Safety Instrumented Systems Proof Testing


  • Safety Instrumented Systems (SIS) are designed to provide a level of integrity that reduces the risk of a hazard to a defined tolerable level.

  • During normal operation, components of the safety instrumented system (SIS) are subject to random failures. These may be safe failures, which can lead to spurious trips, or dangerous failures, which may prevent the SIS from operating correctly when required. Dangerous failures that are not revealed by diagnostic functions are termed dangerous undetected (DU) failures.

  • Over time, the probability that an undetected dangerous failure has occurred increases. Therefore the probability that the SIS will not operate as required (often called the probability of failure on demand, PFD) also increases over time, until the failure is revealed and repaired.

  • Good practice (e.g. BS EN 61511) requires that a PFD calculation is performed to show that the integrity of the SIS, i.e. its average PFD, is sufficiently low to achieve the required level of risk reduction. That calculation rests on assumptions, including the reliability of the components being used and how often undetected dangerous failures are revealed by proof test.

  • The underlying PFD calculations typically include within them assumptions about the coverage of the test, i.e. that all undetected dangerous failure modes that prevent the SIS from operating in accordance with the safety requirement specification are revealed at the specified proof test interval and repaired within the specified mean time to repair.

  • Dutyholders often seek to achieve this by carrying out periodic testing at the specified proof test interval. However, it is observed that such testing sometimes does not reveal all undetected failure modes, for example because:

    1. Some components cannot be tested because to do so would destroy them, e.g. explosion suppression powder canisters.
    2. Some components cannot be tested in the usual manner whilst the process is online.
    3. Some components cannot be tested without exposing workers to other hazards, e.g. hazardous pressure or energy, toxic or flammable materials etc.
    4. Some failure modes cannot be directly tested.
    5. The test method is insufficient to reveal all failure modes, e.g. failure modes associated with redundant channels or with diagnostic functions.

  • It can be seen that the integrity achieved by the SIS is linked to the assumptions made within the PFD calculation and to the coverage of the proof test, and that this has a direct effect on the level of risk reduction the SIS provides.
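
  The effect of incomplete proof test coverage on the average PFD can be made concrete with a small calculation. The following Python is an added worked example for this page, not a calculation from HSE or from BS EN 61511, and every numeric input in it (the failure rate, the intervals, the coverage figure) is an assumed value chosen for illustration. It uses the common simplified low-demand approximation for a single 1oo1 channel: dangerous undetected failures are split into the fraction the proof test reveals (proof test coverage, PTC), which is reset every proof test interval T1, and the remainder, which is revealed only at a longer full-test or overhaul interval T2. The closed form is cross-checked against a numerical average of the sawtooth unavailability curve.

```python
"""Added example: 1oo1 average PFD with imperfect proof test coverage.

Illustrative code written for this page, not HSE's or BS EN 61511's own method.
Simplified low-demand approximation (valid when lambda_DU * T << 1): unavailability
grows roughly linearly between tests. DU failures are split into a covered part,
reset every proof test interval T1, and an uncovered part, reset only at T2.
All numeric inputs are ASSUMED values, not figures from the page.
"""
import math

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du, t1_h, ptc=1.0, t2_h=None, mttr_h=0.0):
    """Closed-form average PFD for one channel.

    lambda_du : dangerous undetected (DU) failure rate, per hour
    t1_h      : proof test interval, hours
    ptc       : proof test coverage, fraction of DU failures the test reveals
    t2_h      : interval at which the remaining DU failures are revealed
                (defaults to t1_h, i.e. the perfect-coverage assumption)
    mttr_h    : mean time to repair once a failure is revealed, hours
    """
    if t2_h is None:
        t2_h = t1_h
    covered = lambda_du * ptc * (t1_h / 2.0 + mttr_h)
    uncovered = lambda_du * (1.0 - ptc) * (t2_h / 2.0 + mttr_h)
    return covered + uncovered


def pfd_instantaneous(t_h, lambda_du, t1_h, ptc=1.0, t2_h=None):
    """Unavailability at time t (sawtooth): the covered part is reset every T1,
    the uncovered part every T2. Repair is taken as immediate at test."""
    if t2_h is None:
        t2_h = t1_h
    covered = 1.0 - math.exp(-lambda_du * ptc * (t_h % t1_h))
    uncovered = 1.0 - math.exp(-lambda_du * (1.0 - ptc) * (t_h % t2_h))
    # Either failure mode alone defeats the function: series combination.
    return 1.0 - (1.0 - covered) * (1.0 - uncovered)


def pfd_avg_numeric(lambda_du, t1_h, ptc=1.0, t2_h=None, step_h=1.0):
    """Mean of pfd_instantaneous over one full T2 cycle (midpoint rule),
    used to cross-check the closed form."""
    if t2_h is None:
        t2_h = t1_h
    n = int(round(t2_h / step_h))
    total = 0.0
    for i in range(n):
        total += pfd_instantaneous((i + 0.5) * step_h, lambda_du, t1_h, ptc, t2_h)
    return total / n


def sil_from_pfd_avg(pfd):
    """Low-demand SIL band for an average PFD; 0 means no SIL is claimable."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


if __name__ == "__main__":
    # Assumed: one final element with lambda_DU = 1e-6 /h, proof tested yearly.
    lam = 1e-6
    t1 = 1 * HOURS_PER_YEAR
    claimed = pfd_avg_1oo1(lam, t1)  # calculation that assumes every DU mode is found
    actual = pfd_avg_1oo1(lam, t1, ptc=0.9, t2_h=10 * HOURS_PER_YEAR)
    worse = pfd_avg_1oo1(lam, t1, ptc=0.9, t2_h=20 * HOURS_PER_YEAR)
    print(f"PTC 1.0, T2 = T1 : PFDavg {claimed:.2e}  SIL {sil_from_pfd_avg(claimed)}")
    print(f"PTC 0.9, T2 = 10y: PFDavg {actual:.2e}  SIL {sil_from_pfd_avg(actual)}")
    print(f"PTC 0.9, T2 = 20y: PFDavg {worse:.2e}  SIL {sil_from_pfd_avg(worse)}")
    print(f"numeric check    : {pfd_avg_numeric(lam, t1, 0.9, 10 * HOURS_PER_YEAR):.2e}")
```

  With the assumed inputs, the full-coverage calculation gives a PFDavg of about 4.4e-3 (SIL 2). If the test actually reveals only 90% of DU failure modes and the rest are found only at a ten-yearly overhaul, PFDavg roughly doubles to about 8.3e-3, still SIL 2 but with little margin; stretch the overhaul to twenty years and the channel delivers only SIL 1 even though the paperwork claims SIL 2. The uncovered 10% dominates because it accumulates over T2, not T1, which is why the coverage assumption deserves as much scrutiny as the failure rate itself.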

  • This document provides practical guidance on how to carry out PFD calculations and how to define and implement direct tests or other methods, so as to ensure that the SIS provides the risk reduction required of it on an ongoing basis.

  • Note that the terms used in this document are defined as in BS EN 61511 unless specifically defined in this document.