Machinery Safety 101

IEC/TR 62061 – 1 Reviewed

Why You Need to Spend More Cash on Yet Another Document

Stand­ards organ­iz­a­tions pub­lish doc­u­ments in a fairly con­tinu­ous stream, so for those of us tasked with stay­ing cur­rent with a large num­ber of stand­ards (say, more than 10), the pub­lic­a­tion of anoth­er new stand­ard or Tech­nic­al Report isn’t news – it’s busi­ness as usu­al. The ques­tion is always: Do we really need to add this to the library?

For those who are new to this busi­ness, hav­ing to pay for crit­ic­al design inform­a­tion is a new exper­i­ence. Find­ing out that it can cost hun­dreds, if not thou­sands, to build the lib­rary you need can be overwhelming.

This review aims to help you decide if you need IEC/TR 62061 – 1 in your library.

The Problem

As a machine build­er or a man­u­fac­turer build­ing a product designed to be integ­rated into machinery, how do you choose between ISO 13849 – 1 and IEC 62061?

IEC 62061 – 1 attempts to provide guid­ance on how to make this choice.


When CENELEC pub­lished EN 954 – 1 in 1995, machine build­ers were intro­duced to a whole new world of con­trol reli­ab­il­ity require­ments. Pri­or to its pub­lic­a­tion, most machines were built with very simple inter­locks, and no spe­cif­ic stand­ards for inter­lock­ing devices exis­ted. In the years since then, the EN 954 – 1 Cat­egor­ies have become well known and are applied inside and out­side the EU.

In the inter­ven­ing years, IEC pub­lished IEC 61508. This sev­en-part stand­ard intro­duced the idea of ‘Safety Integ­rity  Levels’ or SILs. This stand­ard is aimed at pro­cess con­trol sys­tems and could be used for com­plex machinery as well.

Why the Confusion?

In 2006, IEC pub­lished a machinery sec­tor spe­cif­ic stand­ard based on IEC 61508, called IEC 62061. This stand­ard offered a sim­pli­fied applic­a­tion of the IEC 61508 meth­od­o­logy inten­ded for machine build­ers. The key prob­lem with this stand­ard is that it did not provide a means to deal with pneu­mat­ic or hydraul­ic con­trol ele­ments, which are covered by ISO 13849 – 1.

ISO adop­ted EN 954 – 1 and reis­sued it as ISO 13849 – 1 in 1999. This edi­tion of the stand­ard was vir­tu­ally identic­al to the stand­ard it replaced from a tech­nic­al require­ments per­spect­ive. EN 954 – 1/ISO 13849 – 1 did not provide any means to estim­ate the integ­rity of the safety related con­trols, but did define cir­cuit archi­tec­tures (Cat­egor­ies B, 1 – 4) and spoke to the selec­tion of com­pon­ents, intro­du­cing the con­cepts of ‘well-tried safety prin­ciples’ and ‘well-tried com­pon­ents’. A second prob­lem had long exis­ted in addi­tion to this – EN 954 – 2, Val­id­a­tion, was nev­er pub­lished by CENELEC except as a com­mit­tee draft, so a key ele­ment in the applic­a­tion of the stand­ard had been miss­ing for five years at the point where ISO 13849 – 1 Edi­tion 1 was published.

The first cut at guid­ing users in choos­ing an appro­pri­ate stand­ard came with the pub­lic­a­tion of IEC 62061 Edi­tion 1.  Pub­lished in 2005, Edi­tion 1 included a table that attemp­ted to provide users with some guid­ance on how to choose between ISO 13849 – 1 or IEC 62061.

…and then came 2007…

In 2007, ISO pub­lished the Second Edi­tion of ISO 13849 – 1, and brought a whole new twist to the dis­cus­sion by intro­du­cing ‘Per­form­ance Levels’ or PLs. PLs can be loosely equated to SILs, even though PLs are stated in fail­ures per year and SILs in fail­ures per hour. The same table included in IEC 62061 was included in this edi­tion of ISO 13849 – 1.

Table 1
Recommended application of
IEC 62061 and ISO 13849 – 1(under revision)

(from the Second Edi­tion, 2007)

Tech­no­logy imple­ment­ing the
safety related con­trol function(s)
13849 – 1 (under revision)
IEC 62061
A Non elec­tric­al, e.g. hydraulics X Not covered
B Elec­tromech­an­ic­al, e.g. relays, or 
non-com­plex electronics
Restric­ted to designated
archi­tec­tures (see Note 1) and up to PL=e

All archi­tec­tures and up to

C Com­plex elec­tron­ics, e.g. programmable Restric­ted to designated
archi­tec­tures (see Note 1) and up
to PL=d
All archi­tec­tures and up to 
D A com­bined with B Restric­ted to designated
archi­tec­tures (see Note 1) and up
to PL=e
see Note 3
E C com­bined with B Restric­ted to designated
archi­tec­tures (see Note 1) and up
to PL=d
All archi­tec­tures and up to 
F C com­bined with A, or C com­bined with
A and B
see Note 2
see Note 3

X” indic­ates that this item is dealt with by the stand­ard shown in the column heading.

NOTE 1 Des­ig­nated archi­tec­tures are defined in Annex B of EN ISO 13849 – 1(rev.) to give a sim­pli­fied approach for quan­ti­fic­a­tion of per­form­ance level.

NOTE 2 For com­plex elec­tron­ics: Use of des­ig­nated archi­tec­tures accord­ing to EN ISO 13849 – 1(rev.) up to PL=d or any archi­tec­ture accord­ing to IEC 62061.

NOTE 3 For non-elec­tric­al tech­no­logy use parts accord­ing to EN ISO 13849 – 1(rev.) as subsystems.

So how is a machine build­er to choose the ‘cor­rect’ stand­ard, if both stand­ards are applic­able and both are cor­rect? Fur­ther­more, how do you assess the reli­ab­il­ity of the safety-related con­trols when integ­rat­ing equip­ment from vari­ous sup­pli­ers, some of whom rate their equip­ment in PLs and some in SILs? Why are two stand­ards address­ing the same top­ic required? Will ISO 13849 – 1 and IEC 62061 ever be merged?

The Technical Report

In July this year the IEC pub­lished a Tech­nic­al Report that dis­cusses the selec­tion and applic­a­tion of these two key con­trol reli­ab­il­ity stand­ards for machine build­ers. This guide has long been needed, and pre­cedes a face to face event planned by IEC to bring machine build­ers and stand­ards writers face-to-face to dis­cuss these same issues.

The guide, titled IEC/TR 62061 – 1 — Tech­nic­al Report — Guid­ance on the applic­a­tion of ISO 13849 – 1 and IEC 62061 in the design of safety-related con­trol sys­tems for machinery provides dir­ect guid­ance on how to select between these two standards.

Down­load IEC stand­ards, Inter­na­tion­al Elec­tro­tech­nic­al Com­mis­sion standards.


In the intro­duc­tion to the report the TC makes it clear that the stand­ards will be merged, although they don’t provide any kind of a time line for the mer­ger. Quot­ing from the introduction:

It is inten­ded that this Tech­nic­al Report be incor­por­ated into both IEC 62061 and ISO 13849 – 1 by means of cor­ri­genda that ref­er­ence the pub­lished ver­sion of this doc­u­ment. These cor­ri­genda will also remove the inform­a­tion giv­en in Table 1, Recom­men­ded applic­a­tion of IEC 62061 and ISO 13849 – 1, provided in the com­mon intro­duc­tion to both stand­ards, which is now recog­nized as being out of date. Sub­sequently, it is inten­ded to merge ISO 13849 – 1 and IEC 62061 by means of a JWG of ISO/TC 199 and IEC/TC 44.

I added the bold face to the para­graph above to high­light the key state­ment regard­ing the even­tu­al mer­ger of the two doc­u­ments.  If you’re not famil­i­ar with the stand­ards acronyms, a ‘JWG’ is a Joint Work­ing Group, and a TC is a Tech­nic­al Com­mit­tee. TC’s are formed from volun­teer experts from industry and aca­demia sup­por­ted by their organ­iz­a­tions. So a JWG formed from two TC’s just means that a joint com­mit­tee has been formed to work out the details of the mer­ger. Eventually.

The oth­er key point in this para­graph relates to the replace­ment of Table 1. In the inter­im, IEC/TR 62061 – 1 will be incor­por­ated into both stand­ards, repla­cing Table 1.

Even­tu­ally the con­fu­sion will be cleared up because only one stand­ard will exist in the machinery sec­tor, but until then, machine build­ers will need to fig­ure out which stand­ard best fits their products.

Comparing PL’s and SIL’s

The Tech­nic­al Report does a good job of dis­cuss­ing the dif­fer­ences between PL and SIL, includ­ing provid­ing an explan­a­tion of how to cov­ert one to the oth­er, very use­ful if you are try­ing to integ­rate an SIL rated device into a PL ana­lys­is or vice-versa.

Selecting a Standard

Clause 2.5 gives some sol­id advice on select­ing between the two stand­ards based on the tech­no­lo­gies employed in the design and your own com­fort level in using the ana­lyt­ic­al tech­niques in the two standards.

Anoth­er key point is that EITHER stand­ard can be used to ana­lyze com­plex OR simple con­trol sys­tems. Some fans of IEC 62061 have been known to put ISO 13849 – 1 down as use­ful exclus­ively for simple hard­wired con­trol sys­tems. Clause 3.3 makes it clear that this is not the case. Pick the one you like or know the best and go with that. As an addi­tion­al thought, con­sider which stand­ard your com­pet­it­ors are using, and also which your cus­tom­ers are using. For example, if your cus­tom­ers use ISO 13849 – 1 primar­ily, qual­i­fy­ing your product under IEC 62061 might seem like a good idea, but may drive your cus­tom­ers to a com­pet­it­or who makes their life easi­er by using ISO 13849 – 1. If your com­pet­it­ors are using a dif­fer­ent stand­ard, try to under­stand the choice before climb­ing on the band­wag­on. There may be a com­pet­it­ive advant­age lurk­ing in being different.

Risk Assessment

Clause 4 speaks dir­ectly to the indis­pens­able need to con­duct a meth­od­ic­al risk assess­ment, and to use that to guide the design of the controls.

In my prac­tice, many cli­ents decide that they would prefer to choose a con­trol reli­ab­il­ity level that they feel will be more than good enough for any of their designs, and then to ‘stand­ard­ize’ on that design for all their products, thereby elim­in­at­ing the need to thought­fully decide on the appro­pri­ate design for the applic­a­tion. In oth­er cases, end-users may choose to use a ‘stand­ard’ design through­out their facil­ity to assist main­ten­ance per­son­nel by lim­it­ing their need to become tech­nic­ally famil­i­ar with a vari­ety of designs. This is done to speed troubleshoot­ing and reduce down time and spares stocks.

The prob­lem with this approach can be that some man­agers believe this approach can elim­in­ate the need to con­duct risk assess­ments, see­ing this as a fruit­less, expens­ive and often futile exer­cise. This is emphat­ic­ally NOT the case. Risk assess­ments address much more than the selec­tion of con­trol reli­ab­il­ity require­ments and need to be done to ensure that all haz­ards that can­not be elim­in­ated or sub­sti­tuted are safe­guarded. A miss­ing or badly done risk assess­ment may inval­id­ate your claim to a CE mark, or be the land­mine that ends a liab­il­ity case – with you on the los­ing end.

Safety Requirement Specification (SRS)

Each safety func­tion needs to be defined in detail in a Safety Require­ment Spe­cific­a­tion (SRS). A reli­ab­il­ity assess­ment needs to be com­pleted for each safety func­tion defined in the SRS. This point is dis­cussed in detail in IEC 62061, but is not dealt with in any detail in ISO 13849 – 1, so IEC/TR 62061 – 1 once again bridges the gap by provid­ing an import­ant detail that is miss­ing in one of the two standards.

If you are unfa­mil­i­ar with the concept of an SRS, each safety func­tion needs to be described with a cer­tain min­im­um amount of inform­a­tion, including:

  • The name of safety function;
  • A descrip­tion of the function;
  • The required level of per­form­ance based on the risk assess­ment and accord­ing to either ISO 13849 – 1 (PLr a to e) or the required safety integ­rity accord­ing to IEC 62061 (SIL 1 to 3)

Once the safety func­tions are defined and ana­lyzed, each safety func­tion must be imple­men­ted by a con­trol cir­cuit. The selec­ted PL will drive the design to one or two of the defined ISO 13849 – 1 archi­tec­tures, and then the com­pon­ent selec­tions and oth­er design details will drive the final fail­ure rate and PL. Altern­at­ively, the SRS will drive the selec­tion of IEC 62061 archi­tec­ture (1oo1, 1oo2, 2oo2, etc.) and the rest of the design details will lead to the final fail­ure rate and SIL.

Table 1 in the Tech­nic­al Report com­pares the levels.

Table 1 – Relationship between PLs and SILs based on the average probability
of dangerous failure per hour

Per­form­ance Level (PL) Aver­age prob­ab­il­ity of a dangerous
fail­ure per hour (1/h)
Safety integ­rity level (SIL)
a >= 10-5 to < 10-4 No spe­cial safety requirements
b >= 3 x 10-6 to < 10-5 1
c >= 10-6 to < 3 x 10-6 1
d >= 10-7 to < 10-6 2
e >= 10-8 to < 10-7 3

This table com­bines ISO 13849 – 1 2007, Tables 3 & 4. No sim­il­ar tables exist in IEC 62061 2005.

Combining Equipment with PLs and SILs

Sec­tion 7 of the report speaks to the chal­lenge of integ­rat­ing equip­ment with rat­ings in a mix of PLs and SILs. Until the stand­ards merge and a single sys­tem for describ­ing reli­ab­il­ity cat­egor­ies is agreed on, this prob­lem will be with us.

When design­ing sys­tems using either sys­tem the design­er has to determ­ine the approx­im­ate rate of dan­ger­ous fail­ures. In ISO 13849 – 1, MTTFd is the com­pon­ent fail­ure rate para­met­er, while in IEC 62061, PFHd is the sub­sys­tem fail­ure rate para­met­er. MTTFd does not con­sider dia­gnostics or archi­tec­ture, only the com­pon­ent fail­ure rate per year, while PFHd does include dia­gnostics and archti­tec­ture, and it speaks to the sys­tem fail­ure rate per hour. To com­pare these rates, ISO 13849 – 1 Annex K describes the rela­tion­ship between MTTFd and PFHd for dif­fer­ent architectures.

In the design pro­cess only one meth­od can be used, so where equip­ment with dif­fer­ent rat­ings must be com­bined the fail­ure rates must be con­ver­ted to either MTTFd or to PFHd, depend­ing on the sys­tem being used to com­plete the ana­lys­is. Mix­ing require­ments with­in the design of a sub­sys­tem is not per­mit­ted (See Clause 7.3.3).

Fault Exclusions

Fault exclu­sions are per­mit­ted under both stand­ards with some lim­it­a­tions: up to IEC 62061 SIL 2. No fault exclu­sions are per­mit­ted in SIL 3. Prop­erly jus­ti­fied fault exclu­sions can be used up to PLe. “Prop­erly jus­ti­fied” fault exclu­sions are those that can be shown to be val­id through the life­time of the SRP/CS.

In gen­er­al, fault exclu­sions for mech­an­ic­al fail­ures of elec­tromech­an­ic­al devices such as inter­lock devices or emer­gency stop devices are not per­mit­ted, with a few excep­tions giv­en in ISO 13849 – 2, (See Clauses and

This approach is con­sist­ent with the cur­rent approach taken in Canada, as described in CSA Z432 & Z434. Fault exclu­sions are gen­er­ally not per­mit­ted under ANSI standards.

Worked Examples

Sec­tion 8 of the Tech­nic­al Report gives a couple of worked examples, one done under ISO 13849 – 1, and one under IEC 62061. For someone look­ing for a good example of what a prop­erly com­pleted ana­lys­is should look like, this sec­tion is the gold at the end of the rain­bow. Sec­tion 8.2 provides a good, clear example of the applic­a­tion of the stand­ards along with a nice, simple example of what a safety require­ment spe­cific­a­tion might look like.

Understanding the Differences

One area where pro­ponents of the two stand­ards often dis­agree is on the ‘accur­acy’ of the ana­lyt­ic­al pro­ced­ures giv­en in the two stand­ards. The Tech­nic­al Report provides a detailed explan­a­tion of why the two tech­niques provide slightly dif­fer­ent res­ults and provides the rationale explain­ing why this vari­ation should be con­sidered acceptable.

To Buy or Not to Buy…

At the end of the day, the ques­tion that needs to be answered is wheth­er to buy this doc­u­ment or not. If you use either of these stand­ards, I strongly recom­mend that you spend the money to get this Tech­nic­al Report, if for noth­ing more than the worked examples. Until the two stand­ards are merged, and that could be a few years, you will need to be able to effect­ively apply these approaches to PL and SIL rated equip­ment. This Tech­nic­al Report will be an invalu­able aid.

It also provides some guid­ance on the dir­ec­tion that the new merged stand­ard will take. Some old argu­ments can be settled, or at least re-dir­ec­ted, by this document.

Finally, since the TR is to be incor­por­ated in both stand­ards and con­tains mater­i­al repla­cing that in the cur­rent edi­tions of the stand­ard, you must buy a copy to remain current.

For all of these reas­ons, I would spend the money to acquire this doc­u­ment, read and apply it.

Down­load IEC stand­ards, Inter­na­tion­al Elec­tro­tech­nic­al Com­mis­sion standards.

Down­load ISO Standards 

If you’ve bought the report and would like to add your thoughts, please add a com­ment below. Got ques­tions? Con­tact me!

7 thoughts on “IEC/TR 62061 – 1 Reviewed

  1. Hi Doug,
    Thanks for the read, it was very eyeopening.
    I have one remark;
    You wrote that the SRS (Safety require­ment Spe­cific­a­tion) is not dealt with in ISO 13849 – 1. I guess that’s true but the soft­ware I use (Sis­tema) does ask you to spe­cify the neces­sary require­ments, that is, filling in the fields for the name and descrip­tion of the safety func­tion. The required per­form­ance level is ofcourse man­dat­ory in the soft­ware to be able to work out the over­all performance.
    The prob­lem I am facing now is that there is not enough inform­a­tion avail­able from man­u­fac­tur­ers world­wide to ful­fill the require­ments. And I mean MTTFd data.. Might be an idea to write a blog on this topic..?

    1. Wouter,

      Thanks for the com­ments! I’m glad you found the review useful!

      I agree that Sis­tema requires the equi­val­ent of an SRS, and this is the cor­rect approach in my opin­ion. I think that the ISO TC decided to sim­pli­fy the ana­lyt­ic­al approach giv­en in the stand­ard as much as pos­sible, since the machine build­ing com­munity was already strug­gling with imple­ment­ing EN 954 – 1:96 or ISO 13849 – 1 1999. This is sup­por­ted by the EC Machinery Work­ing Group’s decision earli­er this year to extend the trans­ition peri­od from EN 954 – 1 to ISO 13849 – 1 Edi­tion 2 until the end of 2012. 

      I’ve had the same exper­i­ence as you in try­ing to find MTTFd data or B10d data. In a recent ana­lys­is I con­duc­ted for a cli­ent, I ended up hav­ing to use the default ’10 years’ for a sig­ni­fic­ant num­ber of com­pon­ents. In some cases, addi­tion­al data can be found in some of the oth­er reli­ab­il­ity stand­ards, like MIL-HDBK-217F, UTE 80810, NPRD 95 or the Siemens SN 29500 documents.

      I like your idea for an art­icle! Keep watching!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.