IEC/TR 62061-1 Reviewed


Why You Need to Spend More Cash on Yet Another Document

Standards organizations publish documents in a fairly continuous stream, so for those of us tasked with staying current with a large number of standards (say, more than 10), the publication of another new standard or Technical Report isn’t news – it’s business as usual. The question is always: Do we really need to add this to the library?

For those who are new to this business, having to pay for critical design information is a new experience. Finding out that it can cost hundreds, if not thousands, to build the library you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061-1 in your library.

The Problem

As a machine builder, or a manufacturer building a product designed to be integrated into machinery, how do you choose between ISO 13849-1 and IEC 62061?

IEC/TR 62061-1 attempts to provide guidance on how to make this choice.

History

When CENELEC published EN 954-1 in 1995, machine builders were introduced to a whole new world of control reliability requirements. Prior to its publication, most machines were built with very simple interlocks, and no specific standards for interlocking devices existed. In the years since then, the EN 954-1 Categories have become well known and are applied inside and outside the EU.

In the intervening years, IEC published IEC 61508. This seven-part standard introduced the idea of ‘Safety Integrity Levels’ or SILs. This standard is aimed at process control systems and could be used for complex machinery as well.

Why the Confusion?

In 2006, IEC published a machinery-sector-specific standard based on IEC 61508, called IEC 62061. This standard offered a simplified application of the IEC 61508 methodology intended for machine builders. The key problem with this standard is that it did not provide a means to deal with pneumatic or hydraulic control elements, which are covered by ISO 13849-1.

ISO adopted EN 954-1 and reissued it as ISO 13849-1 in 1999. This edition of the standard was virtually identical to the standard it replaced from a technical requirements perspective. EN 954-1/ISO 13849-1 did not provide any means to estimate the integrity of the safety-related controls, but did define circuit architectures (Categories B, 1-4) and spoke to the selection of components, introducing the concepts of ‘well-tried safety principles’ and ‘well-tried components’. A second problem had long existed in addition to this: EN 954-2, Validation, was never published by CENELEC except as a committee draft, so a key element in the application of the standard had been missing for five years at the point where ISO 13849-1 Edition 1 was published.

The first cut at guiding users in choosing an appropriate standard came with the publication of IEC 62061 Edition 1. Published in 2005, Edition 1 included a table that attempted to provide users with some guidance on how to choose between ISO 13849-1 and IEC 62061.

…and then came 2007…

In 2007, ISO published the Second Edition of ISO 13849-1, and brought a whole new twist to the discussion by introducing ‘Performance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in failures per year and SILs in failures per hour. The same table included in IEC 62061 was included in this edition of ISO 13849-1.

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision)

(from the Second Edition, 2007)

Columns: Technology implementing the safety-related control function(s) / ISO 13849-1 (under revision) / IEC 62061

A  Non-electrical, e.g. hydraulics
   ISO 13849-1: X
   IEC 62061: Not covered

B  Electromechanical, e.g. relays, or non-complex electronics
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=e
   IEC 62061: All architectures and up to SIL 3

C  Complex electronics, e.g. programmable
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=d
   IEC 62061: All architectures and up to SIL 3

D  A combined with B
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=e
   IEC 62061: X, see Note 3

E  C combined with B
   ISO 13849-1: Restricted to designated architectures (see Note 1) and up to PL=d
   IEC 62061: All architectures and up to SIL 3

F  C combined with A, or C combined with A and B
   ISO 13849-1: X, see Note 2
   IEC 62061: X, see Note 3

“X” indicates that this item is dealt with by the standard shown in the column heading.

NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 (rev.) to give a simplified approach for quantification of performance level.

NOTE 2 For complex electronics: use of designated architectures according to EN ISO 13849-1 (rev.) up to PL=d or any architecture according to IEC 62061.

NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 (rev.) as subsystems.

So how is a machine builder to choose the ‘correct’ standard, if both standards are applicable and both are correct? Furthermore, how do you assess the reliability of the safety-related controls when integrating equipment from various suppliers, some of whom rate their equipment in PLs and some in SILs? Why are two standards addressing the same topic required? Will ISO 13849-1 and IEC 62061 ever be merged?

The Technical Report

In July this year the IEC published a Technical Report that discusses the selection and application of these two key control reliability standards for machine builders. This guide has long been needed, and precedes an event planned by IEC to bring machine builders and standards writers face-to-face to discuss these same issues.

The guide, titled IEC/TR 62061-1 — Technical Report — Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery, provides direct guidance on how to select between these two standards.


Merger

In the introduction to the report the TC makes it clear that the standards will be merged, although they don’t provide any kind of a timeline for the merger. Quoting from the introduction:

It is intended that this Technical Report be incorporated into both IEC 62061 and ISO 13849-1 by means of corrigenda that reference the published version of this document. These corrigenda will also remove the information given in Table 1, Recommended application of IEC 62061 and ISO 13849-1, provided in the common introduction to both standards, which is now recognized as being out of date. Subsequently, it is intended to merge ISO 13849-1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the paragraph above to highlight the key statement regarding the eventual merger of the two documents. If you’re not familiar with the standards acronyms, a ‘JWG’ is a Joint Working Group, and a TC is a Technical Committee. TCs are formed from volunteer experts from industry and academia supported by their organizations. So a JWG formed from two TCs just means that a joint committee has been formed to work out the details of the merger. Eventually.

The other key point in this paragraph relates to the replacement of Table 1. In the interim, IEC/TR 62061-1 will be incorporated into both standards, replacing Table 1.

Eventually the confusion will be cleared up because only one standard will exist in the machinery sector, but until then, machine builders will need to figure out which standard best fits their products.

Comparing PLs and SILs

The Technical Report does a good job of discussing the differences between PL and SIL, including providing an explanation of how to convert one to the other, very useful if you are trying to integrate a SIL-rated device into a PL analysis or vice versa.

Selecting a Standard

Clause 2.5 gives some solid advice on selecting between the two standards based on the technologies employed in the design and your own comfort level in using the analytical techniques in the two standards.

Another key point is that EITHER standard can be used to analyze complex OR simple control systems. Some fans of IEC 62061 have been known to dismiss ISO 13849-1 as useful exclusively for simple hardwired control systems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an additional thought, consider which standard your competitors are using, and also which your customers are using. For example, if your customers use ISO 13849-1 primarily, qualifying your product under IEC 62061 might seem like a good idea, but it may drive your customers to a competitor who makes their life easier by using ISO 13849-1. If your competitors are using a different standard, try to understand the choice before climbing on the bandwagon. There may be a competitive advantage lurking in being different.

Risk Assessment

Clause 4 speaks directly to the indispensable need to conduct a methodical risk assessment, and to use that to guide the design of the controls.

In my practice, many clients decide that they would prefer to choose a control reliability level that they feel will be more than good enough for any of their designs, and then to ‘standardize’ on that design for all their products, thereby eliminating the need to thoughtfully decide on the appropriate design for the application. In other cases, end-users may choose to use a ‘standard’ design throughout their facility to assist maintenance personnel by limiting their need to become technically familiar with a variety of designs. This is done to speed troubleshooting and reduce downtime and spares stocks.

The problem with this approach is that some managers believe it eliminates the need to conduct risk assessments, seeing them as a fruitless, expensive and often futile exercise. This is emphatically NOT the case. Risk assessments address much more than the selection of control reliability requirements and need to be done to ensure that all hazards that cannot be eliminated or substituted are safeguarded. A missing or badly done risk assessment may invalidate your claim to a CE mark, or be the landmine that ends a liability case – with you on the losing end.

Safety Requirement Specification (SRS)

Each safety function needs to be defined in detail in a Safety Requirement Specification (SRS). A reliability assessment needs to be completed for each safety function defined in the SRS. This point is discussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849-1, so IEC/TR 62061-1 once again bridges the gap by providing an important detail that is missing in one of the two standards.

If you are unfamiliar with the concept of an SRS, each safety function needs to be described with a certain minimum amount of information, including:

  • The name of the safety function;
  • A description of the function;
  • The required level of performance based on the risk assessment and according to either ISO 13849-1 (PLr a to e) or the required safety integrity according to IEC 62061 (SIL 1 to 3).

Once the safety functions are defined and analyzed, each safety function must be implemented by a control circuit. The selected PL will drive the design to one or two of the defined ISO 13849-1 architectures, and then the component selections and other design details will drive the final failure rate and PL. Alternatively, the SRS will drive the selection of IEC 62061 architecture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final failure rate and SIL.

Table 1 in the Technical Report compares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability of dangerous failure per hour

PL   Average probability of a dangerous failure per hour (1/h)   SIL
a    ≥ 10^-5 to < 10^-4                                          No special safety requirements
b    ≥ 3 × 10^-6 to < 10^-5                                      1
c    ≥ 10^-6 to < 3 × 10^-6                                      1
d    ≥ 10^-7 to < 10^-6                                          2
e    ≥ 10^-8 to < 10^-7                                          3

This table combines ISO 13849-1:2007, Tables 3 & 4. No similar tables exist in IEC 62061:2005.

Combining Equipment with PLs and SILs

Section 7 of the report speaks to the challenge of integrating equipment with ratings in a mix of PLs and SILs. Until the standards merge and a single system for describing reliability categories is agreed on, this problem will be with us.

When designing systems under either standard the designer has to determine the approximate rate of dangerous failures. In ISO 13849-1, MTTFd is the component failure rate parameter, while in IEC 62061, PFHd is the subsystem failure rate parameter. MTTFd does not consider diagnostics or architecture, only the component failure rate per year, while PFHd does include diagnostics and architecture, and it speaks to the system failure rate per hour. To compare these rates, ISO 13849-1 Annex K describes the relationship between MTTFd and PFHd for different architectures.

In the design process only one method can be used, so where equipment with different ratings must be combined the failure rates must be converted to either MTTFd or to PFHd, depending on the system being used to complete the analysis. Mixing requirements within the design of a subsystem is not permitted (see Clause 7.3.3).
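The band table above and the mixed-rating problem in Section 7 are easiest to see with numbers. The Python below is an added example, not code from the Technical Report, ISO or IEC: it takes subsystems whose suppliers quote a PL with MTTFd, a PL with PFHd, or a SIL with PFHd, checks each label against the Table 1 bands reproduced above, converts everything to PFHd, sums the series chain and maps the total back to both a PL and a SIL. The single-channel MTTFd-to-PFHd shortcut and the sample subsystems are assumptions constructed for the example.

```python
# Added example, not code from IEC/TR 62061-1, ISO 13849-1 or IEC 62061.
# Combines subsystems rated in PL or SIL into one series safety function.
HOURS_PER_YEAR = 8760

# Bands from the TR's Table 1 as reproduced on this page:
# level -> (lower bound inclusive, upper bound exclusive), in 1/h
PL_BANDS = {"a": (1e-5, 1e-4), "b": (3e-6, 1e-5), "c": (1e-6, 3e-6),
            "d": (1e-7, 1e-6), "e": (1e-8, 1e-7)}
SIL_BANDS = {1: (1e-6, 1e-5), 2: (1e-7, 1e-6), 3: (1e-8, 1e-7)}


def level_from_pfhd(pfhd, bands):
    """Return the PL or SIL whose band contains pfhd, or None if none does."""
    for level, (low, high) in bands.items():
        if low <= pfhd < high:
            return level
    return None


def pfhd_of(subsystem):
    """PFHd (1/h) of one subsystem from the figure its supplier quotes.

    'pfhd'  : quoted directly (IEC 62061 style), used as-is.
    'mttfd' : MTTFd in years (ISO 13849-1 style). Assumption: a single
              channel without diagnostics (Category B), where PFHd is
              approximately 1/MTTFd in hours; other architectures need
              the ISO 13849-1 Annex K relationship, not reproduced here.
    """
    if "pfhd" in subsystem:
        return subsystem["pfhd"]
    return 1.0 / (subsystem["mttfd"] * HOURS_PER_YEAR)


def claim_is_consistent(subsystem):
    """Check the supplier's PL or SIL label against the band of its PFHd."""
    pfhd = pfhd_of(subsystem)
    if "pl" in subsystem:
        return level_from_pfhd(pfhd, PL_BANDS) == subsystem["pl"]
    return level_from_pfhd(pfhd, SIL_BANDS) == subsystem["sil"]


def combine_series(subsystems):
    """Reject inconsistent labels, sum PFHd over the chain, map to PL and SIL."""
    bad = [s["name"] for s in subsystems if not claim_is_consistent(s)]
    if bad:
        raise ValueError("label does not match PFHd band: " + ", ".join(bad))
    total = sum(pfhd_of(s) for s in subsystems)
    pl = level_from_pfhd(total, PL_BANDS)
    return total, pl, level_from_pfhd(total, SIL_BANDS)


# Constructed sample chain: a Category B interlock quoted by MTTFd, a safety
# relay quoted in PL with PFHd, and a safety PLC quoted in SIL with PFHd.
SAMPLE = [
    {"name": "interlock switch (Cat B)", "pl": "b", "mttfd": 30},
    {"name": "safety relay", "pl": "e", "pfhd": 2.5e-8},
    {"name": "safety PLC", "sil": 3, "pfhd": 1.2e-8},
]

if __name__ == "__main__":
    total, pl, sil = combine_series(SAMPLE)
    print(f"chain PFHd = {total:.2e}/h -> PL {pl}, SIL {sil}")
```

With the sample chain the Category B interlock dominates the sum, so the PL e relay and SIL 3 PLC end up in a PL b / SIL 1 function; drop the interlock and the same two devices give PL e / SIL 3.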

Fault Exclusions

Fault exclusions are permitted under both standards with some limitations: under IEC 62061 they may be used up to SIL 2; no fault exclusions are permitted at SIL 3. Properly justified fault exclusions can be used up to PLe. “Properly justified” fault exclusions are those that can be shown to be valid through the lifetime of the SRP/CS.

In general, fault exclusions for mechanical failures of electromechanical devices such as interlock devices or emergency stop devices are not permitted, with a few exceptions given in ISO 13849-2 (see Clauses 7.2.2.4 and 7.2.2.5).

This approach is consistent with the current approach taken in Canada, as described in CSA Z432 & Z434. Fault exclusions are generally not permitted under ANSI standards.

Worked Examples

Section 8 of the Technical Report gives a couple of worked examples, one done under ISO 13849-1 and one under IEC 62061. For someone looking for a good example of what a properly completed analysis should look like, this section is the gold at the end of the rainbow. Section 8.2 provides a good, clear example of the application of the standards along with a nice, simple example of what a safety requirement specification might look like.

Understanding the Differences

One area where proponents of the two standards often disagree is on the ‘accuracy’ of the analytical procedures given in the two standards. The Technical Report provides a detailed explanation of why the two techniques give slightly different results and the rationale for why this variation should be considered acceptable.

To Buy or Not to Buy…

At the end of the day, the question that needs to be answered is whether to buy this document or not. If you use either of these standards, I strongly recommend that you spend the money to get this Technical Report, if for nothing more than the worked examples. Until the two standards are merged, and that could be a few years, you will need to be able to effectively apply these approaches to PL- and SIL-rated equipment. This Technical Report will be an invaluable aid.

It also provides some guidance on the direction that the new merged standard will take. Some old arguments can be settled, or at least redirected, by this document.

Finally, since the TR is to be incorporated in both standards and contains material replacing that in the current editions of the standards, you must buy a copy to remain current.

For all of these reasons, I would spend the money to acquire this document, read it and apply it.


If you’ve bought the report and would like to add your thoughts, please add a comment below. Got questions? Contact me!


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.


  • Hi Doug,
    Thanks for the read, it was very eye-opening.
    I have one remark:
    You wrote that the SRS (Safety Requirement Specification) is not dealt with in ISO 13849-1. I guess that’s true but the software I use (Sistema) does ask you to specify the necessary requirements, that is, filling in the fields for the name and description of the safety function. The required performance level is of course mandatory in the software to be able to work out the overall performance.
    The problem I am facing now is that there is not enough information available from manufacturers worldwide to fulfill the requirements. And I mean MTTFd data. Might be an idea to write a blog on this topic?
    Regards,
    Wouter

    • Wouter,

      Thanks for the comments! I’m glad you found the review useful!

      I agree that Sistema requires the equivalent of an SRS, and this is the correct approach in my opinion. I think that the ISO TC decided to simplify the analytical approach given in the standard as much as possible, since the machine building community was already struggling with implementing EN 954-1:96 or ISO 13849-1 1999. This is supported by the EC Machinery Working Group’s decision earlier this year to extend the transition period from EN 954-1 to ISO 13849-1 Edition 2 until the end of 2012.

      I’ve had the same experience as you in trying to find MTTFd data or B10d data. In a recent analysis I conducted for a client, I ended up having to use the default ‘10 years’ for a significant number of components. In some cases, additional data can be found in some of the other reliability standards, like MIL-HDBK-217F, UTE 80810, NPRD 95 or the Siemens SN 29500 documents.

      I like your idea for an article! Keep watching!

      Regards,
      Doug
