210 Rockwell Automation Publication 1715-UM001J-EN-P - December 2020
Chapter 7 1715 Redundant I/O System in SIL 2 Safety Applications
When using dual modules that are both reporting valid channel data, the
lowest value is used. If one module of a pair reports a fault on a channel, the
value of the operational module is used.
Digital Output Modules
The digital output module is rated at SIL 2 as a fail-safe module. Each module
provides the following safety functions:
• Output channel signals are based on commands from the controller.
• Redundant voltage and current measurements are sent to the controller
for monitoring and diagnostics.
• Modules feature over-current and over-voltage channel protection.
• Diagnostic tests are executed on command from the adapter and results
are reported back to the adapter.
• On powerup or module insertion, all output channels are set to the de-
energized (fail-safe) state until command states are received from the
controller. Each channel is driven individually according to the
command state values.
• The module enters a Shutdown mode when the time between controller
communication exceeds the CRTL.
• If a module fails, then all of its channels are set to the de-energized state.
The digital output termination assembly is safety critical and comes in two
sizes - simplex or duplex. Termination assemblies have fuses for field output
power and eight field termination connections for the output signals.
Output modules support high availability when configured for duplex
operation and using the appropriate termination assembly.
Reaction to Faults
If an output module faults, the following status information is reported:
• Module presence
• Module health and status
• Channel health and status
•Field faults
• An echo of the front panel indicators for each module
If any of the following internal conditions exist, the output module fails safe:
• Internal software error is detected
• Over-temperature condition is detected
• Power supply rails are out of tolerance
The digital output module incorporates line test functionality that can detect
and indicate 'no load' field faults. This functionality can be enabled or disabled.
ATTENTION: In safety critical applications, the discrepancy alarms must
be monitored by the application program and used to provide an alarm
to operations personnel.
To Next Page
Loading...
