In Part 1, I covered the emerging trends in the valve assembly market, how these trends relate to IEC 61511 requirements, and the anatomy of final elements.
Now let’s discuss why we need to show requirements traceability down through the design of the safety instrumented function and then onto the specific devices in the final elements.
Requirements Traceability for SIL Verification
With a safety instrumented system, a safety instrumented function SRS will describe what the function needs to do. That can be broken down into what we need from the sensor, the logic solver, and the final element. In the final element, at a minimum we're typically going to see a valve, actuator, and solenoid.
The functional requirements include:
- What does this system need to do?
- What are the time requirements?
- What are the diagnostic requirements?
- What are the integrity requirements (for example, what SIL does it need to meet)?
These requirements need to be traceable down and applied, as appropriate, to the devices that go into the final element. They also need to be validated coming back out of that integration step, to show that they have been met.
For SIL verification, all components that are part of an assembly need to be included in the calculation. Some OEMs supply the coupling and bracketing with their device, and many don't. (From my experience, less than twenty percent of valves and actuators come with all the components that you need to assemble.)
The failure of those components, such as a coupling, needs to be identified and added into the SIL verification calculation as potential additional failures. You need a list of what is in that final element, such as feedback switches. (If the switches are just there for information, and you're not claiming diagnostics such as partial valve stroke testing, then you don't need to be as concerned about them.)
If you've done your SIL verification calculations taking credit for partial valve stroke testing, and you're counting on those feedback switches being there, then you need to know what it takes to mount them. Keep in mind that the switches themselves need to be included in the calculations. That's an important step.
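A worked PFDavg roll-up for the point above, added here as an example and not code from the original article. It uses the common simplified low-demand approximation PFDavg ≈ λDU × TI / 2 per component (summed for a 1oo1 series assembly), constructed failure rates that are not manufacturer data, an annual proof test, a monthly partial stroke test, and an assumed 60% PST coverage on the valve and actuator only. The names `Component`, `assembly_pfd` and `sil_from_pfd` are this example's own. It shows the coupling and bracket moving the assembly across a SIL band, and that claiming PST credit puts the feedback switch onto the component list.

```python
"""Simplified PFDavg roll-up for a 1oo1 final element assembly.

Added example, not from the original article. Failure rates are constructed
for illustration only. PST credit is modelled by splitting lambda_DU into a
share revealed by the partial stroke test (tested every PST interval) and the
remainder, which is only found at the proof test.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    name: str
    lambda_du: float           # dangerous undetected failure rate, per hour (constructed)
    pst_coverage: float = 0.0  # share of lambda_du that a partial stroke test reveals


def component_pfd(comp, proof_test_h, pst_interval_h=None):
    """PFDavg of one component, optionally taking partial-stroke-test credit."""
    if pst_interval_h is None or comp.pst_coverage == 0.0:
        return comp.lambda_du * proof_test_h / 2
    detected = comp.pst_coverage * comp.lambda_du * pst_interval_h / 2
    undetected = (1.0 - comp.pst_coverage) * comp.lambda_du * proof_test_h / 2
    return detected + undetected


def assembly_pfd(components, proof_test_h, pst_interval_h=None):
    """1oo1 series assembly: any dangerous component failure defeats the function."""
    return sum(component_pfd(c, proof_test_h, pst_interval_h) for c in components)


def sil_from_pfd(pfd):
    """SIL band from PFDavg alone (IEC 61508 low-demand table).

    A real verification must also satisfy architectural constraints and
    systematic capability; this function only checks the PFD target.
    """
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


# Constructed failure rates (per hour). PST coverage assumed on valve and actuator only.
VALVE = Component("valve", 1.2e-7, pst_coverage=0.6)
ACTUATOR = Component("actuator", 6.0e-8, pst_coverage=0.6)
SOLENOID = Component("solenoid", 4.0e-8)
COUPLING = Component("coupling", 3.0e-8)
BRACKET = Component("mounting bracket", 1.0e-8)
FEEDBACK_SWITCH = Component("feedback switch", 2.0e-8)

PROOF_TEST_H = HOURS_PER_YEAR         # annual proof test
PST_INTERVAL_H = HOURS_PER_YEAR / 12  # monthly partial stroke test


def main_devices_only():
    """What a calculation that forgets the coupling and bracket would report."""
    return assembly_pfd([VALVE, ACTUATOR, SOLENOID], PROOF_TEST_H)


def full_assembly_no_pst():
    """Same assembly with coupling and bracket included, no PST credit claimed."""
    return assembly_pfd([VALVE, ACTUATOR, SOLENOID, COUPLING, BRACKET], PROOF_TEST_H)


def full_assembly_with_pst():
    """PST credit claimed, so the feedback switch the diagnostic relies on is
    included too; its DU failures are conservatively assumed to be found only
    at the proof test."""
    return assembly_pfd(
        [VALVE, ACTUATOR, SOLENOID, COUPLING, BRACKET, FEEDBACK_SWITCH],
        PROOF_TEST_H,
        PST_INTERVAL_H,
    )


if __name__ == "__main__":
    scenarios = (
        ("main devices only", main_devices_only),
        ("full assembly, no PST", full_assembly_no_pst),
        ("full assembly, PST credited", full_assembly_with_pst),
    )
    for label, fn in scenarios:
        pfd = fn()
        print(f"{label:30s} PFDavg = {pfd:.3e}  -> SIL {sil_from_pfd(pfd)}")
```

With these constructed numbers the three main devices alone come out just inside the SIL 3 band; adding the coupling and bracket pushes the assembly into SIL 2, and only the PST credit (with the switch counted) brings it back. The simplified formula is deliberately conservative; a production verification would use the full IEC 61508 equations or a Markov tool with certified failure data, and would still have to check architectural constraints separately.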
In addition to including the parts, we need to make sure that they're designed properly. The first critical step would be sizing the actuator and the valve correctly. If the actuator is undersized, it's not going to have enough force to close the valve at maximum conditions. If the actuator is oversized, then the valve stem might snap.
Things like mounting brackets and couplings must be designed not just for strength, but also rigidity, so that they don't get misaligned over time.
The Need for the Same Rigor as Main Devices
Let’s say you are a control system integrator. You won’t know whether the mechanical design was done correctly.
Somebody needs to own that. If the valve manufacturer under-designed the valve stem and it isn’t going to work, we—collectively as professionals in functional safety—need to be sure that those components that are going into that assembly are properly designed.
There is a degree of rigor and traceability that is required in both the design of these components and their production and assembly. It's not that every bracket manufacturer must be 61508 certified, but there should be some traceability to show that this rigor was applied. You should use good design principles: have a specification; design to it; record the results; and have objective evidence that the design is valid and will work.
In Part 3, we will discuss what typical mechanical design documents look like and what we look for in those documents.