Rockwell Automation AADvance Controller Solutions Handbook User Manual
Document: 553631 (ICSTT-RM447J_EN_P) Issue: 09
SIL2 Fault Tolerant Input High Demand Architecture
A SIL2 fault tolerant "High Demand" architecture has dual input, dual processor and
dual output modules. In a dual arrangement the input modules operate in 1oo2D
under no-fault conditions, degrade to 1oo1D on the detection of the first fault in
either module, and will fail-safe when there are faults on both modules.

A triple input module arrangement can also be configured if it is required to increase
the fault tolerance of the input. When a triple input module arrangement is configured,
the input modules operate in 2oo3D under no-fault conditions, degrade to 1oo2D on
detection of the first fault in any module, then degrade to 1oo1D on the detection of
faults in any two modules, and will fail-safe when there are faults on all three modules.

The processor will operate in 1oo2D under non-faulted conditions and will degrade to
1oo1D on the first detected fault. For high demand applications the processor must be
repaired within the MTTR assumed in the PFD calculations or the high demand safety
instrumented functions must be shut down.

For High Demand applications you must use a minimum of a dual processor
configuration.
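
The degradation rules and the processor repair requirement above, expressed as an added Python sketch (not Rockwell Automation code and not an AADvance API). The fault-log format, the module names and the 8-hour MTTR are constructed assumptions; the real MTTR is the value assumed in the site's PFD calculations.

```python
# Degradation ladders as the section states them, indexed by the
# number of faulted input modules in the group.
INPUT_LADDER = {
    2: ("1oo2D", "1oo1D", "fail-safe"),
    3: ("2oo3D", "1oo2D", "1oo1D", "fail-safe"),
}


def evaluate(input_modules, processors, fault_log, now_h, mttr_h):
    """Report voting modes and whether high demand SIFs must be shut down.

    fault_log: (hour_detected, "input:<id>" | "processor:<id>") tuples,
               unrepaired faults only (hypothetical format).
    mttr_h:    MTTR assumed in the PFD calculations (site value, assumption).
    """
    if processors < 2:
        raise ValueError("high demand needs at least a dual processor configuration")
    if processors != 2 or input_modules not in INPUT_LADDER:
        raise ValueError("sketch covers dual processors with dual or triple inputs only")

    seen = [(t, c) for t, c in sorted(fault_log) if t <= now_h]
    faulted_inputs = {c for _, c in seen if c.startswith("input:")}
    proc_fault_times = [t for t, c in seen if c.startswith("processor:")]

    ladder = INPUT_LADDER[input_modules]
    input_mode = ladder[min(len(faulted_inputs), len(ladder) - 1)]
    # The section gives no processor mode beyond the first detected fault.
    processor_mode = "1oo1D" if proc_fault_times else "1oo2D"

    # The repair clock starts at the first detected processor fault.
    overdue = bool(proc_fault_times) and now_h - proc_fault_times[0] > mttr_h
    return {
        "input_mode": input_mode,
        "processor_mode": processor_mode,
        "shutdown_high_demand_sifs": overdue,
    }


# Constructed fault log: triple input, dual processor system.
SAMPLE_LOG = [(1.0, "input:B"), (3.0, "processor:1"), (6.5, "input:C")]

if __name__ == "__main__":
    for now in (2.0, 7.0, 12.0):
        print(now, evaluate(3, 2, SAMPLE_LOG, now, mttr_h=8.0))
```
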
Table 8: Modules for SIL2 Fault Tolerant High Demand Architecture