SPC/Technical/General/48
Version No: 1
OG status: Fully Open
Author unit / section: HID CI1F
Target audience: C&I specialist inspectors onshore chemical industry
Purpose
Audience
Relevant Acts and Regulations
Relevant Good Practice
Related Documents
Background
Approach
Management of Proof Testing
Further Information
Annexe A Relationship between Proof Testing and Reliability
Annexe B Consideration of Partial Testing
Purpose
1. To inform specialist inspectors of the expected standards on proof testing for demand mode safety instrumented systems in the onshore chemical and specialist industries.
Audience
2. Specialist inspectors within HID - CI & SI divisions, and CTG. It may also be of interest to specialist inspectors in HID offshore division and Health and Safety Laboratory.
Relevant Acts and Regulations
Management of Health and Safety at Work Regulations 1999 (as amended)
Provision and Use of Work Equipment Regulations 1998 (as amended)
Related Documents
(Note this is not an exhaustive list)
5. Guide to the application of IEC 61511 to safety instrumented systems in the UK process industries (EEMUA Publication 222)
CRR 428/200 Principles for proof testing of safety instrumented systems in the chemical industry
Offshore Information Sheet No. x/2010 (not yet issued) Proof testing of Emergency Shutdown Systems (ESD)
Partial-Stroke Testing of Block Valves, Angela E. Summers, Ph.D.
Testing of SIS Valves, William L. Mostia, Jr. P.E.
The effects of partial stroke testing on SIL level, Exida.com
Background
6. During normal operation, components of the safety instrumented system (SIS) are subject to the possibility of random hardware failures. These failures may be safe failures that could lead to spurious trips, or dangerous failures that may prevent the SIS operating correctly when required. Dangerous failures may not be revealed, and therefore there may be no indication that these failures exist. Over time, the likelihood that an unrevealed dangerous failure has occurred increases. Therefore the probability that the SIS will not operate as required in the event of a demand, due to a random hardware failure (often called the probability of failure on demand, PFD), also increases over time.

Proof testing is a test performed to reveal undetected faults in a safety instrumented system (SIS) so that, if necessary, the SIS can be restored to its designed functionality [BS EN 61511-1:2004 3.2.58]. By revealing all undetected faults, the PFD is effectively reset back to the designed value. Note that only faults that prevent the SIS completing the defined safety function are relevant. When designing proof test methods it is therefore necessary to consider both the undetected faults and the functionality of the safety function, i.e. the safety requirements specification (SRS).

It is important to distinguish between a function test of a safety instrumented function (SIF) and a proof test. Some SIFs are designed with redundant components (e.g. a 1oo2 voting system). Failure of a redundant component would not be revealed during a test of the function (e.g. high pressure may still close the valve even with one of the redundant solenoid valves failed). A proof test is designed to prove the integrity of the SIF by testing all components of the SIF, which would include testing each of the redundant solenoid valves.

Many duty holders use simple reliability calculations (see Annexe A below) to demonstrate that the average PFD of a particular SIF meets the PFD requirement specified in the SRS. This may form part of the duty holder's demonstration that a particular risk has been reduced to ALARP.
However, if some of the assumptions made within the reliability calculations are incorrect, then the level of risk reduction provided by the SIS may not meet the PFD specified in the SRS and therefore the risk may not be reduced to ALARP. Assumptions within the reliability calculations that may be incorrect include the following:

- The proof test interval or methodology has been specified on the basis of incorrect data, e.g. where a component's dangerous failure rate has been assumed to be lower than is actually achieved in service (e.g. due to environmental factors or over-optimistic claims). A higher component dangerous failure rate will lead to a higher average SIF PFD, which may exceed the limit specified in the SRS.
- The actual proof test interval is different from the interval assumed in the calculation. Longer test intervals will lead to a higher average SIF PFD, which may exceed the limit specified in the SRS.
- The proof testing does not reveal all faults that prevent the SIS performing its designed functionality and allow them to be repaired in a timely and safe manner. If faults are not revealed then the actual PFD will continue to increase over time, and will eventually exceed the limit specified in the SRS (see Annexe B).
- The proof testing does not fully cover all components of the SIS (e.g. because test switches or simulation do not exercise the measurement component, or because output elements are not tested). If faults are not revealed because some components are not tested, then the actual PFD will continue to increase over time, and will eventually exceed the limit specified in the SRS (see Annexe B).

Examples of test methods that may not reveal all faults include:

- valves checked only to the limit switch or solenoid;
- output elements not tested;
- test buttons on switches, e.g. built-in test facilities, which may or may not reveal all faults;
- transmitters put into test mode and signals injected (usually with smart or fieldbus transmitters);
- pressure transmitters tested from the manifold, i.e. impulse lines not tested;
- equipment not tested in its normal position.
7. In new SIS, duty holders should ensure that the SIS and associated process are designed with testing in mind, so that a full end-to-end test (or equivalent) revealing all undetected faults can be achieved. Consideration should be given to components that are easier to test online where necessary. For legacy SIS, the aim should be to achieve a full end-to-end test (or equivalent) revealing all undetected faults, where it is reasonably practicable to do so. One way to achieve this is to review the proof test procedures and determine which undetected faults are not being revealed by the current proof testing regime (a gap analysis against current standards). Where reasonably practicable, the test can then be improved or alternative measures identified to reveal these faults. For example, where a valve requiring tight shutoff is tested only to a limit switch, the valve might be periodically overhauled, which may include leak testing to demonstrate tight shutoff.

It may be that these alternative measures cannot be achieved during normal proof testing (e.g. because the valve has to be removed). In these cases the proof testing shall be considered as partial proof testing. Whenever partial proof testing is carried out, the PFD of the SIS will eventually exceed requirements because the PFD of the untested parts becomes dominant (see Annexe B). Therefore partial testing must eventually be followed up with a full proof test, or alternative measures that identify all unrevealed faults, albeit at a different proof test interval. If different parts of the SIS are tested at different intervals (either because of operational constraints or because of partial proof tests), then it should be demonstrated that the PFD remains within the limit set by the safety requirements specification (e.g. within the reliability calculation, see Annexe B). It is common practice to test parts of the SIS at different times to fit in with operational constraints. Where this occurs, measures should be taken to ensure that no parts of the safety function are missed.
Diagnostic features are often used to improve the reliability and safe failure fraction of equipment. These may include diagnostic functions built into components by manufacturers (e.g. memory checking) or diagnostics implemented during the design of the SIF (e.g. transmitter under/over range detection). Note the difference between diagnostic coverage and proof testing. Diagnostic coverage refers to methods which detect what would otherwise be a dangerous failure and turn it into a safe failure (also called a detected dangerous failure) within the process safety time, whereas proof testing is a method of revealing dangerous failures at a pre-defined interval. A diagnosed failure should have the same result as a safe failure. This does not necessarily mean that a safety function will trip when a diagnostic failure is detected, for example where voted input systems are used.

Proof testing should include appropriate testing of diagnostic functions, since they contribute to meeting the PFD and fault tolerance requirements and therefore the safety requirements specification. Some built-in diagnostic functions (e.g. memory checking in safety PLCs or smart instruments) may be difficult to test fully, since the initiating conditions cannot be simulated. In these cases reasonable efforts should be made during the test to confirm that the diagnostics are operational, based upon discussions with the component manufacturer. In some cases the diagnostics may be operational at all times and no further testing is possible; however, this should be explored and documented.

Faults may be detected by diagnostics, by proof tests or as a result of safe failures. The safety requirements specification should specify the actions to be taken in the event of a fault being detected, and detection of a fault shall result in appropriate action being taken. This may require action to achieve a safe state, or possibly continued operation within the specified MTTR (mean time to restoration), depending upon the hardware arrangement and the safety function.

Note that every safety function should also be subject to visual inspection to identify unauthorised modifications and signs of deterioration. This inspection needs to cover all parts of the loop, including field junction boxes. Inspection may be carried out as a separate exercise or as part of the proof test.
Approach

8. Proof testing procedures should be based upon a well defined safety requirements specification. Inspectors should ensure that the safety function is defined and its requirements reflected within the proof test procedure (e.g. time to close, tight shutoff, action on single sensor failure etc.). [Relevant good practice BS EN 61511-1 clause 10 & 16.3.1]

Proof testing should be designed to reveal all undetected dangerous failures and therefore should be based upon the failure modes of the components. Tests should reveal all known or predicted relevant failure modes. [Relevant good practice BS EN 61511-1 clause 16.3.1]

With new build, proof testing should be considered during the design stages. The SIF should be designed to allow a proof test, or other equivalent measures, that fully restores the SIF to its designed functionality. [Relevant good practice BS EN 61511-1 clause 11.8]

For legacy SIS, the duty holder should complete a gap assessment to identify undetected faults that are not revealed by the current proof test procedure. Where gaps are identified, additional measures should be taken to close them where reasonably practicable (e.g. valve overhauls etc.).

Where partial proof testing is carried out, this should be reflected in the reliability calculation. Partial testing includes built-in test functions that do not have full test coverage, and situations where some parts of the SIS are tested at different proof test intervals (e.g. testing outputs only during shutdown). [Relevant good practice BS EN 61511-1 clause 11.9 & 16.3.1.3]

Partial proof testing strategies will ultimately require a full proof test, or other equivalent measures, at some time; otherwise the SIF will eventually not meet its SIL requirements (whatever the failure rates of the components). It is acceptable for a full test to occur only every nth test, with partial testing in between, as long as this is reflected in the reliability calculation. [Relevant good practice BS EN 61511-1 clause 16.3.1.2 & 16.3.1.3]

A full end-to-end test is required. If the test is carried out in parts then measures should be taken to ensure that no part of the safety function is missed. [Relevant good practice BS EN 61511-1 clause 16.3.1.2]

Proof testing should also be designed to reveal undetected faults in the diagnostic facilities that could prevent the SIS operating in accordance with the safety function (e.g. by reducing its integrity). Where diagnostic features are built in to components (e.g. memory checking), reasonably practicable efforts should be made to ensure that these diagnostics are operating correctly. [Relevant good practice BS EN 61511-1 clause 16.3.1.1, 16.3.1.3 & 11.9]

The safety requirements specification should specify the actions to be taken in the event of a fault being detected, and detection of a fault shall result in appropriate action being taken. This may require action to achieve a safe state, or possibly continued operation within the specified MTTR (mean time to restoration), depending upon the hardware arrangement and the safety function. [Relevant good practice BS EN 61511-1 clause 10 & 11.3]

All SIS should be subject to periodic visual inspection, covering all components (e.g. junction boxes), to detect unauthorised modifications or deterioration. Inspection may be carried out during the proof test or as a separate exercise. [Relevant good practice BS EN 61511-1 clause 16.3.2]
Management of Proof Testing

10. Human errors during proof testing may result in dangerous failures being introduced or overlooked, and therefore may also result in SIF failures. Management arrangements should therefore be in place to ensure proof testing is completed correctly. These should include measures for ensuring adequate management of competency for those managing, specifying or undertaking proof testing, and consideration of the appropriate human factors. [Relevant good practice BS EN 61511-1 clauses 5.2.2.2, 11.2.5, 11.2.6]

Arrangements for proof testing should be documented, and SIS maintenance, inspection and proof test outcomes (before and after states), including unplanned work, should be recorded. The arrangements for proof testing should also be reviewed on a regular basis in the light of operating experience and relevant maintenance records and information. [Relevant good practice BS EN 61511-1 clause 16.2.7, 16.2.8, 16.3.1.1 & 16.3.3]

Further Information

Nic Butcher, HID CI2E, Nic.Butcher@hse.gsi.gov.uk
Annexe A Relationship between Proof Testing and Reliability

Once a test interval is known, the average PFD (PFDAV) across the test interval can easily be calculated and compared against the target PFD. This can then form part of the demonstration that the SIS provides the necessary risk reduction.
Where:
[Equations taken from BS EN 61508-6:2001 B2.2.1 and assuming mean time to repair is small relative to the proof test interval. Note these equations have been simplified for the purposes of demonstration of particular issues.] These equations are suitable for low demand modes of operation only, i.e. where the demand frequency is no greater than 1 per year and no greater than 2 x the proof test frequency [BS EN 61508-4:2001 3.5.12].
So if the failure rate of a particular component was 0.02 per year then with a 1 year proof test interval the PFDAV would be 0.01. Similarly for 2 year interval the PFDAV would be 0.02. By running the equation in reverse, if a PFDAV of 0.001 was required then the proof test interval would be 0.1 years (about 36 days).
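The simplified relationship behind these figures, written out here as an added note rather than as text from the circular (which cites BS EN 61508-6:2001 B2.2.1 for it): for a dangerous undetected failure rate $\lambda_{DU}$ (per year, assumed constant) and a proof test interval $T$ (years), with repair time neglected and the PFD small,

$$\mathrm{PFD}(t) = 1 - e^{-\lambda_{DU} t} \approx \lambda_{DU}\, t, \qquad \mathrm{PFD}_{AV} = \frac{1}{T}\int_0^T \lambda_{DU}\, t\, dt = \frac{\lambda_{DU}\, T}{2},$$

and, run in reverse, $T = 2\,\mathrm{PFD}_{AV} / \lambda_{DU}$. With $\lambda_{DU} = 0.02$ per year this gives $\mathrm{PFD}_{AV} = 0.01$ for $T = 1$, $0.02$ for $T = 2$, and $T = 0.1$ years for a target $\mathrm{PFD}_{AV}$ of $0.001$, which are the figures quoted above. The symbols $\lambda_{DU}$ and $T$ are the usual BS EN 61508 ones and are an assumption here, since the circular's own equations are not reproduced on this page.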
Annexe B Consideration of Partial Testing

Where:
[Equations taken from BS EN 61508-6:2001 B2.2.1 and assuming mean time to repair is small relative to the proof test interval. Note these equations have been simplified for the purposes of demonstration of particular issues.] These equations are suitable for low demand modes of operation only, i.e. where the demand frequency is no greater than 1 per year and no greater than 2 x the proof test frequency [BS EN 61508-4:2001 3.5.12]. The PFDAV can be calculated for each component of the system (e.g. S Sensor, LS Logic Solver and FE Final Element) and then summed together.
[This approach is only valid for small values of PFD.] This approach can also be used to further break down a component into failure modes (for example where partial stroke testing is used). For example, if the final element is a valve required to close to achieve the safety function and the failure modes were as follows (note these figures and failure modes are illustrative only and should not be used):

Failure Mode                          Failure Rate (per year)   Detected by partial stroke testing?
Solenoid fails to vent                0.005                     Yes
Valve sticks open                     0.004                     Yes
Valve doesn't fully close or passes   0.001                     No
Other unknown failures                0.006                     No
TOTAL                                 0.016
If we assume that the plant is only shut down every 4 years, without partial stroke testing then the PFD for this valve would be:
However, with partial stroke proof testing every 3 months (0.25 years):
The PFDAV is more than halved with the partial stroke proof testing in this example. Note that this partial valve test is assumed to be a proof test, not a diagnostic test, since it does not detect and act upon failures within the process safety time. In the above equation note that the first term on the right hand side refers to failures of the system that are detected during partial stroke testing, and the second term refers to the remaining failures that are only tested every 4 years at shutdown. Therefore, even if we did the partial stroke testing almost constantly (e.g. every hour, about 0.0001 years), such that the first term became almost zero, the minimum PFDAV value would be 0.014. This shows the effect of partial testing, i.e. it does not matter how well you test part of the system, the PFD will eventually be dominated by the parts of the system that are not tested. This can also be shown graphically (see below):
Note that the graph shows the PFD as it varies over time (note this is PFD, not PFDAV). The red line represents the scenario where no partial testing is done and only a full test is done every 4 years. The blue line represents the PFD of the system with partial testing. Note that the PFD of the untested part of the system (black line) increases until 4 years, when a full test is carried out. By the end of the 4 years, the PFD is dominated by the untested part of the system.
Note that in a low demand system, the object is to discover dangerous failures through proof testing before they are discovered by a real demand. For this reason, the demand frequency should be considerably lower than the proof testing frequency. With partial proof testing the demand frequency should be considerably lower than the worst case proof test frequency (i.e. considerably lower than once per 4 years proof test in the above example). Typically, the following rule of thumb should be satisfied: