Last edit: 29/06/2023
IEC TS 63394 is not an International Standard like IEC 62061 or ISO 13849-1 but a Technical Specification.
IEC TS 63394:2023 – Safety of machinery – Guidelines on functional safety of safety-related control system
It was published, as a first edition, in February 2023.
In the context of Machinery Safety, the sector standard IEC 62061 as well as ISO 13849-1 provide requirements to manufacturers of machines for the design, development and integration of safety-related control systems (SCS) or safety-related parts of control systems (SRP/CS), depending on the technology used (mechanical, pneumatic, hydraulic or electrical technologies) to perform safety function(s).
This document gives additional guidance for the application of IEC 62061 or ISO 13849-1:
- It gives guidelines and specifies additional requirements for specific safety functions based on the methodology of ISO 12100, which are relevant in machinery and respecting typical boundary conditions of machinery;
- It considers safety functions which are designed for high demand mode of operation yet are rarely operated, called rarely activated safety functions;
- It gives additional information for the calculation of failure rates using other (non-electronic) technologies based e.g. on Weibull distribution. Instead, all formulas in IEC 62061 and ISO 13849-1 are based on exponential distribution.
This document does not address low demand mode of operation according to IEC 61508, even if in Annex J it shows how to approach “mixed” High and Low demand Safety systems. That is a typical situation in Machinery like for Furnaces and Process Reactors.
This document does not take into account neither the layer of protection analysis (LOPA) nor basic process control system (BPCS), according to IEC 61511 as a risk reduction measure. This document considers all lifecycle phases of the machine regarding functional safety, and SCS or SRP/CS
Rarely activated safety functions
When a manufacturer design a safety function, he normally assumes a high demand mode of operation. However, it can occur that the assumed demand of a safety function is not performed during a one year period. This may occur when the machine manufacturer is presuming the average demand rate to ensure the safety integrity as a kind of worst-case consideration when determining the required safety integrity. Those safety functions which are designed for high demand mode of operation but which sometimes might not be demanded during one year are called "rarely activated safety functions".
Rarely activated safety functions are designed, implemented and integrated as safety functions in high demand mode of operation, however, since they are triggered less than once in a year, but anyway more that once every 2 years, measures against fault accumulation and undetected faults must be designed. Periodic verification is necessary to ensure the safety integrity of these Safety Function.
The figure hereafter indicates the process for determining if a Safety System is operating in low demand, in high demand or in high demand but it is a rarely activated safety function.
This Technical Specification give indication how to treat those Safety System still in high demand mode of operation, despite the fact, according to IEC 61508 -2, they should be classified as Low demand mode safety system.
Architectural constraints
Safety functions will be performed by SCS or SRP/CS which is decomposed into subsystems.
As the diagnostic test interval is linked to the demand rate, some diagnostics are only possible when the safety function is demanded. Based on accumulation of faults the architectural constraints should be evaluated depending on the mode of operation. In high demand mode of operation, the following Table is a good overview how ISO 13849-1 and IEC 62061 analyse safety subsystems.
The Table compares the Architectural Constraints of IEC 62061 with the limitations given by ISO 13849-1 and it is therefore applicable to all Safety Systems in high demand mode.
You can notice that there is no SIL equivalence to PL a or PL b. According to ISO 13849-1, it is possible to have a single channel safety system that does not use well-tried components: it is enough to use Category B subsystems with reliability levels equal to PL a or PL b. Using IEC 62061 that is not possible, since a Basic Subsystem Architecture A (1oo1) can be done only using well-tried components.
Annex J: Combination of modes of Operation
The Annex describes the situations that we find in machineries that have processes inside. It is the case of an Industrial Furnace. The following safety functions are considered:
- Safety function for “low pressure monitoring” in high demand mode of operation where two low pressure switches, installed on a gas train, trigger the closure of two on/off gas valves, installed on the same gas train itself;
- Safety instrumented function (SIF) for “high temperature monitoring” in low demand mode of operation where two thermocouples detecting a critical temperature value, designed in low demand mode of operation, trigger the same two on/off gas valves triggered by the low pressure switches working in high demand.
As you can understand, there are 2 input subsystems, one in high and one in low demand of operation and one output subsystem working in high demand. It is what we call a “mixed safety system”. The required SIL for the safety instrumented function (SIF) in low demand mode of operation and the safety function in high demand mode of operation is supposed to be SIL 2.
The reliability block diagram is shown in the following drawing.
The low demand safety instrumented subfunction is analysed using IEC 61511-1 standard, however only components certified with Route 1H can be used.
The pressure switch input subsystem, the logic and the two solenoid valves output subsystem is analysed using either IEC 62061 or ISO 13849-1. You find the full methodology in Annex J.