
The standard PN-EN ISO 13849-1:2023 outlines the design principles for control system components responsible for safety functions, known as Safety-Related Parts of Control Systems (SRP/CS). In practice, this means any control system tasked with accident prevention must meet specific reliability and structural requirements. Below, we present ten essential tips for engineers and technicians to aid in designing safe systems compliant with PN-EN ISO 13849-1. These tips cover safety categories, Performance Levels (PL), metrics such as MTTFd, DC, CCF, and SFF, along with examples and insights from international practice.
1. Conduct a Risk Assessment and Determine the Required PLr
The first step in designing a safety system is conducting a risk assessment. Identify all potential hazards associated with the machine in accordance with the general standard EN ISO 12100. Based on the risk assessment, determine the required Performance Level (PLr) for each safety function as per EN ISO 13849-1. PLr represents the required capability of the safety system to reduce risk, essentially the Performance Level needed to reduce the risk to an acceptable level.
To establish PLr, evaluate three factors: Severity (S), Frequency/Exposure (F), and Possibility of Avoidance (P). Assign values to each (e.g., S1 or S2, F1 or F2, P1 or P2), which allows using a risk graph or table in the standard to determine the required level (from PL a for the lowest risk to PL e for the highest). For instance, for a hazard that could cause severe injury (S2), occurs infrequently (F1), and can be avoided by the operator (P1), the required level might be PL c. Correctly determining PLr is crucial—designers must ensure that the actual safety system achieves at least this level (PL ≥ PLr).
2. Choose the Appropriate Safety Category (B, 1, 2, 3, or 4)
PN-EN ISO 13849-1 defines safety architecture categories inherited from the previous EN 954-1 standard. The category specifies structural measures to prevent failures and the system’s resistance to faults. Choosing the right category is fundamental to achieving the required PL. Here’s a brief overview of the categories:
- Category B (Basic): Basic safety requirements. The system can be single-channel (no redundancy), and reliability mainly depends on good engineering practices and component quality. Category B typically corresponds to the lowest safety assurance levels (PL a).
- Category 1: Also a single-channel system without special diagnostic mechanisms, but with proven safety principles and reliable components. Using high-reliability elements improves over category B. A single failure can still deprive the system of its safety function (no redundancy). Typically, category 1 can provide PL a or b, provided components have sufficient reliability.
- Category 2: A single-channel system with monitoring. This means the system has periodic diagnostics—e.g., control tests performed automatically or by the operator at regular intervals. A single failure may lose the safety function at the time of occurrence but is detected at the next test, allowing actions (e.g., stopping the machine). An example is an emergency stop circuit tested at each machine startup. Category 2 can achieve PL b or even PL c if diagnostics are effective and components are reliable.
- Category 3: A redundant multi-channel system. The architecture ensures that a single failure does not cause a loss of the safety function (thanks to redundancy—usually two parallel channels). Not all failures are detected immediately. The system continues to operate without noticing some single faults, but the second channel still protects against accidents. To meet category 3 requirements, resistance to Common Cause Failures (CCF) must also be considered—e.g., two channels cannot easily fail for the same reason. Category 3 is popular in practice because it offers a high level of safety with relatively less complexity than category 4. It usually corresponds to PL d (sometimes PL c depending on components and diagnostics used).
- Category 4: The highest safety architecture. The system is redundant with continuous diagnostics organized so that a single failure does not cause a loss of the safety function, and every single failure is detected in real-time or quickly enough to prevent danger. This makes the occurrence of two simultaneous failures extremely unlikely, as the first failure is detected, and the machine is stopped before another occurs. Category 4 requires meeting stringent requirements, including very high resistance to CCF, high diagnostic coverage, and components of the highest reliability. A well-designed category 4 system can achieve PL e (the highest).
In practice, the choice of category depends on the required PLr and the components and technologies used. For lower PLr, categories 1 or 2 often suffice, while PL d typically requires category 3, and PL e—category 4. Remember that categories 2, 3, and 4 impose additional requirements (diagnostics, redundancy, CCF assessment), affecting the system’s cost and complexity.
3. Select High-Reliability Components (MTTFd)
MTTFd (Mean Time To Dangerous Failure) is a key quantitative parameter in ISO 13849-1. It is expressed in years and indicates how long a component can typically operate before a potential safety-threatening failure occurs. When designing safety systems, aim for the highest possible MTTFd for all critical elements.
The standard distinguishes three MTTFd ranges for a single-channel system: low, medium, and high. The usual boundary values are: low—from 3 to <10 years, medium—from 10 to <30 years, high—from 30 to 100 years. (MTTFd below 3 years is considered unacceptably low in the context of machine safety). Note that the standard limits the maximum MTTFd value to 100 years for a single channel—even if the manufacturer provides a higher value, calculations assume 100 as the upper limit. This prevents overestimating reliability and excessive optimism with very rare failures.
Practical tip: Choose components (sensors, controllers, valves, safety relays, etc.) from reputable suppliers who provide MTTFd data or related indicators (e.g., B10d—the number of cycles to 10% dangerous failures, from which MTTFd can be calculated). For high PL requirements, strive for each channel to have MTTFd in the “high” category (over 30 years). If using mechanical, pneumatic, or hydraulic elements, obtain reliability information from the manufacturer or use standardized data (e.g., general data for valves, actuators). Remember that the working environment affects MTTFd—elements operated in harsh conditions (dust, high temperatures, intensive work cycles) may have lower real reliability than in ideal conditions.
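The following is an added worked example, not code from the article or from SISTEMA. It applies the two MTTFd formulas the standard gives for a single channel: the B10d conversion for wearing parts (MTTFd = B10d / (0.1 × nop), with nop = d_op × h_op × 3600 / t_cycle) and the parts-count summation 1/MTTFd_channel = Σ 1/MTTFd_i, capped at the 100-year limit mentioned above. All component values (the B10d figure, operating profile and MTTFd of the sensor and logic) are constructed for illustration.

```python
# Added example (not from the article, not SISTEMA code): MTTFd bookkeeping for
# one channel using the formulas ISO 13849-1 gives for the B10d method and the
# parts-count method. Component values below are constructed for illustration.
from dataclasses import dataclass

MTTFD_CAP_YEARS = 100.0  # per-channel upper limit cited in the article


@dataclass
class Component:
    name: str
    mttfd_years: float  # manufacturer MTTFd of the component, in years


def nop_per_year(d_op_days: float, h_op_hours: float, t_cycle_s: float) -> float:
    """Mean number of annual operations: nop = d_op * h_op * 3600 / t_cycle."""
    return d_op_days * h_op_hours * 3600.0 / t_cycle_s


def mttfd_from_b10d(b10d_cycles: float, n_op: float) -> float:
    """MTTFd (years) = B10d / (0.1 * nop) for electromechanical/pneumatic parts."""
    return b10d_cycles / (0.1 * n_op)


def channel_mttfd(components: list[Component]) -> float:
    """Parts-count method: 1/MTTFd_ch = sum(1/MTTFd_i); result capped at 100 years."""
    inverse_sum = sum(1.0 / c.mttfd_years for c in components)
    return min(1.0 / inverse_sum, MTTFD_CAP_YEARS)


def classify_mttfd(mttfd_years: float) -> str:
    """Ranges from the article: <3 not acceptable, 3-<10 low, 10-<30 medium, 30-100 high."""
    if mttfd_years < 3:
        return "not acceptable"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def example_channel() -> tuple[float, str]:
    """One channel of a constructed circuit: sensor + safety logic + contactor."""
    # Contactor rated B10d = 2,000,000 cycles (constructed); the machine runs
    # 220 days/year, 16 h/day, with one switching cycle every 60 s.
    n_op = nop_per_year(220, 16, 60)                               # 211,200 per year
    contactor = Component("K1 contactor", mttfd_from_b10d(2_000_000, n_op))  # ~94.7 years
    channel = [Component("B1 sensor", 150.0), Component("logic", 200.0), contactor]
    mttfd = channel_mttfd(channel)
    return mttfd, classify_mttfd(mttfd)


if __name__ == "__main__":
    mttfd, band = example_channel()
    print(f"channel MTTFd = {mttfd:.1f} years ({band})")
```

Note how the summation works against you: three parts that individually sit at 95, 150 and 200 years give a channel of only about 45 years. Still "high", but a fourth part of similar quality would push the channel close to the medium boundary.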
4. Ensure Effective Diagnostic Coverage (DC)
Diagnostic Coverage (DC) measures what percentage of potential dangerous failures are detected by the system’s built-in diagnostic mechanisms. Intuitively—the more faults we can automatically detect, the better, as the system can react (e.g., stop the machine) before an unnoticed failure leads to an accident. DC is expressed in percentages; 0% means no fault detection, 100% means all possible dangerous failures are detected.
PN-EN ISO 13849-1 uses four DC ranges (average DC_avg for the entire safety function): none/low, medium, high, very high. For example, DC < 60% may be treated as no or negligible diagnostic coverage, DC ≥60% is low (some faults detected), DC ≥90% is considered high, and DC ≥99% very high. To achieve high PL levels (d or e), generally, at least high diagnostic coverage is needed, especially in category 3 and 4 architectures.
Examples of diagnostic applications:
- Use sensors that duplicate signals or self-monitor—e.g., an encoder with self-checking function, auxiliary contacts monitoring contactor positions, etc.
- Utilize safety controllers or modules with pulse test function—they send test signals to check, e.g., if safety inputs have not jammed (checking for short circuits, damaged circuits).
- For category 2, plan regular tests—e.g., once per shift, the operator must check the operation of safety sensors (this is also a form of diagnostics, although performed manually).
High diagnostic coverage reduces the probability of unnoticed failure, directly translating into lower PFH_d (Probability of Dangerous Failure per Hour) for the entire safety function and thus higher achieved PL. In summary: always, when possible, design the system to detect its own faults—this is the foundation of categories 2, 3, and 4 and effective functional safety.
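As an added example (not from the article), the block below computes DC_avg with the weighting the standard uses, DC_avg = Σ(DC_i / MTTFd_i) / Σ(1 / MTTFd_i), and then answers the question a designer actually faces: how much diagnostic coverage the weakest part needs before the whole function reaches a target DC_avg. The parts and their values are constructed.

```python
# Added example (not from the article): DC_avg for a safety function, using the
# ISO 13849-1 weighting DC_avg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), plus the
# reverse question: how much diagnostic coverage does one part need so that the
# function reaches a target DC_avg? All values are constructed.
from dataclasses import dataclass


@dataclass
class Part:
    name: str
    mttfd_years: float  # MTTFd of the part
    dc: float           # diagnostic coverage of this part, 0.0 .. 1.0


def dc_avg(parts: list[Part]) -> float:
    """Failure-rate weighted average: parts with low MTTFd (high 1/MTTFd) dominate."""
    weights = sum(1.0 / p.mttfd_years for p in parts)
    covered = sum(p.dc / p.mttfd_years for p in parts)
    return covered / weights


def required_dc(parts: list[Part], target_name: str, target_dc_avg: float) -> float:
    """Solve DC_avg(parts) = target for the DC of one part.
    A result above 1.0 means the target is not reachable by improving that part alone."""
    weights = sum(1.0 / p.mttfd_years for p in parts)
    others = sum(p.dc / p.mttfd_years for p in parts if p.name != target_name)
    target = next(p for p in parts if p.name == target_name)
    return (target_dc_avg * weights - others) * target.mttfd_years


# Constructed safety function: well-diagnosed sensor and logic, and a contactor
# with only basic plausibility checks (DC 60 %).
FUNCTION = [
    Part("B1 sensor", 150.0, 0.99),
    Part("logic", 200.0, 0.99),
    Part("K1 contactor", 50.0, 0.60),
]


def example() -> tuple[float, float]:
    """DC_avg as designed, and the contactor DC needed to reach DC_avg = 90 %."""
    return dc_avg(FUNCTION), required_dc(FUNCTION, "K1 contactor", 0.90)


if __name__ == "__main__":
    current, needed = example()
    print(f"DC_avg = {current:.1%}; contactor needs DC >= {needed:.1%} for 90 %")
```

The contactor has the lowest MTTFd, so its 1/MTTFd weight dominates: two parts at 99 % and one at 60 % average out to only about 74 %. Adding mirror-contact feedback to the contactor (raising its DC to roughly 85 %) is what lifts the function to 90 %, not further polishing of the already well-diagnosed sensor.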
5. Consider Resistance to Common Cause Failures (CCF)
Even the best-designed redundant system can lose its safety function if both channels fail for the same reason. This scenario is called a Common Cause Failure (CCF). Examples include flooding a control cabinet, which disables two independent controllers simultaneously, or vibrations causing two identical connectors to loosen. In categories 2, 3, and 4, measures against CCF are necessary—otherwise, our redundancy may be illusory.
PN-EN ISO 13849-1 includes a CCF checklist where various preventive actions are scored. These actions include physical separation of channels (e.g., different cable routes, separated modules), diversity of components (e.g., using components from different manufacturers or with different operating principles, so the same fault does not affect all equally), protection against environmental factors (dust, moisture, temperature), proper grounding and shielding of electrical installations, avoiding identical software errors in both channels, training personnel in assembly and operation, etc. Each aspect adds points. To consider a system resistant to CCF, the design should score at least 65 points out of 100 possible in this assessment. This result means the risk of common failure has been reduced to an acceptably low level.
Practical tip: When designing redundant safety paths, always ask yourself: is there anything that can break both channels at once? If so, implement safeguards. For example, if two position sensors are mounted next to each other, ensure that vibrations or impact do not damage them simultaneously—perhaps place them in distant locations or use different technologies (e.g., one magnetic, the other mechanical). If two channels use power, consider separate power supplies or at least separate fuses. Such details significantly increase the system’s reliability.
6. Verify the Overall Safety Level of the Entire Function
When designing a complex safety function consisting of several components (e.g., sensor + logic module + actuator), remember that the overall safety level is limited by the weakest link. It is not enough for each component to have a high PL individually—you must also verify the overall Performance Level of the entire combination.
Importantly, if you connect multiple elements in series into one safety function, the overall probability of failure increases. This can lower the final PL. Practical example: Suppose you have three components with PL e certification (the highest) connected in one safety circuit, one after another. Intuitively, you might expect the entire system to be PL e. However, in reality, you will only achieve PL d at most. This is because the probabilities of failure of these elements add up; the more components, the greater the chance that one will fail. PL e means a very low probability of dangerous failure (around 10^-8 per hour). When you have three such elements, their total failure risk falls within the range corresponding to PL d (about 10^-7 per hour). In other words, several super-safe elements connected together can result in a level one step lower.
How to counteract this? First, minimize the number of elements in series if each must act to stop the hazard. Often, certain functions can be combined in parallel instead of in series, or choose components with even higher reliability to compensate for the summation effect (though, as mentioned, the standard limits MTTFd values, so miracles are not possible; PL e is the practical ceiling). Second, always calculate the achieved PL of the entire safety function. You can use tools like SISTEMA (free IFA software for PL calculation) or manual calculations according to the standard formulas. Check if the achieved PL ≥ required PLr. If not, you must modify the design, e.g., use a different category, additional diagnostics, better components, or divide the function into smaller, independent parts.
Remember this relationship: overall safety level = minimum (or less) of the component levels. A weak element will lower the whole, and even very good elements in excess can lower the level through risk accumulation.
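The following added example (my code, not the article's and not SISTEMA) ties section 1 and section 6 together: it determines PLr from the Annex A risk graph, sums the PFHd of subsystems connected in series, maps the sum back to a PL using the standard's PFHd bands, and checks PL ≥ PLr. The three subsystems and their PFHd values (4 × 10^-8 each, inside the PL e band) are constructed to reproduce the "three PL e parts give PL d" situation described above.

```python
# Added example (not from the article and not SISTEMA): determine PLr from the
# ISO 13849-1 Annex A risk graph, then combine subsystems in series by summing
# PFHd, map the sum back to a PL with the standard's PFHd bands, and check
# PL >= PLr. Subsystem PFHd values are constructed.
from dataclasses import dataclass

# Risk graph, Annex A: (S, F, P) -> PLr
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PL bands by average probability of a dangerous failure per hour, listed as
# (PL, exclusive upper bound): e [1e-8, 1e-7), d [1e-7, 1e-6), c [1e-6, 3e-6),
# b [3e-6, 1e-5), a [1e-5, 1e-4)
PFH_BANDS = [("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4)]


def required_pl(s: int, f: int, p: int) -> str:
    """S, F, P each 1 or 2, as in the article's risk-graph description."""
    return RISK_GRAPH[(s, f, p)]


def pl_from_pfh(pfh: float):
    """PL for a PFHd value; None when PFHd >= 1e-4 (no PL can be claimed)."""
    for pl, upper in PFH_BANDS:
        if pfh < upper:
            return pl          # a value below 1e-8 still yields "e": e is the ceiling
    return None


def pl_meets(pl, plr: str) -> bool:
    """PL >= PLr, with a <= b <= c <= d <= e."""
    return pl is not None and "abcde".index(pl) >= "abcde".index(plr)


@dataclass
class Subsystem:
    name: str
    pfh: float  # PFHd per hour as stated by the manufacturer


def combine_series(subsystems: list[Subsystem]):
    """Series combination: the PFHd of the function is the sum over its subsystems."""
    total = sum(s.pfh for s in subsystems)
    return total, pl_from_pfh(total)


def verify(subsystems: list[Subsystem], s: int, f: int, p: int) -> dict:
    plr = required_pl(s, f, p)
    total, pl = combine_series(subsystems)
    return {"PLr": plr, "PFHd": total, "PL": pl, "ok": pl_meets(pl, plr)}


# Constructed: three PL e subsystems, each with PFHd = 4e-8 (inside the PL e band).
THREE_PLE = [Subsystem("sensor", 4e-8), Subsystem("logic", 4e-8), Subsystem("actuator", 4e-8)]


if __name__ == "__main__":
    # Severe injury, infrequent exposure, operator can avoid: PLr = c (article's example)
    print(verify(THREE_PLE, 2, 1, 1))
    # The same chain against PLr = e: the sum 1.2e-7 lands in the PL d band -> not ok
    print(verify(THREE_PLE, 2, 2, 2))
```

The second call is the trap from the text: every subsystem is certified PL e, but their summed PFHd of 1.2 × 10^-7 crosses into the PL d band, so the function fails a PLr of e and passes only a PLr of d or lower. Whether a chain of PL e parts stays at PL e therefore depends on the actual PFHd figures, which is why the calculation has to be done rather than assumed.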
7. Test and Maintain Safety Functions Throughout the Machine’s Lifecycle
Designing a system is one thing, but maintaining its reliability over time is another. An important tip is to consider from the design stage how safety elements will be tested and maintained during the machine’s operation. ISO 13849-1 (and related standards like ISO 13849-2 on validation) emphasize that functional safety requires continuous care.
Planned tests: If the system is category 2 (or has components not continuously monitored), periodic testing by personnel is necessary. The machine user should have clear instructions on how often to check, e.g., the operation of limit switches, light curtains, or emergency stop mushroom buttons. Tests can be automatic (e.g., the machine is programmed to perform an autotest of all safety paths every 24 hours) or manual (e.g., the operator checks weekly that all emergency stop buttons work correctly).
Maintenance and replacements: Pay attention to elements with a finite lifespan. Safety relays have a limited number of operating cycles, as do pneumatic valves (here, the previously mentioned B10d parameter indicating durability is useful). Plan a preventive replacement schedule for components before their wear compromises safety. For example, if a sensor has MTTFd ≈ 20 years, it may be worth replacing it after 10-15 years of intensive work rather than waiting for it to statistically fail.
Recalibration and inspections: Include in the machine’s manual the need for periodic safety system inspections. Often, national regulations require this—e.g., checking safety curtains or laser scanners for correct alignment and cleanliness, inspecting mechanical locks annually, etc. Regular inspections catch degradation (loose elements, worn parts, changes in the machine’s environment) before they become a cause of failure.
In summary, design with the entire lifecycle in mind. Ensure access to safety components (so they can be easily checked or replaced), include fault signaling (e.g., a light or message indicating a fault detected by the diagnostic system), and attach a test and maintenance schedule to the documentation. Even the best design will lose its PL if, after a few years, sensors are covered in dirt or a relay sticks—prevent this through proper maintenance.
8. Document the Design and Verify the Achieved Performance Level
Meeting safety standard requirements involves not only technical issues but also formal verification and documentation. Each safety function should be documented—from risk analysis (determining PLr), through architecture description (e.g., category 3, dual-channel emergency control system), to reliability calculation results (MTTFd, DC, CCF assessment) and the final achieved PL.
Using tools that facilitate such documentation is recommended. A popular choice is the mentioned IFA SISTEMA software, which allows modeling the system according to ISO 13849-1, entering component data, and automatically calculating the resulting PL. The obtained reports can be part of the machine’s documentation. Alternatively, calculations can be done manually or in a spreadsheet using formulas from the standard (e.g., summing failure rates λ for elements in series, average diagnostic coverage, etc.). It is important to clearly demonstrate that the required risk reduction has been achieved.
What to document? Everything that affects safety:
- Component characteristics: datasheets of sensors, controllers, actuators with MTTFd, B10d data, certificates for specific PL or SIL, information on diagnostic coverage, etc.
- Electrical/pneumatic/hydraulic diagrams: showing the category architecture (e.g., two contactors in the safety circuit, two redundant lines from sensor to controller, etc.).
- CCF analysis: completed checklist with assigned points and justification (e.g., “separated wires for each channel—15 points”).
- PL calculation results: e.g., SISTEMA printout indicating the achieved PL for each safety function.
- Test and maintenance plan: from point 7, should also be part of the documentation—for both the manufacturer (for CE compliance assessment) and the end user.
Well-maintained documentation is not only a formal requirement (e.g., for the EU Declaration of Conformity) but primarily confirms that the design is thoughtful and complete. In case of an audit, inspection, or (knock on wood) accident, such documentation proves due diligence by the designer. Verification of the achieved Performance Level should be conducted independently (e.g., review by another experienced safety engineer) and confirmed by tests on the operating machine.
9. Remember the Standard’s Universality—Apply it to Electrical and Mechanical, Pneumatic, Hydraulic Systems
One of the advantages of PN-EN ISO 13849-1 is that it does not limit itself to just electricity or electronics. Although many examples concern PLC controllers or safety relays, the principles of this standard can—and should—also be applied to mechanical elements and fluid systems (pneumatics and hydraulics) if they perform safety functions.
To illustrate, below is a comparative table showing the application of the standard in different types of systems:
| Type of System | Example Safety Element | Application of PN-EN ISO 13849-1 |
|---|---|---|
| Electrical | Light curtain, safety relay, PLC with safety functions | PL assessment covers electrical control parts. Categories relate to electrical circuit architecture (e.g., two contactors in series for cat. 3). The standard was originally developed with electrical systems in mind, but its principles are general. |
| Pneumatic | Dual valve air shut-off, pressure sensor monitoring pressure drop during emergency venting | Pneumatic elements can perform safety functions (e.g., stopping a cylinder). The same methods apply: determine MTTFd for valves (e.g., based on B10d data), ensure valve redundancy (typically two air shut-off valves for category 4) and diagnostics (sensors checking valve positions). |
| Hydraulic | Safety valve in a hydraulic press system, dual proportional valves controlling actuator movement | The standard applies similarly to hydraulic systems. MTTFd of hydraulic valves and pumps, system tightness, redundancy (e.g., two oil shut-off valves to ensure emergency stop): all are assessed according to PN-EN ISO 13849-1. Safety categories relate to valve and pressure/position sensor architecture. |
| Mechanical | Mechanical speed limiter, centrifugal switch, return spring closing valve, linkage and lever system in lock | Purely mechanical elements can also be part of SRP/CS. For example, in a door lock with a spring bolt, the spring must be designed as reliable (MTTFd), and often a second spring or bolt position sensor is added (redundancy/diagnostics). ISO 13849-1 allows such mechanical devices to be included in PL analysis, which is important as machines are not just electronics but also mechanics. |
As seen, PN-EN ISO 13849-1 is widely used in machine building precisely because it is universal. A machine often combines mechanics, electricity, and pneumatics—e.g., a welding robot has electrical control but also pneumatic grippers and a mechanical transmission. This standard enables a joint assessment of all these elements for safety. For machine manufacturers, this is a huge advantage: one consistent method of ensuring safety for the entire device, regardless of the technology used. As a result, it facilitates compliance with the Machinery Directive 2006/42/EC or the Machinery Regulation (essential safety requirements) and obtaining CE marking, as it can be demonstrated that every part of the control system affecting safety was designed according to a recognized standard.
10. Also Use Complementary Standards (e.g., PN-EN 62061) and International Best Practices
PN-EN ISO 13849-1 is not the only standard concerning machine functional safety. It is also worth knowing the PN-EN 62061 standard (based on IEC 62061), which focuses on machine safety from the perspective of Safety Integrity Level (SIL)—an approach derived from the general functional standard IEC 61508. Both standards can be applied concurrently and complementarily.
Briefly on the differences: ISO 13849-1 (PL) and IEC 62061 (SIL) aim for the same goal, ensuring that the risk of control system failure is appropriately low. PL is a discrete level from a to e, SIL from 1 to 3 (for machines, SIL 4 is rarely required and not included in IEC 62061). PL e roughly corresponds to risk reduction at SIL 3 level, and PL d to SIL 2, although the assessment methods differ slightly. IEC 62061 emphasizes formal calculation of PFH (Probability of Failure per Hour) and requires meeting so-called architectural constraints based on HFT (Hardware Fault Tolerance) and SFF (Safe Failure Fraction). SFF indicates the percentage of all system failures that are safe or detected; e.g., SFF = 90% means only 10% of potential failures could remain undetected as dangerous. In practice, SFF is similar to the idea of diagnostic coverage and component reliability, but it is used in SIL standards to determine the allowable architecture for a given SIL (together with HFT).
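To make the SFF/DC relationship and the architectural constraint concrete, here is an added example (not from the article). It computes SFF and DC from a subsystem's failure-rate split (safe, dangerous detected, dangerous undetected) and looks up the SIL claim limit for a given SFF band and HFT, with the values as tabulated in IEC 62061:2005 Table 5 (confirm against the edition you work to). The failure rates are constructed and given in FIT (failures per 10^9 hours).

```python
# Added example (not from the article): SFF and DC from a subsystem's failure-rate
# split, and the IEC 62061 architectural constraint (Table 5 of IEC 62061:2005;
# confirm against your edition) that turns SFF and HFT into a SIL claim limit.
# Failure rates are constructed and expressed in FIT (failures per 1e9 hours).

def sff(lambda_s: float, lambda_dd: float, lambda_du: float) -> float:
    """Safe Failure Fraction: share of all failures that are safe or dangerous-but-detected."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def dc(lambda_dd: float, lambda_du: float) -> float:
    """Diagnostic coverage counts dangerous failures only, which is why SFF >= DC."""
    return lambda_dd / (lambda_dd + lambda_du)


# Rows: SFF band; columns: SIL claim limit for HFT 0, 1, 2 (None = not allowed).
SIL_CLAIM_LIMIT = {
    "<60%": (None, 1, 2),
    "60-<90%": (1, 2, 3),
    "90-<99%": (2, 3, 3),
    ">=99%": (3, 3, 3),   # IEC 62061 stops at SIL 3, as the article notes
}


def sff_band(value: float) -> str:
    if value < 0.60:
        return "<60%"
    if value < 0.90:
        return "60-<90%"
    if value < 0.99:
        return "90-<99%"
    return ">=99%"


def sil_claim_limit(sff_value: float, hft: int):
    """Highest SIL a subsystem may claim from its architecture alone."""
    return SIL_CLAIM_LIMIT[sff_band(sff_value)][hft]


def example():
    # Constructed subsystem: 500 FIT safe, 400 FIT dangerous detected,
    # 100 FIT dangerous undetected.
    s = sff(500, 400, 100)   # 0.90: only 10 % of all failures can stay undetected dangerous
    return s, dc(400, 100), sil_claim_limit(s, 0), sil_claim_limit(s, 1)


if __name__ == "__main__":
    s, d, single, redundant = example()
    print(f"SFF={s:.0%} DC={d:.0%}; claim limit: HFT 0 -> SIL{single}, HFT 1 -> SIL{redundant}")
```

The same subsystem shows SFF 90 % but DC only 80 %: safe failures count toward SFF but not toward DC, so a high SFF on a datasheet does not by itself mean high diagnostic coverage in the ISO 13849-1 sense. The constraint table also shows why redundancy matters in the SIL world: at SFF 90 % a single-channel subsystem (HFT 0) is limited to SIL 2, and a second channel (HFT 1) is needed before SIL 3 can be claimed.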
How to apply standards concurrently? This is often done, e.g., when using programmable safety controllers: the architecture design can be based on ISO 13849-1 (PL for the entire function), but the controller itself may have a SIL3 certificate according to IEC 62061/61508. There is no contradiction—a SIL3-compliant component usually meets PL e requirements as well. Conversely, the 62061 standard is worth applying to very complex control systems (especially software-based), where the formal SIL approach provides deeper analysis (e.g., software error analysis, project cycle requirements, etc.). Meanwhile, ISO 13849-1 is often more practical for electromechanical systems, simpler to use for typical machines, and covers all technologies.
Both standards are harmonized with the Machinery Directive, meaning that by applying one or the other (or both), we can demonstrate compliance with essential safety requirements. Many companies use both: e.g., they assess safety functions using PL, but in the case of a control system composed of many network-communicating modules—which falls under complex electronics—they also verify SIL. The most important thing is to achieve the required risk reduction level; the path can be twofold.
International best practices: Globally, ISO 13849-1 is one of the most commonly used machine safety standards. In EU countries, it is practically a basic reference point (almost every machine built for the EU market must have a PL or SIL assessment). Leading are countries like Germany, where safety culture and the rigor of oversight institutions (TÜV, BG, etc.) enforce very meticulous standard application.
Interesting fact: Incorrectly designed safety systems can have serious consequences. History knows cases where machines were withdrawn from use or modified at the manufacturer’s expense because their safety systems did not achieve the declared level. For example, a packaging machine imported to the EU that did not stop quickly enough when the guard was opened—analysis showed the system was only category 1 (PL b), while due to risk, it should have been category 3 (PL d). The effect? Mandatory modification: adding additional sensors and safety relays to raise the architecture to the required level. In another case, neglecting periodic tests (cat. 2) led to a situation where a failure went undetected, resulting in an operator accident—the machine manufacturer was held responsible for lacking clear instructions on testing safety functions. Globally, such incidents increase awareness of the importance of standards. Conclusion: by following the tips and principles described above, you will not only meet the standard’s requirements but genuinely protect people and equipment from accidents, which is the ultimate goal of functional safety.
In conclusion, it is worth emphasizing: machine safety is a field where there are no shortcuts. The PN-EN ISO 13849-1 standard provides a proven set of guidelines—by adhering to them and using sound engineering judgment, you will build a control system that operates reliably, detects its own faults, and protects users’ lives and health.
FAQ: EN ISO 13849-1 – Key Principles
What is the difference between PN-EN ISO 13849-1 and PN-EN 62061?
PN-EN ISO 13849-1 describes requirements for machine safety control systems (SRP/CS) using Performance Level (PL). It applies not only to electrical systems but also to pneumatic, hydraulic, and mechanical ones. PN-EN 62061 uses SIL (Safety Integrity Level) levels and focuses mainly on electrical, electronic, and programmable safety systems. Both standards comply with the Machinery Directive and can be used concurrently.
If every component has PL e, is the whole safety function automatically PL e?
No. Even when using components with PL e level, connecting three such elements in series can lower the maximum achievable safety level to PL d. This is due to the summation of component failure probabilities.
What is MTTFd and why does it matter?
MTTFd (Mean Time To Dangerous Failure) indicates the average time to a dangerous component failure. The higher the MTTFd value, the more reliable the component. The standard recommends selecting elements with the highest possible MTTFd to ensure adequate safety (preferably over 30 years).
What is a Common Cause Failure (CCF) and how can it be prevented?
CCF refers to a failure causing simultaneous damage to two or more redundant safety channels. ISO 13849-1 includes a list of preventive actions (e.g., physical separation, technological diversity, environmental protections) that should be implemented. Achieving at least 65 points in the CCF assessment is required to consider the system resistant to such failures.
Does PN-EN ISO 13849-1 apply only to electrical systems?
No. This standard is universal and covers not only electrical systems but also pneumatic, hydraulic, and mechanical ones. This allows for a comprehensive safety assessment of the entire machine, considering the various technologies used in safety control.