demand mode of operation, the maximum proof test interval is 1 year (high or low demand
as defined in IEC 61508, IEC/EN 62061 and EN ISO 13849-1). Regardless of the mode of
operation, it is a good practice to do the proof test for the safety function at least once a
year. It is also a good practice to include the proof test for the safety function in the routine
maintenance program of the machinery.
The person responsible for the design of the complete safety system should also note the
Recommendation of Use CNB/M/11.050 published by the European co-ordination of Notified
Bodies for Machinery concerning dual-channel safety-related systems with electromechanical
• When the safety integrity requirement for the safety function is SIL 3 or PL e (cat. 3 or
4), the proof test for the function must be done at least every month.
• When the safety integrity requirement for the safety function is SIL 2 (HFT = 1) or PL d
(cat. 3), the proof test for the function must be done at least every 12 months.
This is a recommendation and depends on the required (not achieved) SIL/PL. For example,
contactors, breakers, safety relays, contactor relays, emergency stop buttons, switches,
etc. are typically safety devices which have electromechanical outputs. The STO circuit of
the drive does not have electromechanical outputs.
Functional safety components
The mission time of functional safety components is 20 years which equals the time during
which failure rates of electronic components remain constant. This applies to the components
of the standard Safe torque off circuit as well as any modules, relays and, typically, any
other components that are part of functional safety circuits.
The expiry of mission time terminates the certification and SIL/PL classification of the safety
function. The following options exist:
• Renewal of the whole drive and all optional functional safety module(s) and components.
• Renewal of the components in the safety function circuit. In practice, this is economical
only with larger drives that have replaceable circuit boards and other components such
as relays.
Note that some of the components may already have been renewed earlier, restarting their
mission time. The remaining mission time of the whole circuit is however determined by its
oldest component.
Contact your local ABB service representative for more information.
The person who does the maintenance and proof test activities of the safety function must
be a competent person with expertise and knowledge of the safety function and functional
safety, as required by IEC 61508-1 clause 6.
Residual risk
The safety functions are used to reduce the recognized hazardous conditions. In spite of
this, it is not always possible to eliminate all potential hazards. Thus, the warnings for the
residual risks must be given to the operators.
32 Maintenance