P8: Functional Safety in High Demand: Category B, 1 and 2 of ISO 13849-1

Last edit: 20/08/2025

The stakeholders who revised EN 954-1 saw the need to include programmable electronics in machinery safety systems. Electronics was already covered by EN 954-1, but without any detailed software requirements. The standard needed to adopt the so-called probabilistic approach used by the IEC 61508 series. Therefore, the revision leading to the 2nd edition of ISO 13849-1 combined the deterministic aspects of EN 954-1 with the probabilistic approach of IEC 61508 and included software requirements for the first time.

A few Mathematicians from IFA designed the Markov models for the 2006 edition of the standard.

The third edition was issued in 2015, while the latest one, the fourth, was published in 2022. This new edition is based upon the same principles as the previous one. Hereafter we mention two key changes:

  1. The Validation process, detailed in ISO 13849-2, is now included in the first part. The main reason is that people were not focused enough on the validation process. Manufacturers normally run the number crunching and fail to check whether, once the machine is installed and commissioned, the safety system works as expected: validation is key to confirm and guarantee the level of safety required.
  2. It is now clear that the Category is a characteristic of the Safety Subsystem and not of the whole safety function. The input subsystem can be Category 1 (single channel), while the output subsystem of the same safety function can be Category 3 (double channel). The confusion was due to the EN 954-1 heritage. The fact that a Safety Function can be made of subsystems of different categories means that its reliability level is represented by its Performance Level only. In EN 954-1 the reliability was represented by a category level only. When we moved to ISO 13849-1, type C standards kept giving both the PL and the Category requirements for Safety Functions. From this fourth edition, it is clear that only the PL represents the reliability level of a Safety Function: the category is only a way to reach it. The same is valid for IEC 62061, whereby a Safety Function is characterised by a SIL level only and not by which architectures are used for the various subsystems.

Subsystems designed according to ISO 13849-1 should be in accordance with the requirements of one of five categories, which are fundamental to achieving a specific Performance Level. The categories describe the required behaviour of subsystems in respect of their resistance to faults, based upon design considerations like MTTFD, DCavg, etc.

Category B is the basic Category, where the occurrence of a fault can lead to the loss of the safety function. In Category 1 an improved resistance to faults is achieved by using high quality components.

With Categories 2, 3 and 4, higher Reliability of the subsystem is achieved by improving fault tolerance (Category 3 and 4 only) and diagnostic measures. In Category 2, since there is no redundancy, that is achieved by periodically checking that the safety function is performed without faults (Diagnostic Coverage). In Categories 3 and 4, the Diagnostic Coverage works together with Redundant channels, so that a single fault will not lead to the loss of the safety function.

In Category 4 and whenever reasonably practicable in Category 3, such faults should be detected.

The 5 Categories are represented in ISO 13849-1 by specific safety-related block diagrams, each one meeting the requirements of its Category. The Markov modelling used by IFA engineers only considered those 5 architectures; it is possible to deviate from them, but that requires a new modelling.

For each subsystem, the maximum value of MTTFD for each channel is limited to 100 years. For Category 4 subsystems, the maximum value of MTTFD for each channel is limited to 2 500 years.

Category B

Category B subsystems must use the Basic Safety Principles, where applicable and as detailed in ISO 13849-2, and must be designed according to the relevant standards. This should ensure they can withstand the expected operational stresses and influences of the processed material, such as cleaning agents (e.g., through the use of stainless steel) or other relevant external influences, such as mechanical vibration.

The reliability block diagram for a Category B (and 1) is shown in Figure 1. It is represented as having an Input, a Logic, and an Output; however, each category applies to a subsystem: for example, an Input subsystem or an Output subsystem. Therefore, do not be confused by the figure: it shows a subsystem and not necessarily a safety-related control system.

Legend:

  • im represents the interconnecting means, typically electrical wires.
  • I represents the Input.
  • L represents the Safety Logic; it can also be a wire, a Safety Module (non-programmable) or a Programmable Logic.
  • O represents the Output; it can be a contactor or a solenoid valve.

With this category, no diagnostic coverage is needed and common cause failure (CCF) considerations are not relevant; the maximum achievable performance level (PL) is PL b.

Being a single channel, a single fault can lead to the loss of the safety sub-function.

Category 1

In Category 1, the same requirements apply as for Category B; in addition, well-tried safety principles should be followed, where applicable. Furthermore, Category 1 is the only category that requires the use of well-tried components. The block diagram is the same as for Category B. Diagnostic coverage is not provided; common cause failure (CCF) considerations are not relevant, and the maximum achievable performance level (PL) is PL c.

A failure can lead to the loss of the safety function; however, the MTTFD of a single channel in Category 1 is higher than in Category B; therefore, the loss of the safety function is considered less likely.

Example of a Category 1 Input Subsystem: Interlocking Device

Consider an electromechanical interlocking device connected to a safety logic. When the door is opened, the interlocking device’s output system (a voltage-free contact) opens and the safety logic input is de-energized. The circuit structure is shown in Figure 2, while Figure 3 represents the same input subsystem as a block diagram. The interlocking device has a B10D = 20 × 10⁶ and is assumed to open twice per hour.

According to the manufacturer’s datasheet, its useful life is 20 years and it should be protected by a gG fuse rated at a maximum of 4 A, installed on the 24 V DC line. This is important to avoid systematic failures: if the interlocking device’s output system is not adequately protected from short circuits, all reliability calculations are meaningless. This also applies to the manufacturer’s stated maximum ambient temperature of 80 °C, or the maximum impulse voltage Uimp of 2.5 kV that the component can withstand. These are just examples: in general, as a Category 1 subsystem, basic and well-tried safety principles must be applied.

Furthermore, being a Category 1 subsystem, the components used must be well-tried, and this is the case. The interlocking device is a “Positive-mode actuation switch” that complies with IEC 60947-5-1 and is therefore a well-tried component.

Let us now focus on the probability of random failures.

  • The first step is to calculate the MTTFD. Let’s assume that the machine works 240 days a year and 8 hours a day.

However, since we are in Category 1, the MTTFD of the subsystem must be limited to 100 years.

  • Furthermore, since it’s a Category 1, there’s no diagnostic test. This means we assume a DC < 60%.


  • The last step is to refer to Table K.1 of ISO 13849-1 where, for a Category 1 and an MTTFD = 100 years, the PFHD is 1.14 × 10⁻⁶. Finally, we verified that the T10D was greater than the useful life of the interlocking device: this means that the interlocking device can be used up to its useful life of 20 years.
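The steps above can be reproduced numerically. The following is an added example, not code from the article or from IFA; it applies the ISO 13849-1 Annex C formulas for the number of operations per year (nop = dop × hop × 3600 / tcycle), the channel MTTFD (B10D / (0.1 × nop)) and T10D (B10D / nop) to the interlocking device data given above. The function and parameter names are the author's own, the 100-year cap is the Category 1 limit stated on the page, and the only PFHD value embedded is the Table K.1 cell quoted on the page (Category 1, MTTFD = 100 years); other cells of Table K.1 are not reproduced.

```python
# Added example: reliability figures for the Category 1 interlocking-device
# input subsystem described in the article (ISO 13849-1 Annex C formulas).

MTTFD_CAP_YEARS = 100.0            # channel MTTFD limit for Category 1 (per the article)
PFHD_TABLE_K1_CAT1_100Y = 1.14e-6  # Table K.1 value quoted in the article; other cells omitted


def n_op(days_per_year: float, hours_per_day: float, cycle_time_s: float) -> float:
    """Mean number of operations per year: nop = dop * hop * 3600 / tcycle."""
    return days_per_year * hours_per_day * 3600.0 / cycle_time_s


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """Channel MTTFD in years for an electromechanical component: B10D / (0.1 * nop)."""
    return b10d / (0.1 * nop)


def t10d(b10d: float, nop: float) -> float:
    """Time (years) by which 10 % of a population has failed dangerously: B10D / nop."""
    return b10d / nop


def category1_assessment(b10d: float, days_per_year: float, hours_per_day: float,
                         cycle_time_s: float, useful_life_years: float) -> dict:
    """Run the Category 1 number crunching and return every intermediate value."""
    nop = n_op(days_per_year, hours_per_day, cycle_time_s)
    mttfd_raw = mttfd_from_b10d(b10d, nop)
    mttfd = min(mttfd_raw, MTTFD_CAP_YEARS)     # Category 1: capped at 100 years
    t10d_years = t10d(b10d, nop)
    # The component may be used up to its useful life only if T10D is not reached first.
    usable_life = min(t10d_years, useful_life_years)
    # Table K.1 lookup: only the cell quoted on the page is available here.
    pfhd = PFHD_TABLE_K1_CAT1_100Y if mttfd == MTTFD_CAP_YEARS else None
    return {
        "n_op": nop,
        "mttfd_raw_years": mttfd_raw,
        "mttfd_years": mttfd,
        "t10d_years": t10d_years,
        "usable_life_years": usable_life,
        "t10d_exceeds_useful_life": t10d_years > useful_life_years,
        "pfhd": pfhd,
    }


if __name__ == "__main__":
    # Data from the article: B10D = 20e6, opened twice per hour (cycle = 1800 s),
    # 240 days/year, 8 h/day, useful life 20 years.
    result = category1_assessment(20e6, 240, 8, 1800, 20)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the article's data the raw channel MTTFD comes out at roughly 52 000 years, which is why the 100-year cap applies; T10D is about 5 200 years, so the useful life of 20 years is the binding replacement limit.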

Category 2

In Category 2 both the Basic and Well-tried safety principles must be followed.

This is a single-channel architecture with monitoring of each subsystem performed, in its most general form, by an external unit called Test Equipment. If a fault is detected, the TE signals it to the “outside world” via an output: the OTE (Output Test Element).

Below is the block diagram:

Legend:

  • im represents the interconnecting means, typically electrical wires.
  • I represents the Input.
  • L represents the Safety Logic; it can also be a wire, a Safety Module (non-programmable) or a Programmable Logic.
  • O represents the Output; it could be a contactor or a solenoid valve, for example.
  • m represents the monitoring performed by the Test Element (TE).
  • OTE is the test equipment output.

Compared to Category 1, we can note the presence of a Test Channel, consisting of a Test Element (TE) and its output, the OTE, i.e. the Output Test Element.

Using a Category 2 architecture, all performance levels except PL e can be achieved.

Furthermore, for this category, Figure 4 shows a subsystem and not necessarily an entire safety-related control system. In Category 2, to achieve PL d, a certain level of Diagnostic Coverage (at least Low) must be present: the functional channel must be tested at suitable intervals by test equipment. The safety function must be checked before a hazardous situation begins, for example:

  • Before starting a new cycle and/or,
  • Before the start of other movements and/or,
  • Immediately upon request of the safety function and/or,
  • Periodically during operations, if the risk assessment and type of operation demonstrate that it is necessary.

Any safety function control either allows its operation, if no fault is detected, or generates an output (OTE), if a fault is detected.

It is important to emphasize that, in the case of PL d, the OTE must initiate a safe state, which is maintained until the fault is resolved. Conversely, in the case of PL c, a safe state is not required and it would be sufficient to provide a warning.

[ISO 13849-1] 6.1.3.2 Designated Architectures – Specification of Categories

6.1.3.2.4 Category 2.

[…] For PLr d the output (OTE) shall initiate a safe state that is maintained until the fault is cleared.

For PLr up to and including PLr c, whenever practicable the output (OTE) shall initiate a safe state that is maintained until the fault is cleared. When this is not practicable (e.g. welding of the contact in the final switching device) it may be sufficient for the output of the test equipment OTE to provide a warning.

The Diagnostic Coverage (DCavg) of the functional channel must be at least Low. The MTTFD of the functional channel can vary from low to high, depending on the required performance level (PLr).

In any case, common cause failure (CCF) prevention measures apply.
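The behaviour of the test channel described above (test before a hazardous situation, OTE latching a safe state for PLr d, warning permitted for PLr up to c when a safe state is not practicable) can be written down as a small state model. The following is an added example, not code from the article or from the standard; the class, method and state names are the author's own, and the `safe_state_practicable` flag is an assumed input standing for the "when this is not practicable" condition of 6.1.3.2.4.

```python
# Added example: a model of the Category 2 test channel (TE + OTE) behaviour
# described in the article. Not from the article or from ISO 13849-1.
from dataclasses import dataclass, field


@dataclass
class Category2Subsystem:
    plr: str                          # required PL of the subsystem: "b", "c" or "d"
    safe_state_latched: bool = False  # set by OTE, held until the fault is cleared
    warnings: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def test_before_demand(self, channel_ok: bool, safe_state_practicable: bool = True) -> str:
        """Test performed by the TE before a hazardous situation begins.

        Returns the action taken: "allow", "safe_state", "warning" or "blocked".
        """
        if self.safe_state_latched:
            # A previously detected fault has not been cleared: stay in the safe state.
            self.log.append("blocked")
            return "blocked"
        if channel_ok:
            # No fault detected: operation of the safety function is allowed.
            self.log.append("allow")
            return "allow"
        # Fault detected by the TE: the OTE reacts according to PLr.
        if self.plr == "d" or safe_state_practicable:
            # PLr d: OTE shall initiate a safe state, maintained until the fault is cleared.
            # PLr <= c: the same, whenever practicable.
            self.safe_state_latched = True
            self.log.append("safe_state")
            return "safe_state"
        # PLr <= c and a safe state is not practicable (e.g. welded contact): warning only.
        self.warnings.append("fault detected by TE")
        self.log.append("warning")
        return "warning"

    def clear_fault(self) -> None:
        """Maintenance clears the fault; only then may the safe state be released."""
        self.safe_state_latched = False
        self.log.append("fault_cleared")


def scenario_plr_d() -> list:
    """Constructed sequence: healthy, fault, repeated demand, repair, healthy."""
    s = Category2Subsystem(plr="d")
    s.test_before_demand(channel_ok=True)
    s.test_before_demand(channel_ok=False)
    s.test_before_demand(channel_ok=True)   # still blocked: fault not cleared
    s.clear_fault()
    s.test_before_demand(channel_ok=True)
    return s.log


def scenario_plr_c_not_practicable() -> list:
    """Constructed sequence for PLr c where a safe state cannot be initiated."""
    s = Category2Subsystem(plr="c")
    s.test_before_demand(channel_ok=False, safe_state_practicable=False)
    s.test_before_demand(channel_ok=True, safe_state_practicable=False)
    return s.log


if __name__ == "__main__":
    print("PLr d:", scenario_plr_d())
    print("PLr c (safe state not practicable):", scenario_plr_c_not_practicable())
```

The point the model makes explicit is the latch: for PLr d a later healthy test result does not release the subsystem; only clearing the fault does, as required by 6.1.3.2.4.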

Of the four categories, Category 2 is probably the most difficult to understand: let’s try to clarify its use and understand the reasons for its limitations. To do so, we need to examine Markov modeling. We’ll do so in the next article, the last of 2024.
