Hi @Tom Atkinson In my experience for similar scenarios we have always kept separate with one valve for safety and one valve for control. This mainly relates to independence requirements, for example, the LOPA takes credit for the BPCS closing the control valve, so the safety valve requires to be independent from this. Providing independence ok and no double credits being taken the standard does permit a single valve to be shared across safety and the BPCS, but not if failure of that component could place a demand upon the SIF. For example, an overfill valve being shared across both would not be allowed as failure of that shared valve could lead to an overfill scenario and place a demand upon the SIF. Separate to that if this is not the case then consideration would be for the types of valves in question. I have often come across scenarios where the modulating control valve is a globe valve and wouldn’t provide tight shut off (if this was required) that the ball valve would provide, so for this reason a separate valve was required. In relation to your other considerations such as control system related issues then providing no conflicts with any of the detail listed above (independence requirements, shut off type, etc) and the valve can be shared then this can be minimised by having the BPCS control signals to the valve positioner and the safety signal to the solenoid valve, so regardless of the BPCS command, the air to the valve would be shutoff and vented by the safety solenoid valve upon activation. I don’t believe CCF would apply even if two valves in this case as one would be for the BPCS and one safety, so either way with only one safety valve couldn’t be applied.

@Harvey Dearden Thanks for this input and sharing the book you have published on FS. Will look into getting this.

@Tom Atkinson Thanks for the input Tom. Yes each vessel has a routing valve for level control as part of the BPCS (controlled from an LT). The overfill valve is independent from the BPCS and operated by the safety system if a vessel high level switch activates. Each tank has its own high level so 1oo1, but all shut the same overfill valve on the common supply line (upstream of the branch off to each vessel). That’s an interesting one you have mentioned. I think the key thing there, and my understanding as to how you have set it up now is the input side is only a 1oo1, and not a 1oo20 say, as whilst the same valves shut, each tank only has one level switch, so regardless of the other tank switches if that specific tank level rises only one level switch can respond to protect against an overfill scenario. I would also need to know more details on the scenario but just when you mentioned a separate valve for this purpose - I think that’s a key point in the LOPA. I have reviewed sites where they had one inlet valve that was shared between the BPCS and the safety system. They did have a separate safety relay to deenergise but ultimately the same valve and when referencing their LOPA credit had been taken for a BPCS high level trip. In this case not suitable and a modification to correct as not independent.

@Iyan Putra Hi Iyan. I would just echo others comments here already in regard to the setting of the mission time and proof tests to ensure they are realistic to what the Asset will actually adhere to. It’s also got to make sense in terms of not just stating components will be replaced or overhauled to a new condition to improve the calculation. I noted above that a LOPA has been carried out and although no SIL requirement they still want to have safety rated trips. It’s very difficult to do this without really having a target as there are so many other factors that can be taken into account in addition to the mission time. Increasing proof tests and mission time can help with the calculation but it’s also more cost and effort involved when it may not actually be required. The system can then also be more costly to implement in terms of equipment and architecture selected in the design. Just thought I’d mention this when you noted the logic solver was SIL 3 capable as I have come across clients before that think buying SIL rated components make the given system SIL rated.

I agree @Richard Kelly and have also come across this before when looking at PTC values used in calculations, particularly on the final element with valves. Quite often the proof test will check the actuator and valve physically move, but the proof test is carried out during a shutdown, so there would be no indication if the valve wasn’t sealing. Unless there was a flow and differential pressure across the valve being measured or an inline flow transmitter, then if carried out offline the proof test would never capture this. There is guidance for realistic values to use but have again come across some optimistic values edging towards 100%. Testing elements offline can also be very different to when the process is in operation at higher pressures and higher/lower temperatures.

Both