
Understanding ISO 13849: A Practical Guide for Machine Builders

October 2025 | 10 min read | By the FERSMEK Engineering Team

ISO 13849-1 is the international standard for designing and validating safety-related control systems on machinery. If you build machines that will be sold into the EU — or that carry CE marking requirements — you need to understand how to apply it correctly. This guide covers the core concepts, the Performance Level calculation, and the documentation you must produce before a machine ships.

What ISO 13849 Actually Covers

ISO 13849-1 covers the design of safety functions — the control actions that reduce risk when a hazard is present. Common examples include: emergency stop, guard door interlocking, two-hand control, and enabling devices. The standard defines how reliable these safety functions must be, expressed as a Performance Level (PL) from PLa (lowest) to PLe (highest).

It does not cover the machine's structural integrity, electrical insulation, or ergonomics. Those are covered by other standards (EN ISO 12100 for risk assessment, IEC 60204-1 for electrical equipment). ISO 13849 is specifically about the control system's contribution to safety.

Scope note: ISO 13849 applies to safety-related parts of control systems (SRP/CS). It is the main reference for machinery safety in Europe. IEC 62061 is an alternative route for electrical/electronic/programmable systems — both are acceptable under the Machinery Directive.

Step 1 — Risk Assessment First

You cannot assign a Performance Level requirement without first doing a risk assessment under EN ISO 12100. The risk assessment identifies the hazards, the people exposed, and the probability and severity of harm. From this you determine the required PLr (required Performance Level) for each safety function.

ISO 13849-1 Annex A provides a risk graph with three input parameters:

Parameter         Options   Meaning
Severity (S)      S1 / S2   S1 = slight, normally reversible injury; S2 = serious, normally irreversible injury or death
Frequency (F)     F1 / F2   F1 = seldom to less often and/or short exposure time; F2 = frequent to continuous and/or long exposure time
Avoidability (P)  P1 / P2   P1 = possible to avoid under specific conditions; P2 = scarcely possible to avoid

Running through the risk graph gives you the PLr. PLc or PLd comes out for most industrial machinery hazards; PLe results only from the worst combination (S2, F2, P2), typically on applications such as press lines or robot cells where people routinely enter the hazard zone.

Step 2 — Categories and Architecture

Once you know your PLr, you need to design a safety circuit architecture (Category) that can achieve it. ISO 13849-1 defines five Categories:

Category B
Single channel, basic design — low demand, low severity only. PLa–PLb achievable.
Category 1
Single channel using well-tried components and principles. PLc achievable with high MTTFd.
Category 2
Single channel whose safety function is checked by test equipment (the 2015 edition requires a test rate at least 100 times the demand rate, or a test on each demand); a detected fault must initiate a safe state. PLa to PLd achievable, PLd only with medium DCavg and high MTTFd.
Category 3
Dual channel: a single fault does not cause loss of the safety function and is detected whenever reasonably practicable. Not every fault is detected, so an accumulation of undetected faults can lead to loss of the safety function. PLb to PLe achievable; PLe needs high MTTFd and medium DCavg.
Category 4
Dual channel with high diagnostic coverage: every single fault is detected at or before the next demand on the safety function, and an accumulation of undetected faults does not lead to loss of the safety function. PLe only (high MTTFd, high DCavg).

For PLd, the most common requirement on industrial machinery, a Category 3 dual-channel architecture built around a safety relay or safety PLC is the standard approach. Modern safety PLCs (Siemens F-CPU, Rockwell GuardLogix, Pilz PNOZmulti) are certified as hardware up to PLe / Category 4, so the logic subsystem is rarely the limiting factor. The PL of the whole safety function, however, is set by its weakest subsystem: a PLe controller driving a single contactor with no feedback monitoring still has a single-channel actuator subsystem, and the function will not reach PLd no matter what the controller is certified to.

Step 3 — Calculating Achieved PL

After selecting your architecture and components, you must demonstrate that the achieved PL meets or exceeds PLr. The calculation combines three reliability metrics:

MTTFd (Mean Time To dangerous Failure)

Per-channel reliability figure in years, derived from manufacturer data: either a direct MTTFd or a B10d value converted using the annual number of operations (nop). ISO 13849-1 bands it as Low (3 to under 10 years), Medium (10 to under 30 years) or High (30 to 100 years); values above 100 years are capped at 100 (2500 for Category 4 in the 2015 edition).

DCavg (average Diagnostic Coverage)

How effectively the system detects its own dangerous faults, weighted across all parts of the SRP/CS. Bands: none (under 60%), low (60% to under 90%), medium (90% to under 99%), high (99% or more). Category 2 and Category 3 need at least low DCavg; Category 4 needs high. Safety PLCs and safety relays with internal diagnostics typically declare 90% or more for the logic subsystem.

CCF (Common Cause Failure)

Resistance to failures that affect both channels simultaneously (e.g. EMI, contamination, a shared power supply). Scored using the ISO 13849-1 Annex F checklist: at least 65 of 100 points are required for Categories 2, 3 and 4.

The simplest tool for this calculation is SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications), published free of charge by the IFA (Institut für Arbeitsschutz der DGUV, Germany). SISTEMA takes your component data (many manufacturers publish SISTEMA libraries) and architecture and outputs the achieved PL and PFHd. It also generates a calculation report that forms part of your technical file.
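The following Python script is an added worked example, not FERSMEK code and not SISTEMA output: it runs Steps 1 to 3 end to end for a constructed Category 3 guard-door interlock (two switch contacts, two contactors, logic in a safety relay). The formulas and tables are those of ISO 13849-1:2015 (Annex A risk graph, Annex C B10d to MTTFd conversion, Annex D parts count and channel symmetrisation, Annex E DCavg, Table 7 for Category/DCavg/MTTFd to PL, Table 11 for combining subsystems). The B10d and DC values, the CCF score of 70 and the PLe rating assumed for the safety relay are illustrative assumptions and must be replaced by datasheet data and a real Annex F score on a project.

```python
"""ISO 13849-1:2015 simplified procedure, Steps 1 to 3, as an added worked example.
All component figures below are constructed for illustration, not datasheet data."""
from dataclasses import dataclass

# Step 1: Annex A risk graph, (S, F, P) -> required Performance Level
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

def required_pl(s, f, p):
    return RISK_GRAPH[(s, f, p)]

# Step 3: reliability figures per component and per channel
def nop_per_year(dop_days, hop_hours, tcycle_s):
    """Annex C: nop = dop * hop * 3600 / tcycle (operations per year)."""
    return dop_days * hop_hours * 3600.0 / tcycle_s

def mttfd_from_b10d(b10d, nop):
    """Annex C: MTTFd [years] = B10d / (0.1 * nop) for electromechanical parts."""
    return b10d / (0.1 * nop)

@dataclass
class Part:
    name: str
    mttfd: float  # years
    dc: float     # diagnostic coverage, 0.0 to 1.0

def channel_mttfd(parts):
    """Annex D parts-count method: 1/MTTFd = sum(1/MTTFd_i)."""
    return 1.0 / sum(1.0 / p.mttfd for p in parts)

def symmetrised_mttfd(c1, c2):
    """Annex D: equivalent MTTFd for two channels with different values."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))

def dc_avg(parts):
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    return sum(p.dc / p.mttfd for p in parts) / sum(1.0 / p.mttfd for p in parts)

def mttfd_band(mttfd, category):
    """Low / medium / high; capped at 100 years (2500 for Category 4 in the 2015 edition)."""
    v = min(mttfd, 2500.0 if category == 4 else 100.0)
    if v < 3.0:
        return None  # below the range covered by the standard
    return "low" if v < 10.0 else "medium" if v < 30.0 else "high"

def dc_band(dc):
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"

# Table 7: (Category, DCavg band) -> {MTTFd band: PL}; cells not listed are not permitted
PL_TABLE = {
    ("B", "none"): {"low": "a", "medium": "b", "high": "b"},
    (1, "none"): {"high": "c"},
    (2, "low"): {"low": "a", "medium": "b", "high": "c"},
    (2, "medium"): {"low": "b", "medium": "c", "high": "d"},
    (3, "low"): {"low": "b", "medium": "c", "high": "d"},
    (3, "medium"): {"low": "c", "medium": "d", "high": "e"},
    (4, "high"): {"high": "e"},
}

def achieved_pl(category, mttfd, dcavg, ccf_points=None):
    """PL of one subsystem; None means the combination is not permitted by the standard."""
    if category in (2, 3, 4) and (ccf_points is None or ccf_points < 65):
        return None  # Annex F: at least 65 of 100 CCF points required
    row = PL_TABLE.get((category, dc_band(dcavg)), {})
    return row.get(mttfd_band(mttfd, category))

# Table 11: subsystems in series; the lowest PL dominates and is downgraded
# once too many subsystems sit at that lowest level
COMBINATION = {"a": (3, None), "b": (2, "a"), "c": (2, "b"), "d": (3, "c"), "e": (3, "d")}

def combine_subsystems(pls):
    if any(pl is None for pl in pls):
        return None
    low = min(pls)  # letters sort a < b < c < d < e
    n_max, downgrade = COMBINATION[low]
    return low if pls.count(low) <= n_max else downgrade

def evaluate_guard_interlock():
    """Constructed Cat 3 guard-door interlock; the safety relay is assumed certified PLe
    and the Annex F score is assumed to be 70 (both illustrative assumptions)."""
    plr = required_pl("S2", "F1", "P2")       # irreversible injury, seldom, hard to avoid -> d
    nop = nop_per_year(220, 16, 300)          # 220 days/year, 16 h/day, one cycle per 300 s
    ch1 = [Part("guard switch contact 1", mttfd_from_b10d(2_000_000, nop), 0.90),
           Part("contactor K1", mttfd_from_b10d(1_300_000, nop), 0.99)]
    ch2 = [Part("guard switch contact 2", mttfd_from_b10d(2_000_000, nop), 0.90),
           Part("contactor K2", mttfd_from_b10d(1_000_000, nop), 0.99)]
    mttfd = symmetrised_mttfd(channel_mttfd(ch1), channel_mttfd(ch2))
    dcavg = dc_avg(ch1 + ch2)
    pl_io = achieved_pl(3, mttfd, dcavg, ccf_points=70)
    pl_total = combine_subsystems([pl_io, "e"])  # field I/O subsystem + safety relay
    return {"PLr": plr, "nop": nop, "MTTFd": mttfd, "DCavg": dcavg,
            "PL_io": pl_io, "PL": pl_total, "meets_PLr": pl_total >= plr}
```

With the constructed figures the symmetrised MTTFd comes out around 173 years (capped to 100, so "high"), DCavg around 96% ("medium"), giving PLe for the field wiring under Category 3 and PLe overall against a PLr of d. Swap one contactor for a single unmonitored one, or drop the CCF score below 65, and `achieved_pl` returns None, which is the result SISTEMA would also flag rather than silently rounding down.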

Step 4 — Safety Function Documentation

ISO 13849-2 (the validation standard) and the Machinery Directive both require that each safety function be formally documented. At minimum you need:

Safety function description: what it does, what hazard it mitigates
Required PLr from risk assessment
Architecture category and channel diagram
Component list with MTTFd data and DC values
SISTEMA calculation report showing achieved PL ≥ PLr
CCF scoring table (ISO 13849-1 Annex F)
Test rate or test interval of the automatic test (Category 2), plus replacement intervals (T10d) for wear parts whose T10d is shorter than the 20-year mission time
Validation test plan and test results

This package forms part of the machine's technical file. Without it, CE marking under the Machinery Directive 2006/42/EC (being replaced by the Machinery Regulation (EU) 2023/1230, which applies from 20 January 2027) is not achievable.

Common Mistakes We See in the Field

Issue: E-stop or guard switch wired single-channel into a dual-channel safety relay, with the function claimed as Category 3 and no CCF analysis
Fix: A Category 3 function needs two channels from sensor to actuator. One contact feeding a Cat 3/4 relay leaves a single-channel input subsystem, whatever the relay is certified to. Once the circuit really is dual-channel, score the Annex F CCF checklist (mandatory for Categories 2, 3 and 4); it usually passes with separated cable routing, protection against over-voltage and an EMC-conformant installation.
Issue: Safety PLC used but the safety function never validated end to end
Fix: The safety PLC hardware may be certified PLe, but the PL of a safety function is that of its weakest subsystem, and the application program is part of the SRP/CS. Model every subsystem (sensors, logic, actuators) in SISTEMA, and validate the safety application software against the software requirements of ISO 13849-1 (specification, code review, structured testing of each function block) following ISO 13849-2.
Issue: MTTFd data taken from generic tables rather than the manufacturer datasheet
Fix: Always use the B10d values from the component manufacturer together with your real number of operations (nop). Generic table values are conservative and may under-estimate your achieved PL. While you are at it, compute T10d = B10d / nop and add a replacement interval to the maintenance schedule if it is shorter than the 20-year mission time.
Issue: Test requirements not defined for Category 2 systems
Fix: A Category 2 function relies on its test: define what performs it, what it checks, and how often. ISO 13849-1:2015 requires the test rate to be at least 100 times the demand rate (or a test on each demand), and a detected fault must initiate a safe state. Record the test interval in the machine manual and maintenance schedule, since a Category 2 claim cannot be substantiated without it.

FERSMEK's Approach to Functional Safety

On every project where machinery safety is in scope, we produce a full safety function specification before programming starts. This document captures the PLr for each function, the chosen architecture, the component list, and the SISTEMA calculation. It is reviewed by the client before commissioning and updated if the design changes.

We work with Siemens F-CPU (TIA Portal Safety Advanced), Rockwell GuardLogix (Studio 5000 Logix Designer Safety), and Pilz PNOZmulti. For clients who need to prepare their own technical file for CE marking, we can provide the SISTEMA project file and documentation package as a project deliverable.

Need Help With Machinery Safety Compliance?

Our engineers produce ISO 13849 safety function specifications, SISTEMA calculation reports, and full CE technical file packages. Talk to us before your design is finalised.