Can We Use Control Valves for Safety Shutdown?

April 1, 2003
Readers Help a Reader Solve This Control Problem

A Reader Writes:

We would like to avoid the cost of separate valves by using existing modulating valves for safety shutdown. Is this an acceptable practice under any circumstances? If so, where and how can it be done?

--From January 2003 CONTROL

Solutions

Just Don't Do It

There is not an acceptable practice under any circumstances. Each circumstance has to be reviewed based on the safety integrity level required. Please refer to ISA Standards and Technical Reports, ANSI/ISA-84.01, TR84.00.02 parts 1 to 5, TR84.00.03. Also refer to past articles published in CONTROL magazine such as "The Complete Safety System," December 2000.

...ISA S84.01 paragraph 7.4.3.1: "A control valve from the BPCS [basic process control system] shall not be used as the only final element for SIL-3. A safety review shall be required to use a single BPCS control valve as the only final element for SIL-1 and SIL-2. For additional information see B.1.6."

...Even if you meet the ISA S84.01 requirements, you need to validate that your complete design meets the particular Safety Function SIL requirement. This is dependent on the specific equipment failure data, the levels of redundancy used, and test frequencies. The validation calculation is done for all of the safety function components as a group. Individual component SIL ratings do not ensure system compliance.

Brian Smith, C.E.T., Senior Instrument/Electrical Designer
Nova Chemicals (Canada) Ltd., Sarnia, Ontario
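
The group calculation described in the answer above, as an added example that is not from the article or its contributors. It uses the common simplified low-demand PFDavg equations; every failure rate, the one-year test interval, and the common-cause factor are constructed values, not vendor data.

```python
# Added example: validate a safety function as a group, not component by component.
# All failure rates and intervals are constructed for illustration.
HOURS_PER_YEAR = 8760

def pfd_1oo1(lambda_du, test_interval_h):
    """PFDavg of a single element: dangerous undetected rate * TI / 2."""
    return lambda_du * test_interval_h / 2

def pfd_1oo2(lambda_du, test_interval_h, beta):
    """PFDavg of two redundant elements with common-cause fraction beta."""
    independent = ((1 - beta) * lambda_du * test_interval_h) ** 2 / 3
    common_cause = beta * lambda_du * test_interval_h / 2
    return independent + common_cause

def sil_band(pfd_avg):
    """Low-demand SIL band for a PFDavg (0 means SIL 1 is not met)."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4

def evaluate(loop):
    """Sum the PFDavg of every component in the loop and band the total."""
    total = sum(loop.values())
    return total, sil_band(total)

TI = HOURS_PER_YEAR  # assumed proof-test interval: one year

# Case 1: the BPCS control valve is the only final element.
SINGLE_VALVE = {
    "transmitter": pfd_1oo1(6e-7, TI),
    "logic solver": pfd_1oo1(1e-7, TI),
    "shared control valve": pfd_1oo1(2e-6, TI),
}

# Case 2: a second valve with the same assumed failure rate, 10% common cause.
REDUNDANT_VALVES = dict(SINGLE_VALVE)
del REDUNDANT_VALVES["shared control valve"]
REDUNDANT_VALVES["valve pair (1oo2)"] = pfd_1oo2(2e-6, TI, beta=0.1)

if __name__ == "__main__":
    for label, loop in (("single", SINGLE_VALVE), ("redundant", REDUNDANT_VALVES)):
        for name, pfd in loop.items():
            print(f"{label:9} {name:22} PFDavg={pfd:.2e} band=SIL {sil_band(pfd)}")
        total, sil = evaluate(loop)
        print(f"{label:9} {'whole function':22} PFDavg={total:.2e} band=SIL {sil}")
```

With these constructed numbers every component of the single-valve loop falls in the SIL 2 band or better on its own, yet the function as a whole only reaches SIL 1; adding the second valve brings the total back into the SIL 2 band.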

It Depends on the Danger

As long as single-component failure doesn't jeopardize the safety of the personnel, it is allowable to use the control valve as a safety shutdown system. This can be done multiple ways depending upon the process and safety requirement.

...In a chemical plant where plant safety (not toxicity) is concerned, it is achieved by installing one or two solenoid valves in the air signal line from positioner output to actuator. These valves could be operated from a safety system or one could be from the DCS and the other for safety shutdown.

...Generally, a control valve has Class IV leakage, and if the process involves toxic and flammable liquid, it is advisable to use a remote operated on-off valve downstream of the control valve to isolate the system totally.

...The control system engineer is in the best position to decide what level of safety is required and what chemicals are involved before making a decision. Keep in mind the cost of an additional control valve is nothing compared to the loss of life that may occur if the problem is not investigated thoroughly.

Imtiyaz Mohammed Arab, Senior Engineer, Control System
Bechtel National, Waste Treatment Plant, Richland, Wash.

S84 Sort of Says No

ISA-S84.01 section 7.4.3.1 specifically prohibits the use of a control valve from the basic process control system (BPCS) as the only final element for SIL 3. It goes on to say, "A safety review shall be required to use a single BPCS control valve as the only final element for SIL 1 and 2."

...It then refers to Annex B (which is not a requirement of the standard and is provided for information only): "It is generally necessary to provide separation between the BPCS and SIS functions." The annex goes on to suggest some cautions with regard to using a single valve for both the BPCS and safety instrumented system (SIS) in safety integrity level (SIL) 1 and 2 applications.

...The ISA book Safety Shutdown Systems: Design, Analysis and Justification makes a very strong statement recommending that the safety systems should be completely independent of the control system.

...Although dual use of final elements may be allowed with the proper analysis, if an incident at a plant involving the use of a dual-purpose valve did occur, I personally would not want to explain to the OSHA inspector or a jury that my main concern was to save money.

Fred Porth, SIS Product Marketing Manager
Metso Automation, www.metso.com

Pay Now or Pay Later

There are several reasons for using separate valves for safety shut down:

  1. NFPA requires it on industrial burners.
  2. Most valve actuators are not spring-loaded and will rest in place on power interruption.
  3. Actuators that are spring-loaded may take as long as 80 sec. to shut down on power interruption.
  4. Your insurance company may refuse to pay in case of an accident.

Nobody wants to accept extra expense in a control system. But in this case, safety is the prime factor.

Dennis Hablewitz, Product Specialist
Eurotherm/Barber-Colman, www.eurotherm.com

OK if Fail Open

Conventional control valves are generally not able to effect positive shutdown when required to completely shut off flow. The sealing components are usually worn or abraded from effluent impingement. On the other hand, if the valve is required to fail in the open position it is a relatively simple matter of providing external electrical, hydraulic, or air circuitry that would override the metering/modulating function.

...Plug, ball, gate, or butterfly valves can be used for closed shutdown with varying degrees of success. As a very broad statement, their effectiveness is a function of the abrasive or wearing qualities of the effluent controlled. Of course, the most effective safety valving is either full closed or open, protecting the sealing elements from being compromised by the effluent (except in the case of butterfly valves which have sealing surfaces fully exposed when partially or fully open). All parameters of the intended use must be examined in detail to provide a definitive assessment of the intended application.

Michael Karr, Executive Vice President, COO
Vulcan J.M. Intl., www.vulcanjm.com

Analog Valve Can't Do It

Two key safety principles come into play here: One, the safety system must be independent of the control system and, two, for process control the accepted safe state is the de-energized state. I suppose one could use an analog control valve for the first principle but don't see how it could be used for the second principle. I would say that a control valve cannot be used as a safety shutdown valve.

...Being in the intrinsic safety isolator business, I also must note that the leading companies in our business do not rate analog I.S. isolators for Safety Integrity Levels.

...I must add that the mechanism for the shutdown must allow for quick action when the power is shut off to the valve and I do not think that a control valve is designed for this response.

Mike McElroy, Business Development Manager
Pepperl+Fuchs, www.am.pepperl-fuchs.com

NC Solenoid Valves Suffice

Generally speaking, two-way and three-way normally closed solenoid valves with synthetic rubber seals are considered to be "safety shut-off" valves, and are usually listed with an agency like UL as such. This means that in the event of loss of electrical power to the coil, the valve fails in the closed position, which is most desirable. These solenoid valves can be used anywhere that it is required to shut off gases or liquids in the event of power loss.

Mark Emond, Technical Service Representative
Parker Fluid Control, www.parker.com

More Trouble Than It's Worth

Sure it can be done. The reason it hasn't may be due to one or more of the following:

  1. Pneumatic valve positioners are much more expensive than conventional solenoid-operated valves.
  2. Not too many safety PLCs on the market offer a certified 4-20 mA output (some do; for example the Quadlog system offers a TUV-certified 4-20 mA analog output module).
  3. Control valves often aren't designed for tight shutoff; they are typically designed for better control (hence the added cost).
  4. Typically, the vendors that manufacture and sell control valves and valve positioners have not sought the necessary failure rate data to meet the IEC 61508 standard.
  5. Due to their operational nature, control valves require more maintenance than shutoff valves and have a higher demand on compressed air.

...Most of today's safety shutoff valves are solenoid-operated shutoff valves. The solenoid valve sits on top of a valve actuator and responds to a discrete (on/off) signal from the safety system. The solenoid will either allow compressed air to drive the valve closed or release air while a spring closes the valve.

...An electrical/pneumatic (I/P) positioner works on top of a control valve actuator. The positioner receives a 4-20 mA signal from the safety system and allows the valve to go to any position between full open and full closed. Some of the possible benefits of using a control valve are:

  1. Using the positioner, users can partially close the valve to validate system performance. Today, users would have to shut down the process to test shutoff valves.
  2. The positioner's intelligence would allow users to obtain valuable diagnostics for preventive maintenance and safety records.
  3. Bus technology like Profibus, HART, or Foundation fieldbus are often available with today's positioners, adding additional advantages.

Charles Fialkowski, Product Manager, Safety Systems
Siemens Energy and Automation, www.sea.siemens.com

It's Your Call

A control valve can be used in lieu of a separate safety shutdown valve for SIS applications. One technique is to install a solenoid in series with the valve positioner, downstream of the positioner output. The solenoid valve is operated by a SIS signal when a process incident occurs, and its output supersedes that of the positioner to drive the valve to the shutdown position. In many cases this operating setup eliminates the need for an additional safety valve, piping, and installation space.

...While a control valve can be used for control and as a safety shutdown valve for SIS applications, there are tradeoffs to consider. Upside:

  • Using the control valve will eliminate the cost of an additional valve and associated piping.
  • The DCS will check for the availability of the modulating valve and will record valve travel as a way to document operation. This is not the case with discrete on/off solenoid-operated valves.
  • When the control valve is equipped with a digital valve controller (DVC), the DVC can record valve travel, actuator pressure, setpoint, and other parameters for valve diagnostic purposes.
  • A control valve uses a better designed/matched actuator and instrument package than does the typical on/off valve, with the result being tighter control.

Then there's the downside:

  • The SIL level of an SIF loop will dictate whether or not valve redundancy can be eliminated.
  • If a process is critical and no chances are to be taken in averting an incident, then a redundant valve is a must. The second valve could be an on/off unit that is operated via solenoid, or it could be another control valve operated by an independent SIS signal.
  • The existing control valve may not be capable of meeting stroking speed or closure time requirements.
  • Control valves typically are not designed to meet fire-safe standards.

Riyaz Ali, FieldVue Business Development Manager
Fisher Controls Intl., www.fisher.com

Help for Electric Actuators

Each application is different and one must first list what instances would initiate safety shutdown procedures. Then decide under each of these conditions how your valve will respond or be controlled.

...One of the main issues with electric actuators when power is lost is the actuator generally must be manually manipulated to place the valve in a fail-safe state. M-System's new PSN3 electric actuator will automatically go to the user's specified failsafe state. This is accomplished by the PSN3's internal backup NiCad battery, which provides power to move the valve to the user-specified failsafe state if the main actuator power should fail.

...The main benefit: Safety personnel are not required to go to each valve and manually place them in a failsafe state. This is a major time-saver and eliminates potential human error of placing valves into a non-failsafe state under fault conditions. Additionally, it is possible that this may remove the requirement for separate manual safety valves.

Gary Labadie, Sales/Marketing Manager
M-System, www.m-system.com

May's Problem

How Much Cooling Is Too Much?

We specify coolers for enclosures that end up in a wide range of ambient temperatures and humidities. My boss says we should simplify operations by using the same refrigeration unit, but this means in some cases the unit will have much more than the calculated minimum capacity. What problems could this cause? How could we avoid them?