
Sil3 architectures – Rockwell Automation AADvance Controller Safety Manual User Manual



Document: 553630
ICSTT-RM446K-EN-P Issue: 10


For Continuous Mode applications the measures defined in this section for High Demand applications must be applied.

Table 6: Modules for SIL2 Fault Tolerant High demand Architecture

| Position | Module Type |
|---|---|
| I/P A | 2 × T9401/2 Digital Input Module, 24V dc, 8/16 Channel + T9802 Digital Input TA, 16 Channel, Dual, or 2 × T9431/2 Analogue Input Module, 8/16 channel + T9832 Analogue Input TA, 16 Channel, Dual. 2 × T9300 I/O Base unit |
| CPU A & CPU B | 2 × T9110 Processor, T9100 Processor Base Unit |
| O/P A | 2 × T9451 Digital Output Module, 24V dc, 8 Channel + T9852 Digital Output TA, 24V dc, 8 channel, T9300 Base Unit, or 2 × T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9882 Analogue Output TA, 8 Ch, Dual |

SIL3 Architectures

SIL3 architectures have at least two processor modules and are suitable for use with:

- SIL3 de-energize to trip applications.
- SIL3 energize to action applications which have dual digital/analogue output modules.

Faulted input modules in a SIL3 arrangement may be replaced without a time limit; faulted output modules must be replaced within the MTTR assumed in the PFD calculations.

In all SIL3 architectures, when the processor modules have degraded to 1oo1D on the first detected fault, the system must be restored to at least 1oo2D by replacing the faulty processor module within the MTTR assumed in the PFD calculations, or all SIL3 safety instrumented functions and high demand safety instrumented functions must be shut down.

SIL3 Fail-safe I/O, Fault Tolerant Processor

A SIL3, fail-safe I/O with a fault tolerant processor architecture has a simplex input and output arrangement with dual or triple processor modules. The dual processor modules operate in 1oo2D under no fault conditions and degrade to 1oo1D on detection of the first fault in either module. When there are faults on both modules the configuration will fail-safe.
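
The processor degradation rule described above (1oo2D, then 1oo1D on the first fault, repair within the MTTR or shut down, fail-safe when both modules are faulted) can be modelled as a small state machine. This is an added example, not code from the manual or from Rockwell Automation; the `Event` type, the state names `SHUTDOWN_REQUIRED` and `FAIL_SAFE`, the 8-hour MTTR and the sample timeline are assumptions, and the model covers the dual processor case only, treating both end states as terminal.

```python
from dataclasses import dataclass

MTTR_HOURS = 8.0  # assumed figure; substitute the MTTR used in your PFD calculations

@dataclass(frozen=True)
class Event:
    t: float      # hours since the start of the timeline
    kind: str     # "fault" (detected fault) or "replace" (module swapped)
    module: str   # "A" or "B"

def processor_states(events, mttr=MTTR_HOURS, end=None):
    """Return [(time, state)] transitions for a dual processor pair."""
    healthy = {"A": True, "B": True}
    degraded_at = None                      # time the pair entered 1oo1D
    log = [(0.0, "1oo2D")]
    timeline = sorted(events, key=lambda e: e.t)
    if end is not None:
        timeline.append(Event(end, "end", ""))   # marker to check the deadline
    for ev in timeline:
        # Repair deadline passed while still running on a single processor.
        if degraded_at is not None and ev.t > degraded_at + mttr:
            log.append((degraded_at + mttr, "SHUTDOWN_REQUIRED"))
            return log
        if ev.kind == "fault" and healthy[ev.module]:
            healthy[ev.module] = False
        elif ev.kind == "replace" and not healthy[ev.module]:
            healthy[ev.module] = True
        else:
            continue                        # duplicate report or end marker
        good = sum(healthy.values())
        if good == 2:
            degraded_at = None
            log.append((ev.t, "1oo2D"))
        elif good == 1:
            degraded_at = ev.t
            log.append((ev.t, "1oo1D"))
        else:
            log.append((ev.t, "FAIL_SAFE"))  # faults on both modules
            return log
    return log

if __name__ == "__main__":
    # Constructed timeline: module A faults at hour 10 and is replaced too late.
    late = [Event(10, "fault", "A"), Event(20, "replace", "A")]
    for t, state in processor_states(late):
        print(f"{t:6.1f} h  {state}")
```
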