IEC 62061:2005/COR2:2008 (Corrigendum)
Corrigendum 2 - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
Applies to equipment and sub-assemblies forming those constituent components of diagnostic X-ray installations that generate, influence the propagation of, and detect the X-radiation, and process, present and store the radiological information. Presents the concept of quality assurance in diagnostic X-ray departments, and introduces a series of test methods to be carried out under the responsibility of the user. This publication has the status of a technical report.
Standards Content (Sample)
IEC 62061
(First edition – 2005)
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
CORRIGENDUM 2
Page 39
3.2 Terms and definitions
Delete the Note to definition 3.2.41: safe failure.
Page 83
Replace Table 5 with the following:
Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed for a SRCF using this subsystem
Safe failure fraction | Hardware fault tolerance (see Note 1)
                      | 0                                        | 1                  | 2
< 60 %                | Not allowed (for exceptions see Note 3)  | SIL1               | SIL2
60 % – < 90 %         | SIL1                                     | SIL2               | SIL3
90 % – < 99 %         | SIL2                                     | SIL3               | SIL3 (see Note 2)
≥ 99 %                | SIL3                                     | SIL3 (see Note 2)  | SIL3 (see Note 2)
NOTE 1 A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety-related control function.
NOTE 2 A SIL 4 claim limit is not considered in this standard. For SIL 4 see IEC 61508-1.
NOTE 3 See 6.7.6.4 or, for subsystems where fault exclusions have been applied to faults that could lead to a dangerous failure, see 6.7.7.
Page 83
Clause 6, add a new subclause 6.7.6.4 as follows:
6.7.6.4 Electromechanical subsystems, which have a safe failure fraction of less than 60 % and zero hardware fault tolerance, that use well-tried components (see Note) in accordance with ISO 13849-1:2006 Category 1 PL c shall be considered to achieve a SILCL of SIL1.
NOTE A well-tried component for a safety-related application is a component which has been:
a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications.
Renumber subclause 6.7.6.4 as:
6.7.6.5 Where a subsystem is designed according to ISO 13849-1:1999 and validated according to ISO 13849-2:2003, the following relationship in the context of architectural constraints alone can be applied in accordance with Table 6. It is assumed that a subsystem with a particular category complying with ISO 13849-1:1999 has the associated hardware fault tolerance and safe failure fraction as indicated in Table 6.
NOTE To achieve a required SIL, it is also necessary to fulfil the requirements according to probability of dangerous failure and systematic safety integrity.
April 2008
Replace Table 6 with the following:
Table 6 – Architectural constraints: SILCL relating to categories
Category | Hardware fault tolerance | SFF          | Maximum SIL claim limit according to architectural constraints
         | (It is assumed that subsystems with the stated category have the characteristics given below)
1        | 0                        | < 60 %       | See Note 1
2        | 0                        | 60 % – 90 %  | SIL 1 (see Note 2)
3        | 1                        | < 60 %       | SIL 1
3        | 1                        | 60 % – 90 %  | SIL 2
4        | > 1                      | 60 % – 90 %  | SIL 3 (see Note 3)
4        | 1                        | > 90 %       | SIL 3 (see Note 4)
NOTE 1 Subsystems that have a SFF of < 60 % but are designed in accordance with Category 1 of ISO 13849-1:1999 and validated in accordance with ISO 13849-2:2003 are assumed to achieve a SILCL of SIL1.
NOTE 2 The case for Category 2 where SFF is > 90 % is assumed not to be achieved by the design requirements of ISO 13849-1:1999.
NOTE 3 The diagnostic coverage is assumed to be less than 90 % for Category 4 subsystems where greater than single hardware fault tolerance (i.e. accumulated faults) is considered.
NOTE 4 Category 4 requires a SFF of more than 90 % but less than 99 % when single hardware fault tolerance is considered.
NOTE 5 Category B in accordance with ISO 13849-1:1999 is not considered sufficient to achieve SIL 1.
Page 85
Change Note to subclause 6.7.7.3 as follows:
NOTE It is permissible to exclude faults in accordance with 3.3 and D.5 of ISO 13849-2:2003.
Page 89
Change subclause 6.7.8.1.6 and Table 7 as follows:
6.7.8.1.6 Where a low complexity subsystem is designed according to ISO 13849-1:1999 and validated according to ISO 13849-2:2003 and also meets the requirements for architectural constraints (see 6.7.6) and systematic safety integrity (see 6.7.9), the threshold values of probability of dangerous failure (PFH_D) given in Table 7 can be used to estimate the hardware safety integrity (see 6.6.3.2).
Table 7 – Probability of dangerous failure
Category | Hardware fault tolerance | DC           | PFH_D threshold values (per hour) that can be claimed for the subsystem:
         |                          |              | PFH_D(MTTF_D subsystem, T_test, DC) (see Note 1)
         | (It is assumed that subsystems with the stated category have the characteristics given below)
1        | 0                        | 0 %          | To be provided by supplier or use generic data (see Annex D)
2        | 0                        | 60 % – 90 %  | ≥ 10^-6
3        | 1                        | 60 % – 90 %  | ≥ 2 x 10^-7
4        | > 1                      | 60 % – 90 %  | ≥ 3 x 10^-8
4        | 1                        | > 90 %       | ≥ 3 x 10^-8
NOTE 1 The PFH_D threshold value is a function of the subsystem MTTF_D (to be derived by the subsystem manufacturer or from relevant component data handbooks), test/check cycle time as specified in the safety requirements specification (this information is also required for subsystem validation in accordance with ISO 13849-2:2003, 3.5) and the diagnostic coverage as shown in this table (these values are based on the requirements of the categories described in ISO 13849-1:1999).
NOTE 2 Category B in accordance with ISO 13849-1:1999 cannot be considered sufficient to achieve SIL 1.
Change Note 2 to subclause 6.7.8.2.1 as follows:
NOTE 2 For equations (A) to (D) given in 6.7.8.2, constant and sufficiently low (1 >> λ x T) failure rates (λ) of the subsystem elements are assumed (this means that the mean time to dangerous failure has to be much greater than the proof test interval or the lifetime of the subsystem). Therefore, the following basic equations can be used:
– λ = 1/MTTF, where MTTF is expressed in hours.
For electromechanical devices the failure rate is determined using the B value and the number of operating cycles C (expressed as the number of operating cycles per hour) of the application as specified (see 5.2.3).
– λ = 0,1 x C/B.
Page 147
Annex A: SIL assignment
Change the third paragraph in A.2.4.1 as follows:
It should also be possible to foresee the duration, for example if it will be longer than 10 min. Where the duration is shorter than 10 min, the value may be decreased to the number in the row below in Table A.2. This does not apply to frequency of exposure ≤ 1 h, which should not be decreased at any time.
Change Table A.2 as follows:
Table A.2 – Frequency and duration of exposure (Fr) classification
Frequency of exposure (see A.2.4.1)  | Frequency, Fr
≤ 1 per h                            | 5
< 1 per h to ≥ 1 per day             | 5
< 1 per day to ≥ 1 per 2 weeks       | 4
< 1 per 2 weeks to ≥ 1 per year      | 3
< 1 per year                         | 2
Page 153
Change Table A.6 as follows:
Table A.6 – SIL assignment matrix
Severity (Se) | Class (Cl)
              | 4      | 5-7    | 8-10   | 11-13  | 14-15
4             | SIL 2  | SIL 2  | SIL 2  | SIL 3  | SIL 3
3             |        | (OM)   | SIL 1  | SIL 2  | SIL 3
2             |        |        | (OM)   | SIL 1  | SIL 2
1             |        |        |        | (OM)   | SIL 1
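The corrigendum's two halves fit together as one design check: Annex A gives the target SIL from severity and the class Cl = Fr + Pr + Av, and the corrected Table 5 (with the 6.7.6.4 exception) gives the SILCL a subsystem's architecture can claim. The following is an added worked example, not text or software from IEC 62061 or its corrigendum. It encodes the corrected Table 5, the corrected Table A.2 with the A.2.4.1 short-duration rule, the corrected Table A.6, and the two failure-rate equations of Note 2 to 6.7.8.2.1. The Pr and Av scores, the fractional SFF input, the function names and the 0,1 validity margin for 1 >> λ x T are assumptions of this example, not values fixed by the standard.

```python
"""Added worked example (not text of IEC 62061 or Corrigendum 2): corrected Table 5
with the 6.7.6.4 exception, Annex A class sum Cl = Fr + Pr + Av with the corrected
Table A.2/A.6, and the Note 2 failure-rate equations of 6.7.8.2.1, as a design check."""

# --- Table 5 (corrected): maximum SIL claim from SFF band and hardware fault tolerance.
# Each entry: (exclusive upper bound of the SFF band, claim limits for HFT 0, 1, 2).
# None means "not allowed". SIL 4 is not considered in IEC 62061 (Note 2 to Table 5).
_TABLE5 = [
    (0.60, (None, 1, 2)),   # SFF < 60 %
    (0.90, (1, 2, 3)),      # 60 % <= SFF < 90 %
    (0.99, (2, 3, 3)),      # 90 % <= SFF < 99 %
    (1.01, (3, 3, 3)),      # SFF >= 99 %
]


def sil_claim_limit(sff, hft, well_tried_cat1=False):
    """SILCL (1..3) allowed by the architectural constraints alone, or None.

    sff is a fraction in [0, 1]; hft is 0, 1 or 2 (higher values are treated as 2).
    well_tried_cat1=True applies 6.7.6.4: an electromechanical subsystem with
    SFF < 60 % and HFT 0 using well-tried components to ISO 13849-1 Category 1
    is considered to achieve SIL 1. PFH_D and systematic safety integrity still
    have to be shown separately (Note to 6.7.6.5).
    """
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be given as a fraction between 0 and 1")
    if hft < 0:
        raise ValueError("hardware fault tolerance cannot be negative")
    column = min(hft, 2)
    claim = next(row[column] for upper, row in _TABLE5 if sff < upper)
    if claim is None and well_tried_cat1 and hft == 0:
        return 1
    return claim


# --- Annex A: Fr from the corrected Table A.2, Cl = Fr + Pr + Av, then Table A.6.
# Fr rows as (maximum interval between exposures in hours, score).
_TABLE_A2 = [(1, 5), (24, 5), (24 * 14, 4), (24 * 365, 3), (float("inf"), 2)]


def fr_score(interval_hours, duration_under_10_min=False):
    """Fr score for an exposure interval. A.2.4.1 lets an exposure shorter than
    10 min drop one row, except the <= 1 h row, which is never decreased."""
    if interval_hours <= 0:
        raise ValueError("interval must be positive")
    row = next(i for i, (limit, _) in enumerate(_TABLE_A2) if interval_hours <= limit)
    if duration_under_10_min and row > 0:
        row = min(row + 1, len(_TABLE_A2) - 1)   # no row below the last one
    return _TABLE_A2[row][1]


# Pr and Av scales as used on the Annex A proforma (assumed labels -> scores).
PR = {"common": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "possible": 3, "likely": 1}

# Table A.6 (corrected), indexed by severity; columns are Cl 4, 5-7, 8-10, 11-13, 14-15.
# "OM": other measures recommended; None: no entry in the matrix.
_TABLE_A6 = {
    4: (2, 2, 2, 3, 3),
    3: (None, "OM", 1, 2, 3),
    2: (None, None, "OM", 1, 2),
    1: (None, None, None, "OM", 1),
}


def required_sil(se, fr, pr, av):
    """Target SIL from Table A.6 for severity se and class Cl = Fr + Pr + Av."""
    cl = fr + pr + av
    if se not in _TABLE_A6 or not 4 <= cl <= 15:
        raise ValueError("Se must be 1..4 and Cl must lie in 4..15")
    column = 0 if cl == 4 else 1 if cl <= 7 else 2 if cl <= 10 else 3 if cl <= 13 else 4
    return _TABLE_A6[se][column]


def architecture_sufficient(se, fr, pr, av, sff, hft, well_tried_cat1=False):
    """True when the subsystem's SILCL covers the target SIL (architectural constraints only)."""
    target = required_sil(se, fr, pr, av)
    if target is None or target == "OM":
        return True
    limit = sil_claim_limit(sff, hft, well_tried_cat1)
    return limit is not None and limit >= target


# --- Note 2 to 6.7.8.2.1: basic failure-rate equations and their validity condition.
def failure_rate_from_mttf(mttf_hours):
    """lambda = 1/MTTF, with MTTF in hours."""
    return 1.0 / mttf_hours


def failure_rate_electromechanical(cycles_per_hour, b_value):
    """lambda = 0,1 x C/B for an electromechanical device with B value and C cycles per hour."""
    return 0.1 * cycles_per_hour / b_value


def low_failure_rate_assumption_holds(lam, t_hours, margin=0.1):
    """Equations (A) to (D) assume 1 >> lambda x T; the margin 0,1 is this example's choice."""
    return lam * t_hours < margin


if __name__ == "__main__":
    # Constructed case: permanent injury (Se 3), exposure every 4 h (Fr 5),
    # hazardous event likely (Pr 4), avoidance possible (Av 3): Cl = 12 -> SIL 2.
    fr = fr_score(4)
    print("target SIL:", required_sil(3, fr, PR["likely"], AV["possible"]))
    print("HFT 1, SFF 75 %:", architecture_sufficient(3, fr, 4, 3, sff=0.75, hft=1))
    print("HFT 0, SFF 75 %:", architecture_sufficient(3, fr, 4, 3, sff=0.75, hft=0))
```

The check returns True only for the architectural part of the argument; as the Note to 6.7.6.5 says, the PFH_D threshold (Table 7) and the systematic safety integrity requirements must be met as well before a SIL can be claimed.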
Page 155
Change Figure A.3 as follows:
[Figure A.3 – Example proforma for SIL assignment process. The form carries header fields (Document No., Part of, Product, Issued by, Date) and tick boxes for pre, intermediate and follow-up risk assessment; black area = safety measures required, grey area = safety measures recommended. It reproduces the SIL assignment matrix of Table A.6 with the severity rows labelled by consequence (4: death, losing an eye or arm; 3: permanent, losing fingers; 2: reversible, medical attention; 1: reversible, first aid) against the class columns 4, 5-7, 8-10, 11-13 and 14-15, beside the scoring scales: frequency and duration of exposure Fr (≥ 1 per hr: 5; < 1 per hr to ≥ 1 per day: 5; < 1 per day to ≥ 1 per 14 days: 4; < 1 per 2 weeks to ≥ 1 per year: 3; < 1 per year: 2), probability of hazardous event Pr (common 5, likely 4, possible 3, rarely 2, negligible 1) and avoidance Av (impossible 5, possible 3, likely 1). Below it is a record table with the columns Ser. No., Hzd. No., Hazard, Se, Fr, Pr, Av, Cl, Safety measure, Safe, and Comments.]
Page 205
Annex F: Methodology for the estimation of susceptibility to common cause failures (CCF)
Change Table F.2 as follows:
Table F.2 – Estimation of CCF factor (β)
Overall score | Common cause failure factor (β)
≤ 35          | 10 % (0,1)
36 – 65       | 5 % (0,05)
66 – 85       | 2 % (0,02)
86 – 100      | 1 % (0,01)