What does PUWER Regulation 18 (Control Systems) Cover?


PUWER Regulation 18 covers Control Systems. The most recent changes were made to the ACOP (Approved Code of Practice) in November 2014.

The Regulation deals with making realistic and practical allowances when choosing or specifying control systems; with not increasing risk when the control system is operating, either directly or indirectly, by impeding the operation of other safety measures; and with not increasing risk if a control system fails or loses its power supply.

This regulation states that every employer shall ensure, so far as is reasonably practicable, that all control systems of work equipment are safe, and are chosen making due allowance for the failures, faults and constraints to be expected in the planned circumstances of use.

Failure of any part of the control system or its power supply should lead to a ‘fail-safe’ condition. Fail-safe can be more correctly and realistically called ‘minimised failure to danger’ where the minimisation can be quantified as a “probability of dangerous failure per hour”, or PFH. This should not impede the operation of the ‘stop’ or ‘emergency stop’ controls. The greater the risk, the more resistant the control system should be to the effects of failure. Bringing a machine to a safe halt may achieve the objective. Halting a chemical process, however, could create further hazards. Care should be taken to fully assess the consequences of such events and provide further protection, for example standby power plant or diverting chemicals to a place of safety. It should always be possible to recover to a safe condition.

Regulation 18 mentions the standards BS EN 60204-1, BS EN ISO 13849-1 and BS EN 62061, which provide guidance on the design of control systems to achieve high levels of performance related to safety. Importantly, though they are aimed at new machinery, they may be used as “state of the art” guidance for existing work equipment.

What is new here is the fact that both functional safety standards, BS EN ISO 13849-1 (first published in 2006) and BS EN 62061 (first published in 2005), are now available; at the time that the previous version of PUWER was released in 1998, both standards were only in preparation. EN 60204-1 was already around in 1998. So what are these standards and when would you apply them?

BS EN 60204-1 is a standard harmonised to The Supply of Machinery (Safety) Regulations and the Low Voltage directive and is titled: "Safety of machinery. Electrical equipment of machines. General requirements". It is intended to cover the electrical safety aspects of machines. This includes safety requirements for electrical, electronic and computer-controlled equipment and systems for machines. It gives specific instructions for the safe maintenance of the point where electrical or electronic equipment connects to the machine i.e. at the main machine isolator connecting the machine to the electrical supply; it refers to machinery that operates with nominal supply voltages below 1,000Vac or 1,500Vdc, or with nominal supply frequencies below 200 Hz.

When it comes to the safety related controls on machines (systems containing safety relays/controllers, interlocked guards, two hand controllers, safety mats, light curtains, emergency stops and the like) there is a choice between BS EN ISO 13849-1 (with part 2 for validation) and BS EN 62061. Which you use will depend upon the application.

BS EN ISO 13849-1 is harmonised to The Supply of Machinery (Safety) Regulations and is titled: "Safety of machinery. Safety-related parts of control systems. General principles for design". It provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. It was developed as the direct replacement for its predecessor EN 954-1 (with its attendant categories B, 1, 2, 3 and 4 for SRP/CS). For these parts of SRP/CS, it specifies characteristics that include the Performance Level (PL a - e) required for carrying out safety functions.

The PL is based upon not only the old categories of EN 954-1 but also parameters including Diagnostic Coverage (DC), failure rates expressed as Mean Time to Dangerous Failure (MTTFd) and steps taken to reduce Common Cause Failures (CCF). These four factors combine via look up tables (such as one found in Annex K1 of the standard) to form a Probability of Dangerous Failure per Hour (PFH), the order of magnitude of which corresponds to a particular Performance Level (e.g. 10⁻⁷ – 10⁻⁸ = PL e). It applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery. It is recommended that EN ISO 13849-1 is used primarily for the design of low complexity SRP/CS.

BS EN 62061 (also harmonised to The Supply of Machinery (Safety) Regulations) is titled: "Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems". It gives best-practice recommendations for the design, integration and validation of safety related electronic control equipment for machines - just like EN ISO 13849-1/-2. Rather than specifying Performance Levels it specifies a range of Safety Integrity Levels (SIL 1 - 3) for carrying out safety functions.

The SIL for a safety related control function comprises the architecture (A, C, B, D which are almost equivalent to categories 1, 2, 3 and 4 of BS EN ISO 13849-1), Hardware Fault Tolerance (HFT), Safe Failure Fraction (SFF), Diagnostic Coverage (DC), steps taken against Common Cause Failure (CCF and a beta-factor), test intervals (T1 and T2) and failure rates (expressed as lambda); when these factors are combined in specific equations the result is a Probability of Dangerous Failure per Hour (PFH), the order of magnitude of which correlates with a particular SIL (e.g. 10⁻⁷ – 10⁻⁸ = SIL 3). It applies to the safety related control functions (SRCF) which are electrical, electronic and programmable electronic only - it cannot be applied to non-electrical/electronic systems, and this is perhaps the key difference in scope between EN ISO 13849-1 and EN 62061.
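As an added illustration (not part of the original article), the Python sketch below combines failure rate, beta-factor and test interval T1 into a PFH for a two-channel subsystem and reads off the SIL and PL band it falls in. It assumes the simplified formula for a redundant subsystem without diagnostics (architecture B) as given in EN 62061; the function names and the input values are constructed for the example and should be checked against the standard before use.

```python
# Added example: PFH of a two-channel subsystem and the PL / SIL band it lands in.
# Assumption: simplified EN 62061 formula for basic subsystem architecture B
# (two redundant channels, no diagnostics). Verify against the standard.

# (exclusive upper bound of PFH per hour, label), best band first.
SIL_BANDS = [(1e-7, "SIL 3"), (1e-6, "SIL 2"), (1e-5, "SIL 1")]
PL_BANDS = [(1e-7, "PL e"), (1e-6, "PL d"), (3e-6, "PL c"),
            (1e-5, "PL b"), (1e-4, "PL a")]


def pfh_architecture_b(lambda_d1, lambda_d2, beta, t1_hours):
    """Dangerous failure rate per hour of two redundant channels.

    lambda_d1, lambda_d2: dangerous failure rates of each channel (per hour)
    beta: common cause failure factor, 0..1
    t1_hours: proof test interval or lifetime, whichever is smaller
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be between 0 and 1")
    if lambda_d1 < 0 or lambda_d2 < 0 or t1_hours <= 0:
        raise ValueError("rates must be >= 0 and T1 must be > 0")
    # Both channels fail independently within the same test interval.
    independent = (1 - beta) ** 2 * lambda_d1 * lambda_d2 * t1_hours
    # One shared cause takes out both channels at once.
    common_cause = beta * (lambda_d1 + lambda_d2) / 2
    return independent + common_cause


def classify(pfh, bands):
    """Return the best band whose upper bound exceeds pfh, or None.

    This checks the PFH band only; both standards impose further limits
    (category, DC, CCF measures, SFF/HFT) before a PL or SIL can be claimed.
    Values below 1e-8 still cap at the top band.
    """
    for upper, label in bands:
        if pfh < upper:
            return label
    return None


if __name__ == "__main__":
    single = 5e-7  # constructed value: one channel on its own
    dual = pfh_architecture_b(5e-7, 5e-7, beta=0.1, t1_hours=87600)
    for name, pfh in (("single channel", single), ("dual channel", dual)):
        print(f"{name}: PFH={pfh:.3e}/h ->",
              classify(pfh, SIL_BANDS), "/", classify(pfh, PL_BANDS))
```

With these inputs the common cause term (5 × 10⁻⁸ per hour) is larger than the independent-failure term, which is why the beta-factor matters as much as the redundancy itself.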

The term SIL comes from a much broader functional safety standard BS EN 61508 which describes in detail the entire lifecycle for managing safety related controls from cradle to grave of any system be it a device, software tool, a petrochemical plant, rail traffic management system and so on; it is so big that sectorial versions exist for particular branches of industry. BS EN 62061 is such a sectorial version. Other sectorial versions include BS EN 61511 for industrial processes (e.g. petrochemical plants) or EN 61513 for nuclear. Hence, in these particular sectors (and others which use SIL), from a Functional Safety Management point of view, it may be attractive to use EN 62061 for machines.

So the reasons for using EN ISO 13849 include the ease of migration from EN 954-1 and its applicability to all systems regardless of source of energy, especially where they’re not complex.
EN 62061 is a more rigorous standard; it lends itself to more complex applications (as long as they do not include non-electrical sources of energy), and it may appeal to those already using SIL-rated systems (for example in the process industries) who are familiar with the BS EN 61508 lifecycle.


Pilz Automation Ltd
Pilz House, Little Colliers Field
Corby, Northants, NN18 8TJ
United Kingdom

Telephone: +44 1536 460766
E-Mail: sales@pilz.co.uk
