I recently assisted a customer in testing a newly installed Safety Instrumented System (SIS) at a Natural Gas Liquids (NGL) processing facility. The activity was a Site Acceptance Test (SAT) in which each Safety Instrumented Function (SIF) is thoroughly tested. The plan involved exercising each transmitter through its range of normal operation, alarm points, and trip points. Final elements were reset and observed to change state during a trip, thereby proving that the SIF logic as well as all field devices were functioning properly. We encountered a non-conformance when testing for transmitter fault conditions. The procedure involved driving the transmitter outside the normal 4 to 20 mA range. The expected behavior is for this to be detected by the SIS logic solver, and for the associated process variable to be placed in a vote-to-trip state. In the first test, we drove the transmitter below the calibrated range, resulting in a signal below 4 mA at the PLC. However, no vote-to-trip occurred. The signal was lowered to 3 mA, 2 mA and so forth, but no change in state was observed. We discovered that the configuration of the logic solver relied upon fault detection at the Analog Input module, which would set a fault bit and communicate this to the processor. This logic was not functioning properly. The resolution was to program logic in the SIS application for the processor to detect the out-of-range condition and properly place the process variable in a vote-to-trip state.
A thorough examination of the SIS should include defining the saturation current of each transmitter, or type of transmitter, used as input to the SIS. Saturation current is the lowest current that a transmitter will generate while still functioning within the calibrated range. For example, a transmitter may be calibrated to read 100 psig to 1500 psig, with 4 mA corresponding to 100 psig. The saturation current for such a transmitter may be 3.9 mA. The fault detection threshold is typically set at 0.1 mA below the saturation current, or at another value specified by the vendor. This results in fault detection at 3.8 mA or below for this example. Logic was also programmed to detect an over-range fault; however, each transmitter is configured to drive the signal downscale on a self-diagnosed fault condition. Again, the exact value of the fault current will vary from vendor to vendor, but it will be significantly lower than the saturation current. For example, the fault current may be 3.75 mA, which would be detected by our "3.8 mA or less" PLC diagnostic.
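The processor-side range check described above, as an added example that is not the customer's SIS application code or any vendor's logic: it applies the post's 100 to 1500 psig transmitter with a 3.9 mA saturation current and a 3.8 mA fault threshold, and treats the 20 mA over-range limit, the 3.75 mA fault current and a 1400 psig high-trip setpoint as assumed test values. It reproduces the SAT sweep from the first paragraph in software so a practitioner can see which currents must produce a vote-to-trip.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TransmitterConfig:
    """Per-transmitter values the SIS application logic needs to evaluate an input."""
    lrv: float                      # engineering value at 4 mA (100 psig in the post)
    urv: float                      # engineering value at 20 mA (1500 psig in the post)
    saturation_ma: float            # lowest current still inside the calibrated range
    fault_margin_ma: float = 0.1    # fault threshold sits this far below saturation
    over_range_ma: float = 20.0     # assumed: anything above this is an over-range fault
    trip_setpoint: Optional[float] = None  # assumed high-trip setpoint, engineering units

    @property
    def low_fault_ma(self) -> float:
        # 3.9 - 0.1 = 3.8 mA in the post's example; at or below this is a fault
        return round(self.saturation_ma - self.fault_margin_ma, 3)


@dataclass(frozen=True)
class InputState:
    pv: Optional[float]   # engineering units; None when the signal cannot be trusted
    vote_to_trip: bool
    reason: str


def evaluate_input(current_ma: float, cfg: TransmitterConfig) -> InputState:
    """Out-of-range handling done in the processor, independent of the AI module's fault bit."""
    if current_ma <= cfg.low_fault_ma:
        # Catches the transmitter's own downscale fault current (e.g. 3.75 mA) and an open loop (0 mA)
        return InputState(None, True, "under-range fault")
    if current_ma > cfg.over_range_ma:
        return InputState(None, True, "over-range fault")
    # Linear 4-20 mA scaling; readings between 3.8 and 4 mA land slightly below lrv but are valid
    pv = cfg.lrv + (current_ma - 4.0) * (cfg.urv - cfg.lrv) / 16.0
    if cfg.trip_setpoint is not None and pv >= cfg.trip_setpoint:
        return InputState(pv, True, "process trip setpoint exceeded")
    return InputState(pv, False, "normal")


# Constructed example transmitter from the post, with an assumed 1400 psig high trip
EXAMPLE_PT = TransmitterConfig(lrv=100.0, urv=1500.0, saturation_ma=3.9, trip_setpoint=1400.0)


def sat_sweep(cfg: TransmitterConfig, currents_ma) -> dict:
    """Mirror of the SAT procedure: drive the input through each current and record the result."""
    return {ma: evaluate_input(ma, cfg).reason for ma in currents_ma}


if __name__ == "__main__":
    for ma, reason in sat_sweep(EXAMPLE_PT, [0.0, 2.0, 3.75, 3.8, 3.9, 4.0, 12.0, 19.0, 20.0, 20.5]).items():
        print(f"{ma:5.2f} mA -> {reason}")
```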
The important concept here is to understand the engineering techniques used to verify that the design of the SIF meets the Safety Integrity Level (SIL) target. This is known as SIL Verification, which involves reliability engineering principles and an examination of possible device failure modes. Each transmitter will have a characteristic failure rate for failure modes such as "Fail High", "Fail Low", and "Fail in Place". Self-diagnosed fault conditions are usually configured to result in a "Fail Low" effect. The SIL verification calculations typically assume that all over-range (>20 mA) or under-range (<4 mA) conditions result in a vote-to-trip, which converts a potentially dangerous failure mode into a safe outcome. This reduces the SIF probability of failure on demand (PFD) and increases the achieved Risk Reduction Factor (RRF). It would be a significant gap if the SIS configuration for fault detection did not match the assumptions used in SIL verification.
At Kenexis, we always require function test plans to verify proper handling of transmitter faults by the SIS Logic Solver. When using a Safety PLC that is certified for SIS applications, this fault handling is typically the default configuration. However, when using a general purpose industrial PLC with a safety configuration, this type of fault handling may require application programming. Please contact Kenexis if you'd like more guidance on SIS function testing, also called proof testing.