Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 24 of 103

[Figure: a Standby Module and an Active Module, each with channels Ch. A, Ch. B and Ch. C]

Figure 4 - SmartSlot or Adjacent Slot TMR Module Configuration

The High Density I/O modules support the system’s inherent TMR architecture. To
annunciate a failure, diagnostic and status information is available to the
application programmer within the corresponding module information. Faults will
also result in the generation of the corresponding front panel indication on the I/O
module and on the system healthy indicator and status output.

A majority fault condition on an I/O point, i.e. a fault beyond its fault tolerant
capability, results in a fail-safe logical state (logical 0). In this condition the
input state is forced to “unknown” (state 0x07) and the analog level to -2048. The
module fault status and fault codes will be set accordingly, and may
optionally be used for remote diagnosis purposes.

The maximum duration for single-channel operation of High Density Dual I/O
modules depends on the specific process and must be specified individually for
each application. For a specific system configuration this time can be
determined through a quantitative analysis performed by Rockwell Automation
using a TÜV approved modelling technique. If no calculation is available, the
maximum duration for single channel operation is 72 hours for (SIL 3) safety-
related applications.

When a module is operating in a Dual mode (or degraded to a dual mode) and a
state discrepancy occurs with no module fault detected, the state reported to
the application will always be the lower of the two states for a digital module,
and the higher of the two states for an analogue module.

In safety critical applications, the channel discrepancy alarms shall be
monitored and alarmed to the operator.
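The following is an added example, not code from the manual or from Rockwell Automation. It models the rules stated above for one I/O point: the fail-safe values on a majority fault (logical 0, state 0x07, analogue -2048), the dual-mode resolution (lower digital state, higher analogue level), the channel discrepancy flag that should drive the operator alarm, and the 72-hour default limit on single-channel operation. It assumes, beyond what the page states, that three healthy channels vote 2-out-of-3 (digital) or select the mid value (analogue), that dual mode means exactly two healthy channels, that one healthy channel is single-channel operation and that no healthy channel is a majority fault. The `Channel` and `Resolved` types, `resolve_point` and the sample readings are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Values the manual quotes for a majority fault (a fault beyond the
# point's fault-tolerant capability).
DIGITAL_FAILSAFE = 0            # fail-safe logical state
STATE_UNKNOWN = 0x07            # input state forced to "unknown"
ANALOG_FAILSAFE = -2048         # analogue level reported on a majority fault
MAX_SINGLE_CHANNEL_HOURS = 72   # default limit when no TUV-approved calculation exists (SIL 3)


@dataclass
class Channel:
    """One of the three channels (A, B or C) of a TMR I/O point (illustrative type)."""
    name: str
    value: int              # digital: 0 or 1; analogue: raw counts
    healthy: bool = True    # False once module diagnostics have faulted the channel


@dataclass
class Resolved:
    mode: str                  # "tmr", "dual", "single" or "failsafe"
    value: int                 # value handed to the application
    state: Optional[int]       # STATE_UNKNOWN on a majority fault, otherwise None
    discrepancy: bool          # healthy channels disagree: raise the operator alarm
    single_overrun: bool       # single-channel operation has exceeded its limit


def resolve_point(channels: List[Channel], analogue: bool,
                  hours_in_single: float = 0.0,
                  single_limit: float = MAX_SINGLE_CHANNEL_HOURS) -> Resolved:
    """Derive the application-visible value of one I/O point.

    Assumptions not stated on the page: three healthy channels vote
    2-out-of-3 (digital) or mid-value (analogue); "dual mode" is exactly two
    healthy channels; one healthy channel is single-channel operation, bounded
    by single_limit hours; no healthy channel is a majority fault.
    """
    good = [c.value for c in channels if c.healthy]
    discrepancy = len(set(good)) > 1

    if len(good) == 3:
        if analogue:
            value = int(median(good))             # mid-value selection (assumption)
        else:
            value = 1 if sum(good) >= 2 else 0    # 2oo3 majority vote
        return Resolved("tmr", value, None, discrepancy, False)

    if len(good) == 2:
        # Dual mode with no module fault: the manual says the application sees
        # the lower of the two digital states, or the higher of the two
        # analogue levels.
        value = max(good) if analogue else min(good)
        return Resolved("dual", value, None, discrepancy, False)

    if len(good) == 1:
        # Single-channel operation: pass the surviving channel through and flag
        # when the permitted duration has been exceeded.
        return Resolved("single", good[0], None, False,
                        hours_in_single > single_limit)

    # Majority fault: fail-safe state, input marked "unknown", analogue -2048.
    value = ANALOG_FAILSAFE if analogue else DIGITAL_FAILSAFE
    return Resolved("failsafe", value, STATE_UNKNOWN, False, False)


def demo():
    """Constructed sample readings: a digital and an analogue point, each with channel B faulted."""
    dig_point = [Channel("A", 1), Channel("B", 0, healthy=False), Channel("C", 0)]
    an_point = [Channel("A", 1200), Channel("B", 1180, healthy=False), Channel("C", 1230)]
    return resolve_point(dig_point, analogue=False), resolve_point(an_point, analogue=True)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the constructed sample both points are in dual mode with a discrepancy: the digital point reports 0 (the lower state) and the analogue point 1230 (the higher level), and `discrepancy` is set on both so the condition can be alarmed to the operator as the manual requires.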

The I/O modules use the active-standby arrangement to support bumpless on-line
repair. The module architecture allows the faulty module to continue normal service
until a replacement module is available and unlike conventional hot-standby
configurations, allows for a controlled transfer even in the presence of a fault condition.
The standby module may be permanently installed to reduce the repair time to an
absolute minimum.
