Planar Safety Manual

  • 7/22/2019 Planar Safety Manual

    Electronic Systems

    HIMA Paul Hildebrandt GmbH + Co KG

    Industrie-Automatisierung

    Planar4

    System Manual

    Attention:

    Maintenance on supply, signal and data lines may only be carried out by qualified personnel, observing all ESD protection measures. Before direct contact with these lines, the maintenance personnel must be electrostatically discharged!

    Important Note

    All HIMA products mentioned in this manual are protected with the HIMA trade-mark. Unless noted otherwise, this may also apply to other manufacturers mentioned and their products.

    The technology is subject to changes without notice.

    All technical statements and data in this manual have been worked out very carefully, and effective checks and inspections have been applied. This manual may however contain flaws or typesetting errors. Therefore HIMA does not offer any warranties nor assume legal responsibility nor any liability for the possible consequences of any errors in this manual. HIMA would appreciate being informed of possible errors.

    Conditions of Supply and Delivery

    The General Conditions of Supply and Delivery for the Products and Services of the German Electrical Industry apply to our deliveries and services.

    Any complaints can be recognized only if we are notified within 14 days after receipt of the merchandise.

    The prices shown in a special list are valid ex works, packing charges excluded. The prices are subject to change.

    1 The HIMA Planar4 System

    The increasing complexity and capacity of the processes in today's process engineering industry require more and more semi- or fully automatic controls. While the observation of safety regulations is predominant in process engineering, high availability is extremely important in production processes with big capacities.

    Today's awareness of environmental issues, the safety orientation as well as the legal regulations greatly influence the planning of modern industrial plants. Here, plant failures should have little or no consequences at all for people or for the plant itself.

    The possible hazard of big industrial plants or in traffic technology lies in the system as a whole. It must be monitored and be put into a clearly defined, non-hazardous state with the help of controls. For this reason the functional failure of the control may result in a critical reaction.

    The HIMA Planar4 System represents a modular electronic system featuring Euro modules for designing hard-wired safety-related control and monitoring systems. It operates with only one system voltage of 24 V DC. Practice-oriented design and uncomplicated project planning enable an easy installation. All modules are equipped with a self-diagnosis for fault detection; additional communication modules enable the data transfer from the control to other systems.

    The HIMA Planar4 System was developed on the basis of decades of experience in the technology of hard-wired programmed controllers; it is based on the approved and successful Planar System F. The high quality standard of HIMA modules is achieved by the use of high quality components, carefully proportioned circuits, sophisticated modern manufacturing technology and thorough and automatic testing procedures.

    1.1 Safety-Related Modules

    A safe control must be designed in a way that each failure of components and other imaginable influences do not cause impermissible failure states. Safety-related systems are required e. g. for trains, lifts, presses, elevators, incinerator plants etc.

    The safe state is the state into which a system can be put from its current operational state and which has a system specific lower hazard potential than the operational state. The absolutely safe state for systems with a safety state is according to DIN 31000 the state with the lowest amount of energy involved.

    In the common electronic control modules DC voltage signals are processed (static circuits). This simple design cannot be used for safety-related modules, as the failure direction of electronic components cannot be defined, and for this reason in case of a failure the deenergized state cannot be guaranteed.

    The HIMA Planar4 System comprises special TÜV tested modules which meet the requirements for safety-related control systems. The safety-related electronic modules use the dynamic principle: the input and output signals are still static DC voltage signals, but the internal processing of these signals is made dynamically. For this purpose each safety-related module has its own integrated function frequency generator.

    Fig. 1 shows the principle structure of a safety-related AND element as an example. The V1 transistor can only amplify the rectangular signal of the function frequency generator if the E1 contact is closed. The same principle of function is true for the V2 transistor with contact E2. Thus the output stage is controlled, and at the secondary side of the transformer an AC voltage is generated which is available at output A after rectification as 1-signal.

    Fig. 1: AND function in safety-related design

    If any component in the safety circuit fails, the output is deenergized. The safety function is not endangered when up to three errors occur within the circuitry. All requirements concerning the fail-safe shutdown are met by use of the dynamic principle.

    The safety-related modules of the system are tested according to DIN V 19250 and IEC 61508. All modules without microprocessors are usable in the requirement classes 1...7, corresponding to SIL 4 according to IEC 61508. Modules with microprocessors can be used up to requirement class 6 (corresponding to SIL 3). The modules are marked in the data sheet with the symbol .

    1.2 Diagnosis and Error Indication

    Failures or malfunctions in a control require an extensive error detection by skilled personnel with knowledge and documentation of the system.

    The resulting shutdown periods of a plant can cause the owner of a plant a lot of expense. To shorten these shutdown times to a minimum, the entire Planar4 System is equipped with a self-diagnosis.

    A diagnosis and communication subassembly (DCM) integrated on each module samples all input and output signals, reproduces the functions of the module and compares them with the really existing functions. So discrepancies of the signals can be detected immediately; the DCM activates an electronic output ERR (suitable for busbar wiring), and a relay (with floating contact suitable for loop wiring) is deenergized. At the same time a red light emitting diode ERR on the front plate indicates unambiguously the position of the faulty module. Fig. 2 shows the function principle. The DCM has no effects on the safety-related function.

    For reasons of clarity the input and output signals of the DCM are depicted as bus conductors; in practice non-interacting single connections are used.

    Fig. 2: Diagnosis and communication subassembly DCM

    If an error occurs only from time to time, the fault signal remains stored on the module. This also happens if the DCM generates a fault signal caused by external manipulations (e. g. a short-circuit at an output). The fault signal can be reset only by switching off the supply voltage for a short time (e. g. by pulling out and inserting the module again) or - at modules since edition state (AS) 10 - by operating the reset pushbutton on the communication module or the reset module.

    At input modules with line monitoring the external lines are checked for wire break and short circuit. A line fault is not indicated via ERR but it is announced via separate signal outputs and displayed by LEDs on the front plate. In the same way fuses in output circuits are monitored, and a tripped fuse is indicated.

    Thus in case of an error the faulty module can be localized very quickly; faulty modules can be replaced during operation. So the periods of plant shutdowns caused by a faulty control system can be reduced to a minimum.

    To avoid shutdown periods completely, i. e. for highest availability, a redundant design of the control is recommended. Then the plant can be operated in a single channel mode if one module fails, and a new start-up of the production after fault locating is not necessary. The self-diagnosis and the display of the faulty module replace the additional equivalence monitoring of both channels which was necessary till now for systems with redundant design.

    A green light emitting diode RDY (Ready) signals that the connected operating voltage (24 V DC) has a level of at least 20 V.

    1.3 Communication with other Systems

    The diagnosis and communication subassembly DCM on the modules of the HIMA Planar4 System enables the communication between a hard-wired control and other systems, e. g. a process control system. For this function each Planar4 subrack designed for communication is equipped with a communication module at module location 21 which is connected to a bus system and transfers the data of the modules at the module locations 1...20. Each subrack requires a separate communication module.

    The following information can be read out from the modules:

    - general information like type and state of the inserted module, errors in input and output circuits, voltage supply,
    - signal states of all inputs and outputs,
    - events (binary signal changes of the inputs and outputs with time),
    - residual delay of time delay elements,
    - actual values and limit values of limit monitors.

    The communication with other systems has a three-level structure:

    - communication internally on each module with the diagnosis and communication subassembly (DCM), conditioning of the module data,
    - communication within the subrack between the modules and the communication module via the bus PCB (cyclic scanning of all modules by the communication module),
    - communication externally between the communication module and other systems via a bus.

    The external data transfer from a Planar4 System to other systems is possible via an RS 485 interface (MODBUS or Profibus-DP) or Ethernet 10BaseT (OPC server with protocol TCP/IP). Depending on the type of data transfer different types of communication modules are used.

    A detailed description of the communication to other systems can be found in the chapter Communication in this system manual.

    2 Functions of the Modules in the HIMA Planar4 System

    The type designation of the modules consists of five digits. It is defined according to the following code:

    Digit   Value   Allocation
    1       1       Input modules
            2       Output modules
            3       Relay modules
            4       Logic function modules
            5       Time function modules
            6       Analogue modules
            7
            8       Communication module
            9       Power supply, accessories
    2       0       no certification
            1       (Ex) certificate
            2       TÜV certificate, safety-related
            3       (Ex) and TÜV certificate
            4
    3, 4    0..9    Counting numbers 00...99
    5       0       Standard design
            1..9    Modification

    2.1 Input Modules

    If mechanical contacts are used for input modules instead of proximity switches, they must be equipped in the field with resistors. For this application the details in the data sheet must be observed.

    Notes for the (Ex) use of modules are given in the chapter Modules for Intrinsically Safe Circuits.

    Module             Inputs                                             Output
    Type    Functions  Proximity switch  Contact  (Ex)i  Line monitoring  1-signal  RC / SIL
    12 100  4                                                                       7 / 4
    13 110  2                                                                       7 / 4

    2.2 Output Modules

    Module             Inputs                   Output
    Type    Functions  1-signal with pre-logic  Switch  Fuse with monitoring  Power    RC / SIL
    22 100  4                                                                 25V/3W   7 / 4
    22 120  1                                                                 25V/24W  7 / 4
    22 121  1                                                                 60V/24W  7 / 4
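    The five-digit type designation code defined at the start of this chapter can be checked mechanically, for example when an asset inventory of a subrack is reviewed. The following Python sketch is an added example, not code from the manual or from HIMA; the function names, the slot list and the rule "digit 2 equal to 2 or 3 means safety-related" are assumptions made for the illustration.

```python
"""Decode Planar4 five-digit type designations (added example, not HIMA code)."""
from dataclasses import dataclass

# Digit 1: module group. Value 7 has no allocation in the manual's code table.
GROUPS = {
    1: "Input module", 2: "Output module", 3: "Relay module",
    4: "Logic function module", 5: "Time function module",
    6: "Analogue module", 8: "Communication module",
    9: "Power supply, accessories",
}
# Digit 2: certification. Value 4 is listed without an allocation.
CERTS = {
    0: "no certification", 1: "(Ex) certificate",
    2: "TÜV certificate, safety-related", 3: "(Ex) and TÜV certificate",
}


@dataclass(frozen=True)
class ModuleType:
    code: str
    group: str
    certification: str
    counting_number: int   # digits 3 and 4, 00...99
    modification: int      # digit 5, 0 = standard design

    @property
    def safety_related(self) -> bool:
        # Assumption: both TÜV variants (digit 2 = 2 or 3) count as safety-related.
        return self.certification in (CERTS[2], CERTS[3])

    @property
    def ex_certified(self) -> bool:
        return self.certification in (CERTS[1], CERTS[3])


def decode(designation: str) -> ModuleType:
    """Parse a designation such as '42 500'; reject unallocated digits."""
    digits = "".join(designation.split())
    if len(digits) != 5 or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"{designation!r}: expected five digits")
    d1, d2 = int(digits[0]), int(digits[1])
    if d1 not in GROUPS:
        raise ValueError(f"{designation!r}: digit 1 = {d1} has no allocation")
    if d2 not in CERTS:
        raise ValueError(f"{designation!r}: digit 2 = {d2} has no allocation")
    return ModuleType(f"{digits[:2]} {digits[2:]}", GROUPS[d1], CERTS[d2],
                      int(digits[2:4]), int(digits[4]))


def audit_safety_path(slots: dict) -> list:
    """Return (slot, reason) for every module that is not safety-related
    or whose designation cannot be decoded."""
    findings = []
    for slot, designation in sorted(slots.items()):
        try:
            module = decode(designation)
        except ValueError as exc:
            findings.append((slot, str(exc)))
            continue
        if not module.safety_related:
            findings.append((slot, f"{module.code}: {module.certification}"))
    return findings


# Constructed inventory of one safety path (slot number -> label read off the module).
SAMPLE_SAFETY_PATH = {1: "13 110", 2: "42 500", 3: "90 300", 4: "22 121", 5: "72 100"}

if __name__ == "__main__":
    for slot, reason in audit_safety_path(SAMPLE_SAFETY_PATH):
        print(f"slot {slot}: {reason}")
```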

    2.3 Relay Modules

    Module             Inputs                   Output
    Type    Functions  1-signal with pre-logic  Fuse  Fuse with monitoring  Switching voltage  RC / SIL
    32 100  2                                                               24 V =, 24 V ~     7 / 4
    32 101  2                                                               48/60 V =, 60 V ~  7 / 4
    32 102  2                                                               110 V =, 127 V ~   7 / 4
    32 103  2                                                               220 V =, 230 V ~   7 / 4
    32 110  4                                                               250V = / ~         4 / 2

    2.4 Logic Function Modules

    Module
    Type    Functions  Logic function                                RC / SIL
    42 100  4          AND element with 5 inputs, 1 with OR          7 / 4
    42 110  8          AND element with 2 inputs                     7 / 4
    42 200  7          Element combination AND/OR/blocking element   7 / 4
    42 300  8          OR element with 2 inputs                      7 / 4
    42 400  4          Blocking element, direct and inverted output  7 / 4
    42 500  4          Selection element, 2oo3 voting                7 / 4

    2.5 Time Delay Modules

    Module
    Type    Functions                                      RC / SIL
    52 100  1          Time delay element                  6 / 3
    52 110  4          Time delay element SEVA up to 15 s  5 / 3

    2.6 Analogue Limit Monitor

    Module
    Type    Functions  Description                            RC / SIL
    62 100  2          Analogue limit monitor 0/4...20 mA     6 / 3

    2.7 Communication Modules

    Module
    Type    Functions  Description                                        RC / SIL
    80 105  1          Communication module for MODBUS                    -
    80 106  1          Communication module for Profibus-DP               -
    80 107  1          Communication module for Ethernet (OPC server)     -
    80 110  1          Reset module                                       -

    2.8 Modules for Power Supply, Accessories

    Module / Accessory
    Type    Functions  Description                                                          RC / SIL
    90 100  4          Fuse module 24 V DC with monitoring                                  -
    90 300  2          Bypass module, non-interacting                                       -
    90 900  -          Subrack, soldering connections                                       -
    90 901  -          Subrack (Ex)i, soldering connections                                 -
    90 902  -          Subrack, termipoint/wire-wrap                                        -
    90 903  -          Subrack (Ex)i, termipoint/wire-wrap                                  -
    90 900  -          Subrack, soldering connections, supply EL+ separately for each slot  -

    2.9 Intrinsically Safe Circuits and Modules

    Different types of protection according to EN 50014 (VDE 0170/0171, part 1) are applied to electrical installations in order to prevent the risk of explosion within explosive atmospheres.

    In the Planar4 System two variants are applied:

    - Modules for control of (Ex)d valves,
    - Modules with (Ex)i circuits.

    These installations are called corresponding electric installations.

    For use of the (Ex)d installations the related modules must be equipped only with fuses of the values mentioned in the Test Certificate.

    The circuits of the type of protection "intrinsically safe", designation "i" according to EN 50020 (VDE 0170/0171, part 7), limit the currents and voltages prevailing in the sensor circuits in a way to prevent sparks and thermal effects during operation or in the case of malfunction (under fixed testing conditions), which otherwise could cause explosions within explosive atmospheres.

    Intrinsically safe amplifiers are used for transmitting control commands from intrinsically safe circuits to circuits that are not intrinsically safe and vice versa. Due to the design of these modules all intrinsically safe circuits within the modules are reliably protected against the impact of external voltages from non-intrinsically safe circuits, and the intrinsically safe circuits are electrically isolated from the supply voltage and the output circuits up to 250 V.

    The intrinsically safe parts of corresponding electric installations are divided into the categories ia and ib. Moreover, the parts are divided into group I (mines susceptible to firedamp) and group II (hazardous areas except mines susceptible to firedamp). An indication of temperatures (T1...T6) does not apply, as these are corresponding electrical installations which must be installed outside the hazardous areas.

    Example of a designation for the control circuit of a corresponding electrical installation:

    II(1)G [EEx ia] IIC (according to European guidelines)

    II     Operation range: device group
    1 G    Operation range: device category
    [ ]    Designation of a corresponding electrical installation
    EEx    Installation with type of protection according to EN
    ia     Type of protection intrinsically safe, category ia
    IIC    Temperature class (test gas mixture, 21 ± 2 % of hydrogen in air)

    Modules with intrinsically safe circuits have an EC Prototype Test Certificate. These certificates are part of the respective data sheets of this system manual.

    The number of the certificate contains statements as shown in the following example:

    PTB 97 ATEX 2164 X (according to European Guidelines)

    PTB    Testing authority
    97     Year of issue
    ATEX   Type examination according to EC Guideline 94/9/EG
    2      Sign of test department
    164    Consecutive number
    X      Specific conditions

    The indications of specific conditions (X) are e. g. notes on:

    - arrangement of the module outside hazardous areas,
    - mounting with type of protection IP 20 according to EN 60529 (protection against medium-sized foreign bodies, no protection against water),
    - interconnection of intrinsically safe circuits (the statements in the certificate for parallel connection do not indicate that the correct function of the modules is guaranteed even when connected in parallel),
    - features of the wiring.

    Modules for intrinsically safe circuits are marked in the data sheets with the symbol .

    When fitting HIMA modules with intrinsically safe circuits into subracks and cabinets, the following items should be observed (cf. also EN 50014, EN 50020, EN 60079-14):

    - Use of female connectors with higher resistance to creepage and coding pins
    - Separation of intrinsically safe and non-intrinsically safe terminals, distance of 50 mm or partition (filament dimension 50 mm)
    - Intrinsically safe lines and cables with insulation in light-blue colour
    - Separation of intrinsically safe and non-intrinsically safe lines and cables or additional insulation
    - Use of wiring protective covers, or pins of the female connectors covered with shrink sleeves, including all pins in an area of 50 mm around the (Ex)i pins
    - Use of power supplies with safe isolation
    - Limitation of the output voltage of the power supplies to 30 V
    - Protection against system interference by disturbing voltages

    For modules with intrinsically safe circuits coding pins must be used on the female connector (on pin d6) in the subrack in order to ensure that the intrinsically safe circuits are not endangered by inserting non-intrinsically safe modules into slots with intrinsically safe functions. The module location must be designated with the type of the module.

    2.10 Current Circuits with Safe Isolation

    Safe isolation means preventing, with sufficient safety, the transfer of the voltage of one circuit into another one.

    The safe isolation is achieved by the use of optocouplers (DIN VDE 0884), isolating transformers and/or relays.

    For the protection against dangerous electric shocks the chemical industry recommends a low functional voltage with safe isolation (SELV, PELV) according to EN 50178 (NAMUR recommendation NE 23). This protection measure is intended to allow non-hazardous work like maintenance or repair to be carried out with the plant running. This greatly increases the availability of the plant.

    Relay amplifiers effect a safe isolation of the inputs and the supply voltage from the output contacts; buffer amplifiers effect a safe isolation of the inputs from the outputs as well as from the supply voltage, in accordance with EN 61140 (VDE 0160 part 1). The clearance in air and the creepage distance are dimensioned for overvoltage class II or III up to 300 V. According to EN 50178 the overvoltage classes are defined as:

    Overvoltage class III: circuits which are designed for the connection to the mains supply

    Overvoltage class II: circuits which are not designed for the connection to the mains supply

    The overvoltage classes and the notes on safe isolation are indicated in the data sheets of the respective modules.

    To prevent electric shocks at output circuits with high switching voltage, relay amplifiers should be placed in separate subracks. Additionally the rear part of these subracks must be covered with a barrier; optionally the connector pins may be covered with shrink sleeves.

    3 System Data

    3.1 Operating Voltage

    The HIMA Planar4 System operates on one voltage only. The operating voltage required for the modules is defined according to DIN 19240 (7.85) as follows:

    Nominal voltage                 24 V DC, -15...+20 %, 20.4 V...28.8 V
    Maximum admissible tolerance
    for continuous operation        18.5 V...30.2 V (including ripple)
    Maximum peak value              35 V for 0.1 s
    Admissible ripple               r < 5 % effective value, rpp < 15 % peak to peak value
    Reference potential             L- (negative pole); grounding of the reference pole is admissible

    The modules are overvoltage-protected. This protection also serves as polarity safeguard. The connected operating voltage is signaled on the front plate of the modules by a green light emitting diode RDY (Ready) if it has a level of at least 20 V.

    In order to ensure the correct function of the control, the operating voltage 24 V DC must be monitored by means of a voltage measuring device. If the voltage goes down to a value of 18 V, the supply voltage of the control or at least of the output modules must be cut off.
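    The limits of section 3.1 can be applied to a logged supply-voltage trace as follows. This Python sketch is an added example, not part of the manual or of any HIMA tool; the state names, the sample trace and the reading of "goes down to a value of 18 V" as "at or below 18 V" are assumptions.

```python
"""Supervise a 24 V DC supply trace against the section 3.1 limits (added example)."""

NOMINAL_V = (20.4, 28.8)      # 24 V DC, -15...+20 %
CONTINUOUS_V = (18.5, 30.2)   # admissible for continuous operation, incl. ripple
PEAK_MAX_V = 35.0             # maximum peak value ...
PEAK_MAX_MS = 100             # ... admissible for 0.1 s
RDY_MIN_V = 20.0              # green RDY LED lights at this level or above
CUTOFF_V = 18.0               # assumption: cut off at or below this value


def rdy_led(volts: float) -> bool:
    """True if the RDY LED on the module front plate would be lit."""
    return volts >= RDY_MIN_V


def classify(volts: float) -> str:
    """Classify one voltage sample without regard to its duration."""
    if volts <= CUTOFF_V:
        return "cutoff"          # supply of control / output modules must be cut off
    if volts < CONTINUOUS_V[0]:
        return "undervoltage"    # below continuous tolerance, cutoff not yet reached
    if volts > PEAK_MAX_V:
        return "overvoltage"     # above the maximum peak value
    if volts > CONTINUOUS_V[1]:
        return "peak"            # tolerated only for PEAK_MAX_MS
    if NOMINAL_V[0] <= volts <= NOMINAL_V[1]:
        return "nominal"
    return "tolerance"           # outside nominal, inside continuous tolerance


def supervise(trace):
    """trace: list of (time_ms, volts) in ascending time order.
    Returns a list of (time_ms, state); a peak lasting longer than
    PEAK_MAX_MS is reported as 'peak-too-long'."""
    result = []
    above_since = None
    for time_ms, volts in trace:
        state = classify(volts)
        if volts > CONTINUOUS_V[1]:
            if above_since is None:
                above_since = time_ms
            if state == "peak" and time_ms - above_since > PEAK_MAX_MS:
                state = "peak-too-long"
        else:
            above_since = None
        result.append((time_ms, state))
    return result


def violations(trace):
    """Samples that are outside what section 3.1 admits."""
    ok = ("nominal", "tolerance", "peak")
    return [(t, s) for t, s in supervise(trace) if s not in ok]


def cutoff_time_ms(trace):
    """Time of the first sample that requires the supply to be cut off, or None."""
    for time_ms, state in supervise(trace):
        if state == "cutoff":
            return time_ms
    return None


# Constructed sample trace: (time in ms, measured voltage in V).
SAMPLE_TRACE = [
    (0, 24.1), (50, 19.2), (100, 32.0), (150, 33.5), (200, 31.0),
    (250, 30.9), (300, 24.0), (350, 18.3), (400, 17.9),
]

if __name__ == "__main__":
    for time_ms, state in supervise(SAMPLE_TRACE):
        print(time_ms, state)
```

    Note that a sample such as 19.2 V is still inside the continuous tolerance although the RDY LED is already dark.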

    3.2 Voltage Supply

    In the range of voltage supply for HIMA systems three different terms are used:

    L+     positive pole (power voltage)
    EL+    positive pole (control voltage)
    L-     negative pole (reference pole)

    For L+ and EL+ the same definitions as mentioned at item 3.1 are valid. Due to the admissible ripple for control voltage (EL+) and power voltage (L+), a connection to single-phase mains supply requires either power supply units with bridge rectification and smoothing or stabilized power supply units. The HIMA standard power supply units (stabilized types) meet these requirements; additionally they are able to compensate dips of the primary supply voltage up to 20 ms under full load. Detailed information is available from the HIMA brochure Power Supply and Current Distribution.

    Note: To reduce the total power loss, in principle the use of stabilized (switched-mode) power supply units is recommended.

    The EL+ is defined to be a voltage which is able to compensate voltage dips up to 20 ms per second (according to NAMUR NE 21). This requirement can also be met by the L+ supply, e. g. when HIMA standard power supply units are used or by application of a battery back-up.

    High current peaks (e. g. caused by lamps, 7...10-fold nominal current) must be compensated by sufficiently dimensioned power supply units or by back-up batteries. If this is not provided, a decoupled supply voltage EL+ is required for supplying the electronic modules.

    The decoupling is also necessary when using power supply units for connection to three-phase current. Due to their three-phase bridge rectification they do have a sufficiently low ripple but no compensation of voltage dips.

    A decoupling consists of a power diode and a capacitor (approx. 7000...10000 mF per 1 A current load). It buffers the control voltage, and the diode prevents a feedback onto the power voltage. Detailed information about decouplings is available from the brochure Power Supply and Current Distribution.

    Fig. 3: Principle of supply with decoupling

    The decoupling of the control voltage from the power voltage can also be achieved by the use of two separate power supply units.

    An operation without decoupling is only possible if the user provides an uninterrupted 24 V DC supply voltage according to NAMUR NE 21.

    If a redundant power supply is required, the supply units connected in parallel must be decoupled via additional diodes. These diodes are already integrated in the HIMA standard power supply units.

    Fig. 4: Principle of supply without decoupling

    3.3 Wiring of the Subracks

    If the possibility of communication is not used in a control operating with the Planar4 System, a normal 19-inch subrack is sufficient for the mechanical design. With 32-pole connectors all functions of the system except the communication can be used. For the basic wiring only the following pins are used:

    EL+                          z30, d30
    L-                           z32, d32
    Error signal (busbar)        d28
    Error signal (NC contact)    z26-d26

    Fig. 5 shows the principle of the basic wiring of the subrack. For reasons of EMC, loose wiring of the communication connections in this subrack is advised against; for this purpose the subrack with bus PCB should be used.

    For safety reasons the reference pole L- must be made as a ring feeder to the distributors and the subracks. Both ends of this ring line must be connected to two separate terminals on the L- busbar. The L- must not be fused.

    The different circuits in the cabinets are fused with 4 A fuses as wire protection. They are included in the power distribution modules. These are connected to a back-up fuse of preferably 16 A. If the total current exceeds the value of 16 A, several back-up fuses with 16 A must be provided. Back-up fuses, distribution elements (e. g. busbars) and diodes for redundant supplies are mounted on drawers for the 19-inch field. Detailed information about these drawers is available from the brochure Power Supply and Current Distribution.

    For application of the communication of the Planar4 System the use of the special subrack with bus PCB is recommended. The entire basic wiring (voltage supply, fault signals and communication) is included in the PCB; so there is more space available for the wiring of the functions. Module location no. 21 is reserved for the communication.

    Fig. 6 shows a depiction of the bus PCB principle. Additionally the depiction shows with an example how the potential-free terminal blocks XG.2 to XG.5, which consist of seven linked terminals each, can be used for further wiring. In order to keep mechanical stress on the soldering points low, the terminal blocks XG.1 to XG.6 should be pulled out from their sockets before connecting or removing wires.

    If not all module locations in the subrack are used, the pins of the contact loop for the fault signal (z26-d26) must be linked or connected to the terminals EC in the blocks XG.1 or XG.6. From terminal E the fault signal ERR is available as a common signal for further processing.

    Fig. 5: Basic wiring of a subrack without bus PCB

    Fig. 6: Bus PCB of the subrack, principle depiction with wiring example

    Fig. 7: Bus PCB of the subrack, EL+ for each slot, principle depiction

    [Figure: connector pin rows z, b, d (pins 2...32) for slot nos. 1...21, with separate EL+ feeds for positions 20...15, 14...8 and 7...1, and terminals EL+, L-, E, EC. Legend: pin for function wiring; connection on bus PCB used for communication; busbar for fault signal ERR; contact loop for fault signal E, EC.]

    3.4 Electromagnetic Compatibility (EMC)

    The modules of the Planar4 System meet the requirements of the EMC guideline of the European Union. The data sheets and the modules therefore show the label.

    Immunity

    The severity level of the test is defined in the following standard:

    EN 50082-2    Electromagnetic Compatibility (EMC), Generic Immunity Standard, Industrial Environment

    Standard                           Test                                          Test value
    NAMUR NE 21 5/93                   Inrush current limiting                       Imax 15 x IN
    IEC 1000-4-2 (DIN EN 61000-4-2)    Electrostatic discharge (ESD)                 Contact: 6 kV, clearance in air: 8 kV
    IEC 1000-4-3 (DIN EN 61000-4-3)    Radio frequency interference (RFI), radiated  10 V/m
    IEC 1000-4-4 (DIN EN 61000-4-4)    Burst (supply lines)                          2 kV
                                       Burst (data lines)                            2 kV
    IEC 1000-4-5 (DIN EN 61000-4-5)    Surge pulse (supply lines)                    1 kV symm., 2 kV asymm.
    IEC 1000-4-6 (DIN EN 61000-4-6)    Radio frequency interference, conducted       10 V

    Emission

    EN 50081-2    Electromagnetic Compatibility (EMC), Generic Emission Standard, Industrial Environment

    EN 55011      Suppression of Radio Disturbances caused by electrical appliances and systems

    The modules do not exceed the limits of the class B for the group 1 and are designed for use in industrial environment.

    3.5 Ambient Conditions

    The modules of the HIMA Planar4 System are suitable for application under the following ambient conditions:

    Range of ambient temperatures prevailing
    on the modules during operation           -25...+70 °C
    Admissible storage temperature            -40...+85 °C
    Admissible humidity
      annual average                          75 %
      during 30 days of the year              95 %
      during the remaining days               85 %, not exceeding the annual average

    Pollution

    Pollution degree II: slight, non-conductive pollution

    Limit of mechanical stress

    Vibration / oscillation    10...150 Hz, 1 g
    Shock                      15 g / 11 ms

    Admissible mechanical stress for stationary non-vibrationless devices or vehicles, but not fitted to a motor or on board of ships

    Air pressure

    Operating altitudes up to 1000 m MSL

    Note: Modules of the HIMA Planar4 System may also be used at altitudes higher than 1000 m MSL if the reduction of the power dissipation (and of the output loads at the same time) is taken into account.

    From 1000 m MSL the power load at nominal voltage must be reduced by approx. 10 % per 1000 m additional altitude.

    3.6 Definition of Signals and Standard Load Factors

    The signal levels of the modules of the Planar4 System correspond to the standard IEC 60946 (binary DC signal).

    With reference to EN 61131-2 the inputs and outputs of the Planar4 System can be combined with those of the HIMA Automation System without any restrictions.

    The input and output loads can be recognized by the standard load factors indicated in the data sheets.

    Designation of standard load factors:

    F (Fan in (Fi) or Fan out (Fo)), indication of figure and letter F, e. g. 10 F.

    There is no difference made between Fan in and Fan out, since it is obvious whether this relates to an input load (Fi) or an output load capability (Fo).

    The values are summarized by the following table.

    Note: The signals for the control of Planar4 modules must have an edge steepness of 1 V/ms.

    Designation                                  Values according to IEC 60946

    Standard load factor
      Designation within the HIMA data sheets    F = Fan
                                                 Declaration of a number and character F
      Note                                       Fi = Fan In (input load) / Fo = Fan Out (output load capability)
      Electrical value                           1 F = 2 mA at 24 V (Ri = 12 kΩ)

    Signal voltages on the inputs
      0-Signal (L-Signal)                        -3 V...+5 V or open input
      1-Signal (H-Signal)                        +13 V...+33 V
      typ. operating point                       approx. +10 V

    Signal voltages on the outputs
      0-Signal (L-Signal)                        0...+2 V
      1-Signal (H-Signal)                        +16 V...+30 V
                                                 10 F


    3.7 Short-Circuit Strength of the Outputs

    The outputs marked are short-circuit proof against L- and L+. According to VDE 0160 (05.88), outputs may be designated as short-circuit proof if there is no excessive temperature rise or other damage when a short-circuit occurs for an indefinite time. When the short-circuit is eliminated, full functioning must be restored without replacement of components.

    This is not applicable, however, if the value of a fuse in the output circuit is lower than the electronic short-circuit current limitation.

    The short-circuit strength and immunity to damage of the inputs and outputs of the Type F modules is assured against L- and L+ without limitation. Therefore, during testing and commissioning, the 1-signal can be forced at any time by applying L+ to an input and the 0-signal by applying L-, without having to note the state of the preceding output.

    Short-circuits or the application of a signal can also cause the diagnosis and communication subassembly (DCM) to indicate an error on the module. The function of the module is not influenced, but the fault signal remains until the voltage supply of the module is switched off for a short time, e.g. by pulling out the module and inserting it again or, for modules since edition state (AS) 10, by operating the reset pushbutton on the communication module or the reset module.

    3.8 Current Consumption of Modules

    The currents indicated under operating data in the data sheets apply to functional modules, i.e. the current indications also include the input circuits and therefore the input currents. As a consequence the load of the control outputs is automatically taken into account.

    The control current consumption of wired systems is the total of the currents indicated under operating data in the data sheets.

    The current consumption of the power circuit is the total of the currents of the loads connected (lamps, solenoid valves, relays etc.).

    3.9 Contact Data of the Error Relay in the DCM

    Contact material: Ag alloy, gold-plated
    Switching voltage: 30 V DC/AC, 10 mV
    Switching current: 1 A, 10 A
    Switching capacity: DC 30 W, non-inductive load; AC 30 VA, cos φ > 0.7
    Bounce time: < 2 ms
    Life, mechanical: > 10^7 cycles
    Life, electrical: > 10^5 cycles at resistive load and 0.1 cycles/second


    4 Mechanical Design

    4.1 Modules of the HIMA Planar4 System

    The modules are based on printed circuit boards according to DIN IEC 326 (160 x 100 mm), made from glass-fibre reinforced epoxy resin. The tracks are tin-plated and coated with a solder resist.

    Fig. 8: Side and front view of a module

    Depending on the type, the front plate may include light emitting diodes, switches, operating elements etc. The indicator lights shown in the data sheets are designed as light emitting diodes. The type of the module and the markings for display and operating elements are printed on. After the fixing screws have been detached, the module can be pulled out by pushing down the mobile handle on the front plate.

    A male connector type F according to DIN 41612 is used as plug connector. The male connectors at the modules and the female connectors at the subracks meet at least the requirement level 2 according to DIN 41612. The contacting surfaces are hard gold plated.

    The module data sheets indicate the space requirements:
    3 U high, 1 U (unit) = 44.45 mm
    4 SU, 1 SU (spacing unit) = 5.08 mm

    4.2 Subracks

    The modules can be arranged in subracks type BT 21 (with 21 slots), available for 19-inch fields. The subracks can be fitted into frames or racks featuring tracks of punched holes according to DIN 41494. In addition there are special subracks available with a bus printed circuit board including a module location for a communication module and the entire basic wiring for voltage supply, fault signals and communication (cf. also chapter Wiring of the Subracks).


    4.3 Cabinets and Racks

    For the construction of systems there is a standard selection of cabinets with 19" frames available.

    For further details of the cabinets refer to the brochure Standard Cabinet and Mechanical Construction.


    5 Wiring and Fusing

    5.1 Colours of Wires

    For the wiring of the voltage supply in the cabinet with single wires and for solid-wire links the following colours are recommended and used by HIMA:

    red (RD): L+, EL+ (24 V DC)
    black (BK): L- (reference pole)
    grey (GY): signal lines
    brown (BN): circuits with U > 50 V AC, U > 120 V DC
    light blue (BU): intrinsically safe circuits

    5.2 Wire Cross-Sections

    Feeding of the HIMA Cabinets

    An externally generated supply voltage 24 V DC must also be fused externally.

    Inside the cabinet the wiring of the supply voltage is made in accordance with the following table:

    Current (external fuse) | Terminal size | Wire cross-section | Wiring in the cabinet
    I ≤ 16 A | 4 mm² | 2.5 mm² | direct on potential distributor
    I > 16 A, I ≤ 35 A | 10 mm² | 6 mm² | on distribution drawer K . . . .
    I > 35 A, I ≤ 63 A | 35 mm² | 16 mm² | on distribution drawer K . . . .

    Cross-Sections in HIMA Systems

    Wire cross-sections behind fuses are dimensioned according to the following table:

    Fuse | Cross-section
    4 A gL or T | 1.0 mm²
    10 A gL | 1.5 mm²
    16 A gL | 2.5 mm²
    25 A gL | 4.0 mm²
    35 A gL | 6 mm²
    50 A gL | 10 mm²
    63 A gL | 16 mm²

    Used equipment wire: type H07V-K


    5.3 Fuses

    There are two categories of fuses:

    - Fuse cartridges
      Here the standards DIN VDE 0636-301 and DIN 49515 are valid. In HIMA systems generally only the following fuse cartridges are used:
      gL: line protection
      gR: semiconductor protection

    - Miniature fuses (G fuses, 5 x 20 mm and 5 x 25 mm)
      Here the standard IEC 60127-2 is valid. The fuse tripping characteristic is identified by the classes:
      F: quick-acting
      T: time-lag

    The fuses available in the supply of the control voltage EL+ and the power circuit voltage L+ are exclusively intended for line protection. For this reason, fuses below 4 A are not required (on fuse modules). The subracks with a bus PCB and the fuse modules may be protected using back-up fuses with preferably 16 A.

    The reference pole L- must not be protected by fuses in order to ensure that the modules operate properly. For safety reasons the reference pole L- must be made as a ring circuit to the distributors and the subracks. Both ends of this ring line must be connected to two separated terminals on the L- busbar. The modules of the Planar4 System are equipped with at least two connections for L-.

    The power supply unit is fuse-protected against short circuits at the system supply. Here it is also admissible to have a fuse-protected negative pole L- if it is ensured that the system is completely closed in itself and that before the fuse there are no electrical connections to other systems.

    5.4 Connecting the Field Cables

    Basically, the field cables may be connected in various ways on the cabinets or directly on the subracks:

    - Terminals available on the cabinets or racks:
      Terminal strips with continuous terminals are available on the rear side of the cabinet or rack. According to this traditional method the internal lines to the connecting points of the female connectors on the subracks are connected on one side of the terminals, and the wires of the field cables on the other side.

    - Connectors in the cabinets or racks:
      Connectors are used instead of continuous terminal rows and they enable a quick connection of the system on site when using preassembled cables.


    6 Tests within the Quality Management

    The quality assurance is based on DIN EN ISO 9001.

    All modules of the HIMA Planar System F, as well as the control cabinets and systems wired by HIMA, are subject to extensive functional tests before delivery.

    6.1 Final Product Testing of Modules

    Each individual module is subject to a complete final test. These tests are carried out using automatic test equipment or special testing devices. A specific test program is elaborated for each individual module. Specific devices for each individual module provide for measuring electrical values at given locations within the circuit. These measurements not only compare the voltage levels but also register their course in time and compare it to the target data.

    6.2 Factory Testing of HIMA Control Cabinets

    Factory testing of HIMA control cabinets or of the systems wired by HIMA is effected in two stages: mechanical check and function test.

    6.2.1 Mechanical Check

    Completeness

    Using the unit list and the design plan, it is checked whether the parts have been fitted completely and properly.

    Wiring check

    - Conductor cross-sections, colours and fuse protection of supply 24 V DC according to wiring documents
    - Laying and connecting of intrinsically safe circuits
    - Laying of lines featuring voltages not inherent to the system
    - Checking of solder joints, screwed and terminal connections, as far as possible
    - Checking live conductors and wiring of busbars for short-circuit and polarity
    - Function of the built-in fans

    Labelling

    - Attaching and designating the modules and the mounting parts in compliance with HIMA standard
    - Attaching type, company and test plates


    Mechanical parts

    - Checking of screwed connections
    - Checking the colour of the cabinets and type of painting
    - Checking whether the doors close properly
    - Locking the swivel frame for dispatch
    - Grounding of all metal parts

    6.2.2 Function Test

    Function tests are carried out on the individual HIMA control cabinets using the circuit diagrams.

    They include the electrical signals of the input terminals, the functions and the output terminals.

    The binary and digital input signals are simulated on test boards using switches or keys. The binary output signals are indicated by lamps. Testing of valve and motor functions is effected using special modules (simulation of functions).

    Analog input signals are simulated using voltage or current sources. Similar functions (e.g. in the case of annunciator systems and isolating amplifiers) are subject to functional random testing; wiring is checked completely by line continuity tests.

    The testing scope does not include an interconnection of several control cabinets. Interconnection is made only upon request and will be charged additionally.

    Factory testing of switch cabinets is effected together with the modules that are delivered with the cabinets.

    During the factory acceptance test the doors and covers of control cabinets are not yet mounted, to allow for possible modifications. They will be mounted before dispatch.

    6.2.3 System Test at Increased Temperature

    The function of HIMA control cabinets or wired systems can be tested in a special room at increased temperatures of 50 °C (5 °C). Depending on the size of the room, up to ten standard cabinets including test equipment can be tested simultaneously.

    Testing of cabinets at increased temperatures (Special test: Heat Soak Test) is made upon request only and will be charged additionally.


    7 Engineering Notes

    Mixed equipment of modules (Ex)i and non-(Ex)i

    Modules with intrinsically safe connections ((Ex)i) can be placed directly beside normal ones; minimum distances or empty slots are not prescribed. The statements of the chapter Intrinsically Safe Circuits and Modules, however, must be regarded, especially concerning the wiring.

    Edge steepness of the signals

    The signals for the control of Planar4 modules must have an edge steepness of 1 V/ms. If the edge steepness of an input signal is too small, a module error may be diagnosed. The safety function and the diagnosis of a module are independent of each other.

    Wired-OR logic

    Wired-OR logic functions are not admissible for the outputs of logic modules, as this can result in the diagnosis of a module error. OR functions must be realised with OR elements. For this purpose power outputs have a second output decoupled with a diode. A break of the diode, however, is not detected in this application.

    Time delay with RC element

    RC elements for the time delay of signals are not admissible, as this can result in the diagnosis of a module error (cf. above, Edge steepness of the signals). For time delay functions suitable modules must be used.

    Minimum load for the module 22 100

    When the module 22 100 is used as a signal amplifier, there must be a minimum load of 1.5 W (corresponding to 60 mA / 30 F / 420 Ω) at the output concerned. If this is disregarded, errors may be diagnosed in the subsequent modules (cf. above, Edge steepness of the signals).

    Connection of switching voltage to modules 32 100 ... 32 103

    The reference pole of the switching voltage for the modules must also be connected for monitoring, otherwise illogical displays (LEDs OC) will occur.

    Ring feeder for reference pole L-

    For safety reasons the reference pole L- must be made as a ring feeder to the distributors and the subracks. Both ends of this ring line must be connected to two separated terminals on the L- busbar. The L- must not be fused.

    Operating voltage

    In order to ensure the correct function of the control, the operating voltage 24 V DC must be monitored by means of a voltage measuring device. If the voltage goes down to a value of 18 V, the supply voltage of the control or at least of the output modules must be cut off.

    Engineering notes for safety functions can be found in the chapter Safety Controls with the Planar4 System in this manual.


    Fault signals of modules

    Manipulations on the wiring side of a subrack can cause the diagnosis and communication subassembly (DCM) to indicate an error on a module. The function of the module is not influenced, but the fault signal remains stored until
    - the supply voltage is switched off for a short time,
    - the module is pulled out and inserted again, or
    - a reset is triggered via the communication modules 80 105, 80 106, 80 107 or the reset module 80 110 (possible only for Planar4 modules with the edition state (AS) 10).


    8 Start-Up, Maintenance, Repair

    In order to avoid reducing or endangering the safety of modules of the Planar4 System and their functions, the following chapters Start-up, Maintenance, Repair, Safety Controls with the Planar4 System and Certification of the Planar4 System, as well as all notes in the data sheets of the modules, have to be regarded carefully before starting work on start-up, maintenance, modifications and repairs.

    8.1 Start-Up

    The control cabinets are delivered with the modules plugged in and fixed with screws. They have been tested with these modules in the factory, so that the following tests can be restricted to the correct external installation.

    The modules themselves have no coding. Only the correct allocation of the module type to the slot according to the labelling must be regarded. The existing fuse modules including fuses have to be checked for completeness.

    For pulling out or inserting modules of the Planar4 System it is not required to cut off the power supply, but any possible effects on the entire function of the control must be regarded.

    8.1.1 Testing the Inputs and Outputs for External Voltage and Earth Faults

    Impermissible external voltages (especially e.g. 230 V AC to earth or L-) can be checked with a multimeter. It is recommended to check each single connection for impermissible external voltage.

    When testing the external cables for insulating resistance, short circuits and wire breaks, the cables must be disconnected at both ends in order to avoid defects or damage to the modules from excessive voltages.

    The testing for earth faults is made when the field cables are connected to the control cabinet. The supply voltage to the sensors and the negative pole for the actuators must be disconnected. If the negative pole is used for earthed operation, the earth connection must be interrupted during testing for earth faults. This also applies to the earth connection of any existing earth fault testing facilities. Each connection can be checked against earth with a resistance meter or a special testing device.

    In this state of the system, testing is only permissible for individual lines or a group of lines insulated against earth, but not for two lines against each other. Otherwise there is a high risk of damage. Testing with high voltages is not permissible either.

    The standard for test voltages and insulating resistance is EN 50178 (VDE 0160).


    8.1.2 Connection of Power Supply

    The modules are fixed with screws in the subracks when delivered. Before connection of the power supply 24 V DC it has to be checked for correct polarity, level and ripple. With polarity reversal the fuses on the modules will blow, and they are not exchangeable by the user.

    8.1.3 Modifications

    During work on the control system the operating voltage must be switched off if possible, as short-circuits in the area of the signal wiring may endanger the safety functions of the control system.

    For soldering work the use of a low voltage soldering iron with an isolating transformer is mandatory. Working with soldering irons directly connected to 230 V AC may result in damage to the semiconductors. This applies even when the operating voltage of the control is switched off.

    For other types of wiring technology, e.g. termi-point, the use of a suitable tool is necessary.

    For modifications in the area of power supply the wire cross-sections must be regarded (cf. chapter System Data). The connection of the reference pole L- to the subrack or to other devices supplied with 24 V DC must always be made as a ring line wiring.

    Short-circuits, the application of a signal or similar manipulations on the wiring side of a subrack can cause the diagnosis and communication subassembly (DCM) to indicate an error on a module. The function of the module is not influenced, but the fault signal remains stored until the supply voltage is switched off for a short time (e.g. by pulling out and inserting the module again).

    8.2 Maintenance

    The HIMA Planar4 System is designed for industrial conditions. Electronic components have a very low failure rate after the initial operating phase of approx. 500 to 1000 h. This initial operating time is already attained during the period of functional tests at the factory or during start-up of the system.

    Wear can only occur in relay outputs with heavy loads and/or those which are frequently switched. These modules should be replaced as a preventive measure when the number of switching cycles according to the data sheet is reached.

    For safety related relay outputs any stipulated testing intervals have to be regarded. More detailed instructions are listed in the data sheets of the modules or in the Report to the Certification.

    Defective modules of the Planar4 System are detected by the integrated self-diagnosis and immediately reported to an equipment suitable for evaluation (cf. chapter The HIMA Planar4 System). A defective module is identified by a red light emitting diode ERR and can be replaced at once. For replacing the module it is not necessary to disconnect the voltage supply.


    A module detected to be faulty must be removed or replaced immediately, as one or several errors occurring additionally within the module may endanger the safe state of the system.

    If an input module is equipped with line monitoring, the lines to the sensors are also tested, and external faults are indicated by light emitting diodes and additional signal outputs of the module. This is also valid for output modules with monitoring of the fuse in the output circuit. In this case the external line must be checked but the module may not be replaced.

    For power supplies and decouplings it is recommended to replace electrolytic capacitors approximately every five years.

    Other maintenance work is not required for the Planar4 System.

    8.3 Electrostatic Discharge (ESD)

    Repair or maintenance work on supply and signal lines of a Planar4 System control may only be executed by qualified personnel with consideration of all ESD protective measures. Before direct contact with these lines the maintenance personnel must be discharged electrostatically.

    8.4 Repair of Modules

    The repair of modules cannot be made by the plant operator, as special computer programs and equipment are necessary. Faulty modules should be tested by the operator and then be sent to HIMA with a short fault description.

    For repairs performed outside our influence, our responsibility for the product concerned expires. This is of especial importance in those cases where the product responsibility is fixed upon the manufacturer by legislation and/or ordinances.

    Equipment possessing a safety certificate is safety-relevant; it is marked with a TÜV safety certification number. According to the relevant authority the legal product responsibility remains with the manufacturer. In order to retain the validity of safety certificates, the repairs of safety-related modules of the Planar4 system must be performed only at HIMA.

    For all other non-safety-related modules the following ordinances are valid:

    1. Equipment with (Ex)i circuits possessing an EC Prototype Test Certificate:

    In accordance with the regulations, such equipment is clearly marked (EX sign on the front plate, Ex data on the connector strip). The conformity certificate is enclosed with the respective data sheet.


    The German ordinance on electrical systems in explosion-hazard rooms (ElexV) lays down in § 9 Repairs (1) that a piece of equipment which has been repaired in connection with a part on which the explosion protection depends must be checked and confirmed by an expert for perfect condition in safety-related functions before being used.

    According to § 9 (2) of this ordinance ElexV this requirement may be inapplicable if the equipment concerned has been repaired by the manufacturer.

    2. Equipment in systems with liquids dangerous to water under the German Water Equilibrium Act (WHG):

    This act, as amended on 30th September, 1986, lays down that repairs may be performed only by specialized companies within the meaning of § 191 of the act. If the user concerned is not certified under § 191 WHG, it is impermissible for him to perform repairs on this equipment.

    8.5 Supply of Internal Documentation of the Modules

    Internal circuit diagrams, face plans and parts lists relating to modules and devices are considered to be internal documents and do not form part of the general HIMA documentation and plant documentation. They are only needed for repair, which may not be made by the plant operator as mentioned above, and so they are not part of the delivery.

    The system manual with the data sheets provides for sufficient understanding of the module functions and for the planning of controls with modules of the HIMA Planar4 System.

    8.6 Service and System Training

    Appointments can be made with the Service Department concerning start-up, tests or modifications of HIMA controls, as well as the dates and extent of the work to be done. The invoices for the service work are based on the extent of work and on set rates.

    HIMA offers special training for the safety controls of the Planar4 System, which usually takes place on our premises. Additionally, training on site is offered on the customer's premises. The current training program with detailed information and dates can be obtained on request from HIMA.


    9 Safety Controls with the Planar4 System

    9.1 Reliability

    Reliability is the characteristic of a technical equipment to fulfil a required function under given conditions for a certain period of time. Mostly this is no longer possible if one component has failed.

    A parameter for reliability is the MTBF (Mean Time Between Failure). It shows the mean operating time during which no failures occur. The MTBF can either be calculated from the reciprocal value of the sum of component failure rates, or it can be calculated statistically.

    A high reliability (large MTBF) is, however, no criterion for the safety and also not the only criterion for the availability of a system.

    Important parameters for the statistical calculation of the MTBF are:

    Failure ratio:
    The failure ratio is the percentage of faulty components during an operating period, shown in percent.

    $$\text{Failure ratio} = \frac{\text{number of failures}}{\text{number of components}} \cdot 100\,\%$$

    Failure rate:
    The failure rate λ is the failure ratio divided by the operating time and is given in h⁻¹ or in FIT (failure in time). One FIT means one failure within 10^9 component hours.

    $$\text{Failure rate } \lambda = \frac{\text{number of failures}}{\text{number of components} \cdot \text{load time}}$$

    The failure rate depends on the operating time of the system. Fig. 8 shows this dependency. To calculate the MTBF the time of the constant failure rate is used when the infant mortalities (after 3-4 weeks of operation) are over.

    Range t0...t1: Infant mortalities
    Range t1...t2: Random failures
    Range t2...t3: Failures due to wear

    Fig. 9: Failure rate depending on time

    The infant mortalities of the modules (components) usually occur during the test and start-up period, so they are not relevant for operational application. Electronic components are only subject to infant mortality or random failures. Failures due to wear are only relevant for mechanical components (relays) and for electrolytic capacitors in power supplies.


    Calculating the MTBF of modules, which HIMA does as a standard using the failure rates indicated by the component manufacturers, will automatically result in a lower operating time, as the manufacturer failure rates are indicated for full load on the components (worst case). To obtain a realistic value the result must be multiplied by a correction factor.

    The following example shows how the MTBF of an entire system can be determined statistically:

    During five years the operating times of a plant were registered. Its control cabinet is fully equipped with 200 modules. The following operating times were found:
    100 h, 1 500 h, 13 500 h, 8 000 h, 20 000 h

    The total operating time (excluding the time for repair) was T = 43 100 h. The plant had a total of n = 5 failures.

    $$\text{MTBF} = \frac{T}{n} = \frac{43\,100\ \text{h}}{5} = 8620\ \text{h (approx. 1 year)}$$

    The reliability alone, however, is no statement about the safety of a system. Unreliable systems can be safe too, if the failures result every time in the safe state.

    9.2 Availability

    Definition according to VDI/VDE 2180:

    The availability A is the probability to find a system in a functioning state at a given point of time.

    Calculation of availability according to VDI/VDE 2180:

    $$A = \frac{\text{MTBF}}{\text{MTBF} + \text{MDT}} \cdot 100\,\%$$

    Total operating time = MTBF + MDT
    MDT = Mean Down Time

    The MDT is also frequently called "mean repair time", and it consists of the mean fault detection time plus the mean fault correction time.

    Due to the self-diagnosis of the modules of the Planar4 System there is no fault detection time, and the time for the fault correction is limited to the exchange of the module signalized as being faulty. So the MDT is calculable, unlike in systems without self-diagnosis, and the replacing of modules can be made by personnel without any specific knowledge.
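    The MTBF and availability calculations of sections 9.1 and 9.2, together with the relation for redundant modules that closes section 9.2, worked through as an added Python example (not part of the HIMA manual). The function names, the MDT values and the FIT values are assumptions chosen for illustration; the operating times and failure count are the manual's own.

```python
"""MTBF and availability figures of sections 9.1 and 9.2.

Added example, not HIMA code. Function names, MDT values and FIT values
are assumptions; the operating times are the ones quoted in the manual.
"""

FIT_HOURS = 1e9  # 1 FIT = one failure within 10^9 component hours


def mtbf_from_fit(component_fits, correction_factor=1.0):
    """MTBF [h] as the reciprocal of the summed component failure rates.

    component_fits holds manufacturer failure rates in FIT (full load,
    worst case). The manual multiplies the result by a correction factor
    but gives no number for it, so the default of 1.0 is an assumption.
    """
    total_fit = sum(component_fits)
    if total_fit <= 0 or correction_factor <= 0:
        raise ValueError("failure rates and correction factor must be positive")
    return correction_factor * FIT_HOURS / total_fit


def mtbf_statistical(operating_hours, failures):
    """MTBF [h] = T / n from recorded operating times (repair time excluded)."""
    if failures <= 0:
        raise ValueError("at least one observed failure is required")
    if any(t < 0 for t in operating_hours):
        raise ValueError("operating times cannot be negative")
    return sum(operating_hours) / failures


def availability(mtbf, mdt):
    """A = MTBF / (MTBF + MDT) as a fraction; multiply by 100 for percent."""
    if mtbf <= 0 or mdt < 0:
        raise ValueError("MTBF must be positive and MDT non-negative")
    return mtbf / (mtbf + mdt)


def mtbf_redundant(mtbf_mono, mdt):
    """MTBF_red = MTBF_mono^2 / (2 * MDT) for two modules in parallel.

    The relation only makes sense for 0 < MDT << MTBF_mono: a second
    fault has to hit the partner module while the first is being replaced.
    """
    if mtbf_mono <= 0 or mdt <= 0:
        raise ValueError("MTBF and MDT must be positive")
    return mtbf_mono ** 2 / (2 * mdt)


def compare_mdt(mtbf_mono, mdt_values):
    """One row per MDT: single-channel availability and redundant MTBF."""
    return [
        {
            "mdt_h": mdt,
            "availability": availability(mtbf_mono, mdt),
            "mtbf_redundant_h": mtbf_redundant(mtbf_mono, mdt),
        }
        for mdt in mdt_values
    ]


# Operating times and failure count from the manual's example in section 9.1.
MANUAL_OPERATING_HOURS = [100, 1500, 13500, 8000, 20000]
MANUAL_FAILURES = 5

# Assumed MDT values [h]: module swap after a self-diagnosed fault, a fault
# found within a shift, and a fault that waits for a service visit.
ASSUMED_MDT_HOURS = [0.5, 8, 72]

# Constructed component failure rates in FIT for one hypothetical module.
CONSTRUCTED_FITS = [50, 120, 30]

if __name__ == "__main__":
    mtbf = mtbf_statistical(MANUAL_OPERATING_HOURS, MANUAL_FAILURES)
    print(f"statistical MTBF: {mtbf:.0f} h")
    for row in compare_mdt(mtbf, ASSUMED_MDT_HOURS):
        print(
            f"MDT {row['mdt_h']:>5} h  "
            f"A = {100 * row['availability']:.4f} %  "
            f"MTBF_red = {row['mtbf_redundant_h']:.3e} h"
        )
    print(f"MTBF from FIT sum: {mtbf_from_fit(CONSTRUCTED_FITS):.0f} h")
```

    Because MDT sits in the denominator of the redundancy relation, the assumed 0.5 h module swap yields a redundant MTBF 16 times higher than an 8 h MDT for the same single-channel MTBF.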


    The availability can additionally be increased by parallel arrangement of modules. The MTBF of a redundant system then is determined essentially by the MDT:

    $$\text{MTBF}_{\text{red}} = \frac{\text{MTBF}_{\text{mono}}^{2}}{2 \cdot \text{MDT}}$$

    9.3 Safety

    If a system has a high reliability and availability, this does not necessarily mean it is safe. In case of failure hazardous states may occur, as no statement can be made on the reaction of the output signals of electronic components in such a case. A system is safe exactly when, in case of each possible fault, the affected part of the plant is put to a safe state. In ESD systems, for example, this is the deenergized state of the output signals, so that line breaks as well as the failure of the power supply are regarded as non-dangerous faults.

    For the term safety there are numerous definitions that have been worked out by different boards. All definitions have in common that safety means a sufficient protection from danger. In the DIN 31000 standard document, part 2, safety is defined as a situation in which the risk is not higher than the limit risk. This also means that absolute safety cannot be achieved in technology.

    Limit risk: the highest acceptable risk
    Safety: lower risk than limit risk
    Danger: higher risk than limit risk

    Fig. 10: Safety and danger as expressions of different risks

    A so-called remaining risk (danger) exists in each safe plant (as shown by the subdivision of risks in fig. 9), as not all faults can be foreseen.

    9.3.1 Safety Standards and Guidelines

    The safety standards like DIN V 19250, DIN V VDE 0801 and IEC 61508 look at the entire complex of safety, independently of specific applications. Requirement classes and the most general measures for the satisfaction of a requirement class are defined, depending on the risk involved. It is only in the group standards that possible measures are explicitly described in terms of their effectiveness and the time which they might consume.

  • 7/22/2019 Planar Safety Manual

    38/60

    Safety Controls

    36

    Product standards are included here. This division of standards and gui-delines corresponds to the CEN classification which is valid in Europesince 1992.

    | Standard | Title | Edition |
    |---|---|---|
    | VDE 0100 | Regulations for the installation of power systems | 12.90 |
    | VDE 0105 | Operation of power installations; General rules | 06.00 |
    | EN 61140 (VDE 0140 part 1) | Protection against electric shock; Basic requirements for electrical plants and installations | 08.01 |
    | VDE 0110-1 | Coordination of insulation for electrical installations in low voltage switch gears; Part 1: Principal rules | 04.97 |
    | VDE 0116 | Electrical equipment of furnaces | 10.89 |
    | EN 50178 (VDE 0160) | Electronic equipment for use in electrical power installations and their assembly into electrical power installations | 04.98 |
    | VDE 0435 | Electrical relays | 04.88 |
    | EN 60742 (VDE 0551) | Isolating transformers and safety isolating transformers | 01.95 |
    | VDE 801 | Principles for computers in safety related systems | 01.90 |
    | EN 60950 (VDE 0805) | Safety of information technology equipment including electrical business equipment | 11.97 |
    | DIN V 19250 | Requirement categories and basic safety considerations | 05.95 |
    | DIN V 19251 | Process control technology, MC protection equipment; Requirements and measures for safeguarded functions | 02.95 |
    | DIN 31000-2 | General rules to construct safety related technical facilities; Part 2: Terms of safety technology, basic terms | 12.87 |
    | EN 298 | Automatic gas burner control systems for gas burners and gas burning appliances with or without fans | 1993 |
    | EN 50081-2 (VDE 0839 part 81-2) | Electromagnetic compatibility (EMC), Generic emission standard, Industrial environment | 04.94 |
    | EN 50082-2 (VDE 0839 part 82-2) | Electromagnetic compatibility (EMC), Generic immunity standard, Industrial environment | 02.96 |
    | EN 55011 | Limit values and measuring methods of radio interferences | 2000 |
    | IEC 60068 | Basic environmental testing procedures | |
    | | Part 2-1: Cold | 03.95 |
    | | Part 2-2: Dry heat | 08.94 |
    | | Part 2-3: Damp heat, steady state | 1969 |
    | | Part 2-6: Vibration, sinusoidal | 05.96 |
    | IEC 61508 | Functional safety; safety-related systems | |
    | VDI/VDE 2180 | Safeguarding of industrial processing plants by means of instrumentation and control technology | |
    | part 1 | Introduction, terms, designations | 04.86 |
    | part 2 | Calculation methods for reliability characteristics of safety facilities | 04.86 |
    | part 3 | Classification of measurement and control systems | 12.84 |
    | part 4 | Construction and testing of protection devices | 07.88 |
    | part 5 | Building and installations requirements for safeguarding measurement and control equipment under emergency conditions | 12.84 |
    | VDI/VDE 3541 | Interlocking and sequencing systems with agreed safeguarded function | 10.85 |
    | VDI/VDE 3542 | Safety terms for automation systems | 12.88 |

    Excerpt from standards and guidelines (edition 2001)

    9.3.2 Module Test according to DIN V 19250

    All safety-related modules of the Planar4 System are tested according to requirement classes (RC) in DIN V 19250. The system concept is designed for RC 7.

    9.3.3 Module Test according to IEC 61508

    DIN V 19250 is the nationally valid basis standard for the safety of process control protection equipment; internationally it is the standard IEC 61508, and the modules of the Planar4 System are tested according to it as well.

    The safety levels of the IEC 61508 standard are defined as SIL (Safety Integrity Level) 1 ... 4. The table below serves as a cross reference to the requirement classes according to DIN V 19250.

    DIN V 19250

    DIN V VDE 0801

    IEC 61508

    Requirement classes RC Safety Integrity Level SIL

    Low demand mode of operation

    High demand or continuous mode of operation

    1

    21 (


    9.4 Functional Principles of Safety-Related Modules

    Individual operational items in modular systems are called safety-related modules when they have a corresponding safety certificate from the TÜV test authority.

    9.4.1 Module Safety by Fail-Safe Principle

    Safety-related modules are modules whose outputs are put into the state defined as safe in case of a component failure. In the Planar4 System the basis of the safety function is the closed-circuit principle; here the state with the lowest amount of energy is defined as safe.

    Unlike the modules which are not safety-related (internal processing with DC voltage), these modules use the dynamic principle internally: the input and output signals are still static DC voltage signals, but the internal processing of the signals is done dynamically via an AC coupling.

    The detailed description of this principle can be found in the chapter "The HIMA Planar4 System".

    9.4.2 Module Safety by Comparison Functions

    The safety of modules based on comparison functions (e. g. 1oo2 microprocessor systems) is guaranteed by a two-channel, synchronously operating processor structure and cyclic self-tests. Microcontrollers are used as central processor units. The task of the self-test software is to detect, by means of special measures (like high-quality tests of the input and output circuitry), all failures which may not be detected via the system structure (two-channel) and may result in a dangerous operational state.

    This safety principle is used e. g. for time-delay function modules.

    9.5 Safety Circuits

    9.5.1 Closed-Circuit Principle

    The safety-related controls of the Planar4 System are always based on the closed-circuit principle, i. e. with wire breaks or defective safety-related modules the control is set into the state defined as safe (deenergized). This principle must also be continued in the plants controlled with it.

    9.5.2 Latching Circuits (Memory)

    When the closed-circuit principle is used in safety related controls, the binary memory is replaced by a latching circuit. For these circuits it should be ensured that the self-holding function is released both in case of a switch-off and in case of a fault (including a line break). The technical realisation of this in the circuit must be the dominant reset (OFF with 0-signal).


    Fig. 11: Latching Circuits

    Note

    Due to the internal circuit structure of the modules, the feedback path of the latching circuit should be connected to the input marked d.. or, in case of more inputs, to the one with the highest number.

    9.5.3 Negation (Blocking Element)

    In safety related circuits the application of inverters is always highly problematic, as in principle the input of a module cannot distinguish between a 0-signal and an open line (line break). This is true for all hard-wired systems, including relay circuits. So the use of an inverter directly in a safety related circuit is not permissible; the negation of the signal must be made at another suitable place, e. g. by application of an opening or closing contact (with regard to the closed-circuit principle), or for proximity switches by a specially designed mechanical construction of the damping element.

    If in a safety related control both the direct signal and the inverted one are processed, the use of a safety-related blocking element is mandatory. It is important then to take the direct signal behind the blocking element from the direct output, as the internal circuit arrangement of the blocking element excludes a simultaneous 1-signal (also overlapping) on both the inverted and the direct output.

    Fig. 12: Signal inversions in safety related controls

    In the logic in fig. 12 a line break in front of or behind the time delay function, or an error within the time function, would prevent the switching-off of output A1 via E2.

    The wiring with an inverter contains a blocking element for the signal input E2 and a changed time delay function (delay-off instead of delay-on). But here, too, a line break in front of the blocking element prevents a switching-off of output A1, whereas A2 nevertheless is switched off.


    Fig. 13: Problematic nature of signal negation

    9.5.4 Input Circuits for Inductive Sensors (proximity switches)

    The safety-related input modules of the Planar4 System correspond to EN 60947-5-6 standards for DC interfaces, their inductive sensors (proximity switches) and switching amplifiers. The safety-related evaluation of a process signal, however, is obtained only in connection with a safety-tested proximity switch.

    Instead of a proximity switch, a contact with a serial and a parallel resistor can also be used. These resistors must be installed directly at the contact to detect line faults. The values of the resistors are shown in the data sheets of the related input modules.

    For the use of non-safety-related proximity switches (according to EN 60947-5-6) there is one possibility to evaluate the process signal according to the redundancy principle: via two separate proximity switches and two channels of an input module (or via two modules); both output signals must be combined by an AND element. The notes in the data sheets of the related module have to be observed.

    As the electrical and mechanical switching points of the sensors may diverge, the application of an equivalence monitoring with time delay is necessary to prevent undesired switching functions. The expense can be reduced when the safety-related module with 2oo3 selection elements is used for monitoring the signals. Additionally the function has to be tested at regular intervals, e. g. once per year.
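Added example, not taken from the HIMA manual: a Python simulation of the redundant evaluation described in 9.5.4, with two channels combined by an AND element and an equivalence monitor with time delay. The sample traces are constructed; the 50 ms tolerance, the latching of the discrepancy fault and all names are assumptions, since the manual gives no values.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    t_ms: int   # sample time in milliseconds
    ch_a: int   # channel A input state, 1 = energized
    ch_b: int   # channel B input state; a line break reads as 0


def evaluate(samples, tolerance_ms):
    """Return [(t_ms, output, fault)] for a two-channel redundant input.

    output is the AND of both channels, so any 0 (including a line break)
    de-energizes it, as the closed-circuit principle requires. The
    equivalence monitor tolerates a short divergence of the two switching
    points and latches a fault (assumption) when the channels disagree
    for longer than tolerance_ms.
    """
    results, diverged_since, fault = [], None, False
    for s in samples:
        if s.ch_a != s.ch_b:
            if diverged_since is None:
                diverged_since = s.t_ms          # divergence starts here
            if s.t_ms - diverged_since > tolerance_ms:
                fault = True                     # disagreement lasted too long
        else:
            diverged_since = None                # channels agree again
        output = int(bool(s.ch_a and s.ch_b) and not fault)
        results.append((s.t_ms, output, fault))
    return results


# Constructed traces (not measured data).
# Both sensors switch off, channel B 20 ms earlier than channel A.
NORMAL = [Sample(0, 1, 1), Sample(10, 1, 0), Sample(30, 0, 0), Sample(100, 0, 0)]
# Channel B drops (switch-off or line break) while channel A stays at 1.
STUCK = [Sample(0, 1, 1), Sample(10, 1, 0), Sample(40, 1, 0),
         Sample(70, 1, 0), Sample(200, 1, 1)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("stuck", STUCK)):
        print(name, evaluate(trace, tolerance_ms=50))
```

In both traces the output drops as soon as either channel reads 0; only the persistent disagreement in the second trace raises the fault, which then keeps the output off even after the channels agree again.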

    9.5.5 Coupling to Safety-Related Circuits

    It is possible to transfer signals from safety-related circuits to other non-safety-related modules. This may be an advantage for economic reasons. But the non-safety-related modules must have non-interacting inputs to prevent a feedback to the safety related circuit in case of an internal fault of this non-safety-related module.

    All inputs of the safety-related modules of the Planar4 System are non-interacting.

    If other modules which are not non-interacting are used for coupling to safety circuits, the non-interacting function must be guaranteed by the insertion of an OR element branch (cf. fig. 13).


    Fig. 14: Coupling to safety-related circuits


    10 Certification of the Planar4 System

    Safety related controls which in case of failure may cause considerable damage are subject to strict tests. The safety related modules used in the HIMA Planar System have all undergone individual TÜV type approval tests. The successful passing of the tests was certified for each module.

    10.1 Basis of the Certification

    Different regulations are applied for the certification tests. Detailed information about that can be taken from the Report to the Certificate.

    The TÜV test centre simulates faults like short circuits and interruptions. The test result has to demonstrate that the safety function of the HIMA module is retained in case of an undetected single fault, and even if up to two additional faults occur. The probability of occurrence of a fourth failure is considered as being sufficiently remote.

    Due to the high density of circuit elements a complex effect of faults is expected in the integrated circuits. Inevitable faults resulting from this are taken into account during the test.

    Besides this, the module is submitted to an environmental test. The air and creeping distances must follow DIN VDE 0110.

    10.2 Report to the Certificate

    The Report to the Certificate of the Planar4 System contains detailed information about testing and certification requirements and a listing of the tested modules. Additionally, restrictions are listed (e. g. proof check intervals) which may have to be observed during operation of the modules. The report is available on request.

    10.3 Notes to the Electrical Equipment of Furnace Controls according to DIN VDE 0116

    1 Circuit breaker for circuits with voltages > 50 V

    A manually operated circuit breaker has to be provided for each burner or for a group of burners, interrupting circuits with voltages > 50 V. This circuit breaker has to be mounted outside the control cabinet if not specified otherwise.

    2 Emergency switch-off and main switch

    2.1 Emergency switch-off

    The emergency switch-off signal has to be handled as an additional switch-off signal. The number and the function of emergency-off signals are to be specified. Use of push-buttons requires special circuits (e.g. latching circuits).

    In hard-wired safety-related controls these signals belong to the shutdown circuits.


    2.2 Main switch

    A main switch has to be provided on site outside the cabinet if not specified otherwise.

    3 Earthing of auxiliary circuits

    An earthed as well as a non-earthed operation is permitted. Non-earthed operation is preferred because of its higher availability.

    3.1 Non-earthed operation

    An insulation monitoring has to be provided for non-earthed operation.

    3.1.1 Supply of the control cabinet 24 V DC

    The insulation monitoring is to be provided outside of the control cabinet.

    An insulation monitoring device is also required for control circuits (output circuits) with floating or fused contacts and voltages different from 24 V DC (mainly 230 V AC). A specification of the insulation monitoring device makes sense only when the other voltages are used only for the operation of the control in question and are electrically isolated from the mains supply.

    3.1.2 Supply of the control cabinet with voltages > 24 V DC

    Mainly with power supplies 230 V AC/24 V DC

    The external power supply for control circuits with floating or fused contacts has to be monitored outside of the control cabinet if this power supply is not earthed.

    The external supply of control circuits with neutral or fused contacts requires a separate control transformer and a separate insulation monitoring if the voltage is not earthed. If not specified separately, an earthed operation of these control circuits is assumed and no insulation monitoring is provided.

    3.2 Earthed operation

    The negative pole L- has to be connected to earth. The connection to earth must be removable and has to be provided directly at the power supply (control transformer).

    The earthed operation guarantees defined signal states. However, a short circuit to earth will mainly result in a switch-off of the signal circuit or a cut-off of the fuse in question.


    11 Communication

    The communication module at module location 21 of a Planar4 subrack enables the data transfer to other systems via an RS 485 interface (MODBUS, Profibus-DP) or Ethernet 10BaseT (OPC with protocol TCP/IP). Depending on the type of data transfer, different types of communication modules are used.

    The following types of data can be transferred:

    Type of data (table columns: MODBUS, RS 485; Profibus-DP, RS 485; Ethernet (OPC), 10BaseT)

    - BOOL: State of modules, state of module inputs and outputs
    - WORD / Ubyte: Type of module, actual values, limit values
    - Events (signal changes of inputs and outputs with date and time)
    - Time synchronization

    11.1 Communication via MODBUS Protocol

    The MODBUS protocol is designed as a master-slave system for serial data transfer via a bus; it was defined by Gould Modicon Inc.

    The default setting is 1 stop bit, even parity and 9600 baud; the communication module also enables 19 200 and 57 600 baud.

    The HIMA systems only have the RTU (Remote Terminal Unit) mode of transmission. The transmission is asynchronous with 8 bits and CRC error check.

    The RTU data transmission mode usually has the following structure:

    | Start | Slave no. | Code | Data | Error check | End of telegram |
    |---|---|---|---|---|---|
    | T1 T2 T3 | 1 byte | 1 byte | * | 2 bytes | T1 T2 T3 |

    * The number of bytes depends on the function, the quantity of addresses and data

    | Field | Meaning |
    |---|---|
    | Start, end of transm. | Start of transmission resp. end of transmission is identified by a pause of 3.5 characters (bytes) (T1 T2 T3) |
    | Slave | Address of the slave system: slave number, setting on the communication module |
    | Code | Function code: Reading of data, events |
    | Data | They comprise start address (area code and basis address), quantity of addresses and data; depends on function, cf. definitions in the MODBUS protocol |
    | Error check | CRC code (Cyclic Redundancy Check), which is automatically generated by the transmitting system |


    For the Planar4 System communication the following functions can be processed with the MODBUS protocol:

    - Reading of variables like inputs, outputs, actual values, limit values
    - Reading of events
    - Time synchronization

    Binary signal changes of inputs and outputs are recorded as events. Therefore events recorded in the same scanning cycle have the same time stamp. The scanning cycle is 4 ms.

    Events can be read (reading from the buffer on the communication module) with special function codes not defined in the original MODBUS protocol or with standard codes.

    Each MODBUS communication module in a subrack of the Planar4 System is a slave in an RS 485 network. The slave number is defined by means of a switch on the communication module (cf. data sheet).

    Design of the RS 485 Bus System

    The quantity of slaves connected to a bus segment is limited to 31; by means of repeaters the system can be extended to four segments. With that the quantity of addressable slaves is limited to 124.

    The MODBUS master receives the desired information from the modules of the Planar4 System by means of slave number, function code and addresses.

    A redundant design of the RS 485 bus system is not possible, as in each subrack only one communication module can be used, and this module has only one interface.


    Function Codes

    For the Planar4 System the following function codes are realized:

    | Code | Function |
    |---|---|
    | 1 | Reading the status of one or several binary values, e. g. inquiry for the state of a module, input and output signals |
    | 3 | Reading the status of one or several digital values, e. g. inquiry for the type of a module, actual value of a time delay, residual delay times, limit and actual values of limit monitors |
    | 6 | Time synchronization |
    | 65, 66, 67 | Scanning of events: binary signal changes with time (free codes in the original MODBUS protocol) |
    | 70 | Time synchronization |

    11.1.1 Addresses

    The addresses depend on the module location in the subrack and on the requested information. For each module 256 addresses are reserved. The address A of the information of a module is determined as follows:

    $$A = p \cdot 256 + n$$

    p: module location in the subrack; for the 1st location p = 1
    n: relative address of the information within a module (cf. tables in the data sheets)

    11.1.2 Reading of Data

    For the reading of data the following function codes are realised:

    | Code | Function |
    |---|---|
    | 1 | Reading the status of one or several binary signals (type BOOL) |
    | 3 | Reading the status of one or several digital signals (type WORD) |

    With function code 3 it is possible to transfer all information of the modules of one single subrack within only one telegram. For this function 84 digital values (words) must always be requested, according to the 21 inputs of the communication module.

    The starting address, either 2000H, 3000H or 4000H, determines which of the data are required. The data depend on the type of the module. For module locations not in use the values 0 are transferred.

    The master system must be able to interpret the received data, as they contain a mixture of binary and digital values of the modules (types BOOL and WORD).


    11.1.3 Events

    The communication module generates events of all binary input and output signals of the modules. The signal changes are recorded, and an event number (depending on the module location and the signal on the module) with time is stored in a buffer. Events recorded in the same scanning cycle have the same time stamp.

    For each module 32 events are reserved. The event number E of the information of a module is determined as follows:

    $$E = (p - 1) \cdot 32 + n$$

    p: module location in the subrack; for the 1st location p = 1
    n: relative number of the event within a module (cf. tables in the data sheets)

    A maximum of 1024 events can be stored in the buffer. Two master systems can scan the events.
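Added example, not taken from the HIMA manual: Python that implements the address and event number formulas from 11.1.1 and 11.1.3, builds the function code 3 request for a whole subrack, and audits captured master requests on the RS 485 bus against the function codes and read parameters this manual lists. The standard MODBUS RTU request layout and CRC-16/MODBUS parameters are used; the range 0..31 for n in event numbers, the sample frames and all function names are assumptions.

```python
import struct

# Values taken from the manual text above.
PLANAR4_CODES = {1, 3, 6, 65, 66, 67, 70}  # function codes the manual lists
BLOCK_STARTS = {0x2000, 0x3000, 0x4000}    # starting addresses for code 3
WORDS_PER_READ = 84                        # code 3 always requests 84 words


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def module_address(p: int, n: int) -> int:
    """A = p * 256 + n, p = module location (first location is 1)."""
    if not 1 <= p <= 21 or not 0 <= n <= 255:
        raise ValueError("expected p in 1..21 and n in 0..255")
    return p * 256 + n


def event_number(p: int, n: int) -> int:
    """E = (p - 1) * 32 + n; the range 0..31 for n is an assumption."""
    if not 1 <= p <= 20 or not 0 <= n <= 31:
        raise ValueError("expected p in 1..20 and n in 0..31")
    return (p - 1) * 32 + n


def build_read_words(slave: int, start: int) -> bytes:
    """Code 3 request in the standard MODBUS RTU layout (assumed here)."""
    body = struct.pack(">BBHH", slave, 3, start, WORDS_PER_READ)
    return body + struct.pack("<H", crc16_modbus(body))  # CRC low byte first


def audit_request(frame: bytes) -> list:
    """Findings for one captured master request; an empty list means clean."""
    if len(frame) < 4:
        return ["frame too short"]
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    findings = []
    if crc != crc16_modbus(body):
        findings.append("CRC mismatch")
    code = body[1]
    if code not in PLANAR4_CODES:
        findings.append(f"function code {code} not in the Planar4 set")
    if code == 3 and len(body) == 6:
        start, count = struct.unpack(">HH", body[2:])
        if start not in BLOCK_STARTS or count != WORDS_PER_READ:
            findings.append(f"unexpected read: start={start:#06x}, count={count}")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: one expected read and one write (code 16).
    write = bytes([5, 16, 0x20, 0x00, 0x00, 0x01])
    capture = [build_read_words(5, 0x2000),
               write + struct.pack("<H", crc16_modbus(write))]
    for frame in capture:
        print(frame.hex(" "), audit_request(frame))
```

The CRC only detects transmission errors and any bus participant can compute a valid one, so a passing CRC says nothing about who sent the frame; the function code and read parameter checks are what flag unexpected masters.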

    11.1.4 Reading of Events

    For the reading of events the following function codes are used:

    | Code | Function |
    |---|---|
    | 65 | Reading event values (status of the events without time) |
    | 66 | Reading new events (address, status, time) |
    | 67 | Request to repeat the last transmission |

    Reading with function code 65

    With function code 65 the binary input and output signals of the modules are transferred without the time. For module locations not in use the values 0 are transferred.

    Function code 65

    | Slave | Code | Bytes | Starting address | Quantity of events | CRC |
    |---|---|---|---|---|---|
    | 1 byte | 1 byte | 1 byte | 2 bytes | 2 bytes | 2 bytes |
    | | | 9 | always 0 | always 640 | |

    Response of the slave

    | Slave | Code | Bytes | Event values module 1 | ... | Event values module 20 | CRC |
    |---|---|---|---|---|---|---|
    | 1 byte | 1 byte | 1 byte | 4 bytes | ... | 4 bytes | 2 bytes |

    Function code 66: Reading new events

    A maximum of 8 events (64 bytes) is transmitted at the same time.

    Function code 66

    | Slave | Code | CRC |
    |---|---|---|
    | 1 byte | 1 byte | 2 bytes |


    Response of the slave if there are no events

    Response of the slave if there are events

    Structure of an event

    Function code 67: last events transmitted

    Code 67 is only possible after code 66, if the master system has not received a correct response to code 66. It makes the slave system repeat its latest response.

    Function code 67

    Response of the slave like at code 66, if the previous code was 66, otherwise

    After a new start or buffer overflow of the slave system code 65 should be sent. In normal operation code 66 resp. 67 has to be sent cyclically by the master sys