What has changed and what is new in the amendment to BS EN 62061? David Collier, the Business Development Manager at Pilz Automation Technology, reviews BS EN 62061:2005+A1:2013.
BSI published BS EN 62061:2005+A1:2013 in June 2013, and the equivalent EN 62061:2005/A1:2013 was listed in the Official Journal of the European Union (OJ) as a Machinery Directive Harmonised Standard on 28 November 2013. But what has changed in the amendment to BS EN 62061? Unless you were familiar with the unamended BS EN 62061 Safety of machinery. Functional safety of safety-related electrical, electronic and programmable electronic control systems (which is identical to IEC 62061), you cannot see what the changes are in the amended standard, only where the changes have been made and the new text that has been inserted. What follows is based on a side-by-side comparison of BS EN 62061:2005+A1:2013 and BS EN 62061:2005 (incorporating the corrigenda of July 2005 and April 2008), but readers are responsible for ensuring that any safety-related control systems for machinery in Europe are designed to meet the applicable essential health and safety requirements of the Machinery Directive 2006/42/EC – which readers may choose to do by complying with the correct versions of the relevant harmonised standards.
When to use BS EN 62061 and BS EN ISO 13849-1?
Machine builders who were comfortable designing to BS EN 954-1 were initially confused when it was superseded by BS EN ISO 13849-1, as this standard and BS EN 62061 both appeared to cover the same subject, namely designing machine safety systems by applying functional safety principles. Fortunately this question was addressed succinctly in a table that could be found in both of these standards. However, this table (Table 1, Recommended application of IEC 62061 and ISO 13849-1 (under revision)) has been removed from the Introduction to the amended BS EN 62061.
Although Table 1 has been has been deleted, useful guidance is available in IEC/TR 62061-1:2010 or ISO/TR 23849:2010, the identical technical reports that have been published to assist with the application of IEC 62061 (EN 62061) or ISO 13849-1 (EN ISO 13849-1).
Design of complex programmable electronic subsystems or subsystem elements
In section 1, Scope, there is a new note about the design of complex programmable electronic subsystems or subsystem elements, and this note or similar wording is repeated several times at different points throughout the amended standard. In essence, the note says that it is presumed that the design of complex programmable electronic subsystems or subsystem elements conforms to the relevant requirements of the functional safety standard IEC 61508 and uses Route 1H, as Route 2H is considered to be unsuitable for general machinery.
For information, routes 1H and 2H concern architectural constraints to realise a particular safety integrity level. Route 1H is based upon hardware fault tolerance (HFT) and safe failure fraction (SFF) concepts. For example, to realise a SIL 2 safety function according to EN 62061 one would need a combination of HFT = 0 (single channel carries out the safety function, 1oo1 voting) and SFF 90-99 per cent, or HFT = 1 (dual channel carries out the safety function, with the ability to tolerate one channel failing without loss of the safety function, 1oo2 voting) and SFF 60-90 per cent. This route has always been what EN 62061 stipulates, and the amended standard clarifies that route 2H is not permitted. Route 2H is more applicable in the process industry, and it is based on component reliability data from feedback from end users, increased confidence levels and hardware fault tolerance for specified safety integrity levels; route 2H makes no reference to SFF.
As you would expect, since 2005 there have been changes to the normative references (ie the other standards to which BS EN 62061 refers), so there are appropriate changes in Section 2, Normative references, in the A1 amendment to BS EN 62061. In particular, both ISO 12100-1:2003 and ISO 12100-2:2003 have been deleted and their replacement, ISO 12100:2010, is now included (note, however, that ISO 14121 is still listed, even though this is withdrawn and superseded by ISO 12100:2010). In addition, ISO 13849-1 has been updated to the 2006 edition. Elsewhere in the amended BS EN 62061, standard references have been updated as appropriate.
Terms, definitions and abbreviations
Section 3, Terms, definitions and abbreviations, has mainly been updated with references to the new versions of ISO 12100 and IEC 61508-4. There are also clearer definitions of low demand mode (3.2.26), high demand or continuous mode (3.2.27), probability of dangerous failure per hour (PFHD) (3.2.28), proof test (3.2.37) and diagnostic coverage (3.2.38).
Specification of Safety-Related Control Functions
In Section 5, Requirements for the specification of Safety-Related Control Functions (SRCFs), 18.104.22.168 and 22.214.171.124 have been amalgamated into 5.2.3, Functional requirements specification for SRCFs.
Design and integration of the SRECS
In section 6, Design and integration of the safety-related electrical control system (SRECS), point 126.96.36.199 has been deleted, together with Table 6, Architectural constraints: SIL CL relating to categories. This deleted material relates to the relationships between ISO 13849-1 Categories, hardware fault tolerance, safe failure fraction (SFF) and the maximum SIL Claim Limit (SIL CL) according to the architectural constraints. It has probably been deleted because it implies that it is acceptable to develop a subsystem within a safety function in one standard (EN ISO 13849-1) and then switch to the other standard (EN 62061) - which is not acceptable. Note, however, that although it is not permitted to use two standards to develop a safety function, it is permitted to develop different safety functions on the same machine in either standard. As far as using EN 62061 is concerned, the architectural constrains on subsystems to achieve a particular subsystem SIL CL (based upon hardware fault tolerance and safe failure fraction) is adequately covered in Table 5, which remains in the amended standard.
Estimation of safe failure fraction
Point 6.7.7, Estimation of safe failure fraction (SFF), benefits from a new note in the amended standard, providing some useful sources of information for failure mode ratios for electrical and electronic components. These sources include MIL-spec documents, Siemens standard SN 29500 parts 7 and 11, UTE C 80-810 RDF 2000 Reliability data handbook, and the Reliability Analysis Center’s FMD-91 Failure mode/mechanism distributions (1991 edition). This has been done to offset the removal of Annex D which contained informative examples of failure modes and failure mode ratios for electrical and electronic devices; this information could have gone out of date and was not as extensive as the new references.
Random hardware failures
Point 188.8.131.52.6 has been deleted from 6.7.8, Requirements for the probability of dangerous random hardware failures of subsystems, together with the corresponding Table 7, Probability of dangerous failure. This deleted point related to low-complexity subsystems designed to ISO 13849-1 and meeting the requirements for architectural constraints and systematic safety integrity; the threshold values of the probability of dangerous failure (PFHD) could be found in Table 7 and used to estimate the hardware safety integrity.
Annex A – SIL assignment
The second note has been deleted from this annex. This note referred to C type standards (relating to specific classes of machinery) in which a risk estimation had been carried out to select a required Category in accordance with ISO 13849-1. The note stated that these relationships were commonly used for simplification:
- Required Category 1 to required SIL 1
- Required Category 2 to required SIL 1
- Required Category 3 to required SIL 2
- Required Category 4 to required SIL 3
In addition, the note said that more comprehensive methods of mapping between required Categories and SILs were under consideration.
The deletion of this note reflects the fact that many C type standards are archaic, and referring to Categories alone is, although still commonplace, not state of the art.
Table A.2, Frequency and duration of exposure (Fr) classification, which had already been altered in the second IEC corrigendum in April 2008, has been corrected; the first line now refers to a frequency of exposure of greater than or equal to once per hour (in the unamended standard the frequency was written as less than or equal to once per hour).
Annex D – Failure modes of electrical/electronic components
This annex, which was informative only, has been deleted. It contained Table D.1, Examples of the failure mode ratios for electrical/electronic components, listing components, their potential failure modes and typical failure mode ratios. It has been deleted to simplify the standard and, as mentioned above, useful sources of SFF data are now referenced in section 6.7.7.
Annex E – Electromagnetic (EM) phenomenon and increased immunity levels for SRECS intended for use in an industrial environment according to IEC 6100-6-2
This annex, which was informative only, has been deleted. It contained Table E.1, EM phenomenon and increased immunity levels for SRECS, listing ports (eg enclosure, AC power, DC power, I/O signal control lines), phenomena (eg electrostatic discharge, electromagnetic field, surge), basic standards, and the increased values for additional tests for SRECS performance. However, the deletion of this Annex does not mean that EMC immunity is no longer required. Point 6.4.3, Electromagnetic (EM) immunity, now refers to IEC 61326-3-1, Electrical equipment for measurement, control and laboratory use - EMC requirements - Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) - General industrial applications instead of Annex E. In addition, Table F.1, Criteria for estimation of CCF, in informative Annex F Methodology for the estimation of susceptibility to common cause failures (CCF), now includes this item: is the subsystem immune to adverse influences from electromagnetic interference up to and including the limits specified in IEC 61326-3-1?. The reason behind these changes to EN 62061 is that IEC 61326-3-1 was published in 2008, after the publication of EN 62061.
In addition to the main amendments outlined above, there are other detail changes. Machine builders and system integrators should ensure that they are working to the correct harmonised version of the standard if they are CE marking a machine or preparing a Declaration of Incorporation for partly-completed machinery.
Follow the link for more information about BS EN 62061:2005+A1:2013 from BSI, which is priced at £218 or £109 for Members of BSI. For assistance with interpreting machinery safety standards, please contact Pilz Automation Technology.