P8: Functional Safety in High Demand: Category B, 1 and 2 of ISO 13849-1

Last edit: 23/10/2024

Introduction

ISO 13849-1 is one of the two standards used in machinery and, at least in Europe, it is the more widely used of the two, the other being IEC 62061. The ISO standard has been divided into two parts:

  • ISO 13849-1: Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • ISO 13849-2: Safety of machinery — Safety-related parts of control systems — Part 2: Validation

The first edition of ISO 13849-1 was published in 1999 and it was identical to EN 954-1:1996. ISO 13849-1 was simply the corresponding ISO number for EN 954-1; therefore, the real first edition (officially the second one) was published in 2006.

The stakeholders who edited EN 954-1 saw the need to include programmable electronics in machinery safety systems. Electronics were actually already covered by EN 954-1, but without any detailed software requirements. The standard needed to adopt a so-called probabilistic approach, the same one used by the IEC 61508 series. Therefore, the revision leading to the 2nd edition of ISO 13849-1 combined the deterministic aspects of EN 954-1 with the probabilistic approach of IEC 61508 and included software requirements for the first time.

A few mathematicians from IFA designed the Markov models for the 2006 edition of the standard.

The third edition was issued in 2015, while the latest one, the fourth, was published in 2022. This new edition is based upon the same principles as the previous one. Two key changes are worth mentioning:

  1. The validation process, detailed in ISO 13849-2, is now included in the first part. The main reason is that people were not focused enough on the validation process. Manufacturers normally run the number crunching and fail to check whether, once the machine is installed and commissioned, the safety system works as expected: validation is key to confirming and guaranteeing the level of safety required.
  2. It is now clear that the Category is a characteristic of the Safety Subsystem and not of the whole safety function. The input subsystem can be Category 1 (single channel), while the output subsystem, of the same safety function, can be Category 3 (double channel). The confusion was due to the EN 954-1 heritage. The fact that a Safety Function can be made of different subsystem categories means its reliability level is represented by its Performance level only. In EN 954-1 the reliability was represented by a category level only. When we moved to ISO 13849-1, type C standards kept giving both the PL and the Category requirements for Safety Functions. From this fourth edition, it is clear that only the PL represents the reliability level of a Safety Function: the category is only a way to reach it. The same is valid for IEC 62061, whereby a Safety Function is characterised by a SIL level only and not by which architectures are used for the various subsystems.

Subsystems designed according to ISO 13849-1 should be in accordance with the requirements of one of five categories, which are fundamental to achieving a specific Performance Level. The categories describe the required behaviour of subsystems with respect to their resistance to faults, based upon design considerations such as MTTFD and DCavg.

Category B is the basic Category, where the occurrence of a fault can lead to the loss of the safety function. In Category 1 an improved resistance to faults is achieved by using high-quality components.

With Categories 2, 3 and 4, higher reliability of the subsystem is achieved by improving fault tolerance (Categories 3 and 4 only) and diagnostic measures. In Category 2, since there is no redundancy, this is achieved by periodically checking that the safety function is performed without faults (Diagnostic Coverage). In Categories 3 and 4, the Diagnostic Coverage works together with redundant channels, so that a single fault will not lead to the loss of the safety function.

In Category 4, and whenever reasonably practicable in Category 3, such single faults should also be detected.

The 5 Categories are represented in ISO 13849-1 by specific safety-related block diagrams, each one meeting the requirements of its Category. The Markov modelling carried out by IFA engineers only considered those 5 architectures; it is possible to deviate from them, but that implies going through new modelling.

For each subsystem, the maximum value of MTTFD for each channel is limited to 100 years. For Category 4 subsystems, the maximum value of MTTFD for each channel is limited to 2 500 years.