Information
-
Machinery Safety - Validation
-
Document No.
-
Client
-
Site
-
Customer Site
-
Conducted on
-
Prepared by
Executive Summary
Scope of this Document
Objective and Scope
Validation
Standards Referenced in this document
Testing of SRPCS
Revision
-
Revision Reason
-
By whom
Phase 1 - Mechanical & Integrated Safeguards
Documentation Reviewed
-
Risk Assessment reviewed
-
Are there Functional Safety Descriptions (FSDs) available?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Check with the OEM for pre-start checklists of the safety functions. The OEM can reasonably be expected to share these together with the Functional Safety Descriptions.
-
Is an SRS available?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Is there a SISTEMA report or similar?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Are pre-start commissioning checklists available?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Is residual risk identified in the risk assessment?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
For safety PLC and Configurable Safety Systems - is there an SSRS or similar documentation?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Documentation List
-
Document Type
-
Document Number
Machine Identification
-
Type of Machinery
-
Basic machine operation
-
Photo
-
Installation type
-
Manufacturer of Machine
-
Machine Model Number
-
Machine Serial Number
Machinery Safeguarding Analysis
-
Area of machine:
Guarding is compliant when, according to ISO14119, the guard fixings are considered tamper-proof and robust enough to withstand tampering.
-
Safeguards are required on this machine.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Type of Safeguards
-
Safeguards selected are the appropriate type for the process
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
-
Safeguards are fixed in place, secured by appropriate fixings, and correctly interlocked.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
-
All identified gaps are considered compliant
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
-
Safeguards prevent access to dangerous moving parts.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
Supervision of all tools required to open guards is strongly recommended. Operators and cleaners, for example, should not have uncontrolled access. The FLM or local supervisor should retain such tools and log their use for verification (incident management). It is normal for maintenance personnel to have access to such tools.
-
A tool is required to remove existing guarding.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Is there a permit system in place prior to the removal of guarding (Safe System of Work)?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Conveyors Only
-
Detail Recommended Actions
-
Conveyors are designed to be compliant with AS 4024-1310 & 12 & EN 619-2021
All electrical cabinets, MCCs, DBs and control boxes must be securely fitted with covers and locked at all times, so that only certified electrical personnel have access (per AS/NZS 3000:2008).
-
Are all electrical fixtures covered and locked?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
-
Machinery has integrated safeguarding (e.g. two-hand or hold-to-run jog operation) allowing operation through guards (not whole-body access).
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
See details in Predictable Failure Testing of Complementary Safety Functions
-
Are walkways, platforms, self-closing gates and guard rails used to allow safe access to machinery?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Are they compliant?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Detail Recommended Actions
-
Wherever possible, all monitoring, adjustment and maintenance points should be located outside the guarded area to allow safe maintenance. Every effort should be made to locate such points in safe areas, but this is not always achievable.
-
Is LOTO isolation present on the machinery and where possible located outside of the guarded or hazardous areas?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
LOTO devices are located close to the equipment they isolate, or in a logical position.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Does the site have robust LOTO procedures documented?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Types of Isolation present
-
Electrical Isolator is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Pneumatic Isolator is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Hydraulic Isolator is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Steam Isolator is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Water Isolator is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Gas Isolation is fitted
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Phase 2 - Safety Controls System Validation
- Phase 2 Validation of the Logic System
-
Safety Logic Subsystems on this machinery.
-
Logic Device ID
-
Type of safety logic
- Safety Relays
- Safety Configurable Relays
- Safety PLC
- No Safety Logic Required
- Combination of Safety Logic and Safety Relays
- Safety Logic required but not installed
-
Safety PLC and Configurable Relay Subsystems comprise
-
Mechanical damage not present on the device.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Are all the safety logic devices securely mounted (DIN rail, screw base, etc.)?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Are all the connections to the safety devices secure?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Installation is IP2X
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
EMC mitigation is considered for the safety installation
-
Is there an SSRS available, or evidence of safety software fault checking?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
How has the software been checked for errors and systematic failures?
-
What is the highest PL that can be achieved by this Safety Logic Subsystem?
-
PL actual may meet or exceed PLr (PL required)
-
PL actual may not meet PLr (PL required)
Machinery Normal Operation
-
Verify that the Machine can be placed into a ready-to-run condition
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Initial Condition: Machine is idle - contactors open, drives off
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Verify that all safety contactors are closed (Contactors and Pneumatic / Hydraulic Safety Valves are energised.)
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Verify all emergency stop pushbuttons are released, and door switches are in a safe state
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Verify that Safety Logic Subsystem is healthy.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Start the machine.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Normal Operation Confirmed
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Phase 3 - Predictable failure testing
Fault testing Analysis of Safety Control System
-
Emergency Stops & Lanyard Switches
-
Device ID
-
Actuator and background colour is compliant (as per EN ISO13850: red twist-to-release / latching actuator on a yellow background, for contrast, identification and colour blindness).
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Located correctly as per risk assessment.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
ESTOP shroud is fitted (as per EN ISO13850, a shroud can only be allowed in specific scenarios where it is impossible to put the switch in a location where nuisance tripping cannot occur)
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Recommended Actions to rectify
Testing Criteria - as far as possible, all reasonable tests are carried out on safety devices. Some tests cannot be done for technical reasons: for example, no test pulses are used on Safety PLC dual-channel inputs, so no cross-short testing can be achieved. Magnetic safety switches will not be tested for cross shorts either, even with test pulses, as this test can permanently damage most of these types of non-contact switches.
-
As per AS 4024-2:2012 (EN ISO 13849-2:2012)
-
Lanyard ESTOP Testing
-
Lanyard ESTOP Installation
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Emergency Stops & Lanyard Switches SRPCS Testing
- Cross Short Test between input Channels (Cat 3 & 4)
- Input Channel Lost Signal (removal of one channel)
- 24 VDC intrusion
- Earth Fault or 0v test where applicable
-
Cross Short Test Result
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Input Channel Loss Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
24 VDC intrusion Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Earth Fault Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
Interlock Switches
-
Device ID
-
What type of switch is this?
-
Interlock has fault exclusion for mechanical failure of actuator
- Yes
- No
- N/A
- Actions Required
- NO
- YES
Testing Criteria - as far as possible, all reasonable tests are carried out on safety devices. Some tests cannot be done for technical reasons: for example, no test pulses are used on Safety PLC dual-channel inputs, so no cross-short testing can be achieved. Magnetic safety switches will not be tested for cross shorts either, even with test pulses, as this test can permanently damage most of these types of non-contact switches.
-
As per AS 4024-2:2012 (EN ISO 13849-2:2012)
-
Interlock Switches SRPCS Testing
- Cross Short Test between input Channels (Cat 3 & 4)
- Input Channel Lost Signal (removal of one channel)
- 24 VDC intrusion
- Earth Fault or 0v test where applicable
-
Cross Short Test Result
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Input Channel Loss Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
24 VDC intrusion Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Earth Fault Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
ESPE Validation
-
Are Presence Sensing Devices used on this machinery?
- Yes
- No
- Yes, but combined with other safeguards.
- Integration to other machinery may give rise to further analysis
-
Device ID
Testing Criteria - as far as possible, all reasonable tests are carried out on safety devices. Some tests cannot be done for technical reasons: for example, no test pulses are used on Safety PLC dual-channel inputs, so no cross-short testing can be achieved. Magnetic safety switches will not be tested for cross shorts either, even with test pulses, as this test can permanently damage most of these types of non-contact switches.
-
As per AS 4024-2:2012 (EN ISO 13849-2:2012)
-
What type of ESPE are used on this machinery?
- Type 4 Safety Light Barriers (Res > 14mm) Finger Resolution
- Type 4 Safety Light Barriers (14 mm < Res < 40 mm) Hand Resolution
- Type 4 Safety Single Beam Sensors
- Type 4 Safety Light Curtains (Res <40mm)
- Safety Laser Scanner (Cat3,PLd)
- Type 2 Safety Light Curtains (14 mm < Res < 40 mm) Hand Resolution
- Type 2 Safety Light Barriers (Res > 14mm) Finger
- Safety Bumpers - PLd
- Safety Edges - PLd
- Safety Mats - PLd
-
Are safety stopping distances correct to prevent reaching the hazard? See standards such as AS4024:2801 for guidance
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Details of any limitations preventing correct placement with respect to AS4024:2801 or schedule action for relocation.
-
Compliant
-
Are safety devices mounted at the correct height above the floor or conveyor to protect against unauthorised entry? See ISO13855:2010 and AS4024:2801 for guidance.
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Details of any limitations preventing correct placement with respect to AS4024:2801 or schedule action for relocation.
-
Compliant
-
Are the ESPEs selected the correct type for the application?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Is muting required on this setup?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
Muting testing required
- Test Concurrent or Sequential Muting
- Test Override is not permanent
- Test Muting Lamp Feedback (where fitted)
- Light Curtains Revert to normal operation post mute
-
ESPE Testing
-
Removal of OSSD test
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Removal of Output Channel test
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure
Complementary Measures (other than ESTOPs)
-
Are Complementary measures used on this machinery?
- Yes
- No
- Yes, but combined with other safeguards.
- Integration to other machinery may give rise to further analysis
-
Device ID
Testing Criteria
-
Complementary Safety Measures Used?
- Two Hand Controls
- Enable Switches - Hold To Run
- Safe Speed Monitoring
- Standstill Monitoring
- Foot Switches
- None Used
-
As per AS 4024-2:2012 (EN ISO 13849-2:2012) & EN574 III
-
For testing Two Hand Controls or Hold to Run Enable switches
- Hold one switch and after 1 second operate the second switch
- Operate both switches simultaneously, then release one switch
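The two test steps above, as an added example that is not part of this checklist: a small Python model of a two-hand control, run through step 1 (hold one switch, operate the second after 1 s), step 2 (both together, then release one) and a tied-down case. The 0.5 s simultaneity window and the switch names A/B are assumptions for illustration, not values taken from the standards cited.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

SIMULTANEITY_WINDOW_S = 0.5  # assumed limit for "simultaneous" actuation

@dataclass
class TwoHandControl:
    """Output runs only while BOTH switches are held and they were pressed
    within the simultaneity window. Releasing either switch stops the output;
    after a failed attempt both must be released before a new attempt."""
    pressed_at: Dict[str, Optional[float]] = field(
        default_factory=lambda: {"A": None, "B": None})
    output: bool = False
    locked_out: bool = False

    def press(self, sw: str, t: float) -> bool:
        self.pressed_at[sw] = t
        a, b = self.pressed_at["A"], self.pressed_at["B"]
        if a is not None and b is not None:
            if not self.locked_out and abs(a - b) <= SIMULTANEITY_WINDOW_S:
                self.output = True
            else:
                self.locked_out = True  # anti-tie-down: cleared only by full release
        return self.output

    def release(self, sw: str) -> bool:
        self.pressed_at[sw] = None
        self.output = False             # either hand off -> stop
        if self.pressed_at["A"] is None and self.pressed_at["B"] is None:
            self.locked_out = False
        return self.output

def hold_one_then_second_test() -> bool:
    """Checklist step 1: hold one switch, operate the other after 1 s.
    Pass = the machine does not start."""
    thc = TwoHandControl()
    thc.press("A", 0.0)
    return thc.press("B", 1.0) is False

def simultaneous_then_release_one_test() -> bool:
    """Checklist step 2: operate both together, then release one.
    Pass = it starts, then stops when one switch is released."""
    thc = TwoHandControl()
    thc.press("A", 0.0)
    started = thc.press("B", 0.2)
    return started and thc.release("A") is False

def tied_down_switch_test() -> bool:
    """Extra case: after a failed attempt one switch stays tied down; the
    other switch alone must not start the machine until both are released."""
    thc = TwoHandControl()
    thc.press("A", 0.0)
    thc.press("B", 1.0)                 # too late -> locked out
    thc.release("A")
    return thc.press("A", 1.1) is False  # B still held, A re-pressed
```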
-
Machine does not start when tested like this
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
When one switch is released the machine stops
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Simultaneity validation testing results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Hold down test validation results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Guards are locked until safe speed or standstill detected
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Ensure guards are locked when machinery started
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Record time delay if safe timer is included (ms)
-
Establish safe conditions and record test
Final switching devices
-
What types of FSD are used?
-
FSD Device IDs
Testing Criteria
EN 61810-3 Relays with forcibly guided contacts. Contactors are considered for use in safety circuits if they have compliant force-guided contacts. Mechanical guiding (forced guiding) makes it impossible to close the normally closed and normally open contacts simultaneously. If a normally closed contact becomes welded, it must be impossible for the normally open contacts to close when the coil is energised. If a normally open contact becomes welded, it must be impossible for the normally closed contacts to close when the coil is de-energised. Such contacts are also known as forced contacts, positively activated contacts, guided contacts and linked contacts. This forced-guided contact feature is primarily required for safety circuits and redundant control systems. STO drives and devices using safety over Ethernet are not tested, but the logic is determined in the Safety PLC or controller.
-
Removal of feedback Test Result
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
RESET Devices
-
RESET Device ID
-
Type of RESET
Testing Criteria
STO Drives and devices using safety over ethernet are not tested, but logic is determined in SSRS.
-
RESET feedback circuit testing
- Removal of Feedback to Safety Relay / PLC
- Short Circuit of Feedback Auxiliary Contact
- Short Circuit of RESET Switch (Anti Tie Down Test)
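The three feedback tests above, together with the force-guided contact behaviour described under Final switching devices, as an added example that is not part of this checklist: a Python model of a monitored RESET with external device monitoring (EDM) over the NC mirror contacts of two contactors. The dynamic EDM check (the loop must open once the contactors are energised) is an assumed behaviour of a generic safety relay, not a claim about any specific product.

```python
from dataclasses import dataclass, field

@dataclass
class Contactor:  # force-guided: the NC mirror contact tracks the power contacts
    welded: bool = False
    energised: bool = False
    def mirror_closed(self) -> bool:
        return not (self.energised or self.welded)

@dataclass
class SafetyRelay:
    k1: Contactor = field(default_factory=Contactor)
    k2: Contactor = field(default_factory=Contactor)
    feedback_removed: bool = False  # test: feedback loop disconnected
    feedback_shorted: bool = False  # test: aux contact bridged out
    outputs_on: bool = False
    fault: bool = False

    def feedback_loop(self) -> bool:
        """True when the EDM loop (K1 and K2 mirror contacts in series) is closed."""
        if self.feedback_removed:
            return False
        return self.feedback_shorted or (self.k1.mirror_closed() and self.k2.mirror_closed())

    def reset(self, trace: list) -> bool:
        """Monitored reset: RESET input sampled as 0 -> 1 -> 0 (press and release)
        and the feedback loop closed; otherwise the outputs stay off."""
        edge = trace[0] == 0 and any(a == 1 and b == 0 for a, b in zip(trace, trace[1:]))
        if self.fault or not edge or not self.feedback_loop():
            return False
        self.outputs_on = True
        self.k1.energised = self.k2.energised = True
        return True

    def edm_check(self) -> bool:
        """Assumed dynamic EDM: once energised the loop must open; a loop that
        stays closed (shorted feedback, or a contactor that did not pull in)
        is a fault and the outputs are dropped. Returns True if healthy."""
        if self.outputs_on and self.feedback_loop():
            self.fault, self.outputs_on = True, False
        return not self.fault

def removal_of_feedback_test() -> bool:
    r = SafetyRelay(feedback_removed=True)
    return r.reset([0, 1, 0]) is False      # pass: reset refused

def short_circuit_of_feedback_test() -> bool:
    r = SafetyRelay(feedback_shorted=True)
    accepted = r.reset([0, 1, 0])           # not refused up front...
    return accepted and r.edm_check() is False and not r.outputs_on  # ...EDM trips

def short_circuit_of_reset_test() -> bool:
    r = SafetyRelay()                       # RESET bridged permanently closed
    return r.reset([1, 1, 1]) is False      # pass: no press/release edge

def welded_contactor_test() -> bool:
    r = SafetyRelay(k1=Contactor(welded=True))  # mirror contact held open
    return r.reset([0, 1, 0]) is False      # pass: reset refused
```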
-
Removal of feedback Test Result
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Short circuit of feedback Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
-
Short circuit of RESET Test Results
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Details of failure and remedial action required.
Main Points for the Functional Safety validation
-
Confirm the Performance Level of the machinery as tested?
-
Confirm the Performance Level from the OEM / Integrator
-
Does this meet the requirement for the client and this type of machinery per standards?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
What if any improvements need to be made to establish the correct Performance Level
-
Can the machinery be operated safely as validated?
- Yes
- No
- N/A
- Actions Required
- NO
- YES
-
What immediate actions are recommended to allow machinery operation
Validation Sign Off
Confirmation of Validation Result
-
Overall Validation Testing Result
- Pass
- Fail
- Conditional Pass (extra measures required - see action items)
-
Refer to action items list.
-
Re-validated following completion of action items
-
Signed
-
Signature
-
Signature
-
Alistair Keenan
-
Consulting Director - KTSM
-
Certified Functional Machinery Safety Engineer
-
Certified Functional Process Safety Engineer
-
HAZOP Leader
-
EEHA Hazardous Area Classification and Design