ISO 13849

Last updated

ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions (called safety-related parts of a control system). [1] The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.

Contents

The standard has two parts:

ISO 13849 is designed for use in machinery with high to continuous demand rates. According to IEC 61508, a HIGH demand rate is once or more per year of operation, and a CONTINUOUS demand rate is much, much more frequent than HIGH. For systems with a LOW demand rate, i.e., less than once-per-year, see IEC 61508, or the appropriate sector-specific standard such as IEC 61511.

The standard is developed and maintained by ISO/TC 199, Safety of machinery, Working Group 8 — Safe Control Systems. [3] The scope of ISO 13849 includes control systems using mechanical, electrical, electronic, and fluidic (hydraulic and pneumatic) technologies.

According to an informal stakeholder survey done in 2013, more than 89% of machine builders and more than 90% of component manufacturers and service providers use ISO 13849 as the primary functional safety standard for their products. [4]

History

EN 954-1

ISO 13849-1 has its origins in the mid 1990s when the European Committee for Standardization (CEN) published EN 954-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design [5] in 1996. In 1999, EN 954-1 was transferred to ISO for ongoing development under the Vienna Agreement.

EN 954-1 introduced the original five structural Categories, B, 1-4.

prEN 954-2

prEN 954-2:1999, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, is the precursor document that eventually became ISO 13849-2 in 2003. This document was never published as a finished standard. The "pr" in "prEN" indicates that the document was a European pre-standard.

ISO 13849-1, 1st Edition

In 1999, ISO published the first edition of ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. The first edition was technically identical to EN 954-1. Within a year after publication, ISO/TC 199 launched a New Work Item Proposal for the revision of the standard. The goal was to add probabalistic requirements to the existing standard.

ISO 13849-2, 1st Edition

In 2003, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation, was published. This standard included all of the details related to validating the functional safety of a design. In addition, Annexes A-D included key information on basic and well-tried safety principles, well-tried components, and common faults for mechanical, hydraulic, pneumatic, and electrical components.

ISO 13849-1, 2nd Edition

The second edition of ISO 13849-1 was published in 2006. That edition introduced MTTFd, DCavg, and CCF for the first time. The revisions incorporated the recommendations developed through the EU STSARCES project. [6] and [7]

ISO 13849-2, 2nd Edition

In 2012, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation was published. This edition was reaffirmed in 2017 and remains current.

ISO 13849-1, 3rd Edition

The third edition of ISO 13849-1 was published in 2015. The revision included additional technical explanations and clarification of the analytical methods. This edition was reaffirmed in 2020, while a new revision was started.

ISO 13849-1, 4th Edition

The fourth edition of ISO 13849-1 was published in 2023. The revision focuses on the integration of the content from ISO 13489-2, some specific annexes of the document ISO 13489-2 are still used.

Risk Assessment

Risk assessment techniques

Following ISO 13849-1, the design of the safety system is based on a risk assessment performed by the manufacturer of the machine. [8] The risk assessment identifies the safety functions required to mitigate risk and the performance level these functions need to meet to adequately mitigate the identified risks, either completely, or in combination with other safeguards, e.g., fixed or movable guards or other measures.

The Annex A decision tree, Figure A.1, is provided as an example of how the PLr can be determined. The Annex A method is not a risk assessment tool since the output from the tool is in terms of Performance Level, not risk. Figure A.1 cannot be used for risk assessment. Examples of a risk matrix and a risk decision tree are given in ISO/TR 14121-2. [9] Risk assessment is typically done in at least two cycles, the first to determine the intrinsic risk, and the second to determine the risk reduction achieved by the control measures implemented in the design.

Assignment of safety functions

A safety function is a control system function whose failure will result in an immediate increase in risk. [8] ISO 13849-1 includes descriptions of a number of common safety functions, including:

Each safety function identified in the risk assessment is assigned a required Performance Level (PLr) based on the intrinsic risk determined through the risk assessment. The intrinsic risk is the risk posed by the machine if no risk control measures were present, or if the risk control measures fail or are defeated by the user.

Performance levels

A Performance Level is a band of failure rates, represented as a, b, c, d, e. These failure rates are quantified as the Probability of Dangerous Failure per hour, PFHd. The numeric values for PFHd are given in Annex K. The PL range for each band has a 5% tolerance. The PFHd covered by ISO 13849-1 range from the highest failure rate in PLa < 1 × 10−4 to the lowest failure rate in PLe at ≥ 1 × 10−8.

The Performance Level of a safety function is determined by the architectural characteristics of the controller (classified according to designated architectural categories, Category B, 1, 2, 3, 4), the MTTFD of the components in the functional channel(s) of the system, the average diagnostic coverage (DCavg) implemented in the system, and the application of measures against Common Cause Failures (CCF). Category B, 1 and 2 architectures are single channel, and therefore offer no fault tolerance.

Designated architectures

The designated architectures include three single-channel and two redundant structures. The structures are the basis for the calculations used to determine the PFHd values given in Annex K.

Block diagrams

Each designated architecture has an associated block diagram. When analyzing SRP/CS designs, a block diagram should be developed to assist the analyst in calculating the MTTFD of the functional channel(s).

Category B

Category B represents the basic category. This category is single-channel, and can include components with MTTFD = Low or Medium. Components must be suitable for use in the application, and specified appropriately for the conditions of use, i.e., voltage, current, frequency, switching frequency, ambient temperature, pollution class, shock, vibration, etc. Since Category B is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = b.

Category 1

Category 1 achieves increased reliability as compared to Category B through the use of MTTFD = High components. These components are deemed "well-tried components" and are listed in ISO 13849-2, Annexes A through D. Additionally, components that have been tested by the manufacturer and approved according to the relevant component safety standard, e.g., IEC 60947-5-5, are also considered well-tried. Since Category 1 is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = c.

Category 2

Category 2 is a single-channel architecture that achieves increased reliability by building on Category B, using components with MTTFD = Low to High, and adding diagnostic capability through the use of test equipment. The DCavg for Category 2 can be Low to Medium, i.e., 60% ≤ DC < 99%. The diagnostic frequency depends on the demand rate on the safety function, and on the PLr that must be achieved. A minimum CCF score of 65 is required, see Annex F.

The maximum PL = d.

Category 3

Category 3 is the first architecture with a redundant structure. Building on Category B, and using components with MTTFD = Low to High, this architecture introduces cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 3 requires DCavg Low to Medium, i.e., 60% ≤ DC < 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 3, no single component failure is permitted to cause the loss of the safety function.

The maximum PL = e.

Category 4

Category 4 is also a redundant architecture that builds upon Category B. Using components limited to MTTFD = High, this architecture includes cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 4 requires DCavg HIGH, i.e., ≥ 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 4, no single component failure is permitted to cause the loss of the safety function.

The PL = e.

The primary differences between Category 3 and 4 are that Category 4 requires:

Validation

Safety-related parts of control systems (SRP/CS) require validation. ISO 13849-2 includes all of the details required for the validation using analytical techniques (including FMEA, FMECA, FMEDA, IFA SISTEMA or any of the other analytical tools available), functional testing, and documentation in a validation record.

Acronyms

Acronyms
AcronymExpansionNotes
PLPerformance LevelPredicted bands of failure rates for SRP/CS
PLrrequired Performance LevelPerformance Level required based on the risk assessment to provide necessary risk reduction.
MTTFD or MTTFdMean Time to Dangerous FailureGiven in years
PFHdProbability of dangerous Failure per HourThe fractional probability per hour of operation.
DCavgaverage Diagnostic CoverageGiven as a percentage.
CCFCommon Cause FailureFailures in more than one component with a common cause.
SRP/CSSafety-Related Parts of Control System(s)The parts of a machine control system that provide a safety function.

Related Research Articles

<span class="mw-page-title-main">Safety engineering</span> Engineering discipline which assures that engineered systems provide acceptable levels of safety

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

Automotive engineering, along with aerospace engineering and naval architecture, is a branch of vehicle engineering, incorporating elements of mechanical, electrical, electronic, software, and safety engineering as applied to the design, manufacture and operation of motorcycles, automobiles, and trucks and their respective engineering subsystems. It also includes modification of vehicles. Manufacturing domain deals with the creation and assembling the whole parts of automobiles is also included in it. The automotive engineering field is research intensive and involves direct application of mathematical models and formulas. The study of automotive engineering is to design, develop, fabricate, and test vehicles or vehicle components from the concept stage to production stage. Production, development, and manufacturing are the three major functions in this field.

ISO/IEC/IEEE 12207Systems and software engineering – Software life cycle processes is an international standard for software lifecycle processes. First introduced in 1995, it aims to be a primary standard that defines all the processes required for developing and maintaining software systems, including the outcomes and/or activities of each process.

ISO/IEC 15504Information technology – Process assessment, also termed Software Process Improvement and Capability dEtermination (SPICE), is a set of technical standards documents for the computer software development process and related business management functions. It is one of the joint International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards, which was developed by the ISO and IEC joint subcommittee, ISO/IEC JTC 1/SC 7.

Quality management ensures that an organization, product or service consistently functions well. It has four main components: quality planning, quality assurance, quality control and quality improvement. Quality management is focused not only on product and service quality, but also on the means to achieve it. Quality management, therefore, uses quality assurance and control of processes as well as products to achieve more consistent quality. Quality control is also part of quality management. What a customer wants and is willing to pay for it, determines quality. It is a written or unwritten commitment to a known or unknown consumer in the market. Quality can be defined as how well the product performs its intended function.

Information security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.

Software safety is an engineering discipline that aims to ensure that software, which is used in safety-related systems, does not contribute to any hazards such a system might pose. There are numerous standards that govern the way how safety-related software should be developed and assured in various domains. Most of them classify software according to their criticality and propose techniques and measures that should be employed during the development and assurance:

A Semantic Service Oriented Architecture (SSOA) is an architecture that allows for scalable and controlled Enterprise Application Integration solutions. SSOA describes an approach to enterprise-scale IT infrastructure. It leverages rich, machine-interpretable descriptions of data, services, and processes to enable software agents to autonomously interact to perform critical mission functions. SSOA is technically founded on three notions:

  1. The principles of Service-oriented architecture (SOA);
  2. Standard Based Design (SBD); and
  3. Semantics-based computing.

The ISO/IEC 15288Systems and software engineering — System life cycle processes is a technical standard in systems engineering which covers processes and lifecycle stages, developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Planning for the ISO/IEC 15288:2002(E) standard started in 1994 when the need for a common systems engineering process framework was recognized.

<span class="mw-page-title-main">ISO 22000</span> Food safety standard

ISO 22000 is a food safety management system by the International Organization for Standardization (ISO) which is outcome focused, providing requirements for any organization in the food industry with objective to help to improve overall performance in food safety. These standards are intended to ensure safety in the global food supply chain. The standards involve the overall guidelines for food safety management and also focuses on traceability in the feed and food chain.

Profisafe is a standard for a communication protocol for the transmission of safety-relevant data in automation applications with functional safety. This standard was developed jointly by several automation device manufacturers in order to be able to meet the requirements of the legislator and the IFA for safe systems. The required safe function of the protocol has been tested and confirmed by TÜV Süd. The PROFIBUS Nutzerorganisation e.V. in Karlsruhe supervises the standardization for the partner companies and organizes the promotion of this common interface.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO) in 2011, and revised in 2018.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommitee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.

The testing, inspection and certification (TIC) sector consists of conformity assessment bodies who provide services ranging from auditing and inspection, to testing, verification, quality assurance and certification. The sector consists of both in-house and outsourced services.

References

  1. "ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design". International Organization for Standardization (ISO). Retrieved 2022-04-06.
  2. "ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation". International Organization for Standardization (ISO). Retrieved 2022-04-06.
  3. "ISO/TC 199 Safety of machinery". ISO. International Organization for Standardization. 22 January 2019. Retrieved 8 April 2022.
  4. Outcome of the "Questionnaire" doc. N 964 -- Report from ISO/TC 199/JWG 1/Sub Group 2, ISO/TC 199 N1035, 2013-03-01
  5. "EN 954-1:1996, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design". www.cencenelec.eu. European Committee for Standardization (CEN). Retrieved 7 April 2022.
  6. "Standards for safety related complex electronic systems". cordis.europa.eu. European Commission. Retrieved 11 April 2022.
  7. "STSARCES project - final report -part 1". industry-finder.com. 27 May 2014. Retrieved 11 April 2022.
  8. 1 2 "ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction". International Organization for Standardization (ISO). 22 January 2019. Retrieved 2022-04-06.
  9. "ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods". International Organization for Standardization (ISO). Retrieved 6 April 2022.