Rockwell Automation AADvance Controller Solutions Handbook User Manual
Page 69
Document: 553631 (ICSTT-RM447J_EN_P) Issue: 09
3-5
Dual Architecture for Fault Tolerant Applications
Fault Tolerant Input and SIL3 Outputs
The dual architecture configuration shown uses dual redundant modules for each
stage. The use of two processor modules provides SIL3 integrity for the processor
stage (as in the previous example), while the addition of a second input module
provides fault tolerance for the inputs.
A SIL3 fault tolerant processor and I/O is achieved with dual input and output module
configurations and dual or triple processor modules. The processor modules operate
in 1oo2D under no-fault conditions, degrade to 1oo1D on detection of the first
fault in either module, and fail safe when there are faults on both modules.
The input modules operate in 1oo2D under non-faulted conditions, degrade to 1oo1D on
detection of the first fault in either module, and fail safe when there are faults on
both modules.
The processor operates in 1oo2D under non-faulted conditions and degrades to
1oo1D on the first detected fault. For high demand applications the processor must be
repaired within the MTTR, or the SIL3 safety instrumented functions must be shut down.
For de-energize to action operation, one T9451 digital output module is sufficient for
SIL3 requirements. However, for energize to action operation, dual digital output
modules are required.
A single output module operates in 1oo1D under no-fault conditions and fails safe
when there is a fault on the module. For energize to action operation, the output
modules operate in 1oo2D under no-fault conditions, degrade to 1oo1D on detection
of the first fault in either module, and fail safe when there are faults on both
modules.
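The degradation rules above (1oo2D to 1oo1D to fail-safe for dual stages, 1oo1D to fail-safe for a single de-energize-to-action output module, and the MTTR rule for high demand applications) as an added worked model; this is illustrative code, not Rockwell firmware or any AADvance API, and the function names and the default `mttr_hours` value are assumptions, since the handbook states no MTTR figure here.

```python
from enum import Enum

class Mode(Enum):
    DUAL = "1oo2D"           # both modules healthy, dual redundant with diagnostics
    SINGLE = "1oo1D"         # degraded after the first detected fault
    FAIL_SAFE = "fail-safe"  # no healthy module left; stage goes to its safe state

def stage_mode(faults):
    """Mode of one stage from per-module fault flags (True = faulted).
    Dual stage: [False, False] -> 1oo2D, one fault -> 1oo1D, both -> fail-safe.
    Single stage: [False] -> 1oo1D, [True] -> fail-safe."""
    healthy = sum(1 for f in faults if not f)
    if healthy >= 2:
        return Mode.DUAL
    if healthy == 1:
        return Mode.SINGLE
    return Mode.FAIL_SAFE

def required_output_modules(energize_to_action):
    """One T9451 suffices for de-energize to action; energize to action needs two."""
    return 2 if energize_to_action else 1

def controller_state(processor_faults, input_faults, output_faults,
                     energize_to_action, high_demand=False,
                     hours_since_first_fault=0.0, mttr_hours=8.0):
    """Return the mode of each stage and the resulting action.
    mttr_hours=8.0 is a constructed placeholder, not a handbook value."""
    if len(output_faults) < required_output_modules(energize_to_action):
        raise ValueError("energize to action operation requires dual output modules")
    modes = {
        "processor": stage_mode(processor_faults),
        "input": stage_mode(input_faults),
        "output": stage_mode(output_faults),
    }
    action = "continue"
    if Mode.FAIL_SAFE in modes.values():
        action = "fail-safe"
    elif (modes["processor"] is Mode.SINGLE and high_demand
          and hours_since_first_fault > mttr_hours):
        # Degraded processor not repaired within MTTR in a high demand application
        action = "shut down SIL3 SIFs"
    return modes, action
```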