invest in confidence - bernard controls

LAB

EL

SIL Actuators

Invest in Confidence

Contents

All you have to know about SIL > 4

SIL by BERNARD CONTROLS > 8

BERNARD CONTROLS actuators with SIL > 10

SIL Certified functions > 11

INTELLI+® SIL layout > 12

Technical specifications > 14

SIL certified signaling functions

More than safety commands

WITH BERNARD CONTROLS, ACHIEVE A NEW STEP FORWARD

IN THE SECURITY OF YOUR PROCESSES:

- SIL2 (SIL3 IN 1OO2) CERTIFIED ESD FUNCTIONS

- SIL2 CERTIFIED SIGNALING FUNCTIONS

The BC Premium label is the guarantee of high performance, reliable and innovative actuation solutions designed to sustain severe environmental and operational conditions.Decades of return of experience from very demanding applications such as nuclear qualified valves’ actuation have shaped our technical orientations and our commitment to quality and safety.Moreover, BC Premium labeled products offer user-friendliness and extremely low level of maintenance requirements.

In the spirit of the BC PREMIUM label, taking into account market demands for increased functional safety, BERNARD CONTROLS designs and produces SIL certified actuators.

All you have to know about SIL

PFDavgProbability of Failure

on Demand

PFHProbability of dangerous

Failure per Hour

SILSafety Integrity Level

RRFRisk Reduction Factor

(RRF = 1/PFD)

10-1 to 10-2 10-5 to 10-6 1 10 to 100

10-2 to 10-3 10-6 to 10-7 2 100 to 1000

10-3 to 10-4 10-7 to 10-8 3 1000 to 10.000

10-4 to 10-5 10-8 to 10-9 4 10.000 to 100.000

Low demand modeHigh demand mode

or continuous mode

Functional safetyIndustrial installations, whether chemical, petrochemical or any others, have been subject to continuously toughening performance and security requirements in the past decades. These requirements coupled with industrial accidents have brought increased attention to the securing of industrial processes and to the concept of functional safety. In the 1990’s, producers and end users of electronical equipments moved toward the setting of some standards that would help to control risks. This movement led to the IEC 61508 and, later, IEC 61511 standards which introduce the concept of SIL - Safety Integrity Level - as a measure of the level of security provided by a technical measurement of a risk control system.

These standards make us not only consider the possibility of a failure as real but also evaluate the probability of fault of the system and secure the ability to detect any fault as soon as it appears. In other words, it implies to implement safety functions to reduce the risk and consequences of a failure. The IEC 61508 standard defines a methodology to measure and reduce the risk on safety-related systems (SIS) or subsystems (SIF), while granting a SIL value (1 to 4) to SIS. This standard is mainly written to focus on E/E/PE (Electric/Electronic/Programmable Electronic) devices.

Level of confidence According to IEC 61508, the level of confidence is measured in PFD* or PFH*. This is a probability calculation based on a global evaluation (FMEDA) of safety function(s). Based on the PFD value, it’s possible to define a Safety Integrity Level (SIL) between 1 & 4.

Please note that the SIL assessment is always linked to a safety–related function of a device, not to a product itself. For example, an electrical actuator can propose an ESD function with SIL assessment, but the other functions of the actuator are not necessarily SIL complying.

*See Lexicon page 74

DCSProcess

PLCSafety

Commands

Signaling

ESD command

SAFETY INSTRUMENTED SYSTEM

SIF 4

SIF 1SIF 2SIF 3SIF x

Safety Instrumented System - SISA safety function is always included in a command chain using

Sensors (measures),

PLC (treatment and commands),

Safety device (operating components).

The IEC 61511 standard details how to develop a Safety Instrumented System with SIL assessment. The Safety Instrumented System (SIS) is made up of several Safety Intrumented Functions (SIF). Each SIF has its own SIL level. The combination of all these levels determines the SIL capability of the whole system. More specifically, it’s possible to use redundancies to improve the SIL .

Example of SIS, driving to ESD command:

Main characteristic valuesFMEDA drives to identify 4 kinds of possible failures on each SIF. A rate is calculated accordingly:

λSD Total failure rate for safe detected failures λSU Total failure rate for safe undetected failures λDD Total failure rate for dangerous detected failures λDU Total failure rate for dangerous undetected failures

SIL Actuators 5

LAB

EL

The SFF (Safe Failure Fraction) is the probability of the system failing in a safe state. It is a percentage calculated as follow:SFF = (All failures” minus “dangerous undetected) / “All failures”

According to the level of complexity, the expectations of the standard are not the same. Type A concerns simple subsystem (E/E), Type B concerns complex subsystem with Programmable electronics such as BERNARD CONTROLS INTELLI+®. The SFF may take into account a Hardware Fault Tolerance (HFT): HFT = x means, that x+1 faults could cause a loss of the safety function.

Safe Failure Fraction (SFF)

Hardware Fault Tolerance

(Type A – simple subsystem)

Hardware Fault Tolerance

(Type B – complex subsystem)

0 1 2 0 1 2

<60% SIL1 SIL2 SIL3 Not SIL SIL1 SIL2

60 to 90% SIL2 SIL3 SIL4 SIL1 SIL2 SIL3

90 to 99% SIL3 SIL4 SIL4 SIL2 SIL3 SIL4

>99% SIL3 SIL4 SIL4 SIL3 SIL4 SIL4

Redundancy In practical terms, the PFD (or PFH) of a Safety Instrumented System is the addition of the PFD (or PFH) of each Safety Instrumented Function. Example:PFD(SIS) = PFD(Sensor) + PFD(PLC) + PFD(Actuator)

The PFD of the SIS is higher than the PFD of each SIF included in the SIS. This can drive to a safety integrity level lower than the one expected.

According to IEC61508, it is possible to increase the safety integrity level by using redundant configurations. In ‘one out of two’ (1oo2) configuration, it is possible to propose and certify a SIL3 level using a combination of two redundant SIL2 functions.

1oo2 configuration for SIL3

assessment with ESD Close

1oo2 configuration for SIL3

assessment with ESD Open

6

ESD Emergency Shut Down (driving to 3 possibility: ESD Close, ESD Open, ESD Stayput)

FMEDA (Failure Modes, Effects and Diagnostic Analysis) Methodology to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document a system in consideration.

HFT Hardware Fault Tolerance is the number of fault accepted by the subsystem without losing its SIL assessment.

High demand mode

(or continuous mode) Frequency of demands on a safety-related system greater than one per year or greater than twice the proof-test frequency.

Low demand mode

Frequency of demands on a safety-related system lower than once a year and lower than twice the proof-test frequency.

MTBF Mean Time Between Failure. MTBF is a probability of the mean time between failures. This value is generally used as MTTF (Mean Time To - first - Failure)

MTTR Mean Time To Repair (BC value = 8h)

PFD or PFDavgAverage probability of failure on demand (Applicable on low demand mode – less than once a year). The PFD increase constantly.

PFH Probability of dangerous failure per hour (Applicable on High demand mode or continuous mode).

Proof test interval

Interval between periodic tests performed to detect failures in a safety-related system. This allows decreasing the PFD average.

RRF Risk Reduction Factor is equal to 1/PFD.

SFF Safe Failure Fraction is the probability of the system failing in a safe state. SFF = (“All failures” minus “dangerous undetected”) / “All failures”.

SIF Safety instrumented function is a subsystem of safety function. The SIF has its own level of confidence.

SIL Safety Integrity Level applicable to a system or a subsystem. The higher the value, the higher the level of confidence.

SIS Safety instrumented system including one or several SIF.

TYPE A Refer to non-programmable Electronic in general (simple subsystem).

TYPE B Refer to programmable Electronic in general (complex subsystem).

1oo2 (1 out of 2)

Redundant configuration of a safety function, this may increase the SIL value by putting in series or in parallel two safety functions.

Lexicon

7

LAB

EL

SIL Actuators

Strongly committed to address customers’ most demanding requirements, BERNARD CONTROLS offers weatherproof & explosionproof quarter-turn and multiturn actuators with SIL. These actuators have been specially designed with SIL in mind since BERNARD CONTROLS has created a fully dedicated electronics for these INTELLI+® actuators.

SIL by BERNARD CONTROLSIncreased security for your processes

SIL certification on ESD functionsThanks to its fully dedicated control board, BERNARD CONTROLS propose a SIL2 assessment on the following safety instrumented functions:

ESD Open ESD Close ESD Stayput

When the customer wants to increase even more the safety integrity level by using a redundant configuration (1oo2), BERNARD CONTROLS also proposes SIL3 assessment on the following functions:

ESD Open ESD Close

SIL certification on signaling functions

DCSProcess

PLCSafety

Commands

Signaling

SIL SIGNALING

ESD command

SIS WITH SIL ASSESSMENT

SIF 4

SIF 1SIF 2SIF 3SIF X

If sensors leading to an emergency shut-down (flow, pressure, smoke...) are subject to the requirements of SIL assessment, the signaling of the actuator also proves to be a key element of the Safety Instrumented System. Indeed, in case of emergency, ensuring the good functioning of safety commands is not enough: the accuracy of signaling data is essential to make the good decision and activate the ESD functions. Relying on many years of customers’ feedback, BERNARD CONTROLS has included this key criterion in its SIL specifications and offer SIL2 assessment on the following signaling functions:

Valve opened Valve closed 4/20mA position signal (optional function)

8

BC technology for SILIn addition to a fully dedicated control board designed for SIL requirements, BERNARD CONTROLS has also designed a new absolute position sensor. This absolute 16-bit position encoder features a built in self-test checking permanently photodiodes as well as the consistency of position encoding and communication.

BC INTELLI+® standard featuresSafety and reliability have always been at the heart of BERNARD CONTROLS product development. The proof is the INTELLI+® intelligent integrated control launched more than 10 years ago, and continuously improved thanks to clients’ feedback and customer-oriented innovation. It thus features key functions that strengthen installation security and ease commissioning, use and maintenance of the MOV:

• Non-intrusive settings, local & remote control

• Accurate information with absolute torque and position sensors

• Increased security and easy maintenance with constant self-monitoring, valve torque curve, torque monitoring…

• Fieldbus communication with Profibus DP, HART, Modbus and Foundation fieldbus protocols

• Infra-red or Bluetooth communication

Moreover, if the accuracy of signaling functions is crucial to make the good decision, their availability is even more important at first. Thanks to the 24VDC back-up supply available on BC actuators, signaling is maintained, and SIL2 certified, even in case of loss of main power supply. Monitoring of the 24VDC is configurable in INTELLI+® SIL.

Thanks to BERNARD CONTROLS’ SIL certified signaling functions, you can base your decision on a reliable signaling coming from the actuator.

9

LAB

EL

SIL Actuators

MULTITURN STX RANGESTX6 to STX140 (60 to 1400 Nm)

Explosionproof actuators Adaptation to all types of valves: Quarter turn – Multiturn - Linear Adaptation to specifications of engineering companies IP 68 (10m/96h) Compliance with international explosionproof standards: ATEX, INMETRO Brazil, IEC-Ex, GOST-R / CUSTOMS UNION, NEMA 7 & 9...

Type of operation: On/Off, Modulating Class III Special configurations: Corrosion protection, Fire protection, Extreme temperatures INTELLI+®, intelligent control Easy and fast commissioning Optimized maintenance level

MULTITURN ST175 & ST220(1750 to 2200 Nm)

QUARTER-TURN SQX RANGESQX18 to SQX80 (200 to 800 Nm

direct quarter-turn actuators)

BERNARD CONTROLS actuators with SIL

Weatherproof actuators Adaptation to all types of valves: Quarter Turn – Multiturn - Linear Adaptation to specifications of engineering companies IP 68 (5m/72h)

Type of operation: On/Off, Modulating Class III INTELLI+®, intelligent control Easy and fast commissioning Optimized maintenance level

MULTITURN ST & ASM RANGESST6 to ST220 (60 to 2200 Nm) and ASM0 to ASM3

QUARTER-TURN SQ RANGESQ20 to SQ80 (200 to 800 Nm)

10

SIL Certified functions Emergency functions - characteristic values ESD OPEN, ESD CLOSE, ESD STAYPUT

HFT Hardware fault tolerance 0

λSD Safe failures detected 87,53 FIT

λSU Safe failures undetected 6270,18 FIT

λDD Dangerous failures detected 1121 FIT

λDU Dangerous failures undetected 127,58 FIT

PFDavg Probability of failure on demand

T1*=1 year 4,455 E-03

T1*=2 year 8,900 E-03

T1*=5 year 2,224 E-02

SFF Safe failure fraction 91.6%

SIL Safety integrity level 2

MTBF Mean time between failures 400.000 h

MTTR Mean Time To Repair 8 h

*T1 is the proof test interval

4/20 mA POSITION SIGNAL




λDD Dangerous failures detected 14392,96 FIT


PFH* Probability of dangerous failure per hour 1,927 E-07





*Nota: PFH is not linked to a proof test interval

Signaling functions - characteristic valuesVALVE OPENED / VALVE CLOSED SIGNALING




λDD Dangerous failures detected 9496,61 FIT


PFH Probability of dangerous failure per hour 1,962 E-07





Actuators with SIL 11

LAB

EL

INTELLI+® SIL layout

INTELLI+®

CONTROL

12

Type of operation

On/Off or Class III positioning, max number of starts depending on ambient T°C and max admissible start specified on the user manual:• -40° to 40°C > 360 start/hour max• 40° to 60°C > 190 start/hour max• 60° to 68°C > 155 start/hour max

Power supply• 3-phase (50 or 60Hz – Every voltage up to 690VAC)• No automatic phase correction

Enclosure protection

SQ, ASM: IP67 (or IP68 -5m/72h in option) ST: IP68 – 5m/72hSQX/STX: IP68 – 10m/96h

Ambient temperature

Ambient temperature operating range: • Standard: -20°C ...+68°C ( -4°F ... +154°F) • Low temperature grease option: -40°C ...+68°C ( -40°F ... +154°F)

Vibration resistance 2g (19,6 m/s²) at 10-500 Hz (tested according to IEC60068-2-6)

Double-sealing protection

For protection of the electronics, the control compartment of the actuator is fully isolated from the wiring compartment:• Weather proof design: standard• Explosion proof design: standard (except in case of separated box)

Open/Close input

• Isolated by opto-couplers• Command by voltage: 10 to 55 and 90 to 250 V DC/AC• Command by dry contacts: use INTELLI+® internal DC supply• Minimum pulse duration: 100ms

Safety function * with SILinput command

• SIL2 certified ESD functions - Emergency Open, - Emergency Close, - Emergency Stayput• SIL3 certified functions in 1oo2 configuration - Emergency Open: Valves in parallel - Emergency Close: Valves in series• Redundant input isolated by opto-couplers• Command by voltage: 10 to 55 and 90 to 250 V DC/AC• Command by dry contacts: Forbidden• Command validated in case of loss of command voltage

Analog input (option)

• Standard input signal: 4-20 mAAlso possible: • Input signal: 0-20 mA or Input signal: 0-10 V • in current: impedance of 160 Ohms• in voltage: impedance of 11 KOhms

Analog output with SIL2 (option)

• 4/20mA current loop (Increasing current = Opening): Fixed parameter

• External supply between 12 and 30 VDC (750Ω max at 24VDC)• Analog output with built-in self-test

Signaling relays with SIL2

• ‘Opened’ and ‘closed’ signaling with SIL2 • Limited to 100.000 actions• Contact configuration: SPST latching relays

(Contact closed = position reached)• Minimum current 10mA at 5V• 5A at 250V AC or 5A at 30V DC max. (with resistive load)

* We remind you that the activation of ESD functions is subject to power supply of the actuator

Technical specifications

14

BUREAU VERITAS Certificate n°2416601Standard IEC 61 508 Ed2 Part 1, 2, 3, 4.

Signaling relays

• 2 relays: each information can be freely selected among a total of 23 available • Contact configuration: SPST normally open • Minimum current 10mA at 5V• 5A at 250V AC or 5A at 30V DC max. (with resistive load)

Fault relay for safety functions with SIL

• Relay confirming the safety integrity level of the safety functions• Contact configuration: SPST Normally open (closed when there’s no fault detected)• Minimum current 10mA at 5V • 5A at 250V AC or 5A at 30V DC max. (with resistive load)

Fault relay for signaling with SIL

• Relay confirming the safety integrity level of the signaling (Open, Close, 4/20mA)• Contact configuration: SPST Normally open (Closed when there’s no fault detected)• Minimum current 10mA at 5V• 5A at 250V AC or 5A at 30V DC max. (with resistive load)

Electrical connection Screw type terminals or ring tongue terminals

Cable entriesStandard configurations (other on request):• Weatherproof: 3xM20 (additional 4xM16 with fieldbus)• Explosion proof: 1>1/2NPT + 2x1>NPT (additional 4x3/4”NPT with fieldbus)

Power circuit • Power contactors limited to 1.300.000 actions

Fuse protectionPrimary fuse (6.3 x 32mm - 0.5 A) located on the transformer Two automatic fuses for low voltages

Advanced functions available by fieldbus command

• Partial Stroke Test• Auto/On-Off (selection between proportional input and Open/close input)• Local control inhibition (and equivalent associated functions)• Safety position when losing fieldbus command (‘Stayput’ in standard)


LAB

EL

More than 50 agents and distributors worldwide. Contact details on www.bernardcontrols.com

B E R N A R D C O N T R O L S G R O U PCORPORATE HEADQUARTERS4 rue d’Arsonval - CS 70091 / 95505 Gonesse CEDEX France / Tel. : +33 (0)1 34 07 71 00 / Fax : +33 (0)1 34 07 71 01 / [email protected]

CONTACT BY OPERATING AREAS

>AMERICA

NORTH AMERICABERNARD CONTROLS UNITED STATES [email protected]. +1 281 578 66 66

SOUTH AMERICABERNARD CONTROLS LATIN [email protected]. +1 281 578 66 66

>ASIA

CHINABERNARD CONTROLS CHINA &BERNARD CONTROLS CHINA [email protected]. +86 (0) 10 6789 2861

KOREABERNARD CONTROLS [email protected]. +82 2 553 6957

SINGAPOREBERNARD CONTROLS [email protected]. +65 65 654 227

>EUROPE

BELGIUMBERNARD CONTROLS BENELUXNIVELLES (BRUSSELS)[email protected]@bernardcontrols.comTel. +32 (0)2 343 41 22

FRANCEBERNARD CONTROLS FRANCE &BERNARD CONTROLS NUCLEAR FRANCEGONESSE (PARIS)[email protected]. +33 (0)1 34 07 71 00

GERMANYBERNARD CONTROLS DEUFRATROISDORF (KÖLN)[email protected]. +49 2241 9834 0

ITALYBERNARD CONTROLS ITALIARHO (MILANO)[email protected]. +39 02 931 85 233

RUSSIABERNARD CONTROLS [email protected]. +33 (0)1 34 07 71 00

SPAINBERNARD CONTROLS [email protected]. +34 91 30 41 139

>INDIA, MIDDLE EAST & AFRICA

AFRICABERNARD CONTROLS AFRICAABIDJAN - IVORY [email protected]. + 225 21 34 07 82

INDIABERNARD CONTROLS [email protected]. +971 4 880 0660

MIDDLE-EASTBERNARD CONTROLS MIDDLE-EASTDUBAI - [email protected]. +971 4 880 0660

All

data

in t

his

bro

chu

re a

re g

iven

for

info

rmat

ion

on

ly a

nd

are

subj

ect

to c

han

ge w

ith

out

not

ice.

CAT

02

-06

_EN

G_G

RP

_rev

02

b

invest in confidence - bernard controls

Documents