HI 800 161 E HIMatrix F3 AIO 8 4 01
Safety-Related Controller
Contact
HIMA contact details:
HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box 1261
68777 Brühl, Germany
Phone: +49 6202 709-0
Fax: +49 6202 709-107
Table of Contents
1 Introduction
1.1 Structure and Use of this Manual
1.2 Target Audience
1.3 Formatting Conventions
1.3.1 Safety Notes
1.3.2 Operating Tips
2 Safety
2.1 Intended Use
2.1.1 Environmental Requirements
2.1.2 ESD Protective Measures
2.2 Residual Risk
2.3 Safety Precautions
2.4 Emergency Information
3 Product Description
3.1 Safety Function
3.1.1 Safety-Related Analog Inputs
3.1.1.1 Reaction in the Event of a Fault
3.1.2 Line Monitoring for Digital Outputs
3.1.2.1 Requirements
3.1.2.2 Examples
3.2 Analog Outputs
3.3 Equipment, Scope of Delivery
3.3.1 IP Address and System ID (SRS)
3.4 Type Label
3.5 Structure
3.5.1 LED Indicators
3.5.1.1 Operating Voltage LED
3.5.1.2 System LEDs
3.5.1.3 Communication LEDs
3.5.2 Communication
3.5.2.1 Connections for Ethernet Communication
3.5.2.2 Network Ports Used for Ethernet Communication
3.5.3 Reset Key
3.6 Product Data
3.6.1 Product Data F3 AIO 8/4 011 (-20 °C)
3.6.2 Product Data F3 AIO 8/4 012 (subsea / -20 °C)
3.6.3 Product Data F3 AIO 8/4 014
3.7 Certified HIMatrix F3 AIO 8/4 01
4 Start-up
4.1 Installation and Mounting
4.1.1 Connecting the Analog Inputs
5 Operation
5.1 Handling
5.2 Diagnosis
6 Maintenance
6.1 Faults
6.2 Maintenance Measures
6.2.1 Loading the Operating System
6.2.2 Proof Test
7 Decommissioning
8 Transport
9 Disposal
Appendix
Glossary
Index of Figures
Index of Tables
Index
1 Introduction
This manual describes the technical characteristics of the device and its use. It provides
information on how to install, start up and configure the module.
HIMatrix remote I/Os are available for the programming tools SILworX and ELOP II Factory.
Which programming tool can be used depends on the processor operating system of the
HIMatrix remote I/O; refer to the following table:
Programming tool    Processor operating system
SILworX             CPU OS V7 and higher
ELOP II Factory     CPU OS up to V6.x
Table 1: Programming Tools for HIMatrix Remote I/Os
Projects created with ELOP II Factory cannot be edited with SILworX, and vice versa!
The latest manuals can be downloaded from the HIMA website at www.hima.com. The revision
index on the footer can be used to compare the current version of existing manuals with the
Internet edition.
SIGNAL WORD
Type and source of risk!
Consequences arising from non-observance
Risk prevention
NOTE
Type and source of damage!
Damage prevention
2 Safety
All safety information, notes and instructions specified in this document must be strictly
observed. The product may only be used if all guidelines and safety instructions are adhered to.
This product is operated with SELV or PELV. No imminent risk results from the product itself.
The use in Ex-zone is permitted if additional measures are taken.
Exposing the HIMatrix system to environmental conditions other than those specified in this
manual can cause the HIMatrix system to malfunction.
NOTE
Device damage due to electrostatic discharge!
When performing the work, make sure that the workspace is free of static, and wear
an ESD wrist strap.
If not used, ensure that the device is protected from electrostatic discharge, e.g., by
storing it in its packaging.
3 Product Description
The safety-related F3 AIO 8/4 01 remote I/O is a compact system in a metal housing with
8 analog inputs and 4 analog outputs.
The remote I/O is available in various model variants for SILworX and ELOP II Factory, see
Table 10.
Remote I/Os are connected to individual HIMax or HIMatrix controllers via safeethernet. They
are used to extend the I/O level, but are not able to run any user program by themselves.
The remote I/O is suitable for mounting in Ex-zone 2, see Chapter 4.1.4.
The device is TÜV-certified for safety-related applications up to SIL 3 (IEC 61508, IEC 61511
and IEC 62061), Cat. 4 and PL e (EN ISO 13849-1) and SIL 4 (EN 50126, EN 50128 and
EN 50129).
Further safety standards, application standards and test standards are specified in the
certificates available on the HIMA website.
If an open-circuit occurs during voltage measurement (the line is not monitored), any input
signals are processed on the high-resistance inputs. The value resulting from this fluctuating
input voltage is not reliable; with voltage inputs, the channels must be terminated with a 10 kΩ
resistor. The internal resistance of the source must be taken into account.
For a current measurement with the shunt connected in parallel, the 10 kΩ resistor is not
required.
The analog inputs are designed to retain the metrological accuracy for 10 years. A proof test
must be performed every 10 years.
3.1.1.1 Reaction in the Event of a Fault
If the device detects a fault on an analog input, the AI.Error Code parameter is set to a value
greater than 0. If a device fault occurred, the SILworX system parameter Module Error Code is
set to a value greater than 0, or if ELOP II Factory is used, the Module.Error Code signal is set
to a value greater than 0.
In both cases, the device activates the FAULT LED.
In addition to the analog value, the error code must be evaluated. The analog value must be
configured to ensure a safety-related reaction.
The error code allows the user to configure additional fault reactions in the user program.
These conditions apply for all systems within the HIMatrix family, from compact to modular
systems.
3.1.2.2 Examples
The digital outputs of the F2 DO 16 01 or F20 can be monitored with the analog inputs of the
F3 AIO 8/4 01.
The analog inputs of the F3 AIO 8/4 01 can monitor the digital outputs of the DIO 24/16 01
(modular system).
Figure 1 shows how the lines connecting a digital output (DO) to an actuator (e.g., solenoid
valve) can be monitored for open-circuits and short-circuits.
The connection must be adapted to the field devices used and the functionality checked
accordingly!
Circuitry:
Examples of how to configure line monitoring for the digital output DO (circuit with solenoid
valve 8 W 24 VDC):
Resistance values:
Resistor: Rseries resistor                   1.6 kΩ
Solenoid valve resistance: Rsolenoid valve   75 Ω
Shunt: Rshunt                                10 Ω
Table 5: Examples of Line Monitoring - Resistance Values
Voltage values:
Transmitter voltage: 26.4 V
Output voltage DO during normal operation: 24 V
Output voltage DO with a short-circuit: 26.8 V
Voltage drop on the solenoid valve: 21 V
Switching voltage of the Z-diode: 12 V
Table 6: Examples of Line Monitoring - Voltage Values
1. Open-Circuit:
The supply voltage of the series resistor (transmitter voltage) fluctuates within a tolerance
range, see Specifications in Table 18. For this reason, the voltage drops on the resistors can
change slightly. Within the fluctuation range, a measurable voltage drop is definitely still
detected on shunt Rshunt.
The series resistor was dimensioned such that when DO = FALSE, the voltage drop on the
solenoid valve is as low as possible (valve is slightly warmed up) and the voltage drop on the
shunt is still measurable.
The shunt Rshunt was measured with dependence on the solenoid valve resistance such that if
the output DO is activated (DO = TRUE), the voltage drop on the solenoid valve is higher than
the switching threshold of the solenoid valve, i.e., the coil of the solenoid valve is energized.
Additionally, the shunt Rshunt is designed such that with any switching state of the output DO
(TRUE or FALSE), a measurable voltage drop results (values for AI > 10, see Table 7).
On the other hand, if field wiring breakage occurs within the red-colored area, voltage drops are
no longer present on the shunt.
An open-circuit within the red-colored area (see Figure 1) can be monitored through the voltage
drop on the shunt Rshunt, i.e., the input value of AI, see Table 7.
To allow open-circuit monitoring, the value of AI must be evaluated in the logic of the user
program.
Connect the series resistor Rseries resistor and the shunt Rshunt directly to the terminals of the
controller or remote I/O to maximize the monitored line area.
2. Short-Circuit:
A short-circuit within the actuator circuitry (including the actuator) results in a high voltage drop
(output voltage of DO) across the shunt, which causes the short-circuit to be detected
(maximum resolution of AI, see Table 7). The overvoltage protection of the analog inputs is
activated at approximately 15 V.
A protective circuit consisting of a Z-diode and series resistor must be implemented to avoid an
overload of the internal overvoltage protection.
NOTE
To protect the input multiplexer of the analog inputs from overload, a protective circuit
consisting of a Z-diode and a series resistor must be connected within the input circuit in
parallel to the existing shunt.
The configuration of the Z-diode with series resistor depends on the overvoltage protection
threshold and must be set up to ensure that the HIMatrix overvoltage protection is not activated
if a short-circuit occurs.
Short-circuit:
Umax = Usolenoid valve + Ushunt = 26.8 V = 0 V + 26.8 V
If a short-circuit occurs in the external circuit (actuator or line), the voltage from DO is dropped
completely at the shunt.
The switching threshold of the overvoltage protection of AI is approximately 15 V.
The Z-diode should become conductive at 12 V such that no more than 12 V is present on AI
and the entire scaling range of AI is available.
The maximum voltage drop Udiode on the series resistor Rdiode of the Z-diode results from:
Udiode = 26.8 V – 12 V = 14.8 V
The current through the Z-diode should be limited to 20 mA (specification of the Z-diode). This
results in a minimum value for the series resistor of:
Rdiode = 14.8 V / 20 mA = 740 Ω
The value for Rdiode can be set to 1 kΩ.
This resistance limits the maximum current through the Z-diode to approximately 15 mA.
A short-circuit within the red-colored area (see circuit diagram) can be monitored through the
voltage drop on the shunt Rshunt, i.e., the input value of AI, see Table 7.
To allow short-circuit monitoring, the value of AI must be evaluated in the logic of the user
program.
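The arithmetic of the line-monitoring example above (shunt voltage for each line state and the Z-diode series resistor), as an added Python example that is not part of the HIMA manual. Since Figure 1 is not reproduced here, it assumes the valve and shunt are in series and that, with DO = FALSE, the loop is fed from the transmitter voltage through the series resistor; the function and key names are illustrative.

```python
"""Line-monitoring arithmetic for a DO -> solenoid valve -> shunt circuit.

Added example, not HIMA code. Assumed topology (Figure 1 is not reproduced):
valve and shunt in series; with DO = FALSE the loop is fed from the
transmitter voltage through the series resistor.
"""

# Values from Tables 5 and 6 and the short-circuit calculation on this page.
PAGE = {
    "u_transmitter": 26.4,   # V, supply of the series resistor
    "u_do": 24.0,            # V, DO during normal operation
    "u_do_short": 26.8,      # V, DO with a short-circuit
    "r_series": 1600.0,      # ohm
    "r_valve": 75.0,         # ohm
    "r_shunt": 10.0,         # ohm
    "u_zener": 12.0,         # V, switching voltage of the Z-diode
    "i_zener_max": 0.020,    # A, Z-diode current limit
    "r_diode": 1000.0,       # ohm, chosen series resistor of the Z-diode
    "u_ovp": 15.0,           # V, approximate AI overvoltage threshold
}


def shunt_voltage(u_source, r_shunt, r_valve, r_feed=0.0):
    """Voltage across the shunt in a series loop r_feed + r_valve + r_shunt."""
    total = r_feed + r_valve + r_shunt
    if total <= 0:
        raise ValueError("loop resistance must be positive")
    return u_source * r_shunt / total


def expected_ai_voltages(p):
    """Voltage the analog input should see in each line state (assumed topology)."""
    return {
        "do_false": shunt_voltage(p["u_transmitter"], p["r_shunt"],
                                  p["r_valve"], p["r_series"]),
        "do_true": shunt_voltage(p["u_do"], p["r_shunt"], p["r_valve"]),
        "open_circuit": 0.0,  # no current, no drop on the shunt
        # Full DO voltage lands on the shunt; the Z-diode clamps what AI sees.
        "short_circuit": min(p["u_do_short"], p["u_zener"]),
    }


def valve_voltage_do_true(p):
    """Voltage left for the solenoid valve when DO = TRUE."""
    return p["u_do"] - expected_ai_voltages(p)["do_true"]


def dimension_zener_branch(p):
    """Check the Z-diode series resistor against the page's design rules."""
    if p["r_diode"] <= 0 or p["i_zener_max"] <= 0:
        raise ValueError("resistance and current limit must be positive")
    u_r = p["u_do_short"] - p["u_zener"]   # drop on Rdiode during a short
    r_min = u_r / p["i_zener_max"]         # smallest resistor keeping I <= limit
    i_actual = u_r / p["r_diode"]
    return {
        "u_resistor": u_r,
        "r_min": r_min,
        "i_actual": i_actual,
        "p_resistor": u_r * i_actual,      # W dissipated in Rdiode
        "ok": p["r_diode"] >= r_min and p["u_zener"] < p["u_ovp"],
    }


if __name__ == "__main__":
    for state, volts in expected_ai_voltages(PAGE).items():
        print(f"{state:14s} {volts:6.3f} V at AI")
    print(f"valve voltage (DO = TRUE): {valve_voltage_do_true(PAGE):.2f} V")
    print(dimension_zener_branch(PAGE))
```
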
NOTE
The analog outputs may only be used as safety-related outputs, if the output values are
read back to safety-related analog inputs and evaluated in the user program.
To configure the safe reaction, set the 4 Channel Used [BOOL] -> system parameters to FALSE
(SILworX) or the 4 AO[1..4].Used system signals to FALSE (ELOP II Factory). This appears
internal safety switches, ensuring that no output signal is output.
Alternatively, the safety reaction can be triggered using the Emergency Stop system variable.
The analog outputs are designed to retain the metrological accuracy for 10 years. A proof test
must be performed every 10 years.
IP___.___.___.___SRS____.__.__
The label must be affixed such that the ventilation slots in the housing are not obstructed.
Refer to the First Steps manual of the programming tool for more information on how to modify
the IP address and the system ID.
3.5 Structure
This chapter describes the layout and function of the remote I/Os, and their communication via
safeethernet.
3.5.2 Communication
The remote I/O communicates with the associated controller via safeethernet.
3.5.2.1 Connections for Ethernet Communication
Property             Description
Port                 2 x RJ-45
Transfer standard    10BASE-T/100BASE-Tx, half and full duplex
Auto negotiation     Yes
Auto crossover       Yes
IP address           Freely configurable 1)
Subnet mask          Freely configurable 1)
Supported protocols  Safety-related: safeethernet
                     Standard protocols: Programming and debugging tool (PADT), SNTP
1) The general rules for assigning IP address and subnet masks must be adhered to.
Table 14: Ethernet Interfaces Properties
The two RJ-45 connectors with integrated LEDs are located on the bottom left-hand side of the
housing. Refer to Chapter 3.5.1.3 for a description of the LEDs' function.
The connection parameters are read based on the MAC address (media access control
address) defined during manufacturing.
The MAC address for the remote I/O is specified on a label located above the two RJ-45
connectors (1 and 2).
The remote I/O is equipped with an integrated switch for Ethernet communication. For further
information on the integrated switch and safeethernet, refer to Chapter Communication of the
system manual for compact systems (HI 800 141 E).
Only the model variants without protective lacquer are equipped with a reset key.
The key can be accessed through a small round hole located approximately 5 cm from the
upper left-hand side of the housing. The key is engaged using a suitable pin made of insulating
material to avoid short-circuits within the remote I/O.
The reset is only effective if the remote I/O is rebooted (switched off and on) while the key is
simultaneously engaged for at least 20 s. Engaging the key during operation has no effect.
Properties and behavior of the remote I/O after a reboot with engaged reset key:
- Connection parameters (IP address and system ID) are set to the default values.
- All accounts are deactivated except for the administrator default account with empty
  password.
After a new reboot without the reset key engaged, the following connection parameters
(IP address and system ID) and accounts become effective:
- Those configured by the user.
- Those valid prior to rebooting with the reset key engaged, if no changes were performed.
Analog inputs
Number of inputs                                 8 (non-galvanically separated)
Nominal range                                    0...+10 VDC,
                                                 0/4...+20 mA with 500 Ω shunt
Operating range                                  -0.1...+11.5 VDC,
                                                 -0.4...+23 mA with 500 Ω shunt
Input resistance                                 > 2 MΩ
Source resistance input of the input signal      500 Ω
Digital resolution                               12-bit
Measurement accuracy at 25 °C, max.              0.1 % of final value
Metrological accuracy on full temperature, max.  0.5 % of final value
Temperature coefficient, max.                    0.011 %/K of final value
Safety-related accuracy, max.                    2 % of final value
Measured value refresh                           once per cycle of the controller
Sampling time                                    ca. 45 µs
Table 17: Specifications for the Analog Inputs
Supply outputs
Number of supply outputs                         8
Nominal voltages                                 8.2 VDC / 26 VDC, switchable
Tolerance                                        5 %
Safely monitored limits
Range: 8.2 V                                     7.6...8.8 V, (tolerance range: 7.3...9.1 V)
Analog outputs
Number of outputs                                4 non-galvanically separated,
                                                 non-safety-related,
                                                 common safe shutdown
Nominal value                                    4...20 mA
Operating value                                  0...21 mA
Digital resolution                               12-bit
Load impedance                                   max. 600 Ω
Measurement accuracy at 25 °C, max.              0.1 % of final value
Metrological accuracy on full temperature, max.  0.5 % of final value
Temperature coefficient, max.                    0.011 %/K of final value
Safety-related accuracy, max.                    1 % of final value
Table 19: Specifications for the Analog Outputs
The remote I/O F3 AIO 8/4 014 meets the conditions for vibrations and shock test according to
IEC 61373, category 1, class B.
4 Start-up
To start up the remote I/O, it must be mounted, connected and configured in the programming
tool.
Refer to the corresponding manuals for further information on the shunt adapters.
Exception:
If a potentially explosive atmosphere has been precluded, work can also be performed when the
controller is under voltage.
2. The enclosure in use must be able to safely dissipate the generated heat. The power
dissipation of the module F3 AIO 8/4 01 is 18 W at maximum.
3. Protect the HIMatrix F3 AIO 8/4 01 with a 10 A time-lag fuse.
The 24 VDC power must come from a power supply unit with safe isolation. Use power
supply units of type PELV or SELV only.
4. Applicable standards:
VDE 0170/0171 Part 16, DIN EN 60079-15: 2004-5
VDE 0165 Part 1, DIN EN 60079-14: 1998-08
The remote I/O is additionally equipped with the label represented below:
4.2 Configuration
The remote I/O can be configured using a programming tool, SILworX or ELOP II Factory.
Which programming tool should be used depends on the revision status of the operating
system (firmware):
SILworX is required for CPU OS V7 and higher.
ELOP II Factory is required for CPU OS up to V6.x.
How to switch between operating systems is described in Chapter Loading Operating Systems
of the system manual for compact systems (HI 800 141 E).
Double-click the module to open the Detail View with the corresponding tabs. The tabs are used
to assign the global variables configured in the user program to the system variables of the
corresponding module.
4.3.1 Parameters and Error Codes for the Inputs and Outputs
The following tables specify the system parameters that can be read and set for the inputs and
outputs, including the corresponding error codes.
In the user program, the error codes can be read using the variables assigned within the logic.
The error codes can also be displayed in SILworX.
4.4.2 Signals and Error Codes for the Inputs and Outputs
The following tables specify the system signals that can be read and set for the inputs and
outputs, including the corresponding error codes.
In the user program, the error codes can be read using the signals assigned within the logic.
The error codes can also be displayed in ELOP II Factory.
NOTE
Overload, failure due to improperly set voltage (8.2 V / 26 V)!
Failure to comply with these instructions can damage the electronic components.
Prior to start-up, set the Transmitter Supply[01] system parameter to 1 (8.2 V). If the
shunt adapter has been overloaded, it must be replaced.
5 Operation
The remote I/O can only be operated together with a controller. No specific monitoring is required
for remote I/Os.
5.1 Handling
Handling of the remote I/O during operation is not required.
5.2 Diagnosis
A first diagnosis results from evaluating the LEDs, see Chapter 3.5.1.
The device diagnostic history can also be read using the programming tool.
6 Maintenance
No maintenance measures are required during normal operation.
If a failure occurs, the defective module or device must be replaced with a module or device of
the same type or with a replacement model approved by HIMA.
Only the manufacturer is authorized to repair the device/module.
6.1 Faults
Refer to Chapter 3.1.1.1 for more information on the fault reaction of inputs.
Refer to Chapter 3.2 for more information on the fault reaction of the outputs.
If the test harnesses detect safety-critical faults, the module enters the STOP_INVALID state
and will remain in this state. This means that the input signals are no longer processed by the
device and the outputs switch to the de-energized, safe state. The evaluation of diagnostics
provides information on the fault cause.
7 Decommissioning
Remove the supply voltage to decommission the device. Afterwards pull out the pluggable
screw terminal connector blocks for inputs and outputs and the Ethernet cables.
8 Transport
To avoid mechanical damage, HIMatrix components must be transported in packaging.
Always store HIMatrix components in their original product packaging. This packaging also
provides protection against electrostatic discharge. Note that the product packaging alone is not
suitable for transport.
9 Disposal
Industrial customers are responsible for correctly disposing of decommissioned HIMatrix
hardware. Upon request, a disposal agreement can be arranged with HIMA.
All materials must be disposed of in an ecologically sound manner.
Appendix
Glossary
Term Description
ARP Address resolution protocol: Network protocol for assigning the network addresses to
hardware addresses
AI Analog input
AO Analog output
COM Communication module
CRC Cyclic redundancy check
DI Digital input
DO Digital output
ELOP II Factory Programming tool for HIMatrix systems
EMC Electromagnetic compatibility
EN European norm
ESD Electrostatic discharge
FB Fieldbus
FBD Function block diagrams
FTT Fault tolerance time
ICMP Internet control message protocol: Network protocol for status or error messages
IEC International electrotechnical commission
MAC address Media access control address: Hardware address of one network connection
PADT Programming and debugging tool (in accordance with IEC 61131-3),
PC with SILworX or ELOP II Factory
PE Protective earth
PELV Protective extra low voltage
PES Programmable electronic system
R Read: The system variable or signal provides value, e.g., to the user program
Rack ID Base plate identification (number)
Interference-free Supposing that two input circuits are connected to the same source (e.g., a
transmitter). An input circuit is termed interference-free if it does not distort the signals
of the other input circuit.
R/W Read/Write (column title for system variable/signal type)
SELV Safety extra low voltage
SFF Safe failure fraction, portion of faults that can be safely controlled
SIL Safety integrity level (in accordance with IEC 61508)
SILworX Programming tool for HIMatrix systems
SNTP Simple network time protocol (RFC 1769)
SRS System.rack.slot addressing of a module
SW Software
TMO Timeout
W Write: System variable/signal is provided with value, e.g., from the user program
rPP Peak-to-peak value of a total AC component
Watchdog (WD) Time monitoring for modules or programs. If the watchdog time is exceeded, the
module or program enters the ERROR STOP state.
WDT Watchdog time
Index of Figures
Figure 1: Circuitry for Line Monitoring
Figure 2: Application Example for Safety-Related Analog Outputs
Figure 3: Sample Type Label
Figure 4: Front View
Figure 5: Block Diagram
Figure 6: Sample MAC Address Label
Figure 7: HIMatrix F3 AIO 8/4 012 with Aluminum Plate
Figure 8: Aluminum Plate with Dimensions
Figure 9: Label for Ex Conditions
Figure 10: Proximity Switch on Analog Inputs
Figure 11: Wired Mechanical Contact
Figure 12: Mechanical Contact with Resistive Coupling Element
Index of Tables
Table 1: Programming Tools for HIMatrix Remote I/Os
Table 2: Additional Relevant Documents
Table 3: Environmental Requirements
Table 4: Input Values for the Analog Inputs
Table 5: Examples of Line Monitoring - Resistance Values
Table 6: Examples of Line Monitoring - Voltage Values
Table 7: Voltage Values with Line Monitoring of DO
Table 8: Example of Short-Circuit
Table 9: Output Values of the Analog Outputs
Table 10: Available Variants
Table 11: Operating Voltage LED
Table 12: System LEDs
Table 13: Ethernet Indicators
Table 14: Ethernet Interfaces Properties
Table 15: Network Ports in Use
Table 16: Product Data
Table 17: Specifications for the Analog Inputs
Table 18: Specifications for the Transmitter Supply
Table 19: Specifications for the Analog Outputs
Table 20: Product Data of F3 AIO 8/4 011 (-20 °C)
Table 21: Product Data F3 AIO 8/4 012 (subsea / -20 °C)
Table 22: Product Data of F3 AIO 8/4 014
Table 23: Certified HIMatrix F3 AIO 8/4 01
Table 24: Terminal Assignment for the Analog Inputs
Table 25: Shunt Adapter
Table 26: Terminal Assignment for the Analog Outputs
Table 27: Power Supply Cable Plug Properties
Table 28: Input and Output Cable Plug Properties
Table 29: SILworX - System Parameters for Analog Inputs, Module Tab
Table 30: SILworX - System Parameters for Analog Inputs, AI 8: Channels Tab
Table 31: SILworX - System Parameters for Analog Outputs, Module Tab
Table 32: SILworX - System Parameters for Analog Outputs, AO 4: Channels Tab
Table 33: ELOP II Factory - System Signals for the Analog Inputs
Table 34: ELOP II Factory - System Signals for the Analog Outputs
Table 35: Thresholds for the Inputs with Proximity Switches
Table 36: Thresholds for the Inputs with Wired Mechanical Contacts
Table 37: Switching Thresholds for the Inputs for Mechanical Contacts with Resistive Coupling Element