ASCO RCS Safety Manual: Redundant Control System | ASCO Manuals & Guides

I&M V 9535_DA
V_9535_DA
Safety Manual for Safety Integrated Systems
Page 1 of 29 E314141 - 07/2021 All Rights Reserved
©ASCO, L.P. 160 Park Avenue, Florham Park, New Jersey 07932
www.emerson.com
TABLE OF CONTENTS
1 INTRODUCTION .... 4
  TERMS AND ABBREVIATIONS .... 4
  ACRONYMS .... 4
  PRODUCT SUPPORT .... 5
  RELATED LITERATURE .... 5
  REFERENCE STANDARDS .... 5
2 RCS DEVICE DESCRIPTION .... 5
3 DESIGNING A SAFETY INSTRUMENTED FUNCTION USING AN ASCO RCS .... 6
  SAFETY FUNCTION .... 6
  ENVIRONMENTAL LIMITS .... 6
  APPLICATION LIMITS .... 6
  DESIGN VERIFICATION .... 7
  SIL CAPABILITY .... 7
    3.5.1 SYSTEMATIC INTEGRITY .... 7
    3.5.2 RANDOM INTEGRITY .... 7
    3.5.3 SAFETY PARAMETERS .... 7
  CONNECTION OF THE RCS TO THE SIS LOGIC-SOLVER .... 8
  GENERAL REQUIREMENTS .... 8
4 INSTALLATION AND COMMISSIONING .... 9
  INSTALLATION .... 9
  PHYSICAL LOCATION AND PLACEMENT .... 9
  ELECTRICAL CONNECTIONS .... 9
  PNEUMATIC CONNECTIONS .... 10
5 RCS BLOCK DIAGRAM .... 10
  1OO1HS, 2OO2 NORMALLY CLOSED WITH PRESSURE SWITCHES .... 10
  1OO1HS, 2OO2 NORMALLY OPEN WITH PRESSURE SWITCHES .... 11
  1OO1HS, 2OO2 NORMALLY CLOSED WITH PROXIMITY SWITCHES .... 11
  1OO1HS, 2OO2 NORMALLY OPEN WITH PROXIMITY SWITCHES .... 12
  2OO2 DOUBLE ACTING WITH PRESSURE SWITCHES .... 13
  2OO2 DOUBLE ACTING WITH PROXIMITY SWITCHES .... 13
  2OO3 NORMALLY CLOSED WITHOUT DIAGNOSTICS .... 14
  2OO3 NORMALLY CLOSED WITH PROXIMITY SWITCHES .... 15
6 RCS OPERATION AND TRUTH TABLES .... 16
  1OO1HS NORMALLY CLOSED .... 16
  1OO1HS NORMALLY OPEN .... 17
  2OO2 NORMALLY CLOSED .... 18
  2OO2 NORMALLY OPEN .... 19
  2OO2 DOUBLE ACTING .... 20
  2OO3 NORMALLY CLOSED WITHOUT DIAGNOSTICS .... 21
  2OO3 NORMALLY CLOSED WITH PROXIMITY SWITCHES .... 22
7 RCS MAINTENANCE .... 23
  OPERATOR INTERFACE OPTIONS .... 23
  AUTOMATED DIAGNOSTIC TEST (ADT) .... 23
    7.2.1 STATE VERIFICATION TEST .... 24
    7.2.2 VALVE DIAGNOSTIC TEST .... 24
  MANUALLY INITIATED DIAGNOSTIC TEST .... 27
  PROOF TEST WITHOUT AUTOMATIC TESTING .... 27
  PROOF TEST WITH AUTOMATIC PARTIAL VALVE STROKE TESTING .... 28
  REPAIR AND REPLACEMENT .... 28
  ASCO NOTIFICATION .... 28
8 STATUS OF THE DOCUMENT .... 28
  RELEASES .... 28
APPENDIX A SIS CHECKLIST .... 29
1 Introduction
This Safety Manual provides information necessary to design, install, verify and maintain a Safety Instrumented Function (SIF) utilizing an ASCO Redundant Control System, RCS. This manual provides necessary requirements for meeting the IEC 61508 or IEC 61511 functional safety standards.
Terms and Abbreviations
Safety - Freedom from unacceptable risk of harm.
Functional Safety - The ability of a system to carry out the actions necessary to achieve or to maintain a defined safe state for the equipment / machinery / plant / apparatus under control of the system.
Basic Safety - The equipment must be designed and manufactured such that it protects against risk of damage to persons by electrical shock and other hazards and against resulting fire and explosion. The protection must be effective under all conditions of the nominal operation and under single fault condition.
Safety Assessment - The investigation to arrive at a judgment, based on evidence, of the safety achieved by safety-related systems.
Fail-Safe State - State where the solenoid valve is de-energized and the spring is extended.
Fail Safe Failure - Failure which causes the valve to go to the defined fail-safe state without a demand from the process.
Fail Dangerous Failure - Failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state).
Fail Dangerous Undetected - Failure that is dangerous and that is not diagnosed by automatic stroke testing.
Fail Dangerous Detected - Failure that is dangerous but is detected by automatic stroke testing.
Fail Annunciation Undetected - Failure that does not cause a false trip or prevent the safety function but does cause loss of an automatic diagnostic and is not detected by another diagnostic.
Fail Annunciation Detected - Failure that does not cause a false trip or prevent the safety function but does cause loss of an automatic diagnostic or a false diagnostic indication.
Fail No Effect - Failure of a component that is part of the safety function but has no effect on the safety function.
Low Demand Mode - Mode where the frequency of demands for operation made on a safety-related system is no greater than twice the proof test frequency.
Acronyms
FMEDA - Failure Modes, Effects and Diagnostic Analysis
HFT - Hardware Fault Tolerance
MOC - Management of Change. These are specific procedures often done when performing any work activities in compliance with government regulatory authorities.
MTTFS - Mean Time To Fail Spurious
PFDavg - Average Probability of Failure on Demand
SFF - Safe Failure Fraction, the fraction of the overall failure rate of a device that results in either a safe fault or a diagnosed unsafe fault.
SIF - Safety Instrumented Function, a set of equipment intended to reduce the risk due to a specific hazard (a safety loop).
SIL - Safety Integrity Level, a discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where Safety Integrity Level 4 has the highest level of safety integrity and Safety Integrity Level 1 the lowest.
SIS - Safety Instrumented System, an implementation of one or more Safety Instrumented Functions. An SIS is composed of any combination of sensor(s), logic solver(s), and final element(s).
Product Support
Product support can be obtained from:
ASCO Customer Support / Technical Support, 160 Park Ave., Florham Park, NJ 07932, USA
support@ascovalve.com
Tel. (800) 524-1023 or (973) 966-2000, Fax (973) 966-2628
Related Literature
Hardware Documents: ASCO RCS Operation Guides V9512, V9709, V9957, V9958 and V9959.
Guidelines/References:
Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis, ISBN 1-55617-777-1, ISA
Control System Safety Evaluation and Reliability, 2nd Edition, ISBN 1-55617-638-8, ISA
Safety Instrumented Systems Verification, Practical Probabilistic Calculations, ISBN 1-55617-909-9, ISA
Reference Standards
Functional Safety:
IEC 61508:2000 Functional safety of electrical/electronic/programmable electronic safety-related systems
ANSI/ISA 84.00.01-2004 (IEC 61511 Mod.) Functional Safety: Safety Instrumented Systems for the Process Industry Sector
2 RCS Device Description
The RCS is an electro-mechanical and pneumatic system consisting of a set of two (2) or three (3) solenoid operated valves and possibly one (1) pneumatically operated valve. The valves are interconnected to allow different architectures for the control of pneumatically actuated block valves. It provides diagnostic components to verify the state of the devices as well as enabling online testing of the devices. These components are pressure or proximity switches monitoring the pneumatic pressures at critical points of the RCS assembly. In addition to the switches, an Automated Diagnostic Test, ADT, can be implemented in a safety rated logic solver (not included). The ADT provides the diagnostics necessary to achieve the safety ratings of the RCS. Alternatively, the Diagnostic Test can be initiated manually. Manually initiated tests are very effective. However, these tests cannot be considered automatic diagnostics in the sense of IEC 61508/IEC 61511.
Depending on the protected process, the safety action of the block valve can either be spring return open or spring return close. The spring forced block valve actuator will receive air supply to move the block valve to the safe state (NO) or the spring forced block valve actuator will be vented to move the block valve to the safe state (NC). The piston type actuator will receive air to one side and be vented on the opposite side to move the block valve to the safe state (DA). To account for these three action types, three different RCS versions are available for safety applications:
Normally Closed (NC)
Normally Open (NO)
Double Acting (DA)
The NC version is used to vent air from a spring-forced actuator if the solenoids are de-energized, the NO version is used to supply air to a spring-forced actuator if the solenoids are de-energized. Both versions differ only in the air duct routing within the manifold that connects the valves and the external ports. The selection of the version has direct impact on the probability of failure on demand of the entire safety instrumented function since the loss of instrument air for a NO RCS will inhibit the safety action of the block valve and decrease safety integrity.
The selection of the NO/NC version is based on the spring forced state of the controlled actuator. Most safety applications will require that the vented state (spring forced position) of the block valve actuator be the safe state; however, exceptions may require the pressurized state (not spring forced position) of the block valve actuator be the safe state. In this case, additional requirements to ensure the integrity and availability of all energy sources will be called for.
The Double Acting version is used with a piston type block actuator. The "safe" state of the process valve must be determined. The Double Acting RCS will control air to the side of the process valve actuating cylinder that will drive the process valve to the "safe" state and vent the opposite side of the process valve actuating cylinder in the same operation.
The RCS is available in a 1oo1 simplex, 1oo1 Hot Standby (HS), 2oo2 Normally Open (NO) & Normally Closed (NC), 2oo2 Double Acting (DA) and 2oo3 Normally Closed (NC) configuration. This manual covers the use of the RCS in all modes.
In this safety manual, the signals to the RCS are defined in de-energized-to-safe configuration. In the case of a 2oo2 configuration, at least one of the two solenoid operated valves in the RCS has to be energized to prevent the block valve from moving to the safe state. In a 2oo3 configuration at least two (2) solenoid operated valves in the RCS must be energized to prevent the valve from moving to the safe state.
The switches have both normally open and normally closed contacts to provide indication of valve state. Truth Tables contained in this manual provide status of the normally open contacts during various states.
3 Designing a Safety Instrumented Function using an ASCO RCS
Safety Function
When de-energized, the ASCO RCS moves to its fail-safe position. Depending on the version specified, Normally Closed (NC) or Normally Open (NO), the RCS will supply air or vent air depending on the piping of the installation. The Double Acting RCS, when de-energized, will supply air to one side of the cylinder and vent the opposite side of the cylinder at the same time.
As defined in IEC 61508, the RCS is intended to be part of the final element subsystem, and the SIL achieved by the designed function must be verified by the designer.
Environmental limits
The designer of a SIF must check that the product is rated for use within the expected environmental limits.
Temperature: The RCS shall be mounted such that the internal temperature within the enclosure does not exceed the specified temperature limits shown in the unit’s I&M.
Application limits
The application limits of an ASCO RCS are specified in the user manual, I&M:
I&M V9512: 1oo1 and 2oo2 Aluminum with Pressure Switches
I&M V9709: 1oo1 and 2oo2 Stainless steel with Pressure Switches.
I&M V9957: 2oo2 Aluminum with Proximity Switches
I&M V9958: 2oo3 Aluminum without diagnostics.
I&M V9959: 2oo3 Aluminum with Proximity Switches
It is especially important that the designer checks for material compatibility considering on-site chemical contaminants and air supply conditions. If the RCS is used outside of the application limits or with incompatible materials, the reliability data provided becomes invalid.
Design Verification
A detailed Failure Mode, Effects, and Diagnostics Analysis (FMEDA) report is available from ASCO Valves, Inc. Refer to the appropriate FMEDA report for all failure rates and the expected useful lifetime.
1oo1 Simplex, 1oo1 Hot Standby, 2oo2 with Pressure Switches (ASC 08-12-44)
1oo1 Simplex, 1oo1 Hot Standby, 2oo2 with Proximity Switches (ASC 15-04-065)
1oo1 Simplex, 1oo1 Hot Standby, 2oo2 with Stainless Steel construction (ASC 14-09-018)
2oo2, 2oo3 redundant with Pressure or Proximity switches (ASC 20-02-115)
The achieved Safety Integrity Level (SIL) of an entire Safety Instrumented Function (SIF) design must be verified by the designer via a calculation of PFDavg considering redundant architectures, proof test interval, proof test effectiveness, any automatic diagnostics, average repair time and the specific failure rates of all products included in the SIF. Each subsystem must be checked to assure compliance with minimum hardware fault tolerance (HFT) requirements. The Exida exSILentia® tool is recommended for this purpose as it contains accurate models for the RCS and its failure rates.
When using an ASCO RCS in a redundant configuration, a common cause factor of 5% should be included in safety integrity calculations.
The failure rate data listed in the FMEDA report is only valid for the useful lifetime of an ASCO Solenoid. The failure rates will increase sometime after this time period. Reliability calculations based on the data listed in the FMEDA report for mission times beyond the lifetime may yield results that are too optimistic, i.e. the calculated Safety Integrity Level will not be achieved.
SIL Capability
3.5.1 Systematic Integrity
This product has met manufacturer design process requirements for Safety Integrity Level (SIL) 3. These are intended to achieve sufficient integrity against systematic errors of design by the manufacturer. A Safety Instrumented Function (SIF) designed with this product must not be used at a SIL higher than this stated capability without "prior use" justification by the end user or diverse technology redundancy in the design.
3.5.2 Random Integrity
The RCS is a Type A Device. The failure rate data used for the FMEDA meets the exida criteria for Route 2H (see FMEDA report Section 5.1). Therefore, the Redundant Control System can be classified as a 2H device when the listed failure rates are used. When 2H data is used for all of the devices in an element, then the element meets the hardware architectural constraints up to SIL 2 at HFT=0 (or SIL 3 @ HFT=1) per Route 2H. If Route 2H is not applicable for the entire final element, the architectural constraints will need to be evaluated per Route 1H.
When the final element assembly consists of many components (RCS, quick exhaust valve, actuator, isolation valve, etc.) the SIL must be verified for the entire assembly using failure rates from all components. This analysis must account for any hardware fault tolerance and architecture constraints.
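The Design Verification and Random Integrity paragraphs above ask the designer to combine three separate limits: a PFDavg calculation that includes the 5% common cause factor, proof test interval and repair times; the architectural constraint (Route 2H, or Route 1H from SFF and HFT); and the manufacturer's SIL 3 systematic capability, with the result only valid inside the FMEDA useful life. The script below is an added example (not ASCO's or Emerson's code and not the exSILentia tool) that carries that check through. The `Element` class, all function names and every failure rate and lifetime in it are assumptions; the rates are constructed placeholders and must be replaced by the values in the RCS FMEDA report. The formulas are the simplified low-demand equations of IEC 61508-6 Annex B for identical channels, with the detected-failure common cause factor assumed to be half of beta. The `vote` argument is the trip vote in IEC 61508 terms; the manual's configuration names (1oo1, 2oo2, 2oo3) count the solenoids that must be energized to hold the block valve, so which vote models the dangerous-failure behaviour of a given RCS assembly is a decision for the designer's fault analysis, not something this script infers.

```python
"""Low-demand PFDavg and architectural-constraint check for a final element.

Added example, not ASCO's code. Every failure rate and lifetime used here is a
CONSTRUCTED placeholder (failures per hour); take real values from the RCS
FMEDA report. Formulas are the simplified IEC 61508-6 Annex B equations.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Element:
    """Failure-rate summary of one element of the final-element subsystem."""
    lambda_du: float          # dangerous undetected (not covered by ADT), per hour
    lambda_dd: float          # dangerous detected by the ADT, per hour
    lambda_s: float           # safe (spurious trip), per hour
    useful_life_years: float  # FMEDA rates are only valid up to this age

    @property
    def lambda_d(self) -> float:
        return self.lambda_du + self.lambda_dd

    @property
    def sff(self) -> float:
        """Safe failure fraction: safe plus diagnosed-dangerous over total."""
        return (self.lambda_s + self.lambda_dd) / (self.lambda_s + self.lambda_d)


def channel_downtimes(e: Element, t1: float, mttr: float, mrt: float) -> Tuple[float, float]:
    """tCE and tGE (hours): mean downtime of one channel / of the voted group."""
    f_du, f_dd = e.lambda_du / e.lambda_d, e.lambda_dd / e.lambda_d
    t_ce = f_du * (t1 / 2 + mrt) + f_dd * mttr
    t_ge = f_du * (t1 / 3 + mrt) + f_dd * mttr
    return t_ce, t_ge


def pfd_avg(e: Element, vote: str, t1_years: float, beta: float = 0.05,
            beta_d: Optional[float] = None, mttr: float = 8.0, mrt: float = 8.0) -> float:
    """PFDavg of a group of identical elements with the given trip vote.

    beta is the common-cause factor (the manual asks for 5 %); beta_d is the
    factor for detected failures and defaults to beta/2 (an assumption).
    t1_years is the proof-test interval; mttr and mrt are repair times in hours.
    """
    t1 = t1_years * HOURS_PER_YEAR
    beta_d = beta / 2 if beta_d is None else beta_d
    t_ce, t_ge = channel_downtimes(e, t1, mttr, mrt)
    if vote == "1oo1":
        return e.lambda_d * t_ce
    if vote == "2oo2":          # both channels must work: twice the 1oo1 exposure
        return 2 * e.lambda_d * t_ce
    independent = (1 - beta_d) * e.lambda_dd + (1 - beta) * e.lambda_du
    common = beta_d * e.lambda_dd * mttr + beta * e.lambda_du * (t1 / 2 + mrt)
    if vote == "1oo2":
        return 2 * independent ** 2 * t_ce * t_ge + common
    if vote == "2oo3":
        return 6 * independent ** 2 * t_ce * t_ge + common
    raise ValueError(f"unsupported vote {vote!r}")


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (0 means worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def route_1h_max_sil(sff: float, hft: int, type_a: bool = True) -> int:
    """Highest SIL allowed by SFF and HFT under Route 1H (IEC 61508-2 Tables 2 and 3)."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    table_a = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))   # Type A devices
    table_b = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))   # Type B devices
    return (table_a if type_a else table_b)[band][min(hft, 2)]


def route_2h_max_sil(hft: int) -> int:
    """Route 2H constraint for low-demand mode: SIL 2 at HFT 0, SIL 3 at HFT 1."""
    return (2, 3, 4)[min(hft, 2)]


def verify_sif(e: Element, vote: str, hft: int, t1_years: float, mission_years: float,
               route: str = "2H", systematic_capability: int = 3,
               beta: float = 0.05) -> Dict[str, object]:
    """Combine the three limits the manual lists: PFDavg, architecture, systematic capability."""
    pfd = pfd_avg(e, vote, t1_years, beta=beta)
    arch = route_2h_max_sil(hft) if route == "2H" else route_1h_max_sil(e.sff, hft)
    return {
        "pfd_avg": pfd,
        "sil_from_pfd": sil_from_pfd(pfd),
        "sil_from_architecture": arch,
        "achieved_sil": min(sil_from_pfd(pfd), arch, systematic_capability),
        # The manual warns that rates applied beyond useful life give optimistic results.
        "failure_data_valid": mission_years <= e.useful_life_years,
    }


if __name__ == "__main__":
    # CONSTRUCTED rates, not FMEDA values.
    rcs = Element(lambda_du=2.0e-7, lambda_dd=3.0e-7, lambda_s=5.0e-7, useful_life_years=10)
    for vote, hft in (("1oo1", 0), ("1oo2", 1), ("2oo3", 1)):
        print(vote, verify_sif(rcs, vote, hft, t1_years=1.0, mission_years=8))
```

With the constructed rates a single channel lands in the SIL 3 PFDavg band but is capped at SIL 2 by the HFT=0 architectural constraint, which is exactly the situation the Random Integrity paragraph describes; adding a second channel (HFT=1) lifts the cap to SIL 3, and the common cause term then dominates PFDavg, which is why the 5% factor matters more than the independent-failure term. The simplified equations assume identical channels, a single proof test interval and small failure rates; for the real assembly (RCS, quick exhaust, actuator, isolation valve) the FMEDA rates of every component must be combined as the paragraph above requires.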
3.5.3 Safety Parameters
For detailed failure rate information refer to the Failure Modes, Effects and Diagnostic Analysis Report for the RCS.
Connection of the RCS to the SIS Logic-solver
The RCS is connected to the safety rated logic solver, which is actively performing the safety function as well as automatic diagnostics designed to diagnose potentially dangerous failures within the RCS. The isolating valves' solenoid control power shall be supplied by the safety rated logic solver via the safety function output. Connections must be made according to the instructions supplied by the safety rated logic solver.
The output rating of the I/O module shall meet or exceed the electrical specifications of the valve solenoid (Table 1.1 and Table 1.2):

Table 1.1 - Solenoid Specifications, Direct Current
| Voltage (DC) | Min. Pull In (mA) | Drop Out (mA) | Coil Resistance @ 20°C, +-10% (Ohms) | Wattage |
| 12           | 84                | 13.9          | 102                                  | 1.4 W   |
| 24           | 42                | 7.0           | 410                                  | 1.4 W   |
| 48           | 21                | 3.6           | 1640                                 | 1.4 W   |
| 120          | 9                 | 1.5           | 10,000                               | 1.4 W   |

Table 1.2 - Solenoid Specifications, Alternating Current
| Voltage (AC)  | Coil Resistance @ 20°C, +-10% (Ohms) | Wattage | VA Holding | VA Inrush |
| 120/60-110/50 | 85                                   | 10.1 W  | 25         | 50        |
| 230/50-240/50 | 450                                  | 10.1 W  | 25         | 50        |

If the safety rated logic solver output module provides line-integrity testing by pulse tests or other means, the impedance range applicable for this test shall be within the RCS solenoid impedance.
If connected to a passive input module (a module that provides only the switching but not the switching energy), the external power supply shall meet all pertinent electrical safety requirements specified by the safety rated logic solver (e.g. IEC 61010).
The input rating of the I/O module shall meet the electrical specifications of the switches (Table 2):

Table 2 - Switch Specifications
|                      | Pressure Switch, Gold Contacts             | Pressure Switch, Silver Contacts                                  | Proximity Switch, Palladium Silver |
| Electrical Rating DC | 1A Resistive @28VDC; 0.5A Inductive @28VDC | 5A Resistive @28VDC; 3A Inductive @28VDC; 0.5A Resistive @125VDC | 3A Resistive @24VDC                |
| Electrical Rating AC | 1A @125VAC                                 | 5A @125VAC or 250VAC                                              | 4A @120VAC; 2A @240VAC             |

NOTE: IEC 61508 requires de-rating, and the actual switch loads need to be less than the listed specifications.
If the safety rated logic solver input module requires line-end devices for open wire / short circuit wire protection, these devices shall be mounted at the terminal block of the RCS according to the logic-solver manufacturer's instructions.
If the logic-solver input module provides line-integrity testing by pulse tests or other means, the impedance range applicable for this test shall be within the RCS pressure switch impedance.
General Requirements
The system’s response time shall be less than process safety time. The RCS will switch between two states in less than 500 ms.
All SIS components including the RCS must be operational before process start-up.
The ADT shall be run at least once per month or ten times within the expected hazard demand interval, whichever comes first. The ADT may be run as often as desired and is recommended every 24 hours.
The user shall verify that the RCS is suitable for use in safety applications by confirming that the RCS nameplate is properly marked.
The programming used to implement the ADT shall not be modified without the accomplishment of an impact analysis by a competent safety engineer.
Personnel performing maintenance and testing on the RCS shall be competent to do so.
Results from the ADT, manually initiated tests, and proof tests shall be recorded and reviewed periodically.
The useful life of the RCS is discussed in the Failure Modes, Effects and Diagnostic Analysis Report for the RCS.
4 Installation and Commissioning
Installation
The ASCO Solenoid valve must be installed per standard installation practices outlined in the Installation Manual.
The environment must be checked to verify that environmental conditions do not exceed the ratings.
The ASCO Solenoid must be accessible for physical inspection.
Physical Location and Placement
The RCS shall be accessible with sufficient room for cabling and pneumatic connections and shall allow manual proof testing of the bypass function.
Pneumatic piping to the block valve shall be kept as short and straight as possible to minimize the airflow restrictions and potential clogging of the exhaust line. Long or kinked pneumatic tubes may also increase the block valve closure time.
The Breather/Vent valve shall be accessible and should be inspected for obstruction during manual proof testing.
The RCS shall be mounted in a low vibration environment. If excessive vibration is expected, special precautions shall be taken to ensure the integrity of electrical and pneumatic connectors or the vibration should be reduced using appropriate damping mounts.
Electrical Connections
The device requires external electrical connections. The energy for actuating the isolating valves is provided by the control signal lines. The RCS device is available in the following control signal configurations: 12 VDC, 24 VDC, 48VDC, 120 VDC, 120/60-110/50 VAC or 230/50-240/50 VAC.
All wirings shall provide sufficient electrical isolation between adjacent signal lines and between signal lines and ground.
Stranded 16 to 18 AWG (or equivalent gauge and flexibility) shall be used.
It is recommended that conduit sealant be used to prevent condensation from entering the enclosure and, in Class 1 Div. 2 conditions, to prevent hazardous gasses and vapors from migrating through the conduit to the control room or an open ignition source.
Wiring shall be according to the National Electrical Code (ANSI-NFPA 70) or other applicable local codes.
The terminal clamps are designed for one wire only; DO NOT attempt to terminate multiple wires into one terminal.
Strip the wires to the recommended length appropriate for the termination block.
Ensure all wire strands are fully inserted into the terminal block and no shorts between adjacent wires on the terminal block are possible.
Use care when running signal wiring near to, or crossing conduit or wiring that supplies power to motors, solenoids, lighting, horns, bells, etc. Sufficient electrical isolation and shielding against electromagnetic interference from items in the vicinity of the cable run shall be provided.
AC power wiring should be run in a separate conduit from DC power. All power wiring to and from the RCS should be in a grounded conduit. Outdoor cable runs shall be protected against lightning strike.