Rockwell Automation Publication ICSTT-RM447M-EN-P - July 2019 71
AADvance System Architectures Chapter 4
In the event of a failure in any element of a channel, the channel processor will
still produce a valid output which could be voted on because of the coupling
between the channels. This is why the triple modular redundant
implementation supplies a configuration that is inherently better than a typical
2oo3 voting system.
Digital Output Modules
A digital output module fault must be repaired within the MTTR which was
used in the PFD calculation. This rule applies to simplex digital output
modules in de-energize to trip applications and to dual digital output modules
in energize to action applications.
Analogue Output Modules
An analogue output module fault must be repaired within the MTTR which
was used in the PFD calculation. This rule applies to simplex analogue output
modules where the safe state is less than or equal to 4 mA and to dual analogue
output modules where the safe state is more than 4 mA. (A ‘safe state’ is an
output configured to go to a specific value, or configured to hold last state).
Table 11 - Modules for TMR Input and Processor, Fault Tolerant Output
Position Module Type
I/P A 3 × T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel +
T9803 Digital Input TA, 16 Channel, TMR
or
3 × T9431/2 Analogue Input Module, 8/16 Channel +
T9833 Analogue Input TA, 16 Channel, TMR
2 × T9300 I/O Base Unit
CPU A & CPU B 3 × T9110 Processor Module, T9100 Processor Base Unit
O/P A 2 × T9451 Digital Output Module, 24 Vdc, 8 Channel +
9852 Digital Output TA, 24 Vdc 8 Channel, Dual; 1 x T9300 Base Unit
Or
2 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated +
T9882 Analogue Output TA, 8 Ch, Dual; 1 x T9300 Base Unit
NOTE All configurations that use dual or triplicate processor modules are
applicable for SIL 3 architectures with de-energize to trip outputs. Dual
outputs are always required for SIL 3 energize to action outputs.