SIST EN 50495:2010
SLOVENIAN STANDARD
1 June 2010
Safety devices required for the safe functioning of equipment with respect to explosion risks
Sicherheitseinrichtungen für den sicheren Betrieb von Geräten im Hinblick auf Explosionsgefahren
Dispositifs de sécurité nécessaires pour le fonctionnement sûr d'un matériel vis-à-vis des risques d'explosion
This Slovenian standard is identical to: EN 50495:2010
ICS:
13.230 Explosion protection
29.260.20 Electrical apparatus for explosive atmospheres
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD
EN 50495
NORME EUROPÉENNE
February 2010
EUROPÄISCHE NORM
ICS 13.230; 29.260.30
English version
Safety devices required for the safe functioning of equipment
with respect to explosion risks
Dispositifs de sécurité nécessaires pour le fonctionnement sûr d'un matériel vis-à-vis des risques d'explosion
Sicherheitseinrichtungen für den sicheren Betrieb von Geräten im Hinblick auf Explosionsgefahren
This European Standard was approved by CENELEC on 2009-12-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: Avenue Marnix 17, B - 1000 Brussels
© 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 50495:2010 E
Foreword
This European Standard was prepared by the Technical Committee CENELEC TC 31, Electrical apparatus
for potentially explosive atmospheres. The text of the draft was submitted to the formal vote and was
approved by CENELEC as EN 50495 on 2009-12-01.
This European Standard is to be read in conjunction with the European Standards for the specific types of
protection listed in EN 60079 or EN 61241 series of standards.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2010-12-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2012-12-01
This European Standard has been prepared under a mandate given to CENELEC by the European
Commission and the European Free Trade Association and covers essential requirements of EC Directive
94/9/EC. See Annex ZZ.
– 3 – EN 50495:2010
Contents
Introduction . 4
1 Scope . 5
2 Normative references . 6
3 Terms and definitions . 7
4 Ignition prevention by safety devices . 10
4.1 General concept of ignition risk reduction . 10
4.2 Selection of a safety device . 11
5 Functional requirements for a safety device . 11
5.1 General requirements . 11
5.2 Special requirements for safety components . 13
5.3 Requirements for achieving the Safety Integrity Level (SIL) . 13
6 Tests . 15
6.1 Type tests . 15
6.2 Routine tests . 16
6.3 Regular functional proof tests . 16
7 Marking . 16
8 Safety instructions . 17
Annex A (informative) Example of an assessment procedure for a simple safety device . 18
Annex B (informative) Example of an assessment procedure for the hardware safety integrity of a safety device . 19
Annex C (informative) Example of determining the hardware safety integrity level . 24
Annex D (informative) Examples for safety devices . 33
Annex E (informative) Basic concept for safety devices . 34
Annex ZZ (informative) Coverage of Essential Requirements of EC Directives. 36
Bibliography . 37
Tables
Table 1 – Requirements for Safety Integrity Level and Fault Tolerance of a safety device . 11
Table B.1 – Failure rates assuming a series failure model . 20
Table B.2 – Safety Integrity Levels: Target failure measures for a safety function . 22
Table B.3 – Hardware safety integrity: Architectural constrains on Type A or B safety-related subsystems . 23
Table C.1 – Total hardware failure rates . 31
Table E.1 – Increase of the failure tolerance of equipment by the control of a safety device . 34
Table E.2 – Classified area, in which the ignition probability of controlled equipment would lead to a tolerable risk . 35
Table E.3 – Required SIL and HFT of a safety device for the control of equipment . 35
Introduction
Safety devices, controlling devices and regulating devices which are used for the protection concept of
equipment for explosive atmospheres, shall function reliably for the intended purpose. This shall be
expressed in terms of some measure of confidence that the devices will be able to maintain a required level
of safety at all times. This measure of confidence needs to be in conformity with [1], CENELEC standards of
the series EN 60079 and EN 61241 for apparatus for use in explosive atmospheres and relevant control
standards.
CENELEC identified the need for research to determine whether existing and proposed standards in the field
of safety-related control systems were suitable for this purpose. Research proposals on this topic were
invited under the Standardisation, Measurement and Testing (SMT) Programme of the EU-commission and
the SAFEC project was selected for funding (contract SMT4-CT98-2255). The project ran for 12 months,
beginning in January 1999. The SAFEC partners were the Health and Safety Laboratory (HSL) of
the Health and Safety Executive in the UK (the project coordinator), the Deutsche Montan Technologie
(DMT) in Germany, the National Institute for Industrial Environment and Risks (INERIS) in France and the
Laboratorio Oficial J.M. Madariaga (LOM) in Spain. The result of this project is summarised in [2] and
recommends the application of Safety Integrity Levels as specified in EN 61508-1 for safety devices. A short
description of the basic concept is provided in Annex E of this standard.
1 Scope
This European Standard specifies the requirements of electrical safety devices, which are used to avoid
potential ignition sources of equipment in explosive atmospheres.
This also includes safety devices, which are operated outside areas with explosive atmospheres, to
guarantee the safe function of equipment with respect to explosion hazards.
NOTE 1 This European Standard can also be used to design and assess safety devices for protective systems.
Electrical equipment, which is intended for use in explosive atmospheres, may rely on the correct operation
of safety devices which for example maintain certain characteristics of the equipment within acceptable
limits. Examples of such safety devices are motor protection devices (to limit temperature rise during stall
conditions) and controlling devices for pressurisation protection.
By means of control or monitoring devices, sources of ignition can be avoided. Therefore these devices shall
execute the appropriate measures in the appropriate reaction time, for example the initiation of an alarm or
an automatic shut down.
NOTE 2 Some potential ignition sources might not be controllable by safety devices, e.g. electrostatic discharges, ignition sparks
caused by mechanical impact. Also some protection measures might not be controllable by safety devices, e.g.
flameproof enclosures.
Safety devices whose safety function cannot adequately be specified under the existing EN 60079 or
EN 61241 series of standards shall additionally be designed according to the requirements of this standard.
Generally, the existing types of protection do not provide appropriate design requirements for complex
safety devices (see 3.13 for the definition of a complex device).
NOTE 3 In general the levels of safety required by this standard are considered to be equivalent to those provided by conformity
to EN 60079-0 or EN 61241-0. No increase or decrease of safety is intended or required. Similarly neither increase nor
decrease of safety with respect to EN 61508 series is intended.
Safety devices can be classified into two types:
a) devices which are included as a component in the equipment under control (see 3.8). The combined
apparatus is considered as equipment.
EXAMPLES
- thermal switch or thermistor to avoid overheating,
- temperature monitoring devices to control the surface temperature.
b) devices, which are installed separately from the equipment under control and considered as
associated apparatus exclusively for a specific type of protection or specific equipment under control.
The combined apparatus is considered as a system.
EXAMPLES
- external control devices or safety related parts of a control system for type of protection pressurisation,
- overload protective device for electric motors of type of protection Ex e ‘Increased Safety’,
- control devices for battery charging equipment (protection against overcharging or deep discharging),
- level detectors for the control of submersible pumps.
Exclusions from this standard:
Safety devices, where the safety function is adequately covered in the existing standards of EN 60079 and
EN 61241 series do not need any additional assessment according to this standard.
EXAMPLES Intrinsically safe associated apparatus, fuses, electromechanical overload protection, simple thermal protection devices
(e.g. thermal fuses, thermal switches).
The standard does not include devices or systems to prevent the occurrence of explosive atmospheres, e.g.
inerting systems, ventilation in workplaces and containers/vessels.
Gas detectors, which are covered under EN 61779 series, EN 50271 or EN 50402 are also excluded from
the scope of this standard.
This standard does not deal with protection by control of ignition source ‘b’ for non-electrical equipment as
defined in EN 13463-6.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
EN 13237 Potentially explosive atmospheres – Terms and definitions for equipment and
protective systems intended for use in potentially explosive atmospheres
EN 13463-6 Non-electrical equipment for use in potentially explosive atmospheres –
Part 6: Protection by control of ignition source ‘b’
EN 50271 Electrical apparatus for the detection and measurement of combustible gases, toxic
gases or oxygen – Requirements and tests for apparatus using software and/or
digital technologies
EN 50402 + A1 Electrical apparatus for the detection and measurement of combustible or toxic
gases or vapours or of oxygen – Requirements on the functional safety of fixed gas
detection systems
EN 60079 series Explosive atmospheres (IEC 60079 series)
EN 60079-0 Electrical apparatus for explosive gas atmospheres – Part 0: General requirements
(IEC 60079-0, mod.)
EN 60079-10-1 Explosive atmospheres – Part 10-1: Classification of areas – Explosive gas
atmospheres (IEC 60079-10-1)
EN 60079-30-1 Explosive atmospheres – Part 30-1: Electrical resistance trace heating – General
and testing requirements (IEC 60079-30-1)
EN 60079-30-2 Explosive atmospheres – Part 30-2: Electrical resistance trace heating –
Application guide for design, installation and maintenance (IEC 60079-30-2)
EN 60812 Analysis techniques for system reliability – Procedure for failure mode and effects
analysis (FMEA) (IEC 60812)
EN 61010-1 Safety requirements for electrical equipment for measurement, control, and
laboratory use – Part 1: General requirements (IEC 61010-1)
EN 61025 Fault tree analysis (FTA) (IEC 61025)
EN 61165 Application of Markov techniques (IEC 61165)
EN 61241 series Electrical apparatus for use in the presence of combustible dust (IEC 61241 series)
EN 61241-0 Electrical apparatus for use in the presence of combustible dust – Part 0: General
requirements (IEC 61241-0, mod.)
EN 61496-1 Safety of machinery – Electro-sensitive protective equipment – Part 1: General
requirements and tests (IEC 61496-1, mod.)
EN 61508 series Functional safety of electrical/electronic/programmable electronic safety-related
systems (IEC 61508 series)
EN 61508-1 Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 1: General requirements (IEC 61508-1)
EN 61508-2:2001 Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 2: Requirements for electrical/electronic/programmable electronic
safety-related systems (IEC 61508-2:2000)
EN 61508-3 Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 3: Software requirements (IEC 61508-3)
EN 61508-4 Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 4: Definitions and abbreviations (IEC 61508-4)
EN 61508-7:2001 Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 7: Overview of techniques and measures (IEC 61508-7:2000)
EN 61511 series Functional safety – Safety instrumented systems for the process industry sector
(IEC 61511 series)
EN 61511-1:2004 Functional safety – Safety instrumented systems for the process industry sector –
Part 1: Framework, definitions, system, hardware and software requirements
(IEC 61511-1:2003)
EN 61779 series Electrical apparatus for the detection and measurement of flammable gases
(IEC 61779 series, mod.)
EN 62061 Safety of machinery – Functional safety of safety-related electrical, electronic and
programmable electronic control systems (IEC 62061)
EN ISO 13849-1 Safety of machinery – Safety-related parts of control systems – Part 1: General
principles for design (ISO 13849-1)
EN ISO 13849-2 Safety of machinery – Safety-related parts of control systems – Part 2: Validation
(ISO 13849-2)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in EN 60079-0 and the following apply.
3.1
types of protection
the types of protection, as referred to in this standard, are the explosion protection measures for electrical
equipment
NOTE The protection measures are defined in EN 60079-0 or EN 61241-0.
3.2
equipment category
classification of equipment into different levels of safety with respect to the ignition risk
[EN 13237, EN 60079-0, [1]]
NOTE The equipment category is equivalent to the appropriate Equipment Protection Levels (EPLs), defined in the EN 60079-0. This
standard may be applied for EPLs correspondingly.
3.3
functional safety
part of the overall safety relating to the EUC and the EUC control system which depends on the correct
functioning of the safety-related systems and external risk reduction facilities
[EN 61508-4]
3.4
safety device
safety devices, controlling devices and regulating devices required for or contributing to the safe functioning
of equipment with respect to the risks of explosion
Safety devices provide explosion protection by executing a safety function that works independently of the
normal functions of the equipment under its control. A safety device may consist of one or more safety
components, forming a Safety Instrumented System (SIS)
NOTE A regulating device which is controlling an ignition risk is also considered as a safety device.
3.5
Safety Instrumented System (SIS)
instrumented system used to implement one or more safety instrumented functions. A SIS is composed of
any combination of sensor(s), logic solver(s), and final elements(s) [see EN 61511-1:2004, 3.2.72]. A safety
instrumented system is equivalent to a safety-related system, which is defined under EN 61508-4
NOTE Safety device is a term of [EN 13237], [1] and can also be a safety related system.
3.6
safety component
one of the parts of a system or device performing a specific safety function
[EN 61511-1]
3.7
safety function
a function to be implemented by a safety device, which is intended to achieve or maintain a safe state for the
EUC, in respect of ignition hazards
[EN 61508-4]
3.8
Equipment Under Control (EUC)
equipment, machines, apparatus or components which contain a potential ignition source, which is controlled
by a safety device
[EN 61508-4]
3.9
safe state
state of the safety device which leads to a safe condition of the EUC
[EN 61508-4]
3.10
safe condition
the safe condition of an Equipment Under Control (EUC) defines the operating mode in which an acceptable
ignition risk according to the category of the protected equipment is provided by the equipment. The safe
condition of the EUC is intended to be ensured by activating the safety function of the safety device
3.11
combined equipment
combination of a safety device and the Equipment Under Control (EUC). It may be physically combined in
one unit or as separate units. In both cases the combination is considered as equipment according to [1]
3.12
simple safety device
safety devices where the safety function does not depend on complex technology (e.g. microprocessor
technology)
3.13
complex safety device
safety devices where the safety function depends on complex technology, e.g. microprocessor technology
3.14
Safety Integrity Level (SIL)
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
function(s) to be performed by the safety device, where safety integrity level 4 has the highest level of safety
integrity and safety integrity level 1 has the lowest [EN 61508-4]. If the safety device consists of several
safety components the Safety Integrity Level is defined for the complete safety instrumented system
NOTE SIL 4 is not applied in this standard.
3.15
SIL capability
if a safety component is provided separately, its specified SIL capability is the maximum SIL that can be
achieved by a safety device using this component in single channel mode
3.16
Failure Mode and Effect Analysis (FMEA)
analysis of possible failures of any component of the safety device and determination of their consequences
for the overall safety function. It allows any failure to be classified as safe, dangerous, detected or undetected
with respect to the safety function
3.17
Probability of a Failure on Demand (PFD)
specifies the average probability of a failure to perform the safety function on demand. In the low demand
mode the frequency of demands for operation made on a safety related system is not greater than one per
year and no greater than twice the proof-test frequency
[EN 61508-4]
EXAMPLES FOR LOW DEMAND SYSTEMS Running dry protection, circuit breaker, thermistor relay
3.18
Probability of a dangerous Failure per Hour (PFH)
specifies the failure rate (e.g. per hour) to perform the safety function continuously. This value shall be
considered if the safety device is operated in high demand or continuous mode of operation, where the
frequency of demands for operation made on a safety-related system is greater than one per year or greater
than twice the proof-test frequency
[EN 61508-4]
EXAMPLE FOR HIGH DEMAND SYSTEM Continuous flow control of pressurisation
3.19
Safe Failure Fraction (SFF)
the ratio, expressed as a percentage, of the average rate of safe and detected failures to the total average
failure rate of a safety device. A safe failure is a failure which does not put the safety device into a
fail-to-function state (see EN 61508-4 and EN 61508-2:2001, Annex C). A detected failure is a failure which
is detected by the automatic diagnostic tests, or through normal operation
3.20
Hardware Fault Tolerance (HFT)
ability of a safety device to continue to perform a required function in the presence of faults [EN 61508-4]
EXAMPLE HFT = 1 means that the required function is still performed in the presence of 1 arbitrary fault of the safety device
Regarding the equipment under control, the requisite level of protection is assured in the event of faults
occurring independently of each other.
EXAMPLE Category 1 equipment is characterised by HFT=2, which means
– either, in the event of failure of one means of protection, at least an independent second means provides the
requisite level of protection,
– or the requisite level of protection is assured in the event of two faults occurring independently of each other.
3.21
trip level
a threshold for a safety critical parameter pre-adjusted in the safety device. When exceeding this threshold
the safety device activates the safety function
3.22
architecture
specific configuration of hardware and software elements in a system
[EN 61508-4]
3.23
channel
element or group of elements that independently performs a function
[EN 61508-4]
EXAMPLE A two channel (or dual channel) configuration is one with two channels that independently perform the same function
3.24
confidence level
the confidence level is the probability that the confidence interval around the mean value of a statistical
distribution of test results includes the real value. It indicates the significance of a statistical evaluation.
A specified confidence level for a probabilistic proven-in-use evaluation allows the minimum number of
treated demands (low demand mode) or the minimum hours of operation (continuous mode) to be determined
[see EN 61508-7:2001, Annex D]
3.25
average ambient temperature
the average ambient temperature is the mean value of the ambient temperature of the components in
comparable applications. This may involve averaging temperature fluctuations with time ([5])
4 Ignition prevention by safety devices
4.1 General concept of ignition risk reduction
The ignition risk analysis of electrical apparatus starts with the evaluation of potential ignition sources even
under the presumption of faults related to the equipment. If appropriate types of protection (EN 60079 or
EN 61241 series of standards) are applied the ignition risk of the protected equipment is reduced to comply
with the required equipment category. For example, if equipment is to be classified in Category 1, even rare
incidents related to the equipment must be considered. Hence, the equipment must
- either be safe with 2 faults occurring independently in the equipment. If a type of protection is only safe up
to one fault, the fault tolerance of the equipment may be enhanced by control with an appropriate safety
device,
- or, in the event that one means of protection fails, provide at least an independent second means to ensure
the requisite level of protection. For this purpose a suitable safety device can also be used.
For category 2 equipment frequently occurring disturbances or single equipment faults must be considered
with respect to potential ignition sources. If equipment would only be safe in normal operation, those
disturbances or equipment faults can be controlled with a suitable safety device and the ignition risk reduced
correspondingly.
If equipment contains several potential ignition sources, for each ignition source the same consideration
must be performed and the ignition risk decreased by appropriate measures. The controlled equipment shall
comply with the relevant standards EN 60079-0 and/or EN 61241-0 with respect to the final equipment
category.
NOTE Residual risks, which cannot be eliminated by a safety device, may be addressed by safety instructions for installation and
use. Such ignition sources may be for example:
– electrostatic discharge of chargeable surfaces,
– mechanical impact or friction sparks on light metal alloys.
EXAMPLE Equipment complying with Category 3G requirements contains electrical circuits and an enclosure with Mg > 7,5 %. To
comply with Category 2G the electrical circuits can be protected by pressurising the enclosure (Ex p) using a programmable control
system as a safety device. The potential ignition risk created by the enclosure surface can be addressed by a safety instruction.
4.2 Safety characteristics of a safety device
A safety device shall meet a level of reliability depending on the reduction of the ignition risk of the
equipment under control. The required safety integrity level of the safety device can be assessed and
classified according to 5.3. Table 1 shows the required safety characteristics for a safety device when used
to control equipment (EUC) with a potential ignition source and initial fault tolerance to achieve the final
equipment category of the combined equipment.
Table 1 – Minimum requirements for Safety Integrity Level and Fault Tolerance of a safety device

EUC Hardware Fault Tolerance                      2      1      0      1      0      0
Safety device Hardware Fault Tolerance            -      0      1      -      0      -
Safety device Safety Integrity Level              -    SIL 1  SIL 2    -    SIL 1    -
Combined equipment, Group I Category             M1     M1     M1     M2     M2     -
Combined equipment, Group II, III Category        1      1      1      2      2      3

NOTE 1 Fault tolerance:
“0” indicates that the EUC is safe in normal operation. One single fault may cause the apparatus to fail.
“1” indicates that the apparatus is safe with one single fault. Two independent faults may cause the apparatus to fail.
“2” indicates that the apparatus is safe with two independent faults. Three faults may cause the apparatus to fail.
NOTE 2 SIL 1 or SIL 2 indicates the Safety Integrity Level of the safety device according to the EN 61508 series.
NOTE 3 Category 1 or 2 or 3: the appropriate categories are defined in EN 13237, [1].
NOTE 4 “-” means that no safety device is required.
NOTE 5 Equipment which contains a potential ignition source under normal operation is not included in Table 1, because this equipment is already covered under the types of protection.
Examples of combined equipment are listed in Annex D.
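The following is an added worked example, not part of EN 50495 or of any product: it encodes the Table 1 columns above and the demand-mode (3.17/3.18), SFF (3.19), SIL-capability (3.15) and HFT (3.20) definitions as Python functions, so that the selection of a safety device for a given EUC can be checked mechanically. The failure rates in the scenario are constructed, and the rule that an EUC whose fault tolerance exceeds the no-device column of its category needs no safety device is an assumption read from 4.1, not a value in the table.

```python
# Added worked example: the assessment steps in clauses 3.15-3.20 and Table 1 of
# EN 50495 as Python functions. Illustrative code, not part of the standard;
# it encodes only the values of Table 1 and the definitions in clause 3.
from dataclasses import dataclass
from enum import Enum
from typing import NamedTuple, Optional


class DemandMode(Enum):
    LOW = "low demand: PFD applies (3.17)"
    HIGH = "high demand or continuous: PFH applies (3.18)"


def demand_mode(demands_per_year: float, proof_tests_per_year: float) -> DemandMode:
    """Low demand only if the demand frequency is not greater than one per year
    AND not greater than twice the proof-test frequency (3.17); otherwise 3.18."""
    low = demands_per_year <= 1.0 and demands_per_year <= 2.0 * proof_tests_per_year
    return DemandMode.LOW if low else DemandMode.HIGH


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) of a safety device, classified by FMEA (3.16)."""
    safe: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return self.safe + self.dangerous_detected + self.dangerous_undetected


def safe_failure_fraction(rates: FailureRates) -> float:
    """SFF in percent: (safe + detected failure rate) / total failure rate (3.19)."""
    if rates.total <= 0.0:
        raise ValueError("total failure rate must be positive")
    return 100.0 * (rates.safe + rates.dangerous_detected) / rates.total


class Requirement(NamedTuple):
    device_hft: Optional[int]  # None = "-" in Table 1: no safety device required
    device_sil: Optional[int]


class Table1Row(NamedTuple):
    euc_hft: int                       # fault tolerance of the EUC on its own
    requirement: Requirement           # HFT and SIL demanded of the safety device
    group_i_category: Optional[str]    # M1, M2 or none
    group_ii_iii_category: int         # 1, 2 or 3


# The six columns of Table 1, left to right.
TABLE_1 = [
    Table1Row(2, Requirement(None, None), "M1", 1),
    Table1Row(1, Requirement(0, 1), "M1", 1),
    Table1Row(0, Requirement(1, 2), "M1", 1),
    Table1Row(1, Requirement(None, None), "M2", 2),
    Table1Row(0, Requirement(0, 1), "M2", 2),
    Table1Row(0, Requirement(None, None), None, 3),
]


def required_safety_device(euc_hft: int, target_category: int) -> Requirement:
    """Return the HFT/SIL Table 1 demands of a safety device so that an EUC with
    the given fault tolerance reaches the target Group II/III category.
    Assumption beyond the table: an EUC whose own fault tolerance already exceeds
    the category's no-device column needs no safety device (reading of 4.1)."""
    rows = [r for r in TABLE_1 if r.group_ii_iii_category == target_category]
    if not rows:
        raise LookupError(f"Table 1 has no column for category {target_category}")
    for row in rows:
        if row.euc_hft == euc_hft:
            return row.requirement
    self_sufficient = min(r.euc_hft for r in rows if r.requirement.device_hft is None)
    if euc_hft > self_sufficient:
        return Requirement(None, None)
    raise LookupError(f"no Table 1 column lets EUC HFT {euc_hft} reach category "
                      f"{target_category}")


def device_is_adequate(req: Requirement, sil_capability: int, hft: int) -> bool:
    """A candidate device is adequate when its SIL capability (3.15) and hardware
    fault tolerance (3.20) are at least those Table 1 requires."""
    if req.device_sil is None:
        return True  # no safety device needed at all
    return sil_capability >= req.device_sil and hft >= req.device_hft


if __name__ == "__main__":
    # Constructed scenario: EUC with HFT 0 to be marketed as Category 2 equipment.
    req = required_safety_device(euc_hft=0, target_category=2)
    rates = FailureRates(safe=6e-7, dangerous_detected=3e-7, dangerous_undetected=1e-7)
    print("required:", req, "| SFF = %.1f %%" % safe_failure_fraction(rates))
    print(demand_mode(0.5, 1.0).value, "| adequate:", device_is_adequate(req, 1, 0))
```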
5 Functional requirements for a safety device
5.1 General requirements
A safety device shall be specified taking into account the equipment under control including the ignition
source which shall be controlled. If applicable, the type of protection the safety device is designed for, shall
be considered. The safety function and all required components for the safety instrumented system shall be
determined.
The safety function shall be performed reliably under the specified ambient and the operational conditions of
the safety device. To avoid operation errors, the setting of the safety device shall be fail-safe as far as
possible and/or be reduced to the minimum.
In case of power supply or interconnection failures the safety device shall go into a well-defined state. Hence,
the safe state of the safety device shall be defined (e.g. off state, on state, maintain last value, etc.). After a
fault has been remedied, the safety device can be reset automatically if it can be ensured that the EUC
remains in the safe state until it will be restarted under safe conditions. The safety device and control
devices shall operate independently from each other. The interfaces of the safety components shall be
clearly specified.
5.1.1 Ambient and operational conditions
The safety device shall be designed so that it functions safely and accurately under the specified ambient
conditions. The ambient and operational conditions shall be specified by the manufacturer, e.g.:
• supply voltage range;
• electromagnetic environment;
• ambient temperature range, average ambient temperature (see 5.3.4, Note);
• degree of pollution;
• humidity range;
• maximum vibration values;
• maximum shock values.
5.1.2 Demands on the safety function
A demand on the safety device shall bring the EUC into a safe condition and/or start suitable risk reduction
measures before an ignition risk occurs. The ignition threshold (maximum and/or minimum) of the potential
source of ignition shall be considered (e.g. temperature class, maximum surface temperature). The measuring
range, accuracy and reaction time as well as the reaction thresholds of the safety device have to be
defined in such a way that no risk arises from the potential ignition source. For combined equipment the
ignition threshold and the reaction time of the EUC have to be considered as well. If a safety margin is
required by the applied standard (EN 60079-x and/or EN 61241-x), this shall be taken into account
additionally.
NOTE 1 The specified testing conditions of the applied standard should be the basis for the safety parameters, e.g. the reduction of
maximum surface temperature according to the standards for gas and/or dust atmospheres.
NOTE 2 In the specific application the reaction time of the complete safety instrumented system should be considered with respect to
the ignition mechanism of the equipment under control (EUC). The user should take into account the total reaction time of the safety
instrumented system, including the reaction time of the equipment under control, to ensure that no ignition risk can occur.
5.1.3 Serviceability
Any settings and operational modes of the safety device shall be restricted to a minimum and, if necessary,
protected against unauthorised changes. All safety-relevant setting modes shall be clearly marked and
described in such detail that any effect of these modes on the EUC is clearly comprehensible to the
user of the equipment. If required, measures shall be provided to enable the user to perform regular
functional proof tests, or the device provides a self-testing routine.
– 13 – EN 50495:2010
5.2 Special requirements for safety components
Where applicable,
– the sensor,
– the actuator,
– control unit,
– display unit
shall comply with the relevant product standards.
NOTE In order to obtain a maximum of safety during the operation, control and display units shall be designed in compliance with
ergonomic principles:
– ergonomic arrangement of actuators and display devices;
– minimised number of actuators and display devices required for safety measures.
For combined equipment the interconnections, sensor, control unit and actuator shall meet the requirements
of the standard series EN 60079 and/or EN 61241.
Where possible the control unit shall recognise any dangerous failure of the safety device and its associated
interconnection and shall initiate appropriate risk reduction measures.
The measuring and recording units shall be designed in such a manner that any calibrations necessary can
be carried out onsite. The manufacturer shall provide the intervals at which calibrations shall be carried out
as part of the instruction manual.
EXAMPLE A 4 mA to 20 mA current loop is a suitable interconnection, if a short circuit or circuit break is detected by the connected
logic unit. In the case of using a bus system it shall comply with the required SIL.
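As an added illustration (not part of EN 50495) of the EXAMPLE above together with the defined safe state of 5.1, the following logic-unit code interprets a 4 mA to 20 mA loop and goes to a defined "off" state on a detected circuit break or short circuit; the 3.6 mA / 21 mA failure thresholds follow the NAMUR NE 43 convention and, like the measured span and the choice of "off" as safe state, are assumptions for this example:

```python
# Added example, not from EN 50495: logic unit side of a 4 mA to 20 mA loop.
# The break/short thresholds follow NAMUR NE 43 (assumption, not from the page);
# the measured span and the 'off' safe state are constructed for illustration.
LOW_MA, HIGH_MA = 4.0, 20.0     # live-zero span: 4 mA is 0 % of the range
BREAK_MA, SHORT_MA = 3.6, 21.0  # outside these: interconnection failure

def loop_reading(current_ma, span_min, span_max):
    """Return ('ok', value), ('break', None) or ('short', None)."""
    if current_ma < BREAK_MA:   # circuit break or lost transmitter supply
        return "break", None
    if current_ma > SHORT_MA:   # short circuit or transmitter fault signal
        return "short", None
    fraction = (current_ma - LOW_MA) / (HIGH_MA - LOW_MA)
    return "ok", span_min + fraction * (span_max - span_min)

def safety_decision(current_ma, threshold, span=(0.0, 200.0)):
    """Defined safe state 'off' (5.1) on loop failure or threshold violation."""
    state, value = loop_reading(current_ma, *span)
    if state != "ok":
        return "off", state         # dangerous failure detected: go safe
    if value >= threshold:
        return "off", "threshold"   # react before the ignition threshold
    return "on", "normal"
```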
5.3 Requirements for achieving the Safety Integrity Level (SIL)
5.3.1 General
The safety integrity of a complex safety device shall be derived
• either according to EN 61508 series or related standards (e.g. EN 62061, EN ISO 13849-1);
The safety requirements shall be specified in a systematic risk-based manner in accordance with the
mentioned standards. The safety function shall be described clearly in the requirement specification.
Hardware and software measures shall be considered in the design process to control the occurrence of
random hardware faults and to achieve an appropriate diagnostic coverage. The probability of random
hardware faults shall be assessed, e.g. by a systematic failure mode and effects analysis (FMEA). Design
test requirements shall be systematically derived from the requirement specifications. A safety
management system shall be applied during the whole life-cycle of the equipment to minimise the
probability of systematic faults (e.g. software errors).
NOTE The detailed requirements for the management of functional safety, hardware safety integrity and software safety
integrity are specified in e.g. EN 61508 Parts 1, 2 and 3 respectively.
• or based on proven-in-use experience according to EN 61508/EN 61511 series. The safety integrity is
assessed by a statistical failure analysis of an appropriate number of devices used in an appropriate
number of typical applications.
The failure rates can be determined from valid field reliability data records from prior use. To exclude
systematic faults a statistical basis with a confidence level of at least 70 % shall be used. The statistical
determination of the confidence level is defined in EN 61508-7.
5.3.2 General hardware requirements
Any components shall be used within their specifications. Automated diagnostic measures (e.g. a watchdog)
shall be provided to detect hardware failures as far as possible. If the safety function relies on stored data, all
relevant information shall be retained in the safety device. Even after an interruption of the power supply
(e.g. power off) this information shall be available at the restart. If the safety function relies on the use of any
battery modules or similar modules, their lifetime shall be stated in the instruction manual.
5.3.3 General software requirements
The user shall be able to identify the software version, e.g. by marking the installed memory module, by
showing the software version on the display during power up or on user request.
Safety parameter modifications by unauthorised persons shall be prevented e.g. by using a protected access
procedure for the safety related software function. All parameters that can be modified by the user shall be
unambiguously described.
NOTE 1 This can be done by installing an access code or by a deliberate manual, mechanical confirmation (e.g. button behind special
locking device).
Wherever possible, the plausibility of any parameter inputs shall be checked automatically. Invalid inputs
shall be refused.
To increase the Safety Integrity Level of a safety device a multi-channel architecture can be used. If the
individual channels use the same software, failures cannot be considered to be independent. In this case the
software shall comply with the required Safety Integrity Level of the final system.
NOTE 2 Different revisions of software generally are based on the same method which indicates that they don’t fulfil the requirements
of independence of the two channels.
EXAMPLE A safety device of the architecture 1oo2 is equipped with 2 channels. The hardware of each channel is
independent of the other and complies with SIL 1. Both channels use the same software. In order to achieve an overall
SIL 2, this software shall meet the requirements of SIL 2 according to EN 61508-3.
5.3.4 Determination of random hardware failure rates and modes
The random hardware failure rates and failure modes of the safety device shall be determined. Several
methods are suitable, such as Failure Mode and Effects Analysis (FMEA, EN 60812), Fault Tree Analysis
(FTA, EN 61025) and the application of Markov techniques (EN 61165).
The component failure rates can be derived from several industry databases (e.g. [5], [6], [7]). Where
available, data provided by the supplier may be used as well. Generally, these failure rates are average
values expected under given ambient conditions. They are determined under reference conditions which
correspond to the majority of applications for the stated components, e.g. a mean ambient temperature of
40 °C. Under extreme ambient conditions, e.g. if the safety device is operated continuously at the maximum
(or minimum) specified ambient temperature, the failure rates shall be modified for that average ambient
temperature using the corresponding formula given in the referenced databases.
To determine the hardware failure rates in the FMEA, the impact of every fault presumption for each
assembly shall be determined and assessed. If the impact of an assembly fault on the safety function of a
safety device cannot be determined, this fault shall be regarded as dangerous. Its failure rate should be
apportioned 50 % detected and 50 % undetected (according to the EN 61508 series).
Faults for which a proper fault exclusion can be presumed (e.g. the assembly meets the requirements of
appropriate standards) need not be considered. The component is considered to be infallible with respect to
this fault.
Fault presumptions and the reasons for fault exclusion shall follow acknowledged technical standards (e.g.
EN 60079 series, EN 61241 series, EN 61496-1, EN ISO 13849-2 and EN 61010-1) and shall be
documented.
Failures, which cause a loss of the safety function, are considered as dangerous, others as safe. Failures
which are indicated or visible (e.g. causing a fault alarm) are considered as detected, others as undetected.
Finally, the failures are classified into the failure modes safe-detected (sd), safe-undetected (su),
dangerous-detected (dd) and dangerous-undetected (du). The corresponding failure rates λsd, λsu, λdd, λdu
of all components are summed and used for the calculation of the basic safety parameters PFD/PFH and SFF,
from which the Safety Integrity Level is determined.
The method indicated in Annex B fulfils the requirements of this standard.
5.3.5 Simple Safety Devices
Simple safety devices shall comply either with the definition of “Type A” in [EN 61508-2], or
a) the failure modes of all constituent components are well defined, and
b) the behaviour of the safety device under fault conditions can be completely determined, and
c) systematic failures can be excluded (verification of the safety function can be completely determined by
test), and
d) where the safety device is formed by an assembly of components, the probability of random hardware
failures can be determined (e.g. by FMEA).
A simple safety device does not require a complete functional safety assessment according to 5.3.1 to 5.3.4.
It can be assessed according to its dangerous hardware failure rate in an FMEA (see Annex A). For
simplification, the dangerous hardware failure rate may be estimated as the inverse of its total MTBF value
(see Annex A). The safety device shall comply with the failure rate per hour (PFH) of the required SIL
and with the fault tolerance requirement of Table 1. Instead of a regular functional proof test according to 6.3,
a useful lifetime may be specified.
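As an added worked example (not code from EN 50495 or from any device manufacturer) covering the failure-mode totals of 5.3.4 and the 1/MTBF simplification of 5.3.5, the following code sums constructed FMEA rows into λsd, λsu, λdd and λdu, applies the 50 %/50 % split for faults whose impact cannot be determined, honours justified fault exclusions, and derives SFF and PFH; the SIL target bands and the Type A architectural constraint are taken from EN 61508-1 and EN 61508-2, and the component names and FIT values are constructed sample data:

```python
# Added example, not text from EN 50495: totals constructed FMEA rows into the
# four failure modes of 5.3.4 and derives SFF, PFH and the achievable SIL.
# Target bands and the Type A architectural constraint are from EN 61508-1/-2.
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours, the usual database unit
def sum_failure_rates(rows):
    """rows: (name, FIT, impact, detected, excluded); impact may be None."""
    sd = su = dd = du = 0.0
    for _name, rate_fit, impact, detected, excluded in rows:
        if excluded:        # justified fault exclusion: treated as infallible
            continue
        rate = rate_fit * FIT
        if impact is None:  # impact cannot be determined (5.3.4): dangerous,
            dd += rate / 2  # 50 % detected / 50 % undetected
            du += rate / 2
        elif impact == "dangerous":
            dd, du = (dd + rate, du) if detected else (dd, du + rate)
        else:
            sd, su = (sd + rate, su) if detected else (sd, su + rate)
    return sd, su, dd, du

def safe_failure_fraction(sd, su, dd, du):
    """SFF = (lambda_s + lambda_dd) / lambda_total."""
    return (sd + su + dd) / (sd + su + dd + du)

def pfh_simple_device(mtbf_hours):
    """5.3.5 simplification: dangerous failure rate estimated as 1/MTBF."""
    return 1.0 / mtbf_hours

def sil_from_pfh(value):
    """High-demand target bands: SIL n requires PFH < 10**-(n+4) per hour."""
    return next((s for s in (4, 3, 2, 1) if value < 10.0 ** -(s + 4)), 0)

def sil_cap_type_a(sff, hft):
    """Type A architectural constraint: highest SIL claimable for SFF and HFT."""
    band = 0 if sff < 0.60 else 1 if sff < 0.90 else 2 if sff < 0.99 else 3
    return ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))[band][min(hft, 2)]

def achievable_sil(rows, hft):
    """Single channel: PFH ~ lambda_du; SIL is capped by the constraint."""
    sd, su, dd, du = sum_failure_rates(rows)
    sff = safe_failure_fraction(sd, su, dd, du)
    return min(sil_from_pfh(du), sil_cap_type_a(sff, hft))
# Constructed sample FMEA rows: (name, FIT, impact, detected, excluded)
SAMPLE_FMEA = [
    ("thermistor open",    50.0, "dangerous", True,  False),  # caught by loop check
    ("relay contact weld", 30.0, "dangerous", False, False),
    ("relay coil open",    10.0, "safe",      True,  False),
    ("MCU latch-up",       40.0, None,        None,  False),  # unknown -> 50/50
    ("PCB track open",      5.0, "dangerous", False, True),   # exclusion claimed
]
```

With the sample rows the PFH band alone would allow SIL 3, but an SFF of about 62 % with HFT 0 caps the claim at SIL 2, which is why both figures are needed before reading Table 1.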
6 Tests
6.1 Type tests
The safety function of the safety device shall be verified according to the relevant standards, e.g. the EN 61508
series. Appropriate functional tests shall be carried out to ensure that the safety function is performed correctly
under all specified conditions.
Test conditions:
The safety function of the safety device shall be tested under the specified ambient and operational
conditions separately (supply voltage limits, EMC, temperature, vibration, humidity). If not practical due to
weight or dimension of the test sample the tests can be performed with the individual components separately
at the resulting operational conditions of the component.
NOTE EMC testing should be performed according to the applicable product standards.
Acceptance criteria:
The safety device shall perform its safety function correctly under all conditions according to the safety
requirement specifications.