Safety Related Parts of Control Systems – General principles for design
EN ISO 13849-1,2 are used as part of the systematic risk reduction described in ISO 12100 for the part concerning the design of the machine safety-related control system.
ISO 13849-1 is a Standard for designing the parts of the control system that implement the safety functions. It can be used for all types of machinery regardless of the type of technology used (electrical, hydraulic, pneumatic, etc.). These parts can be made up of hardware and / or software and can be separated from the machine control system or be an integral part of it.
ISO 13849-1 is applicable only if the safety function is demanded with a frequency higher than once a year (operation in High demand mode) or if it is demanded continuously (Continuous mode of operation) because the tables and formulas provided in the standard relate to these two modes of operation.
Examples of products that are commonly integrated into a safety-related control system are: relays, solenoid valves, position switches, configurable PLCs, safety modules, motor drives, two-hand control devices, pressure sensitive equipment, photoelectric barriers, laser scanner.
The parts of the machine control system that perform safety-related tasks are designated with the acronym SRP / CS (Safety Related Parts of Control System).
In addition to implementing safety functions, an SRP / CS can also provide operational functions, but only the parts that are safety-related fall within the scope of the standard
For the evaluation of the safety performance of an SRP / CS, the term PL (Performance Level) is used which specifies the ability of an SRP / CS to ensure adequate risk reduction within predefined operating conditions.
The performance level is measured on a 5-level scale, from PL a to PL e; each level is associated with a range of values of mean probability of dangerous failure (PFHD).
Average probability of dangerous failure per hour (PFHD) 1/h
≥ 10-5 a < 10-4
≥ 3 x 10-6 a < 10-5
≥ 10-6 a < 3 x10-6
≥ 10-7 a < 10-6
≥ 10-8 a < 10-7
Fig. 5 – Table of ISO 13849 standard: Performance leves (PL)
Risk assessment and required Performance Level – PL r assignment
For each safety function identified, the designer must decide what is the contribution to risk reduction the safety function should provide.
This contribution does not cover the overall machine risk but only the part of risk related to the application of that particular safety function.
The parameter. that is used to estabilsh what is the amount of risk reduction that the safety function is required to provide is the PL r (Performance Level Required).
Parameter PL, instead, represents the Performance Level reached by the hardware implementing the safety function. PL of the hardware must be equal to or higher than specified PL r.
After deciding the necessary PL r, it is necessary to design a suitable SRP / CS, calculate the resulting PL of that piece of hardware and check if it is greater than or equal to the PL r.
To get the contribution to risk reduction that must be provided by the safety- related function a graph of decisions is used, leading to univocal identification of the PL r. If more than one safety-related function are identified, PL r shall be identified for each of them.
S:severity of injury
S1: Slight injury generally reversible
S2: Serious injury generally irreversible or died
F:frequency or time exposure to hazard
F1: From rare to short and or short exposure time
F2: From frequent to continuous and or long exposure time
P: avoidable risk or limitation of damage
(it depends on the speed of the event, the possibility of perception of danger and the possibility of escape)
P1:avoidable within given conditions
P2: almost unavoidable
Fig. 6 – Graph of decisions for evaluation of the Pl r
It is possible that the same person may be subjected to the simultaneous interaction of multiple hazards due, for example, to the presence of multiple dangerous movements of the machine that could potentially create harm.
If the evaluation of the probability of failure were made by taking into account all the hardware components of the overall safety related control system, very high PFHD values would soon be reached (even if components with very high MTTFD values were used) with consequent impossibility to stay within the required PL r.
Things get even more complicated if the individual risks require different PL r.
To overcome the problem it is allowed to separate the risks, if this is possible, and to assign to each of them a separate safety function.
The designer must analyse this possibility during the risk assessment process. First, the dangerous zone is identified, then all dangerous movements of the machine parts that are located in the same dangerous zone are identified, then all the operations carried out by the machine in the same zone are considered and which are the parts of the body that are subjected to risk.
If the analysis shows the possibility of separating the various dangerous movements, then a separate safety function is assigned to each dangerous movement and the relevant PL is calculated.
In a working cell that involves several robots on different operations, the stopping function following the actuation of the light curtain can be evaluated individually for each robot.
For the example of the machining cell shown in the picture, the following safety functions can be identified:
SF1: The interruption of the safety curtain involves the stopping of all robot 1 drives
SF2: The interruption of the safety curtain involves the stopping of all the robot 2 drives
SF3: The interruption of the safety curtain involves the stopping of all robot 3 drives
Fig. 8 – Working cell involving multiple robots on different operations
The same consideration applies for example to a rotary table equipped with several clamping devices; the risk assessment can be done separately for each clamp.
In a welding robot the operator is exposed simultaneously to the risk of crushing due to the movement of the robot head and to the risk of burning due to the tool mounted on the head. In this case the robot head and tool must be taken into account at the same time in the evaluation of the safety function.
For a robot in learning mode it is possible to keep power to the robot when the entrance door of the cell is open, only if a local enabling device (hold-to-run control) is used and that the robot is operated at a reduced safety speed.
The probability of failure of all three devices (door interlock, hold-to-run and speed monitor) must therefore be included in the calculation of the PFHD because the dangerous failure of one of them immediately leads to a dangerous condition.
To decide which safety functions are required, the intended use of the machine must be considered (including reasonably foreseeable misuse). For each safety function, a document must be drawn up in which at least the following specifications are detailed:
Result of the risk assessment for each hazard (PL r value)
Behaviour that is intended to be achieved or prevented with the safety function (e.g. when the guard is opened the machine performs a stop Cat.0)
Intended use of the machine and reasonably foreseeable misuse
Operation in emergency conditions
Safety function response time
Restart after a protective action (automatic or manual restart)
Actuation mode (related to a section or part of the machine)
Need to suspend the safety function (muting, banking)
By-pass mode of the safety function for repair, tuning, cleaning, troubleshooting, etc.
Description of connections between different safety function, if eny
Safety function actuation frequency
Priority of functions which, if active at the same time, can cause operating conflicts
To help the designer, the standard lists the main safety functions that are generally implemented in an SRP / CS and for some of them it provides the main safety requirements:
Safety related stop function started by a safety measure
Manual restart function
Start / Restart function
Local command function
Hold-to-run control function
Prevention of unexpected start-up
Escape and rescue of trapped people
Isolation function and energy dissipation
Command mode and enable mode
Emergency stop function
Safety-realted stop function
The stop function activated by the actuation of a protective device must bring the machine to a safe state in the shortest time possible.
The safety-related stop unction has priority over a stop for operational reasons.
When a group of machines work together, it is necessary to report to the supervisory control and / or to the other machines the existence of the safety stop.
After the actuation of a stop command by a protective device, the stop condition must be maintained until a safe condition exist for restarting
After a stop command by a protection device activation, the stop condition of the machine must be maintained until safe conditions exist for restarting.
Manual restart function
Reset command restarts the protective device and cancels the safety stop command. If established by the risk assessment, this cancellation must be confirmed through a manual, separate and deliberate action (manual reset). The manual reset function:
It must be authorized through a separate device, included in the SRP / CS and operated manually
It must be enabled only if all protective devices are operational
The manual restart must not initiate a movement or a dangerous situation
It must take place through deliberate action
It must enable the control system to accept the start command
It must be enabled only when the machine actuator is in the OFF state
Muting function must not expose people to dangerous situations. During Muting, the safety conditions must be guaranteed by other protection devices. At the end of Muting, all the safety functions of the SRP / CS must be reset automatically. The PL of the parts of the SRP / CS that perform the Muting function must not decrease the safety level of the protective device to which are connected.
Safety related parameters
When the deviation of parameters such as position, speed, temperature or pressure, beyond the set limits can cause safety problems, the control system must implement appropriate measures (for example, stopping, warning signal, alarm).
Fluctuations, loss and restoration of power sources
When fluctuations in power levels exceed the designed operating range, including loss of power, the SRP / CS must continue to provide or send output signals that allow other parts of the machine system to maintain a safe state.
E – Stop
The E-Stop is defined as a “complementary protection measure” (it is not a safety function).
It is used to reduce the risk of unreasonably foreseeable failure or accidents in parts of the machine, including failure of protective devices. Since it must be available in case of failure of the other protective devices, it is also advisable to consider it in EN ISO 13849-1.
It must be available and operational at all times and must bypass all other functions and operating modes of the machine (without compromising any structures designed for the escape of trapped peoples). Any start command (voluntary, unintentional, or unexpected) must not have effect on those parts of the machine stopped by the E-stop command until the device is manually reset.
The PL r of the E-Stop function should be the same of the safety function with the highest PL r involved in the realisation of the SRP / CS.
Local control function
When a machine is locally controlled, e.g. by means of a portable control device it is necessary that:
The local control device selector must be located outside the danger zone
Local control must be active only in the part of the dangerous area identified by the risk analysis
The change from local control to main control must not create a dangerous situation
When, following the risk assessment, it is found that the response time of the SRP / CS can be decisive for safety purposes, its response time must be added to the response time of the other devices of the safety loop in order to get the overall response time of the machine.
The overall response time required for stopping the machine can affect the design of the SRP/CS, e.g, for some applications it can be necessary to add a braking system.
A safety function can be done using one or more SRP/CS.
All available technologies can be used, also in combination; electrical, hydraulic, pneumatic, mechanical etc.
It is also possible for an SRP/CS to implement safety functions and normal command functions (for example a photoelectric light curtain or two-hand control can be used for both protection and start cycle).
Fig. 9 – Typical architecture of the SRE / CS
Fig. 10 – Several safety functions can share one or more SRP/CS
The designer has to decide the required contribution to risk reduction for each safety function.
The evaluation of PL r must be carried out separately for each individual safety function.
SRP/CS design phase – Organisational aspects
Before creating an SRP/CS, in order to reduce as much as possible the introduction of systematic failures during the design phase or as a result of subsequent modifications, it is necessary to have a management organization that follows structured procedures covering the entire life cycle of the SRP/CS. Each design activity should be properly specified, documented and verified.
Ability to promptly detect internal failures potentially affecting the safety function
Component reliability, the ability to limit common cause failures
Quality of the design
Environmental conditions and operational stresses
The operating cycle of the machine.
Intended use and reasonably foreseeable misuse must be considered.
The table below summarizes the quantitative requirements, assigning them an overall value of probability of dangerous failure, and the qualitative aspects that must be met in order to obtain a PL.
Fig. 11 – Mandatory qualitative and quantitative requirements to be met for safe control system design according to ISO 13849-1
Average Probability of Dangerous Failure/Hour is only one of the parameters contributing to assignment of PL. To claim a PL rating, it is also mandatory to prove having considered and complied with all requirements, including: – Monitoring of systematic failures – Using robust and reliable components (according to Product Standards if available) – Use of good engineering practice – Considering environmental conditions in which the safety-related system will operate – In the case of new software, adopting all organisational aspects of V-type development model shown in Figure 6 of ISO 13849-1 and meeting development requirements for application SW and enbedded SW.
The method used for the evaluation of the part of the PL linked to the quantitative aspects is the computation of the probability that a dangerous failure may occur to the SRP/CS in a certain period of time, considering the reliability of its components.
NOTE: The greater the contribution to risk reduction provided by the safety function the lower must be the PFHd (average probability of dangerous failure) of the SRP/CS. A fault is considered dangerous ifit inhibits the protection function of the safety related control-system.
The Average probability of dangerous failure for a safety-related control system, or for a sub-system, may be estimated in various ways. These methods require the use of complex mathematical formulas which typically belong to the field of system reliability theory. The use of such methods implies that for each components the following are known:
Failure rate (λ)
Percent distribution of failure rate for each component failure modes, (example: for a positive action switch the failure modes are: the contact will not open when required = 20% of the times and the contact will not close when required = 80% of the times
The effect of each failure on safety-related system performance, (e.g dangerous failure or not dangerous failure)
Percent of dangerous failures detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures
Percent of dangerous failures not detected (by automatic self-diagnostic techniques implemented) out of total dangerous failures
ISO 13849-1 simplifies this process by replacing the mathematical formulas with precalculated tables for different combinations of Categories, average MTTFD and DC values which are also determined through tables
Design of an SRP/CS as per ISO 13849-1 may be summarized in the following eight steps:
Selection of system structure (architectures)
Calculation of MTTFD
Selection of the self-diagnostic techniques and DC calculation
Verification of CCF for redundant architecture
Calculation of PL using Table 5 or Table K.1
Verification of PL (if calculated PL is below PL r return to Step 1)
Categories and their relationship with the MTTFD, with the DC and with the CCFs
EN / ISO 13849 uses a methodology based on 5 particular structures called “Categories” which constitute the backbone on which all the quantifiable aspects that contribute to the formation of the PL are based.
The categories describe the performance of an SRP/CS in relation to:
Structural arrangement of its parts
Its fault tolerance
Its behaviour under fault conditions
Reliability of its components
This means that the safety performance is achieved not only through particular hardware architectures (which the standard defines as designated architecture), but also through a careful use of reliable components and, if necessary, of adequate monitoring techniques. The choice of a category mainly depends on:
Ammount of risk reduction needed
Required performance level (PL r)
Type of risk due to the failure of the SRP/CS
Possibility to avoid systematic failures in the SRP/CS
Probability of failures in the SRP/C
Mean Time to Dangerous Failure (MTTFD)
Diagnostic coverage (DC)
Common Cause Failures (CCF) in the case of categories 2, 3 and 4
It should be noted that the designated architectures give a logical representation of the system structure, while the technical implementation and the functional circuit diagram may appear completely different.
Designated architectures can also be used to describe a part or a sub-part of a control system responding to certain input signals and generating safety output signals. Therefore the “input” block can represent, for example, a photoelectric light curtain (AOPD) or switch contacts. The “output” block can represent, for example, a safety-related output (OSSD) or a combination of relay contacts.
For categories 3 and 4 the dual channel representation does not mean that all parts need to be physically redundant but that redundant means exist to ensure that a single fault cannot lead to the loss of the safety function.
There are certainly several ways to create architectures that can satisfy the requirements established by the categories. If the structure of the control system is made by one (or more) of the 5 categories, then for the computation of the safety performance level (PL) it is possible to use the simplified procedures described in the standard.
If an architecture deviates from those of the Categories, then its PL cannot be evaluated with the simplified method of the standard, but must be justified by other analytical means, for example by Markov modeling, in order to show that through this non designated architecture it is possible to achieve the required performance level (PL r). Markov offers a remarkable ability to manage many of the technical characteristics that are implemented in modern safety devices, for example it is possible to model periodic events such as automatic fault diagnostics tests.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.