
Group safety standards / ISO13849-1 | Canada

ISO13849-1 is one of the most important safety group standards (Type-B standards), which are international standards for safety, and provides requirements for safety-related parts of control systems. This standard specifies the probability of dangerous failure per hour (performance level) of a system, which is required when the control system is used as a risk reduction measure.


This standard applies not only to electric/electronic systems but also to hydraulic (oil)/pneumatic systems. It is therefore widely used by, for example, machinery manufacturers, machine users, and service providers, as well as organizations concerned with health and safety, and is regarded as an important standard for the design and assessment of safety-related parts of control systems.
 




Procedures for enhancing machine safety start with performing a risk assessment in accordance with ISO12100, the result of which is then used to go through a risk reduction process called the 3-step method, which consists of “Inherently safe design measures,” “Safeguarding and complementary protective measures,” and provision of “Information for use.” If a control system is used for risk reduction in this process, this standard is applied to the design and validation of the safety-related parts of the control system (see Figure 1).
Because ISO13849-1 covers only the safety-related parts of control systems, other protective measures, including the design and installation of guards, must be designed on the basis of other standards. It should be noted that not all aspects of risk reduction can be covered by this standard alone.

The control systems of machines can be divided into “safety-related parts” and “non-safety-related parts.” 
 
● “The safety-related part of a control system” is defined as “a part of a control system that responds to safety-related input signals and generates safety-related output signals.” For example, in the case of the industrial robot system shown in Figures 2 and 3, the safety-related parts of the control system are as follows:
・The safety-related input signal part that transmits that people are outside the guard and that the door is closed and locked by the interlock switch
・The safety-related input signal part that transmits that the emergency stop switch is not pushed (there is no problem)
・The safety-related logic part that confirms the above-mentioned input signals and the safe state in the safety relay module (safety controller) and determines that the robot can be allowed to start
・The safety-related output signal part that, in response to the determination by the safety-related logic part, starts/stops the robot by turning the safety contactor on/off
 
● “Non-safety-related parts” are parts that control, for example, the motion speed and the positioning of a robot arm, and can be operated only when the safety-related parts have confirmed that the robot can be started without a problem.
The standard (ISO13849-1) specifies matters related to “safety-related parts” of control systems (see Figure 3).

Safety-related parts of a control system are also described as SRP/CS. SRP/CS, an abbreviation for a “safety-related part of a control system,” is used to refer to not only the safety-related parts of a control system as a whole but also the input, logic, or output individually (See Figure 4).
The performance level is defined as “a discrete level used to specify the ability of safety-related parts of control systems (SRP/CS) to perform a safety function (*) under foreseeable conditions” and categorized according to “the average probability of dangerous failure per unit time” expressed as PFHD.

As Table 1 shows, it is categorized into five levels from PL = a to PL = e, with PL = e indicating the lowest probability of failure. For example, PL = a means that the average probability of a dangerous failure per hour of machine operation is 1 in 100,000 or greater and less than 1 in 10,000. PL is an indicator of a safety function that achieves risk reduction in the machine by means of the control system.

* Safety function: A function of the machine, a failure of which can result in an immediate increase of the risk(s) (ISO13849-1)

1. What is the performance level (PL)?

Table 1. Performance level (PL) and average probability of dangerous failure per unit time, PFHD (1/h)
Performance level (PL) | Average probability of dangerous failure per unit time, PFHD (1/h)
a | ≥ 10^-5 and < 10^-4
b | ≥ 3 × 10^-6 and < 10^-5
c | ≥ 10^-6 and < 3 × 10^-6
d | ≥ 10^-7 and < 10^-6
e | ≥ 10^-8 and < 10^-7

The performance level (PL) is built on the circuit structure of the SRP/CS, given by the category (Cat), but it also considers other factors that express the reliability of the devices used: MTTFD (mean time to dangerous failure); DC (diagnostic coverage), the fraction of dangerous failures in the system that the SRP/CS detects; and CCF (common cause failure), multiple independent failures resulting from one cause. PL is thus determined by these four factors, as Figure 5 shows.
When making a machine safe, risk assessment and risk reduction are pursued in accordance with ISO12100.
When a control system is used in the risk reduction process, its validity is evaluated by applying ISO13849-1 and following the procedure in Figure 6.
The next section discusses the procedure in detail.

 
Figure 7 shows the method for determining the performance level (PL) where risk reduction is pursued using a control system.

5.1. Determination of required performance level (PLr)

Estimate PLr * by using the risk graph method shown in Figure 8.

Required performance level (PLr)
“Performance level applied in order to achieve the required risk reduction for each safety function”


ISO13849-1 deals only with the general principles of SRP/CS design and is thus based on the assumption that protective measures other than control systems, including guards, are properly implemented in accordance with ISO12100. On this basis, the starting point of risk estimation is a case where a dangerous failure occurs in the control system to be built. For example, consider a case where opening the door of a guard does not stop the hazard inside. In this case,

・For S, if an operator or any other person suffers injury because of the dangerous failure, choose either “S1 ( Slight injury)” or “S2 (Serious injury).”
・For F, choose between “Rare” and “Frequent” regarding the frequency of harm suffered in S. 
・For P, choose between “Possible” or “Impossible” regarding the possibility of avoiding the hazard.

As a result, one level selected from a to e represents the required performance level (PLr). As Figure 6 shows, PLr = a means that the control circuit to be built only needs to provide a low level of risk reduction. Meanwhile, when PLr = e is selected, the control circuit to be built needs to provide a higher level of risk reduction. Note that the PLr determined in this way is compared with the PL that is actually calculated, in order to determine whether the SRP/CS is appropriate for the risk of the hazards it needs to address.
 

5.2. Determination of the category

The category is defined as “classification of the safety-related parts of a control system in respect of their resistance to faults (fault resistance) and their subsequent behavior in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability.” That is, the category states the safety-function requirements used in determining the circuit structure of a safety-related part of a control system.
The category is specified as the “designated architecture” and as discussed later, classified into five types: Categories B, 1, 2, 3, and 4.
 

Figure 9 shows the relationship between the PL achieved and Category, DCavg, and MTTFD.
Figure 9 is used to select the category with which to build a control system whose PL is equivalent to or higher than the required PLr.

For example, when a system with PL = c is designed as Figure 10 shows, one of the Categories 1–3 can be selected for the structure (architecture).

5.2.1. Requirements for each category

1) Categories B and 1
The designated architecture for Categories B and 1 is shown in Figure 11. Both categories have the same architecture figure. In both of them, there is no fault diagnosis function, and signals pass one way from I (input) to O (output). Note that the MTTFD of Category 1 needs to be longer than that of Category B. This means Category 1 has the lower probability of dangerous failure and of losing a safety function. Since Categories B and 1 do not have a fault diagnosis function, DCavg (diagnostic coverage) and CCF (common cause failure) do not need to be considered to calculate PL.

2) Category 2
The designated architecture for Category 2 is shown in Figure 12.
This architecture has a fault diagnosis function as an additional feature. It is expressed as TE (Test Equipment). The output of this test equipment is expressed as OTE (Output of TE). TE diagnoses I, L, and O, and any fault is output to OTE. In some cases, TE is contained in L.
Since Category 2 has a fault diagnosis function, DCavg (diagnostic coverage) and CCF (common cause failure) need to be considered.
 

3) Category 3
The designated architecture for Category 3 is shown in Figure 13.
This architecture has redundant signal paths, with the input signals mutually monitored for discrepancies (faults) through the cross-monitoring of L1 and L2 (logic). O1 and O2 (output) are monitored by L1 and L2 (logic), which perform a back-check by comparing output signals with output conditions, and are self-diagnosed.
 

4) Category 4
The designated architecture for Category 4 is shown in Figure 14.
The structure for this architecture is the same as that for Category 3, but the performance of a self-diagnosis function for C (cross-monitoring) and m (monitoring) is higher in Category 4. To highlight this, solid lines are used instead of dotted lines.
 

5.3. Calculation of MTTFD

MTTFD, which stands for mean time to dangerous failure, represents the expected mean time for a safety-related part of the relevant device or control system to fail dangerously, and is expressed in years. This parameter is required from the standpoint of system reliability.

In order to determine PL, MTTFD for the entire system is calculated. First, MTTFD for each related component is determined, then MTTFD for each channel is determined, and from these MTTFD for the entire system is calculated (in the case of systems with multiple channels). The MTTFD value for each channel is classified into three ranges, each with its own upper and lower limits, as shown in Table 3.

If the calculation result of MTTFD for the channel is less than three years, it does not meet the requirement for the range of MTTFD. It is allowed for the MTTFD value for each component to exceed 100 years. Meanwhile, the MTTFD value for each channel is subject to an upper limit of 100 years even if the calculation result exceeds 100 years. Nevertheless, a Category 4 structure is allowed to have a maximum MTTFD of 2500 years for each channel due to its circuit structure (redundancy) and a high DC value.
 

5.3.1. MTTFD for each device

The MTTFD value for each component is determined according to the following order of priority: the first priority is given to the MTTFD value provided by the manufacturer, the second priority to the value provided in Annex C or D of this standard, and the third priority to MTTFD = 10 years if no value is provided in Annex C.

 

5.3.1.1. Calculate MTTFD from B10D of the component

Not all components of safety-related parts have an MTTFD value. For components such as those with a mechanical contact (e.g., a contactor or interlock switch), the life of which depends on the frequency (number of times) of operation, the value of B10D (Note 1) is provided in place of MTTFD. The MTTFD value for the component is calculated from this B10D by taking into account a parameter called nop (Note 2) (see Equations (1) and (2)).


 
Note 1 B10D: The number of cycles (number of times of operation) until 10% of the components fail dangerously
Note 2 nop: The mean number of annual operation cycles (number of times of operation), the calculation of which requires the following information:
hop: the mean operation time, in hours per day
dop: the mean operation time, in days per year
tcycle: the mean time between the beginning of two successive cycles of the component, in seconds per cycle

Those who design safety-related parts of control systems estimate the frequency (number of times) of operation of the system and its components, and on that basis calculate nop and combine it with B10D to determine MTTFD. As in the case of MTTFD, priority is given to the B10D value provided by the manufacturer, if one is provided.
 

5.3.2. Method for calculating MTTFD for the entire channel: parts count method

After the MTTFD value for each device is determined, it is used to calculate MTTFD for each channel (see Equation (3)).
For example, if MTTFD1 = 30 years, MTTFD2 = 30 years, and MTTFD3 = 30 years, then 1/MTTFD = 1/30 + 1/30 + 1/30, indicating that MTTFD for this channel is 10 years.
 

5.3.3. Method for determining MTTFD in cases where different channels have different MTTFD

For a 2-channel structure like Category 3 or 4, the MTTFD as a whole is calculated using either one of the following methods:
● To assume a worst-case scenario, the MTTFD value of the channel with the lower value is used for the whole
● Equation (4) is used to calculate the value for the whole.
When Equation (4) is used, if MTTFD1 = 3 years and MTTFD2 = 100 years, then MTTFD as a whole is 66 years.
This is the same as assuming that both channels each have MTTFD = 66 years.

5.4. Calculation of DC (diagnostic coverage) and DCavg


To estimate the performance level, the calculation of DCavg (average diagnostic coverage) for the entire system is required. For the calculation, DC (diagnostic coverage) for each component needs to be determined. DC (diagnostic coverage) is the proportion of dangerous failures that can be detected, expressed as a percentage. Specifically, it is the ratio of the rate of detected dangerous failures (λDD) to the rate of all dangerous failures (λtotal) (see Equation (5)).

DC (diagnostic coverage) does not consider the safe failures of the components or the system. It only considers dangerous failures. DC is divided into four categories (see Table 4).

Logical devices (e.g., safety controllers) and electrical/electronic devices, such as safety light curtains, have an embedded self-diagnosis function, but mechanical components, including interlock switches and emergency stop switches, generally do not have a self-diagnosis function. However, making the connection with the logic device redundant and monitoring discrepancies in signals at, for example, the logic part (e.g., a safety controller) will achieve a high DC for the safety-related parts of the control system as a whole.
In selecting DC for each component, a value is taken from ISO13849-1 Annex E that matches the diagnostic technique described there for the input device, logic device, or output device concerned.
After DC for the component is determined, the value is used to calculate DCavg for the entire system (see Equation (6)).


Note that for components without detected failures (parts that are not diagnosed), DC = 0.

5.5. Estimate of CCF (common cause failure)

CCF (common cause failure) is defined as “failures of different items, resulting from a single event, where these failures are not consequences of each other.” That is, it does not mean that one failure triggers the next in a chain; a single cause leads to multiple independent failures.
For example, it refers to failures of (multiple) mutually independent parts of circuits resulting from overvoltage or abnormal ambient temperature. CCF is an indicator of what measures have been taken in the system against events that may cause such failures.

Requirements for CCF are considered to be met if certain measures are taken, which is demonstrated by earning at least 65 of 100 points by answering yes or no to multiple questions provided in ISO13849-1 Annex F, Table F.1 (see Table 5).
Note that for each item of measures for CCF shown in Table 5, a partial response will not receive a partial credit but receive 0 (zero) for the applicable item.
Generally, these questions are answered by a person who designs safety-related parts of control systems.

5.6. Evaluation of Performance level (PL) 

The PLr required for the safety-related part of a control system is compared with the PL of the system, which is calculated from ISO13849-1 Annex K, Table K.1 on the basis of the category, MTTFD, DCavg, and CCF assessed for the circuit actually designed, in order to confirm that the PL is equivalent to or higher than the PLr. If PLr ≤ PL is confirmed (i.e., if the average probability of dangerous failure is equivalent or smaller), the goal of risk reduction is considered to have been achieved.
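The steps of 5.3 to 5.6 carried through in code, as an added example that is not part of the original article. It uses the component values the page gives for the emergency stop example (B10D, nop inputs, the relay module's 243 years and 99% DC); the channel composition, the simplified PL lookup table and the letter-order comparison with PLr are assumptions of this example, and the PL table should be checked against the edition of the standard you design to.

```python
"""ISO 13849-1 simplified procedure (5.3 to 5.6), worked on the page's e-stop figures.

Added example, not code from the original article. Equation numbers follow the
page's own numbering; the PL lookup table is transcribed from the standard's
simplified procedure and should be checked against the edition you design to.
"""
from typing import Dict, Optional, Sequence

# Equation (2): mean number of operations per year
def nop(dop_days: float, hop_hours: float, tcycle_s: float) -> float:
    return dop_days * hop_hours * 3600.0 / tcycle_s

# Equation (1): MTTFD in years of a wear-out component from its B10D value
def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    return b10d / (0.1 * n_op)

# Equation (3), parts count: 1/MTTFD = sum(1/MTTFD_i) over the channel's parts
def mttfd_channel(mttfd_parts: Sequence[float]) -> float:
    return 1.0 / sum(1.0 / m for m in mttfd_parts)

# Per-channel ceiling from 5.3: 100 years, or 2500 years for a Category 4 structure
def cap_channel(mttfd: float, category: str) -> float:
    return min(mttfd, 2500.0 if category == "4" else 100.0)

# Equation (4): symmetrised MTTFD of two channels with different values
def mttfd_two_channel(m1: float, m2: float) -> float:
    return (2.0 / 3.0) * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))

# Equation (6): DCavg weighted by each part's dangerous-failure rate (1/MTTFD)
def dc_avg(parts: Sequence[Dict[str, float]]) -> float:
    den = sum(1.0 / p["mttfd"] for p in parts)
    num = sum(p["dc"] / p["mttfd"] for p in parts)
    return round(num / den, 6)  # rounding keeps 99 % from becoming 98.999999...

# Table 3 ranges for a channel; below 3 years the channel is not acceptable
def mttfd_level(m: float) -> str:
    if m < 3.0:
        raise ValueError("channel MTTFD below 3 years does not meet the standard")
    return "low" if m < 10.0 else "medium" if m < 30.0 else "high"

# Table 4 ranges for DC, in percent
def dc_level(dc: float) -> str:
    if dc < 60.0:
        return "none"
    return "low" if dc < 90.0 else "medium" if dc < 99.0 else "high"

# Simplified PL lookup: (Category, DCavg level) -> MTTFD level -> PL; None = not covered
SIMPLIFIED_PL = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

def performance_level(category: str, dcavg: float, mttfd_sys: float) -> Optional[str]:
    row = SIMPLIFIED_PL.get((category, dc_level(dcavg)))
    return None if row is None else row[mttfd_level(mttfd_sys)]

def evaluate_estop_circuit(plr: str = "e") -> Dict[str, object]:
    """E-stop + safety relay module + two contactors, Category 4, values from the page.

    Channel composition is an assumption: each channel holds one e-stop NC contact,
    the safety relay module and one contactor (K3 or K4). CCF (at least 65 points)
    is taken as met and is not computed here.
    """
    n = nop(365, 24, 86_400)                       # once per day -> 365 operations/year
    estop = {"mttfd": mttfd_from_b10d(100_000, n), "dc": 99.0}     # Annex C B10D
    relay = {"mttfd": 243.0, "dc": 99.0}                            # manufacturer value
    contactor = {"mttfd": mttfd_from_b10d(2_000_000, n), "dc": 99.0}
    ch1 = [estop, relay, contactor]
    ch2 = [estop, relay, contactor]
    m1 = cap_channel(mttfd_channel([p["mttfd"] for p in ch1]), "4")
    m2 = cap_channel(mttfd_channel([p["mttfd"] for p in ch2]), "4")
    m_sys = mttfd_two_channel(m1, m2)              # equal channels -> value unchanged
    dcavg = dc_avg(ch1 + ch2)
    pl = performance_level("4", dcavg, m_sys)
    return {"nop": n, "channel_mttfd": m_sys, "dcavg": dcavg, "pl": pl,
            "meets_plr": pl is not None and pl >= plr}   # letters order a < ... < e

if __name__ == "__main__":
    print(evaluate_estop_circuit())
```

The relay module dominates the channel value (1/243 is far larger than 1/2740 or 1/54795), so the channel MTTFD comes out near 222 years; the 66-year result of 5.3.3 is reproduced by `mttfd_two_channel(3, 100)`.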

In the case of an emergency stop switch + a safety relay module + a safety contactor

Examples of products used as safety-related parts of a control system are shown in Figure 15, and the circuit diagram in Figure 16.

1. Order of actions and safety principles

1) Press the emergency stop switch
The output of the safety relay module turns OFF, releasing the excitation of the contactors (K3, K4), turning the main contacts (NO contacts) of the contactors OFF, and stopping the motor (hazard).

2) The emergency stop switch remains in its pressed position (latching function)
The main contacts of the contactors keep the OFF status, thus preventing an unexpected start-up of the motor.

3) Reset the emergency stop switch
The action of reset itself will not start the motor.

4)  Press the start switch
The motor starts.

 

2. Safety principles and conditions

(1) Use an emergency stop switch that conforms to IEC60947-5-5 and IEC60947-5-1 (Annex K)
(2) Use a safety relay module that conforms to PL = e and Category 4 provided in ISO13849-1. 
(3) Use contactors that conform to IEC60947-1 (with mirror contacts) and arrange two contactors individually.
(4) Connect the mirror contacts (NC contacts) of the contactors to the back check circuits of the safety relay module.

 

3. Operating conditions of the system

(1) Operating hours/days and frequency
・Average operation days per year: 365 days.
・Average operation hours per day: 24 hours.
・Average operation frequency of emergency stop: once/day (t = 86,400 s/cycle).

(2) B10D, DC, etc. for the components
・Emergency stop switch
B10D (respective NC contacts): 100,000 cycles (as per Annex C, Table C.1)
DC: 99% (as per Annex E, Table E.1)
・Contactor
B10D: 2,000,000 cycles (as per Annex C, Table C.1)
DC: 99% (as per Annex E, Table E.1)
・Safety relay module
MTTFD: 243 years (the value provided by the manufacturer)
DC: 99% (the value provided by the manufacturer)


 

4. Block diagram

A block diagram is used to express, for example, logical connections between various sections in SRP/CS (this is based on the idea of a reliability block diagram). The block diagram can be expressed as Figure 17.
As the figure shows, this diagram is the same as the Category 4 architecture (Figure 18).
Note that in this circuit, the maximum number of operation times of the emergency stop switch is limited, and the exclusion of faults in mechanical aspects provided in ISO13849-2: 2012, Table D.8 is applied.

 

5. Calculation results, PL, and the probability of dangerous failure per unit time

In Table 6, MTTFD, DC, and other parameters for the emergency stop switch, the safety relay module, and the safety contactors are shown on the left side, while MTTFD, category, DCavg, and other parameters for the system are on the right side.

 
In ISO13849-1, the calculation of MTTFD is performed for each channel of the system, followed by the calculations of DCavg and the other parameters. ISO/TR23849, meanwhile, adopts a method in which the entire system is divided into subsystems, PL (and PFHD) are calculated for each subsystem, and the respective values are added up to determine PL and PFHD as a whole. Described below are examples of calculations on the basis of ISO/TR23849.
 
 

In the case of limit switch × 2 units (NC contact + NO contact) + a safety relay module + safety contactors (2 units)

Please see Figure 19 for the circuit diagram.


 

1. Order of actions and safety principles

1) Open the movable guard.
The output of the safety relay module turns to OFF, releasing the excitation of contactors (K3, K4), turning the main contacts (NO contacts) of the contactors OFF, and stopping the motor (hazard). 
2) Keep the movable guard open.
The main contacts of the contactors keep the OFF status, thus preventing an unexpected start-up of the motor.
3) Close the movable guard.
Just closing the movable guard will not start the motor.
4) Press the start switch
The motor starts.
 

2. Safety principles and conditions

(1) Position switch S1 is a limit switch with direct-opening NC contacts, and meets the requirements provided in IEC60947-5-1 Annex K.
(2) For position switch S2, use a limit switch with NO contacts.
(3) Use a safety relay module that conforms to PL = e and Category 4 provided in ISO13849-1.
(4) For K3 and K4, use products that conform to IEC60947-1 (with mirror contacts), and arrange two units individually.
(5) Connect the mirror contacts (NC contacts) of the contactors to the back check circuits of the safety relay module.
 

3. Operating conditions of the system

(1) Operating hours/days and frequency
・Average operation days per year: 365 days.
・Average operation hours per day: 24 hours.
・Frequency of opening and closing the movable guard: once every 15 minutes (t = 900 s/cycle)
(2) B10D, DC, etc. for the components
・S1 limit switch B10D: 1,000,000 cycles (value from manufacturer), DC: 99% (Annex E, Table E.1)
・S2 limit switch B10D: 500,000 cycles (value from manufacturer), DC: 99% (Annex E, Table E.1)
・K3 contactor B10D: 2,000,000 cycles (value from manufacturer), DC: 99% (Annex E, Table E.1)
・K4 contactor B10D: 2,000,000 cycles (value from manufacturer), DC: 99% (Annex E, Table E.1)
 

4. Block diagram

As Figure 20 shows, the block diagram is expressed by dividing the system into the subsystems: the input, logic, and output.
Because ISO/TR23849 allows subsystems with the same structure to be integrated, the number of subsystems can be reduced to two, as shown in Figure 21. Subsystem 1 is divided into Channels 1 and 2 to calculate their respective parameters such as MTTFD and DCavg, its PL (PFHD) is determined from Annex K, and this is then added to the PL (PFHD) given for K1.

 

5. Calculation results, PL, and the probability of dangerous failure per unit time

In Table 7, MTTFD, DC, and other parameters for the limit switch, the safety relay module, and the safety contactors are shown on the left side, while PFHD for each subsystem as well as PFHD and PL as a whole are put on the right side by referring to Annex K.

(Reference) 

1. PL  evaluation method in a case where a combination of SRP/CS achieves an overall PL

When multiple safety-related parts of control systems (SRP/CS), each having its own PL, are connected in series as shown in Figure 22, the methods below are used to determine the overall PL.

Method 1) 

The overall PFHD for a system in which individual SRP/CSn are connected in series, as shown in Figure 23, can be obtained by adding up the respective PFHDn.


Method 2) 
In cases where PFHDn for SRP/CSn is unknown, there is a simplified method that uses Table 8 to determine the overall PL.
The following steps need to be followed:

1) Identify SRP/CS that has the lowest PL in the entire system, and express it as “PLlow”
2) Identify the number (N) of PLlow, and express the number as “Nlow”
3) Determine the overall PL according to Table 8.
For example, PL for the system shown in Figure 24 is determined as follows:


In this example, PLlow is the SRP/CS part with PL = c. The number of PLlow parts is two (Nlow = 2).
From Table 8, the overall PL is determined to be PL = c.
This system has parts of Category 1 or 2, and therefore may lose its safety function if a single failure occurs.
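Both combination methods above, as an added example that is not from the original article. Table 1's PFHD bands are the page's; the PLlow/Nlow thresholds encode the standard's combination table (Table 8 on the page) as I know it and should be checked against your edition; the four-part chain and its PFHD values are constructed for the example.

```python
"""Combining SRP/CS connected in series (Methods 1 and 2 of the Reference section).

Added example, not from the original article. Table 1's PFHD bands come from the
page; the PLlow / Nlow thresholds are transcribed from the standard's combination
table (Table 8 on the page) and should be checked against your edition.
"""
from collections import Counter
from typing import Optional, Sequence, Tuple

# Table 1: PL letter -> [lower, upper) bound of PFHD in 1/h
PL_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
            ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]

def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Map a PFHD value onto a PL; None when it lies outside Table 1's bands."""
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None

# Method 1: the PFHD of a series chain is the sum of the members' PFHD values
def combine_by_pfhd(pfhds: Sequence[float]) -> Tuple[float, Optional[str]]:
    total = sum(pfhds)
    return total, pl_from_pfhd(total)

# Method 2 (simplified): PLlow -> (largest Nlow that keeps PLlow, PL when Nlow exceeds it)
SERIES_RULE = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}

def combine_simplified(pls: Sequence[str]) -> Optional[str]:
    """Steps 1 to 3 of Method 2: find PLlow, count it (Nlow), look up the overall PL."""
    pl_low = min(pls)                       # letters compare a < b < c < d < e
    n_low = Counter(pls)[pl_low]
    max_n, degraded = SERIES_RULE[pl_low]
    return pl_low if n_low <= max_n else degraded

# Constructed chain: input (PL c), logic (PL e), output (PL d), brake (PL c)
EXAMPLE_PLS = ["c", "e", "d", "c"]
# Constructed PFHD values (1/h) that sit inside the bands of those four PLs
EXAMPLE_PFHDS = [1.5e-6, 3e-8, 2e-7, 1.2e-6]

if __name__ == "__main__":
    print(combine_simplified(EXAMPLE_PLS))     # PLlow = c, Nlow = 2 -> c
    print(combine_by_pfhd(EXAMPLE_PFHDS))      # 2.93e-6 -> c
```

Method 2 only counts letters, so two PL c parts whose PFHD values both sit near the top of the c band (2.5e-6 each) sum to 5e-6, which Method 1 correctly places in PL b; when the PFHD values are known, Method 1 is the one to use.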


 

2. Exclusion of faults and failures

1. Faults and failures

In this standard, the terms fault and failure are defined as below:
● Fault
It refers to a “state” of a device or system characterized by the inability to perform a required function.
It chiefly means a random hardware fault in this standard.

● Failure
It refers to the termination of the ability of a device or system to perform a required function. After a failure, the device or system is in a state of a fault.
SRP/CS that meet certain PL requirements are required to verify resistance to failures. In this verification, consideration needs to be given to the following points:

● Single fault
If a fault of a certain component (part) occurs, and as a consequence, another component fails, the first and all subsequent faults are regarded as a single fault.
● Assessment of CCF (common cause failure)
Two or more individual faults that have a common cause need to be regarded as a single fault.
Note that the concurrence of two or more faults resulting from different causes may be considered almost impossible and thus does not need to be considered.
 

2. Failure exclusion

Please see ISO13849-2 for information about failure exclusion.
For example, ISO13849-2, Table D.8 provides that if a contact has a direct opening mechanism (NC contact) in accordance with IEC60947-5-1 Annex K, as in position switches and emergency stop switches, the failure in which the contact is stuck closed due to welding can be excluded.
 

3. Performance level (PL) required  in Type-C standard

For machines that are covered by the scope of a Type-C standard, the provisions of the Type-C standard take precedence over the provisions of the other standards. If the standard specifies requirements for the PL or category of safety-related systems, that PL or category takes precedence.
Because some Type-C standards allow PLr to be determined according to the result of risk assessment, please refer to the relevant standard.
 

4. Relationship between PL and SIL

The categories in the 1999 edition of ISO 13849-1 and the Safety Integrity Level (SIL)* according to IEC 61508 could not be correlated with each other. However, in the latest ISO13849-1, which evaluates safety functions in terms of the average probability of dangerous failure using the performance level (PL), it has become possible to associate PL with the safety integrity level (SIL) (see Table 2).
Note that the classification level of PL = a does not exist in SIL. In addition, while SIL has the levels from 1 to 4, SIL4 is intended for major risks in fields such as chemical plants, nuclear power generation, and railroads and is thus interpreted as a level that falls outside the scope of application in the field of machine safety. As a result, it is SIL3 that corresponds to PL = e, which represents the lowest probability of dangerous failure. Please see Table 9 for the probability of failure in SIL.
Table 9. Comparison between the performance level and SIL
Performance level (PL) | Safety integrity level (SIL), high demand or continuous mode
a | (no corresponding SIL)
b | 1
c | 1
d | 2
e | 3
* Safety integrity level (SIL)  SIL is an indicator of safety levels that is specified in the functional safety standard (IEC61508), which is used to ensure the safety of not only industrial machinery but also chemical plants and railroad systems using a programmable controller or software. It is divided into the four levels from SIL1 to SIL4 and has the low-demand operation mode and the high-demand operation mode (continuous operation mode). Table 10 shows the category of SIL for the high-demand operation mode (continuous operation mode), which can be referred to in association with PL.
Table 10. SIL and limits of PFHD values
Safety integrity level (SIL) | High demand or continuous mode (average probability of dangerous failure per hour, PFHD)
1 | ≥ 10^-6 and < 10^-5
2 | ≥ 10^-7 and < 10^-6
3 | ≥ 10^-8 and < 10^-7
4 | ≥ 10^-9 and < 10^-8


5. From the category to the performance level (a comparison between the latest edition and the 1st edition)

1) Risk estimation and the categories specified in the 1st edition, ISO13849-1:1999 (EN954-1)
Figure 25 shows the process of risk estimation and category determination for safety-related parts that is specified in the 1st edition.
In risk estimation, the risk graph method is used, and a choice is made between two options for each of the items “Severity of harm (S),” “Frequency of exposure (F),” and “Possibility of avoiding harm (P),” giving a five-level classification.
However, in the case of S1 (Mild), Category 1 is selected regardless of the frequency of exposure and the possibility of avoiding harm.
For S2 (Severe), F2 (Frequent), and P2 (Low), Category 4 is selected. For most of the other cases, one of two categories is selected.
In addition, the old version provides performance requirements (resistance of safety functions to failures) for each category using explanatory sentences as shown in Table 11, and the categories from B to 4 themselves represent safety levels. Risk levels are B < 1 < 2 < 3, with 4 having the highest risk.
Categories B and 1 do not have a self-diagnosis function. Categories 3 and 4 are required to maintain safety functions if a single fault occurs.