Testing of safety systems17 September 2020

A new publication from the Engineering Equipment and Materials Users Association offers practical guidance on some of the problems which have to be dealt with when testing real process plant equipment. Here, the organisation introduces the topic and the document.

The need to do thorough testing of safety instrumented systems (SIS) is well known and obvious, because their function is explicitly to provide protection. However, a thorough testing approach should be applied to all systems used to provide risk reduction against a safety hazard, such as all instrumented protective systems (IPS).

The American Institution of Chemical Engineers defines an IPS as “a safety system composed of a separate and independent combination of sensors, logic solvers, final elements, and support systems that are designed and managed to achieve a specified risk reduction.”

This explanation includes SIS, but is much more general. Another reads: “Instrumented protective systems are any instrumented function designed to protect against a hazard with any integrity. IEC 61511-1 places specific requirements on safety instrumented functions (SIFs), which are IPS protecting safety hazards with a required integrity of SIL1 or above.” SIL1, safety integrity level 1, is the lowest of four levels defined in functional safety standard IEC EN 61508, and corresponds to a probability of dangerous failure on demand of 0.1-0.01.

That definition comes from ‘Proof testing good practice for Instrumented Protective Systems’, EEMUA 242, which is intended for site engineers working with system designers on new IPS, but is also helpful for legacy IPS where documentation of the design is incomplete. Its emphasis is on the practical aspects of proof testing, given that every process plant has its own specific requirements and that the ideal of out of service end-to-end testing may rarely be achievable because of operating constraints.

Returning to those systems, an IPS may include many of the following:

● Input devices including primary sensors and input modules

● Logic associated with each input device

● Logic associated with combined inputs

● Alarm functions

● Logic programs

● Final control elements and output modules

● Computational functions

● Manual trip(s) to bring the system to its safe state

● User diagnostics.

It isn’t sufficient to test each of these in isolation. What is needed is a convincing demonstration that the whole ensemble works end-to-end as expected in all credible circumstances. This is usually not a trivial exercise, and needs careful planning, especially if the testing is to proceed while the plant is operational.


A practical proof test may consist of all or some of the following:

● Scheduled on-line proof testing of the functioning of an IPS by carrying out a test that is as close to end-to-end as possible, but may include alternative methods of observing the process connection of sensors and/or partial testing of final elements

● Scheduled on-line proof testing by partial stroking of final elements through intelligent positioner tests

● Scheduled off-line proof testing of the full functioning of final elements

● Scheduled testing and overhaul of final elements to ensure leak tightness to required standards

● Scheduled off-line testing of diagnostic functions of components and their systems for ensuring appropriate response, such as alarms

● Scheduled testing of supporting systems, where required for safety

● Scheduled inspection/maintenance.

Where such a suite of tests is required, choosing and scheduling individual tests is part of specifying the proof testing requirements, and sets the test coverage for the demonstration of achieved SIL.

The suite of tests should aim to achieve a test coverage of 100% at some test interval, as otherwise a calculation of average probability of failure on demand (PFDavg) will result in an ever-increasing value.

The suite of tests must be scheduled in the maintenance management system and their results recorded in order to demonstrate successful proof testing.


What is included in practical proof tests? There is a hierarchy of tests that can be carried out which each have decreasing proof test coverage. As the proof test coverage decreases, alternative methods of revealing hidden failures must be developed (and possibly implemented off-line on longer intervals) for the parts of the IPS that are missed by the test.

For example, for testing sensors, such a hierarchy might have four levels. First could be a real process test – a test where process fluids at process conditions are used is the most realistic test of a sensor. However, this may often not be feasible without actually introducing the process hazard that the system is designed to protect against. Second could be an injected process test – a test where a simulation fluid is injected into the sensor as if it is process fluid. Third could be simulation of a process value on a sensor – a test where a smart sensor is instructed to act as though it has sensed a given process value. Fourth could be simulation of electrical signal from sensor – a test where the electrical signal (typically 4-20mA or Volt-free contact) is injected into the transmission from the sensor, or the sensor is instructed to give a particular electrical output.

Clearly it will be preferable to use the methods which are higher in the list and give higher proof test coverage if possible. This must be balanced against practicality, particularly if testing is carried out with the plant on line.

Likewise, for final elements, such as valves, there is a hierarchy for testing. At the top is a real flow stop – a test where the process can tolerate a real activation of the IPS so as to prove that the final action of the valve is successful in interrupting the flow of process fluid. Below that is a full travel test – a test where the process is not operating or the valve is bypassed and the IPS can be activated to cause the valve to fully travel. Below that is a partial travel test – a test where the valve is caused to move over a (usually small) portion of its overall travel.

Many system components include user diagnostics, which should form a part of the proof testing. The manufacturer’s advice should be followed.

Some IPS depend upon a supporting system such as a UPS, a hydraulic reservoir, or steam-traced impulse lines for correct operation. It is important to include those in the proof testing.

Redundant equipment in IPS, such as 1-out-of-n voted relays, or stopping multiple spared motor drives, introduce their own problems for testing. All paths through the system must be tested to ensure that all functionality is operational and all failure modes revealed. It may not be sufficient to trigger a test and observe the end result, as failures may not be revealed in redundant equipment.

Bypasses or overrides are sometimes available to facilitate testing. These may not simply consist of key overrides, but also include operation of field valves, and jamming mechanisms for valves. Their use needs care, and the test should ensure they are returned to normal at the end of testing.

Proof testing is carried out by humans, and good design of the test to avoid human failings is of utmost importance. Ensuring that the testing is in the best sequence to reveal errors in the most important parts of the test is critical. Suitable checks and second-set-of-eyes techniques should be designed in.

EEMUA 242, Proof Testing Good Practice for Instrumented Protective Systems, gives guidance on all the above and more.


Related Companies

This material is protected by MA Business copyright
See Terms and Conditions.
One-off usage is permitted but bulk copying is not.
For multiple copies contact the sales team.