EN ISO 13849-1 – Functional Safety Standard, Basis for Performance Level (PL)
June 21, 2023
The standard EN ISO 13849-1 is the basis for evaluating the safety of complex machine control systems. It is a basic functional safety standard and contains internationally unified requirements, from the determination of the required performance level and the identification of safety-related control parts through to the implementation of safety functions. The standard is to be applied to safety-related parts of control systems, irrespective of the technology and energy used (electrical, hydraulic, pneumatic, mechanical). It describes the safety requirements for the design and integration of safety-related parts of control systems. Properties such as the required performance level (PLr) are defined for these parts – properties that they need in order to execute specific safety functions.
The greater the risk, the higher the requirements of the control systems. The hazardous situation is classified into five levels, known as performance levels (PL), from PL “a” (low) to PL “e” (high). The required PL is determined and assigned as part of the risk assessment in accordance with EN ISO 13849-1.
ISO 13849-1 – Significant changes 2023
In 2023, the International Organization for Standardization (ISO) published the new edition of ISO 13849-1. The revised version specifies a range of guidelines, for determining the performance level for example, and thus provides better support with implementation. It also takes account of the greater significance of software. It is far from clear when it will be harmonised into the EU standard EN ISO 13849-1, whether there will be a transition period for publication of the standard in the Official Journal and, if so, how long this might be. The standards experts from Pilz recommend that designers and operators deal with the upcoming changes at an early stage.
Significant changes in ISO 13849-1:2023 compared with the previous version ISO 13849-1:2015:
- Clearer structure overall, focusing on the implementation of a safety function as a combination of several subsystems
- Use of the term “subsystem” throughout the document (instead of SRP/CS)
- Improved and extended specification of safety functions (Clause 5)
- Improved guidelines and additional requirements relating to the SRS (safety requirements specification) (Clause 5)
- Clarifications regarding design aspects (Clause 6); e.g. optimised Category 2 definition, determination of CCF per subsystem and with regard to fault consideration, fault exclusion and well-tried components
- Improvements and clarifications regarding software (Clause 7)
- Validation (Clause 10); the normative requirements of ISO 13849-2 were revised and incorporated into Part 1
- Determination of the required performance level (Annex A); changes with regard to parameter P
- Clarification of measures against common cause failures (CCF) – (Annex F)
- Guidelines for the management of functional safety were extended (Annex G.5)
- Details of how to guarantee that EMC noise immunity is sufficiently high (Annex L)
- Supplementary information for the safety requirements specification (Annex M)
- Avoidance of systematic failure through software design (Annex N); contains a simple example for software validation
- Additional information on safety-related values of components (Annex O), adapted to the approach of VDMA standard sheet 66413
EN ISO 13849 as an instrument for achieving machinery safety
Safety is a key topic, especially in Europe – among other things it is incorporated and formulated in law in the Machinery Directive (MD) and in future in the new Machinery Regulation (MR). Standards such as EN ISO 13849 can be applied as a building block for verification in order to meet the essential health and safety requirements for safety-related parts of control systems.
The standard EN ISO 13849 consists of two parts and was developed and published by ISO (International Organization for Standardization).
►Part 1 – ISO 13849-1 with the general principles for design was technically revised to clarify and detail some requirements, without introducing any new technical concepts. This part was republished in 2023.
►Part 2 of the standard – EN ISO 13849-2:2012: Validation will initially remain as it is and will be revised afterwards. The normative annexes from Part 2 are embedded in the update of Part 1.
The last edition of EN ISO 13849-1 was published in 2015. The standard is based on a probabilistic approach for the assessment of safety-related control systems and contains internationally unified requirements, referring to the risk assessment, required performance levels and identification of safety-related control parts, through to implementation of safety functions.
ISO 13849-1 uses a graph to deal with the assignment of risks to the required performance level and uses structural and statistical methods to evaluate safety functions. The objective is to establish the suitability of safety measures to reduce risks.
Risk assessment and risk reduction combined with functional safety
In the European Union, the standard EN ISO 12100 is used to determine the steps you need to consider when assessing and reducing risk on machinery. The evaluation and verification of safety functions are the preserve of the standards EN ISO 13849 and EN IEC 62061. The design of the safety-related parts of control systems is an iterative process, which is executed in several steps.
- Step 1 – Define the safety function requirements
- Step 2 – Determine the required performance level (PL)
- Step 3 – Design and technically implement the safety functions
- Step 4 – Determine and quantitatively evaluate the performance level
- Step 5 – Verification
- Step 6 – Validation
Risk evaluation and determination of the required performance level PLr
Risks are assessed in EN ISO 13849-1 with the aid of a graph. The assessed criteria include severity of injury, frequency of exposure to the risk and the possibility of avoiding the risk. The outcome of the assessment is the required performance level (PLr) for the individual safety functions, which are intended to minimise the risks.
PL a corresponds to a low risk, PL e to a high risk.
S – Severity of injury
- S1 = Slight (normally reversible injury)
- S2 = Serious (normally irreversible injury or death)
F – Frequency and/or exposure to hazard
- F1 = Seldom to less often and/or exposure time is short
- F2 = Frequent to continuous and/or exposure time is long
P – Possibility of avoiding hazard or limiting harm
- P1 = Possible under specific conditions
- P2 = Scarcely possible
The possibility of avoiding the hazard is further specified through five factors for parameter P:
- Speed with which the hazard arises (e.g. quickly or slowly)
- Possibilities for hazard avoidance (e.g. by escaping)
- Practical safety experiences relating to the process
- Operation by experts or non-professionals
- Operation with or without supervision
Determination of parameter P – Factors | A | B | C |
---|---|---|---|
Machine is used by | Specialist | Layperson | – |
Speed of the part of the machine that can cause a hazardous event | Event at low or very low speed | Event at medium speed | Event at high speed |
Physical possibility of avoiding the hazard | Possible in at least 50 % of cases | Possible in less than 50 % of cases | Not possible |
Possibility of recognising/sensing the hazard | Possible in at least 50 % of cases | Only possible in less than 50 % of cases | Not possible |
Complexity of the operations | Low complexity or no interaction | Medium to high complexity | – |
*If “C” is selected at least once OR “B” is selected at least 3 times, the avoidance parameter is “P2” (#“C” ≥ 1 or #“B” ≥ 3 → P2).
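The rule under the table and the S/F/P parameters above together form a small decision procedure, so here it is written out as an added example (not part of the original article or of Pilz's material). The factor ratings and the "one C or three B's gives P2" rule follow the table; the mapping from the S-F-P path to the required PL is the Annex A risk graph of ISO 13849-1 as I know it, which the article itself does not reproduce. The function names and the rating dictionaries are constructed for this illustration.

```python
"""Worked example: parameter P from the factor table, then PLr from the risk graph.

Assumptions (not from the article): the RISK_GRAPH mapping below is the
ISO 13849-1 Annex A risk graph as the example's author knows it; the factor
names and all function names are constructed for this example.
"""
from typing import Dict, Tuple

# Which ratings the factor table offers per factor: two rows have no "C".
P_FACTOR_OPTIONS: Dict[str, Tuple[str, ...]] = {
    "user":        ("A", "B"),        # specialist / layperson
    "speed":       ("A", "B", "C"),   # low or very low / medium / high speed
    "avoidance":   ("A", "B", "C"),   # >= 50 % / < 50 % / not possible
    "recognition": ("A", "B", "C"),   # >= 50 % / < 50 % / not possible
    "complexity":  ("A", "B"),        # low or none / medium to high
}

# Risk graph (Annex A, as assumed here): each path S -> F -> P ends at a PLr.
RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def determine_p(ratings: Dict[str, str]) -> str:
    """Derive P1/P2 from the five factor ratings using the table's rule:
    P2 if "C" is selected at least once OR "B" at least three times."""
    unknown = set(ratings) - set(P_FACTOR_OPTIONS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    for factor, options in P_FACTOR_OPTIONS.items():
        if factor not in ratings:
            raise ValueError(f"missing rating for factor {factor!r}")
        if ratings[factor] not in options:
            # e.g. "user" has no column C in the table, so rating it C is an error
            raise ValueError(
                f"factor {factor!r} cannot be rated {ratings[factor]!r}; "
                f"allowed: {options}")
    values = list(ratings.values())
    if values.count("C") >= 1 or values.count("B") >= 3:
        return "P2"
    return "P1"


def required_pl(s: str, f: str, p: str) -> str:
    """Look up PLr on the risk graph; rejects parameter values not on it."""
    try:
        return RISK_GRAPH[(s, f, p)]
    except KeyError:
        raise ValueError(f"no risk-graph path for {(s, f, p)}") from None


def assess_safety_function(s: str, f: str, ratings: Dict[str, str]) -> dict:
    """Full chain: factor ratings -> P, then S/F/P -> PLr. The intermediate
    P is returned as well, so the SRS entry can record how PLr was derived."""
    p = determine_p(ratings)
    return {"S": s, "F": f, "P": p, "PLr": required_pl(s, f, p)}


if __name__ == "__main__":
    # Constructed sample: layperson-operated machine, medium-speed hazard,
    # hazard recognisable in fewer than half of cases, low complexity.
    sample = {"user": "B", "speed": "B", "avoidance": "A",
              "recognition": "B", "complexity": "A"}
    # Three "B" ratings -> P2; with S2 and F2 the risk graph ends at PL e.
    print(assess_safety_function("S2", "F2", sample))
```

The validation against `P_FACTOR_OPTIONS` is the part worth keeping in any real tool: the table deliberately has no "C" column for the operator and complexity rows, and a spreadsheet that silently accepts one there will over- or under-rate P without anyone noticing.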
Aim of EN ISO 13849-1 and the performance level – Risk reduction
The risk is the combination of the probability of occurrence of harm and the severity of that harm. Typically, several safety functions are available to reduce the risks. Each safety function is implemented as a combination of several subsystems. A subsystem is a unit of the architectural design of a safety-related system at the highest level, whereby the architecture represents the specific configuration of hardware and software elements in a safety-related control system (SCS). Subsystems are either already validated by the manufacturer or are designed as new subsystems by the machine manufacturer or integrator.
A safety requirements specification (SRS) is required for a clear description of the safety functions. This is documentation containing all the details required for safe and correct performance of the safety functions. The following is recorded for each safety function:
- Function description with the triggering event, reaction and safe state
- Required PLr
- Corresponding operating modes
- Reaction times
- Error reaction and behaviour
- Priority
- Interfaces (with other safety functions)
Evaluation of the implementation of self-developed subsystems
In ISO 13849-1 and EN ISO 13849-1, the following aspects must be defined in order to determine the PL of a subsystem.
- System category (structural requirement): this classifies the subsystem in respect of its resistance to faults and its subsequent behaviour in the event of a fault, which is achieved by the structural arrangement of the parts, fault detection and/or its reliability
- Mean time to dangerous failure (MTTFD)
- Diagnostic coverage (DC), defined as a measure of the effectiveness of the diagnostics: [ratio between the failure rate of detected dangerous failures and the total rate of dangerous failures]
- Common cause failure (CCF)
Software – Informative Annex N for avoiding systematic faults
The requirements for application software have been increased in comparison with the previous version EN ISO 13849-1:2015.
An informative Annex N has been included on the subject of avoiding faults/fault avoidance measures for the safety-related software design. ISO 13849-1 now covers various software types:
- Safety-related embedded software (SRESW)
- Safety-related application software (SRASW)
- Parameter setting software
Also, suggestions for improvement have been included, with regard to how these can be linked to the requirements for programming languages with limited (LVL = limited variability language) or unlimited language scope (FVL = full variability language).
Validation in accordance with EN ISO 13849-1
The validation specifications have been adapted and the normative requirements regarding the validation procedure from ISO 13849-2:2012 have been revised and integrated into ISO 13849-1:2023, e.g.
- The analysis supplements the test, it does not replace it
- Validation and examination of the SRS is described in detail
- A simple example of software validation is provided
Please note: the tables for fault evaluation are still only included in EN ISO 13849-2 or ISO 13849-2.
Electromagnetic compatibility requirements (EMC)
An informative Annex L has been incorporated into ISO 13849-1. This contains details of how to guarantee sufficient EMC noise immunity. EMC interference can mean that electrical or electronic systems behave unexpectedly. For this reason, basic measures should be taken against EMC influences at subsystem and overall system level. Various options are listed for this, including the help of an EMC measures table. The EMC Directive regulates the essential requirements for electromagnetic compatibility.