EN ISO 13849-2, validation of safety-related control systems
Posted to News on 11th Dec 2012, 17:47

This article from TUV SUD Product Service explains the requirement to validate the design of the safety related parts of a machine's control system following the recent publication of EN ISO 13849-2.

Since the final withdrawal of EN 954-1 at the end of 2011, most machine builders should now be working to its replacement (EN ISO 13849-1, and BS EN ISO 13849-1 in the UK), the standard for the safety-related parts of machine control systems (SRP/CS). Under EN ISO 13849-1 machine designers must meet the requirements of Section 8 of the new standard, which states that "the design of the safety related parts of the SRP/CS shall be validated." However, the requirement for validation should not come as a surprise, as it was already required by the old EN 954-1 standard.

Health & Safety Executive (HSE) analysis of incidents connected with safety-related parts of control systems reveals that poor design and implementation, together with incorrect specification, accounted for 59 per cent of the causes identified. That represents a significant amount of downtime for those that rely on machinery to do business effectively, and they are exactly the types of problem that an effective validation process could have uncovered before the control system went into service. End-user businesses are therefore increasingly demanding full validation on a machine before purchasing it.

The HSE publication Out of Control: Why control systems go wrong and how to prevent failure is available as a free download from the HSE website. Aimed at users of control systems, designers, manufacturers and installers, its primary purpose is to raise awareness of the technical causes of control system failure by examining case studies of incidents that show that obvious defects could have been prevented.

Validation process

EN ISO 13849-2 spells out the basic requirements very clearly in Section 3.1, Validation Principles, stating that:

"The validation shall demonstrate that each safety-related part meets the requirements of ISO 13849-1, in particular:

the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and

the requirements of the specified category [see ISO 13849-1, clause 6].

Validation should be carried out by persons who are independent of the design of the safety-related part(s)."

The standard goes on to explain that the use of the phrase 'independent person' does not necessarily mean that third-party testing is needed, but that the degree of independence should reflect the safety performance of the safety-related part.

As a preliminary step, the engineer designing the machine will have carried out a risk analysis to identify the performance level (PL) required of each safety function that contributes to the overall risk reduction for the hazards associated with the machine, a procedure covered by EN ISO 13849-1. The engineer will then have designed a control system capable of meeting the PL required by each safety function. This is done by considering the categories within the standard and carrying out detailed calculations involving the mean time to dangerous failure (MTTFd) of the chosen components, along with diagnostic coverage (DC) and common-cause failures (CCF).

The validation process must re-examine all of these steps, and it is now clear why independent validation is so important, as engineers validating their own work could all too easily duplicate any mistakes they had made at the design stage. However, validation does not finish with re-examining the design, as it must also look at the implementation of the SRP/CS and, in some cases, verify its functionality by testing.
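To show what re-examining those design steps looks like in practice, here is an added example (not from the article or from TUV SUD) that checks one constructed safety function against the risk graph, the simplified PL table and the CCF threshold of ISO 13849-1; the safety-function fields and the validate() helper are assumptions made for illustration.

```python
# Added example, not from the article or TUV SUD: re-tracing the design
# steps for one constructed safety function the way a validator would.
# Risk graph, MTTFd/DC bands and simplified PL table follow ISO 13849-1
# (Annex A, Table 7); check them against the edition you work to.
# Risk graph: (severity S, frequency F, avoidance P) -> PL required (PLr)
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}
# Simplified procedure: (category, DC band) -> {MTTFd band: PL achieved}
SIMPLIFIED = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}

def mttfd_band(years):
    """MTTFd per channel: low 3-10, medium 10-30, high 30-100 years."""
    if years < 3 or years > 100:
        return None  # outside the range the standard allows a claim for
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc):
    """Diagnostic coverage: none <60%, low 60-90%, medium 90-99%, high >=99%."""
    return ("none" if dc < 0.60 else "low" if dc < 0.90
            else "medium" if dc < 0.99 else "high")

def validate(sf):
    """Re-check one safety function; returns findings (empty list = passes)."""
    findings = []
    plr = RISK_GRAPH[(sf["S"], sf["F"], sf["P"])]
    band = mttfd_band(sf["mttfd_years"])
    table = SIMPLIFIED.get((sf["category"], dc_band(sf["dc"])), {})
    pl = table.get(band)
    if pl is None:
        findings.append("MTTFd out of 3..100 years or combination not in Table 7")
    elif pl < plr:  # PL letters a..e compare correctly as strings
        findings.append(f"achieved PL {pl} is below required PL {plr}")
    if sf["category"] in ("2", "3", "4") and sf["ccf_score"] < 65:
        findings.append("CCF score below 65, required for category 2, 3 and 4")
    return findings

# Constructed design rationale: press e-stop, irreversible injury (S2),
# frequent exposure (F2), hazard rarely avoidable (P2), so PLr = e.
E_STOP = {"S": 2, "F": 2, "P": 2, "category": "3", "mttfd_years": 45,
          "dc": 0.92, "ccf_score": 70}
```

Run against E_STOP the check reports that a category 3 architecture with medium DC only reaches PL d, which is exactly the kind of design-stage shortfall an independent validator is there to catch.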

Validation must also take into account the environmental conditions in which the machine will operate, including the effects of shock and vibration, as well as temperature, humidity and the effects of any lubricants and cleaning materials that might be used. Electromagnetic compatibility must also be considered, as should the effects of wear and other forms of deterioration as the machine ages. Finally, the validation process must be fully documented so that the machine manufacturer can produce evidence that validation has been properly carried out.

Independent validation is clearly an important part of the process of stopping control systems from going wrong and of preventing the failure of machines in service. Unreliable machines that have not been appropriately validated will affect end-users' bottom line, and will ultimately impact on the reputation and sales revenue of machine builders that do not validate systems correctly. To avoid this, machine builders should act now to ensure validation is included as part of the design process.

Contact TUV SUD Product Service for further advice about validating safety-related control systems to EN ISO 13849-2.


TÜV SÜD

Belasis Business Centre
Coxwold Way
TS23 4EA
UNITED KINGDOM

+44 (0)333 123 7777
