Process Safety Lessons Learned
Process safety has been a popular topic these days. Unfortunately, it has hit the mainstream press because of high-profile safety incidents such as last year's Deepwater Horizon accident in the Gulf of Mexico. On a positive note, process safety isn't just for the experts anymore. Many process industry business leaders and managers are taking a stern look at their organizations and wondering whether they are protected or not. Still, some are making the mistake of assuming that their past success in operating safely is an indicator of future process safety success.
I just read an article by Walt Boyes titled "Process Plants Accidents: Careful. We Don't Want to Learn from This." Walt makes some really strong points about the lack of process safety improvements over the past 25-plus years, since the 1984 Bhopal, India incident got the process safety management (PSM) ball rolling. Walt once corrected me on a point that he did not make in his article. A couple of years ago, I was talking to him about the need to simplify regulatory compliance and he told me that I had it all wrong. Walt said, "If the goal is to be regulatory compliant, then you are missing the point."
Walt's point was that regulatory compliance is not a goal to strive for. If you are hoping to improve your safety by becoming regulatory compliant, then you are setting yourself up to fall woefully short of actually managing your process safety. The regulatory compliance mindset can lead you onto all sorts of stray paths if you are not careful. This is a major contributor to many ineffective safety programs and management cultures today. During the investigations into the Deepwater Horizon incident, we saw clear examples of very smart people making irrational decisions because their goal was to meet the regulatory compliance requirements set by the Minerals Management Service (MMS) in the Gulf of Mexico. Instead, it is important to focus on the real goal: managing process safety.
"There's an old saying that if you think safety is expensive, try an accident. Accidents cost a lot of money, not only in damage to plant and claims for injuries but also in the loss of the company's reputation." - Dr. Trevor Kletz
This week I read the IndustryWeek article, "BP Refines Post-Spill Drilling Strategy." Less than a year after the Deepwater Horizon incident, there are already signs of BP's top management taking a leadership role in driving process safety management in their company. Change like this isn't something that can be driven from the bottom up. You need top-down support to make this happen. The article discusses some of the safety culture and management changes that the new CEO Robert Dudley says are happening at BP. Dudley is quoted as saying that production shutdowns are costly, but safety is good business.
"My fear is that some of the other refineries within the United States will feel, 'that couldn't happen to me.' And the ones that feel that couldn't happen at their site are the ones that are set up to have it happen there." - Glenn Erwin
This is one of the major challenges that the process industry faces. After the Deepwater Horizon incident, leaders from several multinational oil companies testified before Congress that something like this couldn't happen to them. This is a natural response to this kind of industry event. However, the major oil producers did come together after recognizing that their emergency response plans were all pretty much the same and that they were indeed subject to some of the same problems. ExxonMobil, Shell, ConocoPhillips, Chevron, and BP have since formed a non-profit organization, the Marine Well Containment Company, which will provide a rapid response system to capture and contain oil in the event of another blowout in the Gulf of Mexico.
"Process safety deals with the fires, explosions, and toxic releases and things like that. You can have a very good accident rate for what we call 'hard hat' accidents and not for process ones." - Dr. Trevor Kletz
It is common to see process industry facilities with signs reminding you to hold onto handrails, watch where you are walking, and be careful not to be burned by spilled coffee. If you drive down Highway 225 in southeast Houston, you are likely to see dozens of signs outside refineries and chemical plants that display hundreds of thousands of man-hours without a lost-time or total recordable incident. While it is very important to celebrate personal safety milestones, they have little connection with process safety performance. Having a very low lost-time accident rate can induce complacency and a false sense that safety is being well managed. A key lesson from recent incidents was the need to track leading and lagging process safety indicators in addition to personal safety metrics. The AIChE Center for Chemical Process Safety (CCPS) has recently made significant progress in developing process safety metrics.
"The fact that you've gone for 20 years without a catastrophic event is no guarantee that there won't be one tomorrow." - Prof. Andrew Hopkins
Personal safety focuses on preventing high frequency, lower consequence incidents like
slips, trips, and falls. Process safety focuses on preventing much lower frequency events
with a catastrophic consequence. Many process safety hazards are estimated to be
likely to occur only once in the life of a facility, or even only once in the life of an
industry.
Some hazardous event frequencies are measured in terms of once in thousands of years. These events typically result from multiple causes related to a complex sequence of failures in equipment, people, processes, and decision-making. So the process industry often celebrates its personal safety successes while having to fight complacency about the need for continuous process safety vigilance. Some safety engineers complain that change is hard to justify because current practices have not resulted in any safety incidents. It often takes a catastrophic event to invigorate the organization's focus and commitment around process safety.
Control Valves in Process Safety Applications
Update and bump: I received great news from Riyaz that the ISA Kuwait section has agreed to let us upload and link to their December 2009 newsletter containing Riyaz's article, "When is a Safety Integrity Level (SIL) Rating of a Valve Required?"
I'd like to thank the ISA Kuwait staff and encourage readers in this region to join and participate. You'll learn from their regular presentations by ISA Fellows and technology participants, monthly newsletters, conferences and exhibitions, and connections with other automation professionals.
Original post: Two questions were posed recently over at the ISA Safety Archives in a thread, "Valve in SIL verification" (login required):
Q-1: Do we need to include the valve in SIL verification, or can we limit it up to the solenoid-operated valve, considering the valve as a mechanical device?
Q-2: To achieve SIL-2 we normally use a 1oo2 configuration for the final element. Here, do we need to use a 1oo2 configuration of the solenoid valve, or shall it be a 1oo2 configuration of the valve?
The feedback from the other listserv members, many of whom are prominent voices in the process safety community, was that the valve must be included in the SIL verification and that the 1oo2 configuration extends to the valve.
I checked with Emerson's Riyaz Ali, whom you may recall from numerous process safety-related posts, on this discussion thread. Riyaz shared an ISA Kuwait section whitepaper, "When is a Safety Integrity Level (SIL) Rating of a Valve Required?" Unfortunately, the ISA holds the copyright on this whitepaper so I can't provide a link to it. I'll highlight a few points that Riyaz makes in the paper.
In the introduction, Riyaz notes that:
"To establish an SIL suitability rating for a Safety Instrumented Function (SIF) loop, a PFD value needs to be computed for the components of the loop (a SIF loop consists of Sensor, Logic Solver, Final Element). To calculate PFD, an equipment failure rate number is required."
Riyaz enumerates three cases where control valves can be used as safety shutdown valves:
Control valves which are used only as an on/off single final element
Control valves which are used in a dual purpose context (both for control and safety)
Control valves which are used in a dual purpose context in addition (redundancy) to an
on/off valve
For the first case, the control valve would be the final control element in the SIF and this
SIF would need to have a safety integrity level (SIL) rating equal or greater than 1.
For the second case, Riyaz cites IEC 61511 part 1 clause 11.2.10, which states that "a device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that overall risk is acceptable." He notes how this may be interpreted:
YES: If all possible failures of the control valve do not place a demand on any SIF, then the control valve may be used with no further analysis. In this case, the control valve is the final element of the Safety Instrumented Function (SIF) loop and needs to have a SIL rating equal to or above 1.
NO: If failure of the control valve will place a demand on a SIF, then it may not be used as the only final element in that SIF.
If failure of the control valve will not place a demand on the SIF for which it is intended but may place a demand on any other associated SIF, then the control valve may be used in a SIF only after detailed analysis. An additional step of further analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low.
The control valve in this case would again be the final element of a SIF requiring a SIL rating greater than 1.
In the third example of providing additional hardware fault tolerance for higher SIL
applications, mean time to fail (MTTF) of the control valve can be used in the probability
of failure on demand (PFDavg). He shares the failure fraction components and
equations for arriving at the PFDavg of the SIF. For this 3rd case, Riyaz shares [links
added]:
mechanical equipment like valve bodies and actuators do not have any diagnostics
capabilities. According to IEC 61508 part 2, table 2, with a hardware fault tolerance
(HFT) of zero, they can only be used in SIL 1 applications. A digital valve controller
mounted on a Final Control Element improves the diagnostic coverage factor, which in
turn improves the SFF number, allowing the possible use of higher SIL rated
applications (Per IEC 61508 part 2, table 3) by use of the Partial Stroke Test.
Riyaz sums up his thoughts: if the control valve is used as part of a SIF, then the total PFDavg of the loop must meet the intended SIL level. If the control valve is used for normal process control managed by the basic process control system (BPCS), then per IEC 61511-3 part 1, section 3.2.3, the control valves do not have SIL suitability.
I also wanted to refer you to an earlier post, Field Device Sharing Between Control and
Safety Systems, where we explored the case of sharing instruments between the BPCS
and safety instrumented system (SIS).
I turned to one of Emerson's certified functional safety experts (CFSE) and long-time process safety veteran, Len Laskowski, for his thoughts on the article. You may recall Len from numerous process safety-related posts.
In our phone conversation, Len's first comment after reading the article was, "This sounds like the voices of experience. One does not just declare, 'On the next project we will implement IEC 61511 and have life be happy ever after.'" As the article suggests, a company needs to adopt the IEC 61511 Safety Life Cycle. This takes time and resources that many process manufacturers underestimate. Len noted that following the Safety Life Cycle and doing the needed work will give process manufacturers the foundation to properly execute a project and, more importantly, a safe facility.
He agreed with the authors about the large challenges confronting process manufacturers when planning, designing, executing, and maintaining their operations using the IEC 61511 process safety lifecycle. The article's authors frame these challenges:
The Safety Instrumented System (SIS) standard, IEC 61511, is driving the need for new
engineering tools and Project Execution Plans (PEPs). The standard is a lifecycle
approach to defining, implementing and managing a safety instrumented system (SIS).
Industry discussions tend to focus on the technical aspects of the standard, but project
execution is proving to have an equal or perhaps greater impact on the quality and
success of an IEC 61511 project. This article describes a few of the challenges from the
EPC [engineering, procurement, and construction] and MAC [main automation
contractor] perspective, and suggests approaches to enhance IEC 61511 execution and
technical outcomes.
I asked Len what most caused these projects to go awry, and without hesitation he said it was not giving the upfront planning the time it requires, especially if this is the first time the process manufacturer has executed a project using the IEC 61511 approach or if the process is new. Even with completed Hazard and Operability (HAZOP) studies and validated layers of protection analysis (LOPA), it takes a lot of time and there is usually quite a bit of recycle. One example Len cited was a pressure relief valve. When walking through the hazard scenarios, discoveries may come up, such as insufficient sizing for reverse flow conditions. Changes may have to be made which ripple to other safety instrumented functions (SIFs).
Another example Len offered is alarm level settings for standalone alarms that are used as an independent layer of protection. Questions must be asked and answered about whether operators really have the required minimum amount of time to do something as a result of the alarm condition. It also must be clear exactly what the operator must do to alleviate the alarm condition. And ultimately, can all this be done within the process safety time for the given condition? Resolving these questions takes cross-departmental participation, and it all adds up to increased time required on the project's front end.
Len's guidance to project engineers is to resist the temptation to shortcut this front-end planning. Shortcutting it will cost more on the back end of the project in terms of rework, will increase project timelines, and will increase the difficulty of testing the safety instrumented functions over time.
control of this PSM database is by a different group within the plant than the group that
manages the BPCS.
Len's closing thought for process manufacturers new to the IEC 61511 process is to focus on the critical shutdown streams in their process. In most processes, there are a few really important streams to close down to take the process to a safe state. The rest are secondary effects of the key streams. Once the key streams are designed and approved, the rest can be done. This often helps to simplify the safety requirements specification (SRS) and make the ongoing support through the safety lifecycle more manageable.
Having strong, experienced technical leaders on the front end helps minimize problems as the process safety project progresses. Although this front-end work may seem time consuming and expensive, Len shared the old safety saying, "If you think safety is expensive, try an accident!"
Ed provides some cases where a wireless solution was the preferable one. They involve timing to get installed, the speed of the process (process safety time), quicker recovery from an accident, and providing redundant routes (one wired, one wireless).
means there is no redundancy. Project teams may have to re-visit the HAZOP analysis to
evaluate new safety integrity level (SIL) conditions.
Referring to the global safety standard, IEC 61508, Riyaz makes the following points:
A smart SOV (integral microprocessor-based smart positioner + integral SOV) will be classified as a Type B device as per IEC 61508 part 2 table 3. With a smart positioner plus an external SOV pneumatically in series, the SOV is still regarded as a Type A simple device, improving reliability.
The Type A and Type B definitions are taken from IEC 61508 part 2.
IEC 61508 part 2 clause 7.4.3.1.2 defines Type A: "A subsystem (see 7.4.2.11, note 1) can be regarded as type A if, for the components required to achieve the safety function:
the failure modes of all constituent components are well defined; and
the behaviour of the subsystem under fault conditions can be completely determined; and
there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met (see 7.4.7.3 and 7.4.7.4)."
IEC 61508 part 2 clause 7.4.3.1.3 defines Type B: "A subsystem (see 7.4.2.11, note 1) shall be regarded as type B if, for the components required to achieve the safety function:
the failure mode of at least one constituent component is not well defined; or
the behaviour of the subsystem under fault conditions cannot be completely determined; or
there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures (see 7.4.7.3 and 7.4.7.4)."
This means that if at least one of the components of a subsystem itself satisfies the conditions for a type B subsystem, then that subsystem must be regarded as type B rather than type A. See also 7.4.2.11, note 1.
A high common cause factor will result if everything is integrated in one package, versus an external SOV. A smart positioner for SIS and an external SOV pneumatically in series provide redundancy in case of a safety demand, giving higher reliability. This is in line with IEC 61511 part 3, clause 3.4 a) (page 20 of 70), which states, "... of probabilities and considering common cause failures. It may be necessary to use redundant architectures to achieve the required hardware safety integrity."
SOV health monitoring gives physical results (a pressure blip can be seen on ValveLink), whereas the built-in test of an SOV with an integral positioner gives no definitive results. A smart positioner digital valve controller (DVC) can test an SOV which is externally mounted pneumatically in series. To improve MTTFs (Mean Time to Fail Spuriously), smart positioners can use a reverse type relay, which will NOT contribute to MTTFs. In case of any electrical signal failure, or of the input current signal to the smart positioner, this will NOT cause a spurious trip.
Hence two devices pneumatically in series will have the MTTFs of a single device (the SOV, a Type A device only). A smart positioner and an SOV mounted externally pneumatically in series will be ideal from a safety reliability and plant availability standpoint.
Smart positioners with integral SOVs will have high air consumption (67.8 scfh) for a large orifice, compared to a smart positioner with an external SOV, which will have a low bleed relay (2.1 scfh). This is because external SOVs will NOT consume any air during normal operation.
The Fisher DVC6200 SIS provides an SIS Trigger capability like the black box of an
aircraft to provide rich data on a TRIP event for analysis by a safety engineer to help
avoid future trip conditions.
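As an added worked example (not code from the posts, from Riyaz Ali's paper or from Emerson), the Python below carries through the two checks that the third case above and the common cause points rely on: the simplified IEC 61508 low-demand PFDavg for a 1oo1 and a 1oo2 final element with a beta-factor common cause term, the SIL band that PFDavg falls in, and the architectural constraint from subsystem type, SFF and HFT (IEC 61508-2 tables 2 and 3). The failure rates, yearly proof-test interval, partial stroke test coverage and beta values are constructed illustration values, not data for any real device.

```python
"""Simplified IEC 61508 low-demand checks for a valve used as a SIF final element.

Added worked example, not code from the posts or from Emerson. The failure
rates, proof-test interval, diagnostic coverage and beta factor used below
are constructed illustration values, not data for any real device.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61508-2 architectural constraints (table 2 = Type A, table 3 = Type B),
# indexed by SFF band (<60 %, 60-90 %, 90-99 %, >=99 %) then by HFT (0, 1, 2).
# A 0 entry means the architecture is not allowed for any SIL.
_MAX_SIL_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_MAX_SIL_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in failures per hour, split as IEC 61508 requires."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    @property
    def sff(self) -> float:
        """Safe failure fraction: every failure except dangerous undetected."""
        return 1.0 - self.dangerous_undetected / self.total


def with_diagnostics(rates: FailureRates, coverage: float) -> FailureRates:
    """Model a diagnostic such as a partial stroke test: the fraction
    `coverage` of dangerous failures becomes detected, which raises the SFF."""
    dangerous = rates.dangerous_detected + rates.dangerous_undetected
    return FailureRates(rates.safe_detected, rates.safe_undetected,
                        dangerous * coverage, dangerous * (1.0 - coverage))


def pfd_avg_1oo1(lambda_du: float, ti_hours: float) -> float:
    """Single channel: PFDavg ~ lambda_DU * TI / 2 (repair time neglected)."""
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du: float, ti_hours: float, beta: float) -> float:
    """Two channels, either of which trips the process (1oo2). The beta-factor
    common-cause term beta*lambda_DU*TI/2 is a 1oo1 term that redundancy
    cannot remove; only the independent part gains the square."""
    independent = ((1.0 - beta) * lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg; 0 means the loop misses SIL 1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # below 1e-5 is outside the SIL 4 band; reported as 4 here


def max_sil_architectural(subsystem_type: str, sff: float, hft: int) -> int:
    """Highest SIL the hardware fault tolerance and SFF allow for a Type A
    or Type B subsystem (IEC 61508-2 tables 2 and 3)."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    is_type_a = subsystem_type.upper() == "A"
    table = _MAX_SIL_TYPE_A if is_type_a else _MAX_SIL_TYPE_B
    return table[band][min(hft, 2)]


def verify_final_element(rates: FailureRates, subsystem_type: str, hft: int,
                         ti_years: float, beta: float = 0.0) -> dict:
    """Combine the PFDavg route and the architectural-constraint route; the
    achievable SIL is the lower of the two. hft=0 is one valve (1oo1),
    hft=1 is two valves in 1oo2 with common-cause factor beta."""
    if hft not in (0, 1):
        raise ValueError("this example models 1oo1 (hft=0) and 1oo2 (hft=1)")
    ti_hours = ti_years * HOURS_PER_YEAR
    if hft == 0:
        pfd = pfd_avg_1oo1(rates.dangerous_undetected, ti_hours)
    else:
        pfd = pfd_avg_1oo2(rates.dangerous_undetected, ti_hours, beta)
    sil_pfd = sil_from_pfd(pfd)
    sil_arch = max_sil_architectural(subsystem_type, rates.sff, hft)
    return {"pfd_avg": pfd, "sil_by_pfd": sil_pfd,
            "sil_by_architecture": sil_arch,
            "achievable_sil": min(sil_pfd, sil_arch)}


if __name__ == "__main__":
    # Constructed valve + actuator rates with no diagnostics: every dangerous
    # failure stays undetected until the yearly proof test.
    valve = FailureRates(5e-7, 5e-7, 0.0, 2e-6)
    print("1oo1 Type A, no PST  :", verify_final_element(valve, "A", 0, 1.0))
    print("1oo1 Type A, 70% PST :",
          verify_final_element(with_diagnostics(valve, 0.7), "A", 0, 1.0))
    print("1oo2 Type A, beta 0.1:", verify_final_element(valve, "A", 1, 1.0, 0.1))
    print("1oo1 Type B, no diag :", verify_final_element(valve, "B", 0, 1.0))
```

With these constructed rates the single undiagnosed valve is held to SIL 1 by the architectural constraint even though its PFDavg falls in the SIL 2 band, partial stroke testing lifts it to SIL 2, and in the 1oo2 case roughly nine tenths of the PFDavg comes from the common cause term.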
The author describes some cases where this reserve air volume might be needed, such as when the failure position of the safety valves is not the failsafe condition or when operating conditions require an orderly, sequenced shutdown.
The equations to size the volume tank are given as well as who would typically supply
the equation parameters. For instance, the valve supplier typically supplies the safety
valve torque requirements and required leakage rates. The actuator supplier provides
the torque-to-supply pressure tables. The good news for those of us a little rusty in our
advanced math skills is that the equations are algebraic and the simplifying
assumptions err to the side of conservative volume sizing.
I sent a link to this great article to Emerson's Len Laskowski, whom you may recall from earlier process safety posts. Len is a principal technical consultant, registered professional engineer, and certified functional safety expert (CFSE) and TÜV CFSE.
Len added that many engineers will tend to the conservative side and size the volume
tank for several strokes of a valve, even if it needs to operate only once in a single
stroke. This is mainly because extra capacity is relatively inexpensive, especially to
mitigate the risk of a larger hazard.
He shared a reactor emergency depressurization example as a typical application where you might find volume tanks. Len wrote:
"Typically, if this is a safety instrumented function (SIF) you want de-energized to trip failsafe. The emergency depressurization valves are Fail Open on loss of air. A spurious trip of this system would be bad news, as the author suggests. It could create secondary hazards, as is suggested in IEC 61511, that need to be identified.
For example, if the air failure was extensive, a large number of vessels all depressurizing at once could overload a flare system. Too quick a depressurization of some chemicals could cause auto-refrigeration that could lead to a cooling of the vent piping below design spec and the hazard of pipe embrittlement.
In some reactors, it would possibly blow catalyst out the vent system and possibly put stress on reactor beds or trays that could damage the internals of the vessel, due to the large pressure differential caused by the emergency depressurization. These secondary issues also need to be managed and are reasons why volume tanks are needed."
Len has worked with process manufacturers to address some of these issues:
"In some cases, a nitrogen or air bottle backup system would be used that has much more capacity than a volume tank. I have also seen cases where nitrogen is automatically switched in to back up a valve. This can be done by having a 3-way valve hooked up so that the common goes to the final element, one side goes to instrument air and the other to nitrogen.
You need some check valves to guard against reverse flow and have the valve actuator off the instrument air so that it cuts off the nitrogen when instrument air is present. This is also a good setup when you have air motors that need a lot of air (gas) to move big valves. With nitrogen's toxicity in sufficient concentrations, these applications are generally outdoors, well ventilated, and require close review."
Len complimented the author on his article and added a few more considerations for process safety professionals. He wrote:
"Other considerations that may be overlooked are common mode failures and testing. Typically, one would put two check valves in the system because failure of one would allow the tank to bleed out to the plant header. Also, care must be taken that the air is clean and no dirt is allowed to get to the check valves, so a filter/separator is really required to ensure that the check valves have a good opportunity to operate.
Facilities to isolate the volume tank from the air supply and bleed the air upstream of the check valves are also required, not only to check that the system works initially but also for future proof testing. Typically, these systems should be checked at the same time the safety instrumented system (SIS) is proof tested. This is an easy item to overlook and needs to be put on the testing schedule with the SIFs it supports."
I hope that between the author's original article and Len's additional thoughts there are some pearls you can apply in your process safety efforts.
I had the opportunity to contribute a guest post, Common Cause Failures in Safety Valve Positioners? It was based on a question I recently received.
Common Cause Failures in Safety Valve Positioners?
February 25, 2014 by Jim Cahill
Filed Under: Actuators and Controls, Featured, Safety, Standards & Regulations, Valve
Selection
Tagged With: Emerson
A safety instrumented function, also known as a safety loop, includes the logic solver,
sensing device, and final control element. The final control element, often a valve, can
be the source of much discussion, since it is what moves to take the safety action.
An earlier Emerson Process Experts post, Providing Operators Process Control Valve
Position Feedback, stressed the importance of critical control valves having valve travel
feedback from independent devices such as position transmitters, limit switches, or
positioner output feedback.
A commenter wrote:
"It's unclear to me whether position feedback from a smart positioner is truly independent of the reference signal from the control system, as the positioner ostensibly uses that same information as a measurement in its own local position feedback loop (for which the reference signal is the setpoint). I'm guessing it's not in most cases (and note that this trait is probably not unique to Emerson devices).
If you're driving the valve to a certain position with the reference, and then using the position feedback to verify that the valve is actually at the position you drove it to, there is a potential common-cause failure in the position sensing and processing. For independence I'd think you would have to either use other means to drive the valve (e.g., a dump solenoid valve), or have position sensing distinct from that used by the positioner."
Exida's Dr. William M. Goble noted in a whitepaper, "Estimating the Common Cause Beta Factor":
"Over the last few years, it has become recognized that common cause failures can have a major negative impact on the safety and availability of redundant equipment. The whole value of redundancy may be ruined. This is clearly recognized by IEC 61508 and probabilistic analysis now requires a quantitative assessment of common cause."
As part of the design for products used in safety instrumented systems, extensive design and testing must be performed in accordance with the IEC 61508 global safety standard. Specifically for this smart positioner, Emerson's Riyaz Ali responded in an email to me. He explained:
"Common cause factor is a key concern when using a position transmitter within a safety valve positioner, as is typically done.
In the case of a valve positioning transmitter designed for process safety applications, it is designed to isolate the positioning function. This design makes it completely independent of the positioner, should the input signal or power to the positioner fail, or should any issue related to the positioner cause it to cease functioning. The position transmitter continues to function to provide the valve's position.
As part of the certification process for use in safety instrumented functions up to safety integrity level 2 (SIL 2), the position transmitter function is certified separately from the positioner.
Process manufacturers managing the safety lifecycle for their plants follow the IEC 61511 standard. They rely on the suppliers to provide technologies including safety shutdown valves, actuators, positioners, and positioning transmitters suitable for application at the level of risk they are mitigating."
should most definitely be analyzed for overall cost, system effectiveness, efficiency,
and lifecycle expectations.
The best way to overcome valve failure is to ensure you are using the correct valve for
the job. If you are not dealing with an isolation valve, the flow characteristic of the
specific valve can be highly important in reducing your chance of valve failure. The
pump and the pump station make a big difference in the type of valve you need to
choose. Well-known valve failure issues include valve slam and water hammer, both of
which are associated with check valves. To overcome valve failure associated with water
hammer and valve slam, you must use the correct type of check valve with the right
features. Closing speed is an extremely important attribute of the check valve you are
choosing, and care should be taken to determine the capabilities of the pump system
prior to making your valve selection.
The type of fluid the valves are handling is another aspect to note when considering
ways to overcome and prevent valve failure.
The documentation linked above discussing ways to minimize energy consumption via
valve selection is a detailed resource for studying the many ways valve selection will
aid in overcoming valve failure.
Valve Industry Knowledge Sharing
As is the mission of the Empowering Valves community, we strive to bring together
timely and essential information in one location, where individuals who dedicate their
professional careers to the pump and valve industry, as well as all who interact with it,
can more easily find the information they need and resources for further details specific
to their individual applications and projects.
If you have additional details regarding information, methods, and tools to overcome
valve failures, please share your knowledge with the online valve community by joining
the Empowering Valves LinkedIn Group and its discussions, so that others in your
industry, and everyone affected in one way or another by the pump and valve industry,
can benefit from your shared knowledge and experience, making further advancements
in technology possible.
Final elements used in safety applications typically remain stationary until a safety
demand arises which requests them to go to their safe state, either fully open or fully
closed. Digital valve controllers, such as the DVC6200 SIS, have been certified by a third
party as standalone devices suitable for use in safety applications up to SIL 3 SIF loops.
Riyaz shared that many process manufacturers still opt to use solenoid valves (SOVs)
mounted pneumatically in series with the digital valve controllers. This approach
provides a redundant pneumatic path on a safety demand: either device will drive the
emergency shutdown (ESD) valve (often tagged ZV) to the fail-safe position, so if the
primary ESD device (the solenoid valve) fails to function, the digital valve controller can
still drive the valve to its safe state.
Also, as we highlighted in an earlier post, "Checking Your Safety Solenoid Valves," the
digital valve controller can sense and capture the data for the momentary pressure blip
across the solenoid valve to verify its health without causing the safety valve to move.
Riyaz explained that having a solenoid valve integral with a smart positioner would not
meet redundancy requirements. This arrangement affects the PFDavg (average
probability of failure on demand) calculations per ISA TR84.00.02-2002 Part 2. An
integral SOV provides a one-out-of-one (1oo1) arrangement, whereas an external SOV
provides a one-out-of-two (1oo2) approach in the pneumatic path. The 1oo2 approach
gives an improved (lower) PFDavg over a 1oo1 single-box approach.
If the SOV is external in the pneumatic line, the digital valve controller can monitor
its health, and the test results on the plunger movement within the SOV during the test
can be sent directly to the control system. Similar tests can be done if the SOV is
integral to the digital valve controller, but then no test reports are generated and no
health status of the internal SOV is available at the control system level.
Riyaz believes that an external solenoid valve pneumatically in series is the preferred
option because of the redundancy in hardware to drive the valve to its safe state. Per
IEC 61508, a smart SOV (an integral microprocessor-based smart positioner plus integral
SOV) will be classified as a Type B device (IEC 61508 Part 2, clause 7.4.3.1.3). This
means that a) the failure mode of at least one constituent component is not well
defined; or b) the behavior of the subsystem under fault conditions cannot be
completely determined; or c) there is insufficient dependable failure data from field
experience to support claims for rates of failure for detected and undetected dangerous
failures.
An SOV connected externally in series would be a Type A device (IEC 61508 Part 2,
clause 7.4.3.1.2). This means that the failure modes of all constituent components are
well defined; the behavior of the subsystem under fault conditions can be completely
determined; and there is sufficient dependable failure data from field experience to
show that the claimed rates of failure for detected and undetected dangerous failures
are met. Going from a Type A to a Type B device has an impact on safety reliability, and
the SIF loop's PFDavg calculation will have to be re-evaluated.
To improve MTTFS (mean time to fail spurious), a smart positioner can use a
reverse-type relay, which does not contribute to MTTFS: in the case of an electrical
signal failure or loss of the input current signal, the smart positioner will not cause a
spurious trip. This means that two devices connected pneumatically in series will have
the MTTFS of a single device (the Type A SOV only). A smart positioner and an SOV
mounted externally, pneumatically in series, support both high safety reliability and
plant availability.
A smart positioner with an integral SOV will have high air consumption (67.8 scfh)
because of its large orifice, compared to a smart positioner with a similarly sized
external SOV, which has a low-bleed relay (2.1 scfh). This is because external SOVs do
NOT consume any air during normal operation.
Riyaz closed by suggesting that, for SIS applications, accessories such as volume
boosters or solenoid valves (if required) be kept as external devices rather than
integral. This subject is still open, and future technology developments may warrant
another look at the pros and cons of integral vs. external final element accessories in
process safety applications.
Update: The factors converting standard cubic feet per hour to cubic meters per hour
were incorrect and have been removed.
In the event of a safety demand, the final control element of a safety instrumented
function (SIF) loop is a key component in taking the process to a safe state. Unlike the
logic solver or sensors (analog transmitters), the final control element has required a
total shutdown to check its mechanical integrity. With the invention of the digital valve
controller, a final control element's mechanical movement can be tested online by
moving it over a span of 10% or 15% without disrupting the process.
For those not familiar with two of the major international safety standards for process
manufacturers, IEC 61508 and IEC 61511, Riyaz provides this contrast:
IEC 61511 is an industry-specific version, specifically dealing with process industries:
Functional Safety: Safety Instrumented Systems for the Process Industry Sector.
IEC 61511 provides clarity on the use of IEC 61508 in automation protection systems for
the process industries by using industry-specific vocabulary, specific examples, and
tailored requirements.
As mentioned in the abstract, the final control element is a critical portion of the safety
instrumented function, or safety loop, in taking the process to a safe state. It could be
an emergency shutdown valve, blowdown valve, emergency isolation valve, emergency
venting valve, or on/off valve. These valves may remain dormant for long periods, so
they must be tested periodically to make sure they will operate properly in a safety
demand situation.
Riyaz notes that conventional testing requires either process shutdowns or bypasses,
the latter of which add complexity and risk to the process flow. Completely testing the
final control element's performance requires an in-line test that strokes the valve
through its full travel.
Without bypasses, the loss of production means process manufacturers want to extend
the interval between these full stroke tests as long as possible, until the plant is shut
down for turnaround maintenance.
Riyaz describes ways developed to extend the time intervals for the final control
element testing by partially stroking the valves. He writes:
It was recognized that the most likely failure mode of a discrete shutoff valve is to
remain stuck in its normal position. To test for this type of failure, it is not necessary to
completely stroke the valve to test its functionality. A large percentage of covert valve
failures can be detected if a limited form of testing can determine that the valve is not
stuck and will begin to move. Furthermore, if this type of test could be performed online
without shutting down the process, improvements in the PFDavg could possibly be
obtained without the loss of production.
Methods to perform this partial stroke testing include mechanical limiting devices and,
more recently, logic solver-based testing:
which sends fixed pulsations to the solenoid valve to monitor the subsequent
movement of the valve. The pulse duration is set to allow slightly more than the
required 10-15% movement. The feedback of valve movement is provided by an analog
limit switch.
Whichever method is used, written safety procedures are important to make sure plant
trips don't occur and that proper documentation and maintenance are performed by
properly trained personnel.
Riyaz shares how a digital valve controller is a good solution for these partial stroke
tests because it:
receives a control signal from the logic solver. It incorporates travel feedback of the
valve position plus supply and actuator pneumatic pressures. This allows the smart
positioner to diagnose not only itself, but also the health of the valve and actuator.
Since the process is not shut down, the tests can be run more frequently and initiated by
the logic solver, HART handheld communicator, panel, and/or PC. The tests are also
automatically documented and can provide comparisons between tests. In the event of
a safety demand, the digital valve controller can also provide a log to help understand
the sequence of events for post-event analysis.
He clarifies that partial stroke tests do not eliminate the need for a full stroke test;
however, they do extend the proof test interval. This extension is often long enough to
reach the plant turnaround, where all the final control elements can have full stroke
testing performed.
If you are unfamiliar with some of these ways of partial stroke testing, you may want to
purchase the paper or review some of the past blog posts in which I've
The purpose of this test is to improve PFDavg, possibly to increase the safety integrity
level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend
the proof test interval, or a combination of both. Extending the proof test interval may
allow process operators to avoid additional downtime by scheduling proof tests during
turnarounds.
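The posts above cite the ISA TR84.00.02 and IEC 61508 equations for PFDavg but reproduce none of them, so here is an added example (not from the posts, Emerson, or Exida) that carries two of the arguments through in code: the 1oo1 integral SOV versus 1oo2 external SOV comparison, including the common-cause beta factor Dr. Goble's paper is about, and the effect of partial stroke testing on how far the full-stroke proof test interval can be stretched. The simplified low-demand formulas, the SIL bands, and every numeric input (failure rates, beta, PST coverage, intervals) are assumptions chosen for illustration, not data for any product.

```python
"""Simplified PFDavg arithmetic for the final element of a SIF.

Added example; the posts cite IEC 61508 and ISA TR84.00.02 but show no
equations. The formulas below are the usual low-demand simplified ones
(assumed here): failure rates per hour, intervals in hours, lambda_DU =
dangerous undetected failure rate, TI = proof test interval.
"""

HOURS_PER_YEAR = 8760.0


def sil_band(pfd_avg):
    """Low-demand SIL for a PFDavg (IEC 61508 bands). 0 means worse than
    SIL 1; below 1e-5 there is no band, so 4 is returned as the ceiling."""
    if pfd_avg >= 1e-1:
        return 0
    if pfd_avg >= 1e-2:
        return 1
    if pfd_avg >= 1e-3:
        return 2
    if pfd_avg >= 1e-4:
        return 3
    return 4


def pfd_1oo1(lambda_du, t_proof):
    """Single pneumatic path (e.g. integral SOV): PFDavg ~ lambda_DU * TI / 2."""
    return lambda_du * t_proof / 2.0


def pfd_1oo2(lambda_du_a, lambda_du_b, t_proof, beta):
    """Two devices in pneumatic series, either one vents the actuator (1oo2).

    Independent term: both channels must have failed, and averaging
    (lambda_a*t)(lambda_b*t) over the test interval gives the /3.
    Common-cause term (beta model): beta * lambda_DU * TI / 2, taken on the
    worse channel as a conservative assumption for dissimilar devices.
    """
    independent = lambda_du_a * lambda_du_b * t_proof ** 2 / 3.0
    common_cause = beta * max(lambda_du_a, lambda_du_b) * t_proof / 2.0
    return independent + common_cause


def pfd_1oo1_with_pst(lambda_du, t_proof, t_pst, coverage):
    """Partial stroke testing reveals a fraction `coverage` of the dangerous
    undetected failures at the short PST interval; the remainder are only
    found by the full-stroke proof test."""
    detected = coverage * lambda_du * t_pst / 2.0
    undetected = (1.0 - coverage) * lambda_du * t_proof / 2.0
    return detected + undetected


def proof_interval_for_target(lambda_du, target_pfd, t_pst, coverage):
    """Longest proof test interval (hours) that still meets target_pfd when
    PST runs every t_pst hours; inverts pfd_1oo1_with_pst for t_proof."""
    remaining = target_pfd - coverage * lambda_du * t_pst / 2.0
    if remaining <= 0.0:
        raise ValueError("PST contribution alone exceeds the target PFDavg")
    return 2.0 * remaining / ((1.0 - coverage) * lambda_du)


def worked_example():
    """Constructed numbers (assumptions, not product data)."""
    lam_sov = 5e-7   # /h, dangerous undetected rate of the SOV
    lam_dvc = 5e-7   # /h, dangerous undetected rate of the DVC pneumatic path
    beta = 0.05      # common-cause fraction; Goble's paper is about estimating it
    ti = 1 * HOURS_PER_YEAR

    single = pfd_1oo1(lam_sov, ti)
    redundant = pfd_1oo2(lam_sov, lam_dvc, ti, beta)
    independent_only = pfd_1oo2(lam_sov, lam_dvc, ti, 0.0)

    # PST on the valve/actuator: 70% coverage monthly, proof test every 3 years.
    lam_valve = 1e-6
    with_pst = pfd_1oo1_with_pst(lam_valve, 3 * HOURS_PER_YEAR, 720.0, 0.7)
    yearly_no_pst = pfd_1oo1(lam_valve, 1 * HOURS_PER_YEAR)
    extend_to_h = proof_interval_for_target(lam_valve, yearly_no_pst, 720.0, 0.7)

    return {
        "1oo1_integral_sov": single,
        "1oo2_external_sov_with_beta": redundant,
        "1oo2_if_beta_were_zero": independent_only,
        "sil_1oo1": sil_band(single),
        "sil_1oo2": sil_band(redundant),
        "valve_3yr_proof_with_monthly_pst": with_pst,
        "valve_1yr_proof_no_pst": yearly_no_pst,
        "proof_interval_years_matching_1yr_no_pst": extend_to_h / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Two things fall out of the numbers. In the 1oo2 case the beta term is roughly 1.1e-4 of the 1.2e-4 total, so the common-cause estimate, not the redundancy algebra, decides the result; that is Goble's warning in numeric form and also why the position-sensing independence question at the top of this page matters. And a three-year proof test interval with monthly partial stroke tests lands at about the same PFDavg as a one-year interval with no PST, which is the turnaround-to-turnaround extension the post describes.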
The author enumerates four methods of performing the PST: by the emergency
shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or
2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4 doubled diagnostic (2oo4D)
redundant device.
The part of the article that jumped out at me, which I needed to ask Emerson's Riyaz
Ali about, was:
Using a positioner-based device is perhaps the worst option, as it is a complete
misapplication of technology. Positioners should modulate control valves, whose
movement is very small. ESD valves on the other hand are fully open or fully closed,
and go from one state to the other as quickly as possible. Because positioners have a
very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to
satisfy the process safety time, and are suitable only for smaller valves. To compensate
for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not
tested during the PST and remains in an open position for an extended period of time.
As such, it may not be able to close (vent) upon demand and is itself a source of both
dangerous failures and spurious trips.
In addition to the interposing SOV, positioners use a pneumatic valve-nozzle
arrangement, which operates independently of the positioner electronics. Given the
nozzle orifice plugs up (often by a tiny speck of dirt or water in the air supply), shutting
off the electronics will not vent the valve diaphragm. This is a dangerous failure mode,
as venting the diaphragm (closing the valve) is critical to achieving the safe state.
Unfortunately, most positioner product safety evaluations do not address this
dangerous failure mode.
Riyaz offers some counterpoints. Advanced positioners, or digital valve controllers, such
as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown
valves and have gone through the rigorous design, testing and certification process
defined in the IEC 61508 international safety standard for use in applications up to SIL 3.
This design, testing and certification process was developed to ensure the applicability
of the technology for process safety applications.
Riyaz notes that it is true that a very few applications do require shorter process safety
times. He points out that it is not necessary to use a solenoid valve (SOV) to improve
the stroking speed; positioners can use pneumatic devices to achieve faster stroking
times. I discussed a quick-exhaust example in an earlier post. For process manufacturers
who still would like to use an SOV in the SIF loop, these SOVs come in different
capacities to meet stroking speed requirements. Also, some of the more modern
positioners, like the DVC6000 SIS, can monitor the health of the SOV when it's used with
a single-acting actuator, performing checks for dangerous failures of the SOV on-line
without affecting the process.
Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL 3 SIF in
standalone mode. Whether used standalone or in pneumatic series with an SOV or other
pneumatic accessories, the controller continuously checks the pneumatic integrity
(functioning of the I/P converter and pneumatic relay) to ensure that these components
are working and ready to drive the valve upon a safety demand (see figure 13). If any
abnormality is noted during normal operation, an alert is sent to the host system.
Riyaz also clarifies that air quality requirements are always specified in each product
bulletin for pneumatically operated valves and, specifically, that the safety manual of a
field device always recommends following the ISA S7.0.01 air quality standard, which
specifies that the air be clean, dry, and free of oil, water or particulate contaminants.
For your IEC 61511 process safety risk mitigation efforts, partial stroke testing
performed by digital valve controllers can help you reduce the PFDavg of your safety
shutdown valves.
Typical reasons for needing this additional volume are when the failure position of the
valve is not the failsafe position or when operating requirements dictate a more
orderly shutdown than having the valve immediately going to its failure position.
A volume tank needs to be in place to supply a reserve volume for actuating the valve.
The question then comes of how to size this tank.
The volume of the tank, Vt, has to be large enough and under sufficient pressure, Pi, to
fill the volume of the actuator, Va, at the minimum pressure required by the actuator,
Pf, for the number of strokes required, s.
The values of Va and Pf need to come from the actuator manufacturer. Pf will change
depending on the torque required to stroke the valve, so input from the valve vendor
may also be necessary.
Typically, the valve vendor will calculate the required torque, which will vary depending
on the individual valve type, packing design, shutoff differential pressure, and required
leakage, and choose the actuator accordingly.
The actuator manufacturer should supply a table that relates torque to supply pressure,
and the engineer can select the appropriate pressure based on the required torque the
valve vendor has given. Pi will be the normal operating pressure of the air header.
s is the number of times the valve will need to stroke before the pressure reduces below
the point at which the valve can no longer actuate. This will depend on the operating
philosophy for this valve. The process, operations, and safety groups may have input
into determining an adequate value for s.
To begin developing an equation for sizing the tank, start with the simplest case, a
single stroke.
The gas in the volume tank will expand to fill the volume Vt + Va. There are two known
pressures, Pi and Pf. Since the gas expansion will be fairly quick, little heat will come
from or go into the environment. For this reason, we can take the gas expansion to be
adiabatic in our model.
An adiabatic process is one in which no heat is exchanged with the surroundings.
The other extreme is isothermal, where the expansion takes place slowly enough that
the gas stays at constant temperature; this results in smaller calculated tank volumes
than the adiabatic assumption. Reality lies somewhere in between. Calculating the
process as adiabatic provides some of the margin for error.
Thermodynamics tells us that PV^k is a constant for an adiabatic process. k is the ratio
of specific heats, Cp/Cv, which for air at the pressures and temperatures of interest is
approximately 1.4.
(1)
Pi, Pf, Va, and k are knowns, and we can readily solve for Vt :
(2)
Keep in mind the pressure units must be absolute (e.g., psia). Aside from that, the units
of volume and pressure need only be consistent. If the actuator volume is given in
cubic inches, the tank volume solved for will be in cubic inches (actuator volume in
gallons will yield tank volume in gallons, etc.).
If multiple strokes are required, the procedure is similar but a bit more complicated.
The air in the volume tank expands to fill the volume of the tank and the actuator. The
actuator is then exhausted, and the remaining air in the tank expands again to fill the
volume of the tank and the actuator. For two strokes, the two equations are:
P2 is the intermediate pressure in the volume tank after the first stroke. Solve each
equation for P2 and equate the results.
For more than two strokes, a similar system of equations can be set up, with the
intermediate pressures eliminated algebraically. The general formula is:
For multiple strokes, the strokes probably will not be in quick succession, which allows
the tank air to warm to ambient temperature between strokes (it cools slightly when it
expands to fill the actuator). This slightly reduces the amount of air necessary, because
the pressure in the volume tank rises with the temperature. Because we cannot know
the ambient temperature in advance, it is impossible to calculate this effect precisely.
Since it is not significant, we can neglect it.
Another margin comes from the fact that tanks are available in discrete sizes. If one
calculates a volume of 8 gallons, 10 gallons is the best tank size, so 25% extra is
automatically built in.
Some of the smaller standard sizes offered are 10, 15, 20, 30, 60, 80, and 120 gallons.
Note: Tubing volume is typically a negligible consideration. However, for long tubing
runs (greater than 75 feet), we may need to factor the volume in.
It is possible to reduce the air necessary by putting a downstream pressure regulator
between the volume tank and the actuator. In this case, the regulator's set pressure is
set equal to, or very slightly higher than, the minimum pressure of the actuator.
Doing so gives a similar adiabatic expansion, but since the actuator is filled at the
same pressure each time, the end result is as though the air in the volume tank at the
starting pressure takes up Vt + sVa at the ending pressure, or:
(10)
This is the result of equation (2) multiplied by the number of strokes. Also, in the
examples below, reducing the required air by adding a pressure regulator usually did
not reduce the selected tank size.
A volume tank for a throttling control valve requires a more complex analysis than what
we are looking at here. A throttling valve will have partial strokes. It may also have a
positioner, which is a constant bleed device, meaning the volume in the tank will leak
out over a fairly short period of time.
This analysis requires knowing the bleed rate (which varies depending on input
pressure), the amount of time the valve is expected to be available (multiplying these
two will yield a mass of air, though the variable bleed rate may require some
integration, either piecewise or continuous), and some estimate of the number of
strokes required.
This will not necessarily be a whole number; round up. One can then apply the same
sort of analysis given here to come up with air necessary to stroke the valve. Add the
air required by the bleed rate to the air required to stroke the valve, taking care to keep
consistent units.
For sizing volume tanks for on/off valves, use equation (9) or (11), as appropriate. A
nice result of these equations is that it is not necessary to include a safety factor, as the
safety factor is part of the simplifying assumptions. These give the engineer a quick way
either to check the volume tank size recommended by the valve vendor or to do the
sizing oneself.
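As an added example, not from the article or its author, the following carries the sizing procedure above through in code with the article's symbols Pi, Pf, Va, k and s: the single-stroke adiabatic expansion, the multi-stroke case with the intermediate pressures eliminated, the regulator variant, the isothermal bound for comparison, and the round-up to a standard tank size. The 231 in^3 per US gallon factor, the 14.7 psia atmosphere used to convert gauge readings to absolute, the optional tubing-volume parameter, and the numeric inputs are assumptions chosen for illustration.

```python
"""Volume tank sizing for an on/off valve actuator, adiabatic model.

Added worked example (not from the article). Symbols follow the article:
Pi = tank/header pressure at the start (absolute), Pf = minimum actuator
pressure (absolute), Va = actuator volume, k = Cp/Cv (1.4 for air),
s = strokes required. Extra assumptions: 231 in^3 per US gallon, 14.7 psia
atmosphere for the gauge-to-absolute conversion, and the article's list of
standard tank sizes.
"""

K_AIR = 1.4
IN3_PER_GALLON = 231.0
ATM_PSIA = 14.7
STANDARD_TANK_GALLONS = (10, 15, 20, 30, 60, 80, 120)


def _check_pressures(pi_abs, pf_abs):
    # The article's warning: absolute units, and the tank must start above Pf.
    if pf_abs <= 0.0 or pi_abs <= pf_abs:
        raise ValueError("need absolute pressures with Pi > Pf > 0")


def tank_volume_single_stroke(pi_abs, pf_abs, va, k=K_AIR):
    """One adiabatic expansion from Vt at Pi to Vt + Va at Pf:
    Pi * Vt**k = Pf * (Vt + Va)**k  =>  Vt = Va / ((Pi/Pf)**(1/k) - 1)."""
    _check_pressures(pi_abs, pf_abs)
    return va / ((pi_abs / pf_abs) ** (1.0 / k) - 1.0)


def tank_volume_multi_stroke(pi_abs, pf_abs, va, s, k=K_AIR):
    """s strokes, actuator exhausted between them, no regulator. Each stroke
    is an expansion Vt -> Vt + Va from the pressure left by the previous one;
    eliminating the intermediate pressures gives
    Pi / Pf = ((Vt + Va) / Vt)**(s*k)  =>  Vt = Va / ((Pi/Pf)**(1/(s*k)) - 1)."""
    _check_pressures(pi_abs, pf_abs)
    return va / ((pi_abs / pf_abs) ** (1.0 / (s * k)) - 1.0)


def tank_volume_with_regulator(pi_abs, pf_abs, va, s, k=K_AIR):
    """Regulator between tank and actuator set at Pf: every stroke fills the
    actuator at the same pressure, so the tank air at Pi ends up occupying
    Vt + s*Va at Pf, i.e. the single-stroke answer times s."""
    return s * tank_volume_single_stroke(pi_abs, pf_abs, va, k)


def tank_volume_isothermal(pi_abs, pf_abs, va, s=1):
    """Isothermal (P*V constant) bound, the article's other extreme; it is
    smaller than the adiabatic figure, which is why adiabatic sizing carries
    margin. Same algebra with k = 1."""
    return tank_volume_multi_stroke(pi_abs, pf_abs, va, s, k=1.0)


def select_standard_tank(required_in3, sizes_gal=STANDARD_TANK_GALLONS):
    """Round up to the next catalogue size; this rounding is the article's
    built-in margin (8 gal calculated -> 10 gal tank, 25% extra)."""
    required_gal = required_in3 / IN3_PER_GALLON
    for size in sizes_gal:
        if size >= required_gal:
            return size
    raise ValueError(f"{required_gal:.1f} gal exceeds the largest standard tank")


def size_tank(pi_psig, pf_psig, va_in3, strokes, regulator=False, tubing_in3=0.0):
    """Gauge in, absolute inside; long tubing runs are added to the actuator
    volume. Returns the calculated volume and the selected standard tank."""
    pi_abs, pf_abs = pi_psig + ATM_PSIA, pf_psig + ATM_PSIA
    volume = va_in3 + tubing_in3
    if regulator:
        vt = tank_volume_with_regulator(pi_abs, pf_abs, volume, strokes)
    else:
        vt = tank_volume_multi_stroke(pi_abs, pf_abs, volume, strokes)
    return {"vt_in3": vt, "vt_gal": vt / IN3_PER_GALLON, "tank_gal": select_standard_tank(vt)}


if __name__ == "__main__":
    # Constructed inputs: 100 psig header, 60 psig minimum actuator pressure,
    # 600 in^3 actuator, three strokes before the tank is spent.
    for reg in (False, True):
        r = size_tank(100.0, 60.0, 600.0, 3, regulator=reg)
        print(f"regulator={reg!s:5} Vt = {r['vt_in3']:.0f} in^3 = "
              f"{r['vt_gal']:.1f} gal -> {r['tank_gal']} gal tank")
```

With the constructed inputs the no-regulator case needs about 24 gallons and the regulator case about 22, and both round up to the same 30 gallon tank, which is the effect the article reports from its own examples. A handy hand check is to set Pi/Pf = 2^k: then (Pi/Pf)^(1/k) = 2 and the single-stroke tank volume equals the actuator volume exactly.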
Terminology
Adiabatic process occurs with no exchange of heat between the system and its
environment.
Fail-safe or fail-secure describes a device or feature which, in the event of failure,
responds in a way that will cause no harm, or at least a minimum of harm, to other
devices or danger to personnel.
Actuator is a device to convert an electrical control signal to a physical action. Actuators
may be for flow-control valves, pumps, positioning drives, motors, switches, relays, and
meters.
Emerson's Riyaz Ali, whom you may recall from earlier process safety-related posts,
responded [with my light edits]:
Partial stroke test (PST) is a diagnostic function which is performed on line, in service;
hence minimum process interruption is highly desired. If the FAIL OPEN valve is
opened with a sudden jerk, it can create a blurp or surge of process, which may create
unwanted results, i.e. in liquid service, sudden opening or closing of the valve may lead
to the water hammer phenomenon.
The Emerson Fisher DVC6000 SIS is specifically designed to stroke the valve during
PST using a RAMP algorithm, which stabilizes the process while lifting the valve from its
seat. Certainly, concern may arise if a DEMAND occurs during a stroke test. The
DVC6000 SIS has built-in safeguards to immediately take the valve to its safe state
through the desired pneumatic path. In fact, the DVC6000 SIS has a unique feature
which allows engineers to configure the stroking speed, as desired by a few industries.
The Digital Valve Controller is smart enough to differentiate between a Partial Stroke
Test and a Safety Demand.
We have seen a few oil producers using the DVC6000 SIS with an external flow restrictor
in the pneumatic line to slow down valve travel and maintain process equilibrium during
a SAFETY DEMAND, so that slam-shut action does not cause piping breakage or damage
to equipment by suddenly cutting off fuel. This may possibly lead to spoilage of the
process catalyst.
Depending upon the Process Safety Time needed for a SIF [safety instrumented
function] loop, a few valve applications may require a Process Safety Time of less than
2 seconds. In such cases, it is always recommended to use external devices to allow
additional quick release of air volume from the actuator to meet the time line.
Regardless of Digital Valve Controller manufacturer, positioners always operate during
normal conditions at full pressure load, which, per their characteristics, allows air to
bleed. If a positioner of high exhaust and fill capacity is used, it will bleed excessive air.
The Emerson Fisher DVC has been designed in such a manner that it has an air
consumption of only 2.1 scfh at 20 psi, compared to positioners with a higher Cv, whose
bleed rates are exceptionally high (> 20 times that of the DVC6000).
Once again, a Partial Stroke Test is a diagnostic, which can be considered Safety
Related but NOT Safety Critical; hence, during the test, valve opening time should not
pose any challenges.
Should you need more technical clarifications, I can provide details on a one-to-one
basis.
I forwarded the post and the Flow Control article link to Riyaz Ali, whom you may recall
from an earlier post. Riyaz wanted to add to the conversation and make three specific
points in reference to the Flow Control article.
On the question regarding the use of digital valve positioners to perform partial stroke
testing and its relationship to the proof test interval, Riyaz agrees that the proof test is
far more than a partial stroke test. The proof test can be performed on a final control
element either on-line, when a bypass valve exists, or offline, when the process is shut
down, such as during a plant turnaround. Many process manufacturers do not have large
bypass valves and seek to extend the interval between plant turnarounds as long as
possible. The on-line partial stroke testing provided by digital valve positioners can help
extend the time between proof tests; it does not replace them. Riyaz points to a Control
Engineering magazine article authored by Dr. Summers, "Partial Stroke Testing of Safety
Block Valves," in which she points out:
Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke
testing to supplement full-stroke testing to reduce a block valve's PFD.
Being a mechanical item, the SIS final control element presents testing challenges, but
at the same time it is a significant failure contributor to the SIF loop. Partial stroke
testing by digital valve positioners not only provides audit documentation but also
allows diagnosis of valve health, a key feature for improving the reliability of the SIF
loop.
Riyaz did take exception to a statement in the article about throttling valves:
Positioner failures are the leading cause of control failure, so the positioner should not
be used to actuate the valve in an SIS application when preventing events associated
with a loss of control. Instead, a solenoid-operated valve should be used to
independently close the control valve.
He notes that control valves are better geometrically designed, with a proper actuator
to valve plug connection to reduce hysteresis, dead motion, stiction, backlash, etc.,
compared to shutdown valves, which typically have a keyed shaft and are mainly used
for on/off function. The main concern for shutdown valves is a stuck condition. If the
initial inertia is broken during normal exercise of the valve, either through a partial
stroke test or by modulating through the DCS signal, it is very likely that the valve will
be available during a safety demand, when required to bring the process to a safe state.
His final point is on the question regarding smart positioners for partial stroke testing of
smart valves. Air-operated positioners have been used in the process control industries
for years to improve control loop performance. It is becoming rare to come across a
process loop without positioners, especially where the application benefits from
improved process variability. Based on their usage and benefits in process control,
process manufacturers have started using them for safety instrumented systems as
well. Riyaz agrees with Dr. Summers' comment that positioners have a smaller orifice,
but for anything larger than an 8-12 size valve a quick exhaust valve or similar
mechanical device would be used anyway if fast stroking speed is desired. Len
Laskowski adds that the driving factor is process safety time. Many times larger valves
do not need to close in one or two seconds, and in fact require a more controlled closure
to avoid negative effects on process and utility equipment. It all hinges on the process
safety time for each application.
Positioners are designed to bleed a very small amount of air to keep the air flowing and
to keep the pressure above atmospheric, so as to avoid any external corrosive
atmospheric gas getting inside the housing. Also, during a partial stroke test,
positioners exhaust and fill air, which keeps their mechanical parts moving and avoids
any build-up.
Digital valve positioners allow partial stroke testing while the process is running and
provide a date and time stamp for each test, with the capability to store and compare
test results. Also, being microprocessor based, these positioners allow remote testing
and remote retrieval of data. The main advantage is predictive maintenance through
valve degradation analysis, which is important for critical valves in safety related
systems. If by any chance the valve is stuck, digital valve positioners are capable of
alerting operators to fix the problem.
Improving Local Control around Safety Shutdown Valves
You have to admire the way a team of engineers, when presented with a challenge,
comes up with a better, less costly approach. Such is the case with a local control panel
for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall
Riyaz from earlier posts on the topic of safety.
The challenge is that safety shutdown valves with conventional local control panels
have typically required ten input/output (I/O) connections between the safety system's
logic solver, local control panel, solenoid and digital valve controller, as the picture
indicates. These panels get hard-wired signals from the safety instrumented system's
logic solver for light indication of valve Open, Close, and Ready to Reset. Also, if the
logic solver needs to open the valve after the Ready to Reset indication, a Valve Open
signal must be sent to the local controller on a separate pair of wires for the field
technician to open the valve. An additional I/O point is also required for shutting the
valve from the local controller in case of an emergency.
Now, many plants keep metrics on what it costs to install each I/O point, but a ballpark
figure of $2,000 USD per I/O point is typical.
The approach Riyaz describes is based on the Fisher LCP100 local control panel, which
requires 5 I/O. This means roughly $10,000 in savings per installed smart local control
panel. If your facility is a refinery, petrochemical, or chemical plant, this could add up,
based on the number of safety valves with local control panels. This panel communicates
digitally with Emerson's Fisher DVC6000 digital valve controller to eliminate the need
for separate wiring for Valve Open and Close indication, Ready to Reset indication, and
pushbuttons for manual Valve Open and Close. These digital communications also
provide diagnostics that reduce the ongoing maintenance costs typical of hard-wired
solutions.
Riyaz also points out the digital valve controller can provide on-line diagnostics and
partial-stroke testing to assist the process manufacturer in checking the safety
instrumented function which includes these shutdown valves.
As with most digital communications, the long term benefits in diagnostic coverage with
this integrated approach are usually greater than the initial benefits in installation cost
savings.
movement. What the technology team found through extensive research and
development is that the solenoid valve can be pulsed for a split second by smart SIS
logic solvers like the DeltaV SIS system.
The pulse's time window is long enough for the solenoid valve to vent, which provides
verification that it is functional, but short enough that the actuator does not bleed off
enough pressure to make the SIS valve move.
Diagnostics in the DVC6000 SIS can sense and capture the data for the momentary
pressure blip across the solenoid valve during the test. It also records pressures, travel
information, and other diagnostic information.
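The acceptance logic behind that pulse test is simple enough to write down. Here is an added example, not the DVC6000 SIS diagnostic or any Emerson code, that classifies a pulse test from actuator pressure and travel samples: the SOV must produce a pressure blip (proof the plunger moved), the pressure must recover (the SOV re-seated), and valve travel must not change (the pulse was short enough). The thresholds, the sample period and the synthetic traces are constructed assumptions for illustration.

```python
"""Classifying a solenoid pulse test from actuator pressure and travel samples.

Added example; this is not the DVC6000 SIS diagnostic or any Emerson code.
It implements the acceptance logic the post describes: a brief pulse to the
SOV must produce a pressure blip (proof the plunger moved), the blip must
recover (the SOV re-seated), and valve travel must not change (the pulse was
short enough). Thresholds and sample traces are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    t_ms: int
    actuator_psi: float
    travel_pct: float


@dataclass(frozen=True)
class PulseTestResult:
    verdict: str          # PASS, VALVE_MOVED, SOV_NO_RESPONSE, PRESSURE_NOT_RECOVERED
    baseline_psi: float
    dip_psi: float
    travel_dev_pct: float


def analyze_pulse_test(samples: List[Sample], pulse_start_ms: int,
                       min_blip_psi: float = 2.0, max_travel_dev_pct: float = 1.0,
                       recovery_band_psi: float = 1.0) -> PulseTestResult:
    before = [s for s in samples if s.t_ms < pulse_start_ms]
    if not before or samples[-1].t_ms <= pulse_start_ms:
        raise ValueError("need samples before and after the pulse")
    base_psi = sum(s.actuator_psi for s in before) / len(before)
    base_travel = sum(s.travel_pct for s in before) / len(before)

    dip = base_psi - min(s.actuator_psi for s in samples if s.t_ms >= pulse_start_ms)
    travel_dev = max(abs(s.travel_pct - base_travel) for s in samples)
    final_psi = samples[-1].actuator_psi

    # Most serious first: the test itself disturbed the valve (an unplanned partial stroke).
    if travel_dev > max_travel_dev_pct:
        verdict = "VALVE_MOVED"
    elif dip < min_blip_psi:
        verdict = "SOV_NO_RESPONSE"          # plunger did not vent: the dangerous failure
    elif abs(final_psi - base_psi) > recovery_band_psi:
        verdict = "PRESSURE_NOT_RECOVERED"   # SOV stayed open or leaks after the pulse
    else:
        verdict = "PASS"
    return PulseTestResult(verdict, round(base_psi, 2), round(dip, 2), round(travel_dev, 2))


def build_trace(dip_psi: float, travel_drop_pct: float, recovers: bool = True,
                baseline_psi: float = 60.0, baseline_travel: float = 100.0) -> List[Sample]:
    """Constructed 50 ms samples over 1.5 s with the pulse applied at 500 ms.
    Synthetic data for the example, not a recording from any device."""
    samples = []
    for i in range(31):
        t = i * 50
        in_blip = 500 <= t <= 750
        vented = in_blip or (not recovers and t > 750)
        psi = baseline_psi - dip_psi if vented else baseline_psi
        travel = baseline_travel - travel_drop_pct if in_blip else baseline_travel
        samples.append(Sample(t, psi, travel))
    return samples


PULSE_START_MS = 500

if __name__ == "__main__":
    cases = {
        "healthy SOV": build_trace(6.0, 0.0),
        "stuck plunger": build_trace(0.0, 0.0),
        "pulse too long": build_trace(20.0, 4.0),
        "SOV did not re-seat": build_trace(6.0, 0.0, recovers=False),
    }
    for name, trace in cases.items():
        print(f"{name:>20}: {analyze_pulse_test(trace, PULSE_START_MS)}")
```

The ordering of the checks is deliberate: a travel deviation outranks everything else because it means the test itself partially stroked the valve, and a missing blip is reported before a recovery problem because a plunger that never moved is the failure the test exists to find.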
Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data
during a trip event, much like an airliner's black box flight recorder. This data
collection can be triggered by a change in actuator pressure, valve travel, input
current, pressure differential, travel deviation, travel cutoff, or an externally defined
trigger event. This data can be helpful when reviewing the causes of a safety trip, as
well as being available for regulatory reporting.
One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection, which
provides maximum output pressure to the solenoid at minimum input signal in case the
4-20 mA signal between the smart logic solver and digital valve controller is lost or
severed.
Together, these technologies give process manufacturers an end-to-end way of
checking their safety instrumented functions, including the solenoid valves, to assist
the design, implementation, and ongoing testing phases of the IEC 61511 safety
lifecycle.