By Rick Hanner (CFSE, ISA 84 Ex.) & Keith Brumbaugh (CFSE, PE)
This blog post will examine the concept of taking proof test credit for an unplanned shutdown in order to delay a Safety Instrumented Function (SIF) proof testing deadline. If scheduled outages go according to plan, this is unnecessary; however, when an outage gets postponed, credit for the unplanned trip may be needed to confirm the SIF still achieves its target risk reduction.
Safety Instrumented Functions (SIFs) are required to be proof tested at specific intervals (expressed in months or years) in order to justify the calculated probability of failure on demand. Proof tests are performed to detect dangerous covert failures, which can render the SIF inoperable when it is most needed during a hazardous event. These proof tests are given a specified amount of coverage expressed as a percent of the dangerous failures detected vs total failures (detected and undetected).
A proof test is typically undertaken during scheduled plant outages (for example, a turnaround). Unfortunately, the timing of an outage often shifts due to external circumstances. If the calculated SIF proof test interval is equal to the outage timing, then delaying an outage could result in a SIF that is no longer meeting its calculated probability of failure on demand. If the delay is long enough, the SIF could potentially fall below its performance target. This could result in the plant operating with an unmitigated risk gap.
The concept of taking credit for an unplanned shutdown boils down to the fact that during an unplanned shutdown, all devices will typically trip and move to their safe state. This would apply to almost any SIF’s final elements (typically a valve or a pump). Using valves for example, many SIF valves are fail closed. If the air is vented from the actuator, or if the power is removed, the valve should close. If a final element is able to transition from the operating state to the safe state, and the transition can be proven, this is proof of the final element’s ability to function on demand. This actuation can be assigned appropriate coverage credit, and the credit can be applied to satisfy part of the SIF proof testing requirements, allowing for a delay in the full proof test.
What devices can we take credit for?
When determining what devices to credit in a trip, we need to examine what sensors, logic solvers, and final elements were involved. The first question we want to answer is what caused the trip: the SIF sensor or something else? For the logic solver, we need to determine how the trip was commanded. For the final element, we need to figure out what moved (or stopped moving).
Typically, SIF sensors will not be demanded during an unplanned shutdown. These devices are monitoring for a process upset. Unless the unplanned shutdown was caused by a process excursion involving the actual SIF, the SIF sensor will be reading normal during the trip. Consequently, there would be no proof of the successful function of the sensor. Fortunately, this is not typically an issue, as sensors are rarely the driving factor in a SIL calculation.
For final elements such as valves, the valve body can almost always receive credit as long as it moved. The actuator, solenoid, and positioner will need a closer look, as will the mechanism that performed the trip of the valve. The user needs to consider what form of actuator and solenoid (or other positioner) was involved in the trip. This particularly makes a difference when a smart SIL-certified positioner is used rather than a solenoid. If the SIS logic did not demand the trip, it is possible the solenoid never moved and thus would not receive credit. On the other hand, when a valve uses a SIL-certified positioner, these are often driven to 0% during a shutdown by either the SIS logic solver, or even at the request of the BPCS logic solver. Solenoids and positioners operate differently, so moving a positioner is not the same as breaking the circuit of a solenoid. The same concepts apply to other types of final elements. For example, for equipment driven by a motor, we need to figure out whether the motor was stopped by the SIF relay or a BPCS relay.
How much credit can we take?
The next important question we need to answer is how much coverage credit we can take. Crediting the equivalent of a full stroke proof test is not recommended for an unplanned shutdown. In SIL calculations for valves, varying amounts of credit are given depending on whether you are performing a full stroke test or a partial stroke test, with the amount of credit determined by the robustness of the test. For example, a full stroke proof test could provide 90% proof test coverage, particularly if a leak test is performed. A partial stroke test might give 60% credit for moving the valve a minimal amount closed and then back open within a few seconds. As one would expect, the partial stroke would detect only a subset of the failures that would be detected by the full stroke proof test. Because the partial stroke test only strokes the valve through a portion of its total travel (and doesn’t fully close it), the partial stroke test would tell nothing about the integrity of the valve seat and associated leakage.
The amount of credit possible due to an unplanned trip will not be the same as a full stroke proof test credit. The practitioner would need to examine what portion of failures would be detected during an unplanned trip (much like the partial stroke test). For example, the practitioner might assume the valve moved from the unsafe state to the safe state during the shutdown, but this would need to be proven. They might look to see if there is valve position feedback, including possibly a physical valve inspection at the time of the trip. If the practitioner does not have any indication that the valve moved, then it’s not possible to say the valve actually did. It is possible some other equipment brought the process to the safe state independent of the valve. Without feedback from the actual valve, the practitioner will never know if the valve actually moved.
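To put numbers on the trade-off described above (a delayed full stroke test, with or without partial credit for a confirmed unplanned trip), here is an added worked calculation that is not part of the original post. It uses a simplified imperfect-proof-test model: dangerous undetected failures are split into the fraction a confirmed trip reveals, the fraction only a full stroke test reveals (seat leakage, for instance), and the fraction neither reveals; every rate, interval and coverage value is constructed for illustration, and the 1e-2 limit is simply the upper bound of the SIL 2 band.

```python
"""PFDavg of a fail-closed valve: on-schedule test vs delayed test, with and
without credit for a confirmed unplanned trip. All inputs are constructed."""

LAMBDA_DU = 0.005           # dangerous undetected failure rate, per year (constructed)
MISSION_YEARS = 12.0        # device replaced at end of mission (constructed)
FULL_TEST_COVERAGE = 0.90   # full stroke plus leak test (figure quoted in the post)
TRIP_COVERAGE = 0.60        # partial-stroke-like credit for a confirmed trip (post's figure)
SIL2_LIMIT = 1e-2           # SIL 2 band is 1e-3 <= PFDavg < 1e-2


def mean_time_since_event(event_times, horizon):
    """Time-average of (t - time of last revealing event) over [0, horizon].
    Unavailability is taken as lambda*t, the usual linear approximation,
    so the guard below rejects gaps where that approximation breaks down."""
    times = sorted(t for t in event_times if 0 < t < horizon)
    bounds = [0.0] + times + [horizon]
    gaps = [b - a for a, b in zip(bounds, bounds[1:])]
    if LAMBDA_DU * max(gaps) > 0.1:
        raise ValueError("linear approximation not valid for gaps this long")
    return sum(g * g for g in gaps) / (2.0 * horizon)


def pfd_avg(full_test_years, trip_years=(), trip_confirmed=False):
    """PFDavg over the mission. A trip earns credit only when position
    feedback (or an inspection) confirmed the valve actually moved."""
    credited_trips = list(trip_years) if trip_confirmed else []
    f_trip = TRIP_COVERAGE                          # revealed by full test OR confirmed trip
    f_full_only = FULL_TEST_COVERAGE - TRIP_COVERAGE  # revealed only by full stroke + leak test
    f_never = 1.0 - FULL_TEST_COVERAGE              # revealed by neither; cleared at replacement
    t_trip = mean_time_since_event(list(full_test_years) + credited_trips, MISSION_YEARS)
    t_full = mean_time_since_event(full_test_years, MISSION_YEARS)
    t_never = mean_time_since_event([], MISSION_YEARS)
    return LAMBDA_DU * (f_trip * t_trip + f_full_only * t_full + f_never * t_never)


def scenarios():
    """Turnarounds planned every 3 years; the delayed case slips each by a year."""
    return {
        "on_schedule": pfd_avg([3, 6, 9]),
        "delayed_no_credit": pfd_avg([4, 7, 10]),
        "delayed_unconfirmed_trip": pfd_avg([4, 7, 10], trip_years=[3], trip_confirmed=False),
        "delayed_confirmed_trip": pfd_avg([4, 7, 10], trip_years=[3], trip_confirmed=True),
    }


if __name__ == "__main__":
    for name, pfd in scenarios().items():
        verdict = "OK" if pfd < SIL2_LIMIT else "EXCEEDS SIL 2 LIMIT"
        print(f"{name:26s} PFDavg = {pfd:.5f}  {verdict}")
```

With these inputs the one-year slip alone pushes PFDavg from 0.00975 to 0.010125, out of the SIL 2 band, while a confirmed trip at year 3 brings it to 0.009375; an unconfirmed trip changes nothing, which is the point the text makes about position feedback.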
For motor driven equipment, positive indication of motor stoppage should be examined. For other types of final elements, such as electrostatic precipitators, credit for an unplanned trip requires verification by other means.
Finally, we should confirm our devices are still operating within their design parameters (e.g. have they exceeded their manufacturer-recommended replacement interval?). Useful life is typically provided by the device vendor and has various connotations, one of which is how long a device’s failure rates are considered valid. If useful life is exceeded, the device may no longer have the same failure rate assumed in the SIL calculation. Useful life is typically longer than the proof test interval, and it becomes more relevant to this discussion as the device ages. If the useful life will be expended by the next planned test, and the credit for the unplanned shutdown will push the turnaround beyond the useful life, then the device should be replaced during the unplanned shutdown.
In summary, credit can be taken for an unplanned shutdown, but there must be careful consideration of the circumstances and justification. A primary concern in this process is that over-crediting the test can lead to non-conservative results and additional risk. The practitioner must understand the mechanics of the unplanned shutdown to ensure appropriate credit is taken.