Partial stroking of valves used in safety instrumented systems (SISs) has been a hot topic for a decade. The recent release of safety standards has ratcheted up discussion even more. However, few people seem to understand the real reasons for such tests. There are two main drivers for partial stroking of valves: extending manual test intervals as long as possible, and reducing the amount of redundant hardware required for higher safety integrity levels (SILs). Like most things in life, it all boils down to one thing: trying to save money.
Figure 1. Moving the valve a set amount helps assure its functionality.
Control systems regulate a process by maintaining temperature, pressure, level, flow and other variables within normal limits. They are active, dynamic systems in which most failures are inherently self-revealing. For example, if a constantly cycling analog control valve were to fail stuck, the problem would become apparent rather quickly. Safety systems, however, only monitor the process. They are designed to automatically bring the process or the equipment to a safe state if any safety condition is violated. Because these systems usually are dormant, not all failures are self-revealing. For example, if a normally open isolation valve were to become stuck open, there would be no indication of a problem.
Safety system standards are performance based, not prescriptive. Essentially, the greater the level of process risk, the better the safety system needs to be to control it. Standards don’t mandate such things as technologies or manual test intervals. They do, however, specify the performance requirements. A variety of techniques may be used to come up with the required SIL. Table 1 lists the performance requirements for the four integrity levels defined in the standards.
Table 1. Each step up in SIL mandates at least an order-of-magnitude improvement in performance.
While the standards do not mandate redundancy levels, they do come close. They try to make it clear that a system consists of sensors, logic and final elements. As with most things, a chain is only as strong as its weakest link. For all those who think SIL-3 applications can simply be solved by throwing in a SIL-3-certified logic box (as some have thought for a long time), nothing could be further from the truth. SIL-2 and higher applications typically require redundant field devices. This is shown in a simple and obvious manner with the fault tolerance tables listed in the standards such as Table 2.
Table 2. Implicit redundancy requirements for field devices can be reduced in some cases by testing. Source: IEC 61511.
A minimum hardware fault tolerance of N means that N+1 devices failing dangerously (i.e., not functioning when called upon) will result in a loss of the safety function. A fault tolerance of 0 means that if a single device fails the function won’t work. This is a simplex or non-redundant configuration. A fault tolerance of 1 means that two simultaneous failures will kayo the function. This is a one-out-of-two (1oo2) or a two-out-of-three (2oo3) configuration.
While the purchase price of some sensors may be only a few hundred dollars, the total installed cost can be an order-of-magnitude higher (e.g., $8,000). Adding just a single redundant sensor to reach SIL-2 performance levels therefore isn’t a cheap proposition. The total installed cost of redundant valves will be even higher — tens or even hundreds of thousands of dollars. How many redundant valves do plants really want to install (as opposed to how many vendors would like to sell)?
However, the standards do allow the fault tolerance numbers in the table to be decreased by one under certain circumstances. (The standards also state how the numbers may need to be increased by one under other circumstances.) This means a single sensor or valve may be able to meet SIL-2 performance. The key is using devices with proven low failure rates or extensive diagnostics. The assumption always is that when the diagnostics detect a problem (e.g., the solenoid or valve body is starting to stick, meaning the valve may not close when required), the plant quickly responds to bring the device back to “as-new” condition.
Not much can be done to lower the failure rate of most field devices. After all, vendors strive to provide high-quality sensors and valves with the fewest number of components possible. The problem simply stems from the harshness of the application environment. Devices fail due to high temperature, corrosion, erosion, vibration, shock, EMI/RFI, grounding and electrical shorts, plugged sensing lines, etc.
Because devices used in SISs usually are dormant and not all failures are self-revealing, all devices must be periodically tested. The frequency of testing isn’t mandated by industry standards (with rare exceptions). Test intervals are based on failure rates and modes of the hardware, the level of redundancy, the desired level of performance (i.e., SIL target) and the quantity of devices.
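The relationships described above (fault tolerance of N versus N+1 failures, 1oo2 and 2oo3 voting, diagnostics relaxing the redundancy requirement, and test interval set by failure rate and SIL target) can be worked through numerically. The following is an added example, not code from the article or from IEC 61511; it uses the common simplified low-demand PFDavg formulas (no common-cause or repair-time terms), and the failure rate, test interval and diagnostic coverage values are constructed for illustration.

```python
"""Simplified PFDavg / SIL worked example for SIS final-element voting.

Formulas are the usual IEC 61508 low-demand simplifications without
common-cause or repair-time terms (an assumption of this example).
"""
import math

# Hardware fault tolerance per architecture: N means N+1 dangerous
# failures defeat the safety function (1oo1 is simplex, HFT 0).
HFT = {"1oo1": 0, "1oo2": 1, "2oo3": 1}

# Low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def function_lost(arch, failed_devices):
    """True when more devices have failed dangerously than the HFT tolerates."""
    return failed_devices > HFT[arch]


def pfd_avg(arch, lambda_du, test_interval_h, diag_coverage=0.0):
    """Average probability of failure on demand.

    lambda_du: dangerous undetected failure rate per hour.
    test_interval_h: manual proof-test interval in hours.
    diag_coverage: fraction of dangerous failures revealed online (e.g. by
    partial stroking) and assumed repaired promptly; only the remainder
    accumulates until the next manual test.
    """
    x = lambda_du * (1.0 - diag_coverage) * test_interval_h
    if arch == "1oo1":
        return x / 2.0
    if arch == "1oo2":
        return x * x / 3.0
    if arch == "2oo3":
        return x * x
    raise ValueError(f"unknown architecture {arch}")


def sil_for_pfd(pfd):
    """SIL achieved by a PFDavg value, or 0 if worse than SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def max_test_interval_h(arch, lambda_du, target_sil, diag_coverage=0.0):
    """Proof-test interval (hours) at which PFDavg reaches the target band's
    upper limit; any shorter interval keeps the function inside the band."""
    hi = next(h for s, _, h in SIL_BANDS if s == target_sil)
    x = {"1oo1": 2.0 * hi, "1oo2": math.sqrt(3.0 * hi), "2oo3": math.sqrt(hi)}[arch]
    return x / (lambda_du * (1.0 - diag_coverage))
```

With a constructed rate of 5e-6 dangerous failures per hour and a one-year test interval, a single valve lands in SIL 1, the same valve with 70% partial-stroke coverage reaches SIL 2, and a 1oo2 pair reaches SIL 3 without any diagnostics, which is the trade-off the article describes.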
Manual testing of valves (e.g., closing them) typically requires shutting a process down. This is something most plants naturally are loath to do. Not only must technicians be paid and potentially placed in harm’s way, but the cost of lost production during downtime usually is significant. Valves can be stroked online if bypasses are installed, but this results in more piping, a larger total footprint, higher initial cost, and additional procedures that must be monitored and controlled.