This post was authored by Jim Cahill, chief blogger at Emerson Process Experts, and originally appeared on Jim Cahill's blog and is re-posted here with permission.
Update: I received great news from Riyaz that the ISA Kuwait section has agreed to let us upload and link to their newsletter containing Riyaz’s article: When is a Safety Integrity Level (SIL) Rating of a Valve Required?
I’d like to thank the ISA Kuwait staff and encourage readers in this region to join and participate. You’ll learn from their regular presentations by ISA Fellows and technology participants, monthly newsletters, conferences & exhibitions, and connections with other automation professionals.
Original post: Two questions were posed recently over at the ISA safety archives in a thread, Valve in SIL verification:
Q-1 Do we need to include valve in SIL verification or can we limit up to the solenoid operated valve considering valve as a mechanical device?
Q-2 To achieve SIL-2 we normally use 1oo2 configuration for final element. Here do we need to use 1oo2 configuration of Solenoid valve or it shall be 1oo2 configuration of the valve?
The feedback from the other listserv members, many of whom are prominent voices in the process safety community, was that the valve must be included in the SIL verification and that the 1oo2 configuration extends to the valve.
I checked with Emerson’s Riyaz Ali, whom you may recall from numerous process safety-related posts, on this discussion thread. Riyaz shared an ISA Kuwait section whitepaper, When is a Safety Integrity Level (SIL) Rating of a Valve Required? I’ll highlight a few points that Riyaz makes in the paper.
In the introduction, Riyaz notes that:
…to establish an SIL suitability rating for a Safety Instrumented Function (SIF) loop, a PFD value needs to be computed for components of loop (SIF loop consists of Sensor, Logic Solver, Final Element). To calculate PFD, an equipment failure rate number is required.
Riyaz enumerates 3 cases where control valves can be used as safety shutdown valves:
- Control valves which are used only as an on/off single final element
- Control valves which are used in a dual purpose context (both for control and safety)
- Control valves which are used in a dual purpose context in addition (redundancy) to an on/off valve
For the first case, the control valve would be the final control element in the SIF, and this SIF would need to have a safety integrity level (SIL) rating equal to or greater than 1.
For the second case, Riyaz cites IEC 61511 part 1 clause 11.2.10 which states that a device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that overall risk is acceptable. He notes how this may be interpreted:
- YES: If all possible failures of the control valve do not place a demand on any SIF then control valve may be used with no further analysis. In this case, Control Valve is “Final Element” of Safety Instrumented Function (SIF) Loop, needs to have SIL rating equal to or above 1.
- NO: If failure of the control valve will place a demand on a SIF then it may not be used as the only final element in that SIF.
- If failure of the control valve will not place a demand on SIF, for which it is intended but may place demand on any other associated SIF then the control valve may be used in a SIF only after detailed analysis. An additional step to further analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low.
The control valve in this case would again be the final element of a SIF requiring a SIL rating greater than 1.
In the third case, where the control valve provides additional hardware fault tolerance for higher SIL applications, the mean time to fail (MTTF) of the control valve can be used in calculating the probability of failure on demand (PFDavg). He shares the failure fraction components and equations for arriving at the PFDavg of the SIF. For this third case, Riyaz shares [links added]:
…mechanical equipment like valve bodies and actuators do not have any diagnostics capabilities. According to IEC 61508 part 2, table 2, with a hardware fault tolerance (HFT) of zero, they can only be used in SIL 1 applications. A digital valve controller mounted on a “Final Control Element” improves the diagnostic coverage factor, which in turn improves the SFF number, allowing the possible use of higher SIL rated applications (Per IEC 61508 part 2, table 3) by use of the Partial Stroke Test.
Riyaz sums up his thoughts: if the control valve is used as part of a SIF, then the total PFDavg of the loop must meet the intended SIL level. If the control valve is used for normal process control managed by the basic process control system (BPCS), then per IEC61511-3 part 1, section 3.2.3, the control valves do not have SIL suitability.
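An added illustration (not taken from Riyaz's paper or the original post) of why the verification has to extend to the valve and why redundancy on the solenoid alone is not enough. It uses the commonly used simplified low-demand PFDavg equations with a beta-factor common-cause term; the failure rates, proof-test interval, beta value and function names are constructed assumptions.

```python
# Added example. All numeric inputs are constructed sample values, not vendor data.
TI = 8760            # proof-test interval in hours (assumed: one year)
BETA = 0.10          # common-cause fraction for redundant legs (assumed)
SENSOR_DU = 2e-7     # dangerous undetected failure rates, per hour (assumed)
LOGIC_DU = 5e-8
SOLENOID_DU = 6e-7
VALVE_DU = 2e-6      # valve body plus actuator

def pfd_1oo1(lambda_du, ti):
    """Simplified PFDavg of a single device: lambda_DU * TI / 2."""
    return lambda_du * ti / 2

def pfd_1oo2(lambda_du, ti, beta):
    """Simplified 1oo2 PFDavg: independent term plus common-cause term."""
    independent = ((1 - beta) * lambda_du * ti) ** 2 / 3
    common_cause = beta * lambda_du * ti / 2
    return independent + common_cause

def sil_band(pfd_avg):
    """Low-demand SIL band for a PFDavg; 0 means SIL 1 is not met."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4

def loop_pfd(final_element_pfd):
    """SIF loop PFDavg = sensor + logic solver + final element subsystem."""
    return pfd_1oo1(SENSOR_DU, TI) + pfd_1oo1(LOGIC_DU, TI) + final_element_pfd

def scenarios():
    leg = SOLENOID_DU + VALVE_DU  # solenoid and valve in series within one leg
    final_elements = {
        "1oo1 solenoid, valve ignored": pfd_1oo1(SOLENOID_DU, TI),
        "1oo1 solenoid + valve": pfd_1oo1(leg, TI),
        "1oo2 solenoids, single valve":
            pfd_1oo2(SOLENOID_DU, TI, BETA) + pfd_1oo1(VALVE_DU, TI),
        "1oo2 complete solenoid + valve legs": pfd_1oo2(leg, TI, BETA),
    }
    return {name: (loop_pfd(p), sil_band(loop_pfd(p)))
            for name, p in final_elements.items()}

if __name__ == "__main__":
    for name, (pfd, sil) in scenarios().items():
        print(f"{name:38s} PFDavg={pfd:.2e}  SIL {sil}")
```

With these sample rates the loop only appears to reach SIL 2 when the valve is left out; once the valve is counted, SIL 2 is met only when the 1oo2 redundancy covers the complete solenoid-plus-valve legs.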
I also wanted to refer you to an earlier post, Field Device Sharing Between Control and Safety Systems, where we explored the case of sharing instruments between the BPCS and safety instrumented system (SIS).