Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

IEC 62061:2005 specifies requirements and makes recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to control systems used, either singly or in combination, to carry out safety-related control functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner. The contents of the corrigenda of July 2005 and April 2008 have been included in this copy.


General Information

Status: Published
Publication Date: 19-Jan-2005
Current Stage: DELPUB - Deleted Publication
Start Date: 22-Mar-2021
Completion Date: 02-Feb-2017

Relations

Standard: IEC 62061:2005+AMD1:2012+AMD2:2015 CSV/COR1:2015 - Corrigendum 1 - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems. Released: 8/5/2015
English and French language, 10 pages

Standard: IEC 62061:2005 - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems
English and French language, 205 pages

Standard: IEC 62061:2005+AMD1:2012 CSV - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems. Released: 11/13/2012, ISBN: 9782832204870
English and French language, 204 pages

Standard: IEC 62061:2005+AMD1:2012+AMD2:2015 CSV - Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems. Released: 6/26/2015, ISBN: 9782832227749
English and French language, 387 pages

Standards Content (Sample)


AMD2:2015 CSV/COR1:2015 © IEC 2015

INTERNATIONAL ELECTROTECHNICAL COMMISSION

____________
IEC 62061
Edition 1.2 2015-06

Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control
...


IEC 62061
Edition 1.0 2005-01
INTERNATIONAL STANDARD
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.
• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, withdrawn and replaced publications.
• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available on-line and also by email.
• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms, containing more than 20 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary online.
• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE XD
ICS 13.110; 25.040.99; 29.020 ISBN 2-8318-7818-7

– 2 – 62061 © IEC:2005
CONTENTS
FOREWORD ..... 5
INTRODUCTION ..... 7

1 Scope and object ..... 10
2 Normative references ..... 11
3 Terms, definitions and abbreviations ..... 12
3.1 Alphabetical list of definitions ..... 12
3.2 Terms and definitions ..... 14
3.3 Abbreviations ..... 22
4 Management of functional safety ..... 23
4.1 Objective ..... 23
4.2 Requirements ..... 23
5 Requirements for the specification of Safety-Related Control Functions (SRCFs) ..... 24
5.1 Objective ..... 24
5.2 Specification of requirements for SRCFs ..... 24
6 Design and integration of the safety-related electrical control system (SRECS) ..... 27
6.1 Objective ..... 27
6.2 General requirements ..... 27
6.3 Requirements for behaviour (of the SRECS) on detection of a fault in the SRECS ..... 28
6.4 Requirements for systematic safety integrity of the SRECS ..... 29
6.5 Selection of safety-related electrical control system ..... 31
6.6 Safety-related electrical control system (SRECS) design and development ..... 31
6.7 Realisation of subsystems ..... 36
6.8 Realisation of diagnostic functions ..... 52
6.9 Hardware implementation of the SRECS ..... 53
6.10 Software safety requirements specification ..... 53
6.11 Software design and development ..... 54
6.12 Safety-related electrical control system integration and testing ..... 62
6.13 SRECS installation ..... 63
7 Information for use of the SRECS ..... 63
7.1 Objective ..... 63
7.2 Documentation for installation, use and maintenance ..... 63
8 Validation of the safety-related electrical control system ..... 64
8.1 General requirements ..... 65
8.2 Validation of SRECS systematic safety integrity ..... 65
9 Modification ..... 66
9.1 Objective ..... 66
9.2 Modification procedure ..... 66
9.3 Configuration management procedures ..... 67
10 Documentation ..... 69

Annex A (informative) SIL assignment ..... 71
Annex B (informative) Example of safety-related electrical control system (SRECS) design using concepts and requirements of Clauses 5 and 6 ..... 79
Annex C (informative) Guide to embedded software design and development ..... 86
Annex D (informative) Failure modes of electrical/electronic components ..... 95
Annex E (informative) Electromagnetic (EM) phenomenon and increased immunity levels for SRECS intended for use in an industrial environment according to IEC 61000-6-2 ..... 100
Annex F (informative) Methodology for the estimation of susceptibility to common cause failures (CCF) ..... 102

Figure 1 – Relationship of IEC 62061 to other relevant standards ..... 8
Figure 2 – Workflow of the SRECS design and development process ..... 33
Figure 3 – Allocation of safety requirements of the function blocks to subsystems (see 6.6.2.1.1) ..... 34
Figure 4 – Workflow for subsystem design and development (see box 6B of Figure 2) ..... 39
Figure 5 – Decomposition of a function block into redundant function block elements and their associated subsystem elements ..... 40
Figure 6 – Subsystem A logical representation ..... 46
Figure 7 – Subsystem B logical representation ..... 47
Figure 8 – Subsystem C logical representation ..... 47
Figure 9 – Subsystem D logical representation ..... 49
Figure A.1 – Workflow of SIL assignment process ..... 72
Figure A.2 – Parameters used in risk estimation ..... 73
Figure A.3 – Example proforma for SIL assignment process ..... 78
Figure B.1 – Terminology used in functional decomposition ..... 79
Figure B.2 – Example machine ..... 80
Figure B.3 – Specification of requirements for an SRCF ..... 80
Figure B.4 – Decomposition to a structure of function blocks ..... 81
Figure B.5 – Initial concept of an architecture for a SRECS ..... 82
Figure B.6 – SRECS architecture with diagnostic functions embedded within each subsystem (SS1 to SS4) ..... 83
Figure B.7 – SRECS architecture with diagnostic functions embedded within subsystem SS3 ..... 84
Figure B.8 – Estimation of PFH_D for a SRECS ..... 85

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision) ..... 9
Table 2 – Overview and objectives of IEC 62061 ..... 11
Table 3 – Safety integrity levels: target failure values for SRCFs ..... 26
Table 4 – Characteristics of subsystems 1 and 2 used in this example ..... 36
Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed for a SRCF using this subsystem ..... 42
Table 6 – Architectural constraints: SILCL relating to categories ..... 43
Table 7 – Probability of dangerous failure ..... 45
Table 8 – Information and documentation of a SRECS ..... 69

Table A.1 – Severity (Se) classification ..... 74
Table A.2 – Frequency and duration of exposure (Fr) classification ..... 74
Table A.3 – Probability (Pr) classification ..... 75
Table A.4 – Probability of avoiding or limiting harm (Av) classification ..... 76
Table A.5 – Parameters used to determine class of probability of harm (Cl) ..... 76
Table A.6 – SIL assignment matrix ..... 76
Table D.1 – Examples of the failure mode ratios for electrical/electronic components ..... 95
Table E.1 – EM phenomenon and increased immunity levels for SRECS ..... 100
Table E.2 – Selected frequencies for RF field tests ..... 101
Table E.3 – Selected frequencies for conducted RF tests ..... 101
Table F.1 – Criteria for estimation of CCF ..... 102
Table F.2 – Estimation of CCF factor (β) ..... 103

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62061 has been prepared by IEC technical committee 44: Safety
of machinery – Electrotechnical aspects.
The text of this standard is based on the following documents:
FDIS | Report on voting
44/460/FDIS | 44/470/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
The contents of the corrigenda of July 2005 and April 2008 have been included in this copy.

INTRODUCTION
As a result of automation, demand for increased production and reduced operator physical
effort, Safety-Related Electrical Control Systems (referred to as SRECS) of machines play an
increasing role in the achievement of overall machine safety. Furthermore, the SRECS
themselves increasingly employ complex electronic technology.
Previously, in the absence of standards, there has been a reluctance to accept SRECS in
safety-related functions for significant machine hazards because of uncertainty regarding the
performance of such technology.
This International Standard is intended for use by machinery designers, control system
manufacturers and integrators, and others involved in the specification, design and validation
of a SRECS. It sets out an approach and provides requirements to achieve the necessary
performance.
This standard is machine sector specific within the framework of IEC 61508. It is intended to
facilitate the specification of the performance of safety-related electrical control systems in
relation to the significant hazards (see 3.8 of ISO 12100-1) of machines.
This standard provides a machine sector specific framework for functional safety of a SRECS
of machines. It only covers those aspects of the safety lifecycle that are related to safety
requirements allocation through to safety validation. Requirements are provided for
information for safe use of SRECS of machines that can also be relevant to later phases of
the life of a SRECS.
There are many situations on machines where SRECS are employed as part of safety
measures that have been provided to achieve risk reduction. A typical case is the use of an
interlocking guard that, when it is opened to allow access to the danger zone, signals the
electrical control system to stop hazardous machine operation. Also in automation, the
electrical control system that is used to achieve correct operation of the machine process
often contributes to safety by mitigating risks associated with hazards arising directly from
control system failures. This standard gives a methodology and requirements to
• assign the required safety integrity level for each safety-related control function to be
implemented by SRECS;
• enable the design of the SRECS appropriate to the assigned safety-related control
function(s);
• integrate safety-related subsystems designed in accordance with ISO 13849;
• validate the SRECS.
This standard is intended to be used within the framework of systematic risk reduction
described in ISO 12100-1 and in conjunction with risk assessment according to the principles
described in ISO 14121 (EN 1050). A suggested methodology for safety integrity level (SIL)
assignment is given in informative Annex A.
Measures are given to co-ordinate the performance of the SRECS with the intended risk
reduction taking into account the probabilities and consequences of random or systematic
faults within the electrical control system.
Figure 1 shows the relationship of this standard to other relevant standards.
Table 1 gives recommendations on the application of this standard and of the revision of
ISO 13849-1.
[Figure 1 is a diagram; the labels recovered from it are listed here.]
Design and risk assessment of the machine: ISO 12100, Safety of machinery – Basic concept, general principles for design; ISO 14121, Safety of machinery – Principles for risk assessment.
Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery. Methodology using: safety-related control functions; system-based approach; quantitative index of safety: safety integrity level (SIL); SIL assignment methodology for SRECS of machinery; architecture oriented; requirements for avoidance/control of systematic failures. Index of safety: category/performance level; category assigned by qualitative risk graphing; architecture oriented. Design objective for the SRECS.
Relevant standards: Electrical safety aspects of machinery – IEC 60204-1, Safety of machinery – Electrical equipment of machinery – Part 1: General requirements. Design of low complexity subsystems to categories – ISO 13849-1 and 2, Safety of machinery – Safety related parts of control systems (SRPCS) – Part 1: General principles for design and Part 2: Validation. Design of complex subsystems to SILs – IEC 61508, Functional safety of electrical, electronic and programmable electronic safety-related systems. Non-electrical SRPCS (mechanical, pneumatic, etc.). Electrical SRPCS – IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems.
Key: electrical safety aspects; functional safety aspects.
Figure 1 – Relationship of IEC 62061 to other relevant standards
Information on the recommended application of IEC 62061 and ISO 13849-1 (under revision)
IEC 62061 and ISO 13849-1 (under revision) specify requirements for the design and
implementation of safety-related control systems of machinery. The use of either of these
standards, in accordance with their scopes, can be presumed to fulfil the relevant essential
safety requirements. Table 1 summarises the scopes of IEC 62061 and ISO 13849-1 (under
revision).
NOTE ISO 13849-1 is currently under preparation by ISO TC 199 and CEN TC 114.
Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision)
Technology implementing the safety-related control function(s) | ISO 13849-1 (under revision) | IEC 62061
A: Non electrical, e.g. hydraulics | X | Not covered
B: Electromechanical, e.g. relays, or non complex electronics | Restricted to designated architectures (see Note 1) and up to PL=e | All architectures and up to SIL 3
C: Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
D: A combined with B | Restricted to designated architectures (see Note 1) and up to PL=e | X, see Note 3
E: C combined with B | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
F: C combined with A, or C combined with A and B | X, see Note 2 | X, see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 (rev.) to give a simplified approach for
quantification of performance level.
NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849-1 (rev.) up to PL=d or
any architecture according to IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 (rev.) as subsystems.

SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS
1 Scope
This International Standard specifies requirements and makes recommendations for the
design, integration and validation of safety-related electrical, electronic and programmable
electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to
control systems used, either singly or in combination, to carry out safety-related control
functions on machines that are not portable by hand while working, including a group of
machines working together in a co-ordinated manner.
NOTE 1 In this standard, the term “electrical control systems” is used to stand for “Electrical, Electronic and
Programmable Electronic (E/E/PE) control systems” and “SRECS” is used to stand for “safety-related electrical,
electronic and programmable electronic control systems”.
NOTE 2 In this standard, it is presumed that the design of complex programmable electronic subsystems or
subsystem elements conforms to the relevant requirements of IEC 61508. This standard provides a methodology
for the use, rather than development, of such subsystems and subsystem elements as part of a SRECS.
This standard is an application standard and is not intended to limit or inhibit technological
advancement. It does not cover all the requirements (e.g. guarding, non-electrical interlocking
or non-electrical control) that are needed or required by other standards or regulations in
order to safeguard persons from hazards. Each type of machine has unique requirements to
be satisfied to provide adequate safety.
This standard:
– is concerned only with functional safety requirements intended to reduce the risk of injury
or damage to the health of persons in the immediate vicinity of the machine and those
directly involved in the use of the machine;
– is restricted to risks arising directly from the hazards of the machine itself or from a group
of machines working together in a co-ordinated manner;
NOTE 3 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards.
For example, where a machine(s) is part of a process activity, the machine electrical control system functional
safety requirements should, in addition, satisfy other requirements (e.g. IEC 61511) insofar as safety of the
process is concerned.
– does not specify requirements for the performance of non-electrical (e.g. hydraulic,
pneumatic) control elements for machines;
NOTE 4 Although the requirements of this standard are specific to electrical control systems, the framework
and methodology specified can be applicable to safety-related parts of control systems employing other
technologies.
– does not cover electrical hazards arising from the electrical control equipment itself (e.g.
electric shock – see IEC 60204–1).

The objectives of specific Clauses in IEC 62061 are as given in Table 2.
Table 2 – Overview and objectives of IEC 62061
Clause 4 – Management of functional safety: To specify the management and technical activities which are necessary for the achievement of the required functional safety of the SRECS.
Clause 5 – Requirements for the specification of safety-related control functions: To set out the procedures to specify the requirements for safety-related control functions. These requirements are expressed in terms of functional requirements specification, and safety integrity requirements specification.
Clause 6 – Design and integration of the safety-related electrical control system: To specify the selection criteria and/or the design and implementation methods of the SRECS to meet the functional safety requirements. This includes:
– selection of the system architecture,
– selection of the safety-related hardware and software,
– design of hardware and software,
– verification that the designed hardware and software meets the functional safety requirements.
Clause 7 – Information for use of the machine: To specify requirements for the information for use of the SRECS, which has to be supplied with the machine. This includes:
– provision of the user manual and procedures,
– provision of the maintenance manual and procedures.
Clause 8 – Validation of the safety-related electrical control system: To specify the requirements for the validation process to be applied to the SRECS. This includes inspection and testing of the SRECS to ensure that it achieves the requirements stated in the safety requirements specification.
Clause 9 – Modification of the safety-related electrical control system: To specify the requirements for the modification procedure that has to be applied when modifying the SRECS. This includes:
– modifications to any SRECS are properly planned and verified prior to making the change;
– the safety requirements specification of the SRECS is satisfied after any modifications have taken place.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60204–1, Safety of machinery – Electrical equipment of machines – Part 1: General
requirements
IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards –
Immunity for industrial environments

IEC 61310 (all parts), Safety of machinery – Indication, marking and actuation
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related
systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements
ISO 12100-1:2003, Safety of machinery – Basic concepts, general principles for design –
Part 1: Basic terminology, methodology
ISO 12100-2:2003, Safety of machinery – Basic concepts, general principles for design –
Part 2: Technical principles
ISO 13849-1:1999, Safety of machinery – Safety related parts of control systems – Part 1:
General principles for design
ISO 13849-2:2003, Safety of machinery – Safety-related parts of control systems – Part 2:
Validation
ISO 14121, Safety of machinery – Principles of risk assessment
3 Terms, definitions and abbreviations
3.1 Alphabetical list of definitions
Term – Definition number
application software 3.2.46
architectural constraint 3.2.36
architecture 3.2.35
common cause failure 3.2.43
complex component 3.2.8
control function 3.2.14
dangerous failure 3.2.40
demand 3.2.25
diagnostic coverage 3.2.38
electrical control system 3.2.3
embedded software 3.2.47
failure 3.2.39
fault 3.2.30
fault tolerance 3.2.31
full variability language (FVL) 3.2.48
function block 3.2.32
function block element 3.2.33
functional safety 3.2.9
hardware safety integrity 3.2.20
hazard (from machinery) 3.2.10
hazardous situation 3.2.11
high demand or continuous mode 3.2.27
limited variability language (LVL) 3.2.49
low complexity component 3.2.7
low demand mode 3.2.26
machine control system 3.2.2
machinery (machine) 3.2.1
mean time to failure (MTTF) 3.2.34
probability of dangerous failure per hour (PFH_D) 3.2.28
proof test 3.2.37
protective measure 3.2.12
random hardware failure 3.2.44
risk 3.2.13
safe failure 3.2.41
safe failure fraction 3.2.42
safety function 3.2.15
safety integrity 3.2.19
safety integrity level (SIL) 3.2.23
safety-related control function (SRCF) 3.2.16
safety-related electrical control system (SRECS) 3.2.4
safety-related software 3.2.50
SIL claim limit 3.2.24
software safety integrity 3.2.21
SRECS diagnostic function 3.2.17
SRECS fault reaction function 3.2.18
subsystem 3.2.5
subsystem element 3.2.6
systematic failure 3.2.45
systematic safety integrity 3.2.22
target failure value 3.2.29
validation 3.2.52
verification 3.2.51
3.2 Terms and definitions
For the purposes of this standard, the following terms and definitions apply.
3.2.1
machinery
assembly of linked parts or components, at least one of which moves, with the appropriate
machine actuators, control and power circuits, joined together for a specific application, in
particular for the processing, treatment, moving or packaging of a material.
The terms “machinery” and “machine” also cover an assembly of machines which, in order to
achieve the same end, are arranged and controlled so that they function as an integral whole.
[ISO 12100-1:2003, 3.1]
3.2.2
machine control system
system which responds to an input from, for example, the process, other machine elements,
an operator, external control equipment, and generates an output(s) causing the machine to
behave in the intended manner
3.2.3
electrical control system
all the electrical, electronic and programmable electronic parts of the machine control system
used to provide, for example, operational control, monitoring, interlocking, communications,
protection and safety-related control functions
NOTE Safety-related control functions can be performed by an electrical control system that is either integral to or
independent of those parts of a machine’s control system that perform non-safety-related functions.
3.2.4
Safety-Related Electrical Control System
SRECS
electrical control system of a machine whose failure can result in an immediate increase of
the risk(s)
NOTE A SRECS includes all parts of an electrical control system whose failure may result in a reduction or loss of
functional safety and this can comprise both electrical power circuits and control circuits.
3.2.5
subsystem
entity of the top-level architectural design of the SRECS where a failure of any subsystem will
result in a failure of a safety-related control function
NOTE 1 A complete subsystem can be made up from a number of identifiable and separate subsystem elements,
which when put together implement the function blocks allocated to the subsystem.
NOTE 2 This definition is a limitation of the general definition of IEC 61508-4: “set of elements which interact
according to a design, where an element of a system can be another system, called a subsystem, which may
include hardware, software and human interaction.”
NOTE 3 This differs from common language where “subsystem” may mean any sub-divided part of an entity, the
term “subsystem” is used in this standard within a strongly defined hierarchy of terminology: “subsystem” is the first
level subdivision of a system. The parts resulting from further subdivision of a subsystem are called “subsystem
elements”.
3.2.6
subsystem element
part of a subsystem, comprising a single component or any group of components

3.2.7
low complexity component
component in which
– the failure modes are well-defined; and
– the behaviour under fault conditions can be completely defined
[IEC 61508-4, 3.4.4 modified]
NOTE 1 Behaviour of the low complexity component under fault conditions may be determined by analytical
and/or test methods.
NOTE 2 A subsystem or subsystem element comprising one or more limit switches, operating, possibly via
interposing electro-mechanical relays, one or more contactors to de-energise an electric motor is an example of a
low complexity component.
3.2.8
complex component
component in which
– the failure modes are not well-defined; or
– the behaviour under fault conditions cannot be completely defined
3.2.9
functional safety
part of the safety of the machine and the machine control system which depends on the
correct functioning of the SRECS, other technology safety-related systems and external risk
reduction facilities
[IEC 61508-4, 3.1.9 modified]
NOTE 1 This standard only considers the functional safety that depends on the correct functioning of the SRECS
in machinery applications.
NOTE 2 ISO/IEC Guide 51 defines safety as freedom from unacceptable risk.
3.2.10
hazard (from machinery)
potential source of physical injury or damage to health
[ISO 12100-1: 2003, 3.6 modified]
NOTE The term hazard can be qualified in order to define its origin or the nature of the expected harm (e.g.
electric shock hazard, crushing hazard, cutting hazard, toxic hazard, fire hazard).
3.2.11
hazardous situation
circumstance in which a person is exposed to a hazard(s)
[ISO 12100-1:2003, 3.9 modified]
3.2.12
protective measure
measure intended to achieve risk reduction
[ISO 12100-1:2003, 3.18 modified]

3.2.13
risk
combination of the probability of occurrence of harm and the severity of that harm
[ISO 12100-1:2003, 3.11]
3.2.14
control function
function that evaluates input information or signals and produces output information or
activities
3.2.15
safety function
function of a machine whose failure can result in an immediate increase of the risk(s)
[ISO 12100-1:2003, 3.28]
NOTE This definition differs from the definitions in IEC 61508-4 and ISO 13849-1.
3.2.16
Safety-Related Control Function
SRCF
control function implemented by a SRECS with a specified integrity level that is intended to
maintain the safe condition of the machine or prevent an immediate increase of the risk(s)
3.2.17
SRECS diagnostic function
function intended to detect faults in the SRECS and produce a specified output information or
activity when a fault is detected
NOTE This function is intended to detect faults that could lead to a dangerous failure of a SRCF and initiate a
specified fault reaction function.
3.2.18
SRECS fault reaction function
function that is initiated when a fault within a SRECS is detected by the SRECS diagnostic
function
3.2.19
safety integrity
probability of a SRECS or its subsystem satisfactorily performing the required safety-related
control functions under all stated conditions
[IEC 61508-4, 3.5.2 modified]
NOTE 1 The higher the level of safety integrity of the item, the lower the probability that the item will fail to carry
out the required safety-related control function.
NOTE 2 Safety integrity comprises hardware safety integrity (see 3.2.20) and systematic safety integrity (see
3.2.22).
3.2.20
hardware safety integrity
part of the safety integrity of a SRECS or its subsystems comprising requirements for both the
probability of dangerous random hardware failures and architectural constraints
[IEC 61508-4, 3.5.5 modified]
3.2.21
software safety integrity
part of the systematic safety integrity of a SRECS or its subsystems related to the capability
of software in a programmable electronic system performing its safety-related control
functions under all stated conditions during a stated period of time
[IEC 61508-4, 3.5.3 modified]
NOTE Software safety integrity cannot usually be quantified precisely.
3.2.22
systematic safety integrity
part of the safety integrity of a SRECS or its subsystems relating to its resistance to
systematic failures (see 3.2.45) in a dangerous mode.
[IEC 61508-4, 3.5.4 modified]
NOTE 1 Systematic safety integrity cannot usually be quantified precisely.
NOTE 2 Requirements for systematic safety integrity apply to both hardware and software aspects of a SRECS or
its subsystems.
3.2.23
Safety Integrity Level
SIL
discrete level (one out of a possible three) for specifying the safety integrity requirements of
the safety-related control functions to be allocated to the SRECS, where safety integrity level
three has the highest level of safety integrity and safety integrity level one has the lowest
[IEC 61508-4, 3.5.6 modified]
NOTE SIL 4 is not considered in this standard, as it is not relevant to the risk reduction requirements normally
associated with machinery. For requirements applicable to SIL 4, see IEC 61508-1 and IEC 61508-2.
3.2.24
SIL Claim Limit (for a subsystem)
SILCL
maximum SIL that can be claimed for a SRECS subsystem in relation to architectural
constraints and systematic safety integrity
3.2.25
demand
event that causes the SRECS to perform its SRCF
3.2.26
low demand mode
mode of operation in which the frequency of demands on a SRECS is no greater than one per
year and no greater than twice the proof-test frequency
NOTE Equipment that is only designed in accordance with requirements for the low demand mode of operation
described in IEC 61508-1 and IEC 61508-2 can be unsuitable for use as part of a SRECS in this standard. Low
demand mode of operation is not considered to be relevant for SRECS application
...


IEC 62061 ®
Edition 1.1 2012-11
INTERNATIONAL STANDARD
NORME INTERNATIONALE
(colour inside)
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
Sécurité des machines – Sécurité fonctionnelle des systèmes de commande électriques, électroniques et électroniques programmables relatifs à la sécurité

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition, a corrigenda or an amendment might have been published.

Useful links:
IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.
Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.
Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.

ICS 13.110; 25.040.99; 29.020 ISBN 978-2-8322-0487-0

CONTENTS
FOREWORD . 5
INTRODUCTION . 7
1 Scope and object . 10
2 Normative references . 11
3 Terms, definitions and abbreviations . 12
3.1 Alphabetical list of definitions . 12
3.2 Terms and definitions . 14
3.3 Abbreviations . 22
4 Management of functional safety . 22
4.1 Objective . 22
4.2 Requirements . 22
5 Requirements for the specification of Safety-Related Control Functions (SRCFs) . 24
5.1 Objective . 24
5.2 Specification of requirements for SRCFs . 24
6 Design and integration of the safety-related electrical control system (SRECS) . 26
6.1 Objective . 26
6.2 General requirements . 26
6.3 Requirements for behaviour (of the SRECS) on detection of a fault in the SRECS . 27
6.4 Requirements for systematic safety integrity of the SRECS . 28
6.5 Selection of safety-related electrical control system . 30
6.6 Safety-related electrical control system (SRECS) design and development . 30
6.7 Realisation of subsystems . 35
6.8 Realisation of diagnostic functions . 51
6.9 Hardware implementation of the SRECS . 52
6.10 Software safety requirements specification . 52
6.11 Software design and development . 53
6.12 Safety-related electrical control system integration and testing . 60
6.13 SRECS installation . 62
7 Information for use of the SRECS . 62
7.1 Objective . 62
7.2 Documentation for installation, use and maintenance . 62
8 Validation of the safety-related electrical control system . 63
8.1 Objective . 63
8.2 General requirements . 63
8.3 Validation of SRECS systematic safety integrity . 64
9 Modification . 65
9.1 Objective . 65
9.2 Modification procedure . 65
9.3 Configuration management procedures . 65
10 Documentation . 67
Annex A (informative) SIL assignment . 69
Annex B (informative) Example of safety-related electrical control system (SRECS) design using concepts and requirements of Clauses 5 and 6 . 77
Annex C (informative) Guide to embedded software design and development . 84
Annex D (informative) Failure modes of electrical/electronic components . 92
Annex E (informative) Electromagnetic (EM) phenomenon and increased immunity levels for SRECS intended for use in an industrial environment according to IEC 61000-6-2 . 97
Annex F (informative) Methodology for the estimation of susceptibility to common cause failures (CCF) . 99

Figure 1 – Relationship of IEC 62061 to other relevant standards . 8
Figure 2 – Workflow of the SRECS design and development process . 32
Figure 3 – Allocation of safety requirements of the function blocks to subsystems (see 6.6.2.1.1) . 33
Figure 4 – Workflow for subsystem design and development (see box 6B of Figure 2) . 38
Figure 5 – Decomposition of a function block into redundant function block elements and their associated subsystem elements . 39
Figure 6 – Subsystem A logical representation . 45
Figure 7 – Subsystem B logical representation . 46
Figure 8 – Subsystem C logical representation . 46
Figure 9 – Subsystem D logical representation . 48
Figure A.1 – Workflow of SIL assignment process . 70
Figure A.2 – Parameters used in risk estimation . 71
Figure A.3 – Example proforma for SIL assignment process . 78
Figure B.1 – Terminology used in functional decomposition . 77
Figure B.2 – Example machine . 78
Figure B.3 – Specification of requirements for an SRCF . 78
Figure B.4 – Decomposition to a structure of function blocks . 79
Figure B.5 – Initial concept of an architecture for a SRECS . 80
Figure B.6 – SRECS architecture with diagnostic functions embedded within each subsystem (SS1 to SS4) . 81
Figure B.7 – SRECS architecture with diagnostic functions embedded within subsystem SS3 . 82
Figure B.8 – Estimation of PFHD for a SRECS . 83

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision) . 9
Table 2 – Overview and objectives of IEC 62061 . 11
Table 3 – Safety integrity levels: target failure values for SRCFs . 26
Table 4 – Characteristics of subsystems 1 and 2 used in this example . 35
Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed for a SRCF using this subsystem . 41
Table 6 – Architectural constraints: SILCL relating to categories . 41
Table 7 – Probability of dangerous failure . 44
Table 8 – Information and documentation of a SRECS . 68
Table A.1 – Severity (Se) classification . 72
Table A.2 – Frequency and duration of exposure (Fr) classification . 72
Table A.3 – Probability (Pr) classification . 73
Table A.4 – Probability of avoiding or limiting harm (Av) classification . 74
Table A.5 – Parameters used to determine class of probability of harm (Cl) . 74
Table A.6 – SIL assignment matrix . 75
Table D.1 – Examples of the failure mode ratios for electrical/electronic components . 92
Table E.1 – EM phenomenon and increased immunity levels for SRECS . 97
Table E.2 – Selected frequencies for RF field tests . 98
Table E.3 – Selected frequencies for conducted RF tests . 98
Table F.1 – Criteria for estimation of CCF . 99
Table F.2 – Estimation of CCF factor (β) . 100

INTERNATIONAL ELECTROTECHNICAL COMMISSION

SAFETY OF MACHINERY – FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL, ELECTRONIC AND PROGRAMMABLE ELECTRONIC CONTROL SYSTEMS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

This consolidated version of IEC 62061 consists of the first edition (2005) [documents
44/460/FDIS and 44/470/RVD], its amendment 1 (2012) [documents 44/655/CDV and
44/663/RVC] and its corrigenda of July 2005 and April 2008. It bears the edition
number 1.1.
The technical content is therefore identical to the base edition and its amendment and
has been prepared for user convenience. A vertical line in the margin shows where the
base publication has been modified by amendment 1. Additions and deletions are
displayed in red, with deletions being struck through.

International Standard IEC 62061 has been prepared by IEC technical committee 44: Safety
of machinery – Electrotechnical aspects.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of the base publication and its amendments will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of August 2015 have been included in this copy.

IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.

INTRODUCTION
As a result of automation, demand for increased production and reduced operator physical
effort, Safety-Related Electrical Control Systems (referred to as SRECS) of machines play an
increasing role in the achievement of overall machine safety. Furthermore, the SRECS
themselves increasingly employ complex electronic technology.
Previously, in the absence of standards, there has been a reluctance to accept SRECS in
safety-related functions for significant machine hazards because of uncertainty regarding the
performance of such technology.

This International Standard is intended for use by machinery designers, control system
manufacturers and integrators, and others involved in the specification, design and validation
of a SRECS. It sets out an approach and provides requirements to achieve the necessary
performance.
This standard is machine sector specific within the framework of IEC 61508. It is intended to
facilitate the specification of the performance of safety-related electrical control systems in
relation to the significant hazards (see 3.8 of ISO 12100-1) of machines.
This standard provides a machine sector specific framework for functional safety of a SRECS
of machines. It only covers those aspects of the safety lifecycle that are related to safety
requirements allocation through to safety validation. Requirements are provided for
information for safe use of SRECS of machines that can also be relevant to later phases of
the life of a SRECS.
There are many situations on machines where SRECS are employed as part of safety
measures that have been provided to achieve risk reduction. A typical case is the use of an
interlocking guard that, when it is opened to allow access to the danger zone, signals the
electrical control system to stop hazardous machine operation. Also in automation, the
electrical control system that is used to achieve correct operation of the machine process
often contributes to safety by mitigating risks associated with hazards arising directly from
control system failures. This standard gives a methodology and requirements to
• assign the required safety integrity level for each safety-related control function to be
implemented by SRECS;
• enable the design of the SRECS appropriate to the assigned safety-related control
function(s);
• integrate safety-related subsystems designed in accordance with ISO 13849;
• validate the SRECS.
This standard is intended to be used within the framework of systematic risk reduction
described in ISO 12100-1 and in conjunction with risk assessment according to the principles
described in ISO 14121 (EN 1050). A suggested methodology for safety integrity level (SIL)
assignment is given in informative Annex A.
Measures are given to co-ordinate the performance of the SRECS with the intended risk
reduction taking into account the probabilities and consequences of random or systematic
faults within the electrical control system.
Figure 1 shows the relationship of this standard to other relevant standards.
Table 1 gives recommendations on the application of this standard and of the revision of
ISO 13849-1.
Figure 1 – Relationship of IEC 62061 to other relevant standards
(Diagram not reproduced; its blocks are as follows. Design and risk assessment of the machine: ISO 12100, Safety of machinery – Basic concepts, general principles for design; ISO 14121, Safety of machinery – Principles for risk assessment. Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery, methodology using safety-related control functions: on the IEC 62061 side, a system-based approach, quantitative index of safety: safety integrity level (SIL), SIL assignment methodology for SRECS of machinery, architecture oriented, requirements for avoidance/control of systematic failures; on the ISO 13849 side, index of safety: category/performance level, category assigned by qualitative risk graphing, architecture oriented. Design objective for the SRECS and relevant standards: electrical safety aspects of machinery – IEC 60204-1, Safety of machinery – Electrical equipment of machinery – Part 1: General requirements; design of low complexity subsystems to categories, and non-electrical SRPCS (mechanical, pneumatic, etc.) – ISO 13849-1 and 2, Safety of machinery – Safety related parts of control systems (SRPCS) – Part 1: General principles for design and Part 2: Validation; design of complex subsystems to SILs – IEC 61508, Functional safety of electrical, electronic and programmable electronic safety-related systems; electrical SRPCS – IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. Key: electrical safety aspects; functional safety aspects.)
Information on the recommended application of IEC 62061 and ISO 13849-1
(under revision)
IEC 62061 and ISO 13849-1 (under revision) specify requirements for the design and
implementation of safety-related control systems of machinery. The use of either of these
standards, in accordance with their scopes, can be presumed to fulfil the relevant essential
safety requirements. Table 1 summarises the scopes of IEC 62061 and ISO 13849-1 (under
revision). IEC/TR 62061-1 provides guidance on the application of IEC 62061 and ISO 13849-1
in the design of safety-related control systems for machinery.

NOTE ISO 13849-1 is currently under preparation by ISO TC 199 and CEN TC 114.

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision)

Technology implementing the safety-related control function(s) | ISO 13849-1 (under revision) | IEC 62061
A Non electrical, e.g. hydraulics | X | Not covered
B Electromechanical, e.g. relays, or non complex electronics | Restricted to designated architectures (see Note 1) and up to PL=e | All architectures and up to SIL 3
C Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
D A combined with B | Restricted to designated architectures (see Note 1) and up to PL=e | X see Note 3
E C combined with B | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
F C combined with A, or C combined with A and B | X see Note 2 | X see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1 (rev.) to give a simplified approach for
quantification of performance level.
NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849-1 (rev.) up to PL=d or
any architecture according to IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1 (rev.) as subsystems.

SAFETY OF MACHINERY – FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL, ELECTRONIC AND PROGRAMMABLE ELECTRONIC CONTROL SYSTEMS
1 Scope
This International Standard specifies requirements and makes recommendations for the
design, integration and validation of safety-related electrical, electronic and programmable
electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to
control systems used, either singly or in combination, to carry out safety-related control
functions on machines that are not portable by hand while working, including a group of
machines working together in a co-ordinated manner.
NOTE 1 In this standard, the term “electrical control systems” is used to stand for ”Electrical, Electronic and
Programmable Electronic (E/E/PE) control systems” and “SRECS” is used to stand for “safety-related electrical,
electronic and programmable electronic control systems”.
NOTE 2 In this standard, it is presumed that the design of complex programmable electronic subsystems or
subsystem elements conforms to the relevant requirements of IEC 61508 and uses Route 1H (see
IEC 61508-2:2010, 7.4.4.2). It is considered that Route 2H (see IEC 61508-2:2010, 7.4.4.3) is not suitable for
general machinery. Therefore, this standard does not deal with Route 2H. This standard provides a methodology for
the use, rather than development, of such subsystems and subsystem elements as part of a SRECS.
This standard is an application standard and is not intended to limit or inhibit technological
advancement. It does not cover all the requirements (e.g. guarding, non-electrical interlocking
or non-electrical control) that are needed or required by other standards or regulations in
order to safeguard persons from hazards. Each type of machine has unique requirements to
be satisfied to provide adequate safety.
This standard:
– is concerned only with functional safety requirements intended to reduce the risk of injury
or damage to the health of persons in the immediate vicinity of the machine and those
directly involved in the use of the machine;
– is restricted to risks arising directly from the hazards of the machine itself or from a group
of machines working together in a co-ordinated manner;
NOTE 3 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards.
For example, where a machine(s) is part of a process activity, the machine electrical control system functional
safety requirements should, in addition, satisfy other requirements (e.g. IEC 61511) insofar as safety of the
process is concerned.
– does not specify requirements for the performance of non-electrical (e.g. hydraulic,
pneumatic) control elements for machines;
NOTE 4 Although the requirements of this standard are specific to electrical control systems, the framework
and methodology specified can be applicable to safety-related parts of control systems employing other
technologies.
– does not cover electrical hazards arising from the electrical control equipment itself (e.g.
electric shock – see IEC 60204–1).

The objectives of specific Clauses in IEC 62061 are as given in Table 2.

Table 2 – Overview and objectives of IEC 62061

Clause 4 – Management of functional safety: To specify the management and technical activities which are necessary for the achievement of the required functional safety of the SRECS.

Clause 5 – Requirements for the specification of safety-related control functions: To set out the procedures to specify the requirements for safety-related control functions. These requirements are expressed in terms of functional requirements specification, and safety integrity requirements specification.

Clause 6 – Design and integration of the safety-related electrical control system: To specify the selection criteria and/or the design and implementation methods of the SRECS to meet the functional safety requirements. This includes:
– selection of the system architecture,
– selection of the safety-related hardware and software,
– design of hardware and software,
– verification that the designed hardware and software meets the functional safety requirements.

Clause 7 – Information for use of the machine: To specify requirements for the information for use of the SRECS, which has to be supplied with the machine. This includes:
– provision of the user manual and procedures,
– provision of the maintenance manual and procedures.

Clause 8 – Validation of the safety-related electrical control system: To specify the requirements for the validation process to be applied to the SRECS. This includes inspection and testing of the SRECS to ensure that it achieves the requirements stated in the safety requirements specification.

Clause 9 – Modification of the safety-related electrical control system: To specify the requirements for the modification procedure that has to be applied when modifying the SRECS. This includes:
– modifications to any SRECS are properly planned and verified prior to making the change;
– the safety requirements specification of the SRECS is satisfied after any modifications have taken place.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60204–1, Safety of machinery – Electrical equipment of machines – Part 1: General
requirements
IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards –
Immunity for industrial environments

IEC 61310 (all parts), Safety of machinery – Indication, marking and actuation

IEC 61508-2, Functional safety of electrical/electronic/ programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements

ISO 12100-1:2003, Safety of machinery – Basic concepts, general principles for design –
Part 1: Basic terminology, methodology

ISO 12100-2:2003, Safety of machinery – Basic concepts, general principles for design –
Part 2: Technical principles
ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and
risk reduction
ISO 13849-1:1999 2006, Safety of machinery – Safety-related parts of control systems – Part
1: General principles for design
ISO 13849-2:2003, Safety of machinery – Safety-related parts of control systems – Part 2:
Validation
ISO 14121, Safety of machinery – Principles of risk assessment
3 Terms, definitions and abbreviations
3.1 Alphabetical list of definitions
Term – Definition number
application software 3.2.46
architectural constraint 3.2.36
architecture 3.2.35
common cause failure 3.2.43
complex component 3.2.8
control function 3.2.14
dangerous failure 3.2.40
demand 3.2.25
diagnostic coverage 3.2.38
electrical control system 3.2.3
embedded software 3.2.47
failure 3.2.39
fault 3.2.30
fault tolerance 3.2.31
full variability language (FVL) 3.2.48
function block 3.2.32
function block element 3.2.33
functional safety 3.2.9
hardware safety integrity 3.2.20

hazard (from machinery) 3.2.10

hazardous situation 3.2.11
high demand or continuous mode 3.2.27

limited variability language (LVL) 3.2.49

low complexity component 3.2.7

low demand mode 3.2.26
machine control system 3.2.2
machinery (machine) 3.2.1
mean time to failure (MTTF) 3.2.34
probability of dangerous failure per hour (PFH_D) 3.2.28
proof test 3.2.37
protective measure 3.2.12
random hardware failure 3.2.44
risk 3.2.13
safe failure 3.2.41
safe failure fraction 3.2.42
safety function 3.2.15
safety integrity 3.2.19
safety integrity level (SIL) 3.2.23
safety-related control function (SRCF) 3.2.16
safety-related electrical control system (SRECS) 3.2.4
safety-related software 3.2.50
SIL claim limit 3.2.24
software safety integrity 3.2.21
SRECS diagnostic function 3.2.17
SRECS fault reaction function 3.2.18
subsystem 3.2.5
subsystem element 3.2.6
systematic failure 3.2.45
systematic safety integrity 3.2.22
target failure value 3.2.29
validation 3.2.52
verification 3.2.51
3.2 Terms and definitions
For the purposes of this standard, the following terms and definitions apply.

3.2.1
machinery
assembly of linked parts or components, at least one of which moves, with the appropriate
machine actuators, control and power circuits, joined together for a specific application, in
particular for the processing, treatment, moving or packaging of a material.
The terms “machinery” and “machine” also cover an assembly of machines which, in order to
achieve the same end, are arranged and controlled so that they function as an integral whole.
[ISO 12100-1:2003, 3.1]
3.2.2
machine control system
system which responds to an input from, for example, the process, other machine elements,
an operator, external control equipment, and generates an output(s) causing the machine to
behave in the intended manner
3.2.3
electrical control system
all the electrical, electronic and programmable electronic parts of the machine control system
used to provide, for example, operational control, monitoring, interlocking, communications,
protection and safety-related control functions
NOTE Safety-related control functions can be performed by an electrical control system that is either integral to or
independent of those parts of a machine’s control system that perform non-safety-related functions.
3.2.4
Safety-Related Electrical Control System
SRECS
electrical control system of a machine whose failure can result in an immediate increase of
the risk(s)
NOTE A SRECS includes all parts of an electrical control system whose failure may result in a reduction or loss of
functional safety and this can comprise both electrical power circuits and control circuits.
3.2.5
subsystem
entity of the top-level architectural design of the SRECS where a dangerous failure of any
subsystem will result in a dangerous failure of a safety-related control function

[IEC 61508-4, 3.4.4 modified]
NOTE 1 A complete subsystem can be made up from a number of identifiable and separate subsystem elements,
which when put together implement the function blocks allocated to the subsystem.
NOTE 2 This definition is a limitation of the general definition of IEC 61508-4: “set of elements which interact
according to a design, where an element of a system can be another system, called a subsystem, which may
include hardware, software and human interaction”.
NOTE 3 2 This differs from common language where “subsystem” may mean any sub-divided part of an entity, the
term “subsystem” is used in this standard within a strongly defined hierarchy of terminology: “subsystem” is the first
level subdivision of a system. The parts resulting from further subdivision of a subsystem are called “subsystem
elements”.
3.2.6
subsystem element
part of a subsystem, comprising a single component or any group of components

3.2.7
low complexity component
component in which
– the failure modes are well-defined; and

– the behaviour under fault conditions can be completely defined

[IEC 61508-4, 3.4.4 3.4.3 modified]

NOTE 1 Behaviour of the low complexity component under fault conditions may be determined by analytical
and/or test methods.
NOTE 2 A subsystem or subsystem element comprising one or more limit switches, operating, possibly via
interposing electro-mechanical relays, one or more contactors to de-energise an electric motor is an example of a
low complexity component.
3.2.8
complex component
component in which
– the failure modes are not well-defined; or
– the behaviour under fault conditions cannot be completely defined
3.2.9
functional safety
part of the safety of the machine and the machine control system which depends on the
correct functioning of the SRECS, other technology safety-related systems and external risk
reduction facilities
[IEC 61508-4, 3.1.9 3.1.12 modified]
NOTE 1 This standard only considers the functional safety that depends on the correct functioning of the SRECS
in machinery applications.
NOTE 2 ISO/IEC Guide 51 defines safety as freedom from unacceptable risk.
3.2.10
hazard (from machinery)
potential source of physical injury or damage to health
[ISO 12100-1: 2003, 3.6 modified]
NOTE The term hazard can be qualified in order to define its origin or the nature of the expected harm (e.g.
electric shock hazard, crushing hazard, cutting hazard, toxic hazard, fire hazard).
3.2.11
hazardous situation
circumstance in which a person is exposed to a hazard(s)

[ISO 12100-1:2003, 3.9, 3.10 modified]
3.2.12
protective measure
measure intended to achieve risk reduction
[ISO 12100-1:2003, 3.18, 3.19 modified]
3.2.13
risk
combination of the probability of occurrence of harm and the severity of that harm
[ISO 12100-1:2003, 3.11, 3.12]

3.2.14
control function
function that evaluates input information or signals and produces output information or

activities
3.2.15
safety function
function of a machine whose failure can result in an immediate increase of the risk(s)

[ISO 12100-1:2003, 3.28, 3.30]

NOTE This definition differs from the definitions in IEC 61508-4 and ISO 13849-1.

3.2.16
Safety-Related Control Function
SRCF
control function implemented by a SRECS with a specified integrity level that is intended to
maintain the safe condition of the machine or prevent an immediate increase of the risk(s)
3.2.17
SRECS diagnostic function
function intended to detect faults in the SRECS and produce a specified output information or
activity when a fault is detected
NOTE This function is intended to detect faults that could lead to a dangerous failure of a SRCF and initiate a
specified fault reaction function.
3.2.18
SRECS fault reaction function
function that is initiated when a fault within a SRECS is detected by the SRECS diagnostic
function
3.2.19
safety integrity
probability of a SRECS or its subsystem satisfactorily performing the required safety-related
control functions under all stated conditions
[IEC 61508-4, 3.5.2 3.5.4 modified]
NOTE 1 The higher the level of safety integrity of the item, the lower the probability that the item will fail to carry
out the required safety-related control function.
NOTE 2 Safety integrity comprises hardware safety integrity (see 3.2.20) and systematic s
...


IEC 62061 ®
Edition 1.2 2015-06
CONSOLIDATED VERSION
INTERNATIONAL STANDARD
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11, Fax: +41 22 919 03 00, info@iec.ch, www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the latest edition; a corrigendum or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue
The stand-alone application for consulting the entire bibliographical information on IEC International Standards, Technical Specifications, Technical Reports and other documents. Available for PC, Mac OS, Android Tablets and iPad.

IEC publications search - www.iec.ch/searchpub
The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee, …). It also gives information on projects, replaced and withdrawn publications.

IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published details all new publications released. Available online and also once a month by email.

Electropedia - www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in 15 additional languages. Also known as the International Electrotechnical Vocabulary (IEV) online.

IEC Glossary - std.iec.ch/glossary
More than 60 000 electrotechnical terminology entries in English and French extracted from the Terms and Definitions clause of IEC publications issued since 2002. Some entries have been collected from earlier publications of IEC TC 37, 77, 86 and CISPR.

IEC Customer Service Centre - webstore.iec.ch/csc
If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.
INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 13.110; 25.040.99; 29.020 ISBN 978-2-8322-2774-9

IEC 62061 ®
Edition 1.2 2015-06
CONSOLIDATED VERSION
REDLINE VERSION
Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems

– 2 – IEC 62061:2005
+AMD1:2012+AMD2:2015 CSV  IEC 2015
CONTENTS
FOREWORD . 5
INTRODUCTION . 7

1 Scope . 10
2 Normative references . 11
3 Terms, definitions and abbreviations . 12
3.1 Alphabetical list of definitions . 12
3.2 Terms and definitions . 14
3.3 Abbreviations . 22
4 Management of functional safety . 22
4.1 Objective . 22
4.2 Requirements . 22
5 Requirements for the specification of Safety-Related Control Functions (SRCFs) . 23
5.1 Objective . 23
5.2 Specification of requirements for SRCFs . 24
6 Design and integration of the safety-related electrical control system (SRECS) . 26
6.1 Objective . 26
6.2 General requirements . 26
6.3 Requirements for behaviour (of the SRECS) on detection of a fault in the
SRECS . 27
6.4 Requirements for systematic safety integrity of the SRECS . 27
6.5 Selection of safety-related electrical control system . 29
6.6 Safety-related electrical control system (SRECS) design and development . 29
6.7 Realisation of subsystems . 35
6.8 Realisation of diagnostic functions . 50
6.9 Hardware implementation of the SRECS . 52
6.10 Software safety requirements specification . 52
6.11 Software design and development . 53
6.12 Safety-related electrical control system integration and testing . 59
6.13 SRECS installation . 61
7 Information for use of the SRECS . 61
7.1 Objective . 61
7.2 Documentation for installation, use and maintenance . 61
8 Validation of the safety-related electrical control system . 62
8.1 Objective . 62
8.2 General requirements . 62
8.3 Validation of SRECS systematic safety integrity . 62
9 Modification . 63
9.1 Objective . 63
9.2 Modification procedure . 64
9.3 Configuration management procedures . 64
10 Documentation . 66

Annex A (informative) SIL assignment . 68
Annex B (informative)  Example of safety-related electrical control system (SRECS)
design using concepts and requirements of Clauses 5 and 6 . 76
Annex C (informative) Guide to embedded software design and development . 83
Annex D (informative) Failure modes of electrical/electronic components .
Annex E (informative) Electromagnetic (EM) phenomenon and increased immunity
levels for SRECS intended for use in an industrial environment according to
IEC 61000-6-2 .
Annex F (informative) Methodology for the estimation of susceptibility to common
cause failures (CCF) . 98

Figure 1 – Relationship of IEC 62061 to other relevant standards . 8
Figure 2 – Workflow of the SRECS design and development process . 32
Figure 3 – Allocation of safety requirements of the function blocks to subsystems
(see 6.6.2.1.1) . 33
Figure 4 – Workflow for subsystem design and development (see box 6B of Figure 2) . 38
Figure 5 – Decomposition of a function block into redundant function block elements
and their associated subsystem elements . 39
Figure 6 – Subsystem A logical representation . 45
Figure 7 – Subsystem B logical representation . 46
Figure 8 – Subsystem C logical representation . 46
Figure 9 – Subsystem D logical representation . 48
Figure A.1 – Workflow of SIL assignment process . 69
Figure A.2 – Parameters used in risk estimation . 70
Figure A.3 – Example proforma for SIL assignment process . 75
Figure B.1 – Terminology used in functional decomposition . 76
Figure B.2 – Example machine . 77
Figure B.3 – Specification of requirements for an SRCF . 77
Figure B.4 – Decomposition to a structure of function blocks . 78
Figure B.5 – Initial concept of an architecture for a SRECS . 79
Figure B.6 – SRECS architecture with diagnostic functions embedded within each
subsystem (SS1 to SS4) . 80
Figure B.7 – SRECS architecture with diagnostic functions embedded within
subsystem SS3 . 81
Figure B.8 – Estimation of PFH_D for a SRECS . 82
Table 1 – Recommended application of IEC 62061 and ISO 13849-1(under revision) .
Table 2 – Overview and objectives of IEC 62061 . 11
Table 3 – Safety integrity levels: target failure values for SRCFs . 25
Table 4 – Characteristics of subsystems 1 and 2 used in this example (see Note
above) . 35
Table 5 – Architectural constraints on subsystems: maximum SIL that can be claimed
for a SRCF using this subsystem . 41
Table 6 – Architectural constraints: SILCL relating to categories .
Table 7 – Probability of dangerous failure .

Table 8 – Information and documentation of a SRECS . 67
Table A.1 – Severity (Se) classification . 70
Table A.2– Frequency and duration of exposure (Fr) classification . 71
Table A.3– Probability (Pr) classification . 72
Table A.4– Probability of avoiding or limiting harm (Av) classification . 73
Table A.5– Parameters used to determine class of probability of harm (Cl) . 73
Table A.6 – SIL assignment matrix . 74
Table D.1 – Examples of the failure mode ratios for electrical/electronic components .
Table E.1 – EM phenomenon and increased immunity levels for SRECS .
Table E.2 – Selected frequencies for RF field tests .
Table E.3 – Selected frequencies for conducted RF tests .
Table F.1 – Criteria for estimation of CCF . 99
Table F.2 – Estimation of CCF factor (β) . 100

INTERNATIONAL ELECTROTECHNICAL COMMISSION
SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This consolidated version of the official IEC Standard and its amendments has been
prepared for user convenience.
IEC 62061 edition 1.2 contains the first edition (2005-01) [documents 44/460/FDIS and
44/470/RVD], its amendment 1 (2012-11) [documents 44/655/CDV and 44/663/RVC] and its
amendment 2 (2015-06) [documents 44/718/CDV and 44/725/RVC].
In this Redline version, a vertical line in the margin shows where the technical content
is modified by amendments 1 and 2. Additions and deletions are displayed in red, with
deletions being struck through. A separate Final version with all changes accepted is
available in this publication.

International Standard IEC 62061 has been prepared by IEC technical committee 44: Safety
of machinery – Electrotechnical aspects.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of the base publication and its amendments will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
The contents of the corrigendum of August 2015 have been included in this copy.
IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct
understanding of its contents. Users should therefore print this document using a
colour printer.
INTRODUCTION
As a result of automation, demand for increased production and reduced operator physical
effort, Safety-Related Electrical Control Systems (referred to as SRECS) of machines play an
increasing role in the achievement of overall machine safety. Furthermore, the SRECS
themselves increasingly employ complex electronic technology.
Previously, in the absence of standards, there has been a reluctance to accept SRECS in
safety-related functions for significant machine hazards because of uncertainty regarding the
performance of such technology.
This International Standard is intended for use by machinery designers, control system
manufacturers and integrators, and others involved in the specification, design and validation
of a SRECS. It sets out an approach and provides requirements to achieve the necessary
performance.
This standard is machine sector specific within the framework of IEC 61508. It is intended to
facilitate the specification of the performance of safety-related electrical control systems in
relation to the significant hazards (see 3.8 of ISO 12100-1 12100:2010) of machines.
This standard provides a machine sector specific framework for functional safety of a SRECS
of machines. It only covers those aspects of the safety lifecycle that are related to safety
requirements allocation through to safety validation. Requirements are provided for
information for safe use of SRECS of machines that can also be relevant to later phases of
the life of a SRECS.
There are many situations on machines where SRECS are employed as part of safety
measures that have been provided to achieve risk reduction. A typical case is the use of an
interlocking guard that, when it is opened to allow access to the danger zone, signals the
electrical control system to stop hazardous machine operation. Also in automation, the
electrical control system that is used to achieve correct operation of the machine process
often contributes to safety by mitigating risks associated with hazards arising directly from
control system failures. This standard gives a methodology and requirements to
• assign the required safety integrity level for each safety-related control function to be
implemented by SRECS;
• enable the design of the SRECS appropriate to the assigned safety-related control
function(s);
• integrate safety-related subsystems designed in accordance with ISO 13849;
• validate the SRECS.
This standard is intended to be used within the framework of systematic risk reduction
described in ISO 12100-1 12100 and in conjunction with risk assessment according to the
principles described in ISO 14121 (EN 1050) 12100. A suggested methodology for safety
integrity level (SIL) assignment is given in informative Annex A.
Measures are given to co-ordinate the performance of the SRECS with the intended risk
reduction taking into account the probabilities and consequences of random or systematic
faults within the electrical control system.

– 8 – IEC 62061:2005
+AMD1:2012+AMD2:2015 CSV  IEC 2015
Figure 1 shows the relationship of this standard to other relevant standards.
Table 1 gives recommendations on the application of this standard and of the revision of
ISO 13849-1.
[Figure 1 is a diagram; only its box labels are recoverable here.]
– Design and risk assessment of the machine: ISO 12100, Safety of machinery – Basic concept, General principles for design – Risk assessment and risk reduction; ISO 14121, Safety of machinery – Principles for risk assessment
– Design of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machinery. Methodology using: safety-related control functions; system-based approach. First column: quantitative index of safety: safety integrity level (SIL); SIL assignment methodology for SRECS of machinery; architecture oriented; requirements for avoidance/control of systematic failures. Second column: index of safety: category/performance level; category assigned by qualitative risk graphing; architecture oriented
– Design objective for the SRECS / Relevant standards
– Electrical safety aspects of machinery: IEC 60204-1, Safety of machinery – Electrical equipment of machinery – Part 1: General requirements
– Design of low complexity subsystems to categories: ISO 13849-1 and 2, Safety of machinery – Safety related parts of control systems (SRPCS) – Part 1: General principles for design and Part 2: Validation
– Design of complex subsystems to SILs: IEC 61508, Functional safety of electrical, electronic and programmable electronic safety-related systems
– Non-electrical SRPCS (mechanical, pneumatic, etc.)
– Electrical SRPCS: IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
– Key: electrical safety aspects; functional safety aspects
Figure 1 – Relationship of IEC 62061 to other relevant standards
Information on the recommended application of IEC 62061 and ISO 13849-1 (under revision)
IEC 62061 and ISO 13849-1 (under revision) specify requirements for the design and
implementation of safety-related control systems of machinery. The use of either of these
standards, in accordance with their scopes, can be presumed to fulfil the relevant essential
safety requirements. Table 1 summarises the scopes of IEC 62061 and ISO 13849-1(under
revision). IEC/TR 62061-1 provides guidance on the application of IEC 62061 and ISO 13849-
1 in the design of safety-related control systems for machinery.
NOTE ISO 13849-1 is currently under preparation by ISO TC 199 and CEN TC 114.

Table 1 – Recommended application of IEC 62061 and ISO 13849-1 (under revision)
Technology implementing the safety-related control function(s) | ISO 13849-1 (under revision) | IEC 62061
A  Non electrical, e.g. hydraulics | X | Not covered
B  Electromechanical, e.g. relays, or non complex electronics | Restricted to designated architectures (see Note 1) and up to PL=e | All architectures and up to SIL 3
C  Complex electronics, e.g. programmable | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
D  A combined with B | Restricted to designated architectures (see Note 1) and up to PL=e | X see Note 3
E  C combined with B | Restricted to designated architectures (see Note 1) and up to PL=d | All architectures and up to SIL 3
F  C combined with A, or C combined with A and B | X see Note 2 | X see Note 3
“X” indicates that this item is dealt with by the standard shown in the column heading.
NOTE 1 Designated architectures are defined in Annex B of EN ISO 13849-1(rev.) to give a simplified approach for
quantification of performance level.
NOTE 2 For complex electronics: Use of designated architectures according to EN ISO 13849-1(rev.) up to PL=d or
any architecture according to IEC 62061.
NOTE 3 For non-electrical technology use parts according to EN ISO 13849-1(rev.) as subsystems.

SAFETY OF MACHINERY –
FUNCTIONAL SAFETY OF SAFETY-RELATED ELECTRICAL,
ELECTRONIC AND PROGRAMMABLE ELECTRONIC
CONTROL SYSTEMS
1 Scope
This International Standard specifies requirements and makes recommendations for the
design, integration and validation of safety-related electrical, electronic and programmable
electronic control systems (SRECS) for machines (see Notes 1 and 2). It is applicable to
control systems used, either singly or in combination, to carry out safety-related control
functions on machines that are not portable by hand while working, including a group of
machines working together in a co-ordinated manner.
NOTE 1 In this standard, the term “electrical control systems” is used to stand for “Electrical, Electronic and
Programmable Electronic (E/E/PE) control systems” and “SRECS” is used to stand for “safety-related electrical,
electronic and programmable electronic control systems”.
NOTE 2 In this standard, it is presumed that the design of complex programmable electronic subsystems or
subsystem elements conforms to the relevant requirements of IEC 61508 and uses Route 1H (see
IEC 61508-2:2010, 7.4.4.2). It is considered that Route 2H (see IEC 61508-2:2010, 7.4.4.3) is not suitable for
general machinery. Therefore, this standard does not deal with Route 2H. This standard provides a methodology for
the use, rather than development, of such subsystems and subsystem elements as part of a SRECS.
This standard is an application standard and is not intended to limit or inhibit technological
advancement. It does not cover all the requirements (e.g. guarding, non-electrical interlocking
or non-electrical control) that are needed or required by other standards or regulations in
order to safeguard persons from hazards. Each type of machine has unique requirements to
be satisfied to provide adequate safety.
This standard:
– is concerned only with functional safety requirements intended to reduce the risk of injury
or damage to the health of persons in the immediate vicinity of the machine and those
directly involved in the use of the machine;
– is restricted to risks arising directly from the hazards of the machine itself or from a group
of machines working together in a co-ordinated manner;
NOTE 3 Requirements to mitigate risks arising from other hazards are provided in relevant sector standards.
For example, where a machine(s) is part of a process activity, the machine electrical control system functional
safety requirements should, in addition, satisfy other requirements (e.g. IEC 61511) insofar as safety of the
process is concerned.
– does not specify requirements for the performance of non-electrical (e.g. hydraulic,
pneumatic) control elements for machines;
NOTE 4 Although the requirements of this standard are specific to electrical control systems, the framework
and methodology specified can be applicable to safety-related parts of control systems employing other
technologies.
– does not cover electrical hazards arising from the electrical control equipment itself (e.g.
electric shock – see IEC 60204–1).
The objectives of specific Clauses in IEC 62061 are as given in Table 2.

Table 2 – Overview and objectives of IEC 62061
Clause | Objective
4: Management of functional safety | To specify the management and technical activities which are necessary for the achievement of the required functional safety of the SRECS.
5: Requirements for the specification of safety-related control functions | To set out the procedures to specify the requirements for safety-related control functions. These requirements are expressed in terms of functional requirements specification, and safety integrity requirements specification.
6: Design and integration of the safety-related electrical control system | To specify the selection criteria and/or the design and implementation methods of the SRECS to meet the functional safety requirements. This includes:
  – selection of the system architecture,
  – selection of the safety-related hardware and software,
  – design of hardware and software,
  – verification that the designed hardware and software meets the functional safety requirements.
7: Information for use of the machine | To specify requirements for the information for use of the SRECS, which has to be supplied with the machine. This includes:
  – provision of the user manual and procedures,
  – provision of the maintenance manual and procedures.
8: Validation of the safety-related electrical control system | To specify the requirements for the validation process to be applied to the SRECS. This includes inspection and testing of the SRECS to ensure that it achieves the requirements stated in the safety requirements specification.
9: Modification of the safety-related electrical control system | To specify the requirements for the modification procedure that has to be applied when modifying the SRECS. This includes:
  – modifications to any SRECS are properly planned and verified prior to making the change;
  – the safety requirements specification of the SRECS is satisfied after any modifications have taken place.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60204–1, Safety of machinery – Electrical equipment of machines – Part 1: General
requirements
IEC 61000-6-2, Electromagnetic compatibility (EMC) – Part 6-2: Generic standards –
Immunity for industrial environments
IEC 61310 (all parts), Safety of machinery – Indication, marking and actuation
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements

ISO 12100-1:2003, Safety of machinery – Basic concepts, general principles for design –
Part 1: Basic terminology, methodology
ISO 12100-2:2003, Safety of machinery – Basic concepts, general principles for design –
Part 2: Technical principles
ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and
risk reduction
ISO 13849-1:1999 2006, Safety of machinery – Safety-related parts of control systems – Part
1: General principles for design
ISO 13849-2:2003 2012, Safety of machinery – Safety-related parts of control systems –
Part 2: Validation
ISO 14121, Safety of machinery – Principles of risk assessment
3 Terms, definitions and abbreviations
3.1 Alphabetical list of definitions
Term | Definition number
application software 3.2.46
architectural constraint 3.2.36
architecture 3.2.35
common cause failure 3.2.43
complex component 3.2.8
control function 3.2.14
dangerous failure 3.2.40
demand 3.2.25
diagnostic coverage 3.2.38
electrical control system 3.2.3
embedded software 3.2.47
failure 3.2.39
fault 3.2.30
fault tolerance 3.2.31
full variability language (FVL) 3.2.48
function block 3.2.32
function block element 3.2.33
functional safety 3.2.9
hardware safety integrity 3.2.20
hazard (from machinery) 3.2.10
hazardous situation 3.2.11
high demand or continuous mode 3.2.27
limited variability language (LVL) 3.2.49

low complexity component 3.2.7
low demand mode 3.2.26
machine control system 3.2.2
machinery (machine) 3.2.1
mean time to failure (MTTF) 3.2.34
probability of dangerous failure per hour (PFHD) 3.2.28
proof test 3.2.37
protective measure 3.2.12
random hardware failure 3.2.44
risk 3.2.13
safe failure 3.2.41
safe failure fraction 3.2.42
safety function 3.2.15
safety integrity 3.2.19
safety integrity level (SIL) 3.2.23
safety-related control function (SRCF) 3.2.16
safety-related electrical control system (SRECS) 3.2.4
safety-related software 3.2.50
SIL claim limit 3.2.24
software safety integrity 3.2.21
SRECS diagnostic function 3.2.17
SRECS fault reaction function 3.2.18
subsystem 3.2.5
subsystem element 3.2.6
systematic failure 3.2.45
systematic safety integrity 3.2.22
target failure value 3.2.29
validation 3.2.52
verification 3.2.51
3.2 Terms and definitions
For the purposes of this standard, the following terms and definitions apply.
3.2.1
machinery
assembly of linked parts or components, at least one of which moves, with the appropriate
machine actuators, control and power circuits, joined together for a specific application, in
particular for the processing, treatment, moving or packaging of a material.
The terms “machinery” and “machine” also cover an assembly of machines which, in order to
achieve the same end, are arranged and controlled so that they function as an integral whole.
[ISO 12100-1:2003 12100:2010, 3.1]
3.2.2
machine control system
system which responds to an input from, for example, the process, other machine elements,
an operator, external control equipment, and generates an output(s) causing the machine to
behave in the intended manner
3.2.3
electrical control system
all the electrical, electronic and programmable electronic parts of the machine control system
used to provide, for example, operational control, monitoring, interlocking, communications,
protection and safety-related control functions
NOTE Safety-related control functions can be performed by an electrical control system that is either integral to or
independent of those parts of a machine’s control system that perform non-safety-related functions.
3.2.4
Safety-Related Electrical Control System
SRECS
electrical control system of a machine whose failure can result in an immediate increase of
the risk(s)
NOTE A SRECS includes all parts of an electrical control system whose failure may result in a reduction or loss of
functional safety and this can comprise both electrical power circuits and control circuits.
3.2.5
subsystem
entity of the top-level architectural design of the SRECS where a dangerous failure of any
subsystem will result in a dangerous failure of a safety-related control function
[IEC 61508-4:2010, 3.2.7]
NOTE 1 A complete subsystem can be made up from a number of identifiable and separate subsystem elements,
which when put together implement the function blocks allocated to the subsystem.
NOTE 2 This definition is a limitation of the general definition of IEC 61508-4: “set of elements which interact
according to a design, where an element of a system can be another system, called a subsystem, which may
include hardware, software and human interaction”.
NOTE 3 2 This differs from common language where “subsystem” may mean any sub-divided part of an entity, the
term “subsystem” is used in this standard within a strongly defined hierarchy of terminology: “subsystem” is the first
level subdivision of a system. The parts resulting from further subdivision of a subsystem are called “subsystem
elements”.
3.2.6
subsystem element
part of a subsystem, comprising a single component or any group of components

3.2.7
low complexity component
component in which
– the failure modes are well-defined; and
– the behaviour under fault conditions can be completely defined
[IEC 61508-4:2010, 3.4.4 3.4.3 modified]
NOTE 1 Behaviour of the low complexity component under fault conditions may be determined by analytical
and/or test methods.
NOTE 2 A subsystem or subsystem element comprising one or more limit switches, operating, possibly via
interposing electro-mechanical relays, one or more contactors to de-energise an electric motor is an example of a
low complexity component.
3.2.8
complex component
component in which
– the failure modes are not well-defined; or
– the behaviour under fault conditions cannot be completely defined
3.2.9
functional safety
part of the safety of the machine and the machine control system which depends on the
correct functioning of the SRECS, other technology safety-related systems and external risk
reduction facilities
[IEC 61508-4:2010, 3.1.9 3.1.12 modified]
NOTE 1 This standard only considers the functional safety that depends on the correct functioning of the SRECS
in machinery applications.
NOTE 2 ISO/IEC Guide 51 defines safety as freedom from unacceptable risk.
3.2.10
hazard (from machinery)
potential source of physical injury or damage to health
[ISO 12100-1: 2003 12100:2010, 3.6 modified]
NOTE The term hazard can be qualified in order to define its origin or the nature of
...
