The HIMA H41q and H51q system families are third-generation programmable electronic systems that have been field validated and designed specifically for safety critical applications in the process industry. These two system families are based on the same hardware and software platform, mainly used to control process flows with extremely high safety and availability requirements such as chemical plants, refineries, and power plants.
The core design philosophy of HIMA PES is to balance safety and availability. HIMA PES can be configured as a single-channel or dual-channel (redundant) system based on the required safety level (requirement classes AK 1 to 6 in accordance with DIN V 19250) and the availability requirements. This flexibility applies not only to the central module but also to the input/output modules and I/O buses, giving users a complete range from basic safety systems to safety systems with the highest availability.
The system configuration uses the ELOP II programming system to input, compile, load, test, and monitor user programs through a personal computer. All HIMA modules comply with the requirements of the EU EMC Directive 89/336/EWG and bear the CE mark, ensuring electromagnetic compatibility in harsh industrial environments.
System Architecture and Design Philosophy
The HIMA H41q and H51q system families offer multiple models based on the redundancy level of the central module, I/O bus, and I/O module to meet different safety levels and availability requirements.
2.1 H41q Compact System
The H41q series is a highly integrated compact system, with all components including the central unit, power supply, fuses, power distribution, and input/output modules installed in a 5U height 19 inch subrack. This integrated design simplifies system integration and saves control cabinet space.
H41q-M/MS: Single channel central module and single channel I/O bus. The MS model uses a dual processor central module (F8652), is certified by TÜV, and can reach the highest requirement class, AK 6.
H41q-H/HS: Redundant central module and single channel I/O bus, used to improve availability. The HS model also uses dual processor redundant central modules, combining high availability and safety.
H41q-HR/HRS: Redundant central module and redundant dual channel I/O bus, designed for maximum availability requirements. The HRS model has been certified by TÜV and meets AK 6.
2.2 H51q Modular System
The H51q series has a modular design consisting of a 5U high central rack and up to 16 I/O subracks, each 4U high. It supports up to 256 I/O modules and is suitable for large distributed control systems.
H51q-M/MS: Single channel central module and single channel I/O bus. The MS model is equipped with a dual processor central module (F8650), suitable for applications with the highest safety level.
H51q-H/HS: Redundant central module and single channel I/O bus, balancing high availability and economy.
H51q-HR/HRS: Redundant central module and redundant dual channel I/O bus, achieving the highest system availability and fault tolerance. The HRS model has been certified by TÜV to AK 6.
2.3 Safety shutdown concept
The core safety mechanism of HIMA PES is to drive the process to a safe state when a fault occurs. For systems with defined safety states, this is usually the lowest energy state. The system performs different levels of shutdown based on the location and severity of the fault:
Module shutdown: A testable output module with integrated safety shutdown function will automatically switch to a safe power-off state when an internal fault is detected.
Group shutdown: Up to 10 testable output modules can be defined as a group through the H8-STA-3 function block in the user program. When any module in the group fails, the user program can trigger the shutdown of the whole group.
Watchdog shutdown: When an I/O bus failure, dual failure of output modules, or central module failure occurs, the associated central module will cut off its watchdog signal, causing all related output modules to shut down safely.
Central module and core processing unit
The H41q and H51q system families are based on two types of central module: F8652/F8650 (safety-related, dual processor) and F8653/F8651 (non-safety, single processor).
3.1 Safe central module F8650/F8652
Specially designed for safety-related applications, with TÜV certification.
Dual processor architecture: Two microprocessors with synchronized clocks run in parallel, one processing the true data and programs, and the other processing the inverted data and programs.
Testable hardware comparator: Compares all external accesses of the two processors. Once a difference is detected, the watchdog is immediately switched to the safe state and a processor status signal is issued.
Program memory: Flash EPROM supporting at least 100,000 write cycles, used to store the operating system and user programs.
Data storage: SRAM, buffered against power failure by the lithium battery on the central module, with battery monitoring.
Interface: Provides 2 electrically isolated RS-485 interfaces with a maximum transmission rate of 57600 bps.
Diagnosis: Equipped with a 4-digit alphanumeric display screen and 2 LED indicator lights, used to display system status, I/O level information, and user program information.
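The following is an added illustration of the true/inverted dual-processor comparison described above; it is not HIMA code or a description of the F8650/F8652 internals. The stuck-at-0 fault on a shared read path, the AND user program, and all function names are assumptions chosen to show why an inverted second channel exposes a common fault that two identical channels would agree on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model (assumption, not from HIMA documentation):
 * bits set in stuck0 are stuck at 0 on a read path both channels share. */
static uint8_t read_path(uint8_t v, uint8_t stuck0) { return v & (uint8_t)~stuck0; }

/* Channel A: true data, true program (out = x AND y). */
static uint8_t chan_true(uint8_t x, uint8_t y, uint8_t stuck0) {
    return read_path(x, stuck0) & read_path(y, stuck0);
}
/* Channel B: inverted data, inverted program (De Morgan: ~out = ~x OR ~y). */
static uint8_t chan_inverted(uint8_t x, uint8_t y, uint8_t stuck0) {
    return read_path((uint8_t)~x, stuck0) | read_path((uint8_t)~y, stuck0);
}

/* Comparator for the inverted pair: results must be exact complements. */
static bool inverted_pair_agrees(uint8_t x, uint8_t y, uint8_t stuck0) {
    return chan_true(x, y, stuck0) == (uint8_t)~chan_inverted(x, y, stuck0);
}
/* Contrast case: two identical channels compared for equality. */
static bool identical_pair_agrees(uint8_t x, uint8_t y, uint8_t stuck0) {
    return chan_true(x, y, stuck0) == chan_true(x, y, stuck0);
}

/* Number of (x, y) input pairs, out of 65536, on which the comparator trips. */
static long trips(bool inverted, uint8_t stuck0) {
    long n = 0;
    for (int x = 0; x < 256; x++)
        for (int y = 0; y < 256; y++) {
            bool ok = inverted ? inverted_pair_agrees((uint8_t)x, (uint8_t)y, stuck0)
                               : identical_pair_agrees((uint8_t)x, (uint8_t)y, stuck0);
            if (!ok) n++;
        }
    return n;
}

int main(void) {
    printf("no fault, inverted pair trips:  %ld\n", trips(true, 0x00));
    printf("bit 3 stuck, inverted pair:     %ld\n", trips(true, 0x08));
    printf("bit 3 stuck, identical pair:    %ld\n", trips(false, 0x08));
    return 0;
}
```

In this model the inverted pair disagrees on every input once the bit is stuck, because one of the two channels always needs a 1 on the faulty line, while the identical pair never disagrees.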
3.2 Non safety central module F8651/F8653
Used for standard or high availability (non-safety) applications.
Single processor: using Intel 386 EX processor with a clock frequency of 25 MHz.
Functional unit: including microprocessor, program and data storage, I/O bus logic, dual port RAM (for communication with redundant central modules), multiplexer, etc.
Interface and diagnosis: Two RS-485 interfaces and a diagnostic display screen are also provided.

Input/output subsystem
The I/O module is the bridge between PES and the process site, responsible for signal conversion and matching.
4.1 I/O module characteristics
Online plugging and unplugging: All I/O modules support live plugging and unplugging while the system is running.
Signal indication: The status of the digital output module is clearly displayed through the LED on the cable plug.
Power supply method: It can be powered through the front-end cable plug or through the I/O bus board.
4.2 Safe output module
All safety related output modules meet the AK 6 level requirements, and their key designs include:
Triple redundant shutdown: Three series connected semiconductor switches are used internally, far exceeding the requirement of two independent components for safe shutdown, achieving "integrated safe shutdown". Once the module fails, it will automatically switch to a safe power-off state.
Parallel capability: To improve availability, the output terminals of the safety type output module can be used in parallel without the need for external diodes.
L- supply design: When the negative terminal L- of the power supply is cut off, there is no voltage at the output terminal, so L- does not need to be wired as a ring feeder.
Inductive load handling: It can be directly connected to inductive loads without the need for parallel diodes at both ends of the coil.
4.3 Intrinsic Safety (Ex) i Module
For hazardous area applications, HIMA offers two types of intrinsic safety modules: those with PCB coating and those without coating. When using a coated Ex i module, the adjacent slot on the right must be kept empty or a blind plate with an isolation plate must be installed to ensure safe isolation.
Power Supply and Distribution
5.1 System Voltage
The HIMA system uses two voltage levels:
24 V DC: peripheral device power supply, positive pole L+, negative pole L- (reference pole).
5 V DC: Power supply for microprocessor system, generated by 24 V DC through high-frequency switch power module (F7126 for H51q, F7130A for H41q).
5.2 Power Redundancy and Monitoring
Redundant configuration: Multiple parallel power modules are equipped in H41q-H/HR/HS/HRS and H51q systems. When one module fails, other modules can seamlessly take over to ensure the continuous operation of the system.
Voltage monitoring: The 5 V DC output voltage is monitored for undervoltage and faults by the monitoring module (F7131) or the central module itself. Fault information is transmitted to the user program through system variables.
Battery buffering: The SRAM and hardware clock on the central module are buffered by onboard lithium batteries. The SRAM of the coprocessor module (F8621A) in the H51q system is buffered by the lithium battery on the monitoring module F7131.
5.3 24 V DC distribution
24 V DC power is distributed through plug-in fuses and distribution units (such as the F7133 power distribution module). Each I/O module corresponds to a fuse on the F7133 module, which can also provide fuse protection for sensors and actuators. The power distribution module is equipped with LED indicator lights and contacts for fuse fault alarm.
Communication Interface and Expansion
HIMA PES provides multiple communication interfaces to meet different levels of system integration requirements.
RS-485 interface: Each central module comes standard with 2 electrically isolated RS-485 interfaces for connecting programmers or building control system buses (HIBUS). In the H51q system, up to 6 additional RS-485 interfaces can be extended through up to 3 coprocessor modules (F8621A).
Ethernet interface: Ethernet communication can be achieved through the communication module F8625, which complies with the IEEE 802.3 10BaseT standard and can expand up to 10 interfaces.
Profibus DP interface: Through the communication module F8626, Profibus DP slave communication can be achieved, with a maximum transmission rate of 12 Mbit/s and the ability to expand up to 10 interfaces.
Installation and maintenance specifications
7.1 ESD Protection
The manual begins with an 'Attention' notice emphasizing the importance of electrostatic discharge protection. Maintenance on power, signal, and data lines must be performed by qualified personnel, who must take all necessary ESD protection measures. Maintenance personnel must discharge their own static electricity before directly contacting these lines.
7.2 Module insertion and removal
I/O module: Can be inserted and removed while powered. When removing, first loosen the fixing screw, then pull out the module together with the cable plug. When inserting, first insert and secure the module, then insert the cable plug.
Central module: Before unplugging, the data cable needs to be removed first. Separate it from the bus board using the ejection rod on the module. Before insertion, check the switch and jumper settings.
Power module: Before replacing, check the output voltage of all other power modules.
7.3 Grounding and Electromagnetic Compatibility
To meet CE requirements and ensure electromagnetic compatibility, strict grounding and shielding measures must be taken:
Grounding: The system supports floating operation or operation with L- grounded. The grounding resistance should be ≤ 2 ohms.
Shielding: The shielding layer of the communication data line must be grounded at the single end of the bus user side (such as H41q/H51q). On site cables (sensors/actuators) should use shielded cables and be laid separately from power cables.
Power filter: It is recommended to install the HIMA H7013 power filter at the 24 V DC inlet.
Technical Data Summary
Working temperature: 0 °C to +60 °C
Storage temperature: -40 °C to +85 °C (without battery) / -40 °C to +75 °C (with battery)
Supply voltage: 24 V DC (+20%/-15%)
EMC immunity: Complies with EN 50082-2 industrial environment standards, including ESD contact 6 kV, air 8 kV, Burst 2 kV, and other tests.
EMC emission: Complies with EN 50081-2 industrial environmental standards, with limits meeting Class A requirements.
Mechanical testing: Complies with the IEC 68 series standards, including sine vibration (1g) and impact (15g/11ms) testing.
