ISO 13849

In 2006 the current revision of ISO 13849-1 was published and ratified by the European and national standardization organizations. After a recently extended grace period of three more years, it will replace EN 954-1 as the standard for safety-related control of machinery within the European Union and elsewhere in December 2012. For manufacturers of machines such as construction equipment or utility vehicles, now is the right time to incorporate the new standard into the control design of their new products.

ISO 13849-1 provides safety requirements and design principles for the safety-related parts of control systems (SRP/CS), whatever their technology: electrical, electronic, programmable, hydraulic, pneumatic or mechanical. It keeps the categories of EN 954-1, but supplements that purely deterministic, structural view with probabilistic, quantitative measures (familiar from the more comprehensive IEC 61508) so that complex programmable electronic systems can be assessed as well.

Based on a hazard and risk analysis, a required performance level (PLr) is assigned to each safety function; the design then has to demonstrate that the parts implementing the function achieve at least that level. Five performance levels, PL a (lowest) to PL e (highest), are specified. They are defined by the average probability of a dangerous failure per hour (PFHd):

Table 1 - ISO 13849 performance levels

Furthermore, the standard defines a set of predefined structural architectures and design concepts. These so-called "designated architectures" are divided into five categories: B, 1, 2, 3 and 4. The categories describe how parts have to be selected and which diagnostic capabilities and redundant elements have to be incorporated into the design. Category B is a simple single-channel architecture built to basic safety principles with no specific diagnostics; category 1 is single-channel as well but uses well-tried components; category 2 adds test equipment that checks the safety function periodically; category 3 is a full dual-channel system in which a single fault does not lead to loss of the safety function; and category 4 is dual-channel with diagnostics good enough that single faults are detected and an accumulation of undetected faults cannot defeat the function.

The performance level that a control unit or sensor actually achieves (as opposed to the PLr that the risk assessment demands) is determined from three properties: the category of its architecture, the average diagnostic coverage (DCavg) of its monitoring, and the mean time to dangerous failure (MTTFd) of each channel. Where the required PL is low, a simple single-channel architecture with little or no diagnostic coverage is sufficient, provided the components are reliable enough. For highly safety-critical functions, such as on heavy construction equipment, for which an MTTFd below about 40 years cannot be tolerated, control units and sensors that reach PL c, d or e must be chosen, and better diagnostic coverage must be implemented. Keep in mind, however, that the PL of a complete safety function is not a property of any one component: the channel MTTFd is derived mathematically from the MTTFd of every component in the input, logic and output stages (their failure rates, the reciprocals of MTTFd, add up), and the function's overall PL is the combination of all sub-systems in series, whose dangerous-failure probabilities likewise add up. The weakest sub-system therefore bounds the result: a channel built from a PL c sensor and a PL d control unit reaches at most PL c overall, and a PL d function requires PL d (or better) in every sub-system along the chain.
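To make the procedure described above concrete, here is an added worked example in Python. It is not code from the article or from TTControl; it encodes the public tables of ISO 13849-1:2006 (PL versus PFHd, the MTTFd and DC bands, the simplified category/DCavg/MTTFd lookup and the rule for combining sub-systems in series) together with the parts-count formulas for channel MTTFd and DCavg from the standard's annexes. The component names and values at the bottom are constructed for illustration and are not data for any real product.

```python
"""ISO 13849-1 simplified PL estimation (added example, not from the article).

Encodes ISO 13849-1:2006 Table 3 (PL <-> PFHd), Table 5 (MTTFd bands),
Table 6 (DC bands), Table 7 (category + DCavg + MTTFd -> PL) and Table 11
(sub-systems in series), plus the Annex D/E parts-count formulas.
Component values below are constructed, not real product data.
"""
from dataclasses import dataclass

PL_ORDER = "abcde"  # PL a is the lowest level, PL e the highest

# Table 3: PL <-> average probability of a dangerous failure per hour (PFHd)
PFHD_RANGES = {  # PL: [lower bound inclusive, upper bound exclusive)
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

# Table 7: (category, DCavg band) -> PL reached for channel MTTFd
# band (low, medium, high); None means the combination is not covered.
TABLE7 = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}

# Table 11: PL_low -> (max number of sub-systems at PL_low, PL after demotion)
TABLE11 = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}


@dataclass
class Component:
    name: str
    mttfd_years: float       # mean time to dangerous failure of this part
    dc_percent: float = 0.0  # diagnostic coverage of the monitoring for this part


def pl_from_pfhd(pfhd):
    """Classify a PFHd value (per hour) into a PL, or None if out of range."""
    for pl, (lo, hi) in PFHD_RANGES.items():
        if lo <= pfhd < hi:
            return pl
    return None


def mttfd_band(years):
    """Table 5: channel MTTFd band; below 3 years is not acceptable."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"  # 30 years and above (the 2006 edition caps the value at 100 years)


def dc_band(dc_percent):
    """Table 6: diagnostic coverage band."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def channel_mttfd(parts):
    """Annex D parts count: 1/MTTFd_channel = sum of 1/MTTFd_i over the channel."""
    return 1.0 / sum(1.0 / p.mttfd_years for p in parts)


def channel_dcavg(parts):
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return (sum(p.dc_percent / p.mttfd_years for p in parts)
            / sum(1.0 / p.mttfd_years for p in parts))


def estimate_pl(category, parts):
    """Simplified procedure: look up the PL from category, DCavg band and MTTFd band."""
    m = mttfd_band(channel_mttfd(parts))
    row = TABLE7.get((category, dc_band(channel_dcavg(parts))))
    if m is None or row is None:
        return None  # MTTFd too low, or this DC band is not valid for the category
    return row[("low", "medium", "high").index(m)]


def combine_series(pls):
    """Table 11: the lowest PL bounds the combination and drops one level
    when too many sub-systems sit at that lowest PL."""
    low = min(pls, key=PL_ORDER.index)
    limit, demoted = TABLE11[low]
    return low if pls.count(low) <= limit else demoted


def meets(achieved, required):
    """True if the achieved PL satisfies the required PL (PLr)."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


# Constructed sub-systems (illustrative values, not product data)
SENSOR = [Component("position sensor", mttfd_years=50)]  # single channel, no monitoring
CONTROLLER = [                                            # one monitored channel
    Component("input stage", mttfd_years=150, dc_percent=99),
    Component("CPU + watchdog", mttfd_years=80, dc_percent=90),
    Component("output driver", mttfd_years=120, dc_percent=90),
]

if __name__ == "__main__":
    sensor_pl = estimate_pl("1", SENSOR)        # category 1, MTTFd high -> PL c
    ctrl_pl = estimate_pl("2", CONTROLLER)      # category 2, DCavg medium, MTTFd high -> PL d
    function_pl = combine_series([sensor_pl, ctrl_pl])
    print(f"sensor {sensor_pl}, controller {ctrl_pl}, function {function_pl}")
    print("meets PLr d:", meets(function_pl, "d"))
```

Running it shows the point made in the text: the category 2 controller channel reaches PL d on its own, but in series with a PL c sensor the function is PL c and fails a PLr of d. Adding a fourth PL d sub-system to a chain of three would likewise demote the function to PL c under the combination rule, which is why the sub-system count matters as much as the individual levels.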

Figure 1 - Relationship between design category, DCavg and single-channel MTTFd and the PL that can be achieved with them

A cost-effective electronic control platform needs to balance high diagnostic coverage against a design robust enough not to require much redundancy, since redundancy adds cost. Where the required PL permits it, a category 2 design (single channel with test equipment) is therefore preferable to a category 3 or 4 dual-channel design. That robustness comes from careful selection of the electronic components and a number of solid design rules. TTControl has recently introduced its TTC 90 controller, which can be regarded as an affordable ISO 13849 controller: a general-purpose unit whose input and output drivers, currently undergoing TÜV certification, can be used for safety-critical functions. As a stand-alone controller it can achieve ISO 13849 performance levels c and d.