1.9.2 The actual proof test interval is different from the interval assumed in the calculation. Longer test intervals will lead to a higher average SIF PFD, which may exceed the limit specified in the SRS.
1.9.3 The proof testing does not reveal all faults that prevent the SIS performing its designed functionality and allow them to be repaired in a timely and safe manner. If faults are not revealed then the actual PFD will continue to increase over time, and will eventually exceed the limit specified in the SRS (see Annexe B).
1.9.4 The proof testing does not fully cover all components of the SIS (e.g. due to test switches / simulation which may not cover the measurement component, or not testing output elements). If faults are not revealed because some components are not tested, then the actual PFD will continue to increase over time, and will eventually exceed the limit specified in the SRS (see Annexe B).
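The three failure mechanisms in 1.9.2 to 1.9.4 can be made concrete with a small calculation. The following is an added example, not part of the guidance document: it uses the standard simplified low-demand approximation for a single channel (PFD_avg ≈ λDU·TI/2 for a perfect proof test, with the unrevealed fraction of faults accumulating over the mission time when proof test coverage is below 100%). The failure rate, interval, coverage and SRS limit are constructed values for illustration.

```python
# Added example: simplified 1oo1 low-demand PFD model (assumed, not from the guidance).
#   perfect test:    PFD_avg ~= lambda_DU * TI / 2
#   imperfect test:  PFD_avg ~= PTC * lambda_DU * TI / 2 + (1 - PTC) * lambda_DU * MT / 2
# lambda_DU: dangerous undetected failure rate (per hour); TI: proof test interval;
# PTC: proof test coverage (fraction of DU faults the test reveals); MT: mission time
# after which the item is overhauled/replaced. All numbers below are constructed.

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du, test_interval_years, coverage=1.0, mission_time_years=None):
    """Average PFD of a single channel, accounting for unrevealed faults."""
    ti = test_interval_years * HOURS_PER_YEAR
    revealed = coverage * lambda_du * ti / 2.0          # faults the proof test finds
    if coverage >= 1.0:
        return revealed
    if mission_time_years is None:
        raise ValueError("mission time is required when coverage < 1")
    mt = mission_time_years * HOURS_PER_YEAR
    unrevealed = (1.0 - coverage) * lambda_du * mt / 2.0  # faults that persist to MT
    return revealed + unrevealed


def sil_band(pfd):
    """IEC 61508 low-demand SIL band for a PFD_avg (0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def meets_srs(pfd, srs_limit):
    """True if the achieved PFD_avg is within the limit claimed in the SRS."""
    return pfd <= srs_limit


if __name__ == "__main__":
    lam, limit = 2e-6, 1e-2                      # constructed: lambda_DU, SIL 2 SRS limit
    cases = {
        "assumed 1-year test, full coverage": pfd_avg(lam, 1),
        "actual 3-year test (1.9.2)": pfd_avg(lam, 3),
        "1-year test, 90% coverage, 10-year mission (1.9.3/1.9.4)": pfd_avg(lam, 1, 0.9, 10),
    }
    for name, pfd in cases.items():
        print(f"{name}: PFD_avg={pfd:.4f} SIL{sil_band(pfd)} meets SRS={meets_srs(pfd, limit)}")
```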
2 Approach

Proof Testing Methods

2.1 The reliability calculation assumes that a proof test restores the SIS to its designed functionality, i.e. the SIS operating as specified in the safety requirements specification (SRS). Therefore, in order for the duty holder to define the proof test, the safety function must be well defined (e.g. time to close, tight shutoff, action on single sensor failure etc.).
2.2 It is recognised that it is sometimes not possible to ‘test’ some components (e.g. one-use items such as a suppression system’s powder canister, or some inline flow meters). In these cases equivalent measures should be taken for these components to achieve the same outcome (e.g. replacement or corroborative measurements). For the purposes of this document, these equivalent measures shall be considered as part of the proof test even if they are not an actual ‘test’.
2.3 The objective of the proof test is to reveal undetected faults in the SIS. Therefore it is important to consider the possible component failure modes and their effect on the safety function. For example, relay contacts are known to weld together and therefore the proof test should establish that the relay contacts open on demand.
2.4 Failure modes are often well known for ‘simple’ components (i.e. type A components as defined in BS EN 61508/11) and therefore the proof test can often be well defined with a high degree of confidence that all undetected faults will be revealed. With more complex devices, the failure modes are not always known and therefore a reasonable set of failure modes should be determined from experience, fault trees, failure mode and effect analysis studies etc. In all cases, the requirements of the safety function should be tested as a minimum.
2.5 Some typical examples of proof testing that may not reveal all unrevealed faults are given below.
Partial stroke testing
Valves checked to limit switch / solenoid