November 2009

Audits are the answer

By Dr. Bert Knegtering

These days, more and more discussions are popping up regarding the need for off-line proof testing of safety programmable logic controller (PLC) systems.

The primary reason for these discussions is that the first PLC systems that went into service to protect process installations have now been operating for more than two decades.

The concern of many is that the likelihood of certain components failing is increasing. At the same time, however, these systems have their own diagnostics. This means these systems continuously and automatically perform self-checks.

In the case of a physical component failure, the PLC system will automatically give an indication of that failure, and if needed, automatically take action.

However, reliable and safe operation of a safety PLC system does not depend only on the probability of a physical hardware failure. Quite often, it appears that over time all kinds of other problems sneak into the system, causing conditions that reduce the system's reliability and safety performance.

For example, sometimes a system is in maintenance override mode, but upon completion of the maintenance, no one removes the override. Another example is when there are failures in the design and implementation of systems.

This also raises the question of how the occurrence of a physical failure relates to malfunctioning of the system for other reasons. The general feeling in industry is that most systems fail for reasons other than physical failures.

Further, when the failure is not due to physical system failure, which party is responsible for the failure? Is it the supplier or the user?

It depends. Problems typically observed during the first year mainly relate to wrong implementation or design failures, and one can assign such occurrences to the supplier or the system integrator. Conversely, problems resulting in the malfunctioning of the system after many years (e.g. 10 years) most often rest with the user.

Today, many companies perform calculations to determine the Probability of Failure on Demand (PFD) for safety instrumented systems, including the safety-PLC system.

Based on the required Safety Integrity Level, the maximum time between off-line proof testing is calculated. This is the off-line proof test interval.
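A worked illustration of that calculation, added here and not part of the article: it applies the simplified IEC 61508-6 low-demand formula for a single (1oo1) channel, PFDavg ≈ λDU·T/2, to find the proof test interval at which the PFDavg would leave the required SIL band. The dangerous-undetected failure rate is a constructed value, and the formula ignores repair time and common-cause factors.

```python
"""Added example (not from the article): proof test interval from a required SIL.

Simplified IEC 61508-6 relation for one channel in low-demand mode:
    PFDavg ~= lambda_DU * T / 2
Only dangerous *undetected* failures count, because detected failures are
revealed by the PLC's own on-line diagnostics, as the article describes.
Systematic problems (e.g. a maintenance override nobody removed) are not in
lambda_DU at all, which is exactly why a system audit is needed alongside
this calculation.
"""
from typing import Optional

# PFDavg bands for low-demand mode as defined in IEC 61508 (low inclusive,
# high exclusive), with the matching Risk Reduction Factor = 1 / PFDavg.
SIL_PFD_BANDS = {
    1: (1e-2, 1e-1),
    2: (1e-3, 1e-2),
    3: (1e-4, 1e-3),
    4: (1e-5, 1e-4),
}
HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """Average probability of failure on demand for a 1oo1 channel."""
    return lambda_du_per_hour * test_interval_hours / 2.0


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL whose band contains pfd; None if worse than SIL 1 or better than SIL 4."""
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def proof_test_interval_limit_hours(lambda_du_per_hour: float, required_sil: int) -> float:
    """T at which PFDavg reaches the upper limit of the required SIL band.

    The actual off-line proof test interval must be shorter than this value,
    since at exactly this T the PFDavg falls into the next-worse SIL band."""
    upper_pfd = SIL_PFD_BANDS[required_sil][1]
    return 2.0 * upper_pfd / lambda_du_per_hour


def risk_reduction_factor(pfd: float) -> float:
    """RRF is the reciprocal of PFDavg."""
    return 1.0 / pfd


if __name__ == "__main__":
    lambda_du = 1e-6  # constructed: one dangerous undetected failure per 1e6 h
    for sil in (1, 2, 3):
        limit = proof_test_interval_limit_hours(lambda_du, sil)
        print(f"SIL {sil}: proof test interval must stay below {limit / HOURS_PER_YEAR:.1f} years")
```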

How should this test proceed? The main concern should not be physical hardware failures but much more the other category of problems. It is for this reason that users of safety PLC systems should, after a certain number of years, spend their efforts on a system audit.

System specialists should, in this case, inspect the system for anomalies and judge whether it is still in good condition. A system audit will yield information on whether the system is still operating safely and reliably, and, very importantly, whether one can expect it to continue to operate safely and reliably in the coming years.

This is how we can address doubts about our oldest safety PLC systems.


Dr. Bert Knegtering is a senior consultant for industrial process safety and works in The Netherlands.


PLC: Programmable Logic Controller is a control device designed specifically for industrial machines that perform logical operations compatible with traditional relay logic.

Safety PLC: a PLC specifically designed to be reliable through redundancy. It could be used for safety reasons or to minimize the commercial impact of a serious failure.

IEC 61508: an international standard titled Functional safety of electrical/electronic/programmable electronic safety-related systems.

PFD: The Probability of Failure on Demand and RRF (Risk Reduction Factor) for different SILs (Safety Integrity Level) as defined in IEC 61508 are as follows: