Group fail safe switches, Output line monitoring states, Table 1 line monitoring fault status – Rockwell Automation T8448 Trusted TMR Zone Interface Module - 40 Channel User Manual

Page 15: Trusted, Module t8448


Trusted™ Module T8448 | Issue 14 Apr 10 | PD-T8448 | Page 15

The output current is monitored by the DSP. Sustained overcurrent conditions cause the DSP to
de-energise the associated output. Once the fault has been corrected, the latched de-energised state can
be reset by turning off the logical output signal to the module and pressing the system fault reset
button. The output also includes a non-replaceable fusible link for absolute protection.

1.9.3. Group Fail Safe Switches

To ensure safe operation, the Zone Interface Module is equipped with a series of switches that provide
source power to a group of 8 channels. The module Group Fail Safe Switch (GFSS) is intended as a
final control switch which can de-energise any outputs that cannot be de-energised in the normal way.
For safety, the presence of two or more faults within the module will cause the Group Fail Safe
Switches to de-energise. This de-energises all of the outputs in its group.

The GFSS has three switches in parallel, each controlled by one 'slice' of the group. This means that if
one slice determines from the states that an output is not de-energised when it should be, then it can
command its own GFSS and those of the other slices to de-energise. This results in two of the
three elements of the GFSS structure de-energising, leaving only one GFSS element energised. If
two slices do the same thing then the last GFSS will de-energise. For example, this would occur if two
or more switch elements fail in a 'stuck-on' state such that the output cannot de-energise.

The GFSS control signal is generated by a charge pump driven from the comms clock to the slice
power group. If the clock fails then the GFSS bias collapses. This means that even if the ability of the
slice to communicate with a power group is lost, the GFSS can still be de-energised by stopping the
comms clock. If a slice fails, the watchdog on the HIU will time out and reset the slice. This will
shut down the OFIU power supply and the associated GFSS control signal will also de-energise.

1.10. Output Line Monitoring States

When a channel is selected as an output, the module automatically monitors channel current and
voltage to determine the state. The numerical output state and line fault status are reported back to
the application and are represented below.

Description                  | Numerical Output State | Line Fault Status
-----------------------------+------------------------+------------------
Field Short Circuit          | 5                      | 1
Output Energised (On)        | 4                      | 0
No Load, Field Open Circuit  | 3                      | 1
Output De-energised (Off)    | 2                      | 0
No Field Supply Voltage      | 1                      | 1

Table 1 Line Monitoring Fault Status
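
The following added example (not from the Rockwell manual) shows how an application could cross-check the reported numerical output state and line fault status against Table 1 and against the commanded output. The record fields, function names and sample values are assumptions constructed for illustration.

```python
# Added example: application-side sanity check of the values in Table 1.
# Field names and sample records are hypothetical, constructed for illustration.
from dataclasses import dataclass

# Numerical output state -> (description, expected line fault status), per Table 1
TABLE_1 = {
    5: ("Field Short Circuit", 1),
    4: ("Output Energised (On)", 0),
    3: ("No Load, Field Open Circuit", 1),
    2: ("Output De-energised (Off)", 0),
    1: ("No Field Supply Voltage", 1),
}

@dataclass
class Sample:
    channel: int        # hypothetical channel index
    commanded_on: bool  # logical output signal written by the application
    state: int          # numerical output state reported by the module
    line_fault: int     # line fault status reported by the module

def assess(s):
    """Return the findings for one reported sample (empty list = healthy)."""
    if s.state not in TABLE_1:
        return [f"unknown state code {s.state}"]
    findings = []
    desc, expected_fault = TABLE_1[s.state]
    if s.line_fault != expected_fault:
        findings.append(f"state {s.state} and line fault {s.line_fault} disagree with Table 1")
    if expected_fault == 1:
        findings.append(f"line fault: {desc}")
    elif s.commanded_on and s.state == 2:
        # e.g. the latched de-energised state after a sustained overcurrent trip
        findings.append("commanded on but reported de-energised")
    elif not s.commanded_on and s.state == 4:
        # the condition the Group Fail Safe Switches exist to cover
        findings.append("commanded off but reported energised")
    return findings

# Constructed sample data, not captured from a real module
SAMPLES = [Sample(1, True, 4, 0), Sample(2, True, 5, 1), Sample(3, False, 4, 0),
           Sample(4, True, 2, 0), Sample(5, False, 3, 0), Sample(6, False, 0, 0)]

def report(samples):
    """Map channel -> findings, keeping only channels that need attention."""
    results = {s.channel: assess(s) for s in samples}
    return {ch: f for ch, f in results.items() if f}

if __name__ == "__main__":
    for ch, findings in report(SAMPLES).items():
        print(f"channel {ch}: " + "; ".join(findings))
```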
