
Process Safety Lessons Learned

Process safety has been a popular topic these days. Unfortunately, it has hit the
mainstream press because of high-profile safety incidents such as last year's
Deepwater Horizon accident in the Gulf of Mexico. On a positive note, process safety
isn't just for the experts anymore. Many process industry business leaders and
managers are taking a stern look at their organization and wondering whether they are
protected or not. Still, some are making the mistake of assuming that their past success
operating safely is an indicator of future process-safety success.
I just read an article by Walt Boyes titled "Process Plants Accidents: Careful. We Don't
Want to Learn from This." Walt makes some really strong points about the lack of process
safety improvements over the past 25-plus years, since the 1984 Bhopal, India incident
got the process safety management (PSM) ball rolling. Walt once corrected me on a
point that he did not make in his article. A couple of years ago, I was talking to him
about the need to simplify regulatory compliance and he told me that I had it all wrong.
Walt said, "If the goal is to be regulatory compliant, then you are missing the point."
Walt's point was that regulatory compliance is not a goal to strive for. If you are hoping
to improve your safety by becoming regulatory compliant, then you are setting
yourself up to fall woefully short of actually managing your process safety. The
regulatory-compliant mindset can lead you onto all sorts of stray paths if you are not
careful. This is a major contributor to many ineffective safety programs and
management cultures today. During the investigations into the Deepwater Horizon
incident, we saw clear examples of very smart people making irrational decisions
because their goal was to meet the regulatory compliance requirements set by the
Minerals Management Service (MMS) in the Gulf of Mexico. Instead, it is important to
focus on the goal: managing process safety.
"There's an old saying that if you think safety is expensive, try an accident. Accidents
cost a lot of money, not only in damage to plant and claims to injuries but also in the
loss of the company's reputation." - Dr. Trevor Kletz
This week I read the IndustryWeek article, "BP Refines Post-Spill Drilling Strategy." Less
than a year after the Deepwater Horizon incident, there are already signs of BP's top
management taking a leadership role in driving process safety management in their
company. Change like this isn't something that can be driven from the bottom up. You
need top-down support to make this happen. The article discusses some of the safety
culture and management changes that the new CEO, Robert Dudley, says are happening
at BP. Dudley is quoted as saying that production shutdowns are costly, but safety is
good business.
"My fear is that some of the other refineries within the United States will feel, 'that
couldn't happen to me.' And the ones that feel that couldn't happen at their site are the
ones that are set up to have it happen there." - Glenn Erwin
This is one of the major challenges that the process industry faces. After the Deepwater
Horizon incident, leaders from several multinational oil companies testified before
Congress that something like this couldn't happen to them. This is a natural response to
this kind of industry event. However, the major oil producers did come together after
recognizing that their emergency response plans were all pretty much the same and
they were indeed subject to some of the same problems. Exxon Mobil, Shell,
ConocoPhillips, Chevron, and BP have since formed a non-profit organization, the Marine Well
Containment Company, which will provide a rapid response system to capture and
contain oil in the event of another blowout in the Gulf of Mexico.
"Process safety deals with the fires, explosions, and toxic releases and things like that.
You can have a very good accident rate for what we call 'hard hat' accidents and not
for process ones." - Dr. Trevor Kletz
It is common to see process industry facilities with signs reminding you to hold onto
handrails, watch where you are walking, and be careful not to be burned by spilled
coffee. If you drive down Highway 225 in southeast Houston, you are likely to see
dozens of signs outside of refineries and chemical plants that display hundreds of
thousands of man-hours without a lost-time or total recordable incident. While it is
very important to celebrate personal safety management milestones, they have little
connection with process safety performance. Having a very low lost-time accident rate
can induce a feeling of complacency and a false sense that safety is being well
managed. A key lesson from recent incidents was the need to focus on leading and
lagging process safety indicators in addition to personal safety metrics. The AIChE Center for Chemical
Process Safety (CCPS) has recently made significant progress in developing process safety
metrics.
"The fact that you've gone for 20 years without a catastrophic event is no guarantee
that there won't be one tomorrow." - Prof. Andrew Hopkins
Personal safety focuses on preventing high frequency, lower consequence incidents like
slips, trips, and falls. Process safety focuses on preventing much lower frequency events
with a catastrophic consequence. Many process safety hazards are estimated to be
likely to occur only once in the life of a facility, or even only once in the life of an
industry.
Some hazardous event frequencies are measured in terms of once in thousands of
years. These events typically result from multiple causes related to a complex sequence
of failures in equipment, people, processes, and decision-making. So, often the process
industry celebrates the personal safety successes while having to fight complacency on
the need for continuous process safety vigilance. Some safety engineers complain that
change is hard to justify because current practices have not resulted in any safety
incidents. It often takes a catastrophic event to invigorate the organization's
focus and commitment around process safety.
Control Valves in Process Safety Applications
Update and bump: I received great news from Riyaz that the ISA Kuwait section has
agreed to let us upload and link to their December 2009 newsletter containing Riyaz's
article, "When is a Safety Integrity Level (SIL) Rating of a Valve Required?"
I'd like to thank the ISA Kuwait staff and encourage readers in this region to join and
participate. You'll learn from their regular presentations by ISA Fellows and technology
participants, monthly newsletters, conferences and exhibitions, and connections with
other automation professionals.

Original post: Two questions were posed recently over at the ISA Safety Archives in a
thread, "Valve in SIL verification" (login required):
Q-1: Do we need to include the valve in SIL verification, or can we limit it up to the solenoid-operated
valve, considering the valve a mechanical device?
Q-2: To achieve SIL 2 we normally use a 1oo2 configuration for the final element. Here, do we
need to use a 1oo2 configuration of the solenoid valve, or shall it be a 1oo2 configuration of the
valve?
The feedback from the other listserv members, many of whom are prominent voices in the
process safety community, was that the valve must be included in the SIL verification
and that the 1oo2 configuration extends to the valve.
I checked with Emerson's Riyaz Ali, whom you may recall from numerous process
safety-related posts, on this discussion thread. Riyaz shared an ISA Kuwait section
whitepaper, "When is a Safety Integrity Level (SIL) Rating of a Valve Required?"
Unfortunately, the ISA holds the copyright on this whitepaper, so I can't provide a link to
it. I'll highlight a few points that Riyaz makes in the paper.
In the introduction, Riyaz notes that:
"to establish an SIL suitability rating for a Safety Instrumented Function (SIF) loop, a
PFD value needs to be computed for the components of the loop (a SIF loop consists of Sensor,
Logic Solver, Final Element). To calculate PFD, an equipment failure rate number is
required."
Riyaz enumerates three cases where control valves can be used as safety shutdown valves:
1. Control valves which are used only as an on/off single final element
2. Control valves which are used in a dual-purpose context (both for control and safety)
3. Control valves which are used in a dual-purpose context in addition (redundancy) to an
on/off valve
For the first case, the control valve would be the final control element in the SIF, and this
SIF would need to have a safety integrity level (SIL) rating equal to or greater than 1.
For the second case, Riyaz cites IEC 61511 part 1 clause 11.2.10, which states that "a
device used to perform part of a safety instrumented function shall not be used for
basic process control purposes, where a failure of that device results in a failure of the
basic process control function which causes a demand on the safety instrumented
function, unless an analysis has been carried out to confirm that overall risk is
acceptable." He notes how this may be interpreted:
YES: If all possible failures of the control valve do not place a demand on any SIF, then the
control valve may be used with no further analysis. In this case, the control valve is the final
element of the Safety Instrumented Function (SIF) loop and needs to have a SIL rating equal to
or above 1.
NO: If failure of the control valve will place a demand on a SIF, then it may not be used
as the only final element in that SIF.
If failure of the control valve will not place a demand on the SIF for which it is intended but
may place a demand on any other associated SIF, then the control valve may be used in a
SIF only after detailed analysis. An additional step of further analysis will be necessary
in these cases to ensure that the dangerous failure rate of the shared equipment is
sufficiently low.
The control valve in this case would again be the final element of a SIF requiring a SIL
rating greater than 1.
In the third example of providing additional hardware fault tolerance for higher SIL
applications, the mean time to fail (MTTF) of the control valve can be used in the probability
of failure on demand (PFDavg). He shares the failure fraction components and
equations for arriving at the PFDavg of the SIF. For this third case, Riyaz shares [links
added]:
"mechanical equipment like valve bodies and actuators do not have any diagnostics
capabilities. According to IEC 61508 part 2, table 2, with a hardware fault tolerance
(HFT) of zero, they can only be used in SIL 1 applications. A digital valve controller
mounted on a Final Control Element improves the diagnostic coverage factor, which in
turn improves the SFF number, allowing the possible use in higher SIL rated
applications (per IEC 61508 part 2, table 3) by use of the Partial Stroke Test."
Riyaz sums up his thoughts: if the control valve is used as part of a SIF, then the
total PFDavg of the loop must meet the intended SIL level. If the control valve is used
for normal process control managed by the basic process control system (BPCS), then
per IEC 61511-3 part 1, section 3.2.3, the control valves do not have SIL suitability.
I also wanted to refer you to an earlier post, "Field Device Sharing Between Control and
Safety Systems," where we explored the case of sharing instruments between the BPCS
and the safety instrumented system (SIS).

Executing IEC 61511 Process Safety Projects


ControlGlobal.com has an excellent article on the global process safety standard, IEC
61511. The article, "IEC 61511 Implementation: The Execution Challenge," shares the
experiences of two Mustang Engineering process automation project veterans.

I turned to one of Emerson's certified functional safety experts (CFSE) and long-time
process safety veteran, Len Laskowski, for his thoughts on the article. You may recall
Len from numerous process safety-related posts.
In our phone conversation, Len's first comment after reading the article was, "This
sounds like the voices of experience." One does not just declare, "On the next project we
will implement IEC 61511," and have life be happy ever after. As the article suggests, a
company needs to adopt the IEC 61511 Safety Life Cycle. This takes time and resources
that many process manufacturers underestimate. Len noted that following the
Safety Life Cycle and doing the needed work will give process manufacturers the
foundation to properly execute a project and, more importantly, a safe facility.
He agreed with the authors about the large challenges confronting process manufacturers
when planning, designing, executing, and maintaining their operations using the IEC
61511 process safety lifecycle. The article's authors frame these challenges:
"The Safety Instrumented System (SIS) standard, IEC 61511, is driving the need for new
engineering tools and Project Execution Plans (PEPs). The standard is a lifecycle
approach to defining, implementing and managing a safety instrumented system (SIS).
Industry discussions tend to focus on the technical aspects of the standard, but project
execution is proving to have an equal or perhaps greater impact on the quality and
success of an IEC 61511 project. This article describes a few of the challenges from the
EPC [engineering, procurement, and construction] and MAC [main automation
contractor] perspective, and suggests approaches to enhance IEC 61511 execution and
technical outcomes."
I asked Len what most caused these projects to go awry, and without hesitation he said it
was not giving the upfront planning the time it requires, especially if this is the first time the
process manufacturer has executed a project using the IEC 61511 approach or if the
process is new. Even with completed Hazard and Operability (HAZOP) studies and
validated layers of protection analysis (LOPA), it takes a lot of time and there is usually
quite a bit of recycle. One example Len cited was a pressure relief valve. When walking
through the hazard scenarios, discoveries may come up, such as insufficient sizing for
reverse flow conditions. Changes may have to be made which ripple to other safety
instrumented functions (SIFs).
Another example Len offered is alarm level settings for standalone alarms that are used
as an independent layer of protection. Questions must be asked and answered as to whether
operators really have the required minimum amount of time to do something as a result
of the alarm condition. It also must be clear exactly what the operator must do to
alleviate the alarm condition. And ultimately, can all this be done within the process
safety time for the given condition? Resolving these questions takes cross-departmental
participation, and it all adds up to increased time required on the project's front end.
Len's guidance to project engineers is to resist the temptation to shortcut this front-end
planning. Shortcuts will cost more on the back end of the project in terms of rework, will increase
project timelines, and will increase the difficulty of testing the safety instrumented
functions over time.

More Thoughts on Executing IEC 61511 Process Safety Projects


Last Friday I highlighted thoughts from Emerson process safety expert Len Laskowski in
the post, "Executing IEC 61511 Process Safety Projects." He shared more than I could fit
in a single post, so today's post will share the balance.
One of the points made by the authors of the article, "IEC 61511 Implementation: The
Execution Challenge," was:
"The information required to fully define and document a SIF may entail 40 or more
unique data items. The source and detail required to document each item must be
defined clearly. The effort to gather, track and review this data can be significant. For a
large project, the work includes migrating and recording large amounts of data that
may be provided in different formats, at different times and by different disciplines and
organizations, so some companies develop in-house SRS database tools to improve
productivity, reduce errors and track SIF development and approval status."
Len agreed with the challenge of managing this number of data items required for many
safety instrumented functions (SIFs). The cause-and-effect matrices may provide 25 to
30 data items. Other decisions about test frequencies and coverage factors lead to
additional data items. Given this large volume of data per SIF, having a database to
manage the development and approval status is critical. The authors ask:
"A common scope question is what are the project requirements for documenting
protective instrumented functions (PIF) that are not required by the LOPA [layer of
protection analysis]/PHA [process hazard analysis]. Are PIFs documented in the SRS? Do
the SIF analysis and verification steps apply to PIFs? Will the SRS differentiate between
SIFs and PIFs?"
Len cautioned against using tools such as Intergraph's SmartPlant Instrumentation
(INtools) that manage your basic process control system (BPCS) I/O as the place to
manage your process safety management (PSM) database. A typical plant may have
3000 I/O under control of the BPCS and 300 I/O under control of the safety
instrumented system (SIS). Local, state, and federal regulations require a well-documented management of change process for any process safety-related changes.
Mixing your BPCS I/O into this change process is asking for trouble. Process
manufacturers need the flexibility to make changes to the BPCS to operate and
optimize their processes in an efficient manner. Programs such as INtools may be okay
for developing initial I/O lists, making instrument specs, and other parts of the design
process, but not for long-term documentation and management of change.
Instead, Len recommended a simple spreadsheet for the SIS I/O, which is much easier
to control and requires no special training. It contains the SIS database settings and cause
and effect matrix settings, including engineering units, pre-trip, and trip levels. Often the
control of this PSM database is by a different group within the plant than the group that
manages the BPCS.
Len's closing thought for process manufacturers new to the IEC 61511 process is to
focus on the critical shutdown streams in their process. In most processes, there are a
few really important streams to close down to take the process to a safe state. The rest
are secondary effects of the key streams. Once the key streams are designed and
approved, the rest can be done. This often helps to simplify the safety requirements
specification (SRS) and make the ongoing support through the safety lifecycle more
manageable.
Having strong, experienced technical leaders on the front end helps minimize problems
as the process safety project progresses. Although this front-end work may seem time
consuming and expensive, Len shared the old safety saying, "If you think safety is
expensive, try an accident!"

Wired Versus Wireless Risk Analysis for Process Instrumentation Measurements


How do wireless communications compare against wired communications for process
instrumentation? That was the subject of an Emerson Exchange presentation by
Kenexis' Ed Marszal and Emerson's Gary Hawkins. Their presentation, "Risk analysis of
wired versus wireless transmission of process measurements," was recently narrated by
Ed as an encore presentation and uploaded to YouTube.
In this 30:31 video, "Emerson Exchange 2014 Wired V Wireless," he discusses the
strengths and limitations of using wireless communications for both basic process
control and safety. He presents a typical fault tree analysis comparing the
communication types, along with case studies where wireless communications have
been used successfully.
Ed opened with some of the common perceptions among instrumentation and automation
professionals who believe that wireless is not as reliable as wired transmission and not
suitable for critical, safety-related services. Both perceptions, he noted, are not
necessarily true. Nothing in the IEC 61508 and IEC 61511 global safety standards
precludes the use of wireless devices. The risks must be assessed like those of every other
component in the safety instrumented function for the SIL levels to be achieved.
He described tools that are used in risk analysis. Some, like layer of protection analysis
(LOPA), are semi-quantitative and look at order-of-magnitude jumps in risk. Another
qualitative tool that has been used for many years is the probability-versus-severity
matrix.
Beyond qualitative analysis is quantitative analysis. Simplified fault tree analysis can be
used to provide different levels of accuracy and precision to the analysis being
performed. Outcomes of the analysis can be expected to differ from site to site due to
differences in the sites.
At 5:35 of the video, Ed provides a general description of fault tree analysis, and at 7:20 he
describes the safety nomenclature used for the wired vs. wireless risk analysis. This
analysis begins at 10:45, looking at a fault tree analysis for wired transmission of
instrumentation information. At 14:50 the wireless transmission analysis begins.

Ed provides some cases where a wireless solution was the preferable one. They
involve the time needed to get installed, the speed of the process (process safety time), quicker
recovery from an accident, and providing redundant routes (one wired, one wireless).

Safety Instrumented System Solenoid-Operated Valve Approaches


Last week at the Emerson Exchange conference, I caught up with Emerson's Riyaz Ali.
You may recall Riyaz from many safety instrumented system-related posts. We
discussed some of the trends in integrated positioners + solenoid valves + limit
switches + valve position transmitters. Riyaz felt that this approach is not in line with the
safety instrumented system (SIS) general philosophy for several reasons.
For these devices with an integral solenoid-operated valve (SOV), the pneumatic path is
only a single path, and the requirement for a redundant path will not be met.
This will affect the PFDavg calculations as per ISA TR84.00.02-2002 part 2, using the
simplified equation for a one-out-of-one (1oo1) arrangement:
$PFD_{avg} = \frac{\lambda_{DU} \cdot T}{2}$ (Note: $\lambda_{DU}$ is the dangerous undetected failure rate of the equipment under control
(EUC) and $T$ is the test interval.)
For solutions with external SOVs in series with smart positioners, this 1oo2 approach
has a PFDavg of:
$PFD_{avg} = \frac{(\lambda_{DU} \cdot T)^2}{3}$
A 1oo2 arrangement provides an improved PFDavg over a 1oo1 single-box
arrangement.
Riyaz notes that going to an external SOV will improve safety reliability, which means
either the SOV or the smart positioner is capable of taking the valve to its safe state. With
integral SOVs with smart positioners, only one pneumatic path is available, which
means there is no redundancy. Project teams may have to revisit the HAZOP analysis to
evaluate new safety integrity level (SIL) conditions.
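The 1oo1 and 1oo2 simplified equations above, carried through with a constructed failure rate and test interval and mapped onto the IEC 61508 low-demand SIL bands, as an added worked example that is not code from the post or from Emerson. The optional beta term is the common-cause share from the same simplified equation family in ISA TR84.00.02; it is not quoted in the post, and the beta values used are assumptions chosen to show the point about integrated packages.

```python
"""PFDavg of 1oo1 vs. 1oo2 final-element arrangements (simplified equations).

Added worked example. Failure rate, test interval and beta values are constructed.
PFDavg(1oo1) = lambda_DU * T / 2
PFDavg(1oo2) = (lambda_DU * T)^2 / 3  [+ beta * lambda_DU * T / 2 for common cause]
"""

# Low-demand SIL bands from IEC 61508-1: (lower bound inclusive, upper bound exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def pfd_1oo1(lambda_du: float, test_interval_h: float) -> float:
    """Single pneumatic path: one dangerous undetected failure defeats the trip."""
    return lambda_du * test_interval_h / 2


def pfd_1oo2(lambda_du: float, test_interval_h: float, beta: float = 0.0) -> float:
    """Two paths in series (either one can take the valve to safe state).

    The independent term assumes the two paths fail independently; beta models
    the fraction of failures that hit both paths at once (common cause), which is
    what an integrated single package tends to raise.
    """
    independent = (lambda_du * test_interval_h) ** 2 / 3
    common_cause = beta * lambda_du * test_interval_h / 2
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Return the SIL whose band contains pfd, or 0 if it is worse than SIL 1."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return 0


def compare_arrangements(lambda_du: float = 2e-6, test_interval_h: float = 8760.0) -> dict:
    """Constructed case: lambda_DU = 2e-6 per hour, proof test once a year."""
    cases = {
        "1oo1 integral SOV": pfd_1oo1(lambda_du, test_interval_h),
        "1oo2 external SOV, beta=0": pfd_1oo2(lambda_du, test_interval_h),
        "1oo2 external SOV, beta=0.10": pfd_1oo2(lambda_du, test_interval_h, 0.10),
        "1oo2 integrated package, beta=0.20": pfd_1oo2(lambda_du, test_interval_h, 0.20),
    }
    return {name: (pfd, sil_from_pfd(pfd)) for name, pfd in cases.items()}


if __name__ == "__main__":
    for name, (pfd, sil) in compare_arrangements().items():
        print(f"{name:36s} PFDavg={pfd:.2e}  band: SIL {sil}")
```

With these numbers the redundant path moves the element from the SIL 2 band to the SIL 3 band, but a common-cause share of 20% hands most of that gain back, which is the redundancy argument Riyaz makes against the single-box design.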
Referring to the global safety standard, IEC 61508, Riyaz makes the following points:
A smart SOV (integral microprocessor-based smart positioner + integral SOV) will be
classified as a Type B device as per IEC 61508 part 2, table 3. With a smart positioner plus an
external SOV pneumatically in series, the SOV is still regarded as a Type A simple device,
improving reliability.
The Type A and Type B definitions are taken from IEC 61508 part 2.
IEC 61508 part 2 clause 7.4.3.1.2 defines Type A: a subsystem (see 7.4.2.11, note 1)
can be regarded as type A if, for the components required to achieve the safety
function:
the failure modes of all constituent components are well defined; and
the behaviour of the subsystem under fault conditions can be completely determined;
and
there is sufficient dependable failure data from field experience to show that the
claimed rates of failure for detected and undetected dangerous failures are met (see
7.4.7.3 and 7.4.7.4).
IEC 61508 part 2 clause 7.4.3.1.3 defines Type B: a subsystem (see 7.4.2.11, note 1)
shall be regarded as type B if, for the components required to achieve the safety
function:
the failure mode of at least one constituent component is not well defined; or
the behaviour of the subsystem under fault conditions cannot be completely
determined; or
there is insufficient dependable failure data from field experience to support claims for
rates of failure for detected and undetected dangerous failures (see 7.4.7.3 and
7.4.7.4).
This means that if at least one of the components of a subsystem itself satisfies the
conditions for a type B subsystem, then that subsystem must be regarded as type B
rather than type A. See also 7.4.2.11, note 1.
A high common cause factor will result if everything is integrated in one package versus
an external SOV. Smart positioners for SIS and an external SOV pneumatically in series
provide redundancy in case of a safety demand, giving higher reliability. This is in
line with IEC 61511 part 3, clause 3.4 a) (page 20 of 70), which states, "...of probabilities and
considering common cause failures. It may be necessary to use redundant architectures
to achieve the required hardware safety integrity."
SOV health monitoring with physical results (a pressure blip can be seen in ValveLink)
compares favourably with the built-in test of an SOV with an integral positioner, which gives no definitive results. A smart
positioner digital valve controller (DVC) can test an SOV which is externally mounted
pneumatically in series. To improve MTTFs (Mean Time to Fail Spuriously), smart
positioners can use a reverse-type relay, which will NOT contribute to MTTFs. In case of
any electrical signal failure, or loss of the input current signal to the smart positioner, this will
NOT cause a spurious trip.
Hence two devices pneumatically in series will have the MTTFs of a single device (the SOV,
a Type A device, only). A smart positioner and SOV mounted externally, pneumatically in
series, will be ideal from the standpoint of safety reliability and plant availability.
Smart positioners with integral SOVs will have high air consumption (67.8 scfh) for a large
orifice, compared to a smart positioner with an external SOV, which will have a low-bleed relay (2.1
scfh). This is because external SOVs will NOT consume any air during normal operation.
The Fisher DVC6200 SIS provides an SIS Trigger capability, like the black box of an
aircraft, to provide rich data on a TRIP event for analysis by a safety engineer to help
avoid future trip conditions.

Volume Tank Considerations in Process Safety Applications


I saw a great process safety article in InTech magazine titled, "When failsafe isn't
enough." It gives a how-to approach to volume tank sizing for the reserve air pressure
required for an orderly safety shutdown.

The author describes some cases where this reserve air volume might be needed, such
as when the failure position of safety valves is not the failsafe condition or when
operating conditions require an orderly, sequenced shutdown.
The equations to size the volume tank are given, as well as who would typically supply
the equation parameters. For instance, the valve supplier typically supplies the safety
valve torque requirements and required leakage rates. The actuator supplier provides
the torque-to-supply-pressure tables. The good news for those of us a little rusty in our
advanced math skills is that the equations are algebraic and the simplifying
assumptions err on the side of conservative volume sizing.
I sent a link to this great article to Emerson's Len Laskowski, whom you may recall from
earlier process safety posts. Len is a principal technical consultant, registered
professional engineer, and certified functional safety expert (CFSE) and TÜV CFSE.
Len added that many engineers will tend to the conservative side and size the volume
tank for several strokes of a valve, even if it needs to operate only once in a single
stroke. This is mainly because extra capacity is relatively inexpensive, especially to
mitigate the risk of a larger hazard.
He shared a reactor emergency depressurization example as a typical application where
you might find volume tanks. Len wrote:
Typically, if this is a safety instrumented function (SIF) you want de-energized to trip
failsafe. The emergency depressurization valves are Fail Open on loss of air. A spurious
trip of this system would be bad news as the author suggests. It could create secondary
hazards as is suggested in IEC 61511 that need to be identified.
For example, if the air failure was extensive a large number of vessels all depressurizing
at once could overload a flare system. Too quick a depressurization of some chemicals
could cause auto refrigeration that could lead to a cooling of the vent piping below
design spec and the hazard of pipe embrittlement.
In some reactors, it would possibly blow catalyst out the vent system and possibly put
stress on reactor beds, or trays that could damage the internals of the vessel, due to
the large pressure differential caused by the emergency depressurization. These
secondary issues also need to be managed and are reasons why volume tanks are
needed.
Len has worked with process manufacturers to address some of these issues:

In some cases, a nitrogen or air bottle backup system would be used that has much
more capacity than a volume tank. I have also seen cases where nitrogen is
automatically switched in to back up a valve. This can be done by having a 3-way valve
hooked up so that the common goes to the final element, one side goes to instrument
air and the other to nitrogen.
You need some check valves to guard against reverse flow and have the valve actuator
off the instrument air so that it cuts off the nitrogen when instrument air is present. This
is also a good setup when you have air motors that need a lot of air (gas) to
move big valves. With nitrogen's toxicity in sufficient concentrations, these applications
are generally outdoors, well ventilated, and require close review.
Len complimented the author on his article and added a few more considerations for
process safety professionals. He wrote:
Other considerations that may be overlooked are common mode failures and testing.
Typically, one would put two check valves in the system because failure of one would
allow the tank to bleed out to the plant header. Also, care must be taken that the air is
clean and no dirt is allowed to get to the check valves, so a filter/separator is really
required to ensure that the check valves have a good opportunity to operate.
Facilities to isolate the volume tank from the air supply and bleed the air upstream of
the check valves are also required, not only to check that the system works initially but
also for future proof testing. Typically, these systems should be checked at the same
time the safety instrumented system (SIS) is proof tested. This is an easy item to
overlook and needs to be put on the testing schedule with the SIFs it supports.
I hope that between the author's original article and Len's additional thoughts there are
some pearls you can apply in your process safety efforts.

Primer on Safety Instrumented Systems and Process Safety


The Flow Control magazine website has a great "Safety Instrumented Systems Primer"
interview with Emerson's Mike Boudreaux. You may recall Mike and his views on process
safety and safety instrumented systems in earlier posts.
If you're not already steeped in the language of process safety, with things like safety
integrity levels (SIL), safety instrumented functions (SIF), IEC 61511, etc., the questions
and answers provide a good primer. I'll share just a few snippets from the Q&A, but
you'll want to read the entire interview.
Mike addresses the question of how safety instrumented systems (SIS) have come to
be:
"Much of the focus has been to reduce process risk through inherently safe design and
independent layers of protection (IPL). Safety instrumented systems are one of the
many layers of protection that are used to deliver increased process safety."

Further on this point, he describes why an SIS is important:


When a process cannot practically be designed to be inherently safe, an SIS can be
used to reduce risks to an acceptable level. An SIS can be designed to deliver a
specified safety integrity level (SIL) of risk reduction. IEC 61508 defines SIL 1 through
SIL 4, with each SIL designating a relative level of risk reduction provided by a safety
instrumented function (SIF) by an additional order of magnitude.
For those new to the world of process safety, Mike also shares his view on common
pitfalls in process safety SIS design and implementation:
When developing a safety requirements specification (SRS), process manufacturers
sometimes go overboard and make the SRS too complex to be practical, or they go in
the opposite direction and don't provide a consistent set of documentation. The SRS
should provide a functional description and the integrity requirements for each SIF. The
SRS is the document against which all of the safety lifecycle activities are verified and
validated. As such, it is important that this documentation be simple to use and
maintain.
The other major pitfall is the complexity of SIF design and SIL verification. Mike offers:
Knowing which devices to use, selecting the appropriate hardware fault tolerance,
correctly applying prior-use data, and designing the most economical SIF to minimize
capital and operating costs while maximizing availability, can be a difficult task. End
users should make sure the people performing this work are competent in the area of
process safety systems design and, more specifically, SIF design and SIL verification.
On advancements in SIS design strategy, Mike describes how technology is playing a
key role:
Improved device diagnostics is being driven by technology advancements in
microprocessors and device design. Diagnostics reduces the dangerous undetected
failure rates for devices. Automated online proof testing and device diagnostics will
deliver safer systems, because failures will be detected whenever they occur.
I hope you'll get as much from the interview as I did.

Control Valves in Process Safety Applications


Update and bump: I received great news from Riyaz that the ISA Kuwait section has
agreed to let us upload and link to their December 2009 newsletter containing Riyaz's
article, When is a Safety Integrity Level (SIL) Rating of a Valve Required?
I'd like to thank the ISA Kuwait staff and encourage readers in this region to join and
participate. You'll learn from their regular presentations by ISA Fellows and technology
participants, monthly newsletters, conferences & exhibitions, and connections with
other automation professionals.
Original post: Two questions were posed recently over at the ISA Safety Archives in a
thread, Valve in SIL verification (login required):
Q-1 Do we need to include the valve in SIL verification, or can we limit it up to the solenoid
operated valve, considering the valve as a mechanical device?
Q-2 To achieve SIL-2 we normally use 1oo2 configuration for the final element. Here do we
need to use 1oo2 configuration of the solenoid valve, or shall it be 1oo2 configuration of the
valve?
The feedback from the other listserv members, many of whom are prominent voices in the
process safety community, was that the valve must be included in the SIL verification
and that the 1oo2 configuration extends to the valve.
I checked with Emerson's Riyaz Ali, whom you may recall from numerous process
safety-related posts, on this discussion thread. Riyaz shared an ISA Kuwait section
whitepaper, When is a Safety Integrity Level (SIL) Rating of a Valve Required?
Unfortunately, the ISA holds the copyright on this whitepaper, so I can't provide a link to
it. I'll highlight a few points that Riyaz makes in the paper.
In the introduction, Riyaz notes that:
to establish an SIL suitability rating for a Safety Instrumented Function (SIF) loop, a
PFD value needs to be computed for the components of the loop (a SIF loop consists of sensor,
logic solver, final element). To calculate PFD, an equipment failure rate number is
required.
Riyaz enumerates 3 cases where control valves can be used as safety shutdown valves:
Control valves which are used only as an on/off single final element
Control valves which are used in a dual purpose context (both for control and safety)
Control valves which are used in a dual purpose context in addition (redundancy) to an
on/off valve
For the first case, the control valve would be the final control element in the SIF and this
SIF would need to have a safety integrity level (SIL) rating equal or greater than 1.

For the second case, Riyaz cites IEC 61511 part 1 clause 11.2.10 which states that a
device used to perform part of a safety instrumented function shall not be used for
basic process control purposes, where a failure of that device results in a failure of the
basic process control function which causes a demand on the safety instrumented
function, unless an analysis has been carried out to confirm that overall risk is
acceptable. He notes how this may be interpreted:
YES: If all possible failures of the control valve do not place a demand on any SIF, then the
control valve may be used with no further analysis. In this case, the control valve is the final
element of the Safety Instrumented Function (SIF) loop and needs to have a SIL rating equal to
or above 1.
NO: If failure of the control valve will place a demand on a SIF, then it may not be used
as the only final element in that SIF.
If failure of the control valve will not place a demand on the SIF for which it is intended but
may place a demand on any other associated SIF, then the control valve may be used in a
SIF only after detailed analysis. An additional step of further analysis will be necessary
in these cases to ensure that the dangerous failure rate of the shared equipment is
sufficiently low.
The control valve in this case would again be the final element of a SIF requiring a SIL
rating greater than 1.
In the third example of providing additional hardware fault tolerance for higher SIL
applications, mean time to fail (MTTF) of the control valve can be used in the probability
of failure on demand (PFDavg). He shares the failure fraction components and
equations for arriving at the PFDavg of the SIF. For this 3rd case, Riyaz shares [links
added]:
mechanical equipment like valve bodies and actuators do not have any diagnostics
capabilities. According to IEC 61508 part 2, table 2, with a hardware fault tolerance
(HFT) of zero, they can only be used in SIL 1 applications. A digital valve controller
mounted on a Final Control Element improves the diagnostic coverage factor, which in
turn improves the SFF number, allowing the possible use of higher SIL rated
applications (Per IEC 61508 part 2, table 3) by use of the Partial Stroke Test.
Riyaz sums up his thoughts: if the control valve is used as part of a SIF, then the
total PFDavg of the loop must meet the intended SIL level. If the control valve is used
for normal process control managed by the basic process control system (BPCS), then
per IEC61511-3 part 1, section 3.2.3, the control valves do not have SIL suitability.
I also wanted to refer you to an earlier post, Field Device Sharing Between Control and
Safety Systems, where we explored the case of sharing instruments between the BPCS
and safety instrumented system (SIS).

Safety Valve Positioners and Common Cause Failure Questions


If you work with pumps in your facility, you may be familiar with the Empowering Pumps
site, a wealth of information to help you with these important assets in your plant.
Founder Charli K. Matthews has launched something similar for valves, Empowering
Valves.

I had the opportunity to contribute a guest post, Common Cause Failures in Safety Valve
Positioners? It was based on a question I recently received. The question:
It's unclear to me whether position feedback from a smart positioner is truly
independent of the reference signal from the control system, as the positioner
ostensibly uses that same information as a measurement in its own local position
feedback loop (for which the reference signal is the setpoint). I'm guessing it's not in
most cases (and note that this trait is probably not unique to Emerson devices).
If you're driving the valve to a certain position with the reference, and then using the
position feedback to verify that the valve is actually at the position you drove it to,
there is a potential common-cause failure in the position sensing and processing. For
independence I'd think you would have to either use other means to drive the valve
(e.g., a dump solenoid valve), or have position sensing distinct from that used by the
positioner.
Emerson's Riyaz Ali responded:
Common cause factor is a key concern when using a position transmitter within a safety
valve positioner as is typically done.
Fisher FIELDVUE DVC6200 SIS digital valve controller
In the case of a valve positioning transmitter designed for process safety applications, it
is designed to isolate the positioning function. This design makes it completely
independent of the positioner: should the input signal or power to the positioner fail, or any
issue related to the positioner cause it to cease functioning, the position transmitter continues to
function to provide the valve's position.
As part of the certification process for use in safety instrumented functions up to safety
integrity level 2 (SIL 2), the position transmitter function is certified separately from the
positioner.
Process manufacturers managing the safety lifecycle for their plants follow the IEC
61511 standard. They rely on the suppliers to provide technologies including safety
shutdown valves, actuators, positioners, and positioning transmitters suitable for
application at the level of risk they are mitigating.
Common Cause Failures in Safety Valve Positioners?*
February 25, 2014 by Jim Cahill
A safety instrumented function, also known as a safety loop, includes the logic solver,
sensing device, and final control element. The final control element, often a valve, can
be the source of much discussion, since it is what moves to take the safety action.
An earlier Emerson Process Experts post, Providing Operators Process Control Valve
Position Feedback, stressed the importance of critical control valves having valve travel
feedback from independent devices such as position transmitters, limit switches, or
positioner output feedback.

A commenter wrote:
It's unclear to me whether position feedback from a smart positioner is truly
independent of the reference signal from the control system, as the positioner
ostensibly uses that same information as a measurement in its own local position
feedback loop (for which the reference signal is the setpoint). I'm guessing it's not in
most cases (and note that this trait is probably not unique to Emerson devices).
If you're driving the valve to a certain position with the reference, and then using the
position feedback to verify that the valve is actually at the position you drove it to,
there is a potential common-cause failure in the position sensing and processing. For
independence I'd think you would have to either use other means to drive the valve
(e.g., a dump solenoid valve), or have position sensing distinct from that used by the
positioner.
Exida's Dr. William M. Goble noted in a whitepaper, Estimating the Common Cause Beta
Factor:
Over the last few years, it has become recognized that common cause failures can have
a major negative impact on the safety and availability of redundant equipment. The
whole value of redundancy may be ruined. This is clearly recognized by IEC 61508 and
probabilistic analysis now requires a quantitative assessment of common cause.
As part of the design for products used in safety instrumented systems, extensive
design and testing must be performed in accordance with the IEC 61508 global safety
standard. Specifically for this smart positioner, Emerson's Riyaz Ali responded in an
email to me. He explained:
Common cause factor is a key concern when using a position transmitter within a safety
valve positioner as is typically done.
In the case of a valve positioning transmitter designed for process safety applications, it
is designed to isolate the positioning function. This design makes it completely
independent of the positioner: should the input signal or power to the positioner fail, or any
issue related to the positioner cause it to cease functioning, the position transmitter continues to
function to provide the valve's position.
As part of the certification process for use in safety instrumented functions up to safety
integrity level 2 (SIL 2), the position transmitter function is certified separately from the
positioner.
Process manufacturers managing the safety lifecycle for their plants follow the IEC
61511 standard. They rely on the suppliers to provide technologies including safety
shutdown valves, actuators, positioners, and positioning transmitters suitable for
application at the level of risk they are mitigating.

Overcoming Valve Failure | Tools and Methods*

March 27, 2014 by Beyond the Flange Staff Editor


Understanding the reasons behind valve failure is the best way to dramatically decrease
the probability of valve failure, which in turn increases overall system reliability in all
project, plant, and facility applications.
Comprehending the consequences of valve failure is another extremely important
element to evaluate when considering life cycle costs, energy efficiency, related costs
and regulations, as well as connected maintenance details.
An excellent resource on reducing the prospect of valve failure is the Val-Matic
article Minimizing Energy Consumption through Valve Selection.
One of the trickiest industry issues associated with valves today is the valve
selection process itself. Some underestimate how hard it is to choose the correct
valve product for each application.
Some have in the past believed the old adage "more is better" when picking out valves
and assumed that because their selections seemed to fit and work within the system,
they were acceptable choices. However, even though a valve may appear to work
or function within a system, this does not mean it is the appropriate valve for the job.
More is not always better; in fact, it can be worse in terms of valve selection, energy
efficiency, and ultimately valve failure.
Choosing the right valve for each job, system, or application can mean large savings for
an industrial company in terms of energy, as well as in avoiding potential
fines associated with an unacceptable amount of fugitive emissions, which are unfortunately
released in situations where the wrong valve was selected.
Tools for Overcoming Valve Failure
An impressively helpful tool for improving valve energy efficiency, as well as
overcoming valve failure, is Val-Matic's Energy Cost Calculator for Valves. With this
tool you can view a projection of 40 years of energy cost savings based on your
specific application's information. The cost calculator will then
calculate headloss for the specific valve and its application.
Working to avoid valve failure in any project or system is of prime importance,
since the valve plays such an important role in controlling flow,
pressure, air release, etc. The operational effect of each valve within each system
should most definitely be analyzed for overall cost, system effectiveness, efficiency,
and lifecycle expectations.
The best way to overcome valve failure is to ensure you are using the correct valve for
the job. The flow characteristic of the specific valve you are using can be highly
important in reducing your chance of valve failure if you are not dealing with an
isolation valve. The pump and the pump station make a big difference in the type of
valve you need to choose. Included in well-known valve failure issues are valve slam
and water hammer. These problems are associated with check valves. In order to
overcome valve failure in association with water hammer problems and valve slam, you
must ensure you are using the correct type of check valve with the right type of
features. Closing speed is an extremely important attribute of the check valve you are
choosing and care should be taken to determine the capabilities of the pump system
prior to making your valve selection.
The type of fluids used in the process the valves are handling is another aspect to note
when considering what ways you can overcome and prevent valve failure.
Documentation linked above discussing ways to minimize energy consumption via valve
selection is a detailed resource for reference when seeking to study the many ways
selection of a valve will aid in overcoming valve failure.
Valve Industry Knowledge Sharing
As is the mission of the Empowering Valves community, we strive to bring together
timely and essential information; delivering one location wherein individuals who
dedicate their professional careers to the pump and valve industry, as well as all who
interact with the valve industry, are able to more easily find information they need and
resources to obtain further details specific to their individual applications and projects.
If you have additional details regarding information, methods, and tools to overcome
valve failures, please share your knowledge with the online valve community by joining
the Empowering Valves LinkedIn Group and join in the discussions so that others
associated with your industry, and the world of citizens as a whole who are all affected
in one way or another by the pump and valve industry, can benefit from your shared
knowledge and experiences, making further advancements in technology possible in an
increasingly effective way!

Separate Versus Integral Final Element Accessories in Safety Applications


Final elements such as safety shutdown valves, emergency isolation valves, blowdown
valves, etc., in safety instrumented functions (SIFs) are equipped with various
accessories such as digital valve controllers, solenoid valves (SOV), and volume
boosters, to name a few.
Emerson's Riyaz Ali shared a draft of a paper he is developing about the different
approaches with respect to smart positioners and solenoid valves in process safety
applications. He noted that the IEC 61511 global safety standard defines a safety
instrumented system (SIS) as an instrumented system used to implement one or more
SIFs.

Final elements used in safety applications typically remain stationary until a safety
demand arises which requests them to go to their safe state, either fully open or fully
closed. Digital valve controllers, such as the DVC6200 SIS, have been certified by a third
party as standalone devices, suitable for use in safety applications up to SIL 3 SIF loops.

Riyaz shared that many process manufacturers still opt to use solenoid valves (SOVs)
pneumatically mounted in series with the digital valve controllers. This approach
provides a redundant pneumatic path in case of a safety demand, where either device
will drive the emergency shutdown (ESD) valve (often tagged ZV) to the fail-safe
position should the primary ESD device (solenoid valve) fail to function. In this case, the
digital valve controller can drive the valve to a safe state.
Also, as we highlighted in an earlier post, Checking Your Safety Solenoid Valves, the
digital valve controller can sense and capture the data for the momentary pressure blip
across the solenoid valve to verify its health without causing the safety valve to move.
Riyaz explained that having a solenoid valve integral with a smart positioner would not
meet redundancy requirements. This arrangement will affect the PFDavg calculations as
per ISA TR84.00.02-2002 part 2. An integral SOV provides a one-out-of-one (1oo1)
arrangement where an external SOV provides a one-out-of-two (1oo2) approach in the
pneumatic path. The 1oo2 approach provides improved PFDavg over a 1oo1 single-box
approach.
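To put numbers on the 1oo1 versus 1oo2 comparison, and on Goble's warning that common cause can ruin the value of redundancy, here is an added Python example (not from Riyaz's paper, ISA TR84.00.02 or any certified device data); it uses the common simplified PFDavg equations with a beta factor, and the failure rate, proof test interval and beta values are constructed.

```python
"""Added example: simplified low-demand PFDavg of a final element voted 1oo1 vs 1oo2.

The formulas are the common simplified ones (repair time ignored, proof test
assumed to reveal every dangerous failure). That simplification, the SIL band
table and the sample numbers are assumptions of this example, not figures from
Riyaz's paper, ISA TR84.00.02 or any certified device data.
"""

# Low-demand SIL bands (IEC 61508 / IEC 61511): (SIL, lower bound, upper bound)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def _check_inputs(lambda_du: float, ti_hours: float) -> None:
    if lambda_du <= 0 or ti_hours <= 0:
        raise ValueError("failure rate and proof test interval must be positive")


def pfd_1oo1(lambda_du: float, ti_hours: float) -> float:
    """PFDavg of a single final element: lambda_DU * TI / 2."""
    _check_inputs(lambda_du, ti_hours)
    return lambda_du * ti_hours / 2.0


def pfd_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """PFDavg of two identical elements voted 1oo2 with common-cause fraction beta.

    Independent failures: ((1 - beta) * lambda_DU)^2 * TI^2 / 3
    Common-cause failures: beta * lambda_DU * TI / 2  (they act like one 1oo1 element)
    """
    _check_inputs(lambda_du, ti_hours)
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta is the common-cause fraction of lambda_DU, in [0, 1]")
    independent = ((1.0 - beta) * lambda_du) ** 2 * ti_hours ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL reached by a PFDavg value; 0 means it does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # below the SIL 4 band floor; report as SIL 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed values: lambda_DU = 2e-6 per hour for the SOV + valve assembly,
    # proof tested once a year (8760 h).
    LAMBDA_DU, TI = 2e-6, 8760.0
    single = pfd_1oo1(LAMBDA_DU, TI)
    print(f"1oo1: PFDavg = {single:.2e} -> SIL {sil_from_pfd(single)}")
    # Rising beta eats the benefit of the second element; at beta = 0.2 the
    # redundant pair is back in the SIL 2 band, which is Goble's point.
    for beta in (0.0, 0.02, 0.1, 0.2):
        dual = pfd_1oo2(LAMBDA_DU, TI, beta)
        print(f"1oo2, beta = {beta:.2f}: PFDavg = {dual:.2e} -> SIL "
              f"{sil_from_pfd(dual)} ({single / dual:.0f}x better than 1oo1)")
```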
If the SOV is external in the pneumatic line, then the digital valve controller can monitor
its health, and the test results on the plunger movement within the SOV during the test
can be sent directly to the control system. Similar tests can be done if the SOV is
integral to the digital valve controller, but then neither test reports nor the
health status of the internal SOV are available at the control system level.
Riyaz believes that an external solenoid valve pneumatically in series is a preferred
option due to the redundancy in hardware to drive the valve to its safe state. Per IEC 61508, a
smart SOV (integral microprocessor-based smart positioner + integral SOV) will be
classified as a Type B device (IEC 61508 part 2 clause 7.4.3.1.3). This means that the failure
mode of at least one constituent component is not well defined, or the behavior of
the subsystem under fault conditions cannot be completely determined, or there is
insufficient dependable failure data from field experience to support claims for rates of
failure for detected and undetected dangerous failures.
An SOV connected externally in series would be a Type A device (IEC 61508 part 2 clause
7.4.3.1.2). This means the failure modes of all constituent components are well
defined, the behavior of the subsystem under fault conditions can be completely
determined, and there is sufficient dependable failure data from field experience to
show that the claimed rates of failure for detected and undetected dangerous failures
are met. Going from a Type A to a Type B device will have an impact on safety reliability,
and evaluation of the SIF loop will be required for the PFDavg calculation.
To improve MTTFs (mean time to fail spuriously), a smart positioner can use a reverse-type
relay, which will not contribute to MTTFs. In the case of an electrical signal or input
current signal failure, the smart positioner will not cause a spurious trip. This means that
two devices connected pneumatically in series will have the MTTFs of a single device (the SOV,
a Type A device, only). A smart positioner and SOV mounted externally pneumatically in
series support high safety reliability and plant availability.
A smart positioner with an integral SOV will have high air consumption (67.8 scfh) because of its
large orifice, compared to a smart positioner with a similarly sized external SOV, which
will have a low-bleed relay (2.1 scfh). This is because external SOVs will NOT consume
any air during normal operation.
Riyaz closed by suggesting that for SIS applications, accessories such as volume
boosters or solenoid valves (if required) be kept as external devices rather than integral. This
subject is still open, and future technology developments may warrant another look at
the pros and cons of integral vs. external final element accessories in process safety
applications.
Update: The factors converting standard cubic feet per hour to cubic meters per hour
were incorrect and have been removed.

Final Control Element Partial Stroke Testing


Emerson's Riyaz Ali, whom you may recall from earlier posts, recently wrote an Inside Functional
Safety article titled Digital Technology: A remedy for sick shutdown valves in
Safety Instrumented System (SIS) applications. The paper is available for purchase from
Inside Functional Safety, so I can't upload or link to it, but I'll highlight a few points
Riyaz makes. Here's a portion of the abstract:

In the event of a safety demand, the final control element of a safety instrumented
function (SIF) loop is a key component to a process going to a safe state. Unlike the
logic solver or sensors (analog transmitters), the final control element requires a total
shutdown to check the mechanical integrity. With the invention of the digital valve
controller, a final control element's mechanical movement can be tested online by
moving a span of 10% or 15% without disrupting the process.
For those not familiar with two of the major international safety standards for process
manufacturers, IEC 61508 and IEC 61511, Riyaz provides this contrast:
IEC61511 is an industry specific version, specifically dealing with process industries in
the Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
IEC61511 provides clarity to the use of IEC61508 in automation protection systems for
the process industries by using industry specific vocabulary, specific examples, and
tailored requirements.
As mentioned in the abstract, the final control element is a critical portion of the safety
instrumented function or safety loop to take the process to a safe state. It could be an
emergency shutdown valve, blow down valve, emergency isolation valve, emergency
venting valve, or on/off valve. These valves may remain dormant for long periods, so
they must be tested periodically to make sure they will operate properly upon a safety
demand situation.
Riyaz notes that conventional testing requires either process shutdowns or bypasses,
the latter of which adds complexity and risk to the process flow. Completely testing the
final control element's performance requires an in-line test that strokes the valve through
its full travel.
Without bypasses, the loss of production means process manufacturers want to extend
these full stroke tests as long as possible, until the plant is shut down for turnaround
maintenance.
Riyaz describes ways developed to extend the time intervals for the final control
element testing by partially stroking the valves. He writes:
It was recognized that the most likely failure mode of a discrete shutoff valve is to
remain stuck in its normal position. To test for this type of failure, it is not necessary to
completely stroke the valve to test its functionality. A large percentage of covert valve
failures can be detected if a limited form of testing can determine that the valve is not
stuck and will begin to move. Furthermore, if this type of test could be performed online
without shutting down the process, improvements in the PFDavg could possibly be
obtained without the loss of production.

Methods to perform this partial stroke testing include mechanical limiting devices and
more recently logic solver-based testing:
which sends fixed pulsations to the solenoid valve to monitor the subsequent
movement of the valve. The pulse duration is set to allow slightly more than the
required 10-15% movement. The feedback to valve movement is provided by an analog
limit switch.
Whichever method is used, written safety procedures are important to make sure plant
trips don't occur and that proper documentation and maintenance are performed by properly
trained personnel.
Riyaz shares how a digital valve controller is a good solution for these partial stroke
tests because it:
receives a control signal from the logic solver. It incorporates travel feedback of the
valve position plus supply and actuator pneumatic pressures. This allows the smart
positioner to diagnose not only itself, but also the health of the valve and actuator.
Since the process is not shutdown, the tests can be run more frequently and initiated by
the logic solver, HART handheld communicator, panel, and/or PC. The tests are also
automatically documented and can provide comparisons between tests. In the event of
a safety demand, the digital valve controller can also provide a log to help understand
the sequence of events for post-event analysis.
He clarifies that partial stroke tests do not eliminate the need for a full stroke test;
however, they do extend the proof test interval. This extension is often long enough to
reach the plant turnaround, where all the final control elements can have full stroke
testing performed.
If you are unfamiliar with some of these ways of partial stroke testing, you may want to
purchase the paper or review some of the past blog posts in which Iv

Positioners and Partial Stroke Tests in Safety Applications


InTech magazine has a web exclusive on the importance of safety valves in a safety
instrumented system. The article, Valve failure: Not an Option, describes methods of
implementing partial stroke testing (PST) to reduce the probability of failure upon
demand, average (PFDavg).
For those not familiar with a partial stroke test, I found this definition:
This test checks for valve movement without fully stroking the valve. Many applications
will allow 10% movements to verify valve response without upsetting the critical
process line. Diagnostic data is collected and an alert is given if the valve is stuck.

The purpose of this test is to improve PFDavg to possibly increase the safety integrity
level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend
the proof test interval, or a combination of both. Extending the proof test interval may
allow process operators to avoid additional downtime by scheduling proof tests during
turnarounds.
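The proof test interval extension described in Riyaz's article and in the InTech definition above can be quantified; this added Python example (not from either article) models a PST with a given diagnostic coverage, computes the resulting PFDavg, and solves for how far the full stroke interval can be stretched at a constant PFDavg. The coverage model and all numbers are constructed assumptions.

```python
"""Added example: how partial stroke testing (PST) changes PFDavg and how far the
full-stroke proof test interval can be extended while holding PFDavg constant.

Model (an assumption of this example, a common simplified treatment, not the
InTech article's or Riyaz's own calculation): a PST with diagnostic coverage C
reveals the fraction C of dangerous undetected failures at the PST interval
TI_pst, while the remaining fraction (1 - C) is only found by the full stroke
proof test at interval TI_full. Repair time is ignored.
"""


def _validate(lambda_du: float, coverage: float, *intervals: float) -> None:
    if lambda_du <= 0 or any(ti <= 0 for ti in intervals):
        raise ValueError("failure rate and test intervals must be positive")
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("PST coverage is a fraction in [0, 1]")


def pfd_avg_with_pst(lambda_du: float, ti_full_h: float,
                     coverage: float, ti_pst_h: float) -> float:
    """PFDavg = (1 - C) * lambda_DU * TI_full / 2 + C * lambda_DU * TI_pst / 2."""
    _validate(lambda_du, coverage, ti_full_h, ti_pst_h)
    uncovered = (1.0 - coverage) * lambda_du * ti_full_h / 2.0
    covered = coverage * lambda_du * ti_pst_h / 2.0
    return uncovered + covered


def max_full_stroke_interval(lambda_du: float, target_pfd: float,
                             coverage: float, ti_pst_h: float) -> float:
    """Longest TI_full (hours) that keeps PFDavg <= target_pfd with PST in place.

    Solves the PFDavg equation above for TI_full. Coverage of 1.0 is rejected
    on purpose: a partial stroke never proves the valve reaches its safe state,
    so the full stroke test is still required (as the article notes).
    """
    _validate(lambda_du, coverage, ti_pst_h)
    if target_pfd <= 0:
        raise ValueError("target PFDavg must be positive")
    if coverage >= 1.0:
        raise ValueError("100% PST coverage is not credible; keep the full stroke test")
    ti_full = (2.0 * target_pfd / lambda_du - coverage * ti_pst_h) / (1.0 - coverage)
    if ti_full <= 0:
        raise ValueError("the PST-covered term alone exceeds the target; test more often")
    return ti_full


if __name__ == "__main__":
    # Constructed values: lambda_DU = 2e-6 per hour, full stroke once a year,
    # PST every 30 days (720 h) with 70% diagnostic coverage.
    LAMBDA_DU, YEAR, MONTH, COVERAGE = 2e-6, 8760.0, 720.0, 0.7
    base = pfd_avg_with_pst(LAMBDA_DU, YEAR, 0.0, MONTH)  # no PST: lambda * TI / 2
    with_pst = pfd_avg_with_pst(LAMBDA_DU, YEAR, COVERAGE, MONTH)
    print(f"annual full stroke only : PFDavg = {base:.2e}")
    print(f"plus monthly PST (C=0.7): PFDavg = {with_pst:.2e}")
    ext = max_full_stroke_interval(LAMBDA_DU, base, COVERAGE, MONTH)
    print(f"same PFDavg with PST    : full stroke every {ext / YEAR:.1f} years")
```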
The author enumerates four methods of performing the PST: by the emergency
shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or
2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4 doubled diagnostic (2oo4D)
redundant device.
The part of the article that jumped out at me, which I needed to ask Emerson's Riyaz
Ali about, was:
Using a positioner-based device is perhaps the worst option, as it is a complete
misapplication of technology. Positioners should modulate control valves, whose
movement is very small. ESD valves on the other hand are fully open or fully closed,
and go from one state to the other as quickly as possible. Because positioners have a
very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to
satisfy the process safety time, and are suitable only for smaller valves. To compensate
for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not
tested during the PST and remains in an open position for an extended period of time.
As such, it may not be able to close (vent) upon demand and is itself a source of both
dangerous failures and spurious trips.
In addition to the interposing SOV, positioners use a pneumatic valve-nozzle
arrangement, which operates independently of the positioner electronics. Given the
nozzle orifice plugs up (often by a tiny speck of dirt or water in the air supply), shutting
off the electronics will not vent the valve diaphragm. This is a dangerous failure mode,
as venting the diaphragm (closing the valve) is critical to achieving the safe state.
Unfortunately, most positioner product safety evaluations do not address this
dangerous failure mode.
Riyaz offers some counterpoints. Advanced positioners or digital valve controllers such
as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown
valves and have gone through the rigorous design, testing and certification process
defined in the IEC 61508 international safety standard for use up to SIL 3 applications.
This design, testing and certification process was developed to ensure the applicability
of the technology for this process safety application.
Riyaz notes that it is true that a few applications do require shorter process safety
times. He points out that it is not necessary to use a solenoid valve (SOV) to improve
the stroking speed; positioners can use pneumatic devices to achieve faster stroking
times. I discussed a quick-exhaust example in an earlier post. For process manufacturers
who still would like to use an SOV in the SIF loop, these SOVs come in different capacities
to meet the stroking speed requirements. Also, some of the more modern positioners
like the DVC6000 SIS can monitor the health of the SOV when it's used with a
single-acting actuator. It performs checks for the dangerous failures of SOVs on-line
without affecting the process.

Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL3 SIF in
standalone mode. When used in standalone mode or in pneumatic series with SOV or
other pneumatic accessories, it continuously checks the pneumatic integrity
(functioning of I/P and pneumatic relay) to ensure that these components are working
and ready to drive the valves upon a safety demand (see figure 13). If, during normal
operation, any abnormality is noted, an alert is sent to the HOST system.
Riyaz also clarifies that air quality requirements are always specified in each product
bulletin for pneumatically operated valves; specifically, the safety manual of a field
device always recommends following the ISA S7.0.01 air quality standard, which
specifies that the air be clean and dry, without oil, water or any particulate
contaminants. For your IEC 61511 process safety risk mitigation efforts, partial stroke
testing performed by digital valve controllers can help you reduce the PFDavg of your
safety shutdown valves.

When failsafe isn't enough

An orderly shutdown is imperative: These equations give a quick way to check the
recommended volume tank size or to do the sizing oneself.

FAST FORWARD
The failure position of a valve is not always its failsafe position.
Volume tanks supply a reserve of air for actuating a valve.
A volume tank for a throttling control valve requires a complex analysis.

By Bryce Elliott
Many times, processes will require reserve volumes of air for valve actuation on failure
of the air header.

Typical reasons for needing this additional volume are when the failure position of the
valve is not the failsafe position or when operating requirements dictate a more
orderly shutdown than having the valve immediately going to its failure position.
A volume tank needs to be in place to supply a reserve volume for actuating the valve.
The question then comes of how to size this tank.
The volume of the tank, Vt, has to be large enough and under sufficient pressure, Pi, to
fill the volume of the actuator, Va, at the minimum pressure required by the actuator,
Pf, for the number of strokes required, s.
The values of Va and Pf need to come from the actuator manufacturer. Pf will change
depending on the torque required to stroke the valve, so input from the valve vendor
may also be necessary.
Typically, the valve vendor will calculate the required torque, which will vary depending
on the individual valve type, packing design, shutoff differential pressure, and required
leakage, and choose the actuator accordingly.
The actuator manufacturer should supply a table that relates torque to supply pressure,
and the engineer can select the appropriate pressure based on the required torque the
valve vendor has given. Pi will be the normal operating pressure of the air header.
s is the number of times the valve will need to stroke before the pressure reduces below
the point at which the valve can no longer actuate. This will depend on the operating
philosophy for this valve. The process, operations, and safety groups may have input
into determining an adequate value for s.

To begin developing an equation for sizing the tank, start with the simplest case, a
single stroke.

The gas in the volume tank will expand to fill the volume Vt + Va. There are two known
pressures, Pi and Pf. Since the gas expansion will be fairly quick, little heat will come
from or go into the environment. For this reason, we can take the gas expansion to be
adiabatic in our model.
An adiabatic process is one in which no heat is exchanged with the surroundings.
The other extreme case is isothermal, where the expansion takes place slowly enough
that the gas stays at constant temperature; this results in smaller calculated values
than the adiabatic assumption. Reality lies somewhere in between. Calculating the
process as adiabatic will provide some of the margin for error.
Thermodynamics tells us that PV^k is constant for an adiabatic process. k is the ratio of
the specific heats, CP/CV, which for air at the pressures and temperatures of interest
is approximately 1.4.

The equation is:

(1)

Pi, Pf, Va, and k are knowns, and we can readily solve for Vt :

(2)
Keep in mind the pressure units must be absolute (e.g. psia). Aside from that, the units
(volume and pressure) need only be consistent. If the actuator volume is given in
cubic inches, the tank volume solved for will be in cubic inches (actuator volume in
gallons will yield tank volume in gallons, etc.).
If multiple strokes are required, the procedure is similar, but a bit more complicated.
The air in the volume tank expands to fill the volume in the volume tank and the
actuator. The volume in the actuator is then exhausted, and the remaining air in the
tank expands again to fill the volume in the volume tank and the actuator. For two
strokes, the two equations are:

P2 is the intermediate pressure in the volume tank after the first stroke. Solve each
equation for P2.

Set (5) and (6) equal to one another, eliminating P2.

Solving (7) for Vt yields:

For more than two strokes, a similar system of equations can be set up, with the
intermediate pressures eliminated algebraically. The general formula is:

For multiple strokes, the strokes probably will not be in quick succession, which would
allow the tank air to warm to ambient temperature between strokes (it cools slightly
when it expands to fill the actuator). This will slightly reduce the amount of necessary
air because the pressure in the volume tank will increase with the temperature
increase. Because we cannot know ambient temperature in advance, it is impossible to
calculate this effect precisely. Since it is not significant, we can neglect it.

Another margin comes by the fact that tanks are available in discrete sizes. If one
calculates a volume of 8 gallons, 10 gallons is the best tank size, so 25% extra is
automatically built-in.
Some of the smaller standard sizes offered are 10, 15, 20, 30, 60, 80, and 120 gallons.
Note: Tubing volume is typically a negligible consideration. However, for long tubing
runs (greater than 75 feet), we may need to factor the volume in.
It is possible to reduce the air necessary by putting a downstream pressure regulator
between the volume tank and the actuator. In this case, the set pressure of the
regulator is set equal to, or very slightly higher than, the minimum pressure of the
actuator.
Doing so gives a similar adiabatic expansion, but since the actuator is being filled at the
same pressure each time, the end result is as though the air in the volume tank at the
starting pressure takes up Vt + sVa at the ending pressure, or: (10)

Solving for Vt gives:

This is the result of equation (2) multiplied by the number of strokes. Also, in the
examples below, reducing the required air by adding a pressure regulator usually did
not reduce the selected tank size.
A volume tank for a throttling control valve requires a more complex analysis than what
we are looking at here. A throttling valve will have partial strokes. It may also have a
positioner, which is a constant bleed device, meaning the volume in the tank will leak
out over a fairly short period of time.
This analysis requires knowing the bleed rate (which varies depending on input
pressure), the amount of time the valve is expected to be available (multiplying these
two will yield a mass of air, though the variable bleed rate may require some
integration, either piecewise or continuous), and some estimate of the number of
strokes required. This will not necessarily be a whole number; round up. One can then
apply the same sort of analysis given here to come up with the air necessary to stroke
the valve. Add the air required by the bleed rate to the air required to stroke the valve,
taking care to keep consistent units.
For sizing volume tanks for on/off valves, use equation (9) or (11), as appropriate. A
nice result of these equations is that it is not necessary to include a safety factor, as the
safety factor is a part of the simplifying assumptions. These will give the engineer a
quick way either to check the volume tank size recommended by the valve vendor or to
do the sizing oneself.
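A worked sizing calculation, added here and not part of Bryce Elliott's article: it applies the adiabatic relation stated above (PV^k constant, k = 1.4), chains it stroke by stroke as the text describes to obtain the multi-stroke and regulator cases, and rounds the result up to the standard tank sizes listed. The sample header pressure, actuator minimum pressure and actuator volume are constructed, as is the step-by-step simulation used to cross-check the closed form.

```python
"""Volume tank sizing for an on/off valve's reserve air (added example)."""

K_AIR = 1.4  # Cp/Cv for air at the pressures and temperatures of interest (from the text)

# Standard tank sizes the article lists, in gallons, smallest first.
STANDARD_TANK_GALLONS = (10, 15, 20, 30, 60, 80, 120)


def _check_inputs(p_initial, p_final, v_actuator, strokes):
    # Pressures must be absolute (e.g. psia); the model is meaningless otherwise.
    if p_final <= 0 or p_initial <= p_final:
        raise ValueError("need absolute pressures with p_initial > p_final > 0")
    if v_actuator <= 0 or strokes < 1:
        raise ValueError("actuator volume must be positive and strokes >= 1")


def tank_volume(p_initial, p_final, v_actuator, strokes=1, k=K_AIR):
    """Tank volume Vt for `strokes` strokes with no regulator in the line.

    Per stroke the tank air (pressure P, volume Vt) expands adiabatically into
    Vt + Va, so P * Vt**k = P_next * (Vt + Va)**k. The actuator is then vented
    and the remaining tank air repeats the expansion. Chaining s strokes and
    eliminating the intermediate pressures leaves
        Pf = Pi * (Vt / (Vt + Va))**(s*k)
    which is solved for Vt here. Units: any consistent volume unit and any
    consistent absolute pressure unit.
    """
    _check_inputs(p_initial, p_final, v_actuator, strokes)
    ratio = (p_initial / p_final) ** (1.0 / (strokes * k))
    return v_actuator / (ratio - 1.0)


def tank_volume_regulated(p_initial, p_final, v_actuator, strokes=1, k=K_AIR):
    """Tank volume with a downstream regulator set at the actuator's minimum.

    Each fill is now at the same pressure, so the air behaves as if it expanded
    once from Vt at Pi into Vt + s*Va at Pf: Pi * Vt**k = Pf * (Vt + s*Va)**k.
    The result is the single-stroke volume multiplied by the stroke count.
    """
    _check_inputs(p_initial, p_final, v_actuator, strokes)
    ratio = (p_initial / p_final) ** (1.0 / k)
    return strokes * v_actuator / (ratio - 1.0)


def pressure_after_strokes(v_tank, p_initial, v_actuator, strokes, k=K_AIR):
    """Step-by-step cross-check: simulate the expand/vent cycle and return the
    tank pressure after `strokes` strokes (no regulator)."""
    p = p_initial
    for _ in range(strokes):
        p = p * (v_tank / (v_tank + v_actuator)) ** k  # adiabatic expansion
        # actuator vented; the tank keeps pressure p at volume v_tank
    return p


def select_standard_tank(required_volume, sizes=STANDARD_TANK_GALLONS):
    """Smallest standard tank at or above the calculated volume; the round-up
    is the extra margin the article mentions (8 gal calculated -> 10 gal)."""
    for size in sizes:
        if size >= required_volume:
            return size
    raise ValueError(f"no standard size >= {required_volume:.2f} gal in {sizes}")


def size_volume_tank(p_initial_psia, p_final_psia, v_actuator_gal, strokes,
                     regulated=False):
    """Full sizing: (calculated volume in gal, standard tank to order in gal)."""
    calc = (tank_volume_regulated if regulated else tank_volume)(
        p_initial_psia, p_final_psia, v_actuator_gal, strokes)
    return calc, select_standard_tank(calc)


if __name__ == "__main__":
    # Constructed sample inputs: 100 psia header, 50 psia minimum actuator
    # pressure, 1 gal actuator volume, 3 strokes required.
    for regulated in (False, True):
        calc, tank = size_volume_tank(100.0, 50.0, 1.0, 3, regulated)
        print(f"regulated={regulated}: {calc:.2f} gal -> {tank} gal tank")
```

With the sample inputs the regulator cuts the calculated volume from about 5.57 gal to about 4.68 gal, yet both round up to the same 10 gal tank, matching the article's observation that the regulator usually does not change the selected size.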
Terminology
Adiabatic process occurs with no exchange of heat between the system and its
environment.
Fail-safe or fail-secure describes a device or feature which, in the event of failure,
responds in a way that will cause no harm, or at least a minimum of harm, to other
devices or danger to personnel.
Actuator is a device to convert an electrical control signal to a physical action. Actuators
may be for flow-control valves, pumps, positioning drives, motors, switches, relays, and
meters.

Solutions for SIS and Foundation Fieldbus


I'm lucky enough to receive a copy of Andrew Bond's Industrial Automation Insider
newsletter each month through an Emerson subscription agreement. Andrew covers the
happenings among the automation suppliers and standards bodies. You can also find
some of Andrew's writings on the ControlGlobal.com site.
In the November 2008 newsletter, one item that caught some attention around here
was this nugget:
first TÜV-approved SIL3 Foundation fieldbus safety valve controller to appear on the
market. The device delivers status changes automatically via Foundation fieldbus and
incorporates real time alarm management eliminating the need for external wiring or
I/O cards.
I have the privilege of working in the vicinity of two very knowledgeable people with
respect to process safety, Riyaz Ali and Mike Boudreaux.
Riyaz notes that the Foundation SIF specifications are still under development. In a
recent Fieldbus Foundation release, it quotes ARC's Larry O'Brien:
It is very clear that end users want this technology and are striving to include FF-SIF
systems in their project specifications. Many major end users will probably be specifying
FF-SIF systems for their new projects starting in 2011.

A September 2008 ARC whitepaper, Foundation Fieldbus Safety Instrumented Functions
Forge the Future of Process Safety, provides background on the Foundation SIF standard
advancement and its current draft status. Mike and Riyaz were present at the successful
May 2008 Foundation SIF end user demonstration project in Amsterdam, and Mike
shared his experiences with me. Riyaz also shared that one of the function blocks, the
SIF_DO block, will not be available from the Fieldbus Foundation until the first half of
2009.
Many automation suppliers are developing products based on the current Foundation
SIF draft, including Emerson. I asked Riyaz about the current solution Emerson provides
until the standard is ratified. Riyaz responded:
The current solution for use in a Foundation fieldbus SIS application is to use the
DVC6000f PD instrument. Several hundred units have been supplied worldwide to
process manufacturers where partial stroke test scripts are run from host systems, such
as the DeltaV system and AMS Device Manager.
In this application, process manufacturers use a solenoid valve operated by a hardwired
digital output from the SIS logic solver.
Riyaz expects that until process manufacturers have sufficient experience, they will
continue to use an independent solenoid valve to take the SIS valve to the fail state,
while at the same time using a DVC6000f PD for partial stroke diagnostics using
Foundation fieldbus through the basic process control system (BPCS).
Mike notes that both the DeltaV and DeltaV SIS systems are capable of performing
these safety instrumented function predictive diagnostics. The DeltaV system is being
used to perform partial stroke testing with the DVC6000f PD using Foundation fieldbus
communications. The DeltaV SIS system is being used to automate partial stroke testing
with the DVC6000 SIS safety valve controller using HART communications. This
additional diagnostic coverage assists process manufacturers with their IEC 61511
safety lifecycle efforts.
Using diagnostics enabled by Foundation fieldbus and HART communications, the
DeltaV and DeltaV SIS systems with DVC6000 digital valve controllers can provide many
of the benefits today that are promised by Foundation SIF in the future.

Addressing Safety Valve Opening Times with Partial Stroke Tests


A question came into the ISA's Safety email list concerning the use of valve positioners
in partial stroke tests for valves used in safety shutdown applications. The person
asking the question wrote:
I was informed that PST using a positioner such as the Fisher/Emerson has got a problem
when first opening the valve because the Cv value of the positioner is small, so it will
take a very long time to open large valves/actuators. Please advise if this comment
is valid.

Emerson's Riyaz Ali, whom you may recall from earlier process safety-related posts,
responded [with my light edits]:
Partial stroke test (PST) is a diagnostic function which is performed on line, in service;
hence minimum process interruption is highly desired. If a FAIL OPEN valve is
opened with a sudden jerk, it can create a blurp or surge in the process, which may create
unwanted results, i.e., in liquid service, sudden opening or closing of a valve may lead
to the water hammer phenomenon.
The Emerson Fisher DVC6000 SIS is specifically designed to stroke the valve during
PST using a RAMP algorithm, which stabilizes the process while lifting a valve from its
seat. Certainly, concern may occur if a DEMAND arises during a stroke test. The
DVC6000 SIS has built-in safeguards to immediately take a valve to its safe state with
the desired pneumatic path. In fact, the DVC6000 SIS has a unique feature which
allows engineers to configure the stroking speed, as desired by a few industries. The Digital
Valve Controller is smart enough to differentiate between a Partial Stroke Test and a
Safety Demand.
We have seen a few oil producers using the DVC6000 SIS with an external flow restrictor in
the pneumatic line to slow down valve travel and maintain process equilibrium during a SAFETY
DEMAND, so that slam-shut action does not cause piping breakage as well as loss to
equipment by suddenly cutting off fuel. This may possibly lead to spoilage of the
process catalyst.
Depending upon the Process Safety Time (PST) need of a SIF [safety instrumented
function] loop, a few valve applications may require a Process Safety Time of less than 2
seconds. In such cases, it is always recommended to use external devices to allow
additional quick release of air volume from the actuator to meet the time line.
Irrespective of the Digital Valve Controller manufacturer, positioners always operate during
normal conditions at full pressure load, which, as per their characteristics, allows air to bleed. If
a positioner of high exhaust and fill capacity is used, it will bleed excessive air. The
Emerson Fisher DVC has been designed in such a manner that it has an air
consumption of only 2.1 scfh at 20 psi, compared to positioners with a higher Cv, whose bleed
rates are exceptionally high (> 20 times that of the DVC6000).
Once again, a Partial Stroke Test is a diagnostic, which can be considered Safety
Related but NOT Safety Critical; hence, during the test, valve opening time should not
pose any challenges.
Should you need more technical clarifications, I can provide details on a one-to-one basis.

Another list member noted this issue in his response to Riyaz:


It is a very simple matter to restrict the exhaust rate of the diaphragm during the partial
stroke test, and thus slow the stroking speed to whatever speed is desired. This would
eliminate any concerns of overstroking, or rapid valve movement. However, since we
are in the hysteresis range (15%) of the valve, problems resulting from rapid movement
should be minimal to start with.
Using a quick exhaust device to vent the valve diaphragm (to compensate for the small
Cv of the positioner) must be accounted for in the PFDavg calculation of the final
element for the SIF. This simplex device is a critical part of the SIF and cannot be
ignored.
Riyaz addressed this concern [again with my light edits]:
As explained in my previous email, when using a microprocessor-based device or any
other means to initiate PST for Safety Shut Down valves, in line and in service, Quick
Exhaust Valves (QEV) typically show instability. Based on lab tests and past field
experience, it has been observed that the QEV comes into action at a water-column
pressure difference, which may lead to uncontrolled travel during the PST test.
In such situations, it is preferable to use a Volume Booster, which helps in both
directions (opening and closing). Also, as clarified by [another email responder], the
volume booster is checked during a PST.
As you rightly said, Volume Booster kinds of mechanical devices are simplex. These
Type A devices have been in the field over the past four decades, and for sure have
already established all their possible failure modes in their operating runs. This provides
beneficial leads for manufacturers to incorporate in the design. Therefore, it is unlikely
that any reliability issues have not been taken into account and corrected by
manufacturers of mechanical components.
Some additional questions came in about the certification reports. Exida's Dr. Bill Goble
pointed the questioner to where the partial stroke test certification reports are located
on the Exida website. Here are the links to the DVC6000 assessment report and
DVC6000 certificate for use in emergency shutdown (ESD) partial stroke valve monitor
applications.
If you're involved with process safety at your plant, I hope these clarifications by Riyaz
help to address similar questions that you may have.

Partial-Stroke Tests, Proof Tests, and Smart Positioners in Safety Applications

Before the holidays, Dave Harrold wrote a post, A Wee Bit More About Safety
Instrumented Systems, in his Dave @ AFAB Group blog. He describes his work with Dr.
Angela Summers, founder/president of SIS-Tech Solutions on a guidelines book for the
global IEC 61511 safety standards. Dave also referenced an SIS-related Q&A article
Angela wrote for Flow Control magazine.

I forwarded the post and Flow Control article link to Riyaz Ali, whom you may recall from
an earlier post. Riyaz wanted to add to the conversation and make three specific points
in reference to the Flow Control article.
On the question regarding the use of digital valve positioners to perform partial testing
and its relationship to the proof test interval, Riyaz agrees that the proof test is far more
than a partial stroke test. The proof test can be performed on a final control element
either on-line when a bypass valve exists or offline when the process is shutdown, such
as during a plant turnaround. Many process manufacturers do not have large bypass
valves and seek to extend the interval between plant turnarounds as long as possible.
The on-line partial stroke testing provided by digital valve positioners can help extend
the time between proof tests. They do not replace these tests. Riyaz points to a Control
Engineering magazine article authored by Dr. Summers, Partial Stroke Testing of Safety
Block Valves, in which she points out:
Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke
testing to supplement full-stroke testing to reduce a block valve's PFD.

Being a mechanical item, the SIS Final Control Element offers challenges in testing but at
the same time represents a significant failure contributor to the SIF loop. Partial stroke testing
by digital valve positioners not only allows audit documentation but also allows
diagnosis of valve health, a key feature to improve the reliability of the SIF loop.
Riyaz did take exception to a statement in the article about throttling valves:
Positioner failures are the leading cause of control failure, so the positioner should not
be used to actuate the valve in an SIS application when preventing events associated
with a loss of control. Instead, a solenoid-operated valve should be used to
independently close the control valve.

He notes that control valves are better geometrically designed, with a proper actuator and
valve plug connection to reduce hysteresis, dead motion, stiction, backlash etc.,
compared to shutdown valves, which typically have a keyed shaft and are mainly used for
on/off function. The main concern for shutdown valves is a stuck condition. If the initial
inertial force is broken during normal exercise of the valve, either through a partial stroke test
or by modulating through a DCS signal, it is very likely that the valve will be available during
a safety demand, when required to bring the process to a safe state.
His final point is on the question regarding smart positioners for partial stroke testing of
smart valves. Positioners operated by air have been used in the process control industries
for years to improve the performance of control loops. It is becoming rare to come across a
process loop without positioners, especially where the application has improved process
variability. Based on their usage and benefits in process control, process manufacturers
have started using them for Safety Instrumented Systems as well. Riyaz agrees with Dr.
Summers' comment that positioners have a smaller orifice, but for anything larger than an 8-12
size valve, a Quick Exhaust Valve or similar mechanical device would be used anyway
if fast stroking speed is desired. Len Laskowski adds that the driving factor is
process safety time. Many times larger valves do not need to close in one or two
seconds, and in fact require a more controlled closure to avoid negative effects on
process and utility equipment. It all hinges on the process safety time for each
application.
Positioners are designed to bleed a very small amount of air to keep the air flowing and to keep
the housing pressure above atmospheric, so as to avoid any external corrosive atmospheric gas
getting inside the housing. Also, during a partial stroke test, positioners exhaust and fill
air, which keeps their mechanical parts moving and avoids any build-up.
Digital valve positioners allow partial stroke testing while the process is running and
provide a date and time stamp for each test, with the capability to store and compare test results.
Also, being microprocessor based, these positioners allow remote testing and remote retrieval
of data. The main advantage is predictive maintenance through valve
degradation analysis, which is important for critical valves in safety related systems. If
by any chance a valve is stuck, digital valve positioners are capable of alerting
operators to fix the problem.

Improving Local Control around Safety Shutdown Valves

You have to admire the way a team of engineers, when presented with a challenge,
comes up with a better, less costly approach. Such is the case with a local control panel
for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall
Riyaz from earlier posts on the topic of safety.

The challenge is that safety shutdown valves with conventional local control panels
have typically required ten input/output connections between the safety system's logic
solver, local control panel, solenoid and digital valve controller, as the picture indicates.
These panels get hard-wired signals from the safety instrumented system's logic solver
for light indication of valve Open, Close, and Ready to Reset. Also, if the logic solver
needs to open the valve after the Ready to Reset light indication, a Valve Open signal
needs to be sent to the local controller on a separate pair of wires so the field technician
can open the valve. It will also require an additional I/O for shutting the valve from the local
controller in case of an emergency.
Now, many plants keep metrics on what it costs to install each I/O point, but a ballpark
figure of $2,000 USD per I/O point is typical.

The approach Riyaz describes is based on the Fisher LCP100 local control panel which
requires 5 I/O. This means roughly $10,000 savings per installed smart local control
panel. If your facility is a refinery, petrochemical, or chemical plant, this could add up,
based on your number of safety valves with local control panels. This panel digitally
communicates directly with Emerson's Fisher DVC6000 digital valve controller to
eliminate the need for separate wiring for Valve Open and Close indication, Ready to
Reset indication, and pushbuttons for manual Valve Open and Close. These digital
communications also provide diagnostics to reduce the ongoing costs of maintenance
typical with hard-wired solutions.
Riyaz also points out the digital valve controller can provide on-line diagnostics and
partial-stroke testing to assist the process manufacturer in checking the safety
instrumented function which includes these shutdown valves.
As with most digital communications, the long term benefits in diagnostic coverage with
this integrated approach are usually greater than the initial benefits in installation cost
savings.

Checking Your Safety Solenoid Valves


In an earlier post I discussed the critical role the final control element plays in a safety
loop or safety instrumented function (SIF) in safety parlance. This equipment mostly
stays in one position until called upon to move should an emergency situation arise.
Digital valve controllers like the Fieldvue DVC6000 SIS provide partial stroking of the
valve to help process manufacturers design their safety instrumented functions to reduce
the Probability of Failure on Demand (PFD).
Even with the advancement of intelligence in digital valve controllers to do this partial
stroke testing, a problem remained in testing the solenoid valves used in the safety
instrumented function. These solenoid valves are installed to quickly bleed the air
supply to the valve actuator that is holding the SIS valve open or closed. The only real
way to test this solenoid valve has been to trip it causing the safety function to occur.
These spurious trips can be quite strenuous on the plant piping and process equipment.
Riyaz Ali, a development manager in Emerson's Fisher division, showed me the latest
advancements to the DVC6000 SIS to test the solenoid without causing safety valve
movement. What the technology team found through extensive research and
development is that the solenoid valve can be pulsed for a split second by smart SIS
logic solvers like the DeltaV SIS system.
This time window of the pulse is long enough for the solenoid valve to vent which
provides verification that it is functional. But the time window is short enough so that
the actuator does not bleed off enough pressure to make the SIS valve move.
Diagnostics in the DVC6000 SIS can sense and capture the data for the momentary
pressure blip across the solenoid valve during the test. It also records pressures, travel
information, and other diagnostic information.
Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data
during a trip event, much like an airline's black box flight recorder. This data
collection can be triggered upon a change in actuator pressure, valve travel, input
current, pressure differential, travel deviation, travel cutoff, or an externally defined
trigger event. This data can be helpful when reviewing the causes of a safety trip as
well as having the data available for regulatory reporting.
One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection which
provides maximum output pressure to the solenoid at minimum input signal in a case
where the 4-20mA signal between the smart logic solver and digital valve controller is
lost or severed.
Together, these technologies give process manufacturers an end-to-end way of
checking the safety instrumented functions including the solenoid valves, to assist their
design, implementation, and ongoing testing phases of the IEC 61511 safety lifecycle.
