ISO 13849–1 Analysis — Part 3: Architectural Category Selection

This entry is part 3 of 9 in the series How to do a 13849–1 analy­sis

At this point, you have com­plet­ed the risk assess­ment, assigned required Per­for­mance Lev­els to each safe­ty func­tion, and devel­oped the Safe­ty Require­ment Spec­i­fi­ca­tion for each safe­ty func­tion. Next, you need to con­sid­er three aspects of the sys­tem design: Archi­tec­tur­al Cat­e­go­ry, Chan­nel Mean Time to Dan­ger­ous Fail­ure (MTTFD), and Diag­nos­tic Cov­er­age (DCavg). In this part of the series, I am going to dis­cuss select­ing the archi­tec­tur­al cat­e­go­ry for the sys­tem.

If you missed the sec­ond instal­ment in this series, you can read it here.

Understanding Performance Levels

To under­stand ISO 13849–1, it helps to know a lit­tle about where the stan­dard orig­i­nat­ed. ISO 13849–1 is a sim­pli­fied method for deter­min­ing the reli­a­bil­i­ty of safe­ty-relat­ed con­trols for machin­ery. The basic ideas came from IEC 61508 [7], a sev­en-part stan­dard orig­i­nal­ly pub­lished in 1998. IEC 61508 brought for­ward the con­cept of the Aver­age Prob­a­bil­i­ty of Dan­ger­ous Fail­ure per Hour, PFHD (1/h). Dan­ger­ous fail­ures are those fail­ures that result in non-per­for­mance of the safe­ty func­tion, and which can­not be detect­ed by diag­nos­tics. Here’s the for­mal def­i­n­i­tion from [1]:


dan­ger­ous fail­ure
fail­ure which has the poten­tial to put the SRP/CS in a haz­ardous or fail-to-func­tion state

Note 1 to entry: Whether or not the poten­tial is realised can depend on the chan­nel archi­tec­ture of the sys­tem; in redun­dant sys­tems a dan­ger­ous hard­ware fail­ure is less like­ly to lead to the over­all dan­ger­ous or fail-to-func­tion state.

Note 2 to entry: [SOURCE: IEC 61508–4, 3.6.7, mod­i­fied.]

The Per­for­mance Lev­els are sim­ply bands of prob­a­bil­i­ties of Dan­ger­ous Fail­ures, as shown in [1, Table 2] below.

Table 2 from ISO 13849-2:2015 showing the five Performance levels and the corresponding ranges of PFHd values.
Per­for­mance Lev­els as bands of PFHd ranges

The ranges shown in [1, Table 2] are approx­i­mate. If you need to see the spe­cif­ic lim­its of the bands for any rea­son, see [1, Annex K] describes the full span of PFHD, in table for­mat.

There is anoth­er way to describe the same char­ac­ter­is­tics of a sys­tem, this one from IEC. Instead of using the PL sys­tem, IEC uses Safe­ty Integri­ty Lev­els (SILs). [1, Table 3] shows the cor­re­spon­dence between PLs and SILs. Note that the cor­re­spon­dence is not exact. Where the cal­cu­lat­ed PFHd is close to either end of one of the PL or SIL bands, use the table in [1, Annex K] or in [9] to deter­mine to which band(s) the per­for­mance should be assigned.

IEC pro­duced a Tech­ni­cal Report [10] that pro­vides guid­ance on how to use ISO 13849–1 or IEC 62061. The fol­low­ing table shows the rela­tion­ship between PLs, PFHd and SILs.

Table showing the correspondence between the PL, PFHd, and SIL.
IEC/TR 62061–1:2010, Table 1

IEC 61508 includes SIL 4, which is not shown in [10, Table 1] because this lev­el of per­for­mance exceeds the range of PFHD pos­si­ble using ISO 13849–1 tech­niques. Also, you may have noticed that PLb and PLc are both with­in SIL1. This was done to accom­mo­date the five archi­tec­tur­al cat­e­gories that came from EN 954–1 [12].

Why PL and not just PFHD? One of the odd things that humans do when we can cal­cu­late things is the devel­op­ment of what has been called “pre­ci­sion bias” [12]. Pre­ci­sion bias occurs when we can com­pute a num­ber that appears very pre­cise, e.g., 3.2 x 10-6, which then makes us feel like we have a very pre­cise con­cept of the quan­ti­ty. The prob­lem, at least in this case, is that we are deal­ing with prob­a­bil­i­ties and minus­cule prob­a­bil­i­ties at that. Using bands, like the PLs, forces us to “bin” these appar­ent­ly pre­cise num­bers into larg­er groups, elim­i­nat­ing the effects of pre­ci­sion bias in the eval­u­a­tion of the sys­tems. Elim­i­nat­ing pre­ci­sion bias is the same rea­son that IEC 61508 uses SILs — bin­ning the cal­cu­lat­ed val­ues helps to reduce our ten­den­cy to devel­op a pre­ci­sion bias. The real­i­ty is that we just can’t pre­dict the behav­iour of these sys­tems with as much pre­ci­sion as we would like to believe.

Getting to Performance Levels: MTTFD, Architectural Category and DC

Some aspects of the sys­tem design need to be con­sid­ered to arrive at a Per­for­mance Lev­el or make a pre­dic­tion about fail­ure rates in terms of PFHd.

First is the sys­tem archi­tec­ture: Fun­da­men­tal­ly, sin­gle chan­nel or two chan­nel. As a side note, if your sys­tem uses more than two chan­nels there are ways to han­dle this in ISO 13849–1 that are workarounds, or you can use IEC 62061 or IEC 61508, either of which will han­dle these more com­plex sys­tems more eas­i­ly. Remem­ber, ISO 13849–1 is intend­ed for rel­a­tive­ly sim­ple sys­tems.

When we get into the analy­sis in a lat­er arti­cle, we will be cal­cu­lat­ing or esti­mat­ing the Mean Time to Dan­ger­ous Fail­ure, MTTFD, of each chan­nel, and then of the entire sys­tem. MTTFD is expressed in years, unlike PFHd, which is expressed in frac­tion­al hours (1/h). I have yet to hear why this is the case as it seems rather con­fus­ing. How­ev­er, that is cur­rent prac­tice.

Architectural Categories

Once the required PL is known, the next step is the selec­tion of the archi­tec­tur­al cat­e­go­ry. The basic archi­tec­tur­al cat­e­gories were intro­duced ini­tial­ly in EN 954–1:1996 [12].  The Cat­e­gories were car­ried for­ward unchanged into the first edi­tion of ISO 13849–1 in 1999. The Cat­e­gories were main­tained and expand­ed to include addi­tion­al require­ments in the sec­ond and third edi­tions in 2005 and 2015.

Since I have explored the details of the archi­tec­tures in a pre­vi­ous series, I am not going to repeat that here. Instead, I will refer you to that series. The archi­tec­tur­al Cat­e­gories come in five flavours:

Archi­tec­ture Basics
Cat­e­go­ry Struc­ture Basic Require­ments Safe­ty Princ­ple
For full require­ments, see [1, Cl. 6]
B Sin­gle chan­nel Basic cir­cuit con­di­tions are met (i.e., com­po­nents are rat­ed for the cir­cuit volt­age and cur­rent, etc.) Use of com­po­nents that are designed and built to the rel­e­vant com­po­nent stan­dards. [1, 6.2.3] Com­po­nent selec­tion
1 Sin­gle chan­nel Cat­e­go­ry B plus the use of “well-tried com­po­nents” and “well-tried safe­ty prin­ci­ples” [1, 6.2.4] Com­po­nent selec­tion
2 Sin­gle chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and peri­od­ic test­ing [1, 4.5.4] of the safe­ty func­tion by the machine con­trol sys­tem. [1, 6.2.5] Sys­tem Struc­ture
3 Dual chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and no sin­gle fault shall lead to the loss of the safe­ty func­tion.

Where prac­ti­ca­ble, sin­gle faults shall be detect­ed. [1, 6.2.6]

Sys­tem Struc­ture
4 Dual chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and no sin­gle fault shall lead to the loss of the safe­ty func­tion.

Sin­gle faults are detect­ed at or before the next demand on the safe­ty sys­tem, but where this is not pos­si­ble an accu­mu­la­tion of unde­tect­ed faults will not lead to the loss of the safe­ty func­tion. [1, 6.2.7]

Sys­tem Struc­ture

[1, Table 10] pro­vides a more detailed sum­ma­ry of the require­ments than the sum­ma­ry table above pro­vides.

Since the Cat­e­gories can­not all achieve the same reli­a­bil­i­ty, the PL and the Cat­e­gories are linked as shown in [1, Fig. 5]. This dia­gram sum­maris­es te rela­tion­ship of the three cen­tral para­me­ters in ISO 13849–1 in one illus­tra­tion.

Figure relating Architectural Category, DC avg, MTTFD and PL.
Rela­tion­ship between cat­e­gories, DCavg, MTTFD of each chan­nel and PL

Start­ing with the PLr from the Safe­ty Require­ment Spec­i­fi­ca­tion for the first safe­ty func­tion, you can use Fig. 5 to help you select the Cat­e­go­ry and oth­er para­me­ters nec­es­sary for the design. For exam­ple, sup­pose that the risk assess­ment indi­cates that an emer­gency stop sys­tem is need­ed. ISO 13850 requires that emer­gency stop func­tions pro­vide a min­i­mum of PLc, so using this as the basis you can look at the ver­ti­cal axis in the dia­gram to find PLc, and then read across the fig­ure. You will see that PLc can be achieved using Cat­e­go­ry 1, 2, or 3 archi­tec­ture, each with cor­re­spond­ing dif­fer­ences in MTTFD and DCavg. For exam­ple:

  • Cat. 1, MTTFD = high and DCavg = none, or
  • Cat. 2, MTTFD = Medi­um to High and DCavg = Low to Medi­um, or
  • Cat. 3, MTTFD = Low to High and DCavg = Low to Medi­um.

As you can see, the MTTFD in the chan­nels decreas­es as the diag­nos­tic cov­er­age increas­es. The design com­pen­sates for low­er reli­a­bil­i­ty in the com­po­nents by increas­ing the diag­nos­tic cov­er­age and adding redun­dan­cy. Using [1, Fig. 5] you can pin down any of the para­me­ters and then select the oth­ers as appro­pri­ate.

One addi­tion­al point regard­ing Cat­e­go­ry 3 and 4: The dif­fer­ence between these Cat­e­gories is increased Diag­nos­tic Cov­er­age. While Cat­e­go­ry 3 is Sin­gle Fault Tol­er­ant, Cat­e­go­ry 4 has addi­tion­al diag­nos­tic capa­bil­i­ties so that addi­tion­al faults can­not lead to the loss of the safe­ty func­tion. This is not the same as being mul­ti­ple fault tol­er­ant, as the sys­tem is still designed to oper­ate in the pres­ence of only a sin­gle fault, it is sim­ply enhanced diag­nos­tic capa­bil­i­ty.

It is worth not­ing that ISO 13849 only recog­nis­es struc­tures with sin­gle or dual chan­nel con­fig­u­ra­tions. If you need to devel­op a sys­tem with more than sin­gle redun­dan­cy (i.e., more than two chan­nels), you can analyse each pair of chan­nels as a dual chan­nel archi­tec­ture, or you can move to using IEC 62061 or IEC 61508, either of which per­mits any lev­el of redun­dan­cy.

The next step in this process is the eval­u­a­tion of the com­po­nent and chan­nel MTTFD, and then the deter­mi­na­tion of the com­plete sys­tem MTTFD. Part 4 of this series pub­lish­es on 13-Feb-17.

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assess­ment: Basics and Bench­marks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simp­son, Safe­ty crit­i­cal sys­tems hand­book. Ams­ter­dam: Else­vier/But­ter­worth-Heine­mann, 2011.

[0.2]  Elec­tro­mag­net­ic Com­pat­i­bil­i­ty for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: The Insti­tu­tion of Engi­neer­ing and Tech­nol­o­gy, 2008.

[0.3]  Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 2013.


Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Includ­ed in the last post of the series is the com­plete ref­er­ence list.

[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1. 2015.

[7]     Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. IEC Stan­dard 61508. 2nd Edi­tion. Sev­en Parts. 2010.

[9]      Safe­ty of machin­ery — Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC Stan­dard 62061. 2005.

[10]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report 62061–1. 2010.

[11]    D. S. G. Nix, Y. Chin­ni­ah, F. Dosio, M. Fessler, F. Eng, and F. Schr­ev­er, “Link­ing Risk and Reliability—Mapping the out­put of risk assess­ment tools to func­tion­al safe­ty require­ments for safe­ty relat­ed con­trol sys­tems,” 2015.

[12]    Safe­ty of machin­ery. Safe­ty relat­ed parts of con­trol sys­tems. Gen­er­al prin­ci­ples for design. CEN Stan­dard EN 954–1. 1996.

Digiprove sealCopy­right secured by Digiprove © 2017
Acknowl­edge­ments: IEC and ISO as cit­ed.
Some Rights Reserved
Series Nav­i­ga­tionISO 13849–1 Analy­sis — Part 2: Safe­ty Require­ment Spec­i­fi­ca­tion”>ISO 13849–1 Analy­sis — Part 2: Safe­ty Require­ment Spec­i­fi­ca­tionISO 13849–1 Analy­sis — Part 4: MTTFD — Mean Time to Dan­ger­ous Fail­ure”>ISO 13849–1 Analy­sis — Part 4: MTTFD — Mean Time to Dan­ger­ous Fail­ure

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. ( in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.