Paul Laidler of Laidler Associates explains why machine builders need to ensure that their designs for EN ISO 13849-1 safety-related control systems are properly validated.
For many years, the applicable standard for the safety-related parts of machine control systems has been EN 954-1. However, in recent times, the shortcomings of this standard – which include its inability to deal with programmable or software-based safety systems – have become increasingly significant. For this reason a new standard, EN ISO 13849-1, was developed and it was initially planned that this would replace EN 954-1 at the end of 2009 (and BS EN 954-1 in the UK).
In fact, the change of approach introduced with EN ISO 13849-1 was so radical that some machine builders and other interested parties successfully petitioned for a 'stay of execution' and, as a result, it was agreed that EN 954-1 could remain in use until the end of 2011. That date is now just a few months away, and it is very unlikely that there will be a further extension to the life of this venerable standard.
All of which means that machine builders need to be ready to work with EN ISO 13849-1 from 1 January 2012 (if they are not already using this standard) and that includes being ready to meet the requirements of Section 8 of the standard, which states that "the design of the SRP/CS (safety-related parts of the control system) shall be validated." The standard goes on to advise that details of the validation are given in EN ISO 13849-2, to which we will return shortly.
The requirement for validation should not come as a surprise to machine builders as validation is, in fact, already required by EN 954-1. There are very good reasons for this, as a quick perusal of the HSE publication Out of Control will reveal. Available as a free download from the HSE website, this document includes, in Section 4, an analysis of incidents connected with safety-related parts of control systems. This analysis reveals that poor design and implementation, together with incorrect specification, accounted for 59 per cent of the problems examined in the study. These are exactly the types of problem that validation could have been expected to uncover before the control system went into service.
In spite of this, the requirement for validation contained in EN 954-1 has sometimes been neglected, with few apparent consequences. This situation is, however, most unlikely to be allowed to continue when EN 954-1 is withdrawn.
So what exactly does validation involve? EN ISO 13849-2 spells out the basic requirements very clearly in Section 3.1, Validation Principles. In part, this states:
"The validation shall demonstrate that each safety-related part meets the requirements of ISO 13849-1, in particular: the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and the requirements of the specified category [see ISO 13849-1, clause 6]. Validation should be carried out by persons who are independent of the design of the safety-related part(s)."
The standard goes on to explain that the use of the phrase 'independent person' does not necessarily mean that a third party is needed, but that the degree of independence should reflect the safety performance of the safety-related part.
Validation process explained
Now let us consider the validation process. As a preliminary design step, the engineer designing the machine will have carried out a risk analysis to identify the safety performance level (PL) appropriate to the hazards associated with the machine, a procedure that is covered by EN ISO 13849-1. The engineer will then have designed a control system to meet this PL by considering the category, carefully selecting the components used and, with the introduction of the new standard, carrying out detailed calculations involving the mean time to dangerous failure for these components, along with diagnostic coverage and common cause failures.
The validation process must re-examine all of these steps, and it is now clear why independent validation is so important: engineers validating their own work could all too easily duplicate any mistakes they had made at the design stage. Validation does not finish with re-examining the design, however; it must also look at the implementation of the SRP/CS and, in some cases, verify its functionality by testing.
In fact there is even more to be done, as validation must also take into account the environmental conditions in which the machine will operate, including the effects of shock and vibration to which it may be subjected, as well as temperature, humidity and, where applicable, the effects of lubricants and cleaning materials. Electromagnetic compatibility must be considered, as must the effects of wear and other forms of deterioration as the machine ages.
Finally, the validation process must be carefully and fully documented so that the machine maker can produce evidence, if called upon to do so, to demonstrate that validation has been properly carried out.
It will be seen that validation, while mandatory, is a far from trivial exercise. In fact, many machine manufacturers may well find that they lack the in-house resources and expertise needed to validate properly the SRP/CS in their products. In such cases, the services of expert consultants, such as Laidler Associates, will prove an excellent investment. It is also worth noting that an additional benefit of using services of this type is that the requirement for validation to be carried out by persons who are independent of the design process will be satisfied automatically.
It is often tempting to think that carrying out work in-house is the most cost-effective option but, when the work is as critical and demanding as SRP/CS validation, this assumption may be very far from true. Buying in expertise and resources to carry out these complex tasks will often deliver big savings in time and money – not to mention stress!
Contact Laidler Associates for more information about the validation of safety-related control system designs.