The steps to be followed

The performance level shall be determined for each subsystem and/or each combination of subsystems that provide a safety function. The PL of the subsystem shall be determined by going through the following aspects:

1. the architecture
   • Decompose the Safety Related Parts of the control system into subsystems (5.1.3)
   • Assign a category to each subsystem;
   • Evaluate if the applicable qualitative requirements of the category are met (table 6.1), including:
2. basic safety principles
3. well-tried safety principles
4. well-tried components
   1. Evaluate if the required behaviour under fault conditions is met;
5. The MTTF_D value for single components (Annex C and D of ISO 13849-1);
6. The Diagnostic Coverage, limited in any case by the selected Category (Annex E of ISO 13849-1);
7. The CCF has to reach at least 65 points (Annex F of ISO 13849-1);
8. The effect of the safety-related software design on the operation of the hardware (Annex J of ISO 13849-1);
9. The effect of measures against systematic failures (Annex G of ISO 13849-1)

Depending upon the Subsystem Category, only some of the qualitative requirements are applicable. Table 2 shows when the different methodologies used to avoid Systematic Failures and Common Cause Failures shall be used, depending upon the category employed.

When a safety function is designed using one or more subsystems, each subsystem can be designed either using PLs according to ISO 13849-1, or using SILs according to IEC 62061 and or IEC 61508. Subsystems designed according to IEC 61508 series may be used but shall be restricted to those designed for high demand or continuous mode that use Route 1H.

Subsystems designed according to ISO 13849-1 should be in accordance with the requirements of one of categories five categories that are fundamental to achieve a specific Performance Level. The categories describe the required behaviour of subsystems in respect of its resistance to faults, based upon the design  considerations previously indicated (MTTF_D, DC_avg etc..).

Category B is the basic Category where the occurrence of a fault can lead to the loss of the safety function. In Category 1 an improved resistance to faults is achieved by using high quality components.

With Categories 2, 3 and 4, higher Reliability of the subsystem is achieved by improving fault tolerance (Category 3 and 4 only) and diagnostic measures. In Category 2, since there is no redundancy, that is achieved by periodically checking that the safety function is performed without faults (Diagnostic Coverage). In Categories 3 and 4, the Diagnostic Coverage works together with Redundant channels, so that a single fault will not lead to the loss of the safety function.

In Category 4 and whenever reasonably practicable in Category 3, such faults should be detected.

The 5 Categories are represented by specific safety-related block diagrams, each one meeting the requirements of the Category. The Markov model used in ISO 13849-1 only considers those 5 Architectures; it is possible to deviate from them, but that implies to go through a new modelling.

For each subsystem, the maximum value of MTTF_D for each channel is limited to 100 years. For Category 4 subsystems, the maximum value of MTTF_D for each channel is limited to 2 500 years. That limitation is somehow equivalent to the Architectural Constraints in IEC 62061.