ISO 13849 Analysis — Part 3: Architectural Category Selection

This entry is part 3 of 6 in the series How to do a 13849-1 analysis

At this point, you have completed the risk assessment, assigned required Performance Levels to each safety function, and developed the Safety Requirement Specification for each safety function. Next, you need to consider three aspects of the system design: Architectural Category, Channel Mean Time to Dangerous Failure (MTTFD), and Diagnostic Coverage (DCavg). In this part of the series, I am going to discuss selecting the architectural category for the system.

If you missed the second instalment in this series, you can read it here.

Understanding Performance Levels

To understand ISO 13849-1, it helps to know a little about where the standard originated. ISO 13849-1 is a simplified method for determining the reliability of safety-related controls for machinery. The basic ideas came from IEC 61508 [7], a seven-part standard originally published in 1998. IEC 61508 brought forward the concept of the Average Probability of Dangerous Failure per Hour, PFHD (1/h). Dangerous failures are those failures that result in non-performance of the safety function, and which cannot be detected by diagnostics. Here’s the formal definition from [1]:


dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state

Note 1 to entry: Whether or not the potential is realised can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.

Note 2 to entry: [SOURCE: IEC 61508–4, 3.6.7, modified.]

The Performance Levels are simply bands of probabilities of Dangerous Failures, as shown in [1, Table 2] below.

Table 2 from ISO 13849-2:2015 showing the five Performance levels and the corresponding ranges of PFHd values.
Performance Levels as bands of PFHd ranges

The ranges shown in [1, Table 2] are approximate. If you need to see the specific limits of the bands for any reason, see [1, Annex K] describes the full span of PFHD, in table format.

There is another way to describe the same characteristics of a system, this one from IEC. Instead of using the PL system, IEC uses Safety Integrity Levels (SILs). [1, Table 3] shows the correspondence between PLs and SILs. Note that the correspondence is not exact. Where the calculated PFHd is close to either end of one of the PL or SIL bands, use the table in [1, Annex K] or in [9] to determine to which band(s) the performance should be assigned.

IEC produced a Technical Report [10] that provides guidance on how to use ISO 13849-1 or IEC 62061. The following table shows the relationship between PLs, PFHd and SILs.

Table showing the correspondence between the PL, PFHd, and SIL.
IEC/TR 62061-1:2010, Table 1

IEC 61508 includes SIL 4, which is not shown in [10, Table 1] because this level of performance exceeds the range of PFHD possible using ISO 13849-1 techniques. Also, you may have noticed that PLb and PLc are both within SIL1. This was done to accommodate the five architectural categories that came from EN 954-1 [12].

Why PL and not just PFHD? One of the odd things that humans do when we can calculate things is the development of what has been called “precision bias” [12]. Precision bias occurs when we can compute a number that appears very precise, e.g., 3.2 x 10-6, which then makes us feel like we have a very precise concept of the quantity. The problem, at least in this case, is that we are dealing with probabilities and minuscule probabilities at that. Using bands, like the PLs, forces us to “bin” these apparently precise numbers into larger groups, eliminating the effects of precision bias in the evaluation of the systems. Eliminating precision bias is the same reason that IEC 61508 uses SILs – binning the calculated values helps to reduce our tendency to develop a precision bias. The reality is that we just can’t predict the behaviour of these systems with as much precision as we would like to believe.

Getting to Performance Levels: MTTFD, Architectural Category and DC

Some aspects of the system design need to be considered to arrive at a Performance Level or make a prediction about failure rates in terms of PFHd.

First is the system architecture: Fundamentally, single channel or two channel. As a side note, if your system uses more than two channels there are ways to handle this in ISO 13849-1 that are workarounds, or you can use IEC 62061 or IEC 61508, either of which will handle these more complex systems more easily. Remember, ISO 13849-1 is intended for relatively simple systems.

When we get into the analysis in a later article, we will be calculating or estimating the Mean Time to Dangerous Failure, MTTFD, of each channel, and then of the entire system. MTTFD is expressed in years, unlike PFHd, which is expressed in fractional hours (1/h). I have yet to hear why this is the case as it seems rather confusing. However, that is current practice.

Architectural Categories

Once the required PL is known, the next step is the selection of the architectural category. The basic architectural categories were introduced initially in EN 954-1:1996 [12].  The Categories were carried forward unchanged into the first edition of ISO 13849-1 in 1999. The Categories were maintained and expanded to include additional requirements in the second and third editions in 2005 and 2015.

Since I have explored the details of the architectures in a previous series, I am not going to repeat that here. Instead, I will refer you to that series. The architectural Categories come in five flavours:

Architecture Basics
Category Structure Basic Requirements Safety Princple
For full requirements, see [1, Cl. 6]
B Single channel Basic circuit conditions are met (i.e., components are rated for the circuit voltage and current, etc.) Use of components that are designed and built to the relevant component standards. [1, 6.2.3] Component selection
1 Single channel Category B plus the use of “well-tried components” and “well-tried safety principles” [1, 6.2.4] Component selection
2 Single channel Category B plus the use of “well-tried safety principles” and periodic testing [1, 4.5.4] of the safety function by the machine control system. [1, 6.2.5] System Structure
3 Dual channel Category B plus the use of “well-tried safety principles” and no single fault shall lead to the loss of the safety function.

Where practicable, single faults shall be detected. [1, 6.2.6]

System Structure
4 Dual channel Category B plus the use of “well-tried safety principles” and no single fault shall lead to the loss of the safety function.

Single faults are detected at or before the next demand on the safety system, but where this is not possible an accumulation of undetected faults will not lead to the loss of the safety function. [1, 6.2.7]

System Structure

[1, Table 10] provides a more detailed summary of the requirements than the summary table above provides.

Since the Categories cannot all achieve the same reliability, the PL and the Categories are linked as shown in [1, Fig. 5]. This diagram summarises te relationship of the three central parameters in ISO 13849-1 in one illustration.

Figure relating Architectural Category, DC avg, MTTFD and PL.
Relationship between categories, DCavg, MTTFD of each channel and PL

Starting with the PLr from the Safety Requirement Specification for the first safety function, you can use Fig. 5 to help you select the Category and other parameters necessary for the design. For example, suppose that the risk assessment indicates that an emergency stop system is needed. ISO 13850 requires that emergency stop functions provide a minimum of PLc, so using this as the basis you can look at the vertical axis in the diagram to find PLc, and then read across the figure. You will see that PLc can be achieved using Category 1, 2, or 3 architecture, each with corresponding differences in MTTFD and DCavg. For example:

  • Cat. 1, MTTFD = high and DCavg = none, or
  • Cat. 2, MTTFD = Medium to High and DCavg = Low to Medium, or
  • Cat. 3, MTTFD = Low to High and DCavg = Low to Medium.

As you can see, the MTTFD in the channels decreases as the diagnostic coverage increases. The design compensates for lower reliability in the components by increasing the diagnostic coverage and adding redundancy. Using [1, Fig. 5] you can pin down any of the parameters and then select the others as appropriate.

One additional point regarding Category 3 and 4: The difference between these Categories is increased Diagnostic Coverage. While Category 3 is Single Fault Tolerant, Category 4 has additional diagnostic capabilities so that additional faults cannot lead to the loss of the safety function. This is not the same as being multiple fault tolerant, as the system is still designed to operate in the presence of only a single fault, it is simply enhanced diagnostic capability.

It is worth noting that ISO 13849 only recognises structures with single or dual channel configurations. If you need to develop a system with more than single redundancy (i.e., more than two channels), you can analyse each pair of channels as a dual channel architecture, or you can move to using IEC 62061 or IEC 61508, either of which permits any level of redundancy.

The next step in this process is the evaluation of the component and channel MTTFD, and then the determination of the complete system MTTFD. Part 4 of this series publishes on 13-Feb-17.

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.


Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1. 2015.

[7]     Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508. 2nd Edition. Seven Parts. 2010.

[9]      Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[10]    Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061-1. 2010.

[11]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability—Mapping the output of risk assessment tools to functional safety requirements for safety related control systems,” 2015.

[12]    Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954-1. 1996.

ISO 13849 Analysis — Part 1: Start with Risk Assessment

This entry is part 1 of 6 in the series How to do a 13849-1 analysis

I often get questions from clients about how to get started on Functional Safety using ISO 13849. This article is the first in a series that will walk you through the basics of using ISO 13849. Keep in mind that you will need to hold a copy of the 3rd edition of ISO 13849-1 [1] and the 2nd edition of ISO 13849-2 [2] to use as you go along. There are other standards which you may also find useful, and I have included them in the Reference section at the end of the article. Each post has a Reference List. I will publish a complete reference list for the series with the last post.

Where to start?

So you have just learned that you need to do an ISO 13849 functional safety analysis. You have the two parts of the standard, and you have skimmed them, but you are feeling a bit overwhelmed and unsure of where to start. By the end of this article, you should be feeling more confident about how to get this job done.

Step 1 – Risk Assessment

For the purpose of this article, I am going to assume that you have a risk assessment for the machinery, and you have a copy for reference. If you do not have a risk assessment, stop here and get that done. There are several good references for that, including ISO 12100 [3], CSA Z432 [4], and ANSI B11.TR3 [5]. You can also have a look at my series on Risk Assessment.

The risk assessment should identify which risks require mitigation using the control system, e.g., use of an interlocked gate, a light curtain, a two-hand control, an enabling device, etc.See the MS101 glossary for detailed definitions. Each of these becomes a safety function. Each safety function requires a safety requirements specification (SRS), which I will describe in more detail a bit later.

Safety Functions

The 3rd edition of ISO 13849 [1] provides two tables that give some examples of safety function characteristics [1, Table 8] and parameters [1, Table 9] and also provides references to corresponding standards that will help you to define the necessary parameters. These tables should not be considered to be exhaustive – there is no way to list every possible safety function in a table like this. The tables will give you some good ideas about what you are looking for in machine control functions that will make them safety functions.

While you are identifying risk reduction measures that will use the control system for mitigation, don’t forget that complementary protective measures like emergency stop, enabling devices, etc. all need to be included. Some of these functions may have minimum requirements set by Type B2 standards, like ISO 13850 [6] for emergency stop which sets the minimum performance level for this function at PLc.

Selecting the Required Performance Level

ISO 13849-1:2015 provides a graphical means for selecting the minimum Performance Level (PL) required for the safety function based on the risk assessment. A word of caution here: you may feel like you are re-assessing the risk using this tool because it does use risk parameters (severity, frequency/duration of exposure and possibility to avoid/limit harm) to determine the PL. Risk assessment This tool is not a risk assessment tool, and using it that way is a fundamental mistake. Its output is in terms of performance level, which is failure rate per hour of operation. For example, it is entirely incorrect to say, “This machine has a risk level of PLc” since we define PLs in terms of probable failure rate per hour.

ISO 13849-1 graphical selection tool for determining PLr requirement for a safety function
Graphical Performance Level Selection Tool [1]
Once you have assigned a required Performance Level (PLr) to each safety function, you can move on to the next step: Developing the Safety Requirements Specification.

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.


[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2]     Safety of machinery — Safety-related parts of control systems — Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3]      Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4]     Safeguarding of Machinery. CSA Standard Z432. 2004.

[5]     Risk Assessment and Risk Reduction- A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]    Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

Get the Basics Right!

For more than 15 years I’ve been teaching people about risk assessment, machinery safety and CE Marking of machinery in private, onsite classes and through presentations at safety conferences. Things are about to change!

This fall, Compliance InSight Consulting will begin offering open-enrolment workshops in CE Marking, Risk Assessment Functional Safety, and Machinery Safety, all with a focus on industrial machinery. These courses will be hands-on events, with students engaged in workshop activities throughout eachTraining event event.

In the winter, these workshops will also migrate to our on-line education platform, so students in any location around the world can access our training programs.

This is an exciting step for CIC, and the workshops we have planned are engaging, dynamic and information packed.

Watch the blog, and subscribe to our mailing list to be the first to know when registration opens. Workshops will be limited size, first-come, first-served. We’ll announce dates and locations in early August!