Functional safety with EN IEC 62061 and EN ISO 13849-1

When does which standard apply?

  EN IEC 62061    | Technology                                      | EN ISO 13849-1
  Applicable 1)   | Electrical/electronic/programmable electronic   | Applicable 1)
  Not applicable  | Hydraulic/pneumatic/mechanical                  | Applicable

  1) Compliance with just one standard is generally sufficient to assume compliance.

Lexicon

Architecture: Specific configuration of hardware and software elements in a system.

B10d: Lifetime of products before 10 % of the product range fails dangerously.

Beta factor or common cause factor: CCF measurement; proportion of failures which have a common cause.

PFD: Probability of failure on demand.

PFDavg: Average probability of failure on demand.

PFH: Probability of dangerous failure per hour.

PFHD: Probability of a dangerous failure per hour; the average probability of dangerous failure per hour.

Redundancy: The duplication of means required by a functional entity to perform a required function, or in order for data to represent information.
Risk assessment and definition of the required safety integrity level (SIL), EN IEC 62061

  Consequences                   | Severity Se | Frequency and duration  | Fr | Probability of hazardous event | Pr | Avoidance  | Av
  Death, losing an eye or arm    | 4           | <= 1 hour               | 5  | Very high                      | 5  |            |
  Permanent, losing fingers      | 3           | > 1 h to <= 1 day       | 5  | Likely                         | 4  |            |
  Reversible, medical attention  | 2           | > 1 day to <= 2 weeks   | 4  | Possible                       | 3  | Impossible | 5
  Reversible, first aid          | 1           | > 2 weeks to <= 1 year  | 3  | Rarely                         | 2  | Possible   | 3
                                 |             | > 1 year                | 2  | Negligible                     | 1  | Likely     | 1

  Class Cl (Cl = Fr + Pr + Av)   | 3-4    | 5-7    | 8-10   | 11-13  | 14-15
  Se = 4                         | SIL 2  | SIL 2  | SIL 2  | SIL 3  | SIL 3
  Se = 3                         |        | OM     | SIL 1  | SIL 2  | SIL 3
  Se = 2                         |        |        | OM     | SIL 1  | SIL 2
  Se = 1                         |        |        |        | OM     | SIL 1

  OM = other measures required

Determination of the required performance level (PLr), EN ISO 13849-1

  Risk graph, read from the starting point for evaluation of safety functions through S, F and P to the required performance level:

  S  Severity of injury
     S1 = Slight (normally reversible injury)
     S2 = Serious (normally irreversible injury including death)
  F  Frequency and/or exposure to a hazard
     F1 = Seldom to less often and/or the exposure time is short
     F2 = Frequent to continuous and/or the exposure time is long
  P  Possibilities of avoiding the hazard or limiting the harm
     P1 = Possible under specific conditions
     P2 = Scarcely possible

  Required performance level (PLr), from a (low contribution to risk reduction) to e (high contribution to risk reduction):
  S1 F1 P1: a | S1 F1 P2: b | S1 F2 P1: b | S1 F2 P2: c | S2 F1 P1: c | S2 F1 P2: d | S2 F2 P1: d | S2 F2 P2: e

Estimation of CCF factor (EN IEC 62061)

  Overall score | Common cause failure factor (beta)
  < 35          | 10 % (0.1)
  35 to 65      | 5 % (0.05)
  66 to 85      | 2 % (0.02)
  86 to 100     | 1 % (0.01)

Determination of common cause failures

  Requirement                                                | SIL points (EN IEC 62061) | PL points (EN ISO 13849-1)
  Physical separation of safety circuits and other circuits  | 25                        | 15 %
  Diversity (use of diverse technologies)                    | 38                        | 20 %
  Design/application/experience                              | 2                         | 20 %
  Assessment/analysis                                        | 18                        | 5 %
  Competence/training                                        | 4                         | 5 %
  Environmental influences (EMC, temperature, ...)           | 18                        | 35 %

Assessment of CCF influence (EN ISO 13849-1)

  Evaluation CCF: Compliance >= 65 %; Noncompliance < 65 %

Category (CAT): Classification of the safety related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, which is achieved by the structural arrangement of the parts, by fault detection and/or by their reliability.

CCF: Failure due to a common cause.

Demand rate rd: Frequency of demands per time unit for a safety related action of an SRP/CS.

Diagnostic coverage (DC): Measure for the effectiveness of diagnostics; may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures.

DCavg: Average diagnostic coverage.

Diagnostic test interval: Time period between online tests carried out in order to detect faults in a safety related system with the specified degree of diagnostic coverage.

Diversity: Use of diverse means to execute a required function.

Repeat test: Recurring test designed to detect failures in a safety related system, with the aim of allowing the system to be restored, if necessary, to as-new status or to a status which is as close as possible to this status under the given practical constraints.

Residual risk: Risk remaining after protective measures have been taken.

Risk: Combination of the probability of occurrence of harm and the severity of that harm.

Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.

Risk assessment: The overall process comprising risk analysis and risk evaluation.

Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved.

Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s).
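The following is an added example (not from the Pilz page) that runs the two risk estimation tables above on one constructed hazard. The SIL matrix, the PLr risk graph, the CCF points and the beta bands are transcribed from the page; the rule that the class Cl is the sum Fr + Pr + Av comes from EN IEC 62061 itself and is not spelled out on the page. The hazard figures in assess_hazard and the set of CCF measures are constructed sample inputs.

```python
"""Risk estimation for one hazard under EN IEC 62061 and EN ISO 13849-1 (added example)."""

# EN IEC 62061 parameter scales as printed on the page.
FREQUENCY_POINTS = {5, 4, 3, 2}        # "<= 1 h" and "> 1 h to <= 1 day" both score 5
PROBABILITY_POINTS = {5, 4, 3, 2, 1}   # very high ... negligible
AVOIDANCE_POINTS = {5, 3, 1}           # impossible, possible, likely

# Class bands 3-4, 5-7, 8-10, 11-13, 14-15 map to column index 0..4.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]

# SIL matrix from the page: None = no entry, "OM" = other measures required.
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None,    "OM",    "SIL 1", "SIL 2", "SIL 3"],
    2: [None,    None,    "OM",    "SIL 1", "SIL 2"],
    1: [None,    None,    None,    "OM",    "SIL 1"],
}


def class_index(cl):
    """Column of the SIL matrix for a class value Cl."""
    for idx, (lo, hi) in enumerate(CLASS_BANDS):
        if lo <= cl <= hi:
            return idx
    raise ValueError(f"class {cl} outside the table range 3..15")


def required_sil(se, fr, pr, av):
    """Table entry for severity Se and class Cl = Fr + Pr + Av (EN IEC 62061)."""
    if (se not in SIL_MATRIX or fr not in FREQUENCY_POINTS
            or pr not in PROBABILITY_POINTS or av not in AVOIDANCE_POINTS):
        raise ValueError("parameter value not on the Se/Fr/Pr/Av scales")
    return SIL_MATRIX[se][class_index(fr + pr + av)]


# EN ISO 13849-1 risk graph: (S, F, P) -> PLr, as drawn on the page.
PLR_GRAPH = {
    ("S1", "F1", "P1"): "a", ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b", ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c", ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d", ("S2", "F2", "P2"): "e",
}


def required_pl(s, f, p):
    """Required performance level from the risk graph (EN ISO 13849-1)."""
    return PLR_GRAPH[(s, f, p)]


# Correspondence taken from the page's SIL/PL comparison table.
SIL_FOR_PL = {"a": None, "b": "SIL 1", "c": "SIL 1", "d": "SIL 2", "e": "SIL 3"}

# CCF measures with their PL points (EN ISO 13849-1 column); pass mark is 65.
CCF_PL_POINTS = {"separation": 15, "diversity": 20, "design": 20,
                 "assessment": 5, "competence": 5, "environment": 35}


def ccf_evaluation(applied_measures):
    """Sum the points of the measures actually applied and compare with 65."""
    score = sum(CCF_PL_POINTS[m] for m in applied_measures)
    return score, score >= 65


def beta_from_score(score):
    """EN IEC 62061 common cause factor (beta) from the overall CCF score."""
    if not 0 <= score <= 100:
        raise ValueError("score must lie between 0 and 100")
    if score < 35:
        return 0.10
    if score <= 65:
        return 0.05
    if score <= 85:
        return 0.02
    return 0.01


def assess_hazard():
    """Constructed hazard: hand reaching into a press tool several times an hour."""
    sil = required_sil(se=3, fr=5, pr=4, av=3)   # permanent injury, Cl = 12
    plr = required_pl("S2", "F2", "P1")           # serious, frequent, avoidable with effort
    consistent = SIL_FOR_PL[plr] == sil            # both standards land on SIL 2 / PL d
    return sil, plr, consistent


if __name__ == "__main__":
    print(assess_hazard())
    print(ccf_evaluation({"separation", "diversity", "assessment", "competence", "environment"}))
    print(beta_from_score(80))
```

The consistency check at the end is the practical point: when the EN IEC 62061 estimate and the EN ISO 13849-1 estimate for the same hazard do not line up with the comparison table, one of the parameter choices deserves a second look before the safety function is specified.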
Architectural constraints on subsystems (EN IEC 62061)

  $\mathrm{SFF} = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}} = \dfrac{\lambda_{S} + \lambda_{DD}}{\lambda_{total}}$

  Safe failure fraction (SFF)  | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2
  SFF < 60 %                   | not permitted              | SIL 1                      | SIL 2
  60 % <= SFF < 90 %           | SIL 1                      | SIL 2                      | SIL 3
  90 % <= SFF < 99 %           | SIL 2                      | SIL 3                      | SIL 3
  SFF >= 99 %                  | SIL 2                      | SIL 3                      | SIL 3

Determination of the MTTFd per channel (EN ISO 13849-1)

  $\dfrac{1}{MTTF_d} = \sum_{i=1}^{N} \dfrac{1}{MTTF_{d,i}} = \sum_{j=1}^{N} \dfrac{n_j}{MTTF_{d,j}}$

  The following applies to diverse systems (two channels with different MTTFd):

  $MTTF_d = \dfrac{2}{3}\left[ MTTF_{d,C1} + MTTF_{d,C2} - \dfrac{1}{\dfrac{1}{MTTF_{d,C1}} + \dfrac{1}{MTTF_{d,C2}}} \right]$

  Evaluation of MTTFd
  Low     | 3 years <= MTTFd < 10 years
  Medium  | 10 years <= MTTFd < 30 years
  High    | 30 years <= MTTFd < 100 years

Relationship between the categories, DCavg, MTTFd and PL

  [Chart: achievable performance level per designated architecture, plotted against PFH in 1/h: a (10^-4 to 10^-5), b (10^-5 to 3x10^-6), c (3x10^-6 to 10^-6), d (10^-6 to 10^-7), e (10^-7 to 10^-8). Columns: Cat B (DCavg = none), Cat. 1 (DCavg = none), Cat. 2 (DCavg = low), Cat. 2 (DCavg = med.), Cat. 3 (DCavg = low), Cat. 3 (DCavg = med.), Cat. 4 (DCavg = high); each column is evaluated for MTTFd per channel = low, medium and high.]

Determination of the degree of diagnostic coverage (DC)

  Diagnostic coverage: $DC = \dfrac{\lambda_{DD}}{\lambda_{Dtotal}}$

  Diagnostic coverage | Range of DC
  None                | DC < 60 %
  Low                 | 60 % <= DC < 90 %
  Medium              | 90 % <= DC < 99 %
  High                | 99 % <= DC

  Average DC: $DC_{avg} = \dfrac{\dfrac{DC_1}{MTTF_{d1}} + \dfrac{DC_2}{MTTF_{d2}} + \dots + \dfrac{DC_N}{MTTF_{dN}}}{\dfrac{1}{MTTF_{d1}} + \dfrac{1}{MTTF_{d2}} + \dots + \dfrac{1}{MTTF_{dN}}}$

Realisation of the safety function: determination of the achieved SIL (EN IEC 62061)

Realisation of the safety function: determination of the achieved PL (EN ISO 13849-1)

Electrical/electronic/programmable electronic (E/E/PE): Based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology.

Failure: Termination of the ability of an item to perform a required function.

Fault: State of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.

Functional safety: Part of the overall safety (relating to the EUC and the EUC management or control system) which depends on the correct functioning of the safety related E/E/PE system, other technology safety-related systems and external risk reduction facilities.

Safety integrity: Probability of an SRECS or its subsystem satisfactorily performing the required safety-related control functions under all stated conditions.

Safety integrity level (SIL): Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.

SFF: Safe failure fraction, i.e. the fraction of the overall failure rate that does not result in a dangerous failure.

SIL claim limit (SILCL): Maximum SIL that can be claimed for an SRECS subsystem in relation to architectural constraints and systematic safety integrity.
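As an added example (not code from the Pilz page or from PAScal), the block below carries the SFF, DC, MTTFd and DCavg formulas above through one constructed two-channel subsystem and classifies the results with the band limits printed on the page, including the PFH bands of the SIL/PL comparison and the "achieved PL >= PLr" verification step. The component failure rates and MTTFd figures are constructed sample values; treating an MTTFd of 100 years or more as the top of the "high" band is an assumption of this example, since the page's table stops at 100 years.

```python
"""Quantitative evaluation of a two-channel subsystem (added example, constructed inputs)."""
from math import fsum


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: (SD + SU + DD) / total failure rate."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def dc(lam_dd, lam_du):
    """Diagnostic coverage DC = lambda_DD / lambda_Dtotal."""
    return lam_dd / (lam_dd + lam_du)


def mttfd_channel(part_mttfds):
    """1/MTTFd = sum of 1/MTTFd,i over the parts of one channel (years)."""
    return 1.0 / fsum(1.0 / m for m in part_mttfds)


def mttfd_diverse(c1, c2):
    """Symmetrised MTTFd for two channels with different MTTFd values (years)."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(years):
    """Low / medium / high per the page; None below the lowest band (3 years)."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"   # assumption: >= 100 years is treated as the top of "high"


def dc_avg(parts):
    """parts: iterable of (DC, MTTFd) per component, weighted by 1/MTTFd."""
    numerator = fsum(d / m for d, m in parts)
    denominator = fsum(1.0 / m for _, m in parts)
    return numerator / denominator


def dc_band(value):
    """None / low / medium / high per the DC range table."""
    if value < 0.60:
        return "none"
    if value < 0.90:
        return "low"
    if value < 0.99:
        return "medium"
    return "high"


# (lower inclusive, upper exclusive, PL, SIL) from the SIL/PL comparison table, PFH in 1/h.
PFH_BANDS = [
    (1e-8, 1e-7, "e", "SIL 3"), (1e-7, 1e-6, "d", "SIL 2"),
    (1e-6, 3e-6, "c", "SIL 1"), (3e-6, 1e-5, "b", "SIL 1"),
    (1e-5, 1e-4, "a", None),
]


def classify_pfh(pfh):
    """Return (PL, SIL) for a PFH value, or (None, None) outside the table."""
    for lo, hi, pl, sil in PFH_BANDS:
        if lo <= pfh < hi:
            return pl, sil
    return None, None


PL_ORDER = "abcde"


def pl_meets(achieved, required):
    """Verification step: achieved PL >= PLr."""
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def evaluate_example():
    """Constructed subsystem: channel 1 = sensor, logic, contactor; channel 2 = diverse pair."""
    ch1 = mttfd_channel([60, 150, 100])      # 1/60 + 1/150 + 1/100 = 1/30 -> 30 years
    ch2 = mttfd_channel([40, 200])           # -> 33.3 years
    mttfd = mttfd_diverse(ch1, ch2)
    dcavg = dc_avg([(0.99, 60), (0.90, 150), (0.60, 100)])
    return {
        "mttfd_ch1": ch1, "mttfd_ch2": ch2, "mttfd": mttfd,
        "mttfd_band": mttfd_band(mttfd),
        "dcavg": dcavg, "dc_band": dc_band(dcavg),
    }


if __name__ == "__main__":
    for key, value in evaluate_example().items():
        print(f"{key}: {value}")
    print(classify_pfh(2.5e-7), pl_meets("d", "c"))
```

Note how the weighting in dc_avg works against a design: the component with the lowest MTTFd (here the 60-year sensor) dominates the average, so a poorly diagnosed but reliable part hurts DCavg less than a poorly diagnosed, frequently failing one.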
Subsystem architectures (EN IEC 62061): Subsystem A, Subsystem B, Subsystem C, Subsystem D

Specification of categories (EN ISO 13849-1): Category B,1; Category 2; Category 3; Category 4

  [Diagrams of the four subsystem architectures and of the designated architectures for categories B/1, 2, 3 and 4, illustrated with Pilz safety relays and sensors (PNOZ X3, PNOZ s2, PNOZ m1p, PSEN 1.1p-20, PSEN 1.1-20, PSENme 1S/1AS); the device label text is not reproduced here.]

Failure rates used in the formulas:
  PFH_avg: average probability of failure per hour
  λDD: dangerous detected failure
  λDU: dangerous undetected failure
  λSD: safe detected failure
  λSU: safe undetected failure

Intended use of a machine: Use of a machine in accordance with the information provided in the user information.

Mission time (TM): Period of time covering the intended use of an SRP/CS.

MTTFd: Mean time to dangerous failure; the time for which a single channel can be expected to remain free of dangerous failures. Mean value of the operating time during which a single channel of a system is expected not to have a dangerous failure.

SRCF, safety-related control function: Control function implemented by an SRECS with a specified integrity level that is intended to maintain the safe condition of the machine or to prevent an immediate increase in risk.

SRECS: Electric control system on a machine, the failure of which can result in an immediate increase of the risk(s).

SRP/CS, safety related part of a control system: Part of a control system which reacts to safety related input signals and generates safety related output signals.

Subsystem: Entity of the top-level architectural design of the SRECS, where a failure of any subsystem will result in a failure of a safety-related control function.

Test rate rt: Frequency of automatic tests performed to detect faults in an SRP/CS; reciprocal value of the diagnostic test interval.

Ti: Time intervals between periodic tests on a safety system.
MTTR: Average length of time taken for the safety system to be restored, measured from the time of failure occurrence to the completion of repairs.

PAScal: Calculation software for verifying functional safety.

Performance level (PL): Discrete level which specifies the capability of safety related parts of a control system to perform a safety function under foreseeable conditions.

Required performance level (PLr): Performance level (PL) needed in order to achieve the required risk reduction for each safety function.

Validation: Confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application.

Verification: Confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification.

Verification

  EN IEC 62061: Achieved SIL >= required SIL
  EN ISO 13849-1: Achieved PL >= PLr

Comparison SIL/PL: probability per hour of a dangerous failure occurring

  Safety integrity level (SIL) acc. to EN IEC 62061 | Probability of a dangerous failure per hour [1/h] | Performance level (PL) acc. to EN ISO 13849-1
  no special safety requirements                      | 10^-5 <= PFH < 10^-4                              | a
  1 (1 failure in 100,000 h)                          | 3 x 10^-6 <= PFH < 10^-5                          | b
  1 (1 failure in 100,000 h)                          | 10^-6 <= PFH < 3 x 10^-6                          | c
  2 (1 failure in 1,000,000 h)                        | 10^-7 <= PFH < 10^-6                              | d
  3 (1 failure in 10,000,000 h)                       | 10^-8 <= PFH < 10^-7                              | e

Safety Calculator PAScal: calculation software for verifying functional safety

The safety calculator PAScal calculates the PFHD value of safety functions in machines and installations. The result is verified against the prescribed performance level in accordance with EN ISO 13849 or the safety integrity level in accordance with EN IEC 62061. The graphical representation shows how individual components influence overall safety.

Benefits to you:
  Simple handling saves time
  Comprehensive component database
  Simple import and update function
  Report generator as documented verification

For more information on laws and standards: Webcode 0240. Online information at www.pilz.com.

The measures outlined here are simplified descriptions and are intended to provide an overview of the standards EN ISO 13849-1 and EN IEC 62061. Detailed understanding and correct application of all relevant standards and directives are needed for validation of safety circuits. As a result, we cannot accept any liability for omissions or incomplete information.