Testing of safety systems
A new publication from the Engineering Equipment and Materials Users
Association offers practical guidance on some of the problems which have
to be dealt with when testing real process plant equipment. Here, the
organisation introduces the topic and the document.
By EEMUA
The need to do thorough
testing of safety
instrumented systems (SIS)
is well known and obvious,
because their function is
explicitly to provide protection. However,
a thorough testing approach should be
applied to all systems used to provide risk
reduction against a safety hazard, such as
all instrumented protective systems (IPS).
The American Institution of Chemical
Engineers defines an IPS as “a safety
system composed of a separate and
independent combination of sensors,
logic solvers, final elements, and support
systems that are designed and managed
to achieve a specified risk reduction.”
This explanation includes SIS, but
is much more general. Another reads:
“Instrumented protective systems are
any instrumented function designed to
protect against a hazard with any integrity.
IEC 61511-1 places specific requirements
on safety instrumented functions (SIFs),
which are IPS protecting safety hazards
with a required integrity of SIL1 or above.”
SIL1, safety integrity level 1, is the lowest
of four levels defined in functional safety
standard IEC EN 61508, and corresponds
to a probability of dangerous failure on
demand of 0.1-0.01.
That definition comes from ‘Proof
testing good practice for Instrumented
Protective Systems’, EEMUA 242,
which is intended for site engineers
working with system designers on new
IPS, but is also helpful for legacy IPS
where documentation of the design
is incomplete. Its emphasis is on the
practical aspects of proof testing, given
that every process plant has its own
specific requirements and that the ideal
of out of service end-to-end testing may
rarely be achievable because of operating
constraints.
Returning to those systems, an IPS may
include many of the following:
● Input devices including primary sensors
and input modules
● Logic associated with each input device
● Logic associated with combined inputs
● Alarm functions
● Logic programs
● Final control elements and output
modules
● Computational functions
● Manual trip(s) to bring the system to its
safe state
● User diagnostics.
It isn’t sufficient to test each of these
in isolation. What is needed is a convincing
demonstration that the whole ensemble
works end-to-end as expected in all
credible circumstances. This is usually
not a trivial exercise, and needs careful
planning, especially if the testing is to
proceed while the plant is operational.
PRACTICAL PROOF TESTING BASICS
A practical proof test may consist of all or
some of the following:
● Scheduled on-line proof testing of the
functioning of an IPS by carrying out a test
that is as close to end-to-end as possible,
but may include alternative methods of
observing the process connection of
sensors and/or partial testing of final
elements
● Scheduled on-line proof testing by
partial stroking of final elements through
intelligent positioner tests
● Scheduled off-line proof testing of the
full functioning of final elements
● Scheduled testing and overhaul of final
elements to ensure leak tightness to
required standards
● Scheduled off-line testing of diagnostic
functions of components and their
systems for ensuring appropriate
response, such as alarms
● Scheduled testing of supporting
systems, where required for safety
● Scheduled inspection/maintenance.
Where such a suite of tests is required,
choosing and scheduling individual tests
is part of specifying the proof testing
TEST & MEASUREMENT
68 www.operationsengineer.org.uk Autumn 2020