Local Fuel PLC –The Shoreham Oil Terminal

Safety Instrument System LFS-SIS1 - Operation, Maintenance and Modification Lifecycle

P & I Design Ltd

DOCUMENT NO: LF364013_RPT

2 Reed Street, Thornaby, UK, TS17 7AF

ISSUE: B DATE: 16.05.16

Tel: + 44 (0)1642 617444

PAGE 6 OF 11

Fax: + 44 (0)1642 616447

www.pidesign.co.uk

5

LIFECYCLE PHASE – STAGE 4

5.1

Proof Testing

The purpose of the this proof testing is to reveal dangerous undetected failures and confirm

the correct operation of known safe detected failures so that, if necessary, the SIS can be

restored to its designed functionality. During normal operation, components of the SIS are

subject to the possibility of random hardware failures. These failures may be safe failures

that could lead to spurious trips or dangerous failures that may prevent the SIS operating

correctly when required. Dangerous failures may not be revealed and therefore there may be

no indication that these failures exist. The failure modes of all components cannot be fully

accounted for therefore these can only be confidently revealed by carrying out a full end to

end proof test by simulating the process conditions as closely as possible. Detected failure

diagnostics not functioning correctly could result in the system not being available to

operations when there is a process requirement.

Testing will be carried out in accordance with the following guidance:-

Proof Testing of Safety Instrumented Systems in the Onshore Chemical / Specialist Industry

OG-00054 and Principles for proof testing of safety instrumented systems in the chemical

industry. Contract Research Report - 428/2002. Prepared by ABB Ltd. for the Health and

Safety Executive.

The following is an extraction from the report 428/2002, Section 4.2.4 Conclusions and

Recommendations:

Based on the research, the following recommendations are made:



a method of SIS initiation should be adopted which adequately establishes that the

SIS would operate under operating conditions;



where reasonably practicable, SIS initiation should be via manipulation of the

process variable using process fluids. The provision of facilities for achieving this

should be considered during design of SIS;



the initiation of SIS should not involve placing the process in a state where failure of

the SIS under test could lead to a hazardous situation;



SIS should be proof tested as found rather than being disturbed, thereby reducing the

potential for unrealistic tests, loss of as found system failure data and introduction of

faults on system reinstatement.

In the testing procedures we have followed these recommendation as far as possible.

Trip Initiation

The methods of initiating SIS are many and varied but whatever the method it must provide

adequate confidence that the SIS would be initiated if required under operating conditions. A

distinction must be drawn between manipulation of the process variable and manipulation of

the process. Manipulation of the process variable without driving the process into a

potentially hazardous situation should be achieved where reasonably practicable.

Manipulation of the process may be necessary to provide a realistic test of functionality but

this must be accompanied by a risk assessment to ensure that the probability of achieving an

unsafe state remains acceptably low. Equally, any departure from realistic operating