partial stroke testing implementing for the right reasons

Copyright 2005 by ISA. Presented at ISA EXPO 2005, 25-27 October 2005

McCormick Place Lakeside Center, Chicago, Illinois, www.isa.org

Partial Stroke Testing Implementing for the Right Reasons

Robin McCrea-Steele Senior Safety Consultant – Premier Consulting Services

TÜV Functional Safety Expert – ID 0101/04

California, U.S.A.

KEYWORDS Safety Instrumented Systems, ESD Valves, On-line Proof Testing, Diagnostic Coverage,

Safe Failure Fraction, Hardware Fault Tolerance, Valve Failure Modes.

ABSTRACT Operational characteristics of static ESD valves impose design and testing requirements that are very different from those required for a control valve operating in a fully dynamic mode. Partial stroking of ESD valves can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in diagnostic coverage and the credit taken for this type of test. This paper reviews the pros and cons of PST in the processing industries, from an independent and objective viewpoint, with absolutely no vested interest from either vendors or end-users.

INTRODUCTION Improvements in mechanical reliability have permitted extending process plant turnaround periods from a traditional one or two years, to five or more years. This means, that in order to test an ESD valve’s functionality at a rate commensurate with the PFD requirements of the design SIL, alternative arrangements need to be implemented for on-line proof testing. Installing full-flow bypass valves can become burdensome and expensive for larger process piping, as well as posing safety concerns when the ESD valve is rendered non-operational during on-line proof tests. Human error is also a concern with this type of on-line bypass-based test.

contents



If we consider that the most common dangerous failure mode in a static ESD valve is “stuck”, on-line partial stroke testing seems to have come to the rescue at a time where smart technology is readily available to perform these functions effectively. End users embrace the idea that they can seemingly justify extending the full stroke testing period, eliminate physical bypasses, and improve the PFDavg of the SIF. Vendors of PST equipment are coming out of the woodwork with promises of a “cure to all ailments”. Some claims are even going to the extreme of providing unsubstantiated arguments for improvement of the SFF that justify overcoming IEC 61511/IEC61508 minimum hardware fault tolerance (i.e. redundancy) requirements. Partial stroking can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in PTC – “Proof Test Coverage” (sometimes mistakenly referred to as “DC- Diagnostic Coverage) and the credit taken for this type of test. Any safety analysis demands a process of checks and balances. This paper provides an independent and objective functional safety management viewpoint.

ON-LINE PROOF TESTING The objective of on-line proof testing is to detect covert undetected dangerous failures, which automatic diagnostics cannot pick-up. This is the only purpose. On-line proof testing does not detect random hardware failures related to spurious trips. You could proof test today and have a spurious trip tomorrow. Safety standards’ metrics for meeting a design SIL are solely concerned with the probability of a dangerous undetected failure appearing in the presence of a process demand on the SIS. Therefore, on-line proof testing is critical to the safety availability of an SIS. Increasing the proof test frequency is directly proportional to an improvement in lowering the average PFD. Consequently, increasing the SIL. To place λDU failure rates in to perspective, the following chart shows the typical distribution across the subsystems of an SIF in the COG process industry.

SIF Failure Rate Distribution

Sensors 40%

Logic Solver 10%

Final Elements

50%

• Sensors 30% to 45%

• Logic Solver 5% to 15%

• Final Elements 40% to 55%

λDU = Dangerous undetected failure rate



PARTIAL STROKE TESTING (PST) ESD valve partial stroke testing (PST) is a method whereby a portion of the valve assembly is tested at a more frequent interval than the full test rate. In simple words: an accelerated (partial) proof test. Advantages of PST: • May provide an improvement to the SIL of the SIF. • Provides predictive maintenance data. • May allow extension of the full stroke test (FST). • May overcome IEC 61511 architectural constraints (Questionable). • May reduce the need for valve bypasses. • Valve is always available to respond to a process demand during the test period (when properly designed). Disadvantages of PST: •Tests only a portion of the valve DU failures (30% to 70%) • Not applicable to tight shut-off valves. • May increase spurious trip rate. • Incorporates additional equipment with its own testing requirements (Safe and dangerous failures). • Potentially converts the valve/PST smart equipment assembly to a type “B” complex subcomponent, per IEC 61508-2. • If PST always strokes 10%, buildup forms at 10% of stroke. • Makes the plant manager nervous! (Oscillating ESD valve). ESD on-line partial stroke testing should be considered as a complement to full stroke testing and not “in lieu of ”. The following table shows an overview of valve failures detected by PST and FST.

The PFDavg of the SIF is influenced heavily by the weakest link

FST / Pressure testFail to closeDebris retained in seatPST or FSTValve stuckValve Stem buildup

PST or FSTFail to closeAir line blocked

FST or PST w/speed of travel test

Sluggish responseAir line to actuator crimped

PSTValve stuckStem packing seized

FST / Pressure testFail to closeValve plug/seatPressure Test at TALeakValve Body

TestEffectMode

Valve Failure Modes

FST / Pressure testFail to closeDebris retained in seatPST or FSTValve stuckValve Stem buildup

PST or FSTFail to closeAir line blocked

FST or PST w/speed of travel test

Sluggish responseAir line to actuator crimped

PSTValve stuckStem packing seized

FST / Pressure testFail to closeValve plug/seatPressure Test at TALeakValve Body

TestEffectMode

Valve Failure Modes



PST TECHNOLOGY Partial stroke testing is not a new concept. It has been performed in different applications for many years. Traditionally, using mechanical devices, such as jammers, collars or engagement pins. What is new is the emerging technology that allows PST to be performed with limited human intervention in a semi-automatic way. Smart microprocessor based devices have been developed by a series of vendors. A partial list is shown below: • ASCO – Redundant solenoid arrangement. • DRALLIM – Pressure signature of actuator / SOV. • DYNATORQUE – Mechanical solution. • EMERSON – Fieldvue smart positioner. • METSO – Neles Valveguard. • MOORE Ind. – HART device w/any smart positioner. • TYCO-Keystone – Manual and automatic devices. • Siemens / Masoneilan – Smart positioner. • Triconex / ABB / ICS – PST control from Logic Solver. The objective of this paper is not to analyze technologies. The focus is to provide a perspective on the implications of the assumptions in diagnostic coverage and the credit taken for this type of test.

ESD VALVE ASSEMBLY FAILURE RATE DATA Good failure rate data should be sourced from field experience and incorporate a breakdown by type of failure. FMEDA studies provide useful information, but usually do not reflect actual field conditions, such as environmental, external stresses, corrosive process fluids, etc. Industry data, such as OREDA (Offshore Reliability Data), published by DNV, incorporate field failure rates reported by leading off-shore oil and gas companies. This is a good reference for most process industries, specially on field equipment. OREDA lists the type of failure in categories like critical, degraded or incipient. Then the breakdown of each category shows failures rates for failed to close, failed to open, plugged, delayed operation, internal leakage, external leakage, etc. It also shows these failure rates in categories for lower, mean and upper ranges for a relation to the level of maintenance.

TA: Turn around FST: Full stroke test PST: Partial stroke test



It is absolutely critical that the field failure rate data be analyzed per type, and be associated with the test that will detect it (PST or FST, on-line or at turnaround, etc.). An important clarification should be made in that although a Weibull “bath tub” distribution over time is a reality, random hardware failures are considered constant within the useful life of the valve assembly. Per international safety standards’ metrics, infant mortality is considered overcome and it is also assumed that preventive maintenance will replace parts before wear out.

EFFECT OF PST ON A TYPICAL SIF Using Fault Tree Analysis, the author has worked a simple overpressure SIF example. The target is a high SIL 2, with a requirement to extend the one-year full stroke test to three years. The initial calculation with a full stroke test interval of one year and no PST is shown, resulting in a mid SIL 1 that does not meet the high SIL 2 target.

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

Full stroke Test Interval

TI = 1 year

1 x 10-2 1 x 10-2

2 x 10-22.4 x 10-46.25 x 10-4

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 200 x 10-4 = 208.65 x 10-4 = 2.08 x 10-2

PFDavg = 2.08 x 10-2

RRF = 1/PFDavg = 48 MID SIL 1

ESD Valve Assy

V1 S1

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

PT1 PT2 PT3

2oo3

Pressure Xmtrs

Full stroke Test Interval

TI = 1 year

1 x 10-2 1 x 10-2

2 x 10-22.4 x 10-46.25 x 10-4

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 200 x 10-4 = 208.65 x 10-4 = 2.08 x 10-2

PFDavg = 2.08 x 10-2

RRF = 1/PFDavg = 48 MID SIL 1

ESD Valve Assy

V1 S1

ESD Valve Assy

V1 S1

S I SLogic Solver

Process line

24 V

air

PT1

PT2

PT3

V1

Solenoid S1

ISA TR 84.0.02 Generic Failure Rate Data:

PT => λDU = 0.025 f/y

LS => PFDavg = 2.4 E-4

V => λDU = 0.02 f/y

S => λDU = 0.02 f/y

Overpressure SIF example• Triplicated transmitters

• Generic Logic Solver

• Single ESD valve

S I SLogic Solver

S I SLogic Solver

Process line

24 V

air

PT1

PT2

PT3

V1

Solenoid S1

ISA TR 84.0.02 Generic Failure Rate Data:

PT => λDU = 0.025 f/y

LS => PFDavg = 2.4 E-4

V => λDU = 0.02 f/y

S => λDU = 0.02 f/y

Overpressure SIF example• Triplicated transmitters

• Generic Logic Solver

• Single ESD valve

TR84.0.02 p2 PT2003 => PFDavg = (λDU)2 x (TI)2

PFDavg = (0.025)2 x 1y2 = 6.25 x 10-4

V1 PFDavg = λDU x (TI/2) PFDavg = 0.02 x 1/2 = 0.01 = 1 x 10-2

S1 PFDavg = λDU x (TI/2) PFDavg = 0.02 x 1/2 = 0.01 = 1 x 10-2



Partial stroke testing was implemented as shown below: Assuming a proof test coverage of 70% for the partial stroke test (PST) run once per day and the full stroke remaining at once per year, the calculation rendered a low SIL 2: As shown above, the weakest link remained the valve assembly.

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

Full stroke TI = 1 year

Partial Stroke TI = 1 day

2.4 x 10-46.25 x 10-4

ESD Valve Assy

V1 S1 V1 S1

PST FST

PFDavg = 6.9 x 10-3

RRF = 1/PFDavg = 144 Low SIL 2

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 60.38 x 10-4 = 6.9 x 10-3

1.91 x 10-5 3.0 x 10-3

3.82 x 10-5 6.0 x 10-3

6.038 x 10-3

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

PT1 PT2 PT3

2oo3

Pressure Xmtrs


Partial Stroke TI = 1 day

2.4 x 10-46.25 x 10-4

ESD Valve Assy

V1 S1 V1 S1

PST FST

ESD Valve Assy

V1 S1 V1 S1

PST FST

PFDavg = 6.9 x 10-3

RRF = 1/PFDavg = 144 Low SIL 2

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 60.38 x 10-4 = 6.9 x 10-3

1.91 x 10-5 3.0 x 10-3

3.82 x 10-5 6.0 x 10-3

6.038 x 10-3

Valve λDU = 0.02 f/y For DC=70% (proof test coverage) λ PST = 0.7 x 0.02 = 0.014 f/y PFDPST = λPST x TI/2 PFDPST = 0.014 f/y x 1y/365d x 1d/2 PFDPST = 1.91 x 10-5 λ FST = 0.3 x 0.02 = 0.006 f/y PFDFST = λFST x TI/2 PFDFST = 0.006 f/y x 1y/2 PFDFST = 3.0 x 10-3

S I SLogic Solver

Smart Posit.

Process line

24 V

HART Diagnostics

AMSTravel feedback

air

24 V

PT1

PT2

PT3

V1

Solenoid S1

Overpressure SIF example

(with PST device)

D.C.= 70% (Proof Test Coverage)

Valve λDU = 0.02 f/y

λPST= 0.7 x 0.02 = 0.014 f/y

λFST= 0.3 x 0.02 = 0.006 f/y

S I SLogic Solver

S I SLogic Solver

Smart Posit.

Process line

24 V

HART Diagnostics

AMSTravel feedback

air

24 V

PT1

PT2

PT3

V1

Solenoid S1

Overpressure SIF example

(with PST device)

D.C.= 70% (Proof Test Coverage)

Valve λDU = 0.02 f/y

λPST= 0.7 x 0.02 = 0.014 f/y

λFST= 0.3 x 0.02 = 0.006 f/y



A redundant 1oo2 valve configuration was necessary to improve the PFDavg. The valve assembly fault tree is depicted below. The dual redundant valve assembly, incorporated through a transition gate, is shown below.

REDUNDANT VALVES


Partial stroke TI = 3 months

9.0 x 10-3 9.0 x 10-3

1.8 x 10-2

ESD Valve Assy

V1 S1 V2 S2

FST FST

1.8 x 10-2

3.24 x 10-4

PST PST

3.5 x 10-3

ESD Valve Assy

V1 S1 V2 S2

1.22 x 10-5

3.5 x 10-3

1.75 x 10-31.75 x 10-3

ESD Redundant valve assy

PFDavg = 3.36 x 10-4

V1 – S1 – V2 – S2 PFDPST = λPST x TI/2 = 0.014 f/y x 1y/12mth x 3mth/2 = 1.75 x 10-3

V1 – S1 – V2 – S2 PFDFST = λFST x TI/2 = 0.006 f/y x 3y/2 = 9.0 x 10-3

ESD Valves Assy

REDUNDANT VALVES



9.0 x 10-3 9.0 x 10-3

1.8 x 10-2

ESD Valve Assy

V1 S1 V2 S2

FST FST

1.8 x 10-2

3.24 x 10-4

ESD Valve Assy

V1 S1 V2 S2

FST FST

1.8 x 10-2

3.24 x 10-4

PST PST

3.5 x 10-3

ESD Valve Assy

V1 S1 V2 S2

1.22 x 10-5

ESD Valve Assy

V1 S1 V2 S2

1.22 x 10-5

3.5 x 10-3

1.75 x 10-31.75 x 10-3

ESD Redundant valve assy

PFDavg = 3.36 x 10-4

V1 – S1 – V2 – S2 PFDPST = λPST x TI/2 = 0.014 f/y x 1y/12mth x 3mth/2 = 1.75 x 10-3

V1 – S1 – V2 – S2 PFDFST = λFST x TI/2 = 0.006 f/y x 3y/2 = 9.0 x 10-3

ESD Valves Assy

ESD Valves Assy

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

REDUNDANT VALVES



2.4 x 10-46.25 x 10-4

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 3.36 x 10-4 = 12.01 x 10-4 = 1.2 x 10-3

PFDavg = 1.2 x 10-3

RRF = 1/PFDavg = 833 High SIL 2

ESD Valves Assy

2

3.36 x 10-4

Logic Solver

SIF Failure

PT1 PT2 PT3

2oo3

Pressure Xmtrs

PT1 PT2 PT3

2oo3

Pressure Xmtrs

REDUNDANT VALVES



2.4 x 10-46.25 x 10-4

SIF PFDavg = 6.25 x 10-4 + 2.4 x 10-4 + 3.36 x 10-4 = 12.01 x 10-4 = 1.2 x 10-3

PFDavg = 1.2 x 10-3

RRF = 1/PFDavg = 833 High SIL 2

ESD Valves Assy

2

ESD Valves Assy

2

3.36 x 10-4



The above configuration meets the target of a high SIL 2 with an extended full stroke test of three years and a PST of three months.

THE PROPER USE OF PST RESULTS As shown in the above example, PST was directly instrumental in extending the full stoke test out to three years while meeting the target design of a high SIL 2 for the SIF. It is, however, very important that the assumptions for diagnostic coverage be substantiated and validated in order to be able to take the appropriate credit in the PFDavg calculations. Implemented for the right reasons, on-line partial stroke testing can be an important asset, and should be considered in the design. Done for the wrong reasons can lead to erroneous results and an unsafe design. For example, taking credit for PST with the intent of overcoming architectural constraints and minimum hardware fault tolerance specified in the safety standards’, requires further analysis. The following review of “safety integrity” and “Safe Failure Fraction” in conjunction with the IEC safety standards’ architectural constraints, should facilitate the analysis. Safety integrity The safety integrity of an SIS has two mayor components:

The first question to consider: Is a stuck valve a random hardware failure or a systematic failure? It would appear that if the valve stem is stuck due to over-tight packing, this would be a systematic failure. If the cause is over-stressed piping, this would also be considered systematic and not random. IEC 61508 and IEC 61511 address random hardware failures with target failure ranges for each SIL. On the other hand, systematic failures are addressed by implementing certain techniques and measures conducive to designing these out of the system.

• Systematic Safety Integrity - Hardware systematic failures (Design, Common Cause, Stress, Environmental) - Software systematic failures

• Hardware Safety Integrity - Random hardware failure target

measures established in IEC 61511



Safe Failure Fraction (SFF) Safe Failure Fraction is the fraction of safe failures and dangerous detected failures in relation to the total failures. The definition of SFF always refers to random hardware failures and not to systematic hardware failures. IEC 61511-1 imposes a minimum hardware fault tolerance requirement for sensors and final elements without any reference to the SFF. However, if further analysis is appropriate, it allows the use of table 3 of IEC 61508-2.

IEC- 61508-2 Table 3 – Architectural Constraints – Type B subsystems

Using the above SFF equation, it is easy to see that if partial stroke testing (PST) could detect a portion of the dangerous undetected failures (λDU) from the denominator and convert these in to dangerous detected failures (λDD) in the numerator, we could obtain a improvement in the SFF. This would lead to a reduction in the hardware redundancy requirements in IEC 61508-2 Table 3 above, for any defined SIL. However, there are two problems to be faced:

a- The (λDU) element in the SFF equation only refers to random hardware failures. If the stuck stem is caused by a systematic failure, then it would be invalid to use PST to improve the SFF calculation.

b- The detected failures in the SFF equation refer to those covered by automatic diagnostics. In order to consider the test as a “diagnostic” it needs to comply

Safe Undetected SU

Safe Detected SD

Dangerous Undetected DU

Dangerous Detected DD

Note: Smart positioners and devices used in PST equipment are considered "PE" devices per IEC 61511 and IEC 61508 (Also referred to as "Type B" in IEC 61508).

Hardware fault tolerance Safe failure fraction

0 1 2 < 60% Not allowed SIL1 SIL2

60% - < 90% SIL1 SIL2 SIL3 90% - < 99% SIL2 SIL3 SIL4

≥ 99% SIL3 SIL4 SIL4



with a timing requirement (i.e. half the process safety time in continuous demand mode or ten times faster than the probability of occurrence of a dangerous failure, in low demand mode). In general, PST will not meet the timing requirement of an automatic diagnostic. PST should really be categorized as a semi-automated accelerated proof testing procedure.

CONCLUSIONS On-line partial stroke testing of ESD valves is an invaluable tool, if used correctly.

• Failure rate data used in the calculations should be derived from traceable “field-based” references.

• Take credit only for the portion of failures that PST can detect. • Consider the implications of introducing additional smart programmable

equipment for the automated PST, that conceivably could introduce additional dangerous undetected failures.

• Be aware that frequent PST may increase the probability of spurious trips. • Use PST to improve the PFDavg of the safety instrumented function (SIF) and/or

to extend the full stoke testing period. • Remember that PST is a partial proof test and not an on-line diagnostic. PST

should not be used to affect the safe failure fraction (SFF). • Do not take credit for PST to justify overcoming redundancy requirements of the

safety standards.

REFERENCES • IEC 61511, Part 1 & 2 “ Functional Safety: Safety Instrumented Systems for the process industry

sector”, Ed 1 - 2003

• IEC-61508, Part 2 “Functional Safety of electrical/electronic/programmable electronic safety related systems”, Ed 1 - 1998

• OREDA, “Offshore Reliability Data Handbook,” 4th Edition, 2002. Prepared by SINTEF Industrial Management and published by DNV- Det Norske Veritas, Norway.

• “Guidelines for Safe Automation of Chemical Processes”, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.

• Guidelines for Chemical Process Quantitative Risk Analysis, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, New York, 1989.

partial stroke testing implementing for the right reasons

Documents