Last edit: 22/08/2025
Proof Testing in High Demand
During the revision of IEC 62061 there was much discussion about the effectiveness of a Proof Test in high-demand mode, especially for electromechanical components.
The first aspect to consider is that manufacturers of electromechanical components typically do not provide instructions on how a proof test should be performed on them. Furthermore, a proof test on these components can only be partial, because of wear-related degradation: an electromechanical component, even after a proof test, will never be as good as new.
In high-demand applications for electromechanical components, the standard recommends not using the Proof Test concept. This is clearly specified, for example, for Basic Subsystem Architecture A.
[IEC 62061] 7.5.2.1 Basic subsystem architecture A: single channel without a diagnostic function
[…] In high or continuous mode of operation, architecture A shall not rely on a Proof Test.
For other architectures, the proof test interval enters through a parameter called T1, which is the smaller of:
- the proof test interval of the perfect proof test, and
- the useful lifetime, i.e. the shorter of the component’s Mission Time and its T10D.
In high-demand mode, for electronic components, the PFH is usually provided by the manufacturer; therefore, determining the Proof Test interval is usually not necessary for calculating the reliability of the safety system.
Mission Time and Useful Lifetime
Mission Time represents the period within which the component’s failure rate is considered constant and is a value defined by the component manufacturer; here is its definition.
[ISO 13849-1] 3.1 Terms and definitions
3.1.37 Mission Time TM. Period of time covering the intended use of an SRP/CS
Typically, components compliant with both IEC 62061 and ISO 13849-1 are given a Mission Time of 20 years, i.e. their failure rate is considered constant for 20 years; the manufacturer may specify a longer period. However, depending on the frequency of use, the period over which the failure rate can be considered constant may be shorter than the 20 years indicated by the component manufacturer: for components with wear characteristics, this period is limited by T10D.
It is for this reason that, in the new edition of IEC 62061, it was decided to use the term Useful Lifetime ; its definition is given below:
[IEC 62061] 3.2 Terms and definitions
3.2.42 Useful Lifetime. Minimum elapsed time between the installation of the SCS or subsystem or subsystem element and the point in time when component failure rates of the SCS or subsystem or subsystem element can no longer be predicted, with any accuracy.
Useful Lifetime can be defined as the minimum value between the Mission Time, indicated by the component manufacturer, and the T10D calculated by the machine manufacturer.
Please note that Mission Time TM is a characteristic of the component and not of the subsystem, and can only be specified by the component manufacturer. This is different from the proof test interval Ti and from T10D, which are determined by the machine manufacturer.
Each component within the Safety Control System (SCS) can have a different Mission Time. Typically, at the end of its Mission Time, the component must be replaced if the Safety Control System (SCS) is to continue functioning.
In high-demand mode, if the subsystem’s useful lifetime is greater than or equal to the useful lifetime of the Safety Control System (SCS), a proof test is not necessary, and in the PFH estimate T1 is equal to the useful lifetime. If it is shorter, and a proof test is not possible, the subsystem or subsystem element must be replaced during the useful lifetime of the SCS.
In IEC 62061, the parameter T1 is defined as “the proof test interval of the perfect proof test or useful lifetime whichever is the smaller”.
The concept is also present in ISO 13849-1 and is called “ operating life time ”.
Managing Systematic Failures
In IEC 62061, too, systematic failures must be avoided. This is achieved by following the measures listed in Table 3.
Refer to ISO 13849-2:2012, Annexes A to D, for examples of basic safety principles and proven safety principles. Also see Annexes A and D of the same standard for examples of well-tried components.
Table 3 is the equivalent of Table 7 of IEC 62061.
Correlation between λD and MTTFD
Recall that both IEC 62061 and ISO 13849-1 assume a constant failure rate for subsystem elements. This assumption leads to the following:
MTTF and MTTFD are typically expressed in years. λ values are typically expressed in FIT (Failures In Time), where 1 FIT corresponds to one failure every 10⁹ hours.
One year is taken as 8,760 hours (365 days × 24 hours). Therefore, an MTTF value can be converted to a λ value using the following formula:
Considering that the value B10D is provided for electromechanical and pneumatic components and knowing that:
The failure rate λD can be calculated from B10D with the following formula:
Again, the component’s service life is limited by its T10D.
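As an added worked example, not taken from the original article, the following Python script carries the quantities discussed above (Mission Time, T10D, useful lifetime, T1, and the conversion from B10D and MTTFD to λD in FIT) through numerically for a hypothetical electromechanical subsystem element in high-demand mode with no usable proof test. The B10D value, the operating profile and the 20-year Mission Time are constructed inputs. The relations used, nop = d_op·h_op·3600/t_cycle, MTTFD = B10D/(0.1·nop), T10D = B10D/nop and λ = 1/MTTF under the constant-failure-rate assumption, are the ones IEC 62061 and ISO 13849-1 (Annex C) give for components with wear characteristics; the function names are this example's own.

```python
"""Added worked example: from B10D to lambda_D, T10D, useful lifetime and T1.

All numeric inputs are constructed for illustration (a hypothetical
contactor-like electromechanical subsystem element); they are not values
from the article or from any datasheet.
"""
from typing import Optional

HOURS_PER_YEAR = 8760        # 365 days x 24 hours, the conversion the article uses
FIT_PER_HOUR = 1e-9          # 1 FIT = one failure per 1e9 hours


def nop_per_year(d_op: float, h_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year (ISO 13849-1, Annex C):
    d_op = operating days per year, h_op = operating hours per day,
    t_cycle_s = mean time between two successive cycles, in seconds."""
    return d_op * h_op * 3600.0 / t_cycle_s


def mttfd_years_from_b10d(b10d: float, nop: float) -> float:
    """MTTFD = B10D / (0.1 * nop), in years."""
    return b10d / (0.1 * nop)


def t10d_years(b10d: float, nop: float) -> float:
    """T10D = B10D / nop: the time after which 10 % of the components are
    expected to have failed dangerously; the wear limit on the useful lifetime."""
    return b10d / nop


def lambda_per_hour_from_mttf_years(mttf_years: float) -> float:
    """Constant-failure-rate assumption: lambda = 1 / MTTF, with MTTF in hours."""
    return 1.0 / (mttf_years * HOURS_PER_YEAR)


def to_fit(lambda_per_hour: float) -> float:
    """Express a failure rate given per hour in FIT."""
    return lambda_per_hour / FIT_PER_HOUR


def useful_lifetime_years(mission_time_years: float, t10d: Optional[float]) -> float:
    """Useful lifetime = min(Mission Time from the component manufacturer,
    T10D calculated by the machine manufacturer). A component without wear
    characteristics has no T10D, so only the Mission Time applies."""
    if t10d is None:
        return mission_time_years
    return min(mission_time_years, t10d)


def t1_years(useful_lifetime: float, proof_test_interval_years: Optional[float]) -> float:
    """T1 = proof test interval of the perfect proof test or useful lifetime,
    whichever is smaller. With no usable proof test (high-demand mode,
    e.g. architecture A) pass None and T1 is simply the useful lifetime."""
    if proof_test_interval_years is None:
        return useful_lifetime
    return min(useful_lifetime, proof_test_interval_years)


def worked_example() -> dict:
    """Constructed profile: 365 days/year, 16 h/day, one cycle every 60 s;
    B10D = 2,000,000 cycles; Mission Time 20 years; no proof test."""
    b10d = 2_000_000.0
    nop = nop_per_year(d_op=365, h_op=16, t_cycle_s=60)      # 350,400 cycles/year
    mttfd = mttfd_years_from_b10d(b10d, nop)                  # about 57.1 years
    lam_d = lambda_per_hour_from_mttf_years(mttfd)            # 2.0e-6 per hour
    t10d = t10d_years(b10d, nop)                              # about 5.7 years
    life = useful_lifetime_years(mission_time_years=20.0, t10d=t10d)
    t1 = t1_years(life, proof_test_interval_years=None)
    return {
        "nop_per_year": nop,
        "mttfd_years": mttfd,
        "lambda_d_fit": to_fit(lam_d),
        "t10d_years": t10d,
        "useful_lifetime_years": life,
        "t1_years": t1,
        "replace_before_mission_time_ends": life < 20.0,
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>34}: {value}")
```

With these constructed inputs the element has an MTTFD of about 57 years (λD = 2,000 FIT), but its T10D is only about 5.7 years, so the useful lifetime, and hence T1 in the PFH estimate, is 5.7 years rather than the 20-year Mission Time, and the element must be replaced before that point. Computing λD as 1/(MTTFD × 8,760 h) gives the same result as the direct form 0.1 × C / B10D with C expressed in cycles per hour.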
In the next article, we will introduce the four architectures and provide calculation examples recommended by the standard.