ISO 13849 Analysis — Part 2: Safety Requirement Specification

This entry is part 2 of 6 in the series How to do a 13849-1 analysis

Developing the Safety Requirement Specification

The Safety Requirement Specification sounds pretty heavy, but it is just a big name for a way to organise the information you need in order to analyse and design the safety systems for your machinery. Note that I am assuming that you are doing this in the “right” order, meaning that you are planning the design beforehand, rather than trying to back-fill the documentation after completing the design. In either case, the process is the same, but getting the information you need can be much harder after the fact than before doing the design work. Some aspects cannot be done in review mode at all, especially if a third party to whom you have no access did the design work [8].

If you missed the first instalment in this series, you can read it here.

What goes into a Safety Requirements Specification?

For reference, clause 5 of ISO 13849-1 [1] covers the specification of safety functions to some degree, but I think it needs some clarification. First of all, what is a safety function?

Safety functions include any function of the machine that has a direct protective effect for the worker using the machinery. However, using this definition, it is possible to ignore some important functions. Complementary protective measures, like emergency stop, can be missed because they are usually “after the fact”, i.e., the injury occurs, and then the E-stop is pressed, so you cannot say that it has a “direct protective effect”. If we look at the definitions in [1], we find:

3.1.20 safety function: function of the machine whose failure can result in an immediate increase of the risk(s). [SOURCE: ISO 12100:2010, 3.30]

Linking Risk to Functional Safety

Referring to the risk assessment, any risk control that protects workers from some aspect of the machine operation using a control function like an interlocked gate, or by maintaining a temperature below a critical level or speed at a safe level, is a safety function. For example: if the temperature in a process rises too high, the process will explode; or if a shaft speed is too high (or too low) the tool may shatter and eject broken pieces at high speed. Therefore, the temperature control function and the speed control function are safety functions. These functions may also be process control functions, but the potential for an immediate increase in risk due to a failure is what makes these functions safety functions no matter what else they may do.

[1, Table 8] gives you some examples of the various kinds of safety functions found on machines. The table is not exhaustive, meaning there are many more safety functions out there than are listed in the table. Your job is to figure out which ones live in your machine. It is a bit like Pokemon – ya gotta catch ’em all!

Basic Safety Requirement Specification

Each safety function must have a required Performance Level (PLr) or a Safety Integrity Level (SIL) assigned, based on the risk assessment. For each safety function, you need to develop the following information:

Basic Safety Requirement Specification

Safety Function Identification: Name or other reference, e.g. “Access Gate Interlock” or “Hazard Zone 2”.

Functional Characteristics:
  • Intended use or foreseeable misuse of the machine relevant to the safety function
  • Operating modes relevant to the safety function
  • Cycle time of the machine
  • Response time of the safety function

Emergency Operation: Is this an emergency operation function? If yes, what types of emergencies might be mitigated by this function?

Interactions: What operating modes require this function to be operational? Are there modes where this function requires deliberate bypass? These could include normal working modes (automatic, manual, set-up, changeover), and fault-finding or maintenance modes.

Behaviour: How you want the system to behave when the safety function is triggered, e.g., power is immediately removed from the MIG welder using an IEC 60204-1 Category 0 stop function, and robot motions are stopped using an IEC 60204-1 Category 1 stop function through the robot safety stop input; or, all horizontal pneumatic motions stop in their current positions and vertical motions return to the raised or retracted positions.

Also to be considered is the power-loss condition. Should the system behave in the same way as if the safety function was triggered, not react at all, or do something else? Consider vertical axes that might require holding brakes or other mechanisms to prevent a power loss from causing unexpected motion.

Machine State after Triggering: What is the expected state of the machine after triggering the safety function? What is the recovery process?

Frequency of Operation: How often do you expect this safety function to be used? A reasonable estimate is needed. More on this below.

Priority of Operation: If simultaneous triggering of multiple safety functions is possible, which function(s) take precedence? E.g., emergency stop always takes precedence over everything else. A less obvious case: a safe speed function and a guard interlock are associated because the interlock is part of the guarding that covers a shaft, and to troubleshoot the safe speed function you need access to the shaft where the encoders are mounted. Which function governs while the guard is open?

Required Performance Level: I suggest recording the S, F and P values selected, as well as the PLr value, for later reference.

Here’s an example table in MS Word format that you can use as a starting point for your SRS documents. That is the minimum. An SRS can be much more detailed than this, and you can add lots more information, but the minimum will get you started. If you want more information on developing the SRS, see IEC 61508-1 [7], 7.10.2.

What’s Next?

Next, you need to be able to make some design decisions about system architecture and components. Circuit architectures have been discussed at some length on the MS101 blog in the past, so I am not going to go through them again in this series. Instead, I will show you how to choose an architecture based on your design goals in the next instalment. In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[7]     Functional safety of electrical/electronic/programmable electronic safety-related systems. Seven parts. IEC Standard 61508. Edition 2. 2010.

[8]     S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, “Feasibility study and uncertainties in the validation of an existing safety-related control circuit with the ISO 13849-1:2006 design standard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

ISO 13849 Analysis — Part 1: Start with Risk Assessment

This entry is part 1 of 6 in the series How to do a 13849-1 analysis

I often get questions from clients about how to get started on Functional Safety using ISO 13849. This article is the first in a series that will walk you through the basics of using ISO 13849. Keep in mind that you will need to hold a copy of the 3rd edition of ISO 13849-1 [1] and the 2nd edition of ISO 13849-2 [2] to use as you go along. There are other standards which you may also find useful, and I have included them in the Reference section at the end of the article. Each post has a Reference List. I will publish a complete reference list for the series with the last post.

Where to start?

So you have just learned that you need to do an ISO 13849 functional safety analysis. You have the two parts of the standard, and you have skimmed them, but you are feeling a bit overwhelmed and unsure of where to start. By the end of this article, you should be feeling more confident about how to get this job done.

Step 1 – Risk Assessment

For the purpose of this article, I am going to assume that you have a risk assessment for the machinery, and you have a copy for reference. If you do not have a risk assessment, stop here and get that done. There are several good references for that, including ISO 12100 [3], CSA Z432 [4], and ANSI B11.TR3 [5]. You can also have a look at my series on Risk Assessment.

The risk assessment should identify which risks require mitigation using the control system, e.g., use of an interlocked gate, a light curtain, a two-hand control, an enabling device, etc. See the MS101 glossary for detailed definitions. Each of these becomes a safety function. Each safety function requires a safety requirements specification (SRS), which I will describe in more detail a bit later.

Safety Functions

The 3rd edition of ISO 13849-1 [1] provides two tables that give some examples of safety function characteristics [1, Table 8] and parameters [1, Table 9], and also provides references to corresponding standards that will help you to define the necessary parameters. These tables should not be considered exhaustive; there is no way to list every possible safety function in a table like this. The tables will give you some good ideas about what to look for in machine control functions that will make them safety functions.

While you are identifying risk reduction measures that will use the control system for mitigation, don’t forget that complementary protective measures like emergency stop, enabling devices, etc. all need to be included. Some of these functions may have minimum requirements set by Type B2 standards, like ISO 13850 [6] for emergency stop which sets the minimum performance level for this function at PLc.

Selecting the Required Performance Level

ISO 13849-1:2015 provides a graphical means (the risk graph in Annex A) for selecting the minimum Performance Level (PL) required for the safety function, based on the risk assessment. A word of caution here: you may feel like you are re-assessing the risk using this tool, because it does use risk parameters (severity, frequency/duration of exposure and possibility to avoid/limit harm) to determine the PL. This tool is not a risk assessment tool, and using it that way is a fundamental mistake. Its output is a Performance Level, which ISO 13849-1 defines for a safety function in terms of the average probability of a dangerous failure per hour (PFHd). For example, it is entirely incorrect to say, “This machine has a risk level of PLc”: a PL describes the probable dangerous failure rate of one safety function, not the risk of a machine.

Graphical Performance Level selection tool for determining the PLr of a safety function [1]
Once you have assigned a required Performance Level (PLr) to each safety function, you can move on to the next step: Developing the Safety Requirements Specification.
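As an added example that is not part of either post (the editor's own illustration, not code from MS101 or from the standard), the following Python encodes the PLr selection just described together with the minimum SRS content listed in Part 2: the Annex A risk graph maps the recorded S, F and P values to PLr, the Table 2 bands map a design's PFHd to the PL it actually achieves, and a record per safety function carries the SRS fields so that a set of records can be checked for the things a reviewer looks for (PLr consistent with S/F/P, power-loss behaviour decided, no mode both active and bypassed, emergency stop at least PL c per ISO 13850 and taking precedence over everything else). Field names, the sample welding-cell functions and their values are assumptions:

```python
"""Added example (the editor's illustration, not code from the MS101 posts or
from ISO 13849-1): PLr from the Annex A risk graph, one SRS record per safety
function holding the minimum content listed in Part 2, and the consistency
checks a reviewer would run.  Field names and sample values are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# ISO 13849-1:2015, Figure A.1 risk graph: (S, F, P) -> required PL.
# S1 slight / S2 serious; F1 seldom / F2 frequent; P1 possible / P2 scarcely.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}
# ISO 13849-1:2015, Table 2: PL -> [lower, upper) band of PFHd, the average
# probability of a dangerous failure per hour.  A PL belongs to a safety
# function, not to a machine, which is why "this machine is PLc" is wrong.
PFHD_BANDS = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
              "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}
PL_ORDER = "abcde"  # a lowest, e highest


def required_pl(s: int, f: int, p: int) -> str:
    """Look up PLr for the S, F and P values recorded in the SRS."""
    if (s, f, p) not in RISK_GRAPH:
        raise ValueError(f"S, F and P must each be 1 or 2, got {(s, f, p)}")
    return RISK_GRAPH[(s, f, p)]


def achieved_pl(pfhd: float) -> Optional[str]:
    """PL reached by a design with this PFHd, or None if worse than PL a.
    Table 2 stops at 1e-8; anything below still counts as PL e here."""
    if pfhd < 0:
        raise ValueError("PFHd cannot be negative")
    for pl in reversed(PL_ORDER):
        lo, hi = PFHD_BANDS[pl]
        if pfhd < hi and (pfhd >= lo or pl == "e"):
            return pl
    return None


def meets(pfhd: float, plr: str) -> bool:
    """True when the achieved PL is at least the required PL."""
    got = achieved_pl(pfhd)
    return got is not None and PL_ORDER.index(got) >= PL_ORDER.index(plr)


@dataclass(frozen=True)
class SafetyFunction:
    """One row of the basic SRS table from Part 2 (field names assumed)."""
    name: str
    s: int
    f: int
    p: int
    plr: str
    stop_category: int            # IEC 60204-1 stop category 0, 1 or 2
    response_time_ms: float
    behaviour_on_trigger: str
    behaviour_on_power_loss: str  # must be decided explicitly (see Part 2)
    priority: int                 # 0 takes precedence over everything else
    is_emergency_stop: bool = False
    active_in_modes: tuple = ()
    bypassed_in_modes: tuple = ()


def check_srs(functions: List[SafetyFunction]) -> List[str]:
    """Return findings for the whole SRS set; an empty list means it passed."""
    findings = []
    for sf in functions:
        expected = required_pl(sf.s, sf.f, sf.p)
        if sf.plr != expected:
            findings.append(f"{sf.name}: PLr {sf.plr} disagrees with risk graph ({expected})")
        if sf.stop_category not in (0, 1, 2):
            findings.append(f"{sf.name}: stop category must be 0, 1 or 2")
        if sf.response_time_ms <= 0:
            findings.append(f"{sf.name}: response time must be specified")
        if not sf.behaviour_on_power_loss.strip():
            findings.append(f"{sf.name}: behaviour on power loss not specified")
        if set(sf.active_in_modes) & set(sf.bypassed_in_modes):
            findings.append(f"{sf.name}: a mode is both active and bypassed")
        # ISO 13850 sets PL c as the floor for the emergency stop function.
        if sf.is_emergency_stop and PL_ORDER.index(sf.plr) < PL_ORDER.index("c"):
            findings.append(f"{sf.name}: emergency stop needs at least PL c")
    estops = [sf for sf in functions if sf.is_emergency_stop]
    others = [sf for sf in functions if not sf.is_emergency_stop]
    # Priority of operation: emergency stop always takes precedence.
    if estops and others and min(o.priority for o in others) <= max(e.priority for e in estops):
        findings.append("emergency stop does not take precedence over every other function")
    return findings


# Constructed sample SRS for a robotic MIG welding cell (all values assumed).
SAMPLE_SRS = [
    SafetyFunction("Access Gate Interlock", 2, 2, 1, "d", 1, 250.0,
                   "Welder power removed (Cat 0); robot stopped (Cat 1) via safety stop input",
                   "Same as triggered; holding brake keeps the vertical axis in place",
                   priority=1, active_in_modes=("auto",), bypassed_in_modes=("teach",)),
    SafetyFunction("Emergency Stop", 2, 1, 1, "c", 0, 100.0, "All power removed (Cat 0)",
                   "Same as triggered", priority=0, is_emergency_stop=True,
                   active_in_modes=("auto", "teach")),
]
```

Run `check_srs(SAMPLE_SRS)` and it returns no findings; swap the two priorities, or leave the power-loss field blank, and the corresponding finding appears. `meets(4.5e-7, "d")` is true while `meets(4.5e-7, "e")` is false, which is the comparison you make once the architecture and components in the next instalment give you a PFHd for the design.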


References


[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2]     Safety of machinery — Safety-related parts of control systems — Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3]      Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4]     Safeguarding of Machinery. CSA Standard Z432. 2004.

[5]     Risk Assessment and Risk Reduction - A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]    Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

Why you should stop using the term ‘Deadman’

Do you use the phrase ‘deadman’ or ‘deadman switch’ when talking about safety-related controls on your machinery? I often run into this when I’m working with clients who use the terms to refer to ‘enabling devices’ – you know, those two- or three-position switches that are found on robot teaching pendants and in other applications to give the operator a way to stop machinery, even if they have already been injured or killed by the equipment. Calling these devices a ‘Deadman Switch’, or even a ‘Live-Man Switch’ as the three-position devices are sometimes called, sends entirely the wrong message to the user as far as I’m concerned. The objective of our work as machinery safety engineers is to prevent injuries from happening in the first place. Using a device that is designed to determine if the user is dead or unconscious means someone screwed up.

A little history

The term ‘deadman’ comes from a device that was developed by the railroad locomotive builders in the 1800s. In those days, locomotives were fired by coal or wood, used to heat the boiler to generate steam. The engines were usually attended by two men: a Fireman and the Engineer. The Fireman’s job was primarily to keep the firebox stoked and to assist the Engineer. The Engineer’s job was to keep the locomotive running, including driving the train.

The cabin was generally open at the back, and even in cold weather this was seldom a problem because the heat from the firebox was more than enough to keep the men warm. In the summer, it was very difficult to keep the cab cool enough, even with the windows open.

The motion of the engine was regulated with two valves, one that provided the forward / reverse selection and a long lever with a ratchet mechanism that controlled the speed and braking. The ratchet allowed the engineer to set the valve in one position and have it stay steady. As long as the boiler was producing sufficient steam, the engine would keep on rolling.

The locomotives occasionally had problems with carbon monoxide building up in the cab, causing the engineer to slip into unconsciousness and sometimes die. As long as the CO didn’t also affect the fireman, the engine could be stopped. In the summer, the possibility of heat exhaustion and heat stroke could also cause the men to succumb while the train was moving.

A ‘deadman’ pedal in a railway locomotive

Since the speed valve was normally set in one position, the train could continue with the crew unconscious or worse. After some terrible accidents, designers came up with the ‘deadman’ control – the engineer would be required to maintain a device in a certain position in addition to the speed control valve, otherwise the brakes would be applied stopping the engine. The intent was literally to detect a dead man at the controls!

With the advent of electric trains, trams and subways, the concerns about heat and CO were eliminated, but other possibilities, including heart attacks and other infirmities caused these devices to be integrated into these new transportation systems. To learn more about these applications, see the Wikipedia article Dead Man’s Switch.

It’s worth noting that the railways now call these devices ‘Driver Safety Devices’ or DSD. See a modern DSD at the Arrowvale Electronics web site.

Robots Enter the Picture

Motoman pendant showing the enabling device (red arrow)

In the 1980s, industrial robots began to appear in the workplace. Accidents in these early days drove changes in the design of the control pendants used to ‘teach’ these devices their tasks. Early pendants provided motion control and an emergency stop device. Later, the motion controls were altered to become ‘hold-to-run’ devices that could jog the selected robot axis at a pre-selected slow speed, one axis at a time. In the 1990s the ‘enabling device’ was added to the pendant. These two-position switches, still called ‘dead-man switches’, had to be held closed in order for the robot to move under control of the axis hold-to-run controls. Accidents continued to occur. In the mid-1990s the three-position enabling device, sometimes called a ‘live-man switch’, was introduced after studies showed that some people would release their grip on the control pendant when struck by the robot, while others would clench the hand holding the pendant. The new switches must be held in the mid position to enable motion, so either letting go or clenching removes the enabling signal. The picture at left shows the back of a modern robot pendant. The black bar in the lower right is the enabling device, located so that your hand will naturally hold the device in the correct position when you hold the pendant in your left hand. Not so good if you are left-handed!

ABB IRB640 robot pendant

Euchner ZS switches

In addition to the pendant enabling devices, additional enabling devices are required where more than one worker is required inside the danger zone of the machine. These devices can be purchased separately and added to systems as needed. Depending on the application, you can get these devices with emergency stop buttons and jog buttons integrated into a single unit as shown in the picture of the Euchner ZS switches.

Machinery Standards and Definitions

Enabling devices are one of those protective measures that cannot readily be classified as safeguarding devices, because they do not proactively prevent injury. Instead, like an emergency stop, they may allow a worker to avert or limit harm that is already occurring. That makes the enabling device a ‘complementary protective measure’.

Let’s take a minute to look at a couple of important definitions from the machinery standards. At the moment, the best definition for a complementary protective measure comes from the Canadian standard, CSA Z432-04. Excerpted from CSA Z432-04, §6.2.3.5.3 Complementary Protective Measures:

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Let’s also look at the formal definition of an ‘enabling device’ in the same standard:

7.23.3 Enabling devices
7.23.3.1
An enabling device is an additional manually operated 2- or 3-position control device used in conjunction with a start control and which, when continuously actuated in one position only, allows a machine to function. In any other position, motion is stopped or a start is prevented.

7.23.3.2
Enabling devices shall have the following features:

a) They shall be connected to a Category 0 or a Category 1 stop (see NFPA 79).

b) They shall be designed in accordance with ergonomic principles:

(i) position 1 is the off function of the switch (actuator is not operated);

(ii) position 2 is the enabling function (actuator is operated); and

(iii) position 3 (if used) is the off function of the switch (actuator is not operated past its mid position).

c) Three-position enabling devices shall be designed to require manual operation in order to reach position 3.

d) When returning from position 3 to position 2, the function shall not be enabled.

e) An enabling device shall automatically return to its off function when its actuator is not manually held in the enabling position.

Note: Tests have shown that human reaction to an emergency may be to release an object or to hold on tighter, thus compressing an enabling device. The ergonomic issues of sustained activation should be considered during design and installation of the enabling device.

OMRON A4EG enabling switches

Similar definitions exist in the International, European and US standards, although they may not be quite as formalized.

Most enabling devices on their own do nothing except PERMIT motion to take place, although the definition in CSA Z432 (“allows a machine to function”) does permit the enabling device itself to cause motion. Absence of the enabling signal prevents or stops motion. These devices are therefore used in conjunction with hold-to-run controls on robots and machinery, and with throttle controls on trains, street cars, subways and similar equipment. Note that most other standards do not permit enabling devices to actually cause motion; this is a unique situation in the Canadian standard.
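As an added example, not code from this post or from CSA Z432 (the editor's own illustration), the following Python models a three-position enabling device as a small state machine with the behaviour listed in Z432-04, 7.23.3.2 (enable only in position 2, position 3 is off, no re-enable when coming back from 3 to 2, automatic return to off on release), next to the older two-position design, and combines each with a hold-to-run control so that the device only permits motion. The class and method names and the two operator scenarios are constructed:

```python
"""Added example (the editor's illustration, not code from the MS101 post or
from CSA Z432): a three-position enabling device modelled as a state machine
with the behaviour listed in CSA Z432-04, 7.23.3.2, beside a two-position
device, each combined with a hold-to-run control so that the device only
PERMITS motion.  Class and method names and the scenarios are assumptions."""


class ThreePositionEnablingDevice:
    """Positions: 1 = released (off), 2 = mid (enable), 3 = pressed through (off).
    The device never commands motion; it only reports whether motion is enabled."""

    def __init__(self) -> None:
        self.position = 1
        self._passed_position_3 = False  # remembers a clench until full release

    def move_to(self, position: int) -> None:
        if position not in (1, 2, 3):
            raise ValueError("position must be 1, 2 or 3")
        if position == 3:
            # (c) position 3 takes deliberate force; the panic clench of a
            # struck operator pushes straight through the mid position to 3.
            self._passed_position_3 = True
        elif position == 1:
            # (e) the actuator has returned to its off function; only a full
            # release clears the memory of the clench.
            self._passed_position_3 = False
        self.position = position

    @property
    def enabled(self) -> bool:
        """(b)(ii) enable only in position 2, and (d) not when returning from
        position 3 to position 2 without passing through position 1."""
        return self.position == 2 and not self._passed_position_3


class TwoPositionEnablingDevice:
    """The older design: released = off, pressed = enable.  There is no third
    position, so pressing harder (a clench) is still 'pressed'."""

    def __init__(self) -> None:
        self.position = 1

    def move_to(self, position: int) -> None:
        if position not in (1, 2, 3):
            raise ValueError("position must be 1, 2 or 3")
        self.position = 1 if position == 1 else 2  # a clench collapses onto 2

    @property
    def enabled(self) -> bool:
        return self.position == 2


def motion_permitted(device, hold_to_run_pressed: bool) -> bool:
    """Motion needs the enabling signal AND the hold-to-run control.  Absence
    of the enabling signal prevents or stops motion (a Category 0 or 1 stop
    in the real circuit; assumed here to take effect immediately)."""
    return device.enabled and hold_to_run_pressed


def replay(actions, device_cls=ThreePositionEnablingDevice) -> list:
    """Replay (position, hold_to_run) pairs against a fresh device and return
    whether motion was permitted after each step."""
    device = device_cls()
    trace = []
    for position, hold_to_run in actions:
        device.move_to(position)
        trace.append(motion_permitted(device, hold_to_run))
    return trace


# Constructed scenario: the operator squeezes to the mid position and jogs,
# is struck and clenches through to position 3 while still holding the jog
# button, relaxes back to the mid position, lets go completely, then squeezes
# to the mid position and jogs again.
CLENCH_SCENARIO = [(2, True), (3, True), (2, True), (1, False), (2, True)]

# Constructed scenario: the operator lets go of the pendant while jogging, then
# presses the jog button alone without actuating the enabling device.
RELEASE_SCENARIO = [(2, True), (1, True), (1, True)]

if __name__ == "__main__":
    print("three-position, clench: ", replay(CLENCH_SCENARIO))
    print("two-position,   clench: ", replay(CLENCH_SCENARIO, TwoPositionEnablingDevice))
    print("three-position, release:", replay(RELEASE_SCENARIO))
```

Replaying the clench scenario against the three-position device gives motion only on the first and last steps: the clench stops the robot, and relaxing back to the mid position does not restart it until the operator has let go completely. The same scenario against the two-position device keeps motion permitted right through the clench, which is the failure mode that drove the change described above.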

So what’s the big deal?

Using the terms ‘dead-man’ or ‘live-man’ to describe these devices puts the wrong message out as far as I’m concerned. As safety engineers and OHS practitioners, we care about keeping workers out of danger. We are not checking whether we have a ‘dead man’ or a ‘live man’; we are ensuring that the person in control of the equipment is actually in control. Using a phrase like ‘enabling device’ clearly says what the device does.

In my opinion, and supported by the current International and Canadian standards, these terms must be abandoned in favour of ‘enabling device’ and the qualifiers ‘2-position enabling device’ and ‘3-position enabling device’. These terms are also used in many of the current machinery safety standards, so using them correctly improves clarity in writing and speaking. Clarity in communication about safety is too important for practitioners to permit the ongoing use of terms that convey the wrong message. Since clarity is often lacking when it comes to safety, anything we can do to improve our communications should be high on our priority list!