Rockwell Automation AADvance Controller Solutions Handbook User Manual





Document: 553631
(ICSTT-RM447J_EN_P) Issue: 09:

2-3

SIL2 Fault Tolerant Input Architectures

A SIL2 fault tolerant input architecture can have dual or triple input modules with a

single processor and single output modules. The illustration shows a dual input
arrangement where the dual input modules operate in 1oo2D under no fault

conditions, they degrade to 1oo1D on detection of the first fault in either module of

the redundant pair, and when a fault occurs on the second module it will fail-safe.
The processor module operates in 1oo1D under no fault conditions and degrades to

fail safe on the first detected fault. The output module operates in 1oo1D under no

fault conditions and will fail-safe on the first detected fault.
When a triple input module arrangement is configured the group of input modules
operate in 2oo3D under no fault conditions, degrade to 1oo2D on the detection of

first fault in any module, then degrade to 1oo1D on the detection of faults in any two

modules, and will fail-safe when there are faults on all three modules.

Table 6:

Modules for SIL2 Architecture

Position

Module Type

I/P A and B

2 × T9401/2 Digital Input Module, 24V dc, 8/16 Channel +

T9802 Digital Input TA, 16 Channel, Dual or 2 × T9431/2
Analogue Input Module, 8/16 Channel, Isolated, + T9832

Analogue Input TA, 16 Channel, Dual

T9300 I/O Base Unit

CPU A

1 x T9110 Processor Module, T9100 Base Unit

O/P A

T9451 Digital Output Module, 24V dc, 8 Channel +

T9851 Digital Output TA, 24V dc, 8 Channel, Simplex

T9300 I/O Base Unit