Final report of the European SAFEC project
Note: this document is a partial translation of the final report of the European SAFEC project.
The original English edition is on the following page: Main report of the SAFEC project
Determination of safety categories of electrical devices used in potentially explosive atmospheres (SAFEC)
Contract SMT4-CT98-2255
Final report
Coordinator: AJ Wilday (Health and Safety Laboratory, United Kingdom)
Authors: AJ Wilday, AM Wray (HSL, United Kingdom)
F Eickhoff, M Unruh (DMT, Germany)
S Halama, E Faé (INERIS, France)
E Condé Lazaro, P Reina Perbal (LOM, Spain)
Project duration: January 1999 - May 2000
Report date: 10 July 2000
1 INTRODUCTION
1.1 Background
Electrical apparatus intended for use in explosive atmospheres relies on the correct functioning of the control systems or protective devices that are used to keep the apparatus within acceptable limits. Examples of such devices are motor protection circuits (to limit the temperature rise under stall conditions) and overpressure protection.
The approval and certification of electrical apparatus for explosive atmospheres therefore requires that, where such control and protective devices are used, an assessment be made of their suitability for the intended purpose. This should be expressed as a measure of the confidence that the devices will maintain the required level of safety at all times. This measure of confidence must be compatible with the EC ATEX Directive (1), the CENELEC standards (2-15) for electrical apparatus for use in potentially explosive atmospheres, and the relevant control system standards, e.g. (16, 17).
CENELEC identified a need for research to determine whether the existing and proposed standards in the field of safety-related control systems are fit for this purpose, and also a need to develop a methodology that provides the support required by the approval and certification process. Research proposals on this subject were invited under the Standards, Measurement and Testing (SMT) programme, and the SAFEC project was selected for funding. The project started in January 1999 and its end date, after an extension, is May 2000.
1.2 The SAFEC project
The overall objective of the SAFEC project (contract SMT4-CT98-2255) was to produce a harmonised system for subdividing the safety devices used in potentially explosive atmospheres, together with a methodology for selecting the appropriate subdivision of safety device for a particular application.
The SAFEC partners were the Health and Safety Laboratory of the Health and Safety Executive (HSL) in the United Kingdom (project coordinator), Deutsche Montan Technologie (DMT) in Germany, the Institut National de l'Environnement Industriel et des Risques (INERIS) in France and the Laboratorio Oficial J.M. Madariaga (LOM) in Spain.
The SAFEC project comprised six tasks:
- Task 1: derivation of target failure measures (all / HSL).
- Task 2: assessment of current control system standards against the target failure measures of Task 1 (HSL).
- Task 3: identification of the safety devices currently in use, with reference to the CENELEC standards (LOM).
- Task 4: study of the safety devices in use identified in Task 3 (INERIS).
- Task 5: determination of a testing, validation and certification methodology (DMT).
- Task 6: production of a final report, including a proposal for incorporation into European standards (all / HSL).
The reports on these project tasks form Annexes A to E, respectively, of this final project report.
1.3 Scope
The scope of the SAFEC project was limited to:
a) electrical apparatus falling within the requirements of the ATEX Directive (1), i.e. the emphasis was on what can be done by the manufacturer of equipment placed on the market (rather than on what should be done by the user of the equipment, which is covered under Article 118A (18)).
b) electrical apparatus for use in explosive atmospheres for which safety devices are relevant. This includes type "e" (increased safety) (7) and type "p" (pressurisation) (4).
c) all types of safety device. This includes those that are electrical, electronic or programmable electronic. Some of these devices may be relatively complex, so that the type and consequence of a failure or malfunction may be indeterminate, for example because failures may result from latent systematic faults. Less complex safety devices are also included, such as a switch that isolates the supply to pressure-resistant equipment when it is opened, or thermal fuses (where these are supplied by the manufacturer and not by the user).
The SAFEC project was concerned with specifying the reliability / fault tolerance / integrity of safety devices. These safety devices may be located inside or outside the hazardous area. If they are located inside the hazardous area, the safety device itself should be designed so as not to cause an ignition. The design of safety devices so that they are not themselves an ignition risk was not examined by the project.
Although the SAFEC project concerns safety devices for electrical apparatus, the results may also apply to non-electrical apparatus.
End of translation
1.4 Liaison with CENELEC and CEN
The partners of the SAFEC project worked co-operatively with the members of CENELEC Technical Committee 31, Working Group 09 (WG09), which is drafting a standard on “Reliability of safety-related devices”. It is intended that the SAFEC results will be utilised by WG09 in this standard. A number of joint meetings were held. Dr Eickhoff of DMT, who was one of the partners of the SAFEC project with responsibility for the delivery of Task 5, was also a member of WG09. He took over the role of convenor of WG09 in February 2000. During the course of the SAFEC project, liaison was also maintained with CEN Technical Committee 305, Working Group 2 (WG02), who are concerned with non-electrical sources of ignition. A representative of WG02 attended the joint meetings of SAFEC and WG09.
2. IDENTIFICATION OF SAFETY DEVICES
The SAFEC project is focused on safety, controlling and regulating devices. These are parts of equipment or protective systems, and have an autonomous safety function. Task 3 of the project (see Annex C), performed by LOM, was concerned with the identification of safety devices which are used within electrical apparatus for use within potentially flammable atmospheres and which therefore came within the scope of the SAFEC project. LOM reviewed relevant CENELEC standards (2-9), together with their database and manufacturers’ equipment catalogues. Information relating to safety devices was extracted.
A summary of the identified safety devices is given in Table 1. Each item includes an indication of whether the safety device is already specified in existing CENELEC standards or whether it would need to be handled by the standard being developed by WG09. It should be noted that the list is neither definitive nor exhaustive. However, it does establish a guide list of the sorts of safety devices that needed to be studied or considered within the SAFEC project.
Table 1 Examples of identified safety devices

Description of safety device | Specified by existing standard(s)?
Motor protection, especially for type 'e': thermal and current relays, PT100, switches | Yes. CENELEC
Overload monitoring devices for 'e' motors, which model the temperature-time characteristic | Yes. CENELEC
Thermal protection devices and non-electronic control units for heating systems | Yes. CENELEC
Overvoltage protection | Yes. CENELEC
Monitoring units for concentration of flammable gases, oxygen or inert gas levels, e.g. gas detectors, limit detectors for end of line | Yes. CENELEC
Systems for transmission and data acquisition (SCADA) for safety purposes, e.g. mining power shut-off in Group I | Yes. Existing national standards and codes of practice
PLC (programmable logic controller) units, including the application software, for safety purposes | No. To be covered by WG09
Level indicators and switches for liquids used to provide safety for submersible equipment | No. To be covered by WG09
Adjustable protection elements of AC converters for 'p', 'e', 'd' and 'n' type motors (current limitation, overload protection, thermal limitation, etc.) | No. To be covered by WG09
Electronic devices controlling flow, temperature and/or level of cooling (liquid or gas) for 'd', 'p' and 'e' motors | No. To be covered by WG09
Control devices for bearings in large rotating machines: lubrication and temperature control devices | No. To be covered by WG09
Pressure monitoring systems for type 'p' | No. To be covered by WG09
In belt conveyor systems, devices for controlling the alignment and slip of the belt | No. To be covered by WG09
For bucket elevators, anti-runback devices and belt speed meters to detect belt slip; also control of bearings, and detectors of feed rate to avoid overloads | No. To be covered by WG09
Some issues that came out of the identification exercise were:
· In some cases it can be difficult to differentiate between components and safety devices. This has to be considered carefully, because otherwise a large number of components could be regarded as safety devices (for example, safety barriers separating intrinsically-safe from non-intrinsically-safe circuits).
· The same device can provide different safety or protection levels depending on the particular situation in which it is applied (for example a thermocouple, whose signal may be used merely to monitor a temperature or to trip a disconnecting switch).
A table of safety devices, based on Table 1 and Annex C was further developed in conjunction with WG09. This table is given as Table A1 in Appendix 1.
3. REVIEW OF CONTROL SYSTEM STANDARDS
Task 2 of the SAFEC project, carried out by HSL, included a review of existing control system standards. Since safety devices are defined as having an autonomous safety function (or controlling function), it was expected that control system standards might be useful in defining the requirements for safety devices. The report on Task 2 of the project is Annex B of this report.
There are two standards which provide guidance on the design of control systems for use in safety-related applications:
· EN 954-1 (16), and
· IEC 61508 (17).
3.1 EN 954-1 requirements
EN 954-1 (16) allows control systems to be categorised as B, 1, 2, 3 or 4. The principles of EN 954-1 are based on fault tolerance. This is adequate for simple systems where there is a good understanding of the failure modes. However, it is less appropriate for more complex systems, including programmable systems, in which there is not a good understanding of fault behaviour.
EN 954-1 gives no means of assessing or ensuring the integrity of software.
EN 954-1 mentions maintenance, but gives little guidance. In any safety-related protection system (which may be called upon to operate only infrequently), regular manual proof testing is, in the absence of automatic diagnostics, an important factor in maintaining integrity: the average probability of failure on demand grows approximately linearly with the interval between manual proof tests, so halving the interval roughly halves it.
EN 954-1 is a concept standard, so does not give advice on the manufacture of the system being designed. A well-designed system that is not well manufactured or maintained could have a reduced integrity.
By assuming that subsystems are single components and applying the fault exclusion principle, it is possible to determine a Category without the need for complex calculation. However, the failure rate of a complex subsystem may be considerably higher than that of a single component. Therefore, the Category of a dual-channel subsystem cannot be considered equivalent to a dual-channel system at the component level, e.g. an interlock based on 2 relays cannot be compared with one based on two complex PLCs, even if both interlocks achieve Category 3. Hence, two systems, each having the same Category, may not necessarily have the same level of safety integrity (see 3.2 below for definition).
The Categories in EN 954-1 are not hierarchical.
3.2 IEC 61508 requirements
IEC 61508 (17) is a much later standard than EN 954-1, having been only recently published. IEC 61508 defines safety integrity levels (SIL) for safety-related control functions by taking into account:
· quantified reliability of the safety function (see Table 2). The failure-to-danger rate of the functions carried out by a safety-related system must be less than that which would lead to an unacceptable hazard rate. The quantified analysis of a system deals with the random hardware failure rate;
· qualitative reliability. The techniques used to design, maintain, etc. the system throughout its lifecycle must be sufficient to ensure that the rate of systematic failures is less than the random hardware failure rate; and
· architectural constraints, based on fault tolerance and fail-to-safety characteristics. These put a ceiling on the safety integrity level (SIL) that can be claimed for any particular system in order to ensure that uncertain reliability calculations, e.g., where reliability data are sparse, do not lead to an inflated SIL (see Table 3).
Table 2 Quantitative reliability requirements of IEC 61508

SIL | Probability of failure on demand (low demand mode of operation) | Frequency of dangerous failure per hour (continuous / high demand mode of operation)
4 | 10^-5 to < 10^-4 | 10^-9 to < 10^-8
3 | 10^-4 to < 10^-3 | 10^-8 to < 10^-7
2 | 10^-3 to < 10^-2 | 10^-7 to < 10^-6
1 | 10^-2 to < 10^-1 | 10^-6 to < 10^-5

Table 3 Architectural constraints of IEC 61508 (maximum SIL that may be claimed for a subsystem)

For type A safety-related subsystems

Safe failure fraction | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2
< 60 % | SIL1 | SIL2 | SIL3
60 % to < 90 % | SIL2 | SIL3 | SIL4
90 % to < 99 % | SIL3 | SIL4 | SIL4
≥ 99 % | SIL3 | SIL4 | SIL4

For type B safety-related subsystems

Safe failure fraction | Hardware fault tolerance 0 | Hardware fault tolerance 1 | Hardware fault tolerance 2
< 60 % | not allowed | SIL1 | SIL2
60 % to < 90 % | SIL1 | SIL2 | SIL3
90 % to < 99 % | SIL2 | SIL3 | SIL4
≥ 99 % | SIL3 | SIL4 | SIL4
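The following is an added worked example, not code from the SAFEC report or from IEC 61508 itself, showing how the three determinations listed in 3.2 combine: the quantified PFD result is read against Table 2, the safe failure fraction and hardware fault tolerance give a ceiling from Table 3, and the claimable SIL is the lower of the two. It assumes the simplified low-demand formulas of IEC 61508-6 (a single proof-test interval T1, repair time neglected, a common-cause factor beta for redundant channels) and uses constructed per-channel failure rates for a hypothetical PLC-based (type B) protective function; none of those numbers describe a real device. It also shows the proof-test point made about EN 954-1 in 3.1: the 1oo1 PFD scales with the proof-test interval.

```python
"""Combine IEC 61508 Table 2 (quantified PFD bands) with Table 3 (architectural
constraints) to find the SIL that may be claimed for a safety device.

Added illustration, not part of the SAFEC report. Assumptions: simplified
IEC 61508-6 low-demand PFD formulas (one proof-test interval T1, repair time
neglected, common-cause factor beta); all failure rates below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelRates:
    """Per-hour failure rates of one channel, split as IEC 61508 requires."""
    lam_sd: float  # safe, detected by diagnostics
    lam_su: float  # safe, undetected
    lam_dd: float  # dangerous, detected by diagnostics (taken to a safe state)
    lam_du: float  # dangerous, undetected (revealed only by a proof test)

    @property
    def lam_total(self) -> float:
        return self.lam_sd + self.lam_su + self.lam_dd + self.lam_du


def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF = (safe + dangerous-detected) / all failures = 1 - lam_du / lam_total."""
    return 1.0 - r.lam_du / r.lam_total


def pfd_avg(r: ChannelRates, t1_hours: float, hft: int = 0, beta: float = 0.0) -> float:
    """Average probability of failure on demand of a 1oo1, 1oo2 or 1oo3 group.

    Only undetected dangerous failures accumulate between proof tests, so the
    1oo1 result lam_du * T1 / 2 is linear in the proof-test interval.
    """
    x = r.lam_du * t1_hours  # expected undetected dangerous failures per interval
    if hft == 0:
        return x / 2
    if hft == 1:  # two independent channels plus a common-cause share beta
        return (1 - beta) ** 2 * x ** 2 / 3 + beta * x / 2
    if hft == 2:
        return (1 - beta) ** 3 * x ** 3 / 4 + beta * x / 2
    raise ValueError("hft must be 0, 1 or 2")


def sil_from_pfd(pfd: float) -> int:
    """Table 2, low-demand column; 0 means the device does not reach SIL1."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # 10^-5 to < 10^-4; anything lower is still capped at SIL4


# Table 3 as matrices indexed [SFF band][hardware fault tolerance]; 0 = not allowed.
_SFF_THRESHOLDS = (0.60, 0.90, 0.99)
_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


def max_sil_by_architecture(sff: float, hft: int, type_b: bool) -> int:
    """Ceiling on the claimable SIL from Table 3 (type B = complex or programmable)."""
    band = sum(sff >= t for t in _SFF_THRESHOLDS)
    table = _TYPE_B if type_b else _TYPE_A
    return table[band][min(hft, 2)]


def claimable_sil(r: ChannelRates, t1_hours: float, hft: int, type_b: bool,
                  beta: float = 0.0) -> int:
    """The claimable SIL is the lower of the quantified result and the ceiling."""
    by_pfd = sil_from_pfd(pfd_avg(r, t1_hours, hft, beta))
    by_arch = max_sil_by_architecture(safe_failure_fraction(r), hft, type_b)
    return min(by_pfd, by_arch)


# Constructed per-hour rates for a hypothetical PLC-based (type B) channel.
PLC_CHANNEL = ChannelRates(lam_sd=3e-7, lam_su=1e-7, lam_dd=3e-7, lam_du=2e-7)
YEAR_HOURS = 8760.0

if __name__ == "__main__":
    sff = safe_failure_fraction(PLC_CHANNEL)
    for hft, beta in ((0, 0.0), (1, 0.1)):
        pfd = pfd_avg(PLC_CHANNEL, YEAR_HOURS, hft, beta)
        print(f"HFT={hft} SFF={sff:.1%} PFDavg={pfd:.2e} -> "
              f"SIL by PFD {sil_from_pfd(pfd)}, "
              f"ceiling SIL{max_sil_by_architecture(sff, hft, True)}, "
              f"claimable SIL{claimable_sil(PLC_CHANNEL, YEAR_HOURS, hft, True, beta)}")
    # Quadrupling the proof-test interval quadruples the 1oo1 PFD.
    print(pfd_avg(PLC_CHANNEL, 4 * YEAR_HOURS) / pfd_avg(PLC_CHANNEL, YEAR_HOURS))
```

With the constructed rates, the single-channel PLC reaches the SIL3 band on PFD alone (about 8.8e-4 with yearly proof tests) but, being type B with an SFF below 90 % and no fault tolerance, is capped at SIL1; adding a second channel lifts the ceiling only to SIL2. That is exactly the effect described above: uncertain reliability figures cannot inflate the SIL past what the architecture supports.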
3.3 Summary of the standards with respect to the ATEX Directive
The ATEX Directive (1) (see Annex B) requires that:
The time to detect a fault of a safety device shall be short, in order to give a high probability that the equipment will be put into a safe state before a dangerous situation can occur.
The design should take the mode of failure of components into account and ensure that the most probable failure modes of the components lead to a safe state.
In general, safety-related systems should be mechanical, pneumatic, hydraulic, electromechanical, electrical or electronic but not programmable.
Software should be designed to minimize the probability of systematic faults.
For Category 1 equipment, if a single protection system is used, this should have a fault tolerance of two. If multiple protection systems are arranged in a redundancy configuration, the design should tolerate the failure of a single channel. Therefore, the component fault tolerance must be two (single-channel protection) and the channel failure tolerance should be at least one (multiple-channel protection).
Category 2 equipment should tolerate "normally taken into account" single faults - faults considered to be credible by the designer and/or specified in relevant CENELEC standards.
There is no fault-tolerance requirement for Category 3 equipment.
There are no requirements for fail-safe fraction, diagnostics, diagnostic coverage or component/equipment failure rates. In this respect, the ATEX Directive appears to assume that the failure rate of a fault tolerant system is likely to be low over the lifetime of the equipment. This may be difficult to justify without further qualification.
However, these ATEX Directive requirements lead to concerns that:
- Although all the parameters required in a quantified risk assessment seem to have been covered, these parameters have been considered individually as if they are independent. Unfortunately, they are not;
- In trying to measure integrity in terms of fault tolerance, the Directive does not take into account reliability.
These concerns may not be a problem when safety devices are fully specified by existing CENELEC standards. However, the SAFEC project is concerned with specifying the requirements for safety devices which are not already fully specified and may perhaps be implemented using novel technology (PLC etc.).
A summary of how the two control system standards, EN 954 (16) and IEC 61508 (17) are useful in defining the requirements of safety devices under the ATEX Directive (1) is as follows:
IEC 61508 takes an overall approach to safety integrity and covers all types of electronic safety-related systems, whereas EN 954-1 is not suited for application to programmable systems.
IEC 61508 gives a determination of integrity but EN 954-1 is based on fault tolerance.
IEC 61508 uses fault tolerance only to determine a ceiling for the SIL that can be claimed for a system and even then uses this only in conjunction with diagnostic coverage (or fail-safe fraction).
EN 954 is based on fault tolerance; however, it does not have a category corresponding directly to a fault tolerance of 2 as required by the ATEX Directive for Category 1 of equipment-group II. EN 954 has 5 categories for describing control systems:
- Category B has a fault tolerance of 0;
- Category 1 has a fault tolerance of 0;
- Category 2 has a fault tolerance of 0 but has automatic monitoring;
- Category 3 has a fault tolerance of 1, and
- Category 4 has:
- a fault tolerance of 1 with automatic monitoring, or
- a fault tolerance of 2 or more.
IEC 61508 (or industry-specific standards that will be based on it) is likely to be the dominant standard for all future safety-related systems using complex and programmable components.
IEC 61508 allows the integrity of systems containing programmable electronics to be determined and, as a result, will allow the integrity of these systems to be determined in the future when they eventually become widespread in this type of application.
It will be realised that either standard could be used to determine the integrity of equipment intended for a hazardous atmosphere; but:
- IEC 61508 would provide a better indication of system integrity; however,
- neither standard would fully provide the ATEX requirements of fault tolerance which are required by legislation to be followed by any standard appropriate to equipment for use in hazardous zones.
EN 954 can be used for simple safety devices, e.g. mechanical interlocks, especially where the appropriate CENELEC standard refers to EN 954. However, it is recognised that some existing CENELEC standards make reference to EN 954 in cases where nowadays it would be more appropriate to refer to IEC 61508, particularly for complex or programmable safety devices.
Therefore, it is proposed that any industry-specific standard for complex and programmable safety devices should be based on IEC 61508 but have an additional requirement, based on fault tolerance, which will ensure that the fault tolerance requirements of the ATEX Directive are met:
- a fault tolerance of 2 is required by the ATEX Directive for the protection system of Category 1 equipment when the protection system is the sole means of protection against explosion;
- a fault tolerance of 1 is required by the ATEX Directive for the protection system of Category 2 equipment when the protection system is the sole means of protection against explosion;
- a fault tolerance of 0 is required by the ATEX Directive for the protection system of Category 3 equipment.
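The following Python is an added example, not code from the SAFEC report: it encodes the IEC 61508 architectural-constraint tables (the type B rows are Table 3 above; the type A rows are the corresponding IEC 61508-2 table) together with the ATEX fault-tolerance requirement listed above, so that a candidate safety device can be checked against both at once. The subsystem types, SFF and HFT values used in the usage lines are constructed.

```python
"""Architectural-constraint check for a safety-device subsystem.

Added example for the SAFEC discussion of section 3; it is not code from the
report.  It encodes the IEC 61508 maximum-SIL tables for type A and type B
subsystems and the ATEX fault-tolerance requirement per equipment category.
"""

# Maximum SIL claimable for a subsystem, indexed by safe failure fraction (SFF)
# band and hardware fault tolerance (HFT 0, 1, 2).  None means "not allowed".
# Band lower bounds are inclusive; the top band is taken as SFF >= 99 % so that
# a subsystem with exactly 99 % SFF is assigned a row (IEC 61508 writes it so).
MAX_SIL_BY_SFF_BAND = {
    # (lower bound of SFF band, (HFT 0, HFT 1, HFT 2))
    "A": [(0.00, (1, 2, 3)), (0.60, (2, 3, 4)), (0.90, (3, 4, 4)), (0.99, (3, 4, 4))],
    "B": [(0.00, (None, 1, 2)), (0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4))],
}

# Fault tolerance the ATEX Directive requires of a protection system that is the
# sole means of protection, by ATEX equipment category (section 3.1 above).
ATEX_REQUIRED_FAULT_TOLERANCE = {1: 2, 2: 1, 3: 0}


def max_sil(subsystem_type, sff, hft):
    """Return the highest SIL the architectural constraints allow, or None."""
    if subsystem_type not in MAX_SIL_BY_SFF_BAND:
        raise ValueError("subsystem type must be 'A' or 'B'")
    if not 0.0 <= sff <= 1.0:
        raise ValueError("SFF must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("the tables cover HFT 0, 1 and 2 only")
    ceiling = None
    for lower_bound, sils in MAX_SIL_BY_SFF_BAND[subsystem_type]:
        if sff >= lower_bound:
            ceiling = sils[hft]  # keep the last band whose lower bound is met
    return ceiling


def assess_device(atex_category, subsystem_type, sff, hft):
    """Combine the ATEX fault-tolerance test with the IEC 61508 SIL ceiling.

    Returns (fault_tolerance_ok, max_sil).  A device can pass the ATEX
    fault-tolerance requirement and still be capped at a low SIL, which is
    the point made in section 3.1: fault tolerance alone does not fix
    integrity; diagnostic coverage (SFF) matters as well.
    """
    required = ATEX_REQUIRED_FAULT_TOLERANCE[atex_category]
    return hft >= required, max_sil(subsystem_type, sff, hft)


if __name__ == "__main__":
    # Constructed illustration: a programmable (type B) device with two
    # redundant channels but poor diagnostics, offered for Category 1 duty.
    print(assess_device(1, "B", 0.55, 2))  # (True, 2): tolerant enough, capped at SIL2
    print(assess_device(1, "B", 0.95, 2))  # (True, 4)
    print(assess_device(2, "B", 0.50, 0))  # (False, None): not allowed at all
```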
4. CHOICE OF TARGET FAILURE MEASURES
4.1 Types of target failure measure
The choice of target failure measure is discussed fully in Annex A. The following types of target failure measure are possible, as highlighted by the discussion of control system standards in section 3 above:
- fault tolerance - the number of faults which must be tolerated by the system before the loss of safety function;
- reliability, e.g. the maximum frequency of occurrence of faults or the maximum probability of failure on demand;
- functional safety management – to reduce the likelihood of systematic faults in hardware and software during all stages in the lifecycle.
For the purposes of this report, which is concerned only with failures to danger, and, in the absence of any alternative concise and convenient term, the term “reliability” is used to refer only to those failures which result in the system in which they occur moving to a less-safe state.
4.2 Discussion
The ATEX Directive (1) sets requirements in terms of fault tolerance. This can be summarised as follows:
- For Category 1 equipment, if a single means of protection is used, this should have a fault tolerance of two. If multiple protection systems are arranged in a redundancy configuration, the design should tolerate the failure of a single channel.
- Category 2 equipment should tolerate "normally taken into account" single faults. Such credible faults would sometimes be defined by the relevant CENELEC standards.
- There is no fault-tolerance requirement for Category 3 equipment, i.e. it shall be safe in normal operation.
However, the integrity of any system with a fault tolerance greater than 0 will be dependent on the automatic diagnostic and manual proof tests (including the intervals between them) carried out on the system. Therefore, a requirement for a particular level of fault tolerance is an incomplete requirement for defining system integrity for complex and/or programmable systems.
For example, consider a system designed to have a fault tolerance of 1. If that system is never tested, eventually a fault will occur. The system now has a fault tolerance of 0 and this situation will remain until a test, that will identify the fault, is carried out and the system is repaired. All that can be stated regarding a system with a fault tolerance of 1 is that its integrity is likely to be higher than that of a system with a fault tolerance of 0 and likely to be lower than that with a fault tolerance of 2. However, even this limited statement assumes that the proof-test interval and the failure rate of the components/channels are approximately the same in all cases.
Possible target failure measures, which are defined within existing standards, are:
- safety integrity level (SIL), as defined in IEC 61508 (17); and
- categories, as defined by EN 954 (16).
These were discussed in section 3 above. It is noted that CENELEC TC31 Working Group 9 (WG09) had independently reached the conclusion that IEC 61508 SIL was an appropriate target failure measure for safety devices. The draft standard which they were developing (19) was attempting to define the required SIL for safety devices on each of the different ATEX categories of electrical apparatus. However, some existing CENELEC standards make reference to EN 954.
It was decided that the target failure measures for safety devices should be as follows:
1. The fault tolerance requirement of the ATEX Directive shall be met.
2. In addition,
- complex/programmable systems should achieve the relevant safety integrity level (SIL);
- simple systems should meet the EN 954 category which achieves the relevant ATEX fault tolerance requirement.
However, it was also recognised that some safety devices may already be fully specified within relevant CENELEC standards, e.g. references (2-15). In these cases, it may not be necessary to further specify the safety device in terms of IEC 61508 or EN 954. Table 1 has identified some example safety devices for which this is the case.
5. CALIBRATION OF SIL REQUIREMENTS FOR COMPLEX AND/OR PROGRAMMABLE SAFETY DEVICES
5.1 Introduction
Since SIL is to be used as target failure measure for complex/programmable safety devices, it is necessary to define or calibrate the SIL required for each ATEX equipment category. The ATEX Directive (1) defines two Groups of application of electrical equipment, each of which has Categories of electrical equipment according to the level of protection required:
Group I comprises mining applications where the flammable material is methane (firedamp) or flammable dust:
- Category M1 means that the equipment is required to remain functional in an explosive atmosphere.
- Category M2 equipment is intended to be de-energised in the event of an explosive atmosphere.
Group II comprises other applications where equipment is to be used in a potentially explosive atmosphere:
- Category 1 equipment is intended for use in Zone 0 and/or 20, where explosive atmospheres are present continuously, for long periods of time or frequently.
- Category 2 equipment is intended for use in Zone 1 and/or 21, where explosive atmospheres are likely to occur.
- Category 3 equipment is intended for use in Zone 2 and/or 22, where explosive atmospheres are less likely to occur, and if they do occur, do so infrequently and for only a short period of time.
The SIL required to be calibrated by the SAFEC project is that for a safety device which forms part of the electrical equipment. The remainder of the equipment is the “equipment under control” (EUC) as defined in IEC 61508 (17). This is illustrated in Figure 1.
Figure 1 Definition of terms
The requirement is to calibrate the SIL needed for each ATEX equipment category and hence for each hazardous zone. However, it needs to be remembered that a target SIL requirement applies to a particular safety function, not to a safety device. According to IEC 61508 (17), the safety function may be implemented by a range of technologies and each may achieve a part of the required risk reduction. This is illustrated in Figures A.1 and A.2 of Part 3, Annex A of IEC 61508, on which Figure 2 is based.
External risk reduction facilities and “other technology” safety systems may include factors such as an operating procedure for pressurised equipment which prohibits the opening of the pressurised cabinet if an external flammable atmosphere is detected (see 5.4.1, function 2). The E/E/PE safety-related systems may include both the safety device and the power supply for the apparatus being protected (see 5.4.1, function 1).
Figure 2 Risk concepts from IEC 61508
The objective here is to calibrate the required risk reduction and hence the SIL required for the safety function of preventing ignition of a potentially explosive atmosphere. Three approaches were used to calibrate the SILs required:
- Use of individual risk criteria to determine the necessary risk reduction;
- Use of accident statistics to attempt to determine the SIL for existing equipment;
- Estimation of SILs of safety devices within existing equipment.
These are discussed in more detail in the following sections.
5.2 Use of individual risk criteria
A review of possible risk criteria was undertaken during Task 1 of the project and is included in Annex A. The use of such criteria to calibrate SILs was undertaken during Task 2 and is reported in detail in Annex B.
The probability of a flammable gas being present in a particular zone is normally defined in a qualitative way, e.g., continuous, frequent or less frequent. Reference (20) provides a convenient quantitative definition of the zones in terms of the time that flammable gas would be expected to be present. This is:
Zone 0: >1000 hours per year;
Zone 1: <=1000 but >10 hours per year, and
Zone 2: <=10 hours per year.
It should be noted that these values have not been well accepted in all industrial sectors so, although they have been considered by CENELEC working groups, they have not been incorporated in standards. For the purpose of calculations here, Zone 1 was divided into two equal zones each covering a factor of 10 leading to the values shown in Table 4. In all cases, the probability of occurrence corresponds to the worst-case probability for the particular zone.
Table 4 Probability of an explosive atmosphere being present

| Zone | Quantitative assumption (hrs/yr) | Probability of occurrence (%) |
|---|---|---|
| 0 | >1000 | 100 |
| 1H | <1000 and >100 | 10 |
| 1L | <100 and >10 | 1 |
| 2 | <10 | 0.1 |
The HSE document Tolerability of risk from nuclear power stations (21) indicates that a probability of death of 10^-3 per year is intolerable for a worker and 10^-4 per year is intolerable for a member of the public. In the other direction, a probability of death of 10^-6 per year would be considered to be acceptable. Based on these overriding criteria, we can determine a coarse estimate of the system integrity, as shown in Table 5. The shaded column (the 10 per 10^6 yrs column of Table 5) corresponds to a tolerable risk criterion of 10^-5 per year of death. This is the criterion used in reference (22).
Table 5 Coarse estimate of integrity requirement based on risk tolerability criteria

| | | | | | Unit |
|---|---|---|---|---|---|
| Probability of death to be achieved | 1,000 | 100 | 10 | 1 | per 10^6 yrs |
| Number of workers/members of the public present [1] | 0.2 | 0.2 | 0.2 | 0.2 | |
| Required risk reduction: | | | | | |
| Maximum possible failure frequency, assuming a continuous source of ignition, Zone 0 | 0.57 | 0.057 | 0.006 | 0.0006 | per 10^6 hrs |
| Maximum possible failure frequency, assuming a continuous source of ignition, Zone 1H | 5.7 | 0.57 | 0.06 | 0.006 | per 10^6 hrs |
| Maximum possible failure frequency, assuming a continuous source of ignition, Zone 1L | 57 | 5.7 | 0.57 | 0.06 | per 10^6 hrs |
| Maximum possible failure frequency, assuming a continuous source of ignition, Zone 2 | 570 | 57 | 5.7 | 0.57 | per 10^6 hrs |
| Equivalent safety integrity requirement: | | | | | |
| SIL required to achieve target [2], Zone 0 | SIL2 | SIL3 | SIL4 | SIL5 [3] | |
| SIL required to achieve target, Zone 1H | SIL1 | SIL2 | SIL3 | SIL4 | |
| SIL required to achieve target, Zone 1L | SIL1 [4] | SIL1 | SIL2 | SIL3 | |
| SIL required to achieve target, Zone 2 | SIL1 [5] | SIL1 [6] | SIL1 | SIL2 | |

Notes to Table 5:

1 This assumes 20 deaths per 100 explosions involving pressurization systems.

2 This is the SIL of the overall safety function and includes all protection measures/devices. It is based directly on the maximum allowable failure frequency of the safety function, from the rows above, and assumes continuous operation of the safety function with the SIL taken from Table 2.

3 SIL5 is outside the range of achievable SILs considered by IEC 61508; however, SIL 5 has been used here in order to make the table more meaningful.

4, 5 and 6 SIL1 represents the minimum integrity requirement of IEC 61508 for a system defined as being safety-related; therefore, SIL1 must apply to these positions.
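The arithmetic behind Table 5, carried through in Python as an added example (not code from the SAFEC report): tolerable death probability per year, divided by deaths per explosion (note 1) and by the worst-case gas probability of Table 4, gives the highest failure frequency the safety function may have, which is then placed in the IEC 61508 continuous-mode SIL bands. The HSE criteria, the 0.2 deaths per explosion and the end-of-scale conventions (notes 3 to 6) are taken from the text; the band limits are the IEC 61508 ones.

```python
"""Individual-risk calibration of the required SIL, following Table 5.

Added example reproducing the report's arithmetic; it is not code from the
SAFEC project.  Assumptions match the text: 0.2 deaths per explosion (note 1),
worst-case gas probabilities from Table 4, and the IEC 61508 continuous-mode
SIL bands (dangerous failures per hour).
"""

HOURS_PER_YEAR = 8760
DEATHS_PER_EXPLOSION = 0.2  # note 1: 20 deaths per 100 explosions

# Worst-case probability that an explosive atmosphere is present (Table 4).
GAS_PRESENT_PROBABILITY = {"0": 1.0, "1H": 0.1, "1L": 0.01, "2": 0.001}

# Tolerable probability of death per person per year, from the HSE criteria
# discussed above: 10^-3 (intolerable, worker) down to 10^-6 (acceptable).
RISK_CRITERIA_PER_YEAR = (1e-3, 1e-4, 1e-5, 1e-6)

# IEC 61508 continuous / high-demand mode: (SIL, lower bound, upper bound) of
# the dangerous failure rate per hour.
CONTINUOUS_MODE_SIL_BANDS = (
    (4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5),
)


def sil_for_failure_rate(rate_per_hour):
    """Map a dangerous failure rate (per hour) to a continuous-mode SIL.

    Follows the report's conventions at the ends of the scale: a rate above
    the SIL1 band still needs SIL1 (notes 4 to 6) and a rate below the SIL4
    band is labelled "SIL5" to keep the table readable (note 3).
    """
    for sil, lower, upper in CONTINUOUS_MODE_SIL_BANDS:
        if lower <= rate_per_hour < upper:
            return sil
    return 5 if rate_per_hour < 1e-9 else 1


def max_failure_rate(death_probability_per_year, zone):
    """Highest dangerous failure rate (per hour) of the safety function that
    still meets the individual-risk criterion, assuming a continuous source of
    ignition so that every failure while gas is present causes an explosion."""
    explosions_per_year = death_probability_per_year / DEATHS_PER_EXPLOSION
    failures_per_year = explosions_per_year / GAS_PRESENT_PROBABILITY[zone]
    return failures_per_year / HOURS_PER_YEAR


def table5():
    """Return {zone: [(rate per 10^6 h, SIL), ...]} for the four risk criteria,
    in the column order of Table 5 (1,000; 100; 10; 1 per 10^6 yrs)."""
    result = {}
    for zone in GAS_PRESENT_PROBABILITY:
        cells = []
        for criterion in RISK_CRITERIA_PER_YEAR:
            rate = max_failure_rate(criterion, zone)
            cells.append((round(rate * 1e6, 4), sil_for_failure_rate(rate)))
        result[zone] = cells
    return result


if __name__ == "__main__":
    for zone, cells in table5().items():
        print(f"Zone {zone:>2}: " + "  ".join(f"{r:>9} /10^6 h -> SIL{s}" for r, s in cells))
```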
5.3 Use of accident statistics
It can be assumed that existing certified electrical equipment is of adequate integrity, given that there is no history of explosions which have been ignited by certified electrical equipment. Discussion with a UK manufacturer of pressurization systems has indicated that about 18,000 [1] such systems have been put into service in the UK over the past 20 years. Assuming a life expectancy in the region of 8 years, this suggests an average of about 6,000 systems have been in use over this time.
The partners were not aware of any explosions resulting from the failure of a pressurization system. Therefore, this sets a lower limit on the integrity of pressurization systems over the past 20 years, as shown in Table 6, below. The values in Table 6 were calculated on the assumption that, if no explosions occur over N operating hours, the probability of an explosion occurring in the next N operating hours is 0.5 (see also Annex B).
Table 6 suggests that the integrity of existing pressurization systems is:
SIL1, if they have been mainly used in Zone 2;
SIL2, if they have been mainly used at the lower end of Zone 1, or
SIL3, if they have been mainly used at the upper end of Zone 1.
However, as the probability of gas in the majority of Zone 1 environments will probably lie near the lower end of the zone (i.e., Zone 1L as shown in Table 6) with few at the upper end (shown as Zone 1H), Table 6 should not be considered to indicate that existing pressurization systems are able to achieve SIL3.
It is understood that pressurization systems are used:
- in Zone 1 with incendive equipment. In this case, the equipment is tripped if pressurization were to fail and an alarm is given.
- to protect Zone 2-type equipment in Zone 1. In this case, if pressurization were to fail an alarm is given.
- to protect incendive equipment in Zone 2. In this case, if pressurization were to fail an alarm is given.
Table 6 SIL indications from accident records

| | Assumed zone of operation [1] | | | Units |
|---|---|---|---|---|
| | Zone 1H | Zone 1L | Zone 2 | |
| Period of study | 20 | 20 | 20 | years |
| Number of systems in use in the UK over this period | 6,000 | 6,000 | 6,000 | |
| Total operating period | 1,051,920,000 | 1,051,920,000 | 1,051,920,000 | system-hours |
| Probability of gas presence [2] | 0.032 | 0.0032 | 0.00032 | |
| Operating period with gas present | 33,661,440 | 3,366,144 | 336,614 | "gas" hours |
| Number of known explosions | 0 | 0 | 0 | |
| Indicated dangerous failure rate for each system | 0.015 | 0.15 | 1.5 | per 10^6 hrs |
| Indicated SIL for the overall safety system [3] | SIL3 | SIL2 | SIL1 | |

Notes to Table 6:

1 The data in each of the columns have been calculated on the basis that all systems were used in the single specified zone.

2 It would be inappropriate to use the worst-case probabilities for the presence of flammable gas in the calculations in this particular table, as we must use an estimate of the actual probability. Without any prior knowledge of the distribution of this probability, the logarithmic mean of the range of probabilities covered by each (sub)zone has been used. This is: Zone 1H - 3.2%; Zone 1L - 0.32% and Zone 2 - 0.032%.

3 This is the average SIL of the total configuration of safety-related systems. The pressurization control system (e.g., purge and shutdown systems) will contribute to this SIL together with other systems, e.g., the air supply.
The equipment may be used in either Zone 1 or Zone 2, but for Zone 2 the pressurisation system would be less sophisticated and without automatic purging. Table 6 strongly suggests that the overall integrity of existing pressurization systems is at least SIL1. The available data is insufficient to prove that the SIL is higher than this. The SIL estimation is based on the best information available but a number of assumptions have been made.
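The zero-accident estimate of Table 6, reproduced in Python as an added example (not code from the SAFEC report). It uses the report's figures (6,000 systems, 20 years, the logarithmic-mean gas probabilities of note 2, and 8,766 hours per year, which is what 1,051,920,000 system-hours implies); the tabulated failure rates correspond to lambda = 0.5 / N for N accident-free "gas" hours, the first-order form of the report's "probability 0.5 in the next N hours" assumption. The inversion at the end (accident-free hours needed to indicate a given SIL) is an added extension, not a figure from the report.

```python
"""Zero-accident estimate of the integrity of existing pressurization systems
(Table 6).  Added example, not code from the SAFEC report.
"""

HOURS_PER_YEAR = 8766            # implied by 20 yr x 6,000 systems = 1,051,920,000 h
SYSTEMS_IN_USE = 6_000
PERIOD_YEARS = 20
KNOWN_EXPLOSIONS = 0

# Logarithmic mean of the probability range of each (sub)zone, note 2 to Table 6.
GAS_PRESENT_PROBABILITY = {"1H": 0.032, "1L": 0.0032, "2": 0.00032}

# IEC 61508 continuous / high-demand mode bands, dangerous failures per hour.
CONTINUOUS_MODE_SIL_BANDS = (
    (4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5),
)


def sil_for_failure_rate(rate_per_hour):
    """Continuous-mode SIL for a dangerous failure rate; None outside the bands."""
    for sil, lower, upper in CONTINUOUS_MODE_SIL_BANDS:
        if lower <= rate_per_hour < upper:
            return sil
    return None


def indicated_failure_rate(gas_hours, explosions=0):
    """Dangerous failure rate per system-hour indicated by an operating record.

    With no explosions the report's values follow lambda = 0.5 / N.  With one
    or more explosions the plain observed rate k / N is returned; that case is
    an assumption of this example and does not occur in Table 6.
    """
    if gas_hours <= 0:
        raise ValueError("need a positive number of gas-present hours")
    if explosions == 0:
        return 0.5 / gas_hours
    return explosions / gas_hours


def table6(zone):
    """Return the Table 6 column for the given assumed zone of operation."""
    system_hours = SYSTEMS_IN_USE * PERIOD_YEARS * HOURS_PER_YEAR
    gas_hours = system_hours * GAS_PRESENT_PROBABILITY[zone]
    rate = indicated_failure_rate(gas_hours, KNOWN_EXPLOSIONS)
    return {
        "system_hours": system_hours,
        "gas_hours": round(gas_hours),
        # two significant figures, as printed in the table
        "rate_per_1e6_h": float(f"{rate * 1e6:.2g}"),
        "sil": sil_for_failure_rate(rate),
    }


def accident_free_hours_for_sil(sil):
    """Accident-free "gas" hours needed before the 0.5 / N rule indicates the
    given SIL (added inversion of the rule; shows why the record cannot prove
    more than SIL1 for the less-exposed zones)."""
    upper = {s: up for s, _, up in CONTINUOUS_MODE_SIL_BANDS}[sil]
    return 0.5 / upper


if __name__ == "__main__":
    for zone in GAS_PRESENT_PROBABILITY:
        print(zone, table6(zone))
    print("gas hours needed to indicate SIL3:", accident_free_hours_for_sil(3))
```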
5.4 Estimation of SILs for existing safety devices
Again, it can be assumed that existing certified electrical equipment is of adequate integrity, given that there is no history of explosions which have been ignited by certified electrical equipment. Therefore the SILs of existing safety devices can be assumed adequate. SILs for the following safety devices have been estimated during the SAFEC project:
- Two safety functions within a pressurisation system. This was done during Task 2 and further details are given in Annex B.
- Diode safety barrier. This was done during Task 4 and further details are given in Annex D.
- Level detection safety device. This was done during Task 4 and further details are given in Annex D.
- Pressure and temperature safety devices. This was done during Task 4 and further details are given in Annex D.
These are discussed further below.
5.4.1 Pressurisation system
A generic design of pressurisation equipment was provided by a manufacturer. This was assessed in order to estimate the SIL by component failure analysis for the two safety functions:
- Function 1: to turn off the equipment within the pressurized enclosure if the pressurization fails. The author understands that this function may not be used, depending on the application; however, for the purpose of this assessment, it will be assumed that this function is utilized. This will be referred to as Function 1.
- Function 2: to purge the enclosure prior to power being allowed to the equipment within it. This will be referred to as Function 2.
The pressurisation system design and failure rate calculations are detailed in Annex B. Component failure rates were taken from the literature and are also detailed in Annex B.
For function 1, the probability of failure on demand was estimated as 9.2 x 10^-4. However, loss of Function 1 will not lead to a failure of the pressurized enclosure unless it is associated with a simultaneous failure of the air supply. The failure rate of the air supply was estimated as 201 per 10^6 hours. This leads to an overall failure rate of the pressurized enclosure (i.e., loss of pressurization with equipment in the enclosure powered) of 0.18 per 10^6 hours, as shown in Column 2 of Table 7. This is equivalent to SIL 2. However, the overall probability of a pressurization failure with the power applied is proportional to the failure rate of the air supply, so an increase in the availability of compressed air will lead to a corresponding increase in the integrity of the safety function. For example, in practice, the air supply may:
- be a redundancy system in order to achieve a high availability for use by other systems in the plant associated with production, or
- lead to a shutdown of the plant if the air supply fails, thereby minimizing the probability of subsequent leakage of flammable substances.
The effect of improving the reliability of the air supply by a factor of 10, to 20 per 10^6 hours, is shown in the shaded column of Table 7. This would be equivalent to SIL 3 for the safety function.
Table 7 Determination of the hazard rate associated with Function 1

| Component | Item | Item | Unit |
|---|---|---|---|
| Probability of failure on demand: Function 1 (P = λ1·T/2) | 9.2 | 9.2 | x 10^-4 |
| Failure rate of air supply (λ2) | 201 | 20 | per 10^6 hrs |
| Failure rate of pressurization with power applied (P·λ2) | 0.18 | 0.02 | per 10^6 hrs |
| Safety integrity level of overall protection function (this has only been determined quantitatively and does not consider the qualitative requirements of IEC 61508) | SIL2 | SIL3 | |
For function 2, the estimated probability of failure on demand was calculated as 1.99 x 10^-3, equivalent to SIL2 (based solely on the quantitative analysis and not considering any of the qualitative requirements of IEC 61508). However, the reliability of achieving the safety function could be higher than this because the human nose can detect most gases at levels well below their lower explosive limit and it is considered unlikely that a pressurized enclosure would be opened if gas were smelled. The reliability of the operator would therefore contribute to achieving the safety function.
5.4.2 Diode safety barrier
Diode safety barriers are assemblies incorporating shunt diodes or diode chains (including zener diodes) protected by fuses or resistors or a combination of these. The diodes limit the voltage applied to an intrinsically safe circuit and a following infallible current limiting resistor limits the current which can flow into the circuit. These assemblies are intended for use as interfaces between intrinsically safe circuits and non-intrinsically safe circuits.
The diode safety barrier shall comply with the requirements of EN 50020 [8], which specifies in particular for safety devices that the assembly must contain:
- three diodes or three diode chains for category « ia » (safe with two faults and suitable for use in Zone 0),
- two diodes or two diode chains for category « ib » (safe with one fault and suitable for use in Zone 1).
The analysis of a category « ia » Zener diode safety barrier (see Annex D) indicates that it meets the SIL 4 level qualitative and quantitative requirements.
5.4.3 Level detection safety device
A safety low level detection system installed in a tank containing liquid or liquefied hydrocarbons was considered. The system is constituted of one detector connected to a processing unit to detect a low level in order to shut off the electric power. Such safety devices are required to prevent ignition by submersible equipment (see Table 1).
The assessment of the SIL for such a safety device is detailed in Annex D. If a single-channel processing unit design with a fault tolerance of 0 is selected, and if the following values are achieved for the overall safety level detection system: a failsafe fraction (FSF) below 60 % and a probability of failure on demand (PFD) of 1.7 x 10^-2, the safety level detection system can be graded as a safety-related control system and is compliant with the SIL 1 qualitative and quantitative requirements for a one-year term and for operation on demand.
5.4.4 Pressure and temperature safety devices
This could include the pressure trip within a pressurisation system (i.e. the same as function 1 in 5.4.1 above) and the temperature trip used to protect a motor from overheating.
Full details of the assessment are given in Annex D. If the power supply shut-off device is designed as a single channel with a fault tolerance of 0, with a failsafe fraction of 85 % and a PFD of 1.35 x 10^-3, the device meets the SIL 2 qualitative and quantitative requirements for operation on demand for a year and for a safety-related protection system.
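Section 5.4 mixes two target measures: Function 1 of the pressurisation system is judged by combining a probability of failure on demand with the failure rate of the air supply to give a hazard rate (Table 7, continuous-mode bands), whereas Function 2, the level detection device and the pressure/temperature trip are judged directly on their PFD (low-demand bands). The following Python is an added example (not code from the SAFEC report) that carries both calculations through with the values quoted in 5.4.1 to 5.4.4; the band limits are the IEC 61508 ones.

```python
"""SIL indications for the safety devices of section 5.4.
Added example, not code from the SAFEC report.
"""

# IEC 61508 continuous / high-demand mode: dangerous failures per hour.
CONTINUOUS_MODE_SIL_BANDS = (
    (4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5),
)
# IEC 61508 low-demand mode: average probability of failure on demand.
LOW_DEMAND_SIL_BANDS = (
    (4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1),
)


def _sil_in_bands(value, bands):
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return None  # outside the range IEC 61508 defines


def sil_for_pfd(pfd):
    """Low-demand SIL for an average probability of failure on demand."""
    return _sil_in_bands(pfd, LOW_DEMAND_SIL_BANDS)


def sil_for_failure_rate(rate_per_hour):
    """Continuous-mode SIL for a dangerous failure rate per hour."""
    return _sil_in_bands(rate_per_hour, CONTINUOUS_MODE_SIL_BANDS)


def pfd_from_failure_rate(dangerous_failure_rate_per_hour, proof_test_interval_hours):
    """Average PFD of a single channel, P = λ1·T/2 (heading of Table 7);
    the usual approximation, valid while λ1·T is small."""
    return dangerous_failure_rate_per_hour * proof_test_interval_hours / 2


def function1_hazard_rate(pfd, air_supply_failure_rate_per_hour):
    """Rate of 'pressurization lost with power applied' = P·λ2 (Table 7).
    Loss of Function 1 is only dangerous when the air supply also fails, so
    the PFD is multiplied by the rate of demands placed on the function."""
    return pfd * air_supply_failure_rate_per_hour


def table7(air_supply_failure_rate_per_1e6h, pfd=9.2e-4):
    """Return (hazard rate per 10^6 h, SIL) for one column of Table 7."""
    rate = function1_hazard_rate(pfd, air_supply_failure_rate_per_1e6h * 1e-6)
    return round(rate * 1e6, 2), sil_for_failure_rate(rate)


if __name__ == "__main__":
    print(table7(201))           # (0.18, 2): air supply as estimated, column 2 of Table 7
    print(table7(20))            # (0.02, 3): air supply ten times more reliable
    print(sil_for_pfd(1.99e-3))  # 2: Function 2, purge before power (5.4.1)
    print(sil_for_pfd(1.7e-2))   # 1: level detection device (5.4.3)
    print(sil_for_pfd(1.35e-3))  # 2: pressure / temperature trip (5.4.4)
```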
5.5 Discussion and calibration of risk reduction targets
A summary of the results of the above calculations for the purpose of calibrating the target risk reduction (SIL) requirement is given in Table 8.
It can be seen from Table 8 that there is a good degree of convergence between the different methods of calibrating the target risk reduction requirements for the different hazardous zones. The approach of the SAFEC project has been to find targets which are in line with published risk tolerability criteria and are also achievable by existing safety devices. The lack of any history of explosions ignited by certified electrical equipment strongly suggests that current designs of safety devices are adequate.
It is proposed that the target risk reduction requirements, for the safety function of protecting against a hypothetical case in which there is a source of ignition in normal operation, be defined according to Table 9. This hypothetical case was found to be a useful concept for the purposes of SIL calibration. However, it should not be taken to imply that the authors believe that apparatus with ignition sources during normal operation and protected only by a safety device would be a suitable design for use in a potentially explosive atmosphere. Indeed, the authors expect the results derived here to be used to fully specify safety devices within apparatus which is otherwise specified by CENELEC standards, such as references (2-15).
Table 8 Summary of calculations for calibrating target risk reduction requirement

| Section of report | Description of method | Target risk reduction requirement: Zone 0 | Zone 1 | Zone 2 |
|---|---|---|---|---|
| 5.2 | Use of individual risk criteria | SIL 3 | SIL 2 (Note a) | SIL 1 |
| 5.3 | Use of accident statistics applied to pressurised systems | | SIL 2 or SIL 3 | SIL 1 |
| 5.4.1 | Estimated SIL for pressurisation system. Turn off equipment if pressurisation fails. | | SIL 2 or SIL 3 (Note b) | |
| 5.4.1 | Estimated SIL for pressurisation system. Purge before allowing power onto equipment. | | SIL 2 (Note c) | |
| 5.4.2 | Estimated SIL for diode safety barrier | SIL 4 | | |
| 5.4.3 | Estimated SIL for low level detection system | | | SIL 1 (Note d) |
| 5.4.4 | Estimated SIL for pressure safety device | | SIL 2 (Note e) | |
| 5.4.4 | Estimated SIL for temperature safety device | | SIL 2 (Note f) | SIL 2 (Note f) |
Notes for Table 8
(a) This is the worst case, corresponding to the higher band of assumed probability that a flammable atmosphere would be present.
(b) SIL 3 is possible given a suitably reliable air supply.
(c) The overall integrity could be increased by suitable operating procedures, such that SIL 3 may also be possible.
(d) The assumed application was within an LPG tank. This will usually be non-flammable (above UFL) and will therefore correspond to Zone 2.
(e) This could be increased given a suitably reliable air supply (see 5.4.1)
(f) The temperature safety device is assumed to be on a motor intended for use in either Zone 1 or Zone 2.
Table 9 Proposed target risk reduction requirements for the hypothetical case of protecting against an ignition source during normal operation

| Hazardous Zone | ATEX equipment category | Target SIL requirement |
|---|---|---|
| 0 or 20 | 1 | SIL 3 |
| 1 or 21 | 2 | SIL 2 |
| 2 or 22 | 3 | SIL 1 |
It is very important to note that these target risk reduction requirements refer to the safety function and not to the safety device. The safety function may be partly achieved by design features of the certified electrical equipment other than the safety device. Indeed, for certified electrical equipment, such design features will usually be present to prevent there being a source of ignition during normal operation.
The proposals given in Table 9 can be used to revise a Table which was developed by WG09 (19). The result is Table 10.
Table 10 Proposed safety requirements for safety functions

| Hazardous Area | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 0 / Zone 20 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 1 / Zone 21 | Zone 2 / Zone 22 | Zone 2 / Zone 22 |
|---|---|---|---|---|---|---|---|---|
| Fault tolerance requirement of ATEX Directive | 2 | 2 | 2 | 1 | 1 | 1 | 0 | 0 |
| Equipment (EUC) fault tolerance | 2 | 1 | 0 | 1 | 0 | -1 | 0 | -1 |
| SIL of the safety function that the monitoring or control unit is providing | - | SIL 2 | SIL 3 | - | SIL 1 | SIL 2 | - | SIL 1 |
| Resulting equipment category (under ATEX) of the combination | category 1 | category 1 | category 1 | category 2 | category 2 | category 2 | category 3 | category 3 |

Note that a fault tolerance of “-1” implies that the equipment would be incendive in normal operation, without the intervention of the safety device.
Table 10 assumes that any feature of the certified electrical equipment which provides a level of fault tolerance will achieve a risk reduction equivalent to a SIL of 1. This is consistent with the fact that SIL 1 represents the minimum integrity requirement of IEC 61508 for a system defined as being safety-related.
6 DETERMINATION OF EN 954 CATEGORIES FOR SIMPLE SAFETY DEVICES
In section 4.2 above, it was concluded that simple safety devices should meet the EN 954 category, which achieves the relevant ATEX fault tolerance requirement. A suggested definition of “simple safety device” is one which is simple enough that all the failure modes can be identified.
The ATEX Directive (1) fault tolerance requirements can be summarised as follows:
- a fault tolerance of 2 is required by the ATEX Directive for the protection system of Category 1 equipment when the protection system is the sole means of protection against explosion;
- a fault tolerance of 1 is required by the ATEX Directive for the protection system of Category 2 equipment when the protection system is the sole means of protection against explosion;
- a fault tolerance of 0 is required by the ATEX Directive for the protection system of Category 3 equipment.
EN 954 has 5 categories for describing control systems:
- Category B has a fault tolerance of 0;
- Category 1 has a fault tolerance of 0;
- Category 2 has a fault tolerance of 0 but has automatic monitoring;
- Category 3 has a fault tolerance of 1, and
- Category 4 has:
- a fault tolerance of 1 with automatic monitoring, or
- a fault tolerance of 2 or more.
It therefore follows that the mapping between ATEX equipment categories and EN 954 categories for the safety devices is as given in Table 11. (Note that the addition of a safety device with a fault tolerance of zero to equipment with a fault tolerance of zero gives an overall fault tolerance of one.)
Table 11 EN 954 requirements for simple safety devices

Hazardous area | Fault tolerance requirement of ATEX Directive | Equipment (EUC) fault tolerance | EN 954 category of the monitoring or control unit | Resulting equipment category (under ATEX) of the combination
Zone 0 / Zone 20 | 2 | 2 | - | ATEX category 1
Zone 0 / Zone 20 | 2 | 1 | B, 1, 2, 3 or 4 | ATEX category 1
Zone 0 / Zone 20 | 2 | 0 | 3 or 4 | ATEX category 1
Zone 1 / Zone 21 | 1 | 1 | - | ATEX category 2
Zone 1 / Zone 21 | 1 | 0 | B, 1, 2, 3 or 4 | ATEX category 2
Zone 1 / Zone 21 | 1 | -1 | 3 or 4 | ATEX category 2
Zone 2 / Zone 22 | 0 | 0 | - | ATEX category 3
Zone 2 / Zone 22 | 0 | -1 | B, 1, 2, 3 or 4 | ATEX category 3

Note that a fault tolerance of "-1" implies that the equipment would be incendive in normal operation, without the intervention of the safety device.
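As an added worked example (not part of the SAFEC report), the following Python regenerates Table 11 from the rules stated in this section: the fault tolerance the ATEX Directive requires per zone, the fault tolerance of each EN 954 category, and the combination rule in the note to the table. The note states only that equipment of fault tolerance 0 plus a device of fault tolerance 0 gives 1; reading this as "EUC fault tolerance + device fault tolerance + 1" for all combinations is my assumption, as is crediting Category 4 at its minimum fault tolerance of 1. Zone labels and function names are mine.

```python
"""Derive the EN 954 category requirements of Table 11 from the fault
tolerance rules of section 6 (added example, not part of the SAFEC report)."""

# Fault tolerance the ATEX Directive requires of the protection system,
# keyed by hazardous area (gas zone / dust zone), together with the ATEX
# equipment category that results for the combination.
ZONES = {
    "Zone 0 / Zone 20": {"required_ft": 2, "atex_category": 1},
    "Zone 1 / Zone 21": {"required_ft": 1, "atex_category": 2},
    "Zone 2 / Zone 22": {"required_ft": 0, "atex_category": 3},
}

# Minimum fault tolerance of each EN 954 category. Category 2 adds automatic
# monitoring but still tolerates no fault; Category 4 is taken at its minimum
# (fault tolerance 1 with monitoring) rather than the "2 or more" alternative.
EN954_MIN_FT = {"B": 0, "1": 0, "2": 0, "3": 1, "4": 1}

# Lowest equipment fault tolerance Table 11 considers: -1 means the equipment
# is incendive in normal operation unless the safety device intervenes.
MIN_EUC_FT = -1


def combined_fault_tolerance(euc_ft: int, device_ft: int) -> int:
    """Fault tolerance of equipment (EUC) protected by one safety device.

    Assumed reading of the note to Table 11 (equipment with fault tolerance 0
    plus a device with fault tolerance 0 gives 1): the device's own presence
    counts as one further fault the combination can survive.
    """
    return euc_ft + device_ft + 1


def allowed_en954_categories(zone: str, euc_ft: int):
    """EN 954 categories a simple safety device may have for this zone and EUC.

    Returns () when the equipment alone meets the ATEX requirement (shown as
    "-" in Table 11) and None when no category at its minimum fault tolerance
    is enough, which is outside the combinations Table 11 tabulates.
    """
    required = ZONES[zone]["required_ft"]
    if euc_ft >= required:
        return ()
    cats = tuple(
        cat for cat, ft in EN954_MIN_FT.items()
        if combined_fault_tolerance(euc_ft, ft) >= required
    )
    return cats or None


def describe(cats) -> str:
    """Render a category tuple in the report's style, e.g. 'B, 1, 2, 3 or 4'."""
    if cats is None:
        return "none sufficient"
    if not cats:
        return "-"
    if len(cats) == 1:
        return cats[0]
    return ", ".join(cats[:-1]) + " or " + cats[-1]


def build_table11():
    """Regenerate Table 11 row by row: one row per (zone, EUC fault tolerance)."""
    rows = []
    for zone, info in ZONES.items():
        req = info["required_ft"]
        # Table 11 lists EUC fault tolerances from the requirement down to,
        # at most, two below it, and never lower than -1.
        for euc_ft in range(req, max(req - 2, MIN_EUC_FT) - 1, -1):
            rows.append((zone, req, euc_ft,
                         describe(allowed_en954_categories(zone, euc_ft)),
                         info["atex_category"]))
    return rows


if __name__ == "__main__":
    print("Hazardous area | ATEX FT req. | EUC FT | EN 954 category | ATEX category")
    for zone, req, euc_ft, cats, atex in build_table11():
        print(f"{zone} | {req} | {euc_ft} | {cats} | {atex}")
```

Running the block prints the eight rows of Table 11. allowed_en954_categories() returns None for a combination the table does not cover, for instance Zone 0 with equipment of fault tolerance -1, where only a Category 4 device with a fault tolerance of 2 or more could meet the requirement and the minimum-based model does not credit it.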
7 METHODOLOGY FOR TESTING, VALIDATION AND CERTIFICATION
7.1 Introduction
Task 5 of the SAFEC project entailed the determination of a methodology for testing, validation and certification. It is described in detail in Annex E. The objective was to develop a certification scheme for safety devices, which come within the scope of the SAFEC project, and which is suitable for inclusion in the standard being drafted by WG09. Task 4 of the project was concerned with the study of safety devices and this task developed a methodology for determining the SIL of a safety device. Such a methodology is needed by the certification scheme and could be included as an informative annex within the standard. The case studies to calculate the SILs of particular safety devices are not suitable for inclusion as worked examples, however, because the examples were for the purpose of calibration and therefore were concerned with simple safety devices rather than complex ones. Task 4 is described in detail in Annex D.
This section of the report discusses the reasons for the certification scheme, which has been chosen. Appendix 1 gives details of the target failure measures, certification scheme and methodology for determining SIL. It is proposed that the information in Appendix 1 be incorporated into the WG09 standard.
7.2 Requirements of certification scheme
The first problem is to identify safety devices. The ATEX Guidelines (25) indicate that the main identification aspect for a safety device is the autonomous function for avoiding explosion risk. A thermal fuse is therefore a safety device. The certification scheme theoretically has to be applicable to these simple safety devices. However, it makes no sense to develop a new certification scheme for simple safety devices. There are already standards available for these devices. Therefore, the new aspects of the certification scheme are mostly to be used for complex safety devices, but must have no contradiction to available standards for simple safety devices. Table 1 has been prepared to define the safety devices not specified by available standards based on Task 3 of this research project. This has been further developed into Table A1 in Appendix 1, which indicates whether a particular safety device should be certified according to existing CENELEC standards, EN 954 or IEC 61508.
Within Table A1, a first classification is made in the following way:
- Whether the technical aspects of the safety device are defined in existing standards for explosion protection (in some cases they are mentioned in existing standards but not further defined; for an example see EN 50053-1, 6.1.1).
- Whether other standards are applicable (advice is given if known, for example EN or prEN).
- Whether the safety device is normally certified as a component (advice is C).
- Whether the safety device is normally certified as equipment (advice is E, although it can be installed outside the explosion protected area).
- Whether the safety device is a protective system according to 94/9/EC (advice is P).
For simple safety devices, no further assessment of the safety against faults is necessary. Table A1 indicates when the safety against faults of a device typically cannot be assessed by the explosion protection standards alone. Some simple safety functions can be realised, for example, with programmable logic controllers; in that case functional safety standards have to be used even though the explosion protection standards do not mention them. The assessment of more complex electric / electronic or programmable electronic devices could be made by:
- EN 954-1: especially when all failure modes can be fully described,
- IEC 61508: especially when the failure modes cannot be fully described (for example complex integrated circuits) and software is used.
The certification scheme for the functional safety of safety devices is independent of the certification scheme for the safety against potential ignition sources if the safety device is also in the scope of the ATEX Directive (1) as equipment. This is in general the same situation for gas measurement systems, for protection systems and safety devices.
A safety device can be based on several different technologies. The construction principle may be electrical / electronic or programmable electronic; in addition, mechanical, pneumatic, hydraulic and other technologies may be used. For example, a standard thermal protection relay, used for the protection of EEx "e" motors, consists of a bimetal heating system and several mechanical elements. The mechanical components are responsible for triggering the relay if one phase is disconnected, so the function and reliability of the overload relay also depend on mechanical components. IEC 61508 part 2, for example, cannot be applied in that case. A distinction must therefore be made between the certification scheme and the standards applicable to the different technologies: EN 954-1 and IEC 61508 may not be the only standards for assessment.
The certification scheme is mainly intended for the certification of products in the scope of the ATEX Directive (1). However, the products are used under the scope of the 118A Directive (18). There may also be safety aspects which are the responsibility of the user and communicated from the manufacturer to the user via the “Information for use”. Aspects of the safe use of products may be taken into account in the certification scheme if these technical aspects are different from existing standards for the use of explosion protected equipment.
The technical requirements (essential safety requirements ESR) of the ATEX Directive (1) are based on existing technical standards for explosion protection in group I and group II. The ESRs are not fully described in the Directive. The authors of the Directive take the existing standards for explosion protection into account. Many aspects seem to be open but are mostly written clearly in the standards for explosion protection.
The aspects of using the products are defined in the 118A Directive (18). The 'instructions for use' are the link between the manufacturer and the user, and the instructions are therefore given an important role. Under the existing standards for explosion protection, products are consequently certified with a view to the existing standards for installation, maintenance, repair etc., and for use.
A certification scheme for safety devices has to assess the required safety. Furthermore, the certification scheme has to include all the information for use and the special details necessary to decide about the user's application. For example, a safety device may be certified such that it can be used in an application with SIL 3. In this special application the safety device needs a manual periodic test every day; it cannot be used in explosion protection with the standard test rates / maintenance rates. There has to be information about proof intervals and maintenance rates if they differ from the commonly used rates. If this is not possible for the application of the equipment, every parameter for diagnostics, periodic test etc. has to be defined in the certification under worst-case conditions and given to the user in the instructions, to make sure that the equipment is used in a safe way and the necessary risk reduction is achieved in practical use for every application.
7.3 Selection of a concept for certification
Three possible concepts for certification were compared:
- A concept independent from technologies and application, based on EN 1441 (26).
- A concept based on a hierarchical structure of standards (A-, B- and C-type standards), based on EN 954 (16) and EN 1050 (27).
- A concept based on a life cycle structure, based on IEC 61508 (17).
It was concluded that the lifecycle approach of IEC 61508 is the most appropriate. The standard may appear to have the disadvantage of being applicable only to electric, electronic and programmable electronic systems, but this is not the case. IEC 61508 can be divided into two main parts:
- The systematic description of the overall life cycle of a system, which does not depend on a specific technology. This is located in part 1 of IEC 61508.
- The description of requirements based on safety integrity level (SIL) for electrical / electronic / programmable electronic safety-related systems. This is included in parts 2 - 7 of IEC 61508.
IEC 61508 describes the whole life cycle of equipment from concept to decommissioning or disposal. The validation and certification in general must be open for the application of different technologies and standards. This is possible in the life cycle scheme of IEC 61508. There is a possibility to use other standards. The verification process can take into account the different approaches of the applied standards.
Every life-cycle phase has a corresponding part in existing explosion protection standards (for example phases 12 and 14: standards for installation and maintenance). For a certification, the SIL (step 9) and steps 6, 7 and 8 have to be tested. It has to be checked whether phases 12 - 14 can be fulfilled within the scope of explosion protection.
A safety device based on other technologies can be certified according to step 10 with other standards. Table 11 has been provided by this project to define the allowable categories within EN 954-1 for particular applications within electrical equipment for use in potentially explosive atmospheres.
EN 954-1 gives no information about maintenance. Proof testing can be taken as a risk reduction facility, but applied standards such as EN 954-1 give no information about the proof-test interval, which will be required in the instructions for use, as the 118A Directive demands.
IEC 61508 contains a complete scheme for the handling of a product. This is an advantage over the other possible schemes.
Tables which map the lifecycle approach of IEC 61508 to the requirements for safety devices for explosion protection are included within Annex E. A complete mapping was possible.
7.4 Certification scheme
Feedback from users and manufacturers, on the above proposal to base the certification scheme on IEC 61508, indicated that this would be too complex and time-consuming for simple systems, particularly given that there is no evidence that explosions have been caused by electrical equipment designed for use in potentially explosive atmospheres. It is therefore proposed that the certification scheme should be based on the following:
- For electrical equipment and safety devices, which are fully specified within CENELEC or other standards, certification should be against the provisions of the relevant standard.
- For electrical equipment incorporating simple safety devices, the safety devices should be specified in terms of the relevant EN 954-1 category. Certification that the device achieves this category should be against the requirements of EN 954.
- For electrical equipment incorporating complex/programmable safety devices, the safety function should be specified in terms of the IEC 61508 SIL. The necessary risk reduction can then be allocated between available safety systems, including the safety device. Certification that the safety device achieves its required level of risk reduction should be against the requirements of IEC 61508.
The proposed certification scheme is given in Appendix 1.
The following limitations apply to this certification scheme, in terms of the need to certify complex and programmable safety devices against the requirements of IEC 61508:
- Some parts of IEC 61508 are currently only available in draft and the whole IEC 61508 is not harmonised. However, the issue of the remaining parts of IEC 61508 is in process and there is an intention to achieve harmonisation.
- A common database of component reliabilities is needed for the application of IEC 61508. Without such a database, certification will have to use available sources of data, e.g. (28-29), but equal levels of safety within different European countries cannot be guaranteed. However, any alternative certification schemes would either need a similar database or would have to ignore reliability aspects of certification and thereby risk compromising safety.
8 CONCLUSIONS
- Safety devices, as defined under the ATEX Directive (1), have an autonomous safety function. They may be implemented in a number of technologies. However, those which need to be defined by the SAFEC project (because they are not already defined in existing CENELEC standards) are mainly electric/electronic/programmable electronic in nature and are defined by Table 1.
- Control system standards have been reviewed in terms of their usefulness in defining the requirements of safety devices. A number of problems have been identified with the use of EN 954 because the defined categories are not hierarchical in terms of reliability/integrity. IEC 61508 is therefore preferred for complex or programmable safety devices.
- Safety devices should be certified according to the following:
- For electrical equipment and safety devices, which are fully specified within CENELEC or other standards, certification should be against the provisions of the relevant standard.
- For electrical equipment incorporating simple safety devices, the safety devices should be specified in terms of the relevant EN 954-1 category. Certification that the device achieves this category should be against the requirements of EN 954.
- For electrical equipment incorporating complex/programmable safety devices, the safety function should be specified in terms of the IEC 61508 SIL. The necessary risk reduction can then be allocated between available safety systems, including the safety device. Certification that the safety device achieves its required level of risk reduction should be against the requirements of IEC 61508.
- Safety integrity level (SIL) as defined by IEC 61508 is a suitable target failure measure for definition of complex or programmable safety devices. However, it will also be necessary to define additional fault tolerance requirements to conform with the ATEX Directive.
- SIL targets for safety functions and hence safety devices have been calibrated by considering individual risk criteria, accident statistics and the performance of existing safety devices. Good agreement was achieved between these different calibration methods. The results are presented in Table 10.
- The safety categories of EN 954-1 are a suitable target failure measure for simple safety devices. Table 11 defines the required categories for different applications.
- The following limitations apply to the need to certify complex/programmable safety devices against the requirements of IEC 61508:
- Some parts of IEC 61508 are currently only available in draft and the whole IEC 61508 is not harmonised. However, the issue of the remaining parts of IEC 61508 is in process and there is an intention to achieve harmonisation.
- A common database of component reliabilities is needed for the application of IEC 61508. Without such a database, certification will have to use available sources of data, e.g. (28-29), but equal levels of safety within different European countries cannot be guaranteed. However, any alternative certification schemes would either need a similar database or would have to ignore reliability aspects of certification and thereby risk compromising safety.
9 REFERENCES
- Directive 94/9/EC of the European Parliament and the Council of 23 March 1994 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres, Official Journal of the European Communities, 19/4/94
- EN 50014 Electrical apparatus for potentially explosive atmospheres. General requirements.
- EN 50015 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "o": oil immersion.
- EN 50016 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "p": pressurised apparatus.
- EN 50017 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "q": powder filling.
- EN 50018 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "d": flameproof enclosure.
- EN 50019 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "e": increased safety.
- EN 50020 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "i": intrinsic safety.
- EN 50028 Electrical apparatus for potentially explosive atmospheres. Specific requirements for the protective mode "m": encapsulation.
- EN 50039 Electrical apparatus for potentially explosive atmospheres. Systems.
- EN 50284 Special requirements for construction, test and marking of electrical apparatus of equipment Group II, Category 1G
- prEN 50303 Equipment intended for use in potentially explosive atmospheres, Group I, Category M
- EN 60079-14 Electrical apparatus for explosive gas atmospheres: Installation
- EN 60079-17 Electrical apparatus for explosive gas atmospheres: Maintenance
- EN 60079-19 Electrical apparatus for explosive gas atmospheres: Repair and overhaul
- EN 954-1 Safety of machinery. Safety-related parts of control systems
- IEC 61508 Functional safety of electrical, electronic and programmable electronic safety-related systems
- Directive 1999/92/EC of the European Parliament and of the Council of 16 December 1999 on minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres (15th individual Directive within the meaning of Article 16(1) of Directive 89/391/EEC)
- CENELEC TC31/WG09, Draft proposal for a European Standard, "Electrical Equipment of Potentially Explosive Atmospheres - Reliability of safety-related devices", 12.02.99
- Area Classification Code for Petroleum Installations (Part 15 of the Institute of Petroleum Model Code of Safe Practice in the Petroleum Industry), Institute of Petroleum/John Wiley, 1990
- The tolerability of risk from nuclear power stations, HSE/HMSO, 1992
- Institute of Petroleum Electrical Committee, "A risk based approach to hazardous area classification", Portland Press, 1998
- BIA, "Dokumentation Staubexplosionen, Analyse und Einzelfalldarstellung", Report 11/97, 1997
- A. W. Cox, F. P. Lees & M. L. Ang, "Classification of hazardous locations", Institution of Chemical Engineers, 1990
- ATEX Guidelines. Guidelines on the Application of Council Directive 94/9/EC of 23 March 1994 on the Approximation of the Laws of the Member States concerning Equipment and Protective Systems intended for Use in potentially explosive Atmospheres, Draft 3 February 1999
- EN 1441:1997 Medical devices. Risk analysis
- EN 1050:1997 Safety of machinery. Principles for risk assessment
- RDF 93, Recueil de données de fiabilité des composants électroniques (Electronic component reliability data handbook)
- A. Birolini, Quality and reliability of technical systems, Springer-Verlag
- Draft 5 (5/13/1996, ISA technical report)