Rockwell Automation AADvance Controller Solutions Handbook User Manual


2-8    Document: 553631 (ICSTT-RM447J_EN_P)    Issue: 09    Solutions Handbook (AADvance Controller)


Table 9: Modules for SIL3 Fail-safe I/O, Fault Tolerant Processor

Position        Module Type
--------        -----------
I/P A           T9401/2 Digital Input Module, 24V dc, 8/16 Channel + T9802 Digital Input TA,
                16 Channel, Dual
                or
                T9431/2 Analogue Input Module, 8/16 Channel + T9832 Analogue Input TA,
                16 Channel, Dual
                T9300 Base Unit
CPU A & CPU B   2 x T9110 Processor Module, T9100 Base Unit
O/P A           T9451 Digital Output Module, 24V dc, 8 Channel + T9851 Digital Output TA,
                24V dc, 8 Channel, Simplex

SIL3 Fault Tolerant I/O Architectures

A SIL3 fault tolerant processor and I/O is achieved with dual input and output module configurations and dual or triple processor modules. The processor modules operate in 1oo2D under no-fault conditions, degrade to 1oo1D on detection of the first fault in either module, and fail safe when there are faults on both modules. Similarly, the input modules operate in 1oo2D under non-faulted conditions, degrade to 1oo1D on detection of the first fault in either module, and fail safe when there are faults on both modules.
The processor operates in 1oo2D under non-faulted conditions and degrades to 1oo1D on the first detected fault. For high demand applications the processor must be repaired within the MTTR assumed in the PFD calculations, or the SIL3 safety instrumented functions must be shut down.

For SIL3 applications you must use a minimum of a dual processor configuration.

For de-energize to action operation, one T9451 digital output module is sufficient for SIL3 requirements. However, for energize to action operation, dual digital output modules are required. The single output module operates in 1oo1D under no-fault conditions and fails safe when there is a fault on the module. For energize to action operation, the output modules operate in 1oo2D under no-fault conditions, degrade to 1oo1D on detection of the first fault in either module, and fail safe when there are faults on both modules.
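The degradation rules above (1oo2D to 1oo1D to fail-safe for a dual pair, simplex versus dual outputs depending on energize/de-energize to action, and the high-demand MTTR rule) can be captured in a small model. This is an added example and not code from the Rockwell handbook or the AADvance product; the MTTR value and fault timings used in it are constructed.

```python
"""Model of the AADvance redundancy degradation rules described in the text.
Added example, not vendor code; MTTR and fault timings are constructed."""
from enum import Enum
from typing import Optional


class Mode(Enum):
    ONE_OO_TWO_D = "1oo2D"    # both modules healthy, diagnostics running
    ONE_OO_ONE_D = "1oo1D"    # degraded: one healthy module carries on
    FAIL_SAFE = "fail-safe"   # no healthy module: outputs driven to safe state


def pair_mode(fault_a: bool, fault_b: bool) -> Mode:
    """Voting mode of a dual (A/B) processor or input module pair."""
    faults = int(fault_a) + int(fault_b)
    if faults == 0:
        return Mode.ONE_OO_TWO_D
    if faults == 1:
        return Mode.ONE_OO_ONE_D          # first fault: degrade, keep running
    return Mode.FAIL_SAFE                  # faults on both: fail safe


def output_mode(fault_a: bool, fault_b: Optional[bool],
                energize_to_action: bool) -> Mode:
    """Digital output stage. De-energize to action: one module is enough,
    a fault simply de-energizes (the safe state). Energize to action: a
    dual pair is required so the loop can still be driven after one fault."""
    if not energize_to_action:
        return Mode.FAIL_SAFE if fault_a else Mode.ONE_OO_ONE_D
    if fault_b is None:
        raise ValueError("energize-to-action outputs require dual modules")
    return pair_mode(fault_a, fault_b)


def high_demand_action(fault_a: bool, fault_b: bool,
                       hours_since_first_fault: float, mttr_hours: float) -> str:
    """High-demand rule: a processor degraded to 1oo1D must be repaired within
    the MTTR assumed in the PFD calculation, otherwise the SIL3 safety
    instrumented functions are shut down. Returns 'run' or 'shutdown'."""
    mode = pair_mode(fault_a, fault_b)
    if mode is Mode.FAIL_SAFE:
        return "shutdown"
    if mode is Mode.ONE_OO_ONE_D and hours_since_first_fault > mttr_hours:
        return "shutdown"                  # repair window (MTTR) exceeded
    return "run"


if __name__ == "__main__":
    # Constructed scenario: CPU A faulted 9 h ago, assumed MTTR 8 h.
    print(pair_mode(True, False).value, high_demand_action(True, False, 9.0, 8.0))
```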
