When designing or verifying a Safety Instrumented Function (SIF), it’s common to hear terms like PFDavg, SIL level, and test interval. But one factor that’s often misunderstood — or just overlooked — is proof test coverage (Cpt). This is a critical element that directly impacts how effectively your testing finds dangerous failures.
If your facility is working toward compliance with IEC 61511-1, understanding how Cpt works — and how to apply it — can make the difference between an overly optimistic SIL claim and a realistic, defensible safety case.
Let’s walk through what Cpt is, how it affects your calculations, and how to apply it the right way.
What Is Proof Test Coverage (Cpt)?
Proof test coverage (Cpt) is the fraction of dangerous undetected (DU) failures that your proof test is capable of finding.
- A Cpt of 1.0 (or 100%) means your test detects all dangerous undetected failures.
- A Cpt of 0.7 (or 70%) means your test only finds 70% of those failures.
This is important because any dangerous failures that your test doesn’t catch will accumulate over time, increasing the average probability of failure on demand (PFDavg).
Cpt is often used alongside another key term: proof test interval (TI) — how often you do the testing. But the test interval doesn’t matter much if your test isn’t catching what matters.
Also worth noting: Cpt is not the same thing as diagnostic coverage (DC) — though they both relate to detecting failures, they’re measured differently and come from different sources.
Note that proof tests can and do catch more than DU failures; they can also catch safe failures (SU, SD). But the main purpose of a proof test is to find DU failures, and that is the only failure type Cpt is associated with.
How Cpt Affects PFDavg
The most common form of the PFDavg equation used in training looks like this:

But this assumes you catch all dangerous undetected (DU) failures — which is rarely true. A more accurate form includes Cpt:

Where:
- λDU is the dangerous undetected failure rate
- TI is the proof test interval
- LT is the SIS lifetime (e.g., 15 or 20 years)
The two terms in the equation represent different contributions to PFDavg, as explained below:
- The first term is the contribution between tests.
- The second term is the contribution of failures that the proof test never reveals, which stay hidden for the whole lifetime.
In many training or spreadsheet tools, the second term is omitted if the lifetime is similar to the test interval. But when the lifetime is significantly longer (e.g., TI = 1 year, LT = 15 years), ignoring it underestimates risk.
Let’s make a quick comparison:
Example:
- λDU = 2E-6 per hour
- TI = 1 year (8,760 hours)
- LT = 15 years (131,400 hours)
- Case A: Cpt = 0.55
- Case B: Cpt = 0.95
Case A: PFDavg ≈ (2E-6 × 0.55 × 8760)/2 + (2E-6 × 0.45 × 131400)/2 = 1.04E-2 → RRF ≈ 96 (SIL 1)
Case B: PFDavg ≈ (2E-6 × 0.95 × 8760)/2 + (2E-6 × 0.05 × 131400)/2 = 2.06E-3 → RRF ≈ 485 (SIL 2)
👉 This is the difference between a SIL 1 system and a SIL 2 system — driven entirely by proof test coverage.
Even though both cases used the same failure rate, test interval, and SIS lifetime, the lower test coverage in Case A pulled the risk performance down an entire SIL level. This is a powerful reminder that increasing test frequency is not enough if the test itself isn’t catching the right failure modes.
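The two-term expression used in the worked example above, as an added Python sketch (not from the original article): it computes PFDavg, the floor that remains however short the test interval becomes, and the Cpt needed to reach a target PFDavg. The function names and the λDU of 1E-6 per hour are constructed for illustration; the SIL bands are the standard low-demand PFDavg ranges.

```python
# Added example: two-term PFDavg with imperfect proof test coverage.
# Function names and sample inputs are constructed for illustration.

def pfd_avg(lambda_du, cpt, ti_h, lt_h):
    """PFDavg = failures revealed at each test + failures hidden for the lifetime."""
    if not 0.0 <= cpt <= 1.0:
        raise ValueError("Cpt must be a fraction between 0 and 1")
    return lambda_du * cpt * ti_h / 2 + pfd_floor(lambda_du, cpt, lt_h)

def pfd_floor(lambda_du, cpt, lt_h):
    """Second term only: the value PFDavg approaches as TI shrinks toward zero."""
    return lambda_du * (1 - cpt) * lt_h / 2

def sil_band(pfd):
    """Low-demand SIL band for a PFDavg (0 = does not reach SIL 1, capped at 4)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def min_cpt_for_target(lambda_du, ti_h, lt_h, target_pfd):
    """Cpt at which pfd_avg equals target_pfd; None if even Cpt = 1 falls short."""
    if lt_h <= ti_h:
        raise ValueError("lifetime must exceed the test interval")
    cpt = (lt_h - 2 * target_pfd / lambda_du) / (lt_h - ti_h)
    return None if cpt > 1.0 else max(cpt, 0.0)

if __name__ == "__main__":
    LAMBDA_DU = 1e-6            # per hour (constructed value)
    TI, LT = 8760, 15 * 8760    # 1-year interval, 15-year lifetime
    for cpt in (0.55, 0.95):
        p = pfd_avg(LAMBDA_DU, cpt, TI, LT)
        print(f"Cpt={cpt:.2f} TI=1y  PFDavg={p:.2e} RRF={1/p:.0f} SIL {sil_band(p)}")
    # Testing monthly with the weak test barely moves the result:
    p = pfd_avg(LAMBDA_DU, 0.55, 730, LT)
    print(f"Cpt=0.55 TI=1mo PFDavg={p:.2e} floor={pfd_floor(LAMBDA_DU, 0.55, LT):.2e}")
    print("Cpt needed for PFDavg = 1e-2 at TI=1y:",
          round(min_cpt_for_target(LAMBDA_DU, TI, LT, 1e-2), 3))
```

With these constructed inputs the floor for Cpt = 0.55 already sits above 1E-2, so no test interval, however short, moves that design out of the SIL 1 band.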
What’s a Realistic Cpt?
You’ll often see vendors or safety books quote generic Cpt ranges. Here’s a quick cheat sheet to get you started:
| Component | Typical Cpt | Notes |
|---|---|---|
| Pressure Transmitter | 85–95% | Depends on how it’s tested |
| Logic Solver | 95–99% | High diagnostic coverage helps |
| Final Element (valve) | 50–95% | Greatly depends on stroke testing |
Cpt is influenced by:
- Test method (partial stroke, full stroke, leak test, etc.)
- Equipment design (some valves are inherently testable)
- Human factors (procedures, training, consistency)
How to Determine Proof Test Coverage (Cpt)
If Using IEC 61508 Certified Equipment
If you’re using components that are certified per IEC 61508, your job is easier. Look at the SIL certificate or safety manual. Most will include Cpt values based on an FMEDA (Failure Modes, Effects, and Diagnostic Analysis).
- Example: A final element might claim 65% for partial-stroke testing and 90% for full-stroke testing.
- You need to match your test procedure to what was assumed in the FMEDA.
This is especially important with valves. Partial stroke tests (PVST) might not catch failure modes that a full test (FVST) would — and the difference in Cpt can be dramatic.
If Using Non-61508 Equipment (Route 2H or 2S)
If your hardware isn’t certified, you’ll need to gather data and use the proven-in-use method (this follows the Route 2H or 2S approach; the routes are confusing and will be discussed elsewhere):
- Use industry databases like OREDA
- Refer to books like Safety Instrumented System Verification by Goble
- Review ISA technical reports and peer-reviewed FMEDAs
- Document your engineering judgment and conservatism
Example: You might assign a Cpt of 70% to a test routine that checks for mechanical failure in a solenoid but can’t detect seat leakage. Be transparent about assumptions — auditors and assessors will ask.
Common Proof Test Coverage Misunderstandings
- Cpt ≠ diagnostic coverage: Diagnostic coverage comes from built-in self-checks. Cpt is about your manual or automatic testing procedures.
- You can’t just assume 100%: Even a full-stroke test may not catch all dangerous failures, especially in actuators and valve internals.
- Test frequency doesn’t override poor Cpt: Doing a weak test more often doesn’t give the same benefit as a strong test less frequently.
- Copying vendor Cpt while using a much weaker plant test; assuming partial‑stroke test Cpt equals full functional Cpt.
- Not coordinating the type of Cpt with the plant possibly needing to be shut down. For example, a Functional Safety Engineer establishes a high Cpt assuming a FVST every six months, which would require a plant shutdown in their situation. But the facility cannot be shut down every six months. This is a classic example of not including all stakeholders in decisions.
Practical Tips for Beginners
- If possible, use certified equipment — it saves work and improves defensibility.
- For valves and final elements, be clear with your operations team: A test that’s easy to perform (like PVST) often has lower coverage.
- Document exactly what your test does and doesn’t detect.
- For new designs, select devices that are easier to proof test.
Related Reading and Resources
External Resources:
- OREDA Failure Database
- Exida’s Safety Equipment Reliability Handbook (SERH) – this does have proof test coverage
Q&A
1. How do I figure out what Cpt to use in my SIFs?
Start with the equipment documentation. If certified, use the FMEDA. If not, use judgment, external databases, and document everything.
2. Can I assume 100% Cpt if I fully test a valve via a FVST?
Not quite. While FVST gets close, it might miss failure modes like sticking during partial actuation or internal bypass.
3. How is Cpt different from diagnostic coverage?
Cpt measures what your manually performed or manually initiated test can catch. Diagnostic coverage measures what the device’s self-checks can catch.
4. Does increasing test frequency help more than increasing Cpt?
They both help — but increasing Cpt often gives more impact with fewer operational interruptions.
5. What’s the best way to improve Cpt without changing the system?
Upgrade your test method. Add leak testing, position feedback, or combine manual and automated routines.
6. Does Cpt apply to safe failures as well?
No. Cpt is defined only on dangerous undetected failure modes. Proof tests may reveal safe failures, but those affect spurious trip rate and availability, not the Cpt value used in PFDavg.
