4 Hardware Overview

Copyright Ó2005 Yokogawa System Center Europe B.V.

Table of contents

4 ProSafe-RS Hardware Overview ..................................................................................... 1

4.1 ProSafe-RS Hardware Overview..................................................................................3
4.1.1 Chapter Objectives ...................................................................................................4
4.1.2 Introduction..............................................................................................................5
4.1.2.1 Components of a basic Safety Control Station........................................................7
4.1.2.2 The modules in a Basic SCS system ....................................................................10
4.1.2.3 SCS extended with Safety Nodes .........................................................................13
4.1.2.4 Communication to other Yokogawa Systems over the Control Bus ......................16
4.1.2.5 Communication via RS232 or RS422/485............................................................20
4.1.3 IO Hardware typicals ..............................................................................................21
4.1.4 Other Hardware Elements .......................................................................................22
4.1.5 Addressing .............................................................................................................24
4.1.6 Redundancy Options...............................................................................................28
4.1.6.1 Single SCS System..............................................................................................29
4.1.6.2 Dual-Redundant Processor Module, Single I/O ....................................................30
4.1.6.3 Complete Dual-Redundant Configuration ............................................................31
4.1.6.4 Redundant Input or Output ..................................................................................32

4-2 RSWB rev 1.2

4.1 ProSafe-RS Hardware Overview
This section describes the hardware used to implement a ProSafe-RS critical control system.

RSWB rev 1.2 4-3

4.1.1 Chapter Objectives
After completing this section, the student will be able to:
§ Identify the hardware components in a ProSafe-RS system.
§ Identify the field and system connections to each module.
§ List the communication interfaces in the ProSafe-RS system and the modules that reside on
each.
§ Set up a ProSafe-RS system using multiple Processor Modules.
§ Describe the available safety features for handling inputs and/or outputs.
§ Set up a redundant ProSafe-RS system.
§ Describe the options available for accessing data in the control system from other controllers.
§ List the modules available for the ProSafe-RS system and describe the purpose of each.

4-4 RSWB rev 1.2

4.1.2 Introduction
ProSafe-RS is a microprocessor based programmable control system designed specifically for critical
applications, such as: emergency shutdown systems, burner management systems, fire and gas
detection systems and high availability process control. A complete ProSafe-RS control system
consists of three major components: a Human Machine Interface, the ProSafe-RS system and field
instruments for input to and output from the system.
Off course the ProSafe-RS could be positioned in a network of other systems. The figure below
illustrates an example of possibilities.

Figure 4-1

1. A basic system, also called a Safety Control Station (SCS)

2. If the amount of I/O is more than 1 SCS can handle, it is possible to expand the system with a
maximum of 9 Safety Nodes
3. A SCS can communicate to other systems over the Yokogawa network (Vnet).
Communication to these systems are:
a. Other SCS systems.
b. The SENG. Station for ENGineering and maintenance.
This SENG is always necessary to configure a Safety System
c. Yokogawa DCS CS3000
4. Equipment with no Vnet interface (like DCS, Safety or PLC systems) can communicate via
RS232 or RS422/485.

RSWB rev 1.2 4-5

 5. I/O equipment. For I/O equipment hardware typicals are available.

The hardware needed for above mentioned options will be described in the next paragraphs.

4-6 RSWB rev 1.2

4.1.2.1 Components of a basic Safety Control Station
The SCS consist of a rack with 2 power modules, a control module (2 in a redundant configuration)
and separate I/O modules (pairs in a redundant configuration) to handle the input and/or output of
field signals. Both types of modules are microprocessor based.
The control module performs the actual process control. Through the I/O modules, it retrieves values
from the inputs and sends appropriate signals to the outputs.
The I/O modules collect data from input devices and transmit data to output devices. These modules
act as an interface between the control module and the field.
The I/O data transfer and control algorithms are performed in a standard order which is called a scan
sequence. The typical arrangement is to transmit outputs, read inputs and then perform process
calculations.

Human Machine Interface

ProSafe-RS System

Application Logic
Control Module

Contol Module
Function Blocks

I/O
Input Variable
Scan
Output Variable

Output
Enable/Disable

Data Status
Data Value SCAN SEQUENCEData Status Data Value

IO Image Discrete Analog I/O Discrete Analog

Area Status Information
Input Data Modules Output Data

Input Module Output Module

Transmitter Inputs Final Control Elements

Figure 4-2

The ProSafe-RS system is module based, as shown in Figure 4-3 and Figure 4-4.
§ ProSafe-RS modules are each designed to perform a specific application such as critical
control or I/O handling.
§ The type of module (and number of each) in a system depends on the application. Any two
systems are not necessarily the same.

RSWB rev 1.2 4-7

 Figure 4-3

Figure 4-4

· Modules are inserted into a Safety Control Unit assembly (rack).

Two types are available, the standard type and the type which is suitable for circumstances where
the ambient temperature is exceeding 50 degrees Celsius (until 70 degrees Celsius).The last one
will be supplied with a Fan Unit.
· The Safety Control Unit has 12 slots, 2 slots are used for the Power Supplies (redundant), 2 slots
for the Processor Module (if redundant) and 8 slots for Input/Output modules.

4-8 RSWB rev 1.2

· Slot numbering is done from left to right.
· If the amount of IO cards is more then 8 (4 redundant pairs or any other combination) an extra
Safety Node will be used. Slots 7 and 8 in the Safety Control Unit are then equipped with an ESB
Coupler module (redundant). The Safety Node must then be equipped with an ESB bus interface
module
· The backplane provides the physical communication path between modules in the system.

RSWB rev 1.2 4-9

4.1.2.2 The modules in a Basic SCS system

Figure 4-5
In the Figure 4-5, ProSafe-RS modules in a basic SCS are illustrated:
1. The Power Supply Module is connected to a 100 to 120VAc or 220 to 240VAc or 24VDC
main source and supplies insulated +5V and +24V to each installed I/O module through the
back board.
2. The Control Module executes the configured control scheme. It is able to execute any
combination of two control languages and supervise its I/O modules to provide discrete
regulatory control.
3. I/O modules are configurable modules which act as interfaces between control modules and
field signals, offering a analog inputs and discrete input/output capabilities.
a. Analog data of either 4 to 20 mA or 1 to 5 V/ 1 to 10 V is converted to data of 0 to
100% in the CPU process data input processing and stored in the input variables. This
means that the data values stored in the input variables have been normalized to
values between 0 and 100%. All data that requires normalization, such as
measurements from differential pressure transmitters, is automatically processed in
the process data input processing in this way. Subsequent conversion from data in the
range from 0 to 100% to data using engineering units can be performed freely in the
application logic.

4-10 RSWB rev 1.2

 Classification Type (model) Input type Channel Input Range SIL Redundancy
number support
Analog Input SAI143_S Current 1 to 16 4 to 20 mA 3 Allowed
input
SAV144_S Voltage 1 to 16 1 to 10 V 3 Allowed
input

b. The input digital signals are converted into the internal data in the safety control unit.
The ProSafe-RS digital input/output modules consist of the following types:
· SDV144: Non-voltage contact input, 16 Channels, Isolated Dry contact 24
VDC
· SDV531: 24V DC output (0.6 A/channel), 16 Channels, Isolated

Classification Type (model) Input type Channel SIL support Redundancy

number
Digital Input 24 V DC, Discrete 1 to 16 3 Allowed
isolated input
(SDV144)
Digital Output 24 V DC, Discrete 1 to 8 3 Allowed
isolated output
(SDV531)

RSWB rev 1.2 4-11

 I/O modules can be equipped with the following fronts:
· Pressure Clamps
· Signal cable adapter with Terminal Board
· MIL connector

In the Figure 4-6 these options have depicted.

Figure 4-6

1. Power Supply modules are always redundant

4-12 RSWB rev 1.2

4.1.2.3 SCS extended with Safety Nodes
When the amount of I/O cards (+RS232 or RS422/485) is more then 8, it is possible to extend the
safety system with Safety Nodes. Up to 9 Safety Nodes can be connected to a SCS.

Figure 4-7

1. ESB bus coupler module (Model: SEC401) is installed in the safety control unit for
communicating with the ESB bus interface module (Model: SSB401) installed in the safety node
unit. Generally, the ESB bus coupler modules are dual-redundantly configured.
2. ESB bus interface module (Model: SSB401) is installed in the safety node unit for communicating
with the ESB bus coupler module (Model: SSB401) installed in the safety control unit. Generally,
the ESB bus interface modules are dual-redundantly configured.
If a second (up to 9) Safety Node is required the SSB401 card has 2 connectors on the front (for
continuation of the ESB bus). The last Safety node will be terminated (special SSB front
connector, with only 1 connector).

RSWB rev 1.2 4-13

 Figure 4-8

In Figure 4-8 a schematic overview with the positions of the ESB modules have been illustrated.

4-14 RSWB rev 1.2

 Figure 4-9

RSWB rev 1.2 4-15

4.1.2.4 Communication to other Yokogawa Systems over the Control
Bus

The ProSafe-RS can communicate to other Yokogawa System using the Control Bus, also known as
Vnet.
The following options will be described:
1. Communication to other SCS systems.
2. Communication to the SENG and/or other computers equipped with a Vnet PCI card.
3. Communication to DCS CS3000.

4-16 RSWB rev 1.2

4.1.2.4.1 Communication to other SCS systems

CS 3000 HIS

V net

Safety
communication Safety Data to FCS

CS 3000 FCS
Safety Controller

Figure 4-10

If communication between two or more (ProSafe-RS) Safety Control Units is required then the
dedicated Yokogawa Control Bus is used, know as Vnet. Safety communication through Vnet allows
data to be sent and received between SCSs.
In the Figure 4-11 the control bus (Vnet) connections are illustrated between two SCS systems.
Communication over the control bus is Safe only if special function blocks are used within the
application program.

Figure 4-11

RSWB rev 1.2 4-17

4.1.2.4.2 Communication to the SENG (Control Bus interface card)

The minimum ProSafe-RS configuration includes one SCS and one SENG.
This SENG is Windows based PC with Control BUS Interface card (Vnet card).
Programs such as ProSafe-COM MULCOM and FAST/TOOLS can communicate to Vnet.
In the figure below a Vnet Interface Card is depicted. This card must be installed in (for example) the
SENG.

Figure 4-12

4-18 RSWB rev 1.2

4.1.2.4.3 Communication to CS3000

The CS3000 Integration Function of the ProSafe-RS provides a communication interface for
accessing ProSafe-RS SCSs via the Vnet from HISs and FCSs connected to a CS3000 system. This
function allows the SCSs to be operated and monitored from HISs using the same interface (windows)
used when monitoring FCSs. SCS data can also be accessed from FCSs using the same interface (tag
names).

Figure 4-13

RSWB rev 1.2 4-19

4.1.2.5 Communication via RS232 or RS422/485.

Communication module name SIL support Redundancy

(model name)
RS-232C serial communication Interference-free No
module (ALR111)
RS-422/RS-485 serial Interference-free No
communication module (ALR121)

4-20 RSWB rev 1.2

4.1.3 IO Hardware typicals
Hardware typicals will be distributed separately during the course.

RSWB rev 1.2 4-21

4.1.4 Other Hardware Elements

Vnet
Ethernet Domain C
Vnet
Safety ENG HIS HIS/ENG SENG
Domain A
ENG
CGW CGW

Repeater

FCS Safety Safety FCS FCS FCS Safety

Controller Controller BCV Vnet Controller
Domain B
Optical Optical SENG
Repeater Repeater

Safety FCS
Controller Safety Safety
Controller Controller

Figure 4-14

A configuration can include the following elements:

· Vnet bus repeater,
· Vnet optical repeater,
· Vnet bus converter (BCV)
· Communication Gateway Unit (CGW).

Using Vnet bus repeaters and Vnet optical repeaters can expand the Vnet connection within one Vnet
domain. Furthermore, a Vnet domain can be divided into several Vnet domains connected each other
using BCV and CGW. Passing through BCV and CGW enables communication between stations in
different Vnet domains. The system connected through BCV and CGW is a kind of CS 3000
Integration Structure.

A Vnet domain is a collection of stations connected to each other with one line of Vnet.

Limitations
Systems can be extended up to the following numbers.
· Hierarchical domains that can be connected: 16
· Stations that can be connected in a domain: 64
· Hierarchical stations that can be connected: 256

4-22 RSWB rev 1.2

 · Hierarchy: three-level hierarchy (Bus converter for 2 domains, Control Bus for 3
domains) However, regarding CS 3000 HIS, the limit is 16 stations/domains at maximum.
· Number of SENG
One SENG at least is required. When using more than one PC for SENG, it is necessary
to connect between SENGs with Ethernet.
· Number of SCS
The number of stations should be within the limit. When using some domains, BCV and
CS 3000 ENG function are required

RSWB rev 1.2 4-23

4.1.5 Addressing

Figure 4-15

Specify a domain number in the range from 1 to 16 and a station number from 1 to 64.

4-24 RSWB rev 1.2

4.1.5.1.1 Setting the Domain and Station on the controller and Vnet card

The domain and station number can be set on the backside of the controller. Changing of the Domain
and Station Address must be done offline.

Figure 4-16

The following dip switch tables must be used for setting the addressing.
The Domain number can be set with the following table:

Figure 4-17

RSWB rev 1.2 4-25

The Station number can be set with the following table:

Figure 4-18

4-26 RSWB rev 1.2

4.1.5.1.2 Setting the Node number on the SSB card (Safety Node)

If the Safety system is extended with a Safety Node, the node setting must be done on the SSB401
card in the Safety Node on the front side (first remove the front cover). Changing of node numbers
must be done Off-line.

Figure 4-19

Figure 4-20

RSWB rev 1.2 4-27

4.1.6 Redundancy Options
ProSafe-RS supports dual-redundant configurations of SCS CPU modules and input/output modules.
With the dual-redundant configuration, the continuous controllability and operating efficiency can be
improved. Moreover, with dual-redundantly configured hardware, the continuity of plant safety
monitoring will be guaranteed by swapping the control rights when an error occurs in the SCS
hardware.
It is possible to employ redundant configuration for SCS CPU modules and input/output modules. The
Vnet communication, power supply module, ESB bus/SSB401 and SB bus are placed in a redundant
configuration.
· CPU Module
o The CPU module on the standby side performs the same control processing as the
control side even while it is in the standby status. For this reason, it is possible to take
over outputting data immediately after the control right is switched. Moreover, the
operating mode of the SCS does not change.
o Only the CPU on the control side accesses the hardware composing the SCS and the
CPU on the standby side always sets the equivalent value as the processing result.
Therefore, the CPU modules on both sides always perform processing using the same
data.
o In redundant configuration, if the CPU module on the standby side is not in the STBY
status and the control right cannot be switched, the same operation as single
configuration CPU module is performed.
o SOE data related to discrete inputs may be lost when the control right is switched
between the CPU modules.
· Input/Output Modules
In a SCS, it is possible to mount input/output modules of the same type in two adjacent slots (*1)
to make them redundant. In the case of redundant configuration, one side becomes the control
side and the other becomes the standby side. Switching of the control right is performed by input/
output modules. The switching has no influence on the application logic.
*1: An odd-numbered slot and the even-numbered slot obtained by adding 1 to the odd slot
number, e.g. 1 & 2, 3 & 4, 5 & 6.
o It is not allowed to have redundant configuration across two nodes.
o SOE data related to discrete inputs may be lost when the control right is switched
between the input modules even though the frequency is low.

4-28 RSWB rev 1.2

4.1.6.1 Single SCS System
SIL3 will be achieved in single Input-CPU-Output module configuration. This is a proven “Pair &
Spare” from the CS3000 scheme.

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Figure 4-21

RSWB rev 1.2 4-29

4.1.6.2 Dual-Redundant Processor Module, Single I/O
Module redundancy is for availability, not for safety.
The Processor modules are placed in slot 9 and 10.

MPU memory
MPU memory

MPU memory

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Figure 4-22

4-30 RSWB rev 1.2

4.1.6.3 Complete Dual-Redundant Configuration
If Input modules and Output modules are dual-redundant then a couple must be placed for example in
slot 1 & 2, or 3 & 4.
The combination 2 & 3 is not allowed.

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Figure 4-23

RSWB rev 1.2 4-31

4.1.6.4 Redundant Input or Output
A mix of dual-redundant with the normal (SIL3) configuration is possible.
If dual-redundant I/O cards are used then a special front cover must be used. The figure below
illustrates a Pressure Clamp dual redundant cover.

Figure 4-24

Input MPU memory

Circuit, MPU MPU memory

Circuit, MPU MPU memory

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Figure 4-25

4-32 RSWB rev 1.2

 MPU memory Output
MPU memory Circuit, MPU

MPU memory Circuit, MPU

Input MPU memory Output

Circuit, MPU MPU memory Circuit, MPU

Circuit, MPU MPU memory Circuit, MPU

Figure 4-26

RSWB rev 1.2 4-33

4-34 RSWB rev 1.2