iTeh Standards logo
EURUSD
Your shopping cart is empty.
ISO

ISO/DTR 13849-3

(Main)

Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation

Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation

Sécurité des machines — Parties des systèmes de commande relatives à la sécurité — Partie 3: Modèle de Markov basé sur le calcul PFH

General Information

Status
Not Published
ICS
13.110 - Safety of machinery
Technical Committee
ISO/TC 199 - Safety of machinery
Drafting Committee
ISO/TC 199/WG 8 - Safe Control Systems
Current Stage
5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date
11-Dec-2025
Completion Date
11-Dec-2025
Ref Project
ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025
PreviousNext
Draft
ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025
English language
74 pages
sale 15% off
sale 15% off
REDLINE ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025REDLINE ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025
PreviousNext
Draft
REDLINE ISO/DTR 13849-3 - Safety of machinery — Safety-related parts of control systems — Part 3: Markov model-based PFH calculation Released:11/27/2025
English language
74 pages
sale 15% off
sale 15% off

Standards Content (Sample)


FINAL DRAFT
Technical
Report
ISO/TC 199
Safety of machinery — Safety-
Secretariat: DIN
related parts of control systems —
Voting begins on:
2025-12-11
Part 3:
Markov model-based PFH
Voting terminates on:
2026-02-05
calculation
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
Reference number
FINAL DRAFT
Technical
Report
ISO/TC 199
Safety of machinery — Safety-
Secretariat: DIN
related parts of control systems —
Voting begins on:
Part 3:
Markov model-based PFH
Voting terminates on:
calculation
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
© ISO 2025
IN ADDITION TO THEIR EVALUATION AS
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
or ISO’s member body in the country of the requester.
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms, definitions, symbols and abbreviated terms . 1
3.1 Terms and definitions .1
3.2 Symbols and abbreviated terms .1
4 Basic assumptions . 7
5 Channels . 8
5.1 General .8
5.2 Functional channel.8
5.3 Test channel .9
5.4 Channel comprising elements connected logically in series .9
5.5 Limitation of λ (Capping) .10
CHD
6 Wearing parts . 10
7 Common cause failures .11
8 Series arrangement of subsystems .12
9 Single-channel architecture with and without test channel .13
9.1 General . 13
9.2 General solution for the single-channel architecture . 13
9.3 Single-channel architecture with time-optimal testing.14
9.4 Single-channel architecture with external diagnostics . 15
9.5 Single-channel architecture with external diagnostics and time-optimal testing . 15
9.6 Single-channel architecture without diagnostics . 15
9.7 Simplified general solution for the single-channel architecture .16
9.8 Simplified solution for the single-channel architecture with time-optimal testing .16
10 Two-channel architectures . .16
10.1 General .16
10.2 General solution for the two-channel architecture .17
10.3 Two-channel architecture with continuous testing .19
10.4 Two-channel architecture without testing .19
10.5 Simplified general solution for the two-channel architecture . 20
10.6 Simplified solution for the symmetrical two-channel architecture . 20
10.7 Simplified solution for the two-channel architecture with continuous testing .21
10.8 Simplified solution for the two-channel architecture without testing .21
Annex A (informative) Examples of the application of this formula-based approach .22
Annex B (informative) Derivation of the PFH formulas presented in the main part .34
Bibliography . 74

iii
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 199, Safety of machinery.
A list of all parts in the ISO 13849 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

iv
Introduction
This document has been prepared to enhance the capabilities of the simplified procedure of
ISO 13849-1:2023, 6.1.8 and Annex K, for estimating the performance level for subsystems.
By addressing the designated architectures of ISO 13849-1, the document presents an approach using
Markov model-based formulas to estimate the average frequency of a dangerous failure of the safety
function. As well as the simplified procedure of ISO 13849-1, the method considers the architecture, the
MTTF of channels, diagnostic coverage DC , the common cause factor β and the mission time T .
D avg M
Beyond the capabilities of the simplified procedure the method presented here can allow for different test
rates, a mission time different from 20 years, a common cause factor different from 2 % and any MTTF
D
ratio of a functional channel and its related test channel. Asymmetric redundancy is supported without
beforehand symmetrisation.
The formulas of this document can also be used in the context of other standards demanding the estimation
of PFH as long as the system under assessment meets the method's underlying assumptions (see Clause 4).
ISO 13849 and IEC 62061 govern the functional safety of machinery and require the probability of failure
to be determined for each safety function in terms of a quantitative estimation of the PFH value (average
frequency of a dangerous failure of the safety function).
NOTE In IEC 62061 (as well as in IEC 61508), PFH is descriptively denoted as the “average frequency of a dangerous
failure of the safety function”. The abbreviation PFH stems from the International Standard’s former denotation as the
“probability of a dangerous failure per hour”.
These International Standards assist users in ascertaining the PFH in different ways: IEC 62061 by
provision of equations for calculation of the PFH, ISO 13849-1 by a table and some associated formulas. Both
approaches have their drawbacks. The equations in IEC 62061 fail to address single-channel tested systems
in desirable depth and in some cases yield very conservative results for two-channel tested systems. The
table-based solution in ISO 13849-1 lacks flexibility owing to the fixed specification of the mission time
and the common cause factor (β) and entails additional overhead for asymmetrical two-channel systems.
Usually, the methods in the two standards will yield PFH values deviating to some extent from each other.
The objective of the PFH equations presented and derived in this document is for the benefits of flexible
solutions involving equations to be combined with the more precise modelling technique upon which the
table solution is based. The PFH equations yield good to very good reproduction of the table values stated
in ISO 13849-1:2023, Annex K, and in particular cases assume the form of equations already contained in
IEC 62061. They can therefore be regarded as a further development of the instruments of both International
Standards.
Markov models, which are also among the instruments considered suitable in IEC 61508-6 and IEC 61508-7,
are selected exclusively as the method for analysis of the architectures studied within this document. Unlike
the numerical methods (stochastic Petri nets, Monte Carlo simulation), Markov models enable equations
to be derived. They are also superior to reliability block diagrams (RBDs) in their handling of mutually
influencing failure processes and the reinsertion of repaired systems. The drawback of the Markov method
of being able to handle only exponentially distributed processes (constant transition rates) does not provide
significant detriment to the precision of the results.
Simple special cases are treated as non-standard cases of the higher-level more complex cases, enabling
overall methodical coherence to be attained.
The body part of this document addresses the use of the formulas for the estimation of the PFH value. The
definitions, variables and the basic assumptions are presented as well as the formulas.
Annex A demonstrates the application of this approach to the examples A and B in ISO 13849-1:2023, Annex I.
Annex B of this document discloses the derivation of the presented formulas based on Markov models for
the different architectures.
v
FINAL DRAFT Technical Report ISO/DTR 13849-3:2025(en)
Safety of machinery — Safety-related parts of control
systems —
Part 3:
Markov model-based PFH calculation
1 Scope
This document provides formulas for the estimation of the PFH value of single-channel architectures
as well as two-channel architectures with and without diagnostics in accordance with ISO 13849-1. The
formulas presented in this document are based on Markov modelling and can be used as an alternative to
the simplified procedure of ISO 13849-1 for estimating the quantifiable aspects of the performance level
(see ISO 13849-1:2023, 6.1.8, Figure 12, and Annex K). They can also serve as an alternative to any other
adequate method for estimating the quantifiable aspects of the performance level.
NOTE Different estimation methods can vary in the resulting PFH values due to their nature. A certain variation is
usually be the consequence of different modelling approaches and unavoidable simplifications specific to the method.
Other requirements of ISO 13849-1, e.g. on categories or software, are not addressed by this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for
design
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13849-1 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.2 Symbols and abbreviated terms
The definition of parameters related to the quantitative estimation of the PFH value, such as mean time to
dangerous failure MTTF , diagnostic coverage DC, common cause factor β mission time T , etc., can be found
D M
in ISO 13849-1:2023, Clause 3.
With only a few exceptions, all variables used in this document are listed in Table 1 below.
NOTE Within this document components with mechanical wear are concisely addressed as wearing elements or
wearing parts.
Table 1 — Used variables and locations of their appearance
Pre-
Variable ferred Description Use (selection)
unit
B – Number of working cycles by which 10 % of the wearing Formulas (5), (6), (B.1),
10D E
elements E have failed dangerously (B.4), (B.5)
C – Auxiliary variable used for two-channel systems Formulas (31), (B.102)
N
C – Auxiliary variable used for two-channel systems Formulas (30), (B.101)
P
DC – Diagnostic coverage of the functional channel of a sin- Figures 3, 4, 9, B.2, B.3;
gle-channel system or a symmetrical two-channel system Formulas (11), (13), (14),
(15), (17), (18), (38), (B.47),
(B.49), (B.50), (B.51),
(B.54), (B.55), (B.125),
(B.126)
DC – Diagnostic coverage of channel A of a two-channel system Figures 6, 7, (B.14), (B.15);
A
Formulas (20), (22), (24),
(32), (36), (39), (B.65),
(B.66), (B.99)
– Generalized diagnostic coverage of channel A of a two-chan- Formulas (24), (26), (37),
DC
A
nel system with consideration of the test interval of the (B.64), (B.65), (B.122),
channel (B.123)
DC – Diagnostic coverage of channel B of a two-channel system Figures 6, 7, (B.14), (B.15);
B
Formulas (21), (23), (25),
(33), (36), (39), (B.68),
(B.69), (B.100)
– Generalized diagnostic coverage of channel B of a two-chan- Formulas (25), (27), (37),
DC
B
nel system with consideration of the test interval of the (B.67), (B.68), (B.122),
channel (B.123)
DC – Diagnostic coverage of channel CH Formula (4)
CH
DC – Diagnostic coverage of element i of channel CH Figure 1, Formula (4)
i
i = 1 … n
E – Element or wearing element Formulas (5), (6), (B.1),
(B.2), (B.3), (B.4), (B.5)
E – Element i of channel CH Figure 1, Formulas (1), (2),
i
(3), (4)
i = 1 … n
d d/a Mean annual number of operation days of a wearing element Formula (7)
op
h h/d Mean daily number of operation hours of a wearing element Formula (7)
op
−1
L h Auxiliary variable used for two-channel systems Figures B.21, B.22;
A
Formulas (19), (20), (22),
(26), (28), (29), (30), (31),
(32), (34), (B.66), (B.94),
(B.95), (B.98), (B.99),
(B101), (B102), (B104),
(B.106)
−1
L h Auxiliary variable used for two-channel systems Figures B.21, B.22;
B
Formulas (19), (21), (23),
(27), (28), (29), (30), (31),
(33), (35), (B.69), (B.94),
(B.95), (B.98), (B.100),
(B.101), (B.102), (B.105),
(B.107)
−1
L h Auxiliary variable used for single-channel systems Formulas (B.30), (B.32),
α
(B.34)
−9 −1
NOTE 1 FIT = 10 h
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre-
Variable ferred Description Use (selection)
unit
−1
L h Auxiliary variable used for single-channel systems Formulas (B.30), (B.33),
β
(B.34)
−1
L h Auxiliary variable used for single-channel systems Formulas (B.30), (B.31),
θ
(B.34)
−1
L h Auxiliary variable used for two-channel systems Formulas (28), (B.94)
−1
L h Auxiliary variable used for two-channel systems Formulas (29), (B.95)
MTTF a Mean time to dangerous failure of channel CH Formulas (2), (3)
D CH
MTTF a Mean time to dangerous failure of the wearing element E Formula (B.5)
D E
MTTF a Mean time to dangerous failure of the element i of channel CH Formulas (2), (3)
D Ei
i = 1 … n
−1 −1
n h , a Operating frequency (number of operations per time unit) Formulas (5), (6), (7), (B.1),
op
of the wearing element E; in case of intermittent operation: (B.4), (B.5)
mean operating frequency based on a time span of one year
P – Mean probability of the state “A DD” Formula (B.59)
A DD
p – Instantaneous probability of the state “A DU” Formula (B.92)
A DU
P – Mean probability of the state “A DU 2” Formula (B.60)
A DU 2
p – Instantaneous probability of the state “B DU” Formula (B.93)
B DU
−1
PFH h Average frequency of a dangerous failure per hour Figures B.3, B.15;
Formulas (10), (11), (13),
NOTE PFH is seen as the mean value over time of the fre-
(14), (15), (16), (17), (18),
quency of the unmet demands upon the safety function (fre-
(19), (36), (37), (38), (39),
quency of unsuccessful attempts, frequency of malfunction).
(40), (B.34), (B.35), (B.47),
(B.49), (B.50), (B.51),
(B.52), (B.54), (B.55),
(B.97), (B.98), (B.119),
(B.120), (B.121), (B.122),
(B.123), (B.124), (B.125),
(B.126), (B.127), (B.128),
(B.135)
−1
pfh h Instantaneous value of the frequency of a dangerous failure Formulas (B.29), (B.30),
(instantaneous value of the PFH) (B.34), (B.96), (B.97)
−1
PFH h PFH of a single-channel, untested system (see PFH) Formulas (B.38), (B.39),
NT
(B.40)
−1
PFH h PFH of a single-channel, time-optimal tested system (see Formulas (B.37), (B.39),
TOT
PFH) (B.40)
−1
PFH h PFH contribution of subsystem i of a series arrangement of n Formulas (10), (B.114),
i
subsystems (B.115), (B.116), (B.117),
i = 1 … n
(B.118), (B.119)
or
or
PFH component i of a two-channel system in simplified anal-
i = 1 … 5
ysis (see PFH)
P – Mean probability of the state “FPN” (flow partitioning node) Figure B.7; Formulas (B.10),
FPN
(B.12)
p – Instantaneous probability of the state “FPN” (flow partition- Figure B.7; Formulas (B.6),
FPN
ing node) (B.7), (B.8), (B.9), (B.10),
(B.11)
p – Instantaneous probability of the state i Formulas (B.19), (B.20),
i
(B.23), (B.24), (B.70), (B.71),
i = 1 … 3
(B.72), (B.76), (B.77), (B.78)
−9 −1
NOTE 1 FIT = 10 h
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre-
Variable ferred Description Use (selection)
unit
p – Instantaneous probability of the state “INT” Figure B.27;
INT
Formulas (B.108), (B.109),
(B.110), (B.111)
p – Instantaneous probability of the state “M D” of a single-chan- Formulas (B.28), (B.29)
M D
nel system
p – Instantaneous probability of the state “OK” of a single-chan- Formulas (B.27), (B.29)
OK
nel system
P – Mean probability of the state “OK” of a two-channel system Formulas (B.59), (B.60),
OK
(B.61)
−1
r h Demand rate upon the safety function Figures B.3, B.12, B.15;
d
Formulas (11), (12), (14),
(17), (B.15), (B.16), (B.17),
(B.18), (B.35), (B.36),
(B.41), (B.45), (B.46),
(B.47), (B.50), (B.54)
−1
r h Repair rate Figures B.3, B.15
r
−1
r h Test rate of the functional channel of a single-channel system Figures 3, 4, 9, B.2, B.3, B.12;
t
or a symmetrical two-channel system Formulas (11), (12), (14),
(17), (B.15), (B.16), (B.17),
(B.29), (B.35), (B.36),
(B.41), (B.45), (B.46), (B.47),
(B.50), (B.54), (B.126)
−1
r h Test rate of element i of channel CH Figure 1
ti
i = 1 … n
−1
r h Test rate of channel A of a two-channel system Figures 6, B.14, B.15;
tA
Formulas (22), (24), (B.57),
(B.124)
−1
r h Test rate of channel B of a two-channel system Figures 6, B.14, B.15;
tB
Formulas (23), (25), (B.58),
(B.124)
T h Test interval of a symmetrical two-channel system; clear- Figures 9, B.7, B.27;
ing interval of the flow partitioning node “FPN” or the state Formulas (38), (B.10),
“INT” (B.11), (B.12), (B.13), (B.14),
(B.15), (B.111), (B.113),
(B.125)
T h, a Time until 10 % of the wearing elements E have failed dan- Formulas (6), (B.1), (B.2),
10D E
gerously (B.3)
T h Test interval of channel A of a two-channel system Figures 6, 7, B.14, B.16, B.18,
A
B.24; Formulas (20), (24),
(36), (B.57), (B.59), (B.61),
(B.62), (B.64), (B.65),
(B.66), (B.114), (B.120),
(B.121)
T h Test interval of channel B of a two-channel system Figures 6, 7, B.14, B.16,
B
B.24; Formulas (21), (25),
(36), (B.58), (B.63), (B.67),
(B.68), (B.69), (B116),
(B.120), (B.121)
t s Cycle time of a wearing element Formula (7)
cycle
−9 −1
NOTE 1 FIT = 10 h
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre-
Variable ferred Description Use (selection)
unit
T h, a Mission time; if a proof test according to IEC 62061:2021, Formulas (11), (13), (17),
M
3.2.47, is implemented, the proof test interval supersedes T . (18), (19), (20), (21), (22),
M
(23), (24), (25), (36), (37),
(38), (39), (40), (B.34),
(B.35), (B.37), (B.47),
(B.49), (B.54), (B.55),
(B.60), (B.61), (B.62),
(B.63), (B.65), (B.66),
(B.68), (B.69), (B.97),
(B.98), (B.99), (B.100),
(B.115), (B.117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.125), (B.126),
(B.127), (B.128), (B.135)
TRTE – Time-related test efficiency on a single-channel tested sys- Figure B.13; Formulas (12),
tem (B.41), (B.45), (B.46)
β – Common cause factor, constituting a quantitative dimen- Figures 3, 6, 7, 8, 9, B.1; B.2,
sion for the common cause failures of two channels (sin- B.14; Formulas (8), (9), (38)
gle-channel system: functional channel F and test channel M;
two-channel system: channels A and B)
Δt h, a Period of time for which the mean operation frequency n of Formulas (7)
op
a wearing element is calculated (typically one year)
Formulas (B.6), (B.7)
or
Small time interval used for limit calculation
−1
Λ h Failure-induced absolute inflow rate to the flow partitioning Figure B.7; Formulas (B.6),
node “FPN” (B.7), (B.8), (B.9), (B.10),
(B.11), (B.12)
−1
Λ h Failure-induced absolute outflow rate from the flow parti- Figures B.7, B.27;
tioning node “FPN” or from the state “INT” Formulas (B.12), (B.111),
(B.113)
−1
Λ h Absolute outflow rate from the flow partitioning node “FPN” Figure B.7; Formulas (B.11),
caused by periodic clearing (B.12)
−1
λ h , FIT Failure-induced nominal inflow rate to the flow partitioning Figures B.7, B.27;
node “FPN” or to the intermediate state “INT” Formulas (B.13), (B.14),
(B.108), (B.110), (B.111),
(B.113)
−1
λ h , FIT Failure-induced nominal outflow rate from the flow parti- Figures B.7, B.27;
tioning node “FPN” or from the intermediate state “INT” Formulas (B.6), (B.7), (B.8),
(B.9), (B.10), (B.11), (B.12),
(B.13), (B.14), (B.108),
(B.110), (B.111), (B.113)
−1
λ h , FIT Failure-induced nominal outflow rate from the flow parti- Figures B.7, B.8, B.9, B.12;
A
tioning node “FPN” Formulas (B.13), (B.16),
(B.29), (B.32), (B.33)
−9 −1
NOTE 1 FIT = 10 h
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre-
Variable ferred Description Use (selection)
unit
−1
λ h , FIT Dangerous failure rate of channel A of a two-channel system Figures 6, 7, 8, B.14, B.15,
AD
B.18B.26; Formulas (19),
(20), (22), (26), (28), (29),
(30), (31), (32), (34), (36),
(37), (39), (40), (B.59),
(B.61), (B.62), (B.64),
(B.66), (B.91), (B.92), (B.93),
(B.94), (B.95), (B.96), (B.97),
(B.98), (B.99), (B.101),
(B.102), (B.114), (B.115),
(B.116), (B117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.127), (B.128),
(B.135)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (8), (B.103)
AD SER-free AD
−1
λ h , FIT Surrogate inflow rate to the state “A DU 2” of a two-channel Figures B.18, B.19, B.20;
A SI
system Formulas (B.60), (B.61),
(B.62), (B.64)
−1
λ h , FIT Nominal outflow rate from the flow partitioning node “FPN” Figures B.7, B.8, B.9, B.12;
B
caused by periodic clearing Formulas (B.14), (B.17),
(B.29), (B.32), (B.33)
−1
λ h , FIT Dangerous failure rate of channel B of a two-channel system Figures 6, 7, 8, B.14, B.15,
BD
(B.26); Formulas (19), (21),
(23), (27), (28), (29), (30),
(31), (33), (35), (36), (37),
(39), (40), (B.63), (B.67),
(B.69), (B.91), (B.92), (B.93),
(B.94), (B.95), (B.96), (B.97),
(B.98), (B.100), (B.101),
(B.102), (B.114), (B.115),
(B.116), (B117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.127), (B.128),
(B.135)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (8), (B.103)
BD SER-free BD
−1
λ h , FIT Surrogate inflow rate to the state “B DU 2” of a two-channel Figures B.19, B.20;
B SI
system Formulas (B.63), (B.67)
−1
λ h , FIT Common cause failure rate Figure B.1; Formulas (8),
CC
(9), (B.48), (B.103),
−1
λ h , FIT Dangerous failure rate of channel CH Formula (1)
CHD
−1
λ h , FIT Dangerous failure rate of each of the functional channels of a Figure 9; Formulas (38),
D
symmetrical two-channel system (B.125), (B.126)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (38), (B.125),
D SER-free D
(B.126)
−1
λ h , FIT Constant surrogate dangerous failure rate over time for the Formulas (5), (B.2), (B.3),
ED
wearing element E (B.4)
−1
λ h , FIT Dangerous failure rate of the element i of channel CH com- Figure 1; Formulas (1), (2),
EiD
prising n Elements (3)
i = 1 … n
−9 −1
NOTE 1 FIT = 10 h
TTabablele 1 1 ((ccoonnttiinnueuedd))
Pre-
Variable ferred Description Use (selection)
unit
−1
λ h , FIT Dangerous failure rate of the functional channel F of a sin- Figures 3, 4, 5, B.2, B.3, B.6,
FD
gle-channel system; dangerous failure results in loss of the B.11, B.12; Formulas (11),
safety function (13), (14), (15), (16), (17),
(18), (B.16), (B.17), (B.35),
(B.47), (B.49), (B.50),
(B.51), (B.52), (B.54), (B.55)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (9), (B.48)
FD SER-free FD
−1
λ h , FIT Transition rate from state i to state j Figures B.10, B.23;
ij
Formulas (B.19), (B.20),
i = 1 … 3
(B.70), (B.71), (B.72)
j = 1 … 3
−1
λ h , FIT Dangerous failure rate of the test channel M of a single-chan- Figures 3, B.2, B.3, B.6, B.11,
MD
nel system; dangerous failure results in loss of the diagnos- B.12; Formulas (11), (13),
tics function (17), (18), (B.16), (B.17),
(B.35), (B.47), (B.49),
(B.54), (B.55)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (9), (B.48)
MD SER-free MD
−9 −1
NOTE 1 FIT = 10 h
The significance of variables not listed in Table 1 is evident directly from the context.
4 Basic assumptions
Any modelling requires assumptions used by the model. The models discussed here, and their assumptions
are adjusted specifically to the typical boundary conditions of machine control systems. The following basic
assumptions generally apply throughout this document:
— Implementation of the safety functions with a logical series arrangement comprising discrete subsystems
in which the PFH of each subsystem is calculated separately.
— Use of the following subsystem architectures:
— Single-channel untested system (1oo1, designated architecture of categories B and 1);
— Single-channel tested system (1oo1D, designated architecture of category 2);
— Two-channel untested system (1oo2);
— Two-channel tested system (1oo2D, designated architecture of categories 3 and 4).
— No redundancy for increasing of the availability.
— Demand rate upon the safety function r ≥ 1/a. In terms of IEC 61508 this includes r = 1/a, high demand
d d
mode of operation and continuous mode of operation.
— In the case of diagnostics, test intervals not greater than the mission time.
NOTE 1 Setting the test interval of a channel to the mission time means one test at the end of the mission time
which is equivalent to no diagnostics for that channel. Commonly test intervals greater than one year are not
regarded as acceptable.
— Repair following detection of failure by diagnostics (automatic or manual as per specification).
— Repair following a hazardous event.

NOTE 2 In principle, consideration of the repair following a hazardous event also necessitates consideration
of the demand upon the safety function. It is found however that the demand rate needs be considered during
calculation of the PFH only in the case of certain 1oo1D applications.
— The reciprocals of the mean repair time (MRT) and the mean time to restoration (MTTR) are substantially
greater than the dangerous channel failure rates.
— Where a proof test (not usual in the machinery sector) is implemented: setting of the mission time T to
M
the length of the proof-test interval.
— Ignoring rates of failure to safety.
NOTE 3 This constitutes estimation on the safe side and permits simpler models and equations. It also prevents
non-guaranteed failures to safety from causing a mathematical improvement in PFH.
— Real component behaviour is idealized.
— Constant failure rates of channels over time; it follows that the MTTF (mean time to dangerous failure)
D
is equal to the reciprocal of the dangerous failure rate (MTTF = 1/λ ).
D D
NOTE 4 The mission time of wearing parts is limited to T (corresponding to B working cycles). Use of
10D 10D
a surrogate failure rate (substitute MTTF ) assumed to be constant over time is thus justified as an acceptable
D
approximation; see Clause 6 and Annex B.2.
— No systematic failures included in the PFH calculation.
NOTE 5 The PFH calculation addresses random hardware failures only. The important aspect of systematic
failures is addressed by following the relevant requirements of ISO 13849-1.
— PFH is seen as the mean value over time of the frequency of the unmet demands upon the safety function
(frequency of unsuccessful attempts, frequency of malfunction).
NOTE 6 The frequency of the unmet demands at worst is equal to the hazard rate. For high or continuous
demand mode, i.e. the modes of operation addressed by this document, the hazard rate conforms with the
unconditional failure intensity upon which the definition of the PFH in IEC 61508 is based.
NOTE 7 In conjunction with the potential scale of harm, this frequency is essential to the residual risk despite
implementation of the safety function.
— Perfect repair, where applicable: perfect proof test.
NOTE 8 It is assumed that following repair, both function blocks are intact and have the original failure rate
for the remaining mission time. In the context of the general assumption of constant failure rates over time, this
means that a function block that has not failed at the time of repair need not necessarily be replaced, but only
checked for its proper function.
5 Channels
5.1 General
In the block diagrams of the models described here, channels are shown as discrete function blocks. A
distinction is drawn between functional channels and test channels.
5.2 Functional channel
A functional channel performs the safety function when required or continuously. In the two-channel tested
systems described here (1oo2D), each functional channel also has the purpose of diagnostics of the other
functional channel, either by performing the full diagnostics function, or by serving as a sensor or actuator
in it.
NOTE Effective diagnostics requires both detection of the failure and performance of the predefined safety-
oriented action.
Loss of the ability to perform the safety function or the test function is described as a dangerous failure of the
functional channel. Use of a suitable system architecture can prevent the dangerous failure of a functional
channel from leading to a dangerous system failure (loss of the safety function).
5.3 Test channel
A test channel tests, at certain times or continually, the ability of a functional channel to perform the safety
function. Loss of this test function does not of itself lead to failure of the safety function. To obviate the
need for an additional term, it is nevertheless described as dangerous failure of the test channel, since with
regard to the test channel it constitutes the least favourable form of failure in safety terms.
5.4 Channel comprising elements connected logically in series
Functional channels and test channels often consist of elements arranged logically in series, as shown
in Figure 1. A channel CH comprising n elements then suffers dangerous failure when at least one of its
elements E … E fails dangerously.
1 n
Figure 1 — Channel CH consisting of n elements
The dangerous failure rate of the channel can then be calculated by means of the equation:
 (1)
CHDE1D E2DEnD
ISO 13849-1 uses the mean time to dangerous failure (MTTF ) instead of the dangerous failure rate.
D
ISO 13849-1 and this document assume all failure rates of single elements and complete channels to be
constant over time. Therefore, the following applies for an element E or, respectively, for a channel CH:
i
MTTF , MTTF (2)
DEi DCH

EDi CHD
and, conversely
, (3)
EDi CHD
MTTF MTTF
DEi DCH
Therefore, within ISO 13849-1, MTTF can be regarded as a synonym of the reciprocal of the dangerous
D
failure rate λ . Nevertheless, it is important to note that Formula (2) and Formula (3) are valid only in case
D
of failure rates which are constant over time.
In a functional channel for which diagnostics is implemented, the diagnostics can differ between the
individual elements. The diagnostic coverage of an element with a high failure rate then has a greater effect
for the channel as a whole than the diagnostic coverage of an element with a low failure rate. The mean
diagnostic coverage for the channel can therefore be computed as the sum of all weighted element diagnostic

coverages. The element diagnostic coverages are weighted with their respective components of the total
failure rate of the channel:
  
E1D E2D EDn
DC DC DC  DC (4)
CH 12 n
  
CHD CHD CHD
NOTE 1 The models presented here consider diagnostics only for functional channels. Diagnostics for test channels,
where implemented, is disregarded. This constitutes estimation on the safe side of the PFH. Internal diagnostics of
elements is not addressed by this document.
NOTE 2 For category 2, 3 or 4 it remains necessary to calculate the average diagnostic coverage (DC ) over both
avg
channels to decide whether the category requirements on the minimum value of DC are met.
avg
5.5 Limitation of λ (Capping)
CHD
ISO 13849-1 limits the maximum value of MTTF for each channel to 100 years for subsystems of category
D
B, 1, 2 and 3. For subsystems of category 4 the limiting value is 2 500 years. This limitation is intended
to ensure that redundancy and testing is needed to achieve higher performance levels. Therefore, when
determining the PL the capping of MTTF for each channel is always required and not only for the simplified
D
procedure for estimating the performance level of subsystems (ISO 13849-1:2023, 6.1.8). In conjunction
with the limitation of the maximum achievable PL with categories B, 1 and 2, as required in ISO 13849-1,
these measures pursue a similar objective as the architectural constraints of IEC 62061.
As the channel failure rates used here are constant over time, they are equal to the reciprocal of the MTTF
D
for each channel. The capping of MTTF for each channel can therefore be transferred to the following
D
limitations of λ :
CHD
— For categories B, 1, 2 and 3 the λ for each channel is limited to a minimum value of
CHD
−6 −1
λ = 1,14×10 h = 1 142 FIT.
CHD min 1
−8 −1
— For category 4 the λ for each channel is limited to a minimum value of λ = 4,57×10 h = 46 FIT.
CHD CHD min 2
NOTE Capping of MTTF as a means to avoid untested single-channel architectures to be used with high-risk
D
applications is specific to ISO 13849. International Standards like IEC 61508 or IEC 62061 accomplish the same goal by
setting out SIL-specific architectural constraints.
6 Wearing parts
Like other calculation-based methods, Markov models are not able on their own to handle failure rates that
change over time. Where the failure behaviour of elements is determined essentially by wear, the failure
rate of the elements increases over time. However, IEC 62061 and ISO 13849-1 present a pragmatic approach
to resolving this problem: use of the element is limited to the period preceding the strong wear phase at
the end of its usable life, and a constant surrogate failure rate over time is calculated as an approximation
of the actual failure rate for the resulting limited usage phase. The result of this approach is shown in the
remainder of this clause.
On average, 10 % of the specimens of a wearing element E will have failed dangerously after B working
10D, E
cycles under specified conditions. If n is the operation frequency (mean number of operations per time
op
unit, typically noted in cycles per year) the surrogate failure rate λ is given by
ED
n
op
  (5)
ED
10 B
10DE
NOTE 1 When the operating frequency n is very low (e.g. < 1/month), wear is not a predominant cause of failure
op
even in typical wearing parts. The use of Formula (5) is not then appropriate.
NOTE 2 The derivation of Formula (5) originates in ISO 13849-1 and is also presented in Annex B.2 of this document.

As mentioned above, the use of this approximated surrogate dangerous failure rate has to be limited to the
time period without strong wear. This period ends when B working cycles have been completed. The
10D, E
corresponding service life is given by
B
10DE
T = (6)
10DE
n
op
Therefore, Formula (5) is valid only if the operational life of the element E is limited to a time interval of
T . If T is shorter than the mission time T of the control system, the element E has to be replaced by
10D, E 10D, E M
a new specimen during T each time it has been used for a time span of T .
M 10D, E
In many cases the operation frequency n varies over time: for example, operating times alternate with
op
idle times. Then a mean value of n for the period of time Δt can be used based on the number n of cycles
op
completed during Δt. An equivalent equation for n is known from ISO 13849-1 as well as from IEC 62061:
op
s
dh
...


ISO/TR DTR 13849-3:2024(E)
ISO/TC 199
Secretariat: DIN
Date: 2025-10-1011-26
Safety of machinery — Safety-related parts of control systems
— —
Part 3:
Markov model-based PFH calculation

DTR stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.

A model document of an International Standard (the Model International Standard) is available at:

ISO #####-#:####(X)
2 © ISO #### – All rights reserved

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying,
or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
EmailE-mail: copyright@iso.org
Website: www.iso.orgwww.iso.org
Published in Switzerland
iii
Contents
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms, definitions, symbols and abbreviated terms . 1
3.1 Terms and definitions . 1
3.2 Symbols and abbreviated terms . 1
4 Basic assumptions . 11
5 Channels . 13
5.1 General . 13
5.2 Functional channel . 13
5.3 Test channel . 13
5.4 Channel comprising elements connected logically in series . 13
5.5 Limitation of λ (Capping) . 15
CHD
6 Wearing parts . 15
7 Common cause failures . 16
8 Series arrangement of subsystems . 17
9 Single-channel architecture with and without test channel . 18
9.1 General . 18
9.2 General solution for the single-channel architecture . 19
9.3 Single-channel architecture with time-optimal testing . 20
9.4 Single-channel architecture with external diagnostics . 20
9.5 Single-channel architecture with external diagnostics and time-optimal testing . 21
9.6 Single-channel architecture without diagnostics . 21
9.7 Simplified general solution for the single-channel architecture . 22
9.8 Simplified solution for the single-channel architecture with time-optimal testing. 22
10 Two-channel architectures . 22
10.1 General . 22
10.2 General solution for the two-channel architecture . 24
10.3 Two-channel architecture with continuous testing . 25
10.4 Two-channel architecture without testing . 26
10.5 Simplified general solution for the two-channel architecture . 26
10.6 Simplified solution for the symmetrical two-channel architecture . 27
10.7 Simplified solution for the two-channel architecture with continuous testing . 28
10.8 Simplified solution for the two-channel architecture without testing . 28
Annex A (informative) Examples of the application of this formula-based approach . 29
Annex B (informative) Derivation of the PFH formulas presented in the main part . 43
Bibliography . 99

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights
in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s)
which may be required to implement this document. However, implementers are cautioned that this may not
represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 199, Safety of machinery.
A list of all parts in the ISO 13849 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
Introduction
This technical reportdocument has been prepared on behalf of ISO/TC 199/WG 8 to enhance the capabilities
of the simplified procedure of ISO 13849--1:2023, 6.1.8 and Annex K, for estimating the performance level for
subsystems.
By addressing the designated architectures of ISO 13849--1, the reportdocument presents an approach using
Markov model-based formulas to estimate the average frequency of a dangerous failure of the safety function.
As well as the simplified procedure of ISO 13849--1, the method considers the architecture, the MTTF of
D
channels, diagnostic coverage DCavg, the common cause factor β and the mission time TM.
Beyond the capabilities of the simplified procedure the method presented here can allow for different test
rates, a mission time different from 20 years, a common cause factor different from 2 % and any MTTF ratio
D
of a functional channel and its related test channel. Asymmetric redundancy is supported without beforehand
symmetrisation.
The formulas of this document can also be used in the context of other standards demanding the estimation
of PFH as long as the system under assessment meets the method's underlying assumptions (see
Clause 4Clause 4).).
The ISO 13849 and IEC 62061 standards governinggovern the functional safety of machinery and require the
probability of failure to be determined for each safety function in terms of a quantitative estimation of the PFH
value (average frequency of a dangerous failure of the safety function).
NOTE In IEC 62061 (as well as in IEC 61508)), PFH is descriptively denoted as the “average frequency of a dangerous
failure of the safety function”. The abbreviation PFH stems from the standard’sInternational Standard’s former
denotation as the “probability of a dangerous failure per hour”.
These standardsInternational Standards assist users in ascertaining the PFH in different ways: IEC 62061 by
provision of equations for calculation of the PFH, ISO 13849--1 by a table and some associated formulas. Both
approaches have their drawbacks. The equations in IEC 62061 fail to address single-channel tested systems
in desirable depth and in some cases yield very conservative results for two-channel tested systems. The table-
based solution in ISO 13849--1 lacks flexibility owing to the fixed specification of the mission time and the
common cause factor (β) and entails additional overhead for asymmetrical two-channel systems. Usually, the
methods in the two standards will yield PFH values deviating to some extent from each other.
The objective of the PFH equations presented and derived in this document is for the benefits of flexible
solutions involving equations to be combined with the more precise modelling technique upon which the table
solution is based. The PFH equations yield good to very good reproduction of the table values stated in
ISO 13849--1:2023, Annex K, and in particular cases assume the form of equations already contained in
IEC 62061. They can therefore be regarded as a further development of the instruments of both
standardsInternational Standards.
Markov models, which are also among the instruments considered suitable in IEC 61508--6 and IEC 61508--
7, are selected exclusively as the method for analysis of the architectures studied within this document. Unlike
the numerical methods (stochastic Petri nets, Monte Carlo simulation), Markov models enable equations to be
derived. They are also superior to reliability block diagrams (RBDs) in their handling of mutually influencing
failure processes and the reinsertion of repaired systems. The drawback of the Markov method of being able
to handle only exponentially distributed processes (constant transition rates) does not provide significant
detriment to the precision of the results.
Simple special cases are treated as non-standard cases of the higher-level more complex cases, enabling
overall methodical coherence to be attained.
vi
The body part of this document addresses the use of the formulas for the estimation of the PFH value. The
definitions, variables and the basic assumptions are presented as well as the formulas.
Annex AAnnex A demonstrates the application of this approach to the examples A and B in ISO 13849--1:2023,
Annex I.
Annex BAnnex B of this document discloses the derivation of the presented formulas based on Markov models
for the different architectures.
vii
Safety of machinery — Safety-related parts of control systems —
Part 3: Markov model-based PFH calculation
Part 3:
Markov model-based PFH calculation
1 Scope
This technical report is intended to provideThis document provides formulas for the estimation of the PFH
value of single-channel architectures as well as two-channel architectures with and without diagnostics
according toin accordance with ISO 13849--1:2023. The formulas presented in this document are based on
Markov modelling and can be used as an alternative to the simplified procedure of ISO 13849--1:2023 for
estimating the quantifiable aspects of the performance level (see ISO 13849--1:2023, 6.1.8, Figure 12, and
Annex K). They can also serve as an alternative to any other adequate method for estimating the quantifiable
aspects of the performance level.
NOTE Different estimation methods can vary in the resulting PFH values due to their nature. A certain variation
willis usually be the consequence of different modelling approaches and unavoidable simplifications specific to the
method.
Other requirements of ISO 13849--1, e.g. on categories or software, are not addressed by this document. These
requirements need to be fulfilled independent of the alternative, Markov based PFH calculation.
2 Normative references
There are no normative references in this document.
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for
design
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13849-1:2023-04 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.2 Symbols and abbreviated terms
For theThe definition of parameters related to the quantitative estimation of the PFH value, such as mean time
to dangerous failure MTTF , diagnostic coverage DC, common cause factor β mission time T , etc., seecan be
D M
found in ISO 13849--1:2023, Clause 3.
With only a few exceptions, all variables used in this document are listed in Table 1Table 1 below.
NOTE Within this document components with mechanical wear are concisely addressed as wearing elements or
wearing parts.
Table 1 — Used variables and locations of their appearance
Pre-
Variable ferred Description Use (selection)
unit
B – Number of working cycles by which 10 % of the wearing Formulas (5), (6), (B.1),
10D E
elements E have failed dangerously (B.4)Formulas (5), (6),
(B.1), (B.4), (B.5), (B.5)
C – Auxiliary variable used for two-channel systems Formulas (31)Formulas (3
N
1), (B.102), (B.102)
C – Auxiliary variable used for two-channel systems Formulas (30)Formulas (3
P
0), (B.101), (B.101)
DC – Diagnostic coverage of the functional channel of a single- Figures 3, 4, 9, B.2, B.3;
channel system or a symmetrical two-channel system Formulas (11), (13), (14),
(15), (17), (18), (38),
(B.47), (B.49), (B.50),
(B.51), (B.54), (B.55),
(B.125)Figures 3, 4, 9, B.2,
B.3; Formulas (11), (13),
(14), (15), (17), (18), (38),
(B.47), (B.49), (B.50),
(B.51), (B.54), (B.55),
(B.125), (B.126), (B.126)
DC – Diagnostic coverage of channel A of a two-channel system Figures 6, 7, (B.14), (B.15);
A
Formulas (20), (22), (24),
(32), (36), (39), (B.65),
(B.66)Figures 6, 7, (B.14),
(B.15); Formulas (20),
(22), (24), (32), (36), (39),
(B.65), (B.66), (B.99),
(B.99)
¯ – Generalized diagnostic coverage of channel A of a two- Formulas (24), (26), (37),
𝐷𝐷𝐷𝐷 𝐷𝐷𝐷𝐷
A A
channel system with consideration of the test interval of the (B.64), (B.65),
channel (B.122)Formulas (24),
(26), (37), (B.64), (B.65),
(B.122), (B.123), (B.123)
DCB – Diagnostic coverage of channel B of a two-channel system Figures 6, 7, (B.14), (B.15);
Formulas (21), (23), (25),
(33), (36), (39), (B.68),
(B.69)Figures 6, 7, (B.14),
(B.15); Formulas (21),
(23), (25), (33), (36), (39),
(B.68), (B.69), (B.100),
(B.100)
¯ Generalized diagnostic coverage of channel B of a two- Formulas (25), (27), (37),

𝐷𝐷𝐷𝐷 𝐷𝐷𝐷𝐷
B B
channel system with consideration of the test interval of the (B.67), (B.68),
channel (B.122)Formulas (25),
(27), (37), (B.67), (B.68),
(B.122), (B.123), (B.123)
DCCH – Diagnostic coverage of channel CH Formula (4)Formula (4)
Pre-
Variable ferred Description Use (selection)
unit
DC – Diagnostic coverage of element i of channel CH Figure 1Figure 1,
i
Formula (4), Formula (4)
i = 1 … n
E – Element or wearing element Formulas (5), (6), (B.1),
(B.2), (B.3), (B.4)Formulas
(5), (6), (B.1), (B.2), (B.3),
(B.4), (B.5), (B.5)
E – Element i of channel CH Figure 1, Formulas (1), (2),
i
(3)Figure 1, Formulas (1),
i = 1 … n
(2), (3), (4), (4)
d d/a Mean annual number of operation days of a wearing element Formula (7)Formula (7)
op
h h/d Mean daily number of operation hours of a wearing element Formula (7)Formula (7)
op
−1
LA h Auxiliary variable used for two-channel systems Figures B.21, B.22;
Formulas (19), (20), (22),
(26), (28), (29), (30), (31),
(32), (34), (B.66), (B.94),
(B.95), (B.98), (B.99),
(B101), (B102),
(B104)Figures B.21, B.22;
Formulas (19), (20), (22),
(26), (28), (29), (30), (31),
(32), (34), (B.66), (B.94),
(B.95), (B.98), (B.99),
(B101), (B102), (B104),
(B.106), (B.106)
−1
L h Auxiliary variable used for two-channel systems Figures B.21, B.22;
B
Formulas (19), (21), (23),
(27), (28), (29), (30), (31),
(33), (35), (B.69), (B.94),
(B.95), (B.98), (B.100),
(B.101), (B.102),
(B.105)Figures B.21, B.22;
Formulas (19), (21), (23),
(27), (28), (29), (30), (31),
(33), (35), (B.69), (B.94),
(B.95), (B.98), (B.100),
(B101), (B102), (B105),
(B.107), (B.107)
−1
Lα h Auxiliary variable used for single-channel systems Formulas (B.30),
(B.32)Formulas (B.30),
(B.32), (B.34), (B.34)
−1
L h Auxiliary variable used for single-channel systems Formulas (B.30),
β
(B.33)Formulas (B.30),
(B.33), (B.34), (B.34)
−1
L h Auxiliary variable used for single-channel systems Formulas (B.30),
θ
(B.31)Formulas (B.30),
(B.31), (B.34), (B.34)
−1
L h Auxiliary variable used for two-channel systems Formulas (28)Formulas (2
8), (B.94), (B.94)
Pre-
Variable ferred Description Use (selection)
unit
−1
L h Auxiliary variable used for two-channel systems Formulas (29)Formulas (2
9), (B.95), (B.95)
MTTF a Mean time to dangerous failure of channel CH Formulas (2)Formulas (2),
D CH
(3), (3)
MTTFD E a Mean time to dangerous failure of the wearing element E Formula (B.5)Formula (B.5
)
MTTF a Mean time to dangerous failure of the element i of Formulas (2)Formulas (2),
D Ei
channel CH (3), (3)
i = 1 … n
−1 −1
n h , a Operating frequency (number of operations per time unit) of Formulas (5), (6), (7),
op
the wearing element E; in case of intermittent operation: (B.1), (B.4)Formulas (5),
mean operating frequency based on a time span of one year (6), (7), (B.1), (B.4), (B.5),
(B.5)
P – Mean probability of the state “A DD” Formula (B.59)Formula (B.
A DD
59)
p – Instantaneous probability of the state “A DU” Formula (B.92)Formula (B.
A DU
92)
PA DU 2 – Mean probability of the state “A DU 2” Formula (B.60)Formula (B.
60)
p – Instantaneous probability of the state “B DU” Formula (B.93)Formula (B.
B DU
93)
−1
PFH h Average frequency of a dangerous failure per hour Figures B.3, B.15;
Formulas (10), (11), (13),
NOTE PFH is seen as the mean value over time of the
(14), (15), (16), (17), (18),
frequency of the unmet demands upon the safety function
(19), (36), (37), (38), (39),
(frequency of unsuccessful attempts, frequency of
(40), (B.34), (B.35), (B.47),
malfunction).
(B.49), (B.50), (B.51),
(B.52), (B.54), (B.55),
(B.97), (B.98), (B.119),
(B.120), (B.121), (B.122),
(B.123), (B.124), (B.125),
(B.126), (B.127),
(B.128)Figures B.3, B.15;
Formulas (10), (11), (13),
(14), (15), (16), (17), (18),
(19), (36), (37), (38), (39),
(40), (B.34), (B.35), (B.47),
(B.49), (B.50), (B.51),
(B.52), (B.54), (B.55),
(B.97), (B.98), (B.119),
(B.120), (B.121), (B.122),
(B.123), (B.124), (B.125),
(B.126), (B.127), (B.128),
(B.135), (B.135)
−1
pfh h Instantaneous value of the frequency of a dangerous failure Formulas (B.29), (B.30),
(instantaneous value of the PFH) (B.34),
(B.96)Formulas (B.29),
(B.30), (B.34), (B.96),
(B.97), (B.97)
Pre-
Variable ferred Description Use (selection)
unit
−1
PFH h PFH of a single-channel, untested system (see PFH) Formulas (B.38),
NT
(B.39)Formulas (B.38),
(B.39), (B.40), (B.40)
−1
PFH h PFH of a single-channel, time-optimal tested system (see Formulas (B.37),
TOT
PFH) (B.39)Formulas (B.37),
(B.39), (B.40), (B.40)
−1
PFHi h PFH contribution of subsystem i of a series arrangement of n Formulas (10), (B.114),
subsystems (B.115), (B.116), (B.117),
i = 1 … n
(B.118)Formulas (10),
or
or
(B.114), (B.115), (B.116),
PFH component i of a two-channel system in simplified
i = 1 … 5
(B.117), (B.118), (B.119),
analysis (see PFH)
(B.119)
PFPN – Mean probability of the state “FPN” (flow partitioning node) Figure B.7;
Formulas (B.10)Figure B.7;
Formulas (B.10), (B.12),
(B.12)
p – Instantaneous probability of the state “FPN” (flow Figure B.7; Formulas (B.6),
FPN
partitioning node) (B.7), (B.8), (B.9),
(B.10)Figure B.7;
Formulas (B.6), (B.7),
(B.8), (B.9), (B.10), (B.11),
(B.11)
p – Instantaneous probability of the state i Formulas (B.19), (B.20),
i
(B.23), (B.24), (B.70),
i = 1 … 3
(B.71), (B.72), (B.76),
(B.77)Formulas (B.19),
(B.20), (B.23), (B. 24),
(B.70), (B.71), (B.72),
(B.76), (B.77), (B.78),
(B.78)
p – Instantaneous probability of the state “INT” Figure B.27;
INT
Formulas (B.108), (B.109),
(B.110)Figure B.27;
Formulas (B.108), (B.109),
(B.110), (B.111), (B.111)
p – Instantaneous probability of the state “M D” of a single- Formulas (B.28)Formulas (
M D
channel system B.28), (B.29), (B.29)
p – Instantaneous probability of the state “OK” of a single- Formulas (B.27)Formulas (
OK
channel system B.27), (B.29), (B.29)
P – Mean probability of the state “OK” of a two-channel system Formulas (B.59),
OK
(B.60)Formulas (B.59),
(B.60), (B.61), (B.61)
−1
r h Demand rate upon the safety function Figures B.3, B.12, B.15;
d
Formulas (11), (12), (14),
(17), (B.15), (B.16), (B.17),
(B.18), (B.35), (B.36),
(B.41), (B.45), (B.46),
(B.47), (B.50)Figures B.3,
B.12, B.15; Formulas (11),
(12), (14), (17), (B.15),
Pre-
Variable ferred Description Use (selection)
unit
(B.16), (B.17), (B.18),
(B.35), (B.36), (B.41),
(B.45), (B.46), (B.47),
(B.50), (B.54), (B.54)
−1
r h Repair rate Figures B.3Figures B.3,
r
B.15, B.15
−1
r h Test rate of the functional channel of a single-channel Figures 3, 4, 9, B.2, B.3,
t
system or a symmetrical two-channel system B.12; Formulas (11), (12),
(14), (17), (B.15), (B.16),
(B.17), (B.29), (B.35),
(B.36), (B.41), (B.45),
(B.46), (B.47), (B.50),
(B.54)Figures 3, 4, 9, B.2,
B.3, B.12; Formulas (11),
(12), (14), (17), (B.15),
(B.16), (B.17), (B.29),
(B.35), (B.36), (B.41),
(B.45), (B.46), (B.47),
(B.50), (B.54), (B.126),
(B.126)
−1
r h Test rate of element i of channel CH Figure 1Figure 1
ti
i = 1 … n
−1
r h Test rate of channel A of a two-channel system Figures 6, B.14, B.15;
tA
Formulas (22), (24),
(B.57)Figures 6, B.14, B.15;
Formulas (22), (24),
(B.57), (B.124), (B.124)
−1
r h Test rate of channel B of a two-channel system Figures 6, B.14, B.15;
tB
Formulas (23), (25),
(B.58)Figures 6, B.14, B.15;
Formulas (23), (25),
(B.58), (B.124), (B.124)
T h Test interval of a symmetrical two-channel system; clearing Figures 9, B.7, B.27;
interval of the flow partitioning node “FPN” or the state Formulas (38), (B.10),
“INT” (B.11), (B.12), (B.13),
(B.14), (B.15), (B.111),
(B.113)Figures 9, B.7, B.27;
Formulas (38), (B.10),
(B.11), (B.12), (B.13),
(B.14), (B.15), (B.111),
(B.113), (B.125), (B.125)
T h, a Time until 10 % of the wearing elements E have failed Formulas (6), (B.1),
10D E
dangerously (B.2)Formulas (6), (B.1),
(B.2), (B.3), (B.3)
T h Test interval of channel A of a two-channel system Figures 6, 7, B.14, B.16,
A
B.18, B.24; Formulas (20),
(24), (36), (B.57), (B.59),
(B.61), (B.62), (B.64),
(B.65), (B.66), (B.114),
(B.120)Figures 6, 7, B.14,
B.16, B.18, B.24;
Pre-
Variable ferred Description Use (selection)
unit
Formulas (20), (24), (36),
(B.57), (B.59), (B.61),
(B.62), (B.64), (B.65),
(B.66), (B.114), (B.120),
(B.121), (B.121)
T h Test interval of channel B of a two-channel system Figures 6, 7, B.14, B.16,
B
B.24; Formulas (21), (25),
(36), (B.58), (B.63), (B.67),
(B.68), (B.69), (B116),
(B.120)Figures 6, 7, B.14,
B.16, B.24; Formulas (21),
(25), (36), (B.58), (B.63),
(B.67), (B.68), (B.69),
(B116), (B.120), (B.121),
(B.121)
tcycle s Cycle time of a wearing element Formula (7)Formula (7)
T h, a Mission time; if a proof test according to IEC 62061:2021, Formulas (11), (13), (17),
M
3.2.47, is implemented, the proof test interval supersedes (18), (19), (20), (21), (22),
T . (23), (24), (25), (36), (37),
M
(38), (39), (40), (B.34),
(B.35), (B.37), (B.47),
(B.49), (B.54), (B.55),
(B.60), (B.61), (B.62),
(B.63), (B.65), (B.66),
(B.68), (B.69), (B.97),
(B.98), (B.99), (B.100),
(B.115), (B.117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.125), (B.126),
(B.127),
(B.128)Formulas (11),
(13), (17), (18), (19), (20),
(21), (22), (23), (24), (25),
(36), (37), (38), (39), (40),
(B.34), (B.35), (B.37),
(B.47), (B.49), (B.54),
(B.55), (B.60), (B.61),
(B.62), (B.63), (B.65),
(B.66), (B.68), (B.69),
(B.97), (B.98), (B.99),
(B.100), (B.115), (B.117),
(B.120), (B.121), (B.122),
(B.123), (B.124), (B.125),
(B.126), (B.127), (B.128),
(B.135), (B.135)
TRTE – Time-related test efficiency on a single-channel tested Figure B.13;
system Formulas (12), (B.41),
(B.45)Figure B.13;
Formulas (12), (B.41),
(B.45), (B.46), (B.46)
β – Common cause factor, constituting a quantitative dimension Figures 3, 6, 7, 8, 9, B.1;
for the common cause failures of two channels (single- B.2, B.14; Formulas (8),
(9)Figures 3, 6, 7, 8, 9, B.1;
Pre-
Variable ferred Description Use (selection)
unit
channel system: functional channel F and test channel M; B.2, B.14; Formulas (8),
two-channel system: channels A and B) (9), (38), (38)
Δt h, a Period of time for which the mean operation frequency n Formulas (7)
op
of a wearing element is calculated (typically one year)
Formulas (B.6)Formulas (7
or )
Small time interval used for limit calculation Formulas (B.6), (B.7), (B.7)
−1
Λ h Failure-induced absolute inflow rate to the flow partitioning Figure B.7; Formulas (B.6),
node “FPN” (B.7), (B.8), (B.9), (B.10),
(B.11)Figure B.7;
Formulas (B.6), (B.7),
(B.8), (B.9), (B.10), (B.11),
(B.12), (B.12)
−1
Λ h Failure-induced absolute outflow rate from the flow Figures B.7, B.27;
partitioning node “FPN” or from the state “INT” Formulas (B.12),
(B.111)Figures B.7, B.27;
Formulas (B.12), (B.111),
(B.113), (B.113)
−1
Λ3 h Absolute outflow rate from the flow partitioning node “FPN” Figure B.7;
caused by periodic clearing Formulas (B.11)Figure B.7;
Formulas (B.11), (B.12),
(B.12)
−1
λ h , FIT Failure-induced nominal inflow rate to the flow partitioning Figures B.7, B.27;
node “FPN” or to the intermediate state “INT” Formulas (B.13), (B.14),
(B.108), (B.110),
(B.111)Figures B.7, B.27;
Formulas (B.13), (B.14),
(B.108), (B.110), (B.111),
(B.113), (B.113)
−1
λ2 h , FIT Failure-induced nominal outflow rate from the flow Figures B.7, B.27;
partitioning node “FPN” or from the intermediate state “INT” Formulas (B.6), (B.7),
(B.8), (B.9), (B.10), (B.11),
(B.12), (B.13), (B.14),
(B.108), (B.110),
(B.111)Figures B.7, B.27;
Formulas (B.6), (B.7),
(B.8), (B.9), (B.10), (B.11),
(B.12), (B.13). (B.14),
(B.108), (B.110), (B.111),
(B.113), (B.113)
−1
λ h , FIT Failure-induced nominal outflow rate from the flow Figures B.7, B.8, B.9, B.12;
A
partitioning node “FPN” Formulas (B.13), (B.16),
(B.29), (B.32)Figures B.7,
B.8, B.9, B.12;
Formulas (B.13), (B.16),
(B.29), (B.32), (B.33),
(B.33)
−1
Figures 6, 7, 8, B.14, B.15,
λAD h , FIT Dangerous failure rate of channel A of a two-channel system
B.18B.26; Formulas (19),
(20), (22), (26), (28), (29),
(30), (31), (32), (34), (36),
(37), (39), (40), (B.59),
Pre-
Variable ferred Description Use (selection)
unit
(B.61), (B.62), (B.64),
(B.66), (B.91), (B.92),
(B.93), (B.94), (B.95),
(B.96), (B.97), (B.98),
(B.99), (B.101), (B.102),
(B.114), (B.115), (B.116),
(B117), (B.120), (B.121),
(B.122), (B.123), (B.124),
(B.127), (B.128)Figures 6,
7, 8, B.14, B.15, B.18 B.26;
Formulas (19), (20), (22),
(26), (28), (29), (30), (31),
(32), (34), (36), (37), (39),
(40), (B.59), (B.61), (B.62),
(B.64), (B.66), (B.91),
(B.92), (B.93), (B.94),
(B.95), (B.96), (B.97),
(B.98), (B.99), (B.101),
(B.102), (B.114), (B.115),
(B.116), (B117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.127), (B.128),
(B.135), (B.135)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (8)Formulas (8),
AD SER-free AD
(B.103), (B.103)
−1
λ h , FIT Surrogate inflow rate to the state “A DU 2” of a two-channel Figures B.18, B.19, B.20;
A SI
system Formulas (B.60), (B.61),
(B.62)Figures B.18, B.19,
B.20; Formulas (B.60),
(B.61), (B.62), (B.64),
(B.64)
−1
λB h , FIT Nominal outflow rate from the flow partitioning node “FPN” Figures B.7, B.8, B.9, B.12;
caused by periodic clearing Formulas (B.14), (B.17),
(B.29), (B.32)Figures B.7,
B.8, B.9, B.12;
Formulas (B.14), (B.17),
(B.29), (B.32), (B.33),
(B.33)
−1
λ h , FIT Dangerous failure rate of channel B of a two-channel system Figures 6, 7, 8, B.14, B.15,
BD
(B.26); Formulas (19),
(21), (23), (27), (28), (29),
(30), (31), (33), (35), (36),
(37), (39), (40), (B.63),
(B.67), (B.69), (B.91),
(B.92), (B.93), (B.94),
(B.95), (B.96), (B.97),
(B.98), (B.100), (B.101),
(B.102), (B.114), (B.115),
(B.116), (B117), (B.120),
(B.121), (B.122), (B.123),
(B.124), (B.127),
(B.128)Figures 6, 7, 8,
B.14, B.15, (B.26);
Formulas (19), (21), (23),
Pre-
Variable ferred Description Use (selection)
unit
(27), (28), (29), (30), (31),
(33), (35), (36), (37), (39),
(40), (B.63), (B.67), (B.69),
(B.91), (B.92), (B.93),
(B.94), (B.95), (B.96),
(B.97), (B.98), (B.100),
(B.101), (B.102), (B.114),
(B.115), (B.116), (B117),
(B.120), (B.121), (B.122),
(B.123), (B.124), (B.127),
(B.128), (B.135), (B.135)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (8)Formulas (8),
BD SER-free BD
(B.103), (B.103)
−1
λB SI h , FIT Surrogate inflow rate to the state “B DU 2” of a two-channel Figures B.19, B.20;
system Formulas (B.63)Figures B.
19, B.20; Formulas (B.63),
(B.67), (B.67)
−1
Figure B.1; Formulas (8),
λCC h , FIT Common cause failure rate
(9), (B.48),
(B.103)Figure B.1;
Formulas (8), (9), (B.48),
(B.103), ,
−1
λCHD h , FIT Dangerous failure rate of channel CH Formula (1)Formula (1)
−1
λ h , FIT Dangerous failure rate of each of the functional channels of a Figure 9; Formulas (38),
D
symmetrical two-channel system (B.125)Figure 9;
Formulas (38), (B.125),
(B.126), (B.126)
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (38),
D SER-free D
(B.125)Formulas (38),
(B.125), (B.126), (B.126)
−1
λ h , FIT Constant surrogate dangerous failure rate over time for the Formulas (5), (B.2),
ED
wearing element E (B.3)Formulas (5), (B.2),
(B.3), (B.4), (B.4)
−1
λ h , FIT Dangerous failure rate of the element i of channel CH Figure 1; Formulas (1),
EiD
comprising n Elements (2)Figure 1; Formulas (1),
i = 1 … n
(2), (3), (3)
−1
λFD h , FIT Dangerous failure rate of the functional channel F of a single- Figures 3, 4, 5, B.2, B.3, B.6,
channel system; dangerous failure results in loss of the B.11, B.12; Formulas (11),
safety function (13), (14), (15), (16), (17),
(18), (B.16), (B.17), (B.35),
(B.47), (B.49), (B.50),
(B.51), (B.52),
(B.54)Figures 3, 4, 5, B.2,
B.3, B.6, B.11, B.12;
Formulas (11), (13), (14),
(15), (16), (17), (18),
(B.16), (B.17), (B.35),
(B.47), (B.49), (B.50),
(B.51), (B.52), (B.54),
(B.55), (B.55)
Pre-
Variable ferred Description Use (selection)
unit
−1
λ h , FIT As λ , but without the component caused by soft errors Formulas (9)Formulas (9),
FD SER-free FD
(B.48), (B.48)
−1
λ h , FIT Transition rate from state i to state j Figures B.10, B.23;
ij
Formulas (B.19), (B.20),
i = 1 … 3
(B.70), (B.71)Figures B.10,
j = 1 … 3
B.23; Formulas (B.19),
(B.20), (B.70), (B.71),
(B.72), (B.72)
−1
λMD h , FIT Dangerous failure rate of the test channel M of a single- Figures 3, B.2, B.3, B.6,
channel system; dangerous failure results in loss of the B.11, B.12; Formulas (11),
diagnostics function (13), (17), (18), (B.16),
(B.17), (B.35), (B.47),
(B.49), (B.54)Figures 3,
B.2, B.3, B.6, B.11, B.12;
Formulas (11), (13), (17),
(18), (B.16), (B.17), (B.35),
(B.47), (B.49), (B.54),
(B.55), (B.55)
−1
λMD SER-free h , FIT As λMD, but without the component caused by soft errors Formulas (9)Formulas (9),
(B.48), (B.48)
−9 −1
NOTE 1 FIT = 10 h
The significance of variables not listed in Table 1Table 1 is evident directly from the context.
4 Basic assumptions
Any modelling requires assumptions used by the model. The models discussed here, and their assumptions
are adjusted specifically to the typical boundary conditions of machine control systems. The following basic
assumptions generally apply throughout this document:
— Implementation of the safety functions with a logical series arrangement comprising discrete subsystems
in which the PFH of each subsystem is calculated separately.
— Use of the following subsystem architectures:
— Single-channel untested system (1oo1, designated architecture of categories B and 1);
— Single-channel tested system (1oo1D, designated architecture of category 2);
— Two-channel untested system (1oo2);
— Two-channel tested system (1oo2D, designated architecture of categories 3 and 4).
— No redundancy for increasing of the availability.
— Demand rate upon the safety function r ≥ 1/a. In terms of IEC 61508 this includes r = 1/a, high demand
d d
mode of operation and continuous mode of operation.
— In the case of diagnostics, test intervals not greater than the mission time.
NOTE 1 Setting the test interval of a channel to the mission time means one test at the end of the mission time
which is equivalent to no diagnostics for that channel. Commonly test intervals greater than one year are not
regarded as acceptable.
— Repair following detection of failure by diagnostics (automatic or manual as per specification).
— Repair following a hazardous event.
NOTE 2 In principle, consideration of the repair following a hazardous event also necessitates consideration of
the demand upon the safety function. It is found however that the demand rate needs be considered during
calculation of the PFH only in the case of certain 1oo1D applications.
— The reciprocals of the mean repair time (MRT) and the mean time to restoration (MTTR) are substantially
greater than the dangerous channel failure rates.
— Where a proof test (not usual in the machinery sector) is implemented: setting of the mission time TM to
the length of the proof-test interval.
— Ignoring rates of failure to safety.
NOTE 3 This constitutes estimation on the safe side and permits simpler models and equations. It also prevents
non-guaranteed failures to safety from causing a mathematical improvement in PFH.
— Real component behaviour is idealized.
— Constant failure rates of channels over time; it follows that the MTTF (mean time to dangerous failure) is
D
equal to the reciprocal of the dangerous failure rate (MTTF = 1/λ ).
D D
NOTE 4 The mission time of wearing parts is limited to T10D (corresponding to B10D working cycles). Use of a
surrogate failure rate (substitute MTTF ) assumed to be constant over time is thus justified as an acceptable
D
approximation; see Clause 6Clause 6 and Annex B.2.
— No systematic failures included in the PFH calculation.
NOTE 5 The PFH calculation addresses random hardware failures only. The important aspect of systematic
failures has to beis addressed by following the relevant requirements of ISO 13849-1.
— PFH is seen as the mean value over time of the frequency of the unmet demands upon the safety function
(frequency of unsuccessful attempts, frequency of malfunction).
NOTE 6 The frequency of the unmet demands at worst is equal to the hazard rate. For high or continuous demand
mode, i.e. the modes of operation addressed by this document, the hazard rate conforms with the unconditional
failure intensity upon which the definition of the PFH in IEC 61508 is based.
NOTE 7 In conjunction with the potential scale of harm, this frequency is essential to the residual risk despite
implementation of the safety function.
— Perfect repair, where applicable: perfect proof test.
NOTE 8 It is assumed that following repair, both function blocks are intact and have the original failure rate for
the remaining mission time. In the context of the general assumption of constant failure rates over time, this means
that a function block that has not failed at the time of repair need not necessarily be replaced, but only checked for
its proper function.
5 Channels
5.1 General
In the block diagrams of the models described here, channels are shown as discrete function blocks. A
distinction is drawn between functional channels and test channels.
5.2 Functional channel
A functional channel performs the safety function when required or continuously. In the two-channel tested
systems described here (1oo2D), each functional channel also has the purpose of diagnostics of the other
functional channel, either by performing the full diagnostics function, or by serving as a sensor or actuator in
it.
NOTE Effective diagnostics requires both detection of the failure and performance of the predefined safety-oriented
action.
Loss of the ability to perform the safety function or the test function is described as a dangerous failure of the
functional channel. Use of a suitable system architecture can prevent the dangerous failure of a functional
channel from leading to a dangerous system failure (loss of the safety function).
5.3 Test channel
A test channel tests, at certain times or continually, the ability of a functional channel to perform the safety
function. Loss of this test function does not of itself lead to failure of the safety function. To obviate the need
for an additional term, it is nevertheless described as dangerous failure of the test channel, since with regard
to the test channel it constitutes the least favourable form of failure in safety terms.
5.4 Channel comprising elements connected logically in series
Functional channels and test channels often consist of elements arranged logically in series, as shown in
Figure 1Figure 1. A channel CH comprising n elements then suffers dangerous failure when at least one of its
elements E … E fails dangerously.
1 n
Figure 1 — Channel CH consisting of n elements
The dangerous failure rate of the channel can then be calculated by means of the equation:
𝜆𝜆 =𝜆𝜆 +𝜆𝜆 +  … +𝜆𝜆 +   …   +𝜆𝜆 (1)
CHD E1D E2D E𝑛𝑛D E𝑛𝑛DE𝑛𝑛D
ISO 13849--1:2023 uses the mean time to dangerous failure (MTTFD) instead of the dangerous failure rate.
ISO 13849--1:2023 and this document assume all failure rates of single elements and complete channels to be
constant over time. Therefore, the following applies for an element E or, respectively, for a channel CH:
i
1 1 1
𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹 𝐹𝐹 = , , 𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹 𝐹𝐹 = (2)
D E𝑖𝑖 D E𝑖𝑖 D CH D CH
𝜆𝜆 𝜆𝜆 𝜆𝜆
E𝑖𝑖D E𝑖𝑖D CHD
and, conversely
1 1
𝜆𝜆 = , 𝜆𝜆 = (3)
E𝑖𝑖D CHD
𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹 𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹
D E𝑖𝑖 D CH
1 1
𝜆𝜆 = , 𝜆𝜆 = (3)
E𝑖𝑖D CHD
𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹 𝑀𝑀𝑀𝑀𝑀𝑀𝐹𝐹
D E𝑖𝑖 D CH
Therefore, within ISO 13849--1:2023, MTTF can be regarded as a synonym of the reciprocal of the dangerous
D
failure rate 𝜆𝜆 . Nevertheless, it is important to note that Formula (2)Formula (2) and Formula (3)Formula (3)
D
are valid only in case of failure rates which are constant over time.
In a functional channel for which diagnostics is implemented, the diagnostics can differ between the individual
elements. The diagnostic coverage of an element with a high failure rate then has a greater effect for the
channel as a whole than the diagnostic coverage of an element with a low failure rate. The mean diagnostic
coverage for the channel can therefore be computed as the sum of all weighted element diagnostic coverages.
The element diagnostic coverages are weighted with th
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

ISO
ISO 13855:2024(Main)
Safety of machinery — Positioning of safeguards with respect to the approach of the human body

This document specifies requirements for the positioning and dimensioning of safeguards with respect to the approach of the human body or its parts towards hazard(s) within the intended span-of-control as follows: — the position and dimension of the detection zone(s) of ESPE and pressure-sensitive mats and pressure-sensitive floors; — the position of two-hand control devices and single control devices; — the position of interlocking guards. This document also specifies requirements for the positioning of safety-related manual control devices (SRMCD) with respect to the approach of the human body or its parts from within the safeguard space relative to: — the position and dimension of the detection zone(s) of ESPE and pressure-sensitive mats and pressure-sensitive floors; and — the position and dimension of interlocking guards. When evaluating the ability of the human body or its parts to access SRMCD from within the intended safeguarded space, the requirements of this document are also applicable to determine the dimensions of safeguard(s). Approaches such as running, jumping or falling, are not considered in this document. NOTE 1 The values for approach speeds (walking speed and upper limb movement) in this document are time tested and proven in practical experience. NOTE 2 Other types of approach can result in approach speeds that are higher or lower than those defined in this document. This document applies to safeguards used on machinery for the protection of persons 14 years and older. Safeguards considered in this document include: a) electro-sensitive protective equipment (ESPE) such as: — active opto-electronic protective devices (AOPDs) (see IEC 61496-2); — AOPDs responsive to diffuse reflection that have one or more detection zone(s) specified in two dimensions (AOPDDRs-2D) (see IEC 61496-3); — AOPDs responsive to diffuse reflection that have one or more detection zone(s) specified in three dimensions (AOPDDRs-3D) (see IEC 61496-3); — vision based protective devices using reference pattern techniques (VBPDPP) (see IEC/TS 61496-4-2); — vision based protective devices using stereo vision techniques (VBPDST) (see IEC/TS 61496-4-3); b) pressure-sensitive mats and pressure-sensitive floors (see ISO 13856-1); c) two-hand control devices (see ISO 13851); d) single control devices; e) interlocking guards (see ISO 14120). This document is not applicable to: — safeguards (e.g. pendant two-hand control devices) that can be manually moved, without using tools, nearer to the hazard zone than the separation distance; — protection against the risks from hazards arising from emissions (e.g. the ejection of solid or fluid materials, radiation, electric arcs, heat, noise, fumes, gases); — protection against the risks arising from failure of mechanical parts of the machine or gravity falls. The separation distances derived from this document do not apply to safeguards used solely for presence sensing function.

  • Standard
    72 pages
    English language
    sale 15% off
  • Standard
    79 pages
    French language
    sale 15% off
ISO
ISO 14119:2024(Main)
Safety of machinery — Interlocking devices associated with guards — Principles for design and selection

This document specifies principles for the design and selection (independent of the nature of the energy source) of interlocking devices associated with guards and provides guidance on measures to minimize the possibility of defeat of interlocking devices in a reasonably foreseeable manner. This document covers principles for the design, selection and application of the following: — parts of the guards which actuate interlocking devices; — trapped key interlocking devices and systems for machinery applications. NOTE ISO 14120 specifies general requirements for the design and construction of guards provided primarily to protect persons from mechanical hazards. The processing of the signal from the interlocking device to stop the machine and prevent unexpected start up is covered in ISO 14118, ISO 13849-1 and IEC 62061.

  • Standard
    106 pages
    English language
    sale 15% off
  • Standard
    108 pages
    French language
    sale 15% off
ISO
ISO 13849-1:2023(Main)
Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

This document specifies a methodology and provides related requirements, recommendations and guidance for the design and integration of safety‐related parts of control systems (SRP/CS) that perform safety functions, including the design of software. This document applies to SRP/CS for high demand and continuous modes of operation including their subsystems, regardless of the type of technology and energy (e.g. electrical, hydraulic, pneumatic, and mechanical). This document does not apply to low demand mode of operation. NOTE 1 See 3.1.44 and the IEC 61508 series for low demand mode of operation. This document does not specify the safety functions or required performance levels (PLr) that are to be used in particular applications. NOTE 2 This document specifies a methodology for SRP/CS design without considering if certain machinery (e.g. mobile machinery) has specific requirements. These specific requirements can be considered in a Type‑C standard. This document does not give specific requirements for the design of products/components that are parts of SRP/CS. Specific requirements for the design of some components of SRP/CS are covered by applicable ISO and IEC standards. This document does not provide specific measures for security aspects (e.g. physical, IT-security, cyber security). NOTE 3 Security issues can have an effect on safety functions. See ISO/TR 22100-4 and IEC/TR 63074 for further information.

  • Standard
    152 pages
    English language
    sale 15% off
  • Standard
    152 pages
    English language
    sale 15% off
  • Standard
    165 pages
    French language
    sale 15% off
  • Standard
    165 pages
    French language
    sale 15% off
ISO
ISO/TR 22053:2021(Main)
Safety of machinery — Safeguarding supportive system

This document provides guidance for the design and integration of a safeguarding supportive system (SSS) which is intended to include a mode selection as part of an SRP/CS or to add a layer of personnel authentication and authorization to an IMS designed according to ISO 11161. This document is meant to be used in conjunction with ISO 11161. This document is applicable to the SSS but does not address personnel qualification and competency.

  • Technical report
    8 pages
    English language
    sale 15% off
ISO
ISO/TR 22100-1:2021(Main)
Safety of machinery — Relationship with ISO 12100 — Part 1: How ISO 12100 relates to type-B and type-C standards

This document provides assistance to the designer/manufacturer of machinery and related components as to how the system of existing type-A, type-B and type-C machinery safety standards should be applied in order to design a machine to achieve a level of tolerable risk by adequate risk reduction. This document explains the general principles of ISO 12100 and how this type-A standard is used for practical cases in conjunction with type-B and type-C machinery safety standards. This document provides assistance to standards-writing committees on how ISO 12100 and type-B and type-C standards relate and explains their function in the risk assessment and risk reduction process according to ISO 12100. This document includes an overview of existing categories of type-B standards to assist standards readers and writers to navigate the many standards.

  • Technical report
    16 pages
    English language
    sale 15% off
ISO
ISO/TR 22100-5:2021(Main)
Safety of machinery — Relationship with ISO 12100 — Part 5: Implications of artificial intelligence machine learning

This document addresses how artificial intelligence machine learning can impact the safety of machinery and machinery systems. This document describes how hazards being associated with artificial intelligence (AI) applications machine learning in machinery or machinery systems, and designed to act within specific limits, can be considered in the risk assessment process. This document is not applicable to machinery or machinery systems with AI applications machine learning designed to act beyond specified limits that can result in unpredictable effects. This document does not address safety systems with AI, for example, safety-related sensors and other safety-related parts of control systems.

  • Technical report
    6 pages
    English language
    sale 15% off
  • Technical report
    6 pages
    French language
    sale 15% off
ISO
ISO 13857:2019(Main)
Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs

This document establishes values for safety distances in both industrial and non-industrial environments to prevent machinery hazard zones being reached. The safety distances are appropriate for protective structures. It also gives information about distances to impede free access by the lower limbs (see Annex B). This document covers people of 14 years and older (the 5th percentile stature of 14-year-olds is approximately 1 400 mm). In addition, for upper limbs only, it provides information for children older than 3 years (5th percentile stature of 3-year-olds is approximately 900 mm) where reaching through openings needs to be addressed. NOTE 1 It is not practical to specify safety distances for all persons. Therefore, the values presented are intended to cover the 95th percentile of the population. Data for preventing lower limb access for children is not considered. The distances apply when sufficient risk reduction can be achieved by distance alone. Because safety distances depend on size, some people of extreme dimensions will still be able to reach hazard zones even when the requirements of this document are met. Compliance with the requirements in this document will prevent access to the hazard zone. Nevertheless the user of this document is advised that it does not provide the required risk reduction for every hazard (e.g. hazards related to machine emissions such as ionizing radiation, heat sources, noise, dust). The clauses covering lower limbs apply on their own only when access by the upper limbs to the same hazard zone is not foreseeable according to the risk assessment. The safety distances are intended to protect those persons trying to reach hazard zones under the conditions specified (see 4.1.1). NOTE 2 This document is not intended to provide measures against reaching a hazard zone by climbing over (see ISO 14120:2015, 5.18).

  • Standard
    20 pages
    English language
    sale 15% off
  • Standard
    20 pages
    French language
    sale 15% off
ISO
ISO 20607:2019(Main)
Safety of machinery — Instruction handbook — General drafting principles

This document specifies requirements for the machine manufacturer for preparation of the safety-relevant parts of an instruction handbook for machinery. This document: — provides further specifications to the general requirements on information for use given in ISO 12100:2010, 6.4.5; and — deals with the safety-related content, the corresponding structure and presentation of the instruction handbook, taking into account all phases of the life cycle of the machine. NOTE 1 The strategy for risk reduction at the machine is given in ISO 12100:2010, Clause 6, and includes inherently safe design measures, safeguarding and complementary risk reduction measures as well as information for use. NOTE 2 Annex A contains a correspondence table between ISO 12100:2010, 6.4, and this document. NOTE 3 Information for conception and preparation of instructions in general is available in IEC/IEEE 82079-1. This document establishes the principles which are indispensable to provide information on residual risks. This document does not address requirements for declaration of noise and vibration emissions. This document is not applicable to machinery manufactured before the date of its publication.

  • Standard
    24 pages
    English language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
ISO
ISO 13851:2019(Main)
Safety of machinery — Two-hand control devices — Principles for design and selection

This document specifies the safety requirements of a two-hand control device (THCD) and the dependency of the output signal from the actuation by hand of the control actuating devices. This document describes the main characteristics of THCDs for the achievement of safety and sets out combinations of functional characteristics for three types. It does not apply to devices intended to be used as enabling devices, as hold-to-run devices or as special control devices. This document does not specify with which machines THCDs shall be used. It also does not specify which types of two-hand-control device shall be used for a specific application. Moreover, while guidance is given, it does not specify the required distance between the THCD and the danger zone (see 8.8). This document provides requirements for design and guidance on the selection (based on a risk assessment) of THCDs including the prevention of defeat, the avoidance of faults and verification of compliance. NOTE 1 A THCD only offers protection for the person using it. NOTE 2 For specific machines, the suitability of a two-hand control as a suitable protective device can be defined in a type-C standard. If such a standard does not exist or is not appropriate, the risk assessment and determination of suitable protective measures is the responsibility of the manufacturer of the machine. This document applies to all THCDs, independent of the energy used, including: — THCDs which are fully assembled for installation; — THCDs which are assembled by the machine manufacturer or integrator. This document is not applicable to THCDs manufactured before the date of its publication.

  • Standard
    21 pages
    English language
    sale 15% off
  • Standard
    22 pages
    French language
    sale 15% off
ISO
ISO 19353:2019(Main)
Safety of machinery — Fire prevention and fire protection

This document specifies methods for identifying fire hazards resulting from machinery and for performing a risk assessment. It gives the basic concepts and methodology of protective measures for fire prevention and protection to be taken during the design and construction of machinery. The measures consider the intended use and reasonably foreseeable misuse of the machine. It provides guidelines for consideration in reducing the risk of machinery fires to acceptable levels through machine design, risk assessment and operator instructions. This document is not applicable to: — mobile machinery; — machinery designed to contain controlled combustion processes (e.g. internal combustion engines, furnaces), unless these processes can constitute the ignition source of a fire in other parts of the machinery or outside of this; — machinery used in potentially explosive atmospheres and explosion prevention and protection; and — fire detection and suppression systems that are integrated in building fire safety systems. It is also not applicable to machinery or machinery components manufactured before the date of its publication.

  • Standard
    49 pages
    English language
    sale 15% off
  • Standard
    50 pages
    French language
    sale 15% off