The Tricon is designed with a fully triplicated architecture
throughout, from the input modules through the Main Processors
(MPs) to the output modules.
Theory of Operation
Fault tolerance in the Tricon is achieved
by means of a Triple-Modular Redundant (TMR) architecture. The Tricon
provides error-free, uninterrupted
control in the presence of either hard
failures of components, or transient
faults from internal or external sources.
tion. The hot-spare position can also be
used for online system repairs.
Main Processor Modules
A Tricon system contains three Main
Processor (MP) Modules to control
three separate legs of the system. Each
Main Processor operates in parallel
with the other two Main Processors, as
a member of a triad.
The Tricon is designed with a fully triplicated architecture throughout, from
the input modules through the Main
Processors to the output modules.
Every I/O module houses the
circuitry for three independent legs.
Each leg on the input modules reads
the process data and passes that
information to its respective Main
Processor. The three Main Processors communicate with each other
using a proprietary high-speed bus
Input
system called the TriBus.
Termination
Once per scan, the three Main
Processors synchronize and communicate with their two neighbors over
the TriBus. The Tricon votes digital
input data, compares output data,
and sends copies of analog input
data to each Main Processor.
The Main Processors execute the application and send outputs generated by
the application to the output modules.
The output data is voted on the output
modules as close to the field as
possible, which enables the Tricon to
detect and compensate for any errors
that might occur between the voting
and the final output driven to the field.
For each I/O Module, the system can
support an optional hot-spare module
which takes control if a fault is detected
on the primary module during opera-
The individual input table in each Main
Processor is transferred to its neighboring Main Processors over the proprietary TriBus. During this transfer,
hardware voting takes place. The
TriBus uses a Direct Memory Access
programmable device to synchronize,
transmit, vote and compare data among
the three Main Processors.
If a disagreement is discovered, the
signal value found in two out of three
Auto Spare
Auto Spare
Input
Leg
A
Input
Leg
B
I/O Bus
TriBus
Main
Processor
B
TriBus
Input
Leg
C
I/O Bus
Output
Leg
A
Main
Processor
A
TriBus
I/O Bus
Main
Processor
C
Output
Leg
B
Voter
Output
Termination
Output
Leg
C
Simplified Trident Architecture
A dedicated Processor (IOPCOMM) on
each Main Processor manages the data
exchanged between the Main Processors and the I/O modules. A triplicated
I/O Bus is located on the chassis backplane and is extended from chassis to
chassis by means of I/O Bus Cables.
As each input module is polled, the new
input data is transmitted to the Main
Processor over the appropriate leg of
the I/O Bus. The input data from each
Input Module is assembled into a table
in the Main Processor and stored in
memory for use in the hardware voting
process.
tables prevails, and the third table is
corrected accordingly. One-time differences which result from sample timing
variations can be distinguished from a
pattern of differing data. The three
independent Main Processors each
maintain data about necessary corrections in local memory. Any disparity is
flagged and used at the end of the scan
by the built-in Fault Analyzer routines
to determine whether a fault exists on a
particular module.
After the TriBus transfer and input data
voting have corrected the input values,
these corrected values are used by the
1
Theory of Operation
Main Processors as input to the userwritten application. (The application is
developed in the TriStation and downloaded to the Main Processors.) The 32bit main microprocessor executes the
user-written application in parallel with
the neighboring Main Processor
Modules.
The Model 3008 Main Processors
provide 16 Megabytes DRAM each for
V9 Tricon Systems. The DRAM is used
for the user-written application,
sequence-of-events data, I/O data, diagnostics and communication buffers. In
the event of an external power failure,
the integrity of the user-written
program and the retentive variables is
protected for a minimum of six months.
Using the table of output values, the
IOP generates smaller tables, each
corresponding to an individual output
module in the system. Each small table
is transmitted to the appropriate leg of
the corresponding Output Module over
the I/O Bus. For example, Main
Processor A transmits the appropriate
table to Leg A of each Output Module
The Main Processor Modules receive
power from dual Power Modules and
power rails in the Main Chassis. A
failure on one Power Module or power
rail will not affect the performance of
the system.
Dual Power Rails
+3.3 Volts
+5 Volts
DIAG Read (DB25)
Diag Bus
(to other
MPS)
Up
Stream
Down
Stream
Clock/
NVRAM
32 KB
Main Processor
MPC860A
TriBus
(to other MPS)
TriBus
FPGA
I/O & COMM
Processor
MPC860A
Shared
Memory
128K
32 Bit bus
FLASH
6 MB
DRAM
16 MB
Up Stream
Down Stream
Up Stream
Down Stream
The TriBus consists of three independent serial links operating at 25MBaud.
The TriBus synchronizes the Main
Processors at the beginning of a scan.
Then each Main Processor sends its
data to its upstream and downstream
neighbors. The TriBus performs one of
two functions with the data:
• Transfer of data only—for I/O,
diagnostic and communication data.
• Comparing data and flagging
disagreements—for previous scan’s
output data and memory of userwritten application.
An important feature of the Tricon’s
fault-tolerant architecture is the use of a
single transmitter to send data to both
the upstream and downstream Main Processors.
This ensures receipt of the
same data by the upstream
processor and downstream
processor.
802.3 Network
(RJ-45)
Modbus (DB9)
Reserved for
future use
Fault Tolerant
I/O Bus 375Kb
I/O Modules
COMM Bus
2Mb
Communication
Modules
32-Bit Bus
DRAM
16 MB
Main Processor (Model 3008) Architecture
2
Three triplicated bus systems are etched
on the chassis backplane: the TriBus,
the I/O Bus and the Communication
Bus.
The IOPCOMM manages the data
exchanged between the Main Processors and the communication modules
using the communication bus, which
supports a broadcast mechanism.
The user-written application generates
a table of output values based on the
table of input values, according to the
rules built into the application by the
customer. The IOP on each Main
Processor manages the transmission of
output data to the output modules by
means of the I/O Bus.
Dual-Power
Regulators
Bus Systems and
Power Distribution
over I/O Bus A. The transmittal of
output data has priority over the routine
scanning of all I/O modules.
I/O Bus
The 375 KBaud I/O Bus
transfers data between the
I/O Modules and the Main
Processors. The triplicated
I/O Bus is carried along the
bottom of the backplane.
Each leg of the I/O Bus runs
between one of the three
Main Processors and the
corresponding legs on the
I/O module.
The I/O Bus can be
extended between chassis
using a set of three I/O Bus
Cables.
Communication Bus
ELCO Connectors for I/O Termination
The 2 MBaud Communication
(COMM) Bus runs between the Main
Processors and the Communication
Modules.
Power for the chassis is distributed
across two independent power rails
down the center of the backplane.
Every module in the chassis draws
power from both power rails through
dual power regulators. There are four
sets of power regulators on each input
and output module: one set for each of
the legs A, B and C and one set for the
status-indicating LEDs.
Term inal
Strip
#1
Pow er
Term ina l Strip
1
Term inal
Strip
#2
2
3
4
5
6
TriBus
P ow er
S upply
#1
D ual
P ow er
R ails
Channel A
P ow er
S upply
#2
Channel B
Channel C
Channel A
Channel B
Field Signals
Each I/O module transfers signals to or
from the field through its associated
field termination assembly. Two positions in the chassis tie together as one
logical slot. The first position holds the
active I/O module and the second position holds the hot-spare I/O module.
Termination cables are connected to
the top of the backplane. Each connection extends from the termination
module to both active and hot-spare I/O
modules. Therefore, both the active
module and the hot-spare module
receive the same information from the
field termination wiring.
Digital Input Modules
The Tricon supports two basic types of
digital input modules: TMR and single.
The following paragraphs describe
digital input modules in general,
followed by specifics for TMR and
single modules.
Every digital input module houses the
circuitry for three identical legs (A, B
and C). Although the legs reside on the
same module, they are completely
isolated from each other and operate
independently. A fault on one leg
cannot pass to another. In addition, each
Channel C
M ain
P rocessors
A, B, & C
C om m
B us
I/O
B us
Right I/O Module *
Left I/O Module *
Typical Logical Slot
Communication Module
* Either the left module or right module functions as the active or hot-spare module.
Backplane of the Main Chassis
leg contains an 8-bit microprocessor
called the I/O communication
processor which handles communication with its corresponding Main
Processor.
tions signals independently and
provides isolation between the field and
the Tricon. (The 64-point High-Density
Digital Input Module is an exception—
it has no channel-to-channel isolation.)
Each of the three input legs asynchronously measures the input signals from
each point on the input termination
module, determines the respective
states of the input signals, and places
the values into input tables A, B and C
respectively. Each input table is regularly interrogated over the I/O bus by
the I/O communication processor
located on the corresponding Main
Processor module. For example, Main
Processor A interrogates Input Table A
over I/O Bus A.
DC models of the TMR digital input
modules can self-test to detect “stuck
ON” conditions where the circuitry
cannot tell whether a point has gone to
the OFF state. Since most safety systems are set up with a “de-energize-totrip” capability, the ability to detect
stuck ON points is an important feature.
To test for “stuck ON” inputs, a switch
within the input circuitry is closed to
allow a zero input (OFF) to be read by
the isolation circuitry. The last data
reading is frozen in the I/O communication processor while the test is running.
On TMR Digital Input Modules, all critical signal paths are 100 percent triplicated for guaranteed safety and
maximum availability. Each leg condi-
On Single Digital Input Modules, only
those portions of the signal path which
are required to ensure safe operation are
3
Theory of Operation
FIELD CIRCUITRY  TYPICAL POINT (1 of 32)
AC/DC Input Circuit
-
INTELLIGENT I/O CONTROLLER(S)
Individual Opto-Isolation
Intelligent I/O Controller(s)
+
Input
Mux
Individual Point Field Termination
Threshold Detect
Opto-Isolator
OptoIsolator
-
Input
Mux
OptoIsolator
Bridge
Rectifier
-
Bus
Xcvr
A
Dual
Port
RAM
AC
+ Smoothing
Optical
Isolation
Input
Mux
Threshold Detect
Opto-Isolator
Control Signal
OptoIsolator
µ Proc
Bus
Xcvr
B
Dual
Port
RAM
µ Proc
Bus
Xcvr
C
Dual
Port
RAM
Architecture of TMR Digital Input Module with Self-Test (DC Model)
triplicated. Single modules are optimized for those safety-critical applications where low cost is more important
than maximum availability. Special
self-test circuitry detects all stuck-ON
and stuck-OFF fault conditions within
the non-triplicated signal conditioners
ANALOG INPUT
CIRCUIT 
TYPICAL POINT
SIGNAL
CONDITIONING
in less than half a second. This is a
mandatory feature of a fail-safe system,
which must detect all faults in a timely
manner and upon detection of an input
fault, force the measured input value to
the safe state. Because the Tricon is
optimized for de-energize-to-trip appli-
INDIVIDUAL ADC
FOR EACH LEG
INTELLIGENT
I/O CONTROLLER(S)
Amp
ADC
µ Proc
Bus
Xcvr
Amp
ADC
µ Proc
Bus
Xcvr
Amp
ADC
µ Proc
Bus
Xcvr
Mux
Individual Point
Field Terminations
Mux
Mux
Architecture of TMR Analog Input Module
4
cations, detection of a
fault in the input
circuitry forces to
OFF (the de-energized
state) the value
reported to the Main
Processors by each
leg.
+
Threshold Detect
Opto-Isolator
Leg-to-Leg
Isolation
µ Proc
TRIPLICATED
I/O BUS
Digital Output
Modules
There are four basic
types of Digital
Output Modules: dual,
supervised, DC
voltage and AC
voltage. The following
paragraphs describe
digital output modules
in general, followed
by specifics for the
four types.
Every digital output module houses the
circuitry for three identical, isolated
legs. Each leg includes an I/O microprocessor which receives its output
table from the I/O communication
processor on its corresponding Main
Processor. All of the digital output
modules, except the dual DC
modules, use special quadrupliTRIPLICATED
cated output circuitry which votes
I/O BUS
on the individual output signals
just before they are applied to the
A
load. This voter circuitry is based
on parallel-series paths which pass
power if the drivers for Legs A and
B, or Legs B and C, or Legs A and
C command them to close—in
B
other words, 2-out-of-3 drivers
voted ON. The quadruplicated
voter circuitry provides multiple
redundancy for all critical signal
C
paths, guaranteeing safety and
maximum availability.
Each type of Digital Output
Module executes a particular
Output Voter Diagnostic (OVD)
TRIPLICATED
I/O BUS
Analog Input
Modules
On an Analog Input
Module, each of the three
legs asynchronously
measures the input signals
and places the results into a
table of values. Each of the
three input tables is passed
to its associated Main
Processor Module using the
corresponding I/O Bus. The
input table in each Main
Processor Module is transferred to its neighbors
across the Tricon. The
middle value is selected by each Main
Processor, and the input table in each
Main Processor is corrected accordingly. In TMR mode, the mid-value
data is used by the application; in
duplex mode, the average is used.
Each Analog Input Module is automatically calibrated using multiple reference voltages read through the
multiplexer. These voltages determine
the gain and bias that are required to
adjust readings of the analog-to-digital
converter (ADC).
Analog Input Modules and Termination
Modules are available to support a wide
variety of analog inputs, in both
isolated and non-isolated versions: 0-5
VDC, 0-10 VDC, 4-20 ma, thermocouples (types K, J, T, E), and Resistive
Thermal Devices (RTDs).
FIELD CIRCUITRY  TYPICAL POINT (16)
INTELLIGENT I/O CONTROLLER(S)
A
A
Bus
Xcvr
µProc
Point
Register
Output
Switch
Drive
Circuitry
+V
*
A
A and B
B
Bus
Xcvr
µProc
*
B
A
Output
Switch
Drive
Circuitry
Point
Register
B
C
Loopback
Detector
for every point. Loop-back
on the module allows each
microprocessor to read the
output value for the point to
determine whether a latent
fault exists within the
output circuit.
to
other
points
B
Output
Switch
Drive
Circuitry
C
Bus
Xcvr
µProc
*
Point
Register
C
*
A and B
C
Output
Switch
Drive
Circuitry
LD
A
B
C
Loopback
Detector
RTN
* All output switches are opto-isolated.
to
other
points
Architecture of 16-point Supervised Digital Output Module
Analog Output Module
The Analog Output Module receives
three tables of output values, one for
each leg from the corresponding Main
Processor. Each leg has its own digitalto-analog converter (DAC). One of the
three legs is selected to drive the analog
outputs. The output is continuously
checked for correctness by “loop-back”
inputs on each point which are read by
all three microprocessors. If a fault
occurs in the driving leg, that leg is
declared faulty and a new leg is selected
to drive the field device. The designation of “driving leg” is rotated among
the legs, so that all three legs are tested.
circuit board to which field wiring is
easily attached. A termination module
merely passes input signals from the
field to an input module or passes
signals generated by an output module
directly to field wiring, thereby permitting removal or replacement of the
input or output module without
disturbing field wiring.
In addition, External Termination
Assemblies are available for specialized applications. See “Special Termination Panels” on page 46 for more
information.
Termination Modules
Various termination options are available for field wiring of the Tricon High
Density chassis, including external
panels and direct cabling. A field termination module is an electrically passive
5
Theory of Operation
DCS
Environment
Enhanced Intelligent
Communication
Module (EICM)
DCS
Operator Workstation
Supports RS-232, RS-422
and RS-485 serial communication with external
devices at speeds up to 19.2
Kbaud. The EICM
provides four serial, optoisolated ports which can
interface with Modbus
masters, slaves, or both; or
a TriStation. The module
also provides a Centronicscompatible parallel port.
DCS Bus
TRICON Chassis
A
Network
Communication
Module (NCM)
B
TriStation
MPs
*
TS/TSAA Connection
802.3 Network
Programming Workstation
Modbus Master
Host Computer
* The module in this slot is a generic module representing any
Modbus Slave
Triconex module that can communicate with a DCS. For example,
the ACM communicates with Foxboro’s I/A Series Nodebus; the
SMM communicates with Honeywell’s UCN; the NCM can
communicate with any DCS that uses TCP-IP protocol; and the
EICM can communicate with any DCS that uses Modbus protocol.
alarm alarm alarm alarm alarm
alarm alarm alarm alarm alarm
alarm alarm alarm alarm alarm
Annunciator
Communication Capabilities of Tricon Modules
Communication Modules
By means of the communication
modules described in this section, the
Tricon can interface with Modbus
masters and slaves, other Tricons in
peer-to-peer networks, external hosts
running applications over 802.3
networks, and Honeywell and Foxboro
6
Distributed Control Systems (DCS).
The Main Processors broadcast data to
the communication modules across the
communication bus. Data is typically
refreshed every scan; it is never more
than two scan-times old.
NCM
EICM
This module supports
802.3 networking over a
high-speed 10
Megabit/second data link
for the use of Triconexproprietary protocols and
applications (described in
the section called
“Communication Capabilities” later in this document). NCM also supports
OPC Server which can be
used by any OPC client. In
addition, users can write
their own applications
using the TSAA protocol—
see “Protocols for Open
Networks” on page 55 for
details.
Hiway Interface
Module (HIM)
This module acts as an
interface between a Tricon controller
and Honeywell’s TDC 3000 Distributed
Control System (DCS) by means of the
Hiway Gateway and Local Control
Network (LCN). The HIM enables
higher-order devices, such as
computers and operator workstations,
to communicate with the Tricon.
Safety Manager Module (SMM)
This module acts as an interface
between a Tricon controller and Honeywell’s Universal Control Network
(UCN), one of three principal networks
of the TDC 3000 DCS. The SMM
appears to the TDC 3000 as a safety
node on the Universal Control Network
(UCN), allowing the Tricon to manage
process-critical points within the
overall TDC 3000 environment. The
SMM transmits all Tricon aliased data
and diagnostic information to TDC
3000 operator workstations in display
formats that are familiar to Honeywell
operators.
Advanced Communication
Module (ACM)
This module acts as an interface
between a Tricon controller and
Foxboro’s Intelligent Automation (I/A)
Series DCS. The ACM appears to the
Foxboro system as a safety node on the
I/A Series Nodebus, allowing the
Tricon to manage process-critical
points within the overall I/A DCS environment. The ACM transmits all Tricon
aliased data and diagnostic information
to I/A operator workstations in display
formats that are familiar to Foxboro
operators.
See the section called “Product Specifications” for specifications of the EICM,
NCM, SMM and ACM.
Power Supply Modules
Each Tricon chassis houses two Power
Modules arranged in a dual-redundant
configuration. Each module derives
power from the backplane and has independent power regulators for each leg.
Each can support the power requirements for all the modules in the chassis
in which it resides, and each feeds a
separate power rail on the chassis backplane. The Power Modules have builtin diagnostic circuitry which checks for
out-of-range voltages and over-temperature conditions. A short on a leg
disables the power regulator rather than
affecting the power bus.
Architecture of Power Subsystem
7
Download PDF
Similar pages