
BRITISH STANDARD

Safety of machinery —
Functional safety of
safety-related
electrical, electronic
and programmable
electronic control
systems

ICS 13.110; 25.040.99; 29.020

BS EN 62061:2005+A2:2015
Incorporating corrigenda July 2005, April 2008 and February 2010




BS EN 62061:2005+A2:2015

National foreword
This British Standard is the UK implementation of EN 62061:2005+A2:2015,
incorporating corrigendum February 2010. It is identical to IEC 62061:2005,
incorporating amendments 1:2012 and 2:2015, and corrigenda July 2005 and
April 2008. It supersedes BS EN 62061:2005+A1:2013, which is withdrawn.
The start and finish of text introduced or altered by amendment is indicated in
the text by tags. Tags indicating changes to IEC text carry the number of the
IEC amendment. For example, text altered by IEC amendment 1 is indicated
by A1 tags 
The start and finish of text introduced or altered by corrigendum is indicated
in the text by tags. Text altered by IEC corrigendum July 2005 and text altered
by IEC corrigendum April 2008 are each indicated in the text by their own tags.
The UK participation in its preparation was entrusted to Technical Committee
MCE/3, Safeguarding of machinery.
A list of organizations represented on this committee can be obtained on
request to its secretary.
This publication does not purport to include all the necessary provisions of a
contract. Users are responsible for its correct application.
Compliance with a British Standard cannot confer immunity from
legal obligations.

Amendments/corrigenda issued since publication

Amd. No. | Date | Comments
15929 | July 2006 | Implementation of IEC corrigendum July 2005
 | 28 February 2009 | Implementation of IEC corrigendum April 2008
 | 31 May 2010 | Implementation of CENELEC corrigendum February 2010. Replacement of EC Directive 98/37/EC with 2006/42/EC and deletion of the second dashed item in Annex ZZ
 | 30 June 2013 | Implementation of IEC amendment 1:2012 with CENELEC endorsement A1:2013: Annex ZA and ZZ updated
 | 31 October 2015 | Implementation of IEC amendment 2:2015 with CENELEC endorsement A2:2015: Annex ZA updated

Corrigendum No. 1

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 26 April 2005.
© The British Standards Institution 2015. Published by BSI Standards Limited 2015.

ISBN 978 0 580 88106 0


62061:2005+A2
62061:2005+A1
EN 62061

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

August
2015
April

2005
February
2013

ICS 13.110; 25.040.99; 29.020

Incorporates corrigendum February 2010

English version

Safety of machinery –
Functional safety of safety-related electrical,
electronic and programmable electronic control systems
(IEC 62061:2005)
Sécurité des machines –
Sécurité fonctionnelle des systèmes
de commande électriques, électroniques
et électroniques programmables relatifs
à la sécurité
(CEI 62061:2005)

Sicherheit von Maschinen –
Funktionale Sicherheit
sicherheitsbezogener elektrischer,
elektronischer und programmierbarer
elektronischer Steuerungssysteme
(IEC 62061:2005)

This European Standard was approved by CENELEC on 2004-12-01. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden,
Switzerland and United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: rue de Stassart 35, B - 1050 Brussels
© 2005 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 62061:2005 E


Foreword
The text of document 44/460/FDIS, future edition 1 of IEC 62061, prepared by IEC TC 44, Safety of
machinery - Electrotechnical aspects, was submitted to the IEC-CENELEC parallel vote and was
approved by CENELEC as EN 62061 on 2004-12-01.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2005-11-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2007-12-01
This European Standard has been prepared under a mandate given to CENELEC by the European
Commission and the European Free Trade Association and covers essential requirements of
EC Directive 2006/42/EC. See Annex ZZ.
PROOF TEST INTERVAL AND LIFETIME
The following important information should be noted in relation to the requirements of this standard:
Where the probability of dangerous failure per hour (PFHD) is highly dependent upon proof testing (i.e.
tests intended to reveal faults not detected by diagnostic functions), the proof test interval needs
to be shown to be realistic and practicable in the context of the expected use of the safety-related
electrical control system (SRECS) (e.g. proof test intervals of less than 10 years can be unreasonably
short for many machinery applications).
CEN/TC114/WG6 have used a proof test interval (mission time) of 20 years to support the estimation
of mean time to dangerous failure (MTTFD) for the realization of designated architectures in Annex B
of prEN ISO 13849-1. Therefore, it is recommended that SRECS designers endeavour to use a 20
year proof test interval.
It is acknowledged that some subsystems and/or subsystem elements (e.g. electro-mechanical
components with high duty cycles) will require replacement within the SRECS proof test interval.
Proof testing involves detailed and comprehensive checks that can, in practice, only be performed
when the SRECS and/or its subsystems have been designed to facilitate proof testing (e.g. dedicated
test ports) and provided with the necessary information (e.g. proof test instructions).
To ensure the validity of the proof test interval specified by the designer, it is important that any other
necessary designated tests (e.g. functional tests) are also successfully performed on the SRECS.
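The note above says PFHD can be "highly dependent" on the proof test interval and warns that a short interval may be unrealistic. The following added example (not part of BS EN 62061 and not code from BSI, IEC or CENELEC) makes that dependency visible. It assumes the PFHD expression of IEC 62061 basic subsystem architecture B (two elements, single fault tolerance, no diagnostics; clause 6.7.8), which this page does not reproduce, and assumes the SIL bands of IEC 62061 Table 3. The failure rates, the beta factor and the candidate intervals are constructed inputs chosen to show the effect, not data from the standard.

```python
"""Illustration of PFH_D sensitivity to the proof test interval T1.

Added example; not part of BS EN 62061. Formula assumed from IEC 62061
basic subsystem architecture B (clause 6.7.8); SIL bands assumed from
IEC 62061 Table 3. All numeric inputs are constructed.
"""

HOURS_PER_YEAR = 8760


def pfhd_architecture_b(lambda_d1, lambda_d2, beta, t1_hours):
    """Return PFH_D [1/h] for an architecture-B subsystem.

    lambda_d1, lambda_d2 : dangerous failure rates of the two elements [1/h]
    beta                 : common cause failure (CCF) factor, 0 <= beta <= 1
    t1_hours             : proof test interval T1 [h]

    Assumed formula (architecture B):
        lambda_D = (1 - beta)^2 * lambda_d1 * lambda_d2 * T1
                   + beta * (lambda_d1 + lambda_d2) / 2
    Only the first term scales with T1; the CCF term is a floor that no
    proof test interval removes.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    if lambda_d1 < 0 or lambda_d2 < 0 or t1_hours < 0:
        raise ValueError("failure rates and T1 must be non-negative")
    independent = (1.0 - beta) ** 2 * lambda_d1 * lambda_d2 * t1_hours
    common_cause = beta * (lambda_d1 + lambda_d2) / 2.0
    return independent + common_cause


def sil_from_pfhd(pfhd):
    """Map PFH_D to the SIL band of IEC 62061 Table 3 (assumed values).

    Returns 1, 2 or 3, or None when PFH_D is outside the bands the
    standard defines for machinery (>= 1e-5 or < 1e-8).
    """
    bands = ((3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5))
    for sil, low, high in bands:
        if low <= pfhd < high:
            return sil
    return None


def proof_test_sensitivity(lambda_d1, lambda_d2, beta, intervals_years):
    """Evaluate PFH_D and SIL for each candidate proof test interval.

    Returns {years: (pfhd, sil)} so a designer can see how much of a
    claimed SIL rests on an interval that must then be shown realistic.
    """
    result = {}
    for years in intervals_years:
        pfhd = pfhd_architecture_b(lambda_d1, lambda_d2, beta, years * HOURS_PER_YEAR)
        result[years] = (pfhd, sil_from_pfhd(pfhd))
    return result


if __name__ == "__main__":
    # Constructed subsystem: two identical elements, each with a dangerous
    # failure rate of 1e-6 /h (MTTF_D of roughly 114 years), beta = 5 %.
    LAMBDA_D = 1e-6
    BETA = 0.05
    print("T1 [years]  PFH_D [1/h]   SIL")
    for years, (pfhd, sil) in proof_test_sensitivity(
        LAMBDA_D, LAMBDA_D, BETA, [1, 5, 10, 20]
    ).items():
        print(f"{years:>9}   {pfhd:.3e}   {sil}")
```

For this constructed subsystem the claim reads SIL 3 at a 1-year or 5-year proof test interval and SIL 2 at 10 or 20 years. Quoting the short interval upgrades the SIL on paper only; unless the plant will actually perform that proof test, the 20-year figure the foreword recommends is the honest one. The CCF term also shows why a shorter interval cannot push PFH_D below beta times the element failure rate.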
Annexes ZA and ZZ have been added by CENELEC.
__________
Endorsement notice
The text of the International Standard IEC 62061:2005 was approved by CENELEC as a European
Standard without any modification.
__________
The contents of the corrigendum of February 2010 have been included in this copy.


EN 62061:2005/A1:2013

Foreword to amendment A1
The text of document 44/655/CDV, future edition 1 of IEC 62061:2005/A1, prepared by IEC TC 44 "Safety
of machinery - Electrotechnical aspects" was submitted to the IEC-CENELEC parallel vote and approved
by CENELEC as EN 62061:2005/A1:2013.
The following dates are fixed:
– latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2013-09-18
– latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2015-12-18


Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent
rights.

Endorsement notice
The text of the International Standard IEC 62061:2005/A1:2012 was approved by CENELEC as a
European Standard without any modification.

EN 62061:2005/A2:2015

European foreword to amendment A2
The text of document 44/718/CDV, future edition 1 of IEC 62061:2005/A2, prepared by IEC TC 44 "Safety
of machinery - Electrotechnical aspects" was submitted to the IEC-CENELEC parallel vote and approved
by CENELEC as EN 62061:2005/A2:2015.
The following dates are fixed:
– latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2016-05-01
– latest date by which the national standards conflicting with the document have to be withdrawn (dow): 2018-07-31

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent
rights.
For the relationship with EU Directive(s) see informative Annex ZZ, which is an integral part of EN
62061:2005.

Endorsement notice
The text of the International Standard IEC 62061:2005/A2:2015 was approved by CENELEC as a
European Standard without any modification.


Annex ZA
(normative)

Normative references to international publications with their corresponding European publications

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.

NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu.

Publication | Year | Title | EN/HD | Year
IEC 60204-1 | – 1) | Safety of machinery – Electrical equipment of machines – Part 1: General requirements | EN 60204-1 + corr. September 1998 | 1997 2)
IEC 61000-6-2 (mod) | – 1) | Electromagnetic compatibility (EMC) – Part 6-2: Generic standards – Immunity for industrial environments | EN 61000-6-2 | 2001 2)
IEC 61310 | Series | Safety of machinery – Indication, marking and actuation | EN 61310 | Series
IEC 61508-2 | – 1) | Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems | EN 61508-2 | 2001 2)
IEC 61508-3 | – 1) | Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements | EN 61508-3 | 2001 2)
ISO 12100 | 2010 | Safety of machinery – General principles for design – Risk assessment and risk reduction | EN ISO 12100 | 2010
ISO 13849-1 | 2006 | Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design | EN ISO 13849-1 | 2008
ISO 13849-2 | 2003 | Safety of machinery – Safety-related parts of control systems – Part 2: Validation | EN ISO 13849-2 | 2003
ISO 14121 | – 1) | Safety of machinery – Principles of risk assessment | – | –

1) Undated reference.
2) Valid edition at date of issue.

Entries of the 2005 edition of this annex that the amendments replaced: ISO 12100-1:2003 and ISO 12100-2:2003 (EN ISO 12100-1:2003, EN ISO 12100-2:2003), superseded by ISO 12100:2010; ISO 13849-1:1999, superseded by ISO 13849-1:2006.

Annex ZZ
(informative)
Coverage of Essential Requirements of EC Directives
This European Standard has been prepared under a mandate given to CENELEC by the European
Commission and the European Free Trade Association and within its scope the standard covers the
following essential requirements out of those given in Annex I of the EC Directive 2006/42/EC:
– 1.2.1
Compliance with this standard provides one means of conformity with the specified essential
requirements of the Directive concerned.
WARNING: Other requirements and other EC Directives may be applicable to the products falling
within the scope of this standard.
__________


CONTENTS

INTRODUCTION
1 Scope and object
2 Normative references
3 Terms, definitions and abbreviations
 3.1 Alphabetical list of definitions
 3.2 Terms and definitions
 3.3 Abbreviations
4 Management of functional safety
 4.1 Objective
 4.2 Requirements
5 Requirements for the specification of Safety-Related Control Functions (SRCFs)
 5.1 Objective
 5.2 Specification of requirements for SRCFs
6 Design and integration of the safety-related electrical control system (SRECS)
 6.1 Objective
 6.2 General requirements
 6.3 Requirements for behaviour (of the SRECS) on detection of a fault in the SRECS
 6.4 Requirements for systematic safety integrity of the SRECS
 6.5 Selection of safety-related electrical control system
 6.6 Safety-related electrical control system (SRECS) design and development
 6.7 Realisation of subsystems
 6.8 Realisation of diagnostic functions
 6.9 Hardware implementation of the SRECS
 6.10 Software safety requirements specification
 6.11 Software design and development
 6.12 Safety-related electrical control system integration and testing
 6.13 SRECS installation
7 Information for use of the SRECS
 7.1 Objective
 7.2 Documentation for installation, use and maintenance
8 Validation of the safety-related electrical control system
 8.1 General requirements
 8.2 Validation of SRECS systematic safety integrity
9 Modification
 9.1 Objective
 9.2 Modification procedure
 9.3 Configuration management procedures
10 Documentation

Annex A (informative) SIL assignment
Annex B (informative) Example of safety-related electrical control system (SRECS) design using concepts and requirements of Clauses 5 and 6
Annex C (informative) Guide to embedded software design and development
Annex D (informative) Failure modes of electrical/electronic components
Annex E (informative) Electromagnetic (EM) phenomenon and increased immunity levels for SRECS intended for use in an industrial environment according to IEC 61000-6-2
Annex F (informative) Methodology for the estimation of susceptibility to common cause failures (CCF)
Annex ZA (normative) Normative references to international publications with their corresponding European publications
Annex ZZ (informative) Coverage of Essential Requirements of EC Directives

Figure 1 – Relationship of IEC 62061 to other relevant standards
Figure 2 – Workflow of the SRECS design and development process
Figure 3 – Allocation of safety requirements of the function blocks to subsystems (see 6.6.2.1.1)
Figure 4 – Workflow for subsystem design and development (see box 6B of Figure 2)
Figure 5 – Decomposition of function blocks to function block elements and their associated subsystem elements
Figure 6 – Subsystem A logical representation
Figure 7 – Subsystem B logical representation
Figure 8 – Subsystem C logical representation
Figure 9 – Subsystem D logical representation
Figure A.1 – Workflow of SIL assignment process
Figure A.2 – Parameters used in risk estimation
Figure A.3 – Example proforma for SIL assignment process
Figure B.1 – Terminology used in functional decomposition
46
81
Figure B.2 – Example machine ............................................................................................. 79
Figure A.2
A.3 – Example
proforma
SIL
assignment
process ................................................. 77
Parameters
used infor
risk
estimation
...................................................................

72
Figure
9

Subsystem
D
logical
representation
.....................................................................
48
81
Figure B.3 – Specification of requirements for an SRCF ....................................................... 79
Figure B.1
used in
decomposition
A.3 – Terminology
Example proforma
forfunctional
SIL assignment
process..................................................
................................................. 78
77
Figure
A.1 –
– Workflow
of SILtoassignment
71
82
Figure B.4
Decomposition

a structureprocess.................................................................
of function blocks ................................................ 80
B.2 – Terminology
Example machine
Figure B.1
used .............................................................................................
in functional decomposition .................................................. 79
78
Figure
A.2

Parameters
used
in
risk
estimation
...................................................................
72
83
Figure B.5 – Initial concept of an architecture for a SRECS .................................................. 81
Figure B.2
B.3 – Example
Specification
of requirements
for an SRCF ....................................................... 79
machine
.............................................................................................
Figure
A.3


Example
proforma
for
SIL
assignment
process
.................................................
77
Figure B.6 – SRECS architecture with diagnostic functions embedded within each
Figure B.4
a structure of
blocks
................................................ 80
B.3 – Decomposition
Specification
of to
requirements
forfunction
an SRCF
.......................................................
79
84
subsystem
to SS4) .......................................................................................................
Figure
B.1 –(SS1
Terminology
used in functional decomposition .................................................. 82
78
Figure B.5


Initial
concept
of
an
architecture
for
a
SRECS
..................................................
81
B.4
Decomposition
to
a
structure
of
function
blocks
................................................
80
B.7 – Example
SRECS architecture
with diagnostic functions embedded within
Figure B.2
machine .............................................................................................
79
Figure
B.6 –SS3
SRECS

architecture
with diagnostic
embedded within each
85
subsystem
.....................................................................................................................
83
B.5
Initial
concept
of an architecture
for afunctions
SRECS ..................................................
81
Figure
B.3 –(SS1
Specification
of requirements for an SRCF ....................................................... 82
79
subsystem
to SS4) .......................................................................................................
86
a SRECS.......................................................................
84
of PFH D for
Figure B.8
B.6 – Estimation
SRECS architecture
with
diagnostic functions embedded within each

Figure
Decomposition
to a structure
of function
blocksembedded
................................................
80
Figure B.4
B.7 –
–(SS1
SRECS
architecture
with diagnostic
functions
within
subsystem
to SS4)
.......................................................................................................
82
subsystem
.....................................................................................................................
83
Figure
B.5 –SS3
Initial
concept of an architecture for a SRECS .................................................. 81
Figure B.7 – SRECS architecture with diagnostic functions embedded within
a SRECS.......................................................................
84
Figure

B.8
Estimation
of PFH D for
B.6 –SS3
SRECS
architecture
with
diagnostic functions embedded within each
subsystem
.....................................................................................................................
83
subsystem (SS1 to SS4) ....................................................................................................... 82
Figure B.8 – Estimation of PFH D for a SRECS....................................................................... 84
Figure B.7 – SRECS architecture with diagnostic functions embedded within
subsystem SS3 ..................................................................................................................... 83

Page 4

BS

Figure B.8 – Estimation of PFH D for a SRECS....................................................................... 84


Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision) ................... 8
Table 2 – Overview and objectives of IEC 62061 .......................................................................... 10
Table 3 – Safety integrity levels: target failure values for SRCFs .................................................. 25
Table 4 – Characteristics of subsystems 1 and 2 used in this example ......................................... 35
Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed for a SRCF using this subsystem ........................................................................................................ 41
Table 6 – Architectural constraints: SILCL relating to categories ................................................... 41
Table 7 – Probability of dangerous failure ..................................................................................... 44
Table 8 – Information and documentation of a SRECS ................................................................. 68
Table A.1 – Severity (Se) classification ......................................................................................... 73
Table A.2 – Frequency and duration of exposure (Fr) classification ............................................... 73
Table A.3 – Probability (Pr) classification ...................................................................................... 74
Table A.4 – Probability of avoiding or limiting harm (Av) classification ........................................... 75
Table A.5 – Parameters used to determine class of probability of harm (Cl) .................................. 75
Table A.6 – SIL assignment matrix ................................................................................................ 76
Table D.1 – Examples of the failure mode ratios for electrical/electronic components ................... 94
Table E.1 – EM phenomenon and increased immunity levels for SRECS ...................................... 99
Table E.2 – Selected frequencies for RF field tests ..................................................................... 100
Table E.3 – Selected frequencies for conducted RF tests ........................................................... 100
Table F.1 – Criteria for estimation of CCF ................................................................................... 101
Table F.2 – Estimation of CCF factor (β) ..................................................................................... 102

INTRODUCTION
As a result of automation, demand for increased production and reduced operator physical
effort, Safety-Related Electrical Control Systems (referred to as SRECS) of machines play an
increasing role in the achievement of overall machine safety. Furthermore, the SRECS
themselves increasingly employ complex electronic technology.
Previously, in the absence of standards, there has been a reluctance to accept SRECS in
safety-related functions for significant machine hazards because of uncertainty regarding the
performance of such technology.
This International Standard is intended for use by machinery designers, control system
manufacturers and integrators, and others involved in the specification, design and validation
of a SRECS. It sets out an approach and provides requirements to achieve the necessary
performance.

This standard is machine sector specific within the framework of IEC 61508. It is intended to
facilitate the specification of the performance of safety-related electrical control systems in
relation to the significant hazards (see 3.8 of ISO 12100:2010) of machines.
This standard provides a machine sector specific framework for functional safety of a SRECS
of machines. It only covers those aspects of the safety lifecycle that are related to safety
requirements allocation through to safety validation. Requirements are provided for
information for safe use of SRECS of machines that can also be relevant to later phases of
the life of a SRECS.
There are many situations on machines where SRECS are employed as part of safety
measures that have been provided to achieve risk reduction. A typical case is the use of an
interlocking guard that, when it is opened to allow access to the danger zone, signals the
electrical control system to stop hazardous machine operation. Also in automation, the
electrical control system that is used to achieve correct operation of the machine process
often contributes to safety by mitigating risks associated with hazards arising directly from
control system failures. This standard gives a methodology and requirements to
– assign the required safety integrity level for each safety-related control function to be
  implemented by SRECS;
– enable the design of the SRECS appropriate to the assigned safety-related control
  function(s);
– integrate safety-related subsystems designed in accordance with ISO 13849;
– validate the SRECS.

This standard is intended to be used within the framework of systematic risk reduction
described in ISO 12100 and in conjunction with risk assessment according to the principles
described in ISO 12100. A suggested methodology for safety integrity level (SIL) assignment
is given in informative Annex A.
Measures are given to co-ordinate the performance of the SRECS with the intended risk
reduction taking into account the probabilities and consequences of random or systematic
faults within the electrical control system.
Figure 1 shows the relationship of this standard to other relevant standards.
Text deleted

Figure 1 (diagram; the text recovered from it is summarised here):

Design and risk assessment of the machine: ISO 12100, Safety of machinery – General principles for design – Risk assessment and risk reduction.

Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery. Methodology using:
– safety-related control functions;
– system-based approach;
– quantitative index of safety: safety integrity level (SIL);
– SIL assignment methodology for SRECS of machinery;
– architecture oriented;
– requirements for avoidance/control of systematic failures.

Design objective for the SRECS, with relevant standards:
– IEC 60204-1, Safety of machinery – Electrical equipment of machinery – Part 1: General requirements (electrical safety aspects of machinery);
– IEC 61508, Functional safety of electrical, electronic and programmable electronic safety-related systems (design of complex subsystems to SILs);
– ISO 13849-1 and -2, Safety of machinery – Safety-related parts of control systems (SRPCS) – Part 1: General principles for design, Part 2: Validation (design of low complexity subsystems to categories; category assigned by qualitative risk graphing; architecture oriented; index of safety: category/performance level);
– IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.

Labels: non-electrical SRPCS (mechanical, pneumatic, etc.); electrical SRPCS.

Key: electrical safety aspects; functional safety aspects.

Figure 1 – Relationship of IEC 62061 to other relevant standards

Information on the recommended application of IEC 62061 and ISO 13849-1 (under revision)

IEC 62061 and ISO 13849-1 specify requirements for the design and implementation of
safety-related control systems of machinery. The use of either of these standards, in accordance
with their scopes, can be presumed to fulfil the relevant essential safety requirements.
IEC/TR 62061-1 provides guidance on the application of IEC 62061 and ISO 13849-1 in the
design of safety-related control systems for machinery.



Page
Page11
9

Page 9
62061:2005+A2:2015
BS EN 62061:2005+A1:2013

BS
EN
62061:2005
62061:2005+A2:2015
IEC 62061:2005+A1:2012
Page 9

BS EN 62061:2005

SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS

1 Scope

This International Standard specifies requirements and makes recommendations for the
design, integration and validation of safety-related electrical, electronic and programmable
electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to
control systems used, either singly or in combination, to carry out safety-related control
functions on machines that are not portable by hand while working, including a group of
machines working together in a co-ordinated manner.

NOTE 1 In this standard, the term "electrical control systems" is used to stand for "Electrical, Electronic and
Programmable Electronic (E/E/PE) control systems" and "SRECS" is used to stand for "safety-related electrical,
electronic and programmable electronic control systems".

NOTE 2 In this standard, it is presumed that the design of complex programmable electronic subsystems or
subsystem elements conforms to the relevant requirements of IEC 61508 and uses Route 1_H (see IEC 61508-2:2010,
7.4.4.2). It is considered that Route 2_H (see IEC 61508-2:2010, 7.4.4.3) is not suitable for general machinery.
Therefore, this standard does not deal with Route 2_H. This standard provides a methodology for the use, rather than
development, of such subsystems and subsystem elements as part of a SRECS.

This standard is an application standard and is not intended to limit or inhibit technological
advancement. It does not cover all the requirements (e.g. guarding, non-electrical interlocking
or non-electrical control) that are needed or required by other standards or regulations in
order to safeguard persons from hazards. Each type of machine has unique requirements to
be satisfied to provide adequate safety.

This standard:

– is concerned only with functional safety requirements intended to reduce the risk of injury
  or damage to the health of persons in the immediate vicinity of the machine and those
  directly involved in the use of the machine;

– is restricted to risks arising directly from the hazards of the machine itself or from a group
  of machines working together in a co-ordinated manner;

NOTE 3 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards.
For example, where a machine(s) is part of a process activity, the machine electrical control system functional
safety requirements should, in addition, satisfy other requirements (e.g. IEC 61511) insofar as safety of the
process is concerned.

– does not specify requirements for the performance of non-electrical (e.g. hydraulic,
  pneumatic) control elements for machines;

NOTE 4 Although the requirements of this standard are specific to electrical control systems, the framework
and methodology specified can be applicable to safety-related parts of control systems employing other
technologies.

– does not cover electrical hazards arising from the electrical control equipment itself (e.g.
  electric shock – see IEC 60204-1).



The objectives of specific Clauses in IEC 62061 are as given in Table 2.

Table 2 – Overview and objectives of IEC 62061

Clause 4: Management of functional safety
  Objective: To specify the management and technical activities which are necessary for the
  achievement of the required functional safety of the SRECS.

Clause 5: Requirements for the specification of safety-related control functions
  Objective: To set out the procedures to specify the requirements for safety-related control
  functions. These requirements are expressed in terms of functional requirements
  specification, and safety integrity requirements specification.

Clause 6: Design and integration of the safety-related electrical control system
  Objective: To specify the selection criteria and/or the design and implementation methods of
  the SRECS to meet the functional safety requirements. This includes:
  – selection of the system architecture,
  – selection of the safety-related hardware and software,
  – design of hardware and software,
  – verification that the designed hardware and software meets the functional safety
    requirements.

Clause 7: Information for use of the machine
  Objective: To specify requirements for the information for use of the SRECS, which has to be
  supplied with the machine. This includes:
  – provision of the user manual and procedures,
  – provision of the maintenance manual and procedures.

Clause 8: Validation of the safety-related electrical control system
  Objective: To specify the requirements for the validation process to be applied to the SRECS.
  This includes inspection and testing of the SRECS to ensure that it achieves the requirements
  stated in the safety requirements specification.

Clause 9: Modification of the safety-related electrical control system
  Objective: To specify the requirements for the modification procedure that has to be applied
  when modifying the SRECS. This includes:
  – modifications to any SRECS are properly planned and verified prior to making the change;
  – the safety requirements specification of the SRECS is satisfied after any modifications have
    taken place.

2 Normative references

The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.

IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General
requirements

IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards –
Immunity for industrial environments



IEC 61310 (all parts), Safety of machinery – Indication, marking and actuation

IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems

IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements

ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment
and risk reduction

ISO 13849-1:2006, Safety of machinery – Safety-related parts of control systems – Part 1:
General principles for design

ISO 13849-2:2012, Safety of machinery – Safety-related parts of control systems – Part 2:
Validation

3 Terms, definitions and abbreviations

3.1 Alphabetical list of definitions

Term                                                        Definition number
application software                                        3.2.46
architectural constraint                                    3.2.36
architecture                                                3.2.35
common cause failure                                        3.2.43
complex component                                           3.2.8
control function                                            3.2.14
dangerous failure                                           3.2.40
demand                                                      3.2.25
diagnostic coverage                                         3.2.38
electrical control system                                   3.2.3
embedded software                                           3.2.47
failure                                                     3.2.39
fault                                                       3.2.30
fault tolerance                                             3.2.31
full variability language (FVL)                             3.2.48
function block                                              3.2.32
function block element                                      3.2.33
functional safety                                           3.2.9
hardware safety integrity                                   3.2.20
hazard (from machinery)                                     3.2.10
hazardous situation                                         3.2.11
high demand or continuous mode                              3.2.27
limited variability language (LVL)                          3.2.49
low complexity component                                    3.2.7
low demand mode                                             3.2.26
machine control system                                      3.2.2
machinery (machine)                                         3.2.1
mean time to failure (MTTF)                                 3.2.34
probability of dangerous failure per hour (PFH_D)           3.2.28
proof test                                                  3.2.37
protective measure                                          3.2.12
random hardware failure                                     3.2.44
risk                                                        3.2.13
safe failure                                                3.2.41
safe failure fraction                                       3.2.42
safety function                                             3.2.15
safety integrity                                            3.2.19
safety integrity level (SIL)                                3.2.23
safety-related control function (SRCF)                      3.2.16
safety-related electrical control system (SRECS)            3.2.4
safety-related software                                     3.2.50
SIL claim limit                                             3.2.24
software safety integrity                                   3.2.21
SRECS diagnostic function                                   3.2.17
SRECS fault reaction function                               3.2.18
subsystem                                                   3.2.5
subsystem element                                           3.2.6
systematic failure                                          3.2.45
systematic safety integrity                                 3.2.22
target failure value                                        3.2.29
validation                                                  3.2.52
verification                                                3.2.51

3.2 Terms and definitions

For the purposes of this standard, the following terms and definitions apply.
3.2.1
machinery
assembly of linked parts or components, at least one of which moves, with the appropriate
machine actuators, control and power circuits, joined together for a specific application, in
particular for the processing, treatment, moving or packaging of a material.
The terms “machinery” and “machine” also cover an assembly of machines which, in order to
achieve the same end, are arranged and controlled so that they function as an integral whole.
[ISO 12100:2010, 3.1]

3.2.2
machine control system
system which responds to an input from, for example, the process, other machine elements,
an operator, external control equipment, and generates an output(s) causing the machine to
behave in the intended manner
3.2.3
electrical control system
all the electrical, electronic and programmable electronic parts of the machine control system
used to provide, for example, operational control, monitoring, interlocking, communications,
protection and safety-related control functions
NOTE Safety-related control functions can be performed by an electrical control system that is either integral to or
independent of those parts of a machine’s control system that perform non-safety-related functions.

3.2.4
Safety-Related Electrical Control System
SRECS
electrical control system of a machine whose failure can result in an immediate increase of
the risk(s)
NOTE A SRECS includes all parts of an electrical control system whose failure may result in a reduction or loss of
functional safety and this can comprise both electrical power circuits and control circuits.

3.2.5
subsystem
entity of the top-level architectural design of the SRECS where a dangerous failure of any subsystem will result in a dangerous failure of a safety-related control function

[IEC 61508-4:2010, 3.4.4 modified]

NOTE 1 A complete subsystem can be made up from a number of identifiable and separate subsystem elements, which when put together implement the function blocks allocated to the subsystem.

NOTE 2 This definition is a limitation of the general definition of IEC 61508-4: “set of elements which interact according to a design, where an element of a system can be another system, called a subsystem, which may include hardware, software and human interaction.”

NOTE 3 This differs from common language where “subsystem” may mean any sub-divided part of an entity; the term “subsystem” is used in this standard within a strongly defined hierarchy of terminology: “subsystem” is the first level subdivision of a system. The parts resulting from further subdivision of a subsystem are called “subsystem elements”.

3.2.6
subsystem element
part of a subsystem, comprising a single component or any group of components


3.2.7
low complexity component
component in which
– the failure modes are well-defined; and
– the behaviour under fault conditions can be completely defined

[IEC 61508-4:2010, 3.4.3 modified]

NOTE 1 Behaviour of the low complexity component under fault conditions may be determined by analytical
and/or test methods.
NOTE 2 A subsystem or subsystem element comprising one or more limit switches, operating, possibly via
interposing electro-mechanical relays, one or more contactors to de-energise an electric motor is an example of a
low complexity component.

3.2.8
complex component
component in which
– the failure modes are not well-defined; or
– the behaviour under fault conditions cannot be completely defined
3.2.9
functional safety
part of the safety of the machine and the machine control system which depends on the
correct functioning of the SRECS, other technology safety-related systems and external risk
reduction facilities
[IEC 61508-4:2010, 3.1.12 modified]

NOTE 1 This standard only considers the functional safety that depends on the correct functioning of the SRECS
in machinery applications.
NOTE 2 ISO/IEC Guide 51 defines safety as freedom from unacceptable risk.

3.2.10
hazard (from machinery)
potential source of physical injury or damage to health
[ISO 12100:2010, 3.6 modified]

NOTE The term hazard can be qualified in order to define its origin or the nature of the expected harm (e.g.
electric shock hazard, crushing hazard, cutting hazard, toxic hazard, fire hazard).

3.2.11
hazardous situation
circumstance in which a person is exposed to a hazard(s)
[ISO 12100:2010, 3.10 modified]

3.2.12
protective measure
measure intended to achieve risk reduction
[ISO 12100:2010, 3.19 modified]


3.2.13
risk
combination of the probability of occurrence of harm and the severity of that harm
[ISO 12100:2010, 3.12]

3.2.14
control function
function that evaluates input information or signals and produces output information or
activities
3.2.15
safety function
function of a machine whose failure can result in an immediate increase of the risk(s)
[ISO 12100:2010, 3.30]

NOTE This definition differs from the definitions in IEC 61508-4 and ISO 13849-1.

3.2.16
Safety-Related Control Function
SRCF
control function implemented by a SRECS with a specified integrity level that is intended to
maintain the safe condition of the machine or prevent an immediate increase of the risk(s)
3.2.17
SRECS diagnostic function
function intended to detect faults in the SRECS and produce a specified output information or
activity when a fault is detected
NOTE This function is intended to detect faults that could lead to a dangerous failure of a SRCF and initiate a
specified fault reaction function.

3.2.18
SRECS fault reaction function
function that is initiated when a fault within a SRECS is detected by the SRECS diagnostic
function
3.2.19
safety integrity
probability of a SRECS or its subsystem satisfactorily performing the required safety-related
control functions under all stated conditions
[IEC 61508-4:2010, 3.5.4 modified]

NOTE 1 The higher the level of safety integrity of the item, the lower the probability that the item will fail to carry out the required safety-related control function.

NOTE 2 Safety integrity comprises hardware safety integrity (see 3.2.20) and systematic safety integrity (see 3.2.22).

3.2.20
hardware safety integrity
part of the safety integrity of a SRECS or its subsystems comprising requirements for both the
probability of dangerous random hardware failures and architectural constraints
[IEC 61508-4:2010, 3.5.7 modified]

3.2.21
software safety integrity
part of the systematic safety integrity of a SRECS or its subsystems related to the capability
of software in a programmable electronic system performing its safety-related control
functions under all stated conditions during a stated period of time
[IEC 61508-4:2010, 3.5.5 modified]

NOTE Software safety integrity cannot usually be quantified precisely.

3.2.22
systematic safety integrity
part of the safety integrity of a SRECS or its subsystems relating to its resistance to
systematic failures (see 3.2.45) in a dangerous mode.
[IEC 61508-4:2010, 3.5.6 modified]

NOTE 1 Systematic safety integrity cannot usually be quantified precisely.

NOTE 2 Requirements for systematic safety integrity apply to both hardware and software aspects of a SRECS or
its subsystems.

3.2.23
Safety Integrity Level
SIL
discrete level (one out of a possible three) for specifying the safety integrity requirements of
the safety-related control functions to be allocated to the SRECS, where safety integrity level
three has the highest level of safety integrity and safety integrity level one has the lowest
[IEC 61508-4:2010, 3.5.8 modified]

NOTE SIL 4 is not considered in this standard, as it is not relevant to the risk reduction requirements normally
associated with machinery. For requirements applicable to SIL 4, see IEC 61508-1 and IEC 61508-2.


3.2.24
SIL Claim Limit (for a subsystem)
SILCL
maximum SIL that can be claimed for a SRECS subsystem in relation to architectural
constraints and systematic safety integrity
3.2.25
demand
event that causes the SRECS to perform its SRCF
3.2.26
low demand mode

mode of operation in which the frequency of demands on a SRECS is no greater than one per year and no greater than twice the proof-test frequency
NOTE Equipment that is only designed in accordance with requirements for the low demand mode of operation
described in IEC 61508-1 and IEC 61508-2 can be unsuitable for use as part of a SRECS in this standard. Low
demand mode of operation is not considered to be relevant for SRECS applications at machinery.

3.2.27
high demand or continuous mode
mode of operation in which the frequency of demands on a SRECS is greater than one per year or greater than twice the proof-test frequency, or the SRCF retains the machine in a safe state as part of normal operation

[IEC 61508-4:2010, 3.5.16 modified]

NOTE 1 Low demand mode of operation is not considered to be relevant for SRECS applications at machinery. Therefore, in this standard SRECS are only considered to operate in the high demand or continuous mode.

NOTE 2 Demand mode means that a safety-related control function is only performed on request (demand) in order to transfer the machine into a specified state. The SRECS does not influence the machine until there is a demand on the safety-related control function.

NOTE 3 Continuous mode means that a safety-related control function is performed perpetually (continuously), i.e. the SRECS is continuously controlling the machine and a (dangerous) failure of its function can result in a hazard.

3.2.28
Probability of dangerous Failure per Hour
PFH_D
average probability of a dangerous failure within 1 h of a safety related system/subsystem to perform the specified safety function over a given period of time

NOTE 1 PFH_D should not be confused with probability of dangerous failure on demand (PFD).

NOTE 2 Within this standard λ is expressed as the constant failure rate with respect to 1 hour.

3.2.29
target failure value
intended PFH_D to be achieved to meet a specific safety integrity requirement(s)

[IEC 61508-4:2010, 3.5.17 modified]

NOTE Target failure value is specified in terms of the probability of dangerous failure per hour.

3.2.30
fault
abnormal condition that may cause a reduction in, or loss of, the capability of a SRECS, a subsystem, or a subsystem element to perform a required function

[IEC 61508-4:2010, 3.6.1 modified]

3.2.31
fault tolerance
ability of a SRECS, a subsystem, or subsystem element to continue to perform a required function in the presence of faults or failures

[IEC 61508-4:2010, 3.6.3 modified]

3.2.32
function block
smallest element of a SRCF whose failure can result in a failure of the SRCF

NOTE 1 In this standard, a SRCF (F) may be seen as a logical AND of the function blocks (FB), i.e. F = FB_1 AND FB_2 AND … FB_n.

NOTE 2 This definition of a function block differs from those used in IEC 61131-3 and other standards.

3.2.33
function block element
part of a function block

3.2.34
Mean Time To Failure
MTTF
expectation of the mean time to failure

[IEV 191-12-07, modified]

NOTE MTTF is normally expressed as an average value of expectation of the time to failure.

3.2.35
architecture
specific configuration of hardware and software elements in a SRECS

[IEC 61508-4:2010, 3.3.4 modified]

3.2.36
architectural constraint
set of architectural requirements that limit the SIL that can be claimed for a subsystem

NOTE Requirements for architectural constraints are given in 6.7.6.

3.2.37
proof test
periodic test performed to detect dangerous hidden failures and degradation in a SRECS and its subsystems so that, if necessary, the SRECS and its subsystems can be restored to an “as new” condition or as close as practical to this condition

[IEC 61508-4:2010, 3.8.5 modified]

NOTE A proof test is intended to confirm that the SRECS is in a condition that assures the specified safety integrity.

3.2.38
diagnostic coverage
fraction of the dangerous failures detected by automatic on-line diagnostic tests

[IEC 61508-4:2010, 3.8.6]

NOTE 1 Diagnostic coverage (DC) can be calculated using the following equation:

$\mathrm{DC} = \sum \lambda_{\mathrm{DD}} / \lambda_{\mathrm{Dtotal}}$

where $\lambda_{\mathrm{DD}}$ is the rate of detected dangerous hardware failures and $\lambda_{\mathrm{Dtotal}}$ is the rate of total dangerous hardware failures.

NOTE 2 The fraction of detected dangerous failures is computed to be the rate of dangerous failures that are detected by automatic on-line diagnostic tests divided by the rate of total dangerous failures.

3.2.39
failure
termination of the ability of a SRECS, a subsystem, or a subsystem element to perform a required function

[IEC 61508-4:2010, 3.6.4 modified and ISO 12100:2010, 3.34]

NOTE Failures are either random (in hardware) or systematic (in hardware or software).

3.2.40
dangerous failure
failure of a SRECS, a subsystem, or a subsystem element that has the potential to cause a hazard or non-functional state

[IEC 61508-4, 3.6.7 modified]

NOTE 1 Whether or not the potential is realised can depend on the channel architecture of the system; for example, in systems with multiple channels to improve safety, a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.

NOTE 2 In a subsystem with multiple channels, the probability of dangerous failure of the subsystem can be smaller than the dangerous failure rate of a channel that constitutes the subsystem. The probability of dangerous failure of a SRECS cannot be smaller than that of any subsystem constituting the SRECS. (This comes from the particular definition of “subsystem” in this standard.)

NOTE 3 A dangerous failure normally results in a failure or potential failure to perform the SRCF.

3.2.41
safe failure
failure of a SRECS, a subsystem of a SRECS, or a subsystem element of a SRECS that does
not have the potential to cause a hazard

[IEC 61508-4, 3.6.8 modified]

[Note deleted]

3.2.42
Safe Failure Fraction
SFF
fraction of the overall failure rate of a subsystem that does not result in a dangerous failure
NOTE Safe Failure Fraction (SFF) can be calculated using the following equation:

$\mathrm{SFF} = (\sum \lambda_{\mathrm{S}} + \sum \lambda_{\mathrm{DD}}) / (\sum \lambda_{\mathrm{S}} + \sum \lambda_{\mathrm{D}})$

where

$\lambda_{\mathrm{S}}$ is the rate of safe failure,

$\sum \lambda_{\mathrm{S}} + \sum \lambda_{\mathrm{D}}$ is the overall failure rate,

$\lambda_{\mathrm{DD}}$ is the rate of dangerous failure which is detected by the diagnostic functions, and

$\lambda_{\mathrm{D}}$ is the rate of dangerous failure.

The diagnostic coverage (if any) of each subsystem in SRECS is taken into account in the calculation of the
probability of random hardware failures. The safe failure fraction is taken into account when determining the
architectural constraints on hardware safety integrity (see 6.7.7).
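The DC equation of 3.2.38 and the SFF equation of 3.2.42 applied to a two-element subsystem, as an added worked example that is not part of the standard; the element names and the constant failure rates per hour are constructed sample values, and the split of the dangerous rate into detected and undetected parts is an assumption of the example.

```python
"""Worked DC and SFF calculation for a subsystem built from subsystem elements.

Added example, not text from IEC 62061. Rates are constant failure rates per hour
(see 3.2.28 NOTE 2); the sample values below are constructed, not from any data sheet.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class ElementRates:
    """Failure rates of one subsystem element (3.2.6), all per hour."""
    name: str
    lambda_s: float   # rate of safe failures (3.2.41)
    lambda_dd: float  # rate of dangerous failures detected by automatic on-line diagnostics
    lambda_du: float  # rate of dangerous failures that stay undetected

    @property
    def lambda_d(self) -> float:
        """Total dangerous failure rate of this element (detected + undetected)."""
        return self.lambda_dd + self.lambda_du


def _sums(elements: Iterable[ElementRates]) -> Tuple[float, float, float]:
    """Return (Σλ_S, Σλ_DD, Σλ_D) over all elements of the subsystem."""
    elements = list(elements)
    return (
        sum(e.lambda_s for e in elements),
        sum(e.lambda_dd for e in elements),
        sum(e.lambda_d for e in elements),
    )


def diagnostic_coverage(elements: Iterable[ElementRates]) -> float:
    """DC = Σλ_DD / λ_Dtotal (3.2.38, NOTE 1)."""
    _, lambda_dd, lambda_dtotal = _sums(elements)
    if lambda_dtotal <= 0.0:
        # No dangerous failure rate at all: the ratio is undefined, not 100 %.
        raise ValueError("DC is undefined when the subsystem has no dangerous failure rate")
    return lambda_dd / lambda_dtotal


def safe_failure_fraction(elements: Iterable[ElementRates]) -> float:
    """SFF = (Σλ_S + Σλ_DD) / (Σλ_S + Σλ_D) (3.2.42, NOTE)."""
    lambda_s, lambda_dd, lambda_d = _sums(elements)
    overall = lambda_s + lambda_d          # overall failure rate of the subsystem
    if overall <= 0.0:
        raise ValueError("SFF is undefined when the overall failure rate is zero")
    return (lambda_s + lambda_dd) / overall


def sff_from_dc(elements: Iterable[ElementRates]) -> float:
    """Same quantity written with DC: substituting Σλ_DD = DC · Σλ_D into the SFF
    equation gives SFF = (Σλ_S + DC · Σλ_D) / (Σλ_S + Σλ_D)."""
    lambda_s, _, lambda_d = _sums(elements)
    return (lambda_s + diagnostic_coverage(elements) * lambda_d) / (lambda_s + lambda_d)


def without_diagnostics(elements: Iterable[ElementRates]) -> list:
    """Model the loss of all on-line diagnostics: every detected dangerous failure
    becomes undetected, so Σλ_D is unchanged but Σλ_DD drops to zero."""
    return [ElementRates(e.name, e.lambda_s, 0.0, e.lambda_dd + e.lambda_du) for e in elements]


# Constructed sample subsystem: two contactors, only K1 monitored by diagnostics.
SAMPLE_SUBSYSTEM = [
    ElementRates("contactor K1 (monitored)", lambda_s=2.0e-7, lambda_dd=1.5e-7, lambda_du=5.0e-8),
    ElementRates("contactor K2 (unmonitored)", lambda_s=1.0e-7, lambda_dd=0.0, lambda_du=1.0e-7),
]

if __name__ == "__main__":
    print(f"DC  = {diagnostic_coverage(SAMPLE_SUBSYSTEM):.1%}")   # 50.0 %
    print(f"SFF = {safe_failure_fraction(SAMPLE_SUBSYSTEM):.1%}")  # 75.0 %
    print(f"SFF without diagnostics = {safe_failure_fraction(without_diagnostics(SAMPLE_SUBSYSTEM)):.1%}")
```

With the sample rates Σλ_S = 3.0e-7, Σλ_DD = 1.5e-7 and Σλ_D = 3.0e-7, so DC = 0.5 and SFF = 0.75; removing the diagnostics leaves Σλ_D unchanged but lowers SFF to 0.5, which is the lever the architectural constraints of 6.7.7 act on.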

3.2.43
Common Cause Failure
CCF
failure, which is the result of one or more events, causing concurrent failures of two or more separate channels in a multiple channel (redundant architecture) subsystem, leading to failure of a SRCF

[IEC 61508-4:2010, 3.6.10 modified]

NOTE This definition differs from that given in ISO 12100 and IEV 191-04-23.

3.2.44
random hardware failure
failure occurring at a random time, which results from one or more of the possible degradation
mechanisms in the hardware
[IEC 61508-4:2010, 3.6.5]

3.2.45
systematic failure

failure related in a deterministic way to a certain cause, which can only be eliminated by a
modification of the design or of the manufacturing process, operational procedures,
documentation or other relevant factors
[IEC 61508-4:2010, 3.6.6]

NOTE 1 Corrective maintenance without modification will usually not eliminate the failure cause.

NOTE 2 A systematic failure can be induced by simulating the failure cause.

NOTE 3 Examples of causes of systematic failures include human error in
– the safety requirements specification;
– the design, manufacture, installation and/or operation of the hardware;
– the design and/or implementation of the software.


22
Page 20
PageEN
2062061:2005+A1:2013
62061:2005+A2:2015
BS


BS EN
62061:2005
62061:2005+A2:2015
IEC
62061:2005+A1:2012

3.2.46
application software
software specific to the application, that is implemented by the designer of the SRECS,
generally containing logic sequences, limits and expressions that control the appropriate
input, output, calculations, and decisions necessary to meet the SRECS functional
requirements
3.2.47
embedded software
software, supplied by the manufacturer, that is part of the SRECS and that is not normally
accessible for modification
NOTE Firmware and system software are examples of embedded software.

3.2.48
Full Variability Language
FVL
type of language that provides the capability to implement a wide variety of functions and
applications
[IEC 61511-1:2003, 3.2.81.1.3, modified]


NOTE 1 Typical example of systems using FVL are general-purpose computers.

NOTE 2 FVL is normally found in embedded software and is rarely used in application software.

NOTE 3 FVL examples include: Ada, C, Pascal, Instruction List, assembler languages, C++, Java, SQL.

3.2.49
Limited Variability Language
LVL
type of language that provides the capability to combine predefined, application specific,
library functions to implement the safety requirements specifications
[IEC 61511-1:2003, 3.2.81.1.2, modified]

NOTE 1 A LVL provides a close functional correspondence with the functions required to achieve the application.

NOTE 2 Typical examples of LVL are given in IEC 61131-3. They include ladder diagram, function block diagram and sequential function chart. Instruction lists and structured text are not considered to be LVL.

NOTE 3 Typical example of systems using LVL: Programmable Logic Controller (PLC) configured for machine control.

3.2.50
safety-related software
software that is used to implement safety-related control functions in a safety-related system
3.2.51
verification
confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or
subsystem elements meet the requirements set by the relevant specification
[IEC 61508-4:2010, 3.8.1 and IEC 61511-1:2003, 3.2.92, modified]

NOTE The verification results should provide documented objective evidence.


EXAMPLE: Verification activities include:
– reviews on outputs (documents from all phases) to ensure compliance with the objectives and requirements of the phase, taking into account the specific inputs to that phase;
– design reviews;
– tests performed on the designed products to ensure that they perform according to their specification;
– integration tests performed where different parts of a system are put together in a step-by-step manner and by the performance of environmental tests to ensure that all the parts work together in the specified manner.

3.2.52
validation
confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety
requirements of the specific application
[IEC 61508-4:2010, 3.8.2, modified]

3.3 Abbreviations

The following abbreviations are used in this standard.

CCF     Common Cause Failure(s)
DC      Diagnostic Coverage
EMC     Electromagnetic Compatibility
FB      Function Block
FVL     Full Variability Language
I/O     Input/Output
LVL     Limited Variability Language
PFH_D   Probability of dangerous Failure per Hour
MTTF    Mean Time To Failure
MTTR    Mean Time To Restoration
P_TE    Probability of dangerous Transmission Error
SFF     Safe Failure Fraction
SIL     Safety Integrity Level
SILCL   Safety Integrity Level (SIL) Claim Limit (for subsystems)
S-R     Safety Related
SRECS   Safety-Related Electrical Control System
SRCF    Safety-Related Control Function
SRS     Safety Requirements Specification
SYS     System
