2012 Safety Control Systems Conference

Proof Test Procedure Effectivenesson Safety Instrumented Systems

Naresh Bajaj, P.Eng., CFSPElectrical and Control Engineer,

Autopro Automation Consultants Ltd.

Stephane Boily, P.Eng., CFSESafety System Technology ManagerAutopro Automation Consultants Ltd.

Agenda

• Introduction• Diagnostic Tests Vs. Proof Tests• Influence of Proof test coverage (CPT) on

PFDavg and SIL integrity• Methods to quantify CPT

• Proof test procedure development process

• Guidelines in building effective proof test procedure

Introduction

• Periodic proof test and diagnostic test are integral elements of the overall Safety Instrumented System(SIS) design

• Primary objective is to reveal undetected failures

• It ensures that the system will provide the risk reduction required to safely operate the facility.

Diagnostic Tests Vs. Proof Tests

• Proof Test: “test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality” (IEC 61511-2003 part 1 clause 3.2.58).

• Diagnostic test: tests are normally referred to as online tests or automated tests and are performed either continuously or very frequently. Diagnostic tests detect dangerous failures and can change them to “safe detected” failures.

Proof Test Coverage (CPT)

• The proof test coverage factor (CPT) gives the fraction of dangerous undetected failures which can be detected by proof testing.

• Proof test coverage is calculated as:𝐶𝑃𝑇 = 𝜆𝐷𝑈𝐼𝑑𝑒𝑛𝑡𝑖𝑓𝑖𝑒𝑑 𝑏𝑦 𝑃𝑇𝜆𝐷𝑈𝑇𝑜𝑡𝑎𝑙 Where: 𝐶𝑃𝑇 is the proof test coverage; 𝜆𝐷𝑈𝐼𝑑𝑒𝑛𝑡𝑖𝑓𝑖𝑒𝑑 𝑏𝑦 𝑃𝑇 is the dangerous undetected failure rate identified by the

proof test; and 𝜆𝐷𝑈𝑇𝑜𝑡𝑎𝑙 is the total dangerous undetected failure rate.

Effect of CPT on PFDavg

• The following simplified equation can be used to calculate the PFDavg for a 1oo1 configuration.

𝑃𝐹𝐷𝐴𝑉𝐺 = 𝜆𝐷𝑈𝑇𝑜𝑡𝑎𝑙 × 𝐶𝑃𝑇 × 𝑇𝐼2 + 𝜆𝐷𝑈𝑇𝑜𝑡𝑎𝑙 × ሺ1− 𝐶𝑃𝑇ሻ× 𝑀𝑇2

Where: 𝑇𝐼 : Proof test interval 𝑀𝑇 : Mission Time

Effect of CPT on PFDavg for a generic flow transmitter

Effect of CPT on PFDavg for a generic flow transmitter

𝜆𝐷𝑈𝑇𝑜𝑡𝑎𝑙 =9.00*10-7failures/hour, TI= 3 years, MT= 10 years and β = 10%

Impact of CPT on PFDavg for a generic flow transmitter

Proof Test Coverage

PFDavg 1oo1

Change (%)

PFDavg 1oo2

Change (%)

PFDavg 2oo2

Change (%)

PFDavg 2oo3

Change (%)

100 0.0121 0 0.001390 0 0.0227 0 0.00229 099 0.0125 3 0.001430 3 0.0233 3 0.00236 398 0.0128 6 0.001480 6 0.0238 5 0.00244 797 0.0131 8 0.001520 9 0.0244 7 0.00252 1096 0.0134 11 0.001560 12 0.0249 10 0.00260 1495 0.0137 13 0.001610 16 0.0255 12 0.00268 1794 0.0140 16 0.001650 19 0.0260 15 0.00276 2193 0.0143 18 0.001690 22 0.0266 17 0.00284 2492 0.0146 21 0.001740 25 0.0272 20 0.00292 2891 0.0149 23 0.001780 28 0.0277 22 0.00300 3190 0.0152 26 0.001830 32 0.0283 25 0.00308 3485 0.0168 39 0.002050 47 0.0310 37 0.00349 5280 0.0183 51 0.002270 63 0.0338 49 0.00390 7075 0.0198 64 0.002500 80 0.0365 61 0.00432 8970 0.0214 77 0.002730 96 0.0393 73 0.00475 10765 0.0229 89 0.002970 114 0.0420 85 0.00518 12660 0.0244 102 0.003200 130 0.0447 97 0.00562 14555 0.0259 114 0.003440 147 0.0474 109 0.00607 16550 0.0275 127 0.003680 165 0.0501 121 0.00652 18545 0.0290 140 0.003930 183 0.0528 133 0.00698 20540 0.0305 152 0.004180 201 0.0555 144 0.00745 22535 0.0320 164 0.004430 219 0.0582 156 0.00792 24630 0.0335 177 0.004680 237 0.0608 168 0.00840 26725 0.0350 189 0.004940 255 0.0635 180 0.00889 28820 0.0365 202 0.005200 274 0.0661 191 0.00938 31015 0.0380 214 0.005460 293 0.0687 203 0.00988 33110 0.0396 227 0.005720 312 0.0714 215 0.01040 3545 0.0411 240 0.005990 331 0.0740 226 0.01090 3760 0.0426 252 0.006260 350 0.0766 237 0.01140 398

Determining CPT

• Certified Equipment– Proof test procedure and CPT provided

by manufacturer.• Credit System

– Estimating CPT for existing facilities with no data available.

• Failure rate databases & data collection programs– CPT calculated from failure modes and

associated failure rates

Certified Equipment

Certified Equipment

Estimating CPT - Credit System

• Background– Older facility designed prior to IEC 61511

• Designed with good engineering practices of the time

• RRF required by IPFs was not evaluated

Estimating CPT - Credit System

• Background (cont.)– Management decision to move towards

IEC 61511• Hazard and risk assessments now provide

RR requirements and identify IPLs• “As Is” SRS developed for identified SIFs• “As Is” RRF achieved by SIFs

– Existing test plans reviewed

• Recommendations for corrections and improvements

Estimating CPT - Credit System

• Challenges– No failure data available for devices

• Failure rates unavailable• Failure modes may not be well known

– CPT difficult to estimate

CPT estimating table for sensors

Example CPT estimate for sensor

• Existing test plan states:– Visual inspection

– Three point calibration check

– Field signal test

• Total 60%

20%

20%

20%

CPT estimating table for valves

Example CPT estimate for valve

• Existing test plans state:– Visual inspection

– Time the stroking speed of valve

– Full stroke test of the valve

– Pressure leak-by test

• Total 65%

20%

20%

20%

5%

CPT from Failure Rate Database

• 1) full stroke test Proof Test Coverage= 250/(250+200+100+25) = 43%

• 2) Time stroking test Proof Test Coverage= 200/(250+200+100+25) = 35%

• 3) Leak test Proof Test Coverage= 100/(250+200+100+25) = 17%

Guidelines in developing proof test procedure

• When testing sensors, it is imperative that proof tests should take into consideration different characteristics of the sensors (linearity, hysteresis etc.).

• When testing valves, it is imperative that the proof test is able to detect different type of failures modes (seat plugged, etc.)

• The proof testing should also take in consideration the auxiliary equipment, such as power, instrument air, and heat tracing.

• Personnel performing the test should be competent and able to interpret the result.

• All successful and unsuccessful test records will be documented and maintained as records.

• The SRS should document the dangerous failure modes in order to assist with the development of the proof test procedures.

Poor Practices

• Developing proof test procedures in a cocoon without the participation of the maintenance technicians who will be responsible for executing them.

• Calibrating the sensors prior to performing the trip test.

• Cleaning or performing preventive maintenance prior to performing the trip test.

• Claiming 100% proof test coverage.

Conclusion

• The proof testing of SIS is defined in the safety standards (IEC 61508 and 61511) but the interpretation of it is ambiguous.

• It was confirmed that the impact of the CPT is real. • There’s no such thing as a perfect proof test

although it is desirable to strive to get as close to it as possible.

• Choosing accurate CPT has its own limitations due to different practical considerations and various factors influence the outcome.

References• [1] Feng Tao, Users need detailed reliability analysis not just numbers,

IDC Safety Control Systems Conference 2010• [2] W.M. Goble and H.Cheddie, Safety Instrumented Systems

Verification, Practical Probabilistic Calculations• [3] O’Brien, C. and Bredemeyer, L., Final Elements & the IEC 61508

and IEC 61511 Functional Safety Standards,• [4] Safety Equipment Reliability Handbook, exida• [5] D. Fournier, How critical is Proof Test Coverage?, You asked:

Functional Safety Clarified, Canadian Process Equipment & Control News Aug 2009

• [6] Principles for proof testing of safety instrumented systems in the chemical industry, Health & Safety Executive, contract research report 428/2002.

• [7] György Baradits, János Madár, János Abonyi, Novel Model of Proof Test Coverage Factor, 10th International Symposium of Hungarian Researchers on Computational Intelligence and Informatics, Nov 2009