Rockwell Automation AADvance Controller Safety Manual User Manual





Document: 553630
ICSTT-RM446K-EN-P Issue: 10

_C

3-3

SIL2 Fault Tolerant Input Architectures

A SIL2 fault tolerant input architecture can have dual or triple input

modules with a single processor and single output modules. The
illustration shows a dual input arrangement where the dual input modules

operate in 1oo2D under no fault conditions, they degrade to 1oo1D on

detection of the first fault in either module of the redundant pair, and
when a fault occurs on the second module it will fail-safe.
The processor module operates in 1oo1D under no fault conditions and

degrades to fail safe on the first detected fault. The output module

operates in 1oo1D under no fault conditions and will fail-safe on the first
detected fault.
When a triple input module arrangement is configured the group of input

modules operate in 2oo3D under no fault conditions, degrade to 1oo2D
on the detection of first fault in any module, then degrade to 1oo1D on

the detection of faults in any two modules, and will fail-safe when there

are faults on all three modules.

Note: Simplex processors can only be used for low demand applications.

Simplex output modules used for energize to action applications can only
be used for low demand applications.

Table 4:

Modules for SIL2 Architecture

Position

Module Type

I/P A and B

2 × T9401/2 Digital Input Module, 24V dc, 8/16 Channel +

T9802 Digital Input TA, 16 Channel, Dual or 2 × T9431/2
Analogue Input Module, 8/16 Channel, Isolated, + T9832
Analogue Input TA, 16 Channel, Dual

T9300 I/O Base Unit