
June 4

Proof Testing a Safety Instrumented System

Ever wondered about proof testing a safety instrumented system? 

Proof testing is a term that was first coined in the original IEC 61511 standard (functional safety - safety instrumented systems for the process industry sector). Unlike regular testing to see if a system performs as required by a specification, a SIF proof test should be designed to reveal otherwise unrevealed faults.

Background

In the process industry sector, a safety instrumented system (SIS) is often operating in low demand, where each safety instrumented function (SIF) final element is effectively dormant until it is needed to act.

Consider a simple SIF to detect the level in a tank and close a shut-off valve on the tank inlet to avoid overflow. Between demands the shut-off valve is open, and there is no way of knowing that it will definitely close if there is a demand.

We would rightly expect the likelihood of valve closure to be very high if the system has just been fully validation tested. The validation test is the main test which checks that the system meets its specification when it is first put into service. For the typical SIS, this validation test should involve a very stringent and documented inspection and test procedure.

So, on day one of operation, we expect the likelihood of valve closure (if a high-level demand occurs) to be very high. However, if there are no further demands, what is the likelihood that the valve will close on day 365 (after 1 year) or day 3650 (after 10 years)? That is a very difficult question to answer. However, we can all relate to the possibility that without further inspection, testing and maintenance, the likelihood of there being an undesired fault simply increases with time.
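To make the "likelihood increases with time" argument concrete, here is an added worked model (not from the original post) of the probability that a dormant fault is present in the shut-off valve on a given day, with and without periodic proof tests. It assumes a constant dangerous-undetected failure rate (the value used is constructed for illustration), a perfect validation test on day one and perfect proof tests that reveal and fix every dormant fault.

```python
import math

# Constructed illustrative value, not from the post: dangerous undetected
# failure rate of the shut-off valve, in failures per year.
LAMBDA_DU_PER_YEAR = 0.01


def p_unrevealed_fault(day, lambda_du=LAMBDA_DU_PER_YEAR, proof_test_interval_days=None):
    """Probability that a dormant (dangerous undetected) fault is present on a given day.

    Assumed model: constant failure rate, a perfect validation test on day 0 and,
    if an interval is given, perfect proof tests that reveal and fix every fault.
    """
    if proof_test_interval_days:
        # A perfect proof test resets the clock; only time since the last test counts.
        day = day % proof_test_interval_days
    return 1.0 - math.exp(-lambda_du * day / 365.0)


def worst_case_over_horizon(horizon_days, lambda_du=LAMBDA_DU_PER_YEAR,
                            proof_test_interval_days=None):
    """Highest fault probability reached on any day up to the horizon."""
    return max(p_unrevealed_fault(d, lambda_du, proof_test_interval_days)
               for d in range(horizon_days + 1))


def pfd_avg(lambda_du=LAMBDA_DU_PER_YEAR, proof_test_interval_days=365):
    """Average probability of failure on demand across one proof test interval:
    the mean of p_unrevealed_fault over the interval (exact integral of the
    exponential model; it reduces to lambda*T/2 when lambda*T is small)."""
    lt = lambda_du * proof_test_interval_days / 365.0
    return 1.0 - (1.0 - math.exp(-lt)) / lt


if __name__ == "__main__":
    for day in (1, 365, 3650):
        print(f"day {day:5d}: no proof tests -> {p_unrevealed_fault(day):.4f}, "
              f"yearly proof tests -> {p_unrevealed_fault(day, proof_test_interval_days=365):.4f}")
    print(f"worst day in 10 years, no proof tests:     {worst_case_over_horizon(3650):.4f}")
    print(f"worst day in 10 years, yearly proof tests: "
          f"{worst_case_over_horizon(3650, proof_test_interval_days=365):.4f}")
    print(f"PFDavg with yearly proof tests: {pfd_avg():.5f}")
```

Without proof tests the fault probability keeps climbing towards day 3650; with a yearly proof test it is capped at the value reached on the last day before each test, which is what makes the interval a design parameter rather than an afterthought.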

SIS inspection, SIS proof testing and maintenance are crucial activities to ensure systems remain safe over their lifetime. But what is involved?

The following steps are explained in more depth in our online courses. In a live plant situation, the steps below will only begin once authorisation or "permit-to-work" has been issued by operations.

Documentation - the "As-built" record

Inspection and proof testing a safety instrumented system should not begin without an extensive check of the available documentation.

For SIS/SIF it is crucial that the "As-built" (or As-Validated) documents are available. This may include numerous different documents, but the principal sources are likely to be the following:

  • Piping and Instrumentation Diagrams
  • Cause and Effects Diagrams
  • Safety Requirements Specification
  • Proof test procedure

Sometimes these documents can be conflicting if they have not been well controlled, especially in older systems. If that is the case, then it is important to note the discrepancy and understand which is the correct record before proceeding.

Inspection First - "As-found"

The condition of equipment has to be established first. Often, problems can be anticipated in advance of failures, and physical SIS inspection is the way to get that pre-warning. Below are a few inspection examples for safety-related equipment that do not require any physical test:

  • Inspect for obvious damage or signs of corrosion
  • Check equipment tags / SIF identification
  • Check software and/or firmware revisions match document records
  • Check for wiring, cable or termination issues
  • Look for kinks or damage to impulse lines
  • Check for poorly supported tubing or pipework
  • Cabinet security from unauthorised access
  • Signs of moisture/water ingress where it should not be
  • Leaks from piping or actuator gaskets
  • Valve stem corrosion

The above list is not exhaustive. The equipment supplier's installation and operation/maintenance manual should give additional advice, so that is an important source to check.

Record the "As-found" equipment condition

At the completion of inspection, the "As-found" status of the equipment should be recorded BEFORE any test or rectification of problems takes place. This is to ensure that systematic causes of problems are captured prior to problems being fixed.

SIF Proof Test to the "As-left" Condition

A function check, or safety instrumented function proof test, is also often called a "loop check". The goal is to exercise every active device in the safety loop (or SIF), whether that is completed in one step or multiple steps. In a way, this is a subset or repeat of many of the steps that should have occurred at the original validation test.

Although already noted above, the "As-found" status still applies to this step. For example, if a different trip or alarm setting is noted during the testing step, it is important to record this before making any adjustments.

SIF proof testing is best completed off-line, when the equipment is not in service protecting against a real hazard. If on-line testing is required for reasons of continued production, this has to be even more closely controlled and monitored.

An article like this cannot go into every nuance and step involved in testing types of equipment, so here's a list of what I think a good proof test procedure and template should include:

  • Document name, unique number, issue date, author and revision information
  • A list of documentation that must be reviewed before the test takes place
  • Information on who is qualified to use the procedure and perform each task
  • Special tools, access requirements or equipment needed for the test
  • Instruction & fields to record tags, SIF loop identifier, software and firmware, where applicable
  • Specific instruction and fields to record the "As-found" condition of each active SIF device
  • Detail of the hazard and consequences of failure, with mitigating measures for on-line tests
  • Detailed step-by-step task instructions for the test
  • Pass / Fail criteria per step, with room for comments
  • Space to record the "As-left" condition of each device
  • Space to record the tester name, signature and date(s) of the test 

It is important to get consistency in how inspection and testing are recorded so that these records can really be used for improvement and elimination of potentially dangerous systematic failure.
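As an added illustration (not part of the original post) of the record-keeping discipline described above, the following checker takes a hypothetical per-device proof test record and flags the gaps that would make it useless as evidence: an "As-found" condition missing, a setting adjusted with no as-found value, a step without a pass/fail result or a failed step with no comment, and an "As-left" setting that still differs from the Safety Requirements Specification. As-found deviations from the SRS are returned separately, captured for systematic-failure review rather than treated as errors. The device structure and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DeviceRecord:
    """One active SIF device on the proof test template (hypothetical structure)."""
    tag: str
    srs_trip_setting: Optional[float] = None   # setting required by the SRS, if the device has one
    as_found_condition: str = ""               # must be filled in BEFORE any test or adjustment
    as_found_trip_setting: Optional[float] = None
    steps: List[Tuple[str, str, str]] = field(default_factory=list)  # (description, PASS/FAIL, comment)
    as_left_condition: str = ""
    as_left_trip_setting: Optional[float] = None


def check_record(devices, tolerance=0.0):
    """Return (problems, discrepancies) for a proof test record.

    problems: record-keeping gaps that make the record unusable as evidence.
    discrepancies: (tag, SRS setting, as-found setting) deviations captured before adjustment.
    """
    problems, discrepancies = [], []
    for d in devices:
        if not d.as_found_condition:
            problems.append(f"{d.tag}: as-found condition not recorded")
        if d.as_left_trip_setting is not None and d.as_found_trip_setting is None:
            problems.append(f"{d.tag}: setting adjusted without an as-found value")
        for desc, result, comment in d.steps:
            if result not in ("PASS", "FAIL"):
                problems.append(f"{d.tag}: step '{desc}' has no pass/fail result")
            elif result == "FAIL" and not comment:
                problems.append(f"{d.tag}: step '{desc}' failed without a comment")
        if d.srs_trip_setting is not None:
            if d.as_found_trip_setting is not None and \
                    abs(d.as_found_trip_setting - d.srs_trip_setting) > tolerance:
                discrepancies.append((d.tag, d.srs_trip_setting, d.as_found_trip_setting))
            if d.as_left_trip_setting is not None and \
                    abs(d.as_left_trip_setting - d.srs_trip_setting) > tolerance:
                problems.append(f"{d.tag}: as-left setting {d.as_left_trip_setting} still differs from SRS")
    return problems, discrepancies


# Constructed sample record: a transmitter found drifted and corrected, a valve with a poor record,
# and a transmitter whose setting was changed with no as-found value written down.
SAMPLE = [
    DeviceRecord("LT-101", 85.0, "OK", 88.0, [("Simulate level to trip", "PASS", "")], "OK", 85.0),
    DeviceRecord("XV-101", None, "", None, [("Stroke valve closed", "FAIL", "")], "OK", None),
    DeviceRecord("PT-103", 10.0, "OK", None, [("Simulate pressure to trip", "PASS", "")], "OK", 10.0),
]
```

Running `check_record(SAMPLE)` yields three problems (XV-101 twice, PT-103 once) and one discrepancy for LT-101, which is the drifted trip point the tester correctly wrote down before adjusting it.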

About the author

Jon Keswick, CFSE

Jon Keswick is a Certified Functional Safety Expert (CFSE) and founder of eFunctionalSafety. Feel free to make contact via Linked-In or comment on any of the eFunctionalSafety blog pages.
