Statistics, RAMS & Quality Management
ISO 13849 Category and Performance Level (PL) versus IEC 61508 Safety Integrity Level (SIL)
When engineers are asked about IEC 61508, they almost always think of key safety indicators like "probability of failure per hour", "SIL level" or the like. While key indicators are beyond any doubt fundamental characteristics, they make up only a small part of the whole.
The main purpose of safety standards goes far beyond handling key safety indicators; they literally cover the whole product life cycle, in particular the R&D, manufacturing and installation phases of a product's life. By aligning product development with the requirements of safety standards, companies are enabled to design safety into their products from the very beginning. As a consequence, complying with the key safety indicators becomes easy for companies.
Compliance with key safety indicators is in turn documented evidence that the company's product development process has been in line with the requirements of safety standards. Therefore, despite making up only a small portion of the safety standards, it is justified to look a little more closely at the key safety indicators. The IEC 61508 key safety indicators will be explained first because they are easier to understand.
IEC 61508
IEC 61508 offers 4 (or 5) so called Safety Integrity Levels (SIL) for safety related systems: (no SIL, or SIL 0), SIL 1, SIL 2, SIL 3 and SIL 4. SIL 0 reflects the lowest, and SIL 4 the highest safety level.
The SIL classification of safety related systems depends on the following parameters:
- Probability of Failure per hour (PFH)
  - PFH is the probability of failure per hour. The range of interest is between 1E-5/h and 1E-9/h, which is equivalent to MTTF = 1E5 h and 1E9 h.
- Safe Failure Fraction (SFF)
  - SFF is the relative portion [0 ... 100%] of failure modes leading to a safe failure (in contrast to a so called dangerous failure: a safe failure might be a nuisance, but there is no resulting danger). The range of interest is between 60% and 99.9%.
- Hardware Fault Tolerance (HFT)
  - HFT is the minimum number of tolerable failures without losing the safety function. Typical HFT values are 0 or 1, rarely 2 or higher.
  - Fault tolerance can be achieved with intelligent system design or with multi-channel architectures (redundancy). The latter should be considered only when other means are impractical, or when the safety goals are too strict, because redundancy is always accompanied by the so called common cause problem.
The tables below show the interaction of these parameters:
1. SFF and HFT versus SIL
1.a) Systems without digital ICs:
| SFF | HFT=0 | HFT=1 | HFT=2 |
| SFF = 0 ... <60% | SIL 1 | SIL 2 | SIL 3 |
| SFF = 60% ... <90% | SIL 2 | SIL 3 | SIL 4 |
| SFF = 90% ... <99% | SIL 3 | SIL 4 | SIL 4 |
| SFF > 99% | SIL 3 | SIL 4 | SIL 4 |
1.b) Systems with at least one digital IC:
| SFF | HFT=0 | HFT=1 | HFT=2 |
| SFF = 0 ... <60% | SIL 0 | SIL 1 | SIL 2 |
| SFF = 60% ... <90% | SIL 1 | SIL 2 | SIL 3 |
| SFF = 90% ... <99% | SIL 2 | SIL 3 | SIL 4 |
| SFF > 99% | SIL 3 | SIL 4 | SIL 4 |
2. SIL versus PFH
| SIL Level | PFH | Range covered |
| SIL 1 | 1E-5 > PFH > 1E-6 | Factor 10 |
| SIL 2 | 1E-6 > PFH > 1E-7 | Factor 10 |
| SIL 3 | 1E-7 > PFH > 1E-8 | Factor 10 |
| SIL 4 | 1E-8 > PFH > 1E-9 | Factor 10 |
Note: "...PFH > 1E-9" is not a mistake. IEC 61508 suggests that there are no suitable means available for demonstrating probabilities of dangerous failures smaller than 1E-9 per hour. This is, however, a matter of opinion. Arithmetic example: for a population of 10,000 units, 1E-9/h means roughly one dangerous failure per calendar year! In aviation, for example, 1E-9 and smaller is literally "business as usual". If 1E-9 were the end of the line, commercial aviation would not exist.
ISO 13849
ISO 13849 offers 5 so called categories (Cat) and 5 performance levels (PL). Cat B and PL a reflect the lowest, and Cat 4 and PL e the highest safety level.
Cat B, Cat 1, Cat 2, Cat 3, Cat 4
PL a, PL b, PL c, PL d, PL e
The following table shows all ISO 13849 allowable combinations of Cat and PL:
| | Cat B | Cat 1 | Cat 2 | Cat 3 | Cat 4 |
| PL a | x | | x | x | |
| PL b | x | x | x | x | |
| PL c | | x | x | x | |
| PL d | | | x | x | |
| PL e | | | | x | x |
Assigning category and performance level to a safety related system is somewhat complicated in ISO 13849. The following parameters play vital roles:
- MTTFd per channel
  - This means "Mean Time to Dangerous Failure" for one channel.
  - Unlike IEC 61508, ISO 13849 is focused on channels rather than on complete safety related systems. However, safety related systems of categories B, 1 and 2 are neither redundant, nor do they have "channels", so for these systems "channel" is just synonymous with "system".
- DCavg
  - Average diagnostic coverage. The percentage of potentially dangerous failures detectable by diagnostics.
  - This definition is a little bit clumsy because, to some extent, it foils the design of safe systems. Therefore it is better to use SFF instead of DCavg.
- Architecture of the safety related system
  - A dedicated set of requirements. This will be explained below in the "category" table.
The interdependencies of these parameters, as well as their effects on category and performance level, are far more specific than in IEC 61508 and can therefore not be explained in general terms. See appendix K of ISO 13849 for details. Unfortunately there is no justification of why the relationships are the way they are. However, the following basic statements may give some clues:
- Category (Cat) is a function of
  - Architecture of the safety related system
  - DCavg
- Performance level (PL) is a function of
  - Category
  - DCavg
  - MTTFd per channel
- The higher MTTFd, DCavg and category, the better the performance level. While high MTTFd values are preferable in any case, they are quite ineffective unless design efforts are focused on category and DCavg as well.
ISO 13849 uses MTTFd for quantifying channel safety, and PFH for quantifying the safety of the complete safety related system. This is somewhat roundabout; however, MTTFd can be converted into PFH as follows:
PFH = 1/MTTFd
This formula is an approximation, but a very good one for high MTTFd (and therefore small PFH), because for small PFHs the exponential function can be replaced with a linear approximation.
ISO 13849 allowable MTTFd values are limited to the range between 3 years and 100 years, which corresponds to failure rates between 38 and 1.14 fpmh (failures per million hours). This limitation is far from what can be technically achieved (this will be explained on the next page).
1) Category
The following table shows the relationships between category, architectural constraints and DCavg.
| ISO 13849 Category | Architectural Constraints | Required Diagnostic Coverage | Goal of the Category |
| B | Simple safety related system. No requirements. | none | Focus rather on reliability than on safety. Use common technical sense. |
| 1 | Like B, plus: proven principles (e.g. 4...20 mA). Evidence that system design is proven for safety applications. | none | Proven principles, proven components. Use technical expert knowledge. |
| 2 | Like 1, plus: the safety related system must be tested periodically. | min. 60% (min. 90% *) | Increased failure detection probability. |
| 3 | Like 1, plus: fault tolerance whenever possible and feasible. Only few dangerous single failure modes allowed. In most cases this boils down to 100% single fault tolerance. | min. 60% (min. 90% *) | 1. "Near fault tolerance". 2. Undetectable dangerous single failure modes are allowed to some extent. |
| 4 | Like 3, plus: fault tolerance. Every single failure must be detectable before demand. In most cases this boils down to almost 100% double fault tolerance, because any first failure shall not be masked by a subsequent second failure. | min. 99% | 1. Fault tolerance. 2. Undetectable dangerous single failure modes are not allowed. 3. No dangerous failure shall be masked by a subsequent failure. |
* yields better PL in some cases
2) Performance Level
Performance level is just a stepped representation of MTTFd in 5 ranges. The following table is an approximation; the exact settings depend on category and DCavg. See appendix K of ISO 13849 for more information.
| PFH | Performance Level | Range covered |
| 3E-5 > PFH > 1E-5 | a | Factor 3 |
| 1E-5 > PFH > 3E-6 | b | Factor 3 |
| 3E-6 > PFH > 1E-6 | c | Factor 3 |
| 1E-6 > PFH > 1E-7 | d | Factor 10 |
| 1E-7 > PFH > 2.5E-8 | e | Factor 4 |
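As an added illustration (not code from the original page), the following Python script carries the MTTFd to failure-rate to PFH conversion described above through, checks the 3 to 100 year limit and the 38 / 1.14 fpmh end points, and places one MTTFd value on both the approximate PL table and the IEC 61508 "SIL versus PFH" table so the two scales can be compared directly; it also measures how far the linear PFH = 1/MTTFd is from the exponential model. The 8760 h year, the inclusive-lower/exclusive-upper band boundaries and all function names are assumptions made here.

```python
import math

HOURS_PER_YEAR = 8760.0  # assumed year length: 365 days * 24 h

# PFH bands (lower bound inclusive, upper bound exclusive) copied from the
# page's "SIL versus PFH" and "Performance Level" tables.
SIL_BANDS = [(1e-6, 1e-5, 1), (1e-7, 1e-6, 2), (1e-8, 1e-7, 3), (1e-9, 1e-8, 4)]
PL_BANDS = [(1e-5, 3e-5, "a"), (3e-6, 1e-5, "b"), (1e-6, 3e-6, "c"),
            (1e-7, 1e-6, "d"), (2.5e-8, 1e-7, "e")]

def mttfd_years_to_fpmh(mttfd_years):
    """Failure rate in failures per million hours (fpmh) for a given MTTFd."""
    return 1e6 / (mttfd_years * HOURS_PER_YEAR)

def pfh_from_mttfd(mttfd_years, exact=False):
    """PFH = 1/MTTFd (the page's linear approximation); with exact=True the
    per-hour failure probability 1 - exp(-1/MTTFd) of the exponential model."""
    mttfd_hours = mttfd_years * HOURS_PER_YEAR
    if exact:
        return -math.expm1(-1.0 / mttfd_hours)  # 1 - exp(-x) without cancellation
    return 1.0 / mttfd_hours

def approx_rel_error(mttfd_years):
    """Relative error of 1/MTTFd versus the exponential model; it is about
    PFH/2 and therefore shrinks as MTTFd grows (i.e. as PFH gets small)."""
    exact = pfh_from_mttfd(mttfd_years, exact=True)
    return pfh_from_mttfd(mttfd_years) / exact - 1.0

def in_iso13849_range(mttfd_years):
    """ISO 13849 only allows MTTFd values between 3 and 100 years per channel."""
    return 3.0 <= mttfd_years <= 100.0

def band(pfh, bands):
    """Map a PFH value onto one band of a table; None if it falls outside."""
    for low, high, label in bands:
        if low <= pfh < high:
            return label
    return None

def classify(mttfd_years):
    """Place one MTTFd value on both scales and return (approximate PL, SIL).
    Both lookups use the same PFH, which makes the overlap of the scales visible."""
    pfh = pfh_from_mttfd(mttfd_years)
    return band(pfh, PL_BANDS), band(pfh, SIL_BANDS)

if __name__ == "__main__":
    for years in (3, 30, 100):  # the ISO 13849 limits and one value in between
        print(years, "y:", round(mttfd_years_to_fpmh(years), 2), "fpmh", classify(years))
```

At the 3 year lower limit the linear approximation differs from the exponential model by only about 2E-5 relative, which is why the page can call it a very good one; a 100 year channel lands on PL c and SIL 1 at the same time, showing that the two scales do not line up one to one.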