Typical devices used for implementing PST are as follows:
I) Use the ESD system to perform the test
II) Use a positioner-based device
III) Use a 2oo2 or 2oo3 redundant device
IV) Use a 2oo4D redundant device
As with most things, there are better choices for different situations.
I) While an ESD-based PST seems like an obvious solution, it has considerable deficiencies as follows:
a) It is expensive due to the cost of additional ESD I/O and field wiring.
b) It utilizes the same field devices, and as such provides no reduction in the dangerous or spurious failure rate of the SOV.
c) Minimal improvement in the PFDavg of the SIF.
d) No local testing capability.
e) No improvement in the operational availability of the SIF resulting from spurious trips due to SOV failure.
f) No online replacement of failed SOV.
g) Constrained by Management of Change (MOC) restrictions for the Logic Solver (PES).
II) Using a positioner-based device is perhaps the worst option, as it is a complete misapplication of technology. Positioners should modulate control valves, whose movement is very small. ESD valves on the other hand are fully open or fully closed, and go from one state to the other as quickly as possible. Because positioners have a very small Flow Factor (Cv), they cannot vent a valve diaphragm quickly as required to satisfy the process safety time, and are suitable only for smaller valves. To compensate for this deficiency, an interposing SOV can vent the valve diaphragm. This SOV is not tested during the PST and remains in an open position for an extended period of time. As such, it may not be able to close (vent) upon demand and is itself a source of both dangerous failures and spurious trips.
In addition to the interposing SOV, positioners use a pneumatic valve-nozzle arrangement, which operates independently of the positioner electronics. Given the nozzle orifice plugs up (often by a tiny spec of dirt or water in the air supply), shutting off the electronics will not vent the valve diaphragm. This is a dangerous failure mode, as venting the diaphragm (closing the valve) is critical to achieving the safe state. Unfortunately, most positioner product safety evaluations do not address this dangerous failure mode.
III) Using either 2oo2 or 2oo3 redundant devices also has some issues:
a) These devices do not undergo testing prior to conducting the PST, and could fail during the PST thus tripping the process.
b) To perform online repair, both devices require by-passing (completely disabling) the safety function.
c) The 2oo2 device is only fault tolerant in the air supply mode. To vent the ESD valve diaphragm, both SOVs have to operate properly (close). If either SOV is stuck open and fails to close, the valve diaphragm does not vent, the ESD valve does not close; and we experience a dangerous failure of the SIF due solely to a fault in the 2oo2 device.
d) The safety certification and SIL rating for the 2oo2 device mandates that it operate only as a 1oo1 device with hot backup. As such, only one of the SOVs is active. Frequent switching between SOVs must occur in order to maintain the SIL rating, and these transitions could be a source of spurious trips.
e) The 2oo3 device contains numerous check valves, which can stick because of dirt or water in the air supply. As such, this can itself be a source of dangerous failures and spurious trips.
IV) The ideal PST configuration is the 2oo4D architecture used in this device. This architecture provides two parallel paths, each path having two SOVs in series. It has the following operational advantages:
a) It is fail safe and fully fault tolerant (both air supply and exhaust). No single failure will prevent the correct operation of this device.
b) The device can completely test out prior to performing the PST. If there is a fault detected by internal diagnostics, the PST cancels out, and the fault gets hit with an alarm.
c) The device certification goes to SIL3 by TÜV Rheinland and provides immunity to spurious trips due to failures in the PST device.
d) You can repair the device online without disabling or by-passing the associated safety function.
e) Eliminates dangerous and spurious failures associated with the SOVs.
f) Immediate detection of SOV failures resulting from an uncommanded change of state.
g) The Cv of the device is large, and it is suitable for use on larger valves without external venting devices.
h) Local testing, diagnostic, and alarm capability.
i) You are able to prevent over stroking of the safety valve due to sluggish response.
j) The device automatically calibrates to the valve under actual process operating conditions.
k) The device is simple to install, operate, and maintain.
l) The device does not affect the MOC requirements for the PES.
Author - Dr. Lawrence Beckman