
TECHNICAL REPORT ISA-TR84.00.03-2012

Mechanical Integrity of Safety Instrumented Systems (SIS)

Approved 28 August 2012


ISA-TR84.00.03-2012 Mechanical Integrity of Safety Instrumented Systems (SIS) ISBN: 978-1-937560-57-7 Copyright © 2012 by ISA. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, North Carolina 27709


- 3 - ISA-TR84.00.03-2012

Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.03-2012.

This document has been prepared as part of the service of ISA towards a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: [email protected].

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION — ISA ADHERES TO THE POLICY OF THE AMERICAN NATIONAL STANDARDS INSTITUTE WITH REGARD TO PATENTS. IF ISA IS INFORMED OF AN EXISTING PATENT THAT IS REQUIRED FOR USE OF THE DOCUMENT, IT WILL REQUIRE THE OWNER OF THE PATENT TO EITHER GRANT A ROYALTY-FREE LICENSE FOR USE OF THE PATENT BY USERS COMPLYING WITH THE DOCUMENT OR A LICENSE ON REASONABLE TERMS AND CONDITIONS THAT ARE FREE FROM UNFAIR DISCRIMINATION.

EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS DOCUMENT, THE USER IS CAUTIONED THAT IMPLEMENTATION OF THE DOCUMENT MAY REQUIRE USE OF TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES NO POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE INVOLVED IN IMPLEMENTING THE DOCUMENT. ISA IS NOT RESPONSIBLE FOR IDENTIFYING ALL PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION OF THE DOCUMENT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS BROUGHT TO ITS ATTENTION. THE USER SHOULD CAREFULLY INVESTIGATE RELEVANT PATENTS BEFORE USING THE DOCUMENT FOR THE USER’S INTENDED APPLICATION.

HOWEVER, ISA ASKS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS DOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER’S PARTICULAR CIRCUMSTANCES. THE USER MUST ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

THE USER OF THIS DOCUMENT SHOULD BE AWARE THAT THIS DOCUMENT MAY BE IMPACTED BY ELECTRONIC SECURITY ISSUES. THE COMMITTEE HAS NOT YET ADDRESSED THE POTENTIAL ISSUES IN THIS VERSION.

The following served as members of ISA84 in developing this technical report:

NAME, COMPANY
W. Johnson (Chair), Consultant
V. Maggioli (Co-Managing Director), Feltronics Corp
D. Zetterberg (Co-Managing Director), Chevron Energy Technology Company
K. Gandhi (Working Group Chair), KBR
A. Summers (Working Group Editor), SIS-TECH Solutions LP
R. Adamski, RA Safety Consulting LLC
T. Ando, Yokogawa Electric Co
R. Avali, Westinghouse Electric Corp
L. Beckman, Safeplex Systems Inc
J. Campbell, Consultant
I. Chen, Aramco
R. Chittilapilly, Oil & Natural Gas Corp
M. Coppler, Det Norske Veritas Certification Inc
M. Corbo, ExxonMobil
P. Early, Langdon Coffman Services
C. Fialkowski, Siemens Inc
I. Gibson, Consultant
J. Gilman, JFG Technology Transfer LLC
W. Goble, Exida Com LLC
P. Gruhn, ICS Triplex
B. Hampshire, BP
J. Harris, UOP A Honeywell Company
J. Jamison, EnCana Corporation Ltd
R. Johnson, Consultant
K. Klein, Chevron
T. Layer, Emerson Process Management
E. Marszal, Kenexis Consulting Corp
N. McLeod, ARKEMA
M. Mollicone, SYM Consultoria
G. Ramachandran, Systems Research Intl Inc
R. Roberts, Suncor Energy Inc
M. Scott, AE Solutions
D. Sniezek, Lockheed Martin Federal Services
C. Sossman, CLS Tech-Reg Consultants
R. Strube, Universal Instruments Corporation
L. Suttinger, Savannah River Nuclear Solutions
T. Walczak, Conversions Inc
M. Weber, System Safety Inc
A. Woltman, Shell Projects and Technology-Engineering
P. Wright, BHP Engineering & Construction Inc


This technical report was approved for publication by the ISA Standards and Practices Board on 28 August 2012.

NAME, COMPANY
D. Dunn (Vice President), Aramco Services Co.
D. Bartusiak, ExxonMobil Chemical Co.
P. Brett, Honeywell Inc.
J. Campbell, Consultant
M. Coppler, Det Norske Veritas Certification Inc.
E. Cosman, The Dow Chemical Company
B. Dumortier, Schneider Electric
J. Federlein, Federlein & Assoc. Inc.
J. Gilsinn, NIST/EL
E. Icayan, ACES Inc.
J. Jamison, EnCana Corporation Ltd.
K. P. Lindner, Endress + Hauser Process Solutions AG
V. Maggioli, Feltronics Corp.
T. McAvinew, Instrumentation and Control Engineering, LLC
R. Reimer, Rockwell Automation
S. Russell, Valero Energy Corp.
N. Sands, DuPont
H. Sasajima, Azbil Corp.
T. Schnaare, Rosemount Inc.
J. Tatera, Tatera & Associates Inc.
I. Verhappen, Yokogawa Canada Inc.
W. Weidman, WCW Consulting
J. Weiss, Applied Control Solutions LLC
M. Wilkins, Yokogawa IA Global Marketing (USMK)
D. Zetterberg, Chevron Energy Technology Co.



Contents

1 Scope and purpose ........................................................................................................ 13

2 Audience ........................................................................................................................ 14

3 Definitions ...................................................................................................................... 16

4 Abbreviations/Acronyms ................................................................................................. 20

5 MI planning considerations ............................................................................................. 22

5.1 Identification of the equipment and systems to be covered by SIS MI .................... 24

5.2 Determination of the maintenance strategy to be used for each type of equipment ............................................................................................................. 26

5.3 Collection and retention of lifecycle documentation ............................................... 26

5.4 Defining personnel roles and responsibilities and ensuring competency ................ 27

5.5 Ensuring maintenance personnel skills and training .............................................. 27

5.6 Defining management system and performance metrics ........................................ 28

5.7 Implementing configuration management and management of change .................. 31

5.8 Performing audits to determine MI program compliance ........................................ 31

6 MI activity considerations ............................................................................................... 32

6.1 Planning and performing inspections ..................................................................... 33

6.2 Planning and performing repair ............................................................................. 34

6.3 Planning and performing preventive maintenance ................................................. 34

6.4 Planning and performing calibrations .................................................................... 35

6.5 Planning and performing proof tests ...................................................................... 37

6.6 Planning and performing bypasses........................................................................ 46

6.7 Defining pass/fail criteria ....................................................................................... 47

6.8 Developing validation plan and procedures ........................................................... 50

6.9 Developing Factory Acceptance Test (FAT), commissioning, and Site Acceptance Test (SAT) procedures ....................................................................... 51

7 References .................................................................................................................... 60

Annex A — Example training documentation ........................................................................ 61

Annex B — Example demand logs ........................................................................................ 65

Annex C — Example failure reports ...................................................................................... 69

Annex D — Effective procedure writing, verification and implementation .............................. 71

D.1 Format .................................................................................................................. 73

D.2 Test scope ............................................................................................................ 74

D.3 Related reference data, drawings, documentation, procedures .............................. 74

D.4 Personnel safety considerations ............................................................................ 74

D.5 Planning ............................................................................................................... 75

D.6 Notification (Operations, Facility, etc.) .................................................................. 75

D.7 Operating procedure requirements ........................................................................ 75

D.8 Procedure verification ........................................................................................... 76

D.9 Procedure analysis ............................................................................................... 76

D.10 Continuous improvement....................................................................................... 77

D.11 Modification .......................................................................................................... 77

Annex E — Example inspection items and forms .................................................................. 79


E.1 General field inspection items ............................................................................... 79

E.2 Sensors ................................................................................................................ 80

E.3 Final elements ...................................................................................................... 80

E.4 Logic solvers ......................................................................................................... 81

E.5 Wiring connections ................................................................................................ 81

E.6 Power and grounding/bonding ............................................................................... 82

Annex F — Example calibration forms .................................................................................. 85

Annex G — Preventive maintenance .................................................................................... 87

G.1 Identification of preventive maintenance tasks ...................................................... 87

G.2 Criticality ............................................................................................................... 88

G.3 Timing ................................................................................................................... 88

G.4 Documentation ...................................................................................................... 90

Annex H — Example proof test template and procedures ..................................................... 91

Annex I — Proof test examples for various SIF technologies ................................................ 95

I.1 General considerations ......................................................................................... 95

I.2 Sensor testing ....................................................................................................... 98

I.3 Temperature ....................................................................................................... 101

I.4 Flow .................................................................................................................... 105

I.5 Level ................................................................................................................... 108

I.6 Process analyzers ............................................................................................... 109

I.7 PES logic solver .................................................................................................. 110

I.8 HMI ..................................................................................................................... 113

I.9 Communications ................................................................................................. 114

I.10 Power supplies ................................................................................................... 115

I.11 Interposing relays ............................................................................................... 115

I.12 Final element testing ........................................................................................... 115

I.13 Testing of manual/automatic response to SIS failure ........................................... 126

I.14 Testing of bypasses ............................................................................................ 127

Annex J — Deferral considerations and example procedures .............................................. 129

J.1 Example deferral approval procedure .................................................................. 129

J.2 Example test deferral process ............................................................................. 130

J.3 Test due date deferral approval form................................................................... 132

J.4 Example repair deferral procedure ...................................................................... 133

J.5 Example repair due date deferral form ................................................................ 135

Annex K — Example bypass approval procedures .............................................................. 137

K.1 Example bypass approval procedure 1 ................................................................ 137

K.2 Example bypass approval procedure 2 ................................................................ 142

K.3 Example bypass log ............................................................................................ 145

Annex L — Validation planning ........................................................................................... 147


Foreword

ANSI/ISA-84.00.01-2004 gives requirements for the specification, design, installation, operation and maintenance of SIS, so that it can be confidently entrusted to place and/or maintain the process in a safe state. These requirements are presented in the standard using the safety lifecycle shown in ANSI/ISA-84.00.01-2004-1 Figure 8 and described in ANSI/ISA-84.00.01-2004-1 Table 2.

The ISA84 committee has developed a series of complementary technical reports to provide guidance, as well as practical examples of implementation, on various topics and applications. Three of these technical reports, ISA-TR84.00.02, ISA-TR84.00.03, and ISA-TR84.00.04, provide informative guidance related to specific phases of the Safety Instrumented System (SIS) lifecycle. Figure 8 and Table 2 have been adapted for this foreword as shown in ISA-TR84.00.04 Figure 1 and Table 1, respectively. A brief overview of each technical report is given below including the report’s relationship to the lifecycle requirements and the intended scope of each report’s guidance.

ISA-TR84.00.02—Safety Integrity Level (SIL) Verification of Safety Instrumented Functions—Lifecycle phase 4 requires verification that the intended or installed SIS meets its specified SIL. To support the calculation of the average probability of failure on demand as required by ANSI/ISA-84.00.01 Clause 11.9, ISA-TR84.00.02 provides guidance on the following: a) assessing random and systematic failures, failure modes and failure rates; b) understanding the impact of diagnostics and mechanical integrity (MI) activities on the SIL and reliability; c) identifying sources of common cause, common mode and systematic failures; and d) using quantitative methodologies to verify the SIL and spurious trip rate. The approaches outlined in this document are performance-based; consequently, the reader is cautioned to understand that the examples provided do not represent prescriptive architectural configurations or MI requirements for any given SIL. Once an SIS is designed and installed, the ability to maintain the specified SIL requires the implementation of a structured MI program as described in ISA-TR84.00.03.

ISA-TR84.00.03—Mechanical Integrity of Safety Instrumented Systems (SIS)—Lifecycle phases 5 and 6 involve the installation and testing of the SIS, the validation that the SIS meets the safety requirements specification, and the assurance that functional safety is maintained during long term operation and maintenance. An important aspect of achieving and maintaining the SIS integrity and its specified SIL is the implementation of an MI program that provides quality assurance of the installed SIS performance. This technical report is an informative document providing guidance on establishing an effective MI program that demonstrates through traceable and auditable documentation that the SIS and its equipment are maintained in the “as good as new” condition. The technical report addresses the identification of personnel roles and responsibilities when establishing an MI plan, important considerations in establishing an effective MI program, and detailed examples to illustrate user work processes used to support various activities of the MI program. Data and information collected as part of the MI program can be used to validate the SIL Verification calculations as discussed in ISA-TR84.00.02 and the selection and continued use of devices as discussed in ISA-TR84.00.04 Annex L.

ISA-TR84.00.04—Guidelines for the Implementation of ANSI/ISA-84.00.01—Lifecycle phases 2, 4, 9 and 10 address the management of functional safety, allocation of safety functions to protection layers, SIS design and engineering, and SIS verification. This technical report is divided into two parts. Part 1 provides an overview of the SIS lifecycle with references to annexes containing more detailed guidance on various subjects. Part 2 provides an end-user example of "how to" implement ANSI/ISA-84.00.01. This report covers many aspects of the safety lifecycle including such topics as: "grandfathering" existing SISs (Clause 3 and Annex A); operator initiated functions (Annex B), separation of the Basic Process Control System (BPCS) and SIS (Annex F), field device and logic solver selection (Annex L), manual shutdown considerations (Annex P), and design/installation considerations (e.g., wiring, power, relationship to BPCS, common mode impacts, fault tolerance, etc. – Annex N). ISA-TR84.00.02 expands on ISA-TR84.00.04 Annex G, which only provides a brief introduction to the topic of failure calculations. ISA-TR84.00.04 does not address the MI program, which is discussed in ISA-TR84.00.03.

Figure 1 — SIS safety lifecycle phases (modified ANSI/ISA-84.00.01-1 Figure 8)

Page 11: ISA-TR84.00.03-2012 Mech Integrity SIS

- 11 - ISA-TR84.00.03-2012

Table 1 — SIS safety lifecycle overview (modified ANSI/ISA-84.00.01-1 Table 2)

Columns: Figure 1 box number and title; objectives; ANSI/ISA-84.00.01 requirements clause; ISA-84 Technical Report reference.

1 Hazard and risk analysis
Objectives: To determine the hazards and hazardous events of the process and associated equipment, the sequence of events leading to the hazardous event, the process risks associated with the hazardous event, the requirements for risk reduction and the safety functions required to achieve the necessary risk reduction.
Clause: 8
Technical Report reference: None

2 Allocation of safety functions to protection layers
Objectives: Allocation of safety functions to protection layers and, for each safety instrumented function, the associated safety integrity level.
Clause: 9
Technical Report reference: ISA-TR84.00.04 Annexes B, F, and J

3 SIS safety requirements specification
Objectives: To specify the requirements for each SIS, in terms of the required safety instrumented functions and their associated safety integrity, in order to achieve the required functional safety.
Clause: 10
Technical Report reference: No specific guidance on documenting the SRS. An example is shown in ISA-TR84.00.04 Part 2. All three technical reports (ISA-TR84.00.02, 03, and 04) provide fundamental considerations for SRS development.

4 SIS design and engineering
Objectives: To design the SIS to meet the requirements for safety instrumented functions and safety integrity.
Clause: 11 & 12.4
Technical Report reference: ISA-TR84.00.04 Annexes F, G, I, K, L, M, N, O, P, and Q; ISA-TR84.00.02

5 SIS installation, commissioning and validation
Objectives: To integrate and test the SIS. To validate that the SIS meets, in all respects, the requirements for safety in terms of the required safety instrumented functions and the required safety integrity.
Clause: 12.3, 14, 15
Technical Report reference: ISA-TR84.00.03

6 SIS operation and maintenance
Objectives: To ensure that the functional safety of the SIS is maintained during operation and maintenance.
Clause: 16
Technical Report reference: ISA-TR84.00.03

7 SIS modification
Objectives: To make corrections, enhancements or adaptations to the SIS, ensuring that the required safety integrity level is achieved and maintained.
Clause: 17
Technical Report reference: Apply appropriate safety lifecycle phase during management of change activity

8 Decommissioning
Objectives: To ensure proper review, sector organization, and ensure SIF remain appropriate.
Clause: 18
Technical Report reference: Apply appropriate safety lifecycle phase during project execution

9 SIS verification
Objectives: To test and evaluate the outputs of a given phase to ensure correctness and consistency with respect to the products and standards provided as input to that phase.
Clause: 7, 12.7
Technical Report reference: ISA-TR84.00.04 Annex C, ISA-TR84.00.03, and ISA-TR84.00.02

10 SIS functional safety assessment
Objectives: To investigate and arrive at a judgement on the functional safety achieved by the SIS.
Clause: 5
Technical Report reference: ISA-TR84.00.04 Clause 3 and Annexes A, C, D, E, and S


1 Scope and purpose

A process hazards analysis is used to identify the safety functions necessary to reduce the risk of identified hazardous events. When a safety function is implemented in a safety instrumented system (SIS), the risk reduction required from the safety instrumented function (SIF) is related to one of four discrete safety integrity levels (SIL). The function and system are designed and managed according to ANSI/ISA-84.00.01, which establishes requirements necessary to claim the specified SIL for the SIS throughout its life.

A critical aspect of maintaining the SIL is the implementation of a mechanical integrity (MI) program that monitors the installed performance of the SIS equipment and takes corrective action when the performance does not meet the requirements. This technical report is an informative document providing guidance on establishing an effective MI program that demonstrates through traceable and auditable documentation that the SIS and its equipment are maintained in the “as good as new” condition.

This edition of ISA-TR84.00.03 provides considerations for establishing an MI program for SIS; it focuses on how to plan and implement a comprehensive MI program rather than including specific test procedures as in the previous edition. This technical report does not provide complete details on how to safely or fully execute all MI activities in an operating facility. Individuals who are assigned responsibility for MI activities must determine what is necessary to maintain the safety integrity of a specific SIS.

The MI program involves many activities that occur throughout the SIS lifecycle, but it predominantly focuses on the timely detection and correction of incipient/degraded conditions and complete failures to ensure that the SIS operates as specified when required. Rigorous inspection and complete proof testing are required for all SIS equipment, whether existing or new. While the frequency of these activities may vary with the required SIL, the purpose and goal of inspection and proof testing are not affected by the SIL.

Inspection and proof testing are required to:

meet regulatory requirements

meet ANSI/ISA-84.00.01 requirements

meet equipment manufacturer requirements (e.g., safety manual)

demonstrate through witnessed test and preventive maintenance records that the equipment is being maintained in the “as good as new” condition

detect and correct unrevealed failures

verify that the MI program and test interval are sufficient to ensure functional and integrity requirements are met for the equipment life

monitor equipment for degradation mechanisms (incipient and degraded) which may compromise future performance

identify when equipment has reached wear-out and requires replacement

provide data and information to facilitate the evaluation of MI program success and to support continuous improvement
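The point about verifying that the test interval is sufficient is easier to see with numbers. The Python below is an added example, not text or code from ISA-TR84.00.03: it uses the simplified IEC 61508-6 low-demand formula for a single (1oo1) channel, extended in the usual way for imperfect proof-test coverage (failures the test cannot reveal are assumed to persist until the mission time, when the device is replaced or overhauled), and maps the resulting PFDavg to the SIL bands of IEC 61508-1 / ANSI/ISA-84.00.01. The failure rate, coverage and intervals are constructed illustration values, not data from the report or any manufacturer.

```python
from typing import Optional

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands as (SIL, PFDavg lower bound inclusive, upper bound exclusive),
# per IEC 61508-1 / ANSI/ISA-84.00.01.
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def pfd_avg_1oo1(lambda_du: float, test_interval_h: float,
                 coverage: float = 1.0,
                 mission_time_h: Optional[float] = None) -> float:
    """Average PFD of a single (1oo1) channel, no diagnostics, repair time ignored.

    lambda_du        dangerous undetected failure rate, per hour
    test_interval_h  proof-test interval TI, hours
    coverage         fraction of dangerous undetected failures the proof test
                     reveals (1.0 = perfect test)
    mission_time_h   interval after which the device is replaced/overhauled;
                     required only when coverage < 1.0

    Assumed formula (simplified IEC 61508-6, not from the report):
        PFDavg = PTC*lambda_du*TI/2 + (1 - PTC)*lambda_du*MT/2
    """
    if lambda_du < 0 or test_interval_h <= 0:
        raise ValueError("lambda_du must be >= 0 and test_interval_h > 0")
    if not 0.0 < coverage <= 1.0:
        raise ValueError("coverage must be in (0, 1]")
    if coverage < 1.0 and mission_time_h is None:
        raise ValueError("mission_time_h is required when coverage < 1.0")
    tested = coverage * lambda_du * test_interval_h / 2.0
    untested = (1.0 - coverage) * lambda_du * (mission_time_h or 0.0) / 2.0
    return tested + untested


def sil_from_pfd(pfd: float) -> int:
    """SIL band for a PFDavg; 0 means the function does not even reach SIL 1."""
    if pfd < 1e-5:
        return 4
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def max_test_interval_h(lambda_du: float, target_sil: int,
                        coverage: float = 1.0,
                        mission_time_h: Optional[float] = None) -> float:
    """Longest proof-test interval (hours) that keeps PFDavg inside target_sil.

    Returns 0.0 when the untested portion alone already exceeds the band: no
    test interval can recover the SIL, so the test method or device must change.
    """
    if lambda_du <= 0:
        raise ValueError("lambda_du must be > 0")
    upper = {sil: hi for sil, _, hi in SIL_BANDS}[target_sil]
    untested = (1.0 - coverage) * lambda_du * (mission_time_h or 0.0) / 2.0
    if untested >= upper:
        return 0.0
    return 2.0 * (upper - untested) / (coverage * lambda_du)


if __name__ == "__main__":
    # Constructed illustration values, not field data.
    lam = 1.0e-6                  # one dangerous undetected failure per ~114 years
    mt = 20 * HOURS_PER_YEAR      # device kept 20 years before replacement
    for years in (1, 2, 5):
        ti = years * HOURS_PER_YEAR
        perfect = pfd_avg_1oo1(lam, ti)
        partial = pfd_avg_1oo1(lam, ti, coverage=0.7, mission_time_h=mt)
        print(f"TI={years} yr  perfect test: PFDavg={perfect:.2e} (SIL {sil_from_pfd(perfect)})"
              f"   70% coverage: PFDavg={partial:.2e} (SIL {sil_from_pfd(partial)})")
    print(f"max TI for SIL 2, perfect test: {max_test_interval_h(lam, 2) / HOURS_PER_YEAR:.2f} yr")
    print(f"max TI for SIL 2, 70% coverage: {max_test_interval_h(lam, 2, 0.7, mt):.1f} h")
```

With these assumed values a yearly, fully effective proof test holds the function in SIL 2, stretching the interval to five years drops it to SIL 1, and a test that only reveals 70% of dangerous failures leaves the function in SIL 1 at any interval; that last case is why the report ties "complete proof testing" and the detection of unrevealed failures to the test interval rather than treating the interval as a free parameter.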

The technical report addresses:

the identification of personnel roles and responsibilities when developing an MI plan,

important considerations in establishing an effective MI program, and

detailed guidance and examples to support user-specific work processes as part of an overall MI program.


2 Audience

The successful design and management of SIS is dependent on many departments within an operating facility. Likewise, an effective MI program is a fundamental element of the SIS lifecycle with many departments having responsibility. Consequently, the target audience of this technical report is very broad and includes all personnel who impact program success. These personnel perform certain roles and have responsibility for execution of many different tasks during various lifecycle phases. Typical roles and responsibilities include:

Engineering Manager --- Ensures that engineering work processes are in place to determine the required rigor of the MI program for all SIS, and subsequently to ensure that Operations and Maintenance departments are engaged in determining how this testing can be accommodated in a practical and effective manner.

Design Engineer --- Ensures maintenance provisions for safe and cost effective inspections and testing are met as the SIS proceeds through the design phase.

Project Manufacturing/Operations Representative --- Ensures all roles communicate and fulfill their responsibilities on projects, including development of validation, commissioning, proof test procedures and documentation handoffs.

Process Automation/Control System Engineer --- Ensures all aspects of on-line testing, demand tracking, and bypassing are adequately addressed in the design phase to deliver the necessary functionality across the operations lifecycle, including appropriate use of process historians to track demands on the SIS.

Process Engineer --- Provides operation and technical information to ensure testing and associated procedures are completed satisfactorily and no new hazards are introduced during this process.

PSM Manager --- Ensures that recommendations related to the SIS are tracked to completion and that an effective Management of Change (MOC) process is in place, which involves review and approval of proposed changes to SIS by competent personnel.

Maintenance Manager --- Ensures that an effective management system is in place to execute reliability and maintenance activities required to ensure SIS integrity including a training program for maintenance personnel to maintain qualifications.

Operations Manager --- Ensures that Operating personnel are committed to providing the opportunity for identified MI activities to take place in a planned manner including a training program for Operations personnel to maintain qualifications. This role has the ultimate responsibility to ensure the lifecycle management rigor and SIS integrity within the operating facility.

Management Team --- Consists of the Project Manager, Maintenance Manager and Operations Manager and ensures that competent and trained personnel receive the appropriate level of support and are available to carry out the identified activities, and that SIS installations are maintained, inspected, tested and operated in accordance with ANSI/ISA-84.00.01.

SIS Specialist/Engineer --- Works with both Engineering and Maintenance personnel to develop and maintain the SIS equipment list and to define the MI requirements necessary to ensure SIS integrity throughout the lifecycle of the facility. Ensures that the SIS is appropriately installed, inspected, tested and validated to demonstrate correct functionality and performance prior to handover to Operations.

Reliability Specialist --- Advises the SIS Specialist/Engineer on appropriate testing and reliability techniques. Applies the management system and ensures that testing activities are performed effectively with appropriate supporting documentation, including procedures and results records. Addresses any non-compliance/failures in a timely and effective manner that targets the root cause of the failure to minimize repeat failures. Facilitates data capture and analysis in support of on-going demonstration of SIS MI and continuous improvement.

Maintenance (and Construction) Supervision --- Understands the importance of SIS MI and provides the necessary resources to ensure that all identified MI activities are completed in a planned manner.

Maintenance (and Construction) Technician --- Understands purpose and function of the SIS, the importance of inspection, preventive maintenance and testing plans, and how to complete the required documentation to support data collection.

Testing Personnel --- Appreciate the concepts of SIS MI and the rigor required in the identification and reporting of SIS failures.

Training Coordinators --- Ensure that training of all roles impacting or impacted by SIS across the plant operating lifecycle occurs in a timely manner.

It is expected that those persons identified as the audience possess an understanding of the requirements of ANSI/ISA-84.00.01 appropriate to their level of responsibility and technical expectation.

3 Definitions

Definitions which are new and not previously documented in ANSI/ISA-84.00.01 are indicated with (*).

3.1 allowable time to repair* length of time that has been determined by hazard and risk analysis to be acceptable for continued process operation with degraded or disabled equipment. Time is often constrained by Operations' ability to maintain the necessary compensating measure.

3.1.1 application program program specific to the user application. In general, it contains logic sequences, permissives, limits and expressions that control the input, output, calculations, and decisions necessary to meet the SIS functional requirements.

3.1.2 Application Program Factory Acceptance Test (APFAT)* formal testing of the configuration. The advantage of this type of test is that it can be independent of all or most of the physical hardware, thereby supporting the concept of an HWFAT. See FAT.

3.1.3 as good as new* equipment is maintained in a manner that sustains its useful life. “As good as new” often refers to the initial condition after proof test and subsequent repair/overhaul (as needed ) so that the probability of failure at time 0 is zero and the failure rate expected during the useful life is unchanged.

NOTE When a device is returned to its “as good as new condition,” the expectation is that the as-left condition will support operation within specification until the next scheduled proof test.

3.1.4 compensating measure* planned and documented means for managing risk that are implemented during any period of maintenance or process operation with known faults or failures in the SIS which result in increased risk.

3.1.5 complete failure* failure that results in a 100% loss of a required function. The failure can be further classified as safe or dangerous depending on the application and desired operation.

3.1.6 degraded condition* failure that results in a partial loss of function, that is less than “as good as new,” but does not result in a complete loss of the function. Degraded condition also includes any time a portion of the SIF is bypassed, but is still able to perform its function automatically.

3.1.7 detected failure in relation to hardware failures and software faults, detected by the diagnostic tests or through normal operation. Synonyms include announced, revealed and overt.

NOTE* Software faults can include errors within the application program, embedded program (operating system), embedded firmware, or utility software (programming panel).

3.1.8 failure

the termination of the ability of equipment (a functional unit) to perform a required function

3.1.9 failure cause* the circumstances during design, manufacture, or use which led to failure

3.1.10 failure mechanism*

the physical, chemical, or other process, or combination of processes, that has led to failure

3.1.11 failure mode* the observed manner of failure. The failure modes describe the loss of required system function(s) that result from failures.

3.1.12 failure to activate* occurs when the SIS does not respond to the process deviation and an event occurs or the SIS needs to be manually activated

3.1.13 fitness for service* management system used to assess the current condition of equipment to determine whether it is capable of continuing operation within equipment specification until the next opportunity to test or perform maintenance

3.1.14 Hardware Factory Acceptance Test (HWFAT)* testing of SIS equipment, panels, I/O, power supplies, panel grounding, and related equipment at the manufacturer’s fabrication facility to ensure that the SIS equipment has been installed and wired properly

3.1.15 Integrated Factory Acceptance Test (IFAT)* formal testing of SIS and BPCS simultaneously to ensure that the combined actions result in the desired safe automation of the process

3.1.16 incipient condition* the equipment operates within specification but in its current state is likely to result in a degraded condition or complete failure if corrective action is not taken

3.1.17 integrity*

ability of the SIS to perform the required SIF as and when required

3.1.18 Mean Repair Time (MRT)* expected overall repair time

NOTE MRT encompasses times (b), (c) and (d) of the MTTR times listed under 3.1.22.

3.1.19 Mean Time between Failure (MTBF)* for a repairable device, mean time to failure + the mean time to restoration

3.1.20 Mean Time to Failure (MTTF)* the average time before equipment’s first failure. May refer to all failures, specific failure classifications, specific failure modes, or specific failure causes.

3.1.21 Mean Time to Repair*

term has been replaced by Mean Time to Restoration or Mean Repair Time

3.1.22 Mean Time to Restoration (MTTR)*

expected time to achieve restoration

NOTE MTTR encompasses:

a) the time to detect the failure; and

b) the time spent before starting the repair; and

c) the effective time to repair; and

d) the time before the device is put back into operation.

The start time for (b) is the end of (a); the start time for (c) is the end of (b); the start time for (d) is the end of (c).

3.1.23 mechanical integrity* management system assuring equipment is inspected, maintained, tested and operated in a safe manner consistent with its risk reduction allocation

3.1.24 out of service*

includes any time the SIF is unavailable during an operating mode where the hazard exists

3.1.25 partial testing* method of proof testing that checks a portion of the failures of a device, e.g., partial stroke testing of valves and simulation of input or output signals

3.1.26 pass/fail criteria* pre-established criteria that define the acceptability of equipment operation relative to the SRS and equipment specification

3.1.27 proof test test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality

3.1.28 proof test coverage* expressed as the percentage of failures that can be detected by the proof test. A complete proof test should provide 100% coverage of the failures.

3.1.29 reliability* ability of a system or device to perform its specified function under stated conditions for a specified period of time

3.1.30 safety instrumented function (SIF) safety function with a specified safety integrity level which is necessary to achieve functional safety and which can be either a safety instrumented protection function or a safety instrumented control function

3.1.31 safety instrumented system (SIS) instrumented system used to implement one or more safety instrumented functions. An SIS is composed of any combination of sensor(s), logic solver(s) and final element(s).

3.1.32 site integration test (SIT) formal testing of the ability of the SIS and BPCS to communicate properly with each other once those systems have been installed in the field. It can also include any third party systems that need to interface with the BPCS.

3.1.33 useful life* the portion of equipment’s life where the failure rate can be considered constant, i.e., where early life failures have been corrected and end of life failures have not begun

3.1.34 wear-out*

the time when equipment’s failure rate begins to increase due to various failure mechanisms

4 Abbreviations/Acronyms

Abbreviations which are new and not previously documented in ANSI/ISA-84.00.01 are indicated with (*)

AC/DC Alternating Current/Direct Current

ANSI American National Standards Institute

APFAT* Application Program Factory Acceptance Test

BPCS Basic Process Control System

CCPS* Center for Chemical Process Safety

EH&S Environment Health and Safety

ESD Emergency Shutdown System

EWS Engineering Work Station

FAT Factory Acceptance Test

FMEA* Failure Mode and Effects Analysis

HMI Human Machine Interface

HSE Health and Safety Executive

HWFAT* Hardware Factory Acceptance Test

IEC International Electrotechnical Commission

IFAT* Integrated Factory Acceptance Test

I/O* Input/Output

ISA International Society of Automation

IT Information Technology

MI Mechanical Integrity

MOC Management of Change

MTBF* Mean Time between Failure

MTTF* Mean Time to Failure

MTTR* Mean Time to Repair (also known as Mean Time to Restoration)

NIST National Institute of Standards and Technology

OSHA* Occupational Safety and Health Administration

PERD* Process Equipment Reliability Database

PES Programmable Electronic Systems

PFDavg Average Probability of Failure on Demand

P&IDs* Piping and Instrumentation Diagrams

PHA* Process Hazard Analysis

PLC Programmable Logic Controller

PPE* Personal Protective Equipment

PSD Process Shutdown System

PSM* Process Safety Management

RTD Resistance Temperature Detector

SAT Site Acceptance Test

S/D Shutdown

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SIT* Site Integration Test

SOE Sequence of Events

SRS Safety Requirements Specification

TC Thermocouple

UPS* Uninterruptible Power Supply

1oo1 one-out-of-one

1oo2 one-out-of-two

2oo3 two-out-of-three

5 MI planning considerations

For SIS, planning is covered in ANSI/ISA-84.00.01 Clauses 5, 6, 7, 15, 16, and 17. MI planning involves establishing the management system and the maintenance requirements (e.g., inspection, preventive maintenance, and proof testing) for the SIS equipment. With limited resources, it is important to identify and classify instrumentation and controls, so that plant personnel know what equipment must be managed as safety. Fundamentally, all equipment is covered by MI, but only a portion of the equipment must be rigorously managed according to ANSI/ISA-84.00.01. Classification is performed and documented during the process hazards analysis as discussed in the standard ISA-84.91.01 and technical report ISA-TR91.00.02. The MI program should cover all equipment required to support the SIF integrity and reliability, including sensors, logic solvers, final elements, utilities, communications, and diagnostic equipment.

The facility safety and operating culture should be considered when designing the SIS, because the culture affects the MI program, which must be capable of supporting the SIS functional and integrity requirements defined in the safety requirements specification (SRS). Once an SIS is designed and implemented, independence, integrity, functionality and reliability become inherent attributes of the installation, which are proven through periodic MI activities, such as inspection and testing, and supported through preventive maintenance and planned replacement/upgrade. Auditability, access security, and management of change are attributes of the management system, which are proven through periodic assessment and auditing activities. These core attributes, namely independence, integrity, functionality, reliability, auditability, access security, and management of change, must be managed throughout the SIS lifecycle with sufficient rigor so that the SIS achieves and maintains the required safety integrity.

The planning phase of the ANSI/ISA-84.00.01 lifecycle includes development of MI procedures and implementation of training programs for a variety of activities:

documentation transfer and lifecycle management from Design Engineering to Facility Maintenance and Operations,

identification of the minimum data fields to be included in the facility maintenance management system,

NOTE These data fields are intended to support scheduling of inspections and tests and the capture of data and information for tracking failures impacting integrity and reliability

commissioning procedures and documentation of corrective actions,

identification and tagging of SIS equipment in the field,

managing failure conditions during plant operation, inspection, preventive maintenance, and proof testing,

controlling and monitoring the use of bypasses,

investigation of process demands, spurious trips, and dangerous failures,

performing follow-up failure investigations and communicating findings for continuous improvement,

minimum required inspection and preventive maintenance practices to maintain equipment MI,

minimum required proof testing to ensure correct operation of equipment,

minimum requirements for proof testing following modification and repair,

change management, including specific provisions for access security, configuration management, planned modification, temporary modification, and decommissioning, and

appropriate degree of training for impacted personnel within Operations and Maintenance.

Figure 2 provides an illustration of the safety lifecycle relative to MI activities. As the project moves from concept through detailed design, a validation plan is developed to ensure the SIS meets the desired functionality and integrity. Validation demonstrates that each SIF and its supporting utilities/diagnostics fully achieve the SRS prior to being placed into service. Validation is required for any new or modified SIS.

A Factory Acceptance Test (FAT) of the SIS logic solver and other packaged equipment is generally conducted prior to site installation. An FAT allows rigorous testing of the equipment in a controlled environment without the time pressure that often occurs during on-site testing. ANSI/ISA-84.00.01 does not require an FAT to be performed, but many users consider the FAT a cost-effective means of ensuring that packaged equipment, such as logic solvers, works according to specification.

During construction and commissioning, the SIF sensors, final elements and ancillary support equipment (e.g., air supplies, power supplies, communications, and interfaces) are installed according to design documents and installation details. Inspection and commissioning procedures are used to ensure the SIS equipment is installed and operating properly. Following equipment commissioning, validation is conducted. Validation includes evidence from an end-to-end test that the installed SIS and its SIFs operate as required. Validation should also be performed after major process or SIS modifications.

Once operational and for as long as the plant continues to operate, the SIS equipment should be periodically inspected to detect incipient and degraded conditions and to initiate corrective action through equipment repair or replacement. Preventive maintenance, whether on a fixed schedule or based on condition, is conducted to replace wearable or short-life parts to extend the useful life of the equipment. Proof testing is required to demonstrate that the SIS equipment is operating as specified and to identify deviations from acceptable operation so they can be corrected. Test records provide documented proof that the SIS is achieving the required safety integrity level (SIL). All SIS equipment should be tested, including field sensors, final control elements, logic solvers, Human Machine Interfaces (HMI), communication links with other systems, user application program, and any required support systems, such as power or instrument air.

Many processes have operating cycles that are longer than the test interval necessary to theoretically achieve the SIL. Therefore, the ability to perform testing while the process remains in operation (e.g., on-line) is often desirable. The requirements of ANSI/ISA-84.00.01 can be met using off-line testing with the process shutdown, on-line testing with the process in operation or a combination of on-line and off-line testing. All means of testing can be supported by manual and automated procedures and techniques.

This technical report provides guidance and examples for off-line and on-line testing based on the experience of the working group members, but these examples should not be considered the only means for achieving the objectives of ANSI/ISA-84.00.01.

There are several considerations that go into developing a holistic MI program. Each of these considerations is discussed in more detail in later clauses:

identification of the equipment and systems to be covered by SIS MI

determination of the maintenance strategy to be used for each type of equipment

collection and retention of lifecycle documentation

defining personnel roles and responsibilities and ensuring competency

defining management system and performance metrics

implementing configuration management and management of change

performing audits to determine MI program compliance

5.1 Identification of the equipment and systems to be covered by SIS MI

The following information at a minimum should be transferred from the design information to the organization responsible for facility maintenance and record system to ensure proper scheduling and completion of inspections, preventive maintenance, proof tests and reliability improvement:

production unit or plant identification (e.g., hydrocarbon alpha 1)

process unit within the production unit (e.g., quench unit)

tag item number (e.g., FT-10001)

NOTE Any facility testing or calibration equipment used to validate or test SIS devices should also be identified in the maintenance management system to ensure calibration certifications are performed as required.

location description (e.g., T-630 discharge)

manufacturer (e.g. XYZ Instruments, Inc.)

model number (e.g., 1234DP)

pipe spec or process description (e.g., river water)

equipment group or family (e.g., flow)

equipment type (e.g., vortex)

serial number

SIF identification number

date installed

calibration, tolerance, and configuration values (e.g., span, filtering, square root extraction, fail-direction on detected fault, leak tightness)

inspection/proof test interval

NOTE The maintenance management system is used to generate notifications for inspections, preventive maintenance, and proof tests based on last maintenance date and specified interval.

Figure 2 — Mechanical integrity across the lifecycle

[Figure 2 image not reproduced; its labels, in order: Project Execution: Hazard Review, Design, Construction, Commission Plant, PSSR, Startup, Operate Plant. Mechanical Integrity: Develop Validation Plan, Staging (FAT), Install, Commission, Validation (SAT), PSSR, Data Capture and Assess Performance, Inspection, Preventive Maintenance, and Proof Test, Operation.]

The figure shows conceptually where the MI (mechanical integrity) program and its specific activities fit into an overall project and subsequent plant operation.

5.2 Determination of the maintenance strategy to be used for each type of equipment

The MI plan ensures that the facility maintenance strategy is in agreement with the intent of the SIS MI program – that the equipment is maintained in the “as good as new” condition through its lifecycle. There are three basic maintenance strategies employed within the process industry, depending on the type of equipment:

Preventive (planned) maintenance: Specifically defined maintenance is performed on a periodic schedule, e.g., annual change out of air supply filters on automated valves.

Predictive (condition-based) maintenance: Applicable maintenance is initiated based on monitoring equipment condition through inspection, diagnostics, and observation, e.g., valve response to control signal is sluggish, indicating that a particular type of maintenance such as an air filter change out is required.

Corrective (reactive) maintenance, also known as “run to failure”: Neither preventive nor predictive maintenance is performed. Repair or replacement is initiated based on detecting equipment failure. Though a viable maintenance strategy for some general equipment populations, it should not be used for SIS equipment where dangerous undetected failures can occur.

Effective MI planning ensures that the maintenance strategy is consistent with maintaining the SIS integrity. The SIS MI plan should be a component of the facility’s overall MI plan. The plan begins its development in the early stages of design to ensure the needs of the operating facility are addressed and that test and maintenance facilities are implemented to meet procedure requirements. MI planning includes the development of procedures on how to plan, perform and document the following:

inspections

repairs

preventive maintenance

calibrations

proof tests

reliability data capture and analysis

loop check/commissioning procedures

validation procedures

feedback to ensure continuous improvement

5.3 Collection and retention of lifecycle documentation

Various disciplines are involved in developing lifecycle documentation, including Operations, Maintenance, and Design Engineering. The owner/operator is the ultimate owner of documentation generated by Engineering and Maintenance. Documentation should be treated as a long-term asset similar to the equipment within the operating facility. Engineering and Maintenance use and maintain the various documents described within this technical report. The MI plan should define which documents will be transferred from Engineering to Maintenance/Operations, where and in what form the master documents will be stored, who will be the custodian, and which role(s) or person(s) will maintain the master documents as evergreen. The MI plan sets the foundation on how procedures such as those for proof testing and reliability are accessed and maintained to provide for continuous improvement and value delivery.

All operating facilities should comply with their respective corporate records retention guidelines and policies. The records may be maintained electronically or in hard copy in on-site or off-site storage. MI records are needed for tracking and trending equipment failure. These records are typically reviewed whenever a functional safety assessment (see ISA-TR84.00.04 Annex D), prior use assessment (see ISA-TR84.00.04 Annex L User approval) or audit (see ISA-TR84.00.04 Annex E) is performed. Regulatory authorities may establish the minimum retention period for MI records. For example, OSHA PSM requires that records be maintained for the facility life. Practically, records should be retained in a form and for a period of time sufficient to support user approval and reliability assessment of equipment.

5.4 Defining personnel roles and responsibilities and ensuring competency

MI planning also ensures that personnel understand their roles and responsibilities in supporting the maintenance strategy. Maintenance/Reliability personnel have a significant role in MI planning and execution, but Operations and Engineering must support many specific tasks. Maintenance/Reliability, including supervision, engineers, mechanics, and I&E technicians, develop the SIS MI plan with dialogue and input from Operations and Design Engineering. Successful completion of tasks defined in planning requires the active involvement of various disciplines.

All personnel associated with the SIS, including Management, Operations, Maintenance, and Engineering, should be competent in performing their assigned tasks. Management should understand how the SIS operates to reduce risk and how their decisions affect its integrity. Engineering choices influence the SIS design, test facilities, and proof test interval, so they should understand how their choices affect long-term operation and maintenance. Maintenance and Operations personnel need to have the knowledge, training and skills necessary to ensure the SIS integrity is maintained throughout its installed life. Competency for all personnel extends beyond simple knowledge of how to perform basic tasks; it also includes knowledge of how the SIS equipment functions to achieve or maintain a safe state of the process.

Consequently, unlike other process safety programs, the training and skills for SIS MI cover a significant range of subjects. It is generally not possible to provide a single training package for everyone. Rather it requires the training program to be tailored to support the site culture and the specific SIS equipment.

5.5 Ensuring maintenance personnel skills and training

This subclause specifically addresses the skills and training necessary for Maintenance personnel who support SIS MI. Maintenance training includes maintenance management that directs and funds the maintenance activities, the instrumentation technicians, the electricians, and the mechanics. Maintenance personnel need to have an understanding of the importance of the SIS, how they affect the performance of those systems, what skills they should have before working on SIS, and how they should identify, correct and report failures of SIS equipment.

The goal of the training program is to give the maintenance personnel the skills and knowledge needed to maintain the SIS equipment. The training program typically covers three subject areas: 1) safe work practices and procedures, 2) basic skills required to be an instrumentation and electrical technician, and 3) SIS specific training. In the performance of maintenance work, consistency and quality of work execution is important in minimizing systematic failures. A procedure for all aspects of the maintenance work helps ensure that consistency. This will be the basis for the training program.

For basic skills, community colleges and private training centers offer varying training programs. There are many resources available to a user who is developing a training program, for example: ISA Certified Control Systems Technician Program, ISA-67.14.01-2000, Qualifications and Certification of Instrumentation and Control Technicians in Nuclear Facilities, and ISA-TR98.00.02-2006, Skill Standards for Control Systems Technicians.

SIS specific training focuses on the activities performed by maintenance personnel:

understanding pass-fail criteria

documenting as-found/as-left

recording and reporting failure

recognizing common cause failure

permitting

bypassing

use of safety approved equipment for repair or replacement

use of approved and standardized equipment, such as calibration equipment

inspection and testing

management of change, including configuration management

preventive maintenance techniques

troubleshooting skills

The training can be provided in many different forms, such as classroom, hands on, self-study, and computer-based training. Training can be conducted internally or externally. Classroom or computer-based training is generally not sufficient, because skill development requires exposure to the equipment and hands-on practice. Basic skills training should incorporate actual demonstration of the required tasks, such as transmitter calibration, to ensure comprehension. Documentation of maintenance training can be a challenge, especially for large sites or sites relying on contract personnel. Annex A – Example training documentation shows an example of how some users approach training documentation.

5.6 Defining management system and performance metrics

Throughout the process equipment life, numerous assumptions are made about the SIS equipment used to achieve or maintain a safe state of the process with respect to identified hazardous events. The process hazards analysis made assumptions about the initiating cause frequency and SIF risk reduction. These expectations led to an SRS where SIF functional and MI requirements were specified. The SIL verification calculations made assumptions about the failure modes and failure rates of the SIS equipment.

A Health and Safety Executive (HSE) study found that 32% of loss-of-containment events were caused by process and safety equipment failure due to inadequate design and maintenance (HSE, 2005). Safety equipment performance is limited by the rigor, timeliness, and repeatability of MI activities. Metrics, including leading and lagging indicators, are used as a means for assessing work execution and SIS performance against requirements. When implementing metrics, always ensure that the intent of the metric is understood – the SIS is demonstrated to meet the functional and integrity requirements – rather than simply managing the metric itself.

5.6.1 Management system metrics

Most management system metrics focus on schedules, which are not indicative of work quality. A proof-test schedule can be developed with an unreasonably long interval, or testing can be performed inadequately, creating an illusion where the metrics indicate a well-maintained system while equipment is failing in the field. A focus on the percentage of success or failure of various activities can lead to normalization of some failures, which is unacceptable for SIS. Any piece of failed SIS equipment represents a degradation of the risk reduction strategy. Consideration should also be given to out-of-service periods where equipment has failed and is awaiting repair or is bypassed for maintenance and testing.

5.6.2 Performance metrics

The success of the MI program is proven by its MI data, which demonstrates that the SIS can achieve the performance assumed during the process hazards analysis. Inspection, preventive maintenance and proof testing are activities used to identify deviation from acceptable operation, so that maintenance can be performed to ensure the SIS integrity. Understanding what to test and how to judge pass/fail criteria is critical to MI program success. The proper documentation and analysis of equipment failure is necessary to ensure the assumptions in the SRS are achieved and to drive continuous improvement long-term.

Periodically the actual equipment performance should be compared to the expected performance to determine whether the SIS equipment is suitable for continued use as is or whether improvement should be initiated. Repeated SIS failures indicate that the MI program is not achieving its intent – to maintain the SIS equipment in the “as good as new” condition. There are five facets of SIF performance to monitor:

process demands,

detected faults,

dangerous failures,

spurious operation, and

personnel conformance to work practices.

When performance gaps are identified, root cause analysis should be conducted to (1) describe what caused the identified failure, (2) determine the failure impact, (3) identify the underlying reasons for the failure, (4) implement corrective actions, and (5) verify that the corrective actions addressed the cause. Consideration should then be given to changing the design, installation, operation, and maintenance practices to reduce the likelihood of failure recurrence. Annex B – Example demand logs provides examples of demand logs and trip reports. Annex C – Example failure reports provides examples of device failure reports.

The data necessary to perform reliability analysis can come from any of the tasks that are part of the maintenance strategy. The most difficult part of instituting reliability improvement is the culture change necessary for data capture and classification, which must be supported by Maintenance, Testing, and Operations personnel. Training and positive reinforcement are necessary to maintain this effort. Failure reports can be collected from across a facility or a company and used to identify patterns of failure, indicating systematic or common cause problems. One means of monitoring failures is provided by the CCPS/AIChE Process Equipment Reliability Database (PERD) initiative. This program develops and distributes failure classification taxonomies.


Table 2 — Key performance indicators (excerpted from ISA-TR84.00.04 Annex R)

The following metrics are recommended for the SIS MI program.

Key performance indicator / Formula - Deliverable

Inspections: Percent SIF overdue
  % KPI = 100 X (No. overdue / No. scheduled)

Inspections: Days overdue
  Pareto chart listing days behind schedule
  - This may be used to measure currently overdue inspections or completed inspections for comparison purposes

Inspections: Percent failed
  % KPI = 100 X (No. failed / No. performed)

Proof tests: Percent SIF overdue
  % KPI = 100 X (No. overdue / No. scheduled)

Proof tests: Days SIF overdue
  Pareto chart listing days behind schedule
  - This may be used to measure currently overdue proof tests or completed proof tests for comparison purposes

Proof tests: Percent SIF failed
  % KPI = 100 X (No. failed / No. performed)

Corrective maintenance: Percent SIF overdue
  % KPI = 100 X (No. overdue / No. scheduled)

Corrective maintenance: Days SIF overdue
  Pareto chart listing days corrective maintenance behind schedule
  - This may be used to measure currently overdue corrective maintenance or completed corrective maintenance for comparison purposes

Corrective maintenance: Percent failed specification criteria
  % KPI = 100 X (No. failed specification criteria / No. performed)

Failure to activate: Percent SIF failed
  % KPI = 100 X (No. SIF failed to activate / Total no. of SIF)

Shutdowns: Percent SIF spurious
  % KPI = 100 X (No. spurious SIF initiated shutdowns / Total no. of SIF systems)

SIF out of service: Total hours
  Pareto chart listing hours out of service
  - This may be used to measure SIF currently out of service or restored out of service SIF for comparison purposes

SIF out of service: Percent
  % KPI = 100 X (No. out of service hours / Total no. process hours)

SIF degraded: Percent
  % KPI = 100 X (No. hours SIF degraded / Total number of process hours)

SIF out of service: Hours beyond specified repair time
  Pareto chart listing hours beyond specified repair time
  - This may be used to measure SIF currently beyond specified repair time or repaired SIF that had exceeded specified repair time for comparison purposes

SIF out of service: Percent beyond specified repair time
  % KPI = 100 X (No. SIF beyond specified repair time / Total no. of SIF out of service during measurement interval)

SIF out of service: Percent not approved by MOC
  % KPI = 100 X (No. out of service & not approved by MOC / Total out of service SIF)
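As an added example (not from this technical report or ISA-TR84.00.04), the following Python computes the Table 2 percentage KPIs and Pareto deliverables from constructed inspection, proof test and out-of-service records; the record layouts, field names and sample data are assumptions.

```python
"""Table 2 key performance indicators computed from constructed MI records.

Added example, not part of ISA-TR84.00.03. Record layouts, field names and
sample data are assumptions. Each percentage KPI is 100 X (count meeting the
condition / count in the denominator) as in Table 2; the days-overdue and
hours-beyond-repair-time deliverables are returned as Pareto lists, worst first.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Task:
    """One scheduled inspection, proof test or corrective maintenance task."""
    sif: str
    kind: str               # "inspection", "proof_test" or "corrective"
    due: date
    done: Optional[date]    # None while the task is still open
    passed: Optional[bool]  # None until the task has been performed


@dataclass(frozen=True)
class Outage:
    """A period during which a SIF was out of service."""
    sif: str
    start: datetime
    end: Optional[datetime]  # None while the SIF is still out of service
    repair_time_h: float     # specified (maximum) repair time from the SRS
    moc_approved: bool       # out-of-service period approved through MOC


def pct(numerator: float, denominator: float) -> float:
    """100 X (n / d) to one decimal; Table 2 defines nothing for d == 0, so 0.0."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def days_overdue(task: Task, today: date) -> int:
    """Days behind schedule: an open task is measured against today, a completed
    task against its completion date (the 'for comparison purposes' use)."""
    end = task.done if task.done is not None else today
    return max(0, (end - task.due).days)


def task_kpis(tasks: Sequence[Task], kind: str, today: date) -> Dict[str, object]:
    """Percent overdue, percent failed and both Pareto lists for one task kind."""
    scheduled = [t for t in tasks if t.kind == kind]
    open_overdue = [t for t in scheduled if t.done is None and days_overdue(t, today) > 0]
    performed = [t for t in scheduled if t.done is not None]
    failed = [t for t in performed if t.passed is False]
    late_completed = [t for t in performed if days_overdue(t, today) > 0]

    def pareto(ts: List[Task]) -> List[Tuple[str, int]]:
        return sorted(((t.sif, days_overdue(t, today)) for t in ts),
                      key=lambda p: p[1], reverse=True)

    return {
        "percent_overdue": pct(len(open_overdue), len(scheduled)),
        "percent_failed": pct(len(failed), len(performed)),
        "pareto_days_overdue_open": pareto(open_overdue),
        "pareto_days_overdue_completed": pareto(late_completed),
    }


def outage_hours(o: Outage, now: datetime) -> float:
    """Hours out of service so far (an open outage is measured up to now)."""
    end = o.end if o.end is not None else now
    return (end - o.start).total_seconds() / 3600.0


def out_of_service_kpis(outages: Sequence[Outage], now: datetime,
                        process_hours: float) -> Dict[str, object]:
    """SIF out-of-service KPIs for one measurement interval."""
    beyond = [(o.sif, outage_hours(o, now) - o.repair_time_h)
              for o in outages if outage_hours(o, now) > o.repair_time_h]
    beyond.sort(key=lambda p: p[1], reverse=True)
    not_approved = sum(1 for o in outages if not o.moc_approved)
    return {
        "percent_out_of_service": pct(sum(outage_hours(o, now) for o in outages), process_hours),
        "pareto_hours_beyond_repair_time": beyond,
        "percent_beyond_repair_time": pct(len(beyond), len(outages)),
        "percent_not_moc_approved": pct(not_approved, len(outages)),
    }


# Constructed sample records; the measurement interval is 1 to 28 August 2012.
TODAY = date(2012, 8, 28)
NOW = datetime(2012, 8, 28, 12, 0)
PROCESS_HOURS = 28 * 24.0
TASKS = [
    Task("SIF-101", "proof_test", date(2012, 6, 1), date(2012, 5, 30), True),   # on time, passed
    Task("SIF-102", "proof_test", date(2012, 6, 1), None, None),                # open, 88 days overdue
    Task("SIF-103", "proof_test", date(2012, 7, 15), date(2012, 8, 1), False),  # 17 days late, failed
    Task("SIF-104", "proof_test", date(2012, 9, 1), None, None),                # not yet due
    Task("SIF-101", "inspection", date(2012, 8, 1), date(2012, 8, 1), True),
    Task("SIF-102", "inspection", date(2012, 8, 1), None, None),                # open, 27 days overdue
    Task("SIF-103", "inspection", date(2012, 8, 20), date(2012, 8, 21), False), # 1 day late, failed
]
OUTAGES = [
    Outage("SIF-102", datetime(2012, 8, 20, 8), datetime(2012, 8, 21, 8), 48.0, True),  # 24 h, within limit
    Outage("SIF-103", datetime(2012, 8, 1, 0), datetime(2012, 8, 5, 0), 72.0, True),    # 96 h, 24 h beyond
    Outage("SIF-105", datetime(2012, 8, 27, 12), None, 8.0, False),                     # still out, 16 h beyond
]
```

Running `task_kpis(TASKS, "proof_test", TODAY)` reports 25.0% overdue and 50.0% failed, and `out_of_service_kpis` flags the unapproved SIF-105 outage separately from the two that exceeded their repair time.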


5.7 Implementing configuration management and management of change

Change is inevitable and equipment occasionally needs to be replaced, repaired, or upgraded. The process facility may be expanded, leading to additional hazardous events requiring new SIF or placing new requirements on existing SIF. Process and operational changes should be reviewed through management of change to determine how these changes affect the SIS design and operating basis. The manufacturer may discontinue or obsolete SIS equipment so replacement-in-kind is no longer feasible. Planning must be put in place to ensure that necessary changes do not increase the risk of hazardous events.

No SIS equipment or program modification should be made without first carrying out a review to ensure the change does not affect the functionality of the SIF or reduce the risk reduction provided by the SIF. Validation testing should be done to ensure correct operation when the SIF or SIS equipment is changed.

For SIS, management of change includes configuration management and replacement-in-kind to ensure:

appropriate analysis is conducted prior to change implementation,

approval is obtained from affected parties,

change is consistent with current practices,

documentation is completed and consistent with field application, and

risk is not adversely affected.

Effective management of change requires the use of administrative and physical means to prevent unauthorized or inadvertent changes. Since the SRS involved input from many disciplines, changes should be assessed and approved by similar disciplines. Such evaluation is needed for any change, other than replacement in kind, such as:

adding new SIS equipment,

changing functional operation of the SIF,

changing the integrity requirements for the SIF,

changing the materials of construction,

changing the required speed of response,

removing or decommissioning SIS equipment,

changing the SIS equipment specification,

changing the brand or model of SIS equipment,

modifying the SIS equipment installation details,

changing the SIS alarm or trip setpoints,

changing SIS equipment firmware,

changing the SIS application program, and

modifying SIS inspection, preventive maintenance, and proof test procedures.

5.8 Performing audits to determine MI program compliance

ISA-TR84.00.04 Annex E provides guidance on developing and implementing an auditing program to ensure ANSI/ISA-84.00.01 compliance. Periodic auditing of the operating, maintenance, and engineering procedures should be performed to ensure that procedures are consistent with actual work practices, personnel are receiving training as required, training is up-to-date with latest practices, and training is comprehensive and technically appropriate.


Furthermore, it is important to verify that the training is occurring at the designated time intervals, and training records are being maintained.

Audits should follow a protocol that ensures procedures are up-to-date, personnel are familiar with the procedures, and the instructions are being followed. Auditing is generally performed at a 3-5 year interval, typically corresponding with the process safety management audit schedule. More frequent auditing may be required if there are numerous or repeated findings.

The audit should review records, information, and documentation to determine whether procedures are being adhered to. Audit findings should be addressed in a timely manner and tracked to completion. Shortcomings identified in the audit should be addressed with an action plan that establishes a schedule and assigns responsibility for correcting deficiencies to specific personnel or departments.

Audits should be performed to verify that the procedures related to SIF and, in particular, those outlined in the MI plan remain in force throughout the life of the SIF. Records of audits and their results should be documented and maintained in plant records.

6 MI activity considerations

The MI program is intended to ensure that SIS equipment is maintained in the “as good as new” condition throughout its installed life. Inspection, preventive maintenance and proof testing are activities used to identify deviation from acceptable operation, so that repair or replacement can be performed to ensure safe and reliable operation. MI activities should be covered by written procedures that specify the steps required to ensure that the activity is consistently performed and documented (see Annex D – Effective procedure writing, verification, and implementation). Procedures should include safe work practices, permitting, and notification requirements.

An effective mechanical integrity (MI) program is required to detect failure so that it can be corrected in a timely manner. Incipient and degraded conditions can be identified through inspection or diagnostics, while complete failures are often identified by proof test. The MI program also includes preventive maintenance activities. When equipment is known to have consumable components (e.g., batteries, catalytic bead sensor, etc.), preventive maintenance activities ensure that these components are replaced on a periodic basis. Inspection and automated diagnostics can identify degraded device conditions triggering maintenance. Inspection, diagnostics and preventive maintenance complement periodic proof testing, which is necessary to identify undetected failures prior to a demand being placed upon the SIF. Together, MI activities increase the likelihood that the SIF functions correctly throughout its installed life.

Without a sound MI program incorporating periodic inspection, appropriate response to diagnostics, preventive maintenance and proof testing, one runs the risk of running equipment to dangerous failure. It is essential that equipment be maintained such that it meets the functional and integrity requirements defined in the SRS. Inspection and preventive maintenance programs are necessary for achieving the equipment’s assumed performance criteria in the SIL verification calculations. The lack of a good MI program for the SIS devices, the SIF and associated utilities supporting the SIS will result in increased spurious and dangerous failure rates for the SIS.

The SIF design should consider the requirements for testing including on-line and off-line test facilities, and the SRS should identify the required test intervals for the SIS equipment. The required test time can be significantly reduced if test requirements are considered an integral part of the SIS design. Test facilities should be designed to minimize the physical modifications required for testing (e.g., jumpers or lifting wires) and the operation of test facilities should be addressed during validation planning.

Personnel should know what to inspect, test, and document and the differences between how these activities are executed for safety equipment versus non-safety equipment. Understanding how to judge pass/fail criteria and the current condition of the equipment is critical to MI program success. Before one can define pass/fail criteria, it is necessary to understand what failures and failure modes are critical with respect to the required SIF performance. A significant activity within the MI program is the documentation of the “as-found” and “as-left” condition during the inspections and tests. This enables analysis of actual performance versus the required performance over time so that the installed integrity is periodically verified.

MI consists of many activities involving multiple departments and roles, which must be planned and coordinated throughout the facility life. This clause briefly describes those activities following a chronological sequence as practically feasible. There are some tasks that need to be performed concurrently. Management of the work process and tasks is important, as the MI activities must be reconciled with the planned and scheduled outages. Good planning and effective management of change procedures are needed to deal with the real-world needs of the operating facility, including deferred turnarounds, unplanned forces of nature, random equipment failures, etc. For the overall MI program to accomplish its mission, the personnel involved need to be sufficiently competent to successfully execute the MI activities.

This clause provides guidance related to the following MI activities:

planning and performing inspections

planning and performing repair

planning and performing preventive maintenance

planning and performing calibrations

planning and performing proof tests

planning and performing reliability analysis

6.1 Planning and performing inspections

The physical condition of the SIS equipment should receive a thorough mechanical inspection on a regular scheduled basis as determined by the historical performance of the installed equipment in the operating environment. This is especially true for field equipment exposed to environmental conditions and operating impact such as corrosion, process spills, leaks, etc. Inspections should be documented and any corrective action needed should be initiated immediately through site work order processes (as discussed in 6.2).

As a general practice, a thorough inspection should be performed each time a proof test is performed, but this is generally not the only time an inspection is performed, since proof test intervals may extend beyond the interval required to detect and correct incipient and degraded conditions. The inspection interval should take into consideration ambient conditions such as heat, cold, salt, dust, dirt, rain, wind, insect activity and plant painting programs.

An inspection program is intended to monitor the apparent condition of equipment and its capability to operate as required to meet the SRS. An example of a condition that could limit the performance capability of SIS equipment would be corrosion build -up around the stem of a rising stem valve used to isolate a process stream. The build-up, if not identified and corrected, could prevent the valve from stroking all the way or even at all. Consequently, visual inspection should be performed periodically to verify installation quality and correctness, enhancing the integrity and reliability of the SIF.

Annex E – Example inspection items and forms provides additional examples of items to inspect associated with sensors, logic solvers, final elements, and wiring, typical problems that might be found with these items, and an inspection form. If a defect is found during the inspection it should be corrected at the time of the finding if possible. If the defect cannot be corrected immediately then a work order should be generated to repair the defect as soon as practical. The nature of the defect should be described on the inspection form.


6.2 Planning and performing repair

Repair work is performed to correct revealed faults in a timely manner. In general, this means that the repair should be done as soon as it can be scheduled and safely executed. As faults are found and corrected, the repair information should be recorded for later review as part of continuous improvement. A repair work order can be generated as a result of any of the following:

Shift operator identifies potential problem/failure during normal daily field rounds.

Maintenance personnel identify potential problem/failure during scheduled inspection.

Testing or maintenance personnel identify potential problem/failure during execution of proof test.

On-line diagnostics identifies potential problem/failure.

Problem/failure is identified due to spurious trip.

Testing after repair should include the following activities, depending on what repair work has been completed.

1) Sensor: Exercise sensor input and verify alarm and trip setpoints are correct. Use the applicable section of the SIF test procedure and complete the required documentation for the equipment checked.

2) Final element: Exercise all outputs that actuate final control elements and observe output actions. Verify any feedback (limit switches, position indication, etc.) associated with the final control elements is functional. Use the applicable section of the SIF test procedure and complete the required documentation for the equipment checked.

3) Logic solver: The test will vary depending on the extent of the repair and its potential effect on the logic solver hardware or application program. Perform test of affected hardware, application program, or configuration to ensure proper operation and complete the required documentation.

Upon completion of the work and any required repairs, the work order and any test documentation should be signed by the person performing the work. It should be understood that the Reliability Engineer may need to follow up with the person who signed off the form. Repeat offenders, such as repeat work orders addressing the same performance issue, should be investigated so that action can be taken to minimize failure. These actions may include recommendations to change the MI plan, such as shortening the test interval, and even re-evaluating the design, specification or installation.

6.3 Planning and performing preventive maintenance

Preventive maintenance may be required to extend the useful life of the overall equipment when some part has a shorter life, such as soft goods in sealing service. The failure rate of a linkage may be quite different in the case of periodic oiling (i.e., preventive or predictive maintenance) versus no oiling (i.e., corrective maintenance). Today’s SISs employ a great deal of diagnostics, which support preventive maintenance based on the observed condition of the equipment. Routine visual inspections may also initiate preventive maintenance, as those inspections can uncover incipient/degraded conditions that need to be corrected. The periodic proof test is intended to identify and to correct degradation and complete failures, but not all degradation and failures can be identified through testing alone. Thus, proof test activities are often supplemented with thorough physical inspection and preventive maintenance tasks. As the time interval between periodic proof testing is increased, there is a need to improve the effectiveness of preventive maintenance. Refer to Annex E for more guidance on inspection and Annex G for more guidance on preventive maintenance.

Preventive maintenance is performed based on manufacturer recommendations and past experience with the equipment in similar operating environments that indicates equipment reliability is maintained when certain items are proactively repaired or overhauled. The preventive maintenance schedule and procedure may be modified over the equipment life due to information collected during inspections, proof tests and repair work. Activities must include proper documentation and retention of preventive maintenance actions, e.g., what part needed corrective action/repair and why.

6.4 Planning and performing calibrations

All SIS equipment should be calibrated prior to placing the SIF in service. Calibration can be performed by the manufacturer or by the user in the workshop or field. Calibration test equipment traceable to a recognized standards performance organization should be used to perform a minimum three-point calibration (e.g., 5%, 50%, 95% to prevent scaling errors) over the full signal range of the loop’s sensor/transmitter to the final readout device. Valves should be calibrated to proper stroke length for full open and full closed positions. Any valve that is not required to close or open to full stroke position should be calibrated at the appropriate position prior to placing in service.

Correct functionality between transmitters and the SIS logic solver is essential to effective SIF operation. Failure to ensure that this has been installed and configured correctly can lead to SIF failure in the event of a demand. The configuration of all analog transmitters should be tested to ensure that they function in accordance with how the logic solver is configured. The following items should be confirmed:

Calibrated range of the transmitter should be the same as the range configured in the logic solver.

Saturation HI/LO current value parameters in the transmitter should be configured to specified values.

The BADPV HI/LO current value thresholds in the logic solver should be configured to specified values that are outside of the saturation HI/LO parameter range in the respective transmitter.

The Fail HI/LO direction in the transmitter should be confirmed to be configured as specified.

The Fail current value that the transmitter defaults to when a fault is detected should be configured to a value above/below the BADPV HI/LO thresholds in the logic solver.


Figure 3 depicts a suggested transmitter and logic solver analogue input configuration.

[Figure 3 content: normal operation 4 mA to 20 mA. Transmitter configuration: Lo saturation 3.8 mA, High saturation 20.5 mA, Lo failed state 3.6 mA, High failed state 22.5 mA. Logic solver configuration: BADPV Lo 3.7 mA, BADPV High 21.5 mA.]

NOTE: Tx configuration parameters are NAMUR suggested values. Logic solver BADPV settings are suggested to align with NAMUR Tx configuration.

Figure 3 — Example of transmitter and logic solver analogue input configuration
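The following added example (not from this technical report) checks the transmitter and logic solver confirmation items listed in 6.4 against a configuration record and shows how the logic solver would classify a loop current under that configuration; the dataclass layouts and field names are assumptions, and the sample currents are the values shown in Figure 3.

```python
"""Consistency checks between a 4-20 mA transmitter and the logic solver
analogue input it feeds, following the confirmation list in 6.4.

Added example, not part of ISA-TR84.00.03. Dataclass layouts and field names
are assumptions; the sample currents are the Figure 3 values.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TransmitterConfig:
    lrv: float            # calibrated range, lower range value (engineering units)
    urv: float            # calibrated range, upper range value
    sat_lo_ma: float      # low saturation current
    sat_hi_ma: float      # high saturation current
    fail_direction: str   # "HI" or "LO"
    fail_ma: float        # current driven when the transmitter detects a fault


@dataclass(frozen=True)
class LogicSolverInput:
    range_lo: float       # engineering range configured in the logic solver
    range_hi: float
    badpv_lo_ma: float    # PV is flagged bad below this current
    badpv_hi_ma: float    # PV is flagged bad above this current


@dataclass(frozen=True)
class Specified:
    """Values specified for the loop (SRS / loop sheet)."""
    sat_lo_ma: float
    sat_hi_ma: float
    fail_direction: str


def check_analog_input(tx: TransmitterConfig, ls: LogicSolverInput,
                       spec: Specified) -> List[str]:
    """One finding per 6.4 item that is not satisfied; [] means consistent."""
    f: List[str] = []
    if (tx.lrv, tx.urv) != (ls.range_lo, ls.range_hi):
        f.append(f"range mismatch: transmitter {tx.lrv}..{tx.urv}, "
                 f"logic solver {ls.range_lo}..{ls.range_hi}")
    if (tx.sat_lo_ma, tx.sat_hi_ma) != (spec.sat_lo_ma, spec.sat_hi_ma):
        f.append(f"saturation {tx.sat_lo_ma}/{tx.sat_hi_ma} mA differs from "
                 f"specified {spec.sat_lo_ma}/{spec.sat_hi_ma} mA")
    # BADPV thresholds must sit outside the saturation range, otherwise a
    # saturated but healthy signal is reported as a bad PV.
    if not ls.badpv_lo_ma < tx.sat_lo_ma:
        f.append(f"BADPV LO {ls.badpv_lo_ma} mA is not below LO saturation {tx.sat_lo_ma} mA")
    if not ls.badpv_hi_ma > tx.sat_hi_ma:
        f.append(f"BADPV HI {ls.badpv_hi_ma} mA is not above HI saturation {tx.sat_hi_ma} mA")
    if tx.fail_direction != spec.fail_direction:
        f.append(f"fail direction {tx.fail_direction} differs from specified {spec.fail_direction}")
    # The fail current must cross the BADPV threshold or a transmitter fault
    # is never flagged by the logic solver.
    if tx.fail_direction == "LO" and not tx.fail_ma < ls.badpv_lo_ma:
        f.append(f"fail current {tx.fail_ma} mA is not below BADPV LO {ls.badpv_lo_ma} mA")
    if tx.fail_direction == "HI" and not tx.fail_ma > ls.badpv_hi_ma:
        f.append(f"fail current {tx.fail_ma} mA is not above BADPV HI {ls.badpv_hi_ma} mA")
    return f


def pv_status(current_ma: float, ls: LogicSolverInput) -> str:
    """How the logic solver classifies a loop current under this configuration."""
    if current_ma < ls.badpv_lo_ma or current_ma > ls.badpv_hi_ma:
        return "bad"
    if current_ma < 4.0 or current_ma > 20.0:
        return "saturated"
    return "normal"


# Figure 3 values: NAMUR suggested transmitter settings, BADPV aligned to them.
SPEC = Specified(sat_lo_ma=3.8, sat_hi_ma=20.5, fail_direction="HI")
TX_NAMUR = TransmitterConfig(0.0, 100.0, 3.8, 20.5, "HI", 22.5)
LS_NAMUR = LogicSolverInput(0.0, 100.0, 3.7, 21.5)

# Constructed discrepancies: a re-ranged transmitter whose fail current sits
# below BADPV HI, and a logic solver whose BADPV limits fall inside saturation.
TX_MISMATCH = TransmitterConfig(0.0, 150.0, 3.8, 20.5, "HI", 21.0)
LS_INSIDE_SAT = LogicSolverInput(0.0, 100.0, 3.9, 20.4)
```

With `LS_INSIDE_SAT`, `pv_status(20.5, ...)` returns "bad" for a transmitter that is merely saturated, which is the mis-configuration the third item above guards against.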

An instrument calibration record should contain the following data fields at a minimum:

tag number/identification number

manufacturer model number

serial number

process location

calibration range and tolerance

calibration date

test standard

as-found/as-left

comments

special consideration, e.g., signal filtering, dampening, failure detection hi/low, etc.

technician name, signature and date

supervisor/approver name, signature, and date

Calibration procedures should be available for each type of SIS equipment (See Annex F – Example calibration forms). In general, calibration procedures recommended by the manufacturer should be followed. Where additional requirements (e.g., response time of instruments or valves) are necessary to perform the specified function, these should be taken into account in the calibration procedures.

A good practice is to include “reasonableness” checks as part of the calibration procedure. For example, on-line calibration procedures may include a step in which Operations compares the process variable readings from newly calibrated field sensors to other process measurements. Similarly, a reasonableness check for off-line calibration can be performed after the unit has been re-started. This additional step minimizes the likelihood of a systematic failure during calibration.

NOTE Common cause failure can arise when redundant sensors are calibrated at the same time by the same person using the same test equipment or standard. Where an instrument technician miscalibrates one sensor, he/she is very likely to miscalibrate the others. Special concerns for these failures arise in calibration of redundant process analyzers using a single mixed sample and in SIL 3 SISs with non-diverse process measurements.


6.5 Planning and performing proof tests

Personnel associated with the Maintenance, Operations, Design Engineering, and Process Control organizations support the planning, development and execution of proof tests. Periodic proof tests are executed to detect unrevealed failures, i.e., failures that may have existed since the last periodic test. This activity is a quality control check that verifies that the facility is operating with its intended safety integrity. Inspection and proof testing are not a substitute for preventive maintenance and repair. Detailed recording of inspection and test observations is essential for supporting failure tracking and investigation. Proof tests include checking not only the SIS functionality, but also any SIS alarms and indications (e.g., diagnostic, pre-trip, and trip alarms). Similar tests should be periodically performed on the overall system, including main processors, input/output modules, communications links, power, relays, and SIS grounding. Each test serves as an opportunity for personnel to see the SIS equipment in action and to validate the procedures associated with its operation.

Procedures should be in place to assure that all test and calibration equipment used on the SIS equipment is properly maintained, calibrated (certified per standard, if necessary), and fully operational (See Annex H – Example proof test template and procedures and Annex I – Proof test examples for various SIF technologies). Calibration cycles of test equipment should follow manufacturer recommendations and methods to assure the accuracy of the equipment. It is recommended that field test/calibration equipment be checked/calibrated against a National Institute of Standards and Technology (NIST) traceable standard on an annual basis. Calibration labs will normally provide a calibration stamp along with calibration documentation for the device being calibrated. In general, field test/calibration equipment that is found to be out of calibration, past established calibration dates, poorly maintained, or in poor physical condition should not be used on SIS systems. If a facility owns test/calibration devices, the devices should be assigned a tag name, which should be entered into the maintenance management system to ensure calibrations are performed in the recommended time frame.

Proof test procedure development should begin in the design phase so that any considerations or issues associated with the test interval or bypassing can be addressed properly. Good communication with Maintenance is necessary to provide the most effective and efficient proof test procedure and to guard against the need for unnecessary shutdowns or extended test deferrals.

In addition to providing a step-by-step procedure on how to test the SIF or SIS equipment against the SRS, the proof test procedure should address:

approvals and notifications required for test execution, e.g., notification of operators

description of the expected SIF or SIS equipment operation, as appropriate

work scope, e.g., what will be checked, such as flow rate, valve closure, etc.

when applicable, how tests may affect other SIF or operating systems and how to address impact

where applicable, how the SIF or SIS equipment is affected by bypasses

required notifications during test, such as notifying the operator when alarms are activated

once the test is complete, how the SIF or SIS equipment is brought back on line

To support any on-line tests, operating procedures should ensure that any loss of risk reduction due to the SIF or SIS equipment being out of service is provided by compensating measures (refer to ISA-TR84.00.04 Annex P). Prior to approving bypassing or performing the test, operations should review any special precautions or compensating measures required during the bypass or test period.

Does Operations have an equivalent process variable to monitor when the SIF process sensor is in bypass?


Does Operations have control of a final element that can be used to shutdown the process independently during testing when the output is in bypass?

Discuss what happens if a process demand occurs while in bypass. What should Operations do? What should Maintenance do?

Is there sufficient time for the operator to take action?

Is there communication with Maintenance on when to evacuate to a safe location?

Discuss what happens if an operator-initiated trip is required while bypassed. What should Operations do? What should Maintenance do?

The test procedure should include return to service provisions to assure proper transfer of SIS equipment responsibility from Maintenance to Operations. The operator should confirm by process condition or equipment observation that the SIS equipment is on-line. Operations should approve work completion closing the work permit. Additional supervisory sign off may be appropriate in some cases.

6.5.1 Proof test planning

Performing proof tests can be costly if not appropriately planned. When the SIF is designed such that off-line testing is required, additional costs are incurred due to loss of production and environmental/safety impacts during the shutdown and subsequent start-up. It is therefore highly recommended that proof testing be discussed and planned for during the project design phase with input from Maintenance and Operations.

Proof testing is often accomplished through a number of discrete activities that test parts of the SIF at different times with sufficient overlap of the tests that all parts are demonstrated to function as intended. Fortunately, increased levels of automation, enhanced programming techniques, and new test techniques can be used to execute safe and comprehensive testing of individual devices or segments (e.g., input to logic solver) of the SIS while the process is running.

A periodic end-to-end test should be considered to ensure proper functioning of the entire system. Where the dynamics of the entire end-to-end SIF is crucial, the complete SIF should be tested together to ensure specification compliance, e.g., the thermowell, the thermocouple, the transmitter, the input cycle time, the logic cycle time, the output signal cycle time and all of the components required for operation of the final elements, such as volume boosters, pneumatic tubing size and length.

A key question concerns whether SIF testing must be done as an integrated test or whether various parts of the SIF can be tested at different times as necessary to achieve the SIL. Testing is performed to identify incipient/degraded conditions and equipment failure. Whether these issues are found piecemeal or through an end-to-end test is not important; their timely detection and correction is. ANSI/ISA-84.00.01 does not specify that all proof testing must take place at the same time. It does require full validation using an end-to-end test prior to placing a new or modified SIF in service. However, after that, the user is free to structure proof testing to achieve the SIL and reliability requirements for each SIF, e.g., individual SIS equipment or SIF segment tests.

Personnel and resource requirements should consider whether workshop or calibration/test lab facilities will be provided on-site, off-site, or at a manufacturer’s premises, so the time required for troubleshooting, repair, and proof testing can be estimated. Tool availability and personnel competency in these tools affect how quickly MI activities can be conducted and the achievable installation quality and equipment integrity. Therefore, planning is an important activity to address both the safety requirements necessary to maintain the required SIL and to minimize the cost. Once a plan has been documented, the various activities can be scheduled.


When performing segment testing rather than end-to-end testing, it is critical to ensure that the discrete activities account for, or overlap, all interfaces. For example, SIF proof tests should cover the sensor, input wiring, input systems, communications, logic solver operation, output systems, relays (especially for voted relay outputs), output wiring, and final element, so that the operation of the entire circuit is demonstrated. Figure 4 illustrates an SIF that has been divided into 3 overlapping segments for testing. Any project or change impacting the SIS should address test requirements and the provision for competent resources to analyze discrepancies or changes.
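As an added example (not from this technical report), the following Python checks that a set of segment tests covers every element of the circuit listed above and that every interface between adjacent elements falls inside some segment, which is what overlapping segments guarantee; the element order is taken from that paragraph, while the segment boundaries are assumed.

```python
"""Coverage check for SIF segment tests (6.5.1 / Figure 4).

Added example, not part of ISA-TR84.00.03. Every element of the circuit must
be tested, and every interface between adjacent elements must lie inside a
single segment test, so adjacent segments have to share an element. The
element names come from the text; the segment boundaries are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

# Elements of one SIF circuit, in signal order from sensor to final element.
SIF_CHAIN = ["sensor", "input wiring", "input system", "communications",
             "logic solver", "output system", "relays", "output wiring",
             "final element"]


def check_segment_coverage(chain: Sequence[str],
                           segments: Dict[str, Sequence[str]]) -> List[str]:
    """Return findings; an empty list means the segment tests together
    demonstrate the operation of the entire circuit."""
    findings: List[str] = []
    index = {e: i for i, e in enumerate(chain)}
    spans: List[Tuple[int, int, str]] = []  # (first index, last index, name)
    for name, elems in segments.items():
        unknown = [e for e in elems if e not in index]
        if unknown:
            findings.append(f"{name}: elements not in the circuit: {unknown}")
            continue
        idx = sorted(index[e] for e in elems)
        # A segment must be contiguous; a gap inside it would skip an interface.
        if idx != list(range(idx[0], idx[-1] + 1)):
            findings.append(f"{name}: elements are not contiguous")
            continue
        spans.append((idx[0], idx[-1], name))
    covered = {chain[i] for lo, hi, _ in spans for i in range(lo, hi + 1)}
    missing = [e for e in chain if e not in covered]
    if missing:
        findings.append(f"elements never tested: {missing}")
    # Interface i -> i+1 is exercised only if both ends sit in one segment.
    for i in range(len(chain) - 1):
        if not any(lo <= i < hi for lo, hi, _ in spans):
            findings.append(f"interface {chain[i]} -> {chain[i + 1]} "
                            "is not exercised by any segment test")
    return findings


# Three overlapping segments in the spirit of Figure 4 (boundaries assumed):
# each shares its boundary element with the next one.
SEGMENTS_OK = {
    "sensor to logic solver input": SIF_CHAIN[0:4],
    "logic solver": SIF_CHAIN[3:6],
    "output to final element": SIF_CHAIN[5:9],
}
# Same plan, but the middle test exercises only the logic solver itself, so
# the interfaces on either side of it are never tested although every element is.
SEGMENTS_GAP = {**SEGMENTS_OK, "logic solver": ["logic solver"]}
# Output segment never scheduled.
SEGMENTS_MISSING = {k: v for k, v in SEGMENTS_OK.items()
                    if k != "output to final element"}
```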

Test plan documentation should include:

procedures to test each SIF or SIS equipment

descriptions of the common aspects of the SIS (e.g., PE logic solver and associated equipment) and its associated safety requirements or references to the SRS

procedures that define testing following on-line repair or modification

reporting requirements

NOTE Current standards require documentation of as-found/as-left test results. This information is used to verify the assumptions used in the reliability calculations.

who will review proof test results and records to ensure completeness and work quality

competency requirements for persons performing the inspections, tests and repairs

Figure 4 — Example of SIF segment tests illustrating overlapping segments

[Figure 4 labels: Sensing Elements, I/O, Control Logic, I/O, Final Control Elements, Common System Aspects]

6.5.2 Test interval basis

The SRS should specify the required proof test intervals for the SIS equipment, which are necessary to support quality assurance of the MI plan. The proof test intervals for the sensors, logic solvers, and final elements may be different due to the individual device technology integrity and reliability. Some devices may be tested using manual or automated on-line testing. Others may require a plant turnaround in order to fully test the device operation. During the design phase, the planned turnaround interval should be considered to determine whether on-line testing is needed to demonstrate the required SIF performance. Follow-up testing of SIS equipment may be considered at intervals shorter than the complete proof test to improve the SIF performance. Factors that impact the frequency of these tests include:

process severity for sensors and final elements

accuracy of measurements required for safety

need for positive isolation of streams by valve action

mechanical wear and tear on equipment

desire for longer test interval between complete proof tests

Test intervals should be documented in the facility’s maintenance management system. The proof test interval can be determined using a combination of good engineering practice, manufacturer recommendations, operating history, insurance requirements, industry standards, operational constraints and the risk reduction requirements. It is always permissible to test more frequently than what is specified in the SRS. Since operational issues can affect the test window, meeting the exact test interval may be difficult at times. The MI plan should define the allowable test interval variation, including management approvals for test deferral (refer to 6.5.4 for more guidance on deferrals and approvals).

NOTE Test intervals may be impacted by unplanned repairs or replacement. If a proof test is performed and documented, consideration may be given to resetting the next test date, recognizing that the proof test interval documented in the SRS may not be exceeded.

When establishing a proof test interval basis, it is necessary to first consider how long unit operations are expected to continue between outages required to conduct off-line testing. Regulatory authorities may also require testing at intervals shorter than the planned outage schedule. These situations can have a considerable impact on the SIS design, as it may be necessary to include the ability to perform on-line testing or may require more complex architectures to achieve the needed risk reduction with a long proof test interval. Once the access and maintenance constraints are understood, the design must provide equipment in an architecture that is sufficient to achieve the required risk reduction with the specified proof test interval.

The MI plan should consider the useful life of the selected SIS equipment. The SIL verification calculations (refer to ISA-TR84.00.02) are based on the estimated dangerous failure rate during the equipment’s useful life. When equipment is operated beyond its useful life, the dangerous failure rate begins to increase over time, leading the SIL verification calculation to become increasingly optimistic. Consequently, it is important to monitor the SIS at a frequency sufficient to detect when the failure rate begins to increase over time, so that the actual performance is maintained comparable to the design assumptions. Monitoring the SIS performance is required by ANSI/ISA-84.00.01-2004, 5.2.5.3. User approval as discussed in ISA-TR84.00.04 Annex L relies on prior use information to determine whether equipment is fit for service, whether in a new installation or in an existing one. The approval process acknowledges that once the equipment is installed the in-service performance may indicate the need to modify the design, specification, installation, or mechanical integrity plan to bring the SIS performance into alignment with expectations; it may also indicate the need to remove equipment from service.

With regard to useful life, there are two important considerations: 1) understanding what components/parts limit the overall equipment useful life and establishing a mechanical integrity plan to deal with those components/parts on a suitably timely basis, and 2) monitoring the equipment to identify when it has reached wear-out. In many cases, consumable parts or individual parts with a known life dictate the useful life of SIS equipment. The user approval process (see ISA-TR84.00.04 Annex L) should include identifying what limits the useful life of the SIS equipment, so that consideration can be given as to whether it is feasible and cost effective to replace the consumable parts to extend the useful life or to control the conditions that accelerate degradation. Inspection or proof test intervals should not exceed the known useful life, and consideration should be given to decreasing the intervals as the end of useful life approaches. To maintain the required risk reduction and to allow the desired proof test interval, it may be necessary to design the system to allow on-line replacement of the weaker parts.


The user is cautioned, however, that there are some instruments that exhibit a clear break between pass and fail. For instance, a capacitor in a transmitter has a specific life dependent on its materials of construction and operating environment. When it is sufficiently degraded, the instrument will not be able to perform its function(s). In the illustrated example, the user should consider the capacitor and the remaining equipment components. In most cases, a MI program designed around the equipment produces the most effective solution from both a performance and cost perspective. In the case of equipment like transmitters and solenoid valves, repair is generally not cost effective, so replacement is often performed.

6.5.3 Ensuring safe work practices

Incidents involving testing have been caused by many different factors including:

inadequate test coordination with Operations

inadequate return to service procedure

inadequate communication and coordination with adjacent Operations and Maintenance who were unaware of test being conducted and the impact of testing on their situation

SIS equipment failure

improper bypassing

poor test facility design

misunderstood or incomplete test procedures

lack of personnel competency and training

Common incidents as a result of testing include:

beginning a test without satisfying the pre-test conditions

attempting to start-up when a test is still in progress

violations of lock-out/tag-out

leaving SIS equipment bypassed (trip point, relay, timer, or valve) long-term in error

working on the wrong device (e.g. SIF relies on redundant sensors – meant to test A, but tested B instead)

leaving a transmitter with a simulated signal or point in manual source mode

leaving analyzers in zero or span

To prevent these incidents from occurring, MI planning should ensure that inspection/proof test and bypass procedures are clearly documented and that personnel are adequately trained to perform their required tasks. These incidents are further reduced through job safety analysis and human reliability studies. Human factors should be considered during test facility design and procedure documentation, such as requiring that test conditions be satisfied before a test facility is enabled or that cross-checks be performed to ensure that SIS equipment is fully operational after test.

Complete testing may require the process equipment to be on-line. Safe operation must be ensured through work practices and procedure execution. Depending on site procedures, safe work practices may be covered under permitting requirements or may be addressed in the test procedures. Where permits are required, they should be listed in the procedure. Prior to any testing, a review of the tests to be conducted and the procedures for performing these tests should be carried out by persons from Instrument/Electrical Maintenance, Operations, and Technical who are familiar with the process and the SIF. This review should reinforce validating the SIF or SIS equipment against the pass-fail criteria, documenting as-found/as-left, recording and reporting failure, and recognizing common cause failure.


6.5.4 Deferrals and approvals

MI programs and the designs that support them should be developed so that the potential need to extend inspection or proof testing is an exceptional event, not a matter of routine. Deferrals need to be handled using the management of change process, which includes a technical review to ensure the company’s risk criteria are not violated. In the event that they are, temporary compensating measures should be put into place until the protection is returned to the “as good as new” condition.

The most common MI deferrals are requests to delay inspections, proof tests, or repair. Common reasons for deferral are as follows:

The equipment that the SIF is protecting is out of service. The SIF must be tested prior to the equipment being returned to service.

A turnaround is scheduled shortly after the scheduled test of the SIF. The intent is to perform the test during the turnaround.

Spare parts or other required resources are not currently available.

The equipment cannot be accessed or repaired on-line.

Deferrals can be addressed by implementing a deferral procedure or through plant MOC. Annex J – Deferral considerations and example procedures provides an example of a deferral procedure. The purpose of the deferral procedure or approval process is to ensure that the risk associated with the deferral is understood and that any additional risk caused by the deferral is properly addressed. Management should be made aware of the risks involved with delay of SIS inspection, test, and repair and approve deferments on a case-by-case basis.

Probability of failure of an SIF increases as a function of time. The longer the proof test interval, the higher the average probability of failure on demand (PFDavg), potentially resulting in the SIS not achieving the risk reduction defined in the SRS. Deferring on-line or off-line tests such that the test interval is greater than the specified interval may degrade the SIF performance. The approval process should examine the impact of the deferral on the SIF integrity prior to approving the deferral. Justification should consider historical performance, such as inspection, work order and proof test records, the integrity of planned compensating measures, and the SRS. The SIL verification calculation should be reviewed to determine whether the deferral will compromise the overall SIF performance.

Deferrals must be approved and authorized by competent personnel who are accountable for safe operation, understand the equipment operation, the risk the SIF is designed to reduce, and the equipment reliability history. Typically, Operations, Maintenance, and Technical representatives are involved in the approval processes. In some cases, there may be different levels of required review and approval dependent on the SIF complexity, the SIL, the potential event consequence severity that the SIF is protecting against, and the planned deferral length. An example of this is shown in Table 2.

Table 2 — Example of temporary test or inspection deferral authorization

Deferral period (beyond test or inspection due date):

In compliance

Less than or equal to 30 days

31 to 60 days

61 to 90 days

> 90 days

Authorizing level:

Unit supervisor

manager

Site manager

Operating group V.P. and process safety


6.5.5 Proof test strategy

Each SIF in the SIS should be identified, including its inputs, outputs, and the required logic to be performed using the inputs and outputs. A test procedure should define how each piece of SIS equipment or segment is tested. All equipment necessary for performing testing should be identified and verified suitable for tests to be performed. This includes calibration equipment with traceable performance. If any equipment is shared by multiple SIF, the proof test strategy should take this into account to guard against unnecessary testing, e.g., block valve shared among several independent SIF.

6.5.5.1 Off-line testing

The most common test of an SIF is the off-line manual proof test. This test is performed while the process being protected is not in operation thus allowing all features of the SIS equipment, SIF segment, or SIF to be validated. The primary purpose of this testing is to detect dangerous unrevealed faults that exist in the SIF. When the SIF is properly designed and maintained, this testing should rarely find faults. There are, however, multiple ways that tests can be performed. This subclause will describe techniques and procedures that are known to be effective in carrying out the proof test.

Off-line end-to-end testing of the complete SIS should be performed prior to placing the SIS in service. This is described as validation in ANSI/ISA-84.00.01-2004 and demonstrates that the SIS operates according to the SRS.

NOTE After the initial validation has been performed, subsequent tests that demonstrate the operation of the SIS equipment or SIF segments are referred to as a proof test.

SIF proof testing should be performed at intervals determined by one or more of the following criteria:

the test interval specified in the SRS

the test interval recommended by the equipment manufacturer

when changes are made to logic, impacting the function of the SIF

when the process or equipment is taken out of service for scheduled maintenance activities that require work involving SIS equipment

company policy requiring complete SIF testing on a predefined schedule

after extended down time of the SIS (see deferrals clause)

6.5.5.2 On-line testing

On-line testing may be necessary where the normal operating cycle of the process between scheduled shutdowns is greater than the test interval defined in the SRS. Maintaining the required SIF integrity requires that this test interval be maintained. Therefore, the testing of some SIF will require executing on-line testing.

Before performing an on-line test, it is important to ensure the process has stable operating conditions. Stable operating conditions include no major rate changes, emergency situations, process upsets, etc. On-line testing may require bypassing of the equipment to be tested. In some cases the risk of being in bypass may require the presence of a field operator as the compensating measure. This will introduce stress on those performing the testing as well as any operators providing the protection. It is therefore imperative that on-line testing be performed under closely controlled and monitored conditions using procedures that have been technically reviewed and previously executed off-line. On-line testing should not be started unless it can be worked step by step to completion with no anticipated interruptions. Once the inputs or outputs are bypassed, a dedicated operator should monitor the process continuously in case there is a process demand requiring shutdown. Once the manual bypass valves are opened or closed, a dedicated field operator should be available to close or open the block valves quickly if a process demand occurs. During the on-line test, the operator should be capable of manually tripping the SIF via a manual shutdown switch, which initiates the SIF final elements in the event a trip is required. All personnel involved in on-line testing of SIS equipment should be aware of the procedures to follow in case a process demand occurs while the testing is in progress.

6.5.5.3 Effect of incomplete testing

An effective test will detect all hidden dangerous failures and degraded conditions. The SIF can then be restored to full operation. When effective testing occurs on schedule, the risk reduction is maintained at the desired level. As shown in Figure 5, the SIF probability of failure increases as a function of time. With complete testing at the required proof test interval, the PFDavg will continue to provide a level of performance assumed in the SIL verification.

Figure 5 — Change in PFD(t) as a function of time and test interval

If the testing is not done effectively, some hidden dangerous failures will not be detected.

Figure 6 illustrates how the PFDavg will increase over time during the life of the equipment.

Figure 6 — Increase of PFD(t) over time due to partial testing

If testing is not completed effectively as scheduled, the SIS performance will inevitably deteriorate. If tests are also ineffective and durations between tests are increased, the PFDavg will increase as shown in Figure 7. It becomes more likely that the risk reduction needed to maintain the tolerable risk will not be provided by the SIS.


Figure 7 — Increase of PFD(t) over time due to incomplete testing
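The PFD(t) behaviour of Figures 5 to 7 and the deferral review of 6.5.4 can be worked through numerically. The following Python model is an added example, not part of this technical report or of ISA-TR84.00.02; it assumes a single 1oo1 channel with a constant dangerous undetected failure rate and instantaneous repair, and the failure rate, mission time, test schedule and 90-day deferral are constructed values.

```python
import math

YEAR = 8760.0  # hours

# Constructed inputs (not from the report): a 1oo1 SIF with a dangerous undetected
# failure rate of 1e-6 per hour, proof tested yearly over a 5-year mission, where
# the second proof test is proposed to be deferred by 90 days (2160 h).
LAM_DU = 1.0e-6
MISSION = 5 * YEAR
PLANNED_TESTS = [1 * YEAR, 2 * YEAR, 3 * YEAR, 4 * YEAR]
DEFERRED_TESTS = [1 * YEAR, 2 * YEAR + 90 * 24, 3 * YEAR, 4 * YEAR]


def _last_test_before(test_times, t):
    """Time of the most recent proof test at or before t (0.0 is the initial validation)."""
    return max([0.0] + [tt for tt in test_times if tt <= t])


def pfd_at(lam_du, ptc, test_times, t):
    """Instantaneous PFD(t), the saw-tooth of Figures 5 and 6.

    ptc is the proof test coverage: the fraction of dangerous faults a proof test
    reveals. The covered part resets at every test; the uncovered part (1 - ptc)
    accumulates from t = 0 until the equipment is overhauled at mission end.
    """
    lam_covered = ptc * lam_du
    lam_uncovered = (1.0 - ptc) * lam_du
    t_last = _last_test_before(test_times, t)
    availability = math.exp(-lam_covered * (t - t_last)) * math.exp(-lam_uncovered * t)
    return 1.0 - availability


def pfd_avg(lam_du, ptc, test_times, mission):
    """Exact time average of pfd_at over [0, mission], integrated in closed form
    interval by interval (no numerical quadrature error)."""
    lam_uncovered = (1.0 - ptc) * lam_du
    bounds = [0.0] + sorted(tt for tt in test_times if 0.0 < tt < mission) + [mission]
    availability_integral = 0.0
    for t_k, t_next in zip(bounds, bounds[1:]):
        delta = t_next - t_k
        if lam_du == 0.0:
            availability_integral += delta
        else:
            availability_integral += (math.exp(-lam_uncovered * t_k)
                                      * (1.0 - math.exp(-lam_du * delta)) / lam_du)
    return 1.0 - availability_integral / mission


def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (the SIL table of ANSI/ISA-84.00.01-2004)."""
    if pfd >= 1e-1:
        return 0  # does not reach SIL 1
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def review_deferral(lam_du, ptc, planned_tests, deferred_tests, mission, required_sil):
    """Numbers a deferral approver (6.5.4) should see: PFDavg before and after the
    deferral, the worst instantaneous PFD reached just before a test, and whether
    the required SIL is still met on average and at that peak."""
    planned = pfd_avg(lam_du, ptc, planned_tests, mission)
    deferred = pfd_avg(lam_du, ptc, deferred_tests, mission)
    peak = max(pfd_at(lam_du, ptc, deferred_tests, tt - 1e-9)
               for tt in list(deferred_tests) + [mission])
    return {
        "pfd_avg_planned": planned,
        "pfd_avg_deferred": deferred,
        "peak_pfd_deferred": peak,
        "sil_planned": sil_band(planned),
        "sil_deferred": sil_band(deferred),
        "meets_required_sil": sil_band(deferred) >= required_sil,
        "peak_exceeds_sil_band": peak >= 10.0 ** (-required_sil),
    }


if __name__ == "__main__":
    r = review_deferral(LAM_DU, 1.0, PLANNED_TESTS, DEFERRED_TESTS, MISSION, 2)
    for key, value in r.items():
        print(f"{key:22s} {value}")
    # Figure 6/7 effect: a proof test that reveals only 90 % of dangerous faults
    # raises the mission PFDavg more than the 90-day deferral does.
    print("pfd_avg, ptc = 0.9    ", pfd_avg(LAM_DU, 0.9, PLANNED_TESTS, MISSION))
```

With the constructed values the mission PFDavg stays inside SIL 2 after the deferral, but the instantaneous PFD just before the deferred test crosses the SIL 2 boundary, which is the kind of finding the justification should record alongside the compensating measures.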

6.5.5.4 Relationship of diagnostics to proof testing

Diagnostics help to reduce the number of undetected failures that can occur by alerting the operating and maintenance personnel that repairs need to be made. In SIF, these diagnostics should vote to initiate the safety action unless redundancy is provided to ensure the required SIL is maintained. Diagnostics are used to identify specific failure modes of equipment. Diagnostics are not a replacement for proof testing. When diagnostics detect degraded or complete failure, repair or replacement occurs such that the equipment is returned to the “as good as new” condition. Unlike a proof test, the diagnostics do not inspect for incipient conditions. Although diagnostics are never a full replacement for routine inspections or proof tests, their benefits may allow greater time intervals between complete proof tests while ensuring the required risk reduction is provided.

6.5.5.5 Proof testing by demand

Trips related to process demands or manually initiated shutdowns can be treated as proof tests if adequate verification is performed and documentation similar to a proof test is created after the trip. To be considered a proof test, the following should occur:

confirmation the demand was not caused due to failure of the component to be tested

proper documentation

visual inspection of equipment being tested

confirmation of expected action of the equipment being tested

confirmation of functional requirements of the equipment being tested

pre-demand and post-demand status

Since the test will be reactive and unexpected, a robust system designed to track the trip and document the cause should be in place in order to take credit for the demand as a test. The required data for proper documentation also needs to be created, stored and retained. If the data is gathered manually, resources (electronic and/or personnel) will be necessary during the process interruption, and this should be taken into account during trip response and start-up activity planning. Before start-up, the affected SIS equipment should be visually inspected, along with any auxiliary systems, to the same rigor as a planned proof test. Automated methods of gathering the data are generally preferable because personnel are usually focused on returning the process to a normal/safe operating state after an SIF demand. Detailed analysis of the data can be performed at a later time by qualified personnel once start-up is complete.


Implementation of a system to take credit for a demand may not be appropriate for all applications based upon the test interval and testing strategy of SIF at a location. For example, if an SIF proof test interval was every three years and coincided with the plant shutdown / turnaround schedule, there would be little benefit in taking credit for a proof test of the final element if the trip occurred one year into the cycle. It may be more beneficial to design the SIF’s test interval through diagnostics and a robust architecture to meet or exceed the available testing duration opportunity rather than developing a comprehensive system that can take credit for demand trips. On the other hand, if the testing strategy consisted of small segments that could be tested independently of a larger system or were needed to operate during the planned turnaround, the benefit could be greater. An example would be an individual oil well or a cooling / heating system for a vessel with inventory.

Typically, demand tests are focused on final elements, since sensor and logic solver tests can be performed on-line. However, this does not limit the potential for demonstrating a complete proof test of SIF after a demand. The most important aspect is that the demand test generates data and documentation equivalent to a planned proof test for the demand to be considered a proof test (i.e., functional requirements incorporated into the equipment proof test and associated pass/fail criteria should be demonstrated and appropriate evidence gathered during the demand).

Using the data gathered, the final element can be documented as having passed or failed the functional requirements. It is important to note that a final control element may be a part of multiple SIF, so the data should be compared to its most stringent functional requirements. Failure to pass a functional requirement should be viewed as a failed test, and the proper procedures followed to restore the functionality of the device.

6.6 Planning and performing bypasses

An SIF is considered bypassed when the output is intentionally prevented from acting to achieve or maintain a safe state of the process. A bypass can occur if the signal is forced, terminal wiring is jumpered, trip settings are such that the trip will not occur, valve is clamped, or physical/logical bypasses are initiated. Start-up bypasses are sometimes required during plant start-up due to the required SIF functionality, e.g., low flow cut-off for a pump. They are sometimes necessary to allow maintenance or testing to be performed while the process is still operational, reducing downtime required for testing thus improving process reliability. However, bypassing SIF often means that the process equipment is less protected and more vulnerable to a hazardous event should a process demand occur.

Bypasses increase the potential for systematic errors. SIF in bypass are not available to operate when a process demand occurs, so bypass periods should be tracked and minimized. The use of bypasses should be reviewed and approved under a MOC process that involves procedures, administrative control, and access security provisions. Bypasses are considered acceptable, as long as their use is controlled and the risk is properly managed.

When bypasses are initiated, the bypass may result in impairment of the function or in its disablement. If the SIF is not fault tolerant, the bypass of a single device results in complete loss, or disablement, of the SIF. If the SIF is fault tolerant, a single device in bypass does not disable the SIF, but it often reduces the SIL of the SIF. For this reason, an analysis of the increased risk during bypassing should be performed so that compensating measures can be identified to address any increased risk.

If the bypass is implemented while the process is on-line, there is generally increased risk. A bypass permit system is generally used to satisfy MOC requirements and to provide traceable and auditable MOC documentation (See Annex K - Example bypass approval procedures). An assessment should be performed to identify the conditions under which the risk can be safely managed and the compensating measures that provide risk reduction equivalent to the degree of system impairment. The bypass period should be limited to what is necessary to test or repair SIS equipment.


The operator should be informed, by alarm or by procedure, when any part of an SIS is bypassed. Some companies choose to send notifications to Operations supervision as well. Bypass alarms should have “ring back” functionality, where the alarm is periodically repeated, including after shift change, to ensure acknowledgement that the equipment is still in bypass. Compensating measures necessary to maintain safe operation when bypasses are active should be clearly identified and documented in operating procedures.

Proof tests usually require bypassing SIS equipment. Bypass safe work practice requires the documentation of the installation and removal of each bypass. Test procedures often include the bypass permit requirements. Test procedures should specify for each bypass the approval and confirmation of:

the activation of each bypass, force or override

the use of each bypass, such as approval to install, tracking bypass period, maximum bypass time

the removal of each bypass, force, or override

6.7 Defining pass/fail criteria

It is repeatedly stated in this technical report that the mechanical integrity plan seeks to maintain equipment in the “as good as new” condition, but what does that mean? Essentially, the installed equipment must function in the operating environment as intended and support the risk reduction necessary to meet the process hazards analysis requirements. The equipment is not “as good as new” when the mechanical integrity records show increasing failure or wear out. Each piece of equipment has failure modes that can be detected by observation, diagnostics or tests. These failure modes can result in degraded conditions or complete failure of the equipment. Pass/fail criteria determine when the failure mode results in the equipment not being capable of operating as needed.

MI records document the acceptability of equipment operation. The as-found condition provides evidence of the equipment operation at the initiation of the MI activities. If the as-found condition meets the pass/fail criteria, the equipment is operating as intended and the equipment is said to “pass” the inspection or test. Well defined pass/fail criteria ensure that the as-left condition supports equipment that can be considered “as good as new” when returned to service. As an example, the specified as-left tolerance for an instrument may be tighter than the pass/fail criteria applied to the as-found reading, to allow for expected drift during the operating cycle. The expectation is that the as-left condition will support operation within specification until the next scheduled proof test.

6.7.1 Identifying failure modes

Failure mode is defined as the observed manner of failure. Generally this observation involves determining that some function of the equipment has been lost or that a degraded condition exists. It is most convenient to think of a failure mode as a loss of a particular function provided by the equipment. Most equipment has multiple functions; therefore most equipment has several failure modes. With respect to SIF, these failure modes may be considered safe, i.e. the failure causes the process to be placed in a safe state, or dangerous, i.e. the equipment fails to operate when there is a process demand. Whether a specific failure mode is safe or dangerous is highly dependent upon the process and the SIS design. For instance, a transmitter does not know whether high or low flow represents a hazardous condition. If the failure results in a high output on a low trip or a low output on a high trip, the failure is dangerous. Conversely, if the failure results in a high output on a high trip or a low output on a low trip, the failure is safe. Even with a switch contact, safe and dangerous take on different meanings for energize-to-trip and de-energize-to-trip. Where increased ventilation or fire water pumps are required, the switch failing open is dangerous.


Once the failure modes for a specific application have been determined, improvements to both safety and reliability can be gained if diagnostics coupled with appropriate architectures are properly employed. Diagnostics help to reduce the number of undetected failures that can occur by alerting the operating and maintenance personnel that repairs need to be made. It should be recognized that diagnostics are themselves acting as protection for the equipment and may also be prone to undetected failures. This propensity is dependent upon the particular diagnostic. Any time that diagnostics are being used to enhance the SIS performance, they need to be addressed and considered in the overall MI program.

An example of a complete listing of failure modes for a remote actuated valve is included in Table 3.

Table 3 — Remote actuated valve failure modes

Complete failures:
Fail to closed position
Fail to open position
Fail to close on demand
Fail to open on demand
Frozen position
Valve rupture
Seal/Packing blowout

Partial failures:
Reduced capacity
Seat leakage
External leak
    External leak - Body/Bonnet
    External leak - Packing/Seal
Fugitive emission
Controlled variable high
Controlled variable low
Fail to hold position
Unstable control (hunting)
Responds too quickly
Responds too slowly
Excessive noise

Incipient conditions:
Body cracked
Body eroded
Body corroded
Body material wrong
Guide fouled
Guide galled
Guide corroded
Guide worn
Stem fouled
Stem galled
Stem corroded
Stem bent
Stem worn
Seat fouled
Seat cut
Seat eroded
Seat corroded
Seat excessive wear
Seat (soft) embedded debris
Seat (soft) overheat evidence
Seat loading mechanism dysfunctional
Spring cracked
Spring corroded
Spring fatigued
Spring rubbing
Improperly installed
Excessive vibration

(Excerpted from CCPS PERD Remote Actuated Valve Taxonomy)

6.7.2 Defining “as good as new”

Once facilities are commissioned and placed into operation, equipment and systems begin to wear out due to a variety of mechanisms. Like other facility equipment, SIS equipment is maintained under the MI program. For SIS, a rigorous MI program, with the subsequent reliability data collection and analysis, is necessary to ensure that the equipment is maintained in the “as good as new” condition and meets the design functionality defined in the SRS. MI procedures define the inspection, preventive maintenance and proof test activities necessary to assure the equipment integrity and to determine when equipment requires replacement or upgrade. As reliability data is captured and analyzed, inspection, preventive maintenance and proof test procedure intervals may be adjusted. Inspection and preventive maintenance should be sufficient to ensure equipment is not run to failure, to identify potential failures, and to prevent dangerous failure.

6.7.3 Detecting wear out

When wear out occurs, the SIS may not provide the expected level of protection. The lifecycle assumes that equipment will be maintained in a manner that assures it remains in its useful life, where the failures occur on a random basis. Wear out can be identified by monitoring equipment at a frequency that is sufficient to detect an increase in failures over time. When the number of reported equipment failures trends upward, wear-out is a likely cause. An increased failure rate would indicate that action should be taken to repair or replace the ageing equipment; otherwise other means of protection should be implemented to address potential risk gaps. The mean time between work orders or the frequency of diagnostic alarms can also be examined. A short mean time between work orders or a high diagnostic alarm rate would indicate wear out or some other failure mechanism that requires further investigation and resolution.

6.7.4 Defining as-found/as-left

Most MI personnel recognize the need to document the results of the proof tests as they move through the testing process. What is sometimes overlooked is to document the as-found/as-left conditions. The as-found condition is the initial state of the equipment prior to any corrective action or preventive maintenance activity. The as-left condition is the final state of the SIS equipment after MI activities have been completed.

As-found information is critical to understanding the actual degradation or failure rate of the equipment. For a successful test, it documents that the SIS equipment successfully achieved design intent. As a general rule, if hardware must be repaired or replaced, or settings/configuration must be changed, record the original state or value before making the change. When the as-found condition does not meet the design intent, corrective action should be taken and previous MI history should be reviewed to see if the problem has occurred previously. If so, a root cause analysis should be conducted so that changes to the design or MI plan can be identified to reduce the likelihood of re-occurrence.

The as-left condition should indicate that the equipment is in its “as good as new” condition and ready to return to service. Documenting the as-left information serves several purposes. It formally records the state that the SIS equipment was left in after testing. When the SIS equipment is being returned to service, this documentation provides a good crosscheck against the as-found information to verify that SIS equipment is operating as required.

Examples of typical forms used to document “as-found/as-left” are included in Annexes E through H.

6.7.5 MI documentation

As part of the MI program within process safety management, regulatory agencies require as-found/as-left conditions to be documented as part of any inspection or test in accordance with written procedures. The following information generally represents the minimum information required for SIF and systems:

date of inspection or test

name of the person who performed the inspection or test

serial number or other identifier of the equipment on which the inspection or test was performed

description of the inspection or test performed

inspection / test results prior to any maintenance activity being performed whatsoever

documentation of work performed (if any)

test result following any maintenance activity

While required by regulatory agencies, the intent of this documentation from a lifecycle perspective is as follows:

provide information for measuring and tracking performance (refer to ISA-TR84.00.03, 5.6)

support prior use analysis of installed equipment (refer to ISA-TR84.00.04-1 Annex L)

support estimation of the equipment failure rate and probability of failure on demand (refer to ISA-TR84.00.02)

identify systematic/common cause problems that should be minimized through management system activities or taken into account in the SIL verification calculation (refer to ISA-TR84.00.02)
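The following is an added worked example, not part of this technical report and not any owner/operator's actual MI software. It applies the points of 6.7.3 through 6.7.5 to a small set of constructed proof-test records (not real plant data): a completeness check against the minimum documentation fields listed above, a mean time between work orders per device, a simple screen on the yearly failure count as the wear-out indicator of 6.7.3, and detection of as-found failures that recur in a device's history and therefore warrant root cause analysis under 6.7.4. The field names, the trend criterion, the pass marker and the sample history are assumptions chosen for illustration; the owner/operator's MI procedures define the real ones.

```python
"""MI record analysis: as-found/as-left completeness, MTBWO and wear-out screen.

Added example, not from ISA-TR84.00.03. Field names, the trend criterion
and the sample records below are assumptions for illustration only.
"""
from collections import Counter
from datetime import date

# Minimum documentation for an inspection or test (6.7.5); the names are assumed.
REQUIRED_FIELDS = ("date", "tester", "tag", "test", "as_found", "work_done", "as_left")
PASS = "pass"  # assumed marker meaning "met design intent"


def _rec(d, tester, tag, test, as_found, work_done, as_left):
    return dict(zip(REQUIRED_FIELDS, (d, tester, tag, test, as_found, work_done, as_left)))


# Constructed history for a block valve (XV-101) and a transmitter (PT-201); not real data.
RECORDS = [
    _rec(date(2008, 1, 14), "tech A", "XV-101", "full stroke", PASS, "none", PASS),
    _rec(date(2009, 1, 12), "tech A", "XV-101", "full stroke", PASS, "none", PASS),
    _rec(date(2010, 1, 11), "tech B", "XV-101", "full stroke", "seat leakage", "seat lapped", PASS),
    _rec(date(2011, 1, 10), "tech A", "XV-101", "full stroke", PASS, "none", PASS),
    _rec(date(2011, 7, 5), "tech B", "XV-101", "full stroke", "seat leakage", "trim replaced", PASS),
    _rec(date(2012, 1, 9), "tech A", "XV-101", "full stroke", "stem galled", "stem replaced", PASS),
    _rec(date(2012, 6, 4), "tech B", "XV-101", "full stroke", "seat leakage", "valve replaced", PASS),
    _rec(date(2008, 2, 4), "tech C", "PT-201", "calibration", PASS, "none", PASS),
    _rec(date(2009, 2, 2), "tech C", "PT-201", "calibration", PASS, "none", PASS),
    _rec(date(2010, 2, 1), "tech C", "PT-201", "calibration", "drift > 1% span", "recalibrated", PASS),
    _rec(date(2011, 2, 7), "tech C", "PT-201", "calibration", PASS, "none", PASS),
    _rec(date(2012, 2, 6), "tech C", "PT-201", "calibration", PASS, "none", PASS),
]


def missing_fields(rec):
    """Required fields that are absent or empty; an empty list means the record is complete."""
    return [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]


def ready_for_service(rec):
    """As-left must show the equipment restored to design intent before return to service."""
    return not missing_fields(rec) and rec["as_left"] == PASS


def _failures(records, tag):
    """Records for one tag whose as-found condition did not meet design intent, by date."""
    return sorted((r for r in records if r["tag"] == tag and r["as_found"] != PASS),
                  key=lambda r: r["date"])


def mtbwo_days(records, tag):
    """Mean days between consecutive corrective work orders (as-found failures).
    Returns None when fewer than two work orders exist for the tag."""
    dates = [r["date"] for r in _failures(records, tag)]
    if len(dates) < 2:
        return None
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    return sum(gaps) / len(gaps)


def failures_per_year(records, tag):
    """Failure count for every year in which the device was tested (zero years included)."""
    counts = {r["date"].year: 0 for r in records if r["tag"] == tag}
    for r in _failures(records, tag):
        counts[r["date"].year] += 1
    return counts


def wear_out_suspected(records, tag, min_failures=2):
    """Screen: the latest year's failures are at least min_failures and exceed the mean
    of all earlier years. True is a prompt to investigate, not a verdict."""
    counts = failures_per_year(records, tag)
    years = sorted(counts)
    if len(years) < 3:
        return False
    last, prior = counts[years[-1]], [counts[y] for y in years[:-1]]
    return last >= min_failures and last > sum(prior) / len(prior)


def recurring_failures(records, tag):
    """As-found failure descriptions seen more than once: root cause analysis candidates."""
    seen = Counter(r["as_found"] for r in _failures(records, tag))
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    for tag in ("XV-101", "PT-201"):
        print(tag, "MTBWO days:", mtbwo_days(RECORDS, tag),
              "failures/yr:", failures_per_year(RECORDS, tag),
              "wear-out suspected:", wear_out_suspected(RECORDS, tag),
              "recurring:", recurring_failures(RECORDS, tag))
```

On this constructed history the valve shows a rising yearly failure count and a recurring "seat leakage" as-found condition, which is exactly the combination 6.7.3 and 6.7.4 say should trigger repair-or-replace decisions and a root cause review; the transmitter shows a single, non-recurring drift and is not flagged.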

6.8 Developing validation plan and procedures

Process Control, Operations, Design Engineering, and Maintenance personnel are involved in developing the validation plan and procedures. SIF validation (sometimes referred to as a Site Acceptance Test, “SAT”) is intended to demonstrate through inspection and functional testing that the SIF, as installed, meets all aspects of the SRS before any operation of the process equipment for production purposes begins. Validation provides proof that the SIS, including those utilities and diagnostics required for the system or function to perform as required, meets the SRS intent, is installed in accordance with the construction, installation and detailed engineering requirements, and is ready for process equipment start-up. It is generally witnessed by process control and production (or manufacturing) representatives. Although validation is often considered an inherent part of the project implementation and construction phases, this activity also provides an opportunity for facility personnel to become familiar with the operation of SIS equipment and its actions prior to the facility commencing full operation.

SIF validation can only be performed after all mechanical, electrical, instrument, SIS and supporting utilities have been installed. Validation or functional test of the SIF is performed by simulating the process and watching for the proper response of the logic solver and field equipment. The validation is a “whole loop” test using the actual field sensors, logic solvers and final elements (e.g., pressure transmitters, block valves, pumps, air supplies, etc.). It is normally performed once unless there is a fundamental change to the process design or significant modification of the SIS.

Validation completion establishes the date from which individual SIS equipment or segment proof tests are scheduled. Validation records provide the baseline for subsequent revalidations or proof tests. As such, strict adherence to the testing protocols is required, with appropriate supervision and signature approval to confirm that the system is complete and ready to operate. Any deviations need to be managed according to the validation plan.

6.8.1 Validation plan development

A successful SIF validation is a culmination of many related steps throughout a project process. A validation plan ensures these steps are completed as required. The validation plan should identify the related steps and step execution timing, outlining the required resources, the expected level of involvement of each participant, the protocol to be followed during the inspection or test, the order in which the SIS or SIF segments are to be tested, and the scope of each test. The plan should also define how and to whom failures should be reported, as well as how they will be resolved. Annex L – Example validation plan provides an example of a validation plan.

To support any validation plan development, it is necessary to have the safety requirement specification and detailed design information, including but not limited to:

instrument specification sheets,

logic flow diagrams or Boolean drawings for application program testing,

cause and effect matrices and loop drawings for maintenance troubleshooting, and

SIF I/O and set point list.


This information should be consistent and accurate, and one set of documentation should be considered as master for validation execution.

It is also necessary to have inspection procedures, test procedures and pass fail criteria documented for each activity. Annexes E through I give specific examples for each activity.

When planning site validation, it is essential that the discrete activities do not undo previous work. A test should not be negated by subsequent alterations due to construction, commissioning or other activities that follow completion of the test. Field clean-up of deficiencies found during the commissioning / loop check phase should be repaired prior to start of validation. This reduces the potential for unforeseen delays during the validation execution.

6.9 Developing Factory Acceptance Test (FAT), commissioning, and Site Acceptance Test (SAT) procedures

Engineering, Construction, and Maintenance personnel have significant roles and responsibilities in executing the FAT, commissioning the SIS, and conducting validation (SAT). These activities should be conducted in a logical and organized manner to minimize the probability of human error or equipment damage and to ensure rigorous testing and validation is completed.

6.9.1 Factory Acceptance Test

An FAT is not required by IEC 61511-1; Clause 13, which covers the FAT, is the only informative clause in Part 1. The FAT may be conducted on any portion of an SIF or on the entire SIS, and it may rely on simulated inputs using switches and analog dials, or on simulation software. The user may elect to perform only the Site Acceptance Test. In general, FATs are conducted on vendor-packaged systems, hardwired panels, and PE logic solvers. An FAT is routinely performed for programmable electronic (PE) systems, where it may involve an integrated test of the SIS logic solver and the BPCS. The FAT verifies the ability of the BPCS to communicate with the SIS logic solver, the security of that communication, and its ability to meet the SRS. Additionally, PE hardware, firmware, and the application program may be tested before installation and commissioning in the field.

An FAT is a test performed in a controlled setting, usually at the manufacturer, integrator, or engineering contractor location. The FAT is a series of tests performed by the system supplier, as required by the customer, to ensure the system meets design specifications and was built with the required integrity. The FAT verifies that the supplier is providing SIS equipment that functions according to the SRS, the application program specification where applicable, and other contracted documents. During the FAT, the owner/operator is generally an observer.

Some manufacturers and users may wish to break the FAT into phases or distinct tests performed at different times. Some typical FAT phases are:

1) Hardware Factory Acceptance Test (HWFAT) is the test of SIS equipment, panels, I/O, power supplies, panel grounding and related equipment at the supplier’s facility to ensure that the SIS equipment has been installed and wired according to specification and that there are no faulty devices. Fault injection testing on the hardware can also be performed at this time to ensure proper operation with respect to redundancy and safe failure modes. Depending on system architecture and capabilities, the final software configuration may or may not need to be loaded in the logic solver. This type of test suits systems whose hardware and software can be tested independently of each other: the hardware can be tested earlier in the project lifecycle and delivered to the field earlier, potentially shortening the construction schedule. This concept is not unique to SIS and can also pertain to the BPCS.

2) Application Program Factory Acceptance Test (APFAT) is the formal testing of the configuration in the SIS to ensure that it conforms to the SRS, cause and effect diagram or logic narrative. Trips, resets, alarms, bypasses as well as graphics and all modes of operation are tested. Fault injection testing, voter degradation and other items described in the SRS are tested. This may be done using physical devices to simulate field I/O or software simulation techniques, depending on the capabilities of the system. The advantage of this type of test is that it allows the application program configuration to be tested independently of the project hardware, and it can typically be performed later in the project lifecycle, allowing for a more complete definition. This concept is not unique to SIS and can also pertain to the BPCS.

3) Integrated Factory Acceptance Test (IFAT) is the formal testing of the SIS and BPCS simultaneously so that combined actions result in the desired safe automation of the process facility. This test may or may not require all or part of the SIS and BPCS hardware to be present, depending on system(s) capability. An SIS may have secondary non-safety actions or trips performed in the BPCS to aid Operations in restarting the unit after a trip. For example, a typical action may be putting a control loop in manual and moving the control valve to the safe state upon the trip of an SIF. Another example would be ensuring the BPCS cannot move its control valve when the SIS has final control of the device. This test is performed prior to the configuration being installed in the field. The advantage of this type of testing is to expedite field commissioning by minimizing configuration errors.
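The APFAT description above names trips, resets, bypasses, fault injection and voter degradation as items to be exercised, and the HWFAT description names fault injection against redundancy. The following added example, which is not part of this technical report and not any logic solver vendor's code, models in plain Python the behaviour such a test sequence checks: three transmitter channels vote 2oo3 on a high trip set point; a channel whose diagnostic reports a fault (an out-of-range current, in the manner of NAMUR NE 43 failure signalling) or that is placed in maintenance bypass is dropped from the vote, and the voter degrades 2oo3 to 1oo2 to 1oo1 and finally to the safe state; and a latched trip refuses an operator reset while the demand is still present. The tag names, the 0..300 psig range, the 250 psig set point, the mA values and the degradation policy are all assumptions chosen for illustration; a real SRS specifies them.

```python
"""Degrading 2oo3 voter, trip latch and a scripted FAT fault-injection sequence.

Added example, not from ISA-TR84.00.03 or any vendor. Tags, ranges, set point,
signal values and the degradation policy are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    tag: str
    lo_eu: float  # engineering value at 4 mA
    hi_eu: float  # engineering value at 20 mA


# Assumed: three pressure transmitters, 0..300 psig, high trip at 250 psig.
CHANNELS = (Channel("PT-101A", 0.0, 300.0),
            Channel("PT-101B", 0.0, 300.0),
            Channel("PT-101C", 0.0, 300.0))
TRIP_SP = 250.0


def channel_fault(ma: float) -> bool:
    """NE 43 style failure signalling: a detected transmitter fault is reported by
    driving the loop current below 3.6 mA or above 21.0 mA."""
    return ma < 3.6 or ma > 21.0


def to_eu(ch: Channel, ma: float) -> float:
    """Linear 4-20 mA to engineering units."""
    return ch.lo_eu + (ma - 4.0) / 16.0 * (ch.hi_eu - ch.lo_eu)


def vote(readings_ma, bypassed=frozenset()):
    """Return (trip, mode, alarms) for one scan.

    Assumed policy: bypassed or faulted channels leave the vote; 3 healthy
    channels vote 2oo3, 2 vote 1oo2, 1 votes 1oo1, none -> trip to safe state.
    Every removed channel raises an alarm so the operator sees the degradation.
    """
    votes, alarms = [], []
    for ch, ma in zip(CHANNELS, readings_ma):
        if ch.tag in bypassed:
            alarms.append(f"{ch.tag} bypassed")
        elif channel_fault(ma):
            alarms.append(f"{ch.tag} diagnostic fault ({ma:.1f} mA)")
        else:
            votes.append(to_eu(ch, ma) >= TRIP_SP)
    mode = {3: "2oo3", 2: "1oo2", 1: "1oo1"}.get(len(votes), "0oo0")
    if not votes:
        return True, mode, alarms + ["no healthy channel: trip to safe state"]
    needed = 2 if mode == "2oo3" else 1
    return sum(votes) >= needed, mode, alarms


class TripLatch:
    """Latched trip output; a reset is ignored while the trip demand persists."""

    def __init__(self):
        self.tripped = False

    def update(self, demand: bool) -> bool:
        if demand:
            self.tripped = True
        return self.tripped

    def reset(self, demand: bool) -> bool:
        if not demand:
            self.tripped = False
        return self.tripped


def fat_sequence():
    """Scripted fault-injection steps; returns [(step, trip, mode)] for the test record."""
    NORMAL, HIGH, LOW_FAULT, HIGH_FAULT = 12.0, 18.0, 3.2, 22.0  # mA: 12 -> 150 psig, 18 -> 262.5 psig
    none = frozenset()
    steps = [
        ("all channels normal", (NORMAL, NORMAL, NORMAL), none),
        ("one channel above SP", (HIGH, NORMAL, NORMAL), none),
        ("two channels above SP", (HIGH, HIGH, NORMAL), none),
        ("A faulted low, others normal", (LOW_FAULT, NORMAL, NORMAL), none),
        ("A faulted, B above SP", (LOW_FAULT, HIGH, NORMAL), none),
        ("A and B faulted, C normal", (LOW_FAULT, HIGH_FAULT, NORMAL), none),
        ("all three faulted", (LOW_FAULT, HIGH_FAULT, LOW_FAULT), none),
        ("B bypassed, A faulted, C above SP", (LOW_FAULT, NORMAL, HIGH), frozenset({"PT-101B"})),
    ]
    return [(name, *vote(readings, byp)[:2]) for name, readings, byp in steps]


def latch_sequence():
    """(still tripped after reset with demand present, tripped after reset once demand clears)."""
    latch = TripLatch()
    latch.update(True)
    return latch.reset(True), latch.reset(False)


if __name__ == "__main__":
    for name, trip, mode in fat_sequence():
        print(f"{name:36s} mode={mode:5s} trip={trip}")
    print("latch (reset under demand, reset after clear):", latch_sequence())
```

Each step of the sequence records the voting mode alongside the trip result, which is what the FAT record needs: a degraded mode that still trips on a single remaining high channel, and a refused reset under demand, are pass results, while a silent loss of a channel with no alarm would be a discrepancy to punch-list.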

The above FAT phases are typically conducted wherever there are more resources available to rigorously test and correct operational issues if needed. Performing the work at the factory generally provides an economic benefit to the project in terms of scheduling and less rework in the field, which is more costly. The four (4) main objectives of the FAT are stated in Table 4. Each objective is further divided into specific goals that should be considered in developing the FAT procedure.


Table 4 — FAT objectives and associated goals

Objective (1): Supplier site hardware and system checkout, sometimes referred to as the HWFAT
  Goals: verify supplier tests were completed; test and verify all SIS equipment/components before field installation; establish a basis in case problems/defects show up in the field; minimize product defects and manufacturing errors; ensure the system will perform its safety shutdown functions on demand; reduce start-up and commissioning time.

Objective (2): SIS configuration checkout, sometimes referred to as the SWFAT
  Goals: test and verify all design and SIS configuration work before field start-up/commissioning; ensure that Engineering Support and Operations personnel agree that the SIS configuration meets the application requirements; reduce start-up and commissioning time.

Objective (3): "Open" SIS, sometimes referred to as the IFAT
  Goals: prove that there are no compatibility issues with the integration of the SIS with non-SIS supplier-specific hardware or application programs; test the performance of the SIS and all non-SIS supplier-specific hardware and application programs in their control environment; test and verify all SIS equipment/components before field installation; establish a basis in case problems/defects show up in the field.

Objective (4): Training
  Goals: train operating and support personnel before field installation; train key operating personnel before start-up and commissioning; reduce start-up and commissioning time.

The tests listed below can be a specific sub-set of the supplier's standard tests. These tests are not intended to eliminate any of the supplier's standard tests, but to specifically highlight typical tests conducted as part of an FAT.

inventory the hardware items in the system, point out any discrepancies at the start of staging, and find out when these items will arrive. The FAT should only be conducted if a fully functional system can be tested. Verify all the items purchased function properly, including each type of I/O card, HMI equipment, and other items such as printers. After the FAT is successfully completed and accepted, the owner/operator periodically performs hardware and application program testing.

physically inspect the hardware. Inventory and system layout must be checked against the specification. The I/O wiring and layout should be checked. The HMI and related system hardware integration should also be inspected.

validate communications through the various levels of the SIS to the HMI. The following need to be checked for integrity:
  internal logic solver communication
  I/O module to logic solver communication
  intra-module communication network
  logic solver network to HMI network server communications
  HMI network communications (such as Ethernet)
  printers
  modems
  when a historian is included in the scope, communication to the historical data logger, as well as proper communication on redundancy failure for any of the above communication protocols that are implemented with redundancy

validate proper operation of the power supplies as well as the distribution wiring. The following need to be checked for integrity:
  module power supply
  I/O power supply
  proper I/O card failure
  proper control card failure
  logic solver battery power backup
  I/O module redundancy
  SIS grounding integrity

for an instrumented system that has segregated safety layers, inspect, test out, and verify that module power and I/O power are installed in accordance with the requirements documented in the equipment safety manual.

for an I/O power supply that does not have a built-in system alarm on loss of power, confirm the external signal wiring (e.g., as a 24 VDC discrete input or voltage input) into the control system and verify the alarm.

perform an SIS hardware and operating system software check versus the SRS to the extent necessary to prove correct functionality. I/O channels need to be tested with proper simulation panels and equipment. The I/O test needs to be conducted with signal generators and the original termination units in place.

give special attention to observing and recording events or discrepancies in the area of system reliability and designed redundancy functions. If any system component failure does not generate automatic failure reporting to the operator, it needs to be recorded and resolved with assistance from the supplier. If proper "fail-over" to the backup component does not occur automatically within a designed redundancy, a discrepancy report with proper punch listing needs to be documented for a root-cause analysis and final resolution.

confirm proper operation of the HMI and Engineering Work Station (EWS). The EWS is defined as the main configuration station that has application program and I/O configuration capability. Occasionally, the EWS also has HMI console capability.

Site Integration Test (SIT) is the formal testing of the ability of the SIS and BPCS to be able to properly communicate with each other once those systems have been installed in the field. It also can include any third party systems that need to interface with the BPCS.

6.9.2 Installation and commissioning

After the SIS equipment is delivered to the site and has been installed, it needs to undergo the appropriate inspection and commissioning processes before validation (or Site Acceptance Test) can be completed. Figure 8 provides an illustration of the conceptual work process.

Typically, physical inspection is the first task to be performed once an instrument is turned over from construction. Physical inspections need to be documented to provide evidence of what was checked and whether the device passed or failed. It is recommended that field inspection reports be filled out for every piece of instrumentation. Failed equipment needs to be repaired or replaced before proceeding to commissioning. Physical inspections need to be performed prior to commissioning, as improper physical installation may require removal or alteration of the instrument and therefore would require “re-commissioning” the instrument. In some cases, physical inspections may be performed on skidded equipment while still at the supplier's site, if appropriate. Physical inspections done at supplier sites should be spot checked once the equipment is permanently installed at site, to ensure no damage was done during transportation.

Commissioning is intended to ensure the wiring is landed on the proper termination point and to verify the overall integrity of the loop from field device, through I/O modules, logic solver, and to the HMI operator console displays as well as the final elements. Commissioning activities include:

all hardware properly installed according to manufacturer's requirements

check of all installed hardware according to system drawings

proper installation of computers/workstations

check of all diagnostic systems statistics

routing of cables and wires verified for proper AC/DC segregation

ensuring all cables and wires are properly supported

ensuring all cable connectors are secure and relieved of stress

ensure wiring is landed on the proper termination and verify overall wiring loop integrity for all field instrumentation

verify proper crimping and perform a tightness check

verify proper instrument range by use of a calibration check (field check)

verify proper labeling and identification as SIS equipment

verify engineering units, tag name, and diagnostics, etc. of each instrument according to specification

verify SIS input range is in agreement with field instrumentation and specification

verify and confirm proper operation of the instruments, sensors and final elements according to supplier and specifications

verify proper installation of air supplies

verify proper grounding by visual inspection and perform grounding test

verify proper freeze protection

verification that HMI system network topology is installed according to design drawings

verification of security settings for field and SIS devices (e.g., password protection or jumpers)

The emergency back-up power (e.g., uninterruptible power supply (UPS), battery banks, auxiliary generation, transfer switch, etc.) should be fully tested to confirm that it:

provides adequate bumpless power to all appropriate devices

prevents loss of critical data parameters

retains the SIS application program

provides adequate time for the operating personnel to place the facility in a safe mode in case of extended power interruptions

UPS circuit labeling should be checked for correctness so that no undue load is placed on the UPS by non-critical devices being plugged into UPS outlets.


Backup generator systems should be tested to work in conjunction with the UPS system to provide adequate power coverage.

All backup power systems should be verified to provide appropriate alarms and diagnostics. The interfaces between the SIS and the back-up power systems need to be functionally checked to the greatest extent possible. Functionality tests should be initiated at the back-up power system while observing proper operation of the SIS. It is not acceptable to lift interface wires. The goal is to test the system as a whole to the greatest extent possible.

The piping and instrumentation diagrams (P&IDs) or cable/instrument schedules can be used as a record of equipment checked. Proper documentation of commissioning should be stored on a loop-by-loop basis and become a permanent record at the site.

6.9.3 Validation completion (Site Acceptance Test)

Validation can be completed once the SIS equipment installation, inspection and commissioning are confirmed. Validation is sometimes referred to as the Site Acceptance Test (SAT). Validation demonstrates that all installed SIS equipment fully meets the SRS. In executing validation, emphasis should be on completing the functional testing of each SIF to demonstrate its operation according to the SRS, not on correcting deficiencies. It is expected that most, if not all, deficiencies have been identified during earlier verification activities, such as the FAT, field equipment installation, inspection, commissioning and loop checks. If these earlier verification activities are thoroughly performed, validation should progress smoothly and on schedule.

When the scope of functional testing of each SIF is determined for inclusion in the validation, consideration should be given to logical testing already performed during the FAT. Each SIF should be proven to be functional regardless of the FAT; however, extensive testing of all possible combinations of voting conditions that can activate a SIF may not be necessary as part of the validation if there is good documentation in place that records the testing results of the relevant logical configurations during the FAT and effective MOC of the logic solver configuration can be demonstrated from the time that the FAT was completed.

The overall project plan should include the SIS design and construction activities impacting on-site validation requirements. These activities include:

Factory Acceptance Test

SIS equipment installation and commissioning

Various aspects of the SIS should be tested and confirmed as a part of validation, including but not limited to the following:

set points and ranges,

status of sensors and final elements,

operator interface,

diagnostic indications, such as out of bounds, deviation, or not in commanded state,

indication of any automated logic changes, such as voting degradation or fault handling,

indication of where the process is in its sequence, if applicable,

indication that an SIF has taken action,

indication of SIF bypass,

operation of manual shutdown facilities,

operation of resets,

indication of SIS support system loss,

failure of environmental conditioning equipment, which supports the SIS,


response time, and

criticality requirements, such as valve shutoff tightness and closure speed.

All auxiliary systems associated with the SIS need to be checked with the appropriate rigor and thoroughness. Examples of auxiliary systems are:

controls or control systems external to the main SIS

Foreign Device Interfaces between the SIS and an external party

stand alone historian data collecting devices

billing systems either internal to the logic solver or external systems

callout systems for unmanned plants

remote access

remote control

The interfaces between the SIS and the auxiliary systems must be proof tested to the greatest extent possible. Proof tests should be initiated at the auxiliary system while observing proper operation of auxiliary system and the SIS inputs and responses. It is not acceptable to lift interface wires. The goal is to test the system as a whole to the greatest extent possible.

Testing should be performed to ensure design intent of the auxiliary system failure modes and the failure modes of the interface signals to the SIS. Normally these auxiliary systems and interfaces are designed fail safe. Testing for fail safe functionality may include loss of power, loss of instrument air, loss of communications, loss of interface wiring, etc.

The outcome of a successful validation provides an auditable documentation trail, which proves that the designed and constructed SIS operates according to the SRS and equipment specification. Discrepancies identified during validation should be corrected and tracked to completion. Documentation should incorporate signoff sheets identifying the personnel who conducted tests or served as verifiers for various work activities.

When the SIS is approved for service, site safety, permitting, and facility management of change procedures for in-service systems will apply. Validation approval indicates that necessary parties agree that the SIS operates as required in the operating environment and is ready for the process unit startup. Documentation should include a formal notice of turnover to the site management.

Note that completion of the SIS validation does not approve the SIS for handover to Operations on its own. A Stage 3 Functional Safety Assessment and a Pre-Startup Safety Review are required to be completed prior to handover.


Table 5 — Validation roles and responsibilities

The following roles and responsibilities relating to SIS validation are listed as a recommendation for its completion.

SIS Specialist/Engineer
  Responsibility: Overall responsibility for planning and executing the SIS validation and ensuring that it is completed with appropriate documented results.
  Qualifications: Sufficient experience and training in working on SIS related projects/equipment. Possesses a detailed understanding of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).

Construction or Maintenance Supervision/Technician
  Responsibility: Represent the owner of the SIS in confirming that all validation activities are effectively carried out.
  Qualifications: Sufficient experience and training in working on SIS related projects/equipment. Possesses a working understanding of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).

Independent Reviewer
  Responsibility: Performing a peer review along with the SIS engineer to make a general judgment that the validation plan is appropriate and that the evidence of completion provided is sufficient.
  Qualifications: Sufficient experience and training in working in a related job role (Instrumentation, Process, and Process Safety Management). Possesses an awareness of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD). Independent of the project team and should have had no involvement in its execution.

Management Team Representative
  Responsibility: Approval of the individuals that will be performing the above three roles as they relate to this specific project. This approval is to confirm that these individuals have sufficient experience and professional standing to undertake these responsibilities.
  Qualifications: Sufficient experience in the industry. Possesses a basic awareness of ANSI/ISA-84.00.01-2004 (IEC 61511 MOD).


Figure 8 — Validation flowchart

[Flowchart; image not reproduced. Columns: Utilities, BPCS / SIS, Instruments. Stages, top to bottom: "Inspection, Loop Check and Commissioning", "Validation", and "Functional Safety Assessment Stage 3 Prior to Start Up". Boxes in the inspection and commissioning stage: Visual Inspection of Devices; Loop Checking; Control/Safety System Visual Inspection; Redundancy and I/O Segregation checkout; Instrument Air/Normal Power Checkout; Checkout of Auxiliary Systems (FDI, Historian). Boxes in the validation stage: Backup/Redundant Power Checkout (UPS, diesel generator); Functional Checkout of Control Logic; Functional Checkout of Shutdown Logic; Functional Checkout of Auxiliary Systems; Site Acceptance Test (SAT), comprising validation of the SIS, each SIF, essential diagnostic alarms, non-safety critical interlocks and process alarms. End state: System Ready For Start Up.]


7 References

Health and Safety Executive, Findings from Voluntary Reporting of Loss of Containment Incidents 2004/2005, Hazardous Installations Directorate, Chemical Industries Division, St Anne's House, Bootle, UK, 2005.

ANSI/FCI 70-2-2006, Control Valve Seat Leakage.

ANSI/ISA-84.00.01-2004 (IEC 61511 Modified), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, www.isa.org.

API 598, Valve Inspection and Testing, Ninth Edition, American Petroleum Institute, 2009.

CCPS, Process Equipment Reliability Database (PERD), American Institute of Chemical Engineers, Center for Chemical Process Safety.

IEC 60534-4, Industrial Process Control Valves, Part 4: Inspection and Routine Testing.

ANSI/ISA-84.91.01-2012, Identification and Mechanical Integrity of Safety Controls, Alarms, and Interlocks in the Process Industry, Research Triangle Park, NC, www.isa.org.

ISA-TR84.00.02-2002, Parts 1-5, Safety Instrumented Functions (SIF) Safety Integrity Level (SIL) Evaluation Techniques Package, www.isa.org.

ISA-TR84.00.03-2002, Guidance for Testing of Process Sector Safety Instrumented Functions (SIF) Implemented as or Within Safety Instrumented Systems (SIS), www.isa.org.

ISA-TR84.00.04-2011, Guidelines on the Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Modified), Research Triangle Park, NC (2006), www.isa.org.

NAMUR NE 43, Standardization of the Signal Level for the Breakdown Information of Digital Transmitters.

NFPA 86, Ovens and Furnaces, National Fire Protection Association, 2003 Edition.

NFPA 70E, Standard for Electrical Safety in the Workplace, National Fire Protection Association, 2012 Edition.


Annex A — Example training documentation

SIS related training should be part of an individual's comprehensive training plan and should be tracked through the operating facility's training documentation and management system, as shown in Figure A.1 below. The first document shows how one company records training in an electronic database to track the training of each individual. The second example shows a checklist used for performing and documenting the training. The checklist identifies the training required, and as the trainee completes the training, a trainer signs off that the tasks have been completed.

Form A.1


Form A.2 — Training documentation and process

The following NOTES apply to all tasks.

1. Circling perform or simulate [P, S] must indicate the method of accomplishment for each skills demonstration. Skill demonstrations that are provided with a [P] only must be performed.

2. Initialing of a task certifies the person for INDEPENDENT operation.

3. The person initialing the successful completion of the knowledge requirements must be a qualified craft technician, supervisor or other knowledgeable personnel.

Columns: TASK # | TASK STATEMENT | REFERENCE | (P/S) | INIT

TASK 1 DRAW the following instrument symbols: a) Pneumatic signal lines; b) Electrical/electronic signal lines; c) Control room mounted instrument/field mounted instrument. (P/S)

TASK 2 DRAW a closed loop flow control system, naming the components and showing proper symbols for each component. (P/S)

TASK 3 CALIBRATE a pneumatic controller that has proportional plus reset action. (P/S)

TASK 4 CALIBRATE a magnetic flow transmitter. (P/S)

TASK 5 CALIBRATE/ADJUST/REPAIR a Varec. (P/S)

TASK 6 CALIBRATE/ADJUST/REPAIR an interface level. (P/S)

TASK 7 CALIBRATE/ADJUST/REPAIR a level transmitter loop. (P/S)

TASK 8 CALIBRATE a SMART transmitter. (P/S)

TASK 9 PERFORM the following to the SIS PLC system: (P/S)
- EXPLAIN the purpose
- STATE the inputs and outputs of the SIS PLC system
- Using the PLC operating instructions, ACCESS data in the PLC to determine the source of a problem
- IDENTIFY and REPLACE a failed board
- COPY error codes and fault details to diskette
- PERFORM functional checkout

TASK 10 CALIBRATE the following transmitters: (P/S)
- Differential pressure
- Pressure

TASK 11 PERFORM an SIS bypass. (P/S)

TASK 12 (P/S)
- COMPLETE bypass authorization form
- EXPLAIN the different levels for bypass approvals
- STATE the location of an active SIS bypass form
- STATE the location of a completed (inactive) bypass form
- Using the corporate SIS document as a reference, STATE the acceptable reasons for bypassing an SIS


TASK 13 PERFORM the following SIS valve performance tests: (P/S)
- TIMING TEST
- BUBBLE TEST
- FUNCTIONAL TEST (what is the content of this test?)
- EXPLAIN the purpose of each of the above tests
- STATE the location of the test sheets
- Using a test sheet, EXPLAIN the performance parameters for the respective test

1st Attempt ________ 2nd Attempt ________ 3rd Attempt ________

______________________ / ________
Evaluator / Date

Trainee has successfully completed all performance evaluation requirements, and is approved to perform this task INDEPENDENTLY.

______________________ / ________
Trainee / Date


Annex B — Example demand logs

A demand occurs when a process deviation results in the need for the SIS to take action to achieve or maintain a safe state. Demands should be recorded and tracked so that their frequency can be compared to the assumptions in the process hazards analysis. Repeated demands often indicate a reliability problem with the SIS or the operating procedures. Repeated demands should be investigated and actions taken to reduce the frequency where possible. This annex provides examples of demand logs. Users may develop other log sheets or reports incorporating similar information or use other forms of documentation to record and track demands.

Form B.1 — Demand log

Facility ______________________ Plant ______________________

SIF ID # (e.g., loop number or description) ____________________

Demand start date: _____________ Start time: _____________

Demand end date: ______________ End time: _____________

SIS type involved (circle applicable type): Shutdown – go to (1); Permissive – go to (2); Auto-Start – go to (3)

1) Shutdown info

Did shutdown function? Yes No (Circle one)

Did process variable reach or exceed setpoint? Yes No (Circle one)

Comments:

2) Permissive info

Did permissive function correctly? Yes No (Circle one)

If no, circle one of the following:

Permissive failed to prevent unsafe state

Permissive spuriously initiated action

Comments:

3) Auto-start info

Was system supposed to start? Yes No (Circle one)

Did system start? Yes No (Circle one)

Did system start on first attempt? Yes No N/A (Circle one)

Did system start within defined time criteria? Yes No N/A (Circle one)

Comments:


Form B.2 — Demand log

Distribution list: SIS Specialist: ______________ Operations Manager: ______________

Columns: Operator | Date and Time of Event | Instrument Loop Number(s) | Service | Process Area | Sub-Area | Batch No | Initiating Event | Comments

Example entry:

Operator: John Doe

Date and Time of Event: 8/21/2007 14:08

Instrument Loop Number(s): 206LSLL and 207LSLL

Service: Boiler #1 Steam Drum Low Level Switches

Process Area: Power House

Sub-Area: Boiler #1

Batch No: N/A

Initiating Event: While swapping boiler #1 to boiler #2, operator lined up the wrong blowdown valve, which dropped the level in boiler #1, causing trip

Comments: See Data Historian and SOE Log for 8/21/2007


Form B.3 — Trip investigation report

Distribution list: SIS Specialist: Operations Manager:

SIF tag number or loop ID: Plant ID:

SIF description:

(If there is a documented SRS provide document reference)

Process demand ____ Spurious trip ____

(Was there a process excursion or was it a spurious SIF failure?)

Date/Time:

Classification: ______Safety ______Environmental _____ Asset Protection

Trip caused by: Check all that apply

- Process upset
- Control failure
- Operator error
- Equipment failure
- Lightning
- Wind
- Ground movement
- Loss of containment detection
- Fire
- Explosion

(What caused the process to shut down or to be interrupted?)

Did all of the SIS equipment operate as designed? yes no

If no, fill out a failure report for any equipment that did not function properly.

Plant restart Date/Time

Estimate cost of the trip based on business interruption or lost production:

Estimate equipment damage costs:

If trip was due to failed equipment, has a failure report been completed? yes no

Considering the impact of the trip, are there any recommendations to prevent future occurrence?

Information used in analysis:

(Attach DCS trends, alarm journals, first out, sequence of events logs, manufacturer failure reports)

Comments:

Assessment led by: Date:

(Process Automation/Control System Engineer)


The following form shows how the individual demand reports in B.1 through B.3 can be summarized for reporting to the management team.

Form B.4 — SIF demand report

This form is to be maintained by the Process Automation/Control System Engineer or SIS Specialist.

Report time period

From: To:

Columns: SIF ID# | Number of trips | Actual demands (process issue) | Spurious events (reliability issue) | Remarks
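As an added illustration (not part of the technical report), the following Python rolls Form B.3-style trip records up into the Form B.4 columns and flags the conditions Annex B says warrant follow-up: demand rates above the PHA assumption, spurious trips, and equipment that did not operate as designed. The PSHH-101 tag, the assumed demand frequencies and the sample records are constructed; only the 206LSLL/207LSLL loop numbers come from the Form B.2 example.

```python
"""Roll Form B.3-style trip investigation records up into Form B.4 rows and
compare observed demand rates with the PHA assumptions.

Added example; it is not part of ISA-TR84.00.03. All record fields, the
PSHH-101 tag, the assumed demand frequencies and the sample records are
constructed; only the 206LSLL/207LSLL loop numbers come from the annex.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Form B.3 classification: process excursion vs. spurious SIF failure
PROCESS_DEMAND = "process demand"
SPURIOUS_TRIP = "spurious trip"


@dataclass(frozen=True)
class TripRecord:
    """One Form B.3 report, reduced to the fields the roll-up needs."""
    sif_id: str
    when: datetime
    classification: str             # PROCESS_DEMAND or SPURIOUS_TRIP
    sis_operated_as_designed: bool  # "Did all of the SIS equipment operate as designed?"


@dataclass
class SifSummary:
    """One Form B.4 row."""
    sif_id: str
    trips: int = 0
    actual_demands: int = 0   # process issue
    spurious_events: int = 0  # reliability issue
    remarks: list[str] = field(default_factory=list)


def summarize(records, period_start, period_end, assumed_demands_per_year):
    """Build the Form B.4 rows for one report period.

    Records outside the period are ignored. A demand rate above the PHA
    assumption, any spurious trip, and any SIS equipment that did not operate
    as designed each produce a remark, because the annex says each of those
    should be investigated or followed by a failure report.
    """
    years = (period_end - period_start).days / 365.25
    if years <= 0:
        raise ValueError("report period must be longer than zero days")
    rows: dict[str, SifSummary] = {}
    for rec in sorted(records, key=lambda r: r.when):
        if not (period_start <= rec.when <= period_end):
            continue
        row = rows.setdefault(rec.sif_id, SifSummary(rec.sif_id))
        row.trips += 1
        if rec.classification == PROCESS_DEMAND:
            row.actual_demands += 1
        elif rec.classification == SPURIOUS_TRIP:
            row.spurious_events += 1
        else:
            raise ValueError(f"unknown classification {rec.classification!r}")
        if not rec.sis_operated_as_designed:
            row.remarks.append(f"{rec.when:%Y-%m-%d}: SIS equipment did not operate "
                               "as designed; complete a failure report (Form C.1)")
    for row in rows.values():
        assumed = assumed_demands_per_year.get(row.sif_id)
        if assumed is not None:
            observed = row.actual_demands / years
            if observed > assumed:
                row.remarks.append(f"observed demand rate {observed:.2f}/yr exceeds PHA "
                                   f"assumption {assumed:.2f}/yr; investigate")
        if row.spurious_events:
            row.remarks.append(f"{row.spurious_events} spurious trip(s): reliability issue")
    return rows


def render_form_b4(rows, period_start, period_end):
    """Return the report as plain-text lines in the Form B.4 column order."""
    lines = [f"Form B.4 SIF demand report, {period_start:%Y-%m-%d} to {period_end:%Y-%m-%d}",
             "SIF ID# | Number of trips | Actual demands | Spurious events | Remarks"]
    for row in rows.values():
        lines.append(f"{row.sif_id} | {row.trips} | {row.actual_demands} | "
                     f"{row.spurious_events} | {'; '.join(row.remarks) or '-'}")
    return lines


# Constructed sample data for a 2007 reporting period.
PERIOD_START = datetime(2007, 1, 1)
PERIOD_END = datetime(2007, 12, 31)
ASSUMED_DEMANDS_PER_YEAR = {"206LSLL/207LSLL": 1.0, "PSHH-101": 2.0}  # constructed PHA figures
SAMPLE_RECORDS = [
    # The annex's Form B.2 entry (wrong blowdown valve during boiler swap), classified here
    TripRecord("206LSLL/207LSLL", datetime(2007, 8, 21, 14, 8), PROCESS_DEMAND, True),
    TripRecord("206LSLL/207LSLL", datetime(2007, 11, 3, 9, 30), SPURIOUS_TRIP, True),
    TripRecord("206LSLL/207LSLL", datetime(2007, 12, 10, 2, 15), PROCESS_DEMAND, True),
    TripRecord("PSHH-101", datetime(2007, 5, 2, 17, 45), PROCESS_DEMAND, False),
    TripRecord("PSHH-101", datetime(2006, 12, 30, 8, 0), PROCESS_DEMAND, True),  # outside period
]

if __name__ == "__main__":
    report = summarize(SAMPLE_RECORDS, PERIOD_START, PERIOD_END, ASSUMED_DEMANDS_PER_YEAR)
    print("\n".join(render_form_b4(report, PERIOD_START, PERIOD_END)))
```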


Annex C — Example failure reports

A failure has occurred when equipment is not able to perform its required function. Failures should be recorded and tracked so that their frequency can be compared to the assumptions in the process hazards analysis and the SIL verification calculation. Repeated failure is a leading indicator of inadequate mechanical integrity and should be investigated so that action can be taken to reduce the frequency of recurrence where possible. This annex provides examples of failure reporting forms. Users may develop other failure reports incorporating similar information or use other forms of documentation to record and track failures.

Form C.1 — Failure investigation report form

SIF ID #: Plant ID:

SIF description:

(If there is a documented SRS provide document reference)

Manufacturer: Software Rev #

(Firmware/application program, where relevant)

Model number: When Installed?

Failure was detected by:

- Operator
- Diagnostic alarm
- Inspection
- Proof test
- Near miss / incident

(If detected by incident, this report may accompany the near miss/incident report)

Classification: ______Safety ______Environmental _____ Asset protection

How did the equipment fail?

- Failed to operate according to specification
- Operated without cause

Where was the failure? (check all that apply)

- Part failure
- Installation
- Electrical connection
- Process connection
- Program error
- Human error
- Utility (e.g., power supply, communication)
- Design error
- Other (describe) _______________________________________________________

Describe what failed:

(Examples: Plugged process connection, over-temperature, short, power supply went bad, electronics failed)

Was the failure corrected through:

- repair
- replacement
- modification
- program fix

Was the repair/replacement “like for like”? yes no

Was the replaced equipment on the Approved Equipment List? yes no

Will the failed equipment be subjected to manufacturer/outside shop failure analysis?

(If so, forward report to Maintenance Manager and SIS Specialist)

Are there similar installations in this process unit, which should be examined for similar failure?

Comments:

(Detail any additional monitoring or precautions required?)

Assessment led by: Date:

SIS Specialist/Engineer or equivalent


Form C.2 — Transmitter failure report

Plant ID: Loop ID: Tag #:

Test date: Who tested: Test procedure #:

Previous test date: Previous failure report #:

What was the effect of the failure:

Failed to operate according to specification

Operated without cause

What caused the failure:

- Sensor
- Process connection
- Electrical connection
- Electrical contact
- Power supply
- Impulse line plugged
- Root valve/manifold closed
- Configuration
- Other (describe)

Comments:

Assessment led by: _____________________________ Date: _______________________

SIS Specialist/Engineer or equivalent

Form C.3 — Valve failure report

Plant ID: Loop ID: Tag #:

Failure date: Identified by: Test procedure #:

Previous test date: Previous failure report #:

What was the effect of the failure:

Failed to operate according to specification

Operated without cause

What parts contributed to the failure:

- Actuator
- Solenoid valve
- Body/Bonnet
- Guide
- Shaft
- Seat
- Spring
- Gasket
- Packing
- Position switch
- Airset/Air supply
- Pneumatic connection/tubing
- Pneumatic accessory (e.g. booster, quick vent, etc.)
- Power supply
- Electrical connection

Comments:

Assessment led by: _____________________________ Date: _______________________

SIS Specialist/Engineer or equivalent


Annex D — Effective procedure writing, verification and implementation

A comprehensive MI program is only useful if personnel understand the intent of the program and have the means and capability to execute its procedures as written. Procedure documentation is more than just the act of putting words on paper; it involves the systematic review of the steps required to execute a job task, including the examination of human factors and ergonomics. Procedures should be in place prior to the start-up of the process equipment and should be written with the intended audience in mind. Consideration should be given to the level of technical knowledge expected of the reader.

Procedures should provide the instructions, practices, and guidelines used for SIS equipment inspection, preventive maintenance, and testing. Procedures should be in place before process equipment is placed in service, updated before any change is implemented, and kept current throughout the SIS life. An internal practice should provide overall requirements for procedure scope and content. Each SIS should have a set of procedures covering the MI requirements unique to that specific SIS and its SIF. Separate work processes are often used for on-line versus off-line maintenance.

Inspection and test procedures should be available and should describe the work tasks in a step-by-step manner with clear pass/fail criteria. As with other procedures, the responsible personnel or departments, the required permits and notifications, the required test equipment and tools, and any appropriate hazard or safety warnings should be identified. Procedures should provide the work process steps necessary to successfully complete equipment commissioning and validation. Validation should be performed whether repair is done on-site or by the manufacturer.

Test procedures should describe any related functions, such as SIS alarms, bypass switches, manual shutdown buttons, and resets. Procedures may be modularized as desired, with procedures written for individual pieces of SIS equipment, SIF subsystems, each SIF, a set of SIF, or the entire SIS. Procedures should be comprehensive and clearly convey the work expectations and requirements. Maintenance records should be signed and dated by the person(s) conducting the work.

Those assigned responsibility for conducting work according to a test procedure should be sufficiently competent to understand and implement the procedure as written. The procedures should include an inspection of the physical installation to provide visual confirmation that equipment is in satisfactory condition. Preventive maintenance activities should also be described.

SIS equipment should be periodically proof tested to demonstrate and document that the equipment is operating according to the SRS and equipment specification. Proof tests can be performed on-line or off-line. On-line test procedures should be carefully planned, documented, and validated, because minor mistakes during on-line testing can potentially lead to process upsets or spurious trips. Off-line testing is inherently safer, but given the current trend of increasing run time between process facility turnarounds, it is becoming increasingly difficult to determine the "as good as new" equipment status without some on-line testing.

When automated diagnostics detect a fault, the SIF is configured to initiate 1) an automatic shutdown, 2) a safety alarm, or 3) a fault alarm. The required configuration is defined in the SRS and is determined by the equipment choice, the subsystem fault tolerance against dangerous failure, the nature of the failure (e.g., dangerous failure versus safe), and the availability of compensating measures. Continued operation requires compensating measures to ensure safe operation during the allowable repair time (refer to ISA-TR84.00.04 Annex P). When applicable, operating procedures should provide restrictions on the maintenance activities, e.g., prohibited during certain operating modes.

Test procedures should cover in detail how maintenance is performed safely while the process equipment is operating. A key parameter for on-line repair is the allowable repair time established in the design and operating basis. The allowable repair time is the maximum time that the equipment can be out of service before management of change activity is initiated. The management of change review is performed to determine whether the compensating measures are sufficient for the extended period, additional measures are required, or a manual shutdown should be executed. The review should also address the priority status for the repair activity.

A specific written test procedure should be available for each SIF. The procedures should be of sufficient detail to allow personnel who are not intimately familiar with the SIF to perform the appropriate testing. These should include, where appropriate, the following:

- list of SIF included in the SIS
- equipment description and location for each safety function
- functional requirements for each safety function
- inspection procedures to be followed
- calibration and testing methods to be followed
- frequency of calibration, testing, inspections, and maintenance activities
- specify acceptable performance limits (± 2% of full range if no limits specified)
- specify sequence of testing if required
- specify who should perform the test
- specify state of process when test is performed
- if the SIF is mirrored in the BPCS, the test should show that the SIF actuated the final control device
- verification of operational state of SIF after test complete
- test of internal and external diagnostics (WDT, etc.)
- verify auxiliary service components are operational (fans, filters, batteries, UPS, etc.)
- define a means of ensuring testing is performed and documented
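As an added example (not from the technical report), the following Python evaluates a transmitter proof test against the pass/fail criteria listed above: each check point's error as a percentage of full range, the trip point against the SRS setpoint, and the post-test check that the SIF is back in service, applying the ± 2% of full range default only where the SRS gives no limit. The tag PT-201, its range, the check points, readings and trip values are constructed.

```python
"""Evaluate a transmitter proof test against the procedure's pass/fail
criteria, applying the report's default of +/- 2 % of full range when the
SRS specifies no limit.

Added example; not from ISA-TR84.00.03. The tag PT-201, range, check points,
readings and trip values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_LIMIT_PCT_OF_RANGE = 2.0  # report's default when no limits are specified


@dataclass(frozen=True)
class CheckPoint:
    applied: float    # reference value applied to the sensor, engineering units
    indicated: float  # value the transmitter / logic solver reports


@dataclass(frozen=True)
class PointResult:
    applied: float
    indicated: float
    error_pct_of_range: float
    passed: bool


def performance_limit(srs_limit_pct_of_range=None):
    """Use the SRS limit when one is specified, else the 2 % of range default."""
    if srs_limit_pct_of_range is None:
        return DEFAULT_LIMIT_PCT_OF_RANGE
    return srs_limit_pct_of_range


def evaluate_points(lrv, urv, points, srs_limit_pct_of_range=None):
    """Express each check point's error as a percentage of full range and judge it."""
    span = urv - lrv
    if span <= 0:
        raise ValueError("upper range value must exceed lower range value")
    limit = performance_limit(srs_limit_pct_of_range)
    results = []
    for p in points:
        err = (p.indicated - p.applied) / span * 100.0
        results.append(PointResult(p.applied, p.indicated, err, abs(err) <= limit))
    return results


def evaluate_trip(setpoint, observed_trip_at, lrv, urv, srs_limit_pct_of_range=None):
    """Check that the SIF actuated within tolerance of the SRS trip setpoint."""
    err = (observed_trip_at - setpoint) / (urv - lrv) * 100.0
    limit = performance_limit(srs_limit_pct_of_range)
    return PointResult(setpoint, observed_trip_at, err, abs(err) <= limit)


def proof_test_verdict(point_results, trip_result, restored_to_service):
    """Overall PASS/FAIL plus the reasons a test sheet should record.

    Confirming the SIF is back in its operational state after the test is
    part of the verdict: a test that leaves the SIF bypassed is a failure.
    """
    reasons = []
    for r in point_results:
        if not r.passed:
            reasons.append(f"check point {r.applied:g}: error {r.error_pct_of_range:+.2f} % "
                           "of range exceeds limit")
    if not trip_result.passed:
        reasons.append(f"trip at {trip_result.indicated:g} vs setpoint "
                       f"{trip_result.applied:g}: outside tolerance")
    if not restored_to_service:
        reasons.append("SIF not verified as returned to normal operation after test")
    return ("PASS" if not reasons else "FAIL", reasons)


# Constructed test sheet: pressure transmitter PT-201, 0-100 bar, trip at 80 bar.
LRV, URV, TRIP_SETPOINT = 0.0, 100.0, 80.0
SAMPLE_POINTS = [CheckPoint(0.0, 0.5), CheckPoint(50.0, 51.8), CheckPoint(100.0, 102.5)]
OBSERVED_TRIP_AT = 81.2

if __name__ == "__main__":
    pts = evaluate_points(LRV, URV, SAMPLE_POINTS)
    trip = evaluate_trip(TRIP_SETPOINT, OBSERVED_TRIP_AT, LRV, URV)
    status, why = proof_test_verdict(pts, trip, restored_to_service=True)
    print(status, why)  # the 102.5 reading is 2.5 % of range, so FAIL under the default
```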

All test procedures should identify the system being tested and carry page numbers and the revision date on each page of the procedure. The responsible role/person for maintaining each procedure should be identified in the procedure. The electronic file path or hard copy library location of the test procedures corresponding to the device to be tested should be appropriately loaded in the maintenance management system.

All drawings used to describe SIF should be referenced including P&IDs, loop drawings, logic sheets, etc.

Procedures should focus on the ways in which the core attributes, namely independence, integrity, functionality, reliability, auditability, access security, and management of change, are maintained to the suitable level of rigor. Well written procedures help eliminate systematic failures by providing instructions, improving communication, reducing training time, and improving work consistency.

The test procedures are considered controlled documents, just like the process operating procedures. Any deviation from the documented test procedure should be reviewed to make sure the change will not lead to a failure of the SIF.

A thorough understanding of the intended SIS functionality is critical to ensuring that the SIS is operated and maintained to meet the required performance. Consideration should be given to potential language barriers to effective learning. If multiple languages are spoken, safety and emergency information should be communicated in other languages as necessary to ensure personnel understand work process requirements and expectations. If personnel do not understand how the SIS equipment is expected to operate, a procedure change, variance, or deviation may seem acceptable, yet yield an undesirable outcome.

Personnel should be trained on facility procedures, such as safe work practices, evacuation and response procedures, access permit requirements, and management of change. Personnel should receive specific training related to their assigned responsibility. Personnel training should be verified as complete during the pre-start-up safety review for any new or modified SIS. New personnel should complete training on the SIS operation prior to taking responsibility for the process equipment.

Once an SIS is operational, knowledge and skills should be maintained through an on-going training program. For best results, facility training should emphasize the fundamental criticality of SIS operation. Means for evaluating the training program's effectiveness should be implemented. Training should be revised to resolve deficiencies. Knowledge and skills based testing can be used to validate training effectiveness, as necessary. When knowledge and skills do not match expectations, consideration should be given to improving training content, depth, or frequency to obtain the desired level of competence. Training records should be maintained.

Training should familiarize maintenance personnel with the hazardous events the SIS protects against and the expected SIS operation. Personnel assigned responsibility to perform maintenance and testing on the SIS equipment require the knowledge and experience necessary to perform the procedures correctly. Training should ensure that maintenance personnel understand what permits and notifications are required to work on or to bypass SIS equipment. Training should cover task expectations, such as documentation, reporting, and failure investigation.

D.1 Format

The procedure format is often determined by the equipment to be tested, the testing equipment employed and the capabilities of the technician performing the test procedure. All procedures should be written with their intended audience in mind and with an appreciation for the specific technical knowledge of the reader. The procedures should be clear and concise, with minimum complexity. Procedures should provide information in different formats, such as text, graphics, and flowcharts, to accommodate different learning styles. Where multiple languages are spoken, consideration should be given to developing procedures and training materials in each language to ensure critical information is not lost in translation.

Task lists, checklists, hierarchical outlines, or task analysis can be used to create procedures, which are easy to understand and use. Task analysis offers a more rigorous organization than other methods. It often uses a three or four column format delineating major steps, providing detailed work tasks, caution notes and comments.

The choice of technique is highly related to the complexity of the procedure. Task lists are generally restricted to very simple work instructions, requiring few steps and decisions. Longer instructions should be written in checklists or in hierarchical (i.e., outline) format to break the work process into smaller logical steps that are generally executed in series to obtain the specified result. For example, a series of maintenance steps for a transmitter would include activities such as checking the transmitter range, verifying the deviation alarms, and validating the trip set point. Each step has specified pass-fail criteria, which are evaluated and recorded.

When many decisions are required, graphical techniques for presenting the steps of the procedure, such as flow charts, should be considered. Flow charts break down the procedures into small logical steps and provide an effective means to illustrate decision blocks where the answer choice, e.g., a “yes or no,” affects the action to be taken.

Regardless of the format chosen, the goal is to ensure that safe and reliable operation is achieved through the detection and correction of failures. The SIS procedures should be written with sufficient detail to achieve the performance specified in the SRS. Just as the core attributes affect the SRS, they are also significant to effective procedure development.

D.2 Test scope

The test scope should identify for the technician what the procedure intends to test, the status of the process during the test, and what is not tested using this procedure. In some cases there may be several test procedures for a specific component or SIF. Items to address include:

- the hazardous event(s) for which the SIF provides protection
- the hazardous event(s) classification or SIL target
- the testing and inspection interval
- the identification of the equipment on which the inspection or test was performed (e.g., loop number, equipment number, SIF identification, test procedure reference for a set of SIF)
- the settings and tolerance or acceptable performance limits (e.g., pass/fail criteria) for the SIS equipment
- the pretest conditions required to safely run the test, including the state of the process (normal operating conditions, shutdown, on-line, off-line, lock-out, etc.)
- for on-line tests with a process hazard present, the procedure must give specific instructions on what to do if the SIF fails and specify limits on when to abort the test
- the proper step-by-step sequence in which to run the test
- the procedure validates each channel of the SIF, including:
  - each channel of the SIF independently trips each final element as designed
  - each SIF independently trips each final element as designed
  - each logic solver independently trips each final element as designed; if the BPCS is used in the SIF, it should be tested in the procedure
- the name(s) of the qualified individuals performing the test, and their responsibilities
- reference drawings and documents
- test equipment required
- removal of equipment used for the test
- verification that equipment and final control element are returned to normal operation, and that each sensor and final control element is returned to pre-test operation
- permits required
- manufacturing authorization of the procedure

D.3 Related reference data, drawings, documentation, procedures

The technician may need additional information not contained in the test procedure in order to properly carry out the test, such as calibration procedures, lock-out procedures, line-breaking procedures, inspection procedures, schematic diagrams, and P&IDs. Providing these references to the technician helps ensure the test procedure is properly carried out and reduces the time required to perform the tests. This is especially important during turnarounds, when many test procedures may need to be completed in a short period of time.

D.4 Personnel safety considerations

Personnel may be exposed to the process while performing the test procedure or have to enter an area which would put them at risk. In order for the technician to perform the work safely, they need to be informed of the hazards they may incur, such as exposure to hazardous substances, electrocution, flammables, radiation, gravity, and ergonomic considerations, and of the potential consequences of failure to follow the procedure or of exposure.

D.5 Planning

Performing testing on a process can be costly and can potentially result in a loss of production. It is important to document in the planning section of the procedure the testing equipment, PPE, test gases, scaffolding, and any other equipment needed to perform the test. In addition, the plan should include information on what to do if the test fails. Remember that if the test is performed on-line, you do not have an unlimited amount of time to complete the test. Locating the spare parts for the SIF before the shutdown can save a lot of precious time when SIS equipment fails the test and needs to be replaced. To aid the technician in planning, it is recommended to have notification of the required test issued via the maintenance management system 30 to 60 days before the actual required test date.

D.6 Notification (Operations, Facility, etc.)

What the technician does in the process can affect many others in the process, and even potentially the community, if the work is not coordinated with the proper plant personnel. Before the technician starts work, a permit to work should be obtained from the appropriate person in order to make sure it is safe to perform the work. In addition, the technician may need to obtain a breaking-into-process permit or a lockout permit in order to perform the procedure safely. The notification section of the procedure should identify the permits required to perform the work safely.

D.7 Operating procedure requirements

Figure D.1 provides an example of a simplified work process, illustrating the typical interrelationship between operational and maintenance activities. The content and depth of the information communicated to various personnel should be based on the intended role of the individual in managing risk and performing the MI activity.

Process Engineering and Operations are primarily responsible for defining the content of SIS operating procedures. These procedures should cover SIS specific information and should explain to the operator the correct use of bypasses and resets, the required response to SIS alarms and trips, when to execute a manual shutdown, and provisions for operation with detected faults. These procedures, along with analogous ones developed by Maintenance/Reliability Engineering for maintenance activities, make up the backbone of the operating basis for the process equipment.


Figure D.1 — Simplified operation and maintenance work process

D.8 Procedure verification

Maintenance procedures should be analyzed using a suitable, standardized method to determine the comprehensiveness of the test procedure's coverage, ensure adequate test coverage for all dangerous failure modes, and ensure the potential for systematic (human) errors has been considered in the procedure. These methods may vary depending upon the complexity of the task and may include failure mode and effects analysis (FMEA), job step analysis, task analysis, or equivalent. While a test should be comprehensive, if it is too difficult or complex, there is a greater likelihood the test will not be completed properly.

D.9 Procedure analysis

Each procedure should define the individuals, departments, or job functions responsible for the development, approval, upkeep, distribution, and revision management of the procedures themselves. Work procedures are most successful when they are broken down into steps or tasks intended to achieve specific results.

If the intended audience does not understand them or feels that they are too complex, the procedures will not be followed. In an operating and maintenance environment, people often tend to follow the path of least resistance and, if they perceive a difficult path, they may find an easier, though not necessarily correct, or safe, one.

Table D.1 provides a listing of people, situations, and system related errors. Slips, such as omissions and lapses, are common, yet critical errors. Incorrect equipment assembly, installation, and repair are common maintenance errors.


Table D.1 — People, situations, and system related errors

People-oriented errors
- Slips (lapses, omissions, execution errors)
- Capture error
- Identification error
- Impossible tasks
- Input or misperception errors
- Lack of knowledge
- Over-motivation or under-motivation
- Reasoning error
- Task mismatches

Situation-oriented errors
- Environmental
- Stress
- Timing

System-oriented errors
- Errors by others
- Procedural
- Violations

Human errors in system design
- Mistakes
- Specification errors
- Communication breakdown
- Lack of competency
- Functional errors
- Common errors in instrument design

D.10 Continuous improvement

Personnel should contribute their experience and knowledge to the continuous improvement of procedures and practices. Cooperation of multiple parties is necessary to ensure that the SIS requirements match the capability of personnel. Procedures used in combination with training and regular performance feedback achieve predictable work results. The procedure should be reviewed after completion by a planner, and any deviations should be reviewed to determine whether the procedure should be updated. Any modifications to the procedure should follow the MOC procedures at the site.

D.11 Modification

SIS procedures should be under revision control. Procedures should be periodically reviewed to ensure that the procedures are up-to-date and reflect current work tasks and expectations. Changes to SIS procedures, whether technical or editorial, should be reviewed and approved.


Annex E — Example inspection items and forms

The following are recommended inspection items that should be covered by an inspection program as part of an overall mechanical integrity plan. The bullet lists are not exhaustive and do not include everything that should be covered by the inspection program for particular equipment or SIS.

Inspection is typically not a singular activity, but something that is done as part of other duties and in some cases only under specific circumstances. Some items can be addressed by simple visual inspection, where personnel perform a unit walkthrough and look for discrepancies, e.g., tagging or labeling. These inspections do not require tools and may be performed by plant operators or maintenance technicians. Other items can be intrusive, requiring “hands-on” inspection, and would likely be performed only by maintenance personnel under controlled conditions, e.g., pulling wire to determine whether it is loose. These latter items are often verified during commissioning or proof testing when equipment is off-line or in bypass. Some inspections require specialized resources, tools and equipment access. For example, examining the physical condition, application program, and diagnostic status of a logic solver requires a skilled control system technician and access to the engineering station and logic solver. Another example requiring specialized tools would be the use of radiography to detect a plugged process connection. Any person trained in the use of the radiography equipment could perform the inspection, but it is likely that it would only be performed on connections where process pluggage has been identified as a concern.

The recommended inspection items are not intended to be turned into a single checklist, since these items may be performed at different frequencies depending on manufacturer recommendations, the type of inspection being performed, the expected equipment degradation rates, specific characteristics of the process, and SIS management of change history. Some of these items may be inspected frequently, as in the case of visual inspections, while others may only be performed infrequently, as in the case of “hands-on” inspections.

Generally, an inspection checklist or form is used to support thorough inspection. An example checklist is provided in Table E.1. This checklist applies to multiple equipment types and is not intended for use as is. Typically, a user will have a generic template with typical inspection items and then modify the template to address the specific application and device technology, subject to a particular inspection. Specific checklists are used to ensure consistency in the inspection scope and record quality. Training should ensure that inspectors understand the importance of verifying the overall fitness of the equipment in service and of reporting any discrepancies with the equipment regardless of the checklist items.

E.1 General field inspection items

On the field side, the focus is on the physical aspects of the installation, such as wiring, status of any punch list items remaining from the commissioning effort, and adherence to construction specifications. Field inspections should verify:

tags and labeling

painting, where applicable

conduit seals

covers

wiring

grounding systems

support systems (e.g., communications, power supplies, and instrument air)

installation materials (e.g., gaskets, grounding rings)


installation (e.g., bolts, insulation, process connections, supports, tracing, purges, bug screens)

installation quality (e.g., no signs of physical disturbances, such as absence of moisture/debris/corrosion, excessive vibration or steam impingement)

barriers (e.g., bollards protecting equipment from physical impact or covers on emergency push buttons)

warning signs (e.g., radiation or high voltage hazard)

Each component of an SIF should be in good condition with no visible physical defects that could impact the performance or reliability of the system. All parts of the SIF should be inspected for damage, deterioration, missing parts, or other physical damage and for incipient conditions such as water ingress. The physical examination should include:

all input devices to the SIS such as transmitters, switches, thermocouples

all output devices such as solenoid valves, control valves, motor controllers

system wiring with particular attention to terminations, junction boxes, conduit

SIS logic solver - electromechanical relays, PLC, etc.

E.2 Sensors

In addition to the items covered in E.1, the following inspection criteria apply to field sensors:

instruments clearly identified as part of SIF

process connections in good condition with respect to leaks, insulation, corrosion, etc.

root valves in correct position

instruments installed per design standards and manufacturer guidelines

configuration per design

heat tracing functional and insulation in good condition

conduit connections and covers in good condition and properly supported

cabling in good condition and correct length for thermal expansion

cabling drip loops in place and functional with drainage to a proper location

drains and seals, if required, in place and functional

process tubing lines properly supported and sloped

E.3 Final elements

In addition to the items covered in E.1, the following inspection criteria apply to the final elements:

final elements clearly identified as part of SIF

configuration per design (e.g., valve fails open or closed)

heat tracing functional and insulation in good condition

bug screens in place and functional

tubing for air supply and connections to positioner or top works in good condition

solenoids properly mounted with tubing and electrical connections in good condition

valve piping gaskets in good condition (e.g., no cracks or leaks)

valve stem in good condition


top works in good condition (e.g., no cracks or leaks at gaskets)

valve installation supports in good condition

no corrosion build-up around valve stem

motor control circuits in good condition

variable speed drive mounting is secure

electrical wiring terminals (at each end) are properly tightened

no sign of overheating has occurred at each terminal

no corrosion, burnt spots, overheating, deformation, or discoloration on contacts

instrument pressure gauges in good condition

any auxiliary equipment, such as signal converters and positioners, in good condition

any other conditions which might hinder proper operation of the valve

E.4 Logic solvers

The following inspection items apply to logic solvers:

diagnostic checks

diagnostic alarms configured per specification and properly prioritized

proper operation of all communication buses

power to redundant power supplies and proper operation

proper logic solver scan order to ensure proper process safety time

operating records indicate that solid state outputs are not generating “off” leakage current above rated value

physical checks

components clearly identified as part of SIF

absence of moisture

status condition lights are functional and normal (e.g., fault, communication, power, fusing)

ventilation or cooling is functional

absence of dust or other foreign material (e.g., filters)

closure hardware installed per design standards

check that access security (e.g., doors locked) is in place

logical checks

configuration per design (e.g., absence of forces and bypasses, scan rate)

manufacturer recommendations (e.g., bug fixes, recalls)

E.5 Wiring connections

The following inspection items apply to wiring connections:

wiring, terminals or junction boxes clearly identified as part of SIF

wiring connections in junction boxes, scramble boxes, or other terminations are tight

wiring and cable segregation, as required, is in place

fire proofing per design


seals where required should be checked

conduit covers should be in place

conduit drains should be in place and working properly

cabinet doors are closed, water tight, and properly labeled

E.6 Power and grounding/bonding

Proper grounding includes many separate grounding entities in a process facility. Some examples include DCS, PLC, highway, static, substation, neutral, single point, motor, raceway, control room, instrument transformer, building, faraday effect (framing), lightning cone of protection, surge protection, safety, noise (e.g., shielding), ungrounded, ground tripod, lightning rods, ground rods, ground noise, computer flooring, footing ground rods, isolated, ground plane, UPS, isolation transformer, computer, ground resistance, etc. For this technical report, discussion of grounding is focused on the SIS, but the reader is cautioned that improper grounding and poor maintenance of the grounding systems is one of the leading causes of process unreliability.

Power and grounding connections and insulation should be verified to ensure no degradation. Visual inspection is typically performed during on-line operation, while more rigorous physical inspection is executed off-line. The following inspection criteria apply:

all power and grounding / bonding installed per documented design

all power and grounding / bonding connections securely fastened

no evidence of corrosion or fouling on any power or grounding / bonding connections

no evidence of sliced, cracked or otherwise degraded power and grounding / bonding insulation

no evidence of charring or heat build-up

power operating within acceptance range


Form E.1 — Generic field sensor checklist

Instrument number: ________________________________________________________
Test number: ______________________________________________________________

Materials of construction:
    OK / Not OK         No obvious signs of corrosion in area with the process
    OK / Not OK         Model number of installed instrument matches instrument calibration records

Protection from the environment:
    OK / Not OK / NA    Protection from mechanical damage (can instrument be used as a step, etc.)
    OK / Not OK / NA    Protection from weather (freezing, rain, snow, ice, etc.)
    OK / Not OK / NA    Protection from insects, birds, etc. (vents clear, etc.)
    OK / Not OK / NA    Protection from corrosive leaks of adjacent process (signs of external corrosion on instrument)

Proper installation of impulse lines:
    OK / Not OK / NA    Sloped correctly (down for liquids, up for gases)
    OK / Not OK / NA    Materials of construction correct (no obvious signs of corrosion)

Proper installation of instrument:
    OK / Not OK / NA    Orientation of instrument
    OK / Not OK / NA    Field zeroed after shop calibration (if required)
    OK / Not OK / NA    Primary elements not worn or eroded (orifice plates, vortex shedder bar, etc.)
    OK / Not OK / NA    Breather drain fitting installed
    OK / Not OK / NA    Low point conduit drain installed
    OK / Not OK / NA    Conduit in good shape
    OK / Not OK / NA    Proper static grounding applied

Process concerns:
    OK / Not OK / NA    Impulse lines not plugged
    OK / Not OK / NA    Purges working properly
    OK / Not OK / NA    No corrosion present
    OK / Not OK / NA    Thermowell fouling

Equipment identification:
    OK / Not OK / NA    Green "Safety Interlock" tag installed
    OK / Not OK / NA    Clearly labeled with instrument number
    OK / Not OK / NA    Up-to-date calibration sticker

Comments/Observations: _______________________________________________________
Inspected by: ______________________________________________________________________
Inspection date: ____________________________________________________________________


Annex F — Example calibration forms

This Annex provides an example of a calibration record. Users may develop other calibration records incorporating similar information or use other forms of documentation to record and track calibration.

Form F.1 — Instrument calibration record

TAG NUMBER: ____________            DATE: ___/___/______
UNIT: ____________                  SYSTEM: ____________
TRANS DAMPENING: ______ Seconds
TRANSMITTER (circle): Analog / Digital        Output (circle): SqRt. / Linear
VERIFIED AGAINST GOVERNING DOCUMENT AS-FOUND: ____________

Transmitter Calibration Data                  SERIAL NUMBER: ____________

Zero and Span   | Process Range Units | Transmitter Input Units | Transmitter Output Units
Lower Limit     |                     |                         |
Upper Limit     |                     |                         |

Transmitter Calibration Record      Transmitter Input: ____________    Transmitter Output: ____________

Percent of Span | Actual Input | Desired Output | Output As-found | % Error As-found | Output After Calibration | % Error After Cal. | Output As-left | % Error As-left
0%              |              |                |                 |                  |                          |                    |                |
25%             |              |                |                 |                  |                          |                    |                |
50%             |              |                |                 |                  |                          |                    |                |
75%             |              |                |                 |                  |                          |                    |                |
100%            |              |                |                 |                  |                          |                    |                |

Percent error = (Actual output - Desired output) / (Upper output limit - Lower output limit) X 100%

Maximum allowable % error: ________ (The maximum allowable % error is listed in the instrument maintenance SOP.)

Maximum % error as-found: ________

Calibration required: Yes / No (Calibration is required if the maximum % error as-found is greater than the maximum allowable % error.)

Maximum % error after calibration: ________

Corrective action required: Yes / No (Corrective action, i.e., repair or replacement, is required if the maximum % error after calibration is greater than the maximum allowable % error.)

Corrective action taken (if required): ____________________________________________


Switch Settings                     Serial Number: ____________

Tag Number | Switch Setting | Signal As-found | Signal As-left | Deadband | Comments
           |                |                 |                |          |
           |                |                 |                |          |

Switch Settings                     Serial Number: ____________

Tag Number | Switch Setting | Signal As-found | Signal As-left | Deadband | Comments
           |                |                 |                |          |
           |                |                 |                |          |

Calibration Equipment Used:

Instrument Shop I.D. Number | Calibration Due Date | Comments
IS ________                 | ___/___/______       |
IS ________                 | ___/___/______       |
IS ________                 | ___/___/______       |
IS ________                 | ___/___/______       |

REMARKS:

(check applicable)    DIGITAL / ANALOG        DOWNSCALE B/O / UPSCALE B/O        SS TAG ATTACHED
                      TRANSMITTER PROPERLY COLOR CODED        SQUARE ROOT / LINEAR
                      AS-LEFT: PMI PERFORMED

TECHNICIAN: ____________            DATE: ___/___/______
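The arithmetic behind the decision fields of Form F.1, worked through in code. This is an added example and not a form, procedure or code from the technical report: it implements the percent error formula printed on the form and the two decisions the form asks for (calibration required when the maximum as-found error exceeds the allowable value; corrective action required when the maximum error after calibration still exceeds it). It also covers the Linear / SqRt. choice on the form by computing the desired output for both transmitter types. The function names, the 4-20 mA output range, the 0.5 % allowable error and all readings are constructed assumptions.

```python
"""Calibration record arithmetic for Form F.1 (added example, not from the report).

Function names, the 4-20 mA range, the allowable error and the readings
below are constructed assumptions for illustration.
"""
import math

TEST_POINTS = (0, 25, 50, 75, 100)  # percent of span, as on the form


def desired_output(percent_of_span, lower, upper, square_root=False):
    """Expected transmitter output at a given percent of input span.

    Linear transmitter: output is proportional to input.
    Square-root transmitter (e.g. DP flow): output follows sqrt(input),
    so 25 % of input span corresponds to 50 % of output span.
    """
    fraction = percent_of_span / 100.0
    if square_root:
        fraction = math.sqrt(fraction)
    return lower + fraction * (upper - lower)


def percent_error(actual, desired, lower, upper):
    """Form F.1: (Actual output - Desired output) / (Upper limit - Lower limit) x 100 %."""
    return (actual - desired) / (upper - lower) * 100.0


def evaluate_column(readings, lower, upper, square_root=False):
    """Percent error at each test point for one column of the record
    (as-found, after calibration or as-left). readings: {percent_of_span: output}."""
    return {
        pct: percent_error(readings[pct],
                           desired_output(pct, lower, upper, square_root),
                           lower, upper)
        for pct in TEST_POINTS
    }


def calibration_record(as_found, after_cal, lower, upper, allowable_pct, square_root=False):
    """Fill in the decision fields of Form F.1 from the recorded outputs."""
    found_errors = evaluate_column(as_found, lower, upper, square_root)
    max_found = max(abs(e) for e in found_errors.values())
    record = {
        "errors_as_found": found_errors,
        "max_error_as_found": max_found,
        # Calibration is required if the max as-found error exceeds the allowable value
        "calibration_required": max_found > allowable_pct,
        "max_error_after_cal": None,
        "corrective_action_required": False,
    }
    if record["calibration_required"] and after_cal is not None:
        after_errors = evaluate_column(after_cal, lower, upper, square_root)
        max_after = max(abs(e) for e in after_errors.values())
        record["max_error_after_cal"] = max_after
        # Repair or replacement is needed if calibration could not bring it within limits
        record["corrective_action_required"] = max_after > allowable_pct
    return record


# Constructed sample: 4-20 mA linear transmitter, allowable error 0.5 % of span
SAMPLE_AS_FOUND = {0: 4.02, 25: 8.10, 50: 12.05, 75: 16.07, 100: 20.12}
SAMPLE_AFTER_CAL = {0: 4.00, 25: 8.01, 50: 12.01, 75: 16.00, 100: 20.01}

if __name__ == "__main__":
    rec = calibration_record(SAMPLE_AS_FOUND, SAMPLE_AFTER_CAL, 4.0, 20.0, 0.5)
    for pct, err in rec["errors_as_found"].items():
        print(f"{pct:>3}% of span: as-found error {err:+.3f} %")
    print("Maximum % error as-found:", round(rec["max_error_as_found"], 3))
    print("Calibration required:", rec["calibration_required"])
    print("Corrective action required:", rec["corrective_action_required"])
```

With the constructed readings the 100 % point is 0.12 mA high, i.e. 0.75 % of the 16 mA output span, so the as-found column fails the 0.5 % limit and calibration is required; the after-calibration column is within 0.0625 %, so no corrective action is needed. Note that the form's error is expressed relative to the output span, not the reading, which is why a 0.12 mA offset at 20 mA and at 4 mA count the same.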


Annex G — Preventive maintenance

Preventive maintenance is a proactive activity that maintains the equipment in the “as good as new” condition. When the equipment is in this condition, it is operating within its useful life period. Preventive maintenance reduces the frequency of equipment failure through periodic restoration of the equipment condition. It involves many different activities that occur based on fixed schedules and based on predicted degradation. It includes performing maintenance to extend the equipment life such as changing an air filter and replacing disposable parts such as changing batteries. Common preventive maintenance tasks include timely:

battery replacement

process connection cleaning

periodic replacement of eroded components based on historical erosion rates (e.g., flow tubes, thermowells, or orifice plates)

rebuilding valves

seat

actuator

packing

gasket replacement

instrument air filter / separator cleaning/change-out

lubrication

electrical contact replacement

Appropriate preventive maintenance tasks may be identified from sources such as manufacturer’s literature, brainstorming, operating experience, maintenance experience, and best practices. Important considerations in establishing a rigorous MI program include:

integrating preventive maintenance efforts with other plant tasks resulting in a cost effective efficient multi-tasking maintenance program.

availability of the competent and trained personnel to perform the desired maintenance.

availability of correct materials and tools to utilize in the desired maintenance.

availability of correct instructions and related planning to utilize in the desired maintenance.

availability of MI and reliability processes to identify chronic failure issues (e.g., possible improper selection of equipment/materials).

G.1 Identification of preventive maintenance tasks

Understanding causes and mechanisms of equipment failures provides the insight as to how the path to failure may be measured. It also helps to establish appropriate predetermined levels of degradation that mandate action is taken within some prescribed time period.

An initial source of needed preventive maintenance tasks can be found in the manufacturer’s safety manual and equipment maintenance manual. This will need to be supplemented with the tasks required due to the impact of the process and environmental conditions, which may accelerate the degradation or wear beyond manufacturer expectations. Failure Modes and Effects Analysis (FMEA) and Reliability Centered Maintenance (RCM) are analytical methods that can be used to identify preventive maintenance tasks that sustain the SIS equipment’s integrity and reliability.

Failure investigation, such as Root Cause Analysis, can potentially identify weaknesses in the maintenance program which should be corrected. This approach helps facilitate an overall reliability centered maintenance program that additionally would measure and analyze equipment performance, looking to maintain expected performance as well as to identify opportunities to improve reliability.

G.2 Criticality

Some maintenance tasks are performed to extend the life of the equipment, such as replacing the electrolyte in an analyzer’s cell, or improving the reliability of the equipment. Other tasks are critical to ensuring the integrity and reliability of the SIF on a routine basis, such as replacing instrument air filters to reduce the likelihood of failing or rebuilding shutoff valves on a periodic basis. While all of these activities are important to the operation of the process, tasks associated with maintaining the performance of the SIS need to be managed using the typical lifecycle management systems such as MOC, action tracking, failure response, and documentation.

G.3 Timing

The frequency of maintenance tasks is affected by the following:

shutdown schedule

on-line vs. off-line tasks

unexpected as found condition during preventive maintenance

manufacturer’s recommendations

good engineering practices and expert judgment

system architecture (e.g. level of fault tolerance)

PFD targets

incident investigation results

testing interval constraints and requirements

number of operations

hours of operation experience

In some cases optimizing all of the factors to satisfy performance expectations can be a challenge, especially the shutdown schedule. The SIS design may need to include provisions for performing preventive maintenance on-line. During a turnaround, preventive maintenance tasks may need to be performed in conjunction with inspection and testing tasks. The order of these tasks and whether they can be performed at the same time should be discussed and scheduled. When production units do not run continuously, the preventive maintenance tasks may be based on how long the equipment is operating or may need to be scheduled just prior to startup of the unit.

As part of the continuous improvement part of the lifecycle, the timing of the activities needs to be reviewed to determine if the performance of the maintenance program meets the assumptions of the SIL verification. Maintenance records and incident investigations can provide insight into whether the MI plan is achieving its goals. Where the equipment performance does not meet the required performance, the task may need to be performed more frequently or modified to improve performance. Where the performance of the equipment cannot be improved by modifying the timing or task, other equipment may need to be selected.

Once a schedule basis is established, changes should be reviewed to ensure that the change does not impact the SIS equipment integrity. When the task cannot be performed within a defined acceptable grace period, the user has several options using management of change. This may include permanent changes to the schedule if justified or implementing alternative temporary means of risk reduction. Annex J provides additional guidance for dealing with potential deferral situations.

G.3.1 Fixed schedule

Fixed schedules are often used to address parts that predictably wear out, gum up, foul, corrode, etc. Inspection checklists, such as those listed in Annex E, can supplement scheduled preventive maintenance by identifying corrosion and wear and by determining what parts need to be replaced. When a part is found to be out of tolerance, the part is repaired/replaced to bring the equipment back to an “as good as new” condition.

Some of the advantages of conducting preventive maintenance on a fixed schedule include:

allows maintenance effort to serve as a training tool

improved process uptime and fewer process upsets

planned maintenance resulting in a safe plant floor environment

planned maintenance resulting in shorter downtime

sustain warranty protection

reduced spares inventory

G.3.2 Predictive maintenance schedule

Predictive, or condition-based, maintenance represents a means to detect equipment degradation, allowing repair to occur prior to a complete failure. It is only appropriate when there is a method in place that allows measurement of degraded performance so that a predetermined intervention point can be defined. For example, inspection or proof testing checklists can be used to identify when replaceable parts are wearing out, so the replacement of the part can be scheduled so that it is replaced prior to the equipment failure.

For predictive maintenance, the timing is linked to an inspection, test or diagnostics to determine the timing. The MI plan should define the response required once a deficiency has been identified and when the task becomes overdue. The response to an overdue task will need to consider how fast the equipment is degrading. The response is generally more critical than scheduled maintenance since degradation has already been identified and documented either through inspection activities or automated diagnostics that alert personnel when there is a need for intervention.

For example, in a 2oo3 voting arrangement of level sensors where two sensors are DP level and one is radar level, comparison diagnostics can be used to identify the onset of excessive drift or to identify impulse line pluggage. Instead of cleaning the impulse lines on a weekly basis, the lines could be cleaned based on the diagnostic results.
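One way to implement the comparison diagnostic described above, as an added example that is not part of the technical report. It compares each of the three level sensors against the 2oo3 median over a window of scans: a sensor whose average deviation from the median exceeds a limit is flagged as drifting, and a DP cell whose reading stays frozen while the voted level is clearly moving is flagged as a possible plugged impulse line (a plugged line holds the measured pressure even as the real level changes). The sensor names, thresholds, window size and readings are constructed assumptions, not values from the report.

```python
"""2oo3 level sensor comparison diagnostic (added example, not from the report).

Sensor names, thresholds, window size and the sample readings are constructed
assumptions for illustration. Readings are in percent of level span.
"""
from statistics import mean, pstdev

SENSORS = ("DP-A", "DP-B", "RADAR")   # two DP level cells and one radar, voted 2oo3
DP_CELLS = ("DP-A", "DP-B")           # only the DP cells have impulse lines that can plug
DEVIATION_LIMIT = 3.0   # % of span: mean deviation from the voted value above this = drift
FROZEN_STDEV = 0.05     # % of span: a sensor moving less than this is considered frozen
WINDOW = 6              # scans per evaluation window


def median3(a, b, c):
    """The 2oo3 voted value: the middle of the three readings."""
    return sorted((a, b, c))[1]


def window_status(window):
    """Evaluate one window of (DP-A, DP-B, RADAR) tuples.
    Returns {sensor: 'ok' | 'drift' | 'possible plugging'}."""
    voted = [median3(*scan) for scan in window]
    # Is the real level moving? If the voted value barely changes we cannot tell a
    # frozen sensor from a steady process, so the plugging check is skipped.
    level_moving = pstdev(voted) > 5 * FROZEN_STDEV
    status = {}
    for idx, name in enumerate(SENSORS):
        readings = [scan[idx] for scan in window]
        deviation = mean(r - v for r, v in zip(readings, voted))
        if name in DP_CELLS and level_moving and pstdev(readings) < FROZEN_STDEV:
            # Frozen while the other sensors move: the impulse line is likely plugged.
            # Checked first because a frozen cell also shows a growing deviation.
            status[name] = "possible plugging"
        elif abs(deviation) > DEVIATION_LIMIT:
            status[name] = "drift"
        else:
            status[name] = "ok"
    return status


def diagnose(samples):
    """Run the diagnostic over consecutive non-overlapping windows.
    Returns a list of (first_scan_index, status_dict)."""
    results = []
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        results.append((start, window_status(samples[start:start + WINDOW])))
    return results


def first_alarm(samples):
    """Scan index of the first window in which each sensor was flagged (None if never).
    This is the 'onset' the maintenance response would be scheduled against."""
    first = {name: None for name in SENSORS}
    for start, status in diagnose(samples):
        for name, state in status.items():
            if state != "ok" and first[name] is None:
                first[name] = start
    return first


# Constructed readings, (DP-A, DP-B, RADAR) per scan, in % of span.
SAMPLE_READINGS = [
    # window 0: all three agree within a fraction of a percent
    (50.2, 49.9, 50.1), (50.5, 50.2, 50.4), (50.3, 50.0, 50.2),
    (50.0, 49.7, 49.9), (50.4, 50.1, 50.3), (50.2, 49.9, 50.1),
    # window 1: DP-A has drifted about +4 % of span
    (54.2, 49.9, 50.1), (54.5, 50.2, 50.4), (54.3, 50.0, 50.2),
    (54.0, 49.7, 49.9), (54.4, 50.1, 50.3), (54.2, 49.9, 50.1),
    # window 2: level ramps 50 -> 60, DP-B stays frozen at 50.0, DP-A still drifted
    (54.0, 50.0, 50.0), (56.0, 50.0, 52.0), (58.0, 50.0, 54.0),
    (60.0, 50.0, 56.0), (62.0, 50.0, 58.0), (64.0, 50.0, 60.0),
]

if __name__ == "__main__":
    for start, status in diagnose(SAMPLE_READINGS):
        print(f"scans {start}-{start + WINDOW - 1}: {status}")
    print("first alarm per sensor:", first_alarm(SAMPLE_READINGS))
```

Because the voted 2oo3 value is used as the reference, a single bad sensor does not pull the reference toward itself, which is what makes the comparison meaningful. The same limitation the report implies applies here: the plugging check only works when the process level is actually moving, so a plugged line on a steady level shows up later, as drift, once the level has changed.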

Advantages of predictive maintenance include:

improved process uptime and fewer spurious shutdowns, especially when used in conjunction with fault tolerant systems

availability of information to support troubleshooting

providing an alert to the appropriate personnel, giving them some time to optimize the performance of critical maintenance activities

integration with other mechanical integrity efforts resulting in a cost effective, efficient multi-tasking maintenance program

automated documentation of specifically defined degraded conditions to support proven-in-use claims


extended life as degraded conditions are repaired prior to more complete failures

analysis of actual equipment “wear-out” versus estimated “wear-out” performance allowing MI plan upgrade

controlled analysis of replaced equipment for evidence of unexpected application limitations or potential unsafe failures

optimized spares inventory

G.4 Documentation

Preventive maintenance should be documented and include step-by-step instructions as needed to ensure the task is being performed consistently and properly. The procedure should include:

procedure for performing the task

who is qualified to perform the task

pass / fail criteria

as-found condition

listing of parts replaced

other work performed in response to as-found condition

as-left condition

name of person(s) performing task

Where the as-found is outside the expected condition, the current condition should be documented for that piece of equipment. The deviation from expected performance should be investigated to determine if the frequency of the maintenance activity is adequate or if potential changes should be considered. Options include development of additional scheduled maintenance activities, redesign of the device in question or implementation of predictive maintenance via diagnostics.


Annex H — Example proof test template and procedures

The proof test template (Table H.1) and technology test procedures contained in this technical report are examples illustrating how some user companies develop and implement proof test procedures. It should not be interpreted that these are recommendations or requirements for proof testing any specific technology. Users should consider their application and SIF requirements, as well as manufacturer’s recommendations, when writing proof test procedures. The user is cautioned to clearly understand all facility design and operational constraints prior to developing and executing proof test procedures.

Table H.1 — Proof test procedure template

Generic Procedure

Scope

This generic procedure is meant to provide a basis to develop plant specific and technology specific proof test procedures. It DOES NOT take into account specific concerns regarding safety, process control disturbances, etc. that may be related to a particular plant or process. While there are some points in the procedure where notice is given that safety, control of the process, etc. should be considered, it is the responsibility of the person using this document, and modifying it for a specific plant and technology, to take these process concerns into account. Steps that lead the user to check specific known hazards should be added to this procedure by plant representatives who understand the process, and who thus know what kinds of items should be addressed.

This document explains the basic rules of the test procedures and provides directions for the development of plant specific procedures and/or new procedures.

(Define the task along with explaining when to apply and why it must be done a specific way. Also, describe how it affects product or service quality.)

General Plant and SIF Information

Facility code number: ___________________________________
Plant code number: _____________________________________
Safety Instrumented Function (SIF) identification number: ________________
Protective system type (circle applicable type): Alarm / Shutdown interlock / Permissive interlock / Auto-Start interlock
Protective circuit description (reference applicable interlock table or master alarm summary as appropriate): ___________________________________________

Basic Information for Test Procedures in SIS Loops

There are four topics which are the basis for test procedures for instruments used in SIS loops:

1) Diagnostic coverage: All calculations of test intervals and reliability for each instrument in a SIS loop are based on a certain amount of diagnostic coverage. This might be limited to the check of shorts or open circuits for an analog instrument, a certain amount of diagnosis of the internal function of a smart instrument, or even 100% diagnostic coverage with an internal test unit. The scope of the test is to check all functions not covered by the diagnostics of the instrument. Example: A smart pressure transmitter does not check (today) the function of the process connection (plugging), the drift of the sensor module, or the accuracy of an A/D converter. Therefore these functions have to be part of the test procedure: the process connection is checked by visual inspection and the other functions are checked by a zero and calibration test. The result of this part must be to ensure that the instrument is functioning as it would if new.

2) Reliability: To meet the business requirements for Asset Mechanical Reliability (AMR), additional testing is done to ensure that the instrument will function properly during the coming period until the next test. Therefore some checks are added which do not affect the measurement now, but may become a failure in the future. Example: Insulation test for thermocouples.

3) Verification: Some tests are included to ensure that the instrument has the same function as designed. This should ensure that during a replacement the right instrument has been installed and the proper settings have been made.

4) Experience of people: Only experienced people should perform tests on instruments in SIS loops. The procedures are written for this level only. A note should be added to all procedures:

Note: The person performing the work should have training on the ____ and ____ and handling of _____ or thoroughly familiarize themselves with the instrument's manual.

Site specific requirements for training may be added here.

Attributes and Categories

Categories (circle applicable): Safety / Environmental / Asset Protection / Other

Hazards and precautions

The table below lists job hazards and the precautions that should be taken for ergonomics, safety, environmental, quality, and Good Manufacturing Practices before beginning this procedure. Specific hazards should also be addressed in the procedure steps.

Hazard | Precaution
       |

Tools and equipment

The tools and equipment listed below are needed to do this job. Include safety equipment here.

Tool/Equipment | Use (if explanation is needed)
Hand tools     |
Consumables    |


Before you begin

Before beginning this procedure ...
List things that have to be done before the procedure can be started.
List any resources and references to consult before beginning.

Examples:
    obtain a valid work permit for the planned maintenance task
    check working conditions of test equipment, or make arrangements with a test lab, or have needed calibration gases available
    ensure the Operations/Operator communication link is open so that they are kept fully aware of work activity as it progresses, e.g., place the loop in manual prior to removing equipment from service
    confirm equipment tag corresponds with maintenance management system work order tag

Safe operating

limits

List general operating limits here if they apply.

List specific limits in the procedure table.

Example: A root valve is leaking and the process cannot be isolated.

Consequences of Deviation

List consequences of deviation from the procedure steps. Steps necessary to correct or avoid the deviation must be listed in the procedure.

Type of deviation    Consequences and how to avoid

Procedure    __________ follows these steps to ________________:

Limit each procedure table to a maximum of nine steps if possible. Procedures may have more than one procedure table. Use of the Step/Action table or the checklist format below may be useful. For examples of proof test steps, refer to the specific instrument device technology examples that follow this template.

Step    Action

Procedure Checklist

The checklist contains critical steps. The “as-found” and “as-left” results should be noted to document the performance of a sensor or final element during the proof test. These data must be evaluated periodically to determine the proper length of the proof test interval or to take corrective action (extending or shortening the proof test interval).

In some geographic regions it is required to file a signed record. In this case the checklist can be printed, the results listed, and the record signed by the person doing the job.

In other regions (e.g., the US) this is not required. In this case the checklist may be used to note the as-found / as-left results for later input into the maintenance management system.

NOTE Add a Hazard/Precaution sub-label if applicable to a particular step.


Part    Step    Action    Pass/Fail Criteria    As-found    As-left    Checked by

Condition of process installation

Condition of wiring

Visual Inspection

Trip point check

Zero check

Out of range check

Failure detection values

Range of instrument and HMI

Final element check

Instrument back in operation

All corrective actions, damage codes and as-found results reported in maintenance management system and work order closed.

Instrument replaced with proper settings

Related Documents    List related and supporting documents like manuals here:

Signature    This procedure checklist was completed by (applies if a hardcopy of the checklist must be signed and filled):

____________________________________ ____________________
(Name) (Date)

Records control    File this completed procedure checklist (applies if checklist format utilized) in: ____________________________.

Validation    This procedure was validated as the best known way to do this job by:

____________________________________ ____________________
(Name/Job Title) (Date)

Approvals    This procedure was approved by:

____________________________________ ____________________
(Name/Job Title) (Date)

Document history    Below are at least the last three revisions of this document, including all revisions within the last three months.

Date    By    Description


Annex I — Proof test examples for various SIF technologies

The following information can be used to develop proof tests using the proof test template in Table G.1. The user is reminded that the proof test template and the device tests contained in this technical report are examples illustrating how some user companies develop and implement proof test procedures. It should not be interpreted that these are recommendations or requirements for proof testing any specific technology. The user is cautioned to clearly understand manufacturer testing requirements, facility design and operational constraints prior to developing and executing proof test procedures.

I.1 General considerations

Proof tests may be performed as partial device tests, full device tests, segment tests, or end-to-end tests. The mechanical integrity plan must ensure that the complete SIS is demonstrated to work according to specification and is being maintained in the “good as new” condition throughout the equipment life. The proof test procedure should describe the test scope and clearly define the pass-fail criteria. The proof test procedure should clearly require that the test is performed and the results recorded in the as-found condition. The proof test procedure should also account for testing and inspection requirements that are identified in the equipment safety manual.

I.1.1 Test facility design

In the design of your test facility you need to consider the types of equipment you will be testing and what off-line testing you will be able to conduct. The typical testing facility will include equipment for calibration of temperature elements and transmitters, pressure and level transmitters and components, and electronic components such as trip amps. In some cases, the test facility will include flow testing equipment. For organic vapor monitors, the test facility will need a source of test gases with which to test the monitors.

I.1.2 Test equipment

It is important that the test equipment used is periodically calibrated to a recognized national standard. Consideration needs to be given to where the testing equipment will be used. Will the test equipment be used in a hazardous area where explosion proof test equipment will be required? The use of smart testing equipment provides many advantages, which will help improve consistency in testing and reduce systematic errors. Some smart testing equipment includes features such as instructing the technician which steps to perform and when, recording of as-found and as-left values, identification of test failure, and upload capability to the maintenance management system.

I.1.3 Ergonomics

It is important to assess aspects of the proof test steps that could require awkward body positions, heavy lifts and repetitive motion. Ensure that the necessary personnel, equipment, and planning are available to expeditiously resolve any such issue.

I.1.4 Preventive maintenance

As part of the testing and inspection of the SIS equipment, consideration needs to be given to ensuring that the recommended maintenance is performed on the equipment, so that the component is returned to service in an as-new condition.

I.1.5 As-found/as-left

Ensure that when a proof test is being performed the as-found condition, or the initial state of the equipment, is documented prior to any corrective action or preventive maintenance activity. The as-found information is critical to understanding the actual degradation or failure rate of the equipment. Also, ensure that the as-left condition, or the final state of the SIS equipment after MI activities, is documented prior to returning the equipment to service.

I.1.6 Proof testing pitfalls

Personnel participating in all aspects of SIS proof testing should be competent to carry out their assigned tasks. The need for personnel to be competent in carrying out their assigned task is a fundamental and obvious prerequisite for the avoidance of unsafe situations, particularly around SIS maintenance. This subclause describes some common pitfalls that can occur (and have been seen) during SIS proof testing.

I.1.6.1 Test philosophy

1) Living by a philosophy that anybody can do proof testing. Most SIS systems are not trivial, and as such require a certain level of competency to understand their purpose and to maintain them so that they provide a high level of integrity. Simply put, specially trained people should take responsibility and perform this function. A failure to recognize this fact can lead to unexpected process trips during on-line testing, and in some cases more severe unsafe situations.

2) Using an open work order as an excuse for equipment not working. If equipment is not functional at the proof test, this condition should be documented and corrected. An open work order is not justification to skip the test.

3) Not properly planning test execution during major projects, resulting in test invalidation. On major projects, there can be intense pressure to test SIS equipment as soon as it is installed but prior to other work in the unit being completed. However, some late stage construction work can impact SIS equipment. For example, SIS equipment may need to be disconnected in order to conduct pipe or vessel pressure testing, which invalidates the proof test. Painters and insulators could damage SIS equipment that has already been tested.

4) Not performing a complete proof test to demonstrate required operation. For example, incidents have occurred where it was later shown that the level switch was manually toggled rather than proving that the level float could break the contact. It is important to demonstrate the functionality documented in the SRS. This includes not only the basic functionality, but also validating that diagnostic alarms are still annunciating as expected, pre -trip and trip alarms are displayed at the correct priority, SIS valves are not leaking, and the application program executes functions as specified.

I.1.6.2 Pre-test tasks

1) Failure to fully open or fully close a bypass valve associated with a SIS final element valve at the beginning and end of proof testing. A failure to fully open a bypass valve associated with a SIS final element valve could lead to an actual trip of the process, due to insufficient flow for maintaining downstream operating conditions, when the SIS final element valve is full stroke tested during proof testing.

2) Incorrectly inserting a hardwired jumper on an output while on-line and causing a trip. In some PLC systems, the digital output card could generate a diagnostic fault when the hardwired jumper is inserted. Depending on the architecture, this could lead to the PLC generating a trip condition. Also, the hardwired jumper can cause a ground fault, leading to de-energization of the digital output.

3) Not performing a walk-through prior to initiating proof testing. A walk-through should be conducted to locate the equipment to be tested, to ensure that blinds and bleeds are properly lined up, to verify that no process fluid or materials are trapped in lines, and to identify where equipment is missing. This walk-through is often skipped because it is assumed to be unnecessary, but tests go much more smoothly and efficiently when it occurs.


4) Failure to lock out all energy sources (e.g., electrical, pneumatic, hydraulic, steam, gravity) and to bleed all latent energy sources (e.g., pneumatic, hydraulic) as part of lockout. Failure to do this can cause a safety hazard during testing.

I.1.6.3 General testing mistakes

1) Testing the wrong transmitter, when individual bypass functions are provided for individual field instruments in a redundant channel subsystem. For example, in a 1oo2 voting subsystem, bypassing transmitter A during an on-line test but accidentally working on transmitter B results in a spurious trip. To prevent this, some users implement a bypass of the entire subsystem, which disables the SIF during the test. Compensating measures equivalent to the loss of protection must then be provided, which for high SIL requirements can be difficult. Individual bypasses allow the SIF to continue to provide some protection, reducing the required compensating measure. In some cases, the configuration of the bypass may allow the SIF to provide sufficient protection, negating the need for a compensating measure.

2) Calibrating a transmitter prior to recording the as-found condition. Technicians routinely perform calibration on control transmitters to minimize process measurement error. For SIS transmitters, it is important for the as-found condition to be recorded prior to initiating calibration, zero error adjustment, or ranging.

3) During level instrument proof testing, a failure to recognize and compensate for specific gravity differences. For example, the level trip is based on fluid specific gravity A, but the level test uses a fluid with specific gravity B. A common occurrence is users conducting the level test with water when the normal fluid is a hydrocarbon. While the level instrument may function and give the appropriate alarms/trip actions using specific gravity B during testing, the result in the real world is that the actual alarm/trip setting will be different at specific gravity A.

4) Moving the valve repeatedly until it moves freely, then recording the as-found. When maintenance is conducted on control valves, technicians will open and close the valve several times to get the valve to move freely across its range. For SIS final elements, it is important for the as-found condition to be recorded prior to working on the valve.

5) Testing both circuits of a shared final element at the same time. When the BPCS and SIS share a final element, sometimes the procedure is incorrectly written so that both output circuits are de-energized prior to checking the final element state. This does not support the validation of each circuit, and it is possible for the final element to achieve the correct state with one failed circuit. Instead, each circuit should be tested individually.

I.1.6.4 Post-test tasks

1) Failure to re-open root (or manifold) valves to an instrument following a proof test. This situation leads to an instrument reading a constant value and failing to see actual process changes because it is blocked in.

2) Not recognizing, or not remembering to remove, a forced value in a field instrument after proof testing. When this occurs, the field instrument reads a constant value because it has been locked into its memory. This is a very dangerous situation, and can sometimes go unrecognized for a period of time.

3) Leaving a smart transmitter in test mode after proof test. The field instrument reads a constant value at last test state. This is a very dangerous situation and can go unrecognized for a period of time.

4) Failure to fully open or fully close a bypass valve associated with a SIS final element valve at the end of proof testing. A failure to fully close a bypass valve associated with a SIS final element valve could lead to an unsafe condition if there is a process demand requiring the SIS final element valve to close, but its bypass valve is still open following proof testing. This situation results in no isolation of the process stream, and feeds the unsafe situation.


5) Failure to return a SIF function to a normal operating state before the removal of its bypass. Following simulated on-line proof testing, if one forgets to return the value of the SIF trip function from the trip value back to a normal operating value and removes the SIF trip bypass function, the SIS will initiate a process trip. So many times, people performing the test get caught up in the moment or get distracted, and forget to recognize this fact. In the end, they learn the hard way.

6) Failure to remove bypasses, forces, and jumpers when testing is complete. This situation can result in the dangerous failure of the SIS, where it is disabled. For this reason, it is recommended that any form of bypassing be covered by documented procedures that ensure proper installation and that the removal of bypasses be independently verified.

7) Failure to turn the heat tracing on before returning the sensor to service after maintenance on dP measurements. Turning on heat tracing once the process is operating can cause one leg of the transmitter to heat up faster than the other causing a false signal. If the heat tracing is not turned on the material could solidify or freeze in the impulse lines causing a failure of the measurement.

I.2 Sensor testing

For SIS sensors, testing, inspection and maintenance are performed to ensure that equipment is not in a failed or degraded condition. The testing, inspection and maintenance procedures are designed to ensure that the performance of the components of an SIS remains in the “as good as new” condition. Testing of process sensors can be performed on-line while the process is operating or off-line while the process is shut down. In either case, the process may be designed such that the sensor can be removed for testing. Factors to consider include:

can the sensor be removed for testing and calibration,

will the sensor be calibrated on-line, and

will the process be down and cleaned out or operating?

Process sensors that are going to require on-line testing should generally be installed with some level of redundancy to allow testing of one sensor while another is still making the necessary measurement. If on-stream reliability of the process is critical, a 2oo3 configuration of sensors may be necessary. With this configuration, one sensor can be tested at a time without any bypasses and without any sacrifice of SIF integrity or safety. Logic for the SIF should be designed to reduce the 2oo3 voting to a 1oo2 while one sensor is being tested. If a 1oo2 configuration is used for sensors, a bypass will be necessary to allow on-line testing of each sensor while maintaining measurement capability with the other sensor. Logic during such a test will reduce to 1oo1, which is a lower SIF integrity than the 1oo2, and appropriate precautions should be taken during the testing to ensure safety is not compromised. The key is to make sure that with the 2oo3 voting the sensor defaults to the tripped direction, whereas the 1oo2 would default to the non-trip direction. The technician will need to identify the trip direction of the sensor and may need to implement a bypass or software force to achieve the appropriate degraded state.
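The degradation described above (2oo3 to 1oo2, 1oo2 to 1oo1, and the different default direction each needs) is small enough to write down as voting logic, which also makes the labelling pitfall in the next list concrete. The following added example is this editor's model, not code from the report; the channel states, the rule used when more than one channel is bypassed, and the assumption that a disconnected transmitter fails to the trip direction are the example's own choices.

```python
"""MooN sensor voting with channels out of service for on-line testing.

Added example; it is not from the report.  The channel states, the
degradation rule for more than one bypassed channel and the fail-to-trip
assumption for a disconnected transmitter are this example's own choices.
"""
from enum import Enum
from typing import Iterable, List, Tuple


class Ch(Enum):
    NORMAL = "normal"   # healthy reading, not calling for a trip
    TRIP = "trip"       # calling for a trip, or failed to the trip direction


def degraded_scheme(m: int, n: int, out_of_service: Iterable[int]) -> Tuple[int, int]:
    """Voting scheme left once the bypassed channels drop out of the vote.

    Matches the two cases in the text (2oo3 -> 1oo2, 1oo2 -> 1oo1) and, as
    this example's generalisation, keeps requiring at least one live channel
    when more than one is bypassed.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    k = len(set(out_of_service))
    if k > n:
        raise ValueError("more channels bypassed than exist")
    return max(1, m - k), n - k


def default_direction(m: int) -> Ch:
    """Direction a channel under test must present to reach the degraded
    scheme without a logic bypass: tripped for 2oo3 (remaining vote 1oo2),
    non-trip for 1oo2 (remaining vote 1oo1)."""
    return Ch.TRIP if m > 1 else Ch.NORMAL


def bypass_needed(m: int, pulled_fail_state: Ch) -> bool:
    """True when pulling the sensor would not land in the default direction,
    so a maintenance bypass or software force is required first."""
    return pulled_fail_state != default_direction(m)


def vote(m: int, n: int, states: List[Ch],
         out_of_service: Iterable[int] = ()) -> Tuple[bool, str]:
    """Return (trip decision, scheme label) for N channel states; bypassed
    channels are ignored whatever they read."""
    if len(states) != n:
        raise ValueError(f"expected {n} channel states, got {len(states)}")
    bypassed = set(out_of_service)
    live_m, live_n = degraded_scheme(m, n, bypassed)
    if live_n == 0:
        raise ValueError("all channels bypassed: SIF disabled, compensating measures required")
    trips = sum(1 for i, s in enumerate(states) if i not in bypassed and s == Ch.TRIP)
    return trips >= live_m, f"{live_m}oo{live_n}"


def wrong_sensor_pulled(m: int, n: int, bypassed_channel: int,
                        pulled_channel: int) -> Tuple[bool, str]:
    """Labelling pitfall: the control room bypasses one channel and the
    technician pulls another.  The pulled transmitter is assumed to fail to
    the trip direction (de-energise-to-trip loop)."""
    states = [Ch.NORMAL] * n
    states[pulled_channel] = Ch.TRIP
    return vote(m, n, states, {bypassed_channel})


if __name__ == "__main__":
    print(vote(2, 3, [Ch.TRIP, Ch.NORMAL, Ch.NORMAL]))        # (False, '2oo3')
    print(vote(2, 3, [Ch.TRIP, Ch.NORMAL, Ch.NORMAL], {2}))   # (True, '1oo2')
    print(vote(1, 2, [Ch.NORMAL, Ch.NORMAL], {0}))            # (False, '1oo1')
    print(bypass_needed(2, Ch.TRIP), bypass_needed(1, Ch.TRIP))  # False True
    print(wrong_sensor_pulled(1, 2, 0, 1))                    # (True, '1oo1')
```

Two things worth noticing when running it: with one channel of a 2oo3 bypassed, a single remaining channel calling for a trip is enough, which is the reduced integrity margin the text warns about; and in a 1oo2 with channel 0 bypassed, pulling channel 1 instead trips the process, which is exactly the labelling error described in item 1 below.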

While having fault tolerant systems provides the capability to perform on-line testing, the user needs to keep several things in mind.

1) Any time a bypass is implemented for on-line testing there is a risk for human error which can leave the process vulnerable or result in a spurious trip. The user needs to make sure that the labeling of equipment is accurate and clear. For instance, the control room may bypass sensor 1 of a 1oo2 configuration, but the technician in the field may pull sensor 2 leading to a trip of the process.

2) In many cases on-line testing does not cover all the potential covert failures which only can be tested during off-line testing.


3) There is a limited amount of time to complete the testing and, if necessary, repairs. If a component fails the test, there should be a procedure to ensure replacement or repair of the equipment within the assumed mean time to restoration, or a process shutdown may be required.

The testing frequency for sensors can be more or less frequent than that for other SIS equipment, depending on the MTTF of the SIS equipment used and the sensor contribution to the overall SIF integrity. Where sensors are installed in redundant configurations such as 2oo3, the test interval for individual sensors can be extended by installing diagnostics, such as comparison monitoring of the sensor signals with alarming when one or more signals depart from acceptable ranges. Then, if there is an alarm indicating a failure of the sensors, additional testing and calibration can be performed at that time. While diagnostics can identify many of the covert failures of a sensor, full functional testing of a sensor still needs to be performed.

Testing sensors may involve any of the following techniques; the technique used to test the SIF should be specified in the test procedure. This could be:

1) use of process to drive transmitter (NOTE Using the process to drive the transmitter will provide assurance the transmitter can measure the process conditions but this technique may not always be available if the process is not in operation.)

2) simulating the sensor input via appropriate measurement source

3) simulating process conditions utilizing an external simulator, such as using a hand pump to pressure up a level transmitter

4) simulating the sensor output via a mA simulation tool

NOTE Using a current simulation on the output tests the wiring and the receiving device but does not test the transmitter function.

Measure the sensor output conditions: if the output is linear, measure the output level with respect to the current process condition, such as temperature, pressure, product level, etc.

Sensor testing will vary depending on the type of sensor used.

In cases where the transmitters or switches are in a voting configuration, the redundant transmitter(s) will either need to be isolated or the trip signal disabled for the redundant transmitters to ensure the trip signal is coming from the transmitter being tested. Each transmitter in the voting configuration will need to be tested separately if the system has not been set up to indicate the trip of each sensor separately.

Isolation valves on all sensors should be verified open at end of test.

Each sensor’s off-line condition should be checked and verified against the expected value with respect to the process off-line conditions. Also, verify that the sensor when brought back on-line provides the expected process variable measurement based on the known process conditions.


I.2.1 Pressure

I.2.1.1 mA pressure transmitter

Using a 4-20 mA signal simulator or hand held communicator connected to the transmitter, verify the transmitter fault logic, per NAMUR Ne43, by performing the following steps:

1) connect the simulator to the instrument loop being tested

2) drive the output current to 21.2 mA (or whatever fault value is defined by the manufacturer; a different value may be selected by the user provided that upscale overdrive is assured) and verify that the readout device indicates a bad measurement

3) drive the output current to 3.5 mA (or whatever fault value is defined by the manufacturer; a different value may be selected by the user provided that downscale overdrive is assured) and verify that the readout device indicates a bad measurement

4) disconnect the simulator from the loop being tested

Perform the following steps, as applicable, for verification of transmitter input processing and trip check:

1) ensure root process isolation valves to transmitter are closed

2) relieve pressure (if checking a differential pressure device, equalize pressure on the high and low sides of the sensing diaphragm) and check that the zero output reads 4 mA; trim the mA output if necessary. Record as-found/as-left.

3) connect the calibrated pressure source to the process side of the transmitter downstream of the process isolation valve(s). If the process does not have a set-up for testing the transmitter in process, then connecting to the impulse piping, or disconnecting the process seal and installing a test flange, is acceptable.

4) set the calibrated pressure source to allow simulation of the input pressure over the calibrated range of the transmitter. Perform a rising calibration check at 0%, 50% and 100% of calibrated range and verify that the readings at the HMI concur; repeat the process decreasing. Record all as-found conditions prior to making any adjustments or repairs.

5) set the pressure source to the lower range (zero) of the transmitter

6) increase the simulated pressure until the low pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document the as-found condition that trip and pre-alarm clear at the correct set point. Record as-found conditions.

7) increase the simulated pressure until a high pressure pre-alarm and trip occur as indicated by the loop documentation (if applicable). Verify and document the as-found conditions that pre-alarm and trip occur at the correct set point. Record as-found conditions. Make sure to approach the pre-alarm and trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point.

8) increase the pressure to the high range limit for the transmitter and verify the upper limit is accurate. Record as-found conditions.

9) decrease the simulated pressure until the high pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document as-found conditions that trip and pre-alarm clear at the correct set point. Verify the dead band setting on the trip is correct. Record as-found conditions.

10) decrease the simulated pressure until a low pressure pre-alarm and trip occur as indicated by loop documentation (if applicable). Verify and document as-found conditions that pre-alarm and trip occur at the correct set point. Make sure to approach the pre-alarm and trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point. Record as-found conditions.


11) return the pressure to the lower range limit to check the repeatability of the transmitter

12) document as-found and as-left alarm and trip settings, and calibration check points on appropriate place in test procedure report

13) make adjustments to the transmitter if required, then repeat the test, recording as-left conditions

14) disconnect and close up the process connection for the pressure source

15) verify that the process isolation valve(s) are open

NOTE:

If the root valve leaks, the procedure above may give false results.

The procedure above may not be applicable for high pressure applications.

Ensure the process can tolerate the SIF trip, or place the instrument into manual (bypass) prior to starting the test.
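The two halves of the procedure above (the NE43 fault-value check and the rising/falling trip check with dead band) both reduce to comparisons the test documentation has to get right. The following added example, this editor's code and not part of the report, encodes both: a classifier for what the readout device should conclude from a loop current, using the NAMUR NE43 bands as this example understands them (fault at or below 3.6 mA or at or above 21.0 mA, measuring range 3.8 to 20.5 mA including saturation), and a ramp through a modelled transmitter and high-pressure trip that records the as-found trip and clear points and compares them with the documented set point and dead band. The transmitter model, set points, tolerances and the as-found zero error are constructed values.

```python
"""Checks for the mA pressure transmitter proof test.

Added example; not from the report.  The NE43 current bands are as this
example understands NAMUR NE43 (fault <= 3.6 mA or >= 21.0 mA, measuring
range 3.8 .. 20.5 mA including saturation); the transmitter model, set
points, tolerances and zero error are constructed.
"""
from typing import Callable, Dict, Optional, Tuple


def classify_ma(i_ma: float) -> str:
    """What the readout device should conclude from the loop current."""
    if i_ma <= 3.6:
        return "FAULT_LOW"       # downscale fault, e.g. the 3.5 mA the procedure drives
    if i_ma >= 21.0:
        return "FAULT_HIGH"      # upscale fault, e.g. the 21.2 mA the procedure drives
    if 4.0 <= i_ma <= 20.0:
        return "OK"
    if 3.8 <= i_ma < 4.0:
        return "SATURATED_LOW"
    if 20.0 < i_ma <= 20.5:
        return "SATURATED_HIGH"
    return "UNDEFINED"           # 3.6..3.8 and 20.5..21.0 sit between the bands


def make_transmitter(lrv_kpa: int, urv_kpa: int,
                     zero_offset_ua: int = 0) -> Callable[[int], int]:
    """Linear transmitter model returning loop current in microamps (integer
    arithmetic keeps the ramp comparisons exact).  `zero_offset_ua` is the
    as-found zero error the test is meant to reveal."""
    span = urv_kpa - lrv_kpa

    def ua(p_kpa: int) -> int:
        return 4000 + (16000 * (p_kpa - lrv_kpa)) // span + zero_offset_ua
    return ua


def ramp_trip_points(ua_of_pressure: Callable[[int], int], trip_ua: int,
                     deadband_ua: int, p_max_kpa: int,
                     step_kpa: int = 1) -> Tuple[Optional[int], Optional[int]]:
    """Rising then falling ramp through a high-pressure trip with dead band.

    Returns the as-found pressure at which the trip first occurred and at
    which it first cleared.  Small steps mirror the procedure's instruction
    to approach the trip point carefully so the recorded value is accurate.
    """
    tripped = False
    trip_at = clear_at = None
    path = list(range(0, p_max_kpa + 1, step_kpa)) + list(range(p_max_kpa, -1, -step_kpa))
    for p in path:
        i = ua_of_pressure(p)
        if not tripped and i >= trip_ua:
            tripped = True
            trip_at = p if trip_at is None else trip_at
        elif tripped and i <= trip_ua - deadband_ua:
            tripped = False
            clear_at = p if clear_at is None else clear_at
    return trip_at, clear_at


def evaluate_trip(trip_kpa: Optional[int], clear_kpa: Optional[int], setpoint_kpa: int,
                  tolerance_kpa: int, expected_deadband_kpa: int) -> Dict[str, object]:
    """Compare as-found trip and clear points with the loop documentation."""
    if trip_kpa is None or clear_kpa is None:
        return {"trip_kpa": trip_kpa, "clear_kpa": clear_kpa, "deadband_kpa": None,
                "trip_within_tolerance": False, "deadband_correct": False}
    deadband = trip_kpa - clear_kpa
    return {
        "trip_kpa": trip_kpa,
        "clear_kpa": clear_kpa,
        "deadband_kpa": deadband,
        "trip_within_tolerance": abs(trip_kpa - setpoint_kpa) <= tolerance_kpa,
        "deadband_correct": deadband == expected_deadband_kpa,
    }


def as_found_check() -> Dict[str, object]:
    """Constructed case: 0..1000 kPa transmitter found with +80 uA (5 kPa)
    zero error; documented high trip 850 kPa (17.6 mA), dead band 10 kPa,
    trip tolerance 1 % of span, zero tolerance 40 uA."""
    tx = make_transmitter(0, 1000, zero_offset_ua=80)
    trip_ua = 4000 + 16 * 850
    deadband_ua = 16 * 10
    trip_at, clear_at = ramp_trip_points(tx, trip_ua, deadband_ua, 1000)
    result = evaluate_trip(trip_at, clear_at, 850, 10, 10)
    result["zero_ma"] = tx(0) / 1000               # procedure step 2: zero should read 4 mA
    result["zero_ok"] = abs(tx(0) - 4000) <= 40
    result["zero_verdict"] = classify_ma(tx(0) / 1000)
    return result


if __name__ == "__main__":
    print(classify_ma(21.2), classify_ma(3.5))   # FAULT_HIGH FAULT_LOW
    print(as_found_check())
```

The constructed device trips at 845 kPa instead of 850 kPa because of its zero error, which is still inside the 1 % tolerance, while the zero check itself fails; note that the readout classifies 4.08 mA as a valid measurement, so the fault-value check alone would never have caught the error. That is why the procedure records the zero and calibration points as-found before any trim.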

I.2.1.2 Pressure switches

Perform the following steps for verification of switch input processing validation and trip check. When a pressure switch is implemented, it is common to provide a pre-trip alarm using the process transmitter. If a pre-trip alarm is provided, the technician will also need to perform the tasks listed in B1.1 for a mA pressure transmitter in addition to testing the pressure switch.

1) close off the isolation valve(s) for the process

2) connect the calibrated pressure source to the input of the pressure switch downstream of the process isolation valve. If the process does not have a set-up for testing the switch in process, then connecting to the impulse piping, or disconnecting the process seal and installing a test flange, is acceptable.

3) set the calibrated pressure source to allow simulation of the input pressure over the calibrated range of the pressure switch

4) increase the simulated pressure until the low pressure trip clears as indicated by loop documentation (if applicable). Verify and document the as-found condition that the trip cleared at the correct set point.

5) increase the simulated pressure until a high pressure trip occurs as indicated by the loop documentation (if applicable). Verify and document the as-found condition that the trip occurs at the correct set point. Make sure to approach the trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point.

6) decrease the simulated pressure until the high-pressure trip clears as indicated by loop documentation (if applicable). Verify and document the as-found condition that trip clears at correct set point. Verify the dead band is correct.

7) decrease the simulated pressure until a low-pressure trip occurs as indicated by loop documentation (if applicable). Verify and document the as-found condition that trip occurs at correct set point. Make sure to approach the trip point in such a manner to ensure accurate testing results. This is more important when dealing with analog trip setting on trip amps where there is no digital readout and set point.

8) make adjustments if required, then repeat the tests above recording the as-left conditions

9) disconnect pressure source and reconnect switch to process tap and open process root valve

I.3 Temperature

I.3.1 mA temperature transmitters

Verify the thermocouple (TC) fault protection by disconnecting the thermocouple and verifying that the Open TC tag alarms in the control center. The user should be aware that this might be alarmed high, low or last depending on the SRS and the application.


Using a 4-20 mA signal simulator, or hand held communicator connected to the transmitter verify the transmitter fault logic, per NAMUR Ne43, by performing the following steps:

1) connect the simulator/calibrator to the instrument signal loop being tested

2) drive the output to the device’s high fault value (for example 21.2 mA; a different value may be selected by the user provided that upscale overdrive is assured) and verify that the readout device indicates a bad measurement.

3) drive the output to the device’s low fault value (for example 3.5 mA; a different value may be selected by the user provided that downscale overdrive is assured) and verify that the readout device indicates a bad measurement.

Perform the following steps as applicable for verification of transmitter input processing and trip check:

1) verify the thermocouple (TC) type by physical examination of tag or color code on thermocouple and confirm that the transmitter is set for the correct thermocouple type

2) verify the TC open circuit detection by disconnecting the TC and verifying the appropriate transmitter response

3) connect the mV simulator to the TC wiring to the transmitter to simulate the TC input

4) perform a calibration check by entering mV or temperature signals corresponding to 0%, 50% and 100% of calibrated range and verify readings at HMI and simulator concur. Repeat process decreasing. Record all as-found conditions prior to making any adjustments or repairs.

5) starting from the low scale mV or temperature signal, increase the simulated temperature until the low temperature trip and low temperature pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values.

6) continue increasing the mV or temperature signal until the high temperature pre-alarm and high temperature trip activate. Record the as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values.

7) decrease the mV or temperature signal until the high temperature trip and high temperature pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values and that the dead band setting on the trip is correct.

8) decrease the mV or temperature signal until the low temperature pre-alarm and low temperature trip activate. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values and that the dead band setting on the trip is correct.

9) if any readings are out of specification and require adjustment or repairs, make adjustments and repairs then repeat steps 1 through 5 recording readings for as-left condition

10) disconnect the mV/temperature simulator and simulator/calibrator then reconnect the thermocouple. Verify that the thermocouple polarity is correctly connected.

Since TC assemblies are relatively inexpensive, consider keeping a calibrated “spare” for SIS applications in the plant instrument shop or warehouse for change-out at designated proof test intervals. Checking the calibration of the removed TC in the instrument shop or lab, to determine whether it can be placed in the “spare” inventory for use at the next proof test interval, is then recommended. Thermocouple assemblies are subject to aging and accelerated calibration drift, which varies with TC assembly type and the process streams to which they are exposed. These considerations will set the proof test or “change-out” interval. (For safety applications, during the design phase, the use of a thermowell should be considered along with process temperature reading lag time due to thermowell thickness.) If the temperature sensor is a bare sensor (not in a thermowell), ensure the process is cleaned out so it is safe to remove the sensor.

Using a calibrated temperature simulator and a portable ice bath, measure the thermocouple voltage output or temperature with the thermocouple inserted into the ice bath. Verify correct reading for type of thermocouple used. Record as-found reading.

Repeat the above for an ambient temperature measurement and verify that the thermocouple output indicates the correct ambient temperature. Record as-found reading.

I.3.2 Thermocouples

Verify the thermocouple (TC) type by physical examination of tag or color code on thermocouple. Keep in mind that different countries have different color codes.

Using an installed reference TC or comparison of installed TC assembly outputs will allow a ‘high’ level of diagnostic coverage of TC failures due to aging or drift. At some point though, the TC assemblies will have to be replaced or have individual calibration checks because these techniques will not achieve 100% coverage of faults.

TC input validation and trip check

Perform the following steps as applicable for verification of TC input processing validation and trip check.

1) verify the TC open circuit detection by disconnecting the TC and verifying the open TC tag alarms in control center

2) connect the mV simulator to the TC wiring at the sensor end and simulate the TC input over the operating range indicated in the table

3) perform a calibration check by entering mV or temperature signals corresponding to 0%, 50% and 100% of calibrated range and verify readings at HMI concur. Repeat process decreasing. Record all as-found conditions prior to making any adjustments or repairs.

4) starting from the low scale mV or temperature signal, increase the simulated temperature until the low temperature trip and low temperature pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values.

5) continue increasing the mV or temperature signal until the high temperature pre-alarm and high temperature trip activate. Record the as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values.

6) decrease the mV or temperature signal until the high temperature trip and high temperature pre-alarm clear. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values and that the dead band setting on the trip is correct.

7) decrease the mV or temperature signal until the low temperature pre-alarm and low temperature trip activate. Record as-found mV/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values and that the dead band setting on the trip is correct.

8) if any readings are out of specification and require adjustment or repairs, make adjustments and repairs then repeat steps 1 through 5 recording readings for as-left condition

9) disconnect the mV/temperature simulator and reconnect the thermocouple. Verify that the thermocouple polarity is correctly connected

Since TC assemblies are relatively inexpensive, keeping a calibrated “spare” for SIS applications in the plant instrument shop or warehouse for change-out at the designated proof test interval is recommended. Then check the calibration of the removed TC in the instrument shop or lab to determine whether it can be placed in the “spare” inventory for use at the next proof test interval. Thermocouple assemblies are subject to aging and accelerated calibration drift, which varies with TC assembly type and the process streams to which they are exposed. These considerations will set the proof test or “change-out” interval. (For safety applications, during the design phase, the use of a thermowell should be considered along with the process temperature reading lag time due to thermowell thickness.) If the temperature sensor is a bare sensor (not in a thermowell), ensure the process is cleaned out so it is safe to remove the sensor.

Using a calibrated temperature simulator and a portable ice bath, measure the thermocouple voltage output or temperature with the thermocouple inserted into the ice bath. Verify correct reading for type of thermocouple used. Record as-found reading.

Repeat the above for an ambient temperature measurement and verify that the thermocouple output indicates the correct ambient temperature. Record as-found reading.

I.3.3 Resistance temperature detectors

Verify the resistance temperature detector (RTD) type by physical examination of tag or color code on sensor.

Perform the following steps as applicable for verification of RTD input processing validation and trip check.

1) connect the simulator to the RTD wiring to the sensor end and simulate the RTD input

2) perform a calibration check by entering resistance or temperature signals corresponding to 0%, 50% and 100% of calibrated range and verify readings at HMI concur. Repeat process decreasing. Record all as-found conditions prior to making any adjustments or repairs.

3) starting from the low scale resistance or temperature signal, increase the simulated temperature until the low temperature trip and low temperature pre-alarm clear. Record as-found resistance/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values.

4) continue increasing the resistance or temperature signal until the high temperature pre-alarm and high temperature trip activate. Record the as-found resistance/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values.

5) decrease the resistance or temperature signal until the high temperature trip and high temperature pre-alarm clear. Record as-found resistance/temperature readings for these two points. Verify and document that pre-alarm and trip clear at correct values and that the dead band setting on the trip is correct.

6) decrease the resistance or temperature signal until the low temperature pre-alarm and low temperature trip activate. Record as-found resistance/temperature readings for these two points. Verify and document that pre-alarm and trip activate at correct values and that the dead band setting on the trip is correct.

7) if any readings are out of specification and require adjustment or repairs, make adjustments and repairs then repeat steps 1 through 5 recording readings for as-left condition

8) disconnect the temperature simulator and reconnect the RTD. Verify that the thermocouple polarity is correctly connected.

For the RTD:

1) using a calibrated temperature simulator and a portable ice bath, measure the RTD output or temperature with the RTD inserted into the ice bath. Verify correct reading for type of RTD used. Record as-found reading.

2) repeat the above for an ambient temperature measurement and verify that the RTD output indicates the correct ambient temperature. Record as-found reading.

If the values above are out of specification, replace the RTD and repeat the test, recording as-left.

I.3.4 Temperature switches

Perform the following steps as applicable for verification of switch input processing validation and trip check. It may not be possible to perform the following tests in the field depending on specific area classifications.

1) set a calibrated temperature bath to allow simulation of the input temperature over the calibrated range of the temperature switch

2) place temperature switch in temperature bath

3) increase the simulated temperature until the low temperature trip and pre-alarm clear as indicated by loop documentation. Verify and document that pre-alarm and trip clear at correct set point. Record all as-found conditions prior to making any adjustments or repairs.

4) increase the simulated temperature until a high temperature pre-alarm and trip occur as indicated by the loop documentation. Verify and record these two values as-found. Confirm that pre-alarm and trip occur at correct set point.

5) decrease the simulated temperature until the high temperature trip and pre-alarm clear as indicated by loop documentation. Verify and record these two values as-found. Confirm that trip and pre-alarm clear at correct set point.

6) decrease the simulated temperature until a low temperature pre-alarm and trip occur as indicated by loop documentation (if applicable). Verify and record these two values as-found. Confirm that pre-alarm and trip occur at correct set point.

7) if any readings are out of specification and require adjustment or repairs, make adjustments and repairs then repeat steps 1 through 5 recording readings for as-left condition

I.4 Flow

I.4.1 Flow transmitters—Differential pressure

Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR NE43, by performing the following steps:

1) connect the simulator to the instrument loop being tested

2) drive the output current to 21.2 mA (a different value may be selected by the user with assurance that upscale overdrive has taken place) and verify readout device indicates bad measurement

3) drive the output current to 3.5 mA (a different value may be selected by the user with assurance that downscale overdrive has taken place) and verify readout device indicates bad measurement

4) disconnect the simulator from the loop being tested

Perform the following steps for verification of transmitter input processing and trip check:

1) ensure root process isolation valves to transmitter are closed

2) relieve pressure and equalize pressure on the high and low sides of the sensing diaphragm; check that the zero mA output reads 4 mA and trim the mA output if necessary; record as-found and as-left

3) if the process service is dirty or prone to plugging, it may be necessary to check for plugged taps and for deformation of the orifice plate, including wear/sharpness of the bore

4) connect the calibrated pressure source to the process side of the transmitter downstream of the process isolation valve(s). If the process does not have a set-up for testing the transmitter in process, then connecting to the impulse piping, or disconnecting the process seal and installing a test flange, is acceptable

5) set the calibrated pressure source to allow simulation of the input pressure over the calibrated range of the transmitter. Perform a calibration check rising at 0%, 50% and 100% of calibrated range and verify readings at HMI concur, repeat process decreasing.

6) set the pressure source to the lower range (zero) of the transmitter

7) increase the simulated pressure until the low pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document that pre-alarm and trip clear at correct set point. Verify the dead band setting on the trip is correct.

8) increase the simulated pressure until a high pressure pre-alarm and trip occurs as indicated by the loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set point. Make sure to approach the pre-alarm and trip point in such a manner to ensure accurate testing results. This is more important when dealing with analog trip setting on trip amps where there is no digital readout and set point.

9) increase the pressure to the high range limit for the transmitter and verify the upper limit is accurate

10) decrease the simulated pressure until the high pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set point. Verify the dead band setting on the trip is correct.

11) decrease the simulated pressure until a low pressure pre-alarm and trip occur as indicated by loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set point. Make sure to approach the pre-alarm and trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point.

12) return the pressure to the lower range limit to check the repeatability of the transmitter

13) document as-found and as-left alarm and trip settings, and calibration check points on appropriate place in test procedure along with any adjustments which were made

14) disconnect and close up the process connection for the pressure source

15) verify that process isolation valve(s) is open
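As an added example (not from the report), the following Python evaluates an as-found proof test record from a 4-20 mA transmitter loop of the kind described in the temperature and flow procedures above: the NAMUR NE43 fault currents, the 0%/50%/100% rising and falling calibration points, and the trip/pre-alarm activate and clear points with their dead band, all compared against loop documentation values. The set points, tolerances, tag names and readings are constructed for illustration.

```python
from dataclasses import dataclass

# NAMUR NE43 current bands in mA. The 21.2 mA and 3.5 mA values driven by the
# signal simulator in the procedure lie inside the failure bands.
NE43_FAIL_LOW_MAX = 3.6     # <= 3.6 mA: downscale failure signal
NE43_MEAS_LOW = 3.8         # 3.8 .. 20.5 mA: measurement, incl. saturation
NE43_MEAS_HIGH = 20.5
NE43_FAIL_HIGH_MIN = 21.0   # >= 21.0 mA: upscale failure signal


def ne43_status(ma):
    """Classify a loop current the way an NE43-conformant readout should:
    a reading in either failure band must be shown as a bad measurement."""
    if ma <= NE43_FAIL_LOW_MAX:
        return "fail_low"
    if ma >= NE43_FAIL_HIGH_MIN:
        return "fail_high"
    if ma < NE43_MEAS_LOW or ma > NE43_MEAS_HIGH:
        return "saturated"
    return "good"


def ma_to_pct(ma):
    """Percent of span for a linear 4-20 mA signal."""
    return (ma - 4.0) / 16.0 * 100.0


def calibration_findings(points, tolerance_pct):
    """points: (pct_applied, ma_read) pairs from the rising and falling passes
    at 0%, 50% and 100%. Returns the points outside tolerance (percent of span)."""
    findings = []
    for pct_applied, ma_read in points:
        error = ma_to_pct(ma_read) - pct_applied
        if abs(error) > tolerance_pct:
            findings.append((pct_applied, ma_read, error))
    return findings


@dataclass
class TripSpec:
    tag: str
    direction: str      # "high": activates rising, clears falling; "low": reverse
    setpoint: float     # documented set point, engineering units
    deadband: float     # documented dead band, engineering units
    tolerance: float    # acceptance tolerance for set point and dead band


def trip_findings(spec, activate_eu, clear_eu):
    """Compare the as-found activate and clear readings with loop documentation.
    Returns a list of findings; an empty list means the trip passed."""
    findings = []
    if abs(activate_eu - spec.setpoint) > spec.tolerance:
        findings.append(f"{spec.tag}: activates at {activate_eu}, "
                        f"documented set point {spec.setpoint}")
    # Dead band is the distance between the activate and clear points.
    if spec.direction == "high":
        found_db = activate_eu - clear_eu
    else:
        found_db = clear_eu - activate_eu
    if found_db < 0:
        findings.append(f"{spec.tag}: clear point lies beyond the activate point; "
                        "check the readings or the trip configuration")
    elif abs(found_db - spec.deadband) > spec.tolerance:
        findings.append(f"{spec.tag}: dead band {found_db:.2f}, "
                        f"documented {spec.deadband}")
    return findings


def evaluate_record(record):
    """record: as-found readings for one loop; returns every finding."""
    findings = []
    for ma in record["fault_currents"]:
        if not ne43_status(ma).startswith("fail"):
            findings.append(f"{ma} mA is not in an NE43 failure band")
    for pct, ma, err in calibration_findings(record["calibration"], record["cal_tol_pct"]):
        findings.append(f"calibration at {pct}%: read {ma} mA, error {err:.2f}% of span")
    for spec, act, clr in record["trips"]:
        findings.extend(trip_findings(spec, act, clr))
    return findings


# Constructed as-found record for a flow transmitter loop (hypothetical tags).
SAMPLE_RECORD = {
    "fault_currents": [21.2, 3.5],
    "cal_tol_pct": 0.25,
    "calibration": [(0, 4.00), (50, 12.02), (100, 20.01),      # rising
                    (100, 20.01), (50, 12.09), (0, 4.01)],      # falling
    "trips": [
        (TripSpec("FSHH-101", "high", 150.0, 3.0, 1.0), 150.4, 147.2),
        (TripSpec("FSLL-101", "low", 20.0, 2.0, 0.5), 19.8, 21.9),
    ],
}

if __name__ == "__main__":
    for line in evaluate_record(SAMPLE_RECORD) or ["all checks within tolerance"]:
        print(line)
```

The falling 50% point in the sample record is outside tolerance while the rising one is not, which is the hysteresis the repeat-decreasing pass in the procedure exists to catch.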

I.4.2 Flow transmitter—In line

Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR NE43, by performing the following steps:

1) connect the simulator to the instrument loop being tested

2) drive the output current to 21.2 mA (a different value may be selected by the user with assurance that upscale overdrive has taken place) and verify readout device indicates bad measurement

3) drive the output current to 3.5 mA (a different value may be selected by the user with assurance that downscale overdrive has taken place) and verify readout device indicates bad measurement

4) disconnect the simulator from the loop being tested

NOTE 1 The full proof test of in-line meters such as vortex, coriolis and magnetic presents some challenges in that the only way to fully check process measurement input into the electronics is through the use of a master comparison meter or a prover connection, with installation provisions provided for during design and construction, or by removal of the meter for calibration check in a flow lab (removal of the meter for testing in a lab can probably only be done or planned for during a scheduled shutdown).

NOTE 2 Another possible consideration for “proof testing” the operation or calibrated flow range of orifice plates and in line meters is the use of clamp on ultrasonic flow meters in order to somewhat prove in specification performance between shutdown intervals.

5) shortly after start-up, temporarily install clamp-on ultrasonic flow meters, either upstream or downstream of in line flow meter to best fit operation of clamp-on

6) with plant operational constraints, open and close selected control valve or block valve to vary flow and document readings from both flow devices

7) at some selected interval recheck/prove in-line meter reading against temporary clamp-on meter

I.4.3 Flow transmitter - Using master meter or prover loop

1) install the master meter (or prover) and transmitter using the plant operations operating procedure

2) install the necessary data collection components to collect and compare data points from both the meter under test and the master meter

3) follow the plant operating procedure to have the same process fluid flow through both the master meter and the meter under test

4) close the downstream block and check the zero value and zero stability of both meters and document results

5) open downstream block valve and check reading of both meters at normal flow rate and document results

6) if the trip flow rate for the meter under test is lower than the normal operating range, the second test point should be flow rate at which trip is designed to occur. This may need to be achieved by closing the downstream block valve. Document results from both meters.

7) if the trip flow rate for the meter under test is higher than the normal operating range the second test point should be the closest rate to the value which can be achieved. This may require extraordinary operating provisions approved by plant operations. Document results from both.

I.4.4 Flow transmitter—Testing/Checking in flow lab

1) follow plant operating procedure for removing meter from line

2) inspect meter internal component for any extraordinary damage or wear which may necessitate a complete replacement

3) send meter to flow test lab. Lab will need flow performance specification requirements. If tests show re-calibration is necessary, lab must show results that the re-calibrated meter performance is repeatable; otherwise a replacement meter should be purchased.

4) upon receiving tested meter from flow lab, inspect and re-install ensuring proper alignment of body with piping and gaskets

5) using appropriate hand held electronic communicator, set transmitter output to 4 mA and verify reading on HMI. Perform a 4 mA trim on transmitter if required.

6) follow plant operations procedure to fill line with process fluid. Close downstream block valve and verify zero reading of meter. Re-zero if required then open downstream block valve.

I.4.5 Flow switches

1) obtain work permit from Operations to ensure the flow switch can be checked safely without impacting Operations and prepare to open flow switch electronics enclosure following manufacturer instructions

2) open flow switch electronics enclosure and connect one digital voltmeter (DVM) across load side of switch contacts and second DVM to measure voltage signal output

3) start feed pump, open flow block valve and ensure that flow switch alarm contact is closed (measuring 24 VDC on load side) and the critical interlock is not engaged on the DCS. Record voltage signal output.

4) instruct the operator to close flow block valve. Ensure that the flow switch contacts open and critical interlock engages. Measure the flow switch voltage signal and record. If the interlock fails to trip, investigate to find out the failure and report/document findings.

5) open flow block valve and ensure that the flow switch contacts close and the interlock resets (operators must reset the interlock)

6) turn equipment back over to Operations with instructions to reinstall the car seal on the manual valve

I.5 Level

I.5.1 Level transmitter—Differential pressure

Using a 4-20 mA signal simulator, verify the transmitter fault logic, per NAMUR NE43, by performing the following steps:

1) connect the simulator to the instrument loop being tested

2) drive the output current to 21.2 mA (a different value may be selected by the user with assurance that upscale overdrive has taken place) and verify readout device indicates bad measurement

3) drive the output current to 3.5 mA (a different value may be selected by the user with assurance that downscale overdrive has taken place) and verify readout device indicates bad measurement

4) disconnect the simulator from the loop being tested

5) perform the following steps for verification of transmitter input processing and trip check:

1) ensure root process isolation valves to transmitter are closed

2) relieve pressure and equalize pressure on the high and low sides of the sensing diaphragm; check that the zero mA output reads 4 mA and trim the mA output if necessary; record as-found and as-left

3) if the process service is dirty or prone to plugging, it may be necessary to check for plugged taps, i.e., remove the diaphragm seals, check, and reinstall with new gaskets

4) connect the calibrated pressure source to the process side of the transmitter downstream of the process isolation valve(s). If the process does not have a set-up for testing the transmitter in process, then connecting to the impulse piping, or disconnecting the process seal and installing a test flange, is acceptable

5) set the calibrated pressure source to allow simulation of the input pressure over the calibrated range of the transmitter. Perform a calibration check rising at 0%, 50% and 100% of calibrated range and verify readings at HMI concur, repeat process decreasing.

6) set the pressure source to the lower range (zero) of the transmitter

7) increase the simulated pressure until the low pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document that pre-alarm and trip clear at correct set point. Verify the dead band setting on the trip is correct.

8) increase the simulated pressure until a high pressure pre-alarm and trip occur as indicated by the loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set point. Make sure to approach the pre-alarm and trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point.

9) increase the pressure to the high range limit for the transmitter and verify the upper limit is accurate

10) decrease the simulated pressure until the high pressure trip and pre-alarm clear as indicated by loop documentation (if applicable). Verify and document that trip and pre-alarm clear at correct set point. Verify the dead band setting on the trip is correct.

11) decrease the simulated pressure until a low pressure pre-alarm and trip occur as indicated by loop documentation (if applicable). Verify and document that pre-alarm and trip occur at correct set point. Make sure to approach the pre-alarm and trip point in such a manner as to ensure accurate testing results. This is more important when dealing with analog trip settings on trip amps where there is no digital readout and set point.

12) return the pressure to the lower range limit to check the repeatability of the transmitter

13) document as-found and as-left alarm and trip settings, and calibration check points on appropriate place in test procedure along with any adjustments which were made

14) disconnect and close up the process connection for the pressure source

15) verify that process isolation valve(s) is open

I.5.2 Level switches—Tuning fork

Development of proof test procedures for this type of device must take into consideration the process potential for plugging, corrosion and density effects. Some devices of this configuration have high levels of on-board diagnostics, which can “proof-test” operation with the press of a button or turning of a key. Even with this type of configuration, the tuning fork needs to be removed, visually inspected and tested operationally on some periodic basis. Typical steps:

1) notify plant operations that the device is to be taken out of service

2) press or turn the test key on the electronic unit and confirm operation on the HMI/logic solver in the control room

3) visually inspect the condition of level switch housing for corrosion, damaged conduit/wire entry and other issues, which could impact MI

4) test/verify settings such as density

5) per plant operations procedures/constraints raise the tank level to actuation point and check for positive confirmation in control room

6) if raising level in tank is not safely possible, remove the switch from service and place in container of liquid with similar density and check for positive confirmation in control room.

7) check tuning fork and tank nozzle for signs of corrosion and process coating, take corrective actions necessary

8) re-install switch assembly and place back into service per plant operations guidelines

This procedure is intended for use in on-line testing but is applicable for off-line testing as well.

I.6 Process analyzers

Process analyzers should be calibrated in accordance with manufacturer’s specific instructions.

Signals from process analyzers to SIF are typically current signals representing values and ranges of SIS equipment being measured. Verification of correct set points for pre-alarm and trip values should be done using current sources in like manner to that for other current transmitters. (See mA pressure transmitter above.) Document as-found and as-left values.

I.7 PES logic solver

Before the advent of programmable devices using multiple I/O, proof testing was conceptually relatively straightforward, giving rise to the concept of an end-to-end test of the complete SIF. In today’s world, the logic solver is most often a system unto itself and is involved in multiple SIF. This significant increase in complexity, designed to provide greater flexibility while lowering cost and balancing reliability, makes it necessary to thoughtfully consider how to perform effective proof testing. There are two major aspects that must be considered. The first is that the logic solver health, independent of any individual SIF, needs to be adequately validated. Checking the utilities needed by the logic solver to function correctly would also fall into this category. The second is that the individual SIF need to be tested as they always have. However, even here, there has been an increase in complexity at times, with voted sensors and sensors/final elements being shared by multiple SIF, making a segmented approach more appropriate than a seemingly infinite number of end-to-end tests.

There are several methods to test the logic solver, each with different purposes and effectiveness, depending upon the design stage, whether in operation, and whether following a change during the operational time of the facility. The following subclauses provide some guidance as to when a particular method is useful and what type of validation is performed.

I.7.1 Logic solver stand alone test procedure

This part of the overall SIS validation is not part of the specific SIF proof tests. The MI program should address the inspection and testing of logic solver hardware, diagnostics (e.g., watchdog timer and stuck-on/stuck-off input/output diagnostics), and the application program that are not tested as part of individual SIF tests. Testing of logic solvers for SIF is not practical while the process is operating to perform its designated function. Therefore the full functionality of the logic solver should be tested and validated prior to placing the SIF in operation as a layer of protection for the process. Further testing of the logic solver should be performed at the scheduled down time for the process and any time the SIF is taken out of service for application program changes.

By testing the individual SIF, the application program should be adequately tested. However, there are other aspects of the logic solver that merit further testing to ensure continued reliability of performance. These include, but are not necessarily limited to:

validate preprogrammed function blocks within the PES that are not part of the equipment supplier’s standard library of function blocks, typically at the Factory Acceptance Test (FAT), rather than the Site Acceptance Test (SAT). For those function blocks that fall into this category, the following is recommended:

identify those function blocks that are used within the SIS. For this purpose, different versions of a preprogrammed function block that accomplish the same result are considered to be different function blocks.

for each different preprogrammed function block that is used, at least one instance of this block should be validated by testing all combinations of initiators

when testing combinations of trip signals, the effects of transmitter bypasses, operator bypasses, and "transmitter bad quality" should be considered and tested. For a typical two-out-of-three function block, this will result in substantially more than three tests.

for a preprogrammed function block, features that can be tuned individually for each instance of the block should be thoroughly validated for each block

if SIS operation can be affected by an individually tuned parameter, each instance of the block should be thoroughly validated

verify that the system is fully functional and is not operating in a degraded state. It is possible in many cases for an SIS to be in a degraded state, with major failed components, and still be capable of providing appropriate responses due to system redundancy and other safeguards.

validate that the system diagnostics are fully functional

during the FAT this includes more rigorous fault insertion type testing

during an SAT/initial validation or subsequent revalidations, the level of rigor that can be achieved at an FAT is not practical. Nevertheless, checks should be made that include:

check of all diagnostic systems statistics

check that system diagnostics are active in accordance with manufacturer recommendations

function check status alarms for each device in the system. Pull each module and watch for status alarm on alarm summary. Disconnect cabling and check for status alarms. Also pull each power supply and fail each I/O card.

if redundant power feeds are used, confirm that the loss of one power feed will generate status alarm while leaving system healthy

verify that no significant PES or hardwired system diagnostic alarms are generated during the course of validation. If so, the cause should be determined immediately, and the situation rectified and noted in the SAT/FAT document.

check status of power supplies (including backup power supplies) in the system, and ensure that there are no power supply system alarms

check status of communication buses in the system (such as: I/O Bus, Module Bus, Data Highway, etc), and that there are no communication system alarms

check status of I/O modules (specifically any redundant I/O cards), and that there are no I/O module system alarms

check status of logic solvers (specifically any redundant pair), and that there are no system alarms

verify that all firmware and application program revisions are consistent and are in accordance with manufacturer recommendations

the PES is configured per manufacturer specific certification requirements and user standards or approved documented modifications to those requirements

verify proper fail-to-safe modes are set properly in each I/O channel

check of all communications networks including visual inspection of wiring for proper supports

check that the logic solver scan time and statistics are properly tuned to ensure optimum performance. Make sure adequate free memory exists for future on-line/off-line configuration changes.

verify that all module power-up initialization logic works properly. Ensure that all shutdown set points are retained through power down and power up initialization of the logic solver.

perform redundancy checks on all redundant modules and racks. Remove or generate an error on the primary module/rack and verify that the backup module/rack takes control. Restart the primary module/rack and verify that it returns to a healthy state as a backup unit.

confirm that both the primary and redundant have identical configurations at the completion of staging

make backup copies of all logic solver and operator interface configurations at the completion of staging. At subsequent revalidations, run a compare of the master copy versus the “as-found” copy.

check that the PES is locked, secure, and cannot be changed (manually or via electronic means) unless appropriate management of change procedures are used

I.7.2 SIF logic solver test procedure when connected to field equipment

This procedure builds upon the test procedure documented in paragraph H.7.1 and applies to logic solvers that have been installed in the field. It encompasses the initial validation proof test when first installed as well as subsequent proof tests as part of the mechanical integrity program for the life of the installation.

The following is a generalized version of specific tests that should be conducted using a 2oo3 sensor architecture example connected to the logic solver:

Typical special tools for use in testing the logic solver may include but not necessarily be limited to:

digital volt meter (DVM)

stopwatch

HART – smart communicator

reference documentation for SIF logic (e.g., wiring diagrams or application program specification)

Specific checks:

for new installations, all alarm inhibits on listed tags should be removed prior to testing. For existing facilities, any alarm inhibit found represents a failure that should be documented.

confirm pre-alarm set point in logic solver

confirm initiation set point in SIS logic solver

confirm time delays in SIS logic solver

transmitter "A" value trip level (verify vote to trip and deviation)

transmitter "A" value bad quality (verify vote to trip)

transmitter "B" value trip level (verify vote to trip and deviation)

transmitter "B" value bad quality (verify vote to trip)

transmitter "C" value trip level (verify vote to trip and deviation)

transmitter "C" value bad quality (verify vote to trip)

"A" high high and "B" bypass and trip level (verify no trip)

"A" high high and "C" bypass and trip level (verify no trip)

"B" high high and "C" bypass and trip level (verify no trip)

"B" high high and "A" bypass and trip level IF only one transmitter b ypass then trip level (verify no trip)

"C" high high and "A" bypass and trip level (verify no trip)

"C" high high and "B" bypass and trip level (verify no trip)

bring one pair (or single) to pre-alarm (verify alarm)

bring same initial set (or 1) to trip value (record pair tested) (verify trip actions)

bring different set of initiators to trip value (record pair tested) (verify trip signal in PES)

bring different set of initiators to trip value (record pair tested) (verify trip signal in PES)

run a comparison check of the master reference copy of application program versus the current application program
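The 2oo3 vote-to-trip, bypass, bad-quality, deviation and time-delay behaviour that the checks above exercise, as an added worked example (not part of the technical report or any vendor's logic solver): a small Python model of the voting group together with a routine that walks the listed checks against it. The setpoints, the fail-safe treatment of bad quality, the 1ooN pre-alarm and the rule that only one channel may be bypassed at a time are assumptions; the real values and degradation behaviour come from the SRS.

```python
from dataclasses import dataclass

@dataclass
class Transmitter:
    name: str
    value: float            # process value (constructed units: % of range)
    good_quality: bool = True
    bypassed: bool = False  # maintenance bypass: channel takes no part in the vote

@dataclass(frozen=True)
class SifConfig:
    pre_alarm_sp: float = 90.0    # constructed setpoints; real values come from the SRS
    trip_sp: float = 95.0
    trip_delay_s: float = 2.0     # votes must persist this long before the trip acts
    deviation_limit: float = 5.0  # max spread between healthy channels before deviation alarm

@dataclass(frozen=True)
class Result:
    pre_alarm: bool
    deviation_alarm: bool
    votes_to_trip: tuple
    trip: bool

class Vote2oo3:
    """High-high trip for a 2oo3 transmitter group under the assumed voting rules."""

    def __init__(self, cfg: SifConfig):
        self.cfg = cfg
        self._vote_since = None  # time at which two channels first voted to trip

    def evaluate(self, xmtrs, now_s: float) -> Result:
        cfg = self.cfg
        active = [x for x in xmtrs if not x.bypassed]
        if len(active) < 2:  # assumption: a second simultaneous bypass is not permitted
            raise ValueError("only one transmitter may be bypassed at a time")
        healthy = [x for x in active if x.good_quality]
        # a bad-quality channel votes to trip (fail-safe); a bypassed channel never votes
        votes = tuple(x.name for x in active if not x.good_quality or x.value >= cfg.trip_sp)
        pre_alarm = any(x.value >= cfg.pre_alarm_sp for x in healthy)  # assumed 1ooN
        values = [x.value for x in healthy]
        deviation = len(values) >= 2 and max(values) - min(values) > cfg.deviation_limit
        # two votes are always required, so with one channel bypassed the group is 2oo2
        if len(votes) >= 2:
            if self._vote_since is None:
                self._vote_since = now_s
            trip = now_s - self._vote_since >= cfg.trip_delay_s
        else:
            self._vote_since = None
            trip = False
        return Result(pre_alarm, deviation, votes, trip)

def _fresh():
    # three healthy channels well below pre-alarm (constructed normal state)
    return [Transmitter(n, 50.0) for n in "ABC"]

def _get(xmtrs, name):
    return next(x for x in xmtrs if x.name == name)

def run_checklist(cfg: SifConfig = SifConfig()) -> dict:
    """Walk the checks listed above against the model; returns {check: passed}."""
    results = {}
    for name in "ABC":
        x = _fresh()
        _get(x, name).value = cfg.trip_sp  # one channel at trip: votes, deviates, no trip
        r = Vote2oo3(cfg).evaluate(x, 0.0)
        results[f"{name} trip level"] = r.votes_to_trip == (name,) and r.deviation_alarm and not r.trip
        x = _fresh()
        _get(x, name).good_quality = False  # one channel bad quality: votes, no trip
        r = Vote2oo3(cfg).evaluate(x, 0.0)
        results[f"{name} bad quality"] = r.votes_to_trip == (name,) and not r.trip
    for hh, byp in (("A", "B"), ("A", "C"), ("B", "C"), ("B", "A"), ("C", "A"), ("C", "B")):
        x = _fresh()
        _get(x, hh).value = cfg.trip_sp
        b = _get(x, byp)
        b.value, b.bypassed = cfg.trip_sp, True  # a bypassed channel at trip must not count
        v = Vote2oo3(cfg)
        seen = [v.evaluate(x, t) for t in (0.0, cfg.trip_delay_s + 1.0)]
        results[f"{hh} high high, {byp} bypass"] = not any(r.trip for r in seen)
    x = _fresh()
    _get(x, "A").value = cfg.pre_alarm_sp
    results["single channel pre-alarm"] = Vote2oo3(cfg).evaluate(x, 0.0).pre_alarm
    for pair in (("A", "B"), ("B", "C"), ("A", "C")):  # each pair must trip after the delay
        x = _fresh()
        for n in pair:
            _get(x, n).value = cfg.trip_sp
        v = Vote2oo3(cfg)
        before, after = v.evaluate(x, 0.0), v.evaluate(x, cfg.trip_delay_s)
        results[f"pair {pair[0]}{pair[1]} trips after delay"] = not before.trip and after.trip
    x = _fresh()
    _get(x, "A").bypassed = _get(x, "B").bypassed = True
    try:
        Vote2oo3(cfg).evaluate(x, 0.0)
        results["second bypass rejected"] = False
    except ValueError:
        results["second bypass rejected"] = True
    return results
```

Every entry in the returned dictionary corresponds to one line of the checklist, so a failed entry points directly at the as-found condition to record.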


For each action above, the “as-found” condition or state should be documented.

Some of the checks above may be performed while the plant is running. To proof test the final element under the most realistic conditions and maximize its proof test coverage, it can be useful to incorporate that check into a scheduled shutdown. Any checks or tests that cannot be performed while running, or via the transition from running to off-line, must be performed off-line while the plant is not running.

Following the tests and prior to restoring the SIS to operation:

remove any overrides applied for testing

return sensors to their normal operating state and remove test equipment

ensure all are left in a safe state and passed back to Operations

ensure that the work area is safe, and left in a clean and tidy manner

sign-off relevant work permit and return to the area authority for close out

record any maintenance history in the maintenance management IT system preventive maintenance work order

raise a malfunction report for any failure that would have prevented the protection from performing its function

I.7.3 Logic solver simulation test procedure

Prior to field installation, or prior to implementing application program changes to an installed logic solver in the field, it can be useful to test the application program off line. One means to accomplish this is with a simulator. In this instance, the test program is developed in a simulation program using another PE logic solver. Connection to the logic solver for testing is similar to above. However, the use of such a simulation requires complete validation of the simulation program in the simulator prior to testing the SIS logic solver. The simulation might also be used in training operators in the functionality of the SIF and confirming that the application program meets the SRS. In some instances this simulator might operate in an automated mode in performing the test. The actual test procedure as outlined in 7.1 should also be accomplished to the greatest extent possible.

This approach supports both factory acceptance training and on-going training. Maximizing the opportunity to test at the factory prior to shipment and field installation decreases the potential for issues to occur in the field, where diagnostic troubleshooting tools are more limited in comparison to what can be done at the manufacturer's site.

I.7.4 PE logic solvers not connected to field or simulators

Testing PE logic solvers that are not yet connected to field devices or a simulator is limited to manual testing of the application program using the PE logic solver configuration device. This is an action that primarily takes place during initial programming and configuration of the PE logic solver for the SIF application. Since changes are numerous during this activity, formal documentation of this “testing” should not be necessary. The final application program documentation should reflect the results of this testing.

I.8 HMI

The testing guidance below assumes that the HMI does not write to the SIS. The only write to the SIS is a manual emergency stop that is a hardwired input to the SIS. Emergency trips initiated within the BPCS are assumed to be in series with the SIS outputs.

The Human Machine Interface (HMI) displays related to safety should be tested at the same frequency as the full SIF. When changes are made to information displayed in the HMI, the changes should be tested to confirm that the appropriate status is displayed. If the HMI is used to provide a manual initiation of the SIF, this function should be tested during each revalidation of the SIF.

All indications of SIF variables that are displayed on a human machine interface, whether within the BPCS operator workstation, a separate operator display station, or lights on a panel, should be verified as each variable is tested. The correct range of process variable, the pre-alarm and trip set points, and any other variable information that is provided should be verified and documented during the testing. Both as-found and as-left values should be documented. Where multiple pages (video, CRT, etc.) of SIF information are provided, all displayed pages should be verified for appropriate labeling and access control.

Testing of the HMI during normal operation of the process should be done any time that there is an indication of a malfunction of the HMI display itself. This could result from a fault in an input to the display or a fault in the display component itself. When repairs are made or a HMI is replaced, all features of the original HMI specified for the SIF should be tested.

On-line testing of the HMI is not required unless changes have been made in the information presented to the operator. Any changes that modify information to the operator about the status of the SIF should be tested when they are made and verified as being appropriate.

I.9 Communications

Communications between the SIF and other control equipment such as the Basic Process Control System (BPCS) should be tested at the same frequency as the SIF. When performing the initial SAT and completing full proof tests of the SIF, the testing should include all communication to auxiliary equipment such as the DCS. When changes are made to the communications links between the SIF and any other equipment, testing should confirm that appropriate information is being communicated.

Where provided, all communications with other systems such as the BPCS should be tested to verify correct transfer of information and data between the SIF and other system(s). All information transferred should be verified by comparing the sent information with the received and displayed information on the system(s) other than the SIF.

Techniques used for blocking communications from the BPCS operator workstation to the SIF that could lead to application program changes in the SIS should be validated. Attempts at changing the SIF application program should be made from the BPCS operator workstation to verify that this action cannot take place. The security technique used to protect against changes to the firmware or application program from the configuration station should also be tested. If this technique involves connecting the configuration station only when changes are to be made, verify that another PES station cannot perform this function. If password protection is the technique used, verify that the password meets the company’s requirements for password strength. This is especially important if the SIF display station is also used as the configuration station with key lock or password protection.

Where a separate operator display station is provided for the SIF, tests should confirm that changes to the application program in the SIF cannot be made from this station.

Communications between other systems and the SIF should be tested on the same schedule as the logic solver and at any time there is an indication of a malfunction of the communication link. If communication with another system has an impact on the safety integrity of the SIF, the test interval included in the integrity evaluation should be used. Any on-line testing of a communication link should not reduce the capability of the SIF to perform its function.

Any changes made to communications between the SIF and any other system should be tested when the changes are made. It is not recommended that changes be made while the SIF is providing protection to the process, as these change activities could result in nuisance trips of the SIF or in program errors, which could render the SIF incapable of performing its function.

I.10 Power supplies

Perform the following inspections and tests under typical load and use points. For revalidations, most of these can be performed while the plant is running:

measure and record voltage

measure and record current

measure and record ohms to ground (anything less than or equal to 2.0 ohms is considered an incipient failure and must be corrected)

inspect to ensure that the isolated ground system has not been compromised

measure power quality and ensure the absence of AC ripple. AC ripple is considered a dangerous failure and must be corrected.

test that both over and under voltage diagnostics function and take appropriate action

test that over current diagnostics function and take appropriate action

test any other external power supply and interrupts triggered by SIS application program

Any measurements outside of the defined acceptable range need to be noted in the as-found documentation and then repaired.

I.11 Interposing relays

An interposing relay is either an electromechanical or a solid state relay whose function is to accept as input a low level (e.g., current, voltage) signal and provide as output a higher level signal. In process control the input source is typically the output card of an industrial control system (e.g., SIS, BPCS, PLC, DCS) and the output is connected to plant floor loads (e.g., final elements such as motor control circuits, or electromagnetic valves).

refer to the segment testing guidance (e.g., from sensor through logic solver to final element) and verify that the interposing relay is functioning properly (e.g., output power off when input power is off and vice versa)

perform test on each segment connected to the interposing relay

perform test for each unused interposing relay output using terminal block wiring locations where applicable

confirm interposing relay mounting is secure (e.g., tighten mounting screws)

confirm wiring to terminals is secure (e.g., tighten terminals)

for an electromechanical relay, inspect each contact for degradation (e.g., oxidation due to low-energy output current, poor colorization due to overheating or excessive duty cycle)

for a solid state relay, confirm output leakage current is not exceeding nameplate level

compare test plan to manufacturer requirements and perform tests not listed above

I.12 Final element testing

Final elements are in general the most likely component to fail when a demand is placed on the SIF. The most common failures involve seat leakage rates, solenoid coil failures, and fouling of the valve preventing closure. These devices fall into two categories of operation: those that typically remain in one position for long periods of time without moving and those that operate frequently as part of normal operation. The test program needs to examine the specific application and determine what testing and preventive maintenance is required for a particular final element. The process operating conditions can be severe, thus contributing to potential failures. Unlike transmitters and logic solvers, the final control elements contain many moving parts, which must function together to accomplish the desired action they are specified to perform. This means that the performance of the valve depends not only on a good test program, but also on an effective preventive maintenance program. For instance, some companies perform a rebuild of SIS valves and actuators every six years to replace packing, check corrosion on springs, replace o-rings, and lubricate moving parts.

Many installed final elements utilize common process utilities, such as compressed air, electricity, and hydraulics, which, should they fail, could render multiple devices unavailable. An example of this would be an air supply that is required to close two valves in a redundant configuration. If the air supply fails to provide the necessary pressure or volume to move either of the valves, the SIF will fail to accomplish its function.

The test interval may need to be modified based on the severity of the service the valve encounters. Temperature (high or low), erosion, and corrosion are a few of the factors which may have an impact on changes to the testing frequency.

A visual inspection according to an approved procedure should be carried out regularly. See Annex E for a sample procedure or checklist for this visual inspection.

Some final element testing includes testing the speed of closure of the valve. There are several things to be aware of when performing this test. Valves with soft seats will deform when the valve is stroked. It will take about 24 hours for the seat to re-form after the valve is stroked. This can lead to error in the speed at which the valve will perform during an actual demand. Where you have soft seats, make sure you leave the valve in the operational position long enough to ensure an effective test of the valve speed during an actual demand.

Other devices used as final control elements such as motors should be tested at the frequency used in the performance calculations for the SIF.

When the final element is part of more than one scenario, the final element has to be tested according to the highest SIL-level requirements.

I.12.1 Valves

Before developing the testing procedures for valves you should identify the critical requirements for successful operation, such as speed of operation, the leakage requirements, and fail-to-open or fail-to-close position.

The appropriate test interval as final control elements depends on a number of factors:

type of valve used as the final control element

service in which the valve is applied

whether the valve is used during normal operation or as a standby valve for use only when the SIF takes action

whether the valve must provide minimal leakage isolation or some leakage can be tolerated

whether the valve actuator has a spring to drive it to the safe state or it depends on motive power to drive it in both directions

A proof test of an SIF valve should include full stroking of the valve, inspection, and leak tightness as required. During the test the stroke time, feedback signals, leak test and inspection should be recorded on the testing documentation. Stroking time is measured from the output signal change to the valve position change, not just from start to finish of the valve stroke. Pre-stroke dead time, as the actuators fill or exhaust and achieve breakaway force on the valve, is generally the longest time component of the total stroke time.

I.12.1.1 Solenoid operated valves

Verify solenoid valve normal and trip condition status. If solenoid is normally energized during process operation, verify that coil is energized and no air is venting through vent port. If solenoid is normally de-energized during process operation, verify that coil is de-energized and vent port is open to vent. De-energize or energize coil as required and verify that air is either vented from valve actuator or applied to valve actuator as required by the SRS. Verify that solenoid installed position allows gravity assist in taking valve to de-energized position. For examples of testing solenoid valves see example procedures for testing of final control elements.

Solid state outputs have leakage current when they are “off.” Pilot operated solenoid valves generally have very low hold-in current requirements when in the “on” position. The result may be that the solenoids may not move to “off” position when the solid state output commands “off” since the leakage current holds the solenoid “on”. Periodically check a few of the solid state outputs to ensure their “off” leakage current has not increased above rated value.

I.12.1.2 Leakage testing

For many SIS valves the leakage test is the most important and most often the reason for valve failure. Selection of the appropriate leakage rate can be difficult and often results in conservative leakage requirements. In most cases, the seat leakage for control valves is defined by a leakage class as defined by ANSI/FCI 70-2 and IEC 60534-4. The classes range from Class I where no testing is required to Class VI, which is bubble tight for gas service. For block valves API 598 provides a listing of maximum allowable leakage rates for closure tests.

When there is not a RAGAGEP identifying the proper leakage rate for the valve, what do you need to consider when determining whether the valve passes or fails the leakage requirements? In many cases the valve is designed to the requirements of the process, but not the process safety requirements. For example you have a double block and wedge design where nitrogen is used as a wedge in-between the valves to ensure that if there is a leak the nitrogen leaks into the process and prevents the process from leaking through both valves. In this case you want a tight shut off, but if the valves leak it is just an economic problem. Would the leakage rate be critical to the operation of the SIS? It may not be.

Where the leakage of a valve could prevent the SIS from achieving or maintaining a safe state of the process, the leakage rate will need to be included as part of the pass/fail criteria. Involve the process engineers. This decision will be very process and SIF specific. Include in your determination:

the design of the final element configuration (single valve, double block, double block and bleed, double block and wedge)

the pressures on each side of the valve

how much of a leak will prevent the SIS from achieving or maintaining a safe state of the process

There are several sources for information on how to perform a leakage test. For gas-fired systems the NFPA 86 standard in section A.7.5.9 and FM 6-0 in section 2.12.6 provide testing methods for gas shut off valves. When you use the FM test procedure, a leaking valve downstream could cause an error in the test.

In-line testing of the block valve avoids the cost of removal of the valve, which can be very expensive. This procedure means that the user may need to provide the manual block valves and testing ports needed to perform the test.


The typical method for testing the valve closure requirements falls into two categories: gas and liquid. The method for gas used in fired equipment involves blocking in the downstream side of the valve, applying a specific pressure to the upstream side and measuring the number of bubbles leaking through the valve. NFPA specifies the use of a ¼" tube inserted between ⅛" and ¼" below the surface of the water. It is important to minimize the volume in the piping between the test valve and the downstream block valve. The user will need to time the test to identify the number of bubbles per minute for the leakage test. Generally it is good practice to wait 2-3 minutes after applying pressure before starting the test. This method can be applied to non-fired equipment as well.

For liquid services, the line is filled with liquid including the valve cavity before performing the test. The leakage from the valve is captured in a container over a specified time and measured to determine the leakage rate. As with the gas leakage test the user will need to provide time for the leakage to stabilize before starting the test.

Other leak test methods for non-fired equipment valves depend on the allowable leak rate for the SIF. If large leak rates are acceptable for the SIF, a highly accurate existing (or temporary, such as clamp-on) flow meter can be used. For lower leak rates the ideal gas law concept can be used. This involves blocking in the upstream side of the SIF valve and introducing and monitoring the pressure between the valves. Using the ideal gas law PV=nRT, the amount of pressure drop can be converted into a leak rate. For an accurate calculation, ensure enough time is taken to perform this test (10-15 minute pressure test), and be cautious of external influences (such as ambient temperature changes).
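The ideal-gas conversion described above, as an added worked example (not from the technical report): a Python routine that turns the pressure decay in the trapped volume into a leak rate, uses the gas temperature at each reading so that cooling alone is not reported as a leak, and flags a test shorter than the recommended 10-15 minutes. The trapped volume, pressures, temperatures, allowable rate and the reference conditions for standard litres are assumptions.

```python
from dataclasses import dataclass

R_GAS = 8.314462618   # J/(mol*K)
P_STD = 101_325.0     # Pa, reference pressure for "standard" litres (assumption)
T_STD = 273.15        # K, reference temperature for "standard" litres (assumption)
MIN_TEST_MIN = 10.0   # the text recommends a 10-15 minute pressure test

@dataclass(frozen=True)
class Reading:
    pressure_pa: float  # absolute pressure of the gas trapped between the valves
    temp_k: float       # gas temperature at the time of the reading

@dataclass(frozen=True)
class LeakResult:
    leaked_mol: float
    std_litres_per_min: float
    passed: bool
    warnings: tuple

def moles(reading: Reading, volume_m3: float) -> float:
    """n = PV / (RT) for the gas trapped in the test volume."""
    return reading.pressure_pa * volume_m3 / (R_GAS * reading.temp_k)

def pressure_decay_leak(start: Reading, end: Reading, volume_m3: float,
                        minutes: float, allowable_std_lpm: float) -> LeakResult:
    """Convert the pressure drop over the test period into a leak rate.

    Moles are computed from each reading with its own temperature, so a drop
    caused only by the gas cooling is not reported as a leak."""
    if volume_m3 <= 0 or minutes <= 0 or start.pressure_pa <= 0 or end.pressure_pa <= 0:
        raise ValueError("volume, duration and absolute pressures must be positive")
    warnings = []
    if minutes < MIN_TEST_MIN:
        warnings.append(f"test ran {minutes:g} min; allow at least {MIN_TEST_MIN:g} min")
    if abs(end.temp_k - start.temp_k) > 0.5:
        warnings.append("temperature moved during the test; check for ambient influence")
    leaked = moles(start, volume_m3) - moles(end, volume_m3)
    if leaked < 0:
        warnings.append("pressure rose; readings are inconsistent with a leak")
    # volume the leaked gas would occupy at the reference conditions, in litres
    std_litres = leaked * R_GAS * T_STD / P_STD * 1000.0
    rate = std_litres / minutes
    return LeakResult(leaked, rate, leaked >= 0 and rate <= allowable_std_lpm, tuple(warnings))

def demo() -> LeakResult:
    # constructed test: 20 L trapped volume, 5.00 bar(a) falling to 4.98 bar(a)
    # over 15 min at a steady 20 C, judged against an assumed 0.05 std L/min limit
    return pressure_decay_leak(Reading(500_000.0, 293.15), Reading(498_000.0, 293.15),
                               volume_m3=0.020, minutes=15.0, allowable_std_lpm=0.05)
```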

I.12.1.3 On-line testing

Since the test interval to achieve the required safety integrity is often shorter than the desired operating cycle for the process, on-line testing thus becomes a desirable procedure. The test interval determination is based on required SIF integrity.

Operation of valves while on-line may result in tripping the SIF even if the valve is only operated for a portion of its full stroke capability. Redundancy of final control elements may or may not provide for on-line testing of these devices. If the redundancy is to ensure stopping a flowing stream, two final control elements, i.e., valves, will be installed in series and closing or opening either one as the case may be is not desirable while the process is in operation. On-line testing of final control elements is the most difficult portion of the testing required for SIF.

Techniques have been devised to allow some measure of testing of final elements, particularly valves. These include use of manual block valves around the SIF valve for use while the testing is being performed. A drawback of this approach is high capital cost and the chance of leaving the manual block valves in the wrong position after a test has been performed. Using this technique requires special attention to operation of the manual valves before and during the test. See 6.5.17 on bypass cautions.

Some companies take credit for on-line valve tests when an unplanned trip of the system takes place. They verify that all valves went to their correct position as required by the trip condition and that all indications of valve position have confirmed this to be true. They then document what has occurred and take credit for this as a functional test of the valves affected. When taking such credit, consideration should be given to the performance requirements of the operation of the valve (i.e., speed of response and shutoff performance). The documentation should include the rationale for acceptance of the performance, based either on additional in-line testing while the opportunity is available or on noting that prior testing could lead one to believe the performance is adequate until the next scheduled test.

I.12.1.4 Partial stroke

One method of testing a valve is to perform a partial stroke test. ANSI/ISA-TR96.05.01-2008 provides guidance on performing partial stroke testing of automatic block valves. The user needs to be aware that partially stroking a valve does not ensure it will function to its full open or closed position or satisfy the required shutoff of the valves when called upon to do so. The test only covers part of the failure modes of the valve. The coverage factor of a partial stroking of a valve should be limited to a certain maximum, e.g., 70%.

I.12.1.5 Hydraulic slide valve

Due to their physical size, hydraulic slide valves (HSV) are usually not provided with bypass lines around them. HSVs are also rarely fully stroked on-line, because even the slightest uncontrolled change in valve position can result in a major unit upset. Therefore, on-line proof testing of HSVs is usually limited to testing up to the trip solenoid, in addition to performing periodic preventive maintenance checks. Full stroke testing of HSVs is left as a turnaround maintenance activity.

1) prior to performing any work or testing on a HSV, the following steps should be taken:

a) obtain console operator permission to perform work on the HSV

b) if HSV to be tested is associated with a SIS, obtain and complete the necessary bypass approval process including all signatures

NOTE The below information is generic in nature. For recommendations on a specific type valve, hydraulic actuator and hydraulic power unit, the manufacturer SHOULD BE CONSULTED.

Inspection and maintenance while HSV is in-service

1) perform a visual field inspection of the hydraulic slide valve installation:

a) check HSV identification signage is intact, and clearly visible - including all operational and warning signs

b) check visual integrity of all instrument and control cabling around the hydraulic slide valve and its hydraulic power unit (HPU) source

c) if HSV actuator is insulated or fireproofed, check the integrity of the insulation and fireproofing

d) check the integrity of all hydraulic lines or hoses between the HSV actuator and its HPU, especially for leaks

e) check line flanges, bonnet flange, and stem packing gland for evidence of leakage

f) on HSVs where steam purge is used, check the integrity of steam supply, and ensure steam traps are working properly

g) at the hydraulic power unit (HPU) for the HSV check and verify:

1) oil reservoir level and temperature

2) differential pressure across hydraulic pump filters for dirty filters

3) catch oil sample to prove quality of hydraulic oil, and signs of wear

4) ensure reservoir nitrogen purge pressure is positive to eliminate pulling air into the system

5) ensure all HPU process and system alarms are clear

6) ensure the standby hydraulic pump (i.e. non-running) is in auto

7) check motor vibration and amperage of the running pump

2) hydraulic slide valve operational checks:

a) partially move the HSV at least once a day to the degree feasible (without creating a unit upset) to verify the valve is not stuck in place and will move

b) verify HSV position feedback signal is working correctly

c) HSV emergency trip solenoid verification:


1) place the HSV into the locked-in place (manual) test position - which renders the hydraulic actuator to be inoperable during this test

2) by either using an actual SIF trip initiator or by forcing the SIS logic solver output, simulate the trip output signal to the HSV trip solenoid. Depending on the HSV design, this output signal will either be an "energized" or "de-energized" signal.

3) confirm the HSV trip solenoid operated correctly by observing a change in pressure via a pressure gauge that now reads the trip accumulator pressure

There should also be no change observed in the physical HSV position

4) when HSV trip solenoid testing is complete, re-establish normal function (by either restoring the SIF trip initiator or placing the SIS logic solver output back to normal state). Confirm that the command signal is equal to the position feedback signal.

5) once complete, restore the hydraulic actuator back in service by removing the locked-in place (manual) function, and return to "auto"

3) once testing is complete, restore everything back to pre-test conditions, ensure all HPU alarms are clear, one HPU pump is running/other pump is in auto-start, the HSV is in the correct process position, and notify console operator that testing is complete

Inspection and maintenance during a turnaround - while HSV is not in-service

1) perform a visual field inspection of the hydraulic slide valve installation, and replace as needed:

a) check the integrity of all hydraulic lines or hoses between the HSV actuator and its HPU, especially at threaded junctions for leaks

b) remove external insulation and examine welds for cracks

c) inspect refractory lining for erosion, spalling or excessive cracking

d) if stem packing has a history of leaking though this seal, replace the packing on the stem packing gland

e) thoroughly clean HPU reservoir and replace hydraulic fluid

f) HPU filter replacement

g) inspect and replace accumulator seals and charging valve

h) inspect and clean lock-in place solenoid valve

i) inspect and clean emergency trip solenoid valve

j) check status and calibration of all gauges and transmitters

2) hydraulic slide valve operational checks:

a) at the hydraulic power unit (HPU) for the HSV simulate and test all of the following alarms:

1) oil reservoir high and low level alarms

2) oil temperature high and low level alarms

3) high differential pressure alarm across hydraulic pump filters

b) test and verify the correct operation of the hydraulic oil pump auto-start function on low low oil pressure

1) perform auto-start test with pump A in hand, and pump B in auto

2) repeat auto-start test with pump A in auto, and pump B in hand

c) check the following data for each hydraulic oil pump:

1) pump efficiency and vibration, in comparison to previously collected data


2) motor vibration and amperage draw on pump cycling per previous data

3) motor couplings for wear and replace as necessary

d) check and verify local hand wheel operation

e) perform lock-in place test to verify that hydraulic actuator does not respond to an input command signal

f) perform trip solenoid test and verify the following:

1) HSV strokes from fully open to fully close

2) confirm stroke time in comparison to previous collected data

3) check calibration and linearity of feedback position transducer and control (for modulating valves)

g) check the number of full strokes possible with the pumps switched off and using only the accumulator pressure. Record pressure at each step, and compare results with previously collected data.

h) perform testing for each of the following scenarios, and confirm the HSV fail action:

1) loss of electrical power

2) loss of input command signal

3) loss of feedback signal

4) deviation error between feedback signal and input command signal catch

i) once turnaround testing is complete, restore everything back to pre-test conditions, and notify the console operator that testing is complete

I.12.1.6 Motor operated valve

1) prior to performing test, the following steps should be taken:

a) obtain console operator permission to perform the MOV proof test

b) obtain and complete the necessary “control of defeat form” including all signatures

2) perform a visual field inspection of the MOV installation:

a) check visual integrity of all control and power cabling around the MOV

b) check that MOV identification signage is intact, and clearly visible

c) if MOV is fireproofed, check the integrity of the fireproofing

d) check the integrity of the grease lubricant between the actuator and the valve stem. Replenish as needed.

e) check the MOV actuator to ensure all cover bolts and spare conduit entries are intact

f) if the MOV actuator is fitted with integral pushbuttons, ensure the pushbutton waterproof seals or membranes are intact

g) if MOV has a remote field mounted pushbutton station, check integrity of the pushbutton station and its associated cabling

h) at the substation (or switch rack) from which the MOV power is fed, check the integrity of the circuit breaker

3) depending on whether the MOV valve installation has a bypass line around it or not, proof testing is conducted in one of two ways:

Partial stroke test (without a bypass line)

a) position person #1 at the MOV, person #2 at the remote pushbutton station, and the electrician at the MOV circuit breaker


b) person #1 alerts the console operator and places the MOV in hand wheel manual. Hand crank the valve 25% of travel towards the closed position from the fully open position, verifying that the hand wheel is functional. Then reverse the hand wheel to move the valve back to its fully open position. Release the manual override setting/clutch.

c) person #1 operates the MOV with the MOV local OPEN pushbutton. Person #1 verifies that the valve is opening and then uses the local STOP pushbutton to stop the valve. Repeat the procedure, this time allowing the valve to go to the fully open position. Verify that all local and remote MOV status indicators are working correctly.

NOTE If instead the valve starts to go closed, person #1 radios the electrician to open the breaker and abort the test.

d) if the test was aborted, notify the console operator of the problem and have the electrician troubleshoot it before restarting the test from the beginning

e) person #1 operates the local CLOSE pushbutton. Person #1 allows the MOV to go 25% of travel towards the closed position from the fully open position (or as far as the process will allow without causing a serious unit upset). Person #1 uses the local STOP pushbutton to stop the valve. (If the valve does not stop, person #1 radios the electrician to open the breaker and abort the test.)

f) person #1 radios person #2 to operate the MOV with the MOV remote OPEN pushbutton. Person #1 verifies that the valve is opening and radios person #2 to stop the valve. Repeat the procedure, this time allowing the valve to go fully open. Verify that all local and remote MOV status indicators are working correctly.

NOTE If instead the valve starts to go closed, person #1 radios the electrician to open the breaker and abort the test.

g) if the test was aborted, notify the console operator of the problem and have the electrician troubleshoot it before restarting the test from the beginning

h) person #1 radios person #2 to operate the MOV with the MOV remote CLOSE pushbutton. Person #1 allows the MOV to go 25% closed (or as far as the process will allow without causing a serious unit upset). Person #1 radios person #2 to stop the valve using the STOP pushbutton. Verify that all local and remote MOV status indicators are working correctly.

NOTE If the valve does not stop, person #1 radios the electrician to open the breaker and abort the test.

i) person #1 radios person #2 to operate the MOV with the MOV remote OPEN pushbutton. Person #1 verifies that the valve is opening and allows the valve to go fully open.

j) if the MOV has pushbuttons in the manned control center, repeat steps e through f except using the control center pushbuttons

k) once testing is complete, restore everything back to pre-test conditions, ensure the breaker is energized (i.e., closed) and the MOV valve is in the correct position, and notify the console operator that testing is complete

Full stroke test (with a bypass line)

a) position person #1 at the MOV, person #2 at the remote pushbutton station, and the electrician at the MOV circuit breaker

b) open the bypass valve around the MOV valve to be tested. If the bypass valve is fitted with a position status indication, verify the bypass valve status changed from closed to open.

c) person #1 alerts the console operator and places the MOV in hand wheel manual. Hand crank the valve 25% closed, verifying that the hand wheel is functional.

d) person #1 operates the MOV with the MOV local OPEN pushbutton. Person #1 verifies that the valve is opening and then uses the local STOP pushbutton to stop the valve. Repeat the procedure, this time allowing the valve to go fully open. Verify that all local and remote MOV status indicators are working correctly.

NOTE If instead the valve starts to go closed, person #1 radios the electrician to open the breaker and abort the test.

e) if the test was aborted, notify the console operator of the problem and have the electrician troubleshoot it before restarting the test from the beginning

f) person #1 operates the local CLOSE pushbutton. Person #1 allows the MOV to go fully closed. Verify that all local and remote MOV status indicators are working correctly.

At this point, if desired and if facilities permit, leak testing of the valve may be performed.

g) person #1 radios person #2 to operate the MOV with the MOV remote OPEN pushbutton. Person #1 verifies that the valve is opening and radios person #2 to stop the valve. Repeat the procedure, this time allowing the valve to go fully open. Verify that all local and remote MOV status indicators are working correctly.

NOTE If instead the valve starts to go closed, person #1 radios the electrician to open the breaker and abort the test.

h) if the test was aborted, notify the console operator of the problem and have the electrician troubleshoot it before restarting the test from the beginning

i) person #1 radios person #2 to operate the MOV with the MOV remote CLOSE pushbutton. Person #1 allows the MOV to go fully closed. Person #1 then radios person #2 to fully OPEN the valve with the remote OPEN pushbutton. Verify that all local and remote MOV status indicators are working correctly.

j) if the MOV has pushbuttons in the manned control center, repeat step i using the control center pushbuttons

k) once testing is complete, restore everything back to pre-test conditions, ensure the breaker is energized (i.e., closed), the MOV valve is in the correct position and the MOV bypass line is closed, and notify the console operator that testing is complete

I.12.2 Motor starters (low to medium voltage)

Another final element that needs to be tested is the motor starter for an electric motor. Electric motors are typically used to drive pumps in process facilities. A number of types of motor starters are found in process facilities, the most common being the manual starter and the combination FVNR (full voltage non-reversing) starter.

The manual starter is typically used for single-phase motors that do not require remote start/stop functionality. A manual starter includes make/break electrical contacts operated by an operator-accessible manual switch and overload protection, and is mounted in a single NEMA-rated enclosure near the motor.

A combination FVNR motor starter is typically used for three-phase motors or motors that require remote start/stop functionality. A combination FVNR starter includes a fused disconnect switch, an electrical contactor and overloads, and is mounted in either a single NEMA-rated enclosure or a motor control center (MCC). With the advent of remote operator control of processes came the need for central control rooms (CCR) and electrical control rooms (ECR) in the process sector; as a result, most combination FVNR motor starters are now mounted in MCCs located in the ECR.

An MCC is a free-standing row of vertical and horizontal buses mounted in sections with plug-in type motor starters. The size of the MCC is based on the number and size of the motor starters and the supplemental requirements (e.g., main disconnect, section disconnects, safety switches, power panels).

I.12.2.1 Test requirements

This brief review of testing requirements is based on applications using combination FVNR motor starters mounted in an MCC, with each motor starter directly connected to its motor. It is assumed that the SIS is de-energized to trip and that the motor-driven pump is in a safe state when the motor is stopped.

Safety concerns with motor starters in MCCs include:

- short-circuit induced arc when inserting a motor starter into the MCC bus

- short-circuit induced arc when extracting a motor starter from the MCC bus

- bus shorts and voltages

- improper power lockout

- alternate power feeds into the MCC that require multiple lockouts

- alternate power feeds into the motor starter, so that opening the motor starter disconnect switch does not remove all power within the motor starter

I.12.2.2 General requirements

The facility should have an approved procedure and training in place before testing MCC motor starters. The procedure should ensure electrical safety equivalent to NFPA 70E, which includes activities such as:

- try, lock, tag, and try procedure

- stand-aside, left-hand rule in any MCC disconnect switch operation

- eye protection

- hand and body protection

- as-built drawings

- MCC engineering change orders (ECOs) are up to date

- plant maintenance, operations, and production safety procedures

- MCC manufacturer testing and safety procedures

- MCC is properly grounded

- ability to lock out all power sources to the MCC

When testing an MCC motor starter, implement and complete all the procedures noted above, and inspect the bus and the plug-in clamps on the motor starter for wear. This inspection should reveal any signs of excessive heat, improper contact, or wear. In addition to visual inspection, full functional cycling of the contactor should be performed.

If further inspection is needed, the motor starter can be removed and taken to the maintenance shop to be inspected, tested, and upgraded as needed. Note that a duplicate motor starter could have been previously approved and designed to replace the removed unit, greatly reducing the mean time to restoration. In any event, the insertion of the tested starter should follow the manufacturer’s approved installation method, and the power and control leads should be tested as noted elsewhere in this TR before energizing the motor starter.

I.12.3 Variable speed drives (VSD)

Following are some basic testing considerations for E/E/PE “smart” (i.e., microprocessor-based) VSDs (e.g., DC, AC, variable frequency) that are final elements within a SIF.

This discussion centers on the premise that the SIF application is a de-energized to trip application where removal of electrical power to the VSD provides a safe state.

CAUTION: “Removal of power” refers to the power necessary to operate the drive. It does NOT refer to the removal of all electrical power within a VSD drive system. As such, a SIF/VSD interface should NEVER be considered an electrical lock-out device.

Typical “shutdown” interfaces between SIF and the VSDs in an industrial environment include implementation of electro-mechanical contactors, discrete outputs, communication networks, analog signals, and wireless technologies.

The “shutdown” technology implemented is based on the process safety-related application and the VSD design.

Today’s VSD design is impacted by the mature EN 954 standard and the more recent IEC 62061 standard. While this may not impact testing measures directly, it is mentioned here because it does impact SIF design considerations; the SIF interface design to the VSD should be completely understood prior to proceeding with testing.

It is assumed that the design has three basic design characteristics:

1) The VSD design has a TRY-LOCK-TAG-CLEAR-TRY feature. The initial TRY pushbutton feature allows the VSD to be momentarily jogged (this ensures the proper drive is being locked out), then the SIF shutdown is implemented; the system is LOCKED out and TAGGED; the total physical area impacted by the VSD is CLEARED and the TRY button is activated again to ensure the VSD has been properly locked out.

2) The VSD has an internal electrical distribution system that isolates the VSD drive power and VSD load output power from the VSD microprocessor power, the VSD input power, the VSD diagnostic output power, and the VSD HMI power.

3) The plant has a lockout procedure for the VSD microprocessor power, the VSD input power, the VSD diagnostic output power, and the VSD HMI power circuits.

It is assumed that the plant has a turnover tagging system. The purpose of placing tags is to provide a visible indication of the status of each piece of equipment to eliminate exposure to energized systems by unauthorized personnel. Placement or removal of tags must be done jointly by the organizations involved. Only one color of tag may be on a piece of equipment at any time.

NOTE This test description is not intended to determine if the VSD is operating properly, but is intended to determine if the SIF interface to the VSD is operating properly.

I.12.3.1 SIF/VSD testing - general

Given the multiple energy sources typically found in a VSD, the plant should have the ability to safely de-energize, lock-out, and tag any and all parts of the VSD system.

The SIF/VSD testing procedure will vary depending on which circuit is being tested. For purposes of brevity it will be assumed the VSD power circuit is to be tested.

I.12.3.2 Discrete outputs

The VSD may need to be locked out in order to test the discrete logic solver output and ensure it is functioning properly. This can be done using the SIF logic solver forcing capability or when testing the logic solver application program. If there is no separate motor starter supplying power to the VSD, and if the output is a solid-state device, then for complete test coverage its leakage current (i.e., the current drawn when in the “off” state) should be checked and documented. This value should be checked against the hold-in current of the VSD circuit to ensure there is a sufficient current gap, so that the drive will shut down when the output commands it to. These current values should be recorded and saved, since the off-state leakage current of a solid-state device tends to increase over time.

The VSD should be uncoupled from its load if practicable. This will facilitate safely testing the SIF interface to the VSD. If this is not possible an analysis of the impact of drive rotation on the process load is required to determine when and how to proceed. Often a pre-planned jog or try pushbutton function coordinated with the SIF command can be used to test the validity of the SIF interface to the VSD while not impacting the process.
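The leakage-current check above can be recorded and trended rather than judged by eye at each proof test. The following is an added example, not code from ISA-TR84.00.03 or from any VSD or logic solver vendor: it compares the latest off-state leakage reading of a solid-state output against the VSD hold-in current, fits a straight line through the recorded readings, and projects when the leakage would reach the acceptance limit relative to the next proof test. The 50% margin (leakage must stay below half the hold-in current), the 20 mA hold-in current and the three annual readings are assumptions constructed for illustration; the report itself only asks for a “sufficient current gap” and for the values to be recorded.

```python
"""Off-state leakage check for a solid-state logic solver output driving a VSD.

Added example, not code from ISA-TR84.00.03. The 50 % margin, the hold-in
current and the sample readings are assumptions made for illustration.
"""
from datetime import date, timedelta


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string (as exported from a CMMS)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def leakage_limit_ma(hold_in_ma, max_fraction=0.5):
    """Highest off-state leakage accepted for a given VSD hold-in current.

    max_fraction is an assumed site acceptance criterion (half the hold-in
    current); it is not a value taken from the report.
    """
    if hold_in_ma <= 0:
        raise ValueError("hold-in current must be positive")
    return hold_in_ma * max_fraction


def leakage_ok(off_leakage_ma, hold_in_ma, max_fraction=0.5):
    """True when the output's off-state leakage stays below the limit."""
    return off_leakage_ma < leakage_limit_ma(hold_in_ma, max_fraction)


def leakage_slope_ma_per_day(readings):
    """Least-squares slope of leakage against time (mA/day), or None if undefined.

    readings: iterable of (date_or_iso_string, off_leakage_ma) pairs.
    """
    pts = [(_as_date(d).toordinal(), ma) for d, ma in readings]
    if len(pts) < 2:
        return None
    n = len(pts)
    mean_x = sum(x for x, _ in pts) / n
    mean_y = sum(y for _, y in pts) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in pts)
    if sxx == 0:
        return None  # all readings taken on the same day
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in pts)
    return sxy / sxx


def _latest(readings):
    return max(((_as_date(d), ma) for d, ma in readings), key=lambda p: p[0])


def projected_limit_crossing(readings, hold_in_ma, max_fraction=0.5):
    """Date at which the trend line reaches the limit; None if leakage is not rising."""
    slope = leakage_slope_ma_per_day(readings)
    if slope is None or slope <= 0:
        return None
    latest_date, latest_ma = _latest(readings)
    remaining = leakage_limit_ma(hold_in_ma, max_fraction) - latest_ma
    if remaining <= 0:
        return latest_date
    return latest_date + timedelta(days=round(remaining / slope))


def assess_output(readings, hold_in_ma, next_test_on, max_fraction=0.5):
    """'fail' if the latest reading is at or over the limit, 'trend' if the
    projection crosses the limit before the next proof test, otherwise 'ok'."""
    _, latest_ma = _latest(readings)
    if not leakage_ok(latest_ma, hold_in_ma, max_fraction):
        return "fail"
    crossing = projected_limit_crossing(readings, hold_in_ma, max_fraction)
    if crossing is not None and crossing <= _as_date(next_test_on):
        return "trend"
    return "ok"


# Constructed sample: a hypothetical 20 mA hold-in current and three annual proof-test readings
SAMPLE_HOLD_IN_MA = 20.0
SAMPLE_READINGS = [("2013-01-15", 2.0), ("2014-01-15", 4.0), ("2015-01-15", 6.0)]

if __name__ == "__main__":
    print("limit:", leakage_limit_ma(SAMPLE_HOLD_IN_MA), "mA")
    print("projected crossing:", projected_limit_crossing(SAMPLE_READINGS, SAMPLE_HOLD_IN_MA))
    print("next test 2016-01-15:", assess_output(SAMPLE_READINGS, SAMPLE_HOLD_IN_MA, "2016-01-15"))
    print("next test 2017-06-01:", assess_output(SAMPLE_READINGS, SAMPLE_HOLD_IN_MA, "2017-06-01"))
```

A result of “trend” is the case the text is warning about: the output passes today, but the recorded growth in leakage says it may not shut the drive down by the time of the next proof test, so the output (or the test interval) should be reviewed rather than waiting for a “fail”.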

I.12.3.3 Communication networks

Today’s VSDs often offer the ability to interface the SIF and VSD via a safety certified communications network. Testing of this approach requires the following additional considerations:

1) Testing requires a complete understanding of the testing recommendations provided by the communications network and the VSD manufacturers.

2) Test of the communications network “watchdog” system should be included in the test.

3) Corporate IT should be consulted on past, present, and anticipated cyber-security threats to determine the extent of cyber-security testing needed.

I.12.3.4 Analog

While today’s VSDs often offer the ability to interface the SIF and VSD via a safety certified communications network, most VSD manufacturers still provide an analog interface option (e.g., 4-20 mA). This is done in part to allow an alternate SIF interface between a SIF logic solver and a VSD system from different manufacturers, where the “universal” interface may have bugs. The analog communications “watchdog” system should be included in the test.

I.12.4 Wireless

Today’s VSDs are often implemented in robotic type applications (e.g., material handling, material storage and retrieval) that utilize wireless SIF to VSD interfaces. Testing of the wireless communication may utilize any of the other approaches discussed in I.12. However, testing of wireless does introduce additional considerations including:

1) Testing requires a complete understanding of the testing recommendations provided by the wireless manufacturer.

2) Wireless implementation typically brings into play other layers of protection that have to be considered (e.g., barriers, photo eyes, pressure mats, light curtains)

3) Test of the wireless communications network “watchdog” system should be included in the test.

I.13 Testing of manual/automatic response to SIS failure

The design of the SIS should consider what could happen if the SIS fails and identify means to respond to those failures. Based on the requirements of ANSI/ISA-84.00.01-1 Clause 11.3.2, there needs to be a way to achieve or maintain a safe state of the process when the SIS fails to operate as required. For example, the failure of the final elements could be disastrous. Having a plan, or response procedure, for managing this situation minimizes the impact of such a failure.


In many applications, the operator is provided with a manual shutdown as a means to manually initiate shutdown of the process. For example, when a sensor fails to activate the SIS, the operator can activate a manual trip of the SIS, either through the SIS or through an independent trip switch. In the case of a final control element failure, a unit boundary shutoff valve may be needed. In all cases these backup systems should be tested to ensure they would function should an event occur. This includes the equipment, the alarms and the operators.

The manual shutdown or the independent trip systems may operate one or multiple valves. Each component of the manual shutdown should be tested and maintained as necessary to keep the equipment in good working order. An end-to-end test should be performed to make sure the entire system is functional. The most logical time to test the manual shutdown equipment is during the proof test, since some of the equipment is associated with the SIS. The equipment that is not part of the SIS could be tested at a different interval as appropriate to demonstrate the required integrity.

Manually operated valves and other manual devices will need to be periodically operated to confirm functionality, inspected, and given preventive maintenance as needed.

The sensors and alarms, which identify the failure of the SIS, should be tested, calibrated and maintained.

I.14 Testing of bypasses

I.14.1 Testing of manual bypass switches

The proper operation of manually operated bypass switches should be verified during SIS commissioning and again after any modification that could affect the operation of the bypass. Verification should be performed prior to commencing operations and should demonstrate proper application and removal of the bypass condition. A failure to enter the bypass state could result in spurious alarms or spurious activation of the SIS during maintenance. A failure to return to normal from the bypass state could block SIS action during a valid process demand.

I.14.2 Testing of automated bypasses

The proper operation of automatically initiated bypasses should be verified during SIS commissioning and again after any modification that could affect the operation of the bypass. Automated bypasses include timed functions (for instance a timed low-flow bypass for pump start) and conditions initiated manually through an HMI. Verification should be performed prior to commencing operations and should demonstrate proper application and removal of the bypass condition. A failure to enter the bypass state could result in spurious alarms or spurious activation of the SIS during maintenance. A failure to return to normal from the bypass state could block SIS action during a valid process demand.


Annex J — Deferral considerations and example procedures

This Annex provides examples of deferral procedures. Users may develop other deferral procedures incorporating similar information or use other forms of documentation to approve, record and track deferral.

J.1 Example deferral approval procedure

Below are the requirements for deferring tests and repairs of SIS and BPCS IPL equipment. All due dates mentioned below are based on the last day of the month in which the test was due.

Statement of intent

This process provides flexibility in instrument testing requirements to accommodate production planning and turnaround timing issues. However, deferral of a required test or repair of a SIS, or of a required test of a BPCS Independent Protection Layer (IPL), should be a non-routine event based upon unusual circumstances.

Each SIS and BPCS IPL should be designed and maintained such that deferrals are not routinely required.

Alternative practices for test deferrals

Design practices to consider include:

- partial stroke testing

- automatic testing

- testing while bypassing the SIS or BPCS IPL

- use of an alternate SIS or BPCS IPL

Test deferral identification

If a test is not completed by the end of the month in which it was due and an approved deferral is not obtained, the test will be considered “overdue”. The overdue report should be presented to the responsible leader, and a compliance plan should be developed for all overdue tests.

The Maintenance organization at each site must determine which role(s) are responsible for tracking and reporting overdue tests.

Test deferral requirements

A test of an individual SIS or BPCS IPL component may be deferred up to 50% of the prescribed test interval beyond the scheduled test date, but less than one year, with the approval of the Production Leader, the EH&S Delivery Leader, and either the Geographic or the Business Process Safety Technology Leader.

A test of an individual SIS or BPCS IPL component may be deferred between 50% and 100% of the prescribed test interval, but not more than one year, with the additional approval of the Tech Center Director, the Site Leader (or small site equivalent) and the Manufacturing Business Operations Leader.

Repair deferral identification

At the time a failure or malfunction is noted, an assessment of the repair time is made by the owner, the SIS Specialist and other expertise as appropriate.

The timing for the repair/monitoring plan is established by designated tables or an approved calculation method for the MTTR, with a maximum of 14 days.

A repair time exceeding the MTTR is considered a repair time issue.

Repair deferral requirements

Repair deferral applies only to those SIS instruments and final elements which are redundant. Single instruments cannot be repaired online.

Repair timing deferrals up to a maximum of 5 times the MTTR require approval by the Production Leader and the SIS Instrument Coach or global SIS Specialist. Repair deferrals beyond 5 times the MTTR must meet specific hazard assessment requirements.

If the repair is not completed within the time it was due and an approved deferral is not obtained, the SIS loop is considered impaired and appropriate actions must be taken (e.g., shutdown).

If the repair is not completed within the time approved in the deferral, the SIS loop is considered impaired and appropriate actions must be taken (e.g., shutdown or alternative protection arrangement).

J.2 Example test deferral process

Applicability

The process applies to all SIS and IPL scheduled tests that cannot be completed during the month of the originally scheduled due date.

Deviation from specific governmentally mandated test intervals must be reviewed by the Legal Department and approved in writing by the appropriate government agency.

Purpose

The purpose of this document is to provide a defined process for a SIS or BPCS owner to determine whether a one-time deferral of a scheduled due date for a test of equipment is warranted, or whether the equipment should be taken out of service. This is done by documenting an evaluation and reviewing the evaluation with a SIS Specialist and other key stakeholders. A deferral evaluation should be performed whenever there will be a deviation from a test interval requirement.

For a deferral to be approved, the equipment owner must demonstrate that the deferral will not add inappropriate risk for the period of time of the requested deferral. This process is not to be used to routinely defer proof tests. Each loop must be designed to allow an appropriate proof test interval.

Timing / approval requirement for 50% deferral

A test deferral of up to 50% of the prescribed test frequency beyond the scheduled test date for an individual SIS or BPCS component (flexibility to accommodate production planning and turnaround timing issues) requires approval of the Production Leader, the Environmental Health and Safety (EH&S) Leader, and the Geographic or Business Process Safety Leader. For example, equipment requiring a test frequency of 6 months can be extended 3 months past the scheduled test date with the appropriate approvals. The maximum duration of the deferral should not exceed 1 year nor extend past the next shutdown or turnaround date, whichever comes earlier.

Timing / approval requirement for 100% deferral

A test deferral beyond 50% but not exceeding 100% of the prescribed test frequency for an individual SIS or BPCS component requires additional approval by the Tech Center Director, the Site Leader (or small site equivalent) and the Manufacturing Business Operations Leader. The maximum duration of the deferral should not exceed 1 year nor extend past the next shutdown or turnaround date, whichever comes earlier.

Deferral process timing considerations

It is recommended that the test due date deferral process and required documentation be completed 30 days prior to the originally scheduled due date. This timing allows the entity to plan and schedule a shutdown to meet the originally scheduled date if the deferral request is not approved.

Management system / documentation

These deferred tests should be documented in the computerized maintenance management system such that completion of these activities will be identified as a priority item during any unscheduled opportunity prior to the deferred date.

Overdue definition

If a test is not completed by the end of the month in which it was due and an approved deferral is not obtained, the test will be considered “overdue”. A compliance plan should be developed for all overdue tests.


Process

Steps in the process:

1) Initiate the test due date deferral form and identify all the key stakeholders. Stakeholders may include owners, the owner’s representative, and the SIS Specialist.

2) Review the demand rate and the SIS/BPCS performance history.

3) Identify what will be done for the evaluation, and document it. This might be a formal risk assessment or a meeting of SIS Specialists. Part of this should be a visual inspection of the equipment by the owner’s representative and the SIS Specialist. Where visual inspection is not feasible, digital photographs of the equipment may be used.

4) After review and concurrence of the SIS Specialist, obtain the signatures of the Production Leader, the EH&S Leader, and either the Geographic or the Business Process Safety Leader. Deferrals in excess of 50% additionally require the signatures of the Tech Center Director, the Manufacturing Business Operations Leader and the Site Leader (or small site equivalent).

5) Complete the documentation of the test due date deferral form and file it, either electronically or as hard copy, in the equipment history file.

6) Update the required information in the maintenance management system.

7) Upon completion of the test, the test due date deferral form should become part of the permanent equipment history file.

Form

Documentation of this process should be done using the test due date deferral form supplied below, or a suitable alternate that must include as a minimum the following:

- equipment identification

- original due date for test

- deferred due date

- listing of the SMEs

- approval signatures

- explanation of why the deferral is requested

- documentation of the global SIS Specialist evaluation


J.3 Test due date deferral approval form

IPL description:

SIS or BPCS tag numbers:

Originator:

Plant/Department requesting deferral:

Scheduled due date:

Proposed deferral due date:

Reason for deferral request (attach additional sheets if needed):

Describe or document SIS Specialist evaluation (attach additional sheets if needed):

Communication plan (attach additional sheets if needed):

Identify stakeholders:

- SIS Specialist/Engineer

- Management Team

Approval signatures (electronic or manual):

- Operations Manager: ____________ Date: ________

- SIS Specialist/Engineer: ____________ Date: ________

- PSM Manager: ____________ Date: ________


J.4 Example repair deferral procedure

Applicability

Redundant instruments: the process applies to all deficiencies identified as a result of a Safety Instrumented System (SIS) test whose repair cannot be completed within the average MTTR after the time the deficiency is found.

Single instruments: SIS without redundant sensors/final elements cannot be handled with this process.

Instruments required by government regulation: this process does not apply to deficiencies identified during government or other regulatory tests. Deviation for repairs resulting from regulatory required tests can only be approved using the process identified by the appropriate government agency and reviewed by the Legal Department.

Purpose

The purpose of this process is to provide a defined process for an entity to seek a one-time deferral of a scheduled due date for repair of equipment, by documenting an engineering evaluation, reviewing it with the SIS Specialist and other key stakeholders, and documenting the approval of the Operations, Maintenance and Process Safety Leadership Team.

For deferrals of this type, the requestor must demonstrate that the deferral will not add inappropriate risk for the period of time of the requested deferral.

Timing / approval requirements

The Production Leader/Department Head and the SIS Specialist must approve all deferrals within their block/area. Additionally, the Site/Regional Process Safety Technology Leader (or small site equivalent) must approve all deferrals to ensure compliance with applicable government regulations.

Management system documentation

These deferred repairs should be documented in the maintenance management system such that completion of these activities will be identified as a priority item during any unscheduled opportunity prior to the deferred date. The maximum duration of the deferral should be the next scheduled shutdown or turnaround date, not to exceed one year.

Overdue definition

If the repair is not completed within the average Mean Time to Repair (MTTR) defined by tables or another approved calculation method, and neither an approved deferral is obtained nor a “SIS Impairment Standard” process hazard assessment is completed and approved, the repair will be considered “overdue”. The operation of the plant section protected by the SIF must be discontinued, or an alternative arrangement must be put in place that provides an equivalent level of safety. The relevant LOPA line should be modified to show the existence and adequacy of this alternative arrangement, and the approval of the business Process Safety Leader must be obtained.


Process

Steps in the process:

1) Initiate the repair due date deferral form and identify all the key stakeholders. Stakeholders may include owners, the owner's representative and the SIS Specialist.

2) Review the documentation that was prepared for the repair and other equipment history.

3) Identify what will be done for an engineering evaluation to ensure no additional risk will result from deferring this repair for the additional time period, and document it. This might be a meeting of Specialists. Part of this should be a visual inspection and a review of the impact on the PFD calculation of the SIS loop by the owner's representative and global SIS Specialist. Where visual inspection is not feasible, digital photographs of the equipment may be used.

4) Obtain signatures of the Production Leader/Department Head, SIS Specialist, Tech Center Director, Business Operations Leader, Site Leader, and Site/Regional Process Safety Technology Leader (or small site equivalent) as required.

5) Complete documentation of the repair due date deferral form and file it either electronically or as hard copy in the equipment history file.

6) Update required information in the maintenance management system.

7) Upon completion of the inspection or repair, the repair due date deferral form should become part of the permanent equipment history file.

Form

Documentation of this process should be done using the repair due date deferral form supplied below or a suitable alternate that must include as a minimum the following:

equipment identification

original due date for repair

deferred due date

listing of the SMEs

approval signatures

explanation of why the deferral is requested

documentation of the SIS Specialist evaluation


J.5 Example repair due date deferral form

SIF description:

SIS tag numbers

Originator:

Plant/Department requesting deferral:

Scheduled due date

Proposed deferral due date

Reason for deferral request (attach additional sheets if needed)

Describe or document SIS Specialist evaluation (attach additional sheets if needed)

Attach repair deficiency documentation

Communication plan (attach additional sheets if needed)

Identify stakeholders:

SIS Specialist/Engineer

Management Team

Approval signatures (electronic or manual):

Operations Manager Date

SIS Specialist/Engineer Date

PSM Manager Date


Annex K — Example bypass approval procedures

This Annex provides examples of bypass approval procedures. Users may develop other bypass approval procedures incorporating similar information or use other forms of documentation to approve, record, and track bypassing.

K.1 Example bypass approval procedure 1

K.1.1 Bypassing policy when process hazards are present

Process hazards are normally considered present when the process is running, has process materials still contained in the vessels or piping, or has energy sources available.

All SIF(s) found to be bypassed without authorization are to become the subject of an incident investigation.

The following is required to bypass SIS equipment.

The authorization to bypass will be on a completely filled out SIS equipment bypass permit.

Authorization levels for all SIS equipment bypasses depend on the length of the bypass permit as shown below.

up to 72 hours: Second Line Manager or designate

more than 72 hours but less than 168 hours (7 days): Production Manager or designate

more than 168 hours (7 days): Plant Manager or designate

It is forbidden to circumvent the time limit by having bypasses re-authorized, e.g. if a bypass is originally authorized for 72 hours and the work is not completed then another bypass must be issued with the permit starting at the original time.

When authorization is required at times other than days, Monday through Friday, or on holidays, telephone contact with the authorizer or designate is adequate.

The time that the bypass is in effect should be limited to the minimum time required.

Continuity of the repair should be maintained during the bypassing of SIF(s).

A qualified instrument or electrical technician must bypass the SIF(s).

The bypass should only bypass the part of the SIF(s) required for the purpose of the bypass.

Production must post the white copy of the authorized bypass permit in the CCR, one copy with the Production Supervisors and one copy with the E&I Supervisor when the bypass is installed. The white copy is to be filed when the permit is removed.

Bypassing is to be done in such a way that it is obvious that the SIF(s) is bypassed. Bypass the minimum part of the circuit. For example, if the transmitter is bad or questionable then bypass only the input to the relay or PES. This will leave the other SIF(s) in the circuit functional.

Do not bypass SIF(s) by forcing transmitters to give false measurements. Examples are raising the zero on transmitters, bypassing transmitter impulse lines, and changing purge gas flows to cause measurement errors. Entering process values in the PES is not recommended.

K.1.2 Bypassing policy when process hazards are not present

Process hazards are normally not present when equipment is not in operation and is properly cleared and tagged. Other policies such as lock-tag-try, MOC policy, and the other requirements of this standard must be met to ensure the SIF(s) are returned to service before the hazards are introduced.

The following exceptions to bypassing policy apply when process hazards are not present.

bypassing permit is not required

the time that the bypass is in effect is not limited to minimum repair time

continuity of repair is not required

bypassing authorization is not required

the following must be done when bypassing (performing maintenance work on) an SIF(s) when process hazards are not present:

a qualified instrument or electrical technician must bypass the SIF(s)

the bypass should only bypass the part of the SIF(s) requiring repair or maintenance

K.1.3 Records

The SIF(s) bypass permit authorizing the bypass will be under the control of production. After the bypass has been removed, production is required to keep the bypass permits on file for five years. This is to allow review by the cyclic PHA team.

A unit report no later than the third working day of each month, documenting each SIF(s) which was bypassed via a bypass permit must be prepared and submitted to the Production Manager. This report should include the date the bypass was installed, the date the bypass was removed and if it was past due.
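As an added example (not from the report or any site's own system), a small Python tracker for the K.1 bypass permits: it applies the K.1.1 authorization tiers, measures a re-issued permit from the original bypass time as K.1.1 requires so that the clock cannot be reset, and produces the K.1.3 monthly unit report (installed date, removed date, past due) from log rows like those in K.3. The tag numbers, names and dates are constructed; the third-working-day deadline assumes Monday to Friday working days and ignores site holidays.

```python
from dataclasses import dataclass, replace
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional


def required_authorizer(total_hours: float) -> str:
    """K.1.1 authorization tiers, keyed on the TOTAL length of the bypass
    (the K.1.6 form labels the first tier 'First Line Supervisor'; K.1.1 wording used)."""
    if total_hours <= 72:
        return "Second Line Manager or designate"
    if total_hours <= 168:
        return "Production Manager or designate"
    return "Plant Manager or designate"


@dataclass(frozen=True)
class BypassPermit:
    """One K.3 bypass-log row plus the permit's authorized period."""
    tag: str                    # SIS tag number
    reason: str
    applied_by: str
    original_start: datetime    # when the bypass was first installed
    authorized_until: datetime  # end of the authorized period
    restored_by: Optional[str] = None
    restored_at: Optional[datetime] = None

    @property
    def total_hours(self) -> float:
        # K.1.1: a re-issued permit starts at the ORIGINAL time, so the
        # duration that selects the authorizer is never reset by re-issue.
        return (self.authorized_until - self.original_start).total_seconds() / 3600.0

    @property
    def authorizer(self) -> str:
        return required_authorizer(self.total_hours)

    def is_past_due(self, now: datetime) -> bool:
        # True if the bypass has outlived (or is outliving) its authorized period.
        return (self.restored_at or now) > self.authorized_until

    def in_effect_during(self, start: datetime, end: datetime) -> bool:
        return self.original_start < end and (self.restored_at or end) > start


def issue_permit(tag: str, reason: str, applied_by: str,
                 installed_at: datetime, hours: float) -> BypassPermit:
    return BypassPermit(tag, reason, applied_by, installed_at,
                        installed_at + timedelta(hours=hours))


def reauthorize(permit: BypassPermit, extra_hours: float) -> BypassPermit:
    """Follow-on permit when work overruns: the clock keeps running from the
    original start, so the authorizer tier can step up but never resets."""
    if permit.restored_at is not None:
        raise ValueError("bypass already removed; issue a new permit instead")
    return replace(permit, authorized_until=permit.authorized_until
                   + timedelta(hours=extra_hours))


def third_working_day(year: int, month: int) -> date:
    """K.1.3 report deadline; assumes Mon-Fri working days and ignores holidays."""
    d, seen = date(year, month, 1), 0
    while True:
        if d.weekday() < 5:
            seen += 1
            if seen == 3:
                return d
        d += timedelta(days=1)


def monthly_unit_report(permits: List[BypassPermit], year: int, month: int,
                        now: datetime) -> Dict:
    """K.1.3 unit report: each SIF bypassed under a permit during the month,
    with installed date, removed date and whether it went past due."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    rows = []
    for p in permits:
        if p.in_effect_during(start, end):
            rows.append({
                "tag": p.tag,
                "installed": p.original_start.date().isoformat(),
                "removed": p.restored_at.date().isoformat() if p.restored_at else "still bypassed",
                "past_due": p.is_past_due(min(now, end)),
            })
    return {"report_due": third_working_day(end.year, end.month).isoformat(), "rows": rows}


# Constructed sample permits (not from the report) for August 2012.
P1 = replace(issue_permit("LSHH-101", "level transmitter replacement", "J. Doe",
                          datetime(2012, 8, 1, 8), 48),
             restored_by="J. Doe", restored_at=datetime(2012, 8, 2, 14))
P2 = issue_permit("PSHH-202", "impulse line leak", "A. Smith", datetime(2012, 8, 10, 6), 72)
P2 = reauthorize(P2, 72)   # 144 h from the original start: Production Manager tier
P2 = replace(P2, restored_by="A. Smith", restored_at=datetime(2012, 8, 17, 9))  # past due
P3 = issue_permit("TSHH-303", "thermowell inspection", "R. Lee", datetime(2012, 8, 28, 10), 200)
PERMITS = [P1, P2, P3]
NOW = datetime(2012, 9, 3, 12)
REPORT = monthly_unit_report(PERMITS, 2012, 8, NOW)
```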

K.1.4 Responsibilities

K.1.4.1 Approvers of the bypass permit

The function of approvers is to complete the bypass permit. They must be knowledgeable of the process, process hazards, and the SIF(s) system. This will usually consist of a production supervisor, operating technician, E&I supervisor, E&I technician, process technical, and E&I engineer, as needed.

All participants filling in the bypass permit sections 1 through 4 must initial the permit, indicating their approval. Technical approval can be completed by the Technical Supervisor or designate or a senior technical person familiar with the process hazards.

K.1.4.2 Authorizer of the bypass permit

The function of the authorizer is to ensure that the permit has been completed correctly and the risk to bypass the SIF(s) is acceptable. Typically this requires the authorizer to ask questions of the approvers to ensure due consideration has been given to each entry of the permit. A second line supervisor or designate fills this function.

OPERATIONS:

Determine if process hazards are present.

Ensure the equipment is returned to service.

Assist Maintenance as required.

For keyed SIF(s) bypasses, the operating supervisor must retain responsibility for control of the key. Keys must not be left in the switch when the SIF(s) is not bypassed.

Produce the monthly unit report for the Production Manager.


MAINTENANCE:

Perform all mechanical work involving bypassing and restoring of SIF to service.

TECHNICAL:

Assist production and maintenance as required especially in hazard analysis and SIF(s) bypassing method.

Approve the bypass permit.

K.1.5 Safety analysis and authorization

The operating group requesting the work will normally fill in the first and second sections of the permit. These sections document the purpose and objectives for the bypass and lead you through simple hazards screening. These sections focus on the EHS hazards that the safety action addresses. Much of the hazard information will be documented in the operating guides, the SIF(s) test procedure and the process hazard classification documentation for the area. If additional information is needed to complete this section, consult the technical and maintenance groups. The hazards screening section of the permit details which action will be bypassed, the reason for the bypass, limits for the change (expected bypass duration), and safety steps to be taken that ensure safe operation while the bypass is in effect. When filling in this permit, it is important to be as thorough as possible; attach temporary operating procedures and other documentation as needed.

The third section of the permit will normally be filled in by the Maintenance group performing the bypass work. This section documents the technical basis and description of how the bypass will be accomplished. All affected devices and actions are to be listed. List all other documentation related to the bypass action, such as marked prints or special maintenance procedures.

Section four of the permit is a summary statement to say why the unit is safe to operate with the bypass in service.

Section five of the bypass permit is for approval and authorization of the action. All participants filling in the bypass permit sections 1 through 4 must initial the permit, indicating their approval. Technical approval can be completed by the Technical Supervisor or designate or a senior technical person familiar with the process hazards. After section 5 is completed, the action can be taken. All devices bypassed must be properly tagged. The white signed copy of the bypass permit should be posted in the CCR for communication purposes and will be filed for closure after the bypass action is removed. The yellow and pink copies are to be sent to the production and E&I supervisor when the SIF is bypassed.

Finally, sections six and seven of the permit document when the bypass is installed and removed. They also document that the CCR operator has reviewed the bypass permits at the beginning of the shift.


K.1.6 Example SIF bypass permit

Section 1:

Requested by: _________________________________ Date: ______________

Area: _____________________________

Service description: _____________________________________________________

Trip setting: _____________________________________________ (with Eng. Units)

Effective date/time: From ______________________ To ______________________

Section 2:

Hazardous event classification (S, E, A) and SIL of the SIF: ______________________

Describe the EHS hazard the instrument action is designed to prevent: ________________________________________________________________________

List other protection for this hazard (R/V, SIF(s), and alarms): ________________________________________________________________________

Purpose for bypass: ________________________________________________________________________

Backup variable to be monitored and responsibility: ________________________________________________________________________

Backup variable mandatory shutdown limits: High: ________ Low: ________ Other: _____________

Shutdown method and responsibility: ________________________________________________________________________

Operating procedure modifications complete, appended and communicated? Yes / No / N/A

Section 3:

Loop no.: _________ Instrument setting: __________ I. D. no.: __________

Describe how the instrument action will be bypassed: ________________________________________________________________________

List all sensors (initiating events) and hand switches that will be bypassed: ________________________________________________________________________

List actions (valves, motors, etc.) that will be bypassed: ________________________________________________________________________

Section 4:

Why is the unit safe to operate with this SIF(s) bypassed? _________________________________________________________________________

Section 5:

PARTICIPANTS APPROVAL (print names and initial): ________________________________________________________________________ DATE: __________________

TECHNICAL APPROVAL: _____________________________________________________ DATE: __________________

AUTHORIZED BY: ___________________________________________________________ DATE: ___________________

Up to 72 hours: First Line Supervisor or designate

72 hours to 168 hours: Production Manager or designate

Over 168 hours: Plant Manager or designate


NOTE The yellow copy goes to the Operating Supervisor when the bypass is installed; the pink copy goes to the E&I Supervisor when the bypass is installed. The white signed copy will be posted in the CCR when the bypass is installed. The white copy will be filed when the bypass is removed.

Section 6:

BYPASS INSTALLED: __________________________ (OPERATING TECHNICIAN) DATE: ___________ TIME: ____________

________________________ (E&I TECHNICIAN) DATE: ___________ TIME: ____________

Section 7:

BYPASS REMOVED: ___________________________ (OPERATING TECHNICIAN) DATE: __________ TIME: ___________

____________________________ (E&I TECHNICIAN) DATE: __________ TIME: ___________

Until the bypass is removed the CCR operator is required to initial and date this permit at the beginning of each shift.

_________________________________ DATE:____________ TIME:________ (OPERATING TECHNICIAN)

K.1.7 Glossary of bypass permit terms

SIF bypass permit: A work sheet that documents and authorizes a bypass, hazards screening leading up to the bypass, and exactly what bypass work was done.

Requested by and date: Name of person requesting the bypass to be done, usually the shift supervisor for the group that operates the equipment and the date that the bypass permit is started.

Area: Operating area or system requesting the bypass.

Service description: Device name in common terms such as the operating manual description or control system descriptor.

Trip setting: The process trip setting from the operating guide procedure with engineering units such as degrees C or PSI.

Effective date/time: Estimated dates that the bypass will be in service, such as from the permit date until the earliest planned repair window.

Hazardous event classification and SIL: The classification of the hazard that the action being bypassed is used to mitigate, such as safety, environmental, asset and the SIF Safety Integrity Level.

EHS hazard the action is designed to prevent: The specific hazard that the action is used to prevent.

List other protection for this hazard: List other hazard controls or devices such as R/V's, instrument actions, special procedures or alarms. This information may be documented in the Hazard classification files or can be reconstructed by the bypass permit requestor.

Purpose for bypass: State the purpose of the bypass, why it is needed.

Backup variable to be monitored and responsibility: Describe any other process variables or special operating procedures that will be monitored or used while this action is bypassed and define who is responsible to monitor this information.


Backup variable mandatory shutdown limits: If a backup variable is to be used, detail the mandatory shutdown limits with engineering units of the backup process variables being monitored.

Shutdown method and responsibility: Document how the system will be shut down with the SIF bypassed and who is responsible for this action.

Operating procedure modifications complete, appended and communicated: Document whether or not operating procedures have been changed and were issued based on the bypass work.

Loop no.: The instrument loop number.

Instrument Setting: The SIF trip setting in engineering units or other instrument-specific units, as appropriate for this device.

I.D. no.: The SAP equipment number for the trip device being bypassed.

Describe how the action will be bypassed: Document the physical instrument action bypass method. Refer to marked prints or sketches if necessary. This information will be used to remove the bypass after repairs have been made.

Sensors (initiating events) and hand switches that will be bypassed: List all sensors that will be bypassed by this work, such as when multiple sensors trip a common device that is being bypassed.

Actions (valves, motors, etc.) that will be bypassed: List all instrumented actions that will be bypassed by this work, such as when multiple final acting devices are bypassed by single relay.

Why is the unit safe to operate? This affirming question is to be answered after steps 1, 2, and 3 have been completed. It documents the reasons the bypass requestor believes that the unit IS safe to operate with the bypass in effect.

Participant's approval: The names and initials of the principal participants of the bypass safety and work analysis. The initials of the participants approve the bypass action.

Authorized by and date: First Line Supervisor, Production Manager or Plant Manager (or designate) responsible for the operating equipment, and the date of authorization.

Bypass INSTALLED / REMOVED: The names, date, and time of the actual bypass installation and removal team, so that complete tracking of the bypass removal can be ensured.

K.2 Example bypass approval procedure 2

A Bypass Assessment is carried out before the application of a bypass. The assessment is led by a Process Specialist with support from the IPS Specialist and Operations. A Bypass Assessment issued within 24 hours of bypass initiation is deemed an "emergency bypass." Emergency Bypass Assessments should be periodically reviewed by the Process Specialist. Consideration should be given to developing a permanent-file Bypass Assessment. The Bypass Assessment is executed by a Process Specialist who facilitates a meeting involving an Operations Supervisor and an SIS Specialist. The assessment is performed to:

understand the hazardous event being prevented by the SIS,

understand how the IPS detects and responds to the hazardous event,

determine whether or not it is permissible to apply the bypass,

determine the allowable repair time,


understand the process impact if the bypass is not used correctly and the process trips,

determine how the bypass is implemented,

evaluate how the bypass impairs or disables the IPS,

identify how the operator would know when bypass is in place,

identify measures to be implemented during bypass to compensate for IPS impairment or disablement, and

identify whether any further precautions are to be implemented.


K.2.1 Example bypass assessment form

Planned Emergency (<24 hours)

SIS Equipment or Loop ID: Plant ID:

Hazardous event being prevented: (Provide hazard analysis report references)

SIF Description: (If there is a documented SRS, provide document reference)

Classification: ______Safety ______Environmental _____ Asset Protection Risk Reduction: ______Safety ______Environmental _____ Asset Protection

Process impact if spurious trip occurs during bypass:

How is the bypass implemented?

Is bypass covered by procedure? Yes No If yes, give procedure ID:

How does the bypass affect the SIS ability to function?

Can operator independently verify that the bypass is in place or not?

What compensating measures will be taken to address the hazardous event? (If these are documented in start-up or other operating procedures, provide procedure reference)

Considering the risk and the compensating measures, the bypass is: Acceptable Unacceptable

Bypass is conditionally permitted for: Start-up only Maintenance only Start-up and Maintenance

Allowable Repair Time (approved bypass period): Start-up only Maintenance - 48 hours

Additional Requirements: (Provide requirements for additional operator or supervisory personnel or for unit access restrictions, signage, notifications, precautions, etc.)

Assessment led by: Date: (Process Specialist or equivalent)

Approval

SIS Specialist/Engineer: Date:

Operations Manager: Date:


K.3 Example bypass log

K.3.1 Sheet 1

Facility / Plant / Unit ID ____________________________________________

Columns: Tag Number | Description | Reason for Bypass | Applied by | Date | Time | Restored by | Date | Time

K.3.2 Sheet 2

Facility / Plant / Unit ID ____________________________________________

By signing below all signatories confirm acceptance of the outstanding bypasses listed on sheet 1

Columns: Date | Day shift OPERATOR technician (all techs to sign in this box) | Night shift OPERATOR technician (all techs to sign in this box)


Annex L — Validation planning

The following table identifies items that should be included as part of the validation plan of the SIS. Refer to ANSI/ISA-84.00.01-1 Clause 15.2 for more details.

1 Safety requirement specification

Identification of the version of the SRS and any other documentation on which the site acceptance testing and validation is to be based.

2 Relevant modes of operation

Testing of all relevant modes of operation of the process where required including:

preparation for use including setting and adjustment

start-up, automatic, manual, semi-automatic, steady state

re-setting, shutdown, maintenance

reasonable foreseeable abnormal conditions

3 Validation testing

Confirmation that the SIS and the individual SIF perform as specified in the SRS. Also confirm that the document:

records the results of each test

details of special test equipment including calibration info

details any special pass fail criteria

4 Reference documentation

All documentation that will be referred to during the execution of the validation / testing activities is specifically identified, including version number.

5 Logic solver program version tracking

Review the version control of the embedded firmware and application program of the SIS from completion of the Factory Acceptance Test through the Site Acceptance Test / Validation up until final handover to Operations. Effective Management Of Change (MOC) should be demonstrated.

6 Engineering modifications

Validation testing should account for any approved design changes that have taken place during the installation of the SIS.

7 Validation strategy

Justification of any testing activity used as part of the validation process that is not based upon end-to-end testing with process simulation in the field. Consider the following areas:

electrical signal injectors used in place of transmitters

reliance upon simulators to test application program

reliance upon FAT results in place of on-site function tests

any automated testing techniques

8 Validation Environment

Consideration of representative environmental conditions under which the equipment is to be tested. Things to consider:

ensure that normal air conditioning systems are running when the tests are performed, making the test realistic

ensure that the conditions and test equipment used are as realistic as possible

9 Pass/Fail Criteria

Detail any special Pass/Fail criteria which should be considered and confirm that these requirements have been incorporated into the SAT document, including a requirement to record the actual values (see ISA-TR84.00.03, 6.7 for details).

10 Measurement Accuracy

Specific testing of any device that has a measurement accuracy specification that is above normal.


11 Calibration

Confirm that calibration details and related documentation are up-to-date and that the testing is based upon the correct and up-to-date values.

12 Adverse Reaction

Review the overall system configuration in which the SIS is located and ensure that no equipment connected to the SIS can have an adverse effect on the SIS, e.g., communication links, power supplies, peripherals, HMI, etc. This might be due to regular or irregular operation of that equipment. Ensure that any required tests are included in the SAT document.

13 SIF Functionality

Detailed testing activities associated with SIF functionality, including redundant channels and where shutdown sequences are in place.

14 SIS Documentation

SIS documentation is consistent with the installed SIS. If mark-ups have been made during the testing/validation process, confirm that these details will be incorporated onto the master documents in a timely manner and are made available to anyone who might need to refer to them in the meantime (e.g., start-up team, Operations, or Maintenance).

15 Analogue Input Configuration

Invalid analogue input signal testing (see ISA-TR84.00.03, 6.4 for details).

Things to consider:

calibrated ranges smaller than the process range

transmitter process saturation current settings

transmitter fault current settings

logic solver compatibility with transmitter settings

logic solver response to above conditions
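As an added example (not from the report, and not a vendor's or site's configuration), the item 15 checks worked through in Python for a 4-20 mA high-trip input: it flags a calibrated range smaller than the process range, checks that the logic solver's valid-signal window is compatible with the transmitter's saturation and fault currents, and generates the injected-current test vectors with the expected logic solver response for the SAT record. The transmitter, trip point and solver windows are constructed; the default saturation (3.8/20.5 mA) and fault (3.6/21.0 mA) currents are the NAMUR NE43 values, assumed here rather than taken from the report.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transmitter:
    tag: str
    lrv: float                  # calibrated range: lower range value (engineering units)
    urv: float                  # calibrated range: upper range value
    process_min: float          # process range the SIF has to cover
    process_max: float
    sat_low_ma: float = 3.8     # saturation currents (NAMUR NE43 values, assumed here)
    sat_high_ma: float = 20.5
    fault_low_ma: float = 3.6   # fault-indication currents (NE43 values, assumed here)
    fault_high_ma: float = 21.0

    def ma_for(self, pv: float) -> float:
        """4-20 mA output for a process value, clamped at the saturation currents."""
        ma = 4.0 + 16.0 * (pv - self.lrv) / (self.urv - self.lrv)
        return min(max(ma, self.sat_low_ma), self.sat_high_ma)


@dataclass(frozen=True)
class AnalogInput:
    """Logic solver analogue input: valid-signal window and action on a bad PV."""
    valid_low_ma: float
    valid_high_ma: float
    trip_on_bad_pv: bool        # True: an invalid signal trips; False: alarm only

    def status(self, ma: float) -> str:
        if ma < self.valid_low_ma:
            return "BAD_PV_LOW"
        if ma > self.valid_high_ma:
            return "BAD_PV_HIGH"
        return "VALID"


def configuration_findings(tx: Transmitter, ai: AnalogInput, trip_pv: float) -> List[str]:
    """Item 15 checks: calibrated range vs process range, trip point inside the
    calibrated range, logic solver window compatible with the transmitter currents."""
    findings = []
    if tx.lrv > tx.process_min or tx.urv < tx.process_max:
        findings.append(f"{tx.tag}: calibrated range {tx.lrv}..{tx.urv} is smaller than "
                        f"the process range {tx.process_min}..{tx.process_max}")
    if not tx.lrv < trip_pv < tx.urv:
        findings.append(f"{tx.tag}: trip point {trip_pv} lies outside the calibrated range")
    # A saturated signal is a healthy transmitter merely out of range: it must still
    # read VALID, otherwise under/over-range is mistaken for a transmitter fault.
    if tx.sat_low_ma < ai.valid_low_ma or tx.sat_high_ma > ai.valid_high_ma:
        findings.append(f"{tx.tag}: saturation currents {tx.sat_low_ma}/{tx.sat_high_ma} mA "
                        f"fall outside the solver window {ai.valid_low_ma}..{ai.valid_high_ma} mA")
    # A fault current must fall outside the window, or the fault is never detected.
    if tx.fault_low_ma >= ai.valid_low_ma or tx.fault_high_ma <= ai.valid_high_ma:
        findings.append(f"{tx.tag}: fault currents {tx.fault_low_ma}/{tx.fault_high_ma} mA "
                        f"would be accepted as a valid signal")
    return findings


def expected_action(tx: Transmitter, ai: AnalogInput, trip_pv: float, ma: float) -> str:
    """High-trip SIF: what the logic solver should do for an injected current."""
    if ai.status(ma) != "VALID":
        return "TRIP" if ai.trip_on_bad_pv else "ALARM"
    pv = tx.lrv + (ma - 4.0) / 16.0 * (tx.urv - tx.lrv)   # the solver's decoded PV
    return "TRIP" if pv >= trip_pv else "NONE"


def validation_vectors(tx: Transmitter, ai: AnalogInput, trip_pv: float) -> List[Dict]:
    """Cases for the SAT record: injected current, expected status and action."""
    span = tx.urv - tx.lrv
    cases = [
        ("process minimum", tx.ma_for(tx.process_min)),
        ("trip point", tx.ma_for(trip_pv)),
        ("over-range (saturated high)", tx.ma_for(tx.urv + span)),
        ("under-range (saturated low)", tx.ma_for(tx.lrv - span)),
        ("transmitter fault low", tx.fault_low_ma),
        ("transmitter fault high", tx.fault_high_ma),
    ]
    return [{"case": name, "ma": round(ma, 3), "status": ai.status(ma),
             "expected": expected_action(tx, ai, trip_pv, ma)} for name, ma in cases]


# Constructed sample (not from the report): pressure transmitter on a high trip at 75.
TRIP_PV = 75.0
PT101 = Transmitter("PT-101", lrv=0.0, urv=100.0, process_min=0.0, process_max=120.0)
PT101_FIXED = Transmitter("PT-101", lrv=0.0, urv=150.0, process_min=0.0, process_max=120.0)
AI_OK = AnalogInput(valid_low_ma=3.7, valid_high_ma=20.8, trip_on_bad_pv=True)
AI_NARROW = AnalogInput(valid_low_ma=3.9, valid_high_ma=20.4, trip_on_bad_pv=False)
```

With AI_NARROW the over-range case shows the failure mode the checklist is after: the saturated 20.5 mA signal is classified as a bad PV and, with alarm-only handling, a process well above the trip point produces an alarm instead of a trip.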

16 Human Machine Interface

Functionality of the HMI.

17 Special computations

Testing of any special computations performed with the SIS.

18 Reset functionality

Individual SIF and overall SIS reset functionality.

19 Bypass functionality

Testing of bypass facilities.

Consider both electrical (hand-switches/buttons) and mechanical (valve) bypasses and any alarms that annunciate their use/application.

Consider partial bypass facilities and include testing to ensure that they only bypass what they are thought to bypass (see ISA-TR84.00.03, 6.6 for details).

20 Manual shutdown functionality

Testing of manual shutdown functionality.

Consider individual SIF and overall plant shutdown requirements and the locations for these facilities.

21 Maintenance proof test procedures

Maintenance proof test procedures have been produced and integrated into the Computer Maintenance Management System.

Proof test interval and proof test coverage assumptions in the related SIL Calculations have been implemented effectively.

22 Maintenance testing facilities

Online and offline testing facilities that form part of the design of the SIS/SIF are tested.

Special tools required to perform the test/s are identified in the documentation and made available for the test.


23 Diagnostic alarm functionality

Test diagnostic alarms. These include both SIS "system" alarms, such as power supply failure, processor failure, etc., and SIF-specific alarms, such as voting channel deviation, bad PV, etc.

24 Power/Utility interruption

Test for the specified response to loss of utilities (i.e. electric, air, hydraulic power) and also to reintroduction of power/utilities.

25 EMC immunity

Test EMC immunity of the logic solver. Some common examples of sources of interference are:

site radio communication, mobile phones etc.

wireless laptops, Bluetooth-enabled PDAs, etc.

air conditioning systems starting/stopping/under full load, etc.

26 Voting arrangements

Test input / output voting arrangements.

(see ISA-TR84.00.03, 6.9.3 for credit that can be taken on FAT testing).

27 Special conditions of use

Test special conditions documented in the SRS, such as power quality, environmental conditions, heat tracing, minimum motive force on valve actuators, etc.

28 Field process installation

Check the field installation of each function against the relevant hook-up drawing by performing a "walk-through" with an Operations representative to verify that all installations are connected to the appropriate process connections with the correct orientation.

29 Discrepancy control/closure

Track all discrepancies uncovered during validation, and provide information on what action is taken to rectify each one. For each discrepancy, detail what course of re-testing is performed to ensure the correct result is observed and that no other erroneous faults are introduced to the system during the change. Detail also the approval of these re-testing activities, including the basis for the decision to approve. Approval of discrepancy closure should be carried out jointly between the appointed field and SIS engineers.

30 Documentation

Provide the fully completed copy of the validation documentation, ensuring that the results of all tests are recorded. The validation documentation should be signed to confirm completeness of all testing activities identified.

31 Pre-startup safety review (PSSR)

Confirm that a PSSR is included in the scope of the handover activities to Operations.


Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA’s primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society’s standards program, please write: ISA Attn: Standards Department 67 Alexander Drive P.O.Box12277 Research Triangle Park, NC 27709 ISBN: 978-1-937560-57-7