How to maintain the SIL-rating ​​of a machine protection system

The SIL-rating of a SIL loop degrades over time. Therefore the safety integrated function (SIF) of the safety instrumented system (SIS) must be tested with a certain frequency, which is usually determined by the OEM of the system. After all, it is important to make sure a machine protection system will function properly when it’s supposed to. This article underlines the necessity to perform full proof-tests and partial proof-tests to maintain the SIL-rating of a machine protection system.

The end user of a safety system is responsible to ensure proof-tests are carried out according to the specifications of the manufacturer (OEM). With these proof-tests the probability of a malfunction (PFD: probability of failure on demand) stays within tolerable limits. Two type of proof-tests can be used to maintain the SIL-rating; full proof-tests and partial proof-tests.

 

The SIL-rating of a safety loop decreases over time. By carrying out partial proof-tests and full proof-tests the SIL-rating can be maintained or restored. 

Full proof-tests

A full proof-test is carried out during a planned standstill (e.g., a turnaround). During this test any dangerous failure mode is tested, covering 100% of the safety functions of a machine protection system. The SIL-rating is then restored to its original value. After the test has taken place and the SIL-rating is restored, it will again degrade over time. By carrying out a full proof-test with a certain frequency, the SIL-rating can be maintained continuously.

Full proof-tests are not always possible; some machines are required to be operational at all times, except during turnaround projects. In that case downtime to test a safety system is too expensive to justify doing a full proof-test. A partial proof-tests is a good alternative, but will not completely restore or maintain the SIL-rating. However, it is much more applicable as the machine can be (partially) operational during a partial proof-test.

Partial proof-tests

With partial proof-tests 2oo3 testing can be used. This means two parts of the safety loop are secured while testing while testing the third part, in a 2oo3 sensor configuration this would mean testing one sensor and securing the other two sensors. The safety functions of the safety system are partially tested, but never fully as this requires testing all safety components to be tested simultaneously. 100% coverage thus cannot be achieved using this testing method. Therefore, a partial proof-test will only restore the SIL-rating to a certain extent. This benefits the SIL-rating less than a full proof-test, but is often easier to apply because the machine does not have to be (completely) stationary by means of 2oo3 testing. The SIL-rating then decreases again over time, the rate at which this happens depends on the coverage (%) of the partial proof-test.

Functional safety consultancy

Istec offers a consultancy service to determine the SIL proof-test procedure in advance. It is also possible to have the SIL proof-test performed during troubleshooting by one of Istec’s functional safety engineers. Read more about our functional safety consultancy »