A safety instrumented function (SIF)’s purpose is to reduce the risk of a specific hazard. For example, an upset condition in an oil and gas production separator may cause a series of SIFs within a safety instrumented system (SIS) to shut in the wells feeding the separator.
A SIF contains a sensor, logic solver and final control element—often an emergency shutdown valve. As a mechanical component of this safety loop, the final control element has the greatest risk of failing on demand.
In an Offshore Technology Conference (OTC) paper and presentation, Filling Gaps in SIS Standards for Reliable, Cost Effective Safety Solutions, Emerson’s Shawn Statham, described the safety standards and the opportunity for greater clarity and solutions for the final control element portion of the SIF. Shawn’s presentation was part of the Striving Toward Safety Excellence in Offshore and Subsea Environments technical track.
IEC 61508 and IEC 61511 are two global safety standards governing the lifecycle of the safety instrumented system and all of its safety instrumented functions. Shawn defined a safety instrumented system as:
…designed to prevent or reduce hazardous events by taking the process to a safe state when predetermined conditions are violated in order to protect personnel, equipment and the environment, by mitigating the likelihood and severity of the potential risk.
The standards are performance based rather than prescriptive. A level of risk reduction is determined based up the severity of the hazard to be mitigated. The design of safety instrumented function must meet the safety integrity level (SIL) determined through the safety requirement specifications developed.
Shawn cited a statistic about automated block valves (ABVs) used in safety instrumented system applications. They contribute over 50% of the total probability of failure on demand (PFD). The reliability, safety, and design, of the final element will have a significant impact on the overall “RRF” Risk Reduction Factor.
The biggest challenge manufacturers and producers face in the ABVs used in safety applications is that these emergency shutdown valves are often composed of valves, actuators, and controllers from different suppliers. While the individual components may have the risk reduction factors required for the application, how these components are integrated together may impact the overall performance.
Reliability of these critical safety shutdown valves has become a high visibility issue due to challenges with systematic failures and spurious trips. Unfortunately, The IEC61511 safety lifecycle does not specifically address integration, and this has been left to best practices which have not always proven effective.
Considerations for this integration include performing a valve lifecycle analysis, carefully sizing the valve and actuator torques, carefully sizing the drive train components, and understanding how to test the performance effectively over the lifecycle of use.
One opportunity around testing is to perform partial stroke testing (PST) on a periodic basis to make sure the valve is not frozen in its current state. To effectively perform partial stroke testing, powerful analytical tools are needed. These tools can perform both partial and full stroke tests as required for their safety application.
The PSTs do not interfere with safety functionality while the test is performed a collect data to show the change in performance over time. This allows for planning when servicing may be required and helps to extend the time intervals between full stroke tests.
Look for future updates from Shawn as some of the challenges outlined in his presentations are more effectively addressed for manufacturers and producers.