Last edit: 27/06/2023
Annex B contain the methodology to be followed for the design of a Safety Related Control System (SCS). The annex contains the following examples:
- B.4.2 Subsystem 1 design – “guard door monitoring”
- B.4.3 Subsystem 2 design – “evaluation logic”
- B.4.4 Subsystem 3 design – “motor control”
In the first example there is an important consideration the standard does for the SFF calculation in case of single channel electromechanical devices.
Hereafter the important language:
[IEC 62061: 2021] – B.4.2.2 Evaluation of SFF
The theoretical failure effects of the position switch are:
- the contact will not (anymore) open: dangerous failure (unintended closed);
- the contact will open “by itself”: safe failure (unintended opened, can be considered as very unlikely for an electromechanical device);
- the contact will not (anymore) close: safe failure which do not have any influence of the safety function (unintended opened);
- the contact will close “by itself”: dangerous failure (unintended closed).
And the considerations continue with the following conclusion:
[IEC 62061: 2021] – B.4.2.2 Evaluation of SFF
Practical considerations:
The opening of the guard door defines the failure modes of the position switch to be considered. That means that practically no safe failures of the position switch related to this safety function exist:
- the failure mode “unintended closed” contact is always dangerous (typical dangerous failure of the position switch);
- the failure mode “unintended opened“ contact is not relevant for the opening of the guard door and only has an influence on the availability of the machine. It is a no effect failure (IEC 615084:2010, 3.6.14) for the defined function. Therefore, it is not a safe failure and λS = 0.
The reasoning means, when evaluating the SFF of electromechanical Input Subsystems, that normally λS≈0 and therefore:
That reasoning is valid for the majority of electromechanical components. Those components would be defined as Type A, according to IEC 61508-2 (§3.4.7.1). The reasoning is not applicable to Type B components.
You can find on the market electromechanical components, like pressure switches, certified for high demand safety applications with a SIL 2 reliability level according to IEC 62061. That was made possible by assuming a certain number of Safe Failures that bring the SFF > 90%. Using the Table 6, shown hereafter, with HFT = 0, the component has a SIL CLAIM (old language) or an architectural constraints = SIL 2.
|
Safe Failure Fraction (SFF) |
Hardware fault tolerance (HFT) |
||
|
0 |
1 |
2 |
|
|
SFF < 60 % |
Not Allowed (NOTE 1) |
SIL 1 |
SIL 2 |
|
60 % ≤ SFF < 90 % |
SIL 1 |
SIL 2 |
SIL 3 |
|
90 % ≤ SFF < 99 % |
SIL 2 |
SIL 3 |
SIL 3 |
|
SFF ≥ 99 % |
SIL 3 |
SIL 3 |
SIL 3 |
|
NOTE 1: For subsystems which have a SFF < 60 %, HFT = 0 and that use well-tried components, SIL 1 can be achieved. |
|||
With the new edition of IEC 62061, that will be more difficult to demonstrate, since the standard recommends, in case of electromechanical components, that there are no safe failures and therefore, once again, SFF = DC.