Group fail safe switches, Trusted, Module t8480 – Rockwell Automation T8480 Trusted TMR Analogue Output Module - 40 Channel User Manual
Page 15
Trusted
TM
Module T8480
Issue 13 Apr 10
PD-T8480
15
Note that short circuits are not considered to be a fault condition for an analogue current output
channel such as provided by this module. The module is designed to drive 20 mA indefinitely into 0
volts. The channel voltages are provided to the application, where such a fault determination may be
made if it is required.
1.9.2. Group Fail Safe Switches
To ensure safe operation, the output module is equipped with a series of switches that provide source
power to a group of 8 output channels. The output module Group Fail Safe Switch (GFSS) is intended
as a final control switch which can de-energise any outputs that cannot be de-energised in the normal
way. For safety, the presence of two or more faults within the output module will cause the Group Fail
Safe Switches to de-energise, resulting in all of the outputs in its group to de-energise.
There are three switches in parallel, which comprise the GFSS, one associated with each 'slice' of the
power group. The GFSS’ are controlled via a signal from one of the other two neighbouring slices.
This means that if one slice determines from the output states that an output is not in a de-energised
state when it should be, then it can command its own GFSS and those of the other slices GFSS to de-
energise. This results in two of the three elements of the GFSS structure to de-energise, leaving only
one GFSS element energised. If two slices do the same thing then the last GFSS output will de-
energise. For example, this would occur if two or more output switch elements fail in a 'stuck-on' state
such that the output cannot de-energise.
The GFSS control signal is generated by a charge pump driven from the comms clock to the slice
power group. If the clock fails then the GFSS bias collapses. This means that even if the ability of the
slice to communicate with a power group is lost, the GFSS can still be de-energised by stopping the
comms clock. If a slice fails, the watchdog on the HIU will time out and reset the slice, this will
shutdown the OFIU power supply and the associated GFSS control signal will also de-energise.