Validation is key for machine safety
Author : Paul Laidler, Business Director for Machinery Safety, TÜV SÜD Product Service
05 March 2013
Standards relating to safety related parts of control systems (SRP/CS) have been a topic of concern for some time within the field of machinery safety. This situation turned to confusion as a result of the final withdrawal of the more familiar standard EN 954-1 in December 2011, and its replacement by EN ISO 13849-1.
EN ISO 13849-1 or EN 62061 should now be followed to demonstrate compliance with the Machinery Directive and are more advanced standards which can deal with ne
Having two different standards for safety related controls that are both harmonised to the Machinery Directive has left many people confused about which standard should be applied in a particular application. EN 62061 applies to electrical, electronic and programmable electronic control systems, whereas EN ISO 13849-1 is not technology specific so it can be applied for electrical, pneumatic, hydraulic and mechanical safety systems (as could its predecessor EN 954-1).
ISO Technical Committee 199 “Safety of Machinery” has set up a joint working group with the long-term objective to simplify the process and merge the two standards. However, this is still in the early stages of development, so each standard will continue to exist for the foreseeable future.
Safety related controls
Although EN ISO 13849-1 has been in place for some time, comparatively little attention seems to have been given to an important aspect – the requirement for validation.
An analysis by the Health and Safety Executive (HSE) of incidents connected with safety related parts of control systems revealed that poor design and implementation, together with incorrect specification, accounted for 59 per cent of the causes identified. This represents a significant amount of downtime for those that rely on machinery to do business effectively, and is exactly the type of problem that a full validation process can uncover before the control system goes into service.
End-user businesses are therefore increasingly demanding full validation on a machine before it is fully commissioned. So, machine builders that cannot provide the full validation paperwork are likely to see a negative impact on their sales revenue.
The requirement for validation should not come as a surprise, as validation was already required by the old EN 954-1 standard. There are very good reasons for this, as the HSE publication “Out of Control: Why control systems go wrong and how to prevent failure” reveals.
Available as a free download from the HSE website (www.hse.gov.uk) this booklet is aimed at users of control systems, designers, manufacturers and installers. As previously mentioned, it includes an analysis of incidents connected with safety-related parts of control systems, as well as guidance reflecting revisions of legislation and relevant standards. The booklet’s primary purpose is to raise awareness of the technical causes of control system failure by examining actual case studies of incidents that show that obvious defects could have been prevented.
What is validation?
The validation process is intended to assure the conformity of the SRP/CS with the Machinery Directive. Validation is the demonstration that the SRP/CS meets the specified safety requirements, which can be done at different stages throughout the design and development lifecycle process or at the end of it. However, we would recommend that this should be done as early as possible in the design stage and become part of the ongoing development process, as it is more cost effective for faults to be identified and rectified then, rather than when a final machine has been produced.
Under EN ISO 13849-1, machine designers must meet the requirements of Section 8 of the new standard, which states that “the design of the safety related parts of the control system shall be validated. Part two of EN ISO 13849 covers the validation elements comprehensively and Section 4.1 in EN ISO 13849-2:2012 spells out the basic requirements very clearly:
“The validation shall demonstrate that each safety-related part meets the requirements of ISO 13849-1, in particular:
* the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and
* the requirements of the specified category [see ISO 13849-1, clause 6].
Validation should be carried out by persons who are independent of the design of the safety-related part(s).”
As stated above, “persons who are independent of the design” means that, if possible, the tests should be performed by someone not involved in the design and development. As the validation process is re-examining all of the previous steps associated with developing the SRP/CS of a machine, it is clear why independent validation is so important. Engineers validating their own work could all too easily duplicate any mistakes they had made at the design stage.
Formulate a plan
Validation can be performed by analysis or a combination of analysis and testing. The first stage of which is developing the verification plan. This includes elements such as the identification of the machine’s safety functions, test principles and internal company requirements that will be applied, analysis and tests that will be performed, fault lists (the principles for the consideration of faults are listed in the annexes of EN ISO 13849-2), the personnel that are responsible for this process, the specific tools used, and the definition of criteria for the passing or failure of tests.
The plan ensures that all the necessary validation stages are covered, which includes validation of all of the processes used, such as safety functions, the performance level of the SRP/CS, the category, Mean Time to Failure values, diagnostic coverage values, measures against common cause and systematic failures, and the safety-related software.
The validation process
Now let us look at the validation process. As a preliminary step, the engineer designing the machine will have carried out a risk analysis to identify the safety Performance Levels (PL) required by the safety functions that are providing part of the overall risk reduction appropriate to the hazards associated with the machine, a procedure that is covered by EN ISO 13849-1.
The approach to safety used by EN ISO 13849-1 is based on probabilities, with the PL related directly to the probability of a system failing to danger. While this new quantitative approach is more appropriate for complex machinery, and it also enables the proposed safety-related control system to be validated, it does mean that designers have to consider many more aspects than before.
The engineer will then have designed a control system that is capable of meeting the PL required by the safety functions. This is done by considering the categories within the Standard, carrying out detailed calculations involving the ‘mean time to dangerous failure’ for the chosen components, along with diagnostic coverage and common cause failures.
The validation process must re-examine all of these steps and, as mentioned previously, the level of independence of person(s) carrying out the validation must reflect the level of risk identified. However, validation doesn’t finish with re-examining the design, as it must also look at the implementation of the SRP/CS and, in some cases, verify its functionality by testing.
In fact, there is even more to be done, as validation must also take into account the environmental conditions in which the machine will operate, including the effects of shock and vibration, as well as temperature, humidity and the effects of any lubricants and cleaning materials that might be used. Electromagnetic compatibility must also be considered, as should the effects of wear and other forms of deterioration as the machine ages.
Throughout the validation process, every activity must be fully documented, together with their results, so that the machine manufacturer can produce evidence that validation has been properly carried out.
Independent validation is clearly an important part of the process of stopping control systems from going wrong and of preventing the failure of machines in service. However, since many safety functions use the same hardware within a machine, the validation process is not as onerous as it may at first seem. Once all safety functions have been considered and the analysis and tests show that the safety functions have been implemented correctly, your validation is complete.
Unreliable machines that have not been appropriately validated will affect end-users’ bottom line, and will ultimately impact the reputation and sales revenue of any machinery producer that does not up their game when it comes to validation. To avoid this, act now to ensure validation is included as part of the design process.