Last edit: 21/08/2025
Summary
This article is part of a series of articles written on Functional Safety of Machinery. We recently introduced one of the two standards used to design Safety Control Systems in High Demand: ISO 13849-1. We will now present the approach indicated in IEC 62061.
The standard was updated in 2021, and an amendment was published in 2024. It is the second standard used in Machinery Safety and the least used. It is derived from the IEC 61508 series approach, and the reliability level of a safety function is indicated as a SIL (safety integrity level). It is the preferred standard for machinery that has process loops inside, such as industrial furnaces or chemical installations.
A brief history of the IEC 62061
The first edition of IEC 62061 was published in 2005. It is part of the approach detailed in IEC 61508. It is addressed to the machinery sector, and it allows the verification of the Reliability level reached by a Safety-related Control System (SCS).
[IEC 62061 DIS: 2020] Introduction
[…] This International Standard is intended for use by machinery designers, control system manufacturers and integrators, and others involved in the specification, design and validation of an SCS. It sets out an approach and provides requirements to achieve the necessary performance.
Around 2010, a working group was established, with the assignment of writing one common standard for Functional Safety of Machinery, called ISO/IEC 17305, combining ISO 13849-1 and IEC 62061. Unfortunately, the new standard did not see the light. When the MT 62061 (maintenance team, as they are called in IEC) met for the first time, they decided that the results of that work should be the starting point for the new edition. That is one of the reasons why the new edition of IEC 62061 is closer in approach to ISO 13849-1: the team mediated the IEC 61508 approach with the pragmatism of ISO 13849-1. These are the main changes compared with the previous edition:
- The new standard is now applicable to non-electrical technologies. That is the reason why it now refers to Safety-related Control Systems (SCS) instead of Safety Related Electrical Control Systems (SRECS).
- The Architectures are now better defined, especially Architecture C, as well as the formulas to be used.
- The Architectural constraint, previously called SIL Claim, is now defined as the maximum SIL that a Subsystem can reach.
- Requirements on independence for software verification and validation activities were added.
- New important informative annexes were added; the information they contain and the approach they describe come from ISO 13849-1:
  - Annex C: examples of B10D and MTTFD values for components.
  - Annex D: examples of Diagnostic Coverage values.
Architectural Constraints
IEC 62061 remains connected to the IEC 61508 approach called Route 1 H.
In low-demand mode, components are classified as Type A or Type B, and two different tables are used to determine the maximum SIL a safety subsystem can achieve. IEC 62061, however, defines a single table for all component types, the contents of which are similar to those used for Type B components.
In the context of hardware safety integrity, the highest level that can be declared by a Safety-Related Control System (SCS) is limited by the hardware fault tolerance (HFT) and the safe failure fraction (SFF) of the subsystem performing the safety function: the reference to use is Table 1, which corresponds to Table 6 of IEC 62061.
Please note that the SIL limitation does not imply a PFH limitation; in the new edition, PFHD is now simply referred to as PFH, in line with the IEC 61508 series. This means that, for a subsystem to which the architectural constraint applies, the PFH value can be lower than what is normally associated with the SIL it is allowed to claim.
Overall, the language used and the approaches described in this second edition of the standard are more clearly expressed, making it more accessible than the first edition. Unfortunately, there are still some inherited expressions from the 2005 edition, which can lead to confusion regarding the approach to be adopted and should be definitively eliminated in the next edition.
Table 2 compares the Architectural Constraints of IEC 62061 with the limitations defined by ISO 13849-1 and is therefore applicable to all Safety Systems in high demand mode.
NOTE 1: A Hardware Fault Tolerance of N means that N+1 faults can cause the loss of the safety function.
NOTE 2: "Low", "medium" and "high" are the denominations used by ISO 13849-1 for the quantification and classification of DCavg ranges.
NOTE 3: For HFT = 0 and SFF ≥ 99 %, the following limitations may be relevant:
  - It is recommended to limit the maximum achievable SIL to 2 where fault exclusions have been applied that could lead to dangerous situations (see IEC 62061, 7.3.3.3). SIL 3 can only be achieved with continuous monitoring of the correct functioning of the element; typically, electronic components are required for this purpose.
NOTE 4: Where product standards, such as IEC 61800-5 or IEC 61131-2, are used, it can be assumed that the basic safety principles are respected.
NOTE 5: According to ISO 13849-1, PL d can only be achieved when the output (OTE or Fault Reaction function) leads to a safe state which is maintained until the fault has been corrected: it is not sufficient for the output of the test equipment (OTE) to emit an alarm.
NOTE 6: For Basic Architectures A and B, only the case with electromechanical components is considered.
It can be noted that there is no equivalence between SIL levels and “PL a” or “PL b”. According to ISO 13849-1, it is possible to create a single-channel safety system that does not use well-tried components: it is sufficient to use Category B subsystems with reliability levels equal to PL a or PL b.
Using IEC 62061, this is not possible, since a Basic Subsystem Architecture of type A (1oo1) can only be realized using well-tried components. In other words, according to ISO 13849-1, it is possible to use a "general purpose" PLC to implement a safety system: the maximum achievable PL is PL b. This is not allowed by IEC 62061, neither with a single channel (Architecture A), nor with a redundant channel without diagnostics (Architecture B).
Simplified approach
Similar to the categories in ISO 13849-1, IEC 62061 provides four Basic Subsystem Architectures for each safety subsystem, allowing for a simplified approach. Instead of a graph or table showing PFH values, IEC 62061 provides the user with formulas that generally represent a simplification of Reliability Block Diagrams and are designed to give conservative estimates of PFH. In other words, each Basic Architecture has a formula for calculating PFH. The formula contains variables such as failure rate or diagnostic coverage. In the last issue of Tuttomisure for 2025, we will go into detail about each Basic Architecture and show the different formulas.
However, these formulas are applicable only if the following two conditions are met:
- λ·T1 << 1. This means that the MTTF is much greater than T1, which represents the minimum value between the test interval (proof test) and the useful life of the subsystem.
- During the useful life, which corresponds to the minimum value between the mission time and T10D, the failure rates are constant.
Differences with ISO 13849-1
Some of the differences between the two standards are as follows:
- In IEC 62061, the risk of common cause failure (CCF) is assessed using a table similar to that of ISO 13849-1; however, there is no minimum score; this is a significant advantage in favor of IEC 62061.
- In Category 2, ISO 13849-1 requires that the MTTFD of the test channel (TE or Test Element) be no less than half the MTTFD value of the functional channel. The equivalent of Category 2 in IEC 62061 is Architecture C. In this case, however, no minimum reliability level is prescribed for the Fault Handling function (λD-FH). If the value does not comply with Table H.3 of the standard, it is not possible to use the simplified formula for calculating the PFH of the subsystem, and the general formula provided for Basic Subsystem Architecture C must be used. This is also an advantage of using IEC 62061.
- In ISO 13849-1, the MTTFD of subsystems is limited to 100 years, except for Category 4; in IEC 62061, there is no limitation of the PFH in any of the four architectures, even when the architectural constraint (limitation of the maximum achievable SIL) is applied. Another advantage of IEC 62061.
How to calculate the PFH of a basic subsystem architecture
The following elements must be considered in order to determine the PFH of a subsystem:
- Each subsystem must be associated with one of the four Basic Architectures.
- Diagnostic Coverage (DC) and testing intervals must be established.
- Common Cause Failure must be calculated.
- The λD or the MTTFD of the subsystem elements must be calculated.
- The useful life of components is typically 20 years, although for components with wear characteristics, the useful life is limited by T10D.
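As an added worked example (not code from the article or from the standard), the following script walks through the element-level figures listed above for one electromechanical element and checks the two applicability conditions of the simplified formulas. It assumes the B10D-based relations of ISO 13849-1 Annex C (MTTFD = B10D / (0.1 · nop), T10D = B10D / nop), which the article says IEC 62061 Annex C adopts, and the Architecture A rule that the subsystem PFH is the sum of the elements' dangerous failure rates; the numeric margin used for "λ·T1 << 1" and all sample values are assumptions.

```python
"""Element-level reliability figures for an IEC 62061 subsystem (added example).
Assumed, not from the article: ISO 13849-1 Annex C relations for B10D parts,
PFH of Architecture A = sum of lambda_D, and a 0.2 margin for "lambda*T1 << 1"."""

HOURS_PER_YEAR = 8760.0

def n_op(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year: days/year * hours/day * 3600 / cycle time [s]."""
    return d_op * h_op * 3600.0 / t_cycle_s

def mttfd_years(b10d: float, nop: float) -> float:
    """MTTFD [years] of a wear element from its B10D: B10D / (0.1 * nop)."""
    return b10d / (0.1 * nop)

def t10d_years(b10d: float, nop: float) -> float:
    """T10D [years]: time by which 10 % of the population has failed dangerously."""
    return b10d / nop

def lambda_d_per_hour(mttfd: float) -> float:
    """Constant dangerous failure rate lambda_D [1/h] = 1 / MTTFD (MTTFD in years)."""
    return 1.0 / (mttfd * HOURS_PER_YEAR)

def useful_life_years(mission_time: float, t10d: float) -> float:
    """Useful life = min(mission time, T10D): wear parts may not reach 20 years."""
    return min(mission_time, t10d)

def simplified_formulas_applicable(lambda_d: float, t1_hours: float, margin: float = 0.2) -> bool:
    """Condition lambda_D * T1 << 1, T1 = min(proof-test interval, useful life).
    The standard gives no numeric threshold; 0.2 is an assumed engineering margin.
    Note that for a T10D-limited element without proof test, lambda_D*T1 = 0.1 exactly."""
    return lambda_d * t1_hours < margin

def arch_a_pfh(lambda_ds: list) -> float:
    """Basic Subsystem Architecture A (1oo1, no diagnostics): PFH = sum of lambda_D."""
    return sum(lambda_ds)

def evaluate(b10d, d_op, h_op, t_cycle_s, mission_time=20.0, proof_test_years=None):
    """Chain the steps above for one element and report every intermediate value."""
    nop = n_op(d_op, h_op, t_cycle_s)
    mttfd = mttfd_years(b10d, nop)
    t10d = t10d_years(b10d, nop)
    life = useful_life_years(mission_time, t10d)
    t1 = life if proof_test_years is None else min(proof_test_years, life)
    lam = lambda_d_per_hour(mttfd)
    return {"nop": nop, "mttfd_y": mttfd, "t10d_y": t10d, "useful_life_y": life,
            "lambda_d": lam, "t1_h": t1 * HOURS_PER_YEAR,
            "simplified_ok": simplified_formulas_applicable(lam, t1 * HOURS_PER_YEAR)}

if __name__ == "__main__":
    # Constructed sample: contactor, B10D = 2e6 cycles, one cycle per minute, 24/7 duty.
    print(evaluate(b10d=2.0e6, d_op=365, h_op=24, t_cycle_s=60))
```

With one cycle per minute the element is T10D-limited (useful life about 3.8 years instead of 20), which is exactly the wear case the last list item describes.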