Long live EN 954-1?
23 January 2013
It was recently announced that the replacement of the well-known EN 954-1 safety standard is to be delayed for a further two years. This delay is very welcome, although it should not be seen as an excuse for complacency, sa
Since as long ago as 1997, EN 954-1, "Safety of Machinery, Safety related parts of control systems" has been the main European standard underpinning the design and functioning of machine control systems.
It has long been apparent, however, that this standard has serious shortcomings.
In particular, it fails to deal adequately with the programmable electronic safety devices that are being used more and more in modern machines.
Concerns have also been expressed that the relationships between risk levels and the categories defined in EN 954-1 do not always appear to be logical, and that the standard is too deterministic in its approach and, therefore, fails to take due account of probabilistic considerations.
To address these issues, EN ISO 13849-1 was developed, and it was officially adopted as the successor standard to EN 954-1 in October 2006. However, the Machinery Directive Working Group of the European Environmental and Technical Regulation Directorate noted at the time that transition to the new standard "represents a drastic evolution in the safety philosophy for control systems." For this reason, the maximum permissible transition period - three years - was allowed for the full adoption of the new standard. During this period, the parallel use of EN 954-1 and EN ISO 13849-1 was permitted, and compliance with either standard can be taken as providing presumption of conformity to the revised Machinery Directive 2006/42/EC.
The transition period expires on 28th December 2009 - or at least that was the original plan. In practice, the objective of fully implementing the new standard from this date has run into numerous problems.
One of the most significant of these is related to the probabilistic approach that is at the heart of EN ISO 13849-1.
Gone are the familiar safety categories of EN 954-1, to be replaced by designated Performance Levels from a-e (PLs a-e).
These PLs relate directly to the probability of a system failing to danger. To achieve PLa, for example, the average probability of a failure to danger per hour must be in the range > 10⁻⁵ to < 10⁻⁴, while for PLe it must be in the range > 10⁻⁸ to < 10⁻⁷.
This is all well and good, but how can those probabilities be determined? The most usual answer is that they are calculated on the basis of MTTF (mean time to failure) data for the components used in the safety system.
And this is at the heart of the problem.
In very many cases, the necessary MTTF data simply isn't available. Note that this is not necessarily the fault of the component suppliers. Deriving reliable MTTF data is a difficult process that often requires component testing over long periods of time. Whatever the reason, if the MTTF data is not available, it becomes virtually impossible to determine the Performance Level for a system, which in turn makes it impossible for machine builders to meet the requirements of EN ISO 13849-1.
This is not the only problem with fully implementing the new standard in December 2009. The old standard - EN 954-1 - is referenced by many other harmonised standards, and it has not proved possible to update all of these dependent standards in time for the planned transition. In fact, the Machinery Directive Working Group reported in July 2009 that of 584 standards that needed updating, 92% were ready for Unique Approval Procedure/Final Vote, for 78% the Unique Approval Procedure/Final Vote was actually launched or closed, and only 53% had been published.
If the original timetable for the introduction of EN ISO 13849-1 were to be retained, by the end of 2009 there would be many current standards that still referred to EN 954-1, which would by then be obsolete.
This is clearly an undesirable situation.
As an aside, it is worth noting that some harmonised standards are already available in the updated format. Those who wish to see examples may want to peruse EN ISO 12100-1 and EN ISO 12100-2, two Type A basic safety standards that cover basic terminology and methodology, and technical principles and specifications, respectively.
Fortunately for all who have concerns over the imminent transition to EN ISO 13849-1, it seems that the Machinery Directive Working Group is taking a pragmatic approach to the issues this raises.
The Group has recently announced that EN 954-1 can continue to be accepted "for a certain time" while it is still referenced by harmonised standards. It has been announced that the extended period of acceptance is two years and that up to 31 December 2011 EN 954-1 has presumption of conformity to the Machinery Directive.
What does this mean for machine builders? For a start, it means that they are freed from the near impossibility of complying with EN ISO 13849-1 by the end of the year. It also means that they can benefit from working to the much more familiar requirements of EN 954-1 for some time to come. It doesn't mean, however, that they can ignore EN ISO 13849-1 entirely, because it will eventually be fully implemented.
What does this mean for manufacturers? From a manufacturer's viewpoint they might well see the extension as an opportunity to rush through certification.
I think we might see an acceleration to get machines CE and PUWER certified to EN 954-1 before the new legislation is in place. However, forward-looking manufacturers will be looking to make good use of the breathing space they have been granted. Most will undoubtedly prefer to continue, for some time at least, to work to EN 954-1 while also making preparations for a timely transition to the new standard.
What does this mean for machine users? From a machine user's point of view, if they have concerns about EN ISO 13849-1 then they will simply continue to conduct PUWER (Provision and Use of Work Equipment Regulations 1998) assessments to conform to EN 954-1.
It is important to remember, however, that EN 954-1 is being replaced because it has shortcomings. Manufacturers continuing to use EN 954-1 cannot simply ignore these shortcomings and rely on this standard alone to demonstrate that they have met their legal obligations in relation to control system safety.
For example, as has already been mentioned, EN 954-1 does not recognise programmable electronic safety systems even though these are rapidly growing in number. Machine manufacturers relying on EN 954-1 must, therefore, make separate provision for assessing the performance of any programmable electronic safety devices they use. In this particular case, one possible solution is to call on the EN 62061 standard that deals specifically with these devices.
Two points are, however, worth making. The first is that there are many cases where deciding on the appropriate standard or standards to complement EN 954-1 is much more difficult than in this example. The second point is that, even if EN 62061 is appropriate - and it must be remembered that it applies only to systems where electricity is the sole source of power - demonstrating compliance is not necessarily straightforward.
In other words, even though EN 954-1 may feel like a very familiar standard, there is a good case for those companies that continue to use it to seek expert advice on its limitations and how they can best be addressed. Regrettably, there will be some machine manufacturers that will instead attempt to bury their corporate heads in the sand, in exactly the same way that some even now choose to ignore the requirements of EN 954-1.
This is not a good idea. Certainly it is possible to get away with failing to take safety standards into account - up to a point. If a situation arises where the result is injury or death, however, the penalties are draconian, especially following the recent introduction of the new offence of Corporate Manslaughter. Put plainly, unless you enjoy the prospect of forfeiting a lot of money and possibly spending some time in jail, it's simply not worth the risk.
What then, is the best course of action for machine manufacturers? The first step is to ensure that they are fully meeting their obligations in relation to control system safety for their current products, which will probably mean doing more than simply relying on EN 954-1.
The second step is to start making preparations for the transition to EN ISO 13849-1. This is undeniably a complex area as the new standard adopts an entirely different approach from its predecessor, and relies heavily on the interpretation of data that may be unfamiliar. Once again, therefore, an investment made in sourcing expert guidance is likely to pay for itself many times over.
There is no doubt that EN 954-1 is due for replacement and that its successor, EN ISO 13849-1, is better aligned with modern equipment and practices. Nevertheless, as we have seen, the delay in introducing the new standard is largely to be welcomed.
Paul Laidler is managing director of Laidler Associates. Find Laidler Associates on Stand 10 at Health & Safety '10 South