Final elements, comprising shutdown valve, actuator, solenoid valve and most often a limit switch, are associated with the highest failure rates within a safety instrumented function. Online testing therefore appears to be the remedy that avoids frequent full proof tests, each of which requires a plant shutdown.
Partial stroke testing means a partial movement of the safety valve that does not interfere with the operation of the process. Successful movement is intended to prove that the valve can be operated. As simple and convincing as this procedure might look at first glance, its quantification and its implementation in the process environment pose certain challenges. The most important issues are:
* Evaluating and giving a quantitative assessment of the diagnostic coverage factor.
* Applying this procedure during operation without generating negative effects on availability and safety.
* Proving that the partial stroke occurred despite the fact that the valve positioner usually has no validated software.
The presentation proposes to treat the implementation of partial stroke as part of the management life cycle of a safety instrumented function (SIF). Following this line of consideration, diagnostic coverage can be determined. A solution for proof and validation of the actual testing in the field is proposed. Integration into the instrument and system environment of the safety programmable logic controller (PLC) and basic process control system is important to make full use of the implemented features, even beyond online testing. Two alternative configurations are discussed with their advantages and drawbacks.
Life cycle management in accordance with IEC 61511
The core element of IEC 61508/61511 is the management of functional safety. For safety instrumented systems (SIS), the stages of the safety life cycle have to be determined and implemented.
According to IEC 61511-1, Chapter 5, Fig. 8, this comprises the steps of hazard analysis, the allocation of safety functions as well as the design and engineering of the safety system. Very important steps are the validation of the system after installation and commissioning and the rules for operation and maintenance of the system. A clear maintenance strategy has to be designed.
Unfortunately, the discussion between manufacturers and operators is quite often focused on failure rates (lambda values) only: it is assumed that, for IEC 61511 compliance, it is sufficient for the manufacturer to supply lambda values appropriate to the targeted SIL. However, it must be noted that:
* A SIL applies only to the complete safety instrumented function, never to a single device. This seems obvious to the expert, but day-to-day experience shows that it is not generally known.
* The failure rate is only one of the elements governing the SIL of a safety loop. Achieving a SIL is not just a matter of obtaining a 'reliable' device from the manufacturer and squeezing them for lambda values. The SIL is determined by many factors, including the hardware, the architecture of the SIF, the quality of the instruments used and how well they match the given hazard, and then the maintenance strategy, the experience and training of field personnel and the procedures for testing and repair.
The valve train as a decisive factor of a SIF
The selection of the final element is an important point. An analysis of the process and hazard should clarify critical points and possible failure modes. In order to avoid failure modes as far as possible, the selection of valve technology and design is crucial. Furthermore, the performance of the final element is governed by the interaction of all components; factors including the valve's sealing ability, excessive actuator force, closing speed and others are important and should be stated explicitly. The analysis of the process is used as the backbone of the maintenance structure and testing procedures to be defined later. Reliability characteristics of final elements should be stated by the manufacturer.
IEC 61511 credits proven-in-use (prior use) experience by allowing the minimum required hardware fault tolerance to be reduced by one (Table 1). The general reliability figures provided by the manufacturer have to be validated by the operators for their given processes, as operating conditions in chemical and petrochemical plants can be quite different. Valve performance is influenced by many factors, such as the medium handled, pressure drop, operating temperature of the medium and the environment, presence of erosive particles in the medium, etc. Consequently, the responsibility for the correct use of the valve in the plant and for its reliability in a given process rests with the operators. The issue of mechanical, pneumatic and electric interfaces between the individual components of a SIF is quite often underestimated as well. As QC data show, the mechanical linkage between positioner and valve is the most common cause of failure apart from air supply problems. Consequently, the final element should be analysed for failure modes as a block, comprising valve, actuator, solenoid valve, mechanical linkage, and the pneumatic and electric connections between the components and towards the DCS. This comprehensive scope will provide much more realistic data than the easy way of adding up the lambda values of the components as provided by the manufacturer.
Online testing of a SIF
In accordance with Figure 1, testing is one of the crucial factors governing the PFD value, which determines the achieved SIL. Two elements are of influence: the frequency of testing and the diagnostic coverage. A low PFD value calls for frequent testing. However, as testing can usually be done only during shutdown, this safety requirement stands directly opposed to the desire for high availability. The conflict can be resolved by online testing. A procedure applicable to valves is partial stroke testing: the valve is not fully stroked but moved by, for example, 10%, without influencing the process, or at least without the need to shut the process down. To obtain a high diagnostic coverage, the test procedure should be equipped with more capable instrumentation than the purely on/off indication associated with shutdown valves (valve closed is reported by an inductive switch with a limited accuracy of only several percent, subject to temperature drift and tedious mechanical adjustment). This can be replaced by the diagnostic tools of a state-of-the-art positioner and by analog, continuous position measurement. Such measurement is performed with high precision, possibly calibrated by auto-tuning, giving accurate and reliable information on the position and on the position as a function of time; these data can be time stamped, and a plot of travel over time is available. To perform such a test, the solenoid valve has to be replaced or complemented by additional means.
Different ways of instrumentation are possible. A mechanical system or alternatively the control logic of the safety PLC may be used. The most promising solution is the use of a digital positioner with implemented diagnostic features. Regardless of the method used, the following points can serve as a checklist:
* Is the safety function available during testing? (The use of mechanical instruments for partial stroke testing is critical.)
* Should instruments unknown to the plant and the maintenance staff be used? (The invention of new 'smart boxes' and specialised equipment is not favoured by IEC 61508.)
* Has a quantitative assessment of the diagnostic coverage (DC) factor been made? Once the DC factor has been determined, the improvement of the PFD can be calculated; for a 1oo1 final element:
PFDavg(1oo1) = DC · λd · TIa / 2 + (1 − DC) · λd · TIm / 2
• λd = dangerous failure rate.
• TIa = partial stroke test interval.
• TIm = manual (full stroke) test interval.
• DC = diagnostic coverage factor.
* Safety vs availability: Will overshooting of the valve during testing pose any danger to the operation of the plant?
* Is there any proof of the partial stroke? As the software of valve positioners is generally not approved, how can it be proved and validated that a partial stroke has actually taken place?
* Finally, what can possibly be achieved? Some published articles state that a diagnostic coverage of approximately 60% to 70% cannot be surpassed, which would allow the manual test interval to be extended by roughly a factor of 2.
Diagnostic coverage
The issue of diagnostic coverage is most often under debate between manufacturers and operators. The diagnostic coverage factor specifies which share of the dangerous failures (weighted by their failure rates, not merely counted) can be detected by online testing. Therefore, it is implied that:
* All failure modes are analysed and known.
* A set of precise and well-defined diagnostic tools and methods is available.
Following this line of thinking, it is obvious that the standard question from operators to manufacturers, "What is the diagnostic coverage factor for the positioner?", does not address the issue correctly. Manufacturers can only answer by stating:
* The available diagnostic methods.
* Reliability data for valve and for positioner.
* Perhaps failure modes in general for the valve.
* Advice on how to use the valve.
The diagnostic coverage factor cannot be evaluated by only looking at the instrumentation of the SIF. As with operation of the valve in general, it is the clear responsibility of the end users to analyse the situation for their specific processes. Failure modes are different for different media. A valve handling clean gas will face different problems to those of a valve handling a crystallising medium.
Valve selection has to be done with regards to pressure drop, output velocity, basic valve design and materials, and is crucial to failure modes. Once the failure modes have been determined, they can be compared to the results obtained by online testing of partial stroke in general - and considering the diagnostic power and features of the chosen positioner in particular.
The analysis of the failure modes and of the diagnostic power available can be combined by performing an FMEDA (failure modes, effects and diagnostic analysis). An example is given in Table 2. This method allows a realistic diagnostic coverage factor to be determined.
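An added example of the FMEDA arithmetic (not the article's Table 2 and not manufacturer data): the failure mode rows, their rates and the "detected by partial stroke" flags below are constructed for a spring-return shutdown valve with separate solenoid valve and diagnostic positioner. The point it shows is that DC is the detected share of the dangerous failure rate, so one undetectable mode with a high rate (seat leakage, a stuck solenoid) pulls the figure down far more than several detectable ones raise it:

```python
"""FMEDA-style determination of the diagnostic coverage of a partial stroke test.

Added worked example (not from the article, and not manufacturer data): the
failure modes, rates and detectability flags below are constructed to show the
method. DC is the share of the dangerous failure RATE that the online test can
reveal, lambda_DD / (lambda_DD + lambda_DU), not a count of failure modes.
"""
from dataclasses import dataclass, replace

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    rate_fit: float        # lambda of this mode, in FIT
    dangerous: bool        # True: would prevent the safety action on demand
    detected_by_pst: bool  # True: the partial stroke with positioner diagnostics reveals it


# Constructed FMEDA rows for a spring-return shutdown valve with separate
# solenoid valve and diagnostic positioner (configuration "a" of the article).
SAMPLE_FMEDA = [
    FailureMode("valve", "stem seized, valve stuck open", 600, True, True),
    FailureMode("valve", "seat leakage on closure", 250, True, False),  # needs full stroke + leak test
    FailureMode("valve", "trim eroded, valve passes", 150, True, False),
    FailureMode("actuator", "spring broken", 100, True, True),
    FailureMode("actuator", "diaphragm ruptured", 120, True, True),
    FailureMode("solenoid valve", "fails to vent (stuck)", 300, True, False),  # not exercised by PST here
    FailureMode("solenoid valve", "spurious vent", 200, False, False),         # safe failure: trips the valve
    FailureMode("linkage", "positioner feedback linkage loose", 200, True, True),
    FailureMode("limit switch", "contact fails to change state", 80, False, True),  # diagnostic only
]


def diagnostic_coverage(modes):
    """Return (DC, lambda_DD, lambda_DU), rates in failures per hour."""
    lam_dd = sum(m.rate_fit for m in modes if m.dangerous and m.detected_by_pst) * FIT
    lam_du = sum(m.rate_fit for m in modes if m.dangerous and not m.detected_by_pst) * FIT
    if lam_dd + lam_du == 0:
        raise ValueError("FMEDA contains no dangerous failure modes")
    return lam_dd / (lam_dd + lam_du), lam_dd, lam_du


def undetected_rate_by_component(modes):
    """Dangerous-undetected FIT per component, largest first: this is where a
    different valve design or an additional diagnostic would pay off."""
    totals = {}
    for m in modes:
        if m.dangerous and not m.detected_by_pst:
            totals[m.component] = totals.get(m.component, 0.0) + m.rate_fit
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def with_component_tested(modes, component):
    """Re-assess the FMEDA as if the partial stroke exercised `component`
    (e.g. the pneumatic path when the positioner itself performs the trip)."""
    return [replace(m, detected_by_pst=True) if m.component == component else m
            for m in modes]


if __name__ == "__main__":
    dc, dd, du = diagnostic_coverage(SAMPLE_FMEDA)
    print(f"config a: DC = {dc:.0%}, lambda_DD = {dd:.2e}/h, lambda_DU = {du:.2e}/h")
    print("undetected by component (FIT):", undetected_rate_by_component(SAMPLE_FMEDA))
    dc_b, _, _ = diagnostic_coverage(with_component_tested(SAMPLE_FMEDA, "solenoid valve"))
    print(f"config b (positioner trips the valve): DC = {dc_b:.0%}")
```

For the constructed table the result is DC = 59%, inside the 60% to 70% region quoted above, and the breakdown shows why: seat-related modes that a partial stroke never reaches, and the solenoid valve that it does not exercise. Treating the solenoid path as exercised, as in configuration (b) discussed later, lifts the figure to 77% without touching the valve itself.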
Validation of partial stroke
The need for validation of the partial stroke procedure is obvious when it is used to justify an improved PFD value for the SIF. However, this validation or proof cannot be generated by the software of the valve positioner. Normally, the positioner software used in the field is not certified according to IEC 61508.
The problem is the restricted electric power available to field instruments, which limits the available computing power. This in turn restricts the use of software tools, object-oriented programming, etc. Certified positioners are available on the market, but they are certified only for shutting down the valve when the electric power at the input terminals of the positioner fails completely. This obstacle can be overcome by additional instrumentation, for example a positioner with an inductive limit switch integrated into the positioner housing. The signal of this limit switch does not depend on software; it is available as an approved device with a SIL rating. The limit switch should be mechanically adjusted to record the partial stroke (for example at 90% valve position).
The output is wired to the safety PLC. Using this configuration, the signal of the limit switch is recorded and can be marked with a time stamp within the safety PLC. This 'chain' of approved components ensures that the partial stroke is recorded in a reliable way. Furthermore, the diagnostic data generated by the partial stroke and stored in the positioner, such as the valve speed, dead time, precise position of valve and smoothness of valve travel, can be validated by comparing their time stamp with the time stamp recorded by the safety PLC.
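The validation logic of this 'chain', as an added example (not code from the article or from any positioner or PLC vendor): the safety PLC's time-stamped limit switch record is the trusted evidence, and the positioner's diagnostic record, which comes from uncertified firmware, is credited only where it agrees with that record in both position and time. The tag name "ZS-101", the tolerances and all sample data are constructed:

```python
"""Validation of a partial stroke record against the safety PLC limit switch
time stamp.

Added worked example (not from the article). It models the 'chain' described
above: the safety PLC logs the SIL-rated limit switch (set to actuate at 90%
travel) with its own time stamp; the positioner's diagnostic record comes from
uncertified firmware and is accepted only where the certified signal
corroborates it. Tag names, tolerances and all sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PlcEvent:
    t: float    # safety PLC time stamp, seconds (certified path)
    tag: str    # limit switch tag, e.g. "ZS-101" (assumed name)
    state: int  # 1 = actuated (valve at or below the switch position), 0 = released


@dataclass(frozen=True)
class PositionerRecord:
    t_start: float            # positioner clock at the first sample (uncertified)
    sample_s: float           # sampling period of the travel curve
    travel_pct: List[float]   # valve position, 100 = fully open
    self_reported_ok: bool    # the firmware's own verdict; deliberately not used


@dataclass(frozen=True)
class Verdict:
    valid: bool
    reason: str


def find_switch_pulse(events, tag) -> Optional[Tuple[float, float]]:
    """First actuate/release pair on `tag`: the valve reached the switch
    position and came back. A lone actuation is not a completed partial stroke."""
    t_on = None
    for e in sorted(events, key=lambda e: e.t):
        if e.tag != tag:
            continue
        if e.state == 1 and t_on is None:
            t_on = e.t
        elif e.state == 0 and t_on is not None:
            return t_on, e.t
    return None


def validate_partial_stroke(events, rec, tag, switch_pct=90.0,
                            max_skew_s=5.0, max_pulse_s=60.0) -> Verdict:
    """Credit the partial stroke only if the safety PLC saw the switch pulse and
    the positioner's travel curve agrees with it in position and time."""
    pulse = find_switch_pulse(events, tag)
    if pulse is None:
        return Verdict(False, "no completed limit switch pulse in the safety PLC record")
    t_on, t_off = pulse
    if t_off - t_on > max_pulse_s:
        return Verdict(False, f"valve stayed at the switch position for {t_off - t_on:.0f} s")
    # The positioner's own time base is not trusted: its claimed crossing of the
    # switch position must line up with the PLC time stamp.
    idx = next((i for i, p in enumerate(rec.travel_pct) if p <= switch_pct), None)
    if idx is None:
        return Verdict(False, "positioner travel curve never reaches the switch position")
    t_cross = rec.t_start + idx * rec.sample_s
    skew = t_cross - t_on
    if abs(skew) > max_skew_s:
        return Verdict(False, f"positioner time stamp disagrees with PLC by {skew:+.1f} s")
    return Verdict(True, "PLC limit switch pulse corroborates the positioner record")


# Constructed data: the PLC sees ZS-101 actuate at t=1000 and release at t=1012;
# the positioner sampled every 0.5 s from t=998 and crossed 90% at its 5th sample.
PLC_LOG = [PlcEvent(1000.0, "ZS-101", 1), PlcEvent(1012.0, "ZS-101", 0)]
POSITIONER = PositionerRecord(998.0, 0.5,
                              [100, 97, 94, 91, 89, 89, 89, 92, 96, 100], True)

if __name__ == "__main__":
    print(validate_partial_stroke(PLC_LOG, POSITIONER, "ZS-101"))
    # Firmware says OK, but the certified channel saw nothing: not credited.
    print(validate_partial_stroke([], POSITIONER, "ZS-101"))
```

Only after the verdict is positive should the richer positioner data (valve speed, dead time, smoothness of travel) be filed as results of a validated test; a positioner record without a matching PLC pulse, or one whose clock disagrees with the PLC, is kept for maintenance purposes but must not be used to claim the improved PFD.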
Problem of overshooting, safety vs availability
Quite often the stick-slip effect occurs in valves that have remained in one position for an extended time: because static friction is higher than dynamic friction, the valve may break away suddenly and overshoot the target set point (eg, 90% of full range) of the partial stroke test. This may be a risk for the operation of the plant, ending in an unplanned shutdown. Therefore, parameters for precise control and termination of the partial stroke test are necessary. Parameters may comprise:
* Time to allow the actuator pressure to settle to a defined value before partial stroke.
* Ramp time to limit the speed of movement.
* Maximum time for test.
* Maximum permissible valve position; overshooting this position will result in the test being terminated.
* Minimum permissible air pressure in the actuator.
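A supervisor that applies these five parameters, as an added example (not the article's own procedure or any vendor's positioner logic): it generates the ramped setpoint, checks every position and pressure sample against the limits in order of severity, and terminates the test on the first violation. The limit values and the two sample traces, one normal and one with stick-slip overshoot, are constructed:

```python
"""Supervision of a partial stroke test against the termination parameters
listed above.

Added worked example (not from the article). The supervisor consumes sampled
valve position and actuator pressure, generates the ramped setpoint and
terminates the test as soon as a limit is violated; in a real installation the
caller would then drive the valve back to its normal position. Limit values and
the sample traces are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PstLimits:
    settle_s: float          # wait for actuator pressure to settle before moving
    ramp_s: float            # time to ramp the setpoint from 100% to the target
    max_test_s: float        # abort if the test has not completed by then
    max_travel_pct: float    # abort if the valve travels beyond this (overshoot)
    min_pressure_bar: float  # abort if actuator pressure falls below this


@dataclass(frozen=True)
class Sample:
    t: float
    position_pct: float   # 100 = fully open
    pressure_bar: float


def setpoint_at(t: float, lim: PstLimits, target_pct: float) -> float:
    """Ramped setpoint: hold 100% while settling, then descend linearly to the
    target over ramp_s. Limiting the speed limits the energy available for an
    overshoot when static friction breaks."""
    if t < lim.settle_s:
        return 100.0
    frac = min(1.0, (t - lim.settle_s) / lim.ramp_s)
    return 100.0 - (100.0 - target_pct) * frac


def supervise_pst(samples: List[Sample], lim: PstLimits,
                  target_pct: float = 90.0, tol_pct: float = 1.0) -> Tuple[str, str, float]:
    """Return (outcome, reason, elapsed_s); outcome is "PASS" or "ABORT".
    The checks run on every sample, most severe for the plant first."""
    t0 = samples[0].t
    reached = False
    for s in samples:
        el = s.t - t0
        if el > lim.max_test_s:
            return "ABORT", "maximum test time exceeded", el
        if s.pressure_bar < lim.min_pressure_bar:
            return "ABORT", f"actuator pressure {s.pressure_bar:.1f} bar below minimum", el
        if s.position_pct < lim.max_travel_pct:
            return "ABORT", f"overshoot: {s.position_pct:.1f}% beyond limit {lim.max_travel_pct:.1f}%", el
        if el < lim.settle_s:
            continue                      # settling phase: setpoint still at 100%
        if not reached and s.position_pct <= target_pct + tol_pct:
            reached = True                # the valve moved: the actual test evidence
        elif reached and s.position_pct >= 100.0 - tol_pct:
            return "PASS", "target reached and valve returned to normal position", el
    return "ABORT", "test incomplete when data ended", samples[-1].t - t0


LIMITS = PstLimits(settle_s=2.0, ramp_s=4.0, max_test_s=30.0,
                   max_travel_pct=85.0, min_pressure_bar=3.5)

# Constructed traces: (t in s, position %, actuator pressure in bar)
GOOD_TRACE = [Sample(*r) for r in [(0, 100, 4.2), (1, 100, 4.2), (2, 100, 4.2), (3, 97, 4.1),
                                   (4, 94, 4.0), (5, 91, 4.0), (6, 90, 4.0), (8, 95, 4.1),
                                   (10, 99.5, 4.2)]]
# Stick-slip: the valve does not follow the ramp, then breaks free and overshoots.
STICK_SLIP_TRACE = [Sample(*r) for r in [(0, 100, 4.2), (1, 100, 4.2), (2, 100, 4.2), (3, 100, 4.0),
                                         (4, 100, 3.9), (5, 100, 3.8), (6, 83, 3.8)]]

if __name__ == "__main__":
    print(supervise_pst(GOOD_TRACE, LIMITS))
    print(supervise_pst(STICK_SLIP_TRACE, LIMITS))
```

Note that the stick-slip trace is caught by the position limit only after the valve has already moved to 83%; the settle time and ramp rate are what keep such a break-away small in the first place, while the maximum permissible position is the last line of defence that ends the test before the process is disturbed further. In the configurations discussed later, the termination has to act through a path that is independent of the positioner's own control loop.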
Proposal for integration into plant instrumentation
All the instrumentation needed at a shutdown valve can be combined into one mechanical package (solenoid valve, positioner for diagnostics, limit switch, alarm generation) (Figure 3). This results in reduced mechanical interfaces and consequently, in enhanced reliability. Therefore, it is the preferred solution. The integration into the system environment should fit seamlessly into the existing installation. There are connections along two lines: The safety functions (shutdown, recording of limit switch) are wired to the safety PLC, the diagnostic information is routed via HART protocol to the asset management system. It is important to avoid extra procedures for partial stroke testing and the generated data; instead, partial stroke testing should be an integral part of the general maintenance and asset management strategy and the handling of diagnostic data.
The implemented features can be used in a wider scope than for partial stroke testing only:
* Documenting and filing data over the lifetime of the SIF. It is important for end users to generate their own SIF performance databases over the life cycle. Therefore, the features for detailed monitoring, digital documentation of tests and test results are essential.
* Full stroke testing of the SIF during plant shutdown can be supported by the diagnostic features implemented in the positioner. The current practice of shutting down the valve and purely monitoring the end position can be replaced by more detailed diagnostics, more effectively targeting the failure modes as stated in the HAZOP analysis. All considerations for diagnostic coverage as outlined above also apply for full stroke testing.
In general, there are two basic choices of instrumentation:
a) The first choice is having one physical device for shutting down the valve and another for performing valve diagnostics. This means having a separate solenoid valve and positioner, even if they may be combined in one housing. This kind of configuration is also perfectly suitable for monitoring full stroke testing of the valve because the positioner is always powered and can monitor even the complete shutdown of the safety valve. One opportunity available with this configuration is to monitor safety valve operation and performance during spurious trips (Figure 4).
b) The other configuration eliminates the solenoid valve and has the valve shut down by the positioner. There are certified positioners that permit this configuration, which has the appealing advantage that the function of the 'solenoid valve' (the pneumatic path of the positioner) is itself exercised during every partial stroke test. It should therefore be possible to detect any failure in this pneumatic path, corresponding to a diagnostic coverage of 100% for that instrument. The disadvantage is that a demand for full stroke (removal of energy at the positioner input) stops the microprocessor, so no diagnostic capability is available during this operation and full stroke monitoring is impossible.
Conclusion
Partial stroke testing is not an isolated measure that will cure any deficiency of the valve design in a SIF. The use and effectiveness of partial stroke testing is governed by many factors, crucial factors being for example the diagnostic coverage and proof that a valid test was performed. A successful strategy should implement partial stroke testing as part of life cycle management. This would give a solid background to the diagnostic coverage. Additional benefits may arise during full stroke testing and by documenting and filing the results of any test performed on the final elements. Seamless integration into the automation concept is key to a successful application of this technology. Finally, with the currently available technology, operators need to choose between monitoring full stroke or alternatively testing the pneumatic path of the 'smart solenoid valve'.
Samson Controls, Tel: +27 21 552 6088/9, www.southafrica.samsongroup.com
© Technews Publishing (Pty) Ltd | All Rights Reserved