Beyond Self-Certification

This keynote was delivered by Dom Barraclough, our Managing Director.

Let’s begin by acknowledging how fundamentally our industry has changed.

Increasing automation and digital control systems are no longer novelties, they’re standard practice. We’ve been deploying PLC-controlled winders for some time, SCADA systems are increasingly managing multiple operations remotely, and predictive maintenance algorithms are monitoring equipment health in real-time, and we have robotics and fully autonomous plant and equipment in many sectors, including mining.

Remote operations are expanding rapidly. Although development started in the 80’s, what once required constant human supervision can now be monitored from centralised control rooms, sometimes hundreds of kilometres away.

This technological evolution brings tremendous benefits: improved efficiency, better data for decision-making, and in many cases, reduced exposure of personnel to hazardous environments.

But it also brings growing complexity in safety-critical equipment. For example, a modern mine winder isn’t just a piece mechanical engineering, with mechanical safety systems, a loader doesn’t now always have a human in the driving seat and even when it does there are several onboard microprocessors, and the relays, switches, contactors  and operators in process line will enviably be replaced by a microprocessor and software code, my first job on a cherry picker design in 1990 was to convert relay logic into a GE Fanuc PLC system – each is a complex integration of electrical systems, software logic, communication networks, and mechanical components and the human. Do not just think computers and software, each layer, including the mechanical and human sub-systems, adds potential failure modes that may not be immediately obvious. They are all sub-systems.

And with this complexity comes heightened regulatory and stakeholder scrutiny. Regulators are asking harder questions. Insurance underwriters are demanding more comprehensive assurance. Many industrial sectors, including mine operators, are under pressure from boards, investors, and communities to demonstrate that safety claims are independently verified and demonstrable.

We must be careful not to criticise self-certification too much, let’s be clear about where it works well and why it exists.

Where self-certification works well: For straightforward, well-understood equipment with established design patterns and low complexity, manufacturer self-certification under legislation such as the Supply of Machinery Safety Regulations can be entirely appropriate. If you’re installing a conveyor, a pumping system, some form of power plant, the manufacturer’s declaration of conformity, backed by their technical file (if you can get it or part of it), may provide adequate assurance.

The speed and cost efficiency advantages are real. Self-certification streamlines the supply chain, reduces paperwork, and allows equipment to reach the market faster. For lower-risk machinery, this makes perfect economic sense. This is the basis of The Machinery Directive.

There’s also genuine value in manufacturer knowledge and expertise. Nobody understands a piece of equipment better than the people who designed and built it. They know the design intent, the materials, the testing regime, and the performance envelope.

However, and this is crucial, self-certification has clear limitations in complex or novel systems.

When you’re dealing with safety-critical control systems, bespoke designs, or equipment operating in unusual environments, the assumptions that make self-certification acceptable begin to break down.

This is particularly true when we consider functional safety requirements. Modern mine winders and other safety-critical may need to achieve specific Safety Integrity Levels (SILS) under ISO 62061 or Performance Levels (PLS) under EN 13849. These aren’t just theoretical classifications, they’re quantified measures of reliability that require systematic analysis, validation, and verification. We’ll hear Gareth talk in more detail about this area in a few minutes.

What happens if there is no specific legislation setting the safety goals for equipment?

Mine Winders in the UK are a good example , they are excluded in Schedule 3(1)(i) of the Supply of Machinery Safety Regulations, while this was helpful when other legislation applied, what happens when that legislation is no longer in force and current is not updated? Interestingly, roller coasters are the same, they are excluded from the Machinery Safety Regulations and don’t even have an equivalent of MR14 but do have a HSG.

We need to ask: Is self-certification enough, or do we need something more?

Let’s be direct about the limitations.

First, there are inherent conflicts of interest. When the organisation responsible for design, costing, manufacturing, and delivery is also responsible for certifying safety compliance, there’s a structural tension between commercial objectives and thorough safety assurance. I’m not questioning anyone’s integrity, I’m simply acknowledging that human psychology and organisational pressures create bias.

Second, self-certification typically involves limited independent scrutiny. The technical documentation and processes may be comprehensive and robust, the risk assessment may be thorough, but if it’s only reviewed internally, there’s no external challenge to assumptions, no fresh perspective to spot gaps or question design choices.

Third, we face pressure from commercial timelines. When project deadlines loom and clients demand delivery, there’s enormous pressure to sign off on conformity assessments quickly. Independent verification, with its additional time and questioning, can feel like an obstacle rather than a safeguard.

Finally, self-certification misses out on gaps in cross-sector learning and benchmarking. A manufacturer focused on mining equipment may not be aware of failure modes identified in offshore lifting, or control system vulnerabilities discovered in theme park rides, or lessons from cableway installations, or pressure system failures in process industries. Independent verifiers who work across multiple industries bring that broader perspective.

There’s also the technical challenge of functional safety verification. Everyone’s favourite topic of debate. Demonstrating that a safety function achieves SIL 2 or Performance Level d requires detailed calculation. These calculations can be complex, highly technical, and easily overlooked or miscalculated without independent scrutiny. This is an area that is often misunderstood, sometimes made too complex and seems to somehow feel like it sits outside the hierarchy of control or is the safety panacea.

So, what does independent verification actually add?

First and most fundamentally: impartial technical review and challenge. An independent verifier has no commercial stake in the project completing quickly or staying within budget. Their only obligation is to the technical integrity of the assessment. They can ask uncomfortable questions, challenge assumptions, and require additional evidence without worrying about client relationships or contract penalties.

Second: enhanced design integrity assurance. Independent verification applies a second set of expert eyes to the design, examining whether the risk assessment is comprehensive, whether safety-critical functions are properly identified, whether protective measures are adequate, and whether residual risks are acceptable.

For safety-critical control systems, this includes verification of functional safety calculations. When a manufacturer claims their braking system achieves SIL 3 under ISO 62061, an independent verifier will check the architecture category, validate the MTTFd calculations for each component, verify the diagnostic coverage percentages, assess common cause failure mitigation measures, and confirm that the achieved Safety Integrity Level genuinely meets the required level. This technical validation requires specialist expertise and independence from commercial pressures.

This isn’t about distrust, it’s about rigorous professional discipline and working together for a common safety goal.

Third: cross-sector expertise and best practice application. Working across, we work across mining, offshore, marine, entertainment, and industrial sectors. There are lessons from theme park ride safety certification under the LEAPS scheme for example, from cableway installations in alpine environments, from offshore lifting operations in the North Sea and from other hazardous industries. That cross-pollination of knowledge strengthens every assessment. Perhaps it’s essential.

Fourth: regulatory confidence and compliance support. When a regulator arrives for an intervention or inspection and asks for evidence of compliance with the Mines Regulations 2014, being able to present an independent third-party verification report carries far more weight than a manufacturer’s self-certification. It demonstrates due diligence. It shows that the duty holders took their responsibilities seriously. Even better if it’s available when a court bundle has to be submitted in defence!

Independent verification isn’t about creating bureaucracy, it’s about creating confidence.

Here’s a critical point: independent verification isn’t a one-time checkbox. It’s a lifecycle discipline.

At the design and specification stage, verification ensures that the fundamental design intent is sound, that hazards have been properly identified, that risk reduction measures follow processes such as that in ISO 12100 hierarchy, eliminating hazards through inherent design, then adding safeguarding, then providing information and training.

At this stage, we also establish the required Performance Level or Safety Integrity Level for each safety function, if that’s required. A safety function might require PLr d or SIL 2; the overspeed detection might require PLr e or SIL 3. These requirements drive the entire control system architecture, redundancy, diagnostic coverage, component selection. Independent verification ensures these determinations are made systematically and conservatively.

This is where the biggest wins happen, because design changes are far cheaper and more effective than retrofitting safety measures later. Think about the 1-10-100 model in Total Quality Management, a £1 mistake at design could turn into a £100 mistake at installation. Or even a £1000 problem if there is a regulatory breach and £10,000 if there’s an injury or worse.

During installation and commissioning, independent verification confirms that what was built matches what was designed, that safety-critical components are correctly configured, that interlocks function as intended, and that the system performs safely under actual operating conditions.

For functional safety systems, this includes validation testing, deliberately introducing faults to prove that the safety function responds correctly. If we’ve designed a safety system, we must test that it actually works under fault conditions: What happens if one sensor fails? If there’s a power interruption? If the primary braking path is blocked? If a spring fails or a hydraulic system leaks or bursts? Independent verification ensures this testing is comprehensive and properly documented.

This stage often reveals integration issues that weren’t apparent on paper.

For periodic examination and testing, verification provides ongoing assurance that equipment hasn’t degraded, that maintenance has been effective, and that modifications haven’t compromised safety integrity. Under the old Mines (Shafts and Winding) Regulations 1993, thorough examinations were mandatory and regular, we are now in a goal setting environment, how will the periodicity be agreed and scrutinised?

Finally, when equipment undergoes modification and upgrade assessment, independent verification ensures that changes don’t introduce new hazards or compromise existing safety measures. This is particularly important as systems are digitised or retrofitted with automation, the control system upgrade that seems routine may fundamentally alter the safety architecture.

Embedding verification throughout the lifecycle transforms it from a compliance burden into a strategic asset for operational resilience.

Let me share some concrete examples, appropriately anonymised, to illustrate these principles.

Safety-critical control systems in other industries: In theme park ride safety under the national LEAPS independent certification scheme, sophisticated control systems are routinely encountered that are functionally similar to mine winders, managing acceleration, deceleration, position monitoring, and emergency stops. In many instances more complex. The entertainment industry learned decades ago that manufacturer self-certification isn’t sufficient for high-consequence equipment. Same as mine winders are excluded from MD, so are amusement devices. That cultural expectation of independent verification has driven higher standards across the sector, standards that mining can learn from.

Common failure modes and near-misses: Across multiple sectors, I’ve observed recurring patterns: inadequate consideration of cybersecurity risks in networked systems; insufficient analysis of human-machine interface design leading to operator error; and failure to test systems under degraded or emergency conditions rather than just normal operation. These aren’t failures of individual manufacturers, they’re systemic blind spots that independent verification is specifically designed to catch.

Value of independent technical review: In one particularly striking case, an independent assessment of an upgraded control system identified that an emergency stop function had inadvertently been configured with a time delay due to a software parameter setting. The manufacturer’s self-certification hadn’t caught this because their testing focused on normal operation. The independent verifier’s insistence on testing all safety-critical functions under fault conditions revealed the issue before commissioning, potentially preventing a catastrophic failure.

These examples aren’t about naming and shaming, they’re about recognising that independent verification adds genuine value that self-certification alone cannot provide.

Let’s consider the broader regulatory context.

UK HSE enforcement trends show increasing focus on duty holder accountability and management of major hazard risks. The HSE’s Major Hazard Topic Inspection Guide for Shafts and Winding explicitly asks: “Is there provision of independent oversight of the policy?” and “Are there arrangements for independent third-party audit?” This isn’t optional nice-to-have language, it’s an enforcement expectation.

Recent HSE interventions have emphasised that duty holders under the Mines Regulations 2014 cannot simply delegate their safety obligations to manufacturers or contractors. The operator remains responsible for ensuring equipment is safe, and demonstrating that through independent verification is increasingly seen as evidence of meeting that duty.

European and international standards evolution is also moving in this direction. It’s worth noting that mine winding gear is actually excluded from the Supply of Machinery (Safety) Regulations 2008 under Schedule 3(1)(i), precisely because other legislation, the Mines Regulations and associated statutory instruments, comprehensively covers their design and safety. However, the Machinery Safety Regulations provide an excellent model for compliance approaches, particularly the distinction between self-certification and independent third-party assessment for higher-risk machinery in Annex IV. While mine winders aren’t subject to Machinery Regulations, the functional similarity to lifting equipment carrying persons, which does require notified body involvement, offers valuable guidance on appropriate assurance levels.

The application of functional safety standards ISO 62061 and EN 13849 to mining equipment is also becoming more explicit internationally. Australian mine safety regulations now reference these standards directly for winder control systems. Canadian jurisdictions are adopting similar requirements. The Swedish mining industry guidelines explicitly require functional safety analysis for mine hoists. The trend is clear: self-certification of functional safety claims without independent verification is becoming internationally unacceptable.

Duty holder accountability frameworks under ISO 45001 occupational health and safety management systems and asset management standards like ISO 55001 emphasise the need for independent assurance of critical systems. The standard ISO 17020 sets out requirements for the operation of various types of bodies performing inspection. Boards and executive leadership are being held personally accountable for safety performance, and they’re increasingly asking for independent verification reports as evidence of due diligence. Make sure you understand the difference between Accountable and Responsible in the RACI.

So how do we actually implement this in practice?

First, we must recognise that this is about moving beyond compliance to resilience. Independent verification shouldn’t be seen as a regulatory checkbox, it’s a strategic investment in operational reliability and safety culture. Organisations that embrace verification as a core discipline consistently achieve better safety outcomes and fewer unplanned shutdowns.

Second, stakeholder trust and reputation management matter more than ever. In an era of social media, instant communication, and heightened public scrutiny, a mine operator’s reputation is one of their most valuable assets. Being able to demonstrate that safety-critical equipment has been independently verified strengthens trust with regulators, employees, unions, communities, investors, and insurers.

Third, we need to focus on creating verification checkpoints within project and operational processes. This means building independent verification requirements into:

• Capital project stage gates – no design freeze without verification sign-off
• Procurement specifications – independent verification as a contractual requirement, including functional safety validation
• Functional safety assessment – independent SIL or PL verification at design stage
• Commissioning procedures – independent witness testing of safety-critical functions, including fault injection testing
• Maintenance regimes – independent review of thorough examination findings and revalidation after modifications

Fourth, integrating independent review into procurement is essential. Rather than treating verification as an afterthought that adds cost and delay, build it into the project plan from the start. Make it clear to manufacturers that independent verification is required, and give them visibility of the verification scope so they can design accordingly. This actually improves project outcomes because it catches issues early when they’re cheaper to fix.

The cultural shift required is significant but achievable: from “we’ve always done it this way” to “we verify because it makes us better.”

As our industry continues to digitise and automate, the need for independent verification will only increase. The complexity of modern control systems, the integration of multiple technologies, and the potential consequences of failure all point in the same direction: self-certification alone is no longer sufficient for safety-critical mining equipment.

The question isn’t whether to adopt independent verification, it’s how quickly we can make it standard practice.