Proof Test and Diagnostic Coverage

Last edit: 02/08/2023

THE DOUBT: What is the difference between a Proof Test and a Diagnostic Test?

CONSIDERATIONS: The Proof Test concept comes from IEC 61508 and it is important especially for Safety Instrumented Systems (SIS) used in Low Demand mode.

In Low Demand, a pressure transmitter used in a safety application may be needed very rarely, or never. Let’s say that, in a particular application, the Safety System has to react to a high pressure once every 6 years. For 6 years that safety loop is never active, but when the demand comes it must trip reliably and bring the process to a safe state.

Safe failures are not an issue. Dangerous Detected failures are not an issue either, since the safety system reveals them automatically through an automatic test called the Diagnostic Test, and they can be repaired. The real issue is the Dangerous Undetected failures: by definition the diagnostics do not see them, and a component affected by one keeps looking healthy until the demand arrives and it fails to respond. The only way to reveal them is an off-line test, called the Proof Test. The two definitions follow.

[IEC 61508-4:2010] 3.8.6 Diagnostic Coverage (DC): Fraction of dangerous failures detected by automatic on-line diagnostic tests. The fraction of dangerous failures is computed by using the dangerous failure rates associated with the detected dangerous failures divided by the total rate of dangerous failures.

[IEC 61508-4:2010] 3.8.5 Proof Test: Periodic test performed to detect dangerous hidden failures in a safety-related system so that, if necessary, a repair can restore the system to an “as new” condition or as close as practical to this condition.

In essence: in low demand, the real issue is the dangerous undetected failures, which can be revealed only off-line with a so-called Proof Test, whose execution has to follow what the manufacturer of the instrument has stated in the safety manual. A user cannot devise a Proof Test on their own: the component manufacturer has to specify the whole procedure to be followed and has to state whether the test is complete (≈100% of the dangerous undetected failures revealed, a full Proof Test) or only partial. The proof test coverage declared in the safety manual is what the user needs for the reliability calculation.

Although the Proof Test is also mentioned in IEC 62061, it is mainly used in Low Demand. In High Demand (IEC 62061 and ISO 13849-1) the key indicator is the Diagnostic Coverage, calculated with the following formula:

$$DC = \frac{\lambda_{DD}}{\lambda_D}$$

where λDD is the rate of detected dangerous hardware failures and λD is the total rate of dangerous hardware failures (λD = λDD + λDU, with λDU the rate of undetected dangerous failures).

In High Demand, safety components are used regularly (for example, once every hour): an accumulation of hidden faults is unlikely, since a dangerous failure is revealed at the next demand at the latest, and safety relies heavily on the fact that the safety loop is regularly activated and therefore exercised. What matters there is how many dangerous failures per hour the diagnostics let through, which is why the figure of merit is DC and not the proof test interval.

CONCLUSIONS:

The Proof Test is an off-line verification of a safety component at the end of which all dangerous undetected faults are normally revealed (full Proof Test; a partial Proof Test reveals only the declared fraction of them). It is used in Low Demand applications and it has to be performed far more often than the safety function is demanded (the 1998 edition of IEC 61508 defined Low Demand as a demand rate no greater than once per year and no greater than twice the proof test frequency). The reliability of a safety subsystem, expressed as its PFDavg, depends directly on the proof test interval, called TI: the longer the interval, the longer a dangerous undetected failure can stay hidden before it is revealed.

The Diagnostic Test is an automatic test, usually performed by the functional channel of the Safety System itself. For a single channel with diagnostic coverage (subsystem elements in series), the reliability of the safety system depends on DC according to the following formula (1oo1D, or Architecture C according to IEC 62061):
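As an added worked example (not part of the original post, and not taken from any safety manual), the following Python script puts numbers on the two conclusions: for a single channel it shows how PFDavg in Low Demand grows with the proof test interval TI and degrades further with a partial Proof Test, and how PFH in High Demand depends only on DC. The formulas are assumptions stated in the code: the simplified 1oo1 expression of IEC 61508-6 (λDD·MTTR + λDU·TI/2), the common extension for a partial Proof Test with coverage PTC in which the untested share of λDU accumulates over the mission time MT, and λD·(1−DC) for the 1oo1D / Architecture C PFH. Failure rates, DC, TI and SIL bands are constructed inputs.

```python
"""Worked example: proof test interval vs diagnostic coverage for a single
channel. Added example, not from the original page.

Assumed formulas (failure rates per hour):
- DC = lambda_DD / lambda_D                                (IEC 61508-4, 3.8.6)
- Low demand, 1oo1, simplified IEC 61508-6 form, extended for a partial
  proof test of coverage PTC (common approximation, stated as an assumption):
      PFDavg ~= lambda_DD*MTTR + PTC*lambda_DU*TI/2 + (1-PTC)*lambda_DU*MT/2
  The last term is the share of lambda_DU the proof test never reveals; it
  is only cleared when the component is replaced at mission end.
- High demand, 1oo1D / IEC 62061 architecture C:
      PFH = lambda_D * (1 - DC)
All numbers below are constructed, not taken from a real safety manual.
"""

HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # one failure in 10^9 hours


def diagnostic_coverage(lambda_dd, lambda_d):
    """DC: fraction of dangerous failures caught by on-line diagnostics."""
    if lambda_d <= 0 or not 0 <= lambda_dd <= lambda_d:
        raise ValueError("need lambda_D > 0 and 0 <= lambda_DD <= lambda_D")
    return lambda_dd / lambda_d


def pfd_avg_1oo1(lambda_d, dc, proof_test_interval_h, mttr_h=8.0,
                 proof_test_coverage=1.0, mission_time_h=20 * HOURS_PER_YEAR):
    """Low-demand PFDavg of a single channel (formula in module docstring)."""
    lambda_dd = lambda_d * dc
    lambda_du = lambda_d - lambda_dd
    detected = lambda_dd * mttr_h                      # repaired within MTTR
    tested = proof_test_coverage * lambda_du * proof_test_interval_h / 2
    untested = (1 - proof_test_coverage) * lambda_du * mission_time_h / 2
    return detected + tested + untested


def pfh_1oo1d(lambda_d, dc):
    """High-demand PFH of a single channel with diagnostics (architecture C)."""
    return lambda_d * (1 - dc)


def sil_from_pfd(pfd):
    """Low-demand SIL band (IEC 61508-1 table 2); 0 means below SIL 1."""
    bands = ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1))
    for lo, hi, sil in bands:
        if lo <= pfd < hi:
            return sil
    return 0


def sil_from_pfh(pfh):
    """High-demand SIL band (IEC 61508-1 table 3); 0 means below SIL 1."""
    bands = ((1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1))
    for lo, hi, sil in bands:
        if lo <= pfh < hi:
            return sil
    return 0


if __name__ == "__main__":
    lambda_d = 1000 * FIT                          # constructed: 1e-6 /h dangerous
    dc = diagnostic_coverage(900 * FIT, lambda_d)  # constructed: DC = 0.9
    # Low demand: same component, full proof test, three proof test intervals.
    for years in (1, 2, 5):
        pfd = pfd_avg_1oo1(lambda_d, dc, years * HOURS_PER_YEAR)
        print(f"TI={years} y, full proof test: PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    # Same TI, but the manufacturer declares only a 60 % proof test coverage.
    pfd = pfd_avg_1oo1(lambda_d, dc, HOURS_PER_YEAR, proof_test_coverage=0.6)
    print(f"TI=1 y, partial (60%) proof test, MT=20 y: PFDavg={pfd:.2e} -> SIL {sil_from_pfd(pfd)}")
    # High demand: no proof test interval in the formula, only DC matters.
    for dc_hd in (0.9, 0.99):
        pfh = pfh_1oo1d(2 * lambda_d, dc_hd)
        print(f"High demand, DC={dc_hd}: PFH={pfh:.1e} -> SIL {sil_from_pfh(pfh)}")
```

With these constructed inputs the same transmitter sits in the SIL 3 PFDavg band with a yearly full Proof Test and drops to the SIL 2 band with a 5-year interval or with a 60% partial Proof Test, which is the practical reason the safety manual's proof test procedure and coverage cannot be skipped. In High Demand the interval does not appear at all; raising DC from 0.9 to 0.99 is what moves the PFH one band.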
