All Search Results matching “riyaz ali”

My good friend Riyaz Ali, whom you may recall from earlier process safety and digital valve controller-related posts, was kind enough to send me an article he's recently written. The subject is performance diagnostics for control valves.

Since control valves are in the heart of the action controlling the flow of the process, they are usually located in difficult places such as hazardous areas, outside, cramped spaces, etc. These control valves are also expected to operate for longer periods without shutdown, as I highlighted in a recent plant turnaround post.

In the article, Riyaz shares how digital valve controllers receive positioning feedback on valve travel in addition to supply and actuator pneumatic pressures. Combining this information allows the on-board diagnostics to diagnose the digital valve controller itself, the valve, and the actuator.

Riyaz highlights five on-line (in service) diagnostics including supply pressure, relay adjustment, travel deviation, current-to-pressure (I/P) & relay integrity, and air mass flow rate performed by these smart positioners.

The supply pressure diagnostic examines the travel setpoint, travel, and supply pressure to look for any supply abnormalities in and to detect any supply droop during large travel excursions. This can help spot supply line restrictions that may have cropped up.

The relay adjustment diagnostic measures supply pressure, port A pressure, and port B pressure. This diagnostic monitors crossover pressure on double-acting actuators. The diagnostic also helps in setting the crossover pressure on large-volume actuators.

The travel deviation diagnostic looks at travel setpoint, travel, port A pressure, and port B pressure. It monitors actuator pressure and travel deviation from setpoint. This help plant personnel find stuck control valves, active interlocks, low supply pressure, or travel calibration shifts.

The I/P & relay integrity diagnostic looks at travel setpoint, travel, and I/P drive signal. This diagnostic checks for conditions such as plugging of the I/P primary, I/P nozzle, failures in the instrument diaphragms and O-rings, and I/P calibration shifts.

The final diagnostic that Riyaz highlights is air mass flow. It looks at supply pressure, relay position, port A pressure, and port B pressure. It estimates airflow through the relay and helps to detect leaks in the actuator or tubing to the actuator. It can also detect leaks downstream of the relay.

Riyaz shared this story of the air mass flow diagnostic with me. A process manufacturer has a double-acting actuator on a critical application. They discovered that a change in load did not move the valve, even though the automation system was correctly driving the signal to the digital valve controller.

Through the air mass flow rate diagnostic, they were able to detect that air was leaking and were able to make up the leaking air to move the valve to specified position. This helped tide them over until the next planned shutdown to inspect the actuator. When they opened the actuator, they discovered a missing o-ring that separates the top and bottom port of the actuator.

These air mass flow rate diagnostics help discover the problem to allow them to perform a workaround to run the valve until they could plan appropriate action to inspect the internals of actuator.

Riyaz notes that you can initiate all of these diagnostics together in a one-button sweep to help quickly troubleshoot issues around an improperly performing valve. In the article, Riyaz offers more detailed descriptions of the diagnostics and pictures of what the diagnostics look like from the AMS Valvelink software. I'll update the post and link to the article once it's posted and available on the web.

MP3 | iTunes

Emerson's Riyaz Ali, whom you may recall from earlier posts, wrote an Inside Functional Safety article recently titled, Digital Technology: A remedy for sick shutdown valves in Safety Instrumented System (SIS) applications. The paper is available for purchase from Inside Functional Safety, so I can't upload or link to it, but I'll highlight a few points Riyaz makes. Here's a portion of the abstract:

In the event of a safety demand, the final control element of a safety instrumented function (SIF) loop is a key component to a process going to a safe state. Unlike the logic solver or sensors (analog transmitters), the final control element requires a total shutdown to check the mechanical integrity. With the invention of the digital valve controller, a final control element's mechanical movement can be tested online by moving a span of 10% or 15% without disrupting the process.

For those not familiar with two of the major international safety standards for process manufacturers, IEC 61508 and IEC 61511, Riyaz provides this contrast:

IEC61511 is an industry specific version, specifically dealing with process industries in the "Functional Safety: Safety Instrumented Systems for the Process Industry Sector." IEC61511 provides clarity to the use of IEC61508 in automation protection systems for the process industries by using industry specific vocabulary, specific examples, and tailored requirements.

As mentioned in the abstract, the final control element is a critical portion of the safety instrumented function or safety loop to take the process to a safe state. It could be an emergency shutdown valve, blow down valve, emergency isolation valve, emergency venting valve, or on/off valve. These valves may remain dormant for long periods, so they must be tested periodically to make sure they will operate properly upon a safety demand situation.

Riyaz notes that conventional testing requires either process shutdowns or bypasses, the latter which add complexity and risk to the process flow. Completely testing the final control element's performance requires "...an in-line test that strokes the valve for full travel."

Without bypasses, the loss of production means process manufacturers want to extend these full stroke tests as long as possible, until the plant is shutdown for turnaround maintenance.

Riyaz describes ways developed to extend the time intervals for the final control element testing by partially stroking the valves. He writes:

It was recognized that the most likely failure mode of a discrete shutoff valve is to remain stuck in its normal position. To test for this type of failure, it is not necessary to completely stroke the valve to test its functionality. A large percentage of covert valve failures can be detected if a limited form of testing can determine that the valve is not stuck and will begin to move. Furthermore, if this type of test could be performed online without shutting down the process, improvements in the PFDavg could possibly be obtained without the loss of production.

Methods to perform this partial stroke testing include mechanical limiting devices and more recently logic solver-based testing:

...which sends fixed pulsations to the solenoid valve to monitor the subsequent movement of the valve. The pulse duration is set to allow slightly more than the required 10-15% movement. The feedback to valve movement is provided by an analog limit switch.

Whichever method is used, written safety procedures are important to make sure plant trips don't occur and proper documentation and maintenance is performed by properly trained personnel.

Riyaz shares how a digital valve controller is a good solution for these partial stroke tests because it:

...receives a control signal from the logic solver. It incorporates travel feedback of the valve position plus supply and actuator pneumatic pressures. This allows the smart positioner to diagnose not only itself, but also the health of the valve and actuator.

Since the process is not shutdown, the tests can be run more frequently and initiated by the logic solver, HART handheld communicator, panel, and/or PC. The tests are also automatically documented and can provide comparisons between tests. In the event of a safety demand, the digital valve controller can also provide a log to help understand the sequence of events for post-event analysis.

He clarifies that partial stroke tests, "...do not eliminate the need for full stroke test; however, it does extend the proof test interval." This extension is often long enough to reach the plant turnaround where all the final control elements can have full stroke testing performed.

If you are unfamiliar with some of these ways of partial stroke testing, you may want to purchase the paper or review some of the past blog posts in which I've featured Riyaz.

MP3 | iTunes

InTech magazine has a web exclusive on the importance of safety valves in a safety instrumented system. The article, Valve failure: Not an Option, describes methods of implementing partial stroke testing (PST) to reduce the probability of failure upon demand, average (PFD_avg).

For those not familiar with a partial stroke test, I found this definition:

This test checks for valve movement without fully stroking the valve. Many applications will allow 10% movements to verify valve response without upsetting the critical process line. Diagnostic data is collected and an alert is given if the valve is stuck.

The purpose of this test is to improve PFD_avg to possibly increase the safety integrity level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend the proof test interval, or a combination of both. Extending the proof test interval may allow process operators to avoid additional downtime by scheduling proof tests during turnarounds.

The author enumerates four methods of performing the PST: by the emergency shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or 2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4-doubled diagnostic (2oo4D) redundant device.

The part of the article that jumped out for me, which I needed to ask Emerson's Riyaz Ali about was:

Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.

In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny spec of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.

Riyaz offers some counterpoints. Advanced positioners or digital valve controllers such as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown valves and has gone through the rigorous design, testing and certification process defined in the IEC 61508 international safety standard for use up to SIL 3 applications. This design, testing and certification process was developed to ensure the applicability of the technology for this process safety application.

Riyaz notes that it is true that a very few applications do require shorter process safety times. He points out that it is not necessary to use a solenoid valve (SOV) to improve the stroking speed. Positioners can use pneumatic devices to achieve faster stroking time. I discussed a quick-exhaust example in an earlier post. For process manufacturers who still would like to use an SOV in the SIF loop, these SOVs have different capacities to meet the stroking speed requirements. Also, some of the more modern positioners like the DVC6000 SIS can also monitor the health of the SOV when it's used with a single-acting actuator. It performs checks for the dangerous failures of SOVs on-line without affecting the process.

Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL3 SIF in standalone mode. When used in standalone mode or in pneumatic series with SOV or other pneumatic accessories, it continuously checks the pneumatic integrity (functioning of I/P and pneumatic relay) to ensure that these components are working and ready to drive the valves upon a safety demand (see figure 13). If, during normal operation, any abnormality is noted, an alert is sent to the HOST system.

Riyaz also provides clarification that air quality requirements are always specified in each product bulletin for pneumatically operated valves and specifically, the safety manual of a field device always recommends to follow the ISA S7.0.01 air quality standard, which specifies the air be clean, dry, without oil, water or any particulate contaminates.

For your IEC 61511 process safety risk mitigation efforts, partial stroke testing performed by digital valve controllers can help you reduce the PFD_avg on your safety shutdown valves.

MP3 | iTunes

Update: Welcome, Plant Engineering Live blog readers! Jack, I appreciate the great recap of this post!

Update 2: Thanks to Dr. Beckman for pointing out my error on 2004D in the comment section of this post. It is "diagnostic" and not "double" as I'd originally written. I've also shown Dr. Beckman's comments to Riyaz and asked if he'd like to add a comment... stay tuned!

I'm lucky enough to receive a copy of Andrew Bond's Industrial Automation Insider newsletter each month through an Emerson subscription agreement. Andrew covers the happenings among the automation suppliers and standards bodies. You can also find some of Andrew's writings on the ControlGlobal.com site.

In the November 2008 newsletter, one item that caught some attention around here was this nugget:

...first TÜV-approved SIL3 Foundation fieldbus safety valve controller to appear on the market. The device delivers status changes automatically via Foundation fieldbus and incorporates real time alarm management eliminating the need for external wiring or I/O cards.

I have the privilege of working in the vicinity of two very knowledgeable people with respect to process safety, Riyaz Ali and Mike Boudreaux.

Riyaz notes that the Foundation SIF specifications are still under development. In a recent Fieldbus Foundation release, it quotes ARC's Larry O'Brien:

It is very clear that end users want this technology and are striving to include FF-SIF systems in their project specifications. Many major end users will probably be specifying FF-SIF systems for their new projects starting in 2011.

A September 2008 ARC whitepaper, Foundation Fieldbus Safety Instrumented Functions Forge the Future of Process Safety, provides background on the Foundation SIF standard advancement and its current draft status. Mike and Riyaz were present at the successful May 2008 Foundation SIF end user demonstration project in Amsterdam, and Mike shared his experiences with me. Riyaz also shared that one of the function blocks, the SIF_DO block, will not be available from the Fieldbus Foundation until the first half of 2009.

Many automation suppliers are developing products based on the current Foundation SIF draft, including Emerson. I asked Riyaz about the current solution Emerson provides until the standard is ratified. Riyaz responded:

The current solution for use in a Foundation fieldbus SIS application is to use the DVC6000f PD instrument. Several hundred units have been supplied worldwide to process manufacturers where partial stroke test scripts are run from host systems, such as the DeltaV system and AMS Device Manager.

In this application, process manufacturers use a solenoid valve operated by a hardwired digital output from the SIS logic solver.

Riyaz expects that until process manufacturers have sufficient experience, they will continue to use an independent solenoid valve to take the SIS valve to the fail state, while at the same time using a DVC6000f PD for partial stroke diagnostics using Foundation fieldbus through the basic process control system (BPCS).

Mike notes that both the DeltaV and DeltaV SIS systems are capable of performing these safety instrumented function predictive diagnostics. The DeltaV system is being used to perform partial stroke testing with the DVC6000f PD using Foundation fieldbus communications. The DeltaV SIS system is being used to automate partial stroke testing with the DVC6000 SIS safety valve controller using HART communications. This additional diagnostic coverage assists process manufacturers with their IEC 61511 safety lifecycle efforts.

Using diagnostics enabled by Foundation fieldbus and HART communications, the DeltaV and DeltaV SIS systems with DVC6000 digital valve controllers can provide many of the benefits today that are promised by Foundation SIF in the future.

MP3 | iTunes

Update: Next week is the Thanksgiving holidays in the U.S. and I'll not be posting. We'll be upgrading our version of Movable Type software. Wish us luck!

I received an email last week with some questions to an earlier post, Checking Your Safety Solenoid Valves. While protecting the emailer's anonymity, I thought I'd share the questions and answers provided by Emerson's Riyaz Ali with you.

The first question was about the assertion, "What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by smart SIS logic solvers like the DeltaV SIS system." The question was:

The apparent assumption here is that the DVC6000 SIS is added to the solenoid valve installation but does not replace it. This raises the question of what benefit the DVC6000 SIS has over other versions.

Riyaz responded:

The digital valve controller (DVC) is used as a diagnostics device to initiate partial stroke tests (PST) and to continuously monitor the health of valve, even if there is no change in input signal to the DVC. The DVC6000 SIS is certified for use in Safety Instrumented Function loop without solenoid-operated valves (SOV). Applications which require faster stroking speed and where a process manufacturer is more concerned about "safety availability" and would like to have either or device pneumatically in series to take the final element to a safe state, will employ DVC and SOV.

It is true that physically the DVC6000 and DVC6000 SIS have the same components (except sticker on cover and different firmware in microprocessor) but unlike the general DVC used for process control, the DVC6000 SIS for safety has built in:

• safe guard against spurious trip during PST
• PST on line in service without change of input signal
• configurable stroking speed to ramp (rather than step) slowly of fast during partial stroke test
• capture the PST test results and store in the non volatile memory of device
• using associated software allows the analyzed test results of health of the final Element
• audit documentation (comparisons and storage)
• returns the valve to its normal state after completion of test
• manual reset feature
• automate PST without any other user interface

A second question arose about what value there is if the DVC6000 goes to zero mA and loses power and thus losing its diagnostic:

Again, it doesn't appear that the SIS version is bringing anything to the party. If configured in the 0-20mA or 0-24 volt DC scheme and used as part of the safety trip, communications are lost during the trip and the feature described does not apply. If it is not used to trip the valve, why use the SIS derivative?

Riyaz answered:

When DVC is used with 0-20mA or 0-24VDC, it only loses its capability to trigger the event in the case of "Safety Demand". It otherwise has all other capabilities of a DVC6000 SIS operated by 4mA. When used with 0ma or 0VDC, DVC does take an active part in "Safety Shutdown" and makes "Final Element" to attain "Safe State". The DVC6000 SIS, when operated with 4-20mA, can capture and store the results in the nonvolatile memory for study and understanding of event which could provide vital clues of the event and also could provide learning lessons for the future. This provides the opportunity for safety reliability engineers to access and evaluate the "Demand Condition". Also, the details obtained can be used with regulatory bodies who would like to have audit of device in the case of demand.

The whole purpose of migrating from discrete on-off switch contacts to analog input (sensors) / output (final element) for logic solvers have evolved use of microprocessor-based field devices in safety instrumented systems. If one uses microprocessor-based devices then why should they not use 4-20mA instead of 0-20mA? I am still in the opinion that the analog signal for field device provides continuous monitoring by logic solver for its input and output. If one decides to use microprocessor-based devices, it makes sense to use 4-20mA rather than 0-20mA for the DVC, which does not offer any advantages. On top of it, the DVC6000 SIS when used with 4-20mA is certified for its compliance to IEC 61508.

The final question came up when I wrote, "One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection which provides maximum output pressure to the solenoid at minimum input signal in a case where the 4-20mA signal between the smart logic solver and digital valve controller is lost or severed." The question was:

Here the SIS is driven by a 4-20 mA signal but, amazingly, it is configured to fail to danger on loss of the control signal. I still don't see the benefit of the DVC6000SIS over its siblings.

Riyaz responded:

This is typically ETT (Energize to Trip) scenario, where during normal operation customer will use 4mA (because plant availability is highest) and upon Safety Demand customer would like to provide 20mA to DVC so that DVC can trip the valve.

In fact, one of the major oil and gas producers has already used this same scenario in their plant. They are using SOV to trip the valve and DVC for diagnostics, partial stroke test and SOV health test and uses DVC with reverse relay. Even if someone cuts the power to input signal of DVC, it still supplies full pressure to avoid any spurious trips.

I thought sharing this email exchange might provide answers for your IEC 61511 compliance efforts if you had similar questions when reading the earlier post.

Two very knowledgeable people in safety instrumented systems (SIS), Mike Boudreaux and Riyaz Ali, shared with me the story behind the recent news about the DVC6000 SIS digital valve controller (operated by 4-20mA) being certified to be compliant with IEC 61508 for use up to SIL 3 safety instrumented functions (SIF).

With this certification, DeltaV SIS logic solver's HART two-state, 4-20mA output and the Fisher DVC6000 SIS without any additional solenoids or other auxiliary devices can be used for SIL 3 applications. This configuration provides capturing trip events during safety demand, which provides crucial data for reliability and analysis by safety engineers of event. It's also helpful information for regulatory audits.

Now, I used my trusty friend Google to learn more about the HART two-state channel and found this page in DeltaV Books On-Line on the function block in the logic solver that helps make this happen. Basically:

...DeltaV SIS Logic Solver Digital Valve Controller (LSDVC) function block provides an interface to the DVC6000 SIS for safety shutdown and for partial stroke testing. The HART Two-state Output Channel provides the control signal and the HART communications path to the digital valve controller. You can configure the output channel to have an OFF_CURRENT of 0 mA or 4 mA. The control signal can command the valve controller to the tripped state regardless of the configured OFF_CURRENT value. Using an OFF_CURRENT value of 4 mA allows HART communication between the Logic Solver and the valve controller whether the valve controller is in the normal or the trip state. When the OFF_CURRENT is 0 mA, the power is removed entirely when the LSDVC function block drives the channel Off.

Mike noted that continuous diagnostics is possible because the valve closes when delivered a 4 mA signal. The DVC6000 SIS records the results of a demand event by logging all the results of travel and pressure data points in the microprocessor memory. This event log is critical for plant personnel, reliability engineers, and auditing authority to understand the final element status before and after the trip or demand event. Before the new certification was obtained, diagnostics would be lost on shutdown because the signal to the DVC would be 0 mA.

These on-line diagnostics coupled with partial stroke testing can be automatically initiated from the DeltaV SIS logic solver. This means that the final control element is periodically checked to help protect against spurious trips and to test for demand availability. The operator can also manually initiate these partial stroke tests from operator faceplates. The DVC6000 provides pass/fail status back via HART digital communications for alarming and historical event recording.

Riyaz pointed out that Type B devices (generally microprocessor-based) the IEC 61508 international safety standard (part 2, table 3) mandates redundancy in SIL 3 applications. This means the DVC6000 SIS connected to the DeltaV SIS HART two-state channel is suitable for SIL 1 and SIL 2 applications without redundancy, but for SIL 3 SIFs, IEC61508 mandates a full redundancy or hardware fault tolerance of one.

Achieving this certification helps reduce the components in these SIFs and increase the diagnostic coverage and capture of historical SIS information on demand.

I received an email with a great question to an earlier post, Improving Local Control around Safety Shutdown Valves. The question was:

Can you provide more information on your Local Control panel with Safety Shutdown Valve that haves a quick exhaust systems; can the partial stoke test not close the valve do to differential pressure on the quick exhaust system. Also if a shutdown signal is given during a test will it close the valve?

I spoke to Riyaz Ali, who shared his expertise in the earlier post. Here's his great answer in its entirety with picture and hyperlink added by me:

It is true that use of quick exhaust valve (QEV) on large valve with DVC6000 SIS for partial stroke test may dump large air during test. Generally, QEV operates on water column pressure differential and are sensitive. However, we recommend using volume booster on those applications where stroking speed is concern. One may argue that Volume Booster is for "Fill" time and not for "Exhaust". However, we have done test in the lab and established that volume booster will be much better pneumatic accessories, specifically when used with DVC6000 SIS for partial stroke test without causing instability in the operation during partial stroke test and as well meeting stroking speed requirements.

The picture illustrates a schematic of a large spring-return piston actuator with a DVC6000 and a volume booster to achieve a stroking speed requirement of less than two seconds.

During PST test, if demand arises DVC6000 SIS will take valve to safe state.

Here is more information about the LCP100 (Local Control Panel) for your perusal.

I hope that pulling this process safety-related question out of the realm of email into the open might help someone else with similar questions.

Update: I'd like to thank commenter JM for pointing out my LCP100 hyperlink going to the wrong spot. I've fixed. Thanks, JM!

In the world of process safety, technology continues to advance to assist process manufacturers in their IEC 61511 safety compliance efforts. I saw a recent press release on enhancements to the Fisher DVC6000 digital valve controller. The news was:

...enhancements include manual reset, a stored safety demand event log, pass / fail status after a partial stroke test, and third party certification to SIL3, SIF loop.

I asked Riyaz Ali, whom you may recall from earlier posts, to simplify what this all means for me. The stored safety demand event log he likened to an airplane black box recorder. If a process upset condition triggers a safety demand on a valve controlled by the DVC6000 SIS (operated by 4-20mA input signal), it in turn automatically triggers an event log to capture the data into non-volatile memory locally in the digital valve controller.

This log keeps pre- and post-event data of the operating conditions surrounding the safety demand event. Examples of the type of data stored away in this event log include: travel, travel setpoint, output pressure with time in seconds, graphical representation of data points and date and time stamp of the trigger event for regulatory compliance.

Riyaz also described for me the partial stoke testing reporting. It now will provide pass/fail status and a signature curve of the valve stem movement. These partial stroke tests periodically diagnose the SIS valve to help ensure its availability. Also, a specially designed built-in relay provides protection against spurious trips which improves overall process availability. Other information provided back to the AMS ValveLink software includes diagnostics on stick slip, shaft integrity and maximum and minimum torque values.

For the DVC6000 SIS, the Fisher team achieved third-party certification for compliance to the IEC 61508 international safety standard for use in a SIL 3 safety instrumented function. This means that process manufacturers can use the DVC6000 SIS as part of the safety instrumented function in the SIL 3 loops they identify as part of their risk assessment and risk mitigation strategy.

Having all these digital valve controllers keeping logs of what's going on especially around upset conditions can greatly assist root cause investigations and help avoid future abnormal situations. And the diagnostics coming from the partial stroke tests can help process manufacturers avoid these abnormal conditions in the first place.

I caught up with Riyaz Ali who is in our organization managing Emerson's Fisher brand of valves and regulators. You may recall Riyaz from some earlier posts on safety valve local control panels, partial-stroke test in safety applications, and testing safety solenoid valves.

Riyaz has been hearing more and more questions from process manufacturers, consultants, integrators, and other automation professionals about the adoption of the IEC 61508 and IEC 61511 international safety standards. These questions tend to get very specific about the safety integrity levels (SIL) for the components within the Safety Instrumented Function (safety loop.) Today all components of the safety instrumented function (SIF) including the logic solver, sensor, and final control element may have microprocessors that can perform self-diagnostics and communicate these diagnostics digitally to the logic solver.

Riyaz wanted to help clarify some questions on SIL ratings and field devices. If a process manufacturer hears that that field device is "SIL 3-rated" in accordance with IEC 61508, this is not the case. Field devices alone are not capable of a particular SIL rating.

These devices may be suitable for use in a SIL 3-rated safety instrumented function. In other words, this SIL rating applies to the entire loop and not the individual components within the loop.

The second key point Riyaz made with me is that a single microprocessor-based device (categorized as Type B in the IEC 61508 part 2, table 3) cannot have suitability for use in a SIL 3 safety instrumented function without additional hardware fault tolerance per these IEC standards.

Obviously, there is quite a bit to these safety standards and their application, and I hope some of these blog posts on the topic of safety help you in your adoption of these standards in your facilities.

You have to admire the way a team of engineers when presented with a challenge, come up with a better, less costly approach. Such is the case with a local control panel for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall Riyaz from earlier posts on the topic of safety.

The challenge is that safety shutdown valves with conventional local control panels have typically required ten input/output connections between the safety system's logic solver, local control panel, solenoid and digital valve controller as the picture indicates. These panels get hard wired signals from the safety instrumented system's logic solver for light indication of valve Open, Close, and Ready to Reset. Also, if the logic solver needs to open the valve after "Ready to Reset" light indicator, "Valve Open" signal needs to be sent to local controller for field technician to open the valve on separate pair of wire. It will also require an additional I/O for shutting the valve from local controller in case of an emergency.

Now, many plants keep metrics on what it costs to install each I/O point, but a ballpark figure of $2,000 USD per I/O point is typical.

The approach Riyaz describes is based on the Fisher LCP100 local control panel which requires 5 I/O. This means roughly $10,000 savings per installed smart local control panel. If your facility is a refinery, petrochemical, or chemical plant, this could add up, based on your number of safety valves with local control panels. This panel digitally communicates directly with Emerson's Fisher DVC6000 digital valve controller to eliminate the need for separate wiring for Valve Open and Close indication, Ready to Reset indication, and pushbuttons for manual Valve Open and Close. These digital communications also provide diagnostics to reduce the ongoing costs of maintenance typical with hard-wired solutions.

Riyaz also points out the digital valve controller can provide on-line diagnostics and partial-stroke testing to assist the process manufacturer in checking the safety instrumented function which includes these shutdown valves.

As with most digital communications, the long term benefits in diagnostic coverage with this integrated approach are usually greater than the initial benefits in installation cost savings.

Before the holidays, Dave Harrold wrote a post, A Wee Bit More About Safety Instrumented Systems, in his Dave @ AFAB Group blog. He describes his work with Dr. Angela Summers, founder/president of SIS-Tech Solutions on a guidelines book for the global IEC 61511 safety standards. Dave also referenced an SIS-related Q&A article Angela wrote for Flow Control magazine.

I forwarded the post and Flow Control article link to Riyaz Ali, whom you may recall from an earlier post. Riyaz wanted to add to the conversation and make three specific points in reference to the Flow Control article.

On the question regarding the use of digital valve positioners to perform partial testing and its relationship to the proof test interval, Riyaz agrees that the proof test is far more than a partial stroke test. The proof test can be performed on a final control element either on-line when a bypass valve exists or offline when the process is shutdown, such as during a plant turnaround. Many process manufacturers do not have large bypass valves and seek to extend the interval between plant turnarounds as long as possible. The on-line partial stroke testing provided by digital valve positioners can help extend the time between proof tests. They do not replace these tests. Riyaz points to a Control Engineering magazine article authored by Dr. Summers, Partial Stroke Testing of Safety Block Valves, in which she points out:

Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke testing to supplement full-stroke testing to reduce a block valve's PFD.

Being a mechanical item, testing of SIS "Final Control Element" offers challenges but at the same time represents a significant failure contributor to SIF loop. Partial stroke test by digital valve positioners not only allows "audit documentation" but also allows diagnostics health of valve, a key feature to improve reliability of SIF loop.

Riyaz did take exception to a statement in the article about throttling valves:

Positioner failures are the leading cause of control failure, so the positioner should not be used to actuate the valve in an SIS application when preventing events associated with a loss of control. Instead, a solenoid-operated valve should be used to independently close the control valve.

He notes that control valves are better geometrically designed with proper actuator and valve plug connection to reduce hysteresis, dead motion, sticktion, backlash etc., compare to shut down valves those are typically keyed shaft and mainly used for On and Off function. The main concern for shut down valves is stuck condition. If initial inertia force is broken during normal exercise of valve either through partial stroke test or by modulating through DCS signal, it is very likely that valve will be available during a safety demand, when required to bring the process to safe state.

His final point is on the question regarding smart positioners for partial stroke testing of smart valves. Positioners operated by air have been used in process control industries for years to improve performance of control loop. It is becoming rarer to come across a process loop not without positioners, especially where the application improved process variability. Based on its usage and benefits in process control, process manufacturers have started using them for Safety Instrumented Systems also. Riyaz agrees with Dr. Summers comment that positioners have smaller orifice but any thing larger than 8"-12" size valve, even otherwise a Quick Exhaust Valve or similar mechanical device will be used, if fast stroking speed is desired. Len Laskowski adds that the driving factor is process safety time. Many times larger valves do not need to close in one or two seconds, and in fact require a more controlled closure to avoid negative effects on process and utility equipment. It all hinges on the process safety time for each application.

Positioners by design are to bleed very small air to keep the air flowing as well keep pressure higher than atmospheric so as avoid any external atmospheric corrosive gas getting inside the housing. Also during partial stroke test positioners exhaust and fill the air, which makes its mechanical parts moving and avoid any build up.

Digital valve positioners allows partial stroke testing, while process is running and provides date and time stamp of test with capability to store and compare test results. Also, being a microprocessor based, these positioners allow remote testing and retrieval of data remotely. The main advantage is predictive maintenance by providing valve degradation analysis, which is important to critical valves in safety related systems. If by any chance valve is stuck, digital valve positioners are capable of providing alerts to operators to fix the problem.

In an earlier post I discussed the critical role the final control element plays in a safety loop or safety instrumented function (SIF) in safety parlance. This equipment mostly stays in one position until called upon to move should an emergency situation arise. Digital valve controllers like the Fieldvue DVC6000 SIS provide partial stroking of the valve to process manufacturers design their safety instrumented functions to reduce the Probability of Failure on Demand (PFD).

Even with the advancement of intelligence in digital valve controllers to do this partial stroke testing, a problem remained in testing the solenoid valves used in the safety instrumented function. These solenoid valves are installed to quickly bleed the air supply to the valve actuator that is holding the SIS valve open or closed. The only real way to test this solenoid valve has been to trip it causing the safety function to occur. These spurious trips can be quite strenuous on the plant piping and process equipment.

Riyaz Ali, a development manager in Emerson's Fisher division showed me the latest advancements to the DVC6000 SIS to test the solenoid without causing safety valve movement. What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by smart SIS logic solvers like the DeltaV SIS system.

This time window of the pulse is long enough for the solenoid valve to vent which provides verification that it is functional. But the time window is short enough so that the actuator does not bleed off enough pressure to make the SIS valve move. Diagnostics in the DVC6000 SIS can sense and capture the data for the momentary pressure blip across the solenoid valve during the test. It also records pressures, travel information, and other diagnostic information.

Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data during a trip event, much like an airline's "black box" flight recorder. This data collection can be triggered upon a change in actuator pressure, valve travel, input current, pressure differential, travel deviation, travel cutoff, or an externally defined trigger event. This data can be helpful when reviewing the causes of a safety trip as well as having the data available for regulatory reporting.

One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection which provides maximum output pressure to the solenoid at minimum input signal in a case where the 4-20mA signal between the smart logic solver and digital valve controller is lost or severed.

Together, these technologies give process manufacturers an end-to-end way of checking the safety instrumented functions including the solenoid valves, to assist their design, implementation, and ongoing testing phases of the IEC 61511 safety lifecycle.