Rockwell Automation Publication ICSTT-RM447M-EN-P - July 2019 63
Chapter 4
AADvance System Architectures
An AADvance controller can be configured to manage non-safety and up to
SIL 3 safety related system requirements for low demand or high demand fault
tolerant applications.
This chapter describes the different system architectures that can be configured
for SIL 2 and SIL 3 applications.
SIL 2 Architectures
SIL 2 architectures are recommended for fail-safe low demand applications. All
SIL 2 architectures can be used for energize or de-energize to trip applications.
In any configuration, replacing a faulty processor or input module restores the
previous fault tolerance level. For example, in a fault tolerant input
arrangement with one faulty module, the system degrades to 1oo1D (1 out of 1
with diagnostics); replacing the faulty module restores the configuration to
1oo2D (1 out of 2 with diagnostics).
In all SIL 2 architectures, when the processor modules have degraded to
1oo1D on the first detected fault, the system must be restored to 1oo2D by
replacing the faulty processor module within the MTTR assumed in the PFD
calculations. Also, unless compensating measures are defined in the Safety
Requirements Specification (SRS) and documented in operating procedures,
the application program must be designed to shut down the safety instrumented
functions if a module that has failed due to a dangerous fault has not been
replaced within the MTTR.
SIL 2 Fail-safe Architecture
The following is a simplex fail-safe SIL 2 architecture. The I/O modules
operate in 1oo1D under no-fault conditions and fail safe on the first
detected fault. The processor operates in 1oo2D under no-fault conditions,
degrades to 1oo1D on the first fault in either processor module, and fails
safe when both processor modules are faulty.
NOTE: Architectures are independent of I/O module capacity, so 8- or 16-channel I/O
modules can be used.
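The degradation rules described in the two passages above (1oo2D degrading to 1oo1D and then fail-safe, restoration on module replacement, and application-program shutdown of the SIF once a dangerous fault remains unrepaired beyond the MTTR assumed in the PFD calculations) are modelled here as an added Python illustration; it is not Rockwell's firmware or AADvance application code. The ModuleGroup class, the sif_output_energized function and the 72 h MTTR are assumptions made for this example, and it generalizes to any group size (1 module behaves like the simplex I/O, 2 like the processor pair).

```python
from dataclasses import dataclass, field

# Constructed model of the SIL 2 degradation rules: fault tolerance level is
# derived from how many modules of a group are still healthy, replacement
# restores the level, and a fault older than the MTTR trips the SIF.

@dataclass
class ModuleGroup:
    """Like modules with diagnostics: size=1 is simplex I/O, size=2 is dual processors."""
    name: str
    size: int                                      # number of installed modules
    faulty: dict = field(default_factory=dict)     # slot -> time (h) fault was detected

    def state(self) -> str:
        healthy = self.size - len(self.faulty)
        if healthy <= 0:
            return "FAIL_SAFE"                     # no module left able to perform the function
        return "1oo1D" if healthy == 1 else "1oo2D"

    def detect_fault(self, slot: int, now_h: float) -> str:
        assert 0 <= slot < self.size
        self.faulty.setdefault(slot, now_h)        # keep the first detection time for MTTR
        return self.state()

    def replace(self, slot: int) -> str:
        self.faulty.pop(slot, None)                # replacement restores the previous level
        return self.state()

    def oldest_fault_age(self, now_h: float) -> float:
        return max((now_h - t0 for t0 in self.faulty.values()), default=0.0)


def sif_output_energized(groups: list, now_h: float, mttr_h: float) -> bool:
    """De-energize-to-trip decision for one safety instrumented function.

    The output stays energized only while every group can still perform its
    function and no detected fault has stayed unrepaired longer than the MTTR
    assumed in the PFD calculation; otherwise the application shuts the SIF down.
    """
    for g in groups:
        if g.state() == "FAIL_SAFE" or g.oldest_fault_age(now_h) > mttr_h:
            return False
    return True


if __name__ == "__main__":
    cpu, io = ModuleGroup("processors", 2), ModuleGroup("input module", 1)
    cpu.detect_fault(0, now_h=10.0)                # first processor fault -> 1oo1D
    for now in (50.0, 83.0):                       # within MTTR (72 h) vs. overdue
        print(now, cpu.state(), sif_output_energized([cpu, io], now, 72.0))
```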