
Interlock SIL calculations


keyvagirl

Chemical
Aug 24, 2010
US
We are a small to midrange chemical manufacturer. We are trying to perform SIL level verification on some interlocks associated with railcar unloading. The block valves have open and closed limit switches that alarm on command disagree (i.e., when the valve position on the limit switches disagrees with how the valve is commanded to go). A command disagree alarm requires immediate correction before the station can be used again.

We have multiple unloading stations. The valves used in the interlock are fully closed each time the railcar is switched out (at least 2-3 times per month) but we only do a full documented field verified and certified functional test 1/yr during a full plant turnaround. The historian captures each time the limit switches make open or closed and the alarm logs capture any alarms such as command disagree.

In SIL calculations how do we take credit for the increased reliability of the valves since they are much less likely to have an unrevealed failure than a valve without limit switches / command disagree alarms? Is it a form of partial stroke testing or do we account for it in a different factor?

We don’t want to have to fully document monthly trips since that will require a great deal more paperwork, and scheduling the testing is problematic since they are switched when they go empty, not on a planned schedule. Is the historian and alarm log sufficient documentation to prove we can take credit for the increased reliability?
 

It's not clear from your description of the rail car unloading, precisely what safety functions you are assessing the SIL values for.

Most engineers in the process industry work with SIFs and their SIL values for low demand functions that are rarely if ever required to activate. In those cases the presence of the limit switches could be used to demonstrate a shorter test interval (assuming the valves are operated frequently for non-SIF related reasons). This might enable the calculation to demonstrate that the SIL of the SIF in question achieves, say, a SIL2 rather than a SIL1 because of the frequent testing.

However, I suspect you are talking about a high-demand, frequently-operated system, since you mention interlocks. IEC 61511 requires these to be treated as continuous mode SIFs. In this case, whether you could regard the limit switches as diagnostic would depend on the coupling between the diagnostic and the hazard.

For example, if the hazard could occur by the valve failing to reach, say, fully closed, each and every time it operates, then the limit switch would not be a valid diagnostic test, because the valve failing to close is the cause of the hazard. The fact that the valve was proved to reach closed last time doesn't affect the new hazard exposure, because the valve could have failed since the last operation, and that is the hazard. This is unlike in low demand systems where the safety system valve failure can't cause the hazard, and simply acts to prevent it.

Sorry to be so vague, but without knowing more of your precise process scenarios it's hard to be specific.
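
Added example, not part of any poster's message: the low-demand case from the reply above, where frequent strokes confirmed by the limit switch shorten the effective test interval, worked through with the standard simplified 1oo1 equation PFDavg = λDU × TI / 2 split into a part the stroke reveals and a part left for the annual proof test. The failure rate, stroke interval and coverage are constructed values, and the result covers one valve only, not the sensor or logic solver.

```python
# Added example: simplified 1oo1 PFDavg for one shutoff valve in low-demand mode.
# Every numeric input below is constructed for illustration; none is from the thread.
HOURS_PER_YEAR = 8760.0

def pfd_avg(lambda_du, full_test_h, coverage=0.0, stroke_interval_h=None):
    """Average probability of failure on demand, simplified equation.

    lambda_du         dangerous undetected failure rate, per hour
    full_test_h       interval between full proof tests, hours
    coverage          fraction of lambda_du that a routine stroke confirmed by
                      the closed limit switch would reveal (0..1)
    stroke_interval_h longest gap between such strokes, hours
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    if coverage > 0.0 and not stroke_interval_h:
        raise ValueError("stroke_interval_h is required when coverage > 0")
    # Failures a stroke can reveal stay hidden for half a stroke interval on average.
    revealed = coverage * lambda_du * (stroke_interval_h or 0.0) / 2.0
    # The remainder stays hidden until the next full proof test.
    hidden = (1.0 - coverage) * lambda_du * full_test_h / 2.0
    return revealed + hidden

def sil_band(pfd):
    """Low-demand PFDavg band of IEC 61508/61511 (0 = does not reach SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

LAMBDA_DU = 3e-6      # constructed failure rate, per hour
STROKE_H = 15 * 24    # constructed: one confirmed closure every 15 days
COVERAGE = 0.7        # constructed: share of failures a full stroke reveals

def compare():
    """Return (PFDavg with annual test only, PFDavg with stroke credit)."""
    annual_only = pfd_avg(LAMBDA_DU, HOURS_PER_YEAR)
    with_strokes = pfd_avg(LAMBDA_DU, HOURS_PER_YEAR, COVERAGE, STROKE_H)
    return annual_only, with_strokes

if __name__ == "__main__":
    for label, pfd in zip(("annual proof test only", "with stroke credit"), compare()):
        print(f"{label}: PFDavg={pfd:.2e} -> band SIL {sil_band(pfd)}")
```

The coverage figure drives the result: with `coverage=0.0` the two cases are identical, so the credit is only as good as the evidence for which failure modes a confirmed closure actually reveals.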
 
Thanks for the response.
To give more detail. We have trip valves which close on the inlet and outlet of the railcar on detection of the chemical in the ambient air (indicating a leak), low pressure in the unloading hoses (indicating a leaking hose) or backflow in the nitrogen pad gas system (to prevent nitrogen system contamination). The valves are on/off tight shut-off ball valves. These are the same valves which also close when the railcar is empty (so nitrogen does not continue to flow through the lines causing operational issues downstream). The valves have closed limit switches with alarms on command disagree which means if the control system commands them to close and they don’t fully within a few seconds so that the close limit switch engages then an alarm rings. We have manual valves which are also closed before disconnection of the car but we take the automatic valves very seriously. Any station is removed from service and the valve repaired if a command disagree alarm sounds. Each station unloads multiple cars per month so there is an opportunity for the valves to fully stroke and the limit switch to engage frequently.
So that is the basis of my question. I have faith that these valves have more testing and are more reliable than normal shutoff valves that may not move for a year or more. How do I take credit for that reliability in our calculations per industry practice, and what is required per industry standard for documenting this?
Thanks
 
1) SIL 1 applications, where a control valve is used by the BPCS, a solenoid valve can be added in the control line to the valve actuator with the solenoid valve activated by the LSS. Otherwise, an independent on-off valve should be added, actuated by the LSS.
2) SIL 2 applications typically require separation between the BPCS and SIS (separate valves). SIL 2 applications requiring final element redundancy may use, in addition to the dedicated open/close valve, a throttling control valve used by the BPCS. The throttling valve must be actuated by the SIS via a solenoid valve installed in the control line to the valve actuator.
3) SIL 3 applications typically require diverse separation between the BPCS and SIS (separate and different valve type).
4) Motor Operated Valves (MOV) are typically not used in SIS applications. Providing a reliable source of power, the use of reversing motor starter and the overall motor operator complexity will generally eliminate the use of an MOV from consideration, even in SIL 1 applications. The MOV limit switches may be used as permissives or trip initiators in a safety interlock.
5) When BPCS throttling control valves are used in an SIS, a logical output from the SIS to the BPCS should place the related controller in manual and ramp the output to the valve to match the corresponding tripped position.
 