
Trusted ICS

Hardware Training
Trusted Hardware Training

• Trusted with Regent I/O
• Trusted with Native I/O
• System Integration Issues
• On line replacement
• Diagnostics
• Power Distribution
System version release numbers
• V1.1 - Low density I/O (Regent I/O)
• V1.2 - Low density I/O with peer to peer and process historian
• V2.0 - Both High density I/O and Low density I/O, SOE to 1 ms on high density modules
Communication and TMR Interface modules can be used in different slots.
Typical Trusted ICS system
General Overview Trusted with Native I/O

Processing, communications and I/O in 1 chassis

Chassis dimensions: 19”w - 10.5”h (6U)

Chassis contents (figure callouts):
• TMR Processor
• TMR Interface: for communication to Regent Chassis (low density I/O)
• Expander Interface: for communication to Expander Chassis
• Communications Interface: for communications with external systems
• High Density I/O
• Spare slots

Engineering Workstation
• On-line monitoring
• Off-line simulation
• System and I/O configuration utilities
• IEC1131 languages
Trusted Expander

Expander Processor
• Up to 14 expansion chassis per processor set
• 14 physical slots
• Up to 12 I/O slots available
• Active spare slots or single centralised spare (smart slot)
• Rack or panel mount

Chassis dimensions: 19”w - 6U h
System Architecture
[Block diagram. Labels: MP, Expander Interface, TMR Interface, Comms Interface Module, Backplane Bus, Safety Bus, Transceivers, Regent I/O, Expander Bus (250Mbps), Expander Processor, Native I/O]
Trusted TMR processor

Three 32 bit RISC microprocessors (600 series) based on a triple modular redundant architecture:
• TUV certified for safety AK6
• Hardware Implemented Fault Tolerant (HIFT) 3-2-0 operation
• Hot replaceable
• Dedicated hardware and software test regimes
• IEC1131-3 programming languages
• Automatic fault handling
Trusted TMR Processor
System Fault Alarms
• System Faulty
  Output to alarm that the system has a fault.
• Processor Failed
  Output to alarm that at least 2 processor slices have failed
Trusted TMR Interface

Provides interface to existing Regent and Regent+Plus I/O assemblies:
• Supports up to 16 I/O chassis
• Use of proven HIFT principles
• Hot replaceable
• TUV certified for safety (Regent I/O to AK5)
Trusted TMR Interface
TMR Interface Cable
Trusted Expander Interface

Provides interface to Trusted Expander Chassis:
• Supports up to 7 Expander chassis
• Use of HIFT principles
• Hot replaceable

Trusted Expander Processor

Provides interface to Trusted Expander Interface Chassis:
• Supports up to 12 Native I/O modules
• Use of HIFT principles
• Hot replaceable
[Diagram labels: Expander Interface, Backup Expander Interface, Expander Processor 1, Expander Processor 5, Expander Processor 6, Expander Processor 7, Backup Expander Processor]
Trusted Communications Interface

Intelligent, programmable protocol translation module:
• Four serial and two Ethernet ports
• Support for a wide range of protocols
• Provides interface to MMI and Engineering Workstation
• Hot replaceable
Trusted Communication Module
Chassis Configurations

• Swingframe and panel mount
• 12 I/O modules per chassis
• Multiple connector types, 32, 48, 64 and 96 pt. DIN 41612
Connector to Chassis Attachment
Features
High Integrity I/O

Digital Inputs
• 40 triplicated points
• Extensive diagnostics
• 1ms SOE tagging, selectable per channel
• Line monitoring and filtering, selectable per channel
• 24Vdc and 120 Vdc modules
• On-line replacement

[Front panel labels: Module Latch, Module Status Indicators, Input Status Indicators, Module Latch]
High Integrity Digital Input
[Block diagram. Labels: FCR Interconnect Bus; IMB; HIU Assembly (HIU = Host Interface Unit); FIU Assembly (FIU = Field Interface Unit, slices A, B, C); FTU Assembly (FTU = Field Termination Unit); FPU (Front Panel Unit); Dual Power In; HIU Power Supply; FIU Power Supply (slice); Signal Conditioned Field I/O; 2500 V Isolation Barrier]
Trusted Digital Input
[Block diagram. Labels: Field Input 1-40 (+V 18-36 V, -V); Optional Line Monitoring Device; IMB Opto Isolation Boundary; per slice (A, B, C): Sigma Delta 1 Bit ADC, Field Logic Control, Time Stamp, Slice Bus Interface, Control; System TMR Bus; Internal Voting Bus; Voting Logic; Front Panel Serial Display Latches; Voted Status Display LEDs; Module Health Indicators (Supply Voltage, Load Current, Module Temp, Supply Diag); Back Plane Power Bus 1; Back Plane Power Bus 2]
Input Module Power
[Diagram labels: Opto Isolation, Input Common, 24V Module Supply From Backplane, Input Signals, Bus Interface (HIU), Field Interface, Ref. Inputs]

Input Distribution for a complete Termination Bay.

Input Distribution Unit. Provides supply protection for 1 Termination Bay.
Field Signal Marshalling

Scenario 1 - Illustrates an example of Internal Marshalling
[Diagram labels: System Cabinet, Trusted ICS I/O Module, Terminal Block, Customer Field Cable]

Scenario 2 - Illustrates an example of Internal Marshalling without using an ITA
[Diagram labels: System Cabinet, Trusted ICS I/O Module, Knitting Between I/O & Field, Customer to Terminate, Fused Terminals]


Native I/O Module
[Mechanical diagram, two views. Labels: FPU, FIUs (three per module), HIU A, HIU B and HIU C (underneath FIUs), FTU (underneath FIUs), IMB Connector, Field Connector, HIU to FTU Mechanical Joint]
Native I/O Thresholds
[Chart. Columns: Typical Threshold Voltage, Monitored Contact Input Voltage, Input Status. Status bands from top to bottom: Line Fault High, Contact Closed, Contact Indeterminate, Contact Open, Line Fault Low. Voltage markings shown: > 20, 20, 16, 14, 14, 12, 10, 10, 8, 4, < 4]

Thresholds for rising values are different than those used for falling values.
LED's
Open Field Loop ( no error)
Educated
Off

Green Closed Field Loop

Red Channel Fault, Short Circuit, Out of Range Measurement,


Open Circuit
"Flashing"

Flashing Green - LL or HH
Red Green
Off Green "Flashing" Red "Flashing"
LED's

No Slice is Fault present Slice has


power Healthy on Slice power

Healthy Module is not Module in


Module is in
in the Active Active State shutdown
Active state state

Standby Module in
Module is not
Module is in "passive"
Educated in Standby
Standby State shutdown
state

Module is not Module is Education in


educated educated progress
High Integrity I/O

Analogue Inputs
• 40 points TMR
• No analogue multiplexers
• Alarm threshold, selectable per channel
• 1ms SOE tagging, selectable per channel
• Self calibrating
• Extensive diagnostics
• On-line replacement
Trusted Analogue Input
[Block diagram. Labels: Field Input 1-40 (+V, -V); IMB Opto Isolation Boundary; per slice (A, B, C): Sigma Delta 1 Bit ADC, Field Logic Control, Time Stamp, Slice Bus Interface, Control; System TMR Bus; Internal Voting Bus; Voting Logic; Front Panel Serial Display Latches; Voted Status Display LEDs; Module Health Indicators (Supply Voltage, Load Current, Module Temp, Supply Diag); Back Plane Power Bus 1; Back Plane Power Bus 2]
High Integrity Output Module

Digital Outputs
• 30 points 120Vdc; 40 points 24V
• Low and high dc voltage
• On-line replacement
• Load supervision
• Extensive diagnostics

[Front panel labels: Module Latch, Module Status Indicators, Input Status Indicators, Module Latch]
Trusted Output Module

Output Module Power
[Diagram labels: Opto Isolation, Output Common, 24V Module Supply From Backplane, Bus Interface (HIU), Field Interface, Output Group 1 (Output Signals 1 to 8), Output Group 5 (Output Signals 33 to 40)]

Modified Din 41612 connector

Output Power connected to 3 Modules

Power Distribution Unit for 3 Output Modules
Trusted TMR Processor
Healthy - State of each slice, Green = healthy, Red = Fault.
Active - On when this processor is the active MP.
Standby - On when this processor is the standby MP.
Educated - Off = no application,
Flashing = copying from active MP,
On = Module is educated and ready to become active.
Run - Flashing = Application is running.

Reset - Reset fault flags & LEDs

System Healthy - Green if no system faults detected,
Flashing red if any system fault LED is on (including I/O).
User 1 & 2 - LEDs that can be controlled by the Application Program or the INI file

Maintenance Switch -
Maintenance = Download Application and INI file.
Run = Normal running condition, Diagnostics, SOE.
Trusted TMR Interface
Contains 3 Regent IOP processors (software identical to Regent).

Healthy - State of each slice, Green = healthy, Flashing Green = Fault.
Active - On when this module is active.
Standby - On when this module is in standby.
Educated - Off = not educated,
Flashing = being educated,
On = Module configuration is valid.
I/O Healthy - Green if no I/O faults.

Trusted Communication Module

Healthy - State of module, Green = healthy, Flash Red = Fault.
Active - On when this module is active.
Standby - On when this module is in standby.
Educated - Off = not educated,
Flashing = being educated,
On = Module configuration is valid.
Communication LEDs - Green = receiving data, Red = sending data (looks Yellow with fast comms.)
[Cabinet layout, top to bottom]
TRUSTED Power Supply Unit (Chassis + TRUSTED Power Supply Modules)
Grille
TRUSTED Controller (Chassis + TRUSTED TMR Processor + TRUSTED Interfaces)
Grille
Regent + Plus I/O Assembly (Chassis + Regent + plus I/O Transceivers + I/O modules)
Grille
Regent + Plus I/O Assembly

I/O Replacement Options

• Active spare slot for ease of replacement
or ...
• Single smart slot per chassis for greatest savings in footprint and cost

I/O Replacement Options
[Diagram labels: Active spare configuration (slots 1 and 2); Smart slot (Slot X)]
SOE Data Flow
[Diagram labels: Field Device, Trusted Input Interface, Trusted TMR Processor, Trusted Communication Interfaces, MMI]
IEC1131 TOOLSET
SEQUENCE OF EVENT (SOE)
• SOE recording of I/O time stamped to 1ms resolution (accuracy depending on module)
• I/O tags imported from IEC1131 TOOLSET applications
• Configurable state mnemonics and colour attributes
• Accessible via serial or Ethernet connections
• Cut & Paste data to other packages for analysis
Interface

Open systems on an open highway

Reduced cost
• No proprietary gateway
Common platform
• NT, Ethernet
Standard software tools
• OPC

[Diagram labels: Operator Workstation (Alarms, Graphics, Database), DCS, Gateway]
Power Supply

Features:
• Power for processors & I/O modules, as well as field devices
• Dual isolated inputs (ac & dc) with auto-sensing
• N+1, dual, triplicated configurations
• 1500W total power, 250W per unit.
• Modular design
• Interface card for remote diagnostics
• TUV, UL and CSA approvals

TRUSTED PSU Backplane - Front View
Power Supply Modifications
Dual Feed N+1 Power supplies with modules added as required

Fanning Strips to combine the terminals of the 24V and 0V supplies within the Power Chassis

Fanning Strip For Power supplies

Power Fanning Strips in place on 0V and 24V connections

[Diagram labels: Power Module (four shown)]
Main Power Distribution Unit

Power Supply Chassis Power Distribution and Protection Unit
• Four connections to System Power, Distribution or Input Distribution Boards
• To Fans, Protected at 3 Amps

Power Distribution and Protection Unit
AFTER

Power distribution unit for up to :-
4 Trusted Trays
or
1 Trusted Tray and 3 Regent Trays

Swing Frame awaiting wiring.

Input Distribution for a complete Termination Bay.
Peer to Peer
Examples of System Communications
Single Communications Module Networks
Dual Communications Module Networks
Unsupported Configuration
Trusted Hardware Training

• Trusted with Regent I/O
• Trusted with Native I/O
• System Integration Issues
• On line replacement
• Diagnostics
• Power Distribution
