
Memberships

Functional Safety Play Book

128 members • Free

3 contributions to Functional Safety Play Book
Proof test coverage
Something that always makes me pause when reviewing designs… Proof test coverage that somehow always ends up being 100% effective. On paper it looks great. The numbers work nicely. The SIL calculation passes comfortably. But in the real world I always find myself thinking: Can we really detect every dangerous failure with that test? In my experience, this is a major cause of rework. If the design progresses to the point where commissioning documents are written and then an FSA or design review reveals overly optimistic proof test coverage, it's a lot of work to correct. Anyone else experiencing this?
1 like • 2d
Yes, agree. This is work in progress, as the tendency is to assume 100%. Consideration should be made during proof test procedure development: "What failure mode does the proof test reveal and, more importantly, what is not revealed?" In respect of valve coverage, "mission time" and "manufacturer recommendation" become relevant (although 'Midas' testing for let-by can be used); these require that the valve be overhauled AND recertified (clock reset).
0 likes • 1d
@Robert Petchey All good comments, and the realisation that 100% also implies that you know 100% of the failure modes. This can bite hard when future failures catch you by surprise. I note from the DCS/automation world that the process designer is including proof testing within software, taking the maintenance team and human error out of the loop?? The trap is that human error has moved from the maintenance team to the design team!!
Mission Time
Hi all, thanks for accepting. First of all, I am new to functional safety, and sorry for my bad English 😊. Actually I have some doubts about one of the variables in the PFDavg calculation, namely mission time. A couple of questions to all:
1. What will happen at the end of the mission time? Should the end user decommission the plant, or just replace everything so that the mission time restarts?
2. If it depends on the end user, then on what considerations do they usually determine the correct mission time, and what is the reasoning behind that?
3. Since PFDavg degrades over time and the SIL claimed may decrease over time, shouldn't the end user set the mission time before the SIL/RRF drops below the rating it should be?
Hope you guys can share your knowledge. Thanks,
0 likes • 2d
@Noah Tibasiima Agree; as Richard said, my previous comments on proof test coverage are relevant. Your point on the outage program is commercially important: combining mission time requirements with major outages is critical to the business.
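A worked calculation added here to illustrate both threads above (it is an added example, not any poster's own work): a simplified 1oo1 PFDavg model in which only the proof-tested fraction of dangerous undetected failures is reset at each test interval, while the untested remainder accumulates over the whole mission time. The failure rate, test interval and mission time are constructed sample values, and the formula is the common ISA-TR84.00.02-style approximation, assumed here rather than taken from the page.

```python
from math import inf

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands from IEC 61508: (SIL, lower bound, exclusive upper bound).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def pfd_avg(lambda_du: float, ti_h: float, mission_h: float, ptc: float) -> float:
    """Simplified 1oo1 PFDavg with imperfect proof test coverage.

    lambda_du : dangerous undetected failure rate (per hour)
    ti_h      : proof test interval (hours)
    mission_h : mission time (hours)
    ptc       : proof test coverage, 0..1

    Assumed ISA-TR84.00.02-style approximation (not from the page): the
    fraction PTC of dangerous undetected failures is revealed at each proof
    test and so accumulates only over TI; the remaining (1 - PTC) is never
    revealed and accumulates over the full mission time.
    """
    if not 0.0 <= ptc <= 1.0:
        raise ValueError("proof test coverage must be between 0 and 1")
    tested = ptc * lambda_du * ti_h / 2.0
    untested = (1.0 - ptc) * lambda_du * mission_h / 2.0
    return tested + untested


def sil_level(pfd: float) -> int:
    """Return the low-demand SIL band for a PFDavg (0 means below SIL 1)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def max_mission_h(lambda_du: float, ti_h: float, ptc: float, pfd_limit: float) -> float:
    """Longest mission time (hours) that keeps PFDavg below pfd_limit.

    Returns inf when PTC is 100% (mission time then has no effect) and 0.0
    when the tested term alone already exceeds the limit.
    """
    tested = ptc * lambda_du * ti_h / 2.0
    if tested >= pfd_limit:
        return 0.0
    if ptc >= 1.0:
        return inf
    return 2.0 * (pfd_limit - tested) / ((1.0 - ptc) * lambda_du)


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 5e-7 /h, annual proof test, 20-year mission.
    lam, ti, mt = 5e-7, HOURS_PER_YEAR, 20 * HOURS_PER_YEAR
    for ptc in (1.0, 0.9, 0.7):
        pfd = pfd_avg(lam, ti, mt, ptc)
        print(f"PTC={ptc:.0%}: PFDavg={pfd:.2e} RRF={1/pfd:.0f} -> SIL {sil_level(pfd)}")
    print(f"Max mission for SIL 2 at 70% PTC: {max_mission_h(lam, ti, 0.7, 1e-2)/HOURS_PER_YEAR:.1f} years")
```

With 100% coverage the sample loop sits in SIL 2, but at 70% coverage the untested term dominates and the same loop drops to SIL 1 after roughly 13 years, which is the mission-time cut-off the third question above asks about.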
Fascinating F S
Hi everyone it will be great to share experiences, interpretations and understanding of functional safety.
Chris Hastings
@chris-hastings-1821
Power generation digital control and functional safety expert

Joined Jan 8, 2026