“To many, total abstinence is easier than perfect moderation.” —St. Augustine
“Check valves are worthless.”
Every engineer I know has heard that. Many believe it. Quite a few have said it. Yet, check valves are still made and installed. How worthless could they be?
Why Use Check Valves?
Check valves are designed to allow flow in only one direction. Whether swing check, ball check, or some other design, check valves have one way in, one way out, and an internal mechanism that opens to flow when it is in the right direction and seals against flow when it is in the other direction. Some equipment, such as double diaphragm pumps, uses check valves as an essential element of proper operation. Other equipment, such as back flow preventers, uses check valves to prevent unsafe operation that normally does not occur under proper operating conditions.
Invariably, it’s the check valves used for safety that get hung with the “worthless” label. Many argue that when it comes to safety, there should be no credit for check valves.
If check valves are of no value, then there is no point in installing them. On the other hand, if they serve a purpose, then there must be some credit to take during a Process Hazard Analysis (PHA) or Layer of Protection Analysis (LOPA).
Check valves are not absolute protections against reverse flow. They prevent bulk reverse flow but will often allow small amounts to flow by. There are many different designs for check valves, but all rely on mechanisms that open to allow flow in one direction and close to prevent flow in the reverse direction. These mechanisms all have the potential to stick open or to be held open by debris. Many of these mechanisms have the potential to corrode or fall out. Given these concerns, it is easy to see how a black-and-white view of safeguards would lead to the conclusion that no credit should be taken for check valves.
Modern risk assessment does not take a black-and-white view of hazards or safeguards but recognizes that everything fails and those failures have a probability that can be calculated. It is this view that allows some credit to be taken for check valves in PHAs and LOPAs, at least when certain conditions are met.
Process Hazard Analysis
As a matter of practice, a PHA should list all existing safeguards against any particular hazard. Check valves are safeguards against reverse flow, and when they have been installed, they should be listed. How much credit should be taken during the likelihood assessment, however, is a different question.
The HazOp team needs to decide if the check valve is an effective safeguard. Is it used in clean service? Is the hazard one of bulk reverse flow? Does the check valve have a history of successful use? These are all indications that the check valve is an effective safeguard, in which case a level of protection can be achieved. On the other hand, does the check valve have a history of not working? If so, it should receive no credit in the PHA likelihood assessment.
Layers of Protection Analysis
Check valves are almost exclusively used as safeguards, rather than as active design features. The ball checks in double-diaphragm pumps are a notable exception. As a rule, then, check valves are potential independent layers of protection (IPLs) in a LOPA scenario. It is not typical that the failure of a check valve is the cause of a LOPA scenario; the cause of the reverse flow comes from some other failure. A check valve failure is typically a failure to protect, not a cause.
To be counted as an IPL, a check valve must satisfy the three criteria of all IPLs: effectiveness, independence, and auditability.
Effectiveness. To be considered effective, an IPL must be able to prevent the LOPA scenario from occurring in the absence of all other IPLs. When it performs as designed, it should be able to prevent the event in question all by itself. This is also true of check valves that are to be considered IPLs. Specific to check valves, the scenario should not depend on preventing small reverse flows or on the check valve being bubble tight when in the closed position. Rather, the scenario should only involve bulk reverse flow. The scenario should not include flow of sticky, dirty, or solids-laden fluids through the check valve, any of which could reasonably be expected to prevent the check mechanism from closing. In any case, any check valve that has a history of being unable to prevent back flow should be considered ineffective.
Independence. Generally, an IPL is independent when the failure of another IPL has no impact on its effectiveness, when its failure has no impact on the effectiveness of another IPL, and when its failure is not the cause of the scenario at hand. Single check valves, being isolated mechanical devices, typically have no difficulty satisfying the criterion of “independence”.
Auditability. An IPL can only be considered auditable when there is a means to verify that the IPL is functioning as intended, and verification is performed as scheduled. If a check valve is installed but cannot be tested or inspected, it is not auditable. If a check valve is installed so it can be tested and inspected, but there is not an active audit program that periodically tests and inspects the check valve, it does not satisfy this criterion. Furthermore, if the check valve is audited and found to not work as designed, it must be repaired. In the case of a check valve failure, effectiveness should also be considered. If a test and inspection reveals the failure of a check valve, serious thought should be given to whether the check valve can be considered effective. A typical audit frequency for check valves is annual; however, a different frequency may be justified once the test history is developed.
Credit as an IPL
If a check valve meets the three criteria for consideration as an IPL, then it is creditable as a measure of risk reduction. In a LOPA, a single check valve as an IPL gets credit for one order of magnitude risk reduction: Probability of Failure on Demand (PFD) = 0.1 and Risk Reduction Factor (RRF) = 10.
Often, multiple check valves are installed on the same process pipeline in order to achieve greater risk reduction. There is a limit, however, to the amount of risk reduction that multiple check valves can achieve. At some point, the problem that causes one check valve to fail will cause all check valves in the pipeline to fail. We know this as “common cause failure”, which we must treat with caution. We must take common cause failure into account because it directly affects the credit that we may take when using more than one check valve as a means of protection.
Two Check Valves. If there were no common cause failures, the PFD for two check valves would be:
PFD = 0.1 x 0.1 = 0.01
The RRF for two check valves would be:
RRF = 10 x 10 = 100
As much as 10% of the problems that would cause one check valve to fail, however, are of a nature to cause all check valves in that service to fail—common cause failures. This is especially true when the check valves are of the same design. This means that the calculation for the PFD for two check valves should be:
PFD = (0.1 x 90%) x (0.1 x 90%) + (0.1 x 10%) = 0.0181 → 0.01
Likewise, the RRF should be:
RRF = 1/PFD = 1 / 0.0181 = 55 → 100
Looking at either PFD or RRF, it is reasonable to consider the risk reduction from a pair of check valves in series as approaching two orders of magnitude. In a LOPA, then, it is reasonable to take credit for two check valves, especially when they are of different design, which will make the common cause failure contribution less than 10%.
Three or More Check Valves. Given that two check valves in series is better than a single check valve, does it follow that three check valves in series is better still?
When considering three check valves with no common cause failures, the PFD would be:
PFD = 0.1 x 0.1 x 0.1 = 0.001
The RRF for three check valves in series with no common cause failures would be:
RRF = 10 x 10 x 10 = 1,000
Once a 10% common cause failure rate is included, however, the PFD for three check valves gets much worse:
PFD = (0.1 x 90%)³ + (0.1 x 10%) = 0.0107 → 0.01 ≠ 0.001
Likewise, the RRF would be:
RRF = 1/PFD = 1 / 0.0107 = 93 → 100 ≠ 1,000
Clearly, the risk reduction provided by three check valves is still only two orders of magnitude. Moreover, additional check valves beyond three do not make the risk reduction any better than two orders of magnitude. Therefore, it is appropriate to take credit for one check valve or two check valves that qualify as IPLs, but no more than two.
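The calculation above carried through for any number of valves, as an added example that is not part of the original article. It generalizes the article's formula to n valves in series and a common cause fraction beta; the function names, the rounding rule in credited_orders, and the 5% beta used for valves of different design are assumptions made for illustration.

```python
import math

def series_pfd(n, single_pfd=0.1, beta=0.10):
    """PFD of n check valves in series, using the article's formula:
    (single_pfd * (1 - beta))**n + single_pfd * beta."""
    if n < 1:
        raise ValueError("need at least one check valve")
    if not 0.0 < single_pfd <= 1.0 or not 0.0 <= beta <= 1.0:
        raise ValueError("single_pfd must be in (0, 1], beta in [0, 1]")
    independent = (single_pfd * (1.0 - beta)) ** n  # all n fail on their own
    common = single_pfd * beta                      # one cause defeats every valve
    return independent + common

def rrf(pfd):
    """Risk Reduction Factor is the reciprocal of PFD."""
    return 1.0 / pfd

def common_cause_floor(single_pfd=0.1, beta=0.10):
    """PFD that no number of series valves can beat (limit as n grows)."""
    return single_pfd * beta

def credited_orders(pfd):
    """Orders of magnitude of credit, rounded to the nearest order the way
    the article rounds 0.0181 to 0.01 (assumed rounding rule)."""
    return round(-math.log10(pfd))

if __name__ == "__main__":
    print("valves  beta   PFD       RRF   credited orders")
    for n in (1, 2, 3, 4, 6):
        pfd = series_pfd(n)
        print(f"{n:>6}  10%   {pfd:.6f}  {rrf(pfd):5.0f}  {credited_orders(pfd)}")
    # Constructed value: 5% stands in for valves of different design, where the
    # article says the common cause contribution is less than 10%.
    pfd = series_pfd(2, beta=0.05)
    print(f"{2:>6}   5%   {pfd:.6f}  {rrf(pfd):5.0f}  {credited_orders(pfd)}")
    print("floor at beta=10%:", common_cause_floor())
```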
Take Credit for Check Valves in Perfect Moderation
Check valves are safeguards that prevent hazardous conditions that result from reverse bulk flow. You should acknowledge them in PHAs. As for taking credit for a check valve, don’t be too quick to jump to the “they’re worthless” conclusion. The amount of credit that you take for a check valve should depend on the service and history of the check valve.
In a LOPA, evaluate a check valve as you would any other IPL: for effectiveness, for independence, and for auditability. Typically, the hardest criterion to meet will be auditability. Assuming that a check valve meets the criteria of an IPL, it’s appropriate for you to take credit for up to one order of magnitude risk reduction. A second check valve can increase the credit up to two orders of magnitude, though only after you have shown that both check valves meet the criteria of an IPL.
It may be that you decide that the effort to qualify a check valve as an IPL is beyond you. In which case, St. Augustine’s admonition about total abstinence being easier than perfect moderation may come into play. It’s not because it has to be that way; it’s because you choose to make it that way. Otherwise, install them and take credit for them, as your analysis shows is appropriate.