requirements, processes, and documentation€¦ · · 2015-02-18requirements, processes, and...

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900E

PUBLIC INFORMATION

T85-Safety Verification and ValidationRequirements, Processes, and Documentation

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION

Agenda

2

Example V&V Plan / Documentation

The verification and validation process

What are verification and validation?

Why do validation?

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.PUBLIC INFORMATION 3

The Safety Life Cycle

STEP 5MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1RISK OR HAZARD ASSESSMENT

STEP 4SAFETY SYSTEM INSTALLATION &VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2SAFETY SYSTEMFUNCTIONALREQUIREMENTS

Safety Life Cycle


… machine had a plastic

guard… to prevent the

entry of any fingers…

… Employee #1 opened the

plastic guard to knock the

piece of chicken aside with

his fingers…

… fingers got caught in the

rotating blades…

sustained an amputation

… cover has an

interlock to stop the

machine…


How is this Possible?

Assume a risk assessment was performed:

Frequent exposure, Serious Injury, Not Likely to Avoid

Proper safeguard selection (interlocking guard)

Proper circuit design (reliability matches level of risk)

What was missed?

6

Didn’t we do the right things?

… a later test indicated… it

took a little over two seconds

for the machine to stop


Why do we do validation?

7

Does it work?the way I designed it work?


Agenda

8

Best Practices




Why do validation?


Validation: confirmation by

examination (e.g. tests, analysis)

that the SRECS meets the

functional safety requirements of

the specific application

Verification: confirmation by


that the SRECS, its subsystems or

subsystem elements meet the

requirements set by the relevant

specification

Validation: confirmation by


that the SRECS meets the

functional safety requirements of

the specific application

Verification: confirmation by


that the SRECS, its subsystems or

subsystem elements meet the

requirements set by the relevant

specification


9

The system and individual components

Check that each component and output of each step meets the necessary requirements

The overall system

Check that the system will meet the

demands of the application


How do we know it can meet the demands of the application?

STEP 5MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1RISK OR HAZARD ASSESSMENT

STEP 4SAFETY SYSTEM INSTALLATION &VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2SAFETY SYSTEMFUNCTIONALREQUIREMENTS

Safety Life Cycle?


What is a Safety Function?

11

A safety function is a control function that affects safety

Behaves like any other control function, but with higher integrity

Like any control function, has Input, Logic, Output subsystems

“High integrity” implies certain things aside from “safety rated”

Source of hazardous energy directly controlled (not removing an

enable signal)

Circuit performance maintained through I, L, O subsystems

I L O


What is a Safety Function?

12

Safety function protects persons from a specific hazard

In our example, guard is locked until the hazard stops

Safety functions can be described with multipart requirements. In our

example:

The blades cannot start turning until the operator is clear

The operator can not open the cover while the blades are moving

Closing the cover will not restart the blades

The circuit that issues the stop command is required to meet the

requirements of PLd / Cat 3 / Control Reliable


Specifying Safety Functions

What is the triggering event?

What is the reaction?

What is the safe state?

What is the behaviour of the system in the presence of faults?

How does normal operation resume?

Standards to meet? Required circuit performance? Other

considerations?

A stop or “request to enter” command

Contactors (name? size?) opened, energy to motor (name?) removed

Electrical energy removed, motor at rest, cover unlocked

Faults (which ones?) detected before / on demand, energy removed

On reset, cover locks, energy restored, motion does not resume

Shall be designed and constructed to meet requirements of ISO

13849-1 PLd, Safe distance according to ISO 13855, etc…



Access to rotating tenderizer blades is prevented by using an interlocked

guard door (GD_01) with guard locking. Once power has been removed

from the Blade Motor (1HP, 8A, 230VAC), the guard door will remain

closed and locked for a minimum of 3 seconds to confirm the hazardous

motion is stopped. At such time, the operator is allowed to unlock the door

by applying power to the guard lock. While the door is open, it is monitored

to confirm no unexpected start-up can occur. Upon closing of the door,

hazardous motion and power to the motor will not resume until a

secondary action (start button depressed) occurs. Faults at the door

interlock switch, wiring terminals or safety controller will be detected before

the next safety demand. The safety function will meet the requirements for

Category 4, Performance Level “e” (Cat 4, PLe), per ISO 13849-1. Or the

definition of Control Reliable per ANSI B11.



http://marketing.rockwellautomation.com/safety/en/index




Specifying Safety Function

Safety Functions can be generalized for reuse

Two different interlocking guards on two different machines operate in

a similar fashion

Basis for many corporate standards

Some Common Safety Functions include:

17

E-stop Light Curtains – muting Light Curtains – non muting Two hand control Enabling Switch Guard-locking Tongue switch interlock

Safety Camera Area Scanner (Single & Multi) Pull-cord Hinge switch interlock Non contact interlock Safe Speed Control Safe Stop


Rockwell Safety Functions Library

18

http://marketing.rockwellautomation.com/safety/en/safety_functions

http://marketing.rockwellautomation.com/safety/en/safety_functions


Specifying Safety Function

Generalized Functional Specification

19


Standards and V&V: ISO 13849

“Shall demonstrate that

each SRP/CS…” –

performed for ALL safety

functions

Use analysis and testing

“shall include testing

under fault conditions” for

Categories 2-4

20


Standards and V&V: IEC 62061

“Each SRCF… shall be

validated” – performed for

all safety functions

“shall be validated by test

and/or analysis”

“fault insertion testing

shall be performed where

the required safe failure

fraction > 90 %.”

21



Verification: confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification

Is my design CAPABLE of meeting the required performance level (PLr)?

Do each of my software modules perform as expected?

Can the relay and the valve work together?

More theoretical in nature

More about the DESIGN

Confirm the process step

Validation: confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application

Does my circuit perform as expected?

Did the system software shut off all the hazards in all modes?

What happens when I short E-stop channel A to ground?

More practical in nature

More about the PERFORMANCE

Confirm the entire process

22


Agenda

23

Best Practices




Why do validation?


Make a plan - 13849

Spelled out in the standards

Step by step plan that needs to

include:

What specs do I need to meet?

Test conditions: operational and

environmental

What analyses and tests will I

use?

What test standards will I use?

Who will perform each step?

24


Make a plan - 62061

Verification plan:

When the verification shall take place;

Who shall carry out the verification;

What strategies and techniques;

What is success? - acceptance criteria

Pass fail? evaluation of verification results.

Validation plan:

When the validation shall take place;

Modes of operation of the machine – Don’t forget!

What is the standard? Specs…

HOW? technical strategy / analytical methods / statistical tests

What is success? acceptance criteria

Then what? Actions to be taken in the event of failure to meet the acceptance criteria.

25


Make a Plan

Questions your plan should answer:

What documentation and data do I need?

Specification

Machine Limits / Stop Times

What equipment and tools do I need?

Software?

Who do I need to conduct and help with the validation?

How will I test the control system?

Subsystem / device testing

Commissioning / normal operation

Confirmation / ABNORMAL operation

26


Who oversees validation?

"Should" be persons independent of the

design.

Assessor ?

independent person?

independent department?

independent organization?

27


Verification

Ongoing and occurs at each step of the process:

Assessment / Functional Specification:

Have I chosen the correct safeguard?

Are there incentives to defeat?

Design:

Can the components I select withstand the demands of the application?

Have I chosen the correct structure, reliability, and diagnostic tests?

Installation:

Is the guard mounted far enough from the hazard?

Does my wiring meet NFPA 79 / IEC 60204?


Validation – Subsystem / device

For simple systems:

Does each input register?

Does each output actuate?

For complex systems:

Networks

I/O

Software Configuration

Hardware

HMI

Alarms / troubleshooting feedback points per device

Interlock conditions for troubleshooting safety functions


Validation – Commissioning / normal ops

*Prerequisite - Subsystem checkout complete, machine is “Ready to Run”

USE THE SPECIFICATION!!!

Safety system split into zones and functions - For EACH SAFETY

FUNCTION and EACH ZONE:

Test normal operation and Commission all safety functions:

Estop

Interlocking guards, guardlocking

Energy Isolation & Energy Control

Test interlocks and permissives for each safety function

Interlocking guards, guardlocking

Energy Isolation & Energy Control


Commissioning: Normal operation

“Normal Operation” <> “Normal Thought Process”

If you were operating the machine, how would you do it?

Resets?

Attempt normal reset with safety system interlocks

Attempt normal reset with energy control and isolation system

interlocks

Reset allowed with guard door open?

Reset allowed with ESTOP actuated?

Reset allowed with any other safety interlocks?

Reset held down?

How far can I open the guard door before it stops?

Performing events out of sequence is NOT fault injection


Validation – Abnormal operation

*Prerequisite – commissioning / normal operation complete

Frequently missed!

USE THE SPECIFICATION!!!

Any circuit must have the performance requirement specified

What are the requirements? Fault tolerance? Diagnostics?

How far do I go?

Which faults should I consider?

Inject every fault on every device?

What about identical designs?

High risk vs low risk systems?


Validation – Abnormal operation

Typical Abnormal Conditions Considered:

Safety I/O communication loss

Safety I/O input / output status fault

Safety Controller communication loss

Switch safety controller to program mode (fault recovery)

Safety device faults

inconsistent inputs

cycle inputs required

feedback failure fault

Power loss and restoration


IEC 61508-1:

7.16.2.3 An impact analysis shall be carried out that shall include an

assessment of the impact of the proposed modification or retrofit activity on

the functional safety of any E/E/PE safety-related system. The assessment

shall include a hazard and risk analysis sufficient to determine the breadth

and depth to which subsequent overall, E/E/PE system or software safety

lifecycle phases will need to be undertaken. The assessment shall also

consider the impact of other concurrent modification or retrofit activities,

and shall also consider the functional safety both during and after the

modification and retrofit activities have taken place.

34

Validation – What if something changes?

34


Documentation – What Do I Need to Produce?

Analysis and testing “shall be recorded”

Validation of each safety function recorded

Process for each safety function recorded

Cross-reference to previous validation records

If something does NOT meet the acceptance criteria:

Which element failed?

Why did it fail?

What will we do about it?

For any safety-related part which has failed an element of the

validation process, the validation record

Documentation of re-validation after modification

36


Agenda

37

Best Practices




Why do validation?


How to get started?

39


Verification activities:

40

IEC 60947-5


Step 1 – V&V Introduction and Basic Validation Information

Guardmaster Safety Relay Validation - Example

Introduction

This document defines the verification and validation test procedures to be performed on a Guardmaster Safety Relay (GSR) system. The safety system

consists of series wired E-Stop pushbsuttons wire to a 440R-D22R2 safety relay which actuates tow safety contactors. The purpose of this validation plan

is to verify the operational and diagnostic features of the Guardmaster Safety Relay application under normal and abnormal operating conditions. This

document will also serve as a record of the safety system performance during testing.

Basic Validation Data

Machine Name/Model Number

Machine Serial Number

Customer Name

Test Date

Tester Name(s)

Schematic Drawing Number

Guardmaster Safety Relay

Model


Step 2 – V&V Methodology and Wiring Verification

Methodology

This Guardmaster Safety Relay System validation procedure consists of three phases of testing. The phases must be completed in the order listed below.

1. Safety Wiring and Configuration Checkout

2. Normal Functional Operation

3. Abnormal Functional Operation

Safety Wiring Verification

Safety Wiring Verification tests that the safety relay wiring and rotary switch settings are correct and properly documented.


Step 3 – V&V Run Verification

Establish Machine Run Condition

Test Step Verification Pass/Fail Changes/Modifications

Purpose Verify the safety relay wiring and rotary switch settings

1 Visually verify the E-Stop pushbutton wiring follows the wiring diagram.

2 Visually verify the contactor wiring follows the wiring diagram.

3 Verify the logic configuration steps were followed per the Installation Manual.

3 Visually verify that the rotary switch is set to Position 2 {(IN1 & IN2) OR L12}

Normal Operation Verification

Normal Operation Verification tests that the safety system responds properly during normal operation and will verify the following:

Initiation of a Start Command from a pushbutton or HMI will cause the safety contactors to close only if: No safety relay faults are present and all E-Stop buttons are released.

If an E-Stop button is pressed, the safety relay will de-energize the contactors.

Safety relay faults are cleared by the Fault Reset pushbutton.

Establish Machine Run Condition


Purpose Verify that the Machine can be placed into a run condition.

1 Machine Stopped Condition - All contactors are opened and all relay LEDs are green

2 Release all E-Stop buttons

3 Press the “Reset” pushbutton.

4 Initiate a Start command (pushbutton or HMI)

5 Verify that all safety contactors close.


Step 4 – V&V Safe E-stop Condition Verification

Establish Machine Safe Condition (E-Stop)


PurposeVerify that the machine will enter a safe condition (all safety contactors opened) after

an E-Stop pushbutton is depressed.

1 Machine Run Condition - All contactors are closed.

2 Depress the E-stop pushbutton.

3 Verify that all safety contactors open.

4 Verify that the Safety Relay LEDs indicate which channel is open.

5 Release the E-stop pushbutton from Step #1.

6 Press the "Reset" pushbutton and initiate a Start command.

7 Verify the Machine Run Condition is re-established.

8 Repeat steps 1 through 6 for all E-stop pushbuttons on the machine.


Step 5 – V&V Abnormal Operation Verification

Abnormal Operation Validation

Abnormal Operation Validation tests that the safety relay system responds properly to faults and will verify the following:

A single wire safety connection fault will initiate a Shutdown and the LEDs will indicate a fault if cascaded relays are used.

Detection of Inconsistent inputs on the E-Stop pushbutton will initiate a Shutdown and will indicate a fault on the LEDs.

Contactors that fail to pickup or drop out will initiate a shutdown and incidate a fault on the LEDs.

Inactive faults are cleared by the Reset pushbutton.


Step 6 – V&V Single Wire SafetyConnect Fault Verification

Single Wire Safety Connection Fault


PurposeThis test will verify system response when the single wire safety connection is lost

or shorted on cascaded relays. (Not applicable for single relays)


2 Disconnect the single wire safety connection from L11

3 Verify that all contactors open immediately.

4 Verify that the PWR/FAULT LED flashes Red 5 times.

5 Verify that the fault cannot be reset with the wire disconnected.

6 Reconnect the wire to L11 and cycle the E-Stop pushbutton

7 Press the Reset pushbutton and verify thePWR/FAULT LED is Green

8 Short the single wire safety connection from L11 to +24vdc.

9 Verify that the PWR/FAULT LED flashes Red 5 times.

10 Verify that the fault cannot be reset with the wire disconnected.

11 Reconnect the wire to L11 and cycle the E-Stop pushbutton


13 Repeat Steps 1-12 for all cascaded Safety Relays.


Step 7 – V&V Logic Verification

GSR Logic Confguration Switch Test


PurposeThis test will verify the system response when the Guardmaster Safety RelayLogic

Switch is turned while the machine is running.


2 Turn the dial switch on Guardmaster Safety Relay

3Verify all contactors remain closed and PWR/FAULT LED flashes Red-Green two

times per cycle.

4 Turn the dial switch on Guardmaster Safety Relay back to 2

5 Verify all contactors remain closed and PWR/FAULT LED is solid green.


Step 8 – V&V Output VerificationSafety Contactor Feedback Open Fault


Purpose This test will verify the system response and diagnostic reporting when a contactor feedback open fault occurs.


2 Disconnect the wire from a contactor feedback input.

3The Safety Relay will not detect this since the auxiliary contacts are both open and removing a wire does not

change this. So no action should be taken.

4 Press the “E-Stop” pushbutton.


6 Verify that the PWR/FAULT LED is Red.

7 Verify that the fault cannot be reset with the feedback wire disconnected.

8 Reconnect the wire from Step 2 and cycle the E-Stop Pushbutton.


Safety Contactor Feedback Shorted Fault


Purpose This test will verify the system response and diagnostic reporting when a contactor feedback shorted fault occurs.


2 Place a jumper around the contactor feedback contact.



5 Remove the jumper inserted in Step 2.


Contactor Failed to Pickup Fault


PurposeThis test will verify system response and diagnostic reporting when a contactor fails to pickup when initially

commanded to close.


2 Place a jumper around the contactor feedback contact.

3 Verify that all contactors attempt to close but when one fails to close all contactors reopen.


5 Remove the jumper inserted in Step 2.



Example: Safety Checklists and Validation

Safety Checklists

Sample checklists to help users develop verification and validation checklists. These checklists guide you thru the evaluation process.

• GuardLogix® users manuals

• on-line at AB.com


Example: Pre-engineered Safety Blocks


Example: Pre-engineered Safety Blocks

Safety V&V Plans help you document that the

system operated as intended at installation.

This provides a documentation trail and proof of due diligence.

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved.

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.Connect with us on LinkedIn.

Rev 5058-CO900E

PUBLIC INFORMATION

Questions?

requirements, processes, and documentation€¦ · · 2015-02-18requirements, processes, and...

Documents