Ever wondered about proof testing a safety instrumented system?
Proof testing is a term that was first coined in the original IEC 61511 standard (functional safety - safety instrumented systems for the process industry sector). Unlike regular testing to see if a system performs as required by a specification, a SIF proof test should be designed to reveal otherwise unrevealed faults.
Background
In the process industry sector, a safety instrumented system (SIS) is often operating in low demand, where each safety instrumented function (SIF) final element is effectively dormant until it is needed to act.
Consider a simple SIF to detect the level in a tank and close a shut-off valve on the tank inlet to avoid overflow. Between demands the shut-off valve is open, and there is no way of knowing that it will definitely close if there is a demand.
We would rightly expect the likelihood of valve closure to be very high if the system has just been fully validation tested. The validation test is the main test which checks that the system meets its specification when it is first put into service. For the typical SIS, this validation test should involve a very stringent and documented inspection and test procedure.
So, on day one of operation, we expect the likelihood of valve closure (if a high-level demand occurs) to be very high. However, if there are no further demands, what is the likelihood that the valve will close on day 365 (after 1 year) or day 3650 (after 10 years)? That is a very difficult question to answer. Even so, we can all relate to the possibility that without further inspection, testing and maintenance, the likelihood of there being an undesired fault simply increases with time.
SIS inspection, SIS proof testing and maintenance are crucial activities to ensure systems remain safe over their lifetime. But what is involved?
The following steps are explained in more depth in our online courses. In a live plant situation, the steps below will only begin once authorisation or "permit-to-work" has been issued by operations.
Documentation - the "As-built" record
Inspection and proof testing of a safety instrumented system should not begin without an extensive check of the available documentation.
For SIS/SIF it is crucial that the "As-built" (or As-Validated) documents are available. This may include numerous different documents, but the principal sources are likely to be the following:
Sometimes these documents can be conflicting if they have not been well controlled, especially in older systems. If that is the case, then it is important to note the discrepancy and understand which is the correct record before proceeding.
Inspection First - "As-found"
The condition of equipment has to be established first. Often, problems can be anticipated in advance of failures, and physical SIS inspection is the way to get that pre-warning. Below are a few inspection examples for safety-related equipment that do not require any physical test:
The above list is not exhaustive. The equipment supplier should give additional advice in their installation, operation/maintenance manual, so that's an important source to check.
Record the "As-found" equipment condition
At the completion of inspection, the "As-found" status of the equipment should be recorded BEFORE any test or rectification of problems takes place. This is to ensure that systematic causes of problems are captured prior to problems being fixed.
SIF Proof Test to the "As-left" Condition
A function check, or safety instrumented function proof test, is also often called a "loop check". The goal is to exercise every active device in the safety loop (or SIF), whether that is completed in one step or multiple steps. In a way, this is a subset or repeat of many of the steps that should have occurred at the original validation test.
Although already noted above, the "As-found" status still applies to this step. For example, if a different trip or alarm setting is noted during the testing step, it is important to record this before making any adjustments.
SIF proof testing is best completed off-line, when the equipment is not in service protecting against a real hazard. If on-line testing is required for reasons of continued production, this has to be even more closely controlled and monitored.
An article like this cannot go into every nuance and step involved in testing types of equipment, so here's a list of what I think a good proof test procedure and template should include:
It is important to get consistency in how inspection and testing are recorded so that these records can really be used for improvement and elimination of potentially dangerous systematic failure.