Overpressure Protection SIL 2 Proof Test: HIMA HIMatrix F35 and Woodward ProTech TPS

Overpressure Protection SIL 2 Proof Test: HIMA HIMatrix F35 and Woodward ProTech TPS

Why Overpressure SIF Proof Tests Fail Audits

Overpressure protection is the most common Safety Instrumented Function (SIF) in process plants. Yet it generates the most audit findings. Engineers test the pressure transmitter but skip the logic solver output relay verification. They record PST travel time but not the opening force. They complete the test in 45 minutes but leave three items undocumented. Auditors reject the record as incomplete.

This article covers the full proof test for a two-out-of-three (2oo3) pressure transmitter arrangement feeding a HIMA HIMatrix F35 logic solver, with a Woodward ProTech TPS overspeed protection comparison. Both systems target SIL 2 with PFDavg between 1×10⁻³ and 1×10⁻².

First, confirm the Proof Test Coverage (PTC) assumption used in the original SIL calculation. Most SIL calculations assume 90% PTC for a full proof test. A partial test (PST only, no valve full stroke) achieves only 50–60% PTC. A 90% PTC assumption with 60% actual PTC shifts a SIL 2 function to SIL 1 — a compliance violation with legal implications.

HIMA HIMatrix F35 Logic Solver Proof Test Procedure

The HIMatrix F35 uses a TMR (Triple Modular Redundant) I/O architecture. Each AI channel reads independently and votes internally. The proof test verifies all three signal paths, not just one channel. The F3 AIO 8/4 01 analog I/O module handles the pressure transmitter inputs.

  • Step 1: Enable HIMatrix SILworx Proof Test Mode via the SILworx engineering station (version 6.4 or later). Navigate to System → Safety → Proof Test Manager. Set SIF ID for the target overpressure function.
  • Step 2: Inject a 4.00 mA test signal (representing 0% range = 0 barg) at each AI channel input terminal using a Fluke 707 loop calibrator. Verify HIMatrix reads 0.0 barg ±0.2% on all three channels via SILworx Online Monitor.
  • Step 3: Increase injected signal to 20.0 mA (100% range = full-scale pressure). Verify HIMatrix reads full-scale ±0.2% on all three channels.
  • Step 4: Inject a trip signal at 21.0 mA (105% range — simulating transmitter high-high). Confirm HIMatrix logic produces a Safety Output (SO) drive command within 200 ms per SRS requirement.
  • Step 5: Verify DO channel output at the ESD valve solenoid. Measure voltage at solenoid terminal: confirm 0 VDC within 250 ms of SO activation. Log timestamp from SILworx event log.
  • Step 6: Test HIMatrix self-diagnostics. Force a single AI channel to fail (disconnect channel 1 input). Verify HIMatrix raises a "Channel 1 Diagnostics Fault" alarm but does NOT trip the SIF (2oo3 degraded to 1oo2 voting — correct behavior). Re-connect and verify channel 1 restores.
  • Step 7: Test bypass function. Activate maintenance bypass via SILworx Bypass Manager. Verify HIMatrix raises "SIF Bypassed" alarm to DCS via Modbus TCP holding register 40010 bit 3. Bypass auto-cancels after 8 hours (configurable via P_BYPASS_TIMEOUT).

Record all timestamps, measured values, and pass/fail results in the Proof Test Record form. IEC 61511 Clause 16.2.5 requires: test date, tester identity, test method, measured response time, comparison to SRS requirement, and sign-off. The F3 DIO 16/8 01 module handles the digital output channels driving ESD valve solenoids.

ESD Valve Partial Stroke Test and Full Stroke Verification

The ESD valve is the most failure-prone element in an overpressure SIF. Valve seat leakage and actuator spring failure are undetectable without a physical stroke test. Partial Stroke Testing (PST) detects 50–70% of dangerous undetected failures. Full Stroke Test (FST) detects 90%+.

Set PST travel to 15% of full stroke for a normally-open fail-safe valve. Travel below 10% misses sticky-stem failures. Travel above 20% risks process upset in a live process.

  • Step 1: Confirm process can tolerate a 15% valve closure. Coordinate with operations. Issue a permit-to-test.
  • Step 2: Initiate PST from DCS faceplate. Log start time in SILworx event log.
  • Step 3: Monitor valve travel feedback (4–20 mA from positioner). Verify 15% travel achieved within 5 seconds. Valve must return to 100% open within 10 seconds after PST completion.
  • Step 4: Record PST supply pressure at actuator (minimum 5.5 barg for spring-return actuator). Values below 5.0 barg indicate accumulator drain or supply regulator drift.
  • Step 5: For FST (shutdown window only), de-energize trip solenoid completely. Verify full closure within 3 seconds per SRS requirement. Measure seat leakage using upstream pressure drop rate method. Leakage above 0.1% Cv rated flow fails the test.

Check solenoid valve coil resistance at each proof test. A standard 24 VDC solenoid coil reads 30–70 ohms at 20°C. Values outside this range indicate coil degradation. Replace solenoid coils at or before 10-year intervals regardless of electrical test results.

Woodward ProTech TPS Comparison: Overspeed as Overpressure Analog

Woodward ProTech TPS (Triple Proximity Switch) protects gas turbines from overspeed events. The architecture mirrors overpressure SIF: three sensors feed a 2oo3 voting relay. The Woodward 8200-205 Two-Out-Of-Three Overspeed Protection system implements identical voting logic.

The ProTech TPS accepts magnetic proximity sensors (MPU) with a nominal output of 0.5–50 Vrms across the speed range. Set the overspeed trip setpoint at 110% of rated speed. The trip setpoint stores in non-volatile EEPROM. Document the setpoint value and firmware version in the proof test record.

  • Inject a simulated speed signal from a Woodward ProTech Speed Tester at each MPU input. Increase frequency to 110% of rated speed equivalent (e.g., 1200 Hz for a 3000 RPM machine with 24-tooth wheel).
  • Verify relay output drops within 50 ms (response time specification).
  • Test all three MPU channels independently. Verify 2oo3 logic: single-channel above setpoint produces an alarm but no trip. Two-channel above setpoint produces a trip.
  • Record relay contact state (NC contact opens on trip) with a digital multimeter during the test.

ProTech TPS relay output contact life is rated at 100,000 operations. Check the operations counter (Menu → Diagnostics → Relay Count). Replace relay modules at 80,000 operations proactively. A relay failure in a 2oo3 system degrades to 1oo2 voting and changes the PFDavg significantly.

PFDavg Recalculation and Audit Documentation

After every proof test, update the PFDavg calculation. This step is mandatory under IEC 61511 Clause 16.2.5 but is the most frequently skipped step in the field.

Use the simplified IEC 61511 formula for a 2oo3 sensor arrangement:

PFDavg (2oo3) = λDU² × Ti²

Where λDU = dangerous undetected failure rate per hour (e.g., 5×10⁻⁸ /hr for a Rosemount 3051 pressure transmitter) and Ti = proof test interval in hours. For a 12-month interval (8,760 hours): PFDavg = (5×10⁻⁸)² × (8760)² = 1.9×10⁻⁷. Add the HIMatrix F35 logic solver PFDavg (approximately 3×10⁻⁵) and ESD valve PFDavg (approximately 1×10⁻³ for a full-stroke tested valve). Total SIF PFDavg ≈ 1.03×10⁻³ — borderline SIL 2.

If any proof test reveals test coverage less than 90%, or if the valve PST fails and FST is deferred, recalculate with the reduced coverage factor. A PFDavg above 1×10⁻² requires immediate corrective action and notification to the process safety authority.

Compile the complete proof test package: test procedure revision number, as-found and as-left calibration records for each transmitter, SILworx event log export (PDF), valve PST and FST records, PFDavg recalculation sheet, and tester signatures. Retain records for the life of the SIF plus 5 years minimum.

Conclusion and Action Advice

SIL 2 overpressure proof tests fail audits for two reasons: incomplete coverage of all SIF elements, and missing PFDavg recalculation after the test. A transmitter calibration without logic solver output verification is not a proof test — it is a calibration. Use HIMatrix SILworx Proof Test Manager to enforce a structured test sequence and generate an automatic test report.

For the ESD valve, never accept PST alone as a full proof test substitute. Schedule FST during every planned shutdown — valve seat leakage above 0.1% Cv rated flow is a critical finding that PST cannot detect. For ProTech TPS overspeed protection, monitor relay contact operation count and replace at 80,000 operations. Keep the total SIF PFDavg below 5×10⁻³ to maintain a 100% safety margin within SIL 2 limits. Document everything — the audit team asks for records first and hardware second.

Back to blog
Show All
Blog posts
Show All
Why RTD Sensors Must Be Installed Downstream of Orifice Plates
Marcus Chen

Why RTD Sensors Must Be Installed Downstream of Orifice Plates

Installing an RTD upstream of an orifice plate corrupts differential pressure readings through thermowell vortex shedding. This article explains the von Kármán vortex street physics, ISO 5167 and ASME MFC-3M downstream placement requirements, the 5D minimum spacing rule, thermowell wake frequency compliance, and a 7-step installation procedure for combined orifice plate and RTD assemblies.
Vortex Flow Meter: Working Principles, Selection Criteria, and Field Commissioning
Zhang Haowen

Vortex Flow Meter: Working Principles, Selection Criteria, and Field Commissioning

A vortex flow meter operates on the von Karman vortex shedding principle, delivering excellent long-term accuracy in steam, gas, and low-viscosity liquid service with no moving parts. This guide covers Strouhal number physics, Reynolds number constraints, meter sizing, straight-run requirements for ABB VortexMaster FSV430, and field commissioning steps for Woodward turbine governor integration.
Thermocouple Wiring, Standards, and Troubleshooting: A Practical Field Guide
Chen Liangwei

Thermocouple Wiring, Standards, and Troubleshooting: A Practical Field Guide

Accurate thermocouple measurement requires correct type selection, matched extension wire, and reliable cold junction compensation. This guide covers IEC 60584 type codes and application ranges, extension wire and compensating cable selection, Phoenix Contact WTOP CJC terminal blocks, Yokogawa YTA110 CJC configuration, and systematic fault diagnosis for open circuit, short circuit, and calibration drift.
Recommended Products List
Emerson KL3105X1-LS1 12P6551X032 Isolated Charm Card
Emerson KL3105X1-LS1 12P6551X032 Isolated Charm Card

Emerson
Emerson DeltaV KL4502X1-MA1 Relay Out Terminal Charm
Emerson DeltaV KL4502X1-MA1 Relay Out Terminal Charm

Emerson
Emerson DeltaV KL3021X1-LS1 Hart Analog Input CHARM Module, 4–20 mA
Emerson DeltaV KL3021X1-LS1 Hart Analog Input CHARM Module, 4–20 mA

Emerson
Emerson DeltaV KL3003X1-BA1 DI 24 VDC Dry Contact CHARM Module
Emerson DeltaV KL3003X1-BA1 DI 24 VDC Dry Contact CHARM Module

Emerson
Emerson DeltaV KL3005X1-LS1 Isolated Digital Input Charm Module
Emerson DeltaV KL3005X1-LS1 Isolated Digital Input Charm Module

Emerson
KL4510X1-EA1 | Emerson DeltaV | I.S. CHARM Address Terminal
KL4510X1-EA1 | Emerson DeltaV | I.S. CHARM Address Terminal

Emerson
Emerson DeltaV I.S. CHARM Terminal Block PN: KL4510X1-DA1
Emerson DeltaV I.S. CHARM Terminal Block PN: KL4510X1-DA1

Emerson
Emerson DeltaV KL1501X1-BA1 CSLS Power Module
Emerson DeltaV KL1501X1-BA1 CSLS Power Module

Emerson
KL3003X1-LS1 | Emerson DeltaV | LS DI 24 VDC Dry Contact CHARM
KL3003X1-LS1 | Emerson DeltaV | LS DI 24 VDC Dry Contact CHARM

Emerson
Emerson KL3031X1-BA1 RTD/Resistance Input CHARM Module
Emerson KL3031X1-BA1 RTD/Resistance Input CHARM Module

Emerson
GE Fanuc IC693UAA003 Series 90 Micro PLC Module
GE Fanuc IC693UAA003 Series 90 Micro PLC Module

GE
GE Fanuc RX3i IC694MDL730 12/24VDC Positive Logic Output Module
GE Fanuc RX3i IC694MDL730 12/24VDC Positive Logic Output Module

GE