Functional Safety
Functional safety in industrial machine design is the engineering discipline of designing, verifying, and documenting the safety-related control functions that bring a machine to a safe state when a hazard is detected, and of demonstrating that those functions achieve the required reliability level. In the EU, functional safety is a mandatory part of the essential health and safety requirements of the Machinery Directive (2006/42/EC), which the Machinery Regulation (EU) 2023/1230 replaces from 20 January 2027, and it is assessed against the harmonised standards ISO 13849-1 (Performance Level, PL a to PL e) or IEC 62061 (Safety Integrity Level, SIL 1 to SIL 3). A missing or incorrectly implemented safety function is one of the most common reasons a CE technical file is rejected.
- E-stop circuits on SPMs: The emergency stop function is specified by ISO 13850, which sets PLc (ISO 13849-1) as the minimum; the risk assessment may demand more. In practice this means a safety relay or safety PLC with monitored (normally dual-channel) inputs, not a pushbutton wired directly into a contactor coil.
- Guard door interlocking: Interlocked guard doors on machining and assembly SPMs require a safety function that prevents hazardous motion while the door is open (and, where run-down is long, holds the door locked until motion has stopped). The target is typically PLd or PLe depending on the severity of injury and the frequency of exposure established in the risk assessment.
- Two-hand control devices: Press and forming machines use two-hand control as a safeguarding measure. The device and its control circuit must comply with ISO 13851, whose Type III devices map to PLc (Type IIIA), PLd (Type IIIB) or PLe (Type IIIC); PLc is therefore the floor, and presses usually require Type IIIC.
- Light curtains and safety mats: Area access detection for collaborative zones on assembly lines. The safety function design must account for the overall stopping performance (protective device response time plus the stopping time of the hazardous motion) and the position of the detection zone, so that the minimum safety distance of ISO 13855 is achieved.
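The ISO 13855 rule behind the last bullet is S = K × T + C: K is the approach speed of the body, T is the overall stopping performance, and C is an intrusion allowance that depends on the detection capability of the device. The following is an added example (not code from the page or from ClusterVise) that applies the light-curtain and safety-mat cases for a perpendicular approach; the response times and resolutions are constructed, and a real installation must use measured stopping times and the clause of ISO 13855 that matches its approach direction.

```python
# Added example: ISO 13855 minimum safety distance S = K * T + C for a light curtain
# (AOPD) or a pressure-sensitive mat approached perpendicular to the detection zone.
# Timing values and resolutions below are constructed for illustration.

def response_time_ms(device_response_ms: int, machine_stop_ms: int) -> int:
    """T in ISO 13855 is the overall stopping performance: protective-device
    response time plus the time for the hazardous motion to come to a stop."""
    if device_response_ms < 0 or machine_stop_ms < 0:
        raise ValueError("times must be non-negative")
    return device_response_ms + machine_stop_ms


def light_curtain_distance_mm(device_response_ms: int, machine_stop_ms: int,
                              resolution_mm: float) -> float:
    """AOPD with detection capability d <= 70 mm, normal approach.
    d <= 40 mm (finger/hand detection): S = 2000*T + 8*(d - 14), C not below 0,
      S not below 100 mm. If S comes out above 500 mm, K = 1600 mm/s may be used
      instead, but S must then be at least 500 mm.
    40 < d <= 70 mm (arm detection): S = 1600*T + 850."""
    t_s = response_time_ms(device_response_ms, machine_stop_ms) / 1000.0
    if resolution_mm <= 40:
        c = max(8.0 * (resolution_mm - 14.0), 0.0)
        s = 2000.0 * t_s + c
        if s > 500.0:
            s = max(1600.0 * t_s + c, 500.0)
        return max(s, 100.0)
    if resolution_mm <= 70:
        return 1600.0 * t_s + 850.0
    raise ValueError("resolution > 70 mm is outside the finger/hand/arm detection case")


def safety_mat_distance_mm(device_response_ms: int, machine_stop_ms: int) -> float:
    """Pressure-sensitive mats: S = 1600*T + 1200 (C allows for a stride onto the mat)."""
    t_s = response_time_ms(device_response_ms, machine_stop_ms) / 1000.0
    return 1600.0 * t_s + 1200.0


def clearance_ok(installed_mm: float, required_mm: float) -> bool:
    """The curtain or mat edge must be at least S from the nearest hazard point."""
    return installed_mm >= required_mm


if __name__ == "__main__":
    # Constructed: 14 mm curtain, 20 ms device response, 130 ms machine stop -> 300 mm
    print(light_curtain_distance_mm(20, 130, 14))
    # Constructed: 30 mm curtain, 50 ms + 250 ms: 2000*0.3 + 128 = 728 > 500,
    # so recomputed with K = 1600 -> 608 mm
    print(light_curtain_distance_mm(50, 250, 30))
    # Constructed: safety mat with the same 300 ms -> 1680 mm
    print(safety_mat_distance_mm(50, 250))
```

Note that a longer machine stopping time moves the curtain further from the hazard, which is why the stopping time must be measured on the finished machine and re-checked after any drive or brake change.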
ISO 13849-1 determines the achieved Performance Level (PL) from three parameters: Category (the structural architecture of the safety circuit: Cat B, 1, 2, 3 or 4, covering input, logic and output), MTTFd (Mean Time To dangerous Failure of each channel, derived from component datasheet values such as B10d and the operating cycle rate), and DCavg (average Diagnostic Coverage, the fraction of dangerous failures detected by automatic diagnostics). The combination of Category + MTTFd + DCavg maps to a PL (a through e) via the simplified procedure of the standard, provided that common cause failure measures (Annex F score of at least 65 for Cat 2 to 4) and the systematic and software requirements are also met. The required PLr is read from the risk graph: severity (S1 = slight, normally reversible injury; S2 = serious, normally irreversible injury or death), frequency and duration of exposure (F1 = seldom to less often and/or short; F2 = frequent to continuous and/or long), and possibility of avoiding the hazard (P1 = possible under specific conditions; P2 = scarcely possible). The achieved PL must meet or exceed PLr. IEC 62061 uses a similar method expressed as a probability of dangerous failure per hour (PFH) mapped to SIL levels.
- Specifying a single-channel E-stop circuit (Cat 1) when the risk assessment demands PLd. Cat 1 is a single channel with no fault detection, so a stuck contact goes unnoticed and the architecture is limited to PLc regardless of how reliable its components are.
- Using a standard (non-safety-rated) PLC to execute a safety function. A standard PLC has no certified diagnostics or defined fault reaction, so it cannot form a channel of a Cat 3 or Cat 4 circuit; the logic element must be a safety relay or a safety PLC with safety-rated I/O.
- Calculating PL using component MTTFd or B10d values without verifying that they apply to the failure modes and operating conditions relevant to the safety function (for example, a contactor B10d quoted for a different load category, or an MTTF figure used where MTTFd is required).
- Designing the safety function correctly but failing to document it. An undocumented safety function cannot be validated, which means the CE technical file is incomplete regardless of whether the hardware is correct.
- Assuming that fitting a CE-marked safety relay automatically achieves the required PL. The PL depends on how the relay is wired and integrated (single or dual channel inputs, feedback monitoring of the output contactors, the category of the whole circuit), not just on what it is.
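To make the PL determination above and the Cat 1 mistake concrete, here is an added example (not code from the page or from ClusterVise) that implements the ISO 13849-1 risk graph for PLr, the Annex C and Annex E formulas for channel MTTFd and DCavg, and the simplified Category/MTTFd/DCavg lookup for the achieved PL. The component B10d and DC figures and the duty cycle are constructed; the lookup table reproduces the simplified procedure of the 2015 edition and should be checked against the edition cited in your technical file, and it assumes the CCF and category requirements are met separately.

```python
# Added example: ISO 13849-1 risk graph -> PLr, then Category + MTTFd band + DCavg band
# -> achieved PL (simplified procedure). Component numbers are constructed; take B10d,
# MTTFd and DC from datasheets and Annex E of the standard for a real design.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PL_ORDER = "abcde"

# Risk graph (Annex A): severity S1/S2, frequency F1/F2, avoidance P1/P2 -> required PL
RISK_GRAPH: Dict[Tuple[str, str, str], str] = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}

# Simplified procedure: (category, DCavg band) -> {MTTFd band: PL}. None = not covered.
# Assumes CCF (Annex F score >= 65 for Cat 2..4) and the category's structural
# requirements are met; those are checked separately. Cat 3 with DCavg "high" is not
# a column of the table: either meet Cat 4 or evaluate with the Cat 3/medium column.
PL_TABLE: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": "b"},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


@dataclass
class Component:
    name: str
    dc: float                              # diagnostic coverage for this part, 0.0..1.0
    mttfd_years: Optional[float] = None    # datasheet MTTFd (electronic parts)
    b10d_cycles: Optional[float] = None    # B10d (electromechanical parts)


def cycles_per_year(dop_days: float, hop_hours: float, tcycle_s: float) -> float:
    """n_op = d_op * h_op * 3600 / t_cycle (Annex C)."""
    return dop_days * hop_hours * 3600.0 / tcycle_s


def component_mttfd(c: Component, nop: float) -> float:
    """MTTFd = B10d / (0.1 * n_op) for parts rated by B10d; datasheet value otherwise."""
    if c.mttfd_years is not None:
        return c.mttfd_years
    if c.b10d_cycles is None:
        raise ValueError(f"{c.name}: need mttfd_years or b10d_cycles")
    return c.b10d_cycles / (0.1 * nop)


def channel_mttfd(parts: List[Component], nop: float) -> float:
    """Parts in series: 1/MTTFd = sum(1/MTTFd_i); the 2015 edition caps a channel at 100 years."""
    return min(1.0 / sum(1.0 / component_mttfd(p, nop) for p in parts), 100.0)


def channel_dcavg(parts: List[Component], nop: float) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), using uncapped MTTFd_i."""
    weights = [1.0 / component_mttfd(p, nop) for p in parts]
    return sum(p.dc * w for p, w in zip(parts, weights)) / sum(weights)


def mttfd_band(years: float) -> Optional[str]:
    if years < 3.0:
        return None            # below the 3-year minimum: the channel is not acceptable
    return "low" if years < 10.0 else "medium" if years < 30.0 else "high"


def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


def required_pl(s: str, f: str, p: str) -> str:
    return RISK_GRAPH[(s, f, p)]


def achieved_pl(category: str, mttfd_years: float, dcavg: float) -> Optional[str]:
    """None means the combination is not covered by the table and cannot be claimed."""
    mb = mttfd_band(mttfd_years)
    row = PL_TABLE.get((category, dc_band(dcavg)))
    if mb is None or row is None:
        return None
    return row[mb]


def meets(pl: Optional[str], plr: str) -> bool:
    return pl is not None and PL_ORDER.index(pl) >= PL_ORDER.index(plr)


def guard_door_example() -> Tuple[str, Optional[str], float, float]:
    """Constructed Cat 3 interlock channel: position switch + contactor, 220 days/year,
    16 h/day, one door cycle every 300 s. Returns (PLr, PL, channel MTTFd, DCavg)."""
    nop = cycles_per_year(220, 16, 300)                      # 42,240 cycles/year
    channel = [Component("position switch", dc=0.90, b10d_cycles=2_000_000),
               Component("contactor K1", dc=0.99, b10d_cycles=1_300_000)]
    m = channel_mttfd(channel, nop)                          # 186.5 y uncapped -> 100 y, "high"
    d = channel_dcavg(channel, nop)                          # 0.9545 -> "medium"
    return required_pl("S2", "F2", "P1"), achieved_pl("3", m, d), m, d


def single_channel_estop_example() -> Tuple[str, Optional[str], bool]:
    """The single-channel mistake: Cat 1 (no diagnostics) against PLr = d.
    Even with high MTTFd the best Cat 1 can reach is PLc, so the check fails."""
    plr = required_pl("S2", "F1", "P2")                      # d
    pl = achieved_pl("1", 80.0, 0.0)                         # c
    return plr, pl, meets(pl, plr)
```

The interlock channel lands on PLd only because both MTTFd and DCavg are high enough for the Cat 3 column; drop the contactor feedback monitoring (DC for K1 falls to 0) and DCavg falls below 0.60, which takes the same hardware down to a band the table does not cover for Cat 3 at all. That is the sense in which the PL depends on the integration, not the parts list.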
ClusterVise generates the safety I/O architecture from the declared safety functions and PLr targets — selecting appropriate safety relay types, specifying dual-channel input wiring, and flagging incompatible architectures before detailed design begins. The safety I/O list is generated alongside the standard I/O list, with PLC safety module sizing included in the BOM. Design documentation outputs include a safety function register that forms the starting point for the ISO 13849 technical file.