During the process of SIL verification calculations, analysts are often required to assess the effectiveness of performing partial stroke testing. Partial stroke testing is a type of diagnostic. Diagnostics have a beneficial effect on the failure probability of a component because if a failure occurs, it can be rapidly detected and repaired, leaving the component in an unavailable state for a much shorter period of time.
The verification of the achievement of specified Safety Integrity Level (SIL) targets requires calculation of the achieved Average Probability of Failure on Demand (PFDavg) of each Safety Instrumented Function (SIF), in accordance with IEC 61511 (Clause 11.9.2):
11.9.2 The calculated probability of failure of each safety instrumented function due to hardware failures shall take into account
b) the estimated rate of failure of each subsystem, due to random hardware faults, in any modes which would cause a dangerous failure of the SIS but which are detected by diagnostics tests;
c) the estimated rate of failure of each subsystem, due to random hardware faults, in any modes which would cause a dangerous failure of the SIS which are undetected by diagnostics tests;
Clearly, the above requires the consideration of diagnostic testing in the calculation of PFDavg.
In many cases, end users of SIS elect to employ partial stroke testing (PST) as a means for diagnosing faults in valve systems (potentially including actuators, positioners, and solenoid valves). There are myriad ways of accomplishing PST, but ultimately, the valve is caused to move a small portion of its total travel, and then measurements are made to determine whether or not the movement has occurred.
In the performance of PFDavg calculations, the beneficial effect of partial stroke testing is considered mathematically by dividing the dangerous undetected failure rate into a component that is detectable and a component that is not detectable. The dangerous detected portion is calculated by multiplying the dangerous failure rate by the diagnostic coverage of the partial stroke test. Similarly, the dangerous undetected portion is calculated by multiplying the dangerous failure rate by one minus the diagnostic coverage.
While the dangerous failure rate of valves can be determined from a standard source of failure rate data, such as the Kenexis Failure Rate Database, the diagnostic coverage of the partial stroke test is not so easy to ascertain. Since valve performance is strongly impacted by the environment in which the valve is placed, one cannot assume that the diagnostic coverage is solely an attribute of the valve which can be simply listed in a data book or published by the vendor. Due to the difficulty in obtaining partial stroke test diagnostic coverages, rules of thumb are typically applied that are based on analysis and experience.
When performing PFDavg calculations on an actual project, the following table can be considered as typical values to be used for the selection of an appropriate PST diagnostic coverage. These numbers can be used as the first pass, unless a more detailed analysis is desired by the asset owner or the results from using the numbers in the table below are not satisfactory.
PST Diagnostic Coverage
|Severe Service – e.g., depositing, coating, corrosive, flashing, high differential pressure
|Very Clean Service – e.g. ambient temperature utility purchased natural gas
In some cases, a more detailed analysis of the PST coverage is required. In these cases, the analyst will be required to perform a failure modes, effects, and diagnostics analysis (FMEDA). Obviously, this can only be done in situations where substantial and detailed failure data which is broken down by individual failure modes is available. In these cases, the analyst can use the Kenexis Failure Modes and Effects Analysis Worksheet Template (download from http://126.96.36.199/~kenexisc/resources/). Using the template, all of the failure modes from the data source are entered. Each failure mode will be assessed to determine if it is safe, dangerous, or no effect. For the dangerous detected failure modes, the project engineer will assess whether or not the means of partial stroke testing under consideration will detect the failure mode. If so, it is marked with a “1” in the detectability column. The PST diagnostic coverage is then automatically calculated as the rate of detected dangerous failures divided by the total dangerous failure rate.
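The worksheet calculation described above, together with the detected/undetected split of the dangerous failure rate, is shown below as an added example; it is not the Kenexis template or code from the original page. The failure modes, rates and test intervals are constructed for illustration, and `pfd_avg` goes beyond the text by assuming the common simplified single-valve approximation, in which each portion of the dangerous rate is multiplied by half of its test interval.

```python
# Constructed FMEDA rows: (failure mode, effect, rate per hour, PST detects it? 1/0).
# Modes and rates are illustrative placeholders, not values from any database.
FMEDA_ROWS = [
    ("Actuator spring fracture",        "dangerous", 2.0e-7, 1),
    ("Stem seized in open position",    "dangerous", 4.0e-7, 1),
    ("Solenoid valve fails to vent",    "dangerous", 3.0e-7, 1),
    ("Seat leakage in closed position", "dangerous", 3.0e-7, 0),
    ("Fails to complete full travel",   "dangerous", 3.0e-7, 0),
    ("Spurious closure",                "safe",      5.0e-7, 0),
    ("Position indicator drift",        "no effect", 1.0e-7, 0),
]
EFFECTS = {"safe", "dangerous", "no effect"}

def pst_coverage(rows):
    """Return (DC, lambda_D): DC = detected dangerous rate / total dangerous rate."""
    lam_d = lam_detected = 0.0
    for mode, effect, rate, detected in rows:
        if effect not in EFFECTS or detected not in (0, 1) or rate < 0:
            raise ValueError(f"bad worksheet row: {mode!r}")
        if effect == "dangerous":  # safe and no-effect rows never count
            lam_d += rate
            lam_detected += rate * detected
    if lam_d == 0:
        raise ValueError("no dangerous failure modes: coverage is undefined")
    return lam_detected / lam_d, lam_d

def split_rates(lam_d, dc):
    """Split the dangerous rate as the text describes: (detected, undetected)."""
    return lam_d * dc, lam_d * (1.0 - dc)

def pfd_avg(lam_d, dc, pst_interval_h, proof_interval_h):
    """Assumed simplified 1oo1 approximation, not a formula from the page."""
    lam_dd, lam_du = split_rates(lam_d, dc)
    return lam_dd * pst_interval_h / 2 + lam_du * proof_interval_h / 2

if __name__ == "__main__":
    dc, lam_d = pst_coverage(FMEDA_ROWS)
    print(f"PST DC = {dc:.2f}, lambda_D = {lam_d:.2e}/h")
    # Assumed intervals: PST every 730 h (monthly), full proof test every 8760 h.
    print(f"PFDavg with PST:    {pfd_avg(lam_d, dc, 730, 8760):.2e}")
    print(f"PFDavg without PST: {pfd_avg(lam_d, 0.0, 8760, 8760):.2e}")
```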