PD IEC TS 63394:2023 Safety of machinery. Guidelines on functional safety of safety-related control system, 2023
- CONTENTS
- FOREWORD
- INTRODUCTION
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- 3.1 Terms and definitions
- 3.2 Alphabetical list of terms, definitions and abbreviated terms
- Tables
- Table 1 – Terms used in this document
- 4 Typical classification of safety functions in safety of machinery
- 4.1 General
- 4.1.1 Overview
- 4.1.2 Risk assessment and risk reduction according to ISO 12100
- 4.1.3 Risk reduction and interconnection to SCS and SRP/CS
- 4.1.4 Basic assumptions for risk reduction in machinery
- Figures
- Figure 1 – Integration within the risk reduction process of ISO 12100
- 4.3 Safety functions
- 4.3.1 General
- 4.3.2 Risk reduction process by safety functions
- Figure 2 – Decomposition of an SCS or SRP/CS
- 4.3.3 Typical classification of safety functions
- Figure 3 – Risk reduction process by safety functions
- 4.4 Interrelation between ISO 12100 and IEC 62061 or ISO 13849-1
- 4.4.1 General
- 4.4.2 Input information in accordance with IEC 62061 or ISO 13849-1
- 4.4.3 Output information from IEC 62061 or ISO 13849-1
- Table 2 – Input information for the safety requirements specification (SRS)
- Table 3 – Output information from SCS or SRP/CS design on overall risk assessment
- 4.5 Safety functions for protection of persons
- 4.5.1 General
- 4.5.2 Safety functions for protection of persons based on guards and protective devices
- Table 4 – Safety functions for protection of persons
- 4.6 Other safety functions to prevent hazardous situations
- 4.6.1 General
- 4.6.2 Other safety functions
- Table 5 – Other safety functions
- 4.7 Safety functions for protection of the integrity of the machine
- 4.7.1 General
- 4.7.2 Safety functions for the protection of integrity of the machine
- 4.8 Safety functions and Type-C standards
- Table 6 – Safety functions for the protection of integrity of the machine
- 5 Demand mode of operation related to safety functions
- 5.1 General
- 5.2 High demand or continuous mode of operation
- 5.2.1 General
- 5.2.2 Approach of IEC 62061 and ISO 13849-1
- 5.2.3 Rarely activated safety functions
- Figure 4 – High demand mode of operation
- 5.3 Low demand mode of operation
- 5.3.1 General
- Figure 5 – Process for determining high demand mode of operation
- 5.3.2 Approach of IEC 62061 and ISO 13849-1
- 6 Design process of safety functions
- 6.1 General
- 6.2 Design procedure
- Figure 6 – Low demand mode of operation
- 6.3 Evaluation of required safety integrity
- 6.4 Decomposition of a safety function
- 6.5 Subsystem design
- 6.5.1 Architectural constraints
- Table 7 – Architectural constraints for high demand mode of operation
- 6.5.2 Fault accumulation and undetected faults
- 6.5.3 Evaluation of PFH
- 6.6 Examples of safety functions
- 7 Verification procedures for safety functions
- 7.1 General
- 7.2 Verification of the test interval of a safety function
- 7.3 Verification procedures
- 7.4 Initial verification
- 7.5 Periodic verification
- 7.5.1 General
- 7.5.2 Frequency of periodic verification
- 7.6 Verification reporting
- Annex A (informative) Risk assessment and risk reduction according to ISO 12100
- A.1 General
- A.2 Risk assessment principles
- A.2.1 General
- A.2.2 Basic information to be available (as input to risk assessment)
- A.2.3 Risk analysis
- Table A.1 – Basic information for risk assessment according to ISO 12100
- Table A.2 – Determination of limits of machinery according to ISO 12100
- Table A.3 – Principles of hazard identification according to ISO 12100
- Table A.4 – Risk estimation according to ISO 12100
- Table A.5 – Additional considered aspects during risk estimation according to ISO 12100
- A.3 Risk reduction by means of safeguarding and complementary protective measures
- A.3.1 General
- A.3.2 Inherently safe design measures
- A.3.3 Selection of safeguarding and complementary protective measures
- A.4 Other protective measures (procedure based)
- A.4.1 General
- A.4.2 Procedures for maintenance
- A.4.3 Organizational work procedures
- A.5 Guards and protective devices according to ISO 12100
- A.5.1 General
- A.5.2 Interlocking guard with a start function, with manual reset function
- Table A.6 – Guards according to ISO 12100
- A.5.3 Protective device according to ISO 12100
- A.5.4 Manual local control device (and procedure)
- Table A.7 – Examples of protective devices according to ISO 12100
- A.5.5 Manual parameter selection device (and procedure)
- A.5.6 Manual operating mode selection device (and procedure)
- A.5.7 Energy control device (and procedure)
- A.6 Matrix assignment approach
- A.6.1 Overview
- A.6.2 General
- A.6.3 Methodology of IEC 62061:2021, Annex A
- A.7 Risk graph approach
- A.7.1 General
- A.7.2 Methodology of ISO 13849-1:2015, Annex A with assigned SIL
- Figure A.1 – SIL assignment approach
- Figure A.2 – Risk graph approach of ISO 13849-1:2015, Figure A.1 with assigned SIL
- Annex B (informative) Methodology of SCS or SRP/CS design
- B.1 General
- B.2 Functional safety plan
- Table B.1 – Overview functional safety plan
- B.3 Safety requirements specification
- B.3.1 General
- B.3.2 Functional requirements
- B.3.3 Safety integrity requirements
- Table B.2 – Overview of basic functional requirements
- B.4 Protection against unexpected start-up
- B.5 Decomposition of the safety function
- B.5.1 General
- B.5.2 Subsystem architecture based on top-down decomposition
- B.6 Design of the SCS by using subsystems
- Table B.3 – SIL and limits of PFH values
- B.7 Requirements for systematic safety integrity
- B.7.1 General
- B.7.2 SCS level
- Figure B.1 – Example of decomposition of a safety function
- Table B.4 – Avoidance of systematic failures (SCS or SRP/CS level)
- Table B.5 – Control of systematic failures (SCS or SRP/CS level)
- B.7.3 Subsystem level
- Table B.6 – Avoidance of systematic failures (subsystem level)
- B.8 Electromagnetic immunity
- B.9 Software-based manual parameterization
- Table B.7 – Control of systematic failures (subsystem level)
- Table B.8 – Software-based manual parameterization
- B.10 Security aspects
- B.11 Aspects of testing
- Figure B.2 – Possible effects of security risk(s) to a SCS (IEC TR 63074:2019, Figure 2)
- B.12 Design and development of a subsystem
- B.12.1 General
- B.12.2 Subsystem architecture design
- B.12.3 Fault consideration and fault exclusion
- B.12.4 Architectural constraints of a subsystem
- Figure B.3 – Rarely activated safety functions and mode of operation of subsystems
- Table B.9 – Cause and effects of rarely activated safety functions
- Table B.10 – Architectural constraints and basic requirements on a subsystem
- B.12.5 Subsystem design architectures
- B.12.6 PFH value of subsystems
- B.13 Validation
- Table B.11 – Overview of validation process with required information
- B.14 Documentation
- Table B.12 – Technical documentation based on the design process (Table 9 of IEC 62061:2021, modified)
- Table B.13 – Overview of documentation
- Annex C (informative) Examples of MTTFD values for single components
- Table C.1 – MTTFD or B10D values for components (derived from ISO 13849-1:2015)
- Table C.2 – Relationship of λD, MTTFD and B10D
- Annex D (informative) Examples for diagnostic coverage (DC)
- D.1 General
- D.2 Influence of cabling, wiring and interconnections
- D.2.1 General
- D.2.2 "Serial wiring"
- Table D.1 – Measures to prevent short circuit
- D.3 Use of manufacturing process information
- D.3.1 General
- D.3.2 Use of expected timing or awaiting of signal status
- D.4 Typical DC measures
- Table D.2 – DC values and recommended measures
- Annex E (informative) Measures for the achievement of functional safety with regards to electromagnetic phenomena
- E.1 General
- E.2 Measures
- E.2.1 General
- E.2.2 Recommendation for electrical/electronic items of equipment (devices or apparatus)
- E.2.3 Recommendation for the integration of an SCS or SRP/CS into the electrical equipment of the machine
- Table E.1 – Non-exhaustive list of recommendations regarding EMI measures for integration of devices or equipment into the electrical equipment of the machine
- Annex F (informative) Guidelines for software
- F.1 General
- F.2 Documentation
- Table F.1 – Documents for SW level 1 and SW level 2
- Table F.2 – Coding guidelines
- F.3 Activities
- Table F.3 – Overview of protocols
- Table F.4 – SW level 1 – Overview of basic activities
- Table F.5 – SW level 2 – Overview of basic activities (1/2)
- Table F.5 – SW level 2 – Overview of basic activities (1/2) (continued)
- Table F.6 – SW level 2 – Overview of basic activities (2/2)
- Annex G (informative) Examples of safety functions
- G.1 General
- G.2 Safety functions
- G.2.1 Basic information
- Table G.1 – Examples of safety functions and associated safety-related devices
- G.2.2 Detailed description of safety requirements
- Table G.2 – Basic information related to the safety requirements specification
- G.2.3 Example of interlocking guard
- Table G.3 – Example of safety-related parameters for a safety function with required SIL 1
- Table G.4 – Example of safety-related parameters for a safety function with required SIL 3
- Annex H (informative) Evaluation of PFH value of a subsystem
- H.1 General
- H.2 Table allocation approach (IEC 62061)
- H.3 Simplified formulas for the estimation of PFH value (IEC 62061)
- H.4 Approaches of IEC 61508, IEC 62061 and ISO 13849-1
- H.4.1 General
- H.4.2 Approach of IEC 61508
- H.4.3 Approach of IEC 62061
- H.4.4 Approach of ISO 13849-1:2015, Annex K
- H.5 Basic considerations regarding exponential and Weibull distributions
- H.5.1 Exponential distribution
- H.5.2 Weibull distribution
- H.6 T10 and B10
- H.6.1 General
- H.6.2 T10 with exponential distribution
- H.6.3 T10 with Weibull distribution
- Figure H.1 – Cumulative distribution functions (CDF)
- H.7 Overview of PFH formulas
- H.7.1 Definitions
- H.7.2 Formulas
- Table H.1 – Formulas for basic subsystem architecture A (1oo1)
- Table H.2 – Formulas for basic subsystem architecture C (1oo1D)
- Table H.3 – Formulas for basic subsystem architecture B (1oo2)
- H.7.3 Examples
- Table H.4 – Formulas for basic subsystem architecture D (1oo2D)
- Table H.5 – Examples of PFH values based on B10D
- H.8 Methodology for the estimation of CCF
- Table H.6 – Examples of PFH values based on T10D and B10D
- H.9 Basic subsystem architecture A (1oo1)
- H.9.1 General
- Figure H.2 – Common cause failure
- Figure H.3 – Basic subsystem architecture A (1oo1) reliability block diagram
- Figure H.4 – Unavailability function of basic subsystem architecture A (1oo1)
- H.9.2 PFH
- H.9.3 Simplified Weibull approach
- Figure H.5 – 1oo1 reliability block diagram, simplified Weibull approach
- H.10 Basic subsystem architecture C (1oo1D)
- H.10.1 General
- H.10.2 Fault reaction performed by another subsystem
- Figure H.6 – Basic subsystem architecture C (1oo1D) logical view with safe state initiation using another subsystem
- Figure H.7 – Basic subsystem architecture C (1oo1D) reliability block diagram with safe state initiation using another subsystem
- H.10.3 Fault reaction to be considered in the subsystem
- Figure H.8 – Unavailability functions of basic subsystem architecture C (1oo1D)
- Figure H.9 – Basic subsystem architecture C (1oo1D) logical view with fault reaction
- Figure H.10 – Basic subsystem architecture C (1oo1D) reliability block diagram with fault reaction
- Figure H.11 – Unavailability functions of basic subsystem architecture C (1oo1D)
- H.10.4 PFH
- H.10.5 Influence of CCF
- H.11 Basic subsystem architecture B (1oo2)
- H.11.1 General
- Figure H.12 – Basic subsystem architecture B (1oo2) reliability block diagram
- Figure H.13 – Unavailability functions of basic subsystem architecture B (1oo2)
- H.11.2 PFH
- H.11.3 Influence of CCF
- H.12 Basic subsystem architecture D (1oo2D)
- H.12.1 General
- Figure H.14 – Basic subsystem architecture D (1oo2D) reliability block diagram
- Figure H.15 – Unavailability functions of basic subsystem architecture D (1oo2D)
- H.12.2 PFH evaluation of Term A
- H.12.3 PFH evaluation of Term B
- H.12.4 PFH evaluation of Term C and Term D
- H.12.5 PFH
- H.12.6 Influence of CCF
- H.13 Basic subsystem architecture D (1oo2D) with two periods of time consideration
- H.13.1 General
- H.13.2 PFH evaluation of Term A
- H.13.3 PFH evaluation of Term B
- H.13.4 PFH evaluation of Term C and Term D
- H.13.5 PFH
- H.13.6 Influence of CCF
- Annex I (informative) Commented examples of current regulations
- I.1 General
- I.2 European Union
- I.2.1 General European legislation
- I.2.2 New proposed machinery regulation (under preparation)
- I.2.3 Relevant legislation
- I.2.4 Duties of the manufacturer of the machine
- I.3 North America – USA
- I.4 North America – Canada
- I.5 South America – Brazil
- I.6 China
- I.7 Japan
- Annex J (informative) Combination of modes of operation
- J.1 General
- J.2 Basic approaches with different modes of operation
- J.2.1 General
- Figure J.1 – Basic approach in high demand or continuous mode of operation based on IEC 61508 (and IEC 62061)
- J.2.2 Risk reduction measures on low demand mode of operation
- Figure J.2 – Basic approach in low demand mode of operation based on IEC 61508 (and IEC 61511)
- J.3 Use of subsystems in different modes of operation
- J.3.1 General
- J.3.2 Example with different modes of operation
- Figure J.3 – Functional view
- Figure J.4 – Logical view
- J.3.3 Subsystem(s) used for different modes of operation
- Figure J.5 – Decomposition view
- Figure J.6 – Quantitative SIL evaluation using the approach of ratio of probability of failures of each subsystem
- Figure J.7 – Example of quantitative SIL evaluation using the approach of ratio of probability of failures of each subsystem
- Table J.1 – PFDavg max and PFHmax for respective target SIL
- Bibliography