Last edit: 07/08/2023
It is one of the two standards used in machinery and, at least in Europe, it is the most used of the two, the other being IEC 62061. It is divided in two parts:
- ISO 13849-1: Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
- ISO 13849-2: Safety of machinery — Safety-related parts of control systems — Part 2: Validation
The first edition of ISO 13849-1 was published in 1999 and it was identical to EN 954-1:1996. ISO 13849-1 was just the corresponding ISO number for EN 954-1; therefore, the real first edition (officially it was the second one) was in 2006.
The stakeholders who edited the EN 954-1, saw the need to include Programmable Electronics in machinery safety systems. Actually, Electronics were already included in EN 954-1, but without any detailed software requirements. The standard needed to go through a so-called probabilistic approach, the same used by IEC 61508 series. Therefore, the revision leading to the 2nd edition of ISO 13849-1, combined the deterministic aspects of EN 954-1 with the probabilistic approach of IEC 61508 and included software requirements for the first time. A few Mathematicians from IFA [15] designed the Markov models for the 2006 edition of the standard.
The third edition was issued in 2015, while the latest one, the fourth, was published in 2022. This new edition is based upon the same principles as the previous one. Hereafter we mention two key changes:
- The Validation process, detailed in ISO 13849-2 is now included in the first part. The main reason is because people were not focused enough on the validation process. Manufacturers normally run the number crunching and fail to check if, once the machine is installed and commissioned, the safety system works as expected: validation is key to confirm and guarantee the level of safety required.
- It is now clear that the Category is a characteristics of the Safety Subsystem and not of the whole safety function. The input subsystem can be Category 1 (single channel), while the output subsystem, of the same safety function, can be Category 3 (double channel). The confusion was due to the EN 954-1 heritage. The fact that a Safety Function can be made of different subsystem categories means its reliability level is represented by its Performance level only. In EN 954-1 the reliability was represented by a category level only. When we moved to ISO 13849-1, type C standards kept giving both the PL and the Category requirements for Safety Functions. From this fourth edition, it is clear that only the PL represents the reliability level of a Safety Function: the category is only a way to reach it. The same is valid for IEC 62061, whereby a Safety Function is characterised by a SIL level only and not by which architectures are used for the various subsystems.