Author: Site Editor Publish Time: 2025-09-11 Origin: Site
The Triconex V10 system, developed by Invensys Operations Management (now part of Schneider Electric), is a highly reliable and available Triple Modular Redundant (TMR) Programmable Logic Controller (PLC) widely used in industries with extremely high safety and reliability requirements such as nuclear power, petrochemical, and power generation. This system was selected for the Process Protection System (PPS) upgrade project at Pacific Gas & Electric Company's (PG&E) Diablo Canyon Nuclear Power Plant, replacing the original Westinghouse Eagle 21 safety system.
The Triconex V10 system employs a Triple Modular Redundant (TMR) architecture through redundant hardware and software design, ensuring continuous operation and reliable protection even when single or multiple point failures occur.
The core of the Triconex system is its Triple Modular Redundant (TMR) architecture, which achieves extremely high fault tolerance and system reliability through physical isolation, parallel processing, and majority voting mechanisms. The entire system consists of three completely independent processing channels, each containing a complete signal processing chain: from sensor signal input, analog/digital conversion, main processor execution of control logic, to final output drive. These three channels are completely isolated both physically and electrically, ensuring that a failure in any one channel does not affect the normal operation of the other two channels.
At the beginning of each scan cycle, the three Main Processor modules synchronize time and exchange data through the dedicated TriBus high-speed synchronous bus. The TriBus itself is also designed with triple redundancy, containing three independent serial communication links, each specifically serving one Main Processor channel. This design ensures that even if one TriBus link fails, the remaining links can still maintain system communication and synchronization functions. After synchronization, each Main Processor begins reading input data from its corresponding channel. For digital input signals, the system uses a hardware voting mechanism where three channels read the same signal separately, then determine the final valid value through majority voting. This design can automatically shield error signals caused by channel failures or external interference.
For analog input signals, the system uses a median selection algorithm for processing. Three channels separately sample and perform analog-to-digital conversion on the analog signal, then compare the three conversion results and select the median value as the valid input. This processing method effectively suppresses noise interference while avoiding signal deviations caused by failures in a single channel. After all input signals are voted or selected, a consistent input data table is formed for the three Main Processors to execute control logic.
The execution of the control program is completely independent and parallel across the three channels. Each Main Processor, based on consistent input data, executes the same control algorithm and generates output results. Output data must undergo another voting process before being sent to the output modules. Each Main Processor sends its output data to the other two Main Processors through the TriBus, and the three processors cross-compare and vote on the output data. If a processor's output data is inconsistent with the other two, the system marks it as a faulty channel, isolates its output, and allows the remaining two healthy channels to continue performing the control function.
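The input voting, median selection and output cross-compare described in the three paragraphs above, as an added Python model that is not Triconex code; the channel names, tag names, pressure setpoint and the handling of two surviving channels that disagree are assumptions.

```python
from statistics import median
# Constructed TMR scan-cycle model (not Triconex firmware); names/setpoint assumed.
CHANNELS = ("A", "B", "C")
PRESSURE_TRIP_SETPOINT = 2385.0

def vote_digital(reads):
    """Majority (2-out-of-3) vote of one digital input read by all channels."""
    return sum(1 for v in reads.values() if v) >= 2

def select_analog(reads):
    """Median select: one wild sample (fault or noise) never becomes the value."""
    return median(reads.values())

def trip_logic(inputs):
    """Same control application executed by every Main Processor."""
    return inputs["pressure"] > PRESSURE_TRIP_SETPOINT or inputs["manual_trip"]

def vote_outputs(outputs, faulty):
    """Cross-compare per-channel results as exchanged over the TriBus; a dissenting
    channel is marked faulty. Returns (voted_output, updated_faulty_set)."""
    healthy = [c for c in CHANNELS if c not in faulty]
    values = {c: outputs[c] for c in healthy}
    distinct = set(values.values())
    if len(distinct) == 1:                    # all healthy channels agree
        return distinct.pop(), set(faulty)
    if len(healthy) == 3:                     # 2-out-of-3: isolate the odd channel
        majority = max(distinct, key=list(values.values()).count)
        dissenters = {c for c, v in values.items() if v != majority}
        return majority, set(faulty) | dissenters
    # Two remaining channels disagree: no majority exists. The article does not
    # describe this state, so the model only reports it (assumption).
    return None, set(faulty)

def scan(digital_reads, analog_reads, faulty=frozenset(), corrupt=None):
    """One scan: vote/select inputs, run logic per channel, vote outputs.
    `corrupt` names a channel whose result is flipped to simulate an MP fault."""
    inputs = {tag: vote_digital(r) for tag, r in digital_reads.items()}
    inputs.update({tag: select_analog(r) for tag, r in analog_reads.items()})
    outputs = {}
    for c in CHANNELS:
        if c not in faulty:
            result = trip_logic(inputs)
            outputs[c] = (not result) if c == corrupt else result
    return vote_outputs(outputs, faulty)

# Constructed reads: channel B's pressure sample is wild and channel C misreads
# the manual-trip switch; neither error reaches the logic or the output.
DIGITAL = {"manual_trip": {"A": False, "B": False, "C": True}}
ANALOG = {"pressure": {"A": 2250.0, "B": 9999.0, "C": 2252.0}}
print(scan(DIGITAL, ANALOG), scan(DIGITAL, ANALOG, corrupt="B"))  # (False, set()) (False, {'B'})
```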
The output modules also adopt a triple redundant design, with each output point driven by three independent output circuits. The output modules have built-in Output Voter Diagnostics (OVD) functionality, capable of periodically performing forced tests on each output point. The system sequentially forces the output points to energized and de-energized states and detects whether the output response is normal. This test can be completed within 500 microseconds to 2 milliseconds, ensuring the reliability of the output circuit. All diagnostic tests are conducted in TMR mode, guaranteeing 100% fault detection coverage under any single point failure condition.
The system's fault tolerance is achieved through multiple layers of diagnostic and protection mechanisms. Each Main Processor module is equipped with independent memory detection, clock monitoring, and watchdog timers. I/O modules also have their own processors and watchdog circuits to monitor firmware execution and communication status. All bus systems (TriBus, I/O Bus, Communication Bus) adopt a triple redundant design and have continuous integrity monitoring functions. When a fault is detected, the system can automatically isolate the faulty component and notify operators through indicator lights and alarm signals. Faulty modules can be replaced while the system is running, enabling true online repair and maximizing system availability.
The Triconex V10 system's hardware architecture adopts a modular design, offering good scalability and flexibility. Each complete Protection Set consists of three main components: the Main Chassis, the safety-related Primary Remote Expansion Chassis (Primary RXM), and the non-safety-related Remote Expansion Chassis (Remote RXM). This hierarchical design ensures the reliability of safety-related functions while providing interface capabilities for communication with non-safety systems.
The Main Chassis is the core processing unit of the entire system, featuring a rugged industrial-grade design with high immunity to interference and environmental adaptability. On the far left of the chassis are two independent power supply modules configured in redundancy; each can independently power the entire chassis. Power is distributed along the center of the backplane through dual power rails, with each module drawing power from both rails via dual power regulators, ensuring power system reliability. Immediately adjacent to the power modules are three 3008N Main Processor modules (MP A, B, C). These modules use 32-bit safety-grade microprocessors, each containing two processing units: an Application Processor and an I/O & Communications Controller (IOCCOM). The Application Processor is responsible for running the ETSX operating system and executing the control application, while the IOCCOM processor manages the I/O Bus and Communication Bus.
The remainder of the Main Chassis is divided into six logical slots for installing various I/O modules and communication modules. Each logical slot provides two physical positions, one for the active module and another for an optional hot-standby module. This design allows for the replacement of faulty modules without interrupting system operation. The communication module slot is dedicated and does not provide a hot-standby position. All modules connect to the backplane bus system through precision backplane connectors, ensuring signal integrity and reliability.
The safety-related Primary Remote Expansion Chassis (Primary RXM) is connected to the Main Chassis via triple-redundant I/O bus cables and is used to expand safety-related I/O points. The structure of the RXM chassis is similar to the Main Chassis, but RXM modules are installed in the Main Processor positions. These modules are responsible for managing communication and data transmission between the expansion chassis and the Main Chassis. The Primary RXM chassis is typically installed near the Main Chassis and is used to accommodate I/O modules that are safety-related but do not need to be located in the Main Chassis.
The non-safety-related Remote Expansion Chassis (Remote RXM) is connected to the Primary RXM via multimode fiber optics, providing electrical and physical isolation between the safety system and non-safety systems. The Remote RXM chassis uses 4200-series RXM modules, which convert copper-based I/O bus signals into optical signals for transmission over fiber. Each I/O bus channel (A, B, C) requires a pair of 4200-4201 RXM modules and two fibers (one transmit, one receive), totaling six fibers to connect the Primary RXM and Remote RXM chassis. This design provides complete electrical isolation, effectively preventing ground loops and electromagnetic interference issues, while ensuring signal integrity over long distances.
The system's bus architecture employs a multi-level redundant design. The TriBus is an internal high-speed bus connecting the three Main Processors, used for data synchronization, program loading, and cross-voting. The I/O Bus is a system bus connecting the Main Processors to the I/O modules, using a master-slave serial communication protocol with a transmission rate of 375 kbps. The Communication Bus connects the Main Processors to the communication modules at a rate of 2 Mbps and is used for communication with external systems. All buses are triple-redundant, with each bus having independent fault detection and isolation mechanisms.
In terms of communication and isolation, the system provides strict safety guarantees. The Tricon Communication Module (TCM) is the only communication interface certified for nuclear safety applications, providing electrical and data isolation. The TCM uses fiber optic media to connect to external networks, ensuring that communication errors do not affect the execution of safety functions. The Maintenance Workstation (MWS) communicates with the Tricon system through the TCM, used for monitoring system status, viewing diagnostic information, and performing parameter modifications. All communication with non-safety systems undergoes strict access control and security auditing, ensuring the integrity of the safety system is not compromised.
The system offers a rich variety of I/O modules, including Analog Input (AI), Analog Output (AO), Digital Input (DI), and Digital Output (DO), among others. Each I/O module adopts a triple-redundant design, with three completely independent channels, each having its own processor and diagnostic circuits. Analog input modules support various signal types such as 4-20mA, RTD, and thermocouple, featuring high precision and high noise immunity. Digital output modules use Output Voter Diagnostics (OVD) technology, capable of periodically testing the reliability of each output point. All I/O modules support hot-swapping functionality, allowing replacement while the system is running, greatly enhancing system maintainability and availability.
ETSX Operating System: Runs on the Application Processor of each MP, responsible for system scheduling, redundancy management, and fault handling.
IOCCOM Processor: Manages the I/O and Communication Buses, exchanging data with the MP via Dual-Port RAM (DPRAM).
TriStation 1131: Used for developing safety-related application software, supporting both Function Block Diagram (FBD) and Structured Text (ST) programming languages.
Software Integrity Level (SIL4): Complies with IEEE 1012-1998 standard, suitable for nuclear safety-related systems.
Out-of-Service (OOS) Switch: Allows a specific protection function to be temporarily taken out of service for testing or parameter modification without affecting other safety functions.
Bypass Function: A channel can be bypassed via software or hardware switches for maintenance or testing purposes.
Diagnostics and Alarming: The system continuously monitors the status of each module and provides detailed fault information through the MWS.
Function: The PPS monitors plant parameters (such as temperature, pressure, and water level), compares them against setpoints, and triggers the Reactor Trip System (RTS) or Engineered Safety Features Actuation System (ESFAS) if limits are exceeded.
Channel Separation: Four Protection Sets (I–IV) each handle separate safety functions, ensuring redundancy and independence.
High Reliability: TMR architecture ensures no single point of failure.
High Availability: Supports online repair and module hot-swapping.
Flexibility: Supports various I/O types and communication protocols.
Safety: Complies with nuclear safety regulations (e.g., 10 CFR 50 Appendix B), RG 1.152, and other requirements.
Ease of Maintenance: Provides detailed diagnostic information and remote monitoring capabilities.
Reference: https://www.nrc.gov/docs/ML1131/ML11318A029.pdf