A safety instrumented function, also known as a safety loop, includes the logic solver, sensing device, and final control element. The final control element, often a valve, can be the source of much discussion, since it is what moves to take the safety action.
An earlier Emerson Process Experts post, Providing Operators Process Control Valve Position Feedback, stressed the importance of critical control valves having valve travel feedback from independent devices such as position transmitters, limit switches, or positioner output feedback.
A commenter wrote:
It’s unclear to me whether position feedback from a smart positioner is truly independent of the reference signal from the control system, as the positioner ostensibly uses that same information as a measurement in its own local position feedback loop (for which the reference signal is the setpoint). I’m guessing it’s not in most cases (and note that this trait is probably not unique to Emerson devices).
If you’re driving the valve to a certain position with the reference, and then using the position feedback to verify that the valve is actually at the position you drove it to, there is a potential common-cause failure in the position sensing and processing. For independence I’d think you would have to either use other means to drive the valve (e.g., a dump solenoid valve), or have position sensing distinct from that used by the positioner.
Over the last few years, it has become recognized that common cause failures can have a major negative impact on the safety and availability of redundant equipment… The whole value of redundancy may be ruined. This is clearly recognized by IEC 61508 and probabilistic analysis now requires a quantitative assessment of common cause.
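To show in numbers why the quantitative common-cause assessment matters for redundant valve-position feedback, here is an added example (not code from the post or from Emerson) applying the simplified beta-factor model of IEC 61508-6 to two redundant position-feedback channels. The failure rate, proof-test interval and beta values are constructed for illustration and are not any device's certified figures.

```python
# Added example: beta-factor common-cause model (IEC 61508-6 simplified equations)
# for a 1oo2 redundant position-feedback arrangement. All numeric inputs below are
# constructed for illustration, not certified data for any positioner or transmitter.
from dataclasses import dataclass


@dataclass
class Channel:
    lambda_du: float            # dangerous undetected failure rate, per hour
    proof_test_interval_h: float  # T1: hours between proof tests


def pfd_1oo1(ch: Channel) -> float:
    """Average PFD of one channel: lambda_DU * T1 / 2."""
    return ch.lambda_du * ch.proof_test_interval_h / 2


def pfd_1oo2(ch: Channel, beta: float) -> float:
    """Average PFD of two identical channels voted 1oo2 with common-cause fraction beta.

    Independent part: ((1 - beta) * lambda_DU)^2 * T1^2 / 3
    Common-cause part: beta * lambda_DU * T1 / 2  (behaves like a single channel)
    A positioner-derived feedback that shares sensing with the drive signal justifies
    a higher beta than a separately certified position transmitter.
    """
    lam, t1 = ch.lambda_du, ch.proof_test_interval_h
    independent = ((1 - beta) * lam) ** 2 * t1 ** 2 / 3
    common_cause = beta * lam * t1 / 2
    return independent + common_cause


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand PFDavg bands; 0 means below SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


if __name__ == "__main__":
    ch = Channel(lambda_du=2e-6, proof_test_interval_h=8760)  # constructed values
    print(f"1oo1: PFD={pfd_1oo1(ch):.2e} SIL{sil_band(pfd_1oo1(ch))}")
    for beta in (0.0, 0.1, 0.2):
        p = pfd_1oo2(ch, beta)
        print(f"1oo2 beta={beta:.1f}: PFD={p:.2e} SIL{sil_band(p)}")
```

With these inputs a beta of 0.2 pushes the redundant pair back into the same SIL band as a single channel, which is the "whole value of redundancy may be ruined" effect quoted above.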
As part of the design for products used in safety instrumented systems, extensive design and testing must be performed in accordance with the IEC 61508 global safety standard. Specifically for this smart positioner, Emerson’s Riyaz Ali responded in an email to me. He explained:
Common cause factor is a key concern when using a position transmitter within a safety valve positioner as is typically done.
In the case of a valve positioning transmitter designed for process safety applications, it is designed to isolate the positioning function. This design makes it completely independent of the positioner, should the input signal or power to the positioner fail, or should any issue related to the positioner cause it to cease functioning. The position transmitter continues to function to provide the valve’s position.
As part of the certification process for use in safety instrumented functions up to safety integrity level 2 (SIL 2), the position transmitter function is certified separately from the positioner.
Process manufacturers managing the safety lifecycle for their plants follow the IEC 61511 standard. They rely on suppliers to provide technologies, including safety shutdown valves, actuators, positioners, and position transmitters, suitable for application at the level of risk they are mitigating.