




TI 48E02A00-00E-N

ProSafe-PLC is a programmable safety system designed specifically for critical applications, such as emergency shutdown systems, burner management systems, compressor protection systems, and fire and gas detection systems. ProSafe-PLC combines the beneficial features of a PLC (such as modularity, ladder logic and sequential programming, high-speed logic solving, and industrial strength) with high safety, high availability, and extensive
ProSafe-PLC also incorporates analog I/O, open communications, and a variety of operator interface options not typically available from a PLC.
The ProSafe-PLC system (Figure 1) offers:

- Increased safety with proven fail-safe characteristics and guarded
- Higher system availability with the fault tolerance of quad redundancy, special self-testing software, and unique common cause defense mechanisms
- Improved reliability with greater strength against industrial stressors and isolation between I/O subsystems
- Lower management-of-change costs via direct graphical storage of a configuration in the control module
- Decreased start-up time and minimized downtime with on-line diagnostics and detailed error reporting
- Reduced configuration time through the ability to mix the following languages in one control module's configuration: ladder logic, sequential function charts, function blocks, and structured text
- Increased security with extensive protection against unauthorized changes
- Easier integration with other control systems via open communications
- Simplified efforts for site certification via agency approvals (DIN 19250: AK4 ... AK6)
- Less complicated project cycle through available project engineering services

Figure 1

Yokogawa Industrial Safety Systems
PO Box 20020, 7302 HA, Apeldoorn, The Netherlands
Tel.: (31) 55-5389500 Fax.: (31) 55-5389511

ProSafe-PLC System

TI 48E02A00-00E-N
Copyright 1997
3rd Edition: November 2000

As a result of a design strategy for superior fault avoidance and fault tolerance, the ProSafe-PLC system in the Quadruple channel architecture outpaces conventional dual PLCs and TMR systems in reliability and
Fault avoidance techniques reduce the system failure rate, while fault tolerance enables the system to operate successfully even when a component fails. The safety critical parts of the ProSafe-PLC system have a Safety certification from the TÜV covering AK1-6 applications.
Typical user applications as a Safety Instrumented System (SIS) are found in the Chemical, Refining and Oil & Gas production industry. This includes the protection of offshore platforms and Floating Production, Storage and Off-loading (FPSO) systems, such as:

- Emergency Shut-Down systems (ESD) for Safety Critical process units
- Burner Management Systems for incinerator furnaces and steam boilers
- Compressor Protection Systems for rotating and piston type compressors
- Fire & Gas detection systems

Safety Requirements in Industry

In recent decades, many accidents in industry have been attributed to computer failures, causing loss of life, damage to assets and to the environment.
This has strengthened the corporate and public awareness of the need for risk reduction, to create Safety in industrial processes. The guidelines for safe operation of industrial installations in petro-chemical, oil and gas production are becoming more and more severe through international Safety standards developed by the IEC. Safety standards, such as the new IEC 61508, are developed by co-operation of industry groups, Safety certifying agencies and insurance companies, resulting in more stringent regulation and legislation.
The operating companies are aware that a reliable Safety Instrumented System (SIS) is of great value, not only because of the legal and insurance liability: it serves to protect people and the environment and to safeguard the large-scale investments that are involved in today's production processes.
On the other hand, unnecessary interruptions of a production process must be avoided, because process availability has a direct relation with production yield and cost. Furthermore, there is an indirect and positive correlation between availability and Safety. Availability is therefore an integral part of the design of a reliable SIS.
It is important to emphasise that availability by fault tolerance is a different phenomenon from Safety, and to be aware that these two benefits are created by different design strategies. Combining the two in one design requires specific attention to common-cause effects and to self-diagnostic capability.
Regular PLCs were designed around 1970 to create flexibility for process control and to implement facilities such as PID loops, calculation, sequencing, etc. The general trend towards more complex processes and the need for flexibility during engineering, as well as during operational use, have introduced PLCs as Safety Instrumented Systems (SIS) in the industry. Often non-Safety related functions have also been put in the same systems because of their powerful capabilities. Today's special Safety PLCs all employ a variety of redundant configurations to improve Safety as well as availability.

Single PLC (1oo1)

Employs a single signal path from the inputs via a microprocessor to the outputs. This is unsuitable for SIS use, since any type of hardware or software failure can create a potentially unsafe situation if an output switch can no longer be de-energised to perform its protection function. This condition is not likely to be detected by the system's self-diagnostics. Therefore a single PLC does not comply with today's Safety standards and is considered unsuitable for Safety applications.

All Rights Reserved. Copyright Yokogawa ISS


Dual Safety PLC (2oo2)

Based on the principle of diagnostics by comparison. Both PLCs execute the same program and in case of a discrepancy between the results of the two processors the outputs will be de-energised. The I/O circuits need special provisions for comparison or self-test. This creates improved Safety performance when compared to a 1oo1 system, at the expense of increased hardware use, which is responsible for the lower availability, or higher false trip rate (FTR), of 2oo2 systems.

Triple Safety PLC (2oo3) or TMR Systems

Based on the principle of diagnostics by consensus or majority voting, creating about the same Safety as dual PLC systems, without the need to trip at the first failure. A voting mechanism acts on dynamic changes in order to recognise any differences. However, the majority of potentially unsafe failures are static and are responsible for on-demand failures. Common-cause effects are also a source of concern, because in most TMR systems no diversity is applied in the hardware or in the software. The higher availability (or low FTR), compared to 2oo2 systems, is achieved at the expense of fully triplicate

ProSafe-PLC 1oo1D Structure

Applies diversity in the dual signal paths, combined with comparison between processors, which is a more effective configuration than a regular 2oo2 PLC. The architecture designation D reflects the extensive self-diagnostic by reference capabilities implemented in each channel and the secondary shutdown path that is controlled by this self-diagnostic. This standard 1oo1D architecture can be expanded to include optional redundant controllers, providing a low-cost option for redundancy of critical

ProSafe-PLC in 1oo2D Quadruple Channel Architecture

Creates full fault tolerance by employing the basic 1oo1D structure in redundancy. At the detection of a first critical failure, the system goes into 1oo1D mode and there is no shutdown. An on-line repair can be executed to restore the 1oo2D structure. When comparing different generic control structures, no other architecture has a lower FTR than this 1oo2D, according to the IEC 61508 standard. The same conclusion can be found in many other well-documented publications. The Safety and availability performance of 1oo2D is equivalent, if not better, compared to TMR, and furthermore this is achieved at reduced cost.

ProSafe-SLS Technology
Employed for the most demanding applications, including SIL1-4 or AK1-7, and is available as a solid-state system. ProSafe-SLS has eliminated all known sources of unsafe failures by introducing an inherent self-test. This ProSafe-SLS technology is described in separate Yokogawa documentation.


The names of the generic SIS configurations: 1oo1, 1oo2, 2oo2, 2oo3, 1oo1D, 1oo2D are
assigned to these architectures by the IEC 61508 standard.

Modular Design
The ProSafe-PLC system consists of a series of plug-in modules, each dedicated to a particular task. The two categories of ProSafe-PLC modules are control modules and I/O modules.
Control modules execute any combination of four distinct control languages (function block, ladder logic, sequential function chart or structured text), while a series of I/O modules act as an interface between the control module and field termination signals. A wide range of safety critical discrete, high-level analog, low-level analog and non-critical discrete type modules are available.
ProSafe-PLC's architecture brings these safety system elements together in a scalable and flexible manner. The modular controller hardware and operator interface options allow the system to start very small and grow incrementally at minimal cost. Expansion or new technology can be accommodated by simply adding modules.
A ProSafe-PLC system is created for a particular application by simply selecting functionality as individual modules and populating a module rack such as the ten-slot MODULRACK shown in Figure 2.
When a module is plugged into a module rack, a connector on the back of the module engages with a receptacle on the module rack backplane. This connection provides the physical communication and power path. When the system is on-line, communication takes effect as soon as the module is inserted. This hot insert feature allows on-line replacement of modules, minimizing process down-time for system
In addition, all slots in a module rack are identical. This allows any module to be plugged into any slot, providing maximum flexibility in initial system design and future expansion. It also allows the use of a single rack version across all applications, which reduces installation costs and simplifies maintenance.
Figure 2

The ProSafe-PLC system has two communication buses that modules use to share process and system
information: MODULE-BUS (M-BUS) and I/O-BUS. M-BUS is used for communication between control
modules and ProSafe-COM. I/O-BUS is used by I/O modules and their master control module. The
relationship between these buses is shown in Figure 3.

Figure 3: MODULE-BUS and I/O-BUS Structure (control module, boundary of the safety critical system, I/O modules)

M-BUS implements deterministic token-passing techniques in module-to-module communication. It is a redundant communication bus with a data transmission rate of 5 Mbps. These characteristics provide high-speed, secure communication for control functions.
A local M-BUS supports up to 32 modules. M-BUS can be expanded from a local bus to a multiple-area network via the M-BUS Expander Module (MBX). This module provides a path for M-BUS communications over a standard carrier band IEEE 802.4 network called MODULE-NET (M-NET). M-NET is identical to M-BUS in that it is redundant, uses deterministic token-passing communication, and operates at 5 Mbps.
ProSafe-PLC control modules provide a secure area for reading and writing of process variables to M-BUS. A firewall protection system prevents M-BUS from affecting the safety critical control functions. Note that "secure" in this context refers to deterministic, redundant delivery: this document describes no authentication or encryption of M-BUS or M-NET traffic, so the firewall between the M-BUS variable area and the safety critical logic is the boundary that keeps supervisory writes away from the safety function.
An I/O-BUS provides a control module with dedicated, secure access to I/O points, which are terminated at I/O modules. I/O-BUS is a redundant bus that has a data transmission rate of 1 Mbps. The media access method is master/slave, and the electrical specification is RS-485 (EIA/TIA-485).
One control module (the master) and 39 slave I/O modules can be distributed locally or remotely on an I/O-BUS. The remote capabilities include using extension cables and fibre optic repeaters. The fibre optic option supports star configurations for the most cost-effective distribution of I/O modules.

Guarded Outputs
Like special-purpose electromechanical relays, ProSafe-PLC minimizes the chance of an energized failure. Output modules use a combination of extensive on-line diagnostics and internal diagnostic cut-off relays to automatically protect against energized output failures. Figure 4 contains a block diagram of the standard ProSafe-PLC architecture. Output energy flows through two switches in series to the load. A solid-state switch provides the normal control module output. A relay, controlled by the built-in diagnostics, supplies the second switch through a set of normally open contacts. If a dangerous failure is detected within the output channel, the relay contacts are opened. This action de-energizes the output, ensuring the output fails safely.
ProSafe-PLC Guarded Outputs ensure that no single component failure can prevent a mandatory trip.

Figure 4: Standard ProSafe-PLC Architecture
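The voting behaviour compared earlier (1oo1, 2oo2, 2oo3, 1oo1D and 1oo2D) and the guarded output just described, as an added Python model that is not part of this Yokogawa document: each channel owns one output switch, the D architectures put a diagnostic cut-off relay in series with it, and the model reports whether a trip demand still reaches the field, or whether a single switch failure trips the process spuriously, under each architecture. The channel behaviour, fault names and scenarios are assumptions chosen for illustration; the model evaluates voting logic only and computes no PFD or false trip rate figures.

```python
"""Toy model of the SIS voting architectures compared in the text.

Each channel owns one output switch.  For a given process demand and a
given output-switch fault the model asks: does the final output end up
energized or de-energized, and is that outcome safe, a spurious trip, or
dangerous?  Illustration of the voting logic only; no PFD/FTR figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Faults injected into a channel's output switch.  "detected" models the
# channel's own diagnostics (e.g. output read-back) having noticed it.
STUCK_ENERGIZED = "stuck_energized"      # dangerous: switch cannot open
STUCK_DEENERGIZED = "stuck_deenergized"  # safe: switch opened on its own


@dataclass
class Channel:
    demand_energize: bool            # what this channel's logic wants
    fault: Optional[str] = None
    detected: bool = False           # self-diagnostic has flagged the fault

    @property
    def switch(self) -> bool:
        """Actual state of the channel's primary (solid-state) switch."""
        if self.fault == STUCK_ENERGIZED:
            return True
        if self.fault == STUCK_DEENERGIZED:
            return False
        return self.demand_energize

    @property
    def guarded(self) -> bool:
        """Primary switch in series with the diagnostic cut-off relay.

        The relay opens as soon as the diagnostics flag a fault, so a
        detected stuck-energized switch can still be de-energized."""
        return self.switch and not self.detected


CHANNELS = {"1oo1": 1, "2oo2": 2, "2oo3": 3, "1oo1D": 1, "1oo2D": 2}


def vote(arch: str, chs: List[Channel]) -> bool:
    """Return True if the final output to the field is energized."""
    if arch == "1oo1":                        # single path, no guarding
        return chs[0].switch
    if arch == "2oo2":                        # switches in series: any
        return all(c.switch for c in chs)     # single trip de-energizes
    if arch == "2oo3":                        # majority of three switches
        return sum(c.switch for c in chs) >= 2
    if arch == "1oo1D":                       # one guarded output
        return chs[0].guarded
    if arch == "1oo2D":
        healthy = [c for c in chs if not c.detected]
        if len(healthy) == 2 and healthy[0].demand_energize != healthy[1].demand_energize:
            return False                      # undiagnosed discrepancy: trip
        # Guarded paths in parallel: a channel isolated by its diagnostics
        # drops out and the surviving channel keeps the output (1oo1D mode).
        return any(c.guarded for c in chs)
    raise ValueError(arch)


def classify(energized: bool, trip_demanded: bool) -> str:
    if trip_demanded:
        return "safe" if not energized else "DANGEROUS"
    return "normal" if energized else "spurious_trip"


def run(arch: str, trip_demanded: bool,
        faults: Tuple[Tuple[int, str, bool], ...] = ()) -> str:
    """Build the channels for arch, inject faults, classify the outcome."""
    chs = [Channel(demand_energize=not trip_demanded)
           for _ in range(CHANNELS[arch])]
    for idx, fault, detected in faults:
        chs[idx].fault, chs[idx].detected = fault, detected
    return classify(vote(arch, chs), trip_demanded)


# Constructed scenarios: (trip demanded?, injected faults)
SCENARIOS = {
    "trip, one switch stuck energized, undetected": (True, ((0, STUCK_ENERGIZED, False),)),
    "trip, one switch stuck energized, detected":   (True, ((0, STUCK_ENERGIZED, True),)),
    "no trip, one switch fails de-energized":       (False, ((0, STUCK_DEENERGIZED, False),)),
    "trip, two switches stuck energized (common cause)":
        (True, ((0, STUCK_ENERGIZED, False), (1, STUCK_ENERGIZED, False))),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Outcome of every scenario under every architecture."""
    table: Dict[str, Dict[str, str]] = {}
    for arch in CHANNELS:
        table[arch] = {}
        for name, (demand, faults) in SCENARIOS.items():
            if any(i >= CHANNELS[arch] for i, _, _ in faults):
                continue                      # scenario needs more channels
            table[arch][name] = run(arch, demand, faults)
    return table


if __name__ == "__main__":
    for arch, rows in compare().items():
        print(arch)
        for name, outcome in rows.items():
            print(f"  {name:52s} {outcome}")
```

Running the block prints the outcome table. The point to take from it: 2oo2 and 1oo1D trip on any safe failure, 2oo3 and 1oo2D ride through it, and an architecture with a "D" only converts a dangerous failure into a safe trip when the diagnostics actually detect it, which is why diagnostic coverage rather than switch count decides the safety performance of the 1oo2D design. Common-cause failure of two switches defeats 2oo3 and 1oo2D alike, the case the diversity argument in the text addresses.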

While the first priority of a critical control system is safety, the system must also maintain high system availability to avoid unnecessary shutdowns. ProSafe-PLC achieves high availability through extensive redundancy options that range from internal standard redundancy features, to redundancy of a single control module, through to full quad redundancy.
Standard Redundancy
In its standard form, ProSafe-PLC incorporates a dual architecture and includes redundant communication networks. The bus on which control and communication modules communicate (MODULE-BUS) is a secure, redundant, deterministic network. In addition, I/O modules exchange data with control modules over a dedicated redundant bus (I/O-BUS).
Module-to-Module Redundancy
The least expensive form of redundancy is duplication of a single control module. Making a control module redundant simply consists of inserting a second identical module in a slot adjacent to the first, and connecting the two modules via a redundancy cable (Figure 5). All program synchronization, comparison, and control arbitration logic is embedded in the control module firmware, with no programming required to activate any of the redundancy features.

Figure 5: Module-to-Module Redundancy

Figure 6: ProSafe-PLC 1oo1D Configuration for TÜV AK4 or SIL2

Rack-to-Rack Redundancy
For maximum availability, the ProSafe-PLC architecture features a parallel combination of protected outputs, thus providing four switches for every output (Figure 7). Should the on-line diagnostics detect a failure in one system (input/processor/output), the other system automatically assumes control and the system remains available. The architecture is referred to as 1oo2D, as defined by IEC 61508.
ProSafe-PLC also offers the option of physically separating redundant systems into separate cabinets (Figure 8). This minimizes the system's susceptibility to common causes, such as cabinet temperature or cabinet damage.


Figure 7: ProSafe-PLC 1oo2D Configuration for TÜV AK6 and SIL3 Applications

Figure 8: Rack-to-Rack Redundancy (Rack A and Rack B joined by the redundancy cable)

Power Supply Redundancy

System power (24Vdc) can be supplied by up to three separate sources. All ProSafe-PLC modules connect
to and monitor the triplicate power bus and share power accordingly.

Areas of Application
The ProSafe-PLC system suits all Safety and high availability applications.
Because of the flexible system architecture, the ProSafe-PLC can be configured to fit a variety of requirements for Safety Integrity Levels and availability. Figure 9 shows the Safety Integrity Levels (SIL) by which the systems are rated. The ProSafe-PLC covers the SIL1-3 and AK1-6 classifications.

Figure 9: The coverage of Safety classification by ProSafe-PLC and ProSafe-DSP systems.


The SIL levels are determined by calculation and include the field devices, based on the IEC
61508 standard. The AK classes are a qualitative assessment considering only the Safety
Instrumented System, based on DIN 19250.

Example Systems
ProSafe-PLC's modularity and flexible networking options allow it to form many sizes and types of safety systems. The following are examples of the many systems available.

Safety System
A standard personal computer can be used as the workstation. It can communicate with a rack of control and I/O modules in one of two ways: via a MODULE-BUS Interface (MBI) card or a standard network card. As shown in Figure 10, an MBI card plugs into an expansion slot of a PC and provides a MODULE-BUS connection directly to the module rack. This architecture has the added benefit of a redundant, secure highway between the control module and PC.

Figure 10: Safety System with Local PC using MBI Card (local PC running HMI and ProSafe-PLC SET, connected through an MBI card)

Local Area System
A local area system consists of multiple logic racks and multiple PCs, which are used as operator interfaces and engineering workstations. This type of system is simply an extension of the unit safety system using the same hardware. The added feature is geographic flexibility. Figure 11 shows the extension of Figure 10.
Figure 11: Local Area System with PCs with MBI Cards (PCs running HMI and/or PLC SET, each connected through an MBI card)

Other Applications
The ProSafe-PLC system provides a complete critical safety solution. Built-in provisions for applications such as Sequence of Event Recording (SER) and Data Communication are included.

Sequence of Event Recording

It is a necessity for safeguarding systems to monitor start-up and shutdown procedures in real system time and record these events for later analysis. The Sequence of Event Recorder system provides just that "black box" function, which makes it possible to retrace and analyse the events associated with a particular process situation. As a consequence, it is necessary for the Safety system to interface with other process data handling systems.
Status and event data can be communicated with other data handling systems, such as the ProSafe
Human Machine Interface (HMI) and a Distributed Control System (DCS).
The Sequence of Event Recorder (SER) controls and manages data collected by an I/O module capable of
high speed event gathering, such as CDM and CDO. If two observed points change status 1 millisecond or
greater apart, the I/O module will detect that two separate events have occurred, logging them with distinct
times. This accuracy level provides the ability to detect what happened, what followed, and the context in
which it all occurred. The I/O module then sends the information to the Event Recorder in the Critical
Control Module (CCM) and the Event Recorder stores the information in a user-specified array, which
includes a user-defined description for each string. The array may then be read from the CCM and placed
in a text file in the Operator Interface or PC.
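The event recording just described, as an added Python model that is not the ProSafe-PLC firmware: a high-speed discrete input module reports point states, the recorder turns state changes into events timestamped at 1 ms resolution, stores them in a fixed-size array with the user-defined description of each point, and exports the array as text. The point numbers, tag descriptions, array size and the ESD trip samples are constructed for the example; the rule that changes 1 ms or more apart get distinct times, and the "first-out" reading of the log, are what it illustrates.

```python
"""Sequence of Event Recorder (SER) model with 1 ms event resolution.

Changes 1 ms or more apart are logged as distinct events with distinct
times; changes closer than that share a timestamp and their order is not
recoverable from the log, which matters when the log is the "black box"
a post-incident analysis relies on.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESOLUTION_US = 1000  # 1 ms event timing resolution of the I/O module


@dataclass(frozen=True)
class Event:
    tick_ms: int        # timestamp quantized to the 1 ms resolution
    point: int          # point number on the I/O module
    state: bool         # new state of the point
    description: str    # user-defined description stored with the event


class EventRecorder:
    def __init__(self, descriptions: Dict[int, str], capacity: int = 256):
        self.descriptions = descriptions     # user-defined text per point
        self.capacity = capacity             # size of the event array
        self.events: List[Event] = []        # the event array
        self.overflowed = False              # set when an event was lost
        self._last: Dict[int, bool] = {}     # last known state per point

    def scan(self, samples: List[Tuple[int, int, bool]]) -> int:
        """Feed raw (time_us, point, state) samples; return events appended.

        The first sample of a point only establishes its baseline state.
        Later samples create an event only when the state actually changes,
        so a point reported repeatedly in the same state adds nothing."""
        added = 0
        for time_us, point, state in sorted(samples):
            previous = self._last.get(point)
            self._last[point] = state
            if previous is None or previous == state:
                continue
            if len(self.events) >= self.capacity:
                self.overflowed = True       # array full: the event is lost
                continue
            self.events.append(Event(time_us // RESOLUTION_US, point, state,
                                     self.descriptions.get(point, f"point {point}")))
            added += 1
        return added

    def first_out(self) -> Optional[Event]:
        """Earliest recorded event: where a post-trip analysis starts."""
        return self.events[0] if self.events else None

    def unordered_pairs(self) -> List[Tuple[Event, Event]]:
        """Consecutive events in the same 1 ms tick; their order is unknown."""
        return [(a, b) for a, b in zip(self.events, self.events[1:])
                if a.tick_ms == b.tick_ms]

    def to_text(self) -> str:
        """Render the array as the text file read into the operator PC."""
        lines = ["tick_ms  point  state  description"]
        for e in self.events:
            lines.append(f"{e.tick_ms:7d}  {e.point:5d}  {'ON ' if e.state else 'OFF'}    {e.description}")
        if self.overflowed:
            lines.append("# event array overflowed: later events were lost")
        return "\n".join(lines)


def demo() -> EventRecorder:
    """Constructed ESD trip scenario (sample data, not from a real plant)."""
    rec = EventRecorder({1: "GD-101 gas detector high",
                         2: "XV-201 ESD valve close command",
                         3: "XV-201 closed limit switch",
                         4: "K-301 compressor running"})
    rec.scan([(0, 1, False), (0, 2, False), (0, 3, False), (0, 4, True)])  # baseline
    rec.scan([
        (1_000_200, 1, True),    # gas alarm at 1000.2 ms
        (1_000_700, 2, True),    # close command 0.5 ms later: same tick
        (1_002_900, 4, False),   # compressor stopped at 1002.9 ms
        (1_003_600, 3, True),    # valve reports closed at 1003.6 ms
        (1_004_000, 1, True),    # gas alarm still on: no new event
    ])
    return rec


if __name__ == "__main__":
    print(demo().to_text())
```

Running the block prints the four-event log of the constructed trip. The gas alarm and the close command land in the same 1 ms tick, so the recorder lists them as an unordered pair rather than claiming a sequence it cannot know, and the array-full case is recorded as an overflow marker in the export instead of silently dropping the tail of the record.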

Data Communication
ProSafe-COM handles the data communication between the ProSafe safety system and various external
systems, like CENTUM CS3000 or other supervisory systems.
The data communication can be:

- from the ProSafe safety system to ProSafe-COM, and further up to supervisory systems
- from supervisory systems down to ProSafe-COM, and further down to the ProSafe safety system

The downward path is the one that crosses the boundary of the safety critical system; it is subject to the firewall between the M-BUS variable area and the safety critical logic described under MODULE-BUS and I/O-BUS Structure.

The basic function of ProSafe-COM is communication. In addition to this, ProSafe-COM can store events
and perform logical operations.
The engineering and maintenance tool for ProSafe-COM is the ProSafe-COM System Engineering Tool
(SET). During commissioning, test and maintenance ProSafe-COM SET is a powerful tool. ProSafe-COM
SET can be used for remote inspection and troubleshooting. Especially when long distances need to be
covered this can be very useful.
ProSafe-COM comes in a DOS version (MODCOM) and a Windows NT version (MULCOM). MODCOM will
connect to a serial port of a ProSafe-PLC controller module. MULCOM will connect to either the M-BUS or
M-NET of the ProSafe-PLC system.
Further information is available in the ProSafe-COM documentation.


Specifications

MODULE-BUS (M-BUS)
  Max. Length Across Rack:   18.3 m (60 ft.)
  Module Rack Capacity:      (value missing)
  Module Capacity:           32 modules per local M-BUS (see MODULE-BUS and I/O-BUS Structure)
  Electrical Specification:  Unmodulated IEEE 802.4
  Transmission Rate:         5 Mbps

MBI Networks (between PCs)
  Max. Length:               167 m (550 ft.)
  No. of PCs:                (value missing)
  Electrical Specification:  Unmodulated IEEE 802.4
  Cable Types:               MBI Cable: 4 & 15 m lengths; Extension Cable: 50 & 150 m lengths

I/O-BUS
  Max. Length:               91.4 m (300 ft.) standard; 457.2 m (1500 ft.) extended; 2286 m (7500 ft.) fibre optic segments to allow star configurations. Each segment can have additional (nested) segments.
  Module Rack Capacity:      (value missing)
  Module Capacity:           one master control module and 39 slave I/O modules (see MODULE-BUS and I/O-BUS Structure)
  Electrical Specification:  RS-485 (EIA/TIA-485), master/slave
  Transmission Rate:         1 Mbps

MODULE-NET (M-NET)
  Max. Length:               Up to 909.6 m (3000 ft.) without repeaters [Depends on the number of drops and drop cable lengths. Refer to the Instruction Manual]
  Electrical Specification:  IEEE 802.4, redundant carrier band
  Transmission Rate:         5 Mbps

Workstation Network
  Electrical Specification:  Ethernet, Token Ring, etc.
  Transmission Rate:         Ethernet: 10 Mbps; Token Ring: 16 or 4 Mbps, depending on cable selection
  Physical Cabling:          ProSafe-COM provides a standard AUI connection to support all types of Ethernet physical cabling. Others are media-dependent.
