Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

This International Standard specifies requirements and makes recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to control systems used, either singly or in combination, to carry out safety-related control functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner.

Sicherheit von Maschinen - Funktionale Sicherheit sicherheitsbezogener elektrischer, elektronischer und programmierbarer elektronischer Steuerungssysteme

Sécurité des machines - Sécurité fonctionnelle des systèmes de commande électriques, électroniques et électroniques programmables relatifs à la sécurité

spécifie les exigences et donne des recommandations pour la conception, l'intégration et la validation des systèmes de commande électriques, électroniques et électroniques programmables relatifs à la sécurité (SRECS) pour les machines (voir Notes 1 et 2). Elle s'applique aux systèmes de commande utilisés, séparément ou en combinaison, pour assurer des fonctions de commande relatives à la sécurité de machines qui ne sont pas portables à la main en fonctionnement, y compris un groupe de machines fonctionnant ensemble d'une manière coordonnée

Varnost strojev – Funkcijska varnost na varnost vezanih električnih, elektronskih in programirljivih elektronskih krmilnih sistemov (IEC 62061:2005)

Ta mednarodni standard določa zahteve in priporočila za izdelavo, vgradnjo in ovrednotenje na varnost vezanih električnih, elektronskih in programirljivih elektronskih krmilnih sistemov (SRECS) za stroje (glej opombi 1 in 2). Uporablja se za krmilne sisteme, ki se samostojno ali v kombinaciji uporabljajo za izvajanje na varnost vezanih krmilnih funkcij na strojih, ki jih med delom ni mogoče prenašati v roki, vključno s skupino strojev, ki delujejo skupaj na usklajen način.

General Information

Status
Published
Publication Date
30-Nov-2005
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
01-Dec-2005
Due Date
01-Dec-2005
Completion Date
01-Dec-2005

Relations

Buy Standard

Standard
SIST EN 62061:2005
English language
107 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI SIST EN 62061:2005
STANDARD
december 2005
Varnost strojev – Funkcijska varnost na varnost vezanih električnih,
elektronskih in programirljivih elektronskih krmilnih sistemov (IEC
62061:2005)

Safety of machinery – Functional safety of safety-related electrical, electronic and

programmable electronic control systems (IEC 62061:2005)
ICS 13.110; 25.040.40 Referenčna številka
SIST EN 62061:2005(en)

© Standard je založil in izdal Slovenski inštitut za standardizacijo. Razmnoževanje ali kopiranje celote ali delov tega dokumenta ni dovoljeno

---------------------- Page: 1 ----------------------
EUROPEAN STANDARD EN 62061
NORME EUROPÉENNE
EUROPÄISCHE NORM April 2005
ICS 13.110; 25.040.99; 29.020
English version
Safety of machinery –
Functional safety of safety-related electrical,
electronic and programmable electronic control systems
(IEC 62061:2005)
Sécurité des machines – Sicherheit von Maschinen –
Sécurité fonctionnelle des systèmes Funktionale Sicherheit
de commande électriques, électroniques sicherheitsbezogener elektrischer,
et électroniques programmables relatifs elektronischer und programmierbarer
à la sécurité elektronischer Steuerungssysteme
(CEI 62061:2005) (IEC 62061:2005)

This European Standard was approved by CENELEC on 2004-12-01. CENELEC members are bound to

comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European

Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on

application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other

language made by translation under the responsibility of a CENELEC member into its own language and

notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, Czech

Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,

Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden,

Switzerland and United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2005 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.

Ref. No. EN 62061:2005 E
---------------------- Page: 2 ----------------------
EN 62061:2005 - 2 -
Foreword

The text of document 44/460/FDIS, future edition 1 of IEC 62061, prepared by IEC TC 44, Safety of

machinery - Electrotechnical aspects, was submitted to the IEC-CENELEC parallel vote and was

approved by CENELEC as EN 62061 on 2004-12-01.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2005-11-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2007-12-01

This European Standard has been prepared under a mandate given to CENELEC by the European

Commission and the European Free Trade Association and covers essential requirements of

EC Directive 98/37/EC. See Annex ZZ.
PROOF TEST INTERVAL AND LIFETIME

The following important information should be noted in relation to the requirements of this standard:

Where the probability of dangerous failure per hour (PFH ) is highly dependent upon proof testing (i.e.

tests intended to reveal faults not detected by diagnostic functions) then the proof test interval needs

to be shown as realistic and practicable in the context of the expected use of the safety-related

electrical control system (SRECS) (e.g. proof test intervals of less than 10 years can be unreasonably

short for many machinery applications).

CEN/TC114/WG6 have used a proof test interval (mission time) of 20 years to support the estimation

of mean time to dangerous failure (MTTF ) for the realization of designated architectures in Annex B

of prEN ISO 13849-1. Therefore, it is recommended that SRECS designers endeavour to use a 20

year proof test interval.

It is acknowledged that some subsystems and/or subsystem elements (e.g. electro-mechanical

components with high duty cycles) will require replacement within the SRECS proof test interval.

Proof testing involves detailed and comprehensive checks that can, in practice, only be performed

when the SRECS and/or its subsystems has been designed to facilitate proof testing (e.g. dedicated

test ports) and provided with necessary information (e.g. proof test instructions).

To ensure the validity of the proof test interval specified by the designer it is important that any other

necessary designated tests (e.g. functional tests) are also successfully performed at the SRECS.

Annexes ZA and ZZ have been added by CENELEC.
__________
Endorsement notice

The text of the International Standard IEC 62061:2005 was approved by CENELEC as a European

Standard without any modification.
__________
---------------------- Page: 3 ----------------------
- 3 - EN 62061:2005
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated

references, only the edition cited applies. For undated references, the latest edition of the referenced

document (including any amendments) applies.

NOTE Where an international publication has been modified by common modifications, indicated by (mod), the relevant

EN/HD applies.
Publication Year Title EN/HD Year
1) 2)
IEC 60204-1 - Safety of machinery - Electrical EN 60204-1 1997
equipment of machines + corr. September 1998
Part 1: General requirements
1) 2)
IEC 61000-6-2, - Electromagnetic compatibility (EMC) EN 61000-6-2 2001
mod. Part 6-2: Generic standards - Immunity
for industrial environments
IEC 61310 Series Safety of machinery - Indication, marking EN 61310 Series
and actuation
1) 2)
IEC 61508-2 - Functional safety of EN 61508-2 2001
electrical/electronic/programmable
electronic safety-related systems
Part 2: Requirements for
electrical/electronic/programmable
electronic safety-related systems
1) 2)
IEC 61508-3 - Part 3: Software requirements EN 61508-3 2001
EN ISO 12100-1 2003
ISO 12100-1 2003 Safety of machinery
Basic concepts, general principles for
design -- Part 1: Basic terminology,
methodology
ISO 12100-2 2003 Basic concepts, general principles for EN ISO 12100-2 2003
design -- Part 2: Technical principles
ISO 13849-1 1999 Safety of machinery - Safety-related parts - -
of control systems
Part 1: General principles for design
ISO 13849-2 2003 Part 2: Validation EN ISO 13849-2 2003
ISO 14121 - Safety of machinery - -
Principles of risk assessment
Undated reference.
Valid edition at date of issue.
---------------------- Page: 4 ----------------------
EN 62061:2005 - 4 -
Annex ZZ
(informative)
Coverage of Essential Requirements of EC Directives

This European Standard has been prepared under a mandate given to CENELEC by the European

Commission and the European Free Trade Association and within its scope the standard covers the

following essential requirements out of those given in Annex I of the EC Directive 98/37/EC:

– 1.2.1;
– 1.2.7.

Compliance with this standard provides one means of conformity with the specified essential

requirements of the Directive concerned.

WARNING: Other requirements and other EC Directives may be applicable to the products falling

within the scope of this standard.
__________
---------------------- Page: 5 ----------------------
IEC 62061
Edition 1.0 2005-01
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Safety of machinery – Functional safety of safety-related electrical, electronic
and programmable electronic control systems
Sécurité des machines – Sécurité fonctionnelle des systèmes de commande
électriques, électroniques et électroniques programmables relatifs à la sécurité
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
CODE PRIX
ICS 13.110; 25.040.99; 29.020 ISBN 2-8318-7818-7
---------------------- Page: 6 ----------------------
– 2 – 62061 © IEC:2005
CONTENTS

FOREWORD...........................................................................................................................5

INTRODUCTION.....................................................................................................................7

1 Scope and object............................................................................................................10

2 Normative references .....................................................................................................11

3 Terms, definitions and abbreviations ..............................................................................12

3.1 Alphabetical list of definitions ................................................................................12

3.2 Terms and definitions ............................................................................................14

3.3 Abbreviations ........................................................................................................22

4 Management of functional safety ....................................................................................23

4.1 Objective...............................................................................................................23

4.2 Requirements........................................................................................................23

5 Requirements for the specification of Safety-Related Control Functions (SRCFs) ...........24

5.1 Objective...............................................................................................................24

5.2 Specification of requirements for SRCFs ...............................................................24

6 Design and integration of the safety-related electrical control system (SRECS) ..............27

6.1 Objective...............................................................................................................27

6.2 General requirements............................................................................................27

6.3 Requirements for behaviour (of the SRECS) on detection

of a fault in the SRECS .........................................................................................28

6.4 Requirements for systematic safety integrity of the SRECS ...................................29

6.5 Selection of safety-related electrical control system ..............................................31

6.6 Safety-related electrical control system (SRECS) design and development ...........31

6.7 Realisation of subsystems .....................................................................................36

6.8 Realisation of diagnostic functions ........................................................................52

6.9 Hardware implementation of the SRECS ...............................................................53

6.10 Software safety requirements specification............................................................53

6.11 Software design and development.........................................................................54

6.12 Safety-related electrical control system integration and testing..............................62

6.13 SRECS installation ................................................................................................63

7 Information for use of the SRECS...................................................................................63

7.1 Objective...............................................................................................................63

7.2 Documentation for installation, use and maintenance ............................................63

8 Validation of the safety-related electrical control system.................................................64

8.1 General requirements............................................................................................65

8.2 Validation of SRECS systematic safety integrity ....................................................65

9 Modification....................................................................................................................66

9.1 Objective...............................................................................................................66

9.2 Modification procedure ..........................................................................................66

9.3 Configuration management procedures .................................................................67

10 Documentation ...............................................................................................................69

---------------------- Page: 7 ----------------------
62061 © IEC:2005 – 3 –

Annex A (informative) SIL assignment .................................................................................71

Annex B (informative) Example of safety-related electrical control system (SRECS)

design using concepts and requirements of Clauses 5 and 6 ...............................................79

Annex C (informative) Guide to embedded software design and development......................86

Annex D (informative) Failure modes of electrical/electronic components ............................95

Annex E (informative) Electromagnetic (EM) phenomenon and increased immunity
levels for SRECS intended for use in an industrial environment according to

IEC 61000-6-2 ....................................................................................................................100

Annex F (informative) Methodology for the estimation of susceptibility to common

cause failures (CCF)...........................................................................................................102

Figure 1 – Relationship of IEC 62061 to other relevant standards ...........................................8

Figure 2 – Workflow of the SRECS design and development process ...................................33

Figure 3 – Allocation of safety requirements of the function blocks to subsystems

(see 6.6.2.1.1) ......................................................................................................................34

Figure 4 – Workflow for subsystem design and development (see box 6B of Figure 2) ..........39

Figure 5 – Decomposition of a function block into redundant function block elements

and their associated subsystem elements .............................................................................40

Figure 6 – Subsystem A logical representation .....................................................................46

Figure 7 – Subsystem B logical representation .....................................................................47

Figure 8 – Subsystem C logical representation .....................................................................47

Figure 9 – Subsystem D logical representation .....................................................................49

Figure A.1 – Workflow of SIL assignment process.................................................................72

Figure A.2 – Parameters used in risk estimation ...................................................................73

Figure A.3 – Example proforma for SIL assignment process .................................................78

Figure B.1 – Terminology used in functional decomposition ..................................................79

Figure B.2 – Example machine .............................................................................................80

Figure B.3 – Specification of requirements for an SRCF .......................................................80

Figure B.4 – Decomposition to a structure of function blocks ................................................81

Figure B.5 – Initial concept of an architecture for a SRECS ..................................................82

Figure B.6 – SRECS architecture with diagnostic functions embedded within each

subsystem (SS1 to SS4) .......................................................................................................83

Figure B.7 – SRECS architecture with diagnostic functions embedded within

subsystem SS3.....................................................................................................................84

Figure B.8 – Estimation of PFH for a SRECS.......................................................................85

Table 1 – Recommended application of IEC 62061 and ISO 13849-1(under revision) .............9

Table 2 – Overview and objectives of IEC 62061 ..................................................................11

Table 3 – Safety integrity levels: target failure values for SRCFs ..........................................26

Table 4 – Characteristics of subsystems 1 and 2 used in this example..................................36

Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed

for a SRCF using this subsystem ..........................................................................................42

Table 6 – Architectural constraints: SILCL relating to categories...........................................42

Table 7 – Probability of dangerous failure .............................................................................45

Table 8 – Information and documentation of a SRECS..........................................................69

---------------------- Page: 8 ----------------------
– 4 – 62061 © IEC:2005

Table A.1 – Severity (Se) classification.................................................................................74

Table A.2– Frequency and duration of exposure (Fr) classification .......................................74

Table A.3– Probability (Pr) classification...............................................................................75

Table A.4– Probability of avoiding or limiting harm (Av) classification ...................................76

Table A.5– Parameters used to determine class of probability of harm (Cl) ...........................76

Table A.6 – SIL assignment matrix........................................................................................77

Table D.1 – Examples of the failure mode ratios for electrical/electronic components ...........95

Table E.1 – EM phenomenon and increased immunity levels for SRECS ............................ 100

Table E.2 – Selected frequencies for RF field tests.............................................................101

Table E.3 – Selected frequencies for conducted RF tests ................................................... 101

Table F.1 – Criteria for estimation of CCF...........................................................................102

Table F.2 – Estimation of CCF factor (β).............................................................................103

---------------------- Page: 9 ----------------------
62061 © IEC:2005 – 5 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS
FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising

all national electrotechnical committees (IEC National Committees). The object of IEC is to promote

international co-operation on all questions concerning standardization in the electrical and electronic fields. To

this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,

Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC

Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested

in the subject dealt with may participate in this preparatory work. International, governmental and non-

governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely

with the International Organization for Standardization (ISO) in accordance with conditions determined by

agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international

consensus of opinion on the relevant subjects since each technical committee has representation from all

interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National

Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC

Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any

misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications

transparently to the maximum extent possible in their national and regional publications. Any divergence

between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in

the latter.

5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any

equipment declared to be in conformity with an IEC Publication.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and

members of its technical committees and IEC National Committees for any personal injury, property damage or

other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and

expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC

Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is

indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of

patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 62061 has been prepared by IEC technical committee 44: Safety

of machinery – Electrotechnical aspects.
The text of this standard is based on the following documents:
FDIS Report on voting
44/460/FDIS 44/470/RVD

Full information on the voting for the approval of this standard can be found in the report on

voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

---------------------- Page: 10 ----------------------
– 6 – 62061 © IEC:2005

The committee has decided that the contents of this publication will remain unchanged until

the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in

the data related to the specific publication. At this date, the publication will be

• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of July 2005 have been included in this copy.
---------------------- Page: 11 ----------------------
62061 © IEC:2005 – 7 –
INTRODUCTION

As a result of automation, demand for increased production and reduced operator physical

effort, Safety-Related Electrical Control Systems (referred to as SRECS) of machines play an

increasing role in the achievement of overall machine safety. Furthermore, the SRECS

themselves increasingly employ complex electronic technology.

Previously, in the absence of standards, there has been a reluctance to accept SRECS in

safety-related functions for significant machine hazards because of uncertainty regarding the

performance of such technology.

This International Standard is intended for use by machinery designers, control system

manufacturers and integrators, and others involved in the specification, design and validation

of a SRECS. It sets out an approach and provides requirements to achieve the necessary

performance.

This standard is machine sector specific within the framework of IEC 61508. It is intended to

facilitate the specification of the performance of safety-related electrical control systems in

relation to the significant hazards (see 3.8 of ISO 12100-1) of machines.

This standard provides a machine sector specific framework for functional safety of a SRECS

of machines. It only covers those aspects of the safety lifecycle that are related to safety

requirements allocation through to safety validation. Requirements are provided for

information for safe use of SRECS of machines that can also be relevant to later phases of

the life of a SRECS.
There are many situations on machines where SRECS are employed as part of safety

measures that have been provided to achieve risk reduction. A typical case is the use of an

interlocking guard that, when it is opened to allow access to the danger zone, signals the

electrical control system to stop hazardous machine operation. Also in automation, the

electrical control system that is used to achieve correct operation of the machine process

often contributes to safety by mitigating risks associated with hazards arising directly from

control system failures. This standard gives a methodology and requirements to

• assign the required safety integrity level for each safety-related control function to be

implemented by SRECS;

• enable the design of the SRECS appropriate to the assigned safety-related control

function(s);
• integrate safety-related subsystems designed in accordance with ISO 13849 ;
• validate the SRECS.

This standard is intended to be used within the framework of systematic risk reduction

described in ISO 12100-1 and in conjunction with risk assessment according to the principles

described in ISO 14121 (EN 1050). A suggested methodology for safety integrity level (SIL)

assignment is given in informative Annex A.

Measures are given to co-ordinate the performance of the SRECS with the intended risk

reduction taking into account the probabilities and consequences of random or systematic

faults within the electrical control system.
Figure 1 shows the relationship of this standard to other relevant standards.

Table 1 gives recommendations on the recommended application of this standard and the

revision of ISO 13849-1.
---------------------- Page: 12 ----------------------
– 8 – 62061 © IEC:2005
Design and risk asseessment of the machine
ISO 12100, Safety of machinery – Basic concept, general principles
for design
ISO 14121, Safety of machinery – Principles for risk assessement

Design of safety-related electrical, electronic and programmable elecronic control systems

(SRECS) for machinery
Methodology using:
Safety-related control functions
System-based approach
- Quantitative index of safety:
- Index of safety:
Safety integrity level (SIL)
Category/performance level
- SIL assignment methodology for
- Category assigned by
SRECS of machinery
qualitative risk graphing
- Architecture oriented
- Architecture oriented
- Requirements for
avoidance/control of systematic
failures
Design objective for the
SRECS
Relevant standards
Electrical safety aspects of machinery
Design of low complexity
IEC 60204-1, Safety of machinery -
subsystems to categories
Electrical equipment of machinery -
Part 1: General requirements
ISO 13849-1 and 2 Safety of
machinery – Safety related
parts of control systems (SRPCS)
- Part 1: General princples
for design and Part 2:
Design of complex subsystems Validation
to SILs
Non-electrical SRPCS
IEC 61508, Functional safety of
(mechanical,
electrical, electronic and
pneumatic, etc.)
programmable electronic safety -
related systems
Electrical SRPCS
IEC 62061
Safety of machinery -
Functional safety of
safety-related electrical,
electronic and programmable
Key:
electronic control systems
Electrical safety aspects
Functional safety aspects
Figure 1 – Relationship of IEC 62061 to other relevant standards
Information on the recommended application of IEC 62061 and ISO 13849-1
(under revision)
---------------------- Page: 13 ----------------------
62061 © IEC:2005 – 9 –

IEC 62061 and ISO 13849-1 (under revision) specify requirements for the design and

implementation of safety-related control systems of machinery. The use of either of these

standards, in accordance with their scopes, can be presumed to fulfil the relevant essential

safety requirements. Table 1 summarises the scopes of IEC 62061 and ISO 13849-1(under

revision).
NOTE ISO 13849-1 is currently under preparation by ISO TC 199 and CEN TC 114.
Table 1 – Recommended application of IEC 62061 and ISO 13849-1(under revision)
Technology implementing the safety- ISO IEC 62061
related control function(s) 13849-1 (under revision)
A Non electrical, e.g. hydraulics X Not covered

B Electromechanical, e.g. relays, or non Restricted to designated All architectures and up to SIL 3

complex electronics architectur
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.