A Reader Writes:
We would like to avoid the cost of separate valves by using existing modulating valves for safety shutdown. Is this an acceptable practice under any circumstances? If so, where and how can it be done?
--From January 2003 CONTROL
Just Don't Do It
There is not an acceptable practice under any circumstances. Each circumstance has to be reviewed based on the safety integrity level required. Please refer to ISA Standards and Technical Reports, ANSI/ISA-84.01, TR84.00.02 parts 1 to 5, TR84.00.03. Also refer to past articles published in CONTROL magazine such as "The Complete Safety System," December 2000.
...ISA S84.01 paragraph 126.96.36.199: "A control valve from the BPCS [basic process control system] shall not be used as the only final element for SIL-3. A safety review shall be required to use a single BPCS control valve as the only final element for SIL-1 and SIL-2. For additional information see B.1.6."
...Even if you meet the ISA S84.01 requirements, you need to validate that your complete design meets the particular Safety Function SIL requirement. This is dependent on the specific equipment failure data, the levels of redundancy used, and test frequencies. The validation calculation is done for all of the safety function components as a group. Individual component SIL ratings do not ensure system compliance.
Brian Smith, C.E.T., Senior Instrument/Electrical Designer
Nova Chemicals (Canada) Ltd., Sarnia, Ontario
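Added example (not part of the reader responses or of ISA S84.01): a simplified roll-up of the group validation calculation described in the response above, using the common low-demand approximations PFDavg = λDU·TI/2 for a single device and (λDU·TI)²/3 for a 1oo2 pair with no common-cause term. All failure rates, test intervals and names are constructed sample values, chosen so that each subsystem falls in the SIL 2 band or better while the complete function only reaches SIL 1.

```python
# Added illustration; every failure rate and test interval is a constructed sample value.
HOURS_PER_YEAR = 8760

def pfd_avg(lambda_du, test_interval_h, voting="1oo1"):
    """Simplified average probability of failure on demand for one subsystem.

    lambda_du: dangerous undetected failure rate, per hour.
    test_interval_h: proof-test interval, in hours.
    The 1oo2 form omits common-cause failures (a simplifying assumption).
    """
    x = lambda_du * test_interval_h
    if voting == "1oo1":
        return x / 2
    if voting == "1oo2":
        return x ** 2 / 3
    raise ValueError(f"unsupported voting: {voting}")

def sil_for(pfd):
    """Low-demand SIL band that a PFDavg falls into (0 = does not reach SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def loop_pfd(subsystems):
    """PFDavg of the whole function: sensor + logic solver + final element."""
    return sum(pfd_avg(lam, ti, v) for _, lam, ti, v in subsystems)

SENSOR = ("transmitter", 1.0e-6, HOURS_PER_YEAR, "1oo1")
LOGIC = ("logic solver", 1.0e-7, HOURS_PER_YEAR, "1oo1")
CASES = {  # final-element options: redundancy and test frequency both vary
    "single valve, yearly test": ("valve", 2.0e-6, HOURS_PER_YEAR, "1oo1"),
    "single valve, 6-month test": ("valve", 2.0e-6, HOURS_PER_YEAR // 2, "1oo1"),
    "two valves 1oo2, yearly test": ("valves", 2.0e-6, HOURS_PER_YEAR, "1oo2"),
}

def evaluate(case):
    """Return (per-subsystem SIL bands, loop PFDavg, loop SIL) for a named case."""
    subsystems = [SENSOR, LOGIC, CASES[case]]
    parts = [sil_for(pfd_avg(lam, ti, v)) for _, lam, ti, v in subsystems]
    total = loop_pfd(subsystems)
    return parts, total, sil_for(total)

if __name__ == "__main__":
    for name in CASES:
        parts, total, sil = evaluate(name)
        print(f"{name}: subsystem SILs {parts}, loop PFDavg {total:.2e}, loop SIL {sil}")
```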
It Depends on the Danger
As long as single-component failure doesn't jeopardize the safety of the personnel, it is allowable to use the control valve as a safety shutdown system. This can be done multiple ways depending upon the process and safety requirement.
...In a chemical plant where plant safety (not toxicity) is concerned, it is achieved by installing one or two solenoid valves in the air signal line from positioner output to actuator. These valves could be operated from a safety system or one could be from the DCS and the other for safety shutdown.
...Generally, a control valve has Class IV leakage, and if the process involves toxic and flammable liquid, it is advisable to use a remote operated on-off valve downstream of the control valve to isolate the system totally.
...The control system engineer is in the best position to decide what level of safety is required and what chemicals are involved before making a decision. Keep in mind the cost of an additional control valve is nothing compared to the loss of life that may occur if the problem is not investigated thoroughly.
Imtiyaz Mohammed Arab, Senior Engineer, Control System
Bechtel National, Waste Treatment Plant, Richland, Wash.
S84 Sort of Says No
ISA-S84.01 section 188.8.131.52 specifically prohibits the use of a control valve from the basic process control system (BPCS) as the only final element for SIL 3. It goes on to say, "A safety review shall be required to use a single BPCS control valve as the only final element for SIL 1 and 2."
...It then refers to Annex B (which is not a requirement of the standard and is provided for information only): "It is generally necessary to provide separation between the BPCS and SIS functions." The annex goes on to suggest some cautions with regard to using a single valve for both the BPCS and safety instrumented system (SIS) in safety integrity level (SIL) 1 and 2 applications.
...The ISA book Safety Shutdown Systems: Design, Analysis and Justification makes a very strong statement recommending that the safety systems should be completely independent of the control system.
...Although dual use of final elements may be allowed with the proper analysis, if an incident at a plant involving the use of a dual-purpose valve did occur, I personally would not want to explain to the OSHA inspector or a jury that my main concern was to save money.
Fred Porth, SIS Product Marketing Manager
Metso Automation, www.metso.com
Pay Now or Pay Later
There are several reasons for using separate valves for safety shutdown:
- NFPA requires it on industrial burners.
- Most valve actuators are not spring-loaded and will rest in place on power interruption.
- Actuators that are spring-loaded may take as long as 80 sec. to shut down on power interruption.
- Your insurance company may refuse to pay in case of an accident.
Nobody wants to accept extra expense in a control system. But in this case, safety is the prime factor.
Dennis Hablewitz, Product Specialist
OK if Fail Open
Conventional control valves are generally not able to effect positive shutdown when required to completely shut off flow. The sealing components are usually worn or abraded from effluent impingement. On the other hand, if the valve is required to fail in the open position it is a relatively simple matter of providing external electrical, hydraulic, or air circuitry that would override the metering/modulating function.