16 requirements for safety integrity, 1 fail safe state, 2 safety function – Flowserve 500+ Series Logix User Manual

User Instructions - Logix® 500+ Series Digital Positioners FCD LGENIM0105-10 11/13

flowserve.com

43

16 REQUIREMENTS FOR SAFETY

INTEGRITY

This section provides information and additional user
responsibilities in order to meet up to Safety Integrity Level 3
(SIL 3) per IEC 61508.

The safety function of the positioner is to go to the fail-safe
state (vent air from the actuator) given a low power condition
to the 4 to 20 mA input terminal.

16.1 Fail Safe State

The fail safe state for a positioner with a three-way (Single-
Acting), Poppet Style Relay is when the relay valve is at less
than 5% of full stroke such that output port B (Y1) is venting.

The fail safe state for a positioner with a three-way (Single-
Acting), Spool Style Relay is when the relay valve is at less
than 5% of full stroke such that output port A (Labeled Y1) is
venting.

The fail safe state for a positioner with a four-way (Double-
Acting), Spool Style Relay is when the relay valve is at less
than 5% of full stroke such that output port A (labeled Y1) is
venting and port A (labeled Y2) is open to supply pressure.

NOTE: The fail safe states above represent the fail safe state
of the positioner. The valve fail safe state may be different
depending on spring configuration and tubing. Ensure the
valve fail-safe state is appropriate for your application.

16.2 Safety Function

The Logix 520MD+ positioner moves to fail-safe state upon
the removal of analog input power (less than 3.6 mA)

16.3 Fail Safe State Response Time

Test to find the final valve assembly response time to ensure
it meets application-specific requirements. Response times
will vary widely with actuator size, the use of boosters, stroke
length, starting position, fail-safe direction, tubing size, supply
pressure, and temperature. The air flow capacity also affects
the response time. See section 2.3 Pneumatic Output for air
flow capacity.

A typical* response time for the spool relay to move to a fail-
safe state due to a sudden command change was found to
be 0.06 seconds. (The response time was 0.50 s at -40C
and .35 s at 85C.)

The time for the valve to move to from 50% to 0% under the
same conditions was found to be 0.22 s. Friction in this case
was 49.5 lbs (220 N).

*Tests were with a 25 inch double acting Mark 1 actuator, 0.75 inch (19 mm)
stroke, ambient temperature 74°F (23.3 °C), 60 PSI (4.1 bar) supply, quarter
inch tubing, starting at 50% open, moving to fully closed. Friction was
calculated with a bi-directional ramp test at a rate of 10 seconds/100%.

A typical** response time for the poppet relay to move to a
fail-safe state due to a sudden command change was found
to be 0.10 s at 22 C, 0.23 s at -40 C and .13 s at 85 C.

**Tests were with 60 PSI (4.1 bar) supply pressure.

NOTE: During the stroke calibration (Quick-Cal), valve stroke
times are measured and recorded in the positioner. To view
them, see tuning parameters on the positioner menu or in the
DTM.

16.4 Positioner Model Selection and

Specification

Any Logix 520MD+ positioner can be used for up to SIL 3
applications as stated above.

16.5 Installation

Ensure installation of the positioner is properly performed
according to this manual. Ensure tubing is configured to the
actuator so that the fail-safe state of the positioner matches
the desired fail-safe state of the valve.

16.6 Required Configuration Settings

The following user settable options must be properly
configured for the individual application in order to provide
the designed safety integrity for that application.
•

Calibrate the analog input (command). The fail safe state
of the valve must correspond to the analog input
command at less than 3.6 mA.

•

It is recommended to lock the local interface to prevent
unintended adjustments of the settings by an
unauthorized user.

16.7 Maximum Achievable SIL

The Flowserve 520MD+ Valve Positioner covered by this
safety manual is suitable for use in low demand mode of
operation Safety Integrity Functions (SIF) up to SIL 2 in
simplex (1oo1) and SIL 3 in redundant (1oo2) configurations.
The achieved SIL for a particular SIF needs to be verified by
PFD

AVG

calculation for the entire SIF including the failure

rates of the associated sensors and valves that are also part
of the SIF.

For details, contact your Flowserve representative for Failure
Mode, Effects, and Diagnostics Analysis (FMEDA) report
number 520+ is FLO 11-02-062 R001 for Logix 520MD+.

16.8 Reliability data

For reliability data, a detailed Failure Mode, Effects, and
Diagnostics Analysis (FMEDA) report has been prepared and
is available from Flowserve with all failure rates and failure
modes for use in SIL verification. See FMEDA report number
FLO 11-02-062 R001 for Logix 520MD+.

NOTE: The failure rates of the associated sensors, logic
solver, valves and actuators need to be accounted for in the
Safety Instrumented Function (SIF) level PFD

AVG

calculation.

16.9 Lifetime limits

The expected lifetime of the Flowserve 520MD+ Positioner is
approximately 10 years. The reliability data listed the FMEDA
report is only valid for this period. The failure rates of the
Flowserve 520MD+ Valve Positioner may increase sometime
after this period. Reliability calculations based on the data
listed in the FMEDA report for lifetimes beyond 10 years may
yield results that are too optimistic, i.e. the calculated Safety
Integrity Level may not be achieved.

16.10 Proof Testing

The objective of proof testing when used in low demand
mode of operation is to detect failures within the Flowserve
520MD+ Valve Positioner and its associated sensors and
actuators that may not be detected by the normal self-
diagnostics. Of main concern are undetected failures that
prevent the safety instrumented function from performing its
intended function.

The frequency of the proof tests (or the proof test interval) is
to be determined in the reliability calculations for the safety
instrumented functions for which the Flowserve 520MD+
Valve Positioner is applied. The actual proof tests must be
performed at least as frequently as specified in the
calculation in order to maintain required safety integrity of the
safety instrumented function.