ISO 13849-1:2021 Safety of machinery - Safety-related parts of control systems

4 Overview
4.1 Risk assessment and risk reduction process at the machine

The risk assessment and risk reduction process is defined by ISO 12100:2010 as shown in Figure 2.
ISO 13849-1 is included in the risk reduction process when a safety function and its corresponding
SRP/CS are used to provide the risk reduction.

NOTE For further information see ISO/TR 22100-2:2013.
The safety requirements specification and the design of the SRP/CS shall take into account the result of
the risk assessment including the intended use and reasonably foreseeable misuse of the machine (see
Figure 1 and Figure 2).

NOTE This document does not apply to non-safety-related parts of control systems of a machine (see Figure 6).


Key
a The first time the question is asked, it is answered by the result of the initial risk assessment.
Risk reduction by safeguarding may be realized by SRP/CS that execute safety functions. In this case this document

Figure 2 — Schematic representation of risk reduction process including iterative three-step method according to ISO 12100:2010

NOTE In special cases, this document applies also to step 3 of Figure 2. For examples, see Annex M (indications and alarms).

4.2 Contribution to the risk reduction

From the risk assessment, the designer shall decide the contribution to the risk reduction provided by
each relevant safety function carried out by the SRP/CS. This contribution covers the risk reduced by
the application of each particular safety function (see Figure 3); it is distinct from the risk reduction
achieved by measures other than SRP/CS, and it does not cover the overall risk of the machinery under control.

EXAMPLE The stopping safety function on a press initiated by using an electro-sensitive protective device,
or the door-locking safety function of a washing machine, etc.


Key
Solution 1 important part of risk reduction due to protective measures other than SRP/CS (e.g. mechanical
measures), small part of risk reduction due to SRP/CS (e.g. light curtain)

Solution 2 important part of risk reduction due to the SRP/CS, small part of risk reduction due to protective
measures other than SRP/CS

NOTE See ISO 12100:2010 for further information on risk reduction.

Figure 3 — Overview of the risk reduction process for each hazardous situation

4.3 Design process of an SRP/CS

Figure 4 shows the design process of an SRP/CS and how it is determined whether the SRP/CS achieves the
intended risk reduction.


Figure 4 — Iterative process for design of safety-related parts of control systems

4.4 Methodology

This document uses the following methodology:

1) specification of safety functions (Clause 5);

2) design and technical realization of the safety functions including identification of the SRP/CSs and
their subsystems which carry out each safety function;

a) design considerations (Clause 6),
b) software safety requirements (Clause 7);

3) verification that the achieved PL meets PLr (Clause 8);

4) ergonomic aspects of the design (Clause 9);

5) validation (Clause 10 or ISO 13849-2);

6) maintenance (Clause 11);

7) technical documentation (Clause 12);

8) information for use (Clause 13).

The required performance level refers to the risk reduction to be provided by the safety function. The greater the contribution to the risk reduction needed, the higher the required safety performance shall be. The performance levels are defined in terms of average probability of dangerous failure of the safety function per hour. There are five performance levels, from providing a low contribution to risk reduction for PL a, to a high contribution to the risk reduction for PL e. The defined ranges of probability of a dangerous failure per hour are in Table 2.


Subsystems (see 5.5) shall be evaluated using the same process as is used for SRP/CS, according
to Clauses 5 through 13. For each safety function, the achieved performance level shall meet or exceed
the required performance level (PLr).

4.5 Required information

To fulfil the requirements of this document, the following information is necessary:

— results of the risk assessment of the machine or part of it;
— information for all safety functions (see Clause 5) determined to be necessary for the risk reduction process for each hazard including:
— detailed description of each safety function (see 5.2);
— determination of the required performance level (PLr) for each safety function (see 6.3).

NOTE This information may already be given in applicable type-C standards.

4.6 Safety function realization by using subsystems

The realization of a safety function may be done by:
— using previously validated subsystems according to this document, IEC 62061, IEC 61508 or other
relevant safety-related product standards (e.g. IEC 61496-1 and IEC 61800-5-2),
— designing new subsystems according to this document, or
— a combination of both alternatives above (see example in Figure 5).
