Verifying and validating the safety system design
18 December 2012
Designing safety control systems in accordance with global standards helps machine builders and manufacturers to drive up productivity; more importantly, standards compliance makes a huge contribution to the safety and wellbeing of workers as well as the protection of capital assets. Wayne Solberg reports.
Verifying and validating machine safety control systems in accordance with the Safety LifeCycle approach, as defined in standards IEC 61508 and IEC 62061, enables both end-user and machine supplier to harness the inherent value of intelligent safety system designs. The LifeCycle approach provides the foundation for this detailed, more systematic design process for machinery applications, concentrating on integrating the safety and machine functions as early as possible in the design process.
But among the most important design phases are those that come towards the end of the job: verifying and validating the performance of a safety system design. At this point, the designer already has completed the initial phases — that is, conducted a risk or hazard assessment, defined the functional requirements of the machine and begun designing the safety system.
Verifying the performance of the safety system design means proving that safety function circuits are working properly and that they meet the specified requirements. During verification, the safety system must be tested while the machine is running; for example, activating an emergency stop (e-stop) to test that a machine will indeed stop running on activation is the only way to verify proper e-stop operation.
Next, completing the validation step means testing that the system’s safety functions do what they’re designed to do. For instance, in a dual-channel e-stop application involving redundant control relays, a designer conducting the test might manually inject a fault between the logic solver and the output on channel one – activating the e-stop – to validate that the wiring on channel one is correct from the input to the logic solver. The designer would then repeat the process on the second channel to make sure it, too, functions as planned.
To validate a light curtain application, a designer conducting the test validates the stop time by verifying the safe distance calculations; this ensures that the light curtain is sited appropriately with respect to the machine. Validation takes place at both the machine builder’s facility, and the end-user’s facility to make sure the safety-related control system operates correctly at every stage of commissioning, from installation, through start-up, to machine set-up.
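As an added example (not part of the article), the safe-distance check a validator would perform for the light-curtain case above. It assumes the ISO 13855 distance formula for normal approach with detection capability up to 40 mm, and uses constructed stop-time values:

```python
"""Light-curtain safe-distance check for the validation step.

Assumed formula (ISO 13855, normal approach, detection capability d <= 40 mm;
not taken from the article):
    S = K * T + C, with C = 8 * (d - 14) mm
    first pass K = 2000 mm/s and S >= 100 mm;
    if S > 500 mm, recalculate with K = 1600 mm/s and S >= 500 mm.
T is the overall stopping performance: measured machine stop time plus the
light curtain's own response time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StopTimeMeasurement:
    machine_stop_s: float      # worst-case machine stopping time measured on site (s)
    curtain_response_s: float  # light-curtain response time from its datasheet (s)

    @property
    def total_s(self) -> float:
        return self.machine_stop_s + self.curtain_response_s


def min_safe_distance_mm(meas: StopTimeMeasurement, resolution_mm: float) -> float:
    """Minimum distance from the detection zone to the hazard (mm)."""
    if not 14 <= resolution_mm <= 40:
        raise ValueError("formula applies to detection capability 14..40 mm only")
    c = 8 * (resolution_mm - 14)
    s = max(2000 * meas.total_s + c, 100.0)
    if s > 500:  # slower hand-speed constant allowed, but never below 500 mm
        s = max(1600 * meas.total_s + c, 500.0)
    return s


def validate_light_curtain(meas: StopTimeMeasurement, resolution_mm: float,
                           installed_distance_mm: float) -> dict:
    """Pass/fail record for the validation file: installed distance must be >= S."""
    required = min_safe_distance_mm(meas, resolution_mm)
    return {
        "required_mm": required,
        "installed_mm": installed_distance_mm,
        "margin_mm": installed_distance_mm - required,
        "pass": installed_distance_mm >= required,
    }


if __name__ == "__main__":
    # Constructed sample: 250 ms machine stop, 20 ms curtain response, 30 mm resolution,
    # curtain mounted 400 mm from the hazard. Required S works out to 560 mm, so this fails.
    m = StopTimeMeasurement(machine_stop_s=0.250, curtain_response_s=0.020)
    print(validate_light_curtain(m, resolution_mm=30, installed_distance_mm=400))
```

A failing record like the sample above is exactly the kind of finding the corrective-action part of the validation plan has to capture before re-validation.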
An important point to note here is that verification is not the same as validation. Validating the safety functions of a system requires a plan, must be documented and should include environmental, operational and maintenance tasks and functions. In addition, validation proves that the safety circuit works correctly: it requires fault injection in all identified modes of operation, and it requires circuit evaluation using analytical tools to verify circuit design compliance, to verify component selection and to carry out systematic analysis.
Comply with the standards
Verification and validation of a safety system must be in accordance with global functional safety standards. A designer must validate the safety system in accordance with IEC 61508, IEC 62061, EN ISO 13849-1 and 13849-2. Each standard provides a unique definition of validation.
Validation according to IEC 61508 and IEC 62061 means examining and testing the safety-related electrical control system, including hardware and software, to ensure it achieves the functional safety requirements of the application. The standards require that the validation have a documented plan comprising the following:
- Details of when the validation shall take place.
- Identification of the machine’s relevant modes of operation (such as normal operation or setting).
- Acceptance criteria (what is acceptable as a pass or fail form of validation).
- Corrective actions to be taken in the event of failure to meet the acceptance criteria to re-validate the system.
Validation according to EN ISO 13849-1/2 also entails a planned, documented process. It uses static and dynamic testing, among other methodologies, to show that all safety-related parts of the control systems interact correctly to perform the intended safety function. It also shows that unintended functions don’t occur.
Descriptions of safety functions and requirements of specified performance levels and categories are found in EN 954-1.
All safety functions, including any protection methods, circuits and components that mitigate identified hazards, need to be working correctly to be validated. This includes validation of software, environmental and maintenance requirements, and general tools that can be used for mechanical, pneumatic, hydraulic and electrical systems.
EN ISO 13849-2 also specifies the conditions under which the validation by testing of the safety-related parts of the control systems should be carried out. In addition, validation must demonstrate that each safety-related part and control system meets the requirements of EN ISO 13849-1, including the specified performance level, category, and measures for control and avoidance of systematic failures.
Verifying and validating the safety-related control systems in accordance with the Safety LifeCycle approach gives the end-user the confidence that he or she is taking delivery of a machine that is fully compliant with today’s safety standards.
Wayne Solberg is a global OEM technical consultant (safety) with Rockwell Automation