A reader emailed some great questions to an earlier post, Clarifications on the Use of the DVC6000 SIS in Safety Applications. The post, featuring the thoughts of Emerson’s Riyaz Ali, addressed misconceptions about the use of digital valve controllers and solenoids in safety instrumented functions (SIFs).
I turned to Riyaz to help me address the questions. Since process safety has its own tribal language, I also wanted to descramble the acronyms and link to descriptions/definitions where possible.
Here’s the first question [hyperlinks added]:
In the 4-20mA DETT [de-energize to trip] configuration, the DVC6000 is a Type B element with a SFF [safe failure fraction] of just a hair under 90%. If we use 61508-2 Table 3 that gives me a maximum SIL [safety integrity level] claim of 1 for HFT [hardware fault tolerance] of 0. Am I incorrect?
Please note that you need to use the failure rate number for the SFF computation as shown in the attached certificate with the Partial Valve stroke Test (w/PVST), which will yield SFF results of roughly 97%, leading to SIL2 with HFT of 0 based on IEC 61508 part 2, Table 3 for Type B device.
The second question:
If I had the 0-20mA DETT configuration DVC6000, I could make a SIL 2 claim with HFT of 0 because it is a Type A element. Am I incorrect?
Yes, in fact you can go up to SIL3 with HFT of 0 but it is practically not possible. Please see attached email from industry expert Dr Bill Goble. I am in fully agreement with him and support technically his views, which I believe to be true from my safety instrumented system field experiences.
In his response, Riyaz refers to one of Dr. Goble’s responses on the ISA Safety email list. Dr. Goble wrote:
I would not say that there is a rule “mandating” 2 valves for SIL 3. The statement is true if one follows only the field instrument table in 61511.
But there is a note that allows the use of the 61508 table set. In that standard it is theoretically possible to use one valve for SIL 3 if the valve meets the SFF numbers.
Now, as a practical matter I cannot argue with Paul. In looking over our database of 8000+ SIF calculations I do not recall ever seeing a calculation for a SIL 3 SIF that did not require 2 valves. So I like to put it like this – as a practical matter, 2 valves are required to meet SIL 3. This happens when realistic valves are used for proof test intervals and proof test effectiveness.
The third question:
In the following schematic where 04 is a DVC6000 4-20mA DETT and 02 and ASCO 327B0 solenoid valves, it seems to me that I have HFT of 1 and should be able to make a claim of SIL 2, but no higher. Am I incorrect?
It is true that the DVC and SOV [solenoid valve] pneumatically in series provides a hardware fault tolerance of 1. But this is not right as per the IEC standard. To claim HFT of 1, you need to have one complete independent valve.
The final question:
Is it not possible to configure the solenoid valves in a 1oo2 [one out of two] instead of a 2oo2 [two out of two]?
Certainly it is possible to configure and SOV in a 2oo2 voting arrangement. It is entirely a process manufacturer’s choice. See these typical schematics. This is just for example purposes. It may change depending upon specific application and needs.
I hope these answers help if you have similar questions and the acronym unscrambling and links help if you’re new to the vernacular of process safety.