
Doc. Title: SIS Hardware Functional Design Specification Page 1 of 105


Doc. No.<PJT Document No.> Doc. Rev <Document Rev.>

<Name of Project>
Project No. <Project No>

=== This area is space for EPC or End-User Logo (if desired) ===

<Name of End User>


<Location of End User>

<Name of YOKOGAWA Affiliate>


<Location of YOKOGAWA Affiliate>

Yokogawa Main Automation Contractor Toolkits


GES_C0201_01

DOCUMENT TITLE:

SIS Hardware Functional Design Specification


PO Number Purchaser:
<PO Number> <Name of EPC Contractor>
Yokogawa Document Number: Purchaser Document Number:
<PJT Document No.> <EPC Document No.>

REV DATE DESCRIPTION ORIG CHK APPR
A dd-mmm-yyyy Issued for Approval ENG LE PM

Note: All items highlighted in green need to be updated prior to submission.

Confidentiality Notice: This document and the information contained herein shall not be copied or used for other than the purposes for
which it is or has been provided or disclosed in any form or medium to third parties, except as expressly permitted by Yokogawa.

=============== Start of pure Yokogawa internal use section ================


The statements from “Start of pure Yokogawa internal use section” to “End of pure Yokogawa
internal use section” are for Yokogawa internal use only. They must be removed if this document is
submitted to customers.
Notes on using this document:
1. When this document is used as the basis for an actual project deliverable (subject to
submission to customers), all internal contents shall be removed. Internal contents are
highlighted in yellow color or quoted as “pure Yokogawa internal use section”.
2. Red Italic text is meant as a suggestion and shall either be replaced by final black text or
deleted !!!
3. Blue Italic text is meant as an instruction and shall be deleted !!!
=============== End of pure Yokogawa internal use section ================

Copyright © Yokogawa Electric Corporation Reference: GES_C0201_01 Rev. 4.01.00



REVISION DETAILS

Revision History of this Project Document


Rev. Date (MM/DD/YY) Section Description
Rn.nn.nn MM/DD/YY xxxxx Describe major revision topics

The deliverable document will carry the GES reference (including revision) for easier tracking of GES utilization.




Table of Contents
1 Introduction..................................................................................................................... 7
1.1 General...................................................................................................................... 7
1.2 Purpose and Scope of This Document.......................................................................7
1.3 Abbreviations and Definitions.....................................................................................8
1.3.1 Abbreviation.........................................................................................................8
1.3.2 Definitions.......................................................................................................... 10
1.4 Project Design References and Standards...............................................................12
1.4.1 Project Specifications Documents......................................................................12
1.4.2 Customer Reference Documents.......................................................................12
1.4.3 Yokogawa GES Template Documents...............................................................12
1.4.4 Other Yokogawa Documents.............................................................................12
1.4.5 Applicable Codes and Standards.......................................................................13
1.5 Order of Precedence................................................................................................14
1.5.1 Conflicting Requirements...................................................................................14
2 System Description......................................................................................................15
2.1 Plant Shutdown and Depressurizing overview..........................................................15
2.2 Safety System objective...........................................................................................15
2.3 System Overview.....................................................................................................16
2.4 Basis of Design........................................................................................................ 16
2.5 General Design Constraints.....................................................................................18
2.6 SIS Functional requirements....................................................................................18
2.7 Safety Instrumented Functions and SIL....................................................................18
2.8 System availability....................................................................................................18
2.9 General Design Requirements.................................................................................19
2.9.1 SIS Equipment and Location..............................................................................19
2.9.2 Electrical Power Supply Requirements..............................................................19
2.9.3 Electromagnetic Compatibility Requirements.....................................................20
2.9.4 Installation Environment and Power Supply Specification for ProSafe-RS.........21
2.9.5 Hardware and I/O Segregation..........................................................................22
2.9.6 Operating Plant Area Segregation.....................................................................22
2.9.7 Process Unit Segregation..................................................................................22
2.9.8 Controller Segregation.......................................................................................22
2.9.9 I/O Segregation..................................................................................................23
2.9.10 Segregation of Safety IOs and Non-Safety IOs..............................................23




2.9.11 Inter Trip Philosophy.......................................................................................24


2.9.12 Equipment Naming Philosophy.......................................................................24
2.10 System Sizing and Spare Capacity.......................................................................25
2.10.1 System Sizing.................................................................................................25
2.10.2 Installed Spare and Spare Space...................................................................26
3 System Description and Operation.............................................................................27
3.1 ProSafe-RS System Overview.................................................................................27
3.1.1 Components of ProSafe-RS system..................................................................27
3.1.2 Vnet/IP Real Time Control Network...................................................................28
3.2 Hardware Fault Tolerance and Diagnostics..............................................................30
3.2.1 Fault Tolerance..................................................................................................30
3.2.2 Line Monitoring Diagnostics...............................................................................34
3.2.3 Common Failure Cause Avoidance...................................................................37
3.3 System Behavior in case of Failure..........................................................................39
3.3.1 IO Channel Error................................................................................................39
3.3.2 Module Error......................................................................................................50
3.3.3 Calculation Error................................................................................................56
3.3.4 Safety Communication Error..............................................................................57
3.4 System Description..................................................................................................59
3.4.1 System Reaction (Response) Time of SCS.......................................................59
3.4.2 SCS Scan Time Overview.................................................................................59
3.4.3 ProSafe-RS SCS Operating Mode.....................................................................59
3.4.4 SCS Security Level............................................................................................61
3.5 Maintenance Override Function...............................................................................64
3.6 Hart Communication and Partial Stroke Test............................................................65
3.7 Sequence of Events (SOE)......................................................................................67
3.7.1 SOE OPC Interface............................................................................................68
3.8 Safety and Interference Free Communication..........................................................69
3.9 System Interface......................................................................................................72
3.9.1 Integration with Centum VP...............................................................................72
3.9.2 CCR Operator Console Interface.......................................................................72
3.9.3 Interface with other systems..............................................................................73
3.10 Time Synchronisation............................................................................................74
3.11 System Power-on Start (Black start).....................................................................76
4 SIS Hardware specifications........................................................................................77
4.1 Safety Control Station..............................................................................................77




4.1.1 Safety Control Unit (CPU Node)........................................................................77


4.1.2 Safety Node Unit (I/O Node)..............................................................................78
4.1.3 Processor Module..............................................................................................79
4.1.4 Power Supply Modules......................................................................................81
4.1.5 ESB Bus Coupler module..................................................................................82
4.1.6 ESB Bus Interface Module.................................................................................82
4.1.7 Optical ESB Bus Repeater Module (for Remote Node)......................................84
4.1.8 ESB Bus Cable..................................................................................................84
4.1.9 Modbus Communication Module........................................................................85
4.2 Input and Output Modules........................................................................................86
4.2.1 SIS Analog Input Design....................................................................................87
4.2.2 Analog Output Design........................................................................................88
4.2.3 SIS Digital Input Design.....................................................................................88
4.2.4 Discrete Output Design......................................................................................89
4.2.5 Accidental Insertion of Module Type..................................................................91
4.3 Safety Engineering Station (SENG)..........................................................................91
4.3.1 Safety Engineering PC.......................................................................................91
4.3.2 Control Bus Interface Card (Vnet/IP)..................................................................93
4.4 Cabinet Description..................................................................................................94
4.4.1 System Cabinet.................................................................................................94
4.4.2 Marshalling Cabinet...........................................................................................94
4.4.3 Field Power Supply............................................................................................95
4.4.4 Earth Leakage Detection...................................................................................96
4.5 Grounding................................................................................................................ 96
4.6 I/O Interface Components Description......................................................................98
4.6.1 Surge Protection Device....................................................................................98
4.6.2 Barriers / Galvanic Isolators...............................................................................98
4.6.3 Signal Splitters...................................................................................................98
4.6.4 Interposing Relay...............................................................................................99
4.7 Components Description........................................................................................100
4.7.1 Terminal Boards...............................................................................................100
4.7.2 I/O System Cables...........................................................................................100
5 System Security.......................................................................................................... 101
5.1 Necessity for Security.............................................................................................101
5.1.1 Security Control measures...............................................................................101
6 Appendices................................................................................................................. 102




6.1 3rd Party Material Selection – Compliance Check Sheets.......................................102

1 Introduction
1.1 General
This section includes (but is not limited to) an introduction to the project: project background, end
user, consultant for the project, and project location / country.

1.2 Purpose and Scope of This Document


The purpose of this document is to provide the hardware design basis of the Instrumented Protective
System (IPS)/Safety Instrumented System (SIS)/Emergency Shutdown System (ESD) { use
appropriate terms as per project } for the xxxx project, realized using the Yokogawa ProSafe-RS
system.
The contents of this document are limited to the scope of SIS/ESD/IPS systems design and
their safety aspects.
This Function Design Specification (FDS) covers the conceptual system design of:
 SIS Functional Requirements
 SIS System Description and Operation
 SIS Hardware Specification
 SIS Functional Safety (MAC context)
This SIS Hardware FDS shall be read in conjunction with the SIS Software FDS (Document No:
xxxx).
This document shall be further updated at the start of the execute phase to confirm the final design for
CONTRACTOR.
This document shall be maintained by the Vendor as a regularly updated "working document" and
shall only be submitted to the Purchaser for review subsequent to the initial "design freeze" or after
major modifications to design or requirements. An as-built update shall be issued to the Purchaser
after completion of the Factory Acceptance Test (FAT).




1.3 Abbreviations and Definitions

1.3.1 Abbreviation
To be updated as per project requirements.

Abbreviation Description
AIO Analog Input and Output
AMO Automatic Maintenance Override
ANN Annunciator
BPCS Basic Process Control System
CAMS Consolidated Alarm Management System
CCR Central Control Room
CERR Computation error
CPU Central Processing Unit
CTRL Control
DCS Distributed Control System
DINT Double Integer
DIO Digital Input and Output
DIP Dual In-line Package
DTS De-energise to Safe
EDP Emergency Depressurisation
EDV Emergency Depressurization Valve
ENG Engineering
EPC Engineering Procurement Construction
ESB Extended Serial Bus
ESD Emergency Shutdown System
ETS Energise to Safe
FAR Field Auxiliary Room
FAT Factory Acceptance Test
FBD Function Block Diagram
FCS Field Control Station
FDS Functional Design Specification
FER Field Equipment Room
FGS Fire & Gas System
FIFO First-in First out
FLT Fault



FUP First-up
GES Global Engineering Standard
HART Highway Addressable Remote Transducer
HDD Hard disk drive
HIPPS High Integrity Pressure Protection System
HIS Human Interface Station
HMI Human Machine Interface
HRDY Hard-ready
ICSS Integrated Control & Safety System
IEC International Electrotechnical Commission
IER Instrument Equipment Room
IODB Input Output Data Base
IOP Input High/Low limit error occurred
IPS Instrumented Protective System
LAN Local Area Network
LCL Local
LCR Local Control Room
LED Light Emitting Diode
MAC Main Automation Contractor
MCB Main Control
MCR Main Control Room
MOS Maintenance override switch
MPU Microprocessor Unit
MTRP Manual Trip
MTTR Mean Time to Restoration
NAMUR User Association of Automation Technology in Process Industries (Germany)
NDE Normally De-energised
OOP Output Channel Status-Open circuit/Short circuit
OOS Operational override switch
OOW Operational override warning
OPC Open Platform Communications
OVR Override
PID Proportional Integral Derivative



POU Program organization unit
PRM Plant Resource Manager (IAMS)
PSD Plant Shutdown System
PST Partial Stroke Test
PSU Power Supply Unit
RDY Ready
RST Reset
SAT Site Acceptance Test
SCS Safety Control Station
SCU Safety Control Unit
SENG Safety Engineering Station
SER Sequence of Events Record
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
SOE Sequence of Events
SOER Sequence of Events Record
SRS Safety Requirement Specification
STAT Status
STBY Standby
SUO Start-up override
SVP Safety Validation Plan
SYS System
TRANS Transmitter Higher/Lower limit error
TÜV Technischer Überwachungsverein (German: Technical Monitoring Association)
UDFB User Defined Function Block
UPS Uninterruptible Power Supply
USB Universal Serial Bus
VOT Voting
Table 1-1 Abbreviations

1.3.2 Definitions
Company/Owner/End User :
Project :




Contractor : Engineering, Procurement & Construction (EPC)


Main Automation Contractor (MAC) : Yokogawa.




1.4 Project Design References and Standards


The reference lists for this document are given below.

1.4.1 Project Specifications Documents


List the project-specific design input documents received from the EPC/Contractor.

S.No Document Title Document Number Rev.No

Table 1-2 Project Specific Documents

1.4.2 Customer Reference Documents


List the project-specific Customer reference documents received from the End User (if any).

S.No Document Title Document Number Rev.No

Table 1-3 Customer Reference Documents

1.4.3 Yokogawa GES Template Documents


S.No Document Title Document Number Rev No
[1] SIS Hardware Functional Design Specification GES_C0201_01 4.00.00
Table 1-4 Yokogawa GES Documents

1.4.4 Other Yokogawa Documents


List the IM, GS and TI documents applicable for the project.

S.No Document Title Document Number / Rev No.
Instruction Manuals (IM):
[1] Safety Manual IM 32Q01S10-31E(4)
[2] Engineering Guide IM 32Q01C10-31E(4)
[3] Safety Control Station IM 32Q03B10-31E(4)
[4] Engineering Reference IM 32Q04B10-31E(4)
[5] ProSafe-RS System Test Reference IM 32Q04B30-31E(4)
[6] Open Interfaces IM 32Q05B10-31E(4)
[7] Integration with CENTUM VP/CS 3000 IM 32Q01E10-31E(4)
[8] ProSafe-RS Security Guide IM 32Q01C70-31E(4)
[9] License Management IM 32Q01C60-31E(4)
[10] ProSafe-RS Vnet/IP IM 32Q56H10-31E(4)
[11] Safety Control Stations (Hardware) IM 32Q06C10-31E(4)




General Specification (GS):


[1] ProSafe-RS Safety Instrumented System Overview (for Vnet/IP) GS 32Q01B10-31E(12)
[2] Models SSC60S, SSC60D Safety Control Units / Duplexed Safety Control Units (for Vnet/IP, Rack Mountable Type) GS 32Q06D10-31E(5)
[3] SNB10D Safety Node Unit (Rack Mountable Type) GS 32Q06K10-31E(3)
[4] ProSafe-RS Outline of I/O Modules (for FIO) GS 32P06K60-01EN(1)
[5] Analog I/O Modules (for FIO) GS 32Q06K30-31E(9)
[6] Digital I/O Modules (for FIO) GS 32Q06K40-31E(7)
[7] ESB Bus Coupler Module (for 2-Port) GS 32Q06L10-31E(3)
[8] Terminal Boards/Relay Boards (for ProSafe-RS) GS 32Q06L20-31E(6)

Technical Instruction (TI):


[1] Safety Instrumented System ProSafe-RS System Overview TI 32R01B10-01E(7)
[2] ProSafe-RS Installation Guidance TI 32S01J10-01E(22)
[3] Security Standard of System Product TI 33Y01B30-01E(5)
Table 1-5 Other Yokogawa Documents
List the project-related deliverables.

S.No Document Title Document Number Rev No
[1] Bill of Materials
[2] SIS Hardware Functional Design Specification
[3] SIS Software Functional Design Specification

Table 1-6 Project Deliverable Documents

1.4.5 Applicable Codes and Standards


List the applicable codes and standards from the project specification documents.




1.5 Order of Precedence


The approved MAC document deliverables are developed based on the requirements listed below, in
the order of priority shown, and shall be the reference documents for all further engineering,
manufacturing, FAT and SAT:
 International and local statutory regulations.
 End User technical standards.
 Project specifications.
 Referenced national and international codes.
List the order of precedence based on the project requirements.

1.5.1 Conflicting Requirements


Areas of apparent conflict between documents shall be brought to the attention of the End User for
resolution.
In the event of a conflict between project specification, this document and a relevant law or
regulation, the relevant law or regulation shall be followed. If the document creates a higher
obligation, it shall be followed as long as this also achieves full compliance with the law or
regulation.




2 System Description
2.1 Plant Shutdown and Depressurizing overview
Include a brief description of the ESD shutdown hierarchy based on the Project Specifications.

2.2 Safety System objective


The objective is to design a SIS/ESD/IPS to mitigate the risks of hazards in accordance with IEC
61511 and IEC 61508 and to take the process to a predefined safe state when safe operating
boundaries are exceeded.
Through identification of hazards and hazardous events and application of risk reduction methods, a SIS
is designed with the overall purpose of:
 The protection of personnel,
 The protection of the environment, and
 The protection of plant and equipment.

The SIS/ESD/IPS shall support these objectives by:

 Automatically sensing an abnormal operational or equipment condition.
 Reacting automatically to this condition within a specified amount of time by taking the
appropriate actions to bring the installation to a pre-determined safe state, shutting down
and/or isolating the installation and preventing any consequential effects of the abnormal
condition.
 Providing additional manual facilities for the shutdown and/or isolation and blowdown of
sections of the installation.
 Depressurising the unit, either manually by the operator after the relevant section of the
unit has been isolated, or automatically after the detection of a major process upset by the
SIS/ESD/IPS.
 Providing information/data to other systems.
 Providing audible and visual system status information for the operator and/or other personnel
as appropriate.
 Providing sequence of events recording.
 Interfacing to the HMI to provide audible and visual system status information for the operator
and to enable actuation of various switches (such as override switches) in the SIS as
appropriate.
 Preventing unnecessary economic losses by being as robust as possible against spurious
trips.
In addition, the SIS provides Sequence of Events Recording (SOE) for post-event analysis.




2.3 System Overview


The SIS for !Project Name! is realized using the Yokogawa ProSafe-RS system, which is
certified for use in safety applications up to and including SIL 3 (IEC 61508). Refer to the product TÜV
Rheinland certification.
The requirements for the SIS/ESD/IPS have to be considered as part of the overall health, safety and
environmental protection facilities for a plant installation. The fundamental requirements for an
SIS/ESD/IPS are specified in IEC 61508 and IEC 61511. The concepts within these standards are
equally applicable where the consequences include asset or environmental loss.
The SIS/ESD/IPS network configuration and major components are shown in the ICSS system
architecture diagram (Doc no).

The ProSafe-RS systems are used for SIS/ESD/IPS applications for the Project xxxx.

Provide project and plant information, indicate subsystems (connected via Modbus), show MATRIX/MIMIC
panels, and indicate clearly the boundaries of the scope of supply.

The SIS/ESD/IPS I/O and logic solvers are distributed geographically into CCR and FER/FAR/IER.

The Vnet/IP link (redundant) is used for communication between SENG PC, SIS/ESD/IPS, FGS and
DCS.

Refer to the Hardware FDS document [xxxx] for the process segregation.

2.4 Basis of Design


The engineering details for system hardware sizing and application logic design to fulfill the
functional requirements shall be derived from the engineering input documents supplied by the
CONTRACTOR and shall include, at a minimum, the details below.
Hardware Sizing:
 Input/Output list along with field cable schedule (for I/O assignment, marshalling cabling)
 Controller segregation information (process unit grouping, redundant and multi-train
equipment)
 I/O segregation information (voting, online and standby pumps, redundant and train
equipment, depressurizing system)
 Power rating of field devices
 Information on devices requiring external power supply
 Design SIL targets for SIFs
 Field cable sizes & cable run length from FAR to field devices
 Surge protection requirements per I/O
 IS interface requirement per I/O
 Piping and Instrumentation Diagram (P&ID)
Software Configuration:
 Cause and effect Diagram (for application software configuration)
 Boolean logic diagram (for configuration of complex logic which cannot be clearly described
by Cause and Effect diagrams e.g. sequence)
 SIF narratives (for reference)




 Trip set points, trip delay time and hysteresis


 MOS grouping information for MOS permissive key switches
 Start-up override requirements, permissive conditions, timer settings
 SOE, annunciation and first-up requirements
 Safety requirement specifications (SRS) along with SIF/ SIL study report
 Process safety time/SIF response time/proof test interval
 Tag description for proper SOE message and annunciation message configuration
 Valves/ SIS equipment requiring manual operation/manual reset
 Safe failure position for inputs and outputs
 Valve partial stroke test requirement carried out from SIS
 Answerback timing for valve position feedback, pump running contacts etc.




2.5 General Design Constraints


The general design boundaries for this project applicable for the SIS systems are as described in
this section.
 The safety validation planning for the SIS system is as documented in MAC Safety
Validation Plan issued for the project execution phase and shall be considered for overall
safety validation by CONTRACTOR.
 The scan time of the SIS is set to 300 milliseconds. The system controller is
designed such that, during normal operation, no more than 60% of the processing capacity
and/or memory is utilised (installed spare capacity is included in the 60%).
 The system sizing based on CPU loading estimation calculation includes system resources
for 20% installed I/O spares.
 The CONTRACTOR shall ensure field cables are sized adequately for IS/Non IS cable
parameters (L, C, R values) and minimum working voltage & current requirements of field
devices.
 For discrete output signals, the actual per channel load capacity of the DO card is subject to
the cable specification and voltage drops associated with the total cable lengths between the
output card and the specific field devices.
 Appropriate SIL rated input and output interfaces (e.g. Surge protector, Barrier, Signal
Splitter, Interposing Relay) shall be selected.

2.6 SIS Functional Requirements


Include project specific functional requirements here.

2.7 Safety Instrumented Functions and SIL


The requirements for shutdown and/or isolation shall be provided by CONTRACTOR to MAC as engineering input, in the form of Safety Requirement Specifications (SRS) describing each Safety Instrumented Function (SIF) and the associated Safety Integrity Level (SIL) requirement for all plant equipment. This forms the basis of design of the SIS systems.
The SIS/ESD/IPS logic solver is SIL 3 capable. During the detailed design phase of the SIS systems, MAC will carry out PFDavg and availability calculations (limited to equipment within the MAC SIS scope of supply) to support CONTRACTOR's overall SIL verification calculation. These will be included in the MAC 'Safety Validation Plan' document.
The SRS shall specify at least the following parameters:
• Safety Instrumented Functions and target SIL
• Proof test intervals
• Process safety time and SIF response time
• Start-up, shutdown and special operating modes
The logical and functional operation, the functionality of the SIS logic and the auto-sequence functions shall be defined as per the project Cause & Effect diagrams/logic diagrams and SIF narratives.

2.8 System availability


The availability of the SIS (all modules and subsystems considered) is 99.99% or better.
An MTTR of 8 hours is assumed for all SIS components for all self-revealing failures.
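The availability target and the MTTR assumption together fix the mean time between failures that the steady-state availability formula implies. The derivation below is an added illustration, not part of the template, and uses the single-item steady-state model A = MTBF/(MTBF + MTTR) with the two values stated above.

```latex
A = \frac{\mathrm{MTBF}}{\mathrm{MTBF} + \mathrm{MTTR}} \ge 0.9999,
\qquad \mathrm{MTTR} = 8\ \mathrm{h}
\;\Rightarrow\;
\mathrm{MTBF} \ge \frac{A \cdot \mathrm{MTTR}}{1 - A}
= \frac{0.9999 \times 8\ \mathrm{h}}{0.0001}
= 79\,992\ \mathrm{h} \approx 9.1\ \mathrm{years}
```

Equivalently, an unavailability of 1 - A = 10^-4 corresponds to at most 10^-4 × 8760 h ≈ 0.88 h (about 53 minutes) of outage per year for the SIS as a whole, which is the figure the MAC reliability calculation has to demonstrate for the equipment within its scope.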


Refer to the Reliability/Availability Calculations [!SIS FDS Software Doc No.!] for the availability calculations of SIS equipment within the MAC scope of supply.
If that document is used, the availability calculation in the SVP shall be excluded.

2.9 General Design Requirements


The Safety Instrumented System (SIS) design is based on the following principles:
• The plant is designed for a XX year design life.
• The scan time of the SIS logic solver shall be a maximum of 300 msec.
• The SIS shall be fail-safe, normally energized, de-energize to trip. In case of ETS (Energize To Trip), CONTRACTOR shall provide detailed information for the detailed design.
• Proof testing of SIFs will be standardized on a test interval of every X years, or the logic solver will be proof tested every X years, sensors every X years and final elements every X years.
• All relevant safety subsystems and field I/O interface with the SIS through hardwired signals.

2.9.1 SIS Equipment and Location


The SIS equipment such as System Cabinets, Marshalling Cabinets, Safety Engineering Work Stations and Remote Cabinets shall be installed in buildings (i.e. Main Control Building (MCB), Marine Terminal Building (MTB) and Field Auxiliary Room (FAR)) in a controlled environment with the following conditions:
• Temperature: 18 °C to 27 °C normal
• Relative humidity: 35 % to 75 % normal
• Classification for corrosive environment
• Classification for explosion protection: System Cabinets, Marshalling Cabinets, Safety Engineering Work Stations and Remote Cabinets
• Lightning protection
• Add Project EMC Requirements

Add Project Special Requirements (if any):
• ROHS
• GOST
• Add any other special requirements

Add requirements for different locations.

The SIS equipment shall not be installed directly in the field or in open areas.

2.9.2 Electrical Power Supply Requirements


The electrical power distribution to the SIS system is in accordance with the requirements defined in the ICSS Project Specification [!ICSS Project Specification!].
The SIS cabinets shall receive dual segregated XX VAC, XX Hz, single-phase UPS power from two independent sources provided by CONTRACTOR.
A transient power interruption of 20 msec shall have no effect on the equipment or system performance.


Each of the SIS system CPU nodes and I/O nodes receives two independent UPS power feeders via a power distribution arrangement in the power distribution cabinet.
A non-UPS XX VAC, XX Hz supply is used for utility sockets and lighting in cabinets.
• Field power supply

2.9.3 Electromagnetic Compatibility Requirements


The hardware components of ProSafe-RS comply with the EMC conformity standards, EMC Directive EN 61000-6-2 (100-120 VAC, 220-240 VAC and 24 VDC power supply specifications), subject to the conditions stated in the Yokogawa GS and IM.
For proper and stable operation of the ProSafe-RS system, the electric field strength at the equipment location shall be controlled as follows:
• 10 V/m or less (26 MHz to 1.0 GHz)
• 10 V/m or less (1.4 to 2.0 GHz)
• 1 V/m or less (2.0 to 2.7 GHz)
When wireless equipment such as a transceiver is used near this system, the following precautions shall be followed:
• The door of this system should be closed.
• For transceivers/wireless equipment of 10 W or less such as mobile telephones, PHS, wireless telephones or wireless LAN equipment, a distance of 1 m or more should be kept. Attention should be paid to the microwaves radiated from a mobile telephone or PHS even when it is not in use.


2.9.4 Installation Environment and Power Supply Specification for ProSafe-RS


The table below lists the general installation environment and power supply specifications for the ProSafe-RS system.
The following need to be updated for the project requirement.

Parameter: Specification
Temperature (avoid direct sunlight): Normal operation -20 to 40 °C (basic safety standard unit); Transportation/Storage -40 to 85 °C
Humidity: Normal operation 5 to 95 %RH (non-condensing); Transportation/Storage 5 to 95 %RH (non-condensing)
Temperature fluctuation: Normal operation within ±10 °C/h; Transportation/Storage within ±20 °C/h
Power source, voltage range: 100-120 VAC ±10%; 24 V DC ±10% (including ripple)
Power source, frequency: 50/60 ±3 Hz
Power source, distortion factor: 10% or less
Power source, crest factor: for 100 VAC system, 118 VAC or larger
Power source, momentary failure: 20 ms or less (when receiving the rated AC voltage)
Power source, DC power supply ripple rate: 1% P-P maximum
Power source, withstanding voltage: 1500 VAC for 1 minute (for 100-120 V AC), between power and ground terminals
Power source, insulation resistance: 20 MΩ at 500 VDC (between power and ground terminals)
Grounding: 100 Ω or less, independent grounding
Dust: maximum of 0.3 mg/m3
Corrosive gas: ANSI/ISA S71.04 G3 (standard)
Noise, electric field: 10 V/m maximum (80 MHz to 1 GHz)
Noise, static electricity: 4 kV or less (direct discharge), 8 kV or less (aerial discharge)
Vibration, continuous: amplitude 1.75 mm (5 Hz to 9 Hz); acceleration 4.9 m/s2 (9 Hz to 150 Hz)
Vibration, non-continuous: amplitude 3.5 mm (5 Hz to 9 Hz); acceleration 9.8 m/s2 (9 Hz to 150 Hz)
Vibration, seismic: acceleration 4.9 m/s2 (9 Hz to 150 Hz)
Vibration, transportation: horizontal 4.9 m/s2, vertical 9.8 m/s2 (in packed condition)
Impact: 147 m/s2, 11 ms
Altitude: 2000 m above sea level or less


For the installation environment and power supply specification for third-party components, refer to the Buyout Hardware Specification for ProSafe-RS (Doc. No. XXXX) for details.

2.9.5 Hardware and I/O Segregation


2.9.6 Operating Plant Area Segregation
All process operations shall be monitored and controlled from the Central Control Room (CCR), segregated based on Plant Area (PA).
A Plant Area may have a dedicated SIS system housed in the Field Auxiliary Room (FAR).

2.9.7 Process Unit Segregation


The following table shows each FAR and its associated process units. The SIS associated with a FAR will monitor/shut down the associated process units.
The table showing the above details needs to be listed here.

Plant Unit    Unit Description    Controller Name    Domain

2.9.8 Controller Segregation


Dedicated safety controllers (SCS) are provided so that the failure of one controller does not affect the entire plant. In addition, the segregation of controllers is as follows:
• SIS controllers are segregated for each plant group. Details of the process unit segregation shall be provided by CONTRACTOR during the basic design phase.
• A process unit with multiple trains (e.g. Utility) shall have SIS controllers segregated for each train.
• Major process equipment such as boilers, turbines and compressors that are redundant are engineered into separate SIS systems.
• Depending upon the number of inputs and outputs, the above SIS system hardware is combined for small areas for Offsites, Utilities and interconnecting, subject to specific approval by the end user.
• Depending upon the number of inputs and outputs, more than one safety controller may be necessary for a process unit group.
• Based on the FAR/process unit grouping, each SIS controller is provided with dedicated remote I/O node units to connect the SIS console I/Os (e.g. shutdown push buttons, MOS switches and lamps) for the respective groups.
• Remote I/O nodes are separated per SIS controller in the FAR.
• Logical segregation of controllers is done to optimize (minimize) inter-domain communication.
For details refer to the ICSS System Architecture Diagrams [!ICSS SA!].


2.9.9 I/O Segregation


I/O segregation rules are applied to minimize the likelihood that a common failure will impact different operating units or trains of equipment within a process unit.
Segregation also considers maintenance requirements between/within process units and equipment. The following rules are applied:
• I/O cards shall be segregated for each unit. For multiple trains within a unit (e.g. Utility), I/O cards will be further segregated for each train. Details of such segregation shall be provided by CONTRACTOR during the basic design phase.
• Voted trip initiators (e.g. 2oo3 transmitters) shall be wired to separate hardware fault tolerant (redundant) sets of input cards.
• Voted trip outputs to final elements (e.g. 1oo2 valves) shall be wired to separate hardware fault tolerant (redundant) sets of output cards.
• All I/O associated with redundant process equipment (e.g. duty-standby motors or pumps, multiple trains, etc.) shall be located on separate cards, i.e. for motor A and motor B, the I/O for motor A shall be located on different cards from those assigned to motor B, so that the failure of a single I/O card only affects the logic associated with one of them.
• Cards for redundant equipment have to be located in different racks.
• I/O cards belonging to one SIF group (UZ logic) shall be grouped together.
• Where possible, I/O shall be allocated to cards in a way that minimizes the number of devices affected by a card failure. For this purpose, spare channels shall be distributed across all installed cards.
• Open and close limit switches of the same valve shall be located on the same input card.
• I/O segregation shall be considered with a view to minimizing peer-to-peer safety communication as much as possible, to reduce inter-system dependency of SIFs and avoid any impact on SIF response time.
• The I/O of each process unit on the same SIS controller shall be segregated into different racks.
Project specific segregation requirements (e.g. depressurization) need to be explained based on the project requirements.
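The segregation rules above are the kind of constraint that is best checked mechanically against the I/O database before FAT rather than by inspection. The following Python checker is an added example, not part of this template or of any Yokogawa tool; the `Channel` record, the rule codes R1 to R4, and the tag, card and rack names in the two constructed allocations are all assumptions made for illustration. It implements the unit/train, voted-set, redundant-equipment and limit-switch rules; the UZ-grouping and spare-distribution rules are not checked.

```python
"""Checker for the I/O segregation rules of section 2.9.9 (added example, not part
of the FDS template). Tag, card and rack names below are constructed."""
from collections import defaultdict
from itertools import combinations
from typing import NamedTuple


class Channel(NamedTuple):
    tag: str         # field tag (constructed)
    unit: str        # process unit
    train: str       # train within the unit; "" for a single-train unit
    rack: str        # rack (node) holding the card
    card: str        # I/O card the channel is allocated to
    vote_group: str  # voting set id, e.g. the 2oo3 transmitter set; "" if none
    equipment: str   # equipment item, e.g. "P-101A"; "" if not equipment I/O
    pair: str        # redundant pair id, e.g. "P-101"; "" if not redundant
    valve: str       # valve id for open/close limit switches; "" otherwise


def check_allocation(channels):
    """Return a sorted list of violations; an empty list means the allocation passes.

    R1  a card serves one unit (and one train within a multi-train unit)
    R2  members of a voting set are wired to separate cards
    R3  redundant equipment (A/B) uses different cards and different racks
    R4  open and close limit switches of one valve share the same card
    """
    violations = []

    # R1: no card may mix units or trains
    owners = defaultdict(set)
    for ch in channels:
        owners[ch.card].add((ch.unit, ch.train))
    for card, units in owners.items():
        if len(units) > 1:
            violations.append(f"R1 {card}: serves more than one unit/train")

    # R2: voted initiators or final elements must not share a card
    group_cards = defaultdict(list)
    for ch in channels:
        if ch.vote_group:
            group_cards[ch.vote_group].append(ch.card)
    for group, cards in group_cards.items():
        if len(set(cards)) != len(cards):
            violations.append(f"R2 {group}: voted members share a card")

    # R3: for each redundant pair, A and B must not share a card or a rack
    members = defaultdict(lambda: defaultdict(list))
    for ch in channels:
        if ch.pair:
            members[ch.pair][ch.equipment].append(ch)
    for pair, items in members.items():
        for a, b in combinations(sorted(items), 2):
            if {c.card for c in items[a]} & {c.card for c in items[b]}:
                violations.append(f"R3 {pair}: {a} and {b} share a card")
            elif {c.rack for c in items[a]} & {c.rack for c in items[b]}:
                violations.append(f"R3 {pair}: {a} and {b} share a rack")

    # R4: both limit switches of a valve go on one input card
    valve_cards = defaultdict(set)
    for ch in channels:
        if ch.valve:
            valve_cards[ch.valve].add(ch.card)
    for valve, cards in valve_cards.items():
        if len(cards) > 1:
            violations.append(f"R4 {valve}: limit switches split across cards")

    return sorted(violations)


# Constructed allocation for unit U1: a 2oo3 transmitter set PT-101, duty/standby
# pumps P-101A/B and valve XV-101 with open/close limit switches ZSO/ZSC-101.
GOOD_ALLOCATION = [
    Channel("PT-101A", "U1", "", "RACK1", "AI-1", "PT-101", "", "", ""),
    Channel("PT-101B", "U1", "", "RACK1", "AI-2", "PT-101", "", "", ""),
    Channel("PT-101C", "U1", "", "RACK2", "AI-3", "PT-101", "", "", ""),
    Channel("P-101A-RUN", "U1", "", "RACK1", "DI-1", "", "P-101A", "P-101", ""),
    Channel("P-101B-RUN", "U1", "", "RACK2", "DI-2", "", "P-101B", "P-101", ""),
    Channel("ZSO-101", "U1", "", "RACK1", "DI-1", "", "", "", "XV-101"),
    Channel("ZSC-101", "U1", "", "RACK1", "DI-1", "", "", "", "XV-101"),
]

# Same plant with four deliberate mistakes: two voted transmitters on one card,
# pump B moved onto pump A's rack, the valve switches split, and a unit U2 tag
# landed on a U1 card.
BAD_ALLOCATION = [
    Channel("PT-101A", "U1", "", "RACK1", "AI-1", "PT-101", "", "", ""),
    Channel("PT-101B", "U1", "", "RACK1", "AI-1", "PT-101", "", "", ""),
    Channel("PT-101C", "U1", "", "RACK2", "AI-3", "PT-101", "", "", ""),
    Channel("P-101A-RUN", "U1", "", "RACK1", "DI-1", "", "P-101A", "P-101", ""),
    Channel("P-101B-RUN", "U1", "", "RACK1", "DI-3", "", "P-101B", "P-101", ""),
    Channel("ZSO-101", "U1", "", "RACK1", "DI-1", "", "", "", "XV-101"),
    Channel("ZSC-101", "U1", "", "RACK1", "DI-4", "", "", "", "XV-101"),
    Channel("FT-201", "U2", "", "RACK2", "AI-3", "", "", "", ""),
]

if __name__ == "__main__":
    for name, alloc in (("good", GOOD_ALLOCATION), ("bad", BAD_ALLOCATION)):
        print(name, check_allocation(alloc) or "no violations")
```

Each violation string starts with its rule code, so the output can be filtered per rule when the real I/O database (which will be far larger than the constructed one) is run through it; the R3 check reports a shared card before a shared rack because a shared card implies a shared rack.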

2.9.10 Segregation of Safety IOs and Non-Safety IOs


Safety I/Os and non-safety I/Os shall be allocated to different I/O modules.
Project specific segregation requirements for safety I/Os and non-safety I/Os need to be explained based on the project requirements.


2.9.11 Inter Trip Philosophy


ESD signals may need to be transferred between systems in the following cases:
• Some ESD process signals may need to be transferred to another SCS located in a different FAR if the ESD signals of the same process unit are segregated into different SCS.
• Some process unit inter-trip signals may need to be transferred to a different process unit or a different plant located in another FAR as per the shutdown logic requirement.
The following philosophy is used for the inter-trips in the project.

Trip category                          Trip philosophy
SCS to SCS (same domain)               SCS link transmission
SCS to SCS (different domain)          Inter-SCS communication
SCS to FCS (same/different domain)     Inter-SCS communication
FCS to SCS (same/different domain)     Hardware I/O (if applicable)
Other system to SCS                    Hardware I/O (if applicable)

The table needs to be updated for project requirements.

2.9.12 Equipment Naming Philosophy


Each item of equipment and each system component used in the project shall have a unique naming ID for easy identification and troubleshooting.
Refer to the Equipment Naming Philosophy (Doc. No. XXXX) for the equipment and system component naming philosophy.


2.10 System Sizing and Spare Capacity


2.10.1 System Sizing
System Resource:
Under normal controller operation, the memory resources utilized shall not exceed 60% of the memory capacity at the time of FAT.
The system sizing based on the CPU loading estimation calculation includes system resources for 20% installed I/O spares.
CPU Idle Time:
The controller is sized to ensure an idle time of 40% at the time of FAT.
The system sizing based on the CPU loading estimation calculation shall include system resources for 20% installed I/O spares.
Note:
• It is assumed that the design I/O data provided by CONTRACTOR at the time of design freeze includes any growth in I/O until FAT.
• The CPU loading estimation calculation is performed with a Yokogawa proprietary tool.
Refer to ESD Software FDS Sec. XX for more details.
System Sizing Guideline:
The system sizing is based on many factors, some of which are listed below:
• Segregation of SCS (e.g. number of nodes)
• SCS scan period (based on the FDS definition)
• I/O quantity per SCS (based on the I/O database)
• Remote I/O quantity per SCS (based on the I/O database)
• Module redundancy (based on the I/O database)
• Installed spare I/O quantity (e.g. 20% shall be considered during CPU load sizing)
• Application program size
• Peer-to-peer communication quantity and communicated data
• Subsystem communication module quantity and communicated data (Modbus read/write data)
• User interface requirements using BPCS integration (e.g. MOS, bypass, faceplates, reset etc.)


2.10.2 Installed Spare and Spare Space


Installed I/O:
Installed spares shall be provided as below:
• In each controller
• For each type of I/O
Installed I/O spares shall be distributed across the installed I/O modules.
The 20% installed spares shall include spare wired I/O points on the cards up to the termination boards.
20% spare terminals shall be provided in the marshalling cabinets for terminating spare cores of the field cables. For field cables specified with surge protection, all unused spare cores shall also be connected to spare surge protectors.
All I/O points shall be prewired to the termination board in the marshalling cabinet using system cables.
All field cable spare cores shall be terminated on the terminals. However, spare I/O channels in the termination board shall not be wired to spare terminals, as it is not possible to determine to which spare terminal a spare channel shall be wired.
Note:
• It is assumed that the design I/O data provided by CONTRACTOR at the time of design freeze includes any growth in I/O until FAT.
• Redundant capacity shall not be considered as spare capacity.
Power Supply Unit:
Power supply units shall have spare capacity to meet the load of the installed spare I/O and of the future I/O that can be installed in each marshalling cabinet. Each power supply shall provide 150% of the ampere capacity requirement.
Engineering Workstation:
The EWS shall have adequate spare resources and software licenses to configure the installed spare I/O and 20% future I/O that can be added, including the logic/control function blocks that may be required.
Wire Ways:
Wire ways in the cabinet shall have 20% spare space for future wiring requirements.
Space for Future Addition:
• 20% spare rack slots shall be available in each controller for adding I/O modules in the future.
• 20% spare space for terminal boards will be used while designing the marshalling cabinets.
• 20% spare installation space will be provided inside the SIS controller cabinets.
• 20% I/O growth for future expansion can be completed with the spare I/O provided, and this spare I/O can be utilised without the need to install new marshalling cabinets.


3 System Description and Operation


Include project specific system overview here.
Refer to ICSS System Architecture Diagrams [!ICSS SA!] for overall project system architecture.

3.1 ProSafe-RS System Overview


3.1.1 Components of ProSafe-RS system
SSC60D is shown below as an example; if the project uses S2SC70D or SSC50D then the context should be changed accordingly.
The SCS consists of a Safety Control Unit (SCU or CPU node) and optionally Safety Node Units (SNU or I/O node). The SCU is the rack housing the ProSafe-RS CPU modules and I/O modules, while the SNU is for installing ProSafe-RS I/O modules only.
The SCU is a 19-inch rack unit consisting of processor modules, power supply modules, ESB bus coupler modules (SEC401 or SEC402), a Vnet/IP connection port and I/O modules. The SNU is a 19-inch rack unit consisting of power supply modules, ESB bus communication modules (SSB401) and I/O modules.
The standard SCS configuration supports 1 SCU and 9 SNUs using the standard ESB bus coupler module SEC401. Using the node expansion package (CFS1350) and the dedicated ESB bus coupler module SEC402, the number of nodes can be increased up to a maximum of 13 SNUs from 10 SNUs. Both SCU and SNU have 12 module slots.
In the SCU, the first two slots are occupied by the power supply modules and the next two slots by the CPU modules. To enable the communication extension from SCU to SNU, SEC401 or SEC402 needs to be installed in the 7th and 8th slots of the SCU. The remaining six slots can be used for I/O module installation in singular configuration.
In the SNU, the first two slots are occupied by the power supply modules and the next two slots by the ESB bus communication (SSB401) modules. The remaining eight slots can be used for I/O module installation in singular configuration.
The standard SCS configuration using SEC401 supports a maximum of 78 I/O modules in singular configuration (6 in the SCU plus 8 in each of 9 SNUs). With the node expansion package using CFS1350 and SEC402, the maximum number of I/O modules is 110 in singular configuration (6 plus 8 in each of 13 SNUs).
The ESB bus is a dual redundant bus used for I/O communication; it connects the SNUs to the SCU of the SCS. The total length of the ESB bus should be less than 10 meters. The ESB bus employs dual redundant transmission channels with a network speed of 128 Mbit/s. The ESB bus can be extended by use of optical transmission as described.


Figure 3-1 - Safety control unit and Safety node units connected

3.1.2 Vnet/IP Real Time Control Network


The control network is based on Yokogawa's robust and highly reliable, fully duplexed Vnet/IP real-time network with quick response.
Vnet/IP forms the network backbone connecting CENTUM VP systems and ProSafe-RS systems and allows data exchange between them in addition to status monitoring on the HIS. Vnet/IP is a fully dual redundant network with control bus 1 and bus 2.

Figure 3-2 - Vnet/IP features

Vnet/IP also allows communication via Ethernet-based standard protocols within a predetermined bandwidth (hereinafter referred to as Open Communications). The Vnet/IP bus 2 can be used for TCP/IP protocol-based communications, such as data access through an Exaopc interface.
A Vnet/IP network uses Category 6 network cables as a minimum.
Specifications on connecting equipment in a Vnet/IP domain:
• Number of Vnet/IP stations: maximum 64 stations
• Other general-purpose Ethernet devices (PCs, routers etc.): maximum 124 devices (bus 2 only)
• Distance between stations in the same domain: maximum 40 km
• Distance between layer 2 switch and station: maximum 100 m (when UTP is used) and maximum 5 km (when optical fiber is used)


• Distance between layer 2 switches: maximum 5 km (when optical fiber is used)
• Number of layer 2 switches between stations in the same domain: maximum 7 units per bus (multiple cascade connection available)
• Network topology: tree formation
• Transmission rate: 1 Gbps for BPCS / 100 Mbps for ProSafe-RS
Vnet/IP Components:
• Vnet/IP is a control bus conforming to the IEEE 802.3 standard. The line speed is 1 Gbps. A Vnet/IP bus has a dual redundant configuration. On its bus 2, control communications and open communications with various Ethernet standard protocols are provided. At the bus 2 side, data access through an Exaopc OPC interface and TCP/IP protocol-based communications can be carried out. For network connection equipment, including repeaters, cables, layer 2 switches, layer 3 switches and the like, commercially available general-purpose products are used. For IP addressing, IPv4 Class C private address space is applied (IPv4 Class B private address space is also applicable).
• Layer 2 switch: a device to connect equipment within a Vnet/IP domain. Unlike a hub, the layer 2 switch incorporates bridge functions to send data to the destination terminal equipment only; it can therefore reduce traffic within its domain. Commercially available equipment can be used as a layer 2 switch.
• Layer 3 switch: used to connect Vnet/IP domains. The layer 3 switch relays a communication frame to another domain using IP address route control, i.e. routing functions. Commercially available equipment can be used as a layer 3 switch.
Control Bus Communications Specification:
• Communication methods: read/write communications, message communications and link transmission
• Link transmission period: 100 msec
Open Communications Specification:
• Open communication is achieved through bus 2. Ethernet-based communication devices are connected to CENTUM system components. Devices on an external network cannot be directly connected to the Vnet/IP, from the viewpoint of security, due to firewall protection.
Transmission Path Specifications:
• Network topology: tree formation
• Transmission path redundancy: indispensable (control bus communications only)
• Transmission rate: 1 Gbps for DCS / 100 Mbps for ProSafe-RS
Control Communications:
Vnet/IP is a redundant network configured with independent redundant control buses, i.e. bus 1 and bus 2. Normally, bus 1 is used for control communications only. Although it is possible to use bus 2 for normal Ethernet communication in a small-scale control system, in Project XXX bus 2 is used for control communication only. For any station with an Ethernet communication requirement, such as an HIS, a dedicated Ethernet card will be installed in the station for this purpose.
Vnet/IP Fault Tolerance and Selection of Transmission Path:
A Vnet/IP communication station determines the path status for a communication destination from its own communication path information and chooses a normal bus to transmit the required information. If the communication paths to the destination are normal on both buses, bus 1 is selected; for control communications, bus 1 is prioritized over bus 2. If a problem occurs in bus 1, bus 2 will be used. When bus 1 recovers, communication is switched back to bus 1 without disturbing the network communication. Bus switching (manual bus switching is not supported) is performed on every path up to the communication destination.
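The path-selection behaviour described above, written out as an added Python example (not Yokogawa code): a station keeps per-hop status for bus 1 and bus 2 on the route to each destination, prefers bus 1, falls back to bus 2 while any hop on bus 1 is faulty, and returns to bus 1 automatically when it recovers. The station name `SCS0101`, the destination `SCS0102`, the three-hop route and the event sequence are constructed for the example.

```python
"""Vnet/IP transmission-path selection as described in section 3.1.2 (added
example, not Yokogawa code). Station names, the route and the events are constructed."""


class VnetIpStation:
    """A station's own view of the redundant control bus (bus 1 and bus 2)."""

    def __init__(self, name):
        self.name = name
        # destination -> list of hops on the route; each hop records whether its
        # bus 1 and bus 2 links are normal (True) or faulty (False)
        self.routes = {}

    def add_route(self, dest, hops):
        self.routes[dest] = [{1: True, 2: True} for _ in range(hops)]

    def set_link(self, dest, hop, bus, normal):
        """Update the station's path information for one hop of one bus."""
        self.routes[dest][hop][bus] = normal

    def bus_usable(self, dest, bus):
        # a bus is usable only if every hop up to the destination is normal on it
        return all(hop[bus] for hop in self.routes[dest])

    def select_bus(self, dest):
        """Return the bus used for the next control message to dest (1, 2 or None)."""
        if self.bus_usable(dest, 1):
            return 1            # bus 1 is prioritised for control communications
        if self.bus_usable(dest, 2):
            return 2            # fall back to bus 2 while bus 1 is faulty
        return None             # both buses faulty: destination unreachable


def replay(events, hops=3):
    """Apply constructed (hop, bus, normal) link events for one destination and
    return the bus chosen before the first event and after each one."""
    station = VnetIpStation("SCS0101")
    station.add_route("SCS0102", hops)
    chosen = [station.select_bus("SCS0102")]
    for hop, bus, normal in events:
        station.set_link("SCS0102", hop, bus, normal)
        chosen.append(station.select_bus("SCS0102"))
    return chosen


# Constructed scenario: bus 1 fails at the first switch, then bus 2 fails at the
# last hop, bus 2 recovers, and finally bus 1 recovers (automatic switch-back).
SCENARIO = [(0, 1, False), (2, 2, False), (2, 2, True), (0, 1, True)]

if __name__ == "__main__":
    print(replay(SCENARIO))   # [1, 2, None, 2, 1]
```

The `None` result in the middle of the scenario is the case a monitoring design has to plan for: with both buses faulty on any hop the destination is unreachable and the receiving SCS falls back on its predefined values for the affected peer-to-peer data, as described under Hardware Fault Tolerance below.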
Update as per project requirements for the equipment connected, open communications and communications on bus 2.


3.2 Hardware Fault Tolerance and Diagnostics


Update as per project requirement on HFT whether single or redundant IOM configuration.

3.2.1 Fault Tolerance


The SIS/ESD/IPS is designed such that a failure of any single component shall not cause a total failure of the entire system.
ProSafe-RS supports a dual-redundant configuration for continuous controllability and operating efficiency. Moreover, with the dual redundant hardware configuration, the continuity of plant safety monitoring is guaranteed.
For project xxx, a redundant configuration shall be implemented for:
• CPU modules
• System power supply for CPU nodes and I/O nodes
• ESB bus
• Analogue and discrete input/output cards
• Vnet/IP communication bus and network switches
• 24 V DC bulk power supply unit for field I/Os
• AC UPS power supply feed arrangement for system and marshalling cabinets
The SIS/ESD/IPS is a dedicated system using the Yokogawa ProSafe-RS Safety Instrumented System, incorporating a redundant architecture which is fault tolerant, fail-safe and fully integrated with the DCS via a redundant, common safety and control bus (Vnet/IP).
The ProSafe-RS CPU and I/O modules have built-in dual processors, dual memory circuitry, and additional circuitry and software for diagnostic purposes. This dual architecture within each module allows the ProSafe-RS system to be certified to SIL 3 in a single (non-redundant) configuration.
The major components in the CPU modules are duplicated and the operation results from the pair are always compared. Detection is by CPU self-diagnostics, which run every scan cycle, and by comparison of results and address/data between the dual MPU processors at every processor command execution.
Each processor in a CPU module performs the same computations and the results are compared after each calculation. If the results agree, the control-side card is healthy and remains in control. If the results do not agree, the card sends an "Abnormal Status" message and the standby card takes over, provided the standby card is normal. The standby processor card also performs concurrently all the calculations that the main processor does. If an abnormal status is detected in the standby CPU module, a system alarm is generated.
In case of a failure of one of the redundantly configured CPU or I/O modules, the system continues to operate without any "degraded" or "crippled" mode, as shown in Figure 3-3. The failed CPU or I/O module can be replaced online. Since ProSafe-RS is SIL 3 capable in single CPU and single I/O module configuration, no MTTR timer is applicable.


Figure 3-3 - Fault Tolerant architecture of the ProSafe-RS


Redundancy on CPU:
In the redundant configuration, one side becomes the control side and the other side becomes the standby side. Switching of the control side is performed by the CPU module and has no influence on the application logic.
The CPU on the standby side performs the same control processing as the control side even while it is in standby status, so it can take over immediately after the control side is switched.
The major components in the CPU module are duplexed, and their operation results are always compared between the two. This enables a fault to be detected in a very short time. The detection of a fault causes a shutdown of the CPU module, and a system alarm is generated which is displayed/captured in a diagnostic message. Accordingly, the output modules detect the communication halt of the CPU module and output the predefined failsafe value for each channel.

Figure 3-4 - CPU Status Shift

CPU status: Description
FAIL (CPU stopped): The CPU is powered, but the software is not running
RDY (CPU initializing status): The system program is being loaded into the main memory in this status
CTRL (Control status): The system program runs inside the CPU and the CPU has the right to access the input/output modules in this status
STBY (Standby status): The system program runs inside the CPU but the CPU does not have the right to access the input/output modules in this status
Table 3-7 - CPU Status for ProSafe-RS
Redundancy on Vnet/IP Communication:
The CPU has a communication interface that supports the redundant V-net/IP connection. The
complete Vnet/IP network including the network switches is redundant.
V-net/IP communication is used to communicate among SCSs within same domain or different
domain. The V-net/IP redundant communication is also used to communicate with HIS or DCS or
SENG.
Redundancy on Power Supply:
Redundant power supply modules are mounted on both CPU nodes and I/O nodes of an SCS. The
SCS monitor the power supply status at the regular intervals and, if an error occurs, it notifies the
fact the user via the status Display window of the SENG and HIS as well as through a diagnostic
information message.
Redundancy on ESB Bus:
An SSB401 is connected to the ESB buses respectively. If an error occurs in an SSB401 on one
side, the error is notified to the user via the diagnostic information message but the SCS still
continues communicate using only ESB bus on other side. If both fail, the error is treated as an ESB
bus failure and the IOs are driven to fail safe state predefined.
Redundancy on SB Bus:
The SB bus is a backboard bus that connects the SSB401 and each input/output module. If an error occurs in the SB bus on one side, the error is notified to the user via a diagnostic information message, but the SCS continues to communicate using the ESB bus connected to the SB bus that is still normal.
Redundancy on I/O Modules:
In a redundant configuration, one side becomes the control side and the other side becomes the standby side. Switching of the control side is performed by the I/O modules and has no influence on the application logic.
Input Module:
Diagnostic tests of input modules are performed by the firmware periodically. When one of the following faults is detected, the status of the input channel changes to ‘bad’ and a predefined fail-safe value (the input value at error occurrence) is transferred to the application logic. This means that faults in input modules, as well as demands (changes in input values), can be handled by the application logic.
• Fault in the common part of an input module
• Fault in an input channel
• Failure in communication between an input module and a CPU module
Output Module:

Diagnostic tests of output modules are performed by the firmware periodically. When one of the following faults is detected, the Output Shutoff Switch is activated to force the output channel to OFF (0).
• Fault in the common part of an output module
• Stuck-at-ON, i.e. the output cannot be turned OFF
• Output current read-back error (analog output module)
In the case of a communication fault between an output module and a CPU module, the fail-safe value for each channel is activated.
Peer-to-Peer Safety Communication:
The receiving SCS can detect failures caused by faults in the SCSs and in the relay devices on the communication path.
When a failure in peer-to-peer safety communication is detected, the predefined value is transferred to the application logic in the receiving SCS.
As per the project specification, failures of safety communication links within the safety systems shall bring any safety-related signals to a fail-safe state.
A time-out of safety communication signals configured between SCSs in different domains or within the same domain, or a loss of communication, shall initiate a communication failure/discrepancy alarm to notify the operator that manual intervention, maintenance or remedial action is required.
The communication failure shall trip its respective facilities upon total loss of communication signals with the master peer.
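To make the receiver-side behaviour described above concrete, the following Python model is added here as an illustration; it is not part of this specification and not Yokogawa code. It models a receiving SCS that accepts frames from a peer, rejects frames whose sequence number is not newer than the last one (so frames replayed or reordered by a faulty relay device do not keep the link alive), and on time-out substitutes the predefined fail-safe value for the application logic and latches a communication failure alarm until the operator acknowledges it. The frame content, the sequence check, the latching behaviour and all names are assumptions; the page does not state which mechanism ProSafe-RS uses.

```python
"""Added example: receiver-side model of one peer-to-peer safety signal.
Not ProSafe-RS code. Sequence checking, alarm latching and names are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SafetyLinkReceiver:
    """Receiving side of a single safety signal sent by a peer SCS."""
    timeout_s: float                 # configured safety communication time-out
    fail_safe_value: bool = False    # predefined value on failure (assumed: de-energized)
    value: bool = False              # value currently passed to the application logic
    last_seq: Optional[int] = None   # sequence number of the last accepted frame
    last_rx_time: Optional[float] = None
    comm_fail_alarm: bool = False    # latched until acknowledged by the operator

    def on_frame(self, now: float, seq: int, value: bool) -> bool:
        """Accept one received frame; returns True if it was accepted.
        A repeated or older sequence number is discarded and does NOT refresh the
        time-out, so a relay device replaying stale frames cannot mask a lost link."""
        if self.last_seq is not None and seq <= self.last_seq:
            return False
        self.last_seq = seq
        self.last_rx_time = now
        self.value = value
        return True

    def poll(self, now: float) -> Tuple[bool, bool]:
        """Called every logic cycle. Returns (value for application logic, alarm).
        After a time-out the predefined fail-safe value is substituted and the
        alarm latches so that manual intervention is required."""
        if self.last_rx_time is None or now - self.last_rx_time > self.timeout_s:
            self.comm_fail_alarm = True
            return self.fail_safe_value, True
        return self.value, self.comm_fail_alarm

    def acknowledge(self) -> None:
        """Operator acknowledgement after the cause of the failure has been removed."""
        self.comm_fail_alarm = False


if __name__ == "__main__":
    # Constructed scenario: healthy link, a replayed frame, a time-out, then recovery.
    rx = SafetyLinkReceiver(timeout_s=2.0)
    rx.on_frame(0.0, seq=1, value=True)
    print("t=1.5", rx.poll(1.5))          # (True, False): signal follows the peer
    print("replay accepted:", rx.on_frame(1.6, seq=1, value=False))  # False
    print("t=2.5", rx.poll(2.5))          # (False, True): fail-safe value, alarm
    rx.on_frame(3.0, seq=2, value=True)
    print("t=3.1", rx.poll(3.1))          # (True, True): value restored, alarm latched
```

The value returned by `poll` is what the application logic would consume; the alarm flag is what would drive the communication failure/discrepancy alarm to the operator.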
Loss of DCS/SIS Communication:
Logic and/or hardware shall be configured in such a way that a shutdown is not initiated due to loss of the DCS to SIS/ESD/IPS communication.
Loss of Remote I/O Communication:
The console SIS/ESD/IPS push buttons and lamps located in the MCB shall be wired to the LCR system remote I/O node in the MCB. The default fail-safe value for these I/Os shall be specified as ‘0’ (fail-safe, or de-energized) for a remote I/O module fault or for loss of communication to the controller, which causes SIF shutdown at LCR level.
Actions on Major System Failure:
All parts of the SIS/ESD/IPS system shall maintain safe operation after any failure; in case of a major SIS system failure (total blackout or other electrical failure) the system shall always go to a predefined fail-safe position. In such cases, all ProSafe-RS outputs are set to the de-energized state.
Diagnostic Messages:
The SCS performs self-diagnosis regularly to detect hardware and software errors. It analyses the detected errors and the system configuration to determine the error level of each error that has occurred, and executes error-handling operations according to that error level.

Fatal error
  Diagnostic information messages: A diagnostic information message may not be notified because the CPU stops.
  Notification to application logic: Notification is not possible because the CPU is stopped.
Major error
  Diagnostic information messages: The failure location, cause of error and other information are notified.
  Notification to application logic: The error and the output status are notified.
Minor error
  Diagnostic information messages: The failure location, cause of error and other information are notified.
  Notification to application logic: A representative error state is notified instead of an individual error state. Application logic that utilizes this notification can be created.
Table 3-8 – Error level types and the error status notification process
The diagnostic management function saves and manages the diagnostic information messages generated by self-diagnosis and manages the SCS status. It also notifies the operating status of the SCS to the SENG and HIS.
Update applicable components as per project redundancy requirements

3.2.2 Line Monitoring Diagnostics


A diagnostic function is provided to detect open and short circuits in the wiring between field devices and I/O modules. The behaviour after detection of such a fault is the same as for a fault in the channel of the I/O module.
Line Monitoring Diagnostics for Analog Input:
SIS analog input channels are configured to monitor cable faults (open circuit or short circuit) and transmitter faults (over range or under range) using the SIS line monitoring features, i.e. by comparing the loop current (mA) with the pre-set fault threshold values configured in the SIS.

Figure 3-5 - Analog Input Open and Short Circuit Detection


The SIS software configuration will be enabled for each of the following diagnostics at input card level.
• Input low limit detection (Open Circuit, IOP-)
• Input high limit detection (Short Circuit, IOP+)
• Transmitter low limit detection (Transmitter Fault burnout High, TRANS+)
• Transmitter high limit detection (Transmitter Fault burnout Low, TRANS-)
The threshold value will be specified for each of the diagnostics at input card level. The threshold setting for each diagnostic takes the NAMUR NE 43 recommendation into consideration. This setting also applies to all types of transmitters, regardless of whether the transmitter is NAMUR compliant. Signal handling according to NAMUR NE 43 is shown in the figure below.

Figure 3-6 - mA Signal Handling According to NAMUR NE 43


The input channel status is represented as ‘BAD’ (invalid) upon fault detection for operator and maintenance attention. The diagnostic alarms shall be recorded in the sequence of events and annunciated in the HIS alarm annunciation window.
The details of the system function can be referred to in the SIS FDS - Software [!SIS FDS Software Doc No.!].
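As an added illustration of the threshold comparison described above (this is not part of the specification and not ProSafe-RS code), the following Python model classifies a 4 to 20 mA loop current into the IOP-, TRANS-, TRANS+ and IOP+ diagnostics, marks the channel ‘BAD’ and substitutes the ‘input processing at fault’ value when the diagnostic is configured, and passes the unclamped scaled ‘raw value’ through when it is not configured, which is the behaviour the failure tables in section 3.3.1.3 describe. The threshold figures (chosen in the spirit of NAMUR NE 43), the engineering range, the sample currents and all class and function names are assumptions made for the example; project values come from the SIS software configuration.

```python
"""Added example: analog input line monitoring model (not ProSafe-RS code).
Threshold values are assumptions in the spirit of NAMUR NE 43; the project
thresholds are defined in the SIS software configuration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ChannelStatus(Enum):
    GOOD = "GOOD"
    BAD = "BAD"


@dataclass(frozen=True)
class AiThresholds:
    """Diagnostic thresholds in mA (assumed values, ordered low to high)."""
    iop_low: float = 3.6      # below this: open circuit (IOP-)
    trans_low: float = 3.8    # below this: transmitter fault, under range (TRANS-)
    trans_high: float = 20.5  # above this: transmitter fault, over range (TRANS+)
    iop_high: float = 21.0    # above this: short circuit (IOP+)


@dataclass(frozen=True)
class AiChannelConfig:
    """Per-channel settings as they would appear on an I/O parameter sheet."""
    thresholds: AiThresholds = field(default_factory=AiThresholds)
    detect_iop: bool = True          # IOP+/- diagnostics configured
    detect_trans: bool = True        # TRANS+/- diagnostics configured
    value_at_fault: float = 0.0      # 'input processing at fault' value (eng. units)
    range_low: float = 0.0           # engineering value at 4 mA
    range_high: float = 100.0        # engineering value at 20 mA


@dataclass(frozen=True)
class AiResult:
    status: ChannelStatus
    diagnostic: Optional[str]   # "IOP-", "IOP+", "TRANS-", "TRANS+" or None
    value: float                # value handed to the application logic


def scale(current_ma: float, cfg: AiChannelConfig) -> float:
    """Linear 4-20 mA scaling. Deliberately not clamped: with the diagnostics
    not configured, an off-scale current yields an off-scale 'raw value'."""
    span = cfg.range_high - cfg.range_low
    return cfg.range_low + (current_ma - 4.0) / 16.0 * span


def classify(current_ma: float, cfg: AiChannelConfig) -> Optional[str]:
    """Return the diagnostic that fires for this current, or None.
    The IOP limits are checked first because they lie outside the TRANS limits."""
    t = cfg.thresholds
    if cfg.detect_iop and current_ma < t.iop_low:
        return "IOP-"
    if cfg.detect_iop and current_ma > t.iop_high:
        return "IOP+"
    if cfg.detect_trans and current_ma < t.trans_low:
        return "TRANS-"
    if cfg.detect_trans and current_ma > t.trans_high:
        return "TRANS+"
    return None


def process_ai(current_ma: float, cfg: AiChannelConfig) -> AiResult:
    """One scan of an analog input channel."""
    diag = classify(current_ma, cfg)
    if diag is None:
        return AiResult(ChannelStatus.GOOD, None, scale(current_ma, cfg))
    # Fault detected: the channel goes BAD and the pre-defined fault value is
    # used, so the application logic sees the fault as a (fail-safe) demand.
    return AiResult(ChannelStatus.BAD, diag, cfg.value_at_fault)


if __name__ == "__main__":
    cfg = AiChannelConfig()
    # Constructed sample currents: healthy, open circuit, 2-wire short,
    # transmitter burnout low, transmitter burnout high.
    for ma in (12.0, 0.0, 23.5, 3.7, 20.8):
        r = process_ai(ma, cfg)
        print(f"{ma:5.1f} mA -> {r.status.value:4s} {r.diagnostic or '-':6s} value={r.value}")
```

With both diagnostics configured, 12.0 mA gives GOOD/50.0, 0.0 mA gives BAD/IOP-, 23.5 mA gives BAD/IOP+, 3.7 mA gives BAD/TRANS- and 20.8 mA gives BAD/TRANS+; with both diagnostics switched off, 0.0 mA is reported GOOD with the off-scale raw value -25.0, which is exactly the spurious-trip exposure the failure tables warn about.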
Field wiring diagnosis function for Digital Inputs:
SIS digital input channels are configured for line monitoring of directly wired discrete switches without any intermediate input interfacing devices (e.g. isolators).
Field wiring diagnosis for digital inputs connected to the discrete input module SDV144 requires the Wiring Check Adapters SCB100 (36 kΩ, 1 %, 0.25 W resistor) and SCB110 (5.6 V Zener diode) to be installed at the field device end.
• Open Circuit Detection: When the input signal is “normally off” during normal operation, connect the SCB100 in parallel with the contact output of the field equipment as shown below.

Figure 3-7 - Open Circuit Detection


• Short Circuit Detection: When the input signal is “normally on” during normal operation, connect the SCB110 in series with the contact output of the field equipment as shown below.

Figure 3-8 - Short Circuit Detection


• Combination of Open and Short Circuit Detection: When checking for both short and open circuits, connect the SCB100 in parallel and the SCB110 in series with the contact output of the field equipment.
Note: These adapters will be provided by Yokogawa as part of the scope of supply. They shall be installed in the field device (e.g. manual call points, process switches…) by CONTRACTOR.
Line monitoring requirements shall be specified by CONTRACTOR via the input documents on a per-tag basis.
The SIS software configuration shall be enabled for the applicable line monitoring diagnostics at input card level.
• Input disconnection detection (open circuit)
• Input short circuit detection (short circuit)
The input channel status shall be represented as ‘BAD’ upon fault detection for operator and maintenance attention. The diagnostic alarms shall be recorded in the sequence of events and annunciated in the HIS alarm annunciation window.
Line Monitoring for Digital Input IS Signals:
The line monitoring diagnostics for digital input IS signals shall be based on the isolator-specific end-of-line (EOL) specifications.
Field wiring diagnosis function for Discrete Outputs:
This section describes the line monitoring features for directly wired output loads without any intermediate output interfacing devices.
The DO module detects an open circuit line fault by monitoring the loop impedance within the DO module specifications. If the load impedance is out of range, the system issues a diagnostic fault.
If the field cable and the +24 V DC power line are shorted together, the DO module detects the short circuit line fault by monitoring the loop impedance within the DO module specifications. If the field cable +24 V DC line and the 0 V DC line are shorted together, the channel is disabled immediately (electronic current limit function) and a diagnostic fault is issued.
For de-energized outputs, in order to detect a short circuit, the DO module uses a “pulse ON” test, sending out a very short pulse (0.2 ms) periodically.
It shall be noted that if a relay is used, the line is monitored only as far as the relay.
The SIS software configuration ‘Detect Disconnection’ shall be enabled for the applicable line monitoring diagnostics at output card level. No specific setting is required for short circuit detection at output card level.
The output channel status shall be represented as ‘BAD’ upon fault detection for operator and maintenance attention. The diagnostic alarms shall be recorded in the sequence of events and annunciated in the HIS alarm annunciation window.
A disabled channel can be enabled only after removing the fault and performing a manual ‘output enable’ operation at the engineering station.
For normally de-energized high-rate emergency depressurizing systems, the SIS input circuits from the ‘depressurizing’ initiating device and the SIS output circuits to the solenoid valves shall be permanently monitored for open circuits, short circuits and system common earth faults. These faults shall generate alarms, but shall not result in opening of the high-rate emergency depressurizing valve.

Line Monitoring for Digital Output IS Signals:
The line monitoring diagnostics for digital output IS signals shall be based on the isolator-specific specifications.
Field wiring diagnosis function for Analog Outputs:
This section describes the line monitoring features for directly wired output loads without any intermediate output interfacing devices.
The analog output module supports diagnostics configuration of:
• Short circuit detection: A short circuit will lead the field device to shut down because no energy is supplied. It is considered ‘safe’ from the safety point of view. However, ‘short circuit’ detection shall be enabled for all analog outputs for diagnostic detection of output channel faults.
• Open circuit detection: An open circuit will lead the field device to shut down because no energy is supplied to the field device. It is considered ‘safe’ from the safety point of view. However, ‘open circuit’ detection shall be enabled for all analog outputs for diagnostic detection of output channel faults.
Update as per project Line Monitoring requirements

3.2.3 Common Failure Cause Avoidance


The SIS system design shall consider measures for avoidance of common failure causes, including:
• Redundant communication cables (redundant Vnet/IP bus 1 and bus 2, redundant ESB bus fibre-optic cables for remote node connection) via separate physical routing within the FAR or between the FAR and the MCB.
• Colour coding of Vnet/IP cables, separate for SIS, FGS and other systems.
• I/O segregation for voted inputs and redundant plant equipment, and segregation of remote nodes for connection to SIS console shutdown buttons based on FAR/process unit groups.
• All SIS equipment shall be selected for immunity to environmental conditions (temperature, humidity, corrosion and EMC).
• Maintain adequate separation distances between AC power, DC power and signal wiring.
• Field I/O power supplies shall be separated from and totally independent of the SIS system chassis power supplies.
• Redundant field power supplies shall be sized for the continuously rated connected load while one power supply unit is removed (at rated voltage, ampacity and a maximum ambient temperature of 40°C).
• Redundant field power supplies with separated power distribution and individual protection diodes.
• Avoid sources of EMI/RFI inside system cabinets, such as fluorescent lamps, which may interfere with the electronic circuits of the system modules.
• Install spark killer diodes on inductive loads (by CONTRACTOR) (e.g. inside SOVs).
• Use lightning surge protection on signal lines that are prone to the effects of lightning.
• Power sources and main feeders such as the UPS shall be provided with lightning surge protection (by CONTRACTOR).
• The ambient temperature where signal and bus cables are laid must be within the limits specified for each cable.
• Unused spare field cable cores shall not be wired to spare I/O channels, to avoid the possibility of stray voltage pick-up or earth faults.
For DPV, the following common cause failure avoidance shall be considered:
• Segregation of redundant trip initiators and valves into separate cards installed in separate racks with separate power supplies, separate cable routing for system and field cabling, etc.

Update as per project design

3.3 System Behavior in case of Failure


The CPU modules and I/O modules are diagnosed by hardware and software periodically. Errors in communication between the CPU module and the I/O modules, and in safety communications, are detected by various measures. When an error is detected, the fail-safe (pre-defined) value is used as the output value and a diagnostic information message is issued. The diagnostic information message, which is sent to the SENG and HIS (when integrated with Centum VP) via the control bus, is useful for identifying the details and the cause of the error.
In a dual-redundant configuration, the other module, which is working normally, takes over control to continue operation. The diagnostic information message issued at the same time helps to identify the failed module.
The user can define the fail-safe behaviour of the system when faults are detected in I/O modules. The following sections describe the details.

3.3.1 IO Channel Error


3.3.1.1 Digital Input Channel Fail

Failure mode: Short circuit fault between 24 V DC and input channel
  IO parameter setting in application software: ‘Detect short circuit’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The input channel is turned ON. DTS: The demand (OFF state) cannot be detected – safety impact. ETS: The short circuit is mistakenly recognized as a demand, which may cause a spurious trip – safety impact.
  Remarks: none

Failure mode: Short circuit fault between 24 V DC and input channel (fault)
  IO parameter setting in application software: ‘Detect short circuit’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: The channel status is reported as ‘bad’. The input channel is set based on the ‘input processing at fault’ definition. DTS: The demand (OFF state) cannot be detected. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant. ETS: The fault is diagnosed for ETS for operator action, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
  Remarks: ‘Detect short circuit’ is to be enabled in the software configuration and the SCB110 is to be installed at the field device. No redundant switch-over.

Failure mode: Short circuit fault between 24 V DC and input channel (recover)
  IO parameter setting in application software: none
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Safety interlock reset required.
  Remarks: none

Failure mode: Input channel disconnection (fault)
  IO parameter setting in application software: ‘Detect disconnection’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The input channel is turned OFF. DTS: Spurious process trip. ETS: The demand cannot be detected – safety impact.
  Remarks: none

Failure mode: Input channel disconnection (fault)
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: The channel status is reported as ‘bad’. The input channel is set based on the ‘input processing at fault’ definition. DTS: A spurious process trip shall occur if the line fault is treated as a trip. However, the diagnostics help to remove the cause of the fault. ETS: The demand cannot be detected. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
  Remarks: ‘Detect disconnection’ is to be enabled in the software configuration and the SCB100 is to be installed at the field device. No redundant switch-over.

Failure mode: Input channel disconnection (recover)
  IO parameter setting in application software: none
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Safety interlock reset required.
  Remarks: none

Failure mode: Internal failure
  IO parameter setting in application software: none
  System diagnostics: Failure alarm is issued. Switch-over to the standby.
  Safety impact on application logic: No safety impact
  Remarks: If the redundant module is available.

3.3.1.2 Digital Output Channel Fail

Failure mode: Short circuit fault between 24 V DC and output channel
  IO parameter setting in application software: ‘Detect disconnection’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The output channel value depends on the application logic. The field device turns ON. DTS: The field device on the affected channel cannot be shut down – safety impact. ETS: The short circuit is mistakenly recognized as a demand, which may cause a spurious trip – safety impact.
  Remarks: none

Failure mode: Short circuit fault between 24 V DC and output channel
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: The channel status is reported as ‘bad’. The output channel is set based on the ‘output value in detecting error’ definition. DTS: Depending on the ‘output value in detecting error’, a spurious process shutdown can occur. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. ETS: Depending on the ‘output value in detecting error’, the process shutdown demand cannot be met. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
  Remarks: ‘Detect disconnection’ is to be enabled in the software configuration. No redundant switch-over.

Failure mode: Short circuit fault between 24 V DC and output channel (recover)
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Output enable is to be carried out at the SENG. Safety interlock reset required.
  Remarks: none

Failure mode: Output channel disconnection (fault)
  IO parameter setting in application software: ‘Detect disconnection’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The output channel is turned OFF. The field device turns OFF. DTS: The field device on the affected channel shuts down; spurious process shutdown. ETS: The field device on the affected channel cannot be turned ON – safety impact.
  Remarks: none

Failure mode: Output channel disconnection (fault)
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: The channel status is reported as ‘bad’. The output channel is set based on the ‘output value in detecting error’ definition; however, the field device turns OFF. DTS: Spurious process trip. However, the diagnostics help to remove the cause of the fault. ETS: The process shutdown demand cannot be met. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
  Remarks: ‘Detect disconnection’ is to be enabled in the software configuration. No redundant switch-over.

Failure mode: Output channel disconnection (recover)
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Output enable is to be carried out at the SENG. Safety interlock reset required.
  Remarks: none

Failure mode: Internal failure
  IO parameter setting in application software: none
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met. Switch-over to the standby module.
  Safety impact on application logic: No safety impact
  Remarks: ‘Pulse test ON or OFF’ and the Output Shutoff Switch are to be enabled in the software configuration. If the redundant module is available.

3.3.1.3 Analog Input Channel Fail

Failure mode: Open / short circuit (IOP+/-) fault
  IO parameter setting in application software: IOP+/-: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The input channel follows the field transmitter current, which could be a ‘raw value’, i.e. 0 mA in case of open circuit; 23.5 mA in case of short circuit (2-wire); 0 mA in case of short circuit (4-wire). 1ooN voted transmitter (applicable for SIS/ESD/IPS): Since the input value is in the ‘off scale’ range, a spurious process shutdown is expected. The cause of the transmitter ‘off scale’ is not diagnosed by the analog input module – safety impact. 2ooN voted transmitter (applicable for SIS/ESD/IPS): Since the transmitters are voted, the spurious process shutdown is avoided by the validation of inputs. The cause of the transmitter ‘off scale’ is not diagnosed by the analog input module – safety impact.
  Remarks: none

Failure mode: Open / short circuit (IOP+/-) fault
  IO parameter setting in application software: IOP+/-: configured
  System diagnostics: IOP+/- fault notification on the operator station
  Safety impact on application logic: The channel status is reported as ‘bad’ and the channel value is set to the ‘input processing at fault’ pre-defined value. 1oo1 voted transmitter (applicable for SIS/ESD/IPS): For a 1oo1 transmitter, the automatic MOS (AMO) is activated to avoid a spurious process shutdown. The process shutdown is expected upon expiry of the AMO timer. Upon the AMO alarm, manual (operator) attention is required. Failure of manual attention may lead to a spurious process shutdown. 2ooN voted transmitter (applicable for SIS/ESD/IPS): For 2ooN transmitters, the time delay shutdown is not applicable. Since the transmitters are voted, the spurious process shutdown is avoided by the validation of inputs.
  Remarks: IOP+/- are to be enabled and the threshold settings for these items are to be specified in the software configuration. The ‘input processing at fault’ value is to be pre-defined. No redundant switch-over.

Failure mode: Open / short circuit (IOP+/-) recover
  IO parameter setting in application software: IOP+/-: configured
  System diagnostics: IOP+/- recover notification on the operator station
  Safety impact on application logic: 1oo1 voted transmitter (applicable for SIS/ESD/IPS): The AMO is removed automatically if the fault is recovered within the AMO timer.
  Remarks: none

Failure mode: Over / under range transmitter (TRANS+/-) fault
  IO parameter setting in application software: TRANS+/-: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The input channel follows the field transmitter current, which could be ‘off scale’, i.e. <4 mA in case of under range; >20 mA in case of short circuit. DTS: The field device on the affected channel shuts down; spurious process shutdown. 1oo1 voted transmitter: refer to the ‘Open / short circuit (IOP+/-) fault’ scenario. 2ooN voted transmitter: refer to the ‘Open / short circuit (IOP+/-) fault’ scenario.
  Remarks: No redundant switch-over.

Failure mode: Over / under range transmitter (TRANS+/-) fault
  IO parameter setting in application software: TRANS+/-: configured
  System diagnostics: TRANS+/- fault notification on the operator station
  Safety impact on application logic: Refer to the ‘Open / short circuit (IOP+/-) fault’ scenario.
  Remarks: TRANS+/- are to be enabled and the threshold settings for these items are to be specified in the software configuration. The ‘input processing at fault’ value is to be pre-defined. No redundant switch-over.

Failure mode: Over / under range transmitter (TRANS+/-) recover
  IO parameter setting in application software: TRANS+/-: configured
  System diagnostics: TRANS+/- recover notification on the operator station
  Safety impact on application logic: Refer to the ‘Open / short circuit (IOP+/-) recover’ scenario.
  Remarks: none

Failure mode: Internal failure
  IO parameter setting in application software: none
  System diagnostics: Failure alarm is issued. Switch-over to the standby if the redundant module is available.
  Safety impact on application logic: No safety impact
  Remarks: none
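The 1oo1 and 2ooN rows of the table above describe two different ways of handling a channel that has gone ‘bad’. The following Python model is added here to show both side by side; it is not part of this specification and not ProSafe-RS code. For 2ooN it excludes bad channels from the vote so that a single line fault cannot cause a spurious trip; for 1oo1 it activates an automatic maintenance override (AMO) with a timer, trips when the timer expires, removes the override automatically if the fault clears in time, and latches the trip until a safety interlock reset. The degradation policy used for 2ooN (vote over the remaining healthy channels, trip when none is healthy), the timer value, the tag names and all function names are assumptions made for this example.

```python
"""Added example: handling of 'bad' analog input channels in 1oo1 (AMO timer)
and 2ooN voting, modelled after the table above. Not ProSafe-RS code; the 2ooN
degradation policy, the timer value and all names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AiChannel:
    tag: str            # constructed tag name, e.g. "PT-1A"
    value: float        # engineering value handed to the logic
    bad: bool = False   # channel status 'bad' (IOP+/- or TRANS+/- diagnostic active)


def demand(ch: AiChannel, trip_setpoint: float) -> bool:
    """High trip: the channel calls for a trip when at or above the setpoint."""
    return ch.value >= trip_setpoint


def vote_2ooN(channels: List[AiChannel], trip_setpoint: float) -> bool:
    """2ooN vote over healthy channels only (assumed degradation policy):
    a 'bad' channel is excluded, so one line fault alone cannot trip the plant;
    with fewer than two healthy channels the vote degrades to 1oo1 on what is
    left, and with no healthy channel the output goes to the trip (fail-safe) state."""
    healthy = [c for c in channels if not c.bad]
    if not healthy:
        return True
    required = min(2, len(healthy))
    demands = sum(1 for c in healthy if demand(c, trip_setpoint))
    return demands >= required


@dataclass
class Amo1oo1:
    """Automatic maintenance override (AMO) for a single (1oo1) transmitter."""
    amo_seconds: float
    amo_started: Optional[float] = None
    amo_alarm: bool = False      # raised when the override starts: operator attention
    latched_trip: bool = False   # set when the timer expires; cleared by reset()

    def evaluate(self, now: float, ch: AiChannel, trip_setpoint: float) -> Tuple[bool, bool]:
        """One logic cycle. Returns (trip, amo_active)."""
        if self.latched_trip:
            return True, False                 # awaits safety interlock reset
        if not ch.bad:
            # fault cleared inside the timer: the AMO is removed automatically
            self.amo_started = None
            self.amo_alarm = False
            return demand(ch, trip_setpoint), False
        if self.amo_started is None:
            self.amo_started = now
            self.amo_alarm = True
        if now - self.amo_started >= self.amo_seconds:
            self.latched_trip = True           # timer expired: process shutdown
            return True, False
        return False, True

    def reset(self) -> None:
        """Safety interlock reset after the fault has been repaired."""
        self.latched_trip = False
        self.amo_started = None
        self.amo_alarm = False


if __name__ == "__main__":
    # Constructed 2oo3 set: one channel lost its loop (bad) and reads the fault value 0.0.
    sp = 75.0
    trio = [AiChannel("PT-1A", 80.0), AiChannel("PT-1B", 20.0), AiChannel("PT-1C", 0.0, bad=True)]
    print("2oo3 with one bad channel, one demand:", vote_2ooN(trio, sp))   # False
    # Constructed 1oo1 transmitter: fault at t=0, 60 s AMO, fault persists past the timer.
    amo = Amo1oo1(amo_seconds=60.0)
    bad = AiChannel("PT-2", 0.0, bad=True)
    for t in (0.0, 30.0, 60.0):
        print(f"1oo1 t={t:4.0f}s trip, amo_active =", amo.evaluate(t, bad, sp))
```

Run stand-alone, the 2oo3 case shows no trip (only one healthy channel demands), and the 1oo1 case shows the override active at 0 s and 30 s and the trip at 60 s; after that the trip stays latched regardless of the channel value until `reset()` is called.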

3.3.1.4 Analog Output Channel Fail

Failure mode: Output channel short circuit fault
  IO parameter setting in application software: ‘Detect short circuit’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The output channel value depends on the application logic. The field device is at 0 mA. DTS: The field device on the affected channel shuts down. ETS: The field device on the affected channel cannot be shut down – safety impact.
  Remarks: none

Failure mode: Output channel short circuit fault
  IO parameter setting in application software: ‘Detect short circuit’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: The channel status is reported as ‘bad’. The output channel is set based on the ‘output value at fault’ definition. DTS: Depending on the ‘output value at fault’, a spurious process shutdown can occur. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. ETS: Depending on the ‘output value at fault’, the process shutdown demand cannot be met. However, the diagnostics help to remove the cause of the fault, hence manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
  Remarks: ‘Detect short circuit’ is to be enabled in the software configuration. No redundant switch-over.

Failure mode: Output channel short circuit recover
  IO parameter setting in application software: ‘Detect short circuit’: configured
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Output enable is to be carried out at the SENG.
  Remarks: none

Failure mode: Output channel disconnection
  IO parameter setting in application software: ‘Detect disconnection’: not configured
  System diagnostics: No system diagnostics
  Safety impact on application logic: The channel status is reported as ‘good’. The output channel value depends on the application logic. The field device is always at 0 mA. DTS: The field device on the affected channel shuts down. ETS: The field device on the affected channel cannot be shut down – safety impact.
  Remarks: none

Failure mode: Output channel disconnection
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met.
  Safety impact on application logic: Refer to the ‘Output channel short circuit fault (configured)’ scenario.
  Remarks: ‘Detect disconnection’ is to be enabled in the software configuration.

Failure mode: Output channel disconnection recover
  IO parameter setting in application software: ‘Detect disconnection’: configured
  System diagnostics: Channel recover notification on the operation station
  Safety impact on application logic: Output enable is to be carried out at the SENG.
  Remarks: No redundant switch-over.

Failure mode: Internal failure, e.g. mismatch between the commanded value and the read-back value
  IO parameter setting in application software: none
  System diagnostics: Channel fault notification on the operation station if the condition in the ‘Remarks’ column is met. Switch-over to the standby module.
  Safety impact on application logic: No safety impact
  Remarks: The Output Shutoff Switch is to be enabled in the software configuration. If the redundant module is available.

3.3.2 Module Error


3.3.2.1 CPU Module Failure (Partial)

Failure mode: Standby CPU fail / recover
  System diagnostics: CPU fail / recover notification on the operation station
  Safety impact on application logic: No safety impact
  Remarks: none

Failure mode: Active CPU fail / recovery
  System diagnostics: CPU fail / recover notification on the operation station
  Safety impact on application logic: No safety impact
  Remarks: Note 1

Notes:
1. The standby CPU takes over the control right and the recovered active CPU acts as the standby CPU.
3.3.2.2 CPU Module Failure (Total)

Failure mode: Active CPU and standby CPU fail
  System diagnostics: CPU fail notification on the operation station
  Safety impact on application logic:
  • System shutdown
  • Plant shutdown condition
  • Loss of controller data to operator / HIS / SENG
  • Temporary loss of SOE data
  • Safety communication failure
  • Remote I/O communication failure
  Spurious trip for a de-energized to safe (DTS) system design (SIS/ESD/IPS). Unavailability for an energized to safe (ETS) system design – safety impact.
  Remarks: none

Failure mode: Active CPU and standby CPU recover
  System diagnostics: CPU recover notification on the operation station
  Safety impact on application logic:
  • Resumption of the safety control station using the initially configured preset values
  • Resumption of SOE/HIS data update
  • Output enable is required for each SCS
  Remarks: none


3.3.2.3 CPU Node Failure (Due to Power Supply Failure)

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Left PSU fail / recover
System Diagnostics: PSU fail / recover notification on operation station
Safety Impact on Application Logic: No safety impact

Failure Mode: Right PSU fail / recover
System Diagnostics: PSU fail / recover notification on operation station
Safety Impact on Application Logic: No safety impact

Failure Mode: Both Left PSU and Right PSU fail
System Diagnostics: Refer scenario 'Active CPU and Standby CPU fail'
Safety Impact on Application Logic: Refer scenario 3.3.2.2

Failure Mode: Both Left PSU and Right PSU recover
System Diagnostics: Refer scenario 'Active CPU and Standby CPU recover'
Safety Impact on Application Logic: Refer scenario 3.3.2.2

3.3.2.4 I/O Node Failure (Due to Power Supply Failure)

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Left PSU fail
System Diagnostics: PSU fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Left PSU recover
System Diagnostics: PSU recovery notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Right PSU fail
System Diagnostics: PSU fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Right PSU recover
System Diagnostics: PSU recovery notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Both Left PSU and Right PSU fail
System Diagnostics: Channel fault notification on operation station. Module fault notification on operation station.
Safety Impact on Application Logic:
Digital / Analog input channel: The channel status is reported as 'bad'. Input channel is set based on 'input processing at fault' definition.
Digital / analog output channel: The channel status is reported as 'bad'. Output channel is set based on 'output value at fault' definition.
Digital input / output and analog input / output module: Refer respective module fail scenarios.
Remarks: Fault response to be considered: Application program to handle impact of this fault to other Node I/O's (example: All I/O shutdown).

Failure Mode: Both Left PSU and Right PSU recover
System Diagnostics: Module / channel recover notification on operation station
Safety Impact on Application Logic: Digital / analog output channel: Output enable is to be carried out at SENG.

3.3.2.5 I/O Node Failure (Due to ESB Bus Fail)

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: ESB Bus 1 fail
System Diagnostics: Bus fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: ESB Bus 1 recover
System Diagnostics: Bus recover notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: ESB Bus 2 fail
System Diagnostics: Bus fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: ESB Bus 2 recover
System Diagnostics: Bus recover notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Both ESB Bus 1 and Bus 2 fail
System Diagnostics: Bus fail notification on operation station and Channel fault notification on operation station (channels); Bus fail notification on operation station and Module fault notification on operation station (modules)
Safety Impact on Application Logic:
Digital / analog input channel located at I/O Node: The channel status is reported as 'bad'. Input channel is set based on 'input processing at fault' definition.
Digital / analog output channel located at I/O Node: The channel status is reported as 'bad'. Output channel is set based on 'output value at fault' definition.
Digital input / output and analog input / output module located at I/O Node: Refer respective module fail scenarios.
Remarks: ESB bus fail does not affect the channel status of CPU node I/O channels; these remain 'good'. ESB bus fail does not affect the CPU node I/O modules. Fault response to be considered: Application program to handle impact of this fault to other Node I/O's (example: All I/O shutdown).

Failure Mode: Both ESB Bus 1 and Bus 2 recover
System Diagnostics: Module / channel recover notification on operation station
Safety Impact on Application Logic: Digital / analog output channel located at I/O Node: Output enable is to be carried out at SENG.
Remarks: Output enable is not required for output channels located at the CPU node.
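The fault-response rules of 3.3.2.4 and 3.3.2.5 can be checked against a small model before they are coded into the application program. The following is an added example (not Yokogawa or ProSafe-RS code): the Channel and IoNode classes, the channel tags and the fault values are constructed for illustration; what it encodes is only what the two tables state, namely that a single bus or PSU failure has no impact, that losing both sets every I/O node channel to 'bad' with its configured fault value, that CPU node channels are untouched, and that I/O node output channels need an output enable at SENG after recovery.

```python
from dataclasses import dataclass, field


@dataclass
class Channel:
    """One I/O channel. 'node' is where its module sits: "CPU" node or remote "IO" node."""
    tag: str
    node: str
    kind: str                 # "input" or "output"
    value_at_fault: float     # the configured 'input processing at fault' / 'output value at fault'
    value: float = 0.0
    status: str = "good"
    output_enabled: bool = True


@dataclass
class IoNode:
    """Redundant ESB buses and PSUs of one I/O node (all healthy by default)."""
    esb_bus_ok: dict = field(default_factory=lambda: {1: True, 2: True})
    psu_ok: dict = field(default_factory=lambda: {"left": True, "right": True})

    def lost(self) -> bool:
        # A single bus or single PSU failure has no impact; the node is lost
        # only when both buses or both PSUs have failed.
        return not any(self.esb_bus_ok.values()) or not any(self.psu_ok.values())

    def diagnostics(self) -> list:
        msgs = [f"ESB Bus {n} fail notification on operation station"
                for n, ok in self.esb_bus_ok.items() if not ok]
        msgs += [f"{side.capitalize()} PSU fail notification on operation station"
                 for side, ok in self.psu_ok.items() if not ok]
        return msgs


def apply_fault_response(node: IoNode, channels: list) -> list:
    """Apply the table's fault response to every channel; returns the diagnostics raised."""
    msgs = node.diagnostics()
    if not node.lost():
        return msgs
    for ch in channels:
        if ch.node != "IO":
            continue  # CPU node channels are not affected and stay 'good'
        ch.status = "bad"
        ch.value = ch.value_at_fault
        if ch.kind == "output":
            ch.output_enabled = False  # must be re-enabled at SENG after recovery
        msgs.append(f"Channel fault notification on operation station: {ch.tag}")
    return msgs


def recover(node: IoNode, channels: list) -> list:
    """Restore the node; returns the output channels still waiting for output enable."""
    node.esb_bus_ok = {1: True, 2: True}
    node.psu_ok = {"left": True, "right": True}
    pending = []
    for ch in channels:
        if ch.node == "IO" and ch.status == "bad":
            ch.status = "good"
            if ch.kind == "output" and not ch.output_enabled:
                pending.append(ch.tag)
    return pending


def output_enable_at_seng(channels: list) -> None:
    """The manual output enable operation carried out at SENG."""
    for ch in channels:
        ch.output_enabled = True


def demo() -> dict:
    # Constructed sample channels: two at the I/O node, one at the CPU node.
    chans = [Channel("XV-101", "IO", "output", value_at_fault=0.0, value=20.0),
             Channel("PT-101", "IO", "input", value_at_fault=0.0, value=12.0),
             Channel("XV-201", "CPU", "output", value_at_fault=0.0, value=20.0)]
    node = IoNode()
    node.esb_bus_ok[1] = False
    single = apply_fault_response(node, chans)     # one bus down: no impact
    node.esb_bus_ok[2] = False
    both = apply_fault_response(node, chans)       # both buses down: I/O node channels 'bad'
    pending = recover(node, chans)                 # XV-101 needs output enable at SENG
    return {"single": single, "both": both, "pending": pending, "channels": chans}
```

The remark "application program to handle impact of this fault to other Node I/O's" is deliberately not modelled: which other I/O is shut down is a project decision, and this model only exposes the 'bad' status and the diagnostics from which that logic would be driven.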

3.3.2.6 Digital Input Module Failure

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Standby DI module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Standby DI module recover
System Diagnostics: Module recover notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Active DI module fail
System Diagnostics: Module fail notification on operation station, Standby Module takes over control right
Safety Impact on Application Logic: No impact

Failure Mode: Active DI module recover
System Diagnostics: Module recover notification on operation station, Module acts as standby Module
Safety Impact on Application Logic: No impact

Failure Mode: Active DI module and Standby DI module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: The channel status is reported as 'bad'. Input channel is set based on 'input processing at fault' definition. DTS: Spurious process trip. ETS: The demand cannot be detected. However, the diagnostics help to identify the cause of the fault. Further, manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
Remarks: Fault response to be considered: Application program to handle impact of this fault to other I/O's (example: All I/O shutdown).


3.3.2.7 Digital Output Module Failure

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Standby DO module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Standby DO module recover
System Diagnostics: Module recover notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Active DO module fail
System Diagnostics: Module fail notification on operation station, Standby Module takes over control right
Safety Impact on Application Logic: No impact

Failure Mode: Active DO module recover
System Diagnostics: Module recover notification on operation station, Module acts as standby Module
Safety Impact on Application Logic: No impact

Failure Mode: Active DO module and Standby DO module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: DTS: Spurious process shutdown. ETS: The response to demand cannot be executed. However, the diagnostics help to identify the cause of the fault. Further, manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
Remarks: Segregation of parallel final elements in different DO modules shall be followed. Fault response to be considered: Application program to handle impact of this fault to other I/O's (example: All I/O shutdown).

3.3.2.8 Analog Input Module Failure

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Standby AI module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: No safety impact

Failure Mode: Standby AI module recover
System Diagnostics: Module recover notification on operation station
Safety Impact on Application Logic: No safety impact

Failure Mode: Active AI module fail
System Diagnostics: Module fail notification on operation station, Standby Module takes over control right
Safety Impact on Application Logic: No safety impact

Failure Mode: Active AI module recover
System Diagnostics: Module recover notification on operation station, Module acts as standby Module
Safety Impact on Application Logic: No safety impact

Failure Mode: Active AI module and Standby AI module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: 1oo1 voted transmitter - Refer the scenario 3.3.1.3. If multiple 1oo1 voted transmitters are configured in the same module, then simultaneous activation of automatic MOS shall be prevented. (Additional application program may be required to handle this scenario.) 2ooN voted transmitter - If 2ooN voted transmitters are configured in the same module, then a spurious process shutdown is expected.
Remarks: Fault response to be considered: Application program to handle impact of this fault to other I/O's (example: All I/O shutdown). Segregation of 2ooN voted transmitters in different AI modules shall be followed.

3.3.2.9 Analog Output Module Failure

Columns: Failure Mode / System Diagnostics / Safety Impact on Application Logic / Remarks

Failure Mode: Standby AO module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Standby AO module recover
System Diagnostics: Module recover notification on operation station
Safety Impact on Application Logic: No impact

Failure Mode: Active AO module fail
System Diagnostics: Module fail notification on operation station, Standby Module takes over control right
Safety Impact on Application Logic: No impact

Failure Mode: Active AO module recover
System Diagnostics: Module recover notification on operation station, Module acts as standby Module
Safety Impact on Application Logic: No impact

Failure Mode: Active AO module and Standby AO module fail
System Diagnostics: Module fail notification on operation station
Safety Impact on Application Logic: DTS: Spurious process shutdown. ETS: The response to demand cannot be executed. However, the diagnostics help to identify the cause of the fault. Further, manual (operator) attention is required. Failure of manual attention may lead to unsafe operation of the plant.
Remarks: Segregation of parallel final elements in different AO modules has to be followed. Fault response to be considered: Application program to handle impact of this fault to other I/O's (example: All I/O shutdown).

3.3.3 Calculation Error


In the case of critical user application errors such as division by zero, overflow or access beyond an
array, the SCS stops, resulting in a false trip. It is possible to specify the option to continue operation
whilst notifying users about such situations through System Alarms at HIS. The options are:
 SCS fails: The SCS stops upon detection of the application exceptional errors.
 SCS continues: The detailed explanation of SCS behaviour upon detection of an application
exceptional error is described in Table 3-9 - Exception handling Scenario below.

Columns: Exception / Occurrence Condition / SCS Continues Behaviour Description

Exception: Zero division
Occurrence Condition: The denominator is zero in a division of DINT or REAL type data.
SCS Continues Behaviour: If the error occurs, the maximum value of the applicable type (the maximum negative value if the value is negative) is assigned to the variable of the operation result. The POU (program) where the calculation error occurred does not stop but operates until the end.

Exception: Access beyond the array
Occurrence Condition: An index of an array variable points to the outside of the array.
SCS Continues Behaviour: If illegal access occurs, the corresponding POU (function/function block) is stopped immediately. The POU is executed in the next and subsequent scans as well, but the execution is stopped at the same location unless the problem is resolved. The POU (program/function/function block) that called the function/function block in which the calculation error exists is executed until the end.

Exception: Overflow
Occurrence Condition: An overflow occurs in a calculation between REAL type operands.
SCS Continues Behaviour: If the error occurs, the maximum value of the given type is assigned to the variable of the operation result. The maximum negative value is assigned if the first operand is negative in the case of addition/subtraction, as well as if the signs of the first and second operands are different in the case of multiplication/division. The POU (program) where the calculation error occurred does not stop but operates until the end.

Exception: An overflow occurs when casting the REAL data type to other data types
Occurrence Condition: Casting (converting) REAL type data to BOOL, DINT or TIME type.
SCS Continues Behaviour: If the error occurs, a value of "TRUE" is used for the BOOL data type, the maximum value of DINT type for the DINT data type and the maximum value of TIME type for the TIME data type. The POU (program) where the calculation error occurred does not stop but operates until the end.

Table 3-9 - Exception handling Scenario
The system diagnostic functions are explained below:
A System Alarm shall be generated to notify users of this function as shown below:
 Abnormal calculation occurred
 Recovery from Abnormal calculation
It is also possible to create application logic for confirming the state of abnormal calculation using
the function block SYS_CERR. If calculation errors occur in multiple POUs (programs), a diagnostic
information message (No. 4145) is generated for each POU (program). If different types of
calculation errors occur in the same POU (program) at the same time, a diagnostic information
message is generated for each type of calculation error. The default interval of re-warning is 10
minutes.
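The 'SCS continues' behaviour of Table 3-9 is easier to reason about when the saturating results and the "stopped at the same location" rule are written out. The following is an added example in Python, not ProSafe-RS code: it assumes DINT is a signed 32-bit integer and REAL an IEEE single-precision value, it reads "the value" in the zero-division row as the dividend, and the FunctionBlock class, the err dictionary (standing in for what SYS_CERR would report) and the diagnostics() helper are constructed for illustration. It shows how a calling program still runs to its end while a function block with an out-of-range index stays stopped until the index is corrected.

```python
import math

# Ranges used for the saturating results (assumed: DINT = signed 32-bit, REAL = IEEE single).
DINT_MAX, DINT_MIN = 2**31 - 1, -2**31
REAL_MAX = 3.4028234663852886e38


def dint_div(a: int, b: int, err: dict) -> int:
    """Zero division: saturate to the type maximum (negative maximum if the dividend is
    negative, our reading of 'the value'); the program keeps running."""
    if b == 0:
        err["zero_division"] = True
        return DINT_MIN if a < 0 else DINT_MAX
    return int(a / b)


def real_add(a: float, b: float, err: dict) -> float:
    """REAL overflow in addition/subtraction: maximum value, sign taken from the first operand."""
    r = a + b
    if math.isinf(r) or abs(r) > REAL_MAX:
        err["overflow"] = True
        return -REAL_MAX if a < 0 else REAL_MAX
    return r


def real_mul(a: float, b: float, err: dict) -> float:
    """REAL overflow in multiplication/division: negative maximum if the operand signs differ."""
    r = a * b
    if math.isinf(r) or abs(r) > REAL_MAX:
        err["overflow"] = True
        return -REAL_MAX if (a < 0) != (b < 0) else REAL_MAX
    return r


def real_to_dint(x: float, err: dict) -> int:
    """Cast overflow REAL -> DINT: the maximum DINT value is used."""
    if x > DINT_MAX or x < DINT_MIN:
        err["cast_overflow"] = True
        return DINT_MAX
    return int(x)


class FunctionBlock:
    """A POU (function block) that indexes an array; an out-of-range index stops it
    immediately, and it stays stopped at that location on later scans until resolved."""

    def __init__(self, size: int):
        self.array = [0.0] * size
        self.stopped_at = None
        self.completed_scans = 0

    def execute(self, index: int, err: dict) -> bool:
        if not 0 <= index < len(self.array):
            err["array_access"] = True
            self.stopped_at = "array write"
            return False          # stopped here; the calling program continues
        self.stopped_at = None
        self.array[index] += 1.0
        self.completed_scans += 1
        return True


def program_scan(fb: FunctionBlock, index: int, a: int, b: int, err: dict) -> tuple:
    """The calling program runs to its end even when the function block it calls stopped."""
    fb_ok = fb.execute(index, err)
    quotient = dint_div(a, b, err)   # later statements in the program still execute
    return fb_ok, quotient


def diagnostics(previous: dict, current: dict) -> list:
    """System alarm texts for newly raised and cleared calculation errors."""
    msgs = [f"Abnormal calculation occurred ({k})" for k in current if not previous.get(k)]
    msgs += [f"Recovery from Abnormal calculation ({k})" for k in previous if k not in current]
    return msgs
```

Each scan passes a fresh err dictionary, so diagnostics() compares the previous and current scan and emits one "Abnormal calculation occurred" per new error type and one "Recovery from Abnormal calculation" per cleared type, mirroring the per-type messages described above (without the 10-minute re-warning interval).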

3.3.4 Safety Communication Error


Inter SCS safety communication error (safety communication between different domains):
If a communication error occurs during inter-SCS safety communication, the following operations are performed.
 The fail-safe value pre-set on the function block for inter-SCS safety communication on the
consuming side is output.
 The communication status (parameter NR) becomes abnormal (False).
 A diagnostic information message notifying about the error is output.
Refer section Error: Reference source not found for safety communication details.
SCS Link Transmission (safety communication within a domain):
 Logical data of the link transmission data area received shall be set according to the specific
input value at error occurrence defined in the data wiring definition of the SCS Link Transmission
builder.
 The data status will be BAD.
 A diagnostic information message indicating "Diagnostic Error" will be sent from each
receiving station where a communication error has occurred.


3.4 System Description


3.4.1 System Reaction (Response) Time of SCS
System reaction (response) time of SCS is defined as the maximum time from the occurrence of an
event at the input terminations to the response at output terminals. This covers I/O card response
times, processor scan rates and any communication delays (I/O bus, data and communication
networks) and server traffic time.
The project specifications are:
 The scan time for the SIS logic solver shall be a maximum of 300 ms. This results in a time from
input change to output response of less than 600 ms including all spare capacity (including
installed spares and future spare slots).
 The SIS system data communication scan rate with the BPCS network shall be one second
maximum.
Where the response time using the safety network (peer-to-peer safety network) is not able to meet the
specifications, hardwired signals shall be used.
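A worked response-time budget for the limits above, as an added example (not part of the project deliverable). The timing model is an assumption: an input change that arrives just after a scan has read its inputs is seen on the next scan and acted on the one after, so two scans are counted, with I/O module and network delays added on top; it is therefore more conservative than the 2 x scan figure the specification quotes. The module and network figures in the tests are constructed placeholders, and the decision rule simply implements the last sentence of 3.4.1: a loop that only fails the limit because of the peer-to-peer network delay is flagged for hardwiring.

```python
SCAN_MAX_MS = 300        # maximum logic solver scan time (3.4.1)
RESPONSE_MAX_MS = 600    # maximum input-change-to-output-response time (3.4.1)


def worst_case_response_ms(input_module_ms: float, scan_ms: float,
                           output_module_ms: float, network_ms: float = 0.0,
                           scans: int = 2) -> float:
    """Worst-case end-to-end time (assumed model): the input change is missed by the
    scan in progress, read by the next one and acted on by the one after, so two scans
    are counted; module and network delays are added on top."""
    return input_module_ms + scans * scan_ms + output_module_ms + network_ms


def assess_loop(name: str, input_module_ms: float, scan_ms: float,
                output_module_ms: float, peer_to_peer_ms: float = 0.0) -> dict:
    """Check one loop against the project limits and decide whether the signal may be
    carried over the peer-to-peer safety network or must be hardwired."""
    issues = []
    if scan_ms > SCAN_MAX_MS:
        issues.append(f"scan time {scan_ms} ms exceeds {SCAN_MAX_MS} ms")
    t = worst_case_response_ms(input_module_ms, scan_ms, output_module_ms, peer_to_peer_ms)
    meets = t <= RESPONSE_MAX_MS
    if not meets:
        issues.append(f"worst case {t:.0f} ms exceeds {RESPONSE_MAX_MS} ms")
    hardwire = False
    if not meets and peer_to_peer_ms > 0:
        # Re-evaluate without the network delay: if the loop then meets the limit,
        # the signal should be hardwired instead of sent over the safety network.
        local = worst_case_response_ms(input_module_ms, scan_ms, output_module_ms)
        hardwire = local <= RESPONSE_MAX_MS
    return {"loop": name, "worst_case_ms": t, "meets_spec": meets,
            "use_hardwired": hardwire, "issues": issues}
```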

3.4.2 SCS Scan Time Overview


There are two types of scan time of SCS:
 Scan time of the Application Logic Execution Function
The ‘application logic execution function’ is the function having a top priority among SCS
functions.
 Scan time of the External Communication Function
The ‘external communication function’ is executed in a part where the ‘application logic
execution function’ is not executed in the CPU processing period. If the ‘external communication
function’ finishes its processing before a scan time ends, the remaining time becomes the idle
time on CPU.
 Specification of Idle Time:
CPU idle time is the period of time when the CPU has no task including the External
Communication Function, averaged over every 60 seconds. Idle time is meant for handling
communication processes with SENG (online application logic monitoring, I/O lock window
operation, etc.) and communication requests from BPCS by the CPU of SCS.

Figure 3-9 - Scan time overview of FCS

3.4.3 ProSafe-RS SCS Operating Mode


The operating mode indicates the operating status of the SCS. The operations of each function
executed by the system program of SCS are determined by the operating mode.
The SCS operating mode can be one of the following five types:


 Stop mode
 Loading mode
 Initial mode
 Waiting mode
 Running mode
3.4.3.1 Operating Mode of SCS
An overview of the operating modes is provided below.
 The operating mode indicates the overall operating status of SCS, not the status of each
output module.
 The operating mode indicates the status of a single SCS, regardless of whether the
configuration of CPU of SCS is single or dual-redundant.
 If CPU of SCS is dual-redundant, the operating mode does not shift even if the control right
of CPU is switched.

Figure 3-10 - SCS Operating Mode Status Shift


The SCS modes are Stop Mode, Loading Mode, Initial Mode, Waiting Mode and Running Mode; each of
these modes is described below.
 Stop Mode (Stopped Status): This is the initial state of the SCS.
 Loading Mode (During Off-line Download): In this mode, program and database are being
downloaded from the SCS Manager to the SCS.
 Initial Mode (Initializing Status): In this mode, the SCS is initializing databases, processing
the diagnostic at start-up and starting the input/output modules, all of which are necessary
following an initial cold start. If started successfully, input modules set input values in the
applicable input variables. If the start-up of any input module has failed, an error is
recognized for the module. With output modules, the outputs of all channels remain disabled
even after the start-up is completed, so that the output values from the application logic shall
not be output to the field immediately. Subsystem communication modules communicate the
inputs only, while their outputs remain disabled.


 Waiting Mode (Waiting for Output Enable Request): Application logic is periodically executed
on each scan time. However, if the status of any output channel is faulty, the result of the
application logic shall not be reflected in physical output, and the status of the faulty output
channel is set to “Output Disable”.
 If the “Output enable operation” is executed just after starting up the SCS, the SCS also
enables the output of inter-SCS safety communication, SCS Link Transmission and
subsystem communication. The Waiting mode status can be checked in the SCS State
Management Window on the SENG and the LED display of the CPU module.
 Running Mode (Controlling Status): This mode indicates that the SCS is running normally.
All output channels of safety output modules are normal and physically transferring the
output values from the application logic. The Running mode status can be checked in the
SCS State Management Window on the SENG and LED display of the CPU module.
 Output Status Monitoring: All output channels of safety output modules are monitored. If any
of the channels becomes “Output Disable” status due to a failure in the corresponding
module or in the output channel itself, or after adding new channels during online
modification, the SCS shall change its operating mode to the Waiting mode. The operating
mode changes to the Running mode when the cause of the channel failure is removed, the
output enable operation is completed and all output channels are placed in the Output
Enable status.
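The mode transitions described in 3.4.3.1 form a small state machine; the following is an added example in Python (not ProSafe-RS code) that encodes them. The Scs class, its method names and the channel tags are constructed for illustration. It captures the points that matter for output handling: all output channels are "Output Disable" after start-up, the SCS only leaves Waiting mode once an output enable operation finds every channel enabled, output status monitoring drops it back to Waiting when any channel becomes disabled (fault or a channel added online), and a control-right switch between redundant CPUs does not shift the mode.

```python
class Scs:
    """Operating-mode state machine of one SCS (single or dual-redundant CPU)."""

    MODES = ("Stop", "Loading", "Initial", "Waiting", "Running")

    def __init__(self, output_channels):
        self.mode = "Stop"
        # status per safety output channel: "Output Enable" / "Output Disable"
        self.outputs = {tag: "Output Disable" for tag in output_channels}
        self.faulty = set()

    def _require(self, *modes):
        if self.mode not in modes:
            raise RuntimeError(f"operation not allowed in {self.mode} mode")

    def start_offline_download(self):
        """Stop -> Loading: program and database are downloaded from SCS Manager."""
        self._require("Stop")
        self.mode = "Loading"
        return self.mode

    def download_complete(self):
        """Loading -> Initial: databases initialise, start-up diagnostics, I/O modules start."""
        self._require("Loading")
        self.mode = "Initial"
        # Output channels remain disabled after start-up so that application
        # logic results are not written to the field immediately.
        self.outputs = {tag: "Output Disable" for tag in self.outputs}
        return self.mode

    def startup_complete(self):
        """Initial -> Waiting: application logic executes, outputs still disabled."""
        self._require("Initial")
        self.mode = "Waiting"
        return self.mode

    def channel_fault(self, tag):
        """Output status monitoring: a faulty channel forces Waiting mode."""
        self.faulty.add(tag)
        self.outputs[tag] = "Output Disable"
        if self.mode == "Running":
            self.mode = "Waiting"
        return self.mode

    def clear_fault(self, tag):
        """Cause removed; the channel stays disabled until the next output enable."""
        self.faulty.discard(tag)
        return self.mode

    def add_channel_online(self, tag):
        """A channel added during online modification starts disabled."""
        self.outputs[tag] = "Output Disable"
        if self.mode == "Running":
            self.mode = "Waiting"
        return self.mode

    def output_enable(self):
        """Output enable operation: Running only when every channel is enabled."""
        self._require("Waiting", "Running")
        for tag in self.outputs:
            if tag not in self.faulty:
                self.outputs[tag] = "Output Enable"
        if all(s == "Output Enable" for s in self.outputs.values()):
            self.mode = "Running"
        return self.mode

    def switch_control_right(self):
        """Control-right switch between redundant CPUs does not shift the mode."""
        return self.mode
```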

3.4.4 SCS Security Level


An SCS is equipped with a function to protect internal data from being overwritten by external
devices. It always monitors attempts to write data from outside and judges whether user operations
should be enabled or disabled according to the security level of the SCS. One SCS has one security
level. The security level indicates to what degree the SCS memory is protected from data writing
attempts from outside.
There are two security levels: an 'online level' used during normal operation of an
SCS and an 'offline level' used when the SCS is not operating. A change in SCS security level
can be protected either by a password or by an external two-way key switch.
At the online level, the SCS itself maintains security by managing and controlling memory access
from outside. It is sub-divided into two levels according to the functions that can be used:
 Level 2: The highest security level. The SCS runs at this level in normal operation.
 Level 1: A temporary security level used by authorized users for maintenance of equipment
and changing SCS applications online.
At the offline level, the SCS does not restrict access to the SCS from outside. The security level is
displayed at the SENG, and the SCS issues a diagnostic message for any change in the security level.
In this project, each SCS security level is controlled by an external two-way key (Configuration
Enable) switch located in the respective SCS system cabinet.


Figure 3-11 - Safety Control Station Security Level


Configuration Enable Switch:
Safety Engineering and Maintenance Workstation located at IER and FAR supports the modification
of SCS application logic & configuration and I/O forcing. To restrict such unauthorized modifications,
a hardwired configuration enable key switch shall be considered as discrete input for ‘each SCS’
and application program will be configured to link this switch to system diagnostic functions. The
configuration enable switch will be a 2-position selector switch provided with a key mounted in each
system cabinet, where SCS is located.
To meet this requirement, the SCS system ‘Security Level’ function shall be controlled by using this
external switch.
Basically, the configuration enable switch controls Level 2 (Configuration Disable) and Level 1
(Configuration Enable) of the SCS Security Level.

Columns: Selector Switch Position / Selector Switch Contact / Authorization Description

Selector Switch Position: Configuration Disable (Switch Turned Left)
Selector Switch Contact: OFF
Authorization Description: SCS security level is in Level 2: 'Configuration Enable' function is disabled; 'Force Enable' function is disabled (refer note).

Selector Switch Position: Configuration Enable (Switch Turned Right)
Selector Switch Contact: ON
Authorization Description: SCS security level is in Level 1: 'Configuration Enable' function is enabled; 'Force Enable' function is enabled.

Table 3-10: Configuration Enable Switch position
Note:
The existing forces will be maintained when the configuration enable switch is set to the disable position.
The forces can be released only after the configuration enable switch is set to the enable position.
Controls on the use of this switch shall be in place. All configuration enable switches shall be provided
with a unique number and a unique key lock. The keys shall only be removable from the key lock in
the 'disable' position. There shall be no 'master' key possible.
The details of the system function can be referred to in the SIS FDS - Software [!SIS FDS Software
Doc No.!].
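The switch-to-level mapping of Table 3-10 and the note beneath it can be expressed as a small access-control model. The following is an added example in Python, not ProSafe-RS code: the ScsSecurity class, its method names and the diagnostic message texts are constructed for illustration; only the rules come from the page, namely that the key switch selects Level 1 (ON) or Level 2 (OFF), that forcing and online changes are only accepted at Level 1, that forces already applied survive a return to Level 2 and can only be released at Level 1, that each level change produces a diagnostic message, and that the key is only removable in the disable position.

```python
class ScsSecurity:
    """SCS online security level driven by the Configuration Enable key switch."""

    def __init__(self):
        self.switch_on = False       # key switch OFF (turned left) = Configuration Disable
        self.level = 2               # online Level 2 in normal operation
        self.forces = {}             # tag -> forced value
        self.diagnostics = []        # diagnostic messages issued by the SCS

    @property
    def key_removable(self) -> bool:
        # Keys shall only be removable from the lock in the 'disable' position.
        return not self.switch_on

    def set_switch(self, on: bool) -> int:
        """Turn the key switch; any change in security level is announced."""
        self.switch_on = on
        new_level = 1 if on else 2
        if new_level != self.level:
            self.level = new_level
            self.diagnostics.append(f"SCS security level changed to Level {self.level}")
        return self.level

    def force(self, tag: str, value) -> bool:
        """'Force Enable' function: only available at Level 1."""
        if self.level != 1:
            self.diagnostics.append(f"force {tag} rejected at Level {self.level}")
            return False
        self.forces[tag] = value
        return True

    def release_force(self, tag: str) -> bool:
        """Forces can be released only while the switch is in the enable position;
        at Level 2 the existing forces are maintained."""
        if self.level != 1 or tag not in self.forces:
            return False
        del self.forces[tag]
        return True

    def online_change(self, description: str) -> bool:
        """'Configuration Enable' function: online modification only at Level 1."""
        if self.level != 1:
            self.diagnostics.append(f"online change '{description}' rejected at Level {self.level}")
            return False
        return True
```

Because the level is derived only from the physical switch position, whoever holds the numbered key for that cabinet is the authorisation check; the diagnostics list is what an operator or the SOE would see for every level change and every rejected attempt.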


In general, online modifications may be carried out at SENG located at Engineering Room. It is
expected that the actual on-line download to SCS is to be carried out using SENG located at FAR
physically after enabling ‘Configuration Enable Switch’ at SCS cabinet.


3.5 Maintenance Override Function


Maintenance override switches shall be used to inhibit trip initiators in order to enable maintenance
or on-line functional testing.
MOS shall be provided for all SIS system inputs with the exception of the following signals:
 Manual SIS shutdown push buttons
 Flame failure detection, axial displacement, vibration signals
 Limit / proximity switches
 Lamp test, acknowledge and reset push buttons etc.
MOS enable switches and selector switches
Maintenance override switches shall be configured for all 1oo1, 1ooN and 2ooN voted trip initiators.
This shall be implemented by defining a unique MOS group per UZ shutdown logic.
A maximum of one trip initiator may be overridden per protection group (UZ group) at any one time
(including automatic MOS).
The normal MOS shall be configured for 1ooN voted (e.g. 1oo2) transmitters, i.e. activation of MOS
shall inhibit the trip initiator from causing a shutdown. For 1oo2 voted initiators, activating
more than one MOS at a time shall be prohibited. Activation of MOS for one of the initiators in a 1oo2 voted architecture
shall result in voting degradation to a 1oo1 configuration.
The negative MOS shall be configured for 2ooN voted (e.g. 2oo2 and 2oo3) initiators. For 2oo2 and
2oo3 voted initiators, activating more than one MOS at a time shall be prohibited. A negative MOS
is a MOS that, when activated, forces the signal into the safe state (logical '0'). Activation of MOS
for one of the initiators in a 2oo3 voted architecture forces that signal into the safe state, resulting in voting
degradation to 1oo2 rather than 2oo2. Similarly, application of MOS for one of the initiators
in a 2oo2 voted architecture shall result in voting degradation to a 1oo1 configuration.
 MOS shall not be provided for SIS output signals.
Refer SIS FDS - Software [!SIS FDS Software Doc No.!] for MOS design details.
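The voting degradation rules above (normal MOS on 1ooN, negative MOS on 2ooN, at most one override per UZ group) can be checked with a voter that takes the active overrides into account. The following is an added example in Python, not the project's MOS logic: the function names, the boolean convention (True means the initiator is in its safe, logical '0', trip state) and the returned dictionary are constructed for illustration. A normal MOS removes the overridden initiator from the vote (1oo2 becomes 1oo1, 1oo1 becomes fully inhibited); a negative MOS forces the overridden initiator to the safe state, so it already supplies one of the required trip votes (2oo3 becomes 1oo2, 2oo2 becomes 1oo1). A second override in the same group, or an override of the wrong kind for the architecture, is rejected.

```python
def parse_architecture(arch: str) -> tuple:
    """'2oo3' -> (2, 3): k trip votes needed out of n initiators."""
    k, n = arch.lower().split("oo")
    return int(k), int(n)


def evaluate_group(arch: str, in_trip: list, mos: dict) -> dict:
    """Vote one UZ group's initiators with the active maintenance overrides.

    in_trip[i] is True when initiator i is in its safe (trip, logical '0') state.
    mos maps an initiator index to "normal" (1ooN: the initiator is inhibited and
    drops out of the vote) or "negative" (2ooN: the initiator is forced to the safe
    state and therefore already supplies one of the required trip votes).
    Returns the trip decision and the effective (degraded) architecture.
    """
    k, n = parse_architecture(arch)
    if len(in_trip) != n:
        raise ValueError(f"{arch} needs {n} initiator states, got {len(in_trip)}")
    if len(mos) > 1:
        raise ValueError("a maximum of one trip initiator may be overridden per UZ group")
    votes_needed, active = k, list(range(n))
    for idx, kind in mos.items():
        if kind == "normal" and k == 1:
            active.remove(idx)              # inhibited: cannot cause a shutdown
        elif kind == "negative" and k == 2:
            active.remove(idx)              # forced to safe state: counts as a trip vote
            votes_needed -= 1
        else:
            raise ValueError(f"{kind} MOS is not configured for {arch} initiators")
    trips = sum(1 for i in active if in_trip[i])
    return {"trip": trips >= votes_needed,
            "effective": f"{votes_needed}oo{len(active)}"}


def can_activate(mos: dict, idx: int) -> bool:
    """Enforce the one-override-per-group rule before a new MOS is accepted."""
    return len(mos) == 0 or (len(mos) == 1 and idx in mos)
```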


3.6 Hart Communication and Partial Stroke Test


HART Communication:
Analogue I/O modules with HART communication on ProSafe-RS allow the Instrument Asset
Management System (IAMS) (Yokogawa's Plant Resource Manager (PRM)) to control the HART
communication devices connected to the inputs and outputs of the SCS. HART modules also allow
IAMS to conduct a Partial Stroke Test (PST) on HART-supported valve positioners equipped with the
PST function.
The HART modules on ProSafe-RS are interference free and have no impact on the safety
functions of the SCS.

Figure 3-12 - HART Communication Schematic

The Analogue Input (SAI143-H) and Analogue output (SAI533-H) modules are in-built with HART
communication function. One HART device is connectable for each channel. Each channel is
equipped with a power supply function to the HART device.


"Smart" transmitters (HART) must be configured to "read only". Some means of security or special
procedural instruction must be provided to assure that these transmitters are not electronically
reconfigured during testing without proper authorization.
Partial Stroke Test:
In this project, for partial stroke testing, the SIS valve shall be provided with a smart positioner with
HART protocol wired to the SIS analog output card (HART pass-through type). The SIS valve will be
provided with a solenoid valve connected to the SIS system for trip.
To avoid spurious trips, 4 mA is set as full open and 20 mA is set as full closed for fail-close valves.
PST shall be initiated manually at the required testing intervals from IAMS. Once the PST command is
initiated at IAMS, a HART signal will be sent through the SIS analogue output module to the valve positioner
to partially stroke the valve. The position feedback signals and valve signature data from the positioner
will be sent to the PST software in IAMS via the SIS analogue output connection using the HART protocol. The
PST software analyses the stroke test and will notify the IAMS and HMI operator.
A trip condition will override the PST and will force the valve to its fail-safe position.
If valve position is used for trip action, then a limit switch or position transmitter (with the required SIL
rating) shall be used; it shall be hardwired to the SIS system to avoid spurious trips.
For automated partial stroke testing, application logic in the SIS will need to be programmed
considering partial closing of the valve (e.g. up to 20% valve stroke) based on the feedback signal.
The valve stroking limit is specified in IAMS and the partial stroking function is invisible to the SIS
application logic.
Depending on the smart positioner design, the failure of the SIS analog output may cause the SIS valve to
go to its fail-safe position. Refer IAMS FDS – [!IAMS FDS Doc. No.!] for PST details.
Refer SIS FDS - Software [!SIS FDS Software Doc No.!] for SIS system configuration related to
PST.
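The PST handling described above has three interacting rules: the 4 mA / 20 mA mapping for a fail-close valve, the stroke limit held in IAMS, and the trip that always overrides the test. The following is an added example in Python (not IAMS, PRM or ProSafe-RS code) that puts them together; the PartialStrokeTest class, the 20 % limit, the 2 % feedback tolerance and the pass/fail criterion are constructed assumptions, and the feedback evaluation stands in for the signature analysis the PST software performs.

```python
FULL_OPEN_MA, FULL_CLOSED_MA = 4.0, 20.0   # fail-close valve: 4 mA = full open, 20 mA = full closed


def closed_pct_to_ma(closed_pct: float) -> float:
    """Percent closed -> loop current on the SIS analogue output."""
    return FULL_OPEN_MA + (FULL_CLOSED_MA - FULL_OPEN_MA) * closed_pct / 100.0


def ma_to_closed_pct(ma: float) -> float:
    """Loop current -> percent closed (e.g. positioner feedback expressed in mA)."""
    return (ma - FULL_OPEN_MA) / (FULL_CLOSED_MA - FULL_OPEN_MA) * 100.0


class PartialStrokeTest:
    """PST request handling for one fail-close SIS valve.

    stroke_limit_pct is the limit configured in IAMS (assumed 20 %); tolerance_pct is
    an assumed acceptance band for the positioner feedback."""

    def __init__(self, stroke_limit_pct: float = 20.0, tolerance_pct: float = 2.0):
        self.stroke_limit_pct = stroke_limit_pct
        self.tolerance_pct = tolerance_pct

    def command_ma(self, trip_active: bool, pst_requested_pct: float = 0.0) -> float:
        """Output to the positioner: a trip wins and drives the valve to its fail-safe
        (full closed) position; otherwise a PST request is clamped to the stroke limit."""
        if trip_active:
            return FULL_CLOSED_MA
        stroke = min(max(pst_requested_pct, 0.0), self.stroke_limit_pct)
        return closed_pct_to_ma(stroke)

    def evaluate_feedback(self, commanded_pct: float, feedback_pct: float) -> dict:
        """Compare the positioner's position feedback with the commanded partial stroke."""
        deviation = abs(feedback_pct - commanded_pct)
        return {"pass": deviation <= self.tolerance_pct, "deviation_pct": deviation}
```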

Update as per project requirements


3.7 Sequence of Events (SOE)


SOE (Sequence of Events Recorder) is a function for recording events detected by an SCS so that
they can be used in analysis. With SOE, changes in analog inputs/outputs, discrete inputs/outputs
and application logic can be collected and saved as event information. Collected event information is
displayed in the SOE Viewer. Moreover, a function to synchronize to the standard time is provided
in order to maintain the accuracy of the time stamps attached to the events. Sequence of Events are
time stamped in the SIS system as follows:
 The time stamp resolution of events collected by a discrete input module is 1 millisecond.
 Other events (e.g. analog trip events, voted trip events, digital output events) are collected
by the CPU module and their time stamp resolution is equivalent to the SCS scan time. This is to
ensure the sequence of events is captured for the actual trip functions executed in the
application logic.

Figure 3-13 - SOE Function

Sequence of Events Recording includes:


 Trip initiators (analog/discrete trip inputs)
 Shutdown outputs (analog/discrete outputs)
 Manual trip inputs (Shutdown push buttons)
 Maintenance override status
 Operation override status
 I/O forced status
 Manual operations (logic resets, equipment reset, first up reset, acknowledge, lamp test
operated via HIS & console.)
 Voting alarm, first out alarm, cabinet alarms
 Diagnostic alarms
Event information is stored in the SOE event information storage memory of an SCS. There are two types of files in which event information can be stored: an event log file and trip signal files. An event log file stores the latest event information. In a trip signal file, events before and after each trip signal are saved.
The SCS creates only one event log file and always stores the latest information in it. The SCS event log file can store up to a maximum of 15000 events. If the number of events exceeds this maximum, the oldest events are deleted and overwritten by new events in 'first in, first out' (FIFO) sequence.
The SCS creates a trip file when a trip event is detected. The SCS creates at most two trip files if more than one trip event is detected. Each trip signal file stores 1500 events in total: the last 500 events generated before the trip event occurred and 1000 events generated after the trip event occurred. The trip signal file includes the trip event.
The Safety OPC Server collects the Sequence of Events (time stamped in the safety system) from the SCS via Vnet/IP. The Safety SOE OPC Server buffers (logs) the Sequence of Events locally and passes them to the OPC client (ALMS).
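The event log and trip file rules above, simulated in Python as an added example (not ProSafe-RS code): the 15000-event FIFO log, trip files of 1500 events (500 before the trip, the trip itself and the events after it) and the limit of two trip files are taken from the text; the Event record layout, the tag names and the `is_trip` flag are assumptions.

```python
"""Simulation of the SOE event log and trip signal file behaviour.

Added illustrative example, not Yokogawa code. Sizes come from the FDS text;
the trip event is assumed to count inside the 1000-event post-trip window so
that a trip file holds exactly 1500 events.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List

EVENT_LOG_MAX = 15000   # event log: oldest entries overwritten first-in first-out
TRIP_PRE = 500          # events kept from before the trip event
TRIP_FILE_SIZE = 1500   # total events per trip signal file, trip event included
MAX_TRIP_FILES = 2      # the SCS creates at most two trip files


@dataclass(frozen=True)
class Event:
    ts_ms: int              # SOE time stamp (1 ms resolution for DI module events)
    tag: str                # assumed tag naming, e.g. "PT-101.PV"
    value: str
    is_trip: bool = False   # assumption: trip events are flagged by the application


@dataclass
class TripFile:
    trip: Event
    events: List[Event] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return len(self.events) >= TRIP_FILE_SIZE


class SoeStore:
    """Models the SOE storage memory of one SCS."""

    def __init__(self) -> None:
        # a bounded deque drops the oldest entry when full (FIFO overwrite)
        self.event_log: Deque[Event] = deque(maxlen=EVENT_LOG_MAX)
        self.trip_files: List[TripFile] = []

    def record(self, ev: Event) -> None:
        # A new trip file snapshots the pre-trip history *before* the trip
        # event is appended to the log, then adds the trip event itself.
        if ev.is_trip and len(self.trip_files) < MAX_TRIP_FILES:
            pre = list(self.event_log)[-TRIP_PRE:]
            self.trip_files.append(TripFile(trip=ev, events=pre + [ev]))
        self.event_log.append(ev)
        # Every trip file still collecting post-trip events receives this
        # event (later trip events included) until it holds 1500 entries.
        for tf in self.trip_files:
            if tf.trip is not ev and not tf.complete:
                tf.events.append(ev)

    def oldest_ts(self) -> int:
        return self.event_log[0].ts_ms


def simulate(n_before: int, n_after: int, trips: int = 1) -> SoeStore:
    """Constructed scenario: n_before events, `trips` trip events, n_after events."""
    store = SoeStore()
    t = 0
    for _ in range(n_before):
        store.record(Event(t, "PT-101.PV", str(t)))
        t += 1
    for _ in range(trips):
        store.record(Event(t, "UZ-101.TRIP", "TRUE", is_trip=True))
        t += 1
    for _ in range(n_after):
        store.record(Event(t, "XV-101.ST", "CLOSED"))
        t += 1
    return store


if __name__ == "__main__":
    s = simulate(600, 2400)
    tf = s.trip_files[0]
    print(len(s.event_log), len(tf.events), tf.events[0].ts_ms, tf.events[-1].ts_ms)
```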

3.7.1 SOE OPC Interface


By using the SOE OPC Interface (server) provided by ProSafe-RS, it is possible to access the sequence of events information and diagnostic information of the SCS from OPC applications (clients) on the host computer. The OPC information from the SCS, containing the SOE event log and the diagnostic information log, can be transferred to an OPC client as shown in the schematic below.

Figure 3-14 - Scheme for OPC Connectivity


The Safety OPC Server collects the Sequence of Events (time stamped in the safety system) from the SCS via Vnet/IP. The Safety SOE OPC Server buffers the Sequence of Events and passes them to the Data Historian Server.
Process alarms are not collected by the Safety SOE OPC Server.
The ALMS is the Data and Alarm Historian. The alarms and events from the Safety OPC Server and the BPCS ExaOPC Server will be transferred to the Data Historian (with alarm historian). The alarms and events will be stored in the alarm historian of the data historian server for offline monitoring, alarm reporting and alarm analysis by the AAM alarm management tool.

Refer FDS – ALMS [!ALMS FDS Doc.No.!] for details.


Update as per project requirements

3.8 Safety and Interference Free Communication


ProSafe-RS supports Safety Communication for the exchange of safety-related information between SCSs in the same control bus domain or in different control bus domains.
An SCS is able to perform safety communication with other SCSs in the same domain as well as in different domains, which allows a safety loop meeting the requirements of SIL3 to be built between different SCSs connected via the control bus (Vnet/IP). The Vnet/IP control bus is a redundant communication network and safety communication also follows this redundant architecture.
Safety communication attaches safety information to the communicated data values; therefore, the receiving SCS can validate the received data values according to the safety information (safety layer). Due to this validation, safety communication data can be used in safety loops up to SIL3.
The following types of communication between controllers are possible:
• Inter-SCS Safety Communication, used between SCS and SCS (different domains): analog (REAL, DINT) data exchange between SIS controllers.
• SCS Link Transmission Safety Communication, used between SCS and SCS (same domain): discrete (BOOL) data exchange between SIS controllers.
• SCS Link Transmission Global Switch Communication (interference free), used between SCS and BPCS (same domain).
Refer to FDS – BPCS Software [!BPCS FDS Software Doc No.!] for BPCS to SCS communication details.
For automatic shutdown signals exchanged between SIS controllers using peer-to-peer communication, the response time via the safety network shall be carefully evaluated and shall not exceed the process safety time and/or the Licensor's requirements. Otherwise, hardwired signals using a single SIS controller shall be considered for the concerned UZ logic.
Inter-SCS Safety Communication:
Inter-SCS safety communication is achieved by function blocks dedicated to the purpose. The function block on the producing side sends the setting data as well as data for guaranteeing communication quality to the communicating SCS via the control bus. The communication path can be between SCSs in the same domain or SCSs in different domains.
The function block on the consuming side performs various tests on the received data to check its validity and only outputs data whose quality can be guaranteed. If data is judged to be incorrect as a result of these tests, the fail-safe (configurable) value preset on the consuming side is output.
If a communication error occurs during inter-SCS safety communication, the following operations are performed:
• The 'fail-safe' value preset on the function block for inter-SCS safety communication on the consuming side is output. The UZ application logic causes the SIF shutdown due to the fail-safe value.
• The communication status (parameter NR) becomes abnormal (FALSE).
• A diagnostic information message notifying about the error is output.
The following operations are performed when the system recovers from the communication error:

• The data value received from the producing side is output from the function block on the consuming side. However, the UZ application logic needs a logic reset function for SIF shutdown recovery.
• The communication status (parameter NR) becomes normal (TRUE).
• A diagnostic information message notifying about the recovery is output.

Figure 3-15 - Inter-SCS Safety Communication


SCS Link Transmission Safety Communication:


SCS link transmission safety communication data can be used between SCS within the same
domain and up to SIL3 safety loops. This communication supports only BOOL type data.

Figure 3-16 - SCS Link Transmission Safety Communication

When an error is detected by the safety layer, the SCS acts as follows:

• Initiate a system alarm on the diagnosis error.
• Set the statuses of the data received from the corresponding station to BAD.
• Use the fail-safe data values specified on the builder to replace the data values of the input FBs. The UZ application logic causes the SIF shutdown due to the fail-safe value.
When the diagnosis error is recovered, the SCS acts as follows. Since the error status is not latched, it may be necessary to make the application latch the error status.
• Initiate a system alarm on the recovery.
• Set the statuses of the data received from the corresponding station to GOOD.
• Input FBs use the data values that are refreshed after recovery. However, the UZ application logic needs a logic reset function for SIF shutdown recovery.
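The consumer-side behaviour described for Inter-SCS Safety Communication and for SCS Link Transmission Safety Communication (fail-safe substitution, NR going FALSE/TRUE, the application latching the trip until a logic reset), as an added Python illustration that is not ProSafe-RS code. The concrete safety-layer fields (sequence counter, producer time stamp, CRC-32, receive timeout) are assumptions chosen for the illustration; the page does not state what the safety information consists of.

```python
"""Consumer-side validation of safety communication frames (illustrative).

Added example, not Yokogawa code. Assumed safety-layer content: producer id,
sequence counter, producer time stamp (Vnet/IP synchronised), CRC-32 and a
receive timeout. Station names and values are constructed.
"""
import zlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SafetyFrame:
    producer: str    # assumed station id, e.g. "SCS0101"
    seq: int         # increases by one per frame from this producer
    ts_ms: int       # producer time (assumed synchronised over Vnet/IP)
    value: float     # process data (REAL for Inter-SCS, BOOL for link transmission)
    crc: int         # CRC-32 over the fields above


def _crc(producer: str, seq: int, ts_ms: int, value: float) -> int:
    return zlib.crc32(f"{producer}|{seq}|{ts_ms}|{value!r}".encode())


class ProducerFB:
    def __init__(self, station: str) -> None:
        self.station, self.seq = station, 0

    def produce(self, value: float, now_ms: int) -> SafetyFrame:
        self.seq += 1
        return SafetyFrame(self.station, self.seq, now_ms, value,
                           _crc(self.station, self.seq, now_ms, value))


class ConsumerFB:
    """Returns (output value, NR). NR is FALSE whenever the fail-safe value is used."""

    def __init__(self, expected: str, fail_safe: float, timeout_ms: int) -> None:
        self.expected, self.fail_safe, self.timeout_ms = expected, fail_safe, timeout_ms
        self.last_seq, self.last_rx_ms, self.last_value = 0, 0, fail_safe
        self.nr = True
        self.diagnostics: List[str] = []   # diagnostic information messages

    def _fail(self, reason: str) -> Tuple[float, bool]:
        if self.nr:                         # message only on the transition to abnormal
            self.diagnostics.append(f"ERROR: {self.expected}: {reason}")
        self.nr = False
        return self.fail_safe, False

    def receive(self, frame: SafetyFrame, now_ms: int) -> Tuple[float, bool]:
        if frame.producer != self.expected:
            return self._fail("unexpected producer")
        if frame.crc != _crc(frame.producer, frame.seq, frame.ts_ms, frame.value):
            return self._fail("CRC mismatch")
        if frame.seq <= self.last_seq:
            return self._fail("stale or repeated sequence")
        if now_ms - frame.ts_ms > self.timeout_ms:
            return self._fail("frame too old")
        self.last_seq, self.last_rx_ms, self.last_value = frame.seq, now_ms, frame.value
        if not self.nr:
            self.diagnostics.append(f"RECOVERED: {self.expected}")
        self.nr = True
        return frame.value, True

    def poll(self, now_ms: int) -> Tuple[float, bool]:
        """Called each scan without a new frame: a silent producer is an error too."""
        if now_ms - self.last_rx_ms > self.timeout_ms:
            return self._fail("receive timeout")
        return self.last_value, self.nr


class SifTripLatch:
    """UZ application logic: the fail-safe value trips the SIF and the trip stays
    latched after communication recovery until a logic reset is performed."""

    def __init__(self, low_trip: float) -> None:
        self.low_trip, self.tripped = low_trip, False   # assumed low-trip SIF

    def update(self, value: float) -> bool:
        if value <= self.low_trip:
            self.tripped = True
        return self.tripped

    def reset(self, value: float) -> bool:
        if value > self.low_trip:           # reset only accepted when healthy
            self.tripped = False
        return self.tripped
```

The fail-safe value (here -1.0) must lie in the trip region of the consuming logic, otherwise a communication loss would not drive the SIF to its safe state.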
SCS Link Transmission Global Switch Communication (Interference Free):
Through link transmission, the SCS can read the data of BPCS global switches. Vice versa, the BPCS can receive data from the SCS as global switches.
Since the BPCS and SCS are in different domains, this communication method cannot be used for this project.
Refer to FDS – BPCS Software [!BPCS FDS Software Doc No.!] for BPCS to SCS communication details.

Update as per project requirements

3.9 System Interface


3.9.1 Integration with Centum VP
The BPCS HIS provides visibility of the SIS systems for operations and maintenance. Each SIS system communicates with the BPCS via a redundant Vnet/IP link.
The configuration consisting of ProSafe-RS and Centum VP is called the 'Centum Integration' structure. This function provides a communication interface for accessing the SCS of ProSafe-RS from the HIS and BPCS of the Centum VP system. The figure below shows an example of the Centum Integration structure. The role of each station in the Centum Integration structure is as follows:
• SCS: To shut down the plant safely if a fault occurs in the plant.
• BPCS (FCS): To perform process control.
• HIS: To provide user interfaces for accessing BPCS and SCS data.
Through this function, operation and monitoring of the SCS from the HIS uses the same interfaces (windows) as operating and monitoring the BPCS.
Failure of communication links between the BPCS and SIS shall neither generate spurious trips nor affect the integrity of SIF functions.

Figure 3-17 - Centum VP Integration

3.9.2 CCR Operator Console Interface


This needs to be updated as per project requirement.
The main operator interface for the SIS system will be through the BPCS operator consoles located in the MCRs of the complex. All alarms and status indications are to be displayed on the HMI operator consoles. In addition, HMI operators interface with the SIS for equipment shutdown, resets, operational overrides (OOS) and maintenance overrides (MOS) in the CCR.

An SIS switch cabinet and a DPV switch cabinet shall be considered in each group within each HMI operator console, for the hardware activation push-button switches and lamps. The SIS hardwired console, located as a part of the operator console, consists of:
• SIS shutdown switches
• Depressurising valve switches
• SIS MOS enable key switch
• SIS SOS switches
• Status lamp indicators
SIS Switches:
The SIS switches shall be of different shapes/types (mushroom type, pressing type, protective cover, etc.) and different colours according to emergency level. SIS switches shall require double action (e.g. two separate mechanical movements). Switches shall be equipped with protective covers to avoid spurious action and with internal lamps.
MOS Enable Key Switch:
The MOS Enable is the key switch on the SIS switch cabinet. A separate MOS confirm indication lamp (yellow) on the SIS switch cabinet shall be derived from a DO of the SIS system only. This is to ensure that the MOS Enable key switch is activated, that the SIS logic solver has received the MOS Enable command, and that the actual feedback of the MOS confirm lamp is derived from the SIS logic.
A lamp test facility, colour-engraved nameplates and plug-in terminal boards for external wiring shall be provided.
Remote I/O:
The SIS switches (push buttons), MOS and SOS switch statuses and lamps located in the CCR console are hardwired to Remote I/O nodes located in the CCR Equipment Room, segregated per FAR/SIS controller. The FAR SIS controller is directly connected to the Remote I/O over fibre optic.
• Separate Remote I/O nodes in the MCB shall be provided per SIS controller group in the FAR. The SIS push buttons and light indicators are powered by the SIS.
• The SIS switches are line monitored. Refer to the section on discrete input line monitoring in this FDS.

3.9.3 Interface with other systems


This needs to be updated as per project requirement.
By default, the interface with a subsystem or package control system shall be hardwired to the SIS system.
Interface to FGS:
Interfaces between the SIS and FGS systems are normally not expected, as a confirmed fire and gas detection should not automatically initiate a process shutdown.
In case of a specific requirement, the relevant shutdown signals issued from the FGS will be sent to the SIS through hardwired signals.

3.10 Time Synchronisation


This needs to be updated as per project requirement.
The ProSafe-RS SIS systems use time synchronization over Vnet/IP. The structure of time synchronization is shown in the figure below.
The SIS system will synchronize its time with the Vnet/IP time master with a synchronization accuracy of 1 msec within a domain and 5 msec between domains.

Figure 3-18 - Time Synchronisation Schematic


The system time of an SCS station is synchronized with the Vnet/IP network time. Moreover, the DI module with SOER (sequence of event records) installed in the SCS also synchronizes its time with this network time through the SB/ESB buses. This time synchronization method is called 'Vnet/IP Time Synchronization'.
Refer to BPCS FDS – Software [!BPCS FDS Software Doc No.!] for details.

Interface with Machinery Condition Monitoring System (MCMS):


The trip signals from the MCMS (vibration, temperature, speed) shall be volt free and hardwired to the SIS system. Voting of trip signals shall be conducted in the MCMS.
Interface with Package Control System PLCs:
The trip signals from the SIS/BMS to a PLC shall be hardwired via interposing relays located in the PLC cabinet. The relays shall be driven from 24 Vdc signals powered from the SIS system. Trip signals from a PLC to the SIS shall be provided through volt-free contacts in the PLC.
Interface to Electrical Substation:
The trip signals from the SIS to HV/LV motors/switchboards or VSDS shall be hardwired via interposing relays located in the IRP in the substation. The relays shall be driven from 24 Vdc signals powered from the SIS system.

3.11 System Power-on Start (Black start)


This needs to be updated as per project requirement.
An SCS always performs the initial cold start processing when it starts up. It does not have a function that allows it to resume the operating mode it was in before stopping.
All overrides and forces existing on the system will be initialized and reset upon a power-on restart of the system.
All output channels from the SIS system remain physically de-energized after a power-on cold start/restart until an "Output Enable" operation is performed on the system.
All Inter-SCS communication outputs remain de-energized after a power-on cold start/restart until an "Output Enable" operation is performed.
The "Output Enable" operation is performed from the SENG for each SCS.

4 SIS Hardware specifications


SSC60D is shown below as an example; if the project uses S2SC70D or SSC50D, the content should be changed accordingly.
All modules used in the project need to be updated, including project-specific requirements and any technical memos, service notes etc., since only sample modules are shown here.

4.1 Safety Control Station


4.1.1 Safety Control Unit (CPU Node)
A Safety Control Station (SCS) consists of a Safety Control Unit (SCU) and optionally other Safety Node Units (SNU). An SCU is basically the rack housing the ProSafe-RS CPU modules and I/O modules, while an SNU houses ProSafe-RS I/O modules only.
The standard type of duplex SCU (model SSC60D) is used in this project. This SCU has a redundant configuration for power supply modules, processor modules and ESB bus coupler modules. The SCU also includes insulating bushes for isolating the unit from the cabinet frame.
The components of the SCU are illustrated in the figure below.

Figure 4-19 - Safety Control Unit

Item | Specifications
Model | SSC60D
Voltage & Frequency | 100 ~ 120 VAC & 60 Hz
CPU Unit | SCP461 Redundant
Power Supply Units | SPW481 Redundant (100 to 120 V AC Power Supply)
ESB Modules | SEC401 Redundant
Power Consumption of Unit | 200 VA
Mounting type | 19" Rack
Table 4-11: Safety Control Unit Specification

4.1.2 Safety Node Unit (I/O Node)


The node units (local or remote nodes) which house I/O modules are signal processing units, which convert and transmit the process I/O signals received from the field devices through the process I/O modules to the SCU.
The standard type of SNU (model SNB10D) is used in this project. The SNB10D node unit has interface functions that communicate the analogue I/O signals and contact I/O signals of the field with the SCU via an ESB bus.
The components of the SNU are illustrated in the figure below.

Figure 4-20 - Safety Node Unit


Item | Specifications
Model | SNB10D-XXX
Voltage & Frequency | 100 ~ 120 VAC & 60 Hz
Power Supply Units | SPW481 Redundant (100 to 120 V AC Power Supply)
ESB Modules | SSB401 (Redundant)
Power Consumption of Unit | 200 VA
Mounting type | 19" Rack
Table 4-12: Node Unit Specification
Remote I/O
The I/O signals at remote locations are connected to the SCU using an SNB10D and remote I/O communication modules (also called a Remote I/O node). Remote I/O nodes are connected to the SCU via a redundant fibre optic (FO) link. The power supply modules and ESB bus interface modules are always dual-redundantly configured. The SCU also includes insulating bushes for isolating the unit from the cabinet frame.

4.1.3 Processor Module


The processor module (model SCP461) in dual redundant configuration is selected. It contains a MIPS R5000 processor with 128 MB memory capacity and supports Vnet/IP.
The front and rear views of the processor module are illustrated in the figure below. Behind the front cover, the batteries (Li battery) used to protect the processor module management information (in the storage memory) during a power failure are installed. DIP switches for setting the domain number and station number are placed at the rear of the processor module.
External View:

Figure 4-21 - Processor Module External View


The SCS always performs an initial cold start when it is started up, i.e. variable values maintained dynamically by the SCS are initialized. System programs and databases that were downloaded offline, and changes made online, are saved in flash memory (non-volatile memory) and restored at start-up. The flash memory is located within the CPU module and does not require battery backup.
When the SCS is started up, the system diagnostic information and the SOE data log information are kept in battery-backed memory, which may remain without being initialized. This battery-backed memory can retain data for approximately 300 hours even if the power supply to the SCS fails. The system issues a diagnostic alarm for a battery fault. A battery fault does not harm CPU performance, and the battery can be replaced online.

Switches on the Processor module (Front):

Figure 4-22 - Processor Module - Front & Rear Switches


• START/STOP switch: This maintenance switch is used to force the processor module CPU to stop or restart. If this switch is pressed while the processor module is operating, the CPU stops. If it is pressed while the processor module is not operating, the CPU restarts. The switch is located inside a hole next to the START/STOP sign and can be operated using a non-conductive slender bar of around 1 to 2 mm diameter.
• Battery ON/OFF switch: When this switch is ON, battery backup is activated to protect the processor module management information (in the storage memory) during a power failure.
  ON: Enables the backup. Select this position during normal operation.
  OFF: Disables the backup.
• Front setting switch (6-bit DIP switch)
  - PORT: Port for maintenance (in normal operation, set to the OFF position).
  - DOMN: Shows on the STATUS LED the domain number set on the processor module when this switch is ON (in normal operation, set to the OFF position).
  - STA: Shows on the STATUS LED the station number set on the processor module when this switch is ON (in normal operation, set to the OFF position).
  - FIX: Vnet/IP communication negotiation (default: OFF)
    - ON: Force
    - OFF: Auto
• Domain switch (rear side)
  A domain is a range of stations connected on Vnet/IP. Set the domain number to a value between 1 and 31. To set a domain number, set the DIP switches as shown in Figure 4-22. Bits 2 and 3 must always be set to zero.
• Station switch (rear side)
  Set the station number to a value from 1 to 64. To set a station number, set the DIP switches as shown in Figure 4-22.

Status LEDs on the processor module:

Figure 4-23: Processor Module – status LEDs

4.1.4 Power Supply Modules


A power supply module (model SPW481) is connected to a 100 to 120 V AC main source and supplies isolated +5 V and +24 V to each installed I/O module through the backplane. Redundant power supply modules are mounted on both the CPU nodes and the I/O nodes of an SCS.
The SCS monitors the power supply status at regular intervals and, if an error occurs, notifies the user via the status display window of the SENG and HIS as well as through a diagnostic information message.

Figure 4-24 - Power Supply Module External View

4.1.5 ESB Bus Coupler module


ESB bus coupler module (Model: SEC401) is installed in the safety control unit for communicating
with the ESB bus interface module installed in the safety node unit. The ESB bus coupler module is
always dual-redundantly configured.

Figure 4-25 - ESB Bus Coupler Module External View

4.1.6 ESB Bus Interface Module


ESB bus interface module (Model: SSB401) is installed in the safety node unit for communicating
with the ESB bus coupler module installed in the safety control unit. The ESB bus interface module
is always dual-redundantly configured.

Figure 4-26 - ESB Bus Interface Module External View


ESB Bus Connector:
The ESB bus connector is connected to a connector unit for the ESB bus (shown in the following figure) via an ESB bus cable (YCB301).
Connect the ESB bus cable connector to a connector unit with terminator for the ESB bus in order to terminate the ESB bus.

Figure 4-27 - Connector Unit for ESB Bus and Connector Unit with Terminator for ESB Bus

4.1.7 Optical ESB Bus Repeater Module (for Remote Node)


An optical ESB bus repeater module is used to convert the electrical signals sent through the ESB bus into optical signals and transmit them to Remote Safety Node Units. For transmission distances up to 5 km, the following master/slave fibre-optic module combination is used:
• Model SNT401: Optical ESB bus repeater master, for installation on an SCU or SNU
• Model SNT501: Optical ESB bus repeater slave, for installation on an SNU

Figure 4-28 - Optical ESB Interface Module External View


The fibre-optic cable specifications for the optical ESB bus repeater modules are given below:

Figure 4-29 - Fiber-optic Cable Specifications for Optical ESB

4.1.8 ESB Bus Cable


The ESB bus uses the dedicated communication cable YCB301 as shown in figure.

Figure 4-30 - Pre-fabricated ESB Bus Cable (YCB301)

4.1.9 Modbus Communication Module


This module is not used for the SIS system in this project / include details of the modules applicable for the project.
This section needs to be updated as per project requirement.

4.2 Input and Output Modules


All modules used in the project need to be updated, since only sample modules are shown here.
The ProSafe-RS input and output modules (IOM) include the following types:
• Analog Input (AI) / Analog Output (AO) modules
• Digital Input (DI) / Digital Output (DO) modules
I/O modules are plug-in modules mounted in defined slots on the SCU and SNU. Slots 1 to 8 of a node can accept all types of I/O modules.
Communication with the ESB bus is through the backplane. All data from the SCU to I/O modules mounted in an SNU is transferred via the ESB bus.
All I/O modules come with either a signal cable interface adaptor or a pressure clamp terminal block. The signal cable interface adaptor is used to connect the prefabricated system cable to the termination board. The pressure clamp terminal block is used to wire the I/O module directly to the field interface terminal. Pressure clamp terminal blocks shall not be used in this project.
All the modules can be used in redundant or non-redundant configuration. These modules can be installed in any I/O module slot in the CPU rack or NIU. However, redundant modules must be installed in adjacent slots in the same NIU.
The following sections provide a summary of the I/O modules, termination boards, system cables and the specification of each type of IOM that will be used in this project.
Model | Specification | No of I/O channels | Termination Board | System Cable
Analog I/O Modules
SAI143-H | Analog Input Module (4~20mA, HART) | 16 | Non-IS: Yokogawa; IS: HiCTB16-YRS-RRB-KS-CC-AI16 with isolator HiC2025ES | KS1
SAI533-H | Analog Output Module (4~20mA, HART) | 8 | Non-IS: Yokogawa; IS: HiCTB08-YRS-RRB-KS-CC-AO08 with isolator HiC2031 | KS1
Digital I/O Modules
SDV144 | Digital Input Module (24Vdc, potential free contact) | 16 | Non-IS: Yokogawa; IS: HiCTB16-YRS-RRB-AK-CC-DI16 with isolator HiC2831R1 | AKB331
SDV531-L | Digital Output Module (24Vdc, 0.6A/Channel) | 8 | Non-IS: Yokogawa; IS: HiCTB08-YRS-RRB-AK-CC-DO08 with isolator HiC2871 | AKB651
SDV541 | Digital Output Module (24Vdc, 0.2A/Channel) | 16 | Non-IS: Yokogawa; IS: HiCTB16-YRS-RRB-AK-CC-DO16 with isolator HiC2871 | AKB651
Table 4-13: I/O Module list

4.2.1 SIS Analog Input Design


The ProSafe-RS 16-channel, 4-20 mA analog input module SAI143-H will be used to process all SIS analog input signals.
The SIS analog input card powers the loop-powered SIS transmitters in two-wire configuration. If transmitters are of non-loop-powered configuration, the field 24 Vdc power supply located in the SIS marshalling cabinet powers the transmitters. The loop-powered (two-wire) or non-loop-powered (three- or four-wire) configuration of each transmitter has to be specified in the channel software parameter settings and in the channel jumper settings at input card level.
CONTRACTOR shall specify the list of non-loop-powered instruments along with the field wiring configuration (three- or four-wire) and the required source of power.
The signal filter function (damping) for the input signal shall be configured at transmitter level. Time delays for this purpose shall not be applied if the sum of the required delay time and the SIF response time (including the SIS response time, taken as twice the SIS scan time) exceeds the process safety time.
Signals which require surge protection (SPD) will be implemented using surge protection devices. For IS analog input signals, Ex-i certified barriers (isolators) will be considered. IS isolators shall be evaluated for SIL rating to meet the SIF SIL design target.
The square root function, if required, shall by default be implemented at the field transmitter. In exceptional cases, this function shall be configured at AI card level instead of at application logic level.
Refer to the ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for details about the SPD and isolator specifications and their SIL rating.
Item | Specifications
Model | SAI143-H
Number of input channels | 16-channel, module isolation
Rated input range | 4 to 20 mA
Permissible input range | 0 to 25 mA
Input impedance during P-ON | 272.5 Ω (20 mA) to 362.5 Ω (4 mA)
Input impedance during P-OFF | 500 kΩ minimum
Rated accuracy | ±16 μA
Temperature drift | ±16 μA/10 °C
Transmitter power supply | 16.15 V minimum (at 20 mA), 26.4 V maximum (at 0 mA) (output current limit: 25 mA)
2/4-wire setting | Individual channel setting (changed by setting pins)
SIL support | SIL3 capable
Redundancy | Can be configured dual redundant for increased availability
Electronic current limit | 25 mA/channel
Coating | G3
Table 4-14: SAI143-H Specification

4.2.2 Analog Output Design


In this project, for partial stroke testing, the SIS valve shall be provided with a smart positioner with HART protocol wired to the SIS analog output card (HART pass-through type).
The ProSafe-RS 8-channel, 4-20 mA analog output module SAI533-H will be used to process all SIS analog output signals.
The SIS analog output card powers the loop-powered SIS smart positioner in two-wire configuration.
Signals requiring surge protection (SPD) will be implemented using external surge protection devices.
All analog outputs are IS signals. Ex-i certified barriers (isolators) will be considered. IS isolators shall be evaluated for SIL rating to meet the SIF SIL design target. The IS isolators are mounted on the termination board (mother board).
Refer to the ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for details about the SPD and isolator and their SIL rating.
Item | Specifications
Model | SAI533-H
Number of output channels | 8-channel, module isolation
Rated input range | 4 to 20 mA
Maximum range of guaranteed precision | 1.25 to 23 mA
Allowable load resistance @ rated range | 230 to 600 Ω
Rated accuracy | ±48 μA
Temperature drift | ±16 μA/10 °C
SIL support | SIL3 capable
Redundancy | Can be configured dual redundant for increased availability
Electronic current limit | 23 mA/channel
Coating | G3
Table 4-15: SAI533-H Specification

4.2.3 SIS Digital Input Design


The ProSafe-RS 16-channel, 24 Vdc discrete input card SDV144 will be used to process discrete signals.
In general, the discrete inputs connected to the SIS are:
• Process trip switches (initiators) with 'normally closed' contacts (e.g. pressure, level switches)
• Non-trip switches with 'normally open' contacts (e.g. MOS enable switch, reset switches)
• Permissive switches with 'normally open' contacts (e.g. limit switches)
• For IS NAMUR type proximity switches, an external IS isolator will be used as the signal conditioning interface.
• For voltage-carrying field switches, if any, an input interposing relay will be used. CONTRACTOR shall specify the list of such switches carrying voltages which require interposing relays, as part of the engineering inputs to the MAC.
Discrete inputs will be configured with filtering or very short time delays (10 ms) in the SIS application logic so as to mask contact bounce (contact chattering). The requirement shall be reviewed and shall be implemented only for process trip switches, case by case, in order to restrict the increase in SIF response time. CONTRACTOR shall specify the list of process trip switches requiring this function along with the filter timing.
The surge protection for input switches shall be implemented using surge protection devices. For IS
discrete signals, an external barrier (isolator) shall be considered. IS isolators shall be evaluated for
SIL rating to meet the SIF SIL design target. The IS isolators are mounted on the termination board
(mother board).
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for details about the SPD and isolator
specification and their SIL rating.
Item                        Specifications
Model                       SDV144
Number of input channels    16-channel, module isolation
Input signal                No-voltage contact; ON: 1 kΩ maximum, OFF: 100 kΩ minimum
Input current               6 mA ± 20 % (external power supply, 24 V DC at 0 Ω input)
External power supply       24 V DC +20 % / -10 %
Field wiring diagnostics    Install for individual channels at the field device end: SCB100, for defective open circuit detection while accepting OFF signals
SIL support                 SIL3 capable
Redundancy                  Can be configured dual redundant for increased availability
Electronic current limit    6 mA/channel
Coating                     G3
Table 4-16: SDV144 Specification

4.2.4 Discrete Output Design


The SIS shall support the following final element interface types:
• Solenoid valves with a coil voltage of 24Vdc.
• Interfacing relays (to motor control units) with a coil voltage of 24Vdc.
• Control room and/or local panel alarm lights with a lamp rating of 24Vdc.
The SIS shall provide the power for all output circuit loads, including the interposing relays required to interface
with a higher voltage system.
Safety SIS outputs to low voltage 24Vdc devices shall be switched through digital output modules
and not through relay contacts. CONTRACTOR shall ensure that inductive loads are installed with a
spark killer/freewheeling diode (e.g. inside the solenoid valve).
For particular applications where the field load exceeds the output switching rating (e.g. very high power
solenoids), an interface relay contact type output using SIL certified relays may be used. The contact
rating shall be selected according to the load specifications.
If the field load operating voltage is of a higher rating (e.g. burner ignition transformer voltage of
100Vac), then an interface relay contact type output using a SIL certified relay shall be used.
Rotating equipment stop (trip) circuit SIS final elements shall be implemented by a 24Vdc output
connected to the coil of an interposing relay. The trip signals from SIS to HV/LV motors/switchboards
or VSDS shall be hardwired via interposing relays located in the substation. The relays
shall be driven from 24Vdc signals powered from the SIS system. A contact of this relay shall be
wired into the motor switchgear.
For interface with package control system PLCs, the trip signals from SIS to the PLC shall be hardwired
via interposing relays located in the PLC cabinet. The relay shall be driven from a 24Vdc signal powered
from the SIS system.
Console LEDs/lamps shall be connected to redundant DO card channels from the MCB Equipment
Room SIS system remote nodes (of the respective FAR SIS controllers).
The CONTRACTOR shall consider the following electrical interface requirements for the selection of
SIS outputs:
• For the 8 channel DO card (SDV531L, 0.6 A/channel), the load (SOV) specification shall be in the
range of 40 Ω (OFF state) to 685 Ω (ON state).
• For the 16 channel DO card (SDV541, 0.2 A/channel), the load (lamp or relay) specification shall
be in the range of 120 Ω (OFF state) to 685 Ω (ON state).
• The OFF state represents the DO in the de-energized state and the ON state represents the DO in the
energized state.
• The field cable sizing and selection shall be in line with the working voltage and minimum
operating voltage of the selected field devices. CONTRACTOR shall consider cable voltage
drop in the field cable sizing calculations.
• The total capacitance of the ‘field devices’ and their ‘field cable wiring’ shall be
limited to < 0.1 µF for Normally De-energized outputs (solenoids) which require line
monitoring. CONTRACTOR shall select cables considering the total capacitance
requirement for the field device and the field cable run.
• For IS circuits, the ENTITY parameters (resistance, inductance, capacitance) as specified in the
IS barrier and Ex-i field device certificates should be considered.
If a SIS system has only a few interposing relay interface requirements or a few lamp outputs and the existing
SDV531L has sufficient spare outputs (excluding the project spare requirement), then these outputs
shall be combined on the SDV531L as part of I/O card optimization.
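As an added worked example (not part of the Yokogawa specification), the following Python script applies the SDV531L/SDV541 limits quoted in this section and in Tables 4-17 and 4-18 (load resistance range including field wiring, 0.6 A / 0.2 A per channel, 35 mA minimum load current, < 0.1 µF for line-monitored de-energized outputs, 24 Vdc minimum at the marshalling terminals) to a set of constructed output loops and reports every requirement each loop fails. The loop tags, cable constants and device data are assumed sample values, and taking exactly 24 V at the marshalling terminals as the worst case for the cable voltage drop is a simplifying assumption.

```python
"""Electrical interface check for ProSafe-RS discrete-output loops.

Added worked example (not Yokogawa code): applies the SDV531L / SDV541 limits
quoted in Section 4.2.4 to constructed output loops and lists unmet requirements.
"""
from dataclasses import dataclass

# Module limits as quoted in Tables 4-17 and 4-18 (ohms, amperes).
MODULES = {
    "SDV531L": {"r_min": 40.0, "r_max": 685.0, "i_max": 0.6},
    "SDV541": {"r_min": 120.0, "r_max": 685.0, "i_max": 0.2},
}
I_LOAD_MIN_A = 0.035      # minimum load current, both modules
CAP_LIMIT_NF = 100.0      # < 0.1 uF for line-monitored normally de-energized outputs
V_MARSHALLING_MIN = 24.0  # minimum voltage guaranteed at the marshalling terminals (4.4.3)


@dataclass
class OutputLoop:
    tag: str
    module: str
    r_load_on_ohm: float     # device resistance when energized
    r_load_off_ohm: float    # device resistance in the de-energized (line-monitoring) state
    cable_len_m: float
    cable_ohm_per_km: float  # DC resistance of ONE conductor per km (assumed cable data)
    cable_nf_per_km: float   # core-to-core capacitance per km (assumed cable data)
    device_nf: float         # capacitance of the field device itself
    device_min_v: float      # minimum operating voltage from the device datasheet
    line_monitored: bool     # normally de-energized output with line monitoring enabled


def cable_loop_resistance(loop: OutputLoop) -> float:
    """Go-and-return resistance of the field cable in ohms."""
    return 2.0 * loop.cable_ohm_per_km * loop.cable_len_m / 1000.0


def loop_capacitance_nf(loop: OutputLoop) -> float:
    """Total capacitance seen by the DO channel: cable run plus device."""
    return loop.cable_nf_per_km * loop.cable_len_m / 1000.0 + loop.device_nf


def check_loop(loop: OutputLoop) -> list[str]:
    """Return the list of findings for one loop; an empty list means compliant."""
    lim = MODULES[loop.module]
    findings = []
    r_cable = cable_loop_resistance(loop)

    # The load resistance range applies in both states and includes field wiring.
    for state, r_dev in (("ON", loop.r_load_on_ohm), ("OFF", loop.r_load_off_ohm)):
        r_total = r_dev + r_cable
        if not lim["r_min"] <= r_total <= lim["r_max"]:
            findings.append(f"{state} load {r_total:.1f} ohm outside "
                            f"{lim['r_min']:.0f}-{lim['r_max']:.0f} ohm")

    # Energized current, taking the worst case of exactly 24 V at the marshalling
    # terminals (simplifying assumption; the PSU itself is set higher per Section 4.4.3).
    i_on = V_MARSHALLING_MIN / (loop.r_load_on_ohm + r_cable)
    if i_on > lim["i_max"]:
        findings.append(f"ON current {i_on * 1000:.0f} mA exceeds "
                        f"{lim['i_max'] * 1000:.0f} mA/channel")
    if i_on < I_LOAD_MIN_A:
        findings.append(f"ON current {i_on * 1000:.0f} mA below minimum load current 35 mA")

    # Voltage left at the device after the cable drop.
    v_device = i_on * loop.r_load_on_ohm
    if v_device < loop.device_min_v:
        findings.append(f"device sees {v_device:.1f} V, needs {loop.device_min_v:.1f} V")

    # The capacitance limit applies only to line-monitored normally de-energized outputs.
    if loop.line_monitored and loop_capacitance_nf(loop) >= CAP_LIMIT_NF:
        findings.append(f"capacitance {loop_capacitance_nf(loop):.0f} nF not below 100 nF")
    return findings


# Constructed sample loops: tags, cable constants and device data are illustrative only.
SAMPLE_LOOPS = [
    OutputLoop("XV-1001", "SDV531L", 60.0, 60.0, 500.0, 12.1, 120.0, 10.0, 19.2, True),
    OutputLoop("XL-2001", "SDV541", 100.0, 100.0, 50.0, 12.1, 120.0, 0.0, 18.0, False),
    OutputLoop("XV-1002", "SDV531L", 60.0, 60.0, 1500.0, 12.1, 120.0, 10.0, 19.2, True),
]


def run_checks(loops=SAMPLE_LOOPS) -> dict[str, list[str]]:
    """Check every loop and return the findings keyed by loop tag."""
    return {loop.tag: check_loop(loop) for loop in loops}


if __name__ == "__main__":
    for tag, findings in run_checks().items():
        print(f"{tag}: {'OK' if not findings else '; '.join(findings)}")
```

The third sample loop shows how a long cable run alone pushes a compliant solenoid out of specification on both device voltage and line-monitoring capacitance, which is the reason the text asks CONTRACTOR to include cable data in the sizing calculation.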
Item                                   Specifications
Model                                  SDV531L
Number of output channels              8-channel, module isolation
Output voltage                         24 V DC (output voltage drop: 1 V maximum)
Maximum load current                   0.6 A/output line (4.8 A in total output of all the channels)
External power supply                  24 V DC +20 % / -10 %
Maximum leak current at output off     1.6 mA
Output format                          Current source
Minimum load current                   35 mA
Load resistance range                  40 to 685 Ω (resistance value of the load for both ON and OFF state, including the field wiring resistance)
SIL support                            SIL3 capable
Redundancy                             Can be configured dual redundant for increased availability
Electronic current limit               0.63 A/channel (short circuit limit)
Coating                                G3
Table 4-17: SDV531L Specifications
Item                                   Specifications
Model                                  SDV541
Number of output channels              16-channel, module isolation
Output voltage                         24 V DC (output voltage drop: 1 V maximum)
Maximum load current                   0.2 A/output line (3.2 A in total output of all the channels)
External power supply                  24 V DC +20 % / -10 %
Maximum leak current at output off     1.6 mA
Output format                          Current source
Minimum load current                   35 mA
Load resistance range                  120 to 685 Ω (resistance value of the load for both ON and OFF state, including the field wiring resistance)
SIL support                            SIL3 capable
Redundancy                             Can be configured dual redundant for increased availability
Electronic current limit               0.2 A/channel (short circuit limit)
Coating                                G3
Table 4-18: SDV541 Specifications

4.2.5 Accidental Insertion of Module Type


ProSafe-RS uses intelligent recognition of card insertion. If a wrong module type is inserted into a slot
configured for another card type, a system alarm is raised. No mechanical key is used in the
installation of I/O modules for the ProSafe-RS system.

4.3 Safety Engineering Station (SENG)


4.3.1 Safety Engineering PC
To configure the ProSafe-RS system, the CHS5100 Safety System Generation and Maintenance
Package needs to be installed on a general-purpose PC (IBM PC/AT-compatible computer). The
following Safety Engineering Workstations and servers are provided:
• One SENG Workstation for SIS in MTB along with SOE viewing function.
• One SENG Workstation for SIS in each FAR along with SOE viewing function.
• One SENG Server in MCB ER to maintain the centralized SIS project database.
• One SER Workstation in MCB ER along with SOE viewing function and SOE OPC server
function.
The Standard Operation and Monitoring Function runs on a computer, which meets the following
requirements:

Minimum Specification for Windows 7 Workstation Computers:

Minimum Specification for Windows 2008 Server R2 Computers:

Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for the project-specific
Workstation and Server specifications.

4.3.2 Control Bus Interface Card (Vnet/IP)


In a ProSafe-RS system, a Safety Engineering PC (SENG) is connected to the Safety Control Stations
(SCSs) via the Vnet/IP control bus interface card (VI702) installed in the SENG. A control bus
interface card is a communication card that is installed in PC/AT-compatible PCs.
A dedicated Vnet/IP interface card, model VI702 (for PCI Express slot), is installed in each SENG
located at the ER/FAR/MTB and in the SOE PC located at the ER, and is used for control communication and open
communication. The card has two ports, BUS1 and BUS2. Both ports support control
communication and open communication.

Figure 4-31 - Vnet/IP Interface card (VI702)

4.4 Cabinet Description


Cabinets are provided to house the various components in a logical arrangement convenient for
operation and maintenance. The following types of cabinets are provided:
• System Cabinets
• IS and Non-IS Marshalling Cabinets
• Remote I/O Cabinets
All cabinets are Rittal TS series with single leaf doors, for System and/or Remote cabinets. For
more details on the cabinets refer to the document ICSS Buyout Hardware Specification [!ICSS Buyout Doc.
No.!].

4.4.1 System Cabinet


The System Cabinet (SC) is designed to accommodate the following SIS hardware:
• Safety Control Unit (SCU)
• Safety Node Unit (SNU)
The SCU is mounted at the topmost part of the cabinet. The SNUs are mounted below the SCU.
SNUs are mounted at the front and rear of the cabinet depending on the number of SNUs provided.
A maximum of 10 node units can be installed in one cabinet. Two double pole MCBs are provided
at the bottom rear of the cabinet to receive two independent 120Vac single-phase supplies from
redundant UPS. The AC power is distributed to the SCU and SNUs by power distribution units installed
in the cabinet.
Four roof-mounted fans ensure that the temperature in the System Cabinet remains within limits. Two fans
diagonally opposite are connected to the primary UPS feeder and the other two to the secondary
UPS feeder. An RTD is installed at the top to monitor the cabinet temperature and generate a high
temperature alarm if the pre-set value is exceeded.
The remote I/O cabinet design shall be consistent with the SIS system cabinet, with the exception that
the power supply feed for the remote node of each FAR shall also be segregated.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for cabinet specification
details.

4.4.2 Marshalling Cabinet


Marshalling Cabinets (MC) are used for marshalling the field IS and Non-IS I/O signals. They fall
into the following types depending on the type of field signal:
• Analog & Digital Non-IS Signals Marshalling Cabinets
• Analog & Digital IS Signals Marshalling Cabinets
Marshalling cabinets are designed for front and rear access with single leaf doors and have
mounting plates in the front and rear to mount components. Digital signal and analogue (where
applicable) marshalling cabinets are provided with redundant 24V DC power supply units to power
the field devices.
Terminal boards, power supplies and relay boards are mounted on mounting plates. System cables
connect the terminal boards to the corresponding I/O modules in the System Cabinet. Cable trays are
provided in the cabinet to support the system cables.
Terminal blocks for termination of field cables are installed on DIN rails in the cabinet.
The maximum possible number of terminals will be installed in DI/DO cabinets and in AI/AO cabinets.
The terminals will be numbered to match the terminal numbering in the junction box. A name plate
will be provided for each block of terminals corresponding to the field junction box. The name plate
will include the row number. Cable overall screens will be terminated on a ground terminal block
mounted on an insulated DIN rail, which will be connected to the Instrument Earth bar. A PVC cable duct
adjacent to the terminal row serves to run the cables inside the cabinet.
Where practicable, dedicated marshalling cabinets will be provided for IS and Non-IS signals.
Where the I/O count does not justify dedicated cabinets, IS and Non-IS signals will be assigned to the front and
rear of the cabinet respectively. IS signal wiring ducts and terminals will be blue in colour. The
termination board for IS signals will include IS modules.
Depending on the heat dissipation requirement, fans will be provided on the roof of the cabinet to
circulate air inside the cabinet and ensure the cabinet temperature is within the specified limit of the
components in the cabinet.
ELCO boards will be used for interconnection between the SIS Switch cabinet and the marshalling cabinet.
All interconnect wiring between marshalling cabinets will use multi-core cabling supplied by
CONTRACTOR.
An RTD (where applicable) will be provided in the cabinet for cabinet temperature monitoring. An earth leakage
relay is provided in marshalling cabinets on the redundant 24V DC power supply for earth fault
detection and alarm.
Each marshalling cabinet will have earthing bars in the front and rear for the following grounding
requirements:
• Safety Earth bar (non-isolated)
• Instrument Earth bar (isolated)
DI and DO marshalling cabinets will be provided with two incoming double pole MCBs of
appropriate rating for the UPS incoming power supply.
Surge arrestors, where provided, will be installed in place of terminals.
For more details on the Marshalling Cabinet refer to the following documents:
• ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!], for cabinet specification
details.
• ICSS Marshalling Cabinet Typical Layout Drawing [XXXX], for details about the system cabinet GA
& wiring.

4.4.3 Field Power Supply


The AC/DC power supply converters within the SIS shall be 100% fault tolerant and redundant.
The SIS shall have a redundant power bus. All power supplies shall be replaceable on-line without
interruption to the SIS system performance.
24V DC field power supply units in N+N redundant configuration are provided for supplying power to
field devices.
SIS equipment (e.g. terminal boards) that supports redundant power feed terminals shall be wired
from each power distribution unit independently.
SIS equipment (e.g. relays) that does not support a redundant power feed shall be designed in such a
way that power redundancy is achieved using an external circuit consisting of power distribution from
each PSU, a diode block on the positive polarity of each PSU, and a bus bar arrangement.
The minimum supply voltage available at the marshalling terminals to discrete output powered field
devices (e.g. solenoid valves) shall not be less than 24 volts DC. To ensure availability of 24Vdc at the
marshalling cabinet, the 24Vdc field PSU shall be set to 26.5Vdc as a minimum. The maximum
voltage setting, if any, shall consider the operating voltage of the I/O interface devices (e.g. relays).

The power supply to the input and output circuits shall be floating (non-earthed). Hardware shall be
provided which automatically checks and alarms if the supply is not floating due to a fault in the
system. These alarms shall be included in the common cabinet utility alarm.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for field power supply
specification details.

4.4.4 Earth Leakage Detection


In each marshalling cabinet one common Earth Leakage detector for the 24V DC power supply
shall be provided. The detector shall consist of a detection/alarm system which continuously
monitors and alarms if one of the connected circuits has an earth fault. This alarm shall be part of the
common cabinet utility alarms.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for Earth Leakage Detection
specification details.

4.5 Grounding
Need to be updated as per project requirements.
Safety Control Units and Safety Node Units:
To protect them from external noise, the safety control units and the safety node units must be
grounded. Grounding is to be connected to an independent earth of resistance up to 100 ohm using
a grounding cable with a minimum nominal conductor cross-sectional area of 2.0 mm².
The safety control units, safety node units and node power supply modules shall be connected to the
‘Reference Earth’ in the cabinet.
SIS System Cabinets:
To avoid shock hazards and minimize the effects of external noise, the ProSafe-RS system must be
grounded with a ground resistance of 100 ohms or less through a grounding bus of 22 mm² or
thicker. When multiple ProSafe-RS cabinets are installed in the same room, the ground cables of
those cabinets may be connected to one ground bus inlet as illustrated below. A ground cable of at
least 5.5 mm² should be used to connect each cabinet to the inlet.

Figure 4-32 - ProSafe-RS Cabinets Grounding

Grounding for Surge Protection:


When lightning surge protectors are provided on power and signal lines, those SPDs shall be
grounded to the same bus as the ProSafe-RS system I/O modules.
Refer to BPCS FDS – Hardware [!BPCS FDS Hardware Doc. No.!] for details about the following earthing
descriptions:
• System Earth
• Instrument Earth
• Safety Earth
• Surge Arrestor Earth
Refer to ICSS Typical Grounding Scheme [XXXX] for details about the grounding specifications &
schematic.

4.6 I/O Interface Components Description


Need to be updated as per project requirements.

4.6.1 Surge Protection Device


Surge protective devices shall be provided for specified SIS inputs and outputs for instruments and
cabling located outside of protected areas, to limit transient over-voltages and divert surge currents
occurring mainly due to lightning. As the surge protection device shall be the first component of the
system connected to the field cabling, SPDs with loop disconnect provision for easy maintenance
shall be provided instead of terminals and installed in the marshalling cabinets.
When an instrument connected to the SIS is located in an unprotected area, all signals transmitted in
the same multicore shall also be protected with SPDs installed in the MDF.
SPDs shall have an auto-resetting function requiring no manual intervention, and on failure of an SPD due to open
or short circuit the corresponding loop alarm shall be generated in the system.
SPDs requiring periodic disconnection for testing or manual resetting are not allowed. Devices with
fuses shall not be applied. The SPDs shall be certified for use in an Ex-i circuit where applicable.
Suitably SIL rated SPDs shall be used to meet the design SIF SIL requirement. All SPDs selected
for use in this project are rated for minimum SIL2 applications.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for surge protection
specification details.

4.6.2 Barriers / Galvanic Isolators


Depending upon the area classification, the SIS I/O signals may be IS or Non-IS. For IS classified
signals, external IS barriers shall be used.
External IS barriers used for intrinsically safe circuits shall be of galvanic isolator / repeater type,
certified Ex-i.
All barriers for analog and discrete IS signals shall be installed on the IS termination boards. These
boards shall be DIN rail mounted in the marshalling cabinets.
For discrete input IS signals, the barrier shall support a line fault transparency function towards the discrete
input card. To support this, an end-of-line (EOL) resistor may need to be installed at the field device according to the barrier
data sheet.
Suitably SIL rated barriers shall be used to meet the design SIF SIL requirement. All IS barriers
selected for use in this project are rated for minimum SIL2 applications.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for barrier specification
details, and refer to Section 4.2 for the isolator models used in this project.

4.6.3 Signal Splitters


Where a splitter is used, the transmitters shall be loop powered from the SIS marshalling
cabinet.
For surge protected signals, the splitter shall be installed after the surge protector. The transmitter signal that
requires to be split may be a Non-IS signal or an IS signal.
For Non-IS signals, the splitter shall support one input and two outputs and shall be DIN rail
mountable.
For IS signals, the barrier shall be selected with one input and two outputs. In such a case, the barrier
is not part of the IS termination board. The barrier shall be DIN rail mountable.

Suitably SIL rated signal splitters shall be used to meet the design SIF SIL requirement. All splitters
selected for use in the Project are rated for minimum SIL2 applications.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for splitter details along with
SIL capability information.

4.6.4 Interposing Relay


Relays shall be used for replication of SIS system inputs or outputs when solid-state isolation
devices are incapable of meeting the signal isolation specifications.
For installation in indoor cabinets, electric relays shall be dust-tight. All relays are hermetically
sealed and shall be equipped with a status indicator LED. Relays shall be mounted in accordance
with the manufacturer’s recommendations.
When using relays, the line monitoring function shall be available up to the first interface point (i.e., the
relay) from the SIS DO module.
CONTRACTOR shall specify the line monitoring function requirement from the relay contact to the field
device.
Safety relays may need to be considered depending on the safety requirement for a specific SIS SIF, if
applicable.
Relay contact outputs, if provided with a wetting power supply, shall be provided with fuse protection.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for relay specification details.

4.7 Components Description


4.7.1 Terminal Boards
Need to be updated as per project requirements.
Terminal boards are used to connect field signals through terminal blocks or, for surge protected signals,
through surge protectors. System cables are used to connect the terminal boards and the I/O modules.
For connecting different I/O modules, various types of terminal boards are used.
The identified termination boards for Non-IS and IS signals are as follows:
• Analog Input Termination Board (Non-IS)
• Analog Output Termination Board (Non-IS)
• Digital Input Termination Board (Non-IS)
• Digital Output Termination Board (Non-IS)
The IS termination boards shall have on-board barriers (IS backplanes):
• Analog Input Termination Board (IS)
• Analog Output Termination Board (IS)
• Digital Input Termination Board (IS)
• Digital Output Termination Board (IS)
For the SIS, relay boards shall not be used. Depending on the SIF and application requirement, either DIN rail mounted
SIL 3 rated relays or general purpose relays shall be used.
Refer to ICSS Buyout Hardware Specification [!ICSS Buyout Doc. No.!] for termination board
specification details.
Refer to Section 4.2 for the terminal board models used in this project.

4.7.2 I/O System Cables


Need to be updated as per project requirements.
All inter-connecting cables between I/O modules and Non-IS terminal boards or IS backplanes are
classified as system cables. These are Yokogawa standard cables.
I/O Module               SAI143-H   SAI533-H   SDV144    SDV531L   SDV541
I/O System Cable Type    KS1        KS1        AKB331    AKB651    AKB651
Maximum Length           20 m       20 m       15 m      15 m      15 m
Table 4-19: I/O module vs. System cable

5 System Security
5.1 Necessity for Security
Along with recent advances in network and information technologies, the latest control systems
have adopted open technologies used in information systems, such as operating systems and communication
protocols. This has accelerated the establishment of close connections between information
systems and production control systems.
On the other hand, in this kind of open environment, production control systems are targeted by
malicious attackers, represented by computer viruses and other malware, that can cause hazardous incidents.
Nowadays, security threats aimed at control systems are increasing through malware (i.e. worms,
viruses, Trojan horses, etc.) and the appearance of Advanced Persistent Threats (APT) (i.e. targeted
attacks).
In order to operate industrial plants and factories in safe and stable conditions, it is essential to
protect the plants’ production equipment.

5.1.1 Security Control measures


This chapter explains how the security controls protect the production related assets from these
threats. The security countermeasures for the control system should be examined, designed, operated
and evaluated while process safety and physical defense are simultaneously taken into
consideration.
The following types of security features are implemented in this Project XXXX to ensure the
security of the safety systems:
• Network Architecture
• Antivirus Software
• Security Patch Management
• System Hardening
• Monitoring the System and the Network
• Windows Management
• Security Function of Yokogawa System Products
Other physical protection measures:
• Operator Training
• Management of Removable Devices
• Backup & Recovery

6 Appendices
6.1 3rd Party Material Selection – Compliance Check Sheets

Based on the Project requirement, the applicable 3rd party material selection check sheets are to be
attached.
The document numbers for the attachments are intentionally taken as the Hardware FDS template
number. The cover sheet of the attachment is to be deleted and it can be included in this same
document as appendices. The following items are listed for reference:

A. Analog Input Barrier


B. Analog Output Barrier
C. Cables
D. Console Items
E. Digital Input Barrier
F. Digital Output Barrier
G. Earth Leakage Monitor
H. General Purpose Relay
I. Network Switch
J. Personal Computer
K. Power Distribution Components
L. Power Supply
M. Printer
N. Safety Relay
O. Analog Signal Splitter
P. Surge Arrestor
Q. Terminal Boards


GES REVISION DETAILS

Revision History of This Toolkit Document

Rev.       Date (MM/DD/YY)   By                      Checked                    Approved     Description
R4.00.00   09/14/16          Author 1 (see below)    Reviewers 1 (see below)    Y. Yamada    Initial release
R4.01.00   11/21/18          A.Kushima               K.Suzuki                   K.Yoshida    Applied new format

Authors 1: Venkat, NSK
Reviewers 1: EP&GSME, Safety GSME team

Record of Change for This Toolkit Document

Revision: R4.00.00   Date: 09/14/2016

Location   Action          Description
All        Newly Created   Initial release

Revision: R4.01.00   Date: 11/21/2018

Location   Action          Description
All        Changed         Applied new format

Revision: Rn.nn.nn   Date: MM/DD/YYYY

Location                      Action                                                      Description
Chapter#, Section#, or All    Added, Changed, Re-written, Newly Created, Deleted, etc.    Describe specific revision topics for the specified location.

This section to be removed prior to document submission.
