Auma Ac 01.2-22x User manual

Multi-turn actuators

SA 25.1 –SA 40.1

SAEx 25.1 –SAEx 40.1

with actuator controls

AC 01.2 -22X/-22Y

ACExC 01.2 -22X/-22Y

Functional safetyManual

NOTICE for use!

This document is only valid with the latest operation instructions attached to the device, the attached manual as

well as the respectively pertaining technical and electrical data sheets.They are understood as reference

documents.

Purpose of the document:

The present document informs about the actions required for using the device in safety-related systems in

accordance with IEC 61508 or IEC 61511.

Reference documents:

●Operation instructions (Assembly and commissioning) for the actuator

●Manual (Operation and setting) AC 01.2/ACExC 01.2 actuator controls

●Manual (Device integration Fieldbus) AC(V) 01.2/AC(V)ExC 01.2 actuator controls

●Technical data for multi-turn actuator and actuator controls.

Reference documents are available on the Internet at: http://www.auma.com.

Table of contents Page

41. Terminology............................................................................................................................ 41.1. Abbreviations and concepts

62. Application and validity......................................................................................................... 62.1. Range of application 62.2. Standards 62.3. Valid device types

73. Architecture, configuration and applications...................................................................... 73.1. Architecture (actuator sizing) 83.2. Configuration (setting)/version 103.3. Protection against uncontrolled operation (self-locking/brake) 113.4. Operation mode (low/high demand mode) 113.5. Further notes and indications on architecture 113.6. Applications (environmental conditions)

124. Safety instrumented system and safety functions............................................................. 124.1. Safety instrumented system including an actuator 124.2. Safety functions 134.3. Safe inputs and outputs 134.4. Redundant system architecture 144.5. Examples of applications 164.6. System representation

175. Installation, commissioning and operation......................................................................... 175.1. Installation 195.2. Commissioning 195.3. Operation 205.4. Lifetime 205.5. Decommissioning

216. Indications on display............................................................................................................ 216.1. Status indications on SIL functions 226.2. SIL configuration warning 226.3. Backlight

Multi-turn actuators

Table of contents SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

237. Signals..................................................................................................................................... 237.1. Signals via SIL module 237.2. SIL - fault signal via the standards actuator controls display (for troubleshooting support) 247.3. Status signals via output contacts (digital outputs) of standard actuator controls 257.4. Signals via fieldbus of standard actuator controls

268. Tests and maintenance.......................................................................................................... 268.1. Safety equipment: check 268.2. Actuator monitoring for ESD safety function 268.2.1. Partial Valve Stroke Test (PVST): execute 288.3. Actuator monitoring for “safe end position feedback”safety function 288.4. Proof test (verification of safe actuator function) 298.4.1. Preliminary tests 298.4.2. Check Safe ESD safety operation “Safe OPENING/CLOSING”308.4.3. Check SIL fault signal “Actuator monitoring”318.4.4. Check Safe ESD reaction for “Motor protection (thermal fault)”signals 328.4.5. Check Safe ESD reaction to “Limit seating with overload protection”(limit and/or torque

evaluation) 338.4.6. Check Safe ESD reaction to “Forced limit seating in end position”(limit evaluation) –

for actuators with electromechanical control unit 348.4.7. Check Safe ESD reaction to “Forced limit seating in end position”(limit evaluation) –

for actuators with electronic control unit and limit switches 358.4.8. Check Safe ESD reaction to “Forced torque seating in end position”(torque after limit

evaluation) 358.4.9. Check Safe ESD reaction for “no seating”(no evaluation of limit and torque) 378.4.10. Check Safe STOP function 378.4.11. Check combination of Safe ESD and Safe STOP function 388.4.12. Check “Safe end position signal”safety function 398.5. Maintenance

409. Safety-related figures............................................................................................................. 409.1. Determination of the safety-related figures 419.2. Specific figures for AC 01.2 actuator controls in 22X or 22Y version with actuators of the SA .1

type range

4310. SIL Declaration of Incorporation...........................................................................................

47Index........................................................................................................................................

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Table of contents

1. Terminology

Information sources ●IEC 61508-4, Functional safety of electrical/electronic/programmable electronic

safety-related systems –Part 4: Definitions and abbreviations

●IEC 61511-1, Functional safety - Safety instrumented systems for the process

industry sector –Part 1:Framework, definitions, system, hardware and software

requirements

1.1. Abbreviations and concepts

To evaluate safety functions, the lambda values or the PFD value (Probability of

Dangerous Failure on Demand) and the SFF value (Safe Failure Fraction) are the

main requirements.Further figures are required to assess the individual components.

These figures are explained in the table below.

Table 1:Abbreviations of safety figures

DescriptionFull expressionAbbrevi-

ation Number of safe failuresLambda SafeλSNumber of dangerous failuresLambda DangerousλDNumber of undetected dangerous fail-

ures

Lambda Dangerous UndetectedλDU

Number of detected dangerous failuresLambda Dangerous DetectedλDD Diagnostic Coverage - ratio between

the failure rate of dangerous failures

detected by diagnostic tests and total

rate of dangerous failures of the com-

ponent or subsystem.The diagnostic

coverage does not include any failures

detected during proof tests.

Diagnostic CoverageDC

Mean time between the occurence of

two subsequent failures

Mean Time Between FailuresMTBF

Fraction of safe failures as well as of

detectable dangerous failures

Safe Failure FractionSFF

Average probability of dangerous fail-

ures on demand of a safety function.

Average Probability of dangerous Fail-

ure on Demand

PFDavg

Ability of a functional unit to execute a

required function while faults or devi-

ations are present.HFT = n means that

the function can still be safely executed

for up to n faults occurring at the same

time.

Hardware Fault ToleranceHFT

Interval for proof testProof test intervalTproof

SIL Safety Integrity Level

The international standard IEC 61508 defines 4 levels (SIL 1 through SIL 4).

Safety function Function to be implemented by a safety-related system for risk reduction with the

objective to achieve or maintain a safe state for the plant/equipment with respect to

a specific dangerous event.

Safety instrumented

function (SIF) Function with specified safety integrity level (SIL) to achieve functional safety.

Safety instrumented

system (SIS) Safety instrumented system for executing a single or several safety instrumented

functions.An SIS consists of sensor(s), logic system and actuator(s).

Safety-related system A safety-related system includes all factors (hardware, software, human factors)

necessary to implement one or several safety functions. Consequently failures of

safety function would result in a significant increase in safety risks for people and/or

the environment.

A safety-related system can comprise stand-alone systems dedicated to perform a

particular safety function or can be integrated into a plant.

Multi-turn actuators

Terminology SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

Proof test Periodic test performed to detect dangerous hidden failures in a safety-related system

so that, if necessary, a repair can restore the system to an "as new" condition or as

close as practical to this condition.

MTTR (MeanTimeTo

Restoration) Mean time to restoration once a failure has occurred. Indicates the expected mean

time to achieve restoration of the system.It is therefore an important parameter for

system availability.The time for detecting the failure, planning tasks as well as

operating resources is also included.It should be reduced to a minimum.

MRT (Mean RepairTime) Mean repair time indicates the mean time required to repair a system.The MRT is

crucial when defining the reliability and availability of a system.The MRT should

preferably be small.

Device type (type A and

type B) Actuator controls can be regarded as type A devices if all of the following conditions

are met for all components required to achieve the safety instrumented function:

●The failure modes for all constituent components involved are well defined

●The behaviour under fault conditions can be completely determined.

●There is sufficient dependable failure data from the field to show that the claimed

rates of failure are met (confidence level min. 70 %).

Actuator controls shall be regarded as type B devices if one or several of the following

conditions are met:

●The failure of at least one constituent component is not well defined.

●The fault behaviour is not completely known.

●There is insufficient dependable failure data to support claims for rates of failure

for detected and undetected dangerous failures.

PTC (ProofTest Cover-

age) Proof test coverage describes the fraction of failures which can be detected by means

of a proof test.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Terminology

2. Application and validity

2.1. Range of application

AUMA actuators and actuator controls in 22X or 22Y version are intended for

operation of industrial valves and are suitable for use in safety instrumented systems

in accordance with IEC 61508 or IEC 61511.

2.2. Standards

Both actuators and actuator controls meet the following requirements:

The safety figures of the devices described meet the requirements of IEC 61508:

2010 in the respective SIL level with regard to failure rates and architecture

requirements.However, this does not imply that all further requirements of IEC 61508

are met.

2.3. Valid device types

The data on functional safety contained in this manual applies to the device types

indicated.

Table 2:Overview on suitable device types

Power supplyType MotorActuator controlsActuator 3-phase ACAC 01.2 in 22X or 22Y versionSA 25.1 –SA 40.1 3-phase ACACExC 01.2 in 22X or 22Y versionSAEx 25.1 –SAEx 40.1

Hardware, software and configuration of actuator and actuator controls must not be

modified without prior written consent by AUMA. Unauthorised modification may

have a negative impact on both safety figures and SIL capability of the products.

Information In applications with requirements on functional safety, only AUMA actuator controls

and actuators in SFC , SIL, 22X or 22Y versions may be used.

AUMA actuator controls and actuators in 22X or 22Y version can among others be

identified from the letters “22X”or “22Y”on the name plate.

Figure 1: Example of name plate with “22X”marking.

Figure 2: Example of SA name plate with marking “22X”

Multi-turn actuators

Application and validity SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

3. Architecture, configuration and applications

3.1. Architecture (actuator sizing)

For actuator architecture (actuator sizing) the maximum torques, run torques and

operating times are taken into consideration.

Incorrect actuator architecture can lead to device damage within the safety-

related system!

Possible consequences:Valve damage, motor overheating, contactor seizure,

damage to the electronics, heating up or damage to cables.

→The actuator technical data must imperatively be observed when selecting the

actuator.

→Sufficient reserves have to be provided to ensure that actuators are capable of

reliably opening or closing the valve even in the event of an accident or under-

voltage.

Architecture when using the Safe STOP function

Information For the Safe STOP function, the motor is switched off, overrun may possibly occur!

Valve damage due to overrun!

→For the Safe STOP function, the overrun of the arrangement (actuator, gearbox,

valve) and the reaction time have to be observed.

→If the application requires self-locking of the actuator, please consult AUMA.

Architecture when using the Safe ESD function

Actuators with electromechanical control unit:

For “SIL seating”= “no seating”(without end position protection), we recommend:

●To prevent valve damage during safety operation, we recommend, depending

on the stiffness, sizing the valve to 3 –5 times the maximum actuator torque.

●To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

Actuators with electronic control unit MWG:

Information End position signalling (limit switching) and torque signalling via the electronic control

unit MWG are not considered as safe signals.

●To prevent valve damage during safety operation, we recommend, depending

on the stiffness, sizing the valve to 3 –5 times the maximum actuator torque.

●To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

Actuators with electronic control unit MWG including limit switches:

For “SIL seating”= “no seating”(without end position protection), we recommend:

●To prevent valve damage during safety operation, we recommend, depending

on the stiffness, sizing the valve to 3 –5 times the maximum actuator torque.

●To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Architecture, configuration and applications

Information For “SIL seating”= “Forced limit seating in end position”, the seating is performed

via limit switches in the end position.Since each switch has a hysteresis, the actuator

leaves the end position prior to limit switch release.Consequently, there is a marginal

range of actuator positions to the safety position, for which the limit switch is still

operated when leaving the safety position for which the Safe ESD function is therefore

NOT available. In this case, safety function triggering leads to actuator standstill. If

the range in question is approached from the opposite direction, this limitation does

not apply. In general this range is relatively small. However, for unfavourable config-

urations (low number of turns per stroke), this range can amount to more than 10 %

of the total stroke.

Should, within the framework of unfavourable conditions, the effect described above

represent an unacceptable limitation for the safety function, we recommend applying

the configuration “Forced torque seating in end position”or “no seating”for safety

operation.

Architecture when using the “safe end position feedback”

Safe end position feedback is exclusively available with the 22Y version. Only the

mechanical end position switches directly wired to the customer output may be used

for safe end position feedback.The signals at the DOUT 1 –DOUT 6 outputs of the

I/O interface, the analogue outputs designated with AOUT and the fieldbus interfaces

of the AC.2 / ACExC .2 do not represent safe feedback within the meaning of

functional safety.

Information For the “Safe end position feedback”safety function, heed that signalling is made

via mechanical switches.Since these elements have an unavoidable hysteresis, the

actuator slightly leaves the end position before the end position signal is deleted.

Consequently, there is a marginal range of actuator positions to the safety position,

for which the end position is still signalled although the actuator has already left the

end position during operation from safety position.If the range in question is ap-

proached from the opposite direction, this limitation does not apply. In general this

range is relatively small. However, for unfavourable configurations (low number of

turns per stroke), this range can amount to more than 10 % of the total stroke.

Should, within the framework of unfavourable conditions, the effect described above

represent an unacceptable limitation for the safety function, we recommend evaluating

both limit and torque switches for the end position feedback.

Power supply

Information The plant operator is responsible for power supply.

3.2. Configuration (setting)/version

Configuration (setting) of safety-related functions is defined in the factory during

actuator controls assembly and validated during final inspection. Subsequent

modification of the configuration by the plant operator is not permissible.

General functions are set as described in the Operation instructions or the Manual

(Operation and setting) AUMATIC AC 01.2.

Configuration of safety-related functions is listed in the order-related technical data

sheet.

Multi-turn actuators

Architecture, configuration and applications SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

Configuration options for safety function

Table 3:

Configuration options for safety function

Short descriptionConfiguration

SIL function

Safe CLOSINGSafe ESD CLOSE/CLOSE

Safe OPENINGSafe ESD OPEN/OPEN

Safe STOP in direction CLOSE and direction OPENSafe STOP CLOSE/OPEN

Safe CLOSING and safe STOP in direction CLOSE and direc-

tion OPEN

Safe ESD CLOSE/CLOSE + Safe STOP

CLOSE/OPEN

Safe OPENING and safe STOP in direction CLOSE and direc-

tion OPEN

Safe ESD OPEN/OPEN + Safe STOP

CLOSE/OPEN

When configuring a Safe ESD function and a Safe STOP function, the Safe ESD

function is always prioritised compared to the Safe STOP function when requested

simultaneously.

Seating configuration options

Information Seating of standard actuator controls should be configured as set forth in the tables

below.

Table 4:

For actuators with electromechanical control unit:

Configuration

Type of seating

Standard actuator controls

Short descriptionConfiguration

SIL seating type

Freely selectableNo seating by limit or torque switches during

safety operation

1 = No seating

Torque seatingSafety operation is stopped if both limit and

torque switches trip simultaneously

2: Forced torque seating

in end position

Limit seatingFailure operation is stopped by limit switch trip-

ping

3: Forced limit seating in

end position

Limit seatingFailure operation is stopped by tripping the limit

switches and/or the torque switches (overload

protection).

4: Limit seating with

overload protection

Table 5:

for actuators with electronic control unit MWG

Configuration

Type of seating

Standard actuator controls

Short descriptionConfiguration

SIL seating type

Freely selectableNo seating by limit or torque switches during

safety operation

1 = No seating

Table 6:

for actuators with electronic control unit MWG including limit switches

Configuration

Type of seating

Standard actuator controls

Short descriptionConfiguration

SIL seating type

Limit seatingFailure operation is stopped by limit switch trip-

ping

3: Forced limit seating in

end position

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Architecture, configuration and applications

Configuration options for motor protection assessment

Table 7:

Configuration options for motor protection assessment

Short descriptionConfiguration

SIL motor protection

Tripping of the motor protection (thermal fault) stops or prevents safety oper-

ation

Active

Motor protection has no impact on the safety operationInactive

Information “SIL motor protection”= “inactive”configuration is only set if explicitly required.The

version does not meet the Ex approval requirements.

Information If limit and/or torque switches for the end positions are available, precise setting is

imperative to ensure correct function of the “Safe end position feedback”or the “ESD

function”.For setting details related to the respective switches, please refer to oper-

ation instructions.

Configuration of “reaction monitoring”diagnostics and “Partial Valve Stroke

Test (PVST)”

Depending on the type of diagnostics specified, the reaction monitoring via blinker

transmitter or Partial Valve Stroke Test configurations have to be checked and

adapted, if required.

For detailed configuration options as well as detailed information on the PartialValve

StrokeTest (PVST), refer to Manual (Operation and setting) AUMATIC AC 01.2.

Please note that reaction monitoring may only be executed via the blinker

transmitter/SIL fault signal and not via the reaction monitoring function of the AC .2

firmware.

3.3. Protection against uncontrolled operation (self-locking/brake)

For self-locking AUMA actuators, it can be assumed that a load up to maximum

torque will not result in uncontrolled valve operation from standstill due to valve torque

load.Consequently, in these cases, further protection against uncontrolled operation

is not imperatively required.This might become necessary if, for example, self-locking

can either not be guaranteed due to vibration or if it is insufficient.In addition, certain

applications may require active position locking, for example by using a brake.There

are user-specific standards demanding this type of protection.Therefore, each project

must be subject to individual verification if any further protection is required. In any

case, this protection is required for actuators without self-locking.

Table 8: Overview self-locking for AUMA actuators (at the time of printing of this document)

Self-lockingOutput speedType

60 Hz50 Hz

Self-locking≤108 rpm≤90 rpmSA 25.1 –SA 30.1

SAEx 25.1 –SAEx 30.1 NOT self-locking≥150 rpm≥125 rpm

Self-locking≤26 rpm≤22 rpmSA 35.1

SAEx 35.1 NOT self-locking≥38 rpm≥32 rpm

Self-locking≤26 rpm≤22 rpmSA 40.1

SAEx 40.1 NOT self-locking≥38 rpm≥32 rpm

If actuators with insufficient self-locking function paired with “Forced torque seating

in end position”SIL seating type are used for the safety function, the following effect

might occur:During ESD, the actuator operates to the end position and switches off

due to reaching the end position and the tripping torque.Thereafter, the gear train

is relieved and the torque falls below the preset limit value. As a matter of fact, the

actuator controls detect this incident and switch the actuator on again since the

behaviour is correctly considered as termination of the ESD condition.The latter

generates additional torque until the switching off condition is reached again, and

so on.The “pumping effect”of the actuator is the consequence.

Multi-turn actuators

Architecture, configuration and applications SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

To successfully avoid this incident, we recommend either selecting actuator or other

elements with sufficient self-locking within the gear train or –if acceptable from a

process and safety point of view –selecting “Forced limit seating in end position”as

safety function.

3.4. Operation mode (low/high demand mode)

The safety functions of the actuators supplied by AUMA are suitable for the low

demand mode and may only be used in this operation mode.If a non-safety

instrumented function of basic process control system is executed via the same

actuator in addition to the safety function, note that while considering the sum of

non-safety instrumented function, required tests and safety function, the defined

number of maximum permissible cycles1) for the respective actuator as well as the

maximumnumberof starts2) maynotbe exceeded during deployment ofthe actuator

within a safety instrumented system.

3.5. Further notes and indications on architecture

HFT is 0.

Ifthe actuator isequipped with aposition transmitterlikeMWG, RWGor EWG,these

elements may not be integrated within the safety instrumented system.

The actuator safety functions can be considered as type A device.

The operating time for a complete stroke must exceed 4 seconds. CAUTION: Any

modification of the nominal stroke results in operating time change.

The safety function(s) and their feedback signals may exclusively be performed via

the digital inputs and outputs of the SIL module or the end position switches directly

wired to the customer connection.

The signal issued via SIL fault output must be permanently evaluated. If the

output signals a fault, assumption can be made that the safety function is not

available.The safety function must be checked without delay.Possibly further safety

measures are to be taken to restore the safety function without fault.

3.6. Applications (environmental conditions)

When specifying and using the actuators within safety instrumented systems,

particular attention has to be paid that the permissible service conditions and the

EMC requirements by the peripheral devices are met.Service conditions are indicated

in the technical data sheet.

●Enclosure protection

●Corrosion protection

●Ambient temperature

●Vibration resistance

If the actual ambient temperatures exceed an average of +40 °C, the lambda values

have to be incremented by a safety factor. For an average temperature of +60 °C,

this factor is specified to 2.5.

1) Definition of “cycles”according to EN 15714-2:2010

2) Definition of “starts”according to EN 15714-2:2010

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Architecture, configuration and applications

4. Safety instrumented system and safety functions

4.1. Safety instrumented system including an actuator

Typically, a safety instrumented system including an actuator is composed of the

components as shown in the figure.

Figure 3:Typical safety instrumented system

[1] Sensor

[2] Controls (safety PLC)

[3] Actuator (with actuator controls on wall bracket)

[4] Valve

[5] DCS

Thesafetyintegrity level is alwaysassigned to anoverall safety instrumented system

and not to an individual component.

For an individual component (e.g.an actuator), safety figures are determined.These

figures are used to assign the devices to a potential safety integrity level (SIL).The

final classification of the safety instrumented system can only be made after assessing

and calculating all subsystems.

4.2. Safety functions

In calculating the safety figures of the actuator system, the following safety functions

are taken into account:

●Safe ESD function (Emergency Shut Down): Safe OPENING/CLOSING

-Redundant Safe ESDa and Safe ESDb signals (default: low active) make

the actuator run into the configured direction (OPEN/CLOSE), irrespective

of the selector switch position.

Multi-turn actuators

Safety instrumented system and safety functions SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

●Safe STOP function: safe STOP

-An operation command of standard actuator controls (in directions OPEN

or CLOSE) will only be executed if an additional enable signal for the op-

eration command is present.

-If this is not the case, operation in directions OPEN or CLOSE is stopped

or even suspended (motor is switched off).

- The Safe STOP function is effective for all operation commands of the

standard actuator controls, irrespective of the command source (e.g.Re-

mote or Local).

●Safe ESD function combined with Safe STOP function

-Safe ESD function has a higher priority i.e.if both functions are activated,

the actuator is operated into the configured direction (OPEN/CLOSE).

●22Y version only:“Safe end position feedback”

-An end position signal directly wired to the actuator is available.The safety

function is the correct signal whether the actuator is in the requested actu-

ator end position or not.3) Only the signal via this signal communication

path is safety related. End position feedback via I/O interface relay or a

positioner (RWG, MWG, potentiometer, ...) or via a fieldbus interface does

not represent a safe end position feedback.

The different configuration options of the safety functions are described in the

<Configuration (setting)/version> chapter.

4.3. Safe inputs and outputs

Safe input for safe OPENING/CLOSING (Safe ESD function):

●Safe ESDa

●Safe ESDb

Safe inputs for safe stop (Safe STOP function):

●Safe STOP OPEN

●Safe STOP CLOSE

Safe outputs (indication that it might not be possible to perform the safety function):

●SIL failure

●SIL ready

For detailed information on safe inputs and outputs, refer to <Configuration

(setting)/version> chapter and <Installation> chapter.

4.4. Redundant system architecture

Besides the already described typical safety instrumented system including an

actuator, safety can be increased by implementing a second, redundant valve and

actuator with actuator controls in 22X or 22Y version into the safety instrumented

system.The decision on the appropriate version depends on the entire system.

Information Depending on the safety function and the safety instrumented task of this safety

function, it must be verified for each and every application whether and –if so –in

whichconfiguration aHFT>0 canbe actuallyachieved whenusing severalactuators.

This applies in particular –but is not limited to –the Safe STOP safety function.

A possible example for Safe CLOSING or Safe OPENING is shown in figure 3 and

4. Another example, in which several actuators do not achieve redundancy, is a

Safe STOP function used to safely exclude the movement of mechanical system

parts, if, for example, the fire brigade has to access the plant section in question in

case of an emergency. For this application, use of two actuators does generally not

result in a 1oo2 but in a 2oo2 system in terms of safety effect to be achieved.

Therefore, the HFT is not increased in this case.

3) Please note that safety figures only include the components of the actuator. Further components

(e.g.integrity of external controls, gearboxes, valve shaft, other valve components....) are not

considered with the AUMA safety figures related to this product.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Safety instrumented system and safety functions

Figure 4: Redundant system with safe ESD for safe CLOSING

Figure 5: Redundant system with safe ESD for safe OPENING

4.5. Examples of applications

Safe opening of a pressure vessel using the Safe ESD function

The standard PLC controls the entire system. A system fault occurs if excessive

pressure is generated within the system.In this case, the safety PLC immediately

opens the valve for safe pressure reduction.

Multi-turn actuators

Safety instrumented system and safety functions SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

Figure 6: Application example:Pressure vessel

Safe stop of locks to prevent destruction using the Safe STOP function.

Operationsafety(preventing hazards topersons and systems)is of utmostimportance

for locks.Once the lock closes, no boats must be between the gates.Otherwise, the

Safe STOP function (e.g. via EMERGENCY Stop button) is executed.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Safety instrumented system and safety functions

Figure 7: Application example: Lock

4.6. System representation

The representation below shows the simplified design of an AC 01.2/ACExC 01.2

in 22X or 22Y version.

Figure 8: Simplified system representation

Multi-turn actuators

Safety instrumented system and safety functions SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

5. Installation, commissioning and operation

Information Installation and commissioning have to be documented by means of an assembly

report and an inspection certificate.Installation and commissioning may only be

performed by authorised personnel who have been trained on functional safety.

The plant operator is responsible for ensuring power supply including overvoltage

and undervoltage protection during execution of a safety function.

5.1. Installation

Information The PIN assignments (XK ...) mentioned in this chapter (and also in other chapters)

are considered as standard assignments of AC 01.2- 22X/- 22Y/ACExC 01.2- 22X/-

22Y.In certain configurations, this typical assignment is not respected with the ob-

jective to meet specific equipment demands. In case of doubt, the assignment as

indicated on the pertaining wiring diagram is applicable.

General installation tasks (assembly, electrical connection) have to be performed

according to the operation instructions pertaining to the device and the enclosed

order-specific wiring diagram.

When operating and storing the devices in ambient temperatures below –25 °C,

ensure power supply of integral heating system.

Safety functions are connected via the SIL module integrated in the

AC 01.2/ACExC 01.2 actuator controls.

The SIL fault must be connected to an input compatible with the required SIL level

of a safety PLC and subsequently analysed.

Figure 9: Connections for safety functions via SIL module as well as the directly

wired Safe end position feedback

[1] Typical connection assignment for parallel control

[2] Typical connection assignment for fieldbus control

[3] Directly wired Safe end position feedback

Input switching behaviour of Safe ESDa/ESDb and Safe STOP

OPEN/CLOSE:

●Input level = high level (default: +24 V DC)

= No safety operation for Safe ESD function or

= No safe stop for Safe STOP function

●Input signal = low level (0 V DC or input open)

= Failure operation for Safe ESD function or

= Safe stop for Safe STOP function

Information The Safe ESDa and Safe ESDb inputs are redundant inputs for the same safety

function (depending on the configuration ESD OPEN or ESD CLOSE).Therefore,

the same level (high or low) should be applied to them. If “high”is applied at one of

the two ESDa or ESDb inputs and “low”at the other, this represents a fault state

within the safety instrumented system.In this instance, the actuator signals a “SIL

fault”. Since it is not clear whether the “high”level input or the “low”level input is

faulty, the safety function is performed for safety reasons.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Installation, commissioning and operation

Information The Safe STOP OPEN and Safe STOP CLOSE inputs are two independent inputs

with independent functions:

●If Safe STOP OPEN = low level, the safety function inhibits operation in direction

OPEN (exception ESD OPEN)

●If Safe STOP CLOSE = low level, the safety function inhibits operation in direc-

tion CLOSE (exception ESD CLOSE)

Permissible input voltage range:

●High level: 15 –30 V DC

●Low level: max. 5 V DC

Signal behaviour of SIL ready and SIL failure outputs:

●SIL ready/ Absence of fault to be detected by diagnostics:

NO (NO contact) output = closed

NC (NC contact) output = open

●SIL failure/ Presence of fault to be detected by diagnostics:

NO (NO contact) output = open

NC (NC contact) output = closed

Customer connections for control

(typical assignment)

SignalDesignation

Wiring diagram [2] Fieldbus[1] Parallel XK 3XK 31Digital input for Safe ESD functionSafe ESDa XK 5XK 32Redundant input for Safe ESD functionSafe ESDb XK 7XK 33Reference potential for Safe ESDa and Safe ESDb0 V XK 8XK 35Digital input for Safe STOP function in direction CLOSESafe STOP CLOSE XK 9XK 37Reference potential for Safe STOP CLOSE0 V XK 10XK 36Digital input for Safe STOP function in direction OPENSafe STOP OPEN XK 11XK 38Reference potential for Safe STOP OPEN0 V XK 15XK 40NO contact of SIL fault signalSIL ready XK 14XK 39NC contact of SIL fault signalSIL failure XK 16XK 42Reference potential for SIL fault signalCom.

SIL fault displayed via SIL failure output

DescriptionFault causes

SIL Motor protection trippedThermal fault Torque fault in directions OPEN and/or CLOSETorque fault Current position feedback is outside permissible range.Fault position feed-

back One phase of power supply is missing.

Controls are not supplied with mains voltage

Phase failure

The phase conductors L1, L2 and L3 are connected in the wrong sequence.Phase sequence

fault The safety-related part of controls is without power supply.Power supply failure Temperature within actuator controls housing too high.

Failure of heating system for ambient temperatures below –25 °C

Temperature fault

Actuator of valve lockedFailure of actuator

monitoring Both signals Safe ESDa and Safe ESDb are not simultaneously on the same level.Fault in redundant

wiring Safe ESD Internal error of the SIL moduleInternal error

For further information on SIL faults and in particular to assist in troubleshooting,

refer to chapter <Indications>.

Installation and commissioning must be recorded and a final installation and

commissioning report must be issued.

Multi-turn actuators

Installation, commissioning and operation SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

Information The basic function "automatic correction of direction of rotation" is not available for

this version.When connecting the power supply ensure that phases L1, L2 and L3

are correctly connected. For checking the direction of rotation, refer to operation in-

structions pertaining to the actuator.

The "external supply of electronics" option of the actuator controls refers to standard

actuator controls.In case of mains failure, the SIL module would no longer be

operable despite external supply of the electronics.

Information Limit switch setting for version with electronic control unit and SIL limit switches is

slightly different from the standard setting for the electromechanical control unit.

Refer to the supplement to operation instructions for correct setting (Y006.238).

5.2. Commissioning

The operation instructions pertaining to the device must be observed for general

commissioning.

Information For the Safe ESD function, operation into the safe position can be performed irre-

spective of the selector switch position (LOCAL - OFF - REMOTE) or the operating

status.Upon request of the safety function, the actuator will start operation even in

positions LOCAL and OFF or on system start.

Risk of immediate actuator operation when switching on!

Risk of personal injuries or damage to the valve

→Ensure that high level is present at the Safe ESDa/ESDb inputs when

switching on (default: +24 V DC).

After commissioning, the safe actuator function must be verified. Refer to <Proof

Test> chapter.

If the actuator is operated over a longer period while the motor is disengaged,

this entails considerable wear of the actuator.Worst case would be accidental

start-up, turning of the handwheel or even destruction of the actuator.

Risk of personal injuries or damage to the actuator.

→Operational actions have to be provided to ensure that the motor (with exception

of the proof test) is not operated while the motor is disengaged.

→Only operate disengaged motor for a short time during proof test.

Commissioning checklist

Table 9:Commissioning checklist

⎕ ✓1. Actuator and controls correctly wired?

⎕ ✓2. Limit and torque switching set?

⎕ ✓3.Safe function (depending on the configuration) checked in accordance with the proof

test checklists?

⎕

Yes

⎕No

4. Commissioning of basic settings (standard actuator controls) performed in accord-

ance with the operation instructions?

☒ ✓ = Executed

5.3. Operation

Regular maintenance and device checks in determined Tproof intervals are the basis

for safe operation.The parameters indicated in the <Safety figures> chapter are

valid for Tproof = 1 year.

For operation, both the pertaining operation instructions and the Manual (Operation

and setting) AC 01.2/ACExC 01.2 have to be observed.

Multi-turn actuators

SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y Installation, commissioning and operation

In case of possible failures or defects of the safety system, safe function must be

guaranteed by introducing alternative actions.Furthermore, a detected fault including

fault description has to be sent to AUMA Riester GmbH & Co. KG. Autonomous

repair work by the plant operator is not permitted.

5.4. Lifetime

Actuator lifetime is described in the technical data sheets or the operation instructions.

Safety-related parameters are valid for the cycles or modulating steps defined in the

technical data specifications for typical periods of up to 10 years (the criterion

achieved first is valid). After this period, the probability of failure increases.

Extending this period is basically feasible in many cases provided both manufacturer

and operator introduce respective actions in compliance with footnote N3 of NOTE

3 of the German version of IEC 61508-2:2010 7.4.9.5 b).This is the responsibility

of the operator who will have to take appropriate and suitable measures. Please

5.5. Decommissioning

When decommissioning an actuator with safety functions, the following must be

observed:

●Impact of decommissioning on relevant devices, equipment or other work must

be evaluated.

●Safety and warninginstructionscontained in theactuator operationinstructions

must be met.

●Decommissioning must be carried out exclusively by suitably qualified personnel.

●Decommissioning must be recorded in compliance with technical requirements.

Multi-turn actuators

Installation, commissioning and operation SA .1 with AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y

This manual suits for next models

Table of contents

Popular Controllers manuals by other brands

TechGrow

TechGrow Pro Series user manual

Intelligent Energy

Intelligent Energy 10005518 user manual

HTC

HTC VIVE Operation guide

AirCycler

AirCycler FRV user guide

Aerotech

Aerotech PLANAR HD Series user manual

Hiwin

Hiwin HIMC installation guide

Conrad

Conrad 64 05 52 operating instructions

gefran

gefran SIEIDrive LIFT AGy -L instruction manual

Shimaden

Shimaden PAC46 Series instruction manual

ISC

ISC APECS Operational instructions

Digitrax

Digitrax DN166I1B quick start guide

Johnson Controls

Johnson Controls FAC2611-0U installation instructions

SpaNet

SpaNet SV2 Installation & technical manual

Veris Industries

Veris Industries G Series installation guide

Honeywell

Honeywell S05 Series installation instructions

Linear Technology

Linear Technology LTC4007 quick start guide

Hy-Gain

Hy-Gain AR-500 instruction sheet

BST

BST ekr 500 operating manual

AUMA AC 01.2-22X User manual

Popular Controllers manuals by other brands