IEC 62061: Functional Safety of Safety-Related Electrical Control Systems for Machinery

Designing Safe Machines with SIL-Based Performance Requirements

Introduction and Scope

IEC 62061 is the machinery-sector-specific functional safety standard derived from the generic IEC 61508 framework. Officially titled “Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems,” it provides a structured methodology for designing and validating Safety-Related Electrical Control Systems (SRECS) for machinery applications. The standard addresses a critical gap: as machines become increasingly automated and rely on complex programmable electronics for safety functions, designers need a systematic approach to ensure that control system failures do not lead to hazardous situations.

The standard applies to control systems used singly or in combination to carry out safety-related control functions on machines that are not portable by hand while working, including groups of machines working together in a coordinated manner. It covers electrical, electronic and programmable electronic technologies and is intended to be technology-neutral within that domain while giving specific guidance for each implementation approach. As written in the 2005 edition described on this page, IEC 62061 does not cover non-electrical safety systems such as purely hydraulic or pneumatic ones; those are addressed by ISO 13849-1. (The 2021 edition broadened the scope to safety-related control systems of any technology and replaced the term SRECS with SCS; the clause structure summarised below is that of the 2005 edition.)

IEC 62061 uses the Safety Integrity Level (SIL) framework of IEC 61508, but only SIL 1 to SIL 3 are used for machinery; SIL 4 is not claimable under this standard. This differs from the Performance Level (PL a to e) system of ISO 13849-1, although both standards can be applied to the same kinds of machine safety function, and IEC/TR 62061-1 gives guidance on choosing between them and on relating PL to SIL.

Relationship with IEC 61508 and ISO 13849-1

IEC 62061 operates within the broader ecosystem of functional safety standards. It is an application-specific standard within the IEC 61508 framework, meaning it inherits fundamental concepts from IEC 61508 while tailoring requirements for machinery contexts. The standard explicitly defines how it relates to other key standards:

Technology implementing the SRCF                    | ISO 13849-1 (rev.)                                  | IEC 62061
----------------------------------------------------+-----------------------------------------------------+--------------------------------
Non-electrical (e.g. hydraulics, pneumatics)        | Covered, up to PL=e                                 | Not covered
Electromechanical (relays, non-complex electronics) | Restricted to designated architectures, up to PL=e  | All architectures, up to SIL 3
Complex electronics (e.g. programmable)             | Restricted to designated architectures, up to PL=d  | All architectures, up to SIL 3
Complex electronics combined with electromechanical | Restricted to designated architectures, up to PL=d  | All architectures, up to SIL 3

(After Table 1 of IEC 62061:2005. "Designated architectures" are the Category B, 1, 2, 3 and 4 structures defined in ISO 13849-1.)

For complex programmable electronic subsystems, IEC 62061 presumes that the design conforms to the relevant requirements of IEC 61508-2 using Route 1H, in which hardware safety integrity is demonstrated through safe failure fraction and hardware fault tolerance. The standard states that Route 2H, which instead relies on component reliability data obtained from field feedback, is not suitable for general machinery applications. This is a pragmatic recognition that machinery control systems evolve rapidly and rarely accumulate the operating history that such field data requires.

Designers must carefully consider which standard to apply: IEC 62061 allows all architectures up to SIL 3 for complex electronics, while ISO 13849-1 restricts complex electronics to designated architectures up to PL=d. For systems combining multiple technologies, cross-standard evaluation is often necessary and guidance from IEC/TR 62061-1 should be consulted.

The SRECS Lifecycle: From Specification to Validation

IEC 62061 defines a safety lifecycle for the SRECS in Clauses 4 to 9 (Clauses 1 to 3 cover scope, normative references and definitions), guiding designers from the specification of the safety functions through design, validation and subsequent modification. The core of the standard is organised around the following phases:

Clause 4 – Management of Functional Safety: Specifies the management and technical activities necessary for achieving the required functional safety. This includes defining roles and responsibilities, establishing procedures for safety planning, and ensuring competence of personnel involved in safety-related work.

Clause 5 – Specification of Safety-Related Control Functions (SRCFs): Requires the creation of both a functional requirements specification and a safety integrity requirements specification. The functional specification describes what the SRECS must do, while the integrity specification defines how reliably it must perform these functions, expressed in terms of SIL targets.

Clause 6 – Design and Integration: Covers selection of system architecture, hardware and software design, and verification. This is the most technically detailed section, addressing architectural constraints, fault tolerance requirements, diagnostic coverage, and systematic capability. The standard defines four basic subsystem architectures, A to D (single channel without and with diagnostics, and two-channel with single fault tolerance without and with diagnostics), and gives a formula for the dangerous failure rate of each.

Clauses 7-9 – Information for Use, Validation, and Modification: Address the later phases of the lifecycle, ensuring that end users receive adequate documentation for safe operation and maintenance, that the completed SRECS is systematically validated against its requirements specification, and that any subsequent modifications follow a controlled procedure.

Clause                     | Objective
---------------------------+--------------------------------------------------------------------------------
4 – Management             | Define activities and responsibilities for functional safety achievement
5 – SRCF Specification     | Establish functional and integrity requirements for safety-related control functions
6 – Design & Integration   | Select architecture, design hardware/software, and verify against requirements
7 – Information for Use    | Provide user and maintenance manuals for safe SRECS operation
8 – Validation             | Inspect and test to ensure the SRECS meets its safety requirements specification
9 – Modification           | Plan and verify modifications before implementation

SIL Assignment and Architectural Considerations

The assignment of Safety Integrity Levels in IEC 62061 follows a risk-based approach (Annex A of the standard). For each hazard, four parameters are estimated: severity of the possible harm (Se), frequency and duration of exposure to the hazard (Fr), probability of occurrence of the hazardous event (Pr), and probability of avoiding or limiting the harm (Av). Fr, Pr and Av are summed into a class Cl, and a matrix of Se against Cl yields the required SIL, from SIL 1 (lowest) to SIL 3 (highest for machinery); for the lowest combinations the matrix recommends other risk-reduction measures rather than an SRCF.

Each SRECS is decomposed into subsystems, and each subsystem is further divided into subsystem elements. A dangerous failure of any subsystem results in a dangerous failure of the safety-related control function. The standard distinguishes between two fundamental component types:

  • Low complexity components — failure modes are well-defined and behavior under fault conditions can be completely determined (e.g., electromechanical relays, limit switches, contactors).
  • Complex components — failure modes are not well-defined or behavior under fault conditions cannot be completely defined (e.g., microprocessors, programmable logic controllers).

For each subsystem, designers must estimate the probability of dangerous failure per hour (PFHD); the PFHD of the whole SRCF is the sum over its subsystems and must not exceed the target failure measure for the assigned SIL. Independently of that calculation, architectural constraints (Table 5 of the standard) cap the SIL claimable for a subsystem according to its safe failure fraction (SFF) and hardware fault tolerance (HFT), so both limits must be satisfied. The standard's formulas for the basic architectures take diagnostic coverage, the common-cause failure factor, the diagnostic test interval and the proof test interval (or lifetime) as inputs.

Diagnostic coverage matters because, in the architectures with diagnostics, the residual dangerous failure rate of each element scales roughly with (1 – DC), and undetected dangerous failures in a redundant subsystem accumulate over the whole proof test interval. Subsystems intended for SIL 2 or SIL 3 therefore usually need DC well above 90 %, which in practice means automatic self-tests for processors, cross-monitoring of redundant sensor channels, and force-guided (mechanically linked) contacts with read-back for electromechanical outputs. The additional engineering cost is modest compared to the risk reduction achieved.
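The following worked example, added here and not taken from the page or from the standard's text, puts the preceding two paragraphs into code: it estimates the PFHD of low-complexity subsystems built from the basic architectures A to D, applies the SFF/HFT architectural constraint, and combines subsystems in series into an SRECS-level SIL claim. The formulas are transcribed from IEC 62061:2005 (6.7.8 and Table 5) and should be checked against the edition you work to; every failure rate, DC value, beta factor and test interval is a constructed illustration value, not data for any real product, and the subsystem names are hypothetical.

```python
"""IEC 62061 subsystem PFH_D and architectural-constraint worked example.

Added example, not code from the page or from the standard. Formulas are
transcribed from IEC 62061:2005 (6.7.8 basic architectures A-D, Table 5
architectural constraints); all numeric inputs below are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


def sil_from_pfhd(pfhd: float) -> int:
    """SIL supported by a PFH_D (per hour) in high-demand / continuous mode:
    SIL 3: 1e-8 <= PFH_D < 1e-7, SIL 2: < 1e-6, SIL 1: < 1e-5, else 0.
    Machinery caps at SIL 3, so anything below 1e-8 still returns 3."""
    if pfhd >= 1e-5:
        return 0
    if pfhd >= 1e-6:
        return 1
    if pfhd >= 1e-7:
        return 2
    return 3


def max_sil_architectural(sff: float, hft: int) -> int:
    """Maximum SIL claimable for a subsystem from its SFF and HFT
    (transcribed from IEC 62061:2005 Table 5; 0 = no SIL claimable)."""
    if sff < 0.60:
        row = (0, 1, 2)          # HFT 0 with SFF < 60 % is not allowed
    elif sff < 0.90:
        row = (1, 2, 3)
    elif sff < 0.99:
        row = (2, 3, 3)
    else:
        row = (3, 3, 3)
    return row[min(hft, 2)]


@dataclass
class Element:
    """Low-complexity subsystem element with well-defined failure modes."""
    lambda_d: float          # dangerous failure rate, per hour
    lambda_s: float          # safe failure rate, per hour
    dc: float = 0.0          # diagnostic coverage of dangerous failures, 0..1


@dataclass
class Subsystem:
    name: str
    elements: list
    architecture: str        # "A", "B", "C" or "D"
    beta: float = 0.0        # common-cause failure factor (B and D only)
    t1: float = 20 * HOURS_PER_YEAR   # proof test interval or lifetime, h
    t2: float = 1.0          # diagnostic test interval, h (C and D only)

    @property
    def hft(self) -> int:
        return 1 if self.architecture in ("B", "D") else 0

    def lambda_d_ss(self) -> float:
        """Dangerous failure rate of the subsystem per IEC 62061:2005 6.7.8."""
        e, a = self.elements, self.architecture
        if a == "A":                         # 1oo1, no diagnostics
            return sum(x.lambda_d for x in e)
        if a == "C":                         # 1oo1, with diagnostics
            return sum(x.lambda_d * (1 - x.dc) for x in e)
        e1, e2 = e                           # B and D: two-element 1oo2
        ccf = self.beta * (e1.lambda_d + e2.lambda_d) / 2
        prod = e1.lambda_d * e2.lambda_d
        if a == "B":                         # 1oo2, no diagnostics
            return (1 - self.beta) ** 2 * prod * self.t1 + ccf
        if a == "D":                         # 1oo2, with diagnostics
            detected = prod * (e1.dc + e2.dc) * self.t2 / 2
            undetected = prod * (2 - e1.dc - e2.dc) * self.t1 / 2
            return (1 - self.beta) ** 2 * (detected + undetected) + ccf
        raise ValueError(f"unknown architecture {a!r}")

    def pfhd(self) -> float:
        return self.lambda_d_ss() * 1.0      # PFH_D = lambda_D,SS x 1 h

    def sff(self) -> float:
        """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D)."""
        ls = sum(x.lambda_s for x in self.elements)
        ld = sum(x.lambda_d for x in self.elements)
        ldd = sum(x.lambda_d * x.dc for x in self.elements)
        return (ls + ldd) / (ls + ld)

    def max_sil(self) -> int:
        return min(sil_from_pfhd(self.pfhd()),
                   max_sil_architectural(self.sff(), self.hft))


@dataclass
class CertifiedSubsystem:
    """Complex subsystem (e.g. a safety PLC) designed to IEC 61508-2 Route 1H;
    PFH_D and SIL capability come from the manufacturer's declaration."""
    name: str
    declared_pfhd: float
    declared_sil: int

    def pfhd(self) -> float:
        return self.declared_pfhd

    def max_sil(self) -> int:
        return min(self.declared_sil, sil_from_pfhd(self.declared_pfhd))


def srecs_sil(subsystems) -> tuple:
    """Series combination: PFH_D of the SRCF is the sum over subsystems, and
    the SIL claim is bounded by the weakest subsystem's own limit."""
    total = sum(s.pfhd() for s in subsystems)
    sil = min([sil_from_pfhd(total)] + [s.max_sil() for s in subsystems])
    return total, sil


def example_srecs() -> tuple:
    """Constructed e-stop chain: 2-channel input -> safety PLC -> 2 contactors."""
    estop = Subsystem("e-stop input, 2 contact blocks, cross-monitored",
                      [Element(1e-7, 1e-7, dc=0.99), Element(1e-7, 1e-7, dc=0.99)],
                      architecture="D", beta=0.05)
    plc = CertifiedSubsystem("safety PLC", declared_pfhd=2e-9, declared_sil=3)
    outputs = Subsystem("2 contactors with force-guided read-back",
                        [Element(3e-7, 3e-7, dc=0.9), Element(3e-7, 3e-7, dc=0.9)],
                        architecture="D", beta=0.05)
    return srecs_sil([estop, plc, outputs])


def single_contactor_variant() -> Subsystem:
    """Same output stage with one unmonitored contactor (architecture A)."""
    return Subsystem("single contactor, no read-back",
                     [Element(3e-7, 3e-7)], architecture="A")


if __name__ == "__main__":
    total, sil = example_srecs()
    print(f"SRECS PFH_D = {total:.3e} /h -> SIL {sil}")
    s = single_contactor_variant()
    print(f"single contactor: PFH_D = {s.pfhd():.1e}, SFF = {s.sff():.2f}, "
          f"max SIL = {s.max_sil()}")
```

Two things the numbers show that the prose alone does not: in both architecture D subsystems the beta (common-cause) term dominates the result, so adding redundancy without addressing common-cause failures buys little; and the single unmonitored contactor would pass a naive PFHD check at SIL 2 yet claims no SIL at all, because with HFT 0 and an SFF of 50 % the architectural constraint rules it out.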

Engineering Design Insights

From a practical engineering perspective, several lessons emerge from applying IEC 62061. First, the distinction between systematic and random hardware failures is fundamental. Systematic failures (design errors, software bugs, specification mistakes) must be addressed through rigorous development processes and validation, while random hardware failures are managed through architectural measures and diagnostic coverage. The standard requires both approaches to be applied comprehensively.

Second, the demand mode matters. IEC 62061 treats machine safety functions as operating in high-demand or continuous mode, because the SRECS must maintain the safety function throughout machine operation rather than respond to an occasional demand. The target failure measure is therefore the probability of dangerous failure per hour (PFHD), not the probability of failure on demand (PFD) used for low-demand functions elsewhere in IEC 61508.

Third, the standard's modification clause (Clause 9) is often underestimated in its importance. Any modification to an SRECS – whether hardware, software, or a parameter change – must undergo a structured impact analysis and re-validation of the affected functions. Undocumented changes to previously validated systems are a recurring cause of safety-related incidents.

Never bypass a safety function for troubleshooting without compensating measures in place. Operations teams should establish clear procedures for temporary override of safety functions, covering authorization levels, time limits, the compensating measures required while the override is active, and mandatory re-testing of the function after restoration. A bypassed safety function is effectively absent from the risk reduction measures, and the machine's residual risk during the bypass is whatever the risk assessment assumed it would be without that function.

Frequently Asked Questions

Q1: What is the difference between IEC 62061 and ISO 13849-1?

IEC 62061 uses SIL levels (1-3) and is specifically for electrical/electronic/programmable electronic control systems, while ISO 13849-1 uses Performance Levels (a-e) and covers all technologies including hydraulic, pneumatic, and mechanical. Both standards can achieve comparable safety integrity levels. IEC 62061 allows more flexible architectures for complex electronics, while ISO 13849-1 provides a simpler route for electromechanical systems using designated architectures.

Q2: Can IEC 62061 be used for retrofitting safety systems on existing machinery?

Yes, the standard applies to both new designs and modifications of existing machinery. However, retrofitting may require additional considerations for integration with legacy control elements that may not meet modern functional safety requirements. In such cases, a risk assessment should determine whether the legacy components are included within the SRECS boundary or isolated from it.

Q3: What documentation is required for IEC 62061 compliance?

Key documents include: safety requirements specification, risk assessment report, SRECS architecture design, hardware and software design documentation, verification reports, validation plan and results, information for use (user manual), and modification records. The level of detail should be proportionate to the SIL target – higher SIL requires more rigorous documentation.

Q4: How is software safety addressed in IEC 62061?

The standard addresses software through requirements for software safety integrity, specifying techniques for the avoidance of systematic faults (structured design, modular decomposition, coding standards) and for the control of faults (diverse monitoring, test coverage, static analysis). For embedded software in complex programmable electronics it refers to IEC 61508-3 for the detailed software safety lifecycle; for application software written in limited-variability languages (such as ladder logic or function blocks on a safety PLC) it gives its own, lighter requirements in Clause 6.
