Keystone Figure 89 (F89) Pneumatic Actuator SIL Safety Manual, Keystone-EN Manuals & Guides

KEYSTONE F89 PNEUMATIC ACTUATOR

SIL SAFETY MANUAL

SIL safety manual for F89 Rack and Pinion Pneumatic Actuators

CONTENTS

1 Functional specification .......................... 1

2 Configuration of the product ................... 1

3 Service condition limitations (limitation of

use) ......................................................... 2

4 Expected lifetime .................................... 2

5 Failure modes and estimated failure

rates ....................................................... 3

6 Installation and site acceptance

procedure ................................................ 4

7 Periodic test and maintenance

requirements .......................................... 4

7.1 General ........................................................ 4

7.2 Full-stroke test ........................................... 4

7.3 Partial-stroke test ...................................... 4

7.4 Proof test and periodic maintenance ......... 4

8 Hardware fault tolerance ....................... 5

9 Classification .......................................... 5

10 Safe failure fraction ................................ 5

11 Mean repair time .................................... 5

12 Systematic capability .............................. 5

1 FUNCTIONAL SPECIFICATION

The safety function for Keystone F89 R&P ­Series pneumatic actuator is defined as follows:

Double-Acting scenario:

a. When an unsafe condition is detected in a

plant by a process sensor, the controller, via
actuator control system, drives the actuator
to close the shut-down valve, depressurizing
(if under pressure) the opening side of the
actuator and pressurizing the closing side of
the actuator.

b. When an unsafe condition is detected in a

plant by a process sensor, the controller, via
actuator control system drives the actuator
to open the blow-down valve, depressurizing
(if under pressure) the closing side of the
pneumatic actuator and pressurizing the
opening side of the pneumatic actuator.

Single-Acting scenario:

a. When an unsafe condition is detected in a

plant by a process sensor, the controller, via
actuator control system drives the actuator to
rotate with sufficient torque to move a valve
to its fail-safe state when hold-position air
pressure is released.

The Keystone Brand Actuator Selection
Procedure provides functional definition with
specifics on input variables and performance.
In any case, the choice of the safety function to
be implemented is responsibility of the system
integrator.

2 CONFIGURATION OF THE PRODUCT

The Keystone F89 R&P - Series are
pneumatically-operated actuators designed to
operate butterfly, ball valves and any quarter­turn mechanism. It is suitable for a range of
applications in industries such as processing,
chemical, food and beverage, mining, power
and water, and available globally. Both the
double-acting and single-acting (spring-return)
versions of the Keystone F89 R&P - Series
pneumatic actuators are designed in such
a way that there are no moving parts on the
outside (except for the position indicator). This
makes them safe, easy to install and virtually
maintenance free.

For further details about actuator
configurations, please refer to the Keystone F89
R&P - Series Product Data Sheets, safety guide
and Installation, Operation and Maintenance
Manual

Emerson.com/FinalControl VCOSI-16511-EN 21/07

© 2021 Emerson. All Rights Reserved.

KEYSTONE F89 PNEUMATIC ACTUATOR

SIL SAFETY MANUAL

3 SERVICE CONDITION LIMITATIONS
(LIMITATION OF USE)

The operating capabilities are listed below:

• Operating medium: Compressed air (dry and

lubricated)

• Maximum Operating Pressure:

- Pneumatic service.

- 8.3 bar (120 psi) max. dynamic

- 10 bar (140 psi) max. static

• Temperature range: Temperature extremes

require different solutions to maintain
actuator operational integrity and reliability.
For each Keystone F89 - Series actuator
is available in three different temperature
executions.

- Standard temperature version:

-20 °C to 80 °C (-4 °F to 176 °F)

- Low temperature version:

-52 °C to 65 °C (-62 °F to 149 °F)

- High temperature version:

-15 °C to 150 °C (-5 °F to 302 °F)

• Torque output range:

- Double-acting F89 R&P - Series actuators,

requiring pressure to rotate in either
direction, are available with a torque range
between 11 Nm (97 lbf.in) and 4173 Nm
(36,955 lbf.in)

- Spring-return F89 - Series actuators,

require pressure in only one direction of
travel and are suitable for air-fail close
and air-fail to open applications without
modification. These models are available
with a spring end torque between 6 Nm
(51 lbf.in) and 1663 Nm (14,729 lbf.in)

• Travel adjustment:

- Optimized product flow with standard

mounted travel stops for valve position
adjustment in open and close position
(+/- 5° at each end of travel)

- 0-100% travel stop available on request

• Safety function:

- Pre-compressed spring cartridge design for

ease of assembly and disassembly

- Anti-blowout drive pinion

- No stopper bolt extends beyond the body

- Integrated connections

- Fail-safe actuator, spring-close and spring-

open

- Adjustable stopper (+/- 5°)

Use the 4 (B)-Port for safety related systems on
Double-acting actuators:

Assembly Code: CW

= Safety function is counterclockwise rotation

2 (A)

4 (B)

2 (A)

4 (B)

4 EXPECTED LIFETIME

Actuator lifetime (for which failure rates
indicated in section 5 are ensured) strongly
depends on operating conditions.

For normal service conditions, Keystone
F89 R&P - Series actuators can be in good
conditions with max 500,000 cycles or 15 years
with regular inspection whichever comes first.
Normal working life is the number of cycles as
defined in Table 1 of EN 15714-3.

Keystone F89 R&P Series carry a warranty
period of:

• 12 months after installation or 18 months
after delivery, whichever is earlier.

Assembly Code: CC

= Safety function is clockwise rotation

4 (B)

2 (A)

2 (A)4 (B)

2

02

KEYSTONE F89 PNEUMATIC ACTUATOR

SIL SAFETY MANUAL

5 FAILURE MODES AND ESTIMATED FAILURE RATES

Warranty data and details from the extensive testing that is performed in-house by the
manufactures were used to perform the calculations. Failure data for 2016-17 were provided by
the company and used in this study.

• Determination of SIL parameters

Based on the FMEDA study carried out for actuator series, the individual failure rates, SFF

and DC were calculated. The results are given in below table covering the variants of Keystone
actuator F89 R&P – Series:

TABLE 1 - DETERMINATION OF SIL PARAMETERS

Variants

Spring return (SR) 7.16E-09 0.00E+00 1.79E-09 7.45E-10 92 71
Double Acting (DA)

7.31E-09 0.00E+00 1.91E-09 4.77E-10 95 80

• Failure distribution

An analysis of the failures was carried out for the individual components and is given in following

table:

TABLE 2 - FAILURE DISTRIBUTION

Types of Keystone Actuator F89 Component Failures (%)

Spring Return (SR)

Double Acting (DA)

Failure rate (number of failures/hrs.) SFF DC

ʎSD ʎSU ʎDD ʎDU

End cap washer 12

Bolt – end cap 12

Piston 9

End cap 9

O-ring (piston) 9

Spring Cartridge Assembly 6

End cap washer 13

Bolt – end cap 13

Piston 10

End cap 10

O-ring (piston) 10

Body 7

% %

The FMEDA analysis shows that components such as pinion and end cap contribute significantly to
the dangerous undetected failure mode. The company may address the causes for such failures.

3

KEYSTONE F89 PNEUMATIC ACTUATOR

SIL SAFETY MANUAL

6 INSTALLATION AND SITE ACCEPTANCE
PROCEDURE

Any necessary installation and site acceptance
procedures are discussed in the Keystone F89
R&P - Series actuators Installation, Operation
and Maintenance manual. The Installation,
Operation and Maintenance manual defines
exercising of the actuator after installation and
defines testing after maintenance.

7 PERIODIC TEST AND MAINTENANCE
REQUIREMENTS

Any necessary installation and site acceptance
procedures are discussed in the Keystone F89
R&P - Series actuators Installation, Operation
and Maintenance manual. The Installation,
Operation and Maintenance manual defines
exercising of the actuator after installation and
defines testing after maintenance.

7.1 General

Please consider that the information in this
paragraph are relevant only in regards of
Reliability Tests; please refer to Document,
Installation, Operation and Maintenance
manual for detailed information about product
maintenance, handling and storage.

Diagnostic tests may be made to increase the
system reliability (Full-stroke or Partial-stroke
test).

“On-site” tests depend on project/plant
facilities/requirements; however, a functional
test must be executed on site, prior actuator
operation

7.2 Full-Stroke test

The “Full-Stroke Test” (“On-line”) must be
performed to satisfy the PFD

AVG (average

probability of failure on demand) value.
The full-test frequencies will be defined by the
final integrator in relation to the defined SIL
level to achieve.

• Procedure:

- Operate the actuator/valve assembly for
No. 2 open/close complete cycles with
complete closing of the valve.

- Verify the correct performing of open – close
maneuver (for example, check locally, or
automatically via ogic solver, the correct
movement of the actuator/valve).

Considering the application of the above
described Full-Stroke Test Procedure, the
“Test Coverage” can be considered 99%.

7.3 Partial-Stroke test

The “Partial-Stroke Test” (“On-line”) can be
performed to improve the PFD

AVG value.

A typical partial-stroke value is 15% of the
stroke.

The “Partial-Stroke Test” (“On-line”) can be
performed to satisfy PFD

AVG (average probability

of failure on demand) value.

• Recommended Test Interval = 1 to 3 months.

• Procedure:

- Operate the actuator/valve assembly for
No. 1 open/close cycles 15/20% of the
stroke.

- Verify the correct performing of partial­stroke operation (for example, check locally,
or automatically via logic solver, or via the
PST system the correct movement of the
actuator/valve till 15/20% of the stroke).

The above parameters to check will depend
from the partial-stroke test system available.
Considering the application of the above
described Partial-Stroke Test procedure, the
“Diagnostic Coverage” is >90%.

7.4 Proof test and periodic maintenance

We advise to perform the following checks
upon each proof test interval complying with
the rules and regulations of the country of final
installation:

• Visually check the entire actuator as well as

the control system (where foreseen).

• Ensure there are no leaks on the actuator

parts under pressure.

• Check pneumatic connections for leaks.

Tighten tube fittings as required.

• Check if manual override (where foreseen) is

regular.

• Check if pneumatic filter cartridge (where

foreseen) is sound and filter bowl (where
foreseen) has been cleaned properly.

• Check the setting of the relief valves (where

foreseen).

• Verify that the power fluid supply pressure

value is within the required range.

• Remove built-up dust and dirt from all

actuator surfaces.

• Inspect actuator paint work for damages

to ensure continued corrosion protection.
Touch-up as required in accordance with the
applicable paint specification.

• Operate the actuator/valve assembly for

No. 2 open/close complete cycles with
complete closing of the valve.

• Verify the correct performing of open – close

operations (for example, check locally, or
automatically via logic solver, the correct
movement of the actuator).

The Installation, Operation and Maintenance
manual defines under normal operating
conditions and when basic pneumatic system
maintenance procedures are applied, the F89
actuator will require minimum maintenance
for hundred thousand of cycle. If O-ring wear
out and air leakage occurs, a soft goods kit can
be ordered. This addresses components that
may have age-related degradation. When the
maintenance interval has elapsed, a complete
overhaul of the actuator is required.

4

KEYSTONE F89 PNEUMATIC ACTUATOR

SIL SAFETY MANUAL

8 HARDWARE FAULT TOLERANCE

The hardware fault tolerance of the device is 0.

The requirements of minimum hardware fault
tolerance (HFT) according to Tab.6 of
IEC 61511-1 have to be observed but, as long
as an assessment report has been performed
fully in compliance with IEC 61508 part 1 to 7,
alternative fault tolerance requirements have to
be considered applicable according to Table 2
of IEC 61508-2 as per par. 11.4.5 of
IEC 61511-1.

9 CLASSIFICATION

The equipment is classified Type A according to
IEC 61508-2.

10 SAFE FAILURE FRACTION

SFF = 0 without external diagnostic tests.

SFF > 0 with external diagnostic tests, carried
out according to definition 3.8.7 of IEC 61508-4.

• SFF = 91% with Partial-Stroke Test.

• SFF = 99% with Full-Stroke Test.

11 MEAN REPAIR TIME

Mean Repair Time (MRT) of the actuator is
assumed to be 24 hours.

NOTICE

The MRT is estimated considering availability of
skilled personnel for maintenance, spare parts
and adequate tools and materials on site (that is,
it encompasses the effective time to repair and
the time before the component is put back into
operation).

Procedures to repair or replace the Keystone
F89 R&P - Series actuators are provided in
the respective Installation, Operation and
Maintenance manual. Please refer to the
Installation, Operation and Maintenance manual
for any tools required for repair and replacement
and required competency of technicians.
Maintenance and subsequent test procedures
are also covered in the Installation, Operation and
Maintenance manual. Any failures, identified by
the end-user during maintenance, repair or proof
testing, that potentially impact the functional
safety of the Keystone F89 R&P - Series actuators
should be reported back to Emerson Customer
Service Coordinator.

12 SYSTEMATIC CAPABILITY

The systematic capability of the device is 3.

This systematic capability is guaranteed only if
the user:

• Use the device according to the instructions
for use and to the present manual.

• Use the device in the appropriate environment
(limitation of use).

The SFF shall be evaluated for the entire final
element sub-system.

The diagnostic test shall be performed
considerably more often than the demand of
the safety function.

VCOSI-16511-EN © 2021 Emerson Electric Co. All rights reserved 07/21. Keystone is a mark owned by one of the companies in the Emerson Automation Solutions business
unit of Emerson Electric Co. The Emerson logo is a trademark and service mark of Emerson Electric Co. All other marks are the property of their prospective owners.

The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be construed
as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and
conditions, which are available upon request. We reserve the right to modify or improve the designs or specifications of such products at any time without notice.

Emerson Electric Co. does not assume responsibility for the selection, use or maintenance of any product. Responsibility for proper selection, use and maintenance of
any Emerson Electric Co. product remains solely with the purchaser.

Emerson.com/FinalControl

5