Functional Safety 2016
November, 2016 - London
Introduction
The periodic proof testing of a Safety Instrumented Function (SIF) is an integral element of the
SIF design and the assurance that the SIF will continue to provide the target and “as designed”
risk reduction for the required mission time of the SIF or until it is no longer required to provide
the risk reduction.
Manufacturers of safety-related equipment that is claimed as being compliant with BS EN
61508:2010 must perform analysis of the equipment with respect to random hardware failures.
This analysis must determine: the failure modes with respect to equipment operation
parameters; the estimated dangerous failure rates for detected and undetected failures; the
diagnostic coverage; the environmental limits; the estimated equipment lifetime; and any
periodic proof test and/or maintenance requirements. For the claimed compliant equipment, this
information must be provided in a safety manual that is in accordance with the requirements of
BS EN 61508:2010 Part 2 Annex D and includes the specific requirements for proof testing of the
equipment.
The primary objective of the proof test is to reveal undetected dangerous faults. It is
recognised, however, that not all faults can be detected by either equipment diagnostic tests
or proof tests; some may only be found during overhaul or a demand on the SIF to operate. If
faults are not detected by overhaul or a demand, then it should be assumed that they will
remain for the life of the equipment but do not impact on the equipment’s ability to perform
the safety function, as the SIF would otherwise have failed during the demand. These types of
faults may be considered no-effect failures and are not considered in this paper.
Therefore, considering undetected dangerous faults, the fraction of faults detected when the
proof test is performed is termed the Proof Test Coverage, and the fraction of faults not
detected is (1 - Proof Test Coverage). These latter faults, which are not detected at the proof
test, will only be detected when a demand is made on the SIF.
The Proof Test Coverage impacts on the achieved average probability of failure on demand
(PFD_AVG) of a SIF. It is therefore critical that the manufacturer's requirements for testing
are complied with, to provide the assurance that the SIF will continue to provide the target
and “as designed” risk reduction for the required mission time of the SIF or until it is no
longer required to provide the risk reduction.
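
The effect of proof test coverage on PFD_AVG can be shown numerically. The following is an added example, not taken from the paper: it assumes a single-channel (1oo1) SIF with a constant dangerous undetected failure rate, assumes faults missed by the proof test persist for the whole mission time, and uses constructed values. The function and parameter names (`ptc`, `lam_du`, and so on) are hypothetical, and the closed-form expression is the commonly used simplified approximation, included only for comparison.

```python
import math

def pfd_avg_numeric(lam_du, ti_h, mt_h, ptc, steps=150_000):
    """Time-average of PFD(t) over the mission time (midpoint rule).

    Faults covered by the proof test (fraction ptc) are cleared every ti_h
    hours; the remaining (1 - ptc) accumulate over the full mission time.
    """
    dt = mt_h / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        since_test = t % ti_h  # hours since the last proof test
        healthy = math.exp(-ptc * lam_du * since_test
                           - (1.0 - ptc) * lam_du * t)
        total += 1.0 - healthy
    return total / steps

def pfd_avg_approx(lam_du, ti_h, mt_h, ptc):
    """Simplified closed form: covered part over TI, uncovered part over MT."""
    return ptc * lam_du * ti_h / 2 + (1.0 - ptc) * lam_du * mt_h / 2

def sil_band(pfd_avg):
    """Low-demand SIL band per IEC 61508; 0 means worse than SIL 1."""
    if pfd_avg >= 1e-1:
        return 0
    for sil in (1, 2, 3):
        if pfd_avg >= 10 ** -(sil + 1):
            return sil
    return 4

# Constructed sample values (assumptions, not from the paper)
LAM_DU = 2e-6      # dangerous undetected failures per hour
TI_H = 8760        # proof test interval: 1 year
MT_H = 15 * 8760   # mission time: 15 years

if __name__ == "__main__":
    for ptc in (1.0, 0.9, 0.7):
        exact = pfd_avg_numeric(LAM_DU, TI_H, MT_H, ptc)
        approx = pfd_avg_approx(LAM_DU, TI_H, MT_H, ptc)
        print(f"coverage={ptc:.0%} PFDavg={exact:.2e} "
              f"(approx {approx:.2e}) -> SIL {sil_band(exact)}")
```

With these values the same equipment and test interval meet the SIL 2 band at full coverage but only SIL 1 at 70% coverage, because the uncovered fraction is averaged over the mission time rather than the test interval.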