Appendix b, Triguard i/o, 2 effect of output states – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual


SAFETY MANUAL

Doc Number T8094
Issue 27 – June 2013

Page 69 of 103

APPENDIX B

For guidance on how to upgrade a Triguard SC300E system to a hybrid
Trusted/SC300E system, see application note AN-T80015.

8. TRIGUARD I/O

The Triguard I/O modules provide internal TMR interfacing. Other elements of
individual modules may be non-redundant (depending on module type) to support ‘slice
redundancy’ in redundant module configurations. To optimise the system’s safety
availability, the self-test functions are timed to take only a small part of the system
resources.

The test interval (TI) to ensure the system’s ability to respond to latent errors within the
process safety time is given by:

TI = 20 × IOU × I/O

Where:

TI = test interval in seconds
IOU = number of Triguard I/O chassis
I/O = number of I/O modules in a chassis

8.1 EFFECT OF THE INPUT AND OUTPUT STATES

8.1.1 Effect of Input States

If the three basic Triguard input states and the effect of the fault detection time are
considered, then:

1. For a simplex input configuration (used in non-SIL applications), the logic signal into the application will remain at the state prior to detection. This is not fault tolerant and does not test the simplex elements. The module is however interference-free.

2. In one-out-of-three, second critical fault (1-oo-3) situations, the system remains active until the fault is detected during normal data or status reads by the MP and accessed by the application. The application then carries out a controlled plant shutdown if it is a critical input.

3. In two-out-of-three (2-oo-3) the system remains operational at all times and tolerates the single failure.

8.1.2 Effect of Output States

If the single basic state and the effect of the fault detection time are considered, then:

1. Output modules provide a two-out-of-three (2-oo-3) structure within a single module with one slice fault. A faulty output will be detected within the fault detection period, and shall be replaced within the second fault occurrence timeout period to ensure continued functional safety.
