Safety Lifecycle Navigator


Please observe the following notes

Target group of this document

This guideline is aimed at all persons who use safety technology or want to do so. It is intended to simplify the entry into the technology of safe machines, in addition to the trainings and services offered by the Safety Alliance members, and to give you an overview of safety technology basics and the necessary measures in the safe machine's lifecycle. Important relevant guidelines, standards and regulations for safety technology are mentioned, but the guideline is not exhaustive. Becoming familiar with the valid guidelines, standards, and regulations for the application is required in any case.

Important note

All information contained in this guideline was carefully compiled. The information is provided as reader assistance and does not exclude an independent check, in particular with regard to suitability and intended use in your specific application. The reader is responsible for checking current standards in terms of content and validity for his own work. Quotations and interpretations of standards, as well as examples, are only intended as explanations and are not exhaustive. They must not be used without verification, nor may they be generalized. The Safety Alliance as well as its members, subsidiaries and associated companies (hereafter referred to as "Safety Alliance") are not liable for recommendations given or implied in the following descriptions. No further guarantee, warranty or liability claims beyond the general delivery conditions of the Safety Alliance members can be derived from the following descriptions.

Statement of legal authority

This guideline, including all figures contained herein, is protected by copyright. It is to be used for its intended purpose only. All other means of usage are prohibited. Reproduction, translation, as well as electronic and photographic archiving and modification, require written consent by the Safety Alliance. Violators are liable for damages.

The Safety Alliance reserves the right to make any changes serving the purpose of technical progress. The Safety Alliance reserves all rights in the case of patent award or listing of a registered design. Third-party products are always named without reference to patent rights. The existence of such rights shall not be excluded.

Internet

The Safety Alliance website can be found on the internet at:

Copyright notice: All texts, illustrations and graphic designs are protected by copyright. If you want to use parts thereof, please contact the Safety Alliance.

Page 2 of 58

Your safe way through the in mechanical engineering

Start

Content

Machinery safety step by step 5
  Objectives of safety technology use 6
  The shortest way to the destination 6
The Safety Alliance 7
  Open platform for functional safety technology 8
  Your benefits as mechanical engineer and operator 8
  Advice and support on the way to the safe machine 9
  Involved authors and companies 9
Safety Lifecycle 10
  Your starting point - the example machine 11
  Route planning 12
  Start: Legal basis 13
  Waypoint 1: Safety planning 16
  Waypoint 2: Risk assessment 19
  Waypoint 3: Specification of the risk minimization 28
  Waypoint 4: Validation planning 32
  Waypoint 5: Implementation 34
  Waypoint 6: Verification 44
  Waypoint 7: Validation 50
  You have reached your destination! 53
What's next? Traffic information and points of interest 54
  Your contact in the Safety Alliance 55
  Bibliography 56
  Index of figures

Machinery safety step by step

Objectives of safety technology use

In today's industrial production, more and more complex machines and technical systems are used. On the one hand, the use of safety technology should exclude danger for people, environment and machines, or at least reduce it to an acceptable level. On the other hand, the availability of machines and production facilities should not be limited more than absolutely necessary. Thus, the basic objectives for the use of safety technology are:

- avoidance of accidents which can be caused by incorrect behavior of machines or people
- preventive health protection for people at work
- avoidance of costs directly or indirectly caused by machine malfunction or incorrect behavior of people. These include production failure, destruction of machine parts or tools, liability for quality defects, compensation for victims, etc.

The shortest way to the destination

Manufacturers as well as operators of machinery are obliged by EU directives to place only safe machines on the market and to provide only safe equipment. Thus, the goal is clearly described. However, what does the way to this goal look like? Which steps in which direction do I have to take as a mechanical engineer to reach this goal as fast as possible, simply and efficiently?

The processes and steps on the way to the safe machine and its safe operation are described in detail in the appropriate standards, with standard methods. However, in practice it frequently turns out that the amount of considerations is significant. A lot of special details have to be considered against the background of experience and expert knowledge and evaluated with regard to the safety of man and environment.

The aim of the Safety Alliance is to provide support both for machine builders and operators for the effective and efficient planning, implementation, and application of functional safety technology. Therefore, the experts of the Safety Alliance have developed the present Safety Lifecycle Navigator. It describes the shortest way to the destination "safe machine". The Safety Lifecycle Navigator shows the complete "route" with all waypoints in clearly arranged form. It explains which prerequisites and results are assigned to the waypoints and where to go from there. And of course: where to ask for the way in case of doubt.

I wish you every success for your work!

Peter Fuchs
Spokesman of the Safety Alliance

The Safety Alliance

Open platform for functional safety technology

The Safety Alliance is an association of automation manufacturers, technology and solution providers, specialists and service providers for functional safety technology. With the formation of the Safety Alliance, the proven concept of an open technology platform, based on scalable and interoperable software components, becomes a comprehensive solution architecture for functional safety. Leading automation manufacturers, solution providers, service providers and users of safety technology complement each other's competencies with regard to marketing, further development and support of an open technology platform around the market standard SAFEPROG and SAFEOS. This simplifies the development, integration and application of functional safety technology.

Your benefits as mechanical engineer and operator

You construct, build, or operate efficient machines or highly productive systems. You know the specific requirements of your industry and set new benchmarks with your products and solutions. To do this, you need functionally safe automation technology. You want to use certified components and an open standard? Then the Safety Alliance is the right marketplace for you! The open technology platform of the Safety Alliance provides all you need: fast and ready-to-use controls or modular switching devices, as well as, for example, certified programming and runtime systems. Irrespective of whether you want to use ready devices and systems, or rely on your own control technology, the open platform of the Safety Alliance provides the technology you need. It assists you in developing and marketing products and solutions for functional safety faster.

Open and uniform

Openness in the sense of the Safety Alliance has many aspects. The Safety Alliance platform supports various communication networks and safety profiles. In this respect, you do not have to commit yourself or restrict yourself. The same applies, for example, to CPUs and hardware architectures or certified operating systems. The technologies of the Safety Alliance have been in operation in a variety of certified systems of different providers. The uniform standard of the Safety Alliance is created via the safe programming system SAFEPROG as editor, which is the core of the technology platform together with the safe runtime system SAFEOS. This means that you, as mechanical engineer or operator, can program, configure, and operate the products of the Safety Alliance partners with a uniform tool chain. Your investments in differentiation features such as industry-specific application projects and function blocks remain protected and can be reused on the portfolio of the Safety Alliance controls. With this globally proven basis, you position yourself successfully in the market with unique products and solutions.

Advice and support on the way to the safe machine

The Safety Lifecycle Navigator is an overview document for better understanding the processes related to the "safe machine", using a specific example. You will learn, among other things, that "following recipe instructions" is unfortunately not possible in the field of machinery safety. Each safety solution is as unique as the machine for which it is implemented. In this way, a customized safety concept is developed step by step, from one waypoint to the next. Many steps on the way to the safe machine will become easier and more target-oriented when you occasionally ask for the way. No matter if it is specification, development, certification, the draft of your internal Functional Safety Management or a complete solution for the safety of your machine - the experienced experts of the Safety Alliance are pleased to support you with expert help and advice. A list of your contact persons can be found on page 55.

Involved authors and companies

The Safety Alliance would like to thank the following members for their committed cooperation in creating this Safety Lifecycle Navigator:

Bernecker + Rainer Industrie-Elektronik Ges.m.b.H.
- Franz Kaufleitner, Product Manager Integrated Safety Technology
- Andreas Hager, Research & Development Controls

Baumüller Nürnberg GmbH
- Heinrich März, Manager R&D Electronic

innotec GmbH
- Dr. Peter Wratil, Managing Director

KW-Software GmbH
- Andreas Orzelski, Managing Director
- Peter Fuchs, Head of Marketing Communications, Spokesman of the Safety Alliance
- Harry Koop, Test Analyst Safety Software

TÜV Rheinland Industrie Service GmbH
- Stephan Häb, Head of Business Unit Functional Safety Products

Safety Lifecycle

Your starting point - the example machine

Figure 1: Example machine without safety equipment

The example machine displayed in Figure 1 is the starting point of our considerations. It is a lathe used for machining workpieces that are fixed by clamping jaws in a fast rotating tool. Workpieces are to be clamped and adjusted regularly before each new machining process. The example machine is displayed without installed safety measures. This simplified example shows the individual steps on the way to the safe machine. Nevertheless, the presentation is complete, as the complexity of the respective machine has no direct influence on the navigation through the. However, the effort per waypoint for more complex machines will be correspondingly higher, without changing anything about the general procedure. In each case, all waypoints have to be passed through.

Note: In some places, there are useful shortcuts which are marked accordingly. Otherwise, you should never leave the planned route.

We wish you a nice and especially safe journey!

Route planning

Figure 2: Definition of the waypoints in conformity with EN ISO :2008 (D). Route plan: Start - Legal basis; Waypoint 1 - Safety planning; Waypoint 2 - Risk assessment; Waypoint 3 - Specification of the risk minimization; Waypoint 4 - Validation planning; Waypoint 5 - Implementation; Waypoint 6 - Verification; Waypoint 7 - Validation; Finish - the safe machine. Embedded in the route plan is Figure 6: Simplified V model of the software lifecycle, with the stages specification of the safety function, safety-related software specification, system design, module design, coding, module test, integration test (incl. wiring test), validation and validated software, linked by verification and validation steps.

The "map" with the "route plan" in Figure 2 describes the shortest way from the example machine to the finish, the safe machine, which is reached with completion of waypoint 7. The way to the safe machine is independent of the technology used. In our example machine, we especially focus on programmable safety systems. The legal requirements behind waypoints 1 to 7 are also valid for machines without programmable safety technology and must also be fulfilled and documented completely there.

In the beginning, it is useful to get your bearings on the map. For this purpose, an excursus to the legal basis is used. Here it is determined which regulations and standards are legally relevant for your machine and are considered as "traffic rules" during the journey.

In the interest of an easily understandable and clear presentation, the description of the individual waypoints cannot contain all details for a specific implementation. In particular cases, and depending on the respective application and industry, further standards are to be adhered to, for example, with regard to wiring, hardware design and selection of suitable safety components. The members of the Safety Alliance will be pleased to assist you. A list with contacts can be found on page 55.

Start - Legal basis

Key question
Which guidelines and standards are valid for my product?

Requirements
The machine specification must be completed.

General procedure

Machinery Directive and CE marking

Quote from the Machinery Directive (MRL) [1]: "The manufacturer of machinery or his authorized representative must ensure that a risk assessment is carried out for the machinery which he wishes to place on the market. For this purpose, he should determine which are the essential health and safety requirements applicable to his machinery and in respect of which he must take measures."

The CE marking is based on the declaration of CE conformity and is fully acknowledged as the unique marking that guarantees the machine's compliance with the requirements of this directive. Any other marking that a third party may mistake for the CE marking regarding meaning or design, or both, is prohibited. The CE marking must be affixed on a par in the immediate vicinity of the name of the manufacturer, using the same technique. To distinguish CE markings on components from CE markings on the machine, the latter must be affixed next to the name of the responsible party, i. e. next to the name of the manufacturer or his authorized representative [1].

Definition

The Machinery Directive is valid for placing new machines on the market. It shall also apply to safety components placed on the market separately. A machine for the purpose of this directive is an assembly of linked parts or components, at least one of which moves, with the appropriate actuators, control and power circuits, etc., joined together for a specific application, in particular for the processing, treatment, moving or packaging of a material. A machine is also an assembly of machines which, in order to achieve the same end, are arranged and controlled so that they function as an integral whole. Machines are also interchangeable equipment modifying the function of a machine, which is placed on the market for the purpose of being assembled with a machine or a series of different machines or with a tractor by the operator himself, in so far as this equipment is not a spare part or a tool.

Safety component means a component, provided that it is not interchangeable equipment, which the manufacturer or his authorized representative established in the European Economic Area places on the market to fulfil a safety function when in use and the failure or malfunctioning of which endangers the safety or health of exposed persons.

A variety of products is excluded from the scope of this Directive. These include:

- firearms
- steam boilers and pressure vessels
- special equipment for use in amusement parks
- machinery for medical use
- and others

Responsibility

Manufacturers and retailers have the legal obligation to comply with European Community requirements for the equipment and operation of machines and systems. The manufacturer or his authorized representative established in the Community is responsible for compliance with the provisions, for issuing an "EU declaration of conformity" (for ready-to-use machines) or a "declaration by the manufacturer" (for not ready-to-use machines and safety components), and for affixing the CE marking. If this is not the case, the responsibility is assigned to the one who places the machine on the market. This can be the importer or dealer, but also the one manufacturing a machine for his own use or assembling it from machines of different origins.

Safety measures are not only to be observed when placing new machines or systems on the market. Safety must also be guaranteed when modifications or upgrades are performed subsequently on an existing machine or system. Of particular importance is the upgrade of old machines. You have to perform a risk analysis on a regular basis.

Placing on the market, standards

The EU Machinery Directive determines that in principle no danger may arise from machines (risk assessment according to EN ISO 12100). As there is often no zero risk in technology, the aim is to achieve an acceptable residual risk. If safety is dependent on control systems, these must be designed in such a way that the probability of functional errors is sufficiently low. If this is not possible, any occurring errors shall at least not lead to the loss of the safety function.

In order to comply with the regulations, it makes sense to use harmonized standards that have been created according to a mandate from the European Commission and are published in the European Official Journal (presumption of conformity). This is the only way to avoid an increased effort for the conformity assessment. When complying with standards with presumption of conformity which are relevant for a machine or technical equipment, it is assumed that compliance with the legal provisions is reached and that the assembler and operator of the machine or system have performed their duty of care. If a manufacturer or operator of a machine or technical equipment uses no standards, or only standards without presumption of conformity, he has to prove in another way that the general legal provisions are fulfilled.

In the past, the safety-related parts of a machine's control system were designed according to EN . This was based on the calculated risk (categorized). The aim was to assign an appropriate system behavior to each category (deterministic approach). With the use of electronics (programmable electronics in particular) in safety technology, safety can no longer be measured purely in terms of the simple category system of EN . In addition, that category system cannot provide information on the probability of failure (probabilistic approach). Help is now available from IEC and EN ISO , the successor standard to EN . Therefore, especially the harmonized standards IEC and EN ISO are relevant for a mechanical engineer today. "Harmonized" standards are listed in the European Official Journal of the EU and thus are generally accepted within the European Union.

The standard EN ISO defines a total of four parameters [2], [3]:

- structure of the safety system
- failure rate, the dangerous failure rate in particular
- diagnostic coverage rate
- number of common cause failures

For guideline and standard research, it is furthermore worthwhile to take into account that a product standard with detailed requirements for a machine (C standard) always has a higher priority than a more general base standard (B standard). This means: if the product standard (C standard) deviates from a B standard, the C standard is applied. Example: the C standard EN 201 describes the safety requirements for molding machines. Thus, it has priority over the B standard EN ISO .

Liability

Manufacturers and distributors are liable for the safety of a machine or system. The Machinery Directive partially simplifies the modalities regarding compensation claims for personal injuries caused by the defective safety of a product. It only includes the harmonization of a limited aspect of civil liability rules in the member states. In addition, it precisely defines the term manufacturer or "person placing on the market". The content of the technical provisions a manufacturer has to observe before placing its products on the market is, however, not defined. The Machinery Directive is limited to simplifying the argumentation for the victim of the product and releases him from the obligation to prove the fault of the manufacturer.

Dealing with old machines

When an old machine is slightly modified and this machine has not been involved in an accident, no new risk assessment has to be performed and thus also no update to the Machinery Directive. If the machine is older than 10 years, however, the safety technology should be updated. An old machine operated by a new operator, or after a significant modification, is always followed by a risk assessment and performance of the required measures [3]. Significant modifications are, for example:

- installation of a new control technology (switch from electromechanical to electronic and/or programmable systems)
- increase of the production speed
- new operation concept

Results

Based on the machine specification, the assignment of relevant standards is made. The machine consists of electronic as well as hydraulic and pneumatic elements. EN ISO is thus used as the listed standard with presumption of conformity, as the basis for testing the conformity of the machine with the legal provisions. In individual cases, there might be a reference to IEC [4].

Waypoint 1 - Safety planning

Key question
Who does what and when? How is it checked and documented?

Requirements
Based on the machine specification, the assignment of relevant standards is made.

General procedure

At this waypoint, all safety-related activities for reaching functional safety are planned. The planning is done in the so-called "plan of functional safety" (Safety Plan). This plan specifies all framework conditions which apply for the following waypoints. These include, for example:

- Who has which role in the project?
- What are the waypoints?
- Who is responsible for which waypoint?
- What is the input and output information of each waypoint?
- How is the information verified?
- How are modifications dealt with?
- How is the configuration management done?
- What kind of qualification measures must be performed so that the corresponding employees have the required competence for their job?
- Which quality management is used by suppliers?

In addition, the "Validation and Verification plan" (V&V plan) is developed at this waypoint. This plan includes all fault avoidance measures used in this project. It defines which verification and validation measure is performed and where the result is documented. The tools used for these actions are also documented here. Further notes on the procedure can be found in IEC 62061, Chapter 4 "Management of functional safety" [4].

Safety planning for the example machine

Different roles are required for the concrete implementation on the example machine. In the following safety plan, the roles are defined, assigned to people, and responsibilities are specified. A safety plan that has once been created carefully can be reused with minor changes for follow-on projects and other machines.

All persons involved in the project are listed in the safety plan. Table 1 shows an example of assigning a role (in the project) to a person. In addition, the qualification and/or competence of the respective person is displayed. Here, it is also listed which information is required for the corresponding phase and which information is created. At the end of the phase, it is checked whether the respective actions have been performed. The person responsible for this is also specified here. In order to ensure that every person involved in the project has the required competence for the assigned task, it can be necessary to improve qualifications. Qualification measures for this are also specified in the safety plan (Table 3). Table 2 defines who is responsible for the corresponding waypoint in the project and who is performing the actions.

Example: Functional safety plan

Table 1: Safety plan - responsibilities

| Name | Role in the project | Role description | Company/department | Qualification/competence |
|---|---|---|---|---|
| Hans Leiter | Project manager | Person responsible for the whole project | Model company/construction | Functional safety training/project management in similar projects |
| | Hardware development | | | |
| | Software development | | | |
| | Hardware testing | | | |
| | Software testing | | | |

Table 2: Safety plan - waypoints

| Waypoint | Responsible | Input information | Execution | Output information | Verification | Assessment |
|---|---|---|---|---|---|---|
| 3 | Project manager | Requirement specification/technical specification | Mr. Meier | Specification risk minimization | Mr. Schmidt | TÜV |
| 4 | Head of Quality management | Specification risk minimization | Mr. Finder | Specification validation tests | Mr. Müller | TÜV |
| 5 | | | | | | |

Table 3: Safety plan - qualification measures

| Name | Qualification measure | Qualification level |
|---|---|---|
| Mr. Meier | A training at TÜV | |

Table 4 shows an example of a fault-avoiding measure. The verification of a specification is checking whether the document is correct and complete, both in terms of substance and in terms of content. After this verification, the result is documented in an inspection report. This report is at the same time the proof that the verification has been performed. In addition, the tools used in the project are listed in the V&V plan. For creation of the application program for the example selected in this document, the safe programming tool SAFEPROG is used (Table 5).

Example of V&V plan

Table 4: V&V plan - error-avoiding measures

| Waypoint | Applied measure/procedure | Proof of the execution |
|---|---|---|
| 3 | Verification of the specification | Verification report for specification of the safety functions |
| 4 | | |

Table 5: V&V plan - used tools

| Measure/procedure | Used tool |
|---|---|
| Application development | SAFEPROG |

Results

All safety-related actions for reaching functional safety are described in the safety plan. In the V&V plan, all measures for fault avoidance, with verification and validation measures and their documentation, are defined. During the further course of the project, the results of the verification and validation measures are continuously documented in the V&V plan.

Waypoint 2 - Risk assessment

Key question
What risks arise from the machine in its different operating modes?

Requirements
The functional specification of the machine is complete and the team is formed.

General procedure

Legal and normative guidelines

The legal basis for executing a risk assessment is specified by the Machinery Directive: "The manufacturer of machinery or his authorized representative must ensure that a risk assessment is carried out in order to determine the health and safety requirements which apply to the machinery. The machinery must then be designed and constructed taking into account the results of the risk assessment." [1]

This once again makes the central importance of the risk assessment clear. Reference [5] states: "Risk assessment is the overall process of risk analysis and risk evaluation. It is a sequence of logical steps which makes it possible to analyze and assess the hazards associated with machines systematically."

The aim is therefore that all risks that may arise from a machine are detected and assessed. Based on this, safety concepts are to be developed that reduce the risks to an acceptable level. For this reason the development begins with the risk assessment, and the assessment has to be adjusted continually in the course of the development. Designing a machine without sufficient consideration of safety aspects is no longer acceptable from the economic point of view, considering the cost and time specifications of today's development processes. Risks should be avoided as far as possible and/or kept as small as possible by appropriate measures already during the construction process.

Risk minimization

To ensure safe dealing with machines or systems, the risk is to be minimized by technical and organizational measures (Figure 3). In Figure 4 the assignment to the so-called Performance Level (PL, from EN ISO [2]) and/or Safety Integrity Level (SIL, from IEC [4]) is made. These classifications describe the effort required for the minimization of a risk to an acceptable level according to the standard. As it is usually not possible to eliminate the risk completely, a residual risk still remains in many cases [5].

Figure 3: Risk reduction to a tolerable residual risk level. Starting from the risk without safeguarding, the necessary risk minimization brings the risk down to the tolerable risk; the actual risk minimization is achieved by risk reduction through technical measures (constructive, electrical/electronic safety equipment, etc.) and by risk reduction through non-technical/organizational measures, leaving a residual risk.

Figure 4: Classification of the necessary effort for a risk reduction. PL/SIL describes the required effort for reduction of a risk to a tolerable level: PL a, PL b, PL c (SIL 1), PL d (SIL 2), PL e (SIL 3), in order of increasing risk.

Risk assessment process

Information on the general procedure is specified in EN ISO [5]. The following points are included:

1. Risk analysis
   a. Specification of machine limits
   b. Identification of hazards
   c. Risk estimation
2. Risk assessment

The risk assessment is repeated after each measure for risk minimization, until it comes to the conclusion that the risk is sufficiently reduced (Figure 5). This means that various steps are to be performed, whose contents are explained by means of quotations from EN ISO [5]. An overview of the procedure and content of the risk assessment can be found in [3]. The risk assessment is displayed as an iterative process performing a re-assessment.

Figure 5: Iterative process for reaching a tolerable risk level. Start; is there a C standard with risk analysis? If no: definition of system limits, hazard identification and risk estimation (risk analysis), followed by the risk assessment. Has the risk been minimized sufficiently? If no: risk minimization, then back to the risk estimation; if yes: end.

Risk analysis

"The risk analysis provides the information required for the risk assessment, which in turn provides a basis for making decisions about the need for a risk minimization." [5]

As already described, it is required to know how high the risk is. For this purpose, the machine limits have to be defined. As manufacturer, you should be aware of the intended use of your machine, as well as considering any predictable misuse. This includes:

- limits of use
- spatial limits
- temporal limits
- further limits

Limits of use are defined by the various operating modes of the machine and the different possibilities for intervention by the user. These also include interventions required by malfunctions during machine use. In addition, the field of application of the machine must be defined, for example, whether it is restricted to industry, trade, and/or household.

There are also considerations about people working with the machine, for example:

- gender
- age
- physical skills (also limits of these skills, such as reduced eyesight or restrictions for employees with pacemakers)

Very important are also considerations about the education, experience, or skills of the operators:

- operators
- maintenance personnel or technicians
- sales representatives of the manufacturer
- cleaning staff

For production machines, further considerations are required regarding other people that may be exposed to hazards in relation to the machine:

- operators working in the vicinity: these are probably aware of the specific hazard.
- other employees working in the vicinity, but, for example, not in the production area: these are familiar with the basic safety measures of the operator but hardly with specific hazards arising from the respective machine.
- persons in the vicinity who are not employees (for example, visitors): these are not aware of specific hazards, nor do they know the company's basic safety measures.

For spatial limits, the following is to be considered:

- the motion area
- the space requirement of persons working with the machine, for example, during operation and maintenance
- interactions between man and machine, for example, the man/machine interface
- the interface between machine and energy supply

Temporal limits concern the machine's lifetime or also the lifetime of wearing parts (for example, brakes, if they are part of the safety concept) as well as maintenance intervals.

Further limits can be temperatures, climatic conditions, effect of dust, etc. The properties of the material to be processed must also be considered.

Hazards

The next step of the risk assessment concerns the identification of hazards. This can be regarded as the actual core of the task. From the point of view of safety technology, hazards arising from machines will also lead to incidents during the life cycle. In order to take appropriate measures, these must first be identified. But how is it possible for a manufacturer to identify all hazards? In this respect, standards provide assistance. On the one hand, there are machine-specific C standards with concrete specifications. In addition, there is a general basis for the implementation of risk assessments in the EN ISO. In the following, the EN ISO is considered more precisely.

Hazards are divided into hazard groups and/or hazard types:

- mechanical hazards
- electrical hazards
- thermal hazards
- noise hazards
- vibration hazards
- radiation hazards
- material/substance hazards
- ergonomic hazards
- hazards in connection with the machine's operational environment
- combination of hazards

These are further divided; mechanical hazards, for example, into:

- crushing
- shearing
- detecting
- winding
- seizing
- cutting
- pushing
- friction
- as well as further hazards

It therefore becomes clear that a risk assessment can be schematically and rigidly predetermined, but the effort will be extremely high. In addition, clarity is rarely given. If you combine, for example, the above-mentioned hazard types with the usual life cycles of a machine and the tasks specified in the standard (here the transport example), such as lifting, loading, packaging, transporting, unloading, unpacking, several hundred points of view emerge for the mechanical hazards part alone. On the opposite side are the measures to be taken. For the written documentation of the risk assessment for a hazard area covered, for example, by a fixed guard, it does not make sense that the description of the safeguarding is listed for every single hazard type/injury type/task.
Even for simple machines, there would be risk assessments filling many pages. At this point it is necessary to find a compromise without neglecting a hazard. In practical handling, summarizing different hazard types for which the safeguarding also enables an equal treatment has proved to be advantageous for the written format.

The same applies to dividing machines into hazard areas. Considering complex machines as a whole leads to a lack of precision. Experience has shown that there is a risk of not detecting essential things. On the other hand, it does not make sense to always consider machines as individual components either. There doesn't seem to be a panacea. Often the consideration on component level has been a good compromise. On the one hand, this is a usual division in mechanical engineering firms (often also of responsibilities); on the other hand, different hazards can be overseen in detail.

It is important to consider which information is required for a risk assessment. This, however, depends on the safety measures used. For example, it is absolutely necessary for the conception of a fixed guard to consider how high the risk is. Whether the drive for the decisive motion is operated electrically or pneumatically has no direct influence. However, the situation is completely different if safety-related parts of controls are part of the safety measure. Even the design of the drive is important in this case, as the measures for switching off can be very different. If a component has several drive elements, they might also differ in terms of hazard potential, thus allowing different measures.

Life stages

If the life stages are considered as a further division aspect, it is also required to find an appropriate solution. It is essential to consider all life stages, such as:

- setup/installation
- commissioning in the assembly plant
- transport
- commissioning at the customer
- production mode
- troubleshooting
- format conversion or other modifications
- repair/maintenance

It often makes sense to choose different detail levels for different life stages. The life stage "Transport" is an example of this. Often a machine is transported as a whole. Insofar it makes little sense to consider the life stage "Transport" in detail for each component, unless forces are applied or transport equipment is installed. The same applies to production, commissioning, or repair.

Risks

The next step of the risk analysis is the risk estimation. The following points must first be clarified: the degree of damage and the probability of a damage. Aspects are:

- How high is the risk of being injured?
- How often does exposure to the hazard occur?
- How long does the exposure to the hazard last?
- How likely is it that the hazardous state occurs?
- Who is exposed to the hazard?
- Can this person do something to fight this hazard?

Risk assessment of the example machine

In the following, the risk assessment is performed for our example machine. It is a lathe used for processing workpieces and involves different risks depending on the life stages to be considered. In order to estimate these risks at all, the machine is stripped of all (probably already existing) safety functions. Only the so-called fixed safety equipment remains, such as walls that cannot be removed or covers on the machine. All doors, light grids, etc. are removed for the assessment.

[Figure 6: Risk assessment of the example machine (lathe with the risk locations R1 to R4 marked)]

The risks to be considered are labeled R1 to R4 in Figure 6.

- R1: Clamping tool, rotating (risk: trapping when starting up the machine, with severe injuries)
- R2: Cover on machine parts (risk: clamping between equipment parts)
- R3: Access to the machine's fan (risk: severe injuries when putting the hands into it)
- R4: Access to gear parts (risk: severe injuries when putting the hands into it during greasing or cleaning)

Whereas risks R2 to R4 only come into consideration during maintenance and installation work, risk R1 occurs several times during operation. Workpieces have to be clamped and adjusted regularly. A sudden and unexpected startup of the machine may result in severe injuries to the operating personnel.

In order to assess the risk and the measure to be taken for a risk reduction, the risk graph in Figure 7 according to the standard EN ISO is used [2]. This risk graph classifies the risk according to three assessment criteria [2]:

- severity of the injury (S)
- frequency of the person's contact with the danger zone (F)
- possibility of escape (P)

The criteria take the following values:

- S: severity of the injury. S1: reversible injury; S2: irreversible injury
- F: frequency. F1: rather rare; F2: often or always
- P: possibility of escape. P1: probably possible; P2: rather impossible

[Figure 7: Classification via risk graph according to EN ISO. Tree from the starting point over S1/S2, F1/F2 and P1/P2 to the required performance level PL a to e (a: low contribution to risk reduction, e: high contribution to risk reduction)]

[Figure 8: Classification of the risk by an unexpected startup of the machine (path through the risk graph of Figure 7 for risk R1)]

As indicated in the risk graph according to the standard EN ISO, severe (irreversible) injuries may be caused by an unexpected startup of the turned part (S2) (see Figure 8). Furthermore, the person must reach the danger zone more frequently (F2: several times within one hour). However, the person may escape, as the startup of the machine is rather slow (P1). Overall, risk R1 requires a PL value of "d".

Results

A risk analysis has been performed and documented. Hazards arising from the machine have been identified and the resulting risks have been evaluated using the example of risk R1. The calculated performance level (PL value) is the basis for the selection of further measures for risk minimization.

Waypoint 3 - Specification of the risk minimization

Key question

How are risks detected during the risk assessment reduced to a tolerable level?

Requirements

The basis for a specification of the risk minimization is the result of the previous risk analysis at Waypoint 2. Depending on the detected performance level (PL value), it is determined which measures are to be used for reducing the detected risks. The necessary risk reduction should be performed in two steps:

1. Reduction by changing the construction
2. Reduction by use of technical safety equipment and safety components

Risk minimization of the example machine

With the risk assessment at Waypoint 2, a required performance level of "d" (PL d) has been detected for the safe operation of the example machine (only risk R1). The safety measure required here is now to be determined.

[Figure 9: Measure for risk reduction by fencing with safety door]

Selection of safeguarding

The whole machine is fenced and has a safety door (Figure 9). The fence prevents direct access by persons. To allow the machine to be monitored during operation, the fence has Plexiglas walls which cannot be damaged by ejected parts. However, the fence has a safety door to enable a person to enter the area of the rotating clamping tool (Figure 9). As soon as the person opens the safety door, the drive of the clamping tool must be stopped safely to prevent any further rotation [6], [7]. The safety door is mechanically designed to open outwards only. This means that the person first has to step back before entering the danger zone. As this process takes at least 1-2 seconds, it must be ensured that the rotation of the machine has completely decayed within this timeframe. The complete safety chain must be sufficient for the PL value of "d" detected in the risk assessment at Waypoint 2 [7].

As displayed in the figure, there is also an emergency-stop button next to the safety door to stop the machine safely in the event of danger, independent of the mentioned safety function. This emergency-stop function is a complementary safety function [8]. The PL value valid here is based on the requested PL value of the safety function.

Specification of the safety function

According to Figure 9, the example machine is equipped with a safety door, monitored for closed position via safe position switches, and an emergency-stop button. When the position switch or the emergency-stop button is activated, the example machine is to be stopped safely. For a safe machine stop, there are different procedures. Suitable are, for example:

- a controlled stop with safely monitored delay time
- an uncontrolled stop with mechanical brake

As the safe state is requested very often (workpiece change), the stop of the drive is to be controlled. This procedure has the advantage over the mechanical brake that no wearing parts have to be considered in the safety assessment. The request is executed via the drive's internal safety function SS1 (Safe Stop 1). For the SS1 function (Safe Stop 1 or stop category 1 according to EN), the drive is first brought to standstill. The safety function monitors the braking ramp. Then, the drive's internal safety function STO (Safe Torque Off) is activated. In this state, the drive is safely torque-free.

[Figure 10: Process of the SS1 function (speed over time, with the input and output signals and the SS1 time)]

Specification of the safety functions

Safety function SF1: Stop after opening the safety door

The safety door is monitored via two position switches. The position switches function antivalently (1 N/C and 1 N/O) and are evaluated via the Safety Alliance control. For further consideration (calculation of the reachable performance level by means of SISTEMA), we assume that the safety door is actuated once every 10 minutes and that the machine is in multi-shift operation day and night, 365 days a year. By means of the mechanical construction and assembly, it must be ensured that when the safety door is opened, clear signals are applied at the Safety Alliance control within 100 ms. When the safety door is open, the safety function SF1 is activated and a speed set value of 0 is specified for the drive. The permissible deceleration time (SS1 time) is specified when developing the safety concept and is set via a parameter in the safety function SS1 (ramp monitoring time). For the example machine, a maximum ramp monitoring time of 1 s is defined. Once activated, a stop sequence can no longer be interrupted. When the safety function is activated and the ramp monitoring time has elapsed, the drive is switched to the safe state (STO) by the safety function. This state can only be left if the safety function is enabled again by an acknowledgement signal.

Safety function SF2: Stop after activating the emergency-stop button

Emergency-stop is a complementary safety function. A two-channel emergency-stop button is used as the switching element for implementing the emergency-stop function. Two-channel evaluation takes place at safe inputs and outputs evaluated by a Safety Alliance control. For further consideration, it is assumed that the emergency-stop button is activated or checked once a month. The further implementation takes place as described for SF1.

Safety function SF3: Protection against unintended restart (restart inhibit)

After safety function SF1 or SF2 has been activated and the deceleration time has elapsed, the drive is torque-free (STO active). This state can only be left by an acknowledgement/enable signal. It is generated manually via an enable button. While the safety function is requested (activated emergency-stop button or position switch), the enable button has no function. The enable button itself can be a standard component. Its signals, however, must be processed in such a way that errors will not lead to an unintended startup of the machine.

Safety function SF4: Selection of the operating mode

In the example machine, we now focus on the operating mode "Production". The selection of the operating mode must also be done safely.

Results

The minimization of risks by means of suitable measures (safety functions) is specified and documented. If necessary, several iterations between Waypoint 2 and Waypoint 3 were performed (see also Figure 5). Compliance with the performance level detected at Waypoint 2 is reached when implementing the specification and safety functions in the following waypoints. This completes the risk assessment process.

Waypoint 4 - Validation planning

Key question

How will the specified safety functions be tested, and which results are expected?

Requirements

The risk assessment, including the specification of the risk minimization as well as of the safety functions, is completed.

General procedure

During validation planning, it is defined how the specified safety functions will be tested in practice. The results are given in text or table form, stating the test action to be performed, in which situation and/or in which operating mode of the machine, and which response is to be given by the machine. For better traceability, a reference to the respective safety function is given.

Validation planning for the example machine

Function test

Table 6: Validation plan for the safety functions of the example machine

| Test No. | Initial situation | Test action | Tested safety function | Expected response |
|---|---|---|---|---|
| VT1 | Machine is running | Emergency-stop button is activated | SF2 | Machine decelerates and then switches to the torque-free state |
| VT2 | Machine is running | Safety door is opened | SF1 | Machine decelerates and then switches to the torque-free state |
| VT3 | Machine is in torque-free state; emergency-stop button is activated | Enable button is activated | SF3 | Machine remains in torque-free state |
| VT4 | Machine is in torque-free state; safety door is open | Enable button is activated | SF3 | Machine remains in torque-free state |
| VT5 | Machine is in torque-free state; emergency-stop button is not activated; safety door is closed | Enable button is activated | SF3 | Machine starts drive |

Test of the diagnostic functions

Table 7: Validation plan for the diagnostic functions of the example machine

| Test No. | Initial situation | Test action | Expected response |
|---|---|---|---|
| VT6 | Machine is running | Fieldbus is interrupted | Machine switches to torque-free state; frequency converter switches independently to safe state |
| VT7 | Machine is running | Safety circuit 1 is interrupted (see Figure 14) | Machine decelerates and then switches to the torque-free state |
| VT8 | Machine is running | Safety circuit 2 is interrupted | Machine decelerates and then switches to the torque-free state |
| VT9 | Machine is running | Safety circuit 1 is short-circuited with 24 V | Machine switches to torque-free state; safe output switches to error state |
| VT10 | Machine is running | Safety circuit 2 is short-circuited with 24 V | Machine switches to torque-free state; safe output switches to error state |

Provided that only certified products with guaranteed diagnostic properties are used, the corresponding tests in Table 7 can be dropped.

Results

The test of the safety functions is specified in the form of validation plans. Based on this, the correct implementation of the safety functions on the machine is tested later on.

Waypoint 5 - Implementation

Key question

How will the specified safety functions be realized technically?

Requirements

The minimization of the risks by means of suitable measures (safety functions) is specified and documented (result from Waypoint 3).

General procedure

Based on the specification of the safety functions, the concrete system and module design is specified and implemented. The system design includes the selection of suitable components according to specific parameters as well as the structural description of the resulting connection of the individual components. The module design includes a description of the safety application as well as the parameterization of the selected components. The practical realization is done by physically wiring the components according to the system design and by coding the safety application described in the module design.

Note: If you only use certified Safety Alliance system functions (ready-made function blocks) for the implementation of the safety functions, you can drop the module design/module test level according to [9] and [10], and the V model is then reduced by one level. This means that there is a signposted "shortcut" on the route to the safe machine. In case of any further questions, please consult your Safety Alliance contacts. You will find a contact list on Page 55.

Implementation on the example machine

System design

In order to reach the required performance level (PL d) for risk R1, a two-channel structure is selected for the implementation of the safety-related circuit equipment. This allows a larger number of components and parts to be combined without leaving the permissible tolerance range for the desired PL value.

Selection of components

The safety-related components selected here must enable the two-channel structure. Furthermore, it must be observed that the required safety level (PL d) can be reached with the safety parameters of the components. The following components are required for the implementation of the safety functions:

Table 8: Table with component examples

| Component | Type name | Manufacturer | Requirements |
|---|---|---|---|
| Safety controller | SafeControl | Safety Alliance | >= PL d |
| Safe inputs | SafeInput | Safety Alliance | >= PL d |
| Converter with safety module | SafeMotion Device | Safety Alliance | SS1 >= PL d |
| Emergency-stop button | | | EN |
| Position switch | | | EN |
| Mode selector switch | | | EN |
| Enable button | | | EN |

Remark: Concrete manufacturer and type names for the components mentioned in Table 8 can possibly be found in the manufacturer-specific annex or obtained from the contacts listed on Page 55.

Calculation of the reachable performance level by means of SISTEMA

At this point, a test of whether the performance level detected in the risk assessment (Waypoint 2) can be reached by the measures specified for the implementation is highly recommended. An early comparison of the reachable and the required performance level avoids aberrations and the associated additional costs in the project. The SISTEMA software utility is used for this test. The Windows tool models the structure of the safety-related control components based upon the so-called designated architectures and calculates reliability values with various levels of detail, including that of the attained performance level (PL). After registering with a valid address, the SISTEMA program is available to download free of charge from the website of the Institut für Arbeitssicherheit der Deutschen Gesetzlichen Unfallversicherung (IFA). Evaluation in SISTEMA starts with the definition of the safety functions and the configuration of the components involved in the respective safety function:

[Figure 11: Safety function and involved components (SISTEMA screenshot)]

The next step is to determine the safety-related parameters for the involved components. The Safety Alliance partners provide their products with a SISTEMA library in which all necessary safety-related parameters for these products are stored. For other products, for example, electromechanical components, the necessary parameters can be calculated with the tools integrated in SISTEMA. These tools offer, for example, assistance in calculating typical component values from EN ISO, and a catalog of diagnostic measures based on EN ISO. The following figures show examples of the relevant settings in SISTEMA for the safety function SF1: stop after opening the safety door.

[Figure 12: Calculator for MTTFd by means of the B10d method (SISTEMA screenshot)]

[Figure 13: Table of the required and/or attained performance levels (SISTEMA screenshot)]

Finally, SISTEMA offers a tabular overview of the safety functions with the required performance level PLr and the attained performance level PL. If the attained performance level PL is greater than or equal to the required performance level PLr, the implementation can be continued as planned. If at this point the attained performance level is too small, the safety function must be implemented differently (two-channel structure, other components, better diagnosis, etc.). When using programmable safety technology of the Safety Alliance partners and two-channel sensors/actuators, this is usually not the case.

Structure of the safety circuit

Evaluation of the safe switching elements takes place via a Safety Alliance control in connection with safe output and input terminals. To detect short circuits and cross circuits, the switching elements are supplied with a pulsed signal via the pulse outputs. The converter is connected to the Safety Alliance control by using a safe communication protocol via fieldbus. The button for enable/acknowledgement of the safe state is not part of the safety circuit and thus not listed as a safe component. The structure of the safety circuit and the concrete wiring of the individual components is displayed in Figure 14.

[Figure 14: Structure of the safety circuit (wiring diagram with safety door safety circuit 1 and safety door safety circuit 2)]

- S1: Emergency-stop button
- S2: Enable button
- S3: Mode selector switch
- B1: Position switch, 1 N/C contact with positive opening operation, opened by the safety equipment (TRUE if safety equipment closed)
- B2: Position switch, 1 N/O contact (TRUE if safety equipment closed)
- T1: Frequency converter
- M1: Motor

Module design

The module design is used to clarify the selected implementation. It includes a verbal description of the safety application and a block diagram. If a function is a much more complex relationship between several functions, this must be considered in greater detail. If necessary, a further description as well as a corresponding design is required. In addition, you have to define whether and how the functions to be implemented are tested. This is defined in a specification used as the basis for the module tests.

Every single module must go through a process of verification, simulation, and test according to IEC. By means of the module test, it is guaranteed that the intended function is executed correctly and that there is no unintended activation of functions (IEC Chapter [4]). In addition, it is guaranteed that the processes within the module are implemented correctly. Module tests can already be performed very early in the development phase by means of a simulation environment. The safe programming tool SAFEPROG provides an integrated simulation of the safety control. The simulation of the application program can significantly reduce the subsequent commissioning time, as systematic errors are detected earlier. In addition, it is a very effective measure to protect the person responsible for commissioning, because the project has already been tested for correct function.

Description of the safety application

In operating mode "Production", opening the safety door or triggering emergency-stop leads to a system stop. For this purpose, the command for requesting the safety function SS1 is transmitted to the drive by the safe control. The safety function is then executed by the drive, which reports the execution status to the safe control. The example is implemented in a module in the safe programming environment SAFEPROG. Figure 15 shows the basic design of the application program as a block diagram.

[Figure 15: Block diagram of the safety application. SafeDigitalInput03 and SafeDigitalInput04 feed GuardMonitoring (SF1), SafeDigitalInput01 and SafeDigitalInput02 feed EmergencyStop (SF2); both are combined by an AND into the Axis SS1 request to the frequency converter. SafeDigitalInput06 and SafeDigitalInput07 feed ModeSelector, SafeDigitalInput05 feeds Reset (SF3, SF4).]

For the implementation, the required function blocks and their parameterization are specified. Table 9 includes the specification and parameterization of the safety components and function blocks. It is defined which function blocks are used to implement each safety function, which parameters are to be set, and which input or output signals are involved.

Table 9: Specification and parameterization of safety components and function blocks

| Safety function | Function block / ID in the program | Parameter / value |
|---|---|---|
| SF1 - Stop after opening the safety door | SF_GuardMonitoring_V1_00 / SafetyGuard | S_StartReset (acceleration inhibit) = SAFETRUE (acceleration inhibit deactivated); S_AutoReset (restart inhibit) = SAFEFALSE (restart inhibit activated); DiscrepancyTime (discrepancy time) = 250 ms |
| SF2 - Stop after activating the emergency-stop button | SF_EmergencyStop_V1_00 / EmergencyStop | S_StartReset (acceleration inhibit) = SAFETRUE (acceleration inhibit deactivated); S_AutoReset (restart inhibit) = SAFEFALSE (restart inhibit activated) |
| SF1, SF2 | Manufacturer-specific / Axis | S_AxisID; Ramp Monitoring Time for SS1 (stop time) = 1 s |
| SF3 - Protection against unintended restart (restart inhibit) | | |
| SF4 - Selection of the operating mode | SF_ModeSelector_V1_00 / ModeSelector | S_Unlock (operating mode locked) = SAFETRUE; S_SetMode (manual acknowledgement of the operating mode) = SAFEFALSE; AutoSetMode (automatic change without acknowledgement) = TRUE; ModeMonitorTime (time expectation) = 500 ms |

| Safety function | Device / signal name in the program | Parameter / value |
|---|---|---|
| SF1 | SafeDigitalInput03 / SafetyGuardSwitch1 | Puls_Source = Puls 3 |
| SF1 | SafeDigitalInput04 / SafetyGuardSwitch2 | Puls_Source = Puls 4 |
| SF2 | SafeDigitalInput01 / EStop | Two-channel evaluation = equivalence with SafeDigitalInput02; discrepancy time = 50 ms; Puls_Source = Puls 1 |
| SF2 | SafeDigitalInput02 | Puls_Source = Puls 2 |
| SF3 | DigitalInput05 / Reset | |
| SF4 | SafeDigitalInput06 / ModeProduction | |
| SF4 | SafeDigitalInput07 / ModeSetup | |

In parallel, the module tests are developed. Table 10 includes the test actions and expected responses for the module tests. The following initial situations are assumed:

- emergency-stop button is pressed (signal EStop = FALSE)
- safety door is open (signals SafetyGuardSwitch1 and SafetyGuardSwitch2 = FALSE)
- operating mode 'Production' is not active (signal ModeProduction = FALSE)

Table 10: Test actions and expected responses for module tests

| Module test no. | Test action | Expected response |
|---|---|---|
| MT1 | Activate operating mode 'Production': switch the ModeProduction input signal to TRUE | S_Mode0Sel state = TRUE (acknowledgement in simulation required); statusss1 = TRUE |
| MT2 | Unlock emergency-stop: switch the EStop input signal to TRUE | S_EStopOut state = FALSE (restart inhibit active); statusss1 = TRUE |
| MT3 | Close safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to TRUE | S_GuardMonitoring state = FALSE (restart inhibit active); statusss1 = TRUE |
| MT4 | Positive edge at Reset: switch the Reset input signal to TRUE | statusss1 = FALSE |
| MT5 | Open safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to FALSE | S_GuardMonitoring state = FALSE; statusss1 = TRUE |
| MT6 | Close safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to TRUE | S_GuardMonitoring state = FALSE (restart inhibit active); statusss1 = TRUE |
| MT7 | Positive edge at Reset: switch the Reset input signal to TRUE | statusss1 = FALSE |
| MT8, MT9, MT10 | Repeat steps MT5 to MT7 with the EStop input signal instead of SafetyGuardSwitch1 and SafetyGuardSwitch2 | See steps MT5 to MT7 |
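The module tests of Table 10 (and the function tests VT1 to VT5 of Table 6) can be exercised against a model of the safety application from Figure 15 and Table 9 before any hardware exists. The following simulation is an added example and not code from the Safety Alliance, SAFEPROG or SISTEMA; the 10 ms cycle time, the immediate acknowledgement of the operating mode and the latched discrepancy fault are assumptions of this example, and it adds two checks the table does not list: a reset edge during the 1 s SS1 ramp, and a channel discrepancy on the door switches.

```python
# Added example (not Safety Alliance, SAFEPROG or SISTEMA code): cyclic simulation of
# the safety application of Figure 15 / Table 9, run through the module tests of
# Table 10.  The 10 ms cycle, immediate mode acknowledgement and latched fault are assumptions.
from dataclasses import dataclass

CYCLE_MS = 10                  # assumed PLC cycle time
DISCREPANCY_TIME_MS = 250      # DiscrepancyTime of SF_GuardMonitoring (Table 9)
SS1_RAMP_MONITORING_MS = 1000  # Ramp Monitoring Time for SS1 (Table 9)

@dataclass
class Inputs:                      # TRUE = released / closed / selected / pressed
    estop: bool = False            # EStop (two-channel emergency-stop button)
    guard1: bool = False           # SafetyGuardSwitch1 (N/C channel of the door)
    guard2: bool = False           # SafetyGuardSwitch2 (N/O channel of the door)
    mode_production: bool = False  # ModeProduction
    reset: bool = False            # Reset (enable button, standard input)

class SafetyApplication:
    """Cyclic program; call cycle() once per CYCLE_MS with the current inputs."""
    def __init__(self):
        self.mode0_sel = False    # S_Mode0Sel
        self.estop_out = False    # S_EStopOut: FALSE = stop demanded / restart inhibit
        self.guard_out = False    # S_GuardMonitoring: FALSE = stop demanded / restart inhibit
        self.status_ss1 = True    # statusss1: TRUE while SS1/STO holds the drive
        self.sto = True           # drive is torque-free (Safe Torque Off)
        self.ramp_ms = None       # elapsed SS1 ramp monitoring time, None if no ramp runs
        self.discrepancy_ms = 0   # time for which the two guard channels have disagreed
        self.fault = False        # latched discrepancy fault
        self._prev_reset = False

    def cycle(self, inp):
        # SF4: mode selection (manual acknowledgement assumed to be given at once)
        self.mode0_sel = inp.mode_production
        # SF1: the antivalent door switches must agree within DiscrepancyTime
        if inp.guard1 != inp.guard2:
            self.discrepancy_ms += CYCLE_MS
            self.fault |= self.discrepancy_ms > DISCREPANCY_TIME_MS
        else:
            self.discrepancy_ms = 0
        guard_closed = inp.guard1 and inp.guard2 and not self.fault
        # SF3: Reset is a positive edge; it has no function while a safety function
        # is requested or a stop sequence is still running
        reset_edge = inp.reset and not self._prev_reset
        self._prev_reset = inp.reset
        if not (guard_closed and inp.estop and self.mode0_sel) or self.ramp_ms is not None:
            reset_edge = False
        # SF1/SF2 with S_AutoReset = SAFEFALSE: output drops at once, returns on reset edge
        self.guard_out = guard_closed and (self.guard_out or reset_edge)
        self.estop_out = inp.estop and (self.estop_out or reset_edge)
        # Drive: released only if all blocks enable it and no stop sequence is running;
        # otherwise SS1 is requested, the ramp is monitored for at most the ramp
        # monitoring time and then STO is activated (a started stop cannot be interrupted)
        release = self.guard_out and self.estop_out and self.mode0_sel
        if release and self.ramp_ms is None:
            self.sto = self.status_ss1 = False
        else:
            self.status_ss1 = True
            if not self.sto:
                self.ramp_ms = 0 if self.ramp_ms is None else self.ramp_ms + CYCLE_MS
                if self.ramp_ms >= SS1_RAMP_MONITORING_MS:
                    self.sto, self.ramp_ms = True, None
        return (self.guard_out, self.estop_out, self.status_ss1)

def step(app, inp, cycles=1, **changes):
    """Apply input changes, run `cycles` cycles; returns (S_GuardMonitoring, S_EStopOut, statusss1)."""
    for name, value in changes.items():
        setattr(inp, name, value)
    for _ in range(cycles):
        state = app.cycle(inp)
    return state

def press_reset(app, inp):
    """Positive edge at Reset: press the button for one cycle, then release it."""
    step(app, inp, reset=True)
    return step(app, inp, reset=False)

def run_module_tests():
    """MT1 to MT10 of Table 10, plus a reset edge during the 1 s SS1 ramp."""
    app, inp = SafetyApplication(), Inputs()                    # initial situation
    r = {}
    r["MT1"] = step(app, inp, mode_production=True)             # activate 'Production'
    r["MT2"] = step(app, inp, estop=True)                       # unlock emergency-stop
    r["MT3"] = step(app, inp, guard1=True, guard2=True)         # close safety door
    r["MT4"] = press_reset(app, inp)                            # positive edge at Reset
    r["MT5"] = step(app, inp, 120, guard1=False, guard2=False)  # open door, wait 1.2 s
    r["MT6"] = step(app, inp, guard1=True, guard2=True)         # close safety door
    r["MT7"] = press_reset(app, inp)                            # positive edge at Reset
    r["MT8"] = step(app, inp, 5, estop=False)                   # press emergency-stop
    r["MT9"] = step(app, inp, estop=True)                       # unlock emergency-stop
    r["MT9_reset_in_ramp"] = press_reset(app, inp)              # ramp running: no effect
    step(app, inp, 120)                                         # let the ramp expire (STO)
    r["MT10"] = press_reset(app, inp)                           # positive edge at Reset
    return r

def discrepancy_fault():
    """N/C channel alone reports 'closed' for 300 ms (> DiscrepancyTime): block faults, no release."""
    app, inp = SafetyApplication(), Inputs(estop=True, mode_production=True)
    step(app, inp, 30, guard1=True)
    step(app, inp, guard2=True)
    return press_reset(app, inp), app.fault
```

Running `run_module_tests()` reproduces the Table 10 column values (statusss1 TRUE until MT4, FALSE after each effective reset edge), while the reset edge issued during the ramp in MT9 and the faulted guard block leave the drive in the safe state.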

The integration test checks whether all modules interact correctly. The term "module" covers not only the programmed safety function but also further components, such as sensors and actuators. The aim of the integration test is to prove that the previously specified safety function is executed correctly and that no unintended function can endanger safety. For performing integration tests, the individual modules of the machine must already be merged or connected. Thus, in comparison to module tests, integration tests cannot be performed in a simulation environment. Table 11 includes test actions and expected responses for integration tests.

Table 11: Test actions and expected responses for integration tests

| Integration test no. | Test action | Expected response |
|---|---|---|
| IT1 | Activate/deactivate operating mode 'Production' | The ModeProduction input signal switches between TRUE/FALSE |
| IT2 | Press/unlock emergency-stop | The EStop input signal switches between FALSE/TRUE |
| IT3 | Safety door open/closed | The SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals switch between FALSE/TRUE |
| IT4 | Press/do not press Reset | The Reset input signal switches between TRUE/FALSE |

In this concrete example, there are only wiring tests. Depending on the complexity of the machine, further integration tests might be required, for example, for the communication between control components.

Coding

After completion of the system and module design, the implementation (coding) can begin. For coding, appropriate programming guidelines, such as EN ISO 13849, Annex J.4, "Example of programming rules" [2], are to be applied to make the code readable, clear, and testable. The parameterization is performed by means of the safe parameterization tool SAFEGRID, which is embedded in SAFEPROG. In addition, the implementation of the safety function is performed according to the previously specified design. In the course of the implementation, the required input/output channels are linked and the safety components used are parameterized according to the requirements.

Figure 16: Coding of the concrete example using SAFEPROG

Next is the parameterization of the safety components by means of SAFEGRID. Details of the specific parameters can be found in the device documentation of the manufacturer.

Results

The results of this waypoint are the design and implementation of the part of the safety application considered here as an example. A further result is the specification of the tests to be performed to ensure the correct implementation and function of the created safety application. Depending on the degree of complexity of the machine and the safety application, further parts are to be treated and implemented analogously. This also applies to further operating modes selectable via the mode selector switch, such as, for example, service and installation mode.

Waypoint 6 - Verification

Key question
How is the correct implementation of the safety functions proved and documented?

Requirements
The implementation of the safety functions must be completed, and the specification of the tests to be performed to ensure the correct implementation and function must be available.

General procedure
This waypoint describes which tests are used to prove whether the implementation of the safety function corresponds to its design, and whether the specified function is actually provided. As in Waypoint 5 (implementation), a distinction is made between module and system level, and the tests are performed according to the available test specification. All results are to be documented in a test report. When using safety controls and certified components of the Safety Alliance, the verification of the safety application can be carried out in the simulation environment EASYSIM, which is part of the safe programming system SAFEPROG. This offers the advantage, for series machine manufacturers in particular, that Waypoint 6 only has to be performed when the safety application is first developed. During the subsequent series production, the validation required in Waypoint 7 is thus reduced to a wiring and function test.

Verification on the example machine

Module tests

The tests can be performed by means of the simulation environment EASYSIM. The results are to be documented in a test report.

Table 12: Module tests on the example machine

Test execution information: Tested by: Mr. Finder; Date: 18/10/2014
Test candidate information: SAFEPROG; Date: ; SAFEPROG User: Developer

Test no. | Test action | Expected response | Result
MT1 | Activate operating mode 'Production': switch the ModeProduction input signal to TRUE | S_Mode0Sel state = TRUE (acknowledgement required in simulation); statusss1 = TRUE |
MT2 | Unlock emergency-stop: switch the EStop input signal to TRUE | S_EStopOut state = FALSE (restart inhibit active); statusss1 = TRUE |
MT3 | Close safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to TRUE | S_GuardMonitoring state = FALSE (restart inhibit active); statusss1 = TRUE | statusss1 state = FALSE (faulty parameterization; repeat testing); repeat: OK
MT4 | Positive edge at Reset: switch the Reset input signal to TRUE | statusss1 = FALSE |
MT5 | Open safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to FALSE | S_GuardMonitoring state = FALSE; statusss1 = TRUE |
MT6 | Close safety door: switch the SafetyGuardSwitch1 and SafetyGuardSwitch2 input signals to TRUE | S_GuardMonitoring state = FALSE (restart inhibit active); statusss1 = TRUE |
MT7 | Positive edge at Reset: switch the Reset input signal to TRUE | statusss1 = FALSE |
MT8, MT9, MT10 | Repeat steps MT5 to MT7 with the EStop input signal instead of SafetyGuardSwitch1 and SafetyGuardSwitch2 | See steps MT5 to MT7 |

SAFEPROG enables module tests to be carried out within the simulation environment EASYSIM. EASYSIM simulates the real safety control with the runtime system SAFEOS. After starting the simulation mode in the development environment SAFEPROG, EASYSIM is started automatically when an online connection is opened. As soon as the user program has been downloaded to the simulation, all global input and output variables can be controlled on the graphical interface. This way, the behavior of input sensors in the user program can be simulated. By means of the output variables, the specific behavior can be tested. The screenshots in Figure 17, Figure 18, and Figure 19 show the simulated execution of module test MT5.

Figure 17: Performance of module test MT5 using EASYSIM - Part 1

In the lower area of the simulation environment, the TRUE or FALSE state is set for each input. During the subsequent run through the individual steps, the value at the outputs is indicated according to the program logic. In the above example, step 1 is the initial state with the safety door closed. Step 2 then simulates opening the safety door, which is equivalent to test case MT5. The expected response can, for example, be seen at the variable "statusss1". In parallel to the simulation environment, the program behavior can also be observed in the variable status of the development environment. Figure 18 displays the state prior to the execution of test step MT5 (corresponding to step 1 in Figure 17). Values, parameters, and connection lines displayed in blue represent the value FALSE; those displayed in red represent the value TRUE. The input variables SafetyGuardSwitch1 and SafetyGuardSwitch2 have the value TRUE, which is equivalent to a closed safety door. The feedback from the safe drive is written to the variable statusss1. As the safety function is not requested, the variable statusss1 has the value FALSE.

Figure 18: Implementation of module test MT5 using EASYSIM - Part 2
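The module-test specification of Table 10, its recorded execution in Table 12 and the MT5 walkthrough above can also be replayed as an executable check. The following Python model is an added example, not SAFEPROG/EASYSIM code or code from the Safety Alliance: it models the two monitored inputs with a restart inhibit, the mode selection and the drive feedback statusss1, runs MT1 to MT10 and reports deviations like the Result column. Assumptions: SS1 is taken as requested whenever mode, emergency-stop or guard do not enable the drive, the EASYSIM acknowledgement step is not modelled, and restart_inhibit=False is a constructed fault (automatic restart instead of restart inhibit) that reproduces the statusss1 = FALSE observed at MT3 in Table 12, since the page does not describe the actual parameterization fault.

```python
# Initial situation of Table 10: e-stop pressed, door open, 'Production' not active.
INITIAL = {k: False for k in ("EStop", "SafetyGuardSwitch1",
                              "SafetyGuardSwitch2", "ModeProduction", "Reset")}
OUTPUTS = ("S_Mode0Sel", "S_EStopOut", "S_GuardMonitoring", "statusss1")

class SafetyApp:
    def __init__(self, restart_inhibit=True):   # False: assumed fault, automatic restart
        self.restart_inhibit = restart_inhibit
        self.S_Mode0Sel = self.S_EStopOut = self.S_GuardMonitoring = False
        self.statusss1 = True          # drive feedback: SS1 requested at start (assumption)
        self._reset_prev = False
    def _monitor(self, safe_in, out_prev, reset_edge):
        if not safe_in:
            return False               # demand: the safe output drops at once
        if not self.restart_inhibit:
            return True                # faulty variant: restarts without a Reset
        return out_prev or reset_edge  # restart inhibit: FALSE until a Reset rising edge
    def cycle(self, i):
        reset_edge, self._reset_prev = i["Reset"] and not self._reset_prev, i["Reset"]
        self.S_Mode0Sel = i["ModeProduction"]   # EASYSIM acknowledgement step not modelled
        self.S_EStopOut = self._monitor(i["EStop"], self.S_EStopOut, reset_edge)
        door = i["SafetyGuardSwitch1"] and i["SafetyGuardSwitch2"]
        self.S_GuardMonitoring = self._monitor(door, self.S_GuardMonitoring, reset_edge)
        # assumption: SS1 stays requested until mode, e-stop and guard all enable the drive
        self.statusss1 = not (self.S_Mode0Sel and self.S_EStopOut and self.S_GuardMonitoring)
        return {k: getattr(self, k) for k in OUTPUTS}

DOOR_OPEN = {"SafetyGuardSwitch1": False, "SafetyGuardSwitch2": False}
DOOR_CLOSED = {k: True for k in DOOR_OPEN}
MODULE_TESTS = [  # Table 10 transcribed: (test no., input changes, expected responses)
    ("MT1", {"ModeProduction": True}, {"S_Mode0Sel": True, "statusss1": True}),
    ("MT2", {"EStop": True}, {"S_EStopOut": False, "statusss1": True}),
    ("MT3", DOOR_CLOSED, {"S_GuardMonitoring": False, "statusss1": True}),
    ("MT4", {"Reset": True}, {"statusss1": False}),
    ("MT5", DOOR_OPEN, {"S_GuardMonitoring": False, "statusss1": True}),
    ("MT6", DOOR_CLOSED, {"S_GuardMonitoring": False, "statusss1": True}),
    ("MT7", {"Reset": True}, {"statusss1": False}),
    ("MT8", {"EStop": False}, {"S_EStopOut": False, "statusss1": True}),
    ("MT9", {"EStop": True}, {"S_EStopOut": False, "statusss1": True}),
    ("MT10", {"Reset": True}, {"statusss1": False}),
]

def run_module_tests(restart_inhibit=True):  # -> {test no.: "OK" or deviating signals}
    app, inp, report = SafetyApp(restart_inhibit), dict(INITIAL), {}
    for no, changes, expected in MODULE_TESTS:
        inp.update(changes)
        observed = app.cycle(inp)
        inp["Reset"] = False           # pushbutton released again (no two Reset steps in a row)
        report[no] = {k: observed[k] for k in expected if observed[k] != expected[k]} or "OK"
    return report
```

With the restart inhibit parameterized, all ten steps report OK; with the constructed fault, MT3 reports S_GuardMonitoring = TRUE and statusss1 = FALSE, which is the kind of deviation the test report of Table 12 records.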