EN 50495 standard for safety devices in ATEX

From SAFEC European project to EN 50495 standard for safety devices in ATEX - links with IEC 61508

This article gives some explanations on the use of the EN 50495:2010 standard and on its link with another well-known functional safety standard: IEC 61508.

First of all, EN 50495 (February 2010), "Safety devices required for the safe functioning of equipment with respect to explosion risks", must be placed in its regulatory context: the ATEX 94/9/EC directive.


Chapter I of the ATEX 94/9/EC directive (Scope, placing on the market and freedom of movement) states:

Article 1

1. This Directive applies to equipment and protective systems intended for use in potentially explosive atmospheres.

2. Safety devices, controlling devices and regulating devices intended for use outside potentially explosive atmospheres but required for or contributing to the safe functioning of equipment and protective systems with respect to the risks of explosion are also covered by the scope of this Directive.

Annex II of the ATEX 94/9/EC directive also defines requirements for safety devices.

1.5. Requirements in respect of safety-related devices

1.5.1. Safety devices must function independently of any measurement or control devices required for operation.

As far as possible, failure of a safety device must be detected sufficiently rapidly by appropriate technical means to ensure that there is only very little likelihood that dangerous situations will occur.

For electrical circuits the fail-safe principle is to be applied in general.

Safety-related switching must in general directly actuate the relevant control devices without intermediate software command.

1.5.2. In the event of a safety device failure, equipment and/or protective systems shall, wherever possible, be secured.

1.5.3. Emergency stop controls of safety devices must, as far as possible, be fitted with restart lockouts. A new start command may take effect on normal operation only after the restart lockouts have been intentionally reset.

1.5.4. Control and display units

Where control and display units are used, they must be designed in accordance with ergonomic principles in order to achieve the highest possible level of operating safety with regard to the risk of explosion.

1.5.5. Requirements in respect of devices with a measuring function for explosion protection.

In so far as they relate to equipment used in explosive atmospheres, devices with a measuring function must be designed and constructed so that they can cope with foreseeable operating requirements and special conditions of use.

1.5.6. Where necessary, it must be possible to check the reading accuracy and serviceability of devices with a measuring function.

1.5.7. The design of devices with a measuring function must incorporate a safety factor which ensures that the alarm threshold lies far enough outside the explosion and/or ignition limits of the atmospheres to be registered, taking into account, in particular, the operating conditions of the installation and possible aberrations in the measuring system.

Finally, the document that gives rules for the application of the ATEX 94/9/EC directive is the application guide (guidelines) of the ATEX 94/9/EC directive.

In the first edition of this guide (May 2000), chapter 3.10 defined the safety, controlling or regulating devices referred to in Article 1.2. In the fourth edition of the ATEX 94/9/EC guide, the definition of these safety devices is:

Devices in the scope of Article 1.2

  1. Safety devices, controlling devices and regulating devices, if they contribute to or are required for the safe functioning of equipment or protective systems with respect to the hazards of ignition or - respectively - with respect to the hazard of uncontrolled explosion are subject to the Directive; 
  2. These devices are covered even if they are intended for use outside the potentially explosive atmosphere. Those devices are not classified into categories according to Article 1. 
  3. Safety instrumented systems (e.g. a sensor, PLC and an actor) in the sense of items 1. and 2.. The whole system must be considered as a safety device in the sense of Article 1.2. Parts of this safety device may be located inside (e.g. a sensor) or outside (e.g. PLC) potentially explosive atmospheres. 

For such devices, the essential requirements shall only apply so far as they are necessary for the safe and reliable function and operation of those devices with respect to the hazards of ignition or - respectively - with respect to the hazard of uncontrolled explosion (Annex II, Preliminary observation B). 

Examples:

  • a pump, pressure regulating device, backup storage device, etc. ensuring sufficient pressure and flow for feeding a hydraulically actuated safety system (with respect to the ignition hazard); 
  • overload protective devices for electric motors of type of protection Ex e ‘Increased Safety’; 
  • controller units in a safe area, for an environmental monitoring system consisting of gas detectors distributed in a potentially explosive area, to provide executive actions on one or a small number of equipment or protective systems in terms of further avoiding an ignition hazard if dangerous levels of gas are detected; 
  • controller units connected to sensors measuring temperature, pressure, flow, etc, located in a safe area, used to control (in terms of further avoiding an ignition hazard) electrical apparatus, used in production or servicing operations in a potentially explosive area. 

 

(...)


After these mandatory requirements applicable to safety devices, we must turn to the standards.

At the time the ATEX directive 94/9/EC was published, the state of the art for safety devices was the early EN 954-1, followed some years later by the EN 61508 standard.

At that time safety devices were based on electromechanical technology, as was also the case in other industrial sectors such as machinery (see the chapter "history for functional safety in machinery").


Today, safety devices for use in potentially explosive atmospheres are defined in EN 50495 (February 2010): Safety devices required for the safe functioning of equipment with respect to explosion risks

(French edition NF EN 50495, July 2010: Dispositifs de sécurité nécessaires pour le fonctionnement sûr d'un matériel vis-à-vis des risques d'explosion)

(German title: Sicherheitseinrichtungen für den sicheren Betrieb von Geräten im Hinblick auf Explosionsgefahren)

Some other safety devices are covered by specific standards: safety devices whose safety function is defined in, and within the scope of, existing ATEX-specific standards (e.g. EN 60079 and EN 61241), which do not need any complementary assessment; and safety devices that prevent the occurrence of explosive atmospheres, e.g. inerting systems, ventilation in workplaces and containers/vessels, or gas detectors, which are already covered by other standards such as the EN 61779 series, EN 50271 or EN 50402.


EN 50495:2010 : Summary

1       Scope

2       Normative references

3       Terms and definitions

4       Ignition prevention by safety devices

4.1       General concept of ignition risk reduction

4.2       Selection of a safety device

5       Functional requirements for a safety device

5.1       General requirements

5.2       Special requirements for safety components

5.3       Requirements for achieving the Safety Integrity Level (SIL)

6       Tests

6.1       Type tests

6.2       Routine tests

6.3       Regular functional proof tests

7       Marking

8       Safety instructions

Annex A (informative)  Example of an assessment procedure for a simple safety device

Annex B (informative)  Example of an assessment procedure for the hardware safety integrity of a safety device

Annex C (informative)  Example of determining the hardware safety integrity level

Annex D (informative)  Examples for safety devices

Annex E (informative)  Basic concept for safety devices

Annex ZZ (informative)  Coverage of Essential Requirements of EC Directives

Bibliography

Tables

Table 1 – Requirements for Safety Integrity Level and Fault Tolerance of a safety device

Table B.1 – Failure rates assuming a series failure model

Table B.2 – Safety Integrity Levels: Target failure measures for a safety function

Table B.3 – Hardware safety integrity: Architectural constraints on Type A or B safety-related subsystems

Table C.1 – Total hardware failure rates

Table E.1 – Increase of the failure tolerance of equipment by the control of a safety device

Table E.2 – Classified area, in which the ignition probability of controlled equipment would lead to a tolerable risk

Table E.3 – Required SIL and HFT of a safety device for the control of equipment.


This standard is mainly based on IEC 61508. If we compare the content of the two standards we can see that most chapters are derived from IEC 61508 (identified in red hereafter).

 

1       Scope

2       Normative references

3       Terms and definitions

4       Ignition prevention by safety devices

5       Functional requirements for a safety device

6       Tests

7       Marking

8       Safety instructions

Annex A (informative)  Example of an assessment procedure for a simple safety device

Annex B (informative)  Example of an assessment procedure for the hardware safety integrity of a safety device

Annex C (informative)  Example of determining the hardware safety integrity level

Annex D (informative)  Examples for safety devices

Annex E (informative)  Basic concept for safety devices

Annex ZZ (informative)  Coverage of Essential Requirements of EC Directives

Bibliography


Before the SAFEC project, the impact of a safety device on the equipment under control (EUC) was not clearly defined:

 

ATEX zone | Kind of device       | Functioning of the EUC without safety device | Impact of the safety device
----------|----------------------|----------------------------------------------|----------------------------
0         | Equipment category 1 | Safe with 2 hardware failures                | ??
1         | Equipment category 2 | Safe with 1 hardware failure                 | ??
2         | Equipment category 3 | Safe in normal operation                     | ??

The SAFEC project produced a table in which the contribution of the safety device is made visible. This impact is defined in its Table 10, "Proposed safety requirements for safety functions":

Hazardous area                                                        | Zone 0 / 20 | Zone 0 / 20 | Zone 0 / 20 | Zone 1 / 21 | Zone 1 / 21 | Zone 1 / 21 | Zone 2 / 22 | Zone 2 / 22
----------------------------------------------------------------------|-------------|-------------|-------------|-------------|-------------|-------------|-------------|------------
Fault tolerance requirement of ATEX Directive                         | 2           | 2           | 2           | 1           | 1           | 1           | 0           | 0
Equipment (EUC) fault tolerance                                       | 2           | 1           | 0           | 1           | 0           | -1          | 0           | -1
SIL of the safety function that the monitoring or control unit is providing | -     | SIL 2       | SIL 3       | -           | SIL 1       | SIL 2       | -           | SIL 1
Resulting equipment category (under ATEX) of the combination          | category 1  | category 1  | category 1  | category 2  | category 2  | category 2  | category 3  | category 3

Note that a fault tolerance of "-1" implies that the equipment would be incendive in normal operation, without the intervention of the safety device.

Table 10 assumes that any feature of the certified electrical equipment which provides a level of fault tolerance will achieve a risk reduction equivalent to a SIL of 1. This is consistent with the fact that SIL 1 represents the minimum integrity requirement of IEC 61508 for a system defined as being safety-related.

The fault tolerance "-1" was not taken into account in the EN 50495 standard, and the SAFEC Table 10 was replaced by the following table:

Table 1 – Minimum requirements for Safety Integrity Level and Fault Tolerance of a safety device

EUC: Hardware Fault Tolerance               | 2     | 1     | 0     | 1     | 0     | 0
--------------------------------------------|-------|-------|-------|-------|-------|------
Safety device: Hardware Fault Tolerance     | -     | 0     | 1     | -     | 0     | -
Safety device: Safety Integrity Level       | -     | SIL 1 | SIL 2 | -     | SIL 1 | -
Combined equipment: Group I Category        | M1    | M1    | M1    | M2    | M2    | -
Combined equipment: Group II, III Category  | 1     | 1     | 1     | 2     | 2     | 3

NOTE 1 Fault tolerance:

“0” indicates that the EUC is safe in normal operation. One single fault may cause the apparatus to fail.

“1” indicates that the apparatus is safe with one single fault. Two independent faults may cause the apparatus to fail.

“2” indicates that the apparatus is safe with two independent faults. Three faults may cause the apparatus to fail.

NOTE 2 SIL 1 or SIL 2 indicates the Safety Integrity Level of the safety device according to the EN 61508 series.

NOTE 3 Category 1 or 2 or 3: the appropriate categories are defined in EN 13237.

NOTE 4 “-” means that no safety device is required.

NOTE 5 Equipment which contains a potential ignition source under normal operation is not included in Table 1, because this equipment is already covered under the types of protection.

 
Some explanations about this table:
The text in red has been added by Industry-finder and is not normative; it is given for illustration only.
For columns 1, 4 and 6 no safety device is required, for the following reasons:
  • column 1: the EUC is safe with 2 faults in zone 0, which is what the ATEX directive requires (see above). This case corresponds to the intrinsic safety protection mode, level "ia".
  • column 4: the EUC is safe with 1 fault in zone 1, which is what the ATEX directive requires (see above). This case corresponds to the intrinsic safety protection mode, level "ib".
  • column 6: the EUC is safe with 0 faults in zone 2, which is what the ATEX directive requires (see above).
  • Cases 2 and 3 are not defined yet because there are few applications for them; in practice, end users put in zone 0 devices that comply with the "ia" protection mode or with double protection.
  • The interesting case is case number 5, which corresponds mostly to motors in zone 1 that comply with the flameproof enclosure "d" protection mode (IEC 60079-1) or the increased safety "e" protection mode (IEC 60079-7). In those 2 cases, the protection mode is not fault tolerant (0 in blue). This means that the safety device must have a SIL 1 level with a hardware fault tolerance of 0 (in green).
 
Column number                               | 1                     | 2     | 3     | 4                     | 5     | 6
--------------------------------------------|-----------------------|-------|-------|-----------------------|-------|------
Corresponding classic protection mode       | ia (intrinsic safety) |       |       | ib (intrinsic safety) | d, e  |
EUC: Hardware Fault Tolerance               | 2                     | 1     | 0     | 1                     | 0     | 0
Safety device: Hardware Fault Tolerance     | -                     | 0     | 1     | -                     | 0     | -
Safety device: Safety Integrity Level       | -                     | SIL 1 | SIL 2 | -                     | SIL 1 | -
Combined equipment: Group I Category        | M1                    | M1    | M1    | M2                    | M2    | -
Combined equipment: Group II, III Category  | 1                     | 1     | 1     | 2                     | 2     | 3
Zone                                        | 0                     | 0     | 0     | 1                     | 1     | 2

 

 

However, compliance with IEC 61508 also imposes a hardware fault tolerance, and if we combine the architectural constraints table of IEC 61508 with the requirements of EN 50495 we can see that not all IEC 61508 architectures are possible.

Table B.3 – Hardware safety integrity: Architectural constraints on Type A or B safety-related subsystems

Safe Failure Fraction (SFF) | Type A subsystem, HFT 0 | Type A subsystem, HFT 1 | Type A subsystem, HFT 2 | Type B subsystem, HFT 0 | Type B subsystem, HFT 1 | Type B subsystem, HFT 2
----------------------------|-------------------------|-------------------------|-------------------------|-------------------------|-------------------------|------------------------
< 60 %                      | SIL 1                   | SIL 2                   | SIL 3                   | Not allowed             | SIL 1                   | SIL 2
60 % - < 90 %               | SIL 2                   | SIL 3                   | SIL 4                   | SIL 1                   | SIL 2                   | SIL 3
90 % - < 99 %               | SIL 3                   | SIL 4                   | SIL 4                   | SIL 2                   | SIL 3                   | SIL 4
≥ 99 %                      | SIL 3                   | SIL 4                   | SIL 4                   | SIL 3                   | SIL 4                   | SIL 4

 
  • in green: what is acceptable under the EN 50495 standard
  • in red: what is forbidden (for SIL 2, the HFT must be 1)
  • in grey: what is normally out of the scope of the standard.
It is of course possible, for a type A subsystem with HFT = 0 that needs a SIL 1 level, to use a SIL 2 or SIL 3 device in order to realize a SIL 1 level function for ATEX.
Similarly, it is possible for type B technology to use a SIL 2 level device with HFT = 1 to realize a SIL 1 level protection for ATEX.
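To make the combination of the two tables concrete, here is an added worked example, written for this page and not code from the standard, from SAFEC or from Industry-finder. It encodes EN 50495 Table 1, the IEC 61508-2 architectural constraints of Table B.3 and, for comparison, the SAFEC Table 10 with its "-1" fault tolerance, and checks a proposed safety-device architecture (type A or B, safe failure fraction, hardware fault tolerance) against the zone and the EUC fault tolerance. The acceptance rule it applies, that the architecture must support at least the required SIL and have at least the required hardware fault tolerance, is this example's reading of the explanation above, not normative wording; all function and variable names are assumptions.

```python
"""Check a proposed safety-device architecture against EN 50495 Table 1 and the
IEC 61508-2 architectural constraints (EN 50495 Table B.3).

Added example for this page, not code from the standard. Table contents are
transcribed from the article; the acceptance rule (achieved SIL >= required SIL
and device HFT >= required HFT) is this example's reading of the text, not
normative wording. Function and variable names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# EN 50495 Table 1, keyed by (zone, EUC hardware fault tolerance).
# Value: (required safety-device HFT, required SIL); None means "-" (no safety device required).
EN50495_TABLE_1 = {
    (0, 2): None, (0, 1): (0, 1), (0, 0): (1, 2),   # columns 1-3: category 1 / M1
    (1, 1): None, (1, 0): (0, 1),                   # columns 4-5: category 2 / M2
    (2, 0): None,                                   # column 6:    category 3
}

# SAFEC Table 10, keyed by (zone, EUC fault tolerance) -> required SIL (None = "-").
# It still lists the "-1" fault tolerance (incendive in normal operation) that EN 50495 dropped.
SAFEC_TABLE_10 = {
    (0, 2): None, (0, 1): 2, (0, 0): 3,
    (1, 1): None, (1, 0): 1, (1, -1): 2,
    (2, 0): None, (2, -1): 1,
}

# IEC 61508-2 architectural constraints (EN 50495 Table B.3).
# Each entry: (lower bound of the SFF band in %, (max SIL for HFT 0, HFT 1, HFT 2)); 0 = "Not allowed".
TABLE_B3 = {
    "A": [(0, (1, 2, 3)), (60, (2, 3, 4)), (90, (3, 4, 4)), (99, (3, 4, 4))],
    "B": [(0, (0, 1, 2)), (60, (1, 2, 3)), (90, (2, 3, 4)), (99, (3, 4, 4))],
}


def max_sil_from_architecture(subsystem_type: str, sff_percent: float, hft: int) -> int:
    """Highest SIL the architecture may claim under Table B.3 (0 = not allowed)."""
    if subsystem_type not in TABLE_B3:
        raise ValueError("subsystem type must be 'A' or 'B'")
    if hft not in (0, 1, 2):
        raise ValueError("Table B.3 only covers HFT 0, 1 and 2")
    bands = dict(TABLE_B3[subsystem_type])
    band = max(lower for lower in bands if sff_percent >= lower)
    return bands[band][hft]


def safec_required_sil(zone: int, euc_fault_tolerance: int) -> Optional[int]:
    """SAFEC Table 10 requirement; KeyError for combinations the table does not list."""
    return SAFEC_TABLE_10[(zone, euc_fault_tolerance)]


@dataclass
class Verdict:
    required: Optional[Tuple[int, int]]  # (HFT, SIL) from Table 1; None when no device is needed
    achieved_sil: Optional[int]          # SIL the proposed architecture may claim
    acceptable: bool
    reason: str


def check_safety_device(zone: int, euc_hft: int, subsystem_type: Optional[str] = None,
                        sff_percent: Optional[float] = None, device_hft: Optional[int] = None) -> Verdict:
    """Apply Table 1 to (zone, EUC HFT), then Table B.3 to the proposed device architecture."""
    key = (zone, euc_hft)
    if key not in EN50495_TABLE_1:
        return Verdict(None, None, False, f"EUC HFT {euc_hft} in zone {zone} is not covered by Table 1")
    required = EN50495_TABLE_1[key]
    if required is None:
        return Verdict(None, None, True, "no safety device required: EUC already meets the zone's fault tolerance")
    if subsystem_type is None:
        return Verdict(required, None, False, "a safety device is required but none was proposed")
    req_hft, req_sil = required
    achieved = max_sil_from_architecture(subsystem_type, sff_percent, device_hft)
    if achieved == 0:
        return Verdict(required, achieved, False, "Table B.3: architecture not allowed (type B, SFF < 60 %, HFT 0)")
    if device_hft < req_hft:   # the "red" cells: the SIL may be reachable, but EN 50495 also fixes the HFT
        return Verdict(required, achieved, False,
                       f"EN 50495 requires HFT {req_hft} with SIL {req_sil}; device has HFT {device_hft}")
    if achieved < req_sil:
        return Verdict(required, achieved, False, f"architecture supports only SIL {achieved}; SIL {req_sil} required")
    return Verdict(required, achieved, True,
                   f"architecture supports SIL {achieved} with HFT {device_hft}; meets SIL {req_sil} / HFT {req_hft}")


if __name__ == "__main__":
    # Constructed cases, one per situation discussed in the article.
    for case in [(2, 0), (1, 0, "A", 70.0, 0), (0, 0, "A", 95.0, 0), (0, 0, "B", 70.0, 1), (0, 1, "B", 50.0, 0)]:
        v = check_safety_device(*case)
        print(case, "->", "OK" if v.acceptable else "REJECT", "|", v.reason)
    print("SAFEC Table 10, zone 2 with EUC FT -1:", safec_required_sil(2, -1))
```

Running it shows the point of the red cells: a type A device with SFF 95 % and HFT 0 may claim SIL 3 under Table B.3, yet it is rejected for a zone 0 EUC with HFT 0 because Table 1 asks for HFT 1 together with SIL 2. Conversely, a type B architecture with SFF 70 % and HFT 1 (SIL 2 under Table B.3) is accepted for that same column, and a SIL 2-capable type A device with HFT 0 is accepted for the zone 1 / column 5 case, where only SIL 1 with HFT 0 is required. The SAFEC lookup shows the "-1" row that has no counterpart in EN 50495 Table 1.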
Annex D of the standard gives five examples of safety devices that have to be used in ATEX:
  • D.1     Heating device
  • D.2     Ex ‘d’ motor
  • D.3     Overload protective devices for electric motors of type of protection Ex e
  • D.4     Level detectors for the control of submersible pumps
  • D.5     Electrical resistance trace heating system