ICS Triplex ICS Regent+Plus Monitored Guarded Output Modules Reference Manual
ICS Triplex ICS Regent+Plus Monitored Guarded Output Modules provide safe and reliable control for field loads. This device offers fail-safe and fault tolerant operation with sixteen outputs, ensuring that power to loads is maintained even if one module fails. The modules are designed for applications where high safety standards are required, such as industrial automation and process control.
PDF
Download
Document
Advertisement
Advertisement
ICS Regent + Plus ® PD-7033 Monitored Guarded Output Modules 24 VDC, 110 VAC and 120 VDC (T7481/T7481A, T7484 and T7488/T7488A) Issue 2, March, 06 Monitored Guarded output modules provide Guarded control and line monitoring for sixteen field loads. Three types of modules are available for interfacing to outputs powered from 24 VDC, 110 VAC, or 120 VDC field power supplies. These modules are called Guarded because each module's dualredundant design ensures that no single fault within the module will inadvertently apply power to an output. These modules also monitor the output field wiring for open and short circuit faults. Individual output line status is available to application programs. Features · Sixteen Guarded outputs (in two groups of eight). • Fault tolerant operation when connected in parallel with another module of the same type. • • • Hot-replaceable. • Individual front panel indicators on each module show module fault/active status and shutdown state; additional indicators show output status and load/fuse fault for each point. · Fuses accessible from front panel. • 2500 minimum electrical isolation between field and logic circuits. · TÜV certified, Risk Class 5. Complete, automatic testing of all output circuits. Automatic line monitoring detects open and short field wiring circuits. Each module's triplicated Safetybus interface ensures that no Regent system failure will inadvertently apply power to an Industrial Control Services (Issue 2) 1 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) output. Extensive fault detection and redundant critical circuits ensure that each module operates in a fail-safe manner. Two monitored Guarded output modules can be connected in parallel to obtain fault tolerant control of power to loads. In this parallel module configuration, either module can be removed and replaced while the other Guarded module continues to control the loads without interruption. Module Operation A block diagram of a typical monitored Guarded digital output module is shown in Figure 1. Figure 1. Block Diagram of a Monitored Guarded Digital Output Module. 2 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) The processor modules send triplicated write data commands over the I/O Safetybus to the monitored Guarded output module. Onboard the output module the triplicated data are routed to two independent voters which provide voted data to associated field programmable gate arrays (FPGA). Each FPGA independently operates one of the two output control switches. The two output switches are connected in series with the load. When both output switches are on, current will flow through the output and energize a field load. If either switch is off, current will not flow through the output and the load will be de-energized. This combination of series output switches and independent drive signals produces fail-safe activation of the load. Single failures can only affect one of the output drive signals or switches. A single failure will result in either continued correct control or a fail-safe output as shown in Table 1. Table 1. Output States After Switch Failure. Case Commanded Output State Switch Failed State Actual Output to Load 1 On On On Continued correct control. Automatic testing detects stuck-on switch. If output is subsequently commanded off, output will turn off. 2 On Off Off Fail-safe output. Automatic testing detects stuck-off switch. 3 Off On Off Continued correct control. Automatic testing detects stuck-on switch. If output is subsequently commanded on, output will turn on. 4 Off Off Off Fail-safe output. Automatic testing detects stuck-off switch. If output is subsequently commanded on, output will remain off. Remarks To achieve fault tolerance, two monitored Guarded output modules are used with their outputs connected in parallel. This configuration provides for continued correct control even PD-6033 Mar-06 (Issue 2) 3 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) when one output switch fails off (cases two and four in Table 1). The module failure is automatically detected and the module can be removed and replaced without interrupting output control. Testing and Diagnostics Automatic testing is performed on the monitored guarded output modules as well as the field load connections. Module Testing Each voter and FPGA logic section of the Guarded output modules are automatically tested by the processor modules. Discrepant data are sent through one of three legs of the I/O Safetybus to determine whether the module’s voters are able to outvote the incorrect data. A failure to return the correct majority-voted result to the processors produces an I/O module error indication at the processor modules and a module fault indication at the I/O module. Each type of module has a unique identification code that is read by the controller. This code lets the controller know which type of module is installed in each I/O chassis slot and how to address that module and its points specifically. If a module is removed, or is replaced with a module of a different type, the processor modules will indicate an I/O module error. Loopback logic tests periodically write data to the module and then read it back to determine whether the module’s I/O bus interface logic is functioning correctly. Output Circuit Testing The output circuits of the monitored guarded output module are automatically tested to detect failures in the redundant output switch circuits on-board the module and also to detect open and short circuits in the output field wiring and load devices. Output Switch Testing To detect a failure in the redundant output switch circuits, each output switch is checked for turn-on and turn-off capability. Periodically, each output switch circuit on the module is tested for its ability to change its current state. 4 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) During testing, the output state is changed; outputs that are on are turned off and outputs that are off are turned on. When two monitored guarded output modules are wired in parallel for fault tolerance, the output circuit testing of the dual modules is coordinated. The test coordination is automatically performed by the system when the modules are properly configured for dual mode (see Configuration, starting on page 17). When dual modules are tested, the second module’s outputs are turned off momentarily while the first module’s outputs are tested. Subsequently, the first module’s outputs are turned off while second module’s outputs are tested. When an output switch is tested, the test pulse duration is nominally 250 msec, and is insufficient to affect the state of most field loads. With modules configured in dual mode, the maximum test pulse may be 425 msec if one module has a switch failure. The output circuit test interval will range from 1 to 60 seconds, depending on the quantity of I/O configured in the system. If an output switch doesn’t change state when tested, an output switch fault is detected. An output switch failure is annunciated as a module fault. An I/O module fault is indicated by the module FAULT LED on the module, the red I/O fault LEDs on the processor modules and the system control relay fault bit for the module assembly and slot. Load and Fuse Monitoring and Testing During output switch testing, the module also monitors the change in current flow in the field power for the outputs. The sensed state changes of the output switches and the field power current are reported back to the processor modules. The triplicated processor modules use this information to identify if an open load, shorted load or blown fuse condition exists. Any of these load/fuse fault conditions are annunciated via the LOAD/FUSE fault LEDs on the face of the module and the Fault Name variables configured for each point. Load/Fuse faults are not reported as module faults and so do not turn on the red Module FAULT LED or associated system variable control relay fault bit. The Fault Name variables should be PD-6033 Mar-06 (Issue 2) 5 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) monitored by the application program or external operator interface equipment to dispatch maintenance personnel to correct the field connection problem. Note: Field faults such as open load, shorted load, blown fuse and absence of field power, will mask an output switch fault. When load/fuse faults are detected, they should be repaired as soon as possible. If the health of spare, unused output points is important, then a minimum load device should be connected to these points. Front Panel Figure 2 shows the physical features of the monitored Guarded output modules. The front panel of each module contains a module active and fault status indicator, a shutdown indicator, as well as output fuses, output status indicators and load/fuse fault indicators for the output circuits. Active/Fault Status Indicators These green and red LEDs indicate the overall health of the module and output circuits. During normal operation, the green ACTIVE indicator flashes at the controller's scan rate. If a module fault is detected, the red FAULT indicator turns on and the green ACTIVE indicator turns off. Shutdown Indicator Upon loss of communications with the controller, output modules enter either a shutdown or hold fault mode. If the I/O unit is set to shutdown, the red SHUTDOWN indicator will turn on when communications with the controller are lost. If the I/O unit is set to hold, the SHUTDOWN indicator will always be off (see page 16, Fault Mode Jumper). 6 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Note: When the module is installed in the I/O chassis or when logic power (from the I/O power supply modules) is first applied to the module, it will be in the shutdown mode until the first output scan, regardless of the fault mode jumper settings. Also, removing two I/O transceiver modules, two I/O power supply modules, or two power legs will cause the module to be in the shutdown mode. PD-6033 Mar-06 (Issue 2) 7 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Figure 2. Monitored Guarded Output Modules. 8 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Output Status Indicators The output status indicators are yellow LEDs, located on the front of the module. The state of the output circuit is sensed on the field side of the output circuit and optically coupled to both of the FPGAs. The FPGAs logically drive the output status LEDs. The indicator is on when the output circuit is energized. During output testing, the module monitors the current flow to the load device. If no current is detected, or if an excessive current is detected, the red load/fuse fault LED is energized. This indicator annunciates a blown fuse or an open or short circuit in the field wiring to the output field device. Application Monitored Guarded digital output modules provide a suitable interface to safety-critical output devices. These safetycritical devices typically include solenoids, actuators, or other process interlock outputs. Monitored Guarded output modules can be used for fail-safe or fault tolerant operation. Fail-Safe Configuration As shown in Figure 3, fail-safe configuration uses a single monitored Guarded output module. In this configuration, the worst case failure will cause the output to fail to the off state. In a fail-safe configuration, removing the module disables all outputs. Figure 3. Fail-Safe Configuration. PD-6033 Mar-06 (Issue 2) 9 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Fault Tolerant Configuration For fault tolerant operation, two monitored Guarded output modules are connected in parallel as shown in Figure 4. In this configuration, operation continues even if one module fails. In the fault tolerant configuration, a failed module can be removed and replaced without interrupting operation of the loads. Figure 4. Fault Tolerant Configuration. 10 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Fault Tolerant Configuration with Redundant Actuators When redundant actuators are installed in the field, the level of fault protection can be extended to include the field wiring and actuators. Each actuator should be connected to an individual monitored guarded output module as shown in Figure 5. In this configuration continuous operation can be maintained even if a module, field wiring or load fault occurs. Figure 5. Fault Tolerant Configuration with Redundant Actuators. Output Load Considerations The monitored guarded output module will operate correctly (no FAULT indication) with loads as small as 20 mA. The 81A and 88A version will operate with loads as small as 5 mA. PD-6033 Mar-06 (Issue 2) 11 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) However, care should be exercised in applying the module to small load devices. Off-state test current (Leakage current ) of the output circuit may prevent some load devices from turning off completely. Table 2 lists the off-state voltages (worst case) for various load ratings and module configurations. These should be compared to the “guaranteed off” voltage for the load device being applied. Table 2. Off-State Voltage Ratings. Load Rating (mA) OFF State Voltage (nominal field voltage and shorted switch) T7481/81A (24 Vdc) Single T7484 (110 Vac) Dual T7488/88A (120 Vdc) Single Dual Single Dual 5 na 2.6 na 3.7 na na na 12.8 na 18.3 10 na 1.4 na 2.0 na na na 6.8 na 9.9 20 4.7 .71 6.4 1.0 23.5 31.8 na. 3.5 na 5.2 35 3.0 .41 4.1 .6 14.8 20.8 17.5 2.0 24.4 3.0 50 2.2 .29 3.1 .43 10.8 15.5 12.8 1.4 18.2 2.1 100 1.2 .15 1.7 .21 5.7 8.4 6.7. .71 9.8 1.0 Field Wiring Field wiring terminal blocks on the I/O chassis are used to connect power sources and loads to the module. The terminal blocks are located directly above and below the slot where the module is installed. Each terminal block consists of ten #6 wire clamp screw terminals capable of holding two 12 AWG wires. Each module has separate power terminals for each output group (group 1: channels 1-8, group 2: channels 9-16). The two groups are electrically isolated from each other. Figure 6 shows the proper field wiring for a single module and Figure 7 shows the field wiring for fault tolerant modules connected in parallel. Note: This module does not require a return connection from the field power source. Do not connect any field wiring to terminals A and D. 12 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Note: Output circuit testing monitors current flow to the outputs. If the field power supply is not connected, then all of the outputs in the associated group without power will indicate a load/fuse fault condition. PD-6033 Mar-06 (Issue 2) 13 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Figure 6. Fail-Safe Field Wiring. 14 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Figure 7. Fault Tolerant Field Wiring. PD-6033 Mar-06 (Issue 2) 15 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Fault Mode Jumper The fault mode jumper is located behind the ID switch cover in the lower left-hand corner of each I/O chassis. The position of the fault mode jumper determines the module's response to system level faults. The fault mode jumper’s position will cause all output modules in the I/O chassis to either shutdown (turn off all outputs) or to hold (hold the last state) after a system level failure occurs. An example of a system level failure is the failure of two processor modules. Keying The I/O chassis can be physically keyed to prevent accidental damage caused by inserting a module into a slot wired for a different module type. Figure 8 illustrates how the slot keys are installed on the I/O chassis slot field wiring connectors. The slot key positions for the Monitored Guarded output modules are listed in Table 3. Table 3. Slot Key Positions. 16 (Issue 2) Module Upper Connector Lower Connector T3481/81A 4 3 T3484 10 3 T3488/88A 11 3 Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Figure 8. Installing Slot Keys. Configuration Each output module is configured using the WINTERPRET I/O Configuration Editor. In the editor you will perform the four steps described below to configure the output module. PD-6033 Mar-06 (Issue 2) 17 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) 1) Set the Module Type: Position the cursor on the module slot you wish to define. Choose Set Module Type from the Edit Menu and select the appropriate monitored guarded output module from the list. 2) Edit the Module Definition: Choose Edit Module Definition from the Edit Menu. A dialog box will open where you can define the output point definitions. Figure 9. Monitored Guarded Output Module Definition. 3) Configure the module for single or dual mode. With the cursor at the top of the list in the Module Definition dialog shown in Figure 9, open the Monitored Guarded Output Module Definition dialog by pressing Enter or double clicking on the “(Module)” selection. If the output module is to be used in dual mode (wired in parallel with another similar module for fault tolerance), then you must check the Dual Mode selection in the dialog box shown in Figure 10. Also, you must enter the I/O Assembly number (1-16) and I/O Slot number (1-10) of the redundant module. This must be done for each of the two modules that will operate in dual mode. 18 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Figure 10. Defining the Guarded Output Module Definition. Note: If you do not configure the modules for Dual Mode then the output testing performed on the modules will not be coordinated and each of the modules wired in parallel will report a fault. Note: For the T3484, 110 VAC Monitored Guarded Output Module you must also select the line frequency of the field power supply. In the Line Frequency drop-down list, select either 50 Hz or 60 Hz. 4) Edit each point: Choose Edit from the Module Definition dialog box to define a name and description for each output point. In the Monitored Guarded Output Point dialog, enter names and values for the configuration fields as described below. PD-6033 Mar-06 (Issue 2) 19 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Figure 11. Defining a Guarded Digital Output Point. Name Also called the tag name, this is the name used in the application program to reference the output point. The name can be up to 12 characters long. Description This 40-character field provides a place to describe the output point definition. The description is used to help document your system (it does not affect application program operation). Comm Protect Marking the Comm Protect check box protects the point from changes by communications functions such as data write, forcing, and load initial value when Comm Protect is enabled. Initial Value The initial value for the output is loaded to the Regent when you load the I/O configuration and also when you load the application program that controls the output. Final Value The final value for the output is loaded to the Regent when the application program that controls the output is deleted. Unless special circumstances exist, you should always enter 20 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) zero, so that the output is turned off when you delete the application program that controls it. Fault Name This is the name used in the application program to reference the output point line fault status. The name can be up to 12 characters long. During operations the output module is regularly tested for open load, shorted load and blown fuse conditions. If any of these conditions occur, the Fault Name variable will turn on. Fault Name Description This 40-character field provides a place to describe the output point fault name definition. The description is used to help document your system (it does not affect application program operation). Disable Fault LED Marking the Disable Fault LED check box disables the load/fuse fault LED for this output point on the face of the output module. Marking this box does not stop the module from performing load monitoring and blown fuse detection, it only stops the module from displaying load/fuse faults on the face of the output module. Load/fuse faults are still reported to the Regent and are available to the application program through the fault name variable. This box can be checked for those output points that are spare and have no field loads connected. In this configuration the load/fuse fault LED will always be off. If you do not check this box for unconnected spare points, the load/fuse fault will always be on. Output Module Definition In addition to configuring output point definitions, you can configure the output module definition to represent the combined state of all 16 output points. This configuration is done in the Monitored Guarded Output Module dialog shown in Figure 10. The module definition represents the 16 output point definitions as signed, 16-bit integers. The Module Output name represents the 16 output names and the Module Fault PD-6033 Mar-06 (Issue 2) 21 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) Name represents the 16 output fault names. In each module variable, output 1 is the least significant bit (LSB) and output point 16 is the most significant bit (MSB). The module definition names are not normally used for control purposes. However, they do provide convenient single name references to all 16 outputs points when reporting status information to operator interface equipment. Programming Outputs are controlled by writing application programs that solve for output values. For example, placing an output tag name on a coil in ladder logic will cause the output to turn on when there is power flow to the coil in the ladder logic rung. To program fault tolerant outputs two output coils driven by the same control logic are used as shown in Figure 12. Figure 12. Programming Fault Tolerant Outputs. In this illustration A, B, C, D represent various logic elements used to drive the outputs; XV103A represents the output on one Guarded output module; and XV103B represents the output on the other Guarded output module. Maintenance No periodic maintenance or calibration is required for this module. Fuses can be removed and replaced without removing the module from the I/O chassis. Turning the fuse holder onequarter turn from its locked position releases the fuse holder, extending the fuse and allowing it to be removed. To prevent damage to the module, replacement fuses must be of the same rating and type (see Specifications, below). 22 (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Safety Considerations The Monitored Guarded output modules are TÜV certified to Risk Class 5 for safety critical outputs. The modules are approved for de-energize to trip safety critical outputs in single or dual module configurations. The modules are also approved for energize to trip safety critical outputs in dual module configuration, but only if the fault name variables are configured and used to automatically alarm and annunciate the detection of load/fuse faults to plant operations personnel. Specifications Safetybus Power 1.5 load units Number of Outputs 16 circuits divided into two groups of 8 circuits each T7481 (81A) Voltage Range Frequency Load Current T7484 T7488 (88A) 18 to 36 VDC 90 to 130 VAC 95 to 140 VDC N/A 47 to 63 Hz N/A 2 amp 0.7 amp 1.0 amp 1.5 amp 0.5 amp 0.75 amp Minimum Load On State Drop Surge Current 20 mA ( 5mA) 20 mA 35 mA (5mA) 1.0 V, maximum 2.5 V, maximum 2.0 V, maximum incandescent, capacitive loads: 3.5 amps, peak 3.5 amps, peak 3.5 amps, peak 7 amps for 20 msec 3 amps for 20 msec 3 amps for 20 msec single, fail-safe module: 5 mA, ( 700ua) maximum 5.5 mA, maximum 5.5 mA, (700ua) maximum dual, fault-tolerant modules: 7.5 mA, (1 mA) maximum 8.5 mA, maximum 8.5 mA, (1 mA) maximum (0 to 40° C) derating (at 60° C) inductive loads: Output Leakage T7481/81A PD-6033 Mar-06 (Issue 2) T7484 T7488/88A 23 Monitored Guarded Output Modules (T7481/81A, 84, and 88/88A) One 3 amp, 250 V, fast acting (3AB), rectifier type, per output One 2 amp, 250 V, fast acting (3AB), rectifier type, per output One 2 amp, 250 V, fast acting (3AB), rectifier type, per output Littelfuse 322-003 Littelfuse 322-002 Littelfuse 322-002 Turn-On Delay Turn-Off Delay Output Test Duration 0.5 msec 0.5 msec 0.5 msec 0.5 msec 0.5 msec 0.5 msec 250 msec for single or dual modules, max of 425 msec if switch fault (dual modules only) 250 msec for single or dual modules, max of 425 msec if switch fault (dual modules only) 250 msec for single or dual modules, max of 425 msec if switch fault (dual modules only) Heat Dissipation 30 Watts, 101 BTUs/hour 27 Watts, 92 BTUs/hour 27 Watts, 92 BTUs/hour Over Voltage Protection 70 VDC, continuous 275 VAC, continuous 275 VAC, continuous 100 VDC, 5 seconds 450 VAC, 5 seconds 450 VAC, 5 seconds Fusing (front mounted) Isolation 2500 volts minimum (field wiring to control logic) 2500 volts minimum (output group 1-8 to output group 916) Operating Temperature 0° to 60° C (32° to 140° F) Storage Temperature -40° to 85° C (-40° to 185° F) Operating Humidity 0 to 95% relative humidity, non-condensing Vibration 10 to 55 Hz: ±0.15mm Shock 24 Operating: 15 g, ½ sine wave, 11 msec (Issue 2) Industrial Control Services Monitored Guarded Output Modules (T7481/81A, 84 and 88/88A) Electromagnetic Interference • • • • • IEC 801 Part 2 - Electrostatic Discharges IEC 801 Part 3 - Radiated Electromagnetic Fields IEC 801 Part 4 - Transients and Bursts IEC 801 Part 5 - Surge Immunity ANSI/IEEE C37.90 - Surge Withstand Capability Safety Level 3: Contact discharge of 6 kV Level 3: 10 V/M, 27 MHz 500 MHz Level 4: 2 kV, 2.5 kHz for t=60 sec Level 3: 2 kV 2.5 kV damped 1 MHz sine wave, 4 kV bi-directional impulse, 10 nsec rise time, fast transient Certified to DIN V VDE 0801 for Risk Class 5. Also designed to meet UL 508 and CSA 22.2, No. 142-M1981 Dimensions Height: Width: Depth: Weight PD-6033 Mar-06 (Issue 2) 12.6" (320 mm) 1.27" (32 mm) 10.12" (257 mm) 4.2 lbs (1.8 kg) 25 Monitored Guarded Output Modules (T7481/81A, 26 (Issue 2) Industrial 84, and 88/88A) Control Services ">
Key Features
- Sixteen Guarded Outputs
- Fault Tolerant Operation
- Hot-Replaceable
- Complete Testing
- TÜV Certified, Risk Class 5
- Line Monitoring
- Individual Indicators
- Fail-safe Activation
Frequently Answers and Questions
How many outputs does the ICS Regent+Plus Monitored Guarded Output Modules have?
This module has sixteen guarded outputs, divided into two groups of eight.
What are the safety certifications for this module?
This module is TÜV certified, Risk Class 5. It is also designed to meet UL 508 and CSA 22.2 standards.
What does "Guarded" mean in the context of this device?
Each module's dual-redundant design ensures that no single fault within the module will inadvertently apply power to an output.
How is fault tolerance achieved in this system?
Two monitored Guarded output modules can be connected in parallel to provide fault tolerant control of power to loads. If one module fails, the other module will continue to control the loads.