ISO 13849-1 Part-Clause | Information to be provided | IEC 61508 document | STM32F2 Series
App. J, tab. J.1 (SW) | Test sheets | Software module test report; Software system integration test report; integration tests report; SW verification report | Programmable electronic hardware and software (End user responsibility because in charge of implementing software-based diagnostics)

A.2 IEC 62061:2005/AMD1:2012
This standard applies to the specification, design and verification or validation of Safety-Related Electrical Control Systems (SRECS) of machines. An SRECS is the electrical, electronic or programmable electronic control system of a machine whose failure could lead to a reduction or loss of safety. An SRECS implements a Safety-Related Control Function (SRCF) to prevent any increase in risk.
With respect to the safety lifecycle, the scope of this standard is limited to the phases from safety requirements allocation to safety validation.
IEC 62061 is the sector standard for the machinery domain within the framework of the more generic IEC 61508:2010. Since it is an application standard, IEC 62061 is not prescriptive about technical solutions; moreover, it is focused on the electrical, electronic and programmable electronic parts of safety-related control systems.
Note that §3.2.26 and §3.2.27 of IEC 62061 apply only to SRECS operating in high demand (HD) or continuous mode (CM), the modes of operation typical of the machinery domain. Low demand (LD) equipment remains governed by the IEC 61508 requirements.
The close relationship with IEC 61508:2010 is expressed by the main assumption that the design of complex electronic components used as subsystems, or as elements of subsystems, must comply with the requirements of IEC 61508:2010 Part 2, Route 1H (refer to §7.4.4.2). Under the IEC 62061 definition in §3.2.8, a microprocessor is inherently a complex component.
For this reason, the results reported in this Safety Manual for the STM32F2 Series item (refer to Section 4 Safety results), obtained in the scope of IEC 61508, remain applicable in the machinery context ruled by IEC 62061. End users can therefore adopt the STM32F2 Series compliant item to design SRECS for machine control loops achieving SIL2 with a single device, or SIL3 by adopting two STM32F2 Series MCUs.
The standard defines a "subsystem" (refer to §3.2.5) as the level of the system architecture at which a dangerous failure could lead to the loss of the safety function.
Concerning the integrity levels achievable for subsystems, the standard suggests a classification based on hardware fault tolerance (HFT) and safe failure fraction (SFF), as shown in Table 121.
SIL 3 is the highest requirement for an SRCF in this context. SIL 4 is out of scope, since the final outcome of the development is a control system for a single machine only.
For the designer, the SIL values listed in the table must be read as the SILCL of the subsystem, where SILCL (SIL claim limit) is the maximum SIL claimable for an SRECS subsystem, as defined in IEC 62061 §3.2.24.
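The following worked example is added here and is not code from UM1845 or from ST. It computes the SFF of an SRECS subsystem from a failure-rate budget and reads the SILCL from Table 121 for a single-MCU (HFT 0) and a dual-MCU (HFT 1) arrangement, which is the single-device SIL2 versus two-device SIL3 claim made above. Assumptions: the SFF formula is the IEC 61508-2 Annex C definition, SFF = (Σλ_S + Σλ_DD) / (Σλ_S + Σλ_DD + Σλ_DU); the FIT values are constructed for illustration and are not STM32F2 Series figures; counting two MCUs as HFT 1 assumes the two channels are arranged so that one fault cannot defeat the SRCF; all function and class names are the example's own.

```python
# Added worked example (not code from UM1845 or from ST): derive the safe
# failure fraction (SFF) of an SRECS subsystem from a constructed failure-rate
# budget and read its SIL claim limit (SILCL) from Table 121 for a given
# hardware fault tolerance (HFT). SFF formula per IEC 61508-2 Annex C; the
# FIT values below are illustrative, not STM32F2 Series data.
from dataclasses import dataclass
from typing import Optional

# Table 121 (IEC 62061 Table 5): SFF band -> SILCL for HFT = 0, 1, 2.
# None encodes "Not allowed".
SIL_TABLE = {
    "<60%":     (None, 1, 2),
    "60%-<90%": (1, 2, 3),
    "90%-<99%": (2, 3, 3),
    ">=99%":    (3, 3, 3),
}
MAX_SIL_IEC62061 = 3  # SIL 4 is out of scope for machinery SRCFs


@dataclass(frozen=True)
class FailureBudget:
    """Failure rates of one subsystem in FIT (failures per 1e9 h).
    lambda_s: safe failures; lambda_dd: dangerous failures detected by
    diagnostics; lambda_du: dangerous undetected failures."""
    lambda_s: float
    lambda_dd: float
    lambda_du: float

    def sff(self) -> float:
        # IEC 61508-2 Annex C: SFF = (sum lambda_S + sum lambda_DD) / sum lambda
        if min(self.lambda_s, self.lambda_dd, self.lambda_du) < 0:
            raise ValueError("failure rates must be non-negative")
        total = self.lambda_s + self.lambda_dd + self.lambda_du
        if total <= 0:
            raise ValueError("failure budget must not be all zero")
        return (self.lambda_s + self.lambda_dd) / total


def sff_band(sff: float) -> str:
    """Map an SFF value onto the row of Table 121 it falls in."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must lie in [0, 1]")
    if sff < 0.60:
        return "<60%"
    if sff < 0.90:
        return "60%-<90%"
    if sff < 0.99:
        return "90%-<99%"
    return ">=99%"


def silcl(budget: FailureBudget, hft: int) -> Optional[int]:
    """SILCL of a subsystem, or None where Table 121 says 'Not allowed'.
    HFT > 2 earns no extra credit in the table, so it is clamped to 2."""
    if hft < 0:
        raise ValueError("HFT cannot be negative")
    return SIL_TABLE[sff_band(budget.sff())][min(hft, 2)]


def can_claim(budget: FailureBudget, hft: int, target_sil: int) -> bool:
    """Architectural check only: Table 121 bounds the claim; the PFHd target
    of the SRCF still has to be met separately."""
    if not 1 <= target_sil <= MAX_SIL_IEC62061:
        raise ValueError("IEC 62061 covers SIL1..SIL3 only")
    limit = silcl(budget, hft)
    return limit is not None and limit >= target_sil


# Constructed budgets (illustrative FIT values, not measured STM32F2 figures):
# the same MCU-based subsystem with and without the software diagnostics that
# the end user is responsible for implementing.
WITH_DIAGNOSTICS = FailureBudget(lambda_s=50, lambda_dd=42, lambda_du=8)     # SFF 0.92
WITHOUT_DIAGNOSTICS = FailureBudget(lambda_s=50, lambda_dd=0, lambda_du=50)  # SFF 0.50


def architecture_summary(budget: FailureBudget) -> dict:
    """SILCL for a single-MCU (HFT 0) and a dual-MCU (HFT 1) subsystem.
    Assumes the dual-MCU channel arrangement genuinely tolerates one fault."""
    return {
        "sff": round(budget.sff(), 4),
        "single_mcu_hft0": silcl(budget, 0),
        "dual_mcu_hft1": silcl(budget, 1),
    }


if __name__ == "__main__":
    for name, budget in (("with diagnostics", WITH_DIAGNOSTICS),
                         ("without diagnostics", WITHOUT_DIAGNOSTICS)):
        print(name, architecture_summary(budget))
```

With the constructed budget the diagnostics lift the SFF into the 90%–<99% band, so a single MCU is limited to SILCL 2 and a dual-MCU channel reaches SILCL 3, while the same hardware without software diagnostics (SFF 50%) is "Not allowed" at HFT 0 and only SILCL 1 at HFT 1. This is the architectural constraint only; the SRCF must also meet its PFHd target, and HFT 1 is only earned when the second MCU is wired and monitored such that a single fault cannot defeat the function.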
Table 121. SIL classification versus HFT

SFF        | HFT = 0     | HFT = 1 | HFT = 2
<60%       | Not allowed | SIL1    | SIL2
60% - <90% | SIL1        | SIL2    | SIL3
90% - <99% | SIL2        | SIL3    | SIL3
≥99%       | SIL3        | SIL3    | SIL3

UM1845 - Rev 4