The Architectural Constraints

Last edit: 06/08/2025

IEC 62061 remains linked to the IEC 61508 approach of Route 1H.

In low demand mode, components are classified as Type A or Type B, and two different tables are used to decide the maximum SIL that a Safety Subsystem can reach. In IEC 62061, a single table is defined for all types of components, and its content is like the one used for Type B components.

In the context of hardware safety integrity, the highest SIL that can be claimed by an SCS is limited by the hardware fault tolerance (HFT) and safe failure fraction (SFF) of the subsystems that carry out the safety function: the reference to be used is Table 1, which is the same as Table 6 in IEC 62061.


Table 1: Architectural constraints on a subsystem: maximum SIL that can be claimed for an SCS using the subsystem

Please bear in mind that the SIL limitation does not imply a PFH limitation (in the new edition, PFHD is referred to as PFH, in line with the IEC 61508 series). That means that, for a subsystem limited by the architectural constraint, the PFH may well be smaller than the value normally associated with the SIL level it is limited to.
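To make the two independent limits concrete, here is an added worked example (not text or code from the standard or from this article). It encodes the Route 1H table for Type B elements as the article describes it, capped at SIL 3 because IEC 62061 does not claim above SIL 3 (that cap and the exact band values are my reading of the standard, not a quotation), the IEC 61508 high demand PFH target ranges, and the SFF formula SFF = (λSD + λSU + λDD) / λtotal. The failure rates in the demo are constructed numbers, not data from any component. It shows a subsystem whose PFH would be good enough for SIL 3 but whose claim is capped at SIL 2 by the architectural constraint, which is exactly the situation described in the paragraph above.

```python
"""Architectural constraint (Route 1H) versus PFH: added worked example.

Assumptions (not taken from the article):
- SFF_BANDS reproduces the IEC 61508-2 Route 1H table for Type B elements,
  capped at SIL 3 since IEC 62061 does not cover SIL 4.
- PFH_BANDS are the IEC 61508-1 high/continuous demand target ranges.
- All failure-rate values in the demo are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Maximum SIL by SFF band (rows, checked from the highest band down)
# and HFT (columns for HFT 0, 1, 2).  None means "not allowed".
SFF_BANDS = [
    (99.0, (3, 3, 3)),      # SFF >= 99 %
    (90.0, (2, 3, 3)),      # 90 % <= SFF < 99 %
    (60.0, (1, 2, 3)),      # 60 % <= SFF < 90 %
    (0.0, (None, 1, 2)),    # SFF < 60 %
]

# PFH lower bound of each SIL band in high demand mode, checked from SIL 1 down.
PFH_BANDS = [(1e-6, 1), (1e-7, 2), (1e-8, 3)]


def sff_percent(lam_sd: float, lam_su: float, lam_dd: float, lam_du: float) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total, in percent."""
    total = lam_sd + lam_su + lam_dd + lam_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return 100.0 * (total - lam_du) / total


def max_sil_by_architecture(hft: int, sff: float, continuous_monitoring: bool = True) -> Optional[int]:
    """Maximum SIL allowed by the architectural constraint (Table 1 / Table 6)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    if not 0.0 <= sff <= 100.0:
        raise ValueError("SFF must be a percentage")
    sil = next(row[hft] for lower, row in SFF_BANDS if sff >= lower)
    # NOTE 3 of the article: with HFT = 0 and SFF >= 99 %, SIL 3 can only be
    # claimed with continuous monitoring of the element; otherwise limit to SIL 2.
    if hft == 0 and sff >= 99.0 and not continuous_monitoring:
        sil = 2
    return sil


def sil_by_pfh(pfh: float) -> Optional[int]:
    """SIL band that a given PFH (per hour) satisfies in high demand mode."""
    if pfh >= 1e-5:
        return None  # worse than the SIL 1 band: no SIL can be claimed
    for lower, sil in PFH_BANDS:
        if pfh >= lower:
            return sil
    return 3  # below the SIL 3 band: IEC 62061 still claims at most SIL 3


@dataclass
class Assessment:
    sil_architecture: Optional[int]
    sil_pfh: Optional[int]

    @property
    def claimable_sil(self) -> Optional[int]:
        """The claim is the lower of the two independent limits."""
        if self.sil_architecture is None or self.sil_pfh is None:
            return None
        return min(self.sil_architecture, self.sil_pfh)

    @property
    def architecture_limits(self) -> bool:
        """True when the architectural constraint, not the PFH, caps the claim."""
        if self.sil_pfh is None:
            return False
        return self.sil_architecture is None or self.sil_pfh > self.sil_architecture


def assess(hft: int, sff: float, pfh: float, continuous_monitoring: bool = True) -> Assessment:
    return Assessment(max_sil_by_architecture(hft, sff, continuous_monitoring), sil_by_pfh(pfh))


if __name__ == "__main__":
    # Constructed single-channel subsystem (HFT 0): failure rates per hour.
    sff = sff_percent(lam_sd=2e-7, lam_su=1e-7, lam_dd=6e-7, lam_du=5e-8)
    result = assess(hft=0, sff=sff, pfh=5e-8)
    print(f"SFF = {sff:.1f} %")
    print(f"SIL by PFH: {result.sil_pfh}, SIL by architecture: {result.sil_architecture}")
    print(f"Claimable SIL: {result.claimable_sil}, capped by architecture: {result.architecture_limits}")
```

The SFF here is about 94.7 %, so a single channel (HFT 0) is limited to SIL 2 even though a PFH of 5e-8 per hour sits inside the SIL 3 band: the architectural constraint limits the SIL, not the PFH. Raising HFT to 1 with the same SFF moves the architectural limit to SIL 3.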

In general, the language used and the approaches described in this second edition of the standard are fully understandable and usable. Unfortunately, there remains language from the 2005 edition that may generate confusion about the approach to be used and that should finally be removed in the next edition.

Table 2 compares the Architectural Constraints of IEC 62061 with the limitations given by ISO 13849-1 and it is therefore applicable to all Safety Systems in high demand mode.


NOTE 1: A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.

NOTE 2: “Low”, “medium” and “high” are the denominations used in ISO 13849-1 in the context of quantification and classification of DCavg ranges.
NOTE 3: For HFT = 0 and SFF ≥ 99 %, the following limitations can be relevant:

- It is highly recommended to limit the maximum to SIL 2 where fault exclusions have been applied to faults that could lead to a dangerous failure (see IEC 62061, 7.3.3.3);

- SIL 3 can only be claimed when there is continuous monitoring of the correct functioning of the element. Typically, electronic technology will be required to achieve this.

NOTE 4: Where product standards, e.g. IEC 61800-5, IEC 61131-2, … are used, it can be assumed that basic safety principles are fulfilled.
NOTE 5: According to ISO 13849-1, PL d can only be reached when the output (OTE or Fault Reaction function) initiates a safe state that is maintained until the fault is cleared: it is not sufficient that the output of the test equipment (OTE) only provides a warning.
NOTE 6: For both Basic Subsystem Architecture A and B, we consider here the case of electromechanical components only.

Table 2: Architectural constraints for high demand mode of operation


Note that there is no SIL equivalent to PL a or PL b. According to ISO 13849-1, it is possible to have a single-channel safety system that does not use well-tried components: it is enough to use Category B subsystems with reliability levels equal to PL a or PL b.

Using IEC 62061 that is not possible, since a Basic Subsystem Architecture A (1oo1) can only be built from well-tried components. In other words, according to ISO 13849-1 it is possible to use a general-purpose PLC to implement a Safety System, the maximum reachable PL being PL b. That is not allowed by IEC 62061, neither with a single channel (Architecture A) nor with redundant channels without diagnostics (Architecture B).