{"id":390301,"date":"2024-10-20T03:54:06","date_gmt":"2024-10-20T03:54:06","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/bs-en-iec-620612021-tc\/"},"modified":"2024-10-26T07:11:12","modified_gmt":"2024-10-26T07:11:12","slug":"bs-en-iec-620612021-tc","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/bsi\/bs-en-iec-620612021-tc\/","title":{"rendered":"BS EN IEC 62061:2021 – TC"},"content":{"rendered":"
This International Standard specifies requirements and makes recommendations for the design, integration and validation of safety-related control systems (SCS) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner.

This document is a machinery sector specific standard within the framework of IEC 61508 (all parts).

The design of complex programmable electronic subsystems or subsystem elements is not within the scope of this document. This is in the scope of IEC 61508 or standards linked to it; see Figure 1.

NOTE 1 Elements such as systems on chip or microcontroller boards are considered complex programmable electronic subsystems.

The main body of this sector standard specifies general requirements for the design and verification of a safety-related control system intended to be used in high/continuous demand mode.

This document:

– is concerned only with functional safety requirements intended to reduce the risk of hazardous situations;
– is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a co-ordinated manner.

NOTE 2 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards. For example, where a machine(s) is part of a process activity, additional information is available in IEC 61511.

This document does not cover:

– electrical hazards arising from the electrical control equipment itself (e.g. electric shock – see IEC 60204-1);
– other safety requirements necessary at the machine level such as safeguarding;
– specific measures for security aspects – see IEC TR 63074.

This document is not intended to limit or inhibit technological advancement.

Figure 1 illustrates the scope of this document.

[Figure 1 – Scope of this document]
PDF Pages | PDF Title
---|---
1 | 30447129
233 | A-30379166
234 | undefined
240 | Annex ZA (normative) Normative references to international publications with their corresponding European publications
241 | Annex ZZ (informative) Relationship between this European standard and the essential requirements of Directive 2006/42/EC [2006 OJ L 157] aimed to be covered
243 | English CONTENTS
249 | FOREWORD
251 | INTRODUCTION
252 | 1 Scope
253 | 2 Normative references
253 | Figure 1 – Scope of this document
254 | 3 Terms, definitions and abbreviations
254 | 3.1 Alphabetical list of definitions
254 | Table 1 – Terms used in IEC 62061
256 | 3.2 Terms and definitions
269 | 3.3 Abbreviations
269 | 4 Design process of an SCS and management of functional safety
269 | 4.1 Objective
269 | Table 2 – Abbreviations used in IEC 62061
270 | 4.2 Design process
270 | Figure 2 – Integration within the risk reduction process of ISO 12100 (extract)
271 | Figure 3 – Iterative process for design of the safety-related control system
272 | 4.3 Management of functional safety using a functional safety plan
272 | Figure 4 – Example of a combination of subsystems as one SCS
274 | 4.4 Configuration management
274 | 4.5 Modification
275 | 5 Specification of a safety function
275 | 5.1 Objective
275 | 5.2 Safety requirements specification (SRS)
275 | 5.2.1 General
275 | 5.2.2 Information to be available
276 | 5.2.3 Functional requirements specification
276 | 5.2.4 Estimation of demand mode of operation
277 | 5.2.5 Safety integrity requirements specification
277 | Figure 5 – By activating a low demand safety function at least once per year it can be assumed to be high demand
277 | Table 3 – SIL and limits of PFH values
278 | 6 Design of an SCS
278 | 6.1 General
278 | 6.2 Subsystem architecture based on top down decomposition
278 | 6.3 Basic methodology – Use of subsystem
278 | 6.3.1 General
279 | 6.3.2 SCS decomposition
280 | 6.3.3 Sub-function allocation
280 | 6.3.4 Use of a pre-designed subsystem
280 | Figure 6 – Examples of typical decomposition of a safety function into sub-functions and its allocation to subsystems
281 | 6.4 Determination of safety integrity of the SCS
281 | 6.4.1 General
281 | 6.4.2 PFH
281 | Figure 7 – Example of safety integrity of a safety function based on allocated subsystems as one SCS
281 | Table 4 – Required SIL and PFH of pre-designed subsystem
282 | 6.5 Requirements for systematic safety integrity of the SCS
282 | 6.5.1 Requirements for the avoidance of systematic hardware failures
283 | 6.5.2 Requirements for the control of systematic faults
284 | 6.6 Electromagnetic immunity
284 | 6.7 Software based manual parameterization
284 | 6.7.1 General
284 | 6.7.2 Influences on safety-related parameters
285 | 6.7.3 Requirements for software based manual parameterization
286 | 6.7.4 Verification of the parameterization tool
286 | 6.7.5 Performance of software based manual parameterization
286 | 6.8 Security aspects
287 | 6.9 Aspects of periodic testing
287 | 7 Design and development of a subsystem
287 | 7.1 General
288 | 7.2 Subsystem architecture design
288 | Table 5 – Relevant information for each subsystem
289 | 7.3 Requirements for the selection and design of subsystem and subsystem elements
289 | 7.3.1 General
289 | 7.3.2 Systematic integrity
292 | 7.3.3 Fault consideration and fault exclusion
293 | 7.3.4 Failure rate of subsystem element
296 | 7.4 Architectural constraints of a subsystem
296 | 7.4.1 General
297 | 7.4.2 Estimation of safe failure fraction (SFF)
297 | Table 6 – Architectural constraints on a subsystem: maximum SIL that can be claimed for an SCS using the subsystem
298 | 7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem
299 | 7.4.4 Realization of diagnostic functions
300 | 7.5 Subsystem design architectures
300 | 7.5.1 General
300 | 7.5.2 Basic subsystem architectures
301 | Figure 8 – Subsystem A logical representation
301 | Figure 9 – Subsystem B logical representation
301 | Figure 10 – Subsystem C logical representation
302 | 7.5.3 Basic requirements
302 | Figure 11 – Subsystem D logical representation
302 | Table 7 – Overview of basic requirements and interrelation to basic subsystem architectures
303 | 7.6 PFH of subsystems
303 | 7.6.1 General
303 | 7.6.2 Methods to estimate the PFH of a subsystem
303 | 7.6.3 Simplified approach to estimation of contribution of common cause failure (CCF)
303 | 8 Software
303 | 8.1 General
304 | 8.2 Definition of software levels
304 | Table 8 – Different levels of application software
305 | 8.3 Software – Level 1
305 | 8.3.1 Software safety lifecycle – SW level 1
305 | Figure 12 – V-model for SW level 1
305 | Figure 13 – V-model for software modules customized by the designer for SW level 1
306 | 8.3.2 Software design – SW level 1
308 | 8.3.3 Module design – SW level 1
308 | 8.3.4 Coding – SW level 1
309 | 8.3.5 Module test – SW level 1
309 | 8.3.6 Software testing – SW level 1
310 | 8.3.7 Documentation – SW level 1
310 | 8.3.8 Configuration and modification management process – SW level 1
311 | 8.4 Software level 2
311 | 8.4.1 Software safety lifecycle – SW level 2
311 | Figure 14 – V-model of software safety lifecycle for SW level 2
312 | 8.4.2 Software design – SW level 2
314 | 8.4.3 Software system design – SW level 2
314 | 8.4.4 Module design – SW level 2
315 | 8.4.5 Coding – SW level 2
316 | 8.4.6 Module test – SW level 2
316 | 8.4.7 Software integration testing – SW level 2
316 | 8.4.8 Software testing – SW level 2
317 | 8.4.9 Documentation – SW level 2
318 | 8.4.10 Configuration and modification management process – SW level 2
318 | 9 Validation
318 | 9.1 Validation principles
320 | Figure 15 – Overview of the validation process
321 | 9.1.1 Validation plan
321 | 9.1.2 Use of generic fault lists
321 | 9.1.3 Specific fault lists
322 | 9.1.4 Information for validation
322 | 9.1.5 Validation record
323 | 9.2 Analysis as part of validation
323 | 9.2.1 General
323 | 9.2.2 Analysis techniques
323 | 9.2.3 Verification of safety requirements specification (SRS)
324 | 9.3 Testing as part of validation
324 | 9.3.1 General
324 | 9.3.2 Measurement accuracy
325 | 9.3.3 More stringent requirements
325 | 9.3.4 Test samples
325 | 9.4 Validation of the safety function
325 | 9.4.1 General
326 | 9.4.2 Analysis and testing
326 | 9.5 Validation of the safety integrity of the SCS
326 | 9.5.1 General
326 | 9.5.2 Validation of subsystem(s)
327 | 9.5.3 Validation of measures against systematic failures
327 | 9.5.4 Validation of safety-related software
328 | 9.5.5 Validation of combination of subsystems
328 | 10 Documentation
328 | 10.1 General
328 | 10.2 Technical documentation
329 | Table 9 – Documentation of an SCS
330 | 10.3 Information for use of the SCS
330 | 10.3.1 General
330 | 10.3.2 Information for use given by the manufacturer of subsystems
331 | 10.3.3 Information for use given by the SCS integrator
333 | Annex A (informative) Determination of required safety integrity
333 | A.1 General
333 | A.2 Matrix assignment for the required SIL
333 | A.2.1 Hazard identification/indication
333 | A.2.2 Risk estimation
333 | Figure A.1 – Parameters used in risk estimation
334 | A.2.3 Severity (Se)
334 | A.2.4 Probability of occurrence of harm
334 | Table A.1 – Severity (Se) classification
335 | Table A.2 – Frequency and duration of exposure (Fr) classification
336 | Table A.3 – Probability (Pr) classification
337 | A.2.5 Class of probability of harm (Cl)
337 | A.2.6 SIL assignment
337 | Table A.4 – Probability of avoiding or limiting harm (Av) classification
337 | Table A.5 – Parameters used to determine class of probability of harm (Cl)
338 | Table A.6 – Matrix assignment for determining the required SIL (or PLr) for a safety function
339 | A.3 Overlapping hazards
339 | Figure A.2 – Example proforma for SIL assignment process
340 | Annex B (informative) Example of SCS design methodology
340 | B.1 General
340 | B.2 Safety requirements specification
340 | B.3 Decomposition of the safety function
340 | Table B.1 – Safety requirements specification – example of overview
341 | B.4 Design of the SCS by using subsystems
341 | B.4.1 General
341 | B.4.2 Subsystem 1 design – “guard door monitoring”
341 | Figure B.1 – Decomposition of the safety function
341 | Figure B.2 – Overview of design of the subsystems of the SCS
343 | B.4.3 Subsystem 2 design – “evaluation logic”
344 | B.4.4 Subsystem 3 design – “motor control”
344 | B.4.5 Evaluation of the SCS
345 | B.4.6 PFH
345 | B.5 Verification
345 | B.5.1 General
345 | B.5.2 Analysis
345 | Table B.2 – Systematic integrity – example of overview
346 | B.5.3 Tests
346 | Table B.3 – Verification by tests
347 | Annex C (informative) Examples of MTTFD values for single components
347 | C.1 General
347 | C.2 Good engineering practices method
347 | C.3 Hydraulic components
348 | C.4 MTTFD of pneumatic, mechanical and electromechanical components
348 | Table C.1 – Standards references and MTTFD or B10D values for components
350 | Annex D (informative) Examples for diagnostic coverage (DC)
350 | Table D.1 – Estimates for diagnostic coverage (DC) (1 of 2)
352 | Annex E (informative) Methodology for the estimation of susceptibility to common cause failures (CCF)
352 | E.1 General
352 | E.2 Methodology
352 | E.2.1 Requirements for CCF
352 | E.2.2 Estimation of effect of CCF
353 | Table E.1 – Criteria for estimation of CCF
354 | Table E.2 – Criteria for estimation of CCF
355 | Annex F (informative) Guideline for software level 1
355 | F.1 Software safety requirements
355 | Table F.1 – Example of relevant documents related to the simplified V-model
356 | F.2 Coding guidelines
356 | Table F.2 – Examples of coding guidelines
357 | F.3 Specification of safety functions
357 | Figure F.1 – Plant sketch
358 | F.4 Specification of hardware design
358 | Table F.3 – Specified safety functions
359 | Table F.4 – Relevant list of input and output signals
360 | F.5 Software system design specification
360 | Figure F.2 – Principal module architecture design
361 | Figure F.3 – Principal design approach of logical evaluation
362 | F.6 Protocols
362 | Figure F.4 – Example of logical representation (program sketch)
362 | Table F.5 – Example of simplified cause and effect matrix
363 | Table F.6 – Verification of software system design specification
363 | Table F.7 – Software code review
364 | Table F.8 – Software validation
365 | Annex G (informative) Examples of safety functions
365 | Table G.1 – Examples of typical safety functions
366 | Annex H (informative) Simplified approaches to evaluate the PFH value of a subsystem
366 | H.1 Table allocation approach
367 | Table H.1 – Allocation of PFH value of a subsystem
368 | H.2 Simplified formulas for the estimation of PFH
368 | H.2.1 General
368 | H.2.2 Basic subsystem architecture A: single channel without a diagnostic function
368 | Figure H.1 – Subsystem A logical representation
368 | Table H.2 – Relationship between B10D, operations and MTTFD
369 | H.2.3 Basic subsystem architecture B: dual channel without a diagnostic function
369 | H.2.4 Basic subsystem architecture C: single channel with a diagnostic function
369 | Figure H.2 – Subsystem B logical representation
369 | Figure H.3 – Subsystem C logical representation
370 | Figure H.4 – Correlation of subsystem C and the pertinent fault handling function
370 | Figure H.5 – Subsystem C with external fault handling function
372 | Figure H.6 – Subsystem C with external fault diagnostics
372 | Figure H.7 – Subsystem C with external fault reaction
372 | Figure H.8 – Subsystem C with internal fault diagnostics and internal fault reaction
373 | Table H.3 – Minimum value of 1/λD FH for the applicability of PFH equation (H.4)
374 | H.2.5 Basic subsystem architecture D: dual channel with a diagnostic function(s)
374 | Figure H.9 – Subsystem D logical representation
375 | H.3 Parts count method
376 | Annex I (informative) The functional safety plan and design activities
376 | I.1 General
376 | I.2 Example of a machine design plan including a safety plan
376 | I.3 Example of activities, documents and roles
376 | Figure I.1 – Example of a machine design plan including a safety plan
377 | Figure I.2 – Example of activities, documents and roles (1 of 2)
379 | Annex J (informative) Independence for reviews and testing/verification/validation activities
379 | J.1 Software design
379 | J.2 Validation
379 | Table J.1 – Minimum levels of independence for review, testing and verification activities
379 | Table J.2 – Minimum levels of independence for validation activities
381 | Bibliography

","protected":false},"excerpt":{"rendered":"Tracked Changes. Safety of machinery. Functional safety of safety-related control systems