System recommendations, 1 introduction, 2 i/o architectures – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual

SAFETY MANUAL

D oc N umber T8094
I ssue 27 – June 2013

Page 18 of 103

3. SYSTEM RECOMMENDATIONS

3.1 INTRODUCTION

This paragraph expands on and applies the safety principles described earlier in this
Manual. Many of the recommendations within this paragraph are equally applicable to
other safety-related systems. However, the details of the recommendations or
requirements are specific to the TMR system.

3.2 I/O ARCHITECTURES

The TMR system has very comprehensive internal diagnostics that reveal both covert
and overt failures. The hardware implementation of many of the fault tolerance and
fault detection mechanisms provides for rapid fault detection for most system
elements. Self-test facilities used to diagnose faults within the remainder of the
system are defined to provide optimum safety availability. These self-test facilities may
require short periods of off-line operation or introduce conditions, i.e. alarm or fault test
conditions, which effectively result in the point being off-line within that redundant
channel. Within TMR configurations, this period of off-line operation only affects the
system’s ability to response under multiple fault conditions.

The TMR Processors, TMR Interfaces, Expander Interfaces and Expander Processors
are all naturally redundant and have been designed to withstand multiple faults and
support a fixed on-line repair configuration in adjacent slots and therefore require little
further consideration. The input and output modules support a number of architecture
options, the effects of the chosen architecture should be evaluated against the system
and application specific requirements.