Process Safety Lessons Learned


  • 8/9/2019 Process Safety Lessons Learned

    1/39


Phillips, Chevron, and BP have since formed a non-profit organization, the Marine Well Containment Company, which will provide a rapid response system to capture and contain oil in the event of another blowout in the Gulf of Mexico.

"Process safety deals with the fires, explosions, and toxic releases and things like that. You can have a very good accident rate for what we call 'hard hat accidents' and not for process ones." – Dr. Trevor


Original post: Two questions were posed recently over at the ISA Safety Archives in a thread, Valve in SIL verification (login required):

Q-1 Do we need to include valve in SIL verification or can we limit up to the Solenoid operated valve considering valve as a mechanical device.

Q-2 To achieve SIL-2 we normally use 1oo2 configuration for final element. Here do we need to use 1oo2 configuration of Solenoid valve or it shall be 1oo2 configuration of the valve.

The feedback from the other listserv members, many of whom are prominent voices in the process safety community, was that the valve must be included in the SIL verification and that the 1oo2 configuration extends to the valve.

I checked with Emerson's Riyaz Ali, whom you may recall from numerous process safety-related posts, on this discussion thread. Riyaz shared an ISA

For the second case, Riyaz cites IEC 61511 part 1 clause 11.2.10, which states that a device used to perform part of a safety instrumented function shall not be used for basic process control purposes, where a failure of that device results in a failure of the basic process control function which causes a demand on the safety instrumented function, unless an analysis has been carried out to confirm that overall risk is acceptable. He notes how this may be interpreted:

YES: If all possible failures of the control valve do not place a demand on any SIF, then the control valve may be used with no further analysis. In this case, the Control Valve is the "Final Element" of the Safety Instrumented Function (SIF) Loop and needs to have a SIL rating equal to or above 1.

NO: If failure of the control valve will place a demand on a SIF, then it may not be used as the only final element in that SIF.

If failure of the control valve will not place a demand on the SIF for which it is intended but may place a demand on any other associated SIF, then the control valve may be used in a SIF only after detailed analysis. An additional step to further analysis will be necessary in these cases to ensure that the dangerous failure rate of the shared equipment is sufficiently low.

The control valve in this case would again be the final element of a SIF requiring a SIL rating greater than 1.

In the third example of providing additional hardware fault tolerance for higher SIL applications, mean time to fail (MTTF) of the control valve can be used in the probability of failure on demand (PFDavg). He shares the failure fraction components and equations for arriving at the PFDavg of the SIF. For this 3rd case, Riyaz shares [links added]:

…mechanical equipment like valve bodies and actuators do not have any diagnostics capabilities. According to IEC 61508 part 2, table 2, with a hardware fault tolerance (HFT) of zero, they can only be used in SIL 1 applications. A digital valve controller mounted on a "Final Control Element" improves the diagnostic coverage factor, which in turn improves the SFF number, allowing the possible use of higher SIL rated applications (per IEC 61508 part 2, table 3) by use of the Partial Stroke Test.

Riyaz sums up his thoughts: if the control valve is used as part of a SIF, then the total PFDavg of the loop must meet the intended SIL level. If the control valve is used for normal process control managed by the basic process control system (BPCS), then per IEC 61511-3 part 1, section 3.2.3, the control valves do not have SIL suitability.

I also wanted to refer you to an earlier post, Field Device Sharing Between Control and Safety Systems, where we explored the case of sharing instruments between the BPCS and safety instrumented system (SIS).

Executing IEC 61511 Process Safety Projects

ControlGlobal.com has an excellent article on the global process safety standard, IEC 61511. The article, IEC 61511 Implementation – The Execution Challenge, shares the experiences of two Mustang Engineering process automation project veterans.


I turned to one of Emerson's certified functional safety experts (CFSE) and long-time process safety veteran, Len Laskowski, for his thoughts on the article. You may recall Len from numerous process safety-related posts.

In our phone conversation, Len's first comment after reading the article was, "This sounds like the voices of experience. One does not just declare, 'On the next project we will implement IEC 61511 and have life be happy ever after.' As the article suggests, a company needs to adopt the IEC 61511 Safety Life Cycle. This takes time and resources that many process manufacturers underestimate." Len noted that following the Safety Life Cycle and doing the needed work will give process manufacturers the foundation to properly execute a project and, more importantly, a safe facility.

He agreed with the authors on the large challenges confronting process manufacturers when planning, designing, executing, and maintaining their operations using the IEC 61511 process safety lifecycle. The article's authors frame these challenges:

The Safety Instrumented System (SIS) standard, IEC 61511, is driving the need for new engineering tools and Project Execution Plans (PEPs). The standard is a lifecycle approach to defining, implementing and managing a safety instrumented system (SIS). Industry discussions tend to focus on the technical aspects of the standard, but project execution is proving to have an equal or perhaps greater impact on the quality and success of an IEC 61511 project. This article describes a few of the challenges from the EPC [engineering, procurement, and construction] and MAC [main automation contractor] perspective, and suggests approaches to enhance IEC 61511 execution and technical outcomes.

I asked Len what most caused these projects to go awry, and without hesitation he said it was failing to give the upfront planning the time it requires, especially if this is the first time the process manufacturer has executed a project using the IEC 61511 approach or if the process is new. Even with completed Hazard and Operability (HAZOP) studies and validated layers of protection analysis (LOPA), it takes a lot of time and there is usually quite a bit of recycle. One example Len cited was a pressure relief valve. When walking through the hazard scenarios, discoveries may come up, such as insufficient sizing for reverse flow conditions. Changes may have to be made which ripple to other safety instrumented functions (SIFs).

Another example Len offered is alarm level settings for standalone alarms that are used as an independent layer of protection. Questions must be asked and answered as to whether operators really have the required minimum amount of time to do something as a result of the alarm condition. It also must be clear exactly what the operator must do to alleviate the alarm condition. And ultimately, can all this be done within the process safety time for the given condition? Resolving these questions takes cross-departmental participation and it all adds up to increased time required on the project's front end.

Len's guidance to project engineers is to resist the temptation to shortcut this front end planning. Shortcuts will cost more on the back end of the project in terms of rework, will increase project timelines, and will increase the difficulty in testing the safety instrumented functions over time.


More Thoughts on Executing IEC 61511 Process Safety Projects

Last Friday I highlighted thoughts from Emerson process safety expert Len Laskowski in the post, Executing IEC 61511 Process Safety Projects. He shared more than I could fit in a single post, so today's post will share the balance.

One of the points made by the authors of the article, IEC 61511 Implementation – The Execution Challenge, was:

The information required to fully define and document a SIF may entail 40 or more unique data items. The source and detail required to document each item must be defined clearly. The effort to gather, track and review this data can be significant. For a large project, the work includes migrating and recording large amounts of data that may be provided in different formats, at different times and by different disciplines and organizations, so some companies develop in-house SRS database tools to improve productivity, reduce errors and track SIF development and approval status.

Len agreed with the challenge of managing this amount of data items required for many safety instrumented functions (SIFs). The cause-and-effect matrices may provide 25 to 30 data items. Other decisions about test frequencies and coverage factors lead to additional data items. Given this large volume of data per SIF, having a database to manage the development and approval status is critical. The authors ask:

A common scope question is what are the project requirements for documenting protective instrumented functions (PIF) that are not required by the LOPA [layer of protection analysis]/PHA [process hazard analysis]. Are PIFs documented in the SRS? Do the SIF analysis and verification steps apply to PIFs? Will the SRS differentiate between SIFs and PIFs?

Len cautioned against using tools such as Intergraph's SmartPlant Instrumentation (INtools) that manage your basic process control system (BPCS) I/O as the place to manage your process safety management (PSM) database. A typical plant may have 3000 I/O under control by the BPCS and 300 I/O under control of the safety instrumented system (SIS). Local, state, and federal regulations require a well-documented management of change process for any process safety-related changes.

Mixing your BPCS I/O into this change process is asking for trouble. Process manufacturers need the flexibility to make changes to the BPCS to operate and optimize their processes in an efficient manner. Programs such as INtools may be okay for developing initial I/O lists, making instrument specs, and other parts of the design process, but not for long-term documentation and management of change.

Instead, Len recommended a simple spreadsheet for the SIS I/O, which is much easier to control and requires no special training. It contains the SIS database settings and cause and effect matrix settings including engineering units, pre-trip, and trip levels. Often the control of this PSM database is by a different group within the plant than the group that manages the BPCS.

Len's closing thought for process manufacturers new to the IEC 61511 process is to focus on the critical shutdown streams in their process. In most processes, there are a few really important streams to close down to take the process to a safe state. The rest are secondary effects to the key streams. Once the key streams are designed and approved, the rest can be done. This often helps to simplify the safety requirements specification (SRS) and make the ongoing support through the safety lifecycle more manageable.

Having strong, experienced technical leaders on the front end helps minimize problems as the process safety project progresses. Although this front-end work may seem time consuming and expensive, Len shared the old safety saying, "If you think safety is expensive, try an accident."

Wired Versus Wireless Risk Analysis for Process Instrumentation Measurements

How do wireless communications compare against wired communications for process instrumentation? That was the subject of an Emerson Exchange presentation by


Ed provides some cases where a wireless solution was the preferable one. These involve the time needed to get installed, the speed of the process (process safety time), quicker recovery from an accident, and providing redundant routes (one wired, one wireless).

Safety Instrumented System Solenoid-Operated Valve Approaches

Last week at the Emerson Exchange conference, I caught up with Emerson's Riyaz Ali. You may recall Riyaz from many safety instrumented system-related posts. We discussed some of the trends in integrated positioners, solenoid valves, limit switches and valve position transmitters. Riyaz felt that this approach is not in line with the safety instrumented system (SIS) general philosophy for several reasons.

For these devices with an integral solenoid-operated valve (SOV), the pneumatic path is only a single path and the requirement for a redundant path will not be met.

This will affect the PFDavg calculations as per ISA TR84.00.02-2002 part 2 using the simplified equation for a one-out-of-one (1oo1) arrangement:

PFDavg = λdu × T / 2 (Note: λdu is the dangerous undetected failure rate of the equipment under control (EUC) and T is the test interval.)

For solutions with external SOVs in series with smart positioners, this 1oo2 approach has a PFDavg:

PFDavg = λdu² × T² / 3

A 1oo2 arrangement provides an improved PFDavg over a 1oo1 single box arrangement.
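To make the two simplified equations above concrete, here is an added Python example (not from the original post or from Emerson) that evaluates the 1oo1 and 1oo2 PFDavg for constructed inputs and maps each result to the IEC 61508 low-demand SIL bands. It goes one step beyond the text: the 1oo2 function also carries the common-cause beta term of the ISA TR84.00.02 simplified equations, which the post raises qualitatively but does not write out; the failure rate, test interval and beta values are assumed for illustration.

```python
"""Simplified PFDavg for 1oo1 and 1oo2 final elements.

Units: lambda_du in dangerous undetected failures per year, test interval
ti in years. Every numeric input in this file is constructed for illustration.
"""

# IEC 61508 low-demand bands: (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_avg_1oo1(lambda_du: float, ti: float) -> float:
    """Single device on a single pneumatic path: PFDavg = lambda_du * T / 2."""
    return lambda_du * ti / 2.0


def pfd_avg_1oo2(lambda_du: float, ti: float, beta: float = 0.0) -> float:
    """Two devices pneumatically in series (either one can take the valve to safe state).

    With beta = 0 this is the post's lambda_du^2 * T^2 / 3. The beta term is
    the ISA TR84.00.02 simplified common-cause contribution: the fraction of
    dangerous failures that defeat both paths at once (e.g. one integrated
    package), which behaves like a 1oo1 element: beta * lambda_du * T / 2.
    """
    independent = ((1.0 - beta) * lambda_du * ti) ** 2 / 3.0
    common_cause = beta * lambda_du * ti / 2.0
    return independent + common_cause


def sil_from_pfd(pfd: float) -> int:
    """Map a PFDavg to its IEC 61508 SIL band; 0 means no SIL credit."""
    if pfd < SIL_BANDS[0][1]:
        return 4  # better than the SIL 4 band; capped at SIL 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def max_test_interval_1oo1(lambda_du: float, target_sil: int) -> float:
    """Test interval (years) at which a 1oo1 element reaches the top of its band.

    Rearranges lambda_du * T / 2 = upper bound; the interval must stay below
    this value, at or beyond it the element drops to the next band down.
    """
    upper = {sil: high for sil, _low, high in SIL_BANDS}[target_sil]
    return 2.0 * upper / lambda_du


def compare_architectures(lambda_du: float, ti: float, beta: float) -> dict:
    """Evaluate 1oo1, ideal 1oo2 and 1oo2 with common cause for one element."""
    single = pfd_avg_1oo1(lambda_du, ti)
    ideal = pfd_avg_1oo2(lambda_du, ti, 0.0)
    redundant = pfd_avg_1oo2(lambda_du, ti, beta)
    return {
        "1oo1_pfd": single, "1oo1_sil": sil_from_pfd(single),
        "1oo2_pfd_no_ccf": ideal, "1oo2_sil_no_ccf": sil_from_pfd(ideal),
        "1oo2_pfd": redundant, "1oo2_sil": sil_from_pfd(redundant),
    }


if __name__ == "__main__":
    # Constructed inputs: lambda_du of 0.01/yr (MTTFd about 100 yr), an annual
    # proof test, and a 10 % beta for an SOV and positioner sharing one package.
    for key, value in compare_architectures(0.01, 1.0, 0.10).items():
        print(f"{key}: {value}")
    print("1oo1 SIL 2 limit on test interval (yr):",
          max_test_interval_1oo1(0.01, 2))
```

With these inputs the single path sits in SIL 2, the ideal 1oo2 reaches SIL 4, and a 10 % beta pulls the pair back to SIL 3, which is the numeric form of the post's point that common cause erodes the value of redundancy.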

Riyaz notes that going to an external SOV will improve safety reliability, which means either the SOV or the smart positioner is capable of taking a valve to safe state. With integral SOVs with smart positioners, only one pneumatic path is available, which means there is no redundancy. Project teams may have to re-visit the HAZOP analysis to evaluate new safety integrity level (SIL) conditions.

Referring to the global safety standard, IEC 61508, Riyaz makes the following points:

Smart SOV (integral microprocessor based smart positioner and integral SOV) will be classified as a Type B device as per IEC 61508 part 2 table 3. With a smart positioner plus external SOV pneumatically in series, the SOV is still regarded as a Type A simple device, improving reliability.

The Type A and Type B definitions are listed from IEC 61508 part 2.

IEC 61508 part 2 – clause 7.4.3.1.2 defines Type A. A subsystem (see 7.4.2.11, note 1) can be regarded as type A if, for the components required to achieve the safety function:

- the failure modes of all constituent components are well defined; and

- the behaviour of the subsystem under fault conditions can be completely determined; and

- there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met (see 7.4.7.3 and 7.4.7.4).

IEC 61508 part 2 – clause 7.4.3.1.3 defines Type B: a subsystem (see 7.4.2.11, note 1) shall be regarded as type B if, for the components required to achieve the safety function:

- the failure mode of at least one constituent component is not well defined; or

- the behaviour of the subsystem under fault conditions cannot be completely determined; or

- there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures (see 7.4.7.3 and 7.4.7.4).

This means that if at least one of the components of a subsystem itself satisfies the conditions for a type B subsystem, then that subsystem must be regarded as type B rather than type A. See also 7.4.2.11, note 1.

A high Common Cause factor will result if everything is integrated in one package vs an external SOV. Smart positioners for SIS and an external SOV pneumatically in series provide redundancy in case of a safety demand, providing higher reliability. This is in line with IEC 61511 part 3, clause 3.4 a) page 20 of 70, which states, "…of probabilities and considering common cause failures. It may be necessary to use redundant architectures to achieve the required hardware safety integrity."

SOV health monitoring with physical results (pressure blip – can be seen on ValveLink) vs the built-in test of an SOV with integral positioner, which has no definitive results. A smart positioner digital valve controller (DVC) can test an SOV which is externally mounted pneumatically in series. To improve MTTFs (Mean Time To Fail Spuriously), smart positioners can use a reverse type relay, which will NOT contribute to MTTFs. In case of any electrical signal failure, or an input current signal failure to the smart positioner, this will NOT cause a spurious trip.


Hence two devices pneumatically in series will have the MTTFs of a single device (SOV Type A device only). A smart positioner and SOV mounted externally pneumatically in series will be ideal from a safety reliability and plant availability standpoint.

Smart positioners with integral SOVs will have high air consumption (67.8 scfh) for a large orifice, compared to a smart positioner with external SOV, which will have a low bleed relay (2.1 scfh). This is because external SOVs will NOT consume any air during normal operation.

The Fisher DVC6200 SIS provides an SIS Trigger capability, like the black box of an aircraft, to provide rich data on a TRIP event for analysis by a safety engineer to help avoid future trip conditions.

Volume Tank Considerations in Process Safety Applications

I saw a great process safety article in InTech magazine titled, When failsafe isn't enough. It gives a "how-to" approach to volume tank sizing for the reserve air pressure required for an orderly safety shutdown.


The author describes some cases where this reserve air volume might be needed, such as when the failure position of safety valves is not the failsafe condition or when operating conditions require an orderly, sequenced shutdown.

The equations to size the volume tank are given, as well as who would typically supply the equation parameters. For instance, the valve supplier typically supplies the safety valve torque requirements and required leakage rates. The actuator supplier provides the torque-to-supply pressure tables. The good news for those of us a little rusty in our advanced math skills is that the equations are algebraic and the simplifying assumptions err to the side of conservative volume sizing.

I sent a link to this great article to Emerson's Len Laskowski, whom you may recall from earlier process safety posts. Len is a principal technical consultant, registered professional engineer, and certified functional safety expert (CFSE) and TÜV FSE.

Len added that many engineers will tend to the conservative side and size the volume tank for several strokes of a valve, even if it needs to operate only once in a single stroke. This is mainly because extra capacity is relatively inexpensive, especially to mitigate the risk of a larger hazard.

He shared a reactor emergency depressurization example as a typical application where you might find volume tanks. Len wrote:

Typically, if this is a safety instrumented function (SIF) you want de-energized to trip failsafe. The emergency depressurization valves are Fail Open on loss of air. A spurious trip of this system would be bad news as the author suggests. It could create secondary hazards, as is suggested in IEC 61511, that need to be identified.

For example, if the air failure was extensive, a large number of vessels all depressurizing at once could overload a flare system. Too quick a depressurization of some chemicals could cause auto refrigeration that could lead to a cooling of the vent piping below design spec and the hazard of pipe embrittlement.

In some reactors, it would possibly blow catalyst out the vent system and possibly put stress on reactor beds, or trays that could damage the internals of the vessel, due to the large pressure differential caused by the emergency depressurization. These secondary issues also need to be managed and are reasons why volume tanks are needed.

Len has worked with process manufacturers to address some of these issues:


In some cases, a nitrogen or air bottle backup system would be used that has much more capacity than a volume tank. I have also seen cases where nitrogen is automatically switched in to back up a valve. This can be done by having a 3-way valve hooked up so that the common goes to the final element, one side goes to Instrument air and the other nitrogen.

You need some check valves to guard against reverse flow and have the valve actuator off the Instrument air so that it cuts off the nitrogen when instrument air is present. This is also a good setup when you have air motors that need a lot of air (gas) to move big valves. With nitrogen's toxicity in sufficient concentrations, these applications are generally outdoors, well ventilated, and require close review.

Len complimented the author on his article and added a few more considerations for process safety professionals. He wrote:

Other considerations that may be overlooked are common mode failures and testing. Typically, one would put two check valves in the system because failure of one would allow the tank to bleed out to the plant header. Also, care must be taken that the air is clean and no dirt is allowed to get to the check valves, so a filter/separator is really required to ensure that the check valves have a good opportunity to operate. Facilities to isolate the volume tank from the air supply and bleed the air upstream of the check valves are also required, not only to check that the system works initially but also for future proof testing. Typically, these systems should be checked at the same time the safety instrumented system (SIS) is proof tested. This is an easy item to overlook and needs to be put on the testing schedule with the SIFs it supports.

I hope between the author's original article and Len's additional thoughts that there are some pearls you can apply in your process safety efforts.

Primer on Safety Instrumented Systems and Process Safety

The Flow Control magazine website has a great Safety Instrumented Systems Primer interview with Emerson's Mike Boudreaux. You may recall Mike and his views on process safety and safety instrumented systems from earlier posts.

If you're not already steeped in the language of process safety with things like safety integrity levels (SIL), safety instrumented functions (SIF), IEC 61511, etc., the questions and answers help provide a good primer. I'll share just a few snippets from the Q&A, but you'll want to read the entire interview.

Mike addresses the question of how safety instrumented systems (SIS) have come to be:

Much of the focus has been to reduce process risk through inherently safe design and independent layers of protection (IPL). Safety instrumented systems are one of the many layers of protection that are used to deliver increased process safety.


Further on this point, he describes why an SIS is important:

When a process cannot practically be designed to be inherently safe, an SIS can be used to reduce risks to an acceptable level. An SIS can be designed to deliver a specified safety integrity level (SIL) of risk reduction. IEC 61508 defines SIL 1 through SIL 4, with each SIL designating a relative level of risk reduction provided by a safety instrumented function (SIF) by an additional order of magnitude.

For those new to the world of process safety, Mike also shares his view on common pitfalls in process safety SIS design and implementation:

When developing a safety requirements specification (SRS), process manufacturers sometimes go overboard and make the SRS too complex to be practical, or they go in the opposite direction and don't provide a consistent set of documentation… the SRS should provide a functional description and the integrity requirements for each SIF. The SRS is the document against which all of the safety lifecycle activities are verified and validated. As such, it is important that this documentation be simple to use and maintain.

The other major pitfall is the complexity of SIF design and SIL verification. Mike offers:


participants, monthly newsletters, conferences & exhibitions, and connections with other automation professionals.


Safety Valve Positioners and Common Cause Failure Questions

If you work with pumps in your facility, you may be familiar with the Empowering Pumps site, a wealth of information to help you with these important assets in your plant. Founder Charli


I had the opportunity to contribute a guest post, Common Cause Failures in Safety Valve Positioners? It was based on a question I recently received. The question:

It's unclear to me whether position feedback from a smart positioner is truly independent of the reference signal from the control system, as the positioner ostensibly uses that same information as a measurement in its own local position feedback loop (for which the reference signal is the setpoint). I'm guessing it's not in most cases (and note that this trait is probably not unique to Emerson devices).

If you're driving the valve to a certain position with the reference, and then using the position feedback to verify that the valve is actually at the position you drove it to, there is a potential common-cause failure in the position sensing and processing. For independence I'd think you would have to either use other means to drive the valve (e.g., a dump solenoid valve), or have position sensing distinct from that used by the positioner.

Emerson's Riyaz Ali responded:

Common cause factor is a key concern when using a position transmitter within a safety valve positioner, as is typically done.

Fisher FIELDVUE DVC6200 SIS digital valve controller

In the case of a valve positioning transmitter designed for process safety applications, it is designed to isolate the positioning function. This design makes it completely independent of the positioner, should the input signal or power to the positioner fail, or any issue related to the positioner cease its functioning. The position transmitter continues to function to provide the valve's position.

As part of the certification process for use in safety instrumented functions up to safety integrity level 2 (SIL 2), the position transmitter function is certified separately from the positioner.

Process manufacturers managing the safety lifecycle for their plants follow the IEC 61511 standard. They rely on the suppliers to provide technologies including safety shutdown valves, actuators, positioners, and positioning transmitters suitable for application at the level of risk they are mitigating.

Common Cause Failures in Safety Valve Positioners?

February 25, 2014 by Jim Cahill

Filed Under: Actuators and Controls, Featured, Safety, Standards & Regulations, Valve Selection

Tagged With: Emerson

A safety instrumented function, also known as a safety loop, includes the logic solver, sensing device, and final control element. The final control element, often a valve, can be the source of much discussion, since it is what moves to take the safety action.

An earlier Emerson Process Experts post, Providing Operators Process Control Valve Position Feedback, stressed the importance of critical control valves having valve travel feedback from independent devices such as position transmitters, limit switches, or positioner output feedback.


A commenter wrote:

It's unclear to me whether position feedback from a smart positioner is truly independent of the reference signal from the control system, as the positioner ostensibly uses that same information as a measurement in its own local position feedback loop (for which the reference signal is the setpoint). I'm guessing it's not in most cases (and note that this trait is probably not unique to Emerson devices).

If you're driving the valve to a certain position with the reference, and then using the position feedback to verify that the valve is actually at the position you drove it to, there is a potential common-cause failure in the position sensing and processing. For independence I'd think you would have to either use other means to drive the valve (e.g., a dump solenoid valve), or have position sensing distinct from that used by the positioner.

    ?#ida’s Dr. *illiam " !oble noted in a whitepaper, ?stimating the ommon ause +etaactorB

    $%er the last few years, it has become recognied that common cause failures can ha%ea ma&or negati%e impact on the safety and a%ailability of redundant e;uipmentG /hewhole %alue of redundancy may be ruined. /his is clearly recognied by )? J21@4 andprobabilistic analysis now re;uires a ;uantitati%e assessment of common cause.

    s part of the design for products used in safety instrumented systems, e#tensi%edesign and testing must be performed in accordance with the )? J21@4 global safetystandard. Specically for this smart positioner, ?merson’s =iya li responded in an

    email to me. He e#plainedBommon cause factor is a 'ey concern when using a position transmitter within a safety%al%e positioner as is typically done.

    )n the case of a %al%e positioning transmitter designed for process safety applications, itis designed to isolate the positioning function. /his design ma'es it completelyindependent of the positioner, should input signal or power to positioner fail, or anyissue related to positioner cease functioning. /he position transmitter continues tofunction to pro%ide the %al%e’s position.

    s part of the certication process for use in safety instrumented functions up to safetyintegrity le%el 0 6S)L 07, the position transmitter function is certied separately from thepositioner

    Process manufacturers managing the safety lifecycle for their plants follow the )?J2122 standard. /hey rely on the suppliers to pro%ide technologies including safetyshutdown %al%es, actuators, positioners, and positioning transmitters suitable forapplication in le%el of ris' they are mitigating.

Overcoming Valve Failure – Tools and Methods

March 27, 2014 by Beyond the Flange Staff Editor

Filed Under: Beyond The Flange, Emissions, Featured, Fugitive Emissions Control, Maintenance & Reliability, Valve Selection

Tagged With: Energy Cost Calculator, Val-Matic

Understanding the reasons behind valve failure is the best way to dramatically decrease the probability of valve failure, ensuring increased overall system reliability within all project, plant, and facility applications.

Comprehending the consequences of valve failure is another extremely important element to evaluate when considering life cycle costs, energy efficiency, related costs and regulations, as well as connected maintenance details.

An excellent resource for education on the prospect of valve failure reduction is this article in Val-Matic discussing Minimizing Energy Consumption through Valve Selection.

One of the trickiest industry issues associated with valves today is the actual valve selection process. There are misunderstandings by some in terms of the ease of valve product choice in actually utilizing the correct valve product for each application.

Some have in the past believed the old adage ‘more is better’ when picking out valves and assumed that because their selections seemed to fit and work within the system, that they were acceptable choices. However, even though a valve may appear to work or function within a system, this does not mean it is the appropriate valve for the job. More is not always better; in fact, it can be worse in terms of valve selection, energy efficiency, and ultimately valve failure.

Choosing the right valve for each job, system, or application can mean large savings for an industrial company in terms of energy savings, as well as in the lack of potential fines associated with an unacceptable amount of fugitive emissions as unfortunately released in situations where the wrong valve selection was made.

Tools for Overcoming Valve Failure

An impressively helpful tool for use in improving valve energy efficiency, as well as overcoming valve failure, is Val-Matic’s Energy Cost Calculator for Valves. With this tool you can view the projection of 40 years of energy cost savings in association with your specific application’s information. The cost calculator will then calculate headloss in connection with the specific valve and its application.

Working to avoid valve failure in any project or system is of prime importance since the valve plays such an important role in controlling flow, pressure, and air release, etc. The operational effect of each valve within each system should most definitely be analyzed for overall cost, system effectiveness, efficiency, and lifecycle expectations.

The best way to overcome valve failure is to ensure you are using the correct valve for the job. The flow characteristic of the specific valve you are using can be highly important in reducing your chance of valve failure if you are not dealing with an isolation valve. The pump and the pump station make a big difference in the type of valve you need to choose. Included in well-known valve failure issues are valve slam and water hammer. These problems are associated with check valves. In order to overcome valve failure in association with water hammer problems and valve slam, you must ensure you are using the correct type of check valve with the right type of features. Closing speed is an extremely important attribute of the check valve you are choosing and care should be taken to determine the capabilities of the pump system prior to making your valve selection.

The type of fluids used in the process the valves are handling is another aspect to note when considering what ways you can overcome and prevent valve failure.

Documentation linked above discussing ways to minimize energy consumption via valve selection is a detailed resource for reference when seeking to study the many ways selection of a valve will aid in overcoming valve failure.

Valve Industry


Final elements used in safety applications typically remain stationary until a safety demand arises which requests them to go to their safe state: either fully open or fully closed. Digital valve controllers, such as the DVC6200 SIS, have been certified by a 3rd party as standalone, suitable for use in safety applications up to SIL 3 SIF loops.

Riyaz shared that many process manufacturers still opt to use solenoid valves (SOVs) pneumatically mounted in series with the digital valve controllers. This approach provides a redundant pneumatic path in case of a safety demand, where either device will drive the emergency shutdown (ESD) valve (often tagged XV) to the fail-safe position should the primary ESD device (solenoid valve) fail to function. In this case, the digital valve controller can drive the valve to a safe state.

Also, as we highlighted in an earlier post, Checking Your Safety Solenoid Valves, the digital valve controller can sense and capture the data for the momentary pressure blip across the solenoid valve to verify its health without causing the safety valve to move.

Riyaz explained that having a solenoid valve integral with a smart positioner would not meet redundancy requirements. This arrangement will affect the PFDavg calculations as per ISA TR84.00.02-2002 part 2. An integral SOV provides a one-out-of-one (1oo1) arrangement, whereas an external SOV provides a one-out-of-two (1oo2) approach in the pneumatic path. The 1oo2 approach provides improved PFDavg over a 1oo1 single-box approach.

If the SOV is external in the pneumatic line then the digital valve controller can monitor its health, and its test results on the plunger movement within the SOV during the test can be sent directly to the control system. Similar tests can be done if the SOV is integral to the digital valve controller, but then there are neither test reports generated nor health status of the internal SOV available at the control system level.

Riyaz believes that an external solenoid valve pneumatically in series is the preferred option due to redundancy in hardware to drive the valve to its safe state. Per IEC 61508, a smart SOV (integral microprocessor based smart positioner with integral SOV) will be classified as a Type B (IEC 61508 part 2, clause 7.4.3.1.3) device. This means the failure mode of at least one constituent component is not well defined; or b) the behavior of the subsystem under fault conditions cannot be completely determined; or there is insufficient dependable failure data from field experience to support claims for rates of failure for detected and undetected dangerous failures.

An SOV connected externally in series would be a Type A (IEC 61508 part 2, clause 7.4.3.1.2) device. This means the failure modes of all constituent components are well defined; and the behavior of the subsystem under fault conditions can be completely determined; and there is sufficient dependable failure data from field experience to show that the claimed rates of failure for detected and undetected dangerous failures are met. Going from a Type A to a Type B device will have an impact on safety reliability, and an evaluation of the SIF loop will be required for the PFDavg calculation.

To improve MTTFs (Mean Time to Fail Spuriously), a smart positioner can use a reverse-type relay, which will not contribute to MTTFs. In the case of an electrical signal failure or loss of the input current signal, the smart positioner will not cause a spurious trip. This means that two devices connected pneumatically in series will have the MTTFs of a single device (the SOV, a Type A device, only). A smart positioner and an SOV mounted externally, pneumatically in series, support high safety reliability and plant availability.

A smart positioner with an integral SOV will have high air consumption (67.8 scfh) for a large orifice compared to a smart positioner with a similarly sized external SOV, which will have a low-bleed relay (2.1 scfh). This is because external SOVs will NOT consume any air during normal operation.

Riyaz closed by suggesting that for SIS applications, accessories such as volume boosters or solenoid valves (if required) be kept as external devices rather than integral. This subject is still open and future technology developments may warrant another look at the pros and cons of integral vs. external final element accessories in process safety applications.

Update: The factors converting standard cubic feet per hour to cubic meters per hour were incorrect and have been removed.

Final Control Element Partial Stroke Testing

Emerson’s Riyaz Ali, whom you may recall from earlier posts, wrote an Inside Functional Safety article recently titled, Digital Technology: remedy for sick shutdown valves in Safety Instrumented System (SIS) applications. The paper is available for purchase from Inside Functional Safety, so I can’t upload or link to it, but I’ll highlight a few points Riyaz makes. Here’s a portion of the abstract:


In the event of a safety demand, the final control element of a safety instrumented function (SIF) loop is a key component to a process going to a safe state. Unlike the logic solver or sensors (analog transmitters), the final control element requires a total shutdown to check the mechanical integrity. With the invention of the digital valve controller, a final control element’s mechanical movement can be tested online by moving a span of 10% or 15% without disrupting the process.

For those not familiar with two of the major international safety standards for process manufacturers, IEC 61508 and IEC 61511, Riyaz provides this contrast:

IEC61511 is an industry specific version, specifically dealing with process industries in the “Functional Safety: Safety Instrumented Systems for the Process Industry Sector.” IEC61511 provides clarity to the use of IEC61508 in automation protection systems for the process industries by using industry specific vocabulary, specific examples, and tailored requirements.

As mentioned in the abstract, the final control element is a critical portion of the safety instrumented function or safety loop to take the process to a safe state. It could be an emergency shutdown valve, blow down valve, emergency isolation valve, emergency venting valve, or on/off valve. These valves may remain dormant for long periods, so they must be tested periodically to make sure they will operate properly upon a safety demand situation.

Riyaz notes that conventional testing requires either process shutdowns or bypasses, the latter of which add complexity and risk to the process flow. Completely testing the final control element’s performance requires “…an in-line test that strokes the valve for full travel.”

Without bypasses, the loss of production means process manufacturers want to extend these full stroke tests as long as possible, until the plant is shut down for turnaround maintenance.

Riyaz describes ways developed to extend the time intervals for the final control element testing by partially stroking the valves. He writes:

It was recognized that the most likely failure mode of a discrete shutoff valve is to remain stuck in its normal position. To test for this type of failure, it is not necessary to completely stroke the valve to test its functionality. A large percentage of covert valve failures can be detected if a limited form of testing can determine that the valve is not stuck and will begin to move. Furthermore, if this type of test could be performed online without shutting down the process, improvements in the PFDavg could possibly be obtained without the loss of production.

Methods to perform this partial stroke testing include mechanical limiting devices and more recently logic solver-based testing:

…which sends fixed pulsations to the solenoid valve to monitor the subsequent movement of the valve. The pulse duration is set to allow slightly more than the required 10-15% movement. The feedback to valve movement is provided by an analog limit switch.

Whichever method is used, written safety procedures are important to make sure plant trips don’t occur and proper documentation and maintenance is performed by properly trained personnel.

Riyaz shares how a digital valve controller is a good solution for these partial stroke tests because it:

…receives a control signal from the logic solver. It incorporates travel feedback of the valve position plus supply and actuator pneumatic pressures. This allows the smart positioner to diagnose not only itself, but also the health of the valve and actuator. Since the process is not shutdown, the tests can be run more frequently and initiated by the logic solver, HART handheld communicator, panel, and/or PC. The tests are also automatically documented and can provide comparisons between tests. In the event of a safety demand, the digital valve controller can also provide a log to help understand the sequence of events for post-event analysis.

He clarifies that partial stroke tests, “…do not eliminate the need for full stroke test; however, it does extend the proof test interval.” This extension is often long enough to reach the plant turnaround where all the final control elements can have full stroke testing performed.

If you are unfamiliar with some of these ways of partial stroke testing, you may want to purchase the paper or review some of the past blog posts in which I’v

Positioners and Partial Stroke Tests in Safety Applications

InTech magazine has a web exclusive on the importance of safety valves in a safety instrumented system. The article, Valve failure: Not an Option, describes methods of implementing partial stroke testing (PST) to reduce the probability of failure upon demand, average (PFDavg).

For those not familiar with a partial stroke test, I found this definition:

This test checks for valve movement without fully stroking the valve. Many applications will allow 10% movements to verify valve response without upsetting the critical process line. Diagnostic data is collected and an alert is given if the valve is stuck.


The purpose of this test is to improve PFDavg to possibly increase the safety integrity level (SIL) rating of the safety valve in a safety instrumented function (SIF), to extend the proof test interval, or a combination of both. Extending the proof test interval may allow process operators to avoid additional downtime by scheduling proof tests during turnarounds.

The author enumerates four methods of performing the PST: by the emergency shutdown system (ESD), by a positioner-based device, by a 2-out-of-2 (2oo2) or 2-out-of-3 (2oo3) redundant device, and by a 2-out-of-4-doubled diagnostic (2oo4D) redundant device.

The part of the article that jumped out for me, which I needed to ask Emerson’s Riyaz Ali about, was:

Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small flow factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.

In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny speck of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.

Riyaz offers some counterpoints. Advanced positioners or digital valve controllers such as the Fisher DVC6000 SIS have been designed specifically to operate safety shutdown valves and have gone through the rigorous design, testing and certification process defined in the IEC 61508 international safety standard for use in applications up to SIL 3.

This design, testing and certification process was developed to ensure the applicability of the technology for this process safety application.

Riyaz notes that it is true that a very few applications do require shorter process safety times. He points out that it is not necessary to use a solenoid valve (SOV) to improve the stroking speed. Positioners can use pneumatic devices to achieve faster stroking time. I discussed a quick-exhaust example in an earlier post. For process manufacturers who still would like to use an SOV in the SIF loop, these SOVs have different capacities to meet the stroking speed requirements. Also, some of the more modern positioners like the DVC6000 SIS can also monitor the health of the SOV when it’s used with a single-acting actuator. It performs checks for the dangerous failures of SOVs on-line without affecting the process.

Some digital valve controllers, like the DVC6000 SIS, are suitable for use in a SIL 3 SIF in standalone mode. When used in standalone mode or in pneumatic series with an SOV or other pneumatic accessories, it continuously checks the pneumatic integrity (functioning of the I/P and pneumatic relay) to ensure that these components are working and ready to drive the valves upon a safety demand (see figure 1). If, during normal operation, any abnormality is noted, an alert is sent to the HOST system.

Riyaz also provides clarification that air quality requirements are always specified in each product bulletin for pneumatically operated valves and specifically, the safety manual of a field device always recommends following the ISA S7.0.01 air quality standard, which specifies the air be clean, dry, without oil, water or any particulate contaminants. For your IEC 61511 process safety risk mitigation efforts, partial stroke testing performed by digital valve controllers can help you reduce the PFDavg on your safety shutdown valves.
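To put numbers on the trade-offs discussed above (the 1oo1 integral SOV against the 1oo2 external SOV in series, the common cause beta factor from the Goble paper, and the way a partial stroke test extends the full-stroke proof test interval), here is an added Python example. It is not code from the posts or from Emerson: it uses the simplified low-demand PFDavg equations, and the failure rate, beta, coverage and intervals in it are constructed values.

```python
"""Simplified PFDavg comparison for the final element architectures discussed above.

Added example, not code from the posts or from Emerson. Simplified low-demand
equations are used: 1oo1 = lambda_DU*TI/2; 1oo2 = (lambda_DU*TI)^2/3 +
beta*lambda_DU*TI/2. A partial stroke test (PST) is modelled as proof-testing
the fraction of dangerous undetected failures it can reveal (stuck valve) at
the PST interval. Repair time, diagnostic-detected failures and imperfect
full-stroke proof tests are ignored; all rates below are constructed.
"""

HOURS_PER_YEAR = 8760.0

# IEC 61511 low-demand SIL bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def sil_band(pfd_avg):
    """SIL the PFDavg falls in for low-demand mode; 0 if it is too high for SIL 1."""
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0 if pfd_avg >= 1e-1 else 4   # below 1e-5 is still counted as SIL 4


def pfd_1oo1(lambda_du, ti_hours, pst_coverage=0.0, pst_interval_hours=0.0):
    """Single final element (positioner-only or integral-SOV case).
    The part of lambda_DU the PST can reveal is effectively proof-tested every
    pst_interval_hours; the rest waits for the full stroke test every ti_hours."""
    if not 0.0 <= pst_coverage <= 1.0:
        raise ValueError("coverage must be a fraction 0..1")
    if pst_coverage > 0.0 and pst_interval_hours <= 0.0:
        raise ValueError("a PST interval is needed when coverage > 0")
    uncovered = (1.0 - pst_coverage) * lambda_du * ti_hours / 2.0
    covered = pst_coverage * lambda_du * pst_interval_hours / 2.0
    return uncovered + covered


def pfd_1oo2(lambda_du, ti_hours, beta):
    """Two devices in the pneumatic path, either of which trips the valve (external
    SOV in series with the digital valve controller; the same lambda_DU is assumed
    for both). beta is the common cause fraction; with beta = 0 only the
    independent term x^2/3 remains, which is why beta dominates in practice."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction 0..1")
    x = lambda_du * ti_hours
    return x * x / 3.0 + beta * x / 2.0


def max_proof_test_interval(target_pfd, lambda_du, pst_coverage, pst_interval_hours):
    """Longest full-stroke interval keeping a 1oo1 element at or below target_pfd
    when a PST with the given coverage runs every pst_interval_hours. This is the
    'extend the proof test interval' effect: pfd_1oo1 solved for TI."""
    covered = pst_coverage * lambda_du * pst_interval_hours / 2.0
    if covered >= target_pfd:
        raise ValueError("PST alone already exceeds the target; shorten its interval")
    if pst_coverage >= 1.0:
        return float("inf")
    return 2.0 * (target_pfd - covered) / ((1.0 - pst_coverage) * lambda_du)


if __name__ == "__main__":
    lam = 1e-6                       # constructed lambda_DU per hour for the valve assembly
    ti = 1 * HOURS_PER_YEAR
    base = pfd_1oo1(lam, ti)
    print("1oo1, yearly full stroke:       %.2e  SIL %d" % (base, sil_band(base)))
    red = pfd_1oo2(lam, ti, beta=0.1)
    print("1oo2 in series, beta=0.1:       %.2e  SIL %d" % (red, sil_band(red)))
    pst = pfd_1oo1(lam, ti, pst_coverage=0.7, pst_interval_hours=730.0)
    print("1oo1 + monthly PST, 70%% cover: %.2e  SIL %d" % (pst, sil_band(pst)))
    ti_max = max_proof_test_interval(base, lam, 0.7, 730.0)
    print("full-stroke interval with that PST matching the yearly case: %.1f years"
          % (ti_max / HOURS_PER_YEAR))
```

With the constructed numbers, the 1oo2 arrangement moves the element from the SIL 2 band into the SIL 3 band, and the beta term is almost all of its PFDavg; the monthly PST lets the full-stroke interval stretch to roughly three years at the same PFDavg.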

When failsafe isn't enough

An orderly shutdown is imperative: These equations give a quick way to check the recommended-volume tank size or to do the sizing oneself.

FAST FORWARD

The failure position of a valve is not always its failsafe position.

Volume tanks supply reserve air for actuating a valve.

A volume tank for a throttling control valve requires a complex analysis.

By Bryce Elliott

Many times, processes will require reserve volumes of air for valve actuation on failure of the air header.


Typical reasons for needing this additional volume are when the failure position of the valve is not the “failsafe” position or when operating requirements dictate a more orderly shutdown than having the valve immediately going to its failure position.

A volume tank needs to be in place to supply a reserve volume for actuating the valve.

The question then comes of how to size this tank. The volume of the tank, Vt, has to be large enough and under sufficient pressure, Pi, to fill the volume of the actuator, Va, at the minimum pressure required by the actuator, Pf, for the number of strokes required, s.

The values of Va and Pf need to come from the actuator manufacturer. Pf will change depending on the torque required to stroke the valve, so input from the valve vendor may also be necessary.

Typically, the valve vendor will calculate the required torque, which will vary depending on the individual valve type, packing design, shutoff differential pressure, and required leakage, and choose the actuator accordingly.

The actuator manufacturer should supply a table that relates torque to supply pressure, and the engineer can select the appropriate pressure based on the required torque the valve vendor has given. Pi will be the normal operating pressure of the air header.

s is the number of times the valve will need to stroke before the pressure reduces below the point at which the valve can no longer actuate. This will depend on the operating philosophy for this valve. The process, operations, and safety groups may have input into determining an adequate value for s.

To begin developing an equation for sizing the tank, start with the simplest case, a single stroke.


The gas in the volume tank will expand to fill the volume Vt + Va. There are two known pressures, Pi and Pf. Since the gas expansion will be fairly quick, little heat will come from or go into the environment. For this reason, we can take the gas expansion to be adiabatic in our model.

An adiabatic process is one in which no heat is exchanged with the surroundings.

The other extreme case is isothermal, where the expansion takes place slowly enough that the gas stays at constant temperature; this results in smaller calculated values than the adiabatic assumption. Reality lies somewhere in between. Calculating the process as adiabatic will provide some of the “margin for error.”

Thermodynamics tells us that PV^k is a constant for an adiabatic process. k is the ratio of the specific heats, Cp/Cv, which in the case of air at pressures and temperatures of interest is approximately 1.4.

The equation is: (1)

Pi, Pf, Va, and k are knowns, and we can readily solve for Vt:

(2)


P2 is the intermediate pressure in the volume tank after the first stroke. Solve each equation for P2.

Set (5) and (6) equal to one another, eliminating P2.

Solving (7) for Vt yields:


For more than two strokes, a similar system of equations can be set up, with the intermediate pressures eliminated algebraically. The general formula is:

For multiple strokes, the strokes probably will not be in quick succession, which would allow the tank air to warm to ambient temperature between strokes (it cools slightly when it expands to fill the actuator). This will slightly reduce the amount of necessary air because the pressure in the volume tank will increase with the temperature increase. Because we cannot know ambient temperature in advance, it is impossible to calculate this effect precisely. Since it is not significant, we can neglect it.


Another margin comes from the fact that tanks are available in discrete sizes. If one calculates a volume of 8 gallons, 10 gallons is the best tank size, so 25% extra is automatically built in.

Some of the smaller standard sizes offered are 10, 15, 20, 30, 60, 80, and 120 gallons. Note: Tubing volume is typically a negligible consideration. However, for long tubing runs (greater than 75 feet), we may need to factor the volume in.

It is possible to reduce the air necessary by putting a downstream pressure regulator between the volume tank and the actuator. In this case, the set pressure of the regulator is set equal to, or very slightly higher than, the minimum pressure of the actuator.

Doing so gives a similar adiabatic expansion, but since the actuator is being filled at the same pressure each time, the end result is as though the air in the volume tank at the starting pressure takes up Vt + sVa at the ending pressure, or: (10)

Solving for Vt gives:


This is the result of equation (2) multiplied by the number of strokes. Also, in the examples below, reducing the required air by adding a pressure regulator usually did not reduce the selected tank size.

A volume tank for a throttling control valve requires a more complex analysis than what we are looking at here. A throttling valve will have partial strokes. It may also have a positioner, which is a constant bleed device, meaning the volume in the tank will leak out over a fairly short period of time.

This analysis requires knowing the bleed rate (which varies depending on input pressure), the amount of time the valve is expected to be available (multiplying these two will yield a mass of air, though the variable bleed rate may require some integration, either piecewise or continuous), and some estimate of the number of strokes required.

This will not necessarily be a whole number; round up. One can then apply the same sort of analysis given here to come up with the air necessary to stroke the valve. Add the air required by the bleed rate to the air required to stroke the valve, taking care to keep consistent units.

For sizing volume tanks for on/off valves, use equation (9) or (11), as appropriate. A nice result of these equations is that it is not necessary to include a “safety factor,” as the safety factor is a part of the simplifying assumptions. These will give the engineer a quick way either to check the volume tank size recommended by the valve vendor or to do the sizing oneself.
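The sizing procedure above carried through in code, as an added example that is not from the article. Because the article's numbered equations are not reproduced on this page, the functions implement the relations the text describes (adiabatic P·V^k with k = 1.4 for air, the single stroke, s strokes with the intermediate pressures eliminated, the regulator case as s times the single-stroke result, and rounding up to the listed standard tank sizes); it assumes absolute pressures in the adiabatic relation and a sea-level atmosphere for the gauge conversion, and the valve data are constructed.

```python
"""Volume tank sizing for an on/off valve actuator under the adiabatic model.

Added example, not code from the Control Engineering article. It implements the
relations the article describes: P*V^k constant (k = 1.4 for air), a tank at Pi
expanding into Vt + Va until the actuator minimum Pf is reached, s strokes with
the intermediate pressures eliminated, the regulator case, and rounding up to the
standard tank sizes the text lists. The adiabatic relation needs absolute
pressure, so gauge readings are converted first (sea-level atmosphere assumed).
Input values in __main__ are constructed.
"""

K_AIR = 1.4                                           # Cp/Cv for air, per the article
ATMOSPHERE_PSI = 14.7                                 # assumption: sea-level atmosphere
STANDARD_TANK_GALLONS = (10, 15, 20, 30, 60, 80, 120)  # sizes listed in the text


def psig_to_psia(psig):
    """Gauge to absolute pressure; P*V^k only holds for absolute pressure."""
    return psig + ATMOSPHERE_PSI


def _check(va, p_i, p_f, strokes):
    if va <= 0 or strokes < 1:
        raise ValueError("actuator volume must be positive and strokes >= 1")
    if p_f <= 0 or p_i <= p_f:
        raise ValueError("header pressure Pi must exceed actuator minimum Pf (absolute)")


def tank_volume_single_stroke(va, p_i, p_f, k=K_AIR):
    """One stroke: Pi*Vt^k = Pf*(Vt+Va)^k  ->  Vt = Va / ((Pi/Pf)^(1/k) - 1)."""
    _check(va, p_i, p_f, 1)
    return va / ((p_i / p_f) ** (1.0 / k) - 1.0)


def tank_volume_multi_stroke(va, p_i, p_f, strokes, k=K_AIR):
    """s strokes, no regulator: each stroke is an adiabatic expansion from the tank
    alone into tank + actuator, the actuator then exhausts, and the tank keeps the
    intermediate pressure. Eliminating those pressures gives
    Pi/Pf = ((Vt+Va)/Vt)^(s*k), i.e. Vt = Va / ((Pi/Pf)^(1/(s*k)) - 1)."""
    _check(va, p_i, p_f, strokes)
    return va / ((p_i / p_f) ** (1.0 / (strokes * k)) - 1.0)


def tank_volume_with_regulator(va, p_i, p_f, strokes, k=K_AIR):
    """Regulator set at Pf fills the actuator at the same pressure every time, so the
    tank air at Pi ends up occupying Vt + s*Va at Pf: s times the single-stroke Vt."""
    _check(va, p_i, p_f, strokes)
    return strokes * tank_volume_single_stroke(va, p_i, p_f, k)


def pressure_after_strokes(va, vt, p_i, strokes, k=K_AIR):
    """Stroke-by-stroke simulation (no regulator) to cross-check the closed form:
    with Vt from tank_volume_multi_stroke the tank should land exactly on Pf."""
    p = p_i
    for _ in range(strokes):
        p *= (vt / (vt + va)) ** k   # tank at p expands into vt + va, actuator exhausts
    return p


def select_standard_tank(vt_required, sizes=STANDARD_TANK_GALLONS):
    """Round up to the next standard size; that margin is the only 'safety factor'
    the article relies on, so none is applied on top."""
    for size in sorted(sizes):
        if size >= vt_required:
            return size
    raise ValueError("required volume %.1f gal exceeds largest standard tank" % vt_required)


def size_tank(va, header_psig, actuator_min_psig, strokes, regulator=False):
    """Full sizing from gauge pressures: (required gallons, selected standard tank)."""
    p_i, p_f = psig_to_psia(header_psig), psig_to_psia(actuator_min_psig)
    if regulator:
        vt = tank_volume_with_regulator(va, p_i, p_f, strokes)
    else:
        vt = tank_volume_multi_stroke(va, p_i, p_f, strokes)
    return vt, select_standard_tank(vt)


if __name__ == "__main__":
    # Constructed case: 2.0 gal actuator, 100 psig header, 40 psig minimum, 3 strokes.
    for reg in (False, True):
        vt, tank = size_tank(2.0, 100.0, 40.0, 3, regulator=reg)
        print("regulator=%s: need %.2f gal -> %d gal tank" % (reg, vt, tank))
```

Tubing volume is not included; per the article, add it to the actuator volume for runs longer than 75 feet.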

Terminology

Adiabatic process occurs with no exchange of heat between the system and its environment.

Fail-safe or fail-secure describes a device or feature which, in the event of failure, responds in a way that will cause no harm or at least a minimum of harm to other devices or danger to personnel.

Actuator is a device to convert an electrical control signal to a physical action. Actuators may be for flow-control valves, pumps, positioning drives, motors, switches, relays, and meters.

Solutions for SIS and Foundation Fieldbus

I’m lucky enough to receive a copy of Andrew Bond’s Industrial Automation Insider newsletter each month through an Emerson subscription agreement. Andrew covers the happenings among the automation suppliers and standards bodies. You can also find some of Andrew’s writings on the ControlGlobal.com site.

In the November 2008 newsletter, one item that caught some attention around here was this nugget:

…first TÜV-approved SIL 3 Foundation fieldbus safety valve controller to appear on the market. The device delivers status changes automatically via Foundation fieldbus and incorporates real time alarm management eliminating the need for external wiring or I/O cards.

I have the privilege of working in the vicinity of two very knowledgeable people with respect to process safety, Riyaz Ali and Mike Boudreaux.

Riyaz notes that the Foundation SIF specifications are still under development. In a recent Fieldbus Foundation release, it quotes ARC’s Larry O’Brien:

It is very clear that end users want this technology and are striving to include FF-SIF systems in their project specifications. Many major end users will probably be specifying FF-SIF systems for their new projects starting in 2011.


A September 2008 ARC whitepaper, Foundation Fieldbus Safety Instrumented Functions Forge the Future of Process Safety, provides background on the Foundation SIF standard advancement and its current draft status. Mike and Riyaz were present at the successful May 2008 Foundation SIF end user demonstration project in Amsterdam, and Mike shared his experiences with me. Riyaz also shared that one of the function blocks, the SIF_DO block, will not be available from the Fieldbus Foundation until the first half of 2009.

Many automation suppliers are developing products based on the current Foundation SIF draft, including Emerson. I asked Riyaz about the current solution Emerson provides until the standard is ratified. Riyaz responded:

The current solution for use in a Foundation fieldbus SIS application is to use the DVC6000f PD instrument. Several hundred units have been supplied worldwide to process manufacturers where partial stroke test scripts are run from host systems, such as the DeltaV system and AMS Device Manager.

In this application, process manufacturers use a solenoid valve operated by a hardwired digital output from the SIS logic solver.

Riyaz expects that until process manufacturers have sufficient experience, they will continue to use an independent solenoid valve to take the SIS valve to the fail state, while at the same time using a DVC6000f PD for partial stroke diagnostics using Foundation fieldbus through the basic process control system (BPCS).

Mike notes that both the DeltaV and DeltaV SIS systems are capable of performing these safety instrumented function predictive diagnostics. The DeltaV system is being used to perform partial stroke testing with the DVC6000f PD using Foundation fieldbus communications. The DeltaV SIS system is being used to automate partial stroke testing with the DVC6000 SIS safety valve controller using HART communications. This additional diagnostic coverage assists process manufacturers with their IEC 61511 safety lifecycle efforts.

Using diagnostics enabled by Foundation fieldbus and HART communications, the DeltaV and DeltaV SIS systems with DVC6000 digital valve controllers can provide many of the benefits today that are promised by Foundation SIF in the future.

Addressing Safety Valve Opening Times with Partial Stroke Tests

A question came into the ISA’s Safety email list concerning the use of valve positioners in partial stroke tests for valves used in safety shutdown applications. The person asking the question wrote:

I was informed that PST using a positioner such as the Fisher/Emerson has got a problem when first opening the valve because the Cv value of the positioner is small so it will take a very long time to open for large valves/actuators. Please advise if this comment is valid.


Emerson's Riyaz Ali, whom you may recall from earlier process safety-related posts, responded [with my light edits]:

Partial stroke test (PST) is a diagnostics function, which is performed on line, in service, hence minimum process interruption is highly desired. If the "FAIL OPEN" valve is opened with a sudden jerk, it can create a blurp or surge of process, which may create unwanted results, i.e. in liquid service, sudden opening or closing of a valve may lead to the "water hammer" phenomenon.

The Emerson/Fisher DVC6000 SIS is specifically designed to stroke the valve during PST using a RAMP algorithm, which stabilizes the process while lifting a valve from its seat. Certainly, concern may occur if a DEMAND arises during a stroke test. The DVC6000 SIS has built-in safeguards to immediately take a valve to its safe state with the desired pneumatic path. In fact, the DVC6000 SIS has a unique feature, which allows engineers to configure stroking speed as desired by a few industries. The Digital Valve Controller is smart enough to differentiate between a Partial Stroke Test and a Safety Demand.

We have seen a few oil producers using DVC6000 SIS with an external flow restrictor in the pneumatic line to slow down valve travel to have process equilibrium during a SAFETY DEMAND, so that slam shut action does not cause piping breakage as well as a loss to equipment by suddenly cutting down fuel. In some processes this may possibly lead to spoilage of catalyst.

Depending upon the need of Process Safety Time (PST) of a SIF [safety instrumented function] loop, a few valve applications may require a Process Safety Time of less than 2 seconds. In such cases, it is always recommended to use external devices to allow additional quick release of air volume from the actuator to meet the time line.

Immaterial of Digital Valve Controller manufacturer, positioners always operate during normal condition at full pressure load, which as per characteristics, allows air to bleed. If a positioner of high exhaust and fill capacity is used, it will bleed excessive air. The Emerson/Fisher DVC has been designed in such a manner that it has only an air consumption of 2.1 scfh at 20 psi compared to positioners with a higher Cv, whose bleed rates are exceptionally high (20 times that of the DVC6000).

Once again, a Partial Stroke Test is diagnostics, which can be considered "Safety Related" but NOT "Safety Critical", hence, during the test, valve opening time should not pose any challenges.

Should you need more technical clarifications, I can provide details on a one-to-one basis.


Another list member noted this issue in his response to Riyaz:

It is a very simple matter to restrict the exhaust rate of the diaphragm during the partial stroke test, and thus slow the stroking speed to whatever speed is desired. This would eliminate any concerns of overstroking, or rapid valve movement. However, since we are in the hysteresis range (15%) of the valve, problems resulting from rapid movement should be minimal to start with.

Using a quick exhaust device to vent the valve diaphragm (to compensate for the small Cv of the positioner) must be accounted for in the PFDavg calculation of the final element for the SIF. This simplex device is a critical part of the SIF and cannot be ignored.

Riyaz addressed this concern [again with my light edits]:

As explained in my previous email, when using a microprocessor-based device or any other means to initiate PST for Safety Shut Down valves, in line in service, Quick Exhaust Valves (QEV) typically show instability. Based on lab tests and past field experience, it has been observed that the QEV comes into action for a water column Pressure Difference, which may lead to uncontrolled travel during the PST.

In such situations, it is preferable to use a Volume Booster, which helps in both directions (opening and closing). Also, as clarified by [another email responder], the volume booster is checked during a PST.

As you rightly said, Volume Booster kinds of mechanical devices are simplex. These type devices have been in the field over the past four decades, and for sure have already established all their possible failure modes in operating runs. This would provide beneficial leads to manufacturers to incorporate in design. Therefore, it is less likely that any reliability issues have not been taken into account and corrected by manufacturers of mechanical components.

Some additional questions came in about the certification reports. Exida's Dr. Bill Goble pointed the questioner to where the partial stroke test certification reports are located on the Exida website. Here are the links to the DVC6000 assessment report and DVC6000 certificate for use in emergency shutdown (ESD) partial stroke valve monitor applications.

If you're involved with process safety at your plant, I hope these clarifications by Riyaz help to address similar questions that you may have.

Partial-Stroke Tests, Proof Tests, and Smart Positioners in Safety Applications

Before the holidays, Dave Harrold wrote a post, Wee Bit More About Safety Instrumented Systems, in his Dave B Group blog. He describes his work with Dr. Angela Summers, founder/president of SIS-Tech Solutions, on a guidelines book for the global IEC 61511 safety standards. Dave also referenced an SIS-related Q&A article Angela wrote for Flow Control magazine.


I forwarded the post and the Flow Control article link to Riyaz Ali, whom you may recall from an earlier post. Riyaz wanted to add to the conversation and make three specific points in reference to the Flow Control article.

On the question regarding the use of digital valve positioners to perform partial testing and its relationship to the proof test interval, Riyaz agrees that the proof test is far more than a partial stroke test. The proof test can be performed on a final control element either on-line when a bypass valve exists or offline when the process is shut down, such as during a plant turnaround. Many process manufacturers do not have large bypass valves and seek to extend the interval between plant turnarounds as long as possible.

The on-line partial stroke testing provided by digital valve positioners can help extend the time between proof tests. They do not replace these tests. Riyaz points to a Control Engineering magazine article authored by Dr. Summers, Partial Stroke Testing of Safety Block Valves, in which she points out:

Also affecting the SIL is diagnostic coverage and testing intervals of partial-stroke testing to supplement full-stroke testing to reduce a block valve's PFD.

Being a mechanical item, the SIS "Final Control Element" is challenging to test, and at the same time it is a significant failure contributor to the SIF loop. Partial stroke testing by digital valve positioners not only provides "audit documentation" but also provides diagnostics of valve health, a key feature for improving the reliability of the SIF loop.

Riyaz did take exception to a statement in the article about throttling valves:

Positioner failures are the leading cause of control failure, so the positioner should not be used to actuate the valve in an SIS application when preventing events associated with a loss of control. Instead, a solenoid-operated valve should be used to independently close the control valve.

He notes that control valves are better geometrically designed, with a proper actuator and valve plug connection to reduce hysteresis, dead motion, stiction, backlash etc., compared to shutdown valves, which typically have a keyed shaft and are mainly used for an On and Off function. The main concern for shutdown valves is a stuck condition. If the initial inertia force is broken during normal exercise of the valve, either through a partial stroke test or by modulating through a DCS signal, it is very likely that the valve will be available during a safety demand, when required to bring the process to a safe state.

His final point is on the question regarding smart positioners for partial stroke testing of smart valves. Positioners operated by air have been used in the process control industries for years to improve the performance of control loops. It is becoming rarer to come across a process loop without positioners, especially where the application improved process variability. Based on their usage and benefits in process control, process manufacturers have started using them for Safety Instrumented Systems also. Riyaz agrees with Dr. Summers' comment that positioners have a smaller orifice, but for anything larger than a 12 size valve a Quick Exhaust Valve or similar mechanical device will be used anyway if fast stroking speed is desired. Len Laskowski adds that the driving factor is process safety time. Many times larger valves do not need to close in one or two seconds, and in fact require a more controlled closure to avoid negative effects on process and utility equipment. It all hinges on the process safety time for each application.

Positioners are designed to bleed a very small amount of air, keeping the air flowing and the housing pressure above atmospheric so that external corrosive atmospheric gases cannot get inside. Also, during a partial stroke test the positioner exhausts and fills air, which keeps its mechanical parts moving and avoids any build-up.

Digital valve positioners allow partial stroke testing while the process is running and provide a date and time stamp of the test, with the capability to store and compare test results. Also, being microprocessor based, these positioners allow remote testing and remote retrieval of data. The main advantage is predictive maintenance through valve degradation analysis, which is important for critical valves in safety related systems. If by any chance a valve is stuck, digital valve positioners are capable of alerting operators to fix the problem.

Improving Local Control around Safety Shutdown Valves

You have to admire the way a team of engineers, when presented with a challenge, come up with a better, less costly approach. Such is the case with a local control panel for a safety valve that Emerson Fisher division's Riyaz Ali showed me. You may recall Riyaz from earlier posts on the topic of safety.

The challenge is that safety shutdown valves with conventional local control panels have typically required ten input/output connections between the safety system's logic solver, local control panel, solenoid and digital valve controller, as the picture indicates.

These panels get hard wired signals from the safety instrumented system's logic solver for light indication of valve Open, Close, and Ready to Reset. Also, if the logic solver needs to open the valve after the "Ready to Reset" light indication, a "Valve Open" signal needs to be sent to the local controller on a separate pair of wires for the field technician to open the valve. It will also require an additional I/O for shutting the valve from the local controller in case of an emergency.

Now, many plants keep metrics on what it costs to install each I/O point, but a ballpark figure of 2,000 USD per I/O point is typical.


The approach Riyaz describes is based on the Fisher LCP100 local control panel, which requires 5 I/O. This means roughly 10,000 USD in savings per installed smart local control panel. If your facility is a refinery, petrochemical, or chemical plant, this could add up, based on your number of safety valves with local control panels. This panel digitally communicates directly with Emerson's Fisher DVC6000 digital valve controller to eliminate the need for separate wiring for Valve Open and Close indication, Ready to Reset indication, and pushbuttons for manual Valve Open and Close. These digital communications also provide diagnostics to reduce the ongoing costs of maintenance typical with hard-wired solutions.

Riyaz also points out the digital valve controller can provide on-line diagnostics and partial-stroke testing to assist the process manufacturer in checking the safety instrumented function which includes these shutdown valves.

As with most digital communications, the long term benefits in diagnostic coverage with this integrated approach are usually greater than the initial benefits in installation cost savings.

Checking Your Safety Solenoid Valves

In an earlier post I discussed the critical role the final control element plays in a safety loop, or safety instrumented function (SIF) in safety parlance. This equipment mostly stays in one position until called upon to move should an emergency situation arise. Digital valve controllers like the Fieldvue DVC6000 SIS provide partial stroking of the valve to help process manufacturers design their safety instrumented functions to reduce the Probability of Failure on Demand (PFD).

Even with the advancement of intelligence in digital valve controllers to do this partial stroke testing, a problem remained in testing the solenoid valves used in the safety instrumented function. These solenoid valves are installed to quickly bleed the air supply to the valve actuator that is holding the SIS valve open or closed. The only real way to test this solenoid valve has been to trip it, causing the safety function to occur.

These spurious trips can be quite strenuous on the plant piping and process equipment.

Riyaz Ali, a development manager in Emerson's Fisher division, showed me the latest advancements to the DVC6000 SIS to test the solenoid without causing safety valve movement. What the technology team found through extensive research and development is that the solenoid valve can be pulsed for a split second by smart SIS logic solvers like the DeltaV SIS system.

This time window of the pulse is long enough for the solenoid valve to vent, which provides verification that it is functional. But the time window is short enough that the actuator does not bleed off enough pressure to make the SIS valve move. Diagnostics in the DVC6000 SIS can sense and capture the data for the momentary pressure blip across the solenoid valve during the test. It also records pressures, travel information, and other diagnostic information.

Beyond solenoid testing, Riyaz mentioned the DVC6000 SIS is capable of collecting data during a trip event, much like an airline's "black box" flight recorder. This data collection can be triggered upon a change in actuator pressure, valve travel, input current, pressure differential, travel deviation, travel cutoff, or an externally defined trigger event. This data can be helpful when reviewing the causes of a safety trip as well as having the data available for regulatory reporting.

One final point Riyaz emphasized is the DVC6000 SIS spurious trip protection, which provides maximum output pressure to the solenoid at minimum input signal in a case where the 4-20mA signal between the smart logic solver and digital valve controller is lost or severed.

Together, these technologies give process manufacturers an end-to-end way of checking the safety instrumented functions, including the solenoid valves, to assist their design, implementation, and ongoing testing phases of the IEC 61511 safety lifecycle.