AUMA SA 3 User manual

Multi-turn actuators
SA3 – SA100
SAR3 - SAR100
with epac controls in SIL version
Manual Functional Safety

NOTICE for use!
This document is only valid together with the latest operation instructions attached to the device, the attached
manual, and the pertaining technical and electrical data sheets. These are regarded as reference
documents.
Purpose of the document:
This document describes the actions required for using the device in safety-related systems in
accordance with IEC 61508 / IEC 61511.
Reference documents:
• Operation instructions (Assembly, operation, commissioning) for actuator.
• Manual (Operation and setting) 3.XX NI.
• Manual (Device integration Fieldbus) 3.XX NI Profibus.
• Technical data on multi-turn actuator and actuator controls.
Reference documents can be downloaded from the internet (www.auma.co.in).
Multi-turn actuators
SA series with Control 3.XX /NI/SIL

Table of Contents
1 Terminology
1.1 Abbreviations and concepts
2 Application and validity
2.1 Range of application
2.2 Standards
2.3 Valid device types
3 Architecture, configuration and applications
3.1 Architecture (actuator sizing)
3.2 Configuration (setting)/version
3.3 Protection against uncontrolled operation (self-locking/brake)
3.4 Operation mode (low/high demand mode)
3.5 Further notes and indications on architecture
3.6 Applications (environmental conditions)
4 Safety instrumented systems and safety functions
4.1 Safety instrumented system including an actuator
4.2 Safety functions
4.3 Safe inputs and outputs
4.4 Redundant system architecture
4.5 Examples of applications
4.6 System representation
5 Installation, commissioning and operation
5.1 Installation
5.2 Commissioning
5.3 Operation
5.4 Lifetime
5.5 Decommissioning
6 Indications on display
6.1 Status indications on SIL functions
6.2 SIL configuration warning
6.3 Backlight
7 Signals
7.1 Signals via SIL module
7.2 SIL fault signal via standard controls display (for troubleshooting support)
7.3 Status signals via output contacts (digital outputs) of standard controls
7.4 Signal via fieldbus of standard controls
8 Tests and maintenance
8.1 Safety equipment: check
8.2 Internal actuator monitoring with control via standard controls
8.3 Partial Valve Stroke Test (PVST): execute
8.4 Proof test (verification of safe actuator function)
8.4.1 Safe ESD safety operation “Safe OPENING/CLOSING”: check
8.4.2 SIL fault signal “Actuator monitoring”: check
8.4.3 Safe ESD reaction for “Motor protection (thermal fault)” signals: check
8.4.4 Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque evaluation): check
8.4.5 Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electromechanical control unit
8.4.6 Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electronic control unit and limit switches: check
8.4.7 Safe ESD reaction to “Forced torque seating in end position” (torque after limit evaluation): check
8.4.8 Safe ESD reaction for “no seating” (no evaluation of limit and torque): check
8.4.9 Safe STOP function: check
8.4.10 Combination of Safe ESD and Safe STOP function: check
8.5 Maintenance
9 Safety-related figures
9.1 Determination of the safety-related figures
9.2 Specific figures for SA series with EPAC controls 3.XX/NI in SIL version with actuators
10 SIL Certificate
11 Checklists
11.1 Commissioning checklist
11.2 Proof test checklists
11.2.1 Safe ESD safety operation (Safe OPENING/CLOSING)
11.2.2 SIL fault signal “Actuator monitoring”
11.2.3 Safe ESD reaction for “Motor protection (thermal fault)” signal
11.2.4 Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque evaluation)
11.2.5 Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electromechanical control unit
11.2.6 Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electronic control unit and limit switches
11.2.7 Safe ESD reaction to "Forced torque seating in end position" (torque after limit evaluation)
11.2.8 Safe ESD reaction to “no seating”
11.2.9 Safe STOP function
11.2.10 Combination of Safe ESD and Safe STOP
1 Terminology
Information sources
• IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety
related systems – Part 4: Definitions and abbreviations.
• IEC 61511-1, Functional safety - Safety instrumented systems for the process industry
sector – Part 1: Framework, definitions, system, hardware and software requirements.
1.1 Abbreviations and concepts
To evaluate safety functions, the lambda values or the PFD value (Probability of Dangerous
Failure on Demand) and the SFF value (Safe Failure Fraction) are the main requirements.
Further figures are required to assess the individual components. These figures are
explained in the table below:

Abbreviation | Full expression | Description
λS | Lambda Safe | Number of safe failures
λD | Lambda Dangerous | Number of dangerous failures
λDU | Lambda Dangerous Undetected | Number of undetected dangerous failures
λDD | Lambda Dangerous Detected | Number of detected dangerous failures
DC | Diagnostic Coverage | Ratio between the failure rate of dangerous failures detected by diagnostic tests and the total rate of dangerous failures of the component or subsystem. The diagnostic coverage does not include any failures detected during proof tests.
MTBF | Mean Time Between Failures | Mean time between the occurrence of two subsequent failures
SFF | Safe Failure Fraction | Fraction of safe failures as well as of detectable dangerous failures
PFDavg | Average Probability of dangerous Failure on Demand | Average probability of dangerous failures on demand of a safety function.
HFT | Hardware Failure Tolerance | Ability of a functional unit to execute a required function while faults or deviations are present. HFT = n means that the function can still be safely executed for up to n faults occurring at the same time.
Tproof | Proof test interval | Interval for proof test

SIL
Safety Integrity Level
The international standard IEC 61508 defines 4 levels (SIL 1 through SIL 4).

Safety function
Function to be implemented by a safety-related system for risk reduction with the objective to
achieve or maintain a safe state for the plant/equipment with respect to a specific dangerous
event.

Safety instrumented function (SIF)
Function with specified safety integrity level (SIL) to achieve functional safety.

Safety instrumented system (SIS)
Safety instrumented system for executing a single or several safety instrumented functions.
A SIS consists of sensor(s), logic system and actuator(s).

Safety-related system
A safety-related system includes all factors (hardware, software, human factors) necessary
to implement one or several safety functions. Consequently, failures of a safety function would
result in a significant increase in safety risks for people and/or the environment.
A safety-related system can comprise stand-alone systems dedicated to performing a
particular safety function or can be integrated into a plant.

Proof test
Periodic test performed to detect dangerous hidden failures in a safety-related system so
that, if necessary, a repair can restore the system to an "as new" condition or as close as
practical to this condition.

MTTR (Mean Time To Restoration)
Mean time to restoration once a failure has occurred; indicates the expected mean time to
achieve restoration of the system. It is therefore an important parameter for system
availability for the safety function. The time for detecting the failure, planning tasks, as well
as operating resources is also included. This should be reduced to a minimum.

MRT (Mean Repair Time)
Mean repair time indicates the mean time required to repair a system. The MRT is crucial
when defining the reliability and availability of a system for safety operation. The MRT should
preferably be small.

Device type (type A and type B)
Actuator controls can be regarded as type A devices if all of the following conditions
are met for all components required to achieve the safety instrumented function:
• The failure modes for all constituent components involved are well defined.
• The behavior under fault conditions can be completely determined.
• There is sufficient dependable failure data from the field to show that the claimed rates of
failure are met (confidence level min. 70%).
Actuator controls shall be regarded as type B devices if one or several of the following
conditions are met:
• The failure of at least one constituent component is not well defined.
• The fault behavior is not completely known.
• There is insufficient dependable failure data to support claims for rates of failure for
detected and undetected dangerous failures.

PTC (Proof Test Coverage)
Proof test coverage describes the fraction of failures which can be detected by means of a
proof test.
2 Application and validity
2.1 Range of application
AUMA actuators and actuator controls in SIL version are intended for operation of industrial
valves and are suitable for use in safety instrumented systems in accordance with IEC 61508
/ IEC 61511.
2.2 Standards
Actuators and actuator controls meet the following requirements:
• IEC 61508 ED.2: Functional safety of electrical/electronic/programmable electronic
safety-related systems
2.3 Valid device types
The data on functional safety contained in this manual applies to the device types indicated
hereafter.
Table 2: Overview on suitable device types
Type (Actuator) | Type (Controls) | Power supply (Motor)
SA3 – SA100 | EPAC controls in SIL version | 3-phase AC current
SAR3 – SAR100 | EPAC controls in SIL version | 3-phase AC current
Hardware, software and configuration of actuator and actuator controls must not be modified
without prior written consent by AUMA. Unauthorized modification may have a negative
impact on both safety figures and SIL capability of the products.
Information
In applications with requirements on functional safety, only AUMA actuator controls and
actuators in SFC or SIL version may be used.
AUMA actuator controls and actuators in SIL version can be identified by the letters “SIL” on
the nameplate.
Figure 1: Example of name plate with “SIL” marking on EPAC.
3 Architecture, configuration and applications
3.1 Architecture (actuator sizing)
For actuator architecture (actuator sizing) the maximum torques, run torques and operating
times are taken into consideration.
NOTICE
Incorrect actuator architecture can lead to device damage within the safety-related
system!
Possible consequences can be valve damage, motor overheating, contactor jamming,
defective thyristors, heating up of cables or damage to cables.
→ The actuator technical data must be strictly observed when selecting the
actuator.
→ Sufficient reserves have to be provided to ensure that actuators are capable of reliably
opening or closing the valve even in the event of an accident or under-voltage.
Architecture when using the Safe STOP function
Information
For the Safe STOP function, the motor is switched off; overrun may occur!
NOTICE
Valve damage due to overrun!
→ For the Safe STOP function (SS), the overrun of the arrangement (actuator, gearbox,
valve) and the reaction time have to be observed.
→ If the application requires self-locking of the actuator, please consult AUMA.
Architecture when using the Safe STOP function
Actuators with electromechanical control unit:
End position signaling (limit switching) and torque signaling via the electromechanical
control unit are safe signals which may be integrated into a safety-related system. However,
this signal is not part of the certification by TÜV Nord. Please refer to the specific safety
manual for details regarding this signal.
For “SIL seating” = “no seating” (without end position protection), we recommend:
• To prevent valve damage during safety operation, we recommend, depending on the
stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
• To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Actuators with electronic control unit MWG:
Information
End position signaling (limit switching) and torque signaling via the electronic control unit
MWG are not considered safe signals.
• In case safe signals are required, they have to be implemented differently, e.g. using
switches on the valve.
• To prevent valve damage during safety operation, we recommend, depending on the
stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
• To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Actuators with electronic control unit MWG including limit switches:
Information
In this version, safe signaling can exclusively be ensured via limit switches. However, this
signal is not part of the certification by TÜV Nord. Please refer to the specific safety manual
for details regarding this signal.
For “SIL seating” = “no seating” (without end position protection), we recommend:
• To prevent valve damage during safety operation, we recommend, depending on the
stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
• To avoid thermal damage due to excessive currents, we recommend monitoring
(assessing) the motor protection.
Information
For “SIL seating” = “Forced limit seating in end position”, the seating is performed via limit
switches in the end position. Since each switch has a hysteresis, the actuator leaves the end
position prior to limit switch release. Consequently, there is a marginal range of actuator
positions close to the safety position for which the limit switch is still operated when leaving the
safety position, while the Safe ESD function is NOT available. In this case, safety function
triggering leads to actuator standstill. If the range in question is approached from the opposite
direction, this limitation does not apply. In general, this range is relatively small. However, for
unfavorable configurations (low number of turns per stroke), this range can amount to more
than 10 % of the total stroke.
If, under unfavorable conditions, the effect described above represents
an unacceptable limitation for the safety function, we recommend applying the configuration
“Forced torque seating in end position” or “no seating” for safety operation.
Power Supply
Information
The plant operator is responsible for power supply.
3.2 Configuration (setting)/version
Configuration (setting) of safety-related functions is defined in the factory during actuator
controls assembly and validated during final inspection. Subsequent modification of the
configuration by the plant operator is not permissible.
General functions are set as described in the Operation instructions or the Manual (Operation
and setting) 3.XX EPAC actuator.
Configuration of safety-related functions is listed in the order-related technical data sheet.
Configuration options for safety function
Table 3: Configuration options for safety function
Configuration: SIL function | Short description
Safe ESD CLOSE/CLOSE | Safe CLOSING
Safe ESD OPEN/OPEN | Safe OPENING
Safe STOP CLOSE/OPEN | Safe STOP in direction CLOSE and direction OPEN
Safe ESD CLOSE/CLOSE + Safe STOP CLOSE/OPEN | Safe CLOSING and Safe STOP in direction CLOSE and direction OPEN
Safe ESD OPEN/OPEN + Safe STOP CLOSE/OPEN | Safe OPENING and Safe STOP in direction CLOSE and direction OPEN
When configuring a Safe ESD function and a Safe STOP function, the Safe ESD function is
always prioritized compared to the Safe STOP function when requested simultaneously.
Seating configuration options
Information
Seating of standard actuator controls should be configured as set forth in the tables below.
Table 4: For actuators with electromechanical control unit
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
1: No seating | No seating by limit or torque switches during safety operation | Freely selectable
2: Forced torque seating in end position | Safety operation is stopped if both limit and torque switches trip simultaneously | Torque seating
3: Forced limit seating in end position | Safety operation is stopped by limit switch tripping | Limit seating
4: Limit seating with overload protection | Safety operation is stopped by tripping the limit switches and/or the torque switches (overload protection). | Limit seating
Table 5: For actuators with electronic control unit MWG
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
1: No seating | No seating by limit or torque switches during safety operation | Freely selectable
Table 6: For actuators with electronic control unit MWG including limit switches
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
3: Forced limit seating in end position | Safety operation is stopped by limit switch tripping | Limit seating
Configuration options for motor protection assessment
Table 7: Configuration options for motor protection assessment
Configuration: SIL motor protection | Short description
Active | Tripping of the motor protection (thermal fault) stops or prevents safety operation
Inactive | Motor protection has no impact on the safety operation
Information
“SIL motor protection” = “inactive” configuration is only set if explicitly required. The version
does not meet the Ex approval requirements.
3.3 Protection against uncontrolled operation (self-locking/brake)
For self-locking AUMA actuators, it can be assumed that a load up to nominal torque will not
result in uncontrolled valve operation from standstill due to valve torque load. Consequently,
in these cases, further protection against uncontrolled operation is not imperatively required.
However, certain applications may require active position locking, for example by using a
brake. There are user-specific standards demanding this type of protection. Therefore, each
project must be subject to individual verification if any further protection is required. In any
case this protection is required for actuators without self-locking.
Table 8: Overview self-locking for AUMA actuators (at the time of printing of this document)
Type | Output speed at 50 Hz | Output speed at 60 Hz | Self-locking
SA 3 – SA 100 | 90 rpm or below | 108 rpm or below | Self-locking
SAR 3 – SAR 100 | 125 rpm or above | 150 rpm or above | NOT self-locking
If actuators with insufficient self-locking function paired with “Forced torque seating in end
position” SIL seating type are used for the safety function, the following effect might occur:
During ESD, the actuator operates to the end position and switches off due to reaching
the travel position and the tripping torque. Thereafter, the gear train is relieved and the
torque falls below the preset limit value. The actuator controls detect
this incident and switch the actuator on again since the behavior is correctly considered
as termination of the ESD condition. The actuator then generates additional torque until the
switching off condition is reached again, and so on. The “pumping effect” of the actuator is
the consequence.
To avoid this incident, we recommend either selecting actuators or other
elements with sufficient self-locking within the gear train or – if acceptable from a process and
safety point of view – selecting “Forced limit seating in end position” as safety function.
3.4 Operation mode (low/high demand mode)
The safety functions of the actuators supplied by AUMA are suitable for the low demand
mode and may only be used in this operation mode. If a non-safety instrumented function of
the basic process control system is executed via the same actuator in addition to the safety
function, note that, considering the sum of non-safety instrumented function, required
tests and safety function, the defined number of maximum permissible cycles 1) for the
respective actuator as well as the maximum number of starts 2) may not be exceeded during
deployment of the actuator within a safety instrumented system.
1) Definition of “cycles” according to EN 15714-2:2010
2) Definition of “starts” according to DIN EN 15714-2:2010
3.5 Further notes and indications on architecture
HFT is 0.
The systematic capability is 3 (SC=3).
Only flanges of sizes F07 or FA07 or larger may be used for valve attachment.
If the actuator is equipped with a position transmitter like MWG, RWG or EWG, they may not
be integrated within the safety instrumented system.
The actuator safety functions can be considered as type A device.
The operating time for a complete stroke must exceed 4 seconds. Attention: Any modification
of the nominal stroke results in operating time change.
Safety function(s) and their feedback signals may only be issued via the digital inputs and
outputs of the SIL module.
The signal issued via SIL fault output must be permanently evaluated. If the output
signals a fault, it can be assumed that the safety function is not available. The safety
function must be checked without delay. Further safety measures may have to be taken
until the safety function is restored without fault.
3.6 Applications (environmental conditions)
When specifying and using the actuators within safety instrumented systems, make sure that
the permissible service conditions and the EMC requirements by the peripheral devices are
met. Service conditions are indicated in the technical data sheets:
• Enclosure protection test
• Corrosion protection test
• Ambient temperature
• Definition of “cycles” test
• Definition of “starts” test
• Vibration resistance
If the actual ambient temperatures exceed an average of +40 °C, the lambda values have to
be incremented by a safety factor. For an average temperature of +60 °C, this factor is
specified to 2.5.
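The figures defined in 1.1 and the temperature factor above can be combined as follows. This is an added example, not part of the AUMA manual: the failure rates are constructed sample values, the PFDavg approximation and the SIL tables are the generic IEC 61508 ones for a type A element with HFT = 0, and all function names are hypothetical.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in 1/h (constructed sample values are used below, not AUMA data)."""
    lambda_s: float    # safe failures
    lambda_dd: float   # dangerous failures detected by diagnostics
    lambda_du: float   # dangerous failures not detected by diagnostics

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du


def derate_for_temperature(rates: FailureRates, avg_ambient_c: float) -> FailureRates:
    """Apply the manual's safety factor: none up to +40 °C, 2.5 at +60 °C."""
    if avg_ambient_c <= 40.0:
        return rates
    if avg_ambient_c == 60.0:
        return FailureRates(rates.lambda_s * 2.5, rates.lambda_dd * 2.5,
                            rates.lambda_du * 2.5)
    # The manual states no factor for other averages, so none is guessed here.
    raise ValueError("no safety factor stated for this average temperature")


def diagnostic_coverage(rates: FailureRates) -> float:
    """DC: detected dangerous failure rate over total dangerous failure rate."""
    return rates.lambda_dd / rates.lambda_d


def safe_failure_fraction(rates: FailureRates) -> float:
    """SFF: safe plus detected dangerous failures over all failures."""
    return (rates.lambda_s + rates.lambda_dd) / (rates.lambda_s + rates.lambda_d)


def pfd_avg(rates: FailureRates, t_proof_years: float = 1.0, ptc: float = 1.0,
            lifetime_years: float = 10.0) -> float:
    """Simplified single-channel, low demand approximation (assumption, IEC 61508 style).

    Undetected dangerous failures covered by the proof test stay hidden for half
    a proof test interval on average; the rest stay hidden for half the lifetime.
    """
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("ptc must be between 0 and 1")
    t_proof = t_proof_years * HOURS_PER_YEAR
    t_life = lifetime_years * HOURS_PER_YEAR
    return rates.lambda_du * (ptc * t_proof / 2 + (1 - ptc) * t_life / 2)


def sil_band_low_demand(pfd: float) -> int:
    """IEC 61508 low demand bands for PFDavg; 0 means no band is met."""
    for upper_limit, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd < upper_limit:
            return sil
    return 0


def sil_limit_type_a_hft0(sff: float) -> int:
    """Architectural constraint of IEC 61508-2 for a type A element with HFT = 0."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3


def max_sil_for_element(rates: FailureRates, systematic_capability: int = 3,
                        **pfd_kwargs) -> int:
    """Lowest of the PFDavg band, the architectural limit and SC (3 in the manual)."""
    return min(sil_band_low_demand(pfd_avg(rates, **pfd_kwargs)),
               sil_limit_type_a_hft0(safe_failure_fraction(rates)),
               systematic_capability)


# Constructed sample rates for illustration only.
SAMPLE = FailureRates(lambda_s=1.0e-6, lambda_dd=1.0e-6, lambda_du=5.0e-7)

if __name__ == "__main__":
    for temp_c in (40.0, 60.0):
        r = derate_for_temperature(SAMPLE, temp_c)
        print(temp_c, round(safe_failure_fraction(r), 3),
              pfd_avg(r, ptc=0.9), max_sil_for_element(r, ptc=0.9))
```

The result is a limit for this one element only; the safety integrity level is assigned to the complete safety instrumented system after all subsystems have been assessed.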
For environmental testing, actuator and actuator controls are subjected to the following tests:
• Dry heat test
• Damp heat test
• Vibration test
• Induced seismic vibration (earthquake)
• Enclosure protection IP68 test
• Salt spray test
• Immunity requirements test
• Emission test
All SIL actuators carry the caution label below for identification.
NOTICE
4 Safety instrumented systems and safety functions
4.1 Safety instrumented system including an actuator
Typically, a safety instrumented system including an actuator is composed of the
components as shown in the figure.
Figure 2: Typical safety instrumented system
[1] Sensors
[2] Controls (safety PLC)
[3] Actuator with actuator controls
[4] Valve
[5] Process control system
The safety integrity level is always assigned to an overall safety instrumented system and not
to an individual component.
For an individual component (e.g. an actuator), safety figures are determined. These figures
are used to assign the devices to a potential safety integrity level (SIL). The final classification
of the safety instrumented system can only be made after assessing and calculating all
subsystems.
4.2 Safety functions
In calculating the safety figures of actuators, the following safety functions are taken into
account:
• Safe ESD function (Emergency Shut Down): Safe OPENING/CLOSING
- Redundant Safe ESDa and Safe ESDb signals (standard: low active) make the
actuator travel to the configured direction (OPEN/CLOSE).
• Safe STOP function: Safe STOP
- An operation command of standard controls (in directions OPEN or CLOSE) will only
be executed if an additional enable signal for the operation command is applied.
- If this is not the case, operation in directions OPEN or CLOSE is stopped or even
suspended (motor is switched off).
• Safe ESD function combined with Safe STOP function.
- Safe ESD function has a higher priority i.e. if both functions are activated, the
actuator is operated into the configured direction (OPEN/CLOSE).
“Safe end position feedback” is neither part of the certification by TÜV Nord nor part of
this safety manual. Please refer to the specific safety manual for details regarding this
function.
The different configuration options of the safety functions are described in the <Configuration
(setting)/version> chapter.
4.3 Safe inputs and outputs
Safe inputs for Safe OPENING/CLOSING (Safe ESD function):
• Safe ESDa
• Safe ESDb
Safe inputs for safe stop (Safe STOP function):
• Safe STOP OPEN
• Safe STOP CLOSE
Safe outputs (indication that it might not be possible to perform the safety function):
• SIL fault
• SIL ready
For detailed information on safe inputs and outputs, refer to <Configuration (setting)/version>
chapter and <Installation> chapter.
4.4 Redundant system architecture
Besides the already described typical safety instrumented system including an actuator,
safety can be increased by integrating a second, redundant valve and actuator with actuator
controls in SIL version into the safety instrumented system. The decision on the correct
version depends on the entire system. With the redundant system architecture shown below,
actuator with actuator controls achieve SIL 3 in accordance with IEC 61508.
Figure 3: Redundant system with Safe ESD for Safe CLOSING
Figure 4: Redundant system with Safe ESD for Safe OPENING
4.5 Examples of applications
Safe OPENING of a pressure vessel using the Safe ESD function
The standard PLC controls the entire system. A system fault occurs if excessive pressure is
generated within the system. In this case, the safety PLC immediately opens the valve for
safe pressure relief.
Figure 5: Application example: Pressure vessel
Safe stop of locks to prevent destruction using the Safe STOP function.
Operation safety (preventing hazards to persons and systems) is of utmost importance for
locks. Once the lock closes, no boats must be between the gates. Otherwise, the Safe STOP
function (e.g. via EMERGENCY Stop button) is executed.
Figure 6: Application example: Lock
4.6 System representation
The representation below shows the simplified design of an epac in SIL version.
Figure 7: Simplified system representation
5 Installation, commissioning and operation
Information
Installation and commissioning have to be documented by means of an assembly report and
an inspection certificate. Installation and commissioning may only be performed by
authorised personnel who have been trained on functional safety.
The plant operator is responsible for ensuring power supply protection against over-voltage
and under-voltage during execution of a safety function.
5.1 Installation
Information
The PIN assignments (XK ...) mentioned in this chapter (and also in other chapters) are
considered as standard assignments of SA series with controls 3.XX /NI/SIL. In certain
configurations, this PIN assignment may differ; for the typical assignment, refer to the
applicable wiring diagram.
General installation tasks (assembly, electrical connection) have to be performed according
to the operation instructions pertaining to the device and the enclosed order-specific wiring
diagram.
Safety functions are connected via the SIL module integrated in the SA series with 3.XX
/NI/SIL actuator controls.
SIL fault must be connected to a SIL2 compatible input of a safety PLC and subsequently
analyzed.
Figure 8: Connections for safety functions via SIL module
[1] Typical connection assignment for parallel control
[2] Typical connection assignment for fieldbus control
Designation (wiring diagram) | Signal | Customer connection for control (typical assignment): [1] Parallel | [2] Fieldbus
Safe ESDa | Digital input for Safe ESD function | XK 31 | XK 3
Safe ESDb | Redundant input for Safe ESD function | XK 32 | XK 5
0 V | Reference potential for Safe ESDa and Safe ESDb | XK 33 | XK 7
Safe STOP CLOSE | Digital input for Safe STOP function in direction CLOSE | XK 35 | XK 8
0 V | Reference potential for Safe STOP CLOSE | XK 37 | XK 9
Safe STOP OPEN | Digital input for Safe STOP function in direction OPEN | XK 36 | XK 10
0 V | Reference potential for Safe STOP OPEN | XK 38 | XK 11
SIL ready | NO contact of SIL fault signal | XK 40 | XK 15
SIL failure | NC contact of SIL fault signal | XK 39 | XK 14
Com. | Reference potential for SIL fault signal | XK 42 | XK 16
Input switching behavior of Safe ESDa/ESDb and Safe STOP OPEN/CLOSE:
• Input level = high level (standard: +24 V DC)
= No safety operation for Safe ESD function or
= No safe stop for Safe STOP function
• Input signal = low level (0 V DC or input open)
= Failure operation for Safe ESD function or
= Safe stop for Safe STOP function
Permissible input voltage range:
• High level: 15 – 30 V DC
• Low level: max. 5 V DC
Signal behavior of SIL ready and SIL failure outputs:
• SIL ready/ Absence of fault to be detected by diagnostics:
NO (NO contact) output = closed
NC (NC contact) output = open
SIL fault displayed via SIL failure output
Fault causes (SIL) | Description
Thermal fault | Motor protection tripped
Torque fault | Torque fault in directions OPEN and/or CLOSE
Fault position feedback | Current position feedback is outside permissible range.
Phase failure | One phase of power supply is missing. Controls are not supplied with mains voltage
Power supply failure | The safety-related part of controls is without power supply.
Failure of actuator monitoring | Actuator not operated on Safe ESDa and ESDb command.
Fault in redundant wiring Safe ESD | Both signals Safe ESDa and Safe ESDb are not simultaneously on the same level.
Internal error | Internal error of the SIL module
For further information on SIL faults and in particular to assist in troubleshooting, refer to
chapter <Indications>.
Information
In case of mains failure, the SIL module would no longer be operable.
5.2 Commissioning
The operation instructions pertaining to the device must be observed for general
commissioning.
Information
For the Safe ESD function, operation into the safe position can be performed irrespective of
the selector switch position (LOCAL - OFF - REMOTE) or the operating status. Even in
positions LOCAL and OFF or at system start, the actuator can start by triggering the safety
function.
! CAUTION
Risk of immediate actuator start when switching on
Risk of personal injuries or damage to the valve
→ Ensure that high level is present at the Safe ESDa/ESDb inputs when switching
on (standard: +24 V DC).
After commissioning, the safe actuator function must be verified. Refer to <Proof test>
chapter.
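The input levels, the redundancy check on Safe ESDa/ESDb and the priority of Safe ESD over Safe STOP described in 4.2, 5.1 and 5.2 can be modelled for checking terminal measurements before switching on. This is an added example, not AUMA code: the function names are hypothetical, and reporting UNDETERMINED for voltages outside both specified ranges or for unequal ESD levels is an assumption, because the manual does not state the actuator reaction in those cases.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Thresholds from the manual's "Permissible input voltage range".
HIGH_MIN_V, HIGH_MAX_V = 15.0, 30.0
LOW_MAX_V = 5.0


class Level(Enum):
    HIGH = "high"            # no safety demand
    LOW = "low"              # safety demand (0 V DC or input open)
    UNDEFINED = "undefined"  # not inside either specified range (assumption)


@dataclass
class Evaluation:
    action: str  # SAFE_ESD, SAFE_STOP, RUN_OPEN, RUN_CLOSE, IDLE or UNDETERMINED
    sil_fault_expected: bool = False
    notes: List[str] = field(default_factory=list)


def classify(voltage: Optional[float]) -> Level:
    """Map a measured terminal voltage to a level; None models an open input."""
    if voltage is None or 0.0 <= voltage <= LOW_MAX_V:
        return Level.LOW
    if HIGH_MIN_V <= voltage <= HIGH_MAX_V:
        return Level.HIGH
    return Level.UNDEFINED


def safe_to_power_on(esd_a: Optional[float], esd_b: Optional[float]) -> bool:
    """Both Safe ESD inputs must be high, otherwise the actuator may start at once."""
    return classify(esd_a) is Level.HIGH and classify(esd_b) is Level.HIGH


def evaluate(esd_a, esd_b, stop_open, stop_close, command=None) -> Evaluation:
    """Expected reaction for a configuration with Safe ESD plus Safe STOP CLOSE/OPEN.

    command is the operation command of the standard controls:
    "OPEN", "CLOSE" or None.
    """
    if command not in (None, "OPEN", "CLOSE"):
        raise ValueError("command must be 'OPEN', 'CLOSE' or None")
    a, b = classify(esd_a), classify(esd_b)
    enable = {"OPEN": classify(stop_open), "CLOSE": classify(stop_close)}

    # Safe ESD is evaluated first because it has priority over Safe STOP.
    if Level.UNDEFINED in (a, b):
        return Evaluation("UNDETERMINED",
                          notes=["Safe ESD input outside the specified ranges"])
    if a is not b:
        return Evaluation("UNDETERMINED", True,
                          ["Safe ESDa and Safe ESDb are not on the same level "
                           "(fault in redundant wiring Safe ESD)"])
    if a is Level.LOW:
        return Evaluation("SAFE_ESD",
                          notes=["actuator travels in the configured direction"])

    if command is None:
        return Evaluation("IDLE")
    if enable[command] is Level.UNDEFINED:
        return Evaluation("UNDETERMINED",
                          notes=[f"Safe STOP {command} outside the specified ranges"])
    if enable[command] is Level.LOW:
        return Evaluation("SAFE_STOP",
                          notes=[f"no enable for {command}: motor is switched off"])
    return Evaluation("RUN_" + command)


if __name__ == "__main__":
    # Constructed measurements in V DC: ESDa, ESDb, STOP OPEN, STOP CLOSE, command.
    for sample in ((24.0, 24.0, 24.0, 24.0, "OPEN"),
                   (24.0, 24.0, None, 24.0, "OPEN"),
                   (0.0, 0.0, 0.0, 0.0, "OPEN"),
                   (24.0, 2.0, 24.0, 24.0, None)):
        print(sample, evaluate(*sample))
```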
5.3 Operation
Regular maintenance and device checks in determined Tproof intervals are the basis for safe
operation. The figures indicated in the <Safety figures> chapter are valid for Tproof = 1 year.
For operation, both the pertaining operation instructions and the manual (Operation and
setting) SA series with epac 3.XX /NI/SIL have to be observed.
In case of possible failures or defects of the safety system, safe function must be guaranteed
by introducing alternative actions. Furthermore, a detected fault including fault description
has to be sent to AUMA. Autonomous repair work by the plant operator is not permitted.
5.4 Lifetime
Lifetime of actuators is described in the technical data sheets or the operation instructions.
Safety-related figures are valid for the cycles or modulating steps defined in the technical
data specifications for typical periods of up to 10 years (the criterion achieved first is valid).
After this period, the probability of failure increases.
Extending this period is basically feasible in many cases provided both manufacturer and
operator introduce respective actions in compliance with footnote N3 of IEC 61508-2:2010
7.4.9.5 b). This is the responsibility of the operator who will have to take appropriate and
suitable measures. Please contact us if you need support in identifying suitable measures.
5.5 Decommissioning
When decommissioning an actuator with safety functions, the following must be observed:
• Impact of decommissioning on relevant devices, equipment or other work must be
evaluated.
• Safety and warning instructions contained in the actuator operation instructions must be
met.
• Decommissioning must be carried out exclusively by suitably qualified personnel.
• Decommissioning must be recorded in compliance with regular requirements.
6 Indications on display
This section contains indications of standard controls only available in SIL version. General
indications as well as settings and operation are described in the pertaining operation
instructions and in the manual (operation and setting) SA series with epac 3.XX /NI/SIL.
Information
Indications on the display are not part of a safety function! They must not be integrated in a
safety-related system!
The indications help the user on site at the device to easily understand the safety function
status.
6.1 Status indications on SIL functions
Actuator controls may indicate status information on safety-related functions on the display.
SIL status (S001)
Indication S001 signals the safety function and the SIL fault indication status.
If the SIL symbol is shown in the header of the display, one of the following three
indications is active: Safe ESD, Safe STOP or SIL fault.
Figure 9: Safety function and SIL fault indication status
Warnings (S003)
Indication S003 shows the number of warnings having occurred.
In case a SIL fault occurs, the message SIL fault is listed in indication S003. Refer to
Details > Status for further details.
Figure 10: Warning: SIL fault
| Status indications on display | Status |
|---|---|
| Safe ESD | Safe ESD function (Safe OPENING/CLOSING) is active: Actuator is operated in the configured direction (CLOSE/OPEN) (inputs Safe ESDa/Safe ESDb = 0 V or open) |
| Safe STOP | Safe STOP function is active, actuator stops (Safe STOP OPEN or Safe STOP CLOSE = 0 V or open inputs) |
| SIL fault | SIL fault signal active, i.e. possible problems when executing a safety function (Safe ESD or Safe STOP). |
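The input levels and indications described above can be cross-checked against a commissioning log with a small model. This is an added example, not AUMA code. The `Sample` record, the `discrepancy_ms` tolerance and the sample values are assumptions, and because this section does not state how the device reacts to a single low Safe ESD channel, that case is reported only as a wiring discrepancy.

```python
# Added example: maps recorded input levels to the indications tabulated above.
# True = high level (standard +24 V DC); False = 0 V or open input.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:  # hypothetical record of one logged reading
    t_ms: int
    esda: bool
    esdb: bool
    stop_open: bool
    stop_close: bool


def power_on_ok(s):
    """Caution above: both Safe ESD inputs must be high when switching on."""
    return s.esda and s.esdb


def expected_indications(samples, discrepancy_ms=100):
    """Return [(t_ms, [indications])]; discrepancy_ms is an assumed tolerance."""
    out, mismatch_since = [], None
    for s in samples:
        shown = set()
        if not s.esda and not s.esdb:
            shown.add("Safe ESD")  # both redundant inputs at 0 V or open
        if not s.stop_open or not s.stop_close:
            shown.add("Safe STOP")  # either Safe STOP input at 0 V or open
        if s.esda != s.esdb:  # redundant channels disagree
            if mismatch_since is None:
                mismatch_since = s.t_ms
            if s.t_ms - mismatch_since >= discrepancy_ms:
                shown.add("SIL fault")  # fault in redundant wiring Safe ESD
        else:
            mismatch_since = None
        out.append((s.t_ms, sorted(shown)))
    return out


# Constructed samples, not measurements from a device.
SAMPLES = [
    Sample(0, True, True, True, True),      # all inputs high
    Sample(50, False, True, True, True),    # ESDa drops, ESDb still high
    Sample(200, False, True, True, True),   # mismatch persists past tolerance
    Sample(250, False, False, True, True),  # both ESD inputs low
    Sample(300, True, True, True, False),   # Safe STOP CLOSE input low
]

if __name__ == "__main__":
    for t, shown in expected_indications(SAMPLES):
        print(t, shown or "no SIL indication")
```

The model does not cover priority between Safe ESD and Safe STOP when both conditions hold; it lists both.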