Short circuit protection issues, Group fail safe switches, Trusted – Rockwell Automation T8461 Trusted TMR 24 48Vdc Digital Output Module User Manual

Page 14: Module t8461


Trusted™ Module T8461, Issue 13 Apr 10, PD-T8461, page 14

1.9.2. Short Circuit Protection Issues

In a fuse-free design such as in the Trusted™ System, the module is required to respond rapidly in the
event of an over-current or over-power situation. In fact, this protection scheme offers advantages over
fuses in both automatic recovery and speed of action.

The topology of the channel provides a natural limit to the instantaneous current flow, giving the
module time to respond. Furthermore, the over-current protection circuitry is inherently self-testable,
since the threshold can be a programmable value.

The P-channel architecture of Switch 1 and Switch 2 utilizes an open-drain output structure. Under
short-circuit conditions the maximum instantaneous current with a 48V field voltage is naturally limited
to less than 5A per channel. This is because high output currents cause the gate-source voltages of
the two transistors to be reduced, tending to turn them off.

The output current is monitored by the DSP, and sustained over-current conditions result in a latched
over-current condition and de-energise the associated output. After removing the fault condition, the
latched over-current condition can be reset by either pressing the system fault reset button or turning
off the logical output signal to the module. The output also includes a non-replaceable fusible link for
absolute protection.

1.9.3. Group Fail Safe Switches

To ensure safe operation, the output module is equipped with a series of switches that provide source
power to a group of 8 output channels. The output module Group Fail Safe Switch (GFSS) is intended
as a final control switch which can de-energise any outputs that cannot be de-energised in the normal
way. For safety, the presence of two or more faults within the output module will cause the Group Fail
Safe Switches to de-energise, causing all of the outputs in their group to de-energise.

The GFSS comprises three switches in parallel, one associated with each 'slice' of the
power group. The GFSS elements are controlled via a signal from one of the other two neighbouring slices.
This means that if one slice determines from the output states that an output is not in a de-energised
state when it should be, then it can command its own GFSS and those of the other slices to
de-energise. This causes two of the three elements of the GFSS structure to de-energise, leaving only
one GFSS element energised. If two slices do the same thing, then the last GFSS output will
de-energise. For example, this would occur if two or more output switch elements fail in a 'stuck-on' state
such that the output cannot de-energise.

The GFSS control signal is generated by a charge pump driven from the comms clock to the slice
power group. If the clock fails, then the GFSS bias collapses. This means that even if the ability of the
slice to communicate with a power group is lost, the GFSS can still be de-energised by stopping the
comms clock. If a slice fails, the watchdog on the HIU will time out and reset the slice; this will
shut down the OFIU power supply, and the associated GFSS control signal will also de-energise.
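The two-out-of-three behaviour of the GFSS described above can be checked with a small behavioural model. This is an added example, not taken from the Rockwell manual. The wiring it assumes (each element held on by its own slice and one neighbouring slice) and all function names are illustrative assumptions, chosen to reproduce the outcomes the text states.

```python
from itertools import product

SLICES = ("A", "B", "C")

def slice_drive(trip: bool, clock_running: bool) -> bool:
    """A slice keeps its GFSS control signal up only while it is not
    commanding a trip and its comms clock is still driving the charge pump."""
    return (not trip) and clock_running

def gfss_elements(drives):
    """Assumed wiring: element i needs drive from slice i and from one
    neighbour (slice i-1), so one slice dropping out removes two elements."""
    return tuple(drives[i] and drives[i - 1] for i in range(3))

def group_powered(drives) -> bool:
    """The three elements are in parallel: any energised element
    still feeds source power to the group of 8 outputs."""
    return any(gfss_elements(drives))

def truth_table():
    """Enumerate every combination of slice drive states."""
    return [(d, gfss_elements(d), group_powered(d))
            for d in product((True, False), repeat=3)]

if __name__ == "__main__":
    print("drive A/B/C -> elements A/B/C -> group powered")
    for drives, elems, powered in truth_table():
        print(drives, "->", elems, "->", powered)
    # A stopped comms clock has the same effect as a commanded trip.
    a = slice_drive(trip=False, clock_running=False)
    print("slice A clock stopped:", gfss_elements((a, True, True)))
```

The table shows that a single slice, whether it trips or loses its clock, can neither remove group power on its own nor keep it applied against the other two.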
