Rockwell Automation T3488/T3488A ICS regent Monitored Guarded Output Modules User Manual
Page 3
Monitored Guarded Output Modules (T3481/81A, 84 and 88/88A)
P D - 6 0 3 3 M a r - 0 6 (Issue 2)
3
The processor modules send triplicated write data commands
over the I/O Safetybus to the monitored Guarded output
module. Onboard the output module the triplicated data are
routed to two independent voters which provide voted data to
associated field programmable gate arrays (FPGA). Each
FPGA independently operates one of the two output control
switches. The two output switches are connected in series with
the load.
When both output switches are on, current will flow through
the output and energize a field load. If either switch is off,
current will not flow through the output and the load will be
de-energized. This combination of series output switches and
independent drive signals produces fail-safe activation of the
load. Single failures can only affect one of the output drive
signals or switches. A single failure will result in either
continued correct control or a fail-safe output as shown in
Table 1.
Table 1. Output States After Switch Failure.
Case
Commanded
Output State
Switch
Failed
State
Actual
Output
to Load
Remarks
1
On
On
On
Continued correct control.
Automatic testing detects
stuck-on switch. If output is
subsequently commanded
off, output will turn off.
2
On
Off
Off
Fail-safe output. Automatic
testing detects stuck-off
switch.
3
Off
On
Off
Continued correct control.
Automatic testing detects
stuck-on switch. If output is
subsequently commanded
on, output will turn on.
4
Off
Off
Off
Fail-safe output. Automatic
testing detects stuck-off
switch. If output is subse-
quently commanded on,
output will remain off.
To achieve fault tolerance, two monitored Guarded output
modules are used with their outputs connected in parallel.
This configuration provides for continued correct control even