David Collier of Pilz Automation Technology explains the changes that were introduced in the third edition of BS EN ISO 13849-1, published in December 2015, which is identical to international standard ISO 13849-1:2015 and European harmonised standard EN ISO 13849-1:2015. He also shares his observations of the impact these changes will have.
The planned merger of EN ISO 13849-1 and EN 62061 into IEC/ISO 17305 by the Joint Working Group JWG1 did not come to pass. However, during the attempt, an official request was made to alter the existing version of EN ISO 13849-1, which did take place in December 2015. The latest 2015 edition is now harmonised to the Machinery Directive.
The modifications are in some cases purely editorial (such as the suffix 'd' used in MTTFd, B10d and elsewhere being replaced by the suffix 'D'). However, some important clarifications and shifts have been included, and it is now the case that EN ISO 13849-1:2015 is the go-to standard for safety-related controls on machines, since the previous edition is no longer harmonised to the Machinery Directive 2006/42/EC.
In section 1 the table comparing the recommended application of EN ISO 13849-1 and EN 62061 has been removed, but EN 62061 is still mentioned.
In section 2, normative references to other standards have been updated, such as ISO 12100:2010 for risk assessment and risk reduction.
In section 3 (terms and definitions) one addition is the mention of 'proven in use', which means a demonstration, based upon operational experience for a specific configuration of a component, that the likelihood of a dangerous failure is low enough not to impact the Performance Level of all safety functions incorporating that component. Later in the standard it becomes clear in 4.5.5 that this is only 'allowed' for mechanical, hydraulic and pneumatic elements where omission of MTTFD is to be justified, and 'proven in use' would need to be stated by the manufacturer of the component.
Quite a lot of change has happened in section 4, Design Considerations. In section 4.5.2 the limitation of MTTFD to 100 years (capping) was previously applicable to all subsystems regardless of category, which had the undesirable effect of limiting the number of category 4 subsystems that could be combined without a drop in Performance Level from PL e to PL d. This was thought to be too conservative, therefore for category 4 subsystems the capping limit has been raised to 2500 years, which means later in the informative annex K the table K1 now covers this extended range instead of 100 years. This higher value is justified because in Category 4 other quantifiable aspects (structure and Diagnostic Coverage) are at their maximum point. As a result of this there is no longer a need to combine input and actuator elements as one subsystem in some cases, which was previously sometimes needed, especially for hydraulic and pneumatic components.
In section 4.5.4 the assumption made for Category 2 that the demand rate must be less than 1/100 of the test rate has been changed to 'the demand rate is less than or equal to 1/100 test rate; or testing occurs immediately upon demand of the safety function and the overall time to detect the fault and to bring the machine to a non-hazardous condition (usually to stop the machine) is shorter than the time to reach the hazard (see also ISO 13855)'. The added possibility to test 'on demand' allows a dual-channel category 2 design with one active channel and one monitoring channel, the latter recognising and appropriately responding to demand placed on the former but only actively getting involved in the case that the first channel fails. This could be useful for retrofit applications (second channel as an add-on to the existing first channel), if timing constraints are met to ensure that safety distances are maintained with respect to stopping times (see also EN ISO 13855).
Up until the change, Table 5 in section 4 was used to select the optimum combination of category, DC and MTTFD to achieve a desired PL. This is now supplemented by another table in 4.5.5 'Description of the outputs part of the SRP/CS by category', which refers to actuators (such as power drives) or mechanical, hydraulic or pneumatic components (or components comprising a mixture of technologies) where no application-specific reliability data is available. The machine builder has scope to evaluate the PL without any reference to MTTFD calculation, and use only Category, Diagnostic Coverage and steps against Common Cause Failure (CCF). Table 8 shows recommended and optional categories which can be used to achieve the desired PL in a subsystem comprising such components, providing that they are 'proven in use' or 'well tried' (regardless of Category), which means in practice usability will be limited. However, it may be used where calculation of the PL of the final actuator subsystem in a safety function is not possible.
Use of non-failsafe PLCs
Section 4.6 covers software and a new statement is made about non-failsafe PLCs whose manufacturer-developed embedded firmware does not meet the requirements of SRESW (safety-related embedded software needs to be developed in accordance with IEC 61508-3, which is a very detailed task only ever conducted by manufacturers of safety PLCs and safety controllers). The requirement is that for standard PLCs to be used in safety functions the PL must be limited to PL a or b when in Category B, 2 or 3, and for PL c or d to be achieved two diverse PLCs must be used in a two-channel architecture. In practice such a structure would not be used due to installation and maintenance efforts (two different PLCs running together) and probably also space and cost. Therefore, for PL c and above the obvious choice is to use safety PLCs.
In section 6.2.2 reference is still made to the fact that the structure (Category) is the key characteristic having the greatest influence on the PL. The statement that it is admissible to design according to a machine-specific C-standard specifying just a Category (as was the case in EN 954-1) and not the PL (hence obviating the need to consider MTTFD, DC and CCF) has been removed. It is the view of the author that one should always use state of the art when defining a safety function and working with the full requirements of EN ISO 13849-1 is better than using the superseded EN 954-1 and just the Category.
The informative Annexes have undergone some significant changes. Annex A concerns the risk analysis used to determine the required PL. It must be pointed out that the risk graph method is not mandatory, and it assumes the worst case (probability of occurrence is 100 per cent). It is also possible to deduce the PLr by other methods, or refer to a PL stated in a machine-specific C-standard. The terms S (severity), F (frequency) and P (possibility of avoidance) remain. The term F is now better clarified: F1 (seldom) means an accumulated exposure time of less than 1/20 of the overall operating time and a frequency not higher than once per 15 minutes. The aim of this is to make sure that duration is better defined, which is very relevant to relating a safety function to a task such as maintenance and not just the number of times persons are exposed to hazards.
Now consideration can also be given to the additional term 'probability of occurrence' (which is a parameter considered in EN 62061 when determining a target SIL, but not previously considered in EN ISO 13849-1). Rather than assuming 100 per cent there is now a statement that 'where the probability of occurrence of the hazardous event can be justified as low, the PLr may be reduced by one level'. This means that after considering severity (eg S2 irreversible injury), frequency of exposure (eg F2 twice a shift) and possibility of avoidance (eg P2 unavoidable) the PLr would be PL e, but by using the argument that it is actually not likely to happen you could instead select PL d. This is not a massive stretch, but a drop from PL d to PL c is a big step because the design requirement could change from requiring dual-channel architecture such as Category 3 with Diagnostic Coverage of 60 per cent to single-channel Category 1 without any Diagnostic Coverage. This is dramatic, and even more so if taking the reduction from PL c (which at a minimum requires Category 1 and the use of well-tried components) to PL b (which would remove the need to use even well-tried components). It is the view of the author that the use of such a reduction could be acceptable if a safety system is being designed on top of an existing control system, but it should not be used to rectify an existing poorly designed safety function. More importantly, extreme caution should be used when applying the reduction if one has already reduced the PLr by selecting P1. Note the option to do this appears in both the Sistema and PAScal software tools, with the warning about applying the reduction of PLr where P1 has been selected. It is probably worth noting that anyone buying a machine should be asking the machine supplier about this, as there may be a temptation to reduce the cost of the safety-related controls and this should not be at the expense of safety!
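As an added illustration (not code from the article, from Pilz, or from the Sistema/PAScal tools), the following Python puts the Annex A risk graph together with the two 2015 additions discussed above: the clarified F1 criteria (accumulated exposure no more than 1/20 of operating time and no more often than once per 15 minutes) and the optional one-level PLr reduction for a justified low probability of occurrence, which is flagged when P1 was already selected. The risk-graph mapping is the standard's well-known S/F/P tree; the function and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

PL_ORDER = "abcde"  # PL a (lowest) .. PL e (highest)

# ISO 13849-1 Annex A risk graph: (S, F, P) -> required Performance Level PLr
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def frequency_class(exposure_hours: float, operating_hours: float,
                    interval_minutes: float) -> int:
    """Return 1 (F1, seldom) only if BOTH clarified 2015 conditions hold, else 2 (F2).

    exposure_hours   - accumulated time a person is exposed to the hazard
    operating_hours  - overall operating time of the machine over the same period
    interval_minutes - typical interval between exposures
    """
    seldom_duration = exposure_hours <= operating_hours / 20   # <= 1/20 of operating time
    seldom_frequency = interval_minutes >= 15                  # not more than once per 15 min
    return 1 if seldom_duration and seldom_frequency else 2


@dataclass
class PlrResult:
    plr: str                      # PLr actually selected
    plr_before_reduction: str     # PLr straight from the risk graph
    warning: Optional[str]        # set when the reduction deserves extra scrutiny


def required_pl(S: int, F: int, P: int,
                low_probability_justified: bool = False) -> PlrResult:
    """Walk the risk graph, then optionally apply the 2015 one-level reduction."""
    base = RISK_GRAPH[(S, F, P)]
    if not low_probability_justified:
        return PlrResult(base, base, None)
    # Reduce by one level; PL a cannot be reduced further.
    reduced = PL_ORDER[max(0, PL_ORDER.index(base) - 1)]
    warning = None
    if P == 1:
        # P1 already lowered the PLr once; stacking the reduction is the case the
        # author (and the Sistema/PAScal tools) warn about.
        warning = "P1 already selected: apply the probability-of-occurrence reduction with extreme caution"
    return PlrResult(reduced, base, warning)


if __name__ == "__main__":
    # The article's example: S2, F2 (twice a shift), P2 -> PL e, reducible to PL d
    print(required_pl(2, frequency_class(0.3, 8, 240), 2, low_probability_justified=True))
```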
There are many other changes, but the above are some of the most significant. The fact that this new edition is harmonised means that software tools, such as PAScal v1.8, have been updated to reflect these changes. Follow the link to download a free demonstration version of PAScal v1.8.