Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual

SAFETY MANUAL

D oc N umber T8094
I ssue 27 – June 2013

Page 65 of 103

will then take up the fail-safe (logic ‘0’) condition. This is not fault tolerant and
only becomes fail safe after the fault detection period or test interval. If the sum
of the TI, and 2× Tscan is not less than PST

E

, then an alternative I/O

architecture shall be chosen.

2. Guarded output modules provide a one-out-of-two (1-oo-2) structure within a

single module. A single fault may in an indeterminate condition on a redundant
output channel, leading to either immediate fail-safe action, or action by the
other channel on demand. A faulty output will be detected within the fault
detection period, and shall be replaced within the second fault occurrence period
to ensure continued functional safety. This provides a fail-safe output structure
and may be used within safety-related configurations.

3. Dual guarded outputs, this structure uses two guarded output modules in

parallel, i.e. a quad output structure. This structure is both fault-tolerant and fail-
safe. As with other dual structures, a failed output shall be replaced within the
second fault occurrence period to ensure continue safe operation.

TÜV Certified

Configuration

Conditions

Digital Inputs

T7401, 24 VDC

T7402, 48 VDC

T7404, 110 VAC

T7408, 120 VDC

1oo2

or

2oo3

or

1oo3

Normally energized (de-energize to trip): certified
only if the inputs are dynamically transitioned at a
period not greater than the second fault occurrence
time.
1oo3 configuration means that the 3 input signals
cannot be voted. Any mismatch of the signals leads
to an alarm annunciation.

Monitored Inputs

T7411, 24 VDC

T7411F, 24 VDC

T7418F, 120 VDC

1oo2

or

2oo3

Normally energized (de-energize to trip): certified
only if the inputs are dynamically transitioned at a
period not greater than the second fault occurrence
time.

Normally de-energized (energize to trip): certified
only for applications that fulfil the requirements
under section 3.2.4.

T7419, fire detector

MooN

Analog Inputs

T7420A, standard

T7420AF, fast

response

2oo3 with mid-value

select

or

dual with high/low

select

Certified only if the inputs are dynamically ranged
over full scale at a period not greater than the

second fault occurrence time.

Other Inputs

T7431A,

thermocouple

Not safety related but

interference free

Certified as non-interfering and can be used for
non-safety-critical input devices.

Input and Output

Multiplexer

T7491

Not safety related but

interference free

Certified as non-interfering and can be used for
non-safety-critical input devices.

Table 11 - Input Module, Low Density I/O