Tag Archives: ISO 13849-1 - Page 2

Machinery Safety 101

Tag Archives: ISO 13849-1 - Page 2

Understanding Risk Assessment

What is risk?

How is risk measured?

Who should conduct risk assessments?

When should a risk assessment be conducted?

What tools are available?

Where can you get training?

Missing MTTFd data

What the heck is MTTF_d???

So how do you get this data?

Now what?

IEC/TR 62061–1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

The Problem

History

Why the Confusion?

…and then came 2007…

The Technical Report

Safe designs for safe workplaces

Understanding Risk Assessment

What is risk?

How is risk measured?

Who should con­duct risk assessments?

When should a risk assess­ment be conducted?

What tools are available?

Where can you get training?

Missing MTTFd data

What the heck is MTTFd???

So how do you get this data?

Now what?

IEC/​TR 62061–1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

The Problem

History

Why the Confusion?

…and then came 2007…

The Technical Report

Who should conduct risk assessments?

When should a risk assessment be conducted?

What the heck is MTTF_d???

IEC/TR 62061–1 Reviewed

The Answer to the Scale Question

Merger

Comparing PL’s and SIL’s

Selecting a Standard

Risk Assessment

Safety Requirement Specification (SRS)

Combining Equipment with PLs and SILs

Fault Exclusions

Worked Examples

Understanding the Differences

To Buy or Not to Buy…

The Answer to the Scale Question

Table 1 Recommended appli­ca­tion of IEC 62061 and ISO 13849–1(under revision)

Merger

Comparing PL’s and SIL’s

Selecting a Standard

Risk Assessment

Safety Requirement Specification (SRS)

Combining Equipment with PLs and SILs

Fault Exclusions

Worked Examples

Understanding the Differences

To Buy or Not to Buy…

Compliance InSight Links

Sign Up For Our Newsletter!

Coming Events

Polls

Popular Posts

Recent Posts

Series

Categories

Tags

Countries Visiting Us:

Table 1
Recommended application of
IEC 62061 and ISO 13849–1(under revision)

Table 1 – Relationship between PLs and SILs based on the aver­age prob­a­bil­ity of dan­ger­ous fail­ure per hour

Table 1 – Relationship between PLs and SILs based on the average probability
of dangerous failure per hour

When people discuss ‘Risk’ there are a lot of different assumptions made about what that means. For me, the study of risk and risk assessment techniques started in 1995. As a technologist and controls designer, I had to somehow wrap my head around the whole concept in ways I’d never considered. If you’re trying to figure out risk and risk assessment this is a good place to get started!

From a machinery perspective, ISO 12100:2010 defines risk as:

“combination of the probability of occurrence of harm and the severity of that harm”

Risk can have positive or negative outcomes, but when considering safety, we only consider negative risk, or events that result in negative health effects for the people exposed.

The risk relationship is illustrated in ISO 12100:2010 Figure 3:

ISO 12100–2010 Figure 3

Where

R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often further broken down into three sub-factors:

Probability of Exposure to the hazard
Probability of Occurrence of the Hazardous Event
Probability of Limiting or Avoiding the Harm

In order to estimate risk a scoring tool is needed. There is no one ‘correct’ scoring tool, and there are flaws in most scales that can result in blind-spots where risks may be over or under-estimated.

At the simplest level are ‘screening’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspection and are intended to provide a quick method of capturing observations and giving a gut-feel assessment of the risk involved. These tools should be used as a way to identify risks that need additional, detailed assessment. To get an idea of what a good screening tool can look like, have a look at the SOBANE Déparis system.

Every scoring tool requires a scale for each risk parameter included in the tool. For instance, consider the CSA tool described in CSA Z434:

As you can see, each parameter (Severity, Exposure and Avoidance) has a scale, with two possible selections for each parameter.

When considering selection of a scoring tool, it’s important to take some time to really examine the scales for each factor. The scale shown above has a glaring hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 different scales and methodologies available for assessing risk. You can find a good review of some of them in Bruce Main’s textbook “Risk Assessment: Basics and Benchmarks” available from DSE online.

A similar, although different, tool is found in Annex 1 of ISO 13849–1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable; 1–10, 0–5, etc. Some scales may be inverted to others, for example: If the Severity scale runs from 0–10, the Avoidability scale might run from 10–0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, document the definitions as part of your assessment.

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a ‘guru’ in a lonely office somewhere!

Risk assessment is not a lot of fun to do, and since risk assessments can get to be quite involved, it represents a significant amount of work to put on one person. Also, leaving it to one person means that the assessment will necessarily be biased to what that person knows, and may miss significant hazards because the assessor doesn’t know enough about that hazard to spot it and assess it properly.

Risk assessment requires multiple viewpoints from participants with varied expertise. This includes users, designers, engineers, lawyers and those who may have specialized knowledge of a particular hazard, like a Laser Safety Officer or a Radiation Safety Officer. The varied expertise of the people involved will allow the committee to balance the opinion of each hazard, and develop a more reasoned assessment of the risk.

I recommend that risk assessment committees never be less than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost. As each committee member is added to the team, the cost of the assessment can escalate exponentially.

Training in risk assessment is crucial to success. Ensure that the individuals involved are trained, and that at least one has some previous experience in the practice so that they may guide the committee as needed.

Risk Assessment in the Lifetime of a Product

Risk assessment should begin at the beginning of a project, whether it’s the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. Cost for changes made at the beginning of a project are minimal compared to those that will be incurred to correct problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essentially, risk assessment is never finished until the product, process or service ceases to exist.

As mentioned earlier in this post, the book ‘Risk Assessment: Basics and Benchmarks” provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software based tools yourself. Depending on your comfort with software, this might be a spreadsheet format, a word processing document a database, or some other format that works for your application.

There are a number of risk assessment software tools available as well, including ISI’s CIRSMA™ and DSE’s DesignSafe. As with the scoring tools, you need to be careful when evaluating tools. Some have significant blind spots that may trip you up if you are not aware of their limitations.

Remember too that the output from the software can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assessment.

There are a few places to get training. Compliance InSight Consulting provides training to corporate clients and will be launching a series of web-based training services in 2011 that will allow individual learners to get training too.

The IEEE PSES operates a Risk Assessment Technical Committee that is open to the public as well. See the RATC web site.

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the definitions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day cannot be scored effectively using this scale.

Also, notice the Severity scale: S1 encompasses injuries requiring not more than basic first aid. One common question I get is “Does that include CPR*?”. This question comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the standard. The S2 factor extends from injuries requiring more than basic first aid, like a broken finger for instance, all the way to a fatality. Does it make sense to group this broad range of injuries together? This definition doesn’t quite match with the Province of Ontario’s definition of a Critical Injury found in Regulation 834 either.

All of this points to the need to carefully assess the scales that you choose before you start the process. Choosing the wrong tool can skew your results in ways that you may not be very happy about.

*Cardio-Pulmonary Resuscitation

Posted by Doug Nix on September 13, 2010 Comments Off

When you first start to work through ISO 13849–1, the first thing that will smack you in the head is the plethora of new acronyms. The first one you’ll run into is ‘PL’, of course, since the entire purpose of the standard is to aid the designer in determining the reliability Performance Level of the control system. Shortly after that you’ll find yourself face to face with MTTF_d.

MTTF_d, or the Mean Time To Failure (dangerous), is the name given to the expected failure rate per year for a component used in a system that is being analyzed. This rate differs from the straight failure rate for the component because it’s limited to the failures that result in a dangerous failure mode, or that may lead to a hazard.

Obtaining MTTF_d data for a component should be easy for a designer. Component manufacturers who market components intended for safety applications should provide this data in the component specifications, but there are thousands, perhaps millions, of different components being marketed today for use in safety systems. Most of the major manufacturers are already providing this figure, or a figure that can be used to derive MTTF_d, B_10d, but for many components, this data is simply not available.

Here are some randomly chosen examples of manufacturer’s specification sheets that give this data:

Allen-Bradley Trojan™ T15 Interlock Switch

Pilz PNOZ X2 (pdf data sheet)

Telemecanique XPS MP Safety Controller (pdf data sheet)

B_10dis the number of cycles until 10% of the components being tested fail in a dangerous way. Using failure rate data from the component’s data sheet, it is possible to estimate B_10d from either B₁₀ or T (the application dependent lifetime of the component). Check out Annex C of the standard if you want to see how this can be done.

But what do you do if the manufacturer of your favourite contactor doesn’t provide ANY failure data? Some major manufacturers still don’t provide any failure rate data at all, some provide expected lifetimes under specific operation conditions. Some provide only EN 954–1:95 data. In the last case, I think this is one of the reasons for the EC Machinery Working Group’s decision late last year to extend the transition period to ISO 13849–1:07. Need to know more about that decision?

Unless you work for a large organization, instituting a life testing program is not likely to be an option, since you either need a protracted period of time with a few components in test, or thousands of samples for a short time.

The standard provides the option to use 10 years as a default where no other data is available. 10 years sounds like a long time at first blush, particularly if the planned lifetime of the system involved is 20 years. Typical MTTF_d values for high-reliability components are in the hundreds of years, so by comparison, 10 years is almost nothing. Tables are also provided for some kinds of components, but the tables are necessarily limited in size, so not every component will be listed.

Your only option is to use the data in the standard, or pick up some of the other publications that include component failure data, like MIL-HDBK-217F, IEC/TR 62380 (based on UTE 80810 & RDF 2000), NPRD 95 or IEC 61709 (based on Siemens SN 29500 documents). Some of these documents may be difficult or impossible to obtain.

The result of this lack of objective data from the component manufacturers is:

Conservative results based on the minimum default MTTF_d;
Potential over-design of safety related controls;
Increased manufacturing costs for machine builders;

The reasons for this situation vary by manufacturer, but ultimately it comes down to the cost of life testing components multiplied by number of components built by each manufacturer. Typical life tests require load simulators and switching for thousands of components, as well as data logging to trap failures and record relevant data. In the case of fluid power components (pneumatics and hydraulics), this becomes increasingly complex. For many component manufacturers, the cost of the life testing is prohibitive, even though this data is badly needed by their users.

Will we see an improvement in the future? The largest controls component manufacturers are very likely to provide this data as they have it available, meaning as they complete testing. New designs are much more likely to come with this data initially, while it may be a long time before some of the old standard components get time in the life test cell. Until then, lots of components will be assigned ’10 years’.

A big thank you to Wouter Leusden for the idea for this post!

Have a thought to share on this topic? Correct an error in the article? Sound off? Leave a comment!

Posted by Doug Nix on September 8, 2010 7 comments

This entry is part 2 of 2 in the series IEC/TR 62061–1

Standards organizations publish documents in a fairly continuous stream, so for those of us tasked with staying current with a large number of standards (say, more than 10), the publication of another new standard or Technical Report isn’t news — it’s business as usual. The question is always: Do we really need to add this to the library?

For those who are new to this business, having to pay for critical design information is a new experience. Finding out that it can cost hundreds, if not thousands, to build the library you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061–1 in your library.

As a machine builder or a manufacturer building a product designed to be integrated into machinery, how do you choose between ISO 13849–1 and IEC 62061?

IEC 62061–1 attempts to provide guidance on how to make this choice.

When CENELEC published EN 954–1 in 1995, machine builders were introduced to a whole new world of control reliability requirements. Prior to its publication, most machines were built with very simple interlocks, and no specific standards for interlocking devices existed. In the years since then, the EN 954–1 Categories have become well known and are applied inside and outside the EU.

In the intervening years, IEC published IEC 61508. This seven-part standard introduced the idea of ‘Safety Integrity Levels’ or SILs. This standard is aimed at process control systems and could be used for complex machinery as well.

In 2006, IEC published a machinery sector specific standard based on IEC 61508, called IEC 62061. This standard offered a simplified application of the IEC 61508 methodology intended for machine builders. The key problem with this standard is that it did not provide a means to deal with pneumatic or hydraulic control elements, which are covered by ISO 13849–1.

ISO adopted EN 954–1 and reissued it as ISO 13849–1 in 1999. This edition of the standard was virtually identical to the standard it replaced from a technical requirements perspective. EN 954–1/ISO 13849–1 did not provide any means to estimate the integrity of the safety related controls, but did define circuit architectures (Categories B, 1–4) and spoke to the selection of components, introducing the concepts of ‘well-tried safety principles’ and ‘well-tried components’. A second problem had long existed in addition to this — EN 954–2, Validation, was never published by CENELEC except as a committee draft, so a key element in the application of the standard had been missing for five years at the point where ISO 13849–1 Edition 1 was published.

The first cut at guiding users in choosing an appropriate standard came with the publication of IEC 62061 Edition 1. Published in 2005, Edition 1 included a table that attempted to provide users with some guidance on how to choose between ISO 13849–1 or IEC 62061.

In 2007, ISO published the Second Edition of ISO 13849–1, and brought a whole new twist to the discussion by introducing ‘Performance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in failures per year and SILs in failures per hour. The same table included in IEC 62061 was included in this edition of ISO 13849–1.

Table 1
Recommended application of
IEC 62061 and ISO 13849–1(under revision)
(from the Second Edition, 2007)
Technology implementing the
safety related control function(s) ISO
13849–1 (under revision) IEC 62061
A Non electrical, e.g. hydraulics X Not covered
B Electromechanical, e.g. relays, or
non-complex electronics Restricted to designated
architectures (see Note 1) and up to PL=e
All architectures and up to
SIL 3
C Complex electronics, e.g. programmable Restricted to designated
architectures (see Note 1) and up
to PL=d All architectures and up to
SIL 3
D A combined with B Restricted to designated
architectures (see Note 1) and up
to PL=e X
see Note 3
E C combined with B Restricted to designated
architectures (see Note 1) and up
to PL=d All architectures and up to
SIL 3
F C combined with A, or C combined with
A and B X
see Note 2 X
see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849–1(rev.) to give a simplified approach for quantification of performance level.
NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849–1(rev.) up to PL=d or any architecture according to IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849–1(rev.) as subsystems.

So how is a machine builder to choose the ‘correct’ standard, if both standards are applicable and both are correct? Furthermore, how do you assess the reliability of the safety-related controls when integrating equipment from various suppliers, some of whom rate their equipment in PLs and some in SILs? Why are two standards addressing the same topic required? Will ISO 13849–1 and IEC 62061 ever be merged?

In July this year the IEC published a Technical Report that discusses the selection and application of these two key control reliability standards for machine builders. This guide has long been needed, and precedes a face to face event planned by IEC to bring machine builders and standards writers face-to-face to discuss these same issues.

The guide, titled IEC/TR 62061–1 — Technical Report — Guidance on the application of ISO 13849–1 and IEC 62061 in the design of safety-related control systems for machinery provides direct guidance on how to select between these two standards.

Download IEC standards, International Electrotechnical Commission standards.

In the introduction to the report the TC makes it clear that the standards will be merged, although they don’t provide any kind of a time line for the merger. Quoting from the introduction:

It is intended that this Technical Report be incorporated into both IEC 62061 and ISO 13849–1 by means of corrigenda that reference the published version of this document. These corrigenda will also remove the information given in Table 1, Recommended application of IEC 62061 and ISO 13849–1, provided in the common introduction to both standards, which is now recognized as being out of date. Subsequently, it is intended to merge ISO 13849–1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the paragraph above to highlight the key statement regarding the eventual merger of the two documents. If you’re not familiar with the standards acronyms, a ‘JWG’ is a Joint Working Group, and a TC is a Technical Committee. TC’s are formed from volunteer experts from industry and academia supported by their organizations. So a JWG formed from two TC’s just means that a joint committee has been formed to work out the details of the merger. Eventually.

The other key point in this paragraph relates to the replacement of Table 1. In the interim, IEC/TR 62061–1 will be incorporated into both standards, replacing Table 1.

Eventually the confusion will be cleared up because only one standard will exist in the machinery sector, but until then, machine builders will need to figure out which standard best fits their products.

The Technical Report does a good job of discussing the differences between PL and SIL, including providing an explanation of how to covert one to the other, very useful if you are trying to integrate an SIL rated device into a PL analysis or vice-versa.

Clause 2.5 gives some solid advice on selecting between the two standards based on the technologies employed in the design and your own comfort level in using the analytical techniques in the two standards.

Another key point is that EITHER standard can be used to analyze complex OR simple control systems. Some fans of IEC 62061 have been known to put ISO 13849–1 down as useful exclusively for simple hardwired control systems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an additional thought, consider which standard your competitors are using, and also which your customers are using. For example, if your customers use ISO 13849–1 primarily, qualifying your product under IEC 62061 might seem like a good idea, but may drive your customers to a competitor who makes their life easier by using ISO 13849–1. If your competitors are using a different standard, try to understand the choice before climbing on the bandwagon. There may be a competitive advantage lurking in being different.

Clause 4 speaks directly to the indispensable need to conduct a methodical risk assessment, and to use that to guide the design of the controls.

In my practice, many clients decide that they would prefer to choose a control reliability level that they feel will be more than good enough for any of their designs, and then to ‘standardize’ on that design for all their products, thereby eliminating the need to thoughtfully decide on the appropriate design for the application. In other cases, end-users may choose to use a ‘standard’ design throughout their facility to assist maintenance personnel by limiting their need to become technically familiar with a variety of designs. This is done to speed troubleshooting and reduce down time and spares stocks.

The problem with this approach can be that some managers believe this approach can eliminate the need to conduct risk assessments, seeing this as a fruitless, expensive and often futile exercise. This is emphatically NOT the case. Risk assessments address much more than the selection of control reliability requirements and need to be done to ensure that all hazards that cannot be eliminated or substituted are safeguarded. A missing or badly done risk assessment may invalidate your claim to a CE mark, or be the landmine that ends a liability case — with you on the losing end.

Each safety function needs to be defined in detail in a Safety Requirement Specification (SRS). A reliability assessment needs to be completed for each safety function defined in the SRS. This point is discussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849–1, so IEC/TR 62061–1 once again bridges the gap by providing an important detail that is missing in one of the two standards.

If you are unfamiliar with the concept of an SRS, each safety function needs to be described with a certain minimum amount of information, including:

The name of safety function;
A description of the function;
The required level of performance based on the risk assessment and according to either ISO 13849–1 (PL_r a to e) or the required safety integrity according to IEC 62061 (SIL 1 to 3)

Once the safety functions are defined and analyzed, each safety function must be implemented by a control circuit. The selected PL will drive the design to one or two of the defined ISO 13849–1 architectures, and then the component selections and other design details will drive the final failure rate and PL. Alternatively, the SRS will drive the selection of IEC 62061 architecture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final failure rate and SIL.

Table 1 in the Technical Report compares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability
of dangerous failure per hour
Performance Level (PL) Average probability of a dangerous
failure per hour (1/h) Safety integrity level (SIL)
a >= 10^–5 to < 10^–4 No special safety requirements
b >= 3 x 10^–6 to < 10^–5 1
c >= 10^–6 to < 3 x 10^–6 1
d >= 10^–7 to < 10^–6 2
e >= 10^–8 to < 10^–7 3

This table combines ISO 13849–1 2007, Tables 3 & 4. No similar tables exist in IEC 62061 2005.

Section 7 of the report speaks to the challenge of integrating equipment with ratings in a mix of PLs and SILs. Until the standards merge and a single system for describing reliability categories is agreed on, this problem will be with us.

When designing systems using either system the designer has to determine the approximate rate of dangerous failures. In ISO 13849–1, MTTF_d is the component failure rate parameter, while in IEC 62061, PFH_d is the subsystem failure rate parameter. MTTF_d does not consider diagnostics or architecture, only the component failure rate per year, while PFH_d does include diagnostics and archtitecture, and it speaks to the system failure rate per hour. To compare these rates, ISO 13849–1 Annex K describes the relationship between MTTF_d and PFH_d for different architectures.

In the design process only one method can be used, so where equipment with different ratings must be combined the failure rates must be converted to either MTTF_dor to PFH_d, depending on the system being used to complete the analysis. Mixing requirements within the design of a subsystem is not permitted (See Clause 7.3.3).

Fault exclusions are permitted under both standards with some limitations: up to IEC 62061 SIL 2. No fault exclusions are permitted in SIL 3. Properly justified fault exclusions can be used up to PL_e. “Properly justified” fault exclusions are those that can be shown to be valid through the lifetime of the SRP/CS.

In general, fault exclusions for mechanical failures of electromechanical devices such as interlock devices or emergency stop devices are not permitted, with a few exceptions given in ISO 13849–2, (See Clauses 7.2.2.4 and 7.2.2.5).

This approach is consistent with the current approach taken in Canada, as described in CSA Z432 & Z434. Fault exclusions are generally not permitted under ANSI standards.

Section 8 of the Technical Report gives a couple of worked examples, one done under ISO 13849–1, and one under IEC 62061. For someone looking for a good example of what a properly completed analysis should look like, this section is the gold at the end of the rainbow. Section 8.2 provides a good, clear example of the application of the standards along with a nice, simple example of what a safety requirement specification might look like.

One area where proponents of the two standards often disagree is on the ‘accuracy’ of the analytical procedures given in the two standards. The Technical Report provides a detailed explanation of why the two techniques provide slightly different results and provides the rationale explaining why this variation should be considered acceptable.

At the end of the day, the question that needs to be answered is whether to buy this document or not. If you use either of these standards, I strongly recommend that you spend the money to get this Technical Report, if for nothing more than the worked examples. Until the two standards are merged, and that could be a few years, you will need to be able to effectively apply these approaches to PL and SIL rated equipment. This Technical Report will be an invaluable aid.

It also provides some guidance on the direction that the new merged standard will take. Some old arguments can be settled, or at least re-directed, by this document.

Finally, since the TR is to be incorporated in both standards and contains material replacing that in the current editions of the standard, you must buy a copy to remain current.

For all of these reasons, I would spend the money to acquire this document, read and apply it.

Download IEC standards, International Electrotechnical Commission standards.

Download ISO Standards

If you’ve bought the report and would like to add your thoughts, please add a comment below. Got questions? Contact me!

« Previous page | Next page »

	Technology implementing the safety related control function(s)	ISO 13849–1 (under revision)	IEC 62061
A	Non electrical, e.g. hydraulics	X	Not covered
B	Electromechanical, e.g. relays, or non-complex electronics	Restricted to designated architectures (see Note 1) and up to PL=e	All architectures and up to SIL 3
C	Complex electronics, e.g. programmable	Restricted to designated architectures (see Note 1) and up to PL=d	All architectures and up to SIL 3
D	A combined with B	Restricted to designated architectures (see Note 1) and up to PL=e	X see Note 3
E	C combined with B	Restricted to designated architectures (see Note 1) and up to PL=d	All architectures and up to SIL 3
F	C combined with A, or C combined with A and B	X see Note 2	X see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading. NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849–1(rev.) to give a simplified approach for quantification of performance level. NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849–1(rev.) up to PL=d or any architecture according to IEC 62061. NOTE 3 For non-electrical technology use parts according to EN ISO 13849–1(rev.) as subsystems.

Performance Level (PL)	Average probability of a dangerous failure per hour (1/h)	Safety integrity level (SIL)
a	>= 10^–5 to < 10^–4	No special safety requirements
b	>= 3 x 10^–6 to < 10^–5	1
c	>= 10^–6 to < 3 x 10^–6	1
d	>= 10^–7 to < 10^–6	2
e	>= 10^–8 to < 10^–7	3

17 Events on February 17, 2012 Toronto Engineering & Human Environment ExCom More details