Site Acceptance Testing (SAT) Best Practices
Site Acceptance Testing (SAT) is the final engineering checkpoint before an automation, electrical, or control system is handed over for production use. For contractors, it is where design intent, factory-tested functionality, site installation quality, commissioning readiness, and contractual performance obligations meet. A well-executed SAT reduces startup risk, protects warranty positions, and creates a defensible acceptance record. A poorly executed SAT, by contrast, often leads to disputed scope, repeated punch lists, latent defects, and avoidable downtime.
In European projects, SAT must also be aligned with CE-marking obligations, the Machinery Directive or Machinery Regulation transition context, low-voltage and EMC compliance, and increasingly cybersecurity requirements under EU NIS2-related governance expectations. For industrial control systems, SAT is not just a “test day”; it is a structured verification process that confirms the installed system is safe, complete, correct, and ready for operation.
1. What SAT Is, and What It Is Not
SAT verifies the installed system at the site under real conditions, after transportation, installation, wiring, network integration, and utility interfaces are complete. It confirms that the system performs according to the approved functional design, contract specifications, and applicable standards.
SAT is not a substitute for:
- Design verification during engineering.
- Factory Acceptance Testing (FAT), which checks equipment before shipment.
- Routine maintenance tests, which occur after handover.
In practice, SAT should bridge FAT and commissioning. FAT proves the panel or system design in a controlled environment; SAT proves the same logic, wiring integrity, interlocks, alarms, and communications still work after transportation and installation.
2. Standards and Clause-Level References That Shape SAT
The exact SAT scope depends on the package, but the following references are commonly relevant:
- IEC 60204-1 — Electrical equipment of machines: verification and functional testing principles, including protective bonding, insulation, and control-circuit checks. Clause 18 covers verification.
- IEC 61439-1 / IEC 61439-2 — Low-voltage switchgear and controlgear assemblies: routine verification requirements for assemblies, including wiring, dielectric, and functional checks.
- IEC 61511 — Safety instrumented systems for the process industry: validation and functional testing expectations for SIS-related loops and proof-test logic.
- IEC 62443 — Industrial automation and control system cybersecurity: relevant for access control, hardening, account management, and network segmentation checks during SAT.
- NFPA 70 (NEC) — Electrical installation acceptance considerations in North American projects, especially grounding, labeling, and wiring practices.
- NFPA 70E — Electrical safety in the workplace: energized work controls, safe test methods, and arc-flash boundaries during site testing.
- ISA-TR84.00.07 and related ISA guidance — useful for functional safety and proof-test planning in instrumented systems.
- ANSI/ISA-18.2 — Alarm management: alarm testing, prioritization, and shelving behavior verification.
For European projects, SAT documentation should also support compliance evidence under the Machinery Directive 2006/42/EC where applicable, and the newer Machinery Regulation transition requirements where contractually adopted. If the system includes connected assets or remote access, SAT should verify cybersecurity controls that align with IEC 62443 and the organization’s NIS2-driven risk management expectations.
3. Define SAT Scope Before Site Work Starts
The most common SAT failure is not technical; it is contractual ambiguity. The SAT scope must be frozen before mobilization and should be traceable to the functional design specification, I/O list, cause-and-effect matrix, network architecture, and vendor manuals.
A good SAT scope typically includes:
- Document review and pre-SAT readiness checks.
- Visual inspection of installation quality.
- Point-to-point wiring verification.
- Insulation resistance and continuity checks where appropriate.
- Loop checks for transmitters, actuators, drives, and analyzers.
- PLC/RTU logic verification against approved cause-and-effect.
- Alarm and event testing.
- Communications testing with SCADA, historians, gateways, and safety systems.
- Fail-safe, loss-of-signal, and power-loss behavior tests.
- Operator interface and permissive/interlock verification.
- Cybersecurity and access-control checks for industrial networks.
Any exclusions should be explicitly listed, such as a process medium being unavailable, a utility not yet energized, or a third-party package not yet released. If an exclusion affects acceptance, define a conditional acceptance path and a retest plan.
4. Pre-SAT Readiness: The Gate That Saves Time
Do not start SAT until the installation is genuinely ready. A readiness gate should confirm:
- As-built drawings are current and issued for test.
- All redlines from installation are incorporated or formally tracked.
- Panels are clean, labeled, bonded, and mechanically complete.
- Power supplies, UPSs, and network switches are energized and stable.
- Instrument air, process media, or simulated signals are available.
- Calibration certificates are valid for loop devices.
- Safety permits, lockout/tagout, and energized work authorizations are in place.
- Test equipment is calibrated and traceable.
At clause level, this aligns well with the verification principle in IEC 60204-1 Clause 18 and the routine verification approach in IEC 61439-1/2. For energized testing, NFPA 70E requires a risk assessment and controls consistent with the voltage and arc-flash exposure.
5. Build the SAT Protocol Like a Test Engineering Package
A strong SAT protocol is more than a checklist. It should be a controlled test document with:
- Test objective and system boundaries.
- Applicable drawings, specifications, and revisions.
- Test prerequisites and safety controls.
- Step-by-step procedures.
- Expected results and acceptance criteria.
- Hold points for witness and sign-off.
- Defect classification and retest requirements.
For each test step, define the expected state. For example, if a motor starter is forced to trip, specify whether the PLC should show a fault, whether the HMI should alarm, whether the MCC bucket should drop out, and whether the restart should be inhibited until manual reset.
6. Execute SAT in a Logical Order
A robust sequence reduces rework:
- Safety and installation verification. Confirm labels, bonding, enclosure integrity, wiring segregation, and access restrictions.
- Power-up checks. Verify correct supply voltage, phase rotation, UPS autonomy, and no abnormal current draw.
- Point-to-point verification. Check every field termination against the drawings and I/O list.
- Loop checks. Simulate or apply real signals to verify scaling, direction, range, and alarms.
- Logic and interlock tests. Exercise permissives, trips, E-stops, and sequence logic.
- Communications tests. Confirm SCADA, PLC, remote I/O, drives, analyzers, and gateways exchange data correctly.
- Failure mode tests. Remove signals, lose power, open circuits, and drop networks to validate safe behavior.
- Integrated operational tests. Run the plant or subsystem in a realistic sequence.
For safety-related systems under IEC 61511, the test should demonstrate that the safety function meets the intended response and that bypasses, overrides, and resets behave as specified.
7. Cybersecurity Checks Belong in SAT Now
Modern SAT must include cybersecurity validation, especially for connected PLCs, SCADA servers, remote access gateways, and IIoT devices. At minimum, verify:
- Default passwords are removed or changed.
- Role-based access control is active.
- Unused services and ports are disabled.
- Remote access is approved, logged, and time-bound.
- Network segmentation matches the approved architecture.
- Firmware and software versions are documented.
- Backup and restore procedures are tested.
IEC 62443-2-1 and 62443-3-3 provide strong guidance for operational security requirements. In procurement terms, SAT should verify that cybersecurity features promised in the cybersecurity specification are actually implemented on site.
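As an added example that is not part of the original article, the following Python turns the checklist above into SAT findings by comparing a constructed as-installed inventory against a constructed approved baseline, classifying each deviation with the Critical/Major/Minor scheme used later in this article. Device names, inventory fields, the baseline, and the remote-access grants are all assumptions made for illustration.

```python
from datetime import date

# Constructed approved baseline (assumption): what the design package says should exist.
BASELINE = {
    "plc-01":    {"vlan": 20, "services": {"s7comm", "https"}},
    "scada-srv": {"vlan": 30, "services": {"https", "opcua"}},
}

# Constructed as-installed inventory (assumption), as collected on site during SAT.
INVENTORY = {
    "plc-01": {"vlan": 20, "services": {"s7comm", "https", "telnet"}, "firmware": "v4.2.1",
               "rbac": True, "accounts": [{"name": "admin", "default_pw": True}],
               "restore_tested": True},
    "scada-srv": {"vlan": 10, "services": {"https", "opcua"}, "firmware": "",
                  "rbac": False, "accounts": [{"name": "ops", "default_pw": False}],
                  "restore_tested": False},
}

# Constructed remote-access grants; each must be approved, logged and time-bound.
REMOTE_ACCESS = [
    {"user": "vendor-a", "approved": True, "logged": True, "expires": date(2024, 6, 30)},
    {"user": "vendor-b", "approved": True, "logged": False, "expires": None},
]

def security_findings(inventory, baseline, grants, sat_date):
    """Return (asset, defect class, message) for every checklist deviation."""
    f = []
    for name, a in inventory.items():
        b = baseline[name]
        for acct in a["accounts"]:
            if acct["default_pw"]:
                f.append((name, "Critical", f"account '{acct['name']}' still has a default password"))
        if not a["rbac"]:
            f.append((name, "Major", "role-based access control not active"))
        extra = a["services"] - b["services"]
        if extra:
            f.append((name, "Major", f"unapproved services enabled: {sorted(extra)}"))
        if a["vlan"] != b["vlan"]:
            f.append((name, "Major", f"on VLAN {a['vlan']}, approved architecture says VLAN {b['vlan']}"))
        if not a["firmware"]:
            f.append((name, "Minor", "firmware version not documented"))
        if not a["restore_tested"]:
            f.append((name, "Major", "backup/restore procedure not demonstrated"))
    for g in grants:
        expired = g["expires"] is None or g["expires"] < sat_date
        if not (g["approved"] and g["logged"]) or expired:
            f.append(("remote-access", "Major", f"grant for '{g['user']}' is not approved, logged and time-bound"))
    return f

def blocks_acceptance(findings):
    """Any Critical finding blocks acceptance; Major items allow conditional acceptance only."""
    return any(cls == "Critical" for _, cls, _ in findings)

def run_check():
    """Evaluate the constructed inventory on an assumed SAT date."""
    return security_findings(INVENTORY, BASELINE, REMOTE_ACCESS, date(2024, 5, 1))
```

The returned tuples drop straight into the SAT punch list, with the class deciding whether acceptance is blocked, conditional, or clean.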
8. Worked Example: SAT of a Pump Skid with VFD and SCADA Integration
Consider a pump skid with one 15 kW motor, one VFD, one pressure transmitter, one flow switch, one local E-stop, and SCADA monitoring. The contract requires:
- Start permissive only if suction pressure is above 1.2 bar and no fault exists.
- Trip on low suction pressure below 0.8 bar for 5 seconds.
- Trip on motor overload or VFD fault.
- SCADA alarm within 2 seconds of fault detection.
- Analog pressure scaling from 4–20 mA = 0–10 bar.
During SAT, the pressure transmitter is simulated at 12 mA. The expected pressure value is:
$$P = \frac{I - 4}{16} \times 10 = \frac{12 - 4}{16} \times 10 = 5 \text{ bar}$$
That confirms the scaling is correct. Next, simulate 6.0 mA:
$$P = \frac{6 - 4}{16} \times 10 = 1.25 \text{ bar}$$
This should satisfy the permissive because it is above 1.2 bar. Now simulate 5.28 mA:
$$P = \frac{5.28 - 4}{16} \times 10 = 0.8 \text{ bar}$$
The system should begin the low-pressure trip timer. With a 5-second trip delay, the acceptance criterion is that the VFD run command drops and the SCADA alarm appears within the agreed response time. To check the alarm against its 2-second budget, the measured delay is the sum of the PLC, network, and SCADA contributions:
$$t_{alarm} = t_{PLC} + t_{network} + t_{SCADA}$$
If test measurements show $t_{PLC}=0.15$ s, $t_{network}=0.30$ s, and $t_{SCADA}=0.85$ s, then:
$$t_{alarm} = 0.15 + 0.30 + 0.85 = 1.30 \text{ s}$$
That passes the 2-second requirement. If the VFD is 15 kW and full-load current is 29 A at 400 V, the approximate three-phase apparent power at full load is:
$$S = \sqrt{3} V I = 1.732 \times 400 \times 29 \approx 20.1 \text{ kVA}$$
This is useful for validating feeder loading, UPS sizing for controls, and temporary test power planning. The point of the example is not the arithmetic alone; it is that SAT should convert contractual requirements into measurable pass/fail criteria.
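The following Python is an added example, not code from the original article: it converts the pump-skid requirements above (4–20 mA = 0–10 bar scaling, the 1.2 bar permissive, the 0.8 bar trip with 5-second delay, and the 2-second alarm budget) into pass/fail records, and also replays a constructed pressure trace to show that a short dip must not trip while a sustained one must. The 0.5 s sample interval, the trace, and the NAMUR-style out-of-range band are assumptions.

```python
import math

# Contract requirements taken from the article's pump-skid example.
PERMISSIVE_BAR = 1.2     # start permissive: suction pressure above 1.2 bar
TRIP_BAR = 0.8           # low-suction trip threshold
TRIP_DELAY_S = 5.0       # trip only after 5 s continuously at/below threshold
ALARM_BUDGET_S = 2.0     # SCADA alarm within 2 s of fault detection

def ma_to_bar(current_ma):
    """4-20 mA -> 0-10 bar, rounded to 1 mbar so 5.28 mA reads exactly 0.8."""
    if not 3.8 <= current_ma <= 20.5:   # assumed live-signal band (NAMUR NE 43 style)
        raise ValueError(f"{current_ma} mA is outside the live 4-20 mA span")
    return round((current_ma - 4.0) / 16.0 * 10.0, 3)

def start_permissive(pressure_bar, fault_present):
    """Permissive is granted only above 1.2 bar with no fault present."""
    return pressure_bar > PERMISSIVE_BAR and not fault_present

def low_pressure_trip_time(trace_ma, dt_s):
    """Replay a 4-20 mA trace sampled every dt_s seconds and return the time
    the trip timer expires, or None. The timer restarts whenever pressure
    recovers above the threshold, which a SAT step should demonstrate."""
    below_since = None
    for i, ma in enumerate(trace_ma):
        t = i * dt_s
        if ma_to_bar(ma) <= TRIP_BAR:
            if below_since is None:
                below_since = t
            if t - below_since >= TRIP_DELAY_S:
                return t
        else:
            below_since = None
    return None

def alarm_latency_s(t_plc, t_network, t_scada):
    """t_alarm = t_PLC + t_network + t_SCADA, as in the article."""
    return t_plc + t_network + t_scada

def apparent_power_kva(voltage_v, current_a):
    """Three-phase apparent power S = sqrt(3) * V * I, in kVA."""
    return math.sqrt(3) * voltage_v * current_a / 1000.0

def run_sat_steps():
    """Return {step: (measured, expected)} so each record is objectively pass/fail."""
    # Constructed trace at 0.5 s/sample: 2 s at 6.0 mA, a 1.5 s dip to 5.28 mA
    # that must NOT trip, 1 s recovery, then a sustained dip that must trip at 9.5 s.
    trace = [6.0] * 4 + [5.28] * 3 + [6.0] * 2 + [5.28] * 11
    return {
        "scaling_12mA_bar": (ma_to_bar(12.0), 5.0),
        "permissive_at_6mA": (start_permissive(ma_to_bar(6.0), False), True),
        "permissive_blocked_by_fault": (start_permissive(ma_to_bar(6.0), True), False),
        "trip_time_s": (low_pressure_trip_time(trace, 0.5), 4.5 + TRIP_DELAY_S),
        "alarm_within_budget": (alarm_latency_s(0.15, 0.30, 0.85) <= ALARM_BUDGET_S, True),
    }
```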
9. Acceptance Criteria: Make Them Objective
Acceptance criteria must be binary wherever possible. “Works properly” is not an acceptance criterion. Better examples are:
- All I/O points respond correctly within the approved tolerance.
- No unresolved critical defects remain open at handover.
- All safety interlocks trip to safe state as designed.
- All alarms are displayed with correct text, priority, and timestamp.
- All communications links recover automatically after simulated loss.
A practical defect classification structure is:
| Defect Class | Meaning | Acceptance Impact |
|---|---|---|
| Critical | Safety, legal, or major functional failure | Blocks acceptance |
| Major | Significant functional deviation with workaround | Conditional acceptance only |
| Minor | Cosmetic or low-risk issue | May be accepted with punch list |
10. SAT vs FAT vs Commissioning
| Activity | Location | Main Purpose | Typical Output |
|---|---|---|---|
| FAT | Vendor or integrator workshop | Verify design and build before shipment | Factory test report, punch list |
| SAT | Customer site | Verify installation and site integration | Site acceptance certificate, site punch list |
| Commissioning | Site | Start and tune the system for operation | Operational readiness, performance data |
In well-run projects, FAT reduces SAT duration, but it does not eliminate it. SAT remains necessary because field wiring, environmental conditions, network addressing, utility interfaces, and installation workmanship all change the final behavior.
11. Documentation and Handover
At the end of SAT, the handover package should include:
- Signed test sheets with dates, names, and roles.
- Calibration certificates and test equipment IDs.
- Open issue log with owners and closure dates.
- As-built drawings and final I/O lists.
- Software backups, firmware versions, and checksum records.
- Cybersecurity baseline and account inventory.
- Training records for operators and maintainers.
This documentation is often what protects the contractor during warranty disputes. If a fault appears later, the SAT record proves what was tested, under what conditions, and with what result.
Closing: Common SAT Mistakes and How to Avoid Them
The most common SAT mistakes are starting too early, using vague acceptance criteria, failing to include cybersecurity checks, skipping failure-mode testing, and treating the protocol as a formality instead of an engineering tool. Another frequent error is allowing unresolved FAT punch items to “ride through” into site testing without formal risk assessment. Avoid these problems by freezing the test scope early, tying every test to a requirement, enforcing readiness gates, using calibrated instruments, and recording objective evidence. If SAT is planned as a disciplined verification process rather than a rushed sign-off event, it becomes one of the strongest controls for quality, safety, and contractual certainty in industrial contracting.
Frequently asked questions
What should be included in a Site Acceptance Testing (SAT) scope for a PLC, MCC, or SCADA system on a European EPC project?
A SAT scope should verify that the installed system matches the approved design, including I/O point-to-point checks, loop checks, communications, alarms, interlocks, permissives, redundancy, and failover behavior. For European projects, the test basis should align with IEC 62443 for cybersecurity, IEC 60204-1 for machine electrical equipment where applicable, and EN 60204-1/EN 61439 requirements for electrical assemblies and control panels, while also confirming contract-specific functional requirements.
How is SAT different from Factory Acceptance Testing (FAT) in industrial automation projects?
FAT verifies the system at the vendor or integrator location using simulated or emulated field conditions, while SAT confirms correct performance after installation with real field wiring, utilities, and site conditions. In practice, SAT must also validate installation quality, cable termination integrity, grounding, network connectivity, and actual process interface behavior, which are not fully proven during FAT; this distinction is consistent with IEC 61511 lifecycle verification principles for safety-related systems.
What are the most common SAT checks for control panel and MCC installations before energization?
Before energization, the SAT should include visual inspection, torque verification, insulation resistance testing, continuity checks, protective device settings review, phase rotation confirmation, and verification of control power, space heaters, and ventilation. For panel construction and assembly compliance, references commonly include IEC 61439 for low-voltage switchgear and controlgear assemblies, IEC 60204-1 for machine electrical equipment, and NFPA 70/70E where North American practices are contractually required.
How should SAT be structured for SCADA communications and network validation on a multi-vendor project?
SCADA SAT should test physical layer integrity, IP addressing, VLANs, routing, time synchronization, historian data flow, alarm/event propagation, and communications loss recovery across all interfaces. On global projects, engineers should also verify network segregation and access control against IEC 62443, and document protocol-specific checks for OPC UA, Modbus TCP, Profinet, EtherNet/IP, or IEC 60870-5-104 as applicable to the project architecture.
What is the best practice for executing loop checks during SAT on instrumentation-heavy sites?
Loop checks should confirm the complete signal path from field instrument to marshalling, I/O card, controller logic, HMI/SCADA display, and any final control element, then back through the return path for output signals. Best practice is to record as-found and as-left conditions, verify scaling and engineering units, and ensure the test method covers both normal and abnormal signal states, consistent with IEC 61508/IEC 61511 verification expectations for instrumented functions.
How do you validate alarms, interlocks, and cause-and-effect logic during SAT?
Validation should use a formal cause-and-effect matrix and demonstrate each permissive, trip, alarm, and reset condition under controlled test scenarios with clear pass/fail criteria. For safety-related or critical shutdown functions, the test record should show functional proof of the intended response and any bypass management, with reference to IEC 61511 for safety instrumented systems and ISA-18.2 for alarm management where alarm philosophy is part of the project basis.
What documentation should be completed and signed off at the end of SAT?
The SAT dossier should include approved procedures, marked-up test sheets, calibration certificates, punch lists, nonconformance reports, redline drawings, software/firmware versions, backups, and final acceptance certificates. For European compliance-heavy projects, the handover package should also preserve traceability to the technical file, risk assessment, and applicable conformity requirements under relevant IEC/EN standards and project-specific contractual obligations.
What are the key risk controls for SAT on live brownfield plants or compressed schedules?
Risk controls should include method statements, permit-to-work, lockout/tagout, temporary overrides control, interface isolation, rollback plans, and a defined escalation path for defects affecting production or safety. When work is performed near energized equipment or live process systems, the safety approach should align with NFPA 70E principles where applicable, while European projects should ensure compliance with site electrical safety rules, IEC-based design assumptions, and formal management of change procedures.