Appendix 1 of the SAFEC project - guidelines for functional safety
APPENDIX 1
DETAILED GUIDELINES FOR TESTING, VALIDATION AND CERTIFICATION
A1.1 Scope
This certification scheme applies to safety devices as defined by the ATEX Directive (1) and which are a part of electrical equipment for use in potentially explosive atmospheres. It does not apply to the certification of “equipment” as defined by the ATEX Directive.
A1.2 Overview
The method of certification depends on the complexity of the safety device. Three cases are identified:
- For electrical equipment and safety devices, which are fully specified within CENELEC or other standards, certification should be against the provisions of the relevant standard.
- For electrical equipment incorporating simple safety devices, the safety devices should be specified in terms of the relevant EN 954-1 category. Simple safety devices are those for which the failure modes are known. Certification that the device achieves this category should be against the requirements of EN 954.
- For electrical equipment incorporating complex/programmable safety devices, the safety function should be specified in terms of the IEC 61508 SIL. The necessary risk reduction can then be allocated between available safety systems, including the safety device. Certification that the safety device achieves its required level of risk reduction should be against the requirements of IEC 61508.
Table A1 has been developed to indicate which types of safety device may fall under which of the three cases above. This will depend on the function of the safety device, the type of electrical equipment in which it is used and the technology of implementation. The first step in the certification is to determine which of the three cases apply.
For case 1, certification should be directly against the requirements of the applicable CENELEC standard. This case is identified by an “X” in the column “EN 50014ff” of Table A1.
For case 2, certification should be against the requirements of EN 954 (which are not detailed here). However, the allowable EN 954 categories of safety device for use in different applications are covered in A1.3 below. This case is identified by an “X” in the column “EN 954-1” of Table A1.
For case 3, certification is covered in A1.4 below. This case is identified by an “X” in the column “IEC 61508” of Table A1.
Table A1 Safety devices defined in the existing European Standards for explosion protection
| Standard | Clause | Safety Device | Component | Equipment | Protective Systems | EN 50014ff | Possible other Standards | EN 954-1 | IEC 61508 |
|---|---|---|---|---|---|---|---|---|---|
| EN 1127-1 | 6.2.2.2 | Gas-warning devices | | E | | X | EN | X | X |
| | 6.2.2.2 | Flow-control devices | | E | | X | | X | X |
| | 6.4.8 | Lightning protection | C | | | X | | | |
| | 6.5.3 | Explosion pressure relief devices | | | P | | prEN | | |
| | 6.5.4 | Explosion suppression devices | | | P | | prEN | X | X |
| | 6.5.5 | Flame barriers (various systems) | | | P | | prEN | | |
| | 6.5.5.2.1 | Deflagration arrester | | | P | | prEN | | |
| | 6.5.5.2.2 | Flame arrester | | | P | | prEN | | |
| | 6.5.5.2.3 | Detonation arrester | | | P | | prEN | | |
| | 6.5.5.2.4 | Flashback preventer | | | P | | prEN | | |
| | 6.5.5.3.2 | Rapid-action valves | | | P | | prEN | | |
| | 6.5.5.3.3 | Rotary valves | | | P | | prEN | | |
| | 6.5.5.3.5 | Double valves with their controls | | | P | | prEN | X | X |
| EN 50014 | 10. | Interlocking devices | | | | X | | | |
| | 18.2 | Electrically or mechanically interlocked disconnectors with a suitable load breaking device | C | | | X | | | |
| | 18.3 | An interlock for disconnectors in switchgear | | | | X | | | |
| | 18.5 | Short-circuit and earth fault relays | | E | | X | EN | | |
| | 18.6 | Doors and covers interlocked with a disconnector | | | | X | | | |
| | 19. | Interlocking for enclosures containing fuses | | | | X | | | |
| | 20.1 | Plugs and sockets shall be interlocked | C | | | X | | | |
| | 20.2 | Plugs and sockets which break the rated current with delayed release | | E | | X | | | |
| | 21.2 | Luminaires interlocked with automatically disconnecting all poles | C | | | X | | | |
| EN 50015 (Ex o) | 4.3.1 | Pressure relief device (for sealed devices) | | | | X | | | |
| | 4.3.2 | Breathing device | | | | X | | | |
| | 4.4 | Devices to indicate the liquid level | | | | X | | | |
| | 4.5 | Liquid level indicating device | | | | X | | | |
| | 4.9 | Devices for draining the liquid | | | | X | | | |
| | 4.11 | Manually only resettable protective device which causes interruption of the supply current | | E | | X | EN | X | X |
| EN 50016 (Ex p) | 3.3 | A safety device to limit the maximum internal overpressure | C | | | X | | | |
| | 3.6.1 | Interlocking devices disconnecting the power supply | C | | | X | | | |
| | 3.6.2 | Similar to 3.6.1 | C | | | X | | | |
| | 4.2 | By bringing an auxiliary ventilation system into operation | | E | | X | | X | X |
| | 5.6 | Safety devices such as time-delay relays and devices for monitoring the flow of protective gas | | E | | X | | X | X |
| | 5.7 | The protective gas is air. Not to exceed 25% of the LEL (it could be monitored with a gas analyser) | | | | X | | | |
| | 5.7 | The protective gas is other than air. Not to exceed 2% by volume (an oxygen analyser could be used) | | | | X | | | |
| | 5.7 | The purging flow rate shall be monitored | | E | | X | | X | X |
| | 5.8 | One or more automatic safety devices shall be provided to operate when the overpressure falls below the minimum value specified by the manufacturer | | E | | X | | X | X |
| | 6.2 | Oxygen analysers | | E | | X | EN | X | X |
| | 6.5 | Two automatic safety devices shall be provided to operate when the overpressure falls below the prescribed value | | E | | X | | X | X |
| | 7 | Supply of protective gas | | | | | | | |
| | 10.2 | The flow limiting device | C | | | X | | | |
| | 12. | Flame arresters | C | | | X | | | |
| | 13. | Safety devices | | E | | X | | X | X |
| | Annex A.A.1 | Two independent firedamp detectors, arranged to disconnect the electricity supply automatically | | | P | X | | X | X |
| | Annex A.A.2 | Fitting of barriers | C | | | X | | | |
| EN 50017 (Ex q) | 11.2 | Electrical or thermal protective device for temperature limitation, non self-resetting | C | | | X | | | |
| | 11.3 | Current limiting device (resistor) | | | | X | | | |
| | 14. | Associated power supply with limited ratings | | E | | X | | | |
| | 10. | Protected against fault conditions such as short-circuit or thermal overload | | E | | X | | | |
| | 11.2 | Temperature limitation shall be achieved by an internal or external, electrical or thermal, protective device | | E | | X | | X | |
| | 11.2 | When fuses are used as protective devices | C | | | X | | | |
| | 11.3 | Current limiting device | C | | | X | | | |
| EN 50018 (Ex d) | 12.6 | Suitable detection device enabling the power supply to the enclosure to be disconnected, on the supply side, before possible decomposition of the insulating materials leads to dangerous conditions | C | | | X | | | |
| | 17.2.1 | Quick-acting doors or covers shall be mechanically interlocked with an isolator | | | | X | | | |
| | 18.1 | Quick-acting switch in a flameproof enclosure, which breaks all poles of the lamp circuit before contact separation | | | | X | | | |
| EN 50019 (Ex e) | 4.7.4 | Appropriate devices for winding protection | | E | | X | | X | X |
| | 5.1.4.3 | Current dependent safety devices | | E | | X | EN | X | X |
| | 5.1.4.4 | Protection against overloads (e.g. motor stalled) with temperature sensors | | E | | X | EN | X | X |
| | 5.1.4.5 | Frequency and voltage converter, with the protective device incorporated | | E | | X | | X | X |
| | 5.3 | Electrically or mechanically interlocked in order to avoid the separation of contacts in a hazardous zone | | | | X | | | |
| | 5.4 | Current transformer | C | | | X | | | |
| | 5.6.2.3 | Level indicating device | | | | X | | | |
| | 5.8.3 | Electrical protective device limiting the heating effect due to abnormal earth fault and earth leakage currents: for TT and TN systems a residual current protective device; for IT systems an insulation monitoring device | | E | | X | EN | | |
| | 5.8.8 | Isolate all energized parts of the resistance heating device or unit | | | | X | | | |
| | 5.8.9 | Sensing the temperature. Sensing that temperature and other parameters. Measuring one or more parameters other than temperature. | | E | | X | | | |
| EN 50020 (Ex i) | 8.4 | Resistors | | | | X | | | |
| | 8.5 | Blocking capacitor | | | | X | | | |
| | 8.6 / 7.5.2 | Shunt safety assemblies | | | | X | | | |
| | 9. | Diode safety barriers | | E | | X | | | |
| | 7.5.3 | Series blocking diodes | | | | X | | | |
| | 8. | Transformers and damping windings | C | | | X | | | |
| | 7.3 | Fuses | C | | | X | | | |
| | 6.6 | Earth conductors | | | | X | | | |
| | 6.3.2 | Plugs and sockets | C | | | X | | | |
| | 6.4.12 | Relays | C | | | X | | | |
| | 8.8 | Galvanically separating components | C | | | X | | | |
| | 8.7 / 6.4.11 | Wiring and connections | | | | X | | | |
| EN 50021 (Ex n) | 10.9.2.1 | Supplied at varying frequency and voltage by a converter. Supply other than that derived from a converter. Non-sinusoidal load (e.g. thyristors). | | E | | | X | X | X |
| | 11. | Fuses and fuse assemblies | | | | X | | | |
| | 12.1 | Fuses and fuse assemblies | | | | X | | | |
| | 12.2.5.2 | Glow type starters | | | | X | | | |
| | 12.2.5.3 | Electronic starters and ignitors | C | | | X | | | |
| | 12.2.5.5 | Ballasts (electronic ballasts) | C | | | X | | | |
| | 15.1. | Interlocked mechanically or electrically | | | | X | | | |
| | 16.3.2 | Interlocked mechanically or electrically | | | | X | | | |
| | 16.4.2 | Chargers for type 2 cells and batteries | | E | | X | | | |
| | 21.2 | Reliable means of limiting the voltage and current available to energy storing components or at any normally sparking contact, e.g. by the use of zener diodes and series resistors | | | | X | | | |
| | 21.7 | Polarity reversal | | | | X | | | |
| | 21.8.2 | Fuses | | | | X | | | |
| | 21.8.3 | Shunt safety components such as diodes or voltage limiting devices | | | | X | | | |
| EN 50028 (Ex m) | 4.1.3 | Fuse | | | | X | | | |
| | 4.1.5 | Wire wound resistor | | | | X | | | |
| | 4.1.5 | Plastic foil capacitor | | | | X | | | |
| | 4.1.5 | Paper capacitor | | | | X | | | |
| | 4.1.5 | Ceramic capacitor | | | | X | | | |
| | 4.1.5 | Opto-coupler | | | | X | | | |
| | 4.1.5 | Transformer | | | | X | | | |
| | 4.1.5 | Coil | | | | X | | | |
| | 4.1.5 | Motor windings | | | | X | | | |
| | 4.4 | Temperature limitation: this can be achieved by a non self-resetting internal or external, electrical or thermal, protective device. | | | | X | | | |
| | 4.2.3 | Use of duplicated, non self-resetting thermal protection devices, positioned as necessary throughout the circuit. | | | | | | | |
| | 4.2.3 | Other apparatus or associated apparatus having control over voltage and current limitation equivalent to that of a category “ib” circuit according to EN 50020, though not necessarily at the same levels of voltage, current or power. | | E | | X | | | |
| | 4.2.5 | Mechanical separation element. Separation elements consist of a partition wall, possibly combined with a flameproof joint or an air gap with natural ventilation. | | | | X | | | |
| | 4.5 | The mechanical connection to the boundary shall be flameproof | | | | X | | | |
| EN 50053-1 | 5.3.1 | An exhaust ventilation system | C | | | X | | | |
| | 5.3.2 | The exhaust ventilation system shall be interlocked | | | | X | | | |
| | 5.4.5 | Earthing and bonding | | | | X | | | |
| | 6.1.1 | The high voltage supply shall be switched off in such a manner that it cannot be re-energised | | | | | | | |
| EN 50053-2 | 5.3.3 | Explosion suppression system, an explosion relief, explosion barriers, or other explosion protection systems | | | P | X | | | |
| EN 50053-3 | 5.3.1 | Ventilation system. Exhaust ventilation system. | C | | | X | | | |
| EN 50177 | 5.1.2.2 | Device which automatically switches off the high voltage | | | | | | | |
| | 5.1.3.2 | Voltage discharges | | | | | | | |
| | 5.2.1 | An exhaust ventilation system | C | | | X | | | |
| | 5.2.2 | Interlocked with other equipment. Devices shall be installed to monitor the actual flow of the exhaust ventilation system air and arranged to interrupt immediately the high voltage supply if the volumetric flow falls ... | | | | | | | |
| | 5.2.4 | Explosion suppression or explosion relief venting | | | P | X | | | |
| | 5.2.6 | Interlocked so that the high voltage supply system will be switched off | | | | | | | |
| | 5.2.10 | Automatic local fire extinguishing systems ... switched off by automatic means | | | P | X | | | |
| | 5.3.1 | Interlocking shall be provided to prevent the high voltage being applied | | | | | | | |
| | 5.5 | Earthing measures | | | | | | | |
| EN 50281-1-1 | 4.3 | Fasteners | | | | X | | | |
| | 4.4 | Interlocking devices | | | | X | | | |
| | 5.2.2 | Interlocked with a suitable load breaking device | C | | | X | | | |
| | 5.2.3 | Any interlock | | | | X | | | |
| | 5.2.4 | Interlocked with a disconnector | | | | X | | | |
| | 5.3 | Enclosures containing fuses | | | | X | | | |
| | 5.4.1 | Shall be interlocked | | | | X | | | |
| | 5.4.2 | Breaks the rated current with delayed release | | E | | X | | | |
| | 5.5.2 | Automatically disconnecting all poles | C | | | X | | | |
| | 6.3 | Fasteners | | | | X | | | |
| | 6.4 | Interlocking devices | | | | X | | | |
| | 7.2.2 | Interlocked with a suitable load breaking device | | | | X | | | |
| | 7.2.3 | Any interlock | | | | X | | | |
| | 7.3 | Enclosures containing fuses shall be interlocked | | | | X | | | |
| | 7.4.1 | Shall be interlocked | | | | X | | | |
| | 7.4.2 | Breaks the rated current with delayed release | C | | | X | | | |
| | 7.5.2 | Automatically disconnecting all poles | | | | X | | | |
| EN 50281-1-2 | 7. | System power limitation | | E | | X | EN | X | X |
| EN 50284 | 4.2.2 | Associated apparatus, e.g. Ex ia power supply | | E | | X | | | |
| | 4.2.3 | Thermal protective devices, non self-resetting | C | | | X | | | |
| | 4.2.3 | Associated power supply with limited ratings, similar to Ex ib (safe with one fault) | | E | | X | | | |
| | 4.2.3 | Non self-resetting thermal protection devices, positioned as necessary throughout the circuit. | | | | X | | | |
| | 4.2.3 | Apparatus or associated apparatus having control over voltage and current limitation equivalent to that of a category “ib” circuit according to EN 50020, though not necessarily at the same levels of voltage, current or power | | | | X | | | |
| | 4.2.5 | Mechanical separation element. Separation elements consist of a partition wall, possibly combined with a flameproof joint or an air gap with natural ventilation. | | | | X | | | |
| | 4.5 | Mechanical connection to the boundary shall be flameproof | | | | X | | | |
In the table, C, E and P mark the safety device as a Component, as Equipment or as a Protective System respectively; an X in one of the last three columns indicates the standard against which certification should be carried out (case 1, case 2 or case 3 above).
A1.3 Conformity assessment procedure according to EN 954-1
The allowable categories of safety device for any given application are defined by Table A1.2.
Table A1.2 Definition of allowable EN 954 categories for safety devices
| Hazardous Area | Fault tolerance requirement of ATEX Directive | Equipment (EUC) fault tolerance | EN 954 category of the monitoring or control unit | Resulting equipment category (under ATEX) of the combination |
| Zone 0 / Zone 20 | 2 | 2 | - | ATEX category 1 |
| Zone 0 / Zone 20 | 2 | 1 | B, 1, 2, 3 or 4 | ATEX category 1 |
| Zone 0 / Zone 20 | 2 | 0 | 3 or 4 | ATEX category 1 |
| Zone 1 / Zone 21 | 1 | 1 | - | ATEX category 2 |
| Zone 1 / Zone 21 | 1 | 0 | B, 1, 2, 3 or 4 | ATEX category 2 |
| Zone 1 / Zone 21 | 1 | -1 | 3 or 4 | ATEX category 2 |
| Zone 2 / Zone 22 | 0 | 0 | - | ATEX category 3 |
| Zone 2 / Zone 22 | 0 | -1 | B, 1, 2, 3 or 4 | ATEX category 3 |
Note that a fault tolerance of “-1” implies that the equipment would be incendive in normal operation, without the intervention of the safety device |
Assessment of whether a particular device meets the requirements for a particular category should be carried out according to EN 954.
A1.4 Conformity assessment procedure according to IEC 61508
This follows the overall lifecycle given in Figure A1 (IEC 61508 Part 1 Figure 2).
A1.4.1 Conditions
A conformity assessment procedure based on IEC 61508 needs minor changes in order to apply to safety devices.
- Boxes 1 to 4 are already covered by the existing explosion protection standards and by the work in Task 1 and Task 2 of the SAFEC project.
- Box 5 is mainly defined by the existing explosion protection standards (function) and by Task 2 (safety integrity level).
The safety integrity requirement for the overall safety function of preventing an explosion (box 4) depends on the hazardous zone and is defined by Table A3 (based on Table 9 in the main text).
Table A3 Proposed overall risk reduction requirements
| Hazardous Zone | ATEX equipment category | Target SIL requirement |
| 0 or 20 | 1 | SIL 3 |
| 1 or 21 | 2 | SIL 2 |
| 2 or 22 | 3 | SIL 1 |
If the safety requirements allocation (box 5) is such that the requirements are allocated between the fault tolerance of the equipment (without the safety device) and the safety device, then the SIL requirement for the safety device is as defined in Table A4 (based on Table 10 in the main text of this report).
Figure A1 The safety lifecycle from IEC 61508
Table A4 Proposed target risk reduction requirements for safety functions
| Hazardous Area | Fault tolerance requirement of ATEX Directive | Equipment (EUC) fault tolerance | SIL of the safety function that the monitoring or control unit is providing | Resulting equipment category (under ATEX) of the combination |
| Zone 0 / Zone 20 | 2 | 2 | - | category 1 |
| Zone 0 / Zone 20 | 2 | 1 | SIL 2 | category 1 |
| Zone 0 / Zone 20 | 2 | 0 | SIL 3 | category 1 |
| Zone 1 / Zone 21 | 1 | 1 | - | category 2 |
| Zone 1 / Zone 21 | 1 | 0 | SIL 1 | category 2 |
| Zone 1 / Zone 21 | 1 | -1 | SIL 2 | category 2 |
| Zone 2 / Zone 22 | 0 | 0 | - | category 3 |
| Zone 2 / Zone 22 | 0 | -1 | SIL 1 | category 3 |
Note that a fault tolerance of “-1” implies that the equipment would be incendive in normal operation, without the intervention of the safety device |
In addition, the fault tolerance requirements of the ATEX Directive shall be met. These are defined by Table A5 (same as Table 3).
Table A5 Fault tolerance requirements of the safety device as required by the ATEX Directive
| ATEX category | Fault tolerance requirement |
| 1 | 2 |
| 2 | 1 |
| 3 | 0 |
Where more than one safety system is available for the safety requirements allocation, the manufacturer and the notified body have to carry out the allocation according to IEC 61508 Part 1, 7.6.
A1.4.2 Validation process
- The certification scheme itself is based on box 9 for electrical, electronic or programmable electronic (E/E/PE) safety devices, or on box 10 together with box 11 for other technologies.
Figures A2 and A3 (Figures 3 and 4 of IEC 61508 Part 1) show the lifecycle realization phase, including the validation process.
- The notified bodies have to carry out the conformity assessment procedure according to boxes 9.1 to 9.6 for hardware and software. How much of 9.1 to 9.5 the assessment covers depends on the safety device; the most important step is 9.6.
The tasks included in the realization phase relate to the description in IEC 61508 Part 1. The objective of the requirements of this sub-clause is to create E/E/PE safety-related systems conforming to the specification for the E/E/PES safety requirements (comprising the specification for the E/E/PES safety functions requirements and the specification for the E/E/PES safety integrity requirements).
The specific requirements are contained in IEC 61508 Parts 2 and 3. A possible methodology for determining the SIL of E/E/PE systems is given in the Informative Annex below.
Figure A2 E/E/PES safety lifecycle (in realization phase)
Figure A3 Software safety lifecycle (in realization phase)
A1.4.3 Validation process for other technologies and external risk reduction facilities
Validation of other technologies can be carried out using EN 954-1; the validation process itself may be specified using prEN 954-2. Other standards are also possible (for example DIN EN 61496-1, 06/98).
Missing information, e.g. about proof test intervals, has to be covered by special procedures. Validating an electrical, electronic or programmable electronic device against EN 954-1 requires a separate reliability calculation for the circuits responsible for the validated safety function. The reliability of external risk reduction facilities should be handled in the same way. The reliability calculations suggested in the Informative Annex are appropriate for this.
A1.4.4 Validation of instructions for use
The notified bodies should ensure that, where particular maintenance procedures or proof test intervals are required to achieve the necessary safety integrity of the safety devices, these are detailed in the instructions for use.
A1.5 Independence for validation / conformity assessment procedures
Tables A6 and A7 define the levels of independence that the ATEX Directive (1) assigns to the two groups "notified bodies" and "manufacturers".
Table A6 - Responsibility for conformity assessment procedure of safety devices in use with electrical equipment or internal combustion engines
| Zone of intended use (overall equipment category) | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
| 0 (1, M1) | - | Notified Body | Notified Body | Notified Body |
| 1 (2, M2) | - | Notified Body | Notified Body | - |
| 2 (3) | - | - | - | - |
Table A7 - Responsibility for conformity assessment procedure of safety devices in use with non-electrical equipment
| Zone of intended use (overall equipment category) | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
| 0 (1, M1) | - | Notified Body | Notified Body | Notified Body |
| 1 (2, M2) | - | Manufacturer | Manufacturer | - |
| 2 (3) | - | - | - | - |
A1.6 INFORMATIVE ANNEX TO CERTIFICATION SCHEME
METHODOLOGY FOR DETERMINING THE SIL OF A SAFETY DEVICE
The system's safety integrity level is assessed with the following procedure, which breaks the assessment down into five linked stages:
- 1st stage: functional analysis,
- 2nd stage: failure rate prediction,
- 3rd stage: failure modes, effects and criticality analysis,
- 4th stage: modelling of the system's various states,
- 5th stage: system safety integrity level assessment.
It should be noted that this assessment does not take into account:
- common mode failures,
- systematic errors,
- connection failures,
- errors linked to cabling,
- human errors.
A1.6.1 First stage: functional analysis
The purpose of the functional analysis is to identify the functions to be fulfilled by the system. It also explains the system's operation by establishing the link between the hardware and software functions. This stage is the input to the assessment and needs to be accurate enough to identify the failures that affect the system's safety.
Several functional analysis procedures may be used to explain the operation of automatic systems:
- functional block diagram procedure,
- SADT procedure,
- SA-RT procedure,
- etc.
A1.6.2 Second stage : failure rate prediction
The purpose of the failure rate prediction is not to assess the system's reliability. Calculations are conducted only for the components that present a risk to safety, in order to quantify the dangerous failure rate. To that end, the calculation yields an equivalent failure rate for the system; it takes into account component failure rates, component stress, the climatic environment, component quality, etc.
The failure rate prediction makes it possible to quantify the FMECA (Failure Modes, Effects and Criticality Analysis, see 3rd stage) and to identify the contribution of the various failure modes to the system's unsafe situation.
Failure rate calculations are based on databases that supply a basic failure rate for each type of component. This basic failure rate is adjusted by correction factors for the environment and the component.
A1.6.3 Third stage : failure modes effects and criticality analysis (FMECA)
Once the components (hardware and software) fulfilling the functions identified by the functional analysis are known, their failure modes and the effects of those failures on the system's operation must be analysed within the scope of this study. The purpose of this stage is to identify the "dangerous" failure modes and to quantify the probability of their occurrence.
The Failure Modes, Effects and Criticality Analysis (FMECA) is conducted at electronic component level for the safety device. Its purpose is:
- to identify the "dangerous" failure modes and so assess the "dangerous" failure rates leading to the hazardous event, while assessing a coverage rate for the various tests;
- to identify the preventive maintenance provisions to be integrated in order to guarantee a safety integrity level in line with the defined goals.
Failures are classified into 4 classes:
- dangerous detected failures, which affect both safety and availability (λDD),
- dangerous undetected failures, which affect only safety (λDU),
- safe detected failures, which affect only availability (λSD),
- safe undetected failures, which affect only availability (λSU).
(λDU = λ Dangerous, Undetected; λS = λ Safe.)
λS = safe failure: a failure that results in system fallback (a safe situation from the safety standpoint).
λDU = unsafe failure: a failure whose consequence leads to a dangerous state from the safety standpoint.
The following diagram (Figure A4) gives further details of this notion of distribution of failures according to their effect. The objective of this stage is to define the unsafe failure modes. References (28) and (29) are examples of sources of data for the failure mode distribution for various components.
Figure A4 : Failure distribution according to their effect
A1.6.4 Fourth stage : modelling of the system's various states
Three system types are distinguished:
[1] Failsafe systems
[2] Non-redundant systems
[3] Redundant systems
The calculation of the system's dangerous failure probability differs for each type.
Failsafe systems
Failsafe systems are systems in which the failure modes of all components lead to a "safe state" with respect to safety. For these systems there is no need to calculate the dangerous failure probability, as the dangerous failure rate λDU is zero.
Non-redundant systems
Non-redundant systems are "simple" systems in which the safety function can be lost in the event of a failure. Two states are possible: safe state or dangerous state. Calculating the dangerous failure probability for these systems comes down to a specific reliability calculation based on the dangerous failure rate (λDU, identified in the FMECA) over a duration equal to the preventive maintenance (proof test) interval.
Redundant systems
In redundant systems the safety function can be lost through combinations of failures, depending on the logic implemented within the safety system. Several quantitative procedures exist for assessing the safety integrity level of such systems. The main drawback of the more traditional ones, such as fault tree analysis or reliability block diagram analysis, is that they do not always take into account the time aspect, the test periodicity, the coverage levels and the repair rate.
The various failure and operating states can be modelled with Markov graphs, which integrate the time aspect of the preventive maintenance tests, the autotests and the coverage rate; this is possible because electronic systems follow an exponential failure law with a constant failure rate.
A1.6.4.1 Influence of testability on safety
For safety purposes, the state of the resources must be known at all times, so as to detect hidden (dormant, latent) failures that could mask the safety function. These dormant failures are only detected during periodic tests deliberately conducted by the user.
A test policy is useless for failsafe systems, as each failure leads to a "safe" position with respect to safety.
On the contrary, for systems that are neither failsafe nor self-testing and in which dangerous failures exist, a test policy to detect the "dangerous failures" (those with a risk for safety) is required.
These tests must be conducted with a periodicity based on the characteristics of the various elements constituting the system. Dangerous failures can be detected in two ways:
- either by the test and autotest system of the safety system, for detectable failures (λDD),
- or during verification (proof test) operations, for non-detectable failures (λDU).
Testability does not increase the PLC's reliability. It only makes it possible to ensure that the resources are still available: to read the inputs and control the outputs on the one hand, and to make sure that the processing modules are still functional on the other. Only the detection of dangerous failures comes into play: thanks to the test, a failure can be detected and the system switched to the safe position, which gives a better guarantee of safety. The following diagram shows the impact of testability on safety, and the impact on safety of a state-changeover test policy conducted every 24 hours or every 6 months.
Figure A5 : Testability impact on safety
A1.6.4.2 Graph establishment
IEC 61508 (18) and reference (30) stipulate the procedure and the various stages of system modelling. State graphs are drawn for each safety function. Modelling uses the "states" that the system may enter; in most cases there are 3 states:
State 2, represented as (2):
This state models full redundancy. All implemented resources are present and operate nominally.
State 1, represented as (1):
This state models redundancy degraded by the dangerous failure of a hardware element on one of the two channels. Not all implemented resources are present; it is an undetected dangerous failure state, but safety is still guaranteed.
State 0, represented as (0):
This state models the loss of redundancy due to the dangerous failure of several hardware elements across the channels. Safety is no longer guaranteed: if the safety function is called upon, the system will not go to the safe position.
The probability "P" of being in state "0" is designated PFD(t) in IEC 61508; its meaning is the one defined in the previous paragraph.
A1.6.4.3 Assumptions
The Markov graph modelling of the systems studied by INERIS was based on the following assumptions:
[1] Failure rates (λ) and repair rates (μ) are assumed constant, which makes it possible to model and calculate the safety level with Markov graphs.
[2] The mission time (TI) corresponds to the interval between the OFF LINE periodic tests. All test rates concerning the ability to detect state changeovers (μPTi) are stated on each arc of each graph.
[3] Inputs and outputs do not go to the safe state if the power supply is cut off.
[4] Common failure modes and systematic errors are assumed equal to those defined in reference (28). λD common mode failures or faults have the particularity of affecting all lines at the same time. The selected values are those defined in the same document.
A1.6.4.4 System modelling example
A system of two channels in active redundancy is modelled as follows:
Figure A6: Redundant system state modelling
This graph is equivalent to the following reduced graph:
Figure A7: Redundant system state reduced modelling
The probability "P" of being in the "0" state therefore depends on an equivalent failure rate that itself depends on the time T: P = Λ(t) × T.
This example shows that the probability of being in the "0" state increases as the time T increases.
A1.6.5 Fifth stage : Safety integrity level assessment
The system's various states were modelled in the fourth stage. This stage consists of carrying out the mathematical calculation and comparing the level achieved by the system with the classification of the IEC 61508 standard.
In most cases the dangerous failure probability (PFD) is a function of a system failure rate (which varies over time) and of a duration. The safety integrity level calculation is therefore a specific reliability calculation in which the safety measure equals the reliability over a time equal either to the overall autotest period or to the preventive maintenance (proof test) interval.
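Stages 3 to 5 above, carried through in Python as an added example (this is not code from the SAFEC report or from INERIS): a constructed channel of three components is split into λDD, λDU, λSD and λSU (stage 3); the annex's three-state graph 2 → 1 → 0 for two channels in active redundancy, and the two-state graph of a non-redundant system, are integrated as homogeneous Markov chains over one proof-test interval (stage 4); and the time-averaged probability of being in state 0 is placed in an IEC 61508 low-demand SIL band (stage 5). The component names, failure rates, dangerous fractions and coverages, and the 24 h and 6 month proof-test intervals, are assumptions chosen for illustration. As in the assessment described above, common-cause failures, systematic errors and repair of detected faults are left out of the model.

```python
"""Worked SIL assessment of a safety device, following stages 3 to 5 of the annex.
All component data is constructed for illustration (not from the SAFEC report)."""
from dataclasses import dataclass
from math import exp


@dataclass
class Component:
    name: str
    lam: float        # total failure rate in failures per hour (assumed value)
    dangerous: float  # fraction of failures that are dangerous (from the FMECA)
    dc: float         # diagnostic coverage: fraction of dangerous failures found by the autotest
    sc: float         # fraction of safe failures that are detected


def classify(components):
    """Stage 3 (FMECA): split a channel's failure rate into (lDD, lDU, lSD, lSU), per hour."""
    ldd = ldu = lsd = lsu = 0.0
    for c in components:
        ld = c.lam * c.dangerous          # dangerous part of this component's failure rate
        ls = c.lam - ld                   # safe part
        ldd += ld * c.dc
        ldu += ld * (1.0 - c.dc)          # latent: only a proof test reveals it
        lsd += ls * c.sc
        lsu += ls * (1.0 - c.sc)
    return ldd, ldu, lsd, lsu


def generator_1oo1(ldu):
    """Non-redundant system: states [working, dangerous fault]; only lDU leaves the working state."""
    return [[-ldu, ldu],
            [0.0, 0.0]]


def generator_1oo2(ldu):
    """Two channels in active redundancy, the annex's states [2, 1, 0]:
    2 = both channels OK, 1 = one channel with a latent DU fault, 0 = both channels lost.
    Detected (lDD) faults are assumed to trip the device to the safe state, so they are not modelled."""
    return [[-2.0 * ldu, 2.0 * ldu, 0.0],
            [0.0, -ldu, ldu],
            [0.0, 0.0, 0.0]]


def solve_markov(q, t_interval, steps=2000):
    """Stage 4: integrate dp/dt = p*Q with RK4 from the fully operational state over one
    proof-test interval (the mission time TI). Rates are constant, so the chain is homogeneous.
    Returns (P(last state) at the end of the interval, its time average over the interval)."""
    n = len(q)

    def deriv(p):
        return [sum(p[i] * q[i][j] for i in range(n)) for j in range(n)]

    p = [1.0] + [0.0] * (n - 1)
    h = t_interval / steps
    area = 0.0                            # trapezoidal integral of P(lost state)
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([p[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = deriv([p[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = deriv([p[i] + h * k3[i] for i in range(n)])
        nxt = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(n)]
        area += 0.5 * h * (p[-1] + nxt[-1])
        p = nxt
    return p[-1], area / t_interval


def analytic_pfd_avg(arch, ldu, t_interval):
    """Closed-form PFDavg of the same chains (cross-check for the numerical solver):
    1oo1: mean of 1 - e^(-lDU t); 1oo2: mean of (1 - e^(-lDU t))^2, both over [0, T]."""
    x = ldu * t_interval
    if arch == "1oo1":
        return 1.0 - (1.0 - exp(-x)) / x
    if arch == "1oo2":
        return 1.0 - 2.0 * (1.0 - exp(-x)) / x + (1.0 - exp(-2.0 * x)) / (2.0 * x)
    raise ValueError(arch)


def sil_band(pfd_avg):
    """Stage 5: IEC 61508-1 low-demand bands (SIL 1: 1e-2..1e-1 down to SIL 4: 1e-5..1e-4).
    Returns 0 at or above 1e-1; values below 1e-5 are outside the table and reported as 4."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd_avg < upper:
            return sil
    return 0


# Constructed channel: sensor, logic solver, final element (names and figures are assumptions)
CHANNEL = [
    Component("pressure sensor", 2.0e-6, 0.6, 0.90, 0.5),
    Component("logic solver",    1.0e-6, 0.5, 0.99, 0.9),
    Component("shutdown valve",  5.0e-6, 0.5, 0.00, 0.0),
]
HOURS_24H, HOURS_6M = 24.0, 4380.0        # the two proof-test policies compared in Figure A5


def assess(arch, t_interval, components=CHANNEL):
    """Stages 3-5 for one architecture ("1oo1" or "1oo2") and proof-test interval in hours."""
    _, ldu, _, _ = classify(components)
    q = generator_1oo1(ldu) if arch == "1oo1" else generator_1oo2(ldu)
    p_lost, pfd_avg = solve_markov(q, t_interval)
    return {"lDU": ldu, "P0_at_T": p_lost, "PFDavg": pfd_avg, "SIL": sil_band(pfd_avg)}


if __name__ == "__main__":
    for arch in ("1oo1", "1oo2"):
        for t in (HOURS_24H, HOURS_6M):
            r = assess(arch, t)
            print(f"{arch}, proof test every {t:6.0f} h: P0(T)={r['P0_at_T']:.2e}  "
                  f"PFDavg={r['PFDavg']:.2e}  -> SIL {r['SIL']}")
```

Running the script reproduces the point of Figures A5 and A7: the probability of being in state 0 grows with the proof-test interval T, so the same non-redundant channel that sits in the SIL 4 band with a 24 h test falls to SIL 2 when tested every six months, while the 1oo2 arrangement stays well below 1e-4 because P(0) behaves like (λDU T)². Two caveats belong with such a result: the SIL band is only the safety-function side of the assessment, and the hardware fault tolerance of Table A5 must still be met for the ATEX category; and the closed form in analytic_pfd_avg only checks the solver for these two pure-failure chains, so once repair rates or partial autotest coverage are added to the generator matrix the numerical solution is the one to use.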