
Proof Testing: SIS follow-up during Operations

  • Writer: Isabella Bergström | Consultant
  • May 19
  • 7 min read

Proof testing of the Safety Instrumented System (SIS) and its Safety Instrumented Functions (SIFs) is a crucial part of the functional safety lifecycle and vital to ensure the reliability of the SIFs during the operating phase. Proof testing shall, in accordance with IEC 61511-1, be conducted using a written procedure to reveal undetected failures in the SIS. Development of Proof Test Procedures (PTPs) requires integration with other functional safety documents developed as part of the SIS lifecycle, as well as collaboration between multiple disciplines to ensure effective and user-friendly PTPs. This insight covers the main steps to follow when preparing PTPs, executing proof testing, and the key factors impacting the results.



What is Proof Testing?

Proof testing is performed at regular intervals to reveal Dangerous Undetected (DU) faults in a SIF’s components; the intention is to reveal these faults before there is a demand on the SIF to ensure that it operates as intended and meets the required Average Probability of Failure on Demand (PFDavg) specified in the Safety Requirement Specification (SRS).


The whole SIF shall, according to IEC 61511-1, be tested, including the sensing element(s), logic solver and final element(s) at a regular Proof Test Interval (PTI) stated in the SRS.

Test sequence of a SIF: Sensor > Logic Solver > Final element

Main steps of conducting Proof Testing

The proof test operation can be divided into the following four phases:

  • Preparation: Before the test is initiated, the operator shall review the SIF design (including SIF functionality, bypass requirements, etc.) and ensure that the requirements are understood.


  • Execution: Start the test by determining the system status in testing mode (bypass mode, shutdown, etc.). As part of the proof test, the following main steps are recommended:

    • Visual inspection of SIF components to ensure that there are no unauthorized modifications or degradation (e.g., corrosion, missing bolts or covers, broken circuits, leaks, etc.).

    • Confirm the trip set-point of sensor and record the measured trip value.

    • Confirm the voting configuration of the sensor.

    • Confirm that the trip from the sensor sends a signal to the logic solver.

    • Confirm the action upon de-energize/energize of the final element and that the final elements react as intended when the signal from the logic solver is received.

    • Confirm and record the response time of the SIF, from initiation to safe state.

    • Perform proof test of the sensor, logic solver and final element in accordance with the safety manuals (if not incorporated into the proof test procedure itself).

    • Reset SIF from test mode and confirm that it is in operational mode.


  • Evaluation: The results from the proof test shall be evaluated to confirm that the proof test is complete and to determine whether any further actions are required. If any of the steps are recorded as “not passed”, ensure that corrective actions are applied and redo the test.


  • Documentation: To follow-up on the SIF performance, it is important that the proof test results are recorded and signed off by the operator performing the proof test and verified by a supervisor. The test results shall be used to verify that the SIF meets its design intention and PFDavg requirements.


Key factors for successful Proof Testing

Proof testing shall be performed using a written procedure. The PTP shall, as per IEC 61511-1 Clause 19.2.11, describe every step to be performed and include the correct operation of the sensor and final element, as well as correct logic action and alarms/indications.


It is important that the proof test procedure is user-friendly to allow for efficient and correct testing of the SIF. Consider the following when creating the proof test procedures:

  • Easy access to important SIF information (such as RBD, P&ID and C&E reference, sensor tag and type, logic action, final element tag and action, etc.). This also includes access to Safety Manuals containing the component specific PTPs (if not incorporated into the PTP).


  • Avoid unnecessary information that is not relevant for the proof testing. Remember that the PTP will be used in the plant and unnecessary information will make it harder to find the information required.


  • Create a smart layout design that allows for proper documentation of the proof test results (such as comments, remarks, failure type, etc.).


Multidisciplinary involvement: It is important to involve all relevant disciplines in the development of PTPs. If PTPs are developed by one discipline only, the integration with other functional safety documents can be lost or the procedures may lack practical information needed for the operation. It is recommended to include at least the functional safety responsible, Automation and Instrumentation, and Maintenance in the development of PTPs.


Competence: the personnel performing proof testing shall be trained on how to conduct it in accordance with IEC 61511 and understand the design of the function being tested. This includes:

  • Actions of the SIF (e.g., trip points, trip actions, etc.).

  • The hazardous event the SIF intends to prevent.

  • Operation of the SIF and management of bypass/override switches, and when their use is allowed.

  • Manual operation of the SIF and when it is required (manual shutdown, manual start-up, etc.).

  • Actions to be taken upon detection of faults in the SIF from diagnostic alarms.

  • Verification of diagnostic alarms.


Documentation and follow-up: the results of the proof test shall be recorded in a way that someone else can confirm that the full proof test was completed and that any detected failures were followed up and appropriately addressed. This includes:

  • Date when the test was performed.

  • The person performing the test.

  • Pass test (yes/no) and signature of the test responsible per testing step.

  • Tag number of the component being tested.

  • Measured value.

  • In case of failure, failure type and failure description shall be added. Once the reason for the failure has been determined and the failed component(s) are repaired, the proof test shall be repeated.
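The execution steps and the documentation requirements above can be turned into a machine-checkable record. The following Python script is an added example and is not from the original article or any vendor tool: it encodes the listed rules (date, tester, supervisor verification, tag number, measured value, pass/fail and signature per step, failure type and description on failure, repeat of the test after any failure) and also flags a measured value that lies outside its tolerance while the step is marked as passed. All tag numbers, set-points, tolerances and measured values in sample_record() are constructed, and the "DU" failure label and the absolute-tolerance convention are assumptions.

```python
"""Checker for a proof test record (added example, not from the original article).

Encodes the documentation and evaluation rules the article lists: test date,
person performing the test, supervisor verification, tag number, measured value,
pass/fail and signature per step, and failure type plus description for any
failed step; any failed step means repair followed by a repeat of the proof test.
Tag numbers, set-points and measured values in sample_record() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class StepResult:
    description: str
    tag: str
    passed: bool
    signature: str
    measured: float | None = None
    expected: float | None = None
    tolerance: float | None = None        # absolute tolerance around expected (assumed convention)
    failure_type: str | None = None       # free-text category, e.g. "DU" (assumed label)
    failure_description: str | None = None


@dataclass
class ProofTestRecord:
    sif_id: str
    performed_on: date | None
    performed_by: str
    verified_by: str | None               # supervisor sign-off
    steps: list[StepResult] = field(default_factory=list)


@dataclass
class Evaluation:
    complete: bool          # someone else could confirm the full test from this record
    must_repeat: bool       # at least one step failed: repair, then redo the proof test
    issues: list[str]


def evaluate_record(rec: ProofTestRecord) -> Evaluation:
    issues: list[str] = []
    if rec.performed_on is None:
        issues.append("missing test date")
    if not rec.performed_by:
        issues.append("missing name of the person performing the test")
    if not rec.verified_by:
        issues.append("missing supervisor verification")
    if not rec.steps:
        issues.append("no test steps recorded")

    failed = False
    for i, s in enumerate(rec.steps, start=1):
        if not s.tag:
            issues.append(f"step {i}: missing tag number")
        if not s.signature:
            issues.append(f"step {i}: missing signature")
        # A measured value outside tolerance that is nevertheless marked "passed"
        # makes the record untrustworthy, so flag the inconsistency.
        if s.measured is not None and s.expected is not None and s.tolerance is not None:
            if abs(s.measured - s.expected) > s.tolerance and s.passed:
                issues.append(f"step {i} ({s.tag}): measured {s.measured} is outside "
                              f"{s.expected} +/- {s.tolerance} but marked as passed")
        if not s.passed:
            failed = True
            if not s.failure_type or not s.failure_description:
                issues.append(f"step {i} ({s.tag}): failed step lacks failure type or description")
    return Evaluation(complete=not issues, must_repeat=failed, issues=issues)


def sample_record() -> ProofTestRecord:
    """Constructed record for a high-pressure trip: the set-point check passes,
    the valve closure-time check fails."""
    return ProofTestRecord(
        sif_id="SIF-001 (constructed)",
        performed_on=date(2022, 5, 19),
        performed_by="A. Operator",
        verified_by="B. Supervisor",
        steps=[
            StepResult("Visual inspection of SIF components", "PT-1001", True, "AO"),
            StepResult("Confirm trip set-point and record measured trip value", "PT-1001",
                       True, "AO", measured=25.2, expected=25.0, tolerance=0.5),
            StepResult("Confirm trip signal reaches the logic solver", "LS-01", True, "AO"),
            StepResult("Confirm final element action and record response time", "XV-1001",
                       False, "AO", measured=14.0, expected=10.0, tolerance=2.0,
                       failure_type="DU", failure_description="closure time above limit"),
            StepResult("Reset SIF from test mode", "LS-01", True, "AO"),
        ],
    )


if __name__ == "__main__":
    result = evaluate_record(sample_record())
    print(f"complete={result.complete} must_repeat={result.must_repeat}")
    for msg in result.issues:
        print(" -", msg)
```

Running the script on the sample record reports a complete record that nevertheless requires a repeat of the proof test, because the final-element step failed; clearing a signature or the supervisor verification makes the record incomplete, which is the distinction a reviewer of historical proof test data needs.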


Tools and instruments needed to complete the proof test shall be described in the PTP to ensure that it is performed using the correct equipment. It is also necessary to ensure that the personnel involved have every tool available before performing the test.


What is Proof Test Coverage (PTC) and why is it important?

The Proof Test Coverage (PTC) defines the fraction of Dangerous Undetected (DU) failures that are expected to be revealed by the periodic proof test of the SIF and its subcomponents. For most components, there will always be some failure modes that are unknown and cannot be detected through proof testing. Hence, a PTC above 98% is generally considered optimistic and shall only be claimed for very basic components.


Complex devices with high fault diagnosis, like logic solvers, may have a Proof Test Interval (PTI) corresponding to the defined lifetime of the device. This is usually defined by the vendor based on whether it is possible to perform a complete proof test after installation. It is important to read and understand the Safety Manual of the device to determine whether a periodic functional test is required and to ensure that the specified lifetime is not exceeded.


For a PTC above 90%, training and competence of personnel are key factors. The table below provides guidance for the respective PTC level depending on the proof test procedure in place and the competence of the personnel, as per the Safety Critical Systems Handbook, Fourth Edition (2016).

| PTC | Description of requirements (for the process industry) | Applied to |
|---|---|---|
| 98% | Detailed written proof test procedure for each SIF, process variable manipulated and executive action confirmed, staff training. | Whole SIS loop (e.g. sensor and valve) |
| 95% | General written proof test procedures, process variable manipulated and executive action confirmed, some staff training. | Whole SIS loop (e.g. sensor and valve) |
| 90% | Some written proof test procedures, some uncertainty in the degree of fully testing, no records of adequate staff training, or SIF is complex which makes it difficult to fully test with full range of parameters. | Whole SIS loop (e.g. sensor and valve) |
| 80% | Proof test coverage for valve only, tight shut-off required but not fully confirmed. | Valve only |
| 50% | Proof test coverage only for sensor, where only the electrical signal is manipulated. | Sensor only |

An estimate of the typical interval (T2) for the non-proof-test coverage is 10 years, unless another interval can be supported.


The effect of proof testing is further illustrated in the figure below from the PDS Data Handbook (2021). If the PTC is 100%, the proof test is assumed to reveal all possible failures within the proof test interval and keep the PFDavg constant throughout the lifetime of the SIF. This means that the SIF is considered as new after the proof test. However, if the PTC is 98% or lower, which is more realistic for most components, the PFDavg will increase for each year in production as shown with the red coloured graph below.

Graph explaining the effect from proof testing

With a PTC below 100%, the PFDavg will increase each year in operation. Therefore, it is important to confirm that the SIF meets the SIL requirements during the operational phase, taking into account failure data from the operation. To improve the PFDavg, the PTI can be reduced, or the design of the SIF can be changed (e.g., change configuration or device type, etc.).
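The year-by-year increase described above, and the PTI re-evaluation discussed later under "Proof test follow-up during operations", can be worked through numerically. The following Python script is an added example, not from the original article or the handbooks it cites. It uses the common linear approximation for a single-channel (1oo1) SIF, ignoring common cause, repair time and online diagnostics: PFDavg ≈ PTC·λDU·T1/2 + (1−PTC)·λDU·T2/2, with T1 the proof test interval and T2 the interval (10 years, as in the table above) after which the failures the proof test cannot reveal are assumed to be cleared. The failure rate λDU = 5e-7 per hour and the other inputs in demo() are constructed, and the SIL bands are the low-demand PFDavg ranges of IEC 61508-1.

```python
"""PFDavg of a SIF with imperfect proof test coverage.

Added example, not part of the original article. It uses the common
linear approximation for a single-channel (1oo1) SIF, ignoring common
cause, repair time and online diagnostics:

    PFDavg ~= PTC * lambda_DU * T1 / 2  +  (1 - PTC) * lambda_DU * T2 / 2

T1 is the proof test interval, T2 the interval after which the DU
failures not revealed by proof testing are assumed to be cleared
(overhaul or replacement; the table in the text uses 10 years).
lambda_DU is the dangerous undetected failure rate per hour.
The numeric inputs in demo() are constructed for illustration only.
"""
from __future__ import annotations

HOURS_PER_YEAR = 8760.0


def sil_band(pfd_avg: float) -> int | None:
    """SIL whose low-demand PFDavg band (IEC 61508-1) contains the value, else None."""
    bands = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
    for sil, (low, high) in bands.items():
        if low <= pfd_avg < high:
            return sil
    return None


def pfd_avg(lambda_du: float, t1_years: float, ptc: float, t2_years: float = 10.0) -> float:
    """Lifetime-average PFD, combining the proof-tested and non-proof-tested parts."""
    tested = ptc * lambda_du * t1_years * HOURS_PER_YEAR / 2
    untested = (1.0 - ptc) * lambda_du * t2_years * HOURS_PER_YEAR / 2
    return tested + untested


def pfd_avg_in_interval(lambda_du: float, t1_years: float, ptc: float, k: int) -> float:
    """Average PFD during the k-th proof test interval (k = 1 is the first interval, as new).

    The proof-tested fraction is renewed at every test, so its contribution is
    constant. The fraction the test cannot reveal keeps accumulating, which is
    why the curve in the article rises interval by interval whenever PTC < 100 %.
    """
    lam_t1 = lambda_du * t1_years * HOURS_PER_YEAR
    tested = ptc * lam_t1 / 2
    untested = (1.0 - ptc) * lam_t1 * (k - 0.5)
    return tested + untested


def required_pti_years(lambda_du: float, ptc: float, target: float,
                       t2_years: float = 10.0) -> float | None:
    """Largest proof test interval (years) that still meets the target PFDavg.

    Returns None when the non-proof-tested part alone already exceeds the
    target: shortening the PTI cannot help, and the design (device type,
    configuration) must change, as the article notes.
    """
    untested = (1.0 - ptc) * lambda_du * t2_years * HOURS_PER_YEAR / 2
    if untested >= target:
        return None
    return 2.0 * (target - untested) / (ptc * lambda_du * HOURS_PER_YEAR)


def demo() -> None:
    lam = 5e-7          # constructed lambda_DU, per hour
    for ptc in (1.0, 0.98, 0.90):
        v = pfd_avg(lam, 1.0, ptc)
        print(f"PTC={ptc:.0%}: PFDavg={v:.2e} (SIL {sil_band(v)})")
    print("interval-by-interval with PTC 90 %:",
          [f"{pfd_avg_in_interval(lam, 1.0, 0.90, k):.2e}" for k in range(1, 6)])
    print("max PTI for 1e-2 at PTC 95 %:", required_pti_years(lam, 0.95, 1e-2))
    print("max PTI for 1e-3 at PTC 95 %:", required_pti_years(lam, 0.95, 1e-3))


if __name__ == "__main__":
    demo()
```

With PTC = 100 % the per-interval value stays at λDU·T1/2 for every interval, reproducing the flat line in the figure; with PTC < 100 % it climbs. required_pti_years() makes the article's caveat explicit: when the fraction the proof test cannot reveal already exceeds the target on its own, no reduction of the PTI will bring the SIF into its SIL band and the design itself must change.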


Difference between Proof Test Coverage (PTC) and Diagnostic Coverage (DC)?

The proof test coverage (PTC) defines the fraction of Dangerous Undetected (DU) failures detected by the proof test, while the Diagnostic Coverage (DC) defines the fraction of Dangerous and Safe Detected (DD and SD) failures detected by the SIS itself. DC includes both the component’s internal self-diagnostics and any external diagnostic facilities installed by the user.


Proof testing and diagnostics both intend to detect failures to ensure that the SIF is functioning as intended. The main practical difference between PTC and DC is that proof testing is performed manually by an operator, while diagnostics are performed automatically by the SIS. Upon diagnostic failure detection, the SIF/SIS should go to safe state and/or generate an alarm to the operator depending on the type of failure.


Proof test follow-up during operations

The Proof Test Intervals (PTI) shall, in accordance with IEC 61511-1, be re-evaluated at regular intervals based on the historical data from proof testing and other types of testing or inspections. If the failure rates are higher than expected, or if any other problems are identified for the SIF, the PTI can be reduced to account for this.


It is also important to review the proof test procedures during the operational phase to ensure that they are effective and work as intended. Of special importance is that any operational changes during the lifetime of the plant are recognised and updated in the PTPs for the affected SIFs, such as changes to:


  • Set points used for primary elements (transmitters, etc.), voting requirements, etc.

  • Functional requirements for the SIF and the final elements, like closure times for valves, internal leakage rates, etc.



© 2022 ORS Consulting. All Rights Reserved.
