Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013


A failure in any element of a channel, e.g. Ch. A Input, will result in the failure of
that complete channel. If this failure is fail-safe, only 1 of the remaining channels needs to
respond to a demand condition to generate the safe reaction. If a second channel fails
safe then the overall system will fail-safe. This is therefore a 3-2-0 architecture.
Typically, diagnostics are used to ensure that the fail-safe state can be assured; the
operation is therefore 2-oo-3D, reverting to 1-oo-2D, reverting to fail-safe.

The 8000 series is a TMR system; this means that each stage of the system is
triplicated, with the results from each preceding stage majority voted to provide both
fault tolerance and fault detection. Diagnostics are also used to ensure that covert
failures are detected and result in the correct fail-safe reaction. For example, a fault
within Input Ch. A will be localised to that input, and unlike the standard triplicated
system, will allow Processor Ch. A and Output Ch. A to continue operation, i.e. the
input is now operating 1-oo-2D whilst the remainder of the system continues to operate
2-oo-3.

[Figure: block diagram with INPUT, PROCESSOR and OUTPUT blocks for each of Ch. A, Ch. B and Ch. C, and a Diagnostics label for each of the nine blocks.]

Figure 2 – TMR Architecture

The 8000 Series utilises this Triple Modular Redundant architecture with diagnostics,
supporting a 2-oo-3D reverting to 1-oo-2D reverting to fail-safe, or 3-2-0 operation.
The 1-oo-2D operation is a transient mode of operation where active and standby
modules are installed; in this case, the degradation is 3-2-3-2-0.

The architecture, and hence degradation modes, for low density I/O may be selected as
required; see para. 3.2 in this Manual for further details.
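
The following is an added illustration, not code from the manual or from Rockwell Automation: a toy model contrasting the standard triplicated system (a fault takes out the whole channel) with the per-stage voting described above (a fault stays local to its stage). It assumes boolean signals where True means a demand for the safe reaction, treats every diagnosed fault as fail-safe, and extends the manual's single Input Ch. A fault to a constructed second fault in Output Ch. B.

```python
# Added illustration (not vendor code): toy model of the degradation modes above.
# Assumptions: True = demand for the safe reaction; a diagnosed fault is
# fail-safe and simply removes that element from the vote.
CHANNELS = ("A", "B", "C")
STAGES = ("input", "processor", "output")

def mode(healthy_count):
    """Map the number of healthy elements to the operating mode (3-2-0)."""
    return {3: "2-oo-3D", 2: "1-oo-2D"}.get(healthy_count, "fail-safe")

def vote(values, healthy):
    """Vote one triplicated stage; True means the safe reaction is demanded."""
    good = [v for v, ok in zip(values, healthy) if ok]
    if len(good) == 3:
        return sum(good) >= 2      # 2-oo-3D: majority of three
    if len(good) == 2:
        return any(good)           # 1-oo-2D: either remaining element can trip
    return True                    # fewer than two healthy: fail-safe

def standard_triplicated(faults):
    """A fault in any element takes its whole channel out of the vote."""
    healthy = [not any((s, ch) in faults for s in STAGES) for ch in CHANNELS]
    return mode(sum(healthy))

def tmr_per_stage(faults):
    """Each stage is voted separately, so a fault stays local to its stage."""
    return {s: mode(sum((s, ch) not in faults for ch in CHANNELS))
            for s in STAGES}

if __name__ == "__main__":
    one = {("input", "A")}                      # the manual's example fault
    two = {("input", "A"), ("output", "B")}     # constructed second fault
    for faults in (one, two):
        print(sorted(faults))
        print("  standard triplicated:", standard_triplicated(faults))
        print("  per-stage TMR:       ", tmr_per_stage(faults))
    # Ch. A diagnosed faulty, only Ch. C sees the demand: safe reaction
    print(vote([False, False, True], [False, True, True]))
```
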
