ISO 13849 Analysis — Part 1: Start with Risk Assessment

This entry is part 1 of 6 in the series How to do a 13849-1 analysis

I often get questions from clients about how to get started on Functional Safety using ISO 13849. This article is the first in a series that will walk you through the basics of using ISO 13849. Keep in mind that you will need to hold a copy of the 3rd edition of ISO 13849-1 [1] and the 2nd edition of ISO 13849-2 [2] to use as you go along. There are other standards which you may also find useful, and I have included them in the Reference section at the end of the article. Each post has a Reference List. I will publish a complete reference list for the series with the last post.

Where to start?

So you have just learned that you need to do an ISO 13849 functional safety analysis. You have the two parts of the standard, and you have skimmed them, but you are feeling a bit overwhelmed and unsure of where to start. By the end of this article, you should be feeling more confident about how to get this job done.

Step 1 – Risk Assessment

For the purpose of this article, I am going to assume that you have a risk assessment for the machinery, and you have a copy for reference. If you do not have a risk assessment, stop here and get that done. There are several good references for that, including ISO 12100 [3], CSA Z432 [4], and ANSI B11.TR3 [5]. You can also have a look at my series on Risk Assessment.

The risk assessment should identify which risks require mitigation using the control system, e.g., use of an interlocked gate, a light curtain, a two-hand control, an enabling device, etc. See the MS101 glossary for detailed definitions. Each of these becomes a safety function. Each safety function requires a safety requirements specification (SRS), which I will describe in more detail a bit later.

Safety Functions

The 3rd edition of ISO 13849 [1] provides two tables that give some examples of safety function characteristics [1, Table 8] and parameters [1, Table 9] and also provides references to corresponding standards that will help you to define the necessary parameters. These tables should not be considered to be exhaustive – there is no way to list every possible safety function in a table like this. The tables will give you some good ideas about what you are looking for in machine control functions that will make them safety functions.

While you are identifying risk reduction measures that will use the control system for mitigation, don’t forget that complementary protective measures like emergency stop, enabling devices, etc. all need to be included. Some of these functions may have minimum requirements set by Type B2 standards, like ISO 13850 [6] for emergency stop which sets the minimum performance level for this function at PLc.

Selecting the Required Performance Level

ISO 13849-1:2015 provides a graphical means for selecting the minimum Performance Level (PL) required for the safety function based on the risk assessment. A word of caution here: you may feel like you are re-assessing the risk using this tool because it does use risk parameters (severity, frequency/duration of exposure and possibility to avoid/limit harm) to determine the PL. This tool is not a risk assessment tool, and using it that way is a fundamental mistake. Its output is in terms of performance level, which is failure rate per hour of operation. For example, it is entirely incorrect to say, “This machine has a risk level of PLc” since we define PLs in terms of probable failure rate per hour.

Figure: Graphical Performance Level Selection Tool [1] (ISO 13849-1 graphical selection tool for determining the PLr requirement for a safety function)

Once you have assigned a required Performance Level (PLr) to each safety function, you can move on to the next step: Developing the Safety Requirements Specification.
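
As an added example (not from the original article or from the standard's text), the selection step can be written as a lookup over the ISO 13849-1 risk graph parameters S, F and P, with a floor applied where another standard sets a minimum PL, as ISO 13850 does for emergency stop. The names SafetyFunction, MIN_PL and pfhd_ok are hypothetical, and the two sample safety functions are constructed.

```python
from dataclasses import dataclass

PL_ORDER = "abcde"  # a = lowest performance level, e = highest

# Risk graph: (severity S, frequency/exposure F, avoidance P) -> PLr
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# PFHd band (1/h) defining each PL: lower bound inclusive, upper exclusive
PFHD_BAND = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
             "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}

# Floors set by other standards; the article cites ISO 13850 (e-stop, PLc)
MIN_PL = {"emergency stop": "c"}

@dataclass
class SafetyFunction:
    name: str
    kind: str
    s: str
    f: str
    p: str

def required_pl(sf):
    """PLr from the risk graph, raised to any floor for this kind of function."""
    graph_pl = RISK_GRAPH[(sf.s, sf.f, sf.p)]  # KeyError on invalid parameters
    return max(graph_pl, MIN_PL.get(sf.kind, "a"), key=PL_ORDER.index)

def pfhd_ok(pfhd, plr):
    """Quantitative part only: is PFHd below the upper limit of the PLr band?"""
    return pfhd < PFHD_BAND[plr][1]

# Constructed sample safety functions (not from the article)
SAMPLE = [
    SafetyFunction("Guard door interlock", "interlock", "S2", "F1", "P2"),
    SafetyFunction("E-stop, operator panel", "emergency stop", "S1", "F1", "P2"),
]

if __name__ == "__main__":
    for sf in SAMPLE:
        plr = required_pl(sf)
        print(f"{sf.name}: PLr {plr}, PFHd band {PFHD_BAND[plr]} per hour")
```

The output is a required failure-rate band for each safety function, not a risk level for the machine, which is the distinction the section draws.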

Book List

Here are some books that I think you may find helpful on this journey:

[0] B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1] D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2] Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3] Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3] Safety of machinery — General principles for design — Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4] Safeguarding of Machinery. CSA Standard Z432. 2004.

[5] Risk Assessment and Risk Reduction – A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6] Safety of machinery — Emergency stop function — Principles for design. ISO Standard 13850. 2015.

Scoring Severity of Injury – Hidden Probabilities

This entry is part 8 of 8 in the series Risk Assessment

I’ve been thinking a lot about risk scoring tools and the algorithms that we use. One of the key elements in risk is the Severity of Injury. There are hidden probabilities attached to the Severity of Injury scores that are assigned that are not discussed clearly in any of the risk assessment standards that are commonly in use. This all started when I was challenged to write an analysis of the problems with the CSA Risk Scoring Tool that you can find in the 2014 version of CSA Z434. That tool is deeply flawed in my opinion, but that is not the topic of this post. If you want to read my analysis, you can download the white paper and the presentation notes for my analysis from the Compliance inSight Publications page [1].

Scoring risk can be a tricky thing, especially in the machinery sector. We rarely have much in the way of real-world data to use in the analysis, and so we are left with the opinions of those building the machine as the basis for our evaluation. Severity is usually the first risk parameter to be estimated because it’s seen as the “easy” one – if the characteristics of the hazard are well known. One aspect of severity that is often missed is the probability of a certain severity of injury. We’re NOT talking about how likely it is for someone to be injured here; we’re talking about the most likely degree of injury that will occur when the person interacts with the hazard. Let me illustrate this idea another way: Let’s call Severity “Se”, any specific injury “I”, and the probability of any specific injury “Ps”. We can then write a short equation to describe this relationship.

Se f (I,Ps)

Since we want there to be a possibility of no injury, we should probably relate these parameters as a product:

Se = I x Ps

Ok, so what? What this equation says is: the Severity (Se) of any given injury (I), is the product of the specific type of injury and the probability of that injury. More simply yet, you could say that you should be considering the most likely type of injury that you think will occur when a person interacts with the hazard. Consider this example: A worker enters a robotic work cell to change the weld tips on the welding gun the robot uses. This task has to be done about once every two days. The entry gate is interlocked, and the robot was locked out before entry. The floor of the work cell has wireways, conduits and piping running across it from the edges of the cell to the various pieces of equipment inside the cell, creating uneven footing and lots of slip and trip hazards. The worker misses his footing and falls. What can you expect for Se in this case?

We know that falls on the same level can lead to fatalities, about 600/year in the USA [2], but that these are mostly in the construction and mining sectors rather than general manufacturing. We also know that broken bones are more likely than fatalities in falls to the same level. About a million slips and falls per year result in an emergency room visit, and of these, about 5%, or 50,000, result in fractures. Ok, so what do we do with this information? Let’s look at a typical severity scale, this one taken from IEC 62061 [3].

Table 1 – Severity (Se) classification [2, Table A.1]

Consequences | Severity (Se)
Irreversible: death, losing an eye or arm | 4
Irreversible: broken limb(s), losing a finger(s) | 3
Reversible: requiring attention from a medical practitioner | 2
Reversible: requiring first aid | 1

Using Table 1, we might come up with the following list of possible severities of injury. This list is not exhaustive, so feel free to add more.

Table 2 – Potential Injury Severities

Possible Injury | Severity (Se)
Fall on same level – Fatality | 4
Fall on same level – Broken wrist | 3
Fall on same level – Broken collarbone | 3
Fall on same level – Torn rotator cuff | 2
Fall on same level – Bruises | 1
Fall on same level – Head Injury | 3
Fall on same level – Head Injury | 4

How do we score this using a typical scoring tool? We could add each of these as line items in the risk register, and then assess the probability of each, but that will tend to create huge risk registers with many line items at very low risks. In practice, we decide on what we think is the most likely degree of injury BEFORE we score the risk. This results in a single line item for the hazard, rather than seven as would be the case if we scored each of these potential injuries individually.

We need a probability scale to use in assessing the likelihood of injuries. At the moment, no published scoring tool that I know of has a scale for this, so let’s do the simple thing: Probability (Ps) will be scored from 0-100%, with 100% being a certainty.

Going back to the second equation, what we are really doing is assigning a probability to each of the severities that we think exist, something like this:

Table 3 – Potential Injuries and their Probabilities

Possible Injury (I) | Severity (Se) | Probability (Ps)
Fall on same level – Fatality | 4 | 0.0075%
Fall on same level – Broken wrist | 3 | 5%
Fall on same level – Broken collarbone | 3 | 5%
Fall on same level – Torn rotator cuff | 2 | 5%
Fall on same level – Bruises | 1 | 90%
Fall on same level – Head Injury | 3 | 1%
Fall on same level – Head Injury | 4 | 0.0075%
Fall on same level – Lacerations to hands | 2 | 90%

The percentages for fatalities and fractures were taken roughly from [1]. Ok, so we can look at a table like this and say that cuts and bruises are the most likely types of injury in this case. We can either decide to group them for the overall risk score, or we can score each individually, resulting in adding two separate line items to the risk register. I’m going to use the other parameters from [2] for this example, and develop an example risk register, Table 4. In Table 4,

Se = Severity

Pr = Probability of the Hazardous Event

Fr = Frequency and Duration of Exposure

Av = Possibility to Avoid or Limit Harm

The algorithm I am using to evaluate the risk is R = Se x [Pr x (Fr + Av)] [1]. Note that where I have combined the two potential injuries into one line item (Item 1 in the register), I have selected the highest severity of the combined injuries. The less likely severities, and in particular the fatalities, have been ignored.

Table 4 – Example Risk Register

Note that I did not reduce the Se scores in the Final Risk Score, because I have not made changes to the slip/trip and fall hazards, only to the likelihood of the injury occurring. In all cases, we can show a significant risk reduction after mitigation. I’m not going to get into risk evaluation (i.e., Is the risk effectively controlled?) in this particular article, but the fact that you can show a significant risk reduction is important. There are lots of considerations in determining if the risk has been effectively controlled.
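
The grouping and scoring steps described above can be sketched as follows. This is an added example, not code from the original article. The 50% cut-off for "most likely", the function names, and the Pr, Fr and Av scores are constructed assumptions, not the values in Table 4.

```python
# Table 3 from the article: (possible injury, Se, Ps in percent)
TABLE_3 = [
    ("Fatality", 4, 0.0075),
    ("Broken wrist", 3, 5),
    ("Broken collarbone", 3, 5),
    ("Torn rotator cuff", 2, 5),
    ("Bruises", 1, 90),
    ("Head injury", 3, 1),
    ("Head injury", 4, 0.0075),
    ("Lacerations to hands", 2, 90),
]

def likely_injuries(table, min_ps=50.0):
    """Keep injuries whose probability Ps is at least min_ps percent.
    The threshold is a hypothetical stand-in for the analyst's judgement."""
    return [row for row in table if row[2] >= min_ps]

def grouped_severity(injuries):
    """One line item for the group: take the highest Se among its members."""
    if not injuries:
        raise ValueError("no injury meets the probability threshold")
    return max(se for _, se, _ in injuries)

def risk(se, pr, fr, av):
    """The article's algorithm: R = Se x [Pr x (Fr + Av)]."""
    return se * (pr * (fr + av))

def register_line(table, before, after, min_ps=50.0):
    """Score one hazard before and after mitigation. Se is held constant
    because the mitigation changes likelihood, not the hazard itself."""
    group = likely_injuries(table, min_ps)
    se = grouped_severity(group)
    r0, r1 = risk(se, *before), risk(se, *after)
    return {"injuries": [name for name, _, _ in group], "Se": se,
            "initial": r0, "final": r1,
            "reduction_pct": round(100 * (r0 - r1) / r0, 1)}

# Constructed (Pr, Fr, Av) scores; these are not the article's Table 4 values
BEFORE = (4, 4, 3)
AFTER = (2, 4, 3)

if __name__ == "__main__":
    print(register_line(TABLE_3, BEFORE, AFTER))
```

With these inputs the fatality and fracture rows fall below the cut-off, so the single line item carries Se = 2 from the lacerations rather than Se = 4.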


The probability of certain kinds of injuries occurring must be considered when estimating risk. This process is largely undocumented but nevertheless occurs. When risk analysts are considering the severity of injury from any given hazard, this article gives the reader one possible approach that could be used to select the types of injuries most likely to occur before scoring the rest of the risk parameters.


[1] D. Nix, ‘Evaluation of Problems and Challenges in CSA Z434-14 Annex DVA Task-Based Risk Assessment Methodology‘, 2015.

[2] National Floor Safety Institute (NFSI), ‘Quick Facts – Slips, Trips, and Falls’, 2015. [Online]. Available: [Accessed: 21- Jul- 2015].

[3] ‘Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC 62061.’, International Electrotechnical Commission (IEC), Geneva, 2005.



Get the Basics Right!

For more than 15 years I’ve been teaching people about risk assessment, machinery safety and CE Marking of machinery in private, onsite classes and through presentations at safety conferences. Things are about to change!

This fall, Compliance InSight Consulting will begin offering open-enrolment workshops in CE Marking, Risk Assessment, Functional Safety, and Machinery Safety, all with a focus on industrial machinery. These courses will be hands-on events, with students engaged in workshop activities throughout each event.

In the winter, these workshops will also migrate to our on-line education platform, so students in any location around the world can access our training programs.

This is an exciting step for CIC, and the workshops we have planned are engaging, dynamic and information packed.

Watch the blog, and subscribe to our mailing list to be the first to know when registration opens. Workshops will be limited size, first-come, first-served. We’ll announce dates and locations in early August!