
Basic Safety Standard ISO12100

International standards for machine safety are organized according to a hierarchical structure of A, B, and C standards.

  • A standard (basic safety standard): ISO12100
  • B standard (group safety standard): ISO13849-1, ISO13849-2, ISO4413 (hydraulic), ISO4414 (pneumatic), etc.
  • C standard: Individual machine safety standard

EN954-1/ISO13849-1 Safety Category

Categories per EN ISO13849-1:2006 (JIS B9705-1:2011). For each category the table below gives the requirements summary, the system behavior, the principle used to achieve safety, the MTTFd required for each channel, the DCavg, and whether CCF must be evaluated.

Category B (see 6.2.3)
  Requirements: The SRP/CS and/or their protective devices, as well as their components, shall be designed, manufactured, selected, and assembled in accordance with relevant standards so that they withstand the expected influences. Basic safety principles shall be used.
  System behavior: The occurrence of a fault can lead to the loss of the safety function.
  Principle: Characterized primarily by the selection of components.
  MTTFd for each channel: Low to Medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behavior: The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than in Category B.
  Principle: Characterized primarily by the selection of components.
  MTTFd for each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Requirements: Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system (see 4.5.4).
  System behavior: The occurrence of a fault between checks can lead to the loss of the safety function. The loss of the safety function is detected by the check.
  Principle: Characterized primarily by structure.
  MTTFd for each channel: Low to High
  DCavg: Low to Medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function, and, whenever reasonably practicable, the single fault is detected.
  System behavior: When a single fault occurs, the safety function is always performed. Some, but not all, faults are detected. An accumulation of undetected faults can lead to the loss of the safety function.
  Principle: Characterized primarily by structure.
  MTTFd for each channel: Low to High
  DCavg: Low to Medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function, and the single fault is detected at or before the next demand upon the safety function; if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behavior: When faults occur, the safety function is always performed. Faults are detected in time to prevent the loss of the safety function, and detection of accumulated faults (high DC) reduces the probability of its loss.
  Principle: Characterized primarily by structure.
  MTTFd for each channel: High
  DCavg: High (including accumulation of faults)
  CCF: See Annex F

ISO13849-1:2015 Safety of Machinery – Safety-Related Parts of Control Systems

Previously, ISO13849-1:1999 (EN954-1) evaluated the safety of control systems purely by categorizing the “structure” of the safety-related parts themselves.

ISO13849-1:2006 keeps the conventional categories but adds the “reliability” and “quality” of the individual parts to the evaluation, so that changes in the control system over time (under its actual operating conditions) can also be assessed.


Designated Architecture (Structure) for Each Category

im: Interconnection means
I: Input device (e.g. sensor)
L: Logic
O: Output device (e.g. solenoid valve)
Category B: In the event of a fault, the safety function is lost.
Category 1: In the event of a fault, the safety function is lost, but the probability of occurrence is lower than in Category B.

m: Monitoring
TE: Test equipment
OTE: Output of test equipment
Category 2: In the event of a fault between inspections (checks), the safety function is lost; the loss of the safety function is detected by the check.

m: Monitoring
c: Mutual monitoring
Category 3: Safety is ensured by a 2-channel redundant structure and a cross-check (mutual monitoring). Even if a single fault occurs the safety function is always maintained, but not all faults are detected; if undetected faults accumulate, the safety function is lost.

Category 4: Safety is ensured by a redundant structure and a cross-check (mutual monitoring) as in Category 3, and the safety function is always maintained when a single fault occurs. The difference from Category 3 is that each single fault is detected at or before the next demand upon the safety function, so an accumulation of undetected faults cannot lead to the loss of the safety function.
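The behavior of the Category 3 and Category 4 architectures described above can be made concrete with a small model. The following is an added example, not code from the original page or from ROSS: it models two constructed guard-contact channels, a logic block that enables the hazardous output only when both channels report “run”, and a cross-check that locks the machine out on any discrepancy. The channel names, the “stuck closed” fault model and the proof-test routine are all assumptions made for the illustration.

```python
"""Constructed model of a two-channel safety input with cross monitoring.

Each channel reads a guard contact. A channel is HEALTHY, or STUCK_CLOSED
(a dangerous fault: it keeps reporting "run" after the guard is opened).
The logic enables the hazardous output only when BOTH channels report
"run"; with cross monitoring on, any disagreement between the channels is
treated as a detected fault and the machine is locked out.
"""
from dataclasses import dataclass, field
from typing import List

HEALTHY = "healthy"
STUCK_CLOSED = "stuck_closed"


@dataclass
class Channel:
    name: str
    state: str = HEALTHY

    def read(self, guard_open: bool) -> bool:
        """True means the channel reports 'run' (contact closed)."""
        if self.state == STUCK_CLOSED:
            return True               # fault: reports run regardless of the guard
        return not guard_open


@dataclass
class DualChannelLogic:
    ch1: Channel
    ch2: Channel
    cross_monitoring: bool = True
    locked_out: bool = False
    log: List[str] = field(default_factory=list)

    def evaluate(self, guard_open: bool) -> bool:
        """One scan of the logic. Returns True if the hazardous output is enabled."""
        if self.locked_out:
            return False
        r1, r2 = self.ch1.read(guard_open), self.ch2.read(guard_open)
        if self.cross_monitoring and r1 != r2:
            self.locked_out = True        # discrepancy = detected fault
            self.log.append("discrepancy between channels, locked out")
            return False
        return r1 and r2

    def proof_test(self) -> bool:
        """Category 4 style test before the next demand: each channel is
        exercised with the guard-open condition and must report 'stop'.
        Returns True if a fault was found (and the machine locked out)."""
        for ch in (self.ch1, self.ch2):
            if ch.read(guard_open=True):
                self.locked_out = True
                self.log.append(f"proof test: {ch.name} stuck closed")
                return True
        return False


def single_fault_scenario() -> dict:
    """Category 3: one channel stuck closed. The other channel still stops the
    machine on demand, and the cross check detects the discrepancy."""
    logic = DualChannelLogic(Channel("ch1", STUCK_CLOSED), Channel("ch2"))
    ran_before_demand = logic.evaluate(guard_open=False)   # no demand yet
    enabled_on_demand = logic.evaluate(guard_open=True)    # guard opened
    return {"ran_before_demand": ran_before_demand,
            "enabled_on_demand": enabled_on_demand,
            "fault_detected": logic.locked_out}


def accumulated_faults_scenario() -> dict:
    """Category 3 limitation: a stuck channel that is never exercised stays
    undetected; once the second channel also sticks, both report 'run',
    the cross check sees no discrepancy, and the safety function is lost."""
    logic = DualChannelLogic(Channel("ch1", STUCK_CLOSED), Channel("ch2"))
    logic.evaluate(guard_open=False)     # normal running, first fault invisible
    logic.ch2.state = STUCK_CLOSED       # second fault accumulates
    enabled_on_demand = logic.evaluate(guard_open=True)
    return {"enabled_on_demand": enabled_on_demand,
            "fault_detected": logic.locked_out}


def tested_before_demand_scenario() -> dict:
    """Category 4 style: a test at or before the next demand finds the first
    fault while the other channel is still healthy, so faults cannot accumulate."""
    logic = DualChannelLogic(Channel("ch1", STUCK_CLOSED), Channel("ch2"))
    found = logic.proof_test()
    enabled_on_demand = logic.evaluate(guard_open=True)
    return {"found_before_demand": found, "enabled_on_demand": enabled_on_demand}


if __name__ == "__main__":
    print("single fault:        ", single_fault_scenario())
    print("accumulated faults:  ", accumulated_faults_scenario())
    print("tested before demand:", tested_before_demand_scenario())
```

The second scenario is the one to take away: cross monitoring only sees a stuck channel when the channels disagree, so a fault that is never exercised by a demand is invisible, and a second fault in the other channel defeats the redundancy. The third scenario shows why Category 4 requires detection at or before the next demand rather than relying on demands to reveal faults.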


Categories Are Part of PL Due to the Withdrawal of EN954-1

Four Items that Determine the Performance Level (PL)

The Performance Level (PL) is determined by combining items (1) to (4) below. It is not a simple sum: the category, MTTFd and DCavg are combined through the standard's simplified-procedure table, and the CCF score acts as a pass/fail condition. The PL achieved by the complete chain of safety-related parts (input device, logic, output device) must be at least the “required performance level (PLr)” determined by the risk assessment.

  1. Category:
    The structure of the safety-related parts of the control system. The structure is established by satisfying the requirements of one of the categories B to 4. Since the category alone cannot evaluate how the system changes over time, ISO 13849-1:2006 adds the quantitative items (2) to (4) below. The designated architecture of each category, in terms of I (input device), L (logic), and O (output device), is shown above.
  2. MTTFd (Mean Time to Dangerous Failure):
    The mean time to dangerous failure of each channel of the safety-related parts of the control system. It is rated as Low (3 years or more and less than 10), Medium (10 years or more and less than 30), and High (30 years or more); ISO13849-1:2006 caps the value per channel at 100 years.
  3. DCavg (Diagnostic Coverage):
    The average diagnostic coverage of the safety-related parts: the ratio of the detectable dangerous failure rate (numerator) to the total dangerous failure rate (denominator), averaged over the parts. DCavg is rated in four bands: None (below 60 %), Low (60 % or more and less than 90 %), Medium (90 % or more and less than 99 %), and High (99 % or more).
  4. CCF (Common Cause Failure):
    A checklist of measures against the risk that all of the multiple channels of the control system will fail at the same time due to a common cause. A score of 65 points or higher (out of 100) is required for Category 2 and above.

ISO13849-1:2006 Performance Level

ISO13849-1:2006 specifies a new “Performance Level (PL)” as the performance measure required of the safety-related parts (input, logic, output) of control systems.
The performance level achieved is calculated as the performance classification of the safety-related parts, and it must satisfy the “required performance level (PLr)” that the risk assessment demands of those parts.
If the achieved PL is lower than PLr, each of the four items must be reviewed until PLr is satisfied: (1) Category: the structural requirements of the system, (2) MTTFd: the reliability of the selected equipment, (3) DCavg: the self-diagnosis rate, (4) CCF: the measures against common cause failure.

Performance Level (PL)   Probability of dangerous failure per hour (PFHd), 1/h
a   10^-5 or more and less than 10^-4      (0.001 % to 0.01 % per hour)
b   3x10^-6 or more and less than 10^-5    (0.0003 % to 0.001 % per hour)
c   10^-6 or more and less than 3x10^-6    (0.0001 % to 0.0003 % per hour)
d   10^-7 or more and less than 10^-6      (0.00001 % to 0.0001 % per hour)
e   10^-8 or more and less than 10^-7      (0.000001 % to 0.00001 % per hour)
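The four items above (category, MTTFd, DCavg, CCF) and the PL/PFHd table can be put into a short calculation. The following is an added example, not code from the original page or from ROSS. It implements the MTTFd and DCavg bands, the parts-count formula for channel MTTFd, the DCavg averaging formula, the simplified-procedure table of ISO 13849-1:2006 (Category and DCavg band versus MTTFd band) and the PFHd bands listed above. The component figures in `worked_example` (a three-part Category 3 channel) are constructed for illustration and are not any vendor's data; the function and variable names are assumptions of this example.

```python
"""Constructed PL estimation following the simplified procedure of
ISO 13849-1:2006. Bands and the PL table are transcribed from the standard;
the sample channel in worked_example() is invented for illustration."""
from typing import Optional

PL_ORDER = "abcde"
MTTFD_CAP_YEARS = 100.0   # ISO 13849-1:2006 caps MTTFd per channel at 100 years


def mttfd_band(years: float) -> str:
    """Low: 3 <= MTTFd < 10 years; Medium: 10 <= MTTFd < 30; High: 30 <= MTTFd."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is not acceptable for an SRP/CS")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    """dc as a fraction 0..1. None < 60 %, Low < 90 %, Medium < 99 %, High >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def channel_mttfd(part_mttfds) -> float:
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i), then capped."""
    return min(1.0 / sum(1.0 / m for m in part_mttfds), MTTFD_CAP_YEARS)


def dc_avg(parts) -> float:
    """parts: iterable of (MTTFd_i, DC_i). DCavg = sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    num = sum(dc / m for m, dc in parts)
    den = sum(1.0 / m for m, _ in parts)
    return num / den


# Simplified procedure: (category, DCavg band) -> {MTTFd band: PL}.
# None means the combination is not covered by the standard's table.
PL_TABLE = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

# PFHd bands from the table above: (PL, lower bound inclusive, upper bound exclusive).
PFHD_BANDS = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
              ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Map a (summed) PFHd of the SRP/CS to a PL; None if outside a..e."""
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def achieved_pl(category: str, mttfd_years: float, dcavg: float,
                ccf_score: int) -> Optional[str]:
    """Combine the four items. Categories 2, 3 and 4 also need CCF >= 65 points."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    row = PL_TABLE.get((category, dc_band(dcavg)))
    if row is None:
        return None
    return row[mttfd_band(mttfd_years)]


def meets_plr(pl: Optional[str], plr: str) -> bool:
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def worked_example(valve_dc: float = 0.60) -> dict:
    """Constructed Category 3 channel: (MTTFd years, DC) for input, logic, output.
    CCF checklist score assumed to be 70. valve_dc lets you see the effect of
    (not) monitoring the output valve."""
    parts = [(50.0, 0.99), (100.0, 0.99), (150.0, valve_dc)]
    mttfd = channel_mttfd([m for m, _ in parts])
    dcavg = dc_avg(parts)
    pl = achieved_pl("3", mttfd, dcavg, ccf_score=70)
    return {"mttfd_years": round(mttfd, 1), "mttfd_band": mttfd_band(mttfd),
            "dcavg": round(dcavg, 3), "dc_band": dc_band(dcavg),
            "pl": pl, "meets_PLr_d": meets_plr(pl, "d")}


if __name__ == "__main__":
    print(worked_example())               # monitored valve: PL d
    print(worked_example(valve_dc=0.0))   # unmonitored valve: DCavg "low", PL c
```

Run the two calls at the bottom: with the output valve monitored (DC 60 %) the channel reaches MTTFd about 27 years (Medium), DCavg about 92 % (Medium) and PL d; with the valve unmonitored the same hardware drops to DCavg 81 % (Low) and PL c, which no longer satisfies a PLr of d. This is the “review each item” loop described above made explicit: the part with the lowest DC weighted by its failure rate dominates DCavg.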
Contact Our Team

ROSS employs a powerful team of experts with vast experience in fluid power able to help you find a solution for your safety goals. Whether it be a custom solution, a current product, application, or safety course, ROSS is here to provide just what you need with your business specifications in mind.
