Instrumented Protective Functions Test Procedure Revision1

Petroleum Development Oman L.L.C.

UNRESTRICTED Document ID : PR-1094

August 2004 Filing Key

Instrumented Protective Functions

Test Procedure

Keywords: IPF, IPS, Initiator, Final Element, Testing, STANDARD TEXT (MCP)

This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of
this document may be disclosed to others nor reproduced, stored in a retrieval system, nor transmitted in
any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior written
consent of the owner.

PR-1094 1 August 2004

Instrumented Protective Functions Test Procedure Revision1

Authorised For Issue: July 2004

........................................
Balushi, Ibrahim TIO(UOM5)
CDFP Control & Automation

........................................
Barwani, Saif TIE (UES)
CFDH Control & Automation

........................................
Naamany, Naaman UOX
CFDH - OPERATIONS EXCELLENCE

The following is a brief summary of the 3 most recent revisions to this document. Details of all
revisions prior to these are held on file by the issuing department.

Revision No. Date Author Scope / Remarks

Rev 1 July 04 UOM/5 Revision 1
Rev 0 Feb 99 UES/1 OP-07 re-written to new format and in
accordance with DEP 32.80.10.10

PR-1094 2 August 2004

Instrumented Protective Functions Test Procedure Revision1

Contents

1. Introduction............................................................................................................. 4
1.1 Background.......................................................................................................... 4
1.2 Purpose ................................................................................................................ 4
1.3 Distribution / Target Audience ............................................................................ 4
1.4 Structure of This Document................................................................................. 4

2. Procedure................................................................................................................ 5
2.1 Scope ................................................................................................................... 5
2.2 Procedure Description ......................................................................................... 9
2.3 Roles/Authority and Responsibilities ................................................................ 12
2.4 Execution of the Procedure................................................................................ 13
2.5 Related Forms.................................................................................................... 13
2.6 Related Business Control Documents................................................................ 13
2.7 Review and Improvement.................................................................................. 13
2.8 Step-out and Approval....................................................................................... 14
ATTACHMENT 1 - User Feedback Sheet ............................................................. 15

PR-1094 3 August 2004

Instrumented Protective Functions Test Procedure Revision1

1. Introduction
1.1 Background

Testing of Instrumented Protective Functions is one of the key activities for the
continued assurance of the technical integrity of facilities or plants. The application of
this Procedure is mandatory and it shall be taken into account when preparing the
Integrated Production Plan (I.P.P.). It applies to all PDO Installations.

1.2 Purpose

The purpose of this procedure is to specify responsibilities and describe the steps to be
followed in the testing of Instrumented Protective Functions.

1.3 Distribution / Target Audience

Operations and field Maintenance personnel, Campaign Team Personnel. Also it could
be use as a reference for Support Staff, Engineering Staff and Technical Services
Personnel.

1.4 Structure of This Document

• Procedure
• Roles, Authority and Responsibilities
• Schedule of when to apply this procedure
• Forms to be used

PR-1094 4 August 2004

Instrumented Protective Functions Test Procedure Revision1

2. Procedure
2.1 Scope

This procedure covers the testing of Instrumented Protective Functions (IPF's) that have
been installed as integral components of process facility Safety Systems. This includes
alarms and pre-alarms which need not be implemented in a separate IPS.

2.1.1 Definitions (based on DEP 32.80.10.10)

Term Definition

Levels of Protection
Safety systems of process facilities normally consist of two levels of
protection to prevent or minimise the effects of an failure of
equipment within the process. These two levels of protection are
independent of, and in addition to, the control devices used in
normal process operation. The two levels of protection are the
highest order (primary) and next highest order (secondary) available.
The primary level of protection normally consists of an
instrumentation-based system electronic, hydraulic and/or
pneumatic. A direct-operated relief valve forms the preferred
secondary level of protection. Ref. API RP 14C, section 3.4. The
actual levels of protection will be determined by formal IPF
classification.

Instrumented Protective A function comprising the Initiator function, Logic Solver function
Function (IPF) and Final Element function for the purpose of preventing or
mitigating Hazardous Situations (See fig.1).

Shutdown Levels Instrumented Protective Systems are structured into a number of

shutdown levels dependent on the hazard and plant architecture.
See Table below. Ref. EP 95-0230.

SIL Classification Instrumented Protective Functions have been classified based on the
methodology as per DEP 32.80.10.10. The result of this
classification process is an SIL class and robustness qualification
against Dangerous Failure and safe failures. The defined SIL class
and the implemented robustness determine the required test interval

SIL a1 An alaram only function ( No Trip Function)

SIL a2 Switching function and can be implemented in a control system (e.g.

DCS/FCS)

SIL 1 Safeguarding function with Function is implemented in a

PFD ≥ 10-2 to <10-1
SIL 2 Safeguarding function with
PFD ≥ 10-3 to <10-2
SIL 3 Safeguarding function with
PFD ≥ 10-4 to <10-3
failsafe logic solver system
(PLC), TUV approved / Relay
/ pneumatic / hydraulic,
electromechanical, electronic
and/or programmable
electronic Logic Solvers.

SIL 4 Safeguarding function with PFD ≥ 10-5 to <10-4. Function shall be

solid state or magnetic core to meet the SIL4 requirement. SIL 4
classifications are implemented if un avoidable i.e can not be re
designed to lower the SIL class.

PFD Probability of Failure on Demand

Trip An Instrumented Protective Function action to bring the Final

Element(s) to a safe state.

PR-1094 5 August 2004

Instrumented Protective Functions Test Procedure Revision1

Alarm An automatic function which detects a change from the normal

condition and initiates a warning system to attract attention to the
abnormality.

Pre-Alarm An automatic function, similar to an alarm, which is however

followed by a trip if the process excursion reaches the trip setting

Dangerous Failure A Failure that has the potential to place the IPF in a state in which it
will fail to perform its function. Dangerous Failures are usually only
safe when the system has to perform a certain action or through
testing. Formerly known as unrevealed failure.

Test A method designed to verify that a trip, (pre-)alarm or protective

system would operate correctly when required.

Comprehensive Test A method whereby, on initiation of an Initiator, all related logic

functions and their Final Elements are allowed to operate, resulting
in a related equipment / process shut down.

Inhibited Test Employs the use of overriding devices to maintain the process
equipment in running condition whilst enabling the functionality of
an Initiator to be tested.

Instrumented Protective System The pneumatic, hydraulic, electromechanical, electronic and/or

programmable electronic Logic Solver component of the
Instrumented Protective Function, complete with input and output
equipment.

Initiator A device or combination of devices that indicates whether a process

or equipment item is operating outside the operating envelope. The
Initiator includes input cards and input relays and the annunciator.
Examples are manual switches, position switches and measurement
systems (including process connections, sensors, transmitters,
cabling, trip amplifiers or input cards etc.).

Logic Solver The portion of an Instrumented Protective Function which performs

the application logic function. The Logic Solver excludes trip
amplifiers, input cards and output cards. Examples are
electromechanical relays, solid-state/magnetic-core logic and the
Central Processing Unit (CPU) section of programmable electronic
systems.

Final Element A device or combination of devices that manipulate a process

variable or attract the attention of the operator to achieve risk
reduction. The Final Element includes output cards or output relays,
solenoid valves and cabling. Examples are valves, switchgear
(rotating equipment stop circuits) and alarms.

Test Procedure Details the method of testing. Test procedures will be held in SAP as
Standard text (MCP).

SAP Systems, Applications and Products

SIL Safety Integrity level

Shutdown Levels

Usual Abbreviation Typical Action

PSD-3 • Equipment shutdown (e.g. of a compressor or pump)
PSD-2 • Partial plant shutdown (e.g. of a processing train)
PSD-1 • Total shutdown, no depressurisation (unless required
for specific reasons, e.g. compressor seal protection)

PR-1094 6 August 2004

Instrumented Protective Functions Test Procedure Revision1

ESD • Total process shutdown with plant depressurisation

and closure of Well SSSV’s

Fig 1 Typical Instrumented Protective System

IPS

Transmitters
Trip Ampl.

ESD/PSD
Maintenance Valves
Process Connection

MOS
O
Overrides
Switches

X Process Connection
SW
I
Pushbuttons
Breaker Circ.

X
PB

O
Other Systems Pumps/Motors
Compressors/Turbines

INITIATORS LOGIC SOLVER FINAL ELEMENTS

PR-1094 7 August 2004

Instrumented Protective Functions Test Procedure Revision1

2.1.2 Instrumented Protective Functions Testing

• Testing is executed to identify Dangerous Failure and to prove that the functionality of
all Instrumented Protective Functions and their component parts conform to the latest
issue of the ‘Alarm and Trip Setting List’ and ‘Cause and Effect’ matrices.
• Periodic testing of Instrumented Protective Functions is a MANDATORY requirement
and shall be carried out by competent, authorised personnel in accordance with the
frequencies identified by IPF classification process and which are integrated in SAP.
• Areas where IPF classifications have not been performed, current testing intervals as
per SAP shall be used.
Note Revised testing intervals for existing IPF Elements, as identified by IPF
classification procedure, will be adjusted in SAP on a step by step basis as they made
available. Ref. DEP 32.80.10.10

Test Interval for SIL a1 and SIL a2 functions:

• Standalone SIL a1 and SIL a2 functions implemented in either DCS or FCS

(or any other control system) shall be aligned with the Reliability Centred
Maintenance (RCM), which is 3 years.

• Standalone SIL a2 implemented in IPS shall be 3 years.

• SIL a2 functions which are implemented as part of the SIL1 or SIL 2 functions
(e.g. first layer of an overpressure protection system) shall follow the test
interval of the SIL 1 or SIL 2 functions of which they are a part of.

Test Interval for SIL 1 & SIL 2 functions

The test interval for SIL 1 & SIL 2 functions shall be one year, or as determined by the
Probability of Failure on Demand (PFD) calculation, whichever is lower.

Test Interval for SIL 3 functions

Based on the potential severity of SIL 3 functions, the test interval for these functions
shall be 6 months, or as determined by PFD calculation, whichever is lower.

Test Interval for SIL 4 functions

The use of SIL 4 functions shall be avoided. However, under special circumstances, to
be decided on a case by case basis by the CFDH (C&A), SIL 4 function may be
acceptable.

In such cases, the test interval for SIL 4 functions shall be determined based on the
PFD calculations with a maximum allowable test interval of 6 months.

Test Interval for functions which have not been classified under the new IPF
methodology.

Test interval for all functions which have not been classified under the new
methodology will be one year.

During the ESD valve function test; if any ESD valve fails which has a classification
of SIL 1 and above, the OXO/13 team shall carry out immediate repairs and OXO/22

PR-1094 8 August 2004

Instrumented Protective Functions Test Procedure Revision1

& TIO/1X shall investigate/validate root cause of the failure and amend PM content
and/or frequency to maintain the technical integrity of the plant.

• Any extension of a test interval or delay of a test beyond the prescribed date in SAP
shall be formally documented through SAP Z6 process approved by CDFP and
authorised by the Area Co-ordinator via PR-1005 "Maintenance and Inspection
Activity Variance Control Procedure".

• Local records of tests and authorisation for extension of test intervals, etc. shall be
maintained in SAP by the respective Area Maintenance and Reliability Engineer
(OXO/22). For verification purposes these records shall be subject to periodic audit.
The last three test report hard copy shall be archived.

2.2 Procedure Description

2.2.1 Testing And Monitoring

• Due attention shall be given to minimising production deferment by good planning

and careful scheduling of tests.

• Based on Plan and associated Tasklist in SAP, IPF testing shall be executed such
that the requirements in paragraph 2.1.2 are fully met.

• IPF testing shall include the Initiator function, Final Element function and Logic
Solver function, each with their own test intervals. These tests need not necessarily be
performed simultaneously.

• During the tests, Final Elements shall be allowed to move to the safe state, and thus
result in a related equipment or process shut down, if not already shut down.

• In an Instrumented Protective system all Initiator functions shall be activated by

varying the actual operating parameters wherever this can be done safely and
practically.

• Where varying the actual operating parameters cannot be done safely and
practically, the process parameter shall be simulated. This simulation shall be done at
site and shall resemble as closely as possible a true process parameter excursion. If
this simulation is done by isolating a pressure instrument from the process and
pressurising it with a hand pump, the test coverage factor is 0.95. The same is valid for
an external level chamber by isolating it and filling it with liquid to simulate the
process so long process connection confirmed clear from contamination and blockage.

• Where varying the actual operating parameters cannot be done at site, the process
parameter shall be simulated in a workshop i.e temperature measurement device
simulation/calibration.

• An Initiator function has passed the test if it switches within the Trip Limit
Tolerance as defined in the STANDARD TEXT (MCP) for that initiator. If it switches
outside the limit, or not at all this shall be reported as a failed test.

PR-1094 9 August 2004

Instrumented Protective Functions Test Procedure Revision1

• A Final Element function has passed the test if it reaches its final position within the
time defined in the SP-1081 (DEP 31.40.70.30-PDO) dated January 2000 i.e for valve
less 5 inches closes in 3 seconds and for valve more than 4 inches closes in a duration
1 seconds for every inch i.e. 10 inch valve takes 10 seconds to close or as per the
process specific requirement specification.

Note : An unplanned 'genuine shutdown' shall not be considered as a test of the

Initiator because the trip settings would not have been verified/recorded though it
gives confidence that the design function was met.

An unplanned genuine activation of a Final Element shall not be considered as a test

unless the initiation and activation have been properly reported through the control
system.

• All test results, failed or passed, shall be reported/recorded in SAP by using SAP
work order Shop paper to facilitate the area Maintenance & reliability Engineer
(OXO/22) and UOM5 to ascertain test frequency, MCP contents and optimise. Failed
tests shall be logged in the alarm/trip logbook in the control room & SAP and a
corrective work request (SAP) shall be raised for immediate repair.

• Resuming Operations with a defeated / defective Instrumented Protective Function is

only allowed under specific and proper written authorisation by the Area Co-ordinator
(Ref. PR-1090 Overriding of Instrumented Protective Functions).

• Repair and maintenance shall be followed by a re-test and the results shall be fully
documented and recorded/entered in to SAP.

• The "List of Alarm and Trip Settings" drawing shall be used for interim period while
migrating alarm & trip data to SAP. The range and trip setting values are being stored
in SAP when this procedure was produced. In future SAP database will be the master
and setting changes would be processed though Z6 notifications.

Note If installations or equipment have been out of operation after the scheduled test
, the Instrumented Protective Functions shall be tested before start up.

2.2.2 Defeat of Initiator Functions for Testing Purposes

• Initiator functions shall only be overridden when necessary for testing and
maintenance purposes. Any additional precautions to ensure uninterrupted operations
whilst testing Instrumented Protective Functions (like jumpers) must be recorded in
the Work Permit.

• If during tests, IPF Initiators need to be overridden this shall be done in a

deliberate and controlled manner, in conjunction with PR-1090 and in accordance
with the Permit to Work procedure, so that any loss of integrity is minimised and the
potential unsafe situation remains evident to those operating the facility.

• The control room OVER-RIDE logbook shall be used to record override

activation’s unless the override is logged in the DCS with periodic alarm activation.

• The Production Supervisor shall, while overrides are active, instruct the Instrument
Maintenance Technician and the Production Operator to closely and continuously
observe the process condition through reliable secondary means.

PR-1094 10 August 2004

Instrumented Protective Functions Test Procedure Revision1

• If any IPF is annunciating an alarm, which would have produced a shutdown, or if

any doubt or uncertainty exists, the Instrument Technician must immediately release
the override allowing normal executive action to take place and the Operator, if
necessary, shall initiate a manual shutdown.

• Overriding IPF Initiators for purposes other than system testing is controlled by
PR-1090. An IPF Initiator with shutdown function shall normally not be left
overridden and in an unmonitored state.

2.2.3 Changes to Instrumented Protective Functions

• All modifications and changes to IPF’s must be formally approved using the Facility
Change Proposal Procedure PR-1001a.

2.2.4 Recording of Test Results and Safe Failures

• The detailed test routines, procedures and performance reporting shall be performed
in accordance with the Plan and associated Tasklist available in SAP and allocated to
that equipment.

• All test results shall be reported using SAP work order Shop. Failed tests shall be
followed by a corrective workorder entered in SAP by the Instrument Maintenance
Foreman/Supervisor.

• The testing results gathered per system shall be forwarded by the Operations Area
Co-ordinator to the area Maintenance & reliability Engineer (OXO/22) and UOM5 to
ascertain test frequency, MCP contents and optimise.

PR-1094 11 August 2004

Instrumented Protective Functions Test Procedure
2.3 Roles/Authority and Responsibilities
Execution of Function test
ROLE
Production Supervisor (OXO/14X or
15X or 19X)
Instrument Maintenance Supervisor
(OXO/13X)
Production Operator (OXO/141X or
151X or 191X)
Instrument Maintenance (OXO/131X)
/ Campaign Technician (OXO/2513)
Area Co-ordinator (OXO/1)
IPF classification related to Brown field
Head of projects (OXE/2)
Head of maintenance &Integrity
(OXO/2), (GGO/2)
IPF Classification Team, facilitated by
an Engineer of the C&A Section
(TIE/2)
SAP related activities
Roles
Area Instrument Supervisor
(OXO/13X)
Project Engineer (OXE/2X)- For New
Projects -
Planner – (OXO/23X), (GGO/24)
Area Maintenance & reliability
Engineer (OXO/22X), (GGO/23)
Corporate C&A reliability Engineer /
(TIO/1X)
PR-1094
Revision1
RESPONSIBILITY
Test Co-ordination (Support)
Test Co-ordination (Lead)
Facilitate testing and ensure appropriate measures in
place for safe operation
Ensure operator engaged appropriate measures in place
for safe operation and execute IPF testing / Repairs
(Executers)
He ensures production and instrument teams are in
control of safety measures to execute testing and
authorises IPF override
IPF Classification of Facility Safety Systems – New
Installations
Initiates IPF Classification of Facility Safety Systems –
Existing Installations
IPF Identification, Classification and Tagging (if
required) of Facility Safety Systems
Responsibility
Ensure C&A project deliverables are registered
Ensure timely execution C&A maintenance and
performance reporting in the SAP
Raising Z 6 for registration and/or technical amendment.
Raising request for registration of C&A equipment in the
SAP
Initiate action for new Tasklist and Maintenance Plan
through OXO/22X
Initiate Scheduling of Plans
All Changes/ Modification/ Deletions are through Z6
process
Action Change/Modify/New creation of Tasklist, Plans
Validate C&A maintenance history and analysis
All Changes/ Modification/ Deletions are through Z6
process
Review of SAP upload Functionlocations, Tasklist and
Plans
Run C&A maintenance performance analysis and initiate
changes/modification/creation of Tasklist & Plans
All Changes/ Modification/ Deletions are through Z6
process
12 August 2004
Instrumented Protective Functions Test Procedure Revision1

Compile C&A performance optimization

CDFP-UOM/5 Approval of any changes/modifications/deletion/creation of

Functionlocation, Tasklist, Standard Text, Plans and
scheduling in SAP, through Z6 process
SAP data management team – TTO/3 Execute Changes/modifications/deletion/creation of SAP
team master data like Functionlocation, Tasklist, Standard Text,
Plans and scheduling in SAP, through Z6 process

2.4 Execution of the Procedure

This procedure is invoked on an ad-hoc basis whenever there is a need for a new
Operations Procedure, or when existing Procedures are revised in line with PDO review
policy.

2.5 Related Forms

None

2.6 Related Business Control Documents

Document Title Number

Code of Practice - Maintain Surface Product Flow Assets - CP-114
Manual - Classification and Implementation of - DEP
Instrumented Protective Functions 32.80.10.10
-Instrument Protective Systems -DEP
32.80.10.30
Procedure - Maintenance and Inspection Activity - PR-1005
Variance Control Procedure
- Overriding of Instrument - PR-1090
Safeguarding Systems Procedure
- the Facility Change Proposal - PR-1001a
Procedure
API - Recommended Practice for analysis, - API RP 14C
design, installation and testing of basic
surface facilities.
- HSE Management in Design - EP 95-0230
Guideline Guideline on IPF classification GU-437

2.7 Review and Improvement

This procedure is valid for a period of three years from date of issue or revision. This
procedure shall be reviewed by the Control & Automation CDFP through the
document custodians in the Systems & Information Section and amendments/changes
made as necessary. Feedback received from end users SHALL be considered in the
review cycle and improvements incorporated where appropriate. Any improvement in
this procedure shall be approved by the CFDH of Control and Automation.

PR-1094 13 August 2004

Instrumented Protective Functions Test Procedure Revision1

2.8 Step-out and Approval

The Step-out Approval of this procedure shall be approved by the CFDH of Control and
Automation.

PR-1094 14 August 2004

Instrumented Protective Functions Test Procedure Revision1

ATTACHMENT 1 - User Feedback Sheet

OPERATIONS PROCEDURES

USER FEEDBACK SHEET

Any user who identifies an error, inaccuracy or ambiguity in these Operations Procedures
documents is requested to advise the custodians in the Systems & Information Section by
returning this page (or copy) with his comments.

Volume: Part:

User name: Ref. Ind: Date:

New Operations Standard or Practice required: Yes / No (delete as applicable)

New Procedure, Name or Error Location : e.g. New Procedure/ Comment / Error / Suggestion
PR number, page, paragraph.

PR-1094 15 August 2004