Rockwell Automation T9481/2, T9310, T9110, T9431/2, T9300 Solutions Handbook

...
Solutions Handbook
Original Instructions
AADvance Controller
Catalog Numbers T9110 T9300 T9310 T9401/2 T9431/2 T9451 T9481/2
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety and other considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
CAUTION: Identifies information about practices or circumstances that can cause property damage or economic loss.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
NOTE: Provides key information about the product or service.
TIP: Tips give helpful information about using or setting up the equipment.
2 Rockwell Automation Publication ICSTT-RM447M-EN-P - July 2019
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Summary of Changes

This manual contains new and updated information as indicated in the following table.

Issue  Date        Comments
01     Dec 2008    First Issue
02     Feb 2009
03     Feb 2010
04     Mar 2010    Updates after peer review
05     June 2010   Updates for release 1.1.1
06     Oct 2010    Updates to meet UL requirements
07     Nov 2010    Updates for ATEX and UL Certification and release 1.2
08     July 2012   Release 1.3 version
09     June 2013   Changes to TUV certification topic, add on-line update feature and module
10     July 2014   Release 1.33 updates
11     March 2015  Release 1.34 updates
12     June 2015   Correct Issue Record
L      April 2018  Release 1.40 updates
M      July 2019   Updated for Release 1.34 IEC 61508 Edition 2.0 certification specification data

Summary of changes in this Document Issue

Topic                                                                          Page
Updated release number in Preface to 1.34                                        7
Updated Performance and Electrical Specifications section                       23
Added references to ATEX and IECEx UL certificates in the Literature Library    27
Updated module label                                                            27
Updated SIL 2 Architectures section                                             63
Updated Certified Configurations section                                        72
Updated Example Architectures with Approved Modules section                     73
Updated Mixed Architectures section                                             81
Updated Define a New System chart                                               95
Updated T9110 Processor Module Specification table                             112

Preface

In no event will Rockwell Automation be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment. The examples given in this manual are included solely for illustrative purposes. Because of the many variables and requirements related to any particular installation, Rockwell Automation does not assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, with respect to use of information, circuits, equipment, or software described in this manual.
All trademarks are acknowledged.
DISCLAIMER
It is not intended that the information in this publication covers every possible detail about the construction, operation, or maintenance of a control system installation. You should also refer to your own local (or supplied) system safety manual, installation and operator/maintenance manuals.
REVISION AND UPDATING POLICY
This document is based on information available at the time of its publication. The document contents are subject to change from time to time. The latest versions of the manuals are available at the Rockwell Automation Literature Library under "Product Information", "Critical Process Control & Safety Systems".
DOWNLOADS
The product compatibility and download center is
www.rockwellautomation.com/rockwellautomation/support/pcdc.page?
Select the Find Downloads option under Download
In the Product Search field enter "AADvance" and the AADvance® option is displayed.
Double click on the AADvance option and the latest version is shown.
Select the latest version and download the latest version.
AADVANCE RELEASE
This technical manual applies to AADvance Release: 1.34.
LATEST PRODUCT INFORMATION
For the latest information about this product review the Product Notifications and Technical Notes issued by technical support. Product Notifications and product support are available at the Rockwell Automation Support Center at
http://rockwellautomation.custhelp.com
At the Search Knowledgebase tab select the option "By Product", then scroll down and select the ICS Triplex® product AADvance.
Some of the Answer IDs in the Knowledge Base require a TechConnect℠ Support Contract. For more information about TechConnect Support Contract Access Level and Features, click on the following link:
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/898272
This will take you to the login page where you must enter your login details.
IMPORTANT: A login is required to access the link. If you do not have an account then you can create one using the "Sign Up" link at the top right of the web page.
PURPOSE OF THIS MANUAL
The AADvance controller is a logic solver. It uses processor modules and I/O modules. An AADvance system is formed by one or more controllers, their power sources, communications networks and workstations.
This technical manual describes the features, performance and functionality of the AADvance controller and systems. It sets out some guidelines on how to make a system that fits your application requirements.
WHO SHOULD USE THIS MANUAL
This manual is intended primarily for system designers and technical sales people who need to understand the capabilities of an AADvance controller. This manual will help you to design a satisfactory system.
The information contained in this manual is intended to be used in conjunction with (and not as an alternative for) expertise and knowledge about safety-related systems. It is expected that the reader has an in depth understanding of the intended application and can understand the generic terms used inside this manual and the terminology used in the integrator's or project's application area.
Environmental compliance
Rockwell Automation maintains current product environmental information on its website at:
http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page

Table of Contents

Chapter 1
The AADvance System
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 2
The AADvance Safety Controller
Safety Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Safety Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Performance and Electrical Specifications . . . . . . . . . . . . . . . . . . . . . . . 23
Scan Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Environmental Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Certifications for Safety System Applications in Hazardous Environments . . . . . . . . 27
ATEX Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
IECEx UL Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Module Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
KCC-EMC Registration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Main Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Physical Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Compact Module Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Module Polarization Keying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Module Locking Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Processor Base Unit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
External Ethernet, Serial Data and Power Connections . . . . . . . 33
Serial Communications Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
I/O Base Unit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Termination Assemblies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Product Dimensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Corrective Maintenance and Module Replacement. . . . . . . . . . . 42
Processor Back-up Battery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Expansion Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Technical Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
TUV Approved Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Internal Diagnostics and Fault Reset . . . . . . . . . . . . . . . . . . . . . . . . 46
Remote Fault Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Controller Internal Bus Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . 47
On-line updates I/O Configuration Changes . . . . . . . . . . . . . . . . 48
Hot Swap I/O for Business Critical Channels. . . . . . . . . . . . . . . . 48
Processor Firmware Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Ethernet Communication Protocols . . . . . . . . . . . . . . . . . . . . . . . . 49
The AADvance Workbench and Software Development Environment 50
Operating Systems (32 or 64 bit). . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Importing and Exporting Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
AADvance Workbench Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Chapter 3
Controller Functionality
Field Data Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Process Safety Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
CIP and its Producer and Consumer Variables. . . . . . . . . . . . . . . . . . . 54
HART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Bindings and the SNCP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Serial Communication Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Time Synchronization SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
MODBUS Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
MODBUS Master Hardware and Physical Connections . . . . . . 58
Controller IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Recovery Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Differential Services (DiffServ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Serial Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Ethernet Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Compiler Verification Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
The OPC Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chapter 4
AADvance System Architectures
SIL 2 Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
SIL 2 Fail-safe Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
SIL 2 Fault Tolerant Input Architectures . . . . . . . . . . . . . . . . . . . . 64
SIL 2 Fault Tolerant Output Architecture. . . . . . . . . . . . . . . . . . . 65
SIL 2 Fault Tolerant Input and SIL 2 High Demand Architecture . . . . . . . 66
SIL 3 Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
SIL 3 Fail-safe I/O, Fault Tolerant Processor. . . . . . . . . . . . . . . . . 68
SIL 3 Fault Tolerant I/O Architectures. . . . . . . . . . . . . . . . . . . . . . 69
SIL 3 TMR Input and Processor, Fault Tolerant Output. . . . . . 70
Certified Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Example Architectures with Approved Modules . . . . . . . . . . . . . . . . . 73
Standard Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Simplex I/O Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Dual Architecture for Fault Tolerant Applications . . . . . . . . . . . 77
Triple Modular Redundant Architecture . . . . . . . . . . . . . . . . . . . . 79
Mixed Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Mixed I/O Architectures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Mixed Safety Integrity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Distributed Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Example Distributed Controller Systems . . . . . . . . . . . . . . . . . . . . 85
Typical Network Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Controller External Network Connectors . . . . . . . . . . . . . . . . . . . 87
Specifying a Safety Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter 5
AADvance Scalability
I/O Channel Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Simplex I/O Channel Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Dual I/O Channel Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Triple Modular Redundant Channel Capacity . . . . . . . . . . . . . . . 91
Adding I/O Channel Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
On-line updates I/O Configuration Changes . . . . . . . . . . . . . . . . . . . . 92
Bus Connectors and Expansion Cable. . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Redundancy and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Expansion using Distributed Controllers . . . . . . . . . . . . . . . . . . . . . . . . 94
Chapter 6
Specifying a New Controller
Information to Specify a New Controller . . . . . . . . . . . . . . . . . . . . . . . . 95
Define a New System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Specify I/O Base Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Choosing Termination Assemblies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Estimate AADvance Controller Weight. . . . . . . . . . . . . . . . . . . . . . . . 100
System Installation Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Specifying an Enclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Maximum Enclosure Air temperature . . . . . . . . . . . . . . . . . . . . . . 102
Enclosure Requirements for a Non-hazardous Environment . 102
Enclosure Requirements for a Hazardous Environment - Class I, Division 2, Groups A, B, C and D . . . 103
Estimate Heat Dissipation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Backplane Electrical Ratings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
System Power Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Power Arrangements for Field Devices . . . . . . . . . . . . . . . . . . . . . 107
Power Supply and Power Distribution Requirements . . . . . . . . 108
Estimating Power Consumption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 7
Module Overview and Specifications
T9110 Processor Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
T9110 Processor Module Specification . . . . . . . . . . . . . . . . . . . . . 112
T9100 Processor Base Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
T9100 Base Unit Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
T9300 I/O Base Unit (3 way) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
T9300 Base Unit Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
T9310 Expansion Cable Assembly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
T9310 Extension Cable Specification . . . . . . . . . . . . . . . . . . . . . . 120
T9401/2 Digital Input Module, 24 Vdc, 8/16 channel . . . . . . . . . . 121
T9401/2 Digital Input Module Specification . . . . . . . . . . . . . . . 121
T9801/2/3 Termination Assemblies for Digital Inputs . . . . . . . . . . 123
T9801/2/3 Digital Input Termination Assembly . . . . . . . . . . . 124
T9431/2 Analogue Input Module, 8/16 Channel . . . . . . . . . . . . . . . 125
T9431/2 Analogue Input Module Specification. . . . . . . . . . . . . 126
T9831/2/3 Termination Assemblies for Analogue Inputs . . . . . . . 127
Analogue Input Termination Assembly . . . . . . . . . . . . . . . . . . . . 128
T9451 Digital Output Module, 24Vdc, 8 channel. . . . . . . . . . . . . . . 129
T9451 Digital Output Module Specification. . . . . . . . . . . . . . . . 130
T9851/2 Termination Assemblies for Digital Outputs . . . . . . . . . . 131
T9851/2 Digital Output Termination Assembly Specifications 131
T9892 Digital Output Termination Assembly . . . . . . . . . . . . . . 131
T9481/2 Analogue Output Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
T9481/2 Analogue Output Module Specification . . . . . . . . . . . 133
T9881/2 Termination Assemblies for Analogue Outputs. . . . . . . . 134
T9881/2 Analogue Output Termination Assembly Specification . . . . . 134
Chapter 8
Application (Resource) Development
Programming Language Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Program Management Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Support for Variable Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
I/O Connection (Addressing of Physical I/O) . . . . . . . . . . . . . . . . . . 136
Off-line Simulation and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Application (Resource) Program Security . . . . . . . . . . . . . . . . . . . . . . 137
Aids to Software Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 9
System Build
Controller Mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Free Space around the Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Assemblies of Base Units. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Base Units Rows and Expansion Cables . . . . . . . . . . . . . . . . . . . . . . . . 142
Controller Power Supply Requirements . . . . . . . . . . . . . . . . . . . . . . . . 144
Adding Field Cable Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 10
Parts List
Base Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Special Application Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Termination Assemblies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Expansion Cable Assembly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Blanking Covers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Spares and Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Demonstration Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Miscellaneous Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Chapter 11
Additional Resources
Regional Offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Chapter 1
The AADvance System

Introduction

An AADvance system consists of an AADvance controller, an external operator's workstation, field connections, power sources and external network connections. The flexibility of the design means that a system can meet a wide variety of business needs. An AADvance system is assembled to a scale and configuration that is applicable to your initial requirements and can be easily changed to meet your changing business requirements in the future. A system is built from an approved range of modules and assemblies.
This chapter introduces the primary components that can be used to assemble an AADvance controller.
Chapter 2
The AADvance Safety Controller
The AADvance controller is specifically designed for functional safety and critical control applications; it gives a flexible solution for smaller scale requirements. The system can be used for safety instrumented functions as well as for applications that are not related to safety but are nevertheless critical to a business process. The AADvance controller offers the ability to make a cost-effective system to a customer's specification for any of the following applications:
• Emergency shutdown system
• Fire and gas installation protection system
• Critical process control
• Burner management
• Boiler and furnace control
• Distributed process monitoring and control
• Turbo-machinery governor control and over-speed protection (not yet released)
An AADvance controller is particularly useful for emergency shutdown and fire and gas detection protection applications as it offers a system solution with integrated and distributed fault tolerance. It is designed and validated to international standards and is certified by independent certifying bodies for functional safety control installations, and by UL for use in hazardous environments.
A controller is built from a range of compact plug-in modules (see illustration) that are straightforward to assemble into a system. A system can have one or more controllers, a combination of I/O modules, power sources, communications networks and user workstations. It can operate as a stand-alone system or as a distributed node of a larger control system.
NOTE: The printed circuit boards of all AADvance modules, termination assemblies and backplanes are coated during manufacture. The coating meets defense and aerospace requirements, is approved to US MIL-I-46058C and meets IPC-CC-830. The coating is also UL approved.
A key benefit of the AADvance system is its flexibility. All of the configurations are readily achieved by combining modules and assemblies without using special cables or interface units. System architectures are user configurable and can be changed without major system modifications. I/O redundancy is configurable, so you can make a decision between fail-safe and fault tolerant solutions. There is no change to the complexity of operations or programming that the controller can handle if you add redundant capacity to create a fault tolerant solution.
The modules can be mounted onto DIN rails in a cabinet or directly onto a wall in a control room. Forced air cooling or special environmental control equipment is not necessary. However, careful consideration must be given to the choice of cabinet, particularly when the controller is installed in a hazardous environment.
Specific guidelines are given in this user documentation to help you choose an enclosure that will make sure that the system operates to its full capability and reliability and that it also complies with the ATEX and UL certification requirements for use in hazardous environments.
The Ethernet and serial ports are configurable for a number of protocols in both simplex and redundant configurations for connection to other AADvance controllers or external third-party equipment. Communication internally between the processors and I/O modules uses a proprietary protocol over a custom wired harness. The AADvance system supports the transport-layer protocols TCP and UDP for MODBUS, CIP, IXL, Telnet and SNTP services. MODBUS/TCP, Telnet and SNTP provide no encryption or authentication of their own, so access to these ports should be restricted to the trusted control network.
A secure network communications protocol (SNCP), developed by Rockwell Automation for the AADvance system, permits distributed control and safety using new or existing network infrastructure while ensuring the security and integrity of the data. Individual sensors and actuators can connect to a local controller, minimizing the lengths of dedicated field cabling. There is no need for a large central equipment room; rather, the complete distributed system can be administered from one or more PC workstations placed at convenient locations.
The AADvance controller is developed and built for IEC 61131 compliance and includes support for all five programming languages. (Instruction List (IL) and Sequential Function Chart (SFC) languages are not supported by AADvance® Workbench 2.0). Program access is secured by a "Program Enable" key that you can remove. Simulation software lets you prove a new application before reprogramming and downloading, again maximizing system uptime. Additional security functions are also included to help prevent unauthorized access.

Safety Features

The AADvance controller meets non-safety business requirements and SIL 2 and SIL 3 safety related system requirements. The system has comprehensive built-in redundant capabilities that improve system availability.
The AADvance safety system features are:
• Easily transformed from a simplex non-safety system to a fault tolerant safety related system.
• An AADvance platform provides a set of components that can be configured to meet a range of safety and fault tolerance user requirements within a single system, such as the fault tolerant topologies 1oo1, 1oo2D and 2oo3.
• IEC 61508 certified, reviewed and approved for safety systems up to SIL 3 by independent certifying bodies.
• The scalable characteristics of the system enable independent safety functions within the same system to be configured with different architectures to meet user-specific safety and availability requirements.
• The main components that provide the safety architecture are the processor and I/O modules; the remaining components provide secure external interfaces and connectivity between the field elements and the main components and add to the safety functionality.
• AADvance processor modules are designed to meet the requirements for SIL 2 and SIL 3 in a dual or triplicated configuration.
• Individual input modules are designed to meet the requirements for SIL 3 in simplex, dual or triple configurations.
• Individual output modules have been designed to meet the requirements for SIL 3 in a simplex or dual configurations.
• Safe SIL 3 rated 'Black Channel' external communication over Ethernet.
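The voting topologies named above (1oo1, 1oo2D, 2oo3), and the 1oo1D / 1oo2D / 2oo3D degradation sequence given later in Table 1, are easier to reason about with a small voter in hand. The following is an example added for this page; it is not AADvance firmware and not a Rockwell API. The channel model, the function names and the rule that a channel failing its diagnostics is dropped from the vote with the required agreement count reduced accordingly are assumptions of the example, chosen to match the de-energize-to-trip behaviour the handbook describes.

```python
"""MooN voting with diagnostics, as an added illustration of the 1oo1, 1oo2D
and 2oo3D topologies. Not AADvance firmware or a Rockwell API: the names and
the exclusion rule for channels that fail diagnostics are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    RUN = "run"    # outputs stay energized; the process keeps running
    TRIP = "trip"  # outputs de-energized: the safe state of a de-energize-to-trip loop


@dataclass(frozen=True)
class Channel:
    """One voting channel, for example one processor module.
    `healthy` is the verdict of the channel's own diagnostics (the D in
    1oo2D); `demands_trip` is the channel's own logic result."""
    name: str
    demands_trip: bool
    healthy: bool = True


def vote(channels: List[Channel], m: int) -> Tuple[Decision, str]:
    """MooN-D voter for a de-energize-to-trip system.

    A channel that its diagnostics have flagged faulty is taken out of the
    vote, and the number of agreeing channels needed to trip falls with it,
    so a 2oo3D set degrades to 1oo2D and then to 1oo1D. Once no healthy
    channel is left there is nothing to vote on and the only safe answer is
    to trip. Returns the decision and the effective architecture."""
    faulty = [c for c in channels if not c.healthy]
    healthy = [c for c in channels if c.healthy]
    if not healthy:
        return Decision.TRIP, "fail-safe"
    m_eff = max(1, m - len(faulty))
    arch = f"{m_eff}oo{len(healthy)}D"
    trips = sum(1 for c in healthy if c.demands_trip)
    return (Decision.TRIP if trips >= m_eff else Decision.RUN), arch


def degradation_path(n: int, m: int) -> List[str]:
    """Architectures seen as diagnosed faults accumulate one channel at a
    time, starting from a healthy MooN set, e.g. 2oo3D -> 1oo2D -> 1oo1D -> fail-safe."""
    path = []
    for k in range(n + 1):
        chans = [Channel(f"P{i}", demands_trip=False, healthy=(i >= k))
                 for i in range(n)]
        path.append(vote(chans, m)[1])
    return path


if __name__ == "__main__":
    # Constructed scenarios, not measurements from any real controller.
    tmr = [Channel("P0", False), Channel("P1", True), Channel("P2", False)]
    print(vote(tmr, 2))        # a single silently disagreeing channel is out-voted
    tmr_fault = [Channel("P0", False, healthy=False),
                 Channel("P1", True), Channel("P2", False)]
    print(vote(tmr_fault, 2))  # faulty channel excluded: now 1oo2D, one demand trips
    print(degradation_path(3, 2))
```

Running it shows the two sides of the D: a 2oo3D set tolerates one channel that disagrees without its diagnostics noticing, a diagnosed fault turns the same set into 1oo2D where any one trip demand is honoured, and 1oo1D is the last stop before a further diagnosed fault forces the trip. That is why the handbook requires a controller whose processor modules have degraded to 1oo1D to be restored to at least 1oo2D.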

Safety Configurations

An AADvance system supports the following safety configurations:
Fail-safe
I/O modules fail-safe in the most basic simplex system.
SIL 2
SIL 2 architectures for fail-safe low demand applications. All SIL 2 architectures can be used for energize or de-energize to trip applications.
• SIL 2 low demand architectures
• SIL 2 fail safe architectures
• SIL 2 fault tolerant input architectures
• SIL 2 triplicated input architectures
• SIL 2 fault tolerant output architectures
• SIL 2 fault tolerant input/output architectures
SIL 3
SIL 3 architectures:
• SIL 3 de-energize to trip applications.
• SIL 3 energize to action applications when fitted with dual digital output modules.
• SIL 3 simplex or dual output module architectures
• SIL 3 fail safe I/O fault tolerant processor architecture
• SIL 3 fault tolerant architecture
• SIL 3 fault tolerant simplex, dual and triple input architectures
• SIL 3 dual or triple processor architectures
• SIL 3 high demand applications where the required safe state is greater than 4 mA, when fitted with dual analogue output modules (A ‘safe state’ is an output configured to go to a specific value, or configured to hold last state)

Performance and Electrical Specifications

Table 1 - Controller Performance and Electrical Specifications
Attribute | Value
Performance Characteristics
Safety Integrity Level | IEC 61508 SIL 2; IEC 61508 SIL 3 (depending on processor and I/O module configuration) (1)
Safety level degradation | 1oo1D, 1oo2D, 2oo3D
Processor modules supported | Three
I/O modules supported | 48 (8 or 16 channel modules)
Safety Accuracy Limit: digital inputs | 1.0 Vdc
Safety Accuracy Limit: analogue inputs | 200 μA
Sequence of Event resolution, processor module (internal variables): event resolution | 1 ms
Sequence of Event resolution, processor module (internal variables): time stamp accuracy | Application scan
Sequence of Event resolution, digital input module: event resolution | 1 ms
Sequence of Event resolution, digital input module: time stamp accuracy | 10 ms
Electrical Characteristics
Supply voltage | Redundant 24 Vdc nominal, 18 Vdc to 32 Vdc range
Channel isolation (channel to channel and channel to chassis), maximum withstanding | ± 1.5 kVdc withstand for 1 minute
(1) When a controller's processor modules have degraded to 1oo1D, the system must be restored to at least 1oo2D by replacing the faulty processor module(s) within the MTTR assumed in the PFD calculations; also, unless compensating measures are defined in the Safety Requirements Specification (SRS) and documented in operating procedures, the application program must be designed to shut down safety instrumented functions if a module failure due to a dangerous fault has not been replaced within the MTTR.
IMPORTANT Overall system power consumption, heat dissipation and weight can be estimated using the values given in the heat dissipation and weight data tables shown in this manual.
Scan Times
The controller processing scan times listed in the table are taken from a test system which used only production modules. The tests which were used to measure the scan times did not measure the effects of logic complexity and communications loading.
Table 2 - Typical Module Scan Times
Module | Simplex | Dual | Triple
9402 Digital input module, 24 Vdc, 16 channel | 0.924 ms | 1.676 ms | 2.453 ms
9432 Analogue input module, 24 Vdc, 16 channel | 1.170 ms | 1.965 ms | 2.656 ms
9451 Digital output module, 24 Vdc, 8 channel | 1.174 ms | 2.202 ms | -
9482 Analogue output module, 24 Vdc, 8 channel | 0.981 ms | 1.761 ms | -
Scan overhead for each module | 0.04 ms
Minimum cycle time overhead (1) | 39.3 ms
(1) The minimum overhead to the cycle time is a feature of the AADvance Workbench.
The scan time is:
Scan time = 39.3 ms
+ Sync time
+ Total number of modules * 0.04 ms
+ Σ (Number of module groups x scan time shown above)
Where:
Sync time is a function of the total number of modules, according to the following table:
Total modules | Sync time
0..10 | 20 ms
11..20 | 22 ms
21..30 | 24 ms
31..40 | 27 ms
41..48 | 32 ms
Although the average scan time will be within 1 ms of the scan time calculated above, the calculation does not take into account the effects of application logic and network communication, and individual scans can vary by up to +/- 4 ms around the average scan time.
Throughput time is the time from input change to output action. For asynchronous inputs the throughput times can be derived from the scan time calculated above according to the following formulae:
• Minimum throughput time = Scan time + 7 ms
• Maximum throughput time = 2 x Scan time + 13 ms
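The estimator below is an added worked example for this section; it is not Rockwell Automation code. It codes the scan-time formula, the sync-time bands and the typical per-module scan times of Table 2 so that a candidate I/O configuration can be checked before it is built, and it refuses configurations the handbook does not cover (more than 48 modules, or a triple output group, which Table 2 does not list). The catalog numbers, redundancy values and the Group type are this example's own naming; the per-module figures are the handbook's test-system values and, as the handbook cautions, exclude logic complexity and communications loading.

```python
"""Scan-time and throughput estimator for an AADvance controller.

Added worked example for the Solutions Handbook scan-time formula; this is
not Rockwell Automation code.  Per-module figures are the handbook's typical
values and exclude logic complexity and communications loading.
"""
from dataclasses import dataclass
from typing import Iterable

MIN_CYCLE_OVERHEAD_MS = 39.3    # minimum cycle-time overhead (a Workbench feature)
PER_MODULE_OVERHEAD_MS = 0.04   # scan overhead added for every I/O module
MAX_IO_MODULES = 48             # controller limit from Table 1

# Typical scan time per module group, keyed by (catalog number, redundancy),
# where redundancy 1 = simplex, 2 = dual, 3 = triple.  The handbook lists no
# triple configuration for the output modules, so those keys are absent.
GROUP_SCAN_MS = {
    ("9402", 1): 0.924, ("9402", 2): 1.676, ("9402", 3): 2.453,  # digital input
    ("9432", 1): 1.170, ("9432", 2): 1.965, ("9432", 3): 2.656,  # analogue input
    ("9451", 1): 1.174, ("9451", 2): 2.202,                      # digital output
    ("9482", 1): 0.981, ("9482", 2): 1.761,                      # analogue output
}

# Sync time bands: (highest module count in the band, sync time in ms).
SYNC_BANDS_MS = [(10, 20.0), (20, 22.0), (30, 24.0), (40, 27.0), (48, 32.0)]


@dataclass(frozen=True)
class Group:
    """A number of identical module groups, e.g. 30 simplex T9432 groups."""
    catalog: str      # "9402", "9432", "9451" or "9482"
    redundancy: int   # 1, 2 or 3 modules per group
    count: int        # how many such groups are in the configuration

    @property
    def modules(self) -> int:
        return self.redundancy * self.count


def sync_time_ms(total_modules: int) -> float:
    """Look up the sync time for the total number of I/O modules."""
    if total_modules < 0:
        raise ValueError("module count cannot be negative")
    for upper, sync in SYNC_BANDS_MS:
        if total_modules <= upper:
            return sync
    raise ValueError(f"{total_modules} modules exceeds the {MAX_IO_MODULES} module limit")


def scan_time_ms(groups: Iterable[Group]) -> float:
    """Scan time = 39.3 ms + sync time + modules * 0.04 ms + sum(groups * group scan time)."""
    groups = list(groups)
    total_modules = sum(g.modules for g in groups)
    group_time = 0.0
    for g in groups:
        key = (g.catalog, g.redundancy)
        if key not in GROUP_SCAN_MS:
            raise ValueError(f"no typical scan time for {g.catalog} with redundancy {g.redundancy}")
        group_time += g.count * GROUP_SCAN_MS[key]
    return (MIN_CYCLE_OVERHEAD_MS + sync_time_ms(total_modules)
            + total_modules * PER_MODULE_OVERHEAD_MS + group_time)


def throughput_bounds_ms(scan_ms: float) -> tuple[float, float]:
    """Minimum and maximum input-to-output throughput for asynchronous inputs."""
    return scan_ms + 7.0, 2.0 * scan_ms + 13.0


if __name__ == "__main__":
    # The handbook's example configuration: 30 simplex T9432 and 18 simplex T9451.
    example = [Group("9432", 1, 30), Group("9451", 1, 18)]
    scan = scan_time_ms(example)
    low, high = throughput_bounds_ms(scan)
    print(f"scan {scan:.1f} ms, throughput {low:.1f} ms to {high:.1f} ms")
```

For the handbook's own configuration the estimator returns 129.452 ms, which rounds to the 129.5 ms shown. The handbook rounds the scan time to 0.1 ms before the throughput step, so it reports 272.0 ms as the maximum where the unrounded figure is 271.9 ms; the difference is well inside the +/- 4 ms scan-to-scan variation quoted above.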
An example configuration scan time:
System configuration includes T9432 Analogue input simplex modules x 30 and T9451 Digital output simplex modules x 18.
Total I/O modules = 48
Sync time = 32 ms
Scan time = 39.3 ms + 32 ms + (48 x 0.04) ms + (30 x 1.170) ms + (18 x 1.174) ms => 129.5 ms
Minimum throughput time = 129.5 ms + 7 ms => 136.5 ms
Maximum throughput time = (2 x 129.5) ms + 13 ms => 272.0 ms

Environmental Specification

An AADvance system can be installed in a non-hazardous or a hazardous environment. In a non-hazardous environment a system does not have to be installed in an enclosure; however, the area where it is installed must maintain a Pollution Degree 2 environment (IEC 60664-1).
The following environmental specification defines the minimum environmental conditions for an AADvance controller installation. Additional conditions apply to systems installed in a Hazardous environment.
Table 3 - Environmental Specification
Attribute | Value
Operating temperature range, hazardous environments: processor modules | –25 °C to +60 °C (–13 °F to +140 °F)
Operating temperature range, hazardous environments: I/O modules and termination assemblies | –25 °C to +70 °C (–13 °F to +158 °F)
Operating temperature range, non-hazardous environments: processor modules, I/O modules and termination assemblies | –25 °C to +70 °C (–13 °F to +158 °F)
Storage and transport temperature range | –40 °C to +70 °C (–40 °F to +158 °F)
Module surface temperature (during usual operation) | 43 °C (109 °F) ± 2 °C
Humidity, operating | 10 % to 95 % RH, non-condensing
Humidity, storage and transport | 10 % to 95 % RH, non-condensing
Vibration, functional stress, 5 Hz to 9 Hz: continuous | 1.7 mm amplitude
Vibration, functional stress, 5 Hz to 9 Hz: occasional | 3.5 mm amplitude
Vibration, withstand, 10 Hz to 150 Hz | Acceleration 0.1 g in 3 axes
Vibration, endurance, 10 Hz to 150 Hz | Acceleration 0.5 g in 3 axes
Shock | 15 g peak, 11 ms duration, ½ sine
Altitude, operating | 0 to 2,000 m (0 to 6,600 ft.)
Altitude, storage and transport | 0 to 3,000 m (0 to 10,000 ft.); this equipment must not be transported in unpressurized aircraft flown above 10,000 ft.
Electromagnetic interference | Tested to the following standards: EN 61326-1:2006, Class A; EN 61326-3-1:2008; EN 54-4:1997, A1; EN 61131-2:2007; EN 62061:2005
Hazardous location capability | Suitable for Class I Div 2 Groups A, B, C and D (1)
(1) There is no specific protection against liquids.

Certifications for Safety System Applications in Hazardous Environments

ATEX Certificate
Refer to AADvance Series T9000 Programmable Control and Safety System ATEX certificate, publication 9000-CT003.
IECEx UL Certificate
Refer to AADvance Series T9000 Programmable Control and Safety System IECEx certificate, publication 9000-CT006.
Module Label
The following label information must be attached to each module.

KCC-EMC Registration

Main Components

Physical Features

An AADvance controller is built from durable processor and I/O modules and assemblies designed to IEC 61508 standards for safety systems, and is configured and programmed using the AADvance workstation software. Field devices connect directly to the controller, and external communication over the Ethernet and serial links uses a secure protocol.
A new and innovative style characteristic of the AADvance controller is the design of the hardware. All the modules and assemblies connect together easily without the need for inter-module wiring.
CAUTION: The controller contains static sensitive components. When the controller is installed attach a label that is clearly visible to tell operators to follow anti-static precautions when they touch or move modules. Failure to follow these instructions can result in damage to the equipment.
Compact Module Design
Each processor and I/O module has a flame-retardant and impact-resistant plastic cover. The cover is designed to help ventilation and heat dissipation occur naturally without the need for fan assisted cooling. Processor and I/O modules fit onto standardized base units. Base units plug together by side connectors and are securely held in position by specially designed plastic clips which cannot corrode or seize up. Modules are retained by a locking screw which is easy to access from the front.
Figure 1 - An AADvance Module
NOTE Standard AADvance modules have a plastic casing and are rated IP20: protected against solid objects over 12 mm (1/2 in.), for example "fingers". There is no specific protection against liquids.
Module Polarization Keying
For each I/O Module there is a matched termination assembly. The controller incorporates module polarization keying to make sure that they are correctly mated when installed. Sockets on the rear end plate align and mate with coding pins found on the termination assembly. The alignment of the sockets and pins makes sure that only the matched I/O modules and termination assemblies can be mated.
Figure 2 - Coding Sockets
Module Locking Mechanism
Figure 3 - Locking Screw
Each module carries a locking mechanism, which secures the module onto its base unit. The locking mechanism is in the form of a clamp screw, which can be seen on the front panel of the module and engaged by a quarter turn of a flat blade screwdriver. The module senses the locking mechanism position and notifies the controller accordingly. This acts as an interlock device and helps prevent the module from going on-line when it is not in the locked position.
Processor Base Unit
A processor base unit holds up to three processor modules:
External Ethernet, Serial Data and Power Connections
The processor base unit external connections are:
• Earthing Stud
• Ethernet Ports (E1-1 to E3-2)
• Serial Ports (S1-1 to S3-2)
• Redundant +24 Vdc power supply (PWR-1 and PWR-2)
• Program Enable security key (KEY)
• The FLT connector (currently not used).
Figure 4 - External Connectors on the Processor Base Unit
The power connections supply all three modules with redundant power; each processor module has two serial ports and two Ethernet port connectors. The KEY connector supports all three processor modules and helps prevent access to the application unless the Program Enable key is inserted.
Serial Communications Ports
The serial ports (S1-1 and S1-2; S2-1 and S2-2; S3-1 and S3-2) support the following signal modes depending on use:
• RS485fd: A four-wire full duplex connection that features different busses for transmit and receive. This selection must also be used when the controller is acting as a MODBUS master using the optional four-wire definition specified in Section 3.3.3 of the MODBUS-over-serial standard.
• RS485fdmux: A four-wire full-duplex connection with tri-state outputs on the transmit connections. This must be used when the controller is acting as a MODBUS Slave on a four-wire bus.
• RS485hdmux: A two-wire half duplex connection applicable for master slave or slave use. This is shown in the MODBUS-over-serial standard.
I/O Base Unit
An I/O base unit holds up to three I/O modules:
Termination Assemblies
The AADvance system provides a range of termination assemblies to connect field wiring to the I/O modules. A termination assembly is a printed circuit equipped with screw terminal blocks for the field wiring (and in some cases fuses) and connectors for the plug-in I/O modules. Termination assemblies give the system designer flexibility when configuring redundant and fault tolerant systems.
Termination assemblies come in three types: simplex, dual or triple, to accommodate one, two or three I/O modules. Each termination assembly provides connections for up to 16 channels and can accommodate 8 or 16 channel modules.
The version illustrated is a simplex termination assembly for a digital input module. The field wiring connectors are located to the left, the fuses have a cover (shown open) and the module sockets are to the right. Each fuse cover has a label that identifies the fuse numbers.
Figure 5 - Single Termination Assembly
Figure 6 - Top View
T9892 Digital Output Termination Assembly
The T9892 termination assembly operates in conjunction with the T9451 Digital Output Module and provides 8 dual configuration output channels. It shares the same pin-out as the standard AADvance T9852 Digital Output Termination Assembly and has the same coding peg configuration. The difference is that the T9892 has a separate connector for the field power input voltage connections (the leftmost terminal block shown below). It also has additional fusing to give extra protection against field faults.
Figure 7 - T9892 Dual Termination Assembly
Field Wiring
Field device wiring connections are made to industry-standard screw terminal blocks on the termination assemblies. Terminals are easy to access without needing to dismantle assemblies. The specification for the field wiring sizes is given in the topic "Power and External Connector Wiring Requirements".
This illustration shows field wiring connections at the termination assemblies.
Figure 8 - Field Wiring Connections
NOTE The recommended torque for termination assembly screw connectors is 5 Nm.
Product Dimensions
A typical controller arrangement is shown with processor modules installed on the processor base unit and an I/O base unit mated with the processor base unit. I/O modules are installed on the base unit and a termination assembly plugged into the I/O base unit.
Table 4 - Summary of Dimensions
Attribute | Value
Base unit dimensions (H × W × D), approx. | 233 mm × 126 mm × 18 mm (9-¼ in. × 5 in. × ¾ in.) (see text)
Module dimensions (H × W × D), approx. | 166 mm × 42 mm × 118 mm (6-½ in. × 1-⅝ in. × 4-⅝ in.)
The depth of the base unit (18 mm) excludes the parts of the backplane connectors that mate inside the module connectors. Adding the depth of a module (118 mm) to the depth of the base unit gives the overall depth of the controller assembly as 136 mm.
Module Dimensions
All modules have the same dimensions.
Figure 9 - Module Dimensions
Corrective Maintenance and Module Replacement
Scheduled maintenance consists of checking the I/O Module calibrations and proof tests. Detailed scheduled and corrective maintenance information is given in the AADvance Troubleshooting and Maintenance Manual Doc No: ICSTT-RM406. Corrective maintenance is by module replacement and where required fuse replacement in Termination Assemblies. In dual and triple modular redundant configurations, you can remove a module and install a new one without interrupting the system operation. In simplex configurations removing a module will interrupt the system operation. However, certain restrictions apply on module replacement timing for Safety Related systems (see the AADvance Safety Manual - ICSTT-RM446 for guidance).
Field connection wiring is attached at the connectors on the termination assemblies. Ethernet and Serial data connections are made at the T9100 Processor Base Unit. There are no physical links needed to be set up on any modules or base units. Standard modules are used for all the different configurations.
IMPORTANT Processor modules must be replaced with a module containing the same firmware revision; you cannot use processor modules with different firmware revisions on the same controller.
Processor Back-up Battery
The 9110 processor module has a back-up battery that powers its internal Real Time Clock (RTC) and a part of the volatile memory (RAM). The battery only supplies power when the processor module is no longer powered from the system power supplies. The specific functions that the battery maintains on complete loss of power are:
• Real Time Clock - The battery supplies power to the RTC chip itself.
• Retained Variables - Data for retained variables is stored at the end of each application scan in a portion of RAM backed up by the battery. On restoration of power, the retained data is loaded back into the variables assigned as retained variables for use by the application.
• Diagnostic logs - The processor diagnostic logs are stored in the portion of RAM backed by the battery.
The battery has a design life of 10 years when the processor module is continually powered; for processor modules that are un-powered, the design life is up to 6 months. Battery design life is based on operating at a constant 25°C and low humidity. High humidity, temperature and frequent power cycles will shorten the operational life of the battery.
Low Battery Alarm
A variable is available in the Workbench that can be set up and report the battery status. It will give an alarm and set a warning light on the processor front panel when the battery voltage is low.
Disabling the Low Battery Alarm
For applications that do not require Real Time Clock functionality, or where specific constraints (for example, the controller is in an inaccessible location) make it necessary to remove the battery when the system is installed and set up, the battery failure alarm can be disabled at the Workbench.
Battery Location
The battery is supplied separately and inserted into a slot behind a removable cover on the front panel of the processor module. The battery position is shown in the illustration:
CAUTION: The battery may explode if mistreated. Do not recharge, disassemble or dispose of in a fire.
Battery Specification
A poly-carbon monofluoride lithium coin battery with a nominal voltage of 3 V; nominal capacity 190 mAh; continuous standard load 0.03 mA; operating temperature range -30 °C to +80 °C; manufactured by Panasonic.
Expansion Cable
This is used to add extra rows of I/O base units and modules.

Technical Features

TUV Approved Operating System
The AADvance system runs an IEC 61508 approved operating system, and the overall system is certified to IEC 61508 Parts 1-7 (1998-2000) SIL 3.
Internal Diagnostics and Fault Reset
The AADvance controller contains comprehensive internal diagnostic systems to identify faults that occur during operation and trigger warnings and status indications. The diagnostic systems run automatically and test the system for faults related to the controller, and for field faults related to field I/O circuits. Serious problems are reported immediately, but faults on non-critical items are filtered to help prevent spurious alarms: the diagnostic systems monitor such items at regular intervals, and need a number of occurrences of a possible fault before reporting it as a problem.
The diagnostic systems use simple LED status indications to report a problem. The LED indications identify the module and can also identify the channel where the fault has occurred. There is also a summary system healthy indication for the whole controller. The application software uses its variable structures to report a fault; these variables give status reports and are configured using the AADvance Workbench.
Faults in the processor modules are non-latching. The controller will recover automatically and the fault indication will clear once the fault condition has been removed. Faults in the I/O modules are latched. To clear them, a fault reset signal is sent from the processor module by pressing the Fault Reset button on the processor module front panel. Field faults are not latched and will clear as soon as the field fault is repaired.
When the Fault Reset button on a processor module is pressed it attempts to clear the fault indication immediately; however, if the fault is still present the diagnostic systems will report the serious problem again so quickly that there will be no visible change in the fault status indications.
Remote Fault Reset
Using the Workbench software you can set up a fault reset variable to mimic pressing the Fault Reset button on the front panel. This feature is provided for systems located in inaccessible locations. Refer to the AADvance Configuration Guide Doc No: ICSTT-RM458 for Workbench 2.x; regarding instructions on how to set up the variable.
Controller Internal Bus Structure
Internal communication between the processor modules and I/O modules is supported by command and response busses that are routed across the processor and I/O base units.
The processor modules act as a communications master, sending commands to the I/O modules and processing their returned responses. The two command busses, I/O Bus 1 and I/O Bus 2, take the commands from the processor to the I/O modules on a multi-drop basis. An inter-processor link (IPL) supplies the communication links between dual or triple processor modules.
Each I/O module has a dedicated response line which returns to the processor. The unique response line for each I/O module supplies an unambiguous identification of the source of the I/O data and assists with fault containment.
On-line updates I/O Configuration Changes
The AADvance controller modular design makes it easy to create and change the I/O configuration. The on-line update facility enables you to make changes to the I/O configuration after the system is commissioned.
An on-line update can be used for the following changes.
• Expand a system and add new I/O modules, base units and termination assemblies.
• Change the module type in a simplex or group arrangement.
• Expand a simplex or group arrangement.
• Downgrade a group arrangement.
• Move a module to a different slot.
• Change an application variable.
You only have to plug an additional I/O base unit into the side socket on an installed I/O base unit. The command busses on the I/O base units do not need different terminations on the open ends of transmission lines, and the data response busses and power sources are supplied across all I/O base units. Termination assemblies are pushed into the I/O base unit for the additional I/O modules. To put the new modules on-line and make the changes to the system fully operational, the hardware configuration in the AADvance Workbench software must be updated by an on-line update.
IMPORTANT For Release 1.3 you can change the I/O module configuration with an on-line update. However, if you are using an earlier product release the I/O configuration cannot be changed with an on-line update.
IMPORTANT An on-line update could affect the operation of the controller such that the application is stopped or the I/O data flow is interrupted. The AADvance Safety Manual outlines the precautions you need to follow when doing on-line updates on a Safety System.
When there is not sufficient space for extra I/O base units on a row you can use the Expansion Cable to connect a new row of I/O base units and modules to further expand the I/O system.
Hot Swap I/O for Business Critical Channels
You can add a "hot swap" capability for business critical data channels by installing a single I/O module into a dual TA. When a dual TA is configured this way, you are leaving an empty spare slot for a replacement I/O module when a fault occurs. You can insert a new I/O module into the spare slot and restore a failed channel without interrupting the operation of the other channels.
TIP Configure this "hot swap" arrangement when you configure your system at installation and set up time.
Processor Firmware Upgrades
You can check the firmware revision of your processor modules without removing them to read the label, and you can upgrade the firmware revision of the processor modules. Upgrading the firmware in the 9110 processor module is done in the Recovery Mode and is a two-stage process:
• Stage 1: Run the latest version of the 350720_xxx_ControlFLASH.msi program to install the ControlFLASH™ firmware upgrade kit for the Recovery Mode on your PC. Then run the ControlFLASH utility to upgrade your processor module and install the Recovery Mode. If your module is delivered with the Recovery Mode installed, this stage is not necessary.
Stage 1 must be performed individually on each processor module; it does not matter whether you load the Recovery Mode into the modules one at a time in a single slot or with each module in its own slot.
• Stage 2: Reboot the processor and press and hold the Fault Reset button to enter the Recovery Mode. Then run the latest version of the 354400_xxxx_ControlFLASH.msi program to install the ControlFLASH kit that upgrades your processor's OS, FPGA, LSP and BUSP.
When stage 1 is completed, ControlFLASH can be used to upgrade three processor modules in the same processor base unit all at the same time.
NOTE Detailed information and procedures on firmware revision are given in the AADvance Configuration Guide Doc No: ICSTT-RM405 and AADvance Configuration Guide Doc No: ICSTT-RM458 for Workbench 2.0.
Tools and Resources
You will need the ControlFLASH firmware upgrade kit:
• Quick Start and RSLinx Classic Lite software or better.
• ControlFLASH programming tool, along with its required support drivers and on-line help.
• Firmware for the processor modules being upgraded.
Ethernet Communication Protocols
AADvance Ethernet ports are used to support several transport layer services; these services are listed in the following table:
Protocol | Port Number | Purpose
TCP | 502 | MODBUS Slave
TCP | 1132 | ISaGRAF, application downloads, debug, SoE
TCP | 10001-10006 | Transparent Communication Interface (Serial Tunnelling)
TCP | 44818 | CIP™ Produce & Consume
TCP | N/A | Telnet (diagnostic interface)
UDP | 1123, 1124 | IXL Bindings
UDP | 2010 | Discovery and configuration protocol
UDP | 2222 | CIP Produce & Consume I/O
UDP | 5000 | Trusted® peer-to-peer
UDP | 44818 | CIP Produce & Consume
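The port table above is the natural baseline for checking what a controller actually exposes on its Ethernet ports. The script below is an added example, not Rockwell Automation code: it reads nmap "grepable" (-oG) output and reports ports that are open but absent from the documented table, documented services that were not seen, and documented services that this example assumes should be reachable only from the engineering network (application download on TCP 1132 and the discovery/configuration protocol on UDP 2010, since those change the application or the controller IP address; that grouping is the example's own judgement, not a handbook rule). The scan lines are constructed for illustration using a documentation address, not captured from a real controller; because the handbook lists the Telnet diagnostic interface without a port number, a Telnet listener cannot be in the baseline and is reported as undocumented.

```python
"""Audit an AADvance controller's open Ethernet ports against the handbook's port table.

Added example, not Rockwell Automation code.  Reads nmap -oG output and compares
it with the documented transport-layer services.  The sample scan lines are
constructed for illustration, not captured from a real controller.
"""
import re
from typing import Iterable

# Documented transport-layer services: (protocol, port) -> purpose.  The handbook
# lists the Telnet diagnostic interface without a port number, so it is not in the
# baseline and any Telnet listener will be reported as undocumented.
DOCUMENTED_SERVICES = {
    ("tcp", 502): "MODBUS Slave",
    ("tcp", 1132): "ISaGRAF, application downloads, debug, SoE",
    ("tcp", 44818): "CIP Produce & Consume",
    ("udp", 1123): "IXL Bindings",
    ("udp", 1124): "IXL Bindings",
    ("udp", 2010): "Discovery and configuration protocol",
    ("udp", 2222): "CIP Produce & Consume I/O",
    ("udp", 5000): "Trusted peer-to-peer",
    ("udp", 44818): "CIP Produce & Consume",
}
for _port in range(10001, 10007):
    DOCUMENTED_SERVICES[("tcp", _port)] = "Transparent Communication Interface (Serial Tunnelling)"

# Assumption of this example: services that can change the application or the
# controller's IP address should be reachable only from the engineering network.
ENGINEERING_ONLY = {("tcp", 1132), ("udp", 2010)}

# One nmap -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")

# Constructed sample of nmap -oG output (tab-separated fields, as nmap writes them).
SAMPLE_SCAN = [
    "# Nmap scan (constructed sample, not a real scan)",
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 502/open/tcp//modbus///, 1132/open/tcp/////, "
    "23/open/tcp//telnet///, 2222/open|filtered/udp/////, 44818/open/tcp//EtherNet-IP-2///"
    "\tIgnored State: closed (65531)",
]


def open_ports(grepable_lines: Iterable[str]) -> set[tuple[str, int]]:
    """Extract (protocol, port) for every open or open|filtered port in -oG output."""
    found: set[tuple[str, int]] = set()
    for line in grepable_lines:
        if "Ports:" not in line:
            continue
        for port, _state, proto in PORT_ENTRY.findall(line):
            found.add((proto, int(port)))
    return found


def audit(observed: set[tuple[str, int]]) -> dict[str, list[tuple[str, int]]]:
    """Classify observed ports against the documented baseline."""
    return {
        "undocumented": sorted(p for p in observed if p not in DOCUMENTED_SERVICES),
        "not_seen": sorted(p for p in DOCUMENTED_SERVICES if p not in observed),
        "engineering_only": sorted(p for p in observed if p in ENGINEERING_ONLY),
    }


if __name__ == "__main__":
    report = audit(open_ports(SAMPLE_SCAN))
    for category, ports in report.items():
        listed = ", ".join(f"{proto}/{port}" for proto, port in ports) or "none"
        print(f"{category}: {listed}")
```

Run it against a real scan with `nmap -sS -sU -p- -oG controller.gnmap <address>` and feed the file lines to `open_ports`; "not_seen" entries are normal when a service is simply not configured, while "undocumented" entries are the ones to explain. Scanning a live safety controller is itself an intrusive activity, so do it under change control and, where possible, against a spare or during a planned outage.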

The AADvance Workbench and Software Development Environment

The AADvance software lets you design one complete control strategy, and then target parts of the strategy to individual controllers. Interaction between the resources is automatic, significantly reducing the complexity of configuration in a multi-resource system. Programs can be simulated and tested on the workstation computer before downloading to the controller.
The workstation software is compliant with the IEC-61131 industrial standard and has several powerful features:
• the regulation of the flow of control decisions for an interacting distributed control system
• providing for the consistency of data
• providing a means for synchronous operation between devices
• mitigating the need to have separate synchronous schemes
• easing the development and maintenance of robust systems
The Workbench is a software development environment for a controller. It lets you create local and distributed control applications using the five languages of IEC 61131-3. (Instruction List (IL) and Sequential Function Chart (SFC) languages are not supported by AADvance Workbench 2.0.) Engineers can use one language or a combination that best suits their knowledge, programming style and the type of application.
The Workbench is a secure development environment. There is also a Program Enable key that must be plugged into the processor base unit to allow the user to modify and download the application resource, or to access the AADvance Discover tool to set or change the controller IP address. When the Program Enable key is removed, the application is protected from unauthorized access.
The development environment includes:
• tools for program development
• program documentation
• function block library management
• application archiving
• database configuration
• import/export utilities
• on-line monitoring
• off-line simulation and controlled on-line changes
Programs can be simulated and tested on the computer before downloading to the controller hardware. Also supplied is a set of configuration tools that enables you to define the hardware architecture in the software; set up the processor functionality; and connect application variables to the Workbench application resource program, which monitors processor and I/O module status information and reports I/O channel data values to the Workbench. Resource control applications can be distributed across several hardware platforms, communicating with each other through secure networks.
Operating Systems (32 or 64 bit)
The minimum workstation requirements for the application development software are as follows:
• Microsoft® Windows XP Service Pack 3
CAUTION: Do not use XP Professional x64 Edition.
•Windows Vista
•Windows 7
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
IMPORTANT For Workbench 1.3 Network Licensing - the Windows 64-bit version will only work with the USB license key and will not recognize a Workbench software license key.
Hardware:
• 1.6 GHz CPU
• 1 GB RAM (32-bit) or 2 GB RAM (64-bit) (add 512 MB if running in a virtual machine)
• DirectX 9 capable video card running at 1024 x 768 resolution display
• 5,400 RPM hard disk
• 3 GB available hard disk space
• DVD drive or network connection, to read software distribution files
• Network port (10/100 Base T Ethernet), for communications with the controller
NOTE If the application is Workbench 1.3 and adopts the USB dongle licensing option, the workstation PC will require one free USB port.
It is recommended that the PC has a 2.2 GHz or higher CPU; 1,024 MB or more RAM, a 1,280 x 1,024 display and a 7,200 RPM or higher hard disk.
It is also recommended that the hard disk has at least 10 GB free space. This provides sufficient space to hold the distribution zip file, the unzipped source files and the installed program files, and also enough space for Windows to operate reasonably quickly. You can get back a lot of this space by deleting the source files after finishing the installation.
Importing and Exporting Data
The AADvance Workbench can import and export existing data in standard file formats such as Microsoft Excel.
AADvance Workbench Licensing
The AADvance Workbench is licensed software. There are three types of license: full, single controller and demo.
• The single controller license is applicable for applications which use only one controller. The software features which add a second or subsequent controller to the project are disabled, and you cannot open an existing project which uses more than one controller.
• The full license supplies all of the features of the AADvance Workbench. It is applicable for applications with one or more controllers.
• The demo license is like a full license, but with a time limit. You can use all of the features of the AADvance Workbench for up to 30 days after the AADvance Workbench is first run.
A demo license is supplied free of charge for a first installation on a computer. You change the demo license to a single controller license or a full license by purchasing an unlock code from Rockwell Automation, and entering the code into the software. When you use the demo license, the AADvance Workbench displays a Demo License window each time you try to open a project. The window includes the contact details at Rockwell Automation required for purchasing a license.
If you try to use the demo license for more than 30 days, the license expires. You cannot open a project or create a new one until you purchase a license.
Page 53
Chapter 3
Controller Functionality
This chapter describes the controller functions that give you the flexibility to create a system to meet your specific business needs.

Field Data Handling

The AADvance controller is a logic solver and I/O processing device. The field data and field element control commands are routed across the field wiring to the termination assemblies, which are uniquely matched to their respective I/O modules. An internal bus structure and a secure communication protocol transport the data and command signals to and from the processing software.
The processor has a SIL 3 rated operating system and runs user developed applications to analyze and respond to the field data and produce the necessary field commands and user information. These application programs, developed by the user to meet their safety and business requirements, are downloaded from a workstation that has the AADvance Workbench application development software installed. A security device on the processor backplane helps prevent unauthorized access to the application software.

Process Safety Time

The Process Safety Time (PST) setting defines the maximum time that the processor will let the outputs stay in the ON state if certain internal diagnostic faults or systematic application faults occur. If the process safety time expires, the controller will go to its "safe state". The PST must be specified for the whole controller: it is a top level setting that you make once for the whole controller, and it is set at the processor module. I/O modules can be set to a lower PST but must not exceed this overall setting.
An AADvance controller adopts a default value for the PST = 2500 ms, which can be adjusted to meet your system requirements by using the following simple equation:
where PSTeuc is the process safety time for the equipment under control.

SNTP

The AADvance controller supports the Simple Network Time Protocol (SNTP) service that can circulate an accurate time around the network. As an SNTP client the controller will accept the current time from external Network Time Protocol (NTP) and SNTP network time servers.
SNTP client settings tell the controller the IP address of the external server, the version of SNTP offered by the server, and the operating mode for the time synchronization signal that the processors will use for their real-time clock.
An AADvance controller can also fulfill the role of one or more SNTP servers (one for each processor) to supply a network time signal throughout the network. To enable time serving on an interface it is necessary to give the direct broadcast address for that interface. This works for broadcast or unicast modes. This way of configuring is derived from the NTP configuration command language.

CIP and its Producer and Consumer Variables

You can configure CIP produce and consume variables for an AADvance controller.
One or more controller Ethernet ports may be used for CIP communications so long as they are on separate subnets.
Consideration must be given to the number and mix of produce/consume variables being used.
Each CIP consumer variable identifies the ControlLogix® controller and the tag produced by that controller, which provides a value to be consumed.
The AADvance controller sets its consumer variables to the most recent received value at the start of its application scan, before executing the logic. The controller updates its producer variables at the end of its application scan, after executing the logic. The AADvance controller uses the most recent value of a producer variable when sending a packet.
You cannot define a default value for a consumer variable. If the connection fails (typically because the communications link fails), the most recently received value of the consumer variable is retained. The maximum size of a CIP variable is 500 bytes.
If the variable is a structure having a mixture of element types, then each element starts on a new byte or word depending on its size. For example, a DINT following a single bit BOOL will start on a new 4 byte boundary. Also:
• A LINT must ALWAYS align on a 64 bit (8 byte) boundary.
• Any UDT that contains a LINT must ALWAYS be of a size that is divisible by 8 bytes.
IMPORTANT Only use CIP produce/consume between AADvance and ControlLogix Controllers. For data being exchanged between AADvance Controllers use bindings and the SNCP network.
For produce/consume with status the producing/consuming UDTs must be identical. This means that not only must elements of the UDT be of the same type but the UDT name itself must be identical in both controllers.
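The alignment and size rules above decide whether a produce/consume structure actually fits the 500 byte limit and whether the two ends agree on its layout. The following is an added example, not AADvance or Workbench code: it lays out a UDT from a member list using the stated rules (BOOL on a byte, DINT on a 4 byte boundary, LINT on an 8 byte boundary, a UDT containing a LINT padded to a multiple of 8) and checks that a producer and consumer definition match by name and element types. The natural alignment assumed for INT, REAL and SINT, and padding the whole UDT to its largest element alignment, are assumptions of this example that generalize the page's DINT and LINT cases.

```python
# Added example (not AADvance/Workbench code): lay out a CIP produce/consume UDT
# under the alignment rules above and check it against the 500 byte limit.
from typing import Dict, List, Tuple

# (size, alignment) in bytes. BOOL on a byte, DINT on a 4 byte boundary and LINT on
# an 8 byte boundary are stated by the handbook; natural alignment for SINT, INT
# and REAL is an assumption made for this example.
ELEM: Dict[str, Tuple[int, int]] = {
    "BOOL": (1, 1), "SINT": (1, 1), "INT": (2, 2),
    "DINT": (4, 4), "REAL": (4, 4), "LINT": (8, 8),
}
MAX_CIP_VARIABLE_BYTES = 500  # handbook: maximum size of a CIP variable


def _align(offset: int, boundary: int) -> int:
    """Round offset up to the next multiple of boundary."""
    return (offset + boundary - 1) // boundary * boundary


def layout(members: List[Tuple[str, str]]) -> dict:
    """Compute element offsets, total size and padding for a UDT.

    members: (name, type) pairs in declaration order. Each element starts on
    its own alignment boundary; the whole UDT is padded to the largest element
    alignment (assumption), so any UDT containing a LINT is a multiple of 8 bytes.
    """
    offsets: Dict[str, int] = {}
    offset = 0
    udt_align = 1
    for name, typ in members:
        size, align = ELEM[typ]
        udt_align = max(udt_align, align)
        offset = _align(offset, align)   # element starts on its own boundary
        offsets[name] = offset
        offset += size
    total = _align(offset, udt_align)    # trailing padding for the UDT as a whole
    payload = sum(ELEM[t][0] for _, t in members)
    return {
        "offsets": offsets,
        "size": total,
        "padding": total - payload,
        "fits_cip_limit": total <= MAX_CIP_VARIABLE_BYTES,
    }


def definitions_match(producer: Tuple[str, List[Tuple[str, str]]],
                      consumer: Tuple[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the reasons a produce/consume-with-status pair would not match.

    Both the UDT name and the element types (in order) must be identical on the
    producing and consuming controller; an empty list means they are usable.
    """
    problems = []
    if producer[0] != consumer[0]:
        problems.append(f"UDT name differs: {producer[0]!r} vs {consumer[0]!r}")
    p_types = [t for _, t in producer[1]]
    c_types = [t for _, t in consumer[1]]
    if p_types != c_types:
        problems.append(f"element types differ: {p_types} vs {c_types}")
    return problems


if __name__ == "__main__":
    # Constructed UDT: the DINT after a BOOL lands at offset 4, the LINT at
    # offset 8, and the trailing BOOL forces padding of the UDT up to 24 bytes.
    udt = [("Trip", "BOOL"), ("Pressure", "DINT"), ("Stamp", "LINT"), ("Ack", "BOOL")]
    print(layout(udt))
    print(definitions_match(("TripData", udt), ("TripData", udt)))
```

Reordering members so the larger elements come first (LINT, then DINT, then the BOOLs) reduces the padding counted by `layout`, which is the practical lever for keeping a large structure under the 500 byte limit.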

HART

HART variables can be configured on each analogue input and output channel to monitor the HART field device.
Make sure that your HART field devices support HART command 0 ('read unique ID') and HART command 3 ('read current and four dynamic variables'). The AADvance controller uses these commands to communicate with the HART devices.
The AADvance analogue input and output modules use HART command #03 to collect data from the field device as specified by Revision 5 of the HART specification. The extra data available from HART-enabled field devices is reported to the application in custom data structures: T9K_AI_HART and T9K_AI_HART_FULL.
The structures supply the following data:
• Loop current in milliamps
• Process measurement in engineering units
• Errors on HART communication seen by the field device
• Status of the field device
• Time since the most recent update, in milliseconds
You can use the loop current variable for diagnostic checks in the application, to compare the value of the variable with the value on the 4 to 20 mA loop and react if there is a discrepancy. You can also monitor the status of the field device and use this to report diagnostic errors and manual configuration changes.
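As an added example (not AADvance firmware and not the T9K_AI_HART structure itself), the block below decodes the data bytes of a HART command 3 reply and applies the two application-level checks just described: comparing the HART-reported loop current with the value measured on the 4 to 20 mA channel, and rejecting data older than the worst-case HART update interval. The command 3 byte layout (loop current as a big-endian IEEE 754 float in mA, then four unit-code/float pairs) is taken from the HART specification as I understand it and is an assumption here; the tolerance, the 3.8 to 20.5 mA plausibility band and the unit-code bytes in the sample reply are constructed for the example.

```python
# Added example (not AADvance firmware and not the T9K_AI_HART structure itself):
# decode a HART command 3 reply and apply the diagnostic checks described above.
import struct

HART_MAX_UPDATE_MS = 4000   # handbook: HART data can take up to 4 s to update
LOOP_TOLERANCE_MA = 0.1     # assumed acceptable HART vs 4-20 mA disagreement


def parse_command3(data: bytes) -> dict:
    """Decode the 24 data bytes of a HART command 3 ('read current and four
    dynamic variables') reply.

    Layout assumed from the HART specification: loop current as a big-endian
    IEEE 754 float in mA, then PV, SV, TV and QV each as one unit-code byte
    followed by a big-endian float.
    """
    if len(data) < 24:
        raise ValueError(f"command 3 reply needs 24 data bytes, got {len(data)}")
    loop_ma = struct.unpack(">f", data[0:4])[0]
    variables = []
    for i in range(4):
        base = 4 + 5 * i
        unit_code = data[base]
        value = struct.unpack(">f", data[base + 1:base + 5])[0]
        variables.append((unit_code, value))
    return {"loop_current_ma": loop_ma, "pv": variables[0], "sv": variables[1],
            "tv": variables[2], "qv": variables[3]}


def evaluate(data: bytes, analogue_ma: float, age_ms: int) -> dict:
    """Run the application-level checks on one HART sample.

    analogue_ma: the value the input channel measured on the 4-20 mA loop.
    age_ms: time since the most recent HART update for this channel.
    """
    reading = parse_command3(data)
    loop_ma = reading["loop_current_ma"]
    return {
        "loop_current_ma": loop_ma,
        "pv": reading["pv"][1],
        # HART-reported loop current should agree with the analogue channel
        "loop_mismatch": abs(loop_ma - analogue_ma) > LOOP_TOLERANCE_MA,
        # loop current outside the assumed 3.8-20.5 mA band indicates a
        # device or wiring problem rather than a process value
        "out_of_range": not 3.8 <= loop_ma <= 20.5,
        # data older than the worst-case update interval should not be trusted
        "stale": age_ms > HART_MAX_UPDATE_MS,
    }


# Constructed sample reply: 12.0 mA loop current, PV 50.0, SV 21.5, TV/QV unused.
# The unit-code bytes are placeholder values for this example.
SAMPLE_REPLY = (
    struct.pack(">f", 12.0)
    + bytes([57]) + struct.pack(">f", 50.0)
    + bytes([32]) + struct.pack(">f", 21.5)
    + bytes([250]) + struct.pack(">f", 0.0)
    + bytes([250]) + struct.pack(">f", 0.0)
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_REPLY, analogue_ma=12.04, age_ms=1500))
```

In the controller the same information arrives through the T9K_AI_HART structure fields (loop current, process measurement, device status, time since update) rather than raw bytes; the checks in `evaluate` are the ones the application would apply to those fields.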

IMPORTANT The update rate for HART data from field devices is slower than the update rate for the 4 to 20 mA analogue signal itself. HART data can take a maximum of 4 seconds to update, depending on the device type and configuration.

Bindings and the SNCP Network

Bindings are based on a producer/consumer model. The controller consuming the data establishes a binding link with the controller producing the data and manages all of the sending and receiving of data. It schedules the sending and receiving of data, sending the diagnostic data, managing the safety response if
faults occur and managing the communications redundancy. An SNCP network is illustrated in the diagram.
First there must be a physical connection between the two controllers. The design of the Ethernet network and the equipment used does not impact the SIL rating of the communications interface, but the design of the network does change the reliability of the network and does impact the spurious trip rate. SNCP network data can be combined on a common network, resulting in safety and non-safety data sharing a common physical network. This does not compromise the SIL rating of the network, but again it does introduce failure modes and possibly security risks which can increase the spurious trip rate. Therefore, careful consideration must be given to the network topology during the application specification and design phase.
SNCP networks can be configured as Simplex (Fail Safe) or Redundant (Fault tolerant). The network configuration depends on the application's safety and availability requirements. The giving and receiving of data occurs independently of the physical network configuration, because the connection between the controllers is treated as a logical network.

Serial Communication Interface

Two serial ports on each processor module support the following signal modes depending on their use:
• RS485fd: A four-wire full duplex connection that features different busses for transmit and receive. This selection must also be used when the controller is acting as a MODBUS Master using the optional four-wire definition specified in Section 3.3.3 of the MODBUS-over-serial standard.
• RS485fdmux: A four-wire full-duplex connection with tri-state outputs on the transmit connections. This must be used when the controller is acting as a MODBUS Slave on a four-wire bus.
• RS485hdmux: A two-wire half duplex connection applicable for master or slave use. This is shown in the MODBUS-over-serial standard.

Time Synchronization SNTP

The AADvance controller can be configured to operate as an SNTP client or server or both.
• The SNTP client settings inform the controller of the following information: the IP address of the SNTP server, the version of SNTP offered by the server, and the operating mode for the time synchronization signal that the processors will use for their real-time clock. The processor module can be configured as a unicast or broadcast client.
• The AADvance controller can also fulfill the role of an SNTP server. To enable serving of time on an interface, you need to enable the interface and then you need to specify the direct broadcast address for that interface. This works for broadcast or unicast modes. When the controller is configured as a broadcast server, the controller can still respond to unicast requests from clients.
• Configure the controller as both a client and a server if using an external time server and you want to use the controller to supply the time data to other controllers and devices.

IMPORTANT Changes to the SNTP settings are not active until after the power is cycled.

MODBUS Master

The AADvance controller can be used as a MODBUS Master to one or more MODBUS Slave devices. Slave devices can include programmable logic controllers, remote devices (typically with little or no processing ability) and, more rarely, other functional safety controllers (Trusted or AADvance).
The controller supports the MODBUS RTU and MODBUS TCP protocols, as well as a subset of MODBUS commands. You can use MODBUS RTU with point-to-point and multi-drop serial links, and MODBUS TCP with Ethernet.
NOTE The AADvance controller does not support the MODBUS ASCII protocol.
You can set up a list of messages (commands) for each slave device. MODBUS read commands cause data to be read from the slave device into the MODBUS Master, while MODBUS write commands cause data to be copied from the MODBUS Master to the slave device. You can also define a sequence of broadcast write commands, which a MODBUS Master can send to multiple MODBUS RTU slaves without requiring an acknowledgment. The AADvance controller can control and monitor each of the MODBUS Master objects and their slave links.
WARNING: The MODBUS Master functionality has a safety integrity level of zero (SIL 0) and must only be used for non-safety applications.
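The read, write and broadcast-write messages described above are the same on the wire whichever master sends them. The block below is an added example, not the AADvance MODBUS Master implementation: it builds a MODBUS RTU read-holding-registers request and a broadcast single-register write, and validates a slave's reply (CRC, slave address, function code, exception response and byte count) before handing the register values on, which is the discipline a master needs even for SIL 0 data so that a corrupted or misdirected frame cannot feed bad values into the application. The reply builder is a constructed stand-in for a slave, used only to exercise the parser; the MODBUS TCP variant replaces the CRC with an MBAP header and is not shown.

```python
# Added example (not the AADvance MODBUS Master implementation): build the RTU
# frames a master sends and validate a slave's reply before trusting its data.
import struct
from typing import List

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
BROADCAST_ADDRESS = 0      # write-only; no slave replies to a broadcast


def crc16_modbus(data: bytes) -> int:
    """MODBUS RTU CRC-16 (reflected polynomial 0xA001, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def _with_crc(pdu: bytes) -> bytes:
    # the CRC goes on the wire low byte first
    return pdu + struct.pack("<H", crc16_modbus(pdu))


def build_read_holding(slave: int, start: int, count: int) -> bytes:
    """Request `count` holding registers from `slave` starting at `start`."""
    if not 1 <= slave <= 247:
        raise ValueError("reads need a unicast slave address 1..247")
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return _with_crc(struct.pack(">BBHH", slave, READ_HOLDING_REGISTERS, start, count))


def build_broadcast_write(register: int, value: int) -> bytes:
    """Write one register on every RTU slave; the master must not wait for a reply."""
    return _with_crc(struct.pack(">BBHH", BROADCAST_ADDRESS, WRITE_SINGLE_REGISTER,
                                 register, value))


def build_read_holding_reply(slave: int, registers: List[int]) -> bytes:
    """Constructed slave reply, used here only to exercise the parser."""
    body = struct.pack(">BBB", slave, READ_HOLDING_REGISTERS, 2 * len(registers))
    return _with_crc(body + struct.pack(f">{len(registers)}H", *registers))


def parse_read_holding_reply(frame: bytes, expected_slave: int,
                             expected_count: int) -> List[int]:
    """Check CRC, address, function code and length, then return the registers.

    Raises ValueError for anything that does not match the outstanding request,
    so a corrupted or misdirected frame never reaches the application logic.
    """
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, wire_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != wire_crc:
        raise ValueError("CRC mismatch")
    slave, function = body[0], body[1]
    if slave != expected_slave:
        raise ValueError(f"reply from slave {slave}, expected {expected_slave}")
    if function == READ_HOLDING_REGISTERS | 0x80:
        raise ValueError(f"slave exception code {body[2]}")
    if function != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {function:#x}")
    byte_count = body[2]
    if byte_count != 2 * expected_count or len(body) != 3 + byte_count:
        raise ValueError("length does not match request")
    return list(struct.unpack(f">{expected_count}H", body[3:]))


if __name__ == "__main__":
    request = build_read_holding(slave=1, start=0, count=10)
    print(request.hex())                       # 01030000000ac5cd
    reply = build_read_holding_reply(1, [100, 200, 300])
    print(parse_read_holding_reply(reply, expected_slave=1, expected_count=3))
```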
MODBUS Master Hardware and Physical Connections
The MODBUS Master functionality is built into the 9110 Processor Module. The physical communication ports are located on the 9100 Processor Base Unit. You do not need to add any other hardware to the AADvance controller apart from other components to make the physical connections to the
processor base unit. The following illustration shows some possible arrangements for MODBUS Master connections.

The MODBUS RTU slave devices are connected to one or more of the serial ports on the controller; a usual arrangement uses a multi-drop (RS-485) arrangement. The engineering workstation and the MODBUS TCP devices are shown connected to the Ethernet ports on different networks. Alternatively, these devices can be combined onto one network. Refer to the AADvance System Build Manual for more details about physical connections.

Controller IP Address

The AADvance controller stores its IP address data in non-volatile memory in the 9100 processor base unit. The data is independent of the 9110 processor modules in the controller, and so the controller keeps the address information when you remove a processor module.
You must set up the IP address data when you create a new system, or if you fit a new processor base unit.
After having set up the IP address data in the controller, you can configure the AADvance Workbench to find the controller on the network.

Recovery Mode

Recovery Mode is a shutdown mode and uses a base level firmware. It is entered automatically when a critical firmware failure occurs, or it can be entered manually by pressing the processor Fault Reset button immediately after the module has booted up. Recovery Mode is also used when you want to download a new firmware upgrade.
As an alternative firmware version it allows the following maintenance activities:
• Update the firmware using the ControlFLASH utility
• Program the processor IP Address with the AADvance Discover utility
• Extract diagnostic information
In Recovery Mode the Ready, Run, Force and Aux LEDs go Amber and the Healthy and System Healthy LEDs stay Green. The System Healthy and Healthy LEDs could go Red if a fault is detected while in Recovery Mode.
NOTE When in Recovery Mode the I/O communications are disabled and the Application code is not running.

Differential Services (DiffServ)

Differentiated services (DiffServ) gives a simple and coarse method to classify the services of different applications, and thus specify the priority of IP traffic. DiffServ is useful to make sure that high priority services are not delayed (or are delayed less) during periods of network congestion. When applied, the service uses bit patterns in the "DS-byte" of IP, which for IPv4 is the Type-of-Service (ToS) octet.
When you configure DiffServ you apply a priority value to a service and thus identify it as different from less important services. You do this by arranging routers or switches that can examine IP headers and prioritize them by the ToS header octet. The network devices will then apply their rules to prioritize IP traffic. The AADvance controller maintains the priority when it responds to incoming messages, and sets a priority according to the configuration for the messages it sends out.
If you use DiffServ, the controller scan rate can be up to 5 ms larger or smaller than the scan rate when the DiffServ feature is disabled.
The TCP/IP stack can apply the user-specified ToS data in its datagrams during the TCP negotiation (this is the 3-way handshake, RFC 793). You can specify this behavior when you set up DiffServ.
IMPORTANT The DiffServ feature is only available with release 1.3 onwards of the AADvance Workbench and controller.
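To make the DS byte concrete, the following added example (not AADvance code) builds a minimal IPv4 header with a chosen DSCP value, reads the DSCP and ECN fields back out of the ToS octet (DSCP is the upper six bits, ECN the lower two), and shows what a router or switch applying its DiffServ policy has to do when it rewrites that byte: recompute the header checksum, otherwise the marked packet is discarded downstream. The addresses and the Expedited Forwarding value 46 are sample values; the controller's own DSCP is a Workbench configuration setting, not something the application sets per packet.

```python
# Added example (not AADvance code): where the DS byte sits in an IPv4 header,
# how to read the DSCP and ECN fields, and what a marking device must do to
# the header checksum when it rewrites the DS byte.
import socket
import struct

DSCP_EF = 46   # Expedited Forwarding, a common value for latency-sensitive traffic


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16 bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      dscp: int = 0, ecn: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20 byte IPv4 header; the DS byte is (DSCP << 2) | ECN."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    tos = (dscp << 2) | ecn
    # version/IHL, DS byte, total length, id, flags/fragment, TTL, protocol,
    # checksum placeholder, source, destination
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl,
                      protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def read_ds(header: bytes) -> tuple:
    """Return (dscp, ecn) from the second header byte."""
    tos = header[1]
    return tos >> 2, tos & 0x3


def checksum_ok(header: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return ipv4_checksum(header) == 0


def remark(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP (keeping ECN) and recompute the checksum, as a
    switch or router applying its DiffServ policy would."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is 6 bits")
    h = bytearray(header)
    h[1] = (dscp << 2) | (h[1] & 0x3)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack(">H", ipv4_checksum(bytes(h)))
    return bytes(h)


if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.10", "192.0.2.20", 6, 0, dscp=DSCP_EF)
    print(hdr.hex(), read_ds(hdr), checksum_ok(hdr))
    print(read_ds(remark(hdr, 0)), checksum_ok(remark(hdr, 0)))
```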

Serial Tunneling

Not available for Workbench 2.0.

Ethernet Forwarding

The Ethernet forwarding property lets an AADvance controller forward Ethernet packets intended for a third party device, as shown in the illustration, together with all broadcast and multicast messages.
When Ethernet forwarding is enabled, each 9110 processor module in the controller forwards unicast messages intended for other devices, and all broadcast and multicast messages, between its two Ethernet ports. A device connected through the processor module can get its IP configuration through BOOTP or DHCP, or statically.
The processor module in the first position (slot) in the 9100 processor base unit forwards these messages from port E1-1 to E1-2, and in the opposite direction from port E1-2 to E1-1. Similarly (if fitted), the processor module in the second position in the 9100 processor base unit forwards traffic from port E2-1 to E2-2, and from port E2-2 to E2-1. The third processor module (if
fitted) forwards traffic from port E3-1 to E3-2, and from port E3-2 to E3-1. In each case, the second of these ports represents an uplink to the remainder of the network or (if applicable) to a different network. A device connected to this port sees all the traffic which can be of use to it: broadcasts, multicasts, and unicast traffic not destined for the 9110.
The processor module continues to consume the unicast messages intended for itself, and all broadcast and multicast messages, as it does when Ethernet Forwarding is disabled.
Ethernet forwarding is not designed to make links from one processor module to a different processor module, for example from ports E1-2 to E2-1 and E2-2 to E3-1. Do not do this.
The controller keeps its Ethernet forwarding setting if you change one or more of the 9110 processor modules. You do not have to change the setting during corrective maintenance.

Compiler Verification Tool

The Compiler Verification Tool (CVT) is a software utility that validates the output of the application compilation procedure. It is automatically enabled for resources when a project is created and when you add a resource to an existing project. This procedure, in conjunction with the validated execution code produced by the AADvance Workbench, confirms that no errors were introduced by the compiler during the development of the application.
To achieve this, the CVT decompiles the application project file and then compares each individual application project (POU) source file with its decompiled version. The CVT analysis is displayed in the Workbench window.

The OPC Portal Server

The OPC Portal Server is a Windows-based application that allows OPC compatible clients, such as HMIs and SCADA systems, to connect to one or more AADvance controllers to access process data. It conforms to version 1.10 of the Alarms and Events Standard published by the OPC Foundation.
Chapter 4
AADvance System Architectures
An AADvance controller can be configured to manage non-safety and up to SIL 3 safety related system requirements for low demand or high demand fault tolerant applications.
This chapter describes the different system architectures that can be configured for SIL 2 and SIL 3 applications.
NOTE Architectures are independent of I/O module capacity, so 8 or 16 channel I/O modules can be used.

SIL 2 Architectures

SIL 2 architectures are recommended for fail-safe low demand applications. All SIL 2 architectures can be used for energize or de-energize to trip applications. In any configuration, when a faulty processor or input module is replaced, the previous fault tolerance level is restored. For example, in a fault tolerant input arrangement with one faulty module, the system degrades to 1oo1D (1 out of 1 with diagnostics); replacing the faulty module restores the configuration to 1oo2D (1 out of 2 with diagnostics).
In all SIL 2 architectures, when the processor modules have degraded to 1oo1D on the first detected fault, the system must be restored to 1oo2D by replacing the faulty processor module within the MTTR assumed in the PFD calculations; also, unless compensating measures are defined in the Safety Requirements Specification (SRS) and documented in operating procedures, the application program must be designed to shut down safety instrumented functions if a module failure due to a dangerous fault has not been replaced within the MTTR.
SIL 2 Fail-safe Architecture
The following is a simplex fail-safe SIL 2 architecture, where I/O modules operate in 1oo1D under no fault conditions and will fail-safe on the first detected fault. The processor will operate in 1oo2D under no fault conditions, will degrade to 1oo1D on the first fault in either processor module and will fail-safe when there are faults on both processor modules.
NOTE Simplex output modules used for energize to action applications can only be used for low demand applications.
Table 5 - Modules for SIL 2 Fail-Safe Architecture
Position  Module Type
I/P A     T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9801 Digital Input TA, 16 Channel, Simplex; or T9431/2 Analogue Input Module, 8/16 Channel + T9831 Analogue Input TA, 16 Channel, Simplex; T9300 I/O Base Unit
CPU A     2 x T9110 Processor Module, T9100 Processor Base Unit
O/P A     T9451 Digital Output Module, 24 Vdc, 8 Channel, Isolated + T9851 Digital Output TA, 24 Vdc, 8 Channel, Simplex; or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex
SIL 2 Fault Tolerant Input Architectures
A SIL 2 fault tolerant input architecture can have dual or triple input modules with a dual processor and single output modules. The illustration shows a dual input arrangement where the dual input modules operate in 1oo2D under no fault conditions, they degrade to 1oo1D on detection of the first fault in either module of the redundant pair, and when a fault occurs on the second module the controller fails-safe.
The processor operates in 1oo2D under no fault conditions, will degrade to 1oo1D on the first fault in either processor module and will fail-safe when there are faults on both processor modules. The output module operates in 1oo1D under no fault conditions and fail-safe on the first detected fault.
When a triple input module arrangement is configured the group of input modules operate in 2oo3D under no fault conditions, degrade to 1oo2D on the detection of first fault in any module, then degrade to 1oo1D on the detection of faults in any two modules and fail-safe when there are faults on all three modules.
NOTE Simplex output modules used for energize to action applications can only be used for low demand applications.
V = voting
Table 6 - Modules for SIL 2 Architecture
Position     Module Type
I/P A and B  2 × T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9802 Digital Input TA, 16 Channel, Dual; or 2 × T9431/2 Analogue Input Module, 8/16 Channel, Isolated + T9832 Analogue Input TA, 16 Channel, Dual; T9300 I/O Base Unit
CPU A        2 x T9110 Processor Module, T9100 Base Unit
O/P A        T9451 Digital Output Module, 24 Vdc, 8 Channel + T9851 Digital Output TA, 24 Vdc, 8 Channel, Simplex; T9300 I/O Base Unit; or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex
SIL 2 Fault Tolerant Output Architecture
A SIL 2 Fault Tolerant output architecture has a single output module with dual processor and single or redundant input modules.
The illustration shows a SIL 2 single output arrangement where the output module operates in 1oo1D under no fault conditions and fail-safe on the first detected fault. The processor will operate in 1oo2D under no fault conditions, will degrade to 1oo1D on the first fault in either processor module and will fail-safe when there are faults on both processor modules.
Digital Output
For digital output modules the following applies:
• If the required safe state is ON, you must use dual digital output modules for High Demand applications.
Analogue Output
For Analogue Output the following applies:
• The fail-safe state current of the analogue output module is less than 2 mA.
• A safe state is an output configured to go to a specific value, or configured to hold last state. If the required safe state is larger than 4 mA, you must use dual analogue output modules for High Demand applications.
Table 7 - Modules for SIL 2 Fault Tolerant Output Architecture
Position   Module Type
I/P A & B  T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9801 Digital Input TA, 16 Channel, Simplex; or T9431/2 Analogue Input Module, 8/16 Channel + T9831 Analogue Input TA, 16 Channel, Simplex; T9300 Base Unit
CPU A      2 x T9110 Processor Module, T9100 Processor Base Unit
O/P A      T9451 Digital Output Module, 24 Vdc, 8 Channel + T9851 Digital Output TA, 24 Vdc, 8 Channel, Dual and T9300 I/O Base Unit; or 1 x T9481/T9842 Analogue Output Module, 3/8 Channel, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex
SIL 2 Fault Tolerant Input and SIL 2 High Demand Architecture
A SIL 2 fault tolerant "High Demand" architecture has dual input, dual processor and dual output modules. In a dual arrangement the input modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module, and will fail-safe when there are faults on both modules.
A triple input module arrangement can also be configured if it is required to increase the fault tolerance of the input. When a triple input module arrangement is configured the input modules operate in a 2oo3D under no fault conditions, degrade to 1oo2D on detection of the first fault in any module, then degrade to 1oo1D on the detection of faults in any two modules, and will fail-safe when there are faults on all three modules.
The processor will operate in 1oo2D under no fault conditions, will degrade to 1oo1D on the first fault in either processor module and will fail-safe when there are faults on both processor modules. For high demand applications the processor must be repaired within the MTTR assumed in the PFD calculations or the high demand safety instrumented functions must be shut down.
WARNING: For High Demand applications you must use a minimum of a dual processor configuration. High demand energize to action applications will require dual output modules. (Analogue Output Modules where the normal output current is less than 4 mA are classed as energize to action applications).
WARNING: For Continuous Mode applications the measures specified in this section for High Demand applications must be applied.
Table 8 - Modules for SIL 2 Fault Tolerant High Demand Architecture
Position       Module Type
I/P A & B      2 × T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9802 Digital Input TA, 16 Channel, Dual; or 2 × T9431/2 Analogue Input Module, 8/16 channel + T9832 Analogue Input TA, 16 Channel, Dual; 1 × T9300 I/O Base Unit
CPU A & CPU B  2 x T9110 Processor, T9100 Processor Base Unit
O/P A & B      2 × T9451 Digital Output Module, 24 Vdc, 8 Channel + T9852 Digital Output TA, 24 Vdc, 8 channel, T9300 Base Unit; or 2 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9882 Analogue Output TA, 8 Ch, Dual and T9300 Base Unit

SIL 3 Architectures

SIL 3 architectures have at least two or three processor modules and are applicable for use with:
• SIL 3 de-energize to trip applications.
• SIL 3 energize to action applications when fitted with dual digital output modules.
• SIL 3 high demand applications where the required safe state is more than 4 mA, when fitted with dual analogue output modules (A ‘safe state’ is an output configured to go to a specific value, or configured to hold last state).
Faulted input modules in a SIL 3 arrangement can be replaced without a time limit; faulted output modules must be replaced within the MTTR assumed in the PFD calculations.
In all SIL 3 architectures, when the processor modules have degraded to 1oo1D on the first detected fault, the system must be restored to at least 1oo2D by replacing the faulty processor module within the MTTR assumed in the PFD calculations, or all SIL 3 safety instrumented functions and high demand safety instrumented functions must be shut down.
SIL 3 Fail-safe I/O, Fault Tolerant Processor
A SIL 3, fail-safe I/O with a fault tolerant processor architecture has a simplex input and output arrangement with dual or triple processor modules. The dual processor modules operate in 1oo2D under no fault conditions and degrade to 1oo1D on detection of the first fault in either module. When there are faults on both modules the configuration fails-safe.
If required you can configure triple processor modules as a variation of this SIL 3 architecture. Using this arrangement the processor modules operate in 2oo3D under no fault conditions and 1oo2D on the detection of the first fault in any module. They degrade to 1oo1D on the detection of faults in any two modules and fail-safe when there are faults on all three modules.
Digital Output Modules
• For de-energize to action operation one 9451 output module is sufficient for SIL 3 requirements. However, for energize to action operation, dual digital output modules are required.
• A digital output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex digital output modules in de-energize to trip applications and to dual digital output modules in energize to action applications.
Analogue Output Modules
• The fail-safe state current of the analogue output module is less than 2 mA.
• If the required safe state is more than 4 mA, you must use dual analogue output modules for high demand applications.
• An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex analogue output modules where the safe state is less than or equal to 4 mA and to dual analogue output modules where the safe state is more than 4 mA.
Table 9 - Modules for SIL 3 Fail-safe I/O, Fault Tolerant Processor
Position | Module Type
I/P A | T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9801 Digital Input TA, 16 Channel, Simplex; or T9431/2 Analogue Input Module, 8/16 Channel + T9831 Analogue Input TA, 16 Channel, Simplex; T9300 I/O Base Unit
CPU A & CPU B | 2 x T9110 Processor Module; T9100 Processor Base Unit
O/P A | 1 x T9451 Digital Output Module, 24 Vdc, 8 Channel + T9851 Digital Output TA, 24 Vdc, 8 Channel, Simplex; or 1 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881 Analogue Output TA, 8 Ch, Simplex; T9300 I/O Base Unit
SIL 3 Fault Tolerant I/O Architectures
A SIL 3 fault tolerant I/O is achieved by dual input and output module configurations with dual or triple processor modules. The processor modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module and fail-safe when there are faults on both modules.
Input modules operate in 1oo2D under non faulted conditions and 1oo1D on detection of the first fault in one module and fail-safe when there are faults on both modules.
For high demand applications the processor must be repaired within the MTTR assumed in the PFD calculations or SIL 3 safety instrumented functions must be shut down.
WARNING: For SIL 3 applications you must use a minimum of a dual processor configuration.
For de-energize to action operation one digital output module is sufficient for SIL 3 requirements. However, for energize to action operation, dual digital output modules are required.
The single output module operates in 1oo1D under no fault conditions and fails safe when there is a fault on the module. For energize to action operation, the output modules operate in 1oo2D under no fault conditions, degrade to 1oo1D on the detection of the first fault in either module and fail safe when there are faults on both modules.
Digital Output Modules
A digital output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex digital output modules in de-energize to trip applications and to dual digital output modules in energize to action applications.
Analogue Output Modules
An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex analogue output modules where the safe state is less than or equal to 4 mA and to dual analogue output modules where the safe state is more than 4 mA.
Table 10 - Modules for SIL 3 Fault Tolerant Architectures
Position | Module Type
I/P A and I/P B | 2 x T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9802 Digital Input TA, 16 Channel, Dual; or 2 x T9431/2 Analogue Input Module, 8/16 Channel + T9832 Analogue Input TA, 16 Channel, Dual; 2 x T9300 I/O Base Unit
CPU A & CPU B | 2 x T9110 Processor Module; T9100 Processor Base Unit
O/P A and O/P B | For de-energize to action: 1 x T9451 Digital Output Module, 24 Vdc, 8 Channel + T9851 Digital Output TA, 24 Vdc, 8 Channel, Simplex; T9300 I/O Base Unit. For energize to action: 2 x T9451 Digital Output Module, 24 Vdc, 8 Channel + T9852 Digital Output TA, 24 Vdc, 8 Channel, Dual; T9300 I/O Base Unit. Or 2 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9882 Analogue Output TA, 8 Ch, Dual; T9300 I/O Base Unit
SIL 3 TMR Input and Processor, Fault Tolerant Output
A SIL 3 TMR architecture offers the highest level of fault tolerance for an AADvance controller and consists of triple input modules, triple processors and dual output modules.
• The input and processor modules operate in 2oo3D under no fault conditions, degrade to 1oo2D on detection of the first fault in any module, degrade to 1oo1D on the detection of faults in any two modules and fail safe when there are faults on all three modules.
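The following Python model is an added example and is not part of the handbook or of any Rockwell Automation software. It encodes the degradation sequences described in this chapter for simplex, dual and triple groups, and the rule that a group held at 1oo1D must be restored to at least 1oo2D within the MTTR assumed in the PFD calculations or the SIL 3 safety instrumented functions it serves must be shut down. The module names, fault times and the 8 hour MTTR used in the demonstration are constructed values for illustration only.

```python
"""Voting-state model for an AADvance redundancy group.

Added example, not code from the Rockwell Automation handbook. It encodes the
degradation sequences stated in the text: a dual group runs 1oo2D and degrades
to 1oo1D on the first detected fault, then fails safe; a triple group runs
2oo3D, then 1oo2D, then 1oo1D, then fails safe; a simplex module runs 1oo1D
and fails safe on its first fault. Once a dual or triple group is at 1oo1D the
faulty module must be replaced within the MTTR assumed in the PFD calculation,
otherwise the SIL 3 safety instrumented functions it serves must be shut down.
Module names, fault times and the MTTR figure below are constructed.
"""
from dataclasses import dataclass, field

# Voting mode as a function of how many modules in the group are still healthy.
VOTING_BY_HEALTHY = {3: "2oo3D", 2: "1oo2D", 1: "1oo1D", 0: "fail-safe"}


@dataclass
class RedundancyGroup:
    name: str
    modules: tuple                  # e.g. ("CPU A", "CPU B", "CPU C")
    mttr_hours: float               # MTTR assumed in the PFD calculation
    faults: dict = field(default_factory=dict)  # module -> hour fault detected

    def __post_init__(self):
        if len(self.modules) not in (1, 2, 3):
            raise ValueError("groups are simplex, dual or triple")

    def detect_fault(self, module, at_hour):
        if module not in self.modules:
            raise KeyError(module)
        self.faults.setdefault(module, at_hour)   # keep the first detection time

    def repair(self, module):
        self.faults.pop(module, None)

    def voting(self):
        return VOTING_BY_HEALTHY[len(self.modules) - len(self.faults)]

    def status(self, now_hour):
        """Return (voting mode, required action) at now_hour.

        "run"      - redundancy still available, or no fault present
        "repair"   - degraded to 1oo1D; the MTTR clock is running
        "shutdown" - no healthy module left, or 1oo1D held beyond the MTTR
        """
        voting = self.voting()
        if voting == "fail-safe":
            return voting, "shutdown"
        if not self.faults or voting != "1oo1D":
            return voting, "run"
        # The MTTR clock starts at the fault that caused the degradation,
        # i.e. the most recently detected one.
        elapsed = now_hour - max(self.faults.values())
        return voting, ("repair" if elapsed <= self.mttr_hours else "shutdown")


def timeline(group, events):
    """Apply (hour, module) fault events in order; record status after each."""
    out = []
    for hour, module in events:
        group.detect_fault(module, hour)
        out.append((hour,) + group.status(hour))
    return out


if __name__ == "__main__":
    cpus = RedundancyGroup("CPU", ("CPU A", "CPU B", "CPU C"), mttr_hours=8.0)
    for row in timeline(cpus, [(10.0, "CPU B"), (12.0, "CPU C")]):
        print(row)
    print(cpus.status(21.0))   # 9 h at 1oo1D, beyond the 8 h MTTR
```

The model deliberately treats a triple group at 1oo2D (one fault) as still running, because the handbook only mandates the MTTR-bounded repair once the group has reached 1oo1D; a plant procedure may choose to start the repair clock earlier.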
In the event of a failure in any element of a channel, the channel processor will still produce a valid output which could be voted on because of the coupling between the channels. This is why the triple modular redundant implementation supplies a configuration that is inherently better than a typical 2oo3 voting system.
Digital Output Modules
A digital output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex digital output modules in de-energize to trip applications and to dual digital output modules in energize to action applications.
Analogue Output Modules
An analogue output module fault must be repaired within the MTTR which was used in the PFD calculation. This rule applies to simplex analogue output modules where the safe state is less than or equal to 4 mA and to dual analogue output modules where the safe state is more than 4 mA. (A ‘safe state’ is an output configured to go to a specific value, or configured to hold last state).
Table 11 - Modules for TMR Input and Processor, Fault Tolerant Output
Position | Module Type
I/P A, I/P B and I/P C | 3 x T9401/2 Digital Input Module, 24 Vdc, 8/16 Channel + T9803 Digital Input TA, 16 Channel, TMR; or 3 x T9431/2 Analogue Input Module, 8/16 Channel + T9833 Analogue Input TA, 16 Channel, TMR; 2 x T9300 I/O Base Unit
CPU A, CPU B and CPU C | 3 x T9110 Processor Module; T9100 Processor Base Unit
O/P A and O/P B | 2 x T9451 Digital Output Module, 24 Vdc, 8 Channel + T9852 Digital Output TA, 24 Vdc, 8 Channel, Dual; 1 x T9300 I/O Base Unit. Or 2 x T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9882 Analogue Output TA, 8 Ch, Dual; 1 x T9300 I/O Base Unit
NOTE: All configurations that use dual or triplicate processor modules are applicable for SIL 3 architectures with de-energize to trip outputs. Dual outputs are always required for SIL 3 energize to action outputs.

Certified Configurations

Revisions of modules are subject to change. A list of the released versions can be obtained from Rockwell Automation.
Table 12 - Central Modules
Modules | Certified Configuration | Conditions
Processor Module T9110 | 1oo2D, 2oo3D | Safety-related and can be used for safety-critical applications in SIL 2 with 2 modules fitted and SIL 3 applications with 2 or 3 modules fitted. Note: For both Low and High Demand applications you must use a minimum of two processors.
Table 13 - Input Modules
Modules | Certified Configuration | Conditions
Digital Inputs: T9401/2, 24 Vdc, 8/16 Channel, isolated + T9801/2/3 Digital Input TA, 16 channel, Simplex/Dual/TMR | 1oo1D, 1oo2D, 2oo3D | De-energize to action (normally energized): SIL 3 with 1, 2 or 3 modules fitted. Energize to action (normally de-energized): with 1, 2 or 3 modules fitted. Note: When the integrity level is at 1oo1D the faulty module must be replaced to restore the integrity level back to 1oo2D.
Analogue Inputs: T9431/2, 8/16 Channel, isolated + T9831/2/3 Analogue Input TA, 16 Channel, Simplex/Dual/TMR | 1oo1D, 1oo2D, 2oo3D | Within the manufacturer's specified safety accuracy limits of 1 %. The safety state of the analogue input has to be set to a safe value, which is a calculated value based on a count value of 0 mA (refer to the AADvance Configuration Guides ICSTT-RM405 and ICSTT-RM458 for more details). SIL 3 with 1, 2 or 3 modules fitted. Note: When the integrity level is at 1oo1D the faulty module must be replaced within the MTTR assumed for the PFD calculations to restore the integrity level back to 1oo2D.
Table 14 - Output Modules
Modules | Certified Configuration | Conditions
Digital Outputs: T9451, 24 Vdc, 8 channel + T9851/2 TA, 24 Vdc, 8 Channel, Simplex/Dual | 1oo1, 1oo2 or 1oo2D | De-energize to action (normally energized): SIL 3 with 1 or 2 modules fitted (1oo2D with dual output modules fitted). Energize to action (normally de-energized): SIL 2 with 1 module fitted and SIL 3 with 2 modules fitted. A faulty digital output module must be repaired or replaced within the MTTR which was used in the PFD calculation. This rule applies to all simplex digital output modules and to dual digital output modules in energize to action applications.
Analogue Outputs: T9481/T9842 Analogue Output Module, 3/8 Ch, Isolated + T9881/T9882 TA, 8 Ch, Simplex/Dual | 1oo1, 1oo2 or 1oo2D | SIL 3 with 1 or 2 modules fitted where the safe state is less than or equal to 4 mA. SIL 3 with 2 modules fitted where the safe state is more than 4 mA (1oo2D with dual output modules fitted). A faulty analogue output module must be repaired or replaced within the MTTR which was used in the PFD calculation. This rule applies to all simplex analogue output modules and to dual analogue output modules where the safe state is more than 4 mA.
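The conditions in Tables 12 to 14 can be applied as a design-rule check before an arrangement is built. The following Python script is an added example, not code from the handbook or from Rockwell Automation; it encodes the table conditions as functions and reports any group that is not a certified configuration, or not certified to the SIL required, together with whether a fault in the group is bound by the MTTR rule. Group labels are constructed. Where a table gives no entry, such as a simplex analogue output whose safe state exceeds 4 mA, the check treats the group as not certified.

```python
"""Design-rule check of an AADvance module arrangement against Tables 12 to 14.

Added example, not code from the handbook or from Rockwell Automation. Each
table row is encoded as a rule: processors need 2 or 3 modules for any safety
application; input modules are certified to SIL 3 with 1, 2 or 3 fitted;
digital outputs reach SIL 3 simplex or dual for de-energize to action but only
dual for energize to action (simplex reaches SIL 2); analogue outputs must be
dual whenever the configured safe state exceeds 4 mA. Where a table gives no
entry the group is treated as not certified. Group names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Group:
    name: str
    kind: str                       # processor | digital_in | analogue_in |
                                    # digital_out | analogue_out
    modules: int                    # number of modules fitted
    energize_to_action: bool = False        # outputs only
    safe_state_ma: Optional[float] = None   # analogue outputs only


def max_sil(g: Group) -> Optional[int]:
    """Highest SIL the group is certified for, or None if not certified."""
    if g.kind == "processor":                       # Table 12
        return 3 if g.modules in (2, 3) else None
    if g.kind in ("digital_in", "analogue_in"):     # Table 13
        return 3 if g.modules in (1, 2, 3) else None
    if g.kind == "digital_out":                     # Table 14, digital
        if g.modules not in (1, 2):
            return None
        if not g.energize_to_action:
            return 3
        return 3 if g.modules == 2 else 2
    if g.kind == "analogue_out":                    # Table 14, analogue
        if g.modules not in (1, 2) or g.safe_state_ma is None:
            return None
        if g.safe_state_ma <= 4.0:
            return 3
        return 3 if g.modules == 2 else None
    raise ValueError(f"unknown module kind {g.kind!r}")


def mttr_bound(g: Group) -> bool:
    """True when a fault in the group must be repaired within the PFD MTTR."""
    if g.kind == "processor":
        return True     # restore at least 1oo2D within the MTTR or shut down
    if g.kind == "digital_out":
        return g.modules == 1 or g.energize_to_action
    if g.kind == "analogue_out":
        return g.modules == 1 or (g.safe_state_ma or 0.0) > 4.0
    return False        # input modules: not modelled here


def check(groups: List[Group], required_sil: int) -> List[str]:
    """Return findings for an arrangement; an empty list means it passes."""
    findings = []
    if not any(g.kind == "processor" for g in groups):
        findings.append("no processor group specified")
    for g in groups:
        sil = max_sil(g)
        if sil is None:
            findings.append(f"{g.name}: not a certified configuration")
        elif sil < required_sil:
            findings.append(f"{g.name}: certified to SIL {sil}, SIL {required_sil} required")
    return findings


if __name__ == "__main__":
    arrangement = [
        Group("CPU A/B", "processor", 2),
        Group("I/P A", "digital_in", 1),
        Group("O/P A", "digital_out", 1),                           # de-energize to action
        Group("O/P B", "digital_out", 1, energize_to_action=True),  # needs dual at SIL 3
        Group("O/P C", "analogue_out", 1, safe_state_ma=12.0),      # needs dual above 4 mA
    ]
    for line in check(arrangement, required_sil=3) or ["arrangement passes SIL 3 rules"]:
        print(line)
```

Running the demonstration reports O/P B as certified only to SIL 2 and O/P C as not certified, which is exactly the pair of mistakes the tables guard against: a simplex energize to action digital output and a simplex analogue output with a safe state above 4 mA.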

Table 15 - Auxiliary Modules
Modules | Conditions
Processor Base T9100 | Safety-related and can be used for safety-critical applications in SIL 2 with 2 modules fitted or SIL 3 with 2 or 3 modules fitted
I/O Base T9300 (3-way) | Safety-related and can be used for safety-critical applications in SIL 3.

Example Architectures with Approved Modules

The controller supports the range of architectures defined in the preceding sections. This section describes how to assemble a range of architecture configurations and includes selected examples that illustrate the alternative options. The modular construction of the controller makes it easy to create module arrangements, and these can be tailored to a specific application.
Standard Architectures
The standard AADvance modules can be arranged to supply two fundamental architectures based on dual and triple modular redundant processor modules. To these can be added I/O modules for redundant and/or fault tolerant configurations based on the following arrangements:
• Input modules in simplex, dual and triple modular redundant formations
• Output modules in simplex and/or dual arrangements
Figure 10 - Example Simplex SIL 2 System
Figure 11 - Example SIL 3 with Dual Input and Output Modules
An AADvance system can mix different I/O architectures within one controller, for example simplex and dual input modules with dual processor modules. The modular construction of the controller enables you to create numerous other arrangements that can be tailored for a particular application.
Once a system has been built and commissioned it can be expanded using additional modules from the range to create many different architectures and meet specific additional safety and fault tolerant business requirements.
Simplex I/O Architecture
A simplex configuration uses one input module for a field input, one output module for a field output, and two processor modules. Each input and output module fails safe on the first detected dangerous fault and the process under control shuts down. The processors operate in 1oo2D under no fault conditions, degrade to 1oo1D on the first fault in either processor module and fail safe when there are faults on both processor modules.
Low Demand SIL 2 Architecture
This is an example of a SIL 2 controller which is suited to low demand mode applications with de-energize and energize to action outputs. The T9801 and T9851 illustrated are the related simplex termination assemblies that mate with the T9401 and T9451 I/O modules. This arrangement is also applicable for non-safety applications.
Figure 12 - Low Demand SIL 2 Architecture System
This example supports 8 field inputs and 8 outputs. There is space for one more processor module and one more I/O module. To expand the I/O capacity you have to add I/O base units, then the required number of I/O modules and termination assemblies.
Data Input and Output
A controller can support up to 48 I/O modules in total (on 16 I/O base units); as an example, here is a controller with four 8 channel T9401 digital input modules and two 8 channel T9451 Digital Output Modules, giving 32 inputs and 16 outputs.
Figure 13 - Data Input and Output System
Two or three processor modules in a redundant arrangement are rated SIL 3; a minimum of two processor modules in a redundant arrangement is also required for architectures designed to meet SIL 2.
The T9401/2 digital input module (the same module as for the SIL 2 controller) is rated SIL 3 as it stands. The only constraint is that the simplex output stage will not drive an energize to action output for SIL 3; this requires a dual arrangement of output modules. The simplex output configuration is applicable to a de-energize to action output at SIL 3.
The second processor module supplies the increased fault tolerance and gives the configuration its SIL 3 rating. If either processor module fails, the module must be replaced within the MTTR.
This controller suits many applications needing a mixture of SIL 3 de-energize to action and SIL 2 outputs which do not need the additional fault tolerance offered by dual and triple modular redundant configurations. The possibilities for expansion are the same as those for the SIL 2 controller.
Figure 14 - Dual Processor System
Dual Architecture for Fault Tolerant Applications
Fault Tolerant Input and SIL 3 Outputs
The dual architecture configuration shown uses a dual redundant pair of modules for each stage. The two processor modules supply SIL 3 integrity for the processor stage (as in the previous example), while the second input module supplies fault tolerance for the inputs.
A SIL 3 fault tolerant processor and I/O is achieved by dual input and output module configurations with dual or triple processor modules.
Figure 15 - Dual Inputs, Processor and Output System
Increasing I/O Capacity
The capacity of this controller is increased by adding pairs of I/O modules and related dual termination assemblies. The subsequent example shows how to supply 16 inputs and 16 outputs (this could also be 32 inputs if 16 channel input modules are used). The outputs shown are digital output modules.
Figure 16 - Increased I/O System
The T9802 dual termination assembly can be used with both 8 channel and 16 channel digital input modules.
Triple Modular Redundant Architecture
A SIL 3 TMR architecture offers the highest level of fault tolerance for an AADvance controller and consists of triple input modules, triple processors and dual output modules.
If a failure occurs in an element of a channel, the channel processor will still supply a satisfactory output which could be voted on because of the coupling between the channels. This is why the triple modular redundant implementation has a configuration that is inherently better than a typical 2oo3 voting system.
Figure 17 - Triple Modular Redundant System
IMPORTANT: All configurations that use dual or triplicate processor modules are applicable for SIL 3 architectures with de-energize to action outputs. Dual output modules are required for SIL 3 energize to action outputs.
You can add more groups of three input modules and pairs of output modules to increase I/O capacity. For example, a triple modular redundant controller using 8-channel modules for 16 inputs and 16 outputs could be arranged like this. For 16 channel TMR input you must use the T9402 16 channel digital input modules in the same arrangement.
Figure 18 - Increasing I/O capacity with an Expansion Cable

Using an Expansion Cable

In the example a T9310 expansion cable assembly is used to connect the right-hand I/O base unit to another I/O base unit and modules.

Mixed Architectures

It is straightforward to make dual and triple I/O controller architectures. A system can have a mixed level of redundancy, fault tolerance and safety integrity levels to meet your business application needs without over-specifying the I/O.
Mixed I/O Architectures
An application could readily justify dual I/O for some field circuits, but not for all. It is easy and economical to configure one controller to offer a solution to cover both options. Consider a dual processor system that needs 16 inputs and 16 outputs, half of which must be duplicated and half of which can be simplex. This can be fulfilled by controller architecture like this.
Figure 19 - Mixed I/O System Equation
Mixed Safety Integrity Levels
Such is the flexibility of AADvance that a single controller can support mixed safety integrity levels, for example, if a system needs SIL 3 energize to trip outputs alongside SIL 2 outputs.
The following example shows how a small a viable controller for mixed integrity levels can be when built from AADvance modules. There are 16
82 Rockwell Automation Publication ICSTT-RM447M-EN-P - July 2019
Page 83
AADvance System Architectures Chapter 4
inputs (or 32), two duplicated 8 channel inputs (or duplicated 16 channel versions), and two groups of 8 outputs (one dual, one simplex) for field devices.
Figure 20 - Mixed Safety System
Distributed Architectures
AADvance is designed to support a distributed safety architecture. Using an SNCP network a SIL 3 architecture can be maintained across multiple controllers by sharing safety data over an Ethernet network shown in the example below:
Figure 21 - Distributed Safety Architecture
Example Distributed Controller Systems
The following example shows a process protected by one distributed AADvance system. It uses an 8000 Series Trusted controller to handle bulk I/O, and four AADvance controllers for other parts of the plant.
Controllers 1 and 2 are two near-identical controllers applied to duplicated areas of the plant. The duplication of plant (represented by the two compressors K1 and K2) in this system allows controllers 1 and 2 to be fail-safe designs.
The parts of the plant managed by Controllers 3 and 5 are assumed (for the sake of this illustration) to need safety instrumented systems certified to a mixture of SIL 2 and SIL 3. Controller 3 exploits the flexibility of the AADvance system to supply mixed SILs in one controller.
Controller 4 manages the fire and gas system in the plant. The example uses an 8000 Series Trusted controller here in a role which uses a large quantity of field devices. The 8000 Series Trusted controller is fully integrated into the system and shares the applications with the AADvance controllers.
Figure 22 - Distributed System
Typical Network Applications
A typical distributed AADvance system uses two networks:
• An information network, which supplies connectivity to the BPCS (basic process control system) and to OPC devices
• A dedicated safety network, which handles data shared between the AADvance controllers
Figure 23 - Distributed Network System
The engineering workstation could connect to the safety network (as illustrated), to the data network or to the two networks.
As drawn, the OPC portal server collects data from the controllers and displays it on the HMIs and, conversely, delivers commands from the HMIs to the controllers. The data network carries real time data (MODBUS TCP) from the BPCS to the controllers.
Controller External Network Connectors
The controller features six auto-sensing 10/100BASE-TX Ethernet ports which let it connect to a local area network through standard RJ45 Ethernet cable. There are two ports for each processor module.
The controller Ethernet ports are found on the T9100 processor base unit and are identified like this:
Table 16 - Allocation of 10/100BASE-TX Ports to Processor Modules
10/100BASE-TX Ports T9110 Processor Module
E1–1, E1–2 Processor A
E2–1, E2–2 Processor B (if fitted)
E3–1, E3–2 Processor C (if fitted)
Specifying a Safety Network
Once a system uses distributed controllers with shared data, the topology of the safety network must be robust: make sure the network has no single point of failure. Refer to the AADvance Safety Manual (Document ICSTT-RM446) for further details about specifying a safety network.
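The following Python script is an added example, not part of this handbook or of the Safety Manual, of the "no single point of failure" check applied to a candidate safety network topology. It takes a list of controller-to-switch links (one per Ethernet port in use; each processor module offers two ports, as Table 16 shows) and switch-to-switch trunks, and reports each switch and each link whose single loss would leave some controller unable to reach the others. The controller and switch names and the two topologies are constructed for the example.

```python
"""Single-point-of-failure check for a distributed AADvance safety network.

Added example, not code from the handbook or from Rockwell Automation. The text
requires the safety network to have no single point of failure; this script
takes a link list (controller-to-switch links, one per Ethernet port in use,
and switch-to-switch trunks) and reports every switch and every link whose
loss would leave some controller unable to reach the others. Controller and
switch names, and the topologies in the demonstration, are constructed.
"""
from collections import defaultdict


def build_graph(links):
    """Undirected adjacency from (node_a, node_b) pairs; parallel links merge."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


def reachable(adj, start, removed_node=None, removed_link=None):
    """Nodes reachable from start with one node or one link taken out."""
    blocked = set(removed_link) if removed_link else set()
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen or n == removed_node:
            continue
        seen.add(n)
        for m in adj.get(n, ()):
            if removed_link and {n, m} == blocked:
                continue            # this is the failed link
            stack.append(m)
    return seen


def single_points_of_failure(links, controllers):
    """Return (switches, links) whose single loss partitions the controllers."""
    adj = build_graph(links)
    ctl = set(controllers)
    start = min(ctl)
    if not ctl <= reachable(adj, start):
        raise ValueError("controllers are not fully connected to begin with")
    switches = [n for n in adj if n not in ctl]
    spof_nodes = sorted(n for n in switches
                        if not ctl <= reachable(adj, start, removed_node=n))
    unique_links = sorted({tuple(sorted(l)) for l in links})
    spof_links = [l for l in unique_links
                  if not ctl <= reachable(adj, start, removed_link=l)]
    return spof_nodes, spof_links


# Constructed topologies. Each controller is cabled from one port on each
# processor module (for example E1-1 and E2-1) to two independent switches.
REDUNDANT = [
    ("AAD-1", "SW-A"), ("AAD-1", "SW-B"),
    ("AAD-2", "SW-A"), ("AAD-2", "SW-B"),
    ("AAD-3", "SW-A"), ("AAD-3", "SW-B"),
    ("SW-A", "SW-B"),
]
# The same network with AAD-3 cabled to SW-A only.
WEAK = [l for l in REDUNDANT if l != ("AAD-3", "SW-B")]
CONTROLLERS = ["AAD-1", "AAD-2", "AAD-3"]

if __name__ == "__main__":
    for name, topology in (("redundant", REDUNDANT), ("weak", WEAK)):
        print(name, single_points_of_failure(topology, CONTROLLERS))
```

Parallel links from one controller to the same switch are merged by build_graph on purpose: two cables into one switch do not remove that switch as a single point of failure, which is why the redundant topology uses two switches per controller.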
Chapter 5
AADvance Scalability
The AADvance design concept gives an expandable solution for each application through its current range of I/O modules and termination assemblies. Increased I/O capacity is possible because it is easy to add new modules and it gives you the flexibility to create different architectures by changing the I/O capacity and arrangement.

I/O Channel Capacity

When creating a system, AADvance offers horizontal scalability. The maximum I/O channel capacity of a single controller depends on whether you assemble I/O modules in simplex, dual or triple modular redundant configurations.
You increase the I/O capacity of a controller by adding I/O base units, termination assemblies and I/O modules. You can also use 16 channel modules on a termination assembly and thus increase the I/O channel capacity per module. An expansion cable allows you to use the controller second I/O bus (I/O Bus 2) and add up to 24 I/O modules giving a total of 48 I/O modules per controller.
An AADvance system also supports and integrates fully with existing MODBUS subsystems and, through its own server, supplies interoperability with HMIs and other OPC devices.
Simplex I/O Channel Capacity
When you need I/O modules arranged in simplex configurations you must use the simplex termination assembly for each module type. You can use a physical arrangement of 8-channel and 16-channel input modules with their simplex termination assemblies, also any arrangement of output modules with simplex termination assemblies. For example, you can put all digital inputs together in a rack and all analogue inputs together, or mix them together.
The maximum number of simplex I/O channels is limited only by the selection of modules. For example, 16 x 16 Channel input modules and 32 x 8 Channel output modules, equals a maximum of 512 channels.
Figure 24 - Simplex I/O Modules
Dual I/O Channel Capacity
When you need I/O modules arranged in dual redundant formations, each pair of modules shares a dual termination assembly and occupies two-thirds of an I/O base unit. The termination assemblies can bridge adjacent I/O base units, so two base units will hold three pairs of dual redundant module configurations, while three base units will hold four pairs. Arrange base units in groups of two or four to optimize capacity for dual redundant modules.
If you assemble base units in groups of two or four, a single controller supports 24 pairs of I/O modules. The capacity using, for example, eight pairs of 16-channel input modules and sixteen pairs of output modules is 256 I/O channels (8 x 16 = 128, 16 x 8 = 128).
The capacity using 8-channel modules in dual configurations (24 pairs) is 24 × 8 = 192 I/O channels. This can, for example, be 64 digital inputs, 64 analogue inputs and 64 digital outputs, or any combination of these values with a granularity of eight, the capacity of one I/O module.
Figure 25 - Dual I/O Modules

Triple Modular Redundant Channel Capacity

When you need input modules arranged in triple modular redundant formations, each group of three modules shares a single triple termination assembly and occupies all of an I/O base unit. A single controller supports 16 groups of three modules, so a hypothetical controller using 16-channel input modules and needing no output channels will have a capacity of 16 x 16 = 256 input channels.
A solution using 8-channel modules and needing dual output modules as well as triplicated input modules will, with a ratio of 2:1 of inputs to outputs, supply 96 input channels and 48 output channels. These capacities are derived like this:
Input Channels
• 12 groups of three 8-channel input modules have 12 base units and yield 12 x 8 = 96 input channels.
Output Channels
• 6 pairs of output modules have the remaining 4 base units and yield 6 x 8 = 48 output channels.
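The capacity derivations in this chapter can be checked with the following Python planner, an added example that is not part of the handbook or of the AADvance Workbench. It packs termination assemblies onto the two I/O buses using the slot rules given here (three slots per T9300 base unit, one slot per simplex assembly, two per dual and three per triple, dual and triple assemblies bridging adjacent base units on a row, at most 8 base units per bus) and reports the module count, base units per bus and field channels. Group labels are constructed; the demonstration reproduces the 512, 256 and 96 + 48 channel figures quoted above.

```python
"""I/O slot and channel planner for an AADvance controller.

Added example, not code from the handbook or from Rockwell Automation. It
applies the capacity rules given in this chapter: a T9300 I/O base unit has
three module slots; a simplex termination assembly uses one slot, a dual
assembly two and a triple assembly three, and dual and triple assemblies may
bridge adjacent base units on the same row; each of the two I/O buses carries
at most 8 base units (24 modules), so a controller holds 48 modules at most.
Redundant modules in a group share the same field channels, so a group
contributes its per-module channel count once. Group labels are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

SLOTS_PER_BASE_UNIT = 3
BASE_UNITS_PER_BUS = 8
BUSES = 2
SLOTS_FOR = {"simplex": 1, "dual": 2, "tmr": 3}


@dataclass(frozen=True)
class IoGroup:
    kind: str           # "DI", "AI", "DO" or "AO"
    redundancy: str     # "simplex", "dual" or "tmr"
    channels: int       # field channels per module (8 or 16 for inputs)
    count: int = 1      # number of such groups (termination assemblies)

    def __post_init__(self):
        if self.redundancy not in SLOTS_FOR:
            raise ValueError(f"unknown redundancy {self.redundancy!r}")
        if self.redundancy == "tmr" and self.kind in ("DO", "AO"):
            raise ValueError("no triple termination assembly exists for outputs")


def plan(groups: List[IoGroup]) -> Dict[str, object]:
    """Place every termination assembly on one of the two I/O buses.

    Assemblies are placed widest first, first fit. A ValueError means the
    arrangement does not fit within the 48-module limit of one controller.
    """
    bus_capacity = SLOTS_PER_BASE_UNIT * BASE_UNITS_PER_BUS
    widths = sorted((SLOTS_FOR[g.redundancy] for g in groups for _ in range(g.count)),
                    reverse=True)
    used = [0] * BUSES
    for w in widths:
        for i in range(BUSES):
            if used[i] + w <= bus_capacity:
                used[i] += w
                break
        else:
            raise ValueError(f"needs more than {BUSES * bus_capacity} module slots")
    channels: Dict[str, int] = {}
    for g in groups:
        channels[g.kind] = channels.get(g.kind, 0) + g.channels * g.count
    return {
        "modules": sum(widths),
        "base_units_per_bus": [math.ceil(u / SLOTS_PER_BASE_UNIT) for u in used],
        "channels": channels,
    }


if __name__ == "__main__":
    # The three worked capacities from this chapter.
    examples = {
        "simplex": [IoGroup("DI", "simplex", 16, 16), IoGroup("DO", "simplex", 8, 32)],
        "dual":    [IoGroup("DI", "dual", 16, 8), IoGroup("DO", "dual", 8, 16)],
        "tmr":     [IoGroup("DI", "tmr", 8, 12), IoGroup("DO", "dual", 8, 6)],
    }
    for name, groups in examples.items():
        print(name, plan(groups))
```

The planner also confirms the packing statement made earlier for dual assemblies: four pairs on one bus need three base units, because each pair takes two of the three slots and the assemblies bridge adjacent base units.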
Adding I/O Channel Capacity

You can specify a new controller with the quantity of I/O channels you need now and also configure spare I/O channels that you anticipate needing in the future. Having done this, it is straightforward to add more T9300 I/O base units and modules when you expand the controller.
However, if you have not configured spare slots for new hardware you can still expand your system. You can install the new hardware, change the controller hardware configuration in the AADvance Workbench and load the changed application.

On-line Updates of I/O Configuration Changes

The AADvance controller's modular design makes it easy to create and change the I/O configuration. The on-line update facility enables you to make changes to the I/O configuration after the system is commissioned.
An on-line update can be used for the following changes:
• Expand a system and add new I/O modules, base units and termination assemblies.
• Change the module type in a simplex or group arrangement.
• Expand a simplex or group arrangement.
• Downgrade a group arrangement.
• Move a module to a different slot.
• Change an application variable.
You only have to plug an additional I/O base unit into the side socket on an installed I/O base unit. The command busses on the I/O base units do not need different terminations on the open ends of the transmission lines, and the data response busses and power sources are supplied across all I/O base units. The termination assemblies for the additional I/O modules are pushed into the I/O base unit. To put the new modules on-line and make the changes to the system fully operational, the hardware configuration in the AADvance Workbench software must be updated by an on-line update.
IMPORTANT: For Release 1.3 you can change the I/O module configuration with an on-line update. If you are using an earlier product release the I/O configuration cannot be changed with an on-line update.
IMPORTANT: An on-line update could affect the operation of the controller such that the application is stopped or the I/O data flow is interrupted. The AADvance Safety Manual outlines the precautions you need to follow when doing on-line updates on a safety system.

Bus Connectors and Expansion Cable

When there is not sufficient space for extra I/O base units on a row you can use the expansion cable to connect a new row of I/O base units and modules to further expand the I/O system.
The T9100 processor base unit command and response busses and system power for I/O modules are output by the two connectors on each side of the base unit:
• The right-hand connector (specified I/O bus 1 in the project tree configuration) mates with a connector on the T9300 I/O base unit. I/O bus 1 supports a maximum of eight I/O base units and 24 I/O modules.
• The left-hand connector (specified I/O bus 2 in the project tree configuration), mates with the T9310-02 Backplane Expansion Cable, which will connect it to another T9300 I/O base unit. I/O Bus 2 supports a maximum of 8 I/O base units and has response lines for a maximum of 24 I/O modules.
The expansion cable carries module power, command busses and individual response busses for each I/O module.
Figure 26 - Expansion Cables for I/O Bus 1 & 2

Redundancy and Fault Tolerance

An important advantage of the AADvance design is the option to add redundant modules to increase fault tolerance as and when they are required. Redundant configurations let you replace faulty modules without affecting system operation.
This flexibility and operational persistence is made possible by Termination Assemblies that supply redundant I/O module capacity. By installing a triple termination assembly you can configure the I/O and use it in a simplex, dual or triple redundant arrangement.
The AADvance controller, therefore, gives an economical solution for redundancy and fault tolerance expansion. You can install the termination assemblies and base units for increased capacity in the future, then add the extra I/O modules only when you actually need them.

Expansion using Distributed Controllers

You can expand an AADvance system by adding more controllers to create a distributed system. The AADvance Discover (Discovery and Configuration utility) enables you to connect to external controllers.
IMPORTANT: The recommended maximum size of a typical distributed AADvance system is 20 controllers.
Chapter 6
Specifying a New Controller
This chapter goes through a list of key information needed to specify a new AADvance controller. The flowcharts and tables that follow will guide you through the process of defining a system for your business application and system requirements.

Information to Specify a New Controller

Define a New System

The following sets of information are needed to specify a new controller:
• The intended safety integrity level (SIL 2 or SIL 3) for your application
• The desirable degree of fault tolerance
• Whether any final elements are energize to action (affects output module arrangements for SIL 3 requirements)
• The type and quantity of inputs and outputs
• The process safety time for each safety function
• Whether any channels need a hot-swap capability
All of these items must be assessed and known for the specified plant and the intended application.
The charts use minimal designs to illustrate solutions.

Specify I/O Base Units

Choosing Termination Assemblies

The T9300 I/O base unit (3 way) is a single, standardised design which suits all termination assemblies and I/O modules. The base unit can have one triple modular redundant assembly, one dual assembly and one simplex assembly, or up to three simplex assemblies. The dual and triple modular redundant assemblies can bridge adjacent base units, so two base units can (for example) hold three dual assemblies.
The use of termination assemblies gives the AADvance system flexibility for creating different architectures and expanding the system. Each termination assembly is a very simple circuit that is matched to a type of I/O module and to a specified module configuration. This table shows a summary of the termination assemblies which are available and the related I/O module configurations.
Table 17 - Choosing a Termination Assembly
I/O Type | Simplex I/O Module Configuration | Dual I/O Module Configuration | Triple I/O Module Configuration
Digital input | T9801, Digital Input TA, 16 channel, Simplex, commoned (non-isolated) | T9802, Digital Input TA, 16 channel, Dual | T9803, Digital Input TA, 16 channel, Triple
Analogue input | T9831, Analogue Input TA, 16 channel, Simplex, commoned (non-isolated) | T9832, Analogue Input TA, 16 channel, Dual | T9833, Analogue Input TA, 16 channel, Triple
Digital output | T9851, Digital Output TA, 8 channel, Simplex, commoned (non-isolated) | T9852, Digital Output TA, 8 channel, Dual (non-isolated) | Not applicable
Analogue output | T9881, Analogue Output TA, 8 channel, Simplex, commoned | T9882, Analogue Output TA, 8 channel, Dual | Not applicable
IMPORTANT The termination assemblies for inputs have 8-channel I/O modules and 16-channel I/O modules. A dual or triple arrangement can be made of 8- or 16-channel modules, but not a mixture of the two.
You need one termination assembly for each group of related modules. For example:
• Four T9401 digital input modules used in two, dual redundant configurations need two T9802 termination assemblies — one for each pair of modules
• Four T9401 digital input modules used for simplex inputs need four T9801 termination assemblies — one for each module
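The selection rules above (one termination assembly per group of related modules, T98x1/T98x2/T98x3 by redundancy level, no triple assemblies for outputs, no mixing of 8- and 16-channel modules in a dual or triple group) and the base unit and weight figures from this chapter, as an added worked example in Python. This is not Rockwell code; the function names are the example's own, the base unit count uses a simplified slot model (one module per slot on a 3-way T9300, assemblies bridging adjacent base units) that the handbook does not state in these terms, and the weight allowances are the values from Table 18 later in this chapter. The I/O list at the bottom is a constructed sample.

```python
"""Plan termination assemblies, base units and I/O weight for an AADvance
I/O list (added example, not Rockwell code).

Rules from Table 17 and its IMPORTANT note:
  - one termination assembly (TA) per group of related modules
  - TA catalog number is T98x1 (simplex), T98x2 (dual), T98x3 (triple)
  - triple TAs exist only for digital and analogue inputs
  - a dual or triple group uses 8- or 16-channel modules, never a mixture
Assumption: each module takes one of the three slots on a T9300 base unit
and dual/triple assemblies may bridge adjacent base units, so base units
needed = ceil(total modules / 3).
"""
import math

# Catalog number -> (I/O type, channels), from the module list in Table 18.
MODULES = {
    "T9401": ("digital input", 8),
    "T9402": ("digital input", 16),
    "T9431": ("analogue input", 8),
    "T9432": ("analogue input", 16),
    "T9451": ("digital output", 8),
    "T9482": ("analogue output", 8),
}
# First four characters of the TA catalog number per I/O type (Table 17).
TA_FAMILY = {"digital input": "T980", "analogue input": "T983",
             "digital output": "T985", "analogue output": "T988"}
REDUNDANCY_SUFFIX = {"simplex": "1", "dual": "2", "triple": "3"}
MODULES_PER_GROUP = {"simplex": 1, "dual": 2, "triple": 3}
TRIPLE_SUPPORTED = {"digital input", "analogue input"}
# Weight allowances in grams from Table 18; TAs keyed by redundancy digit.
WEIGHT_G = {"T9401": 280, "T9402": 340, "T9431": 280, "T9432": 340,
            "T9451": 340, "T9482": 290, "T9300": 133}
TA_WEIGHT_G = {"1": 133, "2": 260, "3": 360}


def select_termination_assembly(redundancy, modules):
    """Return the TA catalog number for one group of related modules,
    or raise ValueError if the group breaks one of the rules above."""
    if redundancy not in MODULES_PER_GROUP:
        raise ValueError(f"unknown redundancy {redundancy!r}")
    expected = MODULES_PER_GROUP[redundancy]
    if len(modules) != expected:
        raise ValueError(f"a {redundancy} group needs {expected} module(s), got {len(modules)}")
    kinds = {MODULES[m] for m in modules}        # KeyError for an unknown catalog number
    io_types = {io_type for io_type, _ in kinds}
    if len(io_types) != 1:
        raise ValueError("all modules in a group must be the same I/O type")
    if len(kinds) != 1:
        raise ValueError("a dual or triple group cannot mix 8- and 16-channel modules")
    io_type = io_types.pop()
    if redundancy == "triple" and io_type not in TRIPLE_SUPPORTED:
        raise ValueError(f"no triple termination assembly exists for {io_type}")
    return TA_FAMILY[io_type] + REDUNDANCY_SUFFIX[redundancy]


def plan_io(groups):
    """groups: iterable of (redundancy, [module catalog numbers]).
    Returns {catalog number: quantity} for modules, TAs and T9300 base units."""
    bill = {}
    slots = 0
    for redundancy, modules in groups:
        ta = select_termination_assembly(redundancy, modules)
        bill[ta] = bill.get(ta, 0) + 1          # one TA per group
        for module in modules:
            bill[module] = bill.get(module, 0) + 1
        slots += len(modules)
    bill["T9300"] = math.ceil(slots / 3)        # slot-model assumption
    return bill


def weight_allowance_g(catalog):
    """Table 18 allowance for one item; TAs are looked up by redundancy digit."""
    if catalog[:4] in TA_FAMILY.values():
        return TA_WEIGHT_G[catalog[4]]
    return WEIGHT_G[catalog]


def estimate_weight_g(bill):
    """Sum of quantity x allowance, as in the Subtotal column of Table 18."""
    return sum(weight_allowance_g(item) * qty for item, qty in bill.items())


if __name__ == "__main__":
    # Constructed sample: two dual pairs of T9401, one simplex T9431,
    # one triple set of T9432.
    io_list = [
        ("dual", ["T9401", "T9401"]),
        ("dual", ["T9401", "T9401"]),
        ("simplex", ["T9431"]),
        ("triple", ["T9432", "T9432", "T9432"]),
    ]
    bom = plan_io(io_list)
    for item in sorted(bom):
        print(f"{item}: {bom[item]}")
    print(f"estimated I/O weight: {estimate_weight_g(bom)} g")
```

The two bullet cases above come out as expected: four T9401 modules in two dual groups give two T9802 assemblies, and four simplex groups give four T9801. The processor base unit and processor modules are not part of the bill, so add their Table 18 allowances separately when estimating the whole controller.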

Estimate AADvance Controller Weight

Use the following table to make an estimate of the weight of your controller.
Table 18 - AADvance Controller Module Weight
Item | Number Used | Weight Allowance g (oz.) | Subtotal
T9100 Processor Base Unit | × | 460 g (16 oz.) |
T9110 Processor Module | × | 430 g (15 oz.) |
T9401 Digital input module, 24 Vdc, 8 channel | × | 280 g (10 oz.) |
T9402 Digital input module, 24 Vdc, 16 channel | × | 340 g (12 oz.) |
T9431 Analogue input module, 8 channel | × | 280 g (10 oz.) |
T9432 Analogue input module, 16 channel | × | 340 g (12 oz.) |
T9451 Digital output module, 24 Vdc, 8 channel | × | 340 g (12 oz.) |
T9482 Analogue output module, 8 channel | × | 290 g (10.5 oz.) |
T9300 I/O base unit (3 way) | × | 133 g (5 oz.) |
T98x1 Simplex Termination assembly | × | 133 g (5 oz.) |
T98x2 Dual Termination Assembly | × | 260 g (10 oz.) |
T98x3 Triple Termination Assembly | × | 360 g (13 oz.) |
T9310 Expansion cable assembly and 2 m cable | × | 670 g (24 oz.) |
T9841 Termination Assemblies (average weight) | × | 175 g (6 oz.) |
Total estimated controller weight | | |

System Installation Environment

The installation environment can be a source of common cause failure so it is necessary that the installation assessment covers the environmental specification for the AADvance system and includes the following:
• the prevailing climatic conditions
• type of area, e.g. is it a hazardous or non-hazardous area
• location of power sources
• earthing and EMC conditions
In some customer installations parts of the system can be installed in differing locations; in these cases the assessment must include each location.

Power Sources and Heat Dissipation Calculations

It is highly recommended that module supply power and field loop power consumption calculations are done to find out the heat dissipation before designing a suitable enclosure and making a decision about the installation environment (see topic "System Design for Heat Dissipation").