(high or low demand as defined in IEC 61508, EN/IEC 62061 and EN ISO 13849-1).
Regardless of the mode of operation, it is a good practice to check the operation of the
safety function at least once a year by doing the start-up and acceptance test of the safety
function.
The person responsible for the design of the complete safety system should also note the
Recommendation of Use CNB/M/11.050 published by the European co-ordination of Notified
Bodies for Machinery concerning dual-channel safety-related systems with electromechanical
outputs:
•
When the safety integrity requirement for the safety function is SIL 3 or PL e (cat. 3 or
4), the proof test for the function must be performed at least every month.
•
When the safety integrity requirement for the safety function is SIL 2 (HFT = 1) or PL d
(cat. 3), the proof test for the function must be performed at least every 12 months.
This is a recommendation and depends on the required (not achieved) SIL/PL. For example,
safety relays, contactor relays, emergency stop buttons, switches, etc. are typically safety
devices which contain electromechanical outputs.
Competence
The maintenance and proof test activities of the safety function must be carried out by a
competent person with expertise and knowledge of the safety function as well as functional
safety, as required by IEC 61508-1 clause 6.
Residual risk
The safety functions are used to reduce the recognized hazardous conditions. In spite of
this, it is not always possible to eliminate all potential hazards. Therefore the warnings for
the residual risks must be given to the operators.
Intentional misuse
The safety circuit is not designed to protect a machine against intentional misuse.
Decommissioning
When you decommission an emergency stop circuit or a drive, make sure that the safety
of the machine is maintained until the decommissioning is complete.
36 Maintenance