What components are part of a safety control system?

Last edit: 15/02/2026

THE DOUBT: What components are part of a Safety Instrumented System (SIS)?

 

CONSIDERATIONS.

In order to be included in a Safety Control System (SCS, IEC 62061) or a Safety-Related Part of a Control System (SRP/CS, ISO 13849-1), components must be supported by appropriate reliability data (for example B10D or MTTFD values, or failure rates from the manufacturer). Since not all components are characterized by such data, an important question arises: which components are actually considered part of an SCS or an SRP/CS?

The diagram taken from ISO 12100, Annex A (not reproduced here), shows that the following elements are included in a Safety Control System:

  • Sensors (e.g., interlocking devices),
  • Logic systems (e.g., safety PLCs),
  • Power control elements (e.g., contactors, valves).

Conversely, machine actuators such as motors or cylinders are not considered part of the SCS. Why is this the case?

That diagram is valid, for example, for an Emergency Stop function, i.e. a safety function that brings the machine to a safe state by removing energy. In general this is called a safety-related stop function: a safety-related stop function (e.g. one initiated by a safeguard) shall, as soon as necessary after actuation, put the machine in a safe state. Because the safe state is reached by removing power, the motor or cylinder does not have to do anything for the function to succeed; its failures therefore do not contribute to the dangerous failure rate of the function, and the boundary of the SCS ends at the power control element.

The situation is different in the case of an Emergency Start function. The relevant definitions are provided in IEC 60204-1, Annex E:

[IEC 60204-1] Annex E: Explanation of emergency operation functions

Emergency stop: An emergency operation intended to stop a process or a movement that has become hazardous.

Emergency start: An emergency operation intended to start a process or a movement to remove or to avoid a hazardous situation.

 

There are two philosophies for designing safety systems:

  1. A loss of energy triggers the safety action ("de-energize to trip" safety systems);
  2. The application of energy triggers the safety action ("energize to trip" safety systems).

These definitions (emergency stop versus emergency start, de-energize to trip versus energize to trip) highlight that, depending on the nature of the safety function, the system boundaries, and consequently the components to be considered within the SCS, may need to be evaluated differently.


With regard to the safety action, the de-energize-to-trip philosophy is generally more reliable than the energize-to-trip approach. In a de-energize-to-trip system, the safety action is automatically triggered whenever energy is lost at any point within the safety system. As a result, failures related to energy or signal loss are inherently safe and do not need to be considered when calculating the probability of dangerous failures. This significantly simplifies both the safety analysis and the modelling of the safety-related control system. At first glance, this philosophy appears ideal and is indeed the most widely implemented solution in industrial safety systems. However, its main drawback is an increased probability of spurious trips (undesired safety activations).

In certain applications, spurious actions may have detrimental consequences for the installation, such as production losses, process instability, or secondary risks. In these cases, it becomes necessary to limit false activations. For this reason, the energize-to-trip philosophy may be preferred, despite its more demanding reliability assessment: every loss of energy or signal is now a dangerous failure, so power supplies, wiring and the element that must finally act all have to be counted in the dangerous failure rate.
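As an added worked example (not part of the original article and not code from any standard), the following Python script applies the two ideas above to a constructed single-channel chain built from the ISO 12100, Annex A stages: sensor, logic, power control element and machine actuator. Each element carries two constructed failure rates, one for "fails de-energized" (its output or energy is lost) and one for "fails energized" (it sticks and does not remove energy). The boundary rule keeps the actuator outside for a de-energize-to-trip stop function and inside for an energize-to-trip start function, and the classification swaps which of the two failure modes is dangerous and which is spurious. The PFH band uses the single-channel, no-diagnostics approximation PFH ≈ Σ λ_D against the IEC 61508 high-demand table; all numeric values are illustrative only.

```python
"""Constructed example: how the de-energize-to-trip / energize-to-trip choice
changes which failures are dangerous, and where the SCS boundary ends.
Failure rates below are illustrative values, not data from any standard."""
from dataclasses import dataclass
from enum import Enum


class Philosophy(Enum):
    DE_ENERGIZE_TO_TRIP = "de-energize to trip (e.g. emergency stop)"
    ENERGIZE_TO_TRIP = "energize to trip (e.g. emergency start)"


@dataclass(frozen=True)
class Element:
    name: str
    stage: str                # "sensor", "logic", "power_control", "actuator"
    fails_deenergized: float  # lambda [1/h]: output/energy is lost (constructed)
    fails_energized: float    # lambda [1/h]: stuck, energy not removed (constructed)


# Constructed single-channel chain following the ISO 12100 Annex A stages
CHAIN = [
    Element("interlock switch", "sensor", 2.0e-7, 5.0e-8),
    Element("safety PLC", "logic", 1.0e-7, 1.0e-8),
    Element("contactor", "power_control", 3.0e-7, 1.0e-7),
    Element("motor / cylinder", "actuator", 5.0e-6, 2.0e-6),
]


def in_boundary(element: Element, philosophy: Philosophy) -> bool:
    """Stop function (de-energize to trip): the safe state is reached by removing
    energy, so the boundary ends at the power control element.
    Start function (energize to trip): the actuator must move, so it is inside."""
    if philosophy is Philosophy.DE_ENERGIZE_TO_TRIP:
        return element.stage != "actuator"
    return True


def classify(chain, philosophy):
    """Return (lambda_dangerous, lambda_spurious, per-element detail) for the
    elements inside the boundary. Loss of energy is safe (spurious trip) in
    de-energize-to-trip and dangerous in energize-to-trip; the stuck-energized
    mode is the opposite in each case."""
    dangerous = spurious = 0.0
    detail = {}
    for e in chain:
        if not in_boundary(e, philosophy):
            continue
        if philosophy is Philosophy.DE_ENERGIZE_TO_TRIP:
            d, s = e.fails_energized, e.fails_deenergized
        else:
            d, s = e.fails_deenergized, e.fails_energized
        dangerous += d
        spurious += s
        detail[e.name] = {"dangerous": d, "spurious": s}
    return dangerous, spurious, detail


def sil_band(pfh: float) -> str:
    """IEC 61508 high-demand PFH bands. For a single channel without
    diagnostics, PFH is approximated here by the sum of dangerous rates."""
    if pfh >= 1e-5:
        return "below SIL 1"
    if pfh >= 1e-6:
        return "SIL 1"
    if pfh >= 1e-7:
        return "SIL 2"
    if pfh >= 1e-8:
        return "SIL 3"
    return "SIL 4"


def report(chain, philosophy) -> str:
    """Human-readable summary of boundary, dangerous and spurious rates."""
    dangerous, spurious, detail = classify(chain, philosophy)
    lines = [f"{philosophy.value}:"]
    for name, v in detail.items():
        lines.append(f"  {name:18s} dangerous {v['dangerous']:.1e}  "
                     f"spurious {v['spurious']:.1e}")
    lines.append(f"  lambda_D = {dangerous:.2e} 1/h  -> {sil_band(dangerous)}")
    lines.append(f"  lambda_S = {spurious:.2e} 1/h  -> "
                 f"MTTF_spurious ~ {1 / spurious:.2e} h")
    return "\n".join(lines)


if __name__ == "__main__":
    for p in Philosophy:
        print(report(CHAIN, p))
```

Running the script shows the two effects the text describes: under de-energize to trip the actuator is outside the boundary and only the stuck-energized modes count as dangerous, giving a small λ_D but a larger spurious-trip rate; under energize to trip the actuator enters the boundary and every loss-of-energy mode becomes dangerous, so λ_D grows by more than an order of magnitude with these constructed values and the achievable band drops.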

 

CONCLUSIONS.

Machine actuators (e.g., motors, cylinders) are generally not part of an SIS (IEC 61511-1), an SCS (IEC 62061) or an SRP/CS (ISO 13849-1) when the safety function is a safety-related stop function, for example an Emergency Stop. In these cases the safe state is achieved by removing energy, the actuator does not need to respond for the function to succeed, and the safety boundary ends at the power control element.
However, the situation differs for Emergency Start functions (IEC 60204-1, Annex E), where starting a movement may be necessary to remove a hazard. In such cases the function is energize to trip: energy must be applied to reach the safe state, a failure of the actuator to respond is a dangerous failure, and the machine actuators (e.g., brakes or cylinders) therefore become part of the safety system and must be supported by reliability data like every other element inside the boundary.