Rockwell Automation T3468A User Manual
ICS Regent
®
PD-6019
DC Guarded Digital Output Modules
24 VDC, 48 VDC and 120 VDC
(T3461A, T3462A and T3468A)
Issue 1,
DC Guarded output modules provide Guarded switching of
user-supplied DC voltages to a maximum of eight field loads.
These
dual-redundant design ensures that no single fault within the
module will inadvertently apply power to an output.
Extensive fault detection and redundant critical circuits
ensure that each module operates in a fail-safe manner.
modules are called Guarded because each module's
March, 06
Features
·
Eight Guarded output circuits configured as two sepa
powered groups of four circuits each.
·
Fault tolerant operation when connected in parallel with
an
·
Hot-replaceable.
·
100% self-testing of all critical circuits.
·
Individual front panel indicators on each module show active
and fault, shutdown state, blown fuse, and output on/off status
(logic side).
·
2500 volt minimum electrical isolation between field and logic
circuits.
·
TÜV certified, Risk Class 5.
Two Guard
obtain fault tolerant control of power to loads. In this parallel
module configuration, either module can be removed and
replaced while the other Guarded module continues to control
the loads without interruption.
other module of the same type.
ed output modules can be connected in parallel to
rately
Industrial Control Services
1
DC Guarded Digital Output Modules (T3461A, 62A, 68A)
Module Operation
A block diagram of a typical monitored Guarded output
module is shown in Figure 1.
The processor modules send triplicated write data commands
over the I/O Safetybus to the Guarded output module.
Onboard the Guarded output modules the triplicated data are
routed to two independent voter and I/O Safetybus logic
sections. Each section independently votes the triplicated
data and operates one of the two field effect transistor (FET)
output control switches. The two FETs are connected in series
with the load.
2
Figure 1. Block Diagram of a DC Guarded Output Module.
When both circuits are on, current will flow through the
output and energize a field load. If e
will not flow through the output and the load will be de
Industrial Control Services
ither switch is off, current
-
(T3461A, 62A, 68A) DC Guarded Digital Output Modules
Case
Commanded
Output St
ate
Switch
Failed
State
Actual
Output
to Load
Remarks
1 On
On On
Continued correct control.
Automatic testing detects
stuck-on switch. If output is
subsequently commanded
off, output will turn off.
2 On
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch.
3 Off
On
Off
Continued correct control.
Automatic testing detects
stuck-off switch. If output is
subsequently commanded
on, output will turn on.
4 Off
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch. If ou
tput is subse
quently commanded on,
output will remain off.
energized. This combination of series output switches and
independent drive signals produces fail-safe activation of the
load. Single failures can only affect one of the output drive
signals or switches. A single failure will result in either
continued correct control or a fail-safe output as shown in
Table 1.
Table 1. Output States After Switch Failure.
PD-6019
Mar-06
To achieve fault tolerance, two Guarded output modules are
used with their outputs connected in parallel. This
configuration provides for continued correct control even
when one output switch fails off (cases two and four in Table
1
). The module failure is automatically detected and the
module can be removed and replaced without interrupting
output control.
Testing and Diagnostics
The voter and I/O bus interface logic o
f the Guarded output
modules is automatically tested by the processor modules.
Discrepant data are sent through one of three legs of the I/O
Safetybus to determine whether the module’s voters are able
to outvote the incorrect data. A failure to return the correct
3
DC Guarded Digital Output Modules (T3461A, 62A, 68A)
majority-voted result to the processors produces an I/O
module error indication at the processor modules and a
module fault indication at the I/O module.
Each type of module has a unique identification code that is
read by the controller. This c
ode lets the controller know
which type of module is installed in each I/O chassis slot and
how to address that module and its points specifically. If a
module is removed, or is replaced with a module of a different
type, the processor modules will indicate an I/O module error.
Loopback logic tests periodically write data to the module and
then read it back to determine whether the module’s I/O bus
interface logic is functioning correctly.
Fuses are checked for continuity. Blown fuse detection is
independent of load connection or the output circuit’s on/off
state.
To detect a failure in the redundant logic drive circuits, each
pair of output switches is checked for state discrepancies. If a
discrepancy is detected, a module fault is indicated. These
state comparison tests allow for normal variances in FET
switching times.
Approximately once every second each FET on the module is
tested for its ability to change its current state. During
testing, the output state is changed; outputs that are on are
turned off and outputs that are off are turned on. The testing
time is nominally 0.75 milliseconds, and is insufficient to
affect the state of most field loads.
Testing of the output switches is non-overlapping, i.e. no turn
on pulse is applied to the load unless one of the switches is
shorted. Also, in a dual module configuration, no turn-off
pulse is applied to the load unless the asynchronous test
pulses between the dual modules overlap, a output switch is
open, or a module is removed. In any case, the nomi
nal test
pulse duration of 0.75 milliseconds is insufficient to disturb
field outputs.
Output circuit test results are not affected by the presence or
absence of a load. Output FET current leakage greater than 2
mA is detected as a shorted FET.
4
Industrial Control Services
(T3461A, 62A, 68A) DC Guarded Digital Output Modules
Note:
When an output switch failure or blown fuse is detected a
module fault condition is alarmed, resulting in an I/O module
error indication at the processor modules and a module fault
indication on the I/O module.
Front Panel
Figure 2 shows
output modules. The front panel of each module contains a
module active and fault status indicator, a shutdown
indicator, as well as output fuses, output status indicators, and
blown fuse indicators for each output circuit.
Active/Fault Status Indicator
These green and red LEDs indicate the overall health of the
module and its field circuits. During normal operation, the
green ACTIVE indicator flashes at the controller’s scan rate.
If a module fault is detected the red FAULT indicator turns
on and the green ACTIVE indicator turns off.
Shutdown Indicator
Upon loss of communications with the controller, output
modules enter either a shutdown or hold fault mode. If the I/O
unit is set to shutdown, the red SHUTDOWN indicator will
turn on when communications with the controller are lost. If
the I/O unit is set to hold, the SHUTDOWN indicator will
always be off (see page 13, Fault Mode Jumper).
the physical features of the DC Guarded
PD-6019
Mar-06
When the module is installed in the I/O chassis or
power (from the I/O power supply modules) is first applied to
the module, it will be in the shutdown mode until the first
output scan, regardless of the fault mode jumper settings.
Also, removing two I/O transceiver modules, two I/O power
supply modules, or two power legs will cause the module to be
in the shutdown mode.
Output Status Indicators
The output status indicators are yellow LEDs, located on the
front of the module. The state of the output circuit is sensed
on the field-side of the c
isolated to drive the logic-side LEDs. These indicators are on
when the load is energized.
5
ircuit and this status is optically
when logic
DC Guarded Digital Output Modules (T3461A, 62A, 68A)
6
Figure 2. A DC Guarded Output Module.
Industrial Control Services
Loading...