Last edit: 16/05/2024
The Categories are therefore important to achieve a specific PL for a subsystem. However, the standard clarifies that they show a logical representation of the subsystem structure, which may differ from its physical one.
[ISO 13849-1] 6.1.3.2 Designated Architectures – Specification of Categories
6.1.3.2.1 General. […] The designated Architectures show a logical representation of the structure of the subsystems for each Category.
NOTE 1: For Categories 3 and 4, not all parts are necessarily physically redundant but there are redundant means of assuring that a single fault cannot lead to the loss of the sub-function. Therefore, the technical realization (for example, the circuit diagram) can differ from the logical representation of the architecture.
Another way to state the same concept is that each of the five Categories of ISO 13849-1 describes the required behaviour of the subsystem with respect to its resistance to faults; it does not prescribe a particular circuit topology.
Let’s consider the guard locking mechanism of an interlocking device. The market offers interlocking devices that can reach PL e; they have redundant electrical channels, such as two Voltage Free Contacts (VFCs) or two Output Signal Switching Device (OSSD) outputs, but the guard locking mechanism itself is a single element. That is not an uncommon solution: in mechanical devices with a single-channel architecture, the detection of faults by the control system may not be possible in certain situations, or its cost would be unjustifiable. However, it is important that all probable faults are evaluated by the interlocking device manufacturer and that any dangerous failure mode is either eliminated or proven to be technically improbable. This can be achieved by over-dimensioning the critical parts of the device and subsequently testing them. If that is done, the single-channel locking mechanism can be used within a redundant architecture (in our example, an interlocking device with guard locking), because the subsystem as a whole still achieves the behaviour required by Category 4.
Just to state the concept in a different way: where mechanical faults are proved to be technically improbable, continued performance of the safety function in the presence of a single fault is assumed. Of course, such a fault exclusion can only be justified if the device is used within its manufacturer’s specification (for example, its rated holding force and environmental limits).
IEC 61508-2 also accepts the use of fault exclusion, with the same requirement that each exclusion be justified and documented.
[IEC 61508-2] 7.4.4.1 General requirements
7.4.4.1.1 With respect to the hardware fault tolerance requirements
[…]
- when determining the hardware fault tolerance achieved, certain faults may be excluded, provided that the likelihood of them occurring is very low in relation to the safety integrity requirements of the subsystem. Any such fault exclusions shall be justified and documented (see Note 2).