Instruction Manual Supplement
D104484X012
785C Actuator
April 2019
Safety Manual for Fisher™ 785C Actuators
Purpose
This safety manual provides information necessary to design, install, verify, and maintain a Safety Instrumented
Function (SIF) utilizing the Fisher 785C actuator.
WARNING
This instruction manual supplement is not intended to be used as a stand-alone document. It must be used in conjunction
with the following manual:
Fisher 785C Actuator Instruction Manual (D104483X012)
Failure to use this instruction manual supplement in conjunction with the above referenced manual could result in personal
injury or property damage. If you have any questions regarding these instructions or need assistance in obtaining any of
these documents, contact your Emerson sales office
Introduction
.
This manual provides necessary requirements for meeting the IEC 61508 or IEC 61511 functional safety standards.
Figure 1. Fisher 785C Actuator
785C Double-Acting Springless Actuator
www.Fisher.com
785C Actuator
April 2019
Instruction Manual Supplement
D103398X012
Terms and Abbreviations
Safety: Freedom from unacceptable risk of harm.
Functional Safety: The ability of a system to carry out the actions necessary to achieve or to maintain a defined safe
state for the equipment / machinery / plant / apparatus under control of the system.
Basic Safety: The equipment must be designed and manufactured such that it protects against risk of injury to persons
by electrical shock and other hazards and against resulting fire and explosion. The protection must be effective under
all conditions of the nominal operation and under single fault condition.
Safety Assessment: The investigation to arrive at a judgment based on the facts of the safety achieved by
safetyrelated systems.
FailSafe State:
D State where valve actuator is deenergized and spring is extended. (785C single-acting spring return constructions).
D State where valve actuator is driven to or held in a predefined position by the control medium. (785C double-acting
springless constructions).
Fail Safe: Failure that causes the valve to go to the defined failsafe state without a demand from the process.
Fail Dangerous: Failure that does not respond to a demand from the process (i.e. being unable to go to the defined
failsafe state).
Fail Dangerous Undetected: Failure that is dangerous and that is not being diagnosed by automatic stroke testing.
Fail Dangerous Detected: Failure that is dangerous but is detected by automatic stroke testing.
Fail Annunciation Undetected: Failure that does not cause a false trip or prevent the safety function but does cause
loss of an automatic diagnostic and is not detected by another diagnostic.
Fail Annunciation Detected: Failure that does not cause a false trip or prevent the safety function but does cause loss of
an automatic diagnostic or false diagnostic indication.
Fail No Effect: Failure of a component that is part of the safety function but that has no effect on the safety function.
Low demand mode: Mode, where the frequency of demands for operation made on a safetyrelated system is no
greater than twice the proof test frequency.
Acronyms
FMEDA: Failure Modes, Effects and Diagnostic Analysis
HFT: Hardware Fault Tolerance
MOC: Management of Change. These are specific procedures often done when performing any work activities in
compliance with government regulatory authorities.
PFD
SFF: Safe Failure Fraction, the fraction of the overall failure rate of a device that results in either a safe fault or a
diagnosed unsafe fault.
SIF: Safety Instrumented Function, a set of equipment intended to reduce the risk due to a specific hazard (a safety
loop).
2
: Average Probability of Failure on Demand
AVG
Instruction Manual Supplement
D103398X012
SIL: Safety Integrity Level, discrete level (one out of a possible four) for specifying the safety integrity requirements of
the safety functions to be allocated to the E/E/PE safetyrelated systems where Safety Integrity Level 4 has the highest
level of safety integrity and Safety Integrity Level 1 has the lowest.
SIS: Safety Instrumented System – Implementation of one or more Safety Instrumented Functions. A SIS is composed
of any combination of sensor(s), logic solver(s), and final element(s).
785C Actuator
April 2019
Related Literature
Hardware Documents:
Bulletin:
61.2:785C, Fisher 785C Piston Actuator: D104412X012
Instruction Manual:
Fisher 785C Piston Actuator: D104483X012
Guidelines/References:
D Safety Integrity Level Selection – Systematic Methods Including Layer of Protection Analysis, ISBN 1556177771,
ISA
D Control System Safety Evaluation and Reliability, 2nd Edition, ISBN 1556176388, ISA
D Safety Instrumented Systems Verification, Practical Probabilistic Calculations, ISBN 1556179099, ISA
Reference Standards
Functional Safety
D IEC 61508: 2010 Functional safety of electrical/electronic/ programmable electronic safetyrelated systems
D ANSI/ISA 84.00.012004 (IEC 61511 Mod.) Functional Safety – Safety Instrumented Systems for the Process Industry
Sector
Product Description
The 785C Series pneumatic actuators are medium to large spring-return single acting or double-acting springless
piston actuators that provide accurate, high thrust output for short to long travel applications. The 785C actuators can
be installed on sliding-stem valves for throttling control or on-off applications.
The single-acting actuator constructions feature an internal bias spring that forces the actuator piston rod to extend or
retract upon a loss of supply pressure, thereby ensuring a fail-closed or fail-open mode of operation. This effectively
eliminates the need for a trip valve and volume tank in most constructions.
An optional manual override (top mounted handwheel or side mounted handpump) is capable of extending or
retracting the actuator manually and can be engaged at any position from full open to full close. The top-mounted
handwheel utilizes an engagement lever that couples the handwheel and piston rod. The handpump has a hydraulic
cylinder attached to the piston rod. This enables the handpump to operate the actuator manually, unless the
handpump is set to bypass position.
3
785C Actuator
April 2019
Instruction Manual Supplement
D103398X012
Designing a SIF Using a Fisher 785C Actuator
Safety Function
The double-acting springless 785C actuator constructions will maintain functionality so the actuator can be moved
into the application dependent safe state by means of the control medium. When the spring-return 785C actuator is
de-energized, the actuator and valve shall move to its fail-safe position. Depending on which configuration is specified
fail-closed or fail-open, the actuator will move the valve control element to close off the flow path through the valve
body or open the flow path through the valve body.
The 785C actuator is intended to be part of a final element subsystem as defined per IEC 61508 and the achieved SIL
level of the designed function must be verified by the designer.
Environmental Limits
The designer of an SIF must check that the product is rated for use within the expected environmental limits. Refer to
the Fisher 785C Actuator Product Bulletin (D104412X012
) for environmental limits.
Application limits
The 785C series actuator materials of construction are specified in the product bulletin. A range of materials for
certain parts are available for various applications. The serial card will indicate what the materials of construction are
for a specific actuator. It is especially important that the designer check for material compatibility considering onsite
chemical contaminants and air supply conditions. If the 785C series actuator is used outside of the application limits or
with incompatible materials, the reliability data provided becomes invalid.
Diagnostic Response Time
A 785C series actuator does not perform any automatic diagnostic functions by itself and therefore it has no
diagnostic response time of its own. However, automatic diagnostics of the final control subsystem may be performed
such as Partial Valve Stroke Testing (PVST). This typically will exercise the actuator and valve over a small percentage of
its normal travel without adversely affecting the flow through the valve. If any failures of this PVST are automatically
detected and annunciated, the diagnostic response time will be the PVST interval time. The PVST must be performed
10 times more often than an expected demand in order for credit to be given for this test.
Design Verification
The achieved SIL of an entire SIF design must be verified by the designer via a calculation of PFD
architecture, proof test interval, proof test effectiveness, any automatic diagnostics, average repair time and the
specific failure rates of all products included in the SIF. Each subsystem must be checked to assure compliance with
minimum HFT requirements.
When using a 785C series actuator in a redundant configuration, a common cause factor of at least 10% should be
included in the Safety Integrity calculations. This value is dependent on the level of common cause training and
maintenance in use at the end user's facility.
considering
AVG
The failure rate data listed in the SIL certificate is only valid for the useful lifetime of a 785C series actuator. The failure
rates will increase after this time period. Reliability calculations based on the data listed in the SIL certificate for
mission times beyond the useful lifetime may yield results that are too optimistic, i.e. the calculated Safety Integrity
Level will not be achieved.
4
Instruction Manual Supplement
D103398X012
785C Actuator
April 2019
SIL Capability
Systematic Integrity
The product has met manufacturer design process requirements of SIL 3. These are intended to achieve sufficient
integrity against systematic errors of design by the manufacturer. A SIF designed with this product must not be used at
a SIL level higher than stated without “prior use” justification by the end user or diverse technology redundancy in the
design.
Random Integrity
The Fisher 785C series actuator is classified as a Type A device according to IEC 61508, having a hardware fault
tolerance of 0. The complete final element subsystem, with a 785C series actuator and sliding stem valve as the final
control element, will need to be evaluated to determine the Safe Failure Fraction of the subsystem. If the SFF for the
entire final element subsystem is between 60% and 90%, a design can meet SIL 2 @ HFT=0.
Safety Parameters
For detailed failure rate information refer to the SIL certificate for the Fisher 785C Spring Return actuators or the SIL
certificate for the Fisher 785C Double Acting actuators.
Connection of the Fisher 785 Actuator to the SIS Logic-solver
The final element subsystem (consisting of a positioner, 785C series actuator, and a sliding-stem valve) is connected
to the safety rated logic solver which is actively performing the Safety Function as well as any automatic diagnostics
designed to diagnose potentially dangerous failures within the 785C series actuator, valve and any other final element
components (i.e. Partial Valve Stroke Test).
General Requirements
The system's response time shall be less than process safety time. The final control element subsystem needs to be
sized properly to assure that the response time is less than the required process safety time. The 785C series actuator
will move the valve to its safe state in less than the required SIF's safety time under the specified conditions.
All SIS components including the 785C series actuator must be operational before process startup.
The user shall verify that the 785C series actuator is suitable for use in safety applications.
Personnel performing maintenance and testing on the 785C series actuator and valve shall be competent to do so.
Results from the proof tests shall be recorded and reviewed periodically.
The useful life of the 785C series actuator is expected to be approximately 25 years with proper maintenance but
depends on operating conditions and construction materials.
Installation and Commissioning
Installation
WARNING
To ensure safe and proper functioning of equipment, users of this document must carefully read all instructions, warnings,
and cautions in each applicable instruction manual.
5
785C Actuator
April 2019
The Fisher 785C series actuator must be installed per standard practices outlined in the instruction manual.
The environment must be checked to verify that environmental conditions do not exceed the ratings.
The 785C actuator must be accessible for physical inspection.
Instruction Manual Supplement
D103398X012
Physical Location and Placement
The 785C series actuator shall be accessible with sufficient room for the valve, actuator, pneumatic connections, and
any other components of the final control element. Provisions shall be made to allow for manual proof testing.
Pneumatic piping to the actuator shall be kept as short and straight as possible to minimize the airflow restrictions and
potential clogging. Long or kinked pneumatic tubes may also increase the valve closure time.
The 785C series actuator shall be mounted in a low vibration environment. If excessive vibration can be expected
special precautions shall be taken to ensure the integrity of pneumatic connectors or the vibration should be reduced
using appropriate damping mounts.
Pneumatic Connections
Recommended piping for the inlet and outlet pneumatic connections to the 785C series actuator is stainless steel
tubing. The length of tubing between the 785C series actuator and the control device, such as a solenoid valve, shall
be kept as short as possible and free of kinks.
The process air pressure shall meet the requirements set forth in the installation manual.
The process air capacity shall be sufficient to move the valve within the required time.
The actuator is shipped with two plastic NPT plugs in the ports to keep the cylinder free of debris. Verify these have
been replaced with appropriate pressure retaining components before pressurizing.
Note
The plastic NPT plugs may be removed by the Fisher factory during manufacturing for mounting of a valve controller, positioner, or
other final element component.
6
Instruction Manual Supplement
D103398X012
785C Actuator
April 2019
Operation and Maintenance
Suggested Proof Test
The objective of proof testing is to detect failures within a 785C series actuator that are not detected by any automatic
diagnostics of the system. Of main concern are undetected failures that prevent the Safety Instrumented Function
from performing its intended function.
The frequency of proof testing, or the proof test interval, is to be determined in reliability calculations for the Safety
Instrumented Functions for which a 785C series actuator is applied. The proof tests must be performed more
frequently than or as frequently as specified in the calculation in order to maintain the required Safety Integrity of the
Safety Instrumented Function.
The proof test shown in table 1 is recommended. The results of the proof test should be recorded and any failures that
are detected and that compromise functional safety should be reported to Emerson Automation Solutions. The
suggested proof test consists of a full stroke of the 785C series actuator.
The person(s) performing the proof test of a 785C series actuator should be trained in SIS operations, including bypass
procedures, valve maintenance and company Management of Change procedures. No special tools are required.
Table 1. Recommended Full Stroke Proof Test
Step Action
1 Bypass the safety function and take appropriate action to avoid a false trip.
2 Interrupt or change the signal/supply to the 785C actuator to force the actuator and valve to perform a full stroke
3 Restore the supply/signal to the 785C actuator and confirm that the normal operating state was achieved.
4 Inspect the 785C actuator and the other final control element components for any leaks, visible damage or contamination.
5 Record the test results and any failures in your company's SIF inspection database.
6 Remove the bypass and restore normal operation.
to the FailSafe state and confirm that the Safe State was achieved and within the correct time.
Repair and replacement
Repair and replacement procedures in the instruction manuals must be followed.
Manufacturer Notification
Any failures that are detected and that compromise functional safety should be reported to Emerson. Please contact
your Emerson sales office
.
7
785C Actuator
April 2019
Instruction Manual Supplement
D103398X012
Appendix A
Sample Startup Checklist
This appendix provides a sample Startup Checklist for a 785C actuator. A Startup Checklist will provide guidance
during the final control elements emplo
Start-Up Checklist
The following checklist may be used as a guide to employ the 785C actuator in a safety critical SIF compliant to
IEC61508.
yment.
# Activity Result
Design
Target Safety Integrity Level and PFD
Correct valve mode chosen (Failclosed, Failopen)
Design decision documented
Pneumatic compatibility and suitability verified
SIS logic solver requirements for valve tests defined and documented
Routing of pneumatic connections determined
SIS logic solver requirements for partial stroke tests defined and
documented
Design formally reviewed and suitability formally assessed
Implementation
Physical location appropriate
Pneumatic connections appropriate and according to applicable codes
SIS logic solver valve actuation test implemented
Maintenance instructions for proof test released
Verification and test plan released
Implementation formally reviewed and suitability formally assessed
Verification and Testing
Electrical connections verified and tested
Pneumatic connection verified and tested
SIS logic solver valve actuation test verified
Safety loop function verified
Safety loop timing measured
Bypass function tested
Verification and test results formally reviewed and suitability formally
assessed
Maintenance
Tubing blockage / partial blockage tested
Safety loop function tested
determined
AVG
Verified
By Date
Neither Emerson, Emerson Automation Solutions, nor any of their affiliated entities assumes responsibility for the selection, use or maintenance
of any product. Responsibility for proper selection, use, and maintenance of any product remains solely with the purchaser and end user.
Fisher is a mark owned by one of the companies in the Emerson Automation Solutions business unit of Emerson Electric Co. Emerson Automation Solutions,
Emerson, and the Emerson logo are trademarks and service marks of Emerson Electric Co. All other marks are the property of their respective owners.
The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not
to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are
governed by our terms and conditions, which are available upon request. We reserve the right to modify or improve the designs or specifications of such
products at any time without notice.
Emerson Automation Solutions
Marshalltown, Iowa 50158 USA
Sorocaba, 18087 Brazil
Cernay, 68700 France
Dubai, United Arab Emirates
Singapore 128461 Singapore
www.Fisher.com
8
E 2019 Fisher Controls International LLC. All rights reserved.
Loading...