safety function at least once a year. It is also good practice to include the proof test
for the safety function in the routine maintenance program of the machinery.
The person responsible for the design of the complete safety system should also note
the Recommendation of Use CNB/M/11.050 published by the European co-ordination
of Notified Bodies for Machinery concerning dual-channel safety-related systems with
electromechanical outputs:
• When the safety integrity requirement for the safety function is SIL 3 or PL e (cat.
3 or 4), the proof test for the function must be done at least every month.
• When the safety integrity requirement for the safety function is SIL 2 (HFT = 1) or
PL d (cat. 3), the proof test for the function must be done at least every 12 months.
This is a recommendation and depends on the required (not achieved) SIL/PL.
Contactors, breakers, safety relays, contactor relays, emergency stop buttons,
switches, etc. are typical examples of safety devices that have electromechanical
outputs. The STO circuit of the drive does not have electromechanical outputs.
Functional safety components
The mission time of functional safety components is 20 years, which equals the time
during which failure rates of electronic components remain constant. This applies to
the components of the standard Safe torque off circuit as well as any modules, relays
and, typically, any other components that are part of functional safety circuits.
The expiry of mission time terminates the certification and SIL/PL classification of
the safety function. The following options exist:
• Renewal of the whole drive and all optional functional safety module(s) and
components.
• Renewal of the components in the safety function circuit. In practice, this is
economical only with larger drives that have replaceable circuit boards and other
components such as relays.
Note that some of the components may already have been renewed earlier, restarting
their mission time. The remaining mission time of the whole circuit is, however,
determined by its oldest component.
Contact your local ABB service representative for more information.
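The following sketch is an added example, not ABB code: it applies the proof test intervals from the recommendation above and the 20-year mission time rule (oldest component decides) to a component inventory. The component names, dates and the choice to treat the expiry date itself as expired are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date

MISSION_MONTHS = 20 * 12  # mission time of functional safety components: 20 years
# Proof test intervals in months from the recommendation quoted above, keyed by the
# REQUIRED (not achieved) integrity level of the safety function.
PROOF_TEST_MONTHS = {"SIL 3": 1, "PL e": 1, "SIL 2": 12, "PL d": 12}

@dataclass
class Component:
    name: str
    installed: date  # installation or last renewal; renewal restarts the mission time

def add_months(d, months):
    """Add calendar months, clamping the day (31 Jan + 1 month = last day of Feb)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def mission_expiry(components):
    """Return (oldest component, date on which the circuit's mission time ends)."""
    oldest = min(components, key=lambda c: c.installed)
    return oldest, add_months(oldest.installed, MISSION_MONTHS)

def audit(components, required_level, last_proof_test, today):
    """List maintenance findings for one safety function circuit."""
    findings = []
    oldest, expiry = mission_expiry(components)
    if today >= expiry:  # assumption: the expiry date itself counts as expired
        findings.append(f"mission time expired {expiry} ({oldest.name})")
    months = PROOF_TEST_MONTHS.get(required_level)
    if months is None:
        findings.append(f"no proof test interval listed for {required_level!r}")
    elif today > (due := add_months(last_proof_test, months)):
        findings.append(f"proof test overdue since {due}")
    return findings

# Constructed sample inventory (names and dates are made up for illustration).
SAMPLE = [
    Component("safety relay K1", date(2019, 6, 1)),   # renewed, mission time restarted
    Component("contactor Q1", date(2006, 3, 15)),     # oldest part of the circuit
    Component("emergency stop S1", date(2012, 1, 10)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "SIL 3", date(2026, 1, 31), date(2026, 3, 20)):
        print(finding)
```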
Competence
The person who does the maintenance and proof test activities of the safety function
must be a competent person with expertise and knowledge of the safety function and
functional safety, as required by IEC 61508-1 clause 6.
Residual risk
The safety functions are used to reduce the recognized hazardous conditions. In spite
of this, it is not always possible to eliminate all potential hazards. Warnings about
the residual risks must therefore be given to the operators.
Intentional misuse
The safety circuit is not designed to protect a machine against intentional misuse.