Fault Tolerance

Fault tolerance, the most important capability of the Tricon controller, is the ability to detect transient and steady-state error conditions and to take appropriate corrective action online. With fault tolerance, there is an increase in safety and an increase in the availability of the controller and the process being controlled.

The Tricon controller provides fault tolerance through Triple Modular Redundant (TMR) architecture. The controller consists of three identical system channels, except for the Power Modules, which are dual-redundant. Each channel independently executes the control program (also referred to as the TriStation application) in parallel with the other two channels. Hardware voting mechanisms qualify and verify all digital inputs and outputs from the field; analog inputs are subject to a mid-value selection process.

Because each channel is isolated from the others, no single-point failure in any channel can pass to another. If a hardware failure occurs in one channel, the faulty channel is overridden by the other channels. Repairs consist of removing and replacing the failed module in the faulty channel while the Tricon controller is online and without process interruption. The controller then reconfigures itself to full TMR operation.
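
The voting behavior described above (majority voting on digital points, mid-value selection on analog inputs, and a faulty channel being overridden by the other two) can be modeled in software. This is an added example, not Triconex code, and the Tricon performs its voting in hardware; the type and function names, the 32-point word width, and the deviation tolerance are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of TMR voting (illustrative names, not Tricon internals). */
typedef struct {
    uint32_t voted;        /* majority result, one bit per digital point */
    uint32_t mismatch[3];  /* per channel: bits that disagreed with the vote */
} digital_vote_t;

/* Bitwise majority: a point is 1 when at least two of three channels say 1. */
digital_vote_t vote_digital(uint32_t a, uint32_t b, uint32_t c)
{
    digital_vote_t r;
    r.voted = (a & b) | (a & c) | (b & c);
    r.mismatch[0] = a ^ r.voted;   /* nonzero mask identifies the odd channel */
    r.mismatch[1] = b ^ r.voted;
    r.mismatch[2] = c ^ r.voted;
    return r;
}

typedef struct {
    int32_t selected;  /* mid-value of the three channel readings */
    uint8_t suspect;   /* bit i set: channel i deviates beyond the tolerance */
} analog_select_t;

/* Mid-value selection: the median is unaffected by one arbitrarily wrong channel. */
analog_select_t select_analog(const int32_t ch[3], int32_t tolerance)
{
    int32_t lo = ch[0] < ch[1] ? ch[0] : ch[1];
    int32_t hi = ch[0] < ch[1] ? ch[1] : ch[0];
    analog_select_t r;
    r.selected = ch[2] < lo ? lo : (ch[2] > hi ? hi : ch[2]);
    r.suspect = 0;
    for (int i = 0; i < 3; i++) {
        int64_t d = (int64_t)ch[i] - r.selected;
        if (d < 0) d = -d;
        if (d > tolerance) r.suspect |= (uint8_t)(1u << i);
    }
    return r;
}

int main(void)
{
    /* Constructed sample data: channel C has one stuck bit and a railed analog input. */
    digital_vote_t d = vote_digital(0x0Fu, 0x0Fu, 0x0Du);
    const int32_t ch[3] = {1012, 1009, 32767};
    analog_select_t a = select_analog(ch, 50);
    printf("voted=%02X mismatchC=%02X mid=%d suspect=%u\n", (unsigned)d.voted,
           (unsigned)d.mismatch[2], (int)a.selected, (unsigned)a.suspect);
    return 0;
}
```

The mismatch masks and the suspect bits are the kind of per-channel discrepancy information a diagnostic layer would record while the voted value continues to drive the process.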

Extensive diagnostics on each channel, module, and functional circuit immediately detect and report operational faults by means of indicators or alarms. The diagnostics also store information about faults in system variables. If faults are detected, the operator can use the diagnostic information to modify control actions or direct maintenance procedures.

Because the triplicated system operates as one control system, the Tricon controller can be programmed with one control program that terminates sensors and actuators at a single wiring terminal.