IEC62061:2021 Safety of machinery - Functional safety of safety-related control system

CONTENTS
FOREWORD
INTRODUCTION
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Alphabetical list of definitions
3.2 Terms and definitions
3.3 Abbreviations
4 Design process of an SCS and management of functional safety
4.1 Objective
4.2 Design process
4.3 Management of functional safety using a functional safety plan
4.4 Configuration management
4.5 Modification
5 Specification of a safety function
5.1 Objective
5.2 Safety requirements specification (SRS)
5.2.1 General
5.2.2 Information to be available
5.2.3 Functional requirements specification
5.2.4 Estimation of demand mode of operation
5.2.5 Safety integrity requirements specification
6 Design of an SCS
6.1 General
6.2 Subsystem architecture based on top down decomposition
6.3 Basic methodology – Use of subsystem
6.3.1 General
6.3.2 SCS decomposition
6.3.3 Sub-function allocation
6.3.4 Use of a pre-designed subsystem
6.4 Determination of safety integrity of the SCS
6.4.1 General
6.4.2 PFH
6.5 Requirements for systematic safety integrity of the SCS
6.5.1 Requirements for the avoidance of systematic hardware failures
6.5.2 Requirements for the control of systematic faults
6.6 Electromagnetic immunity
6.7 Software based manual parameterization
6.7.1 General
6.7.2 Influences on safety-related parameters
6.7.3 Requirements for software based manual parameterization
6.7.4 Verification of the parameterization tool
6.7.5 Performance of software based manual parameterization
6.8 Security aspects
6.9 Aspects of periodic testing
7 Design and development of a subsystem
7.1 General
7.2 Subsystem architecture design
7.3 Requirements for the selection and design of subsystem and subsystem elements
7.3.1 General
7.3.2 Systematic integrity
7.3.3 Fault consideration and fault exclusion
7.3.4 Failure rate of subsystem element
7.4 Architectural constraints of a subsystem
7.4.1 General
7.4.2 Estimation of safe failure fraction (SFF)
7.4.3 Behaviour (of the SCS) on detection of a fault in a subsystem
7.4.4 Realization of diagnostic functions
7.5 Subsystem design architectures
7.5.1 General
7.5.2 Basic subsystem architectures
7.5.3 Basic requirements
7.5.2.4 Basic subsystem architecture D: dual channel with a diagnostic function(s)
7.6 PFH of subsystems
7.6.1 General
7.6.2 Methods to estimate the PFH of a subsystem
7.6.3 Simplified approach to estimation of contribution of common cause failure (CCF)
8 Software
8.1 General
8.2 Definition of software levels
8.3 Software – Level 1
8.3.1 Software safety lifecycle – SW level 1
8.3.2 Software design – SW level 1
8.3.3 Module design – SW level 1
8.3.4 Coding – SW level 1
8.3.5 Module test – SW level 1
8.3.6 Software testing – SW level 1
8.3.7 Documentation – SW level 1
8.3.8 Configuration and modification management process – SW level 1
8.4 Software level 2
8.4.1 Software safety lifecycle – SW level 2
8.4.2 Software design – SW level 2
8.4.3 Software system design – SW level 2
8.4.4 Module design – SW level 2
8.4.5 Coding – SW level 2
8.4.6 Module test – SW level 2
8.4.7 Software integration testing SW level 2
8.4.8 Software testing SW level 2
8.4.9 Documentation – SW level 2
8.4.10 Configuration and modification management process – SW level 2
9 Validation
9.1 Validation principles
9.1.1 Validation plan
9.1.2 Use of generic fault lists
9.1.3 Specific fault lists
9.1.4 Information for validation
9.1.5 Validation record
9.2 Analysis as part of validation
9.2.1 General
9.2.2 Analysis techniques
9.2.3 Verification of safety requirements specification (SRS)
9.3 Testing as part of validation
9.3.1 General
9.3.2 Measurement accuracy
9.3.3 More stringent requirements
9.3.4 Test samples
9.4 Validation of the safety function
9.4.1 General
9.4.2 Analysis and testing
9.5 Validation of the safety integrity of the SCS
9.5.1 General
9.5.2 Validation of subsystem(s)
9.5.3 Validation of measures against systematic failures
9.5.4 Validation of safety-related software
9.5.5 Validation of combination of subsystems
10 Documentation
10.1 General
10.2 Technical documentation
10.3 Information for use of the SCS
10.3.1 General
10.3.2 Information for use given by the manufacturer of subsystems
10.3.3 Information for use given by the SCS integrator

Annex A (informative) Determination of required safety integrity
A.1 General
A.2 Matrix assignment for the required SIL
A.2.1 Hazard identification/indication
A.2.2 Risk estimation
A.2.3 Severity (Se)
A.2.4 Probability of occurrence of harm
A.2.5 Class of probability of harm (Cl)
A.2.6 SIL assignment
A.3 Overlapping hazards
Annex B (informative) Example of SCS design methodology
B.1 General
B.2 Safety requirements specification
B.3 Decomposition of the safety function
B.4 Design of the SCS by using subsystems
B.4.1 General
B.4.2 Subsystem 1 design – “guard door monitoring”
B.4.3 Subsystem 2 design – “evaluation logic”
B.4.4 Subsystem 3 design – “motor control”
B.4.5 Evaluation of the SCS
B.4.6 PFH
B.5 Verification
B.5.1 General
B.5.2 Analysis
B.5.3 Tests
Annex C (informative) Examples of MTTFD values for single components
C.1 General
C.2 Good engineering practices method
C.3 Hydraulic components
C.4 MTTFD of pneumatic, mechanical and electromechanical components

Annex D (informative) Examples for diagnostic coverage (DC)

Annex E (informative) Methodology for the estimation of susceptibility to common cause failures (CCF)
E.1 General
E.2 Methodology
E.2.1 Requirements for CCF
E.2.2 Estimation of effect of CCF
Annex F (informative) Guideline for software level 1
F.1 Software safety requirements
F.2 Coding guidelines
F.3 Specification of safety functions
F.4 Specification of hardware design
F.5 Software system design specification
F.6 Protocols
Annex G (informative) Examples of safety functions
Annex H (informative) Simplified approaches to evaluate the PFH value of a subsystem
H.1 Table allocation approach
H.2 Simplified formulas for the estimation of PFH
H.2.1 General
H.2.2 Basic subsystem architecture A: single channel without a diagnostic function
H.2.3 Basic subsystem architecture B: dual channel without a diagnostic function
H.2.4 Basic subsystem architecture C: single channel with a diagnostic function
H.2.5 Basic subsystem architecture D: dual channel with a diagnostic function(s)
H.3 Parts count method
Annex I (informative) The functional safety plan and design activities
I.1 General
I.2 Example of a machine design plan including a safety plan
I.3 Example of activities, documents and roles
Annex J (informative) Independence for reviews and testing/verification/validation activities
J.1 Software design
J.2 Validation
Bibliography
Figure 1 – Scope of this document
Figure 2 – Integration within the risk reduction process of ISO 12100 (extract)
Figure 3 – Iterative process for design of the safety-related control system
Figure 4 – Example of a combination of subsystems as one SCS
Figure 5 – By activating a low demand safety function at least once per year it can be assumed to be high demand
Figure 6 – Examples of typical decomposition of a safety function into sub-functions and its allocation to subsystems
Figure 7 – Example of safety integrity of a safety function based on allocated subsystems as one SCS
Figure 8 – Subsystem A logical representation
Figure 9 – Subsystem B logical representation
Figure 10 – Subsystem C logical representation
Figure 11 – Subsystem D logical representation
Figure 12 – V-model for SW level 1
Figure 13 – V-model for software modules customized by the designer for SW level 1
Figure 14 – V-model of software safety lifecycle for SW level 2
Figure 15 – Overview of the validation process
Figure A.1 – Parameters used in risk estimation
Figure A.2 – Example proforma for SIL assignment process
Figure B.1 – Decomposition of the safety function
Figure B.2 – Overview of design of the subsystems of the SCS
Figure F.1 – Plant sketch
Figure F.2 – Principal module architecture design
Figure F.3 – Principal design approach of logical evaluation
Figure F.4 – Example of logical representation (program sketch)
Figure H.1 – Subsystem A logical representation
Figure H.2 – Subsystem B logical representation
Figure H.3 – Subsystem C logical representation
Figure H.4 – Correlation of subsystem C and the pertinent fault handling function
Figure H.5 – Subsystem C with external fault handling function
Figure H.6 – Subsystem C with external fault diagnostics
Figure H.7 – Subsystem C with external fault reaction
Figure H.8 – Subsystem C with internal fault diagnostics and internal fault reaction
Figure H.9 – Subsystem D logical representation
Figure I.1 – Example of a machine design plan including a safety plan
Figure I.2 – Example of activities, documents and roles
Table 1 – Terms used in IEC 62061
Table 2 – Abbreviations used in IEC 62061
Table 3 – SIL and limits of PFH values
Table 4 – Required SIL and PFH of pre-designed subsystem
Table 5 – Relevant information for each subsystem
Table 6 – Architectural constraints on a subsystem: maximum SIL that can be claimed for an SCS using the subsystem
Table 7 – Overview of basic requirements and interrelation to basic subsystem architectures
Table 8 – Different levels of application software
Table 9 – Documentation of an SCS
Table A.1 – Severity (Se) classification
Table A.2 – Frequency and duration of exposure (Fr) classification
Table A.3 – Probability (Pr) classification
Table A.4 – Probability of avoiding or limiting harm (Av) classification
Table A.5 – Parameters used to determine class of probability of harm (Cl)
Table A.6 – Matrix assignment for determining the required SIL (or PLr) for a safety function
Table B.1 – Safety requirements specification – example of overview
Table B.2 – Systematic integrity – example of overview
Table B.3 – Verification by tests
Table C.1 – Standards references and MTTFD or B10D values for components
Table D.1 – Estimates for diagnostic coverage (DC)
Table E.1 – Criteria for estimation of CCF
Table E.2 – Criteria for estimation of CCF
Table F.1 – Example of relevant documents related to the simplified V-model
Table F.2 – Examples of coding guidelines
Table F.3 – Specified safety functions
Table F.4 – Relevant list of input and output signals
Table F.5 – Example of simplified cause and effect matrix
Table F.6 – Verification of software system design specification
Table F.7 – Software code review
Table F.8 – Software validation
Table G.1 – Examples of typical safety functions
Table H.1 – Allocation of PFH value of a subsystem
Table H.2 – Relationship between B10D, operations and MTTFD
Table H.3 – Minimum value of 1/λDFH for the applicability of PFH equation (H.4)
Table J.1 – Minimum levels of independence for review, testing and verification activities
Table J.2 – Minimum levels of independence for validation activities