Trusted
TM
PD-T8444
TM
Trusted
TMR Pulse Generator and
Monitoring Module
Introduction
The TrustedTM TMR Pulse Generator and Monitoring module interfaces through special Thyristor
Drivers, to two Stepper Motors, which form an integral part of a damper rod control system. The
module is based upon the Trusted
rod position is provided by the module as a % Movement figure and a series of fault signals.
Triplicated diagnostic tests are performed throughout the module in order to locate and annunciate
hardware failures. Inputs are treated as analogues and are fully tested by the nature of their operation.
Fault tolerance is achieved through a Triple Modular Redundant (TMR) architecture within the module.
The module has been configured to provide the control and interlock requirements for a high power
stepper motor control system which is used to position Damper Rods in a Nuclear reactor. The
functionality of this module is highly specialised and is detailed later in this PD.
Features
TM
T8461 Digital output module. Feedback of Thyristor activation and
• Two Stepper Motor controls
• Special control algorithms and fault diagnostics resident within the module
• Bi-directional Fast and slow movement
• Emergency stop and hold facility
• Rod position Indication
• Thyristor driver fault indications
• ESD Rod release
• 2500V dc optical isolation barrier
• Automatic over-current protection (per channel), no fuses required (outputs)
• Front panel status LEDs for each point indicate status and field wiring faults
• Front panel module status LEDs indicate module health and operational mode (Active,
Standby, Educated)
6V Certified IEC 61508 SIL 3
• T
Issue 9 Apr 10 PD-T8444 1
Trusted
Issue Record
Issue
Number Date Revised by Technical CheckAuthorised by Modification
5 July 05 J W Clark Formatting
6 Dec 06 N Owens I Vince P Stock Weights and Dims
7 Sep 07 N Owens I Vince P Stock Tbl16 Chns rotated
8 Nov 09 S Blackett A Holgate N Owens Table 5 change
9 Apr 10 S Blackett A Holgate N Owens Rack 7 change
TM
Module T8444
Issue 09 Apr 10 PD-T8444 2
Trusted
TM
Module T8444
This page is intentionally blank
Issue 09 Apr 10 PD-T8444 3
Trusted
TM
Module T8444
Table of Contents
1. Description ...................................................................................................................................9
1.1. Field Termination Unit (FTU) .....................................................................................................10
.2.
1
1.3. Host Interface Unit (HIU) ...........................................................................................................11
1.4. Front Panel Unit (FPU) ..............................................................................................................11
1.5. Line Monitoring ..........................................................................................................................12
1.6. Housekeeping............................................................................................................................12
1.7. Fault Detection/Testing..............................................................................................................12
1.8. Sequence of Events Characteristics..........................................................................................13
1.9. Output Switch Structure .............................................................................................................14
1.9.1. Switch Diagnostics.....................................................................................................................15
1.9.2. Short Circuit Protection Issues. .................................................................................................16
1.9.3. Group Fail Safe Switches. .........................................................................................................16
1.10. Input interfaces ..........................................................................................................................16
2. Installation..................................................................................................................................17
2.1. Module Insertion/Removal .........................................................................................................17
2.2. Field Cable Selection .................................................................................................................17
2.3. Module Pinout Connections .......................................................................................................18
2.4. TrustedTM Module Polarisation/Keying.......................................................................................19
3. Application .................................................................................................................................20
3.1. Module Configuration.................................................................................................................20
3.2. T8444 Complex Equipment Definition .......................................................................................20
3.2.1. Rack 1: PG_CTRL .....................................................................................................................21
3.2.2. Rack 2: FIELD ............................................................................ Error! Bookmark not defined.
3.2.3. Rack 3: PI_CTRL .......................................................................................................................23
3.2.4. Rack 4: PG_FAULT ...................................................................................................................23
3.2.5. Rack 5: Line_Flt .........................................................................................................................24
3.2.6. Rack 6: Discrep .........................................................................................................................24
3.2.7. Rack 7: Housekeeping...............................................................................................................25
3.2.8. Rack 8: INFO .............................................................................................................................26
3.3. SYSTEM.INI File Configuration .................................................................................................26
4. Operation ...................................................................................................................................27
4.1. Front Panel ................................................................................................................................27
4.2. Module Status LEDs ..................................................................................................................28
4.3. I/O Status LEDs .........................................................................................................................29
4.3.1. Outputs and Gate Outputs .........................................................................................................29
4.3.2. Feedback Inputs ........................................................................................................................30
4.4. Output and Input separation/Channel allocation........................................................................31
5. Fault Finding and Maintenance..................................................................................................32
5.1. Fault Reporting ..........................................................................................................................32
5.2. Field Wiring Faults .....................................................................................................................32
5.3. Module Faults ............................................................................................................................32
5.4. Companion Slot .........................................................................................................................33
ield Interface Unit (FIU) ...........................................................................................................10
F
Issue 09 Apr 10 PD-T8444 4
Trusted
5.5. SmartSlot ...................................................................................................................................33
5.6. Cold Start...................................................................................................................................33
5.7. Transfer between Active and Standby Modules ........................................................................34
6. Technical specification...............................................................................................................35
6.1. Introduction ................................................................................................................................35
6.2. Phase Rotation ..........................................................................................................................36
6.3. Fail Safe actions ........................................................................................................................37
6.4. Internal testing and Monitoring...................................................................................................37
6.5. Thyristor Driver interfaces/Stepper Motor Drives.......................................................................37
6.5.1. Module Start up..........................................................................................................................37
6.5.2. Minimum output Load ................................................................................................................37
6.5.3. Input Termination Resistance ....................................................................................................37
6.6. Operation with one thyristor driver removed ..............................................................................38
6.7. Detection of a missing pulse......................................................................................................38
6.8. Detection of an extra pulse ........................................................................................................38
6.9. Detection of a short/ long pulse .................................................................................................39
6.10. Analogue Feedback out of limits................................................................................................39
6.11. Motor Voltage Monitoring...........................................................................................................39
6.12. Inference of Position from Motor Pulses....................................................................................40
6.13. Number of Pulses for a full transition of a rod from End to End ................................................40
6.14. Synchronisation/External timing.................................................................................................40
6.15. Setting of Count Position ...........................................................................................................40
6.16. Analogue Input Discrepancy ......................................................................................................40
6.17. Output 2-oo-3 error ....................................................................................................................40
6.18. Module Temperature Measurement ..........................................................................................41
6.19. Diagnostics ................................................................................................................................41
6.20. FTA Output Schematic ..............................................................................................................42
6.21. FTA Input Schematic .................................................................................................................43
7. Specifications.............................................................................................................................44
TM
Module T8444
Issue 09 Apr 10 PD-T8444 5
Trusted
TM
Module T8444
Figures
Figure 1 Module Architecture....................................................................................................................9
Figure 2 Functional Block Diagram ........................................................................................................10
igure 3 Output Switch Structure............................................................................................................14
F
Figure 4 Simplified Switch Circuit Diagram ............................................................................................15
Figure 5 Module polarisation ..................................................................................................................19
Figure 6 Module Front Panel ..................................................................................................................27
Figure 7 PG/M Functional Block Diagram ..............................................................................................35
Figure 8 Field Termination Output Schematic ........................................................................................42
Figure 9 Field Termination Input Schematic ...........................................................................................43
Tab l es
Table 1 Line Monitoring Fault Status ......................................................................................................12
Table 2 Field Connector Pinout ..............................................................................................................18
Table 3 Complex Equipment Definition ..................................................................................................20
Table 4 OEM Parameters .......................................................................................................................21
Table 5 Rack 1: PG_CTRL descriptions.................................................................................................21
Table 6 Rack 2: Field descriptions .........................................................................................................22
Table 7 Rack 3: PI_CTRL descriptions ..................................................................................................23
Table 8 Rack 4: PG_Fault descriptions ..................................................................................................23
Table 9 Rack 5: Line_Flt descriptions ....................................................................................................24
Table 10 Rack 6: Discrepancy descriptions ...........................................................................................24
Table 11 Rack 7: Housekeeping descriptions ........................................................................................25
Table 12 Rack 8: INFO descriptions.......................................................................................................26
Table 13 Module Status Indicators .........................................................................................................28
Table 14 Default I/O Status Indicators....................................................................................................29
Table 15 Feedback Inputs ......................................................................................................................30
Table 16 I/O separation/Channel allocation............................................................................................31
Issue 09 Apr 10 PD-T8444 6
Trusted
TM
Module T8444
Notice
The content of this document is confidential to ICS Triplex Technology Ltd. companies and their
partners. It may not be given away, lent, resold, hired out or made available to a third party for any
purpose without the written consent of ICS Triplex Technology Ltd.
This document contains proprietary information that is protected by copyright. All rights are reserved.
Microsoft, Windows, Windows 95, Windows NT, Windows 2000, and Windows XP are registered
trademarks of Microsoft Corporation.
The information contained in this document is subject to change without notice. The reader should, in
all cases, consult ICS Triplex Technology Ltd. to determine whether any such changes have been
made. From time to time, amendments to this document will be made as necessary and will be
distributed by ICS Triplex Technology Ltd.
Information in this documentation set may be subject to change without notice and does not represent
a commitment on the part of ICS Triplex Technology Ltd..
The contents of this document, which may also include the loan of software tools, are subject to the
confidentiality and other clause(s) within the Integrator Agreement and Software License Agreement.
No part of this documentation may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording, for any purpose, without the express
written permission of ICS Triplex Technology Ltd.
Disclaimer
The illustrations, figures, charts, and layout examples in this manual are intended solely to illustrate the
text of this manual.
The user of, and those responsible for applying this equipment, must satisfy themselves as to the
acceptability of each application and use of this equipment.
This document is based on information available at the time of its publication. While efforts have been
made to be accurate, the information contained herein does not purport to cover all details or variations
in hardware or software, nor to provide for every possible contingency in connection with installation,
operation, or maintenance. Features may be described herein which are present in all hardware or
software systems. ICS Triplex Technology Ltd. assumes no obligation of notice to holders of this
document with respect to changes subsequently made.
ICS Triplex Technology Ltd. makes no representation or warranty, expressed, implied, or statutory with
respect to, and assumes no responsibility for the accuracy, completeness, sufficiency, or usefulness of
the information contained herein. No warranties of merchantability or fitness for purpose shall apply.
Issue 09 Apr 10 PD-T8444 7
Trusted
TM
Module T8444
Revision and Updating Policy
All new and revised information pertinent to this document shall be issued by ICS Triplex Technology
Ltd. and shall be incorporated into this document in accordance with the enclosed instructions. The
change is to be recorded on the Amendment Record of this document.
Precautionary Information
WARNING
Warning notices call attention to the use of materials, processes, methods, procedures or limits which
must be followed precisely to avoid personal injury or death.
CAUTION
Caution notices call attention to methods and procedures which must be followed to avoid damage to
the equipment.
Notes:
Notes highlight procedures and contain information to assist the user in the understanding of the
information contained in this document
Warning
RADIO FREQUENCY INTERFERENCE
Most electronic equipment is influenced by Radio Frequency Interference (RFI). Caution should be
exercised with regard to the use of portable communications equipment around such equipment.
Signs should be posted in the vicinity of the equipment cautioning against the use of portable
communications equipment.
MAINTENANCE
Maintenance must be performed only by qualified personnel, otherwise personal injury or death, or
damage to the system may be caused.
Caution
HANDLING
Under no circumstances should the module housing be removed.
Associated Documents
Product Descriptions (PD) provide product specific information.
The Safety Manual contains the recommended safety requirements for the safety system design.
The PD8082B – Toolset Suite provides specific guidance on system configuration and application
generation.
The Operator and Maintenance Manual contains general guidelines on maintenance and diagnostic
procedures.
For technical support email: support@icstriplex.com
Issue 09 Apr 10 PD-T8444 8
Trusted
TM
Module T8444
1. Description
The TMR Pulse Generator and Monitoring module is a member of the TrustedTM range of Input/Output
(I/O) modules. All Trusted
level, all I/O modules interface to the Inter-Module Bus (IMB) which provides power and allows
ommunication with the TMR Processor. In addition, all modules have a field interface that is used to
c
connect to module specific signals in the field. All modules are Triple Modular Redundant (TMR).
TM
I/O modules share common functionality and form. At the most general
Figure 1 Module Architecture
All High Integrity I/O modules are made up of 4 sections: Host Interface Unit (HIU), the Field Interface
Unit (FIU), the Field Termination Unit (FTU), and the Front Panel Unit (or FPU).
Issue 09 Apr 10 PD-T8444 9
Trusted
TM
Module T8444
Fig 2 shows a simplified block diagram of the Trusted
M
T
PG/M Module.
Figure 2 Functional Block Diagram
1.1. Field Termination Unit (FTU)
The Field Termination Unit (FTU) is the section of the I/O module that connects all three FIUs to a
single field interface. The FTU provides the Group Fail-safe switches and passive components
necessary for signal conditioning, over-voltage protection, and EMI/RFI filtering. When installed in a
Trusted
TM
Controller or Expander Chassis, the FTU field connector interconnects to the Field I/O Cable
Assembly attached at the rear of the chassis.
The SmartSlot link is passed from the HIU to the field connections via the FTU. These signals go
directly to the field connector and maintain isolation from the I/O signals on the FTU. The SmartSlot
link is the intelligent connection between active and standby modules for co-ordination during module
replacement.
1.2. Field Interface Unit (FIU)
The Field Interface Unit (FIU) is the section of the module that contains the specific circuits necessary
to interface to the particular types of field I/O signals. Each module has three FIUs, one per slice. For
the TMR Pulse Generator and Monitoring Module, the FIU contains one stage of the output switch
structure, and A/D monitoring circuits for each of the channels. Two additional A/D circuits provide
optional monitoring of the external field I/O supply voltage.
The FIU receives isolated power from the HIU for logic. The FIU provides additional power conditioning
for the operational voltages required by the FIU circuitry. An isolated serial link connects each FIU to
one of the HIU slices.
The FIU also measures a range of on-board “house-keeping” signals that assist in monitoring the
performance and operating conditions of the module. These signals include power supply voltages,
current consumption, on-board reference voltages, board temperature, and condensation
Issue 09 Apr 10 PD-T8444 10
Trusted
ng I/O
Redundant power sharing of dual 24V dc chassis supply voltage and power regulation for logic
ordination during module
board housekeeping, which monitors reference voltages, current consumption and board
TM
Module T8444
1.3. Host Interface Unit (HIU)
The HIU is the point of access to the Inter-Module Bus (IMB) for the module. It also provides power
distribution and local programmable processing power. The HIU is the only section of the I/O module
to directly connect to the IMB backplane. The HIU is common to most high integrity I/O types and has
type dependent and product range common functions. Each HIU contains three independent slices,
commonly referred to as A, B, and C.
All interconnections between the three slices incorporate isolation to prevent any fault interaction
between the slices. Each slice is considered a Fault Containment Region (FCR), as a fault on one
slice has no effect on the operation of the other slices.
The HIU provides the following services common to the modules in the family:
• High Speed Fault-Tolerant Communications with the TMR Processor via the IMB interface.
• FCR Interconnect Bus between slices to vote incoming IMB data and distribute outgoi
module data to IMB.
• Optically isolated serial data interface to the FIU slices.
•
power to HIU circuitry.
• Magnetically Isolated power to the FIU slices.
• Serial data interface to the FPU for module status LEDs.
• SmartSlot link between active and standby modules for co-
replacement.
• Digital Signal Processing to perform local data reduction and self-diagnostics.
• Local memory resources for storing module operation, configuration, and field I/O data.
• On-
temperature.
1.4. Front Panel Unit (FPU)
The Front Panel Unit (FPU) contains the necessary connectors, switches, logic, and LED indicators for
the front panel. For every module, the FPU contains the Slice Healthy, Active/Standby, the Educated
indicators (LEDs), and the module removal switches. Additional bi-colour LEDs provide status
indication for the individual I/O signals. Serial data interfaces connect the FPU to each of the HIU
slices to control the LED status indicators and monitor the module removal switches.
.
Issue 09 Apr 10 PD-T8444 11
Trusted
TM
Module T8444
1.5. Line Monitoring
The module automatically monitors the channel line fault status. These are reported back to the
application and are represented below.
Description Line Fault Status
Field Short Circuit 1
Output Energised (On) 0
No Load, Field Open Circuit 1
Output De-energised (Off) 0
No Field Supply Voltage 1
Table 1 Line Monitoring Fault Status
1.6. Housekeeping
The module automatically performs local measurements of several on-board signals that can be used
for detailed troubleshooting and verification of module operating characteristics. Measurements are
made within each slice’s HIU and FIU to determine the condition of the power supplies and common
services such as the temperature of the HIU.
1.7. Fault Detection/Testing
From the IMB to the field connector, the I/O module contains extensive fault detection and integrity
testing. Most testing is performed in a non-interfering mode. Data input from the IMB is stored in
redundant error-correcting RAM on each slice portion of the HIU. Received data is voted on by each
slice. All data transmissions include a confirmation response from the receiver.
Periodically, the TMR Processor commands the onboard DSPs to perform a Safety Layer Test. The
SLT results in the DSP verifying with the TMR Processor its ability to process data with integrity. In
addition, the DSP uses Cyclical Redundancy Checks (CRC) to verify the variables and configuration
stored in Flash memory.
Between the HIU and FIU are a series of optically isolated links for data and power. The data link is
synchronised and monitored for variance. Both FIU and HIU have onboard temperature sensors to
characterise temperature-related problems. Each FIU is also fitted with a condensation sensor.
The power supplies for both the HIU and FIU boards are redundant, fully instrumented and testable.
Together these assemblies form a Power Integrity Sub System.
Issue 09 Apr 10 PD-T8444 12
Trusted
TM
Module T8444
1.8. Sequence of Events Characteristics
Each Boolean Variable can be configured for automatic Sequence of Events (SOE) logging. This
applies to the Input/Output Status and Line Fault Status variables. A Boolean variable is configured for
SOE during the variable definition in the Data Dictionary Editor. To select SOE, press the Extended
Button in the Boolean Variable Definition Dialog Box to open the Extended Definition Dialog. Then
check to box for Sequence of Events to enable the variable for automatic SOE logging.
During operation, the module automatically reports time-stamped change of state information for the
output data. The TMR Processor automatically logs change of state for configured SOE variables into
the system SOE Log. The SOE Log can be monitored and retrieved using the SOE and Process
Historian Package running on the EWS. This software package is described in PD-8013.
Issue 09 Apr 10 PD-T8444 13
Trusted
TM
Module T8444
1.9. Output Switch Structure
The outputs of the Pulse Generator and Monitoring Module provides a TMR switch topology where the
load is driven by a total of three fully monitored, fail-safe (6 element) switch channels, one physically
resident on each OFIU in the module. Any single switch or entire slice failure is designed to leave two
of the three fail-safe switch channels operational to power the load.
Figure 3 Output Switch Structure
The upper switches as shown in are denoted as N.O. (Normally Open), and are controlled by the FIU
1
on which they are physically resident.
and are controlled by the “upstream” neighbouring FIU.
The lower switches are depicted as N.C. (Normally Closed),
2
Note:
In this context, N.O. is defined as being in the off state in the absence of control signal power,
and similarly, N.C. is the on state in the absence of control signal power. These switches are
constructed from enhancement mode MOSFETs and are both guaranteed to be off in the
3
absence of module power to create gate voltage signals to bias them on
(unlike
electromechanical relays for example).
The reason that the lower switches are specified to be on in the absence of control signal power is to
allow two channels to power the load should an entire slice fail. Even if an entire slice fails, the
surviving output circuits will carry the necessary control. The structure of each OFIU output is shown
below:
1
Their “home” FIU.
2
The home FIU, supplies an independent control signal for the “downstream” FIU FSS.
3
For an un-faulted transistor.
Issue 09 Apr 10 PD-T8444 14
Trusted
A resistor provides a means of continuously monitoring the switch current. A signal transistor is used
to drive the gate of Switch 2. It provides Switch 2 with a negative gate voltage, to minimise it’s on
resistance, and serves to hold Switch 2 on in the event that the secondary gate control loses power.
The zener diode between the gate of Switch 2 and source is only required to protect the gate from
large voltage spikes on the drain that might capacitively couple through when Switch 1 and Switch 2
are in the off state.
The resistors in series with the gate of Switch 1 and the signal transistor serve to protect the drive logic
in the event of a malicious switch failure. The pull-up resistors define the gate voltages in the absence
of power.
TM
Module T8444
Figure 4 Simplified Switch Circuit Diagram
1.9.1. Switch Diagnostics.
During normal operation, Switch 1 and Switch 2 are maintained on. In this state, Switch 1 and Switch 2
exhibit less than 0.5L of resistance each.
To determine the ability of the system to control the load via Switch 1 and Switch 2, their gate voltages
are modulated, one at a time. As the gate voltages are modulated, the monitoring signals
synchronously change in a predictable fashion. The local DSP analyses the relative amplitude and
phase of these small AC signals, to determine the on resistance and threshold voltages of each switch.
The current to the load does not need to be completely interrupted in order to obtain a level of
confidence in the ability of the transistors to turn off. For the TMR switch configuration in the on state,
only one fail-safe switch at a time needs to be modulated, while the other two bear the load current.
Issue 09 Apr 10 PD-T8444 15
Trusted
TM
Module T8444
1.9.2. Short Circuit Protection Issues.
In a fuse-free design such as in the Trusted
event of an over-current or over-power situation. In fact, this protection scheme offers advantages to
fuses in both automatic recovery and speed of action.
The topology of the channel provides a natural limit to the instantaneous current flow, giving the
module time to respond. Furthermore, the over-current protection circuitry is inherently self-testable,
ince the threshold can be a programmable value.
s
The P-channel architecture of Switch 1 and Switch 2 utilises an open-drain output structure. Under
short-circuit conditions the maximum instantaneous current with a 24V field voltage is naturally limited
to less than 5A per channel. This is because high output currents cause the gate-source voltages of
the two transistors to be reduced, tending to turn them off.
The output current is monitored by the DSP and sustained over current conditions result in a latched
over-current condition and de-energise the associated output. After removing the fault condition, the
latched over-current condition can be reset by either pressing the system fault reset button or turning
off the logical output signal to the module. The output also includes a non-replaceable fusible link for
absolute protection.
TM
System, the module is required to respond rapidly in the
1.9.3. Group Fail Safe Switches.
To ensure safe operation, each output from the module is equipped with a series of switches that
provide source power to a group of 8 channels. The module Group Fail Safe Switch (GFSS) is
intended as a final control switch which can de-energise any outputs that cannot be de-energised in the
normal way. For safety, the presence of two or more faults within the module will cause the Group Fail
Safe Switches to de-energise, resulting in all of the outputs in its group to de-energise.
There are three switches in parallel, which comprise the GFSS, one associated with each 'slice' of the
power group. The GFSS’ are controlled via a signal from one of the other two neighbouring slices.
This means that if one slice determines from the output states that an output is not in a de-energised
state when it should be, then it can command its own GFSS and those of the other slices GFSS to deenergise. This results in two of the three elements of the GFSS structure to de-energise, leaving only
one GFSS element energised. If two slices do the same thing then the last GFSS output will deenergise. For example, this would occur if two or more output switch elements fail in a 'stuck-on' state
such that the output cannot de-energise.
The GFSS control signal is generated by a charge pump driven from the comms clock to the slice
power group. If the clock fails then the GFSS bias collapses. This means that even if the ability of the
slice to communicate with a power group is lost, the GFSS can still be de-energised by stopping the
comms clock. If a slice fails, the watchdog on the HIU will time out and reset the slice, this will
shutdown the OFIU power supply and the associated GFSS control signal will also de-energise.
1.10. Input interfaces
Each input channel is provided with three A/D converters which monitor the voltage at the input
connection. Each input is a high impedance channel which measures from 0 to 30 V. If current is to
be measured the input must be conditions with an external resistor. The module uses its TMR
architecture to provide fault tolerance in the event of a hardware failure. No particular dynamic testing
is provided on the inputs because of the continuous dynamic nature of the signal being interfaced and
the duality of the thyristor drives which are providing the input signals.
Issue 09 Apr 10 PD-T8444 16
Trusted
TM
Module T8444
2. Installation
2.1. Module Insertion/Removal
CAUTION:
The module contains static sensitive parts. static handling precautions must be observed. Specifically
ensure that exposed connector pins ARE NOT TOUCHED. Under no circumstances should the
module housing BE REMOVED.
Before installation, visually inspect the module for damage. Ensure that the module housing appears
undamaged and inspect the I/O connector at the back of the module for bent pins. If the module
appears damaged or any pins are bent, do not install the module. Do not try to straighten bent pins.
Return the module for replacement.
Ensure that the module is of the correct type.
Record the module type, revision and serial number of the module before installation.
To install the module:
1. Ensure that the field cable assembly is installed and correctly located.
2. If I/O module keys are used, verify that all keys are installed in the correct positions and
properly seated in their slots.
3. Release the ejector tabs on the module using the release key. Ensure that the ejector tabs
are fully open.
4. Holding the ejectors, carefully insert the module into the intended slot.
5. Push the module fully home by pressing on the top and bottom of the module fascia.
Close the module ejectors, ensuring that they click into their locked position.
The module should mount into the chassis with a minimum of resistance. If the module does not
mount easily, do not force it. Remove the module and check it for bent or damaged pins. If the pins
have not been damaged, try reinstalling the module.
2.2. Field Cable Selection
I/O cables suitable for use with the TrustedTM TMR Pulse Generator and Monitoring Module are
detailed in the following Product Descriptions.
TM
1. PD-TC200 – Trusted
2. PD-TC500 – Trusted
The Product Descriptions detailed above also detail the types of Field Termination Assembly (FTA) or
Versatile Field termination Assembly (VFTA) which may be used with type of module
I/O Companion Slot Cables
TM
I/O SmartSlot Cables
Issue 09 Apr 10 PD-T8444 17
Trusted
TM
Module T8444
2.3. Module Pinout Connections
1 Smart Slot Link C Smart Slot Link B Smart Slot Link A
2
3 Rod 1 Phase C Pwr Group 1 (+) Rod 1 Phase A
4 Rod 1 Phase CC Pwr Group 1 (+) Rod 1 Phase AA
5 Pwr Group 1 Rtn Pwr Group 1 (+) Pwr Group 1 Rtn
6 Rod 1 Gate A Pwr Group 1 (+) Rod 1 Phase B
7 Rod 1 Gate B Pwr Group 1 (+) Rod 1 Phase BB
8
9 Mon Rod 1 Phase C power supply A Pwr Group 2 (+) Mon Rod 1 Phase A power supply A
10 Mon Rod 1 Phase AA power supply A Pwr Group 2 (+) Mon Rod 1 Phase CC power supply A
11 Pwr Group 2 Rtn Pwr Group 2 (+) Pwr Group 2 Rtn
12 Mon Rod 1 Phase A power supply B Pwr group 2 (+) Mon Rod 1 Phase B power supply A
13 Mon Rod 1 Phase CC power supply B Pwr Group 2 (+) Mon Rod 1 Phase BB power supply A
14
15 Mon Rod 2 Phase A power supply A Pwr Group 3 (+) Mon Rod 1 Phase B power supply B
16 Mon Rod 2 Phase CC power supply A Pwr Group 3 (+) Mon Rod 1 Phase BB power supply B
17 Pwr Group 3 Rtn Pwr Group 3 (+) Pwr Group 3 Rtn
18 Mon Rod 2 Phase B power supply A Pwr Group 3 (+) Mon Rod 1 Phase C power supply B
19 Mon Rod 2 Phase BB power supply A Pwr Group 3 (+) Mon Rod 1 Phase AA power supply B
20
21 Mon Rod 2 Phase B power supply B Pwr Group 4 (+) Mon Rod 2 Phase C power supply A
22 Mon Rod 2 Phase BB power supply B Pwr Group 4 (+) Mon Rod 2 Phase AA power supply A
23 Pwr Group 4 Rtn Pwr Group 4 (+) Pwr Group 4 Rtn
24 Mon Rod 2 Phase C power supply B Pwr Group 4 (+) Mon Rod 2 Phase A power supply B
25 Mon Rod 2 Phase AA power supply B Pwr Group 4 (+) Mon Rod 2 Phase CC power supply B
26
27 Rod 2 Phase C Pwr Group 5 (+) Rod 2 Phase A
28 Rod 2 Phase CC Pwr Group 5 (+) Rod 2 PhaseAA
29 Pwr Group 1 Rtn Pwr Group 5 (+) Pwr Group 1 Rtn
30 Rod 2 Gate A Pwr Group 5 (+) Rod 2 Phase B
31 Rod 2 Gate B Pwr Group 5 (+) Rod 2 Phase BB
32
C B A
Table 2 Field Connector Pinout
Issue 09 Apr 10 PD-T8444 18
Trusted
identified below)
TM
Module T8444
2.4. TrustedTM Module Polarisation/Keying.
M
All Trusted
The polarisation comprises two parts. The module and the associated field cable.
Each module type has been keyed during manufacture. The organisation responsible for the
integration of the Trusted
so that they correspond with the bungs fitted to the associated module prior to fitting.
T
Modules have been Keyed to prevent insertion into the wrong position within a chassis.
TM
system must key the cable by removing the keying pieces from the cable
Cable Exit
1
Polarising/Keying
Pins.
(Remove using
side cutters where
Trusted Cable
hood
12
Release button
Smart
Swap
Connector
if Fitted
Figure 5 Module polarisation
For Cables with Companion slot installations both keying strips must be polarised.
For This Module (T8444) remove keying pins 1,7,8
Issue 09 Apr 10 PD-T8444 19
Trusted
TM
Module T8444
3. Application
3.1. Module Configuration
There is no configuration required to the physical module. All configurable characteristics of the
module are performed using tools on the EWS and become part of the application or system.ini file
that is loaded into the TMR Processor. The TMR Processor automatically configures the module after
applications are downloaded and during Active/Standby changeover.
The IEC1131 TOOLSET provides the main interface to configure the module. Details of the
configuration tools and configuration sequence are provided in PD-8082B Trusted
There are three procedures necessary to configure the module. These are:
1. Define the necessary I/O variables for the field data and module status data using the
Dictionary Editor of the IEC1131 TOOLSET.
2. Create an I/O module definition in the I/O Connection Editor for each I/O module. The I/O
module definition defines physical information, e.g. Chassis and Slot location, and allows
variables to be connected to the I/O channels of the module.
M
T
3. Using the Trusted
System Configuration Manager, define custom LED indicator modes,
per-channel default or fail-safe states, and other module settings.
TM
Toolset Suite.
3.2. T8444 Complex Equipment Definition
The T8444 I/O Complex Equipment Definition includes 8 I/O boards, referenced numerically
by Rack number. There are two OEM parameters included in the first rack (DO Board).
These OEM parameters define the primary module position; declaring the module’s chassis
and slot location. There is no need to define the secondary module position within the
IEC1131 TOOLSET. Where systems may be required to start-up with modules in the
secondary position as the active module, e.g. primary module is not installed when
application is started, the secondary module’s position should be declared in the module
definition of the System Configuration Manager.
Rack I/O Board Description Data Type Direction No. of Channels
1 PG_CTRL
2 FIELD Field State Integer In 26
3 PI_CTRL Position Indicator controls Integer Out 12
4 PG_FAULT Pulse Generator faults Boolean In 16
5 LINE_FLT Line Fault Status Boolean In 40
6 DISCREP Channel Discrepancy Integer In 3
7 HKEEPING Housekeeping Registers Integer In 57
8 INFO I/O Module Information Integer In 11
OEM Parameters - - -
Pulse Generator controls Boolean Out 16
Table 3 Complex Equipment Definition
Issue 09 Apr 10 PD-T8444 20
Trusted
TM
Module T8444
OEM Parameter Description Default
TICS_CHASSIS The number of the TrustedTM
Chassis where the Primary I/O
module is installed
TICS_SLOT The slot number in the chassis
where the Primary I/O module
is installed
Value
1 The TrustedTM Controller Chassis is 1, and Trusted
1 The I/O module slots in the TrustedTM Controller
Table 4 OEM Parameters
3.2.1. Rack 1: PG_CTRL
Channel Description
1 JOG control signal for Rod 1
2 RUN control signal for Rod 1
3 IN control signal for Rod 1
4 OUT control signal for Rod 1
5 ROD_TRIP control signal for Rod 1
6 PG_INHIBIT_RESET control signal for Rod 1
7 GD_A_INHIBIT_RESET control signal for Rod 1
8 GD_A_INHIBIT_RESET control signal for Rod 1
9 JOG control signal for Rod 2
10 RUN control signal for Rod 2
11 IN control signal for Rod 2
12 OUT control signal for Rod 2
13 ROD_TRIP control signal for Rod 2
14 PG_INHIBIT_RESET control signal for Rod 2
15 GD_A_INHIBIT_RESET control signal for Rod 2
16 GD_A_INHIBIT_RESET control signal for Rod 2
17 GD_A_INHIBIT_RESET control signal for Rod 2
18 GD_B_INHIBIT_RESET control signal for Rod 2
19 GD_A_INHIBIT control signal for Rod 2
20 GD_B_INHIBIT control signal for Rod 2
Notes
Expander Chassis are 2 to 15
chassis are numbered from 1 to 8. The I/O Module slots
in the TrustedTM Expander Chassis are numbered from
1 to 12
Table 5 Rack 1: PG_CTRL descriptions
Issue 09 Apr 10 PD-T8444 21
Trusted
TM
Module T8444
3.2.2. Rack 2: FIELD
Channel Description
1 Phase A voltage feedback on Motor A of Rod 1
2 Phase B voltage feedback on Motor A of Rod 1
3 Phase C voltage feedback on Motor A of Rod 1
4 Phase AA voltage feedback on Motor A of Rod 1
5 Phase BB voltage feedback on Motor A of Rod 1
6 Phase CC voltage feedback on Motor A of Rod 1
7 Phase A voltage feedback on Motor B of Rod 1
8 Phase B voltage feedback on Motor B of Rod 1
9 Phase C voltage feedback on Motor B of Rod 1
10 Phase AA voltage feedback on Motor B of Rod 1
11 Phase BB voltage feedback on Motor B of Rod 1
12 Phase CC voltage feedback on Motor B of Rod 1
13 Position Indicator value for Rod 1
14 Phase A voltage feedback on Motor A of Rod 2
15 Phase B voltage feedback on Motor A of Rod 2
16 Phase C voltage feedback on Motor A of Rod 2
17 Phase AA voltage feedback on Motor A of Rod 2
18 Phase BB voltage feedback on Motor A of Rod 2
19 Phase CC voltage feedback on Motor A of Rod 2
20 Phase A voltage feedback on Motor B of Rod 2
21 Phase B voltage feedback on Motor B of Rod 2
22 Phase C voltage feedback on Motor B of Rod 2
23 Phase AA voltage feedback on Motor B of Rod 2
24 Phase BB voltage feedback on Motor B of Rod 2
25 Phase CC voltage feedback on Motor B of Rod 2
26 Position Indicator value for Rod 2
Table 6 Rack 2: Field descriptions
Issue 09 Apr 10 PD-T8444 22
Trusted
TM
Module T8444
3.2.3. Rack 3: PI_CTRL
Channel Description
1 RESET control signal for PI for Rod 1
2 PULSER control signal for PI for Rod 1
3 COUNT_UP control signal for PI for Rod 1
4 COUNT_DOWN control signal for PI for Rod 1
5 LOAD control signal for PI for Rod 1
6 NewPosition integer value for PI for Rod 1
7 RESET control signal for PI for Rod 2
8 PULSER control signal for PI for Rod 2
9 COUNT_UP control signal for PI for Rod 2
10 COUNT_DOWN control signal for PI for Rod 2
11 LOAD control signal for PI for Rod 2
12 NewPosition integer value for PI for Rod 2
Table 7 Rack 3: PI_CTRL descriptions
3.2.4. Rack 4: PG_FAULT
Channel Description
1 Missing pulse fault on Motor A of Rod 1
2 Extra pulse fault on Motor A of Rod 1
3 Missing pulse fault on Motor B of Rod 1
4 Extra pulse fault on Motor B of Rod 1
5 <2 or >3 phases on fault on Rod 1
6 Pulse Generator inhibit on Rod 1
7 Gate Drive A inhibit on Rod 1
8 Gate Drive B inhibit on Rod 1
9 Missing pulse fault on Motor A of Rod 2
10 Extra pulse fault on Motor A of Rod 2
11 Missing pulse fault on Motor B of Rod 2
12 Extra pulse fault on Motor B of Rod 2
13 <2 or >3 phases on fault on Rod 2
14 Pulse Generator inhibit on Rod 2
15 Gate Drive A inhibit on Rod 2
16 Gate Drive B inhibit on Rod 2
Table 8 Rack 4: PG_Fault descriptions
Issue 09 Apr 10 PD-T8444 23
Trusted
TM
Module T8444
3.2.5. Rack 5: Line_Flt
Channel Description
1 Field output channel 1 line fault
2 Field output channel 2 line fault
40 Field output channel 40 line fault
Table 9 Rack 5: Line_Flt descriptions
The line fault input state is reported as true (logic ‘1’) for a line fault condition (open circuit, short circuit, and no
field supply voltage). The logic state is the majority voted value.
3.2.6. Rack 6: Discrep
Channel Description
1 Discrepancy status outputs 1 to 16 (output 1 is LSB)
2 Discrepancy status outputs 17 to 32 (output 17 is LSB)
3 Discrepancy status outputs 33 to 40 (output 33 is LSB)
Table 10 Rack 6: Discrepancy descriptions
Each of the words reports the discrepancy status of 16 output channels. The corresponding bit within the word is
set to ‘1’ when a discrepancy condition is detected on that output channel’s output state (rack 2).
Issue 09 Apr 10 PD-T8444 24
Trusted
Description
FCR
Units (Full Scale Range)
1A2B3
C
4A5B6
C
7A8B9
C
10A11B12
C
13A14B15
C
16A17B18
C
19A20B21
C
22A23B24
C
25A26B27
C
28A29B30
C
31A32B33
C
34A35B36
C
37A38B39
C
40A41B42
C
43A44B45
C
46A47B48
C
49A50B51
C
52A53B54
C
55A56B57
C
TM
Module T8444
3.2.7. Rack 7: Housekeeping
Channel
24V2 Output Voltage -32768 32767 mV
Internal supply voltage (post regulator) -32768 32767 mV
Internal supply current (post regulator) 0 65535 mA
Output voltage (post isolation) -32768 32767 mV
24V1 Output Voltage -32768 32767 mV
HIU Board Temperature
(Note: Temperature, ºC = input value / 256)
Front Panel Load Current 0 65535 mA
SmartSlot Link Voltage -32768 32767 mV
FIU Output Group 1 Field Supply Voltage -32768 32767 mV
FIU Board Temperature, Output Group 1
(Note: Temperature, ºC = input value / 256)
FIU Output Group 2 Field Supply Voltage -32768 32767 mV
FIU Board Temperature, Output Group 2
(Note: Temperature, ºC = input value / 256)
FIU Output Group 3 Field Supply Voltage -32768 32767 mV
FIU Board Temperature, Output Group 3
(Note: Temperature, ºC = input value / 256)
-32768 32767 -
-32768 32767 -
-32768 32767 -
-32768 32767 -
Issue 09 Apr 10 PD-T8444 25
FIU Output Group 4 Field Supply Voltage -32768 32767 mV
FIU Board Temperature, Output Group 4
(Note: Temperature, ºC = input value / 256)
FIU Output Group 5 Field Supply Voltage -32768 32767 mV
FIU Board Temperature, Output Group 5
(Note: Temperature, ºC = input value / 256)
Diagnostic error code
-32768 32767 -
-32768 32767 -
Table 11 Rack 7: Housekeeping descriptions
Trusted
Each input within the housekeeping rack is reported as an integer. In general, the application engineer will not
normally require these inputs. They are provided to aid fault finding and diagnosis and may be used for reporting
and display purposes.
TM
Module T8444
3.2.8. Rack 8: INFO
Channel Description
1 Active Module chassis number
2 Active Module slot number
3 Active Module Healthy
4 Active Module Mode
5 Standby Module Chassis Number
6 Standby Module Slot Number
7 Standby Module Healthy
8 Standby Module Mode
9 FCR Status
10 Primary module is active
11 Active module is simulated
Table 12 Rack 8: INFO descriptions
The active module chassis and slot numbers indicate the position of the currently active module.
These values will change to match the primary or secondary module position, depending on their active
status, i.e. active/standby changeover will “swap” the values for the active module chassis and slot
number channels with those in the standby module chassis and slot number channels. The chassis
and slot numbers are set to zero if the module is not present.
3.3. SYSTEM.INI File Configuration
There are many operating characteristics of the module that can be customised for a particular
application. The System Configuration Manager is a tool that allows the user to configure the specific
operating characteristics for each module. Descriptions of the items that may be configured for the
Trusted
Certain characteristics apply to the entire module and are considered Module Configurable Items.
Other characteristics apply to individual output channels and are considered Channel Configurable
Items. There are specific default settings for each of the configurable items. If the default settings are
appropriate for a given application, then customisation of the module definition in the System
Configuration Manager is not required.
TM
Pulse Generator and Monitoring Module T8444 are contained in PD-8082B.
Issue 09 Apr 10 PD-T8444 26
Trusted
TM
Module T8444
4. Operation
4.1. Front Panel
Status indicators on the front panel of the module provide visual indications of the module’s operational
status and field status. Each indicator is a bicolour LED. Located at the top and bottom of each
module is an ejector lever that is used to remove the module from the chassis. Limit switches detect
the open/closed position of the ejector levers. The ejector levers are normally latched closed when the
module is firmly seated into the Controller or Expander Chassis.
Module
Removal
Latch
Module
Status LEDs
Channel
Status LEDs
Module
Removal
Latch
Figure 6 Module Front Panel
Issue 09 Apr 10 PD-T8444 27
Trusted
TM
Module T8444
4.2. Module Status LEDs
There are six module status indicators on the module front panel: three Healthy, one Active, one
Standby, and one Educated. The Healthy indicators are controlled directly by each module slice. The
Active, Standby, and Educated indicators are controlled by the FPU. The FPU receives data from
each of the module slices. The FPU performs a 2-oo-3 vote on each data bit from the slices and sets
the indicators accordingly.
The module status indicator modes and their meanings are described as follows:
INDICATOR STATE DESCRIPTION
Healthy Off No power applied to the module.
Amber Slice is in the start-up state (momentary after
installation or power-up)
Green Slice is healthy.
Red – flashing Fault present on the associated slice but the slice is still
operational.
Red (momentary) On installation – power applied to the associated slice.
Red The associated slice is in the fatal state. A critical fault
has been detected and the slice disabled..
Active Off Module is not in the Active state.
Green Module is in the Active (or Maintain) state.
Red – flashing Module is in the shutdown state if the Standby LED is
off.
Red – flashing Module is in the fatal state if the Standby LED is also
flashing.
Standby Off Module is not in the Standby state.
Green Module is in the Standby state.
Red – flashing Module is in the fatal state. The Active LED will also be
flashing red.
Educated Off Module is not educated.
Green Module is educated.
Green – flashing Module is recognised by the Processor but education is
not complete.
Amber - Flashing Active/standby changeover in progress
Table 13 Module Status Indicators
Issue 09 Apr 10 PD-T8444 28
Trusted
TM
Module T8444
4.3. I/O Status LEDs
There are 40 channel status indicators on the module front panel, one for each field input/output.
These indicators are controlled by the FPU. The FPU receives data from each of the module slices.
The FPU performs a 2-oo-3 vote on each data bit from the slices and sets the indicators accordingly.
The input/output status indicator mode is dependent upon the numerical state of the channel. Each
state can be defined to have a particular indicator mode: off, green, red, flashing green, or flashing red.
The configurable indicator modes allow users to customise the status indications to suit individual
application requirements. Without customisation, the default indicator modes are suitable for damper
control installations as described below. Each channel is provided with a Bicolour Led. The channel
LED’s illuminate as follows.
4.3.1. Outputs and Gate Outputs
Function Off Green
Output off no
faults
Output Off with
Module Fault
Output Off with
field Fault
Output off with
Module and
Field Fault
Output on No
Faults
Output On with
Module Fault
Output On with
Field Fault
Output on with
Module and
field Fault
Yes Not
Yes Not
Not
Not
Not
Not
Not
Not
Steady
allowed
allowed
allowed
allowed
allowed
allowed
allowed
allowed
Green
Flash
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Red
Steady
Slice LED’s Green
Slice LED’s Red
Yes Slice LED’s Green
Yes Slice LED’s Red
Yes Slice LED’s Green
Yes Slice LED’s Red
Yes Slice LED’s Green
Yes Slice LED’s Red
Red
Flash
Amber
Steady
Amber
Flash
Note
Table 14 Default I/O Status Indicators
Issue 09 Apr 10 PD-T8444 29
Trusted
TM
Module T8444
4.3.2. Feedback Inputs
Function Off Green
Input off no
faults
Input off with
Module fault
Input off with
Field Fault
Input Off with
Module and
Field Fault
Input On no
Fault
Input on with
Module fault
Input on with
Field Fault
Input on with
both Module
and field fault
Yes Not
Yes Not
Not
Not
Yes Not
Yes Not
Not
Not
Steady
Green
Flash
Red
Steady
allowed
allowed
allowed
allowed
allowed
allowed
allowed
allowed
Red Flash Amber
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Not
allowed
Steady
Slice LED’s
Slice LED’s Red
Yes Slice LED’s
Yes Slice LED’s Red
Slice LED’s
Slice LED’s Red
Yes Slice LED’s
Yes Slice LED’s Red
Amber
Flash
Notes
Green
Green
Green
Green
Table 15 Feedback Inputs
Note: The LEDs indicating channel status may be configured to suit user requirements by
implementing the procedure for configuring the System.INI file detailed in PD-8082B.
Issue 09 Apr 10 PD-T8444 30
Trusted
TM
Module T8444
4.4. Output and Input separation/Channel allocation
The Module has 6 pulse outputs 12 pulse inputs and 2 control signals per motor drive. The output
module has 5 power groups protected by Group Fail safe switches. In order to minimise the effect of a
single group failure the I/O is segregated as shown below.
Power
Group
1 1 Rod 1 Phase A 3 21 Mon Rod 2 Phase A power supply A
1 2 Rod 1 Phase CC 3 22 Mon Rod 2 Phase CC power supply A
1 3 Rod 1 Phase B 3 23 Mon Rod 2 Phase B power supply A
1 4 Rod 1 Phase BB 3 24 Mon Rod 2 Phase BB Power supply A
1 5 Rod 1 Phase C 4 25 Mon Rod 2 Phase C power supply A
1 6 Rod 1 Phase AA 4 26 Mon Rod 2 Phase AA power supply A
1 7 Rod 1 Gate A 4 27 Mon Rod 2 Phase A power supply B
1 8 Rod 1 Gate B 4 28 Mon Rod 2 Phase CC Power supply B
2 9 Mon Rod 1 Phase A
2 10 Mon Rod 1 Phase CC
2 11 Mon Rod 1 Phase B
2 12 Mon Rod 1 Phase BB
2 13 Mon Rod 1 Phase C
2 14 Mon Rod 1 Phase AA
2 15 Mon Rod 1 Phase A
2 16 Mon Rod 1 Phase CC
3 17 Mon Rod 1 Phase B
3 18 Mon Rod 1 Phase BB
3 19 Mon Rod 1 Phase C
3 20 Mon Rod 1 Phase AA
Channel Function Power
Group
4 29 Mon Rod 2 Phase B power supply B
power supply A
4 30 Mon Rod 2 Phase BB power supply B
power supply A
4 31 Mon Rod 2 Phase C power supply B
power supply A
4 32 Mon Rod 2 Phase AA Power supply B
Power supply A
5 33 Rod 2 Gate A
power supply A
5 34 Rod 2 Gate B
power supply A
5 35 Rod 2 Phase A
power supply B
5 36 Rod 2 Phase CC
Power supply B
5 37 Rod 2 Phase B
power supply B
5 38 Rod 2 Phase BB
power supply B
5 39 Rod 2 Phase C
power supply B
5 40 Rod 2 Phase AA
Power supply B
Channel Function
Table 16 I/O separation/Channel allocation
Issue 09 Apr 10 PD-T8444 31
Trusted
TM
Module T8444
5. Fault Finding and Maintenance
5.1. Fault Reporting
Module faults are reported to the user through visual indicators on the front panel of the module and
through status variables which may be automatically monitored in the application programs and
external system communications interfaces. There are generally two types of faults that must be
remedied by the user: external wiring and module faults. External wiring faults require corrective action
in the field to repair the fault condition. Module faults require replacement of the module.
5.2. Field Wiring Faults
By measuring the channel voltage and current, the module automatically detects field-wiring and load
faults. When a field signal fails open circuit, short circuit or there is no field supply voltage connected,
the status indicator will display the configured LED mode and the line fault status for that channel will
be set to ‘1’. All other channels will be unaffected, except in the case of common cause wiring and
supply voltage faults in the field.
The field voltage and current variables can be monitored to determine the actual operating conditions
of each channel. This additional information assists the user in determining the specific type of wiring
fault.
Once the specific field-wiring fault has been identified and corrected, the status variables and status
indicator will display the normal on/off status of the field device.
5.3. Module Faults
Extensive diagnostics provide the automatic detection of module faults. The TMR architecture of the
module and the diagnostics performed ensure the validity of all critical circuits. Using the TMR
architecture provides a Fault Tolerant method to withstand the first fault occurrence on the module and
continue normal control without interruption in the system or process. Faults are reported to the user
through the Healthy status indicators on the front panel of the module and through the INFO and
HKEEPING variables. Under normal operations all three Healthy Indicators are green. When a fault
occurs, one of the Healthy Indicators will be flashing red. It is recommended that this condition is
investigated and if the fault is within the module, it should be replaced .
Issue 09 Apr 10 PD-T8444 32
Trusted
TM
Module T8444
5.4. Companion Slot
M
For a Companion Slot configuration, two adjacent slots in a Trusted
same input module function. One slot is the primary slot and the other a unique secondary (or spare)
slot. The two slots are joined at the rear of the Trusted
TM
Chassis with a double-wide I/O Interface
T
Chassis are configured for the
Cable that connects both slots to common field wiring terminations. During normal operations, the
primary slot contains the active module as indicated by the Active indicator on the front panel of the
module. The secondary slot is available for a spare module that will normally be the standby module
as indicated by the Standby indicator on the front panel of the module.
Depending on the installation, a hot-spare module may already be installed, or a module blank will be
installed in the standby slot. If a hot-spare module is already installed, transfer to the standby module
occurs automatically if a module fault is detected in the active module. If a hot spare is not installed,
the system continues operating from the active module until a spare module is installed.
5.5. SmartSlot
For a SmartSlot configuration, the secondary slot is not unique to each primary slot. Instead, a single
secondary slot is shared among many primary slots. This technique provides the highest density of
modules to be fitted in a given physical space. At the rear of the Trusted
Cable connects the secondary slot directly to the I/O Cable connected to the failed primary module.
With a spare module installed in the SmartSlot and the SmartSlot I/O Cable connected to the failed
primary module, the SmartSlot can be used to replace the failed primary module.
Output module Smart Slot jumper cable TC-308-02
Smart Slot between chassis can be performed if the chassis are version 2 (or higher). These have the
connector fitted to enable connection of a TC-006 that ensures the 0 Volt of each chassis is at the
same potential.
TM
Chassis, a single-wide I/O
5.6. Cold Start
If an I/O module has shut down (due, for example, to two existing faults), the three Healthy LEDs will
be red, the Active and Standby LEDs will be flashing red and the Educated LED will be flashing amber.
The I/O functions provided by this module will have been lost if a hot swap partner has not taken over
control. The module can only be restarted by removing it from its slot and re-inserting it.
If an I/O module is inserted into a functional system slot which previously had no active module (e.g.
removing and reinserting as above), then the processor will educate the module once it has booted.
Once educated, the Educated LED will be steady green and the Active LED will be red flashing.
Input modules will now be reading and reporting their inputs. Output modules have not yet energised
their outputs. To activate outputs and to set the module’s Active LED and the processor’s System
Healthy LED steady green, press the processor Reset pushbutton.
Issue 09 Apr 10 PD-T8444 33
Trusted
the secondary, I/O module location for
each I/O module pair. Each primary module location must be unique and is defined as
. Secondary
ltiple secondary modules and are
defined within the module’s section within the System.INI file. The system will
automatically determine the secondary module position if the primary module is installed
module is installed, it will become the active module by
default. If the secondary module has been defined within the System.INI file and no
primary module is present, and if the secondary module location is unique, the
tive module by default. If the secondary module is
installed with no primary module present, and the secondary module location is not
unique (as in a SmartSlot configuration), then NO module for that module pair will
o become the active module, the TMR Processor will verify that
the module is the correct I/O module type and that both Module Removal levers (and
hence micro switches) are closed. At this point the I/O module is configured and
When a fault occurs on the active module, the TMR Processor will be informed. Once it
becomes aware of the fault, the TMR Processor will attempt an active/standby
by changeover starts with the TMR Processor checking to see if a
standby I/O module is installed. If no standby I/O module is available, the TMR
Processor will continue to utilise the active module and will continue to check for an
odule. Once a standby module is found, the TMR Processor will
verify that the I/O module is of the correct type, that both Module Removal switches are
closed, and that the I/O module is a part of the correct module pair by using the
is point, the TMR Processor will configure the standby I/O module
with the same configuration information as the currently active I/O module and place the
standby I/O module into the standby state. The active module is then placed in the
hich suspends field loop testing), and any module specific changeover
data is transferred. The educated light flashes amber before the active/standby
changeover takes place, to indicate transfer of dynamic change over data (COD). The
ule then becomes the active module and the original module
becomes standby. If the currently active module does not successfully complete the
tests, the TMR Processor will revert it to the standby state, and the module in the
When both Module Removal switches are opened on an active module, regardless of the
module fault status, the TMR Processor will treat it as a request to perform an
TM
Module T8444
5.7. Transfer between Active and Standby Modules
The TMR Processor is responsible for managing a pair of I/O modules through an active/standby
changeover. The following rules apply to active/standby changeovers, though the TMR Processor and
not the I/O module enforce them:
• The user must define the primary, and optionally
part of the complex equipment definition within the IEC1131 TOOLSET
module locations can be unique or shared between mu
and is operable.
• On initial start-up, if the primary
secondary module will become the ac
become active.
• In order for a module t
eventually placed in the active state.
• A module in the active state should never be removed.
•
changeover.
• An active/stand
available standby I/O m
SmartSlot link. At th
maintain state (w
previous standby mod
selfmaintain state will revert back to the active state.
•
active/standby changeover.
Under normal conditions, an active/standby changeover will only occur if the new active module is
fault-free. Under some circumstances, it is desirable to be able to force a changeover to a known
faulted module. This can be accomplished by opening the Module Removal switches on the currently
active module and pressing the push-button reset on the TMR Processor. This will force the
changeover to proceed even if the new active module is not fault free
Issue 09 Apr 10 PD-T8444 34
Trusted
TM
Module T8444
6. Technical specification
6.1. Introduction
The Pulse Generator and Monitoring module is required to be high integrity but it is not in itself
intended to be a safety system.
The design concept maintains the advantages of TMR systems while retaining a simple
implementation of a Damper Rod control system by the use of redundant paths.
The PG/M generates a series of waveforms which rotate a stepper motor in either a clockwise or anti
clockwise direction. The phasing of the outputs determines the direction of rotation while the frequency
determines the speed.
Figure 7 PG/M Functional Block Diagram
Issue 09 Apr 10 PD-T8444 35
Trusted
TM
Module T8444
6.2. Phase Rotation
PHASE 1 _|WWWWW|_______|WWWWW|_______|WW
PHASE 2 ___|WWWWW|_______|WWWWW|_______|
PHASE 3 _____|WWWWW|_______|WWWWW|______
PHASE 4 _______|WWWWW|_______|WWWWW|____
PHASE 5 WW|_______|WWWWW|_______|WWWWW|__
PHASE 6 WWWW|_______|WWWWW|_______|WWWWW|
TIME
T
2
| T
| T
TIME
T
1
FREQ. 1
(1.33 HZ)
FREQ. 2
(13.3 HZ)
NOTE : TIMING IS SHOWN FOR CLOCKWISE ROTATION OF STEPPING MOTOR.
FOR COUNTER-CLOCKWISE ROTATION PHASE 6 WOULD LEAD PHASE 5 WHICH WOULD
LEAD PHASE 4
437.5 MS 312.5 MS 125.0 MS
43.75 MS 31.25 MS 12.5 MS
1
2
| T3|
TIME
T
3
Issue 09 Apr 10 PD-T8444 36
Trusted
TM
Module T8444
6.3. Fail Safe actions
This is not a safety system. Other equipment must be supplied for removing the power from the motor
drive circuits in an emergency. Fail safe action in this case is to maintain control of the rods whenever
possible even if a fault is detected in the control Module. For example a slice fault will be logged and
annunciated to the Trusted
This is not a safety critical design and has been classified as Sil0 however it can reside in a system
which is capable of maintaining AK6 on some of its signals.
M
T
controller but it will not result in the module entering the “Fatal” state.
6.4. Internal testing and Monitoring
Maintaining control of the Damper Rods/Stepper Motors is the primary aim of this system. Fail danger
faults detected by any diagnostics do not lead to the module releasing the Damper rods except in the
manner specified in Framatome Spec 08-5011407-00.
Monitoring which detects faults provides alarm indication but unless totally unavoidable does not
release control of the damper rods.
6.5. Thyristor Driver interfaces/Stepper Motor Drives
6.5.1. Module Start up
When a module is powered up it will maintain all outputs Off. Gate signals will be off and Output
Drives will be off.
TM
The education process is automatic and follows the Trusted
Once the boot and education sequence is complete the module will turn on Outputs A and B for each
Motor. The fault detection will operate and the fault bits will be determined depending upon the field
state.
The Gate drives will remain latched until commanded to reset by the application program.
Should the motor poll pieces not be aligned with A&B it is assumed that a recovery procedure will be
initiated by the application to engage the threaded rod.
After a successful start the Position counters will be set to Zero. This value can be amended using the
INI file if required.
Should a module detect a problem with booting and education the start up will be aborted and the
module will not energise any of its outputs. Restart will be by removal and re insertion of the module.
standard procedure.
6.5.2. Minimum output Load
The Pulse Generator and Monitoring Module requires a minimum current to be drawn from each
energised output. If the load to which it is connected is not sufficient. It is suggested that the
termination resistor of 500Ohms should be fitted
6.5.3. Input Termination Resistance
Input circuits accept 0 to 10V analogue values. Circuits which are interfacing to 4 to 20mA signals
should be conditioned with a 500 Ohm resistor.
Issue 09 Apr 10 PD-T8444 37
Trusted
TM
Module T8444
6.6. Operation with one thyristor driver removed
The Pulse Generator and Monitoring Module interfaces to two Thyristor drivers from each channel.
The design is such that each channel can operate with one thyristor driver removed. Loss of feedback
from both thyristor drivers of one rod does not affect control of any other rods.
6.7. Detection of a missing pulse
Detection of a missing pulse is primarily intended to detect a failed thyristor in an otherwise working
driver this is found by detecting a dip in the DC waveform.
Normal Waveform
Missing Phase
Missing Pulse
6.8. Detection of an extra pulse
If an extra pulse is generated this will be caused by a faulty firing of a thyristor.
Normal Waveform
Shorted Gate Pattern
Issue 09 Apr 10 PD-T8444 38
Trusted
TM
Module T8444
6.9. Detection of a short/ long pulse
Deviation of pulse length is detected. This is performed by a window detector should a pulse
feedback start late or complete early a fault is indicated. The fault detection window is
15mS.
Initiating Pulse
Feedback Pulse
Acceptable
window
Normal Waveform
The window for short and long pulse width is 15mS. Under normal operation if the input is removed
when an AC phase had just started, the SCR would continue to conduct until the AC phase crossed
the 0V line again. Worst case could be close to 8ms.
Acceptable
Window
Input Removed
8mS
Output
Off
6.10. Analogue Feedback out of limits
No specific high or low limits are set. Failure of the transmitter is detected by the detection of a
missing or extra pulse, so no thresholding other than the detection of the presence of a pulse and
missed firings is needed.
6.11. Motor Voltage Monitoring
The Average level of the feedback pulse provides a measure of the voltage being applied to the motor.
This level is sampled once per pulse to determine that it is within specification.
Issue 09 Apr 10 PD-T8444 39
Trusted
TM
Module T8444
6.12. Inference of Position from Motor Pulses
Position is inferred by counting the number of pulses generated by the module (not the number of
Pulses fed back from the motor drivers). All 6 phases are be used to operate the counter. The counter
counts up when the Rod is withdrawn and down when the Rod is inserted. A count of Zero is expected
to be with the rod at rest and fully inserted.
6.13. Number of Pulses for a full transition of a rod from End to End
In one installation each rod is required to move slightly less than 12 feet. For the purposes of the
calculation we will utilise 12 feet. Each rotation of the motor moves the rod 0.75 Inches ergo 192
rotations moves the rod from end to end. Each rotation of the rod requires 2 pulses from each output
therefore each output must pulse 192*2 times = 384 Therefore if all pulses are counted the total will be
384*6 = 2304 pulses.
Because of potential position registration errors the Counter has been configured so that it can count
above the expected maximum and below Zero. The maximum count values are +32767 to –32768.
The actual values which represent 0 to 100% movement are specific to each application and must be
calculated from the mechanics of the Rod and motor system.
6.14. Synchronisation/External timing
No effort is made to synchronise signals between motors.
6.15. Setting of Count Position
Two methods exist for zeroing the rod position counter. The counter can be manually incremented or it
can be preset to a particular value from the Trusted
Position
Manual increments can be made by jogging the displayed position up or down under control of the
Trusted
matrix which would request “Jog up” or “Jog down”. The application then passes this command on to a
selected channel in a selected module and causes the position count to increment or decrement.
Alternatively a position register can be set up in the Trusted
PGM in a single action.
Zero/Reset
The counter can be caused to Zero/Reset by the application of a signal from the Trusted
As with incrementing the position this control is expected to be from a MMI of some sort via the
Trusted
TM
application. Typically the application would receive an input from a switch on the control
TM
application.
TM
application.
TM
controller which can be loaded to the
TM
application.
6.16. Analogue Input Discrepancy
Detected on a per channel basis if one or more slices’ analogue values deviate outside a preset
window for more than a set number of samples.
6.17. Output 2-oo-3 error
Detected by loss of current flow in one slice when commanded on.
Issue 09 Apr 10 PD-T8444 40
Trusted
TM
Module T8444
6.18. Module Temperature Measurement
Temperature measurements are made on the module for general monitoring purposes. These are
indicative only and are not intended to provide accurate temperature readings.
6.19. Diagnostics
M
Wherever possible the Trusted
of the design these have been modified so as not to escalate any failures to a position which would
result in a rod motor being de energised. The module has however been supplied with an application
interface which can cause the outputs to shutdown and de-energise if required.
Items such as loss of communication between the module and the Main Processor will result in a
degradation process which maintains the outputs in the last controlled state where ever possible (3-2Maintain last state).
T
standard diagnostics have been maintained. Because of the nature
Issue 09 Apr 10 PD-T8444 41
Trusted
TM
Module T8444
6.20. FTA Output Schematic
Output
Switch
24V
Field
Output
Burden
Resitor
Feedback
Monitoring
Module Field Termination Assembly
To Thyristor
Unit
0V Field
Figure 8 Field Termination Output Schematic
Issue 09 Apr 10 PD-T8444 42
Trusted
TM
Module T8444
6.21. FTA Input Schematic
Figure 9 Field Termination Input Schematic
Issue 09 Apr 10 PD-T8444 43
Trusted
TM
Module T8444
7. Specifications
System Supply Voltage 20-32Vdc
Circuit Type Fault tolerant, fully triplicated with optional
line monitoring
Number of Channels 40 Channels
Independent Power Groups 5 each of 8 outputs
Operational Output/Field Voltage Range 18 to 60V dc
Output Voltage
Measurement Range 0 to 60V dc
Maximum Withstanding -1 to 60V dc
Output Current Rating (Continuous) 0.75A per channel
Minimum On State Load Current 25mA
Output Off State Resistance (effective
leakage)
Maximum capacitance Pre release 3.5: 30-55uF
Output On State resistance 0.6L
Output Short Circuit Protection Electronic (latching)
Channel to Channel Crosstalk >-40dB
Output Short Circuit Protection Automatic
Input Measurement Range -20 to +28V Limited by A/D range.
Input Impedance 50K ohms
Power Consumption
Field Supply (1A per channel)
System Supply (24V)
Field Common Isolation
Sustained Working
Maximum Withstanding
Output Turn-on/off Delay 1.0ms
Sample Update Time 1.0ms
Sequence of Events
Event Resolution
Self-Test Interval 2 minutes
Intrinsic Safety External barrier
Operating Temperature
Non-operating Temperature
Temperature change 0.5ºC/min
Operating Humidity 5 – 95% RH non-condensing
Environmental Specifications Refer to Document 552517
Dimensions
Height
Width
Depth
Weight 1.285kg (2.8lbs)
limited to 6A per power group
33kL
Release 3.5: at least 2800uF
24W Dissipated in field device
22W Dissipated in the module
±250V dc
±2.5kV dc
1ms
-5°C to 60°C (23°F to 140°F)
-25°C to 70°C (-13°F to 158°F)
266mm (10.5ins)
31mm (1.2ins)
303mm (12ins)
Issue 09 Apr 10 PD-T8444 44
Trusted
TM
Module T8444
This page is intentionally blank
Issue 09 Apr 10 PD-T8444 45
Loading...