
ISO 13849

Safety of Machinery / Safety-related Parts of Control Systems

ISO 13849 is the international standard for the design of safety-related parts of control systems (SRP/CS) for machinery. It defines the Performance Level (PL a-e) framework, an alternative to the SIL approach of IEC 62061 for the machinery sector.

Document structure

ISO 13849-1

Safety-related parts of control systems — Part 1: General principles for design

Defines the PL determination method (risk graph), the Category B-4 architectures, MTTFD and DCavg quantification, and the common cause failure (CCF) score. Annex A is the well-known risk graph. Annex K (informative) maps PL ↔ SIL.

ISO 13849-2

Safety-related parts of control systems — Part 2: Validation

Validation process: test plans, fault lists per technology (electrical, electronic, programmable, fluid power, mechanical), verification of failure exclusions.

Key concepts

Safety-related Part of a Control System (SRP/CS)
The part of the machine control system that performs safety functions — e.g., interlock door switch + safety relay + contactor + emergency stop button. Same scope as a SIS in process industry, different vocabulary.
Performance Level (PL)
The standard's headline metric. PL a (lowest) through PL e (highest). Each PL corresponds to a range of PFHD: PL a: 10⁻⁵ ≤ PFHD < 10⁻⁴; PL b: 3·10⁻⁶ ≤ PFHD < 10⁻⁵; PL c: 10⁻⁶ ≤ PFHD < 3·10⁻⁶; PL d: 10⁻⁷ ≤ PFHD < 10⁻⁶; PL e: 10⁻⁸ ≤ PFHD < 10⁻⁷.
Category (Cat)
Architectural classification (5 levels) defined in ISO 13849-1 clause 6: Cat B (basic — no fault tolerance), Cat 1 (well-tried components), Cat 2 (periodic testing), Cat 3 (single fault tolerant), Cat 4 (single fault tolerant with high diagnostic coverage).
Required Performance Level (PLr)
The PL that the SRP/CS must achieve to provide sufficient risk reduction. Determined via the **risk graph in Annex A** based on severity (S1/S2), frequency of exposure (F1/F2), and possibility to avoid (P1/P2).
Mean Time To Dangerous Failure (MTTFD)
Per channel, not per system. Categorized as Low (3-10 years), Medium (10-30 years), or High (30-100 years). 100 years is the cap — claims beyond are not credited.
Average Diagnostic Coverage (DCavg)
Fraction of dangerous failures detected by diagnostics, averaged across channels. Categorized as None (< 60%), Low (60-90%), Medium (90-99%), or High (≥ 99%).
Common Cause Failure score (CCF)
Tabulated checklist in Annex F (15 questions, each worth 5-25 points). Score ≥ 65/100 required to credit redundancy. If CCF < 65, the architecture is treated as if non-redundant.
PL ↔ SIL mapping
Informative correspondence (Annex K of ISO 13849-1). Cat 4 + DC ≥ 99% ↔ PL e ↔ SIL 3. Cat 3 + DC 90-99% ↔ PL d ↔ SIL 2. Cat 3 + DC 60-90% ↔ PL c ↔ SIL 1. Used to interface ISO 13849 designs with IEC 61508-certified components.
Failure exclusion
Argument that a specific failure mode is implausible due to design, materials or operational conditions. Documented per ISO 13849-2 Annex tables. Must be technically justified — not a free pass to ignore failures.

Notes & guidance

The other functional safety standard

If IEC 61508 is the grandfather and IEC 61511 is the process-industry adaptation, ISO 13849 is the machinery cousin — same family, different philosophy.

In machinery (welding robots, packaging lines, machine tools, presses), safety functions typically:

  • Operate in high demand mode (door opened many times per shift, e-stop tested often)
  • Use electromechanical components more often (safety relays, contactors, position switches)
  • Are subject to the Machinery Directive 2006/42/EC (EU) which mandates ISO 13849 or IEC 62061 as harmonized standards

ISO 13849 chose to express integrity as Performance Level (PL a-e) rather than reusing IEC 61508’s SIL 1-4. The metric is PFHD (Probability of dangerous Failure per Hour) only — there’s no low-demand PFDavg equivalent. This is because machinery safety functions are typically demanded continuously or high-rate.

The PL determination flow (Annex A)

Severity
├── S1 (slight) ─────────────────────────── PL a
└── S2 (serious)
    ├── F1 (rare exposure)
    │   ├── P1 (avoidable) ──────────────── PL b
    │   └── P2 (hardly avoidable) ───────── PL c
    └── F2 (frequent exposure)
        ├── P1 (avoidable) ──────────────── PL c
        ├── P2 (hardly avoidable) ───────── PL d
        └── P2 + irreversible injury ────── PL e

This is a simpler decision tree than the LOPA used in IEC 61511. It works because machine safety risks are usually more standardized (a sharp moving part, a press, an electric shock zone) than process plant risks.

Cat + DCavg + MTTFD → PL

The PL achieved is determined by a 3D matrix (clause 4.5.4 of Part 1):

| MTTFD per channel | Cat B / 1, DC = none | Cat 2, DC = low | Cat 2, DC = medium | Cat 3, DC = low | Cat 3, DC = medium | Cat 4, DC = high |
|---|---|---|---|---|---|---|
| Low (3-10 y) | PL a | PL b | PL c | PL c | PL d | n/a |
| Medium (10-30 y) | PL b | PL c | PL d | PL d | PL d | n/a |
| High (30-100 y) | PL c | PL d | PL d | PL d | PL e | PL e |

n/a: combination not credited (Cat 4 requires High MTTFD).

In practice, a typical Cat 3 safety door (force-guided contacts + redundant inputs + dual-channel safety relay) easily reaches PL d with off-the-shelf certified components. Reaching PL e requires Cat 4 architecture (full diversity in some implementations) and consistent high DC > 99%.

The β-factor / CCF question

ISO 13849 handles CCF differently from IEC 61508:

  • IEC 61508 / 61511: explicit β-factor (typically 2-10%) multiplied in the PFD equation
  • ISO 13849: binary check via Annex F checklist (65/100 minimum). If passed, redundancy is credited fully. If not passed, redundancy is ignored.

The checklist scores items like: physical separation, diverse technology, EMC qualification, identical maintenance procedures, etc. Most well-engineered Cat 3 / Cat 4 systems pass easily.
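An added example (not the page's, IFA's or SISTEMA's code) that encodes the PL flow exactly as this page lays it out: the PFHD bands per PL, the Annex A tree above, the MTTFD and DCavg bands, the Cat/DC/MTTFD lookup as tabulated here, and the 65/100 CCF gate. Function names, the string encoding of categories, and the "not credited" cells for Cat 4 with Low/Medium MTTFD are assumptions of this example.

```python
# Added example (not the page's, IFA's or SISTEMA's code): the ISO 13849-1 PL
# flow as this page summarizes it, using the page's own bands and lookup table.
# PFHD band per PL: lower bound inclusive, upper bound exclusive.
PFHD_BANDS = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
              "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

# Achieved PL per (Category, DCavg band) for MTTFD (low, medium, high), as
# tabulated on the page; None = not credited (assumed: Cat 4 needs High MTTFD).
PL_TABLE = {("B", "none"): ("a", "b", "c"), ("1", "none"): ("a", "b", "c"),
            ("2", "low"): ("b", "c", "d"), ("2", "medium"): ("c", "d", "d"),
            ("3", "low"): ("c", "d", "d"), ("3", "medium"): ("d", "d", "e"),
            ("4", "high"): (None, None, "e")}

def pl_from_pfhd(pfhd):
    """PL whose PFHD band contains pfhd, or None outside PL a..e."""
    return next((pl for pl, (lo, hi) in PFHD_BANDS.items() if lo <= pfhd < hi), None)

def plr_from_risk_graph(s, f, p, irreversible=False):
    """PLr from the page's Annex A tree (S1/S2, F1/F2, P1/P2)."""
    if s == "S1":
        return "a"
    if (f, p) == ("F2", "P2"):
        return "e" if irreversible else "d"
    return {("F1", "P1"): "b", ("F1", "P2"): "c", ("F2", "P1"): "c"}[(f, p)]

def mttfd_band(years):
    """Low 3-10 y, Medium 10-30 y, High 30-100 y; claims above 100 y are capped."""
    years = min(years, 100.0)
    if years < 3:
        return None                      # below the lowest band: not usable
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(percent):
    """None <60 %, Low 60-90 %, Medium 90-99 %, High >=99 %."""
    return "none" if percent < 60 else "low" if percent < 90 else \
           "medium" if percent < 99 else "high"

def achieved_pl(cat, mttfd_years, dc_percent, ccf_score=100):
    """Cat + DCavg + MTTFD -> PL, with the Annex F CCF gate for Cat 3/4."""
    if cat in ("3", "4") and ccf_score < 65:
        return None                      # CCF failed: redundancy not credited
    band = mttfd_band(mttfd_years)
    row = PL_TABLE.get((cat, dc_band(dc_percent)))
    return row[("low", "medium", "high").index(band)] if band and row else None

def meets_plr(cat, mttfd_years, dc_percent, plr, ccf_score=100):
    """True when the achieved PL is at least PLr (letters a..e sort in PL order)."""
    pl = achieved_pl(cat, mttfd_years, dc_percent, ccf_score)
    return pl is not None and pl >= plr
```

Running `meets_plr("3", 20, 95, plr_from_risk_graph("S2", "F2", "P1"))` walks a typical Cat 3 safety door through the whole flow; lowering `ccf_score` below 65 drops the result to "not credited" rather than to a lower PL, which is the binary behaviour the page describes.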

SISTEMA — the unofficial standard tool

The IFA (DGUV, Germany) publishes SISTEMA, a free desktop tool that implements the full ISO 13849-1 calculation flow. It’s the de facto industry tool, supported by every major safety vendor (Pilz, Sick, Schmersal, Siemens) who provide component data libraries directly importable into SISTEMA.

Our PFD ↔ SIL calculator covers the IEC 61511 side. For pure machinery design in PL terms, the SISTEMA workflow is hard to beat — and we will not duplicate it; we’ll likely link to it and complement it with conceptual education.

Why two machinery standards (ISO 13849 + IEC 62061)?

Historical accident. Both are harmonized under the Machinery Directive 2006/42/EC:

  • ISO 13849 comes from the mechanical engineering / DIN tradition
  • IEC 62061 is the machinery adaptation of IEC 61508 (uses SIL language)

Both are valid. In practice, ISO 13849 dominates Europe for typical machinery (its tools and component certifications are widespread). IEC 62061 is more often seen in complex machinery with significant programmable electronic content (multi-axis CNC, large packaging lines).

There is ongoing work to converge them in a future joint revision — IEC/ISO 17305 was the proposed merged document, but it has been on hold. For now, designers pick one and stick with it.

Relationship to other standards

  • IEC 61508: parent. ISO 13849 borrows the PFH metric structure but reorganizes the SIL-equivalent into PL.
  • IEC 62061: sibling. Same scope as ISO 13849, SIL-based language. Often used together (system level in 62061, components in 13849).
  • ISO 12100: prerequisite. Defines the risk assessment process for machinery. The PLr decision (Annex A of ISO 13849) is downstream of an ISO 12100 risk assessment.
  • IEC 60204-1: machinery electrical equipment. The “physical layer” wiring/protection rules that complement ISO 13849.

Applicable industries

  • Industrial machinery (assembly, packaging, machine tools)
  • Robotics and cobotics
  • Conveyors and material handling
  • Wood and metal processing machines
  • Food processing machinery
  • Plastic injection / blow molding
  • Lifts and hoists (sometimes ISO 13849, sometimes lift-specific standards)
