Valve Actuator Failure Modes and Safety Instrumented System Integration
- ted wang
- May 5
- 2 min read
Valves and their actuators that form part of a safety instrumented system (SIS) must be designed, specified, tested, and maintained with a systematic understanding of their failure modes and of how those failures affect the safety function. In a process control valve, a failure to respond promptly to a setpoint change merely causes a process deviation; a safety valve that fails to operate on demand can allow a hazardous process condition to develop that may result in injury, death, or environmental damage. IEC 61511, the standard governing safety instrumented systems in the process industry, requires rigorous analysis of valve failure modes, dangerous failure rates, and proof testing requirements.
Valve and Actuator Failure Modes
Valve failure modes are categorized by their safety significance. A dangerous failure is one that prevents the safety valve from performing its intended safety function when demanded. For a fail-close safety valve, a dangerous failure is any failure that prevents the valve from closing on demand: a stem stuck open by packing seizure, actuator spring failure, solenoid valve malfunction, loss of the instrument signal or air supply, or mechanical jamming of the closure element. A safe failure is one that drives the valve to its safe state (closed, for a fail-close valve) without a process demand; this spurious trip may cause a process upset but does not compromise the safety function. Each dangerous or safe failure is further classified by whether diagnostics reveal it:
- Dangerous undetected (DU): a failure that prevents the safety action and is not revealed by diagnostics; it is found only by a proof test or by a real demand
- Dangerous detected (DD): a failure that prevents the safety action but is revealed by diagnostics or monitoring, so it can be repaired or the process brought to a safe state
- Safe undetected (SU): a failure that causes a spurious trip and is not revealed by diagnostics before the valve operates
- Safe detected (SD): a safe failure revealed by diagnostics before it causes the valve to operate
- No effect (NE): a failure that does not affect the valve's safety function
Partial Stroke Testing
Partial stroke testing (PST) is a diagnostic technique that moves a safety valve through a small part of its stroke (typically 10 to 20 percent of full travel) while the process remains on-line. The test verifies that the valve and actuator are mechanically capable of beginning to move when the trip signal is applied, and so detects the most common dangerous failure modes, including a stuck stem, loss of actuator air, and solenoid valve failure, without fully closing the valve and interrupting the process. Smart positioners with PST capability can execute partial stroke tests automatically on a schedule and report the results to the safety system. PST does not lower the dangerous failure rate itself; it converts a share of the dangerous undetected failures into dangerous detected ones, which are then found within the PST interval rather than the proof test interval and so reduce the average probability of failure on demand. Failures that appear only near the closed position, such as seat leakage or an inability to achieve tight shutoff, are not revealed by a partial stroke and still require the full proof test. A failed PST must be treated as a detected dangerous failure: repaired within the mean time to restore assumed in the SIL calculation, or the process brought to a safe state.
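The pass/fail evaluation a positioner performs on a partial stroke, as an added illustration that is not from the original article or from any vendor's firmware. The acceptance limits (15 percent target travel, breakaway within 3 s, target within 10 s, return to open within 20 s, a 30 percent overshoot cap so the test itself cannot trip the process) and the four position-feedback records are constructed for this example:

```python
"""Evaluate a partial stroke test (PST) from position-feedback samples.

Added example with constructed data; not from the original article or any
positioner vendor. Position is reported in percent open; the PST command is
issued at t = 0 s on a fully open fail-close valve. The acceptance limits are
assumed values for illustration and would come from the SIS design in practice.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Sample = Tuple[float, float]  # (time_s, position_pct_open)


@dataclass
class PstLimits:
    target_travel_pct: float = 15.0   # commanded partial stroke toward closed
    breakaway_pct: float = 1.0        # travel beyond this counts as "moving"
    max_breakaway_s: float = 3.0      # no movement by then: stuck stem, no air, solenoid did not vent
    max_travel_s: float = 10.0        # target must be reached by then (supply pressure, friction)
    max_return_s: float = 20.0        # back to open by then (return path, spring)
    overshoot_cap_pct: float = 30.0   # travel past this risks a spurious closure


@dataclass
class PstResult:
    passed: bool
    reason: str
    breakaway_s: Optional[float] = None
    travel_s: Optional[float] = None
    return_s: Optional[float] = None


def evaluate_pst(samples: List[Sample], limits: Optional[PstLimits] = None) -> PstResult:
    """Classify one PST record; every failure reason maps to a dangerous failure mode."""
    lim = limits or PstLimits()
    if not samples or 100.0 - samples[0][1] > lim.breakaway_pct:
        return PstResult(False, "valve not confirmed fully open before test")
    breakaway = travel = ret = None
    for t, pos in samples:
        trav = 100.0 - pos  # percent of full travel toward closed
        if trav > lim.overshoot_cap_pct:
            # The test is heading toward a spurious trip: abort and report.
            return PstResult(False, f"travel {trav:.1f}% exceeded {lim.overshoot_cap_pct}% cap", breakaway, travel)
        if breakaway is None and trav >= lim.breakaway_pct:
            breakaway = t
        if breakaway is not None and travel is None and trav >= lim.target_travel_pct - 1.0:
            travel = t
        if travel is not None and ret is None and trav <= lim.breakaway_pct:
            ret = t
    end = samples[-1][0]
    if breakaway is None:
        if end < lim.max_breakaway_s:
            return PstResult(False, "inconclusive: record shorter than breakaway limit")
        return PstResult(False, f"no breakaway within {lim.max_breakaway_s} s")
    if breakaway > lim.max_breakaway_s:
        return PstResult(False, f"breakaway late at {breakaway} s", breakaway)
    if travel is None:
        reason = ("inconclusive: record shorter than travel limit" if end < lim.max_travel_s
                  else f"target travel not reached within {lim.max_travel_s} s")
        return PstResult(False, reason, breakaway)
    if travel > lim.max_travel_s:
        return PstResult(False, f"target reached late at {travel} s", breakaway, travel)
    if ret is None:
        reason = ("inconclusive: record shorter than return limit" if end < lim.max_return_s
                  else f"did not return to open within {lim.max_return_s} s")
        return PstResult(False, reason, breakaway, travel)
    if ret > lim.max_return_s:
        return PstResult(False, f"returned late at {ret} s", breakaway, travel, ret)
    return PstResult(True, "pass", breakaway, travel, ret)


# Constructed position records (percent open) sampled after the PST command at t = 0.
SAMPLE_RUNS: Dict[str, List[Sample]] = {
    "healthy":    [(0, 100), (0.5, 100), (1.0, 98.5), (2.0, 94.0), (3.0, 89.0),
                   (4.0, 85.5), (5.0, 84.8), (6.0, 88.0), (8.0, 95.0), (10.0, 99.5)],
    "stuck_stem": [(0, 100), (1.0, 100), (2.0, 100), (3.0, 100), (4.0, 100)],
    "low_supply": [(0, 100), (1.0, 99.0), (2.0, 97.5), (4.0, 96.0), (6.0, 95.0),
                   (8.0, 94.5), (10.0, 94.0), (12.0, 93.8)],
    "overshoot":  [(0, 100), (1.0, 95.0), (2.0, 80.0), (3.0, 65.0)],
}


def run_examples() -> Dict[str, PstResult]:
    return {name: evaluate_pst(rec) for name, rec in SAMPLE_RUNS.items()}


if __name__ == "__main__":
    for name, res in run_examples().items():
        print(f"{name:11s} {'PASS' if res.passed else 'FAIL'}  {res.reason}")
```

The breakaway, travel and return times are kept in the result so that a trend of slowly increasing breakaway time across scheduled tests can be flagged before the limit is actually exceeded; the "inconclusive" outcomes exist because a truncated record must not be reported as a pass.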
IEC 61511 Requirements and SIL Verification
IEC 61511 requires that each safety instrumented function (SIF) achieve a specified safety integrity level (SIL) target, which for low-demand mode is expressed as a band of average probability of failure on demand (PFDavg); SIL 2, for example, corresponds to 10^-3 ≤ PFDavg < 10^-2. The valve and actuator assembly, as the final element, contributes to the overall SIF PFDavg and must be characterized by its dangerous failure rate (λD) and diagnostic coverage (DC), which together split λD into detected (λDD) and undetected (λDU) portions. Valve failure rate data is available from industry databases such as OREDA and from manufacturer reliability data. Because the final element usually consumes the largest share of a SIF's PFD budget, the proof test interval is calculated so that the valve's accumulated PFDavg stays within the fraction of the SIL target allocated to it. Typical proof test intervals for SIL 2 safety valves range from 1 to 5 years depending on the valve type, failure rate, and diagnostic coverage provided by PST.
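A worked PFDavg and proof test interval calculation for a 1oo1 valve/actuator final element, added here as an illustration and not taken from the article, from IEC 61511, or from any database. It uses the common simplified low-demand formula; the failure rate (2e-6 per hour), the diagnostic coverages, the monthly PST interval and the 24 h repair time are constructed values, and the SIL bands are the IEC 61511 low-demand PFDavg ranges:

```python
"""Simplified PFDavg estimate for a 1oo1 valve/actuator final element.

Added example, not from the original article. Uses the low-demand simplified
formula for a single channel with proof test interval T1, partial stroke test
interval T_pst and mean time to restore MTTR:

    PFDavg ≈ λDU_res * T1/2 + λDU_pst * T_pst/2 + λDD * MTTR

where λDD = λD * DC (found by online diagnostics), λDU = λD * (1 - DC),
λDU_pst = λDU * PST coverage (found by PST) and λDU_res is the remainder,
found only by the full proof test. All rates and coverages below are
constructed illustration values, not OREDA or vendor data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Low-demand PFDavg bands from IEC 61511-1 (lower bound inclusive, upper exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class FinalElement:
    lambda_d: float          # dangerous failure rate λD, per hour
    dc_online: float         # fraction of λD revealed by continuous diagnostics
    pst_coverage: float      # fraction of λDU revealed by partial stroke testing
    pst_interval_h: float    # PST interval in hours; 0 disables PST
    mttr_h: float = 24.0     # mean time to restore a detected failure

    def lambda_dd(self) -> float:
        return self.lambda_d * self.dc_online

    def lambda_du(self) -> float:
        return self.lambda_d * (1.0 - self.dc_online)

    def _split_du(self):
        """Return (λDU found by PST, λDU found only by the full proof test)."""
        ldu = self.lambda_du()
        if self.pst_interval_h <= 0:
            return 0.0, ldu
        return ldu * self.pst_coverage, ldu * (1.0 - self.pst_coverage)

    def pfd_avg(self, proof_interval_h: float) -> float:
        ldu_pst, ldu_res = self._split_du()
        return (ldu_res * proof_interval_h / 2.0
                + ldu_pst * self.pst_interval_h / 2.0
                + self.lambda_dd() * self.mttr_h)

    def max_proof_interval_h(self, target_sil: int, budget_fraction: float = 1.0) -> float:
        """Longest proof test interval that keeps PFDavg below the target SIL band's
        upper bound, scaled by the share of the SIF's PFD budget given to the valve."""
        limit = SIL_BANDS[target_sil][1] * budget_fraction
        ldu_pst, ldu_res = self._split_du()
        fixed = ldu_pst * self.pst_interval_h / 2.0 + self.lambda_dd() * self.mttr_h
        if fixed >= limit:
            return 0.0           # not achievable by proof testing alone
        if ldu_res == 0.0:
            return float("inf")  # everything is caught by diagnostics or PST
        return 2.0 * (limit - fixed) / ldu_res


def sil_achieved(pfd: float) -> int:
    """Highest SIL band whose upper bound the PFDavg stays below; 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_BANDS[sil][1]:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed valve: λD = 2e-6/h, 20 % online diagnostics, PST monthly with 60 % coverage.
    no_pst = FinalElement(lambda_d=2e-6, dc_online=0.2, pst_coverage=0.0, pst_interval_h=0)
    with_pst = FinalElement(lambda_d=2e-6, dc_online=0.2, pst_coverage=0.6, pst_interval_h=730)
    for years in (1, 2, 3, 5):
        t = years * HOURS_PER_YEAR
        print(f"T1={years} y  no PST: {no_pst.pfd_avg(t):.2e} (SIL {sil_achieved(no_pst.pfd_avg(t))})"
              f"  with PST: {with_pst.pfd_avg(t):.2e} (SIL {sil_achieved(with_pst.pfd_avg(t))})")
    for fe, label in ((no_pst, "no PST"), (with_pst, "with PST")):
        for share in (1.0, 0.5):
            yrs = fe.max_proof_interval_h(2, share) / HOURS_PER_YEAR
            print(f"{label:9s} SIL 2, {share:.0%} of budget: max proof test interval {yrs:.2f} y")
```

With these constructed numbers the valve alone meets SIL 2 for about 1.4 years without PST and about 3.4 years with monthly PST; allocating only half the SIF budget to the final element roughly halves both figures, which is why the 1 to 5 year range quoted above spans so much. The formula omits common cause and systematic failures, assumes the valve is as good as new after each proof test, and ignores the sensor and logic solver contributions, so it sets an upper bound on the interval rather than a final answer.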