Pac 8000 Safety Net Data Sheets


PAC8000 SafetyNet

♦ SIL2 certified 1oo1D (single Controller with diagnostics)
♦ Process Control & Safety Functions from a single platform
♦ Mix standard and SafetyNet Modules on the same node
♦ Single programming environment for Process, Logic and Safety Applications
♦ On-line changes supported
♦ Mounts in harsh and hazardous Environments

The PAC8000 SafetyNet System is a new addition to GE’s product family. Sharing the same fundamental platform as the PAC8000 controllers, a new SafetyNet Controller, a new Earth Line Fault Detect (ELFD) Controller Carrier and two new SafetyNet IO Modules have been developed and certified. The SafetyNet System uses the same field terminals, I/O Module Carriers and Power Supplies as the Process Control products. Configuration and application design is carried out using software tools specifically for safety applications - but within a common programming environment.

Certified according to IEC 61508 as a "Programmable Electronic Safety System", PAC8000 SafetyNet is suitable for use in safety-related applications up to Safety Integrity Level (SIL) 2. As part of the family of open system components designed for the process automation market, it can be closely integrated with the Proficy Process Control System or used as a standalone safety system working alongside any Process Control solution. The system will also operate "openly" with your choice of HMI - whatever package you use.

Emergency Shutdown, Fire & Gas and Burner Management application requirements are all met, with certification to IEC 61511 for process industries and NFPA 85 for burner management systems.

Designed for SIL 2, the SafetyNet System has been specifically developed for safety applications, with features that ensure safety designed in to the product, with a simple and straightforward Safety Manual. The net result is a product that is easy to program, configure and use.

The modular approach provides cost effective solutions to safety applications with limited I/O counts per node. And since each SafetyNet node can accommodate up to 64 I/O modules (each of 8 channels), the requirements of safety systems with high I/O counts are also met.

Using a 1 out of 1 with diagnostics structure (1oo1D), a single controller, input module and output module (together with the necessary field terminals, carriers and power supplies and a suitable sensor and final element) meet all the requirements of a SIL 2 safety function.

Redundant controllers can be used to improve availability for the SIL 2 safety function - with entirely bumpless transfer. Further availability enhancements can be made by the use of redundant, fault tolerant Ethernet communications and redundant power supplies.

GE Intelligent Platforms
Americas: 1 800 433 2682 or 1 434 978 5100
Global Regional phone numbers are available on our
website www.ge-ip.com/contacts
Page:1
General
The PAC8000 SafetyNet System is a "Programmable Electronic Safety System", certified according to IEC 61508 as suitable for use in safety related applications up to Safety Integrity Level 2. The system is suitable for use in emergency shutdown, fire & gas and burner management applications.

New additions to the family
The PAC8000 SafetyNet System uses the same basic structure as the PAC8000 controllers, but in addition incorporates specifically developed components. These are:
♦ SafetyNet Controllers (8851-LC-MT)
♦ Dedicated Controller Carriers for Earth Leakage Fault Detection (8751-CA-NS)
♦ SafetyNet IO Modules - Analog Input with HART (8810-HI-TX) and Discrete IO (8811-IO-DC)
♦ Workbench software tools for use with the SafetyNet System (8841-LC-MT)

Open communications
PAC8000 products are open. SafetyNet nodes communicate with one another, with standard PAC8000 nodes, historian and asset management packages and with HMI packages over a fault tolerant Ethernet LAN, running at up to 100 Mbit/s.

Peer to peer communication
SafetyNet Controllers can communicate with one another via Ethernet using SafetyNet P2P - which has been certified as suitable for use in SIL 2 applications. Robust checks and controls on access and data corruption ensure the safety of communication and allow safety functions for which the inputs and outputs are widely separated to be easily implemented - both in terms of the software programming and in the hardware design.

Mixing safe and standard
Standard IO Modules can be mounted on SafetyNet Nodes - together with SafetyNet IO Modules - without affecting the node's functional safety performance. Only standard applications can read data from standard Modules, but both standard and SafetyNet applications are allowed to write to standard modules. This flexibility can simplify hardware design, where the physical constraints of the particular locality demand such an approach.

Serial interfaces
The Open approach extends to Modbus serial interface products - which can be connected to any node (SafetyNet or standard) by an RS485 connection. As with data from standard IO Modules, this data can be read by standard Controllers, but not by SafetyNet Controllers. Both standard and SafetyNet Controllers can write to such devices.

Comprehensive programming tools
The SafetyNet System is programmed using the Workbench software package – in common with the PAC8000 Process Control Products. In addition to providing the options of programming the required safety function in one of three IEC 61131-3 languages (Ladder Diagram, Function Block Diagram and Structured Text) the package also provides many useful tools to assist in testing and commissioning.

Restricted access
Access to modify safety-related parameters within the configuration and application program must be restricted to authorized personnel. The SafetyNet system provides a number of layers and methods of providing this protection. Only users with "Safety Responsibility" can access the safety-related aspects of the Workbench. Only computers that the SafetyNet Controller identifies as "trusted hosts" can download new parameters. A download can only take place when an "over-ride key-switch" is set to the required position. And, if required, each SafetyNet Controller can be protected by its own password - without which access to the safety parameters is denied.

Maintaining field instruments
Maintenance over-rides can be implemented from operator workstations in full compliance with the guidelines from TUV. Users define - as part of the safety application - the actions to be taken to maintain a particular instrument and the SafetyNet System then implements these pre-defined actions.

HART capability
The SafetyNet System allows full access to HART field devices for Emerson's AMS maintenance software. (The first release of SafetyNet will not have full HART capability, contact GE for further information).

Earth leakage detection
Earth leakage fault detection may be implemented using the 8751-CA-NS Controller Carrier in conjunction with an input channel from an 8811-IO-DC Discrete I/O Module. If ELFD is not required, SafetyNet Controllers can be mounted on 8750-CA-NS Controller Carriers.

On-line changes
Where allowed by local practices – and following adequate testing and approval - new safety programs and configuration can be downloaded on-line and in real time. In some situations, this may be possible without interrupting the operation of the safety function.

Harsh and Hazardous Environments
The SafetyNet System is as rugged as the other PAC8000 Controller and 8000 Process I/O Components: -40ºC to +70ºC operating ambient temperature; Zone 2 or Class 1 Division 2 hazardous area mounting; G3 corrosion resistance; and enhanced shock and vibration capability. The system will operate in the PAC8000 extreme environments found in process industries, allowing remote mounting and a truly distributed architecture in even the most demanding situations.

Event Logging and Sequence of Events Recording
The SafetyNet System has the same Event Logging and Sequence of Events (SOE) recording capability as the PAC8000 Controllers. Data received from SafetyNet Modules is time-stamped by the SafetyNet Controller with a resolution of better than 200ms (this is dependent on the execution cycle - small nodes will deliver better resolution). Data from dedicated (non-SIL) SOE modules is time-stamped with a resolution of less than 0.25ms between different channels of the same SOE module and less than 1ms between channels from different SOE modules. The SafetyNet Controller can record up to 8000 events before its event data buffer begins to be overwritten by new data.

Reduced cabling and termination costs
In common with the PAC8000 Controllers, the SafetyNet System offers users the opportunity to significantly reduce their spending on wiring and termination costs. Moving control and safety hardware out of the control room and on to the plant gives significant savings. The Field Terminal design allows users to avoid unnecessary spend on marshalling cabinets, cross wiring and marshalling terminals. Integral tagging and fusing further simplifies cabinet design and installation.


Figure 1 – typical PAC8000 SafetyNet System layout

PAC8000 SafetyNet on your plant


Figure 1 shows a typical layout of a
PAC8000 SafetyNet System, together
with a PAC8000 Controller, an OPC
Server, an HMI and asset
management and historian packages
all connected together via an Ethernet
LAN. Also shown is the PAC8000
Workbench - the dedicated tool for
programming and configuring
PAC8000 SafetyNet and PAC8000
Controller.

SafetyNet node layout and powering
Figure 2 shows a typical layout of a
SafetyNet node, with Controllers, IO
Modules, Field Terminals, and
Carriers. The power connections that
need to be made are also shown.

Fault Tolerant Redundant LAN
The availability of Ethernet connections -
between SafetyNet and standard
Controllers, historian and asset
management packages and HMI stations -
has a significant impact on the
effectiveness and availability of both safety
and control functions. To maximise
availability of the Ethernet LAN, PAC8000
SafetyNet Systems feature Fault Tolerant
Ethernet ports that monitor the integrity of
their local network and automatically
switch to an alternate path if the existing
path becomes unavailable. If suitable
Ethernet switches are used - such as
Moxa Industrial Ethernet Switches - they
too will monitor their local network and
switch to an alternative path when this is
required. Monitoring the local network
paths – even when they are not being
used - allows the system to report the loss
of any failed paths so that appropriate
maintenance can be carried out.

Figure 1 - redundant Ethernet LAN with intra-LAN link

Moxa Industrial Ethernet Switches
The Moxa Ethernet Switch range is
specifically designed for use in Industrial
applications that require high availability in
harsh environments, with a broad
operating temperature range (-40ºC to
+75ºC, except EDS-205: -10ºC to +60ºC)
and hazardous area mounting capability
(Class 1, Div 2 or Zone 2). Two alternative
topologies are shown in figures 1 and 2.
Which topology is preferred will depend on
the physical layout of the entities on the
LAN and local preferences. Figure 1
shows a redundant Ethernet LAN, with
intra-LAN link while figure 2 shows a single
"Turbo Ring" that provides an alternate
means of ensuring Ethernet availability -
implemented in the Moxa EDS405 5-port
switch. If any part of the Turbo Ring fails,
communication is re-routed automatically
within 300ms. Further improvements to
availability can be achieved by putting in
place a second identical, "Turbo Ring"
which should be connected to the first ring
by a single intra-LAN link. This link would
normally be mounted in the control room.
The Moxa switches are available with
either all copper or a combination of
copper and fibre ports. For media
conversion between fibre and copper the
MOXA IMC-101 can be used. All the Moxa
products (except the EDS-205) have dual
power supply inputs and a relay output for
user configurable fault reporting.

Figure 2 - “Turbo Ring” Ethernet LAN

General
The 8851-LC-MT SafetyNet Controller stores and runs the SafetyNet application program which is downloaded from the Workbench. It manages a number of communication paths: with the IO Modules mounted on the local node via the internal Railbus; with other entities on the Ethernet LAN (other PAC8000 nodes, PCs running the Workbench programming tools, HMI, historian packages and asset management tools) and with remote mounted serial devices. The SafetyNet Controller also manages the implementation of the redundancy strategy either as master or standby.

Certification
The SafetyNet Controller is certified for use in safety-related applications up to and including SIL 2. The SafetyNet Controller achieves this Safety Integrity Level with a 1oo1D architecture (i.e. it operates in "simplex" mode, with correct operation ensured by comprehensive internal diagnostics). In such applications the SafetyNet Controller is used in conjunction with the 8811-IO-DC SafetyNet Digital Input/Output Module and the 8810-HI-TX SafetyNet Analog Input Module with HART*. The SafetyNet Controller is mounted on its dedicated Carrier 8751-CA-NS.
*First release of SafetyNet will not have full HART capability.

Safe by design
The SafetyNet Controller has been designed specifically for safety-related applications and is certified on the basis of the excellence of its design. It does not depend for its certification on "proven in use" data.

Diagnostics
If the SafetyNet Controller's internal diagnostics detect a fault that would prevent the SafetyNet System from carrying out its safety function, then it will initiate a controlled shutdown. A controlled shutdown has two objectives - firstly, to ensure that the SafetyNet System enters its failsafe mode; and secondly, to record sufficient data to allow the reason for the shutdown to be determined. If a SafetyNet Controller enters a controlled shutdown, then all communication with IO Modules is stopped and - when the programmed time delay for each IO module has elapsed - they will enter their safe states.

System size
The SafetyNet Controller can interface with up to 64 locally mounted, 8-channel IO Modules - giving a total capacity of over 500 channels per node. The Ethernet LAN is capable of supporting over 200 nodes, giving a maximum theoretical capacity of over 100 000 channels!

HART pass-through
SafetyNet Controllers can be configured to allow transparent access to the process variables and status information provided by HART field instruments. HART data cannot be used within the SafetyNet application (as - for example - it does not employ sufficiently rigorous data error detection algorithms), but communication with such devices can be achieved by using a "passthrough" command which does not involve, nor interfere with, the safety application. (The first release of SafetyNet will not have full HART capability, contact GE for further information).

Live maintenance
Once the Ethernet LANs are isolated, SafetyNet Controllers can be removed and replaced - with the local power supplies still connected - even in Division 1, Class 2 or Zone 2 hazardous areas.

Redundant Controllers
SafetyNet Controllers can be used in a master - standby redundant configuration to improve the availability of the safety function, but this is not required for safety. Redundancy is implemented by simply inserting the new Controller in to the free slot on the Controller Carrier. The SafetyNet system will automatically upload the required SafetyNet application to the new Controller and initiate the redundancy algorithms. Switching between redundant Controllers on detection of a fault is automatic and bumpless. The standby Controller continually performs the same processing, on the same data and at the same time as the Master and the results are routinely cross-checked. This ensures that the Standby is always ready to take over control from the Master. The redundancy strategy employed is known as "rendezvous redundancy". The "Change State" button on the Controller Carrier is used to switch a master to being the standby in a redundant pair, to switch a standby offline and to instruct an offline standby Controller to synchronise itself with the Controller and to enter standby. If a SafetyNet Controller has entered the “Failsafe” state, it can be brought out of this state by use of the “Change State” button.

Serial communications
Each SafetyNet Controller provides two serial ports - one of which is physically connected via the Controller Carrier, the other directly on the Controller itself. The two ports can be configured to be entirely independent, or can be made to work redundantly, either as redundant connections to the same serial link or as redundant connections to redundant links. When redundant ports of a single Controller are configured as Modbus masters, redundancy issues are handled automatically by the SafetyNet Controller (deciding when to switch to the standby port, alarming failures in the standby). When redundant ports of a single Controller are configured as Modbus slaves and multi-dropped on a single serial link, the SafetyNet Controller will again manage the redundancy (deciding which port responds to the Modbus master and alarming a fault in the standby port). When redundant Controllers are used, this adds additional availability to the arrangements above. It is not possible to use the ports on the standby Controller as additional serial connections.

SafetyNet Controller 8851-LC-MT

♦ Certified for use in SIL 2 safety applications, according to IEC 61508
♦ Comprehensive internal diagnostics provide basis for safety architecture 1oo1D
♦ Optional redundancy with bumpless transfer for increased availability
♦ Dual redundant high speed fault tolerant Ethernet LAN
♦ Two connections to serial devices
♦ On-line configuration and re-configuration
♦ Communicates with up to 64 I/O modules
♦ Communicates on peer-to-peer basis with other SafetyNet and standard Controllers
♦ Can write to standard output modules without compromising safety function
♦ Live maintainable and hot-swappable - even in Class 1, Div 2 or Zone 2 hazardous areas
♦ HART pass-through of process and status variables
♦ Event logging up to 8000 events
♦ 12Vdc Controller power required from 8913-PS-AC

CONTROLLER SPECIFICATION
See also System Specification

LAN INTERFACE
Transmission medium .......... 100BaseTX or 10BaseT Ethernet™
Transmission protocol .......... SafetyNet P2P*
Transmission rates .......... 10 - 100 Mbits/s
LAN connector type (x2) .......... RJ 45 (8-pin)
LAN isolation (dielectric withstand) .......... 1500 V
Action on software malfunction .......... Halt CPU / Reset CPU
* SafetyNet P2P is a modified form of Modbus™ certified as suitable for use in SIL 2 safety related applications that require peer-to-peer communication.

SERIAL INTERFACES (COM 1 & COM 2)
Transmission rates .......... 1.2 – 115.2 kbits/s (async.)
Transmission standard .......... RS485 half-duplex
COM 1 connector (on carrier) .......... 9-pin D-type connector (F)
COM 2 connector (on controller) .......... 9-pin D-type connector (M)

HAZARDOUS AREA SPECIFICATION
Protection Technique .......... EEx nL IIC T4
Location (FM and CSA) .......... Class 1, Div.2, Grps A,B,C,D T4

POWER SUPPLIES
Controller Power Voltage .......... 12V dc (from 8913-PS-AC)
Controller Power Supply .......... 0.4A (typical), 0.5A (max.)
System Power Supply .......... 15mA (max.)

MECHANICAL
Module dimensions .......... 69 (w) x 232 (l) x 138 (h) mm
Weight (approx.) .......... 1.35kg

LED's
The SafetyNet Controller has a number of LED’s that indicate the status and mode of operation of the Controller. The table below
explains what they refer to and describes their operation:

Note: the information given here is simplified. Additional combinations of LED states are used to provide further indication of
the status of the SafetyNet Controllers. Full details are found in the relevant instruction manuals.

Workbench for SafetyNet – Overview
PAC8000 Workbench
The PAC8000 Workbench is the engineering and documentation tool for the PAC8000 Controllers and SafetyNet Systems. The Workbench is used to perform the following tasks:
♦ Configure IO Channel and Module parameters
♦ Configure Controller and network parameters
♦ Input and manage the IO tag database
♦ Engineer and document the control or safety application
♦ Generate wizards to simplify HMI design
♦ Simulate and test control and safety applications
♦ Generate reports to assist in Factory and Site Acceptance Testing

SafetyNet Workbench
The SafetyNet Workbench (8841-LC-MT) has all the features of the standard Workbench, but additionally includes the special tools required for safety applications.

Safety programming languages
The Workbench provides three IEC61131 programming languages that can be used to write safety-related application programs:
♦ Ladder logic (LD)
♦ Function Block Diagram (FBD)
♦ Structured Text (ST)

Configuration Mode and Safety Responsibility
Changes to safety-related parameters are carried out with the SafetyNet Controller in “Configuration Mode”. Access to this mode is restricted to personnel with “Safety Responsibility” and its use is constrained by a number of further layers of protection for downloading parameters to SafetyNet Controllers. The SafetyNet system defines 6 password protected levels of access authority – with only the 3 highest levels being granted “Safety Responsibility”.

Trusted Hosts
To prevent access to SafetyNet Controllers by non-approved instances of the Workbench, remote Modbus devices, asset management packages and HMI, only those that the SafetyNet Controller identifies as “Trusted Hosts” can download new parameters. Each Trusted Host is recognised by its IP and MAC addresses (remote Modbus devices are recognised by the serial port to which they are connected). For each Trusted Host a number of other restrictions can be defined:
♦ Modbus write not allowed
♦ Workbench write not allowed
♦ HART pass-through not allowed

Key Switch Protection
When a SafetyNet Controller is added to the Workbench the user is given the option of selecting a tag to act as a “Key Switch”. This can be used by an Operator to lock the SafetyNet System so that Configuration Mode cannot be entered without their awareness or permission. The Key Switch can be a physical switch, driven from an HMI screen or it can be an output from the SafetyNet application.

Controller Passwords
When a SafetyNet Controller is added to the Workbench the user is given the option to use a Controller Password. If this option is selected, it is subsequently impossible to enter Configuration Mode without the Controller Password.

On-line download
Users with safety responsibility can download new parameters to a SafetyNet Controller, from a Trusted Host, to a Controller whose Key Switch is set to permit new downloads and where the particular SafetyNet Controller’s Password is known. New parameter download is carried out as a background task over a number of cycles to ensure that the fault reaction and response times are not compromised. Once download is complete and the new parameters have passed the checking and security tests, the new parameters will be automatically adopted. Where redundant SafetyNet Controllers are used, the stand-by Controller will also be automatically updated.
Note: on-line download should only be used where there are adequate procedures for approving the changes that have been made and testing them prior to download.

Static Analysis Tool
Any safety-related application program must be developed by suitably qualified personnel and must be subject to careful scrutiny to ensure safety, but the Workbench provides an additional safety test. The Static Analysis Tool checks for illegal constructs within the safety program prior to download.

Differences Utility
Once a new SafetyNet application is successfully compiled, it can be downloaded to a SafetyNet Controller. On download, two text reports are generated: a Download Report and a Master Tag Xref. These can be used for comparison with other downloads using the Differences Utility.

Download backup
A time stamped backup of each safety application is automatically created following a successful download. Changes between versions can be viewed and backups can be used either as a start point for developing new safety applications or to restore an earlier version.

Change Control Log
The Workbench maintains a Change Control Log that records - for example - when:
♦ IO Modules are added, deleted or moved
♦ Tags are added to, removed from, or moved within an IO Module
♦ IO Configuration parameters are saved
♦ Controller IP addresses or node numbers are entered or modified
♦ External node numbers are entered or modified
♦ Serial communications parameters are entered or modified
♦ A successful download is made
♦ A Strategy is removed
♦ The Controller password is changed
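
The download conditions described under Configuration Mode, Trusted Hosts, Key Switch Protection, Controller Passwords and On-line download can be modelled as one decision that evaluates every layer and records each refusal. The sketch below is an added illustration, not GE's implementation: the level numbering, class and field names and reason strings are assumptions, and all addresses and passwords are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Assumption: access levels are numbered 1..6 and the three highest (4, 5, 6)
# carry "Safety Responsibility". The data sheet gives the counts, not the numbering.
SAFETY_RESPONSIBILITY_MIN_LEVEL = 4
SALT = b"constructed-example-salt"  # constructed value for this example


def hash_password(password: str) -> bytes:
    """Derive a stored form of the Controller Password (model only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def norm_mac(mac: str) -> str:
    """Normalise 00-1A-2B-... and 00:1a:2b:... to one comparable form."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class TrustedHost:
    ip: str
    mac: str
    workbench_write_allowed: bool = True  # False models "Workbench write not allowed"


@dataclass(frozen=True)
class DownloadRequest:
    user: str
    access_level: int
    src_ip: str
    src_mac: str
    password: Optional[str] = None


@dataclass
class Controller:
    trusted_hosts: List[TrustedHost]
    key_switch_permits_download: bool
    password_hash: Optional[bytes] = None  # None: Controller Password option not selected


def evaluate_download(ctrl: Controller, req: DownloadRequest) -> List[str]:
    """Return the layers that refuse the download; an empty list means permitted.

    Every layer is evaluated (no early return) so the audit record shows all
    reasons a request was refused, not only the first one.
    """
    denied = []

    # Layer 1: the user must hold Safety Responsibility.
    if req.access_level < SAFETY_RESPONSIBILITY_MIN_LEVEL:
        denied.append("no_safety_responsibility")

    # Layer 2: IP and MAC must both match the *same* Trusted Host entry,
    # and that entry must not carry the Workbench write restriction.
    host = next((h for h in ctrl.trusted_hosts
                 if h.ip == req.src_ip and norm_mac(h.mac) == norm_mac(req.src_mac)),
                None)
    if host is None:
        denied.append("not_trusted_host")
    elif not host.workbench_write_allowed:
        denied.append("host_write_restricted")

    # Layer 3: the Key Switch must be set to permit new downloads.
    if not ctrl.key_switch_permits_download:
        denied.append("key_switch_locked")

    # Layer 4: Controller Password, if the option was selected.
    # compare_digest avoids leaking the mismatch position through timing.
    if ctrl.password_hash is not None:
        supplied = hash_password(req.password or "")
        if not hmac.compare_digest(supplied, ctrl.password_hash):
            denied.append("bad_controller_password")

    return denied


def audit_line(req: DownloadRequest, denied: List[str]) -> str:
    """Format one change-control style record for the decision."""
    verdict = "DENY" if denied else "PERMIT"
    reasons = ",".join(denied) or "-"
    return (f"download user={req.user} src={req.src_ip}/{norm_mac(req.src_mac)} "
            f"verdict={verdict} reasons={reasons}")


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    ctrl = Controller(
        trusted_hosts=[TrustedHost("192.0.2.10", "00:1A:2B:3C:4D:5E")],
        key_switch_permits_download=False,
        password_hash=hash_password("constructed-pw"),
    )
    for r in (DownloadRequest("eng1", 5, "192.0.2.10", "00-1a-2b-3c-4d-5e", "constructed-pw"),
              DownloadRequest("op1", 2, "198.51.100.7", "aa:bb:cc:dd:ee:ff", "wrong")):
        print(audit_line(r, evaluate_download(ctrl, r)))
```
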

SafetyNet IO Modules – Overview
General
SafetyNet IO Modules interface to safety system field wiring via Field Terminals. The IO Modules and the Field Terminals mount on Carriers that provide mechanical support, but also connect the internal communication bus and power supply connections to the Modules. The IO Modules are certified as suitable for use in SIL 2 safety-related applications.

Certification
The SafetyNet IO Modules are certified for use in safety-related applications up to and including SIL 2. The SafetyNet System achieves this certification with a 1oo1D architecture. The SafetyNet IO Modules have been designed specifically for safety-related applications and are certified on the basis of the excellence of their design. The certification does not depend on “proven in use” data.

Diagnostics
The IO Modules perform comprehensive internal diagnostic tests as an essential part of ensuring that the IO can carry out the required safety function. If the SafetyNet IO Module’s internal diagnostics detect a fault that would prevent the SafetyNet System from carrying out its safety function, then it will initiate a controlled shutdown. A controlled shutdown has two objectives – firstly, to ensure that the IO Module enters its failsafe mode; and secondly, to record sufficient data to allow the reason for the shutdown to be determined. If a SafetyNet Module enters a controlled shutdown, then all IO channels are deactivated: input channels are not scanned; and output channels are de-energised.

Bussed Field Power
The Bussed Field Power (BFP) connectors on the rear of IO Module Carriers provide the power connections for field instruments wired to the IO Modules. For the SafetyNet System, BFP must be 24V dc and supplied by MTL’s 8914-PS-AC units. These power supplies may be used in redundant pairs, if required.

Live maintenance
SafetyNet IO Modules can be removed and replaced in a Class 1, Division 2 or Zone 2 hazardous area - once the relevant Bussed Field Power (BFP) connection has been isolated using an appropriate hazardous area switch (such as the MTL951). Removing and replacing the Modules does not interrupt the operation of the other parts of the node. If a Module is replaced by another Module of identically the same type, then no intervention is required for the System to begin operating normally once the Bussed Field Power is restored.

Line fault monitoring
In addition to the comprehensive internal diagnostics the SafetyNet IO Modules can monitor field wiring for line faults.

Event logging
Data from SafetyNet IO Modules can be time stamped and stored by the SafetyNet Controller before being downloaded to the PAC8000 SOE Data Retrieval Client or a 3rd party historian package. SafetyNet IO Module data is time stamped with a resolution of better than 200ms.

Failsafe Mode
IO Modules will enter Failsafe Mode from the Running State either due to loss of communications with the Controller or because the module has received an instruction from the Controller to enter the Failsafe State. In this state:
♦ The Red Fault LED is lit
♦ The IO Module is flagged as unhealthy to the Controller
♦ All Railbus Write requests are rejected, except instructions to Reset or to exit the Failsafe State
♦ Inputs and HART data are read
♦ Outputs are de-energised
♦ Background diagnostics continue and if a failure is detected, the module will enter Controlled Shutdown

Controlled Shutdown
A Controlled Shutdown is carried out if a fault is detected in the Module. In this state it can communicate the reason for shutdown.

LED’s
A number of LED’s are provided on each IO Module to provide visual indication of the status of the Module, its channels and its power supply.

Module ‘Fault’ LED (red)
On - Failsafe
Off - Normal operation
Flashing (equal mark:space ratio) – Cold start in process, will flash until communication is established with SafetyNet Controller.
Blinking (On for a short period, then On for a longer period – morse code ‘a’) – Fault state after controlled shutdown

Module ‘Power’ LED (green)
On - Power OK
Off - BFP or Railbus Power Failure

Module ‘Channel’ LED’s (yellow)
See Individual Module Specifications.

SafetyNet Analog IO Module – Overview

General
The SafetyNet Analog Input Module with HART provides the interface to 8 channels of 4-20 mA input signals. The SafetyNet Analogue Input Module is certified for use in safety-related applications up to SIL 2. In such applications the module is used with the 8851-LC-MT SafetyNet Controller and 8811-IO-DC SafetyNet Discrete Input/Output Module.

Diagnostics
The SafetyNet Analogue Input Module carries out a number of diagnostic checks to confirm the accuracy of the measurement reported and the correct operation of the module. In addition to the primary measurement, a second diagnostic measurement is made using different internal circuitry. The two values are then compared. The primary measurement is reported as faulty if it differs from the diagnostic measurement value by more than 2%. Further tests are carried out on internal supply and reference voltages. If a particular channel fails a test, then that channel is made inactive. If the failed test indicates that the Module is not working correctly, it will enter Controlled Shutdown.

Live maintenance
The field wiring connections to the SafetyNet Analogue Input Module are classified as non-incendive and can therefore be live worked in a Class 1, Division 2 or Zone 2 hazardous area. (Note the Bussed Field Power connection must be isolated before the module is removed or replaced).

Input sampling and filtering
Each input channel is sampled once every 25ms and is filtered by 1st order hardware and software filters. The software filter can be disabled or set to a number of different values according to the filtering requirements of each channel.

HART capability
The HART capabilities of the Analogue Input Module allow acquisition of secondary variables – which can be used by a standard (but not SafetyNet) application program. The Module also allows Emerson’s AMS package to communicate with any HART field device transparently, using HART pass-through. (The first release of SafetyNet will not have full HART capability, contact GE for further information).

LED’s
For the operation of the Power and Fault LED’s see IO Module Overview.

Module ‘Channel’ LED’s (yellow)
On – Channel in range (4-20mA)
Off – Channel inactive
Flashing (equal mark:space ratio) – Any of the following, with an active channel: line fault (indicated by the input measurement being outside the 4-20mA range), loss of HART signal, Hi-Hi or Lo-Lo alarm.

Alarms, Deadband, Dead Zone
The Analogue Input Module has a number of configurable parameters for managing setting and clearing alarms and triggering the reporting of a new input value. Hi, Hi-Hi, Lo and Lo-Lo alarms can be configured – together with a Deadband through which the input must move before the alarm is cleared. The relationship between these parameters is shown in the diagram below. A Dead Zone can also be configured, which is the value by which an input measurement must change before it is reported as a new value.

SafetyNet Analogue Input Module

4-20 mA with HART 8810-HI-TX


♦ 8 single ended 4-20mA input channels
♦ Certified for use in SIL 2 safety applications
♦ Non-incendive field circuits
♦ 2-, 3- or 4-wire transmitters
♦ HART pass-through, acquisition and status reporting*
♦ 24V dc Bussed Field Power required from 8914-PS-AC
MODULE SPECIFICATION
See also System Specification
INPUTS
Number of channels ........................................8, single-ended
Nominal signal range (span) ....................................4 to 20mA
Full signal range ..................................................0.25 to 24mA
Line fault detection
Short circuit current .....................................................> 23.5mA
Open circuit current ......................................................< 0.5mA
Output voltage (@ 20mA)......................................10.2V (min.)
Output current ......................................................28mA (max.)
Accuracy (at 25°C) ............................................± 0.1% of span
Temperature coefficient ...........................................38 ppm/°C
Resolution ......................................................................16 bits
Repeatability ......................................................0.05% of span
Data format ....................16-bit unsigned (0-25mA = 0-65,535)
HART data format ..................................IEEE754 floating point
Isolation
(any channel to Railbus) .......................................250V ac RMS
(between channels) ............................................................none
CONFIGURABLE PARAMETERS
Alarms ..................................high, high-high, low and low-low
Alarm deadband (hysteresis) .......................user defined value
Input filter time constant ............................user defined value
Input dead zone ...........................................user defined value
Drive on fault state .....................disabled /upscale /downscale
HART variable and status reporting .............. enable /disable
RESPONSE TIME
Signal change to availability on Railbus
4–20 mA mode ......................................................25ms (max.)
HART mode....................................................0.75s per channel
* The first release of SafetyNet will not have full HART capability, contact GE for further information.
HAZARDOUS AREA SPECIFICATION
Protection Technique..............................EEx nA [nL] IIC T4
Location (FM and CSA) ..........Class 1, Div.2, Grps A,B,C,D T4
(CSA with non-incendive field terminal, subject to conditions in CSA certificate.)
FM non-incendive field wiring parameters (each channel)
.........................................................Voc = 28.7V; Isc = 33mA
Gas groups A, B ..............................Ca = 0.17μF; La = 11mH
Gas group C ....................................Ca = 0.51μF; La = 33mH
Gas group D ....................................Ca = 1.36μF; La = 88mH
POWER SUPPLIES
System Power Supply.............50mA (typical), 70mA (max.)
Bussed Field Power Supply
.................350mA (2-wire TX max.), 110mA (4-wire TX max.)
MECHANICAL
Module Key Code .............................................................A1
MODULE WIDTH .........................................................42mm
WEIGHT .........................................................................200g
For recommended and compatible Field Terminals, see
Field Terminal - Specification and Selection Guide.
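
An added example, not GE's code: a Python model of how software that receives 8810-HI-TX channel data could apply the data format (0-25mA = 0-65,535), the line fault limits and the alarm deadband and dead zone described above. The class and function names, the direction of the alarm comparisons and the reading of the 2% diagnostic limit as 2% of the 16mA span are assumptions; the data sheet does not define them.

```python
from dataclasses import dataclass, field
from typing import Optional

# Values taken from the 8810-HI-TX specification above.
COUNTS_MAX = 65535        # 16-bit unsigned data format
RANGE_MA = 25.0           # 0-25 mA maps onto 0-65,535
OPEN_CIRCUIT_MA = 0.5     # line fault: open circuit current < 0.5 mA
SHORT_CIRCUIT_MA = 23.5   # line fault: short circuit current > 23.5 mA
# Assumption: the 2% diagnostic limit is taken relative to the 16 mA span.
DIAG_LIMIT_MA = 0.02 * 16.0


def counts_to_ma(raw: int) -> float:
    """Convert a raw 16-bit channel value to milliamps."""
    if not 0 <= raw <= COUNTS_MAX:
        raise ValueError(f"{raw} is not a 16-bit unsigned count")
    return raw * RANGE_MA / COUNTS_MAX


def ma_to_counts(ma: float) -> int:
    """Inverse of counts_to_ma, used only to build the constructed samples."""
    return round(ma * COUNTS_MAX / RANGE_MA)


@dataclass
class AnalogChannel:
    hi_hi: float
    hi: float
    lo: float
    lo_lo: float
    deadband: float    # mA the input must move back before an alarm clears
    dead_zone: float   # mA the input must change before a new value is reported
    alarms: set = field(default_factory=set)
    reported_ma: Optional[float] = None

    def update(self, raw: int, raw_diag: int) -> str:
        """Process one primary/diagnostic pair.

        Returns 'ok', 'diag_mismatch', 'open' or 'short'. On any fault the
        alarm set and the last reported value are left untouched.
        """
        ma, diag = counts_to_ma(raw), counts_to_ma(raw_diag)
        if abs(ma - diag) > DIAG_LIMIT_MA:
            return "diag_mismatch"   # primary measurement cannot be trusted
        if ma < OPEN_CIRCUIT_MA:
            return "open"
        if ma > SHORT_CIRCUIT_MA:
            return "short"
        self._update_alarms(ma)
        if self.reported_ma is None or abs(ma - self.reported_ma) >= self.dead_zone:
            self.reported_ma = ma    # change exceeded the dead zone
        return "ok"

    def _update_alarms(self, ma: float) -> None:
        # High alarms set at the limit and clear one deadband below it.
        for name, limit in (("HiHi", self.hi_hi), ("Hi", self.hi)):
            if ma >= limit:
                self.alarms.add(name)
            elif ma < limit - self.deadband:
                self.alarms.discard(name)
        # Low alarms set at the limit and clear one deadband above it.
        for name, limit in (("LoLo", self.lo_lo), ("Lo", self.lo)):
            if ma <= limit:
                self.alarms.add(name)
            elif ma > limit + self.deadband:
                self.alarms.discard(name)


def run_constructed_samples():
    """Feed constructed (primary mA, diagnostic mA) pairs through one channel."""
    ch = AnalogChannel(hi_hi=19.0, hi=18.0, lo=6.0, lo_lo=5.0,
                       deadband=0.5, dead_zone=0.1)
    samples = [(12.0, 12.0), (12.05, 12.05), (18.2, 18.2), (17.8, 17.8),
               (17.4, 17.4), (12.0, 12.5), (0.2, 0.2), (24.0, 24.0)]
    log = []
    for primary, diag in samples:
        status = ch.update(ma_to_counts(primary), ma_to_counts(diag))
        log.append((primary, status, sorted(ch.alarms), round(ch.reported_ma, 2)))
    return log


if __name__ == "__main__":
    for row in run_constructed_samples():
        print(row)
```
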

8-channel combination 8811-IO-DC

General
The SafetyNet Discrete Input/Output Module provides the interface to 8 channels that may be configured in any combination of discrete inputs and outputs. The SafetyNet Discrete Input/Output Module is certified for use in safety related applications up to SIL 2. In such applications the module is used with the 8851-LC-MT SafetyNet Controller and 8810-HI-TX SafetyNet Analogue Input Module with HART.

Combined inputs and outputs
Each of the 8 channels of the SafetyNet Discrete Input/Output Module may be configured, on a channel-by-channel basis, as either an input or an output. When configured as an input, the channel is suitable for use with dry contacts – with power supplied from the Module. When configured as an output, the channel is capable of switching up to 2.0A (maximum of 6.0A continuous per module). Output channels are used with solenoids, valves and alarms.

Diagnostics
Comprehensive diagnostic tests are performed on the module and each of its channels, including tests for stuck ON and stuck OFF output switches.

Live maintenance
The field wiring connections to the SafetyNet Discrete I/O Module are classified as nonsparking and can only be worked on in a Class 1, Division 2 or Zone 2 hazardous area once the Bussed Field Power connection has been isolated. Note: the Bussed Field Power connection must also be isolated before removing or replacing the module.

Input configuration
Input channels are used to interface to volt free contacts. Line fault detection can be turned OFF or can detect open circuits or both open and short.

Input filtering
A change in the input state is recorded only if the states observed at the start and end of the filter time interval are the same. If they are different the previous state is maintained. (This reduces the chance of noise being incorrectly interpreted as a change of input value). The filter time interval can be configured between 0 and 8s, in 1ms intervals.

Input transition counting
A counter can record the number of filtered transitions of a particular type. Depending on the polarity setting, the counter will either count transitions from 0 to 1, or from 1 to 0. The counter “wraps around” from 65 535 to zero without indication. Transitions are counted even if the channel is configured to “latching”.

Earth leakage detection
Where earth leakage fault detection is required, a single channel of an 8811-IO-DC module must be configured to monitor earth leakage and wired to the appropriate terminals of an 8751-CA-NS Controller Carrier.

Input latching
Inputs can be configured to “latch” a particular (filtered) input transition and maintain the output in the latched state until the latch is cleared. “Normal Polarity” will latch a transition from 0 to 1 as 1, “Inverse Polarity” will latch a transition 1 to 0 as 0. The operation is described in the figure below.

Normally energized and normally de-energized outputs
Individual output channels can be either normally energized or de-energized. Each output channel comprises 2 switches that operate in series with the load – one on the supply line, the other on the return. For normally energized outputs, if a single switch fails short circuit, the other switch can still de-energize the load. If either fails open circuit, the load will be immediately reenergized by the fault. For normally de-energized outputs, if a single switch fails short circuit, the other switch can energize the load. If either fails open circuit, the load cannot be energized. Switches are tested by pulsing them ON or OFF for a maximum of 5 ms – the load must not respond to this length of pulse. This test can be disabled if required.

Short circuit protection
Channels that are configured as outputs and which are short-circuited are protected by over-temperature thermal detection. If an output channel is short-circuited it will briefly conduct an over-specification current, but this will be identified by the thermal detection and the relevant channel made inactive.

Pulsed output
Output channels can be configured to give a pulsed output – of either single static, single dynamic, continuous or continuous dynamic form. The single static pulse is ON for a predetermined time. It then remains OFF until a new pulse instruction is received. The single dynamic pulse is ON for a period that may be changed by the application, then remains OFF until a new instruction to write is received. In continuous pulse mode a series of pulses of defined ON period are sent, with a defined OFF period between. Continuous dynamic pulse mode allows the application to continually vary the ON and OFF times of the pulse train. For all types of Pulsed Output, the ON time of the pulse may be between 0 and 60s in 1ms intervals. For the continuous pulse mode, the OFF period can be set between 0 and 60s, in 1ms intervals.

Pre-configured output patterns
A number of different, pre-defined output patterns are available, which can be used to indicate the occurrence of different events, using the same alarm hardware. The patterns comply with the requirements of NFPA 72 and are shown in figure 2.

Input channel line fault detection
Line fault detection (LFD) for open and short circuit line faults will normally be enabled for safety related input channels. Series resistors are required for short circuit detection and end of line resistors for open circuit detection, as shown in figure 3.
The nominal resistance thresholds employed are shown in the table below.

Output channel line fault detection
Line fault detection (LFD) for open and/or short circuit line faults can optionally be enabled for normally de-energized outputs. (Normally energized loads would be de-energized by either open or short circuit line faults, of these only short circuit faults will be detected and reported by the IO Module). An open circuit fault will be reported for line resistances above 30k. Short circuit line fault detection can be enabled with forward or reverse biased test currents. With forward biased test currents, the threshold at which a short circuit fault is reported is configurable up to 1k. With reverse biased test currents, the threshold is fixed at 1.95k.

LED’s
For the operation of the Power and Fault LED’s see IO Module Overview.

Module ‘Channel’ LED’s (yellow)
On – Input or output ON
Off – Input or output OFF

SafetyNet Discrete Input/Output Module
24Vdc, non-isolated, module powered inputs and outputs 8811-IO-DC
♦ 8 inputs - any combination of inputs and outputs
♦ Certified for use in SIL 2 safety applications
♦ Non-arcing inputs and outputs
♦ Output channels rated up to 2A continuous
♦ Inputs for dry contact switches
♦ 24Vdc Bussed Field Power required from 8914-PS-AC

MODULE SPECIFICATION
See also System Specification
Number of channels ..............................................................8
(independently configured as inputs or outputs)

INPUTS
ON/OFF threshold current ....................................0.9mA (typ.)
O/C Voltage ...................24V dc (typ.) - depends on BFP Supply
Wetting current ......................................................1.2mA (typ.)
Minimum pulse width detected..........................................5ms
Max input frequency in pulse counting mode (no debounce) ......30Hz
Isolation (any channel to Railbus)...................................250V ac

OUTPUTS
Maximum Output Current per Channel ................................2A
Maximum Output Current per Module
Continuous ................................................................................6A
Non-continuous (<10 seconds) ..........................................8A

INPUT CONFIGURABLE PARAMETERS
Filter time interval ....................................0 to 8s (in 1ms steps)
Earth Leakage Detection Channel ............................ON/OFF
Latch inputs ........................................................enable /disable
Latch polarity ....................................latch on high/latch on low
Pulse counting ....................up transition/down transition/disable
Line fault detection.......... none/open circuit/open & short circuit

OUTPUT CONFIGURABLE PARAMETERS
Output type ..............................................pulse/discrete/pattern
Pulse width................................................................1ms to 60s
Line fault detection*..........open line & short circuit detect /disable
* Normally de-energised channels only

RESISTANCE MEASUREMENT ACCURACY
For normally de-energised output open and short-circuit detection.
With forward biased test current
.................................... ±(3.4%+5.3ohm for line resistance 220ohm
..greater of: ±7% or ±(3.1%+27 for line resistance >220<1kohm
With reverse biased test current
................................................greater of: ±7% or ±(3.1%+430ohm

RESPONSE TIME
Input Signal change to availability on Railbus .....5ms (max.)
Railbus command to output change .......................1ms (max.)

HAZARDOUS AREA SPECIFICATION
Protection Technique......................................EEx nA nL IIC T4
Location (FM and CSA) ............Class 1, Div.2, Grps A,B,C,D T4

POWER SUPPLIES
System Power Supply ......................50mA (typ.), 70mA (max.)
Bussed Field Power Supply
All channels configured as inputs .............................50mA (max)
Any channels configured as output................50mA + output load currents

MECHANICAL
Module key code ..................................................................B6
Module width ....................................................................42mm
Weight ................................................................................210g
For recommended and compatible Field Terminals, see Field Terminal - Specification and Selection Guide.

Carriers - overview

General
Carriers are the backplanes on to which the PAC8000 SafetyNet and PAC8000 Controllers are mounted. A Controller Carrier is required for each node, then IO Module Carriers, Carrier Extenders and Cables can be added as required – depending on the number of IO Modules needed and their physical distribution within the cabinet or junction box.

Power and communication
Carriers distribute “system” power to IO Modules and provide the communications route between Controllers and IO Modules. (Controller power is supplied by direct connections to the Controllers themselves). IO Module Carriers provide connectors through which field power can be supplied (see “Bussed Field Power”). Note: field power to Intrinsically Safe IO is managed differently, see the relevant 2/1 data sheets. Multi-pin connectors at the end of each carrier allow further Carriers to be added – and the “system” power supply and “Railbus” connections to be made.

Earthing screens and shields
All I/O Module Carriers have their own independent earthing/grounding strip to terminate the screens/shields of field wiring cables.

SafetyNet Controller Carrier
The SafetyNet Controller Carrier (8751-CA-NS) is the dedicated Carrier for the SafetyNet System. It can support simplex or redundant SafetyNet Controllers and the Power Supply Monitor (8410-NS-PS).

Serial communications
Two D-type connectors are provided on the SafetyNet Controller Carrier for connecting to serial devices. These link to Serial Port “1” of Controller A and Controller B. A second pair of D-type connectors is found on the Controllers themselves, to provide connections to Serial Port “2” where redundant serial communication is required. Further details of the serial port connections are given in the data sheet for the SafetyNet Controllers and Carriers.

Controller Carriers
Two Controller Carriers are available – the standard Controller Carrier and the ELFD Controller Carrier. To comply with the earth leakage fault detection (ELFD) requirements of Fire & Gas application standards, the ELFD Controller Carrier (8751-CA-NS) can be used. A single channel of an 8811-IO-DC module must be allocated to earth leakage detection to implement this function. SafetyNet applications that do not require ELFD can use the standard Controller Carrier (8750-CA-NS).

Change State buttons
Two change state buttons are mounted on the SafetyNet Controller Carrier – one for each Controller. The button is used to switch a master to being the standby in a redundant pair, to switch a standby offline and to instruct an offline standby Controller to synchronise itself with the Controller and to enter standby.

Terminations for power fail inputs
The 8913-PS-AC and 8914-PS-AC power supplies each have an output that indicates the health of the supply. These outputs can be connected to the termination block on the SafetyNet Controller Carrier and are used by the Power Supply Monitor Module to detect failures in any of up to 7 of these external power supplies.

Module Carrier
SafetyNet Systems use the 8-module Carrier with 64-slot addressing (8709-CA-08) for SafetyNet and standard modules. Up to 8 of these may be used together to provide slots for up to 64 IO Modules. The 4-module Carrier (8710-CA-04) can be used where the application requires four IO Modules or less. This will modify the addressing system and users should contact GE Fanuc when considering this option.

Carrier Extenders and Cables
To allow for flexibility in cabinet layout, Carrier Extenders are provided which – together with the Extender Cables – are used to connect Carriers mounted on different sections of the cabinet backplane or DIN rail. Carrier Extenders are used in left- and right-hand pairs.

Controller Carrier
ELFD Controller Carrier 8751-CA-NS

♦ terminals for earth leakage fault detection


♦ accommodates two SafetyNet Controllers
♦ accommodates Power Supply Monitor module
♦ two serial port connections
♦ manual “ change state” buttons

The ELFD Controller Carrier provides a mounting platform for up to two SafetyNet Controllers (8851-LC-MT). It can also accommodate a Power Supply Monitor module (8410-NS-PS) which can monitor the health of up to two 8913-PS-AC, four 8914-PS-AC power supplies and the 12V supply to Intrinsically Safe Modules (when these are used). For each Controller there is a serial port connector and a manually operated “Change State” button. The Carrier also provides terminals that are used when earth leakage fault detection is required.

CARRIER SPECIFICATION
See also System Specification

CARRIER MOUNTING MODULES


SafetyNet Controller (x2) .......................................8851-LC-MT
Power Supply Monitor Module ..............................8410-NS-PS

ELECTRICAL CONNECTIONS
Railbus connector ........................................................male out
Serial port connectors......................9-pin, D-type (female) (x2)
Power Fail connections ....................screw terminals (x7 pairs)
Ground connection ................................M4 screw terminal (x1)
BFP0V connection .................................M4 screw terminal (x1)
Earth leakage fault detection connections
.................................................................screw terminals (1 pair)
System Power connections....................................6-Pin (male)
(Note: this does not provide power to the SafetyNet Controllers)

CONTROLLER CARRIER LAYOUT (figure)

MECHANICAL
Dimensions ...............................200 (w) x 253 (d) mm (footprint)
Height ..............................................28 mm (top of circuit board)
.............................................................................55 mm (overall)
Weight ..............................................................1.43 kg (approx.)
Mounting methods ......................................flat panel (4 fixings)

USER CONTROLS
Two “ change state” buttons, one for each SafetyNet Controller,
are provided on the carrier. The state change depends upon the
controller state before the button is pressed. See table below for
effects.

Controller Carrier
8751-CA-NS (continued)

EARTH LEAKAGE FAULT DETECTION
When earth leakage fault detection is NOT required, a link should be made - as shown below - between the BFP0V and GND connection studs. Note: the BFP0V connection stud must still be connected to Bussed Field Power 0V, marked “-” on the 8914-PS-AC power supply, and the GND connection must still be connected to ground.

When earth leakage fault detection IS required, then the terminals of connector CON12 must be wired to a channel of an 8810-IO-DC module - as shown below - that has been configured for earth leakage. Note: earth leakage fault detection can only operate when BFP0V and all field wiring and field instruments are isolated from ground (GND).

SERIAL PORT CONNECTORS (X2)

SYSTEM POWER SUPPLY CONNECTIONS
Two pairs of System Power supply connections (terminals 2/3 and terminals 4/5) are provided for wiring a redundant pair of 8913-PS-AC power supplies.
Note: The Controllers do not draw their power from these connections, they are supplied with Controller Power via connections on the Controllers themselves.

GND AND BFP0V CONNECTION
The GND terminal must always be connected to the main instrument earth or the ‘star-point’ bus-bar. (Note: the 0V of the 8913-PS-AC power supplies is GND).
The BFP0V terminal must always be connected to 0V of the 8914-PS-AC power supplies.

Controller Carrier
8751-CA-NS (continued)

PSU POWER FAIL CONNECTIONS
An 8410-NS-PS Node Services Power Supply Monitor Module must be installed on the Controller Carrier to make use of this capability. If an 8410-NS-PS is not being used, then it is not necessary to make any connections to the PSU Power Fail terminals.

Terminal pairs 1, 2, 4 and 5
These terminal pairs are used to monitor the AUX (or power fail) output from up to four 8914-PS-AC power supplies. The upper terminal of each pair is connected directly to the AUX terminal of the 8914-PS-AC that is to be monitored. It is not necessary to connect the lower terminal - as this is internally connected to the BFP0V terminal on the Carrier. If any of the 8914-PS-AC supplies are acting as redundant pairs, then these should be connected to terminal pairs 1 and 2 and/or terminal pairs 4 and 5. If a pair is unused, a shorting link must be placed between the upper and lower terminals, otherwise the Power Supply Monitor Module will continuously report a fault.

Terminal pair 3
The upper terminal of this pair should be connected to the 24V dc supply of the 8914-PS-AC supply monitored by terminal pairs 1 and 2. The lower should be connected to the 24Vdc supply of the 8914-PS-AC monitored by terminal pairs 4 and 5. If a single pair of 8914-PS-AC power supplies is being monitored, then it is only necessary to make single connection to appropriate terminal of pair 3.

Terminal pair 6
This terminal pair is unconnected and should not be used.

Terminal pairs 7 and 8
These terminal pairs are used to monitor the AUX (or power fail) output from up to two 8913-PS-AC power supplies. The upper terminal of each pair is connected directly to the AUX terminal of the 8913-PS-AC that is to be monitored. It is not necessary to connect the lower terminal - as this is internally connected to the GND terminal on the Carrier. If a pair is unused, a shorting link must be placed between the upper and lower terminals, otherwise the Power Supply Monitor Module will continuously report a fault.

Terminal pair 9
If a Railbus Isolator (8922-RB-IS) is not used in the node, this terminal pair must be fitted with a shorting link to prevent an alarm condition being signalled to the Controller. If a Railbus Isolator is used, internal connections are made to monitor the failure of any power supplies used to provide power for the Intrinsically Safe IO Modules.

Module Carrier
8-module Carrier - extended addressing 8709-CA-08

♦ 64-slot address bus
♦ accepts up to eight SafetyNet and/or standard I/O modules
♦ DIN rail or panel mounting
♦ carries control signals and data on Railbus
♦ distributes System Power to modules
♦ distributes Bussed Field Power to modules
♦ isolated earthing bar for cable screens/shields

CARRIER SPECIFICATION
See also System Specification

ELECTRICAL CONNECTIONS
Railbus connectors .....................................female in, male out
Cable screens/shield connections...M4 screw terminals (x34)
Bussed field power supply connectors.........8-pin male (x2)
The two 8-pin connectors provided at the top rear of the carrier connect power supplies for ‘field power’. These supplies are routed through I/O modules that require power for their field circuits.

MECHANICAL
Dimensions .................................342 (w) x 170 (d) x 22 (h)mm
Weight ..............................................................................680g
Mounting methods..................................Flat panel or DIN rail
DIN-rail types
..........‘Top hat’ 35 x 7.5mm rail or 35 x 15mm rail to EN 50022
........................................................G-section rail to EN 50035

BUSSED FIELD POWER CONNECTOR
CONNECTOR AND TABLE
The table above gives the connection details for modules 1 to 4. The second connector provides identical connections for modules 5 to 8.
Note: For applications with up to 4 IO Modules, it is possible to use the 4-module Carrier (8710-CA-04). For further information, contact MTL.

Carrier Extender
Left-hand/right-hand 802x-CE-Xh

♦ ensures Railbus and power supply continuity
♦ pairs (left & right hand) link separate carrier runs
♦ sub-D connectors linked via multi-way cable
♦ multi-pin connector to carrier
♦ maximum of 3 extender pairs per node
♦ 32- and 64-slot address capable

CARRIER SPECIFICATION
See also System Specification

ELECTRICAL CONNECTIONS
Railbus carrier connector
8020-CE-RH ..................................................................female in
8021-CE-LH....................................................................male out
Extender cable connector ........................Sub-D, 37-pin female
System Power cable connections* ..............screw terminal (x6)
System Power cable conductor size..................2.5mm² (max.)
* The six terminals for the System Power connections must be made in addition to connecting the Extender cable. The Terminals on the left- and right- hand extenders indicate which connections need to be made for System Power (HVCC + and HVCC -) and an internal ground connection (SGND).

MECHANICAL
Dimensions (overall) .................42 (w) x 168 (d) x 37 (h)mm
Weight. ..........................................................................135g
Mounting method .............................integral DIN-rail fixings
DIN rail types
..................‘Top hat’, 35 x 7.5mm or 35 x 15mm to EN 50022
...........................................................G-section, to EN 50035

PART NUMBERS
Carrier Extender, Right-hand 8020-CE-RH
Carrier Extender, Left-hand 8021-CE-LH

Carrier Extender Cable
0.35m, 0.85m 1.2m 800x-CC-xx
♦ Railbus data extender cables
♦ three lengths - 0.35, 0.85 and 1.2 m
♦ Sub-D cable connectors

SPECIFICATION
See also System Specification

ELECTRICAL CONNECTIONS
Extender cable connectors....................Sub-D, 37-pin male (X2)
Carrier Extension Cable, 0.35m 8001-CC-35
Carrier Extension Cable, 0.85m 8002-CC-85
Carrier Extension Cable, 1.2m 8003-CC-12

Field Terminals – overview

General
Field terminals are removable units for terminating wiring from field instruments. Each IO Module combines with a Field Terminal to which the wiring from field instrumentation is connected. Recommended and compatible Field Terminal types are given in the Field Terminal Specification and Selection Guide. They can be selected to optionally include loop disconnection and fusing – eliminating the need for additional terminals and wiring between the Field Terminal and the instrumentation. By wiring directly to the Field Terminal, there is no need for additional terminals or wiring. This simplifies connection of the field wiring. The Field Terminal is secured in place by the insertion of the IO Module.

Wiring to Field Terminals
SafetyNet IO Modules all use 8-channel Field Terminals, to which wiring with a cross section of up to 2.5mm² can be connected. Each termination point is clearly numbered to simplify recognition of each terminal. The two rows of terminals are offset to allow access to the lower row when wiring is in place.

8-channel Field Terminals
SafetyNet IO Modules use standard 8000 Process I/O 8-channel Field Terminals. Depending on the application, the Field Terminals may be for general purpose, non-arcing or non-incendive field wiring, may incorporate fused disconnects and may be for 2-, 3- or 4-wire transmitters.

Fused disconnect
The fused disconnect Field Terminals incorporate a 2A fuse that can be partially withdrawn from the Field Terminal to act as a loop disconnect.

Tag strip
Each Field Terminal is supplied with an integral tag strip, which is hinged to provide access to the wiring terminals and the fuse disconnects.

Field Terminal clicks on to Carrier
The Field Terminal is easily removed from the Carrier – it is held in place by a sprung latch that can be released without the need for tools.

Keying
Rotary keys in the Field Terminal are adjustable to allow insertion of certain modules. Modules that would cause field wiring to be unsafe (in respect of hazardous areas) cannot be inserted. The four types of Field Terminal can be identified from the diagram below

Field Terminal - Specification and Selection Guide
Field Terminals 86xx-FT-xx
♦ a range of Field Terminals
♦ standard, fused and loop-disconnect
♦ tag strip fitted to all Field Terminals

FIELD TERMINAL SPECIFICATION


See also System Specification

ELECTRICAL
Rated voltage ................................................................250V ac
Maximum current per I/O channel.................................3A
Fuse rating (where fitted) ..............................................2A
Conductor size ...............................................0.14–2.5mm2
MECHANICAL
Dimensions - approx (including tagging strip)
.................................................42 (w) x 88 (d) x 39.5 (h)mm
Weights (typical - including tagging strip)
Unfused type ................................................................78g
Fused type ....................................................................86g

PART NUMBERS
CONNECTION DIAGRAM
The connection diagram below applies to all Field Terminals
used with SafetyNet IO Modules.

Power Supplies – overview
Redundancy
Redundancy is implemented by “pairing” each power supply
with a second power supply. If the optional Node Services
Power Supply Monitor (8410-NS-PS) is used, then this can
detect if there has been a failure in any one of up to six
8913-PS-AC / 8914-PS-AC power supplies and the 2/1 power
supplies for nodes including Intrinsically Safe IO – and will
then report that such a failure has occurred.

Wide range of input voltages


The 8913-PS-AC and 8914-PS-AC power supplies accept
AC input voltages in the range 85 - 264V ac.

Hazardous area mounting


Each power supply can be mounted in Class 1, Division 2 or
Zone 2 hazardous areas.

Operating ambient temperature
When mounted with the optimum orientation for cooling, the
power supplies will provide their full rated output in operating
ambient temperatures of +70°C (provided the input range is in
excess of 125V ac).

General
In order to meet the relevant safety requirements, the power
supplies are specifically designed for use with PAC8000
SafetyNet and are used to power the SafetyNet Controller
and IO Modules. The 8913-PS-AC power supply must be
used to supply the 12V dc for the SafetyNet Controller and
System Power, and the 8914-PS-AC power supply must be
used for the 24V dc Bussed Field Power supply to the
SafetyNet IO Modules.

Power Supply
System Power 8913-PS-AC
♦ 12V dc @ 5A System and Controller power
♦ 24V dc @ 5A for powering local instrumentation
♦ 85 – 264V ac input voltage
♦ Zone 2/Div 2 hazardous area mounting
♦ 12V output supports load sharing for redundancy†

POWER SUPPLY SPECIFICATION

See also System Specification

ELECTRICAL CONNECTIONS
AC Input connections.........................screw terminals (x3)
DC Output connections .....................screw terminals (x8)
Power fail signal connection ...............screw terminal (x1)

INPUT SPECIFICATION
Input voltage.....................................................85–264V ac
Input frequency ....................................................47–65Hz
Power efficiency ...............................................Up to 87 %
Input protection ..internal (6.3A) slow-blow fuse and VDR*

OUTPUT SPECIFICATION
DC24V output voltage ...............................24.7V dc ± 10%
DC12V output voltage ...............................11.95V dc ± 5%
DC24V output current...............5A (nominal - see Figure 1)
DC12V output current .............5A (nominal - see Figure 1)
Input-output isolation .........................................2800V dc
Hold-up time (at full rated load) ......................15ms (typ.)
Thermal protection. .........................reduced output power
Supply health indicator. .............................................LED

POWER-FAIL SIGNALLING - DC12V output only
Threshold to trigger "power-fail" signal ............11.33V (max.)
................................................................................10.30V (min.)
Power-fail signal output (open collector)
Power supply "OK"..............Low impedance to –ve of DC12V output
Power supply "failure" ......High impedance to –ve of DC12V output

HAZARDOUS AREA SPECIFICATION
Protection Technique..............................................EEx nA II T4
Location (FM) ..........................Class 1, Div.2, Grps A,B,C,D T4
Location (CSA) ......................Class 1, Div.2, Grps A,B,C,D T3C

MECHANICAL
Dimensions ........103 (w) x 138 (h) x 113.6 (d)mm (see Figure 4)
Mounting methods ..............35 mm x 7.5 mm T-section DIN rail
(see also Accessories overleaf)
Weight ................................................................................750g

APPROVALS
• EN 61204: 1995 Low-voltage power supply devices, d.c. output -
Performance characteristics and safety requirements
• EN 60950-1: 2002 Safety of information technology equipment
• EN 61326: 1997 + A1: 1998 + A2: 2001 Electrical equipment for
measurement, control and laboratory use - EMC requirements (Class A
equipment)
• EN50021: 1999 Electrical apparatus for potentially explosive atmospheres -
Type of protection “n”

Figure 1 - DC24V and DC12V output current de-rating

† The 24Vdc output does not support load sharing and should only be
used for supplying local 24Vdc instrumentation. It should not be
used to supply 24Vdc Bussed Field Power.
* voltage dependent resistor

Power Supply
System Power 8913-PS-AC continued
TERMINAL ASSIGNMENTS
Input connector screw terminals

Power Supply
Bussed Field Power 8914-PS-AC

♦ 24V dc @ 10A for Bussed Field Power


♦ 85 – 264V ac input voltage
♦ Zone 2/Div 2 mounting
♦ supports load sharing for redundancy

POWER SUPPLY SPECIFICATION


See also System Specification

ELECTRICAL CONNECTIONS
AC Input connections..........................screw terminals (x3)
DC Output connections ......................screw terminals (x8)
Power fail signal connection ....................screw terminal (x1)

INPUT SPECIFICATIONS
Input voltage .....................................................85–264V ac
Input frequency......................................................47–65Hz
Power efficiency ..................................................up to 87 %
Input protection ....internal (6.3A) slow-blow fuse and VDR*

OUTPUT SPECIFICATIONS
Output ............................................................24V dc ± 10%
Output current .........................10A (nominal - see Figure 1)
Input-output isolation .........................................2800V DC
Hold-up time (at full rated load) ...........................15ms (typ.)
Thermal protection ............................reduced output power
Supply health indicator .................................................LED

POWER-FAIL SIGNALING
Threshold to trigger "power-fail" signal.........23.3V (max.)
............................................................................22.0V (min.)
Power-fail signal output (open collector)
Power supply "OK" .....................low impedance to ground
Power supply "failure" ...............high impedance to ground

HAZARDOUS AREA SPECIFICATION
Protection Technique........................................EEx nA II T4
Location (FM) .....................Class 1, Div.2, Grps A,B,C,D T4
Location (CSA) ................Class 1, Div.2, Grps A,B,C,D T3C

MECHANICAL
Dimensions ........103 (w) x 138 (h) x 113.6 (d)mm (see Figure 4)
Mounting methods ........35 mm x 7.5 mm T-section DIN rail
(see also Accessories overleaf)
Weight ...........................................................................750g

APPROVALS
• EN 61204: 1995 Low-voltage power supply devices, d.c.
output - Performance characteristics and safety
requirements
• EN 60950-1: 2002 Safety of information technology
equipment
• EN 61326: 1997 + A1: 1998 + A2: 2001 Electrical
equipment for measurement, control and laboratory use -
EMC requirements (Class A equipment)
• EN50021: 1999 Electrical apparatus for potentially explosive
atmospheres - Type of protection “n”

Power Supply
Field Power 8914-PS-AC continued
TERMINAL ASSIGNMENTS
Input connector screw terminals

Output connector screw terminals

ACCESSORIES
Heavy duty DIN rail mounting kit* ......................8413-FK-DN
Surface panel mounting kit..................................8414-FK-SU
* For high vibration environments

Node Services Power Supply Monitor
8410-NS-PS

♦ power supply status monitoring for 8913-PS-AC
and 8914-PS-AC power supplies
♦ indicates supply failures to SafetyNet Controller
♦ monitors up to two 8913-PS-AC, four 8914-PS-AC
power supplies and the 2/1 supply for nodes including
IS IO modules
♦ Zone 2/Div 2 hazardous area mounting
♦ mounts on 8571-CA-NS Carrier

The Power Supply Monitor can monitor the health of
supplies powering a SafetyNet node and signal the
Controller in the event of any one of them failing. The
module can receive power supply status signals from up to
two 8913-PS-AC and four 8914-PS-AC power supplies. It
can also monitor the status of 8920-PS-DC supplies
powering intrinsically safe I/O modules. Where power supply
redundancy is employed, the module enables failed power
supplies to be identified and replaced without interference to
the process. The module itself may be removed and
replaced in a Zone 2/ Div 2 hazardous area without gas
clearance.

MODULE SPECIFICATION
See also System Specification
LED INDICATOR
PWR (i.e. System power supply present)
HAZARDOUS AREA SPECIFICATION
Protection Technique.....................................EEx nL IIC T4
Location (FM and CSA) .....Class 1, Div.2, Grps A,B,C,D T4
POWER SUPPLIES
System Power Supply....................5mA (typ.), 10mA (max.)
MECHANICAL
Mounting method ...........................(captive x2) screw fixing
Weight (approx.) ............................................................75g
DIMENSIONS
Dimensions in mm

System Specification

ENVIRONMENTAL
Operating Ambient Temperature
Optimum orientation* ..........................................-40°C to +70°C
Non-optimum orientation......................................-40°C to +50°C
Storage ..............................................................-40°C to +85°C
Relative Humidity..............................5 to 95% (non-condensing)
Ingress protection ............................IP20 to BS EN60529: 1992
Corrosion resistance............Designed to meet ten year service
in Class G3 corrosive environment, as per ISA S-71.04: 1985
“Environmental Conditions for Process Measurement and Control
Systems: Airborne Contaminants”.
* With field terminals vertically above or below the IO Modules.
Operating vibration resistance
DIN rail mounted* ....................................................................
..................1g (sinusoidal vibration 10 – 500Hz to EN 60068-2-6)
..................1g (random vibration 20 – 500Hz to BS2011: Part 2.1)
Surface mounted ......................................................................
..................5g (sinusoidal vibration 10 – 500Hz to EN 60068-2-6)
..................5g (random vibration 20 – 500Hz to BS2011: Part 2.1)
* The ELFD Controller Carrier 8751-CA-NS can only be surface
mounted.
Operating, Storage and Transportation vibration resistance
.....30g peak acceleration, with 11ms pulse width (EN 60068-2-27)
Storage and Transportation shock resistance
..................................1m drop onto flat concrete (EN 60068-2-32)

MECHANICAL
DIN-rail types
..............................................‘Top hat’, 35 x 7.5mm to EN 50022
..............................................‘Top hat’, 35 x 15 mm to EN 50022
................................................................G-section, to EN 50035

ISOLATION
Between SafetyNet channels ............................................none
Channel (any) to railbus ......................................250V ac rms

NODE SIZE LIMITATIONS
Maximum physical length of railbus* ............................6.8m
Maximum number of extender cables ..................................3
Maximum number of IO Modules........................................64
Maximum number of SafetyNet nodes ............................249
* overall including backplanes and extender cables

HAZARDOUS AREA APPROVAL
SafetyNet node location
..................................................................................Safe area or
....................................................Zone 2, IIC, T4 hazardous area
........................Class 1, Div 2, Groups A-D T4* hazardous location
* 8913-PS-AC and 8914-PS-AC power supplies T3C
Field equipment and wiring location
..................................................................................Safe area or
..........................................................Zone 2, IIC hazardous area
..............................Class 1, Div 2, Groups A-D hazardous location
(Temperature classification will be determined by the field
apparatus)
Applicable hazardous area standards:
◆ Factory Mutual Research Co., 3611: 2004. “Non-incendive
Electrical Equipment for use in Class I and II, Division 2, and
Class III Divisions 1 and 2, Hazardous (Classified) Locations”.
◆ CSA C22.2 No 213-M1987, Reaffirmed 2004. “Nonincendive
Electrical Equipment for Use in Class I, Division 2 Hazardous
Locations”.
◆ EN 60079-0:2004 “Electrical apparatus for explosive gas
atmospheres. Part 0: General Requirements”.
◆ EN 60079-15: 2005 “Electrical apparatus for explosive gas
atmospheres. Part 15: Construction, test and marking of type of
protection ‘n’ electrical apparatus”.

ELECTRICAL STANDARDS AND APPROVALS
Applicable EMC standards
◆ EN 61326-1: 2005. “Electrical equipment for measurement,
control and laboratory use – EMC requirements. Part 1: General
requirements”.
Applicable Electrical Safety standards
◆ IEC 61131-2: 2003. “Programmable controllers - Part 2:
Equipment requirements and tests”.

SAFETY APPROVALS
Applicable Functional safety standards
◆ IEC 61508:2000. “Functional Safety of
Electrical/Electronic/Programmable Electronic Safety-related
Systems”
◆ IEC 61511:2004. “Functional Safety - Safety Instrumented
Systems for the Process Sector”.

CABLE PARAMETERS FOR NON-INCENDIVE FIELD WIRING
