1013 職安署 (Occupational Safety and Health Administration) & 工安協會 (Industrial Safety Association) - ISO 13849-1: Design of safety-related control systems for industrial machinery


ISO 13849-1

TÜV Rheinland Taiwan Ltd.


Solar & Commercial Products

Alex Cheng
Assistant Manager
Tel: +886 2 2172 1565
Mail: alex.cheng@tuv.com

• Functional safety (FS) and performance level (PL)
• Safety-related parts of control systems (SRP/CS)
• What is a Category?
• What is MTTFD?
• What is DC?
• What is CCF?
• Evaluating the performance level (PL)


What is the safety standard EN ISO 13849-1?

• Its predecessor was EN 954-1.
• EN ISO 13849-1 combines the safety-category approach of EN 954-1 with the reliability (probabilistic) approach of IEC 62061, and expresses the result as a performance level.

Functional safety (FS) and performance level (PL)

• IEC 61508 is the basic functional safety standard for electrical, electronic and programmable electronic (E/E/PE) safety-related systems, applicable across all sectors.

[Figure: IEC 61508 as the basic standard, with sector standards below it: industrial process (chemicals, oil, gas); E/E/PE control systems of industrial machines; SRP/CS of industrial machines (ISO 13849-1).]



Difference between EN 954-1 and EN ISO13849-1


Design procedure of SRP/CS

Step 1: Risk assessment (based on the intended use, the severity of injury, the frequency/duration of access to the hazard and the possibility of avoiding the hazard).

Step 2: Define the safety-related parts of the control system and their safety functions (start/stop, safeguarding, hold-to-run control, emergency stop, prevention of unexpected start-up, safety functions required by the C-type standard, etc.).

Step 3: Determine the “Required Performance Level (PLr)” for each safety function.

Step 4: Check the construction of the SRP/CSs and identify the I, L and O of each channel (input, logic, output, monitoring, ...).

Step 5: Evaluate the achieved “Performance Level (PL)” and verify that PL ≥ PLr.

Construction of SRP/CSs [figure]

Risk assessment & PL evaluation


[Figure: risk assessment for a robot system per ISO 12100, followed by SRP/CS design for the control per ISO 13849-1. The performance level (PL) ranges from PL a (lowest) to PL e (highest); the PLr comes out of the EN ISO 12100 risk assessment and the achieved PL is evaluated per EN ISO 13849-1.]

How to define the PLr?

• Determination by risk graph (ISO 13849-1 Annex A)

S: severity of injury
  S1: slight (normally reversible) injury
  S2: serious (normally irreversible) injury or death
F: frequency and/or exposure time to the hazard
  F1: seldom to less often and/or short exposure time (not more than once per 15 min and not more than 1/20 of the operating time)
  F2: frequent to continuous and/or long exposure time (more often than once per 15 min)
P: possibility of avoiding the hazard or limiting the harm
  P1: possible under specific conditions
  P2: scarcely possible

Example: what is the PLr for a machining center? [Pictures only; the worked risk-graph result is not in the extracted text.]

How to define the PLr?

• Required in a C-type (machine-specific) standard. Examples from the slides:

  EN 422:2009 (blow moulding machines) [table of safety functions and PLr, picture only]
  EN ISO 23125:2015 (turning machines) [picture only]
  EN ISO 10218-1:2011 (industrial robots) [picture only]
  EN ISO 3691-4:2020 (driverless industrial trucks) [figure: safety functions with PLr = d, c, b, b, d, d; the function names were lost in extraction]
  EN 1175:2020 (industrial trucks, electrical/electronic requirements) [picture only]
  EN ISO 13482:2014 (personal care robots): PLr per safety-function clause and robot type:

  Clause             Type 1.1  Type 1.2  Type 2.1  Type 2.2  Type 2.3  Type 2.4  Type 3.1  Type 3.2
  6.2.2.2            d         d         c         d         c         d         d         d
  6.2.2.3            b         d         b         d         b         c         c         e
  6.3, 6.5.3         b (*d)    d         b         d         a         d         N/A       e
  6.4                b         d         b         b         b         d         c         e
  6.7                b         d         b (*)     e (*d)    a         b (*d)    N/A       N/A
  6.5.2.1, 6.5.2.2   b         d         N/A       N/A       b         d         N/A       e (*)
  6.6, 6.7           b         d (*e)    N/A       c         b         d (*e)    b (*c)    d (*e)

  EN ISO 20430:2020 (injection moulding machines) [figures: safety functions with PLr = d, d, e, c, c and PLr = c, c, c; the function names were lost in extraction]

Methods of “Performance Level” evaluation

• Four parameters for evaluation of the PL:
  - Category: the construction (architecture) of the SRP/CS: B, 1, 2, 3, 4
  - MTTFD: mean time to dangerous failure, i.e. the lifetime of the components and the system: high, medium, low
  - DC: diagnostic coverage, i.e. monitoring (failure detection) of the components and the system: DCavg high, medium, low, none
  - CCF: common cause failure, i.e. the safety design measures of the SRP/CS (design for reliability): score ≥ 65 (yes), < 65 (no)

Category B

• The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and use basic safety principles for the specific application.
• The SRP/CS shall withstand the expected operating stresses, the influence of the processed material, vibration, EMC, power interruptions, etc.
• The MTTFD of each channel shall be low to medium; DCavg and CCF are not relevant.
• The maximum PL achievable with category B is PL = b.

[Figure: designated architecture for Category B.]

Category 1

• SRP/CS of category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).
• NOTE: Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well-tried”.
• When a fault occurs it can lead to the loss of the safety function. However, the MTTFD of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.
• The MTTFD of each channel shall be high; DCavg and CCF are not relevant.
• The maximum PL achievable with category 1 is PL = c.
What is a “well-tried” component? What are “well-tried safety principles”?

[Tables from ISO 13849-2:2012 shown as pictures: well-tried components and well-tried safety principles for each technology (mechanical, pneumatic, hydraulic, electrical).]

Category 1: example circuit [figure: ..\draft\Example of Cat. 1 circuit.pdf]

The maximum PL achievable with category 1 is PL = c.

Category 2

• SRP/CS of category 2 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 2 shall be designed so that their safety function(s) are checked at suitable intervals by the machine control system: at machine start-up, and before the initiation of any hazardous situation, e.g. at the start of a new cycle.
• The initiation of this check may be automatic. The check shall either allow machine operation if no faults have been detected, or generate an output of the test equipment (OTE) that initiates appropriate control action if a fault is detected.
• For PLr up to and including PLr = c, whenever practicable the OTE shall initiate a safe state which is maintained until the fault is cleared. When this is not practicable (e.g. welding of a contact in the final switching device), it may be sufficient for the OTE to provide a warning.
• For PLr = d, the OTE shall initiate a safe state which is maintained until the fault is cleared.
• The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The test equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
• The MTTFD of each channel shall be low to high, the DCavg shall be at least low, and the measures against CCF shall be applied (score ≥ 65).
• The maximum PL achievable with category 2 is PL = d.

Can a single integrated circuit achieve Category 2?

• As it is not possible to exclude faults that can cause the malfunction of an integrated circuit (see ISO 13849-2 Tables D.20 and D.21), a single fault can lead to loss of a safety function (including its check/test) implemented in a single integrated circuit. Consequently, it is highly unlikely that the multi-channel functionality necessary for the fault tolerance and/or detection requirements of category 2, 3 or 4 can be achieved using a single integrated circuit, unless it satisfies the special architecture requirements of IEC 61508-2:2010, Annex E.

Category 3

• SRP/CS of category 3 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
• Single-fault detection does not mean that all faults will be detected (the DCavg may be as low as “low”).
• When the single fault occurs, the safety function is always performed.
• An accumulation of undetected faults can lead to the loss of the safety function.
• The MTTFD of each channel shall be low to high, the DCavg shall be low to medium, and the measures against CCF shall be applied (score ≥ 65).
• The maximum PL achievable with category 3 is PL = d.

Category 3: designated architecture and example circuits

[Figures only: the Category 3 block diagram and three example circuits.]

Notes on robot systems:
• EN ISO 10218-1 allows the safety-related control to be specified either as a PL (performance level) per EN ISO 13849-1 clause 4.5.1 or as a SIL (safety integrity level) per IEC 62061 clause 5.2.4; the safety function spans Input >> Logic >> Output.
• EN ISO 13849-1 Category 3 with PLr = d corresponds to IEC 62061 SIL 2 (reliability of the control).
• Stop functions per IEC 60204-1: stop category 0 and stop category 1.

Robot example: safety-related control

[Figure: ISO 10218-1 robot cell with safeguarding, positioned per ISO 13855; the safety functions shown are rated Cat. 3, PLr = d.]

Robot example: Category 3 structure

ISO 13849-1 Category 3, PLr = d, corresponds to IEC 62061 SIL 2. EN ISO 10218-1 spells this out as:

a) a single fault in any of these parts does not lead to the loss of the safety function;

b) whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function;

c) when the single fault occurs, the safety function is always performed and a safe state shall be maintained until the detected fault is corrected; and

d) all reasonably foreseeable faults shall be detected.

Items a) to d) are the robot standard's description of what ISO 13849-1 Category 3 requires.

[Figure: robot controller; each safety-related subsystem rated SIL 2 / PL d; the logic certified to IEC 61508 & IEC 62061, the drives to IEC 61800-5-1 & IEC 61800-5-2.]

Safety functions of IEC 61800-5-2 (drive-integrated safety; figures from SIEMENS): STO (Safe Torque Off), SOS (Safe Operating Stop), SLS (Safely-Limited Speed).
Category 4

• SRP/CS of category 4 shall be designed and constructed using well-tried safety principles (see ISO 13849-2).
• SRP/CS of category 4 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
• If this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.
• When the single fault occurs, the safety function is always performed.
• Faults will be detected in time to prevent the loss of the safety function.
• The accumulation of undetected faults is taken into account.
• In practice, the consideration of a combination of two faults may be sufficient.
• The MTTFD of each channel shall be high, the DCavg shall be high, and the measures against CCF shall be applied (score ≥ 65).
• The maximum PL achievable with category 4 is PL = e.
Example circuits of Category 4 [figures only]

Example circuit of a non-contact safety switch per EN ISO 14119 [figure only]

What is “fault exclusion”?

• Fault exclusion is a compromise between the technical safety requirements and the theoretical possibility of a fault; whether an exclusion is acceptable depends on the PLr, and every exclusion shall be justified and documented.
• The faults to be considered and the permitted fault exclusions for each technology are listed in ISO 13849-2.
• Where ISO 13849-2 gives no fault list for a component, a failure mode and effects analysis (FMEA, see IEC 60812) can be used to identify the faults.
[Tables from ISO 13849-2:2012 shown as pictures.]

FMEA

BMS Failure Mode and Effect Analysis (FMEA): template in which every failure mode is classified as dangerous detectable, dangerous undetectable, safe or no effect, with the diagnostic technique/measure and remarks recorded per row.

Columns: Item | Section | Function / subfunction | Failure mode / symptom | Effect analysis (dangerous detectable, dangerous undetectable, safe, no effect) | Diagnostic technique and measure | Remark

Rows on the slide (item numbers as printed):
  1   Power supply   48 V to 12 V        open circuit; short circuit; voltage too high; voltage too low
  2   Power supply   12 V to 3.3 V       open circuit; short circuit; voltage too high; voltage too low
  3   PCS            TCP/IP              open circuit
  4   PCS            CAN                 open circuit
  5   CPU            RAM                 50 % dangerous: safety function lost / 50 % safe (marked in the “safe” column)
  6-7 CPU            ROM                 50 % dangerous: safety function lost / 50 % safe
  8-9 CPU            soft error          50 % dangerous: safety function lost / 50 % safe
  10  CPU            clock               clock frequency (drift)
  11  CPU            I/O                 I/O pin
  12-13 Sensor       voltage sensor (overvoltage)      open circuit; short circuit
  14-15 Sensor       voltage sensor (undervoltage)     open circuit; short circuit
  16  Sensor         temperature sensor (overtemperature)   open circuit; short circuit
      Sensor         temperature sensor (undertemperature)  open circuit; short circuit
  17  Sensor         current sensor (overcurrent)      open circuit; short circuit
  18  Sensor         broken
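The “dangerous detectable / dangerous undetectable” split in the FMEA columns above is what yields the DC of a block. The following Python is an added example, not code from the slides or from TÜV Rheinland: it encodes a few constructed FMEA rows for a BMS logic block (the failure-rate shares, the measures and the 50 %/50 % dangerous-safe split for RAM, ROM and soft errors are assumptions for illustration) and computes DC as the detected share of the dangerous failure rate, DC = λDD / (λDD + λDU), which is the ISO 13849-1 definition of diagnostic coverage.

```python
"""Deriving a block's diagnostic coverage from an FMEA (added example).

Assumption: DC = lambda_DD / (lambda_DD + lambda_DU), the detected share of the
dangerous failure rate (ISO 13849-1 definition); safe and no-effect failures do
not count. Failure rates, the dangerous/safe split and the measures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FmeaRow:
    item: str
    failure_mode: str
    rate: float             # failure-rate share of this mode, per hour (constructed)
    effect: str             # "dangerous", "safe" or "no_effect"
    detected: bool = False  # is the dangerous effect caught by a diagnostic measure?
    measure: str = ""       # the diagnostic technique, if any


def split_unknown(item, mode, rate, measure="", detected=False):
    """The slide's rule for RAM/ROM/soft errors: 50 % dangerous, 50 % safe."""
    return [FmeaRow(item, mode, rate / 2, "dangerous", detected, measure),
            FmeaRow(item, mode, rate / 2, "safe")]


def diagnostic_coverage(rows):
    """DC of the block as a fraction 0..1; undefined without dangerous modes."""
    dd = sum(r.rate for r in rows if r.effect == "dangerous" and r.detected)
    du = sum(r.rate for r in rows if r.effect == "dangerous" and not r.detected)
    if dd + du == 0:
        raise ValueError("no dangerous failure mode in the FMEA: DC is undefined")
    return dd / (dd + du)


def dangerous_undetected(rows):
    """What is left to fix: dangerous modes with no diagnostic measure."""
    return [(r.item, r.failure_mode) for r in rows
            if r.effect == "dangerous" and not r.detected]


def add_measure(rows, item, mode, measure):
    """Return a copy of the FMEA where the dangerous mode (item, mode) is now detected."""
    return [FmeaRow(r.item, r.failure_mode, r.rate, r.effect, True, measure)
            if (r.item, r.failure_mode) == (item, mode) and r.effect == "dangerous"
            else r
            for r in rows]


# Constructed FMEA for a BMS logic block, following the sections on the slide.
SAMPLE_FMEA = [
    FmeaRow("48V->12V supply", "open circuit", 2e-8, "safe"),   # outputs de-energise: safe state
    FmeaRow("48V->12V supply", "voltage too high", 1e-8, "dangerous", True, "overvoltage monitor"),
    FmeaRow("48V->12V supply", "voltage too low", 1e-8, "dangerous", True, "brown-out reset"),
    *split_unknown("CPU RAM", "bit error", 4e-8, "RAM march test at start-up", True),
    *split_unknown("CPU ROM", "bit error", 2e-8, "CRC over program memory", True),
    *split_unknown("CPU", "soft error", 2e-8),                  # no measure yet
    FmeaRow("clock", "frequency drift", 1e-8, "dangerous", True, "watchdog with independent time base"),
    FmeaRow("voltage sensor", "short circuit", 1e-8, "dangerous"),   # no measure yet
    FmeaRow("CAN", "open circuit", 1e-8, "no_effect"),          # not in the safety path here
]


if __name__ == "__main__":
    print(f"DC = {diagnostic_coverage(SAMPLE_FMEA):.0%}")      # 75 % with the rows above
    print("still undetected:", dangerous_undetected(SAMPLE_FMEA))
    better = add_measure(SAMPLE_FMEA, "CPU", "soft error", "lockstep core comparison")
    print(f"DC after adding a measure = {diagnostic_coverage(better):.1%}")
```

With the constructed rows the block reaches DC = 75 % (“low” on the DCavg scale of the slides); `dangerous_undetected` lists the two rows that still need a diagnostic measure, and `add_measure` shows how covering one of them moves the DC, which is the loop a reviewer runs when a block falls short of the DCavg band the target PL needs.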

[Further tables of fault lists and permitted fault exclusions from ISO 13849-2:2012, shown as pictures.]
How to find the value of MTTFD?

1) Value from the component's supplier (e.g. data sheet or certificate; examples were shown as pictures).

2) Value from calculation, using:
  • B10D: number of cycles until 10 % of the components have failed dangerously
  • nop: mean number of annual operations (cycles/year)
  • tcycle: mean time between the beginning of two successive cycles of the component (s/cycle)
  • hop: mean operating time (hours/day)
  • dop: mean operating time (days/year)

Example 1: [worked B10D calculation shown as a picture]

How to calculate the MTTFD of semiconductors, passive components and other electronic components?

[Tables shown as pictures.]
• [Bullet on the MTTFD source for semiconductor and electronic components; the quoted source name was lost in extraction.]
Final value of MTTFD

MTTFD band of each channel:
  Low     3 years ≤ MTTFD < 10 years
  Medium  10 years ≤ MTTFD < 30 years
  High    30 years ≤ MTTFD ≤ 100 years

Calculation for two different redundant channels: [symmetrisation formula shown as a picture]

The MTTFD of each channel is limited to a maximum of 100 years.
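The B10D parameters and the bands above are enough to compute a channel's MTTFD. The following Python is an added example, not code from the slides or from TÜV Rheinland. It uses the formulas of ISO 13849-1 Annex C and Annex D: nop = dop · hop · 3600 / tcycle, MTTFD = B10D / (0.1 · nop), the parts-count rule 1/MTTFD_channel = Σ 1/MTTFD_i, and the symmetrisation of two different channels MTTFD = 2/3 · (C1 + C2 − 1/(1/C1 + 1/C2)). The B10D values and operating profile are constructed, and the 100-year cap follows the slide (the 2015 edition of the standard allows up to 2500 years per channel for Category 4 only, which this example does not model).

```python
"""MTTFD helpers for ISO 13849-1 style calculations (added example).

Assumptions (not from the slides): B10D-based estimate per ISO 13849-1 Annex C
(nop = dop * hop * 3600 / tcycle, MTTFD = B10D / (0.1 * nop)); parts-count
combination of the parts of one channel per Annex D (1/MTTFD = sum(1/MTTFD_i));
symmetrisation of two different redundant channels per Annex D; each channel
capped at 100 years as the slide states.
"""


def n_op(d_op: float, h_op: float, t_cycle: float) -> float:
    """Mean number of annual operations.

    d_op: operating days per year, h_op: operating hours per day,
    t_cycle: seconds between two successive cycles of the component.
    """
    if t_cycle <= 0:
        raise ValueError("t_cycle must be positive")
    return d_op * h_op * 3600.0 / t_cycle


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFD in years from B10D (cycles until 10 % have failed dangerously)."""
    if nop <= 0:
        raise ValueError("nop must be positive")
    return b10d / (0.1 * nop)


def mttfd_channel(part_mttfds, cap_years: float = 100.0) -> float:
    """Parts-count MTTFD of one channel, capped at cap_years (100 on the slide)."""
    parts = list(part_mttfds)
    if not parts:
        raise ValueError("a channel needs at least one part")
    return min(1.0 / sum(1.0 / m for m in parts), cap_years)


def mttfd_two_channels(c1: float, c2: float, cap_years: float = 100.0) -> float:
    """Symmetrised MTTFD of two different redundant channels (Annex D):
    MTTFD = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2)), then capped."""
    combined = 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))
    return min(combined, cap_years)


def mttfd_band(years: float) -> str:
    """Bands from the slide: low 3..<10, medium 10..<30, high 30..100 years."""
    if years < 3:
        return "not acceptable"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def guard_channel_example():
    """Constructed case: guard interlock channel, 220 d/a, 16 h/d, one cycle per 60 s.

    Position switch B10D = 2,000,000 cycles and contactor B10D = 1,300,000 cycles
    are assumed values for illustration.
    """
    nop = n_op(220, 16, 60)                         # 211200 cycles/year
    switch = mttfd_from_b10d(2_000_000, nop)        # ~94.7 years
    contactor = mttfd_from_b10d(1_300_000, nop)     # ~61.6 years
    channel = mttfd_channel([switch, contactor])    # ~37.3 years -> "high"
    return {"nop": nop, "switch": switch, "contactor": contactor,
            "channel": channel, "band": mttfd_band(channel)}


if __name__ == "__main__":
    r = guard_channel_example()
    print({k: (round(v, 2) if isinstance(v, float) else v) for k, v in r.items()})
    # A second, electronic channel of 20 years, combined with the electromechanical one:
    print(round(mttfd_two_channels(r["channel"], 20.0), 2), "years")
```

The point to take from the numbers: two individually “high” parts (94.7 and 61.6 years) combine to 37.3 years for the channel, still “high” but close to the 30-year boundary, so adding one more low-MTTFD part to the same channel can drop the band and with it the reachable PL; the cap also means that claiming more than 100 years for a channel buys nothing in the simplified procedure.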
Estimates for diagnostic coverage (DC)?

[Table of diagnostic measures and their DC values, shown as pictures.] Examples of the measures:
• Validity check, e.g. use of mechanically linked NO and NC contacts
• Dynamic test, e.g. of an interlocking device per EN ISO 14119
FS approved safety module (Logic subsystem): correspondence of PL with SIL and PFH

PL   SIL (IEC 61508-1, high/continuous mode of operation)
a    no correspondence
b    1
c    1
d    2
e    3

PL   Average probability of dangerous failure per hour (PFH), 1/h
a    ≥ 1e-5 and < 1e-4
b    ≥ 3e-6 and < 1e-5
c    ≥ 1e-6 and < 3e-6
d    ≥ 1e-7 and < 1e-6
e    ≥ 1e-8 and < 1e-7

Estimates for diagnostic coverage (DC)? Contact types used for monitoring:

Forcibly-guided contacts (EN 50205)

Mechanically-linked contacts (IEC 60947-5-1/A2 ed. 2, Annex L), e.g. in a control relay

Power contacts and mirror contacts: NC mirror contact, mechanically linked to the power poles (IEC 60947-4-1, Annex F)

Direct monitoring & indirect monitoring [figure]
Final value of DCavg

DCavg band:
  None    DC < 60 %
  Low     60 % ≤ DC < 90 %
  Medium  90 % ≤ DC < 99 %
  High    DC ≥ 99 %

• The average diagnostic coverage DCavg is estimated by the formula of ISO 13849-1 Annex E [formula and worked example shown as a picture].
How to decide the value of CCF?

• The quantification of CCF should be carried out for the whole system; every part of the SRP/CS should be considered.
• The measures and their associated score values are based on engineering judgement.
• For each measure listed, only the full score or nothing can be claimed; if a measure is only partly fulfilled, its score is zero.
• The CCF score is estimated with Table F.1 of ISO 13849-1; a total of 65 points or more is required.

Estimates for common cause failure (CCF)? [Table F.1 measures and scores, shown as pictures.]
Relationship between Category, MTTFD, DC and PL


Simplified procedure for PL

1. Category (architecture)
2. MTTFD of each channel
3. DCavg
4. CCF (measures against common cause failure, score ≥ 65 where required)

Read the PL from the Category / MTTFD / DCavg table and check PL ≥ PLr.
Example 1

The key features of these safety-related parts are therefore:
— one channel of electromechanical components;
— position switch SW1A (NC) has positive mechanical action of the contact and a high B10D;
— contactor relay K1A has a high B10D.

The position switch and contactor relay in this example are both well-tried components when implemented according to ISO 13849-2.

[Example 1 and Example 2: circuit and block diagrams shown as pictures.]

Safety-related application software (SRASW)

• Tools, libraries, languages
• Software coding
• Testing
• Verification
• Modifications
Documents expected for SRASW assessment:

 1. Information on the development environment: MCU type name; development language; development tools
 2. Safety function specifications: specific explanation of the safety functions, including response time
 3. Software architecture specifications: overall software architecture; specific explanation of the safety-function-relevant software; specific explanation of the diagnostic software implemented
 4. Hardware architecture specifications: overall hardware architecture; MCU resource configuration
 5. Evidence of traceability: the traceability confirmation, e.g. static analysis record
 6. Safety function validation records: validation records of all safety functions
 7. Software diagnostic measures test records: test records of all software diagnostic measures
 8. Source code list: with version number
 9. Source code: with version number
10. Software version table with ROM checksum: software identification; specific modification records

If necessary, additional documents will also be requested.

Definition of SF, SB, BL and channels

[Figure: a safety function (SF) realised by subsystems (SB) made up of blocks (BL), arranged in channel 1 and channel 2; a second figure shows a Category 1 subsystem with a single channel and its blocks.]

2021/10/21
Thank you for your attention.


Vickey Chen
02-2172-1561
0919 828 889
TÜV Rheinland Taiwan Ltd.
E-Mail: vickeycc.chen@tuv.com

LEGAL DISCLAIMER
This document remains the property of TÜV Rheinland. It is supplied in confidence solely for information purposes for the recipient. Neither this document nor any
information or data contained therein may be used for any other purposes, or duplicated or disclosed in whole or in part, to any third party, without the prior written
authorization by TÜV Rheinland. This document is not complete without a verbal explanation (presentation) of the content.
TÜV Rheinland AG
