safety verification and validation requirements, processes and documentation

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Safety Verification and Validation Requirements, Processes, and Documentation

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 2

Agenda

Best Practices

Example V&V Plan / Documentation

The verification and validation process

What are verification and validation?

Why do validation?


The Safety Life Cycle

STEP 5 MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1 RISK OR HAZARD ASSESSMENT

STEP 4 SAFETY SYSTEM INSTALLATION & VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2 SAFETY SYSTEM FUNCTIONAL REQUIREMENTS

Safety Life Cycle


… machine had a plastic

guard… to prevent the

entry of any fingers…

… Employee #1 opened the

plastic guard to knock the

piece of chicken aside with

his fingers…

… fingers got caught in the

rotating blades…

sustained an amputation

… cover has an

interlock to stop the

machine…


How is this Possible?

Assume a risk assessment was performed:

Frequent exposure, Serious Injury, Not Likely to Avoid

Proper safeguard selection (interlocking guard)

Proper circuit design (reliability matches level of risk)

What was missed?

6

Didn’t we do the right things?

… a later test indicated… it

took a little over two seconds

for the machine to stop


Why Do we Do Validation?

7

Does it work the way I designed it to work?


Agenda

Best Practices




Why do validation?


What are Verification and Validation?

9

Verification: confirmation by

examination (e.g. tests, analysis)

that the SRECS, its subsystems or

subsystem elements meet the

requirements set by the relevant

specification

Validation: confirmation by


that the SRECS meets the

functional safety requirements of

the specific application

Verification: confirmation by


that the SRECS, its subsystems or

subsystem elements meet the

requirements set by the relevant

specification

Validation: confirmation by


that the SRECS meets the

functional safety requirements of

the specific application

The system and individual

components

Check that each component and output of each step meets the necessary requirements

The overall system

Check that the system will meet the

demands of the application


How Do We Know it can Meet the Demands of the Application?

STEP 5 MAINTAIN & IMPROVE SAFETY SYSTEM

STEP 1 RISK OR HAZARD ASSESSMENT

STEP 4 SAFETY SYSTEM INSTALLATION & VALIDATION STEP 3

SAFETY SYSTEM DESIGN & VERIFICATION

STEP 2 SAFETY SYSTEM FUNCTIONAL REQUIREMENTS

Safety Life Cycle ?


What are Verification and Validation?

11

Verification: confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification

Is my design CAPABLE of meeting the required performance level (PLr)?

Do each of my software modules perform as expected?

Can the relay and the valve work together?

More theoretical in nature

More about the DESIGN

Confirm the process step

Validation: confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application

Does my circuit perform as expected?

Did the system software shut off all the hazards in all modes?

What happens when I short E-stop channel A to ground?

More practical in nature

More about the PERFORMANCE

Confirm the entire process


Standards and V&V: ISO 13849

12

―Shall demonstrate that

each SRP/CS…‖ –

performed for ALL safety

functions

Use analysis and testing

―shall include testing

under fault conditions‖ for

Categories 2-4


Standards and V&V: IEC 62061

13

―Each SRCF… shall be

validated‖ – performed for

all safety functions

―shall be validated by test

and/or analysis‖

―fault insertion testing

shall be performed where

the required safe failure

fraction > 90 %.‖


Agenda

Best Practices




Why do validation?


Who Oversees Validation?

15

"Should" be persons independent of the

design.

Assessor ?

Independent person?

Independent department?

Independent organization?


Gather the right information

16

Documentation – What do I need?

Varies according to technology used, the category or categories and performance level(s) to be demonstrated, the design rationale of the system, and the contribution of the SRP/CS to the reduction of the risk. Documents containing sufficient information from the following list shall be included in the validation process to demonstrate that the safety-related parts perform the specified safety functions to the required performance level or levels and category or categories:

specification of the required characteristics of each safety function, and its required category and performance level;

drawings and specifications, block diagram(s), circuit diagram(s), time sequence diagram(s) for switching components, signals relevant for safety;

description of the relevant characteristics of components previously validated;

for safety-related parts other than those listed in g), component lists with item designations, rated values, tolerances, relevant operating stresses, type designation, failure-rate data and component manufacturer, and any other data relevant to safety;

information for use, e.g. installation and operation manual/instruction handbook.

software specification which is clear and unambiguous and which states the safety performance the software is required to achieve,

— evidence that the software is designed to achieve the required performance level (see 9.5), and

— details of tests (in particular test reports) carried out to prove that the required safety performance is achieved.

VERIFICATION OF CIRCUIT PERFORMANCE

Information is required on how the performance level and average probability of a dangerous failure per hour is determined. The documentation of the quantifiable aspects shall include — the safety-related block diagram (see ISO 13849-1:2006, Annex B) or designated architecture

— the determination of MTTFd, DCavg and CCF, and

— the determination of the category (see Table 2).

Information is required for documentation on systematic aspects of the SRP/CS.

Information is required as to how the combination of several SRP/CS achieves a performance level in accordance with the performance level required.


Make a Plan - 13849

17

Spelled out in the standards

Step by step plan that needs to

include:

What specs do I need to meet?

Test conditions: operational and

environmental

What analyses and tests will I

use?

What test standards will I use?

Who will perform each step?


Make a Plan - 62061

18

Verification plan:

When the verification shall take place;

Who shall carry out the verification;

What strategies and techniques;

What is success? - acceptance criteria

Pass fail? evaluation of verification results.

Validation plan:

When the validation shall take place;

Modes of operation of the machine – Don’t forget!

What is the standard? Specs…

HOW? technical strategy / analytical methods / statistical tests

What is success? acceptance criteria

Then what? Actions to be taken in the event of failure to meet the acceptance criteria.


Documentation – What Do I Need to Produce?

19

Analysis and testing ―shall be recorded‖

Validation of each safety function recorded

Process for each safety function recorded

Cross-reference to previous validation records

If something does NOT meet the acceptance criteria:

Which element failed?

Why did it fail?

What will we do about it?

For any safety-related part which has failed an element of the

validation process, the validation record

Documentation of re-validation after modification


Agenda

Best Practices




Why do validation?


Step 1 – V&V Introduction and Basic Validation Information

Guardmaster Safety Relay Validation - Example

Introduction

This document defines the verification and validation test procedures to be performed on a Guardmaster Safety Relay (GSR) system. The safety system

consists of series wired E-Stop pushbsuttons wire to a 440R-D22R2 safety relay which actuates tow safety contactors. The purpose of this validation plan

is to verify the operational and diagnostic features of the Guardmaster Safety Relay application under normal and abnormal operating conditions. This

document will also serve as a record of the safety system performance during testing.

Basic Validation Data

Machine Name/Model Number

Machine Serial Number

Customer Name

Test Date

Tester Name(s)

Schematic Drawing Number

Guardmaster Safety Relay

Model


Step 2 – V&V Methodology and Wiring Verification

Methodology

This Guardmaster Safety Relay System validation procedure consists of three phases of testing. The phases must be completed in the order listed below.

1. Safety Wiring and Configuration Checkout

2. Normal Functional Operation

3. Abnormal Functional Operation

Safety Wiring Verification

Safety Wiring Verification tests that the safety relay wiring and rotary switch settings are correct and properly documented.


Step 3 – V&V Run Verification

Establish Machine Run Condition

Test Step Verification Pass/Fail Changes/Modifications

Purpose Verify the safety relay wiring and rotary switch settings

1 Visually verify the E-Stop pushbutton wiring follows the wiring diagram.

2 Visually verify the contactor wiring follows the wiring diagram.

3 Verify the logic configuration steps were followed per the Installation Manual.

3 Visually verify that the rotary switch is set to Position 2 {(IN1 & IN2) OR L12}

Normal Operation Verification

Normal Operation Verification tests that the safety system responds properly during normal operation and will verify the following:

Initiation of a Start Command from a pushbutton or HMI will cause the safety contactors to close only if: No safety relay faults are present and all E-Stop buttons are released.

If an E-Stop button is pressed, the safety relay will de-energize the contactors.

Safety relay faults are cleared by the Fault Reset pushbutton.

Establish Machine Run Condition


Purpose Verify that the Machine can be placed into a run condition.

1 Machine Stopped Condition - All contactors are opened and all relay LEDs are green

2 Release all E-Stop buttons

3 Press the ―Reset‖ pushbutton.

4 Initiate a Start command (pushbutton or HMI)

5 Verify that all safety contactors close.


Step 4 – V&V Safe E-stop Condition Verification

Establish Machine Safe Condition (E-Stop)


Purpose Verify that the machine will enter a safe condition (all safety contactors opened) after

an E-Stop pushbutton is depressed.

1 Machine Run Condition - All contactors are closed.

2 Depress the E-stop pushbutton.

3 Verify that all safety contactors open.

4 Verify that the Safety Relay LEDs indicate which channel is open.

5 Release the E-stop pushbutton from Step #1.

6 Press the "Reset" pushbutton and initiate a Start command.

7 Verify the Machine Run Condition is re-established.

8 Repeat steps 1 through 6 for all E-stop pushbuttons on the machine.


Step 5 – V&V Abnormal Operation Verification

Abnormal Operation Validation

Abnormal Operation Validation tests that the safety relay system responds properly to faults and will verify the following:

A single wire safety connection fault will initiate a Shutdown and the LEDs will indicate a fault if cascaded relays are used.

Detection of Inconsistent inputs on the E-Stop pushbutton will initiate a Shutdown and will indicate a fault on the LEDs.

Contactors that fail to pickup or drop out will initiate a shutdown and incidate a fault on the LEDs.

Inactive faults are cleared by the Reset pushbutton.


Step 6 – V&V Single Wire Safety Connect Fault Verification

Single Wire Safety Connection Fault


Purpose This test will verify system response when the single wire safety connection is lost

or shorted on cascaded relays. (Not applicable for single relays)


2 Disconnect the single wire safety connection from L11

3 Verify that all contactors open immediately.

4 Verify that the PWR/FAULT LED flashes Red 5 times.

5 Verify that the fault cannot be reset with the wire disconnected.

6 Reconnect the wire to L11 and cycle the E-Stop pushbutton

7 Press the Reset pushbutton and verify thePWR/FAULT LED is Green

8 Short the single wire safety connection from L11 to +24vdc.

9 Verify that the PWR/FAULT LED flashes Red 5 times.

10 Verify that the fault cannot be reset with the wire disconnected.

11 Reconnect the wire to L11 and cycle the E-Stop pushbutton


13 Repeat Steps 1-12 for all cascaded Safety Relays.


Step 7 – V&V Logic Verification

GSR Logic Confguration Switch Test


Purpose This test will verify the system response when the Guardmaster Safety RelayLogic

Switch is turned while the machine is running.


2 Turn the dial switch on Guardmaster Safety Relay

3 Verify all contactors remain closed and PWR/FAULT LED flashes Red-Green two

times per cycle.

4 Turn the dial switch on Guardmaster Safety Relay back to 2

5 Verify all contactors remain closed and PWR/FAULT LED is solid green.


Step 8 – V&V Output Verification Safety Contactor Feedback Open Fault


Purpose This test will verify the system response and diagnostic reporting when a contactor feedback open fault occurs.


2 Disconnect the wire from a contactor feedback input.

3 The Safety Relay will not detect this since the auxiliary contacts are both open and removing a wire does not

change this. So no action should be taken.

4 Press the ―E-Stop‖ pushbutton.


6 Verify that the PWR/FAULT LED is Red.

7 Verify that the fault cannot be reset with the feedback wire disconnected.

8 Reconnect the wire from Step 2 and cycle the E-Stop Pushbutton.


Safety Contactor Feedback Shorted Fault


Purpose This test will verify the system response and diagnostic reporting when a contactor feedback shorted fault occurs.


2 Place a jumper around the contactor feedback contact.



5 Remove the jumper inserted in Step 2.


Contactor Failed to Pickup Fault


Purpose This test will verify system response and diagnostic reporting when a contactor fails to pickup when initially

commanded to close.


2 Place a jumper around the contactor feedback contact.

3 Verify that all contactors attempt to close but when one fails to close all contactors reopen.


5 Remove the jumper inserted in Step 2.



Example: Safety Checklists and Validation

Safety Checklists Sample checklists to help users develop verification and validation checklists. These checklists guide you thru the evaluation process. • GuardLogix® users

manuals • on-line at AB.com


Example: Pre-engineered Safety Blocks


Example: Pre-engineered Safety Blocks

Safety V&V Plans help you document that the

system operated as intended at installation.

This provides a documentation trail and proof of due diligence.


Agenda

Best Practices




Why do validation?


We care what you think!

On the mobile app:

1. Locate session using

Schedule or Agenda Builder

2. Click on the thumbs up icon on

the lower right corner of the

session detail

3. Complete survey

4. Click the Submit Form button

33

Please take a couple minutes to complete a quick session survey to tell us how we’re doing.

2

3

4

1

Thank you!!


www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION

Questions?


PUBLIC INFORMATION

Thank You

safety verification and validation requirements, processes and documentation

Technology

rockwell automation

validation requirements

safety system step

process step validation

validation process

functional safety requirements

safety life cycle step

system software