ISO 13856-3:2013

Safety of machinery -- Pressure-sensitive protective devices -- Part 3: General principles for design and testing of pressure-sensitive bumpers, plates, wires and similar devices

Abstract

ISO 13856-3:2013 establishes general principles and specifies requirements for the design and testing of those pressure-sensitive protective devices, with or without an external reset facility, that are not specified in either ISO 13856‑1 or ISO 13856‑2, and the majority of which are produced for specific applications and are not available as "off-the-shelf" items.

ISO 13856-3:2013 also gives specific requirements for the following pressure-sensitive protective devices: pressure-sensitive bumpers; pressure-sensitive plates; pressure-sensitive wires (trip wires).

It deals with the design of a pressure-sensitive device with regard to safety and reliability rather than its suitability for particular applications.

It is not applicable to specifying the dimensions of pressure-sensitive protective devices in relation to any particular application, or stopping devices according to IEC 60204‑1 used for the normal operation, including emergency stopping of machinery.

While requirements are given for the immunity of the device to electromagnetic disturbances, these are not intended to cover all aspects of electromagnetic compatibility (EMC).

ISO 13854:1996 - Safety of machinery - Minimum gaps to avoid crushing of parts of the human body

The purpose of this standard is to enable the user (e.g. standard makers, designers of machinery) to avoid hazards from crushing zones. Specifies minimum gaps relative to parts of the human body. Applicable when adequate safety can be achieved by this method.

If you want to create a link from your Website to Industry-finder, use the following codes to insert a banner.

Title : Industry-finder - The Virtual Web portal of Industry
 

Insert a Text link

You will see on your Web page : www.industry-finder.com

HTML code to be inserted into your Web-page

<a href="http://www.industry-finder.com/" target="_blank">www.industry-finder.com.com</a>

Insert a image link

You will see on your Web page : 

HTML code to be inserted into your Web-page

<a href="http://www.industry-finder.com/" target="_blank"><img src="http://www.industry-finder.com/download/images/industry-finder-logo-171X60.jpg" border="0" alt="industry-finder, ATEX 94/9/EC and machinery 2006/42/EC directives"></a>

EN 60079-1:2007 : Explosive atmospheres - Part 1: Equipment protection by flameproof enclosures ‘d’

IEC 60079-1:2007

SOMMAIRE
AVANT-PROPOS
1 Domaine d'application
2 Références normatives
3 Termes et définitions
4 Groupement et classification en température
5 Joints antidéflagrants
5.1 Règles générales
5.2 Joints non filetés
5.3 Joints filetés
5.4 Garnitures (comprenant les bagues toriques)
5.5 Matériels utilisant des capillaires
6 Joints scellés
6.1 Généralités
6.2 Résistance mécanique
6.3 Longueur des joints scellés
7 Tiges de manoeuvre (axes)
8 Exigences supplémentaires pour les arbres et paliers
8.1 Joints des arbres
8.2 Paliers
9 Parties transparentes ou translucides
10 Dispositifs de respiration et de drainage faisant partie d’une enveloppe antidéflagrante
10.1 Ouvertures pour respiration ou drainage
10.2 Teneurs limites
10.3 Dimensions
10.4 Eléments avec passages mesurables
10.5 Eléments avec passages non mesurables
10.6 Dispositifs démontables
10.7 Dispositions de montage des éléments
10.8 Résistance mécanique
10.9 Dispositifs de respiration et de drainage utilisés comme composants Ex
11 Fermetures, orifices associés et dispositifs d’obturation
12 Matériaux et résistance mécanique de l’enveloppe – Matériaux à l’intérieur de l’enveloppe
13 Entrées des enveloppes antidéflagrantes
13.1 Entrées de câbles
13.2 Dispositifs d’étanchéité de conduit
13.3 Prises de courant et prolongateurs de câble
13.4 Traversées
14 Vérifications et essais

15 Essais de type
15.1 Essais de tenue à la pression de l’enveloppe
15.2 Essai de non-transmission d’une inflammation interne 
15.3 (Réservé pour une utilisation future)
15.4 Essais des enveloppes antidéflagrantes avec dispositifs de respiration et de drainage
16 Essais individuels de série
17 Appareillage pour le groupe I
17.1 Organes de mise hors tension
17.2 Portes ou couvercles
18 Douilles et culots de lampes
18.1 Dispositif empêchant l’autodesserrage des lampes
18.2 Douilles et culots pour lampes à culots cylindriques
18.3 Douilles pour lampes à culots à vis
19 Enveloppes non métalliques et parties non métalliques d’enveloppes
19.1 (Réservé pour une utilisation future)
19.2 Exigences de construction particulières
19.3 Exigences complémentaires pour les essais de type
20 Marquage
20.1 Généralités
20.2 Avertissement et marquages
20.3 Marquages informatifs
Annexe A (normative) Exigences complémentaires pour les éléments du type ruban gaufré et les éléments d’écran multiples des dispositifs de respiration et de drainage
Annexe B (normative) Exigences complémentaires pour les éléments avec passages non mesurables pour les dispositifs de respiration et de drainage
B.1 Eléments en métal fritté
B.2 Eléments en fil métallique pressé
B.3 Eléments en mousse métallique
Annexe C (normative) Exigences supplémentaires pour les dispositifs d’entrée antidéflagrants
C.1 Généralités
C.2 Exigences de construction
C.3 Essais de type
Annexe D (normative) Enveloppes antidéflagrantes vides, comme composants Ex
D.1 Généralités
D.2 Remarques introductives
D.3 Exigences d’enveloppe de composants Ex
D.4 Utilisation du certificat d’enveloppe de composant Ex pour préparer un certificat du matériel
Annexe E (normative) Piles et accumulateurs utilisés dans les enveloppes antidéflagrantes «d»
E.1 Remarques introductives
E.2 Systèmes électrochimiques admissibles
E.3 Exigences générales pour piles (ou accumulateurs) à l’intérieur d’enveloppes antidéflagrantes
E.4 Dispositions des dispositifs de sécurité
E.5 Charge des accumulateurs à l’intérieur des enveloppes antidéflagrantes
E.6 Seuil des diodes de protection et fiabilité des dispositifs de protection

Annexe F (informative) Propriétés mécaniques pour vis et écrous
Annexe G (informative) Introduction à une méthode alternative d’évaluation des risques incluant les « niveaux de protection du matériel » pour les matériels Ex
G.0 Introduction
G.1 Rappel historique
G.2 Généralités
G.3 Protection adaptée contre le risque d’inflammabilité
G.4 Mise en oeuvre
Annexe ZA (normative) Références normatives à d’autres publications internationales avec les publications européennes correspondantes
Annexe ZZ (informative) Couverture des Exigences Essentielles des Directives CE
Bibliographie
Figure 1 – Exemple de construction pour la vérification indirecte d’un joint plan antidéflagrant du groupe I
Figure 2 – Joints à emboîtement
Figures 3, 4, 5 – Orifices aux surfaces des joints plans
Figures 6, 7, 8 – Orifices aux surfaces des joints à emboîtement
Figure 9a – Exemple d’un joint avec des surfaces cylindriques partielles
Figure 9b – Exemple d’un joint dentelé
Figures 10 à 16 – Illustration des exigences relatives aux garnitures d'étanchéité
Figure 17 – Exemple de joint cylindrique pour arbre de machine électrique tournante
Figure 18 – Exemple de joint à labyrinthe pour arbre de machine électrique tournante
Figure 19 – Exemple de joint à bague flottante pour arbre de machine électrique tournante
Figure 20 – Joints des traversées d’arbre de machines électriques tournantes
Figure 21 – Dispositif d'essai pour dispositifs de respiration et de drainage
Figure 22 – Exemples de dispositifs d’obturation pour les ouvertures non utilisées
Figure C.1 – Dispositif pour les essais d'étanchéité des entrées de câble
Figure C.2 – Exemples d’adaptateurs filetés Ex
Figure E.1 – Montage de diodes pour trois éléments en série
Figure E.2 – Mise en place de diodes de blocage pour répondre à E.4.3 (troisième exemple)

NF EN ISO 13849-1 October 2008

Safety of machinery

Safety-related parts of control systems — Part 1: General principles for design

D : D : Sicherheit von Maschinen — Sicherheitsbezogene Teile von Steuerungen — Teil 1 : Allgemeine Gestaltungsleitsätz

ISO 13849 standard comprises several parts:

• Part 1: General principles for design
• Part 2: Validation
• Part 100: Guidelines for the use and application of ISO 13849-1 [Technical Report]

Parts 1 and 2 of the standard are harmonized standards under the Machinery Directive 2006/42/EC standards.

Contents of EN 13849-1 standard

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, symbols and abbreviated terms
3.1 Terms and definitions
3.2 Symbols and abbreviated terms
4 Design considerations
4.1 Safety objectives in design
4.2 Strategy for risk reduction
4.2.1 General
4.2.2 Contribution to the risk reduction by the control system
4.3 Determination of required performance level (PLr)
4.4 Design of SRP/CS
4.5 Evaluation of the achieved performance level PL and relationship with SIL
4.5.1 Performance level PL
4.5.2 Mean time to dangerous failure of each channel (MTTFd)
4.5.3 Diagnostic coverage (DC)
4.5.4 Simplified procedure for estimating PL
4.6 Software safety requirements
4.6.1 General.
4.6.2 Safety-related embedded software (SRESW)
4.6.3 Safety-related application software (SRASW)
4.6.4 Software-based parameterization
4.7 Verification that achieved PL meets PLr
4.8 Ergonomic aspects of design
5 Safety functions
5.1 Specification of safety functions
5.2 Details of safety functions
5.2.1 Safety-related stop function
5.2.2 Manual reset function
5.2.3 Start/restart function
5.2.4 Local control function
5.2.5 Muting function
5.2.6 Response time
5.2.7 Safety–related parameters
5.2.8 Fluctuations, loss and restoration of power sources
6 Categories and their relation to MTTFd of each channel, DCavg and CCF
6.1 General
6.2 Specifications of categories
6.2.1 General
6.2.2 Designated architectures
6.2.3 Category B
6.2.4 Category 1
6.2.5 Category 2
6.2.6 Category 3
6.2.7 Category 4
6.3 Combination of SRP/CS to achieve overall PL
7 Fault consideration, fault exclusion
7.1 General
7.2 Fault consideration
7.3 Fault exclusion
8 Validation
9 Maintenance
10 Technical documentation
11 Information for use
Annex A (informative) Determination of required performance level (PLr)
Annex B (informative) Block method and safety-related block diagram
Annex C (informative) Calculating or evaluating MTTFd values for single components
Annex D (informative) Simplified method for estimating MTTFd for each channel
Annex E (informative) Estimates for diagnostic coverage (DC) for functions and modules
Annex F (informative) Estimates for common cause failure (CCF)
Annex G (informative) Systematic failure
Annex H (informative) Example of combination of several safety-related parts of the control system
Annex I (informative) Examples
Annex J (informative) Software
Annex K (informative) Numerical representation of Figure 5
Bibliography

Standards for design of ATEX and IECEx equipment

IEC 60079-0 ED. 6.0 2011 - Explosive atmospheres - Part 0: Equipment - General requirements

This part of IEC 60079 specifies the general requirements for construction, testing and marking of electrical equipment and Ex Components intended for use in explosive 
atmospheres. The standard atmospheric conditions (relating to the explosion characteristics of the atmosphere) under which it may be assumed that electrical equipment can be operated are: 

• temperature –20 °C to +60 °C; 
• pressure 80 kPa (0,8 bar) to 110 kPa (1,1 bar); and 
• air with normal oxygen content, typically 21 % v/v. 

This standard and other standards supplementing this standard specify additional test requirements for equipment operating outside the standard temperature range, but further 
additional consideration and additional testing may be required for equipment operating outside the standard atmospheric pressure range and standard oxygen content, particularly 
with respect to types of protection that depend on quenching of a flame such as ‘flameproof enclosure “d”’ (IEC 60079-1) or limitation of energy, ‘intrinsic safety “i”’ (IEC 60079-11). 

You can see the content of the present standard on the web site of IEC at the following address : http://www.iec-normen.de/

CONTENTS 
FOREWORD
1 Scope
2 Normative references
3 Terms and definitions
4 Equipment grouping
4.1 Group I
4.2 Group II
4.3 Group III
4.4 Equipment for a particular explosive atmosphere
5 Temperatures
5.1 Environmental influences
5.1.1 Ambient temperature
5.1.2 External source of heating or cooling
5.2 Service temperature
5.3 Maximum surface temperature
5.3.1 Determination of maximum surface temperature
5.3.2 Limitation of maximum surface temperature
5.3.3 Small component temperature for Group I or Group II electrical equipment
6 Requirements for all electrical equipment
6.1 General
6.2 Mechanical strength of equipment
6.3 Opening times
6.4 Circulating currents in enclosures (e.g. of large electrical machines)
6.5 Gasket retention
6.6 Electromagnetic and ultrasonic energy radiating equipment
6.6.1 Radio frequency sources
6.6.2 Lasers or other continuous wave sources
6.6.3 Ultrasonic sources
7 Non-metallic enclosures and non-metallic parts of enclosures
7.1 General
7.1.1 Applicability
7.1.2 Specification of materials
7.2 Thermal endurance
7.2.1 Tests for thermal endurance
7.2.2 Material selection
7.2.3 Alternative qualification of elastomeric sealing O-rings
7.3 Resistance to light
7.4 Electrostatic charges on external non-metallic materials
7.4.1 Applicability
7.4.2 Avoidance of a build-up of electrostatic charge on Group I or Group II electrical equipment 
7.4.3 Avoidance of a build-up of electrostatic charge on equipment for Group III
7.5 Accessible metal parts
8 Metallic enclosures and metallic parts of enclosures
 

From SAFEC European project to EN 50495 standard for safety devices in ATEX - links with IEC 61508

This article defines some explanations on the use of EN 50495:2010 standard and its link with an other well known functional safety standard : IEC 61508.

But first of all, EN 50495: February 2010 : Safety devices required for the safe functioning of equipment with respect to explosion risks, must be placed in its regulatory scope : the ATEX 94/9/EC directive.

The ATEX 94/9/EC directive in CHAPTER I Scope, placing on the market and freedom of movement states :

Article 1

1. This Directive applies to equipment and protective systems intended for use in potentially explosive atmospheres.

2. Safety devices, controlling devices and regulating devices intended for use outside potentially explosive atmospheres but required for or contributing to the safe functioning of equipment and protective systems with respect to the risks of explosion are also covered by the scope of this Directive.

In annex II of ATEX 94/9/EC directive are also defined requirements for safety devices.

1.5. Requirements in respect of safety-related devices

1.5.1. Safety devices must function independently of any measurement or control devices required for operation.

As far as possible, failure of a safety device must be detected sufficiently rapidly by appropriate technical means to ensure that there is only very little likelihood that dangerous situations will occur.

For electrical circuits the fail-safe principle is to be applied in general.

Safety-related switching must in general directly actuate the relevant control devices without intermediate software command.

1.5.2. In the event of a safety device failure, equipment and/or protective systems shall, wherever possible, be secured.

1.5.3. Emergency stop controls of safety devices must, as far as possible, be fitted with restart lockouts. A new start command may take effect on normal operation only after the restart lockouts have been intentionally reset.

1.5.4. Control and display units

Where control and display units are used, they must be designed in accordance with ergonomic principles in order to achieve the highest possible level of operating safety with regard to the risk of explosion.

1.5.5. Requirements in respect of devices with a measuring function for explosion protection.

In so far as they relate to equipment used in explosive atmospheres, devices with a measuring function must be designed and constructed so that they can cope with foreseeable operating requirements and special conditions of use.

1.5.6. Where necessary, it must be possible to check the reading accuracy and serviceability of devices with a measuring function.

1.5.7. The design of devices with a measuring function must incorporate a safety factor which ensures that the alarm threshold lies far enough outside the explosion and/or ignition limits of the atmospheres to be registered, taking into account, in particular, the operating conditions of the installation and possible aberrations in the measuring system.

finally, the document that gives some rules for the application of the ATEX 94/9/EC directive is the application guide of the ATEX 94/9/EC directive.

In its first edition of this guide in May 2000, in chapter 3.10 Safety, controlling or regulating devices as defined in Article 1.2 where defined. In the fourth edition of the ATEX 94/9/EC guide, the definition of these safety devices is :

Devices in the scope of Article 1.2

1. Safety devices, controlling devices and regulating devices, if they contribute to or are required for the safe functioning of equipment or protective systems with respect to the hazards of ignition or - respectively - with respect to the hazard of uncontrolled explosion are subject to the Directive; 
2. These devices are covered even if they are intended for use outside the potentially explosive atmosphere. Those devices are not classified into categories according to Article 1. 
3. Safety instrumented systems (e.g. a sensor, PLC and an actor) in the sense of items 1. and 2.. The whole system must be considered as a safety device in the sense of Article 1.2. Parts of this safety device may be located inside (e.g. a sensor) or outside (e.g. PLC) potentially explosive atmospheres. 

For such devices, the essential requirements shall only apply so far as they are necessary for the safe and reliable function and operation of those devices with respect to the hazards of ignition or - respectively - with respect to the hazard of uncontrolled explosion (Annex II, Preliminary observation B). 

Examples:

• a pump, pressure regulating device, backup storage device, etc. ensuring sufficient pressure and flow for feeding a hydraulically actuated safety system (with respect to the ignition hazard); 
• overload protective devices for electric motors of type of protection Ex e ‘Increased Safety’; 
• controller units in a safe area, for an environmental monitoring system consisting of gas detectors distributed in a potentially explosive area, to provide executive actions on one or a small number of equipment or protective systems in terms of further avoiding an ignition hazard if dangerous levels of gas are detected; 
• controller units connected to sensors measuring temperature, pressure, flow, etc, located in a safe area, used to control (in terms of further avoiding an ignition hazard) electrical apparatus, used in production or servicing operations in a potentially explosive area. 

(...)

After these mandatory requirements that are applicable to safety devices, we must discuss of standards.

At the time when ATEX directive 94/9/CE was published the state of art for safety devices was the premises of EN 954-1 and some years after the EN 61508 standard.

At this time the technology for safety devices was electromecanic based, as it was defined also for other industrial sectors such as for the machinery sector (see chapter "history for functional safety in machinery" ).

Today safety devices for use in potentially are defined in EN 50495 February 2010 : Safety devices required for the safe functioning of equipment with respect to explosion risks

(NF EN 50495 : juillet 2010 : Dispositifs de sécurité nécessaires pour le fonctionnement sûr d'un matériel vis-à-vis des risques d'explosion)

Sicherheitseinrichtungen für den sicheren Betrieb von Geräten im Hinblick auf Explosionsgefahren

Some specific standards for other safety devices are also defined such as the safety devices  whose safety function is define and in the scope of existing standards specific for ATEX eg EN 60079 and EN 61241 that do not need any complementary assessment and other safety devices that prevent the occurrence of explosive atmospheres, e.g. inerting systems, ventilation in workplaces and containers/vessels or Gas detectors, which are already covered other standards in EN 61779 series, EN 50271 or EN 50402 

EN 50495:2010 : Summary

1       Scope

2       Normative references

3       Terms and definitions

4       Ignition prevention by safety devices

4.1       General concept of ignition risk reduction

4.2       Selection of a safety device

5       Functional requirements for a safety device

5.1       General requirements

5.2       Special requirements for safety components

5.3       Requirements for achieving the Safety Integrity Level (SIL)

6       Tests

6.1       Type tests

6.2       Routine tests

6.3       Regular functional proof tests

7       Marking

8       Safety instructions

Annex A (informative)  Example of an assessment procedure for a simple safety device

Annex B (informative)  Example of an assessment procedure for the hardware safety integrity of a safety device

Annex C (informative)  Example of determining the hardware safety integrity level

Annex D (informative)  Examples for safety devices

Annex E (informative)  Basic concept for safety devices

Annex ZZ (informative)  Coverage of Essential Requirements of EC Directives

Bibliography

Tables

Table 1 – Requirements for Safety Integrity Level and Fault Tolerance of a safety device

Table B.1 – Failure rates assuming a series failure model

Table B.2 – Safety Integrity Levels: Target failure measures for a safety function

Table B.3 – Hardware safety integrity: Architectural constrains  on Type A or B safety-related subsystems

Table C.1 – Total hardware failure rates

Table E.1 – Increase of the failure tolerance of equipment by the control of a safety device

Table E.2 – Classified area, in which the ignition probability of controlled equipment would lead to a tolerable risk

Table E.3 – Required SIL and HFT of a safety device for the control of equipment.

This standard is mainly based on IEC 61508. If we compare the content of this standard we can see that most chapters are issued from IEC 61508 (identified in red color hereafter)

1       Scope

2       Normative references

3       Terms and definitions

4       Ignition prevention by safety devices

5       Functional requirements for a safety device

6       Tests

7       Marking

8       Safety instructions

Annex A (informative)  Example of an assessment procedure for a simple safety device

Annex B (informative)  Example of an assessment procedure for the hardware safety integrity of a safety device

Annex C (informative)  Example of determining the hardware safety integrity level

Annex D (informative)  Examples for safety devices

Annex E (informative)  Basic concept for safety devices

Annex ZZ (informative)  Coverage of Essential Requirements of EC Directives

Bibliography

Before the SAFEC project, the impact of safety device on the equipment under control was not clearly defined.

The SAFEC project gives a table in which the contribution of the safety device was visible. This impact is defined in Table 10    Proposed safety requirements for safety functions

Table 10 assumes that any feature of the certified electrical equipment which provides a level of fault tolerance will achieve a risk reduction equivalent to a SIL of 1. This is consistent with the fact that SIL 1 represents the minimum integrity requirement of IEC 61508 for a system defined as being safety-related.

The fault tolerance "-1" was not taken into account in the EN50495 standard, and the SAFEC table 10 wa sreplaced by the following table :

Table 1 – Minimum requirements for Safety Integrity Level and Fault Tolerance of a safety device

• column 1 the EUC is safe with 2 faults in zone 0 which is what is required in the ATEX directive (see above). This case correspond to the intinsic safety protection mode for "ia" level
• column 4  the EUC is safe with 1 faults in zone 1 which is what is required in the ATEX directive (see above). This case correspond to the intinsic safety protection mode for "ib" level
• column 6  the EUC is safe with 0 fault in zone 2 which is what is required in the ATEX directive (see above)
• Case 2 and 3 are not defined yet because there is few applications for this case and practicaly, end users put for zone "0" devices that comply with "ia" protection mode or doble protection
• The interessant casse are defined in case number 5 which correspond mostly to motor in zone "1" that are complying with "enclosure" protection mode (IEC 60079-1) or enhanced protection mode (IEC 60079-7). In those 2 cases, the protection mode mode is not fault tolerant (O in blue color). This means that the safety device must have a SIL 1 level with an Harware fault tolerance of 0 (in green color)

3.4.1      Conclusion for IEC 61508

IEC 61508 is applicable for the certification of safety devices under the scope of the 94/9/EC [1]. The approach of IEC 61508 covers the scope of 94/9/EC and 1999/92/EC. IEC 61508 allows the use of not explicitly mentioned technologies for validation. The ESR can be covered by validation following IEC 61508.

There may be some differences for instance if a thermal control device is used for the control of electrical equipment or for the protection of non-electrical equipment because in 94/9/EC the certification procedure is different.

3.5      Summary

Every concept has advantages and disadvantages. With the use of EN 1441 or EN 954-1 many things have to be  added to get a certification scheme for safety devices in the area of explosion protection.

IEC 61508 gives a complete concept for the certification of safety devices. The disadvantage is application only for specific technologies. The concept on the other hand is open for use of standards with other technologies. IEC 61508 only has to adapt to the use with safety devices for explosion protection.

4    Conformity assessment procedure according to IEC 61508

4.1      Conditions

For a conformity assessment procedure based on IEC 61508 minor changes have to be made for the application to safety devices.

• The boxes 1 - 4 are already fulfilled by existing standards for explosion protection and the work in Task 1 and Task 2 [11].

• The box 5 is mainly defined by existing standards for explosion protection (function) and Task 2 (safety integrity level).

The safety integrity level for a purge control system is defined. Even the safety integrity level for a thermal protection system can easily be defined.

For example, a type “e” engine is not suitable for zone 1 without a thermal protection system. So this safety device is needed. It has to be added and the safety function “thermal protection” has to fulfil SIL 2.

In other cases, the manufacturer and the notified body have to do the safety requirement allocation according to IEC 61508, Part 1, 7.6.

4.2      Validation process

• The certification scheme itself bases on the box 9, Figure 3 for electric / electronic or programmable electronic safety devices or on box 10, Figure 3 together with box 11 for other technologies.

Figure 5 and Figure 6 shows lifecycle realization phase including validation process.

• The notified bodies have to carry out the conformity assessment procedure according to boxes 9.1 to 9.6 for hardware and software. The assessment can include less or more the point 9.1 to 9.5. This is depending on the safety devices. The most important step is 9.6.

Figure 5     E/E/PES safety lifecycle (in realization phase)

                   (IEC 61508 part 1, figure 3)

Figure 6     Software safety lifecycle (in realization phase)

                   (IEC 61508 part 1, figure 4)

The tasks included in realization phase relate to the description in IEC 61508 Part 1. The following lifecycle / task has to be fulfilled [4]:

7.10   Realisation: E/E/PES

NOTE   This phase is box 9 of figure 3 and boxes 9.1 to 9.6 of figures 4 and 5.

7.10.1         Objective

The objective of the requirements of this sub clause is to create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements). See parts 2 and 3.

7.10.2         Requirements

The requirements that shall be met are contained in parts 2 and 3.

The specific demands are contained in IEC 61508 Part 2 and 3. Further information can get from IEC 61508 parts 2 and 3.

4.3      Special demands with other standards in validation process

For other technologies, IEC 61508 includes the following recommendation:

7.11   Realization: other technology

NOTE: This phase is box 10 of figure 3.

7.11.1         Objective

The objective of the requirements of this sub clause is to create other technology safety-related systems to meet the safety functions requirements and safety integrity requirements specified for such systems.

7.11.2         Requirements

The specification to meet the safety functions requirements and safety integrity requirements for other technology safety-related systems is not covered in this standard.

NOTE: Other technology safety-related systems are based on a technology other than electrical/electronic/programmable electronic (for example hydraulic, pneumatic etc). The other technology safety-related systems have been included in the overall safety lifecycle, together with the external risk reduction facilities, for completeness (see 7.12).

The validation for other technologies can be led by using EN 954-1. Specification of the validation process is urgent necessary (see Task 2). PrEN 954-2 e.g. can be used. Other standards are possible (for example DIN EN 61496-1 06/98).

The lack of information e.g. about proof intervals has to be covered by special procedures. The validation of a electrical / electronic or programmable electronic devices with the EN 954-1 needs separate calculation of reliability for circuits responsible for the validated safety function.

This additional validation may be allocated to the lifecycles Overall safety validation planning (box 6, Figure 3) or to External risk reduction facilities (box 11, Figure 3). IEC 61508 part 1, Chapter 7.12 give some further information.

7.12   Realisation: external risk reduction facilities

NOTE:  This phase is box 11 of figure 3.

7.12.1         Objective

The objective of the requirements of this sub clause is to create external risk reduction facilities to meet the safety functions requirements and safety integrity requirements specified for such facilities.

7.12.2         Requirements

The specification to meet the safety functions requirements and safety integrity requirements for the external risk reduction facilities is not covered in this standard.

NOTE   The external risk reduction facilities have been included in the overall safety lifecycle, together with the other technology safety-related systems for completeness (see 7.11).

4.4      Special information for instruction

Furthermore, the notified bodies have to proof the results of the E 7 E / PES safety validation (lifecycle 9.6). The overall planning (lifecycles shown in box 6 - 8 (Figure 3)) has to proof according to the directive 1999/92 and the existing standards if special information must given in the instruction for the use of safety devices.

4.5      Actual problems with IEC 61508

A problem for application of IEC 61508 – 2 is that the standard is only available a draft and the whole IEC 61508 is not harmonised. The EN 954-1 is available as a harmonised standard. Therefore, standardisation committees for example in the type EEx “p” standard refer to EN 954-1 for validation. Even the committee for gas measurement systems do this.

The IEC 61508 needs for application a reliable database. There are several databases in use (Task 2, Task 4). Today no common database exists. Like in other standards for explosion protection, this common database must be established before certification can bases on IEC 61508 alone.

The authors do certification for some pressurized system controller according EN 954-1. The systems were suitable for application in category 3. Category 3 was recommend in an earlier draft for pressurised systems.

The controllers were also validated applying IEC 61508 - 2. Special attention was given to the dangerous undetected faults. The probability for dangerous undetected faults was calculated to give special information in the instruction if necessary. Two databases had been used ([22], [23]). The probability for failure in low demand mode of operation was low enough to fulfill safety integrity level 3. Because of a lack for proof testing the controllers are only suitable for a SIL 2 application (because of architectural constraints 61508 – 2, 7.4.5). This is the recommended SIL for pressurised system controller in Task 2. The result from EN 954-1 and IEC 61508 fits in this special application.

4.6      Independence for validation / conformity assessment procedures

IEC 61508 gives recommendation for level of independence for validation. This is shown in the following passage taken from the IEC 61508.

8.2.12 Unless otherwise stated in application sector international standards, the minimum level of independence of those carrying out the functional safety assessment shall be as specified in tables 4 and 5. The recommendations in the tables are as follows.

• HR: the level of independence specified is highly recommended as a minimum for the specified consequence (table 4) or safety integrity level (table 5). If a lower level of independence is adopted then the rationale for not using the HR level should be detailed.

• NR: the level of independence specified is considered insufficient and is positively not recommended for the specified consequence (table 4) or safety integrity level (table 5). If this level of independence is adapted then the rationale for using it should be detailed.

-: the level of independence specified has no recommendation for or against being used.

NOTE 1             Prior to the application of table 4, it will be necessary to define the resulting categories taking into account current good practices in the application sector. The consequences are those that would arise in the event of failure, when required to operate, of the E/E/PE safety-related systems.

NOTE 2             Depending upon the company organisation and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organisation.  Conversely, companies which  have internal organisations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.

NOTE 3             See 3.8.10, 3.8.11 and 3.8.12 of part 4 for definitions of independent person, independent department and independent organisation respectively.

8.2.13 In the context of tables 4 and 5, either HR¹ or HR² is applicable (not both), depending on a number of factors specific to the application. If HR¹ is applicable then HR² should be read as no requirement; if HR² is applicable then HR¹ should be read as NR (not recommended). If no application sector standard exists, the rationale for choosing HR¹ or HR² should be detailed. Factors that will tend to make HR² more appropriate than HR¹ are:

• lack of previous experience with a similar design;

• greater degree of complexity;

• greater degree of novelty of design;

• greater degree of novelty of technology;

• lack of degree of standardisation of design features.

8.2.14 In the context of table 4, the minimum levels of independence shall be based on the safety function, carried out by the E/E/PE safety-related system, that has the highest safety integrity level.

Table 4 - Minimum levels of independence of those carrying out functional safety assessment (overall safety lifecycle phase 9 - includes all phases of E/E/PES and software safety lifecycles (see Figure 3, Figure 5 and Figure 6))

IEC 61508 is not written to a special scope of application. The tables given by IEC 61508 part 1 have to change in respect to the regulations of 94/9/EC CHAPTER II Conformity assessment procedures, Article 8. Under the scope of the directive 94/9/EC, the table have to be divided into two parts, because the certification of electrical and non-electrical equipment is different ([1], Chapter II, Article 8)

Table 5 - Target SIL determination for protection systems used in Hazardous Zones (Task 2 [11], Table 14)

In reference to the results of Task 2 the levels of independence are changed by the 94/9/EC to the two groups "notified bodies" and "manufactures". Therefore, the Table 4 changed to Table 6 and Table 7.

Table 6 - Responsibility for conformity assessment procedure of safety devices in use with electrical equipment or internal combustion engines

Table 7 - Responsibility for conformity assessment procedure of safety devices in use with non-electrical equipment

5    Summary

For the conformity assessment procedure, several standards are available. The most general standard is the IEC 61508. Because there is a large number of very different safety devices identified in Task 3 [13] it is important to take a general standard. This should be the IEC 61508, because this standards covers although the production and the use of electrical / electronic / programmable electronic systems. This is an important fact because for safety devices the two areas defined by the directives 94/9/EC [1] and 1999/92/EC [3] cannot be separated.

The IEC 61508 is open for the use of other standards for the validation of safety devices. This is even an important fact. For example, the EN 50 016 [16] recommends the use of the EN 954-1 for the validation of the used safety devices. This is done even in other standards or drafts [24].

The IEC 61508 can be regarded as a standard for the basic procedure and as "generic standard" for safety devices. In some cases "products standards" can be used if they are recommended from the specific standardisation committee. This is nearly the same principle like in the directive 89/336/EC for electromagnetic compatibility (“generic standards” 50082-xx together with test standards IEC 61000-4-xx and “product standards” with test standards IEC 61000-4-xx).

Common database is urgently needed (reliability of used components) for application of IEC 61508-2 in certification of safety devices. Without such a data base a certification in the scope of 94/9/EG in an equal safety level in different European countries cannot be achieved.

Furthermore today certification of safety devices is only possible according to harmonized standards like EN 954-1 or according to the directive 94/9/EC itself.

6    References

[1]        Directive 94/9/EC of the European Parliament and the Council of 23 March 1994 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres, 394L0009

[2]        ATEX Guidelines - Guidelines on the Application of Council Directive 94/9/EC of 23 March 1994 on the Approximation of the Laws of the Member States concerning Equipment and Protective Systems intended for Use in potentially explosive Atmospheres, Draft 3 February 1999

[3]        Directive 1999/92/EC of the European Parliament and of the Council of 16 December 1999 on minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres (15th individual Directive within the meaning of Article 16(1) of Directive 89/391/EEC)

[4]        IEC 61508 Functional safety of electrical/electronic/ programmable electronic safety-related systems - Part 1: General requirements, 1998-12

[5]        Draft IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

[6]        IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements, 1998-12

[7]        EN 954-1: 1997, Safety of machinery - Safety-related parts of control systems - Part 1. General principles for design

[8]        prEN 954-2:1998, Safety of machinery - Safety-related parts of control systems - Part 2: Validation

[9]        EN 1441:1997 Medical devices - Risk analysis

[10]     Draft EN xxxxx Explosives for civil uses - Detonators and relays , Part 27 Definitions, methods and requirements for electronic initiation systems

[11]     Determination of safety categories of electrical devices used in potentially explosive atmospheres: Report on Task 1: Derivation of Target Failure Measures

[12]     Determination of safety categories of electrical devices used in potentially explosive atmospheres: Report on Task 2: Assessment of Current Control System Standards, SAFEC project, Contract SMT4-CT98-2255, A. M. Wray, Engineering Control Group, Health & Safety Executive, 01/2000

[13]     Determination of safety categories of Electrical devices used in Potentially Explosive Atmospheres: Report on Task 3:, Identification of “Used Safety Devices”, SAFEC project, Contract SMT4-CT98-2255, E. Conde, LABORATORIO OFICIAL MADARIAGA (LOM), November 1999

[14]     Determination of safety categories of Electrical devices used in Potentially Explosive Atmospheres: Report on Task 4:, Study of “Used Safety Devices”, SAFEC project, Contract SMT4-CT98-2255, E. Faé, S. Halama, Institut National De L'Environnement Industriel Et Des Risques (INERIS), November 1999

[15]     EN 50014:1999 Electrical apparatus for potentially explosive atmospheres - General requirements

[16]     EN 50016:1995 Electrical apparatus for potentially explosive atmospheres - Pressurised apparatus "p"

[17]     EN 50281-1-2:1999 Electrical apparatus for use in the presence of combustible dust - Part 1-2: Electrical apparatus protected by enclosure - Selection, installation and maintenance

[18]     EN 60079-10:1996 Electrical apparatus for explosive atmospheres - Part 10: Classification of hazardous areas

[19]     EN 60079-14:1997 Electrical apparatus for potentially explosive atmospheres  - Electrical installations in hazardous areas (other than mines)

[20]     EN 60079-17:1997 Electrical apparatus for potentially explosive atmospheres  - Inspection and maintenance of electrical installations in hazardous areas (other than mines)

[21]     prEN60079-19:1992 Installation of electrical apparatus in hazardous areas; Repair and overhaul for apparatus used in explosive atmospheres (other than mines)

[22]     SN 29000 Teil 1 - 14, Ausfallraten Bauelemente, Erwartungswerte, Allgemeines, Siemens AG, 11.1991

[23]     Reliability, Maintainability and Risk, Practical methods for engineers, David J. Smith, Butterworth Heinemann, Fifth Edition

[24]     Electrical apparatus for the detection and measurement of combustible or toxic gases or vapours or of oxygen; Requirements on the functional safety of fixed gas detection systems, First draft, 15.12.1999

[25]     TC31-WG9, CENELEC, Electrical equipment for potentially explosive atmospheres, Reliability of safety-related devices, 1. Draft proposal 1999-xx-yy, 12/02/1999.