Validation needed
July 1st 2011
With EN ISO 13849-1 having been in place for some time as
the standard for the safety-related parts of machine control
systems, it is concerning that comparatively little attention
has been given to one important aspect of this standard –
the requirement for validation. Paul Laidler explains
For many years, the applicable standard
for the safety-related parts of machine
control systems has been EN 954-1.
However, in recent times, the shortcomings
of this standard – which include its
inability to deal with programmable or
software-based safety systems – have become
increasingly significant. For this reason a new
standard, EN ISO 13849-1, was developed,
and it was initially planned that this would
replace EN 954-1 at the end of 2009.
In fact, the change of approach introduced
with EN ISO 13849-1 was so radical that
machine builders and other interested parties
successfully petitioned for a stay of execution
and, as a result, it was agreed that EN 954-1
could remain in use until the end of 2011.
That date is just months away, and it is
unlikely there will be any further extension.
This means machine builders need to be
ready to work with EN ISO 13849-1 from 1st
January 2012 (if they are not already using
this standard) and that includes being ready
to meet the requirements of Section 8, which
states that 'the design of the SRP/CS (safety
related parts of the control system) shall be
validated'. The standard goes on to advise
that details of the validation are given in EN
ISO 13849-2, which we will return to shortly.
The requirement for validation should not
come as a surprise to machine builders as
validation is, in fact, already required by EN
954-1. There are good reasons for this, as a
quick perusal of the HSE publication 'Out of
Control' will reveal. Available as a free download
from the HSE website, this document
includes, in Section 4, an analysis of
incidents connected with safety-related parts
of control systems. The analysis reveals that
poor design and implementation, together
with incorrect specification, accounted for
59% of the problems examined in the study.
These are exactly the types of problem that
validation could have been expected to
uncover before the control system went into
service. In spite of this, the requirement for
validation contained in EN 954-1 has
sometimes been neglected with few apparent
consequences. This situation is most unlikely
to be allowed to continue when EN 954-1 is
withdrawn.
So what exactly does validation involve?
EN ISO 13849-2 spells out the basic
requirements very clearly in Section 3.1,
Validation Principles. In part, this states:
'The validation shall demonstrate that each
safety-related part meets the requirements of
ISO 13849-1, in particular: the specified
safety characteristics of the safety functions
provided by that part, as set out in the design
rationale, and the requirements of the
specified category (ISO 13849-1, clause 6).
Validation should be carried out by persons
who are independent of the design of the
safety-related part(s)'.
The standard goes on to explain that the
use of the phrase 'independent person' does
not necessarily mean that third-party testing
is needed, but that the degree of
independence should reflect the safety
performance of the safety-related part.
Let's look at the validation process. As a
preliminary design step, the engineer
designing the machine will have carried out
a risk analysis to identify the required
performance level (PL) appropriate to the
hazards associated with the machine, a
procedure covered by EN ISO 13849-1. The
engineer will then have designed a control
system to meet this PL by choosing the
category, carefully selecting the components
used and, with the introduction of the new
standard, carrying out detailed calculations
involving the mean time to dangerous failure
(MTTFd) of these components, along with their
diagnostic coverage (DC) and the measures
taken against common cause failures (CCF).
The validation process must re-examine
all of these steps. It's clear why independent
validation is so important: engineers
validating their own work could all too easily
duplicate any mistakes they had made at the
design stage. Validation does not finish with
re-examining the design, however; it must
also look at the implementation of the
SRP/CS and, in some cases, verify its
functionality by testing.
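What "re-examining all of these steps" means in practice is that the validator recomputes the PL from the component data in the design rationale rather than reading the designer's answer off the page. The following is an added example, not code from the article or from Laidler Associates: it recomputes channel MTTFd by parts count, the average diagnostic coverage, applies the CCF threshold and looks up the achieved PL, then checks a constructed two-channel emergency stop twice, once with the demand rate the design rationale assumed and once with the rate the validator actually observed on the machine. The band limits, the 100-year cap, the B10d conversion and the PL lookup table are reproduced from memory of the 2006 edition of EN ISO 13849-1 (Annexes C, D and E and Table 7) and are an assumption: check them against the edition you validate to. All component figures (B10d, MTTFd and DC values, the 65-point CCF score) are constructed for the example; combinations the table does not cover return None.

```python
"""Independent re-check of a SRP/CS design rationale (added example).

Band limits, 100-year cap, B10d formula and the category/DCavg/MTTFd -> PL
table are reproduced from memory of EN ISO 13849-1:2006 (assumption):
verify them against the edition you validate to. Component data constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

MTTFD_CAP_YEARS = 100.0  # per-channel cap in the 2006 edition (assumption)


@dataclass
class Component:
    name: str
    mttfd_years: float  # mean time to dangerous failure of this component
    dc: float           # diagnostic coverage achieved for it, 0.0 .. 1.0


def mttfd_from_b10d(b10d: float, days_per_year: float, hours_per_day: float,
                    seconds_per_cycle: float) -> float:
    """Electromechanical parts: MTTFd = B10d / (0.1 * n_op), n_op = cycles per year."""
    n_op = days_per_year * hours_per_day * 3600.0 / seconds_per_cycle
    return b10d / (0.1 * n_op)


def channel_mttfd(parts: List[Component]) -> float:
    """Parts count: 1/MTTFd = sum(1/MTTFd_i), then capped at MTTFD_CAP_YEARS."""
    return min(1.0 / sum(1.0 / p.mttfd_years for p in parts), MTTFD_CAP_YEARS)


def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Two redundant channels with different MTTFd (Annex D formula, assumption)."""
    return min(2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)), MTTFD_CAP_YEARS)


def dc_avg(parts: List[Component]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over the whole SRP/CS."""
    return (sum(p.dc / p.mttfd_years for p in parts)
            / sum(1.0 / p.mttfd_years for p in parts))


def mttfd_band(years: float) -> Optional[str]:
    if years < 3:
        return None          # below the range the standard covers
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# (category, DCavg band) -> {MTTFd band: PL}; None = combination not covered.
PL_TABLE = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def achieved_pl(category: str, mttfd_years: float, dcavg: float,
                ccf_score: int) -> Optional[str]:
    """PL reached by the SRP/CS, or None if the combination is not permitted."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None          # CCF measures score below the 65-point threshold
    column = PL_TABLE.get((category, dc_band(dcavg)))
    band = mttfd_band(mttfd_years)
    if column is None or band is None:
        return None
    return column[band]


def assess_two_channel(category: str, ch1: List[Component], ch2: List[Component],
                       ccf_score: int) -> dict:
    """Recompute the figures a validator compares with the design rationale."""
    mttfd = symmetrised_mttfd(channel_mttfd(ch1), channel_mttfd(ch2))
    dcavg = dc_avg(ch1 + ch2)
    return {"mttfd": mttfd, "dcavg": dcavg,
            "pl": achieved_pl(category, mttfd, dcavg, ccf_score)}


def estop_channel(seconds_per_cycle: float) -> List[Component]:
    """One channel of a constructed two-channel emergency stop (category 3)."""
    return [
        Component("e-stop contact", 150.0, 0.99),
        Component("safety relay", 500.0, 0.99),
        # The contactor's MTTFd depends on the demand rate (constructed B10d).
        Component("contactor",
                  mttfd_from_b10d(1_300_000, 365, 16, seconds_per_cycle), 0.90),
    ]


if __name__ == "__main__":
    # Design rationale assumed one stop per 60 s; the validator measured one per 10 s.
    for cycle in (60, 10):
        ch = estop_channel(cycle)
        print(cycle, assess_two_channel("3", ch, ch, ccf_score=70))
```

With the demand rate the design rationale assumed, the contactor's MTTFd comes out near 37 years, the channel lands in the medium band and category 3 with medium DCavg reaches PL d. With the rate observed on the machine the same contactor drops to about 6 years, the channel falls into the low band and the same architecture only reaches PL c: an incorrect specification of the kind the HSE study found, and one that only an independent recomputation from the raw data would catch.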
In fact, there is even more to be done, as
validation must also take into account the
environmental conditions in which the
machine will operate, including the effects of
shock and vibration to which it may be
subjected, as well as temperature, humidity
and, where applicable, the effects of
lubricants and cleaning materials.
Electromagnetic compatibility must be
considered, as must the effects of wear and
other deterioration as the machine ages.
Finally, the validation process must be
carefully and fully documented so that the
machine maker can produce evidence, if
called upon to do so, that validation has been
properly carried out.
Many machine manufacturers may well
lack the in-house resources needed to
properly validate the SRP/CS in their
products. In such cases, use of an expert
consultant, such as Laidler Associates, will
prove an excellent investment and will mean
the requirement for validation to be carried
out by persons who are independent of the
design process will be automatically satisfied.
Laidler Associates is a division of TÜV SÜD Product Service.