
ISA S84.01
Application of Safety Instrumented Systems for the Process Industry

Testing of SIS Valves


ISA SP84.01 Origins / Direction
• Grew out of OSHA (1910.119) and EPA (40CFR
Part 68) mandates
• ISA specification will be superseded by IEC
61511, Functional safety of Safety Instrumented
Systems for the Process Industry Sector
• IEC 61511 imposes additional redundancy
requirements to achieve high SIL rating; these can
be mitigated where diagnostics are shown to be
used to provide predictive maintenance.
ISA SP84-01 Requirements
• 1.1.2 The SIS includes all elements from sensor to the final
element, including inputs, outputs, power supply and logic
solvers. SIS user interface may be in the SIS.
• 1.1.3 Other interfaces to the SIS are considered part of the
SIS if they have potential impact on its safety function.
• 7.9.3 a) SIS shall be designed in accordance with the
maintenance and testing requirements defined in the Safety
Requirement Specifications.
• 7.9.1 Where the interval between scheduled process
downtime is greater than the functional test interval, then
on-line testing facilities are required.
ISA SP84-01 Requirements
• 9.7 Functional testing - Not all system faults are self
revealing. Covert faults that may inhibit SIS action can
only be detected by testing the entire system.
• 9.7.1 Periodic functional tests shall be conducted using a
documented procedure to detect covert faults that prevent
the SIS from operating as per the Safety Requirement
Specifications.
• 9.7.2 The entire SIS shall be tested including the
sensor(s), the logic solver, and the final element(s) (e.g.
shutdown valves, motors)
• Integral (entire system) testing not required except for pre-
startup acceptance
ISA SP84-01 Requirements (cont’d)
• 7.9.3 b) The operator shall be alerted to the
bypass of any portion of the SIS via an alarm
and/or operating procedure. (ISA S84.01)
• 7.9.3 c) Bypassing of any portion of the SIS shall
not result in the loss of detection and/or
annunciation of the condition being monitored.
(ISA S84.01)
ISA SP84-01 Requirements (cont’d)
• The PFD for the entire SIS is the sum of the PFD
for each element.
• Low complexity Field devices contribute most to
total PFD.
• “85% of the PFD is allocated to the field devices
and the remaining 15% to the Programmable
Electronic System. Any safety system design that
does not fully comprehend the effect of the field
devices (sensor and final control elements) is
woefully incomplete and consequently
inadequate.”
(ISA S84.01)
Probability of Failure (PFD)
$$PFD = \lambda_D \cdot \frac{TI}{2}$$
Where
$\lambda_D$ = component dangerous failure rate (1)
$TI$ = testing interval
$$PFD = DC_{pt} \cdot \lambda_D \cdot \frac{TI_{pt}}{2} + (1 - DC_{pt}) \cdot \lambda_D \cdot \frac{TI_{ft}}{2}$$
Where
$DC_{pt}$ = Diagnostic Coverage Factor
$TI_{pt}$ = testing interval, partial stroke
$TI_{ft}$ = testing interval, full stroke
(1) See OREDA, 1997
Safety Integrity Level (SIL)
• SIL 1: $10^{-1} > PFD > 10^{-2}$
• SIL 2: $10^{-2} > PFD > 10^{-3}$
• SIL 3: $10^{-3} > PFD > 10^{-4}$
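As an added worked example (not part of the original presentation), the two PFD formulas, the SIL bands and the "sum of element PFDs" rule can be carried through in Python. The failure rate, diagnostic coverage, test intervals and sensor/logic solver PFDs are constructed values, and treating each band's lower bound as inclusive is an assumption.

```python
# Added example: the slide's PFD formulas; every numeric input is constructed.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3)}

def pfd_full_stroke(lambda_d, ti_ft):
    """PFD = lambda_D * TI / 2, full stroke testing only (rate per hour, TI in hours)."""
    return lambda_d * ti_ft / 2

def pfd_partial_stroke(lambda_d, dc_pt, ti_pt, ti_ft):
    """PFD = DC_pt*lambda_D*TI_pt/2 + (1 - DC_pt)*lambda_D*TI_ft/2."""
    if not 0.0 <= dc_pt <= 1.0:
        raise ValueError("diagnostic coverage must be within [0, 1]")
    return dc_pt * lambda_d * ti_pt / 2 + (1 - dc_pt) * lambda_d * ti_ft / 2

def sil_band(pfd):
    """Return the SIL (1-3) whose band contains pfd, or None outside those bands.
    Assumption: the lower bound of each band is inclusive."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None

def max_full_stroke_interval(lambda_d, target_pfd, dc_pt=0.0, ti_pt=0.0):
    """Longest full stroke interval (hours) that keeps PFD at or below target_pfd,
    obtained by solving the partial stroke formula for TI_ft."""
    partial_term = dc_pt * lambda_d * ti_pt / 2
    if partial_term >= target_pfd:
        raise ValueError("partial stroke term alone exceeds the target PFD")
    if dc_pt >= 1.0:
        return float("inf")  # nothing is left for the full stroke test to find
    return 2 * (target_pfd - partial_term) / ((1 - dc_pt) * lambda_d)

def sis_pfd(element_pfds):
    """PFD of the whole SIS as the sum of the element PFDs (sensor, logic solver, valve)."""
    return sum(element_pfds)

if __name__ == "__main__":
    lam, dc = 3e-6, 0.6            # constructed: dangerous failures/hour, DC_pt
    monthly, yearly = 730, 8760    # test intervals in hours
    full = pfd_full_stroke(lam, yearly)
    mixed = pfd_partial_stroke(lam, dc, monthly, yearly)
    print(f"full stroke only : PFD={full:.3e} SIL {sil_band(full)}")
    print(f"with partial test: PFD={mixed:.3e} SIL {sil_band(mixed)}")
    print(f"max TI_ft, PFD<=1e-2: {max_full_stroke_interval(lam, 1e-2, dc, monthly):.0f} h")
    # Constructed sensor and logic solver PFDs added to the valve's.
    print(f"whole SIS        : {sis_pfd([1e-3, 5e-4, mixed]):.3e}")
```

With these constructed inputs, yearly full stroke testing alone leaves the valve in the SIL 1 band, while adding a monthly partial stroke test at 60% coverage brings it into the SIL 2 band.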
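[Figure: Graph of PFD against time. Vertical axis: operational unavailability (10^-1, 10^-2, 10^-3; 90%, 50%, 10%). Horizontal axis: test interval time, starting at t=0.]

[Figure: Graph of PFD against time, operational unavailability to achieve SIL level. Vertical axis: 10^-1 (SIL 1), 10^-2 (SIL 2), 10^-3 (SIL 3). Horizontal axis: time from t=0, with three tests marked.]

[Figure: Graph of PFD against time to achieve SIL 2. Vertical axis: operational unavailability, 10^-1 (SIL 1), 10^-2 (SIL 2), 10^-3 (SIL 3). Horizontal axis: time from t=0, with six tests marked.]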
Factors Affecting Testing Frequency
• SIL Level
• Failure rate of valve in intended service
• Valve manufacturer’s recommendation
• Operational constraints
• Level of redundancy
• Good engineering practice
On-Line SIS Valve Testing Alternatives
• Bypass Valves
• Partial Stroke Testing
Bypass Valves
Pros
• “Complete” diagnostic coverage factor
• Can allow for ESD valve removal / repair with unit running
Cons
• Expensive
• May limit process throughput unless full size bypass used
Partial Stroke Testing
• Allows more flexible testing intervals
• Diagnostic coverage credit varies from
50% - 70% (vs. full stroke test) for
detecting the valve's dangerous failure modes;
DCpt is a function of the specific partial stroke
mechanism used
Partial Stroke Testing
Mechanical / Jammers
Pros
• High Diagnostic Coverage
• Simple
• Generally inexpensive
Cons
• Labor intensive
• Require tight administrative procedures
• Added risk of spurious trip
• No diagnostics
• Valve unavailable during test
Partial Stroke Testing (Cont’d)
SIS Logic Solver
Pros
• High Diagnostic Coverage
• Can provide diagnostics
• Testing can be automated
• Valve available during test
Cons
• Generally expensive
• Added software in logic solver
• Added risk of spurious trip
• Violates principle of using separate technology / hardware between DCS, SIS and testing
Partial Stroke Testing (Cont’d)
Proportional Control
Pros
• Can provide diagnostics
• Testing can be automated
• Valve available during test
Cons
• Requires addition of digital valve positioner (adds to system PFD)
• Higher wiring costs
• May not have high diagnostic coverage
• Doesn’t test valve at actual speed of operation
• Increased spurious trip rate
Partial Stroke Testing (Cont’d)
Manufacturer “D”
Pros
• Provides diagnostics
• High diagnostic coverage
• Testing can be automated
• Valve available during test
• Tests valve in real time operating speed
• Does not increase PFD of system
• Available feature to allow data capture during trip
Cons
• Higher wiring costs
• Slightly increased spurious trip rate
Conclusion
• Testing of SIS valves represents a
significant challenge, involving safety and
operational constraints
• Partial stroke testing can:
– Provide improvement in PFD over full stroke
testing alone
– Provide diagnostic capability about current
valve operation and future potential failures
Presentation facilitated by
Process Safety Systems
in conjunction with

The Drallim LMT System

And International/Company
Standards on Safety Related
Systems.

D.M.Essam Drallim Industries Ltd
