
DIFFERENCES BETWEEN EN 62061 AND EN ISO 13849-1

The purpose of this report is to highlight the common points and the differences between the standards:
EN 62061:2005 (April 2005): Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
and
EN ISO 13849-1 (November 2006): Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
Both standards are harmonized under machinery directive 98/37/EC.
EN 62061:2005 corresponds to the IEC 62061 (January 2005) standard, while EN ISO 13849-1:2006 corresponds to the ISO 13849-1 (November 2006) standard.
1. Definitions
Safety-Related Part of a Control System (SRP/CS): part of a control system that responds to safety-related input signals and generates safety-related output signals.
Category: classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability.
Electrical control system: all the electrical, electronic and programmable electronic parts of the machine control system used to provide, for example, operational control, monitoring, interlocking, communications, protection and safety-related control functions.
Safety-Related Electrical Control System (SRECS): electrical control system of a machine whose failure can result in an immediate increase of the risk(s).
Safety-Related Control Function (SRCF): control function implemented by a SRECS with a specified integrity level that is intended to maintain the safe condition of the machine or prevent an immediate increase of the risk(s).
Probability of dangerous Failure per Hour (PFHD): average probability of dangerous failure within 1 hour.
Fault: abnormal condition that may cause a reduction in, or loss of, the capability of a SRECS, a subsystem, or a subsystem element to perform a required function.
Failure: termination of the ability of a SRECS, a subsystem, or a subsystem element to perform a required function.

QUADRA S.R.L.
20040 CORNATE D'ADDA (MI) – VIA MAZZINI 32A
TEL. 0396060383 / 039 6060351 – FAX 0396887635
E-MAIL: QUADRA@QUADRASRL.NET
CERTIFIED E-MAIL (PEC): QUADRASRL@PEC.IT
WEBSITE: HTTP://WWW.QUADRASRL.NET
VAT NO. AND TAX CODE 02462380961
SHARE CAPITAL € 100.000,00 FULLY PAID UP
C.C.I.A.A. MILANO N. 1461945 - TRIB. MONZA N. 56463
Fault tolerance: ability of a SRECS, a subsystem, or subsystem element to continue to perform a required function in the presence of faults or failures.
Common Cause Failure (CCF): failures of different items, resulting from a single event, where these failures are not consequences of each other.
Performance Level (PL): discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions.
Required Performance Level (PLr): performance level (PL) applied in order to achieve the required risk reduction for each safety function.
Mean Time To Failure (MTTF): expectation of the mean time to failure.
Mean Time To dangerous Failure (MTTFd): expectation of the mean time to dangerous failure.
Diagnostic Coverage (DC): measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures.
Safety Integrity Level (SIL): discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest.
2. Why these standards?
The standard EN 954-1:1996 has been replaced because it lacked a probabilistic assessment of the performance of command and control systems for the safety of machinery.
The EN 62061:2005 and EN ISO 13849-1:2006 standards respond to this need by introducing concrete measures and benchmarks for evaluating the performance of devices in terms of reliability, diagnostic coverage and immunity to common cause failures in relation to a particular architecture of the control system.
3. Scopes
3.1. Scope of EN ISO 13849-1
The first part of EN ISO 13849 provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions.
It applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery. It does not specify the safety functions or performance levels that are to be used in a particular case.
The EN ISO 13849-1:2006 standard also provides specific requirements for SRP/CS using programmable electronic system(s).
It does not give specific requirements for the design of products which are parts of SRP/CS; nevertheless, the principles given, such as categories or performance levels, can be used.
3.2. Scope of EN 62061:2005
The EN 62061:2005 standard specifies requirements and makes recommendations for the design, integration and validation of safety-related electrical, electronic and programmable electronic control systems (SRECS) for machines. It is applicable to control systems used, either singly or in combination, to carry out safety-related control functions on machines that are not portable by hand while working, including a group of machines working together in a co-ordinated manner.
The EN 62061:2005 standard:
is concerned only with functional safety requirements intended to reduce the risk of injury or damage to the health of persons in the immediate vicinity of the machine and those directly involved in the use of the machine;
is restricted to risks arising directly from the hazards of the machine itself or from a group of machines working together in a co-ordinated manner;
does not specify requirements for the performance of non-electrical (e.g. hydraulic, pneumatic) control elements for machines;
does not cover electrical hazards arising from the electrical control equipment itself (e.g. electric shock, see EN 60204-1:2006).
EN 62061:2005 is the machine sector specific standard within the framework of the EN 61508 series of standards relating to functional safety of electrical / electronic / programmable electronic safety-related systems.
4. Comparison of scopes
Both standards specify requirements for the design and implementation of safety-related control systems of machinery. The use of either of these standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements.
Table 1 summarises the scopes of EN 62061:2005 and EN ISO 13849-1.
Table 1 — Scopes

5. Similar elements
Both standards introduce the use of supplementary data on the components included in the safety circuit, amongst others the mean time to dangerous failure (MTTFd), the diagnostic coverage (DC) and common cause failure measures (CCF). The manufacturers of safety control components must provide these data.
EN 62061:2005 analyses the safety circuit to determine the SIL necessary to reach the correct protection of the machinery.
EN ISO 13849-1:2006 uses the component information to determine the performance level (PL).
In both cases there is a correspondence between the performance levels or the safety integrity levels and the probability of dangerous failure per hour (see Table 2 and Table 3).

Table 2 — Relationship among safety integrity levels and probability of dangerous failure per hour

Table 3 — Relationship among performance levels and probability of dangerous failure per hour
From this consideration derives the possibility of moving from one characterization to the other (i.e. from SIL to PL and vice versa); Table 4 can be used to understand the correspondence between PL and SIL (SIL is used not only in the EN 62061:2005 standard but also in the EN 61508-1:2001 standard to which the table refers).

Table 4 — Relationship between PL and SIL


It is important to note that the correspondence is not complete; in fact for the low PL (PL a) there is no corresponding SIL.
SIL 4 is dedicated to catastrophic events possible in the process industry and this range is not relevant for risks at machines. Thus PL e, corresponding to SIL 3, is defined by the EN ISO 13849-1:2006 and EN 62061:2005 standards as the highest level; in fact the EN 62061:2005 standard does not consider SIL 4, as it is not relevant to the risk reduction requirements normally associated with machinery (requirements applicable to SIL 4 are defined in the EN 61508 series of standards).
In practice the EN ISO 13849-1:2006 standard covers the whole range of probability of dangerous failure per hour covered by EN 62061:2005 and extends it at the lower end.
Requirements for software design are not very different in the two standards; EN ISO 13849-1:2006 gives more details on the requirements for software design, and both standards refer to EN 61508-3:2001 for safety-related embedded software (only for safety-related embedded software with PLr equal to e in the EN ISO 13849-1:2006 standard).
6. Differences
The main difference between EN 62061:2005 and EN ISO 13849-1:2006 is that EN 62061:2005 cannot be applied to non-electrical control circuits (such as hydraulic or pneumatic circuits, see Table 1).
On the other hand, one restriction of EN ISO 13849-1:2006 is that when complex electronic and programmable technology is used, the maximum PL that can be considered is d (see Table 1).
EN 62061:2005 is applicable to all architectures and allows the designer to determine exactly what is needed and to tailor the design to the machinery. By contrast, EN ISO 13849-1:2006 provides a more direct and less complicated route for more conventional safety functionality implemented by conventional system architectures.

Figure 1 — Specification of system architecture of EN 62061:2005 standard

7. Examples
7.1. How to determine the required SIL
The EN 62061:2005 standard proposes a qualitative approach to risk estimation and SIL assignment that can be applied to SRCFs for machines.
For each specific hazard, the safety integrity requirements should be determined separately for the safety-related control function(s) to be performed by the SRECS.

Risk estimation should be carried out for each hazard by determining the risk parameters shown in Figure 2:
severity of harm (Se);
probability of occurrence of that harm, which is a function of:
frequency and duration of the exposure of persons to the hazard (Fr);
probability of occurrence of a hazardous event (Pr);
possibilities to avoid or limit the harm (Av).

Figure 2 — Parameters contributing to risk estimation


For every hazard it is necessary to determine the values of the parameters using the following tables (see Table 5, Table 6, Table 7 and Table 8).

Table 5 — Severity classification

Table 6 — Frequency classification

Table 7 — Probability of occurrence classification

Table 8 — Probability of avoiding harm classification


For each hazard and, as applicable, for each severity level, the points from the Fr, Pr and Av columns are added up and the sum is entered into the column Cl (see Table 9).

Table 9 — Parameters used to determine class of probability of harm (Cl)


Using Table 10, where the severity (Se) row crosses the relevant column (Cl), the intersection point indicates whether action is required:
the black area indicates the SIL assigned as the target for the SRCF;
the lighter shaded areas should be used as a recommendation that other measures (OM) be used.

Table 10 — SIL assignment matrix

For example, for a specific hazard with Se assigned as 3, Fr as 4, Pr as 5 and Av as 5 (Cl = Fr + Pr + Av = 4 + 5 + 5 = 14) the required SIL is 3, so it is necessary to construct an architecture of the SRECS with a PFHD between 10^-8 and 10^-7 (see Table 2).
Every subsystem of the architecture will contribute to determining the PFHD.
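
As an added worked example (Python written for this page, not taken from the report or the standard), the SIL assignment route of this section: Cl is summed from Fr, Pr and Av, binned into the Cl columns and looked up against Se. The parameter scales, Cl bands and matrix cells are recalled from EN 62061:2005 Annex A rather than read from the tables reproduced above, so check them against the standard; the PFH_D intervals are those of Table 2.

```python
from typing import Optional

# Parameter scales of the risk estimation tables (Tables 5 to 8 above), as recalled
# from EN 62061:2005 Annex A: Se 1..4, Fr 1..5, Pr 1..5, Av 1/3/5.
SE_VALUES, FR_VALUES = {1, 2, 3, 4}, {1, 2, 3, 4, 5}
PR_VALUES, AV_VALUES = {1, 2, 3, 4, 5}, {1, 3, 5}

# Columns of the SIL assignment matrix (Table 10): bands of Cl = Fr + Pr + Av.
CL_BANDS = ((3, 4), (5, 7), (8, 10), (11, 13), (14, 15))

# Table 10 as recalled from Annex A: row = Se, one entry per Cl band.
# "OM" = other measures recommended; None = empty cell (no SIL target from this matrix).
SIL_MATRIX = {
    4: ("SIL 2", "SIL 2", "SIL 2", "SIL 3", "SIL 3"),
    3: ("OM", "OM", "SIL 1", "SIL 2", "SIL 3"),
    2: (None, None, "OM", "SIL 1", "SIL 2"),
    1: (None, None, None, "OM", "SIL 1"),
}

# PFH_D intervals of Table 2, per hour (lower bound inclusive, upper bound exclusive).
PFHD_BANDS = {"SIL 1": (1e-6, 1e-5), "SIL 2": (1e-7, 1e-6), "SIL 3": (1e-8, 1e-7)}


def class_of_probability(fr: int, pr: int, av: int) -> int:
    """Cl = Fr + Pr + Av (Table 9); rejects values outside the Annex A scales."""
    if fr not in FR_VALUES or pr not in PR_VALUES or av not in AV_VALUES:
        raise ValueError("Fr, Pr or Av outside the EN 62061 scales")
    return fr + pr + av


def assign_sil(se: int, fr: int, pr: int, av: int) -> Optional[str]:
    """Table 10 lookup for one hazard: 'SIL n', 'OM' or None."""
    if se not in SE_VALUES:
        raise ValueError("Se outside 1..4")
    cl = class_of_probability(fr, pr, av)  # always within 3..15, so a band is found
    column = next(i for i, (lo, hi) in enumerate(CL_BANDS) if lo <= cl <= hi)
    return SIL_MATRIX[se][column]


def target_pfhd_band(se: int, fr: int, pr: int, av: int):
    """SIL target plus the PFH_D interval the SRECS has to achieve (None if no SIL)."""
    sil = assign_sil(se, fr, pr, av)
    return sil, PFHD_BANDS.get(sil)


if __name__ == "__main__":
    # The report's worked case: Se 3, Fr 4, Pr 5, Av 5 -> Cl 14 -> SIL 3.
    print(target_pfhd_band(3, 4, 5, 5))  # ('SIL 3', (1e-08, 1e-07))
```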
7.2. How to determine the achieved SIL
The achieved SIL of a SRECS can be determined as described in point 6.6.3 of the EN 62061:2005 standard.
Assuming that a failure of any function block will result in a failure of the SRCF, the probability of dangerous random hardware failure of the SRECS is the sum of the probabilities of dangerous random hardware failure of all subsystems involved in the performance of the SRCF and shall include, where appropriate, the probability of dangerous transmission errors for digital data communication processes (PTE):
PFHD = PFHD1 + ... + PFHDn + PTE
The determination of the achieved SIL must also take into consideration architectural constraints (see Table 11 and Table 12) and systematic safety integrity.

Table 11 — Architectural constraints on subsystems: maximum SIL that can be claimed for a SRCF using this subsystem

Table 12 — Architectural constraints: SILCL relating to categories
Safe failure fraction (SFF) is the fraction of the overall failure rate of a subsystem that does not result in a dangerous failure and can be calculated using the following equation:
SFF = (λS + λDD) / (λS + λD)
where:
λS is the rate of safe failure,
λS + λD is the overall failure rate,
λDD is the rate of dangerous failure which is detected by the diagnostic functions, and
λD is the rate of dangerous failure.
The diagnostic coverage (if any) of each subsystem in the SRECS is taken into account in the calculation of the probability of random hardware failures. The safe failure fraction is taken into account when determining the architectural constraints on hardware safety integrity.
It is then necessary to determine the probability of dangerous failure per hour (PFHDi) of every function block used in the realization of the SRECS.
Where a low complexity subsystem is designed according to EN ISO 13849-1:2006 and validated according to ISO 13849-2:2003 and also meets the requirements for architectural constraints and systematic safety integrity, the threshold values of probability of dangerous failure (PFHD) given in Table 13 can be used to estimate the hardware safety integrity.

Table 13 — Probability of dangerous failure
Point 6.7.8.2 of EN 62061:2005 proposes a simplified approach for the estimation of the probability of dangerous random hardware failures of subsystems, assuming that:
λ × T1 << 1
where T1 is the smaller of the proof test interval or the lifetime, the subsystem is operating in the "high demand or continuous mode", and
λ = λS + λD = 1/MTTF
The calculation is made on defined basic subsystem architectures (see, for example, Figure 3, which illustrates the logical architecture of subsystem B).

Figure 3 — Subsystem B logical representation
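
An added example (Python written for this page, not the report's or the standard's own text) that carries the 7.2 evaluation through using the formulas given above (λ = 1/MTTF, the SFF ratio and PFHD = PFHD1 + ... + PFHDn + PTE) and also maps the resulting PFHD onto a PL as discussed in section 5. The SIL and PL intervals (Tables 2 and 3), the SFF/fault-tolerance table (Table 11) and the two-channel formula for subsystem architecture B (Figure 3) are recalled from EN 62061:2005 and EN ISO 13849-1:2006 and should be checked against the standards; the sample subsystem values are constructed.

```python
from typing import Optional, Sequence

# PFH_D intervals per hour (lower bound inclusive, upper exclusive): Table 2 (SIL) and
# Table 3 (PL) of the report, as recalled from EN 62061:2005 / EN ISO 13849-1:2006.
SIL_BANDS = (("SIL 3", 1e-8, 1e-7), ("SIL 2", 1e-7, 1e-6), ("SIL 1", 1e-6, 1e-5))
PL_BANDS = (("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4))
# Table 11 as recalled from EN 62061:2005: minimum SFF -> SILCL for hardware fault
# tolerance 0, 1, 2 (None = no SIL may be claimed for that subsystem).
ARCH_CONSTRAINTS = ((0.99, (3, 3, 3)), (0.90, (2, 3, 3)),
                    (0.60, (1, 2, 3)), (0.00, (None, 1, 2)))

def band(pfhd: float, table) -> Optional[str]:
    """Map a PFH_D value onto its SIL (Table 2) or PL (Table 3) interval."""
    return next((name for name, lo, hi in table if lo <= pfhd < hi), None)

def sff(lambda_s: float, lambda_d: float, dc: float) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D), with lambda_DD = DC * lambda_D."""
    return (lambda_s + dc * lambda_d) / (lambda_s + lambda_d)

def silcl(sff_value: float, hft: int) -> Optional[int]:
    """Architectural constraint (Table 11): highest SIL claimable for one subsystem."""
    row = next(r for bound, r in ARCH_CONSTRAINTS if sff_value >= bound)
    return row[min(hft, 2)]

def pfhd_arch_a(mttf_d_h: float) -> float:
    """Single channel without diagnostics: PFH_D = lambda_D = 1 / MTTF_D (per hour)."""
    return 1.0 / mttf_d_h

def pfhd_arch_b(mttf_d1_h: float, mttf_d2_h: float, beta: float, t1_h: float) -> float:
    """Two channels without diagnostics (Figure 3), CCF factor beta, proof test interval T1.
    Formula recalled from 6.7.8.2; it only holds while lambda * T1 << 1, so that is checked."""
    l1, l2 = 1.0 / mttf_d1_h, 1.0 / mttf_d2_h
    if max(l1, l2) * t1_h >= 0.1:
        raise ValueError("lambda * T1 is not << 1: simplified estimate not applicable")
    return (1 - beta) ** 2 * l1 * l2 * t1_h + beta * (l1 + l2) / 2

def achieved_sil(pfhds: Sequence[float], silcls: Sequence[Optional[int]], pte: float = 0.0):
    """PFH_D = PFH_D1 + ... + PFH_Dn + PTE, then the SIL band capped by the lowest SILCL."""
    total = sum(pfhds) + pte
    by_pfhd = band(total, SIL_BANDS)
    if by_pfhd is None or any(c is None for c in silcls):
        return total, None  # outside SIL 1..3, or a subsystem fails its architectural constraint
    return total, f"SIL {min(int(by_pfhd[-1]), *silcls)}"

if __name__ == "__main__":
    # Constructed sample SRECS: dual-channel sensor (architecture B), safety PLC with a
    # manufacturer-declared PFH_D, single-channel contactor (architecture A), T1 = 20 years.
    sensor = pfhd_arch_b(4e6, 4e6, beta=0.05, t1_h=175_200)
    contactor_silcl = silcl(sff(1.9e-6, 1e-7, 0.0), hft=0)  # SFF 0.95, HFT 0 -> SILCL 2
    total, sil = achieved_sil([sensor, 1e-8, pfhd_arch_a(1e7)], [3, 3, contactor_silcl])
    print(f"PFH_D = {total:.2e} -> {sil}; PL equivalent {band(total, PL_BANDS)}")
```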

7.3. How to determine the required PLr


The required performance level for a specific safety function can be determined using the risk graph of EN ISO 13849-1:2006 (see Figure 4).
For example, the required performance level for an emergency stop command can be determined by assigning the following values to the parameters of the risk graph:
severity S2, as the potential injury to persons is severe;
frequency F1, as the emergency stop command is an additional protection measure that can be used in addition to the protection measures taken on the machine to stop it when its operation can be dangerous for people, and the frequency with which this condition can happen is very low;
possibility of avoiding the hazard P1, because the machine is intended to be used by experienced professional operators.
The performance level required (PLr) obtained is c.

Figure 4 — Risk graph for determining the required PLr for a safety function

7.4. How to determine the achieved PL


The EN ISO 13849-1:2006 standard proposes a simplified method to determine the achieved performance level when a safety function is performed using a circuit conforming to a designated architecture (see Figure 5, Figure 6 and Figure 7), corresponding to a safety category.
In the example illustrated above, the required performance level PLr c can be achieved with designated architectures having safety categories from 1 to 4 (see Figure 8); in order to achieve the required performance level, circuits must comply with the requirements of the chosen designated architecture and have the correct values of MTTFd and DCavg.

Figure 5 — Designated architecture corresponding to safety categories B and 1

Figure 6 — Designated architecture corresponding to safety category 2

Figure 7 — Designated architecture corresponding to safety categories 3 and 4

Figure 8 — Relationship between categories, DCavg, MTTFd and PL (bands shown for MTTFd low, medium and high)

8. Conclusions
The two standards considered have many similar elements and do not differ much in their conceptual approach; especially for software requirements there are many resemblances between the standards.

The EN ISO 13849-1:2006 standard appears better suited to defining the performance characteristics of machinery control circuits because:
it is applicable to all kinds of circuits and not only to electrical circuits; in any case, even when EN 62061:2005 is chosen for electrical circuits, EN ISO 13849-1:2006 should be used for other types of circuit (such as pneumatics);
it can be applied without problems to circuits that use electronic safety components and programmable logic performing safety functions;
it uses designated architectures corresponding to safety categories, allowing in this manner a smooth transition from the «old» EN 954-1:1996 standard, widely used for many years by machine manufacturers and producers of safety components;
practically all the control circuits used on machines can be traced back to a designated architecture, making it possible to determine the achieved PL in a simple manner.
The EN 62061:2005 standard appears instead better suited to the design of complex electronic circuits, and can therefore be used by manufacturers of this type of equipment.
This standard can also be used when the safety-related control circuits of machinery cannot be traced back to the designated architectures of EN ISO 13849-1:2006 (but, as said before, this case practically never arises).
