Partial Stroke Testing - R3

Partial stroke testing is a technique for functionally testing safety valves and other critical valves online by moving them a small percentage of their full stroke and then returning them to their original position. It aims to confirm the valve's ability to move and its suitability for continued service while minimizing impact on the safety instrumented function. The goals of partial stroke testing include being cost effective, simple to operate, allowing safe online repair, and not decreasing safety availability or triggering spurious trips.

Partial stroke testing (PST) offers a method of testing the safety instrumented system (SIS) valve by moving it typically 15-25% of its full stroke in a short period of time. It aims to confirm that the valve is able to move (is not stuck) and that it remains suitable for SIS service. The coverage factor of PST is estimated at 60-80% of possible dangerous failure modes, based on failure mode and effects analysis.

Implementing partial stroke testing on safety valves can yield significant improvements in safety performance such as reducing the probability of failure on demand (PFDavg) and increasing the safety integrity level (SIL) of the safety function. It can also extend the proof test interval requiring full valve stroking.

SILstroke: A 2oo4D Partial Stroke Testing Device for Safety and Critical Valves


by
Dr. Lawrence Beckman
SafePlex Systems, Inc., Houston, Texas

Abstract

Valves lack internal diagnostics and in order to reveal valve failures it is necessary to
perform partial or full stroke testing. While performing the testing, it is essential not to
interfere with the inherent safety function (SIF), or cause a spurious trip of the process.
The purpose of this paper is to give the reader an overview and comparison of different
partial stroke testing options, and to demonstrate the benefits of the 2oo4D SILstroke fail
safe, fault tolerant solution.

Introduction

In process facilities there are many valves in use. Some are for control of the process;
others are used for process safety, as part of the Safety Instrumented System (SIS). Some
non-safety process valves are critical as well, in that their failure could result in a
shutdown of the process – a spurious trip.

The focus of this paper is directed to these safety-related or critical valves and their
operation. From a production perspective, the operation of these valves is a major
concern addressing both operational availability and safety availability. Both need to be
considered to achieve optimal production and process safety performance.

Given that valves lack internal diagnostics, functional diagnostics must be utilized to
perform diagnostic testing of the valve, while it is in operation. One method to perform
this functional testing on-line is called Partial Stroke Testing (PST), which is suitable for
use on safety (ESD) valves, as well as other critical valves.

Partial Stroke Testing (PST) – Supplemental Testing

This technique offers a method of testing the SIS valve by moving it, typically 15-25%,
and back to the original position in a short period of time. The purpose of the test is to
confirm the valve’s ability to move (not stuck in place), and its suitability for continued
SIS service.

• Only a portion of the valve’s dangerous failure modes can be tested during the
partial stroke test; the remainder can only be tested by full stroke testing and
seating during the Proof Test. However, it should be noted that it is not necessary
to close the valve completely to initiate a safe shutdown of the process.

• It is estimated that the coverage factor of the PST is between 60 - 80% of the
possible dangerous failure modes, based on an FMEDA for the type of valve
under consideration. Comprehending this coverage factor in the reliability
analysis will reveal that the safety performance of the valve has been improved,
and its Risk Reduction Factor (RRF) increased.

Safety Instrumented Function (SIF)

As part of an SIS, a typical SIF consists of the following: Sensors, Logic Solver and
Final Elements. The Final Elements are the valves with attached devices, and they
typically contribute about fifty percent (50%) of the total PFDavg of the SIF. An SIF’s
performance to a target Safety Integrity Level (SIL) is determined by its total PFDavg. As
such, improving the PFDavg of the final element (valve and its operator) is the area of
greatest opportunity for significant reduction of PFDavg; thereby increasing the SIL of the
safety function, or extending its Proof Test Interval.

[Figure: Typical Diagram for Partial Stroke Testing. Labels: SIS, SOV, ESDV, SW, SILstroke, Application Program, Indicator (PST, CLEAR, FAULT).]

SIS: Safety Instrumented System
SOV: Solenoid Valves
ESDV: Emergency Shutdown Valves
SW: Pressure Switch or Limit Switch

Goals of Partial Stroke Testing

In order to implement PST successfully, the following goals should be established:

• Cost effective installation.
• Simple to calibrate, operate, and test.
• Safe, on-line repair.
• Minimum impact on the existing SIF.
• Does not decrease the availability of the SIF. No spurious trips.
• Does not degrade the SIL rating of the safety function (SIF) to which it is
attached.
• Does not violate the Process Safety Time Constraints of the ESD valve, or the
minimum HFT = 1 requirement for SIL 3 (per IEC 61511).

It is important to note that if the installation of a PST device alters the dynamics of the
valve (i.e., slower closing rate), the valve may no longer be suitable for use in the SIF, as
it can no longer respond in the time (process safety time) required. If this is indeed the
case, other means must be used to meet the process safety time constraint, and they must
be included in the computation of the PFDavg for the valve and its associated SIF.

Benefits of PST

Given that Partial Stroke Testing of the valve and its attached devices (per the above
Diagram) has been implemented successfully, the following benefits can be achieved:

• Increase the SIL (lower PFDavg) of the valve, keeping the Proof Test Interval
constant.
• Lengthen the Proof Test Interval of the valve, keeping the SIL constant.
• Combination of both of the above.
• Eliminates the need for a second ESD valve in some cases.

However, it is imperative that performing a PST of a critical or safety (ESD) valve does
not cause a spurious trip of the process, due to a failure in the device performing the PST.
Most spurious trips are caused by SOV failures, and not by failures related to the valve
itself. As such, the PST device should have internal diagnostics, be fully fault tolerant,
and fail safe. Ideally, it should be capable of being repaired on-line without by-passing
or disabling the safety function to which it is associated. In addition, it should prohibit
over-stroking of the valve (because of a sluggish response) which could also initiate a
spurious trip of the process due to excessive valve closure.

Methods of Implementation

Typical devices used for implementing PST are as follows:

I) Use the ESD system to perform the test
II) Use a positioner based device
III) Use a 2oo2 or 2oo3 redundant device
IV) Use a 2oo4D device, such as SILstroke from SafePlex Systems, Inc.

We will discuss each of the above alternatives and evaluate the best option.

I) While an ESD based PST seems like an obvious solution, it has considerable
deficiencies as follows:

a) It is expensive due to the cost of additional ESD I/O and field wiring.
b) It utilizes the same field devices, and as such provides no reduction in the
dangerous or spurious failure rate of the SOV.
c) Minimal improvement in the PFDavg of the SIF.
d) No local testing capability.
e) No improvement in the operational availability of the SIF resulting from
spurious trips due to SOV failure.
f) No on-line replacement of failed SOV.
g) Constrained by MOC restrictions for the Logic Solver (PES).

II) Using a positioner based device is perhaps the worst option, as it is a
complete misapplication of technology. Positioners were developed for
modulating control valves, whose movement is very small. ESD valves on the
other hand are fully open or fully closed, and go from one state to the other as
quickly as possible. An SOV is far better suited for this application. Because
positioners have a very small Cv, they cannot vent an ESD valve diaphragm
quickly as required to satisfy the process safety time, and are suitable only for
smaller valves. To compensate for this deficiency, an interposing SOV or
QEV is used to vent the ESD valve diaphragm. This SOV or QEV is not
tested during the PST and remains in a static position for an extended period
of time. As such, it may not be able to close (vent) the ESD valve upon
demand, and is itself a source of both dangerous failures and spurious trips.

In addition to the interposing SOV or QEV, positioners use a pneumatic
vane-nozzle arrangement (I/P converter) which operates independently of the
positioner electronics. If the nozzle orifice is plugged (by a tiny speck of
dirt or oil/water in the air supply), shutting off the electronics will not vent the
valve diaphragm. This is a dangerous failure mode, as venting the diaphragm
(closing the ESD valve) is critical to achieving the safe state. Unfortunately
this dangerous failure mode is not addressed in most positioner product safety
evaluations.

III) Using either 2oo2 or 2oo3 redundant devices also has some issues as follows:

a) These devices are not tested prior to conducting the PST, and could fail
during the PST thus tripping the process.
b) To perform on-line repair both devices require by-passing (completely
disabling) the safety function.
c) The 2oo2 device is only fault tolerant in the air supply mode. To vent the
ESD valve diaphragm, both SOVs have to operate properly (close). If
either SOV is stuck open and fails to close, the valve diaphragm does not
vent, the ESD valve does not close; and we experience a dangerous failure
of the SIF due solely to a fault in the 2oo2 device.
d) The safety certification and SIL rating for the 2oo2 device mandates that it
operate only as a 1oo1 device with hot backup. As such, only one of the
SOVs is active. Frequent switching between SOVs is required to maintain
the SIL rating, and these transitions could be a source of spurious trips.
e) The 2oo3 device contains numerous check valves which can stick because
of dirt or water in the air supply. As such, this can itself be a source of
both dangerous failures and spurious trips.

IV) The ideal PST configuration is the 2oo4D architecture used in the SILstroke
device. This patented architecture provides two parallel paths, each path
having two SOVs in series. It has the following operational advantages:

a) It is fail safe and fully fault tolerant (both air supply and exhaust). No
single failure will prevent the correct operation of this device. It meets the
minimum HFT = 1 requirement for SIL 3 (per IEC 61511).
b) The device is completely tested prior to performing the PST. If a fault is
detected by internal diagnostics, the PST is cancelled and the fault is
alarmed.
c) The device is certified to SIL3 by TÜV Rheinland, and provides superior
immunity to spurious trips due to failures in the PST device.
d) The device can be repaired on-line without disabling or by-passing the
associated safety function.
e) Elimination of dangerous and spurious failures associated with the SOVs.
f) Immediate detection and alarm of SOV failures resulting from an
uncommanded change of state.
g) The Cv of the device is large, and it is suitable for use on larger valves
without external venting devices.
h) Local testing, diagnostic and alarm capability.
i) Over stroking of the safety valve due to sluggish response is prevented.
j) The device automatically calibrates to the valve under actual process
operating conditions.
k) The device is simple to install, operate, and maintain, and need not be
installed directly on the ESD valve.
l) The device does not affect the MOC requirements for the Safety Logic
Solver (PES).
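
The fault-tolerance comparison between options I) to IV) can be checked by enumerating stuck-SOV faults. This is an added example, not code from the paper or from SafePlex; it assumes a simplified model in which each SOV is an on/off element in the air path to the ESD valve diaphragm, and the names `ARCHITECTURES`, `pressurized`, `tolerated_faults` and `compare` are hypothetical.

```python
from itertools import combinations

# Constructed models (assumption): parallel air-supply paths, each a series of SOVs.
ARCHITECTURES = {
    "1oo1": [["A"]],
    "2oo2": [["A"], ["B"]],             # two SOVs in parallel
    "2oo4D": [["A", "B"], ["C", "D"]],  # two parallel paths, two SOVs in series each
}


def pressurized(paths, command_open, stuck=None):
    """True if air reaches the ESD valve diaphragm (valve held in its run position).

    stuck maps an SOV name to the state it is frozen in (True = open);
    every other SOV follows the command.
    """
    stuck = stuck or {}
    return any(all(stuck.get(sov, command_open) for sov in path) for path in paths)


def tolerated_faults(paths, stuck_open):
    """Largest number of simultaneous faults of one kind that never defeat the device.

    stuck_open=True  : dangerous faults, checked against a trip (vent) command.
    stuck_open=False : spurious faults, checked against a run (supply) command.
    """
    sovs = [sov for path in paths for sov in path]
    for n in range(1, len(sovs) + 1):
        for combo in combinations(sovs, n):
            stuck = dict.fromkeys(combo, stuck_open)
            if pressurized(paths, not stuck_open, stuck) == stuck_open:
                return n - 1  # this combination of n faults defeats the command
    return len(sovs)


def compare():
    """Map each architecture to (dangerous faults tolerated, spurious faults tolerated)."""
    return {name: (tolerated_faults(p, True), tolerated_faults(p, False))
            for name, p in ARCHITECTURES.items()}


if __name__ == "__main__":
    for name, (dangerous, spurious) in compare().items():
        print(f"{name:6s} stuck-open tolerated: {dangerous}  stuck-closed tolerated: {spurious}")
```

In this model the 2oo2 arrangement tolerates a stuck-closed SOV but not a stuck-open one, while the 2oo4D arrangement tolerates one fault of either kind, which is the HFT = 1 property claimed in item a).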

Calculation of Benefits

Calculate Extended Proof Test Interval and Improved PFDavg

In the design of the SIS, a quantitative determination is done to see if the design meets
the SIL required by the Safety Requirements Specification (SRS). For the single valve,
the equation given in ISA-TR84.00.02-2002 – Part 2 for the average probability of failure
on demand (PFDavg) is as follows:

$$PFD_{avg} = \frac{\lambda_D \times TI}{2} \qquad \text{(Equation 1)}$$

where PFDavg is the average probability of failure on demand, λD is the failure-dangerous
rate of the valve, and TI is the proof test interval.

There is an inherent assumption herein that the full stroke test at test interval (TI) has a
diagnostic coverage of 100%. This may not always be the case, as many times a valve
tested during a shutdown or turnaround is not tested at operating conditions, the leak
tightness may not be tested, the valve may not be fully inspected, and the test is done by a
human being who is subject to error. So what some people call a full stroke test may in
fact be a form of partial testing.

Now if we consider that we can stroke the valve a short distance that will test a portion of
the possible failure modes, and we are doing this at a test interval different than the full
stroke test interval, then we can expand Equation 1 to account for this as follows:

$$PFD_{avg} = \frac{DF_{PST} \times \lambda_D \times TI_{PST}}{2} + \frac{(1 - DF_{PST}) \times \lambda_D \times TI_{PT}}{2}$$

where PFDavg is the average probability of failure upon demand, DFPST is the Diagnostic
Coverage Factor of the partial stroke valve test, λD is the dangerous failure rate of the
valve and SOV, TIPST is the partial stroke test interval, TIPT is the proof (full stroke) test
interval; and the full stroke valve test diagnostic coverage is considered to be 100%.

Note: MTTR was considered negligible when compared to the PST interval.

Improved PFDavg and SIL

Base Case – No “PST” (0% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid
(PT Interval = 1 year)

PFDavg = 2.25 x 10⁻² (SIL = 1.65)


Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid

(PT Interval = 1 year)

PFDavg = 7.36 x 10⁻³ (SIL = 2.13), PFDavg Reduction of 67%

SILstroke Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 2oo4D Solenoids
(PT Interval = 1 year)

PFDavg = 3.31 x 10⁻³ (SIL = 2.50), PFDavg Reduction of 85%

* Solenoid MTBFdu = 50 years
* Ball Valve MTBFdu = 40 years
* PST Coverage Factor = 70%
* PST Interval = 2 weeks
* PT Interval = 1 year

Extended Proof (Full Stroke) Test Interval

Base Case – No “PST” (0% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid

PFDavg = 2.25 x 10⁻² (SIL = 1.65), PT Interval = 1 year

Base Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 1oo1 Solenoid

PFDavg = 2.25 x 10⁻² (SIL = 1.65), PT Interval = 3.24 years

SILstroke Case – With “PST” (70% Coverage) 1oo1 Ball Valve with 2oo4D Solenoids
(No Dangerous SOV Failures)

PFDavg = 2.25 x 10⁻² (SIL = 1.65), PT Interval = 5.91 years

* Solenoid MTBFdu = 50 years
* Ball Valve MTBFdu = 40 years
* PST Interval = 2 weeks
* PST Coverage Factor = 70%

Discussion of Results

Using the above equation for PFDavg for a 1oo1 device, we obtained the above results.
Depending upon your objective (reduce the PFDavg or extend the Proof Test Interval),
significant improvement was achieved.

For the case of Reducing the PFDavg of the Final Element, the Base Case (utilizing a 1oo1
Ball Valve and 1oo1 SOV with no PST) produced a SIL of 1.65. Conducting a PST of
the Ball Valve increased the SIL to 2.13, a 67% improvement. Replacing the 1oo1 SOV
with the 2oo4D SOVs (SILstroke) eliminated dangerous SOV failures and increased the
SIL to 2.50, an 85% improvement. In addition, SILstroke virtually eliminates spurious
trips of the process due to an SOV failure, or from conducting the PST of the valve.

For the case of Extending the Proof (Full Stroke) Test Interval, the Base Case utilized a
one (1) year Proof Test (PT) Interval. Conducting a PST of the Ball Valve extended the
PT Interval to 3.24 years. Replacing the 1oo1 SOV with the 2oo4D SOVs (SILstroke)
eliminated dangerous SOV failures and increased the PT Interval to 5.91 years, an
increase of nearly 600%. In addition, SILstroke virtually eliminates spurious trips of the
process due to an SOV failure, or from conducting the PST of the valve.
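
The 1oo1 figures above can be reproduced from Equation 1 and its PST expansion, as in this added example (not the author's code). It assumes 2 weeks = 2/52 year, λD = sum of 1/MTBFdu for the elements in series, and a fractional SIL of -log10(PFDavg); all function names are hypothetical. The SILstroke PFDavg case is left out because the page does not state how the 2oo4D solenoid term enters that figure.

```python
import math

WEEKS_PER_YEAR = 52  # assumption: "2 weeks" is taken as 2/52 of a year


def dangerous_rate(*mtbf_du_years):
    """Dangerous failure rate (per year) of elements in series: sum of 1/MTBFdu."""
    return sum(1.0 / m for m in mtbf_du_years)


def pfd_avg(lambda_d, ti_pt, coverage=0.0, ti_pst=0.0):
    """Equation 1 when coverage is 0, otherwise the expanded PST equation."""
    if not 0.0 <= coverage < 1.0:
        raise ValueError("coverage must be in [0, 1)")
    return coverage * lambda_d * ti_pst / 2 + (1 - coverage) * lambda_d * ti_pt / 2


def proof_test_interval(target_pfd, lambda_d, coverage, ti_pst):
    """Solve the PST equation for the proof test interval that holds target_pfd."""
    if not 0.0 <= coverage < 1.0:
        raise ValueError("coverage must be in [0, 1)")
    pst_term = coverage * lambda_d * ti_pst / 2
    if target_pfd <= pst_term:
        raise ValueError("target PFDavg is below the PST term alone")
    return 2 * (target_pfd - pst_term) / ((1 - coverage) * lambda_d)


def fractional_sil(pfd):
    """Assumed convention: SIL expressed as -log10(PFDavg)."""
    return -math.log10(pfd)


def reproduce_page_figures():
    ti_pst = 2 / WEEKS_PER_YEAR
    lam_1oo1 = dangerous_rate(50, 40)  # solenoid + ball valve
    lam_valve = dangerous_rate(40)     # "No Dangerous SOV Failures": valve only
    base = pfd_avg(lam_1oo1, ti_pt=1.0)
    with_pst = pfd_avg(lam_1oo1, ti_pt=1.0, coverage=0.70, ti_pst=ti_pst)
    return {
        "base_pfd": base,
        "base_sil": fractional_sil(base),
        "pst_pfd": with_pst,
        "pst_sil": fractional_sil(with_pst),
        "pst_reduction": 1 - with_pst / base,
        "pt_interval_pst": proof_test_interval(base, lam_1oo1, 0.70, ti_pst),
        "pt_interval_no_sov": proof_test_interval(base, lam_valve, 0.70, ti_pst),
    }


if __name__ == "__main__":
    for key, value in reproduce_page_figures().items():
        print(f"{key:20s} {value:.4g}")
```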

Conclusions

The PST of critical process and safety valves yields significant improvement in the safety
performance of these devices. The PST device should be fully fault tolerant (both air
supply and exhaust), fail safe and on-line repairable without disabling or by-passing the
SIF. Implementing the PST device should not cause spurious process trips, a decrease in
the SIL of the SIF, or violate process safety time constraints. The ideal PST device
should contain internal diagnostics, and be capable of verifying its fault-free operation
prior to performing the PST of the valve.

Installing the 2oo4D SILstroke device can satisfy all of the above requirements, while
virtually eliminating both dangerous failures and spurious trips of the process due to
SOV failures, or from conducting the PST of the valve.

Both high safety availability and operational availability (no spurious trips due to the PST
device) are important factors to consider when implementing PST. The virtual
elimination of both costly dangerous failures and spurious trips due to SOV failures,
while extending the Proof (Full Stroke) Test Interval or increasing the safety performance
(SIL), provides significant economic benefits; and makes an investment in the SILstroke
2oo4D device very easy to rationalize.
