ISO 13849-1 Analysis — Part 1: Start with Risk Assessment

This entry is part 1 of 9 in the series How to do a 13849-1 analysis

I often get questions from clients about how to get started on Functional Safety using ISO 13849. This article is the first in a series that will walk you through the basics of using ISO 13849. Keep in mind that you will need to hold a copy of the 3rd edition of ISO 13849-1 [1] and the 2nd edition of ISO 13849-2 [2] to use as you go along. There are other standards which you may also find useful, and I have included them in the Reference section at the end of the article. Each post has a Reference List. I will publish a complete reference list for the series with the last post.

Where to start?

So you have just learned that you need to do an ISO 13849 func­tion­al safety ana­lys­is. You have the two parts of the stand­ard, and you have skimmed them, but you are feel­ing a bit over­whelmed and unsure of where to start. By the end of this art­icle, you should be feel­ing more con­fid­ent about how to get this job done.

Step 1 – Risk Assessment

For the pur­pose of this art­icle, I am going to assume that you have a risk assess­ment for the machinery, and you have a copy for ref­er­ence. If you do not have a risk assess­ment, stop here and get that done. There are sev­er­al good ref­er­ences for that, includ­ing ISO 12100 [3], CSA Z432 [4], and ANSI B11.TR3 [5]. You can also have a look at my series on Risk Assessment.

The risk assessment should identify which risks require mitigation using the control system, e.g., use of an interlocked gate, a light curtain, a two-hand control, an enabling device, etc. See the MS101 glossary for detailed definitions. Each of these becomes a safety function. Each safety function requires a safety requirements specification (SRS), which I will describe in more detail a bit later.

Safety Functions

The 3rd edi­tion of ISO 13849 [1] provides two tables that give some examples of safety func­tion char­ac­ter­ist­ics [1, Table 8] and para­met­ers [1, Table 9] and also provides ref­er­ences to cor­res­pond­ing stand­ards that will help you to define the neces­sary para­met­ers. These tables should not be con­sidered to be exhaust­ive – there is no way to list every pos­sible safety func­tion in a table like this. The tables will give you some good ideas about what you are look­ing for in machine con­trol func­tions that will make them safety func­tions.

While you are identi­fy­ing risk reduc­tion meas­ures that will use the con­trol sys­tem for mit­ig­a­tion, don’t for­get that com­ple­ment­ary pro­tect­ive meas­ures like emer­gency stop, enabling devices, etc. all need to be included. Some of these func­tions may have min­im­um require­ments set by Type B2 stand­ards, like ISO 13850 [6] for emer­gency stop which sets the min­im­um per­form­ance level for this func­tion at PLc.

Selecting the Required Performance Level

ISO 13849-1:2015 provides a graphical means for selecting the minimum Performance Level (PL) required for the safety function based on the risk assessment. A word of caution here: you may feel like you are re-assessing the risk using this tool because it does use risk parameters (severity, frequency/duration of exposure and possibility to avoid/limit harm) to determine the PL. This tool is not a risk assessment tool, and using it that way is a fundamental mistake. Its output is in terms of performance level, which is failure rate per hour of operation. For example, it is entirely incorrect to say, “This machine has a risk level of PLc” since we define PLs in terms of probable failure rate per hour.

[Figure: Graphical Performance Level Selection Tool [1]]

Once you have assigned a required Performance Level (PLr) to each safety func­tion, you can move on to the next step: Developing the Safety Requirements Specification.
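
The PLr assignment step described above, as an added example that is not from the original article: it encodes the risk graph of ISO 13849-1 with the standard's S/F/P parameter labels, applies the PLc floor for emergency stop that the article cites from ISO 13850 [6], and attaches the failure-rate ceiling (PFHd) that each PL stands for. The register entries and their parameter choices are constructed for illustration.

```python
# PLr assignment for a safety-function register (added example).
# Risk-graph parameters: S1/S2 severity, F1/F2 frequency/duration of exposure,
# P1/P2 possibility to avoid or limit harm.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}
# Upper limit of the average probability of dangerous failure per hour per PL.
PFHD_LIMIT = {"a": 1e-4, "b": 1e-5, "c": 3e-6, "d": 1e-6, "e": 1e-7}
# Minimum PL imposed by a Type B2 standard; the article cites ISO 13850 [6].
MINIMUM_PL = {"emergency stop": "c"}


def required_pl(kind, s, f, p):
    """Return PLr: the risk-graph result, raised to any standard-imposed floor."""
    try:
        plr = RISK_GRAPH[(s, f, p)]
    except KeyError:
        raise ValueError(f"unknown risk-graph parameters: {s} {f} {p}") from None
    floor = MINIMUM_PL.get(kind, "a")
    return max(plr, floor)  # 'a' < 'b' < ... < 'e' orders by stringency


def build_register(functions):
    """Attach PLr and the PFHd ceiling the design must stay under."""
    rows = []
    for name, kind, s, f, p in functions:
        plr = required_pl(kind, s, f, p)
        rows.append({"function": name, "PLr": plr, "max_PFHd": PFHD_LIMIT[plr]})
    return rows


# Constructed sample register; the parameter choices are illustrative only.
SAMPLE = [
    ("Interlocked access gate", "interlock", "S2", "F1", "P2"),
    ("Light curtain at load station", "light curtain", "S2", "F2", "P2"),
    ("Emergency stop", "emergency stop", "S1", "F1", "P1"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['function']:32} PLr {row['PLr']}  PFHd < {row['max_PFHd']:.0e} /h")
```

The emergency stop row shows why the floor matters: the graph alone would give PLa for those parameters, and the ISO 13850 minimum raises it to PLc.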

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0] B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1] D. Smith and K. Simpson, Safety critical systems handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2] Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3] Overview of techniques and measures related to EMC for Functional Safety, 1st ed. Stevenage, UK: Overview of techniques and measures related to EMC for Functional Safety, 2013.


[1] Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2] Safety of machinery – Safety-related parts of control systems – Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3] Safety of machinery – General principles for design – Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4] Safeguarding of Machinery. CSA Standard Z432. 2004.

[5] Risk Assessment and Risk Reduction – A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6] Safety of machinery – Emergency stop function – Principles for design. ISO Standard 13850. 2015.

Scoring Severity of Injury – Hidden Probabilities

This entry is part 8 of 8 in the series Risk Assessment

I’ve been think­ing a lot about risk scor­ing tools and the algorithms that we use. One of the key ele­ments in risk is the Severity of Injury. There are hid­den prob­ab­il­it­ies attached to the Severity of Injury scores that are assigned that are not dis­cussed clearly in any of the risk assess­ment stand­ards that are com­monly in use. This all star­ted when I was chal­lenged to write an ana­lys­is of the prob­lems with the CSA Risk Scoring Tool that you can find in the 2014 ver­sion of CSA Z434. That tool is deeply flawed in my opin­ion, but that is not the top­ic of this post. If you want to read my ana­lys­is, you can down­load the white paper and the present­a­tion notes for my ana­lys­is from the Compliance inSight Publications page [1].

Scoring risk can be a tricky thing, espe­cially in the machinery sec­tor. We rarely have much in the way of real-​world data to use in the ana­lys­is, and so we are left with the opin­ions of those build­ing the machine as the basis for our eval­u­ation. Severity is usu­ally the first risk para­met­er to be estim­ated because it’s seen as the “easy” one – if the char­ac­ter­ist­ics of the haz­ard are well known. One aspect of sever­ity that is often missed is the prob­ab­il­ity of a cer­tain sever­ity of injury. We’re NOT talk­ing about how likely it is for someone to be injured here; we’re talk­ing about the most likely degree of injury that will occur when the per­son inter­acts with the haz­ard. Let me illus­trate this idea anoth­er way: Let’s call Severity “Se”, any spe­cif­ic injury “I”, and the prob­ab­il­ity of any spe­cif­ic injury “Ps”. We can then write a short equa­tion to describe this rela­tion­ship.

Se = f(I, Ps)

Since we want there to be a pos­sib­il­ity of no injury, we should prob­ably relate these para­met­ers as a product:

Se = I x Ps

Ok, so what? What this equa­tion says is: the Severity (Se) of any giv­en injury (I), is the product of the spe­cif­ic type of injury and the prob­ab­il­ity of that injury. More simply yet, you could say that you should be con­sid­er­ing the most likely type of injury that you think will occur when a per­son inter­acts with the haz­ard. Consider this example: A work­er enters a robot­ic work cell to change the weld tips on the weld­ing gun the robot uses. This task has to be done about once every two days. The entry gate is inter­locked, and the robot was locked out before entry. The floor of the work cell has wire­ways, con­duits and pip­ing run­ning across it from the edges of the cell to the vari­ous pieces of equip­ment inside the cell, cre­at­ing uneven foot­ing and lots of slip and trip haz­ards. The work­er misses his foot­ing and falls. What can you expect for Se in this case?

We know that falls on the same level can lead to fatalities, about 600/year in the USA [2], but that these are mostly in the construction and mining sectors rather than general manufacturing. We also know that broken bones are more likely than fatalities in falls to the same level. About a million slips and falls per year result in an emergency room visit, and of these, about 5%, or 50,000, result in fractures. Ok, so what do we do with this information? Let’s look at a typical severity scale, this one taken from IEC 62061 [3].

Table 1 – Severity (Se) classification [2, Table A.1]

| Consequences | Severity (Se) |
|---|---|
| Irreversible: death, losing an eye or arm | 4 |
| Irreversible: broken limb(s), losing a finger(s) | 3 |
| Reversible: requiring attention from a medical practitioner | 2 |
| Reversible: requiring first aid | 1 |

Using Table 1, we might come up with the fol­low­ing list of pos­sible sever­it­ies of injury. This list is not exhaust­ive, so feel free to add more.

Table 2 – Potential Injury Severities

| Possible Injury | Severity (Se) |
|---|---|
| Fall on same level – Fatality | 4 |
| Fall on same level – Broken wrist | 3 |
| Fall on same level – Broken collarbone | 3 |
| Fall on same level – Torn rotator cuff | 2 |
| Fall on same level – Bruises | 1 |
| Fall on same level – Head Injury | 3 |
| Fall on same level – Head Injury | 4 |

How do we score this using a typ­ic­al scor­ing tool? We could add each of these as line items in the risk register, and then assess the prob­ab­il­ity of each, but that will tend to cre­ate huge risk registers with many line items at very low risks. In prac­tice, we decide on what we think is the most likely degree of injury BEFORE we score the risk. This res­ults in a single line item for the haz­ard, rather than sev­en as would be the case if we scored each of these poten­tial injur­ies indi­vidu­ally.

We need a probability scale to use in assessing the likelihood of injuries. At the moment, no published scoring tool that I know of has a scale for this, so let’s do the simple thing: Probability (Ps) will be scored from 0–100%, with 100% being a certainty.

Going back to the second equa­tion, what we are really doing is assign­ing a prob­ab­il­ity to each of the sever­it­ies that we think exist, some­thing like this:

Table 3 – Potential Injuries and their Probabilities

| Possible Injury (I) | Severity (Se) | Probability (Ps) |
|---|---|---|
| Fall on same level – Fatality | 4 | 0.0075% |
| Fall on same level – Broken wrist | 3 | 5% |
| Fall on same level – Broken collarbone | 3 | 5% |
| Fall on same level – Torn rotator cuff | 2 | 5% |
| Fall on same level – Bruises | 1 | 90% |
| Fall on same level – Head Injury | 3 | 1% |
| Fall on same level – Head Injury | 4 | 0.0075% |
| Fall on same level – Lacerations to hands | 2 | 90% |

The percentages for fatalities and fractures were taken roughly from [1]. Ok, so we can look at a table like this and say that cuts and bruises are the most likely types of injury in this case. We can either decide to group them for the overall risk score, or we can score each individually, resulting in adding two separate line items to the risk register. I’m going to use the other parameters from [2] for this example, and develop an example risk register, Table 4. In Table 4:

Se = Severity

Pr = Probability of the Hazardous Event

Fr = Frequency and Duration of Exposure

Av = Possibility to Avoid or Limit Harm

The algorithm I am using to evaluate the risk is R = Se x [Pr x (Fr + Av)] [1]. Note that where I have combined the two potential injuries into one line item (Item 1 in the register), I have selected the highest severity of the combined injuries. The less likely severities, and in particular the fatalities, have been ignored.

[Table 4 – Example Risk Register (image not reproduced)]

Note that I did not reduce the Se scores in the Final Risk Score, because I have not made changes to the slip/​trip and fall haz­ards, only to the like­li­hood of the injury occur­ring. In all cases, we can show a sig­ni­fic­ant risk reduc­tion after mit­ig­a­tion. I’m not going to get into risk eval­u­ation (i.e., Is the risk effect­ively con­trolled?) in this par­tic­u­lar art­icle, but the fact that you can show a sig­ni­fic­ant risk reduc­tion is import­ant. There are lots of con­sid­er­a­tions in determ­in­ing if the risk has been effect­ively con­trolled.
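
The selection and scoring procedure above, as an added example that is not the article's own code: it loads Table 3, picks the most likely injuries, groups them under the highest severity in the group, and applies R = Se x [Pr x (Fr + Av)] before and after mitigation with Se held constant. The 50% cutoff and the (Pr, Fr, Av) inputs are assumptions constructed for this sketch; they are not the values in Table 4.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Injury:
    name: str
    se: int     # severity class from Table 1 (1..4)
    ps: float   # probability of this injury given the fall, percent (Table 3)


TABLE_3 = [
    Injury("Fatality", 4, 0.0075),
    Injury("Broken wrist", 3, 5),
    Injury("Broken collarbone", 3, 5),
    Injury("Torn rotator cuff", 2, 5),
    Injury("Bruises", 1, 90),
    Injury("Head injury (Se 3)", 3, 1),
    Injury("Head injury (Se 4)", 4, 0.0075),
    Injury("Lacerations to hands", 2, 90),
]


def weighted(injury):
    """Se = I x Ps for one candidate injury, with Ps as a fraction."""
    return injury.se * injury.ps / 100


def most_likely(injuries, cutoff=50.0):
    """Injuries carried into the register; cutoff is an assumed threshold."""
    picked = [i for i in injuries if i.ps >= cutoff]
    return picked or [max(injuries, key=lambda i: i.ps)]


def grouped_se(injuries):
    """One combined line item takes the highest severity in the group."""
    return max(i.se for i in injuries)


def risk(se, pr, fr, av):
    """R = Se x [Pr x (Fr + Av)], the algorithm used in the article."""
    return se * (pr * (fr + av))


def score_hazard(injuries, initial, final):
    """Score one line item before and after mitigation; Se is held constant."""
    se = grouped_se(most_likely(injuries))
    return se, risk(se, *initial), risk(se, *final)


# Constructed (Pr, Fr, Av) inputs; these are NOT the values in Table 4.
INITIAL, FINAL = (4, 4, 3), (2, 4, 3)

if __name__ == "__main__":
    se, before, after = score_hazard(TABLE_3, INITIAL, FINAL)
    print(f"Se={se}  R initial={before}  R final={after}")
    print("Worst-case Se=4 instead:", risk(4, *INITIAL))
```

Scoring the same hazard at the worst-case severity of 4 doubles the initial score, which is the effect of ignoring the hidden probability attached to each severity.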


The probability of certain kinds of injuries occurring must be considered when estimating risk. This process is largely undocumented but nevertheless occurs. When risk analysts are considering the severity of injury from any given hazard, this article gives the reader one possible approach that could be used to select the types of injuries most likely to occur before scoring the rest of the risk parameters.


[1] D. Nix, ‘Evaluation of Problems and Challenges in CSA Z434-​14 Annex DVA Task-​Based Risk Assessment Methodology’, 2015.

[2] National Floor Safety Institute (NFSI), ‘Quick Facts – Slips, Trips, and Falls’, 2015. [Online]. Available: http://nfsi.org/nfsi-research/quick-facts/. [Accessed: 21-Jul-2015].

[3] ‘Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems. IEC 62061.’, International Electrotechnical Commission (IEC), Geneva, 2005.



Get the Basics Right!

For more than 15 years I’ve been teach­ing people about risk assess­ment, machinery safety and CE Marking of machinery in private, onsite classes and through present­a­tions at safety con­fer­ences. Things are about to change!

This fall, Compliance InSight Consulting will begin offering open-enrolment workshops in CE Marking, Risk Assessment, Functional Safety, and Machinery Safety, all with a focus on industrial machinery. These courses will be hands-on events, with students engaged in workshop activities throughout each event.

In the winter, these work­shops will also migrate to our on-​line edu­ca­tion plat­form, so stu­dents in any loc­a­tion around the world can access our train­ing pro­grams.

This is an excit­ing step for CIC, and the work­shops we have planned are enga­ging, dynam­ic and inform­a­tion packed.

Watch the blog, and sub­scribe to our mail­ing list to be the first to know when regis­tra­tion opens. Workshops will be lim­ited size, first-​come, first-​served. We’ll announce dates and loc­a­tions in early August!