Rockwell Trusted TMR Processor

Active/Standby Switching and Troubleshooting

6.1 When to use dual processor configuration

In critical situations, a second Trusted TMR processor can be installed as a hot spare in the Companion Slot (right processor slot). The Standby module runs diagnostics and continuously receives data updates from the Active module. When the Active module fails, the system automatically performs undisturbed switching.

Trigger conditions for switching:

An unrecoverable error has been detected internally in the Active module (such as the Healthy LED flashing red)

The operator opens the pop-up buckle of the Active module (in dual machine configuration)

Send switch command through diagnostic port

Important warning: Never forcefully unplug when the Active module indicates Active mode, otherwise it will cause all I/O modules to enter the default shutdown state.

6.2 Standard steps for replacing faulty processors

Assuming that Active module A is faulty, prepare to insert a new module B:

Insert the new module B into the empty slot (Standby position). After initialization, B becomes Standby and the Educated LED stays on.

At this time, the Inhibit LED may flash (indicating that switching is prohibited due to I/O forcing or other reasons). If Inhibit is on, check if any I/O is forced and cancel the force before continuing.

Pull out the new module B and then reinsert it.

After the second insertion, B will be initialized to Standby, but this time switching is allowed (Inhibit is disabled).

The system automatically raises B to Active, and the original faulty module A becomes Standby (its Healthy LED will flash red).

It is now safe to remove faulty module A for repair.

Note: If the original Active module has not completely failed but needs to be replaced (such as firmware upgrade), a new module can be inserted as Standby, and then the pop-up buckle of the original Active module can be opened to trigger manual switching.

Common troubleshooting guide

Possible causes and solutions for the phenomenon

The module cannot be inserted into the back adapter and is not aligned properly; Pin bending inspection adapter; Observe the pins with a magnifying glass and do not correct them on your own. Contact for repair

After power on, the Healthy LED is completely turned off and the backplane power supply is missing or the fuse is blown. Measure the 24 Vdc input of the backplane; Check the rack power module

A Healthy LED flashing red corresponds to a non fatal fault occurring in FCR (such as memory ECC error, brief communication loss). Record the fault code and reset according to the fault; If it repeatedly occurs, replace the module

System Healthy LED flashing red System failure: IRIG synchronization timeout, I/O module error, Active/Standby mismatch View MP logs; Check IRIG signal; Check the status of all I/O modules

Active and Standby cannot switch I/O forced; Cancel the mandatory configuration for the Standby module system due to inconsistent configuration; Ensure that both modules run the same version of firmware and System. INI

Serial communication abnormal wiring error; Check the definition of pin PL1 for baud rate/protocol mismatch; Confirm Modbus slave address and serial port mode (RS485 half duplex/full duplex)

IRIG time does not update signal type error (B002 provides TTL instead of RS422); The IRIG-B002 differential voltage should be about 1.5 V for low amplitude measurement; the B122 peak to peak value should be ≥ 0.25 V

System isolation and security design

The Trusted TMR processor meets the requirements of IEC 61508 SIL 3 for hardware fault tolerance and systematic safety. Its isolation characteristics include:

Power supply isolation: Each FCR's 24 Vdc power supply is independent and isolated through a backplane.

Diagnostic serial port isolation: The isolation voltage between the RS232 port on the front panel and FCR D is 50 V basic insulation (continuous), and can reach 250 V basic insulation in case of a fault.

Rear serial port and IRIG port: isolated from the module to avoid external interference affecting safety logic.

Grounding suggestion: The GND of the module and the FG of the rack should be connected internally, and the user equipment should connect the two together and uniformly connect them to the system grounding terminal.

Upgrade and replacement strategy

For users who use the earlier model T811B and need to replace it with T8111, please note:

T8111 has a larger internal memory, with a maximum application size of 960 KB (T811B is smaller). However, applications larger than 860 KB may not be able to switch to T810B, so compatibility of application sizes should be ensured when mixed use.

T8111 provides more flexible support for IRIG-B and may not require an additional T8120 adapter (depending on hardware version). Suggest checking the latest release note.

Replacement steps: First, insert the new T8111 into the Standby slot, and switch after successful education; If the application is compatible with the firmware, it can be seamlessly upgraded.

In the scenario of replacing discontinued modules, the Trusted TMR processor is one of the most secure choices. However, due to its complexity and security responsibilities, any replacement operation must be carried out by trained personnel and strictly follow the "Active/Standby Transfer" procedure in the manual.