A brief history of Functional Safety standards

Last edit: 21/09/2025

In the machinery sector, one of the earliest milestones in safety regulation was the British Standard BS 5304: “Code of Practice for Safety of Machinery”, first issued in 1975. Its design principles were mainly qualitative, providing broad guidance rather than precise technical criteria. For two decades, through a series of revisions, BS 5304 served as the reference point for machinery safety in the UK.

By the mid-1990s, however, the European harmonisation process was underway. The role of BS 5304 was gradually assumed by the European Standard EN 954-1:1996, “Safety of Machinery – Safety-Related Parts of Control Systems – General Principles for Design.” This marked a turning point: with EN 954-1, the first official Machinery Safety Standard was born, offering a structured and unified framework across Europe.

Yet, at this stage, programmable electronics were still intentionally left out of the picture. Even though they were already widely deployed in sectors such as chemical and petrochemical plants, they were considered too unpredictable for machinery safety. If a safety loop was needed to reduce risk, programmable devices were not permitted; only electromechanical circuits could be used. The cautious mindset of the time is well illustrated by the 1998 edition of IEC 60204-1, which explicitly described how emergency stop functions had to be implemented.

[IEC 60204-1: 1997] 9.2.5.4 Emergency operations (emergency stop, emergency switching off)

9.2.5.4.2 Emergency Stop. [...] Where a category 0 stop is used for the emergency stop function, it shall have only hardwired electromechanical components. In addition, its operation shall not depend on electronic logic (hardware or software) or on the transmission of commands over a communications network or link. Where a category 1 stop is used for the emergency stop function, final removal of power to the machine actuators shall be ensured and carried out by means of electromechanical components.

The hesitation to embrace electronics in machinery safety was rooted in their perceived unpredictability. Electromechanical components had the advantage of clearly defined failure modes—a power contactor, for instance, could only fail in two ways: open or closed.

When EN 954-1 was introduced, it embodied what later became known as a deterministic approach. Safety was entrusted solely to electromechanical devices or, at most, to simple electronics. The focus was on system architectures, either single- or dual-channel. For applications with only a modest level of risk, a single interlocking device and a single contactor stopping the motor were considered sufficient. But when the motor powered a high-risk element—such as a saw—two contactors with a monitoring function (fault detection) were mandated to ensure the motor could be safely stopped.
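To make the deterministic reasoning behind EN 954-1 concrete, the following is an added illustration (not part of the original article and not drawn from any standard's text): a small Python model of a contactor with the two failure modes named above, open or closed, compared across a single-channel architecture and a dual-channel architecture with a monitoring function. The class and function names (`Contactor`, `single_channel_stop`, `dual_channel_monitored_stop`) and the simplified monitoring rule are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Fault(Enum):
    """Failure modes of an electromechanical power contactor (assumed model)."""
    NONE = "none"
    STUCK_OPEN = "stuck_open"      # contacts cannot close: motor will not run (safe failure)
    STUCK_CLOSED = "stuck_closed"  # contacts welded closed: motor cannot be stopped (dangerous failure)


@dataclass
class Contactor:
    """A contactor that follows its coil unless it has failed into one of the two modes."""
    fault: Fault = Fault.NONE
    coil_energised: bool = True  # machine is running when the scenario starts

    def command(self, energise: bool) -> None:
        self.coil_energised = energise

    @property
    def closed(self) -> bool:
        # The failure mode dominates the coil command: this is what makes the
        # component "predictable" in the deterministic sense of EN 954-1.
        if self.fault is Fault.STUCK_OPEN:
            return False
        if self.fault is Fault.STUCK_CLOSED:
            return True
        return self.coil_energised


@dataclass(frozen=True)
class StopResult:
    motor_running: bool    # true if the actuator is still powered after the stop demand
    fault_detected: bool   # true if the monitoring function has flagged a discrepancy
    restart_allowed: bool  # false once a fault is latched (restart is inhibited)


def single_channel_stop(k1: Contactor) -> StopResult:
    """Single interlock + single contactor, no monitoring (modest-risk architecture)."""
    k1.command(False)
    # There is nothing that checks whether K1 actually opened, so a stuck-closed
    # contactor leaves the motor running and nobody is told about it.
    return StopResult(motor_running=k1.closed, fault_detected=False, restart_allowed=True)


def dual_channel_monitored_stop(k1: Contactor, k2: Contactor) -> StopResult:
    """Two contactors in series with fault detection (high-risk architecture)."""
    k1.command(False)
    k2.command(False)
    # Series contacts: the motor is only powered if BOTH contactors are still closed,
    # so a single dangerous failure is tolerated by the redundant channel.
    motor_running = k1.closed and k2.closed
    # Monitoring (assumed here as reading a mirror contact of each contactor after
    # the stop demand): any contactor still closed is a detected fault, and the
    # safety function latches to prevent a restart with a known-faulty channel.
    fault_detected = k1.closed or k2.closed
    return StopResult(motor_running=motor_running,
                      fault_detected=fault_detected,
                      restart_allowed=not fault_detected)


def run_scenarios() -> dict:
    """Constructed scenarios comparing the two architectures under the same fault."""
    return {
        "single/no_fault": single_channel_stop(Contactor()),
        "single/k1_stuck_closed": single_channel_stop(Contactor(Fault.STUCK_CLOSED)),
        "dual/no_fault": dual_channel_monitored_stop(Contactor(), Contactor()),
        "dual/k1_stuck_closed": dual_channel_monitored_stop(Contactor(Fault.STUCK_CLOSED), Contactor()),
        "dual/both_stuck_closed": dual_channel_monitored_stop(Contactor(Fault.STUCK_CLOSED),
                                                             Contactor(Fault.STUCK_CLOSED)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} running={result.motor_running!s:5s} "
              f"fault_detected={result.fault_detected!s:5s} restart={result.restart_allowed}")
```

The two scenarios worth comparing are the single stuck-closed contactor in each architecture: single-channel leaves the motor running with no indication of a fault, while the dual-channel design stops the motor through the healthy channel and, because the monitoring function reports the discrepancy, blocks a restart so that a second, undetected failure cannot accumulate on top of the first. The "both stuck closed" case shows the limit of the model: two simultaneous dangerous failures still defeat the architecture, which is why monitoring after every stop demand, rather than occasionally, mattered to the designers of the time.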

The use of software and programmable electronics in safety systems was still regarded with suspicion. Nevertheless, some countries began exploring them through local standards. In Germany, during the 1990s, the standard DIN VDE 0801 provided guidance for processor- and software-based safety-related control systems. It was sometimes applied alongside EN 954-1, and many of its core principles would later be carried over into the landmark international standard, the IEC 61508 series.

During the 1990s, the IEC began drafting what would later evolve into the landmark IEC 61508 series of standards, which for the first time officially defined the concept of Functional Safety. It is important to note, however, that IEC 61508 was limited in scope: it addressed only electrical, electronic, and programmable electronic (E/E/PE) safety-related systems. This focus explains why its definition of Functional Safety was framed specifically around the reliability and performance of such technologies.

[IEC 61508-4] 3 Definitions and abbreviations

3.1.12 Functional Safety. Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures

Within the standard, the acronym EUC (Equipment Under Control) is used to designate the machinery or processes whose risks are to be reduced.

[IEC 61508-4] 3 Definitions and abbreviations

3.2.1 Equipment Under Control (EUC). Equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities

However, Functional Safety can also be achieved with other technologies, such as pneumatic or hydraulic systems; for that reason a broader definition exists as well [1]:

[Electropedia] Functional Safety: part of the overall safety that depends on functional and physical units operating correctly in response to their inputs.

IEC 61508 quickly became the reference framework for Functional Safety. Rather than being applied directly in every field, it served as a foundation for sector- and product-specific standards. On its basis, dedicated standards were developed for industries such as process (IEC 61511-1), nuclear (IEC 61513), and railway (EN 50129), as well as for machinery (IEC 62061) and power drive systems (IEC 61800-5-1). Over time, its principles have not only shaped the design of E/E/PE safety-related systems but have also influenced entire generations of products. Even today, IEC 61508 continues to guide and inspire the evolution of Functional Safety across multiple sectors.