Rockwell Trusted TMR Processor

Rockwell Trusted TMR Processor

Introduction: When the security system processor lights up with a red light

In process industries, oil and gas pipelines, nuclear power auxiliary facilities, and large rotating machinery protection systems, once the core processor of the Safety Instrumented System (SIS) fails or needs to be replaced, engineers face much greater pressure than ordinary control systems. Because any incorrect operation may result in device shutdown, production interruption, and even personal injury. And Rockwell Automation's Trusted ®  The TMR processor (common models T8111 and early T811B) is the most important computing and control center in this type of security system. A clear set of technical guidance and troubleshooting methods is crucial when it malfunctions or when a discontinued model needs to be upgraded.

Based on the Trusted TMR Processor product manual (ICSTT ‑ RM038) and engineering practice experience, this paper analyzes the the third mock examination redundancy (TMR) architecture, hardware characteristics, installation configuration, fault diagnosis and scanning time estimation methods of the processor in detail. Whether you are an engineer maintaining an outdated Trusted system or someone designing a new Safety Logic Controller (SIL 3), this article can provide you with actionable references.

Product Overview: Why Trusted processors can achieve SIL 3

2.1 Overview of Core Features

The Trusted TMR processor is a Trusted processor ®  The main processing component of the system, which adopts triple module redundancy (TMR) and hardware implemented fault tolerance (HIFT) architecture, can contain three independent processor fault containment regions (FCRs) in a single module. Each FCR includes an NXP PowerQUICC II series processor, local memory (EPROM, DRAM, Flash ROM, Flash RAM), and voting logic circuitry.

Key features include:

TMR fault tolerance: Supports 3-2-0 degradation mode (two out of three operation, can tolerate one failure; safe shutdown after a second failure).

Extremely fast fault identification and response: dedicated hardware and software testing mechanism, fault detection time is much shorter than the time required for safety actions.

Hot Replacement: No need to reload the program, automatically synchronizes with education after inserting a new module.

IEC 61131-3 programming language: Complies with international standards and facilitates the development of safety logic.

IRIG-B time synchronization: supports two formats, B002 (RS422 level) and B122 (amplitude modulation), for high-precision event sequence recording.

Front panel diagnostic port: RS232 serial port, used for system monitoring, configuration, and programming.

Redundant fault relays: Fault and Fail relays, respectively indicating non fatal and fatal faults in the system.

Two configurable RS422/485 serial ports and one RS485 serial port, supporting Modbus RTU slave.

SIL 3 certification: Suitable for applications with the highest safety integrity level according to IEC 61508.

2.2 Internal structure and voting mechanism of the module

Each processor FCR within the module runs independently, but synchronously executes the same application code in a lock step manner. Each processor performs 2oo3 voting on data from the I/O bus through an input voting device, and sends its own output to the I/O module through three independent bus channels. In the output module, compare the channels again. If one channel of data is inconsistent with the other two channels, the system recognizes it as a fault and automatically cuts off the faulty channel, continuing to operate in 2oo3 mode.

In addition, there is an independent fault containment zone FCR D inside the front panel, which does not participate in safety logic calculations but is responsible for driving the front panel LED, diagnostic serial port, IRIG-B interface, and fault/safety relays. This partition design ensures that non safety function failures do not affect the integrity of safety functions.

Hardware installation and precautions

3.1 Module insertion and removal

The Trusted TMR processor must be installed in the T8100 processor slot (usually located on the leftmost side of the controller rack, slot 0). Installation steps:

Ensure that the adapter unit (such as T8120, used to output IRIG-B and serial signals) is correctly installed on the back of the rack.

Use the unlock key to release the pop-up buckles at the top and bottom of the module, allowing it to fully open.

Grasp the buckle and smoothly push the module into the slot. After the current panel LED lights up, continue pushing it all the way until the module is fully seated.

Close the buckle and hear a "click" sound to confirm locking.

Notes:

The module contains static sensitive components inside, and it is strictly prohibited to touch the connector pins. The housing cannot be disassembled.

If you feel too much resistance, do not forcefully push in. Instead, pull out and check if the pin is bent.

Record the module model, version, and serial number before installation.

3.2 External I/O connector (PL1)

PL1 is a 48 pin DIN41612 E-type connector that provides the following key signals (partially):