Introduction: When the safety system processor lights up red
In process industries, oil and gas pipelines, nuclear power auxiliary facilities, and large rotating machinery protection systems, the failure or replacement of the core processor of a Safety Instrumented System (SIS) puts far more pressure on engineers than an ordinary control system does, because any incorrect operation may result in equipment shutdown, production interruption, or even personal injury. Rockwell Automation's Trusted® TMR processor (common models T8111 and the earlier T811B) is the main computing and control center of this type of safety system, so a clear set of technical guidance and troubleshooting methods is essential when it malfunctions or when a discontinued model needs to be upgraded.
Based on the Trusted TMR Processor product manual (ICSTT-RM038) and engineering practice, this article analyzes the processor's triple modular redundancy (TMR) architecture, hardware characteristics, installation and configuration, fault diagnosis, and scan time estimation in detail. Whether you are an engineer maintaining a legacy Trusted system or designing a new SIL 3 safety logic controller, this article provides actionable reference material.
2. Product overview: why Trusted processors can achieve SIL 3
2.1 Overview of Core Features
The Trusted TMR processor is the main processing component of the Trusted® system. It adopts a triple modular redundancy (TMR) and hardware-implemented fault tolerance (HIFT) architecture, with three independent processor fault containment regions (FCRs) in a single module. Each FCR includes an NXP PowerQUICC II series processor, local memory (EPROM, DRAM, Flash ROM, Flash RAM), and voting logic.
Key features include:
TMR fault tolerance: supports the 3-2-0 degradation mode (two-out-of-three operation tolerates one failure; a second failure leads to a safe shutdown).
Fast fault identification and response: dedicated hardware and software test mechanisms give a fault detection time much shorter than the time required for the safety action.
Hot replacement: no need to reload the program; a newly inserted module is automatically educated (synchronized) by the running processor.
IEC 61131-3 programming languages: complies with the international standard and simplifies development of safety logic.
IRIG-B time synchronization: supports the B002 (RS422 level) and B122 (amplitude-modulated) formats for high-precision sequence-of-event recording.
Front panel diagnostic port: RS232 serial port used for system monitoring, configuration, and programming.
Redundant fault relays: Fault and Fail relays, indicating non-fatal and fatal system faults respectively.
Serial ports: two configurable RS422/485 serial ports and one RS485 serial port, supporting Modbus RTU slave.
SIL 3 certification: suitable for applications at the highest safety integrity level per IEC 61508.
2.2 Internal structure and voting mechanism of the module
Each processor FCR in the module runs independently but executes the same application code synchronously in lock step. Each processor performs 2oo3 voting on the data from the I/O bus through an input voter, and sends its own output to the I/O modules over three independent bus channels. The output module compares the three channels again: if one channel's data disagrees with the other two, the system flags it as a fault, automatically isolates the faulty channel, and continues to operate in 2oo3 mode.
In addition, an independent fault containment region, FCR D, sits behind the front panel. It does not take part in safety logic calculations but drives the front panel LEDs, the diagnostic serial port, the IRIG-B interface, and the Fault/Fail relays. This partitioning ensures that a failure of a non-safety function does not affect the integrity of the safety functions.
3. Hardware installation and precautions
3.1 Module insertion and removal
The Trusted TMR processor must be installed in the T8100 processor slot (usually located on the leftmost side of the controller rack, slot 0). Installation steps:
Ensure that the adapter unit (such as T8120, used to output IRIG-B and serial signals) is correctly installed on the back of the rack.
Use the unlock key to release the pop-up buckles at the top and bottom of the module, allowing it to fully open.
Grasp the buckles and push the module smoothly into the slot. Once the front panel LEDs light up, continue pushing until the module is fully seated.
Close the buckle and hear a "click" sound to confirm locking.
Notes:
The module contains static-sensitive components; touching the connector pins is strictly prohibited, and the housing must not be opened.
If you feel too much resistance, do not forcefully push in. Instead, pull out and check if the pin is bent.
Record the module model, version, and serial number before installation.
3.2 External I/O connector (PL1)
PL1 is a 48-pin DIN41612 E-type connector. Its key signals include (partial list):

Pin | Signal | Function
--- | --- | ---
2 | Fault relay (NC) | Relay is energized while the system is healthy and released on a fault
4 | Fault relay (COM) |
6 | Fault relay (NO) |
8, 10 | Serial port 1 (RS485) |
12, 14 | Serial port 2 (RS422/485 TX/RX) |
16, 18, 20, 22 | Serial port 3 (RS422/485) |
24, 26 | 24 V PSU low-voltage warning / fault shutdown |
To use IRIG-B and serial port, the processor interface adapter T8120 must be installed (for the T8111 model, a special adapter is not required in some cases, please refer to the manual for details). T811B requires a T812X adapter.
3.3 Fault/Safety Relay Wiring
The Fault and Fail relays are both normally energized: while the system is healthy the relay coil is energized, the NO contact is closed and the NC contact is open. Once a fault occurs the relay loses power and the contact state flips.
Fault relay: trips when the system detects a recoverable fault (such as a single FCR fault or a channel discrepancy); the front panel system health LED flashes red.
Fail relay: trips when two of the three processors are declared faulty and the system is about to shut down, because it can no longer operate safely.
Note that in an Active/Standby configuration the Standby processor drives the relay outputs, so even if the Active module fails, the relay state seen by external monitoring circuits does not change because of the switchover.

4. Key points of system configuration
The Trusted TMR processor needs no hardware jumpers; all configuration is done through the System.INI file and the Toolset (IEC 61131-3 programming environment). The parameters that most affect system behaviour and safety functions are described below.
4.1 Channel discrepancy time (discrepancy_val)
For TMR input/output modules, when the readings of the three channels differ for longer than the set time, the system reports a channel discrepancy fault. The default value is 2000 ms. This value should be greater than the maximum normal settling time of the field signal, but less than half of the process safety time. Format:
Discrepancy_val=2000 (unit: ms)
Related parameters include:
Dualdiscrepancy_val - used for Dual I/O modules
Ana_discrepancy_val - analog inputs, in units of 512 counts/volt; default 40, approximately 78 mV
Do-discrepancy_val - discrepancy threshold for digital output channels
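As an added illustration (not from the manual or from Rockwell's tooling), the following Python snippet checks the Discrepancy_val in a constructed System.INI fragment against the two bounds given above, and converts an analog threshold from counts to millivolts; the settling time and process safety time figures and the plain key=value line format are assumptions.

```python
import re

# Constructed System.INI fragment (assumed plain key=value lines; values in ms)
SYSTEM_INI = """
; constructed sample, not a real site file
Discrepancy_val=2000
"""
COUNTS_PER_VOLT = 512  # analog discrepancy unit quoted in the text


def parse_ini(text):
    """Return {key_lower: int} for every 'key=value' line; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*)\s*=\s*(-?\d+)\s*$", line)
        if m:
            params[m.group(1).lower()] = int(m.group(2))
    return params


def analog_threshold_mv(counts):
    """Convert an analog discrepancy threshold in counts to millivolts (40 -> ~78 mV)."""
    return counts * 1000.0 / COUNTS_PER_VOLT


def check_discrepancy(params, settle_ms, pst_ms):
    """Apply the sizing rule from the text to Discrepancy_val.

    settle_ms: worst-case normal settling time of the field signal (assumed figure).
    pst_ms:    process safety time (assumed figure).
    Returns a list of findings; an empty list means the value is within both bounds.
    """
    val = params.get("discrepancy_val", 2000)  # 2000 ms is the documented default
    findings = []
    if val <= settle_ms:
        findings.append(f"Discrepancy_val={val} ms is not above the settling time "
                        f"({settle_ms} ms): spurious channel discrepancy faults likely")
    if val >= pst_ms / 2:
        findings.append(f"Discrepancy_val={val} ms is not below half the process "
                        f"safety time ({pst_ms / 2:.0f} ms): fault detection too slow")
    return findings


if __name__ == "__main__":
    p = parse_ini(SYSTEM_INI)
    print(f"analog default 40 counts = {analog_threshold_mv(40):.1f} mV")
    print(check_discrepancy(p, settle_ms=500, pst_ms=10000))   # within bounds: []
    print(check_discrepancy(p, settle_ms=500, pst_ms=3000))    # one finding
```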
4.2 IRIG-B time synchronization configuration
Check the "Inter Range Instrumentation Group" area in the Toolset system configuration, select the mode (B002 or B122), and enable LED monitoring (User2 LED flashing once per second indicates receiving a valid IRIG signal).
Common fault: the IRIG source outputs TTL level instead of RS422 level, so the module cannot decode it. Once the settings are correct, the time synchronizes automatically after the module starts. If the System Healthy LED flashes red and "48 IRIG: Maximum update interval exceeded" appears in the MP log, use the diagnostic port: IRIG S checks the status and IRIG I shows the register details.
Definition of Status Register Bit:
Bit1: IRIG-B002 input exists
Bit2: IRIG-B122 input exists
Bit3: Time valid (only for seconds)
4.3 Scan time estimation
The composite scan time of the safety system directly determines its safety response speed. It consists of four parts:
Input module scanning time=1.3 ms x number of high-density input modules
Output module scanning time=1.6 ms x number of high-density output modules
Application execution time ≈ 0.08 ms x (number of input and output modules) or 0.013 ms x application size (KB)
Communication overhead ≈ 1.25 ms x number of I/O modules x number of communication modules
For example, a system with 4 T8403 digital inputs, 1 T8431 analog input, and 2 T8451 digital outputs (a total of 7 I/O modules and 2 communication modules):
Input scan: 1.3 × 5=6.5 ms
Output scan: 1.6 × 2=3.2 ms
Application execution: 7 × 0.08=0.56 ms
Communication: 7 × 1.25 × 2=17.5 ms
The total is about 27.8 ms. It can be further optimized through "scheduled polling" and "exception writing".
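Reproducing the estimate above in code, as an added example rather than anything from the manual: the constants are the per-module figures quoted in the text, the part-number classification is taken from the worked example, and the list-of-pairs input format is an assumption.

```python
from dataclasses import dataclass

# Per-module figures quoted in the text (milliseconds)
INPUT_SCAN_MS = 1.3         # per high-density input module
OUTPUT_SCAN_MS = 1.6        # per high-density output module
APP_EXEC_PER_IO_MS = 0.08   # application execution, per I/O module
APP_EXEC_PER_KB_MS = 0.013  # application execution, per KB of application
COMMS_MS = 1.25             # per I/O module, per communication module

# Assumed classification of the part numbers used in the worked example
MODULE_KIND = {"T8403": "input", "T8431": "input", "T8451": "output"}


@dataclass
class ScanEstimate:
    input_scan: float
    output_scan: float
    app_exec: float
    comms: float

    @property
    def total(self):
        return self.input_scan + self.output_scan + self.app_exec + self.comms


def estimate_scan_time(modules, comm_modules, app_size_kb=None):
    """Composite scan time for a list of (part_number, quantity) pairs.

    comm_modules: number of communication modules.
    app_size_kb:  if given, application execution uses the 0.013 ms/KB figure
                  instead of the per-I/O-module figure.
    """
    n_in = sum(q for part, q in modules if MODULE_KIND[part] == "input")
    n_out = sum(q for part, q in modules if MODULE_KIND[part] == "output")
    n_io = n_in + n_out
    if app_size_kb is None:
        app_exec = APP_EXEC_PER_IO_MS * n_io
    else:
        app_exec = APP_EXEC_PER_KB_MS * app_size_kb
    return ScanEstimate(
        input_scan=INPUT_SCAN_MS * n_in,
        output_scan=OUTPUT_SCAN_MS * n_out,
        app_exec=app_exec,
        comms=COMMS_MS * n_io * comm_modules,
    )


if __name__ == "__main__":
    est = estimate_scan_time([("T8403", 4), ("T8431", 1), ("T8451", 2)], comm_modules=2)
    print(f"input {est.input_scan:.2f} ms, output {est.output_scan:.2f} ms, "
          f"app {est.app_exec:.2f} ms, comms {est.comms:.2f} ms, total {est.total:.2f} ms")
```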
5. Operation and monitoring
5.1 Interpretation of Front Panel LED
LED | Steady green | Flashing | Red | Off
--- | --- | --- | --- | ---
Healthy A/B/C | FCR healthy | - | Fatal fault | -
Active | Active mode | - | - | Inactive
Standby | Standby mode | Just switched from Active to Standby | - | -
Educate | Educated | Education in progress | - | Not educated / program stopped
Run | Normal run | - | - | Program stopped
Inhibit | I/O locked or switchover disabled | - | - | -
System Healthy | System healthy | Startup / fault / self-test failure / module error | - | Illegal state
User1/2 | Controlled by the application | | |

A Healthy LED flashing red indicates a non-fatal fault (such as a single-channel abnormality).
When the Healthy LED flashes red, the system will automatically switch to the Standby processor (if present), and the faulty processor needs to be replaced.
5.2 Maintenance Enable Key Switch and Fault Reset Button
Key switch: the Run position locks the memory; the Maintain position allows programs to be downloaded from the engineering workstation.
Fault reset button: Clear all recorded faults and reset the fault counter. Attention: Although the system LED may return to green after pressing, the accumulated intermittent fault records will be lost. It is recommended to record the fault code first and then reset.
6. Active/Standby switching and troubleshooting
6.1 When to use dual processor configuration
In critical applications, a second Trusted TMR processor can be installed as a hot spare in the companion slot (the right-hand processor slot). The Standby module runs its diagnostics and continuously receives data updates from the Active module; when the Active module fails, the system performs a bumpless switchover automatically.
Trigger conditions for switching:
An unrecoverable error has been detected internally in the Active module (such as the Healthy LED flashing red)
The operator opens the pop-up buckle of the Active module (in dual machine configuration)
Send switch command through diagnostic port
Important warning: never forcibly unplug a module while it indicates Active mode; otherwise all I/O modules enter their default shutdown state.
6.2 Standard steps for replacing faulty processors
Assuming that Active module A is faulty, prepare to insert a new module B:
Insert the new module B into the empty slot (Standby position). After initialization, B becomes Standby and its Educate LED stays on.
At this point the Inhibit LED may flash, indicating that switchover is inhibited because of I/O forcing or another reason. If Inhibit is lit, check whether any I/O is forced and cancel the force before continuing.
Pull out the new module B and reinsert it.
After the second insertion, B again initializes as Standby, but this time switchover is allowed (Inhibit is off).
The system automatically raises B to Active, and the original faulty module A becomes Standby (its Healthy LED will flash red).
It is now safe to remove faulty module A for repair.
Note: If the original Active module has not completely failed but needs to be replaced (such as firmware upgrade), a new module can be inserted as Standby, and then the pop-up buckle of the original Active module can be opened to trigger manual switching.

7. Common troubleshooting guide

Phenomenon | Possible cause | Solution
--- | --- | ---
Module cannot be inserted | Rear adapter misaligned; bent pin | Check the adapter; inspect the pins with a magnifying glass and do not straighten them yourself; contact the vendor for repair
Healthy LED completely off after power-on | Backplane power missing or fuse blown | Measure the 24 Vdc input of the backplane; check the rack power module
One Healthy (A/B/C) LED flashing red | Non-fatal fault in the corresponding FCR (such as a memory ECC error or brief communication loss) | Record the fault code and reset; if it recurs, replace the module
System Healthy LED flashing red | System fault: IRIG synchronization timeout, I/O module error, Active/Standby mismatch | View the MP log; check the IRIG signal; check the status of all I/O modules
Active and Standby cannot switch | I/O forced; inconsistent configuration between the two modules | Cancel the forces; ensure both modules run the same firmware version and System.INI
Abnormal serial communication | Wiring error; baud rate/protocol mismatch | Check the PL1 pin definitions; confirm the Modbus slave address and serial port mode (RS485 half/full duplex)
IRIG time does not update | Wrong signal type (B002 supplied as TTL instead of RS422); amplitude too low | Measure the signal: the IRIG-B002 differential voltage should be about 1.5 V and the B122 peak-to-peak value should be at least 0.25 V
8. System isolation and safety design
The Trusted TMR processor meets the requirements of IEC 61508 SIL 3 for hardware fault tolerance and systematic safety. Its isolation characteristics include:
Power supply isolation: Each FCR's 24 Vdc power supply is independent and isolated through a backplane.
Diagnostic serial port isolation: The isolation voltage between the RS232 port on the front panel and FCR D is 50 V basic insulation (continuous), and can reach 250 V basic insulation in case of a fault.
Rear serial port and IRIG port: isolated from the module to avoid external interference affecting safety logic.
Grounding suggestion: The GND of the module and the FG of the rack should be connected internally, and the user equipment should connect the two together and uniformly connect them to the system grounding terminal.
9. Upgrade and replacement strategy
For users who use the earlier model T811B and need to replace it with T8111, please note:
T8111 has a larger internal memory, with a maximum application size of 960 KB (T811B is smaller). However, applications larger than 860 KB may not be able to switch to T810B, so compatibility of application sizes should be ensured when mixed use.
T8111 provides more flexible support for IRIG-B and may not require an additional T8120 adapter (depending on hardware version). Suggest checking the latest release note.
Replacement steps: First, insert the new T8111 into the Standby slot, and switch after successful education; If the application is compatible with the firmware, it can be seamlessly upgraded.
When replacing discontinued modules, the Trusted TMR processor is one of the safest choices. However, because of its complexity and safety responsibilities, any replacement must be carried out by trained personnel, strictly following the "Active/Standby Transfer" procedure in the manual.
