Testing of the safety instrumented system (SIS) is a critical lifecycle task that ensures the proper operation of functional safety devices, identifies component failures that can be repaired and tracked, allows the organization's tolerable risk goals to be achieved, and maintains compliance with functional safety standards and safety regulations. While testing of functional devices offers many benefits, it also imposes a burden in the form of downtime expenses and lost profit opportunity caused by the extended shutdowns required to allow the tests to occur. As a result, optimizing the required testing of safety instrumented systems presents an opportunity to substantially reduce the costs associated with testing.
To assist in streamlining and optimizing testing of SIS functional devices, the following modifications to test plan procedures are recommended:
Performing Partial Tests Outside the Turnaround Window During Plant Operation
IEC 61511 (ISA 84) allows for testing of the safety instrumented system in parts, and in some industries where large long-term shutdowns are simply not possible (e.g., offshore oil production), testing the SIS in parts instead of performing a complete test of the loop from sensor(s) to final element(s) is the norm. By creating test plans for individual field instruments, and properly executing these tests (along with the associated calibrations of sensors) while the plant is still in operation, before the turnaround shutdown, the amount of time required for testing while the plant is shut down is reduced, preventing costly business interruption. For a typical process plant, this action alone can reduce SIS testing time while the plant is shut down by 50-75%, or 2-3 days. This approach is almost always feasible for sensors and, if the appropriate bypassing equipment is available, can even be feasible for shutdown valves.
Removal of Unnecessary Tests from Functional Test Plans
Functional tests of SIS instrumentation are required to identify all potential failure modes of the instrumentation that could result in the safety instrumented function (SIF) being unable to perform its intended safety action. There are some failure modes, though, that do not affect the ability of a SIF to achieve its safety objective, and thus do not need to be considered during the periodic functional tests. The best example of unnecessary testing is verification of “bubble tight” shutoff when it is not, in fact, required. In many early SIS designs, engineers specified the requirement for “tight shut-off” in order to be conservative, without considering whether it was actually necessary. If leakage of a few bubbles per minute through a closed valve will not prevent the SIF from taking the process to a safe state, then a tight shut-off specification is not required. If it is not required, then performing expensive and time-consuming leak testing (let alone removing the valve for rebuilding at every turnaround in order to preserve the tight shutoff status) is also not required.
Removal of Ancillary Logic Functions Where SIS Logic is Unchanged
SIS logic often contains tens of thousands of combinations and permutations of input statuses, voting arrangements, and bypasses. While verifying that every potential combination performs as expected is important for an initial one-time validation, it is unnecessary and costly for subsequent periodic testing. If the logic of the PLC has not changed, it is only necessary to test the functionality of one configuration of a voting arrangement (for instance, in a 2oo3 vote, select two of the three transmitters, set the two past their trip point, and then verify that the SIS action is triggered). Likewise, it is not necessary to test the functionality of bypasses or resets during function tests other than the initial validation or after a logic change.
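To make the distinction between the one-time validation and the reduced periodic test concrete, here is an added illustration (not code from the original article or from any SIS vendor): a constructed model of a 2oo3 voted trip with per-channel bypasses, an exhaustive validation routine that exercises every pairing and every single-channel case, and a periodic proof test that drives just two of the three transmitters past the trip point and checks that the trip is produced. The trip point and readings are assumed values chosen for the example.

```python
from itertools import combinations

TRIP_POINT = 150.0   # constructed: reading at which a channel votes to trip
NORMAL = 100.0       # constructed: healthy process reading for a channel

def channel_votes(reading, bypassed=False):
    """One transmitter channel votes to trip when its reading is at or past
    the trip point and the channel is not bypassed (a bypassed channel never votes)."""
    return (not bypassed) and reading >= TRIP_POINT

def vote_2oo3(readings, bypasses=(False, False, False)):
    """2oo3 voting: the SIF trips when at least two of the three channels vote to trip."""
    votes = [channel_votes(r, b) for r, b in zip(readings, bypasses)]
    return sum(votes) >= 2

def _readings_with_tripped(channels):
    """Build a reading set with the given channel indices driven past the trip point."""
    readings = [NORMAL] * 3
    for i in channels:
        readings[i] = TRIP_POINT + 10.0
    return readings

def initial_validation(trip_logic):
    """Exhaustive one-time validation of the voting arrangement.
    Every pair of channels past trip must trip the SIF; any single channel past
    trip must not. Returns (passed, number_of_cases_exercised)."""
    cases = 0
    for pair in combinations(range(3), 2):          # the three ways to get 2oo3
        cases += 1
        if not trip_logic(_readings_with_tripped(pair)):
            return False, cases
    for single in range(3):                          # 1oo3 must not trip
        cases += 1
        if trip_logic(_readings_with_tripped((single,))):
            return False, cases
    return True, cases

def periodic_test(trip_logic, test_pair=(0, 1)):
    """Periodic proof test when the PLC logic is unchanged: drive two of the
    three transmitters past the trip point and confirm the SIS action is
    triggered. One configuration, one case."""
    return trip_logic(_readings_with_tripped(test_pair))
```

The exhaustive routine exercises six cases for a single 2oo3 vote; the periodic test exercises one, which is the reduction the text describes once the logic is known not to have changed.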
Limiting Final Element Functional Tests Regardless of How Many Inputs Cause Their Activation
Verification of the proper operation of a final element is a cumbersome and time-consuming task because considerable effort is required to set it into operational position, and dedicated resources need to be deployed into the field at its location to witness and time its movement. Also, in many cases a number of sensors can activate a single final element subsystem. A single activation of the final element is sufficient to prove its operational state and the absence of dangerous undetected failures. Test plans should be written so that final elements are only activated once or twice per turnaround, with the balance of the tests that cause activation of the final element confirmed through PLC output channel status.
Testing Activation of Final Elements Based Only on Safety-Critical Sensors in the Equipment Item Group
Often final elements are activated for a wide variety of reasons that are not safety related. Once a shutdown is initiated, SIS logic frequently causes many final elements to move to their safe state in order to bring the entire process to a known state that will facilitate restart of the plant. Verification of the movement of the final elements for these non-safety-critical additional actions should not be performed, as it results in unnecessary effort and extends the turnaround duration.
Extending the Test Interval as Long as Reasonably Possible
Typically, the timing of a plant turnaround is primarily the result of maintenance requirements for major pieces of equipment. Where the testing of SIS instrumentation is the factor limiting the risk reduction the SIS achieves, reviewing and modifying the SIS equipment design may enable an existing test interval to be extended, so long as the SIS is still capable of meeting the required risk reduction target (i.e., Safety Integrity Level