EMORI Toshiyuki1 KAWAKAMI Shigehito1
We have developed the ProSafe-RS safety instrumented system, which has been certified by the TÜV German certification organization as meeting Safety Integrity Level (SIL) 3 specified in IEC 61508, the international standard for functional safety. The Safety Control Station (SCS) is a safety controller that is a core component of the ProSafe-RS. This paper describes some of the technologies, including safety functions, protection against interference from non-safety functions, and safety communication, incorporated in the SCS to achieve SIL 3.
*1 IA Systems Business Division, IA Business Headquarters
Conventional safety instrumented system (SIS) is typically installed separated from a distributed control system (DCS) to eliminate interference from the DCS and assure safety. However, users increasingly wish to integrate SIS with DCS while maintaining the safety of safety controllers.
The safety control station (SCS), a safety controller of the ProSafe-RS, features the same architecture as the field control station (FCS) of our DCS, the CENTUM CS 3000, and inherits the same high reliability and the process data communication interface as the FCS. Furthermore, the SCS implements safety functions and safety communication to achieve SIL3-level safety as well as close integration with the CS 3000 system, and has been certified by the TÜV German certification organization.
Figure 1 shows the SCS functional configuration.
The SCS is a safety logic solver located on a safety loop and captures input data from sensors and outputs data in a fail-safe manner to final control elements.
The SCS consists of safety functions that directly affect a safety loop (safety logic execution, I/O function, diagnostic function, etc.), as well as non-safety functions not directly related to the safety loop (connection to CS 3000 and Modbus communication, etc.). Moreover, use of Inter-SCS safety communication allows a safety loop to be built extending over multiple SCSs via the V net control network.
|Figure 1 Configuration of SCS Functions|
This section describes the basic safety functions of the SCS as the safety logic solver.
Safety Logic Execution
In the SCS, safety logic described using the IEC 61131-3 international standards compliant function block diagrams (FBD) and ladder diagrams (LD) are run in specified scan period. When the SCS detects demand (event for which the plant should be shut down) from sensors, shutdown processing described using safety logic is run to output shutdown signal to final control element(s) (shutdown valves, etc.).
Actions On Fault Detection
In the CPU modules and I/O modules of the SCS, self- diagnostics are performed periodically by the hardware and software.
The following describes the actions of each module to be performed if a failure is detected in single module operation. When modules are operated in dual-redundant configuration, if a single failure occurs, the module continues to operate singly and does not allow the shutdown processing to run. A failed module and the cause of failure are notified by an alarm, and the failed module can be replaced while online.
Inter-Scs Safety Communication
The ProSafe-RS allows an integrated system in which safety communication with SIL3-level certification and conventional CS 3000 control communication are mixed to be flexibly built, either in a small- to large-scale configuration or in a wide-area configuration, on the same V net without separating the CS 3000 system's V net control network.
To perform Inter-SCS safety communication, dedicated Inter-SCS safety communication function blocks (FB) are used to describe the safety logic (Figure 2).
Figure 2 Example of Logic for Inter-SCS Safety Communication
Hazardous events that may occur in communication (such as data corruption, omission, or delay) are all checked by the consumer SCS FB (CONS_B in example in Figure 2). If a fault is detected, a pre-defined fail-safe value is output, and information identifying the faulty data and the cause of the fault are notified by an alarm.
The maintenance override function is used for bypassing shutdown processing so that it is not executed by safety logic during partial maintenance such as specific input. Creating bypass logic using a dedicated override FB allows the CS 3000's human interface station (HIS) to safely perform maintenance override for SCS (Figure 3).
Figure 3 Example of Maintenance Override from HIS
Generally, a value input to the override FB is output as-is. However, an override execution command from the HIS causes a specified value (OVR_B VAL in Figure 3) to be output.
Moreover, the override FB has an override permission switch (OVR_B SW in Figure 3), and maintenance override cannot be executed from the HIS unless this switch is in the permission status. A combination of the override FB with a dedicated password FB also allows the HIS to make an override permission.
To meet the SIL3-level safety for an integrated system having both safety functions and non-safety functions as shown in Figure 1, it is required to assure the validity of the safety functions and safety communication, and assure that non-safety functions do not interfere with safety functions.
Assurance of Validity of Safety Functions
The ProSafe-RS has been developed according to strict development standards in the same way as the CS 3000 to assure high quality. Furthermore, it analyzes the effects of potential risks on the safety functions and incorporates the following mechanisms for detecting faults to check that no hazardous status (condition in which a plant cannot be shut down even if a demand is happened) is caused by systematic failure resulting from a human error, etc.:
Protection against Interference from Non-safety Functions
The SCS is equipped with the following mechanisms to protect the SCS's safety functions against interference from non- safety functions also existing in the SCS or interference from a non-safety device connected to the SCS via communication:
Safety Communication in the SCS
|Figure 4 Configuration of Safety Communication|
Safety communication is a communication method that has a mechanism for checking that safety-related data is passed to the communication counterpart without fail on an existing non-safety communication system. (See the EN50159 European standards concerning safety communications.)
In safety communication, a safety layer is arranged in the place of the application layer in communication to separate the safety functions from the outside non-safe world. Figure 4 shows the configuration of general safety communication.
In the SCS, the safety layer is arranged within the Inter-SCS safety communication FBs (see Figure 2) that are executed by safety logic to ensure safety communication. The producer-side safety layer (producer FB) appends information such as a sequence number, time stamp, and CRC codes to each safety data to be sent, while the consumer-side safety layer (consumer FB) strictly checks for transmission errors.
Table 1 shows transmission errors that may occur in communication and check measures conducted in the Inter-SCS safety communication.
Table 1 Check Measures for Transmission Errors in the Inter-SCS Safety Communication
|Possible Transmission Errors||Measures for Checking|
|Appending of Information Identifying Transmission Source and Destination||Appending of Sequence No. to be Updated Every Sending||Appending of Time Stamp upon Sending on the Transmission Side||Appending of CRC Codes to Data and Information Appended as Noted at the Left|
|Repetition of same message||---||•||•||---|
|Missing of necessary message||---||•||---||---|
|Insertion of unexpected message||---||•||---||---|
|Transposed message order||---||•||•||---|
|Message has been corrupted||---||---||---||•|
|Delay in message arrival||---||---||•||---|
|Confused as message from a non-safety device||•||---||---||---|
• : transmission error that can be checked by a measure,
--- : transmission error that cannot be checked by a measure
V net's high reliability and high responsiveness have already been proven in the CS 3000's control communication. The Inter-SCS safety communication further improves the communication reliability and safety assurance under an environment having both safety communication and control communication.
In the ProSafe-RS, not only the mechanism of safety measures implemented on the SCS but also precautions and operating procedures for safe engineering and operations are described in safety manuals and engineering guides to assure safety from various aspects for obtaining safety certification.
Yokogawa will continue to develop DCS and SIS in integrated form, to keep providing total solutions that satisfy users.
ProSafe-RS offers control system integration and features a dual architecture in every module to achieve SIL3-level protection and high reliability.
Yokogawa Distributed Control Systems (DCS) deliver the industry's highest proven availability, maximizing performance and profitability.
Safeguard your plant with our industry-leading safety instrumented systems, designed to prevent unnecessary shutdowns, improve asset performance, and enhance operator effectiveness.