AUMA SA 3 User manual

Multi-turn actuators

SA3 – SA100

SAR3 - SAR100

with epac controls in SIL version

Manual Functional Safety

NOTICE for use!

This document is only valid with the latest operation instructions attached to the device, the attached manual as

well as the pertaining technical and electrical data sheets respectively. They are understood as reference

documents.

Purpose of the document:

The present document informs about the actions required for using the device in safety-related systems in

accordance with IEC 61508 / IEC 61511.

Reference documents:

• Operation instructions (Assembly, operation, commissioning) for actuator.

• Manual (Operation and setting) 3.XX NI.

• Manual (Device integration Fieldbus) 3.XX NI Proﬁbus.

• Technical data on multi-turn actuator and actuator controls.

Reference documents can be downloaded from the internet (www.auma.co.in).

Table of Content

Sl. No.

Content

Page No.

Terminology

4-5

1.1

Abbreviations and concepts

Application and validity

2.1

Range of application

2.2

Standards

General information about Proﬁbus DP

6-7

2.1

Basic characteristics

2.2

Basic functions of Proﬁbus DP

2.3

Transfer mode

2.4

BUS access

2.5

Functionality

2.6

Protective functions

2.7

Device types

Commissioning

8-11

3.1

Introduction

3.2

Parameter setting

3.2.1

Settings for basic functionality for Proﬁbus DP-V1

3.2.2

Settings for Proﬁbus DP-V1 services

3.3

BUS address (slave address)

Table of Contents

Sl. No.

Content

Page No.

Terminology

5-6

1.1

Abbreviations and concepts

Application and validity

2.1

Range of application

2.2

Standards

2.3

Valid device types

Architecture, conﬁguration and applications

8-12

3.1

Architecture (actuator sizing)

3.2

Conﬁguration (setting)/version

3.3

Protection against uncontrolled operation (self-locking/brake)

3.4

Operation mode (low/high demand mode)

3.5

Further notes and indications on architecture

3.6

Applications (environmental conditions)

Safety instrumented systems and safety functions

13-16

4.1

Safety instrumented system including an actuator

4.2

Safety functions

4.3

Safe inputs and outputs

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

4.4

Redundant system architecture

4.5

Examples of applications

4.6

System representation

Installation, commissioning and operation

17-19

5.1

Installation

5.2

Commissioning

5.3

Operation

5.4

Lifetime

5.5

Decommissioning

Indications on display

20-21

6.1

Status indications on SIL functions

6.2

SIL conﬁguration warning

6.3

Backlight

Signals

22-23

7.1

Signals via SIL module

7.2

SIL fault signal via standard controls display (for troubleshooting support)

7.3

Status signals via output contacts (digital outputs) of standard controls

7.4

Signal via ﬁeldbus of standard controls

Tests and maintenance

24-35

8.1

Safety equipment: check

8.2

Internal actuator monitoring with control via standard controls

8.3

Partial Valve Stroke Test (PVST): execute

8.4

Proof test (veriﬁcation of safe actuator function)

8.4.1

Safe ESD safety operation “Safe OPENING/CLOSING”: check

8.4.2

SIL fault signal “Actuator monitoring”: check

8.4.3

Safe ESD reaction for “Motor protection (thermal fault)” signals: check

8.4.4

Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque

evaluation): check

8.4.5

Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) –

for actuators with electromechanical control unit

8.4.6

Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for

actuators with electronic control unit and limit switches: check

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

8.4.7

Safe ESD reaction to “Forced torque seating in end position” (torque after limit

evaluation): check

8.4.8

Safe ESD reaction for “no seating” (no evaluation of limit and torque): check

8.4.9

Safe STOP function: check

8.4.10

Combination of Safe ESD and Safe STOP function: check

8.5

Maintenance

Safety-related ﬁgures

36-3

9.1

Determination of the safety-related ﬁgures

9.2

Speciﬁc ﬁgures for SA series with EPAC controls 3.XX/NI in SIL version with

actuators

SIL Certiﬁcate

Checklists

39-46

11.1

Commissioning checklist

11.2

Proof test checklists

11.2.1

Safe ESD safety operation (Safe OPENING/CLOSING)

11.2.2

SIL fault signal “Actuator monitoring”

11.2.3

Safe ESD reaction for “Motor protection (thermal fault)” signal

11.2.4

Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque

evaluation)

11.2.5

Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for

actuators with electromechanical control unit

11.2.6

Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for

actuators with electronic control unit and limit switches

11.2.7

Safe ESD reaction to "Forced torque seating in end position" (torque after limit

evaluation)

11.2.8

Safe ESD reaction to “no seating”

11.2.9

Safe STOP function

11.2.10

Combination of Safe ESD and Safe STOP

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

1 Terminology

Information sources

• IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety

related systems – Part 4: Deﬁnitions and abbreviations.

• IEC 61511-1, Functional safety - Safety instrumented systems for the process industry

sector – Part 1: Framework, deﬁnitions, system, hardware and software requirements.

1.1 Abbreviations and concepts

To evaluate safety functions, the lambda values or the PFD value (Probability of Dangerous

Failure on Demand) and the SFF value (Safe Failure Fraction) are the main requirements.

Further ﬁgures are required to assess the individual components. These ﬁgures are

explained in the table below:

SIL

Safety Integrity Level

The international standard IEC 61508 deﬁnes 4 levels (SIL1 through SIL 4).

Safety function

Function to be implemented by a safety-related system for risk reduction with the objective to

achieve or maintain a safe state for the plant/equipment with respect to a speciﬁc dangerous

event.

Safety instrumented

function (SIF)

Function with speciﬁed safety integrity level (SIL) to achieve functional safety.

Safety instrumented

system (SIS)

Safety instrumented system for executing a single or several safety instrumented functions.

A SIS consists of sensor(s), logic system and actuator(s).

Safety-related system

A safety-related system includes all factors (hardware, software, human factors) necessary

to implement one or several safety functions. Consequently, failures of safety function would

result in a signiﬁcant increase in safety risks for people and/or the environment.

Abbreviation

Full expression

Description

λS Lambda Safe Number of safe failures

λD Lambda Dangerous Number of dangerous failures

λDU Lambda Dangerous Undetected Number of undetected dangerous failures

λDD Lambda Dangerous Detected Number of detected dangerous failures

DC Diagnostic Coverage Diagnostic Coverage - ratio between the failure

rate of dangerous failures detected by diagnostic

tests and total rate of dangerous failures of the

component or subsystem. The diagnostic

coverage does not include any failures detected

during proof tests.

MTBF Mean Time Between Failures Mean time between the occurrence of two

subsequent failures

SFF Safe Failure Fraction Fraction of safe failures as well as of detectable

dangerous failures

PFDavg Average Probability of dangerous

Failure on Demand

Average probability of dangerous failures on

demand of a safety function.

HFT Hardware Failure Tolerance Ability of a functional unit to execute a required

function while faults or deviations are present.

HFT = n means that the function can still be safely

executed for up to n faults occurring at the same

time.

Tproof Proof test interval Interval for proof test

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

A safety-related system can comprise stand-alone systems dedicated to perform a

particular safety function or can be integrated into a plant.

Proof test

Periodic test is performed to detect dangerous hidden failures in a safety-related system so

that, if necessary, a repair can restore the system to an "as new" condition or as close as

practical to this condition.

MTTR (Mean Time To

Restoration)

Mean time to restoration once a failure has occurred, indicates the expected mean time to

achieve restoration of the system. It is therefore an important parameter for system

availability for the safety function. The time for detecting the failure, planning tasks, as well

as operating resources is also included. This should be reduced to a minimum.

MRT (Mean Repair Time)

Mean repair time indicates the mean time required to repair a system. The MRT is crucial

when deﬁning the reliability and availability of a system for safety operation. The MRT should

preferably be small.

Device type (type A and

type B)

Actuator controls version can be regarded as type A devices if all of the following conditions

are met for all components required to achieve the safety instrumented function:

• The failure modes for all constituent components involved are well deﬁned.

• The behavior under fault conditions can be completely determined.

• There is sufﬁcient dependable failure data from the ﬁeld to show that the claimed rates of

failure are met (conﬁdence level min. 70%).

Actuator controls shall be regarded as type B devices if one or several of the following

conditions are met:

• The failure of at least one constituent component is not well deﬁned.

• The fault behavior is not completely known.

• There is insufﬁcient dependable failure data to support claims for rates of failure for

detected and undetected dangerous failures.

PTC (Proof Test Cover-

age)

Proof test coverage describes the fraction of failures which can be detected by means of a

proof test.

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

2 Application and validity

2.1 Range of application

AUMA actuators and actuator controls in SIL version are intended for operation of industrial

valves and are suitable for use in safety instrumented systems in accordance with IEC 61508

/ IEC 61511.

2.2 Standards

Actuators and actuator controls meet the following requirements:

• IEC 61508 ED.2: Functional safety of electrical/electronic/programmable electronic

safety-related systems

2.3 Valid device types

The data on functional safety contained in this manual applies to the device types indicated

hereafter.

Table 2: Overview on suitable device types

Hardware, software and conﬁguration of actuator and actuator controls must not be modiﬁed

without prior written consent by AUMA. Unauthorized modiﬁcation may have a negative

impact on both safety ﬁgures and SIL capability of the products.

Information

In applications with requirements on functional safety, only AUMA actuator controls and

actuators in SFC or SIL version may be used.

AUMA actuator controls and actuators in SIL version can be identiﬁed by the letters “SIL” on

the nameplate.

Figure 1: Example of name plate with “SIL” marking on EPAC.

Type

Power supply

Actuator

Controls

Motor

SA3 – SA100 EPAC controls in SIL version 3-phase AC current

SAR3 – SAR100 EPAC controls in SIL version 3-phase AC current

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

3 Architecture, conﬁguration and applications

3.1 Architecture (actuator sizing)

For actuator architecture (actuator sizing) the maximum torques, run torques and operating

times are taken into consideration.

Incorrect actuator architecture can lead to device damage within the safety- related

system!

Possible consequences can be valve damage, motor overheating, contactor jamming,

defective thyristors, heating up of cables or damage to cables.

→ The actuator technical data must imperatively be observed when selecting the

actuator.

→ Sufﬁcient reserves have to be provided to ensure that actuators are capable of reliably

opening or closing the valve even in the event of an accident or under- voltage.

Architecture when using the Safe STOP function

Information

For the Safe STOP function, the motor is switched off, overrun may possibly occur!

Valve damage due to overrun!

→ For the Safe STOP function (SS), the overrun of the arrangement (actuator, gearbox,

valve) and the reaction time have to be observed.

→ If the application requires self-locking of the actuator, please consult AUMA.

Architecture when using the Safe STOP function

Actuators with electromechanical control unit:

For end position signaling (limit switching) and torque signaling via the electromechanical

control unit are safe signals which may be integrated into a safety-related system. However,

this signal is not part of the certiﬁcation by TÜV Nord. Please refer to the speciﬁc safety

manual for details regarding this signal.

For “SIL seating” = “no seating” (without end position protection), we recommend:

• To prevent valve damage during safety operation, we recommend, depending on the

stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.

• To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

Actuators with electronic control unit MWG:

Information

For end position signaling (limit switching) and torque signaling via the electronic control unit

MWG are not considered as safe signals.

• In case safe signals are required, they have to be implemented differently, e.g. using

switches on the valve.

• To prevent valve damage during safety operation, we recommend, depending on the

stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.

• To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

NOTICE

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

Actuators with electronic control unit MWG including limit switches:

Information

In this version, safe signaling can exclusively be ensured via limit switches. However, this

signal is not part of the certiﬁcation by TÜV Nord. Please refer to the speciﬁc safety manual

for details regarding this signal.

For “SIL seating” = “no seating” (without end position protection), we recommend:

• To prevent valve damage during safety operation, we recommend, depending on the

stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.

• To avoid thermal damage due to excessive currents, we recommend monitoring

(assessing) the motor protection.

Information

For “SIL seating” = “Forced limit seating in end position”, the seating is performed via limit

switches in the end position. Since, each switch has a hysteresis, the actuator leaves the end

position prior to limit switch release. Consequently, there is a marginal range of actuator

positions to the safety position, for which the limit switch is still operated when leaving the

safety position, while the Safe ESD function is NOT available. In this case, safety function

triggering leads to actuator standstill. If the range in question is approached from the opposite

direction, this limitation does not apply. In general this range is relatively small. However, for

unfavorable conﬁgurations (low number of turns per stroke), this range can amount to more

than 10 % of the total stroke.

Should within the framework of unfavorable conditions the effect described above represent

an unacceptable limitation for the safety function, we recommend applying the conﬁguration

“Forced torque seating in end position” or “no seating” for safety operation.

Power Supply

Information

The plant operator is responsible for power supply.

3.2 Conﬁguration (setting)/version

Conﬁguration (setting) of safety-related functions is deﬁned in the factory during actuator

controls assembly and validated during ﬁnal inspection. Subsequent modiﬁcation of the

conﬁguration by the plant operator is not permissible.

General functions are set as described in the Operation instructions or the Manual (Operation

and setting) 3.XX EPAC actuator.

Conﬁguration of safety-related functions is listed in the order-related technical data sheet.

Conﬁguration options for safety function

Table 3:

When conﬁguring a Safe ESD function and a Safe STOP function, the Safe ESD function is

always prioritized compared to the Safe STOP function when requested simultaneously.

Configuration options for safety function

Configuration

SIL function

Short description

Safe ESD CLOSE/CLOSE

Safe CLOSING

Safe ESD OPEN/OPEN

Safe OPENING

Safe STOP CLOSE/OPEN

Safe STOP in direction CLOSE and direction OPEN

Safe ESD CLOSE/CLOSE + Safe STOP

CLOSE/OPEN

Safe CLOSING and Safe STOP in direction CLOSE and direc-

tion OPEN

Safe ESD OPEN/OPEN + Safe STOP

CLOSE/OPEN

Safe OPENING and Safe STOP in direction CLOSE and direc-

tion OPEN

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

Seating conﬁguration options

Information

Seating of standard actuator controls should be conﬁgured as set forth in the tables below.

Table 4:

Table 5:

Table 6:

Conﬁguration options for motor protection assessment

Table 7:

Information

“SIL motor protection” = “inactive” conﬁguration is only set if explicitly required. The version

does not meet the Ex approval requirements.

3.3 Protection against uncontrolled operation (self-locking/brake)

For self-locking AUMA actuators, it can be assumed that a load up to nominal torque will not

result in uncontrolled valve operation from standstill due to valve torque load. Consequently,

in these cases, further protection against uncontrolled operation is not imperatively required.

However, certain applications may require active position locking, for example by using a

brake. There are user-speciﬁc standards demanding this type of protection. Therefore, each

project must be subject to individual veriﬁcation if any further protection is required. In any

case this protection is required for actuators without self-locking.

For actuators with electromechanical control unit:

Configuration

SIL seating type

Short description

Configuration

Type of seating

Standard controls

1: No seating

No seating by limit or torque switches during

safety operation

Freely selectable

2: Forced torque seating

in end position

Safety operation is stopped if both limit and

torque switches trip simultaneously

Torque seating

3: Forced limit seating in

end position

Safety operation is stopped by limit switch trip-

ping

Limit seating

4: Limit seating with

overload protection

Safety operation is stopped by tripping the limit

switches and/or the torque switches (overload

protection).

Limit seating

For actuators with electronic control unit MWG

Configuration

SIL seating type

Short description

Configuration

Type of seating

Standard controls

1: No seating

No seating by limit or torque switches during

safety operation

Freely selectable

For actuators with electronic control unit MWG including limit switches

Configuration

SIL seating type

Short description

Configuration

Type of seating

Standard controls

3: Forced limit seating in

end position

Safety operation is stopped by limit switch trip-

ping

Limit seating

Configuration options for motor protection assessment

Configuration

SIL motor protection

Short description

Active

Tripping of the motor protection (thermal fault) stops or prevents safety oper-

ation

Inactive

Motor protection has no impact on the safety operation

Multi-turn actuators

SA series with Control 3.XX /NI/SIL

Other manuals for SA 3

This manual suits for next models

Table of contents

Popular Controllers manuals by other brands

Digiplex

Digiplex DGP-848 Programming guide

YASKAWA

YASKAWA SGM series user manual

Sinope

Sinope Calypso RM3500ZB installation guide

Isimet

Isimet DLA Series Style 2 Installation, Operations, Start-up and Maintenance Instructions

LSIS

LSIS sv-ip5a user manual

Rockwell Automation

Rockwell Automation 1769-L31 installation instructions

Airflow

Airflow Uno hab Installation and operating instructions

ABB

ABB ACS580-01 drives Hardware manual

Panasonic

Panasonic GM1 Series Reference manual

Emerson

Emerson SW93 owner's manual

AutoAqua

AutoAqua Smart ATO micro SATO-120P manual

Panasonic

Panasonic FP? Positioning Unit RTEX Technical manual

Samson

Samson Type 5824 Mounting and operating instructions

Alpha IP

Alpha IP MIOB 21001 manual

Siemens

Siemens OpenAir GMA 1 Series Mounting instructions

Surecom

Surecom SR-629 user manual

Fishman

Fishman TriplePlay installation guide

Regulus

Regulus SRS1 T Installation and operation manual