In this short guide we will learn something about proof testing Safety Instrumented Systems.
What is a Proof Test of a Safety Instrumented System?
Proof testing is the process by which the end user tests whether the Safety Instrumented System is actually working as intended. A proof test has to be carried out for every Safety Instrumented Function (SIF for short). For example, if a SIF is supposed to prevent the overfilling of a storage tank by shutting off the inlet valve when the level exceeds the trip point, then we need to proof test this safety function periodically to ensure that the SIF is still working. This is known as a proof test.
Note that each SIF has its own proof test. When we say we carry out a proof test of a Safety Instrumented System, in reality, we are carrying out the proof testing of individual Safety Instrumented Functions.
Why is a Proof Test necessary?
Safety Instrumented Functions, especially where they are of the low demand type (such as in the Process Industries), are idle most of the time when the plant is running smoothly. They need to act (trip the plant) when an unsafe condition is triggered. Because the SIF is idle most of the time, we have no way to ensure that it will really work when demanded. To ensure that the SIF is still in working condition, it is proof tested periodically. Thus undetected dangerous failures of the SIF can be found via a proof test before they actually prevent the SIF from working upon demand. In other words, we proactively try to find dangerous failures of the SIF via a proof test.
For example, imagine there is an Emergency Stop button on a machine. It is not used for many years because the machine runs smoothly and there was no reason to use it. Over a period of time the circuitry inside may have degraded and perhaps, it has already failed (but we do not know). When there is a problem and somebody presses it, the person realizes that it is not working (which is too late!). To avoid this situation, all SIFs should be periodically proof tested.
How does one carry out a Proof Test? What is an end to end proof test?
There are different ways to carry out proof testing, depending on the design and complexity of the SIF. If the SIF is complex, with many redundant parts and voting logic, it becomes a complicated task to really proof test it correctly and without causing any process upsets or accidents. For example, suppose a SIF has two input sensors/transmitters in voting logic (1oo2), connected to a redundant logic solver pair (also 1oo2) that drives a final element (say an on/off valve). If the process pressure exceeds the trip value then the valve should shut off.
When we test the SIF end to end, say by increasing the actual process value (without jeopardizing process safety), it is not merely enough to observe that the SIF actuated and the valve shut off. How do we know which of the two sensors acted first or which of the two logic solvers acted first? Thus you can see that an end to end test may not actually be enough to “prove” that all components of the SIF worked. Therefore one must design a proof test that really tests every component of the SIF satisfactorily.
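The masking effect described above, as an added example that is not part of the original guide: a toy model of the 1oo2 sensor / 1oo2 logic solver SIF, with one constructed "stuck" transmitter, showing that the end-to-end test still passes while a component-by-component test exposes the failed element. The sensor and solver names are assumptions.

```python
# Added example (not from the original guide): why an end-to-end test of a
# redundant SIF can pass while one element has already failed dangerously.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sensor:
    name: str
    trip_point: float
    stuck_at: Optional[float] = None  # constructed dangerous failure: frozen reading

    def tripped(self, process_value: float) -> bool:
        reading = self.stuck_at if self.stuck_at is not None else process_value
        return reading > self.trip_point


@dataclass
class LogicSolver:
    name: str
    healthy: bool = True

    def evaluate(self, votes: List[bool]) -> bool:
        # 1oo2 sensor voting: any one sensor tripping demands a trip
        return self.healthy and any(votes)


def end_to_end_test(sensors: List[Sensor], solvers: List[LogicSolver],
                    process_value: float) -> bool:
    """Raise the process value and observe only the final element (valve closed?)."""
    votes = [s.tripped(process_value) for s in sensors]
    solver_outputs = [ls.evaluate(votes) for ls in solvers]
    return any(solver_outputs)  # 1oo2 logic solvers drive the valve


def component_test(sensors: List[Sensor], solvers: List[LogicSolver],
                   process_value: float) -> List[str]:
    """Exercise each element in isolation; return the names that failed to act."""
    failed = [s.name for s in sensors if not s.tripped(process_value)]
    failed += [ls.name for ls in solvers if not ls.evaluate([True])]
    return failed


# Constructed scenario: PT-B is frozen at 40 while the trip point is 100.
SENSORS = [Sensor("PT-A", 100.0), Sensor("PT-B", 100.0, stuck_at=40.0)]
SOLVERS = [LogicSolver("LS-1"), LogicSolver("LS-2")]

if __name__ == "__main__":
    print("end-to-end passed:", end_to_end_test(SENSORS, SOLVERS, 120.0))
    print("failed elements:", component_test(SENSORS, SOLVERS, 120.0))
```

The end-to-end test reports a successful trip because PT-A and either logic solver are enough, so the dangerous failure of PT-B stays hidden until each element is tested on its own.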
What about diagnostics?
Self diagnostics is a great feature, but no diagnostic coverage is 100%, which means all faults cannot be diagnosed by the self diagnostics circuitry. Only a full 100% proof test can reveal all the faults in a SIF.
What is a Proof Test Interval?
The time between two successive proof tests is known as the proof test interval. The proof test interval should be set in a way that maintains the safety integrity of the SIF while not interrupting the process too frequently to carry out the proof test.
When we first design and install the SIF, we make certain calculations about its Safety Integrity Level (SIL). It has a certain calculated PFDavg (average Probability of Failure on Demand). This deteriorates over time and hence we have to periodically carry out a proof test to ensure that the PFDavg stays within the accepted levels.
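The relationship between PFDavg and the proof test interval, as an added example that is not part of the original guide. It uses the simplified low-demand approximations (1oo1: PFDavg ≈ λDU·TI/2; 1oo2 without common cause: (λDU·TI)²/3) and the IEC 61508 low-demand SIL bands; the proof test coverage term, which leaves an untested residue until the end of the mission time, is the usual way a partial proof test is modelled. The failure rate, mission time and monthly scan step are assumptions.

```python
# Added example (not from the original guide): simplified PFDavg versus
# proof test interval for a 1oo1 and a 1oo2 architecture.
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du: float, ti_hours: float, ptc: float = 1.0,
                 mission_hours: float = 20 * HOURS_PER_YEAR) -> float:
    """lambda_du: dangerous undetected failures per hour; ti_hours: proof test
    interval; ptc: proof test coverage (1.0 = full proof test). The part the
    proof test cannot reveal is only cleared at the end of the mission time."""
    tested = ptc * lambda_du * ti_hours / 2
    untested = (1 - ptc) * lambda_du * mission_hours / 2
    return tested + untested


def pfd_avg_1oo2(lambda_du: float, ti_hours: float) -> float:
    """Two independent channels, common cause failure ignored (simplified)."""
    return (lambda_du * ti_hours) ** 2 / 3


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand bands; 0 means PFDavg >= 0.1 (no SIL claim)."""
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def max_interval_for_sil(lambda_du: float, target_sil: int, ptc: float = 1.0,
                         step_hours: float = HOURS_PER_YEAR / 12):
    """Largest 1oo1 proof test interval (hours, scanned monthly) that still
    meets target_sil; None if even one step fails."""
    best, ti = None, step_hours
    while ti <= 20 * HOURS_PER_YEAR:
        if sil_band(pfd_avg_1oo1(lambda_du, ti, ptc)) < target_sil:
            break
        best = ti
        ti += step_hours
    return best


if __name__ == "__main__":
    lam = 1e-6  # constructed: one dangerous undetected failure per ~114 years
    for years in (1, 2, 5):
        print(years, "yr:", pfd_avg_1oo1(lam, years * HOURS_PER_YEAR))
    print("max TI for SIL 2 (h):", max_interval_for_sil(lam, 2))
```

Note how a 90% proof test coverage pushes the same 1oo1 loop from SIL 2 to SIL 1 at a one-year interval, which is the practical cost of a partial proof test.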
What is a Partial Proof Test?
When only some components of the SIF are proof tested, or only one component is partly tested, it is referred to as a partial proof test.
What is a Partial Stroke Test?
When a control valve or on/off valve is not tested fully, meaning that the valve is not moved through its complete travel (from open to close or vice versa) but only through a part of it, it is known as partial stroke testing. The valve stroke is the travel path of the stem of the valve (or the part that actually drives the valve from open to close and back). See the picture for an example of the stem of a diaphragm type pneumatic control valve.
When one tests this travel only partially, it is said to be a partial stroke test.
Can a partial stroke test be a substitute for a full stroke test?
Not really 100%. A partial stroke test gives us higher confidence that the valve is not stuck in its current position and will move when demanded by the SIF. However, there is no guarantee that the valve will actually complete the entire travel when demanded.
Proof Testing Principles for Safety Instrumented Systems
Here are some principles for proof testing of safety instrumented systems.
The proof testing procedure must be defined for every SIF at the time the Safety Requirements Specification is decided. This will avoid a lot of problems later on, at the time when we actually carry out a proof test. Proof testing should be carried out according to standards such as IEC 61508 and IEC 61511 / ISA S84 (for the process industry).
Furthermore, we need to take care of the following:
- Every SIF testing procedure should be documented and repeated the same way for every proof test.
- The proof test should be realistic so that 100% of all the components are tested. One cannot have a simulation of the behavior of some parts and then claim a 100% proof test.
- The proof test should not itself cause any safety issues. For example, removing any components or injecting any pressures, etc should not cause process upsets or accidents. That is why it is generally carried out during plant shutdowns.
- If a proof test is carried out during normal operation, then effectively the SIF is not available at that time. An alternate means of risk reduction should be implemented so that the process safety is not compromised.
- Ideally the setup for the proof test should be part of the installation, so that any trained technician should be able to carry it out without the help of external contractors.
- If the proof test fails, then this must be recorded and the management informed accordingly. The SIF should be immediately repaired. An alternative arrangement for ensuring the process safety must be implemented immediately. The failure data should be sent to the supplier of the SIF for their corrective actions. The proof test interval now must be reduced accordingly.