Overview of HIMA H41q/H51q Safety PLC System
The HIMA H41q and H51q system families are third-generation programmable electronic systems that have been field validated and designed specifically for safety critical applications in the process industry. These two system families are based on the same hardware and software platform, mainly used to control process flows with extremely high safety and availability requirements such as chemical plants, refineries, and power plants.
The core design philosophy of HIMA PES is to balance safety and usability. HIMA PES can be configured as a single channel or dual channel (redundant) system based on the required safety level (requirement levels AK 1 to 6 in accordance with DIN V 19250 standard) and availability requirements. This flexibility is not only reflected in the central module, but also applies to input/output modules and I/O buses, providing users with a complete solution from basic safety to the highest availability safety system.
The system configuration uses the ELOP II programming system to input, compile, load, test, and monitor user programs through a personal computer. All HIMA modules comply with the requirements of the EU EMC Directive 89/336/EWG and bear the CE mark, ensuring electromagnetic compatibility in harsh industrial environments.
System Architecture and Selection Guide
The HIMA H41q and H51q system families offer multiple models based on the redundancy level of the central module, I/O bus, and I/O module to meet different safety levels and availability requirements. Users can choose based on the number of I/O points and system complexity.
2.1 H41q Compact System
The H41q series is a highly integrated compact system, with all components including the central unit, power supply, fuses, power distribution, and input/output modules installed in a 5U height 19 inch subrack. This integrated design simplifies system integration and saves control cabinet space. It is suitable for applications with fewer I/O points (<192 points).
2.2 H51q Modular System
The H51q series adopts a modular design, consisting of a 5U high central rack and up to 16 4U high I/O sub racks, which can support up to 256 I/O modules and is suitable for large distributed control systems. It is suitable for complex applications with a large number of I/O points (>192 points) or requiring more than 2 serial interfaces.
2.3 Model Naming and Redundancy Concept
The suffix of the system model directly defines its redundant architecture:
M (Mono): Single channel central module and single channel I/O bus. Provides standard availability.
MS (Mono, Safety): A TÜV certified single channel central module (using a dual processor architecture) and single channel I/O bus. Meets safety requirement levels AK 1-6 with standard availability.
H (High): Redundant central module and single channel I/O bus. Provides high availability.
HS (High, Safety): A TÜV certified redundant central module (using a dual processor architecture) and a single channel I/O bus. Provides high availability and safety (AK 1-6).
HR (High, Redundant): Redundant central module and dual channel I/O bus. Provides extremely high availability.
HRS (High, Redundant, Safety): A TÜV certified redundant central module (using a dual processor architecture) and dual channel I/O bus. Provides the highest availability and safety (AK 1-6).
Core central module
The H41q and H51q system families are based on two core central modules: the safety type (F8652/F8650, dual processor) and the standard type (F8653/F8651, single processor).
3.1 Safe central module F8650/F8652
Specially designed for safety related applications, with TÜV certification, meeting AK levels 1-6.
Dual processor architecture: Two microprocessors run in parallel with synchronized clocks. The key safety mechanism is that one processor processes real data and programs, while the other processes inverted data and programs.
Testable hardware comparator: Compares all external accesses of the two processors in real time. Once a difference is detected, the safety watchdog is immediately set to a safe state and a processor status signal is sent out, achieving true fail-safe control.
Program memory: Flash EPROM, supporting at least 100,000 write cycles, used to store the operating system and user program.
Data storage: SRAM, protected against power failure by the lithium battery on the central module, with battery monitoring.
Interface and Diagnosis: Provides 2 electrically isolated RS-485 interfaces (maximum 57600 bps), equipped with a 4-digit alphanumeric display screen and 2 LED indicator lights for displaying system status and diagnostic information.
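The following added example (a simplified model, not HIMA firmware or code from the manual) illustrates why running the second channel on inverted data catches faults that a plain duplicate comparison misses. The 16-bit word width, the AND/OR program pair, and the stuck-at-0 fault model are assumptions chosen for the illustration.

```python
MASK = 0xFFFF  # assumed 16-bit word width for this illustration


def channel_a(x, y, stuck=0):
    """True channel: real data, real program (here: a logical AND).
    'stuck' marks result bits forced to 0 by a modelled hardware fault."""
    return (x & y) & ~stuck & MASK


def channel_b(x, y, stuck=0):
    """Inverted channel: inverted operands and the dual program.
    By De Morgan, NOT(x AND y) == (NOT x) OR (NOT y)."""
    nx, ny = ~x & MASK, ~y & MASK
    return (nx | ny) & ~stuck & MASK


def comparator_ok(a, b):
    """Channels agree only if every bit of b is the complement of a."""
    return (a ^ b) & MASK == MASK


def scan(x, y, stuck_a=0, stuck_b=0):
    """One cycle: run both channels, compare, drop the watchdog on mismatch.
    With the watchdog dropped the output is forced to the safe value 0."""
    a = channel_a(x, y, stuck_a)
    b = channel_b(x, y, stuck_b)
    wd = comparator_ok(a, b)
    return {"watchdog": wd, "output": a if wd else 0}


def plain_duplicate_agrees(x, y, stuck=0):
    """Contrast case: two identical channels hit by the same fault.
    Both produce the same wrong value, so an equality check still passes."""
    return channel_a(x, y, stuck) == channel_a(x, y, stuck)


if __name__ == "__main__":
    print(scan(0x0F0F, 0x00FF))                          # healthy cycle
    print(scan(0x0F0F, 0x00FF, stuck_a=1, stuck_b=1))    # common-mode fault
    print(plain_duplicate_agrees(0x0F0F, 0x00FF, stuck=1))
```

A bit stuck at 0 in both channels cannot be complementary in both, so the inverted comparison fails and the watchdog drops, whereas the identical-channel comparison still agrees on the corrupted value.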
3.2 Standard central module F8651/F8653
Used for standard or high availability (non-safety) applications. It uses a single Intel 386 EX processor with a clock frequency of 25 MHz and has interfaces and diagnostic functions similar to those of the safety modules, but does not include the dual processor comparison architecture.

Input/output subsystem and safety shutdown
4.1 I/O module characteristics
Online plugging and unplugging: All I/O modules support live plugging and unplugging while the system is running, greatly facilitating maintenance.
Intrinsic Safety (Ex) i Module: Available in two models with PCB coating and without coating, suitable for hazardous areas. When using a coated Ex i module, the adjacent slot on the right must be kept empty or a blind plate with an isolation plate must be installed to ensure safe isolation.
4.2 Safe output module
All safety related output modules meet the AK 6 level requirements, and their key designs include:
Triple redundant shutdown: Three series connected semiconductor switches are used internally, far exceeding the requirement of two independent components for safe shutdown, achieving "integrated safe shutdown". Once the module fails, it will automatically switch to a safe power-off state.
Parallel capability: To improve availability, the output terminals of the safety type output module can be used in parallel without the need for external diodes.
L- supply design: When the negative supply terminal L- is cut off, there is no voltage at the output terminal, so L- does not need to be wired as a ring feeder, which simplifies design and troubleshooting.
4.3 Safety shutdown mechanism
The core safety mechanism of HIMA PES is to drive the process to a safe state when a fault occurs. The system performs different levels of shutdown based on the location and severity of the fault:
Module shutdown: A testable output module with integrated safety shutdown function will automatically switch to a safe power-off state when an internal fault is detected.
Group shutdown: Up to 10 testable output modules can be defined as a group through the H8-STA-3 function block in the user program. When any module in the group fails, the user program can trigger the shutdown of the whole group.
Watchdog shutdown: In the event of an I/O bus failure, dual output module failure, or central module failure, the associated central module will cut off its watchdog signal (WD), resulting in the safe shutdown of all related output modules.
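The three shutdown levels above can be modelled as a small decision function. This is an added example, not HIMA code or the H8-STA-3 function block itself: the function and module names are hypothetical, the group shutdown is assumed to be triggered automatically whenever a member fails, and only I/O bus and central module failure are modelled as watchdog causes.

```python
MAX_GROUP_SIZE = 10  # from the text: up to 10 testable output modules per group


def evaluate(groups, faulty=(), io_bus_ok=True, central_ok=True):
    """Return {module: (energised, shutdown_level)} for one evaluation cycle.

    groups    : dict mapping a group name to its list of output module names
    faulty    : modules whose self-test has reported an internal fault
    io_bus_ok : False models an I/O bus failure
    central_ok: False models a central module failure
    """
    for name, members in groups.items():
        if len(members) > MAX_GROUP_SIZE:
            raise ValueError(f"group {name!r} exceeds {MAX_GROUP_SIZE} modules")

    # The central module keeps the watchdog signal (WD) up only while
    # both it and the I/O bus are healthy.
    wd = io_bus_ok and central_ok

    state = {}
    for members in groups.values():
        group_tripped = any(m in faulty for m in members)
        for m in members:
            if not wd:
                level = "watchdog"   # WD removed: all related outputs go safe
            elif m in faulty:
                level = "module"     # integrated safety shutdown in the module
            elif group_tripped:
                level = "group"      # healthy module, shut down with its group
            else:
                level = None         # output stays under user program control
            state[m] = (level is None, level)
    return state


if __name__ == "__main__":
    # Constructed sample configuration
    demo = {"burner": ["DO1", "DO2"], "pump": ["DO3"]}
    print(evaluate(demo, faulty={"DO1"}))
    print(evaluate(demo, io_bus_ok=False))
```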
Power Supply and Distribution
5.1 System Voltage
The HIMA system uses two voltage levels: 24 V DC (L+/L-) for peripheral devices and 5 V DC for microprocessor systems. The 5 V DC supply is generated from 24 V DC by a high-frequency switching power module (F7126 for H51q, F7130A for H41q).
5.2 Power Redundancy and Monitoring
Redundant configuration: In high availability (H/HR/HS/HRS) systems, multiple parallel power modules are equipped. When one module fails, other modules can seamlessly take over to ensure the continuous operation of the system.
Voltage monitoring: The 5 V DC output voltage is monitored for undervoltage and faults by the central module or monitoring module (F7131). Fault information is transmitted to the user program through system variables for easy diagnosis.
Battery buffering: The SRAM and hardware clock on the central module are buffered by onboard lithium batteries. The SRAM of the coprocessor module (F8621A) in the H51q system is buffered by the lithium battery on the monitoring module F7131.
Communication Interface and Expansion
HIMA PES provides multiple communication interfaces to meet different levels of system integration requirements.
RS-485 interface: Each central module comes standard with 2 electrically isolated RS-485 interfaces, used to connect programmers (via H7505 converter) or build control system buses (HIBUS), with a maximum transmission rate of 57600 bps. In the H51q system, up to 6 additional RS-485 interfaces can be extended through up to 3 coprocessor modules (F8621A).
Ethernet interface: Through the communication module F8625, Ethernet communication that complies with the IEEE 802.3 10BaseT standard can be achieved, and up to 10 interfaces can be expanded.
Profibus DP interface: Through the communication module F8626, Profibus DP slave communication can be achieved, with a maximum transmission rate of 12 Mbit/s and the ability to expand up to 10 interfaces.
Installation, Maintenance, and Standardization
7.1 ESD Protection
The manual opens with an 'Attention' notice emphasizing the crucial importance of electrostatic discharge (ESD) protection. Maintenance on power, signal, and data lines must be carried out by qualified personnel who take all necessary ESD protection measures. Maintenance personnel must discharge their own static electricity before directly contacting these lines.
7.2 Module insertion and removal
I/O module: can be plugged and unplugged with power. When pulling out, first loosen the fixing screw and pull out the cable plug together. When inserting, first insert and secure the module, then insert the cable plug.
Central module: Before unplugging, remove the data cable and use the ejection lever on the module to separate it from the bus board. Before insertion, check the switch and jumper settings.
7.3 Grounding and Electromagnetic Compatibility
To meet CE requirements and ensure electromagnetic compatibility, strict grounding and shielding measures must be taken:
Grounding: The system supports floating operation or operation with L- grounded. The grounding resistance should be ≤ 2 ohms. L- may be grounded at only one point within the system.
Shielding: The shielding layer of the communication data line must be grounded at the single end of the bus user side (such as H41q/H51q). On site cables (sensors/actuators) should use shielded cables and be laid separately from power cables.
7.4 Buffer battery replacement
The central module uses lithium batteries (such as CR 2477N) to buffer the SRAM. HIMA recommends replacing the battery every 2.5 years or within three months when the "BATE" indicator appears on the display screen.
Technical Data Summary
Working temperature: 0 °C to +60 °C
Storage temperature: -40 °C to +85 °C (without battery) / -40 °C to +75 °C (with battery)
Supply voltage: 24 V DC (+20%/-15%)
EMC immunity: Complies with EN 50082-2 industrial environment standards, including ESD contact 6 kV, air 8 kV, Burst 2 kV, and other tests.
EMC emission: Complies with EN 50081-2 industrial environmental standards, with limits meeting Class A requirements.
Mechanical testing: Complies with the IEC 68 series standards, including sine vibration (1g) and impact (15g/11ms) testing.

