Functional safety requirements can be applied to many products, and the subject has its own language and jargon, the whole subject can be baffling and complex.

The subject matter can be quite confusing for anyone looking at this interesting topic for the first time, and common questions will arise such as; “I think we need to conduct an assessment but don’t know where to start”, “what standards do I follow and how do I apply them to my area of work”.

This technical note has been produced to support manufacturers with a general top-level introduction and to also stimulate ideas for both current and future products, and system/subsystem developments. We won’t try to blind you with the science, but just give an overall understanding of the subject. For more detailed information and training, CML can offer a range of services to help.

  1. What is functional safety, and is there a top-level standard?

From an overall point of view, safety is defined as freedom from unacceptable risk. The risk from a process or machine hazard can be defined as the combination of the probability of occurrence and the seriousness of the harmful outcome. If the plant/machine risk assessment indicates the risk is too high, then there clearly needs to be some method of reducing the risk to an acceptable level. Where safety relies on a system (or device) whose function contributes a large level of risk reduction, functional safety engineering is used to achieve this reduction.

SIL – Safety Integrity Level, is primarily a quantitative reliability metric of the system function(s), together with various qualitative measures that need to be used, prescribed according to the SIL. There are four SIL levels, 1 2, 3 & 4, where SIL 1 is the lowest level of safety function and SIL 4 the highest. The level of rigour applied to the assessment increases as the SIL number increases.

The top-level standard is IEC 61508.

Industry specific standards are then implemented from IEC 61508; a few industrial sectors are shown below:

Industrial Sector: A few typical Examples:
Machinery Emergency stops, guard interlocks, robotic assembly equipment
Rail Signalling systems, traction breaking systems
Process Emergency Shutdown and Fire & Gas systems
Automotive Breaking systems, air bags, autonomous driving functions
Explosive Atmospheres Support of Area Classification:

Reduction of explosive limits, control of ventilation / dilution

Support of product certification:

Control of ignition sources, shutdown of process using gas detection.

Non-electrical machine shutdown systems for over-heating, over speed, conveyor belt misalignment, vibration monitoring etc.

So firstly, it is necessary to understand what industrial sector is being considered. Once this is understood the application / project can be designed or assessed against the applicable standards and assessment procedures.

For example, if the engineering task is the implementation of a safety gate in a large printing machine the machinery safety related standards ISO EN 13849-1 [performance levels not SIL’s, PL a, b, c, d and e] or IEC 62061 [SIL’s used] would be used. It’s important to understand that each part of the safety function will need to be assessed. Safety functions are built from complete control paths and include input(s), logic / processing and output device(s), all of which must be considered with respect to the safety function and provide assurance that it has reduced the risk from an initial to acceptable level. The safety functions can use a combination of already available devices with known failure rates or further analysis must be used to justify the failure data of new ‘elements’.

  1. Is functional safety related to the CE marking process?

Functional safety supports the CE marking process & applicable safety product Directives. A manufacturer must select and apply all applicable Directives to their product before it is placed on the EU market (in some cases used only by themselves). Typical CE marking Directives associated with industrial equipment for example will be EMC, Machinery, LVD and ATEX. Some of these Directives can use functional safety engineering as a means to reduce and control risks from plant/machinery hazards to acceptable levels.

  1. Where to start – examples:

To show how functional safety can be applied, two examples are provided. The examples are overviews and should not be viewed as complete safety assessments.

Example A: Simple printing machine using flammable solvents as part of the process consumables

In this case the Machinery Directive is the prime CE marking Directive with ATEX and EMC also needing to be addressed.

Risk Assessment Machinery: The first engineering task to undertake is a hazard and risk analysis, to EN 12100. This will identify all hazards associated with the machine i.e. impact, crushing, being drawn in, cutting, heat, and cold to name a few.

Reduce the Risk: For each hazard, review the risk and consequence and then apply measure(s) to reduce the risk to an acceptable level. This may be from fixed guarding or by implementing safety related parts of control systems e.g. a switch being monitored by a safety relay and the energy source being removed from the output device / hazard when the switch is operated.

Risk Assessment Fire & Explosion: We now must consider the hazard of fire and explosion using the ATEX Directive and standard EN 1127-1 in conjunction with the Machinery Directive. In this example, this can either be addressed by zoning the machine (internals and associated limits) and then using appropriate ATEX / IECEx equipment.


We could use functional safety to implement a dilution and extraction system with fans / flow meters and associated ducting. In this instance, the zoning previously mentioned could be lowered, allowing a cost saving on different ATEX / IECEx equipment selection or it may completely remove the potential for an explosive atmosphere allowing for standard non-ATEX / IECEx equipment to be used. If this approach is used, then the flow rate must be confirmed before the machine process is started, during the process run time and when the process is stopped. The dilution system must therefore be interlocked into the machine to provide the safety concept. In addition to this, if the risk analysis identifies a high probability that a potentially explosive atmosphere could be inside the ducting during process failure modes or before extraction start-up i.e. electrical power outage / failure, then the ducting and associated equipment must be zoned and appropriately classified ATEX /IECEx equipment used. 

Example B: Induction motor used in a potentially hazardous area

In this example, we would like to protect an electrical motor from overheat in a potentially explosive atmosphere. This safety function is implemented by firstly monitoring the electrical outputs to the device i.e. voltage and current and then comparing temperature feedback information from the motor. We need to be certain that the risk of the monitoring device failing to cut electrical power upon motor over-temperature is acceptably low. The standard applicable to this type of safety monitoring device is EN 50495 with a SIL suitability outcome for the device.

The standard can also be used to provide additional Hardware Fault Tolerance (HFT) to enable for example Category 3G ATEX electrical equipment historically used in Zone 2, to be used in Zone 1 [Category 2G], by providing additional functional safety monitoring and shutdown of the potential ignition sources [heat, rotational speed etc].

  1. Typical equipment requiring functional safety assessment:

We have already mentioned a safety function will consist of an input, logic and output elements. The individual elements could use any form of energy i.e. electrical, pneumatic or hydraulic. Any element that is used as part of a safety function will therefore need to be assessed against the applicable standards. Examples include process variable transmitters (temperature, flow, pressure, etc), sensors (gas, proximity, speed, rotation, movement, etc), controllers, relays, actuators, valves, isolators, etc. The scope of the assessment includes the reliability data, the qualitative integrity measures, the development documentation and the user safety manual.

  1. Certification process

In general, the assessment is conducted in the following manner:

  1. Client information sheet is completed for each project. This is required before any quotation for works is given and will be used to understand the client’s knowledge and define the assessment standards, e.g., IEC 61508 + IEC 61511 [Process] or IEC 61508 + IEC 62061 [machinery]. The required SIL target (1, 2, 3 or 4) for the application is also stated by the client at this stage (if this is known).
  1. Considering a new electronic product, an analysis of the probabilistic failures (e.g., by failure modes and effects analysis) and an assessment of the architectural integrity. From this analysis, a number of the parameters required by IEC 61508 are derived. An assessment of the measures used to address systematic (qualitative) type defects, particularly software if used.
  2. Functional safety management: FSM – ‘manufacturing / design of the product’ – is also assessed and a safety manual must be produced. The safety manual and certificate work together with the product and must be viewed together.
  3. Certification can be issued following the successful assessments of both product and manufacturing / design systems.





Atex professionals


daily search





You are using BETA version.
Send feedback