Category (ISO 13849-1)

A category is a machinery safety term, defined in ISO 13849-1, that describes how the safety-related part of a machine’s control system is built and how it behaves when a fault occurs. The same concept goes by several different names and can be confusing:

• Designated architecture (the formal term used in ISO 13849-1)
• Architectural category
• Safety category
• Control system category, or control category
• EN 954-1 category (the older, now-superseded name)

Whatever you call it, there are five categories:

• Category B: basic single-channel design; a single fault can defeat the safety function. Ceiling: PLb.
• Category 1: like B but built from well-tried components and principles for better reliability; still single channel. Ceiling: PLc.
• Category 2: single channel with periodic self-checks that test the safety function. Ceiling: PLd.
• Category 3: redundant dual-channel design where a single fault does not cause loss of the safety function. Ceiling: PLe.
• Category 4: redundant dual-channel design that tolerates a single fault and detects it before the next demand. Ceiling: PLe.

Category is one of the inputs that sets the achievable performance level (PL), alongside the mean time to dangerous failure (MTTFd), diagnostic coverage (DC), and common cause failure (CCF) measures. DC climbs with the category, from none at B and 1 to high at 4, while CCF measures become mandatory once the design goes multi-channel at Category 2 and above. Because category drives PL, it also sets the SIL you can claim: a Category 4 design reaching PLe corresponds to SIL 3.

Key Points

• A category (formally a designated architecture) describes the structure and fault behavior of a machine’s safety-related control system, in five categories: B, 1, 2, 3, and 4.
• Categories B and 1 are single channel with no fault tolerance, Category 2 adds periodic diagnostics, and Categories 3 and 4 are redundant and tolerate a single fault.
• Category is a key input to the performance level, with rough ceilings of PLb (B), PLc (1), PLd (2), and PLe (3 and 4).
• DC and CCF requirements rise with the category, and CCF measures apply once the design is multi-channel.

Example

An emergency-stop circuit is built with two redundant contactors, each monitored so that a welded contact is detected before the next demand. Because a single fault neither defeats the stop function nor goes unnoticed, the design meets Category 4. Paired with high diagnostic coverage and a good MTTFd, that architecture supports a performance level of PLe.

See Also: performance level, machinery safety, MTTF, common cause failure

Cited Sources

• ISO 13849-1:2023, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
• EU Machinery Regulation (EU) 2023/1230 — EUR-Lex official text