Sustaining safety systems with proof testing


Matthew Morton discusses the importance of carrying out safety instrumented function proof testing

Onshore and offshore petrochemical assets have a well-established installed base of safety integrity level (SIL) rated systems. SIL is defined as the probability of a safety instrumented function (SIF) satisfactorily performing the required safety functions under all stated conditions within a set period of time. Put simply, SIL is a measure of the performance required from a safety instrumented system (SIS) to maintain or achieve the safety state.

However, there is a common misconception amongst end users that once a SIS is installed they automatically have a functional, certified safety system going forwards. The reality is that, from the point at which a plant has a completed Stage 3 functional safety assessment (FSA), the SIS is only compliant until the date of the first cycle of proof testing.

Following the Stage 3 FSA, operators must follow a defined proof test schedule, performing tests as directed in the schedule and at the requisite frequency, or the SIS will no longer be compliant. More importantly, the real possibility exists that the plant is actually unsafe, as you can no longer expect that the SIS will operate correctly on demand.

Proof testing regimes must continue until decommissioning is completed, or the system is no longer needed for risk reduction. Periodic proof testing is not revalidating the SIS as a whole; it is checking that dangerous undetected failures (identified in the earlier stages of the life cycle) have not occurred and, if necessary, performing rectification measures.

Types of dangerous faults found during proof testing might include, for example, a level switch in a tank that must detect a low level (a dangerous state) sticking above this level. The level sensor spuriously indicating a low-level state is not dangerous as this is the trip state, but the switch sticking at a high level is dangerous as a genuine low level in the tank would not be signalled. Although oversimplified, this identifies the need for (and importance of) proof testing to identify faults that may have occurred and are silently awaiting a demand that the system cannot action.

Of course, a more effective approach to the above scenario would be to use an intelligent level transmitter that provides a level of self-diagnostics (and is preferably independently certified for use at the SIL duty required). Close inspection of the device’s safety manual is required, and appropriate proof tests must be carried out.

To ensure effective proof testing, a good proof test procedure is required that clearly describes each test to be carried out, alongside clear pass/fail criteria, with space for recording results and signing off the system as returned to normal operation. This procedure should be developed in line with the safety requirements specification (SRS).

Defining the frequency at which the testing needs to take place and the expected rate of detection of faults (proof test coverage) provided by the proof test is part of the SIS design. The onus is then on the plant owners/operators to ensure that testing occurs to this schedule (and as per procedure). Proof testing schedules need to be considered with regards to plant operations. Plant operators need to consider whether they have the resources in-house to carry out the work effectively and, if not, outsourcing is often the most viable option.

Benefits of outsourcing proof testing

Proof tests are often carried out during plant shutdown and the lack of process product could reduce the effectiveness of the proof testing. It is important to ask the question “does your procedure actually meet the proof test coverage claim?”
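To put numbers on the schedule and coverage questions raised above, here is an added worked example (not part of the original article). It uses the common simplified single-channel (1oo1) approximation for average probability of failure on demand with imperfect proof test coverage, together with the low-demand SIL bands; the failure rate, test intervals, coverage figures and 15-year mission time are constructed assumptions.

```python
HOURS_PER_YEAR = 8760

# Low-demand SIL bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_du, test_interval_h, coverage, mission_time_h):
    """Simplified 1oo1 PFDavg with imperfect proof test coverage.

    Dangerous undetected faults the test can reveal stay hidden for half a
    test interval on average; faults the test cannot reveal stay hidden for
    half the mission time.
    """
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    if test_interval_h <= 0 or mission_time_h < test_interval_h:
        raise ValueError("need 0 < test interval <= mission time")
    revealed = coverage * lambda_du * test_interval_h / 2
    unrevealed = (1.0 - coverage) * lambda_du * mission_time_h / 2
    return revealed + unrevealed


def achieved_sil(pfd):
    """Map a PFDavg to its SIL band; 0 means it does not reach SIL 1."""
    if pfd < 1e-5:
        return 4  # better than the SIL 4 band; SIL 4 is the highest level
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def compare_scenarios(lambda_du=5e-7, mission_years=15):
    """Constructed scenarios: as designed, weak test, lapsed schedule."""
    mission_h = mission_years * HOURS_PER_YEAR
    scenarios = {
        "as designed (1 y, 90% coverage)": (1, 0.9),
        "shutdown test, no process product (1 y, 60%)": (1, 0.6),
        "schedule lapsed (4 y, 90%)": (4, 0.9),
    }
    results = {}
    for name, (years, coverage) in scenarios.items():
        pfd = pfd_avg(lambda_du, years * HOURS_PER_YEAR, coverage, mission_h)
        results[name] = (pfd, achieved_sil(pfd))
    return results


if __name__ == "__main__":
    for name, (pfd, sil) in compare_scenarios().items():
        print(f"{name}: PFDavg={pfd:.3e} -> SIL {sil}")
```

In these constructed scenarios the function sits in the SIL 2 band as designed, and drops to the SIL 1 band either when the test's real coverage is lower than claimed or when the interval is allowed to stretch.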

Increasingly plant owners/operators are falling foul of HSE inspections by not addressing the above questions. The HSE is now paying particular attention and has specialists with an in-depth understanding of the intricacies of SIS and the requisite legislation.

With operational demands, de-manning strategies and retraining of existing in-house teams, such notices from the HSE are prompting oil & gas plants to outsource SIF proof testing to specialists to ensure the ongoing integrity of their SIS. This also provides a level of independence in the proof testing.

The benefit of outsourcing these specialist services is more than simply carrying out the tests. The first element of the service should be a thorough independent review of the actual proof testing procedures. Benefits of this include a practical review of the tests from a specialist company that understands both control systems and functional safety, ensuring proof testing procedures are realistic and can actually achieve the intended outcome.

In some cases, experts in this field have identified proof test procedures that are overly complex and ultimately unnecessary to fulfil the need of the safety life-cycle. Over-testing impacts operations through the cost of the time taken to carry out the tests, as well as increasing the likelihood of tests not being carried out properly (or worse, not at all!).

Where proof test procedures are found to be missing potentially dangerous faults, the basis of design may need revisiting. There is also a real possibility that the plant/process is not actually safe.

By outsourcing proof testing, plant operators can be confident that fully qualified personnel are reviewing their procedures and performing this essential service, ensuring they are compliant with all relevant legislation. Ultimately, this provides peace of mind and reduces risks.

Inspec Solutions provides a rigorous proof testing service to make sure that tests are done irrespective of customer plant demands/operator staffing. The company employs highly skilled and qualified engineers with the expertise to review procedures and perform accurate proof testing.

Matthew Morton is technology director at Inspec Solutions.