
ISO 13849-1 and ISO 13849-2

ISO 13849 is the safety-of-machinery standard for the design and verification of safety-related parts of control systems (SRP/CS). It is one of two routes (the other being IEC 62061) used to demonstrate that a machinery control system reaches the safety integrity its risk assessment requires.
  • ISO 13849-1:2023, Safety-related parts of control systems — Part 1: General principles for design. Defines Performance Levels (PL) a–e and Categories B / 1 / 2 / 3 / 4. The design standard.
  • ISO 13849-2:2012, Safety-related parts of control systems — Part 2: Validation. The verification standard.
EN ISO 13849-1 is harmonised under the EU Machinery Regulation (EU) 2023/1230 and was harmonised under the prior Machinery Directive.
Roboticks is audit-readiness tooling, not a certified toolchain. We assemble the evidence your notified body, certification body, or QA process ingests. We do not replace tool qualification (DO-178C, ISO 26262-8 TCL) and we do not issue conformity assessments. Verify the regulatory interpretations on this page against the standard text and your accredited assessor.

Performance Levels and Categories

PL is a discrete level that corresponds to a band of average probability of dangerous failure per hour (PFHd) for a safety function:

| PL | Average probability of dangerous failure per hour (PFHd) |
| --- | --- |
| a | ≥ 10⁻⁵ and < 10⁻⁴ |
| b | ≥ 3×10⁻⁶ and < 10⁻⁵ |
| c | ≥ 10⁻⁶ and < 3×10⁻⁶ |
| d | ≥ 10⁻⁷ and < 10⁻⁶ |
| e | ≥ 10⁻⁸ and < 10⁻⁷ |

The required PL (PLr) is determined by the risk-graph procedure of Annex A from the severity of injury, the frequency or duration of exposure, and the possibility of avoiding the hazard. The PL the SRP/CS achieves through its design must meet or exceed PLr. Categories describe the structural and behavioural properties of the SRP/CS architecture:
  • Category B — basic safety principles only.
  • Category 1 — well-tried components and basic safety principles.
  • Category 2 — periodic checking of the safety function.
  • Category 3 — single-fault tolerance.
  • Category 4 — single-fault tolerance plus fault detection.
PL and Category are coupled: a given PL can be achieved only by specific combinations of Category, MTTFd (mean time to dangerous failure), DCavg (average diagnostic coverage) and CCF (common-cause failure) measures, per Annex H.

What Roboticks supports

  • PL and Category annotation on requirements via the asil_pl field (PLa through PLe).
  • Clause-level derivation from ISO 13849-1 (e.g., Annex H combinations).
  • Verification-evidence assembly that maps to ISO 13849-2 validation activities — software validation, common-cause failure analysis, fault-injection.
  • Software safety lifecycle evidence for SRP/CS where software is in scope (Clause 4.6) — coverage, SARIF static-analysis, deterministic test execution.

What Roboticks does not do

  • We do not compute PL — that requires MTTFd, DCavg, and CCF data Roboticks does not gather.
  • We do not perform the risk graph determination — that is your safety engineer’s product.
  • We do not certify the safety case.

Example PLd Category 3 requirement

```yaml
- id: REQ-EST-003
  title: E-stop function PLd Category 3
  type: safety
  asil_pl: PLd
  category: "3"
  derives_from:
    - standard: iso-13849-1-2023
      clause: "§4.5.2 + Annex H — PL d, Category 3 combination"
      edition: "2023"
    - standard: iso-10218-1-2025
      clause: "§5.4.2 Protective stop"
      edition: "2025-07"
  text: |
    The E-stop safety function shall achieve PL d Category 3:
    dual-channel actuator demand path, cross-monitoring between
    channels, single-fault detection that prevents loss of the
    safety function on any single failure of either channel.
  acceptance:
    - test: tests/safety/test_estop_dual_channel.py::test_both_channels_command_stop
    - test: tests/safety/test_estop_dual_channel.py::test_single_channel_fault_detected
    - test: tests/safety/test_estop_dual_channel.py::test_safety_function_maintained_on_fault
    - test: tests/safety/test_estop_dual_channel.py::test_crosscheck_detects_discrepancy
```
The verification tests cover the Category 3 expectations: both channels function nominally, single-channel fault is detected, the safety function is maintained on the detected fault, and the dual-channel cross-check trips on discrepancy.

Fault injection for PL verification

The Roboticks SDK provides a fault-injection helper that drops, corrupts, or stalls topics:
```python
from roboticks import confirms, inject_fault

# Links the test to the requirement it verifies, so its result is filed
# in the evidence pack under REQ-EST-003.
@confirms("REQ-EST-003")
def test_single_channel_fault_detected(robot):
    # Drop every message on channel A for the duration of the block.
    with inject_fault(topic="/safety/estop_ch_a", mode="drop"):
        # Assert (press) the E-stop while channel A is lost.
        robot.assert_estop()
        # The channel loss must be diagnosed, and the robot must reach the safe state.
        assert robot.diagnostics.error("CH_A_LOSS")
        assert robot.is_stopped()
```
The fault-injection context manager is recorded in the JUnit XML’s roboticks.fault_injection property, so the evidence pack documents not just that a test ran but what fault condition it ran under. This is the form of evidence ISO 13849-2 validation activities expect.

Suggested test patterns

| Category | Pattern |
| --- | --- |
| B / 1 | Nominal-function tests; component datasheet review (off-platform) |
| 2 | Periodic-check trigger tests; verify the check detects an injected fault |
| 3 | Dual-channel symmetry tests; fault on one channel verified to preserve the function; cross-check discrepancy detection |
| 4 | Category 3 patterns plus fault-detection coverage tests |
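The Category 3 pattern in the table and the four acceptance tests of the REQ-EST-003 example above are easier to reason about against a concrete monitor. The following is an added, self-contained example, not Roboticks SDK code and not the project's test suite: a constructed two-channel E-stop monitor with cross-monitoring, driven through drop, corrupt and stall faults by a stand-in injector named `inject` (an assumption; it is not the SDK's `inject_fault`). The STOP/RUN channel encoding and the `CH_A_INVALID` and `CROSSCHECK_DISCREPANCY` codes are likewise assumptions of this example; only `CH_A_LOSS` comes from the page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example, not Roboticks SDK code. Channel encoding and the
# CH_*_INVALID / CROSSCHECK_DISCREPANCY codes are assumptions for this demo.
STOP, RUN = 0, 1          # 0 = stop demanded (de-energised), 1 = run permitted
VALID = {STOP, RUN}


@dataclass
class Channel:
    name: str
    value: int = RUN      # last accepted demand on this channel
    healthy: bool = True  # cleared once a fault is attributed to the channel


@dataclass
class DualChannelEstop:
    """Cross-monitored dual-channel stop path. Any detected fault forces the
    safe state, and the safe state latches (an E-stop needs a manual reset)."""
    ch_a: Channel = field(default_factory=lambda: Channel("CH_A"))
    ch_b: Channel = field(default_factory=lambda: Channel("CH_B"))
    faults: list = field(default_factory=list)
    stopped: bool = False

    def cycle(self, a: Optional[int], b: Optional[int]) -> bool:
        """One monitoring cycle; a/b are the samples received on each channel
        (None = nothing arrived). Returns the stopped state after the cycle."""
        for ch, sample in ((self.ch_a, a), (self.ch_b, b)):
            if sample is None:
                self._fault(ch, f"{ch.name}_LOSS")
            elif sample not in VALID:
                self._fault(ch, f"{ch.name}_INVALID")
            else:
                ch.value = sample
        # Cross-monitoring: two healthy channels must agree on the demand.
        if (self.ch_a.healthy and self.ch_b.healthy
                and self.ch_a.value != self.ch_b.value):
            self._fault(None, "CROSSCHECK_DISCREPANCY")
        # A stop demand on either channel counts even when the other channel is
        # faulted: that is what keeps the function available under one fault.
        demand = any(ch.value == STOP for ch in (self.ch_a, self.ch_b))
        if demand or self.faults:
            self.stopped = True
        return self.stopped

    def _fault(self, ch: Optional[Channel], code: str) -> None:
        if ch is not None:
            ch.healthy = False
        if code not in self.faults:
            self.faults.append(code)


def inject(sample: Optional[int], mode: str, stale: int) -> Optional[int]:
    """Stand-in fault injector (not the SDK's inject_fault): alters what a
    channel would have delivered this cycle."""
    if mode == "drop":
        return None       # message never arrives
    if mode == "corrupt":
        return 0xFF       # out-of-range payload
    if mode == "stall":
        return stale      # old value repeated; the new demand never propagates
    raise ValueError(f"unknown fault mode {mode!r}")


def run(frames, fault=None, on="a", fault_from=1):
    """Drive a fresh monitor through (a, b) sample pairs. From frame index
    fault_from onward, apply `fault` to channel `on`. Returns the monitor."""
    m = DualChannelEstop()
    idx = 0 if on == "a" else 1
    for i, pair in enumerate(frames):
        pair = list(pair)
        if fault and i >= fault_from:
            pair[idx] = inject(pair[idx], fault, frames[fault_from - 1][idx])
        m.cycle(pair[0], pair[1])
    return m


# The four Category 3 expectations from the requirement, as pure functions.
def test_both_channels_command_stop() -> bool:
    return (not run([(RUN, RUN)]).stopped
            and run([(RUN, RUN), (STOP, STOP)]).stopped)

def test_single_channel_fault_detected() -> bool:
    m = run([(RUN, RUN), (RUN, RUN)], fault="drop", on="a")
    return "CH_A_LOSS" in m.faults and m.stopped      # fail-safe on detection

def test_safety_function_maintained_on_fault() -> bool:
    # Channel A delivers garbage; the operator's demand reaches B only.
    m = run([(RUN, RUN), (STOP, STOP)], fault="corrupt", on="a")
    return "CH_A_INVALID" in m.faults and m.ch_b.value == STOP and m.stopped

def test_crosscheck_detects_discrepancy() -> bool:
    # Channel A stalls at RUN while B reports STOP: the channels disagree.
    m = run([(RUN, RUN), (STOP, STOP)], fault="stall", on="a")
    return "CROSSCHECK_DISCREPANCY" in m.faults and m.stopped


if __name__ == "__main__":
    for t in (test_both_channels_command_stop, test_single_channel_fault_detected,
              test_safety_function_maintained_on_fault, test_crosscheck_detects_discrepancy):
        print(f"{t.__name__}: {'PASS' if t() else 'FAIL'}")
```

One point the stall case makes explicit: a channel frozen at RUN is invisible to the cross-check until the other channel changes state, so a stalled channel with no demand raises no fault at all. That is why the Category 2 and 3 patterns include periodic-check trigger tests that force a state change rather than relying on nominal traffic, and why the fault mode recorded in the evidence (the `roboticks.fault_injection` property in the SDK's JUnit output) matters to an assessor.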

Pinning

```bash
rbtk standard pin iso-13849-1-2023 --project acme-robotics/firmware
rbtk standard pin iso-13849-2-2012 --project acme-robotics/firmware
```
ISO 13849 is part of the industrial-robot-eu bulk template.

Next steps

  • IEC 62061 — The alternative route to functional safety for machinery.
  • IEC 61508 — The parent standard from which IEC 62061 derives.
  • ISO 10218 — Cites ISO 13849 PL requirements throughout.