Intelligent valve technology and partial stroke testing
Smart valves can simplify deployment of safety systems and provide a higher level of plant protection through more effective testing. Safety instrumented systems (SISs) have become essential components of today’s new process plants. This advance has been driven by a variety of forces, from new industry standards to increased pressure from governmental agencies worldwide and lessons learned following high-profile accidents. Partial stroke tests (PSTs) of emergency shutdown (ESD) valves have long been used to improve SIS performance. By monitoring these critical valves regularly, PSTs help ensure the system’s ability to shut a process down in the event of an emergency. See more charts and graphs.
Davide Brambilla and Sandro Esposito, Dresser Masoneilan
Safety instrumented systems (SISs) have become essential components of today’s new process plants. This advance has been driven by a variety of forces, from new industry standards to increased pressure from governmental agencies worldwide and lessons learned following high-profile accidents. Partial stroke tests (PSTs) of emergency shutdown (ESD) valves have long been used to improve SIS performance. By monitoring these critical valves regularly, PSTs help ensure the system’s ability to shut a process down in the event of an emergency.
The introduction of digital technology for ESD valves has made PSTs more effective and easier to implement, helping plant personnel better balance their need to achieve higher plant integrity and safety with such considerations as spurious trip rate, initial investment costs, ongoing operational costs, system integration, and documentation needs.
This article will discuss how PSTs improve SIS performance, review the advantages of using digital shutdown devices to conduct PSTs, and outline steps to help plant personnel effectively implement this new technology.
Functional safety design essentials
A SIS is composed of one or more safety instrumented functions (SIFs), each of which protects a specific process function. A SIF consists of three key elements: sensor(s), logic solver, and final control element(s), and is designed in accordance with IEC 61508 and IEC 61511 to meet a desired safety integrity level (SIL).
SIL is defined in IEC 61508 and is a function of the risk reduction factor (RRF). There are four SIL levels, with SIL 4 having the highest availability for a given safety function and SIL 1 having the lowest availability.
The RRF required for a given SIF is determined by a hazard and operability (HAZOP) study. In a HAZOP study, dangerous events are identified and quantified in terms of such factors as the potential for serious injury, equipment damage, lost production, and harm to the environment. If the study shows that the potential for these events to occur is too great, or that the ramifications of such an event would be intolerable, an RRF is calculated to bring the risk to an acceptable level.
Once the RRF is specified, the SIL budget for the protection layer is determined by calculating the probability of failure on demand (PFDavg) for each SIF component and the SIF as a whole. PFDavg is an assessment of the likelihood that the safety system will not work as designed in an emergency and is the reciprocal of the RRF (PFDavg = 1 / RRF). The SIF will then be designed to meet the desired SIL.
Achieving a lower PFDavg
Experience shows – and international literature supports – that the emergency shutdown valve is the primary source of SIF faults. The mechanical nature of the valve and the “on-demand” role that it plays make it the part of the system that is most susceptible to failure. To improve the functional safety of a plant, therefore, it makes sense to focus efforts there.
The examples in Figure 1 demonstrate how conducting periodic PSTs on ESD valves can lower PFDavg and contribute to a higher SIL rating and improved system integrity. The equipment and systems in the two examples are identical and both factor in annual full stroke tests (FSTs), as PSTs do not eliminate the need for full stroke tests. The second example adds PSTs every 60 days to the equation.
With the addition of periodic PSTs, the PFDavg for the valve/actuator assembly drops from 1.1E-03 to 4.5E-04. According to IEC 61508, in order to achieve such an improvement in PFDavg, the results of the diagnostic tests must be transmitted to the user via a field-proven mechanism. This requirement makes perfect sense; if the diagnostic results are unknown to the user, they cannot be used in calculating RRF or PFDavg. Digital communication standards are emerging to allow transmission of such diagnostics in a reliable fashion.
Figure 2 further illustrates how conducting periodic PSTs can lower the PFDavg of an entire SIF and, in particular, the PFDavg of an ESD valve.
In addition, running PSTs improves the safe failure fraction (SFF) of the ESD valve – the fraction of failures that are either safe failures or detected dangerous failures – by approximately 10% to 20%. (See Figure 3.) This can be the final hurdle to achieving a SFF of greater than 90% and being able to use the valve in a SIL 3 application with a hardware fault tolerance of zero.
Simpler architecture is usually better
Some safety engineers advocate using redundant solenoids and complicated shutdown panels for the ESD valve to lower the PFDavg of the emergency isolation valve. In most cases, these strategies will, however, deliver only a small improvement in the PFDavg of the entire SIF while complicating the system design, increasing costs and raising the spurious trip rate (STR), a measure of the false shutdown rate. (See Figure 4.) As the old instrument people repeatedly said, “More devices lead to more failures!”
Every application is different and, in some cases, the use of additional devices may be the best way to achieve the specified SIL level. “Best practices” are, however, moving toward a philosophy of building architectures with the minimum number of devices necessary to achieve the target SIL.
Choosing PST techniques
There are, of course, several ways to conduct PSTs. The need to test more frequently and to store test data gives the clear edge to a newer technique that may be less familiar to many plant operators – using digital shutdown devices.
Traditional PST techniques, such as using mechanical jammers, pneumatic panels, and electro-pneumatic panels, can be used to monitor SIF health, but each has significant shortcomings. Mechanical jammers are the simplest and least costly option, but the plant is left unprotected during the test and the need to manually place the blocks creates opportunities for human error. Pneumatic panels are a proven, reliable, and well-accepted option, but are costly, involve complex testing procedures, do not allow for remote testing, and do not provide determinative data. Similarly, electro-pneumatic panels are expensive, require the tester to be on site, and do not provide determinative data.
Adding intelligence to a shutdown device can overcome these shortcomings and help integrate it more easily with a safety system. It also helps make it easier to implement PSTs and provide greater diagnostic coverage (the fraction of dangerous failures that will be detected) of the ESD valve. As shown in Figure 5, smart devices are also a budget-friendly option, typically costing less than pneumatic or solenoid panels.
Using digital shutdown devices
A key advantage of using a digital shutdown device is the ability to initiate a test using various triggering methods based on the specific situation and the user’s preferences. Options include:
- Local test initiation using a built-in LCD;
- Remote test initiation using a digital protocol, such as HART or the emerging Foundation Fieldbus SIF;
- Initiating the test from a logic solver using a 4-20 mA analog command; and
- Fully automated test initiation using a built-in scheduler.
Once a digital shutdown device receives the command to execute a test, it precisely controls the pressure inside the actuator chamber to achieve smooth and consistent back-and-forth valve movement during the test. This controlled ramping helps ensure the accuracy of the measurements and, even more important, reduces the chance of spurious trips and process upsets. The ESD valve is closed at the set speed until it reaches the target valve opening specified by the end user – typically between 5% and 30% of the normal state of the ESD valve – and is then opened again at the set speed. The safety function of the ESD valve remains available throughout the PST, continuing to protect the plant.
A variety of manufacturers now offer digital shutdown devices that are SIL 3-compliant in accordance with IEC 61508, allowing them to be used in SIFs, even in such high-risk facilities as refineries, offshore platforms, and petrochemical plants. These smart devices typically provide greater diagnostic coverage than other PST methods because the embedded sensors (position, actuator pressure, air supply, etc.) can precisely detect failure modes of the ESD assembly.
Figure 6 summarizes key features of PSTs using digital shutdown devices and their benefits.
In addition, by analyzing travel versus actuator pressure during ramping down and ramping up, digital shutdown devices can capture valuable diagnostic information about accessories downstream of the positioner, such as solenoids, volume boosters, and quick exhausts. (See Figure 7)
Data where needed
Using digital shutdown devices to conduct PSTs also puts historical data at plant personnel’s fingertips, allowing them to manage assets more effectively over time and helping streamline recordkeeping and other compliance efforts.
Personnel can more easily access data required by the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) and other organizations.
The data also give plant personnel a clear picture of KPIs (key performance indicators) over time. Operators can then plan appropriate predictive maintenance activities and avoid added disruption and costs associated with reactive maintenance activities.
Figure 8 summarizes these compliance-related benefits.
Powerful and flexible tool
Until recently, managing the integrity of ESD valves was labor-intensive and not automated. The resulting costs and the potential for causing an unwanted process upset led many plant managers to avoid implementing PSTs. Today’s smart shutdown devices eliminate those roadblocks.
Among the typical capabilities and features of PST controllers are:
• Embedded PST parameters;
• Embedded PST scheduler;
• PSTs can be conducted locally or remotely;
• Built-in storage for PST signatures;
• Built-in storage for safety demand signatures;
• Built-in pass/fail criteria;
• Discrete or digital annunciation of diagnostics; and
• Automated signature analysis for KPIs, including friction, breakout force, filling/exhaust capacity, spring range, air supply drooping, etc.
Digital shutdown devices can be programmed to conduct PSTs automatically, or the tests can be run on demand, giving plant personnel maximum scheduling flexibility. Digital shutdown devices also allow PSTs to be conducted remotely using a HART or a 4-20 mA analog signal, eliminating the need to have personnel on-site to perform the test.
In recent years, digital shutdown devices have been introduced that maintain live digital communication during a shutdown, allowing plant personnel to confirm that the valve has closed properly and ensuring that relevant data is captured for later analysis.
PSTs do not eliminate the need to conduct full stroke tests, during which the process is shut down. But, the same digital shutdown devices used to conduct PSTs can do double duty and also be used to conduct these more comprehensive proof tests.
In recent years, controllers with new “second-generation” smart shutdown devices have been introduced that offer powerful new capabilities and address challenges that end users may have previously faced when using digital shutdown devices to conduct PSTs.
First, many of the new devices run periodic self tests to detect any potential issues that would compromise the safety function, such as an electronics malfunction, clogged vent, or air line restriction. (See Figure 9.)
As mentioned earlier, some digital shutdown devices also maintain live communication during a process shutdown. Some are certified for use in SIL 3 applications as Type A, meaning redundancy may not be required. They also give plant personnel access to a variety of useful information during an emergency, including the current travel feedback signal and limit switch.
Finally, a HART-enabled digital shutdown device will record the shutdown signature when the valve closes in an emergency. Functioning much like the “black box” on an airplane, the device captures valve performance data for later analysis (See Figure 7). Moreover, because the closing and resetting of the valve is documented, it can be counted as a full proof test of the valve – restarting the countdown to when the ESD valve must undergo its next full stroke test.
Figures 10 and 11 summarize the diagnostic capabilities of second-generation smart shutdown devices and the valve performance problems they can help plant personnel detect.
Implementing PSTs in a SIS
According to IEC 61508, the diagnostic coverage provided by PSTs can be utilized in calculating PFDavg as long as the following two criteria are met:
1. The test is fully automated. Automation ensures that the tests are executed at the interval that was specified in the PFDavg calculation, eliminating the risk that a potentially unsafe situation will go undetected because plant personnel inadvertently fail to complete a scheduled test.
2. The outcome of the test (pass/fail) is communicated to the user via an approved technology, such as a discrete signal (See Figure 12). This communication is essential so that plant personnel are aware of potentially unsafe situations that will require intervention. Just like the “check engine” or “low oil pressure” lights on a car’s dashboard warn the driver of a potential problem, these notifications make plant personnel aware of ESD valve performance issues that must be addressed.
Legacy logic solvers
Digital shutdown devices can be incorporated into older safety systems that use a 0-24 V dc signal and, in some cases, into systems that use a 4-20 mA signal. In a 0-24 V dc application, the PST can be launched using the built-in scheduler in the field device, using the local LCD (if available) or HART.
If HART is to be used, a signal conditioner may be required to increase the impedance of the circuit. With the recent introduction of wireless communication, an adaptor can be installed on the digital shutdown device, eliminating the need for the signal conditioner and simplifying the wiring.
If the logic solver has an analog output card, the PST can be launched remotely by setting the loop current to a specific value. By adjusting the signal, the end user can integrate partial stroke testing within the logic solver and ensure the traceability of when the test was executed.
Newer safety systems
Safety system manufacturers have begun offering HART-enabled analog output cards so that smart shutdown devices can be integrated into the system easily, enabling PSTs to be executed from a common user interface and allowing test results to be stored automatically in a data management system.
In addition, most manufacturers now offer systems with SIL 3-certified analog output, allowing the user to implement a 4-20 mA digital shutdown device using a single wire pair, simplifying implementation and helping reduce costs.
Must-haves for implementation
Figures 13 to 15 show three common setups for implementing smart shutdown devices in partial stroke testing. Each features the following characteristics that are essential to any application:
- Integrated: The digital shutdown device is integrated with the rest of the safety system. It is not an isolated “island of automation.”
- Automated: PST execution is fully automated, preventing human error. Test results are automatically communicated to the user, providing actionable information about potential valve performance problems.
- Versatile and accessible: PSTs can be safely executed, and the results accessed, from the logic solver.
- User-friendly: Tests are easy to execute and the results are easy to understand. The user should not need to be an expert in ESD valves or digital shutdown devices to complete the test and interpret the results.
Aristotle said, “We are what we repeatedly do. Excellence, therefore, is not an act, but a habit.” Improving plant integrity requires consistency in applying reliable, integrated, and automated solutions that allow a systematic approach to monitoring critical equipment.
A program of periodic PSTs can help ensure that an SIS functions properly in an emergency by addressing the single biggest cause of SIF faults – the final control element – while reducing the frequency of full stroke tests. Today’s intelligent shutdown devices make PSTs an even more powerful tool and make implementing them easy and cost-effective, allowing plant personnel to achieve high SIL 3 levels while delivering a greater diagnostic coverage factor, greater flexibility in implementing and scheduling PSTs, and, with the right software, improved communication.
- Also read:
- Davide Brambilla, Dott. Eng., is digital product specialist for western, eastern, and southern Europe and CIS for Dresser Masoneilan, a global partner in process control valves and solutions for more than 125 years (www.dresser.com). With more than 10 years of experience in the automation and valve industries, Mr. Brambilla is part of the team that designs the architecture of new digital instruments for use in Dresser Masoneilan’s SMART Valve Interface. He graduated from the University of Politecnico in Milan, Italy with degrees in mechanical and industrial engineering. Reach him at davide.brambilla(at)dresser.com.
- Sandro Esposito is global marketing manager for digital and SMART products at Dresser Masoneilan. A 16-year veteran of the control valve and process automation industries, he has extensive experience with emergency shutdown valve diagnostics and system integration. He is the architect of the initial Dresser Masoneilan partial stroke testing device, the first SIL 3-certified intelligent device on the market. He graduated from Ahuntsic College in Montreal with a degree in instrumentation and process controls. Reach him at sandro.esposito(at)dresser.com.