Overview

On a live production facility, such as an Oil & Gas platform, the process is continuous, and any downtime caused by Safety Instrumented Function (SIF) testing can be very costly.

As these types of assets continue to push out planned maintenance outages to maximise production, new techniques are being explored to provide the same assurance and confidence that the asset's Safety Instrumented Systems (SIS) will perform as designed in the event of a potential major accident hazard.

This case study explores how SIF testing can be achieved through Sub System testing.

SIF Testing

Sub System Testing

Both the complete Safety Instrumented System (SIS) and its Safety Instrumented Functions (SIFs) can be defined as three separate sub systems;

  • Sensor Sub System
  • Logic Solver Sub System
  • Final Element Sub System

To validate the functionality of the SIS / SIF, end to end testing needs to be performed to ensure that activation of the Sensor, through the Logic Solver, to the Final Element, operates as designed.

Each SIF will have a proof test interval defined as part of its Safety Requirement Specification (SRS), detailing the timescale between performing end to end testing.

Traditional means of SIF testing will require the live production system to be utilised. By activating the sensor (via a test medium, test tool etc), the SIS will respond accordingly and the executive actions of primary and secondary final elements will activate.

The SIS / SIF subsystems can be defined from a Proof Testing perspective as;

  • Input Sub System
    • Sensor (Including field wiring and any interface devices (barriers etc))
    • SIS Input Module (Including termination boards)
    • SIS Application Software Input Processing Logic
  • Logic Solver Sub System
    • SIS Processor
    • SIS Application Software comprised of;
      • Input Processing Logic
      • Cause and Effect (C&E) Processing Logic
      • Output Processing Logic
  • Output Sub System
    • SIS Application Software Output Processing Logic
    • SIS Output Module (Including termination boards)
    • Final Element (Including field wiring and any interface devices (relays etc))


Input Sub System Testing

When performing Input / Sensor testing on the live production system, this can be carried out through inhibited testing.

By activating the maintenance inhibit on the Sensor within the Logic Solver (normally via HMI), this will defeat the C&E Logic and prevent the Final Elements from activating.

Activating the sensor in the field whilst inhibited on the live production system can provide the following;

  • Confirmation of field wiring between Sensor, any interface devices and the SIS Input Module.
  • Confirmation of Input Configuration and Channel Allocations etc within Logic Solver.
  • Confirmation of configured sensor ranges and trip settings, both within the Sensor and Logic Solver.
  • Confirmation of HMI functionality and communications.

An example Inhibited test can be shown below;

The above testing can be shown on the System Proof Testing Block Diagram, showing the elements covered by the Input Testing with Inhibits applied;

By performing inhibited testing of sensors, there is minimal risk to the continuous production and hence this testing can be performed at any time, normally as part of the annual Planned Maintenance (PM) activities.

Output Sub System Testing

When performing Output / Final Element testing on the live production system, this can be achieved by individual trip testing, allowing the individual output to be actioned without activating a C&E trip.

By activating the trip function on the Final Element within the Logic Solver (normally via HMI or SIS Engineering Workbench), the C&E Logic action is bypassed for the single Final Element, negating the need to activate Sensors, which would likely action multiple Final Elements.

Tripping a single Final Element on the live production system can provide the following;

  • Confirmation of HMI functionality and communications.
  • Confirmation of Output Configuration and Channel Allocations etc within Logic Solver.
  • Confirmation of field wiring between SIS Output Module, any interface devices and the Final Element.
  • Confirmation of any Final Element feedbacks (Valve Limit Switches, Switch Gear contacts etc)

An example Single Final Element Test can be shown below;

The above testing can be shown on the System Proof Testing Block Diagram, showing the elements covered by the Output Testing with a single Trip applied;

By performing single output trip testing of final elements, the risk to continuous production is significantly reduced. Plant operators can manage the process to account for a single trip accordingly (e.g. a single valve closing), whereas traditional SIF testing would activate multiple trips, which would be very difficult to perform without significant interruption to production.

Logic Solver Sub System Testing

The above sections detail how we can fully exercise the Input sub system and the Output sub system.

As shown above, the only element of the SIS/SIF that has not been tested is the C&E Processing Logic.

Validating the C&E logic from sensor to final element on the live production facility will have significant impact on production, even for the most basic SIF. To mitigate this risk, off-site testing can be completed.

Assuming that the Logic Solver Sub System can be configured away from site, the C&E Processing Logic can be tested independently of the live production facility.

To take any credit for this off-site testing the following must be true;

  • SIS Logic Solver Application used for the testing is not modified or translated in any way from the Live Production System's version.
  • Testing on OEM approved equipment, either physical Logic Solver or OEM supplied emulator.
  • Testing must activate Input Channels and monitor Output Channels.

Off-site C&E Processing Logic Testing can provide the following;

  • Confirmation of Input Configuration within Logic Solver.
  • Confirmation of configured sensor ranges and trip settings within the Logic Solver.
  • Confirmation of C&E Logic, including voting, time delays, resets.
  • Confirmation of Output Configuration within Logic Solver.

The above testing, assuming that the conditions of testing have been met, can be shown below;

This testing can be completed for the individual SIF / Cause and Effect function, or for the complete SIS.

The following sections will detail how this off-site testing can be achieved utilising Automated Validation tools.

Combining Test Evidence

Assuming that the Input Sub System testing, Output Sub System testing and Logic Solver Sub System testing are completed as defined above, full credit for our end to end testing can be taken, whilst minimising the risk to production as far as practicable.

The below shows the interaction between the different proof test stages, showing where the Logic Solver elements are covered by multiple tests.

Automated Logic Testing

Off-site testing of the Logic Solver can be achieved manually for individual SIFs, but it quickly becomes a time intensive exercise for the full SIS. Utilising Automated Logic Validation tools, we can complete the Logic Solver Sub System testing in a controlled and cost effective manner, for all SIFs defined within the SIS.

Using VESTA, Process Safety Solutions' automated validation software, a 100% automated C&E test of the SIS Application Software can be completed, covering all functions, including voting and time delays.

To allow the VESTA testing to meet the requirements of the Logic Solver Sub System defined above, the following requirements have to be met;

Proof Testing Requirement: SIS Logic Solver Application used for the testing is not modified or translated in any way from the Live Production System's version.

VESTA capabilities:

  • VESTA interfaces with a large number of SIS Logic Solver Targets (both Physical and OEM Emulators) via communication protocols.
  • To perform VESTA testing, the live production version of the SIS application logic is utilised and loaded onto the Logic Solver Target using the OEM's engineering workbench.
  • No modification or translation of the application software is required to perform VESTA testing.
  • VESTA does not perform any simulation. Input points are exercised and output points are monitored.

Proof Testing Requirements:

  • Testing on OEM approved equipment, either physical Logic Solver or OEM supplied emulator.
  • Testing must activate Input Channels and monitor Output Channels.

VESTA capabilities:

  • VESTA treats the SIS as a "Black Box" system and has no intimate knowledge of the SIS Application Software.
  • VESTA utilises the outermost points of the SIS application logic possible, which are normally the I/O channels used by the application (the same points logically connected to the Input / Output Modules). By using the I/O channels, the off-site testing fully exercises the Input Processing and Output Processing logic elements of the application.

Assuming that all Sensors, Final Elements and the live production SIS hardware are maintained in line with the SRS by the site maintenance team, an annual VESTA test of the SIS, providing 100% test coverage of the Application Software Logic, provides coverage for all SIFs contained within the SIS, including the testing of all Primary and Secondary actions.
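As an added example (not code from this page, from VESTA or from Process Safety Solutions), the following toy logic block and black-box proof test illustrate the Logic Solver Sub System checks described above and in the off-site testing section (voting, time delay, maintenance inhibit and reset), driven purely from input channels and observed only at output channels. The tag names (PT-101, XV-101 etc.), the 2oo3 vote and the 5 s delay are assumptions for the illustration.

```python
"""Added example, not VESTA or Process Safety Solutions code: a toy SIF
logic block and a black-box proof test that only drives input channels and
observes output channels, covering voting, time delay, inhibit and reset."""
from dataclasses import dataclass, field

@dataclass
class SifLogic:
    """Hypothetical SIF: 2oo3 high-pressure vote, 5 s pre-trip delay, latched
    trip of primary and secondary valves; inhibited sensors vote 'healthy'."""
    delay_s: float = 5.0
    inhibited: set = field(default_factory=set)   # maintenance inhibits (tags)
    timer: float = 0.0
    tripped: bool = False

    def scan(self, inputs: dict, dt: float, reset: bool = False) -> dict:
        votes = sum(1 for tag, hi in inputs.items() if hi and tag not in self.inhibited)
        demand = votes >= 2                     # 2oo3 voting
        self.timer = self.timer + dt if demand else 0.0
        if self.timer >= self.delay_s:
            self.tripped = True                 # latched trip after the delay
        if reset and not demand:
            self.tripped = False                # reset only once demand has cleared
        return {"XV-101": self.tripped, "XV-102": self.tripped}

def run_case(logic, steps):
    """Each step is (inputs, reset) for one 1 s scan; returns XV-101 per scan."""
    return [logic.scan(inputs, 1.0, reset)["XV-101"] for inputs, reset in steps]

HI = {"PT-101": True, "PT-102": True, "PT-103": False}    # constructed 2oo3 demand
ONE = {"PT-101": True, "PT-102": False, "PT-103": False}  # constructed 1oo3 demand
OK = {"PT-101": False, "PT-102": False, "PT-103": False}  # constructed healthy state

def proof_test():
    """Run the C&E checks a logic-solver proof test must evidence."""
    r = {}
    r["1oo3_no_trip"] = not any(run_case(SifLogic(), [(ONE, False)] * 10))
    t = run_case(SifLogic(), [(HI, False)] * 6)             # trips on the 5th scan
    r["2oo3_trips_after_delay"] = t == [False] * 4 + [True] * 2
    t = run_case(SifLogic(), [(HI, False)] * 4 + [(OK, False)] + [(HI, False)] * 4)
    r["short_demand_no_trip"] = not any(t)                  # delay timer restarts
    r["inhibit_defeats_trip"] = not any(run_case(SifLogic(inhibited={"PT-101"}), [(HI, False)] * 10))
    logic = SifLogic()
    run_case(logic, [(HI, False)] * 5)                      # latch the trip
    still = run_case(logic, [(HI, True)])[0]                # reset ignored: demand present
    cleared = run_case(logic, [(OK, True)])[0]              # reset accepted: demand cleared
    r["reset_needs_demand_cleared"] = still and not cleared
    return r
```

Each key in the returned dictionary corresponds to one row of evidence a proof test record would carry; a False value is a failed C&E check.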

Automated Logic Testing Examples

Full System VESTA Testing

The following is a real-world example completed by Process Safety Solutions for one of our supported clients;

To support proof testing of plant SIFs, an Annual VESTA test on all plant SIS is required. This is to limit the risk to production on site and to significantly reduce the personnel required on site to conduct the testing.

Utilising VESTA to test the application logic of the SIS, which comprises 1 ESD node, 2 PSD nodes and 2 F&G nodes, and utilising test definitions from CERES and LEDA (Process Safety Solutions' C&E and Logigram Management Software), the full 100% logic testing was conducted off site.

  • Over 1,300 tests completed.
  • Over 5,000,000 state changes actioned.
  • 3,000 I/O.
  • Less than one week to complete.

This testing was done by running the site versions of the application logic on OEM supplied logic solver targets.

It is estimated that ~16,000 Hours are saved annually (assuming 2 SIF tests per shift by 2 technicians) by deploying the automated test strategy.

In reality, if all SIFs were tested on the live production facility, it could feasibly take over 300 days (assuming 4-5 SIFs per day) to complete. This means an ~80% plant outage each year for SIF testing only.

Assuming the production facility generates £1m per day and a ~80% plant outage each year for SIF testing, automated testing can prevent the loss of ~£300m each year.

Specific SIF VESTA Testing

The following is a real-world example completed by Process Safety Solutions for one of our supported clients;

A requirement to test a large number of SIS inputs and outputs was raised when two packages, which contained SIFs, were to be re-instated after being offline for a number of years.

Sensor and Final Element Testing could be completed on site but due to the interaction of Secondary Trip actions, C&E testing was being denied by operations.

As this client had their systems supported by the Process Safety Management Suite, with their Cause and Effects managed by CERES and Automated Testing performed by VESTA, the setup and testing of the required SIFs took less than 4 engineering hours to complete.

The testing required related to ~20 Sensors and ~1,100 Final Elements, and involved voting and time delay functions.


Written by Myles Gowen MEng CEng FSEng (TÜV Rheinland) RFSE MInstMC


HMI Screenshots developed by Process Safety Solutions utilising CODRA Panorama E2