Safety of machinery - Functional safety of safety-related control systems

IEC 62061:2021 specifies requirements and makes recommendations for the design, integration and validation of safety-related control systems (SCS) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner.
This document is a machinery sector specific standard within the framework of IEC 61508 (all parts).
The design of complex programmable electronic subsystems or subsystem elements is not within the scope of this document.
The main body of this sector standard specifies general requirements for the design and verification of a safety-related control system intended to be used in high/continuous demand mode.
This document:
– is concerned only with functional safety requirements intended to reduce the risk of hazardous situations;
– is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a co-ordinated manner;
This document does not cover
– electrical hazards arising from the electrical control equipment itself (e.g. electric shock – see IEC 60204-1);
– other safety requirements necessary at the machine level such as safeguarding;
– specific measures for security aspects – see IEC TR 63074.
This document is not intended to limit or inhibit technological advancement.
IEC 62061:2021 cancels and replaces the first edition, published in 2005, Amendment 1:2012 and Amendment 2:2015. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
– structure has been changed and contents have been updated to reflect the design process of the safety function,
– standard extended to non-electrical technologies,
– definitions updated to be aligned with IEC 61508-4,
– functional safety plan introduced and configuration management updated (Clause 4),
– requirements on parametrization expanded (Clause 6),
– reference to requirements on security added (Subclause 6.8),
– requirements on periodic testing added (Subclause 6.9),
– various improvements and clarification on architectures and reliability calculations (Clause 6 and Clause 7),
– shift from "SILCL" to "maximum SIL" of a subsystem (Clause 7),
– use cases for software described including requirements (Clause 8),
– requirements on independence for software verification (Clause 8) and validation activities (Clause 9) added,
– new informative annex with examples (Annex G),
– new informative annexes on typical MTTFD values, diagnostics and calculation methods for the architectures (Annex C, Annex D and Annex H).

Safety of machinery - Functional safety of safety-related control systems

IEC 62061:2021 specifies requirements and gives recommendations for the design, integration and validation of safety-related control systems (SCS) for machines. It applies to control systems used, separately or in combination, to perform safety functions on machines that are not portable by hand while in operation, including a group of machines working together in a coordinated manner.
This document is specific to the machinery sector within the framework of IEC 61508 (all parts).
The design of complex programmable electronic subsystems or subsystem elements is not within the scope of this document. Such elements fall within the scope of IEC 61508 or of standards associated with it.
This document:
– is concerned only with the functional safety requirements intended to reduce the risk of hazardous situations;
– is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a coordinated manner;
This document does not cover
– electrical hazards arising from the electrical control equipment itself (e.g. electric shock – see IEC 60204-1);
– other safety requirements necessary at the machine level (for example, safeguarding by guards);
– specific measures for security aspects – see IEC TR 63074.
This document is not intended to limit or inhibit technological progress.
IEC 62061:2021 cancels and replaces the first edition, published in 2005, Amendment 1:2012 and Amendment 2:2015. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
– the structure has been changed and the content updated to reflect the design process of the safety function,
– the standard has been extended to non-electrical technologies,
– definitions updated to be aligned with IEC 61508-4,
– functional safety plan introduced and configuration management updated (Clause 4),
– requirements on parameterization expanded (Clause 6),
– reference to requirements on security added (Subclause 6.8),
– requirements on periodic testing added (Subclause 6.9),
– various improvements and clarifications on architectures and reliability calculations (Clause 6 and Clause 7),
– shift from "SILCL" to "maximum SIL" of a subsystem (Clause 7),
– use cases for software described, including requirements (Clause 8),
– requirements on independence of software verification (Clause 8) and validation (Clause 9) activities added,
– new informative annex with examples (Annex G),
– new informative annexes on MTTFD values, diagnostics and calculation methods for the architectures (Annex C, Annex D and Annex H).

General Information

Status
Published
Publication Date
21-Mar-2021
Current Stage
PPUB - Publication issued
Completion Date
22-Mar-2021

Buy Standard

Standard
IEC 62061:2021 - Safety of machinery - Functional safety of safety-related control systems
English and French language
304 pages

Standards Content (sample)

IEC 62061
Edition 2.0 2021-03
INTERNATIONAL STANDARD / NORME INTERNATIONALE
Safety of machinery – Functional safety of safety-related control systems
Sécurité des machines – Sécurité fonctionnelle des systèmes de commande relatifs à la sécurité
IEC 62061:2021-03(en-fr)
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2021 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.
IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, as a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC online collection - oc.iec.ch
Discover our powerful search engine and read freely all the publication previews. With a subscription you will always have access to up to date content tailored to your needs.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary on electrotechnology, containing more than 22 000 terminological entries in English and French, with equivalent terms in 18 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: sales@iec.ch.
ICS 13.110; 25.040.99; 29.020
ISBN 978-2-8322-9333-1
– 2 – IEC 62061:2021 © IEC 2021
CONTENTS

FOREWORD ........................................................................................................................... 8

INTRODUCTION ................................................................................................................... 10

1 Scope ............................................................................................................................ 11

2 Normative references .................................................................................................... 12

3 Terms, definitions and abbreviations ............................................................................. 13

3.1 Alphabetical list of definitions ................................................................................ 13

3.2 Terms and definitions ............................................................................................ 15

3.3 Abbreviations ........................................................................................................ 28

4 Design process of an SCS and management of functional safety ................................... 28

4.1 Objective .............................................................................................................. 28

4.2 Design process ..................................................................................................... 29

4.3 Management of functional safety using a functional safety plan ............................ 31

4.4 Configuration management ................................................................................... 33

4.5 Modification .......................................................................................................... 33

5 Specification of a safety function ................................................................................... 34

5.1 Objective .............................................................................................................. 34

5.2 Safety requirements specification (SRS) ............................................................... 34

5.2.1 General ......................................................................................................... 34

5.2.2 Information to be available ............................................................................. 34

5.2.3 Functional requirements specification ............................................................ 35

5.2.4 Estimation of demand mode of operation ....................................................... 35

5.2.5 Safety integrity requirements specification ..................................................... 36

6 Design of an SCS .......................................................................................................... 37

6.1 General ................................................................................................................. 37

6.2 Subsystem architecture based on top down decomposition ................................... 37

6.3 Basic methodology – Use of subsystem ................................................................ 37

6.3.1 General ......................................................................................................... 37

6.3.2 SCS decomposition ....................................................................................... 38

6.3.3 Sub-function allocation .................................................................................. 39

6.3.4 Use of a pre-designed subsystem .................................................................. 39

6.4 Determination of safety integrity of the SCS .......................................................... 40

6.4.1 General ......................................................................................................... 40

6.4.2 PFH ............................................................................................................... 40

6.5 Requirements for systematic safety integrity of the SCS ....................................... 41

6.5.1 Requirements for the avoidance of systematic hardware failures ................... 41

6.5.2 Requirements for the control of systematic faults ........................................... 42

6.6 Electromagnetic immunity ..................................................................................... 43

6.7 Software based manual parameterization .............................................................. 43

6.7.1 General ......................................................................................................... 43

6.7.2 Influences on safety-related parameters ........................................................ 43

6.7.3 Requirements for software based manual parameterization ........................... 44

6.7.4 Verification of the parameterization tool ......................................................... 45

6.7.5 Performance of software based manual parameterization .............................. 45

6.8 Security aspects ................................................................................................... 45

6.9 Aspects of periodic testing .................................................................................... 46

7 Design and development of a subsystem ....................................................................... 46

---------------------- Page: 4 ----------------------
IEC 62061:2021  IEC 2021 – 3 –

7.1 General ................................................................................................................. 46

7.2 Subsystem architecture design ............................................................................. 47

7.3 Requirements for the selection and design of subsystem and subsystem

elements ............................................................................................................... 48

7.3.1 General ......................................................................................................... 48

7.3.2 Systematic integrity ....................................................................................... 48

7.3.3 Fault consideration and fault exclusion .......................................................... 51

7.3.4 Failure rate of subsystem element ................................................................. 52

7.4 Architectural constraints of a subsystem ............................................................... 55

7.4.1 General ......................................................................................................... 55

7.4.2 Estimation of safe failure fraction (SFF) ......................................................... 56

7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem ....................... 57

7.4.4 Realization of diagnostic functions ................................................................. 58

7.5 Subsystem design architectures ............................................................................ 59

7.5.1 General ......................................................................................................... 59

7.5.2 Basic subsystem architectures ....................................................................... 59

7.5.3 Basic requirements ........................................................................................ 61

7.6 PFH of subsystems ............................................................................................... 62

7.6.1 General ......................................................................................................... 62

7.6.2 Methods to estimate the PFH of a subsystem ................................................ 62

7.6.3 Simplified approach to estimation of contribution of common cause

failure (CCF) .................................................................................................. 62

8 Software ........................................................................................................................ 62

8.1 General ................................................................................................................. 62

8.2 Definition of software levels .................................................................................. 63

8.3 Software – Level 1 ................................................................................................ 64

8.3.1 Software safety lifecycle – SW level 1 ........................................................... 64

8.3.2 Software design – SW level 1 ........................................................................ 65

8.3.3 Module design – SW level 1 ........................................................................... 67

8.3.4 Coding – SW level 1 ...................................................................................... 67

8.3.5 Module test – SW level 1 ............................................................................... 68

8.3.6 Software testing – SW level 1 ........................................................................ 68

8.3.7 Documentation – SW level 1 .......................................................................... 69

8.3.8 Configuration and modification management process – SW level 1 ................ 69

8.4 Software level 2 .................................................................................................... 70

8.4.1 Software safety lifecycle – SW level 2 ........................................................... 70

8.4.2 Software design – SW level 2 ........................................................................ 71

8.4.3 Software system design – SW level 2 ............................................................ 73

8.4.4 Module design – SW level 2 ........................................................................... 73

8.4.5 Coding – SW level 2 ...................................................................................... 74

8.4.6 Module test – SW level 2 ............................................................................... 75

8.4.7 Software integration testing SW level 2 .......................................................... 75

8.4.8 Software testing SW level 2 ........................................................................... 75

8.4.9 Documentation – SW level 2 .......................................................................... 76

8.4.10 Configuration and modification management process – SW level 2 ................ 77

9 Validation ...................................................................................................................... 77

9.1 Validation principles .............................................................................................. 77

9.1.1 Validation plan ............................................................................................... 80

9.1.2 Use of generic fault lists ................................................................................ 80

---------------------- Page: 5 ----------------------
– 4 – IEC 62061:2021  IEC 2021

9.1.3 Specific fault lists .......................................................................................... 80

9.1.4 Information for validation ............................................................................... 81

9.1.5 Validation record ........................................................................................... 81

9.2 Analysis as part of validation ................................................................................ 82

9.2.1 General ......................................................................................................... 82

9.2.2 Analysis techniques ....................................................................................... 82

9.2.3 Verification of safety requirements specification (SRS) .................................. 82

9.3 Testing as part of validation .................................................................................. 83

9.3.1 General ......................................................................................................... 83

9.3.2 Measurement accuracy .................................................................................. 83

9.3.3 More stringent requirements .......................................................................... 84

9.3.4 Test samples ................................................................................................. 84

9.4 Validation of the safety function ............................................................................ 84

9.4.1 General ......................................................................................................... 84

9.4.2 Analysis and testing ....................................................................................... 85

9.5 Validation of the safety integrity of the SCS .......................................................... 85

9.5.1 General ......................................................................................................... 85

9.5.2 Validation of subsystem(s) ............................................................................. 85

9.5.3 Validation of measures against systematic failures ........................................ 86

9.5.4 Validation of safety-related software .............................................................. 86

9.5.5 Validation of combination of subsystems ....................................................... 87

10 Documentation .............................................................................................................. 87

10.1 General ................................................................................................................. 87

10.2 Technical documentation ...................................................................................... 87

10.3 Information for use of the SCS .............................................................................. 89

10.3.1 General ......................................................................................................... 89

10.3.2 Information for use given by the manufacturer of subsystems ........................ 89

10.3.3 Information for use given by the SCS integrator ............................................. 90

Annex A (informative) Determination of required safety integrity .......................................... 92

A.1 General ................................................................................................................. 92

A.2 Matrix assignment for the required SIL .................................................................. 92

A.2.1 Hazard identification/indication ...................................................................... 92

A.2.2 Risk estimation .............................................................................................. 92

A.2.3 Severity (Se) ................................................................................................. 93

A.2.4 Probability of occurrence of harm .................................................................. 93

A.2.5 Class of probability of harm (Cl)..................................................................... 96

A.2.6 SIL assignment .............................................................................................. 96

A.3 Overlapping hazards ............................................................................................. 98

Annex B (informative) Example of SCS design methodology ................................................ 99

B.1 General ................................................................................................................. 99

B.2 Safety requirements specification ......................................................................... 99

B.3 Decomposition of the safety function ..................................................................... 99

B.4 Design of the SCS by using subsystems ............................................................. 100

B.4.1 General ....................................................................................................... 100

B.4.2 Subsystem 1 design – “guard door monitoring” ............................................ 100

B.4.3 Subsystem 2 design – “evaluation logic” ...................................................... 102

B.4.4 Subsystem 3 design – “motor control” .......................................................... 103

B.4.5 Evaluation of the SCS .................................................................................. 103

B.4.6 PFH ............................................................................................................. 104

---------------------- Page: 6 ----------------------
IEC 62061:2021  IEC 2021 – 5 –

B.5 Verification.......................................................................................................... 104

B.5.1 General ....................................................................................................... 104

B.5.2 Analysis ....................................................................................................... 104

B.5.3 Tests ........................................................................................................... 105

Annex C (informative) Examples of MTTFD values for single components .......................... 106

C.1 General ............................................................................................................... 106

C.2 Good engineering practices method .................................................................... 106

C.3 Hydraulic components ......................................................................................... 106

C.4 MTTF of pneumatic, mechanical and electromechanical components ................ 107

Annex D (informative) Examples for diagnostic coverage (DC) ........................................... 109

Annex E (informative) Methodology for the estimation of susceptibility to common

cause failures (CCF) .................................................................................................... 111

E.1 General ............................................................................................................... 111

E.2 Methodology ....................................................................................................... 111

E.2.1 Requirements for CCF ................................................................................. 111

E.2.2 Estimation of effect of CCF .......................................................................... 111

Annex F (informative) Guideline for software level 1 .......................................................... 114

F.1 Software safety requirements .............................................................................. 114

F.2 Coding guidelines ............................................................................................... 115

F.3 Specification of safety functions .......................................................................... 116

F.4 Specification of hardware design ........................................................................ 117

F.5 Software system design specification .................................................................. 119

F.6 Protocols ............................................................................................................ 121

Annex G (informative) Examples of safety functions........................................................... 124

Annex H (informative) Simplified approaches to evaluate the PFH value of a

subsystem ................................................................................................................... 125

H.1 Table allocation approach ................................................................................... 125

H.2 Simplified formulas for the estimation of PFH ...................................................... 127

H.2.1 General ....................................................................................................... 127

H.2.2 Basic subsystem architecture A: single channel without a diagnostic function ....................................................................................................... 127

H.2.3 Basic subsystem architecture B: dual channel without a diagnostic function ....................................................................................................... 128

H.2.4 Basic subsystem architecture C: single channel with a diagnostic function ....................................................................................................... 128

H.2.5 Basic subsystem architecture D: dual channel with a diagnostic function(s) ................................................................................................... 133

H.3 Parts count method ............................................................................................. 134

Annex I (informative) The functional safety plan and design activities ................................ 135

I.1 General ............................................................................................................... 135

I.2 Example of a machine design plan including a safety plan .................................. 135

I.3 Example of activities, documents and roles ......................................................... 135

Annex J (informative) Independence for reviews and testing/verification/validation activities ...................................................................................................................... 138

J.1 Software design .................................................................................................. 138

J.2 Validation ............................................................................................................ 138

Bibliography ........................................................................................................................ 140

Figure 1 – Scope of this document ........................................................................................ 12

– 6 – IEC 62061:2021 © IEC 2021

Figure 2 – Integration within the risk reduction process of ISO 12100 (extract) ..................... 29

Figure 3 – Iterative process for design of the safety-related control system .......................... 30

Figure 4 – Example of a combination of subsystems as one SCS .......................................... 31

Figure 5 – By activating a low demand safety function at least once per year it can be assumed to be high demand ................................................................................................. 36

Figure 6 – Examples of typical decomposition of a safety function into sub-functions and its allocation to subsystems ........................................................................................... 39

Figure 7 – Example of safety integrity of a safety function based on allocated subsystems as one SCS ....................................................................................................... 40

Figure 8 – Subsystem A logical representation ..................................................................... 60

Figure 9 – Subsystem B logical representation ..................................................................... 60

Figure 10 – Subsystem C logical representation ................................................................... 60

Figure 11 – Subsystem D logical representation ................................................................... 61

Figure 12 – V
...
