Linked but separate

Yokogawa's ProSafe-RS heralds a new era in SIS-DCS integration, without compromising safety

Launched in February 2005, Yokogawa's ProSafe-RS safety instrumented system (SIS) quickly gained a significant share of the market. Just 18 months later, 100 units had been sold—quite a feat considering the generally conservative nature of the SIS market. So what is behind this rapid success?

One reviewer wrote of the ProSafe-RS: "This is the beginning of the end of diverse and separated safety systems." In a market that had seen no great innovations in more than ten years, two key factors have made the ProSafe-RS a success: a system architecture that achieves high availability while maintaining safety, and a high level of DCS integration that keeps control and safety functions separate. Steadily rising sales figures for the ProSafe-RS show that the market does indeed appreciate innovative products, and also that the system meets the high standards required. ProSafe-RS is certified by TÜV to comply with the IEC 61508 standard, a prerequisite for SISs, as well as a wide range of other standards: IEC 61511 for functional safety in the process industries, EN 54-2 and NFPA 72 for fire detection and fire alarm systems, and EN 298, EN 50156-1 and NFPA 85 for burner management systems.

The ProSafe-RS also passed an evaluation conducted by several oil majors with flying colors. The rigorous tests covered a wide range of issues, including safety functions, hardware robustness, self-diagnostic capability, usability in engineering and operation, DCS integration, and overall performance. The result was a large number of orders, most of which were placed alongside orders for Yokogawa Centum CS 3000 DCS systems and were destined for large-scale projects. These successes show that customers value Yokogawa's competence in project execution as well as the safety functions and DCS compatibility of the ProSafe-RS.

Redundancy within modules

ProSafe-RS employs a new "versatile modular redundant" (VMR) architecture. Each ProSafe-RS module, such as a CPU or I/O module, can be used in a single configuration for applications up to safety integrity level 3 (SIL3). Dual-redundant modules are also available where even higher levels of system availability are required without sacrificing safety. This is a huge advance on conventional SISs, whose safety and availability cannot be guaranteed without redundancy of complete units.

The VMR architecture provides SIL3 protection by incorporating dual circuitry in a miniature module, while achieving high availability through redundancy that can be specified and controlled on a per-module basis. It is based on the Pair & Spare CPU technology developed for the Centum CS 3000, which was first released in 1994 and incorporated additional safety functions specified by safety standards.

Currently, the CS 3000 has a system availability of 99.99999 percent ("seven 9s"), and the same or better can be expected from the ProSafe-RS.
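The availability advantage of redundancy at module level over redundancy of complete units, which the VMR paragraph above asserts, follows from the ordinary series/parallel availability model. The script below is an added illustration and is not Yokogawa code; the module availabilities in it are constructed sample values, not figures for any real product, and the model deliberately ignores common-cause failures, diagnostic coverage and switchover time, which a real SIS availability study must include. It takes any list of module availabilities and any number of redundant copies, so it goes beyond the dual-redundant case the text describes.

```python
"""Availability: per-module redundancy vs. redundancy of complete units.

Added illustration, not Yokogawa code. Module availabilities are constructed
sample values. Independent-failure series/parallel model only: no common-cause
failure, diagnostic coverage or switchover time is modelled.
"""
from fractions import Fraction
from functools import reduce
from math import log10
from operator import mul
from typing import Sequence, Union

Number = Union[Fraction, float]


def series(avails: Sequence[Number]) -> Number:
    """Availability of components that must ALL be up (series chain)."""
    return reduce(mul, avails, 1)


def parallel(avails: Sequence[Number]) -> Number:
    """Availability of components of which at least ONE must be up."""
    return 1 - reduce(mul, (1 - a for a in avails), 1)


def single_unit(modules: Sequence[Number]) -> Number:
    """One non-redundant unit: CPU, input card, output card, ... in series."""
    return series(modules)


def whole_unit_redundant(modules: Sequence[Number], copies: int = 2) -> Number:
    """Conventional approach: duplicate the complete unit, units in parallel.

    The unit fails whenever any one of its modules fails, so the parallel
    pairing happens only at the level of the whole chain.
    """
    return parallel([series(modules)] * copies)


def per_module_redundant(modules: Sequence[Number], copies: int = 2) -> Number:
    """Per-module approach: duplicate each module, redundant pairs in series.

    A failed CPU in one chain and a failed I/O card in the other no longer
    take the system down, which is why this is never worse than
    whole_unit_redundant() for the same modules and copy count.
    """
    return series([parallel([a] * copies) for a in modules])


def nines(avail: Number) -> float:
    """Express availability as a 'number of nines' (0.9999999 -> ~7)."""
    return -log10(1 - float(avail))


if __name__ == "__main__":
    # Constructed sample: three modules (CPU, input card, output card),
    # each assumed to be available 90% of the time.
    mods = [Fraction(9, 10)] * 3
    print("single unit          :", single_unit(mods))           # 729/1000
    print("whole-unit redundant :", whole_unit_redundant(mods))  # 926559/1000000
    print("per-module redundant :", per_module_redundant(mods))  # 970299/1000000
    print("seven nines check    :", round(nines(0.9999999), 2))
```

Exact fractions are used so the comparison is not blurred by floating-point rounding; the gap between the two redundant designs widens as the number of modules in the chain grows, which is the practical point of being able to specify redundancy per module rather than per unit.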

Horizontal integration

Process plants are becoming increasingly complex and geographically distributed. ProSafe-RS supports safety communication between safety control stations (SCSs), allowing the creation of a safety loop between the input to one controller and the output from another. The safety network can be configured on the same bus as the CS 3000; in other words, a DCS and an SIS can share the same Vnet/IP. Communication between SCSs on the network is secure, since it is functionally separated from the DCS communication. Eliminating the need to install separate cables for the two systems can greatly reduce costs. ProSafe-RS also supports remote I/O modules through optical repeaters. This can benefit system design significantly, as it allows I/O modules to be installed away from the CPU module.

While ProSafe-RS integrates with the CS 3000 DCS by using a common network, the safety and control functions remain completely separate, as required by the relevant standards. The safety function is performed by the SCSs, and the control function by CS 3000 field control stations (FCSs). As both systems apply to the same process, however, their information needs to be integrated from the user's perspective. CS 3000 users can monitor information from both systems, such as tags, alarms, and events, on CS 3000 human interface stations (HISs). Enabling DCS operators to view SIS information under normal plant operating conditions can reduce errors and indirectly increase process safety. ProSafe-RS can even be operated on HISs through a mechanism that is certified by TÜV. SIS operations such as opening shutdown valves at system start-up can be done from the DCS in the same way as operating a control valve.

Vertical integration, too

Field device management is as essential for SIS maintenance as it is for DCSs. ProSafe-RS supports HART communications, so it can manage information from intelligent field devices without the need for equipment such as multiplexers. Yokogawa's EJX pressure transmitters and YTA temperature transmitters feature SIL2/3 certification as standard (SIL3 for dual-redundant configurations only).

Recently, valve partial stroke testing (PST) has become a hot topic as it can conveniently maintain both SIL capability and non-stop operation for safety loops. ProSafe-RS can work with PST-compatible safety valve positioners from various valve vendors, as well as PRM's plug-in software.

ProSafe-SLS is another member of the ProSafe family. It utilizes inherently-safe magnetic core technology and is certified for applications up to SIL4. ProSafe-SLS has been used in applications including high-integrity pressure-protection systems.


Path to Safety Excellence

Operational Excellence by VigilantPlant

Yokogawa proposes a model for operational excellence based on its VigilantPlant philosophy of "See, Know, and Act". This model is based on three primary facets—Asset Excellence, Production Excellence, and Safety Excellence. Combined, these three facets create a path to lifecycle excellence, continuous improvement, and sustainability. In Safety Excellence, the "See" aspect consists of monitoring plant-wide process conditions by integrated monitoring of plant-wide alarms and events. The "Know" aspect consists of detection of critical conditions and emergency avoidance through prioritization and role-based notification of predictive alerts. The "Act" aspect consists of the ability to optimize operation and safeguarding through providing effective and proactive guidance to operators and safety experts. ProSafe-RS is a core building block of Safety Excellence solutions.

