Abstract
This study examines the relationship between the specification of safe failure fraction and partial stroke testing provisions for valves deployed as final elements in safety instrumented functions.
I. Introduction
Partial stroke testing (PST) is a potentially useful provision in enhancing the confidence in shutdown valves, but there is routine confusion concerning the nature of its contribution. PST is typically deployed as a partial proof test, but some vendors and certification bodies routinely construe it to be a diagnostic provision. ‘All cats look the same in the dark?’ Well let us shed some light here and discover that these two moggies do in fact look subtly different.
II. Proof Test Versus Diagnostic
The stipulation in BS EN 61508 second edition for low demand systems is that
the diagnostic test interval of any subsystem … shall be such that the sum of the diagnostic test interval and the time to perform the repair of a detected failure is less than the Mean Time To Restore (MTTR) used in the calculation to determine the achieved safety integrity for that safety function. (Clause 7.4.5.4)
Since PST is typically used at a relatively low frequency (with a period of days to months), the implication is that if PST were to be claimed as a diagnostic provision, the MTTR for detected failures would be correspondingly large. The key point is that a truly diagnostic provision will, all else remaining equal, increase the proportion of detected failures and reduce that of the undetected failures, and thereby improve the safe failure fraction (SFF). A partial proof test without an expanded MTTR nomination does NOT enhance the SFF; it improves the probability of failure on demand (PFD) by finding some potentially undetected dangerous failures. This distinction has been overlooked in some safety integrity level (SIL) certificates, and improved SFF is often cited for deployments with PST.
It has to be said that this is a relatively obscure point: although the claim of improved SFF is technically incorrect for a partial test, since a partial test is distinct from a diagnostic provision, that is not to say that the confusion would lead to unsafe systems or practices. Note that if PST is claimed as a true diagnostic, the added complication will definitely make the element type B (complex), and so the improved SFF would typically NOT reduce the requirement for hardware fault tolerance (HFT) relative to that for a type A (simple) element without PST. Indeed, if the improved SFF remains in the same band as the ‘unimproved’ SFF, there will be an increased requirement for HFT.
To explore the potential significance of these distinctions in terms of calculated PFD, consider a valve with a total mean time between failures of 50 years, with an inherent SFF of 60%, an annual 100% proof test and a partial stroke test every month that gives 80% coverage (of the dangerous failures). A partial stroke test will typically reveal faults with the solenoid valve or a stuck valve; it will not reveal failures associated with a full stroke or shut-off capability. The PST may be regarded as either:
(a) A partial proof test, with no claim for diagnostic coverage (DC);
(b) A true diagnostic provision with a corresponding MTTR (728 h). Note that the effective SFF with DC of 80% is 92%.
We may then compare the different bases on which performance may be assessed for the particular valve specification shown in Table 1.
Table 1. Comparison of performance assessments for given valve specification
PST: partial stroke testing; SFF: safe failure fraction; PFD: probability of failure on demand; MTTR: mean time to restore; DC: diagnostic coverage.
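As an added worked example (not part of the original paper, and not the figures of Table 1), the following Python carries the valve of the text through the alternative treatments of PST with the simplified IEC 61508-6 1oo1 formula, PFD = λDU·T1/2 + λDD·MTTR. It assumes 8760 h per year and neglects the repair time after a proof test reveals a failure; the shortcut that applies the ‘improved’ SFF across a single annual proof-test interval is included so its non-conservatism can be seen against the other bases.

```python
"""PFD of a 1oo1 shutdown valve under different treatments of PST.

Figures from the text: MTBF 50 y, inherent SFF 60 %, annual 100 % proof
test, monthly PST with 80 % coverage of dangerous failures, MTTR 728 h.
Assumptions (not from the paper): 8760 h/year; mean repair time after a
proof-test-revealed failure is neglected; with no inherent diagnostics,
every non-safe failure is dangerous undetected.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0  # assumption: MTTR is given in hours, intervals in years


@dataclass
class Valve:
    mtbf_years: float       # total MTBF, safe + dangerous failures
    sff: float              # inherent safe failure fraction (no PST claimed)
    proof_test_years: float  # interval of the 100 % proof test

    @property
    def lam_total(self) -> float:
        return 1.0 / self.mtbf_years

    @property
    def lam_du(self) -> float:
        # All non-safe failures are dangerous undetected (no inherent diagnostics).
        return (1.0 - self.sff) * self.lam_total


def pfd_no_pst(v: Valve) -> float:
    return v.lam_du * v.proof_test_years / 2


def pfd_partial_proof_test(v: Valve, coverage: float, pst_years: float) -> float:
    # Basis (a): the covered share of lambda_DU is proof tested at the PST
    # interval, the rest only at the full proof test; SFF is unchanged.
    covered, uncovered = coverage * v.lam_du, (1 - coverage) * v.lam_du
    return covered * pst_years / 2 + uncovered * v.proof_test_years / 2


def pfd_diagnostic(v: Valve, dc: float, mttr_hours: float) -> float:
    # Basis (b): the covered share becomes lambda_DD, restored within MTTR.
    lam_dd, lam_du = dc * v.lam_du, (1 - dc) * v.lam_du
    return lam_du * v.proof_test_years / 2 + lam_dd * mttr_hours / HOURS_PER_YEAR


def effective_sff(v: Valve, dc: float) -> float:
    # SFF = (lambda_S + lambda_DD) / lambda_total with lambda_DD = DC * lambda_DU.
    return (v.sff * v.lam_total + dc * v.lam_du) / v.lam_total


def pfd_improved_sff_shortcut(v: Valve, dc: float) -> float:
    # Non-conservative shortcut: 'improved' SFF applied over the annual interval only.
    return (1 - effective_sff(v, dc)) * v.lam_total * v.proof_test_years / 2
```

Running the functions on `Valve(50.0, 0.60, 1.0)` with DC/coverage 0.8, a monthly PST and 728 h MTTR gives the ordering shortcut < partial proof test < diagnostic with MTTR < no PST, with all three PST bases close to one another, matching the paper's observation that no gross error arises from either treatment.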
III. Conclusion
It can be seen that no gross errors are incurred with any of these approaches for PST. Note that the use of ‘improved’ SFF to account for the intermediate PST in simple PFD calculations (where a single 100% proof test interval is assumed) would not be conservative but may nevertheless be useful as an approximation. Perhaps the more significant point is that claims of improved SFF make for some difficulty in comparing certified offerings from vendors; the rigorously correct claim from one vendor (SFF of 60% in this example) may be seen as disadvantaged in comparison with the incorrect claim from a second vendor (declaring SFF of 92%) for items with identical reliability performance. Logically, we should consider only the SFF without PST unless the MTTR claimed includes the PST interval. It should be remembered that functional safety is not simply a number game (although many try to play it that way), and there is more to equipment selection than the raw, unqualified comparison of the numbers on certificates.
