A question was posed this week to Emerson’s Mike Boudreaux about how to take credit for partial stroke tests in a performance verification process. Mike leads the process safety systems efforts and was presenting on this topic this week. He wrote up this post to recap the question and highlights from the seminar:
I had the opportunity to present a Safety Lifecycle Management seminar to a Canadian energy company earlier this week. Last year, Emerson launched a global Safety Lifecycle seminar program that is designed for business leaders and managers in the process industries, so that they can have a general understanding of existing industry standards and best practices for safety instrumented systems. The seminars describe the need for effective process safety metrics and safety lifecycle management systems. Safety lifecycle management is an important aspect of the IEC 61511 framework, and this topic is addressed prominently in the seminar agenda.
Here are each of the Safety Lifecycle Seminar presentations:
- Part 1 – Introduction
- Part 2 – Functional Safety Basics
- Part 3 – Safety Lifecycle Management
- Part 4 – Analysis Phase
- Part 5 – Implementation Phase
- Part 6 – Operation Phase
To help process manufacturers with their process safety educational efforts, the entire safety lifecycle management presentation is available for download and reuse under an Attribution-ShareAlike creative commons license.
One of the questions asked during my presentation was how to take credit for partial stroke testing and full stroke testing as part of a routine performance verification practice for final elements in safety instrumented systems. Because they are mechanical devices that can stick or fail to seat and stop flow, valves often contribute a significant amount (typically 50%) to the overall failure rate for a safety instrumented function (SIF). This is a very common question, because most people recognize that a partial stroke test is not capable of detecting whether a valve can fully close 100% and shut off flow. If this is the case, then what purpose does partial stroke testing serve?
The difference between a partial stroke test (PST) and a full stroke test (FST) is just as it sounds. In a partial stroke test the valve is moved by a small amount instead of fully stroking the valve to a closed position. A PST can be used to detect some failure modes of a final element, but not all of the identified failure modes. If the PST is performed automatically on-line at a high enough frequency, then it can be treated as a diagnostic test instead of a proof test. This improves the dangerous undetected failure rate and the safe failure fraction for the valve. Otherwise, a manual partial stroke test is treated as a proof test that partially tests some of the dangerous undetected failure modes. In almost all cases, a full stroke test is treated as a proof test.
Table 6.10e – Dangerous Failures, Failure Modes, and Test Strategy in the Instrument Engineers’ Handbook provides a summary of the different failures that can occur and the test strategy that can be used to diagnose these failures. The table is summarized in slide 22 of the “Part 6 – Operation Phase” presentation:
A partial stroke test can uncover problems related to failure to move or failure to close, but a full stroke test must be performed to uncover failures that prevent the valve from sealing off. The valve type, application environment, and shut-off requirements should be considered when determining the failure rates for each of the failure modes being considered. For example, valves in a dirty service will have a higher seal-off failure rate than valves in a clean service. When performing a PST, diagnostic credit can be taken for the failure modes that can be detected by the PST, but not for all of the failure modes that are addressed by a full stroke test. In addition to the mechanical failure modes of the actual valve operation, partial stroke testing also checks that the valve controller is able to function.
So you still have to perform full stroke tests then, right? Right! However, the benefits of performing partial stroke tests are that they can be performed online while the process is running, they can be performed automatically by smart valve positioners, and they can extend the time between plant shutdowns. Additionally, performing PSTs can sometimes improve the SIL capability (PFDavg and the safe failure fraction) of a valve so that a single valve might be used instead of redundant valves.
Without partial stroke testing, safety valves will sit in an open position for very long periods of time without any movement. Many people speculate that friction-based failures are less likely to occur in mechanical devices that are regularly moved. While you can consider this as a qualitative improvement, most people don’t take quantitative credit for reducing the failure rates. Testing will reveal failures, but it doesn’t reduce them.
As shown in the diagram below, the probability of failure on demand (PFD) increases over the time between proof tests. Without partial stroke testing, the full stroke proof test interval can be very short depending on the valve used and the safety integrity level (SIL) requirement for the safety instrumented function. By diagnosing some of the failure modes (but not all), the PFD is reduced when a PST is performed. However, at some point a full stroke test will need to be performed in order to diagnose the remaining failure modes that are related to failure of the valve to seal off. The PST can only reduce the PFD by a certain amount. There is still a residual PFD remaining that can only be diagnosed by a full stroke test. This is illustrated in slide 21 of the “Part 6 – Operation Phase” presentation:
PST and FST intervals are impacted by the SIL requirement for the safety loop, and the failure rates for the different failure modes. The design calculations can be very complicated and it is different if you are performing the PST automatically as a diagnostic or manually as a proof test, but the concept can be illustrated by the following simplified equation for PFDavg for a single valve:
$$PFD_{avg} = \left[DC \cdot \lambda_D \cdot \frac{TI_{PST}}{2}\right] + \left[(1 - DC) \cdot \lambda_D \cdot \frac{TI_{FST}}{2}\right]$$

where:
- $DC$ = Diagnostic Coverage of the partial stroke test
- $\lambda_D$ = The dangerous failure rate of the safety valve
- $TI_{FST}$ = The full stroke test interval
- $TI_{PST}$ = The partial stroke test interval
The diagnostic coverage is a measure of effectiveness of the partial stroke test diagnostic to detect the failures that can occur in the valve. Another way to look at this is that DC is the ratio of the failures detected by partial stroke testing vs. the overall failure rate for the valve. Diagnostic coverage does not include any faults detected by proof tests. It is common to see 70% diagnostic coverage factors used by various consultants and engineering companies, but this needs to be evaluated in light of the application. The trickiest part in all of this is in determining the failure rates for each of the different failure modes for the service, environmental conditions, and valve type that is being used. This is an example where experience, knowledge, and training are important competency requirements for the safety role of SIF design and SIL verification.
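The simplified equation above, worked through as an added example that is not part of the original post or the seminar material. It evaluates the formula, checks it against a numerical average of the saw-tooth PFD curve described earlier, and inverts it to find the longest full stroke test interval for a target PFDavg. The failure rate and test intervals are constructed values, the function names are hypothetical, and the SIL bands are the standard low-demand PFDavg ranges.

```python
# Added example; every number below is constructed, not taken from the post.

def pfd_avg(dc, lambda_d, ti_pst, ti_fst):
    """Simplified single-valve PFDavg from the post (rate per hour, intervals in hours)."""
    return dc * lambda_d * ti_pst / 2 + (1 - dc) * lambda_d * ti_fst / 2

def pfd_at(t, dc, lambda_d, ti_pst, ti_fst):
    """Saw-tooth PFD(t): the PST-detectable share resets at every PST,
    the remaining share only at every FST (linear lambda*t approximation)."""
    return dc * lambda_d * (t % ti_pst) + (1 - dc) * lambda_d * (t % ti_fst)

def pfd_avg_numeric(dc, lambda_d, ti_pst, ti_fst, steps=120_000):
    """Midpoint-rule average of the saw-tooth over one FST interval."""
    dt = ti_fst / steps
    total = sum(pfd_at((i + 0.5) * dt, dc, lambda_d, ti_pst, ti_fst)
                for i in range(steps))
    return total / steps

def max_fst_interval(target, dc, lambda_d, ti_pst):
    """Longest TI_FST with PFDavg <= target, or None when the PST term
    alone already uses up the target."""
    if not 0 <= dc < 1:
        raise ValueError("dc must be in [0, 1)")
    pst_term = dc * lambda_d * ti_pst / 2
    if pst_term >= target:
        return None
    return 2 * (target - pst_term) / ((1 - dc) * lambda_d)

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg value (0 = worse than SIL 1;
    anything below 1e-4 is reported as SIL 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

if __name__ == "__main__":
    LAMBDA_D = 2e-6        # constructed dangerous failure rate, per hour
    PST, FST = 730, 17520  # monthly PST, two-year FST, in hours
    for dc in (0.0, 0.7):  # no PST credit vs. the 70% figure the post mentions
        avg = pfd_avg(dc, LAMBDA_D, PST, FST)
        print(f"DC={dc:.0%} PFDavg={avg:.3e} SIL {sil_band(avg)} "
              f"max FST for SIL 2: {max_fst_interval(1e-2, dc, LAMBDA_D, PST):.0f} h")
```

With these constructed inputs the same valve on a two-year full stroke interval moves from the SIL 1 band to the SIL 2 band once 70% PST coverage is credited, and the longest full stroke interval that still meets a PFDavg of 1e-2 grows from 10,000 to 31,630 hours.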
Using device diagnostic and proof testing capabilities to diagnose failures is becoming a best practice for safety in the process industries. Another place where you see this kind of approach is in the partial proof test credit that you can take for testing the electronics of a transmitter without testing the sensor. For example, the 3051S owner’s manual provides two types of proof tests. The analog output loop test provides 50% coverage of dangerous undetected failures, whereas performing a 2-point sensor calibration proof test provides 95% coverage (see slide 18 in the “Part 6 – Operation Phase” presentation).
Thanks for a great summary, Mike!