Principles, Standards and Implementation


System Design According to IEC/EN 62061


IEC/EN 62061, "Safety of machinery - Functional safety of safety related electrical, electronic and programmable electronic control systems," is the machinery specific implementation of IEC/EN 61508. It provides requirements that are applicable to the system level design of all types of machinery safety related electrical control systems and also for the design of non-complex subsystems or devices.

The risk assessment results in a risk reduction strategy which in turn, identifies the need for safety related control functions. These functions must be documented and must include:



The functional requirements include details like frequency of operation, required response time, operating modes, duty cycles, operating environment, and fault reaction functions. The safety integrity requirements are expressed in levels called safety integrity levels (SIL). Depending on the complexity of the system, some or all of the elements in Table 11 must be considered to determine whether the system design meets the required SIL.

Element for SIL Consideration              Symbol
Probability of Dangerous Failure per Hour  PFHD
Hardware Fault Tolerance                   No Symbol
Safe Failure Fraction                      SFF
Proof Test Interval                        T1
Diagnostic Test Interval                   T2
Susceptibility to Common Cause Failures    β
Diagnostic Coverage                        DC

Table 11: Elements for SIL Consideration

For electronic systems, a significant contribution to failure is time, as compared to the number of operations for electro-mechanical devices. Therefore the failure rate of electronic systems is considered on an hourly basis. An analysis of the components must be undertaken to determine their probability of failure. For safety systems the quantity of interest is not just the probability of failure but, more importantly, the probability of dangerous failure per hour, the PFHD. Once this is known, Table 12 can be used to determine which SIL is achieved.

SIL (Safety Integrity Level)   PFHD (Probability of Dangerous Failure per Hour)
3                              ≥ 10^-8 … < 10^-7
2                              ≥ 10^-7 … < 10^-6
1                              ≥ 10^-6 … < 10^-5

Table 12: Probabilities of Dangerous Failure for SILs

The safety system is divided into subsystems. The hardware safety integrity level that can be claimed for a subsystem is limited by the hardware fault tolerance and the safe failure fraction of the subsystem. Hardware fault tolerance is the ability of the system to execute its function in the presence of faults. A fault tolerance of zero means that the function is not performed when a single fault occurs. A fault tolerance of one allows the subsystem to perform its function in the presence of a single fault. Safe Failure Fraction is the portion of the overall failure rate that does not result in a dangerous failure. The combination of these two elements is known as the architectural constraint and is designated as SILCL. Table 13 shows the relationship of the architectural constraints to the SILCL.

Safe Failure Fraction (SFF)   Hardware Fault Tolerance
                              0                                              1      2
< 60%                         Not allowed unless specific exceptions apply   SIL1   SIL2
60% … < 90%                   SIL1                                           SIL2   SIL3
90% … < 99%                   SIL2                                           SIL3   SIL3
≥ 99%                         SIL3                                           SIL3   SIL3

Table 13: Architectural Constraints on SIL

For example, an architecture that possesses single fault tolerance and has a safe failure fraction of 75% is limited to no higher than a SIL2 rating, regardless of the probability of dangerous failure.

To compute the probability of dangerous failure, each safety function must be broken down into function blocks, which are then realized as subsystems. The system design of many safety functions includes a sensing device connected to a logic device connected to an actuator. This creates a series arrangement of subsystems. If we can determine the probability of dangerous failure for each subsystem and know its SILCL, then the system probability of failure is easily calculated by adding the probabilities of failure of the subsystems. This concept is shown in Figure 149.


[Figure 149 (Fig 9.01, Subsystem PFHD) not reproduced]

Figure 149: Example subsystem combination into system implementing a SIL 2 safety related electrical control function.

If, for example, we want to achieve SIL 2, each subsystem must have a SIL claim limit (SILCL) of at least SIL 2, and the sum of the PFHD for the system must not exceed the limit allowed in Table 12.
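As an added worked example (not part of the original catalog page), the following Python carries the procedure of Tables 12 and 13 and the series combination of Figure 149 through end to end: each subsystem receives its SILCL from its safe failure fraction and hardware fault tolerance, the subsystem PFHD values are added, the sum is placed in a Table 12 band, and the achieved SIL is the lower of the two results. The subsystem names and numeric values are constructed, not datasheet figures; treating a PFHD below the SIL3 band as SIL3 is an assumption, since Table 12 defines nothing stricter than SIL3.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 12: PFHD band per SIL, lower bound inclusive, upper bound exclusive (per hour).
PFHD_BANDS = {3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# Table 13: SIL claim limit (SILCL) by SFF band and hardware fault tolerance 0/1/2.
# None means "not allowed unless specific exceptions apply".
SFF_BANDS = [
    # (SFF lower bound inclusive, upper bound exclusive, (SILCL at HFT 0, HFT 1, HFT 2))
    (0.00, 0.60, (None, 1, 2)),
    (0.60, 0.90, (1, 2, 3)),
    (0.90, 0.99, (2, 3, 3)),
    (0.99, 1.01, (3, 3, 3)),  # upper bound above 1.0 so an SFF of exactly 100% lands here
]


@dataclass
class Subsystem:
    """One first-level subsystem (sensor, logic, actuator) with its assessed parameters."""
    name: str
    pfhd: float  # probability of dangerous failure per hour
    sff: float   # safe failure fraction as a fraction, 0.0 .. 1.0
    hft: int     # hardware fault tolerance, 0 .. 2


def sil_claim_limit(sff: float, hft: int) -> Optional[int]:
    """Architectural constraint (SILCL) of one subsystem, read from Table 13."""
    if not 0 <= hft <= 2:
        raise ValueError("hardware fault tolerance must be 0, 1 or 2")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    for lower, upper, limits in SFF_BANDS:
        if lower <= sff < upper:
            return limits[hft]
    raise AssertionError("unreachable: the SFF bands cover 0..1")


def sil_from_pfhd(pfhd: float) -> Optional[int]:
    """Highest SIL whose Table 12 band the PFHD satisfies; None if it exceeds the SIL1 limit."""
    if pfhd < 0:
        raise ValueError("PFHD cannot be negative")
    if pfhd < PFHD_BANDS[3][0]:
        return 3  # assumption: below the SIL3 band nothing stricter exists in Table 12
    for sil, (lower, upper) in PFHD_BANDS.items():
        if lower <= pfhd < upper:
            return sil
    return None  # 1e-5 per hour or worse: outside every SIL band


def assess_system(subsystems: List[Subsystem], target_sil: int) -> Dict:
    """Combine series-connected subsystems as in Figure 149 and check them against a target SIL.

    Two independent limits apply:
      * architecture: every subsystem's SILCL must reach the target, so the system is
        capped by its weakest subsystem;
      * probability: PFHD values of series subsystems add, and the sum must lie within
        the target SIL's band of Table 12.
    """
    if target_sil not in PFHD_BANDS:
        raise ValueError("target SIL must be 1, 2 or 3")
    limits = {s.name: sil_claim_limit(s.sff, s.hft) for s in subsystems}
    architecture_sil = None if None in limits.values() else min(limits.values())

    total_pfhd = sum(s.pfhd for s in subsystems)
    probability_sil = sil_from_pfhd(total_pfhd)

    if architecture_sil is None or probability_sil is None:
        achieved = None
    else:
        achieved = min(architecture_sil, probability_sil)

    return {
        "subsystem_silcl": limits,
        "architecture_sil": architecture_sil,
        "total_pfhd": total_pfhd,
        "probability_sil": probability_sil,
        "achieved_sil": achieved,
        "meets_target": achieved is not None and achieved >= target_sil,
    }


# Constructed sample values (hypothetical, not taken from any product data):
# a dual-channel sensor, a safety logic device and a single-channel actuator in series.
EXAMPLE_SYSTEM = [
    Subsystem("sensor",   pfhd=2e-8, sff=0.75,  hft=1),  # Table 13: SIL2 (the page's 75% case)
    Subsystem("logic",    pfhd=1e-8, sff=0.995, hft=1),  # Table 13: SIL3
    Subsystem("actuator", pfhd=5e-8, sff=0.92,  hft=0),  # Table 13: SIL2
]

if __name__ == "__main__":
    for key, value in assess_system(EXAMPLE_SYSTEM, target_sil=2).items():
        print(f"{key}: {value}")
```

Run as a script, the sample reports a summed PFHD of 8e-8 (inside the SIL3 band) but an achieved SIL of 2, because the sensor and actuator subsystems are each architecturally limited to SIL2; the SIL 2 target is therefore met while a SIL 3 target would not be, even though the probability figure alone would allow it.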

The term “subsystem” has a special meaning in IEC/EN 62061. It is the first level subdivision of a system into parts which if they fail, would cause a failure of the safety function. Therefore if two redundant switches are used in a system neither individual switch is a subsystem. The subsystem would comprise both switches and the associated fault diagnostic function (if any).