PT 13: Functional Safety in High Demand: IEC 62061 and Architectures

Last edit: 25/02/2026

Summary

This article is part of a series of articles on the Functional Safety of Machinery. We recently introduced one of the two standards used to design Safety Control Systems in High Demand, ISO 13849-1. We now present the key aspects of IEC 62061.

In this article we will detail Architectures A and B.

Architecture A represents a single-channel safety system without diagnostics: for example, an interlock on a robot cell gate connected to a Logic Solver with two wires (one voltage-free contact).

Architecture B, dual channel without diagnostics, is such that a single fault of any subsystem element does not cause the loss of the safety function. This Architecture corresponds to a Hardware Fault Tolerance of 1. It is not modelled in ISO 13849-1 since it is rarely used: normally, when a redundant channel is present (two contactors in series to stop a motor), diagnostics are provided (the monitoring of the contactor status).

What is Functional Safety?

You enter the domain of Functional Safety whenever you use an automation system to reduce the risks associated with machinery or industrial processes. Risk reduction is typically achieved by removing or controlling sources of energy. These energies may be electrical (for example, a motor driving a hazardous movement), pneumatic, hydraulic, or even process-related, such as methane gas feeding a burner or a pump increasing the pressure in a tank.

Whenever you determine that risk reduction requires, for instance, a pressure sensor that triggers the closure of a valve in case of an excessively high pressure, you are operating within the scope of Functional Safety. The key challenge lies in the fact that any component of the so-called Safety Instrumented System (SIS)—including sensors, logic solvers, or final elements—can itself fail.

Components fail for two reasons:

  • They fail because they are not properly designed, manufactured, installed, used or maintained. Take the example of car tyres: if we drive a car with badly inflated tyres, they are likely to fail faster than normal. These are Systematic Failures: failures due to mistakes in the design, manufacturing, installation or maintenance of the component. Systematic Failures are difficult to estimate and can only be reduced by making sure the whole process, from the component design through to the usage and maintenance of the product, is done properly.

That is the reason for the importance of concepts like Systematic Capability or Systematic Safety Integrity of components, or of Safety-related Control Systems.

Both ISO 13849-1 and IEC 62061 define good engineering practices to be followed in order to reduce the probability of Systematic Failures: they are called Basic and Well-tried safety principles. Moreover, both standards require a Functional Safety Plan. You may refer to Annex I in IEC 62061 or Annex G in ISO 13849-1.

  • Even when the whole process (from design to maintenance) is carried out according to correct rules and procedures, components experience Random Failures during their lifetime: these are the failures that can be statistically estimated.

The first edition of IEC 62061 was published in 2005. Around 2010, a working group was established with the task of developing a unified standard for the functional safety of machinery, designated ISO/IEC 17305. This new standard was intended to combine ISO 13849-1 and IEC 62061 into a single document. Unfortunately, the project never came to fruition.

When the IEC Maintenance Team 62061 (MT 62061) convened for the first time, they decided to use the results of that earlier effort as the foundation for the new edition. This is one of the reasons why the revised IEC 62061 aligns more closely in approach with ISO 13849-1: the team sought to balance the systematic methodology of IEC 61508 with the pragmatic framework of ISO 13849-1.

Repairable vs non-repairable systems

Several reliability techniques can be directly applied to evaluate the failure probability of safety-related subsystems, including Reliability Block Diagrams and Markov Chains. The first edition of IEC 62061 adopted Reliability Block Diagrams and treated safety subsystems as non-repairable.

In the new edition of IEC 62061, the formula for Basic Subsystem Architecture C is derived from a Markov state model, which assumes the system is repairable. The other architecture formulas remain unchanged from the first edition.

Architecture C will be discussed in detail in the next issue of TUTTOMISURE.

Basic Subsystem Architecture A: 1oo1

In this Architecture (single channel without diagnostics), any dangerous failure of a subsystem element causes a failure of the safety function. This Architecture corresponds to a Hardware Fault Tolerance of 0.

In high or continuous mode of operation, Architecture A shall not rely on a Proof Test interval shorter than lifetime (Mission Time).

Implications of the Architectural Constraints in Basic Subsystem Architecture A

Considering Table 1, with HFT = 0, up to SIL 3 could be reached. That may be valid for electronic components. For electromechanical components, however, SFF = DC = 0 is the usual case, so a maximum of SIL 1 can be achieved, even if the formula gives a lower PFH, and only provided well-tried components are used.

Safe Failure Fraction (SFF)   Hardware fault tolerance (HFT)
                              0                                         1       2
SFF < 60 %                    SIL 1 if well-tried components are used   SIL 1   SIL 2
60 % ≤ SFF < 90 %             SIL 1                                     SIL 2   SIL 3
90 % ≤ SFF < 99 %             SIL 2                                     SIL 3   SIL 3
SFF ≥ 99 %                    SIL 3                                     SIL 3   SIL 3

Table 1: Architectural constraints for an electromechanical subsystem

Example of a Basic Subsystem Architecture A


Let’s consider the input subsystem shown in Figure 2.

The interlocking device has a B10D = 20·10⁶ and it is supposed to open twice per hour.

Basic and well-tried safety principles shall be applied. Moreover, well-tried components are used. CCF is not significant.


Let’s now focus on the probability of random failures.

The first step is to calculate λD. We assume the machine is working 240 days in a year and eight hours per day.

Since this is a subsystem of Architecture A, there is no diagnostic, which means we assume SFF = DC < 60 %.

Although the PFH is very low, since SFF < 60 % and HFT = 0, the SIL is limited by the Architectural Constraints to SIL 1.

Safe Failure Fraction (SFF)   Hardware fault tolerance (HFT)
                              0       1       2
SFF < 60 %                    SIL 1   SIL 1   SIL 2
60 % ≤ SFF < 90 %             SIL 1   SIL 2   SIL 3
90 % ≤ SFF < 99 %             SIL 2   SIL 3   SIL 3
SFF ≥ 99 %                    SIL 3   SIL 3   SIL 3

Table 2: SIL 1 is the maximum SIL reachable

Therefore, the Safety Subsystem reaches SIL 1 and has a PFH = 2.19·10⁻⁹ 1/h.

Basic Subsystem Architecture B: 1oo2

This Architecture, dual channel without diagnostics, is such that a single fault of any subsystem element does not cause the loss of the safety function. This Architecture corresponds to a Hardware Fault Tolerance of 1.

This Architecture has no equivalent in ISO 13849-1.

For architecture B, the PFH of the subsystem is given by the following formula:

Where:

  • T1 is the Proof Test interval of the perfect Proof Test or the useful lifetime, whichever is smaller; the useful lifetime is the smaller of T10D and the Mission Time of the subsystem.
  • β is the susceptibility to common cause failures.

Implications of the Architectural Constraints in Basic Subsystem Architecture B

Considering Table 3 for the architectural constraints, with HFT = 1, up to SIL 3 could be reached. That may be valid for electronic components. For electromechanical components, however, SFF = DC = 0, so a maximum of SIL 1 can be achieved, even if the formula gives a lower PFH.

Safe Failure Fraction (SFF)   Hardware fault tolerance (HFT)
                              0                                         1       2
SFF < 60 %                    SIL 1 if well-tried components are used   SIL 1   SIL 2
60 % ≤ SFF < 90 %             SIL 1                                     SIL 2   SIL 3
90 % ≤ SFF < 99 %             SIL 2                                     SIL 3   SIL 3
SFF ≥ 99 %                    SIL 3                                     SIL 3   SIL 3

Table 3: Architectural constraints on a subsystem: Maximum SIL that can be claimed for an SCS

In the case of Basic Subsystem Architecture B with SFF < 60 %, it is not required to use well-tried components.


Example of a Basic Output Subsystem Architecture B: Electric Motor


For the electrical circuit shown in Figure 5, the Safety-related Block Diagram of the output subsystem is shown in Figure 6.

  • Safety data: KP1 and KP2 have B10 = 10·10⁶ with 73 % as the percentage of dangerous failures (RDF according to § 1.12.1). Looking at the manufacturer datasheet, the Mission Time is 20 years and we assume a Proof Test of the same length. For the proof test, it is our decision not to have it shorter than the Mission Time.
  • Usage Frequency: Contactors are supposed to open twice every minute.
  • Avoidance of Systematic Failures: Since we want to claim Architecture B, basic and well-tried safety principles are applied. Since SFF < 60 %, well-tried components must also be used (in this case two contactors). We also verified that enough measures have been applied to prevent common cause failures: a β = 2 % can be assumed.

Let’s now focus on the calculation of probability of random failures:

1. The first step is to calculate λD. We assume the machine is working 240 days per year and eight hours per day.

2. The second step is to estimate T10D and T1.

3. The last step is to calculate PFH.

Since this is a subsystem of Architecture B, there is no diagnostic. That means we assume SFF = DC < 60 %.

Although the PFH is very low, since SFF < 60 % and HFT = 1, the SIL is limited by the Architectural Constraints to SIL 1.

Safe Failure Fraction (SFF)   Hardware fault tolerance (HFT)
                              0       1       2
SFF < 60 %                    SIL 1   SIL 1   SIL 2
60 % ≤ SFF < 90 %             SIL 1   SIL 2   SIL 3
90 % ≤ SFF < 99 %             SIL 2   SIL 3   SIL 3
SFF ≥ 99 %                    SIL 3   SIL 3   SIL 3

Table 4: Maximum SIL that can be claimed for an SCS

The Safety Subsystem reaches SIL 1 and has a PFH = 1.01·10⁻⁸ 1/h.
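As an added worked example (not code from the article), the following Python reproduces both the Architecture A interlock calculation and the Architecture B contactor calculation, using the IEC 62061 relations λD = 0.1·C/B10D, T10D = B10D/C, PFH_A = λD and PFH_B = (1−β)²·λD1·λD2·T1 + β·(λD1+λD2)/2, which the article's formula images do not reproduce here. Assumptions: the demand rate C is the yearly cycle count averaged over the 8760 calendar hours (this is what reproduces the article's figures), and B10D = B10/RDF for the contactors.

```python
HOURS_PER_YEAR = 8760.0   # calendar hours over which the demand rate is averaged

def demand_rate(cycles_per_op_hour, hours_per_day, days_per_year):
    """Cycles per calendar hour. Assumption: the yearly cycle count is spread
    over 8760 h; this is what reproduces the article's PFH figures."""
    return cycles_per_op_hour * hours_per_day * days_per_year / HOURS_PER_YEAR

def lambda_d(b10d, c):
    """Dangerous failure rate (1/h) of a B10D-rated element: 0.1 * C / B10D."""
    return 0.1 * c / b10d

def t10d(b10d, c):
    """Useful-lifetime limit (h) of a B10D-rated element: T10D = B10D / C."""
    return b10d / c

def pfh_arch_a(lam_d):
    """Architecture A (1oo1, no diagnostics): PFH = lambda_D."""
    return lam_d

def pfh_arch_b(lam_d1, lam_d2, t1, beta):
    """Architecture B (1oo2, no diagnostics, IEC 62061):
    PFH = (1-beta)^2 * lD1 * lD2 * T1 + beta * (lD1 + lD2) / 2."""
    return (1 - beta) ** 2 * lam_d1 * lam_d2 * t1 + beta * (lam_d1 + lam_d2) / 2

def max_sil(sff, hft):
    """Architectural constraints of Tables 1-4: maximum SIL for an SFF/HFT pair.
    The HFT = 0, SFF < 60 % cell also requires well-tried components (Table 1)."""
    rows = ((1, 1, 2), (1, 2, 3), (2, 3, 3), (3, 3, 3))
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return rows[band][min(hft, 2)]

def example_arch_a():
    """Interlock of Figure 2: B10D = 20e6, opens twice per hour, 240 d/yr, 8 h/d."""
    c = demand_rate(2, 8, 240)
    lam = lambda_d(20e6, c)
    return pfh_arch_a(lam), max_sil(0.0, 0)             # ~2.19e-9 1/h, SIL 1

def example_arch_b():
    """Contactors KP1/KP2: B10 = 10e6 with RDF 73 %, 2 operations/min,
    20-year Mission Time, Proof Test = Mission Time, beta = 2 %."""
    b10d = 10e6 / 0.73                                  # B10D = B10 / RDF (assumption)
    c = demand_rate(2 * 60, 8, 240)
    lam = lambda_d(b10d, c)
    t1 = min(t10d(b10d, c), 20 * HOURS_PER_YEAR)        # T1 = min(T10D, Mission Time)
    return pfh_arch_b(lam, lam, t1, 0.02), max_sil(0.0, 1)   # ~1.01e-8 1/h, SIL 1
```

For the contactors T10D comes out at about 59 years, so the 20-year Mission Time is what limits T1; the result still sits at SIL 1 because of the SFF < 60 % row, not because of the PFH value.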