Machine safety risk assessment is the starting point for all functional safety work on machinery. It determines what hazards exist, who is exposed and when, and what level of risk reduction each safety function must deliver. Without it, safety design rests on convention and instinct rather than a systematic evaluation of what the machine can do to people in every mode it operates in.
The method is set out in ISO 12100, the type-A machinery safety standard, adopted in Australia through the AS/NZS 4024 series. The integrity of any safety-related control function is then quantified under ISO 13849-1 (Performance Levels) or IEC 62061 (a machinery SIL). These are machine safety standards, distinct from the process functional safety path under IEC 61511, which our companion article on functional safety and SIL assessment covers in detail.
Machine safety and process safety solve different problems with different rulebooks. A guard interlock that operates many times a shift is a high-demand function under ISO 13849-1 or IEC 62061. A pressure trip called once a year is a low-demand process function under IEC 61511. The boundary between them should be drawn explicitly in the design. For delivery support, see functional safety and PLC, SCADA and HMI programming.
On brownfield Australian sites, most safety problems are not hardware failures. They are documentation gaps, bypassed circuits and safety systems never updated as the machine was modified. New operating modes, changed guarding and different task sequences all shift the risk profile, so a safety system that was correct in 2010 may not suit the machine as it runs today.
The ISO 12100 risk assessment process
ISO 12100 separates risk assessment (analysis plus evaluation) from risk reduction, and defines an iterative loop: assess, reduce, then re-assess the residual risk until it is acceptable.
| Step | Purpose |
|---|
| Determine the limits of the machine | Scope the assessment: physical limits, use and foreseeable misuse, all operating modes, every life-cycle phase |
| Identify hazards | Review all energy sources, hazard types and tasks, using the ISO 12100 hazard list as a checklist |
| Estimate risk | For each hazard: severity of harm, frequency and duration of exposure, probability of harm including avoidance |
| Evaluate risk | Decide whether the estimated risk is acceptable or needs further reduction |
| Reduce risk | Apply measures following the three-step hierarchy and re-assess |
| Verify and document | Confirm the measures achieve the required reduction, record the assessment under version control |
Two parts are commonly underdone. Hazard identification has to cover non-production tasks, because most serious machinery injuries occur clearing a jam, cleaning, changing over or fault finding, often with a guard open or a function defeated. And each operating mode, setup, cleaning, maintenance and production, presents a different exposure pattern and should be assessed on its own terms.
The hierarchy of risk reduction
ISO 12100 sets a strict order of preference, often called the three-step method. Measures higher in the hierarchy are more reliable because they do not depend on a person behaving in a particular way.
- Inherently safe design. Eliminate the hazard or reduce it by design: remove a trap point, reduce force or energy, design out the need to access a dangerous zone. The most effective measure, because there is nothing left to fail or bypass.
- Safeguarding and complementary protective measures. Fixed guards, interlocked movable guards, light curtains, safety mats, two-hand controls and emergency stops. These reduce the probability that a person reaches the hazard; they do not remove it.
- Information for use. Warnings, markings, instructions and training. The least reliable layer, used for residual risk only, never as a substitute for the first two steps.
A safety light curtain is a step-two measure: it protects only while it is functioning and not defeated. If the hazard can be designed out, that beats guarding it. Committing the control panel engineering and safety circuit design before the hierarchy has been worked through is a common way to lock in a weaker solution than the machine allowed.
ISO 13849-1 and IEC 62061: which applies
ISO 13849-1 covers the safety-related parts of control systems (SRP/CS) in any technology. A risk graph sets a required Performance Level (PLr) from PL a (lowest) to PL e (highest). The achieved PL of the designed circuit comes from the architecture category (B, 1 to 4), the component reliability (MTTFd), the diagnostic coverage (DC) and the resistance to common-cause failure (CCF), and it must meet or exceed the PLr. This is the usual framework for emergency stops, interlocked guards, two-hand controls and light curtains.
IEC 62061 addresses the same domain but expresses the target as a SIL, from SIL 1 to SIL 3, in a high-demand context. It derives from IEC 61508 and is often preferred for complex programmable electronic safety systems. Earlier editions capped what a subsystem could support with a SIL claim limit (SILCL); the 2021 edition renames this the maximum SIL, aligning with IEC 61508. The two standards are broadly equivalent for common machinery, and ISO 13849-1 publishes a correspondence between PL and SIL.
For most Australian food, beverage and general manufacturing machinery, ISO 13849-1 with Performance Levels is the working framework. Low-demand process trips belong to IEC 61511, the boundary discussed in the functional safety and SIL assessment article.
A worked example, for illustration only
The parameters below are illustrative choices to show the method. They are not drawn from any real Metromotion Controls project or named client.
Consider a horizontal form-fill-seal packaging machine in a food plant. One identified hazard is a crush and shear point at the heated sealing jaws, accessible when an operator reaches in to clear a film jam. Applying the ISO 13849-1 risk graph to that hazard:
- Severity (S): a serious crush or amputation, so S2.
- Frequency and duration of exposure (F): on a line running multiple shifts, jam clearance is frequent, so F2.
- Possibility of avoidance (P): the jaw motion is fast and the trap point hard to escape once a hand is inside, so P2.
The branch S2, F2, P2 gives a required Performance Level of PLr e, the highest level. Working the hierarchy first: the most effective answer is to design out the need to reach in at all, for example an automatic jam-clearing or film-feed arrangement, because that removes the exposure rather than guarding it.
Where reaching in cannot be eliminated, the safeguard becomes an interlocked guard or a light curtain that removes motion energy from the jaws before a hand can reach the trap point, sized against the machine's approach speed and stopping time. PL e typically requires Category 4 architecture: redundant, monitored channels with high diagnostic coverage and high MTTFd, on a safety-rated logic device rather than the standard machine PLC. Verification then confirms the achieved PL meets PL e from the device data and architecture; if it falls short, the answer is better architecture, better components or more diagnostics, not a relaxed PLr.
The assessment, not the available hardware, sets the target. Where the same trap point is reachable only during occasional isolated maintenance (F1) and the operator can see and avoid the motion (P1), the PLr is much lower and a simpler interlock is adequate. Same hazard type, different exposure, different answer.
Choosing the framework and the target
A few questions settle most of the early decisions:
- Is the hazard a machine or a process? Moving machinery, guards and interlocks point to ISO 13849-1 or IEC 62061. Overpressure or overfill points to IEC 61511 and a safety instrumented function.
- What is the demand mode? A function called many times a shift is high demand, assessed with PL or PFH. A function called rarely is low demand, assessed with PFDavg under the process standards.
- ISO 13849-1 or IEC 62061? Either is acceptable for common machinery. ISO 13849-1 is usually the most direct path for electromechanical functions; IEC 62061 often fits complex programmable systems better. Pick one per function and apply it consistently.
- What sets the target? Severity, exposure and avoidance from the task analysis, not the controller on the shelf.
When a function targets PL d or PL e, or a safety PLC program is being modified without a clear record of its design basis, that is the point to bring in dedicated functional safety competence. Replacing a failed safety relay like for like does not require a new risk assessment; a modification that could affect an existing safety function does.
Common mistakes in machine safety risk assessment
- Designing the safety system first, then writing the assessment to justify it. The PLr must come out of the risk graph. Specifying a safety controller before the target exists produces a circuit that is over-engineered or short of the required level, with documentation that cannot be defended.
- Assessing only the production mode. Most machinery injuries happen during jam clearance, cleaning, setup and maintenance, exactly the tasks where guards are most often defeated.
- Skipping the hierarchy and going straight to guarding. Reaching for a light curtain before asking whether the hazard can be designed out locks in a measure that depends on the guard never being bypassed.
- Using standard PLC and I/O for the safety function. A standard controller cannot be credited in a PL or SIL calculation. The function needs rated devices end to end, functionally separate from the standard control.
- Bypassed circuits left in place. Safety circuits jumpered out for maintenance and never reinstated are a recurring brownfield finding, and they silently invalidate the original assessment.
- No record of design intent. Without the original assessment and the achieved PL of each function, nobody can judge whether later modifications have degraded the safety level.
These issues are rarely negligence. They accumulate through maintenance decisions, production pressure and modifications that each seemed minor on their own. A review of safety documentation, circuit integrity and safety PLC program versions against the current machine configuration establishes the true state before any change is planned. The same discipline underpins sound automation upgrades and systems integration work.
Australian context: duties, standards and local practice
The legal driver sits in the Work Health and Safety framework rather than a standard that names a Performance Level. Safe Work Australia's model Code of Practice on managing the risks of plant places a duty on those who design, manufacture, supply, install and use plant to eliminate or minimise risk so far as is reasonably practicable, which expressly includes guarding and the control systems that keep machinery within safe limits (Safe Work Australia, managing the risks of plant). Where a control function discharges that duty, ISO 13849-1 or IEC 62061 is the accepted way to show it is adequate and maintained.
The technical requirements are carried into Australian use by the AS/NZS 4024 Safety of machinery series, which adopts ISO 12100, ISO 13849-1, IEC 62061 and the relevant type-C machine-specific standards (Standards Australia). In parallel, AS/NZS 3000 governs the installation and AS/NZS 61439 the assemblies that house the safety system. State and territory WHS regulators administer the duties locally, and any change to an existing safety function should run through management of change with the assessment updated to match.
What this means
Machine safety risk assessment identifies hazards across every task and mode, estimates risk consistently, and selects and verifies measures that deliver the required reduction. The required Performance Level is an output of that work, not an input. On brownfield sites the practical starting point is a review of the existing safety documentation and circuit integrity: what was designed, what is installed, and what has changed. For broader delivery context, see our work in industrial automation and across the food and beverage sector.
References