Appendix a 7. low-density i/o, 1 effect of input architectures, 2 effect of output architectures – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual
Page 85
SAFETY MANUAL
D oc N umber T8094
I ssue 27 – June 2013
Page 64 of 103
APPENDIX A
7. LOW-DENSITY I/O
The Low-Density I/O modules provide internal TMR interfacing. Other elements of
individual modules may be non-redundant (depending on module type) to support ‘slice
redundancy’ in redundant module configurations. To optimise the system’s safety
availability, the self-test functions are timed to take only a small part of the system
resources.
In non-redundant configurations, it is important that the resulting test interval be
sufficiently short to ensure the system’s ability to respond within the process safety
time. For these configurations, the test interval (TI) is given by:
TI = (172
Ч
Ч
Ч
Ч
IOU
Ч
Ч
Ч
Ч
Tscan) + 2
Where:
TI
= test interval in seconds
IOU
= number of Low Density I/O chassis
Tscan
= system scan time in seconds
The Regent+Plus User’s Guide provides additional information on the
configuration and use of Low Density I/O, including I/O module specific
restrictions that must be followed.
7.1.1 Effect of Input Architectures
If the four basic low density input configurations and the effect of the fault detection
time are considered, then:
1. For a simplex input configuration, the logic signal into the application will remain
at the state prior to detection until the fault detection time has expired, and will
then take up the logic ‘0’ condition. This is not fault tolerant and only becomes
fail safe after the fault detection period or test interval. If the sum of the TI, and
2× Tscan is not less than PST
E
, then an alternative I/O architecture shall be
chosen. If the demand rate is low, this can be acceptable for shutdown
functions.
2. In one-out-of-two (1-oo-2) situations, the system remains active during the fault
detection time but will trip when the fault detection time expired.
3. In two-out-of-two (2-oo-2) situations, the input remains static during the fault
detection period, but returns to operation when the fault detection period
expires. This is fault tolerant but the system is inactive during the fault detection
time. As before, if the sum of the TI, and 2× Tscan is not less than PST
E
, then
an alternative I/O architecture shall be chosen. In this configuration, the input
modules SHALL be in separate chassis.
4. When two-out-of-three (2-oo-3) is used the system remains operational at all
times and tolerates the failure.
7.1.2 Effect of Output Architectures
If the three basic low density output configurations and the effect of the fault detection
time are considered, then:
1. For a simplex output configuration, the output may be indeterminate in the event
of failure. Additional outputs may be used to provide a fail-safe mechanism on
an output group basis. The output will remain indeterminate until the fault
detection time has expired, with the additional output fail-safe the output group