ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions (called safety-related parts of a control system).[1] The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.
The standard has two parts: ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, and ISO 13849-2, Part 2: Validation.
ISO 13849 is intended for machinery safety functions operating in high-demand or continuous mode. In IEC 61508 terms, a HIGH demand rate means the safety function is demanded more than once per year of operation, and CONTINUOUS mode means the function is in effect part of normal operation, so that a dangerous failure leads directly to a hazard. For systems with a LOW demand rate, i.e., no more than once per year, see IEC 61508 or the appropriate sector-specific standard, such as IEC 61511 for the process industries.
The standard is developed and maintained by ISO/TC 199, Safety of machinery, Working Group 8 — Safe Control Systems.[3] The scope of ISO 13849 includes control systems using mechanical, electrical, electronic, and fluidic (hydraulic and pneumatic) technologies.
According to an informal stakeholder survey done in 2013, more than 89% of machine builders and more than 90% of component manufacturers and service providers use ISO 13849 as the primary functional safety standard for their products.
ISO 13849-1 has its origins in the mid 1990s when the European Committee for Standardization (CEN) published EN 954-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design[4] in 1996. In 1999, EN 954-1 was transferred to ISO for ongoing development under the Vienna Agreement.
EN 954-1 introduced the original five structural Categories, B, 1-4.
prEN 954-2:1999, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, is the precursor document that eventually became ISO 13849-2 in 2003. This document was never published as a finished standard. The "pr" in "prEN" indicates that the document was a European pre-standard.
In 1999, ISO published the first edition of ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. The first edition was technically identical to EN 954-1. Within a year of publication, ISO/TC 199 launched a New Work Item Proposal for the revision of the standard. The goal was to add probabilistic requirements to the existing, purely structural approach.
In 2003, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation, was published. This standard included all of the details related to validating the functional safety of a design. In addition, Annexes A-D included key information on basic and well-tried safety principles, well-tried components, and common faults for mechanical, hydraulic, pneumatic, and electrical components.
The second edition of ISO 13849-1 was published in 2006. That edition introduced MTTFd, DCavg, and CCF for the first time. The revisions incorporated the recommendations developed through the EU STSARCES project.[5][6]
A revised edition of ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation, was published in 2012. This edition was reaffirmed in 2017 and remains current.
The third edition of ISO 13849-1 was published in 2015. The revision added technical explanations and clarified the analytical methods. This edition was reaffirmed in 2020, while a new revision was started.
The fourth edition of ISO 13849-1 was published in 2023. This revision integrates content from ISO 13849-2 into Part 1, although some specific annexes of ISO 13849-2 continue to be used.
Following ISO 13849-1, the design of the safety system is based on a risk assessment performed by the manufacturer of the machine.[7] The risk assessment identifies the safety functions required to mitigate risk and the performance level these functions need to meet to adequately mitigate the identified risks, either completely, or in combination with other safeguards, e.g., fixed or movable guards or other measures.
The Annex A decision tree, Figure A.1, is provided as an example of how the PLr can be determined. The Annex A method is not a risk assessment tool, and Figure A.1 cannot be used as one, since its output is a Performance Level, not a risk. Examples of a risk matrix and a risk decision tree are given in ISO/TR 14121-2.[8] Risk assessment is typically done in at least two cycles, the first to determine the intrinsic risk, and the second to determine the risk reduction achieved by the control measures implemented in the design.
A safety function is a control system function whose failure will result in an immediate increase in risk. ISO 13849-1 includes descriptions of a number of common safety functions, including:
Each safety function identified in the risk assessment is assigned a required Performance Level (PLr) based on the intrinsic risk determined through the risk assessment. The intrinsic risk is the risk posed by the machine if no risk control measures were present, or if the risk control measures fail or are defeated by the user.
A Performance Level is a band of dangerous failure rates, designated a, b, c, d or e. The failure rate is quantified as the average Probability of dangerous Failure per Hour, PFHd. The bands run from PL a (1 × 10−5 ≤ PFHd < 1 × 10−4), the highest failure rate the standard covers, to PL e (1 × 10−8 ≤ PFHd < 1 × 10−7), the lowest. Annex K tabulates the PFHd reached by each combination of Category, DCavg and MTTFD. The PL range for each band has a 5% tolerance.
The Performance Level of a safety function is determined by the architectural characteristics of the controller (classified according to designated architectural categories, Category B, 1, 2, 3, 4), the MTTFD of the components in the functional channel(s) of the system, the average diagnostic coverage (DCavg) implemented in the system, and the application of measures against Common Cause Failures (CCF). Category B, 1 and 2 architectures are single channel, and therefore offer no fault tolerance.
The designated architectures include three single-channel and two redundant structures. The structures are the basis for the calculations used to determine the PFHd values given in Annex K.
Each designated architecture has an associated block diagram. When analyzing SRP/CS designs, a block diagram should be developed to assist the analyst in calculating the MTTFD of the functional channel(s).
Category B represents the basic category. This category is single-channel, and can include components with MTTFD = Low or Medium. Components must be suitable for use in the application, and specified appropriately for the conditions of use, i.e., voltage, current, frequency, switching frequency, ambient temperature, pollution class, shock, vibration, etc. Since Category B is single channel, DCavg = NONE. CCF is not relevant in this category.
The maximum PL = b.
Category 1 achieves increased reliability as compared to Category B through the use of MTTFD = High components. These components are deemed "well-tried components" and are listed in ISO 13849-2, Annexes A through D. Additionally, components that have been tested by the manufacturer and approved according to the relevant component safety standard, e.g., IEC 60947-5-5, are also considered well-tried. Since Category 1 is single channel, DCavg = NONE. CCF is not relevant in this category.
The maximum PL = c.
Category 2 is a single-channel architecture that achieves increased reliability by building on Category B, using components with MTTFD = Low to High, and adding diagnostic capability through the use of test equipment. The DCavg for Category 2 can be Low to Medium, i.e., 60% ≤ DC < 99%. The diagnostic frequency depends on the demand rate on the safety function, and on the PLr that must be achieved. A minimum CCF score of 65 is required, see Annex F.
The maximum PL = d.
Category 3 is the first architecture with a redundant structure. Building on Category B, and using components with MTTFD = Low to High, this architecture introduces cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 3 requires DCavg Low to Medium, i.e., 60% ≤ DC < 99%. A minimum CCF score of 65 is required, see Annex F.
In Category 3, no single component failure is permitted to cause the loss of the safety function.
The maximum PL = e.
Category 4 is also a redundant architecture that builds upon Category B. Using components limited to MTTFD = High, this architecture includes cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 4 requires DCavg HIGH, i.e., ≥ 99%. A minimum CCF score of 65 is required, see Annex F.
In Category 4, no single component failure is permitted to cause the loss of the safety function.
The PL = e.
The primary differences between Category 3 and Category 4 are that Category 4 requires DCavg High (≥ 99%) rather than Low to Medium, MTTFD = High for each channel rather than Low to High, and that a single fault be detected at or before the next demand on the safety function, with an accumulation of undetected faults also not leading to the loss of the safety function.
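The following script is an added worked example, not text or code from the standard or from this article. It carries the quantities introduced above (PLr from the Annex A risk graph, MTTFD of a channel by the Annex C parts-count method, the Annex D formula for two channels with different MTTFD, DCavg from Annex E, and the simplified Category/DCavg/MTTFD to PL table) through a Category 3 guard-interlock design and checks the achieved PL against the PLr. The lookup tables and band limits are reproduced from my reading of ISO 13849-1:2015 and should be checked against the edition in use; every component figure (B10d values, MTTFD of the logic devices, DC values, operating profile, CCF score) is constructed for the illustration.

```python
"""Worked ISO 13849-1 simplified-procedure calculation (added illustration).
Lookup tables are reproduced from my reading of ISO 13849-1:2015 and should be
checked against the edition in use; all component figures are constructed."""

# Table 3: PL -> [lower, upper) band of PFHd in 1/h.
PL_BANDS = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
            "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

# Simplified procedure: (Category, DCavg band) -> {MTTFd band: PL}; None = not covered.
SIMPLIFIED = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "e"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

def required_pl(s, f, p):
    """Annex A risk graph: S 1 slight/2 serious, F 1 seldom/2 frequent,
    P 1 avoidance possible/2 scarcely possible -> PLr."""
    graph = {(1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
             (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e"}
    return graph[(s, f, p)]

def operations_per_year(d_op, h_op, t_cycle_s):
    """Annex C: n_op = d_op * h_op * 3600 / t_cycle (days/yr, hours/day, seconds)."""
    return d_op * h_op * 3600.0 / t_cycle_s

def mttfd_from_b10d(b10d, n_op):
    """Annex C: MTTFd [years] of an electromechanical part = B10d / (0.1 * n_op)."""
    return b10d / (0.1 * n_op)

def channel_mttfd(parts):
    """Annex C parts count: 1/MTTFd = sum(n_j / MTTFd_j); parts are
    (name, mttfd_years, dc, count) tuples."""
    return 1.0 / sum(n / m for _, m, _, n in parts)

def symmetrize(m1, m2):
    """Annex D: combined MTTFd for two channels with different values."""
    return 2.0 / 3.0 * (m1 + m2 - 1.0 / (1.0 / m1 + 1.0 / m2))

def dcavg(parts):
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over all parts."""
    return (sum(n * dc / m for _, m, dc, n in parts)
            / sum(n / m for _, m, _, n in parts))

def mttfd_band(m):
    """Low 3..10, Medium 10..30, High 30..100 years; below 3 is not acceptable.
    (ISO 13849-1:2015 allows up to 2500 years for Category 4; capped at 100 here.)"""
    m = min(m, 100.0)
    return None if m < 3 else "low" if m < 10 else "medium" if m < 30 else "high"

def dc_band(dc):
    """None < 60 %, Low 60..90 %, Medium 90..99 %, High >= 99 %."""
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def achieved_pl(category, mttfd_years, dc, ccf_score):
    """PL by the simplified procedure; a CCF score >= 65 (Annex F) is required for Cat 2-4."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    row, band = SIMPLIFIED.get((category, dc_band(dc))), mttfd_band(mttfd_years)
    return None if row is None or band is None else row[band]

def pl_from_pfhd(pfhd):
    """Table 3 lookup, e.g. for the summed PFHd of certified subsystems in series."""
    return next((pl for pl, (lo, hi) in PL_BANDS.items() if lo <= pfhd < hi), None)

def meets(pl, plr):
    """True when the achieved PL is at least the required PL."""
    return pl is not None and "abcde".index(pl) >= "abcde".index(plr)

def worked_example():
    """Guard interlock, Category 3 design with two dissimilar channels (constructed figures)."""
    plr = required_pl(s=2, f=2, p=1)                # serious, frequent, avoidable -> "d"
    n_op = operations_per_year(220, 16, 300)        # 220 days, 16 h/day, one cycle per 5 min
    switch = mttfd_from_b10d(2.0e6, n_op)           # assumed B10d, positive-opening position switch
    contactor = mttfd_from_b10d(1.3e6, n_op)        # assumed B10d, output contactor
    ch1 = [("position switch S1", switch, 0.90, 1), ("safety PLC", 100.0, 0.99, 1),
           ("contactor K1", contactor, 0.90, 1)]   # DC values assumed (cross monitoring, feedback)
    ch2 = [("position switch S2", switch, 0.90, 1), ("safety relay", 50.0, 0.99, 1),
           ("contactor K2", contactor, 0.90, 1)]
    m = symmetrize(channel_mttfd(ch1), channel_mttfd(ch2))
    dc = dcavg(ch1 + ch2)
    pl = achieved_pl("3", m, dc, ccf_score=70)      # Annex F score assumed
    return {"plr": plr, "mttfd_years": m, "mttfd_band": mttfd_band(m), "dcavg": dc,
            "dc_band": dc_band(dc), "pl": pl, "ok": meets(pl, plr)}

if __name__ == "__main__":
    print(worked_example())
```

Two points worth noting from the run. First, the two channels have quite different MTTFD (about 65 and 39 years); the Annex D formula pulls the combined value down to about 53 years, which still lands in the High band, but a weaker second channel would drop it into Medium and the same Category 3 design would then reach only PL d. Second, `achieved_pl` returns `None` for combinations the standard does not cover (for example Category 4 with anything less than DCavg High, or any Category 2 to 4 design with a CCF score below 65); treating `None` as "not PL a" rather than "invalid design" is a common spreadsheet mistake, so the function deliberately does not return a letter in those cases.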
Safety-related parts of control systems (SRP/CS) require validation. ISO 13849-2 includes all of the details required for validation by analysis (e.g., FMEA, FMECA or FMEDA, supported by software such as the IFA's SISTEMA tool), by functional testing, and for documenting the results in a validation record.
Acronym | Expansion | Notes
---|---|---
PL | Performance Level | Predicted band of dangerous failure rates for an SRP/CS
PLr | required Performance Level | Performance Level required, based on the risk assessment, to provide the necessary risk reduction
MTTFD or MTTFd | Mean Time to Dangerous Failure | Given in years
PFHd | Probability of dangerous Failure per Hour | Average probability of a dangerous failure per hour of operation
DCavg | average Diagnostic Coverage | Given as a percentage
CCF | Common Cause Failure | Failures of more than one component arising from a common cause
SRP/CS | Safety-Related Parts of Control System(s) | The parts of a machine control system that provide a safety function