Safety Related Parts of Control Systems, Part 1: General principles for design.
ISO 13849-1 is a revised version of EN 954-1
The complex mathematical formulas of the system reliability theory were replaced with pre-calculated tables.
Some concepts of EN 954 were retained, i.e. categories, redundancy, monitoring.
A number were modified, i.e. risk graph, selection of Categories.
The role of Categories is no longer crucial as in EN 954-1.
To assess the resistance to dangerous failure, the Category concept is replaced by Performance Level (PL) as the ability of the safety-related machine
control system (hereinafter called SRP/CS) to assure protection in specified operating conditions.
The parameter used to evaluate the PL of the safety-related system is the Average probability of dangerous failure/hour.
A failure is considered to be dangerous where it inhibits the system protection function if undetected.
There are 5 levels, PLa to PLe.
The greater the contribution to reducing risk the lower the Average probability of dangerous failure/hour.
PL is a function of control system architecture, component reliability, ability to promptly detect internal failure potentially affecting the safety function and
quality of the design.
The table below summarizes mandatory qualitative and quantitative requirements to be met for safe control system design to ISO 13849-1.
See also glossary
To claim a given PL, in addition to evaluating the Average probability of dangerous failure/hour for the control system in question, it will also be necessary
to prove compliance with quality requirements specified by the standard.
The claimed PL must be validated using ISO 13849-2 Safety Related Parts of Control Systems - Validation defining procedures tests andanalysis, for
the assessment of:
• Safety function provided
• Category attained
• Performance level reached.
|Average Probability of Dangerous Failure/Hour is only one of the parameters contributing to assignment of PL.
To obtain a PL rating, it is also mandatory to prove and substantiate having considered and complied with all requirements, including:
• Monitoring of systematic failures
• Using robust and reliable components (in line with Product Standards if available)
• Working according good engineering practice
• Considering environmental conditions in which the safety-related system will operate
• In the case of new software, adopting all organizational aspects of V-type development model shown in Figure 6 of the Standard
ISO 13849-1 and meeting development requirements for applications and built-in SW.
Design of an SRP/CS as per ISO 13849-1 may be summarized in the following eight steps
1 – Identification of safety-related function through risk analysis
2 – Assignment of Performance Level requested (PLr) through risk graph
3 – Selection of system structure (architectures) and self-diagnostic techniques
4 – Technical development of control system
5 – Calculation of MTTFd, DCavg and verification of CCF
6 – Calculation of PL using Table 5
7 – Verification of PL (if calculated PL is below PLr return to Step 3)
8 – Validation.
Identification of safety related item and assignment of Performance Level required - PLr
Identification of the safety function and assignment of the Performance level required- PLr.
For each safety-related function identified (see ISO 14121 – Risk Assessment) the designer of the SRP/CS decides the contribution to reduction of risk
to be provided, i.e. PLr.
This contribution does not cover overall machine risk but only the part of risk related to the application of the safety function in question.
Parameter PLr represents the Performance Level required for the safety-related function in question.
Parameter PL represents the Performance Level of implementation hardware.
PL of hardware must be equal to or higher than specified PLr.
A tree type graph of decisions is used to find the contribution to risk reduction that must be provided by the safety-related function, leading to univocal
identification of PLr.
If more than one safety-related function are identified, PLr shall be identified for each of them.
Design of the safety related control system and evaluation of the PL
|Note: contrary to EN954-1 as regards Categories, here PLrs are totally “hierarchical”.
PLr(e) provides the greatest contribution to risk reduction, whereas PLr(a) makes the lowest contribution.
After deciding on the PLr needed, a suitable SRP/CS is designed, calculating the resulting PL and ensuring that it is higher than or equal to PLr.
Fig. 3 shows that, to obtain the PL, the Average probability of dangerous failure/hour of the SRP/CS designed must be calculated
The Average probability of dangerous failure/hour for a safety-related control system may be estimated in various ways.
Using such methods implies that for each components the following are known:
• Failure rate (λ)
• Percent distribution of failure rate for all component failure modes, (e.g. if for a positive action switch the failure modes are: the contact will not open
when required = 20% of cases and the contact will not close when required = 80% of cases. Gives: will not open = λ x 0,2 will not close = λ x 0,8 )
• The effect of each failure on safety-related system performance, (e.g. dangerous failure = λd, or non-dangerous failure = λs)
• Percent of dangerous failures detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures: λdd = λd x DC.
• Percent of dangerous failures not detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures: λdu = λd x (1-DC).
ISO 13849-1 simplifies calculation by providing a table based on Markov modeling in which average probability of dangerous failure per hour is precalculated
for various Category combinations and range values of MTTFd and DCavg which are in turn obtained using tables.
|Range of MTTFd
||Range of value DC/
||3 years ≤ MTTFd < 10 years
||DC < 60%
||10 years ≤ MTTFd < 30 years
||60% ≤ DC < 90%
||30 years ≤ MTTFd < 100 years
||90% ≤ DC < 99%
||Alto 99% ≤ DC
The problem is thus reduced to: selecting the architecture, calculating DCavg in relation to self-diagnostic techniques implemented, calculating simplified
MTTFd of circuit designed and verifying compliance with requirements for independent channel operation (CCF) for redundant architectures (Cat. 2, 3 and 4).
The combination of Category plus DCavg adopted, is shown in one of the seven columns of fig. 5 of ISO 13849-1. Calculated MTTFd determines which part
of the column is to be considered. Corresponding PL is shown on the left of the table.
The part of column selected may include two or three possible values of PL, e.g. for Cat. 3, DCavg = Medium and MTTFd = Low, the following three
values are possible: PLb, PLc, PLd. In these cases, to obtain the correct PL use is made of Table K.1 of Annex K of the Standard (not shown) providing
detailed values of Average probability of dangerous failure per hour and PL in relation to actual value of MTTFd and the combination Category-plus-DCavg
The Standard may be adopted only if the control system is designed using one (or more) of the five architectures specified.
Each architecture corresponds to one of the Categories defined in EN 954-1.
For systems designed to EN 954-1, category selection is directly linked to risk through the risk graph.
ISO 13849-1 is more flexible, as several options are available for each Performance Level specified.
An example is given in Table 5 where for a system having PL of “c” the following five alternatives are possible:
1. Category 3 with MTTFd = Low and DCavg medium.
2. Category 3 with MTTFd = Medium and DCavg low.
3. Category 2 with MTTFd = Medium and DCavg medium.
4. Category 2 with MTTFd = High and DCavg low.
5. Category 1 with MTTFd = High.
Combination of several SRC/PS to achieve the overall PL
The safety-related function may include one or more SRP/CSs, and several safety-related function may use the same SRP/CSs.
Individual SRP/CSs could also be obtained using other architectures.
Where the safety-related function is obtained by a series connection of several SRP/CSs, e.g. safety light curtains, control logics, power output, and for each
of these the PL is known, the Standard provides a simple method for calculating overall PL.
Locate the part with PL = PL low
Find the number of parts having PL = PL low
Enter data in the following table to obtain total PL
The PL obtained using this table refers to reliability values at mid-position for each of the intervals in Table 3 of ISO 13849-1.
We have: PL low = d N low = 1 (< 3)
Therefore: PL total = d
and average probability of dangerous failure per hour for the entire system will be a number somewhere between 1 x 10-6 and 1 x 10-7 (see Table
3 of ISO 13849-1).