ISO 13849
from Wikipedia

ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions (called safety-related parts of a control system).[1] The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.

The standard has two parts:

  • ISO 13849-1, Part 1: General principles for design, provides safety requirements and guidance on the principles of design and integration of safety-related parts of control systems (hardware or software).
  • ISO 13849-2, Part 2: Validation, specifies the procedures to be followed for validating by analysis or tests, the safety functions of the system, the category achieved and the performance level achieved.[2]

ISO 13849 is designed for use in machinery with high to continuous demand rates. According to IEC 61508, a HIGH demand rate is once or more per year of operation, and a CONTINUOUS demand rate is much, much more frequent than HIGH. For systems with a LOW demand rate, i.e., less than once-per-year, see IEC 61508, or the appropriate sector-specific standard such as IEC 61511.

The standard is developed and maintained by ISO/TC 199, Safety of machinery, Working Group 8 — Safe Control Systems.[3] The scope of ISO 13849 includes control systems using mechanical, electrical, electronic, and fluidic (hydraulic and pneumatic) technologies.

According to an informal stakeholder survey done in 2013, more than 89% of machine builders and more than 90% of component manufacturers and service providers use ISO 13849 as the primary functional safety standard for their products.[4]

History

EN 954-1

ISO 13849-1 has its origins in the mid 1990s when the European Committee for Standardization (CEN) published EN 954-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design[5] in 1996. In 1999, EN 954-1 was transferred to ISO for ongoing development under the Vienna Agreement.

EN 954-1 introduced the original five structural Categories: B and 1 to 4.

prEN 954-2

prEN 954-2:1999, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, is the precursor document that eventually became ISO 13849-2 in 2003. This document was never published as a finished standard. The "pr" in "prEN" indicates that the document was a European pre-standard.

ISO 13849-1, 1st Edition

In 1999, ISO published the first edition of ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. The first edition was technically identical to EN 954-1. Within a year after publication, ISO/TC 199 launched a New Work Item Proposal for the revision of the standard. The goal was to add probabilistic requirements to the existing standard.

ISO 13849-2, 1st Edition

In 2003, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation, was published. This standard included all of the details related to validating the functional safety of a design. In addition, Annexes A-D included key information on basic and well-tried safety principles, well-tried components, and common faults for mechanical, hydraulic, pneumatic, and electrical components.

ISO 13849-1, 2nd Edition

The second edition of ISO 13849-1 was published in 2006. That edition introduced MTTFd, DCavg, and CCF for the first time. The revisions incorporated the recommendations developed through the EU STSARCES project.[6][7]

ISO 13849-2, 2nd Edition

In 2012, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation was published. This edition was reaffirmed in 2017 and remains current.

ISO 13849-1, 3rd Edition

The third edition of ISO 13849-1 was published in 2015. The revision included additional technical explanations and clarification of the analytical methods. This edition was reaffirmed in 2020, while a new revision was started.

ISO 13849-1, 4th Edition

The fourth edition of ISO 13849-1 was published in 2023. The revision focuses on integrating the content of ISO 13849-2; some specific annexes of ISO 13849-2 are still used.

Risk Assessment

Risk assessment techniques

Following ISO 13849-1, the design of the safety system is based on a risk assessment performed by the manufacturer of the machine.[8] The risk assessment identifies the safety functions required to mitigate risk and the performance level these functions need to meet to adequately mitigate the identified risks, either completely, or in combination with other safeguards, e.g., fixed or movable guards or other measures.

The Annex A decision tree, Figure A.1, is provided as an example of how the PLr can be determined. The Annex A method is not a risk assessment tool since the output from the tool is in terms of Performance Level, not risk. Figure A.1 cannot be used for risk assessment. Examples of a risk matrix and a risk decision tree are given in ISO/TR 14121-2.[9] Risk assessment is typically done in at least two cycles, the first to determine the intrinsic risk, and the second to determine the risk reduction achieved by the control measures implemented in the design.

Assignment of safety functions

A safety function is a control system function whose failure will result in an immediate increase in risk.[8] ISO 13849-1 includes descriptions of a number of common safety functions, including:

  • safety-related stop
  • start/restart
  • manual reset
  • local control
  • muting
  • response time
  • safety-related parameter(s)
  • fluctuation, loss and restoration of power sources

Each safety function identified in the risk assessment is assigned a required Performance Level (PLr) based on the intrinsic risk determined through the risk assessment. The intrinsic risk is the risk posed by the machine if no risk control measures were present, or if the risk control measures fail or are defeated by the user.

Performance levels

A Performance Level is a band of failure rates, represented as a, b, c, d, e. These failure rates are quantified as the Probability of Dangerous Failure per hour, PFHd. The numeric values for PFHd are given in Annex K. The PL range for each band has a 5% tolerance. The PFHd values covered by ISO 13849-1 range from the highest failure rate, in PL a at < 1 × 10⁻⁴, to the lowest failure rate, in PL e at ≥ 1 × 10⁻⁸.

The Performance Level of a safety function is determined by the architectural characteristics of the controller (classified according to designated architectural categories, Category B, 1, 2, 3, 4), the MTTFD of the components in the functional channel(s) of the system, the average diagnostic coverage (DCavg) implemented in the system, and the application of measures against Common Cause Failures (CCF). Category B, 1 and 2 architectures are single channel, and therefore offer no fault tolerance.

Designated architectures

The designated architectures include three single-channel and two redundant structures. The structures are the basis for the calculations used to determine the PFHd values given in Annex K.

Block diagrams

Each designated architecture has an associated block diagram. When analyzing SRP/CS designs, a block diagram should be developed to assist the analyst in calculating the MTTFD of the functional channel(s).
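The block-diagram step above ends in numbers: a channel MTTFd, a DCavg, and the bands they fall into. The following script, an added example that is not code from the page, from Wikipedia, from Grokipedia or from ISO, runs that parts-count pass over two constructed channels of a two-channel design. The component names and values are invented sample data; the formulas are the ones I recall from ISO 13849-1 Annex D (channel MTTFd and the two-channel symmetrisation) and Annex E (DCavg), and the band limits are the ones the page states (MTTFd Low 3 to 10, Medium 10 to 30, High 30 to 100 years; DC High at 99 % and above). Confirm both against the standard's own text before using them for a real assessment.

```python
"""Parts-count analysis of the functional channels of an SRP/CS.

Added example, not code from the page or from ISO. Component names and values
are constructed sample data; the formulas are the ones recalled from
ISO 13849-1 Annex D (channel MTTFd, symmetrisation) and Annex E (DCavg).
"""
from typing import Dict, List, Optional, Tuple

Component = Tuple[str, float, float]  # (name, MTTFd in years, DC as a fraction 0..1)

# MTTFd bands in years as the page states them: Low 3-10, Medium 10-30, High 30-100.
MTTFD_BANDS = (("Low", 3.0, 10.0), ("Medium", 10.0, 30.0), ("High", 30.0, 100.0))

# Constructed sample channels of a two-channel (Category 3 style) design.
CHANNEL_1: List[Component] = [
    ("guard interlock switch A", 100.0, 0.99),
    ("safety relay logic", 50.0, 0.90),
    ("contactor K1", 25.0, 0.60),
]
CHANNEL_2: List[Component] = [
    ("guard interlock switch B", 120.0, 0.99),
    ("contactor K2", 60.0, 0.90),
]


def channel_mttfd(components: List[Component]) -> float:
    """Parts-count formula: 1 / MTTFd_channel = sum over parts of 1 / MTTFd_i.
    Adding any part can only lower the channel value."""
    if not components:
        raise ValueError("a channel needs at least one component")
    if any(mttfd <= 0 for _, mttfd, _ in components):
        raise ValueError("MTTFd values must be positive")
    return 1.0 / sum(1.0 / mttfd for _, mttfd, _ in components)


def dc_avg(components: List[Component]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): each part's coverage is
    weighted by its dangerous failure rate, so a poorly covered, failure-prone
    part drags the average down more than a well-covered reliable one."""
    weights = [1.0 / mttfd for _, mttfd, _ in components]
    return sum(dc * w for (_, _, dc), w in zip(components, weights)) / sum(weights)


def symmetrise(c1: float, c2: float) -> float:
    """Reduce two redundant channels with different MTTFd to one equivalent
    value: MTTFd = 2/3 * (C1 + C2 - 1 / (1/C1 + 1/C2))."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(years: float, cap_years: float = 100.0) -> Optional[str]:
    """Classify a channel MTTFd. Credit above the cap is not claimable, so the
    value is clamped first; anything below 3 years falls into no band."""
    years = min(years, cap_years)
    for name, lo, hi in MTTFD_BANDS:
        if lo <= years < hi:
            return name
    return "High" if years >= MTTFD_BANDS[-1][1] else None


def dc_band(dc: float) -> str:
    """DC bands as the page gives them: below 60 % counts as none, 99 % and above as High."""
    if dc >= 0.99:
        return "High"
    if dc >= 0.90:
        return "Medium"
    if dc >= 0.60:
        return "Low"
    return "None"


def analyse(channel_1: List[Component], channel_2: List[Component]) -> Dict[str, object]:
    """Full parts-count pass over a two-channel structure."""
    c1, c2 = channel_mttfd(channel_1), channel_mttfd(channel_2)
    combined = symmetrise(c1, c2)
    coverage = dc_avg(channel_1 + channel_2)
    return {
        "mttfd_channel_1": c1,
        "mttfd_channel_2": c2,
        "mttfd_symmetrised": combined,
        "mttfd_band": mttfd_band(combined),
        "dc_avg": coverage,
        "dc_band": dc_band(coverage),
    }


if __name__ == "__main__":
    for key, value in analyse(CHANNEL_1, CHANNEL_2).items():
        print(f"{key:>20}: {value}")
```

The instructive part of the sample data is the contactor K1: at 25 years and 60 % coverage it pulls both the channel MTTFd (to about 14 years, Medium) and the DCavg (to about 79 %, Low) down, which is exactly what the weighting in the two formulas is meant to expose before a category and PL are claimed.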

Category B

Category B represents the basic category. This category is single-channel, and can include components with MTTFD = Low or Medium. Components must be suitable for use in the application, and specified appropriately for the conditions of use, i.e., voltage, current, frequency, switching frequency, ambient temperature, pollution class, shock, vibration, etc. Since Category B is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = b.

Category 1

Category 1 achieves increased reliability as compared to Category B through the use of MTTFD = High components. These components are deemed "well-tried components" and are listed in ISO 13849-2, Annexes A through D. Additionally, components that have been tested by the manufacturer and approved according to the relevant component safety standard, e.g., IEC 60947-5-5, are also considered well-tried. Since Category 1 is single channel, DCavg = NONE. CCF is not relevant in this category.

The maximum PL = c.

Category 2

Category 2 is a single-channel architecture that achieves increased reliability by building on Category B, using components with MTTFD = Low to High, and adding diagnostic capability through the use of test equipment. The DCavg for Category 2 can be Low to Medium, i.e., 60% ≤ DC < 99%. The diagnostic frequency depends on the demand rate on the safety function, and on the PLr that must be achieved. A minimum CCF score of 65 is required, see Annex F.

The maximum PL = d.

Category 3

Category 3 is the first architecture with a redundant structure. Building on Category B, and using components with MTTFD = Low to High, this architecture introduces cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 3 requires DCavg Low to Medium, i.e., 60% ≤ DC < 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 3, no single component failure is permitted to cause the loss of the safety function.

The maximum PL = e.

Category 4

Category 4 is also a redundant architecture that builds upon Category B. Using components limited to MTTFD = High, this architecture includes cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 4 requires DCavg HIGH, i.e., ≥ 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 4, no single component failure is permitted to cause the loss of the safety function.

The PL = e.

The primary differences between Category 3 and 4 are that Category 4 requires:

  • MTTFD = High components in the functional channels
  • DCavg ≥ 99%
  • Accumulation of faults between diagnostic cycles cannot cause the loss of the safety function
  • All of the faults that occur between diagnostic cycles must be detected when the diagnostics run

Validation

Safety-related parts of control systems (SRP/CS) require validation. ISO 13849-2 includes all of the details required for the validation using analytical techniques (including FMEA, FMECA, FMEDA, IFA SISTEMA or any of the other analytical tools available), functional testing, and documentation in a validation record.

Acronyms

  • PL: Performance Level. Predicted bands of failure rates for SRP/CS.
  • PLr: required Performance Level. The Performance Level required, based on the risk assessment, to provide the necessary risk reduction.
  • MTTFD or MTTFd: Mean Time to Dangerous Failure. Given in years.
  • PFHd: Probability of dangerous Failure per Hour. The fractional probability per hour of operation.
  • DCavg: average Diagnostic Coverage. Given as a percentage.
  • CCF: Common Cause Failure. Failures in more than one component with a common cause.
  • SRP/CS: Safety-Related Parts of Control System(s). The parts of a machine control system that provide a safety function.

from Grokipedia
ISO 13849 is an international standard published by the International Organization for Standardization (ISO) that addresses the safety of machinery through the design, integration, and validation of safety-related parts of control systems (SRP/CS), which perform functions to prevent hazardous situations. The standard applies to subsystems of various technologies, including electrical, electronic, hydraulic, pneumatic, and mechanical, operating in high-demand or continuous modes, but excludes systems in low-demand modes. It provides a risk-based approach to determine and achieve appropriate performance without prescribing specific functions or product requirements.

The core of ISO 13849, particularly in Part 1 (General principles for design), focuses on evaluating the reliability of SRP/CS using performance levels (PL), discrete classifications from PL a (lowest) to PL e (highest) based on the average probability of a dangerous failure per hour (PFHd), with values ranging from 10^{-8} to 10^{-4}. These levels are derived from a risk assessment process that considers factors such as severity of harm (S), frequency of exposure (F), and possibility of avoidance (P), ensuring that the required PL (PL_r) matches the identified hazards. Complementing PL, the standard defines architectural categories (B, 1, 2, 3, 4) that specify the fault tolerance and diagnostic coverage of the control system's structure, with higher categories incorporating redundancy and monitoring to enhance safety integrity.

Originally evolving from the European standard EN 954-1 in the 1990s, which provided qualitative safety categories, ISO 13849-1 introduced quantitative reliability measures in its 2006 edition to align with functional safety principles from IEC 61508, with subsequent revisions in 2015 and 2023 refining the design process, software considerations, and validation methods outlined in Part 2. As a Type B standard, it supports global compliance with machinery safety regulations, such as the EU Machinery Directive 2006/42/EC, and is essential for industries seeking to minimize accidents and ensure operator protection.

Overview

Purpose and Scope

ISO 13849 is an international standard providing requirements and guidance on the principles for the design, integration, and validation of safety-related parts of control systems (SRP/CS) for machinery, aiming to ensure safety by minimizing risks from hazardous machine operations. It defines SRP/CS as those components of a control system whose operation, or failure to operate, can affect the safety of the machine or its users. The scope of ISO 13849 applies to SRP/CS operating in high demand or continuous modes (more frequent than once per year) across technologies including electrical, electronic, hydraulic, pneumatic, and mechanical systems, for both stationary and mobile machinery throughout their lifecycle. It excludes low-demand mode operations, which fall under IEC 61508, and protection against electric shock, addressed by IEC 60204-1. The standard also does not cover high-risk processes in process industries, which are governed by dedicated standards such as IEC 61511.

The primary objectives are to reduce risks to acceptable levels by achieving required performance levels (PLr) through a combination of probabilistic methods, such as estimating mean time to dangerous failure (MTTFd) and diagnostic coverage (DC), and architectural categories that constrain fault tolerance and fault detection. As a Type-B generic safety standard, ISO 13849 is harmonized with the EU Machinery Directive 2006/42/EC, providing a horizontal framework applicable to all types of machinery safety functions while excluding detailed software safety lifecycles, which are referred to IEC 61508.

Key Principles

ISO 13849 employs a probabilistic approach to evaluate the safety of machinery control systems by combining key reliability parameters: the mean time to dangerous failure (MTTFd), which quantifies component longevity before a hazardous failure; diagnostic coverage (DC), which measures the proportion of dangerous failures detected by the system; and safeguards against common cause failures (CCF), such as separation of components or diversity in design to prevent simultaneous failures. These elements are used to calculate the achievable performance level (PL) for safety-related parts of control systems (SRP/CS), ensuring that the system's reliability aligns with the risks involved. This methodology shifts from purely deterministic assessments to one that incorporates statistical data, allowing for a more nuanced quantification of safety performance.

Performance levels serve as discrete safety integrity indicators, ranging from PL a (the lowest) to PL e (the highest), each tied to a specific range of the probability of dangerous failure per hour (PFHd). For instance, PL d corresponds to a PFHd of 10^{-8} to 10^{-7}, representing a high level of safety suitable for significant risks, while PL e is less than 10^{-8} for the most critical applications. The required performance level (PLr) is established via risk assessment as the design baseline, with brief reference to this process highlighting its role in tailoring requirements to operational contexts.

Fault-tolerant design is central to the standard, incorporating architectural categories that enable the system to maintain safety functions despite single or accumulated faults, alongside robust fault detection to mitigate both systematic failures (arising from design errors or external influences) and random hardware failures. High DC values, often exceeding 90%, ensure timely detection through diagnostics like self-testing or monitoring, while MTTFd levels (low: 3–10 years; medium: 10–30 years; high: 30–100 years) reflect component reliability over the mission time. The assignment of PLr further considers zones of operation, categorized as high, medium, or low based on exposure and hazard severity, to dictate the necessary safety rigor in different machinery areas.

The principle of equivalence underpins practical implementation, permitting SRP/CS to satisfy the PLr through either quantitative analysis (such as PFHd calculations using tools like IFA SISTEMA) or predefined designated architectures (e.g., Category 3 for redundancy or Category 4 for full redundancy with diagnostics), provided CCF measures score at least 65 points. This flexibility allows engineers to balance detailed probabilistic modeling with validated structural designs, ensuring equivalence in outcomes without mandating one method over the other.

History and Development

Predecessor Standards

The primary predecessor to ISO 13849 was EN 954-1:1996, titled "Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design," which established a deterministic framework for designing safety-related parts of control systems in machinery. This standard defined five safety categories (B, 1, 2, 3, and 4) based primarily on the architectural structure of the control system and the extent of fault detection and diagnostics, without incorporating probabilistic assessments or quantitative risk reduction metrics. Category B represented the basic level with minimal fault resistance, while higher categories like 3 and 4 involved redundancy and monitoring to handle single or multiple faults, ensuring the system either maintained safety or entered a safe state upon fault detection.

An attempt to extend EN 954-1 came with the draft standard prEN 954-2 in the late 1990s, which focused on validation methodologies for safety-related parts, including techniques such as testing and analysis to verify compliance with the categories. However, prEN 954-2 was never formally published as a full standard, leaving a gap in systematic validation guidance for complex systems. EN 954-1 faced significant criticism for its deterministic approach, which did not account for the probability of dangerous failures or provide a means to quantify the degree of risk reduction achieved by a given category, often resulting in over-design for low-risk applications or insufficient rigor for high-risk ones. This limitation became particularly evident as machinery controls grew more complex with programmable electronics, where fault probabilities varied widely but could not be adequately evaluated under the standard's qualitative categories.

The transition from EN 954-1 to ISO 13849-1 was driven by the need to align machinery safety standards with the broader framework of IEC 61508, which emphasized quantitative risk assessment, and by the new Machinery Directive 2006/42/EC, which required more precise conformity demonstrations for essential health and safety requirements. These factors highlighted the necessity for a probabilistic approach to better integrate reliability metrics and support harmonized international practices. The safety categories from EN 954-1 served as the foundational basis for the architectural descriptions in ISO 13849-1.

Evolution of ISO 13849-1 Editions

The first edition of ISO 13849-1, published in 1999, adopted the deterministic safety categories from EN 954-1:1996 without introducing probabilistic measures. It provided foundational guidance aligning with the general principles in ISO 12100, emphasizing hazard identification, risk estimation, and reduction strategies for machinery control systems, but retained the qualitative approach of its predecessor.

The second edition, released in 2006, marked a significant shift by introducing the Performance Level (PL) concept as a probabilistic measure of safety function reliability, moving away from purely deterministic categories. This edition provided foundational tables for estimating Mean Time To Dangerous Failure (MTTFd) of components and Diagnostic Coverage (DC) levels, enabling designers to quantify risk reduction more precisely. Key enhancements included the introduction of a structured method for assessing Common Cause Failures (CCF) to account for simultaneous faults across redundant elements, as well as expanded normative guidance on integration at interfaces between hardware and control logic. These updates addressed practical implementation challenges identified in early applications, improving the standard's usability for diverse machinery types. It also refined PL determination through subsystem-by-subsystem analysis, which allowed for more modular evaluation of complex safety-related parts of control systems (SRP/CS).

The third edition in 2015 incorporated technical corrections from 2009 and updated fault exclusion models to better reflect the reliability of contemporary components, such as programmable logic controllers (PLCs) and electronic sensors. It refined CCF evaluation with improved scoring criteria in Annex F, including enhanced measures for separation and diversity to mitigate shared failure modes. Additionally, the edition strengthened guidance on integrating SRP/CS with emerging cyber-physical elements, such as networked controls, to ensure compatibility with evolving automation architectures while maintaining alignment with ISO 12100 risk principles.

The fourth edition, published in 2023 and expanded to 152 pages, responded to identified gaps by tightening PL calculation requirements, including stricter CCF assessments that mandate subsystem-specific analysis and limit assumptions for unproven components. It enhanced harmonization with IEC 62061 by clarifying equivalences between PL and Safety Integrity Levels (SIL), facilitating dual compliance for international machinery designs. New sections addressed human factors in the risk parameters (e.g., operator expertise and avoidance possibilities) and lifecycle aspects, while incorporating provisions for modern challenges like IoT-enabled connectivity and software validation. Validation processes are now integrated, with references to former ISO 13849-2 content for testing and fault lists. The 2023 edition has faced criticism from some experts for potential loopholes in PL calculations that may lead to unsafe designs, though it remains the current standard as of November 2025. These successive updates were driven by stakeholder feedback on harmonization efforts between ISO and IEC standards, requirements under the EU Machinery Directive 2006/42/EC for verifiable safety demonstrations, and analysis of incident data revealing limitations in earlier probabilistic models for dynamic environments.

Evolution of ISO 13849-2 Editions

The first edition of ISO 13849-2, published in August 2003, established core principles for validating the safety-related parts of control systems (SRP/CS) in machinery. It outlined procedures and conditions for validation through analysis and testing of specified safety functions, as well as the associated categories of SRP/CS, drawing directly from the design rationale in ISO 13849-1:1999 and its predecessor EN 954-1. This edition introduced key validation methods, including testing protocols, analytical techniques, and fault insertion to assess system reliability and fault tolerance. Validation efforts were tailored to the required Performance Level (PLr) determined via risk assessment in ISO 13849-1, ensuring that achieved performance aligned with safety demands across categories B to 4.

The second edition, issued in October 2012, represented a technical revision that canceled and replaced the 2003 version to better accommodate advancements in ISO 13849-1:2006, particularly its refined Performance Level determination and diagnostic coverage requirements. This update provided expanded guidance on validating subsystems, such as modular components or encapsulated units, and incorporated recommendations for using software tools in performance analysis. It placed greater emphasis on documentation as a critical element for conformity assessment, including detailed records of validation plans, results, and fault lists to support regulatory compliance under directives like the EU Machinery Directive 2006/42/EC. Key enhancements included a risk-based scaling of validation rigor, such as intensified testing and analysis for PL e systems, and measures to mitigate systematic failures via comprehensive lifecycle reviews, from design to operation. A new informative Annex E offered a practical example of validating fault behavior and diagnostic coverage.

Following the publication of ISO 13849-1:2023 in April 2023, substantial content from ISO 13849-2:2012 was integrated into the former, with normative validation requirements relocated to Clause 10 of ISO 13849-1 to create a more cohesive framework for safety-related design and verification. This alignment streamlined processes by embedding validation directly within the primary performance standard, while ISO 13849-2:2012 remains the current edition pending a planned revision. As of November 2025, an upcoming technical report, ISO/TR 13849-2, is in development and expected in late 2025 or 2026 to provide supplementary guidance on advanced validation practices. Throughout its evolution, ISO 13849-2 has served as a vital complement to ISO 13849-1, delivering practical, post-design verification methods to confirm that the implemented safety functions achieve the PLr specified from risk assessments.

Risk Assessment Process

Hazard Identification and Risk Evaluation

Hazard identification and risk evaluation form the foundational steps in the risk assessment process outlined in ISO 13849-1, which relies on the principles of ISO 12100 to systematically identify potential hazards associated with machinery and evaluate the associated risks to determine the required performance level (PLr) for safety-related parts of control systems (SRP/CS). This aligns with the iterative risk reduction process in ISO 12100:2010, prioritizing inherently safe design, protective measures, and information for use before relying on SRP/CS. This process ensures that risks are reduced to an acceptable level through the design of appropriate safety functions, focusing on hazards that can be mitigated by control systems rather than inherent design features. It is an iterative procedure that begins with defining the machine's limits and operational boundaries, considering all relevant phases of the machine's life cycle, such as assembly, transport, use, maintenance, and decommissioning. The 2023 edition of ISO 13849-1 refines the risk graph in Annex A with additional guidance for parameter P and improved integration with the safety requirements specification.

Hazard identification involves a multidisciplinary approach, engaging stakeholders including machine designers, operators, and safety experts to uncover potential sources of harm. Common techniques adapted for machinery include brainstorming sessions to explore "what-if" scenarios, structured checklists based on industry-specific hazards (e.g., mechanical or electrical risks), Failure Modes and Effects Analysis (FMEA) to systematically analyze component failures and their impacts, and Hazard and Operability Studies (HAZOP) modified for machinery processes to identify deviations from intended operations. These methods prioritize hazards linked to operator exposure, such as those in danger zones near energy sources like hydraulic systems, ensuring comprehensive coverage without overlooking foreseeable misuse.

Risk evaluation follows identification and is conducted iteratively per ISO 12100, classifying risks based on three key parameters: severity of harm (S), frequency and/or exposure time to the hazard (F), and possibility of avoidance (P). Severity (S) is rated as S1 for slight, reversible injuries or S2 for serious, potentially irreversible injuries or death; frequency/exposure (F) as F1 for rare or brief exposures or F2 for frequent or prolonged exposures; and possibility of avoidance (P) as P1 if avoidance is feasible under the circumstances or P2 if it is unlikely, influenced by factors like operator experience and hazard speed. These parameters are used in the risk graph (or matrix) of Annex A of ISO 13849-1 to assign the required performance level (PLr), ranging from a (lowest) to e (highest). For instance, a hazard of high severity (S2), high frequency (F2), and low avoidance possibility (P2), such as in a high-energy cutting operation, results in requiring PL e. This determination takes into account operational contexts, such as the frequency and duration of exposure to hazards in different areas of the machine, as evaluated through parameters S, F, and P. Prerequisites for effective assessment include involving all relevant stakeholders early and documenting considerations across operational phases to ensure the process is thorough and verifiable.
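The risk-graph step just described and the PL bands given in the Wikipedia "Performance levels" section above are two halves of one check: derive PLr from S, F and P, derive the achieved PL from the calculated PFHd, and confirm the second is at least the first. The script below, an added example that is not code from the page, from Wikipedia, from Grokipedia or from ISO, carries that check through for the page's S2/F2/P2 cutting-operation case against two constructed candidate designs. The full risk-graph mapping and the PFHd band limits are the ones I recall from ISO 13849-1 (Figure A.1 and Table 2); the limits agree with the Wikipedia section (PL a just below 1 × 10⁻⁴, PL e down to 1 × 10⁻⁸) but should be confirmed against the standard's own table before being relied on.

```python
"""Required PL from the Annex A risk graph, achieved PL from a PFHd value, and
the check that the achieved level is at least the required one.

Added example, not code from the page or from ISO. The risk graph mapping and
the PFHd band limits are recalled from ISO 13849-1 Figure A.1 and Table 2.
"""
from typing import Dict, Optional, Tuple

PL_ORDER = "abcde"  # a is the lowest level, e the highest

# Risk graph (S, F, P) -> required PL. S1 slight / S2 serious injury,
# F1 rare / F2 frequent exposure, P1 avoidance possible / P2 scarcely possible.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PFHd bands (dangerous failures per hour) as [lower, upper) intervals.
PFHD_BANDS = (
    ("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4),
)


def required_pl(severity: int, frequency: int, avoidance: int) -> str:
    """PLr from the three risk-graph parameters, each coded as 1 or 2."""
    key = (severity, frequency, avoidance)
    if key not in RISK_GRAPH:
        raise ValueError(f"each parameter must be 1 or 2, got {key}")
    return RISK_GRAPH[key]


def achieved_pl(pfhd: float) -> Optional[str]:
    """Map a PFHd to its band. Below 1e-8 there is no higher level to claim,
    so PL e is returned; at or above 1e-4 not even PL a is reached."""
    if pfhd <= 0:
        raise ValueError("PFHd must be positive")
    if pfhd < 1e-8:
        return "e"
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None


def meets_requirement(pfhd: float, plr: str) -> Tuple[bool, Optional[str]]:
    """True when the achieved PL is at least PLr. The achieved PL is returned
    too, so a failing design shows how far short it falls."""
    pl = achieved_pl(pfhd)
    ok = pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)
    return ok, pl


def worked_case() -> Dict[str, object]:
    """The page's S2/F2/P2 cutting operation against two constructed designs
    (the PFHd values are invented sample figures, not measured ones)."""
    plr = required_pl(2, 2, 2)
    return {
        "plr": plr,
        "two_channel_design": meets_requirement(4.5e-8, plr),
        "single_channel_design": meets_requirement(6.0e-7, plr),
    }


if __name__ == "__main__":
    for name, value in worked_case().items():
        print(f"{name:>22}: {value}")
```

The second constructed design lands in PL d, one band short of the PLr of e; the returned tuple makes that gap explicit instead of reporting a bare failure, which is the information a design review actually needs.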

Assignment of Safety Functions

In ISO 13849, safety functions are defined as the protective measures implemented within the safety-related parts of control systems (SRP/CS) to achieve or maintain a safe state by reducing identified risks to a tolerable level. These functions typically include mechanisms such as emergency stops, which immediately halt machine operations upon detection of a hazardous condition; guarding systems, which prevent access to dangerous areas; and speed monitoring, which limits operational velocities to avoid injury. Each safety function must be capable of performing reliably under foreseeable conditions to mitigate specific hazards arising from the machine's operation.

The boundaries of a safety function encompass its input, logic, and output elements, forming a complete subsystem that responds to hazards. Inputs are provided by sensors detecting events like door openings or operator actions; the logic involves controllers or processors that evaluate signals and decide on responses; and outputs consist of actuators such as brakes or relays that execute the safety action. These boundaries must account for interfaces between subsystems, potential interactions with non-safety-related parts, and environmental factors like electromagnetic compatibility (EMC) or mechanical stresses that could influence performance. Defining clear boundaries ensures that the safety function operates as an integrated unit without unintended gaps in protection.

The required Performance Level (PLr) for a safety function is assigned based on the risk assessment's evaluation of severity (S), frequency and/or exposure (F), and possibility of avoidance (P), ensuring the function's reliability matches the risk reduction needs. PLr is then allocated across the function's elements, such as assigning a higher PL to critical sensors in high-risk scenarios, by breaking down complex functions into manageable parts with individual PL targets. This distribution considers factors like mean time to dangerous failure (MTTFd), diagnostic coverage (DC), and common cause failures (CCF), allowing the overall function to meet or exceed the PLr without over-engineering less critical components.

Documentation of safety functions is formalized in the Safety Requirements Specification (SRS), which outlines the function's description, triggering conditions, required reactions, and transition to a safe state. The SRS also details fault reactions, such as stopping drives or activating redundancies upon detection of errors, along with operating modes, response times, and interface requirements to guide design and validation. This specification serves as the foundational document for verifying that the implemented SRP/CS aligns with the assigned safety functions.

Common examples of safety functions include two-hand control systems for hydraulic presses, where simultaneous activation of two buttons ensures the operator's hands are away from the danger zone before the press cycles. Another is the use of light curtains for access guarding on assembly lines, which interrupt machine motion if the infrared beam is broken, preventing entry into hazardous areas. In a machine cell, a safety function might involve multiple sensors coordinating to stop all drives upon opening a protective guard, demonstrating how functions can overlap for comprehensive risk reduction.

Performance Levels

Definition and Determination

Performance levels (PL) in ISO 13849-1 represent discrete measures of the ability of safety-related parts of control systems (SRP/CS) to perform a function under foreseeable conditions, quantified by the average probability of a dangerous failure per hour (PFHd). There are five performance levels, ranging from PL a (lowest) to PL e (highest), each corresponding to a specific range of PFHd values. These levels provide a standardized way to assess and specify the reliability of safety functions in machinery control systems. The following table summarizes the PFHd ranges for each PL:
Performance Level | PFHd (per hour)
PL a | ≥ 10^{-5} to < 10^{-4}
PL b | ≥ 3 × 10^{-6} to < 10^{-5}
PL c | ≥ 10^{-6} to < 3 × 10^{-6}
PL d | ≥ 10^{-7} to < 10^{-6}
PL e | ≥ 10^{-8} to < 10^{-7}
Lower PFHd values indicate higher reliability and better performance. For example, PL a corresponds to a PFHd of at least 10^{-5} (and below 10^{-4}), while PL e corresponds to a PFHd below 10^{-7}. To determine whether a safety system meets the required performance level (PLr, derived from the risk assessment), the achieved PL is calculated from the system's architecture and components and then compared with PLr; the achieved PL must be equal to or higher than PLr. Key factors influencing the achieved PL are the mean time to dangerous failure (MTTFd) for component reliability, diagnostic coverage (DC) for the percentage of dangerous failures detected, common cause failures (CCF) for shared failure risks, and the overall system architecture. Calculations assume a default mission time of 20 years for MTTFd estimation, representing the intended operational period of the machinery. Over the mission time, PL may degrade through component wear and accumulated failures, so periodic proof testing is needed to detect and mitigate dangerous undetected failures and maintain the required safety integrity. The achieved PL can be established either by applying the designated architectural categories (B to 4), which map to specific PL outcomes, or through custom probabilistic calculations incorporating the factors above.

Calculation Methodology

The calculation of the achieved performance level (PL) in ISO 13849-1 integrates the mean time to dangerous failure (MTTFd), average diagnostic coverage (DCavg), common cause failure (CCF) mitigation, and the selected safety architecture to determine the probability of dangerous failure per hour (PFHd), from which the PL is derived. For a given safety function, the overall PFHd is the sum of the PFHd values of its subsystems (input, logic, output), and the PL follows from the PFHd ranges: PL a (≥10^{-5} to <10^{-4}), b (≥3×10^{-6} to <10^{-5}), c (≥10^{-6} to <3×10^{-6}), d (≥10^{-7} to <10^{-6}), e (≥10^{-8} to <10^{-7}). This methodology applies a simplified probabilistic approach for high-demand or continuous mode systems, assuming constant failure rates and focusing on dangerous failures. MTTFd represents the expected time until a dangerous failure occurs in a component or subsystem, expressed in years, with levels categorized as low (3–10 years), medium (10–30 years), or high (30–100 years). It is calculated from component reliability data, typically the B10d value (the number of cycles until 10% of components have failed dangerously), adjusted for operational demand: $\text{MTTFd} = \frac{B_{10d}}{0.1 \times n_{op}}$, where the factor 0.1 reflects the 10% failure fraction in the definition of B10d and $n_{op}$ is the expected number of cycles per year, given by $n_{op} = \frac{d_{op} \times h_{op} \times 3600}{t_{cycle}}$ with $d_{op}$ the operating days per year, $h_{op}$ the operating hours per day, and $t_{cycle}$ the cycle time in seconds. For series systems, MTTFd follows from the sum of reciprocals: $\frac{1}{\text{MTTFd}} = \sum_i \frac{1}{\text{MTTFd}_i}$; for parallel redundant systems, it approximates $\text{MTTFd} \approx \sum_i \text{MTTFd}_i$ under low failure probability assumptions. B10d values are derived from manufacturer data or handbooks like IFA Report 2/2017, often assuming 10–50% of total failures are dangerous.
DC measures the effectiveness of diagnostic techniques in detecting dangerous failures, expressed as a percentage: DC = (detected dangerous failures / total dangerous failures) × 100%, with levels none (<60%), low (60–90%), medium (90–99%), and high (≥99%). For a single component, DC is estimated directly; for a channel or multi-channel system, DCavg is the average of the component DC values weighted by their dangerous failure rates (the reciprocals of their MTTFd values): $\text{DC}_\text{avg} = \frac{\sum_i \text{DC}_i / \text{MTTFd}_i}{\sum_i 1 / \text{MTTFd}_i}$. Diagnostic techniques are evaluated via the Annex E tables, such as parity checks (99% DC for logic) or cyclic testing (90% DC for outputs). For example, monitored redundancy in Category 3 architectures can achieve medium DC through cross-monitoring. CCF addresses simultaneous failures in redundant channels due to shared causes, is required for Categories 2–4, and is quantified via a 65-point checklist in Annex F across six groups: separation (up to 25 points), diversity (up to 15 points), and fault avoidance measures (up to 10 points each for the other groups). A minimum score of 65 points must be achieved to claim CCF mitigation, effectively reducing the common failure fraction to ≤2%; the effect is integrated into PFHd as an additional term (e.g., a β-factor approximation with β = 1 − score/100). For single-channel systems, CCF is not applicable. The average PFHd for a channel is approximated as $\text{PFHd} = \left(1 - \frac{\text{DC}}{100}\right) \times \frac{1}{\text{MTTFd} \times 8760} + \text{CCF term}$, with MTTFd converted to hours (8760 hours/year) and the CCF term added for redundant architectures (e.g., 5–10% of the single-channel PFHd for Category 3 with adequate scoring). For a single channel, PL ≤ min(PL from MTTFd, PL from DC); for a dual channel without diagnostics, PFHd sums the reciprocals adjusted for undetected failures. Categories provide a simplified alternative by predefining MTTFd and DC requirements that bound the achievable PL.
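As an added example (not code from the standard, from SISTEMA, or from any other tool), the following Python carries the calculation chain above through for one constructed single-channel interlock path: risk graph to PLr, B10d and operating profile to MTTFd, series combination, failure-rate-weighted DCavg, the simplified PFHd approximation, and the comparison of achieved PL against PLr. All component figures (B10d values, operating days and hours, cycle time, DC values, the 5% CCF share) are constructed, and the 100-year MTTFd cap is taken from the upper bound of the "high" level.

```python
"""Worked ISO 13849-1 style calculation for one single-channel safety function.
Added example, not code from the standard or from any tool; every component
figure below is constructed. The PFHd step uses the simplified approximation,
not the standard's Annex K tables, so the result is illustrative only.
"""
from dataclasses import dataclass

PL_ORDER = "abcde"

# Annex A risk graph: (S, F, P) -> required performance level PLr.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PFHd bands in 1/h as [lower, upper) for each PL, highest PL first.
PFHD_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
              ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]

MTTFD_CAP_YEARS = 100.0  # upper bound of the "high" MTTFd level

@dataclass
class Component:
    name: str
    mttfd: float  # years
    dc: float     # diagnostic coverage in percent

def required_pl(s: int, f: int, p: int) -> str:
    """PLr from the risk graph; S, F and P are each 1 or 2."""
    if (s, f, p) not in RISK_GRAPH:
        raise ValueError("S, F and P must each be 1 or 2")
    return RISK_GRAPH[(s, f, p)]

def cycles_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """n_op = d_op * h_op * 3600 / t_cycle (operating cycles per year)."""
    if min(d_op, h_op, t_cycle_s) <= 0:
        raise ValueError("operating days, hours and cycle time must be positive")
    return d_op * h_op * 3600.0 / t_cycle_s

def mttfd_from_b10d(b10d: float, n_op: float) -> float:
    """MTTFd in years = B10d / (0.1 * n_op); 0.1 is the 10 % in the B10d definition."""
    return b10d / (0.1 * n_op)

def channel_mttfd(mttfds) -> float:
    """Series combination 1/MTTFd = sum(1/MTTFd_i), capped at the 100-year limit."""
    return min(1.0 / sum(1.0 / m for m in mttfds), MTTFD_CAP_YEARS)

def dc_avg(components) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i): DC weighted by failure rate."""
    num = sum(c.dc / c.mttfd for c in components)
    den = sum(1.0 / c.mttfd for c in components)
    return num / den

def pfhd_simplified(mttfd_years: float, dc_percent: float, ccf_share: float = 0.0) -> float:
    """(1 - DC/100) / (MTTFd * 8760 h) plus a CCF term given as a share of that base."""
    base = (1.0 - dc_percent / 100.0) / (mttfd_years * 8760.0)
    return base * (1.0 + ccf_share)

def pl_from_pfhd(pfhd: float):
    """Map a PFHd value to PL a..e; None when it falls outside every band."""
    for pl, lo, hi in PFHD_BANDS:
        if lo <= pfhd < hi:
            return pl
    return None

def meets_plr(achieved, plr: str) -> bool:
    """The achieved PL must be equal to or higher than the required PL."""
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(plr)

def worked_example() -> dict:
    """Guard interlock path: position switch -> safety relay -> contactor (constructed data)."""
    n_op = cycles_per_year(d_op=240, h_op=16, t_cycle_s=60)   # 230400 cycles/year
    parts = [
        Component("position switch", mttfd_from_b10d(2_000_000, n_op), dc=90.0),
        Component("safety relay", mttfd=100.0, dc=99.0),        # MTTFd taken from a datasheet
        Component("contactor", mttfd_from_b10d(1_300_000, n_op), dc=99.0),
    ]
    mttfd = channel_mttfd([c.mttfd for c in parts])             # about 25.5 years (medium)
    dcavg = dc_avg(parts)                                       # about 96 % (medium)
    pfhd = pfhd_simplified(mttfd, dcavg, ccf_share=0.05)        # about 1.7e-7 1/h
    plr = required_pl(s=2, f=2, p=1)                            # "d"
    achieved = pl_from_pfhd(pfhd)
    return {"mttfd_years": mttfd, "dc_avg": dcavg, "pfhd": pfhd,
            "plr": plr, "achieved_pl": achieved, "meets": meets_plr(achieved, plr)}

if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Changing the contactor's DC to 60% or the switch's B10d to 200,000 cycles in worked_example() drops the achieved PL below the PLr of d, which is the kind of sensitivity check a reviewer runs before accepting vendor reliability figures.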
The 2023 edition of ISO 13849-1 incorporates normative requirements previously in ISO 13849-2:2012, particularly for validation, effectively updating and integrating the Part 2 content. It introduces stricter considerations for CCF in software-heavy systems, emphasizing software reliability and requiring explicit plans that address software-related common failures such as systematic errors. This update aligns the calculations with the software requirements, mandating higher CCF scores (e.g., diversity between software channels) to achieve PL d/e in programmable systems. The 2023 edition has faced criticism for potential loopholes in performance level calculations, particularly the use of default MTTFd values without rigorous data and the treatment of software systematic failures, as highlighted in industry analyses (as of 2025).

Safety Architectures

Category Descriptions

ISO 13849-1 defines five safety categories, B, 1, 2, 3, and 4, as predefined architectural structures for safety-related parts of control systems, enabling the achievement of required performance levels through standardized redundancy and diagnostic measures rather than fully custom probabilistic analyses. These categories establish baseline assumptions about system behavior under fault conditions, incorporating principles such as the use of well-tried components to minimize failure probabilities. The choice of category influences the maximum attainable performance level (PL), with higher categories offering greater reliability by addressing potential faults more robustly. Category B applies basic safety principles, including the selection of well-tried components and adherence to general design rules for control systems, without any redundancy. A single fault in this architecture can directly result in the loss of the safety function, as no fault detection or tolerance mechanisms are required. The maximum achievable PL is a, suitable for low-risk applications where minimal reliability is needed. Category 1 extends Category B by emphasizing higher-quality components selected for enhanced reliability, assuming that a single fault is unlikely to immediately cause loss of the safety function because of these robust choices. Like Category B, it lacks redundancy or automatic fault detection, relying instead on component integrity to maintain the function. The maximum PL is b, providing a step up in reliability for moderately low-risk scenarios. Category 2 incorporates the elements of Category 1 and introduces periodic proof testing to detect accumulated faults before they lead to a dangerous failure, ensuring the function remains operational during tests. This testing provides some diagnostic capability, preventing undetected degradation over time. PL b or c is possible, depending on test frequency and component reliability.
Category 3 achieves single-fault tolerance through redundancy, such as dual channels, where the safety function persists despite one fault, and faults are detected quickly, often via cross-monitoring, to allow timely intervention. This architecture assumes faults are identified before a second failure occurs, maintaining the safety function until repair. The maximum PL is d, ideal for applications demanding higher fault resistance. Category 4 offers the most stringent protection by tolerating the accumulation of multiple faults without compromising the safety function, supported by high diagnostic coverage through extensive monitoring and diverse redundancy. Faults are detected and addressed in time to prevent dangerous outcomes, with assumptions of rapid reaction times. It enables PL e, the highest level, for critical high-risk machinery. Each category's assumptions include specific fault reaction times, such as immediate detection in redundant systems or periodic checks in tested ones, with the maximum PL ultimately determined by the mean time to dangerous failure (MTTFd) of the components and the diagnostic coverage (DC) achieved within the architecture.

Block Diagram Representation

Block diagrams in ISO 13849-1 provide a visual model for safety-related parts of control systems (SRP/CS), illustrating the structure of safety functions to facilitate analysis of redundancy, fault detection, and fault propagation. These diagrams abstract the control system into interconnected blocks representing subsystems, enabling designers to evaluate compliance with performance level (PL) requirements without delving into detailed circuit schematics. By depicting signal flows and diagnostic mechanisms, block diagrams serve as a foundational tool for identifying potential failure modes and ensuring the function's integrity under foreseeable conditions. The primary elements of these diagrams include inputs such as sensors or initiating devices (e.g., proximity switches or light barriers), logic solvers like programmable logic controllers (PLCs) or safety relays that process safety signals, and outputs comprising actuators such as contactors or valves that execute the safety action. Single-channel or dual-channel configurations are shown, with channels representing parallel or series paths from input to output; power supply paths are also depicted to highlight shared resources that could introduce common vulnerabilities. Standard symbols per ISO 13849-1, such as rectangular blocks for subsystems and arrows for signal flows, ensure consistency across representations. Representation rules emphasize illustrating redundancy through dual channels or parallel structures, diagnostics via feedback loops or cross-monitoring (e.g., periodic testing between channels), and interfaces between subsystems to trace fault propagation. Diagrams must clearly delineate test equipment, such as watchdog timers, separate from the core paths, using dashed lines for monitoring signals to distinguish them from the primary safety functions. These rules align with Annex B of the standard, promoting unambiguous modeling that supports subsequent quantitative assessments.
Analysis using block diagrams involves tracing paths to determine the mean time to dangerous failure (MTTFd) for each channel or block, assessing diagnostic coverage (DC) through mechanisms like channel comparison (e.g., achieving DC above 60% via cross-checks), and evaluating common cause failure (CCF) risks from shared elements such as power supplies or environmental exposures. For instance, MTTFd is aggregated along redundant paths, DC is quantified as the proportion of detectable dangerous failures (λ_DD / (λ_DD + λ_DU)), and CCF is mitigated by scoring measures like separation (up to 15 points) to reach at least 65 points overall. This diagrammatic approach aids PL determination by visualizing how architectural choices influence reliability metrics. A representative example is a Category 3 block diagram for a guard interlock function, featuring two independent sensors (e.g., dual position switches) feeding into separate logic channels that are linked for cross-monitoring, which then drive two redundant outputs (e.g., contactors K3 and K4). Fault paths in this diagram show that a single fault in one channel is detected via periodic diagnostics before the next demand, though the accumulation of two undetected faults could impair the function; monitoring loops (e.g., contactor feedback to the logic) keep DC high (e.g., 99%). The 2023 edition of ISO 13849-1 enhances representation by incorporating software blocks within logic solvers to address software safety requirements (new Clause 7). It also notes that security issues, whether physical, IT-security, or cyber security, can affect safety functions and refers to ISO/TR 22100-4 and IEC/TR 63074 for further guidance, though specific measures for these aspects are not provided.

Validation and Verification

Validation Techniques

Validation techniques for ISO 13849 ensure that the safety-related parts of control systems (SRP/CS) achieve the required performance level (PLr) by verifying safety functions through systematic analysis, testing, and documentation processes as outlined in the standard. These methods confirm that the system detects faults, maintains safe states, and meets reliability targets throughout its lifecycle, integrating design verification with operational checks to mitigate risks in machinery applications. Theoretical validation relies on analytical approaches to model and predict system behavior under fault conditions without physical intervention. Failure mode and effects analysis (FMEA) identifies potential failure modes in components, assessing their effects on safety functions and calculating diagnostic coverage (DC) by distinguishing detectable (DD) from undetectable (DU) dangerous failures, where DC = Σλ_DD / (Σλ_DD + Σλ_DU). Fault tree analysis (FTA), as per IEC 61025, and event tree analysis (ETA) are top-down inductive methods suitable for evaluating fault accumulation in higher categories, such as Category 4 architectures, by mapping failure probabilities and common cause failures. These techniques are essential for PL d and e systems, where full fault coverage, including rare events, must be demonstrated to achieve PFHd values below 10^{-6} for PL d and below 10^{-7} for PL e. Empirical validation involves hands-on testing to confirm real-world performance. Proof testing verifies the initiation of safe states and the overall function, conducted at intervals like machine startup or before hazardous operations, particularly for Category 2 systems requiring periodic checks. Fault insertion testing injects simulated faults, such as wire breaks, signal errors, or component failures, into prototypes or production samples to assess detection and response, ensuring the system transitions to a safe state; for instance, tests on light barriers or pneumatic valves confirm DC levels above 90% for PL c or higher.
For the lower PL a and b, basic functional checks suffice, focusing on normal operation without exhaustive fault scenarios, while PL e demands comprehensive coverage of all foreseeable faults. Simulation techniques enhance validation by modeling complex interactions, using tools like Markov chains or Petri nets to predict failure probabilities and to validate safety-related application software (SRASW) through fault case emulation. Digital twins, virtual replicas of the machine, allow iterative testing of architectures under varied conditions, bridging analysis and empirical methods for lifecycle assurance. Documentation forms the backbone of validation, requiring a structured plan per ISO 13849-2 that includes safety requirements specifications, fault lists, test reports, and deviation analyses to prove compliance. This encompasses verification and validation (V&V) plans following the V-model, with records of design features and probability calculations. The 2023 edition of ISO 13849-1 integrates validation processes previously in ISO 13849-2, emphasizing lifecycle management with requirements for post-modification re-validation to address changes in functions or components; it introduces Annex G.5 and enhances software validation, supporting ongoing conformity from design through operation and modification. However, the 2023 edition has faced criticism from some experts for technical flaws, including in software validation and safety calculations, with recommendations to await revisions (as of 2025).

Common Tools and Metrics

In applying ISO 13849-1, key metrics quantify the reliability and fault tolerance of safety-related parts of control systems (SRP/CS), enabling engineers to determine the achievable performance level (PL). The B10d value represents the expected number of operating cycles a component can undergo before 10% of a population fails dangerously, serving as a foundational input for estimating the mean time to dangerous failure (MTTFd). Hardware fault tolerance (HFT) indicates the number of faults a subsystem can endure without losing its safety function, with ISO 13849 categories implicitly aligning to HFT levels, such as HFT=0 for Category 2 (with periodic testing) and HFT=1 for Category 3. The safe failure fraction (SFF) measures the proportion of failures that are either safe or detected, and some analyses recommend it as a supplement to diagnostic coverage (DC) in ISO 13849 evaluations for more precise risk assessment. The proof test coverage ratio assesses the effectiveness of periodic proof tests in detecting undetected dangerous failures, particularly essential for architectures like Category 2 where diagnostics alone may not suffice. Software tools facilitate the computation of these metrics and overall PL compliance, streamlining design and documentation processes. SISTEMA, a free utility developed by the German Social Accident Insurance (DGUV/IFA), models SRP/CS architectures, automates PL calculations using inputs like category, MTTFd, average DC, and common-cause failure (CCF) measures, and generates reports for verification. PAScal, provided by Pilz as a complimentary tool, supports PL determination per ISO 13849-1 by integrating component data libraries and handling large projects with structured safety function breakdowns. Vendor-specific options, such as Rockwell Automation's Safety Automation Builder, aid in configuring safety systems within integrated environments like Connected Components Workbench, incorporating ISO 13849 metrics for PLC-based designs.
These tools apply the metrics practically by outputting diagnostic coverage (DC) values, ranging from none (<60%) to high (≥99%), to track fault detection efficacy and confirm that the required PLr is met. They incorporate CCF scoring aids, such as checklists yielding a minimum score of 65 points across separation, diversity, and environmental measures, to quantify and mitigate shared failure risks. Mission time projections, typically set at 20 years per ISO 13849-1, are modeled in the tools to forecast MTTFd degradation and recommend component replacement intervals based on T10d (time to 10% dangerous failures). Best practices emphasize integrating these metrics with programmable logic controllers (PLCs) and human-machine interfaces (HMIs) to enhance real-time diagnostics, thereby raising DC through automated fault monitoring and feedback loops. Despite their utility, these tools rely on accurate manufacturer-provided component data, such as B10d values, and cannot compensate for erroneous inputs, which can lead to optimistic PL estimates if the reliability figures are outdated. Ultimately, users bear full responsibility for independent validation of tool outputs against actual system performance, as mandated by ISO 13849-1 to confirm compliance.

Integration with Other Standards

Comparison to IEC 62061

IEC 62061 is an international standard that specifies requirements and guidance for the functional safety of safety-related electrical, electronic, and programmable electronic control systems (E/E/PE SCS) for machinery, defining Safety Integrity Levels (SIL 1 to 3) to address both random hardware failures and systematic failures throughout the system lifecycle. In contrast to ISO 13849's Performance Levels (PL a to e), which emphasize a simplified reliability assessment using Mean Time To Dangerous Failure (MTTFd) and Diagnostic Coverage (DC), IEC 62061 employs SIL based on Probability of Failure on Demand (PFD) or Probability of Dangerous Failure per Hour (PFH) and Safe Failure Fraction (SFF) for high-demand or continuous mode operation. An approximate mapping exists between the two metrics, primarily aligned by the average probability of a dangerous failure per hour (PFHd), as shown in the following table derived from the standards:
PFHd (1/h) | PL (ISO 13849) | SIL (IEC 62061)
≥10⁻⁵ to <10⁻⁴ | a | No special requirements
≥3×10⁻⁶ to <10⁻⁵ | b | 1
≥10⁻⁶ to <3×10⁻⁶ | c | 1
≥10⁻⁷ to <10⁻⁶ | d | 2
≥10⁻⁸ to <10⁻⁷ | e | 3
This correspondence is not exact, as PL a has no direct SIL equivalent, and the methodologies differ in their quantitative rigor. Key differences arise in their application: ISO 13849 offers a pragmatic, machinery-specific approach with qualitative elements and simplified architectural categories, making it suitable for standalone machines without requiring a comprehensive full-lifecycle process, whereas IEC 62061, derived from the broader IEC 61508 framework, provides more detailed guidance for complex, programmable systems in automation, including normative management requirements and subsystem validation. Both standards achieve equivalence in ensuring functional safety for machinery under the EU Machinery Directive 2006/42/EC, as harmonized Type C standards, allowing designers to select based on system complexity: ISO 13849 is generally preferred for applications not exceeding SIL 3 requirements, while IEC 62061 suits higher-integrity or electronically intensive setups. The 2023 edition of ISO 13849-1 introduces improvements for better alignment with IEC 62061:2021, including a revised structure that mirrors ISO 12100's design process, expanded software requirements, and an explicit Table 4 correlating PL to SIL (e.g., PL b/c to SIL 1, PL d to SIL 2, PL e to SIL 3), which eases compliance when systems reference both standards and reduces dual-certification efforts.

Alignment with ISO 12100

ISO 12100 establishes the foundational principles for machinery safety through a systematic, iterative risk assessment and risk reduction process aimed at achieving tolerable risk levels. This process comprises three principal steps: implementing inherently safe design measures to eliminate or minimize hazards at the source; applying technical protective measures, such as guards and safety-related control systems, supplemented by information for use; and evaluating any residual risks to ensure overall acceptability. The standard emphasizes a holistic approach, prioritizing design-stage interventions before relying on operational safeguards. ISO 13849-1 integrates seamlessly with ISO 12100 by focusing on the design, implementation, and validation of safety-related parts of control systems (SRP/CS) as a key component of the second step in the risk reduction hierarchy. Following the hazard identification and initial risk estimation outlined in ISO 12100, ISO 13849-1 employs the same parameters, severity of harm (S), frequency and/or exposure to the hazard (F), and possibility of avoidance (P), to derive the required Performance Level (PLr) for safety functions. This ensures that safety functions, like interlocks or emergency stops, provide the necessary reliability to mitigate the identified hazards effectively. The PLr is determined directly from the ISO 12100 risk assessment, linking qualitative evaluation to quantitative performance. The 2023 edition of ISO 13849-1 enhances this alignment by explicitly referencing ISO 12100:2010 for guiding hazard identification and risk estimation, including the use of the risk graphs in Annex A that address human error factors within the avoidance parameter (P). New Clause 4 provides recommendations for risk assessment aligned with ISO 12100, while Annex M offers tables of typical safety functions to support hazard analysis without duplicating ISO 12100's broader methodology. These updates clarify the iterative application, ensuring control system design follows ISO 12100's risk reduction flow.
In complementary fashion, ISO 12100 serves as the overarching strategy for machinery safety, while ISO 13849-1 delivers specialized, quantifiable methods for reliability, filling the gap between qualitative risk principles and precise performance validation. Together, they form a cohesive framework essential for demonstrating conformity under directives like the EU Machinery Directive, addressing both general safety and functional control aspects.
