Last edit: 30/03/2026
Summary
This article is part of a series of articles written on Functional Safety of Machinery. We recently introduced one of the two standards used to design Safety Control Systems in High Demand: ISO 13849-1. We are now presenting the key aspects of IEC 62061. In the previous edition of TUTTOMISURE we presented Architectures A and B; we will now detail Architecture C: the equivalent of Category 2 of ISO 13849-1, in other words a single channel with diagnostics.
Basic Subsystem Architecture C: 1oo1D
In this Architecture, a single channel with diagnostics, any undetected dangerous fault of the subsystem element leads to a dangerous failure of the safety function. Where a fault of a subsystem element is detected, the diagnostic function initiates a fault reaction. This Architecture corresponds to a Hardware Fault Tolerance of 0.
This Architecture corresponds to the Category 2 of ISO 13849-1; in figure 2 there is a more precise representation.
You can notice that the TE (Test Equipment) of Category 2 in ISO 13849-1 is defined as Fault Diagnostic Function in IEC 62061. Likewise, the equivalent of the OTE is the Fault Reaction Function. The TE + OTE is defined as the Fault Handling Function in IEC 62061.
Conditions for a correct implementation of Basic Subsystem Architecture C
For Architecture C, the calculation of PFH assumes time-optimal fault handling. Time-optimal fault handling of a subsystem element can be assumed if one of the following conditions is satisfied:
- The diagnostic rate is at least a factor of 100 higher than the demand rate of the safety function and the time needed for the fault reaction is sufficiently short to bring the system to a safe state, before a hazardous event occurs; or
- The fault handling is performed immediately upon any potential demand of the safety function and the time needed to detect a detectable fault and to bring the system to a safe state is shorter than the process safety time; or
- The fault handling is performed continuously, and the time needed to detect a detectable fault and to bring the system to a safe state is shorter than the process safety time; or
- The fault handling is performed periodically and the sum of the test interval, the time needed to detect a detectable fault and time needed to bring the system to a safe state is shorter than the process safety time.
Table 1 summarises all possible conditions related to a correct implementation of a 1oo1D architecture.
- Situations 1 and 3. If no safe state is possible, regardless of whether there is an optimal testing frequency or not, we cannot claim a 1oo1D Architecture. Therefore, we fall back to a 1oo1 Architecture, where well-tried components must be used.
The reason for the difference with ISO 13849-1, in case of Situation 3, is due to the link of IEC 62061 to IEC 61508.
[IEC 61508-2] 7.4.8 Requirements for system behaviour on detection of a fault
7.4.8.3 The detection of a dangerous fault (by diagnostic tests, proof tests or by any other means) in any subsystem having a hardware fault tolerance of 0 shall, in the case of a subsystem that is implementing any safety function(s) operating in the high demand or the continuous mode, result in a specified action to achieve or maintain a safe state (see Note).
NOTE: The specified action required to achieve or maintain a safe state will be specified in the E/E/PE system safety requirements (see IEC 61508-1, 7.10). It may consist, for example, of the safe shut-down of the EUC, or that part of the EUC that relies, for functional safety, on the faulty subsystem.
- Situation 2. No Optimal testing is present; however, in case a fault is detected, we can bring the system to a safe state. We can claim a 1oo1D Basic Subsystem Architecture and we can reach SIL 2, if all other conditions exist. No need to use well-tried components.
- Situation 4. We have both optimal testing and, in case a fault is detected, we can bring the system to a safe state. We can claim a 1oo1D Basic Subsystem Architecture and we can reach SIL 2, if all other conditions exist. No need to use well-tried components.
This is a “delicate” Architecture, similar to Category 2. The issue is the failure of the Diagnostic Function, called the Fault Handling Function, while the Functional Channel is still working. The Fault Handling Function includes both the Fault Diagnostics function and the Fault Reaction function.
Basic Subsystem Architecture C with Fault Handling done by the SCS
This one is the simplest situation, since the Diagnostic and Fault Reaction Functions (equivalent to TE and OTE in ISO 13849-1) are already part of the safety function. The fault handling function is completely performed by a separate subsystem of the SCS, which is also involved in performing the safety function, thus contributing to its PFH.
In other words, in this case we can ignore the reliability of the Monitoring channel, since it is already taken care of while calculating the reliability of the Functional Channel.
This could be the case in which a Safety-related Control System monitors whether a motor contactor has opened and, in case of failure, de-energises another contactor that is part of another safety function.
If we consider a Subsystem C, made of n elements numbered from 1 to n, the PFH is given by the following formula:
As you can see, the reliability of the Fault Handling Function (or monitoring function) is not present in the formula. It is the same formula used in the first edition of the standard.
Basic Subsystem Architecture C with mixed Fault Handling
These are all cases where the reliability of the monitoring channel, or more precisely of the Fault Handling function, is outside of the Safety Function. In order to calculate the PFH of this architecture, a new failure rate has to be introduced: it is called the failure rate of the Fault Handling Function, or λD-FH.
A Markov model was used to arrive at the different PFH formulas.
There are 3 possible situations:
1. The subsystem C has external Fault Diagnostics (TE), but the element performing the fault reaction (it would be the OTE in ISO 13849-1 Category 2) is internal to the subsystem.
In this case the fault handling failure rate includes the Fault Reaction function only.
That means λD-FH = λD-FR.
The failure rate of the Fault Diagnostic function is not considered, since it is already taken care of while calculating the reliability of the Functional Channel.
2. The Subsystem C has external Fault Reaction (OTE), while the Fault Diagnostic (TE) is done internally to the subsystem.
In this case the fault handling failure rate includes the Fault Diagnostic function only.
That means λD-FH = λD-FD.
The failure rate of the Fault Reaction function is not considered, since it is already taken care of while calculating the reliability of the Functional Channel.
3. The subsystem C has both Fault Diagnostics and Fault Reaction internal to the subsystem.
In this case the fault handling failure rate includes both the diagnostic function and the fault reaction function.
That means λD-FH = λD-FD + λD-FR.
PFH in case of four conditions satisfied
In all of the 3 cases previously described, there is a simple equation that can be used to calculate the PFH value, provided all the following conditions are satisfied:
- β ≤ 2 %;
- DC ≤ 99 %;
- 1/λDe ≤ 1 000 years;
- 1/λD-FH has at least the minimum value according to Table 7.9 {7.2.4.1};
where λD-FH is the failure rate of the single element that realizes the fault handling function within the subsystem.
The equation is the following:
If the functional channel has more than one element, the related DC is calculated using the following formula.
PFH in case one of the four conditions is not satisfied
In case one of the above four conditions is not satisfied, the simplified formula cannot be used, since it may give a lower value of PFH and therefore indicate a higher reliability than is actually the case.
If the functional channel comprises one element only and the fault handling function, within the subsystem, is realized by another single element, the following equation can be used:
Where:
- T1 is the Proof Test interval of the perfect Proof Test or the useful lifetime, whichever is the smaller;
- λDe is the dangerous failure rate of the single element of the functional channel;
- λD-FH is the failure rate of the single element that realizes the fault handling function(s) within the subsystem;
- DC is the diagnostic coverage for the single element e of the functional channel;
- β is the susceptibility to common cause failures of the functional channel and the channel that realizes the fault handling function(s) within the subsystem.
The same equation can also be used when all four conditions above are satisfied: it is the general formula for Architecture C and is always valid.
You may notice that, in case the dangerous failure rate(s) of the fault handling function(s) within the subsystem can be assumed to be zero (λD-FH = 0), the equation becomes the same as the one in § 7.2.6.1. The reason is obvious: the monitoring channel is assumed to have a very high reliability.
Please consider that the general formula can be used even if the reliability of the fault handling function is worse than that required by Table 2.
Implications of the Architectural Constraints in Basic Subsystem Architecture C
Architecture C subsystems have an HFT = 0. That means, based upon the SFF, a maximum of SIL 3 can be achieved. However, it is important to verify that one of the following conditions is satisfied:
- the sum of the diagnostic test interval and the time to perform the specified fault reaction function to achieve or maintain a safe state shall be shorter than the process safety time (e.g. see ISO 13855);
- the ratio of the diagnostic test rate to the demand rate shall be equal to or greater than 100. This last condition aligns Architecture 1oo1D with Category 2.
Therefore, a monitored single channel subsystem (1oo1D) where neither of the two conditions is met has to be considered a Basic Subsystem Architecture A (1oo1); please refer to Table 7.8.
Table 3 is applicable. Normally SFF < 99%, since SFF ≥ 99 % is only possible when there is continuous monitoring of the correct functioning of the element: typically, only electronic technology can have this.
Example of a Basic Subsystem Architecture C
Let’s consider the output subsystem as shown in Figure 7. KP has B10 = 10⁶ with 73 % as the percentage of dangerous failures. U< has B10 = 4·10⁵. The Mission Time of both the contactor and the undervoltage coil is 20 years.
KP is supposed to open twice per minute while U< is supposed to open once per month.
Let’s now focus on the calculation of probability of random failures.
1. The first step is to calculate the λD of the contactor KP. We assume the machine is working 240 days per year and eight hours per day.
2. The second step is to calculate T1 and β.
T1 = min (Useful Life; Proof Test);
Useful Life = min (Mission Time; T10D);
Mission Time = 20 years;
Useful Life = min (20 years; 5,9 years) → Useful Life = 5,9 years;
Proof Test > 20 years
T1 = min (5,9 years; > 20 years) → T1 = 5,9 years = 52 560 hours;
Based upon the CCF criteria listed in Annex E of the standard, we can assume a β = 0,02.
3. The third step is the determination of the Diagnostic Coverage. Being a single channel with a testing element, which directly monitors the status of KP, we assume DC = SFF = 90%.
4. The fourth step is to check that the λD-FH value of the test channel is not lower than specified in Table 2. In this case, functional channel and testing channel have the Safety PLC in common; in other words, we are in the situation of Figure 4: External Fault Diagnostics. The Fault Reaction (the undervoltage coil) is considered part of the output subsystem, while the Fault Diagnostics (performed by the Safety PLC) is not, since its reliability is already taken care of in the reliability calculation of the Functional Channel, which includes the Safety Logic. For that reason, only the failure rate of the undervoltage coil is relevant for λD-FH.
U< is used only when a fault is detected, once per month:
Since we claim a DC of 90%, based upon Table 2, the minimum value of 1/λD-FH is 1200 years.
In this case 1/λD-U< is much higher than required in Table 2: the condition is fulfilled.
5. The last step is to calculate the PFH.
All the following conditions are satisfied:
- β ≤ 2 %;
- DC ≤ 99 %;
- 1/λDe = 1/λD-KP = 1/(1,92 × 10⁻⁶ × 8760) = 59,5 years < 1 000 years;
- 1/λD-FH = 1/λD-FR = 1/λD-U< = 333 333 years > 1200 years;
Therefore, the simplified equation can be used.
With a SFF = 90 % and HFT = 0, the SIL level is limited by the Architectural Constraints to SIL 2.
The Safety Subsystem reaches SIL 2 and has a PFH = 1,92 × 10⁻⁷ per hour.
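As an added worked example (my own code, not from the article or from the standard), the following Python script recomputes the figures of the output-subsystem example above and generalises the checks into reusable functions: λD from B10, T10D and T1, the 1/λ comparisons, the four conditions for the simplified equation, the time-optimal fault handling conditions listed earlier, and the SFF-based SIL limit for HFT = 0. Assumptions that are not on the page: λD is spread over a calendar year of 8760 h (the convention that reproduces the article's 1,92 × 10⁻⁶); every failure of U< is counted as dangerous (which reproduces 333 333 years); only the Table 2 row the article quotes (DC = 90 % → 1200 years) is encoded; the simplified PFH is taken as λDe·(1 − DC), which reproduces the article's 1,92 × 10⁻⁷ but is not printed in the text; and the SFF thresholds of 60 %, 90 % and 99 % for HFT = 0 come from the architectural-constraint table of the standard, of which the article only states the SFF 90 % → SIL 2 row and the SIL 3 ceiling.

```python
"""Recomputation of the article's Architecture C (1oo1D) example.

Added example, not the article's code. See the function docstrings for the
assumptions (calendar-year spreading of lambda_D, all U< failures dangerous,
simplified PFH = lambda_De * (1 - DC), SFF thresholds for HFT = 0).
"""

HOURS_PER_YEAR = 8760


def dangerous_failure_rate(b10, dangerous_fraction, nop_per_year):
    """lambda_D in failures per hour: 0.1 * nop / B10 per year, dangerous share
    only, spread over 8760 h (assumption matching the article's 1,92e-6 /h)."""
    return 0.1 * dangerous_fraction * nop_per_year / (b10 * HOURS_PER_YEAR)


def t10d_years(b10, dangerous_fraction, nop_per_year):
    """Useful-life limit T10D = B10D / nop, with B10D = B10 / dangerous fraction."""
    return (b10 / dangerous_fraction) / nop_per_year


def t1_years(mission_time_years, t10d, proof_test_years=None):
    """T1 = min(useful life, proof test); a proof test longer than the mission
    time (the article's '> 20 years') is passed as None."""
    useful_life = min(mission_time_years, t10d)
    return useful_life if proof_test_years is None else min(useful_life, proof_test_years)


def mttfd_years(lambda_per_hour):
    """1/lambda expressed in years, the unit the article uses for the comparisons."""
    return 1.0 / (lambda_per_hour * HOURS_PER_YEAR)


def fault_handling_is_time_optimal(diag_rate, demand_rate, detect_react_time,
                                   process_safety_time, test_interval=0.0):
    """Time-optimal fault handling as listed in the article: diagnostic rate at
    least 100x the demand rate with a reaction that fits the process safety
    time, or handling (immediate/continuous: test_interval = 0; periodic:
    test_interval > 0) whose test interval + detection + reaction time is
    shorter than the process safety time. All times in the same unit."""
    rate_ok = diag_rate >= 100 * demand_rate and detect_react_time < process_safety_time
    timing_ok = test_interval + detect_react_time < process_safety_time
    return rate_ok or timing_ok


def simplified_formula_allowed(beta, dc, lambda_de, lambda_dfh, min_fh_years):
    """The four conditions for using the simplified PFH equation.
    Returns (all_ok, per-condition results)."""
    checks = {
        "beta <= 2 %": beta <= 0.02,
        "DC <= 99 %": dc <= 0.99,
        "1/lambda_De <= 1000 years": mttfd_years(lambda_de) <= 1000,
        "1/lambda_D-FH >= table minimum": mttfd_years(lambda_dfh) >= min_fh_years,
    }
    return all(checks.values()), checks


def sil_limit_hft0(sff):
    """Architectural constraint for HFT = 0. Thresholds 60/90/99 % are assumed
    from the standard's table; the article states only SFF 90 % -> SIL 2 and
    the SIL 3 ceiling. Returns None when the subsystem is not allowed."""
    if sff >= 0.99:
        return 3
    if sff >= 0.90:
        return 2
    if sff >= 0.60:
        return 1
    return None


def worked_example():
    """KP contactor (B10 = 1e6, 73 % dangerous, 2 ops/min, 8 h/day, 240 days/year)
    monitored by the safety PLC, fault reaction by the undervoltage coil U<
    (B10 = 4e5, operated once per month when a fault is detected)."""
    nop_kp = 2 * 60 * 8 * 240                            # 230 400 operations/year
    lam_d_kp = dangerous_failure_rate(1e6, 0.73, nop_kp)
    t10d = t10d_years(1e6, 0.73, nop_kp)
    t1 = t1_years(20, t10d)                              # proof test > 20 years
    lam_d_uv = dangerous_failure_rate(4e5, 1.0, 12)      # all U< failures dangerous (assumption)
    dc = 0.90                                            # DC = SFF = 90 %: KP directly monitored
    beta = 0.02                                          # from the Annex E CCF criteria
    ok, checks = simplified_formula_allowed(beta, dc, lam_d_kp, lam_d_uv, min_fh_years=1200)
    pfh = lam_d_kp * (1 - dc) if ok else None            # simplified PFH (assumption, see docstring)
    return {
        "lambda_D_KP": lam_d_kp,
        "T10D_years": t10d,
        "T1_years": t1,
        "mttfd_KP_years": mttfd_years(lam_d_kp),
        "mttfd_FH_years": mttfd_years(lam_d_uv),
        "simplified_ok": ok,
        "checks": checks,
        "PFH": pfh,
        "SIL_limit": sil_limit_hft0(dc),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Running the script prints the intermediate values in the order the article walks through them, so a change in any input (a different B10, demand rate or DC) shows immediately which of the four conditions stops the simplified equation from being applicable, and whether the SFF still supports the claimed SIL under HFT = 0.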