
Strategic Proof Testing

Dr William Goble - exida

exida: Standards, Certification, Education & Training, Publishing, Conferences & Exhibits

Strategic Proof Testing
William Goble
Sellersville, PA, USA, +1-215-453-1720
www.exida.com

2
IEC 61511 Safety Life Cycle

[Figure: the IEC 61511 safety life-cycle diagram. The phases and the clauses that govern them, as shown on the slide:]

Running alongside every phase:
– Management of Functional Safety and Functional Safety Assessment (Clause 5)
– Safety Lifecycle Structure and Planning (Sub-clause 6.2)
– Verification (Sub-clauses 7, 12.7)

ANALYSIS
– Risk Analysis and Protection Layer Design (Sub-clause 8)
– Allocation of Safety Functions to Safety Instrumented Systems or Other Means of Risk Reduction (Sub-clause 9)
– Safety Requirements Specification for the Safety Instrumented System (Sub-clause 10)

REALIZATION
– Design and Development of Safety Instrumented System (Sub-clause 11), in parallel with Design and Development of Other Means of Risk Reduction (Sub-clause 9)
– Installation, Commissioning, and Validation (Sub-clause 14)

OPERATION
– Operation and Maintenance (Sub-clause 15)
– Modification (Sub-clause 15.4)
– Decommissioning (Sub-clause 16)

3
SIS Design

[Figure: the IEC 61511 life-cycle diagram of slide 2 (Sub-clauses 8, 9, 10, 11, 14, 15, 15.4, 16), with the SIS design steps expanded beside it:]

Safety Requirements Specification – Functional Description of each Safety Instrumented Function, Target SIL, Mitigated Hazards, Process parameters, Logic, Bypass/Maintenance requirements, Response time, etc.

7. SIS Conceptual Design
   7a. Select Technology – Choose sensor, logic solver and final element technology
   7b. Select Architecture – Redundancy: 1oo1, 1oo2, 2oo3, 1oo2D
   7c. Determine Test Philosophy
   7d. Reliability, Safety Evaluation – inputs: Manufacturer's Failure Data, Failure Data Database, Manufacturer's Safety Manual
   SIL Achieved? No: return to the conceptual design. Yes: proceed.
8. SIS Detailed Design – Detailed Design Documentation: Loop Diagrams, Wiring Diagrams, Logic Diagrams, Panel Layout, PLC Programming, Installation Requirements, Commissioning Requirements, etc.
9. Installation Planning – using the Manufacturer's Installation Instructions
10. SIS Installation, Commission and Pre-startup Acceptance Test

Copyright © 2000-2010 exida.com – used with permission
4
Test Philosophy

[Figure: design loop – Select Technology → Select Architecture → Determine Test Philosophy → Reliability Evaluation → Performance Target Met? No: revise; Yes, proceed.]

How will the sensors, controller and final elements be tested? How frequently?

PERIODIC INSPECTION
– Time Interval: 5 Years, 1 Year, 6 Mos, 3 Mos.
– Procedure: Shutdown Plant? Bypass SIS? Transmitter Testing? Valve / Actuator Testing?

5
SIF Verification Task

[Figure: inputs to step 7d, Reliability and Safety Evaluation:]
– Safety Requirements Specification – Safety Function Requirements including target SIL
– Manufacturer's Failure Data
– Failure Data Database

Outputs: PFDavg, RRF, MTTFS, SIL achieved
6
Proof Test

The purpose of the Proof test is to verify that the safety instrumented function works properly. It is assumed that if it "trips" properly it has not failed.

Typical Procedure:
1. Block valve from closing.
2. Move input signal above trip point.
3. Verify that valve attempted to close.
4. Move input signal back to normal, below trip point.
5. Remove valve block.

Callout on the slide: "Assume 100% Diagnostic coverage??"
100% Coverage?

100% coverage is not likely due to intermittent


faults and not exercising all functionality.
Assume
Transmitter failures 100%
Logic Solver Failures Diagnostic
coverage??
Final Elements Failures
What are the DUs? What are the
dangerous failures not detected by
any automatic diagnostics?

8
Pressure Transmitters

– Failure Modes (S/D/A marks as shown on the slide):
  – Output Saturated Hi
  – Output Saturated Lo
  S/D – Frozen Output
  – Indication Error Hi
  – Indication Error Lo
  – Output cannot get to 100%
  D – Output cannot get to 0%
  – Internal automatic diagnostic circuit failed
  D – Temperature compensation circuit failed
  Also marked on the slide: A, ?
9
Actuator Failure Modes

– Failure Modes (S/D/A marks as shown on the slide):
  – Severe leak/loss of air pressure
  S – Clogged air inlet – trapped air
  D – Damaged/jammed spring – no return force
  – Jammed shaft – no movement
  D – Damaged shaft – no force / torque
  – Automatic partial stroke box fails
  Also marked on the slide: D, A
10
Ball Valve Failure Modes

– Failure Modes
  D • No movement / excessive force-torque required
  D • Leaky seal – cannot stop flow

– Application issues
  • Environment
  • Tight shut off
11
Proof Test

The purpose of the Proof test is to verify that the safety instrumented function works properly. It is assumed that if it works properly it has not failed.

The purpose of the Proof test is to detect any failures not detected by automatic on-line diagnostics – dangerous failures, diagnostic failures, parametric failures.
12
Safety Manual

• Products intended for SIF applications are supplied with a "Safety Manual."
  – The "safety manual" may be part of another document
• The Safety Manual contains important restrictions on how the product must be used in order to maintain safety.
  – Environmental restrictions
  – Design restrictions
  – Periodic Inspection / Test requirements
  – Failure rate / failure mode data
13
Failure Modes, Effects and Diagnostic Analysis (FMEDA)

FMEDA for Conventional PES Input Circuit

Failure Modes and Effects Analysis. Failure rates are in FIT (failures per billion hours). Criticality: 1 = Safe, 0 = Dangerous. Det.: 1 = detected by the listed diagnostic, 0 = not detected.

Component   Mode         Effect             Crit.    FIT    Safe    Dang.  Det.  Diagnostic        Safe Cov.  Dang. Cov.
R1 - 1K     short        loose filter       1 Safe   0.13   0.125   0      0                       0          0
            open         read logic 0       1 Safe   0.5    0.5     0      1     read input open   0.5        0
C1 - 0.18   short        read logic 0       1 Safe   2      2       0      0                       0          0
            open         loose filter       1 Safe   0.5    0.5     0      0                       0          0
R2 - 200K   short        overvoltage        0 Dang.  0.13   0       0.13   0                       0          0
            open         read logic 0       1 Safe   0.5    0.5     0      1     read input open   0.5        0
R3 - 10K    short        read logic 0       1 Safe   0.13   0.125   0      0                       0          0
            open         overvoltage        0 Dang.  0.5    0       0.5    0                       0          0
D1          short        read logic 0       1 Safe   2      2       0      0                       0          0
            open         blow out circuit   0 Dang.  5      0       5      0                       0          0
D2          short        read logic 1       0 Dang.  2      0       2      0                       0          0
            open         blow out circuit   0 Dang.  5      0       5      0                       0          0
OC1         led dim      no light           1 Safe   28     28      0      0                       0          0
            tran. short  read logic 1       0 Dang.  19     0       19     0                       0          0
            tran. open   read logic 0       1 Safe   5      5       0      0                       0          0
R4 - 10k    short        read logic 0       1 Safe   0.13   0.125   0      0                       0          0
            open         read logic 1       0 Dang.  0.5    0       0.5    0                       0          0
Total                                                71     38.88   32.1                           1          0

Total Failure Rates: 71 FIT; Safe 38.88 FIT; Dangerous 32.1 FIT
Safe Coverage = 1 / 38.88 = 0.0257
Dangerous Coverage = 0 / 32.1 = 0

From ISA Book: Control Systems Safety Evaluation and Reliability, W.M. Goble, 1998, used with permission.

14
Failure Modes, Effects and Diagnostic Analysis (FMEDA)

PROVIDES:
• IEC 61508 Safe Failure Fraction
• Coverage Factors: CD, CS
• Failure Rates: λS, λD, λSD, λSU, λDD, λDU
Can also provide PROOF TEST EFFECTIVENESS
15
Safety Manual Test Content

From Rosemount 3051S, Safety:
Proof Test 1 – 65%
Proof Test 2 – 98%

Why bother with proof test 1?

Copyright 2006 – 2010, Emerson Process Management, Rosemount

16
Safety Manual Test Content

From Rosemount 3051S, Safety:
Proof Test 1 – 65%
Proof Test 2 – 98%

Why bother with proof test 1? Because the time interval between the more expensive PROOF TEST 2 can be extended by several years!!
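The following Python is an added example (not from the slides or from the Rosemount safety manual) that puts numbers behind slides 15 and 16, and computes the PFDavg, RRF and SIL-achieved outputs slide 5 lists. It assumes a single 1oo1 channel, a constructed λDU of 100 FIT, a 20-year mission time, and the standard linear PFDavg approximation in which each slice of the dangerous undetected failures contributes λDU × fraction × interval / 2; it further assumes that any failure the 65% test reveals is also revealed by the 98% test, so the 98% test only adds the extra 33%. Everything the on-line diagnostics detect (λDD) is left out, since the slides treat the proof test as covering what those diagnostics miss. All function names and the sample values are this example's own.

```python
"""PFDavg of a 1oo1 channel under layered proof tests (added example).

Assumed model: dangerous undetected (DU) failures split into tiers.  The
tier the partial test catches is cleared on the partial-test interval, the
extra fraction only the full test catches waits for the full-test interval,
and the residue no proof test catches persists to the end of the mission
time.  With constant failure rates each tier contributes
lambda_DU * fraction * interval / 2 (valid while lambda_DU * interval << 1).
"""

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du_fit, proof_tests, mission_hours):
    """Average probability of failure on demand for one channel.

    lambda_du_fit : dangerous undetected failure rate in FIT (per 1e9 h)
    proof_tests   : iterable of (coverage, interval_hours), any order
    mission_hours : time after which the untested residue is finally cleared
    """
    lam = lambda_du_fit * 1e-9
    exposure = 0.0      # sum of fraction * interval / 2, in hours
    covered = 0.0
    # Walk the tests from least to most thorough; each adds only the slice of
    # DU failures that no less thorough (more frequent) test already catches.
    for coverage, interval in sorted(proof_tests):
        if not 0.0 <= coverage <= 1.0:
            raise ValueError("coverage must be a fraction between 0 and 1")
        exposure += (coverage - covered) * interval / 2.0
        covered = coverage
    exposure += (1.0 - covered) * mission_hours / 2.0
    return lam * exposure


def risk_reduction_factor(pfd):
    return 1.0 / pfd


def sil_achieved(pfd):
    """IEC 61508 low-demand SIL band for a PFDavg; 0 means below SIL 1.
    Anything under 1e-5 is reported as 4, the top band."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def full_test_interval_for_target(lambda_du_fit, target_pfd, partial_coverage,
                                  partial_interval, full_coverage, mission_hours):
    """Longest full-test interval (hours) that keeps PFDavg at or below
    target_pfd once a partial test runs every partial_interval hours.
    This inverts pfd_avg for the two-test case."""
    lam = lambda_du_fit * 1e-9
    fixed = (partial_coverage * partial_interval / 2.0
             + (1.0 - full_coverage) * mission_hours / 2.0)
    remaining = target_pfd / lam - fixed
    if remaining <= 0:
        raise ValueError("target unreachable with this partial test and residue")
    return remaining * 2.0 / (full_coverage - partial_coverage)


def compare_strategies(lambda_du_fit=100.0, mission_years=20):
    """Constructed comparison using the slide's 65% and 98% coverages."""
    tm = mission_years * HOURS_PER_YEAR
    strategies = {
        "full (98%) every 5 years only":
            [(0.98, 5 * HOURS_PER_YEAR)],
        "partial (65%) yearly + full (98%) every 5 years":
            [(0.65, HOURS_PER_YEAR), (0.98, 5 * HOURS_PER_YEAR)],
        "full (98%) every year":
            [(0.98, HOURS_PER_YEAR)],
    }
    return {name: pfd_avg(lambda_du_fit, tests, tm)
            for name, tests in strategies.items()}


if __name__ == "__main__":
    results = compare_strategies()
    for name, pfd in results.items():
        print(f"{name:<48} PFDavg={pfd:.2e}  RRF={risk_reduction_factor(pfd):6.0f}"
              f"  SIL {sil_achieved(pfd)}")
    # Interval the 98% test can stretch to once the yearly 65% test is added,
    # at the same PFDavg the 5-yearly 98% test achieved on its own.
    t2 = full_test_interval_for_target(100.0, results["full (98%) every 5 years only"],
                                       0.65, HOURS_PER_YEAR, 0.98, 20 * HOURS_PER_YEAR)
    print(f"98% test interval at equal PFDavg: {t2 / HOURS_PER_YEAR:.1f} years")
```

With these constructed inputs the 5-yearly 98% test alone gives PFDavg 2.32e-3; adding the yearly 65% test roughly halves that to 1.18e-3, and solving the other way round shows the 98% test could instead be stretched from 5 to about 12.9 years while holding the original PFDavg. That is the quantitative content of "why bother with proof test 1".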

17
Strategic Proof Test

The purpose of the Proof test is to detect any failures not detected by automatic on-line diagnostics.
1. We can design proof test procedures that are easier to perform, cost less and are more likely to actually get done.
2. By understanding the actual DU/AU failures in our instruments we can significantly improve our test coverage as well as lower cost.

18
Questions?

Copies of presentation – wgoble@exida.com
