❌ ISO 13849-1:2023 – Do Not Use ❌

This is a first

On Thursday, 2023-04-27, ISO published ISO 13849-1:2023, the 4th edition of the dominant functional safety standard for machinery.

Usually, I would be the first to tell you that you should buy the standard as quickly as possible and start using it immediately. Today is not a normal day. As Command Module Pilot John L. “Jack” Swigert on Apollo 13 said, “Okay, Houston, we’ve had a problem here” [1].

I can’t say this strongly enough: Do not use ISO 13849-1:2023. Stay with ISO 13849-1:2015 or IEC 62061:2021 instead.

If you subscribe to my mailing list, you heard about this first through that channel. This post expands on that email. If you are not yet a member, you can subscribe here. We only send out a couple of emails a year and will never sell or share your information with anyone.



TL;DR

What happened: ISO published a new edition of ISO 13849-1 on 2023-04-27. The standard is riddled with technical problems that are likely to create safety systems much less safe than the 3rd edition of the standard published in 2015. The new EMC for functional safety annex includes unproven methods that will cause problems for anyone trying to use them.

Best advice: DO NOT USE ISO 13849-1:2023. Stay with the 3rd edition until the committee can correct the problems in the 4th edition.


Do NOT buy or use this standard!

I strongly recommend that you DO NOT use ISO 13849-1:2023 edition for a few reasons:

  • Several technical changes in the normative text can result in designs that are more likely to fail.
  • Some approaches the standard suggests are not based on sound science or engineering practice.
  • Unproven techniques are presented as sound engineering techniques.
  • The standard is transitioning from a two-part structure to a single document. That transition is incomplete and won’t be finished for a few years. 

Read on to learn more about the problems with this new 4th edition.

Technical flaws

Out-of-scope requirements for SRESW

The standard includes requirements that fall outside its own scope. The scope covers the design of safety-related parts of control systems, not the development of safety components; however, the clause covering safety-related embedded software (SRESW), i.e., safety software written in a full variability language (FVL) and supplied as firmware, requires the use of design techniques at the component level. The development of SRESW is covered in detail in IEC 61508-3:2010 [2] but is outside the scope of ISO 13849-1. This is the first reason I recommend that you do not use ISO 13849-1:2023.

Standard PLCs in safety functions

If you are familiar with BGIA Report 2/2008e [3] or IFA Report 2/2017e [4], you will remember the many examples showing system schematics, logic block diagrams, and giving detailed analyses. IFA even produced example SISTEMA project files for all the examples in those reports.

Standard PLCs are used as part of the control system in some of those examples. A standard PLC is sometimes used as test equipment or in one functional channel. However, two standard PLCs are never used to provide the two functional channels. This is because standard PLCs are not tested with the same rigour as safety PLCs and are therefore more likely to be affected by temperature, humidity, vibration, electrical transients, and other electromagnetic phenomena that cause errors. These errors can lead to catastrophic failures.

The 4th edition of ISO 13849-1 includes new approaches to functional safety systems that are unsupported by sound engineering practice. One involves using two standard PLCs to provide the two channels of a system with PLr up to e. This approach yields different results from those obtained by applying the standard's own calculations to the same components, and it is likely to produce control systems that will not perform as required. I would not follow this new approach; it is fundamentally unsound.

It is possible to show that the two approaches give PFHD values that differ by more than one decade and PL values that differ by at least one level.

The result is that the standard makes it possible to get two different values for the same circuit. ❌ This approach should be avoided and is another reason I recommend you do not use ISO 13849-1:2023.

An alternative approach to determining the PL without data

A new “alternative” approach no longer requires PFHD data to determine the PL. Knowing the failure rate of components is fundamental to predicting the performance of components and systems.

The alternative approach permits the determination of the PL and the related PFHD using components with unknown failure rates or where the component manufacturer does not indicate their suitability for use in safety-related applications.

For example, the possibility of using components without failure-rate data is conditional on using well-tried components. It is unclear from the text how a component can be declared well-tried without any information on its reliability, or how reliability data can be unavailable for well-tried components built to conform to specific safety standards.

The assumption that it is “acceptable” to specify a 20-year mission time for components of unknown pedigree is also inconsistent if their useful lifetime is unknown. The useful life, T10D, must be greater than the mission time. If you don't know the useful life, you cannot know whether the component needs to be replaced during the standard mission time.

A conflict also exists: one statement says that if reliability data are not available, it is possible to use “failure rate field data from identical component applications in similar environments collected over a significant period of time and where the collection and analysis method results in a reasonable level of confidence in the data” and, if this route is not practical, to assume an MTTFD of 10 years (worst case).

This alternative method is based on assumptions that have no technical basis. ❌ This approach should be avoided and is another reason I recommend you do not use ISO 13849-1:2023.
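As an added worked example (not code from the original post, nor from ISO or the working group), here is the B10D arithmetic behind the mission-time and decade points above, using the formulas of ISO 13849-1:2015 Annex C, the parts-count method of Annex D, and the MTTFD and PL bands of Tables 5 and 3. The component figures and duty cycle are constructed for illustration. It shows why a part's useful life T10D has to be known before a 20-year mission time can be declared, and why two PFHD values one decade apart land on different PLs.

```python
# Added worked example; not code from the original post or from ISO.
# Formulas: ISO 13849-1:2015 Annex C (C.4.2 nop and MTTFD, C.4.3 T10D),
# Annex D (parts count), Table 5 (MTTFD bands) and Table 3 (PL from PFHD).
# Component data below is constructed for illustration only.
from dataclasses import dataclass

MISSION_TIME_YEARS = 20.0  # mission time T_M assumed throughout ISO 13849-1


@dataclass(frozen=True)
class Component:
    name: str
    b10d: float      # cycles at which 10 % of a sample has failed dangerously
    dop: float       # mean operating days per year
    hop: float       # mean operating hours per day
    tcycle_s: float  # mean time between two consecutive actuations, seconds


def nop(c: Component) -> float:
    """Mean number of annual operations: nop = dop * hop * 3600 / tcycle (C.4.2)."""
    return c.dop * c.hop * 3600.0 / c.tcycle_s


def mttfd_years(c: Component) -> float:
    """MTTFD = B10D / (0.1 * nop) (C.4.2)."""
    return c.b10d / (0.1 * nop(c))


def t10d_years(c: Component) -> float:
    """Useful life T10D = B10D / nop (C.4.3); the part must be replaced when it is reached."""
    return c.b10d / nop(c)


def needs_replacement(c: Component, mission_time: float = MISSION_TIME_YEARS) -> bool:
    """True when T10D is shorter than the mission time, so a scheduled exchange is mandatory."""
    return t10d_years(c) < mission_time


def channel_mttfd(parts, cap: float = 100.0) -> float:
    """Parts-count method for one channel: 1/MTTFD = sum(1/MTTFD_i) (D.1).
    ISO 13849-1:2015 caps the channel value at 100 years (2 500 years is
    allowed for category 4 only; not handled here)."""
    return min(1.0 / sum(1.0 / mttfd_years(p) for p in parts), cap)


def mttfd_band(years: float) -> str:
    """Table 5: channel MTTFD bands; below 3 years is not allowed at all."""
    if years < 3.0:
        return "not allowed"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def pl_from_pfhd(pfhd: float) -> str:
    """Table 3: performance level from the average probability of a dangerous
    failure per hour. A factor of ten in PFHD moves the result one PL."""
    bands = (("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
             ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7))
    for pl, lo, hi in bands:
        if lo <= pfhd < hi:
            return pl
    raise ValueError(f"PFHD {pfhd:g} is outside the PL bands of Table 3")


# Constructed sample channel: a contactor and a valve, each actuated every
# 30 s, 16 h/day, 220 days/year. The B10D values are illustrative, not vendor data.
CONTACTOR = Component("contactor", b10d=1.3e6, dop=220, hop=16, tcycle_s=30)
VALVE = Component("valve", b10d=2.0e7, dop=220, hop=16, tcycle_s=30)
OUTPUT_CHANNEL = (CONTACTOR, VALVE)


def channel_report(parts=OUTPUT_CHANNEL) -> dict:
    """Summarise each part and the channel so the mission-time check is explicit."""
    total = channel_mttfd(parts)
    return {
        "parts": {p.name: {"nop": nop(p),
                           "mttfd_years": mttfd_years(p),
                           "t10d_years": t10d_years(p),
                           "replace_before_mission_end": needs_replacement(p)}
                  for p in parts},
        "channel_mttfd_years": total,
        "channel_band": mttfd_band(total),
    }


if __name__ == "__main__":
    report = channel_report()
    for name, info in report["parts"].items():
        print(name, {k: round(v, 2) if isinstance(v, float) else v for k, v in info.items()})
    print("channel:", round(report["channel_mttfd_years"], 1), report["channel_band"])
```

With these constructed figures the contactor reaches T10D after about three years, so it has to be exchanged roughly six times within the 20-year mission time, which is exactly the information the alternative approach lets you omit. The channel also drops from "high" to "medium" MTTFD once the contactor is combined with the valve, and PFHD values of 5e-7 and 5e-8 evaluate to PL d and PL e respectively.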

Annex L – Electromagnetic interference (EMI) immunity

Electromagnetic compatibility (EMC) is a growing concern for systems designers in every sector. As wireless devices of all kinds proliferate and vehicles are fitted with high-frequency radar systems for various automated driver assist systems, the electromagnetic environment has become an increasingly wild and hostile place for equipment to operate.

For decades, electromagnetic immunity for functional safety has been a concern in avionics, medical devices, the military and the nuclear power sector. It’s a new concept for many machine builders. Some machine builders are still struggling with the basics of functional safety and EMC without considering the intersection of these two complex areas.

The 4th edition of the standard includes an expanded clause on EMC. That clause points to the new “Annex L,” which includes references to IEC 61000-1-2 [5]. That standard has not been revised since it was first published in 2016. According to some of the experts involved in its development, IEC 61000-1-2 has significant flaws and does not cover the topic well enough to be useful.

Annex L suggests a method for conducting an electromagnetic risk assessment, referring to other standards for improving electromagnetic resilience in functional safety systems.

The good thing is that the annex is informative; the bad thing is that it is likely to guide machine builders in the wrong direction. Other EMC standards provide much better guidance.

You cannot “test in” electromagnetic resilience

One of the fathers of modern quality assurance, W. E. Deming, wrote, “Quality can not be inspected into a product or service; it must be built into it” [6]. The same is true for electromagnetic resilience. The product was either designed and built to be resilient or it was not. Testing will not fix that and may not reveal significant weaknesses. Keith Armstrong, a leading EMC expert, said in a presentation in 2022 [7] that:

  • Digital systems cannot be proven safe enough by testing alone.
  • Failures of digital systems caused by untested combinations of perfectly correct inputs have been a well-known problem for 40+ years (see Wikipedia).
  • Merely testing the address space (the range of input data) can require hundreds of years, even at 1 µs/test.
  • Full testing, even just once, is impossible!
  • And digital systems are non-linear, so we can’t interpolate, meaning that even if testing proved 99% of digital states were safe (but it can’t!), we still must assume the untested 1% of states remaining, could all be unsafe.

With all that in mind, consider the “Four Routes” in Annex L.

Four routes

Annex L includes four “routes” to fulfil the EMC requirements of the standard. Since this is an informative annex, none of the routes is mandatory.

Route A – Use the product standard

In Route A, you simply follow the EMC requirements found in the type-C standard for the product. For example, if you manufacture CNC machining centres, you would follow the EMC requirements in ISO 16090-1 [8]. Other examples of product standards include IEC 61326-3-1 [9] and IEC 61800-5-2 [10]. Some product standards reference a product-specific EMC standard rather than the generic standards. However, many type-C standards committees have no expertise in EMC, and they often default to the minimum requirements found in the generic standards. The result: testing that cannot validate the electromagnetic resilience of the functional safety systems on the product.

Route B – Use IEC 61000-6-2

Route B is “Follow IEC 61000-6-2 [11].” This route is only applicable to PL a or b; it is not applicable to systems requiring PL c, d, or e.

For many low-risk products, there is no practical difference between Routes A and B. One practical limitation is machines whose risk assessment identifies the need for an emergency stop function, or whose type-C standard requires one. ISO 13850 [12] requires emergency stop functions to provide a minimum of PL c, so any machine with an emergency stop cannot use Route B unless the risk assessment can justify a lower PL.

Route C – Implement EMC measures on a system level ❌

Route C suggests following IEC 61000-6-7 [13], but this standard was published in 2014 and has yet to be updated.

This route relies upon a scoring tool shown in Table L.1, a method that has no substantive technical basis and is unprecedented in any of the IEC EMC standards. The approach used in Table L.1 has never been submitted to peer review by the scientific community. No field trials or studies have demonstrated the effectiveness of the Table L.1 method in producing designs with good electromagnetic resilience in machinery applications.

Anyone using this method because it appears simpler and easier, since it does not require tests at increased immunity levels, could create systems that are sensitive to EMI and potentially dangerous.

❌ Route C should be avoided. This is another good reason not to use ISO 13849-1:2023.

Route D – Follow IEC 61000-6-7 or other generic EMC standards for functional safety

Route D skips the unproven Table L.1 scoring method, requiring full conformity to IEC 61000-6-7 or “other generic EMC standards for functional safety.” This route is open to future EMC for functional safety standards that will likely be developed.

One standard that can help bridge the gaps in [11], [13] and the product-specific EMC standards is IEEE 1848™-2020, IEEE Standard for Techniques and Measures to Manage Functional Safety and Other Risks with Regards to Electromagnetic Disturbances [14]. This standard grew out of work done by the UK IET in the first two decades of this century. It includes techniques that can be used to manage the development of functional safety systems, and measures that can significantly improve the electromagnetic resilience of these systems no matter which IEC standard applies to your product. A new project stemming from IEEE 1848 will create a machinery sector-specific version of the standard. Development of that document is due to start in Q4-2023, with the goal of publication in 2026. You can learn more about that project from the 1848-MSSV website. The committee is actively recruiting engaged experts with EMC and machinery experience.

A document in transition

ISO/TC 199/WG 8 has merged all of the normative text from ISO 13849-2:2012 into part 1. However, the informative annexes from ISO 13849-2, which provide information necessary for using both parts of the standard, have not yet been moved into part 1. The committee recognized that the tables need corrections and revisions, since they were published over a decade ago. This work has started, but it will be some time before the Working Group can finish. Until that work is done, the most current information is still in ISO 13849-2:2012.

As an interim step, ISO 13849-2 will be changed to a technical report, ISO/TR 13849-2, containing only the informative annexes with the updated tables. Following the publication of ISO/TR 13849-2, which might happen in 2025, ISO 13849-1 will be revised, incorporating the informative annexes from ISO/TR 13849-2. It will be a single-part standard when the combined document is published, possibly in 2028. Hopefully, the committee will have corrected the many problems in the 4th edition and completed the merger of the two parts by then.

The documents will be a mess for a while, which is another good reason not to use ISO 13849-1:2023.

Best advice

For all of the reasons given in this article, my best advice is that you do not use ISO 13849-1:2023 but instead stay with ISO 13849-1:2015 and ISO 13849-2:2012 until the working group can merge the two documents and correct the technical flaws introduced in the new 4th edition. The 3rd edition is technically sound, and by using it, you can be confident in the reliability of the safety systems you design.

In the meantime, IEEE 1848 provides much better guidance on electromagnetic resilience than Annex L. It builds on, and compensates for the weaknesses in, IEC 61000-1-2 [5] and IEC 61000-6-7 [13], and it is compatible with the 3rd, 4th, and future 5th editions of ISO 13849.

Need training?

We offer online ISO 13849 training that gives you a deep understanding of how to implement this standard in your designs.


References

[1] K. Mars and J. Uri, “50 years ago: ‘Houston, we’ve had a problem,’” NASA, 13-Apr-2020. [Online]. Available: https://www.nasa.gov/feature/50-years-ago-houston-we-ve-had-a-problem. [Accessed: 02-May-2023].

[2] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC 61508 (seven parts). International Electrotechnical Commission (IEC). 2010.

[3] M. Hauke et al., “Functional Safety of Machine Controls – Application of ISO 13849-1,” DGUV/BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, DE, Report 2/2008e, 2009. [Online]. Available: https://www.dguv.de/ifa/publikationen/reports-download/bgia-reports-2007-bis-2008/bgia-report-2-2008/index-2.jsp. [Accessed: 28-Apr-2023].

[4] M. Hauke et al., “Functional safety of machine controls – Application of EN ISO 13849,” Deutsche Gesetzliche Unfallversicherung e. V. (DGUV), Sankt Augustin, DE, Report 2/2017e, Jul. 2019. [Online]. Available: https://www.dguv.de/ifa/publikationen/reports-download/reports-2017/ifa-report-2-2017/index-2.jsp. [Accessed: 28-Apr-2023].

[5] Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena, IEC 61000-1-2. International Electrotechnical Commission (IEC), Geneva, 2016. [Online]. Available: https://webstore.iec.ch/publication/24517.

[6] W. E. Deming, Out of the crisis, 2nd ed. The MIT Press, 2018. p. 29. [Online]. Available: https://deming.org/inspection-is-too-late-the-quality-good-or-bad-is-already-in-the-product/. [Accessed: 28-Apr-2023].

[7] K. Armstrong, “Techniques & Measures for Managing Functional Safety and Other Risks that can be caused by EMI (IEEE 1848-2020) — and an outlook on draft IEC TS 60601-4-X on managing the Essential Performance risks that can be caused by EMI,” presented at the 2022 IEEE International Symposium on Electromagnetic Compatibility, Signal & Power Integrity, Spokane, WA, 2022-08-05.

[8] Machine tools safety — Machining centres, milling machines, transfer machines — Part 1: Safety requirements, ISO 16090-1. International Organization for Standardization (ISO). 2022.

[9] Electrical equipment for measurement, control and laboratory use – EMC requirements – Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) – General industrial applications, IEC 61326-3-1. International Electrotechnical Commission (IEC). 2017.

[10] Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional, IEC 61800-5-2. International Electrotechnical Commission (IEC). 2016.

[11] Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity standard for industrial environments, IEC 61000-6-2. International Electrotechnical Commission (IEC). 2016.

[12] Safety of machinery – Emergency stop – Principles for design, ISO 13850. International Organization for Standardization (ISO). 2015.

[13] Electromagnetic compatibility (EMC) – Part 6-7: Generic standards – Immunity requirements for equipment intended to perform functions in a safety-related system (functional safety) in industrial locations, IEC 61000-6-7. International Electrotechnical Commission (IEC). 2014.

[14] IEEE Standard for Techniques and Measures to Manage Functional Safety and Other Risks with Regards to Electromagnetic Disturbances, IEEE Std. 1848-2020. Institute of Electrical and Electronics Engineers (IEEE), Piscataway, NJ, 2020. [Online]. Available: https://ieeexplore.ieee.org/document/9416938.

© 2023, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

4 thoughts on “❌ ISO 13849-1:2023 – Do Not Use ❌”

  1. I wonder how the IFA reports (and Sistema) will be implemented in relation to the flawed updated prescriptions of this edition.

    1. Hi Massimo,

      This is a big question. There are experts from IFA that are part of the working group that develops ISO 13849, so they are aware of the implications. I’m not sure that we will see a revision to SISTEMA for a while yet. I say this because the Working Group is working on updating the informative annexes of ISO 13849-2 and publishing them as ISO/TR 13849-2. Once that’s done, the next step in merging part 1 and part 2 is for the working group to integrate the content of ISO/TR 13849-2 into ISO 13849-1:2023, publishing a unified single-part standard likely in late 2025 or 2026. After that, ISO/TR 13849-2 will be withdrawn. I think that once that cycle is complete we will see a new revision of SISTEMA.

      Remember that the calculations that underpin the 4th edition remain unchanged. This is why I recommend that users stay with the third edition. It would only be in the cases where the flaws might apply to a control system that you want to design that using the 4th edition offers you anything in terms of new capabilities.

      The 4th edition does have some significant improvements in terms of workflows and the requirements for safety requirements specifications, so it's not a total loss at all. My opinion is that the technical flaws will result in workers being killed by systems that are designed according to the relevant sections. If you are designing board-level hardware for safety functions, you will be better served by using IEC 61508-2:2010. Safety-related software running on that hardware should be designed according to IEC 61508-3:2010. EMC requirements for functional safety systems are covered by IEC 61000-1-2 and IEC 61000-5-7 or by application-specific EMC standards. Additionally, I have to strongly recommend that manufacturers use IEEE Standard 1848™:2020, IEEE Standard for Techniques and Measures to Manage Functional Safety and Other Risks with Regards to Electromagnetic Disturbances. That standard offers important additional techniques and measures that have been proven over decades to significantly improve the EM resilience of functional safety systems.

  2. Great article and commentary, Doug. EMC in particular is a non-trivial area requiring multidisciplinary expertise. Additionally, I am shocked that the 13849 committee would suggest that using two conventional PLCs could ever achieve a PLd, let alone a PLe performance level. There are some non-safety PLCs that carry a SIL2 certification, and perhaps an argument could be made in that specific case; however, they do not implement certified safety functions, so the logic would need to be tested and certified. Moreover, a safety PLC implementation contains both redundancy and diversity by design, and even using two SIL2-rated PLCs would not guarantee the diversity as they would be running the same firmware.

    1. Hi Leigh,
      Thanks for the kind words. The current edition is deeply flawed. There were comments on the areas I mentioned in the article, but the pressure to publish the document overwhelmed the opposition. Now we have to work to fix the problems, and as I know you know from your work on CSA standards, fixing something once it's in a published standard is MUCH harder than never publishing it in the first place. Anyway, I had to let people know about the problems so they could make another decision. The 2015/3rd edition is still a good option. For EMC, I strongly recommend IEEE 1848. Using the techniques and measures in that standard will help control system designers and manufacturers build more resilient systems. Annex L in the 4th edition will not do that for you.

      Please share this article around far-and-wide.
