2.4.2 EN IEC 62061 "Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems"

This standard contains requirements and recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery that is not hand-held while working. In contrast to EN ISO 13849-1, it does not define any requirements for the performance of non-electrical (e.g. hydraulic, pneumatic, electro-mechanical) safety-related control elements for machines. Within the full scope of EN ISO 12100‑1 it is used as an alternative to EN ISO 13849‑1 for specifying the safety-related performance of safety-related electrical control systems that are required for risk reduction. As a sector-specific standard within the scope of IEC 61508 for the application area of machinery, EN IEC 62061 covers the entire SRECS lifecycle, from the concept phase to decommissioning. The safety-related capability is described by the Safety Integrity Level (SIL).

Safety Integrity Level (SILCL) in accordance with EN IEC 62061

Safety Integrity Level    Probability of a dangerous failure per hour (PFHd)
3                         ≥ 10^-8 to < 10^-7
2                         ≥ 10^-7 to < 10^-6
1                         ≥ 10^-6 to < 10^-5
Fig. 2.4.3-1: The EN IEC 62061 is used for specifying the safety-related performance (SIL) of safety-related electrical control systems as an alternative to EN ISO 13849 (source: ZVEI Flyer "Safety of machinery").

SIL risk assessment and definition

The informative Annex A of EN IEC 62061 contains an example of a procedure for qualitative risk assessment and definition of the SILCL. This procedure must be carried out for each individual hazard for which an appropriate risk reduction is to be achieved with the help of an SRECS. It is based on the method presented in EN ISO 14121 and evaluates the following risk parameters:

S    Seriousness of the possible harm or injury
Fr   Frequency and duration of exposure
Pr   Probability of a hazardous event occurring
P    Possibility of avoiding or limiting the harm

For every individual hazard, each risk parameter is considered and assigned a numerical value according to its characteristics (e.g. seriousness, frequency, probability).

Seriousness (S)
  Irreversible: death, loss of an eye or arm        4
  Irreversible: broken limbs, loss of a finger      3
  Reversible: treatment by a physician required     2
  Reversible: first aid required                    1

Frequency of exposure (Fr)
  ≤ 1 h                                             5
  > 1 h to < 1 day                                  5
  > 1 day to < 2 weeks                              4
  > 2 weeks to ≤ 1 year                             3
  > 1 year                                          2

Probability of occurrence (Pr)
  very high                                         5
  probable                                          4
  possible                                          3
  rarely                                            2
  negligible                                        1

Possibility of prevention (P)
  impossible                                        5
  rarely                                            3
  probable                                          1
Table 4.3-1: Classification of risk parameters in accordance with EN IEC 62061

The class of probability of harm K is calculated by adding the values for the frequency of exposure Fr, the probability of occurrence Pr and the possibility of avoidance P (K = Fr + Pr + P). The two parameters S and K are then used in a matrix to define the SILCL. The intersection of row S with the applicable column K shows whether treatment is needed and, if so, which SIL is required.

                   Class of probability of harm (K)
Seriousness (S)    3 to 4    5 to 7    8 to 10    11 to 13    14 to 15
4                  SIL 2     SIL 2     SIL 2      SIL 3       SIL 3
3                  -         (AM)      SIL 1      SIL 2       SIL 3
2                  -         -         (AM)       SIL 1       SIL 2
1                  -         -         -          (AM)        SIL 1

Legend
SIL 1, SIL 2, SIL 3    SIL reference value for the safety-related control function
(AM)                   Recommendation of application of other measures (AM)
-                      No need for treatment
Table 4.3-2: Matrix for defining the SIL (source: EN IEC 62061, Annex A)
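The Annex A procedure above, carried through in code as an added example (not from the standard or the page's source): the risk parameter values of Table 4.3-1 are summed to K and looked up in the matrix of Table 4.3-2. The hazard values in the usage section are constructed for illustration.

```python
# Added example: qualitative SILCL assignment per EN IEC 62061 Annex A as
# reproduced in the tables above. Parameter scores are assumed to have been
# read from Table 4.3-1 by the assessor.

# Column bands of Table 4.3-2 (inclusive ranges of K).
K_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]

# Rows of Table 4.3-2, one entry per K band.
# "-" = no need for treatment, "(AM)" = other measures recommended.
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: ["-",     "(AM)",  "SIL 1", "SIL 2", "SIL 3"],
    2: ["-",     "-",     "(AM)",  "SIL 1", "SIL 2"],
    1: ["-",     "-",     "-",     "(AM)",  "SIL 1"],
}


def harm_class(fr: int, pr: int, p: int) -> int:
    """Class of probability of harm K = Fr + Pr + P, range-checked
    against the values that Table 4.3-1 actually allows."""
    if not (2 <= fr <= 5 and 1 <= pr <= 5 and p in (1, 3, 5)):
        raise ValueError("risk parameter outside Table 4.3-1 values")
    return fr + pr + p


def band_index(k: int) -> int:
    """Index of the matrix column that contains K."""
    for i, (lo, hi) in enumerate(K_BANDS):
        if lo <= k <= hi:
            return i
    raise ValueError(f"K={k} outside matrix range 3..15")


def silcl_required(s: int, fr: int, pr: int, p: int) -> str:
    """SIL reference value (or '(AM)' / '-') for one hazard."""
    if s not in SIL_MATRIX:
        raise ValueError("S must be 1..4")
    return SIL_MATRIX[s][band_index(harm_class(fr, pr, p))]


if __name__ == "__main__":
    # Constructed hazard: irreversible injury (S=4), exposure several times a
    # day (Fr=5), occurrence possible (Pr=3), avoidance rarely possible (P=3),
    # giving K = 11 and therefore SIL 3.
    print(silcl_required(4, 5, 3, 3))
```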

Draft and integration of an SRECS in accordance with EN IEC 62061

The need for safety functions as risk reduction measures follows from the risk analysis and risk assessment in accordance with EN ISO 12100-1. Safety functions that are implemented with SRECSs are broken down into sub-safety functions in order to design the system architecture. These logical sub-safety functions are then assigned to real sub-system elements.

These are either ready-developed devices, such as sensors, control units and actuators, or complex new components that are to be designed in accordance with IEC 61508 and that consist of hardware with embedded software or application software. On the basis of the system design, the achieved safety integrity level (SILCL) is determined and it is verified whether or not the required SIL has been achieved.

Determining the safety integrity level (SILCL) of an SRECS

The achieved SIL of the SRECS is always less than or equal to the lowest SILCL of any of its sub-systems.

Fig. 2.4.3-2: SRECS architecture consisting of sub-systems and sub-system elements (source: ZVEI Flyer "Safety of machinery")

In safety-related terms, the sub-systems are described by the parameters SILCL, PFHd and T1.

EN IEC 62061 parameter    Meaning
SILCL                     SIL claim limit (maximum SIL value) of a sub-system
PFHd                      Probability of dangerous failure per hour
T1                        Lifetime of the sub-system, or proof test interval if this value is less than the lifetime. Note: the proof test is used to uncover faults in SRECSs and their sub-systems.

Sub-systems can consist of several interconnected sub-system elements (devices) with the following parameters:

EN IEC 62061 parameter    Meaning
λ                         Failure rate; for electro-mechanical devices the manufacturer states the failure rate as a B10 value referring to a number of switching cycles. The time-related failure rate and the lifetime must then be derived from the switching frequency of the respective application.
SFF                       Safe Failure Fraction
T2                        Diagnostic test interval
β                         Susceptibility to failures as a result of common cause
DC                        Diagnostic coverage

A chapter of the standard describes a simplified method for estimating the probability of dangerous hardware failures of sub-systems. Four sub-system architectures (A, B, C, D) form the basis for this. A calculation formula for the probability of dangerous failure of the sub-system (PFHd) is provided for each of these architectures. The PFHd value of the safety-related control system is then determined by adding the individual PFHd values of the sub-systems.
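Combining the sub-system figures into the SRECS figures described above, as an added example (not code from the standard or the page's source). The architecture-specific PFHd formulas (A to D) are not reproduced; each sub-system's PFHd is taken as already determined, and the sub-system values used are constructed for illustration.

```python
# Added example: achieved SIL of an SRECS from its sub-systems, using the two
# rules stated on this page: the SRECS PFHd is the sum of the sub-system PFHd
# values, and the achieved SIL cannot exceed the lowest sub-system SILCL.
from dataclasses import dataclass

# SIL bands by PFHd from the table at the start of this section: [lower, upper)
SIL_PFHD_BANDS = [(3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


@dataclass
class SubSystem:
    name: str
    silcl: int     # SIL claim limit of the sub-system
    pfhd: float    # probability of dangerous failure per hour (1/h)


def sil_from_pfhd(pfhd: float):
    """SIL band that a PFHd value falls into, or None outside SIL 1..3."""
    for sil, lo, hi in SIL_PFHD_BANDS:
        if lo <= pfhd < hi:
            return sil
    return None


def srecs_pfhd(subsystems) -> float:
    """PFHd of the whole control system: sum over the sub-systems."""
    return sum(s.pfhd for s in subsystems)


def achieved_sil(subsystems):
    """Achieved SIL, limited by both the summed PFHd and the lowest SILCL."""
    if not subsystems:
        raise ValueError("an SRECS needs at least one sub-system")
    sil_by_pfhd = sil_from_pfhd(srecs_pfhd(subsystems))
    if sil_by_pfhd is None:          # summed PFHd too high for any SIL
        return None
    return min(min(s.silcl for s in subsystems), sil_by_pfhd)


def meets_target(subsystems, target_sil: int) -> bool:
    sil = achieved_sil(subsystems)
    return sil is not None and sil >= target_sil


if __name__ == "__main__":
    # Constructed chain: the actuator's SILCL 2 caps the result at SIL 2 even
    # though the summed PFHd (7e-8) alone would allow SIL 3.
    chain = [SubSystem("sensor", 3, 2.5e-8), SubSystem("logic", 3, 5.0e-9),
             SubSystem("actuator", 2, 4.0e-8)]
    print(srecs_pfhd(chain), achieved_sil(chain), meets_target(chain, 3))
```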

Validation

Chapter 8 contains requirements for validating the safety-related electrical control system. Validation ensures, by inspection and testing, that the design of each safety function meets the corresponding requirements of the specification.

Validity of EN IEC 62061

IEC 62061 was adopted at the end of 2004 and accepted without change as a European standard. EN 62061 has been listed in the Official EU Journal since 31.12.2005 as a standard with presumption of conformity with Machinery Directive 2006/42/EC.