Contents
Introduction
Features of the TMR PLC System
Bus Systems & Power Distribution
Single Digital Input Modules
Advanced Communication Module (ACM)
Power Modules
Basic Components
Batteries of the Main Chassis
I/O EXPANSION
Using RS-485 Expansion Bus Ports
POWER MODULES—MODELS #8310, 8311 & 8312
The TMR PLC is a state-of-the-art programmable logic and process controller that
provides a high level of system fault tolerance. This section describes fault tolerance and lists the main features
offered by the TMR PLC system.
What is Fault Tolerance?
Fault tolerance, the most important capability of the TMR PLC system, is the ability
to detect transient and steady-state error conditions and to take appropriate
corrective action on-line. With fault tolerance, there is an increase in safety
and an increase in the availability of the controller and the process being
controlled. The TMR PLC provides fault tolerance through Triple Modular
Redundant (TMR) architecture. The system consists of three identical system
legs (except for the Power Modules which are dual redundant). Each system leg
independently executes the control program in parallel with the other two legs.
Hardware voting mechanisms qualify and verify all digital inputs and outputs from the field; analog inputs are subject to a mid-value selection process. Because each leg is isolated from the others, no single-point failure in any leg can pass to another. If a hardware failure occurs in one leg, the faulty leg is overridden by the other legs. Repairs consist of removing and replacing the failed module in the faulty leg while the TMR PLC is on-line and without process interruption. The system then reconfigures itself to full TMR operation. Extensive diagnostics on each leg, module and functional circuit immediately detect and report operational faults by means of indicators or alarms. The diagnostics also store information about faults in system variables. If faults are detected, the operator can use the diagnostic information to modify control actions or direct maintenance procedures. From the user’s point-of-view, setting up applications is simple because the triplicated system operates as one control system. The user terminates sensors and actuators at a single wiring terminal and programs the TMR PLC with one set of application logic. The TMR PLC manages the rest.
Features of the TMR PLC System
To ensure the highest possible system integrity at all times, the TMR PLC:
– Provides Triple Modular Redundant architecture whereby each of three identical system legs independently executes the control program, and specialized hardware/software mechanisms “vote” all inputs and outputs.
– Withstands harsh industrial environments.
– Enables field installation and repair to be done at the module level while the controller remains on-line. Replacing an I/O module does not disturb field wiring.
– Supports up to 118 I/O modules (analog and digital) and optional communication modules that interface with Modbus masters and slaves, Foxboro and Honeywell Distributed Control Systems (DCS), other TMR PLCs in Peer-to-Peer networks, and external host applications on 802.3 networks.
– Provides integral support for remote I/O modules located up to twelve (12) kilometers (7.5 miles) from the Main Chassis.
– Executes control programs developed and debugged with a separate programmer’s workstation: the DOS-based TRISTATION Multi-System Workstation (MSW) or Windows NT-based TriStation 1131.
– Provides intelligence in the input and output modules to reduce the workload of the Main Processors. Each I/O module has three microprocessors. Input module microprocessors filter and debounce the inputs and diagnose hardware faults on the module. Output module microprocessors supply information for the voting of output data, check loopback data from the output terminal for final validation of the output state, and diagnose field-wiring problems.
– Provides integral on-line diagnostics with adaptive-repair capabilities.
– Allows normal maintenance while the TMR PLC is operating, without disturbing the controlled process.
– Supports “hot spare” I/O modules for critical applications where prompt service may not be possible.
Physically, a basic TMR PLC High Density system consists of modules, the chassis in which modules are housed, field wiring connections and the programmer’s workstation.
TMR PLC modules are field-replaceable units consisting of an electronic assembly housed in a metal spine. Each module has a protective cover that ensures no components or circuits are exposed even when a module is removed from the chassis. Offset backplane connectors make it impossible to plug a module in upside down, and “keys” on each module prevent the insertion of modules into incorrect slots. The TMR PLC supports digital and analog input and output points, as well as thermocouple inputs and multiple communication protocols.
There are three types of chassis for Version 9 TMR PLC Systems: Main Chassis, Expansion Chassis and Remote Extender Chassis. A TMR PLC system can include up to fifteen chassis housing any appropriate combination of input, output, and hot spare modules as well as communication modules. The Main Chassis of the TMR PLC system houses the Main Processor modules and up to six I/O sets. I/O modules within a chassis connect by means of a triplicated RS-485 bi-directional communication port. Expansion Chassis (chassis 2-15) support up to eight I/O sets each. Expansion Chassis connect to the Main Chassis by means of a triplicated RS-485 bi-directional communication port. The total standard cable length, which can be used to join a set of Main and Expansion chassis, is up to 30 meters (100 feet). Remote Extender Chassis enable a system to extend to remote locations up to twelve (12) kilometers (7.5 miles) from the Main Chassis.
The fully expandable Version 9 (V9) TMR PLC Systems and Single Chassis V9 TMR PLC systems are programmed with an engineering and maintenance workstation called TriStation. There are two types of TriStations available:
– The TriStation 1131 Developer’s Workbench runs on an IBM-compatible computer running Windows NT Version 3.51 or later. TriStation 1131 supports three programming languages which comply with the IEC 1131-3 standard: Function Block Diagram, Ladder Diagram, and Structured Text.
– The DOS-based TRISTATION Multi-System Workstation (MSW) runs on an IBM-compatible personal computer and supports the Relay Ladder Logic programming language.
Both TriStation 1131 and TRISTATION MSW are used to:
– Develop and debug the control program which the TMR PLC executes
– Diagnose system status
– Force points for loop checkout and maintenance of field devices
Once a control program is developed, a loading operation installs the program into the TMR PLC controller and verifies that it is operating correctly.
General environmental specifications for the TMR PLC are shown in the table below. Due to the number of components that can make up a system, not all of these specifications apply to every component.
Triple-Modular Redundant (TMR) architecture (shown in Figure)
ensures fault tolerance and provides error-free, uninterrupted control in the
presence of either hard failures of components or transient faults from
internal or external sources. Every I/O module houses the circuitry for three
independent legs. Each leg on the input modules reads the process data and
passes that information to its respective Main Processor. The three Main
Processors communicate with each other using a proprietary high-speed bus
system called the TRIBUS. Once per scan, the Main Processors
synchronize and communicate with their neighbors over the TRIBUS. The TRIBUS
votes digital input data, compares output data, and sends copies of analog
input data to each Main Processor. The Main Processors execute the control
program and send outputs generated by the control program to the output
modules. In addition to voting the input data, the TMR PLC votes the output
data. This is done on the output modules as close to the field as possible to
detect and compensate for any errors that could occur between the TRIBUS voting
and the final output driven to the field. For each I/O module, the system can
support an optional hot-spare module. If present, the hot-spare takes control
if a fault is detected on the primary module during operation. The hot-spare
position is also used for on-line system repairs.
Main Processor Modules
A TMR PLC system contains three Main Processor modules. Each
controls a separate leg of the system and operates in parallel with the other
two Main Processors. A dedicated I/O communication processor on each Main
Processor manages the data exchanged
between the Main Processor and the I/O modules. A triplicated I/O bus, located
on the chassis backplane, extends from chassis to chassis by means of I/O bus
cables.
As each input module is polled, the appropriate leg of the I/O bus
transmits new input data to the Main Processor. The input data is assembled into
a table in the Main Processor and is stored in memory for use in the hardware
voting process. The individual input table in each Main Processor is
transferred to its neighboring Main Processors over the TRIBUS. During this
transfer, hardware voting takes place. The TRIBUS uses a direct memory access
programmable device to synchronize, transmit, vote and compare data among the
three Main Processors. If a disagreement occurs, the signal value found in two
out of three tables prevails, and the third table is corrected accordingly.
One-time differences which result from sample timing variations are
distinguished from a pattern of differing data. Each Main Processor maintains
data about necessary corrections in local memory. Any disparity is flagged and
used at the end of the scan by the TMR PLC’s built-in fault analyzer routines
to determine whether a fault exists on a particular module.
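The voting step described above, as an added example that is not from the original manual or the vendor's firmware: a simplified Python model of 2-out-of-3 voting over three input tables, with per-leg disparity streaks so that a one-time sampling difference is forgotten while a persistent one is reported. The table width, the persistence threshold and all names are assumptions.

```python
"""Simplified model of 2-out-of-3 digital input voting with disparity tracking.

Constructed for illustration: table width, the persistence threshold and all
names are assumptions, not values from the TMR PLC documentation.
"""
from dataclasses import dataclass, field

LEGS = ("A", "B", "C")
PERSISTENCE_THRESHOLD = 3  # assumed: consecutive outvoted scans before a point is suspect


def vote_2oo3(a: int, b: int, c: int) -> int:
    """Bitwise majority: each bit takes the value found in two of three tables."""
    return (a & b) | (b & c) | (a & c)


@dataclass
class Voter:
    points: int                                  # number of digital points per table
    streak: dict = field(default_factory=dict)   # (leg, point) -> consecutive disparities

    def scan(self, tables: dict) -> tuple:
        """Vote one scan. Returns (voted_table, corrected_tables, suspects)."""
        mask = (1 << self.points) - 1
        voted = vote_2oo3(tables["A"], tables["B"], tables["C"]) & mask
        for leg in LEGS:
            diff = (tables[leg] ^ voted) & mask  # bits where this leg was outvoted
            for p in range(self.points):
                key = (leg, p)
                if (diff >> p) & 1:
                    self.streak[key] = self.streak.get(key, 0) + 1
                else:
                    self.streak.pop(key, None)   # one-time difference: forget it
        # The minority table is corrected, so every leg continues with voted data.
        corrected = {leg: voted for leg in LEGS}
        # End-of-scan analysis: only a pattern of differing data is reported.
        suspects = sorted(
            k for k, n in self.streak.items() if n >= PERSISTENCE_THRESHOLD
        )
        return voted, corrected, suspects


def run_demo() -> list:
    """Constructed scans: leg C samples point 1 late once; leg B point 3 stays at 0."""
    scans = [
        {"A": 0b1010, "B": 0b0010, "C": 0b1000},
        {"A": 0b1010, "B": 0b0010, "C": 0b1010},
        {"A": 0b1010, "B": 0b0010, "C": 0b1010},
        {"A": 0b1110, "B": 0b0110, "C": 0b1110},
    ]
    voter = Voter(points=4)
    return [voter.scan(t) for t in scans]


if __name__ == "__main__":
    for voted, _, suspects in run_demo():
        print(f"voted={voted:04b} suspects={suspects}")
```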
Architecture of a Main Processor
The Main Processors put corrected data into the control program.
The 32-bit main microprocessor and a math coprocessor execute the control
program in parallel with the neighboring Main Processor modules. The control
program generates a table of output values which are based on the table of
input values according to customer-defined rules built into the application.
The I/O communication processor on each Main Processor manages the transmission
of output data to the output modules by means of the I/O bus. Using the table of output values, the I/O
communication processor generates smaller tables, each corresponding to an
individual output module in the system. Each small table is transmitted to the
appropriate leg of the corresponding output module over the I/O bus. For
example, Main Processor A transmits the appropriate table to Leg A of each output
module over I/O Bus A. The transmittal of output data has priority over the
routine scanning of all I/O modules. The I/O communication processor manages
the data exchanged between the Main Processors and the communication modules
using the communication bus which supports a broadcast mechanism. The model
#3006 Main Processors provide 2 Megabytes SRAM each for fully expandable V9 TMR
PLC Systems, while model #3007 Main Processors provide 1 Megabyte SRAM each for
Single Chassis V9 TMR PLC Systems only. The SRAM is used for the user-written
control program, SOE data, I/O data, diagnostics and communication buffers. In
the event of an external power failure, the SRAM is protected by batteries which
reside on the backplane of the Main Chassis. In the absence of power to the TMR
PLC, the batteries maintain the integrity of the program and the retentive
variables for a minimum
of six months. The Main Processor modules receive power from the dual Power
Modules and power rails in the Main Chassis. A failure on one Power Module or
power rail does not affect system performance.
Bus Systems & Power Distribution
Three triplicated bus systems are etched on the chassis backplane:
the TRIBUS, the I/O bus, and the communication bus.
The TRIBUS consists of three independent serial links operating at
4 Mbaud. It synchronizes the Main Processors at the beginning of a scan. Then
each Main Processor sends its data to its upstream and downstream neighbors.
The TRIBUS takes the following actions:
– Transfers analog, diagnostic and communication data
– Transfers and votes digital input data
– Compares data and flags disagreements for the previous scan’s output data and control program memory.
TMR PLC Back Plane
An important feature of TMR PLC architecture is the use of a single transmitter to send data to both the upstream and downstream Main Processors. This ensures the same data is received by the upstream processor and downstream processor.
Each I/O module transfers signals to or from the field through its associated field
termination assembly. Two positions in the chassis tie together as one logical
slot. The first position holds the active I/O module and the second position holds
the hot-spare I/O module. Termination cables are tied to panel connectors at the top of the backplane. Each
connection extends from the termination module to both active and hot-spare I/O
modules. Therefore, both the active module and the hot-spare module receive the
same information from the field termination wiring. The 375 Kbaud triplicated
I/O bus transfers data between the I/O modules and the Main Processors. The I/O
bus is carried along the bottom of the backplane. Each leg of the I/O bus runs
between one Main Processor and the corresponding legs on the I/O module. The
I/O bus extends between chassis using a set of three I/O bus cables. The 2
Mbaud communication bus runs between the Main Processors and the communication
modules. Power for the chassis is distributed across two independent power
rails and down the center of the backplane. Each module in the chassis draws
power from both power rails through dual power regulators. There are four sets
of power regulators on each input and output board: one set for each leg (A, B,
and C) and one set for the status indicators.
MODIFICATION REQUIRED ON USAGE OF I/O MODULES FOR THE PROJECT
Digital Input Modules
The TMR PLC supports two basic types of digital input modules: TMR and single. On TMR modules, all critical signal paths are 100% triplicated for guaranteed safety and maximum availability. On single modules, only those portions of the signal path which are required to ensure safe operation are triplicated. Single modules are optimized for those safety-critical applications where low cost is more important than maximum availability.
Each digital input module houses the circuitry for three identical legs (A, B and
C). Although the legs reside on the same module, they are completely isolated
from each other and operate independently. Each leg conditions signals
independently and provides optical isolation between the field and the TMR PLC.
(The model #3504E High-Density Digital Input Module with 64 points is an
exception—it has no isolation.) A fault on one leg cannot pass to another. In
addition, each leg contains an 8-bit microprocessor called the input/output
(I/O) communication processor which handles communication with its
corresponding Main Processor.
Each of the three input legs asynchronously measures the input signals from each point on the input termination module,
determines the respective states of the input signals, and places the values
into input tables A, B and C respectively. Each input table is regularly
interrogated over the I/O bus by the I/O communication processor located on the
corresponding Main Processor module. For example, Main Processor A interrogates
Input Table A over I/O Bus A. DC models of the digital input modules can
self-test to detect “stuck ON” conditions where the circuitry cannot tell
whether a point has gone to the OFF state. Since most safety systems are set up
with a “de-energize-to-trip” capability, the ability to detect OFF points is an
important feature. To test for “stuck ON” inputs, a switch within the input
circuitry is closed to allow a zero input (OFF) to be read by the optical
isolation circuitry. The last data reading is frozen in the I/O communication
processor while the test is running.
Single Digital Input Modules
Each digital input module houses the intelligent control circuitry for three
identical legs (A, B and C). Although the legs reside on the same module, they
are completely isolated from each other and operate independently. A fault on
one leg cannot pass to another. The intelligent control circuitry consists of
an 8-bit microprocessor called the I/O communication processor which handles
communication with its corresponding Main Processor. Each of the three input
legs independently measures the input signals by means of a non-triplicated set
of signal conditioners. This is done for each point on the input termination
module. Each leg determines the states of the points and places their values
into input tables A, B and C respectively. Each input table is regularly
interrogated over the I/O bus by the I/O communication microprocessor located
on the corresponding Main Processor module. For example, Main Processor A
interrogates Input Table A over I/O Bus A.
Special self-test circuitry is provided to detect all stuck-ON and stuck-OFF fault conditions within the non-triplicated signal conditioners in less than 500 milliseconds. This is a mandatory feature of a fail-safe system, which must detect all faults in a timely manner and, upon detection of an input fault, force the measured input value to the safe state. Because the TMR PLC is optimized for de-energize-to-trip applications, detection of a fault in the input circuitry forces to OFF (the de-energized state) the value reported to the Main Processors by each leg.
Digital Output Modules
There are four basic types of digital output modules:
– Supervised digital output modules
– DC voltage digital output modules
– AC voltage digital output modules
– Dual DC digital output modules
Every digital output module houses the circuitry for three identical, isolated legs.
Each leg includes an I/O microprocessor which receives its output table from
the I/O communication processor on its corresponding Main Processor. All of the
digital output modules, except the dual DC modules, use special quadruplicated
output circuitry which votes on the individual output signals just before they
are applied to the load. This voter circuitry is based on parallel-series paths
which pass power if the drivers for Legs A and B, or Legs B and C, or Legs A
and C command them to close—in other words, 2-out-of-3 drivers voted ON. Each
type of digital output module executes a particular type of Output Voter Diagnostic
(OVD) for every point. In general, during OVD execution the commanded state of each
point is momentarily reversed on one of the output drivers, one after another.
Loop-back on the module allows each microprocessor to read the output value for
the point to determine whether a latent fault exists within the output circuit.
(For devices that cannot tolerate a signal transition of any length, OVD on
both AC and DC voltage digital output
modules can be disabled.)
A supervised digital output module provides both voltage and current loopback, allowing
complete fault coverage for both energized-to-trip and de-energized-to-trip
conditions. In addition, a supervised digital output module verifies the
presence of the field load by doing continuous circuit-continuity checks. Any
loss of field load is annunciated by the module.
A DC voltage digital output module is specifically designed to control
devices which hold points in one state for long periods of time. The OVD
strategy for a DC voltage digital output module ensures full fault coverage
even if the commanded state of the points never changes. On this type of
module, the output signal transition normally occurs during OVD execution, but
is guaranteed to be less than 2.0 milliseconds (500 microseconds is typical)
and is transparent to most field devices.
On an AC voltage digital output module, a faulty switch identified by the OVD
process will cause the output signal to transition to the opposite state for a
maximum of half an AC cycle. This transition may not be transparent to all
field devices. Once a fault is detected, the module discontinues further
iterations of OVD. Each point on an AC voltage digital output module requires
periodic cycling to both the ON and OFF states to ensure 100% fault
coverage.
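A simplified model of the voter and OVD behaviour described above, added here as an illustration and not taken from the manual or the module firmware. It assumes one switch per leg and a single loopback of the voted output, and it shows why, in such a model, a switch stuck in the commanded state stays latent until the point is cycled to the opposite state, as the AC module paragraph requires.

```python
"""Simplified model of a 2-out-of-3 output voter and Output Voter Diagnostic (OVD).

Constructed for illustration: one switch per leg and one loopback of the voted
output. The real modules use quadruplicated circuitry whose details are not on
this page; all names and the diagnosis rule are assumptions.
"""
LEGS = ("A", "B", "C")


def voted_output(sw: dict) -> bool:
    """Power passes if A and B, or B and C, or A and C are closed."""
    return (sw["A"] and sw["B"]) or (sw["B"] and sw["C"]) or (sw["A"] and sw["C"])


class OutputPoint:
    def __init__(self, stuck=None):
        # leg -> True (switch stuck ON) or False (switch stuck OFF)
        self.stuck = dict(stuck or {})

    def switches(self, commands: dict) -> dict:
        """Actual switch states: a stuck switch ignores its driver's command."""
        return {leg: self.stuck.get(leg, commands[leg]) for leg in LEGS}

    def loopback(self, commands: dict) -> bool:
        """Voted output as read back by the module's microprocessors."""
        return voted_output(self.switches(commands))


def run_ovd(point: OutputPoint, commanded: bool) -> dict:
    """Reverse one driver at a time and read the loopback.

    With the two other legs healthy and holding the commanded state, the voted
    output must not move. A transition during a test means the tested leg had
    no healthy partner, which exposes a fault on one of the other legs.
    """
    glitched = []
    for leg in LEGS:
        commands = {name: commanded for name in LEGS}
        commands[leg] = not commanded            # momentary reversal on one driver
        if point.loopback(commands) != commanded:
            glitched.append(leg)
    # Assumed rule for this model: with a single fault, two tests glitch and
    # the suspect is the leg whose own test left the output unchanged.
    suspect = None
    if len(glitched) == 2:
        suspect = next(name for name in LEGS if name not in glitched)
    return {"fault": bool(glitched), "glitched_tests": glitched, "suspect": suspect}


def run_demo() -> dict:
    """Constructed cases: healthy point, and leg B stuck OFF or stuck ON."""
    return {
        "healthy": run_ovd(OutputPoint(), commanded=True),
        "b_stuck_off_while_on": run_ovd(OutputPoint({"B": False}), commanded=True),
        "b_stuck_on_while_on": run_ovd(OutputPoint({"B": True}), commanded=True),
        "b_stuck_on_while_off": run_ovd(OutputPoint({"B": True}), commanded=False),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```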
Analog Input Modules
On an analog input module, each of the three legs asynchronously measures the
input signals and places the results into a table of values. Each of the three
input tables is passed to its associated Main Processor module using the
corresponding I/O bus. The input table in each Main Processor module is
transferred to its neighbors across the TRIBUS. The middle value is selected by
each Main Processor, and the input table in each Main Processor is corrected
accordingly. In TMR mode, the mid-value data is used by the control program; in
duplex mode, the average is used. Each analog input module is automatically
calibrated using multiple reference voltages read through the multiplexer.
These voltages determine the gain and bias required to adjust readings of the analog-to-digital
converter. Analog input modules and termination modules are available to
support a wide variety of analog inputs, in both isolated and non-isolated
versions: 0-5 VDC, 0-10 VDC, 4-20 mA, thermocouples (types K, J, T and E), and
resistive thermal devices (RTDs).
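An added illustration, not part of the original manual: per-leg two-point calibration followed by mid-value selection in TMR mode and averaging in duplex mode. The reference voltages, ADC counts and function names are assumptions.

```python
"""Model of per-leg analog calibration followed by mid-value selection.

Constructed for illustration: the two reference voltages, the ADC counts and
all names are assumptions. The page only states that reference voltages set
gain and bias, that TMR mode uses the mid-value and duplex mode the average.
"""
from statistics import median

V_REF_LOW, V_REF_HIGH = 0.0, 5.0   # assumed references for a 0-5 VDC module


def calibrate(raw_low: int, raw_high: int) -> tuple:
    """Derive (gain, bias) so that volts = gain * raw + bias at both references."""
    if raw_high == raw_low:
        raise ValueError("reference readings are identical; converter path is faulty")
    gain = (V_REF_HIGH - V_REF_LOW) / (raw_high - raw_low)
    bias = V_REF_LOW - gain * raw_low
    return gain, bias


def to_volts(raw: int, cal: tuple) -> float:
    """Apply a leg's gain and bias to one raw converter reading."""
    gain, bias = cal
    return gain * raw + bias


def select(values: dict) -> float:
    """values maps leg name -> volts, for the legs currently considered healthy."""
    healthy = list(values.values())
    if len(healthy) == 3:
        return median(healthy)          # TMR mode: mid-value
    if len(healthy) == 2:
        return sum(healthy) / 2         # duplex mode: average
    # Behaviour with fewer than two legs is not described on the page.
    raise ValueError("need two or three healthy legs")


def run_demo() -> dict:
    # Constructed reference readings (raw_low, raw_high): each leg has its own offset.
    refs = {"A": (10, 4010), "B": (0, 4000), "C": (20, 4020)}
    cals = {leg: calibrate(*r) for leg, r in refs.items()}
    # Constructed field sample near 2.5 V; leg C's converter reads full scale.
    raw = {"A": 2010, "B": 2000, "C": 4020}
    volts = {leg: to_volts(raw[leg], cals[leg]) for leg in raw}
    return {
        "volts": volts,
        "tmr": select(volts),                                   # outlier rejected
        "duplex": select({k: v for k, v in volts.items() if k != "C"}),
        "naive_mean": sum(volts.values()) / 3,                  # pulled up by leg C
    }


if __name__ == "__main__":
    print(run_demo())
```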
The analog output module receives three tables of output values, one for each leg from the corresponding Main Processor.
Each leg has its own digital-to-analog converter (DAC). One of the three legs
is selected to drive the analog outputs. The output is continuously checked for
correctness by “loop-back” inputs on
each point which are read by all three microprocessors.
If a fault occurs in the driving leg, that leg is declared faulty, and a new leg
is selected to drive the field device. The designation of “driving leg” is
rotated among the legs so that all three legs are tested.
Communication Modules
By means of the communication modules described in this section, the TMR PLC can
interface with Modbus masters and slaves, other TMR PLCs in Peer-to-Peer
networks, external hosts running applications over 802.3 networks, and
Honeywell and Foxboro Distributed Control Systems (DCS). The Main Processors
broadcast data to the communication modules across the communication bus. Data
is typically refreshed every scan; it is never more than two scan-times old.
Advanced Communication Module (ACM)
This module acts as an interface between a TMR PLC controller and Foxboro’s
Intelligent Automation (I/A) Series DCS. The ACM appears to the Foxboro system
as a safety node on the I/A Series Nodebus, allowing the TMR PLC to manage
process-critical points within the overall I/A DCS environment. The ACM
transmits all TMR PLC aliased data and diagnostic information to I/A operator
workstations in display formats that are familiar to Foxboro operators.
Availability of the ACM depends on Foxboro’s schedule for Version 4.2.2 of the
I/A Series Software.
Power Modules
Each TMR PLC chassis houses two Power Modules arranged in a
dual-redundant configuration. Each module derives power from the backplane and
has independent power regulators for each leg. Each can support the power
requirements for all the modules in the chassis in which it resides, and each
feeds a separate power rail on the chassis backplane. The Power Modules have
built-in diagnostic circuitry which checks for out-of-range voltages and
over-temperature conditions. A short on a leg disables the power regulator
rather than affecting the power bus.
System Diagnostics & Status Indicators
The TMR PLC incorporates integral on-line diagnostics. Probable failure modes are
anticipated and made detectable by specialized circuitry. Fault-monitoring
circuitry in each module helps fulfill this requirement. The circuitry includes
but is not limited to I/O loopback, deadman timers, loss-of-power sensors, and
so on. This aspect of the system design enables the TMR PLC to reconfigure
itself and perform limited self-repair according to the health of each module and leg.
Each TMR PLC module can activate the system “integrity” alarm. The alarm consists of an NC/NO relay contact on each Power Module. Any failure condition,
including loss or “brownout” of system power, activates the alarm to summon
plant maintenance personnel. The front panel of each module provides indicators
(LEDs) that show the status of the module or the external systems to which it
may be connected. PASS, FAULT and ACTIVE are common states shown. Other
indicators are specific to each module.
Maintenance consists of replacing plug-in modules. A lighted Fault indicator shows that the module has detected a fault and must be replaced. The control circuitry for the indicators is isolated from each of the three legs and is redundant.
All internal diagnostic and alarm status data is available for remote logging
and report generation. This reporting is done through a local or remote
TriStation, or through a host computer.
This chapter describes the basic hardware components required for any TMR PLC
system. It includes information about the following:
– Main and Expansion Chassis
– I/O Expansion
– Dual Power Modules
– Triplicated Enhanced Main Processors
Main Chassis, Front View
A TMR PLC chassis can be rack- or panel-mounted in an
industry-standard NEMA enclosure. The physical size of a Main Chassis or an
Expansion Chassis is 48.3 cm x 57.8 cm x 45.1 cm (19 in x 22.75 in x 17.75 in).
(Measurements are width x height x depth.)
A Main Chassis can support the following modules:
– Two Power Modules
– Three Main Processors
– Communication modules such as the ICM, NCM, SMM, HIM or ACM
– I/O modules with hot spares
An Expansion Chassis can support the following modules:
– Two Power Modules
– I/O modules with hot spares
– Communication modules (in Expansion Chassis #2 only)
Each chassis has a different bus address (1 to 15); each module
within a chassis has an address defined by its location or slot. The Main Chassis
has a four-position keyswitch that controls the entire TMR PLC system. Switch
settings are RUN, PROGRAM, STOP and REMOTE.
Expansion Chassis, Front View
Batteries of the Main Chassis
The TMR PLC’s dual-redundant batteries are located on the paneled
portion of the Main Chassis backplane beside the I/O expansion ports (as shown
in the figure). If a total power failure occurs, these lithium batteries can maintain
data and programs for a cumulative time period of six months. Each
battery has a shelf-life of five years. We recommend that you
replace the batteries either every five years or after they accumulate six
months of use, whichever comes first.
I/O EXPANSION
I/O Expansion Bus Ports
The TMR PLC I/O bus provides support for up to fifteen chassis. In
most installations, Expansion Chassis are installed near the Main Chassis. The
following limits apply:
Maximum Number of Chassis: 15
Maximum Number of I/O Modules: 118
Maximum Total I/O Bus Length: 30 meters (100 feet)
Under normal conditions I/O bus lengths greater than 30 meters (100 feet) must be supported by a Remote Extender Chassis.
Using RS-485 Expansion Bus Ports
Each TMR PLC chassis provides six RS-485 I/O expansion bus ports
at the top left corner of the backplane, as shown in figure. The ports form a
triplicated serial communications path for Expansion and RXM chassis. Drop-line
cabling should be used to connect the RS-485 ports of Expansion Chassis to
other chassis. Each chassis is one node in the multiple-drop I/O extension bus.
The I/O ports are grouped as three pairs forming a triplicated extension of the
TMR PLC I/O bus. Communication along the extended bus proceeds at the same rate
as along the internal TMR PLC I/O bus (375 Kbaud). In this manner, the three
control legs are physically and logically extended to the Expansion Chassis
without sacrificing performance.
POWER MODULES—MODELS #8310, 8311 & 8312
A V9 TMR PLC chassis comes with one of the following Power Modules:
Model #   Power Module
8310      120 VAC/VDC Power Module
8311      24 VDC Power Module
8312      230 VAC Power Module
Each of these Power Modules contains two independent power supplies, and each power supply can support all power requirements of the system. The Power Module can be hot-replaced and you can add a hot-spare if desired. This section provides the following information about the Power Module:
– Physical description
– Special features
– Alarm description
– Specifications
Physical Description
The Power Modules, located on the lower left side of the chassis,
convert line power to DC power appropriate for all TMR PLC modules. Two
terminal strips for the Power Modules reside on the lower left side of the
paneled portion of the backplane. One terminal strip is used to select system
grounding options, and the other is for incoming power and alarm connections.
Each Power Module provides an in-line, slow-blow fuse for each external power
source, mounted inside the module. To replace the module, you do not have to
disconnect any wiring or disassemble the Power Module—just remove the module
from the chassis.
Terminals for System Grounding Options
The backplane above the Power Module provides three terminals for
grounding options:
– RC network connected to chassis ground (RC)
– Direct connection to TMR PLC internal signal ground (functional earth)
– Direct connection to chassis ground (protective earth)
The TMR PLC is normally delivered with a jumper installed between
RC and signal ground.