Partial stroking of valves used in safety instrumented systems (SISs) has been a hot topic for a decade. The recent release of safety standards has ratcheted up discussion even more. However, few people seem to understand the real reasons for such tests. There are two main drivers for partial stroking of valves: the desire to extend manual test intervals as long as possible, and the desire to reduce the amount of redundant hardware required for higher safety integrity levels (SILs). Like most things in life, it all boils down to one thing: trying to save money.
Figure 1. Moving valve a set amount helps assure its functionality.
Control systems regulate a process by maintaining temperature, pressure, level, flow and other variables within normal limits. They are active dynamic systems in which most failures are inherently self-revealing. For example, if a constantly cycling analog control valve were to fail stuck, the problem would become apparent rather quickly. Safety systems, however, only monitor the process. They are designed to automatically bring the process or the equipment to a safe state if any safety conditions are violated. Because these systems usually are dormant, not all failures are self-revealing. For example, if a normally open isolation valve were to become stuck open, there would be no indication of a problem.
Safety system standards are performance based, not prescriptive. Essentially, the greater the level of process risk, the better the safety system needs to be to control it. Standards don’t mandate such things as technologies or manual test intervals. They do, however, specify the performance requirements. A variety of techniques may be used to come up with the required SIL. Table 1 lists the performance requirements for the four integrity levels defined in the standards.
Table 1. Each step up in SIL mandates at least an order-of-magnitude improvement in performance.
Hardware implications
While the standards do not mandate redundancy levels, they do come close. They try to make it clear that a system consists of sensors, logic and final elements. As with most things, a chain is only as strong as its weakest link. For all those who think SIL-3 applications can simply be solved by throwing in a SIL-3-certified logic box (as some have thought for a long time), nothing could be further from the truth. SIL-2 and higher applications typically require redundant field devices. This is shown in a simple and obvious manner with the fault tolerance tables listed in the standards, such as Table 2.
Table 2. Implicit redundancy requirements for field devices can be reduced in some cases by testing. Source: IEC 61511.
A minimum hardware fault tolerance of N means that N+1 devices failing dangerously (i.e., not functioning when called upon) will result in a loss of the safety function. A fault tolerance of 0 means that if a single device fails the function won’t work. This is a simplex or non-redundant configuration. A fault tolerance of 1 means that two simultaneous failures will kayo the function. This is a one-out-of-two (1oo2) or a two-out-of-three (2oo3) configuration.
While the purchase price of some sensors may be only a few hundred dollars, the total installed cost can be an order-of-magnitude higher (e.g., $8,000). Adding just a single redundant sensor to reach SIL-2 performance levels therefore isn’t a cheap proposition. The total installed cost of redundant valves will be even higher — tens or even hundreds of thousands of dollars. How many redundant valves do plants really want to install (as opposed to how many vendors would like to sell)?
However, the standards do allow the fault tolerance numbers in the table to be decreased by one under certain circumstances. (The standards also state how the numbers may need to be increased by one under other circumstances.) This means a single sensor or valve may be able to meet SIL-2 performance. The key is using devices with proven low failure rates or extensive diagnostics. The assumption always is that when the diagnostics detect a problem (e.g., the solenoid or valve body is starting to stick, meaning the valve may not close when required), the plant quickly responds to bring the device back to “as-new” condition.
Not much can be done to lower the failure rate of most field devices. After all, vendors strive to provide high-quality sensors and valves with the fewest number of components possible. The problem simply stems from the harshness of the application environment. Devices fail due to high temperature, corrosion, erosion, vibration, shock, EMI/RFI, grounding and electrical shorts, plugged sensing lines, etc.
Because devices used in SISs usually are dormant and not all failures are self-revealing, all devices must be periodically tested. The frequency of testing isn’t mandated by industry standards (with rare exceptions). Test intervals are based on failure rates and modes of the hardware, the level of redundancy, the desired level of performance (i.e., SIL target) and the quantity of devices.
Manual testing of valves (e.g., closing them) typically requires shutting a process down. This is something most plants naturally are loath to do. Not only must technicians be paid and potentially placed in harm’s way, but the costs of lost production downtime usually are significant. Valves can be stroked online if bypasses are installed, but this results in more piping, a larger total footprint, higher initial cost, and additional procedures that must be monitored and controlled.
Diagnostics are crucial
The key to achieving a higher SIL with less hardware is greater levels of diagnostics. A number of sensor manufacturers (e.g., ABB, Emerson and Yokogawa) have SIL-2-rated safety transmitters. These devices offer levels of diagnostics much higher than those in standard transmitters. The diagnostics can detect potentially dangerous failures that would prevent the sensor from operating on demand.
What sort of diagnostics are needed for valves in safety applications? Most safety-related valves are left in single positions for extended periods of time. The Pareto Principle (the 80/20 rule) and common experience indicate the most common failure mode of safety-related valves is “stuck.” You don’t need to completely close a valve to determine whether it’s stuck open; a partial stroke would suffice to check for the majority of failures. With such testing, a single valve can meet SIL-2 performance.
Let’s put this in a personal context: If you use your lawn mower every week in the summer to cut your grass, how confident are you that it would start each week? Now, if you leave it in the garage filled with gas over the entire winter without ever running, how confident are you that it would start in the spring?
At least nine companies offer packaged partial-stroking solutions — in alphabetical order: Asco, Drallim, Dynatorque, Emerson, ICS Triplex, Metso, Netherlocks, Safeplex, and Tyco.
Some are manual methods only and are often referred to as “jammers.” These need an operator to be physically present at the valve. Some manual methods require the insertion of a special key. Some end users have designed their own “home-grown” solutions.
Other methods are automated, so an operator needn’t be present at the valve. These solutions typically require the vendor’s specific hardware (valve, actuator or positioner) and software (used to record and analyze valve performance). Other automated solutions are controller retrofits that will work with just about any valve assembly.
At least one solution is incorporated into the SIS hardware itself and can work with most existing valves simply with the addition of limit switches or proximity devices. This means no additional controller hardware or software is required.
A safe way to save
The primary benefit of partial stroking of safety valves is saving money, either from reducing manual testing or eliminating the need for redundant hardware. In SIL-1 applications, manual test intervals can be stretched from the original one or two years to upwards of five years (naturally depending upon the failure rates and assumptions used in the modeling). SIL-2 and above applications historically required redundant valves. However, a single valve with partial stroking can offer the same performance as two standard valves. Considering not only the purchase price of the valve, but the total costs associated with installation, the financial benefits are considerable (e.g., tens or hundreds of thousands of dollars per assembly).
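The trade-off described above can be put into numbers with the simplified low-demand PFDavg approximations commonly used for SIS verification. This is an added example, not part of the original article: the failure rate, partial-stroke coverage, test intervals and common-cause fraction are constructed sample values, the function names are illustrative, and the SIL bands are the low-demand PFDavg ranges defined in IEC 61508/61511.

```python
# Simplified low-demand PFDavg approximations (added example, not from the article).
# Failure rate, coverage, intervals and beta below are constructed sample values.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

def sil_for(pfd_avg):
    """Return the SIL whose low-demand PFDavg band contains pfd_avg, else 0."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0

def pfd_1oo1(lambda_du, full_interval, pst_coverage=0.0, pst_interval=0.0):
    """Single valve: pst_coverage of the dangerous undetected failures is found
    at each partial stroke, the remainder only at the full-stroke test."""
    return lambda_du * (pst_coverage * pst_interval / 2
                        + (1 - pst_coverage) * full_interval / 2)

def pfd_1oo2(lambda_du, full_interval, beta):
    """Redundant pair without partial stroking, common-cause fraction beta."""
    independent = ((1 - beta) * lambda_du * full_interval) ** 2 / 3
    common_cause = beta * lambda_du * full_interval / 2
    return independent + common_cause

def max_full_interval(lambda_du, target_pfd, pst_coverage, pst_interval):
    """Longest full-stroke interval keeping a partial-stroked valve at target_pfd."""
    if not 0.0 <= pst_coverage < 1.0:
        raise ValueError("pst_coverage must be in [0, 1)")
    budget = target_pfd / lambda_du - pst_coverage * pst_interval / 2
    if budget <= 0:
        raise ValueError("target PFDavg not reachable with this partial-stroke interval")
    return 2 * budget / (1 - pst_coverage)

LAMBDA_DU = 0.025  # dangerous undetected failures per year (assumed)
COVERAGE = 0.7     # share of dangerous failures a partial stroke reveals (assumed)
PST = 1 / 12       # monthly partial stroke, in years (assumed)
BETA = 0.10        # common-cause fraction of the redundant pair (assumed)

def compare():
    return {
        "single": pfd_1oo1(LAMBDA_DU, 1.0),
        "single_pst": pfd_1oo1(LAMBDA_DU, 1.0, COVERAGE, PST),
        "pair": pfd_1oo2(LAMBDA_DU, 1.0, BETA),
        # full-stroke interval with PST that matches a 2-year test without PST
        "stretch_years": max_full_interval(LAMBDA_DU, pfd_1oo1(LAMBDA_DU, 2.0), COVERAGE, PST),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:14s} {value:.5f}")
```

With these sample numbers the single valve moves from the SIL 1 band into the SIL 2 band once partial stroking is added, the same band as the redundant pair, and the full-stroke interval can stretch from two years to roughly six at equal PFDavg. The outcome depends entirely on the assumed failure rate and partial-stroke coverage.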
References
- “Functional safety: safety instrumented systems for the process industry sector,” ANSI/ISA-84.00.01-2004 Parts 1-3 (IEC 61511-1 Mod), ISA, Research Triangle Park, N.C. (2004).
- “Identification of emergency shutdown systems and control that are critical to maintaining safety in process industries,” ANSI/ISA S91.01, ISA, Research Triangle Park, N.C. (2001).
- “Functional safety of electrical/electronic/programmable electronic safety-related systems,” Standard 61508, International Electrotechnical Commission, Geneva, Switz. (1999-2000).
- Fillion, E., “Digital approaches to safety instrumented systems provide faster ROI,” p. 55, Hydrocarbon Processing (Nov. 2006).
- Bingham, K., “Partial stroke testing of emergency shutdown valves,” PROCESSWest, p. 49 (Summer 2005).
- Lewis, C., “Coming of age: the economic case for large-scale use of wireless sensors is overwhelmingly favorable,” p. 51, InTech (July 2005).
- Gruhn, P., “Valve signatures and partial stroke testing,” p. 65, Hydrocarbon Processing (Jan. 2003).
- Gruhn, P., “Increase plant safety with online valve testing,” p. 39, InTech (Feb. 1998).
Paul Gruhn, PE, CFSE, is a safety product specialist at ICS Triplex, Houston, Texas.