YAMASHIRO Yasuhiko *1, SEKINO Hiroyoshi *1, SHISHIBA Ryoutarou *1, KOBAYASHI Yoshinori *1
The new hardware of our ProSafe-RS safety system offers single and dual-redundant module configurations, both of which have achieved safety integrity level (SIL) 3. Building on the technological heritage and proven reliability of the CENTUM CS 3000, the ProSafe-RS is designed to meet all the safety design requirements of IEC61508, the international functional safety standard. The main feature of the newly developed ProSafe-RS hardware is the application of dual microprocessor technology not only to the CPU module but also to the I/O modules. This is what allows SIL3 to be achieved in a single configuration as well as in a dual-redundant configuration.
Safety systems that achieve SIL3 under IEC61508 are already on the market. Most of them, however, reach SIL3 by configuring modules in dual-redundant or triplex form. With this approach, the failure of one module degrades safety, and the failed module must be repaired within a specified time to maintain the SIL. Because the modules must be multiplexed, costs also tend to be high. If SIL3 can be achieved in a single configuration, system cost can be kept low, and where redundancy is added, high availability can be attained as well.
This paper introduces the hardware of the ProSafe-RS safety system (Figure 1), which has achieved SIL3 in a single module configuration based on the highly reliable, market-proven technology of the CENTUM CS 3000 series. Flexible redundancy is also available in this system.
Figure 1 External View of the ProSafe-RS (in Redundant Configuration)
Upper half: safety control unit
Lower half: safety node unit

Legend:
PW : power module (SPW481, SPW482, SPW484)
CPU : processor module (SCP401)
ESB CPL : ESB bus coupler module (SEC401)
ESB I/F : ESB bus interface module (SSB401)
IO : input/output module
Vnet CPL : Vnet coupler unit (AIP504)

Figure 2 SCS Configuration
The safety control station (SCS) consists of one safety control unit and up to nine safety node units. The control bus and I/O bus are the same Vnet and ESB/SB buses used in the CENTUM CS 3000. Figure 2 shows the configuration of the ProSafe-RS SCS.
During development, the CS 3000's FFCS and FIO were adopted as the platform, in view of integrated operation with the CS 3000, maintainability and productivity as well as a high degree of safety and reliability. The ProSafe-RS units therefore have the same outer dimensions as the FFCS and FIO.
The safety control unit can form an SCS by itself, accommodating eight input/output modules in addition to the processor modules. Alternatively, it can hold six input/output modules plus the ESB bus coupler module (SEC401), in a configuration that extends the SCS with safety node units. The operating ambient temperature of the safety control unit is -20°C to 50°C as standard; a wide-temperature version equipped with cooling fans and rated for up to 70°C is also available.
Moreover, the IRIG-B (GPS connection) interface for realizing high-precision time-of-day synchronization between SCSs is also available as an option.
The safety node unit can incorporate up to eight input/output modules, coping with a temperature environment of from -20°C to 70°C as standard.
The I/O bus (ESB/SB bus) specifications are the same as those of CENTUM. Because safety communication and non-safety communication on the same bus are isolated from each other by the safety layers, conventional FIO modules could in principle be connected to the same bus. In that case, however, TÜV certification is required to show that the connected FIO does not interfere with the safety functions, so at present only the RS communication modules (see Table 1) can be connected.
Figure 3 shows the configuration of the processor modules (in redundant configuration). The processor module was developed from the CS 3000 FFCS processor module (CP401), which employs the redundant matching, or 'Pair & Spare', method. In the CP401, two processors perform the same computation and a single comparator compares the results at the signal-line level to detect transient computation errors. This alone achieves high reliability. In the ProSafe-RS, however, the comparators, main memories, associated register groups, watchdog timers (WDT) and so on are also made fully dual-redundant, to eliminate as far as possible any factor that could lead to a common-cause failure. This allows the processor module to be designed so that its undetected dangerous failure rate (λDU) is minimized. To fit these functions into the same size as the CP401, we developed a new highly integrated ASIC; all of the redundancy-related functions except the microprocessor (MPU) and main memory (ECC memory) are incorporated in this single chip. The ASIC was also designed to satisfy the various safety design requirements specified by IEC61508.
In addition, the CP401 backs up its main memory against power failure with rechargeable secondary batteries, for approximately 48 hours. However, IEC61131-2 requires that the application program be retained for 1000 hours or more at normal temperature, or 300 hours or more at high temperature. To meet this requirement, we adopted storage of the application program in non-volatile memory (flash memory).
Figure 3 Configuration of the Processor Modules (in Redundant Configuration)
We have developed four types of new SIL3-compliant input/output modules based on the FIO, and have arranged for two types of existing FIO communication modules to be installed in the same SCS as modules that do not interfere with the safety functions. Table 1 lists the input/output module types.
Table 1 Input/Output Module Types

Model    | Module type                              | Specification
---------|------------------------------------------|---------------------------
SAI143   | Analog input module                      | 4-20 mA, 16 ch
SAV144   | Analog input module                      | 1-10 V, 16 ch
SDV144   | Digital input module (with SOE function) | No-voltage contacts, 16 ch
SDV531   | Digital output module                    | 24 VDC, 8 ch, 0.6 A/ch
ALR111*  | RS-232 communication module              | 2 ports
ALR121*  | RS-422/RS-485 communication module       | 2 ports

* These modules can be installed in the SCS but cannot be used in a safety loop.
Figure 4 shows the schematic configuration of an input module, and Figure 5 that of an output module. Each input/output module has two MPUs and operates by cross-checking between them the soundness of the commands and input/output data exchanged with the processor modules. Unlike the hardware comparison performed by comparators in the processor modules, the MPU-to-MPU cross-check in the input/output modules is carried out by firmware in each MPU communicating with the other, keeping the two MPUs synchronized at a high level. This method is one of the distinctive features of the safety input/output modules.
Figure 4 Input Module
Figure 5 Output Module
An input module consists of two microprocessors (MPUs), two input circuits per channel, and a diagnostic circuit that checks the input circuits and their peripheral circuits. A field input signal reaches the two MPUs through the two independent input circuits. The MPUs cross-check that the data each has read matches, which confirms the soundness of both the input circuits and the MPUs themselves. When the data agree, they are sent to the processor modules through the safety layers implemented in firmware. Moreover, because an input signal handled by a safety system does not change until a shutdown demand occurs, a stuck-at failure in an input channel component would go undetected, and the output could then not be shut down when a demand arrives. To avoid this hazardous situation, the input channel circuits are exercised periodically so that stuck-at failures are checked for at all times.
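The dual input circuits, cross-collation and periodic stuck-at test described above can be modelled in a few lines. The following C program is an added example, not code from the paper or from Yokogawa: the channel structure, the test stimulus and the fault-injection fields are assumptions, since the page does not describe the SDV144 internals. It shows why collation alone is not enough: with a single circuit frozen at the healthy level the two MPUs disagree at the demand and trip, but with both circuits frozen (a common-cause fault) the demand is missed and only the periodic test reveals the fault.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one safety digital-input channel; the real SDV144 internals are
 * not described on the page, so the structure below is an assumption for illustration.
 * Two independent input circuits feed two MPUs, and each circuit can be driven by a test
 * stimulus so the MPUs can check that it still responds while the field contact is static. */
typedef struct {
    bool field_contact;   /* closed (true) in the healthy state, opens on a demand */
    bool stuck[2];        /* fault injection: input circuit i is frozen ... */
    bool stuck_val[2];    /* ... at this value regardless of the stimulus */
} input_channel_t;

typedef enum { CH_HEALTHY, CH_MISMATCH, CH_STUCK } channel_status_t;

/* Value that input circuit i presents to its MPU for a given stimulus. */
static bool circuit_read(const input_channel_t *ch, int i, bool stimulus) {
    return ch->stuck[i] ? ch->stuck_val[i] : stimulus;
}

/* Normal scan: MPU-A and MPU-B each sample their own input circuit, then collate.
 * Agreement releases the value to the safety layer; disagreement is reported and the
 * channel is treated as open, i.e. in the trip direction. */
channel_status_t scan_channel(const input_channel_t *ch, bool *value) {
    bool a = circuit_read(ch, 0, ch->field_contact);
    bool b = circuit_read(ch, 1, ch->field_contact);
    if (a != b) { *value = false; return CH_MISMATCH; }
    *value = a;
    return CH_HEALTHY;
}

/* Periodic proof test: drive both input circuits to each logic level in turn and require
 * each one to follow. This exposes a circuit frozen at the healthy level, which a normal
 * scan can never reveal because the field contact does not change until a demand occurs. */
channel_status_t proof_test_channel(const input_channel_t *ch) {
    for (int level = 0; level < 2; level++)
        for (int i = 0; i < 2; i++)
            if (circuit_read(ch, i, level == 1) != (level == 1)) return CH_STUCK;
    return CH_HEALTHY;
}

/* Healthy channel: scans read the contact and the proof test passes. */
bool scenario_healthy(void) {
    input_channel_t ch = { .field_contact = true };
    bool v;
    return scan_channel(&ch, &v) == CH_HEALTHY && v && proof_test_channel(&ch) == CH_HEALTHY;
}

/* One circuit frozen at the healthy level: the fault is latent until the demand, when
 * collation catches it; the proof test catches it before any demand. */
bool scenario_single_stuck(void) {
    input_channel_t ch = { .field_contact = true, .stuck = { true, false }, .stuck_val = { true, false } };
    bool v;
    bool latent = scan_channel(&ch, &v) == CH_HEALTHY && v;
    ch.field_contact = false;                                  /* demand arrives */
    bool caught = scan_channel(&ch, &v) == CH_MISMATCH && !v;  /* MPUs disagree: trip */
    return latent && caught && proof_test_channel(&ch) == CH_STUCK;
}

/* Both circuits frozen at the healthy level (common-cause fault): collation agrees, the
 * demand is missed, and only the proof test reveals the stuck channel. */
bool scenario_double_stuck(void) {
    input_channel_t ch = { .field_contact = true, .stuck = { true, true }, .stuck_val = { true, true } };
    bool v;
    bool latent = scan_channel(&ch, &v) == CH_HEALTHY && v;
    ch.field_contact = false;                                  /* demand arrives */
    bool missed = scan_channel(&ch, &v) == CH_HEALTHY && v;    /* still reads healthy */
    return latent && missed && proof_test_channel(&ch) == CH_STUCK;
}

int main(void) {
    printf("healthy channel:       %s\n", scenario_healthy() ? "ok" : "FAIL");
    printf("single stuck circuit:  %s\n", scenario_single_stuck() ? "detected" : "FAIL");
    printf("double stuck circuit:  %s\n", scenario_double_stuck() ? "detected" : "FAIL");
    return 0;
}
```

The proof test is what turns an undetected dangerous failure into a detected one: in the double-stuck case the two MPUs agree with each other right through the demand, so the only thing that can expose the channel is stimulating it with a value the field is not supplying.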
An output module receives an output command sent from the processor modules over the I/O bus in both MPUs, and each MPU checks the soundness of the command using the safety layers. The module also compares the results of this check between the two MPUs. Only after the command has been verified does the module drive the commanded output value. The output value is continuously read back by the two MPUs and checked against the commanded value. Because an output signal likewise does not change until a shutdown demand occurs, the output channel circuit is exercised periodically to check the output switches and read-back circuits for stuck-at failures. If an output switch is found stuck ON, the other switch arranged in series with it is turned off, which forcibly shuts off the output.
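The command check, read-back and series-switch cut-off described above, together with the safety-layer validation of commands arriving over the shared I/O bus, as an added example in C (not code from the paper or from Yokogawa). The frame format (a sequence counter and a CRC-16 over the body), the two-switch arrangement and the assumption that a test pulse is short enough not to disturb the load are all illustrative; the page does not specify the real safety-layer format or output circuit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one safety digital-output channel. The frame layout (sequence counter
 * plus CRC-16) and the two series switches with terminal read-back are assumptions made for
 * illustration; the page does not describe the real safety-layer format or circuit. */
typedef struct { uint8_t seq; uint8_t cmd; uint16_t crc; } safety_frame_t;
/* CRC-16/CCITT (polynomial 0x1021, initial value 0xFFFF) over the frame body. */
static uint16_t crc16(const uint8_t *p, int n) {
    uint16_t crc = 0xFFFF;
    for (int i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}
safety_frame_t make_frame(uint8_t seq, uint8_t cmd) {
    uint8_t body[2] = { seq, cmd };
    return (safety_frame_t){ seq, cmd, crc16(body, 2) };
}
/* One MPU's independent check of a received frame: integrity first, then freshness. */
static bool mpu_validate(const safety_frame_t *f, uint8_t expect_seq, bool *cmd) {
    uint8_t body[2] = { f->seq, f->cmd };
    if (crc16(body, 2) != f->crc) return false;   /* corrupted on the shared bus */
    if (f->seq != expect_seq) return false;       /* lost, delayed or replayed frame */
    if (f->cmd > 1) return false;                 /* not a valid output state */
    *cmd = (f->cmd == 1);
    return true;
}

typedef struct {
    bool sw[2];          /* MPU-A drives sw[0], MPU-B drives sw[1]; load energised only if both closed */
    bool stuck_on[2];    /* fault injection: switch i cannot open */
    uint8_t expect_seq;  /* next sequence number (both MPUs track the same value here) */
} output_channel_t;
/* What the read-back circuit sees at the output terminal. */
static bool read_back(const output_channel_t *ch) {
    return (ch->sw[0] || ch->stuck_on[0]) && (ch->sw[1] || ch->stuck_on[1]);
}
typedef enum { OUT_OK, OUT_REJECTED, OUT_FORCED_OFF } output_status_t;

/* Handle one frame: both MPUs validate, results are compared, switches are driven, terminal is read back. */
output_status_t drive_output(output_channel_t *ch, const safety_frame_t *f) {
    bool cmd_a, cmd_b;
    bool ok_a = mpu_validate(f, ch->expect_seq, &cmd_a);
    bool ok_b = mpu_validate(f, ch->expect_seq, &cmd_b);
    if (!ok_a || !ok_b || cmd_a != cmd_b) {
        ch->sw[0] = ch->sw[1] = false;            /* never act on an unverified command */
        return OUT_REJECTED;
    }
    ch->expect_seq++;
    ch->sw[0] = ch->sw[1] = cmd_a;
    if (read_back(ch) != cmd_a) {                 /* terminal does not follow the command */
        ch->sw[0] = ch->sw[1] = false;
        return OUT_FORCED_OFF;
    }
    return OUT_OK;
}

/* Periodic test while energised: open each switch alone and require the read-back to fall
 * (assumption: the real test pulse is too short to disturb the load). A switch that cannot
 * open is stuck ON, so its healthy series partner is opened for good to cut the output. */
output_status_t proof_test_output(output_channel_t *ch) {
    if (!(ch->sw[0] && ch->sw[1])) return OUT_OK; /* nothing to exercise while de-energised */
    for (int i = 0; i < 2; i++) {
        ch->sw[i] = false;
        bool fell = !read_back(ch);
        ch->sw[i] = true;
        if (!fell) {
            ch->sw[0] = ch->sw[1] = false;
            return OUT_FORCED_OFF;
        }
    }
    return OUT_OK;
}

/* Scenarios: a replayed frame, a frame corrupted in transit, and a switch stuck ON. */
bool scenario_replay(void) {
    output_channel_t ch = { 0 };
    safety_frame_t f = make_frame(0, 1);
    return drive_output(&ch, &f) == OUT_OK && read_back(&ch)
        && drive_output(&ch, &f) == OUT_REJECTED && !read_back(&ch);
}
bool scenario_corrupted(void) {
    output_channel_t ch = { 0 };
    safety_frame_t f = make_frame(0, 0);
    f.cmd = 1;                                    /* one bit flipped on the bus; CRC no longer matches */
    return drive_output(&ch, &f) == OUT_REJECTED && !read_back(&ch);
}
bool scenario_stuck_switch(void) {
    output_channel_t ch = { .stuck_on = { true, false } };
    safety_frame_t f = make_frame(0, 1);
    return drive_output(&ch, &f) == OUT_OK        /* stuck ON is invisible while commanded ON */
        && proof_test_output(&ch) == OUT_FORCED_OFF && !read_back(&ch);
}

int main(void) {
    printf("replayed frame rejected:  %s\n", scenario_replay() ? "yes" : "NO");
    printf("corrupted frame rejected: %s\n", scenario_corrupted() ? "yes" : "NO");
    printf("stuck switch forced off:  %s\n", scenario_stuck_switch() ? "yes" : "NO");
    return 0;
}
```

The replay scenario shows why the sequence check matters even on a bus that is otherwise sound: a stale or duplicated frame with a valid CRC is still rejected, and a rejected command leaves the output in the safe, de-energised state. In the stuck-switch scenario the fault is invisible while the output is commanded ON, which is exactly the state a de-energise-to-trip output normally sits in, so the periodic test is what brings it to light and the second switch in series is what makes the cut-off possible.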
Field Wiring Diagnosis
The soundness of the cables connecting the ProSafe-RS to field devices is also an important point in building a safety loop. Even if the ProSafe-RS itself is sound, a short-circuit or break in the field wiring prevents the loop from functioning as a safety loop. The ProSafe-RS input/output modules are therefore provided with a function for detecting short-circuits and breaks in the wiring. If an input/output module detects a problem, an alarm informs the operator so that the problem can be resolved.
This paper has introduced the hardware configuration and design architecture of the ProSafe-RS SCS. In the future, development of technologies for improving the safety and reliability of sensors and actuators is expected to accelerate in the market, since these devices account for a considerable portion of a safety loop's PFD (probability of failure on demand).
We will expand the lineup of ProSafe-RS input/output modules that can handle such field devices and offer users safety solutions of a higher level.