Proof Test Procedure Effectiveness on Safety Instrumented Systems

Naresh Bajaj, P.Eng., CFSP Electrical and Control Engineer, Autopro Automation Consultants Ltd. Stephane Boily, P.Eng., CFSE Safety System Technology Manager Autopro Automation Consultants Ltd. 2012 Safety Control Systems Conference

Agenda
Introduction Diagnostic Tests Vs. Proof Tests Influence of Proof test coverage (CPT) on PFDavg and SIL integrity Methods to quantify CPT Proof test procedure development process Guidelines in building effective proof test procedure

Introduction
Periodic proof test and diagnostic test are integral elements of the overall Safety Instrumented System(SIS) design Primary objective is to reveal undetected failures It ensures that the system will provide the risk reduction required to safely operate the facility.

Diagnostic Tests Vs. Proof Tests

Proof Test: test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality (IEC 61511-2003 part 1 clause 3.2.58). Diagnostic test: tests are normally referred to as online tests or automated tests and are performed either continuously or very frequently. Diagnostic tests detect dangerous failures and can change them to safe detected failures.

Proof Test Coverage (CPT)

The proof test coverage factor (CPT) gives the fraction of dangerous undetected failures which can be detected by proof testing. Proof test coverage is calculated as:
=
Where:

is the proof test coverage; is the dangerous undetected failure rate identified by the proof test; and is the total dangerous undetected failure rate.

Effect of CPT on PFDavg

The following simplified equation can be used to calculate the PFDavg for a 1oo1 configuration.

1 = + 2 2
: Proof test interval : Mission Time

Where:

Effect of CPT on PFDavg for a generic flow transmitter

Effect of CPT on PFDavg for a generic flow transmitter

=9.00*10-7failures/hour, TI= 3 years, MT= 10 years and = 10%

Impact of CPT on PFDavg for a generic flow transmitter

Proof Test Coverage 100 99 98 97 96 95 94 93 92 91 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0 PFDavg 1oo1 0.0121 0.0125 0.0128 0.0131 0.0134 0.0137 0.0140 0.0143 0.0146 0.0149 0.0152 0.0168 0.0183 0.0198 0.0214 0.0229 0.0244 0.0259 0.0275 0.0290 0.0305 0.0320 0.0335 0.0350 0.0365 0.0380 0.0396 0.0411 0.0426 Change (%) 0 3 6 8 11 13 16 18 21 23 26 39 51 64 77 89 102 114 127 140 152 164 177 189 202 214 227 240 252 PFDavg 1oo2 0.001390 0.001430 0.001480 0.001520 0.001560 0.001610 0.001650 0.001690 0.001740 0.001780 0.001830 0.002050 0.002270 0.002500 0.002730 0.002970 0.003200 0.003440 0.003680 0.003930 0.004180 0.004430 0.004680 0.004940 0.005200 0.005460 0.005720 0.005990 0.006260 Change (%) 0 3 6 9 12 16 19 22 25 28 32 47 63 80 96 114 130 147 165 183 201 219 237 255 274 293 312 331 350 PFDavg 2oo2 0.0227 0.0233 0.0238 0.0244 0.0249 0.0255 0.0260 0.0266 0.0272 0.0277 0.0283 0.0310 0.0338 0.0365 0.0393 0.0420 0.0447 0.0474 0.0501 0.0528 0.0555 0.0582 0.0608 0.0635 0.0661 0.0687 0.0714 0.0740 0.0766 Change (%) 0 3 5 7 10 12 15 17 20 22 25 37 49 61 73 85 97 109 121 133 144 156 168 180 191 203 215 226 237 PFDavg 2oo3 0.00229 0.00236 0.00244 0.00252 0.00260 0.00268 0.00276 0.00284 0.00292 0.00300 0.00308 0.00349 0.00390 0.00432 0.00475 0.00518 0.00562 0.00607 0.00652 0.00698 0.00745 0.00792 0.00840 0.00889 0.00938 0.00988 0.01040 0.01090 0.01140 Change (%) 0 3 7 10 14 17 21 24 28 31 34 52 70 89 107 126 145 165 185 205 225 246 267 288 310 331 354 376 398

Determining CPT
Certified Equipment
Proof test procedure and CPT provided by manufacturer.

Credit System
Estimating CPT for existing facilities with no data available.

Failure rate databases & data collection programs

CPT calculated from failure modes and associated failure rates

Certified Equipment

Certified Equipment

Estimating CPT - Credit System

Background
Older facility designed prior to IEC 61511
Designed with good engineering practices of the time RRF required by IPFs was not evaluated

Estimating CPT - Credit System

Background (cont.)
Management decision to move towards IEC 61511
Hazard and risk assessments now provide RR requirements and identify IPLs As Is SRS developed for identified SIFs As Is RRF achieved by SIFs
Existing test plans reviewed

Recommendations for corrections and improvements

Estimating CPT - Credit System

Challenges
No failure data available for devices
Failure rates unavailable Failure modes may not be well known
CPT difficult to estimate

CPT estimating table for sensors

Example CPT estimate for sensor

Existing test plan states:
Visual inspection Three point calibration check Field signal test

Total 60%

CPT estimating table for valves

Example CPT estimate for valve

Existing test plans state:
Visual inspection Time the stroking speed of valve Full stroke test of the valve

Pressure leak-by test

Total 65%

CPT from Failure Rate Database

1) full stroke test Proof Test Coverage = 250/(250+200+100+25) = 43% 2) Time stroking test Proof Test Coverage = 200/(250+200+100+25) = 35% 3) Leak test Proof Test Coverage = 100/(250+200+100+25) = 17%

Guidelines in developing proof test procedure

When testing sensors, it is imperative that proof tests should take into consideration different characteristics of the sensors (linearity, hysteresis etc.). When testing valves, it is imperative that the proof test is able to detect different type of failures modes (seat plugged, etc.) The proof testing should also take in consideration the auxiliary equipment, such as power, instrument air, and heat tracing. Personnel performing the test should be competent and able to interpret the result. All successful and unsuccessful test records will be documented and maintained as records. The SRS should document the dangerous failure modes in order to assist with the development of the proof test procedures.

Poor Practices
Developing proof test procedures in a cocoon without the participation of the maintenance technicians who will be responsible for executing them. Calibrating the sensors prior to performing the trip test. Cleaning or performing preventive maintenance prior to performing the trip test. Claiming 100% proof test coverage.

Conclusion
The proof testing of SIS is defined in the safety standards (IEC 61508 and 61511) but the interpretation of it is ambiguous. It was confirmed that the impact of the CPT is real. Theres no such thing as a perfect proof test although it is desirable to strive to get as close to it as possible. Choosing accurate CPT has its own limitations due to different practical considerations and various factors influence the outcome.

References
[1] Feng Tao, Users need detailed reliability analysis not just numbers, IDC Safety Control Systems Conference 2010 [2] W.M. Goble and H.Cheddie, Safety Instrumented Systems Verification, Practical Probabilistic Calculations [3] OBrien, C. and Bredemeyer, L., Final Elements & the IEC 61508 and IEC 61511 Functional Safety Standards, [4] Safety Equipment Reliability Handbook, exida [5] D. Fournier, How critical is Proof Test Coverage?, You asked: Functional Safety Clarified, Canadian Process Equipment & Control News Aug 2009 [6] Principles for proof testing of safety instrumented systems in the chemical industry, Health & Safety Executive, contract research report 428/2002. [7] Gyrgy Baradits, Jnos Madr, Jnos Abonyi, Novel Model of Proof Test Coverage Factor, 10th International Symposium of Hungarian Researchers on Computational Intelligence and Informatics, Nov 2009