PLENARY LECTURE

IEC 61508 and IEC 61511: application state and trends

Pasquale Fanellia
a

Invensys Operations Management, Sesto San Giovanni (Milan), Italy

pasquale.fanelli@invensys.com

IEC 61508 ed. 2.0 "Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related
Systems" and IEC 61511 ed. 1.0 "Functional Safety - Safety Instrumented Systems for the Process
Industry Sector" are International Standards published by the International Electrotechnical Commission
(IEC). The main objectives of IEC 61508 with the status of a basic safety publication are to facilitate the
development of product and application sector international standards and to enable the development of
E/E/PE safety-related systems where product or application sector international standards do not exist.
The horizontal standard IEC 61511 has been developed as a process sector implementation of IEC 61508.
IEC 61511 gives requirements for the specification, design, installation, operation, maintenance and
testing of a safety instrumented system (SIS). The presentation introduces the current application state of
the activities to be implemented to execute the IEC 61508 and IEC 61511 lifecycle phases in conformity
with standard requirements. The current application state starts from Management of Functional Safety to
go through activities such as process hazard & risk assessment, safety functions allocation, risk reduction
target allocation to safety instrumented functions (SIF), SIF SIL determination, SIS safety requirements
specification (SRS), SIS implementation activities, SIS operation & maintenance, SIS modification and
decommissioning. The current application state includes the lack of Regulatory Codes requirements about
IEC 61508 and IEC 61511 applicability, objective interpretative issues of IEC 61508 and IEC 61511
requirements, applicability issues in real projects of IEC 61508 and IEC 61511, consistency of reliability
data and certification issues of SIS sub-systems and devices. At conclusion of presentation an excursus of
the IEC 61508 and IEC 61511 application current and favourable trends are given with consideration also
to users expectations.

1. IEC 61508, IEC 61511 and IEC 62061 background

1.1 IEC 61508 ed. 1
The international standard IEC 61508 ed. 1 in effect since 2000 states a performance based approach by
the introduction of the safety integrity level (SIL) of the safety instrumented functions (SIFs) implemented
by the safety-related instrumented systems. IEC 61508 introduces and addresses both hardware safety
integrity and systematic safety integrity as function of design, integration, verification and validation,
operation, maintenance and testing. Furthermore the standard IEC 61508 introduced the safety lifecycle
for safety-related instrumented systems and the management of functional safety (FSM). The standard
IEC 61508 found in a couple of years a wide application for safety-related instrumented systems such as
PSD, ESD, BMS, critical TMC, HIPS and F&G thanks to the easiness of adopting the safety integrity level
(SIL) as performance indicator of safety PLCs used as PE logic solvers of safety-related instrumented
systems. The immediate success of SIL was due to the large diffusion of safety PLCs as PE logic solvers
of safety-related instrumented systems since the middle nineties and the concurrent general adoption,
especially in EU countries, of German Standards DIN V 19250 "Fundamental safety aspects for
measurements and control equipment" and DIN V VDE 0801 Principles for computers in safety-related
systems. As matter of fact the PES (programmable electronic system) AK (AnforderungsKlasse or
Requirement Classes from 1 to 8) were introduced in DIN V 19250 and DIN V VDE 0801 was applied to
determine if the AK requirements, based on the safety classification in relation with AK class itself, were
met by the PES. After the issue of IEC 61508 the SIL as integrity ranking was immediately successful also
thanks to the the historical adoption of AK requirement classes; four years later in spite of withdrawal of
DIN V 19250 common practice was to report AK class joined to SIL requirement of safety PLCs. The
certification according to IEC 61508 requirements and specifically IEC 61508-2 for hardware requirements
and IEC 61508-3 for software requirements of safety-related instrumented systems was to move from
several national standards such as DIN V 19250, DIN V 19251 and DIN V VDE 0801 to a unique
international standard addressing the requirements of the E/E/PE safety-related instrumented systems
including logic solver, sensor and final element sub-systems. The consolidated practice of EPC

Contractors in Europe to require for the safety PLCs a certification of compliance with DIN standards
issued by German TV (Technical Inspection Agency) explains the immediate diffusion of the certification
of compliance with IEC 61508 of safety PLCs immediately after the publication of the standard even if the
standard itself did not require a certification of compliance.
In the last decade the requirement of a certification of compliance with IEC 61508 was expanded from PE
logic solvers to any active device of a safety-related instrumented system including sensors, barriers,
relays, solenoid valves, shutdown valves/actuators/positioners, electric motor contactors.
1.2 IEC 61511
One of the objectives of the international standard IEC 61508 as meta-standard is to facilitate the
development of product and application sector standards. The generic application of the functional safety
requirements dictated by IEC 61508 found a specific application with the issue of international standard
IEC 61511 in effect since 2003 focused to process industry sector including O&G, oil refining,
petrochemical/chemical, P&P, conventional power generation. The simpler approach of IEC 61511 did not
significantly alter the basic approach introduced by IEC 61508 to functional safety issues. The concurrent
introduction in USA of ANSI/ISA S84.00.01 (mod. IEC 61511) in 2004 replacing the ANSI/ISA S84.01 (Ed.
stating three SIL classes instead of four) further spread over the diffusion of a unique approach to
functional safety all over the world including the high economic growth areas such as PRC, ME, India,
Brazil covering the most of new installations in the process industry. IEC 61511 simplifies the approach
even in the title replacing the generic E/E/PE safety-related systems with Safety Instrumented Systems
(SIS) and de facto is the international standard that it can be confidently entrusted to place and/or
maintain the process in a safe state. One of the most important statements of IEC 61511 is the correlation
between IEC 61511 and IEC 61508 mandating the compliance with IEC 61508 for SIS devices Mfrs. and
Suppliers and with IEC 61511 for SIS designers, integrators and users. This statement not only saved all
the work previously done in particular on the conformity of logic solvers to IEC 61508 but further boosted
the functional safety culture and practice due to the much simpler approach to SIS safety lifecycle
activities. The adoption of the equivalent standard in US in 2004 eased the IEC 61511 application thanks
to the publication by ANSI/ISA of Technical Report ISA TR-84.00.04 Part 1 Guidelines for the
Implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511) and TR-84.00.04 Part 2 Example
implementation of ANSI/ISA-84.00.01-2004 (mod. IEC 61511). Besides the IEC 61511 part 2 as
application guidelines, other guidelines on IEC 61511 application were published such as OLF 070
Recommended Guidelines for the application of IEC 61508 and IEC 61511 in the petroleum activities on
the Norwegian Continental Shelf issued by Norwegian Oil Industry Association, the EEMUA 222 Guide to
the application of IEC 61511 to safety instrumented systems in the UK process industries, and CEI65-186
Linea guida per l'applicazione della Norma della serie CEI EN 61511 Sicurezza funzionale - sistemi
strumentati di sicurezza per il settore dell'industria di processo issued by Italian CEI.
IEC 61511 is currently under revision and the new edition will come out very likely on the current year with
update of definitions and revision of requirements related mainly to hardware failure rates and fault
tolerance (HFT), fault detection, SRS, application software, SIS O&M and testing, prior use (PU) and
security.
1.3 IEC 61508 ed. 2
nd.
The 2 edition of IEC 61508 published on April 2010 introduced main changes such as the update of
definitions, Management of Functional Safety (FSM), IEC 61508 compliant items, SIF mode of operation,
Overall SRS, classified failure rates, System Design Requirements Specification, systematic capability,
hardware integrity compliance, systematic integrity compliance, on-chip redundancy requirements for
integrated circuits (IC), application specific integrated circuits (ASICS), FGPA (Field Programmable Grid
Arrays), functional safety assessment (FSA), common cause analysis (CCA), safety manual for compliant
items, proven in use (PIU) requirements and security. The impact of a so vast number of revisions and
changes after one full decade of application of IEC 61508 ed. 1 is limited only in the process industry SIS
applications since, in compliance with IEC 61511, the requirements of IEC 61508 apply - with a few
exceptions - to SIS device Mfrs. only.
1.4 IEC 62061
The international standard IEC 62061 "Safety of machinery - Functional safety of safety-related electrical,
electronic and programmable electronic control systems" states the requirements of the safety-related
control systems for industrial machinery. IEC 62061 applies to safety-related control systems based on
E/E/PE technology used, also combined, to execute safety control functions on non-portable machines by
hand and group of machines working coordinately. IEC 62061 is a sector standard derived from IEC 61508
with requirements concerning both hardware and software of safety instrumented functions aimed to

minimize the occupational risk of machinery operators during machine operation, maintenance/cleaning.
Management of Functional Safety (FSM), quantified occupational risk reduction target, hardware and
software integrity requirements - even if simplified for industrial machinery application - are the main
features of this performance based standard.
The installation of machinery packages (e.g. compressors, steam turbines, turbogas, diesel generators) in
the process industry sector mandates the compliance both with IEC 61511 and IEC 62061.
A guideline on IEC 62061 application was published by IEC as Technical Report IEC/TR 62061-1 ed
1.0 Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control
systems for machinery. An application guide was published in Italy by CEI as CEI CLC/TR 62061-1
"Guida allapplicazione delle Norme ISO 13849-1 ed IEC 62061 nella progettazione di sistemi di controllo
relativi alla sicurezza per macchinari.

2. Legislation and IEC 61508, IEC 61511, IEC 62061

2.1 Legislation and EC 61508
The European Committee for Electrotechnical Standardization (CENELEC) supports IEC (International
Electrotechnical Commission) "to be globally recognized as the provider of standards and conformity
assessment and related services needed to facilitate international trade in the fields of electricity,
electronics and associated technologies". CENELEC publishes both standards requested to shape the EU
Internal Market and harmonized standards in support of EU legislation. Since the CENELEC Standards
(EN) must be transposed into EU member countries national standards, products and services compliant
to European standards (EN) get easier access to the EU market independently of manufacturer or supplier
original country. Member countries must also withdraw any conflicting national standard: the EN prevails
over any national standard (e.g. German standards DIN V 19250, DIN V 19251, DIN V VDE 0801 were
withdrawn in August 2004). CENELEC ratified the international standard IEC 61508 Parts 1 to 7 as
European Norm EN 61508-17:2001. The EN 61508-17:2001 have been finally transposed in EU
member countries as national standards (norms) starting from 2002 (e.g. in U.K. as BS EN 6150817:2002). CENELEC ratified the IEC 61508 ed. 2 in May 2010 immediately after the publication as
European Norm EN 61508-17:2010. In Italy the EN 61508-17:2010 has been transposed as CEI EN
61508-17:2011 issued in English and French languages as the original standard.
Even if laws and regulations may refer to standards (norm in French, German and Italian languages) so
making the compliance with norms compulsory, so far there is no automatic legal obligation to apply CEI
EN 61508-17:2011 in Italy and the same situation occurs in other EU Countries.
Compliance with EU harmonized standards applied to meet the essential requirements of EU Legislation,
provides a presumption of conformity with the corresponding harmonization requirements of EU
Legislation. To claim this presumption of conformity the harmonized standards must be published in the
EU Official Journal (OJEU). The harmonized standards use is on voluntary basis. "Manufacturers, other
economic operators or conformity assessment bodies are free to choose any other technical solution that
provides compliance with the mandatory legal requirements.", as stated by European Commission
definition of European Harmonized Standards. Consistently since in OJEU the only standard reported is
the EN 62061 for Machinery we can derive that the regulatory compliance with EN 61508 and EN 61511 is
transferred to national standardization. The result does not change in EU countries such as for instance
Italy where a law (L. 186/68) mandates the compliance with Italian Electrotechnical Committee (CEI) for
electrical and electronic installations, materials, devices, systems. The applicable CEI Norms shall be
used, but the same law does not state any sanction for the violation. EN 61508 and EN 61511 are not
listed in OJEU even for ATEX and Pressure Equipment Directive (PED) applications. Only thanks to the
mention in the harmonized norm EN 764-7 the application of IEC 61508 is stated for safety instrumented
functions protecting unfired pressure equipment falling under PED Directive. IEC states in IEC 61508-1 ed.
2.0 (ratified as EN) Foreword p. 5: "IEC itself does not provide any attestation of conformity. Independent
certification bodies provide conformity assessment services and, in some areas, access to IEC marks of
conformity. IEC is not responsible for any services carried out by independent certification bodies". The
same p. 5 in IEC 61508-1 ed. 1.0 (ratified as EN) states: "The IEC provides no marking procedure to
indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity
with one of its standards". We can infer ten years after the first edition that IEC formalizes the role of the
independent certification bodies and being not responsible of the services carried out by the independent
certification bodies cannot be in any case responsible of declaration of conformity to the standard since
this responsibility is transferred to these third parties without any formal assignment or assignment criteria
stated by IEC. In any case by this statement IEC recognises the role and responsibility of the independent
certification bodies. The provision for (almost) any SIS active device by Mfr. of a compliance certificate
with IEC 61508 issued by an independent certification body has been de facto formalized by IEC after a
decade of practice. The EN 61508 application success without national, local, sector regulatory authorities'
prescriptions can be explained by the convergent interest of SIS device Manufacturers to offer on the
market the same device and for EPC Contractors to reuse SIS engineering with practically no differences

worldwide. Another driving factor being represented by the industrial insurance companies focused on an
effective major accident (large fire, explosion, toxic cloud, environmental impact) risk reduction. The BP
Texas City, Buncefield and BP Horizon accidents showed that huge economic losses, including company
loss of reputation, can derive from insufficient protection layers and the application of IEC 61508 and IEC
61511 could have played a fundamental role in risk reduction. The independent (from IEC) certification
bodies, in particular the German TV Rheinland (the first historically to certify the safety PLCs), TV Nord,
TV Sd, RW TV, are very active in this market area and play an important role in the IEC 61508
standard application.
The issue is that IEC 61508 compliance even if assessed and certified by independent certification bodies
does not have any part in device European Conformity (CE) Mark approval such as for PED and ATEX.
CE Marking demonstrates equipment conformity to Essential Safety Requirements of all the applicable
European Directives for that product. Seveso Directive is out of this virtuous cycle.
2.2 Legislation and IEC 61511
CENELEC ratified the international standard IEC 61511 Parts 1 to 3 as European Norm EN 6151113:2004. The EN 61511-13:2004 have been finally transposed in EU member countries as national
standards (norms) starting from 2004 (e.g. in U.K. as BS EN 61511-13:2004). In Italy the EN 6151113:2004 has been transposed as CEI EN 61511-13:2004 issued in English and French languages as
the original standard.
The same considerations made above for the European Norm EN 61508 applies to EN 61511.
2.3 Legislation and IEC 62061
CENELEC ratified the international standard IEC 62061 as European Norm EN 62061:2005. The EN
62061:2005 have been finally transposed in EU member countries as national standards (norms) starting
from 2005 (e.g. in U.K. as BS EN 62061:2005). In Italy the EN 62061:2005 has been transposed as CEI
EN 62061:2005 issued in Italian and English language as the original standard.
After the publishing in 2010 by CENELEC of the norm EN 62061:2005 + Amending Corrigendum AC:2010
became an harmonised standard under the Directive 2006/42/EC for Machinery and published in OJEU.
Compliance with harmonised standard EN 62061:2005 + Amending Corrigendum AC:2010 provides a
presumption of conformity with the corresponding Machinery Directive Health & Safety essential
requirements related to Safety and reliability of control systems.

3. Current application state of IEC 61508, IEC 61511, IEC 62061

3.1 Certification of Compliance
The current application state of IEC 61508 is massive for the Manufacturers of active SIS devices
including sensors, barriers, relays, solenoid valves, shutdown valves/actuators/positioners. For electric
devices such as electric motor contactors and occasionally electric motors and electric circuit breakers the
situation is unclear characterized by a reduced number of Manufacturers and even a reduced awareness
about the IEC 61508 requirements compliance in terms of safety integrity of electric devices. Since the
middle 90s with a prevailing use of PES as SIS logic solvers compliant with DIN V 19250 AK requirement
classes, the specific measures set forth in the German standard DIN V VDE 0801 were used for PES
design, coding, integration, testing evaluation by independent third parties. The German TV Rheinland
acting as Technical Inspection Authority started to evaluate PES and issue PES certificates of compliance
with German Norms DIN V 19250 and DIN V VDE 0801. This was prodromic to PES Certification of
Compliance with IEC 61508 after the standard coming into force. Other German TVs and other private
organizations extended their certification services to the most of SIS devices.
Being the certification mentioned - see above - in IEC 61508 ed. 2.0, but without execution requirements,
the independent third parties execute all the formal verifications with no or insufficient consistency. The
results of certification are in some cases contradictory such as in the case of BPCS and SIS independency
requirements differently interpreted by the Certification Bodies. Certification Reports and Restrictions to
Use should be part of the Certification, but the absence of unique certification criteria make this very
important documentation less important than the Certificate itself.
The Certification of Compliance with IEC 61511 for the Process Industry sector is complementary to IEC
61508 Certification of SIS devices, and generally applies to SIS implementation and integration activities.
Even if missing any specific requirement in IEC 61511 about Management of Functional Safety (FSM)
certification, currently the SIS FSM certification of the organizations responsible of SIS design and
integration is widely applied.
As far as IEC 62061 is concerned the situation is the same above reported for IEC 61508 with a wide
diffusion of certification of compliance. In addition being harmonised the compliance with EN 62061:2005 +
AC:2010t is binding. The Machinery Directive in Art. 14 p. 1 states: "Member States shall notify the

Commission and the other Member States of the bodies which they have appointed to carry out the
assessment of conformity for placing on the market referred to in Article 12(3) and (4), together with the
specific conformity assessment procedures and categories of machinery for which these bodies have been
appointed and the identification numbers assigned to them beforehand by the Commission. Member
States shall notify the Commission and other Member States of any subsequent amendment".
3.2 Process Hazard and Risk Assessment
Being the most of the current SIS installations provided in the Process Industry, the Process Hazard and
Risk Assessment as primary activity of SIS safety life-cycle shall be executed in accordance with IEC
61511. Being IEC 61511 clause 8 "Process Hazard and Risk Assessment" and clause 9 "Allocation of
safety functions to protection layers" generic, the practice of these phases gives highly inconsistent results.
For MAH process industries HazOp studies are executed to cover hazard and operability issues for normal
and abnormal operations such as start-up, shutdown, emergency shutdown, maintenance operations.
Other studies such as Hazid and What-if are occasionally executed. The HazOp studies are purely
qualitative and in spite of HazOp guidelines such as IEC 61882 and corporate procedures the results
dramatically depend upon several and variable factors, such as HazOp team composition, team expertise,
team leadership capabilities, session scheduling, project execution advancement state, novelty of the
process, language of communication. The HazOp study qualitatively determines process deviations,
causes of deviation, consequences of deviations, safeguards - including the safety instrumented functions
and alarms - already allocated or to be allocated according to the agreed HazOp Actions. The quality of
HazOp and the awareness of the HazOp team on functional safety issues severely affects the subsequent
SIL assignment activity. The missing classification of initiating event likelihood and of severity of
consequences makes the HazOp study useless for SIL assignment study and potentially inconsistent. The
merging of HazOp and SIL study ("extended" HazOp) by the introduction of purely qualitative risk
assessment during the HazOp makes both activities dependant on the same team and same leadership
potentially leading to SIL class over- or under-rating according to team and leader expertise. The IEC
61511 clause 8 and 9 requirements are nominally matched but ineffectively in several application cases.
The same applies to IEC 62061.
3.3 SIL Assignment
The SIF SIL assignment - known also as SIL determination, SIL assessment, SIL review, SIL study, SIL
allocation or even SIL classification since missing the standardized definition of the activity - is executed
worldwide by applying four main methodologies: CRG (Calibrated Risk Graph), LOPA (Layer of Protection
Analysis) , Risk Matrix, "Extended" HazOp. Being Risk Matrix and "Extended" HazOp purely qualitative the
results are inconsistent even with the same SIL assignment team depending on the activity progress state.
CRG and LOPA being semi-quantitative methodologies provide more consistent results but are severely
affected by the SIL Assignment Procedure assigned to the team. The IEC 61511 informative Part 3 does
provides scarce and in some cases contradictory information on these very important methodologies with
a dramatic impact on the results. CRG and LOPA being primarily based on consequence qualitative
determination very often in real application give as result a SIL upgrade or downgrade for the same
hazardous event according to the Corporate Mitigated Target Risk. CRG consistency of results is severely
affected by the W factor definition open to different interpretations, such as for LOPA the enabling events
and conditional modifiers are concerned. A further issue of SIL assignment is represented by the
qualitative evaluation of environmental impact consequences due to deficiency of information and by the
economic impact consequences optionally included being not required by the standard.
3.4 Safety Requirements Specification
The Safety Requirements Specification (SRS) according to IEC 61511 Clause 10 is a mandatory
document or collection of documents to be provided but only occasionally the SRS is as of today provided
to SIS design and engineering team. As part of SRS documents should be provided such as C&EM, SIF
specification inclusive of all the required SIF information and data, SIF individual and concurrent safe
state, allowable spurious trip, override requirements, SIF and SIS downgrading, manual shutdown
requirements, dangerous combinations of SIS output states, abnormal conditions and many others.
3.5 Functional Safety Assessment
IEC 61511-1 sub-clause 5.2.6.1.4 states at least one functional safety assessment (FSA) shall be carried
out to ensure the hazards arising from a process and its associated equipment are properly controlled. The
FSAs actually carried out by independent and expert third parties on SIS before start-up are occasional.
3.6 Management of Functional Safety
The IEC 61511-1 clause 5 states the requirements concerning the Management of Functional Safety
(FSM) associated to SIS safety lifecycle activities. The ISA-TR84.00.04-2005 "Guidelines for the

Implementation of ANSI/ISA-84.00.01-2004 (IEC 61511 Mod)" specifically addresses the FSM by defining
a Roles & Responsibilities Matrix including the experiences and skills required for the disciplines
represented in the R&RM. In spite of importance of a full and efficient FSM implementation, this process is
made difficult due to criminal and civil liabilities associable to accidents potentially having a direct
association to the approval responsibility defined in the FSM R&RM for SIS safety lifecycle activity.

4. Trends
4.1 Current trends
The current trend of IEC 61508 and IEC 61511 application is absolutely satisfactory in the process
industry with the exception of only a few sectors reluctant to any change of the approach to process safety.
The same successful trend applies to machinery sector where the compliance with IEC 62061 starting
from 2011 is full.
4.2 Favourable trends
- EN 61508 and EN 61511 Norms harmonization to Seveso Directive;
- IEC 61508 Certification Bodies notified by EU Authorities;
- IEC 61508 Certification Plan and Activities covered by IEC 61508;
- SIS active components all covered by IEC 61508 Certification;
- IEC 61508 application guidelines issue;
- IEC 61508 derived standards for non-process industry and road tunnels;
- SIS full compliance with IEC 61508 cyber-security requirements
- Safety Manuals and Restrictions to Use to cover the 100% of SIS active and passive components;
- HazOp team and leader competent and expert in functional safety;
- HazOp to fully determine initiating causes and consequences of hazardous events;
- HazOp to fully determine the occurrence of hazardous events in abnormal conditions;
- QRA application to be set up as HazOp action whenever consequences lead to SIL 3;
- Mitigation Risk Targets for Safety and Environment to be set per industry sector;
- Introduction of SIL, EIL, AIL respectively for Safety, Environment and Assets risk mitigation;
- SIL Assignment methodologies (CRG and LOPA) to be fully defined on IEC 61508 and/or IEC 61511-3;
- Independency criteria of DCS alarms, DCS interlocks, DCS permissives to be fully defined on IEC 61511;
- SRS to be fully defined on IEC 61511-1 including I/O channels segregation criteria;
- FSA activities to be fully defined on IEC 61511-2;
- Management of Functional Safety (FSM) to be fully defined on IEC 61511-2;
- Full Variability Language software currently to be executed under IEC 61508-3 requirements to be
defined under EC-61511-1 to avoid misinterpretations and double standard compliance inconsistencies;
- Minimum hardware fault tolerance to be uniquely defined for IEC 61508 and IEC 61511;
- SIL verification methodologies (simplified equations, RBD, FTA) to be fully reported on IEC-61511-3;
- Qualified FMEDA mandatory for the definition of failure rates and SFF for each SIS device;
- Mission time definition mandatory for each SIS device;
- Expert systems risk reduction capability recognition.
In spite of the efforts of four generations of engineers the goal of an accident-free process industry has still
to be reached, but we glimpse a light at the end of tunnel.
References
EN 61508, 2010, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems
IEC, CH
EN 61511, 2003, Functional Safety: Safety Instrumented Systems for the Process Industry
IEC, CH
EN 62061, 2005, Safety of machinery - Functional safety of safety-related electrical, electronic and
programmable electronic control systems
IEC, CH