ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions (called safety-related parts of a control system).[1] The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.

The standard has two parts:

  • ISO 13849-1, Part 1: General principles for design, provides safety requirements and guidance on the principles of design and integration of safety-related parts of control systems (hardware or software).
  • ISO 13849-2, Part 2: Validation, specifies the procedures to be followed for validating by analysis or tests, the safety functions of the system, the category achieved and the performance level achieved.[2]

ISO 13849 is designed for use in machinery with high to continuous demand rates. According to IEC 61508, a HIGH demand rate is once or more per year of operation, and a CONTINUOUS demand rate is far more frequent than that. For systems with a LOW demand rate, i.e., less than once per year, see IEC 61508 or the appropriate sector-specific standard such as IEC 61511.

The standard is developed and maintained by ISO/TC 199, Safety of machinery, Working Group 8 — Safe Control Systems.[3] The scope of ISO 13849 includes control systems using mechanical, electrical, electronic, and fluidic (hydraulic and pneumatic) technologies.

According to an informal stakeholder survey done in 2013, more than 89% of machine builders and more than 90% of component manufacturers and service providers use ISO 13849 as the primary functional safety standard for their products.[4]

History

EN 954-1

ISO 13849-1 has its origins in the mid 1990s when the European Committee for Standardization (CEN) published EN 954-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design[5] in 1996. In 1999, EN 954-1 was transferred to ISO for ongoing development under the Vienna Agreement.

EN 954-1 introduced the original five structural Categories: B, 1, 2, 3 and 4.

prEN 954-2

prEN 954-2:1999, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, is the precursor document that eventually became ISO 13849-2 in 2003. This document was never published as a finished standard. The "pr" in "prEN" indicates that the document was a European pre-standard.

ISO 13849-1, 1st Edition

In 1999, ISO published the first edition of ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. The first edition was technically identical to EN 954-1. Within a year after publication, ISO/TC 199 launched a New Work Item Proposal for the revision of the standard. The goal was to add probabilistic requirements to the existing standard.

ISO 13849-2, 1st Edition

In 2003, ISO 13849-2, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, was published. This standard included all of the details related to validating the functional safety of a design. In addition, Annexes A–D included key information on basic and well-tried safety principles, well-tried components, and common faults for mechanical, hydraulic, pneumatic, and electrical components.

ISO 13849-1, 2nd Edition

The second edition of ISO 13849-1 was published in 2006. That edition introduced MTTFd, DCavg, and CCF for the first time. The revisions incorporated the recommendations developed through the EU STSARCES project.[6][7]

ISO 13849-2, 2nd Edition

In 2012, ISO 13849-2, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, was published. This edition was reaffirmed in 2017 and remains current.

ISO 13849-1, 3rd Edition

The third edition of ISO 13849-1 was published in 2015. The revision included additional technical explanations and clarification of the analytical methods. This edition was reaffirmed in 2020, while a new revision was started.

ISO 13849-1, 4th Edition

The fourth edition of ISO 13849-1 was published in 2023. The revision focuses on integrating the content of ISO 13849-2 into Part 1; some specific annexes of ISO 13849-2 are still used.

Risk Assessment

Risk assessment techniques

Following ISO 13849-1, the design of the safety system is based on a risk assessment performed by the manufacturer of the machine.[8] The risk assessment identifies the safety functions required to mitigate risk and the performance level these functions need to meet to adequately mitigate the identified risks, either completely, or in combination with other safeguards, e.g., fixed or movable guards or other measures.

The Annex A decision tree, Figure A.1, is provided as an example of how the PLr can be determined. The Annex A method is not a risk assessment tool since the output from the tool is in terms of Performance Level, not risk. Figure A.1 cannot be used for risk assessment. Examples of a risk matrix and a risk decision tree are given in ISO/TR 14121-2.[9] Risk assessment is typically done in at least two cycles, the first to determine the intrinsic risk, and the second to determine the risk reduction achieved by the control measures implemented in the design.

Assignment of safety functions

A safety function is a control system function whose failure will result in an immediate increase in risk.[8] ISO 13849-1 includes descriptions of a number of common safety functions, including:

  • safety-related stop
  • start/restart
  • manual reset
  • local control
  • muting
  • response time
  • safety-related parameter(s)
  • fluctuation, loss and restoration of power sources

Each safety function identified in the risk assessment is assigned a required Performance Level (PLr) based on the intrinsic risk determined through the risk assessment. The intrinsic risk is the risk posed by the machine if no risk control measures were present, or if the risk control measures fail or are defeated by the user.

Performance levels

A Performance Level is a band of failure rates, represented as a, b, c, d, e. These failure rates are quantified as the Probability of Dangerous Failure per hour, PFHd. The numeric values for PFHd are given in Annex K. The PL range for each band has a 5% tolerance. The PFHd values covered by ISO 13849-1 range from the highest failure rate in PL a, < 1 × 10⁻⁴, to the lowest failure rate in PL e, ≥ 1 × 10⁻⁸.

The Performance Level of a safety function is determined by the architectural characteristics of the controller (classified according to designated architectural categories, Category B, 1, 2, 3, 4), the MTTFD of the components in the functional channel(s) of the system, the average diagnostic coverage (DCavg) implemented in the system, and the application of measures against Common Cause Failures (CCF). Category B, 1 and 2 architectures are single channel, and therefore offer no fault tolerance.

Designated architectures

The designated architectures include three single-channel and two redundant structures. The structures are the basis for the calculations used to determine the PFHd values given in Annex K.

Block diagrams

Each designated architecture has an associated block diagram. When analyzing SRP/CS designs, a block diagram should be developed to assist the analyst in calculating the MTTFD of the functional channel(s).

Category B

Category B represents the basic category. This category is single-channel, and can include components with MTTFD = Low or Medium. Components must be suitable for use in the application, and specified appropriately for the conditions of use, i.e., voltage, current, frequency, switching frequency, ambient temperature, pollution class, shock, vibration, etc. Since Category B is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = b.

Category 1

Category 1 achieves increased reliability as compared to Category B through the use of MTTFD = High components. These components are deemed "well-tried components" and are listed in ISO 13849-2, Annexes A through D. Additionally, components that have been tested by the manufacturer and approved according to the relevant component safety standard, e.g., IEC 60947-5-5, are also considered well-tried. Since Category 1 is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = c.

Category 2

Category 2 is a single-channel architecture that achieves increased reliability by building on Category B, using components with MTTFD = Low to High, and adding diagnostic capability through the use of test equipment. The DCavg for Category 2 can be Low to Medium, i.e., 60% ≤ DC < 99%. The diagnostic frequency depends on the demand rate on the safety function, and on the PLr that must be achieved. A minimum CCF score of 65 is required, see Annex F.

The maximum PL = d.

Category 3

Category 3 is the first architecture with a redundant structure. Building on Category B, and using components with MTTFD = Low to High, this architecture introduces cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 3 requires DCavg Low to Medium, i.e., 60% ≤ DC < 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 3, no single component failure is permitted to cause the loss of the safety function.

The maximum PL = e.

Category 4

Category 4 is also a redundant architecture that builds upon Category B. Using components limited to MTTFD = High, this architecture includes cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 4 requires DCavg HIGH, i.e., ≥ 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 4, no single component failure is permitted to cause the loss of the safety function.

The PL = e.

The primary differences between Category 3 and Category 4 are that Category 4 requires:

  • MTTFD = High components in the functional channels
  • DCavg ≥ 99%
  • Accumulation of faults between diagnostic cycles cannot cause the loss of the safety function
  • All of the faults that occur between diagnostic cycles must be detected when the diagnostics run
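The PFHd bands from the Performance levels section and the category constraints described above (allowed MTTFd bands, DCavg bands, CCF score and maximum PL per Category) can be combined into a single estimation routine. The following is added illustrative code, not text from the standard or the IFA SISTEMA tool; it assumes the band thresholds of ISO 13849-1 Tables 3, 4 and 5 and the simplified Category/MTTFd/DCavg grid of Figure 5, and names such as `estimate_pl` are the example's own.

```python
# Added illustrative code (not the standard's text or the IFA SISTEMA tool):
# PFHd -> PL bands follow ISO 13849-1 Table 3; MTTFd bands (3/10/30 years)
# and DCavg bands (60/90/99 %) follow Tables 4 and 5; the category grid
# follows the simplified procedure of Figure 5 (MTTFd capped at 100 years).

PFHD_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
              ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]  # PL, [lower, upper)
# (Category, DCavg band) -> PL by MTTFd band; missing keys are disallowed.
PL_GRID = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "b"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "e"},
    ("4", "high"):   {"high": "e"},
}

def pl_from_pfhd(pfhd):
    """PL band for a PFHd (per hour); None outside 1e-8 <= PFHd < 1e-4."""
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None

def mttfd_band(years):
    """'low'/'medium'/'high' per channel; None below 3 years (not acceptable)."""
    years = min(years, 100.0)
    if years < 3:
        return None
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc_percent):
    """'none' (<60 %), 'low', 'medium' or 'high' (>= 99 %)."""
    if dc_percent < 60:
        return "none"
    return "low" if dc_percent < 90 else "medium" if dc_percent < 99 else "high"

def estimate_pl(category, mttfd_years, dc_percent, ccf_score=0):
    """Achievable PL as (pl, reason); pl is None when a constraint fails.
    Categories 2-4 need a CCF score of at least 65 (Annex F)."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None, "CCF score below 65"
    m = mttfd_band(mttfd_years)
    if m is None:
        return None, "MTTFd below 3 years"
    pl = PL_GRID.get((category, dc_band(dc_percent)), {}).get(m)
    if pl is None:
        return None, "MTTFd/DCavg combination not allowed for this category"
    return pl, "ok"
```

A design that reaches PL d on paper but fails the CCF or DCavg check is reported with the failing constraint, which is the case a reviewer most often needs to catch.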

Validation

Safety-related parts of control systems (SRP/CS) require validation. ISO 13849-2 includes all of the details required for the validation using analytical techniques (including FMEA, FMECA, FMEDA, IFA SISTEMA or any of the other analytical tools available), functional testing, and documentation in a validation record.

Acronyms

Acronym | Expansion | Notes
PL | Performance Level | Predicted bands of failure rates for SRP/CS
PLr | required Performance Level | Performance Level required, based on the risk assessment, to provide the necessary risk reduction
MTTFD or MTTFd | Mean Time to Dangerous Failure | Given in years
PFHd | Probability of dangerous Failure per Hour | The fractional probability per hour of operation
DCavg | average Diagnostic Coverage | Given as a percentage
CCF | Common Cause Failure | Failures in more than one component with a common cause
SRP/CS | Safety-Related Parts of Control System(s) | The parts of a machine control system that provide a safety function

References

  1. "ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design". International Organization for Standardization (ISO). Retrieved 6 April 2022.
  2. "ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation". International Organization for Standardization (ISO). Retrieved 6 April 2022.
  3. "ISO/TC 199 Safety of machinery". International Organization for Standardization (ISO). 22 January 2019. Retrieved 8 April 2022.
  4. Outcome of the "Questionnaire" doc. N 964, Report from ISO/TC 199/JWG 1/Sub Group 2, ISO/TC 199 N1035, 1 March 2013.
  5. "EN 954-1:1996, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design". European Committee for Standardization (CEN), www.cencenelec.eu. Retrieved 7 April 2022.
  6. "Standards for safety related complex electronic systems". European Commission, cordis.europa.eu. Retrieved 11 April 2022.
  7. "STSARCES project - final report - part 1". industry-finder.com. 27 May 2014. Retrieved 11 April 2022.
  8. "ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction". International Organization for Standardization (ISO). 22 January 2019. Retrieved 6 April 2022.
  9. "ISO/TR 14121-2:2012, Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods". International Organization for Standardization (ISO). Retrieved 6 April 2022.