Maintenance and proof test requirements for SIL overspeed detection systems

Because the integrity of a safety-related system degrades over time, periodic testing (known as proof testing) is essential in order to detect hidden failures. So it is of crucial importance that all safety instrumented systems (SISs) have a maintenance plan in place to support their ongoing operation. This compensates for the safety system integrity degrading over time and helps ensure that the safety system’s required SIL level is maintained.

About safety system integrity test

Put simply, it is essential to test the integrity of any safety instrumented system (SIS) because otherwise an undetected failure may be left unrevealed until a demand is actually placed upon the system, with the result that the safety function might fail when required.

With this in mind, proof testing is used to help ensure safety system integrity by testing in order to catch any failures not detected by any diagnostics of the safety system. In this way, the safety system is restored as close as possible to an “as new” condition. As such, proof testing is critical to ensuring the integrity of a safety system throughout its lifecycle and must be performed routinely at a specified interval.

Safety system integrity over time

Safety system integrity can be considered a measure of the probability that a safety-related system will function as required when required, and is indicated by the safety integrity level (SIL). The application itself determines the particular SIL required: the higher the SIL level, the higher the associated safety level and the lower the chance of failure.

Although the integrity of a safety system degrades over time due to many factors such as undetected failures and/or the degradation of electronics or materials, the probability of failures can be minimized in the design process.

The main purpose of an overspeed detection system (ODS) is to ensure that a machine will be stopped if an overspeed event occurs. Accordingly, an ODS that is fundamentally simple and concentrates on core safety concerns (that is, with minimal non-safety related functionality) will be inherently more reliable and robust. Basically, if a safety product has fewer features, the probability of a failure is smaller and the proof testing requirements are less demanding.

Read more about ODS as an isolated layer of protection

SIS maintenance plan

The maintenance plan of a SIS is of crucial importance because it is the key to reducing the rate of dangerous-undetected failures and maintaining the safety integrity of the SIS. In general, there are three complementary tests that can constitute a maintenance plan:

• Diagnostic test - Safety system components often include diagnostics, a type of built-in self-test (BIST), which be used to detect certain types of failures without interfering with the normal operation of the system. Diagnostics typically run frequently (order of seconds, minutes or hours) but diagnostic coverage (DC) is limited to <100% (that is, not all failures can be detected since the system cannot be interrupted). So, even with diagnostics, the safety integrity level (SIL) will degrade over time (albeit at a slower pace compared to a system that does not include diagnostics).
• Partial proof test - Used to partially test the functionality of a SIS through a manual intervention at a scheduled interval. Operational/production pressures can make it difficult to run a full proof test, in which case a partial proof test can be a good compromise. After a partial proof test, some undetected failures could remain and the SIL will degrade over time.
• Full proof test - Used to fully test (100%) the functionality of a SIS through a manual intervention at a scheduled interval. In theory, after a full proof test, the system is restored to an “as new” condition.

Maintenance and testing guidelines for users

End-users of a SIL overspeed detection system should follow original equipment manufacturer (OEM) or safety system supplier recommendations for maintenance and proof testing in accordance with the safety system’s life cycle. Such systems are developed and/or certified in accordance with the IEC 61508 “functional safety” standard process, which requires that a safety manual is available to provide all of the necessary information regarding frequency of maintenance, proof testing, calibration, etc.

Similarly, the 5th edition of the API 670 “machinery protection systems” standard states that “Routine test intervals are determined by the responsible party, unless the system is an IEC 61508 or IEC 61511 certified system where it is dictated by the certification report” (or safety manual). (Refer to API 670 5th edition, section 8.4.4.6 note 2.).

---

Back to blog list

Learn more