Triconex Tricon v9-v11 fault-tolerant control system: triple module redundant architecture and high availability design

Triconex Tricon v9-v11 fault-tolerant control system: triple module redundant architecture and high availability design

Introduction

In key process industries such as refining, chemical, power, and offshore oil and gas, the reliability and safety of control systems are directly related to production safety, environmental protection, and economic benefits. Traditional single PLC or relay systems often face the risk of single point failure when facing component hard faults or electrical transient interference, which may lead to unplanned shutdowns or even safety accidents. To address this challenge, the Tricon controller is designed based on a triple module redundancy architecture, aiming to provide error free and uninterrupted control outputs, and automatically detect and compensate for errors in the event of permanent hardware failures or environmental disturbances, ensuring the continuous operation of the system. This article will combine the Tricon v9-v11 system planning and installation guide to provide a detailed analysis of its fault-tolerant architecture, hardware composition, operating principles, and high availability design features.

Core architecture: Triple module redundancy and deep fault tolerance

The fault tolerance of the Tricon controller is fully built upon its unique triple module redundant architecture. This architecture runs through the entire system, from input acquisition, processing through the main processor, to final output driving, forming three completely isolated parallel control branches. Each branch independently executes user written control programs and exchanges and synchronizes data through a proprietary high-speed bus system - TriBus.

1.1 Triple Parallel Processing and Hardware Voting Mechanism

The three main processors in the system form a "triple", with each main processor controlling a system channel. At the beginning of each scanning cycle, the three main processors synchronize through TriBus. For digital input data, TriBus performs hardware voting, which compares data from three branches and determines the final valid value based on the principle of "2-out-of-3". Only when at least two branches have consistent data, the corresponding input state is adopted to filter out abnormal signals caused by single branch faults or interference.

For analog inputs, TriBus uses the median selection algorithm. The three main processors asynchronously transmit the analog values measured by their respective channels to the neighboring processors. After receiving the three measurement values, each processor automatically selects the intermediate value as the effective control input. This design not only filters out measurement bias caused by single point faults, but also ensures that even if a sensor drifts or experiences local faults, the control data remains reliable.

1.2 Four fold redundant voting and online diagnosis of output module

To ensure fault tolerance at the output end, the Tricon controller adopts a more complex voting mechanism at the output module level. Except for some dual DC modules, all digital output modules use a patented quad Voter circuit. This circuit is based on a parallel series path, and only drives the load when the drive channels A and B, or B and C, or A and C issue a closing command. This "2 out of 3" hardware voting provides multiple redundancies for all critical signal paths, ensuring safe output not only in the event of a single failure, but also enabling online detection and isolation of faulty output drivers.

The output module also has a comprehensive online diagnostic function built-in. Each output point performs a specific output voting diagnosis. During the OVD execution process, the command state of each point is instantly reversed on a certain output driver. Through the internal read back function of the module, each microprocessor reads the output value to determine whether there is a potential fault in the output circuit. The OVD strategy ensures unrestricted operations in various fault scenarios.

1.3 Online hot standby and uninterrupted maintenance capability

Another key advantage of the Tricon architecture is its excellent online maintenance capability. The system supports two online repair methods: hot standby usage and online module replacement.

In hot standby usage, a logical slot contains two identical I/O modules. One is active, and the other is powered on but inactive. The Tricon system cycles control between these two healthy I/O modules approximately once per hour to ensure that each module undergoes comprehensive diagnostic testing on a regular basis. If a fault is detected on one module, Tricon will automatically switch to another module, ensuring that the system continues to have three healthy channels. Subsequently, the faulty module can be removed and replaced.

The online module replacement rule provides another flexibility. Even if only one I/O module is usually installed in the slot, the fault indicator light may light up when a fault occurs, but the module may still be working properly on both channels. At this point, technicians can insert a new module into the unused space in the slot. Once the replacement module passes the self diagnostic test, Tricon will grant it control. When the new I/O module becomes the active module, the original faulty module can be pulled out and sent for repair. This repair method demonstrates that the Tricon controller can automatically downgrade from triple redundancy mode to dual redundancy mode and then return to triple mode without interrupting the entire process.

System configuration and modular component ecosystem

A complete Tricon system consists of one main rack and up to 14 expansion racks or remote expansion racks, supporting up to 118 I/O modules and communication modules. The system configuration follows strict rules to maximize reliability and availability.

2.1 Rack Layout and Power Redundancy

There are two power modules installed on the left side of all racks, using a dual redundancy configuration. Each module has the ability to independently supply power to all modules in the rack and supply power to two independent power rails on the backplane. This design ensures that any power failure will not affect system performance. On the right side of the power module in the mainframe, there are three main processors. The rest of the host is divided into six logical slots for installing I/O and communication modules, as well as a communication (COM) slot without a hot spare position. The layout of the expansion rack is similar, but it provides eight logical slots for the I/O modules.

In addition, the Tricon v11 series also introduces high-performance host racks (such as the 8120E), which support higher speed main processors (such as the 3009) and unified communication modules (UCM). In the 8120E rack, the TriBus speed can reach 1000 Mbps, significantly improving the system's data throughput and response speed in large and complex applications.

2.2 Rich family of I/O and communication modules

Tricon offers an extremely comprehensive module product line to meet various application needs.

Digital quantity module: Provides multiple digital input modules, including TMR (Triple Redundancy) and single module. The TMR digital input module supports self checking to detect the "stuck ON" state, which is crucial for implementing a safety system with "disabled tripping". There are various types of output modules, including dual channel, supervisory, DC, and AC voltage modules. The supervised digital output module is designed specifically for outputs that require long-term maintenance of a single state, with complex online diagnostic functions that can detect on-site faults such as power outages, fuse failures, load loss, or short circuits.

Analog module: including analog input and output modules. The analog input module measures asynchronously through three channels and uses the median selection algorithm. Supports multiple signal types, such as 0-5VDC, 4-20mA, as well as thermocouples and thermistors. The analog output module continuously checks the correctness of the output by reading back the input, and automatically switches to other channels when the drive channel fails.

Communication module: Provides multiple interfaces to connect different host systems and networks.

Tricon Communication Module (TCM): Compatible with v10.0 and later systems, supports Ethernet (802.3) and serial (RS-232/RS-485) communication, and can be used for Modbus master/slave devices, TriStation programming tools, GPS clock synchronization, and network printing.

Enhanced Intelligent Communication Module (EICM): Supports serial communication, interfaces with Modbus master/slave devices, TriStation, and printers.

Network Communication Module (NCM): Supports Ethernet communication for Triconex proprietary protocols and applications, and supports OPC servers.

Advanced Communication Module (ACM): serves as an interface with the Foxboro Intelligent Automation I/A Series Distributed Control System.

Safety Management Module (SMM) and High Speed Interface Module (HIM): used to connect Honeywell General Control Network and Data High Speed respectively, achieving integration with TDC 3000 DCS.

2.3 Remote Expansion (RXM) and Long Distance Transmission

The Tricon controller supports placing I/O at a distance of up to 7.5 miles (12 kilometers) from the host rack using RXM (Remote Expansion Module) and SRXM (Single Mode Fiber) modules. The RXM rack can contain one RXM module set and six logical slot I/O modules. Multimode fiber optic cables can be used to support three remote RXM racks or expansion racks, while single-mode fiber optic cables support one remote rack. This remote expansion capability provides great flexibility for decentralized on-site layout, while ensuring excellent electromagnetic interference resistance through fiber optic transmission.

2.4 On site wiring options

To facilitate on-site wiring and allow for replacement of I/O modules without interfering with on-site wiring, Tricon offers two options: external wiring panel and fan out cable. ETP is an electrically passive printed circuit board, and on-site wiring can be easily connected to its terminal blocks. Fan out cable is a low-cost alternative solution, with one end connected to the Tricon rack backplane and the other end providing 50 fan out leads. The system also provides multiple options including a wiring panel with isolation relays, a digital input bypass panel, and an explosion-proof wiring panel for hazardous locations.

Communication capability and network integration

The Tricon controller is not only a fault-tolerant execution unit, but also a powerful communication hub that supports multiple industry standard protocols and can seamlessly integrate with upper level management systems and other security systems.

3.1 Modbus and Ethernet Integration

Through TCM or EICM, Tricon can serve as a Modbus master or slave, compatible with Modbus interfaces from numerous suppliers' DCS such as ABB, Bailey, Fisher Rosemount, and Yokogawa. This integration method allows DCS to monitor the status of Tricon as the host, or allow Tricon to control Modbus slave devices (such as alarms, bypass switches on non critical PLCs) during non critical tasks.

NCM and TCM support IEEE 802.3 Ethernet protocol for higher bandwidth and open network requirements. This allows Tricon to connect to external host computers, operator workstations, and participate in OPC networks based on TCP-IP/UDP-IP protocols.

3.2 proprietary protocols and peer-to-peer networks

Triconex provides a proprietary protocol to optimize data exchange between security systems.

Peer to peer protocol: allows limited but critical process and security information to be exchanged between multiple Tricon controllers in a proprietary peer-to-peer network. This protocol is equal for every node in the network, and any node can initiate data transmission. This is very suitable for large factories that require sharing alarms or process status among multiple safety controllers.

Time synchronization protocol: used to maintain a unified and consistent time reference throughout the entire Tricon network or connected DCS. This is crucial for event analysis that requires precise time-series recording (SOE).

TriStation protocol: TriStation protocol is a master/slave protocol in which the host communicates with the slave via Ethernet.

TSAA: Allow external host applications (such as operating interfaces, data loggers) to interact with one or more Tricon controllers for reading and writing data through an open network.

3.3 Deep integration with DCS system

In addition to the universal Modbus and OPC, Tricon has achieved tight integration with mainstream DCS through dedicated modules.

Foxboro I/A series: Through ACM, Tricon serves as a secure node on the I/A series Nodebus, transmitting all Tricon alias data, diagnostic information, and system variables to the Foxboro operator workstation in a format familiar to Foxboro operators.

Honeywell TDC 3000: Connected to UCN through SMM or high-speed data through HIM, Tricon can transmit the processing results of critical I/O points to DCS, propagate alarms, and support peer-to-peer communication between DCS and Tricon.

3.4 Data Security and Redundancy Design

At the communication level, Tricon also adheres to its fault-tolerant philosophy. Module redundancy can be achieved by installing paired TCM, NCM, or ACM in the same logical slot and connecting their network nodes with two sets of cables. This design allows for communication continuity to be maintained in the event of cable breakage, intermittent connections, port failures, or module failures. External host redundancy can also be achieved by connecting a backup host on the network.

International certification and adaptability to harsh environments

The Tricon controller has obtained multiple international certifications to ensure its compliance and reliability worldwide. These certifications include:

CSA and FM certification: Compliant with electrical safety standards and approved for use in hazardous locations and general industrial environments.

T Ü V Certification: Compliant with IEC 61508 Functional Safety Standard (SIL 1-3), suitable for emergency safety shutdown, fire and gas detection, burner management, and other applications.

European Union CE Marking: Compliant with Electromagnetic Compatibility (EMC) and Low Voltage Equipment Directive.

In addition, the Tricon system has been tested and can operate in G3 level (harsh) environments that comply with the ISA S71.04 standard. This includes exposure testing of temperature, humidity, and corrosive gas mixtures, demonstrating their long-term durability under harsh industrial conditions. For marine environments, specific coating modules and Bureau Veritas certification ensure stable operation under high salt spray and vibration conditions.

Detailed explanation of main processor and bus system

5.1 Evolution of Main Processor: From Model 3006 to 3009

The Tricon v9-v11 series supports multiple generations of main processors, continuously improving performance and capacity:

Model 3006/3007: Supports v9.0 to v9.5. x systems, with a 32-bit central processing unit, SRAM capacity of 2MB or 1MB, and TriBus speed of 4 Mbps.

Model 3008: Supports v9.6 to v10. x systems, using Motorola processors, 16 MB DRAM, 32 KB SRAM, and TriBus speed increased to 25 Mbps.

Model 3009: Dedicated to v11. x systems, featuring a dual core processor, 256 MB DRAM, 2 MB SRAM, and equipped with SD card flash memory. When used in the 8120E rack, TriBus has a speed of up to 1000 Mbps and supports unified communication modules.

All main processors include independent I/O processors, communication processors, and TriBus FPGAs for data synchronization and voting. They are powered by dual power rails and have an RS-232 diagnostic port for technical analysis.

5.2 TriBus, I/O Bus, and Communication Bus

The Tricon backplane has etched a triple bus system:

TriBus: Used for data exchange between three main processors, hardware digital input voting, and control program variable comparison. Its speed varies from 4 Mbps to 1000 Mbps depending on the processor model, using fully isolated serial channels and DMA transmission.

I/O bus: Triple RS-485 bidirectional communication port with a speed of 375 kbps, connecting the host rack and expansion rack. It transfers input data from the I/O module to the main processor and outputs data from the main processor to the output module.

Communication bus: runs between the main processor and communication module, with a speed of 2 Mbps and supports broadcast mechanism.

These bus systems together form the high-speed, fault-tolerant data transmission network of the Tricon system, ensuring real-time and consistent control logic.

Power system and comprehensive alarm

Power supply is the foundation of any control system, and Tricon adopts a dual redundant and high-efficiency power supply design. Each rack contains two power modules, such as 120 VAC, 24 VDC, or 230 VAC modules. Each power module obtains power from the backplane and has an independent power regulator for each channel. They supply power to two independent power rails on the backplane and have built-in diagnostic circuits to check for voltage out of range and over temperature conditions. The power module also provides a set of alarm contacts (normally open and normally closed), which are activated in the event of any power failure or overheating warning to summon maintenance personnel. This design ensures that the controller can continue to operate even in the event of a complete failure of a single power supply.

Model Supplement

1. Controller model

Tricon v9.x

Tricon v10.x

Tricon v11.x

2. Chassis model

Model Description

8110 Main Chassis

8120E Enhanced Performance Main Chassis

8111 Expansion Chassis

8121 Enhanced Low-Density Expansion Chassis

8112 RXM Chassis

8110ATEX ATEX Main Chassis

8111ATEX ATEX Expansion Chassis

8112ATEX ATEX RXM Chassis

3. Model of power module

Model Description

8310 120 VAC/DC Power Module

8311 24 VDC Power Module

8312 230 VAC Power Module

8310N2 120 VAC/DC Power Module (Nuclear)

8311N2 24 VDC Power Module (Nuclear)

8312N2 230 VAC Power Module (Nuclear)

4. Main processor model

Model Description

3006 Main Processor (Tricon v9)

3007 Main Processor (Tricon v9)

3008 Enhanced Main Processor III, 16 MB

3009 Enhanced Main Processor, 256 MB

5. RXM/SRXM module model

Model Description

4200-3 Primary RXM Module Set (multi-mode)

4201-3 Remote RXM Module Set (multi-mode)

4210-3 Primary SRXM Module Set (single-mode)

4211-3 Remote SRXM Module Set (single-mode)

6. Model of analog input module

Model Description

3700 0-5 VDC TMR Analog Input

3700A 0-5 VDC TMR Analog Input

3701 0-10 VDC TMR Analog Input

3703E 0-5/10 VDC Isolated TMR Analog Input

3704E 0-5/10 VDC High-Density TMR Analog Input

3720 0-5 VDC High-Density Single-Ended TMR AI

3721 0-5 VDC or -5 to +5 VDC Differential TMR AI

7. Model of analog output module

Model Description

3805E 4-20 mA TMR Analog Output

3805H 4-20 mA TMR Analog Output (high load)

3806E 6×4-20 mA + 2×20-320 mA TMR Analog Output

3807 Bipolar -60 to +60 mA TMR Analog Output

8. Model of digital input module

Model Description

3501E/T 115 VAC/VDC TMR Digital Input

3502E 48 VAC/VDC TMR Digital Input

3503E 24 VAC/VDC TMR Digital Input

3504E 24/48 VDC High-Density TMR Digital Input

3505E 24 VDC Low-Threshold TMR Digital Input

3564 24 VDC Single Digital Input

9. Model of digital output module

Model Description

3601E/T 115 VAC TMR Digital Output

3603B 120 VDC TMR Digital Output

3603E/T 120 VDC TMR Digital Output

3604E 24 VDC TMR Digital Output

3607E 48 VDC TMR Digital Output

3611E 115 VAC Supervised TMR Digital Output

3613E 120 VDC Supervised TMR Digital Output

3614E 24 VDC Supervised TMR Digital Output

3615E 24 VDC Low-Power Supervised TMR Digital Output

3617E 48 VDC Supervised TMR Digital Output

3623/T 120 VDC Supervised TMR Digital Output

3624 24 VDC Supervised TMR Digital Output

3625/A 24 VDC Supervised/Non-Supervised TMR Digital Output

3636R/T Relay Output (Non-Triplicated)

3664 24 VDC Dual Digital Output

3674 24 VDC Dual Digital Output

10. Model of pulse input module

Model Description

3510 Pulse Input TMR

3511 Pulse Input TMR

3515 Pulse Totalizer Input TMR

11. Model of thermocouple input module

Model Description

3706A Non-Isolated Thermocouple Input TMR

3708E Isolated Thermocouple Input TMR

12. Communication module model

Model Description

ACM (4609) Advanced Communication Module

EICM (4119/A) Enhanced Intelligent Communication Module

HIM Hiway Interface Module

NCM (4329) Network Communication Module

SMM Safety Manager Module

TCM (4351B, 4352B, 4353, 4354) Tricon Communication Module

UCM (4610) Unified Communication Module

13. Model of HART interface module

Model Description

2770H HART Interface Module

2870H HART Interface Module

14. Terminal panel model (some examples)

Model Description

9251-210 DO ETP for 3603B

9553-610 DI ETP, Basic, 24V

9561-110 DI ETP, 115V

9662-610 DO ETP for 3625/C

9765-210 AI ETP, Current Input

9853-610 AO ETP for 3805HC

15. Other accessory models

Model Description

9000 I/O Bus Cable Set

9001 I/O and Comm Bus Cable Set

8405 Chassis Mounting Bracket Kit

9420017-xxx ETA Blank Panel