System Design According to IEC/EN 62061
IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems, is the machinery specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety-related electrical control systems and also for the design of non-complex subsystems or devices.
The risk assessment results in a risk reduction strategy which in turn, identifies the need for safety-related control functions. These functions must be documented and must include:
- Functional requirements specification
- Safety integrity requirements specification
The functional requirements include details like frequency of operation, required response time, operating modes, duty cycles, operating environment, and fault reaction functions. The safety integrity requirements are expressed in levels called safety integrity levels (SIL). Depending on the complexity of the system, some or all of the elements in Table 14 must be considered to determine whether the system design meets the required SIL.
| Element for SIL Consideration | Symbol |
|---|---|
| Probability of Dangerous Failure per Hour | PFHD |
| Hardware Fault Tolerance | No symbol |
| Safe Failure Fraction | SFF |
| Proof Test Interval | T1 |
| Diagnostic Test Interval | T2 |
| Susceptibility to Common Cause Failures | β |
| Diagnostic Coverage | DC |

Table 14: Elements for SIL Consideration
Subsystems
The term subsystem has a special meaning in IEC/EN 62061. It is the first level subdivision of a system into parts which, if they fail, would cause a failure of the safety function. Therefore if two redundant switches are used in a system neither individual switch is a subsystem. The subsystem would comprise both switches and any associated fault diagnostic function.
Probability of Dangerous Failure per Hour (PFHD)
IEC/EN 62061 uses the same basic methods as discussed in the section on EN ISO 13849-1 to determine failure rates at the component level. The same provisions and methods apply for mechanical and electronic components. In IEC/EN 62061 there is no consideration of MTTFd in years. The failure rate per hour (λ) is either calculated directly or derived from the B10 value by the following formula:
λ = 0.1 × C / B10 (where C = the number of operating cycles per hour)
There is a significant difference between the standards in the methodology for determining the total PFHD for a subsystem or system. An analysis of the components must be undertaken to determine the probability of failure of the subsystems. Simplified formulae are provided for the calculation of common subsystem architectures (described later in the text). Where these formulae are not appropriate it will be necessary to use more complex calculation methods such as Markov models. The PFHD values of the individual subsystems are then added together to determine the total PFHD for the system. Table 15 (Table 3 of the standard) can then be used to determine which Safety Integrity Level (SIL) is appropriate to that range of PFHD.
λDssB = (1 − β)² × λDe1 × λDe2 × T1 + β × (λDe1 + λDe2) / 2
PFHDssB = λDssB × 1 h
The formulae for this architecture take into account the parallel arrangement of the subsystem elements and add the following two elements from Table 14:
- β (beta) is the susceptibility to common cause failures.
- T1 is the proof test interval.
| SIL (Safety Integrity Level) | PFHD (Probability of Dangerous Failure per Hour) |
|---|---|
| 3 | ≥10⁻⁸ … <10⁻⁷ |
| 2 | ≥10⁻⁷ … <10⁻⁶ |
| 1 | ≥10⁻⁶ … <10⁻⁵ |

Table 15: Probabilities of Dangerous Failure for SILs
The PFHD data for a subsystem will usually be provided by the manufacturer. Data for Rockwell Automation safety components and systems is available in a number of forms including: http://discover.rockwellautomation.com/EN_Safety_Solutions.aspx
This website will be periodically updated as data for other Rockwell Automation components and systems becomes available.
IEC/EN 62061 also makes it clear that reliability data handbooks can be used if and where applicable.
For low complexity electromechanical devices, the failure mechanism is usually linked to the number and frequency of operations rather than just time. Therefore, for these components the data will be derived from some form of testing (e.g. B10 testing as described in the chapter on EN ISO 13849-1). Application-based information, such as the anticipated number of operations per year, is then required in order to convert the B10d or similar data to PFHD.
NOTE: In general the following is true (taking into account a factor to change years to hours):
PFHD = 1/MTTFd
However, it is important to understand that, for a dual channel system (with or without diagnostics), it is not correct to use 1/PFHD to determine the MTTFd that is required by EN ISO 13849-1. That standard calls for the MTTFd of a single channel. This is a very different value from the MTTFd of the combination of both channels of a two channel subsystem.
Architectural Constraints
The essential characteristic of IEC/EN 62061 is that the safety system is divided into subsystems. The hardware safety integrity level that can be claimed for a subsystem is limited not only by the PFHD but also by the hardware fault tolerance and the safe failure fraction of the subsystem. Hardware fault tolerance is the ability of the system to execute its function in the presence of faults. A fault tolerance of zero means that the function is not performed when a single fault occurs. A fault tolerance of one allows the subsystem to perform its function in the presence of a single fault. Safe Failure Fraction is the portion of the overall failure rate that does not result in a dangerous failure. The combination of these two elements is known as the architectural constraint, and its output is the SIL Claim Limit (SIL CL). Table 16 shows the relationship of the architectural constraints to the SIL CL. A subsystem (and therefore its system) must satisfy both the PFHD requirements and the architectural constraints, together with the other relevant provisions of the standard.
| Safe Failure Fraction (SFF) | Hardware Fault Tolerance 0 | Hardware Fault Tolerance 1 | Hardware Fault Tolerance 2 |
|---|---|---|---|
| <60% | Not allowed unless specific exceptions apply | SIL1 | SIL2 |
| 60% … <90% | SIL1 | SIL2 | SIL3 |
| 90% … <99% | SIL2 | SIL3 | SIL3 |
| ≥99% | SIL3 | SIL3 | SIL3 |

Table 16: Architectural Constraints on SIL
For example, a subsystem architecture that possesses single fault tolerance and has a safe failure fraction of 75% is limited to no higher than a SIL2 rating, regardless of the probability of dangerous failure.
System Realization
To compute the probability of dangerous failure, each safety function must be broken down into function blocks, which are then realized as subsystems. A system design implementation of a typical safety function would include a sensing device connected to a logic device connected to an actuator. This creates a series arrangement of subsystems. As we have already seen, if we can determine the probability of dangerous failure for each subsystem and know its SIL CL, then the system probability of failure is easily calculated by adding the probability of failures of the subsystems. This concept is shown in Figure 136.
Figure 135: Example combination of subsystems
If, for example, we want to achieve SIL 2, each subsystem must have a SIL CL of at least SIL 2, and the sum of the PFHD for the system must not exceed the limit allowed in Table 15.
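As an added worked example (not code from this catalog or from Rockwell Automation), the following Python chains the page's steps together: the B10 conversion to λ, the λDssB formula, the Table 15 SIL band, the Table 16 SIL claim limit and the series combination of subsystems described in System Realization. The B10 value, cycle rate, β, T1 and the logic and actuator PFHD values it is meant to be run with are constructed assumptions, not data from the page.

```python
# Added worked example (not Rockwell's own code): the IEC/EN 62061 checks
# described on this page, with constructed input values.
# Table 15 (Table 3 of the standard): PFHD band [low, high) per SIL.
SIL_PFHD_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Table 16: SIL CL by SFF band [low, high) for HFT 0, 1, 2.
# None = "not allowed unless specific exceptions apply".
ARCH_CONSTRAINTS = [
    ((0.00, 0.60), (None, 1, 2)),
    ((0.60, 0.90), (1, 2, 3)),
    ((0.90, 0.99), (2, 3, 3)),
    ((0.99, 1.01), (3, 3, 3)),  # >= 99%
]

def dangerous_failure_rate(b10, cycles_per_hour):
    """lambda = 0.1 x C / B10 (failures per hour), as given on the page."""
    return 0.1 * cycles_per_hour / b10

def pfhd_architecture_b(lde1, lde2, beta, t1_hours):
    """Two redundant elements without diagnostics (subscript ssB on the page):
    lambda_DssB = (1-beta)^2 * lde1 * lde2 * T1 + beta * (lde1 + lde2) / 2.
    PFHD = lambda_DssB x 1 h, so the returned rate is the PFHD."""
    return (1 - beta) ** 2 * lde1 * lde2 * t1_hours + beta * (lde1 + lde2) / 2

def sil_from_pfhd(pfhd):
    """SIL band from Table 15. Returns 0 if worse than SIL 1. The standard
    goes no higher than SIL 3, so a PFHD below 1e-8 is capped at 3."""
    if pfhd < 1e-8:
        return 3
    for sil, (low, high) in SIL_PFHD_BANDS.items():
        if low <= pfhd < high:
            return sil
    return 0

def sil_claim_limit(sff, hft):
    """SIL CL from Table 16; sff as a fraction (0.75 = 75%), hft in 0..2."""
    if hft not in (0, 1, 2):
        raise ValueError("Table 16 covers hardware fault tolerance 0..2 only")
    for (low, high), limits in ARCH_CONSTRAINTS:
        if low <= sff < high:
            return limits[hft]
    raise ValueError("SFF must be a fraction between 0 and 1")

def series_system(subsystems, target_sil):
    """subsystems: [(pfhd, sil_cl), ...] in series (sensor -> logic -> actuator).
    PFHDs add; the claim is further limited by the weakest SIL CL."""
    total = sum(pfhd for pfhd, _ in subsystems)
    achievable = min([sil_from_pfhd(total)] + [cl or 0 for _, cl in subsystems])
    return total, achievable, achievable >= target_sil
```

With the constructed inputs B10 = 2,000,000 cycles at 10 cycles per hour, β = 5% and T1 = 20 years (175,200 h), the sensing subsystem lands in the SIL 3 PFHD band, but with SFF 75% and HFT 1 its SIL CL is 2, which is what limits the system to SIL 2.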
