How do I validate my Safety System?

The most common step that is not performed, or is performed incorrectly, when implementing a safety system is validation. This step is essential to confirm that the safety system meets its specification and conforms to the relevant standards; however, many people are unsure how to validate, or do not consider performing a validation at all.

Here are some common mistakes made with validation:

No Specification

You can't validate an unspecified safety system, so if there is no specification document, what are you validating?

The specification document has two purposes:
  1. It provides a framework for the system to be designed
  2. It provides a specification to validate

The specification should explain the following:
  1. The functional behaviour of the safety system - For example, if the system is an E-Stop the specification should explain: how the E-Stop is initiated, what hazardous movements are inhibited by the E-Stop, what Stop Category is performed, how quickly these movements are inhibited, how the system is reset to allow machine operation to continue, etc.
  2. Operational and environmental conditions
  3. Integrity Requirements - What level of risk reduction is required of the safety system? This can be expressed as a required Safety Category (CAT), Performance Level (PL) or Safety Integrity Level (SIL)

Once the specification exists, the system can be validated against its functional, environmental and integrity requirements.

Only Normal Operation of Safety System is Tested

It is common for validation to be performed on a safety system with no fault simulation testing.

For example, when validating an E-Stop, the machine is started under its maximum expected operational load and the E-Stop is pressed. The safety function is validated by confirming that the hazardous movements have ceased within the time required by the specification and that the machine can't be restarted until the E-Stop operator is manually reset.

The above validation may prove the functional behaviour of the E-Stop, but many safety systems also require fault simulation to validate their integrity requirement. If the above E-Stop had a requirement of CAT 3, then every single-fault mode would need to be simulated to confirm that the system does not lose its safety function because of a single fault.
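To show what single-fault simulation adds over the normal-operation test, here is an added example (not from the original post or from NHP) that models a simplified E-Stop circuit and injects every single fault. The model, its fault modes (input contact stuck closed, output contactor welded) and the relay logic are assumptions for illustration; the real test plan follows the standard, not this script.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Architecture:
    """Simplified E-Stop circuit (constructed model): NC input contacts from the
    E-Stop operator feed a safety relay; output contactors sit in series in the
    motor power path. Counts of 2 and 2 approximate a dual-channel CAT 3 layout."""
    input_contacts: int
    output_contactors: int

def single_faults(arch):
    """Enumerate the single-fault modes this model considers (assumed list)."""
    faults = [("contact", i, "stuck_closed") for i in range(arch.input_contacts)]
    faults += [("contactor", i, "welded") for i in range(arch.output_contactors)]
    return faults

def power_removed(arch, estop_pressed, faults):
    """True if hazardous-motion power is removed given the injected faults.
    Relay logic: outputs drop as soon as any input channel opens; power is
    removed if at least one series contactor opens."""
    contact_open = [estop_pressed and ("contact", i, "stuck_closed") not in faults
                    for i in range(arch.input_contacts)]
    relay_demands_stop = any(contact_open)
    contactor_open = [relay_demands_stop and ("contactor", i, "welded") not in faults
                      for i in range(arch.output_contactors)]
    return any(contactor_open)

def validate_single_fault(arch):
    """Normal-operation test first, then every single fault. Returns the faults
    under which pressing the E-Stop fails to remove power (empty = tolerant)."""
    if not power_removed(arch, True, set()):
        raise AssertionError("normal-operation test failed")
    return [f for f in single_faults(arch) if not power_removed(arch, True, {f})]

if __name__ == "__main__":
    for name, arch in (("single-channel", Architecture(1, 1)),
                       ("dual-channel", Architecture(2, 2))):
        print(name, "loses safety function under:", validate_single_fault(arch))
```

The single-channel layout passes the normal-operation test yet fails under both of its single faults, which is exactly what the plain E-Stop test above cannot reveal.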

No Documentation

As with any activity performed during the implementation of a safety system, validation does not exist if it is not documented. All relevant analysis, test reports, calculations, data sheets, etc. must be recorded to prove the process undertaken.

For help with validation plans, register for the NHP Safety Reference Guide; in the 'Safety Function Document' section there are numerous examples of pre-engineered Safety Functions, with validation plans at the back of each document.

For more information on the process of validation, the activities to be performed and the documentation required, refer to AS 4024.1502-2006.


André Pinheiro said...

I am in the middle of a discussion regarding EDM on a Schneider Altivar 61 VSD. The safety function is trying to achieve CAT 3 with one drive as the actuator. Although the discussion is more around the need for EDM, my other concern is how is this CAT 3 if there is only one drive as the actuator? Could you please make any comments as to the need for EDM on a safety function using one drive as the actuator, and on this function achieving CAT 3 with a single drive?

Justiin Wild said...

The Schneider Altivar manual shows examples of how they believe they meet Category 3. It is more to do with the Stop input circuit having dual channels. They only use one output channel from the Safety Relay to drop one input to the Drive. While it doesn't look like a typical Cat 3 circuit, they have had it certified to SIL2 CAT3. (See link below). This is perhaps one of those cases where you use manufacturer data to prove your design.

Published: 18 May 2017