AUMA SAR 16.2, SA 16.2, SAEx 16.2, SAREx 07.2, SAV 07.2 User Manual

...
Multi-turn actuators SA/SAR 07.2 – 16.2 / SAEx/SAREx 07.2 – 16.2, SAV/SARV 07.2 – 16.2 / SAVEx/SARVEx 07.2 – 16.2 with actuator controls AC 01.2/ACExC 01.2, ACV 01.2/ACVExC 01.2, SFC version
Functional safety Manual
Multi-turn actuators SA .2 with AC(V) 01.2/AC(V)ExC 01.2
This document is only valid with the latest operation instructions attached to the device, the attached manual, the attached declaration of incorporation as well as the respectively pertaining technical and electrical data sheets. They are understood as reference documents.
Purpose of the document:
The present document informs about the actions required for using the device in safety-related systems in accordance with IEC 61508 or IEC 61511.
Reference documents:
exida report no. AUMA 10-12-035 R005E
Operation instructions (Assembly, operation, commissioning) for actuator
Manual (Operation and setting) actuator controls AC 01.2/ACExC 01.2
Manual (Operation and setting) actuator controls ACV 01.2/ACVExC 01.2
Manual (Device integration Fieldbus) AC 01.2/ACExC 01.2 / ACV 01.2/ACVExC 01.2
Reference documents are available on the Internet at: http://www.auma.com.
Table of contents (Page)
1. Terminology ..................................................... 4
1.1. Abbreviations and concepts .................................... 4
2. Application and validity ........................................ 6
2.1. Range of application .......................................... 6
2.2. Standards ..................................................... 6
2.3. Valid device types ............................................ 6
3. Architecture, configuration and applications .................... 7
3.1. Architecture (actuator sizing) ................................ 7
3.2. Configuration (setting) ....................................... 7
3.3. Protection against uncontrolled operation (self-locking/brake)  7
3.4. Operation mode (low/high demand mode) ......................... 8
3.5. Further notes and indications on architecture ................. 8
3.6. Applications (environmental conditions) ....................... 9
4. Safety instrumented systems and safety functions ............... 10
5. Installation, commissioning and operation ...................... 11
5.1. Installation ................................................. 11
5.2. Commissioning ................................................ 11
5.3. Operation .................................................... 11
5.4. Lifetime ..................................................... 11
5.5. Decommissioning .............................................. 12
6. Tests and maintenance .......................................... 13
6.1. Safety equipment: check ...................................... 13
6.2. Proof test (verification of safe actuator function) .......... 13
6.2.1. Preliminary tests .......................................... 13
6.2.2. Review and validation of the “Safe end position signal” safety function  13
6.2.3. Checking the collective fault signal ....................... 14
6.3. Partial Valve Stroke Test (PVST) ............................. 14
6.4. Maintenance .................................................. 14
7. Safety-related figures ......................................... 15
7.1. Determination of the safety-related figures .................. 15
8. SIL Declaration of Conformity (example) ........................ 16
Index ............................................................. 21
Addresses ......................................................... 22
Multi-turn actuators
Terminology SA .2 with AC(V) 01.2/AC(V)ExC 01.2

1. Terminology

Information sources

1.1. Abbreviations and concepts

IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
IEC 61511-1, Functional safety - Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements
To evaluate safety functions, the lambda values or the PFD value (Probability of Dangerous Failure on Demand) and the SFF value (Safe Failure Fraction) are the main requirements. Further figures are required to assess the individual components. These figures are explained in the table below.
Table 1: Abbreviations of safety figures
Abbreviation | Full expression | Description
λS | Lambda Safe | Number of safe failures
λD | Lambda Dangerous | Number of dangerous failures
λDU | Lambda Dangerous Undetected | Number of undetected dangerous failures
λDD | Lambda Dangerous Detected | Number of detected dangerous failures
DC | Diagnostic Coverage | Ratio between the failure rate of dangerous failures detected by diagnostic tests and the total rate of dangerous failures of the component or subsystem. The diagnostic coverage does not include any failures detected during proof tests.
MTBF | Mean Time Between Failures | Mean time between the occurrence of two subsequent failures
SFF | Safe Failure Fraction | Fraction of safe failures as well as of detectable dangerous failures
PFDavg | Average Probability of dangerous Failure on Demand | Average probability of dangerous failures on demand of a safety function.
HFT | Hardware Failure Tolerance | Ability of a functional unit to execute a required function while faults or deviations are present. HFT = n means that the function can still be safely executed for up to n faults occurring at the same time.
Tproof | Proof test interval | Interval for proof test
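The figures in Table 1 are tied together by the standard IEC 61508 relations below. This worked calculation is added here for illustration and is not part of the AUMA manual; the failure rates (in FIT, failures per 10^9 h) and the proof test interval are constructed values, not figures for any AUMA device, and the device is assumed to be a single-channel (HFT = 0) type A subsystem in low demand mode.

```latex
% Relations between the Table 1 figures (IEC 61508-2/-6, single channel, HFT = 0)
\begin{align*}
\lambda_D  &= \lambda_{DD} + \lambda_{DU} \\[2pt]
DC         &= \frac{\lambda_{DD}}{\lambda_D} \\[2pt]
SFF        &= \frac{\lambda_S + \lambda_{DD}}{\lambda_S + \lambda_D} \\[2pt]
PFD_{avg}  &\approx \frac{\lambda_{DU}\, T_{proof}}{2}
  \qquad (\text{1oo1, low demand, } \lambda_{DU} T_{proof} \ll 1,\ \text{MTTR neglected})
\end{align*}

% Constructed example values (not AUMA data):
% \lambda_S = 300 FIT, \lambda_{DD} = 100 FIT, \lambda_{DU} = 50 FIT, T_{proof} = 1 year = 8760 h
\begin{align*}
\lambda_D  &= 100 + 50 = 150\ \text{FIT} \\
DC         &= \frac{100}{150} \approx 66.7\,\% \\
SFF        &= \frac{300 + 100}{300 + 150} = \frac{400}{450} \approx 88.9\,\% \\
PFD_{avg}  &\approx \frac{50 \cdot 10^{-9}\,\text{h}^{-1} \cdot 8760\,\text{h}}{2}
            = 2.19 \cdot 10^{-4}
\end{align*}

% Reading the result against IEC 61508:
% - PFD_avg of 2.19e-4 lies in 1e-4 <= PFD_avg < 1e-3, the SIL 3 band for low demand mode
%   (IEC 61508-1 Table 2).
% - Architectural constraint, route 1H (IEC 61508-2 Table 2, type A): with HFT = 0 and
%   60 % <= SFF < 90 %, at most SIL 2 may be claimed.
% - The claimable level is the lower of the two, here SIL 2; this is why the manual
%   separates "failure rates" from "architecture requirements".
% - Doubling T_proof to 2 years doubles PFD_avg to about 4.38e-4: the proof test
%   interval chosen by the operator directly scales the undetected-failure term.
```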
Safety Integrity Level (SIL)
  The international standard IEC 61508 defines 4 levels (SIL 1 through SIL 4).
Safety function
  Function to be implemented by a safety-related system for risk reduction with the objective to achieve or maintain a safe state for the plant/equipment with respect to a specific dangerous event.
Safety instrumented function (SIF)
  Function with specified safety integrity level (SIL) to achieve functional safety.
Safety instrumented system (SIS)
  Safety instrumented system for executing a single or several safety instrumented functions. An SIS consists of sensor(s), logic system and actuator(s).
Safety-related system
  A safety-related system includes all factors (hardware, software, human factors) necessary to implement one or several safety functions. Consequently, failures of the safety function would result in a significant increase in safety risks for people and/or the environment. A safety-related system can comprise stand-alone systems dedicated to perform a particular safety function or can be integrated into a plant.
Proof test
  Periodic test performed to detect dangerous hidden failures in a safety-related system so that, if necessary, a repair can restore the system to an "as new" condition or as close as practical to this condition.
MTTR (Mean Time To Restoration)
  Mean time to restoration once a failure has occurred. Indicates the expected mean time to achieve restoration of the system. It is therefore an important parameter for system availability. The time for detecting the failure, planning tasks as well as operating resources is also included. It should be reduced to a minimum.
MRT (Mean Repair Time)
  Mean repair time indicates the mean time required to repair a system. The MRT is crucial when defining the reliability and availability of a system. The MRT should preferably be small.
Device type (type A and type B)
  Actuator controls can be regarded as type A devices if all of the following conditions are met for all components required to achieve the safety instrumented function:
  - The failure modes for all constituent components involved are well defined.
  - The behaviour under fault conditions can be completely determined.
  - There is sufficient dependable failure data from the field to show that the claimed rates of failure are met (confidence level min. 70 %).
  Actuator controls shall be regarded as type B devices if one or several of the following conditions are met:
  - The failure of at least one constituent component is not well defined.
  - The fault behaviour is not completely known.
  - There is insufficient dependable failure data to support claims for rates of failure for detected and undetected dangerous failures.
PTC (Proof Test Coverage)
  Proof test coverage describes the fraction of failures which can be detected by means of a proof test.

2. Application and validity

2.1. Range of application

AUMA actuators and actuator controls with the safety functions mentioned in this manual are intended for operation of industrial valves and are suitable for use in safety instrumented systems in accordance with IEC 61508 or IEC 61511.

2.2. Standards

Both actuators and actuator controls meet the following requirements:
- For the safety function “Safe end position feedback”: IEC 61508-2:2010
The safety figures of the devices described meet the requirements of IEC 61508 in the respective SIL level with regard to failure rates and architecture requirements. However, this does not imply that all further requirements of IEC 61508 are met.

2.3. Valid device types

The data on functional safety contained in this manual applies to the device types indicated.
Table 2: Overview on suitable device types
Actuator type | Actuator controls type | Power supply | Motor type of duty | Control (safety function)
SA 07.2 – SA 16.2, SAR 07.2 – SAR 16.2 in SFC version | AC 01.2 in SFC version | Any supply | S2 - 15 min, S2 - 30 min, S4 - 25 %, S4 - 50 % | Safe end position feedback
SAEx 07.2 – SAEx 16.2, SAREx 07.2 – SAREx 16.2 in SFC version | ACExC 01.2 in SFC version | Any supply | S2 - 15 min, S2 - 30 min, S4 - 25 %, S4 - 50 % | Safe end position feedback
SAV/SARV 07.2 – 16.2, SAVEx/SARVEx 07.2 – 16.2 in SFC version | ACV/ACVExC 01.2 in SFC version | Any supply | S2 - 15 min, S2 - 30 min, S4 - 25 %, S4 - 50 % | Safe end position feedback
Information
Hardware, software and configuration of actuator and actuator controls must not be modified without prior written consent by AUMA. Unauthorised modification may have a negative impact on both safety figures and SIL capability of the products.
In applications with requirements on functional safety, only AUMA actuator controls and actuators in SFC or SIL version may be used. SFC stands for “Safety Figure Calculated”. This designation identifies AUMA products for which safety figures were calculated on the basis of FMEDA from field data and generic data (for detailed information refer to <Determination of the figures>). AUMA actuator controls and actuators in SFC version can, among others, be identified from the letters "SFC" following the type designation on the name plate.
Figure 1: Example of name plate with “SFC” marking

3. Architecture, configuration and applications

3.1. Architecture (actuator sizing)

For actuator architecture (actuator sizing) the maximum torques, run torques and operating times are taken into consideration.
Incorrect actuator architecture can lead to device damage within the safety-related system!
Possible consequences can be valve damage, motor overheating, contactor jamming, defective thyristors, heating up or damage to cables.
The actuator technical data must imperatively be observed when selecting the actuator.
Sufficient reserves have to be provided to ensure that actuators are capable of reliably opening or closing the valve even in the event of an accident or undervoltage.
Information
For the “Safe end position feedback” safety function, heed that signalling is made via mechanical switches. Since these elements have an unavoidable hysteresis, the actuator slightly leaves the end position before the end position signal is deleted. Consequently, there is a marginal range of actuator positions next to the safety position for which the end position is still signalled although the actuator has already left the end position during operation from the safety position. If the range in question is approached from the opposite direction, this limitation does not apply. In general, this range is relatively small. However, for unfavourable configurations (low number of turns per stroke), this range can amount to more than 10 % of the total stroke. Should, under unfavourable conditions, the effect described above represent an unacceptable limitation for the safety function, we recommend evaluating both limit and torque switches for the end position feedback.
Power supply
Information
The plant operator is responsible for power supply.

3.2. Configuration (setting)

Configuration (setting) of the safety-related functions is performed as described in the operation instructions or in the present manual (functional safety).
Information
An exact setting of torque and end position switches for the end positions is imperatively required to ensure correct function of “Safe end position feedback”. For setting details related to the respective switches, please refer to the operation instructions.
Configuration of reaction monitoring diagnostics and Partial Valve Stroke Test (PVST)
Depending on the type of diagnostics required, the reaction monitoring or Partial Valve Stroke Test configurations have to be checked and adapted, if required.
For detailed configuration options on reaction monitoring as well as detailed information on the Partial Valve Stroke Test (PVST), refer to Manual (Operation and setting) AUMATIC AC 01.2.

3.3. Protection against uncontrolled operation (self-locking/brake)

For self-locking AUMA actuators, it can be assumed that a load up to maximum torque will not result in uncontrolled valve operation from standstill due to valve torque load. Consequently, in these cases, further protection against uncontrolled operation is not imperatively required. However, certain applications may require active position locking, for example by using a brake. There are user-specific standards demanding this type of protection. Therefore, each project must be subject to individual verification as to whether any further protection is required. In any case, this protection is required for actuators without self-locking.
Table 3: Overview self-locking for AUMA actuators (at the time of printing of this document)
Type | Output speed | Self-locking
SA 07.2 – SA 16.2, SAR 07.2 – SAR 16.2, SAEx 07.2 – SAEx 16.2, SAREx 07.2 – SAREx 16.2 | ≤ 90 rpm (50 Hz) / ≤ 108 rpm (60 Hz) | Self-locking
SA 07.2 – SA 16.2, SAR 07.2 – SAR 16.2, SAEx 07.2 – SAEx 16.2, SAREx 07.2 – SAREx 16.2 | ≥ 125 rpm (50 Hz) / ≥ 150 rpm (60 Hz) | NOT self-locking
SAV 07.2 – SAV 16.2, SARV 07.2 – SARV 16.2, SAVEx 07.2 – SAVEx 16.2, SARVEx 07.2 – SARVEx 16.2 | Speed range variants 6 – 60 1/min and 12 – 120 1/min | Self-locking
SAV 07.2 – SAV 16.2, SARV 07.2 – SARV 16.2, SAVEx 07.2 – SAVEx 16.2, SARVEx 07.2 – SARVEx 16.2 | Speed range variant 24 – 240 1/min | NOT self-locking

3.4. Operation mode (low/high demand mode)

The safety functions of the actuators supplied by AUMA are suitable for the low demand mode and may only be used in this operation mode. If a non-safety instrumented function of the basic process control system is executed via the same actuator in addition to the safety function, note that, when considering the sum of non-safety instrumented function, required tests and safety function, the defined number of maximum permissible cycles1) for the respective actuator as well as the maximum number of starts2) may not be exceeded during deployment of the actuator within a safety instrumented system.
Only the safe end position feedback safety function can be operated beyond the limitations mentioned above under certain conditions, even in operation mode with high demand rate, provided the following requirements and limitations are heeded:
- When considering the sum consisting of non-safety instrumented function, required tests and safety function, the number of maximum cycles of the actuator end position switches as well as the maximum number of starts during actuator deployment are not exceeded in a safety instrumented system.
- When considering the sum consisting of non-safety instrumented function, required tests and safety function, the number of maximum cycles for the respective actuator as well as the maximum number of permissible cycles1) or starts are not exceeded, if appropriate scaling rules are applied.
- Lubrication is checked at regular intervals and the lubricant changed if required, however, at least every 10 years.
- Every 20,000 cycles1) or starts2) (whatever occurs earlier), the crown wheel and the worm wheel are checked for wear and replaced if required.
- The end user makes sure that a test rate (PVST) is achieved for the Safe end position feedback safety function, complying with the demand rate to be expected according to the applicable standards for the respective application.
- All requirements in accordance with the Technical data for switches (Y004.619) data sheet are respected, in particular the permissible minimum and maximum currents and voltages.
- The number of cycles1) as well as the number of cycles of each limit and torque switch do not exceed the values stipulated in the table below:
Table 4: Number of permissible cycles of end position switch as well as cycles according to EN 15714-2:2010

3.5. Further notes and indications on architecture

HFT is 0. Only flanges of F07 or FA 07 sizes or larger may be used for valve attachment.
1) Definition of cycles according to EN 15714-2:2010
2) Definition of starts according to DIN EN 15714-2:2010
Table 4 body (column assignment not recoverable from this extraction): column groups "Classes A and B" and "Class C (Modulation)"; rows "Contact material" (gold or silver per column), "Maximum electrical load" (50 V/400 mA, 30 V/30 mA, 250 V AC/5 A, 30 V/30 mA) and "Number of permissible cycles of end position switch" (< 20,000 or < 100,000 per column).