29 March 2016

Safety Disconnect matrix:

Every project needs attention concerning Safety.
This document explains how CSi is creating a safety disconnect matrix for a project and how this should
be implemented and used to check if all directives are fulfilled.
SECC stands for Safety Engineering & Commissioning Checklist.

The project engineer is using this example Excel file as a start from where he creates a new file dedicated
for his project. This is done according layout drawings, functional specification, risk analyses and
meetings. When the draft version is ready, the file must be checked and validate by a safety consultant as
described in document C006A01.00x

After validation the document can be released for the hardware engineer. As soon as the hardware
drawings are ready, the software engineer can start with the safety software. At this moment the software
engineer first will update the Excel file with more details like subgroups and tagnames.

If you save your file, be sure it gets an appropriate name like SECC_Customer_V0.1.XLS

This Excel file contains a few different pages:

Introduction:

Fill in here the credentials of this project. Some will be used on other Tabs.
Keep track of the version information.
On this page, version and date will be taken from last date next to version info.

Groups:

Here we find precisely which positions and their number belong to which motor group. That list will be
used later in the checklist. These groups will be used as the outputs in the Matrix.
If you fill in the Type column, the appropriate checklist will be created on page ChecklistA.
Column PL and SIL can be used to fill with the required Performance Level or Safety Integrity Level.

Matrix:

On this page the order-number, cabinet number and version of the file will be filled in from page
Introduction. In the columns (lightblue) we find all the safety outputs and on the rows all the safety
inputs. These inputs are all the emergency stop buttons, area stops, light screens, gates etc. As for the
safety inputs we will use here not the input itself, but the OK signal of that input. For instance a light
screen, if it is interrupted the OK signal will be FALSE, only after it is free and a reset pulse, the OK signal
will be TRUE again.
On the page Conditions we will find when an input signal is OK or not. This can be done by plane text or
by logic function blocks.
In the column of every output we will find the inputs who influence this output. If all inputs are TRUE, then
this output can be switched ON.

Conditions:

A lot of inputs will only have general conditions before that signal is OK. These are for instance the
emergency stop buttons. Input itself must be TRUE and a reset pulse should be given.
Light guards are used in 2 variations. The simple once you will find at the outer borders of an area where
humans can directly enter that area. They are foreseen with muting photocells and a local reset
pushbutton. How this it programmed in the safety plc is standard and in this document not described in
detail. On the checklist we will find sufficient rules to test the complete function, including Bypass function.
The other variation is just a light screen without a hardware mute. This one we will find at the border
between 2 separate safety areas. For instance between a transfer carrier and a wrapper machine. This
ones working state depends on the state of other safety devices on the outside of that area like gates and
type 1 light screens. For this we need to describe all the different possible conditions for every light
screen.

CSi Safety SECC V4.3 1

Also gates come in 2 variations. The simple once have only a contact what is opened as soon as that
gate is opened by an operator. After it is closed, it always needs a reset before that signal is OK again.
This type is only allowed to be used for gates enclosing a very small area, where a person cannot hide
inside that area, so someone else can not close that gate without seeing the person inside. It is also
allowed as a emergency exit from an area. Then that gate can only be opened from the inside out and the
area concerned is already switched off.
All other gates come with an interlock key. The operator who enters that area must use that key to access
the area. As soon as the gate is unlocked after the request, the operator takes that key with him inside
the area. No one is capable to close the gate and reset the area without that key. That key must be back
in its lock and switched on again before a reset can be performed. Also this procedure is standard and
not explained here in detail. On the checklist we will find sufficient rules to test the complete function.

LayOut:

This page we use to put a copy of the layout of the installation. This is not mandatory, but useful for the
safety consultant as he makes the last check and for the software engineer, customer and all who uses
this Excel file. This layout indicates visually which parts / positions belong to which safety area.

SRS:

Here you can store your Safety Requirement Specifications of all the used equipment.

ChecklistA:

ChecklistA will contain the checks to perform for all items on page Groups.
This list can be created at the moment all inputs and outputs are defined and all the Tag names are
known. For every type of output there is a predefined list of checks to perform. This checklist has to be
taken on-site and must be executed by one or two persons from where one of them is not the software
engineer. That person should perform all the tests and sign every page of it. Every page must also
contain the date of testing. Any anomaly must be written down in the comment column.
Checklists will be generated when pressing the pushbutton. This list has to be checked, because special
items has to be filled in manually.
This Generate pushbutton is only visible after the first validation. Version info on the Introduction page
must be V1.0 or greater. Once generated, this button will not be visible the next time you open that page.

Type of Outputs:
0 No checklist required or empty row on this page
1 Standard CSi PAV or RAV cabinet controlled by a plc.
2 Standard CSi Cabinet controlled by hardware like PNOZ modules
3 Non standard single contactor
4 Single output relais with one contact for relais status Off
5 Single output relais like ET200S module 1-F-RO (138-4FR00-0AA0)
6 Double output relais each with a feedback signal (normal controlled by PNOZ modules)
7 Air pressure valve with an old fashion pressure switch
8 Air pressure valve with on-top a reedcontact for status Off
9 Air pressure valve with onboard safety check
10 Safe Torque Off on frequency controlers
11 All other outputs none of the above types.

CSi Safety SECC V4.3 2

ChecklistB:

ChecklistB will contain the checks to perform for all items on page Matrix.
This list can be created at the moment all inputs and outputs are defined and all the Tag names are
known. For every type of input there is a predefined list of checks to perform. This checklist has to be
taken on-site and must be executed by two or more persons from where one of them is not the software
engineer. Those persons should perform all the tests and sign every page of it. Every page must also
contain the date of testing. Any anomaly must be written down in the comment column.
Checklists will be generated when pressing the pushbutton. This list has to be checked, because special
items has to be filled in manually.
This Generate pushbutton is only visible after the first validation. Version info on the Introduction page
must be V1.0 or greater. Once generated, this button will not be visible the next time you open that page.

CSi Safety SECC V4.3 3

PLC-Signature:

The software engineer should go online with his programming device connected to the safety-plc and
make a screenshot of the active safety signature. This screenshot should be copied on to this page.

If there are more safety signatures from other implemented safety hardware, be sure you have a copy of
them too including dipswitch and turn-knob parameters of Sick, Pilz and/or Rockwell hardware safety
modules.

CSi Safety SECC V4.3 4