Functional Safety

What is Functional Safety in terms of machinery?

The definition of functional safety from BS EN 62061 “Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems” is:

“part of the safety of the machine and the machine control system which depends on the correct functioning of the SRECS (safety-related electrical control system), other technology safety-related systems and external risk reduction facilities”

So what does it mean?

Functional safety relates to the parts of a plant which rely on the correct operation of their control and protective devices to remain safe. An example would be the dangerous failure of a light curtain: the hazards that the light curtain was guarding against would become exposed, creating an unsafe area of the machine.

Why do I have to comply?

The Machinery Directive (2006/42/EC) contains “general safety goals” and defines “essential health and safety requirements” that a machine must conform to. Working to harmonised machinery safety standards gives an “automatic presumption of conformity” to particular aspects of the Machinery Directive, and thus conformity with the essential health and safety requirements.

Which standards apply to functional safety?

  • IEC 61508 “Functional safety of electrical/electronic and programmable electronic safety-related systems” (ratified, not harmonised)
  • BS EN 62061 “Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems”
  • BS EN 13849-1 “Safety-related parts of control systems – Part 1”
  • BS EN 954-1 “Safety-related parts of control systems – General principles for design”

IEC 61508

Although not harmonised, IEC 61508 provides an “umbrella” standard for functional safety which is not specific to any particular industry. The standard is complex, runs to over 900 pages and defines the recognised state of the art in functional safety.

BS EN 62061

This is a harmonised standard under the Machinery Directive. It is also complex and defines design and validation principles for electrical, electronic and programmable electronic safety-related control systems for the machinery sector.

The standard applies the principles of IEC 61508 to machinery safety. It provides a “life-cycle” approach and, instead of designated architectures, it uses Safety Integrity Level (SIL) ratings for SRECS (safety-related electrical control systems). SIL ratings range from 1 to 3 and correspond to bands of the probability of dangerous failure per hour (PFHd). Some of the calculations involved in validation can be quite complex and the documentation requirements are extensive.

Programmable safety systems such as fail-safe PLCs and AS-i SAFE are required to meet this standard.

BS EN 13849-1

This standard was harmonised in May 2007 and is set to replace BS EN 954-1 by December 2011. It is less complex than BS EN 62061 but shares some of its philosophies, such as diagnostic coverage (DC), common cause failure (CCF) and mean time to failure (MTTF).

Unlike BS EN 62061, this standard is applied to simpler, architecture-specific systems. It uses a quantitative method to determine “Performance Levels” (PL) from the probability of dangerous failure of the system.

Like BS EN 954-1, this standard is generally used for electromechanical and simple electronic systems and is limited to designated architectures.

BS EN 954-1

This is a well-known standard which, by means of a risk graph, produces a Category in relation to the associated risk. The Categories are B, 1, 2, 3 and 4. This standard is again restricted to designated architectures.

So how can Control and Safety Engineering Ltd help with all this?

At Control and Safety Engineering Ltd we have designed our own safety-system design and validation software to speed up the whole life-cycle design process. For instance, we can quickly determine the overall PFHd for an SRECS by entering data for particular components, or convert MTTF values to SIL. The safety software also covers calculations from other standards such as BS EN 13855, used to determine the positioning of protective equipment with respect to approach speeds. CSE Director Richard Kaye is a TÜV Certified Safety Engineer.


The figure below represents a system with single-fault tolerance incorporating diagnostic coverage. This layout can be applied both to the two channels shown in SSE 1 and to the contactor outputs incorporating EDM (external device monitoring) signals.

SSE 1 is represented by two safety gates used for input switching.

Where:

  • T2 is the diagnostic test interval
  • T1 is the proof test interval (lifetime)
  • β is the common-cause failure factor
  • DC1 is the diagnostic coverage of subsystem element 1
  • DC2 is the diagnostic coverage of subsystem element 2
  • λDFe1 is the dangerous failure rate of subsystem element 1
  • λDFe2 is the dangerous failure rate of subsystem element 2

The susceptibility to common-cause failure within the control function design is estimated using Table F.1 of Annex F in BS EN 62061, which yields the β factor used above.
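As an added illustration (not the company's own software, and not code from the page), the following Python computes PFHd for the single-fault-tolerant architecture with diagnostics described above, using the page's symbols. The expression used is the basic subsystem architecture D formula from BS EN 62061 (not reproduced on the page), the SIL bands are those of the standard's Table 3, and all component values are constructed.

```python
# Added example: PFHd of a two-channel subsystem with diagnostic coverage
# (BS EN 62061 basic subsystem architecture D). Formula and SIL bands are
# taken from the standard; every numeric input below is constructed.

HOURS_PER_YEAR = 8760

# (SIL, lower bound inclusive, upper bound exclusive), PFHd per hour
SIL_BANDS = [(3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def mttfd_to_lambda(mttfd_years):
    """Convert a mean time to dangerous failure (years) to a per-hour rate."""
    return 1.0 / (mttfd_years * HOURS_PER_YEAR)


def pfhd_arch_d(lam_de1, lam_de2, dc1, dc2, beta, t1, t2):
    """PFHd (= lambda_D x 1 h) for architecture D.

    lam_de1, lam_de2: dangerous failure rates of elements 1 and 2, per hour
    dc1, dc2: diagnostic coverage of each element, as fractions 0..1
    beta: common-cause failure factor (Table F.1 of Annex F), fraction 0..1
    t1: proof test interval / lifetime, hours
    t2: diagnostic test interval, hours
    """
    for frac in (dc1, dc2, beta):
        if not 0.0 <= frac <= 1.0:
            raise ValueError("DC and beta must be fractions between 0 and 1")
    if t2 > t1:
        raise ValueError("diagnostic interval T2 cannot exceed proof test interval T1")
    # Dangerous failures revealed by diagnostics are exposed for T2/2 on average,
    # undetected ones for T1/2; both channels must fail for loss of the function.
    detected = lam_de1 * lam_de2 * (dc1 + dc2) * t2 / 2
    undetected = lam_de1 * lam_de2 * (2 - dc1 - dc2) * t1 / 2
    common_cause = beta * (lam_de1 + lam_de2) / 2
    return (1 - beta) ** 2 * (detected + undetected) + common_cause


def sil_from_pfhd(pfhd):
    """Return the SIL claim limit (1..3) for a PFHd, or None if outside SIL 1..3."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfhd < hi:
            return sil
    return None


if __name__ == "__main__":
    # Constructed inputs: two safety gate switches with MTTFd 100 years each,
    # 90 % DC, 2 % CCF factor, 20-year lifetime, diagnostics run hourly.
    lam = mttfd_to_lambda(100.0)
    pfhd = pfhd_arch_d(lam, lam, 0.9, 0.9, 0.02, t1=20 * HOURS_PER_YEAR, t2=1)
    print(f"PFHd = {pfhd:.2e} /h -> SIL {sil_from_pfhd(pfhd)}")
```

Note that the common-cause term dominates once DC is high, which is why the β estimate from Table F.1 matters as much as the component failure rates.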

The examples below demonstrate the software that we have written to calculate the above formula.