Rockwell Automation Publication 1756-UM001M-EN-P - February 2012 195
SIL 2 Certification Chapter 13
Fail-safe Configuration
In a fail-safe configuration, the hardware used in the safety loop is not redundant.
Therefore, if a fault occurs anywhere in the SIL2 system, the system is
programmed to fail to safe.
The failure to safe is typically an emergency shutdown where all outputs are de-energized.
Figure 43 - Fail-safe ControlLogix Configuration
This figure shows a typical SIL loop that does not use redundancy. It shows the following:
• Overall safety loop
• ControlLogix portion of the overall safety loop
[Figure 43: Sensor and Actuator joined by the Overall Safety Loop; within it, the SIL2-certified ControlLogix Safety Loop consists of a Controller Chassis (ENBT, CNBR, I/O) and a Remote I/O Chassis (CNBR, ENBT, I/O) linked over ControlNet and EtherNet/IP.]
When certain considerations are made, it is possible to connect to remote I/O via an EtherNet/IP network. To connect to remote I/O using an EtherNet/IP network, you must make considerations similar to those required for a SIL2-certified ControlNet network.