The best diagnostics are those you implement independently to verify that the process connection and field device are working from a total system and application perspective. No matter the diagnostic, the only way to be certain that an SIS device is working is to proof test it.
4. Partial testing is good enough. Partial testing only identifies specific failure modes of equipment. It's not a substitute for a complete function check that proves the equipment does what it needs to do as and when required. Major process industry incidents have shown that what you don't maintain eventually fails.
For example, the "push-to-test" feature on some electronic sensors only checks the electronics and doesn't determine whether the sensing elements are working properly. Partial stroke testing validates the valve actuator but not the ability of the valve to close fully or to meet leak tightness requirements. Partial tests can detect some failure modes. You must perform full proof testing, though, to demonstrate the specified operation of the equipment.
5. The main purpose of proof testing is failure detection. Unfortunately, IEC 61511 has encouraged this concept because it defines a proof test as an opportunity to detect dangerous undetected failures. However, detection isn't the primary goal of proof testing — its main purpose is finding weaknesses in your mechanical integrity (MI) strategy and triggering root-cause identification with a subsequent change in the specification, design, installation or strategy. You should consider any failure found in a proof test as a serious problem, requiring immediate investigation to prevent future failures.
Many incident investigations point out that a company had found and repeatedly corrected failures prior to an incident — but didn't prevent the failure from recurring by determining and addressing the root cause.
6. Proof testing suffices to ensure mechanical integrity. The proof test only validates MI, which depends upon inspection and preventive maintenance (Figure 1).
You should perform periodic inspections to identify and correct incipient issues and degraded conditions; this often is called proactive or condition-based maintenance. You can conduct some inspections externally during operation but others require more-rigorous internal inspection, such as looking at a valve seat or pulling wires to see if they're loose.
Also, perform regular preventive maintenance to replace parts with a shorter life expectancy than the major equipment components. This reduces the failure rate and extends the useful life of the equipment.
Proof testing demonstrates that the MI plan, consisting of inspection and preventive maintenance, suffices to sustain the equipment in the "as good as new" condition.
7. Relay-based safety systems aren't as good as safety programmable logic controllers (PLCs). Relays have extensive prior-use history in many industry sectors, very low failure rates, and readily predictable and well-understood failure modes. Relays can be installed locally with no need for climate-controlled enclosures (Figure 2).
Safety PLCs are more flexible and easier to modify — but this often leads to ad hoc programming. Without a detailed application program specification, a rigorous software development process and extensive testing, safety PLC programs can have significant undetected problems.
While safety PLCs have extensive diagnostics, this is largely because they have many components that can fail. Simplex safety PLCs have overall failure rates an order of magnitude greater than those of relays, and so need diagnostics and hardware fault tolerance to offset these higher rates.
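The trade-off in the last paragraph can be seen with a short added example (not from the original article). It uses the common single-channel, low-demand approximation with diagnostic coverage: the diagnosed share of the dangerous failure rate is exposed only for the repair time, while the undiagnosed share is exposed for half the proof-test interval. The failure rates, coverages and repair time are constructed assumptions chosen only to illustrate the order-of-magnitude gap the text describes, not vendor data.

```python
"""Added example: why a simplex safety PLC depends on its diagnostics to
match a relay that has none. Not code from the original article.

Single-channel, low-demand approximation with diagnostic coverage DC:
    lambda_DD = lambda_D * DC         found by on-line diagnostics, fixed within MTTR
    lambda_DU = lambda_D * (1 - DC)   found only by the proof test
    PFDavg   ~= lambda_DU * TI/2 + lambda_DD * MTTR
Rates, coverages and repair time below are constructed assumptions.
"""

TI_H = 8760.0    # yearly proof test
MTTR_H = 8.0     # time to repair a diagnosed failure once annunciated


def pfd_avg_with_diagnostics(lambda_d, dc, ti_h=TI_H, mttr_h=MTTR_H):
    """Average PFD of one logic-solver channel with diagnostic coverage dc."""
    lambda_dd = lambda_d * dc
    lambda_du = lambda_d * (1.0 - dc)
    return lambda_du * ti_h / 2.0 + lambda_dd * mttr_h


def breakeven_coverage(target_pfd, lambda_d, ti_h=TI_H, mttr_h=MTTR_H):
    """Diagnostic coverage at which a channel with rate lambda_d reaches target_pfd.

    Solves lambda_d*(1-DC)*TI/2 + lambda_d*DC*MTTR = target_pfd for DC.
    """
    return (lambda_d * ti_h / 2.0 - target_pfd) / (lambda_d * (ti_h / 2.0 - mttr_h))


# Constructed case: relay lambda_D = 5e-8 /h with no diagnostics; simplex PLC
# lambda_D ten times higher, evaluated at three diagnostic-coverage figures.
RELAY_LAMBDA_D = 5.0e-8
PLC_LAMBDA_D = 5.0e-7


def relay_vs_plc():
    """PFDavg of the relay and of the PLC at 99 %, 90 % and 60 % coverage."""
    return {
        "relay, no diagnostics": pfd_avg_with_diagnostics(RELAY_LAMBDA_D, 0.0),
        "plc, DC 0.99": pfd_avg_with_diagnostics(PLC_LAMBDA_D, 0.99),
        "plc, DC 0.90": pfd_avg_with_diagnostics(PLC_LAMBDA_D, 0.90),
        "plc, DC 0.60": pfd_avg_with_diagnostics(PLC_LAMBDA_D, 0.60),
    }


if __name__ == "__main__":
    results = relay_vs_plc()
    for name, pfd in results.items():
        print(f"{name:24s} PFDavg = {pfd:.2e}")
    dc = breakeven_coverage(results["relay, no diagnostics"], PLC_LAMBDA_D)
    print(f"PLC needs DC >= {dc:.3f} just to equal the relay")
```

With a tenfold higher dangerous failure rate, the PLC only matches the relay once its diagnostics cover about 90 % of dangerous failures, and it beats the relay only if the claimed 99 % coverage is real in the installed application. If the effective coverage is lower, for example because the application program or field wiring defeats a diagnostic, the same PLC is several times worse than the relay, which is why the diagnostic and hardware-fault-tolerance claims behind a safety PLC deserve as much scrutiny as its programming.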