Last edit: 11/08/2023
The numerical quantification of the probability of failure of a subsystem can never be attained exactly; only an approximation, with the aid of statistical methods or other estimations, is possible.
Any validated and recognized method can be used for this purpose. Such methods include reliability block diagrams (used in IEC 62061), fault tree analysis, Markov modelling (used in ISO 13849-1) or Petri nets.
However, in general, engineers lacking prior experience in quantification of the probability of failure of safety related control systems require some degree of support. This need was addressed in ISO 13849-1 by developing a simplified approach, also called the simplified method, which, whilst being based upon sound scientific principles (Markov modelling), describes a simple method for quantification in successive steps.
The starting point of the simplified method is the observation that the majority of safety related control systems can be grouped into a very small number of basic types, or into combinations of these basic types.
These types are, at one end of the spectrum, the single-channel untested system having components with different reliability levels; in the middle of the spectrum, the same type, but enhanced by testing; and at the other end, the two-channel system featuring high quality testing. Systems with more than two channels are rare in machinery. Based upon that reasoning, five different categories are defined in ISO 13849-1.
Subsystems designed according to ISO 13849-1 should therefore be in accordance with the requirements of one of those five categories, which are fundamental to achieving a specific Performance Level. The categories describe the required behaviour of subsystems in respect of their resistance to faults, based upon the design considerations previously indicated (MTTFD, DCavg, etc.).
Category B is the basic Category where the occurrence of a fault can lead to the loss of the safety function. In Category 1 an improved resistance to faults is achieved by using high quality components.
With Categories 2, 3 and 4, higher reliability of the subsystem is achieved by improving fault tolerance (Categories 3 and 4 only) and diagnostic measures. In Category 2, since there is no redundancy, higher reliability is achieved by periodically checking that the safety function is performed without faults (Diagnostic Coverage). In Categories 3 and 4, the Diagnostic Coverage works together with redundant channels, so that a single fault will not lead to the loss of the safety function.
Each category is therefore important to achieve a specific PL for a subsystem. However, the standard clarifies that they show a logical representation of the subsystem structure, which may differ from its physical one.
[ISO 13849-1] 6.1.3.2 Designated Architectures – Specification of Categories
6.1.3.2.1 General. […] The designated Architectures show a logical representation of the structure of the subsystems for each Category.
NOTE 1: For Categories 3 and 4, not all parts are necessarily physically redundant but there are redundant means of assuring that a single fault cannot lead to the loss of the sub-function. Therefore, the technical realization (for example, the circuit diagram) can differ from the logical representation of the architecture.
Another way to state the same concept is that each one of the 5 Categories of ISO 13849-1 describes the required behaviour of the subsystem with respect to its resistance to faults.