We automate your success.

Functional Safety

1. What is Functional Safety?

The primary objective of Functional Safety is to protect both people and the environment. As a rule, they are to be protected from hazardous malfunctions, e.g., resulting from automation systems in machines.

Functional Safety is also essential in order to comply with the regulations of the Machinery Directive. Further, Functional Safety can absolve liability under the German Product Liability Act ("Produkthaftungsgesetz") in the event of damage.

Functional Safety Management (FSM)

All activities related to Functional Safety are encompassed by the term Functional Safety Management (FSM). FSM ensures the responsibilities of individuals in the safety process are well-defined and that all planned safety measures are executed accurately and comprehensively.

The activities include, for example:

  • Risk analyses and definition of safety requirements
  • Specification of detailed requirements
  • Planning for implementing requirements in the development and production process
  • Documentation and proof of correct functioning
  • Tool qualification
  • Staff training
  • Verification and validation of documents, products, etc.
  • Procurement of components and quality assurance
  • Two-person rule
  • Monitoring of operational shortfalls

1.1 Risk assessment

The aim of Functional Safety is to reduce the risk of harm to individuals and/or property to a socially acceptable level.

Risk analysis

The first step involves identifying the specific risks associated with the machine in question. This is the only way to minimize the identified risks through appropriate measures. Every product that may pose a potential hazard must be taken into account. In the following, they are summarized under the term "machine".

Consequently, the first step involves preparing a risk assessment/analysis. The objective of this analysis is to identify all potential risks prior to placing the machine on the market. This risk assessment is mandatory as specified under various laws and directives, such as the German Product Safety Act ("Produktsicherheitsgesetz") or the Machinery Directive.

If a machine is subject to a safety standard like EN ISO 13849 or ISO 25119, the recommended risk graphs outlined therein can be applied. Alternatively, DIN EN ISO 12100 or a combination of various standards can be used.


All potential hazards must be taken into account, e.g.:

  • Mechanical hazards
  • Electrical hazards
  • Thermal hazards
  • Hazards due to vibration, radiation, materials and substances
  • Ergonomic hazards
  • Hazards associated with the operational conditions of the machine environment
  • Combination of hazards

Measures to minimize risks

If the risk assessment reveals a high probability of a hazardous event, significant consequences and no means for affected parties to evade the risk, appropriate measures for risk reduction must be defined and implemented. Subsequently, a new assessment and additional measures are formulated, if deemed necessary. This is an iterative process that must be repeated until the level of risk is acceptably low or effectively controlled through the measures implemented.

The first step towards risk reduction is to implement design-engineering measures; e.g.:

  • Separating hazardous zones from operators by means of protective housings or barriers.
  • Choosing a design that eliminates the risk of potential hazards.
  • Correctly dimensioning machinery to prevent hazardous situations.

The second step towards risk reduction is to utilize safety equipment. If an operator requires access to a hazardous area, e.g. to perform maintenance or adjustment activities, it must be possible without compromising the protective properties. A viable solution in this situation could be a safety door equipped with a door protection switch. This solution would then have to be implemented in line with the safety level corresponding to the risk graph of the associated standard.

The aim should be to employ as many design-engineering measures as possible to ensure risk reduction. Only after minimizing residual safety functions to the fullest extent possible, should you consider augmenting them with electrical/electronic and programmable safety equipment.

1.2 Definition of requirements: The safety/performance level

The reliability of safety functions is evaluated based on the safety or performance level of electrical/electronic and programmable safety equipment.

Depending on the applicable standards, there are two systems: Technical safety based on the performance level (PL) or the safety integrity level (SIL). The SIL-based standards are, e.g., IEC 61508 (SIL) and DIN EN 62061 (SIL CL). The PL-based standards are, e.g., EN ISO 13849 (PL) or ISO 25119 (AgPL).

The level necessary is determined by referencing the risk graphs of the applicable standard.

Risk graph

This is an example of the ISO 13849 risk graph and its parameters:

  • (S) Severity of injury: A distinction is made between slight injuries (S1) and serious injuries (S2). Slight injuries are injuries that heal without any lasting problems. Serious injuries are all other injuries.
  • (F) Frequency and exposure time in the hazard zone: F2 should be selected if an individual is frequently or continuously exposed to a hazard, e.g. with a frequency exceeding once every 15 minutes. F1 can be selected if the frequency is less than once every 15 minutes.
  • (P) Possibility of avoiding the hazard: P1 should only be selected if there is a realistic possibility of avoiding or substantially reducing the hazard; otherwise, select P2. Further, empirical values related to the likelihood of the hazard occurring should be taken into account.

The combination of these three parameters results in the required safety level.

If you now consider a safety function, e.g. a safety door, designed to protect against a hazard with the following specifications:

  • Loss of an arm by being drawn into a roller.
  • The roller has to be cleaned every 30 minutes.
  • Avoidance is not possible, as contact with the roller is inevitable during the cleaning process.

This would result in the following parameters: S2, F1, P2.

With these parameters, the required PLr = d. The entire safety function, i.e. the door contact switch, safety relay, drive, etc., would have to achieve at least Performance Level d.

1.3 Procedure

Initially, check whether your machine is subject to a directive, e.g. the Machinery Directive.

The Machinery Directive demands that fundamental health and safety requirements specified in Annex I are met. It is necessary to demonstrate compliance with these requirements. Create a checklist containing all the requirements and identify which points apply to your machine and which do not. These checklists are also available free of charge online.

If the directive includes harmonized standards with safety specifications appropriate for your machine, compliance with these harmonized standards and a corresponding declaration of conformity may serve as evidence of conformity with the essential health and safety requirements for the relevant parts or the entirety of the machine.

Note that by issuing a declaration of conformity you are declaring full compliance with all the requirements of the relevant standard. If the signatory is aware of non-compliance with certain safety requirements, whether knowingly or negligently, it represents a liability risk.

If no harmonized standards are available for the relevant parts of your machine, you must devise alternative solutions to ensure the requirements are satisfied.

In the absence of a directive, the German Product Safety Act ("Produktsicherheitsgesetz") mandates that a product can only be placed on the market if it does not pose a health and safety risk to individuals when utilized in a foreseeable or intended manner. You are then basically in the same situation as specified by the Machinery Directive.

Your contact person

Volker Kugler
Functional Safety Management
  +49 (7141) 2550-659

More information

Your contact person