Long live EN 954-1?

It was recently announced that the replacement of the well-known EN
954-1 safety standard is to be delayed for a further two years.This delay
is very welcome, although it should not be seen as an excuse for
complacency, says Paul Laidler

Since as long ago as 1997, EN 954-1,
“Safety of Machinery, Safety
related parts of control systems”
has been the main European standard
underpinning the design and
functioning of machine control systems.

It has long been apparent, however, that
this standard has serious shortcomings.

In particular, it fails to deal adequately
with the programmable electronic safety
devices that are being used more and
more in modern machines.

Concerns have also been expressed that
the relationships between risk levels and
the categories defined in EN 954-1 do not
always appear to be logical, and that the
standard is too deterministic in its
approach and, therefore, fails to take due
account of probabilistic considerations.

To address these issues, EN ISO 13849-
1 was developed, and it was officially
adopted as the successor standard to EN
954-1 in October 2006. However, the
Machinery Directive Working Group of
the European Environmental and
Technical Regulation Directorate noted at
the time that transition to the new
standard “represents a drastic evolution in
the safety philosophy for control systems.”
For this reason, the maximum
permissible transition period – three years –
was allowed for the full adoption of the new
standard. During this period, the parallel
use of EN 954-1 and EN ISO 13849-1 was
permitted, and compliance with either
standard can be taken as providing
presumption of conformity to the revised
Machinery Directive 2006/42/EC.

The transition period expires on 28th
December 2009 – or at least that was the
original plan. In practice, the objective of
fully implementing the new standard from
this date has run into numerous problems.

One of the most significant of these is
related to the probabilistic approach that is
at the heart of EN ISO 13849-1.

Gone are the familiar safety categories
of EN 954-1, to be replaced by designated
Performance Levels from a-e (PLs a-e).

These PLs relate directly to the probability
of a system failing to danger. To achieve
PLa, for example, the average probability
of a failure to danger per hour must be in
the range >10-5 to < 10-4, while for PLe it must be in the range > 10-8 to < 10-7. This is all well and good, but how can those probabilities be determined? The most usual answer is that they are calculated on the basis of MTTF (mean time to failure) data for the components used in the safety system. And this is at the heart of the problem. In very many cases, the necessary MTTF data simply isn’t available. Note that this is not necessarily the fault of the component suppliers. Deriving reliable MTTF data is a difficult process that often requires component testing over long periods of time. Whatever the reason, if the MTTF data is not available, it becomes virtually impossible to determine the Performance Level for a system, which in turn makes it impossible for machine builders to meet the requirements of EN ISO 13849-1. This is not the only problem with fully implementing the new standard in December 2009. The old standard – EN 954- 1 – is referenced by many other harmonised standards, and it has not proved possible to update all of these dependent standards in time for the planned transition. In fact, the Machinery Directive Working Group reported in July 2009 that of 584 standards that needed updating, 92% were ready for Unique Approval Procedure/Final Vote, for 78% the Unique Approval Procedure/Final Vote was actually launched or closed, and only 53% had been published. If the original timetable for the introduction of EN ISO 13849-1 were to be retained, by the end of 2009 there would be many current standards that still referred to EN 954-1, which would by then be obsolete. This is clearly an undesirable situation. As an aside, it is worth noting that some harmonised standards are already available in the updated format. Those who wish to see examples may want to peruse EN ISO 12100-1 and EN ISO 12100-2, two Type A basic safety standards that cover basic terminology and methodology, and technical principles and specifications, respectively. Fortunately for all who have concerns over the imminent transition to EN ISO 13849-1, it seems that the Machinery Directive Working Group is taking a pragmatic approach to the issues this raises. The Group has recently announced that EN 954-1 can continue to be accepted “for a certain time” while it is still referenced by harmonised standards. It has been announced that the extended period of acceptance is two years and that up to 31 December 2011 EN 954-1 has presumption of conformity to the Machinery Directive. What does this mean for
machine builders?
For a start, it means that they are freed from
the near impossibility of complying with EN
ISO 13849-1 by the end of the year. It also
means that they can benefit from working to
the much more familiar requirements of EN
954-1 for some time to come. It doesn’t
mean, however, that they can ignore EN
ISO 13849-1 entirely, because it will
eventually be fully implemented.

What does this mean for
manufacturers?
From a manufacturers viewpoint they
might well see the extension as an
opportunity to rush through certification.

I think we might see an acceleration to get
machines CE and PUWER certified to
EN954-1 before the new legislation is in
place. However, forward-looking
manufacturers will be looking to make good
use of the breathing space they have been
granted. Most will undoubtedly prefer to
continue, for some time at least, to work to
EN 954-1 while also making preparations
for a timely transition to the new standard.

What does this mean for
machine users?
From a machine users point of view, if
they have concerns about EN ISO 13849-
1 then they will simply continue to
conduct PUWER (Provision and Use of
Work Equipment Regulations 1998)
assessments to conform to EN954-1.

It is important to remember, however,
that EN 954-1 is being replaced because it
has shortcomings. Manufacturers
continuing to use EN 954-1 cannot
simply ignore these shortcomings and rely
on this standard alone to demonstrate
that they have met their legal obligations
in relation to control system safety.

For example, as has already been
mentioned, EN 954-1 does not recognise
programmable electronic safety systems
even though these are rapidly growing in
number. Machine manufacturers relying
on EN 954-1 must, therefore, make
separate provision for assessing the
performance of any programmable
electronic safety devices they use. In this
particular case, one possible solution is to
call on the EN 62061 standard that deals
specifically with these devices.

Two points are, however, worth
making. The first is that there are many
cases where deciding on the appropriate
standard or standards to complement EN
954-1 is much more difficult than in this
example. The second point is that, even if
EN 62061 is appropriate – and it must be
remembered that it applies only to
systems where electricity is the sole source
of power – demonstrating compliance is
not necessarily straightforward.

In other words, even though EN 954-1
may feel like a very familiar standard,
there is a good case for those companies
that continue to use it to seek expert
advice on its limitations and how they can
best be addressed. Regrettably, there will
be some machine manufacturers that will
instead attempt to bury their corporate
heads in the sand, in exactly the same way
that some even now choose to ignore the
requirements of EN 954-1.

This is not a good idea. Certainly it is
possible to get away with failing to take
safety standards into account – up to a
point. If a situation arises where the result
is injury or death, however, the penalties
are draconian, especially following the
recent introduction of the new offence of
Corporate Manslaughter. Put plainly,
unless you enjoy the prospect of forfeiting
a lot of money and possibly spending some
time in jail, it’s simply not worth the risk.

What then, is the best course of action
for machine manufacturers? The first step
is to ensure that they are fully meeting
their obligations in relation to control
system safety for their current products,
which will probably mean doing more
than simply relying on EN 954-1.

The second step is to start making
preparations for the transition to EN ISO
13849-1. This is undeniably a complex
area as the new standard adopts an entirely
different approach from its predecessor,
and relies heavily on the interpretation of
data that may be unfamiliar. Once again,
therefore, an investment made in
sourcing expert guidance is likely to pay
for itself many times over.

There is no doubt that EN 954-1 is due
for replacement and that its successor, EN
ISO 13849-1 is better aligned with modern
equipment and practices. Nevertheless, as
we have seen, the delay in introducing the
new standard is largely to be welcomed.

Paul Laidler is managing director of Laidler
Associates. Find Laidler Associates on Stand 10
at Health & Safety ’10 South