Critical care

Knowledge base

The management of safety critical devices has been an important part of operations for many years. Here, a team at E.ON explain how they proof test and manage the safety requirements and integrity levels of such devices, as well as detailing some common pitfalls on the road to regulatory compliance.

Within mature power plants, safety instrumented systems (SIS) are key to ensuring safe operation as an integral element of the layers of protection for any asset. Within these, failure of any of the safety instrumented functions (SIF) could result in severe injuries or even loss of life and would be in contravention of health and safety legislation in the UK, which requires all risks to be reduced as low as is reasonably practicable (ALARP), not to mention the significant costs to repair or replace the assets, which can run into millions.

At E.ON, our asset portfolio includes combined heat and power plants as well as biomass plants that require numerous safety instrumented functions to ensure safe operation. Examples of equipment with integral SIF within our sites include:

- Boilers, including heat recovery steam generators
- Turbines
- Emergency shutdown systems
- Burner management systems

A safety framework

The management of safety critical devices has been an important part of the operations of many industries for a number of years. Within the power generation sector, BS EN 61511 provides a framework for the design, implementation, commissioning, operation and maintenance of SIS. It is essential that these systems achieve a certain minimum standard and performance level. In particular, proof testing of safety critical devices is essential to ensure their safe operation. However, it can be challenging in a mature environment, where the devices are already in use. Here, we'll take you through proof testing safety critical devices in such an environment, as well as how to manage the safety requirements and integrity levels of these devices.
This article intends to inform rather than guide. We'll also describe some common pitfalls that can lead to non-compliance with regulatory standards.

The challenge with some legacy plants with installed SIS is that they may not have a single documented Safety Requirements Specification (SRS) as required by BS EN 61511, because they pre-date it. Any requirements to calculate safety integrity levels (SILs), and planning outages to complete some of the tests, may be complex. This was the case with some of our assets, and we took the view to define descriptions of our SIFs within cause-and-effect diagrams and develop testing regimes.

For installed SIS, it is recognised that retrospective application of the full requirements of the current version of BS EN 61511 may not be reasonably practicable (whether or not the SIS was originally compliant with previous versions), and therefore it is not expected that SIS hardware/software be upgraded or replaced to seek full compliance with the current version of the standard. Instead, decisions are made based upon whether improvements would deliver risk reduction in a reasonably practicable way. In some cases, we raised asset risk entries for further consideration to demonstrate ALARP.

Buncefield lessons

GENSIP (Generators Safety Integrity Programme) was formed in 2006 in response to emerging integrity issues in the energy industry. One extreme example of what can happen should safety instrumented functions fail is the Buncefield incident that occurred on 11 December 2005. A storage tank level gauge showed a constant reading because of a failure, and the high-level alarm switch had also jammed. As a result, the tank, which contained gasoline, overflowed, leading to one of the largest recorded explosions in peacetime. A further 20 tanks were set alight and burned for three days, leading to significant damage.
The Health and Safety Executive and the Environment Agency issued a warning on the steps of the court following the prosecution of those responsible for the Buncefield incident. The warning formed the three process safety questions, simply put:

- Do we know what can go wrong?
- Are systems in place to prevent this?
- Do we know they will work?

An early draft of a GENSIP good practice guidance document in 2008 was used to manage safety related systems in E.ON to answer these three questions. A management instruction was created to manage all protective devices across all power stations, which at that time was a significant portfolio. The evolution of this document has provided a more practical way of maintaining safe compliance in a mature environment.

Proof testing and partial proof testing

BS EN 61511 requires that periodic proof tests be conducted using a written procedure to reveal undetected faults that prevent the SIS from operating in accordance with the SRS, and to verify that they perform their required functions under specified conditions. The standard requires that the entire SIS shall be tested, including the sensor(s), the logic solver and the final element(s) (for example, shutdown valves and motors), wherever possible. The frequency of the proof tests is initially decided based on the probability of failure on demand (PFD) as determined through SIL calculations. The standard also requires that the frequency of testing is re-evaluated at periodic intervals based on various factors, including historical test data, plant experience, hardware degradation and software reliability. E.ON performed SIL verification and, because of the nature of our 24/7/365 operations, a risk-based decision that took GENSIP recommendations into account was made to align proof test intervals.
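To show how the proof test interval drives the PFD and hence the SIL band, here is an added Python calculation that is not part of the article or of E.ON's method: it uses the simplified IEC 61508-6 low-demand approximation (PFDavg of roughly lambda_DU x T / 2, with the partial/full split weighted by proof test coverage) and constructed failure rates. The "partial valve stroke test annually, full stroke test every two years" split it models is the one described in the next section; the failure rates, coverage and element names are assumptions.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

@dataclass
class Subsystem:
    """One element of a 1oo1 SIF: sensor, logic solver or final element."""
    name: str
    lambda_du: float                 # dangerous undetected failure rate, per hour (constructed)
    full_test_years: float           # interval of the full proof test
    partial_test_years: float = 0.0  # interval of the partial proof test (0 = none)
    coverage: float = 0.0            # proof test coverage of the partial test (PTC, 0..1)

    def pfd_avg(self) -> float:
        """Low-demand PFDavg, lambda_DU*T/2, split between partial and full tests when
        a partial test exists (MTTR, common cause and detected failures ignored)."""
        t_full = self.full_test_years * HOURS_PER_YEAR
        if self.partial_test_years <= 0 or self.coverage <= 0:
            return self.lambda_du * t_full / 2
        t_part = self.partial_test_years * HOURS_PER_YEAR
        return (self.coverage * self.lambda_du * t_part / 2
                + (1 - self.coverage) * self.lambda_du * t_full / 2)

def sif_pfd_avg(subsystems) -> float:
    """Sensor, logic solver and final element act in series, so their PFDs add."""
    return sum(s.pfd_avg() for s in subsystems)

def sil_band(pfd: float) -> int:
    """SIL achievable for a given PFDavg in low-demand mode (0 = below SIL 1)."""
    for sil, lower in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if pfd < lower:
            return sil
    return 0

def max_full_test_years(lambda_du: float, target_pfd: float) -> float:
    """Longest full-test interval that keeps a single element at target_pfd."""
    return 2 * target_pfd / lambda_du / HOURS_PER_YEAR

# Constructed rates for a level-trip SIF; the valve is full-stroke tested every
# two years, with and without an annual partial valve stroke test of 70% coverage.
SENSOR = Subsystem("level transmitter", 5e-8, full_test_years=1)
LOGIC = Subsystem("logic solver", 1e-8, full_test_years=1)
VALVE_FULL_ONLY = Subsystem("shutdown valve", 1e-7, full_test_years=2)
VALVE_WITH_PST = Subsystem("shutdown valve + PST", 1e-7, 2, partial_test_years=1, coverage=0.7)

if __name__ == "__main__":
    for valve in (VALVE_FULL_ONLY, VALVE_WITH_PST):
        pfd = sif_pfd_avg([SENSOR, LOGIC, valve])
        print(f"{valve.name}: PFDavg={pfd:.2e} -> SIL {sil_band(pfd)}")
```

With these constructed rates the SIF only reaches SIL 1 on a two-yearly full stroke test alone, and SIL 2 once the annual partial stroke test is credited, which is the kind of result that informs the interval split.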
In addition, each SIS shall be periodically visually inspected to ensure there are no unauthorised modifications and no observable deterioration (for example, missing bolts or instrument covers, rusted brackets, open wires, broken conduits, broken heat tracing and missing insulation). The standard also requires that records are maintained to certify that proof tests and inspections were completed as required. The records we maintain include the following information:

- Description of the tests and inspections performed
- Dates of the tests and inspections
- Name of the person(s) who performed the tests and inspections
- Serial number or other unique identifier of the system tested (for example, loop number, tag number, equipment number and SIF number)
- Results of the tests and inspections (eg, as-found and as-left conditions)

Where a complete proof test is not possible, particularly in complex systems, we instead apply partial proof tests. The decision on whether to implement partial proof testing requires judgement by a competent person based on the component types, the relative costs of periodic maintenance, replacement and overhaul, and the access to the equipment. A partial proof testing strategy requires the definition of two or more proof test intervals. Ordinarily, this is defined as a more frequent partial test followed by a less frequent full test (typically timed to fit in with normal plant shutdown periods). From our experience, this split may be at the component level (for example, sensor and logic solver annually, and final elements every two years) or be split by specific component failure modes (for example, sensor, logic solver, solenoid valves and partial valve stroke test annually, and full valve stroke test every two years).

Author bios

Dr Leslie Moyo is Lead Asset Compliance Engineer supporting E.ON power stations with governance and compliance requirements. He has extensive experience within the power generation, mining and oil and gas industries.
Paul Thorpe is an Asset Risk and Process Safety Engineer supporting sites across E.ON in the UK. Prior to working for E.ON, he delivered safety and quality management systems and held roles as an automation and controls engineer across industry sectors.

John Baxter leads the Asset Management Governance team at E.ON UK Solutions in Coventry, UK. He works with the power stations and other forms of generation and energy solutions to continually improve the integrated Asset Management System. He started as an apprentice maintenance technician and has worked in aerospace, defence, automotive and conformance consulting prior to the energy sector.

[Image: A heat recovery steam generator at one of the sites]
[Image: Shell-type boiler with auxiliary gas firing]

Monitoring and reporting

To ensure that safety critical devices are being managed effectively, it is important to establish a monitoring and reporting system. This system should include both internal and external audits, as well as incident reporting. By tracking these data points, you can identify any areas where improvement is needed. Additionally, regular communication with all stakeholders is essential to ensure that everyone is on the same page and working towards the same goal.
Our inspection and testing strategy aims to identify, and carry out a suitable investigation to determine the causes, when any of the following events occur:

- Correct activation of a safety function that prevented an incident occurring
- Correct activation of a safety function, but a hazardous consequence still occurred
- Spurious activation of a safety function
- Incomplete activation of a safety function, ie one or more elements did not perform as intended during a genuine or spurious demand on the system
- Detection of a hidden/latent fault or failure during routine proof testing, visual inspection or maintenance activities (including electronic diagnostics) that would have prevented the correct operation of the system
- A revealed/evident fault or failure occurring during operation
- Condition of components being much worse than expected during a scheduled component inspection or replacement task, eg accelerated corrosion or wear in a component scheduled to be replaced

Any findings are reported in our computerised maintenance management system (CMMS), and corrective work orders at a high priority are expected to be raised for any defects associated with SIS devices. We use measurement points to record the as-found and as-left conditions. Here is an example of how this is set up (the original article shows a screenshot; note that the measuring point number is the next available in the SAP system):

1) The MeasPosition (highlighted in the screenshot) is set to a suitable text value, eg Proof Test (this allows these points to be found through a search)
2) A description is entered if required
3) The code group is set to Proof Test in the available drop-downs.
The values are:

- Proof Test
  - As Found: Found failed; Found working
  - As Left: Left failed; Left working; Left failed unable to fix

Through this system, we are also able to track upcoming proof tests, backlogs, planned maintenance work for SIFs and recorded defects against safety critical devices, and run a dashboard showing the status of all SIS at any given point in time for management action.

Mature journey

We have provided an overview of the management of SIFs in a mature environment. The CMMS of choice for our power stations is SAP, but the approach could relatively easily be configured for other systems. It has been quite a journey getting to this stage because of the complexity involved and the diligence required, but it provides a warm feeling that we are operating on the right side of ALARP, and so the risk of a catastrophic incident is mitigated as is required.
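As an added illustration, not the article's or E.ON's SAP configuration, the following Python script applies the as-found/as-left code values and the investigation triggers described above to constructed proof test records: it flags overdue tests (backlog), upcoming tests, latent faults revealed by a proof test and devices left unable to perform, and rolls them up into the kind of status dashboard the article describes. The 30-day look-ahead, the record fields and all tag and SIF names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Code group values from the article's SAP measuring point set-up
AS_FOUND = {"Found failed", "Found working"}
AS_LEFT = {"Left failed", "Left working", "Left failed unable to fix"}
DUE_SOON_WINDOW = timedelta(days=30)   # assumed look-ahead for "upcoming" proof tests

@dataclass
class ProofTestRecord:
    sif: str
    tag: str
    interval_days: int
    last_test: Optional[date]   # None = no proof test recorded in the CMMS
    as_found: str = ""
    as_left: str = ""

def assess(rec: ProofTestRecord, today: date) -> List[str]:
    """Flags a record raises under the inspection and testing strategy above."""
    flags = []
    if (rec.as_found and rec.as_found not in AS_FOUND) or (rec.as_left and rec.as_left not in AS_LEFT):
        return ["invalid_code"]          # reject the record before drawing any other conclusion
    due = None if rec.last_test is None else rec.last_test + timedelta(days=rec.interval_days)
    if due is None or due < today:
        flags.append("overdue")          # backlog: proof test not done within its interval
    elif due - today <= DUE_SOON_WINDOW:
        flags.append("due_soon")         # upcoming proof test
    if rec.as_found == "Found failed":
        flags.append("latent_fault")     # hidden fault revealed by proof testing: investigate the cause
    if rec.as_left in ("Left failed", "Left failed unable to fix"):
        flags.append("open_defect")      # device left failed: high-priority corrective work order
    return flags

def dashboard(records: List[ProofTestRecord], today: date) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rec in records:
        for flag in assess(rec, today):
            counts[flag] = counts.get(flag, 0) + 1
    return counts

# Constructed sample records (not real E.ON data); today is fixed for repeatability.
TODAY = date(2024, 6, 1)
RECORDS = [
    ProofTestRecord("SIF-01", "LT-101", 365, date(2023, 5, 20), "Found working", "Left working"),
    ProofTestRecord("SIF-02", "XV-201", 730, date(2023, 1, 15), "Found failed", "Left working"),
    ProofTestRecord("SIF-03", "PT-301", 365, date(2024, 5, 25), "Found failed", "Left failed unable to fix"),
    ProofTestRecord("SIF-04", "BMS-401", 365, None),
    ProofTestRecord("SIF-05", "LSH-501", 365, date(2023, 6, 15), "Found working", "Left working"),
]
```

Calling dashboard(RECORDS, TODAY) on the sample data reports two overdue tests, one due soon, two latent faults found during proof testing and one open defect.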