Safety Verification and Validation Requirements, Processes and Documentation
DESCRIPTION
The Safety Life Cycle approach, as defined in the standards IEC 61508 and IEC 62061, requires verification to prove that the circuits for the safety functions of the machine work properly and meet the specified requirements, and validation to test the safety functions of the system. Both require a plan and proper documentation. This session will cover the verification and validation process, proper documentation and available tools. We recommend attending SF01 - Safety System Development Process and Configuration Tools Overview prior to this session.
TRANSCRIPT
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Safety Verification and Validation Requirements, Processes, and Documentation
Agenda
Why do validation?
What are verification and validation?
The verification and validation process
Example V&V Plan / Documentation
Best Practices
The Safety Life Cycle
STEP 1 RISK OR HAZARD ASSESSMENT
STEP 2 SAFETY SYSTEM FUNCTIONAL REQUIREMENTS
STEP 3 SAFETY SYSTEM DESIGN & VERIFICATION
STEP 4 SAFETY SYSTEM INSTALLATION & VALIDATION
STEP 5 MAINTAIN & IMPROVE SAFETY SYSTEM
… machine had a plastic guard… to prevent the entry of any fingers…
… Employee #1 opened the plastic guard to knock the piece of chicken aside with his fingers…
… fingers got caught in the rotating blades… sustained an amputation
… cover has an interlock to stop the machine…
How is this Possible?
Assume a risk assessment was performed:
Frequent exposure, Serious Injury, Not Likely to Avoid
Proper safeguard selection (interlocking guard)
Proper circuit design (reliability matches level of risk)
What was missed? Didn’t we do the right things?
… a later test indicated… it took a little over two seconds for the machine to stop
Why Do We Do Validation?
Does it work the way I designed it to work?
What are Verification and Validation?
Verification: confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification
Applies to the system and its individual components: check that each component and the output of each step meets the necessary requirements
Validation: confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application
Applies to the overall system: check that the system will meet the demands of the application
How Do We Know it can Meet the Demands of the Application?
(Safety Life Cycle figure, Steps 1 to 5, shown with a question mark)
What are Verification and Validation?
Verification: confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification
Is my design CAPABLE of meeting the required performance level (PLr)?
Does each of my software modules perform as expected?
Can the relay and the valve work together?
More theoretical in nature
More about the DESIGN
Confirms the process step
Validation: confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application
Does my circuit perform as expected?
Did the system software shut off all the hazards in all modes?
What happens when I short E-stop channel A to ground?
More practical in nature
More about the PERFORMANCE
Confirms the entire process
Standards and V&V: ISO 13849
"Shall demonstrate that each SRP/CS…" – performed for ALL safety functions
Use analysis and testing
"shall include testing under fault conditions" for Categories 2-4
Standards and V&V: IEC 62061
"Each SRCF… shall be validated" – performed for all safety functions
"shall be validated by test and/or analysis"
"fault insertion testing shall be performed where the required safe failure fraction > 90 %."
Who Oversees Validation?
"Should" be persons independent of the design.
Assessor?
Independent person?
Independent department?
Independent organization?
Gather the right information
Documentation – What do I need?
Varies according to the technology used, the category or categories and performance level(s) to be demonstrated, the design rationale of the system, and the contribution of the SRP/CS to the reduction of the risk. Documents containing sufficient information from the following list shall be included in the validation process to demonstrate that the safety-related parts perform the specified safety functions to the required performance level or levels and category or categories:
— specification of the required characteristics of each safety function, and its required category and performance level;
— drawings and specifications, block diagram(s), circuit diagram(s), time sequence diagram(s) for switching components, signals relevant for safety;
— description of the relevant characteristics of components previously validated;
— for safety-related parts other than those listed in g), component lists with item designations, rated values, tolerances, relevant operating stresses, type designation, failure-rate data and component manufacturer, and any other data relevant to safety;
— information for use, e.g. installation and operation manual/instruction handbook;
— software specification which is clear and unambiguous and which states the safety performance the software is required to achieve;
— evidence that the software is designed to achieve the required performance level (see 9.5), and
— details of tests (in particular test reports) carried out to prove that the required safety performance is achieved.
VERIFICATION OF CIRCUIT PERFORMANCE
Information is required on how the performance level and the average probability of a dangerous failure per hour are determined. The documentation of the quantifiable aspects shall include
— the safety-related block diagram (see ISO 13849-1:2006, Annex B) or designated architecture,
— the determination of MTTFd, DCavg and CCF, and
— the determination of the category (see Table 2).
Information is required for documentation on systematic aspects of the SRP/CS.
Information is required as to how the combination of several SRP/CS achieves a performance level in accordance with the performance level required.
Make a Plan - 13849
Spelled out in the standards
Step by step plan that needs to include:
What specs do I need to meet?
Test conditions: operational and environmental
What analyses and tests will I use?
What test standards will I use?
Who will perform each step?
Make a Plan - 62061
Verification plan:
When the verification shall take place;
Who shall carry out the verification;
What strategies and techniques;
What is success? – acceptance criteria
Pass/fail? – evaluation of verification results.
Validation plan:
When the validation shall take place;
Modes of operation of the machine – Don’t forget!
What is the standard? Specs…
HOW? technical strategy / analytical methods / statistical tests
What is success? – acceptance criteria
Then what? Actions to be taken in the event of failure to meet the acceptance criteria.
Documentation – What Do I Need to Produce?
Analysis and testing "shall be recorded"
Validation of each safety function recorded
Process for each safety function recorded
Cross-reference to previous validation records
If something does NOT meet the acceptance criteria:
Which element failed?
Why did it fail?
What will we do about it?
For any safety-related part which has failed an element of the validation process, the validation record
Documentation of re-validation after modification
Step 1 – V&V Introduction and Basic Validation Information
Guardmaster Safety Relay Validation - Example
Introduction
This document defines the verification and validation test procedures to be performed on a Guardmaster Safety Relay (GSR) system. The safety system consists of series-wired E-Stop pushbuttons wired to a 440R-D22R2 safety relay, which actuates two safety contactors. The purpose of this validation plan is to verify the operational and diagnostic features of the Guardmaster Safety Relay application under normal and abnormal operating conditions. This document will also serve as a record of the safety system performance during testing.
Basic Validation Data
Machine Name/Model Number
Machine Serial Number
Customer Name
Test Date
Tester Name(s)
Schematic Drawing Number
Guardmaster Safety Relay Model
Step 2 – V&V Methodology and Wiring Verification
Methodology
This Guardmaster Safety Relay System validation procedure consists of three phases of testing. The phases must be completed in the order listed below.
1. Safety Wiring and Configuration Checkout
2. Normal Functional Operation
3. Abnormal Functional Operation
Safety Wiring Verification
Safety Wiring Verification tests that the safety relay wiring and rotary switch settings are correct and properly documented.
Step 3 – V&V Run Verification
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: Verify the safety relay wiring and rotary switch settings
1 Visually verify the E-Stop pushbutton wiring follows the wiring diagram.
2 Visually verify the contactor wiring follows the wiring diagram.
3 Verify the logic configuration steps were followed per the Installation Manual.
4 Visually verify that the rotary switch is set to Position 2 {(IN1 & IN2) OR L12}
Normal Operation Verification
Normal Operation Verification tests that the safety system responds properly during normal operation and will verify the following:
Initiation of a Start Command from a pushbutton or HMI will cause the safety contactors to close only if no safety relay faults are present and all E-Stop buttons are released.
If an E-Stop button is pressed, the safety relay will de-energize the contactors.
Safety relay faults are cleared by the Fault Reset pushbutton.
Establish Machine Run Condition
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: Verify that the Machine can be placed into a run condition.
1 Machine Stopped Condition - All contactors are open and all relay LEDs are green
2 Release all E-Stop buttons
3 Press the "Reset" pushbutton.
4 Initiate a Start command (pushbutton or HMI)
5 Verify that all safety contactors close.
Step 4 – V&V Safe E-stop Condition Verification
Establish Machine Safe Condition (E-Stop)
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: Verify that the machine will enter a safe condition (all safety contactors opened) after an E-Stop pushbutton is depressed.
1 Machine Run Condition - All contactors are closed.
2 Depress the E-stop pushbutton.
3 Verify that all safety contactors open.
4 Verify that the Safety Relay LEDs indicate which channel is open.
5 Release the E-stop pushbutton from Step #1.
6 Press the "Reset" pushbutton and initiate a Start command.
7 Verify the Machine Run Condition is re-established.
8 Repeat steps 1 through 6 for all E-stop pushbuttons on the machine.
Step 5 – V&V Abnormal Operation Verification
Abnormal Operation Validation
Abnormal Operation Validation tests that the safety relay system responds properly to faults and will verify the following:
A single wire safety connection fault will initiate a Shutdown and the LEDs will indicate a fault if cascaded relays are used.
Detection of inconsistent inputs on the E-Stop pushbutton will initiate a Shutdown and will indicate a fault on the LEDs.
Contactors that fail to pick up or drop out will initiate a Shutdown and indicate a fault on the LEDs.
Inactive faults are cleared by the Reset pushbutton.
Step 6 – V&V Single Wire Safety Connection Fault Verification
Single Wire Safety Connection Fault
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: This test will verify the system response when the single wire safety connection is lost or shorted on cascaded relays. (Not applicable for single relays)
1 Machine Run Condition - All contactors are closed.
2 Disconnect the single wire safety connection from L11
3 Verify that all contactors open immediately.
4 Verify that the PWR/FAULT LED flashes Red 5 times.
5 Verify that the fault cannot be reset with the wire disconnected.
6 Reconnect the wire to L11 and cycle the E-Stop pushbutton
7 Press the Reset pushbutton and verify the PWR/FAULT LED is Green
8 Short the single wire safety connection from L11 to +24 VDC.
9 Verify that the PWR/FAULT LED flashes Red 5 times.
10 Verify that the fault cannot be reset with the wire disconnected.
11 Reconnect the wire to L11 and cycle the E-Stop pushbutton
12 Press the Reset pushbutton and verify the PWR/FAULT LED is Green
13 Repeat Steps 1-12 for all cascaded Safety Relays.
Step 7 – V&V Logic Verification
GSR Logic Configuration Switch Test
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: This test will verify the system response when the Guardmaster Safety Relay Logic Switch is turned while the machine is running.
1 Machine Run Condition - All contactors are closed.
2 Turn the dial switch on the Guardmaster Safety Relay
3 Verify all contactors remain closed and the PWR/FAULT LED flashes Red-Green two times per cycle.
4 Turn the dial switch on the Guardmaster Safety Relay back to 2
5 Verify all contactors remain closed and the PWR/FAULT LED is solid green.
Step 8 – V&V Output Verification
Safety Contactor Feedback Open Fault
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: This test will verify the system response and diagnostic reporting when a contactor feedback open fault occurs.
1 Machine Run Condition - All contactors are closed.
2 Disconnect the wire from a contactor feedback input.
3 The Safety Relay will not detect this, since the auxiliary contacts are both open and removing a wire does not change this. So no action should be taken.
4 Press the "E-Stop" pushbutton.
5 Verify that all contactors open immediately.
6 Verify that the PWR/FAULT LED is Red.
7 Verify that the fault cannot be reset with the feedback wire disconnected.
8 Reconnect the wire from Step 2 and cycle the E-Stop Pushbutton.
9 Press the Reset pushbutton and verify the PWR/FAULT LED is Green
Safety Contactor Feedback Shorted Fault
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: This test will verify the system response and diagnostic reporting when a contactor feedback shorted fault occurs.
1 Machine Run Condition - All contactors are closed.
2 Place a jumper around the contactor feedback contact.
3 Verify that all contactors open immediately.
4 Verify that the PWR/FAULT LED is Red.
5 Remove the jumper inserted in Step 2.
6 Press the Reset pushbutton and verify the PWR/FAULT LED is Green
Contactor Failed to Pick Up Fault
Test Step | Verification | Pass/Fail | Changes/Modifications
Purpose: This test will verify the system response and diagnostic reporting when a contactor fails to pick up when initially commanded to close.
1 Machine Run Condition - All contactors are closed.
2 Place a jumper around the contactor feedback contact.
3 Verify that all contactors attempt to close but, when one fails to close, all contactors reopen.
4 Verify that the PWR/FAULT LED is Red.
5 Remove the jumper inserted in Step 2.
6 Press the Reset pushbutton and verify the PWR/FAULT LED is Green
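The normal-operation (Steps 3 and 4) and abnormal-operation (Steps 5 to 8) test tables above can be rehearsed against a simulated circuit before anyone touches the machine. The block below is an added example, not Rockwell code or 440R firmware: it models the plan's dual-channel E-Stop, safety relay and feedback-monitored contactors with an assumed, simplified relay logic (any channel discrepancy trips, the feedback loop is checked right after energising and after stopping, faults latch until their cause is removed), so each test step becomes a stimulus on the circuit followed by an observation to record.

```python
# Added example (not vendor code): a constructed, simplified model of the plan's
# circuit, dual-channel E-Stop -> safety relay -> two contactors with feedback (EDM).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Circuit:
    """Plant-side state the tester manipulates during each test step."""
    estop_a: bool = True           # True = channel contact closed (button released)
    estop_b: bool = True
    feedback_wire: bool = True     # False = EDM wire disconnected (feedback open test)
    feedback_jumper: bool = False  # True = jumper around the EDM contact (shorted test)
    k1_can_pickup: bool = True     # False = contactor K1 fails to pick up

@dataclass
class RelayModel:
    """Assumed relay logic: discrepancy monitoring, EDM check, latched faults."""
    c: Circuit = field(default_factory=Circuit)
    outputs_on: bool = False       # outputs energised = contactors commanded closed
    fault: Optional[str] = None    # latched fault code; None = PWR/FAULT LED green

    def contactors_closed(self) -> bool:
        return self.outputs_on and self.c.k1_can_pickup

    def feedback_seen(self) -> bool:
        """EDM input: series NC aux contacts, closed only while all contactors are open."""
        return self.c.feedback_jumper or (self.c.feedback_wire and not self.contactors_closed())

    def led(self) -> str:
        return "RED" if self.fault else "GREEN"

    def _trip(self, code: str) -> None:
        self.outputs_on = False
        self.fault = self.fault or code    # the first fault stays latched until reset

    def scan(self) -> None:
        """Evaluate the safety logic; call after every stimulus (button, wire, jumper)."""
        if self.c.estop_a != self.c.estop_b:
            self._trip("INPUT_DISCREPANCY")     # one channel open, the other closed
        elif not self.c.estop_a:
            self.outputs_on = False             # normal E-Stop: stops without a fault
        if self.outputs_on and self.feedback_seen():
            self._trip("EDM_CLOSED_WHILE_ON")   # jumpered feedback, or a contactor failed to pick up
        if not self.outputs_on and not self.feedback_seen():
            self._trip("EDM_OPEN_WHILE_OFF")    # open feedback wire: only visible once stopped

    def reset(self) -> bool:
        """Reset pushbutton: clears the latched fault only when its cause is gone."""
        ok = self.c.estop_a and self.c.estop_b and self.feedback_seen()
        if ok:
            self.fault = None
        return ok

    def start(self) -> bool:
        """Start command: energise only with no fault, E-Stops released and EDM closed."""
        self.scan()
        if self.fault or not (self.c.estop_a and self.c.estop_b) or not self.feedback_seen():
            return False
        self.outputs_on = True
        self.scan()                             # EDM is re-checked right after energising
        return self.contactors_closed()
```

The model's PWR/FAULT LED is only two-state, whereas the plan records the real relay's flash codes; the model is a rehearsal of the test logic, not a substitute for the fault-insertion tests on the installed system.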
Example: Safety Checklists and Validation
Safety Checklists: sample checklists to help users develop verification and validation checklists. These checklists guide you through the evaluation process.
Found in the GuardLogix® user manuals and on-line at AB.com
Example: Pre-engineered Safety Blocks
Safety V&V Plans help you document that the system operated as intended at installation.
This provides a documentation trail and proof of due diligence.
We care what you think!
Please take a couple of minutes to complete a quick session survey to tell us how we’re doing.
On the mobile app:
1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs up icon on the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button
Thank you!!
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
Questions?
Thank You