2.4.2 EN IEC 62061 "Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems"
This standard contains requirements and recommendations for drafting, integrating and validating safety-related electrical, electronic and programmable control systems (SRECS) for machinery, which cannot be carried by hand during the work. In contrast to EN ISO 13849-1, it does not define any requirements for the performance of non-electrical (e.g. hydraulic, pneumatic, electro-mechanical) safety-related control elements for machines. Within the full scope of EN ISO 12100‑1 it is used as an alternative to EN ISO 13849‑1 for specifying the safety-related performance of safety-related electrical control systems that are required for risk reduction. As a sector-specific standard that falls within the scope of IEC 61508 for the application area of machines, EN IEC 62061 incorporates the entire SRECS lifecycle, from the concept phase until taking out of operation. The safety-related capacity is described by the Safety Integrity Level (SIL).
Safety Integrity Level (SILCL) in accordance with EN IEC 62061
| Safety Integrity Level | Probability of a dangerous failure per hour (PFHd) |
|---|---|
| 3 | ≥ 10-8 to < 10-7 |
| 2 | ≥ 10-7 to < 10-6 |
| 1 | ≥ 10-6 to < 10-5 |
Fig. 2.4.3-1: The EN IEC 62061 is used for specifying the safety-related performance (SIL) of safety-related electrical control systems as an alternative to EN ISO 13849 (source: ZVEI Flyer "Safety of machinery").
SIL risk assessment and definition
The informative Annex A of EN IEC 62061 includes an example of a procedure for qualitative risk assessment and definition of the SILCL. This procedure must be implemented for each special hazard, for which an appropriate risk minimization is to be achieved with the help of an SRECS. It is based on the method presented in EN ISO 14121 and is used for evaluating the risk parameters.
| S | Seriousness of the possible harm or injury |
| Fr | Frequency and duration of exposure |
| Pr | Probability of a hazardous event occurring |
| P | Possibility of avoiding or limiting the harm |
For every special hazard, the individual risk parameters are considered and evaluated with a corresponding value according to their features (e.g. seriousness, frequency, probability).
| Seriousness | S | Frequency of exposure | Fr | Probability of occurrence | Pr | Possibility of prevention | P | |||
|---|---|---|---|---|---|---|---|---|---|---|
| Irreversible: death, loss of an eye or arm | 4 | ≤ 1h | 5 | very high | 5 | Impossible | 5 | |||
| Irreversible: broken limbs, loss of a finger | 3 | > 1h to < 1 day | 5 | probable | 4 | rarely | 3 | |||
| Reversible: treatment by a physician required | 2 | > 1 day to < 2 weeks | 4 | possible | 3 | probable | 1 | |||
| Reversible: first aid required | 1 | > 2 weeks to ≤ 1 year | 3 | rarely | 2 | |||||
| > 1 year | 2 | negligible | 1 |
The class of the probability of harm K is calculated by adding the numbers for the frequency of the exposure F, the probability of occurrence W and the possibility of avoidance P (K = F + W + P). The two parameters S and K are then used in a matrix to define the SILCL. The intersection point of line S with the applicable column K shows whether and which need for treatment exists.
| Class of probability of harm (K) | |||||
|---|---|---|---|---|---|
| Seriousness (S) | 3 to 4 | 5 to 7 | 8 to 10 | 11 to 13 | 14 to 15 |
| 4 | SIL 2 | SIL 2 | SIL 2 | SIL 3 | SIL 3 |
| 3 | (AM) | SIL 1 | SIL 2 | SIL 3 | |
| 2 | (AM) | SIL 1 | SIL 2 | ||
| 1 | (AM) | SIL 1 | |||
| Legend | |
|---|---|
| SIL 1, SIL 2, SIL 3 | SIL reference value for the safety-related control function |
| (AM) | Recommendation of application of other measures (AM) |
| - | No need for treatment |
Draft and integration of an SRECS in accordance with EN IEC 62061
The necessity of safety functions as measures for risk minimization emerges on the basis of the risk analysis and risk assessment in accordance with EN ISO 12100-1. Safety functions that are implemented with SRECSs are divided into sub-safety functions to design the system architecture. These virtual sub-safety functions are then assigned real sub-system elements.
These are either finished developed devices, such as sensors, control units, actuators or complex new components to be designed in accordance with the existing specifications in accordance with IEC 61508 and consisting of hardware with embedded software or application software. In accordance with the system design the achieved safety integrity level (SILCL) is determined and verifies whether or not the SIL has been achieved.
Determining the safety integrity level (SILCL) of an SRECS
The achieved SIL is always lower or the same as the lowest value of the SILCLs of one of the sub-systems.
Fig. 2.4.3-2: SRECS architecture consisting of sub-systems and sub-system elements (source: ZVEI Flyer "Safety of machinery")
The sub-systems are described safety-related by the parameters, SILCL, PFHd and T1.
| EN IEC 62061 parameters | Meaning |
|---|---|
| SILCL | SIL claim limit (maximum SIL value) of a sub-system |
| PFHd | Probability of dangerous failure per hour |
| T1 | Lifetime of the sub-system or proof test interval if this value is less than the lifetime. Note: The proof test is used to uncover errors in SRECSs and their sub-systems. |
Sub-systems can consist of various switched sub-system elements (devices) with the following parameters:
| EN IEC 62061 parameters | Meaning |
|---|---|
| λ | Failure rate; with electro-mechanical devices the failure rate is provided by the manufacturer as B10 value with reference to a number of switching cycles. The time-related failure rate and the lifetime must be determined on the basis of the switching frequency for the respective application. |
| SFF | Safe Failure Fraction |
| T2 | Diagnostic test interval |
| ß | Susceptibility to failures as a result of common cause |
| DC | Diagnostic coverage |
A chapter of the standard describes a simplified method for estimating the probability of hazardous hardware failures of sub-systems. 4 different sub-system architectures (A, B, C, D) form the basis here. The corresponding calculation formulas for the probability of a failure to danger of the sub-system (PFHd) are provided for each of these architectures. The PFHd value of the safety-related control system is determined by adding the individual PFHd values of the sub-systems.
Validation
Chapter 8 contains requirements for validating the safety-related electrical control system. With the validation it is ensured by inspection and testing that the design of each safety function meets the corresponding requirements of the specification.
Validity of EN IEC 62061
IEC 62061 was adopted at the end of 2004 and accepted without change as a European standard. EN 62061 has been listed in the Official EU Journal since 31.12.2005 as a standard with presumption of conformity with Machinery Directive 2006/42/EC.
