ICS Regent + Plus
®
PD-7033
Monitored Guarded Output Modules
24 VDC, 110 VAC and 120 VDC
(T7481/T7481A, T7484 and T7488/T7488A)
Issue 2,
Monitored Guarded output modules provide Guarded control
and line monitoring for sixteen field loads. Three typ
modules are available for interfacing to outputs powered from
24 VDC, 110 VAC, or 120 VDC field power supplies. These
modules are called Guarded because each module's dual
redundant design ensures that no single fault within the
module will inadvertently apply power to an output. These
modules also monitor the output field wiring for open and
short circuit faults. Individual output line status is available
to application programs.
March, 06
es of
-
Features
·
Sixteen Guarded outputs (in two groups of eight).
•
Fault tolerant operation when connected in parallel with
another module of the same type.
•
Hot-replaceable.
•
Complete, automatic testing of all output circuits.
•
Automatic line monitoring detects open and short field wiring
circuits.
•
Individual front panel indicators on each module show module
fault/active status and shutdown state; addi
show output status and load/fuse fault for each point.
·
Fuses accessible from front panel.
•
2500 minimum electrical isolation between field and logic
circuits.
·
TÜV certified, Risk Class 5.
Each module's triplicated Safetybus interface ensures that no
Regent system failure will inadvertently apply power to an
tional indicators
Industrial Control Services
(Issue 2)
1
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
output. E
circuits ensure that each module operates in a fail-safe
manner.
Two monitored Guarded output modules can be connected in
parallel to obtain fault tolerant control of power to loads. In
this parallel module configuration, either module can be
removed and replaced while the other Guarded module
continues to control the loads without interruption.
Module Operation
A block diagram of a typical monitored Guarded digital output
module is shown in Figure 1.
xtensive fault detection and redundant critical
Figure 1. Block Diagram of a Monitored Guarded Digital Output Module.
2
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Case
Commanded
Output State
Switch
Failed
State
Actual
Output
to Load
Remarks
1 On
On On
Continued correct control.
Automatic testing detects
stuck-on switch. If output is
subsequently commanded
off, output will turn off.
2 On
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch.
3 Off
On
Off
Continued correct control.
Automatic testing detects
stuck-on
switch. If output is
subsequently commanded
on, output will turn on.
4 Off
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch. If output is subse
quently commanded on,
output will remain off.
The processor modules send triplicated write data commands
over the I/O Safetybus to the monitored Guarded output
module. Onboard the output module the triplicated data are
routed to two independent voters which provide voted data to
associated field programmable gate arrays (FPGA). Each
FPGA independently operates one of the two output control
switches. The two out
the load.
put switches are connected in series with
When both output switches are on, current will flow through
the output and energize a field load. If either switch is off,
current will not flow through the output and the load will be
de-energized. This combination of series output switches and
independent drive signals produces fail-safe activation of the
load. Single failures can only affect one of the output drive
signals or switches. A single failure will result in either
continued correct control
Table 1.
(T7481/81A, 84 and 88/88A)
or a fail-safe output as shown in
Table 1. Output States After Switch Failure.
PD-6033
Mar-06
To achieve fault tolerance, two monitored Guarded output
modules are used with their outputs connected in parallel.
This configuration provides for continued correct control even
(Issue 2)
3
Monitored Guarded Output Modules
when one output switch fails off (cases two and four in Table
1
). The module failure is automatically detected and the
module can be removed and replaced without interrupting
output control.
(T7481/81A, 84, and 88/88A)
Testing and Diagnostics
Automatic testing is performed on the monitored guarded
output modules as well as the field load connections.
Module Testing
Each voter and FPGA logic section of the Guarded output
modules are automatically tested by the processor modules.
Discrepant data are sent through one of three legs of the I/O
Safetybus to determine whether the module’s voters are able
to outvote the incorrect data. A failure to return the correct
majority-voted result to the processors produces an I/O
module error indication at the processor modules and a
module fault indication at the I/O module.
Each type of module has a unique identification code that is
read by the controller. This code lets the controller know
which type of module is installed in each I/O chassis slot and
how to address that module and its points specifically. If a
module is removed, or is replaced with a module of a different
type, the
processor modules will indicate an I/O module error.
4
Loopback logic tests periodically write data to the module and
then read it back to determine whether the module’s I/O bus
interface logic is functioning correctly.
Output Circuit Testing
The output circuits of the monitored guarded output module
are automatically tested to detect failures in the redundant
output switch circuits on-board the module and also to detect
open and short circuits in the output field wiring and load
devices.
Output Switch Testing
To detect a failure in the redundant output switch circuits,
each output switch is checked for turn-on and turn-off
capability. Periodically, each output switch circuit on the
module is tested for its ability to change its current state.
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
During testing, the output state is changed; outputs that are
on are turned off and outputs that are off are turned on.
When two monitored guarded output modules are wired in
parallel for fault tolerance, the output circuit testing of the
dual modules is coordinated. The test coordination is
automatically performed by the system when the modules are
properly configured for dual mode (see Configuration, starting
on page 17). When dual modules are tested, the second
module’s outputs are turned off momentarily while the first
module’s outputs are tested. Subsequently, the first module’s
outputs are turned off while second module’s outputs are
tested.
When an output switch is tested, the test pulse duration is
nominally 250 msec, and is insufficient to affect the state of
most field loads. With modules configured in dual mode, the
maximum test pulse may be 425 msec if one module has a
switch failure. The output circuit test interval will range from
1 to 60 seconds, depending on the quantity of I/O configured
in the system.
(T7481/81A, 84 and 88/88A)
If an output switch doesn’t change state when tested, an
output switch fault is detected. An output switch failure is
annunciated as a module fault. An I/O
module fault is
indicated by the module FAULT LED on the module, the red
I/O fault LEDs on the processor modules and the system
control relay fault bit for the module assembly and slot.
Load and Fuse Monitoring and Testing
During output switch testing, the module also monitors the
change in current flow in the field power for the outputs. The
sensed state changes of the output switches and the field
power current are reported back to the processor modules.
The triplicated processor modules use this inform
ation to
identify if an open load, shorted load or blown fuse condition
exists.
Any of these load/fuse fault conditions are annunciated via
the LOAD/FUSE fault LEDs on the face of the module and the
Fault Name variables configured for each point. Load/Fuse
faults are not reported as module faults and so do not turn on
the red Module FAULT LED or associated system variable
control relay fault bit. The Fault Name variables should be
PD-6033
Mar-06
(Issue 2)
5
Note:
Monitored Guarded Output Modules
monitored by the application program or external operator
interface equipment to dispatch maintenance personnel to
correct the field connection problem.
Field faults such as open load, shorted load, blown fuse and
absence of field power, will mask an output switch fault. When
load/fuse faults are detected, they should be repaired as soon
as possible.
If the health of spare, unused output points is important, then
a minimum load device should be connected to these points.
(T7481/81A, 84, and 88/88A)
Front Panel
Figure 2 shows the physical features of the monitored
Guarded output modules. The front panel of each module
contains a module active and fault status indicator, a
shutdown indicator, as well as output fuses, output status
indicators and load/fuse fault indicators for the output
circuits.
Active/Fault Status Indicators
These green and red LEDs indicate the overall health of the
module and output circuits. During normal operation, the
green ACTIVE indicator flashes at the controller's scan rate.
If a module fault is detected, the red FAULT indicator turns
on and the green ACTIVE indicator turns off.
Shutdown Indicator
Upon loss of communications with the controller, output
modules enter either a shutdown or hold fault mode. If the I/O
unit is set to shutdown, the red SHUTDOWN indicator will
turn on when communications with the controller are lost. If
the I/O unit is set to hold, the SHUTDOWN indicator will
always be off (see page 16, Fault Mode Jumper).
6
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Note:
When the module is installed in the I/O chassis or when logic
power (from the I/O power s
the module, it will be in the shutdown mode until the first
output scan, regardless of the fault mode jumper settings.
Also, removing two I/O transceiver modules, two I/O power
supply modules, or two power legs will cause the module to be
in the shutdown mode.
(T7481/81A, 84 and 88/88A)
upply modules) is first applied to
PD-6033
Mar-06
(Issue 2)
7
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
8
Figure 2. Monitored Guarded Output Modules.
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
(T7481/81A, 84 and 88/88A)
Application
Output Status Indicators
The output status indicators are yellow LEDs, located on the
front of the module. The state of the ou
on the field side of the output circuit and optically coupled to
both of the FPGAs. The FPGAs logically drive the output
status LEDs. The indicator is on when the output circuit is
energized.
During output testing, the module monitors the current flow
to the load device. If no current is detected, or if an excessive
current is detected, the red load/fuse fault LED is energized.
This indicator annunciates a blown fuse or an open or short
circuit in the field wiring to the output
tput circuit is sensed
field device.
Monitored Guarded digital output modules provide a suitable
interface to safety-critical output devices. These safety
critical devices typically include solenoids, actuators, or other
process interlock outputs. Monitored Guarded output modules
can be used for fail-safe or fault tolerant operation.
-
Fail-Safe Configuration
As shown in Figure 3, fail-safe configuration uses a single
monitored Guarded output module. In this configuration, the
worst case failur
In a fail-safe configuration, removing the module disables all
outputs.
e will cause the output to fail to the off state.
Figure 3. Fail-Safe Configuration.
PD-6033
Mar-06
(Issue 2)
9
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
Fault Tolerant Configuration
For fault tolerant operation, two monitored Guarded output
modules are connected in parallel as shown in Figure 4. In
this configuration, operation continues even if one module
fails.
In the fault tolerant configuration, a failed module can be
re
moved and replaced without interrupting operation of the
loads.
Figure 4. Fault Tolerant Configuration.
10
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Fault Tolerant Configuration with Redundant
(T7481/81A, 84 and 88/88A)
Actuators
When redundant actuators are installed in the field, the level
of fault protection can be extended to include the field wiring
and actuators. Each actuator should be connected to an
individual monitored guarded output module as shown in
Figure 5.
In this configuration continuous operation can be maintained
even if a module, field wiring or load fault occurs.
PD-6033
Mar-06
Figure 5. Fault Tolerant Configuration with Redundant
Actuators.
Output Load Considerations
The monitored guarded output module will operate correctly
(no FAULT indication) with loads as small as 20 mA. The 81A
and 88A version will operate with loads as small as 5 mA.
(Issue 2)
11
Load
OFF State Voltage (nominal field voltage and shorted switch)
Rating
T7481/81A
(24 Vdc)
T7484
(110 Vac)
T7488/88A (120
Vdc)
(mA) Single Dual
Single
Dual Single Dual
5 na 2.6 na 3.7 na na
na
12.8 na 18.3
10 na 1.4 na 2.0 na na
na
6.8 na 9.9
20 4.7 .71 6.4 1.0 23.5
31.8
na. 3.5 na 5.2
35 3.0 .41 4.1 .6 14.8
20.8
17.5 2.0 24.4 3.0
50 2.2 .29 3.1 .43 10.8
15.5
12.8 1.4 18.2 2.1
100
1.2 .15 1.7 .21 5.7 8.4
6.7. .71 9.8 1.0
Note:
Monitored Guarded Output Modules
However, care should be exercised in applying the module to
small load devices.
(T7481/81A, 84, and 88/88A)
Off-state test cur
rent (Leakage current ) of the output circuit
may prevent some load devices from turning off completely.
Table 2 lists the off-state voltages (worst case) for various load
ratings and module configurations. These should be
compared to the “
being applied.
guaranteed off
Table 2. Off-
” voltage for the load device
State Voltage Ratings.
Field Wiring
Field wiring terminal blocks on the I/O chassis are used to
connect power sources and loads to the module. The terminal
blocks are located directly above and below the slot where t
he
module is installed. Each terminal block consists of ten #6
wire clamp screw terminals capable of holding two 12 AWG
wires.
Each module has separate power terminals for each output
group (group 1: channels 1-8, group 2: channels 9-16). The
two groups are electrically isolated from each other. Figure
6
shows the proper field wiring for a single module and Figure
shows the field wiring for fault tolerant modules connected in
parallel.
This
module does not require a return connection from the
field power source. Do not connect any field wiring to
terminals A and D.
7
12
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Note:
Output circuit testing monitors current flow to the outputs. If
the field power supply is not connected, then all of the outputs
in the associated group without power will indicate a load/fuse
fault condition.
(T7481/81A, 84 and 88/88A)
PD-6033
Mar-06
(Issue 2)
13
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
14
(Issue 2)
Figure 6. Fail-Safe Field Wiring.
Industrial Control Services
Monitored Guarded Output Modules
(T7481/81A, 84 and 88/88A)
PD-6033
Mar-06
(Issue 2)
Figure 7. Fault Tolerant Field
Wiring.
15
Module
Upper
Connector
Lower
Connector
T3481/81A
4
3
T3484
10
3
T3488/88A
11 3
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
Fault Mode Jumper
The fault mode jumper is located behind the ID switch cover
in the lower left-hand corner of each I/O chassis. The position
of the fault mode jumper determines the module's response to
system level faults. The fault mode jumper’s position will
cause all output modules in the I/O chassis to either shutdown
(turn off all outputs) or to hold (hold the last state) after a
system level failure occurs. An example of a system level
failure is the failure of two processor modules.
Keyin
g
The I/O chassis can be physically keyed to prevent accidental
damage caused by inserting a module into a slot wired for a
different module type. Figure 8 illustrates how the slot keys
are installed on the I/O chassis slot field wiring connectors.
The slot key positions for the Monitored Guarded output
modules are listed in Table 3.
Table 3. Slot Key Positions.
16
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
(T7481/81A, 84 and 88/88A)
PD-6033
Mar-06
Figure 8. Installing Slot Keys.
Configuration
Each output module is configured using the
W
INTERPRET
Configuration Editor. In the editor you will perform the four
steps described below to configure the output module.
(Issue 2)
I/O
17
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
1) Set the Module Type:
Position the cursor on the module slot you wish to define.
Choose Set Module Type from the Edit Menu and select
the appropriate monitored guarded output module from
the list.
2) Edit the Module Definition:
Choo
se Edit Module Definition from the Edit Menu. A
dialog box will open where you can define the output point
definitions.
Figure 9. Monitored Guarded Output Module Definition.
3) Configure the module for single or dual mode.
With the cursor at the top of the list in the Module Definition
dialog shown in Figure 9, open the Monitored Guarded
Output Module Definition dialog by pressing Enter or double
clicking on the “(Module)” selection.
If the output module is to be
used in dual mode (wired in
parallel with another similar module for fault tolerance), then
you must check the Dual Mode selection in the dialog box
shown in Figure 10. Also, you must enter the I/O Assembly
number (1-16) and I/O Slot number (1-10) of the redundant
module. This must be done for each of the two modules that
will operate in dual mode.
18
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Note:
Note:
(T7481/81A, 84 and 88/88A)
Figure 10. Defining the Guarded Output Module Definition.
If you do not configure the modules for Dual
Mode then the
output testing performed on the modules will not be
coordinated and each of the modules wired in parallel will
report a fault.
For the T3484, 110 VAC Monitored Guarded Output Module
you must also select the line frequency of the field power
supply. In the Line Frequency drop-down list, select either
50 Hz or 60 Hz.
4) Edit each point:
Choose Edit from the Module Definition dialog box to define a
name and description for each output point. In the Monitored
Guarded Output Point dialog, enter names and values for the
configuration fields as described below.
PD-6033
Mar-06
(Issue 2)
19
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
Figure 11. Defining a Guarded Digital Output Point.
Name
Also called the tag name, this is the name used in the
application program to reference the output point. The name
can be up to 12 characters long.
Description
This 40-character field provides a place to describe the output
point definition. The description is used to help document
your system (it does not affect application program operation).
Comm Protect
Marki
ng the Comm Protect check box protects the point from
changes by communications functions such as data write,
forcing, and load initial value when Comm Protect is enabled.
Initial Value
The initial value for the output is loaded to the Regent when
you load the I/O configuration and also when you load the
application program that controls the output.
20
Final Value
The final value for the output is loaded to the Regent when
the application program that controls the output is deleted.
Unless special circumstances exist, you should always enter
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
zero, so that the output is turned off when you delete the
application program that controls it.
(T7481/81A, 84 and 88/88A)
Fault Name
This is the name used in the application program to reference
the output point line fault status. The name can be up to 12
characters long.
During operations the output module is regularly tested for
open load, shorted load and blown fuse conditions. If any of
these conditions occur, the Fault Name variable will turn on.
Fault Name Description
This 40-character field provides a place to describe the output
point fault name definition. The description is used to help
document your system (it does not affect application program
operation).
Disable Fault LED
Marking the Disable Fault LED check box disables the
load/fuse fault LED for this output point on the face of the
output module. Marking this box does not stop the module
from performing load monitoring and blown fuse detection, it
only stops the module from displaying load/fuse faults on the
face of the output mod
ule. Load/fuse faults are still reported
to the Regent and are available to the application program
through the fault name variable.
PD-6033
Mar-06
This box can be checked for those output points that are spare
and have no field loads connected. In this configuration the
load/fuse fault LED will always be off. If you do not check this
box for unconnected spare points, the load/fuse fault will
always be on.
Output Module Definition
In addition to configuring output point definitions, you can
configure the output module definition to represent the
combined state of all 16 output points. This configuration is
done in the Monitored Guarded Output Module dialog shown
in Figure 10.
The module definition represents the 16 output point
definitions as signed, 16-bit integers. The Module Output
name represents the 16 output names and the Module Fault
(Issue 2)
21
Monitored Guarded Output Modules
Name represents the 16 output fault names. In each module
variable, output 1 is the least significant bit (LSB) and output
point 16 is the most si
The module definition names are not normally used for
control purposes. However, they do provide convenient single
name references to all 16 outputs points when reporting
status information to operator interface equipment.
(T7481/81A, 84, and 88/88A)
gnificant bit (MSB).
Programming
Outputs are controlled by writing application programs that
solve for output values. For example, placing an output tag
name on a coil in ladder logic will cause the output to turn on
when there is power flow to the coil in the ladder logic rung.
To program fault tolerant outputs two output coils driven by
the same control logic are used as shown in Figure 12.
Figure 12. Programming Fault Tolerant Outputs.
In this illustration A, B, C, D represent various logic elements
used to drive the outputs; XV103A represents the output on
one Guarded output module; and XV103B represents the
output on the other Guarded output module.
Maintenance
22
No periodic maintenance or calibration is requ
module.
Fuses can be removed and replaced without removing the
module from the I/O chassis. Turning the fuse holder one
quarter turn from its locked position releases the fuse holder,
extending the fuse and allowing it to be removed.
To prevent damage to the module, replacement fuses must be
of the same rating and type (see Specifications, below).
(Issue 2)
Industrial Control Services
ired for this
-
Monitored Guarded Output Modules
Safetybus Power
1.5 load units
Number of Outputs
16 circuits divided into two
groups of 8 circuits each
T7481 (81A)
T7484
T7488 (88A)
Voltage Range
18 to 36 VDC
90 to 130 VAC
95 to 140 VDC
Frequency
N/A 47 to 63 Hz
N/A
Load Current
(0 to 40° C)
derating (at 60°
C)
2 amp
1.5 amp
0.7 amp
0.5 amp
1.0 amp
0.75 amp
Minimum Load
20 mA ( 5mA)
20 mA
35 mA (5mA)
On State Drop
1.0 V, maximum
2.5 V, maximum
2.0 V, maximum
Surge Current
incandescent,
capacitive loads:
inductive loads:
3.5 amps, peak
7 amps for
20 msec
3.5 amps, peak
3 amps for
20 msec
3
.5 amps, peak
3 amps for 20 msec
Output Leakage
single, fail-safe
module:
dual, fault-tolerant
modules:
5 mA, ( 700ua)
maximum
7.5 mA, (1 mA)
maximum
5.5 mA,
maximum
8.5 mA,
maximum
5.5 mA, (700ua)
maximum
8.5 mA, (1 mA)
maximum
T7481/81A
T7484
T7488/88A
(T7481/81A, 84 and 88/88A)
Safety Considerations
Specifications
The Monitored Guarded output modules are TÜV certified to
Risk Class 5 for safety critical outp
uts. The modules are
approved for de-energize to trip safety critical outputs in
single or dual module configurations.
The modules are also approved for energize to trip safety
critical outputs in dual module configuration, but
only
if the
fault name variables are configured and used to automatically
alarm and annunciate the detection of load/fuse faults to plant
operations personnel.
PD-6033
Mar-06
(Issue 2)
23
Fusing
(front mounted)
One 3 amp, 250
V, fast acting
(3AB), rectifier
type, per output
Littelfuse 322-003
One 2 amp, 250
V, fast acting
(3AB), rectifier
type, per output
Littelfuse
322-002
One 2 amp, 250 V,
fast acting (3AB),
rectifier t
ype, per
output
Littelfuse 322-002
Turn-On Delay
0.5 msec
0.5 msec
0.5 msec
Turn-Off Delay
0.5 msec
0.5 msec
0.5 msec
Output Test
Duration
250 msec for
single or dual
modules, max of
425 msec if switch
fault (dual
modules only)
250 msec for
single or dual
modules, max of
425 msec if
switch fault
(dual modules
only)
250 msec for single
or dual
modules,
max of 425 msec if
switch fault (dual
modules only)
Heat Dissipation
30 Watts,
101 BTUs/hour
27 Watts,
92 BTUs/hour
27 Watts,
92 BTUs/hour
Over Voltage
Protection
70 VDC,
continuous
100 VDC,
5 seconds
275 VAC,
continuous
450 VAC,
5 seconds
275 VAC,
continuous
450 VAC, 5 seconds
Isolation
2500 volts minimum (field
wiring to control logic)
2500 volts minimum (output
group 1-8 to output group 9
-
16)
Operating Temperature
0°
to 60° C
(32° to 140° F)
Storage Temperature
-40°
to 85° C
(-40°
to 185° F)
Operating Humidity
0 to 95% relative humidity,
non-condensing
Vibration
10 to 55 Hz:
±0.15mm
Shock
Operating:
15 g, ½ sine wave, 11 msec
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
24
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Electromagnetic
Interference
•
IEC 801 Part 2 - Electrostatic
Discharges
•
IEC 801 Part 3 - Radiated
Electromagnetic Fields
•
IEC 801 Part 4 - Transients
and Bursts
•
IEC 801 Part 5 - Surge
Immunity
•
ANSI/IEEE C37.90 - Surge
Withstand Capability
Level 3: Contact discharge of
6 kV
Level 3: 10 V/M, 27 MHz 500 MHz
Level 4: 2 kV, 2.5 kHz for
t=60 sec
Level 3: 2 kV
2.5 kV damped 1 MHz sine
wave,
4 kV bi-directional impulse,
10 nsec rise tim
e, fast
transient
Safety
Certified to DIN V VDE
0801 for Risk Class 5. Also
designed to meet UL 508 and
CSA 22.2, No. 142-M1981
Dimensions
Height:
Width:
Depth:
12.6" (320 mm)
1.27" (32 mm)
10.12" (257 mm)
Weight
4.2 lbs (1.8 kg)
(T7481/81A, 84 and 88/88A)
PD-6033
Mar-06
(Issue 2)
25
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
26
(Issue 2)
Industrial Control Services
Loading...