A brief history of Functional Safety standards

Last edit: 22/08/2023

In machinery, one of the first safety standards was BS 5304 “Code of Practice for Safety of Machinery”, first published in 1975. The design features in this code of practice were essentially qualitative. The guide existed, with various revisions, until well into the 1990s, when such guidance was taken over by the European standard EN 954-1:1996 “Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design” [2]: the safety of machinery control systems was formally born.

At that time, the world of programmable electronics, although already heavily used in process safety, was kept out of machinery standards. Here is what the 1997 edition of IEC 60204-1 [3] stated about emergency stops:

[IEC 60204-1: 1997] 9.2.5.4 Emergency operations (emergency stop, emergency switching off)

9.2.5.4.2 Emergency Stop. [...] Where a category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. In addition, its operation shall not depend on electronic logic (hardware or software) or on the transmission of commands over a communications network or link. Where a category 1 stop is used for the emergency stop function, final removal of power to the machine actuators shall be ensured and carried out by means of electromechanical components.

The reason for the scepticism towards electronics was that an electromechanical component has clearly defined failure modes: a power contactor (§4.12.2), for example, can fail open or fail closed, whereas the failure modes of programmable electronics running software are much harder to enumerate.

EN 954-1 took what was later called a deterministic approach. Safety components were accepted only if they were electromechanical or built from simple electronics. Safety relied mainly on the so-called Architectures: single or double channel. Where only a low risk reduction was needed, a single interlocking device and a single contactor stopping the motor was enough. Where the motor drove a high-risk element, such as a saw, two contactors with a monitoring function (fault detection) were required to stop the same motor.
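To make the difference between the two architectures concrete, here is a small Python model added for this article (it is not from the original page or from any standard). It assumes the two contactor failure modes named above, stuck open and stuck closed, and a monitoring scheme in which each contactor reports its actual position through an auxiliary (mirror) contact; the class and function names are invented for the illustration. Running the same fault through both architectures shows why a single contactor is only acceptable for low risk reduction: a welded contactor leaves the motor running and nothing notices, while the double-channel arrangement still stops the motor through the second contactor and refuses to restart.

```python
"""Toy model of single- vs double-channel stop architectures (added example).

Names (Contactor, SingleChannelStop, DoubleChannelStop, simulate) are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Fault(Enum):
    NONE = "none"
    STUCK_OPEN = "stuck_open"      # welded open: motor cannot start (safe failure)
    STUCK_CLOSED = "stuck_closed"  # welded closed: motor cannot be stopped (dangerous failure)


@dataclass
class Contactor:
    """A power contactor with a feedback (mirror) contact reporting its real position."""
    name: str
    fault: Fault = Fault.NONE
    commanded_closed: bool = False

    def command(self, close: bool) -> None:
        self.commanded_closed = close

    @property
    def closed(self) -> bool:
        # Feedback reflects the physical state, not the command, so a stuck contactor is visible.
        if self.fault is Fault.STUCK_OPEN:
            return False
        if self.fault is Fault.STUCK_CLOSED:
            return True
        return self.commanded_closed


class SingleChannelStop:
    """One contactor, no monitoring: the command is trusted blindly."""

    def __init__(self, k1: Contactor) -> None:
        self.k1 = k1

    def start(self) -> bool:
        self.k1.command(True)
        return True  # nothing checks that the contactor actually followed the command

    def stop(self) -> None:
        self.k1.command(False)

    def motor_powered(self) -> bool:
        return self.k1.closed


class DoubleChannelStop:
    """Two contactors in series with feedback monitoring (fault detection)."""

    def __init__(self, k1: Contactor, k2: Contactor) -> None:
        self.k1, self.k2 = k1, k2
        self.fault_detected = False

    def _feedback_ok(self, expected_closed: bool) -> bool:
        # Both mirror contacts must agree with the commanded state, otherwise lock out.
        ok = self.k1.closed == expected_closed and self.k2.closed == expected_closed
        if not ok:
            self.fault_detected = True
        return ok

    def start(self) -> bool:
        if self.fault_detected or not self._feedback_ok(expected_closed=False):
            return False  # a contactor did not open on the last stop: no restart
        self.k1.command(True)
        self.k2.command(True)
        return self._feedback_ok(expected_closed=True)

    def stop(self) -> None:
        self.k1.command(False)
        self.k2.command(False)
        self._feedback_ok(expected_closed=False)

    def motor_powered(self) -> bool:
        # Series connection: either open contactor removes power.
        return self.k1.closed and self.k2.closed


def simulate(system, faulty: Contactor, fault: Fault):
    """Start, inject a fault, stop, try to restart; return (motor stopped, restart allowed)."""
    system.start()
    faulty.fault = fault          # constructed fault injection, e.g. contacts welding in service
    system.stop()
    stopped = not system.motor_powered()
    restart_allowed = system.start()
    return stopped, restart_allowed


if __name__ == "__main__":
    k = Contactor("K1")
    print("single channel, K1 welded closed:", simulate(SingleChannelStop(k), k, Fault.STUCK_CLOSED))
    k1, k2 = Contactor("K1"), Contactor("K2")
    print("double channel, K1 welded closed:", simulate(DoubleChannelStop(k1, k2), k1, Fault.STUCK_CLOSED))
```

The single-channel run reports (False, True): the motor keeps running after the stop command and the system happily accepts a restart, which is exactly the undetected dangerous failure the double-channel architecture is meant to exclude. The double-channel run reports (True, False): K2 removes power on its own and the mismatch between K1's command and its feedback blocks the next start until the fault is repaired.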

For software and programmable electronics used in safety applications, some countries had local technical standards. In Germany, in the 1990s, DIN VDE 0801 for processor- and software-based safety-related control systems was sometimes used in addition to EN 954-1. Basic principles of DIN VDE 0801 went into the IEC 61508 series.

In the 1990s, IEC started writing what later became the IEC 61508 [4] series of standards, which officially defined the term Functional Safety. Since the IEC 61508 series only considers electrical/electronic/programmable electronic (E/E/PE) safety-related systems, this is its definition of Functional Safety:

[IEC 61508-4] 3 Definitions and abbreviations

3.1.12 Functional Safety. Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures

The acronym EUC stands for Equipment Under Control, that is, the machinery or process whose risk we want to reduce:

[IEC 61508-4] 3 Definitions and abbreviations

3.2.1 Equipment Under Control (EUC). Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities

However, Functional Safety can also be achieved with other technologies, such as pneumatics or hydraulics; hence this broader definition [1]:

[Electropedia] Functional Safety: part of the overall safety that depends on functional and physical units operating correctly in response to their inputs.