
JAPAN

EDICT OF GOVERNMENT

In order to promote public education and public safety, equal justice for all, a better informed citizenry, the rule of law, world trade and world peace, this legal document is hereby made available on a noncommercial basis, as it is the right of all humans to know and speak the laws that govern them.

JIS B 9705-1 (2011) (English): Safety of machinery -- Safety-related parts of control systems -- Part 1: General principles for design

The citizens of a nation must honor the laws of the land.
Fukuzawa Yukichi
JAPANESE
INDUSTRIAL
STANDARD
Translated and Published by
Japanese Standards Association

JIS B 9705-1: 2011

(ISO 13849-1 : 2006)


(JMF)

Safety of machinery-Safety-related
parts of control systems-Part 1:
General principles for design

ICS 13.110
Reference number: JIS B 9705-1 : 2011 (E)

PROTECTED BY COPYRIGHT
B 9705-1 : 2011 (ISO 13849-1 : 2006)

Date of Establishment: 2000-11-20


Date of Revision: 2011-07-25
Date of Public Notice in Official Gazette: 2011-07-25
Investigated by: Japanese Industrial Standards Committee
Standards Board
Technical Committee on Industrial Machinery

JIS B 9705-1: 2011, First English edition published in 2012-02

Translated and published by: Japanese Standards Association


4-1-24, Akasaka, Minato-ku, Tokyo, 107-8440 JAPAN

In the event of any doubts arising as to the contents,


the original JIS is to be the final authority.

© JSA 2012


All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or
utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm, without permission in writing from the publisher.

Printed in Japan

Contents

Introduction ... 1
1 Scope ... 3
2 Normative references ... 4
3 Terms, definitions, symbols and abbreviated terms ... 5
3.1 Terms and definitions ... 5
3.2 Symbols and abbreviated terms ... 10
4 Design considerations ... 11
4.1 Safety objectives in design ... 11
4.2 Strategy for risk reduction ... 13
4.3 Determination of required performance level (PLr) ... 17
4.4 Design of SRP/CS ... 17
4.5 Evaluation of the achieved performance level PL and relationship with SIL ... 18
4.6 Software safety requirements ... 24
4.7 Verification that achieved PL meets PLr ... 30
4.8 Ergonomic aspects of design ... 30
5 Safety functions ... 31
5.1 Specification of safety functions ... 31
5.2 Details of safety functions ... 33
6 Categories and their relation to MTTFd of each channel, DCavg and CCF ... 36
6.1 General ... 36
6.2 Specifications of categories ... 37
6.3 Combination of SRP/CS to achieve overall PL ... 45
7 Fault consideration, fault exclusion ... 46
7.1 General ... 46
7.2 Fault consideration ... 46
7.3 Fault exclusion ... 47
8 Validation ... 47
9 Maintenance ... 47
10 Technical documentation ... 47
11 Information for use ... 48
Annex A (informative) Determination of required performance level (PLr) ... 50
Annex B (informative) Block method and safety-related block diagram ... 53
Annex C (informative) Calculating or evaluating MTTFd values for single components ... 55
Annex D (informative) Simplified method for estimating MTTFd for each channel ... 63
Annex E (informative) Estimates for diagnostic coverage (DC) for functions and modules ... 65
Annex F (informative) Estimates for common cause failure (CCF) ... 68
Annex G (informative) Systematic failure ... 70
Annex H (informative) Example of combination of several safety-related parts of the control system ... 73
Annex I (informative) Examples ... 76
Annex J (informative) Software ... 84
Annex K (informative) Numerical representation of figure 5 ... 87
Bibliography ... 90


Foreword
This translation has been made based on the original Japanese Industrial Standard revised by the Minister of Health, Labour and Welfare and the Minister of Economy, Trade and Industry through deliberations at the Japanese Industrial Standards Committee as the result of a proposal for revision of the Japanese Industrial Standard submitted by The Japan Machinery Federation (JMF) with the draft being attached, based on the provision of Article 12 Clause 1 of the Industrial Standardization Law applicable to the case of revision by the provision of Article 14.
Consequently JIS B 9705-1: 2000 is replaced with this Standard.
This JIS document is protected by the Copyright Law.
Attention is drawn to the possibility that some parts of this Standard may conflict with a patent right, application for a patent after opening to the public or utility model right which have technical properties. The relevant Ministers and the Japanese Industrial Standards Committee are not responsible for identifying the patent right, application for a patent after opening to the public or utility model right which have the said technical properties.

JAPANESE INDUSTRIAL STANDARD JIS B 9705-1: 2011
(ISO 13849-1: 2006)

Safety of machinery-Safety-related parts of control systems-Part 1: General principles for design

Introduction
This Japanese Industrial Standard has been prepared based on the second edition of ISO 13849-1 published in 2006 without modifying the technical contents.
The portions with dotted underlines are the matters not given in the corresponding International Standard.
The structure of safety standards in the field of machinery is as follows, as stated in JIS B 9700-1.
Type-A standards (basis standards) give basic concepts, principles for design and general aspects that can be applied to machinery.
Type-B standards (generic safety standards) deal with one or more safety aspect(s), or one or more type(s) of safeguards that can be used across a wide range of machinery:
Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
Type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).
Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.
JIS B 9705-1 is a Type-B1 standard as stated in JIS B 9700-1.
When provisions of a Type-C standard are different from those which are stated in Type-A or Type-B standards, the provisions of the Type-C standard take precedence over the provisions of the other standards for machines that have been designed and built according to the provisions of the Type-C standard.
JIS B 9705-1 is intended to give guidance to those involved in the design and assessment of control systems, and to those developing Type-B2 or Type-C standards.
As part of the overall risk reduction strategy at a machine, a designer will often choose to achieve some measure of risk reduction through the application of safeguards employing one or more safety functions.
Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS); these can consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-hand controls as a means of process initiation).
The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called performance levels (PL). These performance levels are defined in terms of probability of dangerous failure per hour (see table 3).


The probability of dangerous failure of the safety function depends on several factors, including hardware and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of components [mean time to dangerous failure (MTTFd), common cause failure (CCF)], design process, operating stress, environmental conditions and operation procedures.
In order to assist the designer and facilitate the assessment of achieved PL, this Standard employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These categories are allocated one of five levels, termed Categories B, 1, 2, 3 and 4.
The performance levels and categories can be applied to safety-related parts of control systems such as
protective devices (e.g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e.g. photoelectric barriers), pressure sensitive devices,
control units (e.g. a logic unit for control functions, data processing, monitoring, etc.), and
power control elements (e.g. relays, valves, etc.),
as well as to control systems carrying out safety functions at all kinds of machinery, from simple ones (e.g. small kitchen machines, or automatic doors and gates) to manufacturing installations (e.g. packaging machines, printing machines, presses).
This Standard is intended to provide a clear basis upon which the design and performance of any application of the SRP/CS (and the machine) can be assessed, for example, by a third party, in-house or by an independent test house.
JIS B 9961 and this Standard specify requirements for the design and implementation of safety-related control systems of machinery. The use of either of these Standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements. The following table summarizes the scopes of JIS B 9961 and this Standard.


Table 1 Recommended application of JIS B 9961 and JIS B 9705-1

Technology implementing the safety-related control function(s) | JIS B 9705-1 | JIS B 9961
A  Non-electrical, e.g. hydraulics | X | Not covered
B  Electromechanical, e.g. relays, and/or non-complex electronics | Restricted to designated architectures a) and up to PL = e | All architectures and up to SIL 3
C  Complex electronics, e.g. programmable | Restricted to designated architectures a) and up to PL = d | All architectures and up to SIL 3
D  A combined with B | Restricted to designated architectures a) and up to PL = e | X c)
E  C combined with B | Restricted to designated architectures a) and up to PL = d | All architectures and up to SIL 3
F  C combined with A, or C combined with A and B | X b) | X c)

X indicates that this item is dealt with by the Standard shown in the column heading.
Notes a) Designated architectures are defined in 6.2 in order to give a simplified approach for quantification of performance level.
b) For complex electronics: use designated architectures according to this Standard up to PL = d or any architecture according to JIS B 9961.
c) For non-electrical technology, use parts in accordance with this Standard as subsystems.

1 Scope
This Standard provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions. It applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.
It does not specify the safety functions or performance levels that are to be used in a particular case.
This Standard provides specific requirements for SRP/CS using programmable electronic system(s).
It does not give specific requirements for the design of products which are parts of SRP/CS. Nevertheless, the principles given, such as categories or performance levels, can be used.
NOTE 1 Examples of products which are parts of SRP/CS: relays, solenoid valves, position switches, PLCs (programmable logic controllers), motor control units, two-hand control devices, pressure sensitive equipment. For the design of such products, it is important to refer to the specifically applicable Standards, e.g. JIS B 9712, JIS B 9717-1 and ISO 13856-2.
NOTE 2 For the definition of required performance level, see 3.1.24.


NOTE 3 The requirements provided in this Standard for programmable electronic systems are compatible with the methodology for the design and development of safety-related electrical, electronic and programmable electronic control systems for machinery given in JIS B 9961.
NOTE 4 For safety-related embedded software for components with PLr = e see IEC 61508-3, clause 7.
NOTE 5 See also table 1.
NOTE 6 The International Standard corresponding to this Standard and the symbol of degree of correspondence are as follows.
ISO 13849-1: 2006 Safety of machinery-Safety-related parts of control systems-Part 1: General principles for design (IDT)
In addition, symbols which denote the degree of correspondence in the contents between the relevant International Standard and JIS are IDT (identical), MOD (modified), and NEQ (not equivalent) according to ISO/IEC Guide 21-1.

2 Normative references
The following standards contain provisions which, through reference in this text, constitute provisions of this Standard. The most recent editions (including amendments) indicated below shall be applied.
JIS B 9700-1 Safety of machinery-Basic concepts, general principles for design-Part 1: Basic terminology, methodology
NOTE: Corresponding International Standard: ISO 12100-1 Safety of machinery-Basic concepts, general principles for design-Part 1: Basic terminology, methodology (IDT)
JIS B 9700-2 Safety of machinery-Basic concepts, general principles for design-Part 2: Technical principles
NOTE: Corresponding International Standard: ISO 12100-2 Safety of machinery-Basic concepts, general principles for design-Part 2: Technical principles (IDT)
JIS B 9702 Safety of machinery-Principles of risk assessment
NOTE: Corresponding International Standard: ISO 14121 Safety of machinery-Principles of risk assessment (IDT)
ISO 13849-2 Safety of machinery-Safety-related parts of control systems-Part 2: Validation
IEC 60050-191 International Electrotechnical Vocabulary. Chapter 191: Dependability and quality of service, Amd.1: 1999 and Amd.2: 2002
IEC 61508-3 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 3: Software requirements and Corr.1: 1999
IEC 61508-4 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 4: Definitions and abbreviations and Corr.1: 1999


3 Terms, definitions, symbols and abbreviated terms

3.1 Terms and definitions


For the purposes of this document, the terms and definitions given in JIS B 9700-1
and IEC 60050-191 and the following apply.

3.1.1 safety-related part of a control system, SRP/CS


part of a control system that responds to safety-related input signals and generates
safety-related output signals
NOTE 1 The combined safety-related parts of a control system start at the point
where the safety-related input signals are initiated (including, for ex-
ample, the actuating cam and the roller of the position switch) and end
at the output of the power control elements (including, for example, the
main contacts of a contactor).
NOTE 2 If monitoring systems are used for diagnostics, they are also considered
as SRP/CS.

3.1.2 category
classification of the safety-related parts of a control system in respect of their resis-
tance to faults and their subsequent behaviour in the fault condition, and which is
achieved by the structural arrangement of the parts, fault detection and/or by their
reliability

3.1.3 fault
state of an item characterized by the inability to perform a required function, exclud-
ing the inability during preventive maintenance or other planned actions, or due to
lack of external resources
NOTE 1 A fault is often the result of a failure of the item itself, but may exist
without prior failure.
(See IEC 60050-191,05-01.)
NOTE 2 In this Standard, "fault" means random fault.
NOTE 3 "Fault" is translated into Japanese as "FUGUAI (SYOGAI)" in JIS B 9700-1, which has the same meaning as "SYOGAI" defined in this Standard; "FUGUAI" is mainly used for machinery.

3.1.4 failure
termination of the ability of an item to perform a required function
NOTE 1 After a failure, the item has a fault.
NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state.
NOTE 3 The concept as defined does not apply to items consisting of software only.
(See IEC 60050-191, 04-01.)
NOTE 4 Failures which only affect the availability of the process under control
are outside of the scope of this Standard.


3.1.5 dangerous failure
failure which has the potential to put the SRP/CS in a hazardous or fail-to-function state
NOTE: Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.
(Adapted from IEC 61508-4, definition 3.6.7.)

3.1.6 common cause failure, CCF
failures of different items, resulting from a single event, where these failures are not consequences of each other
(See IEC 60050-191 Amd.1, 04-23.)
NOTE: Common cause failures should not be confused with common mode failures.

3.1.7 systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.
NOTE 2 A systematic failure can be induced by simulating the failure cause.
(See IEC 60050-191, 04-19.)
NOTE 3 Examples of causes of systematic failures include human error in
the safety requirements specification,
the design, installation, operation of the hardware, and
the design, implementation, etc., of the software.

3.1.8 muting
temporary automatic suspension of a safety function(s) by the SRP/CS

3.1.9 manual reset
function within the SRP/CS used to restore manually one or more safety functions before re-starting a machine

3.1.10 harm
physical injury or damage to health
(See JIS B 9700-1, 3.5.)

3.1.11 hazard
potential source of harm


NOTE 1 A hazard can be qualified in order to define its origin (e.g. mechanical
hazard, electrical hazard) or the nature of the potential harm (e.g. electric
shock hazard, cutting hazard, toxic hazard, fire hazard).
NOTE 2 The hazard envisaged in this definition:
either is permanently present during the intended use of the machine
(e.g. motion of hazardous moving elements, electric arc during a weld-
ing phase, unhealthy posture, noise emission, high temperature);
or may appear unexpectedly (e.g. explosion, crushing hazard as a
consequence of an unintended/unexpected start-up, ejection as a con-
sequence of a breakage, fall as a consequence of acceleration/decel-
eration).
(See JIS B 9700-1, 3.6.)

3.1.12 hazardous situation


circumstance in which a person is exposed to at least one hazard, the exposure hav-
ing immediately or over a long period of time the potential to result in harm
(See JIS B 9700-1, 3.9.)

3.1.13 risk
combination of the probability of occurrence of harm and the severity of that harm
(See JIS B 9700-1, 3.11.)

3.1.14 residual risk


risk remaining after protective measures have been taken
See figure 2.
(Adapted from JIS B 9700-1, definition 3.12.)

3.1.15 risk assessment


overall process comprising risk analysis and risk evaluation
(See JIS B 9700-1, 3.13.)

3.1.16 risk analysis


combination of the specification of the limits of the machine, hazard identification and
risk estimation
(See JIS B 9700-1, 3.14.)

3.1.17 risk evaluation


judgement, on the basis of risk analysis, of whether risk reduction objectives have been
achieved
(See JIS B 9700-1, 3.16.)

3.1.18 intended use of a machine


use of the machine in accordance with the information provided in the instructions for
use
(See JIS B 9700-1, 3.22.)


3.1.19 reasonably foreseeable misuse


use of a machine in a way not intended by the designer, but which may result from
readily predictable human behaviour
(See JIS B 9700-1, 3.23.)

3.1.20 safety function


function of the machine whose failure can result in an immediate increase of the risk(s)
(See JIS B 9700-1, 3.28.)

3.1.21 monitoring
safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated

3.1.22 programmable electronic system, PES
system for control, protection or monitoring dependent for its operation on one or more programmable electronic devices, including all elements of the system such as power supplies, sensors and other input devices, contactors and other output devices
(Adapted from IEC 61508-4, definition 3.3.2.)

3.1.23 performance level, PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions
NOTE: See 4.5.1.

3.1.24 required performance level, PLr
performance level (PL) applied in order to achieve the required risk reduction for each safety function
See figures 2 and A.1.

3.1.25 mean time to dangerous failure, MTTFd
expectation of the mean time to dangerous failure
(Adapted from JIS B 9961, definition 3.2.34.)

3.1.26 diagnostic coverage, DC


measure of the effectiveness of diagnostics, which may be determined as the ratio
between the failure rate of detected dangerous failures and the failure rate of total
dangerous failures
NOTE: Diagnostic coverage can exist for the whole or parts of a safety-related
system. For example, diagnostic coverage could exist for sensors and/or
logic system and/or final elements.
(Adapted from IEC 61508-4, definition 3.8.6.)


3.1.27 protective measure
measure intended to achieve risk reduction
Example 1 Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.
Example 2 Implemented by the user: organization (safe working procedures, supervision, permit-to-work systems), provision and use of additional safeguards, personal protective equipment, training.
(Adapted from JIS B 9700-1, definition 3.18.)

3.1.28 mission time, TM


period of time covering the intended use of an SRP/CS

3.1.29 test rate, rt


frequency of automatic tests to detect faults in an SRP/CS, reciprocal value of diag-
nostic test interval

3.1.30 demand rate, rd


frequency of demands for a safety-related action of the SRP/CS

3.1.31 repair rate, rr


reciprocal value of the period of time between detection of a dangerous failure by either
an online test or obvious malfunction of the system and the restart of operation after
repair or system/component replacement
NOTE: The repair time does not include the span of time needed for failure-
detection.

3.1.32 machine control system
system which responds to input signals from parts of machine elements, operators, external control equipment or any combination of these and generates output signals causing the machine to behave in the intended manner
NOTE: The machine control system can use any technology or any combination of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, mechanical).

3.1.33 safety integrity level, SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE (electric/electronic/programmable electronic) safety-related systems, where safety integrity level 4 (SIL4) has the highest level of safety integrity and safety integrity level 1 (SIL1) has the lowest
(See IEC 61508-4, 3.5.6.)

3.1.34 limited variability language, LVL
type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications
(Adapted from IEC 61511-1, definition 3.2.81.1.2.)


NOTE 1 Typical examples of LVL (ladder logic, function block diagram) are given in JIS B 3503.
NOTE 2 A typical example of a system using LVL: PLC.

3.1.35 full variability language, FVL
type of language that provides the capability of implementing a wide variety of functions and applications
Example: C, C++, Assembler.
(Adapted from IEC 61511-1, definition 3.2.81.1.3.)
NOTE 1 A typical example of systems using FVL: embedded systems.
NOTE 2 In the field of machinery, FVL is found in embedded software and rarely in application software.

3.1.36 application software
software specific to the application, implemented by the machine manufacturer, and generally containing logic sequences, limits and expressions that control the appropriate inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements

3.1.37 embedded software, firmware, system software
software that is part of the system supplied by the control manufacturer and which is not accessible for modification by the user of the machinery
NOTE: Embedded software is usually written in FVL.

3.2 Symbols and abbreviated terms
See table 2.

Table 2 Symbols and abbreviated terms

Symbol or abbreviation | Description | Definition or occurrence
a, b, c, d, e | Denotation of performance levels | Table 3
AOPD | Active optoelectronic protective device (e.g. light barrier) | Annex H
B, 1, 2, 3, 4 | Denotation of categories | Table 7
B10d | Number of cycles until 10 % of the components fail dangerously (for pneumatic and electromechanical components) | Annex C
Cat. | Category | 3.1.2
CC | Current converter | Annex I
CCF | Common cause failure | 3.1.6
DC | Diagnostic coverage | 3.1.26
DCavg | Average diagnostic coverage | E.2
F, F1, F2 | Frequency and/or time of exposure to the hazard | A.2.2
FB | Function block | 4.6.3
FVL | Full variability language | 3.1.35
FMEA | Failure modes and effects analysis | 7.2
I, I1, I2 | Input device, e.g. sensor | 6.2
i, j | Index for counting | Annex D
I/O | Inputs/outputs | Table E.1
iab, ibc | Interconnecting means | Figure 4
(symbols as used in annex I) | Contactors | Annex I
L, L1, L2 | Logic | 6.2
LVL | Limited variability language | 3.1.34
M | Motor | Annex I
MTTF | Mean time to failure | Annex C
MTTFd | Mean time to dangerous failure | 3.1.25
N | Number of items | 6.3, D.1
Nlow | Number of SRP/CS with PLlow in a combination of SRP/CS | 6.3
O, O1, O2 | Output device, e.g. actuator | 6.2
P, P1, P2 | Possibility of avoiding the hazard | A.2.3
PES | Programmable electronic system | 3.1.22
PL | Performance level | 3.1.23
PLC | Programmable logic controller | Annex I
PLlow | Lowest performance level of an SRP/CS in a combination of SRP/CS | 6.3
PLr | Required performance level | 3.1.24
rd | Demand rate | 3.1.30
RS | Rotation sensor | Annex I
S, S1, S2 | Severity of injury | A.2.1
(symbols as used in annex I) | Position switches | Annex I
SIL | Safety integrity level | Table 4
SRASW | Safety-related application software |
SRESW | Safety-related embedded software |
SRP | Safety-related part | General
SRP/CS | Safety-related part of a control system | 3.1.1
TE | Test equipment | 6.2
TM | Mission time | 3.1.28
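The quantities defined in 3.1.25 (MTTFd), 3.1.26 (DC) and table 2 (B10d) are the inputs that clause 4.5 and annexes C to E combine into an achieved PL, but the definitions alone do not show how a failure-mode list turns into those numbers. The following Python is an added worked example written for this page; it is not code from the Standard or from JSA. It assumes constant dangerous failure rates (so MTTFd = 1/λd), uses a constructed failure-mode list for one contactor channel, and takes the DC bands and the PL bands of probability of dangerous failure per hour from ISO 13849-1:2006 tables 5 and 3, which this page refers to but does not reproduce.

```python
# Added worked example (not part of JIS B 9705-1 / ISO 13849-1): turns the
# definitions of MTTFd (3.1.25), DC (3.1.26) and B10d (table 2) into numbers
# for one channel of an SRP/CS. Assumptions, labelled as such:
#  - constant dangerous failure rates, so MTTFd = 1 / lambda_d;
#  - the failure-mode list in sample_channel() is constructed, not taken
#    from any component data sheet;
#  - the DC bands and the PL bands are those of ISO 13849-1:2006 tables 5
#    and 3, which this page refers to but does not reproduce.
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_per_hour: float  # lambda of this failure mode
    dangerous: bool       # puts the SRP/CS in a hazardous / fail-to-function state (3.1.5)
    detected: bool        # revealed by the channel's diagnostic measures


def dangerous_rates(modes):
    """Return (lambda_d, lambda_dd): total and detected dangerous failure rates."""
    lam_d = sum(m.rate_per_hour for m in modes if m.dangerous)
    lam_dd = sum(m.rate_per_hour for m in modes if m.dangerous and m.detected)
    return lam_d, lam_dd


def diagnostic_coverage(modes):
    """DC = lambda_dd / lambda_d (3.1.26); undefined when nothing can fail dangerously."""
    lam_d, lam_dd = dangerous_rates(modes)
    if lam_d == 0.0:
        raise ValueError("no dangerous failure modes: DC is undefined")
    return lam_dd / lam_d


def dc_band(dc):
    """DC bands of ISO 13849-1 table 5 (assumed; not reproduced on this page)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def mttfd_years(modes):
    """MTTFd = 1 / lambda_d in years, under the constant-rate assumption."""
    lam_d, _ = dangerous_rates(modes)
    if lam_d == 0.0:
        return math.inf
    return 1.0 / (lam_d * HOURS_PER_YEAR)


def cycles_per_year(days_per_year, hours_per_day, cycle_time_s):
    """nop: mean number of operating cycles per year."""
    return days_per_year * hours_per_day * 3600.0 / cycle_time_s


def mttfd_from_b10d(b10d, nop):
    """B10d is the number of cycles until 10 % of the components fail dangerously
    (table 2). Treating that as about 0.1 dangerous failures per B10d cycles gives
    lambda_d ~= 0.1 / B10d per cycle, hence MTTFd = B10d / (0.1 * nop) years."""
    return b10d / (0.1 * nop)


def pl_from_pfhd(pfhd):
    """Performance level for a probability of dangerous failure per hour
    (ISO 13849-1 table 3, assumed): returns 'a'..'e', or None if out of range."""
    bands = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
             ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
    for pl, lo, hi in bands:
        if lo <= pfhd < hi:
            return pl
    return None


def sample_channel():
    """Constructed single-channel contactor example (illustrative rates only)."""
    return [
        FailureMode("contact welded closed", 2e-7, dangerous=True, detected=True),   # seen by mirror-contact feedback
        FailureMode("coil open circuit", 3e-7, dangerous=False, detected=True),      # de-energises: safe side
        FailureMode("contact fails to close", 1e-7, dangerous=False, detected=False),
        FailureMode("return spring broken, contact stays closed", 5e-8, dangerous=True, detected=False),
    ]


if __name__ == "__main__":
    ch = sample_channel()
    lam_d, lam_dd = dangerous_rates(ch)
    dc = diagnostic_coverage(ch)
    print(f"lambda_d={lam_d:.2e}/h  lambda_dd={lam_dd:.2e}/h  DC={dc:.0%} ({dc_band(dc)})")
    print(f"MTTFd={mttfd_years(ch):.0f} years")
    nop = cycles_per_year(220, 16, 30)
    print(f"B10d=2e6 cycles, nop={nop:.0f}/year -> MTTFd={mttfd_from_b10d(2e6, nop):.1f} years")
    print("PL for 5e-7/h:", pl_from_pfhd(5e-7))
```

The point the numbers make is that DC is driven by which dangerous modes the diagnostic actually reveals, not by how many modes are listed: in the constructed channel the one undetected spring failure alone pulls DC from 100 % to 80 %, i.e. from the "high" band to "low". Safe-side failures (coil open, contact fails to close) do not enter λd at all, so they improve neither DC nor MTTFd.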

4 Design considerations

4.1 Safety objectives in design


The SRP/CS shall be designed and constructed so that the principles of JIS B 9700-1
and JIS B 9702 are fully taken into account (see figures 1 and 3). All intended use
and reasonably foreseeable misuse shall be considered.


[Figure 1 (flow chart; only the text of its boxes is recoverable here)]
Risk assessment carried out in accordance with JIS B 9702:
- Determination of the limits of the machinery (see JIS B 9700-1, 5.2)
- Hazard identification (see JIS B 9700-1, clause 4 and 5.3)
- Risk estimation (see JIS B 9700-1, 5.3)
- Risk evaluation (see JIS B 9700-1, 5.3)
This iterative risk reduction process shall be carried out separately for each hazard
under each condition of use (task).
Risk reduction process for the hazard:
1 by intrinsic design,
2 by safeguards,
3 by information for use
(see JIS B 9700-1, figure 2)
Iterative process of the design of safety-related parts of the control system (SRP/CS)
(see figure 3 a))
NOTE: The details of this framework surrounded with dotted line is
Note a) Refers to this Standard, figure 3.

Figure 1 Overview of risk assessment/risk reduction


4.2 Strategy for risk reduction

4.2.1 General
The strategy for risk reduction at the machine is given in JIS B 9700-1, clause 5,
and further guidance is given in JIS B 9700-2, clauses 4 and 5. This strategy covers
the whole life cycle of the machine.

The hazard analysis and risk reduction process for a machine requires that hazards
are eliminated or reduced through a hierarchy of measures:
- hazard elimination or risk reduction by design (see JIS B 9700-2, clause 4);
- risk reduction by safeguarding and possibly complementary protective measures
  (see JIS B 9700-2, clause 5);
- risk reduction by the provision of information for use about the residual risk (see
  JIS B 9700-2, clause 6).

4.2.2 Contribution to the risk reduction by the control system


The purpose in following the overall design procedure for the machine is to achieve
the safety objectives (see 4.1). The design of the SRP/CS to provide the required risk
reduction is an integral subset of the overall design procedure for the machine. The
SRP/CS provides safety function(s) at a PL which achieves the required risk reduction.
In providing safety function(s), either as an inherently safe part of the design or as a
control for a safeguard or protective device, the design of the SRP/CS is a part of the
strategy for risk reduction. This is an iterative process and is illustrated in figures 1
and 3.
For each safety function, the characteristics (see clause 5) and the required performance
level shall be specified and documented in the safety requirements specification.
In this Standard the performance levels are defined in terms of probability of dangerous
failure per hour. Five performance levels (a to e) are set out, with defined ranges
of probability of a dangerous failure per hour (see table 3).

Table 3 Performance levels (PL)

PL   Average probability of dangerous failure per hour (PFHd) [1/h]
a    10^-5 ≤ PFHd < 10^-4
b    3 × 10^-6 ≤ PFHd < 10^-5
c    10^-6 ≤ PFHd < 3 × 10^-6
d    10^-7 ≤ PFHd < 10^-6
e    10^-8 ≤ PFHd < 10^-7
NOTE: Besides the average probability of dangerous failure per hour,
other measures are also necessary to achieve the PL.

From the risk assessment (see JIS B 9702) at the machine, the designer shall decide
the contribution to the reduction of risk which needs to be provided by each relevant
safety function which is carried out by the SRP/CS(s). This contribution does not cover
the overall risk of the machinery under consideration (e.g. not the overall risk of a
mechanical press or washing machine) but that part of the risk reduced by the
application of particular safety functions. Examples of such functions are the stopping
function initiated by using an electro-sensitive protective device on a press or the
door-locking function of a washing machine.
Risk reduction can be achieved by applying various protective measures (both
SRP/CS and non-SRP/CS) with the end result of a safe condition (see figure 2).


[Figure 2 (diagram; only its key is recoverable here)]
Key
Rh        for a specific hazardous situation, the risk before protective measures are applied
Rr        risk reduction required from protective measures
Ra        actual risk reduction achieved with protective measures
1         solution 1 - important part of risk reduction due to protective measures other than SRP/CS
          (e.g. mechanical measures), small part of risk reduction due to SRP/CS
2         solution 2 - important part of risk reduction due to the SRP/CS (e.g. light curtain), small part
          of risk reduction due to protective measures other than SRP/CS (e.g. mechanical measures)
3         adequately reduced risk
4         inadequately reduced risk
R         risk
a         residual risk obtained by solutions 1 and 2
b         adequately reduced risk
R1SRP/CS, R2SRP/CS   risk reduction from the safety function carried out by the SRP/CS
R1M, R2M  risk reduction from protective measures other than SRP/CS (e.g. mechanical measures)
NOTE: See JIS B 9700 series for further information on risk reduction.

Figure 2 Overview of the risk reduction process for each hazardous situation


[Figure 3 (flow chart; only the text of its boxes is recoverable here)]
- Identify the safety functions to be performed by SRP/CSs
- For each safety function specify the required characteristics (see clause 5)
- For each selected safety function: determine the required performance level PLr
  (see 4.3 and Annex A)
- Identify the safety-related parts which carry out the safety function
- Evaluate the performance level PL (see 4.5) of the above safety-related parts, considering:
  category (see clause 6), MTTFd (see Annexes C and D), DC (see Annex E), CCF (see Annex F),
  if software (see 4.6 and Annex J)
- Are other hazards ...
Note a) ISO 13849-2 provides additional help for the validation.

Figure 3 Iterative process for design of safety-related parts of control systems (SRP/CS)


4.3 Determination of required performance level


For each selected safety function to be carried out by an SRP/CS, a required performance
level (PLr) shall be determined and documented (see Annex A for guidance
on determining PLr). The determination of the required performance level is the result
of the risk assessment and refers to the amount of the risk reduction to be carried
out by the safety-related parts of the control system (see figure 2).
The greater the amount of risk reduction required to be provided by the SRP/CS,
the higher the PLr shall be.

4.4 Design of SRP/CS


Part of the risk reduction process is to determine the safety functions of the machine.
This will include the safety functions of the control system, e.g. prevention of
unexpected start-up.
A safety function may be implemented by one or more SRP/CS, and several safety
functions may share one or more SRP/CS [e.g. a logic unit, power control element(s)].
It is also possible that one SRP/CS implements safety functions and standard control
functions. The designer may use any of the technologies available, singly or in
combination. SRP/CS may also provide an operational function (e.g. an AOPD as a means
of cycle initiation).
A typical safety function diagrammatic presentation is given in figure 4 showing a
combination of safety-related parts of control systems (SRP/CS) for
- input (SRP/CSa),
- logic/processing (SRP/CSb),
- output/power control elements (SRP/CSc), and
- interconnecting means (iab, ibc) (e.g. electrical, optical).
NOTE 1 Within the same machinery it is important to distinguish between different
safety functions and their related SRP/CS carrying out a certain
safety function.
Having identified the safety functions of the control system, the designer shall identify
the SRP/CS (see figures 1 and 3) and, where necessary, shall assign them to input,
logic and output and, in the case of redundancy, the individual channels, and then
evaluate the performance level PL (see figure 3).
NOTE 2 Designated architectures are given in clause 6.
NOTE 3 All interconnecting means are included in the safety-related parts.


[Figure 4 (block diagram; only its key is recoverable here)]
Key
I   input
L   logic
O   output
1   initiation event (e.g. manual actuation of a push button, opening of guard, interruption of beam
    of AOPD)
2   machine actuator (e.g. motor, brakes)

Figure 4 Diagrammatic presentation of combination of safety-related parts
of control systems for processing typical safety function

4.5 Evaluation of the achieved performance level PL and relationship with SIL

4.5.1 Performance level PL


For the purposes of this Standard, the ability of safety-related parts to perform a
safety function is given through the determination of the performance level.
For each selected SRP/CS and/or for the combination of SRP/CS that performs a
safety function the estimation of PL shall be done.
The PL of the SRP/CS shall be determined by the estimation of the following aspects:
- the MTTFd value for single components (see Annexes C and D);
- the DC (see Annex E);
- the CCF (see Annex F);
- the structure (see clause 6);
- the behaviour of the function under fault condition(s) (see clause 6);
- safety-related software (see 4.6 and Annex J);
- systematic failure (see Annex G);
- the ability to perform a safety function under expected environmental conditions.
NOTE 1 Other parameters, e.g. operational demand rate, test rate, can also have an
influence.

These aspects can be grouped under two approaches in relation to the evaluation
process:
a) quantifiable aspects (MTTFd value for components, DC, CCF, structure);


b) non-quantifiable, qualitative aspects which affect the behaviour of the SRP/CS
(behaviour of the safety function under fault conditions, safety-related software,
systematic failure and environmental conditions).
Among the quantifiable aspects, the contribution of reliability (e.g. MTTFd, structure)
can vary with the technology used. For example, it is possible (within certain
limits) for a single channel of safety-related parts of high reliability in one technology
to provide the same or higher PL as a fault-tolerant structure of low reliability in
another technology.
There are several methods for estimating the quantifiable aspects of the PL for any
type of system (e.g. a complex structure), for example, Markov modelling, generalized
stochastic Petri nets (GSPN), reliability block diagrams (see, e.g. IEC 61508 series).
To make the assessment of the quantifiable aspects of the PL easier, this Standard
provides a simplified method based on the definition of five designated architectures
that fulfil specific design criteria and behaviour under a fault condition (see 4.5.4).
For an SRP/CS or combination of SRP/CS designed according to the requirements
given in clause 6, the average probability of a dangerous failure could be estimated
by means of figure 5 and the procedure given in Annexes A to H, J and K.
For an SRP/CS which deviates from the designated architectures, a detailed calculation
shall be provided to demonstrate the achievement of the required performance
level (PLr).
In applications where the SRP/CS can be considered simple, and the required performance
level is a to c, a qualitative estimation of the PL may be justified in the design
rationale.
NOTE 2 For the design of complex control systems, such as PES designed to perform
safety functions, the application of other standards can be appropriate
(e.g. IEC 61508 series, JIS B 9961 or JIS B 9704).
The achievement of qualitative aspects of the PL can be demonstrated by the application
of the recommended measures given in 4.6 and Annex G.
In standards in accordance with IEC 61508 series, the ability of safety-related control
systems to perform a safety function is given through a SIL. Table 4 displays the
relationship between the two concepts (PLs and SILs).
PLa has no correspondence on the SIL scale and is mainly used to reduce the risk
of slight, normally reversible, injury. Since SIL4 is dedicated to catastrophic events
possible in the process industry, this range is not relevant for risks at machines. Thus
PLe corresponding to SIL3 is defined as the highest level.


Table 4 Relationship between performance level (PL) and safety integrity level (SIL)

PL    SIL (high/continuous mode of operation)
a     No correspondence
b     1
c     1
d     2
e     3

Therefore, protective measures to reduce the risk shall be applied, principally the
following.
- Reduce the probability of faults at the component level. The aim is to reduce the
  probability of faults or failures which affect the function. This can be done
  by increasing the reliability of components, e.g. by selection of well-tried components
  and/or applying well-tried safety principles, in order to minimize or exclude
  critical faults or failures (see ISO 13849-2).
- Improve the structure of the SRP/CS. The aim is to avoid the dangerous effect of
  a fault. Some faults may be detected and a redundant and/or monitored structure
  could be needed.
Both measures can be applied separately or in combination. With some technologies,
risk reduction can be achieved by selecting reliable components and by fault
exclusions; but with other technologies, risk reduction could require a redundant and/or
monitored system. In addition, common cause failures (CCF) shall be taken into
account (see figure 3).
For architectural constraints, see clause 6.

4.5.2 Mean time to dangerous failure of each channel (MTTFd)


The value of the MTTFd of each channel is given in three levels (see table 5) and
shall be taken into account for each channel (e.g. single channel, each channel of a
redundant system) individually.
With regard to MTTFd, a maximum value of 100 years can be taken into account.


Table 5 Mean time to dangerous failure of each channel (MTTFd)

Denotation of each channel   Range of each channel
Low                          3 years ≤ MTTFd < 10 years
Medium                       10 years ≤ MTTFd < 30 years
High                         30 years ≤ MTTFd ≤ 100 years
NOTE 1 The choice of the MTTFd ranges of each channel is based on failure rates found in the
field as forming a kind of logarithmic scale fitting to the logarithmic PL scale. An MTTFd
value of each channel less than three years is not expected to be found for real SRP/CS since
this would mean that after one year about 30 % of all systems on the market will fail and
will need to be replaced. An MTTFd value of each channel greater than 100 years is not
acceptable because SRP/CS for high risks should not depend on the reliability of components
alone. To reinforce the SRP/CS against systematic and random failure, additional means such
as redundancy and testing should be required. To be practicable, the number of ranges was
restricted to three. The limitation of MTTFd of each channel values to a maximum of 100 years
refers to the channel of the SRP/CS which carries out the safety function. Higher MTTFd
values can be used for components (see table D.1).
NOTE 2 The indicated borders of this table are assumed within an accuracy of 5 %.

For the estimation of MTTFd of a component, the hierarchical procedure for finding
data shall be, in the order given:
a) use manufacturer's data;
b) use methods in Annexes C and D;
c) choose ten years.

4.5.3 Diagnostic coverage (DC)


The value of the DC is given in four levels (see table 6).
For the estimation of DC, in most cases, failure mode and effects analysis (FMEA,
see IEC 60812) or similar methods can be used. In this case, all relevant faults and/or
failure modes should be considered and the PL of the combination of the SRP/CS which
carry out the safety function should be checked against the required performance level
(PLr). For a simplified approach to estimating DC, see Annex E.


Table 6 Diagnostic coverage (DC)

Denotation   Range
None         DC < 60 %
Low          60 % ≤ DC < 90 %
Medium       90 % ≤ DC < 99 %
High         99 % ≤ DC
NOTE 1 For SRP/CS consisting of several parts an average value for DC is used in
figure 5, clause 6 and E.2.
NOTE 2 The choice of the DC ranges is based on the values 60 %, 90 % and 99 % also
established in other standards (e.g. IEC 61508 series) dealing with diagnostic coverage
of tests. Investigations show that (100 − DC) rather than DC itself is a characteristic
measure for the effectiveness of the test. (100 − DC) for the key values 60 %, 90 %
and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC
value less than 60 % has only slight effect on the reliability of the tested system and is
therefore called "none". A DC value greater than 99 % for complex systems is very hard
to achieve. To be practicable, the number of ranges was restricted to four. The indicated
borders of this table are assumed within an accuracy of 5 %.

4.5.4 Simplified procedure for estimating PL


The PL may be estimated by taking into account all relevant parameters and the
appropriate methods for calculation (see 4.5.1).
This clause describes a simplified procedure for estimating the PL of an SRP/CS
based on designated architectures. Some other architectures with similar structure
may be transformed to these designated architectures in order to obtain an estimation
of the PL.
The designated architectures are represented as block diagrams, and are listed in
the context of each category in 6.2. Information about the block method and the
safety-related block diagrams are given in 6.2 and Annex B.
The designated architectures show a logical representation of the system structure
for each category. The technical realization or, for example, the functional circuit
diagram, may look completely different.
The designated architectures are drawn for the combined SRP/CS, starting at the
points where the safety-related signals are initiated and ending at the output of the
power control elements (see also JIS B 9700-1, Annex A). The designated architectures
can also be used to describe a part or subpart of a control system that responds
to input signals and generates safety-related output signals. Thus the "input" element
can represent, for example, a light curtain (AOPD) as well as input circuits of control
logic elements or input switches. "Output" can also represent, for example, an output
signal switching device (OSSD) or outputs of laser-scanners.
For the designated architectures, the following typical assumptions are made:
- mission time, 20 years (see clause 10);
- constant failure rates within the mission time;
- for category 2, demand rate ≤ 1/100 test rate;
- for category 2, MTTFd,TE larger than half of MTTFd,L.
NOTE: When blocks of each channel cannot be separated, the following can be
applied: MTTFd of the summarized test channel (TE, OTE) larger than
half MTTFd of the summarized functional channel (I, L, O).
The methodology considers the categories as architectures with defined DCavg. The
PL of each SRP/CS depends on the architecture, the mean time to dangerous failure
(MTTFd) in each channel and the DCavg.
Common cause failures (CCF) should also be taken into account (for guidance, see
Annex F).
For SRP/CS with software, the requirements of 4.6 apply.
If quantitative data is not available or not used (e.g. low complexity systems), the
worst case of all relevant parameters should be chosen.
A combination of SRP/CS or a single SRP/CS may have a PL. The combination of
several SRP/CS with different PL is considered in 6.3.
In the case of applications with PLr a to c, measures to avoid faults can be sufficient;
for higher risk applications, PLr d to e, the structure of the SRP/CS can provide
measures for avoiding, detecting or tolerating faults. Practical measures include
redundancy, diversity, monitoring (see also JIS B 9700-2, clause 3 and JIS B 9960-1).
Figure 5 shows the procedure for the selection of categories in combination with the
MTTFd of each channel and DCavg to achieve the required PL of the safety function.
For the estimation of the PL, figure 5 gives the different possible combinations of
category with DCavg (horizontal axis) and the MTTFd of each channel (bars). The bars
in the diagram represent the three MTTFd ranges of each channel (low, medium and
high) which can be selected to achieve the required PL.
Before using this simplified approach with figure 5 (which represents results of different
Markov models based on designated architectures of clause 6), the category of
the SRP/CS as well as DCavg and the MTTFd of each channel shall be determined (see
clause 6 and Annexes C to E).
For categories 2, 3 and 4, sufficient measures against common cause failure shall
be carried out (for guidance, see Annex F). Taking these parameters into account,
figure 5 provides a graphical method for determining the PL achieved by the SRP/CS.
The combination of category (including common cause failure) and DCavg determines
which column of figure 5 is to be chosen. According to the MTTFd of each channel, one
of the three different shaded areas of the relevant column shall be chosen.
The vertical position of this area determines the achieved PL which can be read
off the vertical axis. If the area covers two or three possible PLs, the PL achieved is
given in table 7. For a more precise numerical selection of PL depending on the precise
value of MTTFd of each channel, see Annex K.


[Figure 5 (bar chart; only its axis labels and key are recoverable here)]
Vertical axis: PL (a to e)
Horizontal axis (columns): Cat. B, DCavg none; Cat. 1, DCavg none; Cat. 2, DCavg low;
Cat. 2, DCavg medium; Cat. 3, DCavg low; Cat. 3, DCavg medium; Cat. 4, DCavg high
Key
PL   performance level
1    MTTFd of each channel = low
2    MTTFd of each channel = medium
3    MTTFd of each channel = high

Figure 5 Relationship between categories, DCavg, MTTFd of each channel and PL

Table 7 Simplified procedure for evaluating PL achieved by SRP/CS

Category                B             1             2             2             3             3             4
DCavg                   none          none          low           medium        low           medium        high
MTTFd of each channel
  Low                   a             Not covered   a             b             b             c             Not covered
  Medium                b             Not covered   b             c             c             d             Not covered
  High                  Not covered   c             c             d             d             d             e
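The simplified procedure of 4.5.2 to 4.5.4 carried through in code, as an added example that is not code from the standard: raw MTTFd and DCavg values are classified with the table 5 and table 6 thresholds, table 7 yields the PL, and the result is compared with PLr; table 3 and table 4 lookups are included for the same SRP/CS. The function names are our own, the Annex F CCF requirement is reduced to a yes/no input, and the Annex K precise selection and the category 2 test-rate assumptions are not modelled.

```python
"""Simplified PL estimation following 4.5.2 to 4.5.4 and tables 3 to 7.

Added worked example; not code from JIS B 9705-1 / ISO 13849-1. Function names
are our own. The CCF score of Annex F is taken as a yes/no input; Annex K and the
category 2 assumptions on test rate and MTTFd,TE must be checked separately.
"""
from typing import Optional

PL_ORDER = "abcde"          # PL a is the lowest level, PL e the highest
MTTFD_CAP_YEARS = 100.0     # 4.5.2: at most 100 years may be taken into account


def mttfd_level(mttfd_years: float) -> str:
    """Table 5: map MTTFd of one channel (years) to low / medium / high."""
    years = min(mttfd_years, MTTFD_CAP_YEARS)
    if years < 3.0:
        raise ValueError("MTTFd of each channel below 3 years is not covered (table 5)")
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def dc_level(dc_avg_percent: float) -> str:
    """Table 6: map DCavg (percent) to none / low / medium / high."""
    if not 0.0 <= dc_avg_percent <= 100.0:
        raise ValueError("DCavg must be a percentage between 0 and 100")
    if dc_avg_percent < 60.0:
        return "none"
    if dc_avg_percent < 90.0:
        return "low"
    if dc_avg_percent < 99.0:
        return "medium"
    return "high"


# Table 7, keyed by (category, DCavg level); None marks a "Not covered" cell.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def achieved_pl(category: str, dc_avg_percent: float, mttfd_years: float,
                ccf_measures_sufficient: bool = True) -> Optional[str]:
    """PL reached by one SRP/CS under the simplified procedure.

    Returns None for a combination that table 7 marks "Not covered"; raises for
    a category/DCavg pairing that is not a designated architecture at all.
    """
    dc = dc_level(dc_avg_percent)
    if (category, dc) not in TABLE_7:
        raise ValueError(f"category {category} with DCavg {dc} is not a designated architecture")
    # 4.5.4: categories 2, 3 and 4 require sufficient measures against CCF (Annex F).
    if category in ("2", "3", "4") and not ccf_measures_sufficient:
        raise ValueError("categories 2, 3 and 4 require sufficient measures against CCF")
    return TABLE_7[(category, dc)][mttfd_level(mttfd_years)]


def meets_required_pl(achieved: Optional[str], required: str) -> bool:
    """4.3: the achieved PL must be at least PLr."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def pl_from_pfhd(pfhd_per_hour: float) -> Optional[str]:
    """Table 3: PL band for an average probability of dangerous failure per hour."""
    bands = [("a", 1e-5, 1e-4), ("b", 3e-6, 1e-5), ("c", 1e-6, 3e-6),
             ("d", 1e-7, 1e-6), ("e", 1e-8, 1e-7)]
    for pl, lower, upper in bands:
        if lower <= pfhd_per_hour < upper:
            return pl
    return None  # outside the ranges of PL a to e


def sil_for_pl(pl: str) -> Optional[int]:
    """Table 4: SIL (high/continuous mode) for a PL; PL a has no correspondence."""
    return {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}[pl]


if __name__ == "__main__":
    # Constructed case: a guard interlock realised as category 3 with DCavg 92 %
    # and MTTFd of each channel 45 years, against a PLr of d from the risk graph.
    pl = achieved_pl("3", 92.0, 45.0)
    print(f"achieved PL {pl}; meets PLr d: {meets_required_pl(pl, 'd')}; SIL {sil_for_pl(pl)}")
```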

4.6 Software safety requirements

4.6.1 General
All lifecycle activities of safety-related embedded or application software shall primarily
consider the avoidance of faults introduced during the software lifecycle (see
figure 6). The main objective of the following requirements is to have readable,
understandable, testable and maintainable software.


[Figure 6 (V-model diagram; only the text of its boxes is recoverable here)]
Left branch: Safety functions specification -> Safety-related software specification
-> System design -> Module design -> Coding
Right branch: Module testing -> Integration testing -> Validation -> Validated software
Arrow legend: Result; Verification
NOTE: Annex J gives more detailed recommendations for lifecycle activities.

Figure 6 Simplified V-model of software safety lifecycle

4.6.2 Safety-related embedded software (SRESW)


For SRESW for components with PLr a to d, the following basic measures shall be
applied:
- software safety lifecycle with verification and validation activities, see figure 6;
- documentation of specification and design;
- modular and structured design and coding;
- control of systematic failures (see G.2);
- where using software-based measures for control of random hardware failures,
  verification of correct implementation;
- functional testing, e.g. black box testing;
- appropriate software safety lifecycle activities after modifications.
For SRESW for components with PLr c or d, the following additional measures shall
be applied:
- project management and quality management system comparable to, e.g. IEC 61508
  series or JIS Q 9001;
- documentation of all relevant activities during software safety lifecycle;
- configuration management to identify all configuration items and documents related
  to a SRESW release;
- structured specification with requirements and design;
- use of suitable programming languages and computer-based tools with confidence
  from use;
- modular and structured programming, separation from non-safety-related software,
  limited module sizes with fully defined interfaces, use of design and coding standards;
- coding verification by walk-through/review with control flow analysis;
- extended functional testing, e.g. grey box testing, performance testing or simulation;
- impact analysis and appropriate software safety lifecycle activities after modifications.
SRESW for components with PLr = e shall comply with IEC 61508-3, clause 7,
appropriate for SIL3. When using diversity in specification, design and coding, for the
two channels used in SRP/CS with category 3 or 4, PLr = e can be achieved with the
above-mentioned measures for PLr of c or d.
NOTE 1 For a detailed description of such measures, see, e.g. IEC 61508-7.
NOTE 2 For SRESW with diversity in design and coding, for components used
in SRP/CS with category 3 or 4, the effort involved in taking measures
to avoid systematic failures can be reduced by, for example, reviewing
parts of the software only by considering structural aspects instead of
checking each line of code.

4.6.3 Safety-related application software (SRASW)


The software safety lifecycle (see figure 6) applies also to SRASW (see Annex J).

SRASW written in LVL and complying with the following requirements can achieve
a PL a to e. If SRASW is written in FVL, the requirements for SRESW shall apply
and PL a to e is achievable. If a part of the SRASW within one component has any
impact (due to its modification) on several safety functions with different PL, then
the requirements related to the highest PL shall apply. For SRASW for components
with PLr from a to e, the following basic measures shall be applied:
- development lifecycle with verification and validation activities, see figure 6;
- documentation of specification and design;
- modular and structured programming;
- functional testing;
- appropriate development activities after modifications.
For SRASW for components with PLr from c to e, the following additional measures
with increasing efficiency (lower effectiveness for PLr of c, medium effectiveness for
PLr of d, higher effectiveness for PLr of e) are required or recommended.
a) The safety-related software specification shall be reviewed (see also Annex J), made
available to every person involved in the life cycle and shall contain the description
of:
1) safety functions with required PL and associated operation modes,
2) performance criteria, e.g. reaction times,
3) hardware architecture with external signal interfaces, and
4) detection and control of external failure.
b) Selection of tools, libraries, languages:
1) Suitable tools with confidence from use: for PL e achieved with one component
and its tool, the tool shall comply with the appropriate safety standard; if two
diverse components with diverse tools are used, confidence from use may be
sufficient. Technical features which detect conditions that could cause systematic
error (such as data type mismatch, ambiguous dynamic memory allocation,
incomplete called interfaces, recursion, pointer arithmetic) shall be used. Checks
should mainly be carried out during compile time and not only at runtime. Tools
should enforce language subsets and coding guidelines or at least supervise or
guide the developer using them.
2) Whenever reasonable and practicable, validated function block (FB) libraries
should be used, either safety-related FB libraries provided by the tool manufacturer
(highly recommended for PL = e) or validated application specific FB
libraries and in conformity with this Standard.
3) A justified LVL-subset suitable for a modular approach should be used, e.g. accepted
subset of JIS B 3503 languages. Graphical languages (e.g. function block
diagram, ladder diagram) are highly recommended.
c) Software design shall feature:
1) semi-formal methods to describe data and control flow, e.g. state diagram or
program flow chart,
2) modular and structured programming predominantly realized by function blocks
deriving from safety-related validated function block libraries,
3) function blocks of limited size of coding,
4) code execution inside function block which should have one entry and one exit
point,
5) architecture model of three stages, Inputs => Processing => Outputs (see figure 7
and Annex J),
6) assignment of a safety output at only one program location, and
7) use of techniques for detection of external failure and for defensive programming
within input, processing and output blocks which lead to safe state.


[Figure 7 (block diagram; only the text of its blocks is recoverable here)]
Input blocks: acquisition of information of the various safety sensors by safety inputs
Processing block: processing required to realize the safety functions which lead to a safe state
Output blocks: control of the actuators by safety outputs

Figure 7 General architecture model of software

d) Where SRASW and non-SRASW are combined in one component:
1) SRASW and non-SRASW shall be coded in different function blocks with well-defined
data links;
2) there shall be no combination of non-safety-related and safety-related data
which could lead to downgrading of the integrity of the safety-related data, e.g.
combining safety-related and non-safety-related signals by a logical "OR" where
the result controls safety-related signals.
e) Software implementation/coding:
1) code shall be readable, understandable and testable and, because of this, symbolic
variables (instead of explicit hardware addresses) should be used;
2) justified or accepted coding guidelines shall be used (see also Annex J);
3) data integrity and plausibility checks (e.g. range checks) available on application
level (defensive programming) should be used;
4) code should be tested by simulation;
5) verification should be by control and data flow for PL = d or e.
f) Testing:
1) the appropriate validation method is black-box testing of functional behaviour
and performance criteria (e.g. timing performance);
2) for PL = d or e, test case execution from boundary value analysis is recommended;
3) test planning is recommended and should include test cases with completion
criteria and required tools;
4) I/O testing shall ensure that safety-related signals are correctly used within
SRASW.
g) Documentation:
1) all lifecycle and modification activities shall be documented;
2) documentation shall be complete, available, readable and understandable;
3) code documentation within source text shall contain module headers with legal
entity, functional and I/O description, version and version of used library function
blocks, and sufficient comments of networks/statement and declaration lines.
h) Verification
Example: Review, inspection, walkthrough or other appropriate activities.
NOTE: Verification is only necessary for application-specific code, and not for
validated library functions.
i) Configuration management
It is highly recommended that procedures and data backup be established to
identify and archive documents, software modules, verification/validation results
and tool configuration related to a specific SRASW version.
j) Modifications
After modifications of SRASW, impact analysis shall be performed to ensure the
specification is met. Appropriate lifecycle activities shall be performed after
modifications. Access rights to modifications shall be controlled and modification
history shall be documented.
NOTE: Modification does not affect systems already in use.

4.6.4 Software-based parameterization

Software-based parameterization of safety-related parameters shall be considered as a safety-related aspect of SRP/CS design to be described in the software safety requirements specification. Parameterization shall be carried out using a dedicated software tool provided by the supplier of the SRP/CS. This tool shall have its own identification (name, version, etc.) and shall prevent unauthorized modification, for example, by use of a password.
The integrity of all data used for parameterization shall be maintained. This shall be achieved by applying measures to
- control the range of valid inputs,
- control data corruption before transmission,
- control the effects of errors from the parameter transmission process,
- control the effects of incomplete parameter transmission, and
- control the effects of faults and failures of hardware and software of the tool used for parameterization.
The parameterization tool shall fulfil all requirements for SRP/CS according to this Standard. Alternatively, a special procedure shall be used for setting the safety-related parameters. This procedure shall include confirmation of input parameters to the SRP/CS by either
- retransmission of the modified parameters to the parameterization tool, or
- other suitable means of confirming the integrity of the parameters,
as well as subsequent confirmation, e.g. by a suitably skilled person and by means of an automatic check by a parameterization tool.
NOTE 1 This is of particular importance where parameterization is carried out using a device not specifically intended for the purpose (e.g. personal computer or equivalent).
The software modules used for encoding/decoding within the transmission/retransmission process and software modules used for visualization of the safety-related parameters to the user shall, as a minimum, use diversity in function(s) to avoid systematic failures.
Documentation of software-based parameterization shall indicate data used (e.g. predefined parameter sets) and information necessary to identify the parameters associated with the SRP/CS, the person(s) carrying out the parameterization together with other relevant information such as date of parameterization.
The following verification activities shall be applied for software-based parameterization:
- verification of the correct setting for each safety-related parameter (minimum, maximum and representative values);
- verification that the safety-related parameters are checked for plausibility, for example by use of invalid values, etc.;
- verification that unauthorized modification of safety-related parameters is prevented;
- verification that the data/signals for parameterization are generated and processed in such a way that faults cannot lead to a loss of the safety function.
NOTE 2 This is of particular importance where the parameterization is carried out using a device not specifically intended for this purpose (e.g. personal computer or equivalent).
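As an added illustration of the integrity measures listed above (it is not text of the standard), the following Python model shows a parameter transfer between a parameterization tool and an SRP/CS: range checks on both sides, a CRC-32 over the frame to detect corruption, a length check to detect incomplete transmission, and confirmation by retransmission, with the device-side CRC implemented independently of the tool-side one as a diverse function. The parameter names, limits and frame layout are constructed for the example.

```python
import struct
import zlib


class IntegrityError(ValueError):
    """Raised when a parameter frame fails any integrity check."""


# Constructed parameter set for a hypothetical safe-speed monitoring function:
# (name, minimum, maximum). Not taken from the standard.
SPECS = (
    ("safe_speed_limit_rpm", 1.0, 3000.0),
    ("stop_delay_ms", 0.0, 500.0),
    ("tolerance_rpm", 0.0, 100.0),
)
HEADER = ">H"   # uint16 parameter count
CRC = ">I"      # uint32 CRC-32 trailer


def crc32_bitwise(data: bytes) -> int:
    """Bitwise CRC-32 (IEEE) used on the SRP/CS side; diverse from zlib.crc32 on the tool side."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc >> 1) ^ 0xEDB88320) if crc & 1 else (crc >> 1)
    return crc ^ 0xFFFFFFFF


def check_ranges(values) -> list:
    """Range/plausibility check shared by tool and device; returns a list of findings."""
    if len(values) != len(SPECS):
        return ["expected %d parameters, got %d" % (len(SPECS), len(values))]
    return ["%s=%r outside [%r, %r]" % (name, v, lo, hi)
            for (name, lo, hi), v in zip(SPECS, values) if not lo <= v <= hi]


def pack_unchecked(values) -> bytes:
    """Frame layout only: count, big-endian doubles, CRC-32. No range check (models a tool fault)."""
    body = struct.pack(HEADER, len(values)) + struct.pack(">%dd" % len(values), *values)
    return body + struct.pack(CRC, zlib.crc32(body) & 0xFFFFFFFF)


def encode_frame(values) -> bytes:
    """Tool side: control the range of valid inputs before transmission."""
    findings = check_ranges(values)
    if findings:
        raise IntegrityError("; ".join(findings))
    return pack_unchecked(values)


def decode_frame(frame: bytes) -> tuple:
    """SRP/CS side: reject truncated, corrupted, inconsistent or out-of-range frames."""
    if len(frame) < struct.calcsize(HEADER) + struct.calcsize(CRC):
        raise IntegrityError("incomplete transmission: header or CRC missing")
    body, (crc_rx,) = frame[:-4], struct.unpack(CRC, frame[-4:])
    if crc32_bitwise(body) != crc_rx:
        raise IntegrityError("CRC mismatch: frame corrupted or truncated")
    (count,) = struct.unpack(HEADER, body[:2])
    if len(body) != 2 + 8 * count:
        raise IntegrityError("incomplete transmission: count does not match length")
    values = struct.unpack(">%dd" % count, body[2:])
    findings = check_ranges(values)   # the device does not rely on the tool's check
    if findings:
        raise IntegrityError("; ".join(findings))
    return values


def device_echo(stored) -> bytes:
    """Retransmission of the stored parameters back to the tool (device-side CRC function)."""
    body = struct.pack(HEADER, len(stored)) + struct.pack(">%dd" % len(stored), *stored)
    return body + struct.pack(CRC, crc32_bitwise(body))


def tool_verify_echo(sent, echo: bytes) -> bool:
    """Tool side: independent decode of the echo and field-by-field comparison with what was sent."""
    body, (crc_rx,) = echo[:-4], struct.unpack(CRC, echo[-4:])
    if (zlib.crc32(body) & 0xFFFFFFFF) != crc_rx:
        return False
    (count,) = struct.unpack(HEADER, body[:2])
    return count == len(sent) and struct.unpack(">%dd" % count, body[2:]) == tuple(sent)


def parameterize(values) -> tuple:
    """Whole procedure: tool -> SRP/CS -> retransmission -> tool comparison."""
    stored = decode_frame(encode_frame(values))
    if not tool_verify_echo(values, device_echo(stored)):
        raise IntegrityError("retransmitted parameters differ from those sent")
    return stored   # still to be confirmed by a suitably skilled person


def is_rejected(frame: bytes) -> bool:
    """True if the SRP/CS refuses the frame; used to exercise the failure cases."""
    try:
        decode_frame(frame)
    except IntegrityError:
        return True
    return False
```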

4.7 Verification that achieved PL meets PLr

For each individual safety function the PL of the related SRP/CS shall match the required performance level (PLr) determined according to 4.3 (see figure 3). If this is not the case, an iteration in the process described in figure 3 is necessary.
The PL of the different SRP/CS which are part of a safety function shall be greater than or equal to the required performance level (PLr) of this safety function.

4.8 Ergonomic aspects of design

The interface between operators and the SRP/CS shall be designed and realized such that no person is endangered during all intended use and reasonably foreseeable misuse of the machine (see also JIS B 9700-2, EN 614-1, ISO 9355-1, ISO 9355-2, ISO 9355-3, EN 1005-3, JIS B 9960-1, clause 10, IEC 60447 and JIS B 9706 series).
Ergonomic principles shall be used so that the machine and the control system, including the safety-related parts, are easy to use, and so that the operator is not tempted to act in a hazardous manner.
The safety requirements for observing ergonomic principles given in JIS B 9700-2, 4.8, apply.

5 Safety functions

5.1 Specification of safety functions

This clause provides a list and details of safety functions which can be provided by the SRP/CS. The designer (or type-C standard maker) shall include those necessary to achieve the measures of safety required of the control system for the specific application.
Example: Safety-related stop function, prevention of unexpected start-up, manual reset function, muting function, hold-to-run function.
NOTE: Machinery control systems provide operational and/or safety functions. Operational functions (e.g. starting, normal stopping) can also be safety functions, but this can be ascertained only after a complete risk assessment on the machinery has been carried out.
Tables 8 and 9 list some typical safety functions and, respectively, certain of their characteristics and safety-related parameters, while making reference to other JISs and International Standards whose requirements relate to the safety function, characteristic or parameter. The designer (or type-C standard maker) shall ensure that all applicable requirements are satisfied for the relevant safety functions listed in the tables.
Additional requirements are set out in this clause for certain of the safety function characteristics.
Where necessary, the requirements for characteristics and safety functions shall be adapted for use with different energy sources.
As most of the references in tables 8 and 9 relate to electrical standards, the applicable requirements will need to be adapted in the case of other technologies (e.g. hydraulic, pneumatic).

Table 8 Some JISs applicable to typical machine safety functions and certain of their characteristics

Safety function/characteristic | Requirement(s): This Standard | Requirement(s): JIS B 9700-1 | Requirement(s): JIS B 9700-2 | For additional information, see:
Safety-related stop function initiated by safeguard a) | 5.2.1 | 3.26.8 | 4.11.3 | JIS B 9960-1, 9.2.2, 9.2.5.3, 9.2.5.5
Manual reset function | 5.2.2 | - | - | JIS B 9960-1, 9.2.5.3, 9.2.5.4
Start/restart function | 5.2.3 | - | 4.11.3, 4.11.4 | JIS B 9960-1, 9.2.1, 9.2.5.1, 9.2.5.2, 9.2.6
Local control function | 5.2.4 | - | 4.11.8, 4.11.10 | JIS B 9960-1, 10.1.5
Muting function | 5.2.5 | - | - | -
Hold-to-run function | - | - | 4.11.8 b) | JIS B 9960-1, 9.2.6.1
Enabling device function | - | - | - | JIS B 9960-1, 9.2.6.3, 10.9
Prevention of unexpected start-up | - | - | 4.11.4 | JIS B 9714; JIS B 9960-1, 5.4
Escape and rescue of trapped persons | - | - | 5.5.3 | -
Isolation and energy dissipation function | - | - | 5.5.4 | JIS B 9714; JIS B 9960-1, 5.3, 6.3.1
Control modes and mode selection | - | - | 4.11.8, 4.11.10 | JIS B 9960-1, 9.2.3, 9.2.4
Interaction between different safety-related parts of control systems | - | - | 4.11.1 | JIS B 9960-1, 9.3.4 (last sentence)
Monitoring of parameterization of safety-related input values | 4.6.4 | - | - | -
Emergency stop function b) | - | - | 5.5.2 | JIS B 9703; JIS B 9960-1, 9.2.5.4

Notes a) Including interlocked guards and limiting devices (e.g. overspeed, overtemperature, overpressure).
b) Complementary protective measure, see JIS B 9700-1.

Table 9 Some International Standards and JISs giving requirements for certain safety functions and safety-related parameters

Safety function/safety-related parameter | Requirement: This Standard | Requirement: JIS B 9700-2 | For additional information, see:
Response time | 5.2.6 | - | JIS B 9715, 3.2, A.3, A.4
Safety-related parameter such as speed, temperature or pressure | 5.2.7 | 4.11.8 e) | JIS B 9960-1, 7.1, 9.3.2, 9.3.4
Fluctuations, loss and restoration of power sources | 5.2.8 | 4.11.8 e) | JIS B 9960-1, 4.3, 7.1, 7.5
Indications and alarms | - | 4.8 | ISO 7731; ISO 11428; ISO 11429; JIS B 9706-1; JIS B 9960-1, 10.3, 10.4; IEC 61131 series; JIS B 9961

When identifying and specifying the safety function(s), the following shall at least be considered:
a) results of the risk assessment for each specific hazard or hazardous situation;
b) machine operating characteristics, including
- intended use of the machine (including reasonably foreseeable misuse),
- modes of operation (e.g. local mode, automatic mode, modes related to a zone or part of the machine),
- cycle time, and
- response time;
c) emergency operation;
d) description of the interaction of different working processes and manual activities (repairing, setting, cleaning, trouble shooting, etc.);
e) the behaviour of the machine that a safety function is intended to achieve or to prevent;
f) condition(s) (e.g. operating mode) of the machine in which it is to be active or disabled;
g) the frequency of operation;
h) priority of those functions that can be simultaneously active and that can cause conflicting action.

5.2 Details of safety functions

5.2.1 Safety-related stop function

The following applies in addition to the requirements of table 8.
A safety-related stop function (e.g. initiated by a safeguard) shall, as soon as necessary after actuation, put the machine in a safe state. Such a stop shall have priority over a stop for operational reasons.
When a group of machines are working together in a coordinated manner, provision shall be made for signalling the supervisory control and/or the other machines that such a stop condition exists.
NOTE: A safety-related stop function can cause operational problems and a difficult restart, e.g. in an arc welding application. To reduce the temptation to defeat this stop function, it can be preceded with a stop for operational reasons to finalize the actual operation and prepare for an easy and quick restart from the stop position (e.g. without any damage of the production). One solution is the use of an interlocking device with guard locking where the guard locking is released when the cycle has reached a defined position where the easy restart is possible.

5.2.2 Manual reset function

The following applies in addition to the requirements of table 8.
After a stop command has been initiated by a safeguard, the stop condition shall be maintained until safe conditions for restarting exist.
The re-establishment of the safety function by resetting of the safeguard cancels the stop command. If indicated by the risk assessment, this cancellation of the stop command shall be confirmed by a manual, separate and deliberate action (manual reset).
The manual reset function shall
- be provided through a separate and manually operated device within the SRP/CS,
- only be achieved if all safety functions and safeguards are operative,
- not initiate motion or a hazardous situation by itself,
- be by deliberate action,
- enable the control system for accepting a separate start command,
- only be accepted by disengaging the actuator from its energized (on) position.
The performance level of safety-related parts providing the manual reset function shall be selected so that the inclusion of the manual reset function does not diminish the safety required of the relevant safety function.
The reset actuator shall be situated outside the danger zone and in a safe position from which there is good visibility for checking that no person is within the danger zone.
Where the visibility of the danger zone is not complete, a special reset procedure is required.
NOTE: One solution is the use of a second reset actuator. The reset function is initiated within the danger zone by the first actuator in combination with a second reset actuator located outside the danger zone (near the safeguard). This reset procedure needs to be realized within a limited time before the control system accepts a separate start command.
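The following Python state machine is an added example, not text of the standard, of the manual reset requirements of 5.2.2: the stop condition is held while any safeguard is inoperative, the reset is accepted only on release of the reset actuator, it initiates no motion and only enables a separate start command, and the two-actuator procedure of the NOTE is modelled with an assumed time window counted in control scans. All inputs are sampled once per scan; the class and input names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    STOPPED = "stop command latched"
    RESET_ACCEPTED = "reset accepted, waiting for a separate start command"
    RUNNING = "motion enabled"


@dataclass
class ManualReset:
    """Manual reset logic for one safeguard and one reset actuator situated outside
    the danger zone. Inputs are sampled once per control scan."""
    state: State = State.STOPPED
    _reset_was_pressed: bool = False
    _start_was_pressed: bool = False
    _valid_press: bool = False   # press began while all safeguards were operative

    def scan(self, safeguards_operative: bool, reset_pressed: bool,
             start_pressed: bool, reset_permitted: bool = True) -> bool:
        """Returns True when motion is permitted after this scan."""
        reset_released = self._reset_was_pressed and not reset_pressed
        start_edge = start_pressed and not self._start_was_pressed
        if not safeguards_operative:
            # Stop condition maintained until safe conditions for restarting exist.
            self.state = State.STOPPED
            self._valid_press = False
        else:
            if reset_pressed and not self._reset_was_pressed:
                self._valid_press = True
            if self.state is State.STOPPED:
                # Accepted only on disengaging the actuator: a held or jammed actuator
                # never produces the required release edge.
                if reset_released and self._valid_press and reset_permitted:
                    self.state = State.RESET_ACCEPTED   # no motion is initiated here
            elif self.state is State.RESET_ACCEPTED and start_edge:
                self.state = State.RUNNING              # separate, deliberate start
        if not reset_pressed:
            self._valid_press = False
        self._reset_was_pressed = reset_pressed
        self._start_was_pressed = start_pressed
        return self.state is State.RUNNING


@dataclass
class TwoActuatorReset:
    """Procedure of the NOTE: a first actuator inside the danger zone opens a time
    window (assumed here as a number of scans) within which the reset at the
    outside actuator must be completed."""
    window_scans: int = 50
    base: ManualReset = field(default_factory=ManualReset)
    _remaining: int = 0
    _inner_was_pressed: bool = False

    def scan(self, safeguards_operative: bool, inner_pressed: bool,
             reset_pressed: bool, start_pressed: bool) -> bool:
        if inner_pressed and not self._inner_was_pressed and safeguards_operative:
            self._remaining = self.window_scans      # window opens on the inner press
        self._inner_was_pressed = inner_pressed
        in_window = self._remaining > 0
        self._remaining = max(self._remaining - 1, 0)
        return self.base.scan(safeguards_operative, reset_pressed, start_pressed,
                              reset_permitted=in_window)


def run_sequence(logic, steps) -> list:
    """Feed a list of input tuples to logic.scan and return the motion-permitted results."""
    return [logic.scan(*step) for step in steps]
```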

5.2.3 Start/restart function

The following applies in addition to the requirements of table 8.
A restart shall take place automatically only if a hazardous situation cannot exist. In particular, for interlocking guards with a start function, JIS B 9700-2, 5.3.2.5, applies.
These requirements for start and restart shall also apply to machines which can
be controlled remotely.
NOTE: A sensor feedback signal to the control system can initiate an automatic
restart.
Example: In automatic machine operations, sensor feedback signals to the con-
trol system are often used to control the process flow. If a work piece
has come out of position, the process flow is stopped. If the monitor-
ing of the interlocked safeguard is not superior to the automatic pro-
cess control, there could be a danger of restarting the machine while
the operator readjusts the work piece. Therefore the remotely con-
trolled restart ought not to be allowed until the safeguard is closed
again and the maintainer has left the hazardous area. The contribu-
tion of prevention of unexpected start-up provided by the control sys-
tem is dependent on the result of the risk assessment.

5.2.4 Local control function

The following applies in addition to the requirements of table 8.
When a machine is controlled locally, e.g. by a portable control device or pendant, the following requirements shall apply:
- the means for selecting local control shall be situated outside the danger zone;
- it shall only be possible to initiate hazardous conditions by a local control in a zone defined by the risk assessment;
- switching between local and main control shall not create a hazardous situation.

5.2.5 Muting function

The following applies in addition to the requirements of table 8.
Muting shall not result in any person being exposed to hazardous situations. During muting, safe conditions shall be provided by other means.
At the end of muting, all safety functions of the SRP/CS shall be reinstated.
The performance level of safety-related parts providing the muting function shall be selected so that the inclusion of the muting function does not diminish the safety required of the relevant safety function.
NOTE: In some applications, an indication signal of muting is necessary.

5.2.6 Response time


The following applies in addition to the requirements of table 9.
The response time of the SRP/CS shall be determined when the risk assessment of
the SRP/CS indicates that this is necessary (see also clause 11).


NOTE: The response time of the control system is part of the overall response
time of the machine. The required overall response time of the machine
can influence the design of the safety-related part, e.g. the need to pro-
vide a braking system.

5.2.7 Safety-related parameters

The following applies in addition to the requirements of table 9.
When safety-related parameters, e.g. position, speed, temperature or pressure, deviate from preset limits the control system shall initiate appropriate measures (e.g. actuation of stopping, warning signal, alarm).
If errors in manual inputting of safety-related data in programmable electronic systems can lead to a hazardous situation, then a data checking system within the safety-related control system shall be provided, e.g. check of limits, format and/or logic input values.

5.2.8 Fluctuations, loss and restoration of power sources

The following applies in addition to the requirements of table 9.
When fluctuations in energy levels outside the design operating range occur, including loss of energy supply, the SRP/CS shall continue to provide or initiate output signal(s) which will enable other parts of the machine system to maintain a safe state.

6 Categories and their relation to MTTFd of each channel, DCavg and CCF

6.1 General
The SRP/CS shall be in accordance with the requirements of one or more of the five categories specified in 6.2.
Categories are the basic parameters used to achieve a specific PL. They state the required behaviour of the SRP/CS in respect of its resistance to faults based on the design considerations described in clause 4.
Category B is the basic category. The occurrence of a fault can lead to the loss of the safety function. In category 1 improved resistance to faults is achieved predominantly by selection and application of components. In categories 2, 3 and 4, improved performance in respect of a specified safety function is achieved predominantly by improving the structure of the SRP/CS. In category 2 this is provided by periodically checking that the specified safety function is being performed. In categories 3 and 4 this is provided by ensuring that the single fault will not lead to the loss of the safety function. In category 4, and whenever reasonably practicable in category 3, such faults will be detected. In category 4 the resistance to the accumulation of faults will be specified.
Table 10 gives an overview of categories of the SRP/CS, the requirements and the system behaviour in case of faults.
When considering the causes of failures in some components it is possible to exclude certain faults (see clause 7).
The selection of a category for a particular SRP/CS depends mainly upon
- the reduction in risk to be achieved by the safety function to which the part contributes,
- the required performance level (PLr),
- the technologies used,
- the risk arising in the case of a fault(s) in that part,
- the possibilities of avoiding a fault(s) in that part (systematic faults),
- the probability of occurrence of a fault(s) in that part and relevant parameters,
- the mean time to dangerous failure (MTTFd),
- the diagnostic coverage (DC), and
- the common cause failure (CCF) in the case of categories 2, 3 and 4.

6.2 Specifications of categories

6.2.1 General
Each SRP/CS shall comply with the requirements of the relevant category, see 6.2.3 to 6.2.7.
The following architectures typically meet the requirements of the respective category.
The following figures 8 to 12 show not examples but general architectures. A deviation from these architectures is always possible, but any deviation shall be justified, by means of appropriate analytical tools (e.g. Markov modelling, fault tree analysis), such that the system meets the required performance level (PLr).
The designated architectures are not to be considered only as circuit diagrams but also as logical diagrams. For categories 3 and 4, this means that not all parts are necessarily physically redundant but that there are redundant means of assuring that a fault cannot lead to the loss of the safety function.
The lines and arrows in figures 8 to 12 represent logical interconnecting means and logical possible diagnostic means.

6.2.2 Designated architectures

The structure of an SRP/CS is a characteristic having great influence on the PL. Even if the variety of possible structures is high, the basic concepts are often similar. Thus, most structures which are present in the machinery field can be mapped to one of the categories. For each category, a typical representation as a safety-related block diagram can be made. These typical realizations are called designated architectures and are listed in the context of each of the following categories (see figures 8 to 12).
It is important that the PL shown in figure 5, depending on the category, MTTFd of each channel and DCavg, is based on the designated architectures. If figure 5 is used to estimate the PL the architecture of the SRP/CS should be demonstrated to be equivalent to the designated architecture of the claimed category. Designs fulfilling the characteristics of the respective category in general are equivalent to the respective designated architecture of the category.
NOTE: In some cases arising from a technical solution or determined by a type-C standard, the safety-related performance of the SRP/CS can be required only by a category without additional parameters. For such specific cases, safety is provided particularly by the architecture, and the requirements for MTTFd, DC and CCF do not apply.

6.2.3 Category B
The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application to withstand
- the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,
- the influence of the processed material, e.g. detergents in a washing machine, and
- other relevant external influences, e.g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.
There is no diagnostic coverage (DCavg = none) within category B systems and the MTTFd of each channel can be low to medium. In such structures (normally single-channel systems), the consideration of CCF is not relevant.
The maximum PL achievable with category B is PL = b.
NOTE: When a fault occurs it can lead to the loss of the safety function.
Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. JIS C 4421 for power drive systems. For functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of JIS C 61000-6-2 should be followed.

Key
im interconnecting means
I input device, e.g. sensor
L logic
O output device, e.g. main contactor
Figure 8 Designated architecture for category B

6.2.4 Category 1
For category 1, the same requirements as those according to 6.2.3 for category B shall apply. In addition, the following applies.
SRP/CS of category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).
A "well-tried component" for a safety-related application is a component which has been either
a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications.
Newly developed components and safety principles may be considered as equivalent to "well-tried" if they fulfil the conditions of b).
The decision to accept a particular component as being "well-tried" depends on the application.
NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to "well-tried".
The MTTFd of each channel shall be high.
The maximum PL achievable with category 1 is PL = c.
NOTE 2 There is no diagnostic coverage (DCavg = none) within category 1 systems. In such structures (single-channel systems) the consideration of CCF is not relevant.
NOTE 3 When a fault occurs it can lead to the loss of the safety function. However, the MTTFd of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.
It is important that a clear distinction between "well-tried component" and "fault exclusion" (see clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in the food industry; in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are
- means to secure the fixing of the switch after its adjustment,
- means to secure the fixing of the cam,
- means to ensure the transverse stability of the cam,
- means to avoid overtravel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
- means to protect it against damage from outside.

Key
im interconnecting means
I input device, e.g. sensor
L logic
O output device, e.g. main contactor

Figure 9 Designated architecture for category 1

6.2.5 Category 2
For category 2, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the function(s) shall be performed
- at the machine start-up, and
- prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, and/or periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the function(s) shall either
- allow operation if no faults have been detected, or
- generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.
For the designated architecture of category 2, as shown in figure 10, the calculation of MTTFd and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in figure 10) and not the blocks of the testing channel (i.e. TE and OTE in figure 10).
The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low to medium. The MTTFd of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).
The check itself shall not lead to a hazardous situation due to an increase in response time. The checking equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
The maximum PL achievable with category 2 is PL = d.
NOTE 1 In some cases category 2 is not applicable because the checking of the function cannot be applied to all components.


NOTE 2 Category 2 system behaviour allows that
- the occurrence of a fault can lead to the loss of the safety function between checks,
- the loss of safety function is detected by the check.
NOTE 3 The principle that supports the validity of a category 2 function is that the adopted technical provisions, and, for example, the choice of check frequency can decrease the probability of occurrence of a dangerous situation.
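As an added simulation (not part of the standard) of the category 2 behaviour described in 6.2.5 and NOTE 2, the Python model below runs a functional channel I-L-O with constructed fault injections and test equipment TE that checks the function at start-up and before each hazardous cycle; a detected fault initiates the safe state via OTE and holds it until cleared, a welded final switching device yields a warning instead, and a fault arising between checks is shown to remain undetected until the next check. The check is simplified to a normal scan with an "open guard" stimulus; a real TE would use a test signal that does not itself cause motion.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    OPERATION_ALLOWED = "no fault detected, operation allowed"
    SAFE_STATE = "fault detected, safe state initiated and maintained"
    WARNING = "fault detected, safe state not reachable, warning of the hazard"


@dataclass
class FunctionalChannel:
    """I -> L -> O of the category 2 designated architecture (figure 10).
    The three flags are constructed fault injections for this simulation."""
    sensor_stuck_safe: bool = False   # I keeps reporting 'guard closed'
    logic_fault: bool = False         # L keeps demanding the output on
    output_welded: bool = False       # O (final switching device) cannot open
    energized: bool = False           # present state of O

    def scan(self, guard_closed: bool) -> bool:
        """One scan of the functional channel; returns the resulting state of O."""
        sensed_closed = True if self.sensor_stuck_safe else guard_closed
        demand = sensed_closed or self.logic_fault
        if self.output_welded and self.energized:
            return True                # welded contact ignores the 'off' demand
        self.energized = demand
        return self.energized


class TestEquipment:
    """TE with its output OTE: checks the functional channel and forces the safe state."""

    def __init__(self, channel: FunctionalChannel):
        self.channel = channel
        self.fault_present = False

    def check(self) -> Outcome:
        """Functional test: stimulate 'guard open' at I and monitor whether O opens."""
        if self.fault_present:          # safe state held until the fault is cleared
            return Outcome.WARNING if self.channel.output_welded else Outcome.SAFE_STATE
        self.channel.scan(guard_closed=True)
        if not self.channel.scan(guard_closed=False):
            return Outcome.OPERATION_ALLOWED
        self.fault_present = True
        if self.channel.output_welded:  # assumed: OTE acts through O, so it cannot open a welded contact
            return Outcome.WARNING
        self.channel.energized = False  # OTE removes energy from the hazard
        return Outcome.SAFE_STATE


class Category2Machine:
    """Performs the check at start-up and prior to each hazardous cycle (6.2.5)."""

    def __init__(self, channel: FunctionalChannel):
        self.channel = channel
        self.te = TestEquipment(channel)

    def start_up(self) -> Outcome:
        return self.te.check()

    def run_cycle(self, guard_closed: bool) -> tuple:
        """Returns (outcome of the check, hazardous condition present during the cycle)."""
        outcome = self.te.check()
        if outcome is Outcome.OPERATION_ALLOWED:
            self.channel.scan(guard_closed)
        return outcome, self.channel.energized and not guard_closed

    def clear_fault(self, repaired: FunctionalChannel) -> None:
        """Repair: a fault-free channel replaces the faulty one and TE is re-armed."""
        self.channel = repaired
        self.te = TestEquipment(repaired)


def fault_between_checks() -> tuple:
    """NOTE 2: a fault arising after a check stays undetected until the next check.
    Returns (hazard while the guard opens mid-cycle, outcome of the next check)."""
    machine = Category2Machine(FunctionalChannel())
    machine.start_up()
    machine.run_cycle(guard_closed=True)
    machine.channel.sensor_stuck_safe = True             # fault occurs between checks
    hazard = machine.channel.scan(guard_closed=False)    # guard opened, O stays on
    outcome, _ = machine.run_cycle(guard_closed=False)   # next check catches it
    return hazard, outcome


def safe_state_held_until_cleared() -> tuple:
    """Outcomes of: the detecting check, a further cycle while uncleared, a cycle after repair."""
    machine = Category2Machine(FunctionalChannel(logic_fault=True))
    first = machine.start_up()
    second, _ = machine.run_cycle(guard_closed=True)
    machine.clear_fault(FunctionalChannel())
    third, _ = machine.run_cycle(guard_closed=True)
    return first, second, third
```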

Dashed lines represent reasonably practicable fault detection.

Key
im interconnecting means
I input device, e.g. sensor
L logic
m monitoring
O output device, e.g. main contactor
TE test equipment
OTE output of TE

Figure 10 Designated architecture for category 2

6.2.6 Category 3
For category 3, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low to medium. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).
NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.
NOTE 3 Category 3 system behaviour allows that
- when the single fault occurs the safety function is always performed,
- some but not all faults will be detected,
- accumulation of undetected faults can lead to the loss of the safety function.
NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.

Dashed lines represent reasonably practicable fault detection.

Key
im interconnecting means
c cross monitoring
I1, I2 input device, e.g. sensor
L1, L2 logic
m monitoring
O1, O2 output device, e.g. main contactor

Figure 11 Designated architecture for category 3

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that
- a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
- the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle,
but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.
The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).


NOTE 1 Category 4 system behaviour allows that
- when a fault occurs the safety function is always performed,
- the faults will be detected in time to prevent loss of the safety function,
- accumulation of undetected faults is taken into account.
NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of "high" only. In practice, the consideration of a fault combination of two faults may be sufficient.

Solid lines for monitoring represent diagnostic coverage that is higher than in the architecture for category 3.

Key
im interconnecting means
c cross monitoring
I1, I2 input device, e.g. sensor
L1, L2 logic
m monitoring
O1, O2 output device, e.g. main contactor

Figure 12 Designated architecture for category 4


Table 10 Summary of requirements for categories

Category B (see 6.2.3)
Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: Low to medium.
DCavg: None.
CCF: Not relevant.

Category 1 (see 6.2.4)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than for category B.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: High.
DCavg: None.
CCF: Not relevant.

Category 2 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to medium.
DCavg: Low to medium.
CCF: See Annex F.

Category 3 (see 6.2.6)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
- a single fault in any of these parts does not lead to the loss of the safety function, and
- whenever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high.
DCavg: Low to medium.
CCF: See Annex F.

Category 4 (see 6.2.7)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
- a single fault in any of these parts does not lead to a loss of the safety function, and
- the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: High.
DCavg: High, including accumulation of faults.
CCF: See Annex F.

NOTE: For full requirements, see clause 6.

6.3 Combination of SRP/CS to achieve overall PL


A safety function can be realized by a combination of several SRP/CS: input system, signal processing unit, output system. These SRP/CS may be assigned to one and/or different categories. For each SRP/CS used, a category according to 6.2 shall be selected. For the overall combination of these SRP/CS, an overall PL may be identified using table 11. In this case, the validation of the combination of SRP/CS is required (see figure 3).
According to 6.2, the combined safety-related parts of a control system start at the points where the safety-related signals are initiated and end at the output of the power control elements. But the combined SRP/CS could consist of several parts connected in a linear (series alignment) or redundant (parallel alignment) way. To avoid a new complex estimation of the performance level (PL) achieved by the combined SRP/CS where the separate PLs of all parts are already calculated, the following estimations are presented for a series alignment of SRP/CS.
Assumed are N separate SRP/CSi in a series alignment, as a whole performing a safety function. For each SRP/CSi, a PLi has already been evaluated. This situation is illustrated in figure 13 (see also figure 4 and figure H.2).

[Figure: SRP/CS 1 with PL 1 through SRP/CS N with PL N in series alignment]
Figure 13 Combination of SRP/CS to achieve overall PL

The following method allows the calculation of the PL of the whole combined SRP/CS performing the safety function:
a) Identify the lowest PLi: this is PLlow.
b) Identify the number of SRP/CSi with this PLlow: this is Nlow.
c) Look up PL in table 11.

Table 11 Calculation of PL for series alignment of SRP/CS

PLlow    Nlow     PL
a        > 3      None, not allowed
         ≤ 3      a
b        > 2      a
         ≤ 2      b
c        > 2      b
         ≤ 2      c
d        > 3      c
         ≤ 3      d
e        > 3      d
         ≤ 3      e

NOTE: The values calculated for this look-up table are based on reliability values at the mid-point for each PL.
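The three steps of 6.3 and the look-up of table 11, written out as a small function. This is an added example, not code from the standard; the function names and the check against a required PLr are mine.

```python
"""Overall PL of several SRP/CS in series alignment (6.3, table 11).
Added example, not part of the standard."""

# Performance levels in ascending order; PL a is the lowest.
PL_ORDER = "abcde"

# Table 11, encoded as PL_low -> (threshold, PL if N_low > threshold,
# PL if N_low <= threshold). None means "not allowed".
TABLE_11 = {
    "a": (3, None, "a"),
    "b": (2, "a", "b"),
    "c": (2, "b", "c"),
    "d": (3, "c", "d"),
    "e": (3, "d", "e"),
}


def combined_pl(pls):
    """Overall PL of N SRP/CS in series, each with an already evaluated PL.

    a) PL_low is the lowest PL_i, b) N_low is the number of SRP/CS_i that
    have PL_low, c) the result is read from table 11.  Returns None when
    the combination is not allowed.
    """
    if not pls:
        raise ValueError("at least one SRP/CS is required")
    pls = [p.lower() for p in pls]
    for p in pls:
        if p not in PL_ORDER:
            raise ValueError(f"unknown performance level {p!r}")
    pl_low = min(pls, key=PL_ORDER.index)
    n_low = pls.count(pl_low)
    threshold, above, at_or_below = TABLE_11[pl_low]
    return above if n_low > threshold else at_or_below


def combined_pl_meets(pls, pl_r):
    """True if the combined PL reaches the required PL_r of the safety function."""
    pl = combined_pl(pls)
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(pl_r.lower())


if __name__ == "__main__":
    # Constructed chain: input system PL d, logic PL e, output system PL d.
    print(combined_pl(["d", "e", "d"]))        # d (N_low = 2 <= 3)
    print(combined_pl(["c", "c", "c"]))        # b (N_low = 3 > 2 drops one level)
    print(combined_pl(["a", "a", "a", "a"]))   # None, not allowed
```

Note that a long chain of parts that all sit at the lowest PL costs one level (the N_low rule), which is why a series of three PL c parts only reaches PL b overall.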

7 Fault consideration, fault exclusion

7.1 General
In accordance with the category selected, safety-related parts shall be designed to achieve the required performance level (PLr). The ability to resist faults shall be assessed.

7.2 Fault consideration

ISO 13849-2 lists the important faults and failures for the various technologies.
The lists of faults are not exclusive and, if necessary, additional faults shall be considered and listed. In such cases, the method of evaluation should also be clearly elaborated. For new components not mentioned in ISO 13849-2, a failure mode and effects analysis (FMEA, see IEC 60812) shall be carried out to establish the faults that are to be considered for those components.


In general, the following fault criteria shall be taken into account:
- if, as a consequence of a fault, further components fail, the first fault together with all following faults shall be considered as a single fault;
- two or more separate faults having a common cause shall be considered as a single fault (known as a CCF);
- the simultaneous occurrence of two or more faults having separate causes is considered highly unlikely and therefore need not be considered.

7.3 Fault exclusion


It is not always possible to evaluate SRP/CS without assuming that certain faults can be excluded. For detailed information on fault exclusions, see ISO 13849-2.
Fault exclusion is a compromise between technical safety requirements and the theoretical possibility of occurrence of a fault.
Fault exclusion can be based on
- the technical improbability of occurrence of some faults,
- generally accepted technical experience, independent of the considered application, and
- technical requirements related to the application and the specific hazard.
If faults are excluded, a detailed justification shall be given in the technical documentation.

8 Validation
The design of the SRP/CS shall be validated (see figure 3). The validation shall demonstrate that the combination of SRP/CS providing each safety function meets all relevant requirements of this Standard.
For details of validation, see ISO 13849-2.

9 Maintenance
Preventive or corrective maintenance can be necessary to maintain the specified performance of the safety-related parts. Deviations with time from the specified performance can lead to a deterioration in safety or even to a hazardous situation. The information for use of the SRP/CS shall include instructions for the maintenance (including periodic inspection) of the SRP/CS.
The provisions for the maintainability of the safety-related part(s) of a control system shall follow the principles given in JIS B 9700-2, 4.7. All information for maintenance shall comply with JIS B 9700-2, 6.5.1 e).

10 Technical documentation
When designing an SRP/CS, its designer shall document at least the following information relevant to the safety-related part:
- safety function(s) provided by the SRP/CS;
- the characteristics of each safety function;


- the exact points at which the safety-related part(s) start and end;
- environmental conditions;
- the performance level (PL);
- the category or categories selected;
- the parameters relevant to the reliability (MTTFd, DC, CCF and mission time);
- measures against systematic failure;
- the technology or technologies used;
- all safety-relevant faults considered;
- justification for fault exclusions (see ISO 13849-2);
- the design rationale (e.g. faults considered, faults excluded);
- software documentation;
- measures against reasonably foreseeable misuse.
NOTE: In general, this documentation is foreseen as being for the manufacturer's internal purposes and will not be distributed to the machine user.

11 Information for use


The principles of JIS B 9700-2, 6.5.2, and the applicable sections of other relevant documents (e.g. JIS B 9960-1, clause 17), shall be applied. In particular, that information which is important for the safe use of the SRP/CS shall be given to the user. This shall include, but is not limited to, the following:
- the limits of the safety-related parts to the category(ies) selected and any fault exclusions;
- the limits of the SRP/CS and any fault exclusions (see 7.3), for which, when essential for maintaining the selected category or categories and safety performance, appropriate information (e.g. for modification, maintenance and repair) shall be given to ensure the continued justification of the fault exclusion(s);
- the effects of deviations from the specified performance on the safety function(s);
- clear descriptions of the interfaces to the SRP/CS and protective devices;
- response time;
- operating limits (including environmental conditions);
- indications and alarms;
- muting and suspension of safety functions;
- control modes;
- maintenance (see clause 9);
- maintenance check lists;
- ease of accessibility and replacing of internal parts;
- means for easy and safe troubleshooting;


- information explaining the applications for use relevant to the category to which reference is made;
- checking test intervals where relevant.
Specific information shall be provided on the category or categories and performance level of the SRP/CS, as follows:
- dated reference to this Standard (i.e. "JIS B 9705-1: 2011");
- the Category, B, 1, 2, 3, or 4;
- the performance level, a, b, c, d, or e.
Example: An SRP/CS in accordance with this Standard, of Category B and performance level a, would be referred to as follows:
JIS B 9705-1: 2011 Category B PL a


Annex A (informative)
Determination of required performance level (PLr)

A.1 Selection of PLr
This Annex is concerned with the contribution to the reduction in risk made by the safety-related parts of the control system being considered. The method given here provides only an estimation of risk reduction and is intended as guidance to the designer and standard maker in determining the PLr for each necessary safety function to be carried out by an SRP/CS.
The risk assessment assumes a situation prior to provision of the intended safety function. Risk reduction by other technical measures independent of the control system (e.g. mechanical guards), or additional safety functions, can be taken into account in determining the PLr of the intended safety function; in which case, the starting point of figure A.1 can be selected after the implementation of these measures (see also figure 2). The severity of injury (denoted by S) is relatively easy to estimate (e.g. laceration, amputation, fatality). For the frequency of occurrence, auxiliary parameters are used to improve the estimation. These parameters are
- frequency and time of exposure to the hazard (F), and
- possibility of avoiding the hazard or limiting the harm (P).
Experience has shown that these parameters can be combined, as in figure A.1, to give a gradation of risk from low to high. It is emphasized that this is a qualitative process giving only an estimation of risk.

A.2 Guidance for selecting parameters S, F and P for the risk estimation

A.2.1 Severity of injury S1 and S2

In estimating the risk arising from a failure of a safety function only slight injuries (normally reversible) and serious injuries (normally irreversible) and death are considered.
To make a decision, the usual consequences of accidents and normal healing processes should be taken into account in determining S1 and S2. For example, bruising and/or lacerations without complications would be classified as S1, whereas amputation or death would be S2.

A.2.2 Frequency and/or exposure times to hazard, F1 and F2

A generally valid time period to be selected for parameter F1 or F2 cannot be specified. However, the following explanation could facilitate making the right decision where doubt exists.
F2 should be selected if a person is frequently or continuously exposed to the hazard. It is irrelevant whether the same or different persons are exposed to the hazard on successive exposures, e.g. for the use of lifts. The frequency parameter should be chosen according to the frequency and duration of access to the hazard.


Where the demand on the safety function is known by the designer, the frequency and duration of this demand can be chosen instead of the frequency and duration of access to the hazard. In this Standard, the frequency of demand on the safety function is assumed to be more than once per year.
The period of exposure to the hazard should be evaluated on the basis of an average value which can be seen in relation to the total period of time over which the equipment is used. For example, if it is necessary to reach regularly between the tools of the machine during cyclic operation in order to feed and move work pieces, then F2 should be selected. If access is only required from time to time, then F1 should be selected.
NOTE: In case of no other justification F2 should be chosen, if the frequency is higher than once per hour.

A.2.3 Possibility of avoiding the hazard P1 and P2

It is important to know whether a hazardous situation can be recognized and avoided before leading to an accident. For example, an important consideration is whether the hazard can be directly identified by its physical characteristics, or recognized only by technical means, e.g. indicators. Other important aspects which influence the selection of parameter P include, for example:
- operation with or without supervision;
- operation by experts or non-professionals;
- speed with which the hazard arises (e.g. quickly or slowly);
- possibilities for hazard avoidance (e.g. by escaping);
- practical safety experiences relating to the process.
When a hazardous situation occurs, P1 should only be selected if there is a realistic chance of avoiding an accident or of significantly reducing its effect; P2 should be selected if there is almost no chance of avoiding the hazard.
Figure A.1 provides guidance for the determination of the safety-related PLr depending on the risk assessment. The graph should be considered for each safety function. The risk assessment method is based on JIS B 9702 and should be used in accordance with JIS B 9700-1.


[Figure: risk graph. From the starting point the branches S1/S2, then F1/F2, then P1/P2 lead to the PLr, ordered from L (low contribution to risk reduction) to H (high contribution). The eight paths are:]
S1, F1, P1: PLr a
S1, F1, P2: PLr b
S1, F2, P1: PLr b
S1, F2, P2: PLr c
S2, F1, P1: PLr c
S2, F1, P2: PLr d
S2, F2, P1: PLr d
S2, F2, P2: PLr e

Key
1 starting point for evaluation of safety function's contribution to risk reduction
L low contribution to risk reduction
H high contribution to risk reduction
PLr required performance level

Risk parameters:
S severity of injury
S1 slight (normally reversible injury)
S2 serious (normally irreversible injury or death)
F frequency and/or exposure to hazard
F1 seldom-to-less-often and/or exposure time is short
F2 frequent-to-continuous and/or exposure time is long
P possibility of avoiding hazard or limiting harm
P1 possible under specific conditions
P2 scarcely possible

Figure A.1 Risk graph for determining required PLr for safety function
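The risk graph of figure A.1 together with the parameter guidance of A.2.1 to A.2.3, as a function that derives S, F, P and PLr for one safety function. This is an added example, not code from the standard; the function and argument names are mine, and the only decision rule beyond the figure is the NOTE of A.2.2 (F2 when the frequency exceeds once per hour and there is no other justification).

```python
"""Risk graph of figure A.1 as a look-up, with the parameter guidance of A.2.
Added example, not part of the standard; names are the author's own."""

# The eight paths of the risk graph (figure A.1): (S, F, P) -> PL_r.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}


def severity_parameter(normally_irreversible):
    """A.2.1: S1 for slight (normally reversible) injury, S2 for serious
    (normally irreversible) injury or death."""
    return "S2" if normally_irreversible else "S1"


def frequency_parameter(frequent_or_continuous, demands_per_hour=None):
    """A.2.2: F2 for frequent-to-continuous exposure or long exposure time.
    With no other justification, F2 if the demand/exposure frequency is
    higher than once per hour (NOTE in A.2.2); otherwise F1."""
    if frequent_or_continuous:
        return "F2"
    if demands_per_hour is not None and demands_per_hour > 1:
        return "F2"
    return "F1"


def avoidance_parameter(realistic_chance_to_avoid):
    """A.2.3: P1 only if there is a realistic chance of avoiding the accident
    or of significantly reducing its effect, otherwise P2."""
    return "P1" if realistic_chance_to_avoid else "P2"


def required_pl(s, f, p):
    """Read PL_r for one safety function from the risk graph."""
    key = (s.upper(), f.upper(), p.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"not a path of the risk graph: {key}")
    return RISK_GRAPH[key]


def assess(normally_irreversible, frequent_or_continuous,
           realistic_chance_to_avoid, demands_per_hour=None):
    """Derive (S, F, P, PL_r) for one safety function."""
    s = severity_parameter(normally_irreversible)
    f = frequency_parameter(frequent_or_continuous, demands_per_hour)
    p = avoidance_parameter(realistic_chance_to_avoid)
    return s, f, p, required_pl(s, f, p)


if __name__ == "__main__":
    # Constructed case: reaching between the tools every cycle (F2), amputation
    # possible (S2), the hazard arises too quickly to escape (P2) -> PL_r e.
    print(assess(True, True, False))
```

The graph is applied per safety function, as A.2.3 requires, so a machine with several safety functions is assessed by calling the function once for each of them.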


Annex B (informative)
Block method and safety-related block diagram

B.l Block method


The simplified approach requires a block-oriented logical representation of the SRP/CS. The SRP/CS should be separated into a small number of blocks according to the following:
- blocks should represent logical units of the SRP/CS related to the execution of the safety function;
- different channels performing the safety function should be separated into different blocks (if one block is not able to perform its function, the execution of the safety function through the blocks of the other channel should not be affected);
- each channel may consist of one or several blocks; three blocks per channel in the designated architectures, input, logic and output, is not an obligatory number, but simply an example for a logical separation inside each channel;
- each hardware unit of the SRP/CS should belong to exactly one block, thus allowing for the calculation of the MTTFd of the block based on the MTTFd of the hardware units belonging to the block (e.g. by failure mode and effects analysis or the parts count method, see Annex D.1);
- hardware units only used for diagnostics (e.g. test equipment) and which do not affect the execution of the safety function in the different channels when they fail dangerously, may be separated from hardware units necessary for the execution of the safety function in the different channels.
NOTE: For the purposes of this Standard, "blocks" do not correspond to functional blocks or reliability blocks.

B.2 Safety-related block diagram


The blocks defined by the block method may be used to graphically represent the logical structure of the SRP/CS in a safety-related block diagram. For such a graphical representation, the following may be of guidance:
- the failure of one block in a series alignment of blocks leads to failure of the whole channel (i.e. if one hardware unit in one channel of the SRP/CS fails dangerously, the whole channel might not be able to execute the safety function any longer);
- only the dangerous failure of all channels in a parallel alignment leads to the loss of the safety function (i.e. a safety function performed by several channels is executed as long as at least one channel has no failure);
- blocks used only for diagnostic purposes and which do not affect the execution of the safety function in the different channels when they fail dangerously may be separated from blocks in the different channels.
See figure B.1 for an example.


[Figure: two channels in parallel, I1 → O1 and I2 → L → O2, with a testing device T]

I1 and O1 build up the first channel (series alignment), while I2, L and O2 build up the second channel (series alignment), with both channels executing the safety function redundantly (parallel alignment). T is only used for testing.
Key
I1, I2 input devices, e.g. sensor
L logic
O1, O2 output devices, e.g. main contactor
T testing device

Figure B.1 Example of safety-related block diagram
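The two rules of B.2 (a failed block fails its whole channel; the function is lost only when every channel has failed) applied to the block diagram of figure B.1. This is an added example, not the standard's own code; the channel layout is taken from figure B.1, the function names are mine. Each failed block is treated as an independent fault, so a common-cause failure of two blocks (counted as one fault under 7.2) has to be entered as both blocks at once.

```python
"""Evaluating the safety-related block diagram of figure B.1 with the rules
of B.2.  Added example, not part of the standard."""
from itertools import product

# Figure B.1: channel 1 = I1 -> O1, channel 2 = I2 -> L -> O2; blocks inside a
# channel are in series, the two channels in parallel.  T is used only for testing.
CHANNELS = {
    "channel 1": ["I1", "O1"],
    "channel 2": ["I2", "L", "O2"],
}
DIAGNOSTIC_BLOCKS = frozenset({"T"})


def channel_executes(blocks, failed):
    """Series alignment: a dangerous failure of any one block means the whole
    channel can no longer execute the safety function."""
    return not any(block in failed for block in blocks)


def safety_function_executed(channels, failed, diagnostic_blocks=frozenset()):
    """Parallel alignment: the safety function is executed as long as at least
    one channel has no dangerous failure.  Blocks used only for diagnostics
    (here T) do not affect execution when they fail dangerously."""
    failed = set(failed) - set(diagnostic_blocks)
    return any(channel_executes(blocks, failed) for blocks in channels.values())


def single_fault_tolerant(channels, diagnostic_blocks=frozenset()):
    """True if no single dangerous block failure loses the safety function,
    the structural property behind the category 3 and 4 requirements."""
    every_block = {b for blocks in channels.values() for b in blocks}
    return all(safety_function_executed(channels, {b}, diagnostic_blocks)
               for b in every_block)


def losing_fault_combinations(channels):
    """Minimal sets of block failures that lose the safety function: one failed
    block from every channel (2 x 3 = 6 combinations for figure B.1)."""
    return {frozenset(combo) for combo in product(*channels.values())}


if __name__ == "__main__":
    print(safety_function_executed(CHANNELS, {"I1"}, DIAGNOSTIC_BLOCKS))       # True
    print(safety_function_executed(CHANNELS, {"I1", "L"}, DIAGNOSTIC_BLOCKS))  # False
    print(sorted(sorted(c) for c in losing_fault_combinations(CHANNELS)))
```

The list of losing combinations is what a designer has to look at when deciding, per 7.2, which two-fault combinations share a common cause and therefore count as a single fault.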


Annex C (informative)
Calculating or evaluating MTTFd values for single components

C.1 General
This Annex describes several methods for calculating or evaluating MTTFd values for single components: the method given in C.2 is based on the respect of good engineering practices for the different kinds of components; that given in C.3 is applicable to hydraulic components; C.4 provides a means of calculating the MTTFd of pneumatic, mechanical and electromechanical components from B10d (see C.4.1); C.5 lists MTTFd values for electrical components.

C.2 Good engineering practices method


If the following criteria are met, the MTTFd or B10d value for a component can be estimated according to table C.1.
a) The components are manufactured according to basic and well-tried safety principles in accordance with ISO 13849-2, or the relevant standard (see table C.1) for the design of the component (confirmation in the data sheet of the component).
NOTE: This information can be found in the data sheet of the component manufacturer.
b) The manufacturer of the component specifies the appropriate application and operating conditions for the user.
c) The design of the SRP/CS fulfils the basic and well-tried safety principles according to ISO 13849-2, for the implementation and operation of the component.

C.3 Hydraulic components


If the following criteria are met, the MTTFd value for a single hydraulic component, e.g. valve, can be estimated at 150 years.
a) The hydraulic components are manufactured according to basic and well-tried safety principles in accordance with ISO 13849-2, tables C.1 and C.2, for the design of the hydraulic component (confirmation in the data sheet of the component).
NOTE: This information can be found in the data sheet of the component manufacturer.
b) The manufacturer of the hydraulic component specifies the appropriate application and operating conditions for the user. The SRP/CS manufacturer shall provide information pertaining to his responsibility to apply the basic and well-tried safety principles according to ISO 13849-2, tables C.1 and C.2, for the implementation and operation of the hydraulic component.
But if either a) or b) is not achieved, the MTTFd value for the single hydraulic component has to be given by the manufacturer.


Table C.1 International Standards, JISs and other standards dealing with MTTFd or B10d for components

Component | Basic and well-tried safety principles according to ISO 13849-2: 2003 | Other relevant standards | Typical values: MTTFd (years) or B10d (cycles)
Mechanical components | Tables A.1 and A.2 | - | MTTFd = 150
Hydraulic components | Tables C.1 and C.2 | JIS B 8361, EN 982 | MTTFd = 150
Pneumatic components | Tables B.1 and B.2 | JIS B 8370, EN 983 | B10d = 20 000 000
Relays and contactor relays with small load (mechanical load) | Tables D.1 and D.2 | EN 50205, IEC 61810 series, JIS C 8201 series | B10d = 20 000 000
Relays and contactor relays with maximum load | Tables D.1 and D.2 | EN 50205, IEC 61810 series, JIS C 8201 series | B10d = 400 000
Proximity switches with small load (mechanical load) | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9710 | B10d = 20 000 000
Proximity switches with maximum load | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9710 | B10d = 400 000
Contactors with small load (mechanical load) | Tables D.1 and D.2 | JIS C 8201 series | B10d = 20 000 000
Contactors with nominal load | Tables D.1 and D.2 | JIS C 8201 series | B10d = 2 000 000
Position switches (independent of load) a) | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9710 | B10d = 20 000 000
Position switches (with separate actuator, independent of load) a) | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9710 | B10d = 2 000 000
Emergency stop devices (independent of the load) a) | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9703 | B10d = 100 000
Emergency stop devices with maximum operational demands a) | Tables D.1 and D.2 | JIS C 8201 series, JIS B 9703 | B10d = 6 050
Push buttons (e.g. enabling switches, independent of the load) a) | Tables D.1 and D.2 | JIS C 8201 series | B10d = 100 000

For the definition and use of B10d, see C.4.
NOTE 1 B10d is estimated as two times B10 (50 % dangerous failure).
NOTE 2 "Small load" means, for example, 20 % of the rated value (for more information, see ISO 13849-2).
Note a) If fault exclusion for direct opening action is possible.


C.4 MTTFd of pneumatic, mechanical and electromechanical components

C.4.1 General
For pneumatic, mechanical and electromechanical components (pneumatic valves, relays, contactors, position switches, cams of position switches, etc.) it may be difficult to calculate the mean time to dangerous failure (MTTFd for components), which is given in years and which is required by this Standard. Most of the time, the manufacturers of these kinds of components only give the mean number of cycles until 10 % of the components fail dangerously (B10d). This clause gives a method for calculating an MTTFd for components using B10d or T10d given by the manufacturer, related closely to the application dependent cycles.
If the following criteria are met, the MTTFd value for a single pneumatic, electromechanical or mechanical component can be estimated according to C.4.2.
a) The components are manufactured according to basic safety principles in accordance with ISO 13849-2, table B.1 or table D.1, for the design of the component (confirmation in the data sheet of the component).
NOTE: This information can be found in the data sheet of the component manufacturer.
b) The components to be used in category 1, 2, 3 or 4 are manufactured according to well-tried safety principles in accordance with ISO 13849-2, table B.2 or table D.2, for the design of the component (confirmation in the data sheet of the component).
NOTE: This information can be found in the data sheet of the component manufacturer.
c) The manufacturer of the component specifies the appropriate application and operating conditions for the user. The SRP/CS manufacturer shall provide information pertaining to his responsibility to fulfil the basic safety principles according to ISO 13849-2, table B.1 or table D.1, for the implementation and operation of the component. For category 1, 2, 3 or 4, the user has to be informed of his responsibility to fulfil the well-tried safety principles according to ISO 13849-2, table B.2 or table D.2, for the implementation and operation of the component.

C.4.2 Calculation of MTTFd for components from B10d

The mean number of cycles until 10 % of the components fail dangerously (B10d) 1) should be determined by the manufacturer of the component in accordance with relevant product standards for the test methods (e.g. JIS C 8201-5-1, ISO 19973 series, IEC 61810 series). The dangerous failure modes of the component have to be defined, e.g. sticking at an end position or change of switching times. If not all the components fail dangerously during the tests (e.g. seven components tested, only five fail dangerously), an analysis taking into account the components that did not fail dangerously should be performed.
With B10d 1) and nop, the mean number of annual operations, MTTFd for components can be calculated as
Note 1) If the dangerous fraction of B10 is not given, 50 % of B10 may be used, so B10d = 2B10 is recommended.


$$MTTF_d = \frac{B_{10d}}{0.1 \times n_{op}} \qquad (C.1)$$

where

$$n_{op} = \frac{d_{op} \times h_{op} \times 3600\ \mathrm{s/h}}{t_{cycle}} \qquad (C.2)$$

with the following assumptions having been made on the application of the component:
hop: the mean operation, in hours per day;
dop: the mean operation, in days per year;
tcycle: the mean time between the beginning of two successive cycles of the component (e.g. switching of a valve), in seconds per cycle.
The operation time of the component is limited to T10d, the mean time until 10 % of the components fail dangerously:

$$T_{10d} = \frac{B_{10d}}{n_{op}} \qquad (C.3)$$

NOTE: Explanation of the formulas in C.4.2.

B10d, the mean number of cycles until 10 % of the components fail dangerously, can be converted to T10d, the mean time until 10 % of the components fail dangerously, by using nop, the mean number of annual operations:

$$T_{10d} = \frac{B_{10d}}{n_{op}} \qquad (C.4)$$

The reliability methods in this Standard assume that the failure of components is distributed exponentially over time: $F(t) = 1 - e^{-\lambda_d t}$. For pneumatic and electromechanical components, a Weibull distribution is more likely. But if the operation time of the components is limited to the mean time until 10 % of the components fail dangerously (T10d), then a constant dangerous failure rate (λd) over this operation time can be estimated as

$$\lambda_d = \frac{0.1}{T_{10d}} = \frac{0.1 \times n_{op}}{B_{10d}} \qquad (C.5)$$

Equation (C.5) takes into account that with a constant failure rate 10 % of the components in the assumed application fail after T10d [years], corresponding to B10d [cycles]. To be exact:

$$\lambda_d = \frac{-\ln(1 - 0.1)}{T_{10d}} \approx \frac{0.1}{T_{10d}} \qquad (C.6)$$

With MTTFd = 1/λd for exponential distributions, this yields

$$MTTF_d = \frac{1}{\lambda_d} = \frac{B_{10d}}{0.1 \times n_{op}} \qquad (C.7)$$


C.4.3 Example
For a pneumatic valve, a manufacturer determines a mean value of 60 million cycles as B10d. The valve is used for two shifts each day on 220 operation days a year. The mean time between the beginning of two successive switchings of the valve is estimated as 5 s. This yields the following values:
- dop of 220 days per year;
- hop of 16 h per day;
- tcycle of 5 s per cycle;
- B10d of 60 million cycles.
With these input data the following quantities can be calculated:

$$n_{op} = \frac{220\ \mathrm{days/year} \times 16\ \mathrm{h/day} \times 3600\ \mathrm{s/h}}{5\ \mathrm{s/cycle}} = 2.53 \times 10^{6}\ \mathrm{cycles/year} \qquad (C.8)$$

$$T_{10d} = \frac{60 \times 10^{6}\ \mathrm{cycles}}{2.53 \times 10^{6}\ \mathrm{cycles/year}} = 23.7\ \mathrm{years} \qquad (C.9)$$

$$MTTF_d = \frac{60 \times 10^{6}\ \mathrm{cycles}}{0.1 \times 2.53 \times 10^{6}\ \mathrm{cycles/year}} = 237\ \mathrm{years} \qquad (C.10)$$

This will give an MTTFd for the component of "high" according to table 5. These assumptions are only valid for a restricted operation time of 23.7 years for the valve.
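Formulas (C.1) to (C.3) and note 1) of C.4.2, applied to the valve of the example above. This is an added example, not the standard's own code; the function names are mine, and the level boundaries in `mttfd_level` are the ones of table 5 of the standard (low 3 to 10 years, medium 10 to 30 years, high 30 to 100 years), which this clause only refers to.

```python
"""MTTFd and T10d of a component from B10d (C.4.2), run on the numbers of C.4.3.
Added example, not part of the standard."""

SECONDS_PER_HOUR = 3600


def annual_operations(d_op, h_op, t_cycle):
    """n_op = d_op * h_op * 3600 s/h / t_cycle   (C.2), in cycles per year.
    d_op in days/year, h_op in h/day, t_cycle in s/cycle."""
    if min(d_op, h_op, t_cycle) <= 0:
        raise ValueError("d_op, h_op and t_cycle must be positive")
    return d_op * h_op * SECONDS_PER_HOUR / t_cycle


def b10d_from_b10(b10, dangerous_fraction=0.5):
    """Note 1) of C.4.2: if the dangerous fraction of B10 is not given,
    50 % may be assumed, i.e. B10d = 2 B10."""
    if not 0 < dangerous_fraction <= 1:
        raise ValueError("dangerous fraction must lie in (0, 1]")
    return b10 / dangerous_fraction


def t10d_years(b10d, n_op):
    """T10d = B10d / n_op   (C.3): the operation time beyond which the
    constant failure rate estimate no longer holds."""
    return b10d / n_op


def mttfd_years(b10d, n_op):
    """MTTFd = B10d / (0.1 * n_op)   (C.1), in years."""
    return b10d / (0.1 * n_op)


def mttfd_level(mttfd):
    """Classification of table 5 of the standard (boundaries assumed from the
    standard, not shown in this clause): low 3..10, medium 10..30, high 30..100."""
    if mttfd < 3:
        return "below low"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"


def valve_example():
    """The case of C.4.3: B10d = 60 million cycles, 220 days/year,
    16 h/day (two shifts), 5 s per cycle."""
    n_op = annual_operations(d_op=220, h_op=16, t_cycle=5)   # 2.53e6 cycles/year
    b10d = 60e6
    mttfd = mttfd_years(b10d, n_op)
    return {
        "n_op": n_op,
        "T10d": t10d_years(b10d, n_op),   # 23.7 years
        "MTTFd": mttfd,                   # 237 years
        "level": mttfd_level(mttfd),      # high
    }


if __name__ == "__main__":
    print(valve_example())
```

Running the same calculation with a shorter cycle time shows why T10d matters: halving tcycle halves both MTTFd and the permitted operation time, so the "high" classification has to be read together with the years for which it is valid.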

C.5 MTTF d data of electrical components

C.5.1 General
Tables C.2 to C.7 indicate some typical average values of MTTFd for electronic components. The data are extracted from the SN 29500 series database. All data are of general type. Various databases are available (see the database list in the Bibliography) which present MTTFd values for various electronic components. If the designer of an SRP/CS has other, reliable, specific data on the components used, then the use of that specific data instead is highly recommended.
The values given in tables C.2 to C.7 are valid for a temperature of 40 °C, nominal load for current and voltage.
In the MTTF column of the tables, the values from SN 29500 are for generic components for all possible failure modes which are not necessarily dangerous failures. In the MTTFd column, it is typically assumed that not all failure modes lead to a dangerous failure. This depends mainly on the application. A precise way of determining the "typical" MTTFd for components is to carry out an FMEA. Some components, e.g. transistors used as switches, can have short circuits or interruptions as failure. Only one of these two modes can be dangerous; therefore the "remarks" column assumes only 50 % dangerous failure, which means that the MTTFd for components is twice the given MTTF value. For use where there is doubt, a worst case MTTFd for components is given in the "worst case" MTTFd column, where the safety margin is 10.


C.5.2 Semiconductors
See tables C.2 and C.3.

Table C.2 Transistors (used as switches)

Transistor | Example | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
Bipolar | TO18, TO92, SOT23 | 34 247 | 68 493 | 6 849 | 50 % dangerous failure
Bipolar, low power | TO5, TO39 | 5 708 | 11 416 | 1 142 | 50 % dangerous failure
Bipolar, power | TO3, TO220, D-Pack | 1 941 | 3 881 | 388 | 50 % dangerous failure
FET Junction MOS | - | 22 831 | 45 662 | 4 566 | 50 % dangerous failure
MOS, power | TO3, TO220, D-Pack | 1 142 | 2 283 | 228 | 50 % dangerous failure

Table C.3 Diodes, power semiconductors and integrated circuits

Diode | Example | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
General purpose | - | 114 155 | 228 311 | 22 831 | 50 % dangerous failure
Suppressor | - | 15 981 | 31 963 | 3 196 | 50 % dangerous failure
Zener diode Ptot < 1 W | - | 114 155 | 228 311 | 22 831 | 50 % dangerous failure
Rectifier diodes | - | 57 078 | 114 155 | 11 416 | 50 % dangerous failure
Rectifier bridges | - | 11 415 | 22 831 | 2 283 | 50 % dangerous failure
Thyristors | - | 2 283 | 4 566 | 457 | 50 % dangerous failure
Triacs, Diacs | - | 1 484 | 2 968 | 297 | 50 % dangerous failure
Integrated circuits (programmable and non-programmable) | Use manufacturer's data | | | | 50 % dangerous failure
I


C.6 Passive components


See tables CA to C.7.

Table C.4 Capacitors

Capacitor | Example components | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
Standard, no power | KP, KC, KT, MKT, MKC, MKP, MKU, MP, MKV | 57 078 | 114 155 | 11 416 | 50 % dangerous failure
Ceramic | - | 22 831 | 45 662 | 4 566 | 50 % dangerous failure
Aluminium electrolytic | Non-solid electrolyte | 22 831 | 45 662 | 4 566 | 50 % dangerous failure
Aluminium electrolytic | Solid electrolyte | 37 671 | 75 342 | 7 534 | 50 % dangerous failure
Tantalum electrolytic | Non-solid electrolyte | 11 415 | 22 831 | 2 283 | 50 % dangerous failure
Tantalum electrolytic | Solid electrolyte | 114 155 | 228 311 | 22 831 | 50 % dangerous failure

Table C.5 Resistors

Resistor | Example components | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
Carbon film | - | 114 155 | 228 311 | 22 831 | 50 % dangerous failure
Metal film | - | 570 776 | 1 141 552 | 114 155 | 50 % dangerous failure
Metal oxide and wire-wound | - | 22 831 | 45 662 | 4 566 | 50 % dangerous failure
Variable | - | 3 767 | 7 534 | 753 | 50 % dangerous failure


Table C.6 Inductors

Inductor | Example components | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
Chokes | - | 37 671 | 75 342 | 7 534 | 50 % dangerous failure
Low frequency inductors and transformers | - | 22 831 | 45 662 | 4 566 | 50 % dangerous failure
Main transformers and transformers for switched mode power supplies | - | 11 415 | 22 831 | 2 283 | 50 % dangerous failure

Table C.7 Optocouplers

Optocoupler | Example components | MTTF for components (years) | MTTFd for components, typical (years) | MTTFd for components, worst case (years) | Remark
Bipolar output | SFH 610 | 7 648 | 15 296 | 1 530 | 50 % dangerous failure
FET output | LH 1056 | 2 854 | 5 708 | 571 | 50 % dangerous failure


Annex D (informative)
Simplified method for estimating MTTFd for each channel

D.1 Parts count method

Use of the "parts count method" serves to estimate the MTTFd for each channel separately. The values of all single components which are part of that channel are used in this calculation.
The general formula is

..................................... (D.1)

where
MTTFd: MTTFd for the complete channel;
MTTFdi, MTTFdj: the MTTFd of each component which has a contribution to the safety function.
The first sum is over each component separately; the second sum is an equivalent, simplified form where all nj identical components with the same MTTFdj are grouped together.
Example:
Σ 1/MTTFdi = 1/30 + 1/30 + 1/30
Σ nj/MTTFdj = 3/30 = 1/10
The example given in table D.1 gives an MTTFd of the channel of 21.4 years, which is "medium" according to table 5.

Table D.1 Example of the parts list of a circuit board

No. | Component | Units nj | MTTFdj, worst case (years) | 1/MTTFdj, worst case (1/year) | nj/MTTFdj, worst case (1/year)
1 | Transistors, bipolar, low power (see table C.2) | 2 | 1 142 | 0.000 876 | 0.001 752
2 | Resistor, carbon film (see table C.5) | 5 | 22 831 | 0.000 044 | 0.000 219
3 | Capacitor, standard, no power (see table C.4) | 4 | 11 416 | 0.000 088 | 0.000 350
4 | Relay (with small load, see table C.1) (B10d = 20 000 000 cycles, nop = 633 600) | 4 | 315.66 | 0.003 168 | 0.012 672
5 | Contactor (with nominal load, see table C.1) (B10d = 2 000 000 cycles, nop = 633 600) | 1 | 31.57 | 0.031 676 | 0.031 676
 | Σ (nj/MTTFdj) | | | | 0.046 669
 | MTTFd = 1/Σ (nj/MTTFdj) [years] | | | | 21.43


NOTE 1 This method is based on the presumption that a failure of any component within a channel leads to dangerous failure of the channel. The calculation illustrated by table D.1 is based upon this.
NOTE 2 In this example the main influence comes from the contactor. The chosen MTTFd and B10d for this are based on Annex C. For the application dop = 220 days/year, hop = 8 h/day and tcycle = 10 s/cycle is giving nop = 633 600 cycles/year. In general, manufacturer's values for MTTFd and B10d will lead to a much better result, that is, a higher MTTFd for the channel.
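The parts count method of D.1, as an added worked example in Python; this is not code from the standard. It reproduces table D.1 including the B10d conversion of Annex C for the relay and contactor rows (MTTFd = B10d / (0.1 × nop) with nop = dop × hop × 3600 / tcycle), and classifies the result with the band limits of table 5 in 4.5.2 (low from 3 years, medium from 10 years, high from 30 years, capped at 100 years). The type and function names are the example's own.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: parts count method
# of D.1 plus the B10d -> MTTFd conversion of Annex C, applied to table D.1.
from dataclasses import dataclass
from typing import List


@dataclass
class Part:
    name: str
    units: int           # n_j: number of identical components in the channel
    mttfd_years: float   # MTTFd_j of one such component, worst case, in years


def n_op(d_op_days: int, h_op_hours: float, t_cycle_s: float) -> float:
    """Mean number of annual operations: n_op = d_op * h_op * 3600 / t_cycle."""
    return d_op_days * h_op_hours * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d_cycles: float, n_op_per_year: float) -> float:
    """MTTFd of an electromechanical component from its B10d value (Annex C)."""
    return b10d_cycles / (0.1 * n_op_per_year)


def channel_mttfd(parts: List[Part]) -> float:
    """Parts count method (D.1): 1/MTTFd = sum over j of n_j / MTTFd_j.
    Any component failure is presumed to be a dangerous channel failure (NOTE 1)."""
    if not parts:
        raise ValueError("a channel needs at least one part")
    inverse_sum = sum(p.units / p.mttfd_years for p in parts)
    return 1.0 / inverse_sum


def mttfd_band(mttfd_years: float) -> str:
    """Designation of table 5 (4.5.2); values above 100 years count as 100."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def table_d1_example() -> float:
    """The circuit board of table D.1, built from the annex C tables."""
    nop = n_op(220, 8, 10)  # 633 600 cycles/year, as in NOTE 2
    parts = [
        Part("Transistor, bipolar, low power (table C.2)", 2, 1142),
        Part("Resistor, carbon film (table C.5)", 5, 22831),
        Part("Capacitor, standard, no power (table C.4)", 4, 11416),
        Part("Relay, small load (table C.1)", 4, mttfd_from_b10d(20_000_000, nop)),
        Part("Contactor, nominal load (table C.1)", 1, mttfd_from_b10d(2_000_000, nop)),
    ]
    return channel_mttfd(parts)


if __name__ == "__main__":
    mttfd = table_d1_example()
    print(f"channel MTTFd = {mttfd:.2f} years ({mttfd_band(mttfd)})")
```

The same `channel_mttfd` reproduces the single channel of example A in Annex I (switch 20 years, contactor 50 years give 14.3 years, "medium").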

D.2 MTTFd for different channels, symmetrization of MTTFd for each channel

The architectures of 6.2 assume that for different channels in a redundant SRP/CS the values for MTTFd for each channel are the same. This value per channel should be used for figure 5.
If the MTTFd of the channels differ, there are two possibilities:
- as a worst case assumption the lower value should be taken into account;
- formula D.2 can be used as an estimation of a value that can be substituted for MTTFd for each channel:

MTTFd = (2/3) × [ MTTFdC1 + MTTFdC2 − 1 / (1/MTTFdC1 + 1/MTTFdC2) ] ..... (D.2)

where MTTFdC1 and MTTFdC2 are the values for two different redundant channels.
Example:
One channel has an MTTFdC1 = 3 years, the other channel has an MTTFdC2 = 100 years, then the resulting MTTFd = 66 years for each channel. This means a redundant system with 100 years MTTFd in one channel and 3 years MTTFd in the other channel is equal to a system where each channel has an MTTFd of 66 years.
A redundant system with two channels and different MTTFd values for each channel can be substituted by a redundant system with identical MTTFd in each channel by using the above formula. This procedure is necessary for the correct use of figure 5.
NOTE: This method assumes independent parallel channels.
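Formula (D.2) beside the worst-case alternative, as an added example (not code from the standard). It reproduces the 3-year/100-year case above and also shows the two properties a practitioner should check before relying on the substitution: identical channels are returned unchanged, and the result always lies between the two channel values. Function names are the example's own.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: symmetrization of
# MTTFd for two redundant channels with different MTTFd (formula D.2).


def symmetrized_mttfd(mttfd_c1_years: float, mttfd_c2_years: float) -> float:
    """Formula (D.2): MTTFd = 2/3 * [C1 + C2 - 1 / (1/C1 + 1/C2)].

    Algebraically this equals 2/3 * (C1^2 + C1*C2 + C2^2) / (C1 + C2), so for
    C1 == C2 it returns C1, and otherwise a value between C1 and C2."""
    if mttfd_c1_years <= 0 or mttfd_c2_years <= 0:
        raise ValueError("MTTFd values must be positive")
    parallel_term = 1.0 / (1.0 / mttfd_c1_years + 1.0 / mttfd_c2_years)
    return (2.0 / 3.0) * (mttfd_c1_years + mttfd_c2_years - parallel_term)


def worst_case_mttfd(mttfd_c1_years: float, mttfd_c2_years: float) -> float:
    """The other possibility D.2 allows: take the lower channel value."""
    return min(mttfd_c1_years, mttfd_c2_years)


def per_channel_mttfd(mttfd_c1_years: float, mttfd_c2_years: float,
                      symmetrize: bool = True) -> float:
    """Value to use per channel in figure 5 for a redundant SRP/CS."""
    if symmetrize:
        return symmetrized_mttfd(mttfd_c1_years, mttfd_c2_years)
    return worst_case_mttfd(mttfd_c1_years, mttfd_c2_years)


if __name__ == "__main__":
    # The example of D.2: 3 years and 100 years
    print(f"symmetrized: {per_channel_mttfd(3, 100):.1f} years")
    print(f"worst case : {per_channel_mttfd(3, 100, symmetrize=False):.1f} years")
```

Note how far the two options diverge for the D.2 example (about 66 years against 3 years); the symmetrized value is only justified when the channels are independent, as the NOTE above states.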


Annex E (informative)
Estimates for diagnostic coverage (DC) for functions and modules

E.1 Examples of diagnostic coverage (DC)

See table E.1.

Table E.1 Estimates for diagnostic coverage (DC)

Measure | DC
EI Input device |
1 Cyclic test stimulus by dynamic change of the input signals | 90 %
2 Plausibility check, e.g. use of normally open and normally closed mechanically linked contacts | 99 %
3 Cross monitoring of inputs without dynamic test | 0 % to 99 %, depending on how often a signal change is done by the application
4 Cross monitoring of input signals with dynamic test if short circuits are not detectable (for multiple I/O) | 90 %
5 Cross monitoring of input signals and intermediate results within the logic (L), and temporal and logical software monitoring of the program flow and detection of static faults and short circuits (for multiple I/O) | 99 %
6 Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90 % to 99 %, depending on the application
7 Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99 %
8 Fault detection by the process | 0 % to 99 %, depending on the application; this measure alone is not sufficient for the required performance level "e"!
9 Monitoring some characteristics of the sensor (response time, range of analogue signals, e.g. electrical resistance, capacitance) | 60 %
EL Logic |
1 Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90 % to 99 %, depending on the application
2 Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99 %
3 Simple temporal time monitoring of the logic (e.g. timer as watchdog, where trigger points are within the program of the logic) | 60 %
4 Temporal and logical monitoring of the logic by the watchdog, where the test equipment does plausibility checks of the behaviour of the logic | 90 %
5 Start-up self-tests to detect latent faults in parts of the logic (e.g. program and data memories, input/output ports, interfaces) | 90 % (depending on the testing technique)
6 Checking the monitoring device reaction capability (e.g. watchdog) by the main channel at start-up or whenever the safety function is demanded or whenever an external signal demands it, through an input facility | 90 %
7 Dynamic principle (all components of the logic are required to change the state ON-OFF-ON when the safety function is demanded), e.g. interlocking circuit implemented by relays | 99 %
8 Invariable memory: signature of one word (8 bit) | 90 %
9 Invariable memory: signature of double word (16 bit) | 99 %
10 Variable memory: RAM-test by use of redundant data e.g. flags, markers, constants, timers and cross comparison of these data | 60 %
11 Variable memory: check for readability and write ability of used data memory cells | 60 %
12 Variable memory: RAM monitoring with modified Hamming code or RAM self-test (e.g. "galpat" or "Abraham") | 99 %
13 Processing unit: self-test by software | 60 % to 90 %
14 Processing unit: coded processing | 90 % to 99 %
15 Fault detection by the process | 0 % to 99 %, depending on the application; this measure alone is not sufficient for the required performance level "e"!
EO Output device |
1 Monitoring of outputs by one channel without dynamic test | 0 % to 99 %, depending on how often a signal change is done by the application
2 Cross monitoring of outputs without dynamic test | 0 % to 99 %, depending on how often a signal change is done by the application
3 Cross monitoring of output signals with dynamic test without detection of short circuits (for multiple I/O) | 90 %
4 Cross monitoring of output signals and intermediate results within the logic (L) and temporal and logical software monitoring of the program flow and detection of static faults and short circuits (for multiple I/O) | 99 %
5 Redundant shut-off path with no monitoring of the actuator | 0 %
6 Redundant shut-off path with monitoring of one of the actuators either by logic or by test equipment | 90 %
7 Redundant shut-off path with monitoring of the actuators by logic and test equipment | 99 %
8 Indirect monitoring (e.g. monitoring by pressure switch, electrical position monitoring of actuators) | 90 % to 99 %, depending on the application
9 Fault detection by the process | 0 % to 99 %, depending on the application; this measure alone is not sufficient for the required performance level "e"!
10 Direct monitoring (e.g. electrical position monitoring of control valves, monitoring of electromechanical devices by mechanically linked contact elements) | 99 %
NOTE 1 For additional estimations for DC, see, e.g., IEC 61508-2, tables A.2 to A.15.
NOTE 2 If medium or high DC is claimed for the logic, at least one measure for variable memory, invariable memory and processing unit with each DC at least 60 % has to be applied.
There may also be measures that can be used other than those listed in this table.

E.2 Estimation of average DC (DCavg)

In many systems, several measures for fault detection might be used. These measures could check different parts of the SRP/CS and have different DC. For an estimation of the PL according to figure 5 only one, average, DC for the whole SRP/CS performing the safety function is applicable.
DC may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. According to this definition an average diagnostic coverage DCavg is estimated by the following formula:

................................ (E.l)

Here all components of the SRP/CS without fault exclusion have to be considered and summed up. For each block, the MTTFd and the DC are taken into account. DC in this formula means the ratio of the failure rate of detected dangerous failures of the part (regardless of the measures used to detect the failures) to the failure rate of all dangerous failures of the part. Thus, DC refers to the tested part and not to the testing device. Components without failure detection (e.g. which are not tested) have DC = 0 and contribute only to the denominator of DCavg.
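The DCavg estimation of E.2 as an added example (not the standard's own code), written as the weighted ratio the paragraph describes: each block's DC weighted by its dangerous failure rate 1/MTTFd, divided by the sum of those rates. It is applied to the four tested parts of control circuit B in Annex I (I.4.2), so the result can be compared with the 67.1 % given there, and classified with the DC bands of table 6 in 4.5.3 (none below 60 %, low from 60 %, medium from 90 %, high from 99 %). Function names are the example's own.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: average diagnostic
# coverage DCavg per E.2, with the band limits of table 6 (4.5.3).
from typing import Sequence, Tuple

Block = Tuple[str, float, float]   # (name, MTTFd in years, DC as a fraction 0..1)


def dc_avg(blocks: Sequence[Block]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over every block without
    fault exclusion. An untested block carries DC = 0 and therefore appears
    only in the denominator, pulling the average down."""
    if not blocks:
        raise ValueError("at least one block is required")
    for name, mttfd, dc in blocks:
        if mttfd <= 0 or not 0.0 <= dc <= 1.0:
            raise ValueError(f"invalid block {name!r}: MTTFd={mttfd}, DC={dc}")
    numerator = sum(dc / mttfd for _, mttfd, dc in blocks)
    denominator = sum(1.0 / mttfd for _, mttfd, _ in blocks)
    return numerator / denominator


def dc_band(dc: float) -> str:
    """Designation of table 6 (4.5.3)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Values of I.4.2 for control circuit B (MTTFd from the manufacturer, DC from table E.1)
EXAMPLE_B_BLOCKS: Sequence[Block] = (
    ("SW2", 20.0, 0.60),   # EI-3, monitoring without dynamic test
    ("K1B", 30.0, 0.99),   # EI-2, mechanically linked contacts read back
    ("PLC", 20.0, 0.30),   # self-tests of low effectiveness
    ("CC",  20.0, 0.90),   # EO-6, redundant shut-off path with monitoring
)


def example_b_dc_avg() -> float:
    return dc_avg(EXAMPLE_B_BLOCKS)


if __name__ == "__main__":
    avg = example_b_dc_avg()
    print(f"DCavg = {avg * 100:.1f} % ({dc_band(avg)})")
```

Because the weights are failure rates, a block with a short MTTFd dominates the average; improving the DC of the weakest-MTTFd block raises DCavg far more than improving an already reliable one.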


Annex F (informative)
Estimates for common cause failure (CCF)

F.1 Requirements for CCF

A comprehensive procedure for measures against CCF for sensors/actuators and separately for control logic is given, for example, in IEC 61508-6, Annex D. Not all measures given therein are applicable to the machinery site. The most important measures are listed here.
NOTE: In this Standard, it is assumed that for redundant systems a β-factor according to IEC 61508-6, Annex D should be less than or equal to 2 %.

F.2 Estimation of effect of CCF

This quantitative process should be passed for the whole system. Every part of the safety-related parts of the control system should be considered.
Table F.1 lists the measures and contains associated values, based on engineering judgement, which represent the contribution each measure makes in the reduction of common cause failures.
For each listed measure, only the full score or nothing can be claimed. If a measure is only partly fulfilled, the score according to this measure is zero.

Table F.1 Scoring process and quantification of measures against CCF

No. | Measure against CCF | Score
1 | Separation/segregation |
 | Physical separation between signal paths: separation in wiring/piping; sufficient clearances and creepage distances on printed-circuit boards. | 15
2 | Diversity |
 | Different technologies/design or physical principles are used, for example: first channel programmable electronic and second channel hardwired; kind of initiation; pressure and temperature; measuring of distance and pressure; digital and analogue. Components of different manufacturers. | 20
3 | Design/application/experience |
3.1 | Protection against over-voltage, over-pressure, over-current, etc. | 15
3.2 | Components used are well-tried. | 5
4 | Assessment/analysis |
 | Are the results of a failure mode and effect analysis taken into account to avoid common-cause failures in design? | 5
5 | Competence/training |
 | Have designers/maintainers been trained to understand the causes and consequences of common cause failures? | 5
6 | Environmental |
6.1 | Prevention of contamination and electromagnetic compatibility (EMC) against CCF in accordance with appropriate standards. Fluidic systems: filtration of the pressure medium, prevention of dirt intake, drainage of compressed air, e.g. in compliance with the component manufacturers' requirements concerning purity of the pressure medium. Electric systems: Has the system been checked for electromagnetic immunity, e.g. as specified in relevant standards against CCF? For combined fluidic and electric systems, both aspects should be considered. | 25
6.2 | Other influences: Have the requirements for immunity to all relevant environmental influences such as temperature, shock, vibration, humidity (e.g. as specified in relevant standards) been considered? | 10
 | Total (max. achievable 100) |

Total score | Measures for avoiding CCF a)
65 or better | Meets the requirements
Less than 65 | Process failed => choose additional measures
Note a) Where technological measures are not relevant, points attached to this column can be considered in the comprehensive calculation.
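The scoring process of F.2 over the measures of table F.1, as an added example (not the standard's own code). The point it makes executable is the all-or-nothing rule: a measure that is only partly fulfilled scores zero, which can turn a passing design into a failing one. The claimed scores for control circuit B are those of table I.1 in Annex I; the measure numbering follows table F.1, and the function names are the example's own.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: CCF scoring per F.2
# using the measures and scores of table F.1 (max. achievable 100, pass at 65).
from typing import Dict

CCF_MEASURES: Dict[str, int] = {   # table F.1: measure number -> score
    "1":   15,   # Separation/segregation
    "2":   20,   # Diversity
    "3.1": 15,   # Protection against over-voltage, over-pressure, over-current, etc.
    "3.2": 5,    # Components used are well-tried
    "4":   5,    # Assessment/analysis (FMEA results used to avoid CCF)
    "5":   5,    # Competence/training
    "6.1": 25,   # Prevention of contamination and EMC against CCF
    "6.2": 10,   # Other environmental influences
}
CCF_PASS_SCORE = 65
FULFILMENT_STATES = ("full", "partial", "none")


def ccf_score(fulfilment: Dict[str, str]) -> int:
    """Sum the scores of fully met measures. 'partial' scores zero (F.2);
    a measure missing from the dict counts as 'none'."""
    unknown = set(fulfilment) - set(CCF_MEASURES)
    if unknown:
        raise ValueError(f"unknown measure numbers: {sorted(unknown)}")
    total = 0
    for number, score in CCF_MEASURES.items():
        status = fulfilment.get(number, "none")
        if status not in FULFILMENT_STATES:
            raise ValueError(f"measure {number}: unknown status {status!r}")
        if status == "full":
            total += score
    return total


def ccf_meets_requirements(fulfilment: Dict[str, str]) -> bool:
    return ccf_score(fulfilment) >= CCF_PASS_SCORE


# Scores claimed for control circuit B in table I.1 of Annex I
EXAMPLE_B_CCF: Dict[str, str] = {
    "1": "full", "2": "full", "3.1": "none", "3.2": "full",
    "4": "full", "5": "none", "6.1": "full", "6.2": "full",
}


if __name__ == "__main__":
    print(f"example B: {ccf_score(EXAMPLE_B_CCF)} points,",
          "pass" if ccf_meets_requirements(EXAMPLE_B_CCF) else "fail")
    # The same design with EMC (6.1) only partly verified loses all 25 points
    degraded = dict(EXAMPLE_B_CCF, **{"6.1": "partial"})
    print(f"6.1 partial: {ccf_score(degraded)} points,",
          "pass" if ccf_meets_requirements(degraded) else "fail")
```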


Annex G (informative)
Systematic failure

G.1 General
ISO 13849-2 gives a comprehensive list of measures against systematic failure which should be applied, such as basic and well-tried safety principles.

G.2 Measures for the control of systematic failures

The following measures should be applied.
- Use of de-energization (see ISO 13849-2)
  The safety-related parts of the control system (SRP/CS) should be designed so that with loss of its power supply a safe state of the machine can be achieved or maintained.
- Measures for controlling the effects of voltage breakdown, voltage variations, overvoltage, undervoltage
  SRP/CS behaviour in response to voltage breakdown, voltage variations, overvoltage and undervoltage conditions should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also JIS B 9960-1 and IEC 61508-7, A.8).
- Measures for controlling or avoiding the effects of the physical environment (for example, temperature, humidity, water, vibration, dust, corrosive substances, electromagnetic interference and its effects)
  SRP/CS behaviour in response to the effects of the physical environment should be predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also, for example, JIS C 0920, JIS B 9960-1).
- Program sequence monitoring shall be used with SRP/CS containing software in order to detect defective program sequences
  A defective program sequence exists if the individual elements of a program (e.g. software modules, subprograms or commands) are processed in the wrong sequence or period of time or if the clock of the processor is faulty (see IEC 61508-7, A.9).
- Measures for controlling the effects of errors and other effects arising from any data communication process (see IEC 61508-2, 7.4.8)
In addition, one or more of the following measures should be applied, taking into account the complexity of the SRP/CS and its PL:
- failure detection by automatic tests;
- tests by redundant hardware;
- diverse hardware;
- operation in the positive mode;
- mechanically linked contacts;
- direct opening action;
- oriented mode of failure;
- over-dimensioning by a suitable factor, where the manufacturer can demonstrate that derating will improve reliability; where over-dimensioning is appropriate, an over-dimensioning factor of at least 1.5 should be used.
See also ISO 13849-2, D.3.
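A minimal program sequence monitor of the kind G.2 calls for, as an added example that is not code from the standard. It checks that the checkpoints of one control cycle occur in the expected order and that a cycle completes within a time budget (the watchdog-style measures EL-3 and EL-4 of table E.1); a detected deviation is latched so the program cannot silently carry on, and a real SRP/CS would use that latched fault to demand the safe state. The clock is injected so the timing path can be exercised deterministically; the checkpoint names, class and function names are hypothetical.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: program sequence
# monitoring (order and timing of program checkpoints) with a latched fault.
import time
from typing import Callable, List, Optional


class SequenceMonitor:
    def __init__(self, expected: List[str], max_cycle_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.expected = list(expected)
        self.max_cycle_s = max_cycle_s
        self.clock = clock
        self.faulted: Optional[str] = None   # latched until clear() is called
        self._index = 0
        self._cycle_start = clock()

    def checkpoint(self, name: str) -> Optional[str]:
        """Record one program step. Returns None while the flow is correct,
        otherwise a fault description; once faulted, every further call keeps
        reporting the fault (latching), so the caller cannot resume unnoticed."""
        if self.faulted is not None:
            return self.faulted
        expected = self.expected[self._index]
        if name != expected:
            return self._latch(f"sequence fault: got {name!r}, expected {expected!r}")
        elapsed = self.clock() - self._cycle_start
        if elapsed > self.max_cycle_s:
            return self._latch(f"timing fault: {elapsed:.3f} s exceeds {self.max_cycle_s} s")
        self._index += 1
        if self._index == len(self.expected):   # cycle complete in order and in time
            self._index = 0
            self._cycle_start = self.clock()
        return None

    def _latch(self, message: str) -> str:
        self.faulted = message
        return message

    def clear(self) -> None:
        """Acknowledge the fault (e.g. after a manual reset) and restart the cycle."""
        self.faulted = None
        self._index = 0
        self._cycle_start = self.clock()


class FakeClock:
    """Constructed clock for the example, so it runs offline and reproducibly."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


# Hypothetical checkpoints of one control cycle
EXPECTED_FLOW = ["read_inputs", "evaluate_safety_function", "write_outputs"]


def run_cycles(steps: List[str], step_duration_s: float,
               max_cycle_s: float = 0.1) -> Optional[str]:
    """Feed a constructed sequence of checkpoints, each taking step_duration_s,
    and return the first fault reported (None if the whole run was clean)."""
    clock = FakeClock()
    monitor = SequenceMonitor(EXPECTED_FLOW, max_cycle_s, clock)
    for step in steps:
        clock.now += step_duration_s
        fault = monitor.checkpoint(step)
        if fault is not None:
            return fault
    return None


if __name__ == "__main__":
    print("clean run      :", run_cycles(EXPECTED_FLOW * 3, 0.01))
    print("skipped step   :", run_cycles(["read_inputs", "write_outputs"], 0.01))
    print("slow cycle     :", run_cycles(EXPECTED_FLOW, 0.06))
```

Such a monitor covers the order and duration of program elements; it does not detect a faulty processor clock, which G.2 also names, because it relies on that same clock. That case needs an independent time base, for example an external watchdog that the main channel has to serve, as in measure EL-6 of table E.1.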

G.3 Measures for avoidance of systematic failures

The following measures should be applied.
- Use of suitable materials and adequate manufacturing
  Selection of material, manufacturing methods and treatment in relation to, e.g. stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity, dielectric rigidity.
- Correct dimensioning and shaping
  Consideration of, e.g. stress, strain, fatigue, temperature, surface roughness, tolerances, manufacturing.
- Proper selection, combination, arrangements, assembly and installation of components, including cabling, wiring and any interconnections
  Apply appropriate standards and manufacturer's application notes, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice.
- Compatibility
  Use components with compatible operating characteristics.
- Withstanding specified environmental conditions
  Design the SRP/CS so that it is capable of working in all expected environments and in any foreseeable adverse conditions, e.g. temperature, humidity, vibration and electromagnetic interference (EMI) (see ISO 13849-2, D.2).
- Use of components designed to an appropriate standard and having well-defined failure modes
  To reduce the risk of undetected faults by the use of components with specific characteristics (see IEC 61508-7, B.3.3).
In addition, one or more of the following measures should be applied, taking into account the complexity of the SRP/CS and its PL.
- Hardware design review (e.g. by inspection or walk-through)
  To reveal by reviews and analysis discrepancies between the specification and implementation (see IEC 61508-7, B.3.7 and B.3.8).
- Computer-aided design tools capable of simulation or analysis
  Perform the design procedure systematically and include appropriate automatic construction elements that are already available and tested (see IEC 61508-7, B.3.5).
- Simulation
  Perform a systematic and complete inspection of an SRP/CS design in terms of both the functional performance and the correct dimensioning of their components (see IEC 61508-7, B.3.6).

G.4 Measures for avoidance of systematic failures during SRP/CS integration

The following measures should be applied during integration of the SRP/CS:
- functional testing;
- project management;
- documentation.
In addition, black-box testing should be applied, taking into account the complexity of the SRP/CS and its PL.


Annex H (informative)
Example of combination of several safety-related parts of the control system

Figure H.1 is a schematic diagram of the safety-related parts providing one of the functions controlling a machine actuator. This is not a functional/working diagram and is included only to demonstrate the principle of combining categories and technologies in this one function.
The control is provided through electronic control logic and a hydraulic directional valve. The risk is reduced by an AOPD, which detects access to the hazardous situation and prevents start-up of the fluidic actuator when the light beam is interrupted. The safety-related parts which provide the safety function are: AOPD, electronic control logic, hydraulic directional valve and the interconnecting means.
These combined safety-related parts provide a stop function as a safety function. As the AOPD is interrupted, the outputs transfer a signal to the electronic control logic, which provides a signal to the hydraulic directional valve to stop the hydraulic flow as the output of the SRP/CS. At the machine, this stops the hazardous movement of the actuator.
This combination of safety-related parts creates a safety function demonstrating the combination of different categories and technologies based on the requirements given in clause 6. Using the principles given in this Standard, the safety-related parts shown in figure H.2 can be described as follows.
- Category 2, PL = c for the electro-sensitive protective device (light barrier). To reduce the probability of faults this device uses well-tried safety principles;
- Category 3, PL = d for the electronic control logic. To increase the level of safety performance of this electronic control logic, the structure of this SRP/CS is redundant and implements several fault detection measures such that it is able to detect most single faults;
- Category 1, PL = c for the hydraulic directional valve. The status of being well-tried is mainly application-specific. In this example, the valve is considered to be well-tried. In order to reduce the probability of faults, this device is comprised of well-tried components applied using well-tried safety principles and all application conditions are considered (see 6.2.4).
NOTE 1 The position, size and layout of the interconnecting means have also to be taken into account.
This combination leads with PLlow = c and Nlow = 2 to an overall performance level of PL = c (see 6.3).
NOTE 2 In case of one fault in the category 1 or the category 2 parts of figure H.2 there may be a loss of the safety function.
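The combination rule of 6.3 that the PL = c result above relies on, as an added example that is not code from the standard. PLlow is the lowest PL among the parts in series and Nlow the number of parts at that level; table 11 of the standard then either keeps PLlow (Nlow up to 3 for PL a, d and e; up to 2 for PL b and c) or drops one level, with no PL claimable when more than three PL a parts are combined. The example applies this to the three parts of figure H.2; names are the example's own.

```python
# Added example, not part of JIS B 9705-1 / ISO 13849-1: PL of a series
# combination of SRP/CS per 6.3 (table 11 of the standard).
from typing import Dict, Optional, Sequence

PL_ORDER = "abcde"
# Largest N_low for which the combination keeps PL = PL_low (table 11)
MAX_NLOW_FOR_PLLOW: Dict[str, int] = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combined_pl(part_pls: Sequence[str]) -> Optional[str]:
    """Overall PL of SRP/CS combined in series.

    Returns the resulting PL letter, or None when no PL can be claimed
    (more than three parts of PL a)."""
    if not part_pls or any(p not in PL_ORDER for p in part_pls):
        raise ValueError("part PLs must be the letters a to e")
    pl_low = min(part_pls, key=PL_ORDER.index)
    n_low = sum(1 for p in part_pls if p == pl_low)
    if n_low <= MAX_NLOW_FOR_PLLOW[pl_low]:
        return pl_low
    index = PL_ORDER.index(pl_low)
    return PL_ORDER[index - 1] if index > 0 else None


# The three SRP/CS of figure H.2 and their PLs as stated in this annex
ANNEX_H_PARTS: Dict[str, str] = {
    "AOPD, SRP/CS a (category 2)": "c",
    "electronic control logic, SRP/CS b (category 3)": "d",
    "hydraulic directional valve, SRP/CS c (category 1)": "c",
}


def annex_h_pl() -> Optional[str]:
    return combined_pl(list(ANNEX_H_PARTS.values()))


if __name__ == "__main__":
    print("Annex H combination: PL =", annex_h_pl())
    print("three PL c parts   : PL =", combined_pl(["c", "c", "c"]))
```

The second printed case shows why Nlow matters: adding one more PL c part to the Annex H chain would drop the whole safety function to PL b, even though no single part got worse.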


[Figure H.1: block diagram of SRP/CS a, SRP/CS b and SRP/CS c in series, leading to the fluidic actuator and the hazardous movement; drawing not reproduced]

Key
AOPD active optoelectronic protective device (e.g. light barrier), SRP/CS a: Category 2 [Type 2 (JIS B 9704-1)], PL = c
E electronic control, SRP/CS b: Category 3, PL = d
F fluidics, SRP/CS c: Category 1, PL = c
Fa fluidic actuator
H hazardous movement

Figure H.1 Example - Block diagram explaining combination of SRP/CS


[Figure H.2: designated architectures of SRP/CS a, SRP/CS b and SRP/CS c; drawing not reproduced]

Key
AOPD active optoelectronic protective device (e.g. light barrier)
E electronic control logic
F fluidics
I, I1, I2 input devices, e.g. sensor
L, L1, L2 logic
O, O1, O2, OTE output devices, e.g. main contactor
TE test equipment

Figure H.2 Substitution of figure H.1 by designated architectures


Annex I (informative)
Examples

I.1 General
This Annex illustrates the use of the methods given in preceding annexes for identifying safety functions and PL. The quantification of two widely used control circuits is given. For the procedure, see figure 3.
Two different examples of control circuits, A and B, are examined, see figure I.1 and figure I.3. Both illustrate the performance of the same safety function of the interlocking of the door. The first example is built up as one channel of electromechanical components with high MTTFd values, while the second is made up of two channels, one electromechanical and the other programmable electronic, including tests, but made up of components with lower MTTFd values.

I.2 Safety function and required performance level (PLr)

For both examples, the safety function of the interlocking of a guard may be chosen as follows.
The movement will be stopped when the guard door is opened (by de-energizing the power of the electrical motor).
The risk parameters according to the risk graph method (see A.1) are the following:
- severity of injury S = S2, serious;
- frequency and/or exposure time to hazard F = F1, seldom to less often and/or the exposure time is short;
- possibility of avoiding the hazard P = P1, possible under specific conditions.
These decisions lead to a required performance level PLr of c.
Determination of the category: a performance level of c can be achieved typically by very reliable single-channel systems (category 1) or redundant architectures (category 2 or 3) (see figure 5 and clause 6).

I.3 Example A, single-channel system

I.3.1 Identification of safety-related parts

All components contributing to the safety function are represented in figure I.1. Functional details not contributing to the safety function of interlocking (as start and stop switches) are omitted.


[Figure I.1: circuit diagram, not reproduced]

Key
o open
c close
M motor
K1A contactor
SW1A switch (NC)
+ direct-current power source
L alternating-current power source

Figure I.1 Control circuit A for performing safety function

In this example, a door switch has normally closed contacts (but no fault exclusion is justified) and is connected to a contactor able to switch off the power connection to the motor:
- one channel of electromechanical components;
- switch SW1A has medium MTTFd;
- contactor K1A has low MTTFd.
The chosen contactor in this example is a well-tried component when implemented according to ISO 13849-2.
Thus the safety-related parts and their division into channels can be illustrated in a safety-related block diagram as shown in figure I.2.

[Figure I.2: one channel, SW1A followed by K1A; drawing not reproduced]
Key
K1A contactor
SW1A switch

Figure I.2 Safety-related block diagram identifying safety-related parts of Example A


I.3.2 Quantification of MTTFd for each channel, DCavg, common cause failure, category and PL
The values for MTTFd for each channel, DCavg and common cause failure are assumed to be estimated according to Annexes C, D, E and F, or to be given by the manufacturer. The categories are estimated according to 6.2.
MTTFd
The contactor K1A and the switch SW1A contribute to the MTTFd of the one channel. The MTTFd,K1A of 50 years and MTTFd,SW1A of 20 years are assumed to be given by the manufacturer. The parts count method of D.1 yields for the MTTFd of the one channel:

1/MTTFd = 1/MTTFd,SW1A + 1/MTTFd,K1A = 1/(20 years) + 1/(50 years) = 0.07/year ..... (I.1)

which leads to MTTFd = 14.3 years or "medium" for the channel according to 4.5.2, table 5.
NOTE: If no information for K1A were available, a worst case assumption according to C.2 or C.4 could be made.
DC
Because no testing is done in control circuit A, the DC = 0 or "none" according to 4.5.3, table 6.
Category
Although the preferred category for this circuit is 1, the resulting MTTFd of the channel is "medium". This is an argument that only category B is reached by this circuit.
Input data for figure 5: MTTFd for each channel is "medium" (14.3 years), DCavg is "none" and category is B.
This may be interpreted as performance level b.
This result does not match the required performance level c according to I.2. The circuit thus has to be redesigned and re-evaluated until performance level c is reached, in order to meet the requirements for risk reduction of the example application of I.2.

I.4 Example B, redundant system

I.4.1 Identification of safety-related parts

All components contributing to the safety function are represented in figure I.3. Functional details not contributing to the safety function of interlocking (as start and stop switches or delayed switching of K1B) are omitted.


[Figure I.3: circuit diagram with SW1B, SW2, K1B, PLC, CC, SIB, RS and M; drawing not reproduced]

Key
PLC programmable logic controller
CS stop function (standard)
CC current converter
SIB safe impulse blocking
M motor
K1B contactor
RS rotation sensor
SW1B switch (NC)
o open
SW2 switch (NO)
c close
+ direct-current power source
L alternating-current power source

Figure I.3 Control circuit B to perform the safety function

In this second example two channels providing redundancy are used. The first channel, similarly to that in example A, uses a door switch having direct opening action and which is used in the positive mode of actuation. This door switch is connected to a contactor able to switch off the power connection to the motor. In the second channel additional (programmable) electronic components are used. A second door switch is connected to a programmable logic controller which can control the current converter to switch off the power connection to the motor:
- redundant channels, one electromechanical and the other programmable electronic;
- switch SW1B has positive mechanical action of the contacts, SW2 has medium MTTFd;
- contactor K1B has medium MTTFd, the chosen contactor in this example is not a well-tried component;
- electronic components have medium MTTFd.


So the safety-related parts and their division into channels can be illustrated in a safety-related block diagram as shown in figure I.4.
NOTE: With respect to redundant diversity, requirements for software according to 4.6 for the PLC path are not considered relevant.

[Figure I.4: two-channel block diagram, first channel SW1B and K1B, second channel SW2, PLC and CC, with RS as test equipment for CC; drawing not reproduced]

SW1B and K1B build up the first channel; SW2, PLC and CC build up the second channel; RS is only used to test the current converter.
Key
SW1B interlocking device
K1B contactor
SW2 switch
PLC programmable logic controller
CC current converter
RS rotation sensor

Figure I.4 Block diagrams identifying safety-related parts of example B

I.4.2 Quantification of MTTFd for each channel, DCavg, common cause failure, category and PL
The values for MTTFd for each channel, DCavg and common cause failure are assumed to be evaluated according to Annexes C, D, E and F, or to be given by the manufacturer. The categories are estimated according to 6.2.
The switch SW1B has a direct opening action and is used in the positive mode of actuation. Therefore, a fault exclusion is made concerning non-opening of a contact and non-actuation of the switch due to mechanical failure (e.g. break of plunger, wear of the actuating cam, maladjustment).
NOTE: These assumptions are valid for auxiliary circuit switches according to JIS C 8201-5-1, Annex K, and for adequate mechanical fixing and actuation of the switches according to the manufacturer's specification (see ISO 13849-2).


MTTFd
The contactor K1B is the only element contributing to the MTTFd of the one channel. The MTTFd,K1B of 30 years is assumed to be given by the manufacturer. The parts count method of D.1 yields for the MTTFd of the one channel

1/MTTFdC1 = 1/MTTFd,K1B ..... (I.2)

which leads to MTTFd = 30 years for the channel.
In the second channel SW2, PLC and CC are contributing to MTTFdC2. For these three components as well as for RS an MTTFd of 20 years is assumed to be given by the manufacturer. The parts count method of D.1 yields for the MTTFdC2 of the second channel

1/MTTFdC2 = 1/MTTFd,SW2 + 1/MTTFd,PLC + 1/MTTFd,CC = 1/(20 years) + 1/(20 years) + 1/(20 years) = 0.15/year ..... (I.3)

which leads to MTTFd = 6.7 years for the channel.
Because both channels have different MTTFd, the formula of D.2 can be used to calculate a substitutional value for a single-channel MTTFd of a symmetrical two-channel system. This formula yields MTTFd = 20 years or "medium" for the channel according to 4.5.2, table 5.
DC
In control circuit B, four of the safety-related parts are tested by the PLC: SW2 and K1B are read back by the PLC, the PLC performs self-tests and the CC is read back via RS by the PLC. The related DC of every tested part are
1) DCSW2 = 60 %, "low", due to monitoring of input signals without dynamic test, see table E.1 (Input device, EI-3),
2) DCK1B = 99 %, "high", due to normally open and normally closed mechanically linked contacts, see table E.1 (Input device, EI-2),
3) DCPLC = 30 %, "none", due to low effectiveness of self-tests (it is assumed that the manufacturer has calculated this value by FMEA), and
4) DCCC = 90 %, "medium", due to redundant shut-off path with monitoring of the actuator by control logic, see table E.1 (Output device, EO-6); if the PLC monitors a failure of CC, it is able to stop the motion with the safe impulse blocking (additional shut-off path).
For an estimation of the PL, an average DC value (DCavg) is needed as input for figure 5.


$$\mathrm{DC}_{\mathrm{avg}} = \frac{\dfrac{\mathrm{DC}_{\mathrm{SW2}}}{\mathrm{MTTF}_{\mathrm{dSW2}}} + \dfrac{\mathrm{DC}_{\mathrm{K1B}}}{\mathrm{MTTF}_{\mathrm{dK1B}}} + \dfrac{\mathrm{DC}_{\mathrm{PLC}}}{\mathrm{MTTF}_{\mathrm{dPLC}}} + \dfrac{\mathrm{DC}_{\mathrm{CC}}}{\mathrm{MTTF}_{\mathrm{dCC}}}}{\dfrac{1}{\mathrm{MTTF}_{\mathrm{dSW2}}} + \dfrac{1}{\mathrm{MTTF}_{\mathrm{dK1B}}} + \dfrac{1}{\mathrm{MTTF}_{\mathrm{dPLC}}} + \dfrac{1}{\mathrm{MTTF}_{\mathrm{dCC}}}} = \frac{\dfrac{0.6}{20\ \text{years}} + \dfrac{0.99}{30\ \text{years}} + \dfrac{0.3}{20\ \text{years}} + \dfrac{0.9}{20\ \text{years}}}{\dfrac{1}{20\ \text{years}} + \dfrac{1}{30\ \text{years}} + \dfrac{1}{20\ \text{years}} + \dfrac{1}{20\ \text{years}}} = \frac{0.123}{0.183} = 67.1\,\% \qquad \text{(I.4)}$$

Thus, the DCavg is "low" according to 4.5.3 and table 6.


CCF
An estimation of the measures against CCF according to F.2 is assumed to have
been carried out for control circuit B. Scores are claimed as given in table I.1.

Table I.1 Estimation of the measures against CCF for example B

No. | Item | Score for control circuit B | Maximum possible score
1 | Separation/segregation: Physical separation between signal paths | 15 | 15
2 | Diversity: Different technologies/design or physical principles are used | 20 | 20
3 | Design/application/experience | |
3.1 | Protection against overvoltage, overpressure, overcurrent, etc. | None | 15
3.2 | Components used are well-tried | 5 | 5
4 | Assessment/analysis: Are the results of a failure mode and effect analysis taken into account to avoid common cause failures in design? | 5 | 5
5 | Competence/training: Have designers been trained to understand the causes and consequences of common cause failures? | None | 5
6 | Environmental | |
6.1 | Prevention of contamination and electromagnetic compatibility (EMC) against CCF in accordance with appropriate standards | 25 | 25
6.2 | Other influences: Have the requirements for immunity to all relevant environmental influences, such as temperature, shock, vibration, humidity (e.g. as specified in relevant standards) been considered? | 10 | 10
Total | | 80 | Max. 100

Sufficient measures against CCF require a minimum score of 65. In example B, a
score of 80 is sufficient to fulfil the requirements against CCF.


A single fault in any of the parts does not lead to the loss of the safety function.
Whenever reasonably practicable the fault is detected at or before the next demand
upon the safety function. The diagnostic coverage (DCavg) is in the range 60 %
to 90 %. The measures against CCF are sufficient. These characteristics are typical
for category 3.
Input data for figure 5: MTTFd for the channel is "medium" (20 years), DCavg is "low"
and category is 3.
This may be interpreted as performance level c.
This result matches the required performance level c of I.2. Thus control circuit B
meets the requirements for risk reduction of the example application of I.2.
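The calculation chain of this example (parts count per channel, the D.2 substitution, DCavg, the CCF score and the PL determination), carried through as an added Python example that is not code from the standard. The band limits of tables 5 and 6, the CCF minimum of 65 and the simplified category/DCavg/MTTFd to PL assignment of figure 5 are encoded as I read them from the standard; the function names and the `control_circuit_b` data set are my own.

```python
# Added example, not code from JIS B 9705-1 / ISO 13849-1.
# Reproduces the Annex I figures for control circuit B with the formulas of
# D.1 (parts count), D.2 (symmetrisation), E.1 (DCavg) and the F.2 CCF score.


def mttfd_channel(component_mttfd):
    """Parts count (D.1): 1/MTTFd_channel = sum of 1/MTTFd_i over the components
    whose dangerous failure affects the channel (RS, read-back only, is left out)."""
    return 1.0 / sum(1.0 / m for m in component_mttfd)


def mttfd_two_channel(c1, c2):
    """D.2: substitutional single-channel MTTFd of a symmetrical two-channel system
    when the two channels have different MTTFd values."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_level(years):
    """4.5.2, table 5: low 3..10, medium 10..30, high 30..100 years."""
    if years < 3.0:
        return "not acceptable"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"  # values above 100 years are capped at 100 by the standard


def dc_avg(parts):
    """E.1 / equation (I.4): sum(DC_i/MTTFd_i) / sum(1/MTTFd_i), DC as fractions."""
    return sum(dc / m for dc, m in parts) / sum(1.0 / m for _, m in parts)


def dc_level(dc):
    """4.5.3, table 6: none < 60 %, low 60..90 %, medium 90..99 %, high >= 99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def ccf_sufficient(scores, minimum=65):
    """F.2: measures against CCF are sufficient when the claimed scores total >= 65."""
    total = sum(scores)
    return total >= minimum, total


# Simplified figure 5 assignment: (category, DCavg level, MTTFd level) -> PL
PL_LOOKUP = {
    ("B", "none", "low"): "a", ("B", "none", "medium"): "b",
    ("1", "none", "high"): "c",
    ("2", "low", "low"): "a", ("2", "low", "medium"): "b", ("2", "low", "high"): "c",
    ("2", "medium", "low"): "b", ("2", "medium", "medium"): "c", ("2", "medium", "high"): "d",
    ("3", "low", "low"): "b", ("3", "low", "medium"): "c", ("3", "low", "high"): "d",
    ("3", "medium", "low"): "c", ("3", "medium", "medium"): "d", ("3", "medium", "high"): "d",
    ("4", "high", "high"): "e",
}


def performance_level(category, dcavg, mttfd_years):
    """Returns the PL, or None for a combination figure 5 does not cover."""
    return PL_LOOKUP.get((category, dc_level(dcavg), mttfd_level(mttfd_years)))


def control_circuit_b():
    """The numbers of Annex I, example B (manufacturer data as assumed there)."""
    c1 = mttfd_channel([30.0])                    # channel 1: K1B only
    c2 = mttfd_channel([20.0, 20.0, 20.0])        # channel 2: SW2, PLC, CC
    mttfd = mttfd_two_channel(c1, c2)
    # tested parts as (DC, MTTFd): SW2, K1B, PLC, CC
    dcavg = dc_avg([(0.60, 20.0), (0.99, 30.0), (0.30, 20.0), (0.90, 20.0)])
    ccf_ok, ccf_score = ccf_sufficient([15, 20, 0, 5, 5, 0, 25, 10])  # table I.1
    pl = performance_level("3", dcavg, mttfd) if ccf_ok else None
    return {"c1": c1, "c2": c2, "mttfd": mttfd, "dcavg": dcavg,
            "ccf_score": ccf_score, "pl": pl}


if __name__ == "__main__":
    r = control_circuit_b()
    print(f"MTTFd: C1 {r['c1']:.1f} y, C2 {r['c2']:.1f} y, channel {r['mttfd']:.1f} y "
          f"({mttfd_level(r['mttfd'])}); DCavg {r['dcavg'] * 100:.1f} % "
          f"({dc_level(r['dcavg'])}); CCF score {r['ccf_score']}; PL {r['pl']}")
```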


Annex J (informative)
Software

J.1 Description of example

In this example, activities for realizing the SRESW of an SRP/CS for PLr = d
are presented. The SRP/CS is interfaced with the machine equipment. It ensures
- the acquisition of information sent by the various sensors,
- the processing required to operate the control elements taking into account the
requirements, and
- the control of the actuators.
The design of the SRESW of this application on function block level is as shown in
figure J.1.

[Figure J.1 (block diagram): sensors 1 to 5 feed acquisition interface blocks; Processing function 1 and Processing function 2 evaluate the acquired signals; piloting interface blocks drive actuators 1 to 3. Columns of the figure: Sensors, Acquisition interface, Processing, Piloting interface, Actuators.]

Figure J.1 Function block level design of software example

J.2 Application of V-model of software safety lifecycle

Table J.1 presents exemplary activities and documents on application of the V-model
of the software safety lifecycle for a machine control.


Table J.1 Activities and documents within software safety lifecycle

Development activity | Verification activity | Associated documentation
Machine aspect: Identification of the functions involving the SRP/CS | Identification of safety-related functions | "Safety-related specification for machine control"
Architecture aspect: Definition of the control architecture with sensors and actuators | Comments upon safety characteristics of chosen components | "Definition of the control architecture"
Software specification aspect: Transcription of machine functions into software functions | Re-reading of the descriptions (see J.3) | "Software descriptions"
Software architecture aspect: To detail the functions into functional blocks | Definition of critical blocks which are subject to greater review and validation effort | "Function block modelling"
Encoding aspect: Encoding according to the programming rules (see J.4) | Re-reading of the code. Verification of functions and compliance with rules. | "Encoding comments in the code"; "Encoding re-reading sheets"
Validation aspect: Making of test scenarios: operation aspect of functions; behaviour-on-failure aspect | Verification of the test covering. Verification of the test results | "Correspondence matrix" which cross-references specification paragraphs and tests; "Test sheets" comprising test scenario and comments upon results achieved

J.3 Verification of software specification

As part of the software safety lifecycle, the verification activity at level of the
software specification consists in reading the descriptions so as to verify that all
the sensitive points are properly described. The following should be considered when
verifying each function:
- limiting the cases of erroneous interpretation of the system specification;
- avoiding gaps in specification resulting in an a priori unknown behaviour of the
SRP/CS;
- precisely defining conditions for activation and de-activation of functions;
- precisely guaranteeing that all the possible cases are handled;
- consistency tests;
- the different parameterizing cases;
- the reaction following a failure.

J.4 Example of programming rules


For the CCF, in general it should be possible to authenticate the program by au-
thor, date of loading, version and last type of access. Concerning the programming
rules the following rules can be differentiated.


a) Programming rules at level of the program structure
The program should be structured so as to display a consistent and understandable
general skeleton allowing the different processings to be easily localized. This
implies
1) use of templates for typical program or function blocks,
2) partitioning of the program into modules in order to identify main parts
corresponding to "inputs", "processings" and "outputs",
3) comments on each program section in the source of the program to facilitate the
updating of the comment in case of modification,
4) description of the role a function block has when calling this block,
5) that a memory location should be used only by one single kind of data type and
be marked by unique labels, and
6) that the working sequence should not depend on variables such as a jump address
calculated at runtime of the program, conditional jumps being authorized.
b) Programming rules regarding the use of variables
The activation or de-activation of any output should take place only once
(centralized conditions).
The program should be structured such that the equations for updating a variable
are centralized.
Each global variable, input or output, should have a mnemonic name explicit enough
and be described by a comment within the source.
c) Programming rules at level of a function block
Preferably use function blocks that have been validated by the supplier of the
SRP/CS, checking that the assumed operating conditions for these validated blocks
correspond to the conditions of the program.
The size of the coded block should be limited to the following guideline values:
1) parameters: maximum eight digital and two integer inputs, one output;
2) function code: maximum ten local variables, maximum 20 Boolean equations.
The function blocks should not modify the global variables.
A digital value should be controlled relative to pre-set benchmarks to ensure the
domain of validity.
A function block should try to detect inconsistencies of variables to be processed.
The fault code of a block should be accessible to discriminate a fault among others.
The fault codes and the state of the block after fault detection should be described
by comments.
The resetting of the block or the restoration of a normal state should be described
by comments.
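An added illustration of the function block rules in c) together with the centralized output rule in b), written in Python rather than an IEC 61131-3 language and not taken from the standard: a small two-channel guard evaluation block with few parameters, no global writes, a benchmark check on its integer input, inconsistency detection, an accessible fault code and a documented reset. The block name, input names and benchmark values are assumptions of this example.

```python
# Added example, not from the standard. A function block written to the J.4 rules:
# 2 digital + 1 integer input and 1 output, no writes to global variables, the
# integer value checked against pre-set benchmarks, inconsistency detection on the
# inputs, an accessible fault code, and a reset whose behaviour is documented.

# Fault codes, accessible so that a fault can be discriminated among others
FAULT_NONE = 0
FAULT_CHANNEL_DISCREPANCY = 1   # antivalent guard contacts report the same state
FAULT_VALUE_OUT_OF_RANGE = 2    # process value outside the pre-set benchmarks


class GuardEnableBlock:
    """Two-channel guard interlock evaluation (illustrative).

    Inputs per call: ch_no (guard-closed NO contact), ch_nc (guard-open NC contact)
    and value (an integer process value that must lie within [value_min, value_max]).
    Output: enable, True only while the guard is closed and no fault is latched.
    State after fault detection: fault_code holds the first fault seen and enable
    stays False until reset() is called with consistent inputs.
    """

    def __init__(self, value_min, value_max):
        # Benchmarks are fixed at instantiation; the block never reads or writes globals
        self.value_min = value_min
        self.value_max = value_max
        self.fault_code = FAULT_NONE
        self.enable = False

    def execute(self, ch_no, ch_nc, value):
        """One cyclic evaluation; returns the enable output."""
        fault = self.fault_code                    # latched fault, if any
        if fault == FAULT_NONE:
            if ch_no == ch_nc:                     # antivalent pair must differ
                fault = FAULT_CHANNEL_DISCREPANCY
            elif not (self.value_min <= value <= self.value_max):
                fault = FAULT_VALUE_OUT_OF_RANGE
        self.fault_code = fault
        # The output is written in exactly one place (centralized condition)
        self.enable = fault == FAULT_NONE and ch_no and not ch_nc
        return self.enable

    def reset(self, ch_no, ch_nc, value):
        """Restoration of normal state: clears the latched fault and re-evaluates;
        if the inputs are still inconsistent or out of range the fault is raised again."""
        self.fault_code = FAULT_NONE
        return self.execute(ch_no, ch_nc, value)
```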


Annex K (informative)
Numerical representation of figure 5

For MTTFd, DC, categories and PL in figure 5, see table K.1.

Table K.1 Numerical representation of figure 5

Average probability of a dangerous failure per hour (1/h) and corresponding performance level (PL)

Columns: MTTFd for each channel (years) | Cat. B, DCavg = none | Cat. 1, DCavg = none | Cat. 2, DCavg = low | Cat. 2, DCavg = medium | Cat. 3, DCavg = low | Cat. 3, DCavg = medium | Cat. 4, DCavg = high. Each category column gives the average probability of a dangerous failure per hour and the PL it corresponds to.

[Table K.1 body not reproduced: rows for MTTFd for each channel from 3 years to 100 years, each giving the probability value and PL per category column.]

Bibliography

1 Publication on programmable electronic system

[1] JIS C 61000-4-4 Electromagnetic compatibility (EMC)-Part 4-4: Testing and measurement techniques-Electrical fast transient / burst immunity test
NOTE: Corresponding International Standard: IEC 61000-4-4 Electromagnetic compatibility (EMC)-Part 4-4: Testing and measurement techniques-Electrical fast transient / burst immunity test (IDT)
[2] JIS B 9704-1 Safety of machinery-Electro-sensitive protective equipment-Part 1: General requirements and tests
NOTE: Corresponding International Standard: IEC 61496-1 Safety of machinery-Electro-sensitive protective equipment-Part 1: General requirements and tests (IDT)
[3] JIS B 9704-2 Safety of machinery-Electro-sensitive protective equipment-Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPDs)
NOTE: Corresponding International Standard: IEC 61496-2 Safety of machinery-Electro-sensitive protective equipment-Part 2: Particular requirements for equipment using active opto-electronic protective devices (AOPDs) (IDT)
[4] JIS B 9704-3 Safety of machinery-Electro-sensitive protective equipment-Part 3: Particular requirements for Active Opto-electronic Protective Devices responsive to Diffuse Reflection (AOPDDR)
NOTE: Corresponding International Standard: IEC 61496-3 Safety of machinery-Electro-sensitive protective equipment-Part 3: Particular requirements for Active Opto-electronic Protective Devices responsive to Diffuse Reflection (AOPDDR) (IDT)
[5] JIS B 9717-1 Safety of machinery-Pressure-sensitive protective devices-Part 1: General principles for design and testing of pressure-sensitive mats and pressure-sensitive floors
NOTE: Corresponding International Standard: ISO 13856-1 Safety of machinery-Pressure-sensitive protective devices-Part 1: General principles for design and testing of pressure-sensitive mats and pressure-sensitive floors (IDT)
[6] JIS B 9961: 2008 Safety of machinery-Functional safety of safety-related electrical, electronic and programmable electronic control systems
NOTE: Corresponding International Standard: IEC 62061: 2005 Safety of machinery-Functional safety of safety-related electrical, electronic and programmable electronic control systems (IDT)
[7] IEC 61508-1: 1998 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 1: General requirements


[8] IEC 61508-2: 2000 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
[9] IEC 61508-5: 1998 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 5: Examples of methods for the determination of safety integrity levels
[10] IEC 61508-6: 2000 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
[11] IEC 61508-7: 2000 Functional safety of electrical/electronic/programmable electronic safety-related systems-Part 7: Overview of techniques and measures
[12] IEC 61511-1 Functional safety-Safety instrumented systems for the process industry sector-Part 1: Framework, definitions, hardware and software requirements
[13] Guidelines, Programmable Electronic Systems in Safety-related Applications, Parts 1 (ISBN 0 11 883906 6) and 2 (ISBN 0 11 883906 3)
[14] CECR-184, Personal Safety in Microprocessor Control Systems (Elektronikcentralen, Denmark)

2 Further publications
[15] JIS B 9703 Safety of machinery-Emergency stop-Principles for design
NOTE: Corresponding International Standard: ISO 13850 Safety of machinery-Emergency stop-Principles for design (IDT)
[16] JIS B 9706 (series) Safety of machinery-Indication, marking and actuation
NOTE: Corresponding International Standard: IEC 61310 (all parts) Safety of machinery-Indication, marking and actuation (IDT)
[17] JIS B 9710 Safety of machinery-Interlocking devices associated with guards-Principles for design and selection
NOTE: Corresponding International Standard: ISO 14119 Safety of machinery-Interlocking devices associated with guards-Principles for design and selection (IDT)
[18] JIS B 9712 Safety of machinery-Two-hand control devices-Functional aspects and design principles
NOTE: Corresponding International Standard: ISO 13851 Safety of machinery-Two-hand control devices-Functional aspects and design principles (IDT)
[19] JIS B 9714 Safety of machinery-Prevention of unexpected start-up
NOTE: Corresponding International Standard: ISO 14118 Safety of machinery-Prevention of unexpected start-up (IDT)


[20] JIS B 9715 Safety of machinery-Positioning of protective equipment with respect to the approach speeds of parts of the human body
NOTE: Corresponding International Standard: ISO 13855: 2000 Safety of machinery-Positioning of protective equipment with respect to the approach speeds of parts of the human body (IDT)
[21] JIS B 9960-1 Safety of machinery-Electrical equipment of machines-Part 1: General requirements
NOTE: Corresponding International Standard: IEC 60204-1 Safety of machinery-Electrical equipment of machines-Part 1: General requirements (MOD)
[22] JIS C 4421 Adjustable speed electrical power drive systems (PDS)-Electromagnetic compatibility (EMC) requirements and specific test methods
NOTE: Corresponding International Standard: IEC 61800-3 Adjustable speed electrical power drive systems-Part 3: EMC requirements and specific test methods (MOD)
[23] JIS C 8201 Low-voltage switchgear and controlgear
NOTE: Corresponding International Standard: IEC 60947 (all parts) Low-voltage switchgear and controlgear (MOD)
[24] JIS C 61000-6-2 Electromagnetic compatibility (EMC)-Part 6-2: Generic standards-Immunity for industrial environments
NOTE: Corresponding International Standard: IEC 61000-6-2 Electromagnetic compatibility (EMC)-Part 6-2: Generic standards-Immunity for industrial environments (MOD)
[25] JIS Q 9001 Quality management systems-Requirements
NOTE: Corresponding International Standard: ISO 9001 Quality management systems-Requirements (IDT)
[26] JIS B 8361: 2000 Hydraulic fluid power-General rules relating to systems
NOTE: Corresponding International Standard: ISO 4413 Hydraulic fluid power-General rules relating to systems (IDT)
[27] JIS B 8370: 2000 Pneumatic fluid power-General rules relating to systems
NOTE: Corresponding International Standard: ISO 4414 Pneumatic fluid power-General rules relating to systems (IDT)
[28] JIS C 0920 Degrees of protection provided by enclosures (IP Code)
NOTE: Corresponding International Standard: IEC 60529 Degrees of protection provided by enclosures (IP Code) (IDT)
[29] ISO 13856-2 Safety of machinery-Pressure-sensitive protective devices-Part 2: General principles for the design and testing of pressure-sensitive edges and pressure-sensitive bars
[30] ISO 11428 Ergonomics-Visual danger signals-General requirements, design and testing


[31] ISO 9355-1 Ergonomic requirements for the design of displays and control actuators-Part 1: Human interactions with displays and control actuators
[32] ISO 9355-2 Ergonomic requirements for the design of displays and control actuators-Part 2: Displays
[33] ISO 9355-3 Ergonomic requirements for the design of displays and control actuators-Part 3: Control actuators
[34] ISO 11429 Ergonomics-System of auditory and visual danger and information signals
[35] ISO 7731 Ergonomics-Danger signals for public and work areas-Auditory danger signals
[36] ISO 19973 (all parts) Pneumatic fluid power-Assessment of component reliability by testing
[37] IEC 60447 Basic and safety principles for man-machine interface, marking and identification-Actuating principles
[38] IEC 60812 Analysis techniques for system reliability-Procedure for failure mode and effects analysis (FMEA)
[39] IEC 61810 (all parts) Electromechanical elementary relays
[40] IEC 61300 (all parts) Fibre optic interconnecting devices and passive components-Basic test and measurement procedures
[41] JIS B 3503 Programmable controllers-Programming languages
NOTE: Corresponding International Standard: IEC 61131-3 Programmable controllers-Part 3: Programming languages (IDT)
[42] IEC 61131
[43] EN 457 Safety of machinery. Auditory danger signals. General requirements, design and testing
[44] EN 614-1 Safety of machinery-Ergonomic design principles-Part 1: Terminology and general principles
[45] EN 982 Safety of machinery. Safety requirements for fluid power systems and their components. Hydraulics
[46] EN 983 Safety of machinery. Safety requirements for fluid power systems and their components. Pneumatics
[47] EN 1005-3 Safety of machinery-Human physical performance-Part 3: Recommended force limits for machinery operation
[48] EN 50205 Relays with forcibly guided (mechanically linked) contacts
[49] SN 29500 (all parts) Failure rates of components
[50] GOBLE, W.M. Control systems-Evaluation and Reliability. 2nd Edition. Instrument Society of America (ISA), North Carolina, 1998


3 Databases
[51] SN 29500, Failure rates of components, Edition 1999-11, Siemens AG 1999, www.pruefinstitut.de
[52] IEC/TR 62380, Reliability data handbook-Universal model for reliability prediction of electronics components, PCBs and equipment, identical to RDF 2000 / Reliability Data Handbook, UTE C 80-810, Union Technique de l'Electricite et de la Communication (www.ute-fr.com)
[53] Reliability Prediction of Electronic Equipment, MIL-HDBK-2 Department of Defense, Washington DC, 1982
[54] Reliability Prediction Procedure for Electronic Equipment, Telcordia SR-332, Issue 01, May 2001 (telecom-info.telcordia.com), Bellcore TR-332, Issue 06
[55] EPRD, Electronic Parts Reliability Data (RAC-STD-6100), Reliability Analysis Centre, 201 Mill Street, Rome, NY 13440 (rac.alionscience.com)
[56] NPRD-95, Non-electronic Parts Reliability Data (RAC-STD-6200), Reliability Analysis Centre, 201 Mill Street, Rome, NY 13440 (rac.alionscience.com)
[57] British Handbook for Reliability Data for Components used in Telecommunication Systems, British Telecom (HRD5, last issue)
[58] Chinese Military Standard, GJB/z 299B

Errata for JIS (English edition) are printed in Standardization and Quality Control, published
monthly by the Japanese Standards Association, and also provided to subscribers of JIS
(English edition) in Monthly Information.

Errata will be provided upon request, please contact:

Standards Publishing Department, Japanese Standards Association
4-1-24, Akasaka, Minato-ku, Tokyo, 107-8440 JAPAN
TEL. 03-8583-8002 FAX. 03-3583-0462
