The IEC 61511 standard requires that the need for tight shutoff be specified in the safety requirements specifications.

Section 10.3 SIS safety requirements states,

10.3.1 These requirements shall be sufficient to design the SIS and include the following:

… A description of the SIS process output actions and the criteria for successful operation, for example, tight shut-off valves; …

While the standard makes it obvious that tight shutoff must be specified when it is needed, what is not so obvious is when tight shutoff is appropriate as a functional safety requirement.  In my opinion, that is virtually never.  In fact, I have heard many engineers state – and I agree – that if tight shutoff of a valve is truly a requirement of your SIF, then your SIF is hopelessly poorly designed and is a catastrophe waiting to happen.

Before getting into the details, let me explain what is generally meant by a tight shutoff valve.  When valves are designed and tested, they are engineered to achieve a certain seat leakage class.  The classes are defined, and the tests performed, in accordance with ANSI/FCI 70-2 (2006); the international equivalent is IEC 60534-4.  The leakage classes are defined in the following table.

[Table: Leakage Class Definitions (ANSI/FCI 70-2); not reproduced here]

[Table: Leakage Rates for Class VI; not reproduced here]

When specifying the leakage class of a valve, use of the term tight shutoff typically implies a requirement for leakage Class VI.  As is evident from the requirements for this class in the table above, Class VI is very hard to achieve even at the design stage of a plant, let alone to maintain throughout its entire lifecycle.  It is a wonder, then, that engineers blithely list tight shutoff as a functional safety requirement when it is so difficult to achieve, to test for consistently, and to maintain.

Well, the reality is that tight shutoff is often a process requirement but is rarely, if ever, a functional safety requirement.  To determine whether tight shutoff is a functional safety requirement, an engineer needs to ask the following question:

For a given safety function, when a demand is placed on it and the valve moves to the closed position but leaks through at the rate given in the table above (for illustration, a 2 inch Class VI valve is allowed to leak 3 bubbles per minute, or 0.45 mL per minute), will the consequence the SIF is protecting against still occur?  The answer to this question is almost universally no.  Yet very often a requirement for tight shutoff will still be listed in the SRS.  This is a bad practice that leads to confusion and to excessive maintenance and testing in the operational phase.

Some of the confusion lies in the fact that other standards and requirements establish the need for tight shutoff, but that need is not a functional requirement of the SIF and thus should not be documented as one.  The most common example is the fuel gas shutoff valves on fired equipment.  For the SIF in which high pressure causes the fuel gas valve (or valves) to close, tight shutoff is frequently specified as a functional safety requirement.  While tight shutoff should be specified, it is NOT a functional safety requirement: for the SIF under discussion, whether the shutoff is Class VI or Class III, the process moves to a safe state with respect to the hazard the SIF is intended to protect against.  The need for tight shutoff is independent of the action of the SIF.  It is stipulated in combustion safety standards such as NFPA 85 (boilers) and NFPA 86 (ovens and furnaces), and is based on the need to prevent slow leakage of gas into the firebox through closed shutoff valves while the fired device is out of service.  While this requirement is valid, it is not a functional safety requirement of the SIF and should not be treated as one.  Otherwise, tightness of shutoff would have to be established at every functional (proof) test of the SIF, and a valve that failed to shut off tightly would have to be counted as a failure on demand of the SIF.

While the valve specification should indeed include the requirement for tight shutoff, it should be clear that this is not a functional safety requirement; i.e., it does not need to be achieved for the SIF to bring the process to a safe state on demand.  I would recommend that the final elements section of the safety requirements specification provide two fields:

Target Leakage Rate ______________

Achieved Leakage Rate Required to Achieve Safe State: Yes__ No__

In this way the engineer can clearly define the required design attributes of the valve without overspecifying the testing requirements and the pass/fail criteria for functional testing.
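To show how the two fields change what a proof test records, here is an added example (my own illustration, not code from the original post or from any standard) that models an SRS final-element entry with the two recommended fields and evaluates a proof-test observation against it.  The tag numbers, the SIF descriptions and the 1.2 mL/min measurement are constructed for the example; the 0.45 mL/min figure is the 2 inch Class VI rate quoted above.  The point it demonstrates is that the same leakage reading is a valve maintenance finding when the "required to achieve safe state" field is No, and a failure on demand only when that field is Yes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FinalElementSpec:
    """SRS entry for one final element (hypothetical schema built around the
    two fields recommended above)."""
    tag: str
    sif: str
    target_leakage_class: str               # design attribute from the valve data sheet, e.g. "VI"
    target_leakage_ml_per_min: float        # allowable seat leakage for this size and class
    leakage_required_for_safe_state: bool   # the "Achieved Leakage Rate Required to Achieve Safe State" field


@dataclass(frozen=True)
class ProofTestObservation:
    """What the technician recorded during the SIF proof test."""
    closed_on_demand: bool                         # did the valve reach the closed position on trip?
    measured_leakage_ml_per_min: Optional[float]   # None if seat leakage was not measured


@dataclass(frozen=True)
class ProofTestVerdict:
    sif_passed: bool                        # the SIF achieved the safe state on demand
    failure_on_demand: bool                 # counts as a dangerous failure in PFD bookkeeping
    maintenance_findings: Tuple[str, ...]   # items for the valve work order


def evaluate_proof_test(spec: FinalElementSpec, obs: ProofTestObservation) -> ProofTestVerdict:
    """Apply the SRS fields to a proof-test observation.

    Failure to close is always a failure on demand.  Excess leakage is a
    failure on demand only when the SRS says leakage is needed for the safe
    state; otherwise it is recorded as a maintenance finding against the
    valve specification, not against the SIF."""
    findings = []
    failure_on_demand = not obs.closed_on_demand

    if obs.measured_leakage_ml_per_min is None:
        if spec.leakage_required_for_safe_state:
            # Leakage is a pass/fail criterion for this SIF, so an unmeasured
            # rate leaves the proof test incomplete rather than passed.
            raise ValueError(f"{spec.tag}: leakage not measured but required for safe state")
    elif obs.measured_leakage_ml_per_min > spec.target_leakage_ml_per_min:
        msg = (f"{spec.tag}: measured {obs.measured_leakage_ml_per_min:.2f} mL/min exceeds "
               f"Class {spec.target_leakage_class} target of "
               f"{spec.target_leakage_ml_per_min:.2f} mL/min")
        if spec.leakage_required_for_safe_state:
            failure_on_demand = True
            findings.append(msg + "; leak-through defeats the SIF, record as failure on demand")
        else:
            findings.append(msg + "; valve maintenance item, not a SIF failure on demand")

    return ProofTestVerdict(sif_passed=not failure_on_demand,
                            failure_on_demand=failure_on_demand,
                            maintenance_findings=tuple(findings))


def count_failures_on_demand(verdicts) -> int:
    """Number of verdicts that count against the SIF's demonstrated PFD."""
    return sum(1 for v in verdicts if v.failure_on_demand)


# Constructed sample SRS entries (hypothetical tags and SIF descriptions).
# Fuel gas shutoff valve: tight shutoff is a design attribute, not a SIF requirement.
FUEL_GAS_XV = FinalElementSpec(
    tag="XV-101", sif="high fuel gas pressure trip",
    target_leakage_class="VI", target_leakage_ml_per_min=0.45,
    leakage_required_for_safe_state=False)

# A hypothetical SIF whose hazard would still occur with Class VI leak-through.
# The text argues such a SIF is badly designed, but the schema must still record it.
SUSPECT_XV = FinalElementSpec(
    tag="XV-202", sif="hypothetical SIF defeated by seat leakage",
    target_leakage_class="VI", target_leakage_ml_per_min=0.45,
    leakage_required_for_safe_state=True)


if __name__ == "__main__":
    # Same constructed observation applied to both entries: closed on trip, leaking 1.2 mL/min.
    leaking = ProofTestObservation(closed_on_demand=True, measured_leakage_ml_per_min=1.2)
    for spec in (FUEL_GAS_XV, SUSPECT_XV):
        verdict = evaluate_proof_test(spec, leaking)
        print(f"{spec.tag}: SIF passed={verdict.sif_passed}, "
              f"failure on demand={verdict.failure_on_demand}")
        for finding in verdict.maintenance_findings:
            print("  ", finding)
```

Running the block shows XV-101 passing its proof test with one maintenance finding, while the same reading on XV-202 is a failure on demand.  Keeping the two outcomes in separate fields of the verdict is what lets the valve work order and the SIF's PFD record be maintained independently.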