Emergency Stop Proof Test

Owned by Tim Williams
Aug 28, 2024
3 min read

Background

In the 3rd edition of ISO 13850, published in 2015, a new provision requiring emergency stop systems to meet at least PLc was added, guiding the designer to implement at least that Performance Level.

IEC 61508-4:

3.8.5
proof test
periodic test performed to detect failures in a safety-related system so that, if necessary, the system can be restored to an “as new” condition or as close as practical to this condition

 

If you know the structure of the emergency stop control system, you can determine the test rate based on the demand rate. It would be considerably easier if the standards just gave us minimum test rates for the various architectures. One standard, ISO 14119 [11] on interlocks, does just that. This standard does not include emergency stop functions within its scope, as its focus is on interlocks. Still, since interlocking systems are more critical than the complimentary protective measures that back them up, it would be reasonable to apply these same rules. Looking at the clause on Assessment of Faults, [11, 8.2], we find this guidance:

For applications using interlocking devices with automatic monitoring to achieve the necessary diagnostic coverage for the required safety performance, a functional test (see IEC 60204-1:2005, 9.4.2.4) can be carried out every time the device changes its state, e.g. at every access. If, in such a case, there is only infrequent access, the interlocking device shall be used with additional measures, because between consecutive functional tests the probability of occurrence of an undetected fault is increased.

When a manual functional test is necessary to detect a possible accumulation of faults, it shall be made within the following test intervals:

  • at least every month for PLe with Category 3 or Category 4 (according to ISO 13849-1) or SIL 3 with HFT (hardware fault tolerance) = 1 (according to IEC 62061);

  • at least every 12 months for PLd with Category 3 (according to ISO 13849-1) or SIL 2 with HFT (hardware fault tolerance) = 1 (according to IEC 62061).

NOTE It is recommended that the control system of a machine demands these tests at the required intervals e.g. by visual display unit or signal lamp. The control system should monitor the tests and stop the machine if the test is omitted or fails.

We still don’t have a test frequency for PLc, Category 1 systems. There is no explicit guidance for these systems in the standards. How can we determine a test rate for these systems?

One approach would be to start by examining the MTTFD values for all of the subsystems and components. ISO 13849-1 requires that the system has a HIGH MTTFD value, meaning 30 years ≤ MTTFD ≤ 100 years. If this is the case, then the once-in-20-years proof test is theoretically enough. More frequent testing, i.e., more than once in 20 years, is always acceptable.

Allen-Bradley recommends checking an 800F e-stop device annually.

There is no formal OSHA requirement to check emergency stop devices periodically.

Best practice seems to be every six months to yearly.

Because of the large number of devices and the impact to other observatory systems, we should probably divide the task into two (or more) parts. It will involve an initial ‘full-up’ test that verifies the operation of the emergency stop function. Then individual devices could be checked to see if they trigger the emergency stop function.

Overview

The functional test is based on the original complete verification and validation test plan. The original verification and validation test plan was to ensure that safety functions were carried out as designed and that certain hardware faults could be detected and tolerated (meaning the system still behaved as designed with a single hardware fault).

There could be certain undetected faults in the system. The system was designed to detect faults so that an accumulation of faults should not cause the loss of a safety function. Running functional tests are designed to find undetected faults.

A functional test should be carried out on every single emergency stop device at least annually. Because of the large number of emergency stop devices the functional test will be broken up into smaller, more manageable tests.

Facilities LIC

Ground Floor