A prior blog on the Kenexis web site related to the requirements for tight-shutoff (TSO) for valves that are part of a safety instrumented function generated a lot of interest in the engineering community. A link to that blog is shown below.
Tight Shutoff Requirements in SRS Blog
After writing that blog, Kenexis routinely received requests for instructions on how to best determine whether or not tight shutoff is required for a shutoff valve and to facilitate workshops for making this determination and documenting the results. As a result, we have decided to prepare this blog to explain the process and provide an example.
It is important to remember that in risk analysis absolute numbers are difficult to calculate, and are generally unnecessary. In this case, we specifically refer to the calculation of the exact and specific leak rate of a valve that will prevent a SIF from achieving a safe state with regards to the specific hazard that it is intended to protect against. What is important is not absolute numbers, but boundaries. One really only needs to know whether or not a leak rate beyond a certain value will prevent a SIF from failing to perform its safety action.
In the case of valves, we can use the leak classification table as a basis. The lowest defined leak tolerance is for Class II valves, which is 0.5% of rated flow. If it can be determined that if the shutoff valve closes, but a leakage of 0.5% (or 1% to be conservative) still persists, will that still be sufficient to prevent the hazard safeguarded by the SIF from occurring, then tight-shutoff of the valve is not required to achieve functional safety for the SIF.
Consider the following example. A high pressure pump in a hydrotreater increases charge pressure from 50 PSI to 1,000 PSI. There is a shutoff valve on the discharge of the pump that, upon detection of low flow from the pump, will close, preventing the high pressure reaction circuit from back-flowing into the low pressure feed system, causing over-pressure and rupture of the feed drum which is not rated for the high pressure, and not able to relieve the full backflow rate.
In order to determine tight-shutoff requirements, a workshop team should consider all of the LOPA scenarios of all of the SIF that employ that valve. For each scenario (i.e., each initiating event) assume that the SIF is required to activate, and does so successfully, but leaks 1% of the rated flow of the valve. In this case, is a safe state still achieved with respect to the hazard that the SIF is designed to prevent.
In the case of the hydrotreater anti-backflow valve, the valve is intended to prevent against backflow which will cause the feed surge drum to overpressure and rupture. The question that needs to be answered is, “Will a 1% of rated flow leakage rate still allow the drum to overpressure and rupture?” In this case, the answer is no. The feed surge drum is equipped with a relief valve, that if design in accordance to the recommendations in API 521 can relieve a 10% of rated flow backflow condition. As such, tight shutoff is not a functional safety requirement for the SIF.
In many cases, the determination as to whether or not the leak flow will prevent a safe state with respect to the protected hazard from being achieved can be adequately done via a workshop discussion with a multidisciplinary team. In some cases though, a process engineering calculation will need to be performed for calculation. At the end of this analysis the specification of allowable leak rate need not be a specific value, but a boundary, such as Leak Rate < 1% of rated valve flow, and the if a valve classification is required it can be specified as Class I or N/A.