EN ISO 13849
Validation neglected
EN ISO 13849 is decisive for the integration of safety-related control functions in machines. However, the part of the standard relating to validation is often neglected in practice - a major shortcoming.
The construction of machines, systems or even buildings is often a lengthy process - which does not always lead to a satisfactory result. Sometimes this is due to a lack of precision in the planning. Sometimes, however, it is also due to the fact that those involved in the development process lose sight of the actual conditions in which the product is to be used. For this reason, it is important to systematically check the functionality and suitability of a product during the design process so that any necessary adjustments can be made as early as possible. This is all the more important when it comes to products in the field of machine safety, which are intended to protect the health - or even the lives - of employees.
In mechanical engineering, it is often necessary to safeguard machines by integrating safety-related control functions. EN ISO 13849 Part 1 is a central and widely used standard for the design of "safety-related parts of control systems". Part 2 of this standard - which defines the procedure for the targeted validation of safety functions - still receives too little attention, even though it is at least as relevant and critical: validation is the only way to provide proof of suitability in relation to the actual application. Consequently, validation in accordance with EN ISO 13849 Part 2 plays an important role in the overall CE conformity assessment process.
Legal framework
The European Machinery Directive forms the legal framework for EN ISO 13849. Since 1995, every manufacturer of machinery has been responsible for ensuring that the requirements of the European Machinery Directive regarding safety and health protection are met. They are supported in this by standards. If a product meets the requirements of a harmonized standard, it is assumed that the product complies with the essential safety requirements in Annex 1 of the Machinery Directive. In this context, there is also talk of the so-called 'presumption of conformity' with the associated reversal of the burden of proof.
EN ISO 13849 Part 2 specifies the validation procedure for the safety functions contained in the machine. The term SRP/CS (safety-related parts of a control system) is also used in this context. The validation must demonstrate that the design of the SRP/CS fulfills the safety requirements of EN ISO 13849-1, particularly with regard to the properties of the safety functions defined in the design process. The required performance level (PLr) determined is a particular focus here. To ensure that errors or deviations from the specifications can be detected and corrected at an early stage, it is advisable to start this process as early as possible in the development or design phase.
Validation and verification
Validation is made up of various steps, and a basic distinction is made between verification and validation. Verification comprises the analyses and tests for the SRP/CS or their sub-aspects. It determines whether the results achieved in a development phase or design stage correspond to the specifications for that phase, for example whether the circuit layout corresponds to the circuit design. Verification focuses on the question of whether the achieved performance level (PL) is at least equal to (or greater than) the required performance level (PLr). If this is not the case, design adjustments must be made.
Validation, on the other hand, refers to the proof of suitability - in relation to the actual intended use - which takes place during the development process or at the end of it. It checks whether the specified safety requirements for the safety-relevant parts of the machine control system have been met.
Analysis and testing
Verification and validation can be carried out exclusively through analysis or alternatively through a combination of analysis and testing. As part of the analysis, for example, documents are reviewed and, where necessary, analysis tools are used - such as circuit simulators, tools for static and dynamic software analysis or FMEA tools.
If the analysis is not sufficient to show that the requirements are met, tests must complete the validation. To test the failure behavior of the safety functions, faults are simulated, among other things; the occurrence of these faults must not lead to the loss of the safety function.
As a general rule, the entire validation process should be carried out by 'other' or 'independent' persons, i.e. persons who were not involved in the design and construction of the SRP/CS. However, this does not necessarily mean that third-party testing is required.
The Institute for Occupational Safety and Health of the German Social Accident Insurance (IFA) makes recommendations in this regard based on the principle that the degree of independence should be appropriate to the risk - i.e. to the required performance level PLr. For PL a, for example, this could be 'another person' (such as the line manager); for PL e, this would not be sufficient and a higher degree of independence would be required.
Validation process steps
The validation procedure in accordance with EN ISO 13849-2 prescribes the creation of a validation plan that describes the requirements and objectives of all activities to be carried out. It also defines the means of validating the defined safety functions, categories and performance levels. These include
Figure: It is important to systematically check the functionality and suitability of a product as early as the design process. (© Schmersal)
To prepare for the validation procedure, it is essential to compile extensive documents - for example, a description of the characteristics of each individual safety function, drawings and specifications for the safety function, principle and block diagrams, circuit diagrams, fault lists, the justification of all fault exclusions and user information.
Once the validation plan has been drawn up and the necessary documents have been compiled, the analysis can begin. This includes checking the individual categories and the parameters Mean Time to Dangerous Failure (MTTFD), Diagnostic Coverage (DCavg) and Common Cause Failure (CCF).
Categories classify the SRP/CS in terms of their resistance to faults and their behavior in the event of a fault. They are also the starting point for determining the probability of failure and the PL. The aim of category validation is to confirm all the requirements placed on the category realized by the SRP/CS.
The MTTFD value used to determine the PL is checked for plausibility as part of the analysis, for example by comparing product data sheets with the values from EN ISO 13849-1, Annex C. The DC measures for the detection and control of faults and failures must be comprehensibly justified and the corresponding information checked for plausibility.
EN ISO 13849-2 describes a special procedure based on a points system for validating the selected measures against common cause failures (CCF). A corresponding table can be found in Annex F, Table F.1. of the standard. Here too, the information should be clearly justified.
Avoid systematic failures
A further process step is the validation of measures to prevent systematic failures, for example through a thorough inspection of the development documents and through failure analyses such as Failure Mode and Effects Analysis (FMEA). Tests are also carried out by simulating faults. In addition, the performance and immunity of the SRP/CS to environmental influences must be validated - by analysis and, if necessary, by testing. Expected adverse conditions include mechanical stresses such as vibrations or soiling, temperature fluctuations, humidity or electromagnetic interference.
Validation of the software
The validation of the safety-related software is carried out using the so-called V-model: On the one hand, it is checked whether the requirements of the safety-related software specification for the functional behavior and the performance criteria (e.g. time-related specifications) have been implemented correctly. On the other hand, tests are carried out to test the software's ability to detect and control errors. To confirm that the software complies with the specification of the safety requirements, a corresponding report is also created here, which becomes part of the validation report of the machine or system.
At the end of the analysis, the correct estimation of the PL is checked and a validation is carried out with regard to the question of whether a combination of safety-related parts achieves the performance level specified in the design.
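The verification step (achieved PL at least equal to PLr) and the plausibility checks on MTTFD, DCavg and the CCF score described above can be re-run mechanically before the validation report is written. The following is an added example, not code from the article or from Schmersal/tec.nicum; it assumes the simplified PL table of EN ISO 13849-1:2015 (Table 7) and the 65-point CCF threshold of its Annex F, and all sample values are constructed for a hypothetical two-channel circuit.

```python
# Added example, not code from the article or from Schmersal/tec.nicum.
# Simplified PL estimate from EN ISO 13849-1 (Table 7 of the 2015 edition) and
# the CCF point threshold from its Annex F, used to re-check the analysis
# results the way the validation step described in the article does.
# All sample values below are constructed for a hypothetical two-channel circuit.

MTTFD_BANDS = ((3, 10, "low"), (10, 30, "medium"), (30, float("inf"), "high"))
DC_BANDS = ((0, 60, "none"), (60, 90, "low"), (90, 99, "medium"), (99, float("inf"), "high"))

# (category, DCavg band) -> {MTTFD band per channel: achievable PL}.
# Combinations missing here are not covered by the simplified procedure.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("4", "high"):   {"high": "e"},
}
CCF_MIN_SCORE = 65  # points required in categories 2, 3 and 4 (Annex F, Table F.1)

def band(value, bands):
    """Map a numeric MTTFD (years) or DCavg (%) to its band name, None if out of range."""
    for lo, hi, name in bands:
        if lo <= value < hi:
            return name
    return None

def verify(category, mttfd_years, dc_avg_percent, ccf_score, pl_required):
    """Return (achieved PL or None, list of findings) for the validation report."""
    findings = []
    mttfd_band = band(mttfd_years, MTTFD_BANDS)
    dc_band = band(dc_avg_percent, DC_BANDS)
    pl = PL_TABLE.get((category, dc_band), {}).get(mttfd_band)
    if pl is None:
        findings.append(f"category {category}, MTTFD {mttfd_years} a, DCavg "
                        f"{dc_avg_percent} %: not covered by the simplified procedure")
    elif pl < pl_required:  # letters a..e compare in order of increasing risk reduction
        findings.append(f"achieved PL {pl} is below PLr {pl_required}: design adjustment needed")
    if category in ("2", "3", "4") and ccf_score < CCF_MIN_SCORE:
        findings.append(f"CCF score {ccf_score} is below the required {CCF_MIN_SCORE} points")
    return pl, findings

if __name__ == "__main__":
    # Constructed cases: the first passes, the second fails on both PL and CCF.
    print(verify("3", 45, 92, 70, "d"))   # ('d', [])
    print(verify("3", 20, 75, 55, "d"))   # ('c', [two findings])
```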
Finally, once all verification and validation steps have been carried out, the validation report is prepared. This contains all the details of the analyses and tests carried out on the hardware and software of the SRP/CS in a comprehensible form.
External service providers
Integrating validation into the design process at an early stage helps to prevent costly design errors and is therefore also of interest to the manufacturer in terms of cost-effectiveness. In addition, carefully carried out and appropriately documented validation is a relief not to be underestimated when implementing measures ordered by the authorities or in court proceedings. Even after many years, comprehensible documentation can be a relieving factor for the manufacturer of machines and systems.
Validation does not necessarily have to be carried out by third parties, but it can be helpful to involve external service providers. For example, tec.nicum - the service division of the Schmersal Group - offers both individual services that are required as part of the validation process as well as support throughout the entire process. If required, the experts can check the circuit diagrams of the electrical, pneumatic and hydraulic system, calculate the performance level and create all documents for complete documentation.
Author:
Tobias Keller is a Safety Consultant at tec.nicum, the Services division of the Schmersal Group in Wuppertal.