H41q/H51q

Safety-Related Controller

H41q/H51q Maintenance Manual

HIMA Paul Hildebrandt GmbH + Co KG

Industrial Automation

Rev. 1 02 HI 800 439 E

All HIMA products mentioned in this manual are protected by the HIMA trade-mark. Unless noted
otherwise, this also applies to other manufacturers and their respective products referred to herein.
All of the instructions and technical specifications in this manual have been written with great care and
effective quality assurance measures have been implemented to ensure their validity. For questions,
please contact HIMA directly. HIMA appreciates any suggestion on which information should be
included in the manual.
Equipment subject to change without notice. HIMA also reserves the right to modify the written material
without prior notice.
For further information, refer to the CD-ROM and our website http://www.hima.de and
http://www.hima.com.

© Copyright 2011, HIMA Paul Hildebrandt GmbH + Co KG

All rights reserved

Contact
HIMA Address
HIMA Paul Hildebrandt GmbH + Co KG
P.O. Box 1261
68777 Brühl, Germany
Tel: +49 6202 709-0
Fax: +49 6202 709-107
E-mail: info@hima.com

Revision Revisions Type of Change

index technical editorial
1.00 Original version

1.01 Changed: chapter 2 X

1.02 Changed: chapter 5.3.3 X

HI 800 439 E Rev. 1 02 (1127)

H41q/H51q Table of Contents

Table of Contents
1 Introduction ............................................................ 5
1.1 Target Audience and Required Knowledge......................................................... 5
1.2 Formatting Conventions ....................................................................................... 5
1.2.1 Safety Notes ............................................................................................................ 5
1.2.2 Operating Tips ......................................................................................................... 6
1.3 HIMA Service .......................................................................................................... 6
2 Operating and Servicing .......................................... 7
3 Other Applicable Documents ................................... 9
4 Proof Test ............................................................. 10
4.1 Proof Test Execution ........................................................................................... 10
4.2 Frequency of Proof Tests.................................................................................... 10
5 Maintenance Actions, in Details ............................ 11
5.1 Replacing the Fans .............................................................................................. 11
5.2 Replacing Buffer Batteries.................................................................................. 11
5.2.1 Replacing the External Batteries of the H41q/H51q Systems................................ 12
5.2.2 External Batteries of the H41q System: Backplane Reverse Side......................... 12
5.2.3 H51q System's External Batteries: Power Supply Monitoring F 7131 ................... 12
5.2.4 Central Modules F 8650E / F 8650X, F 8651E / F 8651X, F 8652E / F 8652X,
F 8653E / F 8653X................................................................................................. 12
5.2.5 Co-Processor Module F 8621A.............................................................................. 12
5.3 Replacing Modules .............................................................................................. 12
5.3.1 I/O Modules............................................................................................................ 13
5.3.2 Connection Modules .............................................................................................. 13
5.3.3 Central Module (CM).............................................................................................. 14
5.3.4 Power Supply Units................................................................................................ 14
5.3.5 Communication and Co-Processor Modules ......................................................... 15
5.4 Replacing Subracks............................................................................................. 15
Appendix ............................................................... 17
Glossary................................................................................................................ 17
Index of Tables..................................................................................................... 18

HI 800 439 E Rev. 1 02 Page 3 of 20

Table of Contents H41q/H51q

Page 4 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Introduction

1 Introduction
This document describes the most important servicing activities for a H41q/H51q controller.
The following instructions describe the required safety measures and give some
recommendations for improving the availability of the system

1.1 Target Audience and Required Knowledge

This manual addresses system planners, configuration engineers, programmers of automa-
tion devices and personnel authorized to maintain the systems. Specialized knowledge of
safety-related automation systems is required.

1.2 Formatting Conventions

To ensure improved readability and comprehensibility, the following fonts are used in this
document:
Bold: To highlight important parts
Names of buttons, menu functions and tabs that can be clicked and
used in SILworX.
Italics: For parameters and system variables
Courier Literal user inputs
RUN Operating state are designated by capitals
Chapter 1.2.3 Cross references are hyperlinks even though they are not particu-
larly marked. When the cursor hovers over a hyperlink, it changes its
shape. Click the hyperlink to jump to the corresponding position.

Safety notes and operating tips are particularly marked.

1.2.1 Safety Notes

The safety notes are represented as described below.
These notes must absolutely be observed to reduce the risk to a minimum. The content is
structured as follows:
ƒ Signal word: danger, warning, caution, notice
ƒ Type and source of danger
ƒ Consequences arising from the danger
ƒ Danger prevention

SIGNAL WORD
Type and source of danger!
Consequences arising from the danger
Danger prevention

The signal words have the following meanings:

ƒ Danger indicates hazardous situation which, if not avoided, will result in death or serious
injury.
ƒ Warning indicates hazardous situation which, if not avoided, could result in death or se-
rious injury.
ƒ Warning indicates hazardous situation which, if not avoided, could result in minor or
modest injury.
ƒ Notice indicates a hazardous situation which, if not avoided, could result in property
damage.

HI 800 439 E Rev. 1 02 Page 5 of 20

Introduction H41q/H51q

NOTE
Type and source of damage!
Damage prevention

1.2.2 Operating Tips

Additional information is structured as presented in the following example:

i The text corresponding to the additional information is located here.

Useful tips and tricks appear as follows:

TIP The tip text is located here.

1.3 HIMA Service

HIMA Service engineers are available to perform the maintenance actions described in this
manual.
Contact:
Mr. Thomas Lang

HIMA Paul Hildebrandt

GmbH + Co KG
Albert-Bassermann-Strasse 28
68782 Brühl, Germany
Tel.: (+49 62 02) 70 93 02
Fax: (+49 62 02) 70 91 99
E-mail: service@hima.com

Page 6 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Operating and Servicing

2 Operating and Servicing

No Action Period Reference Performed Notes
. (Table 2) by 1)
1 Access protection (security) Always A
Mechanical test (visual inspection)
2 Are the modules screwed tightly? Yearly - C, A, O
3 Are the cable plugs screwed tightly? Yearly - C, A, O
4 Are the data connection cables Yearly - C, A, O
screwed tightly?
Power supply test
5 Check 230 VAC/24 VDC Yearly - C, A, O
6 Check 24 VDC distribution Yearly - C, A, O
7 Check 24 V / 5 V power supply (5.4 V) Yearly - C, A, O F7126, F7130,
F7130 A
8 Check 5 VDC EABT (≥ 4.8 V) Yearly - C, A, O
9 Functionality with redundant supply Yearly - C, A, O
Proof Test
10 Loop test including the I/O modules ≤ 10 years D2 C, A, O
within the PES Chapter 4
The modules used for safety-related application must be subjected to a proof
test at regular intervals (refer to IEC/EN 61508-4, Section 3.8.5)
Hardware change/extension/test
11 Replacing modules If required Chapter C, A, O
5.3
12 Functional test of the fans Yearly Chapter C, A, O
5.1
13 Replacement of the fans: Chapter
14 K 9212 Every 5 years 5.1 C, A, O
15 K 9203 Every 5 years C, A, O
16 K 9202 cabinet fans Every 5 years C, A, O
Relay modules: Proof test
17 F 3430 SIL 3: every 5 - H
years.
SIL 2: every
20 years
18 H 4116 SIL 2 every 5 - C, A, O
years.
19 H 4134 SIL 2 every 5 - C, A, O
years.
20 H 4135 SIL 3: every 5 - H
years.
SIL 2: every
20 years
21 H 4135A SIL 3 every 5 D4 C, A, O
years.
SIL 2 every 20
years.
22 H 4136 SIL 3 every 5 - H
years.
SIL 2 every 20
years.
Replacement of buffer batteries
23 Power supply unit- ≤ 6 years Chapter C, A, O, H
monitoring F 7131 5.2

HI 800 439 E Rev. 1 02 Page 7 of 20

Operating and Servicing H41q/H51q

No Action Period Reference Performed Notes

. (Table 2) by 1)
24 F 865x
25 Backplane bus with H41q, if F8621A is
used
Replacement of electrolytic capacitors
26 230 VAC/24 VDC power supply unit 10 years2) - H
27 24 VDC/5VDC power supply unit: 10 years2) - H
- H41q: F7130A
- H51q: F7126
28 I/O modules
29 F 3237 10 years2) - H
30 F 6213, F 6214 10 years2) - H
2)
31 For all remaining ≤ 20 years - H
Software change/extension/test
32 Load and deletion of the user program If required D1 C, A, O
33 Operating system download If required D1 C, A, O
34 Change of the system parameter set- If required D1 C, A, O
tings
1)
C: operating Company, A: Assembler, O: Other, H: HIMA
2) The service life of electrolytic capacitors depends on the temperature
(typical manufacturer specification: >10 years at 40°C).
Table 1: Required Operating and Maintenance Activities

Only personnel with knowledge of ESD protective measures may modify or extend the
system or replace modules.

NOTE
Device damage due to electrostatic discharge!
ƒ When performing the work, make sure that the workspace is free of static, and
wear an ESD wrist strap.
ƒ If not used, ensure that the device is protected from electrostatic discharge, e.g.,
by storing it in its packaging.

Before touching the modules, wear wrist straps and connect them to the control cabinet's
relevant ESD connection points in order to exclude any residual charge. Also do so when
attaching the cable plugs with the I/O modules and the data connection lines with the
interfaces of the central or co-processor modules.
If the control cabinets do not have any ESD connection points, one of their earthed
components shall be touched before removing the module.
Directly touching as well electronic components on the modules as the printed circuit board
shall be avoided. The modules must be touched only using the handle strip.
If a direct contact of the components cannot be avoided, as when replacing batteries, an
anti-static mat and a wrist strap shall be used. They must both be earthed.

Page 8 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Other Applicable Documents

3 Other Applicable Documents

Ref. Standard/Document Description
N1 IEC 61511-1, Section 16.3 Functional safety -
Safety instrumented systems for the process industry
sector
Framework, definitions, system, hardware and soft-
ware requirements
N2 IEC 61508-4, Section 3.8.5 Proof Test
D1 HI 800 105 H41q/H51q Operating System Manual
D2 HI 800 013 H41q/H51q Safety Manual
D3 - ELOP II Online Help
D4 H 4135A Data Sheet
Table 2: Documentation

HI 800 439 E Rev. 1 02 Page 9 of 20

Proof Test H41q/H51q

4 Proof Test
The proof test reveals dangerous undetected faults that could otherwise affect the safe
function of the system.
HIMA safety systems must be subjected to a proof test in intervals of 10 years. It is often
possible to extend this interval using the a calculation tool to analyze the implemented
safety loops.
With relay modules, the proof test for the relay must be performed in the intervals defined
for the plant.

4.1 Proof Test Execution

The proof test execution depends on the following factors:
ƒ Plant characteristics (EUC = equipment under control)
ƒ Plant's intrinsic risk potential
ƒ The standards applicable to the plant operation and required for approval by the
responsible test authority.
According to IEC 61508 1-7, IEC 61511 1-3, IEC 62061 and VDI/VDE 2180 sheets 1 to 4,
the operator of the safety-related systems is responsible for performing the proof tests.

4.2 Frequency of Proof Tests

The HIMA PES can be proof tested by executing the full safety loop.
In practice, shorter proof test intervals are required for the input and output field devices
(e.g., every 6 or 12 months) than for the HIMA controller. Testing the entire safety loop
together with a field device automatically includes the test of the HIMA controller. There is
therefore no need to perform additional proof tests of the HIMA controller.
If the proof test of the field devices does not include the HIMA controller, the HIMA
controller must be tested at least once every 10 years. This can be achieved by restarting
the HIMA controller.
Additional proof test requirements for specific devices are described in the corresponding
data sheets.

Page 10 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Maintenance Actions, in Details

5 Maintenance Actions, in Details

This chapter describes the maintenance actions for each module and for other components
of the H41q/H51q system.

i Only qualified personnel may perform maintenance actions to supply, signal and data lines,
taking all ESD protection measures into account. Personnel must be electrostatically
discharged prior to any direct contact with these supply more signal lines!

5.1 Replacing the Fans

The frequency with which the fans are replaced depends on the operating temperature.
HIMA recommends observing the following instructions when replacing the fans:
ƒ Every 5 years, at normal operating temperature (< 40 °C)
ƒ Every 2.5 years, at higher operating temperature (> 40 °C)

For more information, see the data sheets of K 9212, K 9203 and K 9202.
Contact the HIMA service personnel to replace older fan models.

5.2 Replacing Buffer Batteries

Lithium batteries are used as buffer batteries

Service life of the buffer batteries (with non-operating CPU and modules without power
supply):
1000 Days with tA = 25 °C
200 Days with tA = 60 °C

HIMA recommends replacing the batteries at least every 6 years (with non-operating CPU
and modules without power supply).
If BATI is displayed, the battery should be replaced within the next three months.

HI 800 439 E Rev. 1 02 Page 11 of 20

Maintenance Actions, in Details H41q/H51q

5.2.1 Replacing the External Batteries of the H41q/H51q Systems

Replacement of a battery without soldering tag: CR-1/2 AA-CD, HIMA part no.
440000019.
1. Remove the battery cover.
2. Release the battery from the clamp.
3. Insert the new battery ensuring that the proper polarity is applied!
The battery is replaced.

Replacement of a battery with soldering tag: CR-1/2 AA-CD, HIMA part no.
440000016.
1. Desolder the battery, first the + pole, then the - pole
2. First solder the - pole, then the + pole. Ensure that the right polarity is applied!
The battery is replaced.

5.2.2 External Batteries of the H41q System: Backplane Reverse Side

Replace the batteries as specified above and in accordance with the battery type.

5.2.3 H51q System's External Batteries: Power Supply Monitoring F 7131

The module can be removed when the device is energized. Replace the battery as
specified above.

5.2.4 Central Modules F 8650E / F 8650X, F 8651E / F 8651X, F 8652E /

F 8652X, F 8653E / F 8653X
Battery: CR 2477N, HIMA part no. 440000018

The central module must be removed from the subrack when replacing batteries!
To remove the central module, observe the instructions specified in Chapter 5.3. With
single-channel systems, this may result in the system's failure whereas with redundant
systems, the reaction depends on the configuration.

5.2.5 Co-Processor Module F 8621A

Optionally, the co-processor module can be mounted in the central subrack of the
H41q/51q system family. With the H41q system, batteries are used to buffer the module on
the backplane bus, with the H51q system, this task is performed by the F 7131 power
supply monitoring module.

5.3 Replacing Modules

Pluggable modules must be replaced individually. The following section describes how to
replace them.
Take the following points into account, when pulling and plugging the modules:
ƒ Only pull and plug the modules of the HIMA PES H41q and H51q if the following rules
are observed.
ƒ Disconnected the module from the backplane bus quickly to ensure that no faulty
signals causing the system to shut down can occur.
ƒ Do not jam the module with a screwdriver or through shaking.

i HIMA cannot be held liable for damages caused by plugging and pulling the module
improperly.

Page 12 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Maintenance Actions, in Details

5.3.1 I/O Modules

To remove the I/O module
1. Release the module's fastening screws.
2. Remove the module with plugged cable plug.
3. Unscrew the cable plug and remove it.
The I/O module is removed from the subrack

To insert the I/O module

1. Insert the module without cable plug and screw it in place.
2. Plug in the cable plug and screw it in place.
3. With safety-related modules and modules with slot detection:
To reset the display, engage the ACK key on the central module.
The I/O module is inserted in the subrack.

5.3.2 Connection Modules

To remove the connection module
1. Switch off the module (Switch WD set to OFF).

2. Release the module's fastening screws.

3. Remove the module
; The corresponding I/O subrack is completely switched off.
The connection module is removed.

i Removing the module without previously switching it off causes the watchdog signal to
switch off for all I/O subracks. This results in an error stop of the MS and HS systems.

To insert the central module

1. Set the coding switch on the module as specified in the F 7553 data sheet.
2. Plug the module and screw it in place.
3. Switch on the module (Switch WD set to ON).
4. Engage the ACK key on the central module until RUN is displayed.
The connection module is inserted.

HI 800 439 E Rev. 1 02 Page 13 of 20

Maintenance Actions, in Details H41q/H51q

5.3.3 Central Module (CM)

The technology implemented in the HIQuad controllers allows one to replace a central
module in the STOP state during operation.
One should avoid removing redundant central modules in the RUN state since redundant
central modules constantly communicate with one another to ensure their synchronization.
Removing an operating redundant central module generates signal disturbances on the
backplane bus. In rare cases, an error stop can be triggered on the remaining central
module causing the PES to enter the safe state.
To prevent a fault reaction, transfer the central module to the STOP state prior to removing
it (e.g., by deleting the user program). In doing so, communication between the central
modules is terminated. Removing the stopped central module can no longer generate
signal disturbances on the backplane bus, which could cause the remaining central module
to fail.

i Prior to removing a redundant central module in the RUN state, HIMA recommends to
delete its user program. Refer to the Operating System Manual (HI 800 105 E), for detailed
instructions on how to delete the user program.

To remove the central module

1. Release the data cable plug.
2. Remove the data cable.
3. Completely release the module's fastening screws, i.e., they must be free to move!
4. Apply strong downward pressure on the ejection lever (type label) to disconnect the
module from the backplane bus. This action ensures that no faulty signals causing the
system to shut down can occur.
5. Remove the module completely.
The central module is removed from the subrack
Do not touch the components of the module! Observe the ESD rules for CMOS
components.

To insert the central module

1. Check the settings of the switches and jumpers according to the data sheet.
2. Remove the fastening screws of the front plate completely.
3. Set the module onto the terminal block and insert it as far as it can go to avoid faulty
signals in the system.
4. Tighten the fastening screws
5. Plug in the data cable connectors and tighten the screws.
The central module is inserted in the subrack.

i With redundant systems, the new central module must have the same operating system
version as loaded in the existing central module. If this is not ensured, an error message is
displayed on the new central module and the module enters the STOP state. At this point,
the corresponding operating version must be loaded. For more information, refer to the
Operating System Manual (HI 800 105 E).

5.3.4 Power Supply Units

To remove the power supply unit
1. Check the LEDs on the power supply units F 7126, F 7130A and power supply
monitoring modules F 7127, F 7131

Page 14 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Maintenance Actions, in Details

A blinking LED indicates that the module is correctly operating whereas a completely
unlit LED signalizes that the module is defective. Only replace the faulty module to
prevent the PES from failing!
2. If the LED is unlit, check the 24 V supply.
3. Prior to removing the faulty power supply unit F 7126, check the output voltage of all
power supply units F 7130A (refer to the data sheet for more details)
4. Unscrew the faulty power supply unit and remove it.
The power supply unit is removed.

To insert the power supply unit

1. Insert the power supply unit and tighten it.
2. Check the output voltage (refer to the data sheet for more details).
The power supply unit is inserted.

5.3.5 Communication and Co-Processor Modules

To remove a communication or co-processor module
1. Remove the communication cables.
2. Important: First remove the associated central module after the fastening screws have
been screwed off.
3. Unscrew the fastening screws and remove the communication module (Ethernet module
with plugged HSR cable).
4. Release the HSR cable from the Ethernet module.
The communication or co-processor module is removed from the subrack.

To insert a communication or co-processor module

1. Check the settings of the switches according to the manual.
2. Insert the communication module without cable and screw it in place.
3. With Ethernet module, plug the HSR cable (with HIPRO-S only, not with HIPRO-S-
DIRECT).
4. Plug in the communication cable.
5. Insert the associated central module and screw it tightly.
The communication or co-processor module is inserted.

5.4 Replacing Subracks

A faulty subrack must be replaced. The replacement of a subrack may only be performed if
the power supply is switched off.
Prior to shutting down the controller, thoroughly verify the consequences that switching off
the power may have on the entire plant's safe functioning!

HI 800 439 E Rev. 1 02 Page 15 of 20

Maintenance Actions, in Details H41q/H51q

Page 16 of 20 HI 800 439 E Rev. 1 02

H41q/H51q Appendix

Appendix
Glossary
Term Description
ARP Address Resolution Protocol: Network protocol for assigning the network addresses
to hardware addresses
AI Analog Input
CRC Cyclic Redundancy Check
DI Digital Input
DO Digital Output
ELOP II Programming tool for H41q/H51q systems
EMC ElectroMagnetic Compatibility
EN European Norm
ESD ElectroStatic Discharge
FB FieldBus
FBD Function Block Diagrams
FTA Field Termination Assembly
FTT Fault Tolerance Time
ICMP Internet Control Message Protocol: Network protocol for status or error messages
IEC International Electrotechnical Commission
MAC address Media Access Control address: Hardware address of one network connection
PADT Programming And Debugging Tool (in accordance with IEC 61131-3),
PC with ELOP II
PE Protective Earth
PELV Protective Extra Low Voltage
PES Programmable Electronic System
PFD Probability of Failure on Demand, probability of failure on demand of a safety func-
tion
PFH Probability of Failure per Hour, probability of a dangerous failure per hour
R Read: The system variable or signal provides value, e.g., to the user program
Rack ID Base plate identification (number)
Non-reactive Supposing that two input circuits are connected to the same source (e.g., a trans-
mitter). An input circuit is termed non-reactive if it does not distort the signals of the
other input circuit.
R/W Read/Write (column title for system variable/signal type)
SELV Safety Extra Low Voltage
SFF Safe Failure Fraction, portion of safely manageable faults
SIL Safety Integrity Level (in accordance with IEC 61508)
SNTP Simple Network Time Protocol (RFC 1769)
SW Software
TMO TiMeOut
W Write: System variable/signal is provided with value, e.g., from the user program
WD WatchDog: Time monitoring for modules or programs. If the watchdog time is ex-
ceeded, the module or program enters the ERROR STOP state.
WDT WatchDog Time

HI 800 439 E Rev. 1 02 Page 17 of 20

Appendix H41q/H51q

Index of Tables
Table 1: Required Operating and Maintenance Activities 8
Table 2: Documentation 9

Page 18 of 20 HI 800 439 E Rev. 1 02

 HI 800 439 E © by HIMA Paul Hildebrandt GmbH + Co KG

HIMA Paul Hildebrandt GmbH + Co KG

P.O. Box 1261
68777 Brühl, Germany
Tel: +49 6202 709-0
Fax: +49 6202 709-107

(1127) E-mail: info@hima.com Internet: www.hima.com