
ISO 13849-1 Analysis — Part 3: Architectural Category Selection

This entry is part 3 of 9 in the series How to do a 13849-1 analysis

At this point, you have completed the risk assessment, assigned required Performance Levels to each safety function, and developed the Safety Requirement Specification for each safety function. Next, you need to consider three aspects of the system design: Architectural Category, Channel Mean Time to Dangerous Failure (MTTFD), and Diagnostic Coverage (DCavg). In this part of the series, I am going to discuss selecting the architectural category for the system.

If you missed the second instalment in this series, you can read it here.

Understanding Performance Levels

To understand ISO 13849-1, it helps to know a little about where the standard originated. ISO 13849-1 is a simplified method for determining the reliability of safety-related controls for machinery. The basic ideas came from IEC 61508 [7], a seven-part standard originally published in 1998. IEC 61508 brought forward the concept of the Average Probability of Dangerous Failure per Hour, PFHD (1/h). Dangerous failures are those failures that result in non-performance of the safety function, and which cannot be detected by diagnostics. Here’s the formal definition from [1]:

3.1.5

dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state

Note 1 to entry: Whether or not the potential is realised can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.

Note 2 to entry: [SOURCE: IEC 61508-4, 3.6.7, modified.]

The Performance Levels are simply bands of probabilities of Dangerous Failures, as shown in [1, Table 2] below.

[Image: Table 2 from ISO 13849-2:2015 showing the five Performance Levels and the corresponding ranges of PFHd values]
Performance Levels as bands of PFHd ranges

The ranges shown in [1, Table 2] are approximate. If you need to see the specific limits of the bands for any reason, see [1, Annex K], which describes the full span of PFHD in table format.

There is another way to describe the same characteristics of a system, this one from IEC. Instead of using the PL system, IEC uses Safety Integrity Levels (SILs). [1, Table 3] shows the correspondence between PLs and SILs. Note that the correspondence is not exact. Where the calculated PFHd is close to either end of one of the PL or SIL bands, use the table in [1, Annex K] or in [9] to determine to which band(s) the performance should be assigned.

IEC produced a Technical Report [10] that provides guidance on how to use ISO 13849-1 or IEC 62061. The following table shows the relationship between PLs, PFHd and SILs.

[Image: Table showing the correspondence between the PL, PFHd, and SIL]
IEC/TR 62061-1:2010, Table 1

IEC 61508 includes SIL 4, which is not shown in [10, Table 1] because this level of performance exceeds the range of PFHD possible using ISO 13849-1 techniques. Also, you may have noticed that PLb and PLc are both within SIL1. This was done to accommodate the five architectural categories that came from EN 954-1 [12].

Why PL and not just PFHD? One of the odd things that humans do when we can calculate things is the development of what has been called “precision bias” [12]. Precision bias occurs when we can compute a number that appears very precise, e.g., 3.2 x 10^-6, which then makes us feel like we have a very precise concept of the quantity. The problem, at least in this case, is that we are dealing with probabilities, and minuscule probabilities at that. Using bands, like the PLs, forces us to “bin” these apparently precise numbers into larger groups, eliminating the effects of precision bias in the evaluation of the systems. Eliminating precision bias is the same reason that IEC 61508 uses SILs – binning the calculated values helps to reduce our tendency to develop a precision bias. The reality is that we just can’t predict the behaviour of these systems with as much precision as we would like to believe.

Getting to Performance Levels: MTTFD, Architectural Category and DC

Some aspects of the system design need to be considered to arrive at a Performance Level or make a prediction about failure rates in terms of PFHd.

First is the system architecture: fundamentally, single channel or two channel. As a side note, if your system uses more than two channels there are ways to handle this in ISO 13849-1 that are workarounds, or you can use IEC 62061 or IEC 61508, either of which will handle these more complex systems more easily. Remember, ISO 13849-1 is intended for relatively simple systems.

When we get into the analysis in a later article, we will be calculating or estimating the Mean Time to Dangerous Failure, MTTFD, of each channel, and then of the entire system. MTTFD is expressed in years, unlike PFHd, which is expressed in fractional hours (1/h). I have yet to hear why this is the case, as it seems rather confusing. However, that is current practice.

Architectural Categories

Once the required PL is known, the next step is the selection of the architectural category. The basic architectural categories were introduced initially in EN 954-1:1996 [12]. The Categories were carried forward unchanged into the first edition of ISO 13849-1 in 1999. The Categories were maintained and expanded to include additional requirements in the second and third editions in 2005 and 2015.

Since I have explored the details of the architectures in a previous series, I am not going to repeat that here. Instead, I will refer you to that series. The architectural Categories come in five flavours:

Architecture Basics (for full requirements, see [1, Cl. 6])

| Category | Structure | Basic Requirements | Safety Principle |
|---|---|---|---|
| B | Single channel | Basic circuit conditions are met (i.e., components are rated for the circuit voltage and current, etc.). Use of components that are designed and built to the relevant component standards. [1, 6.2.3] | Component selection |
| 1 | Single channel | Category B plus the use of “well-tried components” and “well-tried safety principles”. [1, 6.2.4] | Component selection |
| 2 | Single channel | Category B plus the use of “well-tried safety principles” and periodic testing [1, 4.5.4] of the safety function by the machine control system. [1, 6.2.5] | System structure |
| 3 | Dual channel | Category B plus the use of “well-tried safety principles”, and no single fault shall lead to the loss of the safety function. Where practicable, single faults shall be detected. [1, 6.2.6] | System structure |
| 4 | Dual channel | Category B plus the use of “well-tried safety principles”, and no single fault shall lead to the loss of the safety function. Single faults are detected at or before the next demand on the safety system, but where this is not possible an accumulation of undetected faults will not lead to the loss of the safety function. [1, 6.2.7] | System structure |

[1, Table 10] provides a more detailed summary of the requirements than the summary table above provides.

Since the Categories cannot all achieve the same reliability, the PL and the Categories are linked as shown in [1, Fig. 5]. This diagram summarises the relationship of the three central parameters in ISO 13849-1 in one illustration.

[Image: Figure relating Architectural Category, DCavg, MTTFD and PL]
Relationship between categories, DCavg, MTTFD of each channel and PL

Starting with the PLr from the Safety Requirement Specification for the first safety function, you can use Fig. 5 to help you select the Category and other parameters necessary for the design. For example, suppose that the risk assessment indicates that an emergency stop system is needed. ISO 13850 requires that emergency stop functions provide a minimum of PLc, so using this as the basis you can look at the vertical axis in the diagram to find PLc, and then read across the figure. You will see that PLc can be achieved using Category 1, 2, or 3 architecture, each with corresponding differences in MTTFD and DCavg. For example:

  • Cat. 1, MTTFD = High and DCavg = None, or
  • Cat. 2, MTTFD = Medium to High and DCavg = Low to Medium, or
  • Cat. 3, MTTFD = Low to High and DCavg = Low to Medium.

As you can see, the MTTFD in the channels decreases as the diagnostic coverage increases. The design compensates for lower reliability in the components by increasing the diagnostic coverage and adding redundancy. Using [1, Fig. 5] you can pin down any of the parameters and then select the others as appropriate.

One additional point regarding Category 3 and 4: the difference between these Categories is increased Diagnostic Coverage. While Category 3 is Single Fault Tolerant, Category 4 has additional diagnostic capabilities so that additional faults cannot lead to the loss of the safety function. This is not the same as being multiple fault tolerant, as the system is still designed to operate in the presence of only a single fault; it is simply enhanced diagnostic capability.

It is worth noting that ISO 13849 only recognises structures with single or dual channel configurations. If you need to develop a system with more than single redundancy (i.e., more than two channels), you can analyse each pair of channels as a dual channel architecture, or you can move to using IEC 62061 or IEC 61508, either of which permits any level of redundancy.

The next step in this process is the evaluation of the component and channel MTTFD, and then the determination of the complete system MTTFD. Part 4 of this series publishes on 13-Feb-17.
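As an added example (this is my own illustration, not code from the article or from ISO), here is a small Python module that does the banding discussed in the Performance Levels section and in the Fig. 5 selection example above: it bins a calculated PFHd into a PL per [1, Table 2], maps the PL to a SIL per [1, Table 3], bins channel MTTFD and DCavg into the bands of [1, Tables 5 and 6] that you read off Fig. 5, flags results that sit close to a band edge (the case where the text says to consult [1, Annex K]), and shows the years-versus-1/h unit gap with the Category B approximation PFHd ≈ 1/(MTTFD in hours). The band limits are from my recollection of the standard's tables and should be checked against your copy; the 1.25 edge ratio, the function names and the sample values are my assumptions.

```python
"""ISO 13849-1 parameter binning: an added example, not code from the article or ISO.

Band limits are reproduced from ISO 13849-1:2015 [1] Tables 2, 3, 5 and 6 as this
example's author recalls them; check them against your copy of the standard.
"""
HOURS_PER_YEAR = 8760

# [1, Table 2]: PL as bands of PFHd (1/h). Lower bound inclusive, upper bound exclusive.
PL_BANDS = (
    ("a", 1e-5, 1e-4),
    ("b", 3e-6, 1e-5),
    ("c", 1e-6, 3e-6),
    ("d", 1e-7, 1e-6),
    ("e", 1e-8, 1e-7),
)

# [1, Table 3]: PL to SIL correspondence. PL a has no SIL; PL b and PL c both fall in SIL 1.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}

# [1, Table 5]: MTTFD of each channel, in years (note the unit: years, not 1/h).
MTTFD_BANDS = (("low", 3.0, 10.0), ("medium", 10.0, 30.0), ("high", 30.0, float("inf")))
MTTFD_CAP_YEARS = 100.0  # [1] caps channel MTTFD at 100 years (Category 4 allows more)

# [1, Table 6]: DCavg in percent.
DC_BANDS = (("none", 0.0, 60.0), ("low", 60.0, 90.0),
            ("medium", 90.0, 99.0), ("high", 99.0, float("inf")))


def _bin(value, bands, what):
    """Return the label of the band containing value, or raise if it is outside all bands."""
    for label, low, high in bands:
        if low <= value < high:
            return label
    raise ValueError(f"{what} = {value} lies outside the ranges covered by ISO 13849-1")


def performance_level(pfhd):
    """Bin a calculated PFHd (1/h) into a PL; the extra digits are deliberately discarded."""
    return _bin(pfhd, PL_BANDS, "PFHd")


def near_band_edge(pfhd, ratio=1.25):
    """True if pfhd is within a factor of `ratio` of a PL band limit.

    This is the case the article warns about: confirm the assignment with [1, Annex K]
    rather than trusting the approximate bands. The ratio is this example's own choice."""
    edges = {low for _, low, _ in PL_BANDS} | {high for _, _, high in PL_BANDS}
    return any(edge / ratio <= pfhd <= edge * ratio for edge in edges)


def pl_to_sil(pl):
    """Map a PL to the corresponding SIL from [1, Table 3] (None for PL a)."""
    return PL_TO_SIL[pl]


def mttfd_band(mttfd_years):
    """Bin a channel MTTFD (years) into the low/medium/high band of [1, Table 5]."""
    capped = min(mttfd_years, MTTFD_CAP_YEARS)
    return _bin(capped, MTTFD_BANDS, "MTTFD")


def dc_band(dc_percent):
    """Bin DCavg (percent, 0-100) into the none/low/medium/high band of [1, Table 6]."""
    if not 0.0 <= dc_percent <= 100.0:
        raise ValueError("DCavg must be a percentage between 0 and 100")
    return _bin(dc_percent, DC_BANDS, "DCavg")


def cat_b_pfhd(mttfd_years):
    """Category B (single channel, no diagnostics) approximation: PFHd ~ 1 / MTTFD in hours.

    Illustrates the unit gap the article mentions (MTTFD in years, PFHd in 1/h).
    Cross-check: 3 years gives about 3.8e-5 1/h, the Category B entry in [1, Annex K]."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def classify(pfhd, mttfd_years, dc_percent):
    """Bundle the three bands a designer reads off [1, Fig. 5] plus the PL/SIL result."""
    pl = performance_level(pfhd)
    return {
        "PL": pl,
        "SIL": pl_to_sil(pl),
        "near_edge": near_band_edge(pfhd),
        "MTTFD_band": mttfd_band(mttfd_years),
        "DCavg_band": dc_band(dc_percent),
    }


if __name__ == "__main__":
    # Constructed sample values (not from the article): two "precise" PFHd figures that
    # land in the same PL band, which is the point of binning.
    for pfhd in (3.2e-6, 5.0e-6):
        print(f"PFHd={pfhd:.1e} -> PL {performance_level(pfhd)}, near edge: {near_band_edge(pfhd)}")
    print(classify(cat_b_pfhd(30.0), 30.0, 0.0))
```

Running the module shows 3.2 x 10^-6 and 5.0 x 10^-6 both landing in PLb, with only the first flagged as close to the PLb/PLc boundary, and a 30-year single-channel MTTFD converting to roughly 3.8 x 10^-6 1/h, just inside PLb.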

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1. 2015.

[7]     Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508. 2nd Edition. Seven Parts. 2010.

[9]     Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[10]    Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report 62061-1. 2010.

[11]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the output of risk assessment tools to functional safety requirements for safety related control systems,” 2015.

[12]    Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954-1. 1996.

Copyright secured by Digiprove © 2017
Acknowledgements: IEC and ISO as cited.
Some Rights Reserved