Maintenance
Proof test interval
After the operation of the safety function is validated at start-up, the safety function must
be maintained by periodic proof testing. In high demand mode of operation, the maximum
proof test interval is 20 years. In low demand mode of operation, the maximum proof test
interval is 2 or 5 years (high or low demand as defined in IEC 61508, EN/IEC 62061 and
EN ISO 13849-1). Regardless of the mode of operation, it is a good practice to check the
operation of the safety function at least once a year. Do the test as described in section
on page
.
The person responsible for the design of the complete safety function should also note the
Recommendation of Use CNB/M/11.050 published by the European co-ordination of
Notified Bodies for Machinery concerning dual-channel safety-related systems with
electromechanical outputs:
• When the safety integrity requirement for the safety function is SIL 3 or PL e (cat. 3 or
  4), the proof test for the function must be performed at least every month.
• When the safety integrity requirement for the safety function is SIL 2 (HFT = 1) or PL d
  (cat. 3), the proof test for the function must be performed at least every 12 months.
This is a recommendation and depends on the required (not achieved) SIL/PL. For
example, contactors, breakers, safety relays, contactor relays, emergency stop buttons,
switches etc. are typically safety devices which contain electromechanical outputs.
The FSO and FSE modules and the STO circuit of the inverter unit do not contain any
electromechanical components.
Competence
The maintenance and proof test activities of the safety function must be carried out by a
competent person with expertise and knowledge of the safety function as well as
functional safety, as required by IEC 61508-1 clause 6.
Residual risk
The safety functions are used to reduce the recognized hazardous conditions. In spite of
this, it is not always possible to eliminate all potential hazards. Therefore, warnings
about the residual risks must be given to the operators.
Intentional misuse
The safety circuit is not designed to protect a machine against intentional misuse.
Decommissioning
When you decommission a POUS circuit or an inverter unit, make sure that the safety of
the machine is maintained until the decommissioning is complete.