Safety of machinery - Functional safety of safety-related control systems (IEC 62061:2021)

This International Standard specifies requirements and makes recommendations for the design,
integration and validation of safety-related control systems (SCS) for machines. It is applicable
to control systems used, either singly or in combination, to carry out safety functions on
machines that are not portable by hand while working, including a group of machines working
together in a co-ordinated manner.
This document is a machinery sector specific standard within the framework of IEC 61508 (all
parts).
The design of complex programmable electronic subsystems or subsystem elements is not
within the scope of this document. This is in the scope of IEC 61508 or standards linked to it;
see Figure 1.
NOTE 1 Elements such as systems on chip or microcontroller boards are considered complex programmable
electronic subsystems.
The main body of this sector standard specifies general requirements for the design and
verification of a safety-related control system intended to be used in high/continuous demand
mode.
This document:
– is concerned only with functional safety requirements intended to reduce the risk of
hazardous situations;
– is restricted to risks arising directly from the hazards of the machine itself or from a group
of machines working together in a co-ordinated manner;
NOTE 2 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards.
For example, where a machine(s) is part of a process activity, additional information is available in IEC 61511.
This document does not cover
– electrical hazards arising from the electrical control equipment itself (e.g. electric shock –
see IEC 60204-1);
– other safety requirements necessary at the machine level such as safeguarding;
– specific measures for security aspects – see IEC TR 63074.
This document is not intended to limit or inhibit technological advancement.
Figure 1 illustrates the scope of this document.

German title: Sicherheit von Maschinen - Funktionale Sicherheit sicherheitsbezogener Steuerungssysteme (IEC 62061:2021)

French title: Sécurité des machines - Sécurité fonctionnelle des systèmes de commande relatifs à la sécurité (IEC 62061:2021)

Slovenian title: Varnost strojev - Funkcijska varnost nadzornih sistemov, povezanih z varnostjo (IEC 62061:2021)

IEC 62061:2021 cancels and replaces the first edition published in 2005, Amendment 1:2012 and Amendment 2:2015. This edition constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous edition:
– the structure has been changed and the content updated to reflect the design process of the safety function;
– the standard has been extended to non-electrical technologies;
– definitions updated to align with IEC 61508-4;
– functional safety plan introduced and configuration management updated (Clause 4);
– requirements on parameterization extended (Clause 6);
– reference to security requirements added (6.8);
– requirements on periodic testing added (6.9);
– various improvements and clarifications concerning architectures and reliability calculations (Clause 6 and Clause 7);
– change from "SILCL" to "maximum SIL" of a subsystem (Clause 7);
– software use cases described, including requirements (Clause 8);
– requirements on the independence of software verification (Clause 8) and validation (Clause 9) activities added;
– new informative annex with examples (Annex G);
– new informative annexes on MTTFD values, diagnostics and architecture calculation methods (Annex C, Annex D and Annex H).

General Information

Status: Published
Public Enquiry End Date: 11-Jul-2019
Publication Date: 07-Sep-2021
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 27-Jul-2021
Due Date: 01-Oct-2021
Completion Date: 08-Sep-2021

Buy Standard

Standard: EN IEC 62061:2021 - BARVE, English language, 148 pages
Draft: prEN IEC 62061:2019 - BARVE, English language, 141 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN IEC 62061:2021
1 October 2021
Supersedes:
SIST EN 62061:2005
SIST EN 62061:2005/A1:2013
SIST EN 62061:2005/A2:2016
Varnost strojev - Funkcijska varnost nadzornih sistemov, povezanih z varnostjo (IEC 62061:2021)
Safety of machinery - Functional safety of safety-related control systems (IEC 62061:2021)
This Slovenian standard is identical to: EN IEC 62061:2021
ICS:
13.110 Safety of machinery
25.040.40 Industrial process measurement and control
SIST EN IEC 62061:2021 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN IEC 62061
July 2021
ICS 13.110; 25.040.99; 29.020
Supersedes EN 62061:2005 and all of its amendments and corrigenda (if any)
English Version
Safety of machinery - Functional safety of safety-related control systems (IEC 62061:2021)
This European Standard was approved by CENELEC on 2021-04-26. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the
Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.


European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2021 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
 Ref. No. EN IEC 62061:2021 E

EN IEC 62061:2021 (E)
European foreword
The text of document 44/885/FDIS, future edition 2 of IEC 62061, prepared by IEC/TC 44 "Safety of
machinery - Electrotechnical aspects" was submitted to the IEC-CENELEC parallel vote and approved
by CENELEC as EN IEC 62061:2021.
The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2022-01-26
• latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2024-04-26
This document supersedes EN 62061:2005 and all of its amendments and corrigenda (if any).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC shall not be held responsible for identifying any or all such patent rights.
This document has been prepared under a mandate given to CENELEC by the European Commission
and the European Free Trade Association, and supports essential requirements of EU Directive(s).
For the relationship with EU Directive(s) see informative Annex ZZ, which is an integral part of this
document.
Any feedback and questions on this document should be directed to the users’ national committee. A
complete listing of these bodies can be found on the CENELEC website.
Endorsement notice
The text of the International Standard IEC 62061:2021 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards
indicated:
IEC 60068 (series) NOTE Harmonized as EN 60068 (series)
IEC 60364-4-41:2005 NOTE Harmonized as HD 60364-4-41:2017
IEC 60529 NOTE Harmonized as EN 60529
IEC 60721 (series) NOTE Harmonized as EN 60721-3-9:1993/A1 (series)
IEC 60812 NOTE Harmonized as EN IEC 60812
IEC 60947-4-1:2018 NOTE Harmonized as EN IEC 60947-4-1:2019 (not modified)
IEC 60947-5-1 NOTE Harmonized as EN 60947-5-1
IEC 60947-5-3 NOTE Harmonized as EN 60947-5-3
IEC 60947-5-5 NOTE Harmonized as EN 60947-5-5
IEC 60947-5-8 NOTE Harmonized as EN IEC 60947-5-8
IEC 61000-6-7 NOTE Harmonized as EN 61000-6-7
IEC 61025:2006 NOTE Harmonized as EN 61025:2007 (not modified)
IEC 61131-2:2017 NOTE Harmonized as EN 61131-2:2017 (not modified) to be published
IEC 61131-6:2012 NOTE Harmonized as EN 61131-6:2012 (not modified)
IEC 61140:2016 NOTE Harmonized as EN 61140:2016 (not modified)
IEC 61165 NOTE Harmonized as EN 61165
IEC 61204-7:2016 NOTE Harmonized as EN IEC 61204-7:2018 (not modified)
IEC 61310 (series) NOTE Harmonized as EN 61310 (series)
IEC 61326-3-1 NOTE Harmonized as EN 61326-3-1
IEC 61496 (series) NOTE Harmonized as EN IEC 61496 (series)
IEC 61508-1:2010 NOTE Harmonized as EN 61508-1:2010 (not modified)
IEC 61508-4:2010 NOTE Harmonized as EN 61508-4:2010 (not modified)
IEC 61508-5:2010 NOTE Harmonized as EN 61508-5:2010 (not modified)
IEC 61508-6:2010 NOTE Harmonized as EN 61508-6:2010 (not modified)
IEC 61508-7:2010 NOTE Harmonized as EN 61508-7:2010 (not modified)
IEC 61511 (series) NOTE Harmonized as EN 61511 (series)
IEC 61511-1:2016 NOTE Harmonized as EN 61511-1:2017 (not modified)
IEC 61511-1:2016/A1:2017 NOTE Harmonized as EN 61511-1:2017/A1:2017 (not modified)
IEC 61511-3:2016 NOTE Harmonized as EN 61511-3:2017 (not modified)
IEC 61649 NOTE Harmonized as EN 61649
IEC 61709:2017 NOTE Harmonized as EN 61709:2017 (not modified)
IEC 61784-3 (series) NOTE Harmonized as EN 61784-3 (series)
IEC 61784-3:2016 NOTE Harmonized as EN 61784-3:2016 (not modified)
IEC 61800-5-2 NOTE Harmonized as EN 61800-5-2
IEC 61810 (series) NOTE Harmonized as EN 61810 (series)
IEC 62443 (series) NOTE Harmonized as EN IEC 62443 (series)
IEC 62477 (series) NOTE Harmonized as EN IEC 62477 (series)
IEC 62502 NOTE Harmonized as EN 62502
ISO/IEC 27001:2013 NOTE Harmonized as EN ISO/IEC 27001:2017 (not modified)
ISO 4413:2010 NOTE Harmonized as EN ISO 4413:2010 (not modified)
ISO 4414:2010 NOTE Harmonized as EN ISO 4414:2010 (not modified)
ISO 11161:2007 NOTE Harmonized as EN ISO 11161:2007 (not modified)
ISO 13850:2015 NOTE Harmonized as EN ISO 13850:2015 (not modified)
ISO 13851:2019 NOTE Harmonized as EN ISO 13851:2019 (not modified)
ISO 13855:2010 NOTE Harmonized as EN ISO 13855:2010 (not modified)
ISO 14118:2017 NOTE Harmonized as EN ISO 14118:2018 (not modified)
ISO 14119:2013 NOTE Harmonized as EN ISO 14119:2013 (not modified)
ISO/TR 22100-4:2018 NOTE Harmonized as CEN ISO/TR 22100-4:2020 (not modified)
Annex ZA
(normative)

Normative references to international publications
with their corresponding European publications
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments)
applies.
NOTE 1 Where an International Publication has been modified by common modifications, indicated by (mod),
the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is
available here: www.cenelec.eu.
Publication (Year): Title; corresponding EN/HD (Year)
IEC 60204-1 (mod) (2016): Safety of machinery - Electrical equipment of machines - Part 1: General requirements; EN 60204-1 (2018)
IEC 61000-1-2 (2016): Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena; EN 61000-1-2 (2016)
IEC 61508 (series): Functional safety of electrical/electronic/programmable electronic safety-related systems; EN 61508 (series)
IEC 61508-2 (2010): Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems; EN 61508-2 (2010)
IEC 61508-3 (2010): Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements; EN 61508-3 (2010)
ISO 12100 (2010): Safety of machinery - General principles for design - Risk assessment and risk reduction; EN ISO 12100 (2010)
ISO 13849 (series): Safety of machinery - Safety-related parts of control systems; EN ISO 13849 (series)
ISO 13849-1 (2015): Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design; EN ISO 13849-1 (2015)
ISO 13849-2 (2012): Safety of machinery - Safety-related parts of control systems - Part 2: Validation; EN ISO 13849-2 (2012)

Annex ZZ
(informative)

Relationship between this European standard and the essential requirements of Directive 2006/42/EC [2006 OJ L 157] aimed to be covered
This European standard has been prepared under a Commission’s standardisation request “M/396” to
provide one voluntary means of conforming to essential requirements of Directive 2006/42/EC of the
European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive
95/16/EC (recast) [2006 OJ L 157].
Once this standard is cited in the Official Journal of the European Union under that Directive,
compliance with the normative clauses of this standard given in Table ZZ.1 confers, within the limits of
the scope of this standard, a presumption of conformity with the corresponding essential requirements
of that Directive, and associated EFTA regulations.
Table ZZ.1 — Correspondence between this European standard and Annex 1 of Directive 2006/42/EC [2006 OJ L 157]
Essential requirement of Directive 2006/42/EC: clause(s)/sub-clause(s) of this EN; remarks/notes
1.2.1: Clauses 4, 5, 6, 7, 8, 9.
1.7.4.2 (e, g, i, r, s): 10.3; this subclause only deals with the instructions for safety functions.
WARNING 1: Presumption of conformity stays valid only as long as a reference to this European
standard is maintained in the list published in the Official Journal of the European Union. Users of this
standard should consult frequently the latest list published in the Official Journal of the European
Union.
WARNING 2: Other Union legislation may be applicable to the product(s) falling within the scope of
this standard.


IEC 62061
Edition 2.0 2021-03
INTERNATIONAL STANDARD
colour inside
Safety of machinery – Functional safety of safety-related control systems
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 13.110; 25.040.99; 29.020 ISBN 978-2-8322-9333-1
Warning! Make sure that you obtained this publication from an authorized distributor.
® Registered trademark of the International Electrotechnical Commission

IEC 62061:2021 © IEC 2021
CONTENTS
FOREWORD . 8
INTRODUCTION . 10
1 Scope . 11
2 Normative references . 12
3 Terms, definitions and abbreviations . 13
3.1 Alphabetical list of definitions . 13
3.2 Terms and definitions . 15
3.3 Abbreviations . 28
4 Design process of an SCS and management of functional safety . 28
4.1 Objective . 28
4.2 Design process . 29
4.3 Management of functional safety using a functional safety plan . 31
4.4 Configuration management . 33
4.5 Modification . 33
5 Specification of a safety function . 34
5.1 Objective . 34
5.2 Safety requirements specification (SRS) . 34
5.2.1 General . 34
5.2.2 Information to be available . 34
5.2.3 Functional requirements specification . 35
5.2.4 Estimation of demand mode of operation . 35
5.2.5 Safety integrity requirements specification . 36
6 Design of an SCS . 37
6.1 General . 37
6.2 Subsystem architecture based on top down decomposition . 37
6.3 Basic methodology – Use of subsystem . 37
6.3.1 General . 37
6.3.2 SCS decomposition . 38
6.3.3 Sub-function allocation . 39
6.3.4 Use of a pre-designed subsystem . 39
6.4 Determination of safety integrity of the SCS . 40
6.4.1 General . 40
6.4.2 PFH . 40
6.5 Requirements for systematic safety integrity of the SCS . 41
6.5.1 Requirements for the avoidance of systematic hardware failures . 41
6.5.2 Requirements for the control of systematic faults . 42
6.6 Electromagnetic immunity . 43
6.7 Software based manual parameterization . 43
6.7.1 General . 43
6.7.2 Influences on safety-related parameters . 43
6.7.3 Requirements for software based manual parameterization . 44
6.7.4 Verification of the parameterization tool . 45
6.7.5 Performance of software based manual parameterization . 45
6.8 Security aspects . 45
6.9 Aspects of periodic testing . 46
7 Design and development of a subsystem . 46

7.1 General . 46
7.2 Subsystem architecture design . 47
7.3 Requirements for the selection and design of subsystem and subsystem elements . 48
7.3.1 General . 48
7.3.2 Systematic integrity . 48
7.3.3 Fault consideration and fault exclusion . 51
7.3.4 Failure rate of subsystem element . 52
7.4 Architectural constraints of a subsystem . 55
7.4.1 General . 55
7.4.2 Estimation of safe failure fraction (SFF) . 56
7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem . 57
7.4.4 Realization of diagnostic functions . 58
7.5 Subsystem design architectures . 59
7.5.1 General . 59
7.5.2 Basic subsystem architectures . 59
7.5.3 Basic requirements . 61
7.6 PFH of subsystems . 62
7.6.1 General . 62
7.6.2 Methods to estimate the PFH of a subsystem . 62
7.6.3 Simplified approach to estimation of contribution of common cause failure (CCF) . 62
8 Software . 62
8.1 General . 62
8.2 Definition of software levels . 63
8.3 Software – Level 1 . 64
8.3.1 Software safety lifecycle – SW level 1 . 64
8.3.2 Software design – SW level 1 . 65
8.3.3 Module design – SW level 1 . 67
8.3.4 Coding – SW level 1 . 67
8.3.5 Module test – SW level 1 . 68
8.3.6 Software testing – SW level 1 . 68
8.3.7 Documentation – SW level 1 . 69
8.3.8 Configuration and modification management process – SW level 1 . 69
8.4 Software level 2 . 70
8.4.1 Software safety lifecycle – SW level 2 . 70
8.4.2 Software design – SW level 2 . 71
8.4.3 Software system design – SW level 2 . 73
8.4.4 Module design – SW level 2 . 73
8.4.5 Coding – SW level 2 . 74
8.4.6 Module test – SW level 2 . 75
8.4.7 Software integration testing SW level 2 . 75
8.4.8 Software testing SW level 2 . 75
8.4.9 Documentation – SW level 2 . 76
8.4.10 Configuration and modification management process – SW level 2 . 77
9 Validation . 77
9.1 Validation principles . 77
9.1.1 Validation plan . 80
9.1.2 Use of generic fault lists . 80

9.1.3 Specific fault lists . 80
9.1.4 Information for validation . 81
9.1.5 Validation record . 81
9.2 Analysis as part of validation . 82
9.2.1 General . 82
9.2.2 Analysis techniques . 82
9.2.3 Verification of safety requirements specification (SRS) . 82
9.3 Testing as part of validation . 83
9.3.1 General . 83
9.3.2 Measurement accuracy . 83
9.3.3 More stringent requirements . 84
9.3.4 Test samples . 84
9.4 Validation of the safety function . 84
9.4.1 General . 84
9.4.2 Analysis and testing . 85
9.5 Validation of the safety integrity of the SCS . 85
9.5.1 General . 85
9.5.2 Validation of subsystem(s) . 85
9.5.3 Validation of measures against systematic failures . 86
9.5.4 Validation of safety-related software . 86
9.5.5 Validation of combination of subsystems . 87
10 Documentation . 87
10.1 General . 87
10.2 Technical documentation . 87
10.3 Information for use of the SCS . 89
10.3.1 General . 89
10.3.2 Information for use given by the manufacturer of subsystems . 89
10.3.3 Information for use given by the SCS integrator . 90
Annex A (informative) Determination of required safety integrity . 92
A.1 General . 92
A.2 Matrix assignment for the required SIL . 92
A.2.1 Hazard identification/indication . 92
A.2.2 Risk estimation . 92
A.2.3 Severity (Se) . 93
A.2.4 Probability of occurrence of harm . 93
A.2.5 Class of probability of harm (Cl). 96
A.2.6 SIL assignment . 96
A.3 Overlapping hazards . 98
Annex B (informative) Example of SCS design methodology . 99
B.1 General . 99
B.2 Safety requirements specification . 99
B.3 Decomposition of the safety function . 99
B.4 Design of the SCS by using subsystems . 100
B.4.1 General . 100
B.4.2 Subsystem 1 design – “guard door monitoring” . 100
B.4.3 Subsystem 2 design – “evaluation logic” . 102
B.4.4 Subsystem 3 design – “motor control” . 103
B.4.5 Evaluation of the SCS . 103
B.4.6 PFH . 104

...

SLOVENIAN STANDARD
oSIST prEN IEC 62061:2019
1 July 2019
Varnost strojev - Funkcijska varnost nadzornih sistemov, povezanih z varnostjo
Safety of machinery - Functional safety of safety-related control systems
This Slovenian standard is identical to: prEN IEC 62061
ICS:
13.110 Safety of machinery
25.040.40 Industrial process measurement and control
oSIST prEN IEC 62061:2019 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

44/847/CDV

COMMITTEE DRAFT FOR VOTE (CDV)
PROJECT NUMBER: IEC 62061 ED2
DATE OF CIRCULATION: 2019-04-26
CLOSING DATE FOR VOTING: 2019-07-19
SUPERSEDES DOCUMENTS: 44/827/CD, 44/844A/CC

IEC TC 44: SAFETY OF MACHINERY - ELECTROTECHNICAL ASPECTS
SECRETARIAT: United Kingdom
SECRETARY: Mrs Nyomee Hla-Shwe Tun
OF INTEREST TO THE FOLLOWING COMMITTEES:
PROPOSED HORIZONTAL STANDARD:
Other TC/SCs are requested to indicate their interest, if any, in this CDV to the secretary.
FUNCTIONS CONCERNED: EMC, ENVIRONMENT, QUALITY ASSURANCE, SAFETY
SUBMITTED FOR CENELEC PARALLEL VOTING
Attention IEC-CENELEC parallel voting
The attention of IEC National Committees, members of CENELEC, is drawn to the fact that this Committee Draft for Vote (CDV) is submitted for parallel voting.
The CENELEC members are invited to vote through the CENELEC online voting system.

This document is still under study and subject to change. It should not be used for reference purposes.
Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

TITLE:
Safety of machinery – Functional safety of safety-related control systems

PROPOSED STABILITY DATE: 2024

NOTE FROM TC/SC OFFICERS:


Copyright © 2019 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this
electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions.
You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without
permission in writing from IEC.

IEC CDV 62061 © IEC 2019
CONTENTS

FOREWORD . 9
INTRODUCTION . 12
1 Scope . 13
2 Normative references . 14
3 Terms, definitions and abbreviations . 15
3.1 Alphabetical list of definitions . 15
3.2 Terms and definitions. 17
3.3 Abbreviations . 28
4 Design process of an SCS and management of functional safety . 29
4.1 Objective . 29
4.2 Design process . 29
4.3 Management of functional safety using a functional safety plan . 31
4.4 Configuration management . 32
4.5 Modification . 33
5 Specification of a safety function . 33
5.1 Objective . 33
5.2 Safety Requirements Specification (SRS) . 33
5.2.1 Information to be available. 34
5.2.2 Functional requirements specification . 34
5.2.3 Safety integrity requirements specification . 35
6 Design of an SCS . 35
6.1 General . 35
6.2 Subsystem architecture based on top down decomposition . 36
6.3 Basic methodology – Use of subsystem . 36
6.3.1 General . 36
6.3.2 SCS architecture design based on subsystems . 36
6.3.3 Sub-function allocation . 38
6.3.4 Use of a pre-designed subsystem . 38
6.4 Determination of safety integrity of the SCS . 38
6.4.1 General . 38
6.4.2 Average frequency of dangerous failures . 39
6.5 Requirements for systematic safety integrity of the SCS . 39
6.5.1 Requirements for the avoidance of systematic hardware failures . 39
6.5.2 Requirements for the control of systematic faults . 40
6.6 Electromagnetic immunity . 41
6.7 Software based manual parameterization . 41
6.7.1 General . 41
6.7.2 Influences on safety-related parameters . 41
6.7.3 Requirements for software based manual parameterization . 42
6.7.4 Verification of the parameterization tool . 43
6.7.5 Performance of software based manual parameterization . 43
6.8 Security aspects . 43
6.9 Aspects of periodic testing . 44
6.9.1 General principle . 44

6.9.2 Proof test . 44
7 Design and development of a subsystem . 45
7.1 General . 45
7.2 Subsystem architecture design . 46
7.3 Requirements for the selection and design of subsystem and subsystem elements . 46
7.3.1 General . 46
7.3.2 Systematic integrity . 46
7.3.3 Fault consideration and fault exclusion . 49
7.3.4 Failure rate of subsystem element . 50
7.4 Architectural constraints of a subsystem . 52
7.4.1 General . 52
7.4.2 Estimation of safe failure fraction (SFF) . 53
7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem . 54
7.4.4 Realization of diagnostic functions . 55
7.5 Subsystem design architectures . 56
7.5.1 General . 56
7.5.2 Basic subsystem architectures . 56
7.5.3 Basic requirements . 57
7.6 Probability of dangerous random hardware failures of subsystems . 58
7.6.1 General . 58
7.6.2 Methods to estimate the PFH of a subsystem . 58
7.6.3 Methods to estimate the PFDavg of a subsystem . 58
7.6.4 Simplified approach to estimation of contribution of common cause failure (CCF) . 58
8 Software . 59
8.1 General . 59
8.2 Definition of Software Levels. 59
8.3 Software Level 1 . 60
8.3.1 Software safety lifecycle SW Level 1 . 60
8.3.2 Software Design SW Level 1 . 61
8.3.3 Module design SW Level 1 . 63
8.3.4 Coding SW Level 1 . 64
8.3.5 Module test SW Level 1 . 64
8.3.6 Software testing SW Level 1 . 64
8.3.7 Documentation SW Level 1 . 65
8.3.8 Configuration and modification management process SW Level 1 . 65
8.4 Software Level 3 . 66
8.4.1 Software safety lifecycle SW Level 3 . 66
8.4.2 Software Design SW Level 3 . 68
8.4.3 Software system design SW Level 3 . 69
8.4.4 Module design SW Level 3 . 70
8.4.5 Coding SW Level 3 . 70
8.4.6 Module test SW Level 3 . 71
8.4.7 Software integration testing SW Level 3 . 71
8.4.8 Software testing SW Level 3 . 71
8.4.9 Documentation SW Level 3 . 73
8.4.10 Configuration and modification management process SW Level 3 . 73
9 Validation . 73

9.1 Validation principles . 73
9.1.1 Validation plan . 77
9.1.2 Use of generic fault lists . 77
9.1.3 Specific fault lists . 78
9.1.4 Information for validation . 78
9.1.5 Validation record . 79
9.2 Analysis as part of validation . 79
9.2.1 General . 79
9.2.2 Analysis techniques . 79
9.2.3 Verification of safety requirements specification for safety functions . 79
9.3 Testing as part of validation . 80
9.3.1 General . 80
9.3.2 Measurement accuracy . 80
9.3.3 More stringent requirements . 81
9.3.4 Number of test samples . 81
9.4 Validation of the safety function . 81
9.4.1 General . 81
9.4.2 Analysis and testing. 82
9.5 Validation of the safety integrity of the SCS . 82
9.5.1 Validation of subsystem(s) . 82
9.5.2 Validation of measures against systematic failures . 82
9.5.3 Validation of safety-related software . 83
9.5.4 Validation of combination of subsystems . 83
9.5.5 Verification of safety integrity. 84
10 Documentation . 84
10.1 General . 84
10.2 Technical documentation . 84
10.3 Information for use of the SCS . 85
10.3.1 General . 85
10.3.2 Information for use given by the manufacturer of subsystems . 86
10.3.3 Information for use given by the SCS integrator . 86
Annex A (informative)  Determination of required safety integrity . 88
A.1 General . 88
A.2 Matrix assignment for the required SIL . 88
A.2.1 Hazard identification/indication . 88
A.2.2 Risk estimation . 88
A.2.3 Severity (Se) . 89
A.2.4 Probability of occurrence of harm . 89
A.2.5 Class of probability of harm (Cl) . 92
A.2.6 SIL assignment . 92
A.3 Overlapping hazards . 94
Annex B (informative)  Example of SCS design methodology . 95
B.1 General . 95
B.2 Safety requirements specification . 95
B.3 Decomposition of the safety function . 95
B.4 Design of the SCS by using subsystems . 97
B.4.1 General . 97
B.4.2 Subsystem 1 design – “guard door monitoring” . 97
B.4.3 Subsystem 2 design – “evaluation logic” . 99
B.4.4 Subsystem 3 design – “motor control” . 99
B.4.5 Evaluation of the SCS . 99
B.5 Verification . 100
B.5.1 Analysis . 100
B.5.2 Tests . 100
Annex C (informative)  Examples of MTTF values for single components . 101
C.1 General . 101
C.2 Good engineering practices method . 101
C.3 Hydraulic components . 101
C.4 MTTF of pneumatic, mechanical and electromechanical components . 101
Annex D (normative) Low demand requirements . 103
D.1 General . 103
D.2 Normative references . 103
D.3 Terms and definitions. 103
D.4 Design process of an SCS and management of functional safety . 103
D.5 Specification of a safety function . 103
D.6 Design of an SCS . 104
D.7 Design and development of subsystem . 105
D.8 Software . 106
D.9 Validation. 106
D.10 Documentation . 106
Annex E (informative)  Examples for diagnostic coverage (DC) . 107
Annex F (informative)  Methodology for the estimation of susceptibility to common
cause failures (CCF) . 109
F.1 General . 109
F.2 Methodology . 109
F.2.1 Requirements for CCF . 109
F.2.2 Estimation of effect of CCF . 109
Annex G (informative)  Guideline for Software level 1 . 111
G.1 Software safety requirements . 111
G.2 Coding guidelines . 112
G.3 Specification of safety functions . 112
G.4 Specification of hardware design . 114
G.5 Software system design specification . 115
G.6 Protocols . 118
Annex H (informative)  ((void)) . 120
Annex I (informative)  Examples of safety functions . 121
I.1 Examples of safety functions . 121
I.2 Example of low demand function . 122
Annex J (informative)  ((void)) . 126
Annex K (informative)  Simplified approaches to evaluate the PFH value of a
subsystem . 127
K.1 Table allocation approach . 127
K.2 Simplified Formulas for the estimation of PFH . 129
K.2.1 General . 129
K.2.2 Basic subsystem architecture A: single channel without a diagnostic
function . 129
K.2.3 Basic subsystem architecture B: dual channel without a diagnostic
function . 130
K.2.4 Basic subsystem architecture C: single channel with a diagnostic
function . 130
K.2.5 Basic subsystem architecture D: dual channel with a diagnostic
function(s) . 135
K.3 Parts count method . 135
Annex L ((void)) . 137
Annex M (informative)  The functional safety plan and design activities . 138
M.1 General . 138
M.2 Example of a machine design plan including a safety plan . 138
M.3 Example of activities, documents and roles . 138
Bibliography . 141

Figure 1 – Relationship of this standard to other standards . 14
Figure 2 – Integration within the risk reduction process of ISO 12100 (excerpt) . 29
Figure 3 – Iterative process for design of the safety-related control system . 30
Figure 4 – Examples of combination of subsystems as one SCS . 31
Figure 5 – Examples of typical decomposition of a safety function into sub-functions
and its allocation to subsystems . 37
Figure 6 – Example of safety integrity of a safety function based on allocated
subsystems as one SCS . 38
Figure 7 – Subsystem A logical representation . 56
Figure 8 – Subsystem B logical representation . 57
Figure 9 – Subsystem C logical representation . 57
Figure 10 – Subsystem D logical representation . 57
Figure 11 – V-model for SW level 1. 60
Figure 12 – V-model for software modules customized by the designer for SW level 1 . 60
Figure 13 – V-model of software safety lifecycle for SW Level 3 . 66
Figure 14 – Overview of the validation process . 76
Figure A.1 – Parameters used in risk estimation . 88
Figure A.2 – Example proforma for SIL assignment process . 93
Figure B.1 – Decomposition of the safety function . 96
Figure B.2 – Overview of design of the subsystems of the SCS . 97
Figure D.1 – Example of safety integrity of a safety function based on allocated
subsystems as one SCS . 104
Figure G.1 – Plant sketch . 113
Figure G.2 – Principal module architecture design . 116
Figure G.3 – Principal design approach of logical evaluation . 117
Figure G.4 – Example of logical representation (program sketch). 118
Figure I.1 – Relationship between demand of a safety function, failure and trip limit in a
safety function . 123
Figure I.2 – Typical configuration of a gas turbine . 124
Figure K.1 – Subsystem A logical representation . 129
Figure K.2 – Subsystem B logical representation . 130
Figure K.3 – Subsystem C logical representation . 130
