Glossary term
Proof-Test Interval
Engineering definition of proof-test interval covering hidden failures, PFD screening, diagnostic coverage, maintenance burden and validation evidence.
Definition
Proof-test interval is the planned time between tests that verify a protective function, backup function or hidden-failure safeguard can still perform its credited action.
Proof-test interval matters when a dangerous or mission-critical failure is not self-revealing during normal operation. It is used for interlocks, shutdown valves, backup generators, alarms, medical-device checks, ventilation safeguards, power protection, standby channels and other functions whose unavailable state may stay hidden until demanded. The interval must balance hidden-failure exposure, diagnostic coverage, maintenance burden, bypass exposure and test-induced risk.
Proof-test interval is the planned time between tests that prove a protective function, standby function or hidden-failure safeguard is still able to perform its credited action. The term is common in functional safety, process safety, machine safety, power systems, reliability engineering and medical-device maintenance.
The concept matters because some failures are not self-revealing. A guard switch can fail stuck closed, a shutdown valve can seize, a backup generator can fail to start, a diagnostic channel can be bypassed, or an alarm path can be disabled. The system may appear normal until the protective function is demanded.
Hidden-Failure Exposure
If a dangerous hidden failure can occur at rate:
and is only revealed by proof testing, the average exposure grows with the interval:
where T_I is the proof-test interval. The shorter the interval, the shorter the average time a hidden dangerous failure can remain present. Shorter is not always better, because testing can create downtime, bypass exposure, maintenance errors or test-induced failures.
PFD Screening
For a simplified low-demand protective function, a common first screen is:
This approximation assumes constant dangerous undetected failure rate, effective proof testing, low demand rate and no dominant common-cause or systematic failure term. It is useful for reasoning, not a complete safety calculation.
Solving for a maximum interval gives:
The final interval should also consider diagnostic coverage, component data, standards, consequence severity, maintenance access and operating history.
Worked Example
A protective function has estimated dangerous undetected failure rate:
The target simplified average probability of failure on demand is:
The maximum interval from the first screen is:
That is:
An annual interval would give:
which fails the target. A quarterly interval of:
gives:
which passes the simplified screen.
Test Burden and Bypass Exposure
Proof testing itself can add risk. If each test requires:
of bypassed or unavailable protection, then the test-related exposure fraction for a quarterly interval is:
This number does not automatically reject the interval. It shows why procedure quality, bypass controls, staffing, spare parts and restoration evidence belong in the decision.
Test Boundary
A proof test should exercise the function that is being credited, not only the easiest signal. For an interlock, that may mean input device, logic solver, output relay, final element, reset behavior and event record. For a standby generator, it may mean start command, fuel system, transfer path, loaded operation, alarms and restoration to standby. For a medical device, it may mean sensor check, alarm path, inhibited output and traceable service record.
The interval is weak if the test boundary is weak. A frequent test of a pilot light does not prove that a valve closes. A simulated trip bit does not prove that stored energy is removed. A maintenance checklist does not prove recovery unless restoration and bypass closure are verified.
Boundary With Diagnostic Coverage
Diagnostic coverage asks which faults are detected. Proof-test interval asks how long hidden faults can remain before the next planned test. Strong online diagnostics may justify a longer proof-test interval. Weak diagnostics or severe consequences may require shorter intervals.
The two terms should not be swapped. A frequent proof test with poor coverage can still miss the dangerous failure. A high-coverage diagnostic with no action rule can still fail the safety function.
Validation Evidence
Useful evidence includes fault list, proof-test procedure, test boundary, final-element exercise, bypass log, restoration checklist, pass/fail criteria, calibration records, maintenance competence, demand history, failed-test history, diagnostic coverage, common-cause review, management-of-change trigger and evidence that the test does not leave the system in a degraded or bypassed state.
Common mistakes include testing only the sensor and not the final element, selecting intervals from habit, ignoring test-induced risk, assuming annual testing is always sufficient, failing to close bypasses, using proof tests that do not reveal the credited hidden failure and treating a test checkbox as release evidence. A defensible proof-test interval states the hidden failure, the test method, the interval basis, the restoration rule and the evidence record.