Woodward
High Output DVP, 12KW TB Input/Output 8200-556
TB Input/Output, SIL Certified 8200-558
8.1 Product Variations Certified
The SIL3 rated Digital Valve Positioner (DVP) for fuel shutoff is designed and certified to the functional safety standards detailed in IEC 61508, Parts 1 through 7. Reference the product FMEDA: WOO 15-02 076 R001 V1R1. The FMEDA was performed by EXIDA.
The functional safety requirements in this manual apply to all DVP5000-S, DVP10000-S and DVP12000-S products. The -S suffix after the product name designates a SIL certified product. These SIL rated DVPs have a Dangerous Undetected (DU) failure rate of less than 28 FIT for the ESTOP (External Shutdown) function.
The DVP5000-S, DVP10000-S, and DVP12000-S are certified for use in applications up to SIL3 according to IEC 61508.
The DVP family is designed and verified to withstand the worst-case (or greater) expected environmental
conditions as listed in other sections of this manual.
8.2 Covered DVP Versions
All DVP5000-S, DVP10000-S and DVP12000-S variations are covered.
8.3 SFF (Safe Failure Fraction) for the DVP
The DVP is only one part of a shutoff system that supports an over-speed shutdown SIF (Safety
Instrumented Function). This system consists of a speed sensor, a processing unit, and a fuel shutoff
actuation sub-system of which the DVP is a component.
The SFF (Safe Failure Fraction) for each subsystem should be calculated. The SFF is the fraction of failures that lead to a safe state plus the fraction of failures that are detected by diagnostic measures and lead to a defined safety action. This is expressed by the following formula:

$$\text{SFF} = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{TOTAL}}$$

where $\lambda_{TOTAL} = \lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}$ (SD = safe detected, SU = safe undetected, DD = dangerous detected, DU = dangerous undetected).
The failure rates listed below apply to the DVP only and do not include failures due to wear-out of any component. They reflect random failures, including failures due to external events such as unexpected use. Reference the FMEDA WOO 17-12-085 R001 V1R1 for detailed information concerning the SFF and PFD.
According to IEC 61508, the architectural constraints of an element must be determined. This can be done by following Route 1H according to 7.4.4.2 of IEC 61508 or Route 2H according to 7.4.4.3 of IEC 61508. Route 1H should be used for the DVP.
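The SFF formula above, the Route 1H architectural constraint this section calls for, and the proof-test-interval reasoning of the later "Operation and Maintenance Practice" and "Proof Test" sections, worked through as an added example (not Woodward's code; the FIT values are constructed placeholders, not the DVP FMEDA figures, and the DVP is assumed to be a Type B element):

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Random failure rates in FIT (failures per 1e9 h), split as in IEC 61508."""
    sd: float  # safe, detected
    su: float  # safe, undetected
    dd: float  # dangerous, detected by on-line diagnostics
    du: float  # dangerous, undetected (only revealed by the proof test)

    @property
    def total(self) -> float:
        return self.sd + self.su + self.dd + self.du

    @property
    def sff(self) -> float:
        # SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_TOTAL
        return (self.sd + self.su + self.dd) / self.total


# IEC 61508-2 Route 1H, Type B elements: max SIL per (SFF lower bound, HFT 0/1/2).
# 0 means the combination is not allowed.
_ROUTE_1H_TYPE_B = [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)), (0.60, (1, 2, 3)), (0.0, (0, 1, 2))]


def route_1h_max_sil(sff: float, hft: int) -> int:
    """Highest SIL the Route 1H architectural constraint allows for a Type B element."""
    for lower_bound, sils in _ROUTE_1H_TYPE_B:
        if sff >= lower_bound:
            return sils[hft]
    raise ValueError("SFF must lie in [0, 1]")


def pfd_avg_1oo1(du_fit: float, proof_test_interval_h: float) -> float:
    """Simplified average PFD of a single-channel element: lambda_DU * TI / 2.
    Ignores repair time and common cause; adequate for a first-pass interval check."""
    return du_fit * 1e-9 * proof_test_interval_h / 2.0


def pfd_sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg bands; 0 means worse than the SIL 1 band."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    return 1 if pfd < 1e-1 else 0


if __name__ == "__main__":
    rates = FailureRates(sd=100.0, su=50.0, dd=2850.0, du=27.0)  # constructed values
    print(f"SFF = {rates.sff:.2%}, Route 1H max SIL at HFT 0: {route_1h_max_sil(rates.sff, 0)}")
    pfd = pfd_avg_1oo1(28.0, HOURS_PER_YEAR)  # manual's DU bound, annual proof test
    print(f"PFDavg = {pfd:.2e} -> SIL {pfd_sil_band(pfd)} band")
```

With the manual's bound of 28 FIT DU and the annual proof test it requires, the simplified PFDavg lands in the SIL 3 band; a longer interval raises PFDavg proportionally, which is how the system integrator uses these numbers to set the test interval.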
8.4 Response Time Data
The response time of the DVP for the described SIF is < 10 ms.
The DVP response time is defined as the time from removal of the ESTOP (External Shutdown) signal to the time that power is removed from the actuator. The time to close the actuator depends on the specific actuator and its return mechanism; that information can be found in the specific actuator/valve manual.
8.5 Limitations
[Table: Limitations by model (DVP5000, DVP10000, DVP12000)]
When proper installation, maintenance, proof testing, and environmental limitations are observed, the
useful life of the DVP is 90000 hours (10.25 years).
8.6 Management of Functional Safety
The DVP is intended for use according to the requirements of a safety lifecycle management process
such as IEC61508 or IEC61511. The safety performance numbers in this chapter can be used for the
evaluation of the overall safety lifecycle.
8.7 Restrictions
The user must complete a full functional check of the DVP after initial installation and after any
modification of the overall safety system. No modification shall be made to the DVP unless directed by
Woodward. This functional check should include as much of the safety system as possible, such as
sensors, transmitters, actuators, and trip blocks. The results of any functional check shall be recorded for
future review.
Operate the DVP within the published specifications in this manual.
8.8 Competence of Personnel
All personnel involved in the installation and maintenance of the DVP must have appropriate training.
Training and guidance materials are included in this DVP manual 26773.
These personnel shall report back to Woodward any failures detected during operation that may impact
functional safety.
8.9 Operation and Maintenance Practice
A periodic proof (functional) test of the DVP is required to verify that any dangerous faults not detected by
safety controller internal run-time diagnostics are detected. More information is in the “Proof Test” section
below. The frequency of the proof test is determined by the overall safety system design. The safety
numbers are given in the following sections to help the system integrator determine the appropriate test
interval.
No special tools are required for operation or maintenance of the DVP.
8.10 Installation and Site Acceptance Testing
Installation and use of the DVP must conform to the guidelines and restrictions included in this manual.
No other information is needed for installation, programming, or maintenance.
8.11 Functional Testing After Initial Installation
A functional test of the DVP is required prior to use in a safety system. This should be done as part of the
overall safety system installation check and should include all I/O interfaces to and from the DVP. For
guidance on the functional test, see the Proof Test procedure below.
8.12 Functional Testing After Changes
A functional test of the DVP is required after making any changes that affect the safety system. Although
there are functions in the DVP that are not directly safety related, it is recommended that a functional test be
performed after any change.
8.13 Proof Test (Functional Test)
The DVP must be periodically proof tested to ensure there are no dangerous faults present that are
undetected by on-line diagnostics. This proof test should be performed at least once per year. A
recommended proof test is described below.
Suggested Proof Test Procedure:
1. Connect the Service Tool.
2. Enable actuator output by enabling the External Shutdown Input (input signal is high) and placing the
unit into position control mode (either manual or remote from an external demand signal). The safety
function is enabled with this action.
3. Use the DVP Service Tool to monitor the Internal Bus Voltage. This should typically be within a few
volts of the DVP input voltage.
Note: The service tool accesses the two input voltages (Input Voltage 1 and Input Voltage 2) and the
Internal Bus Voltage. It is important to read the Internal Bus Voltage for this test. The Internal Bus
Voltage is interrupted as part of the safety function.
4. Open the External Shutdown input, allowing the actuator to move to a fail-safe state. Verify steps "a" and "b" below. This procedure verifies that the safety function is operational.
a. On the Status Overview Page, verify the Internal Bus Voltage is decreasing from the value in Input Voltage 1 and 2. It may take several minutes for the voltage to go below 20 V.
b. On the Fault Status/Configuration Page, verify that E-STOP 1 Tripped and E-STOP 2 Tripped are active: