ISO 13849 – 1 Analysis — Part 3: Architectural Category Selection

This entry is part 3 of 9 in the series How to do a 13849 – 1 ana­lys­is

At this point, you have com­pleted the risk assess­ment, assigned required Performance Levels to each safety func­tion, and developed the Safety Requirement Specification for each safety func­tion. Next, you need to con­sider three aspects of the sys­tem design: Architectural Category, Channel Mean Time to Dangerous Failure (MTTFD), and Diagnostic Coverage (DCavg). In this part of the series, I am going to dis­cuss select­ing the archi­tec­tur­al cat­egory for the sys­tem.

If you missed the second instal­ment in this series, you can read it here.

Understanding Performance Levels

To under­stand ISO 13849 – 1, it helps to know a little about where the stand­ard ori­gin­ated. ISO 13849 – 1 is a sim­pli­fied meth­od for determ­in­ing the reli­ab­il­ity of safety-​related con­trols for machinery. The basic ideas came from IEC 61508 [7], a seven-​part stand­ard ori­gin­ally pub­lished in 1998. IEC 61508 brought for­ward the concept of the Average Probability of Dangerous Failure per Hour, PFHD (1/​h). Dangerous fail­ures are those fail­ures that res­ult in non-​performance of the safety func­tion, and which can­not be detec­ted by dia­gnostics. Here’s the form­al defin­i­tion from [1]:


dan­ger­ous fail­ure
fail­ure which has the poten­tial to put the SRP/​CS in a haz­ard­ous or fail-​to-​function state

Note 1 to entry: Whether or not the poten­tial is real­ised can depend on the chan­nel archi­tec­ture of the sys­tem; in redund­ant sys­tems a dan­ger­ous hard­ware fail­ure is less likely to lead to the over­all dan­ger­ous or fail-​to-​function state.

Note 2 to entry: [SOURCE: IEC 61508 – 4, 3.6.7, mod­i­fied.]

The Performance Levels are simply bands of prob­ab­il­it­ies of Dangerous Failures, as shown in [1, Table 2] below.

Table 2 from ISO 13849-2:2015 showing the five Performance levels and the corresponding ranges of PFHd values.
Performance Levels as bands of PFHd ranges

The ranges shown in [1, Table 2] are approx­im­ate. If you need to see the spe­cif­ic lim­its of the bands for any reas­on, see [1, Annex K] describes the full span of PFHD, in table format.

There is anoth­er way to describe the same char­ac­ter­ist­ics of a sys­tem, this one from IEC. Instead of using the PL sys­tem, IEC uses Safety Integrity Levels (SILs). [1, Table 3] shows the cor­res­pond­ence between PLs and SILs. Note that the cor­res­pond­ence is not exact. Where the cal­cu­lated PFHd is close to either end of one of the PL or SIL bands, use the table in [1, Annex K] or in [9] to determ­ine to which band(s) the per­form­ance should be assigned.

IEC pro­duced a Technical Report [10] that provides guid­ance on how to use ISO 13849 – 1 or IEC 62061. The fol­low­ing table shows the rela­tion­ship between PLs, PFHd and SILs.

Table showing the correspondence between the PL, PFHd, and SIL.
IEC/​TR 62061 – 1:2010, Table 1

IEC 61508 includes SIL 4, which is not shown in [10, Table 1] because this level of per­form­ance exceeds the range of PFHD pos­sible using ISO 13849 – 1 tech­niques. Also, you may have noticed that PLb and PLc are both with­in SIL1. This was done to accom­mod­ate the five archi­tec­tur­al cat­egor­ies that came from EN 954 – 1 [12].

Why PL and not just PFHD? One of the odd things that humans do when we can cal­cu­late things is the devel­op­ment of what has been called “pre­ci­sion bias” [12]. Precision bias occurs when we can com­pute a num­ber that appears very pre­cise, e.g., 3.2 x 10-6, which then makes us feel like we have a very pre­cise concept of the quant­ity. The prob­lem, at least in this case, is that we are deal­ing with prob­ab­il­it­ies and minus­cule prob­ab­il­it­ies at that. Using bands, like the PLs, forces us to “bin” these appar­ently pre­cise num­bers into lar­ger groups, elim­in­at­ing the effects of pre­ci­sion bias in the eval­u­ation of the sys­tems. Eliminating pre­ci­sion bias is the same reas­on that IEC 61508 uses SILs – bin­ning the cal­cu­lated val­ues helps to reduce our tend­ency to devel­op a pre­ci­sion bias. The real­ity is that we just can’t pre­dict the beha­viour of these sys­tems with as much pre­ci­sion as we would like to believe.

Getting to Performance Levels: MTTFD, Architectural Category and DC

Some aspects of the sys­tem design need to be con­sidered to arrive at a Performance Level or make a pre­dic­tion about fail­ure rates in terms of PFHd.

First is the sys­tem archi­tec­ture: Fundamentally, single chan­nel or two chan­nel. As a side note, if your sys­tem uses more than two chan­nels there are ways to handle this in ISO 13849 – 1 that are work­arounds, or you can use IEC 62061 or IEC 61508, either of which will handle these more com­plex sys­tems more eas­ily. Remember, ISO 13849 – 1 is inten­ded for rel­at­ively simple sys­tems.

When we get into the ana­lys­is in a later art­icle, we will be cal­cu­lat­ing or estim­at­ing the Mean Time to Dangerous Failure, MTTFD, of each chan­nel, and then of the entire sys­tem. MTTFD is expressed in years, unlike PFHd, which is expressed in frac­tion­al hours (1/​h). I have yet to hear why this is the case as it seems rather con­fus­ing. However, that is cur­rent prac­tice.

Architectural Categories

Once the required PL is known, the next step is the selec­tion of the archi­tec­tur­al cat­egory. The basic archi­tec­tur­al cat­egor­ies were intro­duced ini­tially in EN 954 – 1:1996 [12].  The Categories were car­ried for­ward unchanged into the first edi­tion of ISO 13849 – 1 in 1999. The Categories were main­tained and expan­ded to include addi­tion­al require­ments in the second and third edi­tions in 2005 and 2015.

Since I have explored the details of the archi­tec­tures in a pre­vi­ous series, I am not going to repeat that here. Instead, I will refer you to that series. The archi­tec­tur­al Categories come in five fla­vours:

Architecture Basics
Category Structure Basic Requirements Safety Princple
For full require­ments, see [1, Cl. 6]
B Single chan­nel Basic cir­cuit con­di­tions are met (i.e., com­pon­ents are rated for the cir­cuit voltage and cur­rent, etc.) Use of com­pon­ents that are designed and built to the rel­ev­ant com­pon­ent stand­ards. [1, 6.2.3] Component selec­tion
1 Single chan­nel Category B plus the use of “well-​tried com­pon­ents” and “well-​tried safety prin­ciples” [1, 6.2.4] Component selec­tion
2 Single chan­nel Category B plus the use of “well-​tried safety prin­ciples” and peri­od­ic test­ing [1, 4.5.4] of the safety func­tion by the machine con­trol sys­tem. [1, 6.2.5] System Structure
3 Dual chan­nel Category B plus the use of “well-​tried safety prin­ciples” and no single fault shall lead to the loss of the safety func­tion.

Where prac­tic­able, single faults shall be detec­ted. [1, 6.2.6]

System Structure
4 Dual chan­nel Category B plus the use of “well-​tried safety prin­ciples” and no single fault shall lead to the loss of the safety func­tion.

Single faults are detec­ted at or before the next demand on the safety sys­tem, but where this is not pos­sible an accu­mu­la­tion of undetec­ted faults will not lead to the loss of the safety func­tion. [1, 6.2.7]

System Structure

[1, Table 10] provides a more detailed sum­mary of the require­ments than the sum­mary table above provides.

Since the Categories can­not all achieve the same reli­ab­il­ity, the PL and the Categories are linked as shown in [1, Fig. 5]. This dia­gram sum­mar­ises te rela­tion­ship of the three cent­ral para­met­ers in ISO 13849 – 1 in one illus­tra­tion.

Figure relating Architectural Category, DC avg, MTTFD and PL.
Relationship between cat­egor­ies, DCavg, MTTFD of each chan­nel and PL

Starting with the PLr from the Safety Requirement Specification for the first safety func­tion, you can use Fig. 5 to help you select the Category and oth­er para­met­ers neces­sary for the design. For example, sup­pose that the risk assess­ment indic­ates that an emer­gency stop sys­tem is needed. ISO 13850 requires that emer­gency stop func­tions provide a min­im­um of PLc, so using this as the basis you can look at the ver­tic­al axis in the dia­gram to find PLc, and then read across the fig­ure. You will see that PLc can be achieved using Category 1, 2, or 3 archi­tec­ture, each with cor­res­pond­ing dif­fer­ences in MTTFD and DCavg. For example:

  • Cat. 1, MTTFD = high and DCavg = none, or
  • Cat. 2, MTTFD = Medium to High and DCavg = Low to Medium, or
  • Cat. 3, MTTFD = Low to High and DCavg = Low to Medium.

As you can see, the MTTFD in the chan­nels decreases as the dia­gnost­ic cov­er­age increases. The design com­pensates for lower reli­ab­il­ity in the com­pon­ents by increas­ing the dia­gnost­ic cov­er­age and adding redund­ancy. Using [1, Fig. 5] you can pin down any of the para­met­ers and then select the oth­ers as appro­pri­ate.

One addi­tion­al point regard­ing Category 3 and 4: The dif­fer­ence between these Categories is increased Diagnostic Coverage. While Category 3 is Single Fault Tolerant, Category 4 has addi­tion­al dia­gnost­ic cap­ab­il­it­ies so that addi­tion­al faults can­not lead to the loss of the safety func­tion. This is not the same as being mul­tiple fault tol­er­ant, as the sys­tem is still designed to oper­ate in the pres­ence of only a single fault, it is simply enhanced dia­gnost­ic cap­ab­il­ity.

It is worth not­ing that ISO 13849 only recog­nises struc­tures with single or dual chan­nel con­fig­ur­a­tions. If you need to devel­op a sys­tem with more than single redund­ancy (i.e., more than two chan­nels), you can ana­lyse each pair of chan­nels as a dual chan­nel archi­tec­ture, or you can move to using IEC 62061 or IEC 61508, either of which per­mits any level of redund­ancy.

The next step in this pro­cess is the eval­u­ation of the com­pon­ent and chan­nel MTTFD, and then the determ­in­a­tion of the com­plete sys­tem MTTFD. Part 4 of this series pub­lishes on 13-​Feb-​17.

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety crit­ic­al sys­tems hand­book. Amsterdam: Elsevier/​Butterworth-​Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of tech­niques and meas­ures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of tech­niques and meas­ures related to EMC for Functional Safety, 2013.


Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Included in the last post of the series is the com­plete ref­er­ence list.

[1]     Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design. ISO Standard 13849 – 1. 2015.

[7]     Functional safety of electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems. IEC Standard 61508. 2nd Edition. Seven Parts. 2010.

[9]      Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems. IEC Standard 62061. 2005.

[10]    Guidance on the applic­a­tion of ISO 13849 – 1 and IEC 62061 in the design of safety-​related con­trol sys­tems for machinery. IEC Technical Report 62061 – 1. 2010.

[11]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the out­put of risk assess­ment tools to func­tion­al safety require­ments for safety related con­trol sys­tems,” 2015.

[12]    Safety of machinery. Safety related parts of con­trol sys­tems. General prin­ciples for design. CEN Standard EN 954 – 1. 1996.

Digiprove sealCopyright secured by Digiprove © 2017
Acknowledgements: IEC and ISO as cited. 
Some Rights Reserved
Series NavigationISO 13849 – 1 Analysis — Part 2: Safety Requirement Specification”>ISO 13849 – 1 Analysis — Part 2: Safety Requirement SpecificationISO 13849 – 1 Analysis — Part 4: MTTFD – Mean Time to Dangerous Failure”>ISO 13849 – 1 Analysis — Part 4: MTTFD – Mean Time to Dangerous Failure

Author: Doug Nix

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. ( in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

Follow me on