
Validation of safety-related control systems

Designers of machinery and control systems have worked for many years with BS EN 954 (Safety of machinery, Safety related parts of control systems), with Part 1 (General principles for design) being one of the key documents. Less well known is prEN 954-2 (Safety of machinery, Safety related parts of control systems, Validation). This was intended to be the second part of this important standard but, as can be seen by the 'pr', it never progressed beyond the status of a draft. However, with EN 954-1 soon to be replaced by ISO 13849-1 (see recent news and an article), the standards committees have pressed ahead with the corresponding ISO 13849-2:2003 (Safety of machinery, Safety related parts of control systems, Validation), which would have replaced and superseded EN 954-2 had that part of the earlier standard ever been ratified.

As can be seen from the date, Part 2 of ISO 13849 was published in 2003, in advance of Part 1, so it refers to both EN 954-1 and ISO 13849-1. Because of the unusual timing arrangements, there could well be a degree of confusion when ISO 13849-1 is published; for example, there are references in Part 2 to 'categories' (in line with EN 954-1), whereas ISO 13849-1 is expected to refer to 'performance levels' used alongside categories.

Nonetheless, the existence of a published ISO 13849-2 gives machine builders a standard against which they can work when validating safety-related control systems.

The scope of BS EN ISO 13849-2 is relatively broad, encompassing the validation of safety-related parts of control systems that use mechanical, pneumatic, hydraulic and electrical (and electronic) technologies. But machine builders working with programmable electronic systems are directed towards IEC 61508 and IEC 62061.

Validation requires both analysis and testing in most cases, and the standard states that the validation shall "demonstrate that each safety-related part meets the requirements of EN 954-1 (ISO 13849-1), in particular: the specified safety characteristics of the safety functions provided by that part, as set out in the design rationale, and; the requirements of the specified category."

Importantly, the rigour of validation increases with the required performance level and complexity. For complex systems, validation should be carried out by persons who are independent of the design of the safety-related parts.

A flow diagram in ISO 13849-2 shows the validation process, with the preparation of the Validation Plan coming first. Furthermore, it is recommended that the analysis should commence in parallel with the design process in order that problems can be corrected as soon as possible and at minimum cost.

Other activities that can be started at an early stage are the preparation of generic fault lists and specific fault lists. These lists can be compiled using the tables included in the informative appendices to ISO 13849-2, and criteria are provided that, if met, permit faults to be excluded (for example: in the case of a relay, the fault might be the simultaneous closing of normally open and normally closed contacts; this can be excluded if positively driven (or mechanically guided) contacts are used).

Of course, documentation is an essential element of meeting the requirements of ISO 13849-2, though most of this information should be available already if the requirements of EN 954-1 (ISO 13849-1) are being met. A look-up table within ISO 13849-2 shows what types of documentation are required, depending on the category. In addition, the validation analysis and testing must be recorded.

For the analysis, both top-down techniques (such as Fault Tree Analysis) and bottom-up techniques (such as Failure Modes and Effects Analysis) can be used, depending on the goal to be achieved.
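As an added illustration of the two activities just described (compiling a fault list with fault exclusions, then a top-down analysis of whether any single remaining fault defeats the safety function), here is a small Python model. It is not code from the article, from Pilz or from ISO 13849-2: the component kinds, fault modes, exclusion criteria and the dual-channel stop circuit are constructed examples, and the fault tree is a plain AND/OR evaluation rather than the standard's own tables.

```python
"""Fault-list compilation with fault exclusion, followed by a top-down
single-fault check against a small fault tree.

All component kinds, fault modes, exclusion criteria and the example
circuit below are constructed for illustration (hypothetical), not taken
from the informative appendices of ISO 13849-2."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    kind: str
    attrs: dict = field(default_factory=dict)


# Generic fault list: kind -> [(fault mode, exclusion criterion or None, justification)].
# A criterion is a predicate on the component; when it holds, the fault is excluded
# and the justification is recorded so the exclusion is traceable in the validation record.
GENERIC_FAULTS = {
    "relay": [
        ("contact fails to open (welded)", None, ""),
        ("NO and NC contacts closed simultaneously",
         lambda c: c.attrs.get("positively_driven", False),
         "positively driven (mechanically guided) contacts"),
        ("coil fails to energise", None, ""),
    ],
    "switch": [
        ("contact fails to open",
         lambda c: c.attrs.get("positive_opening", False),
         "positive opening action"),
        ("contact fails to close", None, ""),
    ],
}


def compile_fault_list(components):
    """Return (faults to consider, excluded faults with justification)."""
    consider, excluded = [], []
    for comp in components:
        for mode, criterion, why in GENERIC_FAULTS[comp.kind]:
            if criterion is not None and criterion(comp):
                excluded.append((comp.name, mode, why))
            else:
                consider.append((comp.name, mode))
    return consider, excluded


def top_event_occurs(tree, active_faults):
    """Evaluate a fault tree: gates are ("AND"|"OR", [children]),
    leaves are (component name, fault mode) present in active_faults."""
    if tree[0] in ("AND", "OR"):
        gate, children = tree
        results = [top_event_occurs(child, active_faults) for child in children]
        return all(results) if gate == "AND" else any(results)
    return tree in active_faults


def single_faults_defeating(tree, fault_list):
    """Every single fault from the list that on its own causes the top event."""
    return [fault for fault in fault_list if top_event_occurs(tree, {fault})]


def example_circuit(positive_opening):
    """Constructed dual-channel stop circuit: one stop switch S1 feeding two
    contactors K1 and K2 whose contacts are in series in the power path."""
    components = [
        Component("S1", "switch", {"positive_opening": positive_opening}),
        Component("K1", "relay", {"positively_driven": True}),
        Component("K2", "relay", {"positively_driven": True}),
    ]
    # Top event: hazardous movement continues despite a stop demand.
    # It occurs if the switch never opens, or if both contactors weld.
    tree = ("OR", [
        ("S1", "contact fails to open"),
        ("AND", [("K1", "contact fails to open (welded)"),
                 ("K2", "contact fails to open (welded)")]),
    ])
    consider, excluded = compile_fault_list(components)
    return consider, excluded, single_faults_defeating(tree, consider)


if __name__ == "__main__":
    for positive in (True, False):
        consider, excluded, defeating = example_circuit(positive)
        print(f"positive opening switch: {positive}")
        print("  faults to consider:", consider)
        print("  excluded:", excluded)
        print("  single faults defeating the function:", defeating)
```

Running the model with a positive-opening stop switch leaves no single fault that defeats the function, because the switch's "fails to open" mode is excluded and the welded-contactor path needs two faults; with an ordinary switch the same analysis flags "S1 contact fails to open" as a single point of failure, which is the kind of finding the analysis step is meant to surface before testing begins.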

Testing is described as "complementary to analysis and often necessary"; it should be adequately planned, performed in a logical sequence, and the results recorded. Tests should be performed on a sample operated at or near to its final operating configuration (for instance, with guards and covers in place).

However, for the validation of categories, the standard refers to three types of validation method: analysis from circuit diagrams; tests on the actual circuit and fault simulation on actual components; and a simulation of control system behaviour, e.g. by means of hardware and/or software models. Clearly any software or hardware models will, themselves, need to be validated accordingly.

It is now almost a year since ISO 13849-2 was published, and very little has been said or written about it. While it is likely that most machine builders working to EN 954-1 will have been performing some form of validation of the safety-related parts of their control systems, they should be aware that there is a standard to which they should be working. Copies of the standard are available through Pilz, which is an official BSI Distributor, or email consulting@pilz.co.uk for help and advice on the validation of safety-related parts of control systems.


Pilz Automation Ltd
Pilz House, Little Colliers Field
Corby, Northants, NN18 8TJ
United Kingdom

Telephone: +44 1536 460766
E-Mail: sales@pilz.co.uk

Press contact

Telephone: +44 1536 460766
E-Mail: marketing@pilz.co.uk
