Switch diagnostics, Short circuit protection issues, Group fail safe switches – Rockwell Automation T8449 Trusted TMR 24V dc Valve Monitor Module - 40 Channel User Manual

Page 14: Control / feedback circuits


Trusted™ Module T8449, Issue 13 Apr 10, PD-T8449, Page 14

1.9.1. Switch Diagnostics

During normal operation, Switch 1 and Switch 2 are maintained on. In this state, Switch 1 and Switch 2
exhibit less than 0.5 ohms of resistance each.

To determine the ability of the system to control the load via Switch 1 and Switch 2, their gate voltages
are modulated, one at a time. As the gate voltages are modulated, the monitoring signals
synchronously change in a predictable fashion. The local DSP analyses the relative amplitude and
phase of these small AC signals, to determine the on resistance and threshold voltages of each switch.

The current to the load does not need to be completely interrupted in order to obtain a level of
confidence in the ability of the transistors to turn off. For the TMR switch configuration in the on state,
only one fail-safe switch at a time needs to be modulated, while the other two bear the load current.

1.9.2. Short Circuit Protection Issues

In a fuse-free design such as in the Trusted™, the module is required to respond rapidly in the event of
an over-current or over-power situation. In fact, this protection scheme offers advantages over fuses in
both automatic recovery and speed of action.

The topology of the channel provides a natural limit to the instantaneous current flow, giving the
module time to respond. Furthermore, the over-current protection circuitry is inherently self-testable,
since the threshold can be a programmable value.

The P-channel architecture of Switch 1 and Switch 2 utilises an open-drain output structure. Under
short-circuit conditions the maximum instantaneous current with a 24V field voltage is naturally limited
to less than 5A per channel. This is because high output currents cause the gate-source voltages of
the two transistors to be reduced, tending to turn them off.

The output current is monitored by the DSP, and sustained over-current conditions result in a latched
over-current condition and de-energise the associated output. After removing the fault condition, the
latched over-current condition can be reset by either pressing the system fault reset button or turning
off the logical output signal to the module. The output also includes a non-replaceable fusible link for
absolute protection.

1.9.3. Group Fail Safe Switches

To ensure safe operation, the output module is equipped with a series of switches which provide
source power to a group of 8 channels. The output module Group Fail Safe Switch (GFSS) is intended
as a final control switch which can de-energise any outputs that cannot be de-energised in the normal
way. For safety, the presence of two or more faults within the output module will cause the Group Fail
Safe Switches to de-energise, causing all of the outputs in its group to de-energise.

There are three switches in parallel which comprise the GFSS, one associated with each 'slice' of the
power group. The GFSSs are controlled via a signal from one of the other two neighbouring slices.
This means that if one slice determines from the output states that an output is not in a de-energised
state when it should be, then it can command its own GFSS and those of the other slices to
de-energise. This results in two of the three elements of the GFSS structure de-energising, leaving only
one GFSS element energised. If two slices do the same thing, then the last GFSS output will
de-energise. For example, this would occur if two or more output switch elements fail in a 'stuck-on' state
such that the output cannot de-energise.

The GFSS control signal is generated by a charge pump driven from the comms clock to the slice
power group. If the clock fails, then the GFSS bias collapses. This means that even if the ability of the
slice to communicate with a power group is lost, the GFSS can still be de-energised by stopping the
comms clock. If a slice fails, the watchdog on the HIU will time out and reset the slice; this will
shut down the OFIU power supply, and the associated GFSS control signal will also de-energise.
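
The GFSS behaviour described in this section can be checked exhaustively with a small model. This is an added example, not code or a circuit description from the manual. The slice names A/B/C and the wiring (each GFSS element needs bias from its own slice and from one neighbouring slice) are assumptions chosen to reproduce the stated behaviour.

```python
from itertools import product

SLICES = ("A", "B", "C")  # hypothetical slice names


def gfss_elements(trip, clock_ok):
    """Return {slice: energised?} for the three parallel GFSS elements.

    trip[s]     -- slice s commands de-energise (it saw an output stuck on)
    clock_ok[s] -- comms clock of slice s is running, so its charge pump has bias
    Assumed wiring: element i stays on only while its own slice AND the next
    slice both keep supplying bias.
    """
    def supplies_bias(s):
        # A stopped clock collapses the bias exactly like an explicit trip.
        return clock_ok[s] and not trip[s]

    state = {}
    for i, own in enumerate(SLICES):
        neighbour = SLICES[(i + 1) % 3]
        state[own] = supplies_bias(own) and supplies_bias(neighbour)
    return state


def group_powered(trip, clock_ok):
    # The elements are in parallel: one energised element still feeds the group.
    return any(gfss_elements(trip, clock_ok).values())


def truth_table():
    """All 64 trip/clock combinations as (slices_withdrawn, elements_on, powered)."""
    rows = []
    for bits in product((False, True), repeat=6):
        trip = dict(zip(SLICES, bits[:3]))
        clock_ok = dict(zip(SLICES, bits[3:]))
        withdrawn = sum(trip[s] or not clock_ok[s] for s in SLICES)
        elements_on = sum(gfss_elements(trip, clock_ok).values())
        rows.append((withdrawn, elements_on, group_powered(trip, clock_ok)))
    return rows


if __name__ == "__main__":
    for row in sorted(set(truth_table())):
        print("slices withdrawn=%d  elements on=%d  group powered=%s" % row)
```

One slice withdrawing bias, by command or by a stopped clock, leaves a single element energised and the group powered; two or more slices remove power from the group.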

1.10. Control / Feedback circuits

Like the TMR 24Vdc Digital Output module, the TMR 24Vdc Valve Monitor module has 5 groups with 8
output circuits each, for a total of 40 output channels. Only 20 of the channels (4 per power group) are
