Control valves used as trips?

safcon

Specifier/Regulator
Jan 12, 2004
10
A HAZOP I am currently participating in came upon the following situation: A fired furnace has three sets of burners. Two of the three sets are fed by a common header protected by a single double-block-and-bleed trip valve trio. These two burner sets have their own temperature or pressure control valves downstream of the trips. The third set of burners is on a separate fuel gas header. This line has an upstream block and bleed, which are dedicated trip valves. The downstream (burner side) trip valve, however, is also used as a fail-closed temperature control valve. The question arose as to whether such a "dual use" of the temperature valve is outlawed by FM or any other code. The team did not have resources conveniently available to research this question, and I wondered if any of you generous forum-goers might have an answer. Thanks in advance.
 
interesting...

while not an expert, but if i understand the situation, there is a single sensing element (thermocouple, rtd, etc.) controlling two different control elements (control valves on 2 separate fuel piping systems).

while not thoroughly familiar with FM, NEC, or NFPA codes/standards, i'd certainly consider the operation of the fired heater fuel systems from the standpoint of that if fuel system 1 shutdown, then fuel system 1 will shutdown as well. perhaps a logic diagram will be useful here.

i trust this is helpful!
-pmover
 
ISA-S84.01 section 7.4.3.1 specifically prohibits the use of a control valve from the basic process control system (BPCS) as the only final element for SIL 3. It goes on to say, "A safety review shall be required to use a single BPCS control valve as the only final element for SIL 1 and 2."
...It then refers to Annex B (which is not a requirement of the standard and is provided for information only): "…it is generally necessary to provide separation between the BPCS and SIS functions." The annex goes on to suggest some cautions with regard to using a single valve for both the BPCS and safety instrumented system (SIS) in safety integrity level (SIL) 1 and 2 applications.
...The ISA book Safety Shutdown Systems: Design, Analysis and Justification makes a very strong statement recommending that the safety systems should be completely independent of the control system.
...Although dual use of final elements may be allowed with the proper analysis. If you foresee an incident involving the use of a dual-purpose valve did occur, I personally would not want to explain to the OSHA inspector or a jury that my main concern was to save money.
 
To Shobi,

You are suggesting that the control valve is the only final element. However, Safcon wrote that the system consists of "an upstream block and bleed, which are dedicated trip valves. The downstream (burner side) trip valve, however, is also used as a fail-closed temperature control valve."

Therefore, this system is not prohibited by ISA S84.01. However, it is in general not acceptable to use a control valve as a final element if:
- valve needs to be tight-shutoff (TSO) to prevent the hazardous event (since a control valve can not be TSO)
- activation of the trip could be caused by failure of this control valve

For this application, valve needs to be TSO, since even a small leakage would result in build-up of flammable atmosphere inside the heater box that could result in an explosion. Furthermore, it is quite likely that at least some of the trips can be caused by failure of this control valve. For example, if the control valve gets stuck in the fully open position, this may result in activation of high outlet temperature trip, or flame may blow off. The trip would then try to close the control valve (by switching a solenoid in the IA supply line). However, since the control valve is stuck, it will still not close...

So my conclusion is that in this case it is not allowed to use the control valve as final element for the Safety Instrumented System. I can add to that that I have seen quite a number of heater safeguarding systems, and that they always used a double block & bleed that was independent from the control valve.




 
As an addition to my previous post, I would like to refer to IEC 61511 part 1, section 11.2.10. This reads:

A device used to perform part of a Safety Instrumented Function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function that causes a demand on the Safety Instrumented Function, unless an analysis has been carried out to confirm that the overall risk is acceptable.

Pffff... What a long sentence...
 
Hmm... I see the acronym SIL used so often these days.

The aforementioned ISA book Safety Shutdown Systems: Design, Analysis and Justification is an excellent resource as is the 3.5 day class. Personally I think that the ISA should require class attendance before they sell the book to anyone. I was lucky enough to have Paul Gruhn as my instructor. He co-authored the book and clarified a number of common misconceptions that arise from misinterpretation of the book.

I would be more concerned with the apparent fact that the path from the double block and bleed valves to the burner assemblies is not clear of obstruction(s) (our standard requirement) than with using, but not taking credit for in the SIL calc, a control valve as a shutdown device. Too many people get caught up in what they think that they are reading. Tell me, what is the harm in shutting the control valve in the system described by the author of this thread on a trip? There is no harm. You DO NOT rely on the control valve as the ONLY shutdown source but you most definitely DO NOT fail to make use of its ability to at least restrict the flow of fuel to the burner assemblies. To not do so would be negligent at best. However you cannot use the valve as a part of the SIS as has already been pointed out.

Next- Why is SIL even being brought up in this thread? Does anyone here know what the company that the author works for's criteria for each of the SIL classifications is? There is no defined criteria for each SIL level. The criteria is defined by the specific company for their specific needs. It is entirely possible that his application does not meet his company's criteria for even SIL 1 (admittedly this is a stretch since we are talking about a fired heater and there are NFPA standards to address this situation).


Last- This is just a pet peeve of mine but I find the NFPA requirements for fired heaters to be lacking. The standard does not address the process side in the least, i.e. tube rupture.

 
To Mike6158:

You wrote:

"Next- Why is SIL even being brought up in this thread? Does anyone here know what the company that the author works for's criteria for each of the SIL classifications is? There is no defined criteria for each SIL level. The criteria is defined by the specific company for their specific needs. It is entirely possible that his application does not meet his companies criteria for even SIL 1"

After re-reading all posts, I want to state that nobody suggested that a specific SIL level was required. Your suggestion that his application may not meet his company's criteria for even SIL1 is entirely true, however very unlikely. This is especially so since the other two burners are safeguarded by double-block-and-bleed trips that are presumably independent from the BPCS. In a forum like this you often have to make assumptions since the question itself does not give all required information.

It is indeed a good idea to close the control valve anyway. Usually this is done by a forcing signal, where the BPCS puts the control valve on MANUAL, with 0% output. This is done more for operational reasons (for smooth restart of the heater), than for safeguarding reasons. You can certainly not take this into account when doing the SIL verification.

It would be nice if safcon could clarify:
- whether a prescriptive standard (such as NFPA) was used to design the heater safeguarding or a performance standard (such as IEC 61508/61511 or ISA S84.01)?
- whether a SIL Assessment was done for these trips?
- what the results of this SIL assessment were?
- whether the control valve was taken into account when verifying whether the system meets criteria for the required SIL level (both probability of failure on demand and hardware fault tolerance requirements)?
- whether the control valve is closed by a solenoid valve connected to the SIS or by a forcing signal from the BPCS?



 
SAFCON It's Your Call
A control valve can be used in lieu of a separate safety shutdown valve for SIS applications. One technique is to install a solenoid in series with the valve positioner, downstream of the positioner output. The solenoid valve is operated by a SIS signal when a process incident occurs, and its output supersedes that of the positioner to drive the valve to the shutdown position. In many cases this operating setup eliminates the need for an additional safety valve, piping, and installation space.
...While a control valve can be used for control and as a safety shutdown valve for SIS applications, there are tradeoffs to consider. Upside:
* Using the control valve will eliminate the cost of an additional valve and associated piping.
* The DCS will check for the availability of the modulating valve and will record valve travel as a way to document operation. This is not the case with discrete on/off solenoid-operated valves.
* When the control valve is equipped with a digital valve controller (DVC), the DVC can record valve travel, actuator pressure, setpoint, and other parameters for valve diagnostic purposes.
* A control valve uses a better designed/matched actuator and instrument package than does the typical on/off valve, with the result being tighter control.
Then there's the downside:
* The SIL level of an SIF loop will dictate whether or not valve redundancy can be eliminated.
* If a process is critical and no chances are to be taken in averting an incident, then a redundant valve is a must. The second valve could be an on/off unit that is operated via solenoid, or it could be another control valve operated by an independent SIS signal.
* The existing control valve may not be capable of meeting stroking speed or closure time requirements.
* Control valves typically are not designed to meet fire-safe standards.
 