Stewart Robinson, Principal Engineer and Functional Safety Expert at TÜV SÜD Product Service, explains the changes in ISO 13849-1:2015, the new edition of this functional safety standard for machinery.
Following the collapse of the project to merge the two functional safety standards for machinery (ISO 13849 and IEC 62061) into a single standard IEC/ISO 17305, ISO decided that instead of issuing a planned amendment of 13849-1, a full new version would be published. This version is ISO 13849-1:2015, with the European and UK equivalents being EN ISO 13849-1:2015 and BS EN ISO 13849-1:2015.
Within the updated ISO 13849-1, Table 1 has been removed and replaced by a reference to the technical report ISO/TR 23849 published in 2010 for guidance on the choice of which functional safety standard to adopt in different situations.
References have been updated throughout the standard, mainly to reflect changes in other standards.
Terms and definitions
Some definitions have been added, including a definition of Proven in use: demonstration, based on an analysis of operational experience for a specific configuration of an element, that the likelihood of dangerous systematic faults is low enough so that every safety function that uses the element achieves its required performance level (PLr).
The term T10d has been added to the list of terms and definitions and is defined as the Mean time until 10 per cent of the components fail dangerously.
Previously the expression average probability of a dangerous failure per hour had been used in full throughout the standard. Now, the abbreviation PFHD is also used, delivering some consistency between EN ISO 13849-1 and other functional safety standards. Likewise, the term subsystem is now included as an alternative term for Safety Related Parts of Control Systems (SRP/CS).
The flow chart (Figure 2) for the overview of the risk reduction process now includes systematic failures in the list of things to consider in order to evaluate the Performance Level.
Clause 4.5.1 (Performance Level) includes a statement acknowledging the use of subsystems designed according to IEC 62061 or IEC 61508.
The 'assumption' that for a Category 2 architecture the demand rate on the safety function is no more than 1/100 of the test rate (i.e. the test rate is at least 100 times the demand rate) now has an added alternative: Category 2 can also be claimed if the test is performed immediately upon demand of the safety function, provided the overall safety-related response times and safety distances are still satisfied.
There is a new clause (4.5.5) regarding the use of non-electrical components where no reliability data is available. This is quite a detailed clause that allows for estimations of PFHD to be made based on architectures and other factors.
For Category 4 architectures, the cap on the Mean Time To Dangerous Failure (MTTFd) per channel can be increased from 100 years to 2500 years. This is to overcome the limitation that the 100-year cap imposed on the calculated PFHD of each subsystem, which in turn put an artificial limit on the number of subsystems that could be combined in a series alignment while still achieving the required PL. Annex K has also been expanded to take account of this.
To achieve PLd with Category 2 architectures it is now a normative requirement for the Output of Test Equipment (OTE) to initiate a safe state.
The requirements for Safety Related Embedded Software (SRESW) now include clear restrictions on the use of some programmable electronic systems according to the PLr. Components for which the SRESW requirements are not fulfilled, e.g. PLCs without a safety rating from the manufacturer, may still be used under the following alternative conditions:
- the SRP/CS is limited to PL a or b and uses category B, 2 or 3;
- the SRP/CS is limited to PL c or d and may use multiple components for two channels in category 2 or 3. The components of these two channels use diverse technologies.
The summing up of the PFHD of each SRP/CS in a series alignment to establish the PFHD of the function is made clear (Clause 6.3). There is also an unambiguous statement that the procedure for estimating the PL achieved by a series alignment as summarised in table 11 is only applicable if the PFHD of the individual subsystems is not known.
There is also clarification that the use of the Risk Graph in Annex A is not mandatory, and that other methods to establish the performance level required (PLr) of the safety functions can be used instead. The guidance on selecting some of the parameters is expanded, and it is made clear that the selection of P1 or P2 should consider both the possibility to avoid and the probability of occurrence of the hazardous event.
In the generic reliability data tables in Annex C there is more detail for hydraulic components based on cycles per year, and the B10d for a contactor at nominal load is now given as 1,300,000 cycles. Tables C.2 to C.7 no longer include worst-case values, and some of the typical values have been changed.
The entry in table E.1 that allowed a claim of 90 per cent DC (diagnostic coverage) for only monitoring one of the actuators has been removed.
There are some additional measures against Common Cause Failures listed in table F.1 - for example, detection of short circuits by dynamic test is listed as a measure for separation/segregation. The measure for EMC is more specific and now reads: 'For electrical/electronic systems, prevention of contamination and electromagnetic disturbances (EMC) to protect against common cause failures in accordance with appropriate standards (e.g. IEC 61326-3-1)'.
Annex I Examples has been completely revised with example A (single channel) having a PLr of PLc, and example B (dual channel) having a PLr of PLd. More detail is now also given to the reliability data used in the examples to make them more in keeping with actual 'real world' applications.
And finally, the table in Annex K has been expanded to include PFHD values for Category 4 architectures up to 2500 years MTTFd.
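The arithmetic behind the points above (B10d and T10d for the contactor, the per-channel MTTFd cap of 100 or 2500 years, and the summing of subsystem PFHD values in a series alignment against the PL bands) is small enough to show end to end. The following Python is an added worked example, not code from the article, from TÜV SÜD or from the standard: the formulas (nop and MTTFd from B10d, T10d = B10d/nop, the parts-count MTTFd of a channel, the cap, the series sum and the PFHD bands for PL a to e) are those of ISO 13849-1, but the operating parameters (250 days, 16 hours, 60 s cycle) and the subsystem PFHD values are assumed purely for illustration. The MTTFd-to-PFHD mapping of Annex K is not reproduced, so subsystem PFHD values are taken as inputs, as they would be from manufacturer data.

```python
# Added worked example of the reliability arithmetic in ISO 13849-1.
# Not from the article or the standard's tables. The formulas follow the
# standard; every numeric input below is an ASSUMED illustrative value.
from typing import List, Optional

# Table 3 of ISO 13849-1: upper bound (exclusive) of average PFHD [1/h] per PL.
PL_BANDS = [("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4)]
PL_RANK = {"a": 1, "b": 2, "c": 3, "d": 4, "e": 5}


def pl_from_pfhd(pfhd: float) -> Optional[str]:
    """Return the PL a..e achieved for a PFHD, or None if above 1e-4 (no PL)."""
    for pl, upper in PL_BANDS:
        if pfhd < upper:
            return pl
    return None


def meets(pl_achieved: Optional[str], plr: str) -> bool:
    """True if the achieved PL is at least the required PL (PLr)."""
    return pl_achieved is not None and PL_RANK[pl_achieved] >= PL_RANK[plr]


def nop(dop_days: float, hop_hours: float, tcycle_s: float) -> float:
    """Mean number of annual operations (C.4.2): dop * hop * 3600 / tcycle."""
    return dop_days * hop_hours * 3600.0 / tcycle_s


def mttfd_from_b10d(b10d: float, nop_per_year: float) -> float:
    """MTTFd in years for an electromechanical part (C.4.2): B10d / (0.1 * nop)."""
    return b10d / (0.1 * nop_per_year)


def t10d(b10d: float, nop_per_year: float) -> float:
    """Mean time in years until 10 % of the parts fail dangerously: B10d / nop."""
    return b10d / nop_per_year


def channel_mttfd(part_mttfds: List[float]) -> float:
    """Parts-count method (Annex D): 1 / MTTFd_channel = sum(1 / MTTFd_part)."""
    return 1.0 / sum(1.0 / m for m in part_mttfds)


def cap_mttfd(mttfd_years: float, category: int) -> float:
    """Per-channel cap: 100 years, or 2500 years for Category 4 (2015 edition)."""
    return min(mttfd_years, 2500.0 if category == 4 else 100.0)


def mttfd_level(mttfd_years: float) -> Optional[str]:
    """Table 5 level of MTTFd per channel; None below the usable minimum of 3 years."""
    if mttfd_years < 3:
        return None
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"


def series_pfhd(subsystem_pfhds: List[float]) -> float:
    """Clause 6.3: PFHD of a series alignment is the sum of the subsystem PFHDs."""
    return sum(subsystem_pfhds)


def max_series_subsystems(pfhd_each: float, plr: str) -> int:
    """How many identical subsystems can be chained in series and still meet PLr."""
    if pfhd_each <= 0:
        raise ValueError("PFHD must be positive")
    n = 0
    while meets(pl_from_pfhd(series_pfhd([pfhd_each] * (n + 1))), plr):
        n += 1
    return n


if __name__ == "__main__":
    # Contactor at nominal load, B10d = 1,300,000 cycles (Annex C, 2015 edition);
    # assumed duty: 250 days/year, 16 h/day, one cycle every 60 s.
    n_op = nop(250, 16, 60)                      # 240,000 operations/year
    print("nop =", n_op)
    print("MTTFd = %.1f years" % mttfd_from_b10d(1_300_000, n_op))   # 54.2
    print("T10d  = %.1f years" % t10d(1_300_000, n_op))              # 5.4

    # Channel of three assumed parts at 1000 years each: 333 years uncapped.
    ch = channel_mttfd([1000, 1000, 1000])
    print("Cat 3 capped:", cap_mttfd(ch, 3), " Cat 4 capped: %.0f" % cap_mttfd(ch, 4))

    # Series alignment of assumed subsystems at 2.4e-8 1/h each.
    print("4 in series ->", pl_from_pfhd(series_pfhd([2.4e-8] * 4)))   # e
    print("5 in series ->", pl_from_pfhd(series_pfhd([2.4e-8] * 5)))   # d
    print("max for PL e:", max_series_subsystems(2.4e-8, "e"))         # 4
```

The last two lines show the effect the new cap is meant to address: a fixed per-subsystem PFHD, as the old 100-year cap produced for well-designed Category 4 subsystems, limits how many subsystems can sit in series before the summed PFHD crosses the 1e-7 boundary out of PL e.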
To make EN ISO 13849-1:2015 work for them, machine builders need to pay more attention to the concept of functional safety, identify the individual safety functions of a machine, and then assign performance requirements against each of these to ensure that they comply. While breaking each function into further subsystems is a detailed and time-consuming process, it can help with the calculations and also help to ensure that nothing is missed.
Performance data is available from most of the safety product manufacturers for use in the calculations. However, even when the relevant data is available, it would be misleading to pretend that carrying out the calculations required by EN ISO 13849-1 is a straightforward task. To make things a little easier, several software packages have been produced that guide users through the process.
Although software support is available, ensuring compliance with EN ISO 13849-1:2015 is a task that few system integrators or machine builders will want to undertake for themselves, or have the resources available to do so.
In view of the changes in this new edition of the machinery functional safety standard, ISO 13849-1:2015, follow the links for more information about Functional Safety Assessments and Functional Safety Training from TÜV SÜD Product Service.