Determining SIL in accordance with IEC 62061
06 December 2022


Sector-specific standard IEC 62061 considers the entire life cycle of a machine or plant, from conception to dismantling. The safety integrity level (SIL) describes the safety-related performance capability of a safety function. This article explains what the SIL is, why it is required in machine and plant construction and how it is calculated.

IEC 62061 plays a decisive role when it comes to the functional safety of a machine or plant. It covers safety-related electrical, electronic and programmable electronic (E/E/PE) control systems.

EN 61508, the European adoption of IEC 61508, defines the safety integrity level as follows. The SIL refers to “four well-differentiated levels for specifying the requirement for safety integrity of safety functions assigned to the E/E/PE safety-related system, with Safety Integrity Level 4 being the highest level of safety integrity and Safety Integrity Level 1 being the lowest.” Manufacturers of safety-related components provide the corresponding safety-related characteristic values needed to calculate the SIL.

In addition to the SIL, there is another measure of safety-related performance capability: the performance level (PL) according to EN ISO 13849-1. The two safety standards use different classification systems and definitions for their safety levels. Depending on the technology, risk classification and architecture, either the iterative design process for safety-related parts of control systems (SRP/CS) according to EN ISO 13849-1 or the process for safety-related electrical, electronic and programmable electronic control systems (SRECS) according to IEC 62061 must be applied.

IEC 62061 provides requirements for the design, integration and validation of SRECS. The requirements for the SRECS are derived from the risk assessment according to EN ISO 12100. Based on IEC 62061, the following steps describe the procedure needed to adequately reduce the probability of systematic and random hardware failures that could lead to a dangerous failure of the safety function.

Step 1 - Risk assessment

Various risk parameters must be considered for the risk assessment. IEC 62061 provides the following parameters:

- Severity of damage S

- Probability of the occurrence of damage as a function of

  • frequency and duration F of exposure of persons to a hazard
  • probability of the occurrence of a hazardous event W
  • ways to limit or avoid damage P

Using a point system, F, W and P are added to give the class K. Combining the severity S with the class K then yields the required SIL.

Although IEC 61508 defines four safety integrity levels, general mechanical engineering applications require a maximum of SIL 3. SIL 4 only relates to very specific, highly critical applications with a high level of loss or a high number of potential personal injury hazards. These include, for example, fly-by-wire or steer-by-wire systems in aircraft or vehicles.

Step 2 - Design of control architecture

In the second step, the machine or plant manufacturer must define the safety-related control function (SRCF) according to the determined SIL. An SRCF may involve a protective door, a light barrier, a hand-operated or foot-operated enabling switch, a two-hand device for safe operation or circuits for stopping in the event of an emergency. For each SRCF, the engineer must then define a corresponding safety-related electrical control system (SRECS). An SRECS may be composed of an emergency stop button with a safety relay, as well as a safety contactor and a power contactor.

For the designed safety function, it is now necessary to determine the achieved safety integrity.

Step 3 - Determination of SIL

For this purpose, the architecture of the various subsystems must first be considered. IEC 62061 distinguishes four different basic subsystem architectures (A, B, C, D), which differ mainly by their hardware fault tolerance HFT and diagnostic function criteria:

A: Zero-fault tolerance, without diagnostic function

B: Single-fault tolerance, without diagnostic function

C: Zero-fault tolerance, with diagnostic function

D: Single-fault tolerance, with diagnostic function.

In practice, this means that the designed SRCF safety function must be broken down into function blocks and then mapped to subsystems. Function blocks may involve an input (emergency stop button), logic (safety relay) and output function (safety contactor/power contactor), which then each represent a subsystem that has a specific subsystem architecture. The subsystems are described by three parameters:

  • SIL CL (SIL claim limit)
  • PFHd Probability of dangerous failure per hour
  • T1 Proof test interval, i.e. the assumed duration of use

Subsystems can be made up of different subsystem elements. For each element, the probability of failure must then be determined. The parameters of the subsystem elements are:

  • λd Dangerous failure rate
  • β Characteristic value of common cause faults
  • DC Diagnostic Coverage
  • T2 Diagnostic test interval
  • SFF Safe Failure Fraction (the proportion of a subsystem's failures that are either safe or dangerous but detected by diagnostics).

Examples for calculating the individual subsystem element parameters are provided in the Eaton safety manual. In principle, calculating individual parameters is not necessary if the manufacturer of the subsystem provides a PFHd value.

The SIL claim limit (SIL CL) is the maximum SIL that can be claimed for a subsystem with respect to its structural limitations and systematic safety integrity. It is determined from the hardware fault tolerance HFT and the SFF. The SFF is the sum of the safe failure rate and the dangerous-but-detected failure rate, divided by the total failure rate of the subsystem; for a subsystem with no diagnostics the dangerous-detected share is zero, so a higher SIL CL then has to come from fault tolerance rather than diagnostic coverage.

IEC 62061 refers to EN ISO 13849-1 with regard to the duration of use and recommends assuming a duration of use of 20 years. A repeat test, known as a ‘proof test’, can be used to confirm that an SRECS still meets the required safety integrity. For a proof test interval of 20 years, T1 = 20 a × 365 d × 24 h = 175,200 h. The value of T1 is required for calculating the individual failure probabilities of the subsystems, and it enters the PFHd formulas of the redundant architectures B and D directly, so a shorter proof test interval reduces the computed PFHd.

The PFHd of the overall safety function is the sum of the PFHd values of all subsystems involved in the safety function. The SIL of the overall system can then be read from Table 3 of the above standard. Note that the SIL achieved by the SRCF can never be higher than the lowest SIL CL of any subsystem in the chain: a low PFHd sum does not compensate for an input or output subsystem whose architecture limits it to SIL 1 or SIL 2.

BOX: Learn more about performance level and functional safety for machinery

The Eaton Safety Manual uses example circuits to show how functional safety can be implemented with electrical, electronic and programmable components and systems in safety applications. It shows how the different safety levels (SIL or PL) can be achieved. The international standards EN ISO 13849-1 and IEC 62061 for the safety of machinery are explained with practical examples.

This article is an edited version of an Eaton blog, ‘How is the safety integrity level determined in accordance with IEC 62061?’ available via www.is.gd/efiboj.

Dirk Meyer, Eaton specialist engineer solution architect

This material is protected by MA Business copyright