Safety-Related Parts of Control Systems - Validation to ISO 13849-2

Neglected Validation

The design of machines is often a lengthy process, and it does not always lead to an adequate result. Occasionally this is due to a lack of precision in planning. Sometimes it is because the stakeholders in the development process lose sight of the actual limits within which the product is to be used. For this reason it is important to check the functionality and suitability of a product systematically during the design process, so that any necessary adjustments can be made as early as possible. This matters even more when it comes to machine safety. In mechanical engineering, machines are frequently safeguarded by integrating safety-related control functions, and the ISO 13849 series is the central set of standards for doing so. ISO 13849-1 is widely used for the design of "safety-related parts of control systems" (SRP/CS). However, Part 2 of the standard, which defines the procedure for the targeted validation of those safety functions, still receives too little attention in practice, and that is a major shortcoming: Part 2 is at least as relevant as Part 1, because validation according to ISO 13849-2 plays an important role in the overall CE conformity assessment procedure.

The European Machinery Directive forms the legal framework within which ISO 13849 is applied. Since 1995 every manufacturer of machinery has been responsible for ensuring that the health and safety requirements of the Machinery Directive are met, and harmonised standards support them in doing so. If a product meets the requirements of a harmonised standard, it is presumed to comply with the essential health and safety requirements of Annex I of the Directive; this is the so-called 'presumption of conformity', with the associated reversal of the burden of proof. ISO 13849-2 defines the validation procedure for the safety functions implemented by the safety-related parts of the control system (SRP/CS). The validation must show that the design of the SRP/CS meets the safety requirements of ISO 13849-1, in particular the properties of the safety functions specified during the design process; the required Performance Level (PLr) determined in the risk assessment is the key criterion here. So that errors and deviations from the specification can be detected and corrected early, the validation should begin at an early stage of development or design rather than at the end.

Validation and verification

Validation consists of several steps, and a basic distinction must be made between verification and validation. Verification comprises the analyses and tests of the SRP/CS or of individual aspects of it. It determines whether the results achieved in a development or design phase correspond to the specifications for that phase, for example whether the circuit layout corresponds to the circuit design. The central verification question is whether the achieved Performance Level (PL) is at least equal to the required Performance Level (PLr); if it is not, the design must be changed. Validation, by contrast, is the proof of suitability for the real intended use, carried out during or at the end of the development process: it checks whether the specified safety requirements for the safety-related parts of the machine control system have actually been fulfilled.

Analysis and testing

Verification and validation are performed by analysis, or by a combination of analysis and testing. Analysis includes document review and, where necessary, analysis tools such as circuit simulators, static and dynamic software analysis tools or FMEA tools. If the analysis is not sufficient to demonstrate that the requirements are met, tests shall be performed to complete the validation. To test the failure behaviour of the safety functions, faults are injected (or simulated); an injected fault must not lead to the loss of the safety function, and the safety function must bring the machine into a safe state. As a general rule, the validation should be carried out by persons who were not involved in the design and construction of the SRP/CS. This does not necessarily mean that third-party verification is required: ISO 13849-2 recommends that the degree of independence be appropriate to the risk. For a low required Performance Level (PLr), a review by a 'different person' such as the designer's supervisor may be acceptable; for a higher PLr this is not sufficient and a greater degree of independence is necessary.

Validation steps

The validation procedure according to EN ISO 13849-2 requires the preparation of a validation plan describing the requirements and objectives of all activities to be performed. It also defines the means by which the specified safety functions, categories and Performance Levels are validated. To prepare the validation, comprehensive documents must be compiled: a description of the characteristics of each safety function, drawings and safety function specifications, principle and block diagrams, circuit diagrams, fault lists, a justification for every fault exclusion, and the user information.

Once the validation plan has been drawn up and the documents compiled, the analysis can begin. It covers the category of each SRP/CS and the parameters Mean Time to Dangerous Failure (MTTFD), average Diagnostic Coverage (DCavg) and the measures against Common Cause Failure (CCF). Categories classify the SRP/CS according to their resistance to faults and their behaviour in the event of a fault; they are also the starting point for determining the probability of dangerous failure and thus the PL. The aim of category validation is to confirm that all requirements of the category implemented by the SRP/CS are met.

The MTTFD values used to determine the PL are checked for plausibility as part of the analysis, for example by comparing manufacturer data sheets (MTTFD, or B10D for wearing parts such as contactors and switches) with the typical values in ISO 13849-1, Annex C. The diagnostic measures on which the DC is based must be justified comprehensibly and the claimed coverage checked for plausibility against the estimates in ISO 13849-1, Annex E. For failures due to common cause (CCF), ISO 13849-2 requires that the measures taken be validated using the points system of ISO 13849-1, Annex F: each fully implemented measure scores a fixed number of points, and at least 65 of the 100 available points must be reached. Here too, the claimed measures must be justified in a comprehensible manner rather than merely ticked off.
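The plausibility checks described above can be scripted so that a reviewer re-derives the PL from the claimed inputs instead of accepting the figure in the design file. The following Python is an added example written for this article, not code from ISO 13849 or from any vendor tool: it derives MTTFD from a B10D figure, applies the parts-count, two-channel symmetrisation and DCavg formulas, scores the CCF measures against the 65-point threshold and looks the result up in the simplified PL table of ISO 13849-1, then compares the achieved PL with the PLr. The component names, B10D figures, operating profile and set of CCF measures at the bottom are constructed for illustration; real values come from the data sheets and design documents listed in the validation plan.

```python
"""Plausibility chain for the parameters behind a PL estimate (simplified procedure of
ISO 13849-1), scripted the way a reviewer might re-check a spreadsheet or SISTEMA result.
Added example for this article, not code from the standard or a vendor; the component
data at the bottom are constructed and illustrative, not data-sheet values."""
from __future__ import annotations
from dataclasses import dataclass

MTTFD_CAP_YEARS = 100.0  # cap on MTTFD per channel (the 2500 a allowed for Cat 4 is not modelled)
CCF_MIN_SCORE = 65       # Annex F of ISO 13849-1: at least 65 of 100 points for Cat 2, 3 and 4
CCF_MEASURES = {         # Annex F points, awarded only for a fully implemented measure
    "separation": 15, "diversity": 20,     # separated signal paths; diverse technologies
    "overvoltage": 15, "well_tried": 5,    # over-voltage/-pressure/-current protection; well-tried parts
    "fmea": 5, "competence": 5,            # FMEA results used in design; designers trained on CCF
    "emc": 25, "other_influences": 10,     # contamination/EMC; temperature, shock, vibration, humidity
}
PL_TABLE = {  # Table 7 of ISO 13849-1: (category, DCavg band) -> {MTTFD band per channel: PL}
    ("B", "none"): {"low": "a", "medium": "b"},
    ("1", "none"): {"high": "c"},
    ("2", "low"): {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"): {"high": "e"},
}


@dataclass
class Part:
    name: str
    mttfd: float  # MTTFD of this part in years
    dc: float     # diagnostic coverage of the measure monitoring this part, 0.0 .. 1.0


def mttfd_from_b10d(b10d: float, dop: float, hop: float, tcycle_s: float) -> float:
    """MTTFD [a] of a wearing part: B10D / (0.1 * n_op), with n_op = d_op * h_op * 3600 / t_cycle."""
    nop = dop * hop * 3600.0 / tcycle_s
    return b10d / (0.1 * nop)

def channel_mttfd(parts: list[Part]) -> float:
    """Parts-count method for one channel: 1/MTTFD = sum(1/MTTFD_i)."""
    return 1.0 / sum(1.0 / p.mttfd for p in parts)

def symmetrised_mttfd(c1: float, c2: float) -> float:
    """Annex D formula for two redundant channels whose MTTFD values differ."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))

def dc_avg(parts: list[Part]) -> float:
    """Annex E: DCavg = sum(DC_i/MTTFD_i) / sum(1/MTTFD_i) over the parts of all channels."""
    return sum(p.dc / p.mttfd for p in parts) / sum(1.0 / p.mttfd for p in parts)

def mttfd_band(mttfd: float) -> str | None:
    m = min(mttfd, MTTFD_CAP_YEARS)
    if m < 3:
        return None  # below 3 a a channel cannot be used in the simplified procedure
    return "low" if m < 10 else "medium" if m < 30 else "high"

def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def ccf_score(measures: set[str]) -> int:
    return sum(CCF_MEASURES[m] for m in measures)

def estimate_pl(category: str, channels: list[list[Part]], measures: set[str]) -> dict:
    """Run the chain and keep every intermediate value for the validation report. A combination
    with no column in Table 7 (e.g. Cat 2 with DCavg none, Cat 3 with DCavg high) yields pl=None."""
    per_channel = [channel_mttfd(ch) for ch in channels]
    mttfd = per_channel[0] if len(per_channel) == 1 else symmetrised_mttfd(per_channel[0], per_channel[1])
    single_channel = category in ("B", "1")  # no diagnostics and no CCF requirement
    dcavg = 0.0 if single_channel else dc_avg([p for ch in channels for p in ch])
    score = ccf_score(measures)
    ccf_ok = single_channel or score >= CCF_MIN_SCORE
    mb, db = mttfd_band(mttfd), dc_band(dcavg)
    pl = PL_TABLE.get((category, db), {}).get(mb) if (mb and ccf_ok) else None
    return {"mttfd": mttfd, "mttfd_band": mb, "dcavg": dcavg, "dc_band": db,
            "ccf_score": score, "ccf_ok": ccf_ok, "pl": pl}

def meets_plr(pl: str | None, plr: str) -> bool:
    return pl is not None and pl >= plr  # PL letters a..e compare in the right order


# Constructed example: Category 3 guard interlock, PLr = d, redundant contacts S1a/S1b each
# driving its own contactor K1/K2. Operating profile: 220 d/a, 16 h/d, one guard cycle per 5 min.
NOP = dict(dop=220, hop=16, tcycle_s=300)
CH1 = [Part("S1a", mttfd_from_b10d(2_000_000, **NOP), dc=0.99),
       Part("K1", mttfd_from_b10d(1_300_000, **NOP), dc=0.90)]
CH2 = [Part("S1b", mttfd_from_b10d(2_000_000, **NOP), dc=0.99),
       Part("K2", mttfd_from_b10d(1_300_000, **NOP), dc=0.90)]
MEASURES = {"separation", "overvoltage", "well_tried", "fmea", "competence", "emc"}  # 70 points

def example() -> dict:
    result = estimate_pl("3", [CH1, CH2], MEASURES)
    result["meets_plr"] = meets_plr(result["pl"], "d")
    return result
```

A reviewer runs the same chain with the values claimed in the design documents. If any intermediate value does not hold up (an uncapped channel MTTFD far above the Annex C typical values, a DC of 99 % with no justified diagnostic measure behind it, a CCF score that reaches 65 only by counting a half-implemented measure), the PL at the end does not hold up either. The block deliberately returns None instead of a PL when the parameter combination has no column in the table, so that the reviewer has to look at the case rather than letting the script silently pick a neighbouring column.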

Avoid systematic failures

A further step is the validation of the measures taken to avoid systematic failures, for example through a thorough review of the design documents and through Failure Mode and Effects Analysis (FMEA). Tests by fault injection are also carried out. In addition, the performance of the SRP/CS and its immunity to environmental influences must be validated, by analysis and, where necessary, by testing. Foreseeable adverse conditions include mechanical stresses such as vibration, contamination, temperature fluctuations, condensation and electromagnetic interference.

Validation of the software

The safety-related software is validated following the so-called V-model. First, it is checked whether the requirements of the safety-related software specification for functional behaviour and performance criteria (e.g. timing requirements) have been correctly implemented. Second, tests are carried out to check the fault detection and fault handling performed by the software. To confirm that the software complies with the specification of the safety requirements, a corresponding report is prepared here as well; it becomes part of the validation report of the machine or plant. At the end of the analysis, the PL estimate itself is reviewed, and it is validated that the combination of SRP/CS which together implement a safety function (typically input, logic and output) achieves the Performance Level specified in the design. Finally, after all verification and validation steps have been completed, the validation report is prepared. It contains, in a comprehensible form, all information on the analyses and tests carried out on the hardware and software of the SRP/CS.
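The check that a combination of SRP/CS achieves the specified PL, as an added example for this article (not code from the standard or from any vendor): ISO 13849-1 offers two ways to find the PL of several parts that together implement one safety function, a rough estimate from the parts' PL letters alone (Table 11, which lowers the result when too many parts sit at the lowest PL) and the preferred method of adding the parts' PFHd values and mapping the sum back to a PL. The block does both and also checks that each part's PFHd is consistent with the PL it claims, which is the sort of data-sheet discrepancy a validation review is meant to catch. The three-part chain and its PFHd values are constructed.

```python
"""Combining SRP/CS that together implement one safety function (ISO 13849-1 clause 6.3).
Added example for this article, not code from the standard or a vendor; the PFHd figures
of the constructed chain at the bottom are illustrative, not product data."""
from __future__ import annotations

# PL -> [lower, upper) range of PFHd, the average probability of dangerous failure per hour
PFHD_RANGES = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
               "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

# Table 11 of ISO 13849-1: for the lowest PL in the chain, how many parts may sit at that PL
# before the combination drops one level, and the PL it drops to (None: not permitted).
TABLE_11 = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}


def combine_by_table(pls: list[str]) -> str | None:
    """Rough estimate from PL letters only, for when PFHd values are not available."""
    pl_low = min(pls)  # letters a..e sort in PL order
    n_low = pls.count(pl_low)
    limit, degraded = TABLE_11[pl_low]
    return pl_low if n_low <= limit else degraded

def pl_from_pfhd(pfhd: float) -> str | None:
    for pl, (lo, hi) in PFHD_RANGES.items():
        if lo <= pfhd < hi:
            return pl
    return None  # 1e-4/h or worse: no PL at all

def combine_by_pfhd(pfhds: list[float]) -> str | None:
    """Preferred method: the PFHd of parts in series add up; map the sum back to a PL."""
    return pl_from_pfhd(sum(pfhds))

def validate_combination(parts: dict[str, tuple[str, float]], plr: str) -> dict:
    """parts: name -> (PL claimed by the part, its PFHd). Returns both estimates and the PLr check."""
    by_table = combine_by_table([pl for pl, _ in parts.values()])
    by_pfhd = combine_by_pfhd([pfhd for _, pfhd in parts.values()])
    # a part whose PFHd does not fall in the range of its claimed PL invalidates the whole estimate
    consistent = all(pl_from_pfhd(pfhd) == pl for pl, pfhd in parts.values())
    achieved = by_pfhd if consistent else None
    return {"by_table": by_table, "by_pfhd": by_pfhd, "data_consistent": consistent,
            "achieved": achieved, "meets_plr": achieved is not None and achieved >= plr}


# Constructed chain: interlock switch (PL d) -> safety relay (PL e) -> contactor pair (PL d), PLr = d
CHAIN = {"S1": ("d", 2.5e-7), "K_logic": ("e", 2.3e-8), "K1/K2": ("d", 4.0e-7)}

if __name__ == "__main__":
    print(validate_combination(CHAIN, "d"))
```

When the two methods disagree, the PFHd sum is the one to report; Table 11 only tells the reviewer how many parts at the lowest PL the chain can tolerate before the overall level drops.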

Third party service providers

Early integration of validation into the design process helps to prevent costly design flaws and is therefore also in the manufacturer's economic interest. In addition, a carefully executed and properly documented validation is a considerable asset when responding to measures ordered by the authorities or in legal proceedings. Even after many years, coherent documentation can still be a great help to the manufacturer, especially when an existing machine or system is modified or upgraded; the Machinery Directive requires the technical file to be kept available for at least ten years after the last unit is manufactured. The validation does not have to be carried out by a third party, but it can be helpful to involve external service providers. Such experts can check the electrical, pneumatic and hydraulic schematics, calculate the Performance Levels and prepare the documents required for the technical file.