Safety: Understanding SIL, Cpt and PFDavg


When designing or verifying a safety instrumented function (SIF), it’s common to hear terms such as PFDavg (average probability of failure on demand), safety integrity level (SIL) and test interval. However, a factor that’s often misunderstood—or just overlooked—is proof test coverage (Cpt). Cpt is a critical element that directly impacts how effectively testing finds dangerous failures.

If a facility is working toward compliance with IEC 61511-1, understanding how Cpt works—and how to apply it—can make the difference between an overly optimistic SIL claim and a realistic, defensible safety case.

Cpt explanation

Proof test coverage (Cpt) is the fraction of dangerous undetected failures that a proof test is capable of finding. A Cpt of 1.0 (or 100%) means the test detects all dangerous undetected failures. A Cpt of 0.7 (or 70%) means the test finds only 70% of those failures. This is important because any dangerous failures that testing doesn’t catch will accumulate over time, increasing the average probability of failure on demand (PFDavg).

Cpt is often used alongside another key term: proof test interval (TI), which is how often the testing is done. However, a short test interval doesn't help much if the testing isn't catching what matters.
Also worth noting: Cpt is not the same thing as diagnostic coverage (DC). Although both relate to detecting failures, they're measured differently and come from different sources: DC describes the device's built-in automatic diagnostics, while Cpt describes the periodic proof test.

How Cpt affects PFDavg. The most common form of the PFDavg equation used in training is:

PFDavg ≈ (λDU × TI)/2   (Equation 1)

However, Equation 1 assumes the proof test reveals every dangerous undetected failure (Cpt = 1.0), which is rarely true. A more accurate form includes Cpt:

PFDavg ≈ (λDU × Cpt × TI)/2 + (λDU × (1 − Cpt) × LT)/2   (Equation 2)

Where:
λDU is the dangerous undetected failure rate (per hour)
Cpt is the proof test coverage, as a fraction
TI is the proof test interval
LT is the SIS lifetime (e.g., 15 or 20 years), in the same units as TI.

The two terms in Equation 2 represent different contributions to PFDavg. The first term covers the fraction Cpt of λDU that the proof test can reveal; those failures accumulate only until the next test, so they are averaged over TI. The second term covers the fraction (1 − Cpt) that no proof test reveals; those failures accumulate until the SIS is replaced or overhauled, so they are averaged over the lifetime LT.

In many training or spreadsheet tools, the second term is omitted if the lifetime is similar to the test interval. However, when the lifetime is significantly longer (e.g., TI = 1 year, LT = 15 years), ignoring it underestimates risk as shown in the following comparison.

λDU = 2E-6 per hour
TI = 1 year (8,760 hours)
LT = 15 years (131,400 hours)
Case A: Cpt = 0.55
Case B: Cpt = 0.95

Equation 1 (no coverage term): PFDavg ≈ (2E-6 × 8760)/2 = 8.76E-3 → RRF ≈ 114 (SIL 2)
Case A: PFDavg ≈ (2E-6 × 0.55 × 8760)/2 + (2E-6 × 0.45 × 131400)/2 = 4.82E-3 + 5.91E-2 = 6.39E-2 → RRF ≈ 16 (SIL 1)
Case B: PFDavg ≈ (2E-6 × 0.95 × 8760)/2 + (2E-6 × 0.05 × 131400)/2 = 8.32E-3 + 6.57E-3 = 1.49E-2 → RRF ≈ 67 (SIL 1)

(RRF = 1/PFDavg. For low-demand SIFs, SIL 1 covers PFDavg from 1E-2 to 1E-1 and SIL 2 covers 1E-3 to 1E-2.)

It is important to note what these numbers show. The textbook calculation that ignores coverage claims SIL 2; once coverage is accounted for, both cases fall in SIL 1, and the weaker test leaves the SIF more than four times worse than the stronger one. The optimistic SIL claim comes from assuming a perfect proof test, not from the hardware.

Even though both cases used the same failure rate, test interval and SIS lifetime, the lower test coverage in Case A let the lifetime term dominate: the failures the test cannot reveal account for over 90% of its PFDavg. That's a powerful reminder that increasing test frequency is not enough if the test itself isn't catching the right failure modes; shortening TI only shrinks the first term.

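The comparison above carried through in code, as an added example that is not from the article: it implements Equation 1 and the coverage-aware form, classifies the result into the IEC 61508/61511 low-demand SIL bands, reproduces Case A and Case B, and checks the claim that a weak proof test run more often does not buy what a stronger test run less often does. The monthly interval in the last comparison and the function names are assumptions for illustration.

```python
"""PFDavg with proof test coverage (Cpt): added worked example, not the article's code."""

HOURS_PER_YEAR = 8760.0

# Low-demand SIL bands from IEC 61508 / IEC 61511: lower PFDavg bound per SIL.
# SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
SIL_LOWER_BOUND = {1: 1e-2, 2: 1e-3, 3: 1e-4, 4: 1e-5}


def pfdavg_simple(lambda_du, ti_hours):
    """Equation 1: assumes the proof test reveals every dangerous undetected failure."""
    return lambda_du * ti_hours / 2.0


def pfdavg_with_coverage(lambda_du, cpt, ti_hours, lt_hours):
    """Coverage-aware PFDavg.

    The fraction Cpt of lambda_DU is revealed by the proof test and accumulates
    only until the next test (averaged over TI); the fraction (1 - Cpt) is never
    revealed and accumulates over the SIS lifetime (averaged over LT).
    """
    if not 0.0 <= cpt <= 1.0:
        raise ValueError("Cpt must be a fraction between 0 and 1")
    if lt_hours < ti_hours:
        raise ValueError("lifetime LT must be at least one test interval TI")
    revealed = lambda_du * cpt * ti_hours / 2.0
    unrevealed = lambda_du * (1.0 - cpt) * lt_hours / 2.0
    return revealed + unrevealed


def rrf(pfdavg):
    """Risk reduction factor."""
    return 1.0 / pfdavg


def sil_from_pfdavg(pfdavg):
    """Achieved SIL for a low-demand SIF; 0 means PFDavg is too high even for SIL 1."""
    if pfdavg >= 1e-1:
        return 0
    for sil in (1, 2, 3, 4):
        if pfdavg >= SIL_LOWER_BOUND[sil]:
            return sil
    return 4  # below the SIL 4 band; report as SIL 4


def article_cases(lambda_du=2e-6, ti_years=1.0, lt_years=15.0):
    """The article's inputs: Equation 1, Case A (Cpt = 0.55) and Case B (Cpt = 0.95)."""
    ti = ti_years * HOURS_PER_YEAR
    lt = lt_years * HOURS_PER_YEAR
    return {
        "equation_1": pfdavg_simple(lambda_du, ti),
        "case_a": pfdavg_with_coverage(lambda_du, 0.55, ti, lt),
        "case_b": pfdavg_with_coverage(lambda_du, 0.95, ti, lt),
    }


def weak_test_often_vs_strong_test_yearly(lambda_du=2e-6, lt_years=15.0):
    """Assumed comparison: the Cpt = 0.55 test run monthly versus the Cpt = 0.95
    test run once a year. Returns (weak_monthly, strong_annual)."""
    lt = lt_years * HOURS_PER_YEAR
    weak_monthly = pfdavg_with_coverage(lambda_du, 0.55, HOURS_PER_YEAR / 12.0, lt)
    strong_annual = pfdavg_with_coverage(lambda_du, 0.95, HOURS_PER_YEAR, lt)
    return weak_monthly, strong_annual


if __name__ == "__main__":
    for label, pfd in article_cases().items():
        print(f"{label:11s} PFDavg = {pfd:.2e}  RRF = {rrf(pfd):6.1f}  SIL {sil_from_pfdavg(pfd)}")
    weak, strong = weak_test_often_vs_strong_test_yearly()
    print(f"Cpt 0.55 monthly: {weak:.2e}   Cpt 0.95 yearly: {strong:.2e}")
```

Running it gives 8.76E-3 (SIL 2) for Equation 1 against 6.39E-2 and 1.49E-2 (both SIL 1) for Cases A and B, and shows the Cpt = 0.55 test run monthly (about 5.95E-2) still losing to the Cpt = 0.95 test run once a year, because the monthly test only shrinks the first term while the lifetime term is untouched.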

Determining a realistic Cpt

Vendors or safety books often quote generic Cpt ranges. Table 1 is a guideline to help determine a realistic Cpt.

Component               Typical Cpt   Notes
Pressure transmitter    85 to 95%     Depending on how it's tested
Logic solver            95 to 99%     High diagnostic coverage helps
Final element (valve)   50 to 95%     Depends greatly on stroke testing (partial vs. full)

Table 1: Guideline to help determine a realistic Cpt.

Cpt is influenced by three broad factors: the test method (partial stroke, full stroke, leak test, etc.); the equipment design (some valves are inherently testable); and human factors (procedures, training, consistency).

Determining Cpt

Determining Cpt depends on whether IEC 61508-certified equipment is used.

If using IEC 61508-certified equipment. If using components that are certified according to IEC 61508, determining Cpt is easier. Check the SIL certificate or safety manual. Most will include Cpt values based on failure modes, effects and diagnostic analysis (FMEDA). For example, a final element might claim 65% for partial-stroke testing, and 90% for full-stroke testing. The test procedure must match what was assumed in the FMEDA. This is particularly important with valves. Partial stroke tests might not catch failure modes that a full test would and the difference in Cpt can be dramatic.

Using non-61508 equipment (Route 2H or 2S). If the hardware isn't certified, obtain failure data and justify Cpt from prior use (this takes the Route 2H or 2S approach; the routes are confusing and will be discussed elsewhere):

  • Use industry databases such as the OREDA failure database.
  • Refer to books such as “Safety Instrumented Systems Verification: Practical Probabilistic Calculations,” by Goble and Cheddie.
  • Review ISA technical reports and peer-reviewed FMEDAs.
  • Document using engineering judgment and conservatism.

For example, a Cpt of 70% might be assigned to a test routine that checks for mechanical failure in a solenoid but can’t detect seat leakage. Be transparent about assumptions; auditors and assessors will ask.
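Assigning a Cpt like the 70% above, as an added example that is not from the article: given a failure-mode breakdown of a solenoid-operated shutdown valve and the activities a procedure actually performs, Cpt is the share of λDU that the procedure can reveal, and the modes it leaves uncovered are exactly what the documentation should list. The modes, per-mode λDU values and activity names here are constructed for illustration, not vendor FMEDA data.

```python
"""Deriving a proof test coverage (Cpt) from a failure-mode breakdown (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    lambda_du: float          # dangerous undetected rate for this mode, per hour
    revealed_by: frozenset    # proof test activities that reveal this mode


# Constructed illustrative breakdown for a solenoid-operated shutdown valve.
# The rates are hypothetical and sum to 2.0E-6/h; they are not FMEDA data.
VALVE_MODES = (
    FailureMode("solenoid fails to de-energise", 0.5e-6, frozenset({"partial_stroke", "full_stroke"})),
    FailureMode("actuator spring / stem stuck", 0.8e-6, frozenset({"partial_stroke", "full_stroke"})),
    FailureMode("valve fails to reach full closure", 0.3e-6, frozenset({"full_stroke"})),
    FailureMode("seat passing (internal leakage)", 0.3e-6, frozenset({"leak_test"})),
    FailureMode("undetectable by any proof test", 0.1e-6, frozenset()),
)

# Hypothetical procedures, described by the activities they actually perform.
PROCEDURES = {
    "partial stroke only": frozenset({"partial_stroke"}),
    "full stroke": frozenset({"full_stroke"}),
    "full stroke + leak test": frozenset({"full_stroke", "leak_test"}),
}


def proof_test_coverage(modes, activities):
    """Cpt = (lambda_DU of modes revealed by at least one performed activity) / (total lambda_DU)."""
    total = sum(m.lambda_du for m in modes)
    revealed = sum(m.lambda_du for m in modes if m.revealed_by & activities)
    return revealed / total


def uncovered_modes(modes, activities):
    """Dangerous modes the procedure leaves unrevealed: the list to put in the test documentation."""
    return [m.name for m in modes if not (m.revealed_by & activities)]


def coverage_table(modes=VALVE_MODES, procedures=PROCEDURES):
    """Cpt for each candidate procedure against the same failure-mode breakdown."""
    return {name: proof_test_coverage(modes, acts) for name, acts in procedures.items()}


if __name__ == "__main__":
    for name, acts in PROCEDURES.items():
        cpt = proof_test_coverage(VALVE_MODES, acts)
        print(f"{name:24s} Cpt = {cpt:.0%}  not revealed: {uncovered_modes(VALVE_MODES, acts)}")
```

With these constructed rates the partial stroke test scores 65%, the full stroke test 80% and the full stroke plus leak test 95%; none reaches 100%, because the breakdown carries a residual mode no proof test reveals. Changing the procedure changes the uncovered list, which is the audit trail the assessor will ask for.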

Common Cpt misunderstandings.

  • Cpt does not equal diagnostic coverage. Diagnostic coverage comes from built-in self-checks that run continuously; Cpt comes from the manual or automatic proof test procedure.
  • Don't assume 100%. Even a full-stroke test may not catch all dangerous failures, especially in actuators and valve internals.
  • Test frequency doesn't override poor Cpt. Doing a weak test more often doesn't give the same benefit as a strong test less frequently, because the failures the test cannot reveal are untouched no matter how often it runs.

Practical tips for beginners

  • If possible, use certified equipment; it saves work and improves defensibility.
  • For valves and final elements, be clear with the operations team. A test that’s easy to perform—such as partial stroke valve testing—often has lower coverage.
  • Document exactly what the test does and doesn’t detect.
  • For new designs, select devices that are easier to proof test.


Frequently asked questions

1. How do I figure out what Cpt to use in my SIFs?
Start with the equipment documentation. If certified, use the FMEDA. If not, use judgment, external databases and document everything.

2. Can I assume 100% Cpt if I fully test a valve via a full valve stroke test (FVST)?
Not quite. While FVST gets close, it might miss failure modes like sticking during partial actuation or internal bypass.

3. How is Cpt different from diagnostic coverage?
Cpt measures what the proof test can catch. Diagnostic coverage measures what the device's self-checks can catch.

4. Does increasing test frequency help more than increasing Cpt?
They both help, but increasing Cpt often gives more impact with fewer operational interruptions.

5. What’s the best way to improve Cpt without changing the system?
Upgrade the test method. Add leak testing, position feedback or combine manual and automated routines.

This feature originally appeared in the August/September issue of Automation.com Monthly.

About The Author


Mathew Merten is the owner and functional safety engineer at SIL Safe. This article was originally published in August 2025 and is part of a longer article on proof testing.  
