Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 5 of 103

applications. To detect the presence of these covert faults, it is necessary to perform tests, or diagnostics, on the system. Detection of the covert fault is then used to force the system to its fail-safe condition. For a non-fault-tolerant (simplex) system with diagnostics, this is referred to as 1-oo-1D.

Fault-tolerant systems have redundant elements that allow the system to continue operation, or to ensure that the system fails safely, in the presence of faults. For example, a dual system may be 1-oo-2 (also known as 2v2), with either channel able to initiate the fail-safe reaction, or 2-oo-2 (1v2), requiring both channels to initiate the fail-safe reaction. The 1-oo-2 system provides a greater period between potential failures to respond to a hazard, but a higher probability of spurious responses. The 2-oo-2 system provides a greater period between spurious responses, but a higher chance of not responding when required. It is also possible to have dual systems with diagnostics to address covert failures and help redress the balance between failure to respond and spurious response. A dual system could therefore be 2-oo-2D reverting to 1-oo-1D reverting to fail-safe, or 2→1→0.

Consider a simple triplicated system, as shown in Figure 1. The input and output devices are assumed to be simply wired to the input and output channels to provide the requisite distribution and voting. We have assumed that the output vote is a simple majority vote for this purpose. Note that with non-8000 series systems there may be a need for a common output-voting element.

[Figure 1 shows three independent channels, A, B and C, each consisting of one INPUT, one PROCESSOR and one OUTPUT element.]

Figure 1 - Simple Triplicated System
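The dual and triplicated voting schemes described above, as an added example that is not part of the original manual: a Python model of 1-oo-2, 2-oo-2, simple majority, and 2-oo-2D degrading to 1-oo-1D and then to fail-safe. The Channel type and all function names are illustrative assumptions; True means the channel output is energised.

```python
from dataclasses import dataclass

# Constructed model (not from the manual) of the voting schemes discussed above.
# True means the channel output is energised (plant permitted to run); False
# means the channel is calling for the fail-safe, de-energised state.


@dataclass(frozen=True)
class Channel:
    energised: bool
    faulted: bool = False  # True when diagnostics have revealed a covert fault


def vote_1oo2(a: Channel, b: Channel) -> bool:
    """1-oo-2 trip (2v2 on the energised state): either channel alone can force
    the fail-safe state, so the output stays energised only if both agree."""
    return a.energised and b.energised


def vote_2oo2(a: Channel, b: Channel) -> bool:
    """2-oo-2 trip (1v2 on the energised state): both channels must call for the
    fail-safe state, so one energised channel keeps the output energised."""
    return a.energised or b.energised


def vote_majority(*channels: Channel) -> bool:
    """Simple majority vote, as assumed for the triplicated system of Figure 1."""
    energised = sum(1 for c in channels if c.energised)
    return energised * 2 > len(channels)


def vote_2oo2d(a: Channel, b: Channel) -> bool:
    """2-oo-2D degrading 2 -> 1 -> 0: channels whose diagnostics report a fault
    are dropped from the vote. Two healthy channels vote 2-oo-2; one healthy
    channel decides alone (1-oo-1D); none left means revert to fail-safe."""
    healthy = [c for c in (a, b) if not c.faulted]
    if len(healthy) == 2:
        return vote_2oo2(*healthy)
    if len(healthy) == 1:
        return healthy[0].energised
    return False


def dual_tradeoff(a: Channel, b: Channel) -> dict:
    """Show the spurious-trip versus failure-to-respond balance for one pair."""
    return {"1oo2": vote_1oo2(a, b), "2oo2": vote_2oo2(a, b)}
```

Running dual_tradeoff on a pair where one channel has spuriously de-energised shows the balance the text describes: 1-oo-2 trips while 2-oo-2 rides through, and the same pair with one channel failing to respond to a real demand shows 2-oo-2 staying energised.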
