Glossary term

Proof-Test Interval

Engineering definition of proof-test interval covering hidden failures, PFD screening, diagnostic coverage, maintenance burden and validation evidence.

Definition

Proof-test interval is the planned time between tests that verify a protective function, backup function or hidden-failure safeguard can still perform its credited action.

Proof-test interval matters when a dangerous or mission-critical failure is not self-revealing during normal operation. It is used for interlocks, shutdown valves, backup generators, alarms, medical-device checks, ventilation safeguards, power protection, standby channels and other functions whose unavailable state may stay hidden until demanded. The interval must balance hidden-failure exposure, diagnostic coverage, maintenance burden, bypass exposure and test-induced risk.

Proof-test interval is the planned time between tests that prove a protective function, standby function or hidden-failure safeguard is still able to perform its credited action. The term is common in functional safety, process safety, machine safety, power systems, reliability engineering and medical-device maintenance.

The concept matters because some failures are not self-revealing. A guard switch can fail stuck closed, a shutdown valve can seize, a backup generator can fail to start, a diagnostic channel can be bypassed, or an alarm path can be disabled. The system may appear normal until the protective function is demanded.

Hidden-Failure Exposure

If a dangerous hidden failure can occur at rate:

\lambda_{DU}

and is only revealed by proof testing, the average exposure grows with the interval:

\displaystyle \bar{t}_{hidden}\approx\frac{T_I}{2}

where T_I is the proof-test interval. The shorter the interval, the shorter the average time a hidden dangerous failure can remain present. Shorter is not always better, because testing can create downtime, bypass exposure, maintenance errors or test-induced failures.

PFD Screening

For a simplified low-demand protective function, a common first screen is:

\displaystyle PFD_{avg}\approx\frac{\lambda_{DU}T_I}{2}

This approximation assumes constant dangerous undetected failure rate, effective proof testing, low demand rate and no dominant common-cause or systematic failure term. It is useful for reasoning, not a complete safety calculation.

Solving for a maximum interval gives:

\displaystyle T_{I,max}=\frac{2PFD_{target}}{\lambda_{DU}}

The final interval should also consider diagnostic coverage, component data, standards, consequence severity, maintenance access and operating history.

Worked Example

A protective function has estimated dangerous undetected failure rate:

\lambda_{DU}=1.2\times10^{-6}\ \text{h}^{-1}

The target simplified average probability of failure on demand is:

PFD_{target}=0.002

The maximum interval from the first screen is:

\displaystyle T_{I,max}=\frac{2(0.002)}{1.2\times10^{-6}}=3333\ \text{h}

That is:

\displaystyle \frac{3333}{8760}=0.38\ \text{year}

An annual interval would give:

\displaystyle PFD_{annual}\approx\frac{(1.2\times10^{-6})(8760)}{2}=0.00526

which fails the target. A quarterly interval of:

T_I=2190\ \text{h}

gives:

\displaystyle PFD_{quarterly}\approx\frac{(1.2\times10^{-6})(2190)}{2}=0.00131

which passes the simplified screen.

Test Burden and Bypass Exposure

Proof testing itself can add risk. If each test requires:

t_{test}=2\ \text{h}

of bypassed or unavailable protection, then the test-related exposure fraction for a quarterly interval is:

\displaystyle U_{test}=\frac{2}{2190}=0.000913

This number does not automatically reject the interval. It shows why procedure quality, bypass controls, staffing, spare parts and restoration evidence belong in the decision.

Test Boundary

A proof test should exercise the function that is being credited, not only the easiest signal. For an interlock, that may mean input device, logic solver, output relay, final element, reset behavior and event record. For a standby generator, it may mean start command, fuel system, transfer path, loaded operation, alarms and restoration to standby. For a medical device, it may mean sensor check, alarm path, inhibited output and traceable service record.

The interval is weak if the test boundary is weak. A frequent test of a pilot light does not prove that a valve closes. A simulated trip bit does not prove that stored energy is removed. A maintenance checklist does not prove recovery unless restoration and bypass closure are verified.

Boundary With Diagnostic Coverage

Diagnostic coverage asks which faults are detected. Proof-test interval asks how long hidden faults can remain before the next planned test. Strong online diagnostics may justify a longer proof-test interval. Weak diagnostics or severe consequences may require shorter intervals.

The two terms should not be swapped. A frequent proof test with poor coverage can still miss the dangerous failure. A high-coverage diagnostic with no action rule can still fail the safety function.

Validation Evidence

Useful evidence includes fault list, proof-test procedure, test boundary, final-element exercise, bypass log, restoration checklist, pass/fail criteria, calibration records, maintenance competence, demand history, failed-test history, diagnostic coverage, common-cause review, management-of-change trigger and evidence that the test does not leave the system in a degraded or bypassed state.

Common mistakes include testing only the sensor and not the final element, selecting intervals from habit, ignoring test-induced risk, assuming annual testing is always sufficient, failing to close bypasses, using proof tests that do not reveal the credited hidden failure and treating a test checkbox as release evidence. A defensible proof-test interval states the hidden failure, the test method, the interval basis, the restoration rule and the evidence record.
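A small review of the test boundary and evidence points above, as an added example that is not from the glossary page. It maps each credited hidden failure to the element of the test boundary whose exercise reveals it, then checks a test record against that map together with the bypass-closure, restoration and pass/fail-criteria evidence the page lists; a record that fails any of these is not release evidence. The press-guard interlock fault list, the element names and the two sample records are constructed for the example.

```python
"""Proof-test boundary review: does the record reveal each credited hidden failure?

Added example, not the glossary page's own code. The interlock fault list,
element names and both records below are constructed.
"""
from dataclasses import dataclass


@dataclass
class ProofTestRecord:
    function: str
    credited_faults: dict      # credited hidden failure -> boundary element that reveals it
    elements_exercised: set    # boundary elements the procedure actually exercised
    bypass_opened: bool
    bypass_closed: bool
    restoration_verified: bool
    pass_criteria_recorded: bool


def unrevealed_faults(rec: ProofTestRecord) -> list:
    """Credited hidden failures the test cannot reveal because their element was skipped."""
    return sorted(fault for fault, element in rec.credited_faults.items()
                  if element not in rec.elements_exercised)


def review(rec: ProofTestRecord) -> list:
    """Findings that stop the record counting as release evidence; empty means acceptable."""
    findings = [f"not revealed: '{fault}' (needs {rec.credited_faults[fault]})"
                for fault in unrevealed_faults(rec)]
    if rec.bypass_opened and not rec.bypass_closed:
        findings.append("bypass opened for the test was not closed")
    if not rec.restoration_verified:
        findings.append("restoration to service not verified")
    if not rec.pass_criteria_recorded:
        findings.append("no pass/fail criteria recorded")
    return findings


def is_release_evidence(rec: ProofTestRecord) -> bool:
    return not review(rec)


# Constructed interlock: each credited hidden failure and the element that reveals it.
INTERLOCK_FAULTS = {
    "guard switch stuck closed": "input device",
    "logic solver output stuck energised": "logic solver",
    "output relay contacts welded": "output relay",
    "contactor fails to drop out (stored energy not removed)": "final element",
    "reset accepted while demand present": "reset behavior",
    "trip not logged": "event record",
}

# Weak test: a simulated trip bit at the logic solver, bypass never closed.
WEAK_TEST = ProofTestRecord(
    function="press guard interlock",
    credited_faults=INTERLOCK_FAULTS,
    elements_exercised={"logic solver"},
    bypass_opened=True, bypass_closed=False,
    restoration_verified=False, pass_criteria_recorded=True,
)

# Full-boundary test: physical guard opening through contactor drop-out and log entry.
FULL_TEST = ProofTestRecord(
    function="press guard interlock",
    credited_faults=INTERLOCK_FAULTS,
    elements_exercised={"input device", "logic solver", "output relay",
                        "final element", "reset behavior", "event record"},
    bypass_opened=True, bypass_closed=True,
    restoration_verified=True, pass_criteria_recorded=True,
)

if __name__ == "__main__":
    for rec in (WEAK_TEST, FULL_TEST):
        verdict = "release evidence" if is_release_evidence(rec) else "REJECTED"
        print(f"{rec.function}: {verdict}")
        for finding in review(rec):
            print("  -", finding)
```

The weak record is rejected on seven findings: five credited faults that a simulated trip bit cannot reveal, an open bypass, and no restoration evidence. The fault-to-element map is the part worth keeping in a real procedure, because it states, per hidden failure, what the test must physically exercise to be credited against it.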
