Safety Standard ISO13849-1

Corresponding to Category 2 to 4
Safety control system
by dual residual pressure release valve
with position detection sensor

SMC Support
Providing B10(d)/MTTF data Providing operational components
We will calculate and provide reliability characteristics We provide validated operational components that can
concerning life and breakdown of individual parts. be used to build safety control systems.
(The customer should convert this to MTTFd.)

B10 (cycles to 10% failure)

Title: Reliability
characteristic data
Product name: Solenoid
valve
Model: SJ2000

Note) Please note that these are not safety parts certified to the safety standard.

P-E11-4B
 The ISO13849-1 safety standard has been extended globally since December 2011.
It is also incorporated into the standards in each country.
As an example, the specific work flow for Europe is explained below.
(Please note that the standards in each country are different – ANSI in America, JIS in Japan, GB in China -
so the work flow will be different in each region.)

EN (Europe) Machinery Directive (Europe)

ANSI (America)
ISO12100-1 ISO13849-1
JIS (Japan) Standard which specifies hazards and Standard for design and validation
defines method for risk assessment of safety related parts of the control
GB (China) (1) Mechanical hazard system.
(2) Electrical hazard Methods to be adopted to achieve
(3) Thermal hazard the necessary performance level
(4) Noise-related hazard
using guard switches, interlock
(5) Vibration-related hazard
(6) Radiation-related hazard circuits etc.
(7) Material-related hazard
(8) Ergonomics hazard •Interlock device
(9) Hazard relating to environment •Emergency stop device
(10) Hazard relating to combination
• ...

Machinery Directive (Europe) ISO12100-1

ISO13849-1
(Check of safety control system)

(Other harmonized standards)

Certification

End user Equipment manufacturer

Level “c” or above is

Correspondence
necessary to ensure the
safety of workers….
Let’s instruct the equip-
ment manufacturer. Instruction

The safety level of this

equipment is “c” in the 5
Equipment concept stage evaluation from a to e.
(Refer to Q3&A on page 3 Equipment design
and w Determining Perform-
ance Level (PLr) on page 5,
for level of safety equipment. Equipment certification

The end user has instructed

that it must conform to
ISO13849-1∗.
Let’s consult SMC about the
Equipment concept pneumatic equipment!

Can be checked by a third party organization or consultant.

The risk of injury to workers, safety equipment and control circuit
are confirmed to determine the level of the hazard. ∗ Refer to Q2 on page 3, and pages 4 and 5.

1
 ISO13849-1
SMC Support
Dual residual pressure release valve Supplying operational
Providing B10(d)/MTTF data
with position detection sensor components
This is a safety system valve. When the position We will calculate and provide reliability We provide validated operational components
detection sensor mounted to the valve detects that one characteristics values concerning life that can be used to build safety control systems.
of the two valves is out of position, the valve can be and breakdown of individual parts.
used with a safety system which vents the protected (The customer should convert this to
system when the position sensor signals a fault. MTTFd.)

B10 (cycles to 10% failure)

Title: Reliability
characteristic data
Product name:
Solenoid valve
Model: SJ2000

Back
Refer to P.3 P.6 P.12 P.14 P.15 Refer to P.13 Refer to P.16 to cover

SMC sales

We can provide pressure

release valves
corresponding to the
category, product data and
operational components.

Request

What is a dual residual pressure release valve with position detection sensor?
Two 3-port valves with switches to check the movement of the main
valve are connected in series, so even if one of them fails to operate,
the other one can safely release the residual pressure! The spool
position switches indicate if one valve has failed to operate and can be
used to prevent the reenergizing of the system until repaired.
VG342--X87
SMC can supply products
related to the safety control VP544--X538
system.
Supply of products related to dual residual
pressure release valve with position
detection sensor

Position detection valve with redundancy

2
 Simple!

ISO13849-1 Q&A
Q 1 What can SMC Sales do for customers in terms
of the ISO13849-1 standard?
Q 5 Ifhowa customer requires the ISO13849-1 standard,
should we respond?
A See the three points below. A Take them the ISO13849-1 pamphlet. Explain about the
services SMC can provide: q dual residual pressure
SMC Support release valve with position detection sensor, w providing
data, e supplying validated operational components.
q Dual residual pressure release valve
with position detection sensor
Two 3- port valves with switches to check the movement of the
Q 6 position
What is a dual residual pressure release valve with
detection sensor?
main valve are connected in series, so even if one of them fails to
operate, the other one can safely release the residual pressure. A It is a residual pressure release valve made to correspond to the
Then, this valve can be used in the safety system where the spool safety standard. Two residual pressure release 3-port valves are
position switches indicate if one valve has failed to operate and can connected in series (AND circuit), so even if one fails to operate,
be used to prevent the reenergizing of the system until repaired. the other one will operate, so residual pressure is released safely.
This is called a redundancy function. Also because it has a sensor
w Providing B10(d)/MTTF data
B10 (cycles to 10% failure)
to confirm the valve operation, the sensor shows whether the valve
We will calculate and provide reliability
is operating correctly and reenergization can be prevented if not.
Title: Reliability
characteristic values concerning characteristic data With a sensor
Product name: Solenoid
estimated life of individual parts. (The valve
customer should convert this to Model: SJ2000
Residual Residual
MTTFd.)
pressure pressure
release 3-port release 3-port Equipment side
valve valve

e Supplying validated
operational components.
We provide components to
Q 7 The standard is being enforced. Does existing
equipment correspond to the standard?
ensure the safety of the
safety control system. A The standard came into force in December 2011 and new equipment must
adapt.
Regarding existing equipment, if modification such as equipment change etc. is
Q 2 Explained simply, what kind of standard is
ISO13849-1?
needed to increase the performance, it is necessary to conform to the standard.
So safe components and circuits are used to conform to the standard. Even for
modifications, there will be requirements for dual residual pressure release valve
A It is a standard that ensures that the design and construction of the safety
with position detection sensor, supply of data, and demand for safety equipment.
related part of a machine control system is suitable to protect people from
the hazards of the machine, based on the defined level of risk.
Q 8 The standard mentions “redundancy”. What
does this mean?
Q 3 Who evaluates the required performance level for the equipment? A Redundancy means that even if one part fails, the whole system will fulfill
A The mechanical safety devices of the equipment (system) and the reliability of the equipment
its required function. This is usually achieved by having dual channels of
used should be evaluated.
operation, such as dual valves, dual wiring, dual guard switches etc.
This level is called PL (performance
The dual residual pressure release valve with position detection sensor
level). This is the evaluation criteria
is said to have redundancy because two valves are connected in series,
of the safety level of the equipment.
so even if one valve fails to operate, the other valve will function.
Designer and manufacturer of the
machine has the responsibility for
the evaluation. Q 9 We often hear about “categories” in ISO13849-1.
What does this mean?
Then they have to perform the
evaluation by themselves or they A The categories mentioned in ISO13849-1 are one of the four
may ask a third party organization. elements to determine PL (Performance Level of the actual
The responsibility remains with the safety control system). There are five performance levels
manufacturer. combining the configuration of the safety control system
(hardware) and reliability (life, probability of failure, etc.).
Q 4 What happens after the level classification has been done? There are five Categories: B, 1, 2, 3 and 4.
• Category B, 1 ..Safety function can be accomplished by single channel.
A After the evaluation criteria PLr has been determined, PL
Single failure results in loss of safety function.
is found from the actual safety control system. This PL • Category 2.......Safety function can be accomplished by single
level is compared with PLr and if it is equal or above, it channel and is automatically checked.
conforms to the standard, but if it is less, the measures • Category 3.......It has redundancy so there is no loss of safety
function with a single failure. The safety function must
are insufficient. If the measures are insufficient for the be checked before each use. An accumulation of
level of safety, the end user must introduce or modify undetected faults can cause loss of safety function.
equipment to ensure safety. According to these instruc- • Category 4.......It has redundancy so there is no loss of safety function with a
tions, for example the equipment manufacturer will design single failure. The safety function must be checked before each
use. An accumulation of undetected faults does not affect the
parts and systems to ensure the safety of the equipment. safety function. (Higher DC and MTTFd than Category 3.)

3
SMC responds to safety standard ISO13849-1.
The globalization of the concept of machine safety by international standards is currently accelerating.
Conforming to international standards (IEC/
ISO standards) is becoming a main condition.
Globalization concerning mechanical safety is accelerating.
(Example: In Europe, the safety requirements of the Machin-
ery Directive are mandatory and ISO13849 can be used to
IEC/ISO standards
ensure compliance with this Directive, and equipment that
does not conform to it cannot be distributed in the EU region.
This safety concept is also being taken up in Japan, so
safety construction done by conforming to international Europe (EN) China (GB)
standards.) America (ANSI)
Japan (JIS)

Globalization is accelerating Asia/Oceania (AS)

Member countries of the WTO/TBT agreement must South Korea (KS)
conform to international standards, and the
standards in each country are aligned internationally.

Countries are affected by the contents of the standard.

Countries affect the contents of the standard.

1 Risk Assessment (Analysis of Risk) Procedure

¡Risk analysis and risk reduction Estimation of risk
The person responsible for design of a machine or process is Mechanical hazards, the basis for estimation of risk,
required to design it such that it conforms to necessary safety are defined as follows in ISO12100-1 (JIS B 9702).
standards and restrictions. To do that, first the “risk” of the (1) Mechanical hazards (crushing, getting caught, cutting etc.)
whole machine is identified by a method based on ISO14121 (JIS (2) Electrical hazards (electric shock, insulation failure, and static electricity etc.)
B 9702) using the definition in ISO12100 (JIS B 9702), the risk is (3) Thermal hazards (fire, explosion, burns etc.)
estimated, and measures are taken to reduce it if there is a risk. (4) Noise-related hazards
(5) Vibration-related hazards
The risk generated in the entire machine is checked and reduced, (6) Radiation-related hazards (low frequency, electromagnetic radiation etc.)
based on the flow of ISO14121. (7) Material-related hazards (hazardous substances etc.)
(8) Ergonomics hazards (human error etc.)
(9) Hazards relating to operating environment
(10) Hazards relating to combination
Risk assessment Start
based on ISO14121
™If risk reduction strategy is based on the safety control system
Specify limits of machine It is evaluated by Performance Level (PL), and the evaluation
ISO12100-1(JIS B 9700-1) procedure is decided by ISO13849-1.
Strategies for risk reduction Start
1. Intrinsically safe design
Identify hazards If strategy is based on control
2. Safeguarding and ISO12100-1(JIS B 9700-1)
complementary protective measures ISO13849-1
3. Information about residual risks Identify safety function and
ISO12100-2 (JIS B 9700-2) necessary characteristics Specify limits of machine
Estimate the risk ISO12100-1(JIS B 9700-1)
ISO12100-1(JIS B 9700-1)

Find required performance (PLr)

Acceptable level? Identify hazards

Design safety control system ISO12100-1(JIS B 9700-1)
No
Yes
Reduction of risk Risk analysis
Evaluate Performance Level (PL)
Finish (Category, MTTFd/ B10d, DCavg, CCF) Estimate the risk
ISO12100-1(JIS B 9700-1)

If this risk reduction is based on the safety control system, PL ≥ PLr

Yes
the safety control system is evaluated with ISO13849-1 to No
Acceptable level?
reduce the risk. (In the past, EN954-1 was used.) No
Yes
Reduction of risk Risk analysis
Finish
What is Performance Level (PL)?
The level of risk of the machine and the level of the corresponding safety
control system is comparatively evaluated in five stages “a” to “e”.

4
 2 Determining Performance Level (PL)

¡Determining Required Performance Level (PLr) as evaluation criteria

First, determine the Required Performance Level (PLr) which is the evaluation criteria.
Required Performance Level (PLr) is evaluated from Severity of Injury (S), Frequency
and/or Exposure to Hazard (F) and Possibility of Avoiding Hazard (P).
Possibility of
avoiding hazard PLr
ISO13849-1 Frequency
of hazard
Evaluation example
Severity P1
S: Severity of Injury of injury a Determining PLr
F1
S1: Slight injury If injury is serious (S2),
S1 P2
S2: Serious injury (after effects, death etc) exposure to hazard is seldom
P1 b (F1) and it is possible to
F: Frequency and/or Exposure to Hazard F2 avoid the hazard (P1), then
F1: Seldom or short duration P2 the PLr is “c”.
F2: Often or long duration P1 c
Determining PL
F1
P: Possibility of Avoiding Hazard or Limiting Harm From PL ≥ PLr,
P1: Possible under specific conditions S2 P2
the necessary PL is “c”,
P1 d
P2: Impossible “d” or “e”.
F2
P2
e

Size of risk

To satisfy the Performance Level (PL), it must be designed Evaluation example

so that the combined value of the four parameters To satisfy PL, or
qCategory wMTTFd if category of equipment is 3 ·DCavg = Medium
eDCavg rCCF ·DCavg = Low ·MTTFd = Low or more
·MTTFd = Medium or more ·CCF= 65 points or more
exceeds the Required Performance Level
·CCF= 65 points or more is necessary.
(PLr).
∗ See below for parameters of PL .

™Determining Performance Level (PL) of the actual safety control system

The PL of the actual safety control system is determined separately from the Required Performance Level (PLr). To satisfy this PL, the
combined value of four parameters (qCategory, wMTTFd, eDCavg and rCCF) must exceed the Required Performance Level (PLr).

Parameters of PL Evaluation criteria

Structure of hardware Life of components Reliability of system Certainty of design

B
Category Architecture of safety control system
1
(configuration of I, L, O)
2
q The category is composed of I (input equipment),
L (logical operation equipment) and O (output equipment). 3
4
5 levels

qIndividual parts wWhole system High

MTTFd 1. MTTF given by manufacturer (30 years or more, less than 100 years)
2. ∗ MTTF given in Annex C or
if B10 is given, use: MTTFd=
1 Medium
w B10d
MTTFd=
B10d
B10d=2 x B10 Σ
n
1 (10 years or more, less than 30 years)
Low
0.1 x Nop i=l MTTFdi
Nop∗ ∗ The designer of the machine needs to ascertain Nop (3 years or more, less than 10 years)
(how many times that part operates in one year). MTTFd=2 x MTTF 3 levels

qIndividual parts wWhole system

High
DCavg ∗ Select DC from n (99% or more)
Table 1 of Annex E. Σ DCi
i=l MTTFdi
Medium
(90% or more, less than 99%)
DC DCavg= n
e Easy to calculate if using products certified to Σ 1 Low
IEC/EN61508, IEC/EC62061, EN954-1 etc. i=l MTTFdi (60% or more, less than 90%)
MTTFd None
(less than 60%) 4 levels

∗ Score from checklist

CCF in Annex F is 65 or more. Yes (65 points or more)
r For Category 2 and above, CCF is required to be 65 points or more.
No (less than 65 points)
2 levels

∗ Refer to the ISO13849-1 standard.

5
 Differences in combinations and outline of Categories B, 1, 2, 3, 4.
Input signal Output signal Input signal Output signal
m
I L O I L O I1 L1 O1
Input signal Output signal
m C
m
TE OTE I2 L2 O2
Output signal Input signal Output signal

Configuration applicable to Category B and Category 1 Configuration applicable to Category 2 Configuration applicable to Category 3 and Category 4
I : Input equipment (e.g. sensor) m : Monitoring m : Monitoring
L : Logical operation equipment TE : Testing equipment C : Cross monitoring
O : Output equipment (e.g. contactor) OTE : Output of test result
∗ In Category 3, safety function may be lost due to
∗ MTTFd of Category 1 is higher than Category B, ∗ In Category 2, if a fault occurs, it may lead to a accumulation of undetected faults.
so probability of losing safety function is low, but loss of safety function in the interval between ∗ The redundancy of architecture shown in these block diagrams
a fault may lead to loss of safety function. two checks. can mean not just physical meaning but also internal logic
from which the single fault tolerance is confirmed.

Category Outline of requirements

Safety-related parts of control systems should achieve their functions,
SMC can provide
B and should withstand expected stress (vibration, EMC etc.). products related
1
Category B + to the category of
Standard valves
Use of well tried safety components
the system.
Category B + Related products such as dual
2 Safety function(s) shall be checked at appropriate intervals.
residual pressure release valve
Position detection valves
Category B + with position detection sensor
3 A single fault does not lead to the loss of safety function.
Position detection valves
Where practicable, a single fault shall be detected. with redundancy
Category B +
4 A single fault is detected at or before the next demand on the safety function. If this detection
is not possible then an accumulation of faults shall not lead to the loss of safety function.

The structure of the safety control system depends on the purpose of the
machine, degree of hazard, scale of machinery and operation frequency. SMC offers a full line-up of other
For example if we think of an assembly process, there are differences recommended products related to safety.
depending on the purpose: robot, pick & place, semiautomatic etc. and
the structure of equipment is different.
This classification of basic structure is what is called the Category of the
safety control system.

Simplified procedure for evaluating PL achieved by SRP/CS

qCategory B 1 2 2 3 3 4
wMTTFd of
each channel
Low a — a b b c —

Medium b — b c c d —

High — c c d d d e

eDCavg None None Low Medium Low Medium High

rCCF None 65 points or more
Example: If CCF is 65 or more, Category 3, MTTFd = Medium, and DCavg = Low, then PL is evaluated as “c”.

6
INDEX
Safety standard ISO13849-1 and role of SMC ………… P.8

1. Global trends in safety design ……………………………………… P.8

2. Safety design of ISO13849-1 ………………………………………… P.8

3. Safety of machinery / Safety-related parts of control system… P.9

Risk assessment (analysis of risk) procedure ……… P.9

1. If risk reduction strategy is based on control ……………… P.10

Determining Required Performance Level (PLr) ………………… P.10
Determining Performance Level of actual control system (PL) ………… P.11
2. Determining PL from four parameters ………………………… P.12

Four parameters for determining PL ………………………… P.12

1. Category ………………………………………………………………………… P.12

2. MTTFd ……………………………………………………………………………… P.13

3. DCavg ……………………………………………………………………………… P.13
4. CCF ………………………………………………………………………………… P.13

SMC’s response ……………………………………………………………… P.13

Recommended valves and wiring examples (Category B to 4) …… P.14

Pneumatic equipment products ………………………………… P.16

1. Directional control equipment………… P.16

2. Actuators …………………………………… P.17

3. Flow control equipment ………………… P.18

4. Detection switches ……………… Back cover

7
 ISO13849-1

Safety standard ISO13849-1 and role of SMC

As a background to this, the concept of machine safety
ISO13849-1:2006 (Safety-related part of control system) is provided by an international standard and globaliza-
was enacted to provide a quantitative and clear method tion is accelerating. Conformance to international stan-
of assessment (evaluation) of control systems for equip- dards (IEC/ISO standards) is becoming a major condi-
ment and machines. tion to satisfy machine safety.
This ISO13849-1 is essential as a harmonized standard
For example, in Europe, the New Machinery Directive
of the Machinery Directive (2006/42/EC).
(2006/42/EC) which is one of the EU directives legally
For equipment manufacturers and end users consider- enforced in the EU, was made law on 29th December
ing safety design of equipment and machines, SMC will 2009. (Although it was enacted, the adaptation of the old
(1) help with equipment selection. standard EN954 was extended by two years. As a result,
(2) provide reliability data such as B10(d)∗1 /MTTF it was actually be enforced from 29th December 2011.)
data. To conform to this new Machinery Directive, this
(3) provide operational products. ISO13849-1 is essential as a harmonized standard.
ISO13849-1 itself is not a compulsory standard, but in
order to conform to this Machinery Directive, even in
Japan pneumatics manufacturers including SMC are
User
getting requests, particularly from equipment manufac-
Equipment concept turers and end users who are considering shipping
equipment to Europe.
With this background, on a global level, people respon-
Equipment design SMC’s role and support sible for the design of machines or processes are
(1) Help with equipment
required to make designs that conform to the necessary
selection
safety standards and restrictions.
(2) Providing B10(d)/MTTF data
(3) Providing related products Within these international standards, the standard which
defines principles and performance required from safety
Equipment certification Can be done by the manufacturer
control systems of equipment and machines used by
(in some cases with third party
cooperation). pneumatic, hydraulic and electrical machines, is
ISO13849-1.

∗1: B10(d) data (MTTF only for electronic equipment

2. Safety design of ISO13849-1
that does not have wear-out failure) The architecture (safety construction) of safety control
The reliability characteristics values (B10(d) or MTTF) systems used before ISO13849-1:2006 were determin-
provided by SMC are values particular to the compo- istic ones based on the internal construction of the
nents to be used. equipment or machine. For example, the loss of the
The customer should separately convert these into safety function due to the internal parts changing over
the parameters for assessing the safety category time was not taken into consideration. So the idea of
within the equipment design specification.
machine safety has changed to specifying it in terms of
These values are obtained under our standard
function and reliability. So in the revised ISO13849-
(SMC internal test conditions), and are not guaran-
teed under the operating conditions of the
1:2006, deterministic function and probabilistic reliability
customer’s equipment. are amalgamated.
In addition to the existing structural definition, this gives
a two-level definition which probabilistically evaluates
the safety system, such as the life until dangerous
failure at component level, and detection of dangerous
1. Global trends in safety design failure.
The JIS standards that form the standard for machine With this definition, machine safety in the actual operat-
design in Japan now are being aligned with international ing conditions of the machine can be quantitatively
standards ISO (International Standardization Organiza- evaluated.
tion) and IEC (International Electrotechnical Commis-
sion) standards.
8
3. Safety of machinery / Safety-related parts of control system Overview of risk assessment/risk reduction
ISO13849-1 provides general principles for machine Start
design. It specifies safety requirements for the design
of safety-related parts of the control system (SRP/CS)
Risk assessment based
and general principles, and characteristics including the Specify limits of machine ∗1 on ISO14121 (JIS B 9702)
performance level necessary to perform the safety
function.
It applies to all kinds of machines, regardless of the
technology and type of energy used (electrical, hydrau- Identify hazards ∗1 This iterative risk reduction
lic, pneumatic, mechanical etc). process must be carried out
ISO13849-2 covers validation. Using the theoretical individually for each hazard
existing under each condition of
grounds shown by the designer in the design, according use (duty).
Estimate the risk ∗1
to ISO13849-1, for safety-related parts of the control
system, it specifies the procedure that should be
followed to analyze the safety function and the category
achieved, and validation by testing. Evaluate the risk ∗1
Yes
No
Other hazard occurred?
Risk assessment (analysis of risk) procedure
Risk appropriately
Finish
We will explain the specific method of safety design. reduced?
Yes
First, using the method based on ISO14121, identify No
the “risks of machine” of the machine as a whole, using
the definitions in ISO12100 (JIS B 9702), estimate the Strategies for risk reduction
risk, and take measures to reduce any risk. This is 1. Intrinsically safe design ∗1
2. Safeguarding and complementary Iterative process for design
called risk assessment. of safety-related parts of
protective measures ∗1
3. Information about residual risks ∗1 control system (SRP/CS) ∗2
The machine safety hazards that risk assessment is
based on, are defined as follows in ISO12100-1 (JIS B
9702).
Selected protective measures
(1) Mechanical hazards (crushing, getting caught, cutting etc) are by control system? Yes
(2) Electrical hazards (electric shock, insulation failure,
and static electricity etc) No
(3) Thermal hazards (fire, explosion, burns etc)
(4) Noise-related hazard ∗1: Refer to ISO12100-1 (JIS B 9700-1).
∗2: Refer to ISO13849-1 and “1” on page 10.
(5) Vibration-related hazard
(6) Radiation-related hazard (low frequency, electro-
magnetic radiation etc)
(7) Material-related hazard (hazardous substances etc.)
(8) Ergonomics hazard (human error etc)
(9) Hazard relating to operating environment
(10) Hazard relating to combination
Using this criteria, risk is determined, identified and
estimated according to the following work flow, and if
there is a problem, measures are considered to reduce
the risk.

9
 ISO13849-1

1. If risk reduction strategy is based on control Determining Required Performance Level (PLr)
If this risk reduction is based on the control system, the First the Required Performance Level (PLr) is deter-
machine safety of the safety control system is evalu- mined.
ated with ISO13849-1 aiming to reduce the risk. (In the The Required Performance Level (PLr) is evaluated
past, EN954-1 applied to mechanical parts and from Severity of Injury (S), Frequency and/or Exposure
IEC61508 applied to electronic parts.) to Hazard (F) and Possibility of Avoiding Hazard (P).
Selected Note) If injury is serious (S2), exposure to hazard is seldom (F1)
Determine Required Performance Level PLr
safety and it is possible to avoid the hazard (P1), then the PLr is
functions
“c”.
Note)
Design and technical achievement of safety function:
Identify safety-related parts that
perform safety function
ISO13849-1
Note)
Evaluate Performance Level PL, S : Severity of Injury
taking into consideration S1: Slight injury
Category MTTFd S2: Serious injury (after effects, death etc)
DCavg CCF
If applicable: F : Frequency and/or Exposure to Hazard
software of safety-related parts F1: Seldom or short duration
Note)
F2: Often or long duration
No
Verification of PL of safety function: Is PL ≥ PLr ? P : Possibility of Avoiding Hazard or Limiting Harm
P1: Possible under specific conditions
Yes
P2: Impossible
Validation No
Are all requirements satisfied?
(See ISO13849-2)

Yes
Were all safety functions analyzed? Possibility of
Frequency avoiding hazard PLr
Yes
of hazard
Note) Refer to ISO13849-1.
Severity P1
of injury a
The standard for how to evaluate and reduce the risk of F1
the safety control system in ISO13849-1 is Perfor- P2
mance Level (PL). S1
Performance Level is a common rating scale to quanti-
P1 b
tatively show the definition of probabilistic reliability F2
such as time elements at parts level. The level of risk P2
and corresponding safety control system are compara- P1 c
tively evaluated on a 5 stage scale from “a” to “e”. F1
In order to satisfy Performance Level (PL), it must be S2 P2
designed such that the total value of four parameters P1 d
(1) Category, (2) MTTFd, (3) DCavg and (4) CCF F2
exceeds the Required Performance Level (PLr). P2
e

Size of risk

10
 Determining Performance Level of actual control system (PL)
Next, the Performance Level (PL) of the actual safety control system is determined with four parameters.
The PL of the actual safety control system level is determined separately from the Required Performance Level PLr.
PL can be determined from a combination of the four parameters (q Category, w MTTFd, e DCavg and r CCF).
(1) Category : Structure of safety control system
(2) MTTFd (B10d) : Mean time to dangerous failure of components
(3) DCavg : Reliability of failure detection of the entire system
(4) CCF : Reliability of the entire system against foreseeable common cause failures

Parameters of PL Evaluation criteria

Structure of hardware Life of components Reliability of system Certainty of design

B
Category Architecture of safety control system
1
(configuration of I, L, O)
2
1 The category is composed of I (input equipment), 3
L (logical operation equipment) and O (output equipment). 4
5 levels

qIndividual parts wWhole system High

MTTFd 1. MTTF given by manufacturer (30 years or more, less than 100 years)
2. ∗ MTTF given in Annex C or 1 Medium
MTTFd=
2 B10d if B10 is given, use:
B10d B10d=2 x B10 Σ
n
1 (10 years or more, less than 30 years)
MTTFd= i=l MTTFdi
Low
0.1 x Nop
Nop∗ ∗ The designer of the machine needs to ascertain Nop (3 years or more, less than 10 years)
MTTFd=2 x MTTF
(how many times that part operates in one year). 3 levels

qIndividual parts wWhole system

High
DCavg ∗ Select DC from Table 1 of Annex E. n (99% or more)
Σ DCi
i=l MTTFdi
Medium
(90% or more, less than 99%)
DC DCavg= n
3
Easy to calculate if using products certified to
IEC/EN61508, IEC/EC62061, EN954-1 etc.
Σ
i=l
1
MTTFdi
Low
(60% or more, less than 90%)
MTTFd None
(less than 60%)
4 levels

CCF ∗ Score from checklist in Annex F is 65 or more. Yes (65 points or more)
4 No (less than 65 points)
For Category 2 and above, CCF is required to be 65 points or more.
2 levels
∗ Refer to the ISO13849-1 standard.

The reliability parameters MTTFd and DCavg are found from mathematical formulae. CCF is found from a checklist.
Using standard values, MTTFd is classified into 3 levels, DCavg into 4 levels, and CCF into 2 levels.
PL is evaluated from these four parameters to find the corresponding PL.
As a result, PL is determined by a combination of these four factors: q Category, w MTTFd, e DCavg and r CCF.

Simplified procedure for evaluating PL achieved by SRP/CS

Example: If CCF is 65 or more, Category 3,
Category B 1 2 2 3 3 4
MTTFd = Medium, and DCavg = Low,
MTTFd of then PL is evaluated as “c”.
each channel

Low a — a b b c —

Medium b — b c c d —

High — c c d d d e

DCavg None None Low Medium Low Medium High

CCF None 65 points or more
11
 ISO13849-1

2. Determining PL from four parameters

The Performance Level (PL) of the safety control system I is the detection equipment of starting event, pressure
is required to be equal to or exceeding the Required sensor, L is relay sequence circuit and PLC control
Performance Level (PLr). program, O is electromagnetic switch, output relay,
solenoid valve.
B 1 2 3 4

There are five categories, B to 4, as shown below. The

structure of I (input equipment), L (logical operation
PLr
≤ PL equipment) and O (output equipment) of the safety
control system is different. As the level increases, the
requirements of each safety-related part also increase.

Input signal Output signal

Required performance level (PLr) Actual safety control system
level (PL) I L O
If PL, the result of combining the four parameters q
Category, w MTTFd, e DCavg and r CCF, expressed as Configuration applicable to Category B and Category 1
a, b, c, d or e, exceeds PLr, then it satisfies ISO13849-1. I : Input equipment (e.g. sensor)
L : Logical operation equipment
O : Output equipment (e.g. contactor)
Four parameters for determining PL ∗ MTTFd of Category 1 is higher than Category B,
so probability of losing safety function is low, but
1. Category a fault may lead to loss of safety function.

This parameter concerns the construction of the

safety-related parts of the control system (hardware).
Input signal Output signal
The construction to ensure safety depends on the
purpose of the machine, degree of hazard, scale of I L O
machinery and operation frequency. The Category is a m
basic classification of this construction.
The basic structure of the Category is illustrated as I
TE OTE
(input equipment), L (logical operation equipment) and
Output signal
O (output equipment).
Configuration applicable to Category 2
The safety function in ISO13849-1 is considered to be m : Monitoring
TE : Testing equipment
one channel where as I (input equipment), L (logical OTE : Output of test result
operation equipment) and O (output equipment) are ∗ In Category 2, if a fault occurs, it may lead to loss
connected in series. of safety function in the interval between two
checks.
Safety control system (1 channel)

I L O
Machine
Starting Input equipment Logical operation Output equipment
Actuator m
event SRP/CSi equipment SRP/CSl SRP/CSo
I1 L1 O1
Input signal Output signal
Starting event: Manual operation of push-button, opening of door C

(Safety control system) m

I2 L2 O2
Input signal Output signal
I (input equipment): Detection equipment (sensor) of starting event
Configuration applicable to Category 3 and Category 4
L (logical operation equipment): Relay sequence circuit
m: Monitoring
PLC control program C : Cross monitoring
O (output equipment): Electromagnetic switch, output relay, solenoid valve ∗ In Category 3, safety function may be lost due to
accumulation of undetected faults.
∗ The redundancy of architecture shown in these
block diagrams can mean not just physical
meaning but also internal logic from which the
Machine actuator: Motor, fluid (hydraulic/ pneumatic) actuator single fault tolerance is confirmed.
∗ Does not apply to fluid actuators.
12
2. MTTFd 3. DCavg
MTTFd indicates the mean time until the safety function The average self-diagnosis rate, an index of the reliabil-
is lost in a safety control system. ity of the entire safety control system, is provided by
DCavg (average Diagnostic Coverage).
In order to evaluate PL, the equipment manufacturer
The reliability of the function of the entire system, includ-
needs reliability data (MTTF, B10) of individual parts
ing software as well as parts, is evaluated.
used in the safety control system.
This is because the loss of the safety function is
DC
caused by the failure of parts making up the system, so None DC < 60%
it is based on the mean time to failure of individual Low 60% < DC < 90%
parts. Medium 90% < DC < 99%
The criteria of MTTFd are as follows. High 99% ≤ DC
MTTFd
Low 3 years ≤ MTTFd < 10 years
Medium 10 years ≤ MTTFd < 30 years 4. CCF
High 30 years ≤ MTTFd < 100 years CCF (Common Cause Failure) is an index of reliability
in terms of design, so that the function of the whole
If one channel of I, L, O of the safety control system is safety control system will not be lost due to a common
made up of n parts, then MTTFd is as follows. In reliabil- cause. All parts of the safety-related parts of control
ity engineering, the probability of a system breaking system must be taken into consideration. Points are
down is shown by the sum of the failure rates of the lost if a strategy is only partially achieved. It will pass if
individual parts making up the channel. The same this score is 65 or more.
applies to dangerous failure. There is an inverse
relationship between the dangerous failure rate and
mean time to dangerous failure. Therefore the mean
time to dangerous failure (MTTFd) of the whole system
is found from the sum of the reciprocals of the mean time SMC’s response
to dangerous failure of individual parts (MTTFdi).
Regarding ISO13849-1, which is the safety standard for
I SRP/CS i im L SPP/CS l im O SRP/CS o equipment and machinery, SMC supports equipment
manufacturers and users in the following three ways.
qwe… …n
(1) Help with equipment selection
1 Explanation of the parts of the standard relating to
MTTFd= n SMC’s pneumatic equipment, and selection of
Σ MTTFdi
i=l
1
suitable equipment that can be used in the equipment
planned by equipment manufacturer and users.
MTTFd: Mean time to failure of individual parts (2) Providing B10(d)/MTTF data
We will provide MTTF/B10(d) data, which is one of
An additional note about the B10(d) data (MTTF only for the parameters needed when equipment manufactur-
electronic equipment that does not have wear-out failure) ers and users evaluate PL (Performance Level).
provided by SMC.
(3) Providing products for use in the safety
The reliability characteristics values (B10(d) or MTTF)
provided by SMC are values particular to the components
circuit
to be used. SMC will supply products validated according to ISO
The customer should separately convert these into the 13849-2.
parameters for assessing the safety category within the
equipment design specification.
Note that these values are obtained under our standard
(SMC internal test conditions), and are not guaranteed
under the operating conditions of the customer’s equip-
ment.

13
 ISO13849-1

Recommended valves and wiring examples

Recommended valves for each Category and usage examples are shown below for control circuits that supply and cut off air, for
equipment that uses air as an energy source. Note that these usage examples are for reference, and are one part of the safety
system, so for actual circuits, we recommend getting confirmation from a third party certification organization about the safety of
the system as a whole, as well as conforming to other related standards.

Category B, 1
Outline of requirements of Category
Principles used to MTTFd of DCavg CCF
Category Outline of requirements System behavior
achieve safety each channel (self diagnosis) (common cause failure)
B Use of basic safety principles Failure results in loss of Low to medium
Selection of
Requirements of B + well tried safety function None Not applicable
1 (components + safety principles) (probability is 1<B)
components High

Combination of requirements of Category

Category B 1 2 2 3 3 4 Can correspond with 11
MTTFd of validated products. +24 V +
each channel
Low a — a b b c — −
Electrical equipment: 12
— — Emergency stop
Medium b b c c d Commercially available push-button switch S1
High — c c d d d e electrical equipment (A)
2
DCavg None None Low Medium Low Medium High that can correspond
to Category 1.
Specified construction of requirements of Category
Input signal Output signal Configuration applicable to
Category B and Category 1 3 1
I L O (R) (P)
I : Input equipment (e.g. sensor)
L : Logical operation equipment Standard product valve
O: Output equipment (e.g. contactor) GND Example Wiring Diagram

Category 2
Outline of requirements of Category
Principles used to MTTFd of DCavg CCF
Category Outline of requirements System behavior
achieve safety each channel (self diagnosis) (common cause failure)

. Requirements of B + well tried safety principles Loss of safety function Low to

2 . Safety function is checked at appropriate intervals. between checks
From construction Low to high
medium
65 points or more

Combination of requirements of Category Example Wiring Diagram with Safety PLC (Category 2)
Category B 1 2 2 3 3 4
MTTFd of
Recommended valves Emergency stop Air supply
each channel
Single residual pressure push-button switch push-button switch
Low a — a b b c —
Medium b — b c c d — release valve with position S1 S2
High — c c d d d e detection sensor
DCavg None None Low Medium Low Medium High
(VP542--X536
VP742--X536 )
Specified construction of requirements of Category +24 V + FS-PLC
−

Input signal Output signal Configuration applicable

to Category 2
I L O
m : Monitoring
m TE : Testing equipment Electrical equipment: Single residual pressure
OTE: Output of test Commercially available release valve with position
result
2(A) 1(P)
detection sensor
TE OTE electrical equipment 3(R)

Output signal
that can correspond (1)
(3)
(2)
(4)

to Category 2.

14
 Category 3, 4
Outline of requirements of Category
Principles used to MTTFd of DCavg CCF
Category Outline of requirements System behavior
achieve safety each channel (self diagnosis) (common cause failure)
. Requirements of B + well tried . Safety function implemented
safety principles when fault generated
. Safety function is not lost with a . All faults are not detected. Low
3 Low to high
. Safety function may be lost by to medium
single fault.
. Single fault can be detected. accumulation of undetected faults.
. Requirements of B + well tried
safety principles . Safety function implemented From construction 65 points or more
. Safety function is not lost with a when fault generated
single fault, . Detection of accumulated
4 and faults increases probability of High High
. Single fault is detected before the next
safety function (high DC).
demand on the safety function. If this is . Faults detected while it is safe
not possible, an accumulation of faults
must not lead to loss of the safety function.

Combination of requirements of Category Specified construction of requirements of Category Configuration applicable

Category B 1 2 2 3 3 4 m to Category 3 and Category 4
MTTFd of I1 L1 O1 m: Monitoring
each channel
a — a b b c — Input signal Output signal C : Cross monitoring
Low
Medium b — b c c d — C ∗ The redundancy of architecture
— c c d d d e m shown in these block diagrams
High
can mean not just physical
DCavg None None Low Medium Low Medium High I2 L2 O2 meaning but also internal logic
Input signal Output signal from which the single fault
tolerance is confirmed.

Recommended valves Example Wiring Diagram with Safety PLC (Category 3, 4)

Dual residual pressure release valve with position detection sensor Emergency stop Air supply
push-button switch push-button switch

S1 S2

+24 V + FS-PLC
VP544--X538 −

Dual residual pressure

release valve with position
detection sensor 2(A) 1(P)
3(R) 3(R)

(1) (2) (1) (2)

(3) (4) (3) (4)
VP744--X538

VG342--X87
15
 ISO13849-1

Pneumatic equipment products

The products below are available to support the safety of the equipment itself. However (other than VG342--X87, VP542--X536,
VP544--X538, VP742--X536 or VP744--X538) these products are not certified to safety standard ISO13849-1; they are opera-
tional parts that can be used in the control system of the machine. We recommend getting confirmation from a third party certifica-
tion organization about the safety of the actual control system as a whole.

1. Directional control equipment

Dual residual pressure release valve with position detection sensor
. Position detection possible
. Position detection possible with redundancy

Category Model Feature / Specification

Residual pressure release valve

Category 2 VP542--X536 . Valve position can be detected.
VP742--X536

Dual residual pressure release valve

VP544--X538
VP744--X538 . Valve position can be detected.
. Valve has 2 stations, so if one of
Dual residual pressure release valve
Category 3, 4 them fails to operate, residual
with soft start-up function pressure is released by the remain-
VP544--X555 ing valve.

Dual residual pressure release valve

VG342--X87

Please refer to P. G. Information for details.

Specification with residual pressure release valve

. Can hold intermediate stop position
Applicable models
for a long time.
. Air supply can be stopped for each Name Series
5 port solenoid valve SY3000/5000
valve.

Back pressure prevention valve specification

. Prevents malfunction of actuator due to back pressure.
Applicable models
Series
Name
Body ported type
4 port solenoid valve SJ
5 port solenoid valve SY3000/5000
5 port solenoid valve S0700
5 port solenoid valve VQ
5 port solenoid valve VQC
5 port solenoid valve VQZ
5 port solenoid valve SQ
5 port solenoid valve VQ7

Specification with switch

. Signal of each valve cut off
Applicable models
individually.
Name Series
5 port solenoid valve SY3000/5000

16
Specification with interlock
. Individual common wiring possible
Applicable models
Name Series
5 port solenoid valve SV
5 port solenoid valve VQC

Separate power supply specification

. Signal of each valve individually cut off for each power supply.
Applicable models
Series Applicable valves
SY3000/5000
EX250
VQC1000/2000/4000, S0700

With disconnection short-circuit detection function

Applicable models
Series Applicable valves
SY3000/5000
EX600
VQC1000/2000/4000, S0700

Two-handed operation specification

. Safety measures equipment of
Applicable models
circuit
. Safety measures by signal output Name Series
Two hand control valve VR51
when operated with two hands
simultaneously

Residual pressure relief specification

. Accident prevention
Handle: Black (Semi-standard) Applicable models
by release of residual
Name Series
pressure in pneumatic
Residual pressure relief 3 port valve
line VHS
(Conforming to OSHA standard/Pressure relief 3 port valve with locking holes)

Body: Red (-X1)

2. Actuators
End lock specification
. Certain fall prevention function
. Workpiece held at stroke end when Basic type air cylinders
Shape Model Bore size
air is cut off
CBJ2 ø16
CBM2 ø20 to ø40
Round CBG1 ø20 to ø100
CBA2 ø40 to ø100
MBB ø32 to ø100
Square CBQ2 ø20 to ø100

17
 ISO13849-1

Pneumatic equipment products

The products below are available to support the safety of the equipment itself. So they are not certified to safety standard ISO13849-1;
they are component operational parts that can be used in the control system of the machine. We recommend getting confirmation from
a third party certification organization about the safety of the actual control system as a whole.

End lock specification

. Certain fall prevention function
. Workpiece held at stroke end when air is cut off Guide cylinders
Type Model Bore size
MGG ø20 to ø100
MGP ø20 to ø100
CXS ø6 to ø32
Shaft guide
CXW ø10 to ø32
MGZ ø40 to ø63
MTS ø12 to ø40
MXS ø8 to ø25
Linear guide
MXQ ø8 to ø25

Mechanically jointed rodless cylinder

Type Model Bore size
Linear guide MY1H ø16 to ø40

With lock specification

. Fall prevention function by emergency stop (not safety
Basic air cylinders
products) Type Model Bore size
. Locking is possible to CLJ2 ø16
suit the workpieces. CLM2 ø20 to ø40
CNG ø20 to ø40
CNA2 ø40 to ø100
Round MNB ø32 to ø100
CNS ø125 to ø160
CLS ø125 to ø250
CL1 ø40 to ø160
C95N ø32 to ø100
CLQ ø20 to ø100
Square
RLQ ø32 to ø63
Rectangular MLU ø25 to ø50

Guide cylinders
Type Model Bore size
MLGP ø20 to ø63
Shaft guide MLGC ø20 to ø40
CLK1 ø32 to ø63

Mechanically jointed hy-rodless cylinder with brake

Type Model Bore size
Cam follower guide ML1C ø25 to ø40
3. Flow control equipment
Residual pressure release specification
. Residual pressure can be instantly released
Applicable models
by pressing a button on the product. Name Series
Speed controller with residual pressure release
valve with One-touch fitting
AS1FE
Residual pressure release valve with One-touch fitting KE
Mis-operation prevention
specification
. Prevents unintended Special tools Applicable models
manual operation. Name Series
Speed controller adjustable by flat head screwdriver AS1F-D
Tamper proof speed controller AS1F-T

18
 ISO13849-1

Intermediate stop/drop prevention specification

. Allows temporary stop and speed control of cylinder.
Applicable models
Name Series
Speed controller with pilot check valve ASP
Check valve AK

Quick extension prevention specification

. Possible to cut off supply
Applicable models
for rapid exhaust.
Name Series
(Soft start-up valve)
. Flow control is possible in two Soft start-up valve AV
directions.
Dual speed controller ASD
(Dual speed controller)

4. Detection switches
Mis-operation prevention specification
. Unintentional changes prevented by password input
Sensor/amp integrated type
Name Series
2-color display high precision ZSE30A(F)/ISE30A
digital pressure switch ZSE40A(F)/ISE40A
Compact digital pressure switch ZSE10(F)/ISE10

Sensor/amp separate type

Name Series
Compact pneumatic pressure sensor
PSE53
PSE54
Low differential pressure sensor PSE55
Pressure sensor for general fluids PSE56
Multi-channel digital pressure sensor controller PSE200
2-color display digital pressure sensor controller PSE300

Residual pressure check specification

. Allows visual confirmation
Applicable models
of residual pressure in
Name Series
cylinder, production line.
Residual pressure indicator for air CB-97XH

Revision history
Edition B ∗ Changed from B10 to B10(d).
∗ Example wiring diagram with safety PLC corrected.
∗ Recommended pneumatic equipment products revised.
∗ Number of pages decreased from 24 to 20. UT