Last edit: 07/12/2025
THE DOUBT : What does it mean for a Safety Control System to operate in High Demand or Low Demand, and why is it important to know the difference?
CONSIDERATIONS: An analogy with urban mobility can help clarify this concept. Imagine two cars:
- one that is used every day,
- and another that is used only once every four years.
In both cases, we expect the car to be reliable. However, if we do not specify that the second car will remain parked for four years, we may be disappointed when it fails to start—perhaps because the battery has discharged over time. The same principle applies to safety control systems: the techniques to reach a high reliability level depends on how frequently the system is expected to operate. Because of this, safety systems are classified into two main categories:
- Safety Systems in High Demand
- Safety Systems in Low Demand
In Process Safety, most Safety Instrumented Systems (SIS) operate in the Low Demand mode.
Consider a high-pressure switch on a tank that is designed to close an incoming gas line. The process control system (BPCS) keeps the pressure within limits, and operators receive alarms well before the high-pressure trip point is reached. If the BPCS works correctly, the safety switch may never activate — or might operate only once every … four years?
This raises a critical question: How can we be confident that a device will still function correctly after years of inactivity?
Because Low Demand systems rarely operate, failures can accumulate unnoticed over long periods. This requires specific design criteria, testing intervals, and reliability calculations.
In Machinery Safety, we often deal with High Demand Safety Control Systems (SCS). For example, a safety interlock on a protective gate may be opened every day. Each operation provides immediate confirmation that the device is still functional. If two interlocks are installed on the same gate, we can reasonably assume that only one failure might occur between activations—say, between today and tomorrow—because the time window for failure accumulation is very small. Therefore, the situation is very different from the high-pressure switch that may remain “idle” for years and yers. The more frequently a safety function is demanded, the more directly and frequently its reliability is “automatically” verified.
That is, in essence, the reason why the “two worlds” of high and low demand run in parallel and have quite different approaches.
The reference standard for Low Demand Applications is IEC 61511:
IEC 61511-1: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and application programming requirements
IEC 61511-2: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1:2016
IEC 61511-3: 2016. Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels
While, for high demand, there are 2 different standards: IEC 62061 and ISO 13849-1:
IEC 62061: 2021. Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
ISO 13849-1: 2023 – Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
ISO 13849-2:2012 – Safety of machinery — Safety-related parts of control systems — Part 2: Validation
In 2023, we published a book on the High demand Safety Standards. Inside, we also describe how to tackle mixed systems.
ISO 13849-1 only deals, with High Demand Safety Related Parts of the control system (SRP/CS), while it is the role of IEC 62061 to tackle systems containing both high and low demand loops.
Within the technical committee responsible for IEC 62061—where GT Engineering contributes at the international level—there is growing interest in addressing Low Demand applications. The intent is not to overlap or “compete” with IEC 61511, but to acknowledge that in the Machinery sector manufacturers may encounter machines that incorporate both High Demand and Low Demand safety functions.
However, despite this shared interest, the working group has not yet reached a consensus on how Low Demand should be treated within the context of machinery safety. The methodologies used today in IEC 62061 and ISO 13849-1 are built around architectures and metrics suited for High Demand or Continuous mode, and they do not seamlessly extend to Low Demand scenarios.
Consider, for example, a heat treatment furnace equipped with high-temperature thermocouples designed to protect the chamber if its temperature exceeds the allowable limit. This protection function clearly operates in Low Demand mode: under normal operation, this High temperature safety function will never trigger, and the demand frequency may be extremely low—possibly only once in several years.
In such cases, it is not sufficient to simply apply the existing rules of ISO 13849-1 or IEC 62061. A Low Demand safety function requires:
- different reliability metrics (typically PFDavg rather than PFH),
- different assumptions about fault accumulation and diagnostics,
- and often methodologies derived from the process sector, or at least additional engineering considerations that go beyond the standard machinery frameworks.
This is precisely why the working group continues to explore how Low Demand concepts might be incorporated into future revisions of IEC 62061, ensuring that manufacturers have appropriate tools to design and validate safety functions that operate only rarely but must function flawlessly when needed.
In this respect, a new Technical Standard was published in 2023:
IEC TS 63394: 2023 – Safety of machinery – Guidelines on functional safety of safety-related control system
In the Annex J, it is shown a way to tackle safety systems with both High and Low demand mode (Mixed Systems). The same aproach will also be included in the new edition of IEC 61508-6, that will see the light in 2026.
CONCLUSIONS:
The distinction between High and Low Demand Safety Applications is important, especially for Machineries. When analysing each safety loop, always think about how often it will most likely be used or triggered.
If it is at least once a week, you can reason in terms of High Demand and you do not need to make other considerations.
For frequencies less than that, you need to think about additional maintenance and verifications.
For frequencies less than once per year (low demand), you need to use the approach of IEC 61511-1.