Dealing
adequately with technical uncertainties
Statistics,
RAMS
& Quality Management
ISO
13849 Category and Performance Level (PL) versus IEC 61508 Safety
Integrity Level (SIL)
Functional
Safety: Introduction
Safety vs. Reliability
IEC
61508
ISO
13849
→ IEC 61508 vs. ISO 13849
When
engineers are asked about IEC 61508, they almost always think of key
safety indicators like "probability of failure per hour", "SIL
level" or the like.
While key indicators are beyond any
doubt fundamental characteristics, they make only a small portion in
the whole.
The main purpose of safety standards is way more than just handling key
safety indicators; they literally
cover the whole product life cycle, in particular R&D,
manufacturing and installation phase of a product life. By aligning
product development to the requirements of safety standards,
companies are enabled to design safety into their products from the
very beginning. As a consequence, complying to key safety indicators
becomes easy for companies.
Compliance with key safety indicators is in turn documented evidence
that the company's product development process has been in line with
the requirements of safety standards. Therefore, despite making only a
small portion of safety standards, it is justified to look a little bit
closer to the key safety indicators. IEC 61508 key safety indicators will be explained first because they are
easier to understand.
IEC 61508
IEC
61508 offers 4 (or 5) so called Safety Integrity Levels (SIL) for
safety related systems:
(no SIL, or SIL 0), SIL 1, SIL 2, SIL 3
and SIL 4.
Sil0
reflects the lowest, and SIL4 the highest safety level.
The SIL classification of safety
related systems depends on the following parameters:
 Probability of Failure per hour (PFH)
 PFH
is the probability of failure per hour. The range of interest is
between 1E5/h and 1E9/h, which is equivalent to MTTF = 1E5h and
1E9h.
 Safe
Failure Fraction (SFF)
 SFF
is the relative portion [0 ... 100%] of failure modes leading to safe failure
(in
contrast to a so called dangerous
failure, the failure
might be a nuisance, but there will be no resulting danger). The range
of
interest is between 60% and 99,9%.
 Hardware
Fault Tolerance (HFT)
 HFT
is the minimum number of tolerable failures without losing the safety
function. Typical HFT values are 0 or 1, rarely 2 or higher.
 Fault
tolerance can be achieved with intelligent system design or with
multichannel architectures (redundancy). The latter should be
considered
only when others are impractical, or when the safety goals are too strict, because redundancy is always
accompanied with the so called common
cause problem.
The tables below show the interaction
of these parameters:
1. SFF
and HFT versus SIL
1.a) Systems
without digital ICs:

HFT=0

HFT=1 
HFT=2 
SFF
= 0 ... <60%

SIL
1

SIL
2

SIL
3 levels.

SFF
= 60% ... <90%

SIL
2

SIL
3

SIL
4

SFF
= 90% ... <99% 
SIL
3

SIL
4

SIL
4

SFF
> 99%

SIL
3

SIL
4

SIL
4 
1.b)
Systems with at least one digital IC:

HFT=0

HFT=1 
HFT=2 
SFF
= 0 ... <60% 
SIL 0

SIL
1

SIL
2

SFF
= 60% ... <90% 
SIL
1

SIL
2

SIL
3

SFF
= 90% ... <99% 
SIL
2

SIL
3

SIL
4

SFF
> 99% 
SIL
3

SIL
4

SIL
4

2.
SIL versus PFH
SIL
Level

PFH

Range
covered

SIL 1

1E5
> PFH > 1E6 
Factor 10

SIL 2

1E6
> PFH > 1E7 
Factor 10 
SIL 3

1E7
> PFH > 1E8 
Factor 10 
SIL 4

1E8
> PFH > 1E9 
Factor 10 
Note:
"..PFH > 1E9" is not a mistake. IEC 61508 suggests that there are
no suitable means available for demonstrating probabilities of
dangerous
failures
smaller than 1E9 per hour. This is however a matter
of opinion. Arithmetic example: For a 10.000 population, 1E9/h means ~
one dangerous failure per calendar year!
In aviation, for example, 1E9 and smaller is literally "business as
usual". If 1E9 was the end
of the line, commercial aviation would not exist.
ISO 13849
ISO
13849 offers 5 so called
categories (Cat) and 5 performance levels (PL).
Cat B and PL a reflect the lowest,
and Cat 4 and PL e the highest safety level.
Cat
B, Cat 1, Cat 2, Cat 3, Cat 4
PL a PL b PL c, PL d, PL e
The
following table shows all ISO
13849 allowable combinations
of Cat and PL:

Cat
B

Cat
1

Cat
2

Cat
3

Cat
4

PL
a

x


x

x


PL
b

x

x

x

x


PL
c


x

x

x


PL
d



x

x


PL
e




x

x

Assigning category and performance
level to a safety related system is somewhat complicated in ISO 13849.
The following parameters play vital
roles:
 MTTF_{d} per channel
 _{ }This means "Mean Time to Dangerous Failure" for
one channel.
 Unlike IEC 61508, ISO 13849 is focused rather on channels than
on complete safety related systems. However, safety related systems of
categories B, 1 and 2 are neither redundant, nor do they have
"channels", so for these systems, "channel" would just be synonymous
for "system".
 DC_{avg}
 Average
diagnostic coverage. The percentage of potentially
dangerous failures detectable by diagnostics.
 This definition is a little bit clumsy because  to some
extent it foils the design of safe systems. Therefore it is better to
use SFF instead of DC _{avg}.
 Architecture of the safety related system.
 A dedicated set of requirements. This will be explained below
in the "category" table.
The interdependencies of these parameters as well as their effects on
category and performance level are way more
specific than compared with IEC 61508, and can therefore not be explained in general. See
appendix K of ISO 13849 for details. Unfortunately there is no
justification about why the relationships are in this of all ways.
However, the following basic statements may give some clues:
 Category (Cat) is a function of
 Architecture of the safety related system
 DC_{avg
}
 Performance level (PL) is a function of
 The higher MTTF_{d}, DC_{avg} and category, the
better the performance level. While high MTTF_{d} values are
preferable in any case, they are quite ineffective unless design
efforts are focused as well on category and DC_{avg. }
ISO 13849 uses MTTF_{d} for
quantifying channel safety, and PFH for quantifying safety of the
complete safety related system.
This is somewhat circumstantial,
however, MTTF_{d} can be converted into PFH as follows:
PFH
= 1/MTTF_{d}.
This formula is an approximation, but
a very good one for high MTTF_{d} (and therefore small PFH),
because for
small PFHs, the exponential function can be replaced with a linear
approximation.
ISO 13849 allowable MTTF_{d} values are limited to the range
between 3
years and 100 years, which corresponds to failure rates between 38 and
1,14 fpmh (failures per million hours). This limitation is far from
what can be technically achieved (will be explained on the next page).
1) Category
The
following table shows the relationships between category, architectural
constraints and DC_{avg}.
ISO
13849
Category

Architectural
Constraints

Required Diagnostic Coverage

Goal of the Category

B

Simple
safety related system. No requirements.

none

Focus rather
on reliability than on safety.
Use common technical sense.

1

Like B, plus:
Proven principles (e.g. 4...20 mA). Evidence that system design is
proven for safety applications.

none

Proven
principles, proven components. Use technical expert knowledge. 
2

Like 1, plus:
The safety related system must be tested periodically.

min. 60%
(min. 90% *)

Increased
failure detection probability

3

Like 1, plus:
Fault tolerance whenever possible and feasible. Only few
dangerous single failure modes allowed.
In most cases this boils down to 100% single fault tolerance.

min. 60%
(min. 90% *)

1. "Near
fault tolerance".
2. Undetectable dangerous single failure modes are allowed to some
extent.

4

Like 3, plus:
Fault tolerance. Every single failure must be detectable before
demand.
In most cases this boils down to almost 100% double fault tolerance
because any first failure shall not be masked by a subsequent second
failure.

min. 99% 
1. Fault
tolerance.
2. Undetectable dangerous single failure modes are not allowed.
3. No dangerous failure shall be masked by a subsequent failure.

*
yields better PL in some cases
2) Performance
Level
Performance
level is just a stepped representation of MTTF_{d} into 5
ranges.
The following table is an approximation; the exact settings depend on
category and DC_{avg}. See appendix K of ISO 13849 for more
information.
PFH 
Performance
Level

Range covered

3E5 > PFH
> 1E5 
a

Factor 3

1E5 > PFH
> 3E6 
b

Factor 3 
3E6 > PFH
> 1E6 
c

Factor 3 
1E6 > PFH
> 1E7 
d

Factor 10

1E7 > PFH
> 2,5E8 
e

Factor 4

Privacy Policy