Under EN ISO 13849-1, machine designers must ensure that the design of the safety-related parts of a control system (SRP/CS) is validated. Paul Laidler, business director for machinery safety at TÜV SÜD Product Service, a global product testing and certification organisation, comments.

An analysis by the Health and Safety Executive (HSE) of incidents involving safety-related parts of control systems found that poor design and implementation, together with incorrect specification, accounted for 59% of the causes identified. That represents a significant amount of downtime for businesses that depend on machinery, and these are exactly the types of problem that an effective validation process could have uncovered before the control system went into service.

Since the final withdrawal of EN 954-1 at the end of last year, its replacement (EN ISO 13849-1) must now be followed. Under EN ISO 13849-1, machine designers must meet the requirements of Section 8 of the new standard, which states that “the design of the safety related parts of the control system (SRP/CS) shall be validated.” The standard goes on to advise that details of the validation are given in EN ISO 13849-2.

Why validate?

The requirement for validation should not come as a surprise, as validation was already required by the old standard that EN ISO 13849-1 replaced. There are very good reasons for this, as the HSE publication ‘Out of Control: Why control systems go wrong and how to prevent failure’ reveals.

Available as a free download from the HSE website (www.hse.gov.uk), this booklet is aimed at users of control systems, designers, manufacturers and installers. It includes an analysis of incidents connected with safety-related parts of control systems, as well as guidance reflecting revisions of legislation and relevant standards. The booklet's primary purpose is to raise awareness of the technical causes of control system failure by examining actual case studies, which show that the defects involved were often obvious and could have been prevented.

If these are the types of problem that an effective validation process could have uncovered before the control system went into service, it is concerning that comparatively little attention has been given by machinery designers to the very important aspect of validation.

The validation process

So what exactly does validation involve? This is where we return to EN ISO 13849-2, which spells out the basic requirements very clearly in Section 3.1, Validation Principles. In part, this states:

“The validation shall demonstrate that each safety-related part meets the requirements of ISO 13849-1, in particular: the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and the requirements of the specified category [see ISO 13849-1, clause 6].

Validation should be carried out by persons who are independent of the design of the safety-related part(s).”

The standard explains that the use of the phrase ‘independent person’ does not necessarily mean that third-party testing is needed, but that the degree of independence should reflect the safety performance of the safety related part.

Now let's look at the validation process. As a preliminary step, the engineer designing the machine will have carried out a risk analysis to identify the performance level required (PLr) for each safety function that provides part of the overall risk reduction appropriate to the hazards associated with the machine, a procedure that is covered by EN ISO 13849-1. The engineer will then have designed a control system capable of meeting the PLr of each safety function. This is done by selecting a category (B, 1, 2, 3 or 4) from the standard and carrying out detailed calculations for the chosen components: the mean time to dangerous failure (MTTFd) of each channel, the average diagnostic coverage (DCavg) and the measures against common cause failure (CCF). The combination of category, MTTFd class and DCavg class then determines the PL actually achieved, which must be at least the PLr.

The validation process must re-examine all of these steps. It is clear why independent validation is so important, as engineers validating their own work could all too easily duplicate any mistakes they had made at the design stage. Validation, however, doesn’t finish with re-examining the design, as it must also look at the implementation of the SRP/CS and, in some cases, verify its functionality by testing.
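The following is an added worked example, not code from the article or from TÜV SÜD: it re-computes the achieved PL of one safety function with the simplified procedure of EN ISO 13849-1 (the category / MTTFd / DCavg table, Table 7 and Figure 5 of the standard), the kind of independent re-calculation a validator repeats from the designer's own component data rather than accepting the PL written in the design file. The component figures (B10d values, the relay MTTFd, the diagnostic coverages, the operating profile and the CCF score) are all constructed for illustration; the 100-year cap on channel MTTFd follows the 2006 edition and is an assumption of the example.

```python
"""Independent re-computation of an achieved performance level (PL)
with the simplified procedure of EN ISO 13849-1. Added example; all
component values are constructed, not taken from a real design."""

from dataclasses import dataclass

# Per-channel MTTFd is capped at 100 years in the simplified procedure of
# the 2006 edition (assumed here; later editions relax this for Cat 4 only).
MTTFD_CAP_YEARS = 100.0
CCF_MIN_SCORE = 65   # Categories 2, 3 and 4 need at least 65 CCF points


@dataclass
class Part:
    name: str
    mttfd: float   # mean time to dangerous failure, years
    dc: float      # diagnostic coverage, 0.0 .. 1.0


def mttfd_from_b10d(b10d: float, dop: float, hop: float, tcycle_s: float) -> float:
    """MTTFd (years) of an electromechanical part from its B10d value:
    nop = dop * hop * 3600 / tcycle (operations per year),
    MTTFd = B10d / (0.1 * nop)."""
    nop = dop * hop * 3600.0 / tcycle_s
    return b10d / (0.1 * nop)


def channel_mttfd(parts) -> float:
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i), then capped."""
    return min(1.0 / sum(1.0 / p.mttfd for p in parts), MTTFD_CAP_YEARS)


def channel_dcavg(parts) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(p.dc / p.mttfd for p in parts) / sum(1.0 / p.mttfd for p in parts)


def symmetrise(m1: float, m2: float) -> float:
    """Combine two redundant channels with unequal MTTFd (Annex D formula)."""
    combined = (2.0 / 3.0) * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))
    return min(combined, MTTFD_CAP_YEARS)


def mttfd_class(m: float):
    """MTTFd bands: low 3..<10, medium 10..<30, high 30..100 years."""
    if m < 3.0:
        return None            # below the range the standard covers
    if m < 10.0:
        return "low"
    if m < 30.0:
        return "medium"
    return "high"


def dc_class(dc: float) -> str:
    """DC bands: none <60 %, low 60..<90 %, medium 90..<99 %, high >=99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Simplified procedure: (category, DCavg class) -> MTTFd class -> PL.
# Combinations absent here are not covered by the simplified table and
# must be assessed with the standard's full procedure (result None).
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "c"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}


def achieved_pl(category: str, mttfd: float, dcavg: float, ccf_score: int):
    """PL reached by one SRP/CS, or None if the claim cannot be supported."""
    if category in ("2", "3", "4") and ccf_score < CCF_MIN_SCORE:
        return None            # insufficient CCF measures invalidate the category
    row = PL_TABLE.get((category, dc_class(dcavg)))
    return None if row is None else row.get(mttfd_class(mttfd))


def validate(category: str, channel, ccf_score: int, plr: str) -> dict:
    """Recompute the PL from component data and compare it with the PLr."""
    m, dc = channel_mttfd(channel), channel_dcavg(channel)
    pl = achieved_pl(category, m, dc, ccf_score)
    return {"mttfd": m, "mttfd_class": mttfd_class(m), "dcavg": dc,
            "dc_class": dc_class(dc), "pl": pl,
            "meets_plr": pl is not None and pl >= plr}   # PL letters sort a<b<c<d<e


# Constructed Category 3 guard interlock, both channels assumed identical:
# 220 days/year, 16 h/day, one guard cycle per minute.
NOP_ARGS = dict(dop=220, hop=16, tcycle_s=60)
EXAMPLE_CHANNEL = [
    Part("S1 position switch", mttfd_from_b10d(2_000_000, **NOP_ARGS), dc=0.99),
    Part("K1 safety relay (datasheet MTTFd)", 1000.0, dc=0.99),
    Part("Q1 contactor", mttfd_from_b10d(1_300_000, **NOP_ARGS), dc=0.90),
]

if __name__ == "__main__":
    for key, value in validate("3", EXAMPLE_CHANNEL, ccf_score=70, plr="d").items():
        print(f"{key:12} {value}")
```

Run as a script it reports the channel MTTFd (about 36 years, class high), a DCavg of about 94% (class medium) and therefore PL d for Category 3, which meets a PLr of d. Dropping the CCF score below 65, or asking for PLr e, makes `validate` report a failure, which is the point of running the figures again rather than reading them off the designer's sheet.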

Act now

In fact, there is even more to be done, as validation must also take into account the environmental conditions in which the machine will operate, including the effects of shock and vibration, as well as temperature, humidity and the effects of any lubricants and cleaning materials that might be used. Electromagnetic compatibility must also be considered, as should the effects of wear and other forms of deterioration as the machine ages. Finally, the validation process must be fully documented so that the machine manufacturer can produce evidence that it has been properly carried out.

Independent validation is clearly an important part of the process of stopping control systems from going wrong and of preventing the failure of machines in service. Unreliable machines that have not been appropriately validated will affect the end-users' bottom line, and will ultimately damage the reputation and sales revenue of any machinery producer that does not raise its game when it comes to validation. To avoid this, act now to ensure validation is included as part of the design process.