Proof testing: the more realistic, the better
End users need to proof test their safety functions to make sure they still work as specified. Many end users struggle with the question of how often a proof test needs to be carried out, especially in the process industry, where end users try to operate their plants continuously for many years.
Performing a full functional test on a safety function would in many cases mean an undesired interruption of the process. This makes proof testing in practice a difficult task. If you carry out the proof test you might interrupt the process and lose money. If you do not carry out the proof test you will not know whether your safety function still works and thus take (unnecessary) risks.
In the end, every end user struggles with the same dilemma. How often do I need to carry out a proof test without getting into legal trouble? How do I decide the proof test interval?
What functional safety standards say about proof testing
Take, for example, IEC 61511:2003 for the process industry sector. This standard states in clause 16.3.1.3:
The frequency of the proof tests shall be as decided using the PFDavg calculation.
Even the new draft of IEC 61511 states it in a similar manner:
The schedule for the proof tests shall be according to the SRS. The frequency of proof tests for a SIF shall be determined through PFDavg or PFH calculation in accordance with 11.9 for the SIS as installed in the operating environment.
Not only IEC 61511 but also the more generic IEC 61508 standard states that the proof test interval can be determined based on the PFDavg value. So, if the end user just follows the standards, the proof test interval is based on the PFD calculations.
And what do product manufacturers say?
Product manufacturers of safety equipment write safety manuals. In those manuals you will often find statements like “We recommend to proof test the device at least once per year”, or whatever frequency they recommend. Product manufacturers have either done tests to decide on the proof test frequency or they just protect themselves legally by making a statement like this. Either way, you need to follow their instructions.
Proof testing – Legally who is right?
So what does an end user do if the PFD calculation of the complete loop results in a proof test frequency of once every two years, but there is equipment in the loop where the manufacturer states in their manual to proof test it once every year? Legally which one of the two wins?
Even though I have personally been a safety expert witness in several court cases related to IEC 61508, I don’t know the legal answer to this one. During those court cases, where I was a safety expert witness, it was never about safety but only about money related to IEC 61508 projects. I personally have never seen a court case where exactly this question was the problem. I think legally it is a difficult question to answer and only the judge can decide on a case-by-case basis. So if I were an end user, how would I decide the proof test interval?
How to decide the proof test frequency?
If you think about it practically, an end user needs to think about three things when deciding on the proof test frequency. First of all, the end user needs to follow the law. If your country has any laws that in one way or another make a statement about proof testing safety functions, then you will have to follow those laws.
Second of all, end users need to do what manufacturers of safety products write in their safety manuals. You cannot buy a product, not follow the manual, and then complain that it did not work. Product suppliers will always point out that it was clearly written in the manual how to operate their product.
And lastly, follow the PFD calculation. But keep in mind two things. First of all, the PFD calculation is only as good as the model you made and the reliability data you are using. There is always a lot of uncertainty in the PFD calculation. Do you want to base your proof test frequency on uncertain results? Second of all, if the PFD calculation results in a lower frequency than the product manual states, I think you should still follow the manual. The product manufacturer knows his product best.
So in summary, the order in which to decide the proof test frequency should be like this:
- Do what the law says
- Follow the instructions of the product manufacturer
- Base it on the PFD calculation
Keep in mind that the higher frequency always wins. And finally, try to make the proof test as realistic as possible. The more realistic the better it is.
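The decision order above can be worked through in code. This is an added example, not part of the original article: it assumes a single-channel (1oo1) loop and the common simplified approximation PFDavg ≈ λ_DU × TI / 2, which ignores repair time and imperfect test coverage, and every failure rate, target value and device name in it is constructed.

```python
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760.0

@dataclass
class Device:
    name: str
    lambda_du: float                    # dangerous undetected failures per hour (constructed)
    manual_interval_y: Optional[float]  # interval from the safety manual, in years, if stated

# Constructed loop: sensor -> logic solver -> final element, all in series.
LOOP = [
    Device("pressure transmitter", 1.5e-7, None),
    Device("logic solver", 0.2e-7, 5.0),
    Device("shutdown valve", 4.0e-7, 1.0),
]

def pfd_avg(devices, interval_y):
    """Simplified series 1oo1 loop: PFDavg ~= sum(lambda_DU) * TI / 2 (assumption)."""
    return sum(d.lambda_du for d in devices) * interval_y * HOURS_PER_YEAR / 2.0

def max_interval_from_pfd(devices, pfd_target):
    """Longest interval (years) that still keeps PFDavg at or below the target."""
    total = sum(d.lambda_du for d in devices)
    return 2.0 * pfd_target / total / HOURS_PER_YEAR

def decide_interval(devices, pfd_target, legal_interval_y=None):
    """Collect law, manual and PFD limits; the shortest interval
    (that is, the highest test frequency) wins."""
    candidates = [("PFD calculation", max_interval_from_pfd(devices, pfd_target))]
    if legal_interval_y is not None:
        candidates.append(("law", legal_interval_y))
    for d in devices:
        if d.manual_interval_y is not None:
            candidates.append((f"manual: {d.name}", d.manual_interval_y))
    source, interval = min(candidates, key=lambda c: c[1])
    return interval, source

if __name__ == "__main__":
    target = 5e-3  # constructed PFDavg target taken from the SRS
    print(f"PFD calculation allows {max_interval_from_pfd(LOOP, target):.2f} years")
    interval, source = decide_interval(LOOP, target)
    print(f"Test every {interval:.2f} years (binding constraint: {source})")
    print(f"PFDavg at that interval: {pfd_avg(LOOP, interval):.2e}")
```

With these constructed numbers the PFD calculation alone would allow roughly two years, but the valve manual's one-year interval is the binding constraint, which is the conflict described above.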