Rockwell Automation AADvance Controller Safety Manual User Manual
Document: 553630
ICSTT-RM446K-EN-P Issue: 10_C
Safety Manual (AADvance Controller)
SIL2 Fault Tolerant Input and SIL2 High Demand Architecture
A SIL2 fault tolerant "High Demand" architecture has dual input, dual processor and dual output modules. In a dual arrangement the input modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module, and will fail-safe when there are faults on both modules.

A triple input module arrangement can also be configured if it is required to increase the fault tolerance of the input. When a triple input module arrangement is configured, the input modules operate in 2oo3D under no fault conditions, degrade to 1oo2D on detection of the first fault in any module, then degrade to 1oo1D on the detection of faults in any two modules, and will fail-safe when there are faults on all three modules.

The processor will operate in 1oo2D under non-faulted conditions and will degrade to 1oo1D on the first detected fault. For high demand applications the processor must be repaired within the MTTR assumed in the PFD calculations or the high demand safety instrumented functions must be shut down.

For High Demand mode applications you must use a minimum of a dual processor configuration. High demand energise to action applications will require dual output modules. (Analogue Output Modules where the normal output current is less than 4 mA are classed as energise to action applications.)
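
The degradation sequences and High Demand rules above, modelled as an added example (not taken from the Rockwell manual or from AADvance tooling). All names are hypothetical, and the code encodes only what this section states; cases the section does not describe, such as both processors in fault, are rejected rather than guessed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Voting mode indexed by number of faulted modules, as stated in this section.
INPUT_DEGRADATION = {
    2: ("1oo2D", "1oo1D", "fail-safe"),
    3: ("2oo3D", "1oo2D", "1oo1D", "fail-safe"),
}

def input_mode(configured: int, faulted: int) -> str:
    """Voting mode of a dual or triple input group with `faulted` modules in fault."""
    if configured not in INPUT_DEGRADATION:
        raise ValueError("section covers dual and triple input arrangements only")
    if not 0 <= faulted <= configured:
        raise ValueError("faulted count out of range")
    return INPUT_DEGRADATION[configured][faulted]

def processor_action(faulted: int, hours_since_fault: float, mttr_hours: float) -> str:
    """Dual-processor mode and required action in a high demand application."""
    if faulted == 0:
        return "1oo2D"
    if faulted != 1:
        raise ValueError("section does not describe more than one processor fault")
    # mttr_hours is the MTTR assumed in the PFD calculations (supplied by the user).
    if hours_since_fault > mttr_hours:
        return "shut down high demand SIFs"
    return "1oo1D: repair within MTTR"

@dataclass
class HighDemandConfig:
    processors: int
    output_modules: int
    energise_to_action: bool
    analogue_output: bool = False
    normal_output_ma: Optional[float] = None  # normal output current in mA

def check_high_demand(cfg: HighDemandConfig) -> List[str]:
    """Return the High Demand rules from this section that `cfg` does not meet."""
    # Analogue outputs with a normal current below 4 mA count as energise to action.
    low_current = (cfg.analogue_output and cfg.normal_output_ma is not None
                   and cfg.normal_output_ma < 4.0)
    findings = []
    if cfg.processors < 2:
        findings.append("high demand requires at least a dual processor configuration")
    if (cfg.energise_to_action or low_current) and cfg.output_modules < 2:
        findings.append("high demand energise to action requires dual output modules")
    return findings
```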