Partial Stroke Tests: A way to increase the reliability of ESD valves – Part 2

Read part I here

3.0 Test Coverage Factor (TCF)

If the Safety Instrumented Systems (SIS) do not have redundancies (voting 1oo1), the PFD_AVG is given by the following relationship, where proof tests are assumed as perfect tests:

The SIS operates in low demand mode, which is the typical situation in process installations. The more the time T1 between two proof tests increases, the more the average value of the PFD increases. This aspect is shown by figure 3.

Fig. 3 – Effect induced on PFD_AVG by T1 (perfect proof tests)

In sites where SIS are used, the safety functions (SIF) have to be tested time after time in order to verify their availability. Proof tests are periodically carried out to detect the dangerous failure that internal diagnostics are not able to reveal. A 100% effective proof test is defined as “perfect proof test”. After such a test, the PFD is equal to zero once again.

In case of “perfect proof tests”, the PFD function has a characteristic “saw-tooth pattern” which ensures a constant average value of PFD over time. Perfect proof tests are somewhat unrealistic. Anyway, they are useful to understand more easily the effect induced on the PFD_AVE by “imperfect proof tests”: PFD_AVE is not more a constant but it tends to increase over time. For this reason, PFD_AVE inevitably trespasses the threshold that competes with lower values of the SIL levels (figure 4).

Fig. 4 – Effect induced on PFD_AVG by imperfect proof tests (T1 = 1 year)

Under imperfect test conditions, it is possible to distinguish between:

• detected failures during the proof test (DU,R);
• not detected failures at the end of the proof test (DU,NR).

Failures of the latter type are particularly dangerous. They can only be detected if SIS:

• are requested to intervene by the process;
• do not follow the request of the process by activating their safety functions in time.

To take the failures of the latter type into account, the failure rate λ _DU is further divided in two different rates.

Fig. 5 – “Detected failures and Undetected failures” by testing

The ratio between the dangerous failures rate detected by proof tests and the overall rate of dangerous failures is called “Test Coverage Factor (TCF)”:

TCF is an index of the quantity of “dangerous failures not detected by internal diagnostics” that are discovered during proof tests. Theoretically, TCF can be expressed as a percentage between 0% and 100%. Typical TCF values vary from 40% to 90%, although it is not easy to carry out proof tests with high effectiveness (90%).

4.0 Effects of proof tests on final elements reliability

Once devices for automated testing were installed on the 9995 final elements (figure 2), partial stroke tests were easily performed in the sites under observation.

Partial stroke tests involved rotating the valve stem a minimum of 15 degree, which allowed to test a portion of the valve failure modes. The remainder of the failure modes needed to be tested using full stroke tests. The main purpose of the partial stroke tests was to reduce the frequency of the full stroke tests that always require expensive site turnarounds.

Partial stroke tests were:

1. based upon a maintenance schedule;
2. programmed in the SIS logic solver or started by the operators.

The test results are shown below, in a tabular form.

Tab. 4 – Number of failures after PST

Number of final elements	9995
Number of failures after PST	62
Time	1 year (8760 hr)
Percentage of reported failures	60%
Estimated number of failures	103
λ DU,R	1193 FIT

Partial stroke tests showed that the main failure mode corresponded to Fail To Close (FTC) due to:

1. valve stem stuck;
2. “air line to actuator” plugged.

A complete functional test of the final elements required two more tests in succession:

1. Full Stroke Test (FST1);
2. Full Stroke Test in operating conditions (FST2).

Position switches were used to determine and document the successful completion of both tests. A HART station collected the test information and generated the test documentation. Of course, the use of the HART station further increased the cost of the final elements. As before, the test results are shown below, in a tabular form.

Tab. 5 – Number of failures after FST1

Number of final elements	9995
Number of failures after FST1	10
Time	1 year (8760 hr)
Percentage of reported failures	60%
Estimated number of failures	17
λ DU,R	191 FIT

Full stroke tests FST1 showed that the main failure mode corresponded to Delayed Operation (DOP) due to “air line to actuator” bent or crimped.

Tab. 6 – Number of failures after FST2

Number of final elements	9995
Number of failures after FST2	21
Time	1 year (8760 hr)
Percentage of reported failures	60%
Estimated number of failures	35
λDU,R	401 FIT

Full stroke tests FST2 showed that the main failure mode corresponded to Leakage in Closed Position (LCP) due to valve seat scarred because of chemical aggressions. In the following (tables 7 and 8), a synoptic of the three proof tests results is presented, together with the values of their Coverage Factors (λ_DU = 1981 FIT).

Tab. 7 – Values of λ_DU,R obtained after partial stroke and full stroke tests

type of test	λDU,R
PST (Partial Stroke Test)	1193 FIT
FST1 (Full Stroke Test)	191 FIT
FST2 (Full Stroke Test in operating conditions)	401 FIT

Tab. 8 – Values of λ_DU,NR and TCF obtained after tests in succession

tests in succession	λDU,NR	TCF
PST	788 FIT	60%
PST+FST1	597 FIT	70%
PST+FST1+FST2	196 FIT	90%

The decrease of λ_DU,NR is shown in tables 9, 10 and 11.

5.0 Conclusions

Two concluding remarks are given below.

1. A first concern is that partial stroke testing does not eliminate the need for full stroke testing.
2. Another major concern is that the process is unprotected while shutdown valves are being tested. In fact, valves are unavailable even during partial stroke tests. The fraction of time, while shutdown valves are tested, must be considered in the PFD calculation and contributes to the PFD increase.

Table 9 – Decrease in value of λ DU,NR due to proof testing PST

	only manual proof  tests	PST
λ S	4952 FIT	4952 FIT
λ DD	2971 FIT	4164 FIT
λ DU,NR	1981 FIT	788 FIT
λ	9904 FIT	9904 FIT

Table 10 – Decrease in value of λ DU,NR due to proof testing (PST + FST1)

		PST+FST1
λ S	4952 FIT	4952 FIT
λ DD	2971 FIT	4354 FIT
λ DU,NR	1981 FIT	597 FIT
λ	9904 FIT	9904 FIT

Table 11 – Decrease in value of λ DU,NR due to proof testing (PST + FST1 + FST2)

	only manual proof  tests	PST+FST1+FST2
λ S	4952 FIT	4952 FIT
λ DD	2971 FIT	4756 FIT
λ DU,NR	1981 FIT	196 FIT
λ	9904 FIT	9904 FIT

Table 12 – SFF values for both “valves subjected  to manual proof tests carried out at regular time T1”and “valves subjected to partial stroke tests also”

	only manual proof  tests	PST
λ S	4952 FIT	4952 FIT
λ DD	2971 FIT	4164 FIT
λ DU,NR	1981 FIT	788 FIT
λ	9904 FIT	9904 FIT
SFF	0,80	0,92

Table 12 shows the SFF values obtained for both “valves subjected to manual proof tests carried out at regular time T1” and “valves subjected to partial stroke tests also”.

The logic is as follows: performing partial stroke tests, in addition to those which are carried out at regular time T1, reduces the number of undetected failures and, at the same time, increases the number of detected failures. This logic results in a reduction in the DU, NR failure rate and a corresponding increase in the DD failure rate.

It is evident that the total failure rate must constantly remain equal to 9904 FIT. This is the basic hypothesis that was adopted from the beginning (see equation 2).

Fig. 6 – Relationship between HFT (Hardware Fault Tolerance) and SFF (Safe Failure Fraction)

HFT (Hardware Fault Tolerance) equal to “n” means that if “n+1” faults occur, the ESD valve is no longer in service. Therefore, HFT = 0 means that a single fault is bad enough to put the valve out of service.

Table 12 clearly shows the impact that partial stroke tests have on the SFF values, where SFF has the following meaning:

Let's now assume that SIL3 is required. Whether only manual proof tests are carried out on ESD valves at regular time T1, SFF is equal to 80% and SIL3 can be achieved if at least a simple redundancy is foreseen (HFT=1). This means that a back-up component must be provided for each valve (see Fig. 6).

If instead valves are subjected to partial stroke tests in addition to those which are carried out at regular time T1, SFF is equal to 92% and it is possible to obtain SIL3 without any redundancy (HFT=0).

No doubt, this is just enough to prove the increase in reliability that partial stroke tests bring to ESD valves.

---

References

[1] Kececioglu Dimitri, Ph.D. (2002). Reliability Engineering Handbook, Vol.I, DEStech Publications Inc., Lancaster USA
2] CEI EN 61508-6 (2011, February)
[3] TopWorx™ D-ESD: Partial Stroke & Emergency Shutdown, Emerson™
[4] Summers, Ph.D. (2006). Partial stroke testing of block valves,  Instrument Engineers Handbook, Volume 4, Chapter 6.9, SIS TECH Solutions
[5] De Lisio, Nigri (2017, March) Sistemi di sicurezza – Un’analisi basata sull’affidabilità; Ambiente e Sicurezza sul Lavoro, EPC Periodici
[6] Nigri (2019, May). La sicurezza funzionale applicata agli impianti di processo –Principi di base, Ambiente e Sicurezza sul Lavoro, EPC Periodici
[7] Nigri (2019, October). Sistemi strumentali di sicurezza – Riferimenti e metodi per verificare il livello di affidabilità, Ambiente e Sicurezza sul Lavoro, EPC Periodici
[8] Nigri (2019, December). Sistemi strumentali di sicurezza – La stima della probabilità di guasto, Ambiente e Sicurezza sul Lavoro, EPC Periodici
[9] Nigri, Delle Site, Vallerotonda (2019, November). Application of the SIL analysis to the safety systems of a process plant, Process Industry Informer
[10] Lundteigen, Rausand (2007, November). The effect of partial stroke testing on the reliability of safety valves, ESREL conference in Stavanger