Aims And Features Of The ProSafe-RS Safety System



We have developed the ProSafe-RS, a safety system compatible with the SIL3 level of the IEC 61508 international standard. This product alone fulfills the requirements for safe instrumentation. In addition, it is highly compatible with our CENTUM CS 3000 process control system and offers a platform for flexible, comprehensive solutions to users who implement overall process plant designs. This paper outlines the aims and features of the ProSafe-RS.

  1. IA Systems Business Division, IA Business Headquarters


There is growing recognition of the importance of preventing serious accidents in the process control field, in view of the potential scale of their impact on society. The IEC 61508 and IEC 61511 international standards call for risk reduction using safety instrumented systems (SIS) and for the configuration of multiple protective layers in a process control system in order to prevent major accidents. Safety systems included in an SIS are required to be both safe and highly reliable. Safety and high reliability generally appear to be similar in meaning. However, the term "safety", as applied to safety systems, means the level of accuracy at which plant shutdown is performed when a problem occurs, and includes the characteristic that a safety system behaves toward the fail-safe side, i.e., plant shutdown, even if it fails itself. In contrast, reliability refers to the low probability that a plant is shut down because of a failure in the safety system (i.e., the error trip rate is low). From the user's point of view, both process control and safety instrumentation are conducted for the same plant, which calls for solutions that consider both comprehensively. Our safety system, the ProSafe-RS, has been developed with the following features to meet these requirements.

  • Integration with DCS
  • SIL3-level safety and high reliability combined in a single configuration
  • IEC 61131-3-compliant engineering tools


Figure 1 Example of ProSafe-RS/CS 3000 Integrated System Configuration

Figure 1 shows an example of an integrated configuration of the ProSafe-RS safety system and the CENTUM CS 3000 production control system. In the ProSafe-RS, the safety engineering PC (SENG) and safety control station (SCS) are connected directly using a V net control bus.

The SENG is a PC on which software having engineering functions and maintenance functions runs.

The SCS is a safety controller that performs logical operations such as shutdown by executing the application(s) created on the SENG and downloaded to it. The architecture of the SCS is based on the flexibility of the CS 3000 FCS; its I/O modules and CPU modules allow the user to select a dual-redundant configuration (Figure 1-1) or a single configuration (Figure 1-2, 3) within a single station according to the user's objective. Moreover, the SCS supports inter-SCS safety communication, allowing a safety loop extending over several SCSs (Figure 1-4) to be built via the V net control bus shared with the CS 3000.

Performing CS 3000 tag engineering on the SENG and then downloading these tags to the SCS allows the SCS to be handled in integrated operations (Figure 1-6) from the CS 3000 HIS in the same way as a CS 3000 FCS.


Architecture Integration

The basic architecture of the ProSafe-RS is the same as that of the CS 3000. This makes the ProSafe-RS easy to use, building on the many years of DCS development and the proven field reliability of the CS 3000.

Users also benefit when the CS 3000 and ProSafe-RS are applied in the same plant, because the hardware installation concept, maintenance methods, etc., are the same for the DCS and SIS.

Moreover, architecture integration allows the SIS and DCS to be connected over the common V net control bus. This simplifies system building and the design of the interface between the two systems, significantly improving total engineering efficiency, including the design and installation costs of both.

In addition, the design concept of providing the same interface with the HIS operator station and MES domain for the DCS and SIS provides a platform offering a total solution using the DCS and SIS with virtually no distinction, as well as sophisticated functional enhancement (such as equipment management) in the future.

Operation Integration

The SIS is a system that immediately shuts down a plant safely if a problem occurs in the plant and neither the DCS nor humans can handle it. In other words, cases where SIS operation or monitoring is required are very rare, and it is inconvenient to always monitor both SIS-specific HMI and DCS-specific HMI for that purpose alone. If the SIS and DCS can be operated and monitored using the same HMI, the operators do not have to remember the operations of both HMIs, and when needed, the operator can take accurate action using the HMI of the DCS he/she usually uses. Therefore, routine SIS monitoring should ideally be performed using the same DCS HMI.

To meet these user requirements, the ProSafe-RS provides an integrated operating environment having the following features:

  • The operator can check pre-alarms sent from the SIS using the same CS 3000 HMI.
  • The operator can perform operations during periodic inspection using the same method as for the CS 3000.
  • The system structure allows the CS 3000 HMI or FCS to refer to SCS data easily, so integrated DCS and SIS applications can be built easily. For example, in some applications SIS data is used successfully on the DCS side, such as comparing SIS and DCS sensor information on the DCS side to check that the DCS-side sensors are correct.
  • Higher-level management using OPC can be performed in the same way as for the DCS.
  • By comprehensively analyzing DCS and SIS event information (sequence of events: SOE), the causes of an abnormality can be analyzed on a plant-wide scale.

Integration of DCS and SIS, and Segregation Thereof

Integration of DCS and SIS has the advantages described above. However, the international safety standards require DCS and SIS to be segregated in order to protect the function of safety protective layers even if control functionality is lost, as is apparent in risk assessment analysis (Layer of Protection Analysis, LOPA) using multiple protective layers.

The system configuration of the ProSafe-RS integrates the DCS and SIS using the V net control bus, while keeping DCS and SIS functions securely separated. When considering the segregation between the DCS and SIS, the key points are how to prevent interference from the DCS to SIS and how to prevent a failure affecting both systems. The following describes how the ProSafe-RS protects itself against interference from DCS and common cause failures.

Figure 2 Common Cause Failures and Safety in Reuse

  • Prevention of interference from DCS to SIS
    For example, assume that two interconnected SCSs and three FCSs are directly connected to the same V net. Possible cases of interference by an FCS with an SCS via the V net bus include the erroneous transmission of a large amount of data onto the V net bus and the mistaken transmission of incorrect frames. However, the reliability of the V net bus and the FCSs has been proved by the proven-in-use data provided by the CS 3000, so an FCS is very unlikely to have adverse effects on an SCS, just as in the CS 3000 itself. Even if a V net bus failure occurs, the safety measures, which are implemented with a focus on detecting V net bus failures, can protect SCSs from communication attacks or shut down a safety loop configured by an SCS-to-SCS connection. This means that any effects from the DCS via the V net do not cause a dangerous failure in the ProSafe-RS. That is, non-interference from the DCS to the SIS (the DCS does not cause loss of SIS safety functions) is assured.
  • Protection of DCS and SIS against common cause failures
    Because the ProSafe-RS is based on the CS 3000 architecture, it is important to assume that a systematic failure could be common to both the DCS and SIS, and to consider the possibility of common-cause failure and preventive measures. Figure 2 shows the basic concept for preventing such failures. For both SCS hardware and software, the proven-in-use data of the modules shared with the CS 3000 has been analyzed, and measures such as implementing a diagnostic scheme or multiplexing have been taken for areas judged to adversely affect safety. Moreover, wherever an abnormality in a section could adversely affect the safety functions in view of the functions and architecture of the ProSafe-RS, safety measures are incorporated in the same way. These safety measures have been newly developed for the ProSafe-RS, and their effectiveness and sufficiency have been discussed and recognized by a certification body (TÜV).
    In other words, even if there is a systematic failure common to both the CS 3000 and ProSafe-RS, the ProSafe-RS is capable of detecting such a failure (or error caused by it) and taking pre-determined actions.
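As an added illustration (not Yokogawa's code, and not the actual V net or inter-SCS protocol), the Python model below shows the receiver side of a safety loop carried over a shared bus, following the points above: frames from other stations, corrupted frames and replays are discarded rather than acted on, and if no valid frame arrives for a configured number of scans the loop value is forced to the safe side. The frame layout, CRC choice, station ids and timeout are assumptions.

```python
import struct
import zlib

SAFE = 0      # de-energize-to-trip convention: 0 = shut down, 1 = permit run
TIMEOUT = 3   # assumed: receiver scans without a valid frame before forcing SAFE


def build_frame(src, seq, value):
    """Constructed frame layout: source id (u16), sequence (u32), value (u8), CRC32."""
    body = struct.pack(">HIB", src, seq, value)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Consumes safety frames from one expected partner SCS over the shared bus."""

    def __init__(self, expected_src):
        self.expected_src = expected_src
        self.last_seq = None
        self.cycles_since_valid = 0
        self.value = SAFE        # start on the safe side until a valid frame arrives
        self.tripped = False

    def parse(self, frame):
        """Return (seq, value) for a valid frame, or None so the frame is ignored."""
        if len(frame) != 11:
            return None                      # wrong size (e.g. flood of junk data)
        body, crc = frame[:7], struct.unpack(">I", frame[7:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return None                      # corrupted frame: never acted on
        src, seq, value = struct.unpack(">HIB", body)
        if src != self.expected_src or value not in (0, 1):
            return None                      # frame from an FCS or other station
        if self.last_seq is not None and seq <= self.last_seq:
            return None                      # replayed or stale frame
        return seq, value

    def cycle(self, frames):
        """One receiver scan over everything that arrived on the bus this cycle."""
        got_valid = False
        for frame in frames:
            parsed = self.parse(frame)
            if parsed is None:
                continue
            self.last_seq, self.value = parsed
            got_valid = True
        if got_valid:
            self.cycles_since_valid = 0
        else:
            self.cycles_since_valid += 1
            if self.cycles_since_valid >= TIMEOUT:
                self.value = SAFE            # bus failure detected: safe side
                self.tripped = True
        return self.value
```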


The ProSafe-RS incorporates both a redundant matching mechanism and a self-diagnostic mechanism within each I/O module and CPU module, so that a single component complies with the SIL3 level defined in IEC 61508. That is, both the CPU module and the I/O module can realize a safety loop meeting SIL3 in a single configuration. This provides the following additional engineering options:

  • No loss of safety functions on a one-side failure in dual-redundant configuration
    Because the ProSafe-RS meets the SIL3 level in a single configuration, no safety function is lost even if a component on one side fails in a dual-redundant configuration. Thus, if one of the CPU modules or I/O modules fails in a dual-redundant configuration, SIL3-level safety is still maintained.
    In general, for systems that realize the SIL3 level only in a dual-redundant configuration, the failure detection ratio drops after a single-side failure until the repair is completed. In this case, an upper limit on the time taken to repair the affected hardware is determined (for example, 8 hours), and if the hardware is not repaired within that time, overall system safety deteriorates. That is, the user must repair the failure within the specified time, and if this is not possible, the user must take safety actions such as manually shutting down the plant. Therefore, throughout the plant's entire operating period, the user must bear the running costs of guaranteeing that repair time, such as keeping engineers on standby, increasing the number of engineers, and establishing a system for quickly identifying and replacing the faulty area and then testing it. The ProSafe-RS overcomes these limitations: the dependence of safety on humans can be reduced, and running costs can also be reduced. Moreover, engineering flexibility is broadened, for example installation in difficult-to-maintain locations (remote locations, within wells, etc.).
  • High reliability
    For systems meeting the SIL3 level by dual-redundant CPU module configuration, safety is often secured by performing data collation between the two CPU modules. If nonconformity is detected during this data collation, it is difficult to determine which module is faulty. Thus, both modules are generally assumed to be faulty and measures are taken to shut down the system. In other words, any single fault causing collation nonconformity results in an error trip. However, because the ProSafe-RS performs SIL3-level diagnosis in each module, no inter-CPU module collation is made. This means that no error trip occurs unless two failures simultaneously occur in both CPU modules, making the system exceptionally reliable.
  • Flexible action in single configuration
    The ProSafe-RS has a function for preventing an error trip in the event of an I/O module failure even in a single I/O module configuration. For digital input (DI) modules whose signal is "1" in the normal condition and "0" in the event of plant failure, it is possible to define that "1" is used as the input value if a failure is detected in the relevant channel of the I/O module. In this case, a failure in the I/O module causes no error trip even in a single configuration; only the occurrence of the failure is notified by an alarm. This maintains plant reliability, and the user can replace the faulty area within a specified repair time to secure safety.
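The three options above, as an added Python model that is not ProSafe-RS code: a dual-redundant CPU pair that reaches SIL3 only by collating results must trip on any single fault, whereas per-module self-diagnosis lets the healthy module carry on alone, and a DI channel with a configured substitute value raises an alarm instead of an error trip. The shutdown logic, the fault injection by result corruption and the single-scan model are simplified assumptions.

```python
from dataclasses import dataclass

TRIP, RUN = 0, 1   # de-energize-to-trip: "1" in normal condition, "0" shuts down


@dataclass
class DIChannel:
    """Digital input channel with channel diagnosis and a configured substitute value.
    value_on_failure=RUN is the option described above (alarm, no error trip);
    TRIP is the conservative fail-safe default."""
    raw: int = RUN
    failed: bool = False
    value_on_failure: int = TRIP
    alarm: bool = False

    def read(self):
        if self.failed:
            self.alarm = True              # failure is notified by alarm
            return self.value_on_failure
        return self.raw


def shutdown_logic(inputs):
    """Application logic: any input demanding shutdown trips the loop."""
    return TRIP if TRIP in inputs else RUN


def collation_pair(inputs, a_faulty=False, b_faulty=False):
    """Dual CPUs that reach SIL3 only by comparing results: a mismatch cannot be
    attributed to one module, so the pair takes the safe side (an error trip)."""
    out_a = shutdown_logic(inputs) ^ int(a_faulty)   # a fault corrupts that CPU's result
    out_b = shutdown_logic(inputs) ^ int(b_faulty)
    if out_a != out_b:
        return TRIP, "error trip: collation mismatch"
    return out_a, "ok"


def self_diagnosing_pair(inputs, a_faulty=False, b_faulty=False):
    """Each CPU meets SIL3 by itself; a diagnosed fault withdraws that module and
    the partner carries on, so only the loss of both modules causes an error trip."""
    healthy = [shutdown_logic(inputs) for faulty in (a_faulty, b_faulty) if not faulty]
    if not healthy:
        return TRIP, "error trip: both CPU modules failed"
    return healthy[0], ("ok, degraded" if len(healthy) == 1 else "ok")


def scs_scan(channels, cpu_scheme, **cpu_faults):
    """One SCS scan: read channels, run the chosen CPU scheme, collect channel alarms."""
    inputs = [ch.read() for ch in channels]
    output, status = cpu_scheme(inputs, **cpu_faults)
    alarms = [i for i, ch in enumerate(channels) if ch.alarm]
    return output, status, alarms


if __name__ == "__main__":
    # Constructed scenario: two healthy channels plus one whose module has failed
    chans = [DIChannel(), DIChannel(), DIChannel(failed=True, value_on_failure=RUN)]
    print(scs_scan(chans, collation_pair, a_faulty=True))        # (0, 'error trip: collation mismatch', [2])
    print(scs_scan(chans, self_diagnosing_pair, a_faulty=True))  # (1, 'ok, degraded', [2])
```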


The ProSafe-RS engineering functions support languages compliant with the IEC 61131-3 international standard. This allows applications having a hierarchical structure to be created and so users can benefit from the advantages of IEC 61131-3, such as reusability and conversion to parts. The ProSafe-RS supports the following functions for efficient engineering and maintenance.

  • IEC 61131-3 languages and CS 3000 integrated tools
    As a function for integration with the CS 3000, the ProSafe-RS supports tools that correlate the IEC 61131-3 function blocks with CS 3000 tags and work in conjunction with the CS 3000 engineering functions. This ensures the efficiency of CS 3000 integrated engineering.
  • On-line modification
    The ProSafe-RS function of modifying an application without stopping the safety controller, i.e., without shutting down the plant, and continuing operations has been officially certified. Furthermore, there is an engineering tool (Cross Reference Analyzer) for minimizing areas to be tested during on-line modification. This eliminates the need for retesting all applications after partial modification of an application, which is compulsory in many SISs in terms of certification.
  • Function for quick maintenance work
    The ProSafe-RS supports maintenance-specific HMIs (SCS maintenance support function) to simplify identification of a failed area in the event of an SCS hardware failure.


This paper has outlined the features of the ProSafe-RS and their objectives. The ProSafe-RS provides a powerful platform for achieving safety instrumentation and total DCS solutions. In the future, we will study the following functional enhancements to meet various user needs:

  • Expansion of I/O types and coordination with field devices
  • Functional enhancement for reducing engineering costs
  • Support for value-added functions such as operator training environment


  • "Prosafe" and "CENTUM" are registered trademarks of Yokogawa Electric Corporation.

