Chapter 5 - Design and Evaluation of Safety Functions

Last edit: 11/08/2023

Chapter 5 presents in detail how to design and evaluate a safety function. The concepts of Subsystems and Architectural Constraints are put into practice.

More and more Safety Functions have software inside; therefore, it is important to understand the difference between Limited and Full Variability Languages and what the machine manufacturer has to do when using the former or the latter. Finally, we shed some light on how to treat low demand mode of operation in machinery.

Each safety function is performed by either an SCS (IEC 62061) or an SRP/CS (ISO 13849-1), and it consists of one or several subsystems. The concept of a Safety-related control System composed of a series of subsystems comes from IEC 62061 and, more generally, from Reliability theory. ISO 13849-1 comes instead from the concept of categories applied to the entire Safety-related control System. However, the new edition of the ISO standard fully adopts the concept of subsystems and clarifies that the categories are applicable to subsystems only.

On this aspect too, ISO 13849-1 aligns with IEC 62061. The IEC standard indicates the Reliability of a safety function with a SIL level, with no mention of architectures; the ISO standard now does the same. Therefore, with the new edition of ISO 13849-1, when specifying the Reliability level required by a safety function, the correct statement is, for example, PL d and not PL d, Category 3. The category is only applicable to subsystems and it is a means to calculate the PFHD of the subsystem. I could have a Safety-related control System whereby the input subsystem is a Category 1 and the output subsystem a Category 4.


Here are some excerpts from the chapter.

5.2 Well-Tried Components
The concept is defined in both ISO 13849-1 and IEC 62061. These types of components are compulsory for Category 1 (ISO 13849-1) and for both Basic Subsystem Architectures A and B (IEC 62061).
In all other Categories and Architectures, non-well-tried components can be used as well, provided they have Reliability data. Well-tried components are needed in those two cases since the Safety-related Control System has a single channel and no Diagnostics. Here is the definition.

[ISO 13849-1] 3.1 Terms and definitions
3.1.50 Well-Tried Component. Component successfully used in safety-related applications.


5.6.1 Limited and Full Variability Language
Nowadays, more and more Safety functions make use of Programmable Logic Controllers. In other terms, the “Logic” in an I–L–O architecture is implemented within a Safety PLC or a Safety Programmable Module.
A Safety PLC needs to be programmed by the user with the specific Safety Function logic. In other terms, the machinery manufacturer writes the Application Software. ISO 13849-1 calls it Safety-related application software (SRASW):

[IEC 61508-4] 3.2 Equipment and devices
3.2.7 Application Software (application data or configuration data). Part of the software of a programmable electronic system that specifies the functions that perform a task related to the EUC rather than the functioning of, and services provided by the programmable device itself.

That is different from the System Software, which is written by the PLC manufacturer. ISO 13849-1 calls it Safety-related embedded software (SRESW):

[IEC 61508-4] 3.2 Equipment and devices
3.2.6 System Software. Part of the software of a PE system that relates to the functioning of, and services provided by, the programmable device itself, as opposed to the application software that specifies the functions that perform a task related to the safety of the EUC.


5.7.2 Subsystems in Both High and Low Demand Mode
Electromechanical components are provided with a B10D value that allows the calculation of an MTTFD or λD, based upon the number of operations. B10D values are obtained by placing a certain number of components under test and switching them on and off several times per hour; please refer to Chapter 1 for more details. That means B10D values should only be used when the component is part of a high demand mode subsystem. Moreover, additional considerations apply when the number of operations is less than once per month.
In high demand mode, the more a component is used, the less reliable the subsystem will be, since the high demand mode standards take into consideration the component Fatigue: the more it is used, the higher the Fatigue.
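As an added illustration (not the book's own code), the B10D-to-MTTFD conversion described above, using the ISO 13849-1 Annex C relations nop = dop · hop · 3600 / tcycle and MTTFD = B10D / (0.1 · nop). The component and usage figures are constructed sample values, and the "less than once per month" flag is this example's own check for the caveat in the text.

```python
"""B10D -> MTTFD / lambda_D for an electromechanical component in a high
demand mode subsystem (ISO 13849-1 Annex C relations). Added example."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
# Page caveat: fewer than one operation per month (12 per year) needs extra consideration.
OPS_PER_YEAR_LOW_DEMAND = 12


@dataclass
class B10dResult:
    nop: float                 # mean number of operations per year
    mttfd_years: float         # MTTFD in years
    lambda_d_per_hour: float   # dangerous failure rate, per hour
    low_demand_warning: bool   # True when nop < 12/year (B10D method questionable)


def operations_per_year(dop: float, hop: float, tcycle_s: float) -> float:
    """nop = dop * hop * 3600 / tcycle  (dop: days/year, hop: hours/day, tcycle: s)."""
    if dop <= 0 or hop <= 0 or tcycle_s <= 0:
        raise ValueError("dop, hop and tcycle must be positive")
    return dop * hop * 3600.0 / tcycle_s


def mttfd_from_b10d(b10d: float, nop: float) -> B10dResult:
    """MTTFD = B10D / (0.1 * nop); lambda_D = 1 / MTTFD, converted to per hour."""
    if b10d <= 0 or nop <= 0:
        raise ValueError("B10D and nop must be positive")
    mttfd_years = b10d / (0.1 * nop)          # only 10 % of B10D life is credited
    lambda_d = 1.0 / (mttfd_years * HOURS_PER_YEAR)
    return B10dResult(nop, mttfd_years, lambda_d, nop < OPS_PER_YEAR_LOW_DEMAND)


if __name__ == "__main__":
    # Constructed sample: contactor with B10D = 2,000,000 cycles,
    # 220 days/year, 16 h/day, one cycle per minute.
    nop = operations_per_year(dop=220, hop=16, tcycle_s=60)   # 211,200 ops/year
    busy = mttfd_from_b10d(2_000_000, nop)
    print(f"high demand: nop={busy.nop:.0f}/yr MTTFD={busy.mttfd_years:.1f} y "
          f"lambda_D={busy.lambda_d_per_hour:.3e}/h warn={busy.low_demand_warning}")
    # Same component operated 6 times a year: the formula still yields a number,
    # but the page's caveat applies, so the result is flagged.
    rare = mttfd_from_b10d(2_000_000, 6)
    print(f"rare use:    nop={rare.nop:.0f}/yr MTTFD={rare.mttfd_years:.1f} y "
          f"warn={rare.low_demand_warning}")
```

Raising nop (more cycles per day or a shorter tcycle) lowers MTTFD, which is the "more use, less reliable" effect described above.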