IEC 62061 plays a decisive role when it comes to the functional safety (FuSa) of a machine or plant. It covers safety-related electrical, electronic and programmable electronic (E/E/PE) control systems. As a sector-specific standard beneath the basic safety standard IEC 61508, IEC 62061 considers the entire life cycle of a machine or plant from conception to dismantling. The international safety integrity level (SIL), also referred to as the "safety requirement level" (the rendering "security level" that is sometimes seen is misleading, since the SIL addresses safety, not security), serves as an important parameter in describing the safety-related performance capability. This blog post explains what the SIL is all about, why it is required in machine and plant construction and how it is calculated.
EN 61508, the European adoption of IEC 61508, defines the safety integrity level as follows:
The SIL refers to "four well-differentiated levels for specifying the requirement for safety integrity of safety functions assigned to the E/E/PE safety-related system, with Safety Integrity Level 4 being the highest level of safety integrity and Safety Integrity Level 1 being the lowest."
Manufacturers of safety-related components provide the corresponding safety-related characteristics for calculation of the SIL. The Eaton safety manual provides detailed information as well as useful switching and calculation examples.
In addition to the SIL, there is another parameter for safety-related performance capability: the performance level (PL) according to EN ISO 13849-1. The two standards use different classification systems and definitions for their safety levels. Depending on the technology, risk classification and architecture, either the iterative process for designing safety-related parts of a control system (SRP/CS) according to EN ISO 13849-1 or the process for safety-related electrical control systems (SRECS: safety-related electrical, electronic and programmable electronic control systems) according to IEC 62061 must be applied.
It should be noted that IEC 62061 does not include requirements governing the performance of non-electrical (e.g. hydraulic or pneumatic) safety-related control elements. These types of devices are covered by EN ISO 13849-1.
IEC 62061 provides requirements and recommendations for the design, integration and validation of an SRECS. The requirements for the SRECS are derived from the risk assessment according to EN ISO 12100. Based on IEC 62061, the following four steps describe the procedure needed to adequately reduce the probability of systematic failures and random hardware failures that could lead to a dangerous failure of the safety function.
Step 1 - Risk assessment
Various risk parameters must be considered for the risk assessment. IEC 62061 provides the following parameters:
o frequency and duration F of exposure of persons to a hazard
o probability of the occurrence of a hazardous event W
o ways to limit or avoid damage P
F, W and P are each scored with points, and their sum gives the class K. The required SIL is then read from a matrix of severity S against class K.
Step 2 - Design of control architecture
In the second step, the machine or plant manufacturer must define the safety-related control function (SRCF) for the determined SIL. An SRCF may be triggered by a protective door, a light curtain, a hand-operated or foot-operated enabling switch or a two-hand control device, or it may be an emergency stop circuit.
For each SRCF, the engineer must then define a corresponding safety-related electrical control system (SRECS). An SRECS may be composed of an emergency stop button with a safety relay, together with a safety contactor and a power contactor.
For the designed safety function, it is now necessary to determine the achieved safety integrity.
Step 3 - Determination of SIL
For this purpose, the architecture of the various subsystems must first be considered. IEC 62061 distinguishes four different basic subsystem architectures (A, B, C, D), which differ mainly by their hardware fault tolerance HFT and diagnostic function criteria:
In practice, this means that the designed SRCF safety function must be broken down into function blocks and then mapped to subsystems. Function blocks may involve an input (emergency stop button), logic (safety relay) and output function (safety contactor/power contactor), which then each represent a subsystem that has a specific subsystem architecture. The subsystems themselves are described by three parameters:
Subsystems can be made up of different subsystem elements. For each element, the probability of failure must then be determined. The parameters of the subsystem elements are:
Examples for calculating the individual subsystem element parameters are provided in the Eaton safety manual. In principle, calculating individual parameters is not necessary if the manufacturer of the subsystem provides a PFHd value directly.
SIL claim limit
The SIL claim limit (SIL CL) is the maximum SIL that can be claimed for a subsystem with respect to its structural limitations and systematic safety integrity. It is determined from the hardware fault tolerance (HFT) and the safe failure fraction (SFF). The SFF is the sum of the safe failure rate and the dangerous-but-detected failure rate, divided by the total failure rate.
Duration of use T1
IEC 62061 refers to EN ISO 13849-1 with regard to the duration of use and recommends specifying a duration of use of 20 years. A repeat test, known as a "proof test", can be used to confirm that an SRECS still meets the required safety integrity. For a proof test interval of 20 years, T1 is calculated as follows:
T1 = 20 a × 365 d/a × 24 h/d = 175,200 h
The duration of use T1 is required for calculation of the individual failure probabilities of the subsystems.
Determination of the SIL for the overall SRECS system
The probability of dangerous failure of the overall system is obtained by summing the PFHd values of all subsystems involved in the safety function. The SIL of the overall system is then read from Table 3 of IEC 62061.
The structural limitations of the overall system must also be considered: the SIL of the SRECS must be less than or equal to the lowest SIL CL of any subsystem involved in executing the SRCF. A single subsystem with a low SIL CL therefore caps the SIL of the whole system, regardless of how low the summed PFHd is.
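The following Python script is an example added by the editor, not code from Eaton's safety manual or from the standard. It works through Step 1 and Step 3 end to end: the required SIL from the point system (class K from the exposure, probability and avoidance scores, then the severity-against-class matrix), and the achieved SIL of a three-subsystem SRECS (emergency stop, safety relay, contactor pair) from the summed PFHd, capped by the lowest SIL CL. The numeric tables and the architecture B and D formulas are reproduced from IEC 62061:2005 as the editor recalls them and should be verified against your copy of the standard; the failure rates, diagnostic coverage, common-cause factor β and diagnostic test interval are constructed values, not data for any real product.

```python
"""Worked SIL determination per IEC 62061 (added example, not Eaton's code).

Part 1 derives the required SIL from the risk graph (Annex A); part 2 derives
the SIL actually achieved by an SRECS from its subsystems.  The tables are
reproduced from IEC 62061:2005 as recalled by the editor, and the example
SRECS uses made-up failure data: verify both before relying on them.
"""
from dataclasses import dataclass

# ---- Part 1: required SIL (Annex A point system) -----------------------
FR = {"<=1h": 5, "<=1day": 5, "<=2weeks": 4, "<=1year": 3, ">1year": 2}   # exposure
PR = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV = {"impossible": 5, "possible": 3, "likely": 1}                         # avoidance

# Severity Se -> (class range, result); "OM" = other measures recommended
SIL_MATRIX = {
    4: [(3, 4, 2), (5, 7, 2), (8, 10, 2), (11, 13, 3), (14, 15, 3)],
    3: [(5, 7, "OM"), (8, 10, 1), (11, 13, 2), (14, 15, 3)],
    2: [(8, 10, "OM"), (11, 13, 1), (14, 15, 2)],
    1: [(11, 13, "OM"), (14, 15, 1)],
}

def required_sil(se, fr, pr, av):
    """Class K = Fr + Pr + Av, then read the row for severity Se."""
    k = FR[fr] + PR[pr] + AV[av]
    for lo, hi, result in SIL_MATRIX[se]:
        if lo <= k <= hi:
            return result
    return None  # blank cell: no SIL requirement arises on this basis

# ---- Part 2: achieved SIL ----------------------------------------------
T1 = 20 * 365 * 24  # 175 200 h: duration of use / proof-test interval

def sff(lambda_s, lambda_dd, lambda_du):
    """Safe failure fraction: (safe + dangerous-detected) / total failure rate."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)

def sil_cl(hft, sff_value):
    """SIL claim limit from HFT and SFF (IEC 62061 Table 5, as recalled)."""
    band = 0 if sff_value < 0.60 else 1 if sff_value < 0.90 else 2 if sff_value < 0.99 else 3
    cl = band + hft
    return None if cl == 0 else min(cl, 3)  # HFT 0 with SFF < 60 % is not allowed

def sil_from_pfhd(pfhd):
    """IEC 62061 Table 3: PFHd band -> SIL (the standard stops at SIL 3)."""
    if pfhd >= 1e-5:
        return None
    return 1 if pfhd >= 1e-6 else 2 if pfhd >= 1e-7 else 3

def pfhd_arch_b(ld1, ld2, beta):
    """Architecture B: two channels, no diagnostics."""
    return (1 - beta) ** 2 * ld1 * ld2 * T1 + beta * (ld1 + ld2) / 2

def pfhd_arch_d(ld1, ld2, dc1, dc2, beta, t2):
    """Architecture D: two channels with diagnostics, diagnostic test interval t2 (h)."""
    common = (1 - beta) ** 2 * ld1 * ld2
    return (common * ((dc1 + dc2) * t2 / 2 + (2 - dc1 - dc2) * T1 / 2)
            + beta * (ld1 + ld2) / 2)

@dataclass
class Subsystem:
    name: str
    pfhd: float   # 1/h, from an architecture formula or the manufacturer's data sheet
    sil_cl: int

def srecs_sil(subsystems):
    """Overall SIL: sum the PFHd values, then cap by the lowest SIL CL."""
    total = sum(s.pfhd for s in subsystems)
    by_pfhd = sil_from_pfhd(total)
    lowest_cl = min(s.sil_cl for s in subsystems)
    overall = None if by_pfhd is None else min(by_pfhd, lowest_cl)
    return total, by_pfhd, overall

def example():
    """Constructed SRECS: e-stop (arch. B), safety relay (data-sheet PFHd,
    SIL CL 2), two contactors with feedback monitoring (arch. D)."""
    estop = Subsystem("E-stop", pfhd_arch_b(ld1=2e-8, ld2=2e-8, beta=0.1), sil_cl(1, 0.95))
    relay = Subsystem("safety relay", 1.5e-9, 2)
    contactors = Subsystem(
        "contactors",
        pfhd_arch_d(ld1=1e-7, ld2=1e-7, dc1=0.99, dc2=0.99, beta=0.05, t2=1.0),
        sil_cl(1, 0.99),
    )
    return srecs_sil([estop, relay, contactors])

if __name__ == "__main__":
    print("required:", required_sil(4, "<=1day", "likely", "impossible"))
    total, by_pfhd, overall = example()
    print(f"sum PFHd = {total:.2e}/h -> SIL {by_pfhd} by Table 3, SIL {overall} after SIL CL cap")
```

In the constructed example the summed PFHd alone would justify SIL 3, but the safety relay's SIL CL of 2 caps the SRECS at SIL 2, which is exactly the structural limitation described above; the fix is a subsystem with a higher claim limit, not a lower failure rate elsewhere.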
Step 4 - Documentation, implementation and validation of the SRECS
The final step is to document the SRECS and its architecture with the subsystems and subsystem elements. The machine or plant manufacturer must then implement the SRECS in accordance with the documented design. The final part of validation using inspection and testing is to ensure that each SRCF safety function also meets the requirements of the specification.
The safety integrity level is an important component of ensuring a safe machine or plant and thus functional safety. IEC 62061 provides a detailed process for determining and validating the SIL of an SRECS. Compared to the PL, the SIL is particularly suitable for large, complex plants or factories with several machines.