Rockwell Automation T7488, T7488A User Manual
ICS Regent + Plus
®
PD-7033
Monitored Guarded Output Modules
24 VDC, 110 VAC and 120 VDC
(T7481/T7481A, T7484 and T7488/T7488A)
Issue 2,
Monitored Guarded output modules provide Guarded control
and line monitoring for sixteen field loads. Three typ
modules are available for interfacing to outputs powered from
24 VDC, 110 VAC, or 120 VDC field power supplies. These
modules are called Guarded because each module's dual
redundant design ensures that no single fault within the
module will inadvertently apply power to an output. These
modules also monitor the output field wiring for open and
short circuit faults. Individual output line status is available
to application programs.
March, 06
es of
-
Features
·
Sixteen Guarded outputs (in two groups of eight).
•
Fault tolerant operation when connected in parallel with
another module of the same type.
•
Hot-replaceable.
•
Complete, automatic testing of all output circuits.
•
Automatic line monitoring detects open and short field wiring
circuits.
•
Individual front panel indicators on each module show module
fault/active status and shutdown state; addi
show output status and load/fuse fault for each point.
·
Fuses accessible from front panel.
•
2500 minimum electrical isolation between field and logic
circuits.
·
TÜV certified, Risk Class 5.
Each module's triplicated Safetybus interface ensures that no
Regent system failure will inadvertently apply power to an
tional indicators
Industrial Control Services
(Issue 2)
1
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
output. E
circuits ensure that each module operates in a fail-safe
manner.
Two monitored Guarded output modules can be connected in
parallel to obtain fault tolerant control of power to loads. In
this parallel module configuration, either module can be
removed and replaced while the other Guarded module
continues to control the loads without interruption.
Module Operation
A block diagram of a typical monitored Guarded digital output
module is shown in Figure 1.
xtensive fault detection and redundant critical
Figure 1. Block Diagram of a Monitored Guarded Digital Output Module.
2
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Case
Commanded
Output State
Switch
Failed
State
Actual
Output
to Load
Remarks
1 On
On On
Continued correct control.
Automatic testing detects
stuck-on switch. If output is
subsequently commanded
off, output will turn off.
2 On
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch.
3 Off
On
Off
Continued correct control.
Automatic testing detects
stuck-on
switch. If output is
subsequently commanded
on, output will turn on.
4 Off
Off Off
Fail-safe output. Automatic
testing detects stuck-off
switch. If output is subse
quently commanded on,
output will remain off.
The processor modules send triplicated write data commands
over the I/O Safetybus to the monitored Guarded output
module. Onboard the output module the triplicated data are
routed to two independent voters which provide voted data to
associated field programmable gate arrays (FPGA). Each
FPGA independently operates one of the two output control
switches. The two out
the load.
put switches are connected in series with
When both output switches are on, current will flow through
the output and energize a field load. If either switch is off,
current will not flow through the output and the load will be
de-energized. This combination of series output switches and
independent drive signals produces fail-safe activation of the
load. Single failures can only affect one of the output drive
signals or switches. A single failure will result in either
continued correct control
Table 1.
(T7481/81A, 84 and 88/88A)
or a fail-safe output as shown in
Table 1. Output States After Switch Failure.
PD-6033
Mar-06
To achieve fault tolerance, two monitored Guarded output
modules are used with their outputs connected in parallel.
This configuration provides for continued correct control even
(Issue 2)
3
Monitored Guarded Output Modules
when one output switch fails off (cases two and four in Table
1
). The module failure is automatically detected and the
module can be removed and replaced without interrupting
output control.
(T7481/81A, 84, and 88/88A)
Testing and Diagnostics
Automatic testing is performed on the monitored guarded
output modules as well as the field load connections.
Module Testing
Each voter and FPGA logic section of the Guarded output
modules are automatically tested by the processor modules.
Discrepant data are sent through one of three legs of the I/O
Safetybus to determine whether the module’s voters are able
to outvote the incorrect data. A failure to return the correct
majority-voted result to the processors produces an I/O
module error indication at the processor modules and a
module fault indication at the I/O module.
Each type of module has a unique identification code that is
read by the controller. This code lets the controller know
which type of module is installed in each I/O chassis slot and
how to address that module and its points specifically. If a
module is removed, or is replaced with a module of a different
type, the
processor modules will indicate an I/O module error.
4
Loopback logic tests periodically write data to the module and
then read it back to determine whether the module’s I/O bus
interface logic is functioning correctly.
Output Circuit Testing
The output circuits of the monitored guarded output module
are automatically tested to detect failures in the redundant
output switch circuits on-board the module and also to detect
open and short circuits in the output field wiring and load
devices.
Output Switch Testing
To detect a failure in the redundant output switch circuits,
each output switch is checked for turn-on and turn-off
capability. Periodically, each output switch circuit on the
module is tested for its ability to change its current state.
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
During testing, the output state is changed; outputs that are
on are turned off and outputs that are off are turned on.
When two monitored guarded output modules are wired in
parallel for fault tolerance, the output circuit testing of the
dual modules is coordinated. The test coordination is
automatically performed by the system when the modules are
properly configured for dual mode (see Configuration, starting
on page 17). When dual modules are tested, the second
module’s outputs are turned off momentarily while the first
module’s outputs are tested. Subsequently, the first module’s
outputs are turned off while second module’s outputs are
tested.
When an output switch is tested, the test pulse duration is
nominally 250 msec, and is insufficient to affect the state of
most field loads. With modules configured in dual mode, the
maximum test pulse may be 425 msec if one module has a
switch failure. The output circuit test interval will range from
1 to 60 seconds, depending on the quantity of I/O configured
in the system.
(T7481/81A, 84 and 88/88A)
If an output switch doesn’t change state when tested, an
output switch fault is detected. An output switch failure is
annunciated as a module fault. An I/O
module fault is
indicated by the module FAULT LED on the module, the red
I/O fault LEDs on the processor modules and the system
control relay fault bit for the module assembly and slot.
Load and Fuse Monitoring and Testing
During output switch testing, the module also monitors the
change in current flow in the field power for the outputs. The
sensed state changes of the output switches and the field
power current are reported back to the processor modules.
The triplicated processor modules use this inform
ation to
identify if an open load, shorted load or blown fuse condition
exists.
Any of these load/fuse fault conditions are annunciated via
the LOAD/FUSE fault LEDs on the face of the module and the
Fault Name variables configured for each point. Load/Fuse
faults are not reported as module faults and so do not turn on
the red Module FAULT LED or associated system variable
control relay fault bit. The Fault Name variables should be
PD-6033
Mar-06
(Issue 2)
5
Note:
Monitored Guarded Output Modules
monitored by the application program or external operator
interface equipment to dispatch maintenance personnel to
correct the field connection problem.
Field faults such as open load, shorted load, blown fuse and
absence of field power, will mask an output switch fault. When
load/fuse faults are detected, they should be repaired as soon
as possible.
If the health of spare, unused output points is important, then
a minimum load device should be connected to these points.
(T7481/81A, 84, and 88/88A)
Front Panel
Figure 2 shows the physical features of the monitored
Guarded output modules. The front panel of each module
contains a module active and fault status indicator, a
shutdown indicator, as well as output fuses, output status
indicators and load/fuse fault indicators for the output
circuits.
Active/Fault Status Indicators
These green and red LEDs indicate the overall health of the
module and output circuits. During normal operation, the
green ACTIVE indicator flashes at the controller's scan rate.
If a module fault is detected, the red FAULT indicator turns
on and the green ACTIVE indicator turns off.
Shutdown Indicator
Upon loss of communications with the controller, output
modules enter either a shutdown or hold fault mode. If the I/O
unit is set to shutdown, the red SHUTDOWN indicator will
turn on when communications with the controller are lost. If
the I/O unit is set to hold, the SHUTDOWN indicator will
always be off (see page 16, Fault Mode Jumper).
6
(Issue 2)
Industrial Control Services
Monitored Guarded Output Modules
Note:
When the module is installed in the I/O chassis or when logic
power (from the I/O power s
the module, it will be in the shutdown mode until the first
output scan, regardless of the fault mode jumper settings.
Also, removing two I/O transceiver modules, two I/O power
supply modules, or two power legs will cause the module to be
in the shutdown mode.
(T7481/81A, 84 and 88/88A)
upply modules) is first applied to
PD-6033
Mar-06
(Issue 2)
7
Monitored Guarded Output Modules
(T7481/81A, 84, and 88/88A)
8
Figure 2. Monitored Guarded Output Modules.
(Issue 2)
Industrial Control Services
Loading...