ISO 13849

Last updated April 06, 2024

ISO 13849 is a safety standard which applies to parts of machinery control systems that are assigned to providing safety functions (called safety-related parts of a control system).^[1] The standard is one of a group of sector-specific functional safety standards that were created to tailor the generic system reliability approaches, e.g., IEC 61508, MIL-HDBK-217, MIL-HDBK-338, to the needs of a particular sector. ISO 13849 is simplified for use in the machinery sector.

ISO 13849-1, Part 1: General principles for design, provides safety requirements and guidance on the principles of design and integration of safety-related parts of control systems (hardware or software).
ISO 13849-2, Part 2: Validation, specifies the procedures to be followed for validating by analysis or tests, the safety functions of the system, the category achieved and the performance level achieved.^[2]

ISO 13849 is designed for use in machinery with high to continuous demand rates. According to IEC 61508, a HIGH demand rate is once or more per year of operation, and a CONTINUOUS demand rate is much, much more frequent than HIGH. For systems with a LOW demand rate, i.e., less than once-per-year, see IEC 61508, or the appropriate sector-specific standard such as IEC 61511.

The standard is developed and maintained by ISO/TC 199, Safety of machinery, Working Group 8 — Safe Control Systems.^[3] The scope of ISO 13849 includes control systems using mechanical, electrical, electronic, and fluidic (hydraulic and pneumatic) technologies.

According to an informal stakeholder survey done in 2013, more than 89% of machine builders and more than 90% of component manufacturers and service providers use ISO 13849 as the primary functional safety standard for their products.^[4]

History

EN 954-1

ISO 13849-1 has its origins in the mid 1990s when the European Committee for Standardization (CEN) published EN 954-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design^[5] in 1996. In 1999, EN 954-1 was transferred to ISO for ongoing development under the Vienna Agreement.

EN 954-1 introduced the original five structural Categories, B, 1-4.

prEN 954-2

prEN 954-2:1999, Safety of machinery — Safety-related parts of control systems — Part 2: Validation, is the precursor document that eventually became ISO 13849-2 in 2003. This document was never published as a finished standard. The "pr" in "prEN" indicates that the document was a European pre-standard.

ISO 13849-1, 1st Edition

In 1999, ISO published the first edition of ISO 13849-1, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. The first edition was technically identical to EN 954-1. Within a year after publication, ISO/TC 199 launched a New Work Item Proposal for the revision of the standard. The goal was to add probabalistic requirements to the existing standard.

ISO 13849-2, 1st Edition

In 2003, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation, was published. This standard included all of the details related to validating the functional safety of a design. In addition, Annexes A-D included key information on basic and well-tried safety principles, well-tried components, and common faults for mechanical, hydraulic, pneumatic, and electrical components.

ISO 13849-1, 2nd Edition

The second edition of ISO 13849-1 was published in 2006. That edition introduced MTTF_d, DC_avg, and CCF for the first time. The revisions incorporated the recommendations developed through the EU STSARCES project.^[6] and ^[7]

ISO 13849-2, 2nd Edition

In 2012, ISO 13849-2, Safety of machinery – Safety-related parts of control systems — Part 2: Validation was published. This edition was reaffirmed in 2017 and remains current.

ISO 13849-1, 3rd Edition

The third edition of ISO 13849-1 was published in 2015. The revision included additional technical explanations and clarification of the analytical methods. This edition was reaffirmed in 2020, while a new revision was started.

ISO 13849-1, 4th Edition

The fourth edition of ISO 13849-1 was published in 2023. The revision focuses on the integration of the content from ISO 13489-2, some specific annexes of the document ISO 13489-2 are still used.

Risk Assessment

Risk assessment techniques

Following ISO 13849-1, the design of the safety system is based on a risk assessment performed by the manufacturer of the machine.^[8] The risk assessment identifies the safety functions required to mitigate risk and the performance level these functions need to meet to adequately mitigate the identified risks, either completely, or in combination with other safeguards, e.g., fixed or movable guards or other measures.

The Annex A decision tree, Figure A.1, is provided as an example of how the PL_r can be determined. The Annex A method is not a risk assessment tool since the output from the tool is in terms of Performance Level, not risk. Figure A.1 cannot be used for risk assessment. Examples of a risk matrix and a risk decision tree are given in ISO/TR 14121-2.^[9] Risk assessment is typically done in at least two cycles, the first to determine the intrinsic risk, and the second to determine the risk reduction achieve by the control measures implemented in the design.

Assignment of safety functions

A safety function is a control system function whose failure will result in an immediate increase in risk.^[8] ISO 13849-1 includes descriptions of a number of common safety functions, including:

safety-related stop
start/restart
manual reset
local control
muting
response time
safety-related parameter(s)
fluctuation, loss and restoration of power sources

Each safety function identified in the risk assessment is assigned a required Performance Level (PL_r) based on the intrinsic risk determined through the risk assessment. The intrinsic risk is the risk posed by the machine if no risk control measures were present, or if the risk control measures fail or are defeated by the user.

Performance levels

A Performance Level is a band of failure rates, represented as a, b, c, d, e. These failure rates are quantified as the Probability of Dangerous Failure per hour, PFH_d. The numeric values for PFH_d are given in Annex K. The PL range for each band has a 5% tolerance. The PFH_d covered by ISO 13849-1 range from the highest failure rate in PL_a < 1 × 10⁻⁴ to the lowest failure rate in PL_e at ≥ 1 × 10⁻⁸.

The Performance Level of a safety function is determined by the architectural characteristics of the controller (classified according to designated architectural categories, Category B, 1, 2, 3, 4), the MTTF_D of the components in the functional channel(s) of the system, the average diagnostic coverage (DC_avg implemented in the system, and the application of measures against Common Cause Failures (CCF). Category B, 1 and 2 architectures are single channel, and therefore offer no fault tolerance.

Designated architectures

The designated architectures include three single-channel and two redundant structures. The structures are the basis for the calculations used to determine the PFH_d values given in Annex K.

Block diagrams

Each designated architecture has an associated block diagram. When analyzing SRP/CS designs, a block diagram should be developed to assist the analyst in calculating the MTTF_D of the functional channel(s).

Category B

Category B represents the basic category. This category is single-channel, and can include components with MTTF_D = Low or Medium. Components must be suitable for use in the application, and specified appropriately for the conditions of use, i.e., voltage, current, frequency, switching frequency, ambient temperature, pollution class, shock, vibration, etc. Since Category B is single channel, DC_avg = NONE. CCF is not relevant in this category.

The maximum PL = b.

Category 1

Category 1 achieves increased reliability as compared to Category B through the use of MTTF_D = High components. These components are deemed "well-tried components" and are listed in ISO 13849-2, Annexes A through D. Additionally, components that have been tested by the manufacturer and approved according to the relevant component safety standard, e.g., IEC 60947-5-5, are also considered well-tried. Since Category 1 is single channel, DC_avg = NONE. CCF is not relevant in this category.

The maximum PL = c.

Category 2

Category 2 is a single-channel architecture that achieves increased reliability by building on Category B, using components with MTTF_D = Low to High, and adding diagnostic capability through the use of test equipment. The DC_avg for Category 2 can be Low to Medium, i.e., 60% ≤ DC < 99%. The diagnostic frequency depends on the demand rate on the safety function, and on the PL_r that must be achieved. A minimum CCF score of 65 is required, see Annex F.

The maximum PL = d.

Category 3

Category 3 is the first architecture with a redundant structure. Building on Category B, and using components with MTTF_D = Low to High, this architecture introduces cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 3 requires DC_avg Low to Medium, i.e., 60% ≤ DC < 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 3, no single component failure is permitted to cause the loss of the safety function.

The maximum PL = e.

Category 4

Category 4 is also a redundant architecture that builds upon Category B. Using components limited to MTTF_D = High, this architecture includes cross-monitoring between the two active channels, as well as cyclic monitoring of the output device(s). Category 4 requires DC_avg HIGH, i.e., ≥ 99%. A minimum CCF score of 65 is required, see Annex F.

In Category 4, no single component failure is permitted to cause the loss of the safety function.

The PL = e.

The primary differences between Category 3 and 4 are that Category 4 requires:

MTTF_D components in the functional channels
DC_avg ≥ 99%
Accumulation of faults between diagnostic cycles cannot cause the loss of the safety function
All of the faults that occur between diagnostic cycles must be detected when the diagnostics run

Validation

Safety-related parts of control systems (SRP/CS) require validation. ISO 13849-2 includes all of the details required for the validation using analytical techniques (including FMEA, FMECA, FMEDA, IFA SISTEMA or any of the other analytical tools available), functional testing, and documentation in a validation record.

Acronyms

Acronyms
Acronym	Expansion	Notes
PL	Performance Level	Predicted bands of failure rates for SRP/CS
PL_r	required Performance Level	Performance Level required based on the risk assessment to provide necessary risk reduction.
MTTF_D or MTTF_d	Mean Time to Dangerous Failure	Given in years
PFH_d	Probability of dangerous Failure per Hour	The fractional probability per hour of operation.
DC_avg	average Diagnostic Coverage	Given as a percentage.
CCF	Common Cause Failure	Failures in more than one component with a common cause.
SRP/CS	Safety-Related Parts of Control System(s)	The parts of a machine control system that provide a safety function.

Related Research Articles

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

ISO/IEC/IEEE 12207Systems and software engineering – Software life cycle processes is an international standard for software lifecycle processes. First introduced in 1995, it aims to be a primary standard that defines all the processes required for developing and maintaining software systems, including the outcomes and/or activities of each process.

ISO/IEC 15504Information technology – Process assessment, also termed Software Process Improvement and Capability dEtermination (SPICE), is a set of technical standards documents for the computer software development process and related business management functions. It is one of the joint International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards, which was developed by the ISO and IEC joint subcommittee, ISO/IEC JTC 1/SC 7.

ISO/IEC 9126Software engineering — Product quality was an international standard for the evaluation of software quality. It has been replaced by ISO/IEC 25010:2011.

Quality management ensures that an organization, product or service consistently functions well. It has four main components: quality planning, quality assurance, quality control and quality improvement. Quality management is focused not only on product and service quality, but also on the means to achieve it. Quality management, therefore, uses quality assurance and control of processes as well as products to achieve more consistent quality. Quality control is also part of quality management. What a customer wants and is willing to pay for it, determines quality. It is a written or unwritten commitment to a known or unknown consumer in the market. Quality can be defined as how well the product performs its intended function.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.

A Semantic Service Oriented Architecture (SSOA) is an architecture that allows for scalable and controlled Enterprise Application Integration solutions. SSOA describes an approach to enterprise-scale IT infrastructure. It leverages rich, machine-interpretable descriptions of data, services, and processes to enable software agents to autonomously interact to perform critical mission functions. SSOA is technically founded on three notions:

The principles of Service-oriented architecture (SOA);
Standard Based Design (SBD); and
Semantics-based computing.

The ISO/IEC 15288Systems and software engineering — System life cycle processes is a technical standard in systems engineering which covers processes and lifecycle stages, developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Planning for the ISO/IEC 15288:2002(E) standard started in 1994 when the need for a common systems engineering process framework was recognized.

ISO 22000 is a food safety management system by the International Organization for Standardization (ISO) which is outcome focused, providing requirements for any organization in the food industry with objective to help to improve overall performance in food safety. These standards are intended to ensure safety in the global food supply chain. The standards involve the overall guidelines for food safety management and also focuses on traceability in the feed and food chain.

Profisafe is a standard for a communication protocol for the transmission of safety-relevant data in automation applications with functional safety. This standard was developed jointly by several automation device manufacturers in order to be able to meet the requirements of the legislator and the IFA for safe systems. The required safe function of the protocol has been tested and confirmed by TÜV Süd. The PROFIBUS Nutzerorganisation e.V. in Karlsruhe supervises the standardization for the partner companies and organizes the promotion of this common interface.

Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.

ISO 31000 is a family of international standards relating to risk management codified by the International Organization for Standardization. The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk are described.

ISO 14971Medical devices — Application of risk management to medical devices is a voluntary standard for the application of risk management to medical devices. "Voluntary standards do not replace national laws, with which standards' users are understood to comply and which take precedence" over voluntary standards such as ISO 13485 and ISO 14971. The ISO Technical Committee responsible for the maintenance of this standard is ISO/ TC 210 working with IEC/SC62A through Joint Working Group one (JWG1). This standard is the culmination of the work starting in ISO/IEC Guide 51, and ISO/IEC Guide 63. The third edition of ISO 14971 was published in December 2019 and supersedes the second edition of ISO 14971.

ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO) in 2011, and revised in 2018.

Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.

ISO/IEC/IEEE 29119Software and systems engineering -- Software testing is a series of five international standards for software testing. First developed in 2007 and released in 2013, the standard "defines vocabulary, processes, documentation, techniques, and a process assessment model for testing that can be used within any software development lifecycle."

References

↑ "ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design". International Organization for Standardization (ISO). Retrieved 2022-04-06.
↑ "ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation". International Organization for Standardization (ISO). Retrieved 2022-04-06.
↑ "ISO/TC 199 Safety of machinery". ISO. International Organization for Standardization. 22 January 2019. Retrieved 8 April 2022.
↑ Outcome of the "Questionnaire" doc. N 964 -- Report from ISO/TC 199/JWG 1/Sub Group 2, ISO/TC 199 N1035, 2013-03-01
↑ "EN 954-1:1996, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design". www.cencenelec.eu. European Committee for Standardization (CEN). Retrieved 7 April 2022.
↑ "Standards for safety related complex electronic systems". cordis.europa.eu. European Commission. Retrieved 11 April 2022.
↑ "STSARCES project - final report -part 1". industry-finder.com. 27 May 2014. Retrieved 11 April 2022.
1 2 "ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction". International Organization for Standardization (ISO). 22 January 2019. Retrieved 2022-04-06.
↑ "ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods". International Organization for Standardization (ISO). Retrieved 6 April 2022.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[13849-1-1] "ISO 13849-1:2015, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design". International Organization for Standardization (ISO). Retrieved 2022-04-06.

[13849-2-2] "ISO 13849-2:2012, Safety of machinery — Safety-related parts of control systems — Part 2: Validation". International Organization for Standardization (ISO). Retrieved 2022-04-06.

[TC199-3] "ISO/TC 199 Safety of machinery". ISO. International Organization for Standardization. 22 January 2019. Retrieved 8 April 2022.

[survey-4] Outcome of the "Questionnaire" doc. N 964 -- Report from ISO/TC 199/JWG 1/Sub Group 2, ISO/TC 199 N1035, 2013-03-01

[954-1-5] "EN 954-1:1996, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design". www.cencenelec.eu. European Committee for Standardization (CEN). Retrieved 7 April 2022.

[STSARCES-6] "Standards for safety related complex electronic systems". cordis.europa.eu. European Commission. Retrieved 11 April 2022.

[STSARCES-final-report-7] "STSARCES project - final report -part 1". industry-finder.com. 27 May 2014. Retrieved 11 April 2022.

[ISO_12100-8] 1 2 "ISO 12100:2010, Safety of machinery — General principles for design — Risk assessment and risk reduction". International Organization for Standardization (ISO). 22 January 2019. Retrieved 2022-04-06.

[14121-2-9] "ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods". International Organization for Standardization (ISO). Retrieved 6 April 2022.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

v t e ISO standards by standard number
List of ISO standards – ISO romanizations – IEC standards
1–9999	1 2 3 4 6 7 9 16 17 31 -0 -1 -3 -4 -5 -6 -7 -8 -9 -10 -11 -12 -13 68-1 128 216 217 226 228 233 259 261 262 302 306 361 500 518 519 639 -1 -2 -3 -5 -6 646 657 668 690 704 732 764 838 843 860 898 965 999 1000 1004 1007 1073-1 1073-2 1155 1413 1538 1629 1745 1989 2014 2015 2022 2033 2047 2108 2145 2146 2240 2281 2533 2709 2711 2720 2788 2848 2852 3029 3103 3166 -1 -2 -3 3297 3307 3601 3602 3864 3901 3950 3977 4031 4157 4165 4217 4909 5218 5426 5427 5428 5725 5775 5776 5800 5807 5964 6166 6344 6346 6373 6385 6425 6429 6438 6523 6709 6943 7001 7002 7010 7027 7064 7098 7185 7200 7498 -1 7637 7736 7810 7811 7812 7813 7816 7942 8000 8093 8178 8217 8373 8501-1 8571 8583 8601 8613 8632 8651 8652 8691 8805/8806 8807 8820-5 8859 -1 -2 -3 -4 -5 -6 -7 -8 -8-I -9 -10 -11 -12 -13 -14 -15 -16 8879 9000/9001 9036 9075 9126 9141 9227 9241 9293 9314 9362 9407 9496 9506 9529 9564 9592/9593 9594 9660 9797-1 9897 9899 9945 9984 9985 9995
10000–19999	10006 10007 10116 10118-3 10160 10161 10165 10179 10206 10218 10279 10303 -11 -21 -22 -28 -238 10383 10585 10589 10628 10646 10664 10746 10861 10957 10962 10967 11073 11170 11172 11179 11404 11544 11783 11784 11785 11801 11889 11898 11940 (-2) 11941 11941 (TR) 11992 12006 12052 12182 12207 12234-2 12620 13211 -1 -2 13216 13250 13399 13406-2 13450 13485 13490 13567 13568 13584 13616 13816 13818 14000 14031 14224 14289 14396 14443 14496 -2 -3 -6 -10 -11 -12 -14 -17 -20 14617 14644 14649 14651 14698 14764 14882 14971 15022 15189 15288 15291 15292 15398 15408 15444 -3 -9 15445 15438 15504 15511 15686 15693 15706 -2 15707 15897 15919 15924 15926 15926 WIP 15930 15938 16023 16262 16355-1 16485 16612-2 16750 16949 (TS) 17024 17025 17100 17203 17369 17442 17506 17799 18004 18014 18181 18245 18629 18916 19005 19011 19092 -1 -2 19114 19115 19125 19136 19407 19439 19500 19501 19502 19503 19505 19506 19507 19508 19509 19510 19600 19752 19757 19770 19775-1 19794-5 19831
20000–29999	20000 20022 20121 20400 20802 20830 21000 21047 21122 21500 21827 22000 22275 22300 22301 22395 22537 23000 23003 23008 23009 23090-3 23092 23094-1 23094-2 23270 23271 23360 24517 24613 24617 24707 24728 25178 25964 26000 26262 26300 26324 27000 series 27000 27001 27002 27005 27006 27729 28000 29110 29148 29199-2 29500
30000+	30170 31000 32000 37001 38500 40500 42010 45001 50001 55000 56000 80000
Category