P7: Functional Safety in High demand - ISO 13849-1 categories

Last edit: 16/05/2024


ISO 13849-1 is intended to be used in the design and evaluation of safety-related parts of the control system (SRP/CS) and only the part of the control system that is safety-related falls under the scope of the standard. It applies to SRP/CS for high demand and continuous modes of operation, including their subsystems, regardless of the type of technology and energy used: electrical, hydraulic, pneumatic, or mechanical. ISO 13849-1 does not apply to low demand mode of operation. That does not mean that Low demand is not possible in Machinery; simply a different standard has to be used, like IEC 61511-1.

The ability of safety-related parts of control systems to perform safety functions under foreseeable conditions is indicated by one of five levels, called performance levels or PL. Annex A of ISO 13849-1 contains a method that can be used for the determination of the PLr of a safety function performed by the SRP/CS. Annex A of IEC 62061 could also be used as an alternative.

The required performance level corresponds to the required risk reduction to be provided by the safety function: the greater the contribution to the risk reduction, the higher the required safety performance. The performance levels of safety functions are defined in terms of Average probability of dangerous failure per hour. There are five performance levels, ranging from providing a low contribution to risk reduction for PL a, to a high contribution to the risk reduction for PL e. The defined ranges of probability of a dangerous failure per hour are shown in Table 1

In order to facilitate the design of an SRP/CS and the assessment of the achieved PL, ISO 13849-1 employs a methodology based on the categorization of architectures, with specific design criteria (MTTFD and DCavg,) and specified behaviour under faults conditions. These architectures are allocated one of five levels termed Categories B, 1, 2, 3 and 4.

The first edition of ISO 13849-1 was the evolution of EN 954-1 and it was still based upon the so called deterministic approach. Despite the approach from Reliability theory was introduced in ISO 13849-1 with the second edition, the so called probabilistic approach, the 5 categories defined by EN 954-1 were kept as basic elements of the standard.

One of the differences between EN 954-1 and ISO 13849-1 is that, in the former, the categories were associated to the entire SRP/CS, while in the latter they are used to represent subsystems. This association is clearly stated in the new 2023 edition. For that reason, it is not correct to require a safety System, for example,  to be Category 3, since a system can be designed with the following subsystems:

  • The input subsystem is a Category 3: for example an interlock with 2 Voltage Free Contacts,
  • The logic is a Safety PLC, usually a Category 4.
  • The output is a Category 1: for example a Single contactor.

In EN 954-1 the Category was the indication of the Reliability level of an SRP/CS. Type C Standards were requiring, for example, an SRP/CS Category 3 or Category 1: that was the common language used. In the new edition of ISO 13849-1, the concept is made clear: the Category is a way to achieve the Performance level of a subsystem. Therefore, it is improper to describe an SRP/CS in terms of a Category: a safety system has a PFH and a Performance Level (or a SIL, if IEC 62061 is used) but, necessarily, no Category (nor Architecture).