Triple modular redundant architecture – Rockwell Automation AADvance Controller Solutions Handbook User Manual

Document: 553631 (ICSTT-RM447J_EN_P) Issue: 09

Triple Modular Redundant Architecture

A SIL3 TMR architecture offers the highest level of fault tolerance for an AADvance controller and consists of triple input modules, triple processors and dual output modules.

The input and processor modules operate in 2oo3D under no-fault conditions, degrade to 1oo2D on detection of the first fault in any module, degrade to 1oo1D on detection of faults in any two modules, and fail-safe when there are faults on all three modules.

For de-energize to action operation, the output modules operate in 2oo2D under no-fault conditions, degrade to 1oo1D on detection of the first fault in either module, and fail-safe when there are faults on both modules.

For energize to action operation, the output modules operate in 1oo2D under no-fault conditions, degrade to 1oo1D on detection of the first fault in either module, and fail-safe when there are faults on both modules.
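The degradation ladders described above can be modelled as a small voter. This is an added illustration, not Rockwell Automation code or AADvance firmware. It assumes the conventional MooN reading (at least M of the N healthy modules must demand the action), and the names `LADDERS` and `vote` are hypothetical.

```python
from typing import Dict, Optional, Sequence, Tuple

# Degradation ladders as stated in the text, keyed by the number of modules
# still healthy. Each entry is (M, label). Zero healthy modules = fail-safe.
LADDERS: Dict[str, Dict[int, Tuple[int, str]]] = {
    "input_processor":   {3: (2, "2oo3D"), 2: (1, "1oo2D"), 1: (1, "1oo1D")},
    "output_deenergize": {2: (2, "2oo2D"), 1: (1, "1oo1D")},
    "output_energize":   {2: (1, "1oo2D"), 1: (1, "1oo1D")},
}


def vote(stage: str,
         demands: Sequence[Optional[bool]]) -> Tuple[str, Optional[bool]]:
    """Vote one stage of the architecture.

    demands holds one entry per installed module:
      True / False -> healthy module demanding / not demanding the action
      None         -> module diagnosed as faulty (the "D"), excluded from vote
    Returns (voting mode in effect, voted decision). The decision is None in
    fail-safe, because the configured safe state is outside this model.
    """
    ladder = LADDERS[stage]
    if len(demands) != max(ladder):
        raise ValueError(f"{stage} expects {max(ladder)} modules")

    healthy = [d for d in demands if d is not None]
    if not healthy:
        return ("fail-safe", None)

    m, label = ladder[len(healthy)]
    # Assumption: MooN means at least M healthy modules must agree to act.
    return (label, sum(healthy) >= m)


if __name__ == "__main__":
    # Constructed sample: one input module faulted, the other two disagree.
    print(vote("input_processor", [None, True, False]))
    # Constructed sample: both output modules healthy, only one demands.
    print(vote("output_deenergize", [True, False]))
    print(vote("output_energize", [True, False]))
```
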

In the event of a failure in any element of a channel, the channel processor will still produce a valid output which could be voted on because of the coupling between the channels. This is why the triple modular redundant implementation provides a configuration that is inherently better than a typical 2oo3 voting system.

IMPORTANT: All configurations that use dual or triplicate processor modules are suitable for SIL3 architectures with de-energize to action outputs. Dual output modules are required for SIL3 energize to action outputs.
