SPRAD98, May 2023. TMS320F280033, TMS320F280034, TMS320F280034-Q1, TMS320F280036-Q1, TMS320F280036C-Q1, TMS320F280037, TMS320F280037-Q1, TMS320F280037C, TMS320F280037C-Q1, TMS320F280038-Q1, TMS320F280038C-Q1, TMS320F280039, TMS320F280039-Q1, TMS320F280039C, TMS320F280039C-Q1
The ISO 13849-1 standard defines the relationship between the required diagnostic coverage and the architectural category, which correlates with the amount of redundancy in the system. As previously stated, ISO 3691-4 requires a minimum safety level of PLd, which can be achieved with either a Category 2, HFT = 0 or a Category 3, HFT = 1 architecture as defined in ISO 13849-1. This choice determines how much redundancy and diagnostic coverage the system needs, as shown in Figure 2-2.
As shown in Table 2.1, Cat 2, HFT = 0 implementations require less redundancy in exchange for higher diagnostic coverage (DCavg of at least 90%). To meet the required DCavg, the diagnostic functions must execute within a defined test interval, so that a fault is detected and the safe state is reached in time. By contrast, Category 3 architectures require dual-channel designs in exchange for lower diagnostic coverage and more relaxed timing constraints.
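One way a Cat 2 design can enforce the diagnostic test interval in firmware, as an added example that is not from this application note and does not use TI's C2000 SDK or safety diagnostic library: each diagnostic reports its completion and result against a 1 ms tick, and a supervisor forces the safe state if any diagnostic reports a failure or fails to complete within its interval. The diagnostic names, intervals and the tick-based scenarios are constructed for illustration; the supervisor itself is portable C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical descriptor for one diagnostic test. Times are in 1 ms ticks. */
typedef struct {
    const char *name;
    uint32_t interval_ms;   /* max allowed time between two completions (test interval) */
    uint32_t last_done_ms;  /* tick of the last reported completion */
    bool     passed;        /* result of that last completion */
} diag_t;

typedef enum { SYS_RUN = 0, SYS_SAFE_STATE = 1 } sys_state_t;

/* Each diagnostic calls this when it finishes, with its pass/fail result. */
void diag_report(diag_t *d, uint32_t now_ms, bool ok) {
    d->last_done_ms = now_ms;
    d->passed = ok;
}

/* Supervisor, to be run every tick: a failed result or a missed interval
 * demands the safe state. Unsigned subtraction keeps the elapsed-time check
 * correct when the tick counter wraps around. */
sys_state_t diag_supervise(const diag_t *diags, size_t n, uint32_t now_ms) {
    for (size_t i = 0; i < n; i++) {
        if (!diags[i].passed)
            return SYS_SAFE_STATE;
        if ((uint32_t)(now_ms - diags[i].last_done_ms) > diags[i].interval_ms)
            return SYS_SAFE_STATE;
    }
    return SYS_RUN;
}

/* Convenience wrapper for checking one diagnostic at a given tick. */
sys_state_t check_single(uint32_t interval_ms, uint32_t last_done_ms, uint32_t now_ms) {
    diag_t d = { "single", interval_ms, last_done_ms, true };
    return diag_supervise(&d, 1, now_ms);
}

/* Constructed scenario: three diagnostics run on schedule, but the RAM test
 * stops reporting after t = 40 ms. Returns the tick at which the supervisor
 * demands the safe state, or 0 if it never does within run_ms. */
uint32_t scenario_missed_diag(uint32_t run_ms) {
    diag_t diags[] = {
        { "cpu_selftest",  10, 0, true },
        { "ram_march",     20, 0, true },
        { "clock_monitor",  5, 0, true },
    };
    for (uint32_t t = 1; t <= run_ms; t++) {
        if (t % 10 == 0)            diag_report(&diags[0], t, true);
        if (t % 20 == 0 && t <= 40) diag_report(&diags[1], t, true); /* silent after 40 ms */
        if (t % 5 == 0)             diag_report(&diags[2], t, true);
        if (diag_supervise(diags, 3, t) == SYS_SAFE_STATE)
            return t;
    }
    return 0;
}

/* Constructed scenario: all diagnostics run on schedule, but the RAM test
 * reports a failure at t = 20 ms. Same return convention as above. */
uint32_t scenario_failed_diag(uint32_t run_ms) {
    diag_t diags[] = {
        { "cpu_selftest",  10, 0, true },
        { "ram_march",     20, 0, true },
        { "clock_monitor",  5, 0, true },
    };
    for (uint32_t t = 1; t <= run_ms; t++) {
        if (t % 10 == 0) diag_report(&diags[0], t, true);
        if (t % 20 == 0) diag_report(&diags[1], t, t != 20); /* fails exactly once */
        if (t % 5 == 0)  diag_report(&diags[2], t, true);
        if (diag_supervise(diags, 3, t) == SYS_SAFE_STATE)
            return t;
    }
    return 0;
}

int main(void) {
    printf("missed interval -> safe state at t = %u ms\n", scenario_missed_diag(200));
    printf("failed result   -> safe state at t = %u ms\n", scenario_failed_diag(200));
    return 0;
}
```

In the missed-interval scenario the RAM test last completes at 40 ms, so its 20 ms interval is exceeded at 61 ms and the supervisor demands the safe state then; a design sets each interval from the required fault-reaction time of the safety function, not from how often the test happens to run. The wraparound-safe comparison matters on a free-running 32-bit tick counter, where a signed comparison would miss a timeout across the rollover.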
For AMRs, one of the key constraining factors is the overall size and weight of the system, so the more compact Cat 2 architecture is well suited to these applications. However, where a Cat 3 implementation is preferred, the Industrial Functional Safety for C2000™ Real-Time Microcontrollers product overview from TI provides guidance on how to implement such systems.