
SIS Proof Testing and Partial-Stroke Valve Testing

Jose Campins · 10 min read

Introduction

A safety instrumented function (SIF) is a dormant system. It sits between a sensor, a logic solver, and a final element — usually a shutdown valve — and does nothing at all until a hazardous demand arrives. Its entire value is realised in the seconds when it acts on that demand. The uncomfortable question is: on the day of the demand, how do you know it still works?

The answer is proof testing — the periodic, deliberate exercise of a SIF to reveal the dangerous failures that have accumulated silently since the last test. Proof testing is not a maintenance nicety; it is the mechanism that turns a claimed SIL rating into a delivered one. Get the test scope and interval right and the function keeps the integrity the LOPA credited it with. Let them slip and the achieved SIL quietly falls below the target, often with no visible symptom until the demand it fails to answer.

PFDavg and Why Testing Matters

For a low-demand SIF, integrity is measured by the average probability of failure on demand (PFDavg) — the fraction of time the function is, unknowingly, unable to respond. The SIL bands are defined directly on it:

SIL   PFDavg range      Risk reduction factor
1     0.1 – 0.01        10 – 100
2     0.01 – 0.001      100 – 1,000
3     0.001 – 0.0001    1,000 – 10,000

For a simple single-channel (1oo1) architecture, the dominant term in PFDavg is startlingly simple:

PFDavg ≈ (λDU × TI) / 2

Where λDU is the rate of dangerous undetected failures and TI is the proof test interval. The message of that equation is the whole point of this post: the test interval is a direct multiplier on the failure probability. Halving the interval halves the PFDavg. Doubling it doubles it. The hardware sets λDU; the test regime sets TI — and the two together, not the hardware alone, decide which SIL band the function actually lands in.

Dangerous undetected is the key phrase. Automatic diagnostics catch the detected failures continuously. Everything the diagnostics cannot see stays hidden until the proof test finds it — which is why the proof test's reach into those undetected failures is the number that matters.

Proof Test Coverage

A proof test is rarely perfect. The fraction of dangerous undetected failures a given test actually reveals is its proof test coverage (Cpt). Whatever the test misses accumulates unrevealed across every interval, all the way to the point where the equipment is stripped down at a major turnaround.

The PFDavg equation with imperfect coverage splits into two terms — the part the periodic test catches, and the residual part that only a full overhaul reveals:

PFDavg ≈ (Cpt × λDU × TI/2) + ((1 − Cpt) × λDU × TL/2)

Where TL is the much longer interval to full teardown/overhaul. A test with 70% coverage leaves 30% of dangerous failures riding on the multi-year lifetime term — and that residual can dominate the PFDavg no matter how often the partial test is run.

This is why a good proof test procedure is written to maximise coverage, not merely to tick a box:

  • Test the full loop, sensor to final element, not the logic solver in isolation.
  • Use a real process stimulus where possible — apply an actual pressure to the transmitter, not a simulated 4–20 mA signal that bypasses the sensing element.
  • Physically confirm the final element travels to its safe position and achieves tight shutoff — the valve moving is the whole point of the function.
  • Verify the trip setpoint and response time, not just that something eventually happened.

A test that jumpers the transmitter and watches the logic solver trip proves the logic and proves nothing about the sensor or the valve — the two elements most likely to have failed dangerously.

Partial-Stroke Testing

The hardest element to prove is the final valve, because a full closure usually means a process shutdown. Operators are therefore tempted to stretch the valve's test interval — which, per the PFDavg equation, directly erodes the SIL. Partial-stroke testing (PST) breaks that trade-off.

A partial stroke drives the shutdown valve a small way closed — typically 10–20% of travel — and returns it, without interrupting production. It cannot prove tight shutoff, but it does prove the valve is not seized — and a stuck valve is the single largest contributor to λDU for most final elements.

The value of PST is that it converts a slice of the valve's dangerous undetected failures into detected ones, shrinking the λDU term that the long full-stroke interval has to carry:

  • Typical PST coverage of valve DU failures: 60–70% (seizure, sticking, actuator/spring degradation).
  • What PST cannot cover: tight-shutoff / seat-leakage failures — only a full stroke to the seat proves those.
  • Effect: PST lets the full-stroke interval be extended (often to a turnaround) while holding PFDavg, because the frequent partial tests keep the dominant seizure failures revealed.

PST is implemented either with a smart digital valve positioner that runs the test and trends the signature, or with a mechanical stop / solenoid arrangement. The positioner's stroke signature is a bonus diagnostic — a slow or high-friction curve flags a degrading valve long before it seizes.

Test Intervals and the SIL Trade-off

Setting the interval is the core engineering judgement. The interval that satisfies the target PFDavg is calculated, but the practical constraints pull against it:

  • Shorter interval → lower PFDavg, but more production interruptions, more test-induced wear, and more chances of leaving the loop in an unsafe or bypassed state after testing.
  • Longer interval → higher PFDavg, eventually pushing the function below its target SIL band.
  • Aligning to turnaround cycles is operationally attractive but only valid if the calculated PFDavg still meets target at that interval — the arithmetic decides, not the maintenance calendar.

The layered strategy that most facilities converge on:

  1. Continuous automatic diagnostics catch detected failures in real time.
  2. Partial-stroke tests (say quarterly to annually) catch valve seizure without a shutdown.
  3. Full proof tests (aligned to a shutdown, often every 1–3 years) catch the residual, including tight shutoff.
  4. Overhaul at major turnaround catches whatever the proof test coverage misses.

Each layer targets a different slice of λDU. Remove any one and the slice it covered reverts to the longest interval above it — which is exactly how a well-designed SIF quietly degrades below its SIL when a test regime is "optimised" without redoing the calculation.

Writing a Good Proof Test Procedure

The calculation assumes a test that is actually performed as credited. The procedure is where that assumption is kept honest:

  • State the coverage the SIL calculation assumed — the technician must know the test is protecting a specific PFDavg, not performing a routine.
  • Test end-to-end and record the as-found condition before any adjustment — an as-found failure is the data that validates (or refutes) the assumed λDU.
  • Include tight-shutoff verification for valves whose SIF credits it (e.g. seat leakage measured against ISO 5208 / API 598 class).
  • Manage the bypass — document how the function is inhibited during test, who authorises it, and the hard requirement to restore and prove it afterwards. A SIF left in bypass after a test is a 100% PFD — the worst failure mode there is.
  • Feed as-found failures back into the reliability data. If proof tests keep finding dangerous failures, the real λDU is higher than assumed and the interval must shorten.

The procedure and the PFDavg calculation are a matched pair. A calculation that assumes 90% coverage and a procedure that only jumpers the transmitter are not describing the same safety function.

A Worked Example

Scenario: A 1oo1 high-pressure shutdown SIF — pressure transmitter, logic solver, single shutdown valve. Target SIL 2 (PFDavg < 0.01). Dominant term is the valve, with λDU = 3 × 10⁻⁶ per hour.

Full-stroke test only, annual interval (TI = 8,760 h):

PFDavg (valve) ≈ (λDU × TI) / 2
              = (3 × 10⁻⁶ × 8,760) / 2
              = 0.0131

That is 0.0131 — outside the SIL 2 band. Adding the transmitter and logic solver contributions only makes it worse. The function as tested does not meet target.

Add partial-stroke testing (quarterly, 65% coverage of valve DU failures), keeping the full-stroke test annual for the tight-shutoff residual. The PST converts 65% of the valve's DU failures to a quarterly revealed interval; only the remaining 35% rides the annual term:

PFDavg (valve) ≈ (0.65 × λDU × TI_pst/2) + (0.35 × λDU × TI_full/2)
               with TI_pst = 2,190 h and TI_full = 8,760 h
               = (0.65 × 3 × 10⁻⁶ × 1,095) + (0.35 × 3 × 10⁻⁶ × 4,380)
               = 0.00214 + 0.00460
               = 0.0067

Result: PFDavg drops from 0.0131 to 0.0067 — inside SIL 2 — with no change to the hardware and no extra production shutdowns. The partial-stroke regime, not a more expensive valve, is what delivered the SIL. This is the practical lesson: for final elements, the test strategy is a design variable on equal footing with the equipment selection.
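The two-term coverage equation and the worked example above, carried through in Python as an added example (not the author's code). It generalises the equation to any number of test layers, each revealing a fraction of the dangerous undetected failures the more frequent layers left behind; the failure rate, intervals and coverage values are the post's, and the SIL band lookup uses the post's table.

```python
HOURS_PER_YEAR = 8760

# SIL bands from the post's table: lower <= PFDavg < upper
SIL_BANDS = {1: (1e-1, 1e-2), 2: (1e-2, 1e-3), 3: (1e-3, 1e-4)}


def sil_band(pfd_avg):
    """Return the SIL band a PFDavg lands in, or None if outside the table."""
    for sil, (upper, lower) in SIL_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return None


def pfd_avg_layered(lambda_du, layers):
    """Generalised form of the two-term coverage equation.

    layers: list of (coverage, interval_h), most frequent test first.
    Each layer reveals its coverage fraction of the dangerous undetected
    failures that the more frequent layers left unrevealed, and that slice
    contributes slice * lambda_DU * interval / 2 to PFDavg.
    The last layer must have coverage 1.0 (the full overhaul at TL), so
    that every failure is credited to some interval.
    """
    pfd = 0.0
    unrevealed = 1.0  # fraction of lambda_DU not yet caught by any layer
    for coverage, interval_h in layers:
        revealed_here = unrevealed * coverage
        pfd += revealed_here * lambda_du * interval_h / 2
        unrevealed -= revealed_here
    if unrevealed > 1e-12:
        raise ValueError("last layer must reveal all remaining DU failures")
    return pfd


def valve_example():
    """The post's worked example: lambda_DU = 3e-6 /h. Case 1: annual full
    stroke only. Case 2: quarterly PST at 65% coverage plus the annual
    full stroke, which still reveals the 35% residual (tight shutoff)."""
    lambda_du = 3e-6
    annual_only = pfd_avg_layered(lambda_du, [(1.0, HOURS_PER_YEAR)])
    with_pst = pfd_avg_layered(lambda_du, [(0.65, HOURS_PER_YEAR / 4),
                                          (1.0, HOURS_PER_YEAR)])
    return annual_only, with_pst


if __name__ == "__main__":
    before, after = valve_example()
    print(f"annual full stroke only: PFDavg = {before:.4f} -> SIL {sil_band(before)}")
    print(f"quarterly PST + annual:  PFDavg = {after:.4f} -> SIL {sil_band(after)}")
```

The same function takes the four-layer strategy of the previous section directly, for example PST, then a full proof test with its assumed Cpt, then the overhaul at TL with coverage 1.0.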

Common Pitfalls

  • Extending the test interval without redoing the PFDavg. The interval is a direct multiplier on failure probability. "Aligning to the turnaround" is only valid if the arithmetic still meets target.
  • Testing the logic solver, not the loop. Jumpering the transmitter and watching the trip proves the least likely element to fail. Stimulate the real sensor and confirm the real valve moves.
  • Claiming full coverage from a partial test. PST does not prove tight shutoff. If the SIF credits seat-tight closure, only a full stroke to the seat counts for that portion.
  • Leaving the SIF in bypass. The one failure that dwarfs every calculation. Restoring and proving the function after test is not optional.
  • Ignoring as-found data. Proof tests are also a measurement of the real λDU. Repeated as-found failures mean the interval is too long — act on the data, do not just reset the clock.
  • Buying integrity in hardware that testing could deliver. Before specifying a redundant valve, check whether partial-stroke testing closes the gap. It often does, at a fraction of the cost.

Conclusion

A safety instrumented function is only as good as the last time it was proven to work. The hardware sets the failure rate; the test regime sets the SIL you actually achieve — and the PFDavg equation makes that dependence exact, not rhetorical. Proof test coverage and interval are engineering variables to be calculated and defended, on the same footing as the sensor and the valve.

Partial-stroke testing is the lever that reconciles integrity with production: it keeps the dominant valve-seizure failures revealed without a shutdown, often delivering a SIL that the raw hardware alone would miss. Design the test strategy with the same rigour as the loop, keep the procedure and the calculation matched, and the SIF will answer the one demand that matters. Neglect the testing and the safety case erodes silently — until the day it is needed and is found, too late, to have been in bypass or seized shut.


About the Author

Jose Campins

Principal Consultant — Process Engineering · 20+ years

20 years of upstream process engineering across FPSO topsides, MOPUs, and modular early production facilities in Southeast Asia, the Middle East, and West Africa. His primary disciplines are FEED studies, process simulation, and detailed design.