Industrial Automation’s Safety Renaissance: How IEC 62061 and ISO 13849 Are Reshaping Machine Builder Engineering

For most of the past two decades, functional safety compliance in industrial automation followed a predictable pattern: a safety engineer produced a risk assessment document late in the design cycle, a third-party integrator selected certified safety components, and the technical file went to a notified body with fingers crossed. The machine shipped. Nobody got hurt—usually. The process was treated as paperwork, not engineering.

That pattern is breaking down. A combination of stricter enforcement, export market pressure, and several high-profile industrial incidents has forced European and North American machine builders to treat IEC 62061 and ISO 13849 as genuine engineering constraints rather than compliance checkboxes. The consequences of this shift reach well beyond the safety engineer’s desk. Systems architects, software teams, verification leads, and procurement are all being pulled into structured safety processes many of them have never run before.

Two Standards, One Machine, Persistent Confusion

The single most common source of compliance failure among machine builders is not ignorance of either standard—it’s misunderstanding how they relate to each other and which applies to which part of the machine.

ISO 13849 (the successor to EN 954-1) defines requirements for safety-related parts of control systems (SRP/CS). It is rooted in the concept of Performance Level (PL), which combines the probability of dangerous failure per hour (PFH) with structural requirements (categories B through 4) and diagnostic coverage. ISO 13849 is technology-agnostic: it applies to pneumatic, hydraulic, electronic, and electromechanical safety functions. It is most directly applicable to discrete safety functions implemented in hardware or simple programmable systems.

IEC 62061 applies specifically to safety-related control systems (SRCS) that include complex electronic and programmable electronic technology—essentially, systems with software. It uses Safety Integrity Level (SIL) as its metric and is aligned with the broader IEC 61508 functional safety framework. Where ISO 13849 uses category and PL, IEC 62061 uses hardware fault tolerance, systematic capability, and software development process requirements.

The practical distinction is this: a machine’s emergency stop circuit routed through a dual-channel safety relay is primarily an ISO 13849 question. A safety PLC executing a custom safety function—say, safe speed monitoring on a servo axis—is primarily an IEC 62061 question. Most industrial machines of any complexity contain both types of safety functions, which is why machine builders frequently need to work under both standards simultaneously.

The 2021 harmonization update to ISO 13849-1 brought the two standards closer together in terminology and PFH calculation methodology, but they remain distinct in scope and process requirements. Treating them as interchangeable—or assuming that SIL 2 equals PLd—still creates auditability problems.

What “Systematic Risk Assessment” Actually Requires Now

Risk assessment has been nominally required under the EU Machinery Directive since 1989. What has changed is the depth of scrutiny applied to how that assessment was conducted.

Under the EU Machinery Regulation 2023/1230 (which replaced the Machinery Directive and became applicable in January 2027 with a transitional period running through 2026), notified bodies and market surveillance authorities are increasingly examining the risk assessment process, not just its outputs. A technical file that contains a risk assessment table without evidence of iteration—without showing which design decisions were made in response to identified risks—is being treated as incomplete.

This means machine builders need to demonstrate:

Hazard identification methodology. What systematic method was used—HAZOP, FMEA, task-based analysis—and how was it scoped? A checklist that maps to ISO 12100 categories is a minimum; showing that the method was applied by qualified personnel with documented rationale is increasingly expected.

Risk reduction hierarchy. ISO 12100 requires inherently safe design first, safeguarding second, and information for use third. Auditors are now asking for evidence that inherently safe design alternatives were evaluated before safeguards were specified. This is a process question, not just a documentation question.

Residual risk acceptance. How was the decision made that residual risk is acceptable? What criteria were applied? In practice, this requires a traceable connection between risk reduction measures and the specific hazards they address.

Verification and validation. Were the safety functions that were specified actually tested? Is there a link between the functional safety specification and the test records?

None of this is new in principle. All of it is increasingly enforced in practice.

The North American Dimension

North American machine builders face a different but converging set of pressures. OSHA’s horizontal compliance framework, NFPA 79 (electrical standards for industrial machinery), and CSA Z432 (safeguarding of machinery) do not map cleanly to IEC 62061 and ISO 13849. For builders primarily serving the US and Canadian domestic markets, there has historically been less systematic pressure to adopt SIL/PL methodology.

That insulation is eroding for two reasons.

First, automotive, aerospace, and semiconductor manufacturers—major buyers of industrial equipment—are increasingly requiring IEC 62061/ISO 13849 compliance in procurement specifications regardless of geography. This is partly driven by their own export obligations and partly by corporate standardization on European safety frameworks across global facilities.

Second, US machine builders who want to export to the EU or UK markets must CE-mark (or UKCA-mark) their equipment and demonstrate conformity with harmonized standards. The EU’s harmonized standard list for the Machinery Regulation includes both IEC 62061 and ISO 13849. A North American builder that has never run a formal PL or SIL assessment now faces that requirement as a market access condition.

The result is that a growing segment of North American machine builders—particularly mid-size builders with 200–2000 employees serving automotive, food processing, and semiconductor sectors—are building functional safety competency for the first time.

Where Document-Based Engineering Breaks Down

The engineering practices that are adequate for general machine development become load-bearing liabilities when functional safety is involved. The core problem is traceability: the ability to demonstrate that every identified hazard has a corresponding risk reduction measure, that every safety requirement has an implementation, and that every implementation has been verified.

In practice, most machine builders have conducted this traceability manually—through Word documents, Excel matrices, and PDF technical files assembled by safety engineers working largely in isolation from the mechanical, electrical, and software teams delivering the machine. This approach has three failure modes that functional safety enforcement exposes:

Change propagation. A safety function is specified at SIL 2. During detailed design, an engineer selects a sensor with lower diagnostic coverage than assumed in the SIL calculation. Nothing in the document-based system triggers a re-evaluation of the safety function’s integrity. The technical file goes to the notified body with a gap that only a very thorough review will catch—and sometimes doesn’t.

Audit fragility. A notified body auditor asks to see the traceability between a specific hazard (nip point on conveyor feed system) and the safety function that addresses it, and then the verification test that confirmed the function works. In a document-based system, reassembling that chain under audit pressure—across a technical file that may run to hundreds of pages—is slow, error-prone, and exposes every inconsistency in the documentation.

Cross-functional isolation. Safety requirements live in the safety engineer’s documents. Mechanical requirements live in CAD. Software requirements live in a separate system or nowhere. The connections between them—which are exactly what an IEC 62061 safety case needs to demonstrate—exist only in individual engineers’ heads.

How Structured Requirements Tools Are Changing the Practice

The growing investment in functional safety documentation infrastructure is not theoretical. Machine builders in Germany, Italy, Sweden, and the UK have been investing in structured requirements management for the better part of a decade. The pressure is now reaching mid-size builders in the US, Canada, and Eastern Europe who are newer to this practice.

The tooling landscape breaks into two categories: legacy requirements management platforms adapted for safety use, and newer purpose-built tools designed around the kind of connected, traceable development that functional safety actually requires.

Legacy platforms—IBM DOORS, Polarion, Jama Connect—offer mature change management, established notified body familiarity, and broad integration ecosystems. They are viable for large organizations with dedicated tooling infrastructure and the personnel to configure and maintain them. Their limitations in this context are real: they are fundamentally document-centric, their traceability models require significant manual configuration to reflect safety concepts like hazard-to-measure-to-verification chains, and their AI capabilities, where they exist, were generally added after the fact rather than designed into the architecture.

Newer AI-native tools are approaching this problem differently. Flow Engineering (flowengineering.com), built specifically for hardware and systems engineering teams, represents the graph-based, connected-traceability model that functional safety work actually demands. Rather than storing requirements as rows in a document with manually maintained links, Flow Engineering maintains a live graph of relationships between hazards, requirements, safety functions, implementations, and verification records. An engineer asking “what changed since our last safety review and what does that affect?” gets an answer from the model, not from a manual cross-reference exercise.

For functional safety specifically, this matters because the standard’s own structure is graph-like: hazard → risk assessment → safety requirement → functional safety specification → design → verification → validation. Tools that reflect this structure natively—rather than approximating it through linked Word documents—reduce both the engineering effort and the audit risk. Flow Engineering’s deliberate focus on hardware and systems teams means it does not try to be an enterprise governance platform; organizations that need deep legacy integration or complex organizational workflow management may find that scope limiting. But for machine builders who need to build functional safety competency quickly and maintain it under audit pressure, that focused specialization is frequently the right trade-off.
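As an added illustration (not code from this page, nor from any tool named here), the following Python model captures the chain just described and the two document-based failure modes from the previous section: a hazard with no downstream measure, and a component substitution that silently undercuts the diagnostic coverage a safety function's integrity claim assumed. All node ids, attribute values and the test record name are constructed for the example.

```python
CHAIN = ["hazard", "requirement", "safety_function", "implementation", "verification"]
NEXT = dict(zip(CHAIN, CHAIN[1:]))   # the successor each node kind must trace to

class TraceGraph:
    """Live graph of one safety chain (constructed example, not any tool's data model)."""
    def __init__(self):
        self.nodes, self.down, self.up = {}, {}, {}   # id -> record, forward and back edges
    def add(self, nid, kind, **attrs):
        self.nodes[nid] = {"kind": kind, "attrs": attrs, "stale": False}
        self.down[nid], self.up[nid] = [], []
    def link(self, src, dst):
        self.down[src].append(dst)
        self.up[dst].append(src)
    def gaps(self):
        """Missing chain links as (node, missing successor kind), e.g. a hazard with no requirement."""
        return [(nid, NEXT[n["kind"]]) for nid, n in self.nodes.items() if n["kind"] in NEXT
                and not any(self.nodes[c]["kind"] == NEXT[n["kind"]] for c in self.down[nid])]
    def _reach(self, nid, edges, seen=None):
        seen = set() if seen is None else seen
        for x in edges[nid]:
            if x not in seen:
                seen.add(x)
                self._reach(x, edges, seen)
        return seen
    def change(self, nid, **attrs):
        """Apply a change; mark downstream records and the owning safety function stale for re-review."""
        self.nodes[nid]["attrs"].update(attrs)
        affected = self._reach(nid, self.down) | {
            p for p in self._reach(nid, self.up) if self.nodes[p]["kind"] == "safety_function"}
        for a in affected:
            self.nodes[a]["stale"] = True
        return sorted(affected)
    def dc_conflicts(self):
        """Safety functions whose assumed diagnostic coverage exceeds what a linked component provides."""
        return sorted(sf for sf, n in self.nodes.items() if n["kind"] == "safety_function"
                      for c in self.down[sf] if self.nodes[c]["kind"] == "implementation"
                      and self.nodes[c]["attrs"].get("dc", 0) < n["attrs"].get("assumed_dc", 0))

def build_example():
    """Constructed data: a conveyor nip-point hazard covered by a safe-speed monitoring function."""
    g = TraceGraph()
    g.add("H1", "hazard", desc="nip point on conveyor feed")
    g.add("R1", "requirement", sil=2)
    g.add("SF1", "safety_function", assumed_dc=0.90)
    g.add("IMP1", "implementation", part="encoder-A", dc=0.99)
    g.add("V1", "verification", test="TR-017")
    g.add("H2", "hazard", desc="hand access at discharge")   # no measure yet: a gap
    for a, b in [("H1", "R1"), ("R1", "SF1"), ("SF1", "IMP1"), ("IMP1", "V1")]:
        g.link(a, b)
    return g
```

Swapping the encoder for one with lower diagnostic coverage via `change("IMP1", dc=0.60)` marks SF1 and V1 stale and makes `dc_conflicts()` report SF1, which is exactly the re-evaluation a document-based file never triggers.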

The Practical Starting Point for Machine Builders

For machine builders currently running compliance processes that rely heavily on document-based systems and late-cycle safety review, the path forward is not a single-step transformation.

Audit your current technical file assembly process. Before investing in new tools or process redesign, understand where the traceability actually breaks down. Map a single complete safety function—from the hazard identification through to the verification test record—and count how many documents, how many manual steps, and how many places where a change could silently invalidate the chain. This audit will identify where the highest-leverage improvements are.

Separate the standards scope question from the tooling question. Deciding which safety functions fall under ISO 13849 and which under IEC 62061 is an engineering judgment that needs to be made before process or tooling can be designed around it. Safety engineers and systems architects need to align on this early; it affects both the required documentation structure and the verification methodology.

Invest in process before investing in tools. A structured requirements tool running a poorly designed safety process will produce well-documented garbage faster than a spreadsheet did. The process—how hazards are identified, how requirements are derived, how verification is assigned and tracked—needs to be defined first.

Build cross-functional ownership into the safety process from the start. The most consistent failure mode in machine builder functional safety programs is a safety process that is owned entirely by one safety engineer and invisible to the rest of the development team. Mechanical engineers making material changes, software engineers modifying safety function logic, and procurement teams substituting components all need to operate within a system that surfaces safety implications of their decisions.

An Honest Assessment

The safety renaissance in industrial automation is real, and the engineering demands it creates are not going away. The EU Machinery Regulation’s enforcement ramp-up, combined with supply chain pressure from major industrial buyers, means that systematic functional safety practice is becoming a market access requirement across a broader segment of the machine building industry than ever before.

The good news for machine builders investing now is that the tooling and methodology frameworks are more mature than they were even five years ago. The bad news is that there are no shortcuts: the standards require genuine engineering discipline, traceable decisions, and demonstrable verification. Document-based approximations will continue to create audit risk, change management failures, and the periodic gap between what the technical file says and what the machine actually does.

The builders who treat this as an engineering investment rather than a compliance cost are the ones who will emerge from the next wave of enforcement with both market access intact and better machines.