ISO 13849–1 Analysis — Part 3: Architectural Category Selection

This entry is part 3 of 9 in the series How to do a 13849–1 analy­sis

At this point, you have com­plet­ed the risk assess­ment, assigned required Per­for­mance Lev­els to each safe­ty func­tion, and devel­oped the Safe­ty Require­ment Spec­i­fi­ca­tion for each safe­ty func­tion. Next, you need to con­sid­er three aspects of the sys­tem design: Archi­tec­tur­al Cat­e­go­ry, Chan­nel Mean Time to Dan­ger­ous Fail­ure (MTTFD), and Diag­nos­tic Cov­er­age (DCavg). In this part of the series, I am going to dis­cuss select­ing the archi­tec­tur­al cat­e­go­ry for the sys­tem.

If you missed the sec­ond instal­ment in this series, you can read it here.

Understanding Performance Levels

To under­stand ISO 13849–1, it helps to know a lit­tle about where the stan­dard orig­i­nat­ed. ISO 13849–1 is a sim­pli­fied method for deter­min­ing the reli­a­bil­i­ty of safe­ty-relat­ed con­trols for machin­ery. The basic ideas came from IEC 61508 [7], a sev­en-part stan­dard orig­i­nal­ly pub­lished in 1998. IEC 61508 brought for­ward the con­cept of the Aver­age Prob­a­bil­i­ty of Dan­ger­ous Fail­ure per Hour, PFHD (1/h). Dan­ger­ous fail­ures are those fail­ures that result in non-per­for­mance of the safe­ty func­tion, and which can­not be detect­ed by diag­nos­tics. Here’s the for­mal def­i­n­i­tion from [1]:


dan­ger­ous fail­ure
fail­ure which has the poten­tial to put the SRP/CS in a haz­ardous or fail-to-func­tion state

Note 1 to entry: Whether or not the poten­tial is realised can depend on the chan­nel archi­tec­ture of the sys­tem; in redun­dant sys­tems a dan­ger­ous hard­ware fail­ure is less like­ly to lead to the over­all dan­ger­ous or fail-to-func­tion state.

Note 2 to entry: [SOURCE: IEC 61508–4, 3.6.7, mod­i­fied.]

The Per­for­mance Lev­els are sim­ply bands of prob­a­bil­i­ties of Dan­ger­ous Fail­ures, as shown in [1, Table 2] below.

Table 2 from ISO 13849-2:2015 showing the five Performance levels and the corresponding ranges of PFHd values.
Per­for­mance Lev­els as bands of PFHd ranges

The ranges shown in [1, Table 2] are approx­i­mate. If you need to see the spe­cif­ic lim­its of the bands for any rea­son, see [1, Annex K] describes the full span of PFHD, in table for­mat.

There is anoth­er way to describe the same char­ac­ter­is­tics of a sys­tem, this one from IEC. Instead of using the PL sys­tem, IEC uses Safe­ty Integri­ty Lev­els (SILs). [1, Table 3] shows the cor­re­spon­dence between PLs and SILs. Note that the cor­re­spon­dence is not exact. Where the cal­cu­lat­ed PFHd is close to either end of one of the PL or SIL bands, use the table in [1, Annex K] or in [9] to deter­mine to which band(s) the per­for­mance should be assigned.

IEC pro­duced a Tech­ni­cal Report [10] that pro­vides guid­ance on how to use ISO 13849–1 or IEC 62061. The fol­low­ing table shows the rela­tion­ship between PLs, PFHd and SILs.

Table showing the correspondence between the PL, PFHd, and SIL.
IEC/TR 62061–1:2010, Table 1

IEC 61508 includes SIL 4, which is not shown in [10, Table 1] because this lev­el of per­for­mance exceeds the range of PFHD pos­si­ble using ISO 13849–1 tech­niques. Also, you may have noticed that PLb and PLc are both with­in SIL1. This was done to accom­mo­date the five archi­tec­tur­al cat­e­gories that came from EN 954–1 [12].

Why PL and not just PFHD? One of the odd things that humans do when we can cal­cu­late things is the devel­op­ment of what has been called “pre­ci­sion bias” [12]. Pre­ci­sion bias occurs when we can com­pute a num­ber that appears very pre­cise, e.g., 3.2 x 10-6, which then makes us feel like we have a very pre­cise con­cept of the quan­ti­ty. The prob­lem, at least in this case, is that we are deal­ing with prob­a­bil­i­ties and minus­cule prob­a­bil­i­ties at that. Using bands, like the PLs, forces us to “bin” these appar­ent­ly pre­cise num­bers into larg­er groups, elim­i­nat­ing the effects of pre­ci­sion bias in the eval­u­a­tion of the sys­tems. Elim­i­nat­ing pre­ci­sion bias is the same rea­son that IEC 61508 uses SILs — bin­ning the cal­cu­lat­ed val­ues helps to reduce our ten­den­cy to devel­op a pre­ci­sion bias. The real­i­ty is that we just can’t pre­dict the behav­iour of these sys­tems with as much pre­ci­sion as we would like to believe.

Getting to Performance Levels: MTTFD, Architectural Category and DC

Some aspects of the sys­tem design need to be con­sid­ered to arrive at a Per­for­mance Lev­el or make a pre­dic­tion about fail­ure rates in terms of PFHd.

First is the sys­tem archi­tec­ture: Fun­da­men­tal­ly, sin­gle chan­nel or two chan­nel. As a side note, if your sys­tem uses more than two chan­nels there are ways to han­dle this in ISO 13849–1 that are workarounds, or you can use IEC 62061 or IEC 61508, either of which will han­dle these more com­plex sys­tems more eas­i­ly. Remem­ber, ISO 13849–1 is intend­ed for rel­a­tive­ly sim­ple sys­tems.

When we get into the analy­sis in a lat­er arti­cle, we will be cal­cu­lat­ing or esti­mat­ing the Mean Time to Dan­ger­ous Fail­ure, MTTFD, of each chan­nel, and then of the entire sys­tem. MTTFD is expressed in years, unlike PFHd, which is expressed in frac­tion­al hours (1/h). I have yet to hear why this is the case as it seems rather con­fus­ing. How­ev­er, that is cur­rent prac­tice.

Architectural Categories

Once the required PL is known, the next step is the selec­tion of the archi­tec­tur­al cat­e­go­ry. The basic archi­tec­tur­al cat­e­gories were intro­duced ini­tial­ly in EN 954–1:1996 [12].  The Cat­e­gories were car­ried for­ward unchanged into the first edi­tion of ISO 13849–1 in 1999. The Cat­e­gories were main­tained and expand­ed to include addi­tion­al require­ments in the sec­ond and third edi­tions in 2005 and 2015.

Since I have explored the details of the archi­tec­tures in a pre­vi­ous series, I am not going to repeat that here. Instead, I will refer you to that series. The archi­tec­tur­al Cat­e­gories come in five flavours:

Archi­tec­ture Basics
Cat­e­go­ry Struc­ture Basic Require­ments Safe­ty Princ­ple
For full require­ments, see [1, Cl. 6]
B Sin­gle chan­nel Basic cir­cuit con­di­tions are met (i.e., com­po­nents are rat­ed for the cir­cuit volt­age and cur­rent, etc.) Use of com­po­nents that are designed and built to the rel­e­vant com­po­nent stan­dards. [1, 6.2.3] Com­po­nent selec­tion
1 Sin­gle chan­nel Cat­e­go­ry B plus the use of “well-tried com­po­nents” and “well-tried safe­ty prin­ci­ples” [1, 6.2.4] Com­po­nent selec­tion
2 Sin­gle chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and peri­od­ic test­ing [1, 4.5.4] of the safe­ty func­tion by the machine con­trol sys­tem. [1, 6.2.5] Sys­tem Struc­ture
3 Dual chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and no sin­gle fault shall lead to the loss of the safe­ty func­tion.

Where prac­ti­ca­ble, sin­gle faults shall be detect­ed. [1, 6.2.6]

Sys­tem Struc­ture
4 Dual chan­nel Cat­e­go­ry B plus the use of “well-tried safe­ty prin­ci­ples” and no sin­gle fault shall lead to the loss of the safe­ty func­tion.

Sin­gle faults are detect­ed at or before the next demand on the safe­ty sys­tem, but where this is not pos­si­ble an accu­mu­la­tion of unde­tect­ed faults will not lead to the loss of the safe­ty func­tion. [1, 6.2.7]

Sys­tem Struc­ture

[1, Table 10] pro­vides a more detailed sum­ma­ry of the require­ments than the sum­ma­ry table above pro­vides.

Since the Cat­e­gories can­not all achieve the same reli­a­bil­i­ty, the PL and the Cat­e­gories are linked as shown in [1, Fig. 5]. This dia­gram sum­maris­es te rela­tion­ship of the three cen­tral para­me­ters in ISO 13849–1 in one illus­tra­tion.

Figure relating Architectural Category, DC avg, MTTFD and PL.
Rela­tion­ship between cat­e­gories, DCavg, MTTFD of each chan­nel and PL

Start­ing with the PLr from the Safe­ty Require­ment Spec­i­fi­ca­tion for the first safe­ty func­tion, you can use Fig. 5 to help you select the Cat­e­go­ry and oth­er para­me­ters nec­es­sary for the design. For exam­ple, sup­pose that the risk assess­ment indi­cates that an emer­gency stop sys­tem is need­ed. ISO 13850 requires that emer­gency stop func­tions pro­vide a min­i­mum of PLc, so using this as the basis you can look at the ver­ti­cal axis in the dia­gram to find PLc, and then read across the fig­ure. You will see that PLc can be achieved using Cat­e­go­ry 1, 2, or 3 archi­tec­ture, each with cor­re­spond­ing dif­fer­ences in MTTFD and DCavg. For exam­ple:

  • Cat. 1, MTTFD = high and DCavg = none, or
  • Cat. 2, MTTFD = Medi­um to High and DCavg = Low to Medi­um, or
  • Cat. 3, MTTFD = Low to High and DCavg = Low to Medi­um.

As you can see, the MTTFD in the chan­nels decreas­es as the diag­nos­tic cov­er­age increas­es. The design com­pen­sates for low­er reli­a­bil­i­ty in the com­po­nents by increas­ing the diag­nos­tic cov­er­age and adding redun­dan­cy. Using [1, Fig. 5] you can pin down any of the para­me­ters and then select the oth­ers as appro­pri­ate.

One addi­tion­al point regard­ing Cat­e­go­ry 3 and 4: The dif­fer­ence between these Cat­e­gories is increased Diag­nos­tic Cov­er­age. While Cat­e­go­ry 3 is Sin­gle Fault Tol­er­ant, Cat­e­go­ry 4 has addi­tion­al diag­nos­tic capa­bil­i­ties so that addi­tion­al faults can­not lead to the loss of the safe­ty func­tion. This is not the same as being mul­ti­ple fault tol­er­ant, as the sys­tem is still designed to oper­ate in the pres­ence of only a sin­gle fault, it is sim­ply enhanced diag­nos­tic capa­bil­i­ty.

It is worth not­ing that ISO 13849 only recog­nis­es struc­tures with sin­gle or dual chan­nel con­fig­u­ra­tions. If you need to devel­op a sys­tem with more than sin­gle redun­dan­cy (i.e., more than two chan­nels), you can analyse each pair of chan­nels as a dual chan­nel archi­tec­ture, or you can move to using IEC 62061 or IEC 61508, either of which per­mits any lev­el of redun­dan­cy.

The next step in this process is the eval­u­a­tion of the com­po­nent and chan­nel MTTFD, and then the deter­mi­na­tion of the com­plete sys­tem MTTFD. Part 4 of this series pub­lish­es on 13-Feb-17.

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assess­ment: Basics and Bench­marks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simp­son, Safe­ty crit­i­cal sys­tems hand­book. Ams­ter­dam: Else­vier/But­ter­worth-Heine­mann, 2011.

[0.2]  Elec­tro­mag­net­ic Com­pat­i­bil­i­ty for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: The Insti­tu­tion of Engi­neer­ing and Tech­nol­o­gy, 2008.

[0.3]  Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 2013.


Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Includ­ed in the last post of the series is the com­plete ref­er­ence list.

[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1. 2015.

[7]     Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. IEC Stan­dard 61508. 2nd Edi­tion. Sev­en Parts. 2010.

[9]      Safe­ty of machin­ery — Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC Stan­dard 62061. 2005.

[10]    Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. IEC Tech­ni­cal Report 62061–1. 2010.

[11]    D. S. G. Nix, Y. Chin­ni­ah, F. Dosio, M. Fessler, F. Eng, and F. Schr­ev­er, “Link­ing Risk and Reliability—Mapping the out­put of risk assess­ment tools to func­tion­al safe­ty require­ments for safe­ty relat­ed con­trol sys­tems,” 2015.

[12]    Safe­ty of machin­ery. Safe­ty relat­ed parts of con­trol sys­tems. Gen­er­al prin­ci­ples for design. CEN Stan­dard EN 954–1. 1996.

Digiprove sealCopy­right secured by Digiprove © 2017
Acknowl­edge­ments: IEC and ISO as cit­ed.
Some Rights Reserved