
1.9.2 The actual proof test interval is different from the interval assumed in the calculation. Longer test intervals will lead to a higher average SIF PFD, which may exceed the limit specified in the SRS.

1.9.3 The proof testing does not reveal all faults that prevent the SIS from performing its designed functionality, so those faults are not repaired in a timely and safe manner. If faults are not revealed, the actual PFD will continue to increase over time and will eventually exceed the limit specified in the SRS (see Annexe B).

1.9.4 The proof testing does not fully cover all components of the SIS (e.g. testing via test switches or signal simulation, which may not exercise the measurement element, or not testing the output elements at all). If faults are not revealed because some components are not tested, the actual PFD will continue to increase over time and will eventually exceed the limit specified in the SRS (see Annexe B).
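The effects described in 1.9.2 to 1.9.4 can be put into numbers with the standard low-demand approximation for a single-channel (1oo1) element, PFDavg ≈ PTC·λDU·TI/2 + (1 − PTC)·λDU·TM/2, where λDU is the dangerous undetected failure rate, TI the proof test interval, PTC the proof test coverage (the fraction of dangerous undetected faults the test actually reveals) and TM the time until the unrevealed faults are cleared by overhaul or replacement. The script below is an added worked example; it is not part of the HSE guidance and is not taken from it. The failure rate, the assumed and actual test intervals, the coverage figures and the SRS limit of 5 × 10⁻³ are constructed for illustration; the SIL bands are the low-demand PFDavg bands of BS EN 61508-1 Table 2. The second function also goes beyond the linear approximation and computes the exact average PFD of each successive test interval, which is what the rising PFD in 1.9.3 and 1.9.4 looks like in practice.

```python
"""Added worked example (not from the HSE guidance): how proof test interval and
proof test coverage drive the average PFD of a 1oo1 SIF element.
All numerical inputs are constructed for illustration."""
import math

# Low-demand SIL bands (PFDavg) from BS EN 61508-1 Table 2: (SIL, lower, upper).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd_avg):
    """Return the SIL band a low-demand PFDavg falls in, or 0 if worse than SIL 1."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return 0


def pfd_avg_1oo1(lambda_du, test_interval_h, coverage=1.0, mission_time_h=0.0):
    """Linear approximation used in reliability calculations for a 1oo1 element:
        PFDavg ~= PTC * lambda_DU * TI / 2 + (1 - PTC) * lambda_DU * TM / 2
    lambda_du       dangerous undetected failure rate (per hour)
    test_interval_h proof test interval TI (hours)
    coverage        proof test coverage PTC (1.0 = the test reveals every DU fault)
    mission_time_h  time TM until unrevealed faults are cleared by overhaul/replacement
    """
    if coverage < 1.0 and mission_time_h <= 0:
        raise ValueError("a mission time is needed when proof test coverage < 1")
    revealed = coverage * lambda_du * test_interval_h / 2.0
    unrevealed = (1.0 - coverage) * lambda_du * mission_time_h / 2.0
    return revealed + unrevealed


def pfd_avg_by_interval(lambda_du, test_interval_h, coverage, n_intervals):
    """Exact average PFD over each successive proof test interval (1oo1 element).
    Faults the proof test reveals are repaired at each test (the familiar sawtooth);
    faults it does not reveal accumulate from t = 0, so the floor under the
    sawtooth rises test after test. Returns a list indexed by interval k = 0, 1, ...
    """
    lam_unrevealed = (1.0 - coverage) * lambda_du
    x = lambda_du * test_interval_h
    # Mean of exp(-lambda_du * s) over one interval s in [0, TI]: every fault,
    # revealed or not, degrades the element within the interval.
    within_interval = (1.0 - math.exp(-x)) / x
    # Survival of the unrevealed modes up to the start of interval k scales the whole term.
    return [1.0 - math.exp(-lam_unrevealed * k * test_interval_h) * within_interval
            for k in range(n_intervals)]


def first_interval_exceeding(lambda_du, test_interval_h, coverage, srs_limit, n_intervals=100):
    """0-based index of the first proof test interval whose average PFD exceeds
    the SRS limit, or None if it stays within the limit for n_intervals."""
    pfds = pfd_avg_by_interval(lambda_du, test_interval_h, coverage, n_intervals)
    for k, pfd in enumerate(pfds):
        if pfd > srs_limit:
            return k
    return None


if __name__ == "__main__":
    LAMBDA_DU = 1e-6       # constructed: 1 dangerous undetected failure per 1e6 h
    TI_ASSUMED = 8760.0    # constructed: the calculation assumed an annual test
    TI_ACTUAL = 17520.0    # constructed: site actually tests every two years (1.9.2)
    TM = 175200.0          # constructed: 20-year mission time before overhaul
    SRS_LIMIT = 5e-3       # constructed: SRS limit, a SIL 2 target with margin

    for label, ti in (("assumed", TI_ASSUMED), ("actual", TI_ACTUAL)):
        pfd = pfd_avg_1oo1(LAMBDA_DU, ti)
        print(f"{label:8s} TI={ti/8760:.0f} yr  PFDavg={pfd:.2e}  SIL {sil_from_pfd(pfd)}"
              f"  {'EXCEEDS SRS' if pfd > SRS_LIMIT else 'within SRS'}")

    # 1.9.3 / 1.9.4: the test misses 10 % of DU faults (e.g. untested output element).
    pfd = pfd_avg_1oo1(LAMBDA_DU, TI_ASSUMED, coverage=0.9, mission_time_h=TM)
    print(f"PTC=0.9  PFDavg over mission={pfd:.2e}  SIL {sil_from_pfd(pfd)}")

    # Even 99 % coverage lets the interval-average PFD creep past the SRS limit.
    k = first_interval_exceeding(LAMBDA_DU, TI_ASSUMED, 0.99, SRS_LIMIT)
    print(f"PTC=0.99 first annual interval above SRS limit: index {k} (year {k + 1})")
```

With the constructed figures the two-yearly test of 1.9.2 doubles PFDavg from 4.38 × 10⁻³ to 8.76 × 10⁻³, still nominally SIL 2 but above the assumed SRS limit; 90 % coverage over a 20-year mission pushes PFDavg to 1.27 × 10⁻², i.e. SIL 1; and with 99 % coverage the interval-average PFD first exceeds the limit in the ninth annual interval, because the 1 % of faults the test never reveals are never repaired. Replace the constructed inputs with the λDU, intervals and SRS limit of the SIF being assessed.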

2 Approach

Proof Testing Methods

2.1 The reliability calculation assumes that a proof test restores the SIS to its designed functionality, i.e. the SIS operating as specified in the safety requirements specification (SRS). Therefore, in order for the duty holder to define the proof test, the safety function must be well defined (e.g. time to close, tight shutoff, action on single sensor failure etc.).

2.2 It is recognised that it is sometimes not possible to 'test' some components (e.g. single-use items such as a suppression system's powder canister, or some inline flow meters). In these cases equivalent measures should be taken for these components to achieve the same outcome (e.g. replacement or corroborative measurements). For the purposes of this document, these equivalent measures shall be considered as part of the proof test even if they are not an actual 'test'.

2.3 The objective of the proof test is to reveal undetected faults in the SIS. Therefore it is important to consider the possible component failure modes and their effect on the safety function. For example, relay contacts are known to weld together and therefore the proof test should establish that the relay contacts open on demand.

2.4 Failure modes are often well known for 'simple' components (i.e. type A components as defined in BS EN 61508/11) and therefore the proof test can often be well defined with a high degree of confidence that all undetected faults will be revealed. With more complex devices, the failure modes are not always known and therefore a reasonable set of failure modes should be determined from experience, fault trees, failure mode and effects analysis (FMEA) studies etc. In all cases, the requirements of the safety function should be tested as a minimum.

2.5 Some typical examples of proof testing that may not reveal all undetected faults are given below.

Partial stroke testing

Valves checked to limit switch / solenoid