Safety of machinery - Functional safety of safety-related control systems

This International Standard specifies requirements and makes recommendations for the design, integration and validation of safety-related control systems (SCS) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner.

This document is a machinery sector specific standard within the framework of IEC 61508 (all parts). The design of complex programmable electronic subsystems or subsystem elements is not within the scope of this document. This is in the scope of IEC 61508 or standards linked to it; see Figure 1.

NOTE 1 Elements such as systems on chip or microcontroller boards are considered complex programmable electronic subsystems.

The main body of this sector standard specifies general requirements for the design and verification of a safety-related control system intended to be used in high/continuous demand mode.

This document:
- is concerned only with functional safety requirements intended to reduce the risk of hazardous situations;
- is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a co-ordinated manner.

NOTE 2 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards. For example, where a machine(s) is part of a process activity, additional information is available in IEC 61511.

This document does not cover:
- electrical hazards arising from the electrical control equipment itself (e.g. electric shock - see IEC 60204-1);
- other safety requirements necessary at the machine level such as safeguarding;
- specific measures for security aspects - see IEC TR 63074.

This document is not intended to limit or inhibit technological advancement. Figure 1 illustrates the scope of this document.

[Figure 1]

Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

Safety of machinery - Functional safety of safety-related control systems

IEC 62061:2021 specifies requirements and makes recommendations for the design, integration and validation of safety-related control systems (SCS) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner. This document is a machinery sector specific standard within the framework of IEC 61508 (all parts). The design of complex programmable electronic subsystems or subsystem elements is not within the scope of this document. These elements are within the scope of IEC 61508 or standards linked to it.

This document:
– is concerned only with functional safety requirements intended to reduce the risk of hazardous situations;
– is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a co-ordinated manner.

This document does not cover:
– electrical hazards arising from the electrical control equipment itself (e.g. electric shock – see IEC 60204-1);
– other safety requirements necessary at the machine level (e.g. safeguarding);
– specific measures for security aspects – see IEC TR 63074.

This document is not intended to limit or inhibit technological advancement. IEC 62061:2021 cancels and replaces the first edition published in 2005, Amendment 1:2012 and Amendment 2:2015. This edition constitutes a technical revision.

This edition includes the following significant technical changes with respect to the previous edition:
– the structure has been changed and the content updated to reflect the design process of the safety function;
– the standard has been extended to non-electrical technologies;
– definitions updated to align with IEC 61508-4;
– functional safety plan introduced and configuration management updated (Clause 4);
– requirements on parameterization extended (Clause 6);
– reference to security requirements added (6.8);
– requirements on periodic testing added (6.9);
– various improvements and clarifications on architectures and reliability calculations (Clause 6 and Clause 7);
– change from "SILCL" to "maximum SIL" of a subsystem (Clause 7);
– use cases for software described, including requirements (Clause 8);
– requirements on independence of software verification (Clause 8) and validation (Clause 9) activities added;
– new informative annex with examples (Annex G);
– new informative annexes on MTTFD values, diagnostics and calculation methods for architectures (Annex C, Annex D and Annex H).

Safety of machinery - Functional safety of safety-related control systems

General Information

Status: Not Published
Current Stage: 5099 - Project ratified - Proceed to publication phase
Due Date: 26-Apr-2021
Completion Date: 26-Apr-2021


Buy Standard

Draft: prEN IEC 62061:2019 - BARVE (English language, 141 pages)

Standards Content (sample)

SLOVENIAN STANDARD
oSIST prEN IEC 62061:2019
1 July 2019
Safety of machinery - Functional safety of safety-related control systems
This Slovenian standard is identical to: prEN IEC 62061
ICS:
13.110 Safety of machinery
25.040.40 Industrial process measurement and control
oSIST prEN IEC 62061:2019 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

44/847/CDV
COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER:
IEC 62061 ED2
DATE OF CIRCULATION: 2019-04-26
CLOSING DATE FOR VOTING: 2019-07-19
SUPERSEDES DOCUMENTS:
44/827/CD, 44/844A/CC
IEC TC 44 : SAFETY OF MACHINERY - ELECTROTECHNICAL ASPECTS
SECRETARIAT: United Kingdom
SECRETARY: Mrs Nyomee Hla-Shwe Tun
OF INTEREST TO THE FOLLOWING COMMITTEES: Other TC/SCs are requested to indicate their interest, if any, in this CDV to the secretary.
PROPOSED HORIZONTAL STANDARD:
FUNCTIONS CONCERNED:
EMC ENVIRONMENT QUALITY ASSURANCE SAFETY

SUBMITTED FOR CENELEC PARALLEL VOTING

Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC, is drawn to the fact that this Committee Draft for Vote (CDV) is submitted for parallel voting. The CENELEC members are invited to vote through the CENELEC online voting system.

This document is still under study and subject to change. It should not be used for reference purposes.

Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
TITLE:
Safety of machinery – Functional safety of safety-related control systems
PROPOSED STABILITY DATE: 2024
NOTE FROM TC/SC OFFICERS:

Copyright © 2019 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions. You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without permission in writing from IEC.
– 2 – IEC CDV 62061 © IEC 2019
CONTENTS

FOREWORD ........................................................................................................................... 9

INTRODUCTION ................................................................................................................... 12

1 Scope ............................................................................................................................ 13

2 Normative references .................................................................................................... 14

3 Terms, definitions and abbreviations ............................................................................. 15

3.1 Alphabetical list of definitions ................................................................................ 15

3.2 Terms and definitions............................................................................................ 17

3.3 Abbreviations ........................................................................................................ 28

4 Design process of an SCS and management of functional safety ................................... 29

4.1 Objective .............................................................................................................. 29

4.2 Design process ..................................................................................................... 29

4.3 Management of functional safety using a functional safety plan ............................ 31

4.4 Configuration management ................................................................................... 32

4.5 Modification .......................................................................................................... 33

5 Specification of a safety function ................................................................................... 33

5.1 Objective .............................................................................................................. 33

5.2 Safety Requirements Specification (SRS) ............................................................. 33

5.2.1 Information to be available............................................................................. 34

5.2.2 Functional requirements specification ............................................................ 34

5.2.3 Safety integrity requirements specification ..................................................... 35

6 Design of an SCS .......................................................................................................... 35

6.1 General ................................................................................................................. 35

6.2 Subsystem architecture based on top down decomposition ................................... 36

6.3 Basic methodology – Use of subsystem ................................................................ 36

6.3.1 General ......................................................................................................... 36

6.3.2 SCS architecture design based on subsystems .............................................. 36

6.3.3 Sub-function allocation .................................................................................. 38

6.3.4 Use of a pre-designed subsystem .................................................................. 38

6.4 Determination of safety integrity of the SCS .......................................................... 38

6.4.1 General ......................................................................................................... 38

6.4.2 Average frequency of dangerous failures ....................................................... 39

6.5 Requirements for systematic safety integrity of the SCS ....................................... 39

6.5.1 Requirements for the avoidance of systematic hardware failures ................... 39

6.5.2 Requirements for the control of systematic faults ........................................... 40

6.6 Electromagnetic immunity ..................................................................................... 41

6.7 Software based manual parameterization .............................................................. 41

6.7.1 General ......................................................................................................... 41

6.7.2 Influences on safety-related parameters ........................................................ 41

6.7.3 Requirements for software based manual parameterization ........................... 42

6.7.4 Verification of the parameterization tool ......................................................... 43

6.7.5 Performance of software based manual parameterization .............................. 43

6.8 Security aspects ................................................................................................... 43

6.9 Aspects of periodic testing .................................................................................... 44

6.9.1 General principle ........................................................................................... 44


6.9.2 Proof test ....................................................................................................... 44

7 Design and development of a subsystem ....................................................................... 45

7.1 General ................................................................................................................. 45

7.2 Subsystem architecture design ............................................................................. 46

7.3 Requirements for the selection and design of subsystem and subsystem elements .................. 46

7.3.1 General ......................................................................................................... 46

7.3.2 Systematic integrity ....................................................................................... 46

7.3.3 Fault consideration and fault exclusion .......................................................... 49

7.3.4 Failure rate of subsystem element ................................................................. 50

7.4 Architectural constraints of a subsystem ............................................................... 52

7.4.1 General ......................................................................................................... 52

7.4.2 Estimation of safe failure fraction (SFF) ......................................................... 53

7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem ....................... 54

7.4.4 Realization of diagnostic functions ................................................................. 55

7.5 Subsystem design architectures ............................................................................ 56

7.5.1 General ......................................................................................................... 56

7.5.2 Basic subsystem architectures ....................................................................... 56

7.5.3 Basic requirements ........................................................................................ 57

7.6 Probability of dangerous random hardware failures of subsystems ........................ 58

7.6.1 General ......................................................................................................... 58

7.6.2 Methods to estimate the PFH of a subsystem ................................................ 58

7.6.3 Methods to estimate the PFDavg of a subsystem ............................................ 58

7.6.4 Simplified approach to estimation of contribution of common cause failure (CCF) .......... 58

8 Software ........................................................................................................................ 59

8.1 General ................................................................................................................. 59

8.2 Definition of Software Levels................................................................................. 59

8.3 Software Level 1 ................................................................................................... 60

8.3.1 Software safety lifecycle SW Level 1 ............................................................. 60

8.3.2 Software Design SW Level 1 ......................................................................... 61

8.3.3 Module design SW Level 1 ............................................................................ 63

8.3.4 Coding SW Level 1 ........................................................................................ 64

8.3.5 Module test SW Level 1 ................................................................................. 64

8.3.6 Software testing SW Level 1 .......................................................................... 64

8.3.7 Documentation SW Level 1 ............................................................................ 65

8.3.8 Configuration and modification management process SW Level 1 .................. 65

8.4 Software Level 3 ................................................................................................... 66

8.4.1 Software safety lifecycle SW Level 3 ............................................................. 66

8.4.2 Software Design SW Level 3 ......................................................................... 68

8.4.3 Software system design SW Level 3 .............................................................. 69

8.4.4 Module design SW Level 3 ............................................................................ 70

8.4.5 Coding SW Level 3 ........................................................................................ 70

8.4.6 Module test SW Level 3 ................................................................................. 71

8.4.7 Software integration testing SW Level 3 ........................................................ 71

8.4.8 Software testing SW Level 3 .......................................................................... 71

8.4.9 Documentation SW Level 3 ............................................................................ 73

8.4.10 Configuration and modification management process SW Level 3 .................. 73

9 Validation ...................................................................................................................... 73


9.1 Validation principles .............................................................................................. 73

9.1.1 Validation plan ............................................................................................... 77

9.1.2 Use of generic fault lists ................................................................................ 77

9.1.3 Specific fault lists .......................................................................................... 78

9.1.4 Information for validation ............................................................................... 78

9.1.5 Validation record ........................................................................................... 79

9.2 Analysis as part of validation ................................................................................ 79

9.2.1 General ......................................................................................................... 79

9.2.2 Analysis techniques ....................................................................................... 79

9.2.3 Verification of safety requirements specification for safety functions .............. 79

9.3 Testing as part of validation .................................................................................. 80

9.3.1 General ......................................................................................................... 80

9.3.2 Measurement accuracy .................................................................................. 80

9.3.3 More stringent requirements .......................................................................... 81

9.3.4 Number of test samples ................................................................................. 81

9.4 Validation of the safety function ............................................................................ 81

9.4.1 General ......................................................................................................... 81

9.4.2 Analysis and testing....................................................................................... 82

9.5 Validation of the safety integrity of the SCS .......................................................... 82

9.5.1 Validation of subsystem(s) ............................................................................. 82

9.5.2 Validation of measures against systematic failures ........................................ 82

9.5.3 Validation of safety-related software .............................................................. 83

9.5.4 Validation of combination of subsystems ....................................................... 83

9.5.5 Verification of safety integrity......................................................................... 84

10 Documentation .............................................................................................................. 84

10.1 General ................................................................................................................. 84

10.2 Technical documentation ...................................................................................... 84

10.3 Information for use of the SCS .............................................................................. 85

10.3.1 General ......................................................................................................... 85

10.3.2 Information for use given by the manufacturer of subsystems ........................ 86

10.3.3 Information for use given by the SCS integrator ............................................. 86

Annex A (informative) Determination of required safety integrity ......................................... 88

A.1 General ................................................................................................................. 88

A.2 Matrix assignment for the required SIL .................................................................. 88

A.2.1 Hazard identification/indication ...................................................................... 88

A.2.2 Risk estimation .............................................................................................. 88

A.2.3 Severity (Se) ................................................................................................. 89

A.2.4 Probability of occurrence of harm .................................................................. 89

A.2.5 Class of probability of harm (Cl) .................................................................... 92

A.2.6 SIL assignment .............................................................................................. 92

A.3 Overlapping hazards ............................................................................................. 94

Annex B (informative) Example of SCS design methodology ............................................... 95

B.1 General ................................................................................................................. 95

B.2 Safety requirements specification ......................................................................... 95

B.3 Decomposition of the safety function ..................................................................... 95

B.4 Design of the SCS by using subsystems ............................................................... 97

B.4.1 General ......................................................................................................... 97

B.4.2 Subsystem 1 design – “guard door monitoring” .............................................. 97


B.4.3 Subsystem 2 design – “evaluation logic” ........................................................ 99

B.4.4 Subsystem 3 design – “motor control” ............................................................ 99

B.4.5 Evaluation of the SCS .................................................................................... 99

B.5 Verification ......................................................................................................... 100

B.5.1 Analysis ....................................................................................................... 100

B.5.2 Tests ........................................................................................................... 100

Annex C (informative) Examples of MTTF values for single components ......................... 101

C.1 General ............................................................................................................... 101

C.2 Good engineering practices method .................................................................... 101

C.3 Hydraulic components ......................................................................................... 101

C.4 MTTF of pneumatic, mechanical and electromechanical components ................ 101

Annex D (normative) Low demand requirements ................................................................ 103

D.1 General ............................................................................................................... 103

D.2 Normative references .......................................................................................... 103

D.3 Terms and definitions.......................................................................................... 103

D.4 Design process of an SCS and management of functional safety ........................ 103

D.5 Specification of a safety function ......................................................................... 103

D.6 Design of an SCS ............................................................................................... 104

D.7 Design and development of subsystem ............................................................... 105

D.8 Software ............................................................................................................. 106

D.9 Validation............................................................................................................ 106

D.10 Documentation .................................................................................................... 106

Annex E (informative) Examples for diagnostic coverage (DC) .......................................... 107

Annex F (informative) Methodology for the estimation of susceptibility to common cause failures (CCF) .......... 109

F.1 General ............................................................................................................... 109

F.2 Methodology ....................................................................................................... 109

F.2.1 Requirements for CCF ................................................................................. 109

F.2.2 Estimation of effect of CCF .......................................................................... 109

Annex G (informative) Guideline for Software level 1 ........................................................ 111

G.1 Software safety requirements .............................................................................. 111

G.2 Coding guidelines ............................................................................................... 112

G.3 Specification of safety functions .......................................................................... 112

G.4 Specification of hardware design ........................................................................ 114

G.5 Software system design specification .................................................................. 115

G.6 Protocols ............................................................................................................ 118

Annex H (informative) ((void)) ........................................................................................... 120

Annex I (informative) Examples of safety functions ........................................................... 121

I.1 Examples of safety functions .............................................................................. 121

I.2 Example of low demand function ......................................................................... 122

Annex J (informative) ((void)) ............................................................................................ 126

Annex K (informative) Simplified approaches to evaluate the PFH value of a subsystem .......... 127

K.1 Table allocation approach ................................................................................... 127

K.2 Simplified Formulas for the estimation of PFH ..................................................... 129

K.2.1 General ....................................................................................................... 129

K.2.2 Basic subsystem architecture A: single channel without a diagnostic function .......... 129

K.2.3 Basic subsystem architecture B: dual channel without a diagnostic function .......... 130

K.2.4 Basic subsystem architecture C: single channel with a diagnostic function .......... 130

K.2.5 Basic subsystem architecture D: dual channel with a diagnostic function(s) .......... 135

K.3 Parts count method ............................................................................................. 135

Annex L ((void)) .................................................................................................................. 137

Annex M (informative) The functional safety plan and design activities ............................. 138

M.1 General ............................................................................................................... 138

M.2 Example of a machine design plan including a safety plan .................................. 138

M.3 Example of activities, documents and roles ......................................................... 138

Bibliography ........................................................................................................................ 141

Figure 1 - Relationship of this standard to other standards ................................................... 14

Figure 2 – Integration within the risk reduction process of ISO 12100 (excerpt) .................... 29

Figure 3 – Iterative process for design of the safety-related control system .......................... 30

Figure 4 – Examples of combination of subsystems as one SCS ........................................... 31

Figure 5 – Examples of typical decomposition of a safety function into sub-functions and its allocation to subsystems .......... 37

Figure 6 – Example of safety integrity of a safety function based on allocated subsystems as one SCS .......... 38

Figure 7 – Subsystem A logical representation ..................................................................... 56

Figure 8 – Subsystem B logical representation ..................................................................... 57

Figure 9 – Subsystem C logical representation ..................................................................... 57

Figure 10 – Subsystem D logical representation ................................................................... 57

Figure 11 – V-model for SW level 1....................................................................................... 60

Figure 12 – V-model for software modules customized by the designer for SW level 1 .......... 60

Figure 13 – V-model of software safety lifecycle for SW Level 3 ........................................... 66

Figure 14 – Overview of the validation process ..................................................................... 76

Figure A.1 - Parameters used in risk estimation .................................................................... 88

Figure A.2 – Example proforma for SIL assignment process ................................................. 93

Figure B.1 – Decomposition of the safety function ................................................................ 96

Figure B.2 – Overview of design of the subsystems of the SCS ............................................ 97

Figure D.1 – Example of safety integrity of a safety function based on allocated subsystems as one SCS .......... 104

Figure G.1 – Plant sketch ................................................................................................... 113

Figure G.2 – Principal module architecture design .............................................................. 116

Figure G.3 – Principal design approach of logical evaluation .............................................. 117

Figure G.4 – Example of logical representation (program sketch)........................................ 118

Figure I.1 – Relationship between demand of a safety function, failure and trip limit in a safety function .......... 123

Figure I.2 - Typical configuration of a gas turbine ............................................................... 124

Figure K.1 - Subsystem A logical representation. ................................................................ 129

Figure K.2 - Subsystem B logical representation ................................................................. 130

Figure K.3 – Subsystem C logical representation ................................................................ 130

