Functional Safety · MAY 2026 · Updated JUNE 2026 · 11 min read

Machine Safety Risk Assessment in Australian Manufacturing: What the Standard Requires

Key points

1. Risk assessment comes before safety design, not after

ISO 12100 sets the method: scope the machine, identify hazards across every task and life-cycle phase, estimate and evaluate the risk, then reduce it following the hierarchy. The required Performance Level falls out of that assessment. Designing the safety system first and writing the assessment to justify it is a common and incorrect practice.

2. AS/NZS 4024 adopts the ISO and IEC machinery standards for Australia

The AS/NZS 4024 series carries ISO 12100, ISO 13849-1 and IEC 62061 into Australian use. ISO 13849-1 expresses integrity as a Performance Level (PL a to e) and IEC 62061 as a SIL claim limit (SILcl 1 to 3). Knowing which applies to a machine and its demand mode is the first design decision.

3. Most brownfield safety problems are documentation and bypass issues

Existing machine safety systems on Australian sites often have adequate hardware but degraded documentation, bypassed circuits left over from past maintenance, or safety PLC programs that no longer match the machine as it is configured today. Establishing the true as-installed state is the practical starting point.

Machine safety risk assessment is the starting point for all functional safety work on a piece of machinery. It determines what hazards exist, who is exposed and when, what level of risk reduction is required, and which safety functions need to be implemented to achieve it. Without it, safety design rests on convention and instinct rather than a systematic evaluation of what the machine can do to people across every mode it operates in.

The international method is set out in ISO 12100, the type-A machinery safety standard, which is adopted in Australia through the AS/NZS 4024 series. ISO 12100 defines the risk assessment and risk reduction process. The integrity of any safety-related control function is then quantified using ISO 13849-1 (Performance Levels) or IEC 62061 (a SIL claim limit). These are machine safety standards, and they are distinct from the process functional safety path under IEC 61511, which our companion article on functional safety and SIL assessment covers in detail.

Machine safety and process safety solve different problems with different rulebooks. A guard interlock that operates many times a shift is a high-demand function assessed under ISO 13849-1 or IEC 62061. A high-pressure trip that may be called once a year is a low-demand process function under IEC 61511. The boundary between them should be drawn explicitly in the design. For delivery support, see functional safety and PLC, SCADA and HMI programming.

Most safety problems on brownfield Australian manufacturing sites are not hardware failures. They are documentation gaps, bypassed circuits, and safety systems that were designed for the machine as it was installed but never updated as the machine was modified over the years. A safety system that was correct in 2010 may not be appropriate for the machine as it operates today. Modifications, new operating modes, changed guarding and different task sequences all shift the risk profile.

The ISO 12100 risk assessment process

ISO 12100 separates risk assessment (analysis plus evaluation) from risk reduction, and it defines an iterative loop: assess, reduce, then re-assess the residual risk until it is acceptable. The structure is as follows.

  1. Determine the limits of the machine. Scope the assessment: physical limits, intended use and reasonably foreseeable misuse, all operating modes, and every life-cycle phase from installation to decommissioning.
  2. Identify hazards. Review every energy source, hazard type and task systematically, not just production mode, using the hazard list in ISO 12100 Annex B as a checklist.
  3. Estimate risk. For each hazard, estimate the severity of harm, the frequency and duration of exposure, and the probability of the harm occurring, including the possibility of avoiding or limiting it.
  4. Evaluate risk. Decide whether the estimated risk is acceptable or whether further reduction is required.
  5. Reduce risk. Apply measures following the three-step hierarchy, then re-assess.
  6. Verify and document. Confirm the measures achieve the required reduction, record the assessment, and place it under version control.

Two parts of this are commonly underdone. The first is the breadth of hazard identification. Most serious machinery injuries occur during non-production tasks: clearing a jam, cleaning, changeover, or fault finding, often with a guard open or a function defeated. An assessment that only considers the machine running normally misses the tasks where people are most exposed. The second is the treatment of operating modes. Setup, cleaning, maintenance and production each present a different exposure pattern, and each should be assessed on its own terms.

The hierarchy of risk reduction

ISO 12100 sets a strict order of preference for reducing risk, often called the three-step method. Measures higher in the hierarchy are inherently more reliable because they do not depend on a person behaving in a particular way.

  1. Inherently safe design. Eliminate the hazard or reduce risk by design. Remove a trap point, reduce force or energy, design out the need to access a dangerous zone, or use intrinsically safe geometry. This is the most effective measure because there is nothing left to fail or bypass.
  2. Safeguarding and complementary protective measures. Where the hazard cannot be designed out, guard it. Fixed guards, interlocked movable guards, light curtains, safety mats, two-hand controls and emergency stop functions sit here. These reduce the probability that a person reaches the hazard, but they do not remove it.
  3. Information for use. Warnings, signs, markings, instructions and training. This is the least reliable layer because it depends entirely on the person reading and acting on it, so it is used to address residual risk, never as a substitute for the first two steps.

A safety light curtain is a step-two measure. It does not eliminate the hazard; it reduces the probability that a person is injured by it, and only while it is functioning and not defeated. If the hazard can be eliminated by design, that is always the better outcome than guarding it. Designing the control panel engineering and the safety circuit before this hierarchy has been worked through is a common way to lock in a weaker solution than the machine actually allowed.

ISO 13849-1 and IEC 62061: which applies

Once a safety function has been identified and a target set, its required integrity is expressed through one of two standards.

ISO 13849-1 applies to the safety-related parts of control systems (SRP/CS) using any technology. It defines a required Performance Level (PLr) from PL a (lowest) to PL e (highest), determined by a risk graph. The achieved PL of the designed circuit is derived from the architecture category (B, 1, 2, 3, 4), the component reliability expressed as mean time to dangerous failure (MTTFd), the diagnostic coverage (DC), and the resistance to common-cause failure (CCF). The achieved PL must meet or exceed the PLr. This is the framework most often used for mechanical and electromechanical safety functions: emergency stops, interlocking guards, two-hand controls and light curtains.

IEC 62061 addresses the same machinery domain but expresses integrity as a SIL claim limit (SILcl), from SILcl 1 to SILcl 3, in a high-demand context. It is derived from the base functional safety standard IEC 61508 and is often preferred for complex programmable electronic safety control systems where the SIL framework maps more naturally. The two standards are broadly equivalent for common machinery and there are published correspondence tables between PL and SIL.

For most Australian food, beverage and general manufacturing machinery, the working framework is ISO 13849-1 with Performance Levels. IEC 62061 becomes the natural choice on more complex programmable safety installations. For the separate world of low-demand process trips (pressure relief, emergency shutdown), IEC 61508 and IEC 61511 apply instead, which is the boundary discussed in the functional safety and SIL assessment article.

A worked example, for illustration only

The figures and parameters below are illustrative engineering choices chosen to show the method. They are not drawn from any real Metromotion Controls project or named client.

Consider a horizontal form-fill-seal packaging machine in a food plant. One identified hazard is a crush and shear point at the jaw assembly, accessible when an operator reaches in to clear a film jam. The vertical motion of the heated sealing jaws can cause a serious, often irreversible injury to a hand or forearm.

Applying the ISO 13849-1 risk graph to that single hazard:

  • Severity (S): the potential injury is a serious crush or amputation, so S2.
  • Frequency and duration of exposure (F): on a line running multiple shifts, jam clearance happens often, so exposure is frequent, F2.
  • Possibility of avoidance (P): the jaw motion is fast and the trap point is not easy to escape once a hand is inside, so avoidance is scarcely possible, P2.

Following the branch S2, F2, P2 through the risk graph leads to a required Performance Level of PLr e, the highest level. That target then drives the safeguarding design. Working back up the hierarchy first: the most effective answer is to design out the need to reach in at all, for example an automatic jam-clearing or film-feed arrangement, because that removes the exposure rather than guarding it.

Where reaching in cannot be eliminated, the safeguarding measure becomes an interlocked guard or a safety light curtain that removes motion energy from the jaws before a hand can reach the trap point, positioned at the safety distance from ISO 13855, which is calculated from the approach speed and the overall stopping time of the machine. Under the simplified procedure in ISO 13849-1, PL e is reached only with Category 4 architecture: two redundant, monitored channels with high diagnostic coverage (DCavg of at least 99 %), high MTTFd per channel, and a common-cause failure score of at least 65 against the Annex F checklist, implemented on a safety-rated logic device rather than the standard machine PLC. A verification engineer then confirms that the achieved PL of the as-designed circuit meets PL e, using the device data and the architecture. If the achieved PL falls short, the answer is to improve the architecture, select better-rated components or add diagnostics, not to relax the PLr.

Note how the assessment, not the available hardware, sets the target. A different machine where the same trap point was reachable only during occasional maintenance with the machine isolated (F1), and where the operator could see and avoid the motion (P1), comes out at S2, F1, P1 and a PLr of c, and a simpler interlock would then be adequate. Same hazard type, different exposure, different answer.
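To make the two halves of that calculation concrete, the risk graph that sets PLr and the simplified procedure that gives the achieved PL, here is an added Python example. It is not code from this article or from Metromotion Controls. It encodes the ISO 13849-1 risk graph (Annex A), the Table 7 lookup of achieved PL from category, MTTFd band and DCavg band, the PL-to-SIL correspondence of Table 4, and the B10d and parts-count arithmetic from Annexes C and D. The B10d values, the operating pattern and the 100-year MTTFd for the logic device are constructed assumptions for illustration, not data from any real project; table numbers follow the 2015 edition, so check the edition you are working to.

```python
"""ISO 13849-1 risk graph and simplified PL determination (added example).

Not code from the original article or from Metromotion Controls. Band limits
and table numbers follow ISO 13849-1:2015; check the edition you work to.
"""
from typing import Optional

PL_ORDER = "abcde"

# Risk graph, Annex A Figure A.1: (S, F, P) -> PLr.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# Simplified procedure, Table 7: (category, DCavg band, MTTFd band) -> PL.
# Combinations absent from this dict are "not covered" by the table.
TABLE_7 = {
    ("B", "none", "low"): "a", ("B", "none", "medium"): "b",
    ("1", "none", "high"): "c",
    ("2", "low", "low"): "a", ("2", "low", "medium"): "b", ("2", "low", "high"): "c",
    ("2", "medium", "low"): "b", ("2", "medium", "medium"): "c", ("2", "medium", "high"): "d",
    ("3", "low", "low"): "b", ("3", "low", "medium"): "c", ("3", "low", "high"): "d",
    ("3", "medium", "low"): "c", ("3", "medium", "medium"): "d", ("3", "medium", "high"): "d",
    ("4", "high", "high"): "e",
}

# Correspondence to SIL (Table 4): PL a has no SIL equivalent.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def required_pl(s: int, f: int, p: int) -> str:
    """PLr from severity S1/S2, exposure F1/F2 and avoidance P1/P2."""
    if (s, f, p) not in RISK_GRAPH:
        raise ValueError(f"each parameter must be 1 or 2, got S{s} F{f} P{p}")
    return RISK_GRAPH[(s, f, p)]

def mttfd_from_b10d(b10d: float, days_per_year: float, hours_per_day: float,
                    cycle_seconds: float) -> float:
    """MTTFd of an electromechanical part from its B10d (Annex C):
    n_op operations per year, MTTFd = B10d / (0.1 * n_op)."""
    n_op = days_per_year * hours_per_day * 3600.0 / cycle_seconds
    return b10d / (0.1 * n_op)

def channel_mttfd(part_mttfd_years, category: str) -> float:
    """Parts-count method for one channel (Annex D): 1/MTTFd = sum(1/MTTFd_i),
    capped at 100 years (2500 years for Category 4)."""
    cap = 2500.0 if category == "4" else 100.0
    return min(1.0 / sum(1.0 / m for m in part_mttfd_years), cap)

def mttfd_band(years: float) -> str:
    """Table 4 bands: low 3 to <10 y, medium 10 to <30 y, high 30 y and above."""
    if years < 3:
        raise ValueError("a channel MTTFd below 3 years is not permitted")
    return "low" if years < 10 else "medium" if years < 30 else "high"

def dc_band(dc_avg: float) -> str:
    """Table 5 bands: none <60 %, low 60 to <90 %, medium 90 to <99 %, high >=99 %."""
    if dc_avg < 0.60:
        return "none"
    return "low" if dc_avg < 0.90 else "medium" if dc_avg < 0.99 else "high"

def achieved_pl(category: str, mttfd_years: float, dc_avg: float,
                ccf_score: int) -> Optional[str]:
    """Achieved PL of an SRP/CS, or None where Table 7 does not cover the
    combination. Categories 2 to 4 also need an Annex F CCF score of 65 or more."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None
    return TABLE_7.get((category, dc_band(dc_avg), mttfd_band(mttfd_years)))

def meets_target(plr: str, pl: Optional[str]) -> bool:
    """Verification rule: the achieved PL must meet or exceed PLr."""
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)

def jaw_hazard_example() -> dict:
    """The sealing-jaw hazard from the article. Component data and the operating
    pattern are constructed assumptions, not figures from any real project."""
    plr = required_pl(2, 2, 2)                   # serious, frequent, scarcely avoidable
    pattern = dict(days_per_year=240, hours_per_day=16, cycle_seconds=1200)  # guard opened every 20 min
    parts = [
        mttfd_from_b10d(2_000_000, **pattern),   # guard interlock switch, B10d assumed
        100.0,                                   # safety logic device MTTFd, assumed
        mttfd_from_b10d(1_300_000, **pattern),   # output contactor, B10d assumed
    ]
    cat4 = achieved_pl("4", channel_mttfd(parts, "4"), dc_avg=0.99, ccf_score=70)
    cat3 = achieved_pl("3", channel_mttfd(parts, "3"), dc_avg=0.95, ccf_score=70)
    return {
        "jaw_plr": plr, "jaw_sil": PL_TO_SIL[plr],
        "cat4_pl": cat4, "cat4_ok": meets_target(plr, cat4),
        "cat3_pl": cat3, "cat3_ok": meets_target(plr, cat3),
        "maintenance_only_plr": required_pl(2, 1, 1),  # isolated, visible, avoidable
    }

if __name__ == "__main__":
    for key, value in jaw_hazard_example().items():
        print(f"{key}: {value}")
```

Run as a script, the Category 4 arrangement with 99 % DCavg reaches PL e against a PLr of e and passes, while the same parts in a Category 3 arrangement with 95 % DCavg stop at PL d and fail verification; the maintenance-only variant of the hazard comes out at PLr c. The channel MTTFd lands near 87 years because the assumed 100-year logic device dominates the parts-count sum, which is the usual pattern: the electromechanical parts with large B10d values contribute little, and the logic device data sheet decides the band.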

Decision criteria: how to choose the framework and the target

A few questions settle most of the early decisions:

  • Is the hazard a machine or a process? Moving machinery, guards and interlocks point to ISO 13849-1 or IEC 62061. A process hazard such as overpressure or overfill points to IEC 61511 and a safety instrumented function. Drawing this line wrong leads to the wrong metric and the wrong verification.
  • What is the demand mode? A function called many times a shift is high demand or continuous and is assessed with a PL or SIL expressed as a probability of dangerous failure per hour (PFHd). A function called rarely is low demand and is assessed with an average probability of failure on demand (PFDavg) under the process standards.
  • ISO 13849-1 or IEC 62061? For straightforward electromechanical and simple electronic safety functions, ISO 13849-1 and a Performance Level are usually the most direct path. For complex programmable electronic safety control systems, IEC 62061 and a SILcl claim often fit better. Either is acceptable for common machinery; pick one consistently for a given function.
  • What sets the target? The risk graph parameters (severity, exposure, avoidance) set the PLr. They come from the task analysis, not from the controller on the shelf.

When a safety function targets PL d or PL e (or SILcl 2 or 3), or when a safety PLC program is being modified without a clear record of its design basis, that is the point to bring in dedicated functional safety competence. Replacing a failed safety relay with an identical rated component does not require a new risk assessment; a significant modification that could affect an existing safety function does.

Common mistakes in machine safety risk assessment

A handful of patterns account for most of the trouble:

  • Designing the safety system first, then writing the assessment to justify it. The PLr must come out of the risk graph. Specifying a safety controller before the target exists usually produces a circuit that is either over-engineered or short of the required level, with documentation that cannot be defended.
  • Assessing only the production mode. Most machinery injuries happen during jam clearance, cleaning, setup and maintenance. An assessment that ignores these misses the tasks where people are most exposed and where guards are most often defeated.
  • Skipping the hierarchy and going straight to guarding. Reaching for a light curtain before asking whether the hazard can be designed out locks in a measure that depends on the guard never being bypassed.
  • Using standard PLC and I/O for the safety function. A standard controller does not come with the dangerous-failure data, diagnostic coverage and systematic capability needed to claim it in a PL or SIL calculation, so it cannot be used for a safety function above the lowest levels. The safety function needs rated devices end to end, functionally separate from the standard control.
  • Bypassed circuits left in place. Safety circuits jumpered out for maintenance and never reinstated are a recurring brownfield finding. They silently invalidate the original assessment.
  • No record of design intent. Without the original risk assessment and the achieved PL of each function, it is impossible to judge whether later modifications have degraded the safety level.

These issues are rarely the result of negligence. They accumulate through maintenance decisions, production pressure and modifications that each seemed minor on their own. A systematic review of safety documentation, safety circuit integrity, and safety PLC program versions against the current machine configuration is the way to establish the true state before planning any change. That discipline is the same one that underpins sound automation upgrades and systems integration work.

Australian context: duties, standards and local practice

In Australia the legal driver for machine safety sits within the Work Health and Safety framework rather than in a standard that names a Performance Level directly. Safe Work Australia's model Code of Practice, Managing the risks of plant in the workplace, places a duty on those who design, manufacture, supply, import, install and use plant to identify hazards and eliminate or minimise risk so far as is reasonably practicable, which expressly includes guarding and the control systems that keep machinery within safe limits. Where a control function is relied on to discharge that duty, ISO 13849-1 or IEC 62061 is the accepted way to show the function is adequate and maintained.

The technical requirements are carried into Australian use through the AS/NZS 4024 Safety of machinery series, which adopts ISO 12100, ISO 13849-1, IEC 62061 and the relevant type-C machine-specific standards. Designers and operators generally work to the ISO and IEC numbering in day-to-day engineering, with AS/NZS 4024 providing the adopted Australian status (Standards Australia). The wider professional body resources from the International Society of Automation are a useful reference for safety lifecycle conventions that apply across both machine and process domains.

The electrical and assembly standards apply in parallel to the safety logic. AS/NZS 3000, the Wiring Rules, governs the installation, and AS/NZS 61439 covers the low-voltage switchgear and controlgear assemblies that house the safety system, which matters whenever a safety scope touches a control panel. Confirming which standards apply, and to which part of the scope, belongs in the early study rather than on the day of the work. State and territory WHS regulators administer these duties locally, and any change to an existing safety function should run through management of change with the risk assessment updated to match.

What this means

Machine safety risk assessment is the process by which hazards are identified systematically across every task and mode, risk is estimated consistently, and safety measures are selected and verified to provide the required reduction. The required Performance Level is an output of that work, not an input. On brownfield Australian manufacturing sites the most practical starting point is usually a review of the existing safety documentation and safety circuit integrity: establishing what was designed, what is actually installed, and what has changed. From there, gaps can be identified and closed in a structured way, with the assessment driving the design rather than the design forcing the assessment. For broader delivery context, see our work in industrial automation and across the food and beverage sector.


About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Common questions
What is the difference between Performance Level (PL) and Safety Integrity Level (SIL) in machine safety?

Both express the integrity required of a safety function, but through different standards. ISO 13849-1 uses Performance Level, PL a to PL e, derived from the architecture category, component reliability (MTTFd), diagnostic coverage and resistance to common-cause failure. IEC 62061 expresses machinery integrity as a SIL claim limit, SILcl 1 to 3, in a high-demand context. For most manufacturing machinery, guard interlocks, emergency stops and two-hand controls, ISO 13849-1 and PL are the working framework. The required Performance Level (PLr) is the target output of the risk assessment, and the achieved PL of the designed circuit must meet or exceed it.

Does every machine on my site need a formal risk assessment?

Under the Australian Work Health and Safety framework, those who design, manufacture, supply, install and use plant have a duty to manage risk so far as is reasonably practicable. A formal risk assessment to ISO 12100 (adopted through AS/NZS 4024) is expected for new machinery design and for any significant modification. For existing machinery a documented assessment is best practice, and it becomes necessary where the plant presents a risk that has not been controlled. In practice the depth of the assessment should be proportional to the severity and likelihood of the hazards the machine presents.

How do I determine the required Performance Level (PLr) for a safety function?

ISO 13849-1 provides a risk graph that uses three parameters: severity of the potential harm (S1 slight, reversible or S2 serious, often irreversible including death), frequency and duration of exposure (F1 seldom to less often, or F2 frequent to continuous), and possibility of avoiding the harm (P1 possible under specific conditions, or P2 scarcely possible). You start at the root, follow the branch set by each parameter, and read off PLr from a to e. The result is the target the safety-related control circuit must achieve. The same hazard assessed for a machine that runs three shifts will often demand a higher PLr than one run occasionally.

What is the difference between this and a process SIL assessment under IEC 61511?

They are separate disciplines with different metrics. Machine safety under ISO 13849-1 and IEC 62061 protects people from moving machinery, guards, interlocks and emergency stops, which are typically high-demand functions assessed with a Performance Level or SILcl and a probability of dangerous failure per hour. Process functional safety under IEC 61511 protects against process hazards such as overpressure or overfill using safety instrumented functions, which are typically low-demand and assessed with an average probability of failure on demand (PFDavg). On a real plant both coexist. Our companion article on process functional safety and SIL assessment covers the IEC 61511 path in detail.

What should a machine safety risk assessment document include?

It should record the scope of the machine and all its operating modes (production, setup, cleaning, maintenance, fault clearance); a hazard identification covering every task and life-cycle phase, not just normal running; a risk estimation for each hazard using severity, exposure and avoidance criteria; the required risk reduction expressed where relevant as a PLr or SILcl; the selected risk reduction measures in order of the hierarchy and their effectiveness; the achieved PL or SIL of any safety-related control function; and the residual risk after measures are applied. The document must be version controlled and revisited whenever the machine is modified.

Can a standard PLC be used for a machine safety function?

Not for the safety function itself beyond the lowest levels. A safety function that targets PL c or higher, or any SILcl, requires a safety-rated logic device with published failure data, diagnostic coverage and a certified systematic capability, kept functionally separate from the standard control PLC. Standard PLCs and standard I/O do not carry that evidence and cannot be claimed in the PL or SIL calculation. The same applies to the input devices and final switching elements: each part of the safety loop needs rated components and a defined functional test, not only the logic solver.
