BS EN 50495:2010 Safety devices required for the safe functioning of equipment with respect to explosion risks
5.2 Special requirements for safety components
Where applicable,
– the sensor,
– the actuator,
– control unit,
– display unit
shall comply with the relevant product standards.
NOTE In order to obtain a maximum of safety during the operation, control and display units shall be designed in compliance with ergonomic principles:
– ergonomic arrangement of actuators and display devices;
– minimised number of actuators and display devices required for safety measures.
For combined equipment the interconnections, sensor, control unit and actuator shall meet the requirements of the standard series EN 60079 and/or EN 61241.
Where possible the control unit shall recognise any dangerous failure of the safety device and its associated interconnection and shall initiate appropriate risk reduction measures.
The measuring and recording units shall be designed in such a manner that any calibrations necessary can be carried out on site. The manufacturer shall provide the intervals at which calibrations shall be carried out as part of the instruction manual.
EXAMPLE A 4 mA to 20 mA current loop is a suitable interconnection if a short circuit or circuit break is detected by the connected logic unit. In the case of using a bus system, it shall comply with the required SIL.
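The example above leaves open what "detected by the connected logic unit" looks like in practice. The following is an added illustration, not text or code from EN 50495: a logic unit classifies each 4 mA to 20 mA sample, treats a circuit break or short circuit as a failure of the interconnection, and commands the safe state instead of acting on an untrustworthy value. The fault-band thresholds (3.6 mA and 21 mA, the common NAMUR NE43 convention), the linear 4..20 mA scaling and the gas-sensor trace are assumptions, not values from the standard.

```python
"""Added example, not from EN 50495: classifying 4..20 mA loop readings so
that a wire break or short circuit is detected as a dangerous failure of
the interconnection and the actuator is driven to its safe state.

Assumptions (not stated in the standard): fault bands follow the NAMUR
NE43 convention (<= 3.6 mA: failure / open circuit, >= 21.0 mA: failure /
short circuit or transmitter fault); the 4..20 mA span maps linearly onto
the sensor's engineering range.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class LoopState(Enum):
    OK = "ok"
    OPEN_CIRCUIT = "open_circuit"    # wire break, lost sensor supply
    SHORT_CIRCUIT = "short_circuit"  # short or transmitter fault (over-range)
    UNDER_RANGE = "under_range"      # above the fault band but below 4 mA


# Thresholds in mA (assumed NE43-style values; take real ones from the data sheet)
FAIL_LOW_MA = 3.6
FAIL_HIGH_MA = 21.0
SPAN_LOW_MA = 4.0
SPAN_HIGH_MA = 20.0


@dataclass(frozen=True)
class LoopReading:
    state: LoopState
    value: Optional[float]  # engineering value; None when the reading is not trustworthy
    trip: bool              # True when the safe state must be commanded


def classify_loop(current_ma: float, eng_low: float, eng_high: float,
                  trip_limit: float) -> LoopReading:
    """Classify one loop current sample.

    Any reading inside a fault band yields trip=True: the logic unit must
    not act on a measurement it cannot trust, so it commands the safe state.
    A valid reading trips only when the process value reaches trip_limit.
    """
    if current_ma <= FAIL_LOW_MA:
        return LoopReading(LoopState.OPEN_CIRCUIT, None, True)
    if current_ma >= FAIL_HIGH_MA:
        return LoopReading(LoopState.SHORT_CIRCUIT, None, True)
    if current_ma < SPAN_LOW_MA:
        return LoopReading(LoopState.UNDER_RANGE, None, True)
    # Readings between 20 mA and 21 mA are saturation: clamp to full scale
    bounded = min(current_ma, SPAN_HIGH_MA)
    fraction = (bounded - SPAN_LOW_MA) / (SPAN_HIGH_MA - SPAN_LOW_MA)
    value = eng_low + fraction * (eng_high - eng_low)
    return LoopReading(LoopState.OK, value, value >= trip_limit)


def run_samples(samples: List[float], eng_low: float, eng_high: float,
                trip_limit: float) -> List[Tuple[float, str, bool]]:
    """Evaluate a sequence of samples; returns (mA, state, trip) per sample."""
    out = []
    for ma in samples:
        r = classify_loop(ma, eng_low, eng_high, trip_limit)
        out.append((ma, r.state.value, r.trip))
    return out


if __name__ == "__main__":
    # Constructed trace from a 0..100 % LEL gas sensor with the trip at 40 % LEL
    trace = [4.0, 8.0, 12.0, 10.4, 0.0, 22.5, 3.8]
    for ma, state, trip in run_samples(trace, 0.0, 100.0, 40.0):
        print(f"{ma:5.1f} mA  {state:14s}  trip={trip}")
```

The point of the design is that a failed interconnection and a genuine process trip lead to the same safe action, so a broken wire cannot silently mask a real hazard; the distinct states only serve diagnostics and the maintenance record.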
5.3 Requirements for achieving the Safety Integrity Level (SIL)
5.3.1 General
The safety integrity of a complex safety device shall be derived
– either according to the EN 61508 series or related standards (e.g. EN 62061, EN ISO 13849-1);
The safety requirements shall be specified in a systematic risk-based manner in accordance with the mentioned standards. The safety function shall be described clearly in the requirement specification. Hardware and software measures shall be considered in the design process to control the occurrence of random hardware faults and to achieve an appropriate diagnostic coverage. The probability of random hardware faults shall be assessed e.g. by a systematic failure mode and effect analysis (FMEA). Design test requirements shall be systematically derived from the requirement specifications. A safety management system shall be applied during the whole life-cycle of the equipment, to minimise the probability of systematic faults (e.g. software errors).
NOTE The detailed requirements for the management of functional safety, hardware safety integrity and software safety integrity are specified in e.g. EN 61508 Parts 1, 2 and 3 respectively.
– or based on proven-in-use experience according to the EN 61508/EN 61511 series. The safety integrity is assessed by a statistical failure analysis of an appropriate number of devices used in an appropriate number of typical applications. The failure rates can be determined from valid field reliability data records from prior use. To exclude systematic faults a statistical basis with a confidence level of at least 70 % shall be used. The statistical determination of the confidence level is defined in EN 61508-7.
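The proven-in-use route above asks for a failure rate backed by field data at a confidence level of at least 70 %. The following is an added worked example, not from EN 50495 or EN 61508, showing the calculation: the one-sided upper bound on a constant failure rate given n failures in T cumulative device-hours. It assumes failures form a homogeneous Poisson process, so the bound at confidence C is the rate lambda_u with P(X <= n | lambda_u * T) = 1 - C, which is the chi-squared form lambda_u = chi2(C, 2n + 2) / (2T) used in EN 61508-7; it is evaluated through the Poisson CDF and bisection so that no statistics library is needed. It also goes one step beyond the text and shows how many zero-failure device-hours a target rate would require. The field record in the usage section is constructed.

```python
"""Added example, not from EN 50495 or EN 61508: upper confidence bound on a
failure rate from field records, the figure a proven-in-use argument has to
support, evaluated at the 70 % confidence level the standard requires.

Assumption: failures in the fleet form a homogeneous Poisson process with
constant rate lambda. With n failures in T device-hours the one-sided upper
bound at confidence C is the lambda_u for which P(X <= n | lambda_u*T) = 1-C,
equal to the chi-squared form lambda_u = chi2(C, 2n+2) / (2T).
"""
import math


def poisson_cdf(n: int, mean: float) -> float:
    """P(X <= n) for X ~ Poisson(mean), summed term by term."""
    total = 0.0
    term = math.exp(-mean)
    for k in range(n + 1):
        if k > 0:
            term *= mean / k
        total += term
    return total


def upper_bound_failure_rate(failures: int, device_hours: float,
                             confidence: float = 0.70) -> float:
    """Smallest lambda (per hour) such that seeing at most `failures`
    events in `device_hours` has probability 1 - confidence."""
    if failures < 0 or device_hours <= 0 or not 0.0 < confidence < 1.0:
        raise ValueError("failures >= 0, device_hours > 0, 0 < confidence < 1")
    target = 1.0 - confidence
    # Bracket the expected count m = lambda * T, then bisect on m.
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / device_hours


def hours_required_zero_failures(target_rate: float,
                                 confidence: float = 0.70) -> float:
    """Device-hours with zero failures needed to support a rate no worse
    than target_rate at the given confidence (closed form of the n = 0
    case: lambda_u = -ln(1 - C) / T)."""
    if target_rate <= 0 or not 0.0 < confidence < 1.0:
        raise ValueError("target_rate > 0, 0 < confidence < 1")
    return -math.log(1.0 - confidence) / target_rate


if __name__ == "__main__":
    # Constructed field record: 2 failures in 5e6 device-hours
    lam = upper_bound_failure_rate(2, 5.0e6, 0.70)
    print(f"70 % upper bound: {lam:.3e} /h")
    print(f"hours for 1e-7 /h with zero failures at 70 %: "
          f"{hours_required_zero_failures(1e-7, 0.70):.3e}")
```

Two caveats a reviewer of such an argument would raise: the bound only covers the failures that were actually recorded, so the field data must distinguish dangerous from safe failures before the rate is compared with a SIL target, and raising the confidence from 70 % to, say, 90 % roughly doubles the device-hours needed for the same claim.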
5.3.2 General hardware requirements
Any components shall be used within their specifications. Automated diagnostic measures (e.g. a watchdog) shall be provided to detect hardware failures as far as possible. If the safety function relies on stored data, all relevant information shall be retained in the safety device. Even after an interruption of the power supply (e.g. power off) this information shall be available at the restart. If the safety function relies on the use of any battery modules or similar modules, their lifetime shall be stated in the instruction manual.
5.3.3 General software requirements
The user shall be able to identify the software version, e.g. by marking the installed memory module, by showing the software version on the display during power up or on user request. Safety parameter modifications by unauthorised persons shall be prevented e.g. by using a protected access procedure for the safety related software function. All parameters that can be modified by the user shall be unambiguously described.
NOTE 1 This can be done by installing an access code or by a deliberate manual, mechanical confirmation (e.g. button behind special locking device).
Wherever possible, the plausibility of any parameter inputs shall be checked automatically. Invalid inputs shall be refused.
To increase the Safety Integrity Level of a safety device a multi-channel architecture can be used. If the individual channels use the same software, failures cannot be considered to be independent. In this case the software shall comply with the required Safety Integrity Level of the final system.
NOTE 2 Different revisions of software generally are based on the same method, which indicates that they don't fulfil the requirements of independence of the two channels.
EXAMPLE A safety device of the architecture 1oo2 is equipped with 2 channels. The hardware of each channel is independent of the other and complies with SIL 1. Both channels use the same software. In order to achieve an overall SIL 2, this software shall meet the requirements of SIL 2 according to EN 61508-3.
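Three of the software requirements in 5.3.3 (identifiable software version, protected access before safety parameters can be modified, automatic plausibility checks with refusal of invalid inputs) fit together in one small module. The following is an added example, not code from EN 50495 or from any product: the parameter names, ranges, the cross-parameter rule and the access-code mechanism are constructed for illustration, and a real device would tie `unlock` to the manufacturer's protected access procedure (access code, key switch, confirmation button) and keep the values in non-volatile memory as 5.3.2 requires.

```python
"""Added example, not from EN 50495: a safety parameter store that reports
its software version, refuses changes unless the protected access procedure
has been passed, and checks every input for plausibility (range and
cross-parameter rules) before accepting it.

Assumptions: parameter names, ranges, the cross-check and the access-code
mechanism are invented for illustration.
"""
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SOFTWARE_VERSION = "example-fw 1.0.3"  # shown at power-up / on user request


@dataclass(frozen=True)
class ParamSpec:
    description: str   # unambiguous description for the instruction manual
    low: float
    high: float
    unit: str


class ParameterError(Exception):
    """Raised when a modification is refused."""


CrossCheck = Callable[[Dict[str, float]], Optional[str]]  # error text or None


class SafetyParameterStore:
    def __init__(self, access_code: str, specs: Dict[str, ParamSpec],
                 defaults: Dict[str, float], cross_checks: List[CrossCheck]):
        # Only a digest of the access code is kept in the device
        self._code_digest = hashlib.sha256(access_code.encode("utf-8")).digest()
        self._specs = specs
        self._cross_checks = cross_checks
        self._unlocked = False
        self.audit: List[str] = [f"boot software={SOFTWARE_VERSION}"]
        for name, value in defaults.items():
            self._check_range(name, value)
        self._check_cross(defaults)
        self._values = {k: float(v) for k, v in defaults.items()}

    def software_version(self) -> str:
        return SOFTWARE_VERSION

    def unlock(self, code: str) -> bool:
        """Protected access procedure; constant-time digest comparison."""
        digest = hashlib.sha256(code.encode("utf-8")).digest()
        self._unlocked = hmac.compare_digest(digest, self._code_digest)
        self.audit.append("unlock ok" if self._unlocked else "unlock refused")
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def get(self, name: str) -> float:
        return self._values[name]

    def set_param(self, name: str, value: float) -> None:
        """Apply a change only when authorised and plausible."""
        if not self._unlocked:
            self.audit.append(f"set {name} refused: not authorised")
            raise ParameterError("modification refused: protected access not granted")
        self._check_range(name, value)
        proposed = dict(self._values)
        proposed[name] = float(value)
        self._check_cross(proposed)   # judge the parameter set as a whole
        self._values = proposed
        self.audit.append(f"set {name}={float(value)}")

    def _check_range(self, name: str, value: float) -> None:
        spec = self._specs.get(name)
        if spec is None:
            raise ParameterError(f"unknown parameter {name!r}")
        if (isinstance(value, bool) or not isinstance(value, (int, float))
                or not math.isfinite(value)):
            raise ParameterError(f"{name}: not a finite number")
        if not spec.low <= value <= spec.high:
            raise ParameterError(f"{name}: {value} outside {spec.low}..{spec.high} {spec.unit}")

    def _check_cross(self, values: Dict[str, float]) -> None:
        for check in self._cross_checks:
            msg = check(values)
            if msg:
                raise ParameterError(msg)


def try_set(store: SafetyParameterStore, name: str, value: float) -> bool:
    """Attempt a change; True if accepted, False if refused."""
    try:
        store.set_param(name, value)
        return True
    except ParameterError:
        return False


def build_example_store(access_code: str = "2468") -> SafetyParameterStore:
    """Constructed gas-detector style parameter set (values are illustrative)."""
    specs = {
        "trip_lel": ParamSpec("Trip level, % of lower explosion limit", 5.0, 60.0, "% LEL"),
        "pre_alarm_lel": ParamSpec("Pre-alarm level, % LEL", 5.0, 60.0, "% LEL"),
        "response_time_s": ParamSpec("Filter time before trip", 1.0, 30.0, "s"),
    }
    defaults = {"trip_lel": 40.0, "pre_alarm_lel": 20.0, "response_time_s": 5.0}

    def pre_alarm_below_trip(v: Dict[str, float]) -> Optional[str]:
        return "pre_alarm_lel must be below trip_lel" if v["pre_alarm_lel"] >= v["trip_lel"] else None

    return SafetyParameterStore(access_code, specs, defaults, [pre_alarm_below_trip])
```

The cross-check runs on the proposed parameter set rather than on the single value, so a pre-alarm that is individually in range but equal to or above the trip level is still refused, and a refused change leaves the stored set untouched; the audit list gives the maintainer the trail the standard's traceability expectations call for.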