Introduction
In key process industries such as refining, chemicals, power, and offshore oil and gas, the reliability and safety of control systems bear directly on production safety, environmental protection, and economic performance. A traditional single PLC or relay system has single points of failure: a hard component fault or an electrical transient can cause an unplanned shutdown or even a safety accident. To address this, the Tricon controller is built on a triple modular redundancy (TMR) architecture. It is designed to provide error-free, uninterrupted control outputs and to detect and compensate for errors automatically when permanent hardware failures or environmental disturbances occur, so that the system keeps running. Drawing on the Tricon v9-v11 system planning and installation guide, this article analyzes the controller's fault-tolerant architecture, hardware composition, operating principles, and high-availability design features.
Core architecture: Triple modular redundancy and deep fault tolerance
The fault tolerance of the Tricon controller rests entirely on its triple modular redundant architecture. The architecture runs through the whole system, from input acquisition, through processing in the main processors, to final output driving, forming three fully isolated parallel control branches. Each branch independently executes the user-written control program and exchanges and synchronizes data with the others over a proprietary high-speed bus system, TriBus.
1.1 Triple Parallel Processing and Hardware Voting Mechanism
The three main processors in the system form a "triple", with each main processor controlling one system channel. At the beginning of each scan cycle, the three main processors synchronize through TriBus. For digital input data, TriBus performs hardware voting: it compares the data from the three branches and determines the final valid value on the "2-out-of-3" principle. An input state is adopted only when at least two branches agree on it, which filters out abnormal signals caused by a fault or interference on a single branch.
For analog inputs, TriBus uses a median selection algorithm. The three main processors asynchronously transmit the analog values measured on their respective channels to the neighboring processors. Once it has all three measurements, each processor selects the middle value as the effective control input. This design filters out measurement bias caused by a single-point fault and keeps the control data reliable even if a sensor drifts or suffers a local fault.
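The two selection rules described above, written out as an added example (not Triconex firmware or code from the guide). The 32-point word width, the deviation tolerance `tol` and the `dissent`/`suspect` diagnostics are assumptions made for illustration; they show how the same comparison that masks a fault also points at the leg that caused it.

```c
#include <stdint.h>
#include <stdio.h>

/* Vote on one 32-point digital input word as read by legs A, B and C. */
typedef struct {
    uint32_t voted;      /* 2-out-of-3 result, one bit per input point */
    uint32_t dissent[3]; /* per leg: points where that leg was outvoted */
} dvote_t;

dvote_t vote_digital(uint32_t a, uint32_t b, uint32_t c)
{
    dvote_t r;
    r.voted = (a & b) | (b & c) | (a & c); /* bit is 1 if >= 2 legs read 1 */
    r.dissent[0] = a ^ r.voted;
    r.dissent[1] = b ^ r.voted;
    r.dissent[2] = c ^ r.voted;
    return r;
}

/* Mid-value selection for one analog point, plus an assumed diagnostic. */
typedef struct {
    int32_t value; /* median of the three readings */
    int suspect;   /* leg further than tol from the median: 0..2, -1 none */
} avote_t;

avote_t select_analog(const int32_t leg[3], int32_t tol)
{
    int32_t lo = leg[0] < leg[1] ? leg[0] : leg[1];
    int32_t hi = leg[0] < leg[1] ? leg[1] : leg[0];
    avote_t r = { leg[2] < lo ? lo : (leg[2] > hi ? hi : leg[2]), -1 };
    for (int i = 0; i < 3; i++) {
        int64_t d = (int64_t)leg[i] - r.value;
        if ((d < 0 ? -d : d) > tol)
            r.suspect = i; /* if two legs deviate, the last one is reported */
    }
    return r;
}

int main(void)
{
    /* Constructed sample: leg C has bit 4 stuck high and a railed reading. */
    dvote_t d = vote_digital(0x0Fu, 0x0Fu, 0x1Fu);
    int32_t counts[3] = { 1000, 1003, 4095 };
    avote_t a = select_analog(counts, 10);
    printf("voted=0x%02X dissentC=0x%02X\n",
           (unsigned)d.voted, (unsigned)d.dissent[2]);
    printf("analog=%d suspect=%d\n", (int)a.value, a.suspect);
    return 0;
}
```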
1.2 Quad-Redundant Voting and Online Diagnostics in the Output Module
To extend fault tolerance to the output side, the Tricon controller uses a more elaborate voting mechanism at the output module level. Except for some dual DC modules, all digital output modules use a patented quad voter circuit. The circuit is built from parallel-series paths and drives the load only when drive channels A and B, or B and C, or A and C issue a closing command. This "2-out-of-3" hardware voting provides multiple redundancy on every critical signal path, so the output stays safe after a single failure and faulty output drivers can be detected and isolated online.
The output module also has comprehensive online diagnostics built in. Each output point runs its own output voter diagnostic (OVD). During OVD execution, the commanded state of each point is momentarily reversed on one output driver. Using the module's internal read-back function, each microprocessor reads the output value to determine whether a latent fault exists in the output circuit. The OVD strategy ensures unrestricted operation in various fault scenarios.
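Why the OVD reverses the command instead of only reading it back, as an added example (a simplified model, not Triconex code). The three-driver model, the fault types and all function names are assumptions: a driver stuck in the state it is currently commanded to hold looks healthy on read-back and is exposed only when the command on that leg is reversed.

```c
#include <stdio.h>

typedef enum { DRV_OK, DRV_STUCK_ON, DRV_STUCK_OFF } drv_fault_t;

/* What one leg's output driver really does for a command (constructed model). */
static int drive(int cmd, drv_fault_t f)
{
    if (f == DRV_STUCK_ON)  return 1;
    if (f == DRV_STUCK_OFF) return 0;
    return cmd;
}

/* Voted load state: energised when A&B, B&C or A&C are closed. */
int load_state(int cmd, const drv_fault_t f[3])
{
    int a = drive(cmd, f[0]), b = drive(cmd, f[1]), c = drive(cmd, f[2]);
    return (a & b) | (b & c) | (a & c);
}

/* Read-back only: bitmask of legs whose driver differs from the command. */
int passive_check(int cmd, const drv_fault_t f[3])
{
    int faulty = 0;
    for (int leg = 0; leg < 3; leg++)
        if (drive(cmd, f[leg]) != cmd)
            faulty |= 1 << leg;
    return faulty;
}

/* OVD-style pass: reverse the command on one leg at a time and read it back.
 * Returns a bitmask of legs that did not follow the reversed command. */
int ovd_scan(int cmd, const drv_fault_t f[3])
{
    int faulty = 0;
    for (int leg = 0; leg < 3; leg++)
        if (drive(!cmd, f[leg]) != !cmd)
            faulty |= 1 << leg;
    return faulty;
}

int main(void)
{
    /* Constructed case: point commanded ON, leg B driver stuck ON. */
    const drv_fault_t f[3] = { DRV_OK, DRV_STUCK_ON, DRV_OK };
    printf("passive=0x%X ovd=0x%X load_if_off=%d\n",
           (unsigned)passive_check(1, f), (unsigned)ovd_scan(1, f),
           load_state(0, f));
    return 0;
}
```

In the constructed case the read-back alone reports no fault, the reversal flags leg B, and the voter would still de-energise the load on an OFF command because legs A and C outvote the stuck driver.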
1.3 Online hot standby and uninterrupted maintenance capability
Another key advantage of the Tricon architecture is its online maintenance capability. The system supports two online repair methods: use of a hot standby module and online module replacement.
With a hot standby, a logical slot contains two identical I/O modules. One is active, and the other is powered on but inactive. The Tricon system cycles control between these two healthy I/O modules approximately once per hour so that each module undergoes comprehensive diagnostic testing on a regular basis. If a fault is detected on one module, Tricon automatically switches to the other module, so the system continues to have three healthy channels. The faulty module can then be removed and replaced.
Online module replacement offers further flexibility. When a slot normally holds only one I/O module and a fault occurs, the fault indicator lights up, but the module may still be working properly on the remaining two channels. At this point, a technician can insert a new module into the unused space in the slot. Once the replacement module passes its self-diagnostic tests, Tricon grants it control. When the new I/O module has become the active module, the original faulty module can be pulled out and sent for repair. This repair method shows that the Tricon controller can drop automatically from triple redundancy mode to dual redundancy mode and then return to triple mode without interrupting the process.