Dealing adequately with technical uncertainties

Statistics, RAMS & Quality Management
ISO 13849 Category and Performance Level (PL) versus IEC 61508 Safety Integrity Level (SIL)
  Functional Safety: Introduction
  Safety vs. Reliability
  IEC 61508
  ISO 13849
  IEC 61508 vs. ISO 13849 
  Conclusions

When engineers are asked about IEC 61508, they almost always think of key safety indicators like "probability of failure per hour", "SIL level" or the like.
While key indicators are beyond any doubt fundamental characteristics, they make up only a small part of the whole.
The main purpose of safety standards goes far beyond handling key safety indicators: they cover the whole product life cycle, in particular the R&D, manufacturing and installation phases of a product's life. By aligning product development with the requirements of safety standards, companies are enabled to design safety into their products from the very beginning. As a consequence, complying with key safety indicators becomes easy for such companies.

Compliance with key safety indicators is in turn documented evidence that the company's product development process has been in line with the requirements of safety standards. Therefore, although they make up only a small portion of the safety standards, it is justified to look a little closer at the key safety indicators. The IEC 61508 key safety indicators will be explained first because they are easier to understand.

IEC 61508


IEC 61508 offers four (or five) so-called Safety Integrity Levels (SIL) for safety related systems:

(no SIL, or SIL 0), SIL 1, SIL 2, SIL 3 and SIL 4.

SIL 0 reflects the lowest, and SIL 4 the highest safety level.
The SIL classification of safety related systems depends on the following parameters: the safe failure fraction (SFF), the hardware fault tolerance (HFT) and the probability of dangerous failure per hour (PFH).
The tables below show the interaction of these parameters:

1. SFF and HFT versus SIL

1.a) Systems without digital ICs:

SFF            | HFT=0 | HFT=1 | HFT=2
0 ... <60%     | SIL 1 | SIL 2 | SIL 3
60% ... <90%   | SIL 2 | SIL 3 | SIL 4
90% ... <99%   | SIL 3 | SIL 4 | SIL 4
> 99%          | SIL 3 | SIL 4 | SIL 4

1.b) Systems with at least one digital IC:

SFF            | HFT=0 | HFT=1 | HFT=2
0 ... <60%     | SIL 0 | SIL 1 | SIL 2
60% ... <90%   | SIL 1 | SIL 2 | SIL 3
90% ... <99%   | SIL 2 | SIL 3 | SIL 4
> 99%          | SIL 3 | SIL 4 | SIL 4

2. SIL versus PFH

SIL Level | PFH                 | Range covered
SIL 1     | 1E-5 > PFH > 1E-6   | Factor 10
SIL 2     | 1E-6 > PFH > 1E-7   | Factor 10
SIL 3     | 1E-7 > PFH > 1E-8   | Factor 10
SIL 4     | 1E-8 > PFH > 1E-9   | Factor 10

Note:
"..PFH > 1E-9" is not a mistake. IEC 61508 suggests that there are no suitable means available for demonstrating probabilities of dangerous failures smaller than 1E-9 per hour. This is, however, a matter of opinion. Arithmetic example: for a population of 10,000 units, 1E-9/h means ~ one dangerous failure per calendar year!
In aviation, for example, 1E-9 and smaller is literally "business as usual".
If 1E-9 were the end of the line, commercial aviation would not exist.


ISO 13849

ISO 13849 offers five so-called categories (Cat) and five performance levels (PL):

Cat B, Cat 1, Cat 2, Cat 3, Cat 4
PL a, PL b, PL c, PL d, PL e

Cat B and PL a reflect the lowest, and Cat 4 and PL e the highest safety level.

The following table shows all ISO 13849 allowable combinations of Cat and PL (x = allowed):

     | Cat B | Cat 1 | Cat 2 | Cat 3 | Cat 4
PL a |   x   |       |   x   |   x   |
PL b |   x   |   x   |   x   |   x   |
PL c |       |   x   |   x   |   x   |
PL d |       |       |   x   |   x   |
PL e |       |       |       |   x   |   x

Assigning category and performance level to a safety related system is somewhat complicated in ISO 13849.
The following parameters play vital roles: the mean time to dangerous failure (MTTFd) of each channel, the average diagnostic coverage (DCavg), and the category, i.e. the architecture of the safety related system.

The interdependencies of these parameters, as well as their effects on category and performance level, are far more specific than in IEC 61508 and can therefore not be explained in general. See appendix K of ISO 13849 for details. Unfortunately, no justification is given for why the relationships are the way they are. However, the following basic statements may give some clues:
  1. Category (Cat) is a function of the architectural constraints and the required DCavg.
  2. Performance level (PL) is a function of MTTFd, DCavg and category.
  3. The higher MTTFd, DCavg and category, the better the performance level. While high MTTFd values are preferable in any case, they are quite ineffective unless design efforts are focused on category and DCavg as well.
ISO 13849 uses MTTFd for quantifying channel safety, and PFH for quantifying the safety of the complete safety related system.
This is somewhat roundabout; however, MTTFd can be converted into PFH as follows:

PFH = 1/MTTFd.

This formula is an approximation, but a very good one for high MTTFd (and therefore small PFH): for small PFHs the exponential function can be replaced with its linear approximation.

ISO 13849 allowable MTTFd values are limited to the range between 3 years and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh (failures per million hours). This limitation is far from what can be technically achieved (this will be explained on the next page).


1) Category

The following table shows the relationships between category, architectural constraints and DCavg (ISO 13849):

Category B
  Architectural constraints: Simple safety related system. No requirements.
  Required diagnostic coverage: none
  Goal of the category: Focus rather on reliability than on safety. Use common technical sense.

Category 1
  Architectural constraints: Like B, plus: proven principles (e.g. 4...20 mA). Evidence that the system design is proven for safety applications.
  Required diagnostic coverage: none
  Goal of the category: Proven principles, proven components. Use technical expert knowledge.

Category 2
  Architectural constraints: Like 1, plus: the safety related system must be tested periodically.
  Required diagnostic coverage: min. 60% (min. 90% *)
  Goal of the category: Increased failure detection probability.

Category 3
  Architectural constraints: Like 1, plus: fault tolerance whenever possible and feasible. Only few dangerous single failure modes are allowed. In most cases this boils down to 100% single fault tolerance.
  Required diagnostic coverage: min. 60% (min. 90% *)
  Goal of the category: 1. "Near fault tolerance". 2. Undetectable dangerous single failure modes are allowed to some extent.

Category 4
  Architectural constraints: Like 3, plus: fault tolerance. Every single failure must be detectable before demand. In most cases this boils down to almost 100% double fault tolerance, because any first failure shall not be masked by a subsequent second failure.
  Required diagnostic coverage: min. 99%
  Goal of the category: 1. Fault tolerance. 2. Undetectable dangerous single failure modes are not allowed. 3. No dangerous failure shall be masked by a subsequent failure.

* yields a better PL in some cases

2) Performance Level

Performance level is just a stepped representation of MTTFd into 5 ranges.
The following table is an approximation; the exact settings depend on category and DCavg. See appendix K of ISO 13849 for more information.

Performance Level | PFH                  | Range covered
a                 | 3E-5 > PFH > 1E-5    | Factor 3
b                 | 1E-5 > PFH > 3E-6    | Factor 3
c                 | 3E-6 > PFH > 1E-6    | Factor 3
d                 | 1E-6 > PFH > 1E-7    | Factor 10
e                 | 1E-7 > PFH > 2.5E-8  | Factor 4
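The conversion PFH = 1/MTTFd, the 3...100 year MTTFd limits and the two PFH tables on this page (SIL versus PFH, and PFH versus performance level) combined into one small script; this is an added example, not code from the original page, and it assumes an 8760-hour calendar year and half-open PFH bands. It also checks how close the linear approximation is to the exact one-hour failure probability 1 - exp(-lambda * 1 h).

```python
import math

HOURS_PER_YEAR = 8760.0  # calendar-year basis behind the page's 38 and 1.14 fpmh figures

# Bands as (upper bound, lower bound, level). The page writes both bounds with ">",
# so treating each band as the half-open interval [lower, upper) is an assumption
# made here. PL_BANDS is the page's approximate "PFH / Performance Level" table
# (ISO 13849); SIL_BANDS is its "SIL versus PFH" table (IEC 61508).
PL_BANDS = [(3e-5, 1e-5, "a"), (1e-5, 3e-6, "b"), (3e-6, 1e-6, "c"),
            (1e-6, 1e-7, "d"), (1e-7, 2.5e-8, "e")]
SIL_BANDS = [(1e-5, 1e-6, 1), (1e-6, 1e-7, 2), (1e-7, 1e-8, 3), (1e-8, 1e-9, 4)]


def mttfd_years_to_fpmh(mttfd_years):
    """Failure rate in failures per million hours for a channel MTTFd given in years."""
    return 1e6 / (mttfd_years * HOURS_PER_YEAR)


def pfh_from_mttfd_years(mttfd_years):
    """The page's conversion PFH = 1/MTTFd, with MTTFd expressed in hours."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def exact_one_hour_failure_probability(mttfd_years):
    """1 - exp(-lambda * 1 h) under an exponential failure model: the exact
    one-hour dangerous failure probability that PFH = 1/MTTFd approximates."""
    lam = 1.0 / (mttfd_years * HOURS_PER_YEAR)
    return -math.expm1(-lam)  # expm1 keeps full precision for tiny lambda


def band_lookup(pfh, bands):
    """Level whose [lower, upper) band contains pfh, or None if the table has none."""
    for upper, lower, level in bands:
        if lower <= pfh < upper:
            return level
    return None


def classify(mttfd_years):
    """Return (fpmh, PFH, PL, SIL) for a channel MTTFd in years. ISO 13849 only
    allows MTTFd between 3 and 100 years, so other values are rejected; a None
    level means the PFH falls outside the corresponding table on the page."""
    if not 3.0 <= mttfd_years <= 100.0:
        raise ValueError("MTTFd must lie within the 3...100 year range of ISO 13849")
    pfh = pfh_from_mttfd_years(mttfd_years)
    return (mttfd_years_to_fpmh(mttfd_years), pfh,
            band_lookup(pfh, PL_BANDS), band_lookup(pfh, SIL_BANDS))


if __name__ == "__main__":
    for years in (3.0, 30.0, 100.0):  # constructed sample MTTFd values
        fpmh, pfh, pl, sil = classify(years)
        print(f"MTTFd {years:5.1f} y: {fpmh:6.2f} fpmh, PFH {pfh:.3e}, PL {pl}, SIL {sil}")
```

At the 3-year limit the plain 1/MTTFd figure lands above the PL a band, which illustrates why the text calls the PL table an approximation that also depends on category and DCavg.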
