EN 13849-1, SIL-2, PL-D, MTTFd etc... and what does it mean for Crane Safety Systems?
EN 13849-1 replaces EN 954-1
EN 13849-1 was put into place in 2006 in order to replace EN 954-1. The main reason was to take into account the failure behaviour over time of the design and its components (failure rates), and not only its architecture, as EN 954-1 did.
However, the machine standards, e.g. EN 15011 for bridge and gantry cranes, still kept EN 954-1 as the relevant standard for the safety of the electrical equipment of the crane. This led to several extensions of the validity period of EN 954-1; the last was decided on 29.12.2009 with an end date of 31.12.2011. Since 31.12.2011, EN 954-1 has been fully replaced by EN 13849-1.
This means that since 2012, cranes that are newly produced or "significantly refurbished" have to use a safety system that complies with the respective PL level of EN 13849-1.
If the safety system of an older crane is replaced by a new one, this is regarded as a significant change. Only if the safety system is repaired or replaced by the same model can it remain compliant with the older standard.
Determination of required Performance Level (PL)
The required PL is related to the danger of operating the machine. A low level of injury, seldom exposure to the hazard and a good chance to escape require a low PL. On the other hand, a high level of injury (death), constant exposure and no chance to escape require the highest PL.
Cranes require PL-C for the complete chain from sensors to actuators, given by a serious level of injury, but not frequent exposure and a fair chance to escape.
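The text above describes the risk graph of EN ISO 13849-1 (Annex A), which maps severity of injury (S), frequency/duration of exposure (F) and possibility of avoidance (P) to a required performance level PLr. The following is an added example, not part of the article, that encodes that risk graph and reproduces the crane case stated above (serious injury, not frequently exposed, fair chance to escape); the function names are my own.

```python
# Added example: EN ISO 13849-1 Annex A risk graph as a lookup.
# S1 = slight (normally reversible) injury, S2 = serious (irreversible) injury or death
# F1 = seldom to less often and/or short exposure, F2 = frequent to continuous and/or long exposure
# P1 = avoidance possible under specific conditions, P2 = avoidance scarcely possible
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Return the required performance level (PLr) 'a'..'e' for the given S/F/P."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"invalid risk-graph parameters {key}")
    return RISK_GRAPH[key]


def crane_required_pl() -> str:
    """Crane case as described in the article: S2 (serious injury), F1 (not
    frequently exposed), P1 (fair chance to escape)."""
    return required_pl("S2", "F1", "P1")


if __name__ == "__main__":
    # Print the whole risk graph, then the crane case.
    for s in ("S1", "S2"):
        for f in ("F1", "F2"):
            for p in ("P1", "P2"):
                print(f"{s} {f} {p} -> PL {required_pl(s, f, p)}")
    print("crane safety system -> PL", crane_required_pl())
```

The two extremes named in the text (slight injury, seldom exposed, good chance to escape versus death, constantly exposed, no escape) come out as PL-a and PL-e respectively.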
The relation between Category, MTTFd, DC and Performance Level PL
Explanations:
DC = Diagnostic Coverage in percent
MTTF or MTTFd = Mean Time to (dangerous) Failure in years
CAT.i = Safety Category of the system structure (link to EN 954-1)
Categories:
CAT.B = single-channel design according to fundamental safety principles, no feedback, no sufficient diagnostics
CAT.1 = as CAT.B but with reliable (well-tried) components (complex electronics is NOT regarded as reliable)
CAT.2 = single-channel design but with feedback and monitoring of each block and a separate cut-out
CAT.3 = redundant design, tolerant of a single fault
CAT.4 = redundant design, an accumulation of several faults will not lead to loss of the safety function
The diagram shows that a given PL can be reached by different designs. As an example, PL-C can be reached with a single-channel design if the MTTFd is very high. If the MTTFd is low, then PL-C requires a redundant design with a medium level of Diagnostic Coverage.
From the PL of the component to the PL of the complete system: practical aspects for Crane Safety Systems
Normally, the safety system is a chain from sensor to actuator (relay / valve). If the PL of the whole system is to be C, at least one of the components must have a PL one level higher, i.e. PL-D. In most cases this is the central control. Here it is possible to use a CAT.2 design, or a redundant design according to CAT.3. In both cases, the supplier of the system has to certify conformity with the standard.
If the sensor has no diagnostics of its own (as is the case for most sensors on the market) and no PL-C certification, it must also be installed redundantly.
The actuator that cuts out crane functions must provide a read-back signal so that the control can verify that the cut-out has actually taken place.
Relation between PL of EN 13849-1 and SIL (Safety Integrity Level) of IEC 61508 / IEC 62061
In general, both safety regulations are going in the same direction. IEC 61508 and IEC 62061 are used for electrical/electronic systems only, whereas EN 13849-1 can also be applied to mechanical, pneumatic and hydraulic systems.
The highest SIL 4 is not covered by a PL. The conversion between Failure probability, PL and SIL is given in the table below.
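The following is an added example, not part of the article, that puts the two relations discussed on this page into code: the simplified procedure of EN ISO 13849-1 (Table 7) that maps Category, average Diagnostic Coverage and MTTFd to a PL, as explained under "The relation between Category, MTTFd, DC and Performance Level PL", and the mapping from PL to the PFHd (probability of a dangerous failure per hour) band and to the SIL of IEC 61508 / IEC 62061 described here. The band limits are the 2008 edition values; function names and the sample crane components are my own assumptions.

```python
# Added example: EN ISO 13849-1 simplified PL determination and PL/SIL relation.

def mttfd_band(mttfd_years: float) -> str:
    """Classify MTTFd per channel: low 3..<10 y, medium 10..<30 y, high 30..100 y.
    Values below 3 years are not permitted by the standard; values above 100 years
    are capped at 100 in the 2008 edition, so they still count as 'high'."""
    if mttfd_years < 3:
        raise ValueError("MTTFd below 3 years is not permitted")
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def dc_band(dc_percent: float) -> str:
    """Classify average diagnostic coverage: none <60 %, low 60..<90 %,
    medium 90..<99 %, high >=99 %."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


# Table 7: (category, DCavg band) -> {MTTFd band: achievable PL}.
# Missing entries are combinations the simplified procedure does not cover.
TABLE_7 = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"high": "e"},
}


def performance_level(category, dc_percent: float, mttfd_years: float):
    """Achievable PL for a subsystem, or None if the combination is not covered
    (e.g. CAT.3 without diagnostics, or CAT.1 with a low MTTFd)."""
    key = (str(category).upper(), dc_band(dc_percent))
    if key not in TABLE_7:
        return None
    return TABLE_7[key].get(mttfd_band(mttfd_years))


# PL -> [lower, upper) band of PFHd (dangerous failures per hour), EN ISO 13849-1 Table 3.
PFHD_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

# PL -> SIL (IEC 61508 / IEC 62061), EN ISO 13849-1 Table 4. PL a has no SIL
# equivalent, and SIL 4 has no PL equivalent.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def pl_from_pfhd(pfhd: float):
    """PL whose PFHd band contains the given value, or None if out of range."""
    for pl, (low, high) in PFHD_BANDS.items():
        if low <= pfhd < high:
            return pl
    return None


def sil_for_pl(pl: str):
    return PL_TO_SIL[pl]


def meets(achieved_pl: str, required_pl: str) -> bool:
    """True if the achieved PL is at least the required one (a < b < c < d < e)."""
    return "abcde".index(achieved_pl) >= "abcde".index(required_pl)


if __name__ == "__main__":
    # Constructed crane components (assumed values, not from the article).
    components = {
        "single-channel sensor, no diagnostics, MTTFd 50 y": ("B", 0, 50),
        "redundant sensor, medium DC, MTTFd 5 y": (3, 95, 5),
        "central control CAT.2, medium DC, MTTFd 40 y": (2, 95, 40),
        "central control CAT.3, medium DC, MTTFd 20 y": (3, 95, 20),
    }
    for name, (cat, dc, mttfd) in components.items():
        pl = performance_level(cat, dc, mttfd)
        sil = sil_for_pl(pl) if pl else None
        print(f"{name}: PL {pl}, SIL {sil}, meets PL-C: {pl is not None and meets(pl, 'c')}")
```

The first two constructed components reproduce the article's two routes to PL-C (single channel with a very high MTTFd, or a redundant CAT.3 design with medium DC when the MTTFd is low); the two central-control variants reproduce the PL-D options for the central control named under the practical aspects.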