Project

Safety Interlock Proof Testing Project

Automation project for planning and documenting proof testing of a safety interlock chain with stop-time checks, fault injection, reset behaviour, bypass controls and release evidence.

This project produces a proof-test and release package for an installed safety interlock chain. The objective is not to write a generic safety checklist. The objective is to prove, with traceable evidence, that the specific sensor, wiring, logic, actuator, reset sequence, bypass control and stopping response perform the credited protection function before the machine is released to automatic operation.

The example uses a guarded robotic packaging cell, but the workflow transfers to process interlocks, power-converter protection, test rigs, access-controlled laboratories, automated conveyors and equipment where a protection function must be periodically validated. Formal compliance requires the applicable machinery, process, electrical or site-specific safety standards. This project is an engineering validation workflow, not a substitute for a legal safety assessment.

Project objective

Validate the guard-door interlock GS-204 on a robotic case-packing cell after maintenance and before production release.

The final deliverable is an engineering proof-test package containing:

  • safety-function boundary and assumptions;
  • tag list and physical inspection record;
  • stop-time and distance-margin calculation;
  • proof-test matrix for normal and abnormal states;
  • fault-injection evidence;
  • reset and restart-behaviour checks;
  • bypass-control and expiry checks;
  • residual-risk notes and open limitations;
  • release decision signed by engineering, maintenance and operations.

The interlock chain is credited only when the whole chain works. A changing input bit in software is not enough. The proof test must confirm that gate opening produces the required safe state at the hazardous motion sources, that faults are detected or made visible, and that reset cannot restart equipment in an unsafe state.

System boundary

Use this simplified boundary for the project.

ItemProject value
Protected access pointGuarded-cell gate G-204
Primary sensorDual-channel coded guard switch GS-204
Logic deviceProgrammable safety controller PSC-1
Final control elementsRobot safe torque off, conveyor drive safe torque off, pneumatic dump valve
Hazard consideredReach into robot or pusher motion zone while automatic motion is enabled
Reset stationOutside the guarded cell, with view of the gate area
Normal operating modeAutomatic production at full speed
Maintenance modeReduced speed, hold-to-run jog, bypass permit required
Proof-test triggerMaintenance replacement, safety-controller change, annual validation, incident recovery

The boundary excludes emergency-stop validation, lockout procedure validation, full risk assessment and performance-level calculation. Those records should exist elsewhere and must be cross-referenced. This project validates the installed interlock function against its approved design intent.

Acceptance criteria

Use these project acceptance criteria.

RequirementAcceptance value
Gate opened in automatic moderobot and conveyor safe torque off, pneumatic dump commanded
Maximum measured stopping time with guard margin\le0.78\ \text{s}
Minimum access distance to closest hazard\ge1.25\ \text{m}
Reset with gate openno restart, alarm remains active
Reset from inside the cellimpossible or rejected by logic
Bypass in production modenot allowed
Authorized bypass durationautomatic expiry at 60\ \text{min}
Faulted input channeldetected or prevents automatic restart
Power recovery with gate openno automatic restart
Evidence qualitytest record has tag, state, expected result, observed result, time, owner and disposition

The values are teaching values. A real project must use validated stopping-time measurement, access geometry, approach-speed assumptions, fault exclusions, diagnostic coverage and standards required by the site.

Step 1: Define the safety function

Write the safety function in a testable form:

When guard gate G-204 is opened during automatic operation, hazardous robot, conveyor and pusher motion shall be brought to the defined safe state before a person can reach the hazard zone. Restart shall require the gate closed, a deliberate external reset and a separate start command.

Convert that statement into observable evidence.

Function elementObservable evidence
gate state sensedboth guard-switch channels change consistently
logic statesafety controller reports guard open and automatic motion inhibited
final actionrobot and conveyor safe torque off, pusher air dumped
response timemeasured stop time is within the allowed screen
reset behaviourreset clears the fault only when the gate is closed and the cell is clear
restart behaviourreset alone does not start motion
bypass controlbypass requires permit, mode restriction, timer and visible indication

This conversion is important because it prevents a weak proof test. A checkbox saying “interlock tested” does not identify what was tested, which chain elements were included, or whether the final hazardous energy was actually removed.

Step 2: Perform the stop-time screen

For the initial screen, combine the configured delays and measured mechanical run-down.

Delay termValue
input filter and safety input processing35\ \text{ms}
safety-controller logic cycle30\ \text{ms}
output relay and contactor response20\ \text{ms}
drive safe-torque-off reaction60\ \text{ms}
measured mechanical run-down410\ \text{ms}

The total stop time is:

T_{stop}=0.035+0.030+0.020+0.060+0.410
T_{stop}=0.555\ \text{s}

Use a simplified approach speed:

v=1.6\ \text{m/s}

The travel distance during stopping is:

S=vT_{stop}
S=1.6(0.555)=0.888\ \text{m}

The measured distance from the gate threshold to the closest hazard zone is:

S_{available}=1.25\ \text{m}

The simplified margin is:

S_{margin}=S_{available}-S
S_{margin}=1.25-0.888=0.362\ \text{m}

The screen passes because the margin is positive. The engineering interpretation is limited: this is not a full safety-distance standard calculation. It is a commissioning screen that must be supported by formal design records, validated measurement method and site-specific assumptions.

Step 3: Add repeatability and measurement guard

One stop-time measurement is not enough. Repeat the test after maintenance and use the worst observed result, not the average.

TrialMeasured stop time
10.54\ \text{s}
20.56\ \text{s}
30.55\ \text{s}
40.58\ \text{s}
50.57\ \text{s}

The worst measured stop time is:

T_{max}=0.58\ \text{s}

Apply a measurement and condition guard:

T_{guard}=0.05\ \text{s}

The release stop time for the screening record is:

T_{release}=T_{max}+T_{guard}=0.58+0.05=0.63\ \text{s}

The corresponding distance is:

S_{release}=1.6(0.63)=1.008\ \text{m}

The margin is:

S_{margin}=1.25-1.008=0.242\ \text{m}

The result still passes the project acceptance value. The comment in the release package should say that the design has positive margin for the tested configuration, but that any change to robot speed, payload, pneumatic pressure, access geometry, input filtering, safety-controller program or drive configuration requires reassessment.

Step 4: Build the proof-test matrix

The proof-test matrix should include normal operation, abnormal operation and recovery states.

Test IDInitial stateActionExpected resultEvidence
PT-01automatic mode, gate closedopen G-204robot STO, conveyor STO, air dump, alarm activesafety log, drive status, valve feedback
PT-02automatic mode, gate openpress resetreset rejected, no restartHMI alarm, safety state
PT-03gate closed, safe state activepress reset, then startreset accepted, start allowed only after separate commandevent log, operator observation
PT-04maintenance moderequest bypassbypass allowed only with permit and reduced-speed statepermit record, mode status
PT-05production moderequest bypassbypass rejectedHMI event, safety-controller bit
PT-06bypass activewait 60\ \text{min}bypass expires or forces hold statetimer log
PT-07power cycle with gate openrestore powerno automatic restartstartup log
PT-08gate switch channel A open circuitattempt automatic runfault detected or automatic run inhibiteddiagnostic alarm
PT-09gate switch channel mismatchattempt resetreset rejecteddiagnostic alarm
PT-10air dump valve feedback absentopen gatefault or hold state visiblevalve feedback log

Each row needs observed results, not only expected results. If a test fails, the disposition must record whether the system was repaired, retested, accepted with limitation, or held from production.

Step 5: Fault-injection comments

Fault injection is where many weak proof tests fail. The test should not only prove that the system works when every component is healthy. It should show what happens when common dangerous or degraded states occur.

FaultEngineering reason for the testAcceptable response
input channel open circuitdetects broken wire or disconnected switch channelfault visible, automatic start inhibited
channel mismatchdetects switch, wiring or timing disagreementfault visible, reset rejected
stuck closed inputchallenges hidden failure of sensing pathdetected by diagnostics or found by proof test before release
failed output feedbackverifies final element is not assumed from command bitalarm or hold until feedback is restored
reset held activeprevents a taped or failed reset pushbutton from restarting motionedge detection or reset fault
bypass permit expiredprevents degraded state from becoming normal productionautomatic expiry, escalation or forced hold

The engineering comment belongs in the record: the proof test does not need to damage equipment to be useful. It needs a controlled method for producing representative faults, restoring the system, and proving that the protective function does not silently become unavailable.

Step 6: Check bypass exposure control

A bypass is sometimes necessary for alignment, troubleshooting or commissioning. The proof test should verify that the bypass state is engineered as a controlled degraded mode.

Assume the bypass permit allows:

t_{permit}=60\ \text{min}=1.0\ \text{h}

The maintenance work plan estimates:

t_{planned}=35\ \text{min}=0.583\ \text{h}

During a dry run, the bypass remains active for:

t_{actual}=52\ \text{min}=0.867\ \text{h}

The utilization of the authorized window is:

\displaystyle U=\frac{t_{actual}}{t_{permit}}=\frac{0.867}{1.0}=0.867

So the bypass used about:

86.7\%

of the authorized time.

That result is acceptable only if the state remained inside the permitted operating condition. If production mode was enabled during the same period, the bypass test would fail even though the timer had not expired. Time control is necessary, but it is not sufficient; mode restriction and visible indication are also required.

Step 7: Screen the proof interval

Some dangerous failures are not self-revealing. A simplified average dangerous undetected probability screen can help explain why periodic proof testing matters.

Use the approximation:

\displaystyle P_{DU}\approx\frac{\lambda_{DU}T}{2}

where:

  • \lambda_{DU} is the dangerous undetected failure rate;
  • T is the proof-test interval in hours;
  • the approximation is valid only when \lambda_{DU}T is small.

Assume an illustrative dangerous undetected failure rate:

\lambda_{DU}=2.0\times10^{-6}\ \text{h}^{-1}

For annual proof testing:

T_{annual}=8760\ \text{h}
\displaystyle P_{DU,annual}\approx\frac{(2.0\times10^{-6})(8760)}{2}=0.00876

For semiannual proof testing:

T_{semiannual}=4380\ \text{h}
\displaystyle P_{DU,semiannual}\approx\frac{(2.0\times10^{-6})(4380)}{2}=0.00438

The semiannual screen halves the average dangerous undetected probability in this simplified model. That does not automatically make it the right interval. The final interval should consider demand rate, diagnostic coverage, maintenance burden, component data, regulatory requirements, consequence severity, prior failures and whether the proof test itself creates risk.

Step 8: Score residual actions with RPN

Use risk-priority-number scoring only as a triage aid, not as proof that the system is safe.

Residual issueSeverityOccurrenceDetectionRPN
bypass request possible from wrong HMI page8358(3)(5)=120
reset station view partially obstructed by spare cartons7447(4)(4)=112
stop-time measurement record not attached to maintenance work order6566(5)(6)=180
event-log export procedure depends on one engineer5475(4)(7)=140

The highest RPN in this simplified table is the missing stop-time attachment:

RPN_{max}=180

The engineering decision is not “RPN below a magic number means release.” The decision is that release can proceed only if high-priority residual actions are either closed or explicitly accepted with owner, due date and compensating controls.

Release package

The final package should be short enough to review and complete enough to audit.

SectionRequired content
scopemachine, gate, safety function, exclusions
design referenceapproved risk assessment, logic revision, electrical drawing, pneumatic drawing
configurationcontroller program version, drive settings, input filter, valve feedback tags
proof-test recordmatrix with observed results and pass/fail disposition
stop-time evidenceraw measurements, worst case, guard margin, distance screen
fault evidenceinjected faults, diagnostics, reset response, restoration record
bypass evidencepermit workflow, mode restriction, expiry, HMI indication
limitationsassumptions, untested states, required follow-up
release decisionhold, conditional release or production release

Use a release decision such as:

The GS-204 interlock chain passed proof testing for automatic production release in the tested configuration. Production release is conditional on keeping bypass disabled in production mode, preserving the external reset station, attaching stop-time evidence to the maintenance record and revalidating after any change to access geometry, robot speed, drive settings, safety logic or final-element hardware.

This statement is useful because it ties release to configuration. It avoids the common error of treating one successful test as permanent proof for future modified states.

Common project mistakes

Common mistakes include:

  • testing the software bit instead of the final hazardous-energy removal;
  • averaging stop times instead of using the worst measured value plus a guard;
  • accepting reset behaviour without checking restart behaviour;
  • allowing bypass in production mode because it is convenient during troubleshooting;
  • documenting expected results without observed evidence;
  • omitting faulted-input and output-feedback tests;
  • failing to update the proof-test record after logic, sensor, drive or access-geometry changes.

The practical rule is simple: a proof test is only as strong as the boundary it actually tests. If the record does not show the sensor, logic, final element, timing, reset, bypass and fault response, it is not a release package for the credited interlock function.

REF

See also