Pilz - Poster Functional Safety

This document provides information on two functional safety standards - EN ISO 13849-1 and EN IEC 62061. It summarizes which standard applies based on technology, and explains that compliance with just one standard is generally sufficient. The document also includes definitions of key terms related to functional safety and risk assessment.


Functional safety with EN IEC 62061 and EN ISO 13849-1

When does which standard apply?

Technology                                     | EN IEC 62061 1)  | EN ISO 13849-1 1)
Electrical/electronic/programmable electronic  | applies          | applies
Hydraulic/pneumatic/mechanical                 | Not applicable   | applies

1) Compliance with just one standard is generally sufficient to assume compliance.


EN IEC 62061

Determining the required SIL: risk assessment and definition of the required safety integrity level (SIL)

Consequences and severity (Se):
  Death, losing an eye or arm     Se = 4
  Permanent, losing fingers       Se = 3
  Reversible, medical attention   Se = 2
  Reversible, first aid           Se = 1

Frequency and duration of exposure (Fr):
  ≤ 1 hour                    5
  > 1 h to ≤ 1 day            5
  > 1 day to ≤ 2 weeks        4
  > 2 weeks to ≤ 1 year       3
  > 1 year                    2

Probability of hazardous event (Pr):
  Very high    5
  Likely       4
  Possible     3
  Rarely       2
  Negligible   1

Probability of avoidance (Av):
  Impossible   5
  Possible     3
  Likely       1

Class Cl = Fr + Pr + Av

SIL assignment (OM = other measures required; "-" = no entry):

Se | Cl 3-4 | Cl 5-7 | Cl 8-10 | Cl 11-13 | Cl 14-15
4  | SIL 2  | SIL 2  | SIL 2   | SIL 3    | SIL 3
3  | -      | OM     | SIL 1   | SIL 2    | SIL 3
2  | -      | -      | OM      | SIL 1    | SIL 2
1  | -      | -      | -       | OM       | SIL 1

Realisation of the safety function: determination of the achieved SIL

Architectural constraints on subsystems

Safe failure fraction (SFF), from the rates of safe detected (SD), safe undetected (SU), dangerous detected (DD) and dangerous undetected (DU) failures:

$$\mathrm{SFF} = \frac{SD + SU + DD}{SD + SU + DD + DU}$$

Maximum SIL that can be claimed for a subsystem (HFT = hardware fault tolerance):

SFF                | HFT 0          | HFT 1 | HFT 2
< 60 %             | not permitted  | SIL 1 | SIL 2
60 % ≤ SFF < 90 %  | SIL 1          | SIL 2 | SIL 3
90 % ≤ SFF < 99 %  | SIL 2          | SIL 3 | SIL 3
≥ 99 %             | SIL 2          | SIL 3 | SIL 3

Determination of common cause failures: estimation of the CCF factor

The same list of requirements is scored for both standards; each requirement is evaluated as compliance (full points) or noncompliance (no points), and the points are added to give the overall score.

Requirement                                                | SIL points (EN IEC 62061) | PL points (EN ISO 13849-1)
Physical separation of safety circuits and other circuits  | 25                        | 15 %
Diversity (use of diverse technologies)                    | 38                        | 20 %
Design/application/experience                              | 2                         | 20 %
Assessment/analysis                                        | 18                        | 5 %
Competence/training                                        | 4                         | 5 %
Environmental influences (EMC, temperature, ...)           | 18                        | 35 %

EN IEC 62061: overall score and resulting common cause failure factor (beta)

Overall score | Beta
< 35          | 10 % (0.1)
35 to 65      | 5 % (0.05)
66 to 85      | 2 % (0.02)
86 to 100     | 1 % (0.01)

EN ISO 13849-1: a CCF score of ≥ 65 % counts as compliance, < 65 % as noncompliance.

Verification: achieved SIL ≥ required SIL


EN ISO 13849-1

Determination of the required performance level (PLr)

Risk parameters:
S  Severity of injury
   S1 = Slight (normally reversible injury)
   S2 = Serious (normally irreversible injury including death)
F  Frequency and/or exposure to a hazard
   F1 = Seldom to less often and/or the exposure time is short
   F2 = Frequent to continuous and/or the exposure time is long
P  Possibilities of avoiding the hazard or limiting the harm
   P1 = Possible under specific conditions
   P2 = Scarcely possible

Risk graph (starting point for evaluation of the safety function's contribution to risk reduction):

S1 F1 P1 | PL a   (low contribution to risk reduction)
S1 F1 P2 | PL b
S1 F2 P1 | PL b
S1 F2 P2 | PL c
S2 F1 P1 | PL c
S2 F1 P2 | PL d
S2 F2 P1 | PL d
S2 F2 P2 | PL e   (high contribution to risk reduction)

Realisation of the safety function: determination of the achieved PL

Determination of the MTTFd per channel (parts count over the N components of the channel, or over groups of n_j identical components):

$$\frac{1}{\mathrm{MTTF_d}} = \sum_{i=1}^{N} \frac{1}{\mathrm{MTTF_{d,i}}} = \sum_{j} \frac{n_j}{\mathrm{MTTF_{d,j}}}$$

Evaluation of the MTTFd of each channel:
  Low      3 years ≤ MTTFd < 10 years
  Medium   10 years ≤ MTTFd < 30 years
  High     30 years ≤ MTTFd < 100 years

The following applies to diverse systems (two channels C1 and C2 with different MTTFd):

$$\mathrm{MTTF_d} = \frac{2}{3}\left[\mathrm{MTTF_{d,C1}} + \mathrm{MTTF_{d,C2}} - \frac{1}{\dfrac{1}{\mathrm{MTTF_{d,C1}}} + \dfrac{1}{\mathrm{MTTF_{d,C2}}}}\right]$$

Determination of the degree of diagnostic coverage (DC)

Diagnostic coverage of a component (DD = rate of dangerous detected failures, Dtotal = rate of all dangerous failures):

$$\mathrm{DC} = \frac{DD}{D_{total}}$$

Average DC over the N components of the channel:

$$\mathrm{DC_{avg}} = \frac{\dfrac{\mathrm{DC_1}}{\mathrm{MTTF_{d1}}} + \dfrac{\mathrm{DC_2}}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{\mathrm{DC_N}}{\mathrm{MTTF_{dN}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dN}}}}$$

Range of DC:
  None     DC < 60 %
  Low      60 % ≤ DC < 90 %
  Medium   90 % ≤ DC < 99 %
  High     99 % ≤ DC

Assessment of CCF influence: the CCF requirement table above (PL points column); an overall score of ≥ 65 % is required.

Relationship between the categories, DC, MTTFd and PL

Bar chart (image in the original poster): the horizontal axis carries the subsystem architectures Cat. B (DCavg = none), Cat. 1 (DCavg = none), Cat. 2 (DCavg = low), Cat. 2 (DCavg = med.), Cat. 3 (DCavg = low), Cat. 3 (DCavg = med.) and Cat. 4 (DCavg = high); the vertical axis is PFH in 1/h from 10^-4 down to 10^-8 with the performance levels a to e; each bar is split by the MTTFd of each channel (low, medium, high).

Specification of categories: subsystem architectures

Circuit diagrams (image in the original poster) of Subsystem A (Category B,1), Subsystem B (Category 2), Subsystem D (Category 3) and Subsystem C (Category 4), built from Pilz safety switches and sensors (PSENme 1S/1AS, 570002, IEC/EN 60947-5-1, Ui 250V, IP67; PSEN 1.1p-20, Ident. No. 524120; PSEN 1.1-20, Ident. No. 514120) and evaluation devices (PNOZ X3, PNOZ s2, 750103, and PNOZ m1p; supply 24V AC/DC or 110 to 230V AC; contact rating AC15 230V/2.5A, B300 R300). Terminal designations of the diagrams are not reproduced here.

Verification: achieved PL ≥ PLr


Probability per hour of a dangerous failure occurring: comparison SIL/PL

Performance level (PL) acc. to EN ISO 13849-1 | Probability of a dangerous failure per hour PFH [1/h] | Safety integrity level (SIL) acc. to EN IEC 62061
a | 10^-5 ≤ PFH < 10^-4      | no special safety requirements
b | 3 × 10^-6 ≤ PFH < 10^-5  | 1 (1 failure in 100,000 h)
c | 10^-6 ≤ PFH < 3 × 10^-6  | 1 (1 failure in 100,000 h)
d | 10^-7 ≤ PFH < 10^-6      | 2 (1 failure in 1,000,000 h)
e | 10^-8 ≤ PFH < 10^-7      | 3 (1 failure in 10,000,000 h)


Lexicon

Architecture: Specific configuration of hardware and software elements in a system.
B10d: Lifetime of products before 10 % of the product range fails dangerously.
Beta factor or common cause factor: CCF measurement; proportion of failures which have a common cause.
Category (CAT): Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or their reliability.
CCF: Failure due to a common cause.
Demand rate rd: Frequency of demands per time unit for a safety-related action of an SRP/CS.
Diagnostic coverage (DC): Measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures.
DCavg: Average diagnostic coverage.
Diagnostic test interval: Time period between online tests carried out in order to detect faults in a safety-related system with the specified degree of diagnostic coverage.
Diversity: Use of diverse means to execute a required function.
Electrical/electronic/programmable electronic (E/E/PE): Based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology.

Failure: Termination of the ability of an item to perform a required function.
Fault: State of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.
Functional safety: Part of the overall safety (relating to the EUC and the EUC management or control system) which depends on the correct functioning of the safety-related E/E/PE system, other-technology safety-related systems and external risk reduction facilities.
Intended use of a machine: Use of a machine in accordance with the information provided in the user information.

Average probability of failure


avg
Average probability of failure
per hour
DD: Dangerous detected failure.
DU: Dangerous undetected failure.
SD: Safe detected failure.
SU: Safe undetected failure.
Mission time (TM): Period of time covering the intended use of an SRP/CS.
MTTFd: Mean time to dangerous failure; time for which a single channel can be expected to remain free of dangerous failures. Mean value of the operating time during which a single channel of a system is expected not to have a dangerous failure.
MTTR: Average length of time taken for the safety system to be restored, measured from the time of failure occurrence to the completion of repairs.
PAScal: Calculation software for verifying functional safety.
Performance level (PL): Discrete level which specifies the capability of safety-related parts of a control system to perform a safety function under foreseeable conditions.
Required performance level (PLr): Performance level (PL) required in order to achieve the required risk reduction for each safety function.
PFD: Probability of failure on demand.
PFDavg: Average probability of failure on demand.
PFH: Probability of dangerous failure per hour.
Probability of a dangerous failure per hour (PFHD): Average probability of dangerous failure per hour.
Redundancy: The duplication of means required by a functional entity to perform a required function or in order for data to represent information.
Repeat test: Recurring test designed to detect failures in a safety-related system, with the aim of allowing the system to be restored, if necessary, to an as-new status or to a status which is as close as possible to this status under the given practical constraints.
Residual risk: Risk remaining after protective measures have been taken.
Risk: Combination of the probability of occurrence of harm and the severity of that harm.
Risk analysis: Combination of the specification of the limits of the machine, hazard identification and risk estimation.
Risk assessment: The overall process comprising risk analysis and risk evaluation.
Risk evaluation: Judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved.
Safety function: Function of the machine whose failure can result in an immediate increase of the risk(s).
Safety integrity: Probability of an SRECS or its subsystem satisfactorily performing the required safety-related control functions under all stated conditions.
Safety integrity level (SIL): Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.
SFF: Safe failure fraction, i.e. the fraction of the overall failure rate that does not result in a dangerous failure.
SIL claim limit (SILCL): Maximum SIL that can be claimed for an SRECS subsystem in relation to architectural constraints and systematic safety integrity.
SRCF, safety-related control function: Control function implemented by an SRECS with a specified integrity level that is intended to maintain the safe condition of the machine or to prevent an immediate increase in risk.
SRECS: Electric control system on a machine, the failure of which can result in an immediate increase of the risk(s).
SRP/CS, safety-related part of a control system: Part of a control system which reacts to safety-related input signals and generates safety-related output signals.
Subsystem: Entity of the top-level architectural design of the SRECS, where a failure of any subsystem will result in a failure of a safety-related control function.
Test rate rt: Frequency of automatic tests performed to detect faults in an SRP/CS; reciprocal value of the diagnostic test interval.
Ti: Time interval between periodic tests on a safety system.
Validation: Confirmation by examination (e.g. tests, analysis) that the SRECS meets the functional safety requirements of the specific application.
Verification: Confirmation by examination (e.g. tests, analysis) that the SRECS, its subsystems or subsystem elements meet the requirements set by the relevant specification.
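The EN IEC 62061 part of the poster, worked through as code. This is an added example written for this page, not Pilz material: the Se/Fr/Pr/Av point values, Cl = Fr + Pr + Av, the SIL assignment matrix, the SFF formula with the SFF/HFT table and the CCF score to beta mapping are the values printed above; the hazard parameters, failure rates and fulfilled CCF requirements in `demo()` are constructed, and the function names are this example's own.

```python
"""EN IEC 62061 side of the poster, as a worked example.

Added example, not Pilz material. Point values, the SIL assignment matrix,
the SFF/HFT table and the CCF score -> beta table are as printed on the
poster; all inputs in demo() are constructed.
"""
from typing import Iterable, Optional

# Frequency and duration of exposure (Fr)
FR_POINTS = {"<= 1 hour": 5, "> 1 h to <= 1 day": 5, "> 1 day to <= 2 weeks": 4,
             "> 2 weeks to <= 1 year": 3, "> 1 year": 2}
# Probability of hazardous event (Pr) and probability of avoidance (Av)
PR_POINTS = {"very high": 5, "likely": 4, "possible": 3, "rarely": 2, "negligible": 1}
AV_POINTS = {"impossible": 5, "possible": 3, "likely": 1}

CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
# Rows: Se 4..1; columns follow CL_BANDS. None = no entry, "OM" = other measures required.
SIL_MATRIX = {
    4: ["SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"],
    3: [None, "OM", "SIL 1", "SIL 2", "SIL 3"],
    2: [None, None, "OM", "SIL 1", "SIL 2"],
    1: [None, None, None, "OM", "SIL 1"],
}


def class_cl(fr: str, pr: str, av: str) -> int:
    """Cl = Fr + Pr + Av."""
    return FR_POINTS[fr] + PR_POINTS[pr] + AV_POINTS[av]


def required_sil(se: int, fr: str, pr: str, av: str) -> Optional[str]:
    """Look up the required SIL ('OM' or None where the matrix has no SIL)."""
    cl = class_cl(fr, pr, av)
    for column, (low, high) in enumerate(CL_BANDS):
        if low <= cl <= high:
            return SIL_MATRIX[se][column]
    raise ValueError("class %d is outside 3..15" % cl)


def sff(sd: float, su: float, dd: float, du: float) -> float:
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU); all rates in 1/h."""
    return (sd + su + dd) / (sd + su + dd + du)


# Architectural constraints: (lower SFF bound, [HFT 0, HFT 1, HFT 2]),
# searched top-down; cell values as printed on the poster.
SILCL_TABLE = [
    (0.99, ["SIL 2", "SIL 3", "SIL 3"]),
    (0.90, ["SIL 2", "SIL 3", "SIL 3"]),
    (0.60, ["SIL 1", "SIL 2", "SIL 3"]),
    (0.00, ["not permitted", "SIL 1", "SIL 2"]),
]


def sil_claim_limit(sff_value: float, hft: int) -> str:
    """Maximum SIL claimable for a subsystem with the given SFF and HFT."""
    for lower, row in SILCL_TABLE:
        if sff_value >= lower:
            return row[hft]
    raise ValueError("SFF must lie in [0, 1]")


# CCF requirements with their SIL points (EN IEC 62061 column of the poster).
CCF_SIL_POINTS = {"physical separation": 25, "diversity": 38,
                  "design/application/experience": 2, "assessment/analysis": 18,
                  "competence/training": 4, "environmental influences": 18}


def ccf_score(fulfilled: Iterable[str]) -> int:
    """Compliance gives the full points for a requirement, noncompliance none."""
    return sum(CCF_SIL_POINTS[name] for name in set(fulfilled))


def beta_factor(score: int) -> float:
    """Overall CCF score -> common cause failure factor beta (poster table)."""
    if score < 35:
        return 0.10
    if score <= 65:
        return 0.05
    if score <= 85:
        return 0.02
    return 0.01


def demo() -> dict:
    # Constructed hazard: Se 3, daily exposure, event likely, avoidance impossible.
    fr, pr, av = "> 1 h to <= 1 day", "likely", "impossible"
    # Constructed subsystem failure rates [1/h] with hardware fault tolerance 1.
    subsystem_sff = sff(sd=5e-7, su=3e-7, dd=1.5e-7, du=0.5e-7)   # 0.95
    beta = beta_factor(ccf_score(["physical separation", "diversity", "assessment/analysis"]))
    return {"cl": class_cl(fr, pr, av), "required_sil": required_sil(3, fr, pr, av),
            "sff": subsystem_sff, "silcl": sil_claim_limit(subsystem_sff, hft=1), "beta": beta}


if __name__ == "__main__":
    print(demo())
```

`required_sil` returns `None` for the empty cells of the matrix and the string `"OM"` where the poster asks for other measures, so a caller has to handle both before treating the result as a SIL.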

Safety Calculator PAScal: calculation software for verifying functional safety

The safety calculator PAScal calculates the PFHD value of safety functions in machines and installations. The result is verified against the prescribed performance level in accordance with EN ISO 13849 or the safety integrity level in accordance with EN IEC 62061. The graphical representation shows how individual components influence overall safety.
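The EN ISO 13849-1 quantities from the poster, worked through as code: the parts-count MTTFd of a channel, the symmetrisation formula for two diverse channels, DCavg, the MTTFd and DC bands, the PFH to PL/SIL comparison table and the final check achieved PL ≥ PLr. This is an added example written for this page; it is not Pilz code and not PAScal's own algorithm. The component MTTFd, DC and PFH values in `demo()` are constructed inputs, not data for any product, and the function names are this example's own.

```python
"""EN ISO 13849-1 quantities from the poster, as a worked example.

Added example, not Pilz code and not PAScal's algorithm. Formulas and bands
are the ones printed on the poster; all numeric inputs in demo() are
constructed for illustration.
"""
from typing import Iterable, Optional, Sequence, Tuple


def mttfd_channel(components: Iterable[Tuple[float, int]]) -> float:
    """Parts count for one channel: 1/MTTFd = sum_j n_j / MTTFd,j.

    components: (MTTFd of one component in years, number n_j of such
    components in the channel).
    """
    dangerous_rate = sum(n / mttfd for mttfd, n in components)
    return 1.0 / dangerous_rate


def mttfd_symmetrised(c1: float, c2: float) -> float:
    """Two diverse channels: MTTFd = 2/3 [C1 + C2 - 1 / (1/C1 + 1/C2)]."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(mttfd_years: float) -> str:
    """MTTFd of each channel: the low / medium / high bands of the poster."""
    if mttfd_years < 3:
        return "below the poster's range (< 3 years)"
    if mttfd_years < 10:
        return "low"
    if mttfd_years < 30:
        return "medium"
    return "high"  # the poster's axis ends at 100 years


def dc_component(dd_rate: float, d_total_rate: float) -> float:
    """DC = DD / Dtotal for one component."""
    return dd_rate / d_total_rate


def dc_avg(parts: Sequence[Tuple[float, float]]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i); parts = (DC_i, MTTFd_i)."""
    numerator = sum(dc / mttfd for dc, mttfd in parts)
    denominator = sum(1.0 / mttfd for _, mttfd in parts)
    return numerator / denominator


def dc_band(dc: float) -> str:
    """Range of DC: none / low / medium / high."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Comparison SIL/PL from the poster: lower bound inclusive, upper bound exclusive.
PFH_TABLE = [
    (1e-5, 1e-4, "a", None),  # no special safety requirements
    (3e-6, 1e-5, "b", 1),
    (1e-6, 3e-6, "c", 1),
    (1e-7, 1e-6, "d", 2),
    (1e-8, 1e-7, "e", 3),
]


def classify_pfh(pfh: float) -> Tuple[str, Optional[int]]:
    """Map a PFH value [1/h] to (PL, SIL) with the poster's comparison table."""
    for lower, upper, pl, sil in PFH_TABLE:
        if lower <= pfh < upper:
            return pl, sil
    raise ValueError("PFH %g is outside the a..e range of the table" % pfh)


def pl_verified(achieved: str, required: str) -> bool:
    """Verification step of the poster: achieved PL >= PLr (a < b < ... < e)."""
    order = "abcde"
    return order.index(achieved) >= order.index(required)


def demo() -> dict:
    # Constructed two-channel subsystem (MTTFd in years, DC unitless).
    channel1 = mttfd_channel([(150.0, 1), (50.0, 2)])  # 150/7 years, "medium"
    channel2 = 60.0                                     # "high"
    mttfd = mttfd_symmetrised(channel1, channel2)       # diverse channels
    dcavg = dc_avg([(0.60, 20.0), (0.99, 40.0)])
    pfh = 2.47e-7  # constructed outcome of a PFH calculation, in 1/h
    pl, sil = classify_pfh(pfh)
    return {"mttfd": mttfd, "mttfd_band": mttfd_band(mttfd),
            "dcavg": dcavg, "dc_band": dc_band(dcavg),
            "pl": pl, "sil": sil, "verified": pl_verified(pl, "c")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The band functions use half-open intervals exactly as the poster's ranges do (for example 60 % ≤ DC < 90 %), and `classify_pfh` raises rather than silently assigning a level to a PFH outside the table, which keeps a value above 10^-4 from being reported as PL a.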

Benefits to you:
Simple handling saves time
Comprehensive component database
Simple import and update function
Report generator as documented verification

For more information on laws and standards: Webcode 0240
Online information at www.pilz.com

The measures outlined here are simplified descriptions and are intended to provide an overview of the standards EN ISO 13849-1 and EN IEC 62061. Detailed understanding and correct application of all relevant standards and directives are needed for validation of safety circuits. As a result, we cannot accept any liability for omissions or incomplete information.
