

January 1, 2011

Safety-Instrumented Systems: Control Valves As Final Elements

The scenarios presented here highlight the advantages and disadvantages of using a control valve in an SIS

Afton Coleman, Emerson Process Management

History is a constant reminder that accidents and catastrophic events can and do occur in process environments. As processes become more complex (for instance, allowing for greater operating temperatures and pressures to be used) and existing basic process control systems (BPCS) and safety systems age, risk reduction becomes more challenging. Regulations from the U.S. Occupational Safety and Health Admin. (OSHA; Washington, D.C.) and the Environmental Protection Agency (EPA) and international regulatory bodies have been put in place to help prevent and mitigate damage and injury.

Notable international standards addressing process safety include IEC 61511 and ISA 84.01. These standards cover the design and management requirements for a safety-instrumented system (SIS) from cradle to grave. An SIS contains one or more safety-instrumented functions (SIF), such as logic solvers, sensors and final control elements that act independently and separately from the basic process control system. These SIFs are selected for a given safety configuration to address site-specific hazards or events.

During system design, all constituents of the SIS must be addressed, especially the final control element, which consists of the valve and actuator, and any instrument and other accessories that can affect the valve’s movement. Data have shown that the final control element can be responsible for 50% or more of SIS failures. Any component of the final control element that can affect the safety function must be considered in the safety analysis. This includes the valve and actuator and other components (such as the positioner, solenoids and volume boosters) that can affect the valve’s ability to return to its safe state.

Since the final control element is often the weakest link of an SIS, the proper valve and actuator must be selected to improve reliability and availability and to minimize risk. In certain circumstances, the use of a control valve can provide the optimal solution to this problem. There is no specific industry requirement that defines which valve design can be used in an SIS, so control valves do not need to be limited to the realm of the BPCS. With careful consideration, a control valve can also be used as either a final control element or as a redundant element within an SIS. When designing an SIS, the use of a control valve can be considered in three potential configurations, each of which is discussed:

1. Single control valve used only for on-off safety

2. Single control valve used for both safety and control

3. Control valve used as a redundant final control element

Each configuration has its advantages and limitations, and, as with any SIS design, a thorough hazard analysis and complete knowledge of the process and its safety requirements are required to guide the selection of appropriate hardware.

Configuration 1: Control valve used only for on-off safety. In this scenario, shown in Figure 1, a single control valve acts as the safety valve. A digital valve controller (DVC) instructs the valve to travel to its safe state upon signal from the safety logic solver (SLS), depicted as a safety PLC. This device is also capable of performing partial stroke testing and performing valve diagnostics. In fact, some digital valve controllers available can monitor the health of the external solenoid valve. A solenoid valve (not pictured) could be used as a redundant element or in place of the digital valve controller; however, using a digital valve controller to perform the safety function has increased in prevalence due to its diagnostic capabilities and ability to log events and testing.

The control valve should be chosen for its suitability in the process media (considering capacity, shutoff, proper material selection and so on), and reliability. Reliability can be determined as a function of proven-in-use data (such as that compiled by the manufacturer, by a third party, or from documented user experience data), or failure-rate values (lambda), which are based on FMEDA studies, and are commonly available in third-party certificates or generically available. This failure rate information can be used to calculate the probability of failure upon demand (PFD), which can be correlated to a safety integrity level (SIL). The use of a control valve as a safety valve provides economic efficiencies, too, by increasing the number of common parts that are maintained in inventory, assuming that the SIS final control element is the same product as the one used in the BPCS.

Configuration 2: Single control valve shared for safety and control. This particular application of a final control element should be considered with great care. IEC 61511 sets strict guidelines and advises that the user should, whenever possible, keep the SIS independent and separate from the BPCS. Figure 2 shows the final control element with digital valve controller that is designed as part of a BPCS throttling control. The valve also has a solenoid that the safety logic solver commands to perform its safety function upon demand.

The advantage of this configuration is that the final control element is essentially self-testing. As the valve is expected to throttle to perform its BPCS function, the end user can be confident that the valve is able to move when commanded. Another advantage is the resulting cost savings that come from having only one valve perform both BPCS and SIS functions, as well as the benefit from having common parts with other BPCS valves in the facility.

FIGURE 1. This figure shows a control valve being used solely for on-off safety. The digital valve controller is connected only to the safety PLC, which is monitoring the process for dangerous conditions and will command the final control element to act in a safety demand.

FIGURE 2. In this configuration, a control valve is used in both the BPCS and SIS. The smart digital valve controller is connected to the BPCS (DCS throttling), which allows for typical non-safety use. Meanwhile, the safety PLC is actively monitoring conditions so in the case of a safety demand, it will command the solenoid valve to act and override the BPCS to take the valve to its safe state.

FIGURE 3. The primary emergency shutdown valve is pictured on the right, with the digital valve controller responding to signals from the safety PLC. The redundant final control element is shown on the left, which is pictured as dual use, with the digital valve controller positioning to the BPCS (DCS throttling), and the solenoid valve connected to the safety PLC.

However, the limitation associated with applying a control valve in this fashion is that the valve working for the BPCS cannot cause the safety event that the valve is expected to address in the SIS. In other words, the final control element cannot be the cause of the problem it is expected to mitigate — rather, it can only be used for a safety function that is completely independent of its purpose as a control valve with the BPCS. For this reason, this type of application is technically a less-viable option, and should only be utilized with a complete and thoroughly considered up-front analysis (including process suitability, HAZOP and safety-lifecycle analysis) that ensures that this potential conflict between BPCS and SIS will not exist.

Configuration 3: Control valve used as a redundant element. A control valve can also be used as a redundant element to an emergency shutdown valve. Figure 3 shows the control valve connected in a similar way to what is described in Configuration 2. The digital valve controller provides throttling control, and the solenoid valve waits for a signal from the safety logic solver to perform the final control element’s safety function.

Figure 3 also shows a second valve in series. Both valves will perform the safety function upon a safety demand; however, if one experiences an issue and cannot perform the safety function, having a redundant valve improves the likelihood that the process will be shut down safely. Two final control elements in a redundant configuration can also be solely used to perform the SIF and not be dual use (this is not pictured).

The scenario shown in Figure 3 will be a fail-closed valve. For a fail-open configuration, the redundant elements should be in parallel, both valves would be designed to be normally closed, and both final control elements would be connected to the safety logic solver ready to respond to a safety demand.

The advantage of using a control valve as a redundant safety element is that redundancy, when implemented correctly, improves diagnostic coverage and can improve the SIL rating. The primary drawback of this type of design is the cost of purchasing and maintaining multiple final control elements, as well as increased risk of spurious trips.
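The relationship between failure rate, PFD and SIL described under Configuration 1, and the redundancy trade-off described under Configuration 3, can be worked through numerically. The following is an added example, not part of the original article: it uses the widely used simplified low-demand approximations for the final-element portion of a SIF only, and every failure rate, the proof-test interval and the common-cause factor beta are constructed values.

```python
# Added example: simplified PFDavg for a single valve (1oo1) versus two
# redundant valves (1oo2), with the spurious-trip penalty of redundancy.
# Covers the final element only; sensor and logic-solver PFD are not included.

HOURS_PER_YEAR = 8760

# Low-demand SIL bands as (lower bound inclusive, upper bound exclusive, SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def pfd_1oo1(lambda_du, ti_hours):
    """Average PFD of one valve: dangerous-undetected rate x test interval / 2."""
    return lambda_du * ti_hours / 2


def pfd_1oo2(lambda_du, ti_hours, beta):
    """Average PFD of two valves where either one reaches the safe state.
    beta is the fraction of dangerous failures that hit both valves at once."""
    independent = ((1 - beta) * lambda_du * ti_hours) ** 2 / 3
    common_cause = beta * lambda_du * ti_hours / 2
    return independent + common_cause


def sil_for(pfd):
    """Map a PFDavg to its SIL band; 0 means the value is too high for SIL 1."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 4 if pfd < 1e-5 else 0


def spurious_trips_per_year(lambda_safe, n_valves):
    """Any one valve failing safe trips the process, so the rates add."""
    return n_valves * lambda_safe * HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed inputs: rates per hour, annual proof test, 10% common cause.
    lam_du, lam_s, ti, beta = 2.0e-6, 1.0e-6, HOURS_PER_YEAR, 0.10
    single = pfd_1oo1(lam_du, ti)
    dual = pfd_1oo2(lam_du, ti, beta)
    print(f"1oo1: PFDavg={single:.2e}  SIL {sil_for(single)}  "
          f"trips/yr={spurious_trips_per_year(lam_s, 1):.4f}")
    print(f"1oo2: PFDavg={dual:.2e}  SIL {sil_for(dual)}  "
          f"trips/yr={spurious_trips_per_year(lam_s, 2):.4f}")
```

With these inputs the common-cause term dominates the redundant pair's PFD, which is why the benefit of a second valve depends on how independent the two final elements really are.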

  Edited by Suzanne Shelley  



Afton Coleman, CFSP, is an applications engineer at Emerson Process Management, Fisher Div. (1704 Governor Rd. Marshalltown, IA 50158; Email:; Phone: 1-641-754-3439). She has experience working with valve applications in the chemical, petrochemical, pulp-and-paper, metals-and-mining, and nuclear industries. Coleman has been supporting safety-instrumented systems in her current role since 2006. She holds a B.S.Ch.E from the University of Iowa, and has been employed with Emerson Process Management since 2005. 

Comments (2) for Safety-Instrumented Systems: Control Valves As Final Elements
Excellent article. Should be expanded to include the advantages of xooy voting to increase reliability and also to prevent spurious trips
Posted by s ganeshan on Thursday, January 26, 2012 @ 08:24 AM
Interesting article, although quite misleading if applied to regulated industries. In general, control valves are less reliable than certified solenoid valves. Obtaining reliability data for control valves is difficult and there are not many certified options, if any. Using the same valve for both BPCS and SIS is not recommended and for good reason. In many jurisdictions it is even unlawful to use a combined valve as a safety valve. If kept separate, the BPCS can be counted on to give significant risk reduction but it should in general not be used as part of the SIS loop.
Posted by Håkon Dahl-Olsen on Monday, June 25, 2012 @ 09:42 PM
