IEC/TR 62061–1 Reviewed

This entry is part 2 of 2 in the series IEC/TR 62061–1

Why You Need to Spend More Cash on Yet Another Document

Standards organizations publish documents in a fairly continuous stream, so for those of us tasked with staying current with a large number of standards (say, more than 10), the publication of another new standard or Technical Report isn’t news — it’s business as usual. The question is always: Do we really need to add this to the library?

For those who are new to this business, having to pay for critical design information is a new experience. Finding out that it can cost hundreds, if not thousands, to build the library you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061–1 in your library.

The Problem

As a machine builder or a manufacturer building a product designed to be integrated into machinery, how do you choose between ISO 13849–1 and IEC 62061?

IEC/TR 62061–1 attempts to provide guidance on how to make this choice.

History

When CENELEC published EN 954–1 in 1995, machine builders were introduced to a whole new world of control reliability requirements. Prior to its publication, most machines were built with very simple interlocks, and no specific standards for interlocking devices existed. In the years since then, the EN 954–1 Categories have become well known and are applied inside and outside the EU.

In the intervening years, IEC published IEC 61508. This seven-part standard introduced the idea of ‘Safety Integrity Levels’ or SILs. This standard is aimed at process control systems and could be used for complex machinery as well.

Why the Confusion?

In 2006, IEC published a machinery-sector-specific standard based on IEC 61508, called IEC 62061. This standard offered a simplified application of the IEC 61508 methodology intended for machine builders. The key problem with this standard is that it did not provide a means to deal with pneumatic or hydraulic control elements, which are covered by ISO 13849–1.

ISO adopted EN 954–1 and reissued it as ISO 13849–1 in 1999. This edition of the standard was virtually identical to the standard it replaced from a technical requirements perspective. EN 954–1/ISO 13849–1 did not provide any means to estimate the integrity of the safety-related controls, but did define circuit architectures (Categories B, 1–4) and spoke to the selection of components, introducing the concepts of ‘well-tried safety principles’ and ‘well-tried components’. A second problem had long existed in addition to this — EN 954–2, Validation, was never published by CENELEC except as a committee draft, so a key element in the application of the standard had been missing for five years at the point where ISO 13849–1 Edition 1 was published.

The first cut at guiding users in choosing an appropriate standard came with the publication of IEC 62061 Edition 1. Published in 2005, Edition 1 included a table that attempted to provide users with some guidance on how to choose between ISO 13849–1 and IEC 62061.

…and then came 2007…

In 2007, ISO published the Second Edition of ISO 13849–1, and brought a whole new twist to the discussion by introducing ‘Performance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in failures per year and SILs in failures per hour. The same table included in IEC 62061 was included in this edition of ISO 13849–1.

Table 1 – Recommended application of IEC 62061 and ISO 13849–1 (under revision)
(from the Second Edition, 2007)

Row | Technology implementing the safety-related control function(s) | ISO 13849–1 (under revision) | IEC 62061
A | Non-electrical, e.g. hydraulics | X | Not covered
B | Electromechanical, e.g. relays, or non-complex electronics | Restricted to designated architectures (see Note 1) and up to PL=e | All architectures and up to SIL 3
C | Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
D | A combined with B | Restricted to designated architectures (see Note 1) and up to PL=e | X, see Note 3
E | C combined with B | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
F | C combined with A, or C combined with A and B | X, see Note 2 | X, see Note 3

“X” indicates that this item is dealt with by the standard shown in the column heading.

NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849–1 (rev.) to give a simplified approach for quantification of performance level.

NOTE 2 For complex electronics: use of designated architectures according to EN ISO 13849–1 (rev.) up to PL=d or any architecture according to IEC 62061.

NOTE 3 For non-electrical technology use parts according to EN ISO 13849–1 (rev.) as subsystems.

So how is a machine builder to choose the ‘correct’ standard, if both standards are applicable and both are correct? Furthermore, how do you assess the reliability of the safety-related controls when integrating equipment from various suppliers, some of whom rate their equipment in PLs and some in SILs? Why are two standards addressing the same topic required? Will ISO 13849–1 and IEC 62061 ever be merged?

The Technical Report

In July this year the IEC published a Technical Report that discusses the selection and application of these two key control reliability standards for machine builders. This guide has long been needed, and precedes a face-to-face event planned by IEC to bring machine builders and standards writers together to discuss these same issues.

The guide, titled IEC/TR 62061–1 — Technical Report — Guidance on the application of ISO 13849–1 and IEC 62061 in the design of safety-related control systems for machinery, provides direct guidance on how to select between these two standards.

Merger

In the introduction to the report the TC makes it clear that the standards will be merged, although they don’t provide any kind of a timeline for the merger. Quoting from the introduction:

It is intended that this Technical Report be incorporated into both IEC 62061 and ISO 13849–1 by means of corrigenda that reference the published version of this document. These corrigenda will also remove the information given in Table 1, Recommended application of IEC 62061 and ISO 13849–1, provided in the common introduction to both standards, which is now recognized as being out of date. Subsequently, it is intended to merge ISO 13849–1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the paragraph above to highlight the key statement regarding the eventual merger of the two documents. If you’re not familiar with the standards acronyms, a ‘JWG’ is a Joint Working Group, and a TC is a Technical Committee. TCs are formed from volunteer experts from industry and academia supported by their organizations. So a JWG formed from two TCs just means that a joint committee has been formed to work out the details of the merger. Eventually.

The other key point in this paragraph relates to the replacement of Table 1. In the interim, IEC/TR 62061–1 will be incorporated into both standards, replacing Table 1.

Eventually the confusion will be cleared up because only one standard will exist in the machinery sector, but until then, machine builders will need to figure out which standard best fits their products.

Comparing PLs and SILs

The Technical Report does a good job of discussing the differences between PL and SIL, including providing an explanation of how to convert one to the other, which is very useful if you are trying to integrate a SIL-rated device into a PL analysis or vice versa.

Selecting a Standard

Clause 2.5 gives some solid advice on selecting between the two standards based on the technologies employed in the design and your own comfort level in using the analytical techniques in the two standards.

Another key point is that EITHER standard can be used to analyze complex OR simple control systems. Some fans of IEC 62061 have been known to put ISO 13849–1 down as useful exclusively for simple hardwired control systems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an additional thought, consider which standard your competitors are using, and also which your customers are using. For example, if your customers use ISO 13849–1 primarily, qualifying your product under IEC 62061 might seem like a good idea, but may drive your customers to a competitor who makes their life easier by using ISO 13849–1. If your competitors are using a different standard, try to understand the choice before climbing on the bandwagon. There may be a competitive advantage lurking in being different.

Risk Assessment

Clause 4 speaks directly to the indispensable need to conduct a methodical risk assessment, and to use that to guide the design of the controls.

In my practice, many clients decide that they would prefer to choose a control reliability level that they feel will be more than good enough for any of their designs, and then to ‘standardize’ on that design for all their products, thereby eliminating the need to thoughtfully decide on the appropriate design for the application. In other cases, end-users may choose to use a ‘standard’ design throughout their facility to assist maintenance personnel by limiting their need to become technically familiar with a variety of designs. This is done to speed troubleshooting and reduce downtime and spares stocks.

The problem is that some managers believe such standardization eliminates the need to conduct risk assessments, seeing them as a fruitless, expensive and often futile exercise. This is emphatically NOT the case. Risk assessments address much more than the selection of control reliability requirements and need to be done to ensure that all hazards that cannot be eliminated or substituted are safeguarded. A missing or badly done risk assessment may invalidate your claim to a CE mark, or be the landmine that ends a liability case — with you on the losing end.

Safety Requirement Specification (SRS)

Each safety function needs to be defined in detail in a Safety Requirement Specification (SRS). A reliability assessment needs to be completed for each safety function defined in the SRS. This point is discussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849–1, so IEC/TR 62061–1 once again bridges the gap by providing an important detail that is missing in one of the two standards.

If you are unfamiliar with the concept of an SRS, each safety function needs to be described with a certain minimum amount of information, including:

  • The name of the safety function;
  • A description of the function;
  • The required level of performance based on the risk assessment and according to either ISO 13849–1 (PLr a to e) or the required safety integrity according to IEC 62061 (SIL 1 to 3).

Once the safety functions are defined and analyzed, each safety function must be implemented by a control circuit. The selected PL will drive the design to one or two of the defined ISO 13849–1 architectures, and then the component selections and other design details will drive the final failure rate and PL. Alternatively, the SRS will drive the selection of IEC 62061 architecture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final failure rate and SIL.

Table 1 in the Technical Report compares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability of dangerous failure per hour

Performance Level (PL) | Average probability of a dangerous failure per hour (1/h) | Safety integrity level (SIL)
a | ≥ 10^-5 to < 10^-4 | No special safety requirements
b | ≥ 3 × 10^-6 to < 10^-5 | 1
c | ≥ 10^-6 to < 3 × 10^-6 | 1
d | ≥ 10^-7 to < 10^-6 | 2
e | ≥ 10^-8 to < 10^-7 | 3

This table combines ISO 13849–1:2007, Tables 3 and 4. No similar tables exist in IEC 62061:2005.

Combining Equipment with PLs and SILs

Section 7 of the report speaks to the challenge of integrating equipment with ratings in a mix of PLs and SILs. Until the standards merge and a single system for describing reliability categories is agreed on, this problem will be with us.

When designing systems using either standard, the designer has to determine the approximate rate of dangerous failures. In ISO 13849–1, MTTFd is the component failure rate parameter, while in IEC 62061, PFHd is the subsystem failure rate parameter. MTTFd does not consider diagnostics or architecture, only the component failure rate per year, while PFHd does include diagnostics and architecture, and it speaks to the system failure rate per hour. To compare these rates, ISO 13849–1 Annex K describes the relationship between MTTFd and PFHd for different architectures.

In the design process only one method can be used, so where equipment with different ratings must be combined, the failure rates must be converted to either MTTFd or PFHd, depending on the system being used to complete the analysis. Mixing requirements within the design of a subsystem is not permitted (see Clause 7.3.3).
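To make the Table 1 bands and the Section 7 combining problem concrete, here is an added Python example (not from the Technical Report, the standards, or the author): it classifies a PFHd into PL and SIL with the Table 1 bands quoted above, checks that a supplier's claimed "PL x" or "SIL n" agrees with the PFHd it states, and combines subsystems into one result that can be checked against the SRS requirement. Assumptions: the safety function's PFHd is taken as the sum of its subsystems' PFHd values (a serial-combination rule assumed here, not stated on this page), and the sample subsystems and their values are constructed.

```python
# (PL, lower bound inclusive, upper bound exclusive, SIL), from Table 1 above
PL_BANDS = (
    ("e", 1e-8, 1e-7, 3),
    ("d", 1e-7, 1e-6, 2),
    ("c", 1e-6, 3e-6, 1),
    ("b", 3e-6, 1e-5, 1),
    ("a", 1e-5, 1e-4, None),  # PL a: "no special safety requirements"
)
PL_ORDER = "abcde"

def classify(pfhd):
    """Map a PFHd in 1/h to (PL, SIL); (None, None) if it is >= 1e-4."""
    if pfhd < 0:
        raise ValueError("PFHd cannot be negative")
    if pfhd < PL_BANDS[0][1]:
        return "e", 3  # no level exists above PL e / SIL 3
    for pl, lo, hi, sil in PL_BANDS:
        if lo <= pfhd < hi:
            return pl, sil
    return None, None  # failure rate too high for any PL

def rating_consistent(claimed, pfhd):
    """Check that a supplier's 'PL x' or 'SIL n' claim matches its PFHd."""
    pl, sil = classify(pfhd)
    kind, value = claimed.split()
    if kind == "PL":
        return pl == value
    if kind == "SIL":
        return sil is not None and sil == int(value)
    raise ValueError(f"unknown rating: {claimed!r}")

def combine(subsystems):
    """subsystems: [(name, claimed rating, PFHd)]. Sum, classify, flag claims."""
    total = sum(pfhd for _, _, pfhd in subsystems)  # assumed serial sum
    pl, sil = classify(total)
    bad = [n for n, claim, pfhd in subsystems if not rating_consistent(claim, pfhd)]
    return {"pfhd": total, "pl": pl, "sil": sil, "mismatches": bad}

def meets(result, required):
    """Does a combined result reach the SRS requirement ('PL x' or 'SIL n')?"""
    kind, value = required.split()
    if result["pl"] is None:
        return False
    if kind == "PL":
        return PL_ORDER.index(result["pl"]) >= PL_ORDER.index(value)
    return result["sil"] is not None and result["sil"] >= int(value)

# Constructed sample: one safety function built from mixed-rated subsystems
SAMPLE = [
    ("interlock switch", "PL e", 5.0e-8),
    ("safety relay", "SIL 3", 2.0e-8),
    ("contactor pair", "PL d", 3.0e-7),
]
```

Two PL e parts and one PL d part sum to 3.7 × 10^-7, so the function as a whole lands in PL d / SIL 2 and would fail an SRS that asks for PL e.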

Fault Exclusions

Fault exclusions are permitted under both standards, with limits. Under IEC 62061 they are allowed up to SIL 2; no fault exclusions are permitted at SIL 3. Under ISO 13849–1, properly justified fault exclusions can be used up to PL e, where “properly justified” fault exclusions are those that can be shown to be valid through the lifetime of the SRP/CS.

In general, fault exclusions for mechanical failures of electromechanical devices such as interlock devices or emergency stop devices are not permitted, with a few exceptions given in ISO 13849–2 (see Clauses 7.2.2.4 and 7.2.2.5).

This approach is consistent with the current approach taken in Canada, as described in CSA Z432 and Z434. Fault exclusions are generally not permitted under ANSI standards.

Worked Examples

Section 8 of the Technical Report gives a couple of worked examples, one done under ISO 13849–1, and one under IEC 62061. For someone looking for a good example of what a properly completed analysis should look like, this section is the gold at the end of the rainbow. Section 8.2 provides a good, clear example of the application of the standards along with a nice, simple example of what a safety requirement specification might look like.

Understanding the Differences

One area where proponents of the two standards often disagree is on the ‘accuracy’ of the analytical procedures given in the two standards. The Technical Report provides a detailed explanation of why the two techniques provide slightly different results and provides the rationale explaining why this variation should be considered acceptable.

To Buy or Not to Buy…

At the end of the day, the question that needs to be answered is whether to buy this document or not. If you use either of these standards, I strongly recommend that you spend the money to get this Technical Report, if for nothing more than the worked examples. Until the two standards are merged, and that could be a few years, you will need to be able to effectively apply these approaches to PL and SIL rated equipment. This Technical Report will be an invaluable aid.

It also provides some guidance on the direction that the new merged standard will take. Some old arguments can be settled, or at least re-directed, by this document.

Finally, since the TR is to be incorporated in both standards and contains material replacing that in the current editions of the standards, you must buy a copy to remain current.

For all of these reasons, I would spend the money to acquire this document, read it and apply it.


If you’ve bought the report and would like to add your thoughts, please add a comment below. Got questions? Contact me!


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.