The safety functions of machines are increasingly controlled by programmable equipment; therefore safe operation is linked to the correctness of the software, an essential element to avoid dangerous behavior of the machines. The validation of the software therefore becomes fundamental to guarantee the safety of the machinery.
Since the software is characterized by the presence of systematic - and not random - failures - the only feasible measure to limit the possibility that the software (both application and system) that controls safety functions causes dangerous behavior of the machine is to avoid, as far as possible , the introduction of errors during the software development phases (including revisions and corrections).
One of the most critical elements is the coexistence of software that performs safety functions and software necessary for the normal operation of the machine.
The UNI EN ISO 13849-1: 2016 standard requires that the parts of software that do not perform safety functions do not negatively influence those that control control circuits that must reach a required level of performance.
More generally, software dedicated to safety functions that must achieve a lower required performance level must not affect parts of the software with functions for which the required performance level is higher.
This risk is greater for the integrated PLCs which control the normal operation of the machine and which also perform safety functions, since in this case different parts of the software (safe and otherwise) coexist on the same programmable equipment.
A case that happens in machinery control software is the use of unsafe variables in software branches that perform safety functions; depending on how and where these variables are used, it could be that entire sections of software are not running and, consequently, the functions they control, such as monitoring a pressure or a temperature, are not active.
While programming tools usually highlight safe and functional elements of software, they do not prevent (and cannot prevent) parts of insecure software from being introduced into sections that perform security functions.
In fact, it is often necessary, for example, for the same actuator to be stopped both as part of the normal working cycle of the machine and for safety reasons (for example following the opening of an interlocked mobile guard).
It is therefore essential to carry out verification of the correct writing of the software - as prescribed by §4.6 of the UNI EN ISO 13849-1: 2016 standard - aimed at identifying errors that could compromise the safe operation of the machine.
In fact the criticalities inherent in an incorrect writing of the software would not manifest themselves during the normal functioning of the machine or during functional tests; for example, an unsafe variable does not compromise the correct operation of the machine as long as the PLC works regularly: in the event of a fault or anomalous conditions, however, this variable could take on undesired values and cause dangerous behavior of the machine.
An exhaustive software validation must also be carried out, which simulates anomalous and fault conditions, in order to highlight any unsafe behavior of the machine control circuits.
In the absence of these activities, the errors in the software are difficult to find as they are "hidden" within the code; the complexity of the behavior of a programmable equipment makes it decidedly more critical than wired circuits, which can be analyzed more easily.
Contact us if you need advice to validate the machinery you design and build.