AUMA AC 01.2-22X User manual

Multi-turn actuators
SA 25.1 – SA 40.1
SAEx 25.1 – SAEx 40.1
with actuator controls
AC 01.2-22X/-22Y
ACExC 01.2-22X/-22Y
Functional safety Manual

NOTICE for use!
This document is only valid with the latest operation instructions attached to the device, the attached manual as
well as the respectively pertaining technical and electrical data sheets. They are understood as reference
documents.
Purpose of the document:
The present document informs about the actions required for using the device in safety-related systems in
accordance with IEC 61508 or IEC 61511.
Reference documents:
● Operation instructions (Assembly and commissioning) for the actuator
● Manual (Operation and setting) AC 01.2/ACExC 01.2 actuator controls
● Manual (Device integration Fieldbus) AC(V) 01.2/AC(V)ExC 01.2 actuator controls
● Technical data for multi-turn actuator and actuator controls.
Reference documents are available on the Internet at: http://www.auma.com.
Table of contents
1. Terminology
1.1. Abbreviations and concepts
2. Application and validity
2.1. Range of application
2.2. Standards
2.3. Valid device types
3. Architecture, configuration and applications
3.1. Architecture (actuator sizing)
3.2. Configuration (setting)/version
3.3. Protection against uncontrolled operation (self-locking/brake)
3.4. Operation mode (low/high demand mode)
3.5. Further notes and indications on architecture
3.6. Applications (environmental conditions)
4. Safety instrumented system and safety functions
4.1. Safety instrumented system including an actuator
4.2. Safety functions
4.3. Safe inputs and outputs
4.4. Redundant system architecture
4.5. Examples of applications
4.6. System representation
5. Installation, commissioning and operation
5.1. Installation
5.2. Commissioning
5.3. Operation
5.4. Lifetime
5.5. Decommissioning
6. Indications on display
6.1. Status indications on SIL functions
6.2. SIL configuration warning
6.3. Backlight
7. Signals
7.1. Signals via SIL module
7.2. SIL - fault signal via the standard actuator controls display (for troubleshooting support)
7.3. Status signals via output contacts (digital outputs) of standard actuator controls
7.4. Signals via fieldbus of standard actuator controls
8. Tests and maintenance
8.1. Safety equipment: check
8.2. Actuator monitoring for ESD safety function
8.2.1. Partial Valve Stroke Test (PVST): execute
8.3. Actuator monitoring for “safe end position feedback” safety function
8.4. Proof test (verification of safe actuator function)
8.4.1. Preliminary tests
8.4.2. Check Safe ESD safety operation “Safe OPENING/CLOSING”
8.4.3. Check SIL fault signal “Actuator monitoring”
8.4.4. Check Safe ESD reaction for “Motor protection (thermal fault)” signals
8.4.5. Check Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque evaluation)
8.4.6. Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electromechanical control unit
8.4.7. Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electronic control unit and limit switches
8.4.8. Check Safe ESD reaction to “Forced torque seating in end position” (torque after limit evaluation)
8.4.9. Check Safe ESD reaction for “no seating” (no evaluation of limit and torque)
8.4.10. Check Safe STOP function
8.4.11. Check combination of Safe ESD and Safe STOP function
8.4.12. Check “Safe end position signal” safety function
8.5. Maintenance
9. Safety-related figures
9.1. Determination of the safety-related figures
9.2. Specific figures for AC 01.2 actuator controls in 22X or 22Y version with actuators of the SA .1 type range
10. SIL Declaration of Incorporation
Index

1. Terminology
Information sources
● IEC 61508-4, Functional safety of electrical/electronic/programmable electronic
safety-related systems – Part 4: Definitions and abbreviations
● IEC 61511-1, Functional safety - Safety instrumented systems for the process
industry sector – Part 1: Framework, definitions, system, hardware and software
requirements
1.1. Abbreviations and concepts
To evaluate safety functions, the lambda values or the PFD value (Probability of
Dangerous Failure on Demand) and the SFF value (Safe Failure Fraction) are the
main requirements. Further figures are required to assess the individual components.
These figures are explained in the table below.
Table 1: Abbreviations of safety figures
Abbreviation | Full expression | Description
λS | Lambda Safe | Number of safe failures
λD | Lambda Dangerous | Number of dangerous failures
λDU | Lambda Dangerous Undetected | Number of undetected dangerous failures
λDD | Lambda Dangerous Detected | Number of detected dangerous failures
DC | Diagnostic Coverage | Diagnostic Coverage - ratio between the failure rate of dangerous failures detected by diagnostic tests and total rate of dangerous failures of the component or subsystem. The diagnostic coverage does not include any failures detected during proof tests.
MTBF | Mean Time Between Failures | Mean time between the occurrence of two subsequent failures
SFF | Safe Failure Fraction | Fraction of safe failures as well as of detectable dangerous failures
PFDavg | Average Probability of dangerous Failure on Demand | Average probability of dangerous failures on demand of a safety function.
HFT | Hardware Fault Tolerance | Ability of a functional unit to execute a required function while faults or deviations are present. HFT = n means that the function can still be safely executed for up to n faults occurring at the same time.
Tproof | Proof test interval | Interval for proof test
SIL: Safety Integrity Level
The international standard IEC 61508 defines 4 levels (SIL 1 through SIL 4).
Safety function: Function to be implemented by a safety-related system for risk reduction with the
objective to achieve or maintain a safe state for the plant/equipment with respect to
a specific dangerous event.
Safety instrumented function (SIF): Function with specified safety integrity level (SIL) to achieve functional safety.
Safety instrumented system (SIS): Safety instrumented system for executing a single or several safety instrumented
functions. An SIS consists of sensor(s), logic system and actuator(s).
Safety-related system: A safety-related system includes all factors (hardware, software, human factors)
necessary to implement one or several safety functions. Consequently, failures of the
safety function would result in a significant increase in safety risks for people and/or
the environment.
A safety-related system can comprise stand-alone systems dedicated to perform a
particular safety function or can be integrated into a plant.
Proof test: Periodic test performed to detect dangerous hidden failures in a safety-related system
so that, if necessary, a repair can restore the system to an "as new" condition or as
close as practical to this condition.
MTTR (Mean Time To Restoration): Mean time to restoration once a failure has occurred. Indicates the expected mean
time to achieve restoration of the system. It is therefore an important parameter for
system availability. The time for detecting the failure, planning tasks as well as
operating resources is also included. It should be reduced to a minimum.
MRT (Mean Repair Time): Mean repair time indicates the mean time required to repair a system. The MRT is
crucial when defining the reliability and availability of a system. The MRT should
preferably be small.
Device type (type A and type B): Actuator controls can be regarded as type A devices if all of the following conditions
are met for all components required to achieve the safety instrumented function:
● The failure modes for all constituent components involved are well defined.
● The behaviour under fault conditions can be completely determined.
● There is sufficient dependable failure data from the field to show that the claimed
rates of failure are met (confidence level min. 70 %).
Actuator controls shall be regarded as type B devices if one or several of the following
conditions are met:
● The failure of at least one constituent component is not well defined.
● The fault behaviour is not completely known.
● There is insufficient dependable failure data to support claims for rates of failure
for detected and undetected dangerous failures.
PTC (Proof Test Coverage): Proof test coverage describes the fraction of failures which can be detected by means
of a proof test.

2. Application and validity
2.1. Range of application
AUMA actuators and actuator controls in 22X or 22Y version are intended for
operation of industrial valves and are suitable for use in safety instrumented systems
in accordance with IEC 61508 or IEC 61511.
2.2. Standards
Both actuators and actuator controls meet the following requirements:
The safety figures of the devices described meet the requirements of IEC 61508:2010
in the respective SIL level with regard to failure rates and architecture
requirements. However, this does not imply that all further requirements of IEC 61508
are met.
2.3. Valid device types
The data on functional safety contained in this manual applies to the device types
indicated.
Table 2: Overview on suitable device types
Type: Actuator | Type: Actuator controls | Motor: Power supply
SA 25.1 – SA 40.1 | AC 01.2 in 22X or 22Y version | 3-phase AC
SAEx 25.1 – SAEx 40.1 | ACExC 01.2 in 22X or 22Y version | 3-phase AC
Hardware, software and configuration of actuator and actuator controls must not be
modified without prior written consent by AUMA. Unauthorised modification may
have a negative impact on both safety figures and SIL capability of the products.
Information: In applications with requirements on functional safety, only AUMA actuator controls
and actuators in SFC, SIL, 22X or 22Y versions may be used.
AUMA actuator controls and actuators in 22X or 22Y version can among others be
identified from the letters “22X” or “22Y” on the name plate.
Figure 1: Example of name plate with “22X” marking.
Figure 2: Example of SA name plate with marking “22X”

3. Architecture, configuration and applications
3.1. Architecture (actuator sizing)
For actuator architecture (actuator sizing) the maximum torques, run torques and
operating times are taken into consideration.
Incorrect actuator architecture can lead to device damage within the safety-related
system!
Possible consequences: Valve damage, motor overheating, contactor seizure,
damage to the electronics, heating up or damage to cables.
→ The actuator technical data must imperatively be observed when selecting the
actuator.
→ Sufficient reserves have to be provided to ensure that actuators are capable of
reliably opening or closing the valve even in the event of an accident or
undervoltage.
Architecture when using the Safe STOP function
Information: For the Safe STOP function, the motor is switched off, overrun may possibly occur!
Valve damage due to overrun!
→ For the Safe STOP function, the overrun of the arrangement (actuator, gearbox,
valve) and the reaction time have to be observed.
→ If the application requires self-locking of the actuator, please consult AUMA.
Architecture when using the Safe ESD function
Actuators with electromechanical control unit:
For “SIL seating” = “no seating” (without end position protection), we recommend:
● To prevent valve damage during safety operation, we recommend, depending
on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Actuators with electronic control unit MWG:
Information: End position signalling (limit switching) and torque signalling via the electronic control
unit MWG are not considered as safe signals.
● To prevent valve damage during safety operation, we recommend, depending
on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Actuators with electronic control unit MWG including limit switches:
For “SIL seating” = “no seating” (without end position protection), we recommend:
● To prevent valve damage during safety operation, we recommend, depending
on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Information: For “SIL seating” = “Forced limit seating in end position”, the seating is performed
via limit switches in the end position. Since each switch has a hysteresis, the actuator
leaves the end position prior to limit switch release. Consequently, there is a marginal
range of actuator positions to the safety position, for which the limit switch is still
operated when leaving the safety position and for which the Safe ESD function is therefore
NOT available. In this case, safety function triggering leads to actuator standstill. If
the range in question is approached from the opposite direction, this limitation does
not apply. In general this range is relatively small. However, for unfavourable
configurations (low number of turns per stroke), this range can amount to more than 10 %
of the total stroke.
Should, within the framework of unfavourable conditions, the effect described above
represent an unacceptable limitation for the safety function, we recommend applying
the configuration “Forced torque seating in end position” or “no seating” for safety
operation.
Architecture when using the “safe end position feedback”
Safe end position feedback is exclusively available with the 22Y version. Only the
mechanical end position switches directly wired to the customer output may be used
for safe end position feedback. The signals at the DOUT 1 – DOUT 6 outputs of the
I/O interface, the analogue outputs designated with AOUT and the fieldbus interfaces
of the AC.2 / ACExC .2 do not represent safe feedback within the meaning of
functional safety.
Information: For the “Safe end position feedback” safety function, heed that signalling is made
via mechanical switches. Since these elements have an unavoidable hysteresis, the
actuator slightly leaves the end position before the end position signal is deleted.
Consequently, there is a marginal range of actuator positions to the safety position,
for which the end position is still signalled although the actuator has already left the
end position during operation from safety position. If the range in question is
approached from the opposite direction, this limitation does not apply. In general this
range is relatively small. However, for unfavourable configurations (low number of
turns per stroke), this range can amount to more than 10 % of the total stroke.
Should, within the framework of unfavourable conditions, the effect described above
represent an unacceptable limitation for the safety function, we recommend evaluating
both limit and torque switches for the end position feedback.
Power supply
Information: The plant operator is responsible for power supply.
3.2. Configuration (setting)/version
Configuration (setting) of safety-related functions is defined in the factory during
actuator controls assembly and validated during final inspection. Subsequent
modification of the configuration by the plant operator is not permissible.
General functions are set as described in the Operation instructions or the Manual
(Operation and setting) AUMATIC AC 01.2.
Configuration of safety-related functions is listed in the order-related technical data
sheet.
Configuration options for safety function
Table 3: Configuration options for safety function
Configuration SIL function | Short description
Safe ESD CLOSE/CLOSE | Safe CLOSING
Safe ESD OPEN/OPEN | Safe OPENING
Safe STOP CLOSE/OPEN | Safe STOP in direction CLOSE and direction OPEN
Safe ESD CLOSE/CLOSE + Safe STOP CLOSE/OPEN | Safe CLOSING and safe STOP in direction CLOSE and direction OPEN
Safe ESD OPEN/OPEN + Safe STOP CLOSE/OPEN | Safe OPENING and safe STOP in direction CLOSE and direction OPEN
When configuring a Safe ESD function and a Safe STOP function, the Safe ESD
function is always prioritised compared to the Safe STOP function when requested
simultaneously.
Seating configuration options
Information: Seating of standard actuator controls should be configured as set forth in the tables
below.
Table 4: For actuators with electromechanical control unit
Configuration SIL seating type | Short description | Configuration Type of seating Standard actuator controls
1 = No seating | No seating by limit or torque switches during safety operation | Freely selectable
2: Forced torque seating in end position | Safety operation is stopped if both limit and torque switches trip simultaneously | Torque seating
3: Forced limit seating in end position | Failure operation is stopped by limit switch tripping | Limit seating
4: Limit seating with overload protection | Failure operation is stopped by tripping the limit switches and/or the torque switches (overload protection). | Limit seating
Table 5: For actuators with electronic control unit MWG
Configuration SIL seating type | Short description | Configuration Type of seating Standard actuator controls
1 = No seating | No seating by limit or torque switches during safety operation | Freely selectable
Table 6: For actuators with electronic control unit MWG including limit switches
Configuration SIL seating type | Short description | Configuration Type of seating Standard actuator controls
3: Forced limit seating in end position | Failure operation is stopped by limit switch tripping | Limit seating
Configuration options for motor protection assessment
Table 7: Configuration options for motor protection assessment
Configuration SIL motor protection | Short description
Active | Tripping of the motor protection (thermal fault) stops or prevents safety operation
Inactive | Motor protection has no impact on the safety operation
Information: “SIL motor protection” = “inactive” configuration is only set if explicitly required. The
version does not meet the Ex approval requirements.
Information: If limit and/or torque switches for the end positions are available, precise setting is
imperative to ensure correct function of the “Safe end position feedback” or the “ESD
function”. For setting details related to the respective switches, please refer to
operation instructions.
Configuration of “reaction monitoring” diagnostics and “Partial Valve Stroke
Test (PVST)”
Depending on the type of diagnostics specified, the reaction monitoring via blinker
transmitter or Partial Valve Stroke Test configurations have to be checked and
adapted, if required.
For detailed configuration options as well as detailed information on the Partial Valve
Stroke Test (PVST), refer to Manual (Operation and setting) AUMATIC AC 01.2.
Please note that reaction monitoring may only be executed via the blinker
transmitter/SIL fault signal and not via the reaction monitoring function of the AC .2
firmware.
3.3. Protection against uncontrolled operation (self-locking/brake)
For self-locking AUMA actuators, it can be assumed that a load up to maximum
torque will not result in uncontrolled valve operation from standstill due to valve torque
load. Consequently, in these cases, further protection against uncontrolled operation
is not imperatively required. This might become necessary if, for example, self-locking
can either not be guaranteed due to vibration or if it is insufficient. In addition, certain
applications may require active position locking, for example by using a brake. There
are user-specific standards demanding this type of protection. Therefore, each project
must be subject to individual verification if any further protection is required. In any
case, this protection is required for actuators without self-locking.
Table 8: Overview self-locking for AUMA actuators (at the time of printing of this document)
Type | Output speed 50 Hz | Output speed 60 Hz | Self-locking
SA 25.1 – SA 30.1, SAEx 25.1 – SAEx 30.1 | ≤ 90 rpm | ≤ 108 rpm | Self-locking
SA 25.1 – SA 30.1, SAEx 25.1 – SAEx 30.1 | ≥ 125 rpm | ≥ 150 rpm | NOT self-locking
SA 35.1, SAEx 35.1 | ≤ 22 rpm | ≤ 26 rpm | Self-locking
SA 35.1, SAEx 35.1 | ≥ 32 rpm | ≥ 38 rpm | NOT self-locking
SA 40.1, SAEx 40.1 | ≤ 22 rpm | ≤ 26 rpm | Self-locking
SA 40.1, SAEx 40.1 | ≥ 32 rpm | ≥ 38 rpm | NOT self-locking
If actuators with insufficient self-locking function paired with “Forced torque seating
in end position” SIL seating type are used for the safety function, the following effect
might occur: During ESD, the actuator operates to the end position and switches off
due to reaching the end position and the tripping torque. Thereafter, the gear train
is relieved and the torque falls below the preset limit value. As a matter of fact, the
actuator controls detect this incident and switch the actuator on again since the
behaviour is correctly considered as termination of the ESD condition. The latter
generates additional torque until the switching off condition is reached again, and
so on. The “pumping effect” of the actuator is the consequence.
To successfully avoid this incident, we recommend either selecting actuator or other
elements with sufficient self-locking within the gear train or – if acceptable from a
process and safety point of view – selecting “Forced limit seating in end position” as
safety function.
3.4. Operation mode (low/high demand mode)
The safety functions of the actuators supplied by AUMA are suitable for the low
demand mode and may only be used in this operation mode. If a non-safety
instrumented function of basic process control system is executed via the same
actuator in addition to the safety function, note that while considering the sum of
non-safety instrumented function, required tests and safety function, the defined
number of maximum permissible cycles1) for the respective actuator as well as the
maximum number of starts2) may not be exceeded during deployment of the actuator
within a safety instrumented system.
3.5. Further notes and indications on architecture
HFT is 0.
If the actuator is equipped with a position transmitter like MWG, RWG or EWG, these
elements may not be integrated within the safety instrumented system.
The actuator safety functions can be considered as type A device.
The operating time for a complete stroke must exceed 4 seconds. CAUTION: Any
modification of the nominal stroke results in operating time change.
The safety function(s) and their feedback signals may exclusively be performed via
the digital inputs and outputs of the SIL module or the end position switches directly
wired to the customer connection.
The signal issued via SIL fault output must be permanently evaluated. If the
output signals a fault, assumption can be made that the safety function is not
available. The safety function must be checked without delay. Possibly further safety
measures are to be taken to restore the safety function without fault.
3.6. Applications (environmental conditions)
When specifying and using the actuators within safety instrumented systems,
particular attention has to be paid that the permissible service conditions and the
EMC requirements by the peripheral devices are met. Service conditions are indicated
in the technical data sheet.
● Enclosure protection
● Corrosion protection
● Ambient temperature
● Vibration resistance
If the actual ambient temperatures exceed an average of +40 °C, the lambda values
have to be incremented by a safety factor. For an average temperature of +60 °C,
this factor is specified to 2.5.
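A worked calculation of the Table 1 figures for a single actuator channel (HFT = 0, type A, as stated in section 3.5), showing what the factor of 2.5 at +60 °C does to them. This is an added example, not AUMA data or code: the lambda values and the two-year proof test interval are constructed, PFDavg uses the common simplified approximation λDU · Tproof / 2, and all function names are hypothetical.

```python
from dataclasses import dataclass

FIT = 1e-9               # 1 FIT = one failure per 10^9 device hours
HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class FailureRates:
    """Failure rates per hour, using the names from Table 1."""
    lambda_s: float      # safe failures
    lambda_dd: float     # dangerous detected failures
    lambda_du: float     # dangerous undetected failures

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du

    def scaled(self, factor: float) -> "FailureRates":
        return FailureRates(self.lambda_s * factor,
                            self.lambda_dd * factor,
                            self.lambda_du * factor)


def temperature_factor(avg_ambient_c: float) -> float:
    """Only the two cases the manual states; nothing is interpolated."""
    if avg_ambient_c <= 40:
        return 1.0
    if avg_ambient_c == 60:
        return 2.5
    raise ValueError("the manual gives a factor only for an average of +60 °C")


def diagnostic_coverage(r: FailureRates) -> float:
    return r.lambda_dd / r.lambda_d


def safe_failure_fraction(r: FailureRates) -> float:
    return (r.lambda_s + r.lambda_dd) / (r.lambda_s + r.lambda_d)


def pfd_avg_1oo1(r: FailureRates, t_proof_h: float) -> float:
    """Assumption: simplified single-channel formula, perfect proof test,
    repair time neglected."""
    return r.lambda_du * t_proof_h / 2


def sil_band_low_demand(pfd_avg: float) -> int:
    """IEC 61508 low demand bands: SIL n when 10^-(n+1) <= PFDavg < 10^-n."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < 10 ** -sil:
            return sil
    return 0


def sil_limit_type_a_hft0(sff: float) -> int:
    """Architectural limit for a type A element with HFT = 0 (IEC 61508-2)."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3


def evaluate(rates: FailureRates, t_proof_h: float, avg_ambient_c: float) -> dict:
    r = rates.scaled(temperature_factor(avg_ambient_c))
    pfd = pfd_avg_1oo1(r, t_proof_h)
    sff = safe_failure_fraction(r)
    by_pfd, by_sff = sil_band_low_demand(pfd), sil_limit_type_a_hft0(sff)
    return {
        "dc": diagnostic_coverage(r),
        "sff": sff,
        "pfd_avg": pfd,
        "sil_by_pfd": by_pfd,
        "sil_by_sff": by_sff,
        # Potential SIL of this subsystem alone; the SIL of the safety
        # instrumented system needs the figures of all subsystems.
        "potential_sil": min(by_pfd, by_sff),
    }


# Constructed sample values, not taken from any AUMA data sheet.
SAMPLE = FailureRates(lambda_s=600 * FIT, lambda_dd=350 * FIT, lambda_du=50 * FIT)
T_PROOF_H = 2 * HOURS_PER_YEAR

if __name__ == "__main__":
    for temp in (40, 60):
        print(temp, "°C:", evaluate(SAMPLE, T_PROOF_H, temp))
```

Scaling all lambda values by the same factor leaves SFF and DC unchanged but multiplies PFDavg, so the sample device drops one PFDavg band at +60 °C.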
1) Definition of “cycles” according to EN 15714-2:2010
2) Definition of “starts” according to EN 15714-2:2010

4. Safety instrumented system and safety functions
4.1. Safety instrumented system including an actuator
Typically, a safety instrumented system including an actuator is composed of the
components as shown in the figure.
Figure 3: Typical safety instrumented system
[1] Sensor
[2] Controls (safety PLC)
[3] Actuator (with actuator controls on wall bracket)
[4] Valve
[5] DCS
The safety integrity level is always assigned to an overall safety instrumented system
and not to an individual component.
For an individual component (e.g. an actuator), safety figures are determined. These
figures are used to assign the devices to a potential safety integrity level (SIL). The
final classification of the safety instrumented system can only be made after assessing
and calculating all subsystems.
4.2. Safety functions
In calculating the safety figures of the actuator system, the following safety functions
are taken into account:
● Safe ESD function (Emergency Shut Down): Safe OPENING/CLOSING
- Redundant Safe ESDa and Safe ESDb signals (default: low active) make
the actuator run into the configured direction (OPEN/CLOSE), irrespective
of the selector switch position.
● Safe STOP function: safe STOP
- An operation command of standard actuator controls (in directions OPEN
or CLOSE) will only be executed if an additional enable signal for the
operation command is present.
- If this is not the case, operation in directions OPEN or CLOSE is stopped
or even suspended (motor is switched off).
- The Safe STOP function is effective for all operation commands of the
standard actuator controls, irrespective of the command source (e.g.
Remote or Local).
● Safe ESD function combined with Safe STOP function
- Safe ESD function has a higher priority i.e. if both functions are activated,
the actuator is operated into the configured direction (OPEN/CLOSE).
● 22Y version only: “Safe end position feedback”
- An end position signal directly wired to the actuator is available. The safety
function is the correct signal whether the actuator is in the requested
actuator end position or not.3) Only the signal via this signal communication
path is safety related. End position feedback via I/O interface relay or a
positioner (RWG, MWG, potentiometer, ...) or via a fieldbus interface does
not represent a safe end position feedback.
The different configuration options of the safety functions are described in the
<Configuration (setting)/version> chapter.
4.3. Safe inputs and outputs
Safe input for safe OPENING/CLOSING (Safe ESD function):
● Safe ESDa
● Safe ESDb
Safe inputs for safe stop (Safe STOP function):
● Safe STOP OPEN
● Safe STOP CLOSE
Safe outputs (indication that it might not be possible to perform the safety function):
● SIL failure
● SIL ready
For detailed information on safe inputs and outputs, refer to <Configuration
(setting)/version> chapter and <Installation> chapter.
4.4. Redundant system architecture
Besides the already described typical safety instrumented system including an
actuator, safety can be increased by implementing a second, redundant valve and
actuator with actuator controls in 22X or 22Y version into the safety instrumented
system. The decision on the appropriate version depends on the entire system.
Information: Depending on the safety function and the safety instrumented task of this safety
function, it must be verified for each and every application whether and – if so – in
which configuration a HFT > 0 can be actually achieved when using several actuators.
This applies in particular – but is not limited to – the Safe STOP safety function.
A possible example for Safe CLOSING or Safe OPENING is shown in figure 3 and
4. Another example, in which several actuators do not achieve redundancy, is a
Safe STOP function used to safely exclude the movement of mechanical system
parts, if, for example, the fire brigade has to access the plant section in question in
case of an emergency. For this application, use of two actuators does generally not
result in a 1oo2 but in a 2oo2 system in terms of safety effect to be achieved.
Therefore, the HFT is not increased in this case.
3) Please note that safety figures only include the components of the actuator. Further components
(e.g. integrity of external controls, gearboxes, valve shaft, other valve components ...) are not
considered with the AUMA safety figures related to this product.
Figure 4: Redundant system with safe ESD for safe CLOSING
Figure 5: Redundant system with safe ESD for safe OPENING
4.5. Examples of applications
Safe opening of a pressure vessel using the Safe ESD function
The standard PLC controls the entire system. A system fault occurs if excessive
pressure is generated within the system. In this case, the safety PLC immediately
opens the valve for safe pressure reduction.
Figure 6: Application example: Pressure vessel
Safe stop of locks to prevent destruction using the Safe STOP function.
Operation safety (preventing hazards to persons and systems) is of utmost importance
for locks. Once the lock closes, no boats must be between the gates. Otherwise, the
Safe STOP function (e.g. via EMERGENCY Stop button) is executed.
Figure 7: Application example: Lock
4.6. System representation
The representation below shows the simplified design of an AC 01.2/ACExC 01.2
in 22X or 22Y version.
Figure 8: Simplified system representation

5. Installation, commissioning and operation
Information: Installation and commissioning have to be documented by means of an assembly
report and an inspection certificate. Installation and commissioning may only be
performed by authorised personnel who have been trained on functional safety.
The plant operator is responsible for ensuring power supply including overvoltage
and undervoltage protection during execution of a safety function.
5.1. Installation
Information The PIN assignments (XK ...) mentioned in this chapter (and also in other chapters)
are considered as standard assignments of AC 01.2-22X/-22Y/ACExC 01.2-22X/-22Y.
In certain configurations, the assignment deviates from this typical one in order
to meet specific equipment demands. In case of doubt, the assignment as
indicated on the pertaining wiring diagram is applicable.
General installation tasks (assembly, electrical connection) have to be performed
according to the operation instructions pertaining to the device and the enclosed
order-specific wiring diagram.
When operating and storing the devices in ambient temperatures below –25 °C,
ensure power supply of integral heating system.
Safety functions are connected via the SIL module integrated in the
AC 01.2/ACExC 01.2 actuator controls.
The SIL fault must be connected to an input compatible with the required SIL level
of a safety PLC and subsequently analysed.
Figure 9: Connections for safety functions via SIL module as well as the directly
wired Safe end position feedback
[1] Typical connection assignment for parallel control
[2] Typical connection assignment for fieldbus control
[3] Directly wired Safe end position feedback
Input switching behaviour of Safe ESDa/ESDb and Safe STOP
OPEN/CLOSE:
●Input level = high level (default: +24 V DC)
= No safety operation for Safe ESD function or
= No safe stop for Safe STOP function
●Input signal = low level (0 V DC or input open)
= Failure operation for Safe ESD function or
= Safe stop for Safe STOP function
Information The Safe ESDa and Safe ESDb inputs are redundant inputs for the same safety
function (depending on the configuration ESD OPEN or ESD CLOSE). Therefore,
the same level (high or low) should be applied to them. If “high” is applied at one of
the two ESDa or ESDb inputs and “low” at the other, this represents a fault state
within the safety instrumented system. In this instance, the actuator signals a “SIL
fault”. Since it is not clear whether the “high” level input or the “low” level input is
faulty, the safety function is performed for safety reasons.
Information The Safe STOP OPEN and Safe STOP CLOSE inputs are two independent inputs
with independent functions:
●If Safe STOP OPEN = low level, the safety function inhibits operation in direction
OPEN (exception ESD OPEN)
●If Safe STOP CLOSE = low level, the safety function inhibits operation in direction
CLOSE (exception ESD CLOSE)
Permissible input voltage range:
●High level: 15 – 30 V DC
●Low level: max. 5 V DC
Signal behaviour of SIL ready and SIL failure outputs:
●SIL ready/ Absence of fault to be detected by diagnostics:
NO (NO contact) output = closed
NC (NC contact) output = open
●SIL failure/ Presence of fault to be detected by diagnostics:
NO (NO contact) output = open
NC (NC contact) output = closed
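The input and output rules above can be checked from the safety PLC side or in a commissioning script. The following Python model is an added example, not AUMA code; the function names, the rejection of voltages outside the two stated ranges, and the "implausible contact state" result are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

HIGH_MIN_V, HIGH_MAX_V = 15.0, 30.0  # manual: high level 15-30 V DC
LOW_MAX_V = 5.0                      # manual: low level max. 5 V DC


def classify_level(volts: Optional[float]) -> str:
    """Return 'high' or 'low'; None models an open input (low per the manual)."""
    if volts is None or volts <= LOW_MAX_V:
        return "low"
    if HIGH_MIN_V <= volts <= HIGH_MAX_V:
        return "high"
    # Between 5 V and 15 V, or above 30 V: the manual defines no behaviour.
    raise ValueError(f"{volts} V is outside the permissible input ranges")


@dataclass(frozen=True)
class EsdDemand:
    safety_function: bool   # actuator runs to the configured ESD position
    discrepancy: bool       # ESDa and ESDb disagree -> "SIL fault" expected


def evaluate_safe_esd(esda_v: Optional[float], esdb_v: Optional[float]) -> EsdDemand:
    """Low on either redundant input demands the safety function."""
    a, b = classify_level(esda_v), classify_level(esdb_v)
    return EsdDemand(safety_function=(a == "low" or b == "low"), discrepancy=(a != b))


def decode_sil_contacts(no_closed: bool, nc_closed: bool) -> str:
    """Decode the SIL ready (NO) / SIL failure (NC) contact pair."""
    if no_closed and not nc_closed:
        return "SIL ready"
    if nc_closed and not no_closed:
        return "SIL failure"
    # Assumption: equal states cannot come from a healthy contact pair.
    return "implausible contact state"


def commissioning_findings(esda_v, esdb_v, no_closed, nc_closed) -> list:
    """Compare what the inputs should cause with what the outputs report."""
    demand = evaluate_safe_esd(esda_v, esdb_v)
    status = decode_sil_contacts(no_closed, nc_closed)
    findings = []
    if status == "implausible contact state":
        findings.append("check wiring of SIL ready / SIL failure contacts")
    if demand.discrepancy and status == "SIL ready":
        findings.append("ESDa/ESDb disagree but no SIL fault is signalled")
    if demand.safety_function:
        findings.append("Safe ESD demanded: actuator runs to its safe position")
    return findings
```

A "SIL failure" reading with both inputs high is not flagged, because the SIL failure output also reports faults unrelated to the ESD inputs.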
Customer connections for control (typical assignment)

| Designation | Signal | Wiring diagram [1] Parallel | Wiring diagram [2] Fieldbus |
|---|---|---|---|
| Safe ESDa | Digital input for Safe ESD function | XK 31 | XK 3 |
| Safe ESDb | Redundant input for Safe ESD function | XK 32 | XK 5 |
| 0 V | Reference potential for Safe ESDa and Safe ESDb | XK 33 | XK 7 |
| Safe STOP CLOSE | Digital input for Safe STOP function in direction CLOSE | XK 35 | XK 8 |
| 0 V | Reference potential for Safe STOP CLOSE | XK 37 | XK 9 |
| Safe STOP OPEN | Digital input for Safe STOP function in direction OPEN | XK 36 | XK 10 |
| 0 V | Reference potential for Safe STOP OPEN | XK 38 | XK 11 |
| SIL ready | NO contact of SIL fault signal | XK 40 | XK 15 |
| SIL failure | NC contact of SIL fault signal | XK 39 | XK 14 |
| Com. | Reference potential for SIL fault signal | XK 42 | XK 16 |
SIL fault displayed via SIL failure output

| Fault causes | Description |
|---|---|
| Thermal fault | SIL Motor protection tripped |
| Torque fault | Torque fault in directions OPEN and/or CLOSE |
| Fault position feedback | Current position feedback is outside permissible range. |
| Phase failure | One phase of power supply is missing. Controls are not supplied with mains voltage |
| Phase sequence fault | The phase conductors L1, L2 and L3 are connected in the wrong sequence. |
| Power supply failure | The safety-related part of controls is without power supply. |
| Temperature fault | Temperature within actuator controls housing too high. Failure of heating system for ambient temperatures below –25 °C |
| Failure of actuator monitoring | Actuator of valve locked |
| Fault in redundant wiring Safe ESD | Both signals Safe ESDa and Safe ESDb are not simultaneously on the same level. |
| Internal error | Internal error of the SIL module |
For further information on SIL faults and in particular to assist in troubleshooting,
refer to chapter <Indications>.
Installation and commissioning must be recorded and a final installation and
commissioning report must be issued.
Information The basic function "automatic correction of direction of rotation" is not available for
this version. When connecting the power supply ensure that phases L1, L2 and L3
are correctly connected. For checking the direction of rotation, refer to operation
instructions pertaining to the actuator.
The "external supply of electronics" option of the actuator controls refers to standard
actuator controls. In case of mains failure, the SIL module would no longer be
operable despite external supply of the electronics.
Information Limit switch setting for version with electronic control unit and SIL limit switches is
slightly different from the standard setting for the electromechanical control unit.
Refer to the supplement to operation instructions for correct setting (Y006.238).
5.2. Commissioning
The operation instructions pertaining to the device must be observed for general
commissioning.
Information For the Safe ESD function, operation into the safe position can be performed
irrespective of the selector switch position (LOCAL - OFF - REMOTE) or the operating
status. Upon request of the safety function, the actuator will start operation even in
positions LOCAL and OFF or on system start.
Risk of immediate actuator operation when switching on!
Risk of personal injuries or damage to the valve
→Ensure that high level is present at the Safe ESDa/ESDb inputs when
switching on (default: +24 V DC).
After commissioning, the safe actuator function must be verified. Refer to <Proof
Test> chapter.
If the actuator is operated over a longer period while the motor is disengaged,
this entails considerable wear of the actuator. Worst case would be accidental
start-up, turning of the handwheel or even destruction of the actuator.
Risk of personal injuries or damage to the actuator.
→Operational actions have to be provided to ensure that the motor (with exception
of the proof test) is not operated while the motor is disengaged.
→Only operate disengaged motor for a short time during proof test.
Commissioning checklist
Table 9: Commissioning checklist
⎕ ✓ 1. Actuator and controls correctly wired?
⎕ ✓ 2. Limit and torque switching set?
⎕ ✓ 3. Safe function (depending on the configuration) checked in accordance with the proof test checklists?
⎕ Yes ⎕ No 4. Commissioning of basic settings (standard actuator controls) performed in accordance with the operation instructions?
☒ ✓ = Executed
5.3. Operation
Regular maintenance and device checks in determined Tproof intervals are the basis
for safe operation. The parameters indicated in the <Safety figures> chapter are
valid for Tproof = 1 year.
For operation, both the pertaining operation instructions and the Manual (Operation
and setting) AC 01.2/ACExC 01.2 have to be observed.
In case of possible failures or defects of the safety system, safe function must be
guaranteed by introducing alternative actions. Furthermore, a detected fault including
fault description has to be sent to AUMA Riester GmbH & Co. KG. Autonomous
repair work by the plant operator is not permitted.
5.4. Lifetime
Actuator lifetime is described in the technical data sheets or the operation instructions.
Safety-related parameters are valid for the cycles or modulating steps defined in the
technical data specifications for typical periods of up to 10 years (the criterion
achieved first is valid). After this period, the probability of failure increases.
Extending this period is basically feasible in many cases provided both manufacturer
and operator introduce respective actions in compliance with footnote N3 of NOTE
3 of the German version of IEC 61508-2:2010 7.4.9.5 b). This is the responsibility
of the operator who will have to take appropriate and suitable measures. Please
contact us if you need support in identifying suitable measures.
5.5. Decommissioning
When decommissioning an actuator with safety functions, the following must be
observed:
●Impact of decommissioning on relevant devices, equipment or other work must
be evaluated.
●Safety and warning instructions contained in the actuator operation instructions
must be met.
●Decommissioning must be carried out exclusively by suitably qualified personnel.
●Decommissioning must be recorded in compliance with technical requirements.