ISO 13849 and IEC 62061: machinery safety

Author Hugues Orgitello Last updated 30 May 2026 ~9 min read

Guide, machinery safety

Designing a safety function on a machine, emergency stop, interlocked movable guard, light curtain, two-hand control, means quantifying the reliability of the control part that carries it out. Two harmonised standards frame this exercise in the European Union: ISO 13849-1 and its validation part ISO 13849-2, which reason in Performance Level (PL a to e), and IEC 62061, which reasons in SIL CL (1 to 3) following the IEC 61508 lineage. This page sets out the metrics of each standard, the PL to SIL mapping table, the selection criteria, the calculation procedure, validation, and the link to Directive 2006/42/EC and Regulation (EU) 2023/1230.

Two standards, one objective

ISO 13849-1 and IEC 62061 both address the safety-related parts of control systems. ISO 13849 calls them SRP/CS (Safety-Related Parts of Control Systems); IEC 62061 uses SCS (Safety-related Control System). The goal is identical: to demonstrate that the safety function has a sufficiently low probability of dangerous failure relative to the risk it reduces.

ISO 13849-1 comes from the European machinery tradition (the former EN 954-1) and reasons through architecture categories combined with reliability quantities. IEC 62061 is the machinery branch of IEC 61508, the generic functional safety standard for electrical, electronic and programmable electronic systems; it reuses the SIL logic and the 61508 vocabulary.

Historically ISO 13849 covered all technologies while IEC 62061 (2005 edition) was limited to electrical, electronic and programmable electronic systems. The 2021 edition of IEC 62061 lifted that restriction: both standards now cover the full range of control technologies, including hydraulic and pneumatic. The choice between them therefore mainly reflects team culture and the weight of complex programmable electronics in the function.

Standards lineage

Standard	Origin	Metric	Scope
ISO 13849-1	Machinery world (former EN 954-1)	Performance Level (PL a to e)	All technologies
ISO 13849-2	Associated validation part	Design review and testing	All technologies
IEC 62061	Machinery branch of IEC 61508	SIL CL (1 to 3)	All technologies (since 2021)
IEC 61508	Generic parent standard	SIL (1 to 4)	Generic E/E/PE systems

ISO 13849-1: Performance Level

The Performance Level (PL) is the core of ISO 13849-1 quantification. It is a discrete level from a to e expressing the capability of an SRP/CS to carry out a safety function under foreseeable conditions. Each PL maps to a PFHd range, the probability of dangerous failure per hour.

PL	PFHd (per hour)
a	1e-5 to less than 1e-4
b	3e-6 to less than 1e-5
c	1e-6 to less than 3e-6
d	1e-7 to less than 1e-6
e	1e-8 to less than 1e-7

Determining the required PL (PLr)

The target to reach is the PLr (PL required), derived from a three-parameter risk graph applied to each safety function before risk reduction measures:

• S (severity): S1 slight and reversible injury, S2 serious or irreversible injury or death.
• F (frequency and duration of exposure): F1 rare or short, F2 frequent or continuous.
• P (possibility of avoiding the hazard): P1 possible under certain conditions, P2 scarcely possible.

Combining S, F and P yields a PLr from a to e. The design must then reach a PL greater than or equal to the PLr. The graph is described in annex A of the standard.

The five architecture categories

The achieved PL depends first on the category, which describes the structure of the SRP/CS and its behaviour when a fault occurs.

Category	Principle	Behaviour on fault
B	Basic components, built to the state of the art	A fault may cause loss of the function
1	As B with well-tried components and principles	Better reliability, but a fault may still cause loss of the function
2	Function checked periodically by the control system	A fault detected at the next check; loss possible between checks
3	Single-fault tolerant architecture (often two channels)	A single fault does not cause loss of the function
4	Two channels with high diagnostics, fault accumulation controlled	Neither a single fault nor a reasonable accumulation causes loss of the function

MTTFd, DC and CCF

Three further quantities refine the PL within a category.

• MTTFd (Mean Time To dangerous Failure): mean time before a dangerous failure of a channel, classed low (3 to less than 10 years), medium (10 to less than 30 years), high (30 to 100 years). The channel MTTFd is capped at 100 years in the calculation.
• DC (Diagnostic Coverage): share of dangerous failures detected by diagnostics, classed none (less than 60 per cent), low (60 to less than 90), medium (90 to less than 99), high (at least 99). The average DC (DCavg) over the whole SRP/CS is used.
• CCF (Common Cause Failure): control of common cause failures, scored on the annex F points grid. A total of at least 65 points out of 100 is required for categories 2, 3 and 4.

The achieved PL is read from table 7 (crossing category, MTTFd, DCavg), confirmed by the curves in annex K. The SISTEMA tool from the IFA (Institut fur Arbeitsschutz) automates this calculation and is widely recognised by notified bodies.

IEC 62061: SIL CL for machinery

IEC 62061 quantifies a SIL CL (SIL Claim Limit), 1 to 3, assignable to a subsystem. The SIL CL is the upper SIL bound a subsystem may claim given its architecture, its fault tolerance (HFT) and its safe failure fraction (SFF), exactly in the logic of IEC 61508.

The standard describes a full procedure: estimating and assigning a SIL to each safety function, breaking it down into subsystems (sensor, logic, actuator), assigning a SIL CL to each subsystem, then combining them to verify the target. The system PFHd is the sum of the subsystem PFHd values in series, compared with the target SIL range.

SIL and PFHd ranges

SIL	PFHd (per hour)
1	1e-6 to less than 1e-5
2	1e-7 to less than 1e-6
3	1e-8 to less than 1e-7

IEC 62061 does not go beyond SIL 3: SIL 4 of IEC 61508 has no realistic machinery use. The subsystem architectures (noted A and B, or the basic structures D depending on the edition) determine the achievable SIL CL from HFT and SFF, using the same tables as part 2 of IEC 61508.

PL to SIL mapping

Because both standards derive from IEC 61508 and share PFHd, the mapping is reliable for communicating between teams or choosing a standard. It is not a formal equivalence (the calculation routes differ), but an alignment by PFHd range.

Performance Level	PFHd (per hour)	Equivalent SIL
a	1e-5 to less than 1e-4	no SIL equivalent
b	3e-6 to less than 1e-5	SIL 1
c	1e-6 to less than 3e-6	SIL 1
d	1e-7 to less than 1e-6	SIL 2
e	1e-8 to less than 1e-7	SIL 3

PL a is the only level with no SIL equivalent: its PFHd range sits above the SIL 1 domain. Conversely, IEC 62061 does not go below SIL 1, so a function targeting PL a is handled only by ISO 13849.

When to use which standard

Situation	Recommended standard	Reason
Simple architecture, mixed technologies, machinery team	ISO 13849-1	Category approach, SISTEMA tool, machinery culture
Function at PL a (low risk)	ISO 13849-1	IEC 62061 does not go below SIL 1
Complex programmable electronics, significant software	IEC 62061	61508 lineage, detailed software requirements
Continuity with a fleet already certified to SIL	IEC 62061	Consistent vocabulary and SIL files
Integration into a process chain under IEC 61511	IEC 62061	Same 61508 root, easier transfer

As both standards remain harmonised under the Machinery Directive, the choice is free. Mixing the two on the same function is discouraged: follow one standard per safety function and document the choice in the technical file.

Step by step procedure

The approach is common to both standards, with metrics specific to each.

1. Risk assessment under EN ISO 12100: identify the hazards, estimate the risk, define the reduction measures and the necessary safety functions.
2. Define each safety function: input (sensor), processing (logic), output (actuator), expected behaviour, response time, safe state.
3. Set the target: PLr (ISO 13849) or target SIL (IEC 62061) through the risk graph or the matrix.
4. Design the architecture: choose the category (B, 1, 2, 3, 4) or the subsystem structure, add redundancy and diagnostics as needed for the target level.
5. Quantify: MTTFd, DCavg, CCF and table 7 for ISO 13849; HFT, SFF, subsystem PFHd for IEC 62061. SISTEMA helps for ISO 13849.
6. Verify: achieved PL greater than or equal to the PLr, or system PFHd within the target SIL range.
7. Validate under ISO 13849-2 (or the validation clause of IEC 62061): design review, fault analysis, functional tests and fault tests.
8. Document: technical file, EU declaration of conformity, instructions for use, maintenance, and the conditions of validity of the PL or SIL.

Validation under ISO 13849-2

Validation is not incidental: part 1 requires it and refers to part 2 for the method. ISO 13849-2 combines two complementary means.

• Analysis (design review): checking that each safety function, each category and each calculation assumption is consistent with the actual design. The standard provides fault lists (faults to consider or exclude) by technology in its annexes, to frame the fault analysis.
• Testing: functional tests (the function correctly reaches the safe state), fault tests (injecting faults to verify the category behaves as expected), and environmental limit tests where relevant.

The validation plan, the list of safety functions, the fault analysis and the test report form part of the technical file. A fault exclusion must be justified in writing and remains the manufacturer's responsibility; an assessor or notified body checks the soundness of each exclusion.

Link to the Machinery Directive

EN ISO 13849-1 and EN IEC 62061 are cited in the Official Journal of the European Union as harmonised standards of Directive 2006/42/EC. Their voluntary application gives presumption of conformity with the essential health and safety requirements of annex I, in particular clause 1.2.1 on the safety and reliability of control systems.

The presumption covers only the scope addressed and only the exact version cited in the OJEU: ISO 13849-1 has had several editions (2006, 2015, 2023) and the cited version is not always the most recent. The manufacturer checks the reference and date before claiming the presumption.

Regulation (EU) 2023/1230 replaces Directive 2006/42/EC with full application from 20 January 2027. The presumption mechanism through harmonised standards is retained, and EN ISO 13849-1 and EN IEC 62061 remain the expected references for control system safety. The regulation tightens requirements for machinery integrating software safety components and artificial intelligence, frames substantial modifications and allows documentation in digital form. Manufacturers follow the republication of harmonised references under the regulation.

Conformity assessment route

The functional safety standard does not on its own determine the assessment module. For most machinery, the manufacturer proceeds by self-assessment (internal production control) and draws up the EU declaration of conformity itself. Annex IV machinery (certain presses, saws, protective devices) requires a notified body, through EU-type examination or full quality assurance, when the harmonised standards are not applied in full. ISO 13849 and IEC 62061 serve, in all cases, to justify the reliability of the control system.

Common pitfalls

Pitfall	Consequence	Mitigation
Confusing achieved PL with PLr	Insufficient PL goes unnoticed	Always compare achieved PL with the PLr from the risk graph
CCF below 65 points in category 3 or 4	Quantification rejected	Fill in the annex F grid from the design stage
Channel MTTFd above 100 years in the calculation	Overestimated PL	Cap the channel MTTFd at 100 years
Missing or undocumented 13849-2 validation	Presumption of conformity untenable	Validation plan, fault analysis and traced tests
Unjustified fault exclusion	Exclusion rejected at review	Justify each exclusion in writing against the fault lists
Standard version not cited in the OJEU	No presumption	Check the reference and date cited in the Official Journal
Mixing ISO 13849 and IEC 62061 on one function	Inconsistent file	One standard per safety function, choice documented
Ignoring the 2023/1230 transition	File obsolete by 20 January 2027	Follow the republication of harmonised references

Further reading

• Machinery Directive 2006/42/EC and Regulation 2023/1230
• IEC 61508: functional safety and SIL levels
• Risk management: ISO 14971, IEC 31010, FMEA, FTA
• ISO 26262: automotive functional safety
• Technical documentation file contents
• Glossary of certification terms

Need help?

A 30-minute audit with AESTECHNO engineers.

AESTECHNO is the electronics design house that edits spilma. We help product teams scope their certification effort and avoid the common mistakes.

Book a free audit

Sources and references

Sources & references

1. ISO 13849-1:2023, Safety of machinery, Safety-related parts of control systems, Part 1: General principles for design , ISO www.iso.org/standard/73481.html
2. ISO 13849-2:2012, Safety of machinery, Safety-related parts of control systems, Part 2: Validation , ISO www.iso.org/standard/53640.html
3. IEC 62061:2021, Safety of machinery, Functional safety of safety-related control systems , IEC webstore.iec.ch/publication/59927
4. Directive 2006/42/EC on machinery , EUR-Lex eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32006L0042
5. Regulation (EU) 2023/1230 on machinery , EUR-Lex eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1230
6. IEC 61508:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems , IEC www.iec.ch/functional-safety
7. ISO 12100:2010, Safety of machinery, General principles for design, Risk assessment and risk reduction , ISO www.iso.org/standard/51528.html