Author: Site Editor Publish Time: 2025-09-11 Origin: Site
The HIQuad X is an innovative, high-performance safety-related programmable electronic system (PES) developed by HIMA, built upon the proven HIQuad system platform. It is designed for safety-critical applications up to SIL 3 (IEC 61508) and PL e (EN ISO 13849), while also featuring high availability characteristics. The HIQuad X is suitable for various control tasks within the process industry and factory automation, particularly excelling in process facilities. The system employs a modular design, supports flexible configuration, and can be programmed, configured, monitored, operated, and documented using HIMA's mature SILworX® engineering tool.
System Families and Structure
The HIQuad X encompasses two system families: H51X and H41X. They utilize identical modules but differ in structure and expansion capabilities:
HIQuad H51X:
Structure: Highly modular.
Base Rack: 1 (does not contain I/O modules).
Extension Racks: Maximum of 16.
Processor Modules (F-CPU 01): 1 or 2.
I/O Processing Modules (F-IOP 01): 1 per extension rack.
Communication Modules (F-COM 01): Up to 10 in the base rack.
I/O Modules per Extension Rack: 16.
Total I/O Modules: Up to 256.
HIQuad H41X:
Structure: Modular.
Base Rack: 1 (can accommodate up to 12 I/O modules).
Extension Racks: Maximum of 1.
Processor Modules (F-CPU 01): 1 or 2.
I/O Processing Modules (F-IOP 01): 1 in the base rack, 1 in the extension rack.
Communication Modules (F-COM 01): Up to 2 in the base rack.
I/O Modules per Extension Rack: 16.
Total I/O Modules: Up to 28.
These differences allow users to select the most suitable system platform based on the specific application requirements for I/O count and availability.
Core Features
1. Safety and Certification
The HIQuad X system is designed for safety applications adhering to both the "De-energize to Trip" and "Energize to Trip" principles. Its core safety features include:
Safety Integrity Level (SIL): Supports up to SIL 3 (IEC 61508), PL e (ISO 13849).
Certification: The system and its I/O modules are certified according to various international standards (see Safety Manual HI 803 209 E), including for use in fire alarm systems (compliant with DIN EN 54-2 and NFPA 72) and suitability for mounting in Zone 2 hazardous areas.
1oo2 Architecture: The safety-related processor modules (F-CPU 01) and I/O processing modules (F-IOP 01) incorporate an internal 1oo2 (one-out-of-two) processor system. Two microprocessor cores continuously synchronize and compare data, ensuring fail-safe operation.
Safety-Related Communication: Supports safety-related communication via the safeethernet protocol.
2. High Availability and Redundancy
The system offers multiple redundancy options aimed at maximizing system availability (Note: Redundancy increases availability, not the Safety Integrity Level - SIL):
Processor Redundancy: Can be configured with two redundant F-CPU 01 processor modules. If one module fails, the system automatically switches to the other to maintain safe operation. The faulty module can be replaced during system operation (hot-swappable in redundancy mode).
System Bus Redundancy: The system relies on two independent system buses (A and B) for communication. In a redundant configuration, both buses operate simultaneously. A failure of one bus does not affect system operation.
I/O Module Redundancy: Supports module redundancy (two I/O modules of the same type forming a redundancy group) and channel redundancy (pairing identical channel numbers within redundant modules). To enhance availability, redundant modules should be installed in different racks.
Power Supply Redundancy: Supports connection to redundant 24 VDC power supply units, ensuring high power supply availability. Optional buffer modules (F-PWR 02) can be used to compensate for voltage dropouts exceeding 20ms.
3. Modular Design and Scalability
The system employs a standard 19-inch rack structure, offering high flexibility:
Base Rack: Contains the backplane for installing processor modules, communication modules, power supply modules (H41X also includes I/O modules).
Extension Racks: Using F-BASE RACK 11 extension racks, the H51X system can be expanded by up to 16 racks, each capable of holding 16 I/O modules and one F-IOP 01 module, significantly increasing I/O capacity.
Module Types: The system supports a wide range of module types, including:
F-CPU 01: Safety Processor Module.
F-IOP 01: I/O Processing Module, connecting the system bus to the I/O bus.
F-COM 01: Communication Module, providing 2 Ethernet interfaces and 1 fieldbus interface.
F-PWR 01: 24VDC/5VDC Power Supply Module.
F-PWR 02: 24VDC Buffer Module.
Various I/O Modules: Including Digital Input/Output (DI/DO), Analog Input/Output (AI/AO), Relay Output, Counter modules, etc., catering to both safety-related and non-safety-related applications.
4. Communication Capabilities
The system communicates with external systems via F-COM 01 modules:
Standard Protocols: Supports various standard industrial communication protocols (licensing required), such as Modbus. Communication redundancy must be managed either through the user program or by the specific protocol itself (e.g., Modbus Slave).
Engineering Connection: Up to 5 Programming and Debugging Tools (PADTs) can be connected via Ethernet interfaces (RJ-45), but only one can have write access at any given time.
5. Diagnostics and Maintenance
The system provides comprehensive diagnostic functions for quick troubleshooting and maintenance:
LED Indicators: Each module front plate features LED indicators showing operational status, errors, communication status, etc.
Diagnostic History: F-CPU, F-IOP, and F-COM modules have built-in diagnostic history buffers (ring buffers) logging system events, errors, and warnings, categorized into short-term and long-term diagnostics. This can be viewed and analyzed using the SILworX tool.
Online Diagnostics: In the SILworX online view, module status is intuitively displayed via color changes (e.g., red for critical faults, yellow for warnings), and detailed status information can be viewed.
System Variable Monitoring: Provides extensive system variables (e.g., temperature state, power supply status, cycle time, error counters) that can be used within the user program or for monitoring purposes.
6. Programming and Configuration
System engineering is performed using SILworX:
Programming Languages: Supports programming languages compliant with the IEC 61131-3 standard.
Variable Management: Supports local and global variables. Variables can be assigned initial values, Retain (RETAIN) attributes, etc.
System Parameters and Variables: Provides numerous system parameters (for configuring controller behavior, e.g., Safety Time, Watchdog Time) and system variables (for obtaining system status information), accessible at different levels such as resource and hardware.
Forcing Function: Allows users to override the current value of variables for testing and simulation purposes. Time limits and access permissions for forcing can be set to ensure safe usage.
User Management: Offers two-level user management: PADT (project access) and PES (controller access). Different user groups and permissions (e.g., Read-only, Operator, Read+Write, Administrator) can be defined, enhancing system security.
7. Noise Blanking
To improve system immunity against transient interference, HIQuad X provides a noise blanking function:
Function: Suppresses transient interference on the buses or I/O modules, maintaining the last valid value for a configured time to prevent the system from erroneously entering a safe state due to short-term interference, thereby increasing availability.
Configuration: The effective noise blanking time depends on the Safety Time, Watchdog Time, and Cycle Time (Max. Noise Blanking Time = Safety Time - (2 x Watchdog Time)). It can be configured for I/O modules in SILworX.
Effective Direction: Noise blanking can act in different directions:
From the input module to the processor module (suppressing input and bus interference).
From the processor module to the output module (suppressing bus interference).
From the output module to the processor module (suppressing status acknowledgments, e.g., SC/OC detection).
Working Principle
The core operation of the HIQuad X system revolves around its hardware architecture and safety mechanisms.
Signal Flow and Processing:
Input Side: Field sensor signals are connected to safety I/O modules (e.g., F 3237 DI module). The I/O modules communicate via the I/O bus with the F-IOP 01 I/O processing module in their respective rack.
Data Processing: The F-IOP 01 module exchanges data with the F-CPU 01 processor modules in the base rack via the redundant system buses (A and B). The F-CPU 01 utilizes an internal 1oo2 architecture where two processor cores cyclically read input data, execute the user program, and compare results.
Output Side: The processor modules send the processing results back via the system buses to the F-IOP 01 module, which then transmits them via the I/O bus to the output modules (e.g., F 3330 DO module), thereby controlling field actuators. The F-IOP 01 is also responsible for generating and monitoring the I/O Watchdog (WD) signal. Output modules only operate when this signal is present (high level); otherwise, they enter a safe state.
Safety Mechanisms:
Fault Detection: The system continuously performs self-tests and cross-checks at various levels, including processor core comparison, communication checksums, module status monitoring, power supply monitoring, and temperature monitoring.
Safe State: Upon detection of an internal fault or external command (e.g., emergency stop), the system follows the "de-energize to trip" principle, placing the outputs into a predefined safe state (typically the de-energized state).
Time Monitoring: The Safety Time is the maximum allowed response time for the process. The Watchdog Time is the maximum allowed duration for the processor cycle; if exceeded, the system triggers a safety reaction. The Cycle Time is the actual time the processor takes to execute one user program cycle. The configuration of these timings is crucial for system safety and performance.
Redundancy Synchronization:
In a redundant configuration, the two processor modules continuously synchronize their internal state and data via the system buses.
If the primary processor module fails, the standby module immediately detects this and takes over control, maintaining continued safe operation of the system, enabling seamless switching and high availability.
Power Distribution:
The system is powered by a 24 VDC SELV/PELV power supply. Power distribution modules (e.g., K 7212) are used to distribute and protect power circuits.
The 5V power supply within the base rack is generated by F-PWR 01 modules and distributed via the backplane. The 5V power for extension racks is supplied from the base rack in a star topology.
The 24V auxiliary and field power for I/O modules is distributed and protected by power distribution modules (F 7133), with each F 7133 providing fused protection for 4 I/O module slots.
Thermal Management:
The system design considers heat dissipation from electronic components. Adequate ventilation (natural convection or forced air cooling) within the control cabinet is required to maintain an ambient temperature between 0°C and +60°C.
Modules incorporate temperature sensors, and the temperature status can be monitored via system variables. Warnings or errors are signaled if temperature thresholds are exceeded, although the temperature monitoring itself is not safety-related.
Application Areas
The HIQuad X system is widely used in industries with high demands on safety and availability:
Chemical and Petrochemical: Emergency Shutdown (ESD) systems, Burner Management Systems (BMS), Process Shutdown systems.
