Clima

3

Availability of standards, test data, etc.

The simplicity or complexity of the system and principle (i.e., fewer components means fewer potential modes of failure and more viable validation).

The frequency and nature of the check (i.e., more frequent checks allows less time for faults to remain undetected).

The frequency and nature of the check (i.e., more frequent checks allows less time for faults to accumulate).

The simplicity or complexity of the system and principle (i.e., fewer or simpler components mean fewer fault combination permutations).

Use of materials and components conforming to recognized standards, etc.

• Positive mode operation, life testing, oriented failure mode (e.g., defined weak link - relevant to simple (e.g.,mechanical) equipment

• Validation measures are usually too involved or not possible for more complex (e.g., electronic) equipment.

Simulation of device actuation and functional check by machine control system or dedicated monitoring unit with start interlock.

• Dual contact (or two separate) devices linked by two circuits to a separate unit which compares operation of each circuit at change of state

• Suitable where some faults cannot be prevented and there is relatively frequent actuation —particularly which must be complex to perform its primary task.

Particularly relevant to electronic technology.

Check specifications for conformity and suitability

• Fault analysis (e.g., Failure Mode and Effects Analysis or Fault Tree Analysis)

• Testing.

• Checking of safety margins.

Theoretical analysis

Factors affecting the Validation

Category

degree of performance Typical techniques

methods

Guide to the Categories for Safety-Related Parts of Control Systems From EN 954-1

3

36

Category B

No special measures for safety apply to parts complying with category B. The parts, when applied according to their specifications, should be able to withstand the expected operating stresses (e.g., load, number of operating cycles), the influence of material processed (e.g., detergents in a washing machine), and the relevant external influences (e.g., vibration, power disturbances).

Category 1

A well-tried component for a safety-related application is a component which has been:

1) widely used in the past with successful results in similar applications; or 2) made and verified using principles which demonstrate its suitability and reliability for safety-related applications. In some well-tried components, certain faults can be excluded because the fault rate is known to be very low.

Well-tried safety principles are, for example:

– avoidance of certain faults; e.g., avoidance of short circuit by separation – reducing the probability of faults; e.g., over-dimensioning or underrating

of components

– orienting the mode of fault; e.g, by ensuring an open circuit when it is vital to remove power in the event of fault

– detecting faults very early

– restricting the consequences of a fault; e.g., grounding of equipment

Newly-developed components and safety principles may be considered equivalent to “well-tried” if they fulfill the above mentioned conditions.

Note: On the level of single electronic components alone, it is not normally possible to meet category 1 requirements. See Appendix D for a list of some significant faults and failures for various technologies.

3

37

Category 2

Any check of safety functions (which can be automatic or manual) shall either: 1) allow operation if no faults are detected; or 2) generate an output which initiates control action if a fault is detected. When possible, this output shall initiate a safe state (e.g., prevent starting/restarting if the safety function is not available). When not possible, the output shall provide a warning of the hazard. In some cases, category 2 does not apply because checking cannot be applied to all components, e.g., a pressure switch or temperature sensor.

Category 3

Typical examples of feasible measures for fault detection are the connected movement of relay contacts (i.e., “positive guidance”) or monitoring of redundant electrical outputs.

“Feasible” means that fault detection measures, and the extent of their implementation, depends mainly on the consequence of a failure and the probability of the occurrence of that failure. The technology used influences the possibilities for implementing fault detection.

Category 4

Fault review may be stopped when the

probability of further faults occurring is sufficiently low. The number of faults considered “sufficiently Safety categories ≠Safety

hierarchy

Designers should note that performance categories do not indicate a safety hierarchy (i.e., category 4 is not necessarily safer than category 1). Rather, these categories state the required behavior for a safety system in relation to its resistance to faults.

Thus, according to the performance category required, machine designers must select safety-related parts on their ability to resist faults (i.e., both reliability and availability of the safety function must be considered).

Safety ≠reliability

However, designers must not confuse reliability and safety. For example, a system with unreliable components in a redundant structure can provide more safety than a non-redundant system with better components. This concept is important because in applications where the consequences of failure are serious, safety requires the higher priority regardless of the reliability achieved. Designers may want to refer to Annex D of EN 954 for more details.

3

38

low” varies. For example, in the case of complex microprocessor circuits, a large number of faults can exist. Conversely, in an electro-hydraulic circuit, two or three faults can be sufficient to initiate a safety action.

Fault review may be limited to two faults in combination when: the fault rates of the components are low AND the faults in combination are largely independent of each other AND the faults have to appear in a certain order to jeopardize the safety function.

When making purchasing decisions, consider that well-tried components help meet category 1 and higher requirements.

39 3.11