Valve failure: Not an option
Plenty of ways to partial stroke test valves, but one way will really add to bottom line
By Dr. Lawrence Beckman
In process facilities, there are valves, some for control of the process, others for process safety as part of the safety instrumented system (SIS). Some non-safety process valves are critical as well, because failure could result in a shutdown of the process, a spurious trip.
There is no option, safety-related or critical valves must stay in operation. From a production prospective, the operation of these valves is a major concern addressing operational availability and safety availability. You have to consider both to achieve optimal production and process safety performance.
Given valves lack internal diagnostics, a user needs to utilize functional diagnostics to perform diagnostic testing of the valve while it is in operation. One method to perform this functional testing on-line is Partial Stroke Testing (PST), which is suitable for use on safety (ESD) valves, as well as other critical valves.
PST—supplemental testing offers a method of testing the SIS valve by moving it, typically 15-25%, and back to the original position in a short period of time. The purpose of the test is to confirm the valve’s ability to move (not stuck in place) and its suitability for continued SIS service.
Only a portion of the valve’s dangerous failure modes can undergo testing during the partial stroke test; you can only test the remainder via full stroke testing and seating during the Proof Test. However, it is not necessary to close the valve completely to initiate a safe shutdown of the process.
The coverage factor of the PST is between 60% to 80% of the possible dangerous failure modes, based on an Failure Modes Effects and Diagnostics Analysis (FMEDA) for the type of valve under consideration. Comprehending this coverage factor in the reliability analysis will reveal the safety performance of the valve improved, and its Risk Reduction Factor increased.
Safety Instrumented Function
As part of an SIS, a typical Safety Instrumented Function (SIF) consists of the following: Sensors, Logic Solver, and Final Elements. The Final Elements are the valves with attached devices, and they typically contribute about 50% of the total probability of failure upon demand (PFD)avg of the SIF. You can determine a SIF’s performance to a target Safety Integrity Level (SIL) from its total PFDavg. As such, improving the PFDavg of the final element (valve and its operator) is the area of greatest opportunity for significant reduction of PFDavg; thereby increasing the SIL of the safety function or extending its Proof Test Interval.
Goals of partial stroke testing
In order to implement PST successfully, you should establish the following goals:
Cost effective installation
Simple to calibrate, operate, and test
Safe, on-line repair
Minimum impact on the existing SIF
Does not decrease the availability of the SIF. No spurious trips
Does not degrade the SIL rating of the SIF to which it is attached
Does not violate the Process Safety Time Constraints of the ESD valve
It is important to note if the installation of a PST device alters the dynamics of the valve (i.e., slower closing rate), the valve may no longer be suitable for use in the SIF, as it can no longer respond in the time (process safety time) required. If this is indeed the case, alternative plans must come into play to meet the process safety time constraint, and you will have to include them in the computation of the PFDavg for the valve and its associated SIF.
Partial stroke testing
Benefits of PST
Given that PST of the valve and it attached devices have been implemented successfully, you should be able to achieve the following benefits:
Increase the SIL (lower PFDavg) of the valve, keeping the Proof Test Interval constant
Lengthen the Proof Test Interval of the valve, keeping the SIL constant
Combination of the above
Eliminates the need for a second ESD valve in some cases
However, it is imperative that performing a PST of a critical or safety (ESD) valve does not cause a spurious trip of the process, due to a failure in the device performing the PST. Most spurious trips occur from solenoid valve (SOV) failures, and not by failures related to the valve itself. As such, the PST device should have internal diagnostics, be fully fault tolerant, and fail safe. Ideally, it should be capable of repair online without by-passing or disabling its safety function. In addition, it should prohibit over-stroking of the valve (because of a sluggish response), which could also initiate a spurious trip of the process due to excessive valve closure.
Methods of implementation
Typical devices used for implementing PST are as follows:
I) Use the ESD system to perform the test
II) Use a positioner-based device
III) Use a 2oo2 or 2oo3 redundant device
IV) Use a 2oo4D redundant device
As with most things, there are better choices for different situations.
I) While an ESD-based PST seems like an obvious solution, it has considerable deficiencies as follows:
a) It is expensive due to the cost of additional ESD I/O and field wiring.
b) It utilizes the same field devices, and as such provides no reduction in the dangerous or spurious failure rate of the SOV.
c) Minimal improvement in the PFDavg of the SIF.
d) No local testing capability.
e) No improvement in the operational availability of the SIF resulting from spurious trips due to SOV failure.
f) No online replacement of failed SOV.
g) Constrained by Management of Change (MOC) restrictions for the Logic Solver (PES).
II) Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.
In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny spec of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.
III) Using either 2oo2 or 2oo3 redundant devices also has some issues:
a) These devices do not undergo testing prior to conducting the PST, and could fail during the PST thus tripping the process.
b) To perform online repair, both devices require by-passing (completely disabling) the safety function.
c) The 2oo2 device is only fault tolerant in the air supply mode. To vent the ESD valve diaphragm, both SOVs have to operate properly (close). If either SOV is stuck open and fails to close, the valve diaphragm does not vent, the ESD valve does not close; and we experience a dangerous failure of the SIF due solely to a fault in the 2oo2 device.
d) The safety certification and SIL rating for the 2oo2 device mandates that it operate only as a 1oo1 device with hot backup. As such, only one of the SOVs is active. Frequent switching between SOVs must occur in order to maintain the SIL rating, and these transitions could be a source of spurious trips.
e) The 2oo3 device contains numerous check valves, which can stick because of dirt or water in the air supply. As such, this can itself be a source of dangerous failures and spurious trips.
IV) The ideal PST configuration is the 2oo4D architecture used in this device. This architecture provides two parallel paths, each path having two SOVs in series. It has the following operational advantages:
a) It is fail safe and fully fault tolerant (both air supply and exhaust). No single failure will prevent the correct operation of this device.
b) The device can completely test out prior to performing the PST. If there is a fault detected by internal diagnostics, the PST cancels out, and the fault gets hit with an alarm.
c) The device certification goes to SIL3 by TÜV Rheinland and provides immunity to spurious trips due to failures in the PST device.
d) You can repair the device online without disabling or by-passing the associated safety function.
e) Eliminates dangerous and spurious failures associated with the SOVs.
f) Immediate detection of SOV failures resulting from an uncommanded change of state.
g) The Cv of the device is large, and it is suitable for use on larger valves without external venting devices.
h) Local testing, diagnostic, and alarm capability.
i) You are able to prevent over stroking of the safety valve due to sluggish response.
j) The device automatically calibrates to the valve under actual process operating conditions.
k) The device is simple to install, operate, and maintain.
l) The device does not affect the MOC requirements for the PES.
In the design of the SIS, a quantitative determination occurs to see if the design meets the SIL required by the Safety Requirements Specification. For the single valve, the equation given in ISA-TR84.00.02-2002 – Part 2 for the average probability of failure on demand (PFDavg) is as follows:
where PFDavg is the average probability of failure on demand, λD is the failure-dangerous rate of the valve, and TI is the proof test interval.
There is an inherent assumption in this that the test at TI has a diagnostic coverage of 100%. This may not always be the case, as many times a valve tested during a shutdown or turnaround does not undergo testing at operating conditions, the leak tightness may not be tested, the valve may not be fully inspected, and a human who is subject to error does the test. So what some people call a full stroke test may in fact be a form of partial testing.
Now if we consider that we can stroke the valve a short distance that will test a portion of the possible failure modes, and we are doing this at a test interval different than the full stroke test interval, then we can expand Equation 1 to account for this as follows:
where PFDavg is the average probability of failure upon demand; DFPST is the Diagnostic Coverage Factor of the partial stroke valve test; λD is the dangerous failure rate of the valve and SOV; TIPST is the partial stroke test interval; TIPT is the proof (full stroke) test interval; and the full stroke valve test diagnostic coverage is considered to be 100%.
Note: Mean Time To Repair (MTTR) was negligible when compared to the PST interval.
Improved PFDavg and SIL
Base Case – No “PST” (0% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid (PT Interval = 1 year)
PFDavg = 2.25 x 10-2 (SIL = 1.65)
Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid (PT Interval = 1 year)
PFDavg = 7.36 x 10-3 (SIL = 2.13) PFDavg Reduction of 67%
Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 2oo4D Solenoids (PT Interval = 1 year)
PFDavg = 3.31 x 10-3 (SIL = 2.50)
… PFDavg Reduction of 85%
* Solenoid MTBFdu = 50 years * PST Interval = 2 weeks
* Ball Valve MTBFdu = 40 years * PT Interval = 1 year
* PST Coverage Factor = 70%
Extended proof (full stroke) test interval
Base Case – No “PST” (0% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid
PFDavg = 2.25 x 10-2 (SIL = 1.65) PT Interval = 1 year
Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid
PFDavg = 2.25 x 10-2 (SIL = 1.65) PT Interval = 3.24 years
Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 2oo4D Solenoids (No Dangerous SOV Failures)
PFDavg = 2.25 x 10-2 (SIL = 1.65)
… PT Interval = 5.91 years
* Solenoid MTBFdu = 50 years * PST Interval = 2 weeks
* Ball Valve MTBFdu = 40 years * PST Coverage Factor = 70%
It’s about the results
Using the above equation for PFDavg for a 1oo1 device, the above results occurred. Depending upon your objective (reduce the PFDavg or extend the Proof Test Interval), there was significant improvement.
For the case of Reducing the PFDavg of the Final Element, the Base Case (utilizing a 1oo1 Ball Valve and 1oo1 SOV with no PST) produced a SIL of 1.65. Conducting a PST of the Ball Valve increased the SIL to 2.13, a 67% improvement. Replacing the 1oo1 SOV with the 2oo4D SOVs eliminated dangerous SOV failures and increased the SIL to 2.50, an 85% improvement. In addition, the 2oo4D device virtually eliminates spurious trips of the process due to an SOV failure, or from conducting the PST of the valve.
For the case of Extending the Proof (Full Stroke) Test Interval, the Base Case utilized a one year Proof Test (PT) Interval. Conducting a PST of the Ball Valve extended the PT Interval to 3.24 years. Replacing the 1oo1 SOV with the 2oo4D SOVs eliminated dangerous SOV failures and increased the PT Interval to 5.91 years, an increase of nearly 600%. In addition, the 2oo4D device virtually eliminates spurious trips of the process due to an SOV failure, or from conducting the PST of the valve.
The PST of critical process and safety valves yields significant improvement in the safety performance of these devices. The PST device should be fully fault tolerant (air supply and exhaust), fail safe, and online repairable without disabling or by-passing the SIF. Implementing the PST device should not cause spurious process trips, a decrease in the SIL of the SIF, or violate process safety time constraints. The ideal PST device should contain internal diagnostics and be capable of verifying its fault-free operation prior to performing the PST of the valve.
Installing the 2oo4D device can satisfy all of the above requirements, while virtually eliminating dangerous failures and spurious trips of the process due to SOV failures, or from conducting the PST of the valve.
High safety availability and operational availability (no spurious trips due to the PST device) are important factors to consider when implementing PST. The virtual elimination of costly dangerous failures and spurious trips due to SOV failures, while extending the Proof (Full Stroke) Test Interval or increasing the safety performance (SIL), provides significant economic benefits; and makes an investment in the 2oo4D device very easy to rationalize.
ABOUT THE AUTHOR
Dr. Lawrence Beckman, who received his BS and Ph.D. degrees from Tulane University in Chemical Engineering, is president of SafePlex Systems, Inc. in Houston. He is a voting member of the ISA84 safety committee. His e-mail is email@example.com.
Return to Previous Page