Partial Stroke Testing


Implementing for the Right Reasons
Robin McCrea-Steele
Senior Safety Consultant, Premier Consulting Services, TÜV Functional Safety Expert ID 0101/04, California, U.S.A.

KEYWORDS
Safety Instrumented Systems, ESD Valves, On-line Proof Testing, Diagnostic Coverage, Safe Failure Fraction, Hardware Fault Tolerance, Valve Failure Modes.

ABSTRACT
Operational characteristics of static ESD valves impose design and testing requirements that are very different from those required for a control valve operating in a fully dynamic mode. Partial stroking of ESD valves can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in diagnostic coverage and the credit taken for this type of test. This paper reviews the pros and cons of PST in the processing industries, from an independent and objective viewpoint, with absolutely no vested interest from either vendors or end-users.

INTRODUCTION
Improvements in mechanical reliability have permitted extending process plant turnaround periods from a traditional one or two years to five or more years. This means that in order to test an ESD valve's functionality at a rate commensurate with the PFD requirements of the design SIL, alternative arrangements need to be implemented for on-line proof testing. Installing full-flow bypass valves can become burdensome and expensive for larger process piping, as well as posing safety concerns when the ESD valve is rendered nonoperational during on-line proof tests. Human error is also a concern with this type of on-line bypass-based test.

Copyright 2005 by ISA. Presented at ISA EXPO 2005, 25-27 October 2005 McCormick Place Lakeside Center, Chicago, Illinois, www.isa.org

If we consider that the most common dangerous failure mode in a static ESD valve is "stuck", on-line partial stroke testing seems to have come to the rescue at a time when smart technology is readily available to perform these functions effectively. End users embrace the idea that they can seemingly justify extending the full stroke testing period, eliminate physical bypasses, and improve the PFDavg of the SIF. Vendors of PST equipment are coming out of the woodwork with promises of a cure to all ailments. Some claims even go to the extreme of providing unsubstantiated arguments for improvement of the SFF that justify overcoming IEC 61511 / IEC 61508 minimum hardware fault tolerance (i.e. redundancy) requirements. Partial stroking can be a good complement to full stroke testing, as long as we have a clear understanding of the implications of the assumptions in Proof Test Coverage (PTC), sometimes mistakenly referred to as Diagnostic Coverage (DC), and the credit taken for this type of test. Any safety analysis demands a process of checks and balances. This paper provides an independent and objective functional safety management viewpoint.

ON-LINE PROOF TESTING


The objective of on-line proof testing is to detect covert, undetected dangerous failures that automatic diagnostics cannot pick up. This is the only purpose. On-line proof testing does not detect random hardware failures related to spurious trips. You could proof test today and have a spurious trip tomorrow. Safety standards metrics for meeting a design SIL are solely concerned with the probability of a dangerous undetected failure appearing in the presence of a process demand on the SIS. Therefore, on-line proof testing is critical to the safety availability of an SIS. Increasing the proof test frequency lowers the average PFD in direct proportion and consequently increases the SIL. To place DU failure rates into perspective, the following chart shows the typical distribution across the subsystems of an SIF in the COG process industry.

SIF Failure Rate Distribution (chart)

DU = Dangerous undetected failure rate

Subsystem         Chart value    Range
Sensors           40%            30% to 45%
Logic Solver      10%            5% to 15%
Final Elements    50%            40% to 55%

The PFDavg of the SIF is influenced heavily by the weakest link

PARTIAL STROKE TESTING (PST)

ESD valve partial stroke testing (PST) is a method whereby a portion of the valve assembly is tested at a more frequent interval than the full test rate. In simple words: an accelerated (partial) proof test.

Advantages of PST:
- May provide an improvement to the SIL of the SIF.
- Provides predictive maintenance data.
- May allow extension of the full stroke test (FST).
- May overcome IEC 61511 architectural constraints (Questionable).
- May reduce the need for valve bypasses.
- Valve is always available to respond to a process demand during the test period (when properly designed).

Disadvantages of PST:
- Tests only a portion of the valve DU failures (30% to 70%).
- Not applicable to tight shut-off valves.
- May increase spurious trip rate.
- Incorporates additional equipment with its own testing requirements (safe and dangerous failures).
- Potentially converts the valve/PST smart equipment assembly to a type B complex subcomponent, per IEC 61508-2.
- If PST always strokes 10%, buildup forms at 10% of stroke.
- Makes the plant manager nervous! (Oscillating ESD valve).

ESD on-line partial stroke testing should be considered as a complement to full stroke testing and not in lieu of it. The following table shows an overview of valve failures detected by PST and FST.
Valve Failure Modes

Mode                            Effect               Test
Valve body                      Leak                 Pressure test at TA
Valve plug/seat                 Fail to close        FST / Pressure test
Stem packing seized             Valve stuck          PST
Air line to actuator crimped    Sluggish response    FST or PST w/speed of travel test
Air line blocked                Fail to close        PST or FST
Valve stem buildup              Valve stuck          PST or FST
Debris retained in seat         Fail to close        FST / Pressure test

TA: Turn around

FST: Full stroke test

PST: Partial stroke test

PST TECHNOLOGY
Partial stroke testing is not a new concept. It has been performed in different applications for many years, traditionally using mechanical devices such as jammers, collars or engagement pins. What is new is the emerging technology that allows PST to be performed with limited human intervention in a semi-automatic way. Smart microprocessor-based devices have been developed by a series of vendors. A partial list is shown below:

- ASCO: Redundant solenoid arrangement.
- DRALLIM: Pressure signature of actuator / SOV.
- DYNATORQUE: Mechanical solution.
- EMERSON: Fieldvue smart positioner.
- METSO: Neles Valveguard.
- MOORE Ind.: HART device w/any smart positioner.
- TYCO-Keystone: Manual and automatic devices.
- Siemens / Masoneilan: Smart positioner.
- Triconex / ABB / ICS: PST control from Logic Solver.

The objective of this paper is not to analyze technologies. The focus is to provide a perspective on the implications of the assumptions in diagnostic coverage and the credit taken for this type of test.

ESD VALVE ASSEMBLY FAILURE RATE DATA


Good failure rate data should be sourced from field experience and incorporate a breakdown by type of failure. FMEDA studies provide useful information, but usually do not reflect actual field conditions, such as environmental conditions, external stresses, corrosive process fluids, etc. Industry data, such as OREDA (Offshore Reliability Data), published by DNV, incorporate field failure rates reported by leading off-shore oil and gas companies. This is a good reference for most process industries, especially on field equipment. OREDA lists the type of failure in categories like critical, degraded or incipient. The breakdown of each category then shows failure rates for failed to close, failed to open, plugged, delayed operation, internal leakage, external leakage, etc. It also shows these failure rates in categories for lower, mean and upper ranges for a relation to the level of maintenance.

It is absolutely critical that the field failure rate data be analyzed per type, and be associated with the test that will detect it (PST or FST, on-line or at turnaround, etc.). An important clarification should be made in that although a Weibull bath tub distribution over time is a reality, random hardware failures are considered constant within the useful life of the valve assembly. Per international safety standards metrics, infant mortality is considered overcome and it is also assumed that preventive maintenance will replace parts before wear out.

EFFECT OF PST ON A TYPICAL SIF


Using Fault Tree Analysis, the author has worked a simple overpressure SIF example. The target is a high SIL 2, with a requirement to extend the one-year full stroke test to three years.
Overpressure SIF example (figure): triplicated transmitters (PT1, PT2, PT3), generic logic solver (SIS Logic Solver), single ESD valve (V1) on the process line, solenoid S1 (24 V, air).

ISA TR 84.0.02 Generic Failure Rate Data:
PT => DU = 0.025 f/y
LS => PFDavg = 2.4 E-4
V => DU = 0.02 f/y
S => DU = 0.02 f/y

The initial calculation with a full stroke test interval of one year and no PST is shown, resulting in a mid SIL 1 that does not meet the high SIL 2 target.
Full stroke Test Interval TI = 1 year (fault tree)

SIF Failure: $PFD_{avg} = 2.08 \times 10^{-2}$, $RRF = 1/PFD_{avg} = 48$, MID SIL 1

- Pressure Xmtrs (2oo3 of PT1, PT2, PT3): $6.25 \times 10^{-4}$
  TR84.0.02 p2, PT 2oo3: $PFD_{avg} = (DU)^2 \times (TI)^2 = (0.025)^2 \times (1\,\mathrm{y})^2 = 6.25 \times 10^{-4}$
- Logic Solver: $2.4 \times 10^{-4}$
- ESD Valve Assy (V1, S1): $2 \times 10^{-2}$
  V1: $PFD_{avg} = DU \times (TI/2) = 0.02 \times 1/2 = 0.01 = 1 \times 10^{-2}$
  S1: $PFD_{avg} = DU \times (TI/2) = 0.02 \times 1/2 = 0.01 = 1 \times 10^{-2}$

SIF $PFD_{avg} = 6.25 \times 10^{-4} + 2.4 \times 10^{-4} + 200 \times 10^{-4} = 208.65 \times 10^{-4} = 2.08 \times 10^{-2}$

Partial stroke testing was implemented as shown below:


Overpressure SIF example (with PST device) (figure): transmitters PT1, PT2, PT3; SIS Logic Solver; solenoid S1 (24 V, air); smart positioner (24 V) with travel feedback on valve V1 in the process line; HART diagnostics; AMS.

D.C. = 70% (Proof Test Coverage)
Valve DU = 0.02 f/y
PST = 0.7 x 0.02 = 0.014 f/y
FST = 0.3 x 0.02 = 0.006 f/y

Assuming a proof test coverage of 70% for the partial stroke test (PST) run once per day and the full stroke remaining at once per year, the calculation rendered a low SIL 2:

Full stroke TI = 1 year, Partial Stroke TI = 1 day (fault tree)

SIF Failure: $PFD_{avg} = 6.9 \times 10^{-3}$, $RRF = 1/PFD_{avg} = 144$, Low SIL 2

Valve DU = 0.02 f/y. For DC = 70% (proof test coverage):
PST = 0.7 x 0.02 = 0.014 f/y
FST = 0.3 x 0.02 = 0.006 f/y

- Pressure Xmtrs (2oo3 of PT1, PT2, PT3): $6.25 \times 10^{-4}$
- Logic Solver: $2.4 \times 10^{-4}$
- ESD Valve Assy: $6.038 \times 10^{-3}$
  PST branch (V1, S1 at $1.91 \times 10^{-5}$ each): $3.82 \times 10^{-5}$
  $PFD_{PST} = PST \times TI/2 = 0.014\ \mathrm{f/y} \times 1\,\mathrm{y}/365\,\mathrm{d} \times 1\,\mathrm{d}/2 = 1.91 \times 10^{-5}$
  FST branch (V1, S1 at $3.0 \times 10^{-3}$ each): $6.0 \times 10^{-3}$
  $PFD_{FST} = FST \times TI/2 = 0.006\ \mathrm{f/y} \times 1\,\mathrm{y}/2 = 3.0 \times 10^{-3}$

SIF $PFD_{avg} = 6.25 \times 10^{-4} + 2.4 \times 10^{-4} + 60.38 \times 10^{-4} = 6.9 \times 10^{-3}$

As shown above, the weakest link remained the valve assembly.

A redundant 1oo2 valve configuration was necessary to improve the PFDavg. The valve assembly fault tree is depicted below.

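REDUNDANT VALVES: Full stroke TI = 3 years, Partial stroke TI = 3 months (valve assembly fault tree)

ESD redundant valve assy: $PFD_{avg} = 3.36 \times 10^{-4}$

- PST branch: $1.22 \times 10^{-5}$
  ESD Valve Assy 1 (V1, S1 at $1.75 \times 10^{-3}$ each): $3.5 \times 10^{-3}$
  ESD Valve Assy 2 (V2, S2 at $1.75 \times 10^{-3}$ each): $3.5 \times 10^{-3}$
- FST branch: $3.24 \times 10^{-4}$
  ESD Valve Assy 1 (V1, S1 at $9.0 \times 10^{-3}$ each): $1.8 \times 10^{-2}$
  ESD Valve Assy 2 (V2, S2 at $9.0 \times 10^{-3}$ each): $1.8 \times 10^{-2}$

$PFD_{PST} = PST \times TI/2 = 0.014\ \mathrm{f/y} \times 1\,\mathrm{y}/12\,\mathrm{mth} \times 3\,\mathrm{mth}/2 = 1.75 \times 10^{-3}$
$PFD_{FST} = FST \times TI/2 = 0.006\ \mathrm{f/y} \times 3\,\mathrm{y}/2 = 9.0 \times 10^{-3}$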

The dual redundant valve assembly, incorporated through a transition gate, is shown below.

REDUNDANT VALVES: Full stroke TI = 3 years, Partial stroke TI = 3 months (SIF fault tree)

SIF Failure: $PFD_{avg} = 1.2 \times 10^{-3}$, $RRF = 1/PFD_{avg} = 833$, High SIL 2

- Pressure Xmtrs (2oo3 of PT1, PT2, PT3): $6.25 \times 10^{-4}$
- Logic Solver: $2.4 \times 10^{-4}$
- ESD Valves Assy (transition gate 2): $3.36 \times 10^{-4}$

SIF $PFD_{avg} = 6.25 \times 10^{-4} + 2.4 \times 10^{-4} + 3.36 \times 10^{-4} = 12.01 \times 10^{-4} = 1.2 \times 10^{-3}$

The above configuration meets the target of a high SIL 2 with an extended full stroke test of three years and a PST of three months.
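The three calculations above can be reproduced in a few lines, which also makes it easy to see how much the result depends on the proof test coverage credited to PST. The following is an added example, not code from the paper: the function names are hypothetical, the SIL bands are the standard low demand PFDavg ranges (not printed on this page), and the coverage sweep over the 30% to 70% range quoted earlier goes beyond the single 70% case the paper works.

```python
import math

# Page values (ISA TR 84.0.02 generic data): rates in failures/year.
PT_DU, LS_PFD, VALVE_DU, SOV_DU = 0.025, 2.4e-4, 0.02, 0.02

def sensors_2oo3(ti_years=1.0):
    # The page's 2oo3 transmitter term: (DU)^2 x (TI)^2
    return (PT_DU * ti_years) ** 2

def leg_pfd(ptc, pst_ti, fst_ti):
    """One valve + solenoid leg, split by which test reveals the failure.
    ptc: proof test coverage credited to PST (0 means no PST)."""
    du = VALVE_DU + SOV_DU
    pst_part = ptc * du * pst_ti / 2          # revealed by partial stroke
    fst_part = (1 - ptc) * du * fst_ti / 2    # revealed only by full stroke
    return pst_part, fst_part

def valve_pfd(ptc, pst_ti, fst_ti, redundant=False):
    pst_part, fst_part = leg_pfd(ptc, pst_ti, fst_ti)
    if redundant:
        # The page's 1oo2 tree: PST parts ANDed, FST parts ANDed, then ORed.
        # No common-cause term, as in the page's calculation.
        return pst_part ** 2 + fst_part ** 2
    return pst_part + fst_part

def sil_low_demand(pfd):
    # SIL n covers 10^-(n+1) <= PFDavg < 10^-n (low demand mode).
    return max(0, min(4, math.ceil(-math.log10(pfd)) - 1))

def sif(ptc, pst_ti, fst_ti, redundant=False):
    pfd = sensors_2oo3() + LS_PFD + valve_pfd(ptc, pst_ti, fst_ti, redundant)
    return pfd, 1 / pfd, sil_low_demand(pfd)

def coverage_sweep(ptcs, pst_ti=0.25, fst_ti=3.0):
    """RRF of the redundant design as the credited PST coverage varies."""
    return {ptc: sif(ptc, pst_ti, fst_ti, redundant=True)[1] for ptc in ptcs}

if __name__ == "__main__":
    cases = {
        "FST 1 y, no PST": (0.0, 0.0, 1.0, False),
        "FST 1 y, PST daily, PTC 70%": (0.7, 1 / 365, 1.0, False),
        "1oo2 valves, FST 3 y, PST 3 months": (0.7, 0.25, 3.0, True),
    }
    for name, args in cases.items():
        pfd, rrf, sil = sif(*args)
        print(f"{name}: PFDavg={pfd:.2e} RRF={rrf:.0f} SIL {sil}")
    for ptc, rrf in coverage_sweep([0.3, 0.5, 0.7]).items():
        print(f"PTC {ptc:.0%}: RRF={rrf:.0f}")
```

With the coverage credited at 30% instead of 70%, the redundant design stays in SIL 2 but its risk reduction factor falls to less than half, which is why the coverage assumption has to be substantiated before credit is taken.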

THE PROPER USE OF PST RESULTS


As shown in the above example, PST was directly instrumental in extending the full stroke test out to three years while meeting the target design of a high SIL 2 for the SIF. It is, however, very important that the assumptions for diagnostic coverage be substantiated and validated in order to be able to take the appropriate credit in the PFDavg calculations. Implemented for the right reasons, on-line partial stroke testing can be an important asset, and should be considered in the design. Done for the wrong reasons, it can lead to erroneous results and an unsafe design. For example, taking credit for PST with the intent of overcoming architectural constraints and minimum hardware fault tolerance specified in the safety standards requires further analysis. The following review of safety integrity and Safe Failure Fraction, in conjunction with the IEC safety standards architectural constraints, should facilitate the analysis.

Safety integrity

The safety integrity of an SIS has two major components:

Hardware Safety Integrity
- Random hardware failure target measures established in IEC 61511

Systematic Safety Integrity
- Hardware systematic failures (Design, Common Cause, Stress, Environmental)
- Software systematic failures

The first question to consider: Is a stuck valve a random hardware failure or a systematic failure? It would appear that if the valve stem is stuck due to over-tight packing, this would be a systematic failure. If the cause is over-stressed piping, this would also be considered systematic and not random. IEC 61508 and IEC 61511 address random hardware failures with target failure ranges for each SIL. On the other hand, systematic failures are addressed by implementing certain techniques and measures conducive to designing these out of the system.

Safe Failure Fraction (SFF)

Safe Failure Fraction is the fraction of safe failures and dangerous detected failures in relation to the total failures. The definition of SFF always refers to random hardware failures and not to systematic hardware failures.

SU = Safe Undetected
SD = Safe Detected
DU = Dangerous Undetected
DD = Dangerous Detected

IEC 61511-1 imposes a minimum hardware fault tolerance requirement for sensors and final elements without any reference to the SFF. However, if further analysis is appropriate, it allows the use of table 3 of IEC 61508-2.
IEC 61508-2 Table 3: Architectural Constraints, Type B subsystems

Hardware fault    Safe failure fraction
tolerance         < 60%          60% - < 90%    90% - < 99%    ≥ 99%
0                 Not allowed    SIL1           SIL2           SIL3
1                 SIL1           SIL2           SIL3           SIL4
2                 SIL2           SIL3           SIL4           SIL4

Note: Smart positioners and devices used in PST equipment are considered "PE" devices per IEC 61511 and IEC 61508 (also referred to as "Type B" in IEC 61508).

Using the above SFF equation, it is easy to see that if partial stroke testing (PST) could detect a portion of the dangerous undetected failures (DU) from the denominator and convert these into dangerous detected failures (DD) in the numerator, we could obtain an improvement in the SFF. This would lead to a reduction in the hardware redundancy requirements in IEC 61508-2 Table 3 above, for any defined SIL. However, there are two problems to be faced:

a) The (DU) element in the SFF equation only refers to random hardware failures. If the stuck stem is caused by a systematic failure, then it would be invalid to use PST to improve the SFF calculation.

b) The detected failures in the SFF equation refer to those covered by automatic diagnostics. In order to consider the test as a diagnostic, it needs to comply with a timing requirement (i.e. half the process safety time in continuous demand mode or ten times faster than the probability of occurrence of a dangerous failure, in low demand mode). In general, PST will not meet the timing requirement of an automatic diagnostic. PST should really be categorized as a semi-automated accelerated proof testing procedure.

CONCLUSIONS
On-line partial stroke testing of ESD valves is an invaluable tool, if used correctly.

- Failure rate data used in the calculations should be derived from traceable field-based references.
- Take credit only for the portion of failures that PST can detect.
- Consider the implications of introducing additional smart programmable equipment for the automated PST, which conceivably could introduce additional dangerous undetected failures.
- Be aware that frequent PST may increase the probability of spurious trips.
- Use PST to improve the PFDavg of the safety instrumented function (SIF) and/or to extend the full stroke testing period.
- Remember that PST is a partial proof test and not an on-line diagnostic.
- PST should not be used to affect the safe failure fraction (SFF).
- Do not take credit for PST to justify overcoming redundancy requirements of the safety standards.

REFERENCES
- IEC 61511, Part 1 & 2, Functional Safety: Safety Instrumented Systems for the process industry sector, Ed 1 - 2003.
- IEC 61508, Part 2, Functional Safety of electrical/electronic/programmable electronic safety related systems, Ed 1 - 1998.
- OREDA, Offshore Reliability Data Handbook, 4th Edition, 2002. Prepared by SINTEF Industrial Management and published by DNV (Det Norske Veritas), Norway.
- Guidelines for Safe Automation of Chemical Processes, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY 10017, 1993.
- Guidelines for Chemical Process Quantitative Risk Analysis, Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, New York, 1989.
