Eaton: Performance level, PL

EN ISO 13849-1 has a critical role to play with regard to the functional safety (FuSa) of a machine or facility. It contains general design principles for the safety of machines and focuses on the design and integration of safety-related parts of a control system. The performance level (PL) is an important parameter for risk classification and for assessing the reliability of safety-related functions. This blog article explains what the PL involves, where it is used in machine building and how it is determined or calculated.


What is the performance level (PL)?

Safety-related parts of a control system (SRP/CS) are intended to fulfil safety features under specific conditions and thereby reduce risks when operating a machine or facility. SRP/CS must be designed in accordance with one of the processes established in EN ISO 13849-1. Once the necessary safety features and their corresponding properties have been defined, the standard provides for the machine builder to determine the required performance level (PL).

According to EN ISO 13849-1, the PL is a "discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions." It therefore serves as a measure of the reliability of a safety feature. There are five PLs (a, b, c, d, e), which represent average probabilities of a dangerous failure per hour. PL a describes the lowest and PL e the highest technical safety performance of an SRP/CS. This means that the higher the PL, the safer and more reliable the feature in question.

Risk graph in accordance with EN ISO 13849-1

Severity of injury:
S1: slight injuries
S2: serious injuries

Frequency and duration of exposure:
F1: rare to often
F2: frequent to continuous

Possibility of avoiding the hazard:
P1: possible under certain conditions
P2: barely possible

In principle, the machine builder must consider the PL from two perspectives when constructing and planning a machine: First, they must determine the required PL using a risk assessment. They must then calculate the PL and subsequently prove that it fulfils the minimum requirement.

To calculate the PL, the manufacturers of the SRP/CS provide corresponding safety characteristics. The Eaton safety manual provides further information about this, as well as useful wiring and calculation examples.

Alongside the PL, a further technical safety performance parameter exists in the form of the safety integrity level (SIL 1, 2, 3, 4) in accordance with IEC 62061. The two safety standards use different classification systems and definitions for the safety levels. Depending on the technology, risk classification and architecture, the iterative process for designing the SRP/CS is to be applied either according to EN ISO 13849-1 or IEC 62061.

Five steps to a validated PL

Step 1 – risk assessment

To determine the required performance level PLr during the risk assessment, the engineer must consider the machine without the provided safety features. The risk graph from EN ISO 13849-1 (see figure) is used as a basis for the risk assessment. The process defined here assesses the extent of the damage or severity of the potential danger of injury S, the frequency and duration of the hazard F, as well as the possibility of preventing the hazard P.

It must therefore be assessed whether a possible injury is reversible (S1) or whether it could have serious, or even fatal, consequences (S2). Does the hazard occur only rarely or for a short duration (F1), or does it occur more than once per hour or for an extended period of time (F2)? Is there a realistic chance of preventing an accident or significantly reducing its effects (P1), or is it barely possible to prevent the hazard (P2)?

This procedure is a qualitative assessment that usually provides sufficient precision with little effort. It is to be understood as an additional part of the risk assessment according to EN ISO 12100.

 

Step 2 – designing the control architecture

The next step involves assessing the structure of a safety-related control system and assigning it to a category. EN ISO 13849-1 defines the following categories:

  • Category B is the basic category, under which the safety-related parts of the control system correspond at least to the state of the art and withstand the expected influences.
  • Category 1 is intended for tried-and-tested components and principles (e.g. position switches with positive opening contact).
  • In category 2, the safety-related parts must be checked automatically or manually at certain intervals.
  • In category 3, a single fault in a safety-related component does not cause the safety feature to fail, i.e. the switching is redundant by design.
  • In category 4, a single fault does not bring about a loss of the safety feature, in the same way as in category 3. In addition, the fault is detected immediately or recognised before the next potential hazard.
Control architecture: Overview of the requirements of each category

As a general principle, the more the risk reduction depends on the safety-related parts of the control system, the greater the required resilience to faults.

A specific example for the assessment can be found in the safety manual.

Step 3 – determining the achieved PL

To determine the PL that has been achieved, the following parameters must be considered:

Control architecture (category)

Mean time to dangerous failure MTTFd. For electromechanical components, this value depends strongly on the number of actuations. EN ISO 13849-1 provides the following calculation formula for this:

Blog_MOEM_PL_Formel1.jpg

 

B10d: average number of switching cycles before 10% of the components have failed.

nop: average number of annual activations

Diagnostic coverage DC. This is used as a measurement to determine the efficiency of fault detection. According to the standard, the average DCavg of an overall system consisting of several safety-related control systems is calculated as follows:
Blog_MOEM_PL_Formel2_en.jpg

Common cause failures CCF. The CCF provides a qualitative assessment of the resistance to external influences, such as ambient conditions. Table F.1 in annex F of the standard lists suitable measures for the machine area and includes a point-based evaluation. 

Relationship between category, MTTFd, DC, CCF and PL. The standard provides a diagram that includes the different combinations of the category with DCavg and MTTFd and relates these to the PL.

Determining the PL with DCavg and MTTFd

A specific example of the assessment can be found in the safety manual.

 

Step 4 – verification of the achieved risk reduction

During the verification, the achieved PL from step 3 is compared against the required PLr from step 1. If PL ≥ PLr, the safety-related parts of the control fulfil the requirements. If PL < PLr, the engineer must make appropriate improvements and then run through the process again.
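
Steps 1, 3 and 4 carried through as one calculation, as an added example that is not from Eaton or the safety manual. It assumes the risk graph assignments, the MTTFd and DCavg band limits, the 65-point CCF threshold and the simplified category table of EN ISO 13849-1, because the page's figures and formulas are not reproduced in the text; all function names are illustrative, and one channel stands for both channels of a symmetric category 3 or 4 design.

```python
# Added example: steps 1, 3 and 4 as one calculation. The two tables are the
# risk graph and the simplified PL table of EN ISO 13849-1, stated here as
# assumptions because the page's figures are not reproduced in the text.
RISK_GRAPH = {  # (S, F, P) -> required performance level PLr
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
SIMPLIFIED = {  # (category, DCavg band) -> PL for MTTFd low / medium / high
    ("B", "none"): ("a", "b", None), ("1", "none"): (None, None, "c"),
    ("2", "low"): ("a", "b", "c"), ("2", "medium"): ("b", "c", "d"),
    ("3", "low"): ("b", "c", "d"), ("3", "medium"): ("c", "d", "d"),
    ("4", "high"): (None, None, "e"),
}

def mttfd_years(b10d, nop):
    """MTTFd of a wearing component: B10d / (0.1 * nop), in years."""
    return b10d / (0.1 * nop)

def channel_mttfd(parts):
    """Series combination of one channel: 1/MTTFd = sum of 1/MTTFd_i."""
    return 1.0 / sum(1.0 / m for _, m in parts)

def dc_avg(parts):
    """DCavg over (dc, mttfd) pairs, each DC weighted by 1/MTTFd."""
    return sum(dc / m for dc, m in parts) / sum(1.0 / m for _, m in parts)

def dc_band(dc):
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

def mttfd_band(years):
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard's bands")
    return 0 if years < 10 else 1 if years < 30 else 2  # low / medium / high

def achieved_pl(category, parts, ccf_points):
    """PL from the simplified table, or None where the table has no entry."""
    if category in ("2", "3", "4") and ccf_points < 65:
        raise ValueError("CCF score below 65 points")
    row = SIMPLIFIED.get((category, dc_band(dc_avg(parts))))
    return row[mttfd_band(channel_mttfd(parts))] if row else None

def verify(s, f, p, category, parts, ccf_points):
    """Step 4: return (PLr, PL, passed); the letters a..e compare in order."""
    plr, pl = RISK_GRAPH[(s, f, p)], achieved_pl(category, parts, ccf_points)
    return plr, pl, pl is not None and pl >= plr
```

With a constructed position switch (DC 0.99, B10d 2,000,000) and contactor (DC 0.90, B10d 1,300,000) at 20,000 actuations per year, a category 3 design scoring 70 CCF points meets PLr d for S2/F1/P2 but not PLr e for S2/F2/P2.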

Step 5 – validation of the safety features

The validation provides a final confirmation that the selected safety features fulfil the requirements for the necessary risk reduction. A validation plan should document which analyses and tests have been carried out to check the solution against the requirements.

 

Summary

The performance level is an important element for ensuring that a machine is safe to use and is therefore key to its functional safety. EN ISO 13849-1 specifies a detailed iterative process for determining and validating the PL. The calculation is not particularly easy. A range of calculation tools (e.g. SISTEMA "Safety of controls on machines" from the DGUV) are therefore available, which help engineers to evaluate the safety of controls.

Learn more about performance level and functional safety for machinery

The safety manual uses example circuits to show how functional safety can be implemented with electrical, electronic and programmable components and systems in safety applications. It shows how different safety levels (SIL or PL) can be achieved. The important international standards EN ISO 13849-1 and IEC 62061 for the safety of machines and systems are explained with practical examples.
