EN/IEC 62061 represents a sector-specific standard under IEC 61508. It describes the implementation of safety-related control systems on machinery and examines the whole lifecycle from the concept phase through to decommissioning.
Safety Integrity Level (SIL)
Functional safety in accordance with IEC 62061
Revision of the standard IEC 62061
The new edition of IEC 62061 was published in mid-February 2021. This new edition is not just an update of the existing standard. For a start the standard is no longer limited to electrical systems but can be used for all types of technologies such as hydraulic or pneumatic systems for example.
Further important changes are:
- Changes to the methodology used to define the required SIL level
- The need to draft a Safety Requirements Specification
- The option to use devices developed in accordance with other standards
- More details on safety-related application software
Important information: The new edition of IEC 62061 (2021 edition) has not yet been published in the Official Journal of the EU as a harmonised EN standard under the Machinery Directive. However, harmonisation is expected in the near future. The current harmonised version of EN 62061 is from 2015.
This website has already been updated with the changes to IEC 62061 (2021 edition) and gives you a compact overview.
Contents of IEC 62061
IEC 62061 addresses the issue of how reliable a safety-related control system needs to be. In this case the estimation is based on a hybrid method, a combination of a matrix and a quantitative approach. It also addresses the validation of safety functions based on structural and statistical methods.
As with EN 13849-1, the objective is to establish the suitability of safety measures to reduce risks. Even with this standard, extensive calculations are required. You can significantly reduce the work involved by using appropriate software such as the Safety Calculator PAScal.
How do you determine the required safety integrity in accordance with IEC 62061?
For each risk requiring a safety-related control system, the risk must be estimated and the risk reduction (SIL) defined, dependent on the control system. The risk associated with the safety function is estimated in accordance with IEC 62061, with consideration given to the following parameters:
- Severity of injury (Se)
- Frequency and duration of exposure (Fr)
- Probability of occurrence of a hazardous event (Pr)
- Probability of avoiding or limiting harm (Av)
SIL classification in accordance with IEC 62061
Classification of severity (Se)
|Irreversible: death, losing an eye or arm||4|
|Irreversible: broken limb(s), losing a finger(s)||3|
|Reversible: requiring attention from a medical practitioner||2|
|Reversible: requiring first aid||1|
Classification of the frequency and duration of exposure (Fr)
|Frequency of exposure||Duration (Fr) <= 10 min||Duration (Fr) > 10 min|
|≥ 1 per h||5||5|
|< 1 per h up to ≥ 1 per day||4||5|
|< 1 per day up to ≥ 1 every 2 weeks||3||4|
|< 1 every 2 weeks up to ≥ 1 per year||2||3|
|< 1 per year||1||2|
Classification of probability (Pr)
|Probability of occurrence||Probability (Pr)|
Classification of probability of avoiding or limiting harm (Av)
|Probability of avoiding or limiting||Avoiding and limiting (P)|
What is determination of the required Safety Integrity like in accordance with IEC 62061?
Assignment matrix for determining the required SIL (or Plr) for a safety function
(Click on the graphic to enlarge it.)
EXAMPLE: For a specific hazard where Se = 3, Fr = 4, Pr = 5 and Av = 5, then:
Cl = Fr + Pr + Av = 4 + 5 + 5 = 14
Using this table would lead to a SIL 3 or PL e being assigned to the safety function that is intended to mitigate the specific hazard.
How do you design a safety function?
For each safety function it is necessary to identify the critical elements for performing the function, the so-called subsystems. The selection or design of these subsystems must cater for a SIL which is equal to or higher than the required level. The combination of all of these subsystems must also enable you to reach the required SIL.
Each subsystem must meet the following requirements:
- Architectural constraints for hardware safety integrity
- Probability of dangerous random hardware failures (PFH)
- Systematic safety integrity (requirements for avoiding failures and requirements for controlling systematic faults)
Architectural constraints of a subsystem
The SIL value that subsystems achieve is influenced by the architecture of the control system and the "Safe failure fraction" (SFF) or diagnostic level.
|Safe failure fraction
|Hardware fault tolerance
|Hardware fault tolerance
|Hardware fault tolerance
|< 60 %||Not permitted, unless well-tried components||SIL 1||SIL 2|
|60 % to < 90 %||SIL 1||SIL 2||SIL 3|
|90 % to < 99 %||SIL 2||SIL 3||SIL 3|
|>= 99 %||SIL 3||SIL 3||SIL 3|
HFT: Hardware fault tolerance
SFF: Safe failure fraction
Requirements for the probability of dangerous random hardware failures
The probability of a dangerous failure of any safety-related control function (SRCF) as a result of dangerous random hardware failures shall be equal to or less than the failure threshold value defined in the safety requirements specification.
|SIL level in accordance with IEC 62061||Probability of a dangerous failure per hour (PFHD) [1/h]|
|SIL 3||>= 10 E-8 to < 10 E-7|
|SIL 2||>= 10 E-7 to < 10 E-6|
|SIL 1||>= 10 E-6 to < 10 E-5|
Why not try our calculation tool (PAScal), which you can use to determine the relevant characteristic values with ease.
Our experts will be happy to support you with the implementation of IEC 62061, thereby ensuring safe operation of your plant and machinery.