2 module replacement configuration – Rockwell Automation T8094 8000 Series TMR System Safety Manual User Manual

SAFETY MANUAL

D oc N umber T8094
I ssue 27 – June 2013

Page 35 of 103

3.7.1.6 De Energised Short Circuit Detection Section

This section allows the user to enable the de-energised short circuit detection (default
is disabled).

Safety related I/O that is normally De-Energised shall use short

circuit monitoring (see section 3.2.4).

3.7.2 Module Replacement Configuration

The system supports 3 forms of High Density I/O module replacement:

a. Hot-swap pair (companion slot)

b. SmartSlot

c. Live insertion and removal

In the hot-swap pair, 2 adjacent module positions are coupled to provide and active
and standby module pair. If it intended that the system be able to start-up (including
application stop and re-start), on the primary module position, there is no requirement
to define the secondary module position.

If it is intended to allow the system to start with only the secondary module
position occupied, it is important that the module positions be included within
the system.ini file. For Companion Slot modules, enter a module in the primary
slot. Tick ‘Simulate’ and enter the partner chassis and slot location. Do NOT
enter a module in the partner slot.

For SmartSlot pair operation, it is not possible to start-up using the “spare” module
position. The spare module position need not be in the same chassis as the primary
module position.

If it is intended to perform live insertion and removal without transfer to a standby
module no specific configuration is required. If it is intended to start-up a system
without the primary module installed in either a SmartSlot or single module live
insertion and removal configuration, the “simulate” configuration option should be set.
The simulate option will allow the system to start with these modules omitted, the
corresponding states and values being set to their fail-safe conditions.

1. A consistent module replacement philosophy should be used within any

single system. Where mixed philosophies are used, there shall be clear
indication of the repair approach applicable to each module or group of
modules.

2. In hot-swap and SmartSlot configurations, the accuracy with both modules

installed shall be within the plant required safety accuracy specification. If
tighter tolerance is required, ensure that each sensor within a redundant
configuration is allocated to independent modules and procedural measures
are implemented to ensure that only a single module within this set of
modules is paired at any instant.

3. If the SmartSlot module replacement is used, the system shall include

provision for testing the SmartSlot linking cable. This cable shall be tested
before use; the testing of this cable shall be included in the Operating and
Maintenance Manual.

4. In hot-swap configurations, a secondary module that does not pair with the

primary module in a reasonable amount of time (less than the second fault
occurrence time) must be removed.

5. In SmartSlot configurations, a secondary module that does not pair with the

primary module in a reasonable amount of time (less than the second fault
occurrence time) when the SmartSlot linking cable is installed must be
removed.