
ISO 13849-1 PL

Calculations Simplified
Heinz Knackstedt
Safety Engineer
C&E sales, inc.

page 1
Cats, SILs and PLs… Oh My !!!

Or
What is
ISO 13849-1:2015

page 2
The “Spectrum” Within a EN954-1 Category

[Figure: two circuits side by side. Left: three PE (photoelectric) sensors with a standard dedicated PLC, the monitoring connections to the PLC shown in red, and a switched K1 output (K1, V1). Right: a Type 2 Safety Light Curtain and Interface Module (IM) driving V1.]

BOTH are Structure Category 2, but is their Safety Performance Level the same?

These two circuits are both identified as being the “same” category. But, do they provide the same level of risk reduction performance?

There may be “logical” arguments for preference of one design over the other, but there is no rigor to the evaluation using EN954-1:1996

page 3
Which is the better safety circuit?

It has been a judgement call, based on experience.

That was the problem so, what to do?

page 4
We will get back to this
example after we examine the
concepts embodied by ISO
13849-1:2015

page 5
Objectives of the New Machinery
Functional Safety Standards
• Replace “Qualitative” with “Quantitative” performance
metrics of the Safety Related Parts of the Control Systems
(SRP/CS)
• For a required level of risk reduction, as determined by the
Risk Assessment, DEFINE the MINIMUM Safety System level
of performance which may be utilized to achieve a risk
reduction to an acceptable level
• What is Functional Safety
– Control based Risk Reduction Measure which, if it fails to danger,
immediately increases risk back to the original level
• Safety Light Curtains, Safety Modules and PLC, Interlocked Guards,
Two-Hand-Anti-Tie-Down, Robotic Safe Speed
• Fixed Guards and PPE are not part of functional safety

page 6
What Are
• MTTFD Mean Time to Dangerous Failure
– Average value of operating time without a failure to danger for a
component or channel
– Typically given in years
• PFHD Probability of Failure to Danger per Hour
– Statistical probability of Failure to Danger of a system or sub-
system based on its:
• Channel(s) MTTFD
• Ability to detect failures to danger and to eliminate the
hazard having sustained that fault
• Robustness against Common Cause Failure
– Given in Failure/hour
– For Cat B and Cat 1 and single components it is
• λD = 1/(MTTFD) if MTTFD is expressed in hours

page 7
Performance Level PL

Performance Level PL:
– Discrete value used to specify the ability of the Safety Related Parts of Control System (SRP/CS) to perform a safety function under foreseeable conditions.

page 8
Performance Level PL
Performance Level is a discrete value of the PROBABILISTIC
occurrence of a failure to danger expressed as Probability of
Dangerous Failures per Hour, PFHD
– Failure of a Channel is the Mean Time to Dangerous Failure,
MTTFD of its components, typically expressed in years
• For non-monitoring structures, system failure rate depends
solely on MTTFD of its components
– Failure of a monitored single or dual channel system is the
Probability of Dangerous Failure per Hour PFHD
• Its failure rate is lower than the MTTFD of its components
due to monitoring which, upon detecting a failure to
danger, removes the hazard before the control system has
an opportunity to fail to danger

page 9
PFHD

BGIA Report 2/2008e


page 10
Graph for determining required PLr

[Figure A.1 ISO 13849-1:2015 (adapted): risk graph from the starting point through S (severity) S1/S2, F (frequency/exposure) F1/F2 and P (possibility of avoidance) P1/P2 to the required PLr a through e. Note: λD = 1/(8760 × MTTFD); one year of 24/7 = 8760 hr, or just under 10⁴ hours.]

PLr for Safety Function | PFHD | EN954-1 | ISO 13849-1:2015 | IEC 62061
a | < 3.8 × 10⁻⁴ | B | a | N/A
b | < 10⁻⁵ | 1 | b | SIL 1
c | < 3 × 10⁻⁶ | 2 | c | SIL 1
d | < 10⁻⁶ | 3 | d | SIL 2
e | < 10⁻⁷ | 4 | e | SIL 3

Note: Correlation of risk levels between EN-954-1 and ISO 13849 or IEC 62061 are not identities, but are given for relative comparisons only

Adapted from Appendix A, Fig A.1 ISO 13849-1-2015
page 11
The FOUR Legged Stool of ISO 13849-1,2:2015

[Figure: a four-legged stool. Seat: FUNCTIONAL SAFETY RISK REDUCTION MEASURE CAPABILITY. Legs: Structure (Circuit Configurations); MTTFD (Mean Time To Dangerous Failure); DC (Diagnostic Coverage); CCF (Common Cause Failure). Floor: Risk Assessment, the basis of design of the Safety Function. The underpinning: Verification and Validation, does it meet the design requirements?]
page 12
ISO 13849-1:2015
Each Performance Level PL is defined by FOUR specific, quantitative, requirements

1. Category (Cat.), also known as STRUCTURE
   How the components in the SRP/CS are interconnected
2. Mean time to dangerous failure of the Channel(s) (MTTFD)
   MTTFD from manufacturer of electronic components
   B10D cycles from manufacturer for wear components
   MTTFD is then calculated from the application cycle rate

page 13
ISO 13849-1:2015
3. Diagnostic Coverage (DC and DCavg) in %
   DC: Ratio of Detected Failures to Danger to all Failures to Danger which result in the loss of the Safety Function, for a component or sub-system
   DCavg: Rate of failures to danger detected divided by the rate of all failures to danger for ALL COMPONENTS in the SRP/CS
4. Common Cause Failure (CCF)
   How well does the design and construction prevent CCF

Verification is part of the process
   Do the components of choice, in the proposed structure, meet the requirement of the risk reduction per the PLr as determined by the Risk Assessment

page 14
The process to meet PLr
• Evaluate the four parts of the Performance
Levels:
– Category (Cat.)
– Mean Time To dangerous Failure (MTTFD)
– Diagnostic Coverage (DCavg)
– Common Cause Failure (CCF)
• The structure of the Safety Related Parts of the
Control System and how the failure of each
component affects the safety performance of
the safety control system

page 15
Functional Safety-Related Block Diagram

[Figure: three blocks in series, Sensors (Status), Logic (What, When) and Outputs (How), linked by Communication; “Smart” Sensors, Safety Capable logic and “Smart” Actuators each with an Internal Monitor, and Monitoring paths between the blocks.]

• Each circuit has these three elements of either:
  • Individual components
  • Sub-systems, with internal monitoring, which perform that function
• A failure in any block in the series safety-related block diagram can lead to the loss of the safety function
• To evaluate safety performance, each proposed SRP/CS must be broken into a block diagram of Series Safety Failure Events
• Note: this includes the interconnection of the blocks

page 16
Functional Safety-Related Block Diagram
• Sensor Logic Output
• Each circuit has at least these three functions composed
of either :
• Individual elements (components)
• Interlock limit switch, contactor
• Sub-systems of components in a specific structure
which are grouped to perform that function
• Encapsulated sub-system sold as stand alone
functions as independent SRP/CS
• Will have their own published PFHD
• Safety Light Curtain, Safety Interlock Module,
VFD Safe Stop Controller
• The final power device such as the motor or cylinder
is not included in the safety-related block diagram

page 17
Safety Function Block Rules
• All items which can lead to the loss of safety are
shown in “Series”
• Items which provide an alternate means of
performing the safe shut down function when one
component fails are shown in “Parallel”
• Do not confuse the electrical or fluid power flow
with the orientation of the safety function block
– EX: A Safety Interface Module used for Manual Suspension of a
Door Interlock has it contacts in parallel with those of the Door
Interlock SIM BUT:
– The safety function block shows them in a series flow since the
failure of the Manual-Suspension SIM to drop out, leads to a
failure to danger of the Door Interlock Safety Function, as it can
no longer perform its safety function

page 18
Safety-related Block Diagram
• Devices whose failure to danger causes the loss of the system safety function are shown as series blocks
  [I1] – [L1] – [O1]

• Devices whose failure to danger do not cause the immediate loss of the system safety, because another element can continue the lost function, are shown in parallel with that device(s). Either O1 or O2 can shut down the hazard
  [I1] – [L1] – [O1]
               – [O2]

• The order of the components is not significant
  – This can simplify calculations and entry into calculation packages.
  [I1 / I2] – [L1] – [O1 / O2]  =  [L1] – [I1 / I2] – [O1 / O2]

page 19
Safety Function Block Rules
• Some PLC and remote devices may have
separate components such as I/O modules in
addition to the logic unit.
• Example: PLC Remote I/O, Smart drive
with field bus
• Safety-related Block Diagram includes the
hardware for interconnection of the blocks
• Example: Hard Wire integrity
Safety Networks
Safety Wireless Remote I/O

page 20
Devices may be simple or complex sub-systems, each with its own individual S, L, and O functions

[Figure: sub-systems in series, labelled PFHD,S (sensor), PFHD,L (logic) and MTTFD,Q (output).]

Adapted From Fig 6.13 BGIA Report 2-2008e


page 21
[Figure 8.28 BGIA Report 2/2008e: Scanner → Safety PLC → 3-way dump valve (1V3) and pilot-check directional valve (1V4) controlling the hazardous movement; pressure switch 1S3.]

Note that the Pressure Switch 1S3 is not part of the Safety-related Block Diagram as its failure does not directly lead to the loss of the safety function. It is shown as a component of the safety-related diagram.

The undetected failure of 1S3 will result in the reduction of the PL of the SRP/CS as its function in Diagnostic Coverage, to detect the safety critical function of 1V4 and 1V3, is now lost.

If possible, the pressure switch should be checked for cycling within the safety circuit. If this is not possible, it should be monitored in the control circuit. Since pressure switches are typically not available with Force Guided contacts, monitor the cycling of one of its contacts, or add an intervening FG relay and monitor both its N.O. and N.C. contacts.

Fig 8.28 BGIA Report 2/2008e


page 22
Identify the Category (Structure)
Cat B & Cat 1 = Single Channel

Cat 2 = Single Channel with Monitoring

Cat 3 & Cat 4 = Dual Channel w/ Monitoring

page 23
Graphical representation of the
four ISO 13849-1:2015 quantitative
measures of the SRP/CS

page 24
ISO 13849-1:2015 retains “Categories” as ONE of the components of determining a Performance Level. Also called Structure.
If a circuit cannot be reduced to one of these categories, ISO 13849-1:2015 simplified calculations may not be used

[Figure 5 ISO 13849-1:2015 (adapted): PL a–e versus Category B, 1, 2, 3, 4 and DCavg, with bands for MTTFd Low, Med and High.]

Adapted from Fig 5 ISO 13849-1:2015


page 25
The Process to Meet PLr
• Evaluate the four parts of Performance
Levels:
– Category (Cat.)
– Mean Time To dangerous Failure
(MTTFD)
– Diagnostic Coverage (DCavg)
– Common Cause Failure (CCF)

page 26
The Process to Meet PLr
• The operational time of use at which the
component reaches its Mean Time to Dangerous
Failure is based on the device and its application
– Electronics: Measured by on-line time
– Mechanically based component which has a
wear out mechanism:
• Time of use to reach 10 x B10D number of
cycles at the cycle rate of the application
–B10D is the number of cycles at which
10% of test group failed to danger
• Typically expressed in terms of years

page 27
MEAN TIME TO DANGEROUS FAILURE
In order for the value of ISO 13849-1:2015 to be realized, one must accept the validity of Statistical Mathematics.

FACT

MTTFD is a statistical value which in NO WAY MEANS “Guaranteed Lifetime”, or “Failure-Free-Time”, “Time to First Failure” or any other such concept

It is a numerical value, usually stated in years, which permits the calculation, in percent, of a probability of failure to danger during a given period of use

MTTFD in years can be converted to a Failure to Danger Rate in terms of failures per hour, λD, typically based on 24 hours/day, 365 days per year:
λD (per hr.) = 1 / (MTTFD (yr.) × 8760 hr./yr.)
MTTFD of one year of 24/7 is a λD of 1.14 × 10⁻⁴ failures per hour (1.14E-4)

page 28
Mean Time To DANGEROUS Failure MTTFD
One of the quantifiable aspects to the contribution of reliability that is measured in time, of hours or years of use
– Used to predict the Percent of DANGEROUS failures in a population over a defined time period of use
– Not to be confused with Mean Time To (ALL) Failure (MTTF) data
– Assumes constant failure rate over time by ignoring the two curved ends of the “Bath Tub” failure rate curve
  • Infant mortality by good product design and manufacturing and/or burn in
  • Wear out by replacement AT or BEFORE B10D is reached

[Figure: bath-tub failure rate curve; left end “Infant mortality excluded by manufacturing controls and burn in”, right end “B10D has been reached”.]

Adapted from Fig. D.1 BGIA 2/2008e


page 29
Distribution of Failures to Danger
%f(t) = 1 − e^(−λt)

[Figure: percentage FAILED and INTACT versus time of use on a logarithmic scale, for λ = 1.9×10⁻⁵ (PLb), 6.3×10⁻⁶ (PLc) and 1.9×10⁻⁶ (PLd); at tuse = 1/λd, 63% have failed and 37% remain intact; other marked points are 4%/96%, 5%/95% and 74%/26%.]

page 30
Individual Channel Performance
%f(t) = 1 − e^(−λt)

[Figure: %f(t) versus time for channel MTTFD of 3y, 10y, 30y and 100y; each curve reaches 63.2% failed at t = 1/λ.]

• Channel MTTFD of 3 years and less is not acceptable for safety controls since 1/3 would fail to danger within the first year
• Single channel capped at 100 year (Exc. Cat 4)

Adapted from “A New Approach to Machine Safety”
Schmersal IPEC Industrial Controls Ltd
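The conversion from MTTFD in years to λD per hour (slide 27) and the failure distribution %f(t) = 1 − e^(−λt) of slides 29 and 30 are small enough to carry through in code. The following Python is an added example, not part of the original presentation; it assumes the 8760 hours per year of 24/7 operation the slides use, and the horizons in the demo are constructed.

```python
import math

HOURS_PER_YEAR = 8760  # 24 h/day x 365 days, the 24/7 assumption used on the slides


def lambda_d_per_hour(mttfd_years: float) -> float:
    """Dangerous failure rate lambda_D (failures/hour) from MTTFD in years:
    lambda_D = 1 / (MTTFD[yr] x 8760 hr/yr)."""
    if mttfd_years <= 0:
        raise ValueError("MTTFD must be positive")
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def mttfd_years_from_lambda(lambda_d: float) -> float:
    """Inverse conversion: MTTFD in years from a per-hour dangerous failure rate."""
    if lambda_d <= 0:
        raise ValueError("lambda_D must be positive")
    return 1.0 / (lambda_d * HOURS_PER_YEAR)


def fraction_failed(mttfd_years: float, t_years: float) -> float:
    """F(t) = 1 - exp(-lambda t): share of a population with a constant dangerous
    failure rate expected to have failed to danger by time t.
    With both arguments in years, lambda t = t / MTTFD, so no unit conversion is needed."""
    if t_years < 0:
        raise ValueError("time must be non-negative")
    return 1.0 - math.exp(-t_years / mttfd_years)


def fraction_intact(mttfd_years: float, t_years: float) -> float:
    """Complement of fraction_failed: the INTACT share of the population at time t."""
    return 1.0 - fraction_failed(mttfd_years, t_years)


def failure_profile(mttfd_years: float, horizons_years) -> dict:
    """Percent failed at each horizon, e.g. the 3y/10y/30y/100y curves on the slide."""
    return {t: round(100.0 * fraction_failed(mttfd_years, t), 1) for t in horizons_years}


if __name__ == "__main__":
    print(f"MTTFD 1 yr -> lambda_D = {lambda_d_per_hour(1):.3e} /hr")
    # constructed horizons of 1, 10 and 20 years for the four channel MTTFD values of the slide
    for mttfd in (3, 10, 30, 100):
        print(f"MTTFD {mttfd:>3} yr: % failed after 1, 10, 20 years ->", failure_profile(mttfd, (1, 10, 20)))
    # at t = 1/lambda (t = MTTFD) the failed share is always 63.2 %, whatever the MTTFD
    print(f"failed at t = MTTFD: {100 * fraction_failed(10, 10):.1f}%")
```

Running it shows why the slide rejects channels of 3 years or less: the 3-year curve already has about 28% of the population failed to danger after the first year, while the 100-year channel is at 1%.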
page 31
Component Failure
• Electronics (non wear) are assumed to have a linear failure distribution
  – Life dependent on hours of use, powered, “on-line”
• Mechanical Components
  – “Well Tried” proven performance in similar applications
  – Wear out typically driven by number of cycles under load
  – B10 Life: cycles of use where 10% of a test population has failed
    • Use 10×B10D or 2×10×B10 (assumes 50% of all failures are to danger) to obtain Mean Cycles to Failure, MCTF
  – MTTFD is calculated using the Use Profile (nop) of the component
  – MTTFD = 10 B10D / nop = (10 × B10D × tcycle (sec)) / (Days/Year × Hours/Day × 3600 sec/Hour)
• Replace after usage reaches B10D life at T10D = B10D / nop or 20 Years

page 32
Vendor Data
• Safety Products previously Certified by a Notified Body (3rd Party) as meeting a Category per EN954-1:1996 may not be automatically extended/converted to a SIL or PL
• Each must be re-certified to the new standard(s)
  – This is an expensive endeavor (10-15K $ each)
    • Requires economic justification, by product
  – This does NOT mean that a product is no longer safe, just that it has not been validated to the newest standard
  – May be freely used in the US as ISO 13849-1 is not an American Standard
    • Exception if conformance to RIA15.06:2012 is required since it includes ISO 13849-1:2006 performance level (PL) requirements

page 33
Vendor Data
• There are four types of functional safety
products
– Electronic components
• Primarily photo-electric and inductive sensors
– Electronic sub- systems
• Safety Light Curtains w/ Solid State output, RFID
safety sensors
• Contain self-test to provide PFHD , PL, and/or SIL

page 34
Vendor Data
– Mechanical components for use as part of a SRP/CS
• Limit switches, relays, contactors, switches, fluid power valves
– Used with Input, Logic, and Output components
– Period of use until replacement, T10D ,must be calculated from
B10D and application use rate
• May have dual B10D data for mechanical and for electrical cycle
life (including variations due to load/power level) .
– Electro-mechanical sub-systems
• Safety Interface Module with Relay output
• Internal failure is detected by the product and included in the
vendor’s published PFHD , PL, or SIL
– Check for MTTFD of relays based on load and cycle rate to
calculate T10D

page 35
Electronic with Relay output

page 36
[Figure: vendor data sheets for a Limit Switch, a Safety Light Curtain and a Safety Controller.]

Note: Additional application data must be followed for given values of B10 or B10D to be valid
• Construction details ex: direct operating
• Often given with restrictions, most often loading, approach speed, and cycle rate

Note: These last two specifications certify the acceptable performance of specific logic safety function blocks

page 37
Electromechanical Components
• High Current Rating
  If higher loads must be switched through one or more of the contacts, the minimum and maximum values of the contact(s) change to:
  • UL Listed: Min voltage: 15V ac/dc; Min current: 30 mA ac/dc; Min power: 0.45 W (0.45 VA); Max: 250V ac / 24V dc, 6 A resistive - B300, R300 per UL508
  • CE: Min voltage: 15V ac/dc; Min current: 30 mA ac/dc; Min power: 0.45 W (0.45 VA); Max: 250V ac / 24V dc, 6 A resistive - IEC 60947-5-1: AC15: 230V ac, 3 A; DC-13: 24V dc, 2 A
• Mechanical life Mm
  • ≥ 50,000,000 operations
• Electrical life (switching cycles of the output contacts, resistive load) Mc
  • 150,000 cycles @ 900 VA
  • 1,000,000 cycles @ 250 VA
  • 2,000,000 cycles @ 150 VA
  • 5,000,000 cycles @ 100 VA
  Note specific B10 for each VA loading
• NOTE: Transient suppression is recommended when switching inductive loads. Install suppressors across load. Never install suppressors across output contacts (see Warning in Overvoltage Cat II and III).
• Output Response Time
  • 35 ms max.

[Figure: Safety-related block diagram of the Output of this component: Mm – Mc in series.]

page 38
Electro Mechanical Component

page 39
Safety PLC and Controllers
• Failure mode data may be given in different
forms
– Controllers which are self contained have data which
includes failure mode of their input and output
hardware
• If relay output, may have B10D of the contacts
– PLC which have selectable input and output modules
have the main frame values independent of their I/O
• The B10D or PFHD of the I/O may be device specific
• Are added as individual items to safety related
block diagram
– Communication between modules such as wire
network, wireless, and fiber optical have a separate
PFHD for those devices

page 40
Remote I/O and Safety PLC

[Figure 8.42 BGIA 2/2008e (adapted): sensors B1 (gate interlock) and S1, remote I/O modules K1 and K2, safety PLCs K3 and K4, horn P1 and drive T1.]

Note each PLC K3, K4 has an independent remote I/O module K1, K2

S1 and the horn P1 are a Cat 2 warning sub-system

T1a is a SS1
T1B is a SLS

A separate safety function is developed for the Gate interlock by replacing S1 data with B1 and using the same remaining configuration

Adapted from Fig. 8.42 BGIA 2/2008e


page 41
B10D examples of “Well Tried” components

[Partial Table C.1 ISO 13849-1:2015: typical B10D values of well-tried components.]

Cycle/year variation provides a variation factor of 10×
Loading variation provides a variation factor of 50×

When used per Manufacturer’s or Designer’s use specification, some adjustment for duty cycle and loading is allowed/required. “Full Load” applies not only to electrical load but extreme conditions or marginal operating conditions

Partial Table C.1 ISO 13849-1-2015


page 42
B10D for Electronic Devices

Tables C.2 C.3 ISO 13849-1-2015


page 43
MTTFD Classification

Denotation of each channel | Range of MTTFD of each channel | λD of each channel
Low | 3 years ≤ MTTFD < 10 years | 3.81×10⁻⁵/hr to 1.14×10⁻⁵/hr
Medium | 10 years ≤ MTTFD < 30 years | 1.14×10⁻⁵/hr to 3.81×10⁻⁶/hr
High | 30 years ≤ MTTFD ≤ 100 years | 3.81×10⁻⁶/hr to 1.14×10⁻⁶/hr

The limitation of MTTFD of each channel values to a maximum of 100 years refers to the single channel of the SRP/CS which carries out the safety function. Higher MTTFD values can be used for single components

How to determine the MTTFD value of a component or sub-system
1. Manufacturer’s data in Powered time or B10D cycles
2. Table Annex C of ISO 13849-1:2015
3. Parts Count in Annex D of ISO 13849-1:2015
4. Choose ten years (i.e. “Medium”).

Adapted from Table 4 ISO 13849-2-2015
page 44
Capability of the SRP/CS in Order to Achieve a Given PL
[Figure 5 ISO 13849-1:2015 (symmetrized): PL versus Category and DCavg for channel MTTFD Low, Med and High.]

Adapted from Fig 5 ISO 13849-1:2015


page 45
The Process to Meet PLr
Evaluate the four Quantitative parts of the
Performance Levels:
– Category (Cat.)
– Mean Time To dangerous Failure
(MTTFD)
– Diagnostic Coverage of a Component
(DC) or Channel(s) Diagnostic Average
Rate (DCavg)
– Common Cause Failure (CCF)

page 46
The Process to Meet PLr
• DC The percentage of a component’s
failures to DANGER which are DETECTED
divided by ALL of its failures to DANGER
• DCavg For Channels,
• The ratio between the failure rate of
detected dangerous failures and the
failure rate of total dangerous failures of
all components in the SRP/CS

page 47
Diagnostic Coverage
• DC: Ratio of Detected Failures to danger to All Failures to danger

• DCavg: The Diagnostic Coverage for the SRP/CS is the ratio of the failure rate of detected failures to danger to the failure rate of all failures to danger of the individual components (not complete sub-systems with their own PFHD).

DCavg = Σ (DCn / MTTFD,n) / Σ (1 / MTTFD,n)

page 48
Diagnostic Coverage for Components and Channel(s)

Note: For SRP/CS consisting of several parts an average value, DCavg, is used for DC in
Fig 5 and Table K
• Determine the DC for each component or sub-system
– Percentage of dangerous failures detected
• For an estimation, in most cases, failure mode and effects
analysis (FMEA) or similar methods can be used
• A “simplified” approach to estimating DC, using design and
construction characteristics (see Annex E ISO 13849-1:2015).
• Obtain DCavg or use worst case DC of a high failure rate
component

Table 6 ISO 13849-1:2015


page 49
Electro Mechanical Component

page 50
Diagnostic Coverage (DC)
A table is given in ISO 13849-1:2015 Annex E for examples (for additional estimations, see IEC 61508-2)

Adapted from Table E.1 ISO 13849-1:2015


page 51
DC and DCavg

Adapted from Table E.1 ISO 13849-1:2015


page 52
Capability of the SRP/CS in Order to Achieve a Given PL

[Figure 5 ISO 13849-1:2015 (symmetrized): PL versus Category and DCavg for channel MTTFD Low, Med and High.]

Adapted from Fig 5 ISO 13849-1:2015


page 53
The Process to Meet PLr

Evaluate the four parts of the


Performance Level:
• Category (Cat.)
• Mean Time To dangerous Failure (MTTFD)
• Diagnostic Coverage (DCavg)
• Common Cause Failure (CCF)

page 54
Common Cause Failure
Common Cause Failure CCF: failures of different
items, resulting from a single event, where
these failures are not consequences of each
other.
– Causing simultaneous failures in two separate
devices rendering DC ineffective
• EX: two positively mounted limit switches on a common
base
• (see Annex F ISO 13849-1:2015)
– Applicable to Categories 2, 3, and 4
• Those which have component monitoring

page 55
Common Cause Failure
Table F.1 (worksheet) lists CCF reduction measures and contains associated values, based on engineering judgment, which represent the contribution each measure makes to the reduction of common cause failures
• For each listed measure, only the full score or nothing can be claimed. If a measure is only partly fulfilled, the score according to this measure is zero.
• Sufficient measures against CCF to claim DC > 60% require the attainment of a minimum score of 65 out of 100 from Table F.1.
  – An initial score of less than 65 requires implementation of additional CCF reduction measures to reach an acceptable score, else no diagnostic coverage may be claimed.

page 56
Table F.1 Common Cause Failure (CCF) worksheet

Clause | Measure Against CCF | Score
1 | Separation/segregation | 15
2 | Diversity | 20
3 | Design/application/experience |
3.1 | Protection against over-voltage, over-pressure, over-current etc. | 15
3.2 | Components used are “WELL TRIED” | 5
4 | Assessment/analysis | 5
5 | Competence/training | 5
6 | Environmental (all according to Manufacturer’s Specifications) |
6.1 | Pertaining to the power source for electrical and fluid power: EMI, RFI, Filtration, Drainage, Dirt Entry | 25
6.2 | Temperature, Humidity, Dust, Shock, Vibration | 10

Must reach a score of at least 65 for Cat 2, 3, or 4 structure to claim a DC
All components in channel must meet requirement to get score > 0. No partial scores

Data From Table F.1 ISO 13849-1:2015
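The all-or-nothing scoring of the worksheet is easy to get wrong by hand when a measure is only partly met. The following Python is an added example, not part of the original presentation; the clause numbers and scores are those listed on the slide, the 65-point threshold is the slide's, and the sets of measures in the demo are constructed.

```python
# Table F.1 measures and scores as listed on the slide, keyed by clause number
CCF_MEASURES = {
    "1":   ("Separation/segregation", 15),
    "2":   ("Diversity", 20),
    "3.1": ("Protection against over-voltage, over-pressure, over-current", 15),
    "3.2": ("Components used are well tried", 5),
    "4":   ("Assessment/analysis", 5),
    "5":   ("Competence/training", 5),
    "6.1": ("Power source: EMI, RFI, filtration, drainage, dirt entry", 25),
    "6.2": ("Temperature, humidity, dust, shock, vibration", 10),
}
CCF_PASS_SCORE = 65  # minimum out of 100 to claim DC for a Cat 2, 3 or 4 structure


def ccf_score(fully_met) -> int:
    """All-or-nothing: a clause scores its full value only when it is listed as fully met
    for every component in the channel; anything partly met is simply left out of the set."""
    met = set(fully_met)
    unknown = met - CCF_MEASURES.keys()
    if unknown:
        raise ValueError(f"unknown clause(s): {sorted(unknown)}")
    return sum(score for clause, (_, score) in CCF_MEASURES.items() if clause in met)


def ccf_sufficient(fully_met) -> bool:
    """True when the worksheet reaches the 65-point threshold."""
    return ccf_score(fully_met) >= CCF_PASS_SCORE


def claimable_dc(dc: float, fully_met) -> float:
    """DC that may be entered into the PL evaluation: the measured DC if CCF is
    sufficient, otherwise zero (no diagnostic coverage may be claimed)."""
    return dc if ccf_sufficient(fully_met) else 0.0


def shortfall(fully_met) -> list:
    """Clauses not yet met, largest score first, to see which measures would close the gap."""
    met = set(fully_met)
    missing = [(clause, name, score) for clause, (name, score) in CCF_MEASURES.items() if clause not in met]
    return sorted(missing, key=lambda m: -m[2])


if __name__ == "__main__":
    # constructed design: separation, diversity, over-voltage protection and power-source measures fully met
    design = {"1", "2", "3.1", "6.1"}
    print(f"score {ccf_score(design)} -> sufficient: {ccf_sufficient(design)}")
    # constructed design that only half-implements separation (so clause 1 is not claimed)
    weak = {"2", "6.1", "6.2"}
    print(f"score {ccf_score(weak)} -> claimable DC for a 99 % channel: {claimable_dc(0.99, weak)}")
    print("still missing:", shortfall(weak))
```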


page 57
Electro Mechanical component

page 58
Capability of the SRP/CS in Order to Achieve a Given PL
[Figure 5 ISO 13849-1:2015 (symmetrized): PL versus Category and DCavg for channel MTTFD Low, Med and High; CCF score of 65% or higher.]

Adapted from Fig 5 ISO 13849-1:2015


page 59
Four Quantitative Measures to Achieve a Required PL

Category | B | 1 | 2 | 2 | 3 | 3 | 4
DCavg | None | None | Low | Medium | Low | Medium | High
MTTFD of each channel: Low | a | Not covered | a | b | b | c | Not covered
MTTFD of each channel: Medium | b | Not covered | b | c | c | d | Not covered
MTTFD of each channel: High | Not covered | c | c | d | d | d | e

Also see graphic representation

Table 6 ISO 13849-1:2015


page 60
Safety System Defined
• We have now identified sufficient data to provide an
estimate of the PL of a safety circuit proposal
• Impact of structure and fault detection
– The MTTFD of a Cat B or 1 is a function ONLY of the
failure rates of its parts
– The PFHD of a Cat 2, 3 or 4 system is greater than that of
the λ D of its component parts due to the impact of fault
detection and/or multiple channels since a component’s
failure to danger which is detected, leads to the safe
shutdown of the hazard before a system failure to
danger can occur

page 61
So, now what is the Performance Level of a SRP/CS
for this Safety Function?

• Having the four pieces of data from above, the PL Graph may
be utilized to estimate PL of the SRP/CS
– This provides a range of PL possible, depending on the Structure, and
the MTTFD, DCavg, and CCF of the components chosen
• For a more detailed resolution, the data above may be used
with ISO 13849-1:2015 Table K.1 to obtain an estimate of the
SRP/CS performance
– PFHD in failures per hour and thus the PL of the design
– This also permits separation of product characteristics which split the PL
lines since their evaluation is based on channel MTTFD ranges
• Use component information and use commercial computer
programs

page 62
PL of Safety Related Function of the Control System as a function of Risk Category

PL (ISO 13849-1) | PFHD 1/h | SIL (IEC 62061)
a | < 3.8×10⁻⁵ | N/A
b | < 10⁻⁵ | SIL 1
c | < 3×10⁻⁶ | SIL 1
d | < 10⁻⁶ | SIL 2
e | < 10⁻⁷ (≥ 10⁻⁸) | SIL 3

[Figure 5 ISO 13849-1:2015: PL versus Category and DCavg for each channel MTTFD band.]

Each Channel with MTTFD of:
Years | 1/Hour
3 ≤ MTTFD < 10 | 3.8×10⁻⁵ > λ > 10⁻⁵
10 ≤ MTTFD < 30 | 10⁻⁵ > λ > 3.8×10⁻⁶
30 ≤ MTTFD < 100 | 3.8×10⁻⁶ > λ > 10⁻⁶
(MTTFD of one year corresponds to λD = 1.14E-4)
CCF ≥ 65

DCavg, probability of fault discovery as % of occurrence:
Low | 60% ≤ DC < 90%
Med | 90% ≤ DC < 99%
High | 99% ≤ DC

Adapted from Table E.1 ISO 13849-1:2015


page 63
SO:
If the Risk Assessment indicates that the
Functional Safety risk reduction measure
must meet a performance level PLr = PLd ,
there are several design choices of both
structure and component performance
which may meet the design requirement

page 64
Practical Application of ISO 13849-1:2015
Various Methods of Determining PL
• Each method makes certain assumptions and/or
simplifications
• The simpler the method, the greater the
assumptions
– This drives the solution to the more conservative result
– The highest performance level predictions are
obtained using the more detailed calculation methods,
typically full computer programs designed for ISO
13849-1:2015

page 65
Conversions
• Mean Time To Dangerous Failure of Mechanical components
• MTTFD is in Years while λD is in per Hour
• MTTFD of one year = 8760 hours/year, so λD ≈ 1.141E-04 (1.141 × 10⁻⁴) per hour

• B10: Number of cycles until 10% of a test population has failed
• If B10D is not specifically stated, the Fraction of Failure Rate may be given, B10D = B10/FFR, or estimated at 50% of the total failures
• MTTFD = Nominal cycles to failure to danger / Cycles per Year
  = 10×B10D / nop
  – Ex: To convert B10 life of a component to MTTFD in years on a machine which runs 240 days per year, for 16 hours per day, with a 15 sec machine cycle:
    MTTFD (years) = (2 × 10 × B10) cycles × 15 sec/cycle / (240 days/yr × 16 hr/day × 60 min/hr × 60 sec/min)

page 66
Mission Time T10D
• Note: Mechanical components which wear out, such as Contactors, Valves etc., should be replaced at their B10D cycle life since their rate of failure can no longer be considered to be a constant and the MTTFD is no longer valid
  This includes electro-mechanical relays in Safety Interface Modules which may have a PFHD of 1E-9 but whose relay in that application may have a MTTFD of 25 yr. and a T10D of 2.5 yr.
• Operating time (also known as Mission Time, TM)
• TM = T10D = B10D / nop = MTTFD / 10
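The B10D conversion of slides 31 and 65 and the T10D mission time of slide 66 form one short chain: use profile → nop → MTTFD → T10D. The following Python is an added example, not part of the original presentation. It assumes the slides' 50% dangerous-failure default (B10D = 2 × B10), the 20-year replacement cap from slide 31, and the 240 days / 16 hours / 15 s profile from slide 65; the B10 value of 2,000,000 cycles in the demo is constructed, not a vendor figure.

```python
SECONDS_PER_HOUR = 3600
MISSION_TIME_CAP_YEARS = 20.0  # slide: replace at T10D or 20 years, whichever comes first


def nop_from_cycle_time(days_per_year: float, hours_per_day: float, t_cycle_s: float) -> float:
    """Use profile nop (operations per year) from a machine cycle time in seconds."""
    if min(days_per_year, hours_per_day, t_cycle_s) <= 0:
        raise ValueError("use profile values must be positive")
    return days_per_year * hours_per_day * SECONDS_PER_HOUR / t_cycle_s


def b10d_from_b10(b10: float, fraction_dangerous: float = 0.5) -> float:
    """B10D = B10 / FFR. Without a vendor FFR the slides assume 50 % dangerous, i.e. B10D = 2 x B10."""
    if b10 <= 0 or not 0 < fraction_dangerous <= 1:
        raise ValueError("B10 must be positive and the dangerous fraction in (0, 1]")
    return b10 / fraction_dangerous


def mttfd_years_from_b10d(b10d: float, nop: float) -> float:
    """MTTFD = 10 x B10D / nop (the factor 10 turns the 10 % failure point into a mean)."""
    if b10d <= 0 or nop <= 0:
        raise ValueError("B10D and nop must be positive")
    return 10.0 * b10d / nop


def t10d_years(b10d: float, nop: float) -> float:
    """T10D = B10D / nop = MTTFD / 10: the usage at which the constant-rate assumption ends."""
    if b10d <= 0 or nop <= 0:
        raise ValueError("B10D and nop must be positive")
    return b10d / nop


def mission_time_years(b10d: float, nop: float, cap_years: float = MISSION_TIME_CAP_YEARS) -> float:
    """Replacement interval TM: the earlier of T10D and the 20-year cap."""
    return min(t10d_years(b10d, nop), cap_years)


def wear_component_summary(b10: float, days_per_year: float, hours_per_day: float,
                           t_cycle_s: float, fraction_dangerous: float = 0.5) -> dict:
    """Whole chain for one wear component: profile -> nop -> B10D -> MTTFD -> T10D -> TM."""
    nop = nop_from_cycle_time(days_per_year, hours_per_day, t_cycle_s)
    b10d = b10d_from_b10(b10, fraction_dangerous)
    return {
        "nop_cycles_per_year": nop,
        "b10d_cycles": b10d,
        "mttfd_years": mttfd_years_from_b10d(b10d, nop),
        "t10d_years": t10d_years(b10d, nop),
        "mission_time_years": mission_time_years(b10d, nop),
    }


if __name__ == "__main__":
    # constructed contactor with B10 = 2,000,000 cycles on the slide's 240 d/yr, 16 h/day, 15 s profile
    summary = wear_component_summary(b10=2_000_000, days_per_year=240, hours_per_day=16, t_cycle_s=15)
    for key, value in summary.items():
        print(f"{key:>22}: {value:,.2f}")
```

For that constructed component the profile gives nop = 921,600 cycles per year and an MTTFD of about 43 years (the "high" band), but a T10D of only about 4.3 years: the contactor must be replaced long before the MTTFD figure would suggest, which is the point of slide 66.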

page 67
Single Channel MTTFD of Components or Systems
• MTTFD of a channel is the reciprocal of the sum of the reciprocals of the MTTFD of the individual components or sub-systems in the channel.
• Failure to danger of ANY component in the series string faults the system to danger
  – Therefore in a single channel system:
    1/MTTFD,Chn = 1/MTTFD,comp1 + 1/MTTFD,comp2 + … + 1/MTTFD,comp n
    OR
    λD,Chn = λD,comp1 + λD,comp2 + … + λD,comp n

[Figure: series block diagram Comp1 – Comp2 – … – Comp n]

page 68
MTTFD of Channels

• MTTFD of Individual CHANNELS are each capped:
  – Cat 1, 2, and 3 = 100 years
  – Cat 4 at 2,500 years
• Components and Sub-systems within a channel are not capped

page 69
MTTFD of Dual Channels
• In a Dual channel system, to obtain a system MTTFD:
  – If the two channels have the same MTTFD, their symmetrized value is the same as that of a channel
  – If the channel MTTFD are not the same, a symmetrized value is calculated and used for the combined channels
  – Else the lowest MTTFD of the two is used

• EX: By calculation two channels, one 100yr and one 33yr, yield a symmetrized value of 72yr
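The series rule of slide 67, the channel caps of slide 68 and the two-channel combination of slide 69 can be checked together. The following Python is an added example, not part of the original presentation. The symmetrization formula it uses is the one from Annex D of ISO 13849-1 (the slide mentions the formula but does not print it); it reproduces the slide's 100 yr / 33 yr → 72 yr example. Treating Cat B with the same 100-year channel cap as Cat 1 is an assumption, and the component values in the demo are constructed.

```python
# Channel MTTFD caps in years from the slide (Cat 1-3 = 100 yr, Cat 4 = 2500 yr);
# Cat B is treated like Cat 1 here (assumption: same single-channel cap).
CHANNEL_MTTFD_CAP_YEARS = {"B": 100.0, 1: 100.0, 2: 100.0, 3: 100.0, 4: 2500.0}


def channel_lambda_d(component_lambdas) -> float:
    """Series string: lambda_D,Chn = lambda_D,comp1 + lambda_D,comp2 + ...
    (a failure to danger of ANY component fails the channel)."""
    rates = list(component_lambdas)
    if not rates or any(r <= 0 for r in rates):
        raise ValueError("need positive per-hour rates")
    return sum(rates)


def channel_mttfd(component_mttfds, category=3) -> float:
    """1/MTTFD,Chn = sum(1/MTTFD,i) over the components and sub-systems of the channel,
    then capped for the channel; the components themselves are never capped."""
    values = list(component_mttfds)
    if not values or any(m <= 0 for m in values):
        raise ValueError("need positive MTTFD values in years")
    uncapped = 1.0 / sum(1.0 / m for m in values)
    return min(uncapped, CHANNEL_MTTFD_CAP_YEARS[category])


def symmetrized_mttfd(c1: float, c2: float) -> float:
    """Two channels with different MTTFD, Annex D of ISO 13849-1 (not printed on the slide):
    MTTFD = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2)). Equal channels keep the channel value."""
    if c1 <= 0 or c2 <= 0:
        raise ValueError("need positive MTTFD values in years")
    if c1 == c2:
        return float(c1)
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def dual_channel_mttfd(c1: float, c2: float, symmetrize: bool = True) -> float:
    """Combined value for a two-channel structure: symmetrized, or conservatively the lower channel."""
    return symmetrized_mttfd(c1, c2) if symmetrize else float(min(c1, c2))


if __name__ == "__main__":
    # constructed Cat 3 channels: interlock switch, safety relay, contactor (MTTFD in years)
    ch1 = channel_mttfd([150, 200, 80], category=3)
    ch2 = channel_mttfd([150, 200, 300], category=3)
    print(f"channel 1 = {ch1:.1f} yr, channel 2 = {ch2:.1f} yr")
    print(f"symmetrized = {dual_channel_mttfd(ch1, ch2):.1f} yr, "
          f"worst case = {dual_channel_mttfd(ch1, ch2, symmetrize=False):.1f} yr")
    print(f"slide example 100 yr / 33 yr -> {symmetrized_mttfd(100, 33):.0f} yr")
    print(f"uncapped 666.7 yr string in Cat 3 -> {channel_mttfd([1000, 2000], 3):.0f} yr")
```

Note how the cap is applied to the channel after the series combination, not to the individual parts: a string of 1000 yr and 2000 yr components combines to 667 yr, which a Cat 3 channel then reports as 100 yr while a Cat 4 channel keeps.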

page 70
Calculating DC avg
• The system DCavg is calculated using the Diagnostic Coverage percentage and the MTTFD or λD of all functional components in the system
• Or, for the total system, use the DC value of the high failure rate component with the lowest DC

Note: If a component has a DC of < 60%, enter DC = Zero. However, its 1/MTTFD must still be added to the denominator
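The failure-rate weighting and the "below 60% counts as zero but stays in the denominator" rule are where hand calculations of DCavg usually go wrong. The following Python is an added example, not part of the original presentation; the DC band limits are those of the slides' DC table, and the three-component channel in the demo is constructed.

```python
DC_CLAIM_THRESHOLD = 0.60  # slide: a component DC below 60 % is entered as zero


def dc_band(dc: float) -> str:
    """DC bands as used on the slides: none (< 60 %), low, medium, high (>= 99 %)."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC is a fraction between 0 and 1")
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def dc_avg(components) -> float:
    """components: iterable of (dc, mttfd_years) for every functional component.
    DCavg = sum(DC_i / MTTFD_i) / sum(1 / MTTFD_i): a failure-rate weighted mean where any
    DC below 60 % counts as 0 in the numerator while its 1/MTTFD stays in the denominator."""
    num = den = 0.0
    for dc, mttfd in components:
        if not 0.0 <= dc <= 1.0 or mttfd <= 0:
            raise ValueError("DC must be in [0, 1] and MTTFD positive")
        lam = 1.0 / mttfd  # a per-year rate is enough; the 8760 hr/yr cancels in the ratio
        den += lam
        num += (dc if dc >= DC_CLAIM_THRESHOLD else 0.0) * lam
    if den == 0.0:
        raise ValueError("no components given")
    return num / den


def worst_case_dc(components) -> float:
    """Slide's shortcut: the lowest claimable DC in the string instead of the weighted average."""
    dcs = [dc if dc >= DC_CLAIM_THRESHOLD else 0.0 for dc, _ in components]
    if not dcs:
        raise ValueError("no components given")
    return min(dcs)


if __name__ == "__main__":
    # constructed channel: monitored contactor (99 %, 100 yr), interlock with plausibility
    # check (90 %, 50 yr) and a sensor whose only test covers 30 % of its dangerous failures (200 yr)
    chan = [(0.99, 100.0), (0.90, 50.0), (0.30, 200.0)]
    print(f"DCavg = {dc_avg(chan):.3f} -> {dc_band(dc_avg(chan))}")
    print(f"without the weakly tested sensor: {dc_avg(chan[:2]):.3f} -> {dc_band(dc_avg(chan[:2]))}")
    print(f"worst case DC = {worst_case_dc(chan):.2f} -> {dc_band(worst_case_dc(chan))}")
```

The constructed channel lands at DCavg ≈ 0.80 ("low") even though two of its three parts are at 90% and 99%: the 30% sensor contributes nothing to the numerator but its failure rate still dilutes the average. Dropping it from the calculation instead of carrying it in the denominator would wrongly yield 0.93 ("medium").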

page 71
Table K.1 ISO 13849-1:2015
• Determine, for the SYSTEM, the channel or component values of Structure, MTTFD, DCavg, and CCF
  – Single channels are listed as Structure B or 1 depending on their MTTFD
  – MTTFD ≥ 30 years is High = Cat 1
• Locate the closest lower MTTFD in the left column of Table K.1
• Locate the Category and DCavg column from the heading, left to right.
• From the MTTFD trace to the right until the appropriate Cat/DCavg column is intersected
• Read the sub-system or channel PL or PFHD

page 72
ISO 13849-1:2015 Table “K”

page 73
Mixed System

[Figure: Safety Light Curtain (PLe) → Safety PLC (PLe) → two Force Guided Contactors in parallel.]

Output is two contactors driven by two outputs of the PLC and monitored by the Safety PLC
B10 of contactor is 5,000,000 cycles, assume B10D = 2×B10, MTTFD = 10×B10D / nop
Rate of use is 10/hour, 24 hours per day, 5 days per week, 50 weeks per year
10 × 24 × 5 × 50 = 60,000 cycles per year (nop)
MTTFD = B10 × 2 × 10 / nop = 5×10⁶ × 2 × 10 / 6×10⁴ = 10×10⁷ / 6×10⁴ = 1.7×10³
MTTFD is 1,700 years which is capped at 100 years
DC = 99% from Table E.1, therefore use HIGH
From Table K.1 this is a PLe for the dual channel of two monitored contactors

From Table K.1 ISO 13849-1:2015


page 74
Mixed System

[Figure: Safety Light Curtain (PLe) → Safety PLC (PLe) → two Force Guided Contactors in parallel.]

• The PFHD of the two contactors monitored with the safety PLC was found to be 2.47E-8
• Vendor data supplies values for the SLC and the PLC
• These are added to the contactor PFHD for a total system performance

• PFHDsys = Σ PFHDn

• 4.5E-8 + 1.1E-8 + 2.5E-8 = 8.1E-8 for a system PLe
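The two Mixed System slides end with a channel MTTFD that must be capped and banded, and a series sum of sub-system PFHD values that must be mapped back to a PL. The following Python is an added example, not part of the original presentation. The PL band limits come from the slides' PFHD table, except the 10⁻⁴ upper limit of PL a, which is taken from Table 3 of ISO 13849-1 because the slides show no upper bound for PL a; the numbers in the demo are the slides' own (B10 = 5,000,000, nop = 60,000, PFHD 4.5E-8, 1.1E-8 and 2.5E-8).

```python
# PL bands in dangerous failures per hour: (PL, lower bound inclusive, upper bound exclusive).
# Lower bounds as on the slides; the 1e-4 limit of PL a is from ISO 13849-1 Table 3.
PL_BANDS = (
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
)


def pl_from_pfhd(pfhd: float):
    """Map a PFHD (1/h) to its PL letter, or None when it is worse than PL a.
    A value below 1e-8 still claims only PL e, the best level the standard defines."""
    if pfhd <= 0:
        raise ValueError("PFHD must be positive")
    if pfhd < 1e-8:
        return "e"
    for pl, lo, hi in PL_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def mttfd_band(mttfd_years: float) -> str:
    """Table 4 bands: low 3-10 yr, medium 10-30 yr, high 30-100 yr; below 3 yr is not acceptable."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def capped_channel_mttfd(mttfd_years: float, cap_years: float = 100.0) -> float:
    """Apply the single-channel cap (100 yr on the slide; 2500 yr would be used for Cat 4)."""
    return min(mttfd_years, cap_years)


def system_pfhd(subsystem_pfhds) -> float:
    """Series combination of sub-systems with their own PFHD: PFHDsys = sum of PFHDn."""
    values = list(subsystem_pfhds)
    if not values or any(v <= 0 for v in values):
        raise ValueError("need positive PFHD values")
    return sum(values)


def system_pl(subsystem_pfhds):
    """Total PFHD of the series string and the PL it supports."""
    total = system_pfhd(subsystem_pfhds)
    return total, pl_from_pfhd(total)


if __name__ == "__main__":
    # slide 73: contactor B10 = 5e6, B10D = 2 x B10, nop = 60,000 cycles/yr
    mttfd = 10 * (2 * 5e6) / 60_000
    capped = capped_channel_mttfd(mttfd)
    print(f"contactor MTTFD {mttfd:.0f} yr -> capped {capped:.0f} yr -> {mttfd_band(capped)}")
    # slide 74: SLC 4.5E-8, PLC 1.1E-8, monitored contactor pair 2.5E-8
    total, pl = system_pl([4.5e-8, 1.1e-8, 2.5e-8])
    print(f"system PFHD = {total:.2e} /h -> PL {pl}")
```

The sum matters more than the weakest link here: each of the three sub-systems is PL e on its own, and the string still lands at 8.1E-8, inside PL e; one more PL e sub-system of 2E-8 would push the total past 10⁻⁷ and the system down to PL d.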

page 75
Use of the circular Performance Level
Calculator instead of Table K.1 from
ISO 13849-1:2015
this is the same data as Table K

page 76
Rotate calculator to expose the channel MTTFD in the lower window (values for “B” only between 3 and < 30 years).
Read the MTTFD of a system with the selected attributes from the upper window.
Based on color code find PL exponent.

EX: For a Channel or Channel combination with a MTTFD of 33 years, used in a given structure and with a given DC, the MTTFD of the component when used in this CONTROL SYSTEM is from 3.46×10⁻⁶/hr in a Cat 1 to 8.57×10⁻⁸/hr in a Cat 4 with a High DC.
These numbers translate into a PL of “b” to an “e” (Ref pg. 7)
Can be ordered on-line from IFA.org

page 77
Determine the SYSTEM PL
an EXAMPLE

page 78
Convert the Functional Safety SRP/CS to a
Safety-Related Block Diagram
• Determine the structure of the circuit and
identify its in-series components or sub-
systems for each channel
– Determine the structure and components of the
three functions for each sub-system
• Input, Logic, Output
• Identify which components or sub-systems,
will cause failure to danger of the entire
channel when their failure to danger occurs

page 79
ALWAYS
Create the Safety-related block diagram from the circuit drawing

[Figure: circuit drawing of a safety interface module SIM (A1) with inputs S11/S12, S21/S22 and S31/S32 from two interlock switches (both shown OPEN), and force guided contactors FGC1 (13-14) and FGC2 (23-24) in the Machine Sequence circuit.]

page 80
[Figure: circuit with door interlock switches LS1, LS2 (Door 1) and LS3, LS4 (Door 2) in series to the SIM, the SIM driving FGC 1 and FGC 2; the PLC handles machine sequence only.]

Each door, with its two interlock switches, is evaluated independently

The impact of the series connection of the two door interlocks is reflected by reduction of DC to MED

The MTTFD of the FGC is based on the SUM of the cycles of both doors

PLC is for machine sequence logic only and does NOT enter the safety-related diagram

[Safety-related block diagrams:
Door 1: LS1 / LS2 – SIM – FGC 1 / FGC 2
Door 2: LS3 / LS4 – SIM – FGC 1 / FGC 2]

NOTE: The cycles/yr. of the SIM and FGC are the Sum of Door 1 and Door 2 cycles
page 81
Methodology

PL Graph
(Estimate)

page 82
Diagram of Circuit to be Verified to Meet or Exceed PLr

[Circuit diagram; the PLC block is marked "Machine Logic only"]

Verification Process
Identify:
• Category (Cat.) = known circuit structure
• MTTFD = calculated from data provided by the manufacturer to determine "low", "medium", or "high" for the channel(s)
• Diagnostic Coverage (DCavg) = identify the methods and their "percentage" from a table to determine "none", "low", "medium", or "high"
• Common Cause Failure (CCF) = do the worksheet and determine if the design meets a score of 65 or better for Cat ≥ 2
Then apply the above information to the chart…

page 83
Cat 3
PL Verification
MTTFD = High
DC avg = Medium
CCF = 70
PLr = PLd
The resulting PL = "d" or "e" (meets or exceeds the required PLr level of "d" from the Risk Assessment)

[Figure 5 ISO 13849-1:2015: bars for MTTFD Low / Med / High per category, CCF > 65]
Adapted from Fig 5 ISO 13849-1:2015


page 84
Matrix of generalized requirements of the four Quantitative Measures when used with a specific structure to achieve a required PLr.
Here, to achieve a PLd, any cell showing PL d or e meets the requirement.

Category                Cat B   Cat 1   Cat 2   Cat 2   Cat 3   Cat 3   Cat 4
DCavg                   none    none    low     medium  low     medium  high
MTTFD each ch. low      a       n/c     a       b       b       c       n/c
MTTFD each ch. medium   b       n/c     b       c       c       d       n/c
MTTFD each ch. high     c       c       c       d       d       d       e

n/c = not covered (combination not allowed by the standard)
Adapted from Table 6 ISO 13849-1:2015


page 85
Methodology

• Summation of PL sub-systems

page 86
Summation of PL Systems
• Determine the structure of the circuit and identify its
in-series components or sub-systems for each channel
• Draw the Safety-related block diagram to identify
which components or sub-systems, will cause failure to
danger of the entire channel when their failure occurs
• Determine the PL of each component or sub-system
using:
– Published manufacturer’s data
– Estimates from Appendix of safety components
– Calculate from MTTFD and Table K.1 or Circular Calculator
• Use PL count chart to reduce to system PL performance

page 87
Sub-Systems’ PL Count
• Determine the PL of each sub-system connected in Series in the Safety-related
Block Diagram
• Determine lowest PL=PLlow
• Count number of PLlow in the series string
• Use clause 6.3 Table 11 to determine PL of the string
• This is a simplified method of the mathematical summation of the sub-system PFHD values (failure probabilities per hour)

Table: 11 ISO 13849-1:2015


page 88
PLn Count Method
Safety Light Curtain (PLe) → Safety PLC (PLd) → Safety Rated ROBOT Stop (PLd)

Lowest PL = d
Number of lowest PL = 2
For PLlow = d with Nlow ≤ 3, the system is PLd

If we had used a remote I/O structure using a network, two additional elements would have been added to the safety-related block diagram as shown on the next page

page 89
PLn Count Method
Safety Light Curtain (PLe) → Remote Network Input (PLd) → Safety PLC (PLd) → Remote Network Output (PLd) → Safety Rated ROBOT Stop (PLd)

Lowest PL = d
Number of lowest PL = 4
For PLlow = d with Nlow > 3, the system drops to PLc

Note: There is a good reason to use the finer granularity method of summing the actual PFHD (derived from 1/MTTFD) of each component or sub-system. If actual values are used, they may be capable of achieving a higher system PL. This is because the count method assumes the mid value of the PL range for each sub-system rather than its exact value, which may be better than the mid-value.
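The summation and count rules used on the last few slides (PFHDsys = Σ PFHDn, the PL bands of ISO 13849-1:2015 Table 3, and the PL count method of Table 11) can be written down as a small Python routine. This is an added example, not code from the slides or from any vendor tool; the PL band limits and the Table 11 count limits are taken from the standard, and the PFHD figures in demo() are the ones quoted on the Mixed System slide and the two robot-cell slides above.

```python
"""PL from PFHD (ISO 13849-1:2015 Table 3), series summation (PFHDsys = sum of
PFHDn) and the simplified PL count method (Table 11).

Added example; not code from the slides.  The PFHD values in demo() are the
ones quoted on the preceding slides (mixed system, robot cell with and without
remote I/O)."""

# Table 3: PL band as (lower bound inclusive, upper bound exclusive), PFHD in 1/h.
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

# Table 11: for the lowest PL in the series string, the maximum number of
# sub-systems allowed at that PL before the string loses one PL.
PL_COUNT_LIMIT = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}
PL_ORDER = "abcde"


def pl_from_pfhd(pfhd):
    """Map a PFHD (per hour) to its PL letter; None if outside PLa..PLe."""
    for pl, (low, high) in PL_BANDS.items():
        if low <= pfhd < high:
            return pl
    return None


def system_pfhd(*subsystem_pfhds):
    """PFHDsys = sum of PFHDn for sub-systems in series (each one alone can
    cause loss of the safety function)."""
    return sum(subsystem_pfhds)


def pl_count(*pls):
    """Simplified PL count method (Table 11): find the lowest PL in the string
    and count how many sub-systems carry it.  Up to the Table 11 limit the
    string keeps that PL; above it the string drops one PL.  Returns None
    when Table 11 gives no PL at all (more than 3 sub-systems at PLa)."""
    lowest = min(pls, key=PL_ORDER.index)
    n_low = sum(1 for p in pls if p == lowest)
    if n_low <= PL_COUNT_LIMIT[lowest]:
        return lowest
    if lowest == "a":
        return None
    return PL_ORDER[PL_ORDER.index(lowest) - 1]


def demo():
    """Re-run the slide examples and return the results."""
    # Mixed system: SLC + safety PLC + monitored contactor pair (vendor/K.1 values)
    mixed = system_pfhd(4.5e-8, 1.1e-8, 2.5e-8)
    return {
        "mixed_pfhd": mixed,                          # 8.1E-8
        "mixed_pl": pl_from_pfhd(mixed),              # "e"
        # Robot cell: PLe curtain, PLd safety PLC, PLd robot stop
        "robot_direct": pl_count("e", "d", "d"),      # 2 x PLd -> "d"
        # Same cell with remote network input/output modules added (PLd each)
        "robot_remote_io": pl_count("e", "d", "d", "d", "d"),  # 4 x PLd -> "c"
    }


if __name__ == "__main__":
    print(demo())
```

The count method is deliberately conservative: four PLd sub-systems drop the string to PLc even though four sub-systems at, say, 1.2E-7 each would sum to 4.8E-7 and still sit inside the PLd band. When a design lands on the wrong side of a Table 11 limit, summing the real PFHD values with system_pfhd() and banding the result is the finer-grained check the slides recommend.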

page 90
PLn Count Method with Components
[Block diagram: Safety Light Curtain (PLe) → Safety PLC (PLe) → two Force Guided Contactors; the contactor pair's PFHD = 5.3E-8 converts to PLe]

• Channel mixed with individual components:
– ISO 13849-1:2015 Table K.1 or its circular calculator may be used to establish the components' PL for use with the PL count method
– Using the Safety-related block diagram, determine the structure category (Cat 3 or 4)
– Determine the MTTFD of the component(s) (51 years)
– Calculate the DCavg of their portion of the system (high), which confirms Cat 4
– Determine the equivalent PFHD from Table K.1 or the circular calculator: PFHD = 5.3E-8, which is Cat 4 PLe
– Use this PL as one of the sub-systems in the series channel string
– Lowest PL = e, number of lowest is ≤ 3, therefore the system is PLe

page 91
Calculation of System PFHD to Define System PL

Determine the MTTFD of each component in series


– Each component can cause the loss of the safety
function
– Determine the MTTFD of the series system
– Calculate the DCavg
– Verify CCF score ≥65
– Use Table K.1 or circular calculator to determine
system PL

page 92
Is This a Cat 4 PLe Circuit?

[Block diagram: Limit Switch A → Safety Interface Module → Force Guided Contactor A; Limit Switch B → Safety Interface Module → Force Guided Contactor B]

page 93
[Same block diagram: Limit Switch A / B → Safety Interface Module → Force Guided Contactor A / B]

Using B10D and cycle rate we calculated the following:
MTTFD of Limit switch A = B = 65 years
MTTFD of Contactor A = B = 80 years
MTTFD of either channel = 1 / (1/MTTFD_LS + 1/MTTFD_FGC)
= 1 / (1/65 + 1/80) = 1 / (0.0154 + 0.0125) = 1 / 0.0279 ≈ 36 years
Since both channels are the same, that is also the symmetrized system channel MTTFD (well below the 100-year cap)
Assume DCavg > 90% but < 99%, therefore MEDIUM
From ISO 13849-1:2015 Table K.1, the next lowest listed MTTFD value of 36 years at Cat 3, DCavg medium gives PFHD = 2.01E-7
Safety Interface Module vendor data: PLe, PFHD = 6.26E-8
TOTAL system PFHD = 2.01E-7 + 6.26E-8 = 2.64E-7; Cat 3 PLd
So the answer is no: with a medium DCavg the structure is Cat 3, not Cat 4 (which requires high DCavg), and a 36-year channel in Cat 3 with medium DC lands in PLd

From ISO
13849-1:2015
Table K.1
page 94
Numerical Example of a
Mixed System

page 95
Example
[Figure 8.28: Scanner (PFHD 3.0E-7) → Safety PLC (PFHD 1.5E-7) → hydraulic valve sub-system with 3-way dump valve 1V3, pilot check valve 1V4 and directional valve 1V5 (150 yr each); the two-valve channel is 75 yr; pressure switch 1S3 monitors 1V3 and 1V4]

• Symmetrized MTTFD of the valve dual channel: 75 yr channel and single-valve channel of 150 yr capped to 100 yr = 88 yr
• DC of both 1V3 and 1V4 is 99% via 1S3
• DC of 1V5 by process monitoring is 60%
• DCavg is calculated to be 86%, < 90%, therefore low
• Valve channel is Cat 3, DCavg low
• CCF score from Table F.1 > 65
• From Table K.1, the closest lower values of 82 yr and low DCavg (60%) give a hydraulic system PFHD of 1.14E-7
– This is conservative due to rounding down; an actual calculation using SISTEMA would yield a value of 6.2E-8
• Resultant system performance is the sum of the three PFHD values:
conservative 3.0E-7 + 1.5E-7 + 1.14E-7 = 5.6E-7 PLd, or calculated 3.0E-7 + 1.5E-7 + 6.2E-8 = 5.1E-7 PLd

Fig 8.28 BGIA Report 2/2008e
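The channel arithmetic behind the last two examples (the series limit-switch/contactor channel on the "Is This a Cat 4 PLe Circuit?" slide and the asymmetric valve channels of the hydraulic example) follows fixed formulas from ISO 13849-1:2015: the parts-count sum for components in series, the per-channel MTTFD cap, the symmetrization formula for two channels with different MTTFD, and the DCavg weighting. The Python below is an added example, not code from the slides or from SISTEMA; the component values in demo() are the ones printed on those two slides, and the B10D example call in the test uses made-up numbers because the slides do not give the underlying B10D figures.

```python
"""Channel MTTFD and DCavg arithmetic per ISO 13849-1:2015.

Added example, not code from the slides or from SISTEMA.  demo() re-runs the
limit switch / contactor channel (65 y and 80 y in series) and the hydraulic
valve sub-system (1V3 + 1V4 at 150 y each, DC 99 %; 1V5 at 150 y, DC 60 %)."""

# Per-channel MTTFD cap in years: 100 y for Cat B..3, 2500 y for Cat 4.
CAP_YEARS = {"B": 100, "1": 100, "2": 100, "3": 100, "4": 2500}


def mttfd_from_b10d(b10d, cycles_per_year):
    """Annex C: MTTFD = B10D / (0.1 * nop), nop = operations per year."""
    return b10d / (0.1 * cycles_per_year)


def series_mttfd(*mttfds):
    """Parts count for components in series in one channel: 1/MTTFD = sum(1/MTTFDi)."""
    return 1.0 / sum(1.0 / m for m in mttfds)


def cap_mttfd(mttfd, category):
    """Cap the channel MTTFD before it is used for the PL estimate."""
    return min(mttfd, CAP_YEARS[category])


def symmetrize(mttfd_c1, mttfd_c2):
    """Annex D: equivalent MTTFD of two redundant channels with different
    MTTFD (cap each channel first)."""
    return 2.0 / 3.0 * (mttfd_c1 + mttfd_c2
                        - 1.0 / (1.0 / mttfd_c1 + 1.0 / mttfd_c2))


def dc_avg(components):
    """Annex E: DCavg = sum(DCi/MTTFDi) / sum(1/MTTFDi) over every component
    of the sub-system, tested or not.  components = [(mttfd_years, dc), ...];
    an untested component enters with dc = 0.  Uncapped component MTTFD is used."""
    num = sum(dc / m for m, dc in components)
    den = sum(1.0 / m for m, _ in components)
    return num / den


def mttfd_band(years):
    """MTTFD ranges: low 3 .. <10 y, medium 10 .. <30 y, high >= 30 y;
    below 3 y is not acceptable for a channel (None)."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc):
    """DC ranges: none < 60 %, low 60 .. <90 %, medium 90 .. <99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def demo():
    # Limit switch (65 y) and force-guided contactor (80 y) in series; both channels identical
    channel = series_mttfd(65, 80)
    # Hydraulic example: channel 1 = 1V3 + 1V4 (150 y each), channel 2 = 1V5 (150 y), Cat 3
    c1 = cap_mttfd(series_mttfd(150, 150), "3")   # 75 y
    c2 = cap_mttfd(150, "3")                      # capped to 100 y
    valves = symmetrize(c1, c2)                   # ~88 y
    valve_dc = dc_avg([(150, 0.99), (150, 0.99), (150, 0.60)])   # 0.86
    return {
        "ls_fgc_channel_years": channel,
        "ls_fgc_band": mttfd_band(channel),
        "valve_channel_years": valves,
        "valve_band": mttfd_band(valves),
        "valve_dcavg": valve_dc,
        "valve_dc_band": dc_band(valve_dc),
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth checking against the slides: the cap is applied per channel before symmetrization (that is why 150 y becomes 100 y in the valve example), and DCavg is weighted by each component's own failure rate, which is why the 60 % process-monitored valve pulls the average down to 86 % and into the "low" band even though two of the three valves have 99 % coverage.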


page 96
We can now take a closer look at the
two “Equivalent” light barriers
introduced at the start of the
discussion

page 97
Example of the "Spectrum" Within a Given Category
[Circuit diagram as on page 3: standard PLC monitoring three photoelectric sensors and follower relay K1 (monitoring connections to the PLC in red), versus a Type 2 Safety Light Curtain with an Interface Module; both circuits switch solenoid valve V1]

• The dedicated standard PLC monitors the function of the three photoelectric sensors and the follower relay K1
• The PLC is not a serial component in the Safety-related Block Diagram, i.e. its failure does not directly result in the loss of the safety function, therefore its MTTFD is not included in the safety channel calculation
• MTTFD of the PLC is 50 years and is > 1/2 × the MTTFD of the system being monitored, thus it meets the minimum requirement for a test component for this system
• The Type 2 Safety Light Curtain is certified by a Third Party Test Laboratory to meet the required standards of Cat 2 and has a PLd
• The Interface Module is a pre-wired set of two Force Guided Relays, monitored by the SLC
• The solenoid valve V1 is a Well Tried hydraulic component with a MTTFD of 150 years at this operation rate
• Both systems' performance is limited by V1 because it is not monitored
• For a Mission Life of 20 years, the PE circuit (PLb overall) has a 41% chance of Failure To Danger while the Type 2 Safety Light Curtain circuit (PLc overall) has a 19% chance of failure (see the calculation on the next page)

page 98
Note: SRP/CS performance limited by un-monitored valve V1 (monitoring connections to PLC in red)

PE + standard PLC circuit:
  P1, P2, P3: MTTFd 100 yr each; K1: 1302 yr; series channel MTTFd = 32.5 yr, tested by the PLC
  Cat 2, DC = low, MTTFd 33 yr → λ = 1.86E-6
  V1: MTTFd 150 yr, capped to 100 yr (single channel, Cat B) → 1.14E-6
  1.86E-6 + 1.14E-6 = 3.0E-6 → PLb; 41% fail @ 20 yr (equivalent MTTFd = Yr. left blank on the slide)

Type 2 SLC + IM circuit:
  SLC 6.9E-8 + IM 2.5E-8 = 9.4E-8 (equivalent MTTFd 1214 yr); V1 150 yr capped to 100 yr → 1.14E-6
  6.9E-8 + 2.5E-8 + 1.14E-6 = 1.23E-6 → PLc; equivalent MTTFd = 93 yr; 19% fail @ 20 yr
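The 41% and 19% figures on this slide are the probability of at least one dangerous failure over the 20-year mission life, which for a constant failure rate is 1 − exp(−PFHD × t). The Python below is an added example, not code from the slides; it re-derives the PE channel MTTFd, the capped single-channel PFHD of V1 and the two mission-life probabilities from the values printed on the slide. The Cat 2 channel PFHD of 1.86E-6 is taken as an input because it is a Table K.1 lookup, not something the page gives a formula for.

```python
"""Comparison of the two Cat 2 light-barrier circuits and their 20-year
probability of dangerous failure.

Added example, not code from the slides.  Inputs are the slide values:
P1..P3 100 y, K1 1302 y, V1 150 y (capped to 100 y), Table K.1 PFHD of
1.86E-6 for the Cat 2 / DC low / 33 y channel, and vendor PFHD 6.9E-8 (SLC)
and 2.5E-8 (IM)."""

import math

HOURS_PER_YEAR = 8760


def series_mttfd(*years):
    """Components in series in one channel: 1/MTTFD = sum(1/MTTFDi)."""
    return 1.0 / sum(1.0 / y for y in years)


def cap_100(years):
    """Per-channel MTTFD cap of 100 years (Cat B .. Cat 3)."""
    return min(years, 100)


def single_channel_pfhd(mttfd_years):
    """Cat B / Cat 1 single channel without diagnostics: PFHD = 1 / MTTFD[h].
    Reproduces the Table K.1 Cat B column, e.g. 100 y -> 1.14E-6."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def prob_dangerous_failure(pfhd, mission_years=20):
    """Constant-rate model: P(at least one dangerous failure within t) = 1 - exp(-PFHD * t)."""
    return 1.0 - math.exp(-pfhd * mission_years * HOURS_PER_YEAR)


def equivalent_mttfd_years(pfhd):
    """Express a system PFHD back as an equivalent MTTFd in years."""
    return 1.0 / (pfhd * HOURS_PER_YEAR)


def compare():
    # PE circuit: three sensors and follower relay K1 in one channel, tested by the standard PLC
    pe_channel_years = series_mttfd(100, 100, 100, 1302)   # 32.5 y
    pe_channel_pfhd = 1.86e-6                                # Table K.1, Cat 2, DC low, 33 y (slide value)
    # Unmonitored valve V1 is a single, untested element in both circuits
    v1_pfhd = single_channel_pfhd(cap_100(150))             # 1.14E-6
    pe_total = pe_channel_pfhd + v1_pfhd                     # 3.0E-6 -> PLb
    # Type 2 SLC + interface module, vendor values
    slc_total = 6.9e-8 + 2.5e-8 + v1_pfhd                    # 1.23E-6 -> PLc
    return {
        "pe_channel_years": pe_channel_years,
        "pe_total_pfhd": pe_total,
        "pe_equiv_mttfd": equivalent_mttfd_years(pe_total),
        "pe_fail_20y": prob_dangerous_failure(pe_total),     # ~0.41
        "slc_total_pfhd": slc_total,
        "slc_equiv_mttfd": equivalent_mttfd_years(slc_total),  # ~93 y
        "slc_fail_20y": prob_dangerous_failure(slc_total),   # ~0.19
        "v1_share_of_slc": v1_pfhd / slc_total,              # share of the SLC circuit's PFHD due to V1
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:18s} {v:.4g}")
```

The last entry is the practical point of the slide: in the light-curtain circuit more than 90% of the residual PFHD comes from the unmonitored valve, so adding monitoring of V1 (or a second valve with plausibility checking) is the change that would move that design, not a better light curtain.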

page 99
Computer Based Calculation of
System PL
• Computer programs both free and for purchase are
available to calculate system PL
• These have the advantage of using the full range of values of MTTFD and DCavg rather than the round-down use of the granular values of ISO 13849-1:2015 Table K.1, so programs typically result in a lower (better) system PFHD, i.e. a higher equivalent system MTTFD
• These programs should not be used without a thorough
understanding of ISO 13849-1:2015.
• Failure to understand the safety evaluation process
will result in a “Plug In and Grind” effort which,
while providing a numerical value, may contain
serious errors.
• A generic no-cost program is briefly represented in
Appendix A. At-cost as well as no-cost programs are
available from numerous Safety Product vendors

page 100
Appendix A

SISTEMA Evaluation tool

page 101
SISTEMA
• Free software to assist in determining PLs, from the IFA (Institut für Arbeitsschutz, the research institute of the DGUV, the German Social Accident Insurance)
– http://www.dguv.de/ifa/en/pub/rep/rep07/bgia0208/index.jsp
– The program accepts component values and structure (category) as well as DC and CCF data and calculates the final PL and PFHD; per component, 1/MTTFD is the dangerous failure rate λD
– Shows shortfalls in performance
– Useful in component and structure "what if" scenarios for a specific PL
– Standardized component files may be imported from vendors, or user-specific data entered
• SISTEMA Calculator Program for PL per ISO 13849-1:2015
– IFA Software
– Identify
• Category
• Safety Logic Blocks
• MTTFD of components
– Standard components file
– User components customized file
• DCavg
• CCF

page 102
page 103
Annex B
From ISO 13849-1:2015

page 104
Safety-Related Block Diagram

Annex B Table: B.1 ISO 13849-1:2015


page 105
Annex C
From ISO 13849-1:2015

page 106
MTTFD and B10D
for components

Annex C Table: C.1 ISO 13849-1:2015


page 107
Annex E
From ISO 13849-1:2015

page 108
Table E.1 Diagnostic Coverage ISO 13849-1:2015

Annex E Table: E.1 ISO 13849-1:2015


page 109
Measure DC
Logic component
Table E.1
ISO 13849-1:2015
Continued

Annex E Table: E.1 ISO 13849-1 :2015


page 110
Table E.1 ISO 13849-1:2015
Continued

Annex E Table: E.1 ISO 13849-1:2015


page 111
Annex F
From ISO 13849-1:2015

page 112
Quantification of Measures Against CCF

No.   Measure against CCF                                                        Score
1     Separation/segregation                                                      15
2     Diversity                                                                   20
3     Design/application/experience
3.1   Protection against over-voltage, over-pressure, over-current, etc.          15
3.2   Components used are "WELL TRIED"                                             5
4     Assessment/analysis                                                          5
5     Competence/training                                                          5
6     Environmental
6.1   Power source for electrical and fluid power: EMI, RFI, filtration,
      drainage, dirt entry (all according to manufacturer's specifications)       25
6.2   Temperature, humidity, dust, shock, vibration                               10

Maximum score 100; must reach a score of at least 65 for Cat 2, 3 or 4.
A measure scores only if it is implemented for all components of the channel(s); no partial scores.

Annex F Table: F.1 ISO 13849-1:2015


page 113
Annex K
From ISO 13849-1:2015

page 114
Table K.1 ISO 13849-1:2015

Annex K Table K.1 ISO 13849-1:2015


page 115
Table K.1 ISO 13849-1:2015

Annex K Table K.1 ISO 13849-1:2015


page 116
Table K.1 ISO 13849-1:2015

Annex K Table K.1 ISO 13849-1:2015


page 117
Table K.1 ISO 13849-1:2015

Annex K Table K.1 ISO 13849-1:2015


page 118
Contact Information

Heinz Knackstedt
Safety Engineer
TÜV Functional Safety Engineer
C&E sales, inc.
Dayton, Ohio USA

Office: +1 (937) 434-8830


Cell: +1 (937) 545-6494

hknackstedt@cesales.com

page 119
