Providing Safety

EN IEC 62061

EN IEC 62061 functional safety of programmable systems

The harmonised standard EN IEC 62061 covers all safety-relevant parts of electrical control systems in machinery. The standard applies to the whole life cycle of the machine from design to decommissioning.

EN IEC 62061 is the basis for the successful integration of safety-related electrical controls that comply with EN ISO 13849-1 and EN IEC 61508, and it defines the key requirements for validating the safety functions.

As with EN ISO 13849-1, the goal is to determine whether the implemented safety measures are suitable for reducing safety risks. In EN IEC 62061 this is assessed by using the risk graph and expressed in one of three Safety Integrity Levels (SIL), where SIL1 applies to the lowest safety risk and SIL3 to the highest.

Use the risk graph to determine the Safety Integrity Level (SIL)

How does a risk assessment according to EN 62061 work? Risk assessment is an iterative process. This means that it may be necessary to go through the process several times.

The risk must be assessed and the SIL determined for each hazard whose risk needs to be reduced by control-technology measures.

The risk is estimated by EN IEC 62061 considering:

Se Severity of injury
Fr Frequency and duration of exposure to the hazard
Pr The likelihood of a hazardous event occurring
Av The possibility to avoid or reduce damage

Classification of severity of injury (Se)

Se 4 Irreversible: death, loss of an arm or eye
Se 3 Irreversible: broken limbs, loss of finger(s)
Se 2 Reversible: medical treatment required
Se 1 First aid (FAFS) required

Probability classification (Pr)

Pr 5 Very high
Pr 4 Likely
Pr 3 Possible
Pr 2 Rare
Pr 1 Negligible

To determine the risks, complex calculations are required. The PAScal calculation software makes this easier and more transparent.

Classification of frequency and duration of exposure (Fr), for an exposure duration > 10 min

Fr 5 <= 1 hour
Fr 5 > 1 hour to <= 1 day
Fr 4 > 1 day to <= 2 weeks
Fr 3 > 2 weeks to <= 1 year
Fr 2 > 1 year

Classification of the possibility of avoiding or limiting harm (Av)

Av 5 Impossible
Av 3 Rare
Av 1 Likely


Safety Integrity Level (SIL) assignment matrix

The SIL is determined using the following table. The class K is the sum of the three probability-related parameters defined above: K = Fr + Pr + Av.

Severity (Se)   Class K 3–4   Class K 5–7   Class K 8–10   Class K 11–13   Class K 14–15
4               SIL 2         SIL 2         SIL 2          SIL 3           SIL 3
3               –             (OM)*         SIL 1          SIL 2           SIL 3
2               –             –             (OM)*          SIL 1           SIL 2
1               –             –             –              (OM)*           SIL 1

– = no entry

* OM = Other measures

What requirements should be taken into account?

The following minimum requirements apply when the design of the relevant safety functions is selected:

1. Structural limitations of subsystems

The SIL achieved by the SRECS (Safety-Related Electrical Control System) on the basis of the structural constraints is lower than or equal to the lowest SIL claim limit (SILCL) of any subsystem involved in executing the safety function. The control system architecture, expressed as hardware fault tolerance (HFT), and the safe failure fraction (SFF) determine the SILCL of each subsystem.

Safe failure fraction (SFF)   HFT 0           HFT 1   HFT 2
< 60%                         Not permitted   SIL 1   SIL 2
60% to < 90%                  SIL 1           SIL 2   SIL 3
90% to < 99%                  SIL 2           SIL 3   SIL 3
>= 99%                        SIL 3           SIL 3   SIL 3


2. Probability of random dangerous hardware failure

The probability of a dangerous failure of each Safety-Related Control Function (SRCF) due to random dangerous hardware failures shall be equal to or less than the failure limit given in the safety requirements specification.

SIL according to EN 62061   Probability of a dangerous failure per hour (PFHD) [1/h]
SIL 3                       >= 10^-8 to < 10^-7
SIL 2                       >= 10^-7 to < 10^-6
SIL 1                       >= 10^-6 to < 10^-5
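The whole procedure described on this page (risk parameters to class K, the SIL matrix, the SFF/HFT structural constraint and the PFHD bands) as an added Python example; this is not code from the page or from the standard, and the combination rule (achieved SIL = highest SIL allowed by both the lowest subsystem SILCL and the PFHD limit) is this example's reading of the two minimum requirements above.

```python
# Added example, not code from the page or from the standard: encodes the
# EN IEC 62061 tables above so a SIL assessment can be reproduced and checked.

# SIL matrix: Se -> result per K class column (3-4, 5-7, 8-10, 11-13, 14-15).
# None = no entry, "OM" = other measures.
K_CLASSES = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
    2: [None, None, "OM", "SIL 1", "SIL 2"],
    1: [None, None, None, "OM", "SIL 1"],
}
# Structural constraint: (SFF lower bound, SILCL for HFT 0, 1, 2); 0 = not permitted.
SFF_TABLE = [(0.99, (3, 3, 3)), (0.90, (2, 3, 3)), (0.60, (1, 2, 3)), (0.0, (0, 1, 2))]
# Upper PFHD limit [1/h] that a design must stay below to claim the SIL.
PFHD_LIMIT = {3: 1e-7, 2: 1e-6, 1: 1e-5}


def required_sil(se, fr, pr, av):
    """Risk-graph step: validate the parameters, form K = Fr + Pr + Av, read the matrix."""
    if se not in SIL_MATRIX or fr not in (2, 3, 4, 5) or pr not in range(1, 6) or av not in (1, 3, 5):
        raise ValueError("parameter outside the EN IEC 62061 classification")
    k = fr + pr + av  # always 4..15, so exactly one K class matches
    col = next(i for i, (lo, hi) in enumerate(K_CLASSES) if lo <= k <= hi)
    return SIL_MATRIX[se][col]


def silcl_from_structure(sff, hft):
    """SIL claim limit of one subsystem from its safe failure fraction and hardware fault tolerance."""
    if not 0.0 <= sff <= 1.0 or hft not in (0, 1, 2):
        raise ValueError("SFF must be 0..1 and HFT 0, 1 or 2")
    return next(row[hft] for bound, row in SFF_TABLE if sff >= bound)


def achieved_sil(subsystems, pfhd_total):
    """SIL the SRECS can claim: capped by the lowest subsystem SILCL and by the PFHD band (0 = none)."""
    structural_cap = min(silcl_from_structure(sff, hft) for sff, hft in subsystems)
    for sil in (3, 2, 1):
        if sil <= structural_cap and pfhd_total < PFHD_LIMIT[sil]:
            return sil
    return 0


def meets_requirement(se, fr, pr, av, subsystems, pfhd_total):
    """True if the design reaches the SIL the risk graph demands (None/OM need no SIL)."""
    target = required_sil(se, fr, pr, av)
    if target in (None, "OM"):
        return True
    return achieved_sil(subsystems, pfhd_total) >= int(target.split()[1])
```

`subsystems` is a list of (SFF, HFT) pairs for every subsystem in the safety function and `pfhd_total` is the summed PFHD of the SRCF in 1/h; both are assumed inputs you take from the component data.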