If you’re new to functional safety, you’ve likely encountered terms like proof testing, Safety Instrumented Functions (SIF), and Probability of Failure on Demand (PFDavg). Understanding these concepts is crucial for ensuring the reliability of safety systems in process industries. In this article, we’ll clearly explain proof testing, why it’s essential, how it impacts the PFDavg calculation, and its relationship with Safety Integrity Level (SIL).
What Exactly is Proof Testing?
Proof testing refers to manually performed or manually initiated periodic tests conducted on Safety Instrumented Systems (SIS) to reveal hidden or dormant faults. The main goal is ensuring each SIF—which consists of sensors, logic solvers, and final elements—can reliably activate when needed. These tests simulate conditions that activate the safety system, confirming functionality and identifying issues that could compromise performance during an actual emergency.
IEC 61511, the international standard guiding functional safety in the process industry, explicitly mandates proof tests to maintain compliance and assure safety integrity.
Proof testing is not just a regulatory checkbox—it’s a central activity in any process safety lifecycle. When done properly, it enhances equipment reliability, informs maintenance strategies, and helps avoid unnecessary spurious trips or overlooked latent failures. These tests are especially important in facilities with aging infrastructure or complex safety systems, where regular inspections can be challenging.
Why is it Essential?
Regular proof testing helps:
- Ensure Reliability: Detects hidden faults, increasing confidence that safety systems respond correctly when required.
- Achieve and Maintain SIL Ratings: Directly influences SIL by lowering PFDavg values, ensuring a system meets its designated safety objectives.
Connecting to PFDavg
PFDavg is a metric used to gauge the likelihood that a safety system will fail to respond correctly upon demand. Frequent and thorough testing significantly reduces the PFDavg by detecting hidden failures and correcting them promptly.
Understanding PFDavg Through a Simple Calculation:
A simplified formula for calculating PFDavg is:
- λDU is the dangerous undetected failure rate, often in 1/hour
- TI s the test interval between proof tests, often in years
Shorter test intervals result in a lower PFDavg, directly supporting higher SIL ratings.
Practical Example:
Imagine a SIF component has a of 0.002 failures per year. With annual testing, your calculation would be:
This PFDavg of 0.001 complies with SIL 2 requirements (ranging from 0.001 to 0.01). Extending test intervals increases PFDavg, reducing safety system reliability and potentially affecting the SIL rating.
Types of Tests and Operational Impact
Different types of tests have distinct impacts on plant operations:
Full Functional Test
A complete system test, involving sensors, logic solvers, and actuators.
- Operational Impact: Usually requires full shutdown.
- Advantages: Highest accuracy, confirms full loop functionality.
- Drawbacks: Production downtime and increased costs.
Partial-Stroke Test
Typically used for valves, it partially moves the valve to test performance without shutting down the process.
- Operational Impact: Minimal interruption, production continues.
- Advantages: Frequent monitoring, limited disruption.
- Drawbacks: Less comprehensive, may miss certain faults.
Diagnostic Testing – is Great – but is not Proof Testing
Automated tests performed by components to detect faults continuously or at short intervals is a common feature in Functional Safety. However, these are NOT considered proof tests. Remember, proof test are manually performed or manually initiated tests.
Automatic diagnostic testing is an amazing way to help ensure safety, but is a distinct concept and has distinct math terms from proof testing. Some notes on diagnostics are…
- Operational Impact: No direct operational impact.
- Advantages: Early fault detection, reduced manual testing frequency.
- Drawbacks: Can miss faults undetectable by automated methods.
Balancing Test Frequency and Practicality
Typical Test Intervals (TI) for SIFs
The appropriate Test Interval (TI) for a Safety Instrumented Function (SIF) depends on many factors, including the required Safety Integrity Level (SIL), failure rate of components, Proof Test Coverage (Cpt), and the risk reduction targets.
In general practice:
- SIL 1 SIFs often have TIs ranging from 1 to 5 years
- SIL 2 SIFs typically fall within a 1 to 2 year TI
- SIL 3 SIFs usually require TIs of 6 months to 1 year or even more frequent
These ranges are not hard-rules and must be validated by PFDavg calculations, which incorporate actual device data and proof test protocol effectiveness. For high-demand or continuous mode operations, the calculation basis and interval definitions change, often requiring more sophisticated modeling.
Determining testing frequency involves balancing safety, reliability, and operational practicality. More frequent testing reduces PFDavg but increases operational costs and downtime, while less frequent testing can increase risks due to undetected faults. The key is aligning testing frequency with safety goals and operational realities.
Proof Test Coverage (Cpt)
A related topic, Proof Test Coverage (Cpt), refers to the effectiveness of proof tests in detecting hidden faults. Or more specifically, dangerous undetected (DU) failures. While this article focuses on the broader concept of proof testing, it’s worth noting that Cpt plays a significant role in how PFDavg is calculated. In essence, if a test is only capable of detecting a fraction (Cpt ) of possible dangerous undetected failures, that limited effectiveness must be factored into the safety equations. This complicates the math and emphasizes the importance of having well-defined proof test protocols that clearly state what is and isn’t being tested.
To learn more about Cpt, see this article to get into more details.
Balancing Testing with Operational Requirements
While proof testing is essential for maintaining the integrity of SIFs, it often competes with operational demands. Some tests, especially full functional tests, require shutting down part or all of a process—a decision that carries significant production and cost implications. In other cases, testing may require bypassing safety functions, temporarily reducing the facility’s protection layers.
Therefore, organizations must carefully weigh the benefits of frequent and thorough testing against the impact on production schedules, safety availability, and maintenance workload. This balance often involves coordination across operations, safety, and engineering teams to align test intervals with planned outages, maintenance windows, and risk tolerance levels.
Common Testing Pitfalls
While not exhaustive, here are some common pitfalls organizations encounter:
- Poor planning leading to unnecessary operational disruptions.
- Overreliance on partial-stroke and diagnostic testing without periodic full functional tests.
Avoiding these issues enhances both safety and efficiency.
Wrap-Up
Proof testing of SIFs is fundamental in maintaining the reliability and effectiveness of safety systems. Regular and thorough tests directly influence PFDavg calculations, help maintain SIL ratings, and ensure compliance with IEC 61511. By clearly understanding and implementing these practices, your organization significantly enhances safety, reduces risks, and sustains operational efficiency.
Quick Q&A:
Q1: What is the primary purpose of a proof test protocol?
A: To detect hidden failures within the SIF, ensuring reliability and readiness. Or more specifically, dangerous undetected (DU) failures.
Q2: How does testing frequency influence functional safety?
A: More frequent testing reduces the PFDavg, directly improving the SIL rating.
Q3: Can partial-stroke testing replace full functional testing?
A: No, partial-stroke testing complements full tests but can’t entirely replace them, as it’s not comprehensive enough to detect all types of faults.
Q3: Is diagnostic testing (done automatically by newer components) a type of proof testing.
A: No, diagnostic testing and proof testing are different concepts in the functional safety ecosystem. Proof testing is always operator-performed or operator-initiated. Both concepts are in PFDavg calculations and the math works different ways.
Q4: If my SIF already uses devices with high diagnostic coverage, do I still need frequent proof testing?
A: Yes. But perhaps with very strong diagnostics you can use a longer TI and still achieve the needed PFDavg.
Ready to Learn More?
Stay informed and up-to-date on functional safety and industry best practices by subscribing to our newsletter. You’ll receive the latest insights directly in your inbox to help improve your safety management practices.
Additional Resources:
- IEC 61511 Official Standard
- International Society of Automation (ISA)
- UK Health and Safety Executive (HSE)
- CCPS Guidelines
- Internal blog post on Cpt
- See our glossary for loads more terms
- Internal article on failure rate