Positioners and Partial Stroke Tests in Safety Applications

InTech magazine has a web exclusive on the importance of safety valves in a safety instrumented system. The article, Valve failure: Not an Option, describes methods of implementing partial stroke testing (PST) to reduce the probability of failure upon demand, average (PFDavg).

For those not familiar with a partial stroke test, I found this definition:

This test checks for valve movement without fully stroking the valve. Many applications will allow 10% movements to verify valve response without upsetting the critical process line. Diagnostic data is collected and an alert is given if the valve is stuck.

The purpose of this test is to improve PFDavg to possibly increase the safety integrity level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend the proof test interval, or a combination of both. Extending the proof test interval may allow process operators to avoid additional downtime by scheduling proof tests during turnarounds.

The author enumerates four methods of performing the PST: by the emergency shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or 2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4-doubled diagnostic (2oo4D) redundant device.

The part of the article that jumped out for me, which I needed to ask Emerson’s Riyaz Ali about was:

Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.

In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny spec of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.

Riyaz offers some counterpoints. Advanced positioners or digital valve controllers such as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown valves and has gone through the rigorous design, testing and certification process defined in the IEC 61508 international safety standard for use up to SIL 3 applications. This design, testing and certification process was developed to ensure the applicability of the technology for this process safety application.

Riyaz notes that it is true that a very few applications do require shorter process safety times. He points out that it is not necessary to use a solenoid valve (SOV) to improve the stroking speed. Positioners can use pneumatic devices to achieve faster stroking time. I discussed a quick-exhaust example in an earlier post. For process manufacturers who still would like to use an SOV in the SIF loop, these SOVs have different capacities to meet the stroking speed requirements. Also, some of the more modern positioners like the DVC6000 SIS can also monitor the health of the SOV when it’s used with a single-acting actuator. It performs checks for the dangerous failures of SOVs on-line without affecting the process.

Safety Instrumented System Schematic with DVC6000 SIS Digital Valve Controller in 4-Wire System
Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL3 SIF in standalone mode. When used in standalone mode or in pneumatic series with SOV or other pneumatic accessories, it continuously checks the pneumatic integrity (functioning of I/P and pneumatic relay) to ensure that these components are working and ready to drive the valves upon a safety demand (see figure 13). If, during normal operation, any abnormality is noted, an alert is sent to the HOST system.

Riyaz also provides clarification that air quality requirements are always specified in each product bulletin for pneumatically operated valves and specifically, the safety manual of a field device always recommends to follow the ISA S7.0.01 air quality standard, which specifies the air be clean, dry, without oil, water or any particulate contaminates.

For your IEC 61511 process safety risk mitigation efforts, partial stroke testing performed by digital valve controllers can help you reduce the PFDavg on your safety shutdown valves.

GreenPodcast.gif MP3 | iTunes

Update: Welcome, Plant Engineering Live blog readers! Jack, I appreciate the great recap of this post!

Update 2: Thanks to Dr. Beckman for pointing out my error on 2004D in the comment section of this post. It is “diagnostic” and not “double” as I’d originally written. I’ve also shown Dr. Beckman’s comments to Riyaz and asked if he’d like to add a comment… stay tuned!

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

8 comments

  1. Jack Smith says:

    Jim, PST also does not account for the integrity of the valve seat, or lack thereof. Also, when testing during a shutdown or turnaround, many times shutoff valves are not tested under normal operating pressure. PST is all about statistics, of which Murphy’s Law is the enemy.

  2. Hi Jack, Thanks for your comment!

    I sat down and spoke with Riyaz to get his additional perspectives and some pictures and wanted to add them to the conversation.

    It is true that a partial stroke test, as its name indicates, does not check seat integrity for Normally Open valves (FAIL Close during Demand)–which is the normal operating conditions for the majority of safety shutdown valves. However, from past incidents, the major concern is that the shut down valves that don’t move periodically are susceptible to sticking or remaining stuck upon a safety demand.

    A basic law of physics are that stationary things will remain in same position until and unless they are jerked or exercised. It’s just like our human bodies, which require regular exercise to maintain flexibility and to avoid stiffness. For this same reason, a partial stroke test helps to break the initial static friction of the final control element in a SIF loop. This helps ensure that the safety shutdown valve is not jammed and is available on a safety demand. So, in addition to the diagnostic benefits, partial stroke testing also provides some failure prevention benefits.

    Your point raises a valid concern that the PST does not check the seating part of the valve stroke. However, a key part of the process safety design stage is that the selected valve be correctly sized based on process fluid, process parameters, metallurgy, actuator shut off, etc.

    Generally, on-off valves are not used to throttle energy during normal operation. As a result, appreciable wear and tear on trim area is not expected. Therefore, it is expected that the valve will shut to the desired shutoff leakage classification per its design. The concerns in this case are:

    • whether the valve remains in one state for long time without movement
    • will it move or not due to process build up (until something is stuck between plug and seat at the closure end of valve).

    This is where a partial stroke test is useful and has been proposed in the IEC 61511 part 2 section 11.4.5 as an “additional diagnostic”. A diagnostic coverage factor is applied in the SIF design calculations to account for partial diagnostics.

    For those infrequent applications where the valve remains closed during normal operations, the seating is not a concern because the valve will be fully open during a safety demand.

    Generally, mechanical items such as valves are tested for their seat leakage tightness in accordance to ANSI B 16.104 standard before it leaves the factory. As mechanical items, they follow bath tub curve characteristics for their useful lives. Normally for control valves, which throttles the energy, during shut down or turnaround period trim parts are rebuilt, inspected and tested as original to get the required seat leakage classification.

    Safety shutdown valves, on the other hand, are non-throttling (on/off) valves and not expected to have appreciable metal erosion on trim area. But, it is still a possibility and remains something to inspect these trim parts during a normal turnaround.

    With the advent of digital valve controllers mounted on these On-Off valves, it is easy to take an “X-ray” of the internals by running a valve signature test during shutdown or turnaround. These digital valve controllers, with their embedded intelligence, run the valve signature test by moving the valve from its zero to full travel and during the course of action, memorize the output pressures required to move the valve to desired travel.

    These microprocessor-based devices, like the DVC6000, have a built-in algorithm that in conjunction with its companion software, can compute the Seat Load required, Seat Load tested, etc. to inform the process manufacturer whether enough seat load is available to meet specified ANSI seat leakage rating.

    This not only saves appreciable maintenance work, but also saves considerable time during a shutdown to have the ability to check seat leakage at the valve without taking out of line to the workshop and dismantle for inspection of trim.

    Therefore, these digital valve controllers can be used for PST during normal operation to exercise movement and perform full stroke valve health tests during a turnaround or shutdown.

  3. Jack, I received this note from Emerson’s Steve Anderson with our Fisher FIELDVUE team:

    Jack,

    You make a good point about valve seat integrity.

    Riyaz mentioned valve signature for getting the seating profile (this is an offline test which performs a full stroke of the valve). Another capability of the digital instrument like the DVC6000 SIS is to gather data during an actual plant trip. The instrument can be set up to trigger on a trip and collect data at high rates within the positioner. This trigger data can be reviewed post-trip to get an indication of how the valve performed during the trip event, allowing maintenance activities to be planned accordingly.

  4. Dr. Lawrence Beckman says:

    Gentlemen, a few points of interest based on your comments:
    1) In a safety application, one need not close the valve completely to shutdown the process.
    Only a portion of the possible failure modes are tested by the PST; but then only partial credit is taken, typically 70%.
    2) The reliability of any external device (i.e., Quick Exhaust Valves which are not SIL rated)used in conjunction with positioners must be included in both the safety (PFDavg) and availability (Spurious Trip Rate)computations for the positioner.
    3) Positioners are simplex devices with no fault tolerance, and as such are suspectible to both dangerous failures and spurious trips.
    4) Positioners are not tested prior to conducting the PST of the ESD Valve, and an internal component failure could initiate a false trip of the process.

  5. Dr. Lawrence Beckman says:

    Please be advised that the “D” in the 2004D indicated that it has diagnostic capability, and can perform testing of its internal components prior to conducting the PST of the ESD Valve.
    The 2004D architecture which is TUV Rheinland approved up to SIL 3 is available commercially in the SILstroke-3 PST device from SafePlex Systems, Inc. at http://www.safeplexsystems.com.

  6. Dr. Beckman, I received this reply from Riyaz Ali who is currently traveling and asked me to post on his behalf. I’ve blockquoted his responses below your 4 points. Regards, Jim

    1) In a safety application, one need not close the valve completely to shutdown the process. Only a portion of the possible failure modes are tested by the PST; but then only partial credit is taken, typically 70%.

    It is true as name indicates PST is partial stroke test, providing partial diagnostic coverage. I do not believe that any presently available solution can do full stroke test of final control element (FCE), while plant is running and shutdown valve is in line.

    Based on previous accidents, statistics shows that the FCE is a larger contributor of failure in SIF loop. Assuming the valve is sized, selected and properly engineered with required shut off pressure, it should meet the full travel requirements. FCE failures are typically sticking or fully stuck due to process build up. This is again the same physics law, if stationary things remain static for longer time; its probability of successful movement when required is reduced considerably. Partial Stroke Test does exact same thing to exercise or break the resistance of mechanical non-movement.

    2) The reliability of any external device (i.e., Quick Exhaust Valves which are not SIL rated)used in conjunction with positioners must be included in both the safety (PFDavg) and availability (Spurious Trip Rate) computations for the positioner.

    Mechanical items like volume booster and QEV have been in the field for past three to four decades and have established their reliability. Furthermore, mechanical items failure mechanism differs compare to electrical / electronics or microprocessor based devices.

    3) Positioners are simplex devices with no fault tolerance, and as such are susceptible to both dangerous failures and spurious trips.

    Digital Valve Controllers, such as Emerson’s Fisher DVC6000 SIS, are microprocessor-based devices and they incorporate an intelligence algorithm, using various built-in sensors, to safe guard against spurious trip and dangerous failures. FMEDA completed by Emerson in conjunction with safety experts and reviewed / audited by a third party does furnish lambda (safe detected, safe undetected, dangerous detected, dangerous undetected) values. This can be used to compute MTTFs (Mean Time To Fail Spurious) and MTTFd (Mean Time To Fail Dangerous). The DVC6000 SIS has undergone the rigorous design, testing and certification process defined in the IEC 61508 international safety standard for use up to SIL 3 applications as a standalone device on strict evaluation by third party. By the way, Digital Valve Controllers are in use for SIS applications now for almost ten years and for BPCS applications, even longer.

    4) Positioners are not tested prior to conducting the PST of the ESD Valve, and an internal component failure could initiate a false trip of the process.

    Innovation in microprocessor-based positioners allows the DVC6000 SIS not only to stop slam shut and avoid spurious trips during PST but also to provide an alert on the issues with the health of Final Control Element.

  7. Can you explain me, Is it possible to initiate PST through HART protocol?
    If so can you brief it?

  8. riyaz ali says:

    PST command for DVC6000 / 6200 SIS can be initiated by

    • HART command from DeltaV SIS
    • HART command from Handheld
    • HART command from ValveLink standalone, SnapOn to AMS or PRM
    • HART command from ValveLink DTM SnapOn to FDT frame of any HOST Yokogawa, Emerson, ABB, Invensys, Honeywell etc.

    Aux Contact on DVC can also initiate PST
    o By shorting it locally
     By Push button on DVC or away from DVC or LCP100
    o By remotely, in case of remote dry contact to Aux can be sourced through Logic Solver (HOST)

Leave a Reply