AUMA SQ 05.2 User manual

Part-turn actuators
SQ 05.2 – SQ 14.2/SQR 05.2 – SQR 14.2
SQEx 05.2 – SQEx 14.2/SQREx 05.2 – SQREx 14.2
with actuator controls
AC 01.2-SIL/ACExC 01.2-SIL
SIL version
Functional safety manual

NOTICE for use!
This document is only valid in conjunction with the latest operation instructions attached to the device, the attached manual and the respective technical and electrical data sheets. They are understood as reference documents.
Purpose of the document:
This document describes the actions required for using the device in safety-related systems in accordance with IEC 61508 or IEC 61511.
Reference documents:
● Operation instructions (Assembly and commissioning) for the actuator
● Manual (Operation and setting) AC 01.2/ACExC 01.2 actuator controls
● Manual (Device integration Fieldbus) AC(V) 01.2/AC(V)ExC 01.2 actuator controls
● Technical data for part-turn actuator and actuator controls.
Reference documents are available on the Internet at: http://www.auma.com.
Table of contents
1. Terminology
1.1. Abbreviations and concepts
2. Application and validity
2.1. Range of application
2.2. Standards
2.3. Valid device types
3. Architecture, configuration and applications
3.1. Architecture (actuator sizing)
3.2. Configuration (setting)/version
3.3. Protection against uncontrolled operation (self-locking/brake)
3.4. Operation mode (low/high demand mode)
3.5. Further notes and indications on architecture
3.6. Applications (environmental conditions)
4. Safety instrumented systems and safety functions
4.1. Safety instrumented system including an actuator
4.2. Safety functions
4.3. Safe inputs and outputs
4.4. Redundant system architecture
4.5. Examples of applications
4.6. System representation
5. Installation, commissioning and operation
5.1. Installation
5.2. Commissioning
5.3. Operation
5.4. Lifetime
5.5. Decommissioning
6. Indications on display
6.1. Status indications on SIL functions
6.2. SIL configuration warning
6.3. Backlight
7. Signals
7.1. Signals via SIL module
7.2. SIL - fault signal via the standard actuator controls display (for troubleshooting support)
7.3. Status signals via output contacts (digital outputs) of standard actuator controls
7.4. Signals via fieldbus of standard actuator controls
8. Tests and maintenance
8.1. Safety equipment: check
8.2. Internal actuator monitoring with control via standard actuator controls
8.3. Partial Valve Stroke Test (PVST): execute
8.4. Proof test (verification of safe actuator function)
8.4.1. Preliminary test
8.4.2. Check Safe ESD safety operation “Safe OPENING/CLOSING”
8.4.3. Check SIL fault signal “Actuator monitoring”
8.4.4. Check Safe ESD reaction for “Motor protection (thermal fault)” signals
8.4.5. Check Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque evaluation)
8.4.6. Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electromechanical control unit
8.4.7. Check Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electronic control unit and limit switches
8.4.8. Check Safe ESD reaction to “Forced torque seating in end position” (torque after limit evaluation)
8.4.9. Check Safe ESD reaction for “no seating” (no evaluation of limit and torque)
8.4.10. Check Safe STOP function
8.4.11. Check combination of Safe ESD and Safe STOP function
8.5. Maintenance
9. Safety-related figures
9.1. Determination of the safety-related figures
9.2. Specific parameters for AC 01.2 actuator controls in SIL version with actuators of SQ .2 series
10. SIL Certificate
11. Checklists
11.1. Commissioning checklist
11.2. Proof test checklists
11.2.1. Safe ESD safety operation (Safe OPENING/CLOSING) – irrespective of the selected control unit
11.2.2. SIL fault signal “Actuator monitoring” – irrespective of the selected control unit
11.2.3. Safe ESD reaction for “Motor protection (thermal fault)” signals – irrespective of the selected control unit
11.2.4. Safe ESD reaction to “Limit seating with overload protection” (limit and/or torque evaluation) – for actuators with electromechanical control unit
11.2.5. Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electromechanical control unit
11.2.6. Safe ESD reaction to “Forced limit seating in end position” (limit evaluation) – for actuators with electronic control unit and limit switches
11.2.7. Safe ESD reaction to Forced torque seating in end position (limit evaluation) – for actuators with electromechanical control unit
11.2.8. Safe ESD reaction to “No seating” – for actuators with electromechanical control unit or with electronic control unit with limit switches
11.2.9. Safe STOP function – irrespective of the selected control unit
11.2.10. Combination of Safe ESD and Safe STOP – irrespective of the selected control unit
Index

1. Terminology
Information sources
● IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
● IEC 61511-1, Functional safety - Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements
1.1. Abbreviations and concepts
To evaluate safety functions, the lambda values or the PFD value (Probability of Dangerous Failure on Demand) and the SFF value (Safe Failure Fraction) are the main requirements. Further figures are required to assess the individual components. These figures are explained in the table below.
Table 1: Abbreviations of safety figures
Abbreviation | Full expression | Description
λS | Lambda Safe | Number of safe failures
λD | Lambda Dangerous | Number of dangerous failures
λDU | Lambda Dangerous Undetected | Number of undetected dangerous failures
λDD | Lambda Dangerous Detected | Number of detected dangerous failures
DC | Diagnostic Coverage | Diagnostic Coverage - ratio between the failure rate of dangerous failures detected by diagnostic tests and total rate of dangerous failures of the component or subsystem. The diagnostic coverage does not include any failures detected during proof tests.
MTBF | Mean Time Between Failures | Mean time between the occurrence of two subsequent failures
SFF | Safe Failure Fraction | Fraction of safe failures as well as of detectable dangerous failures
PFDavg | Average Probability of dangerous Failure on Demand | Average probability of dangerous failures on demand of a safety function.
HFT | Hardware Fault Tolerance | Ability of a functional unit to execute a required function while faults or deviations are present. HFT = n means that the function can still be safely executed for up to n faults occurring at the same time.
Tproof | Proof test interval | Interval for proof test
SIL: Safety Integrity Level. The international standard IEC 61508 defines 4 levels (SIL 1 through SIL 4).
Safety function: Function to be implemented by a safety-related system for risk reduction with the objective to achieve or maintain a safe state for the plant/equipment with respect to a specific dangerous event.
Safety instrumented function (SIF): Function with specified safety integrity level (SIL) to achieve functional safety.
Safety instrumented system (SIS): Safety instrumented system for executing a single or several safety instrumented functions. An SIS consists of sensor(s), logic system and actuator(s).
Safety-related system: A safety-related system includes all factors (hardware, software, human factors) necessary to implement one or several safety functions. Consequently, failures of the safety function would result in a significant increase in safety risks for people and/or the environment.
A safety-related system can comprise stand-alone systems dedicated to perform a particular safety function or can be integrated into a plant.
Proof test: Periodic test performed to detect dangerous hidden failures in a safety-related system so that, if necessary, a repair can restore the system to an "as new" condition or as close as practical to this condition.
MTTR (Mean Time To Restoration): Mean time to restoration once a failure has occurred. Indicates the expected mean time to achieve restoration of the system. It is therefore an important parameter for system availability. The time for detecting the failure, planning tasks as well as operating resources is also included. It should be reduced to a minimum.
MRT (Mean Repair Time): Mean repair time indicates the mean time required to repair a system. The MRT is crucial when defining the reliability and availability of a system. The MRT should preferably be small.
Device type (type A and type B): Actuator controls can be regarded as type A devices if all of the following conditions are met for all components required to achieve the safety instrumented function:
● The failure modes for all constituent components involved are well defined.
● The behaviour under fault conditions can be completely determined.
● There is sufficient dependable failure data from the field to show that the claimed rates of failure are met (confidence level min. 70 %).
Actuator controls shall be regarded as type B devices if one or several of the following conditions are met:
● The failure of at least one constituent component is not well defined.
● The fault behaviour is not completely known.
● There is insufficient dependable failure data to support claims for rates of failure for detected and undetected dangerous failures.
PTC (Proof Test Coverage): Proof test coverage describes the fraction of failures which can be detected by means of a proof test.
2. Application and validity
2.1. Range of application
AUMA actuators and actuator controls in SIL version, with the safety functions
mentioned in this manual, are intended for operation of industrial valves and are
suitable for use in safety instrumented systems in accordance with IEC 61508 or
IEC 61511.
2.2. Standards
Both actuators and actuator controls meet the following requirements:
● IEC 61508 ED.2: Functional safety of electrical/electronic/programmable electronic safety-related systems
2.3. Valid device types
The data on functional safety contained in this manual applies to the device types
indicated hereafter.
Table 2: Overview on suitable device types
Type: Actuator | Type: Actuator controls | Power supply: Motor
SQ 05.2 – SQ 14.2 | AC 01.2 in SIL version | 3-phase AC current
SQR 05.2 – SQR 14.2 | AC 01.2 in SIL version | 3-phase AC current
SQEx 05.2 – SQEx 14.2 | ACExC 01.2 in SIL version | 3-phase AC current
SQREx 05.2 – SQREx 14.2 | ACExC 01.2 in SIL version | 3-phase AC current
Hardware, software and configuration of actuator and actuator controls must not be modified without prior written consent by AUMA. Unauthorised modification may have a negative impact on both safety figures and SIL capability of the products.
Information: In applications with requirements on functional safety, only AUMA actuator controls and actuators in SFC or SIL version may be used.
AUMA actuator controls and actuators in SIL version can, among others, be identified by the letters “SIL” on the name plate.
Figure 1: Example of AC name plate with “SIL” marking
Figure 2: Example of SQ name plate with “SIL” marking
3. Architecture, configuration and applications
3.1. Architecture (actuator sizing)
For actuator architecture (actuator sizing) the maximum torques, run torques and
operating times are taken into consideration.
Incorrect actuator architecture can lead to device damage within the safety-related system!
Possible consequences: Valve damage, motor overheating, contactor seizure, damage to the electronics, heating up or damage to cables.
→ The actuator technical data must imperatively be observed when selecting the actuator.
→ Sufficient reserves have to be provided to ensure that actuators are capable of reliably opening or closing the valve even in the event of an accident or undervoltage.
Architecture when using the Safe STOP function
Information: For the Safe STOP function, the motor is switched off; overrun may occur!
Valve damage due to overrun!
→ For the Safe STOP function (SS), the overrun of the arrangement (actuator, gearbox, valve) and the reaction time have to be observed.
→ If the application requires self-locking of the actuator, please consult AUMA.
Architecture when using the Safe ESD function
Actuators with electromechanical control unit:
The end position feedback (limit switching) and the torque signal of the electromechanical control unit are safe signals, which can be integrated into a safety-related system if they are directly wired to the XK customer output of the actuator controls. However, this signal is not part of the certification by TÜV Nord. Please refer to the specific safety manual for details regarding this signal.
For “SIL seating” = “no seating” (without end position protection), we recommend:
● To prevent valve damage during safety operation, we recommend, depending on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring (assessing) the motor protection.
Actuators with electronic control unit MWG:
Information: The end position feedback (limit switching) and the torque signal of the electronic control unit MWG as well as all signals via the standard I/O interface and the fieldbus interfaces are not safe signals.
● In case safe signals are required, they have to be implemented differently, e.g. using switches on the valve.
● To prevent valve damage during safety operation, we recommend, depending on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring (assessing) the motor protection.
Actuators with electronic control unit MWG including limit switches:
Information: In this version, safe signalling can exclusively be ensured via limit switches if they are directly wired to the XK customer output of the actuator controls. However, this signal is not part of the certification by TÜV Nord. Please refer to the specific safety manual for details regarding this signal.
For “SIL seating” = “no seating” (without end position protection), we recommend:
● To prevent valve damage during safety operation, we recommend, depending on the stiffness, sizing the valve to 3 – 5 times the maximum actuator torque.
● To avoid thermal damage due to excessive currents, we recommend monitoring (assessing) the motor protection.
Information: For “SIL seating” = “Forced limit seating in end position”, the seating is performed via limit switches in the end position. Since each switch has a hysteresis, the actuator leaves the end position prior to limit switch release. Consequently, there is a marginal range of actuator positions close to the safety position in which the limit switch is still operated when leaving the safety position and the Safe ESD function is NOT available. In this case, safety function triggering leads to actuator standstill. If the range in question is approached from the opposite direction, this limitation does not apply. In general this range is relatively small. However, for unfavourable configurations, this range can amount to more than 10 % of the travel.
Should the effect described above represent an unacceptable limitation for the safety function under unfavourable conditions, we recommend applying the configuration “Forced torque seating in end position” or “no seating” for safety operation.
Power supply
Information: The plant operator is responsible for power supply.
3.2. Configuration (setting)/version
Configuration (setting) of safety-related functions is defined in the factory during
actuator controls assembly and validated during final inspection. Subsequent
modification of the configuration by the plant operator is not permissible.
General functions are set as described in the Operation instructions or the Manual
(Operation and setting) AUMATIC AC 01.2.
Configuration of safety-related functions is listed in the order-related technical data
sheet.
Configuration options for safety function
Table 3: Configuration options for safety function
Configuration: SIL function | Short description
Safe ESD CLOSE/CLOSE | Safe CLOSING
Safe ESD OPEN/OPEN | Safe OPENING
Safe STOP CLOSE/OPEN | Safe STOP in direction CLOSE and direction OPEN
Safe ESD CLOSE/CLOSE + Safe STOP CLOSE/OPEN | Safe CLOSING and Safe STOP in direction CLOSE and direction OPEN
Safe ESD OPEN/OPEN + Safe STOP CLOSE/OPEN | Safe OPENING and Safe STOP in direction CLOSE and direction OPEN
When configuring a Safe ESD function and a Safe STOP function, the Safe ESD function is always prioritised compared to the Safe STOP function when requested simultaneously.
Seating configuration options
Information: Seating of standard actuator controls should be configured as set forth in the tables below.
Table 4: For actuators with electromechanical control unit
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
1: No seating | No seating by limit or torque switches during safety operation | Freely selectable
2: Forced torque seating in end position | Safety operation is stopped if both limit and torque switches trip simultaneously | Torque seating
3: Forced limit seating in end position | Safety operation is stopped by limit switch tripping | Limit seating
4: Limit seating with overload protection | Safety operation is stopped by tripping the limit switches and/or the torque switches (overload protection). | Limit seating
Table 5: For actuators with electronic control unit MWG
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
1: No seating | No seating by limit or torque switches during safety operation | Freely selectable
Table 6: For actuators with electronic control unit MWG including limit switches
Configuration: SIL seating type | Short description | Configuration: Type of seating (standard controls)
3: Forced limit seating in end position | Safety operation is stopped by limit switch tripping | Limit seating
Configuration options for motor protection assessment
Table 7: Configuration options for motor protection assessment
Configuration: SIL motor protection | Short description
Active | Tripping of the motor protection (thermal fault) stops or prevents safety operation
Inactive | Motor protection has no impact on the safety operation
Information: “SIL motor protection” = “inactive” configuration is only set if explicitly required. The version does not meet the Ex approval requirements.
Information: If limit and/or torque switches for the end positions are available, precise setting is imperative to ensure correct function of the “Safe end position feedback” or the “ESD function”. For setting details related to the respective switches, please refer to operation instructions.
Configuration of “reaction monitoring” diagnostics and “Partial Valve Stroke Test (PVST)”
Depending on the type of diagnostics specified, the reaction monitoring via blinker transmitter or Partial Valve Stroke Test configurations have to be checked and adapted, if required.
For detailed configuration options as well as detailed information on the Partial Valve Stroke Test (PVST), refer to Manual (Operation and setting) AUMATIC AC 01.2.
Please note that reaction monitoring may only be executed via the blinker transmitter/SIL fault signal and not via the reaction monitoring function of the AC .2 firmware.
3.3. Protection against uncontrolled operation (self-locking/brake)
For self-locking AUMA actuators, it can be assumed that a load up to maximum torque will not result in uncontrolled valve operation from standstill due to valve torque load. Consequently, in these cases, further protection against uncontrolled operation is not imperatively required. This might become necessary if, for example, self-locking can either not be guaranteed due to vibration or if it is insufficient. In addition, certain applications may require active position locking, for example by using a brake. There are user-specific standards demanding this type of protection. Therefore, each project must be subject to individual verification if any further protection is required. In any case, this protection is required for actuators without self-locking.
At the time of compilation of this document, the available actuators of the type ranges below were self-locking: SQ 05.2 – SQ 14.2, SQR 05.2 – SQR 14.2, SQEx 05.2 – SQEx 14.2 and SQREx 05.2 – SQREx 14.2.
If actuators with insufficient self-locking function paired with “Forced torque seating in end position” SIL seating type are used for the safety function, the following effect might occur: During ESD, the actuator operates to the end position and switches off due to reaching the end position and the tripping torque. Thereafter, the gear train is relieved and the torque falls below the preset limit value. As a matter of fact, the actuator controls detect this incident and switch the actuator on again since the behaviour is correctly considered as termination of the ESD condition. The latter generates additional torque until the switching off condition is reached again, and so on. The “pumping effect” of the actuator is the consequence.
To successfully avoid this incident, we recommend either selecting actuator or other elements with sufficient self-locking within the gear train or – if acceptable from a process and safety point of view – selecting “Forced limit seating in end position” as safety function.
3.4. Operation mode (low/high demand mode)
The safety functions of the actuators supplied by AUMA are suitable for the low demand mode and may only be used in this operation mode. If a non-safety instrumented function of basic process control system is executed via the same actuator in addition to the safety function, note that while considering the sum of non-safety instrumented function, required tests and safety function, the defined number of maximum permissible cycles 1) for the respective actuator as well as the maximum number of starts 2) may not be exceeded during deployment of the actuator within a safety instrumented system.
3.5. Further notes and indications on architecture
HFT is 0.
The systematic capability is 3 (SC=3).
Only flanges of F07 or FA 07 sizes or larger may be used for valve attachment.
If the actuator is equipped with one of the three position transmitter types, i.e. MWG, RWG or EWG, these elements may not be integrated within the safety instrumented system.
The actuator safety functions can be considered as type A device.
The operating time for a complete travel must exceed 4 seconds. Attention: Any modification of the nominal swing angle (90°) results in operating time change.
Safety function(s) and their feedback signals may only be issued via the digital inputs and outputs of the SIL module.
The signal issued via SIL fault output must be permanently evaluated. If the output signals a fault, it can be assumed that the safety function is not available. The safety function must be checked without delay. Possibly further safety measures are to be taken until the safety function is restored without fault.
1) Definition of “cycles” according to EN 15714-2:2010
2) Definition of “starts” according to EN 15714-2:2010
3.6. Applications (environmental conditions)
When specifying and using the actuators within safety instrumented systems, make sure that the permissible service conditions and the EMC requirements by the peripheral devices are met. Service conditions are indicated in the technical data sheet:
● Enclosure protection
● Corrosion protection
● Ambient temperature
● Vibration resistance
If the actual ambient temperatures exceed an average of +40 °C, the lambda values
have to be incremented by a safety factor. For an average temperature of +60 °C,
this factor is specified to 2.5.
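The following added example (not part of the AUMA manual) shows how the Table 1 figures and the temperature safety factor feed a SIL pre-check for one actuator channel with HFT = 0, type A and SC = 3 as stated in section 3.5. The failure rates are constructed, the PFDavg formula is the common simplified single-channel approximation, and the PFD bands and SFF limits are those of IEC 61508 for low demand mode; none of these values come from this manual.

```python
"""SIL pre-check for one actuator channel. Added example with constructed numbers."""
from dataclasses import dataclass

FIT = 1e-9                # 1 FIT = one failure per 10^9 device hours
HOURS_PER_YEAR = 8760
TEMP_FACTOR_60C = 2.5     # safety factor the manual gives for +60 °C average


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in 1/h, named after the abbreviations in Table 1."""
    lambda_s: float       # safe failures
    lambda_dd: float      # dangerous detected failures
    lambda_du: float      # dangerous undetected failures

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du

    def scaled(self, factor: float) -> "FailureRates":
        """Apply the ambient-temperature safety factor to every lambda value."""
        return FailureRates(self.lambda_s * factor,
                            self.lambda_dd * factor,
                            self.lambda_du * factor)


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF: share of safe plus detected dangerous failures in all failures."""
    return (r.lambda_s + r.lambda_dd) / (r.lambda_s + r.lambda_d)


def diagnostic_coverage(r: FailureRates) -> float:
    """DC: detected dangerous failure rate over total dangerous failure rate."""
    return r.lambda_dd / r.lambda_d


def pfd_avg_1oo1(r: FailureRates, t_proof_h: float) -> float:
    """Simplified single-channel approximation: lambda_DU * Tproof / 2.
    Assumption: repair time and imperfect proof test coverage are neglected."""
    return r.lambda_du * t_proof_h / 2


def sil_from_pfd(pfd: float) -> int:
    """IEC 61508 low demand bands; returns 0 if even SIL 1 is not reached."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def sil_from_sff_type_a_hft0(sff: float) -> int:
    """Architectural limit for a type A element with HFT = 0 (IEC 61508-2)."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3


def achievable_sil(r: FailureRates, t_proof_h: float,
                   systematic_capability: int = 3) -> int:
    """Lowest of the PFD band, the architectural limit and SC."""
    return min(sil_from_pfd(pfd_avg_1oo1(r, t_proof_h)),
               sil_from_sff_type_a_hft0(safe_failure_fraction(r)),
               systematic_capability)


# Constructed failure rates, not taken from the manual's section 9.
EXAMPLE = FailureRates(400 * FIT, 150 * FIT, 50 * FIT)

if __name__ == "__main__":
    for label, rates in (("<= 40 °C", EXAMPLE),
                         ("60 °C", EXAMPLE.scaled(TEMP_FACTOR_60C))):
        for years in (1, 2):
            t = years * HOURS_PER_YEAR
            print(f"{label:9} Tproof={years} a  SFF={safe_failure_fraction(rates):.3f} "
                  f"PFDavg={pfd_avg_1oo1(rates, t):.3e}  SIL {achievable_sil(rates, t)}")
```

Scaling every lambda value by the same factor leaves SFF and DC unchanged but raises PFDavg, so the proof test interval is what has to absorb a higher ambient temperature.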
For environmental tests, actuator and actuator controls were subjected to the following
standards:
● Dry heat: EN 60068-2-2
● Damp heat: EN 60068-2-30
● Cold: EN 60068-2-1
● Vibration test: IEC 60068-2-6
● Induced seismic vibration (earthquake): IEC 60068-3-3 3)
● Enclosure protection test IP68: EN 60529
● Salt spray test: EN ISO 12944-6
● Immunity requirements: EN 61326-3-1
● Emission: EN 61000-6-4
3) Thyristor version only
4. Safety instrumented systems and safety functions
4.1. Safety instrumented system including an actuator
Typically, a safety instrumented system including an actuator is composed of the
components as shown in the figure.
Figure 3: Typical safety instrumented system
[1] Sensors
[2] Controls (safety PLC)
[3] Actuator with actuator controls
[4] Valve
[5] Process control system
The safety integrity level is always assigned to an overall safety instrumented system and not to an individual component.
For an individual component (e.g. an actuator), safety figures are determined. These figures are used to assign the devices to a potential safety integrity level (SIL). The final classification of the safety instrumented system can only be made after assessing and calculating all subsystems.
4.2. Safety functions
In calculating the safety figures of actuators, the following safety functions are taken into account:
● Safe ESD function (Emergency Shut Down): Safe OPENING/CLOSING
  - Redundant Safe ESDa and Safe ESDb signals (default: low active) make the actuator run into the configured direction (OPEN/CLOSE), irrespective of the selector switch position.
● Safe STOP function: Safe STOP
  - An operation command of standard controls (in directions OPEN or CLOSE) will only be executed if an additional enable signal for the operation command is applied.
  - If this is not the case, operation in directions OPEN or CLOSE is stopped or even suspended (motor is switched off).
  - The Safe STOP function is effective for all operation commands of the standard actuator controls, irrespective of the command source (e.g. Remote or Local).
● Safe ESD function combined with Safe STOP function
  - Safe ESD function has a higher priority, i.e. if both functions are activated, the actuator is operated into the configured direction (OPEN/CLOSE).
Information: The safety functions of the AC .2-SIL / ACEXC .2-SIL are always controlled via 24 V DC.
“Safe end position feedback” is not part of the certification by TÜV Nord, nor is it part of this safety manual. Please refer to the specific safety manual for details regarding this function.
The different configuration options of the safety functions are described in the <Configuration (setting)/version> chapter.
4.3. Safe inputs and outputs
Safe inputs for Safe OPENING/CLOSING (Safe ESD function):
● Safe ESDa
● Safe ESDb
Safe inputs for safe stop (Safe STOP function):
● Safe STOP OPEN
● Safe STOP CLOSE
Safe outputs (indication that it might not be possible to perform the safety function):
● SIL fault
● SIL ready
For detailed information on safe inputs and outputs, refer to <Configuration (setting)/version> chapter and <Installation> chapter.
4.4. Redundant system architecture
Besides the already described typical safety instrumented system including an actuator, safety can be increased by implementing a second, redundant valve and actuator with actuator controls in SIL version into the safety instrumented system. The decision on the appropriate version depends on the entire system.
Information: Depending on the safety function and the safety instrumented task of this safety function, it must be verified for each and every application whether and - if so - in which configuration a HFT > 0 can actually be achieved when using several actuators. This applies in particular – but is not limited to – the Safe STOP safety function.
A possible example for Safe CLOSING or Safe OPENING is shown in figures 3 and 4. Another example, in which several actuators do NOT achieve redundancy, is a Safe STOP function used to safely exclude the movement of mechanical system parts, if, for example, the fire brigade has to access the plant section in question in case of an emergency. For this application, use of two actuators does generally not result in a 1oo2 but in a 2oo2 system in terms of safety effect to be achieved. Therefore, the HFT is not increased in this case.
Figure 4: Redundant system with Safe ESD for Safe CLOSING
Figure 5: Redundant system with Safe ESD for Safe OPENING
4.5. Examples of applications
Safe OPENING of a pressure vessel using the Safe ESD function
The standard PLC controls the entire system. A system fault occurs if excessive pressure is generated within the system. In this case, the safety PLC immediately opens the valve for safe pressure relief.
Figure 6: Application example: Pressure vessel
Safe stop of locks to prevent destruction using the Safe STOP function
Operation safety (preventing hazards to persons and systems) is of utmost importance for locks. Once the lock closes, no boats must be between the gates. Otherwise, the Safe STOP function (e.g. via EMERGENCY Stop button) is executed.
Figure 7: Application example: Lock
4.6. System representation
The representation below shows the simplified design of an AC 01.2/ACExC 01.2
in SIL version.
Figure 8: Simplified system representation
5. Installation, commissioning and operation
Information Installation and commissioning have to be documented by means of an assembly
report and an inspection certificate. Installation and commissioning may only be
performed by authorised personnel who have been trained on functional safety.
The plant operator is responsible for ensuring power supply protection against
overvoltage and undervoltage during execution of a safety function.
5.1. Installation
Information The PIN assignments (XK ...) mentioned in this chapter (and also in other chapters)
are considered as standard assignments of AC 01.2-SIL/ACExC 01.2-SIL. In certain
configurations, this typical assignment is not followed, in order to meet
specific equipment demands. In case of doubt, the assignment as indicated on the
pertaining wiring diagram is applicable.
General installation tasks (assembly, electrical connection) have to be performed
according to the operation instructions pertaining to the device and the enclosed
order-specific wiring diagram.
When operating and storing the devices in ambient temperatures below –25 °C,
ensure power supply of integral heating system.
Safety functions are connected via the SIL module integrated in the AC 01.2/ACExC
01.2 actuator controls.
The SIL fault must be connected to an input compatible with the required SIL level
of a safety PLC and subsequently analysed.
Figure 9: Connections for safety functions via SIL module
[1] Typical connection assignment for parallel control
[2] Typical connection assignment for fieldbus control
Input switching behaviour of Safe ESDa/ESDb and Safe STOP
OPEN/CLOSE:
●Input level = high level (standard: +24 V DC)
= No safety operation for Safe ESD function or
= No safe stop for Safe STOP function
●Input signal = low level (0 V DC or input open)
= Failure operation for Safe ESD function or
= Safe stop for Safe STOP function
Information The Safe ESDa and Safe ESDb inputs are redundant inputs for the same safety
function (depending on the configuration ESD OPEN or ESD CLOSE). Therefore,
the same level (high or low) should be applied to them. If “high” is applied at one of
the two ESDa or ESDb inputs and “low” at the other, this represents a fault state
within the safety instrumented system. In this instance, the actuator signals a “SIL
fault”. Since it is not clear whether the “high” level input or the “low” level input is
faulty, the safety function is performed for safety reasons.

Information The Safe STOP OPEN and Safe STOP CLOSE inputs are two independent inputs
with independent functions:
●If Safe STOP OPEN = low level, the safety function inhibits operation in direction
OPEN (exception ESD OPEN)
●If Safe STOP CLOSE = low level, the safety function inhibits operation in
direction CLOSE (exception ESD CLOSE)
Permissible input voltage range:
●High level: 15 –30 V DC
●Low level: max. 5 V DC
Signal behaviour of SIL ready and SIL failure outputs:
●SIL ready/ Absence of fault to be detected by diagnostics:
NO (NO contact) output = closed
NC (NC contact) output = open
●SIL fault/ Presence of fault to be detected by diagnostics:
NO (NO contact) output = open
NC (NC contact) output = closed
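
The input and output behaviour described above can be modelled to check measured values during commissioning. The following Python code is an added example, not part of the AUMA manual: the function and field names are assumptions, voltages outside both permissible ranges are rejected by assumption, and of all SIL fault causes only the Safe ESDa/ESDb discrepancy is modelled.

```python
from dataclasses import dataclass

HIGH_RANGE_V = (15.0, 30.0)  # permissible high level (from the manual)
LOW_MAX_V = 5.0              # permissible low level (from the manual)

def level(volts: float) -> str:
    """Classify a measured input voltage as 'high' or 'low'."""
    if HIGH_RANGE_V[0] <= volts <= HIGH_RANGE_V[1]:
        return "high"
    if 0.0 <= volts <= LOW_MAX_V:   # 0 V DC or open input
        return "low"
    # Assumption: anything else (5-15 V, above 30 V, negative) is rejected
    # rather than guessed, because the manual defines no level for it.
    raise ValueError(f"{volts} V is outside the permissible input ranges")

@dataclass(frozen=True)
class SafetyState:
    esd_performed: bool    # Safe ESD operation runs
    sil_fault: bool        # ESDa/ESDb discrepancy signalled as "SIL fault"
    open_blocked: bool     # Safe STOP inhibits travel in direction OPEN
    close_blocked: bool    # Safe STOP inhibits travel in direction CLOSE
    sil_ready_no: str      # state of the NO contact (SIL ready)
    sil_failure_nc: str    # state of the NC contact (SIL failure)

def evaluate(esda_v, esdb_v, stop_open_v, stop_close_v, esd_direction="CLOSE"):
    """Model the documented input behaviour for one set of measured voltages."""
    a, b = level(esda_v), level(esdb_v)
    stop_open, stop_close = level(stop_open_v), level(stop_close_v)
    sil_fault = a != b                         # redundant inputs disagree
    esd = not (a == "high" and b == "high")    # any low input, or a mismatch
    # Safe STOP does not inhibit the configured ESD travel (the stated exception).
    open_blocked = stop_open == "low" and not (esd and esd_direction == "OPEN")
    close_blocked = stop_close == "low" and not (esd and esd_direction == "CLOSE")
    return SafetyState(esd, sil_fault, open_blocked, close_blocked,
                       "open" if sil_fault else "closed",
                       "closed" if sil_fault else "open")

if __name__ == "__main__":
    # Constructed sample measurements: (ESDa, ESDb, STOP OPEN, STOP CLOSE) in V DC
    for sample in [(24, 24, 24, 24), (0, 0, 24, 24), (24, 0.4, 24, 24), (24, 24, 0, 24)]:
        print(sample, evaluate(*sample))
```

A safety PLC evaluating the SIL fault signal sees the third sample (one input high, one low) as NO contact open and NC contact closed, while the Safe ESD operation is performed regardless.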
Customer connections for control (typical assignment)

| Designation | Signal | Wiring diagram [1] Parallel | Wiring diagram [2] Fieldbus |
| --- | --- | --- | --- |
| Safe ESDa | Digital input for Safe ESD function | XK 31 | XK 3 |
| Safe ESDb | Redundant input for Safe ESD function | XK 32 | XK 5 |
| 0 V | Reference potential for Safe ESDa and Safe ESDb | XK 33 | XK 7 |
| Safe STOP CLOSE | Digital input for Safe STOP function in direction CLOSE | XK 35 | XK 8 |
| 0 V | Reference potential for Safe STOP CLOSE | XK 37 | XK 9 |
| Safe STOP OPEN | Digital input for Safe STOP function in direction OPEN | XK 36 | XK 10 |
| 0 V | Reference potential for Safe STOP OPEN | XK 38 | XK 11 |
| SIL ready | NO contact of SIL fault signal | XK 40 | XK 15 |
| SIL failure | NC contact of SIL fault signal | XK 39 | XK 14 |
| Com. | Reference potential for SIL fault signal | XK 42 | XK 16 |

SIL fault displayed via SIL failure output

| Fault causes | Description |
| --- | --- |
| Thermal fault | Motor protection tripped |
| Torque fault | Torque fault in directions OPEN and/or CLOSE |
| Fault position feedback | Current position feedback is outside permissible range. |
| Phase failure | One phase of power supply is missing. Controls are not supplied with mains voltage |
| Phase sequence fault | The phase conductors L1, L2 and L3 are connected in the wrong sequence. |
| Power supply failure | The safety-related part of controls is without power supply. |
| Temperature fault | Temperature within controls housing too high. Failure of heating system for ambient temperatures below –25 °C |
| Failure of actuator monitoring | Actuator of valve locked |
| Fault in redundant wiring Safe ESD | Both signals Safe ESDa and Safe ESDb are not simultaneously on the same level. |
| Internal error | Internal error of the SIL module |

For further information on SIL faults and in particular to assist in troubleshooting,
refer to chapter <Indications>.
Installation and commissioning must be recorded and a final installation and
commissioning report must be issued.

Information The basic function "automatic correction of direction of rotation" is not available for
this version. When connecting the power supply, ensure that phases L1, L2 and L3
are correctly connected. For checking the direction of rotation, refer to operation
instructions pertaining to the actuator.
The "external supply of electronics" option of the actuator controls refers to standard
actuator controls. In case of mains failure, the SIL module would no longer be
operable despite external supply of the electronics.
Information Limit switch setting for version with electronic control unit and SIL limit switches is
slightly different from the standard setting for the electromechanical control unit.
Refer to the supplement to operation instructions for correct setting (Y006.238).
5.2. Commissioning
The operation instructions pertaining to the device must be observed for general
commissioning.
Information For the Safe ESD function, operation into the safe position can be performed
irrespective of the selector switch position (LOCAL - OFF - REMOTE) or the operating
status. Upon request of the safety function, the actuator will start operation even in
positions LOCAL and OFF or on system start.
Risk of immediate actuator start when switching on if the motor/handwheel
locking device was removed while the motor was in disengaged position!
Risk of personal injuries or damage to the valve
→Ensure that high level is present at the Safe ESDa/ESDb inputs when
switching on (default: +24 V DC).
If the actuator is operated over a longer period (for several hours) while the
motor is disengaged, this entails considerable wear of the actuator. Worst
case would be accidental start-up or even destruction of the actuator.
On delivery, the motor is disengaged to prevent accidental start-up of the actuator
as well as consequential personal injuries or damage to the valve.
If the actuator is connected to 3-phase AC current without high level being present at
the Safe ESDa/ESDb inputs (default: +24 V DC), the motor will start without any
movement at the output drive.
→Operational actions have to be provided ensuring that the described state only
persists for a short time, i.e. a few minutes at the maximum.
→Remove the motor locking device prior to commissioning. It must only be used
for a short time during proof test.
After commissioning, the safe actuator function must be verified. Refer to <Proof
test> chapter.
5.3. Operation
Regular maintenance and device checks in determined Tproof intervals are the basis
for safe operation. The figures indicated in the <Safety figures> chapter are valid for
Tproof = 1 year.
For operation, both the pertaining operation instructions and the Manual (Operation
and setting) AC 01.2/ACExC 01.2 have to be observed.
In case of possible failures or defects of the safety system, safe function must be
guaranteed by introducing alternative actions. Furthermore, a detected fault including
fault description has to be sent to AUMA Riester GmbH & Co. KG. Autonomous
repair work by the plant operator is not permitted.