
• It is recommended that the CRTL remain at the default of four times the
RPI so that one invalid packet does not put the system into the safe state.
For example, if the RPI = 120 ms, then consider 480 ms as the minimum
CRTL. The information in the next section helps determine the
maximum setting for the CRTL.

Determining the Appropriate CRTL Value

Use the following method to confirm whether the default value is acceptable or
you must change the CRTL value for your application.

This equation governs the value of CRTL for the I/O connections:

where CRTLeuc is the process safety time for the equipment under control
(euc).

EXAMPLE Consider a system function that uses one sensor and one actuator with
the following parameters:
• CRTLeuc: 10,000 ms
• Sensor delay: 250 ms
• Time for an actuator (an ESD valve) to operate fully: 1750 ms
In this example, the setting of CRTL for the I/O connections is less than
or equal to 3000 ms.

98 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Set Safe State Values for Inputs

You must define the safe state values for inputs if the SIL 2 data verification
checks have determined that the connection is not valid and the Connection
Reaction Time Limit (CRTL) has expired.

The default safe state value for digital inputs is OFF; for analog input modules,
the safe state value is 0. Follow these steps to change the default values.
1. Click the Input States When CRTL Expires tab.
2. In the Default Value column, choose values for each input point.
3. Click OK.
Figure 60 - Input States When CRTL Expires

Check SIL 2 Reset Status If one or more errors persist longer than the Connection Reaction Time Limit
(CRTL), the connection uses safe state values and requires a reset to recover.
When online, the SIL 2 reset status is displayed on the SIL 2 Safety tab for
output modules.

Click Reset to reset the connection and enable the output modules to control
their outputs based on logic. To reset the connection for input modules, create
a reset tag within the Add-On Instruction.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 99

Chapter 7 1715 Redundant I/O Modules

View Module Information The configuration signature that appears on the SIL 2 Safety tab is composed
of an ID number, date, and time. The signature is updated whenever the
module configuration is changed.

Figure 61 - Configuration Signature

You must use this signature to enforce the use of a specific configuration
within your application. The signature is located in the CRC member of the
SIL 2 configuration tag of the module.

Figure 62 - Configuration Signature Tag Location

If you want to keep a record of the signature, you can click Copy to copy the
signature to the Windows clipboard.

100 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

Diagnostic Data

While online, click Diagnostics on the SIL 2 Safety tab to view data on the SIL2
Safety Diagnostics dialog box (Figure 63).

Figure 63 - SIL2 Safety Diagnostics

IMPORTANT The Reset Counters button on the Diagnostics tab resets only the
counters that are shown in the 1715 I/O module profiles.
It does not reset the counters that are displayed within the ControlLogix
Add-On Instructions.
The values that are retrieved from the 1715 output modules populate the
diagnostic information. Equivalent input module diagnostic data is
made available by the Add-On Instructions.

Configure the SIL 2 Task This SIL 2 task is a periodic task with priority (1). For more information, see
Period and Watchdog Chapter 9.

SIL Task/Program Instructions

The user application must contain one SIL task that is composed of programs
and routines. The SIL 2 task must be the top priority task of the controller and
the user-defined watchdog must be set to accommodate the SIL 2 task.

IMPORTANT Motion-related functions are not allowed and must not be used.

IMPORTANT You must dedicate a specific task for safety-related functions and set
that task to the highest priority (1). SIL 2 safety logic and logic that is
intended for use in non-SIL 2 functions must be separate.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 101

Chapter 7 1715 Redundant I/O Modules

The task period and task watchdog are configured in the Task Properties
dialog box.

Figure 64 - Task Properties

Configuring the Output Module Program/Fault Actions

For a SIL 2 safety system, you are responsible for making sure that the SIL 2
related safety code, including the SIL 2 Add-On Instructions, are scanned by a
safety task watchdog.

See Using ControlLogix in SIL 2 Safety Applications Reference Manual for

safety watchdog requirements.

Safety Watchdog

Configure the properties of the task that is used for safety correctly for your
application.
• Priority: must be the highest-priority task in the application (lowest
number).
• Watchdog: the value that is entered for the SIL 2 safety task must be large
enough for all logic in the task to be scanned.

If the task execution time exceeds the watchdog time, a major fault occurs on
the controller. Users must monitor the watchdog and program the system
outputs to transition to the safe state (typically the OFF state) if there is a
major fault on the controller. For more information on faults, see Chapter 10.

IMPORTANT The preferred way to meet this controller requirement in a 1715 SIL 2
system is to configure both the PROGRAM MODE and FAULT MODE tables
for the 1715-OB8DE and 1715-OF8I with safe state values.

102 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 7 1715 Redundant I/O Modules

This handles all fault scenarios:

• If a controller fault, such as a watchdog fault occurs, the controller goes
to program mode, which causes the 1715 I/O to go to the Program Mode
states.
• If there is a system fault that causes a communications loss to the I/O
modules, then the 1715 I/O goes to the Fault Mode states.
• If there is a CRTL (Connection Reaction Time Limit) timeout in the 1715-
AENTR adapter, then the 1715 output modules go to the Fault Mode
states.
Figure 65 - Fault/Program Action Tab for 1715-OB8DE

Figure 66 - Fault/Program Action Tab for 1715-OF8I

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 103

Chapter 7 1715 Redundant I/O Modules

104 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8

SIL 2 Add-On Instructions

for 1715 Redundant I/O Modules

SIL 2 Add-On Instructions

Overview
IMPORTANT To achieve SIL 2 with 1715 I/O modules in a ControlLogix® system, you must use the Add-On Instructions in Table 4. The
1715 Add-On Instructions verify the validity of data that is transferred between the ControlLogix controller and the 1715
I/O modules via the 1715-AENTR adapter. The 1715 Add-On Instructions are different than the Add-On Instructions for
1756 I/O.
See Download and Import the Add-On Instructions on page 110.
When you use 1715 SIL 2 Add-On Instructions, you do not read inputs directly from the input table, nor do you write
directly to the output tags. You read inputs from an Add-On Instruction tag that is called ‘reconciled input data,’ and
write outputs to an Add-On Instruction tag called ‘requested output data.’
There is also an Add-On Instruction that is required for the 1715-AENTR adapter. The status data from the 1715-AENTR
adapter must be validated by using this Add-On Instruction.
You cannot view the logic of each Add-On Instruction because it is source protected.

Table 4 - SIL 2 Add-On Instructions

Module System Configuration Add-On Instruction Name
Simplex IB16D_Simplex_SIL2
1715-IB16D
IB16D_Simplex_SIL2_V3
Duplex IB16D_Duplex_SIL2
IB16D_Duplex_SIL2_V3
Simplex OB8DE_Simplex_SIL2
1715-OB8DE
OB8DE_Simplex_SIL2_V3
Duplex OB8DE_Duplex_SIL2
OB8DE_Duplex_SIL2_V3
Simplex IF16_Simplex_SIL2
1715-IF16
IF16_Simplex_SIL2_V3
Simplex with HART IF16_Simplex_HART_SIL2_V3
Duplex IF16_Duplex_SIL2
IF16_Duplex_SIL2_V3
Duplex with HART IF16_Duplex_HART_SIL2_V3
Simplex OF8I_Simplex_SIL2
1715-OF8I
OF8I_Simplex_SIL2_V3
Simplex with HART OF8I_Simplex_HART_SIL2_V3
Duplex OF8I_Duplex_SIL2
OF8I_Duplex_SIL2_V3
Duplex with HART OF8I_Duplex_HART_SIL2_V3
1715-AENTR Duplex AENTR_SIL2
AENTR_SIL2_V3

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 105

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

When you import any of the previously listed Add-On Instructions, the system
also imports the CRC_calculator instruction. The CRC_calculator instruction
calculates the CRC for incoming packets and compares the result against the
actual CRC received in the packet. The instruction also calculates the CRC that
is placed in the outgoing packet.

SIL 2 check data is added to data packets by the producer and the consumer
verifies this check data to determine the validity of the data transfer.

For input data from the 1715 modules, the 1715-AENTR adapter is the producer
and the ControlLogix controller is the consumer. The 1715-AENTR adapter
adds the check data, and the Add-On Instructions verify that valid data is
received within the connection reaction time limit (CRTL) of the module. If
valid data is not received within the CRTL, the instruction substitutes the
configured safe state values of the module in place of the invalid data.

For output data to the 1715 modules, the ControlLogix controller is the
producer and the 1715-AENTR adapter is the consumer. The Add-On
Instructions add SIL 2 diagnostic information (check data) to the module
assemblies, including a sequence number, source and destination IDs, and
CRC. The 1715-AENTR adapter verifies that valid data is received within the
CRTL. Outputs are placed into the safe state if the CRTL expires.

The 1715 input modules send data only in one direction, from the 1715-AENTR
adapter to the ControlLogix controller. In contrast, for the 1715 output
modules, data is sent in both directions: status to the controller and output
data from the controller.

The Add-On Instructions automatically perform error rate monitoring on the

input data that they process without any user configuration. The error rate
monitoring does the following:
• Helps to make sure that the maximum allowed error rate for SIL 2 has
not been exceeded.
• Shuts down a link immediately by forcing Add-On Instruction outputs to
shut down states and require a SIL 2 reset

The Add-On Instructions provide an output (CRC_error) that indicates if this

condition has occurred. A SIL 2 reset can be used to reset this condition.

106 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

The following figures illustrate how the Add-On Instructions work with input
and output data.

Figure 67 - Diagram of Input Module Add-On Instruction

1715-IF16 Data Packet IF16_Duplex_SIL2 Add-On Instruction

1756 Controller Tags
1715- 1715-
TASIF16 TASIF16

TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

Input Data Input Data

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA

Dual. Dual. Dual.
1715-AENTR

1715-AENTR

1715-IF16

1715-IF16

.
SIL 2 Check Data SIL 2 Check Data

lid
va
1715-A310
IO BASE

is
ta
Da
1715-A2A 1715-A3IO

The Add-On Reconciled Reconciled

Instruction verifies Input Data Input Data
1715-IF16 Configuration Tag the check data. Da
ta
is
no
tv
Module Configuration Module Configuration ali
d.
Check Data Check Data

Safe State Defaults Safe State Defaults

IMPORTANT: The 1715-IF16 module is shown, but the example also applies to the 1715-IB16D module.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 107

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Figure 68 - Diagram of Output Module Add-On Instruction

Input Data System

OF8_Duplex_SIL2 Add-On Instruction 1756 Controller Tags

1715-OF8 Input Data Packet
1715- 1715-
TASOF8 TASOF8

TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

Input Data (status) Input Data

AOTA AOTA AOTA
Dual. Dual. Dual.
1715-AENTR

1715-AENTR

1715-OF8

1715-OF8

.
lid
SIL 2 Check Data SIL 2 Check Data

va
1715-A310

is
IO BASE

ta
Da
1715-A2A 1715-A3IO

The Add-On Reconciled Reconciled

Instruction verifies Input Data Input Data
the check data. Da
1715-OF8 Configuration Tag ta
is
no
tv
Module Configuration Module Configuration ali
d.
Check Data Check Data

Safe State Defaults Safe State Defaults

Output Data System

1756 Controller Tags OF8_Duplex_SIL2 Add-On Instruction 1715-OF8 Data Packet

1715- 1715-
TASOF8 TASOF8

TERMINAL IDENTITY TERMINAL IDENTITY TERMINAL IDENTITY

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1 CH1

AOTA AOTA AOTA

Dual. Dual. Dual.

Requested Requested

1715-AENTR

1715-AENTR
Output Data Output Data

1715-OF8

1715-OF8
1715-A310
IO BASE
1715-A2A 1715-A3IO
The Add-On Instruction
adds the check data to the Generate Sequence
requested output data and Number Output Data Output Data
generates a sequence
number and CRC to Generate CRC
generate the output
1715-OF8 Configuration Tag data packet.

Module Configuration Module Configuration

Check Data Check Data

IMPORTANT: The 1715-OF8 module is shown, but the example also applies to the 1715-OB8DE module.

108 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

SIL 2 Check Data The instructions gather data from the module-defined configuration tags for
the following check data values.
Table 5 - Check Data Values
Value Description
VariantID The revision of the module, which is always 2.
For input assemblies, this is the IP address of the 1715 adapter.
SourceIP For output assemblies, this is the IP address of the ControlLogix Ethernet module.
For input assemblies, this is the IP address of the ControlLogix Ethernet module.
DestinationIP For output assemblies, this is the IP address of the 1715 adapter.
For input assemblies, this is the slot number of the 1715 module.
SourceSlot For output assemblies, this is the slot number of the ControlLogix controller.
For input assemblies, this is the slot number of the ControlLogix controller.
DestinationSlot For output assemblies, this is the slot number of the 1715 module.

The instructions add or check data for these fields.

Table 6 - Add or Check Data Fields
Value Description
The instruction monitors a sequence number in the module-defined Input Data tag. In normal operation, the sequence
number increments by 1 with each incoming packet:
• If the sequence number is a duplicate or is lower than expected, data is discarded as invalid. The CRTL is not reset.
• If the sequence number is higher than expected but within a deadband of 100, the data packet is accepted. Data remains
SequenceNumber valid and the CRTL is reset.
• If the sequence number is more than 100 greater than the expected number, the data is discarded as invalid. The CRTL is
not reset.
For each output packet, the instruction increments the sequence number, starting with 0 when the connection is initially
established.
Important: The sequence number is not configurable.
The instruction calculates a CRC on the input data based on the module-defined input tag and compares this value against
the CRC in the input data. If the CRCs do not match, the data is discarded as invalid.
CRC The instruction calculates a CRC on the output data based on the complete module-defined output tag. This CRC is added to
the 1715 module-defined output tag.
SIL2ResetNeeded After the CRTL expires, the 1715-AENTR adapter adds this flag to the SIL 2 check data to indicate that it is providing the safe
(output modules only) state values, not valid application data to the output modules. A reset is necessary begin providing valid application data.

Add-On Instruction Inputs The Add-On Instructions use these inputs.

Table 7 - Add-On Instruction Inputs
Input Description
The Add-On Instruction gets the appropriate SIL 2 check data values from this module-defined configuration tag. The
Config_Data instruction uses this check data to populate the 1715 output data and verify the 1715 input data. You must point to this tag
when configuring the Add-On Instruction.
Only for output modules: This user-defined Requested Output Data tag contains data from the program logic. The output
Requested_Output_Data Add-On Instruction takes this requested output data, adds the check data, and places this data in the module -defined
Output Data tag.
Output_Data The raw data that is sent to the 1715 module. You must point to this tag when configuring the Add-On Instruction.
If the Add-On Instruction examines the check data and determines that the input data is valid, the data in this tag is a
duplicate of the original data that is received from the input module.
Reconciled_Input_Data If the Add-On Instruction examines the check data and determines that the data is not valid, the safe state values are
substituted in the Reconciled Input Data tag.
This is the input data to be used in the logic program.
Input_Data This is the raw data from the 1715 module. You must point to this tag when configuring the Add-On Instruction.
Module_RPI Enter this value manually from the module properties. Use the exact value to optimize system bandwidth.
The reset function requires a LO to HI transition of this tag. It resets faults and directs the ControlLogix controller to stop
Reset transferring the safe state data and start transferring the actual data if the SIL 2 check data is verified. This tag is also sent
to the 1715 output modules so that outputs can be reset from the safe state.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 109

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Add-On Instruction Outputs The Add-On Instructions generate these outputs.

Table 8 - Add-On Instruction Outputs
Output Description
This value is HI if the Add-On Instruction is moving the input data to the Reconciled Input Data tag without substituting safe
state values. This value remains HI if packets are being discarded but the CRTL has not timed out. During this time, the
Data Valid reconciled input data is not updated and data is no longer current. If the CRTL expires, the safe state values are placed into
the Reconciled Input Data tag.
If valid data is being received from the module this output is HI regardless of whether this data is being moved to the
Reconciled Input Data tag. This output must be HI before you perform a SIL 2 Reset to begin moving actual data to the
Reconciled Input Data tag.
Valid Data Being Received This output goes LO if a valid data packet is not received for a time equaling three module RPIs. If this output is toggling LO,
verify that the RPI entered into the Add-On Instruction matches the actual module RPI. The periodic task rate can also affect
this output. If the periodic task rate is too high, then the packets are not processed often enough. See the 1715 SIL 2 task
recommendations in this manual for configuration recommendations.
If the reset button is HI for longer than 3 seconds, a tiedown fault is declared. The fault is cleared when the reset button
Reset Tiedown Fault transitions to LO.
CRC Error CRC Error is HI if the accumulated error count (for detected CRC errors) has exceeded the allowable threshold.
Duplicate Sequence Number If the sequence number is a duplicate, data is discarded as invalid and this output is set HI to indicate the reason.
Low Sequence Number If the sequence number is lower than expected, data is discarded as invalid and this output is set HI to indicate the reason.
High Sequence Number If the sequence number is higher than expected, data is discarded as invalid and this output is set HI to indicate the reason.
Source IP Error
Source Slot Error
If any of these check data values, described on page 109, do not match the values in the 1715 module configuration, data is
Destination IP Error declared invalid and discarded. The appropriate output is set HI to indicate the reason.
Destination Slot Error
Variant ID Error
This output is set LO if the Add-On Instruction detects a connection loss. Input data is declared invalid and the CRTL is not
Module Connection Status reset. When the connection is re-established, this output is set HI.
If the 1715 module is at the correct firmware revision level (Variant ID = 2) and the logic in the Add-On Instruction is being
Add-On Instruction Running scanned, this output toggles at the rate of the RPI.
Only for output modules: This output is set HI if a SIL 2 Reset is necessary reset the outputs from the safe state and begin
SIL 2 Output Reset Needed controlling outputs programmatically. See Performing a SIL 2 Reset on page 123.
CRTL Countdown A countdown of the amount of time that remains before the CRTL expires.
Number of Discarded Data Packets A count of the data packets that have been discarded as invalid.

Download and Import the The SIL 2 Add-On Instructions are available from the
Add-On Instructions Product Compatibility and Download Center website.

IMPORTANT Before you import the Add-On Instructions to your project, you must do
the following.
1) Add your I/O modules to the project in the I/O configuration tree and
configure them properly.
2) SIL 2 = Yes must be selected when configuring the module.
This creates the data types and tags that you must use in the Add-On
Instruction.

Follow these steps to add the instructions to your project.

1. Expand Assets, right-click the Add-On Instructions folder and choose
Import Add-On Instruction.
2. Select the appropriate Add-On Instruction and click Import.
3. Click OK on the Import Configuration dialog box.
4. Repeat steps 1…3 for each Add-On Instruction that you require.

The Add-On Instructions folder now contains the instructions that you
imported. The instructions also appear on the Add-On tab of the instruction
toolbar. The CRC calculator Add-On Instruction also appears.

110 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

IMPORTANT You see the following warning for each Add-On Instruction import except
the first one. Each Add-On Instruction import overwrites the Add-On
Instruction that is called ‘CRC Calculator,’ and this warning appears
because it is source protected. Click OK.

The appropriate data types are now available in your project.

Figure 69 - Data Types for 1715-IB16D Module with Duplex Configuration

Import Add-On Instructions to Upgraded Projects

To upgrade a project with new Add-On Instructions, follow these steps.

1. Upgrade the Add-on Profiles to SIL 2-capable versions.
2. Configure SIL 2=Yes in the module configuration and click Apply to
create the required module defined data types.
3. Import the new Add-On Instructions.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 111

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Create a Periodic Task for We recommend that your user application contains one SIL task that is
SIL 2 Safety Functions composed of programs and routines that contain all the logic for the SIL 2-
rated safety functions.

IMPORTANT Create as many SIL 2 programs and routines as required for the SIL 2
logic. Keep in mind that the goal is to have logic with these
characteristics:
• Easy to understand
• Easy to trace
• Easy to change
• Easy to test
• Well-documented

The SIL 2 task must be the top-priority task of the controller, and the user-
defined watchdog must be set to accommodate the SIL task. This task must be
separate from all logic for the non-SIL 2-rated functions.

Follow these steps to create the SIL 2 periodic task.

1. In the Controller Organizer, right-click the Tasks folder and choose New
Task.

2. Name the task.

3. In the Type field, choose Periodic.

4. To define the Period, Priority, and Watchdog values, see the following
section.
5. Click OK.

112 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

1715 SIL 2 Periodic Task Period Configuration

The following are recommendations to configure the Period value for a

periodic task in SIL 2 applications. Set the period to the minimum 1715 SIL 2
module RPI divided by 2.

See the following example for when default RPIs are used.

Table 9 - Module Default RPIs

1715 Module RPI
Adapters 180 ms
Digital modules 60 ms (lowest)
Analog modules 120 ms

1. Make the period 60/2 = 30 ms.

IMPORTANT • All 1715 SIL 2 Add-On Instructions have unique timer presets set to
the module RPI / 2, so each Add-On Instruction processes packets
at a rate that is based on its module RPI. In Table 9, the AENTR only
processes a packet at 180/2=90 ms; every third task period. The
analog modules process a packet at 120/2 = 60 ms; every other
task period. The Add-On Instruction obtains the RPI from the RPI
input parameter on the Add-On Instruction, which is why it is
important to enter this value to match the actual module RPI.
• Although the timer preset within the Add-On Instructions equals
RPI/2, the periodic task rate affects the actual rate the Add-On
Instructions process packets and the periodic task scan time. As
these values get lower, the timer resolution improves and packets
are processed closer to the RPI/2 timer preset.

IMPORTANT Make sure that the SIL 2 task period allows enough time for the
SIL 2 task, including the Add-On Instructions, to complete.
Adjusting the period time above the suggested value can be
needed if many 1715 modules are used as this adds more Add-On
Instructions. Any increase to the safety task period impacts the
safety reaction time. See page 150.
2. Set the priority to 1.
3. Set the Task Watchdog based on the following:
• How long it takes to run the SIL 2 code (see Add-On Instruction Scan
Times on page 149)
• How small the task watchdog must be to help verify that safety
reaction times are met (see Safety Reaction Time Calculations on page
page 150).

If you do not have the information that is required to complete the

watchdog time, leave the default of 500 ms and adjust it later when you
have more information.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 113

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Create a Program for the 1. Right-click the newly created task and choose New Program.
SIL 2 Period Task 2. Name the program.
3. Verify that it is scheduled in the SIL 2 task.
4. Click OK.

Create a Routine for the 1. Right-click the newly created SIL 2 program and choose New Routine.
SIL 2 Program 2. Name the routine.
3. In the Type field, choose Ladder or Function Block as recommended for
SIL 2 safety functions.
4. In the In Program or Phase field, choose the SIL 2 program you created.
5. Click OK.

114 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Configure an Input Module Use the following instructions to configure an input module.
Add-On Instruction
IMPORTANT The 1715-AENTR adapter functions as an input module when you use 1715
SIL 2 Add-On Instructions.

Follow these steps to configure an input module Add-On Instruction.

1. From your SIL 2 program, add a rung to the ladder logic.
2. From the Instruction toolbar Add-On tab, click AENTR_SIL2_V3 to insert
the Add-On Instruction in your logic.
3. Create a tag for the Add-On Instruction by using the default data type
and read/write external access.

The tag can be controller- or program-scoped.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 115

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

4. Create a reset tag by using the default data type and read/write external
access.

The tag can be controller- or program-scoped.

5. Double-click the Config_Data field and choose the module configuration

tag.

If you have multiple modules, be sure to choose the configuration tag for
the appropriate module.

116 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

6. Double-click the Input Data field and choose the module input tag.

If you have multiple I/O modules, be sure to choose the input tag for the
appropriate module.

For the 1715 adapters, choose the status tag.

7. Create a tag for the Reconciled Input Data by using the default data type
and read/write external access.

The tag can be controller- or program-scoped.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 117

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

8. Enter the module RPI.

To optimize system bandwidth, type the same RPI value from the Module
Configuration dialog box.

Configure an Output Module Follow these steps to configure an output module Add-On Instruction.
Add-On Instruction 1. Add the Add-On Instruction to your routine from the Add-On tab of the
instruction toolbar.
2. Create a tag for the Add-On Instruction by using the default data type
and read/write external access.

The tag can be controller- or program-scoped.

118 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

3. Create a reset tag by using the default data type and read/write external
access.

The tag can be controller- or program-scoped.

4. Choose the module configuration tag.

If you have multiple modules, be sure to choose the configuration tag for
the appropriate module.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 119

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

5. Choose the module input tag.

If you have multiple modules, be sure to choose the input tag for the
appropriate module.

6. Create a tag for the Reconciled Input Data by using the default data type
and read/write external access.

The tag can be controller- or program-scoped.

7. Choose the module-defined output tag.

If you have multiple modules, be sure to choose the output tag for the
appropriate module.

120 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

8. Create a tag with the appropriate Add-On Instruction data type for the
.
Requested Output Data.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 121

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

9. Enter the module RPI.

To optimize system bandwidth, type the same RPI value from the module
configuration.

Use the Add-On Instruction The following illustrations provide basic examples of how the
Data Tags in an Application Requested_Output_Data tag and the Reconciled_Input_Data tag could be used
in program logic. Data is written to the requested output and read from the
Program reconciled input, while the raw data in the module-defined input and output
tags is ignored.

Figure 70 - Requested_Output_Data in Ladder Logic Example

Figure 71 - Reconciled_Input_Data in Ladder Logic Example

122 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Performing a SIL 2 Reset SIL 2 communication between a Logix controller and 1715 modules is achieved
by the sender of the data encoding additional check data into the produced tag
and the receiver of that tag by using that extra data (and time) to determine the
data that is received is valid.

Data can travel in either direction, that is, ControlLogix -> 1715 and 1715 ->
ControlLogix.

Each time the data passes the checks, it is deemed valid. If the checks fail for a
period > the CRTL value that is assigned to the module, a SIL 2 Reset is
required.

A SIL 2 Reset acknowledges that there has been a fault within the data and that
new data, if valid, must once again be used.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 123

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

The following diagram shows 1715 module output behavior.

127( µ3RZHU2II¶WUDQVLWLRQPD\RFFXUDW
WLPHIURP VWDWH2QO\WKLV
3RZHU2II WUDQVLWLRQLVVKRZQWRFODULI\WKHGLDJUDP
6
>3RZHUHG2))@
2XWSXWV2))

3RZHU2Q

6
2XWSXWV2))

9DOLG6,/'DWD5HFHLYHG

6
9DOLG6,/'DWD8SGDWH5HFHLYHG 2XWSXWV$V
:LWKLQ&57/ 5HFHLYHG

6,/5HVHW1HHGHG
9DOLG6,/'DWD8SGDWH 5HFHLYHG
:LWKLQ&57/

9DOLG6,/'DWD8SGDWH 5HFHLYHG
:LWKLQ&57/
6,/5HVHW5HFHLYHG

9DOLG6,/'DWD8SGDWH5HFHLYHG
:LWKLQ&57/

12

A SIL 2 reset of output modules can be performed only by clicking Reset on the
SIL 2 Safety tab of the Module Properties dialog box, or a LO to HI transition of the
reset tag in the 1715 SIL 2 Add-On Instructions.

124 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

When using input tags, that is, data from a 1715 input module to a
ControlLogix controller, the 1715 module that produces the input tag generates
more check data as part of the tag. It is the responsibility of the ControlLogix
application to use appropriate Add-On Instructions to validate the received
data. The behavior of the Add-On Instructions in processing input data is as
follows.

6
&/;$SS,QLW 127( :KHQHYHU'DWD9DOLG )$/6(WKH$2,PXVW
5HFRQFLOHG,QSXW  EH5HVHWDVHUURUVKDYHEHHQIRXQGLQWKH6,/
&RQILJXUHG'HIDXOWV WUDQVPLVVLRQIURPPRGXOHWR&/;LQSXWWDJ
'DWD9DOLG )$/6(
&57/7LPHUVWDUWHG

,QLWLDOLVDWLRQ&RPSOHWH

6
$SSOLFDWLRQ
5XQQLQJ

9DOLG6,/'DWD5HFHLYHG

9DOLG6,/'DWD8SGDWH 5HFHLYHG
:LWKLQ&57/
6
9DOLG6,/'DWD8SGDWH5HFHLYHG $SSOLFDWLRQ5XQQLQJ
:LWKLQ&57/ 5HFRQFLOHG,QSXW 
5HFHLYHG,QSXW'DWD
9DOLG6,/'DWD8SGDWH 5HFHLYHG
'DWD9DOLG 758(
:LWKLQ&57/

9DOLG6,/'DWD8SGDWH 5HFHLYHG
:LWKLQ&57/

6,/5HVHW

9DOLG6,/'DWD8SGDWH5HFHLYHG
:LWKLQ&57/

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 125

Chapter 8 SIL 2 Add-On Instructions for 1715 Redundant I/O Modules

Notes:

126 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 9

Requirements for Application Development

Software for The application software for the SIL 2-related automation system is created
SIL 2-Related Systems using RSLogix 5000® software or the Studio 5000 Logix Designer® application,
according to IEC 61131-3.

The application program has to be created by using the programming tool and
contains the specific equipment functions that the ControlLogix® system
implements. Parameters for the operating function are also entered into the
system with the programming software.

SIL 2 Programming The safety concept of the SIL 2 ControlLogix system assumes the following:
• The user who is responsible for creating, operating, and maintaining the
application is fully qualified, specially trained, and experienced in safety
systems.
• The programming software is installed correctly.
• Control system hardware is installed in accordance with product
installation guidelines.
• User application code (user program) uses common and good design
practices.
• A test plan is documented and adhered to, including well-understood
proof test requirements and procedures.
• A well-designed validation process is defined and implemented.

For the initial startup of a safety-related ControlLogix system, the entire

system must successfully complete a functional test. After a modification of
the application program, the modified program or logic must be checked.

For more information on how you handle changes to the application program,
see Changing Your Application Program on page 134.

Programming Languages As a best practice, keep safety-related logic as simple and easy to understand as
possible. The preferred language for safety-related functions is ladder logic,
followed by function block. Structured text and sequential function chart are
not recommended for safety-related functions. Use of the SequenceManager™
feature is not recommended for safety-related functions.

IMPORTANT If Program Parameters are used, safety-related tags can be read by

either standard or safety-related logic or other communication devices,
but can be written by only safety-related logic.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 127

Chapter 9 Requirements for Application Development

Security In the ControlLogix system and in the programming software, protection

mechanisms are available that help prevent unintentional or unauthorized
modifications to the safety system.
• The following tools can be employed for security reasons in a
SIL 2-certified ControlLogix application:
- Source Protection
- FactoryTalk® AssetCentre
- FactoryTalk Security

Each tool offers different levels of granularity. For more information

about these tools, contact your local Rockwell Automation
representative.
• The controller keyswitch must be in the RUN position, and remove the
key during normal operating conditions.
Figure 72 - Keyswitch in Run Mode
Logix557x

RUN FORCE SD OK

REM PR
RUN OG

ControlLogix 5560 ControlLogix 5570

• In RSLogix 5000 software, V18 and later, and in the Studio 5000 Logix
Designer® application, tags have two attributes: External Access and
Constant. External Access controls access from external applications like
HMIs. It can have values of Read/Write, Read Only, or None. All SIL 2
safety-related tags should be set to Read Only. The Constant attribute is
either on or off. When enabled, it helps prevent programmatic changes
of a tag's value. Where possible, it is highly recommended to configure
SIL 2 safety-related tags as Constant.

The requirements of the safety and application standards regarding the

protection against manipulations must be observed. The authorization of
employees and the necessary protection measures are the responsibility of the
individuals who start and maintain the SIL 2 safety system.

128 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 9 Requirements for Application Development

Basics of Application A system integrator develops the application program. The developer must
Program Development consider general procedures for programming ControlLogix SIL 2
applications. (does not require independent third-party review).
and Testing
• Specification of the SIL 2 safety control function, including the
following:
- Specifications
- Flow and timing charts
- Engineering diagrams
- Sequence charts
- Program description
- Program review process
• Writing the application program
• Checking by independent reviewer
• Verification and validation

All application logic must be independently reviewed and tested. To facilitate

reviews and reduce unintended responses, limit the set of instructions to basic
Boolean/ladder logic (such as examine On/Off, timers, counters) whenever
possible. Include instructions that can be used to accommodate analog
variables, such as the following:
• Limit tests
• Comparisons
• Math instructions

For more information, see Proof Tests on page 30.

Functional Specification You must create a specification for your control function. Use this
Guidelines specification to verify that program logic correctly and fully addresses the
functional and safety control requirements of your application. The
specification can be in various formats, depending on your application. The
specification must include a detailed description of the following (if applicable):
• Sequence of operations
• Flow and timing diagrams
• Sequence charts
• Program description
• Program print-out
• Written descriptions of the steps with step conditions and actuators to
be controlled, including the following:
- Input definitions
- Output definitions
- I/O wiring diagrams and references
- Theory of operation
• Matrix- or table form of stepped conditions and the actuators to be
controlled, including the sequence and timing diagrams
• Definition of marginal conditions, for example, operating modes,
emergency stop, and others
The I/O-portion of the specification must contain the analysis of field circuits,
that is, the type of sensors and actuators.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 129

Chapter 9 Requirements for Application Development

Sensors (digital or analog)

• Signal in standard operation (dormant current principle for digital
sensors, sensors OFF means no signal)
• Determination of redundancies that are required for SIL levels
• Discrepancy monitoring and visualization, including diagnostic logic

Actuators
• Position and activation in standard operation (normally OFF)
• Safe reaction or positions when switching OFF
• Discrepancy monitoring and visualization, including diagnostic logic

Creating the Consider the following when developing the application program logic.
Application Program
Logic and Instructions

The logic and instructions for programming the application must have these
features:
• Easy to understand
• Easy to trace
• Easy to change
• Easy to test
• Well-documented

IMPORTANT Motion-related functions are not allowed anywhere in the application

program and must not be used.

Program Language

You must implement simple, easy to understand program language with these
features:
• Ladder
• Other IEC 61131-3-compliant language
• Function blocks with specified characteristics

We use ladder, for example, because it is easier to visualize and make partial
program changes with this format.

Program Identification

Identify the application program by one of the following:

• Name
• Date
• Revision
• Any other user identification information
130 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022
 Chapter 9 Requirements for Application Development

SIL Task/Program Instructions

Include one SIL task that is composed of programs and routines in the user
application. The SIL 2 task must be the top priority task of the controller and
the user-defined watchdog must be set to accommodate the SIL 2 task.

IMPORTANT You must dedicate a specific task for safety-related functions and set
that task to the highest priority (1). SIL 2 safety logic and logic that is
intended for use in non-SIL 2 functions must be separate, or everything
in the task containing safety must be treated as safety-related.

Forcing The following rules apply to forcing in a project:

• You must remove forces on all SIL 2 tags and disable forcing before
beginning normal operation for the project.
• You must not force SIL 2 tags after validation is performed and during
controller operation in Run mode.

IMPORTANT Forcing must not be used during normal operation, during final system
test, and validation.

Checking the Application To check safety-related application logic for adherence to specific safety
Program functions, you must generate a suitable set of test cases that cover the safety
specification. The set of test cases must be well-written and filed as the test
specification.

Suitable tests must also be generated for the numeric evaluation of formulas.
Equivalent range tests are acceptable. Suitable tests are tests within defined
value ranges, at the limits, and outside the defined value ranges. The test cases
must be selected to prove the correctness of the calculation. The necessary
number of test cases depends on the formula that is used and must comprise
critical value pairs.

However, active simulation with sources cannot be omitted. It is the only

means to detect the correct wiring of the sensors and actuators to the system.
Furthermore, active simulation is the only means to test the system
configuration. You must verify the correct programmed functions by forcing
I/O or by manual manipulation of sensors and actuators.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 131

Chapter 9 Requirements for Application Development

Verify Download Verify the download of the application program and its proper operation. A
and Operation typical technique is to upload the completed program file and perform a
compare of that file against what is stored in the programming terminal.

IMPORTANT Do not use memory cards to transfer the safety application

automatically. After a safety application is downloaded, you must verify
the download.
The AutoFlash firmware feature is not supported for SIL 2 safety
applications and must not be used.

IMPORTANT If the controller has a USB port, it is intended for temporary local-
programming purposes only and not intended for permanent
connection.

To perform program verification, follow these steps in RSLogix 5000 software

or the Studio 5000 Logix Designer application.

1. With the programming software closed, rename the project.

2. Start the programming software, upload the controller project, and save
it.
3. Open the Compare Tool and select both files.
4. Start the compare operation.
5. Review the compare output results and verify that everything matches
without error.

Project documentation differences can exist.

6. Save the compare results as part of the verification process.
7. Delete the upload file.
8. To maintain project documentation, rename the original project file
(change back) to the original project name.

132 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 9 Requirements for Application Development

Commissioning Lifecycle Figure 73 shows the steps that are required to develop, debug, and commission
an application program.

Figure 73 - Application Development Lifecycle

Generate Functional
Specification

Create Flow
Diagram

Create Timing
Diagrams

Establish Sequence
of Operations

Develop Project Develop Project

Online Offline

Review Program with Download to

Independent Party Controller

Develop Test Plan

Perform Validation
Testing on all Logic

Yes Tests
Pass?

No
Verification
okay? Make more online edits and
accept edits or make more offline
edits and download to CTR

Begin Normal No
Determine what logic has
Project Operation
been Changed or Affected

Perform Validation Testing on

Download to Make project all Changed or Affected Logic
Controller changes

Finish the
Validation Test1

Secure PADT

1
You must periodically repeat the validation test (also known as proof tests) to make sure that module inputs and outputs are functioning properly and as commanded by the
application programming. For more information on proof tests for I/O modules, see Chapter 1, SIL Policy on page 13.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 133

Chapter 9 Requirements for Application Development

Changing Your The following rules apply when you change your application program in
Application Program RSLogix 5000 software or the Studio 5000 Logix Designer application:

IMPORTANT You cannot make program edits while the program is online if the
changes help prevent the system from executing the safety function or
if alternative protection methods are not in place.
• Program edits are not recommended and must be limited. For example,
minor changes such as changing a timer preset or analog setpoint are
allowed.
• Only authorized, specially trained personnel can make program edits.
These personnel must use all supervisory methods available, for example,
use the controller keyswitch and software password protections.
• Anyone making data or programming edits to an operational system
assumes the central safety responsibility while the changes are in
progress. These personnel must also maintain safe application
operation.
• Before you make any program edits, perform an impact analysis by
following the safety specification and other lifecycle steps that are
described in Figure 73 on page 133 as if the edits were an entirely
new program.
• Sufficiently document all program edits, including:
- Authorization.
- Impact analysis.
- Execution.
- Test information.
- Revision information.
• Multiple programmers cannot edit a program from multiple
programming terminals simultaneously.
• Changes to the safety application software–in this case, RSLogix 5000
software or the Studio 5000 Logix Designer application– must comply
with IEC 61511 standard on process safety section 11.7.1 Operator
Interface requirements.
• When the ControlLogix controller keyswitch is in the RUN position
(controller is in Run mode), you cannot make online edits.
• Use one of the following methods that are described in Table 10 on
page 135 to edit the relay ladder logic portion of the safety program.
• The keyswitch must be in the RUN position to be SIL 2 certified. If you
put the keyswitch into the REMOTE position to make an online edit, you
are not in safety mode. When you are finished with the online edit, you
must put the keyswitch into the RUN position and remove the key.

IMPORTANT Making any edit always involves following your own MOC (Management of
Change) procedures. There must be a validation before putting the
changed code into service. Online edits are the most risky method of
doing this and are not recommended.

134 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 9 Requirements for Application Development

Table 10 - Methods of Changing Your Application Program

Controller
Method Required Steps Keyswitch Key Points to this Method
Position
You must revalidate the entire application
Offline Perform the tasks that are described in the flowchart in Figure 73 on page 133. PROG before returning to normal operation.
1. Turn the controller key to the REM position.
2. To start, accept, test, and assemble your edits, use the Online Edit Toolbar. This is the toolbar.
Start Accept Assemble Test Untest
pending pending rung program program program
rung edit. edits. edits. edits. edits.

The project remains online but operates

in the Remote Run mode. When edits are
completed, you are required to validate
a. Click the start pending rung edits button . A copy is made of the rung that you want only the changed portion of the
to edit. application program.
b. Change your application program as needed. The original program is still active in the We recommend that online edits be
controller. Your program changes are made in the copied rungs. Changes do not affect the limited to minor program modifications
outputs until you test the program edits in step d. such as setpoint changes or ladder logic
rung additions, deletions, and
c. Click the accept pending rung edits button . Your program changes are verified and REM modifications.
Online
downloaded to the controller. The controller now has the changed program and the original
program. However, the controller continues to execute the original program. You can see IMPORTANT:This option to change the
the state of the inputs, and changes do not affect the outputs. application program is available for
changes to relay ladder logic only. You
d. Click the test program edits button . cannot use this method to change
function block programming.
e. To test the edits, click Yes. For more detailed information on how to
Changes are now executed and affect the outputs; the original program is no longer executed. edit ladder logic while online, see the
However, if you are not satisfied with the test results of the edits, you can discard the new Logix 5000 Controllers Quick Start,
publication 1756-QS001.
program by clicking the untest program edits button, if necessary. If you untest the
edits, the controller returns to the original program.

f. Click the assemble program edits button .

g. To assemble the edits, click Yes. The changes are the only program in the controller, and
the original program is discarded.
3. Perform a partial proof test of the portion of the application that is affected by the program
edits.
4. To return the project to Run mode, turn the controller key back to the RUN position. We
recommend that you upload the new program to your programming terminal to help make
sure consistency between the application in the controller and on the programming terminal.
5. Remove the key.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 135

Chapter 9 Requirements for Application Development

Notes:

136 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 10

Faults in the ControlLogix System

Along with providing information on module fault reports, this chapter

explains two example conditions that generate a fault in a SIL 2-certified
ControlLogix® system:
• Keyswitch changing out of Run mode
• High alarm condition on an analog input module

Detect and React to Faults The ControlLogix architecture provides many ways to detect and react to faults
in the system.
• Various device objects can be interrogated to determine the current
operating status.
• Modules provide runtime status of their operation and of the process
that is executing.
• You can configure a ControlLogix system to identify and handle faults,
including such tasks as:
- Developing a fault routine.
- Creating a user-defined major fault.
- Monitoring minor faults.
- Developing a power-up routine.
See the Logix 5000™ Controllers Common Procedures Programming Manual,
publication 1756-PM001, for more information.

It is your responsibility to determine what data is most appropriate for your

application to initiate a shutdown sequence.
To help handle faults, make sure that you have completed the input (see Checklist
for SIL Inputs on page 196) and output (see Checklist for SIL Outputs on page 197)
checklists for their application.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 137

Chapter 10 Faults in the ControlLogix System

Module Fault Reporting for You must verify that all components in the system are operating properly.
Any ControlLogix 1715 or Verification can be accomplished in ladder logic by using the Get System Value
instruction (GSV) and an examination of the MODULE Object Entry Status
1794 FLEX I/O Module attribute for a running condition.

An example of how to verify is shown in Figure 74. This method, or something

similar, must be used to interrogate the health of each I/O module in the
system.
Figure 74 - Example of How to Check the Health of a Module in Ladder Logic

GSV AND NEQ

Check Entry Status to

Obtain the MODULE Mask Off Lower 12 Bits of
make sure that the Fault
Object Entry Status Value
module is running.

For more information on the GSV instruction, monitor the SlotStatusBits for
the Input tag of the associated adapter. The lower 8 bits of this tag correspond
to the associated slot. For example, the tag “Node3:I.Slot1StatusBits” is defined
as follows:
• Node 3 is the name that is given to the adapter, in this example, a
1794-ACNR15.
• I indicates the Input file.
• SlotStatusBits is a 32-bit value, where the lower 8 bits correspond to a
FLEX™ I/O module, as shown.
Module 7 Module 6 Module 5 Module 4 Module 3 Module 2 Module 1 Module 0

Check Keyswitch Position The following rungs generate a fault if the keyswitch on the front of the
with GSV Instruction controller is switched from the RUN position.
Figure 75 - Keyswitch State (Operation mode) Change Logic
GSV
Class: CONTROLLERDEVICE
Attribute: STATUS
Destination: KEYSTATE

KEYSTATE.13
Fault

Fault

Alarm to Operator

In Figure 75 on page 138, the Get System Value (GSV) instruction interrogates
the STATUS attribute of the CONTROLLERDEVICE object and stores the
result in a word that is called KEYSTATE, where bits 12 and 13 define the state
of the keyswitch as shown in Table 11.
Table 11 - Keyswitch State Bits
Bit 13 Bit 12 Description
0 1 Keyswitch in Run position
1 0 Keyswitch in Program position
1 1 Keyswitch in Remote position

138 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 10 Faults in the ControlLogix System

If bit 13 is ever ON, then the keyswitch is not in the RUN position. Examine bit
13 of KEYSTATE for an ON state generates a fault.

It is your responsibility to determine appropriate behavior when a fault is

present.

For more information on the accessing the CTROLLERDEVICE object, see the
Logix 5000 Controllers General Instructions RefeONrence Manual,
publication 1756-RM003.

Examine a 1756 Analog Input ControlLogix analog modules process and compare field data values right on
Module’s High Alarm the module, which allows easy examination of status bits to initiate a fault.

For example, the 1756-IF8 module can be configured with user-defined alarm
values that, when exceeded, sets a status bit on the module, which is then sent
back to the controller. You can examine the state of these bits to initiate a fault
as shown in Figure 76.
Figure 76 - High Alarm Bit to Trigger Fault
Ch1HAlarmA Ch1HAlarmB Module A Module B
Fault

Fault
Alarm to
Operator

In the example above, the High Alarm bits for channels 1 and 2 are being
examined for a condition to initiate a fault. During operation, as the analog
input module processes analog signals from the field sensors, if the value
exceeds the user-defined value for High Alarm, the alarm bit is set and a fault is
declared.

It is your responsibility to determine appropriate behavior when a fault is

present.

The ControlLogix architecture provides for the detecting and reacting to faults
in the system. Various device objects can be interrogated to determine the
current operating status. Additionally, modules provide runtime status of their
operation and of the process.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 139

Chapter 10 Faults in the ControlLogix System

Notes:

140 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Chapter 11

Use of Human-to-Machine Interfaces

Precautions You must exercise precautions on HMI devices. These precautions include, but
are not restricted to the following:
• Limited access and security
• Specifications, testing, and validation
• Restrictions on data and access
• Limits on data and parameters

For more information on how HMI devices fit into a typical SIL loop, see
Figure 10 on page 27.

Use sound techniques in the application software within the HMI and
controller.

For specific HMI-related design information, see IEC 61511-1 11.7.2.

Accessing Safety-related HMI-related functions consist of two primary activities: reading and
Systems writing data.

Reading Parameters in Safety-related Systems

Reading data is unrestricted because reading doesn’t affect the operation or

behavior of the safety system. However, the number, frequency, and size of the
data being read can affect controller performance. To avoid safety-related
spurious trips, use good communication practices to limit the impact of
communication processing on the controller. Do not set read rates to the
fastest rate possible.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 141

Chapter 11 Use of Human-to-Machine Interfaces

Changing Safety-related Parameters in SIL-rated Systems

A parameter change in a safety-related loop via an external device outside of

the SIF, such as an HMI, is allowed only with the following restrictions:
• Only authorized, specially trained personnel (operators) can change the
parameters in safety-related systems via HMIs.
• The operator who changes a safety-related system via an HMI is
responsible for the effect of those changes on the SIF.
• You must clearly document variables that need changed.
• You must use a clear, comprehensive, and explicit operator procedure to
make safety-related changes via an HMI.
• Changes can only be accepted in a safety-related system if the following
sequence of events occurs.
a. The new variable must be sent twice to two different tags; that is, both
values must not be written to with one command.
b. Safety-related code that executes in the controller, must check both
tags for equivalency and make sure that they are within range
(boundary checks).
c. Both new variables must be read back and displayed on the HMI
device.
d. Trained operators must visually check that both variables are the same
and are the correct value.
e. Trained operators must manually acknowledge that the values are
correct on the HMI display that sends a command to the safety logic,
which allows the new values to be used in the safety function.

In every case, the operator must confirm the validity of the change before
they are accepted and applied in the SIF.
• Test all changes as part of the safety validation procedure.
• Sufficiently document all safety-related changes that are made via HMI,
including the following:
- Authorization
- Impact analysis
- Execution
- Test information
- Revision information
• Changes to the safety-related system, must comply with IEC 61511
standard on process safety section 11.7.1 Operator Interface
requirements.
• The developer must follow the same sound development techniques and
procedures that are used for other application software development,
including the verification and testing of the operator interface and its
access to other parts of the program. The controller application software
builds a table that is accessible by the HMI and limits access to required
data points only.
• Similar to the controller program, you must secure and maintain the
HMI software for SIL-level compliance after the system has been
validated and tested.

IMPORTANT The High-Speed Jog function is not allowed and must not be used in the
entire project.

142 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix A

System Reaction Times

You can use the calculation formulas in this chapter to calculate the worst-case
reaction times for a given change in input or fault condition and the
corresponding output action.

1756 ControlLogix I/O and For a system with 1756 ControlLogix I/O or 1794 FLEX I/O™ modules, refer to
1794 FLEX I/O the following sections.
Reaction Times
Local Chassis Configuration

Figure 77 shows an example system with digital or analog modules where the
following occurs:
• Field signal changes state.
• The data is transmitted to the controller.
• The controller runs its program scan and reacts to the data change.
• The controller transmits data to the output module.
• The output module processes data from the controller and turns the
output device on or off.
Figure 77 - Local Chassis Configuration for Digital or Analog Modules
Input Module Controller Output Module

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 143

Appendix A System Reaction Times

Remote Chassis Configuration

Figure 78 shows an example system where the following occurs:

• Input data changes on the input module.
• The data is transmitted to the controller via the network communication
modules.
• The controller runs its program scan and reacts to the data change,
including new data sent to the output module via the network
communication modules.
• The output module behavior changes based on the new data that is
received from the controller.
Figure 78 - Remote Chassis Configuration for Digital or Analog Modules

Network Network Input Input Output Output

Controller Communication Communication Module Module Module Module
Module Module

Calculate Worst-case Reaction Time

The formulas for calculating worst-case reaction times with no system faults
or errors differ slightly for digital and analog I/O modules.

Digital Modules

Use this formula to determine worst-case reaction time for digital modules in
local or remote configurations.
Worst-Case Reaction Time with no faults or errors =
(Input Module Delay + Input Filter Time) + (Input Module RPI x 4/8/16… 100 ms)(1) +
(SIL 2 Task Period + SIL 2 Task Watchdog) + (Output Module RPI x 4/8/16… 100 ms)(1) +
(Output Module Delay).

Module delay times are listed in the ControlLogix® I/O Modules Specifications
Technical Data, publication 1756-TD002.

RPI and input filter time values are configurable in the module properties via
the Logix Designer application, as shown in Figure 79:
• If the safe state in your application is low, use the On -> Off Input Filter
Time.
• If the safe state in your application is high, use the Off -> On Input Filter
Time.

(1) Multiply the module RPI by 4, then 8, then 16, and so on, until the result is at least 100 ms.

144 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix A System Reaction Times

Figure 79 - Digital Module Configuration

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 145

Appendix A System Reaction Times

Analog Modules

Use this formula to determine worst-case reaction time for analog modules in
local or remote configurations.
Worst-Case Reaction Time with no faults or errors =
(Real Time Sample (RTS) Rate) +
(Input Module RPI x 4/8/16… 100 ms)(1) + (SIL 2 Task Period + SIL 2 Task Watchdog) +
(Output Module RPI x 4/8/16… 100 ms)(1) + (Output Module Delay).

In this calculation for the 1756-IRT8I or 1756-IF8I module, use the RPI instead of the
RTS.

RPI and filter time values are configurable in the module properties via the
Logix Designer application, as shown in Figure 80.

For information about setting filter and RTS values, see the ControlLogix
Analog I/O Module User Manual, publication 1756-UM009.

(1) Multiply the module RPI by 4, then 8, then 16, and so on, until the result is at least 100 ms.

146 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix A System Reaction Times

Figure 80 - Analog Module Configuration

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 147

Appendix A System Reaction Times

1715 Redundant I/O System For a 1715 redundant I/O system, you can determine the reaction time for a
Reaction Times control chain by adding the reaction times of all of components of the safety
chain.

System Reaction Time

System Reaction Time = Sensor Reaction Time + Logix System Reaction Time
+ Actuator Reaction Time

Figure 81 - System Reaction Time

System Reaction Time

Sensor Reaction Input Reaction Safety Task Output Reaction Actuator Reaction
Time Time Reaction Time Time Time

Input Module Input Connection Safety Task Period Output Connection Output Module
Delay Reaction Time Limit + Reaction Time Limit Delay
Safety Task Watchdog

Logix System Reaction Time

The following sections provide information about calculating the Logix System
Reaction Time for a simple input-logic-output chain and for a more complex
application using produced/consumed safety tags in the logic chain.

Simple Input-logic-output Chain

Figure 82 - Logix System Worst-case Reaction Time for Simple Input to Logic to Output
GuardLogix® Controller

3. Safety Task Period +

Communication Module

Safety Task Watchdog

2. Safety Input Connection 4. Safety Output Connection

1. Safety Input Reaction Time Limit Reaction Time Limit 5. Safety Output
Module Delay Module Delay
CIP Safety Network

148 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix A System Reaction Times

The Logix system reaction time for any simple input to logic to output chain
consists of these five components.
1. Safety input module reaction time + input delay time
2. Safety input connection reaction time limit
3. Safety task period + safety task watchdog time
4. Safety output connection reaction time limit
5. Safety output module reaction time

Items 3…5 are read from the Module Properties dialog box in the Logix
Designer application.

Add-On Instruction Scan Times

Table 12 - Maximum Scan Rates Measured - 1756-L75 controller was used to take measurements
Module Add-On Instruction Scan Rate µs (max measured)
1715-AENTR AENTR_SIL2 Duplex 455
1715-IB16D IB16D_Simplex_SIL2 Simplex 340
1715-IB16D IB16D_Duplex_SIL2 Duplex 378
1715-IF16 IF16_Simplex_SIL2 Simplex 831
1715-IF16 IF16_Duplex_SIL2 Duplex 832
1715-OB8DE OB8DE_Simplex_SIL2 Simplex 501
1715-OB8DE OB8DE_Duplex_SIL2 Duplex 541
1715-OF8 OF8I_Simplex_SIL2 Simplex 951
1715-OF8 OF8I_Duplex_SIL2 Duplex 964
N/A CRC Calculator N/A N/A

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 149

Appendix A System Reaction Times

Table 13 - Maximum Scan Rates V3 Measured - 1756-L75 controller was used to take measurements
Module Add-On Instruction Scan Rate µs (max measured)
1715-AENTR AENTR_SIL2_V3 Duplex 507
1715-IB16D IB16D_Simplex_SIL2_V3 Simplex 982
1715-IB16D IB16D_Duplex_SIL2_V3 Duplex 1035
1715-IF16 IF16_Simplex_SIL2_V3 Simplex 676
1715-IF16 IF16_Duplex_SIL2_V3 Duplex 696
1715-OB8DE OB8DE_Simplex_SIL2_V3 Simplex 950
1715-OB8DE OB8DE_Duplex_SIL2_V3 Duplex 1012
1715-OF8 OF8I_Simplex_SIL2_V3 Simplex 1048
1715-OF8 OF8I_Duplex_SIL2_V3 Duplex 1055
1715-IF16 IF16_Simplex_HART_SIL2_V3 Simplex 692
1715-IF16 IF16_Duplex_HART_SIL2_V3 Duplex 715
1715-OF8 OF8_Simplex_HART_SIL2_V3 Simplex 1058
1715-OF8 OF8_Duplex_HART_SIL2_V3 Duplex 1071
N/A CRC Calculator_V3 N/A N/A

Safety Reaction Time Calculations

The 1715 Add-On Instructions process data at a rate of the module RPI / 2. For
example, if the 1715-IF16 RPI = 100 ms, the 1715 IF16 AOI processes the most
recent packet every 50 ms. This provides a compromise between controller
bandwidth (not processing the packets too often using old data) and overall
1715 screw to screw performance. Because the 1715 Add-On Instructions run on
a time basis, the input module AOI and the output module Add-On Instruction
can be asynchronous. The periodic task rate affects the actual process rate and
periodic task scan time.

The worst-case safety reaction time can be calculated using the formulas that
are shown in the following example. For the following example, assume the
following:
• 1715 input module RPI = 60 ms
• 1715 output module RPI = 80 ms
• SIL 2 task period = 30 ms
• SIL 2 task watchdog = 20 ms
• Add-On Instruction module RPI=60 ms

150 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix A System Reaction Times

Table 14 - Worst Case Reaction Time Calculations

Fixed Time User

Worst Case Factors Value Configurable Description
(ms) Time (ms)
1715 Input Module Delay 15
1715 Backplane Rate 65
1715-AENTR Delay 25
COS=NO 1715 Input Module RPI 60 COS = Change of State
Input Data to ControlLogix
COS=YES Fixed 60
Add-On Instruction Value that is entered into the Add-On Instruction Module_RPI
Add-On Instruction Module RPI 30
Module RPI/2 parameter
ControlLogix system runs input module Add-On Instruction and
ControlLogix SIL2 Task controls requested output
SIL 2 Task Watchdog 20
Watchdog Assumes requested output in same SIL 2 task as 1715 SIL 2 Add-On
Instructions
Add-On Instruction Value that is entered into the Add-On Instruction Module_RPI
Add-On Instruction Module RPI 30
Module RPI/2 parameter
ControlLogix SIL 2 Task ControlLogix system runs output module Add-On Instruction and
SIL 2 Task Watchdog 20
Watchdog places requested outputs in output module raw data
Output Data to 1715-AENTR 1715 Output Module RPI 80
1715-AENTR Delay 25
1715 Backplane Rate 65
1715 Output Module Delay 15

If you are not using COS, the worst-case reaction time from input screw
terminal to output screw terminal is equal to 210 ms plus the following:
- Input RPI
- Output RPI
- Add-On Instruction Module RPI/2
- SIL 2 Task Period x 2
- SIL 2 Task Watchdog x 2

If you are using COS, the worst-case reaction time from input screw terminal
to output screw terminal is equal to 270 ms plus the following:
- Output RPI
- Add-On Instruction Module RPI/2
- SIL 2 Task Period x 2
- SIL 2 Task Watchdog x 2

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 151

Appendix A System Reaction Times

Notes:

152 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix B

SIL 2-certified ControlLogix System Components

System components that are listed here are certified according to IEC 61508
2010 Edition 2, unless noted in the following tables.

Use only the series versions that are listed in Appendix C. These tables list
publications that are related to these components. Publications are available
from Rockwell Automation by visiting https://www.rockwellautomation.com/
literature.
Table 15 - SIL 2-certified ControlLogix Components - Hardware
Cat. No.(1) Description Related Documentation
1756-A4, 1756-A7 1756-A10, 1756-A13, 1756-A17 ControlLogix® chassis
1756-PA75(2) ControlLogix AC power supply
1756-PB75(2) ControlLogix DC power supply
1756-PA75R ControlLogix AC redundant power supply
1756-PB75R ControlLogix DC redundant power supply
1756-PA72 ControlLogix AC power supply 1756-IN005
1756-PB72 ControlLogix DC power supply
1756-PC75 ControlLogix DC power supply
1756-PH75 ControlLogix DC power supply
1756-PSCA(3) ControlLogix redundant power supply chassis adapter
1756-PSCA2(3) ControlLogix redundant power supply chassis adapter
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) The 1756-PA75/A and 1756-PB75/A power supplies are no longer available. However, if your existing SIL 2 application uses these power supplies, they are SIL 2 certified.
(3) Existing systems that use the 1756-PSCA and 1756-PSCA2 are SIL 2-certified. However, when implementing new SIL 2-certified systems or upgrading existing systems, we recommend that
you use the 1756-PSCA2 module if possible.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 153

Appendix B SIL 2-certified ControlLogix System Components

Table 16 - SIL 2-certified ControlLogix Components - 1756 Non-redundant Controllers, I/O, and Communication Modules
Cat. No.(1) Description Related Documentation
1756-L61(2) (3) ControlLogix 2 MB controller
1756-L62(2) (3) ControlLogix 4 MB controller
1756-L63(2) (3) ControlLogix 8 MB controller
1756-L71(2) ControlLogix 2 MB controller
1756-UM001
1756-L72(2) ControlLogix 4 MB controller
1756-L73(2) ControlLogix 8 MB controller
1756-L74(2) ControlLogix 16 MB controller
1756-L75(2) ControlLogix 32 MB controller
1756-L61S(2)(3) GuardLogix® controller, 2 MB standard
(2)(3) GuardLogix controller, 4 MB standard
1756-L62S
1756-L63S(2)(3) GuardLogix controller, 8 MB standard
1756-L71S(2) GuardLogix controller, 2 MB standard 1756-UM022
1756-L72S(2) GuardLogix controller, 4 MB standard
1756-L73S(2) GuardLogix controller, 8 MB standard
1756-L73SXT(2) GuardLogix-XT™ controller, 8 MB standard
1756-IA16I ControlLogix AC isolated input module
1756-IA8D ControlLogix AC diagnostic input module
1756-IB16D ControlLogix DC diagnostic input module 1756-UM058
1756-IB16I ControlLogix DC isolated input module
1756-IB32 ControlLogix DC input module
1756-IB16ISOE ControlLogix Sequence of Events module
1756-UM528
1756-IH16ISOE ControlLogix Sequence of Events module
1756-OA16I ControlLogix AC isolated output module
1756-OA8D ControlLogix AC diagnostic input module
1756-OB16D ControlLogix DC diagnostic output module
1756-OB16E ControlLogix DC electronically fused output module
1756-OB16I ControlLogix DC isolated output module 1756-UM058
1756-OB32 ControlLogix DC output module
1756-OB8EI ControlLogix DC isolated output module
1756-OW16I ControlLogix isolated relay output module
1756-OX8I ControlLogix isolated relay output module
1756-IF8 ControlLogix analog input module
1756-IF16 ControlLogix analog input module
1756-UM009
1756-IF6I ControlLogix isolated analog input module
1756-IF6CIS ControlLogix isolated analog input module
1756-IF8H ControlLogix HART analog input module
1756-UM533
1756-IF16H ControlLogix HART analog input module
1756-IF8I ControlLogix isolated analog input module
ControlLogix isolated analog RTD thermocouple input
1756-IRT8I 1756-UM540
module
1756-OF8I ControlLogix isolated analog output module

154 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix B SIL 2-certified ControlLogix System Components

Table 16 - SIL 2-certified ControlLogix Components - 1756 Non-redundant Controllers, I/O, and Communication Modules (Continued)
Cat. No.(1) Description Related Documentation
1756-IR6I ControlLogix RTD input module
1756-IT6I ControlLogix Thermocouple input module
1756-IT6I2 ControlLogix enhanced Thermocouple input module
1756-OF4 Series B ControlLogix analog output module 1756-UM009
1756-OF8 ControlLogix analog output module
1756-OF6CI ControlLogix isolated analog output module
1756-OF6VI ControlLogix isolated analog output module
1756-OF8H ControlLogix HART analog output module 1756-UM533
(4) ControlLogix ControlNet® communication module
1756-CNB
1756-CN2 ControlLogix ControlNet communication module CNET-IN005
CNET-UM001
ControlLogix redundant media ControlNet
1756-CN2R communication module
1786-RPFS ControlNet short-distance fiber repeater module 1786-IN012
1786-RPFM ControlNet medium-distance fiber repeater module 1786-IN011
1786-RPFRL ControlNet long-distance fiber repeater module
1786-IN003
1786-RPFRXL ControlNet extra-long-distance fiber repeater module
1786-RPA ControlNet repeater adapter 1786-IN013
1786-RPCD ControlNet Hub repeater module 1786-IN001
ControlLogix redundant media EtherNet/IP™
1756-EN2TR Series B communication module
ENET-IN002
ControlLogix redundant media EtherNet/IP
1756-EN2TR Series C ENET-UM001
communication module
1756-EN2T Series C ControlLogix EtherNet/IP communication module
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) Use of any series B controller requires the use of the series B versions of the 1756-Px75 power supplies.
(3) Certified according to IEC 61508 1999 Edition 1.
(4) Specified ControlNet repeaters can be used in SIL 2 applications. See Chapter 4, ControlLogix Communication Modules for more information.

Table 17 - SIL 2-certified ControlLogix Components - 1756 Redundancy System Components

Cat. No.(1) Description Related Documentation
1756-L61(2) (3) ControlLogix 2 MB controller
(2) (3) ControlLogix 4 MB controller
1756-L62
1756-L63(2) (3) ControlLogix 8 MB controller
1756-L71(2) ControlLogix 2 MB controller
1756-UM001
1756-L72(2) ControlLogix 4 MB controller
1756-L73(2) ControlLogix 8 MB controller
1756-L74(2) ControlLogix 16 MB controller
1756-L75(2) ControlLogix 32 MB controller
1756-CNB ControlLogix ControlNet communication module
ControlLogix redundant media ControlNet
1756-CNBR communication module CNET-IN005
1756-CN2 ControlLogix ControlNet communication module CNET-UM001
ControlLogix redundant media ControlNet
1756-CN2R communication module
1756-EN2T Series C ControlLogix EtherNet/IP communication module
ENET-IN002
1756-EN2TR Series B ControlLogix redundant media EtherNet/IP ENET-UM001
1756-EN2TR Series C communication module
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) Use of any series B controller requires the use of the series B versions of the 1756-Px75 power supplies or the redundant power supplies, that is, the 1756-Lx75R power supplies.
(3) Certified according to IEC 61508 1999 Edition 1.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 155

Appendix B SIL 2-certified ControlLogix System Components

Table 18 - SIL 2-certified ControlLogix-XT System Components

Cat. No. Description Related Documentation
1756-A4LXT
1756-A5XT,
1756-A7XT ControlLogix-XT™ chassis
1756-A7LXT 1756-IN005
1756-A10XT
1756-PAXT ControlLogix-XT power supply
1756-PBXT
CNET-IN005
1756-CN2RXT ControlLogix-XT ControlNet communication module
CNET-UM001
1756-EN2TXT Series C ControlLogix-XT EtherNet/IP communication module
ENET-IN002
ControlLogix-XT EtherNet/IP communication module for ENET-UM001
1756-EN2TRXT Series C redundant systems
1756-L63XT(1) ControlLogix-XT controller
1756-UM001
1756-L73XT ControlLogix-XT controller
1756-L73SXT GuardLogix-XT controller, 8 MB standard 1756-UM022
(1) Certified according to IEC 61508 1999 Edition 1.

IMPORTANT ControlLogix-XT modules use the same firmware as traditional ControlLogix components. When obtaining firmware
for ControlLogix-XT modules, download and use the firmware specific to each module.
For example, if you are using a 1756-EN2TXT module in your system, use SIL 2-certified firmware for the 1756-EN2T
module.
For more information about ControlLogix-XT module firmware revisions, see the firmware release notes specific to
the module. ControlLogix-XT module release notes are available at:
https://www.rockwellautomation.com/literature or https://www.rockwellautomation.com/support/.

Table 19 - FLEX™ I/O Components For Use in the SIL 2 System

Cat. No.(1) Description Related Documentation(2)
1794-ACN15 FLEX I/O ControlNet single media adapter
1794-ACNR15 FLEX I/O ControlNet redundant media adapter 1794-IN128
1794-ACNR15XT FLEX I/O-XT™ ControlNet redundant media adapter
1794-AENT FLEX I/O EtherNet/IP communication adapter 1794-IN082
1794-AENTR FLEX I/O EtherNet/IP redundant communication adapter
FLEX I/O-XT EtherNet/IP redundant communication 1794-IN131
1794-AENTRXT adapter
1794-IB16 FLEX I/O input module 1794-IN093
1794-IB16XT FLEX I/O-XT input module 1794-IN124
1794-IB10XOB6 FLEX I/O input/output module 1794-IN083
1794-IB10XOB6XT FLEX I/O-XT input/output module 1794-IN124
1794-OB16 FLEX I/O output module 1794-IN094
1794-OB16P FLEX I/O protected output module 1794-IN094
1794-OB16PXT FLEX I/O-XT protected output module 1794-IN124
1794-OB8EP FLEX I/O electronically fused output module 1794-IN094
1794-OB8EPXT FLEX I/O-XT electronically fused output module 1794-IN124
1794-OW8 FLEX I/O relay output module
1794-IN019
1794-OW8XT FLEX I/O-XT relay output module
1794-IN100
1794-IE8 FLEX I/O analog input module
1794-UM002
1794-IN038
1794-IF4I FLEX I/O isolated analog input module
1794-UM008
1794-IN129
1794-IF4IXT FLEX I/O-XT isolated analog input module
1794-UM008
1794-IN130
1794-IF4ICFXT FLEX I/O-XT isolated analog input module
1794-UM008

156 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix B SIL 2-certified ControlLogix System Components

Table 19 - FLEX™ I/O Components For Use in the SIL 2 System (Continued)
Cat. No.(1) Description Related Documentation(2)
1794-IN039
1794-IF2XOF2I FLEX I/O isolated analog input/output module
1794-UM008
1794-IN129
1794-IF2XOF2IXT FLEX I/O-XT isolated analog input/output module
1794-UM008
1794-IN100
1794-OE4 FLEX I/O analog output module 1794-UM002
1794-IN037
1794-OF4I FLEX I/O isolated analog output module 1794-UM008
1794-IN021
1794-IT8 FLEX I/O Thermocouple input module 1794-UM007
1794-IR8 FLEX I/O RTD input module 1794-IN021
1794-IR8XT FLEX I/O-XT RTD input module 1794-UM004
1794-IRT8 FLEX I/O Thermocouple/RTD input module 1794-IN050
1794-IRT8XT FLEX I/O-XT Thermocouple/RTD analog input module 1794-UM012
1794-IJ2 FLEX I/O counter module 1794-IN049
1794-IJ2XT FLEX I/O-XT counter module 1794-UM011
1794-IN064
1794-IP4 FLEX I/O counter module
1794-UM016
1794-IE4XOE2XT FLEX I/O-XT analog input/output module 1794-IN125
1794-IE8XT FLEX I/O-XT analog input module 1794-IN125
1794-OE4XT FLEX I/O-XT analog output module 1794-IN125
1794-IN129
1794-OF4IXT FLEX I/O-XT isolated analog output module
1794-UM008
1794-TB3 FLEX I/O terminal base unit
1794-TB3S FLEX I/O terminal base unit
1794-TB3T FLEX I/O temperature terminal base unit
1794-TB3TS FLEX I/O spring-clamp temperature terminal base unit
1794-IN092
1794-TB3G FLEX I/O cage-clamp generic terminal base unit
1794-TB3GS FLEX I/O spring-clamp generic terminal base unit
1794-TBN FLEX I/O NEMA terminal base unit
1794-TBNF FLEX I/O NEMA fused terminal base unit
(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For
more information on which products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) These publications are available from Rockwell Automation by visiting https://www.rockwellautomation.com/literature.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 157

Appendix B SIL 2-certified ControlLogix System Components

Table 20 lists the 1715 devices that can be included in a SIL 2 system.
Table 20 - 1715 Devices in a SIL 2 System
Termination Assembly
Cat. No. Firmware Revision Description
Cat. No. Description
1715-AENTR 2.001 or later Ethernet adapter redundant module N/A
1715-TASIB16D Digital input simplex
1715-IB16D 2.001 or later(1) 16-channel digital input module
1715-TADIB16D Digital input duplex
1715-TAS0B8DE Digital output simplex
1715-OB8DE 2.001 or later(1) 8-channel digital output module
1715-TADOB8DE Digital output duplex
1715-TASIF16 Analog input simplex
1715-IF16 2.001 or later(1) 16-channel analog input module
1715-TADIF16 Analog input duplex
1715-TASOF8 Analog output simplex
1715-OF8I 2.001 or later(1) 8-channel analog output module
1715-TADOF8 Analog output duplex
1715-A2A N/A Adapter base unit N/A
1715-A3IO N/A I/O module base unit N/A
1715-N2T N/A Tall slot filler cover N/A
1715-N2S N/A Short slot filler cover N/A
1715-C2 N/A Expansion cable - 2 m (6.56 ft) N/A
(1) For revision 3.001 and later, the 1715 I/O module firmware is the revision that is installed on the I/O module.
For earlier revisions, the 1715 I/O module firmware is the same revision as the 1715-AENTR module regardless of the firmware revision in the 1715 I/O module.

158 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C

PFD and PFH Calculations for

1756 ControlLogix and 1794 FLEX I/O Modules

About PFD and PFH The probability of a dangerous failure on demand (PFD) is the SIL value for a
Calculations safety-related system as related directly to the order-of-magnitude ranges of
its average probability of failure to satisfactorily perform its safety function on
demand. IEC 61508 quantifies this classification by stating that the frequency
of demands for operation of the safety system is no greater than once per year
in the Low Demand mode.

PFD calculations are commonly used for process safety applications and
applications where emergency stop devices (ESDs) are used.

Although PFD values are associated with each of the three elements that
constitute a safety-related system (the sensors, the actuators, and the logic
element), they can be associated with each module of a controller.

Average frequency of a dangerous failure per hour (PFH) is typically used to

describe safety performance for high demand applications. Because
ControlLogix® is suitable for high demand applications up to and including 10
demands per year, PFH values for those applications are provided.

Tables in this chapter present PFD and PFH values for ControlLogix and
ControlLogix-XT™ components that TÜV evaluates.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 159

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Determine Which Values

To Use IMPORTANT You are responsible for determining which of the values that are
provided are appropriate for your SIL 2-certified system. Determine
which values to use based on the modules used your system and the
system configuration.

IMPORTANT If a safety-module in an existing application is replaced by a

replacement-type module, The whole safety loop must be recalculated
with the new module's data.

Each of the PFD and PFH calculated values that are provided in this manual is
based on the configuration that the module can be used in (1oo1 or 1oo2).
• Controllers only have a 1oo1 configuration, even when used in a 1756-RM
module redundancy architecture.
• You can architect communication modules in a 1oo1 or 1oo2
configuration. If the I/O module pair is split among two separate chassis,
use 1002.
• Input or output modules have PFD values typically for use in a 1oo2
configuration. But 1oo1 values are provided in the event diversity is used
for input modules, or the output module that controls the actuator and
secondary relay are diverse.

160 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

About the Calculations in For the example calculations presented in this chapter, these values were used
This Manual as the two application-dependent variables:
• Mean time to restoration (MTTR) is ten hours.
• Mean repair time (MRT) is ten hours.
• Proof test interval (T1) is listed for each table.

Both the common cause failure rate (ß) and common cause failure rate
dangerous (ßd) values that are used in calculations are 5%.

Common Terms
 = failure rate = 1/MTBF
s = rate of safe failures =  x 50%
d = rate of dangerous failures =  x 50%
dd= dangerous, detected failure rate = /2 x DC
du= dangerous, undetected failure rate = /2 x (1-DC)
SFF = safe failure fraction =(s +dd)/
TCE1oo1 = channel equivalent down time = du/d x (T1/2 + MRT) + (dd/d x MTTR)
DC = diagnostic coverage
ß = common cause failure rate
ßd = common cause failure rate, dangerous
1oo1 Configuration
STR1oo1 = spurious trip rate = s + dd
PFD1oo1 = (dd + du) x TCE
PFH1oo1 = du
1oo2 Configuration
STR1oo2 = spurious trip rate = 2 x (s + dd)
TGE1oo2 = system equivalent down time = du/d x (T1/3 + MRT) + (dd/d x MTTR)
PFD1oo2= 2 x [(1-ßD) x dd + (1-ß) x du]2 x TCE x TGE + (ßD x dd x MTTR) + ß x du x (T1/2 + MRT)
PFH1oo2 = 2 x [(1-ßD) x dd + (1-ß) x du] x (1-ß) x du x TCE + ß x du

The PFD and PFH values in this manual are calculated with formulas that are
explained in IEC 61508, Part 6, Annex B. See IEC 61508, Part 6, for more
information about how to calculate PFD values for your system.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 161

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

1-Year PFD Calculations The PFD calculations in this table are calculated for a 1-year proof test interval
(8760 hours) and are specific to ControlLogix system components.
Table 21 - 1- Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 448 4.19E-08 2.21E-09 9.89E-06

B 4-slot ControlLogix-XT
1756-A4LXT 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 448 8.89E-07 4.68E-08 2.10E-04
chassis

C 5-slot ControlLogix-XT
1756-A5XT 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 448 1.29E-06 6.81E-08 3.05E-04
chassis

B 7-slot ControlLogix-XT
1756-A7LXT 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 448 3.44E-08 1.81E-09 8.11E-06
chassis

C 7-slot ControlLogix-XT
1756-A7XT 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 448 8.78E-07 4.62E-08 2.07E-04
chassis

C 18-32V DC 10 A ControlLogix 31,561,095

1756-PB72 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 448 3.01E-08 1.58E-09 7.10E-06
power supply

C 85-265V AC 10 A
1756-PA72 18,336,146 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 448 5.18E-08 2.73E-09 1.22E-05
ControlLogix power supply
85-265V AC 13 A
1756-PA75 B ControlLogix power supply 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 448 5.08E-08 2.67E-09 1.20E-05
(75 W)

A 85-265V AC 13 A redundant
1756-PA75R 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 448 6.72E-07 3.54E-08 1.59E-04
ControlLogix power supply

B 18-32V DC 13 A ControlLogix 15,675,475

1756-PB75 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 448 6.06E-08 3.19E-09 1.43E-05
power supply

A 18-32V DC 13 A redundant
1756-PB75R 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 448 5.47E-07 2.88E-08 1.29E-04
ControlLogix power supply
Not applicable
B ControlLogix-XT AC power
1756-PAXT 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 448 5.08E-08 2.67E-09 1.20E-05
supply

B ControlLogix-XT DC power
1756-PBXT 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 448 5.12E-07 2.69E-08 1.21E-04
supply

B 30-60V DC 13 A ControlLogix 5,894,836

1756-PC75 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 448 1.61E-07 8.48E-09 3.80E-05
power supply

B 90-143V DC 13 A
1756-PH75 2,119,520 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 448 4.48E-07 2.36E-08 1.06E-04
ControlLogix power supply

A Redundant power supply

1756-PSCA 45,146,727 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 448 2.10E-08 1.11E-09 4.96E-06
adapter

A Redundant power supply

1756-PSCA2 38,461,280 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 448 2.47E-08 1.30E-09 5.82E-06
adapter

A ControlNet® fiber repeater - 26,461,760

1786-RPFS 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 448 3.59E-08 1.89E-09 8.47E-06
short

A ControlNet fiber repeater -

1786-RPFM 16,697,862 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 448 5.69E-08 2.99E-09 1.34E-05
medium

A ControlNet fiber repeater -

1786-RPFRL 5,717,227 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 448 1.66E-07 8.75E-09 3.92E-05
long
1786-RPCD A ControlNet hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 448 3.32E-08 1.74E-09 7.82E-06
1786-RPA B ControlNet repeater adapter 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 448 8.03E-08 4.23E-09 1.89E-05

B ControlNet Fiber repeater -

1786-RPFRXL 11,373,440 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 448 8.35E-08 4.40E-09 1.97E-05
extra long

162 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 21 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1756-L61(7) B ControlLogix controller, 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 448 9.50E-07 5.00E-08 2.24E-04
1756-L62(7) B ControlLogix controller, 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 448 9.18E-07 4.83E-08 2.16E-04
1756-L63(7) B ControlLogix controller, 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 448 9.00E-07 4.74E-08 2.12E-04

B ControlLogix-XT controller,
1756-L63XT(7) 8 MB 357760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 448 2.66E-06 1.40E-07 6.26E-04

1756-L71(8) B ControlLogix controller, 2 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
1756-L72(8) B ControlLogix controller, 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
1756-L73(8) B ControlLogix controller, 8 MB
Calculated
2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
MTBF and
B ControlLogix-XT controller,
1756-L73XT(8) 8 MB PFD via 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
FMEA
B ControlLogix controller,
1756-L74(8) 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B ControlLogix controller, Not applicable

1756-L75(7) 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B GuardLogix® controller, 2 MB 1,000,053

1756-L61S(7) standard 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 448 9.50E-07 5.00E-08 2.24E-04

B GuardLogix controller, 4 MB
1756-L62S(7) standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 448 9.18E-07 4.83E-08 2.16E-04

B GuardLogix controller, 8 MB 1,055,910

1756-L63S(7) standard 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 448 9.00E-07 4.74E-08 2.12E-04

B GuardLogix controller, 2 MB
1756-L71S(8) standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

B GuardLogix controller, 4 MB Calculated

1756-L72S(8) standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
MTBF and
controller, 8 MB PFD via
1756-L73S(8) B GuardLogix FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04
standard

B GuardLogix-XT™ controller,
1756-L73SXT(8) 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 340 2.91E-06 1.01E-07 4.50E-04

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 448 5.32E-07 2.80E-08 1.25E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant communication 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 448 3.64E-07 1.92E-08 8.59E-05
module

B ControlLogix ControlNet
1756-CN2 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 448 8.67E-07 4.56E-08 2.04E-04
communication module
Calculated
C ControlLogix ControlNet MTBF and
1756-CN2(8) communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
FMEA
ControlLogix ControlNet
1756-CN2R B redundant communication 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 448 8.67E-07 4.56E-08 2.04E-04 Not applicable
module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
module FMEA
ControlLogix-XT ControlNet
1756-CN2RXT B redundant communication 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 448 4.80E-07 2.53E-08 1.13E-04
module
Calculated
ControlLogix-XT ControlNet MTBF and
1756-CN2RXT(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04
module FMEA
ControlLogix Data Highway
1756-DHRIO(9) E Plus™ remote I/O module 2,503,396 2.90E-07 5.79E-07

ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 2.90E-07 5.79E-07
module Non-interference only Not applicable Not applicable
D ControlLogix
(9) DeviceNet®
1756-DNB 2,192,202 3.31E-07 6.61E-07
communication module

A ControlLogix EtherNet/IP™
1756-ENBT(9) communication module 2,088,198 3.47E-07 6.94E-07

C ControlLogix EtherNet/IP
1756-EN2T 1,312,712 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 448 7.24E-07 3.81E-08 1.71E-04
communication module

D ControlLogix EtherNet/IP
1756-EN2T(9) communication module 269,774 Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module with 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 448 2.59E-07 1.36E-08 6.11E-05
fault tolerance

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 163

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 21 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module with Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04 3.82E-06 258.2 1.36E-09 6.11E-06
fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module with FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 303.63 1.91E-06 6.62E-08 3.0E-04 3.82E-06 258.2 1.36E-09 6.11E-06
fault tolerance

C ControlLogix-XT EtherNet/IP 1,300,000

1756-EN2TXT 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 448 7.31E-07 3.85E-08 1.72E-04 Not applicable
communication module

D ControlLogix-XT EtherNet/IP 269,774

1756-EN2TXT(9) communication module 3.71E-06

ControlLogix EtherNet/IP
1756-EN3TR(9) B communication module with 269,774 3.71E-06
fault tolerance

B ControlLogix redundancy
1756-RM(9) module 1,373,840 7.28E-07
Not applicable
A ControlLogix enhanced Non-interference only
1756-RM2(9) redundancy module 250,182 4.00E-06

A ControlLogix-XT enhanced
1756-RM2XT(9) redundancy module 250,182 4.00E-06

ControlLogix-XT redundancy
1756-RMXT(9) B module 980,096 1.02E-06

A ControlLogix SynchLink™
1756-SYNCH(9) Module 6,932,640 1.05E-07 Not applicable 2.09E-07 Not applicable

A ControlLogix isolated V AC
1756-IA16I 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 1762 3.85E-08 9.61E-09 4.24E-05 7.69E-08 1178 4.81E-10 2.12E-06
input module

A ControlLogix diagnostic
1756-IA8D 15,966,080 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 1762 5.01E-08 1.25E-08 5.52E-05 1.00E-07 1178 6.28E-10 2.76E-06
V AC input module

A ControlLogix diagnostic
1756-IB16D 30,228,640 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 1762 2.65E-08 6.62E-09 2.91E-05 5.29E-08 1178 3.31E-10 1.46E-06
V DC input module

A ControlLogix isolated V DC
1756-IB16I 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 1762 9.82E-09 2.46E-09 1.08E-05 1.96E-08 1178 1.23E-10 5.41E-07
input module
ControlLogix isolated V DC
1756-IB16ISOE A Sequence Of Events input 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 1762 6.93E-08 1.73E-08 7.64E-05 1.39E-07 1178 8.69E-10 3.82E-06
module

B ControlLogix V DC input
1756-IB32 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 1762 7.65E-08 1.91E-08 8.42E-05 1.53E-07 1178 9.59E-10 4.22E-06
module

A ControlLogix analog input

1756-IF8 8,699,254 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 1762 9.20E-08 2.30E-08 1.01E-04 1.84E-07 1178 1.15E-09 5.08E-06
module
Calculated
B ControlLogix analog input MTBF and
1756-IF8(8) module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 1855 7.45E-07 1.99E-07 8.80E-04 1.49E-06 1240 1.00E-08 4.5E-05
FMEA

A ControlLogix isolated analog 2,337,541

1756-IF8I(8) input module 4.28E-07 2.14E-07 77% 9.81E-08 1.16E-07 2019 3.30E-07 9.81E-08 4.32E-04 6.59E-07 1349 2.04E-09 8.88E-06

Calculated
B ControlLogix isolated analog MTBF and
1756-IF8I(8) input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 1897 4.58E-07 1.26E-07 5.56E-04 9.15E-07 1268 2.65E-09 1.15E-05
FMEA

A ControlLogix HART analog

1756-IF8H 1,291,978 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 1762 6.19E-07 1.55E-07 6.82E-04 1.24E-06 1178 7.93E-09 3.47E-05
input module

A ControlLogix analog input

1756-IF16 4,592,506 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 1762 1.74E-07 4.35E-08 1.92E-04 3.48E-07 1178 2.19E-09 9.64E-06
module
Calculated
B ControlLogix analog input MTBF and
1756-IF16(8) module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 1855 7.45E-07 1.99E-07 8.80E-04 1.49E-06 1240 1.00E-08 4.5E-05
FMEA

A ControlLogix HART analog

1756-IF16H 442,914 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 1762 1.81E-06 4.52E-07 1.99E-03 3.61E-06 1178 2.42E-08 1.04E-04
input module

A ControlLogix isolated analog 2,654,080

1756-IF6CIS 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 1762 3.01E-07 7.54E-08 3.32E-04 6.03E-07 1178 3.81E-09 1.67E-05
input module

A ControlLogix isolated analog 4,176,185

1756-IF6I 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 1762 1.92E-07 4.79E-08 2.11E-04 3.83E-07 1178 2.41E-09 1.06E-05
input module

A ControlLogix V DC Sequence 2,150,720

1756-IH16ISOE 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 1762 3.72E-07 9.30E-08 4.10E-04 7.44E-07 1178 4.72E-09 2.07E-05
Of Events input module

164 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 21 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %

A ControlLogix isolated RTD

1756-IR6I 4,268,525 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 1762 3.75E-07 1178 2.36E-09 1.04E-05
input module

A ControlLogix isolated RTD /

1756-IRT8I(8) thermocouple input module 1,896,813 5.27E-07 2.64E-07 76% 1.27E-07 1.36E-07 2127 8.00E-07 1421 2.69E-09 1.16E-05

Calculated
B ControlLogix isolated RTD / MTBF and
1756-IRT8I(8) thermocouple input module PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 1783 Not allowed for 1oo1 9.75E-07 1192 2.61E-09 1.13E-05
configurations
FMEA

A ControlLogix isolated
1756-IT6I thermocouple input module 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 1762 4.04E-07 1178 2.55E-09 1.12E-05

ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 1762 5.88E-07 1178 3.72E-09 1.63E-05
input module

A ControlLogix V AC output
1756-OA16I 32,891,456 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 1762 2.43E-08 6.08E-09 2.68E-05 4.86E-08 1178 3.04E-10 1.34E-06
module

A ControlLogix V AC
1756-OA8D 11,311,040 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 1762 7.07E-08 1.77E-08 7.79E-05 1.41E-07 1178 8.87E-10 3.90E-06
diagnostic output module

A ControlLogix V DC
1756-OB16D 8,884,374 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 1762 9.00E-08 2.25E-08 9.92E-05 1.80E-07 1178 1.13E-09 4.97E-06
diagnostic output module
ControlLogix V DC
1756 A electronically fused output 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 1762 5.33E-08 1.33E-08 5.87E-05 1.07E-07 1178 6.68E-10 2.94E-06
module

A ControlLogix V DC isolated
1756-OB16I 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 1762 1.08E-07 2.71E-08 1.19E-04 2.17E-07 1178 1.36E-09 5.98E-06
output module

A ControlLogix V DC output
1756-OB32 2,681,316 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 1762 2.98E-07 7.46E-08 3.29E-04 5.97E-07 1178 3.77E-09 1.66E-05
module
ControlLogix V DC isolated
1756-OB8EI A electronic ally fused output 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 1762 5.71E-08 1.43E-08 6.28E-05 1.14E-07 1178 7.15E-10 3.15E-06
module

A ControlLogix isolated relay

1756-OX8I 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 1762 1.32E-07 3.30E-08 1.45E-04 2.64E-07 1178 1.66E-09 7.29E-06
output module

A ControlLogix isolated relay

1756-OW16I 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 1762 5.84E-08 1.46E-08 6.43E-05 1.17E-07 1178 7.32E-10 3.22E-06
output module
Calculated
B ControlLogix analog output MTBF and
1756-OF4(8) module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 1902 8.11E-07 2.23E-07 9.8E-04 1.62E-06 1271 1.20E-08 5.0E-05
FMEA

A ControlLogix analog output 8.29E-05

1756-OF8 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 1762 7.53E-08 1.88E-08 1.51E-07 1178 9.44E-10 4.15E-06
module
Calculated
B ControlLogix analog output MTBF and
1756-OF8(8) module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 1902 8.11E-07 2.23E-07 9.8E-04 1.62E-06 1271 1.20E-08 5.0E-05
FMEA

A ControlLogix isolated analog 2,213,369

1756-OF8I(8) output module 4.52E-07 2.26E-07 76% 1.08E-07 1.18E-07 2106 3.44E-07 1.08E-07 4.76E-04 6.87E-07 1407 2.26E-09 9.80E-06

Calculated
B ControlLogix isolated analog MTBF and
1756-OF8I(8) output module PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 1982 4.71E-07 1.37E-07 6.03E-04 9.42E-07 1325 2.90E-09 1.25E-05
FMEA

A ControlLogix isolated analog 21,604,960

1756-OF6VI 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 1762 3.70E-08 9.26E-09 4.08E-05 7.41E-08 1178 4.64E-10 2.04E-06
output module

A ControlLogix isolated analog 8,354,667

1756-OF6CI 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 1762 9.58E-08 2.39E-08 1.05E-04 1.92E-07 1178 1.20E-09 5.29E-06
output module

A ControlLogix HART analog

1756-OF8H 5,118,187 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 1762 1.56E-07 3.91E-08 1.72E-04 3.13E-07 1178 1.97E-09 8.64E-06
output module

D FLEX™ I/O ControlNet

1794-ACN15 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
adapter

D FLEX I/O ControlNet

1794-ACNR15 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
redundant adapter

D FLEX I/O-XT™ ControlNet

1794-ACNR15XT 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 1762 1.95E-07 1178 1.22E-09 5.37E-06
adapter Not allowed for 1oo1
configurations
B FLEX I/O EtherNet/IP
1794-AENT 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 1762 8.99E-07 1178 5.72E-09 2.50E-05
adapter

A FLEX I/O EtherNet/IP

1794-AENTR 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 1762 1.26E-06 1178 8.08E-09 3.53E-05
adapter, Ring media

A FLEX I/O EtherNet/IP

1794-AENTRXT 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 1762 1.26E-06 1178 8.08E-09 3.53E-05
adapter, Ring media

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 165

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 21 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %

A FLEX I/O 24V DC input

1794-IB16 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 1762 8.91E-09 1178 5.57E-11 2.45E-07
module

A FLEX I/O-XT™
1794-IB16XT 35,587,189 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 1762 4.50E-08 1178 2.81E-10 1.24E-06
24V DC input module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 1762 2.89E-08 1178 1.81E-10 7.96E-07
1794-IJ2XT A FLEX I/O-XT counter module 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 1762 Not allowed for 1oo1 1.37E-07 1178 8.56E-10 3.77E-06
configurations
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 1762 7.26E-08 1178 4.55E-10 2.00E-06

A FLEX I/O 24V DC

1794-IB10XOB6 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
input/output module

A FLEX I/O-XT
1794-IB10XOB6XT 24V DC input/output module 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 1762 7.21E-08 1178 4.51E-10 1.99E-06

FLEX I/O 24V DC

1794-OB8EP A electronically fused output 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused output 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 1762 1.08E-07 1178 6.78E-10 2.99E-06
module

A FLEX I/O 24V DC output

1794-OB16 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 1762 2.95E-08 1178 1.84E-10 8.11E-07
module
Not allowed for 1oo1
A FLEX I/O 24V DC protected
1794-OB16P 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 configurations 1.60E-08 1178 1.00E-10 4.41E-07
output module
FLEX I/O-XT
1794-OB16PXT A 24V DC protected output 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 1762 5.99E-08 1178 3.75E-10 1.65E-06
module

A FLEX I/O isolated relay

1794-OW8 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 1762 5.50E-08 1178 3.44E-10 1.52E-06
output module

A FLEX I/O-XT isolated relay

1794-OW8XT 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 1762 8.64E-08 1178 5.41E-10 2.38E-06
output module

B FLEX I/O analog input

1794-IE8 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 1762 8.46E-08 1178 5.30E-10 2.33E-06
module

B FLEX I/O-XT analog input

1794-IE8XT 14,041,000 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 1762 1.14E-07 1178 7.14E-10 3.14E-06
module

A FLEX I/O isolated analog

1794-IF4I 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 1762 1.62E-07 1178 1.01E-09 4.47E-06
input module

A FLEX I/O-XT isolated analog 7,297,140

1794-IF4IXT 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 1762 2.19E-07 1178 1.38E-09 6.05E-06
input module

A FLEX I/O-XT isolated analog 7,297,140

1794-IF4ICFXT 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 1762 2.19E-07 1178 1.38E-09 6.05E-06
input module

A Flex, 8 Isolated HART Analog 926,808

1794-IF8IHNFXT 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 1762 1.73E-06 1178 1.12E-08 4.86E-05
Input, extended env
1794-IR8 A FLEX I/O RTD input module 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 1762 3.19E-07 1178 2.01E-09 8.82E-06
Not allowed for 1oo1
A FLEX I/O-XT RTD input configurations
1794-IR8XT 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 1762 1.67E-07 1178 1.05E-09 4.61E-06
module

B FLEX I/O RTD/Thermocouple 1,407,269

1794-IRT8 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 1762 1.14E-06 1178 7.27E-09 3.18E-05
input module

B FLEX I/O-XT RTD/

1794-IRT8XT Thermocouple input module 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 1762 1.95E-07 1178 1.22E-09 5.38E-06

A FLEX I/O Thermocouple

1794-IT8 2,097,509 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 1762 7.63E-07 1178 4.84E-09 2.12E-05
input module

A FLEX I/O isolated analog

1794-IF2XOF2I 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 1762 1.89E-07 1178 1.19E-09 5.22E-06
input/output module

A FLEX I/O-XT isolated analog 6,317,918

1794-IF2XOF2IXT 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 1762 2.53E-07 1178 1.59E-09 7.00E-06
input/output module

B FLEX I/O-XT analog

1794-IE4XOE2XT 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 1762 1.36E-07 1178 8.50E-10 3.74E-06
input/output module

B FLEX I/O analog output

1794-OE4 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 1762 8.68E-08 1178 5.43E-10 2.39E-06
module

B FLEX I/O-XT analog output

1794-OE4XT 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 1762 1.41E-07 1178 8.81E-10 3.88E-06
module Not allowed for 1oo1
configurations
A FLEX I/O analog output
1794-OF4I 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 1762 6.70E-08 1178 4.19E-10 1.85E-06
module

A FLEX I/O-XT analog output

1794-OF4IXT 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 1762 2.91E-07 1178 1.83E-09 8.05E-06
module

166 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 21 - 1- Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1 Trip Rate PFH(5)
(4) Fraction du
dd PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1794-TB3 A FLEX I/O terminal base unit 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 1762 6.40E-09 1178 4.00E-11 1.76E-07

A FLEX I/O cage-clamp

1794-TB3G 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
generic terminal base unit

A FLEX I/O spring-clamp

1794-TB3GS 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
generic terminal base unit
1794-TB3S A FLEX I/O terminal base unit 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07

A FLEX I/O temperature Not allowed for 1oo1

1794-TB3T 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
terminal base unit configurations
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal base 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 1762 3.06E-08 1178 1.91E-10 8.42E-07
unit

A FLEX I/O NEMA terminal

1794-TBN 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
base unit

A FLEX I/O NEMA fused

1794-TBNF 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 1762 1.60E-08 1178 1.00E-10 4.41E-07
terminal base unit
1492-TIFM40F-F24A-2(9) A DC input termination board 7,779,000 1.03E-07 7.90E-08

A Analog input termination

1492-TAIFM16-F-3(9) board 11,362,000 Non-interference only 7.04E-08 Not applicable 1.03E-07 Not applicable

1492-TIFM4OF-24-2(9) A DC output termination board 10,127,000 7.90E-08 7.04E-08

(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For more information on which
products have conformal coating go to http://ab.com.rockwellautomation.com/.
(2) MTBF measured in hours unless calculated (as noted). Field return values – January 2012.
(3) Calculations performed on a per module basis.
(4)  = Failure Rate = 1/MTBF.
(5) Demand rate must be less than 10 per year.
(6) Average of 1756-A4, -A7, -A10, -A13, and -A17 chassis.
(7) Suitable for use only in applications requiring compliance with IEC 61508 1999 Edition 1.
(8) Calculated MTBF and PFD by FMEA to 61508-2010.
(9) SIL 2-rated for non-interference in the chassis. Data not required within a safety function.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 167

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

2-Year PFD Calculations The PFD calculations in this table are calculated for a 2-year proof test interval
(17,520 hours) and are specific to ControlLogix system components.
Table 22 - 2-Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 886 4.19E-08 2.21E-09 1.96E-05
4-slot ControlLogix-XT
1756-A4LXT B 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 886 8.89E-07 4.68E-08 4.14E-04
chassis
5-slot ControlLogix-XT
1756-A5XT C 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 886 1.29E-06 6.81E-08 6.03E-04
chassis
7-slot ControlLogix-XT
1756-A7LXT B 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 886 3.44E-08 1.81E-09 1.60E-05
chassis
7-slot ControlLogix-XT
1756-A7XT C 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 886 8.78E-07 4.62E-08 4.10E-04
chassis
18-32V DC 10 A ControlLogix
1756-PB72 C 31,561,095 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 886 3.01E-08 1.58E-09 1.40E-05
power supply
85-265V AC 10 A ControlLogix 18,336,146
1756-PA72 C 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 886 5.18E-08 2.73E-09 2.42E-05
power supply
85-265V AC 13 A ControlLogix 18,693,044
1756-PA75 B 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 886 5.08E-08 2.67E-09 2.37E-05
power supply (75 W)
85-265V AC 13 A Redundant
1756-PA75R A 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 886 6.72E-07 3.54E-08 3.14E-04
ControlLogix power supply
18-32V DC 13 A ControlLogix
1756-PB75 B 15,675,475 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 886 6.06E-08 3.19E-09 2.83E-05
power supply
18-32V DC 13 A Redundant
1756-PB75R A 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 886 5.47E-07 2.88E-08 2.55E-04
ControlLogix power supply
ControlLogix-XT AC power Not applicable
1756-PAXT B 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 886 5.08E-08 2.67E-09 2.37E-05
supply
ControlLogix-XT DC power
1756-PBXT B 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 886 5.12E-07 2.69E-08 2.39E-04
supply
30-60V DC 13 A ControlLogix 5,894,836
1756-PC75 B 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 886 1.61E-07 8.48E-09 7.52E-05
power supply
90-143V DC 13 A ControlLogix 2,119,520
1756-PH75 B 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 886 4.48E-07 2.36E-08 2.09E-04
power supply
Redundant power supply
1756-PSCA A 45,146,727 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 886 2.10E-08 1.11E-09 9.81E-06
adapter
Redundant power supply
1756-PSCA2 A 38,461,280 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 886 2.47E-08 1.30E-09 1.15E-05
adapter
ControlNet Fiber repeater -
1786-RPFS A 26,461,760 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 886 3.59E-08 1.89E-09 1.67E-05
short
ControlNet Fiber repeater -
1786-RPFM A 16,697,862 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 886 5.69E-08 2.99E-09 2.65E-05
medium
ControlNet Fiber repeater -
1786-RPFRL A 5,717,227 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 886 1.66E-07 8.75E-09 7.75E-05
long
1786-RPCD A ControlNet Hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 886 3.32E-08 1.74E-09 1.55E-05
1786-RPA B ControlNet repeater adapter 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 886 8.03E-08 4.23E-09 3.75E-05
ControlNet Fiber repeater -
1786-RPFRXL B 11,373,440 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 886 8.35E-08 4.40E-09 3.90E-05
extra long

168 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 22 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1756-L61(7) B ControlLogix controller, 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 886 9.50E-07 5.00E-08 4.43E-04
(7) B ControlLogix controller, 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 886 9.18E-07 4.83E-08 4.28E-04
1756-L62
1756-L63(7) B ControlLogix controller, 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 886 9.00E-07 4.74E-08 4.20E-04
ControlLogix-XT controller,
1756-L63XT(7) B 8 MB 357,760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 886 2.66E-06 1.40E-07 1.24E-03

1756-L71(8) B ControlLogix controller, 2 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
1756-L72(8) B ControlLogix controller, 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
1756-L73(8) B ControlLogix controller, 8 MB Calculated 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
MTBF and
ControlLogix-XT controller, PFD via
1756-L73XT(8) B 8 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
FMEA
1756-L74(8) B ControlLogix controller, 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
ControlLogix controller,
1756-L75(8) B 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04 Not applicable

GuardLogix controller, 2 MB
1756-L61S(7) B standard 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 886 9.50E-07 5.00E-08 4.43E-04

GuardLogix controller, 4 MB
1756-L62S(7) B standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 886 9.18E-07 4.83E-08 4.28E-04

GuardLogix controller, 8 MB
1756-L63S(7) B standard 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 886 9.00E-07 4.74E-08 4.20E-04

GuardLogix controller, 2 MB
1756-L71S(8) B standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

GuardLogix controller, 4 MB Calculated

1756-L72S(8) B standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04
MTBF and
GuardLogix controller, PFD via
1756-L73S(8) B 8 MB standard FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

GuardLogix-XT controller,
1756-L73SXT(8) B 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 670 2.91E-06 1.01E-07 8.90E-04

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 886 5.32E-07 2.80E-08 2.48E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant communication 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 886 3.64E-07 1.92E-08 1.70E-04
module
ControlLogix ControlNet
1756-CN2 B 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 886 8.67E-07 4.56E-08 4.04E-04
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2(8) C communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
FMEA
ControlLogix ControlNet
1756-CN2R B redundant communication 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 886 8.67E-07 4.56E-08 4.04E-04 Not applicable
module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
module FMEA
ControlLogix-XT ControlNet
1756-CN2RXT B redundant communication 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 886 4.80E-07 2.53E-08 2.24E-04
module
Calculated
ControlLogix-XT ControlNet MTBF and
1756-CN2RXT(8) C redundant communication PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04
module FMEA
ControlLogix Data Highway
1756-DHRIO(9) E Plus remote I/O module 2,503,396 3.79E-07 7.59E-07

ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 3.79E-07 7.59E-07
module Non-interference only Not applicable Not applicable
ControlLogix DeviceNet
1756-DNB(9) D communication module 2,192,202 4.33E-07 8.67E-07

ControlLogix EtherNet/IP
1756-ENBT(9) A communication module 2,088,198 4.55E-07 9.10E-07

ControlLogix EtherNet/IP
1756-EN2T C 1,312,712 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 886 7.24E-07 3.81E-08 3.37E-04
communication module
ControlLogix EtherNet/IP
1756-EN2T(9) D communication module 269,774 Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module with 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 886 2.59E-07 1.36E-08 1.21E-04
fault tolerance

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 169

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 22 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module with Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04 3.82E-06 401.50 1.40E-09 1.22E-05
fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module with FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 597.25 1.91E-06 6.62E-08 5.90E-04 3.82E-06 401.50 1.40E-09 1.22E-05
fault tolerance
ControlLogix-XT EtherNet/IP 1,300,000
1756-EN2TXT C 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 886 7.31E-07 3.85E-08 3.41E-04 Not applicable
communication module
ControlLogix-XT EtherNet/IP 269,774
1756-EN2TXT(9) D communication module 3.71E-06

ControlLogix EtherNet/IP
1756-EN3TR(9) B communication module with 269,774 3.71E-06
fault tolerance
ControlLogix redundancy
1756-RM(9) B module 1,373,840 6.91E-07
Not applicable
ControlLogix enhanced Non-interference only
1756-RM2(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT enhanced
1756-RM2XT(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT redundancy
1756-RMXT(9) B module 980,096 9.69E-07

ControlLogix SynchLink
1756-SYNCH(9) A Module 6,932,640 1.37E-07 Not applicable 2.74E-07 Not applicable

ControlLogix isolated V AC
1756-IA16I A 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 3514 3.85E-08 9.61E-09 8.45E-05 7.69E-08 2346 4.82E-10 4.23E-06
input module
ControlLogix diagnostic V AC 15,966,080
1756-IA8D A 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 3514 5.01E-08 1.25E-08 1.10E-04 1.00E-07 2346 6.29E-10 5.52E-06
input module
ControlLogix diagnostic V DC 30,228,640
1756-IB16D A 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 3514 2.65E-08 6.62E-09 5.81E-05 5.29E-08 2346 3.32E-10 2.91E-06
input module
ControlLogix isolated V DC
1756-IB16I A 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 3514 9.82E-09 2.46E-09 2.16E-05 1.96E-08 2346 1.23E-10 1.08E-06
input module
ControlLogix isolated V DC
1756-IB16ISOE A Sequence Of Events input 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 3514 6.93E-08 1.73E-08 1.52E-04 1.39E-07 2346 8.71E-10 7.64E-06
module
ControlLogix V DC input
1756-IB32 B 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 3514 7.65E-08 1.91E-08 1.68E-04 1.53E-07 2346 9.62E-10 8.43E-06
module
ControlLogix analog input
1756-IF8 A 8,699,254 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 3514 9.20E-08 2.30E-08 2.02E-04 1.84E-07 2346 1.16E-09 1.01E-05
module
Calculated
ControlLogix analog input MTBF and
1756-IF8(8) B module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 3699 7.45E-07 1.99E-07 1.7E-03 1.49E-06 2469 1.10E-08 9.1E-05
FMEA
ControlLogix isolated analog 2,337,541
1756-IF8I(8) A input module 4.28E-07 2.139E-07 77% 9.81E-08 1.16E-07 4028 3.3E-07 9.81E-08 8.61E-04 6.59E-07 2688 2.12E-09 1.82E-05

Calculated
ControlLogix isolated analog MTBF and
1756-IF8I(8) B input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 3784 4.58E-07 1.26E-07 1.11E-03 9.15E-07 2526 2.79E-09 2.37E-05
FMEA
ControlLogix HART analog
1756-IF8H A 1,291,978 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 3514 6.19E-07 1.55E-07 1.36E-03 1.24E-06 2346 8.12E-09 7.02E-05
input module
ControlLogix analog input
1756-IF16 A 4,592,506 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 3514 1.74E-07 4.35E-08 3.83E-04 3.48E-07 2346 2.21E-09 1.93E-05
module
Calculated
ControlLogix analog input MTBF and
1756-IF16(8) B module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 3699 7.45E-07 1.99E-07 1.7E-03 1.49E-06 2469 1.10E-08 9.1E-05
FMEA
ControlLogix HART analog
1756-IF16H A 442,914 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 3514 1.81E-06 4.52E-07 3.97E-03 3.61E-06 2346 2.58E-08 2.17E-04
input module
ControlLogix isolated analog 2,654,080
1756-IF6CIS A 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 3514 3.01E-07 7.54E-08 6.62E-04 6.03E-07 2346 3.86E-09 3.36E-05
input module
ControlLogix isolated analog 4,176,185
1756-IF6I A 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 3514 1.92E-07 4.79E-08 4.21E-04 3.83E-07 2346 2.43E-09 2.12E-05
input module
ControlLogix V DC Sequence 2,150,720
1756-IH16ISOE A 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 3514 3.72E-07 9.30E-08 8.17E-04 7.44E-07 2346 4.79E-09 4.17E-05
Of Events input module

170 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 22 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix isolated RTD
1756-IR6I A 4,268,525 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 3514 3.75E-07 2346 2.38E-09 2.08E-05
input module
ControlLogix isolated RTD /
1756-IRT8I(8) A thermocouple input module 1,896,813 5.272E-07 2.636E-07 76% 1.27E-07 1.36E-07 4244 8.00E-07 2833 2.82E-09 2.40E-05

Calculated
ControlLogix isolated RTD / MTBF and
1756-IRT8I(8) B thermocouple input module PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 3556 Not allowed for 1oo1 9.75E-07 2374 2.74E-09 2.33E-05
configurations
FMEA
ControlLogix isolated
1756-IT6I A 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 3514 4.04E-07 2346 2.57E-09 2.24E-05
thermocouple input module
ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 3514 5.88E-07 2346 3.76E-09 3.28E-05
input module
ControlLogix V AC output
1756-OA16I A 32,891,456 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 3514 2.43E-08 6.08E-09 5.34E-05 4.86E-08 2346 3.05E-10 2.67E-06
module
ControlLogix V AC diagnostic 11,311,040
1756-OA8D A 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 3514 7.07E-08 1.77E-08 1.55E-04 1.41E-07 2346 8.89E-10 7.80E-06
output module
ControlLogix V DC diagnostic 8,884,374
1756-OB16D A 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 3514 9.00E-08 2.25E-08 1.98E-04 1.80E-07 2346 1.13E-09 9.94E-06
output module
ControlLogix V DC
1756-OB16E A electronically fused output 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 3514 5.33E-08 1.33E-08 1.17E-04 1.07E-07 2346 6.70E-10 5.87E-06
module
ControlLogix V DC isolated
1756-OB16I A 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 3514 1.08E-07 2.71E-08 2.38E-04 2.17E-07 2346 1.37E-09 1.20E-05
output module
ControlLogix V DC output
1756-OB32 A 2,681,316 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 3514 2.98E-07 7.46E-08 6.55E-04 5.97E-07 2346 3.82E-09 3.33E-
module 05
ControlLogix V DC isolated
1756-OB8EI A electronic ally fused output 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 3514 5.71E-08 1.43E-08 1.25E-04 1.14E-07 2346 7.17E-10 6.29E-06
module
ControlLogix isolated relay
1756-OX8I A 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 3514 1.32E-07 3.30E-08 2.90E-04 2.64E-07 2346 1.67E-09 1.46E-05
output module
ControlLogix isolated relay
1756-OW16I A 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 3514 5.84E-08 1.46E-08 1.28E-04 1.17E-07 2346 7.34E-10 6.43E-06
output module
Calculated
ControlLogix analog output MTBF and
1756-OF4(8) B module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 3794 8.11E-07 2.23E-07 2.0E-03 1.62E-06 2533 1.20E-08 1.0E-04
FMEA
ControlLogix analog output
1756-OF8 A 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 3514 7.53E-08 1.88E-08 1.65E-04 1.51E-07 2346 9.46E-10 8.30E-06
module
Calculated
ControlLogix analog output MTBF and
1756-OF8(8) B module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 3794 8.11E-07 2.23E-07 2.0E-03 1.62E-06 2533 1.20E-08 1.0E-04
FMEA
ControlLogix isolated analog 2,213,369
1756-OF8I(8) A output module 4.52E-07 2.259E-07 76% 1.08E-07 1.18E-07 4202 3.44E-07 1.08E-07 9.49E-04 6.87E-07 2805 2.36E-09 2.01E-05

Calculated
ControlLogix isolated analog MTBF and
1756-OF8I(8) B output module PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 3954 4.71E-07 1.37E-07 1.2E-03 9.42E-07 2639 3.06E-09 2.59E-05
FMEA
ControlLogix isolated analog 21,604,960
1756-OF6VI A 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 3514 3.70E-08 9.26E-09 8.13E-05 7.41E-08 2346 4.64E-10 4.07E-06
output module
ControlLogix isolated analog 8,354,667
1756-OF6CI A 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 3514 9.58E-08 2.39E-08 2.10E-04 1.92E-07 2346 1.21E-09 1.06E-05
output module
ControlLogix HART analog
1756-OF8H A 5,118,187 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 3514 1.56E-07 3.91E-08 3.43E-04 3.13E-07 2346 1.98E-09 1.73E-05
output module
1794-ACN15 D FLEX I/O ControlNet adapter 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
FLEX I/O ControlNet
1794-ACNR15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
redundant adapter
FLEX I/O-XT ControlNet
1794-ACNR15XT D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 3514 1.95E-07 2346 1.23E-09 1.07E-05
adapter Not allowed for 1oo1
1794-AENT B FLEX I/O EtherNet/IP adapter 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 3514 configurations 8.99E-07 2346 5.82E-09 5.05E-05
FLEX I/O EtherNet/IP
1794-AENTR A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 3514 1.26E-06 2346 8.28E-09 7.16E-05
adapter, Ring media
FLEX I/O EtherNet/IP
1794-AENTRXT A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 3514 1.26E-06 2346 8.28E-09 7.16E-05
adapter, Ring media

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 171

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 22 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
FLEX I/O 24V DC input
1794-IB16 A 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 3514 8.91E-09 2346 5.57E-11 4.90E-07
module
FLEX I/O-XT 24V DC input
1794-IB16XT A 35,587,189 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 3514 4.50E-08 2346 2.82E-10 2.47E-06
module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 3514 2.89E-08 2346 1.81E-10 1.59E-06
1794-IJ2XT A FLEX I/O-XT counter module 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 3514 Not allowed for 1oo1 1.37E-07 2346 8.58E-10 7.53E-06
configurations
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 3514 7.26E-08 2346 4.55E-10 4.00E-06
FLEX I/O 24V DC
1794-IB10XOB6 A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
input/output module
FLEX I/O-XT 24V DC
1794-IB10XOB6XT A 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 3514 7.21E-08 2346 4.52E-10 3.96E-06
input/output module
FLEX I/O 24V DC
1794-OB8EP A electronically fused output 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused output 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 3514 1.08E-07 2346 6.80E-10 5.96E-06
module
FLEX I/O 24V DC output
1794-OB16 A 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 3514 2.95E-08 2346 1.84E-10 1.62E-06
module
Not allowed for 1oo1
FLEX I/O 24V DC protected configurations
1794-OB16P A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
output module
FLEX I/O-XT 24V DC
1794-OB16PXT A 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 3514 5.99E-08 2346 3.75E-10 3.29E-06
protected output module
FLEX I/O isolated relay
1794-OW8 A 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 3514 5.50E-08 2346 3.45E-10 3.02E-06
output module
FLEX I/O-XT isolated relay
1794-OW8XT A 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 3514 8.64E-08 2346 5.42E-10 4.75E-06
output module
1794-IE8 B FLEX I/O analog input module 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 3514 8.46E-08 2346 5.30E-10 4.65E-06
FLEX I/O-XT analog input
1794-IE8XT B 14,041,000 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 3514 1.14E-07 2346 7.15E-10 6.28E-06
module
FLEX I/O isolated analog
1794-IF4I A 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 3514 1.62E-07 2346 1.02E-09 8.92E-06
input module
FLEX I/O-XT isolated analog
1794-IF4IXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 3514 2.19E-07 2346 1.38E-09 1.21E-05
input module
FLEX I/O-XT isolated analog
1794-IF4ICFXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 3514 2.19E-07 2346 1.38E-09 1.21E-05
input module
Flex, 8 Isolated HART Analog 926,808
1794-IF8IHNFXT A 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 3514 1.73E-06 2346 1.15E-08 9.91E-05
Input, extended env
1794-IR8 A FLEX I/O RTD input module 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 3514 3.19E-07 2346 2.02E-09 1.77E-05
FLEX I/O-XT RTD input Not allowed for 1oo1
1794-IR8XT A 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 3514 configurations 1.67E-07 2346 1.05E-09 9.20E-06
module
FLEX I/O RTD/Thermocouple 1,407,269
1794-IRT8 B 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 3514 1.14E-06 2346 7.43E-09 6.43E-05
input module
FLEX I/O-XT RTD/
1794-IRT8XT B 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 3514 1.95E-07 2346 1.23E-09 1.08E-05
Thermocouple input module
FLEX I/O Thermocouple input 2,097,509
1794-IT8 A 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 3514 7.63E-07 2346 4.91E-09 4.27E-05
module
FLEX I/O isolated analog
1794-IF2XOF2I A 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 3514 1.89E-07 2346 1.19E-09 1.04E-05
input/output module
FLEX I/O-XT isolated analog
1794-IF2XOF2IXT A 6,317,918 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 3514 2.53E-07 2346 1.60E-09 1.40E-05
input/output module
FLEX I/O-XT analog
1794-IE4XOE2XT B 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 3514 1.36E-07 2346 8.52E-10 7.47E-06
input/output module
FLEX I/O analog output
1794-OE4 B 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 3514 8.68E-08 2346 5.44E-10 4.78E-06
module
FLEX I/O-XT analog output
1794-OE4XT B 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 3514 1.41E-07 2346 8.83E-10 7.75E-06
module Not allowed for 1oo1
FLEX I/O analog output configurations
1794-OF4I A 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 3514 6.70E-08 2346 4.20E-10 3.68E-06
module
FLEX I/O-XT analog output
1794-OF4IXT A 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 3514 2.91E-07 2346 1.84E-09 1.61E-05
module

172 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 22 - 2-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
1794-TB3 A FLEX I/O terminal base unit 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 3514 6.40E-09 2346 4.00E-11 3.51E-07
FLEX I/O cage-clamp generic 100,000,000 1.00E-08
1794-TB3G A 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit
FLEX I/O spring-clamp
1794-TB3GS A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
generic terminal base unit
1794-TB3S A FLEX I/O terminal base unit 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
FLEX I/O temperature Not allowed for 1oo1
1794-TB3T A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit configurations
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal base 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 3514 3.06E-08 2346 1.91E-10 1.68E-06
unit
FLEX I/O NEMA terminal base 100,000,000 1.00E-08
1794-TBN A 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
unit
FLEX I/O NEMA fused
1794-TBNF A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 3514 1.60E-08 2346 1.00E-10 8.79E-07
terminal base unit
1492-TIFM40F-F24A-2(9) A DC Input Termination Board 7,779,000 1.03E-07 1.03E-07
Analog Input Termination
1492-TAIFM16-F-3(9) A Board 11,362,000 Non-interference only 7.04E-08 Not applicable 7.04E-08 Not applicable

1492-TIFM4OF-24-2(9) A DC Output Termination Board 10,127,000 7.90E-08 7.90E-08

(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For more information on which
products have conformal coating go to http://ab.com.rockwellautomation.com/.
(2) MTBF measured in hours unless calculated (as noted). Field return values – January 2012.
(3) Calculations performed on a per module basis.
(4)  = Failure Rate = 1/MTBF.
(5) Demand rate must be less than 10 per year.
(6) Average of 1756-A4, -A7, -A10, -A13, and -A17 chassis.
(7) Suitable for use only in applications that require compliance with IEC 61508 1999 Edition 1.
(8) Calculated MTBF and PFD by FMEA to 61508-2010.
(9) SIL 2-rated for non-interference in the chassis. Data not required within a safety function.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 173

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

5-year PFD Calculations The PFD calculations in this table are calculated for a 5-year proof test interval
(43,800 hours) and are specific to ControlLogix system components.
Table 23 - 5-Year PFD Calculations
Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)
Series

STR STR
(SFF) %
1756-AXX(6) C ControlLogix chassis 22,652,010 4.41E-08 2.21E-08 95% 2.21E-09 1.99E-08 2200 4.19E-08 2.21E-09 4.86E-05
4-slot ControlLogix-XT
1756-A4LXT B 1,069,120 9.35E-07 4.68E-07 95% 4.68E-08 4.21E-07 2200 8.89E-07 4.68E-08 1.03E-03
chassis
5-slot ControlLogix-XT
1756-A5XT C 734,420 1.36E-06 6.81E-07 95% 6.81E-08 6.13E-07 2200 1.29E-06 6.81E-08 1.50E-03
chassis
7-slot ControlLogix-XT
1756-A7LXT B 27,628,178 3.62E-08 1.81E-08 95% 1.81E-09 1.63E-08 2200 3.44E-08 1.81E-09 3.98E-05
chassis
7-slot ControlLogix-XT
1756-A7XT C 1,081,600 9.25E-07 4.62E-07 95% 4.62E-08 4.16E-07 2200 8.78E-07 4.62E-08 1.02E-03
chassis
18-32V DC 10 A
1756-PB72 C ControlLogix power 31,561,095 3.17E-08 1.58E-08 95% 1.58E-09 1.43E-08 2200 3.01E-08 1.58E-09 3.49E-05
supply
85-265V AC 10 A
1756-PA72 C ControlLogix power 18,336,146 5.45E-08 2.73E-08 95% 2.73E-09 2.45E-08 2200 5.18E-08 2.73E-09 6.00E-05
supply
85-265V AC 13 A
1756-PA75 B ControlLogix power 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 2200 5.08E-08 2.67E-09 5.88E-05
supply (75 W)
85-265V AC 13 A
1756-PA75R A Redundant ControlLogix 1,412,877 7.08E-07 3.54E-07 95% 3.54E-08 3.18E-07 2200 6.72E-07 3.54E-08 7.79E-04
power supply
18-32V DC 13 A
1756-PB75 B ControlLogix power 15,675,475 6.38E-08 3.19E-08 95% 3.19E-09 2.87E-08 2200 6.06E-08 3.19E-09 7.02E-05
supply
18-32V DC 13 A
1756-PB75R A Redundant ControlLogix 1,736,020 5.76E-07 2.88E-07 95% 2.88E-08 2.59E-07 2200 5.47E-07 2.88E-08 6.34E-04
power supply Not applicable
ControlLogix-XT AC
1756-PAXT B 18,693,044 5.35E-08 2.67E-08 95% 2.67E-09 2.41E-08 2200 5.08E-08 2.67E-09 5.88E-05
power supply
ControlLogix-XT DC
1756-PBXT B 1,855,360 5.39E-07 2.69E-07 95% 2.69E-08 2.43E-07 2200 5.12E-07 2.69E-08 5.93E-04
power supply
30-60V DC 13 A
1756-PC75 B ControlLogix power 5,894,836 1.70E-07 8.48E-08 95% 8.48E-09 7.63E-08 2200 1.61E-07 8.48E-09 1.87E-04
supply
90-143V DC 13 A
1756-PH75 B ControlLogix power 2,119,520 4.72E-07 2.36E-07 95% 2.36E-08 2.12E-07 2200 4.48E-07 2.36E-08 5.19E-04
supply
Redundant power supply 45,146,727
1756-PSCA A 2.21E-08 1.11E-08 95% 1.11E-09 9.97E-09 2200 2.10E-08 1.11E-09 2.44E-05
adapter
Redundant power supply 38,461,280
1756-PSCA2 A 2.60E-08 1.30E-08 95% 1.30E-09 1.17E-08 2200 2.47E-08 1.30E-09 2.86E-05
adapter
ControlNet Fiber repeater 26,461,760
1786-RPFS A 3.78E-08 1.89E-08 95% 1.89E-09 1.70E-08 2200 3.59E-08 1.89E-09 4.16E-05
- short
ControlNet Fiber repeater 16,697,862
1786-RPFM A 5.99E-08 2.99E-08 95% 2.99E-09 2.69E-08 2200 5.69E-08 2.99E-09 6.59E-05
- medium
ControlNet Fiber repeater 5,717,227
1786-RPFRL A 1.75E-07 8.75E-08 95% 8.75E-09 7.87E-08 2200 1.66E-07 8.75E-09 1.92E-04
- long
1786-RPCD A ControlNet Hub repeater 28,654,080 3.49E-08 1.74E-08 95% 1.74E-09 1.57E-08 2200 3.32E-08 1.74E-09 3.84E-05
ControlNet repeater
1786-RPA B 11,826,146 8.46E-08 4.23E-08 95% 4.23E-09 3.81E-08 2200 8.03E-08 4.23E-09 9.30E-05
adapter
ControlNet Fiber repeater 11,373,440
1786-RPFRXL B 8.79E-08 4.40E-08 95% 4.40E-09 3.96E-08 2200 8.35E-08 4.40E-09 9.67E-05
- extra long

174 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 23 - 5-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix controller,
1756-L61(7) B 2 MB 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 2200 9.50E-07 5.00E-08 1.10E-03

ControlLogix controller,
1756-L62(7) B 4 MB 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 2200 9.18E-07 4.83E-08 1.06E-03

ControlLogix controller,
1756-L63(7) B 8 MB 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 2200 9.00E-07 4.74E-08 1.04E-03

ControlLogix-XT
1756-L63XT(7) B controller, 8 MB 357,760 2.80E-06 1.40E-06 95% 1.40E-07 1.26E-06 2200 2.66E-06 1.40E-07 3.07E-03

ControlLogix controller,
1756-L71(8) B 2 MB
2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller,
1756-L72(8) B 4 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller, Calculated

1756-L73(8) B 8 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03
MTBF and
ControlLogix-XT PFD via
1756-L73XT(8) B controller, 8 MB FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix controller,
1756-L74(8) B 16 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03 Not applicable

ControlLogix controller,
1756-L75(8) B 32 MB 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix controller,
1756-L61S(7) B 2 MB standard 1,000,053 1.00E-06 5.00E-07 95% 5.00E-08 4.50E-07 2200 9.50E-07 5.00E-08 1.10E-03

GuardLogix controller,
1756-L62S(7) B 4 MB standard 1,034,830 9.66E-07 4.83E-07 95% 4.83E-08 4.35E-07 2200 9.18E-07 4.83E-08 1.06E-03

GuardLogix controller,
1756-L63S(7) B 8 MB standard 1,055,910 9.47E-07 4.74E-07 95% 4.74E-08 4.26E-07 2200 9.00E-07 4.74E-08 1.04E-03

GuardLogix controller,
1756-L71S(8) B 2 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix controller, Calculated

1756-L72S(8) B 4 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03
MTBF and
GuardLogix controller, 8 PFD via
1756-L73S(8) B MB standard FMEA 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

GuardLogix-XT controller,
1756-L73SXT(8) B 8 MB standard 2.69E-06 1.34E-06 96% 1.01E-07 1.25E-06 1661 2.91E-06 1.01E-07 2.20E-03

ControlLogix ControlNet
1756-CNB E 1,786,977 5.60E-07 2.80E-07 95% 2.80E-08 2.52E-07 2200 5.32E-07 2.80E-08 6.16E-04
communication module
ControlLogix ControlNet
1756-CNBR E redundant 2,608,543 3.83E-07 1.92E-07 95% 1.92E-08 1.73E-07 2200 3.64E-07 1.92E-08 4.22E-04
communication module
ControlLogix ControlNet
1756-CN2 B 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 2200 8.67E-07 4.56E-08 1.00E-03
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2(8) C communication module PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
FMEA
ControlLogix ControlNet
1756-CN2R B redundant 1,096,299 9.12E-07 4.56E-07 95% 4.56E-08 4.10E-07 2200 8.67E-07 4.56E-08 1.00E-03 Not applicable
communication module
Calculated
ControlLogix ControlNet MTBF and
1756-CN2R(8) C redundant PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
communication module FMEA
ControlLogix-XT
1756-CN2RXT B ControlNet redundant 1,980,160 5.05E-07 2.53E-07 95% 2.53E-08 2.27E-07 2200 4.80E-07 2.53E-08 5.56E-04
communication module
Calculated
ControlLogix-XT MTBF and
1756-CN2RXT(8) C ControlNet redundant PFD via 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03
communication module FMEA
ControlLogix Data
1756-DHRIO(9) E Highway Plus Remote I/O 2,503,396 3.79E-07 2.00E-08 7.59E-07
Module
ControlLogix-XT Data
1756-DHRIOXT(9) E Highway Plus remote I/O 2,503,396 3.79E-07 2.00E-08 Not 7.59E-07
module Non-interference only Not applicable
applicable
(9) ControlLogix DeviceNet
1756-DNB D 2,192,202 4.33E-07 2.28E-08 8.67E-07
communication module
ControlLogix EtherNet/IP 2,088,198
1756-ENBT(9) A communication module 4.55E-07 2.39E-08 9.10E-07

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 175

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 23 - 5-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix EtherNet/IP 1,312,712
1756-EN2T C 7.62E-07 3.81E-07 95% 3.81E-08 3.43E-07 2200 7.24E-07 3.81E-08 8.38E-04
communication module
ControlLogix EtherNet/IP 269,774
1756-EN2T(9) D communication module Non-interference only 3.71E-06 Not applicable Not applicable
ControlLogix EtherNet/IP
1756-EN2TR B communication module 3,664,960 2.73E-07 1.36E-07 95% 1.36E-08 1.23E-07 2200 2.59E-07 1.36E-08 3.00E-04
with fault tolerance
ControlLogix EtherNet/IP
1756-EN2TR(8) C communication module Calculated 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03 3.82E-06 988.76 1.51E-09 3.19E-05
with fault tolerance MTBF and
ControlLogix EtherNet/IP PFD via
1756-EN2TRXT(8) C communication module FMEA 1.97E-06 9.87E-07 96.6% 6.62E-08 9.21E-07 1478.14 1.91E-06 6.62E-08 1.50E-03 3.82E-06 988.76 1.51E-09 3.19E-05
with fault tolerance
ControlLogix-XT
1756-EN2TXT C EtherNet/IP 1,300,000 7.69E-07 3.85E-07 95% 3.85E-08 3.46E-07 2200 7.31E-07 3.85E-08 8.46E-04 Not applicable
communication module
ControlLogix-XT
1756-EN2TXT(9) D EtherNet/IP 269,774 3.71E-06
communication module
ControlLogix EtherNet/IP
1756-EN3TR B communication module 269,774 3.71E-06
with fault tolerance
ControlLogix redundancy 1,373,840
1756-RM(9) B module 6.91E-07
Not applicable
ControlLogix enhanced Non-interference only
1756-RM2(9) A redundancy module 250,182 4.00E-06

ControlLogix-XT
1756-RM2XT(9) A enhanced redundancy 250,182 4.00E-06
module
ControlLogix-XT
1756-RMXT(9) B redundancy module 980,096 9.69E-07

ControlLogix SynchLink
1756-SYNCH(9) A Module 6,932,640 1.37E-07 Not applicable 2.74E-07 Not applicable

ControlLogix isolated V
1756-IA16I A 20,801,920 4.81E-08 2.40E-08 80% 9.61E-09 1.44E-08 8770 3.85E-08 9.61E-09 2.11E-04 7.69E-08 5850 4.84E-10 1.06E-05
AC input module
ControlLogix diagnostic V 15,966,080
1756-IA8D A 6.26E-08 3.13E-08 80% 1.25E-08 1.88E-08 8770 5.01E-08 1.25E-08 2.75E-04 1.00E-07 5850 6.33E-10 1.38E-05
AC input module
ControlLogix diagnostic V 30,228,640
1756-IB16D A 3.31E-08 1.65E-08 80% 6.62E-09 9.92E-09 8770 2.65E-08 6.62E-09 1.45E-04 5.29E-08 5850 3.33E-10 7.28E-06
DC input module
ControlLogix isolated V
1756-IB16I A 81,443,094 1.23E-08 6.14E-09 80% 2.46E-09 3.68E-09 8770 9.82E-09 2.46E-09 5.38E-05 1.96E-08 5850 1.23E-10 2.70E-06
DC input module
ControlLogix isolated V
1756-IB16ISOE A DC Sequence Of Events 11,537,760 8.67E-08 4.33E-08 80% 1.73E-08 2.60E-08 8770 6.93E-08 1.73E-08 3.80E-04 1.39E-07 5850 8.79E-10 1.92E-05
input module
ControlLogix V DC input
1756-IB32 B 10,462,329 9.56E-08 4.78E-08 80% 1.91E-08 2.87E-08 8770 7.65E-08 1.91E-08 4.19E-04 1.53E-07 5850 9.70E-10 2.12E-05
module
ControlLogix analog input 8,699,254
1756-IF8 A 1.15E-07 5.75E-08 80% 2.30E-08 3.45E-08 8770 9.20E-08 2.30E-08 5.04E-04 1.84E-07 5850 1.17E-09 2.55E-05
module
Calculated
ControlLogix analog input MTBF and
1756-IF8(8) B module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 9233 7.45E-07 1.99E-07 4.4E-03 1.49E-06 6159 1.10E-08 2.4E-04
FMEA
ControlLogix isolated
1756-IF8I(8) A analog input module 2,337,541 4.28E-07 2.139E-07 77% 9.81E-08 1.16E-07 10054 3.3E-07 9.81E-08 2.15E-03 6.59E-07 6706 2.37E-09 4.89E-05

Calculated
ControlLogix isolated MTBF and
1756-IF8I(8) B analog input module PFD via 5.83E-07 2.92E-07 78% 1.26E-07 1.66E-07 9445 4.58E-07 1.26E-07 2.77E-03 9.15E-07 6300 3.19E-09 6.51E-05
FMEA
ControlLogix HART analog 1,291,978
1756-IF8H A 7.74E-07 3.87E-07 80% 1.55E-07 2.32E-07 8770 6.19E-07 1.55E-07 3.39E-03 1.24E-06 5850 8.69E-09 1.84E-04
input module
ControlLogix analog input 4,592,506
1756-IF16 A 2.18E-07 1.09E-07 80% 4.35E-08 6.53E-08 3514 1.74E-07 4.35E-08 3.83E-04 3.48E-07 2346 2.21E-09 1.93E-05
module
Calculated
ControlLogix analog input MTBF and
1756-IF16(8) B module PFD via 9.43E-07 4.71E-07 79% 1.98E-07 2.73E-07 9233 7.45E-07 1.99E-07 4.4E-03 1.49E-06 6159 1.10E-08 2.4E-04
FMEA
ControlLogix HART analog 442,914
1756-IF16H A 2.26E-06 1.13E-06 80% 4.52E-07 6.77E-07 8770 1.81E-06 4.52E-07 9.90E-03 3.61E-06 5850 3.06E-08 6.13E-04
input module
ControlLogix isolated
1756-IF6CIS A 2,654,080 3.77E-07 1.88E-07 80% 7.54E-08 1.13E-07 8770 3.01E-07 7.54E-08 1.65E-03 6.03E-07 5850 3.99E-09 8.59E-05
analog input module
ControlLogix isolated
1756-IF6I A 4,176,185 2.39E-07 1.20E-07 80% 4.79E-08 7.18E-08 8770 1.92E-07 4.79E-08 1.05E-03 3.83E-07 5850 2.49E-09 5.38E-05
analog input module

176 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 23 - 5-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
ControlLogix V DC
1756-IH16ISOE A Sequence Of Events input 2,150,720 4.65E-07 2.32E-07 80% 9.30E-08 1.39E-07 8770 3.72E-07 9.30E-08 2.04E-03 7.44E-07 5850 4.99E-09 1.07E-04
module
ControlLogix isolated RTD 4,268,525
1756-IR6I A 2.34E-07 1.17E-07 80% 4.69E-08 7.03E-08 8770 3.75E-07 5850 2.43E-09 5.26E-05
input module
ControlLogix isolated 2.636E-
1756-IRT8I(8) A RTD/thermocouple input 1,896,813 5.27E-07 07 76% 1.274E-07 1.362E-07 10594 8.00E-07 7066 3.23E-09 6.58E-05
module
Calculated
ControlLogix isolated MTBF and
1756-IRT8I(8) B RTD/thermocouple input PFD via 6.11E-07 3.06E-07 80% 1.24E-07 1.82E-07 8874
Not allowed for 1oo1 configurations
9.75E-07 5919 3.13E-09 6.39E-05
module FMEA
ControlLogix isolated
1756-IT6I A thermocouple input 3,957,824 2.53E-07 1.26E-07 80% 5.05E-08 7.58E-08 8770 4.04E-07 5850 2.63E-09 5.69E-05
module
ControlLogix isolated
1756-IT6I2 A enhanced thermocouple 2,720,046 3.68E-07 1.84E-07 80% 7.35E-08 1.10E-07 8770 5.88E-07 5850 3.89E-09 8.37E-05
input module
ControlLogix V AC output 32,891,456
1756-OA16I A 3.04E-08 1.52E-08 80% 6.08E-09 9.12E-09 8770 2.43E-08 6.08E-09 1.33E-04 4.86E-08 5850 3.05E-10 6.69E-06
module
ControlLogix V AC
1756-OA8D A diagnostic output module 11,311,040 8.84E-08 4.42E-08 80% 1.77E-08 2.65E-08 8770 7.07E-08 1.77E-08 3.88E-04 1.41E-07 5850 8.96E-10 1.96E-05

ControlLogix V DC
1756-OB16D A diagnostic output module 8,884,374 1.13E-07 5.63E-08 80% 2.25E-08 3.38E-08 8770 9.00E-08 2.25E-08 4.94E-04 1.80E-07 5850 1.15E-09 2.50E-05

ControlLogix V DC
1756-OB16E A electronically fused 14,997,714 6.67E-08 3.33E-08 80% 1.33E-08 2.00E-08 8770 5.33E-08 1.33E-08 2.92E-04 1.07E-07 5850 6.74E-10 1.47E-05
output module
ControlLogix V DC
1756-OB16I A 7,388,160 1.35E-07 6.77E-08 80% 2.71E-08 4.06E-08 8770 1.08E-07 2.71E-08 5.94E-04 2.17E-07 5850 1.38E-09 3.01E-05
isolated output module
ControlLogix V DC output 2,681,316
1756-OB32 A 3.73E-07 1.86E-07 80% 7.46E-08 1.12E-07 8770 2.98E-07 7.46E-08 1.64E-03 5.97E-07 5850 3.95E-09 8.50E-05
module
ControlLogix V DC
1756-OB8EI A isolated electronically 14,019,200 7.13E-08 3.57E-08 80% 1.43E-08 2.14E-08 8770 5.71E-08 1.43E-08 3.13E-04 1.14E-07 5850 7.21E-10 1.58E-05
fused output module
ControlLogix isolated
1756-OX8I A 6,059,635 1.65E-07 8.25E-08 80% 3.30E-08 4.95E-08 8770 1.32E-07 3.30E-08 7.24E-04 2.64E-07 5850 1.69E-09 3.68E-05
relay output module
ControlLogix isolated
1756-OW16I A 13,695,899 7.30E-08 3.65E-08 80% 1.46E-08 2.19E-08 8770 5.84E-08 1.46E-08 3.20E-04 1.17E-07 5850 7.39E-10 1.61E-05
relay output module
Calculated
ControlLogix analog MTBF and
1756-OF4(8) B output module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 9470 8.11E-07 2.23E-07 4.9E-03 1.62E-06 6317 1.30E-08 2.7E-04
FMEA
ControlLogix analog
1756-OF8 A 10,629,795 9.41E-08 4.70E-08 80% 1.88E-08 2.82E-08 8770 7.53E-08 1.88E-08 4.13E-04 1.51E-07 5850 9.55E-10 2.08E-05
output module
Calculated
ControlLogix analog MTBF and
1756-OF8(8) B output module PFD via 1.03E-06 5.17E-07 78% 2.23E-07 2.93E-07 9470 8.11E-07 2.23E-07 4.9E-03 1.62E-06 6317 1.30E-08 2.7E-04
FMEA
ControlLogix isolated
1756-OF8I(8) A analog output module 2,213,369 4.52E-07 2.259E-07 76% 1.08E-07 1.18E-07 10490 3.44E-07 1.08E-07 2.37E-03 6.87E-07 6997 2.65E-09 5.46E-05

Calculated MTBF
ControlLogix isolated
1756-OF8I(8) B analog output module and PFD via 6.08E-07 3.04E-07 78% 1.37E-07 1.67E-07 9869 4.71E-07 1.37E-07 3.0E-03 9.42E-07 6583 3.53E-09 7.16E-05
FMEA
ControlLogix isolated
1756-OF6VI A 21,604,960 4.63E-08 2.31E-08 80% 9.26E-09 1.39E-08 8770 3.70E-08 9.26E-09 2.03E-04 7.41E-08 5850 4.66E-10 1.02E-05
analog output module
ControlLogix isolated
1756-OF6CI A 8,354,667 1.20E-07 5.98E-08 80% 2.39E-08 3.59E-08 8770 9.58E-08 2.39E-08 5.25E-04 1.92E-07 5850 1.22E-09 2.66E-05
analog output module
ControlLogix HART analog 5,118,187
1756-OF8H A 1.95E-07 9.77E-08 80% 3.91E-08 5.86E-08 8770 1.56E-07 3.91E-08 8.57E-04 3.13E-07 5850 2.01E-09 4.37E-05
output module
FLEX I/O ControlNet
1794-ACN15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
adapter
FLEX I/O ControlNet
1794-ACNR15 D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
redundant adapter
FLEX I/O-XT ControlNet
1794-ACNR15XT D 8,223,684 1.22E-07 6.08E-08 80% 2.43E-08 3.65E-08 8770 1.95E-07 5850 1.24E-09 2.70E-05
adapter
Not allowed for 1oo1 configurations
FLEX I/O EtherNet/IP
1794-AENT B 1,779,827 5.62E-07 2.81E-07 80% 1.12E-07 1.69E-07 8770 8.99E-07 5850 6.12E-09 1.30E-04
adapter
FLEX I/O EtherNet/IP
1794-AENTR A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 8770 1.26E-06 5850 8.87E-09 1.87E-04
adapter, Ring media
FLEX I/O EtherNet/IP
1794-AENTRXT A 1,268,070 7.89E-07 3.94E-07 80% 1.58E-07 2.37E-07 8770 1.26E-06 5850 8.87E-09 1.87E-04
adapter, Ring media

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 177

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 23 - 5-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
FLEX I/O 24V DC input
1794-IB16 A 179,506,158 5.57E-09 2.79E-09 80% 1.11E-09 1.67E-09 8770 8.91E-09 5850 5.58E-11 1.22E-06
module
FLEX I/O-XT 24V DC input 35,587,189
1794-IB16XT A 2.81E-08 1.40E-08 80% 5.62E-09 8.43E-09 8770 4.50E-08 5850 2.82E-10 6.18E-06
module
1794-IJ2 A FLEX I/O counter module 55,344,640 1.81E-08 9.03E-09 80% 3.61E-09 5.42E-09 8770 2.89E-08 5850 1.81E-10 3.97E-06
FLEX I/O-XT counter
1794-IJ2XT A 11,714,128 8.54E-08 4.27E-08 80% 1.71E-08 2.56E-08 8770 Not allowed for 1oo1 configurations 1.37E-07 5850 8.65E-10 1.89E-05
module
1794-IP4 B FLEX I/O counter module 22,027,200 4.54E-08 2.27E-08 80% 9.08E-09 1.36E-08 8770 7.26E-08 5850 4.57E-10 1.00E-05
FLEX I/O 24V DC
1794-IB10XOB6 A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
input/output module
FLEX I/O-XT 24V DC
1794-IB10XOB6XT A 22,202,487 4.50E-08 2.25E-08 80% 9.01E-09 1.35E-08 8770 7.21E-08 5850 4.54E-10 9.92E-06
input/output module
FLEX I/O 24V DC
1794-OB8EP A electronically fused 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
output module
FLEX I/O-XT 24V DC
1794-OB8EPXT A electronically fused 14,771,049 6.77E-08 3.38E-08 80% 1.35E-08 2.03E-08 8770 1.08E-07 5850 6.84E-10 1.49E-05
output module
FLEX I/O 24V DC output
1794-OB16 A 54,322,632 1.84E-08 9.20E-09 80% 3.68E-09 5.52E-09 8770 2.95E-08 5850 1.85E-10 4.04E-06
module
FLEX I/O 24V DC Not allowed for 1oo1 configurations
1794-OB16P A protected output module 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06

FLEX I/O-XT 24V DC

1794-OB16PXT A protected output module 26,709,401 3.74E-08 1.87E-08 80% 7.49E-09 1.12E-08 8770 5.99E-08 5850 3.77E-10 8.24E-06

FLEX I/O isolated relay

1794-OW8 A 29,088,895 3.44E-08 1.72E-08 80% 6.88E-09 1.03E-08 8770 5.50E-08 5850 3.46E-10 7.56E-06
output module
FLEX I/O-XT isolated
1794-OW8XT A 18,518,519 5.40E-08 2.70E-08 80% 1.08E-08 1.62E-08 8770 8.64E-08 5850 5.45E-10 1.19E-05
relay output module
FLEX I/O analog input
1794-IE8 B 18,914,770 5.29E-08 2.64E-08 80% 1.06E-08 1.59E-08 8770 8.46E-08 5850 5.33E-10 1.17E-05
module
FLEX I/O-XT analog input 14,041,000
1794-IE8XT B 7.12E-08 3.56E-08 80% 1.42E-08 2.14E-08 8770 1.14E-07 5850 7.20E-10 1.57E-05
module
FLEX I/O isolated analog
1794-IF4I A 9,885,959 1.01E-07 5.06E-08 80% 2.02E-08 3.03E-08 8770 1.62E-07 5850 1.03E-09 2.24E-05
input module
FLEX I/O-XT isolated
1794-IF4IXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 8770 2.19E-07 5850 1.40E-09 3.05E-05
analog input module
FLEX I/O-XT isolated
1794-IF4ICFXT A 7,297,140 1.37E-07 6.85E-08 80% 2.74E-08 4.11E-08 8770 2.19E-07 5850 1.40E-09 3.05E-05
analog input module
Flex, 8 Isolated HART
1794-IF8IHNFXT A analog input, extended 926,808 1.08E-06 5.39E-07 80% 2.16E-07 3.24E-07 8770 1.73E-06 5850 1.26E-08 2.64E-04
env
FLEX I/O RTD input
1794-IR8 A 5,016,231 1.99E-07 9.97E-08 80% 3.99E-08 5.98E-08 8770 3.19E-07 5850 2.06E-09 4.46E-05
module
FLEX I/O-XT RTD input Not allowed for 1oo1 configurations 1.67E-07
1794-IR8XT A 9,585,890 1.04E-07 5.22E-08 80% 2.09E-08 3.13E-08 8770 5850 1.06E-09 2.31E-05
module
FLEX I/O RTD/
1794-IRT8 B Thermocouple input 1,407,269 7.11E-07 3.55E-07 80% 1.42E-07 2.13E-07 8770 1.14E-06 5850 7.91E-09 1.67E-04
module
FLEX I/O-XT RTD/
1794-IRT8XT B Thermocouple input 8,204,792 1.22E-07 6.09E-08 80% 2.44E-08 3.66E-08 8770 1.95E-07 5850 1.24E-09 2.71E-05
module
FLEX I/O Thermocouple
1794-IT8 A 2,097,509 4.77E-07 2.38E-07 80% 9.54E-08 1.43E-07 8770 7.63E-07 5850 5.13E-09 1.10E-04
input module
FLEX I/O isolated analog
1794-IF2XOF2I A 8,464,844 1.18E-07 5.91E-08 80% 2.36E-08 3.54E-08 8770 1.89E-07 5850 1.20E-09 2.62E-05
input/output module
FLEX I/O-XT isolated
1794-IF2XOF2IXT A analog input/output 6,317,918 1.58E-07 7.91E-08 80% 3.17E-08 4.75E-08 8770 2.53E-07 5850 1.62E-09 3.53E-05
module
FLEX I/O-XT analog
1794-IE4XOE2XT B 11,800,802 8.47E-08 4.24E-08 80% 1.69E-08 2.54E-08 8770 1.36E-07 5850 8.59E-10 1.87E-05
input/output module
FLEX I/O analog output
1794-OE4 B 18,433,610 5.42E-08 2.71E-08 80% 1.08E-08 1.63E-08 8770 8.68E-08 5850 5.47E-10 1.20E-05
module
FLEX I/O-XT analog
1794-OE4XT B 11,381,744 8.79E-08 4.39E-08 80% 1.76E-08 2.64E-08 8770 1.41E-07 5850 8.91E-10 1.94E-05
output module
Not allowed for 1oo1 configurations
FLEX I/O analog output
1794-OF4I A 23,884,409 4.19E-08 2.09E-08 80% 8.37E-09 1.26E-08 8770 6.70E-08 5850 4.21E-10 9.22E-06
module
FLEX I/O-XT analog
1794-OF4IXT A 5,493,902 1.82E-07 9.10E-08 80% 3.64E-08 5.46E-08 8770 2.91E-07 5850 1.87E-09 4.07E-05
output module

178 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Table 23 - 5-Year PFD Calculations (Continued)

Common Terms(3) 1oo1 Configuration 1oo2 Configuration
Mean Time
between Safe
Cat No.(1)(2) Description Failure Spurious Spurious
s, d Failure  TCE1oo1
(4) Fraction du
dd Trip Rate PFH(5) PFD Trip Rate TGE PFH(5) PFD
(MTBF)(2)

Series
STR STR
(SFF) %
FLEX I/O terminal base
1794-TB3 A 250,000,000 4.00E-09 2.00E-09 80% 8.00E-10 1.20E-09 8770 6.40E-09 5850 4.00E-11 8.77E-07
unit
FLEX I/O cage-clamp
1794-TB3G A generic terminal base 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit
FLEX I/O spring-clamp
1794-TB3GS A generic terminal base 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit
FLEX I/O terminal base
1794-TB3S A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
unit Not allowed for 1oo1 configurations
FLEX I/O temperature
1794-TB3T A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
terminal base unit
FLEX I/O spring-clamp
1794-TB3TS A temperature terminal 52,312,000 1.91E-08 9.56E-09 80% 3.82E-09 5.73E-09 8770 3.06E-08 5850 1.92E-10 4.20E-06
base unit
FLEX I/O NEMA terminal
1794-TBN A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
base unit
FLEX I/O NEMA fused
1794-TBNF A 100,000,000 1.00E-08 5.00E-09 80% 2.00E-09 3.00E-09 8770 1.60E-08 5850 1.00E-10 2.19E-06
terminal base unit
DC input termination
1492-TIFM40F-F24A-2(9) A board 7,779,000 7.04E-08 1.03E-07

Analog input termination 11,362,000

1492-TAIFM16-F-3(9) A board Non-interference only 7.90E-08 Not applicable 7.04E-08 Not applicable

DC output termination
1492-TIFM4OF-24-2(9) A board 10,127,000 0.00E+00 0.00E+00

(1) Some catalog numbers have a K suffix. This indicates a version of the product that has conformal coating. These K versions have the same SIL 2 certification as the non-K versions. For more information on which
products have conformal coating go to http://ab.com.rockwellautomation.com/
(2) MTBF measured in hours unless calculated (as noted). Field return values – January 2012.
(3) Calculations performed on a per module basis.
(4)  = Failure Rate = 1/MTBF.
(5) Demand rate must be less than 10 per year
(6) Average of 1756-A4, -A7, -A10, -A13, and -A17 chassis.
(7) Suitable for use only in applications that require compliance with IEC 61508 1999 Edition 1
(8) Calculated MTBF and PFD by FMEA to 61508-2010.
(9) SIL 2-rated for non-interference in the chassis. Data not required within a safety function.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 179

Appendix C PFD and PFH Calculations for 1756 ControlLogix and 1794 FLEX I/O Modules

Use Component Values The system PFD value is calculated by totaling the PFD value of each
to Calculate System PFD component in the system. To calculate a system PFD value, use this equation:
modA PFD + modB PFD + modC PFD = system PFD

where modX PFD is the PFD value for one component or module in the system.
When calculating your system PFD, verify that all components that are used in
the system are totaled.

Example: 1-year PFD Calculation for a ControlLogix System

(1oo1 Configuration)

This example shows an example of a PFD calculation for a traditional

ControlLogix system in a fail-safe configuration. This example system uses
one chassis for the controller and a second chassis for the I/O. For an example,
see the top two chassis in Figure 3 on page 19.

Cat. No. Description Calculated

1756-IB16D ControlLogix V DC diagnostic input module 1.46E-06 (1oo2)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - I/O chassis 3.00E-04 (1oo1)
1756-L72 ControlLogix controller, 4 MB 4.50E-04 (1oo1)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - controller chassis 3.00E-04 (1oo1)
1756-OB16D ControlLogix V DC diagnostic output module 4.97E-06 (1oo2)(1)
Total safety loop PFD: 1.056E-03
Percent of SIL 2 budget: 10.56%
(1) 1oo2 represents using a 1756-OB16D module to control the SIL 2 actuator and using a second 1756-OB16D module to control the secondary relay output.

Example: 1-year PFD Calculation for a ControlLogix System

(1oo2 Configuration)

See Figure 6 on page 22 for a system diagram of the example calculation that is
shown here.

Cat. No. Description Calculated

1756-IB16D ControlLogix V DC diagnostic input module 1.46E-06 (1oo2)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - I/O chassis 6.11E-06 (1oo2)(1)
1756-L72 ControlLogix controller, 4 MB 4.50E-04 (1oo1)
1756-EN2TR Series C ControlLogix EtherNet/IP communication module - controller chassis 6.11E-06 (1oo2)
1756-OB16D ControlLogix V DC diagnostic output module 4.97E-06 (1oo2)
Total safety loop PFD: 4.69E-04
Percent of SIL 2 budget: 4.69%
(1) 1oo2 is being used because the I/O modules are being split among two chassis.

180 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix D

PFD and PFH Calculations for

1715 Redundant I/O Modules

About PFD and PFH The tables and examples in this document provide failure rates and PFH and
Calculations PFDavg channel data. You can use the data to calculate SIL performance for
SIFs using combinations of 1715 I/O modules in applications with a 24-hour
mean time to restoration (MTTR) and with a 20-year Mission Time. Where
appropriate, the data is provided for Single and Dual module configurations.

If a de-energize to action system is configured to provide a shutdown on the

first fault, the MTTR has a negligible effect, hence, the tables in the PFD Data
can be used for any MTTR.

Assumptions The following assumptions apply to the PFD and PFH calculations of the 1715
system:
• PFD and PFH values in this manual are calculated with formulas that are
explained in IEC 61508, Part 6, Annex B. For more information about
calculating PFD values for your system, see IEC 61508, Part 6.
• Base units and termination assemblies are included in the module
calculations or the binding and peer-to-peer communications data.
• The random hardware failure rates assume the ambient temperature of
the environment in which the system is operating is 40 °C (104 °F).
System operation at an elevated ambient is likely to have a detrimental
effect on failure rates.
• Exposure to Neutrons is assumed to be at sea level (NY, NY) in common
with industry standard (JESD89A). The exposure to Neutrons
experienced by a system under use at altitude is expected to be at much
greater levels.
• Capacitors are operated at 50% of the maximum ratings.
• The mission time is assumed to be 20 years.
• The Module Failure Rates are the sum of the individual component
failure rates for every component in the product.
• The  values are calculated based on the internal architecture of the
products for an individual SIF.
• For I/O Modules, the Common Part and the I/O Point Part s are
calculated separately.
• ß = 1%, ßD = 0.5%

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 181

Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

I/O Module Common Part In addition to the Single and Dual data, the values in the tables are provided in
and I/O Point Part three forms for I/O modules:
• Common Part
• I/O Point Part
• Common + 1 I/O Point

The Common + 1 I/O Point values can be used when one I/O point on a module
is used in a Safety Function.

When multiple I/O on the same module are used in a Safety Function, the
Common Part and I/O Point Part values can be used.

182 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Module failure rates See this table for information about module failure rates.

MTBF
Module Module Description FPMH
Years
1715-AENTR Ethernet adapter - 45.72 2.50
Common + 1 I/O Point 106.24 1.07
1715-IB16D 16-channel digital input module
Common + All Points 51.11 2.23
Common + 1 I/O Point 106.24 1.07
1715-IF16 16-channel analog input module
Common + All Points 51.11 2.23
1715-OB8DE Common + 1 I/O Point 106.24 1.07
8-channel digital output module
Common + All Points 51.11 2.23
Common + 1 I/O Point 106.24 1.07
1715-OF8I 8-channel analog output module
Common + All Points 51.11 2.23

1715 Failure Rates See these tables for information about 1715 failure rates.
Table 24 - De-energize to Action Failure Rates
Module Module Configuration s d su du sd dd
1715-AENTR Duplex Adapter 1.26E-08 1.27E-08 1.51E-10 1.53E-10 1.24E-08 1.26E-08
Common 4.98E-07 4.99E-07 5.08E-10 5.08E-10 4.98E-07 4.98E-07
Simplex
1715-IB16D 1 IO Point 3.85E-08 3.88E-08 3.15E-10 3.18E-10 3.82E-08 3.85E-08
Digital Input Common 2.60E-09 2.69E-09 9.07E-11 9.40E-11 2.51E-09 2.60E-09
Duplex
1 IO Point 3.11E-10 4.04E-10 7.10E-11 9.20E-11 2.40E-10 3.11E-10
Common 4.98E-07 4.99E-07 5.08E-10 5.08E-10 4.98E-07 4.98E-07
Single
1715-IF16 1 IO Point 3.85E-08 3.88E-08 3.15E-10 3.18E-10 3.82E-08 3.85E-08
Analog Input Common 2.60E-09 2.69E-09 9.07E-11 9.40E-11 2.51E-09 2.60E-09
Dual
1 IO Point 3.11E-10 4.04E-10 7.10E-11 9.20E-11 2.40E-10 3.11E-10
Common 1.21E-06 2.31E-08 1.56E-08 2.99E-10 1.19E-06 2.28E-08
Single
1715-OB8DE 1 IO Point 2.04E-08 6.78E-10 5.59E-12 1.86E-13 2.04E-08 6.77E-10
Digital Output Common 3.49E-09 4.09E-09 5.11E-10 5.98E-10 2.98E-09 3.49E-09
Dual
1 IO Point 7.35E-11 7.39E-11 3.69E-13 3.71E-13 7.31E-11 7.35E-11
Common 5.27E-08 5.31E-08 4.11E-10 4.15E-10 5.23E-08 5.27E-08
Single
1715-OF8I 1 IO Point 7.41E-08 1.38E-07 5.00E-11 9.34E-11 7.40E-08 1.38E-07
Analog Output Common 3.53E-10 1.18E-09 2.47E-10 8.29E-10 1.05E-10 3.53E-10
Dual
1 IO Point 7.48E-10 9.35E-10 1.49E-10 1.87E-10 5.98E-10 7.48E-10

Table 25 - Energize to Action Failure Rates

Module Module Description s d su du sd dd
1715-AENTR Duplex Adapter 1.11E-08 1.13E-08 2.38E-10 2.43E-10 1.08E-08 1.11E-08
Common 5.22E-07 5.23E-07 7.62E-10 7.63E-10 5.21E-07 5.22E-07
Simplex
1715-IB16D 1 IO Point 3.85E-08 3.88E-08 3.15E-10 3.18E-10 3.82E-08 3.85E-08
Digital Input Common 2.56E-09 2.66E-09 9.31E-11 9.66E-11 2.47E-09 2.56E-09
Duplex
1 IO Point 3.11E-10 4.51E-10 9.63E-11 1.39E-10 2.15E-10 3.11E-10
Common 5.22E-07 5.23E-07 7.62E-10 7.63E-10 5.21E-07 5.22E-07
Single
1715-IF16 1 IO Point 3.85E-08 3.88E-08 3.15E-10 3.18E-10 3.82E-08 3.85E-08
Analog Input Common 2.56E-09 2.66E-09 9.31E-11 9.66E-11 2.47E-09 2.56E-09
Dual
1 IO Point 3.11E-10 4.51E-10 9.63E-11 1.39E-10 2.15E-10 3.11E-10
Common 2.39E-06 2.23E-07 7.74E-09 7.22E-10 2.38E-06 2.22E-07
Single
1715-OB8DE 1 IO Point 2.94E-08 1.57E-09 8.06E-12 4.30E-13 2.94E-08 1.57E-09
Digital Output Common 5.16E-06 8.25E-08 8.01E-09 1.28E-10 5.16E-06 8.23E-08
Dual
1 IO Point 6.22E-08 8.77E-11 6.02E-10 8.49E-13 6.16E-08 8.69E-11

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 183

Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Table 25 - Energize to Action Failure Rates (Continued)

Common 8.11E-07 8.13E-07 1.51E-09 1.51E-09 8.10E-07 8.11E-07
Single
1715-OF8I 1 IO Point 5.39E-08 1.57E-07 4.78E-11 1.39E-10 5.38E-08 1.57E-07
Analog Output Common 3.25E-06 7.73E-09 6.54E-09 1.55E-11 3.25E-06 7.71E-09
Dual
1 IO Point 4.21E-07 2.23E-09 2.63E-10 1.39E-12 4.21E-07 2.23E-09

PFH and PFD Data—24-Hour The following table provides the probability of failures per hour and the
MTTR probability of failures upon demand for the energize to action and de-energize
to action SIF configurations. The Mission Time is 20 years. The table includes
PFD and PFH values when two inputs or outputs are used in a 1oo2
configuration. Their values are provided when the 1oo2 I/O are connected to
the same module and when the 1oo2 I/O are connected to two different
modules. A ß value of 1% and a ßD of 0.5% are used in the 1oo2 calculations.

Table 26 - PFD Data for a SIF with Mission Time = 20 years

De-energize to action Energize to action
Module Module Configuration PFHde PFDde PFHe PFDe
1715-AENTR Duplex Adapter 1.53E-10 1.37E-05 2.43E-10 2.16E-05
Common + 1 I/O Point 8.26E-10 8.53E-05 1.08E-09 1.08E-04
Common Part 5.08E-10 5.65E-05 7.63E-10 7.94E-05
Simplex I/O Point Part 3.18E-10 2.88E-05 3.18E-10 2.88E-05
1oo2 Same Module 5.12E-10 5.68E-05 7.66E-10 7.97E-05
1715-IB16D 1oo2 Different Module 8.40E-12 7.99E-07 3.20E-12 2.84E-07
Digital Input Common + 1 I/O Point 1.86E-10 1.64E-05 2.36E-10 2.07E-05
Common Part 9.40E-11 8.29E-06 9.66E-11 8.52E-06
Duplex I/O Point Part 9.20E-11 8.07E-06 1.39E-10 1.22E-05
1oo2 Same Module 9.49E-11 8.38E-06 9.80E-11 8.64E-06
1oo2 Different Module 1.87E-12 1.64E-07 1.40E-12 1.22E-07
Common + 1 I/O Point 8.26E-10 8.53E-05 1.08E-09 1.08E-04
Common Part 5.08E-10 5.65E-05 7.63E-10 7.94E-05
Simplex I/O Point Part 3.18E-10 2.88E-05 3.18E-10 2.88E-05
1oo2 Same Module 5.12E-10 5.68E-05 7.66E-10 7.97E-05
1715-IF16 1oo2 Different Module 8.40E-12 7.99E-07 3.20E-12 2.84E-07
Analog Input Common + 1 I/O Point 1.86E-10 1.64E-05 2.36E-10 2.07E-05
Common Part 9.40E-11 8.29E-06 9.66E-11 8.52E-06
Duplex I/O Point Part 9.20E-11 8.07E-06 1.39E-10 1.22E-05
1oo2 Same Module 9.49E-11 8.38E-06 9.80E-11 8.64E-06
1oo2 Different Module 1.87E-12 1.64E-07 1.40E-12 1.22E-07
Common + 1 I/O Point 2.99E-10 2.68E-05 7.23E-10 6.87E-05
Common Part 2.99E-10 2.67E-05 7.22E-10 6.86E-05
Simplex I/O Point Part 1.86E-13 3.25E-08 4.30E-13 7.52E-08
1oo2 Same Module 2.99E-10 2.67E-05 7.22E-10 6.86E-05
1715-OB8DE 1oo2 Different Module 3.01E-12 2.66E-07 4.30E-15 5.64E-10
Digital Output Common + 1 I/O Point 5.98E-10 5.25E-05 1.29E-10 1.33E-05
Common Part 5.98E-10 5.25E-05 1.28E-10 1.32E-05
Duplex I/O Point Part 3.71E-13 3.43E-08 8.49E-13 7.64E-08
1oo2 Same Module 5.98E-10 5.25E-05 1.28E-10 1.32E-05
1oo2 Different Module 6.05E-12 5.28E-07 8.49E-15 7.54E-10

184 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Table 26 - PFD Data for a SIF with Mission Time = 20 years (Continued)
Common + 1 I/O Point 5.08E-10 4.91E-05 1.65E-09 1.68E-04
Common Part 4.15E-10 3.76E-05 1.51E-09 1.52E-04
Simplex I/O Point Part 9.34E-11 1.15E-05 1.39E-10 1.60E-05
1oo2 Same Module 4.15E-10 3.77E-05 1.51E-09 1.52E-04
1715-OF8I 1oo2 Different Module 5.13E-12 4.71E-07 1.40E-12 1.41E-07
Analog Output Common + 1 I/O Point 1.02E-09 8.90E-05 1.69E-11 1.72E-06
Common Part 8.29E-10 7.27E-05 1.55E-11 1.55E-06
Duplex I/O Point Part 1.87E-10 1.64E-05 1.39E-12 1.76E-07
1oo2 Same Module 8.31E-10 7.28E-05 1.55E-11 1.55E-06
1oo2 Different Module 1.03E-11 9.01E-07 1.39E-14 1.49E-09

Communications Data The PFH value for the I/O Communications Data with the Controller is
PFH = 1E-8.

Safe Failure Fraction (SFF) The following tables provide the SFF and HFT data for SIF configurations
and Hardware Fault energize to action and de-energize to action mode.
Tolerance (HFT) SFFde applies to a normally energized system that is de-energized to action.

Table 27 - Module SFFde, SFFe

Module Module Description SFFde SFFe
1715-AENTR Ethernet adapter redundant module >99% >99%
1715-IB16D 16-channel digital input module >99% >99%
1715-IF16 16-channel analog input module >99% >99%
1715-OB8DE 8-channel digital output module >99% >99%
1715-OF8I 8-channel analog output module >99% >99%

Table 28 - Module HFT

Module Module Description Simplex Dual
1715-AENTR Ethernet adapter redundant module 0 1
1715-IB16D 16-channel digital input module 0 1
1715-IF16 16-channel analog input module 0 1
1715-OB8DE 8-channel digital output module 1 1
1715-OF8I 8-channel analog output module 1 1

System Configurations The PFH and PFD calculations are derived from IEC61508-6:2010, and the

Examples below show how the calculations are used to define the probability of
failure for a Safety Instrumented Function.

IMPORTANT The Soft Error values used to calculate PFD/PFH figures are, in line with
industry common practice and JESD89a, calculated with Neutron flux
values at sea level (NY, NY).
Values that are measured at high altitude would be expected to yield
worse values. Similarly subsea applications are likely to experience
lower values of Neutron flux.
Contact Rockwell Automation for additional information.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 185

Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Example 1

This diagram illustrates a SIL 2 SIF with one signal input and one signal
output; it has a Mission Time of 20 years and an MTTR of 24 hours, it is
configured as a de-energized to action arrangement.

See Table 26.

1715 SIF PFDavg = PFDavg (1715-IB16D Single, Common + 1 I/O Point)

+ PFDavg (1715-AENTR Dual)
+ PFDavg (1715-OB16D Single, Common + 1 I/O Point)
+ PFDavg (ControlLogix Controller)

= 8.53E-05 + 1.37E-05 + 2.68E-05 + PFDavg (ControlLogix Controller)

= 1.26E-04 + PFDavg (ControlLogix Controller)

186 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Example 2

This diagram illustrates a SIL 2 SIF with 2 inputs that are configured as 1oo2
on dual-input modules and 1 output with a Mission Time of 20 years and MTTR
= 24 hours, configured as 1oo2 de-energize to action.

See Table 26.

1715 SIF PFDavg = PFDavg (1715-IB16D Dual, 1oo2 Same Module)

+ PFDavg (1715-AENTR Dual)
+ PFDavg (1715-OB16D Single, Common + 1 I/O Point)
+ PFDavg (ControlLogix Controller)

= 8.38E-06 + 1.37E-05 + 2.68E-05 + PFDavg (ControlLogix Controller)

= 4.89E -05 + PFDavg (ControlLogix Controller)

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 187

Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Example 3

This diagram illustrates a SIL 2 SIF with two inputs on dual-input modules and
one output, with a Mission Time of 20 years and MTTR = 24 hours. The two
inputs are configured as 1oo2 de-energize to action.

See Table 26.

1715 SIF PFDavg = PFDavg (1715-IB16D Dual, 1oo2 Different Modules)

+ PFDavg (1715-AENTR Dual)
+ PFDavg (1715-OB16D Single, Common + 1 I/O Point)
+ PFDavg (ControlLogix Controller)

= 7.99E-07 + 1.37E-05 + 2.68E-05 + PFDavg (ControlLogix Controller)

= 4.13E-05 + PFDavg (ControlLogix Controller)

188 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Example 4

This diagram illustrates a SIL 2 SIF with one dual-input and two outputs, with
a Mission Time of 20 years and MTTR = 24 hours. The two outputs are
configured as 1oo2 de-energize to action.

See Table 26.

1715 SIF PFDavg = PFDavg (1715-IB16D Dual, Common + 1 I/O Point)

+ PFDavg (1715-AENTR Dual)
+ PFDavg (1715-OB16D Dual, 1oo2 Same Module)
+ PFDavg (ControlLogix Controller)

= 1.64E-05 + 1.37E-05 + 5.25E-05 + PFDavg (ControlLogix Controller

= 8.26E-05 + PFDavg (ControlLogix Controller)

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 189

Appendix D PFD and PFH Calculations for 1715 Redundant I/O Modules

Example 5

This diagram illustrates a SIL 2 SIF distributed between two 1715 racks and a
ControlLogix® controller. It has one signal input, one signal output, a Mission
Time of 20 years, and an MTTR of 24 hours. It is configured as a de-energize to
action arrangement.

See Table 26.

1715 SIF PFDavg = PFDavg (1715-IB16D Dual, Common + 1 I/O Point)

+ PFDavg (1715-AENTR Dual)
+ PFDavg (ControlLogix Controller)
+ PFDavg (1715-AENTR Dual)
+ PFDavg (1715-OB16D Single, Common + 1 I/O Point)

= 8.53E-05 + 1.37E-05 + PFDavg (ControlLogix Controller) + 1.37E-05 + 2.68E-05

= 1.40E-04 + PFDavg (ControlLogix Controller)

190 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix E

1756 ControlLogix and 1794 FLEX I/O Modules in

SIL 1 Applications

If you plan to use the 1756 ControlLogix® I/O or the 1794 FLEX™ I/O modules in
a SIL 1 1oo1 configuration, Table 29 guidelines must be implemented,
including either the use diagnostic modules or implementing appropriate field
diagnostics as defined here for limited high demand applications with up to 10
demands per year.
• Field diagnostics must execute once every 8 hours for limited high
demand applications with up to 10 demands per year.
• An output or other sensing device must be used to provide field power
control to the digital inputs. See the SIL 2 output guidelines in Chapter 5.
• When determining the safety reaction time, consider the time that a
diagnostic takes to execute. Safety demands are not detectable if they
occur during a diagnostic.

The diagnostic you implement must monitor the ability of all SIL 1 inputs
to detect a change of state. One example method is to turn off the output
and make sure that all SIL 1 inputs detect the loss of signal within a short
period. Then, when the output turns back on, make sure that all SIL 1
inputs properly detect the change. Consider and mitigate any impact to
your system while the diagnostic is executing.

Figure 83 - SIL 1 Digital Input Wiring Example for 1794 I/O Modules
Field Power

Field Devices

1
SIL 1 Output SIL 1 Input 1

2
SIL 1 Input 2

3
SIL 1 Input 3

Field diagnostics as described for 1794 FLEX I/O modules can also be used to meet
the requirements for proof tests with either 1794 FLEX I/O or 1756 ControlLogix I/O
modules.

Termination boards 1492-TIFM16-F-3 can be used to provide a voltage

reference for proof proof tests as shown here.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 191

Appendix E 1756 ControlLogix and 1794 FLEX I/O Modules in SIL 1 Applications

Figure 84 - SIL 1 1756 Analog Input Wiring Example (Simplex)

1756 Analog Input Module

Input Values from Field Devices

All configured for 0...5V operation.

1756 Analog Input
Module Solid-state switch controlled
by DC output.

Reference Voltages

1492-CABLExxxUA() to 1756
Analog Input Module DIP Switch for Sensor
Wiring

Precision 249 
Resistor

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in

4...20 mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Two-wire Transmitter

xxx is cable length (005=0.5 m, 010=1.0 m, 025=2.5 m, 050=5.0 m).

192 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix E 1756 ControlLogix and 1794 FLEX I/O Modules in SIL 1 Applications

Figure 85 - SIL 1 1794 Analog Input Wiring Example (Simplex)

1756 Analog Input Module

Input Values from Field Devices

All configured for 0...5V operation.

Solid-state switch controlled

by DC output.

Reference Voltages

User-supplied cable
DIP Switch for Sensor
Wiring

Precision 249 
Resistor

Terminal Block 1, Terminal Block 2, Terminal Block 1, Terminal Block 2,

Row C Row C Row B Row B

Two-wire Transmitters Operating in 4...20

mA Current Mode
Output from 1756-OB16D Module Pair
Trigger Reference Tests = 0 (Off)
Two-wire Transmitter

To make your own cable, follow the termination board pinout that is shown
here.
P1 Pins Description
3 Input 0
2 Input 1
1 Input 2
14 Input 3
15 Input 4
16 Input 5
17 Input 6
18 Input 7
12 Input 8
13 Input 9
25 Input 10
24 Input 11
23 Input 12
22 Input 13
20 Input 14
21 Input 15

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 193

Appendix E 1756 ControlLogix and 1794 FLEX I/O Modules in SIL 1 Applications

P1 Pins Description
4 RTN
6 RTN
8 RTN
10 RTN

When using controllers and network communication modules, follow the

guidelines that are listed in this safety manual.

IMPORTANT When using 1756 or 1794 non-diagnostic outputs in SIL 1 configurations,

you must implement a secondary means to shut off the outputs.

Table 29 lists additional considerations that must be made with various

ControlLogix® modules in a SIL 1 application.
Table 29 - Considerations for SIL 1 Applications by Module
Module Additional Considerations
Controllers None. Use the controller exactly as described previously in this manual.
ControlNet® modules None. Use the modules exactly as described previously in this manual.
Ethernet modules None. Use the modules exactly as described previously in this manual.
Diagnostic output modules are recommended, but not required, in a SIL 1 application. Implement a secondary shutdown path if the
Digital output modules(1) SIL 1 application requires a fail-safe OFF if there is a shorted output.
Only one module is required in a SIL 1 application. Proof tests of the inputs must be performed as described previously in this
Digital input modules(2) manual.
Analog output modules(1) Analog output modules should be wired as described previously in this manual.
Analog input modules(2) Only 1 module is required in a SIL 1 application. Proof tests of the inputs must be performed as described previously in this manual.
(1) The user should be alerted to any detected output failures.
(2) The test interval of module inputs must be specified according to application-dependent standards. For example, according to EN50156, the time for fault detection and tripping
must be less than or equal to the fault tolerance time.

194 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix F

Checklists

Checklist for the The following checklist is required for planning, programming, and startup of
ControlLogix System a SIL 2-certified ControlLogix® system. It can be used as a planning guide and
during proof testing. If used as a planning guide, the checklist can be saved as
a record of the plan.

Check List for ControlLogix System(1)

Company:
Site:
Loop definition:
Fulfilled
No. Comment
Yes No
Do you use only SIL 2-certified ControlLogix modules with the corresponding firmware revision in the
1 revision release list? See ControlLogix Safety Certificate, publication LOGIX-CT007.
2 Have you calculated the system’s response time?
Does the system’s response time include both the user-defined, SIL-task program watchdog (software
3 watchdog) time and the SIL-task duration time?
4 Is the system response time in proper relation to the process safety time?
5 Have PFD values been calculated according to the system’s configuration?
6 Have you performed all the appropriate proof tests?
7 Have you defined your process parameters that are monitored by fault routines?
8 Have you determined how your system handles faults?
9 Have you considered the checklists for SIL inputs and outputs that are listed on pages 196 and 197?
(1) For more information on the specific tasks in this checklist, see the previous sections in the chapter or Chapter 1, SIL Policy on page 13.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 195

Appendix F Checklists

Checklist for SIL Inputs The following checklist is required for planning, programming, and startup of
SIL inputs. It can be used as a planning guide and during proof testing. If used
as a planning guide, the checklist can be saved as a record of the plan.

For programming or startup, an individual checklist can be completed for

every SIL input channel in a system. This is the only way to make sure that the
requirements were fully and clearly implemented. This checklist can also be
used as documentation on the connection of external wiring to the application
program.

Input Module Check List for ControlLogix System

Company:
Site:
Loop definition:
SIL input channels in the:
No. All Input Module Requirements (apply to both digital and analog input modules) Yes No Comment
1 Is Exact Match selected as the electronic keying option whenever possible?
2 Is the RPI value set to an appropriate value for your application?
3 Are all modules owned by the same controller?
4 Have you performed proof tests on the system and modules?
5 Have you set up the fault routines?
6 Are control, diagnostics, and alarm functions performed in sequence in application logic?
For applications using FLEX™ I/O modules, is the application logic monitoring one ControlNet® status bit for the
7 associated module, and is the appropriate action invoked via the application logic by these bits?
No. Additional Digital Input Module-Only Requirements Yes No Comment
When two digital input modules are wired in the same application, do the following conditions exist:
• Both modules are owned by the same controller.
• Sensors are wired to separate input points.
1 • The operational state is ON.
• The non-operational state is. OFF.
• Configuration parameters (for example, RPI, filter values) are identical.
• For FLEX input modules, both modules are on different rails/chassis
2 For the standard input modules, is the Communication Format set to one of the Input Data choices?
3 For the diagnostic input modules, is the Communication Format set to Full Diagnostics-Input Data?
4 For the diagnostic input modules, are all diagnostics enabled on the module?
5 For the diagnostic input modules, are enabled diagnostic bits monitored by fault routines?
6 For the diagnostic input modules, is the controller connection a direct connection?

196 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix F Checklists

Input Module Check List for ControlLogix System

No. Additional Analog Input Module-Only Requirements Yes No Comment
1 Is the Communication Format set to Float Data?
2 Have you calibrated the modules as often as required by your application?
Do you use ladder logic to compare the analog input data on two channels to make sure that there is
3 concurrence within an acceptable range and that redundant data is used properly?
Have you written application logic to examine bits for any condition that can cause a fault and appropriate fault
4 routines to handle the fault condition?
When two FLEX I/O analog input modules are wired in the same application, are both modules on different rails/
5 chassis?
6 When wiring an analog input module in Voltage mode, are the transmitter grounds tied together?
7 When wiring an analog input module in Current mode, are loop devices placed properly?
When wiring thermocouple modules in parallel, have you wired to the same channel on each module as shown in
8 Figure 30 on page 61?
9 When wiring two RTD modules, are two sensors used, as shown in Figure 31 on page 61?

Checklist for SIL Outputs The following checklist is required for planning, programming, and startup of
SIL outputs. It can be used as a planning guide and during proof testing. If
used as a planning guide, the checklist can be saved as a record of the plan.

For programming or startup, an individual requirement checklist must be

completed for every SIL output channel in a system. This is the only way to
make sure that the requirements are fully and clearly implemented. This
checklist can also be used as documentation on the connection of external
wiring to the application program.
Output Check List for ControlLogix System
Company:
Site:
Loop definition:
SIL output channels in the:
All Output Module Requirements
No. Yes No Comment:
(apply to both digital and analog output modules)
1 Have you performed proof tests on the modules?
2 Is Exact Match selected as the electronic keying option whenever possible?
3 Is the RPI value set to an appropriate value for your application?
4 Have you built fault routines, including comparing output data with a corresponding input point?
It is required that if you have used external relays in your application to disconnect module power if a
5 short or other fault is detected on the module or isolated output in series?
6 Is the control of the external relay implemented in ladder logic?
7 Have you examined the Output Data Echo signal in application logic?
8 Are all outputs configured to de-energize if there is a fault or the controller entering Program mode?
9 Do two modules of the same type, which are used in the same application, use identical configurations?
Does one controller own both the output module that controls the actuator and the output module that
10 controls the secondary relay?
11 Are control, diagnostics, and alarm functions performed in sequence in application logic?
No. Digital Output Module-Only Requirements Yes No Comment
1 For the standard output modules, is the Communication Format set to Output Data?
For standard output modules, have you wired the outputs to a corresponding input to validate that the
2 output is following its commanded state?
3 For the diagnostic output modules, are all diagnostics enabled on the module?
4 For the diagnostic output modules, are enabled diagnostic bits monitored by fault routines?
5 For the diagnostic output modules, is the Communication Format set to Full Diagnostics-Output Data?

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 197

Appendix F Checklists

Output Check List for ControlLogix System

For diagnostic output modules, have you periodically performed a Pulse Test to make sure that the
6 output is capable of change state?
7 For diagnostic output modules, is the controller connection a direct connection?
No. Analog Output Module Requirements - Analog Only Yes No Comment
1 Is the Communication Format set to Float Data?
2 Have you calibrated the modules as often as required by your application?
3 When wiring an analog output module in Current mode, are loop devices placed properly?
Have you written application logic to examine bits for any condition that can cause a fault and
4 appropriate fault routines to handle the fault condition?
5 Did you wire the analog output to a monitoring analog input to verify that the output is within range?

Checklist for the Creation of The following checklist is recommended to maintain safety technical aspects
an Application Program when programming, before and after loading the new or modified program.

Checklist for Creation of an Application Program Safety Manual ControlLogix System

Company:
Site:
Project definition:
File definition / Archive number:

Notes / Checks Yes No Comment

Before a Modification
Are the configuration of the ControlLogix system and the application program created
based on safety aspects?
Are programming guidelines used for the creation of the application program?
After a Modification - Before Loading
Has a review of the application program regarding the binding system specification been
carried out by a person not involved in the program creation?
Has the result of the review been documented and released (date/signature)?
Was a backup of the complete program created before loading a program in the
ControlLogix system?
After a Modification - After Loading
Was a sufficient number of tests conducted for the safety relevant logical linking
(including I/O) and for all mathematical calculations?
Was all force information removed before safety operation?
Has it been verified that the system is operating properly?
Have the appropriate security procedures been followed?
Is the controller keyswitch in Run mode and the key removed?

198 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Appendix F Checklists

Checklist for 1715 I/O The following checklist is required for planning, programming, and startup of
Modules a SIL 2-certified system that uses 1715 I/O modules. It can be used as a planning
guide and during proof testing. If used as a planning guide, the checklist can
be saved as a record of the plan.

Checklist for 1715 I/O Modules

Company:
Site:
Loop
definition:
Fulfilled
No. For SIL 2 Applications Comment
Yes No
Do you use only SIL 2-certified 1715 modules with the corresponding firmware revision in the revision
1. release list? See 1715 Redundant I/O System - Safety Certificate, publication 1715-CT007.
2. Have all modules been installed in accordance with the instructions in this manual?
3. Has a risk analysis been completed to determine the required SIL for your application?
4. Has fault detection time been specified?
Where fault detection time is greater than the controller reaction time limit (CRTL), does the safety-
5. related I/O configuration provide a fail-safe configuration?
Has the safety-related timing for each safety-related function, including CRTL and fault tolerance
6. period been established?
Does the application program shut down the SIL 2 safety functions if a faulty module has not been
7. replaced within the Mean Time to Restoration (MTTR) assumed for the system in the probability of a
dangerous failure on demand (PFD) calculations?
Has the application program been configured to monitor the discrepancy alarms and alert operators
8. when a discrepancy alarm occurs?
9. Is the safety accuracy adequate for the application?
10. Have variables been configured to report the safety accuracy value for each channel?
Have variables been configured to report safe values when the safety accuracy value of a channel
11. fails because it is reported to be below the 1% accuracy figure?
Has the maximum duration for single channel operation of an I/O module been specified in
12. accordance with the application requirements?
13. Have you used two 1715-AENTR adapters in SIL 2 simplex and duplex configurations?
14. Have you set the shutdown mode option for each output channel to OFF?
If digital output channels have been configured for Hold Last State, has the impact on the safety
15. functions been addressed?
16. Have you used the SIL 2 Add-On Instructions in accordance with the information in this manual?
17. Have you performed all appropriate proof tests?
Does your application program take the SIS to safe state if the configuration signature (CRC) of your
18. module has changed after validation?
Fulfilled
No. For Energize-to-action SIL 2 Applications Comment
Yes No
1. Are the redundant power sources inherently constrained to output less than 32 volts
If there any safety-related, normally de-energized outputs, have you provided redundant power
2. sources, power failure warning, and line monitoring?
Do energize-to-action configurations conform to the restrictions (defined in this manual) that must
3. be applied when using these configurations?
4. For energize-to-action SIL 2 applications, have dual output modules been configured?

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 199

Appendix F Checklists

Notes:

200 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 Index

Numerics combustion applications 15

commanded values 94
1oo1 configuration 160
commissioning life cycle 133
1oo2 configuration 160
communication
1-year PFD calculations 162
ControlNet components 44
2-year PFD calculations 168 data echo 34
5-year PFD calculations 174 Data Highway Plus - Remote I/O components
45
EtherNet/IP components 45
A field-side output verification 34
actuators 130 network 36
requirements 45
Add-On Instructions 47 output data echo 49
add-on instructions 90 SynchLink modules 45
alarms compliances 32
1756 analog input modules 55, 139 components
analog input modules 1756 chassis 40
See ControlLogix analog input modules. 1756 power supply 40
See FLEX I/O analog input modules. FLEX I/O 156 - 157
analog output modules configuration signature, 1715 100
See ControlLogix analog output modules. configurations
See FLEX I/O analog output modules. fail-safe 17
application program fault-tolerant 28
programming languages 127 high-availability 25
SIL task/program instructions 131 connection reaction time limit
applications 1715 systems 90, 97, 98
boiler 15 connections
combustion 15 direct 48
gas and fire 14 rack-optimized 48
consumer 106
B Control and Information Protocol (CIP) 10
control function
boiler applications 15 specification 129
controller reaction time limit
C CRTL 199
CONTROLLERDEVICE object 138
cable controllers
ControlNet network 44 requirements 40
calculations ControlLogix
1-year PFD 162 analog input modules
2-year PFD 168 alarms 55, 139
5-year PFD 174 calibrate 55
explanation of 161 ownership 57
PFD 159, 181 wiring 57
calibrate analog output modules
1756 analog input modules 55 calibrate 63
1756 analog output modules 63 ownership 64
1794 analog input modules 73 wiring 65
1794 analog output modules 79 digital input modules
certification 32 requirements 48
change parameters 142 wiring 48
channel status digital output modules
requirements 49
monitoring 55, 64
wiring 51
chassis 40 RTD input modules
chassis adapter 40 wiring 61
checklist thermocouple input modules
SIL 2 199 wiring 60
checklists 195 ControlNet communication modules
CIP. See Control and Information Protocol. diagnostic coverage 44
CL SIL 2 32

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 201

 ControlNet network 36 fault handling
1756 communication modules 43 detection of faults 137 - 139
1756 components 44 fault reporting 33, 138
cable 44 1794 analog input modules 74
repeater module 44 1794 analog output modules 79
coordinated system time 45 1794 digital input modules 70
CRTL 1794 digital output modules 71, 72
controller reaction time limit 199 detection of faults 137 - 139
faults
1715 analog output module 94
D 1715 digital output modules 92
data echo 34, 49 1715 input modules 91
fault-tolerant configuration 28
Data Highway Plus - Remote I/O 43
field devices
components 45
network 43, 45 testing 48
DCS. See Distributed Control System field-side output verification 34
de-energize-to-trip 91 fire
power supply 88 considerations for 14
DH+. See Data Highway Plus. FLEX I/O
DHRIO. See Data Highway Plus - Remote I/O analog input modules
calibrate 73
diagnostic coverage wiring 75
ControlNet communication modules 44 analog output modules
defined 10 calibrate 79
diagnostics wiring 81
1715 SIL 2 safety 101 components 156 - 157
digital input modules digital input modules
See ControlLogix digital input modules. wiring 70
See FLEX I/O digital input modules. digital output modules
digital output modules wiring 72
See ControlLogix digital output modules. EN 50156 standard 16
See FLEX I/O digital output modules. module fault reporting 70, 71, 72, 74, 79
direct connection 48 RTD input modules
wiring 78
Distributed Control System 45 terminal base units 157
duplex configurations 16 thermocouple input modules
enhanced availability 47 wiring 77
fault-tolerant floating-point data format 55, 63
SIF 28 forcing via software 131
fault-tolerant systems 16
logic solver 16
safety loop 25 G
Get System Value (GSV)
E defined 10
edit keyswitch position 138
GSV. See Get System Value (GSV).
application program 134, 135
emergency shutdown applications 14, 17, 50, 63
EN 50156 16 H
energize-to-action 89, 91
hardware
ESD. See emergency shutdown (ESD)
1756 chassis 40
applications. 1756 power supply 40
EtherNet/IP network 37 HART analog input modules 62
1756 communication modules 43 wiring 62
components 45 HART analog output modules 66
wiring 66
high-availability configuration 25
F HMI
FactoryTalk Security 128 changing parameters via 142
fail-safe configuration devices 16, 45, 141
about 17 use and application 141 - 142
fail-safe guard 94 hold last state 14, 93
fail-safe state
1715 modules 98
fault detection 139

202 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 I N
I/O modules NFPA 85, NFPA 86 15
calibrate 55
fault reporting 138
proof test O
1756 analog input modules 55 operating modes 39
1756 analog output modules 63
1756 digital input modules 48 output data echo
1756 digital output modules 49 digital outputs and 49
1794 analog output modules 79 ownership
1794 digital input modules 69 1756 analog input modules 57
1794 digital output modules 71 1756 analog output modules 64
wiring 1756 digital input modules 48
1756 analog input modules 57 1756 digital output modules 50
1756 analog output modules 65
1756 digital input modules 48
1756 digital output modules 51 P
1756 RTD input modules 61 PADT. See Programming and Debugging Tool.
1756 thermocouple input modules 60
1794 analog input modules 75 parameters
1794 analog output modules 81 changing 142
1794 digital input modules 70 reading 141
1794 digital output modules 72 peer-to-peer communication 43
1794 RTD input modules 78 requirements 45
1794 thermocouple input modules 77 PES
HART analog input modules 62 programmable electronic systems 13
HART analog output modules 66 PFD
IEC 61131-3 127 Probability of Failure on Demand (PFD) 181
IEC 61508 30, 161 PFD. See Probability of Failure on Demand.
IEC 61511 134, 142 PFH
interface probability of failure per hour 181
HMI use and application 141 - 142 position
keyswitch 138
power supply 40
K de-energize-to-trip 88
KEYSTATE word 138 redundant 40
keyswitch 35, 39, 128 Probability of Failure on Demand (PFD)
checking position 138 1-year calculations 162
2-year calculations 168
5-year calculations 174
L calculations 159, 161, 181
defined 10
life cycle PFD 181
commissioning 133 values 160
line monitoring 85 probability of failure per hour
1715 digital output modules 92 PFH 181
logic produce and consume data 46
developing 130 producer 106
program
M changes 134
development life cycle 133
manual override circuit 14 editing 134
Mean Time Between Failures (MTBF) edits 134, 135
defined 10 identification 130
Mean Time to Restoration 199 language 127, 130
MTTR 199 logic 130
Mean Time To Restoration (MTTR) online 134
SIL 2 127
defined 10 programmable electronic systems
modes 39
PES 13
module fault reporting 33, 138 Programming and Debugging Tool (PADT) 14, 127
monitor defined 10
channel status 55, 64
motion 130
MTBF. See Mean Time Between Failures (MTBF).
MTTR. See Mean Time To Restoration.

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 203

 proof test 30, 69, 71, 79 software
1756 analog input modules 55 commissioning life cycle 133
1756 analog inputs 55 forcing 131
1756 analog output modules 63 general requirements 127 - 198
1756 analog outputs 63 program changes 134
1756 digital inputs 48 programming languages 127
1756 digital output modules 49 RSLogix 5000 35
1756 digital outputs 49 security 128
redundancy systems 30 SIL 2 programming 127
pulse test 35 SIL task/program instructions 131
watchdog 32
source protection 128
R switchover 31
reaction time 31 SynchLink modules 43, 45
See also worst-case reaction time. system PFD
reading parameters 141 example 180
repeater modules 44 system validation test
reporting See proof test.
module faults 33
requested packet interval 33
1715 modules 97
T
reset terminal base units
1715 SIL 2 99 FLEX I/O 157
SIL 2 123 tests
response time 31, 143 - 148 1756 analog input modules 55
RS AssetCentre 128 1756 analog output modules 63
RSLogix 5000 software 35 1756 digital output modules 49
application logic 131
commissioning life cycle 133 field devices 48
editing in 135 proof 30
forcing 131 pulse 35
general requirements 127 - 198 thermocouple input module
program changes 134
programming languages 127 See ControlLogix thermocouple input
security 128 module.
SIL 2 programming 127 See FLEX I/O thermocouple input module.
SIL task/program instructions 131
RSNetWorx for ControlNet software 36
RTD input module
U
See ControlLogix RTD input module. ucer 106
See FLEX I/O RTD input module.
V
S verify
safety certifications 32 download and operation 132
safety task
See SIL task.
safety watchdog 32 W
scaling factor 94 watchdog 32
security via software 128 wiring
sensors 130 1756 analog input modules 57
serial 1756 analog output modules 65
1756 digital input modules 48
communication 36 1756 digital output modules 51
port 36 1756 RTD input modules 61
shutdown mode 93 1756 thermocouple input modules 60
SIL 2 1794 analog input modules 75
certification 32 1794 analog output modules 81
checklist 199 1794 digital input modules 70
nonredundant system components 154 1794 digital output modules 72
programming 127 worst-case reaction time 31, 143
reset 123 analog modules 146
safety data 46 digital modules 144
SIL 2 reset status 99
simplex configurations 16
safety loop 17

204 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 X
XT components 156
ControlLogix 156
FLEX I/O 156, 157

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 205

Notes:

206 Rockwell Automation Publication 1756-RM001R-EN-P - December 2022

 ControlLogix in SIL 2 Applications Reference Manual

Rockwell Automation Publication 1756-RM001R-EN-P - December 2022 29

Rockwell Automation Support
Use these resources to access support information.
Find help with how-to videos, FAQs, chat, user forums, Knowledgebase, and product
Technical Support Center rok.auto/support
notification updates.
Local Technical Support Phone Numbers Locate the telephone number for your country. rok.auto/phonesupport
Quickly access and download technical specifications, installation instructions, and user
Technical Documentation Center rok.auto/techdocs
manuals.
Literature Library Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center Download firmware, associated files (such as AOP, EDS, and DTM), and access product rok.auto/pcdc
(PCDC) release notes.

Documentation Feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our content, complete the
form at rok.auto/docfeedback.

Waste Electrical and Electronic Equipment (WEEE)

At the end of life, this equipment should be collected separately from any unsorted municipal waste.

Rockwell Automation maintains current product environmental compliance information on its website at rok.auto/pec.

Allen-Bradley, ControlLogix, ControlLogix-XT, Data Highway Plus, DH+, FactoryTalk, FLEX, FLEX I/O-XT, GuardLogix, GuardLogix-XT, Logix 5000, Rockwell Automation, Rockwell Software,
RSLogix 5000, RSNetWorx, SequenceManager, Stratix, Studio 5000 Logix Designer, and SynchLink are trademarks of Rockwell Automation, Inc.
CIP, ControlNet, DeviceNet, and EtherNet/IP are trademarks of ODVA, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400 EEE Yönetmeliğine Uygundur

Publication 1756-RM001R-EN-P - December 2022

Supersedes Publication 1756-RM001Q-EN-P - August 2021 Copyright © 2022 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.