Emerson Bettis Safety Manual
Bettis RPE-Series
SIL Safety Manual
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
March 2019
Notes
March 2019
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
This page is intentionally left bank
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
Table of Contents
Section 1: Introduction
Section 2: Functional Specification
Section 3: Configuration of the Product
Section 4: Service Condition Limitations (Limitation of Use)
Section 5: Expected Lifetime
Section 6: Failure Modes and Estimated Failure Rates
Table of Contents
March 2019
Section 7: Installation and Site Acceptance Procedure
Section 8: Periodic Test and Maintenance Requirements
8.1 General ...................................................................................................... 9
8.2 Full-Stroke Test .......................................................................................... 9
8.3 Partial-Stroke Test .................................................................................... 12
8.4 Proof Test and Periodic Maintenance ........................................................ 15
Section 9: Architectural Constraints
Section 10: Common Cause Factors
Section 11: Mean Repair Time
Section 12: Systematic Capability
Table of Contents
I
Section 1: Introduction
March 2019
Section 1: Introduction
Purpose of this Safety Manual, written in compliance with IEC 61508-2, Annex D, is to give
all the necessary information to the system integrator for a correct use of the product in
Safety Instrumented Systems for SIL classified applications.
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
1
Introduction
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
Section 2: Functional Specification
Section 2: Functional Specification
The safety function for Bettis RPE-Series pneumatic actuator is defined as follows:
Double-Acting Scenario:
a. When an unsafe condition is detected in a plant by a process sensor, the
controller, via actuator control system, drives the Actuator to close the
shut-down valve, depressurizing (if under pressure) the Opening side of
the actuator and pressurizing the Closing side of the actuator.
b. When an unsafe condition is detected in a plant by a process sensor, the
controller, via actuator control system drives the Actuator to open the
blow-down valve, depressurizing (if under pressure ) the Closing side
of the pneumatic actuator and pressurizing the Opening side of the
pneumatic actuator.
Single-Acting Scenario:
a. When an unsafe condition is detected in a plant by a process sensor, the
controller, via actuator control system drives the Actuator to rotate with
sufficient torque to move a valve to its fail-safe state when hold-position
air pressure is released.
The Bettis brand Actuator Selection Procedure provides functional definition with specifics
on input variables and performance.
March 2019
In any case, the choice of the safety function to be implemented is responsibility of the
system integrator.
Functional Specication
2
Section 3: Configuration of the product
March 2019
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
Section 3: Configuration of the Product
The Bettis RPE-Series are pneumatically operated actuators designed to operate Ball / Plug
/ Butterfly valves, automation of louvers and dampers & automation of any
quarter-turn mechanism. Both the double-acting and single-acting (spring-return) versions
of the Bettis RPE-Series pneumatic actuators are designed in such a way that there are no
moving parts on the outside (with the exception of the position indicator). This makes
them safe, easy to install and virtually maintenance free.
For further details about actuator configurations, please refer to the Bettis RPE-Series
product data sheets, Safety guide and Installation, Operation and Maintenance manual.
3
Conguration of the product
AB
A
B
A
B
A
B
Pistons Pistons
Pinion
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
Section 4: Service Condition Limitations (Limitation of Use)
March 2019
Section 4: Service Condition Limitations
(Limitation of Use)
The operating capabilities are listed below:
• Maximum Operating Pressure:
– Pneumatic Service
– Up to 120 psig (8.3 barg)
• Ambient Temperature:
Temperature extremes require different solutions to maintain actuator operational
integrity and reliability. For each Bettis RPE-Series actuator is available in three
different temperature executions.
– -20 °C to +80 °C (-4 °F to +176 °F) Standard temperature
– -10 °C to +120 °C (+14 °F to +250 °F) High Temperature
– -40 °C to +80 °C (-40 °F to +176 °F) Low Temperature
• Torque Output Range:
– Double-Acting Bettis RPE-Series actuators, requiring pressure to rotate in
either direction, are available with a torque range between 4.8 Nm
(44 lbf.in) and 6,490 Nm (59000 lbf.in)
– The Bettis RPE-Series spring-return models require pressure in only one
direction of travel and are suitable for air-fail close and air-fail to open
applications without modification. These models are available with a
spring end torque between 2 Nm (20 lbf.in) and 2394 Nm (21000 lbf.in)
• Safety Function:
For spring-return models, the safety function is self-evident performed by the
springs. The safety function of double-acting models should be performed by the
A-chamber for safety related systems.
Figure 1 Use the A-Chamber for Safety Related Systems on Double-Acting Actuators
Assembly Code: CW Assembly Code: CC
= Safety Function is = Safety Function is
Counterclockwise Rotation Clockwise Rotation
Pinion
Pistons
Service Condition Limitations (Limitation of Use)
Pistons
4
Section 4: Service Condition Limitations (Limitation of Use)
March 2019
• Use of manual override:
The use of a manual override is not recommended in a SIL classified application, as
it results in a bypass of the safety function. In case the manual override is used, the
following requirements must be fulfilled, or the Functional Safety Certification will
become invalid:
– The manual override shall be protected to prevent unauthorized use.
(e.g. by key locks in conjunction with effective management controls.).
– The users authorized to operate on the actuator shall be skilled personnel;
– The maximum duration of the manual override shall be defined.
– If necessary, compensatory measures to allow the safe operation of the
process shall be defined (responsibility of the final user).
• When test or bypass facilities are included in the SIS (safety integrated system),
they shall conform with the following:
– The SIS shall be designed in accordance with the maintenance and testing
requirements defined in the SRS (safety requirement specification).
– The operator shall be alerted to the bypass of any portion of the SIS via an
alarm or operating procedure.
Before selecting remote operating mode control of actuator, the manual override must be
disengaged according to the relevant Installation, Operation and Maintenance Manual.
SIL Safety Manual
DOC.SILM.BE.EN Rev. 1
The position selected (remote/automatic control or local /manual control) can be achieved
with a specific technical solution that does not allow to reach an intermediate position
lever’s and avoids unintentional activation.
The engagement of the manual override shall be signaled, at least locally, according to
IOM. As optional request from final user, to determine if the manual override is engaged,
an electrical signal using contact switching can be provided to communicate the status to
the control room.
• Loss of utility:
For double acting configurations that on loss of utility (e.g., electrical power, or
pneumatic supply) does not fail to the safe state a system for detecting
and alarming of loss of utility and SIS circuit integrity shall be implemented.
(e.g., end-of-line monitoring, supply pressure measurement), and action taken
according to Par. 11.3 of IEC. 61511-1.
5
Service Condition Limitations (Limitation of Use)
Loading...