Standards for functional safety

Functional safety in accordance with EN 954

Depending on the application, different standards may be applied to the functional safety of control systems. In the area of machine safety, EN 954 is the principal standard for safety-related parts of control systems.

It applies irrespective of the technology used, to the whole chain from the sensor to the actuator. The risk graph and its risk parameters are used to estimate the risk at the danger zones of a machine; the risk is estimated for the hazard as it exists without any risk-reducing measures, and the required category is then derived from it.

S = Severity of injury:
  1 = Slight (normally reversible) injury
  2 = Serious (normally irreversible) injury, including death
F = Frequency and/or exposure to the hazard:
  1 = Seldom to quite often and/or exposure time is short
  2 = Frequent to continuous and/or exposure time is long
P = Possibility of avoiding the hazard:
  1 = Possible under specific conditions
  2 = Scarcely possible
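As an added worked example (not part of the Pilz page), the walk through the risk graph as a small Python module. The S, F and P parameters are the ones listed above. The assignment of graph leaves to a preferred category and the neighbouring categories that may be chosen with additional measures is the author's reading of the risk graph in Annex B of EN 954-1, not something this page states, and should be checked against the standard before being relied on; the Severity, Frequency and Avoidance enums, the walk_risk_graph and classify_hazards functions and the sample hazard list are constructed for this example.

```python
"""EN 954-1 risk graph walk: (S, F, P) -> required category.

Added example, not from the Pilz page. The S/F/P parameters are the ones
the page lists; the leaf-to-category assignment below is the author's
reading of the EN 954-1 Annex B risk graph (ASSUMPTION: verify against the
standard before using it for a real assessment).
"""
from enum import Enum


class Severity(Enum):
    S1 = "slight, normally reversible injury"
    S2 = "serious, normally irreversible injury, including death"


class Frequency(Enum):
    F1 = "seldom to quite often and/or short exposure time"
    F2 = "frequent to continuous and/or long exposure time"


class Avoidance(Enum):
    P1 = "possible under specific conditions"
    P2 = "scarcely possible"


# Leaves of the risk graph. For S1 the graph does not branch on F and P:
# a slight injury leads to the basic category regardless of exposure.
# Each leaf maps to (preferred category, categories that may be chosen
# instead with additional measures). ASSUMPTION, see module docstring.
_RISK_GRAPH = {
    ("S1", None, None): ("B", ("1", "2")),
    ("S2", "F1", "P1"): ("1", ("B", "2")),
    ("S2", "F1", "P2"): ("2", ("1", "3")),
    ("S2", "F2", "P1"): ("3", ("2", "4")),
    ("S2", "F2", "P2"): ("4", ("3",)),
}


def walk_risk_graph(s, f=None, p=None):
    """Return (preferred_category, possible_categories) for one hazard.

    F and P are only consulted when S is S2; for S1 they may be omitted,
    matching the shape of the graph (the S1 branch ends immediately).
    The parameters describe the hazard before any risk-reducing measure
    is credited, as the page says.
    """
    if s is Severity.S1:
        return _RISK_GRAPH[("S1", None, None)]
    if f is None or p is None:
        raise ValueError("F and P must be given for severity S2")
    return _RISK_GRAPH[("S2", f.name, p.name)]


def required_category(s, f=None, p=None):
    """Preferred category only, as a single string 'B', '1', '2', '3' or '4'."""
    return walk_risk_graph(s, f, p)[0]


def classify_hazards(hazards):
    """hazards: iterable of (description, S, F, P) for one machine.
    Returns a list of (description, preferred category), one per hazard;
    each safety function is assessed on its own."""
    return [(desc, required_category(s, f, p)) for desc, s, f, p in hazards]


# Constructed sample hazards for a fictitious machine (not from the page).
SAMPLE_HAZARDS = [
    ("finger trapped at light-duty guard", Severity.S1, Frequency.F2, Avoidance.P1),
    ("press stroke, operator loading by hand", Severity.S2, Frequency.F2, Avoidance.P2),
    ("robot cell entry for occasional maintenance", Severity.S2, Frequency.F1, Avoidance.P1),
]

if __name__ == "__main__":
    for desc, cat in classify_hazards(SAMPLE_HAZARDS):
        print(f"{desc}: Category {cat}")
```

Note the shape of the graph: for S1 the walk ends at once, so F and P are never evaluated; only a serious injury (S2) branches on exposure and avoidability. The category that comes out is the requirement placed on the control system for that safety function, not a property the control system already has, which is why the estimate is made without crediting any risk-reducing measure.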
The control system requirements derived from the risk graph are specified as follows:

Category B (basic category)

The safety-related parts of machine control systems and/or their safety devices and components shall be designed, constructed, selected, assembled and combined in accordance with the relevant standards so that they can withstand the expected influences.

Category 1

Safety-related parts shall be designed and constructed using well-tried components and well-tried safety principles. Well-tried means that the components have been widely used in the past with successful results in similar applications, or that they have been manufactured using principles that demonstrate their suitability and reliability for safety-related applications. Well-tried safety principles are circuits constructed in such a way that certain faults can be avoided by the appropriate arrangement or layout of components. Note: the occurrence of a fault can lead to the loss of the safety function.

Category 2

Safety-related parts of control systems must be designed so that their safety function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed (a) at machine start-up and prior to the initiation of any hazardous situation, and (b) periodically during operation, if the risk assessment and the kind of operation show that it is necessary. The check may be initiated automatically or manually; an automatic check is initiated, for example, by a signal generated by the control system at suitable intervals. The automatic test should be preferred. The decision about the type of test depends on the risk assessment and the judgement of the end user or machine builder. The result of the test shall allow operation if no fault has been detected, or shall generate an output that initiates an appropriate control action if a fault has been detected. A second, independent shutdown route is required for this.

Notes: In some cases Category 2 is not applicable, because the checking of the safety function cannot be applied to all components and devices. Moreover, the cost involved in implementing Category 2 correctly may be considerable, so that it may make better economic sense to implement a different category. In general, Category 2 can be realised with electronic techniques. The system behaviour is such that the occurrence of a fault can lead to the loss of the safety function between checks, and the loss of the safety function is detected by the check.

Category 3

Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function. This does not mean that all faults will be detected. The accumulation of undetected faults can lead to an unintended output signal and a hazardous situation at the machine.

Category 4

Safety-related parts of control systems must be designed so that a single fault in any of these parts does not lead to a loss of the safety function, and the single fault is detected at or before the next demand upon the safety function (e.g. immediately at switch-on, or at the end of a machine operating cycle). If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
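The different fault behaviours described above (loss of the safety function between checks in Category 2, single-fault tolerance with possible accumulation of undetected faults in Category 3, detection at or before the next demand in Category 4) can be made concrete with a small discrete-time model. This is an added example, not code from the page or from Pilz: the SafetyChannel and SafetyFunction classes, the event timings, the "detectable" flag and the scenario functions are constructed here to illustrate the text, and the model deliberately does not represent the further Category 4 requirement that faults which cannot be detected must not be able to accumulate to a loss of the safety function.

```python
from dataclasses import dataclass, field


@dataclass
class SafetyChannel:
    """One path through the safety-related part, from sensor to actuator.
    A faulted channel can no longer perform its share of the safety function.
    (Constructed model for this example, not a term from the standard.)"""
    name: str
    faulted: bool = False
    detectable: bool = True  # can the architecture's diagnostics see this fault?


@dataclass
class SafetyFunction:
    category: str             # "1", "2", "3" or "4"
    channels: list
    check_interval: int = 0   # Category 2 only: period of the automatic check
    locked_out: bool = False  # a detected fault has used the independent shutdown route
    log: list = field(default_factory=list)

    def healthy_channels(self):
        return [c for c in self.channels if not c.faulted]

    def inject_fault(self, t, name, detectable=True):
        for c in self.channels:
            if c.name == name:
                c.faulted, c.detectable = True, detectable
        self.log.append((t, f"fault in {name} (detectable={detectable})"))

    def _fault_reaction(self, t, how):
        """If any fault is visible to the diagnostics, bring the machine to the
        safe state via the second, independent shutdown route and block restart."""
        if any(c.faulted and c.detectable for c in self.channels):
            self.locked_out = True
            self.log.append((t, f"fault detected {how}: safe state, restart blocked"))
            return True
        return False

    def tick(self, t):
        # Category 2: the machine control system checks the safety function
        # periodically; faults are only ever discovered at these instants.
        if self.category == "2" and self.check_interval and t % self.check_interval == 0:
            self._fault_reaction(t, "by periodic check")

    def demand(self, t):
        """Someone reaches into the danger zone: the safety function is demanded.
        Returns 'performed', 'lost' or 'locked_out'."""
        if self.locked_out:
            return "locked_out"
        # Categories 3 and 4: a single fault is detected at or before the next
        # demand (Category 3 only where practicable, i.e. where the fault is of
        # a detectable kind; Category 4 is designed so that it always is).
        if self.category in ("3", "4") and self._fault_reaction(t, "at demand"):
            return "locked_out"
        if self.healthy_channels():
            return "performed"
        self.log.append((t, "LOSS OF SAFETY FUNCTION"))
        return "lost"


def run_scenario(sf, events, horizon):
    """events maps time -> list of ("fault", channel, detectable) or ("demand",).
    Returns the outcome of every demand, in order."""
    outcomes = []
    for t in range(horizon + 1):
        sf.tick(t)
        for ev in events.get(t, []):
            if ev[0] == "fault":
                sf.inject_fault(t, ev[1], ev[2])
            else:
                outcomes.append((t, sf.demand(t)))
    return outcomes


def category2_scenario():
    """Single channel checked every 10 cycles: a fault at t=3 is not seen until
    t=10, so a demand at t=5 falls in the window where the function is lost."""
    sf = SafetyFunction("2", [SafetyChannel("ch1")], check_interval=10)
    return run_scenario(sf, {3: [("fault", "ch1", True)], 5: [("demand",)], 12: [("demand",)]}, 12)


def category3_scenario():
    """Two channels with faults the diagnostics cannot see: the first fault is
    tolerated, the accumulated second one is not."""
    sf = SafetyFunction("3", [SafetyChannel("ch1"), SafetyChannel("ch2")])
    return run_scenario(sf, {3: [("fault", "ch1", False)], 5: [("demand",)],
                             7: [("fault", "ch2", False)], 9: [("demand",)]}, 9)


def category4_scenario():
    """Two channels with detectable faults: the first fault is caught at the next
    demand and the machine is locked out, so no second fault can accumulate."""
    sf = SafetyFunction("4", [SafetyChannel("ch1"), SafetyChannel("ch2")])
    return run_scenario(sf, {3: [("fault", "ch1", True)], 5: [("demand",)],
                             7: [("fault", "ch2", True)], 9: [("demand",)]}, 9)


if __name__ == "__main__":
    for name, scenario in [("Cat. 2", category2_scenario), ("Cat. 3", category3_scenario),
                           ("Cat. 4", category4_scenario)]:
        print(name, scenario())
```

The three scenarios return [(5, 'lost'), (12, 'locked_out')], [(5, 'performed'), (9, 'lost')] and [(5, 'locked_out'), (9, 'locked_out')] respectively. Category 1 in this model is the Category 2 object without a check interval: the fault is never detected and the first demand after it is lost, which is what the note under Category 1 warns about. The model is only a reading aid for the text; it says nothing about which architecture is adequate for a given risk, which is the job of the risk graph.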