Safety and control devices for gas burners and gas burning appliances - General requirements

This amendment to EN 13611:2007 specifies requirements and methods for the determination of SIL-classifications according to EN 61508 for electronics of safety and control devices for gas burners and gas burning appliances.

Sicherheits-, Regel- und Steuereinrichtungen für Gasbrenner und Gasgeräte - Allgemeine Anforderungen

Equipements auxiliaires pour brûleurs à gaz et appareils à gaz - Exigences générales

Varnostne in nadzorne naprave za plinske gorilnike in plinske aparate - Splošne zahteve - Dopolnilo A1

General Information

Status: Not Published
Current Stage: 5060 - Closure of Vote - Formal Approval
Start Date: 03-May-2011
Due Date: 30-Mar-2012
Completion Date: 03-May-2011

Relations

Overview - EN 13611:2007/FprA1 (CEN)

EN 13611:2007/FprA1 is a CEN amendment that adds a normative Annex J specifying how to determine Safety Integrity Levels (SIL) for the electronics used in safety and control devices for gas burners and gas burning appliances. The amendment maps the product‑focused requirements of EN 13611 to functional‑safety parameterisation methods from EN 61508, enabling manufacturers to claim a SIL (up to SIL 3) for controls that operate in high‑demand or continuous mode and that are classified Class B or C under EN 13611. Annex J is normative and applies only when the manufacturer specifies a SIL.

Key topics and technical requirements

  • Scope and applicability: Methodology only for controls where a SIL is declared; relevant to electrical/electronic/programmable electronic (E/E/PE) control systems for industrial and thermo‑processing applications (class B/C).
  • Functional safety management: Requires a documented Functional Safety Management System covering specification, design, implementation, integration, validation, operation and maintenance.
  • Hardware and software requirements:
    • Hardware requirements based on EN 61508-2 (architectures, diagnostics, failure rates).
    • Software requirements reference IEC 72/766/CDV:2008 (based on EN 61508-3).
  • Reliability analyses and metrics:
    • FMEDA / FMEA approaches to identify failure modes and diagnostic coverage (DC).
    • Calculation of PFH (probability of dangerous failures per hour) and Safe Failure Fraction (SFF).
    • Treatment of common‑cause failures (β factor), proof test and diagnostic test intervals.
  • Diagnostic measures and architecture: Lists diagnostic techniques, scoring rules, and architecture categories (basic and complex) with reliability block diagram examples.
  • Normative references: EN 61508 parts 1–3, EN ISO 13849‑1, EN ISO 9000 and other component‑expected‑value documents.

Applications - who uses this standard

  • Manufacturers of gas burner controls and gas burning appliance controllers who wish to declare a SIL level.
  • Control system designers and embedded‑electronics engineers performing FMEDA/FMEA and PFH calculations.
  • Safety engineers and compliance teams integrating EN 61508 functional‑safety practices with appliance standards.
  • Notified bodies and certification organizations assessing SIL claims and conformity to both EN 13611 and EN 61508.

Related standards (for reference / compliance)

  • EN 61508‑1/2/3/4/6/7 (Functional safety)
  • EN ISO 13849‑1 (safety‑related parts of control systems)
  • IEC 60730‑1 (automatic electrical controls)
  • EN ISO 9000 (quality management)

This amendment provides a practical bridge between appliance‑level safety requirements and formal SIL assessment, helping manufacturers and safety professionals align gas‑burner control products with recognised functional‑safety metrics.

Draft
EN 13611:2008/oprA1:2010
English language
33 pages

Standards Content (Sample)


SLOVENIAN STANDARD
SIST EN 13611:2008/oprA1:2010
01 February 2010
Varnostne in nadzorne naprave za plinske gorilnike in plinske aparate - Splošne zahteve - Dopolnilo A1
Safety and control devices for gas burners and gas burning appliances - General requirements
Sicherheits-, Regel- und Steuereinrichtungen für Gasbrenner und Gasgeräte - Allgemeine Anforderungen
Équipements auxiliaires pour brûleurs à gaz et appareils à gaz - Exigences générales
This Slovenian standard is identical to: EN 13611:2007/prA1
ICS:
23.060.40 Tlačni regulatorji  Pressure regulators
27.060.20 Plinski gorilniki  Gas fuel burners
SIST EN 13611:2008/oprA1:2010 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
DRAFT EN 13611:2007/prA1
October 2009
ICS 23.060.40
English Version
Safety and control devices for gas burners and gas burning appliances - General requirements
Equipements auxiliaires pour brûleurs à gaz et appareils à gaz - Exigences générales
Sicherheits-, Regel- und Steuereinrichtungen für Gasbrenner und Gasgeräte - Allgemeine Anforderungen
This draft amendment is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 58.
This draft amendment A1, if approved, will modify the European Standard EN 13611:2007. If this draft becomes an amendment, CEN
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for inclusion of this amendment
into the relevant national standard without any alteration.
This draft amendment was established by CEN in three official versions (English, French, German). A version in any other language made
by translation under the responsibility of a CEN member into its own language and notified to the CEN Management Centre has the same
status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.
Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2009 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 13611:2007/prA1:2009: E

EN 13611:2007/prA1:2009 (E)
Contents Page
Foreword .4
Annex J (normative) Method for the determination of a Safety integrity level (SIL) .6
J.1 Scope .6
J.2 Normative References .6
J.3 Terms and definitions .7
J.4 Symbols .8
J.5 Special requirements to determine a Safety Integrity Level (SIL) .8
J.5.1 Functional safety .8
J.5.2 Management of functional safety .9
J.5.2.1 Methods of fault prevention .9
J.5.2.2 Functional Safety Management System .9
J.5.2.3 Specification of safety requirements . 12
J.5.2.4 Design and development . 13
J.5.2.5 Integration . 13
J.5.2.6 Validation . 13
J.5.2.7 Operation and maintenance . 14
J.5.2.8 Information to the appliance manufacturer . 14
J.5.3 Software requirements . 14
J.5.4 Hardware requirements . 15
J.5.4.1 General . 15
J.5.4.2 Procedural approach . 20
J.5.4.3 Diagnostic measures and their maximum coverage. 21
J.5.4.4 Failure rates and failure modes . 22
J.5.4.5 Determination of common cause factors for complex systems . 27
J.5.4.6 Calculation of PFH_D . 28
Bibliography . 33

Figures
Figure J.1 — Subsystem with basic architecture A – logical representation . 15
Figure J.2 — Subsystem with basic architecture C - logical representation . 16
Figure J.3 — Subsystem with basic architecture B - logical representation . 17
Figure J.4 — Subsystem with basic architecture D - logical representation . 17
Figure J.5 — Example of complex architecture: Burner control system (symbolized schematic) . 18
Figure J.6 — Example of a complex architecture: Reliability block diagram of a burner control system based on segregation into function blocks . 19

Tables
Table J.1 — Diagnostic techniques . 21
Table J.2 — Diagnostic measures. 22
Table J.3 — Failure rates and failure modes . 23
Table J.4 — Scoring Electronics or sensors/actuators . 27
Table J.5 — Calculation of β . 28
Table J.6 — Requirements to the safe failure fraction of subsystems . 31
Table J.7 — Determination of the overall Safety Integrity Level (SIL) . 31

Foreword
This document (EN 13611:2007/prA1:2009) has been prepared by Technical Committee CEN/TC 58 “Safety
and control devices for burners and appliances burning gaseous or liquid fuels”, the secretariat of which is
held by BSI.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EC Directive(s).
For relationship with EC Directive(s), see informative Annexes ZA and ZB, which are integral parts of this
document.
Introduce the following modification to EN 13611:2007:

Foreword
Add the following wording after the 11th paragraph of EN 13611:2007, Foreword:

Primarily in industrial applications it is common practice to rate the safety of a plant based on values describing the likelihood of a dangerous failure. These values are used to determine Safety Integrity Levels or Performance Levels when the system is assessed in its entirety.

CEN/TC 58 standards for safety-relevant controls go beyond this approach: for the life span for which the product is specified, designed and tested, a dangerous failure is not allowed at all. Failure modes are described and assessed in greater detail, and measures to prevent dangerous situations are defined. Field experience over many decades is reflected in the CEN/TC 58 standards, and their requirements can be considered proven in practice.

It cannot be presumed that a Safety Integrity Level or Performance Level assessment alone implies that the requirements of a CEN/TC 58 standard have been met.

To provide the parameters needed for a formal Safety Integrity Level or Performance Level system assessment, Annex J of this document defines a methodology to derive the relevant parameters from the requirements of this standard.

Annex J:
Add the following informative Annex J "Special requirements to determine a Performance Level (PL) or a
Safety integrity level (SIL)" after the last Annex I and before the Annex ZA of EN 13611:2007.

Annex J
(normative)
Method for the determination of a Safety integrity level (SIL)
J.1 Scope
This Annex is only applicable to controls for which the manufacturer specifies a SIL level.
This Annex specifies a set of additional requirements to EN 13611:2007 to determine the safety integrity level (SIL) according to EN 61508 for electrical/electronic/programmable electronic control systems in industrial and thermo-processing applications classified as class B or class C according to EN 13611. The highest safety integrity level achievable with the method of this annex is SIL 3, independent of the hardware architecture.
In its current status this document only includes requirements for controls operated in high demand or continuous mode according to EN 61508-4:2001, 3.5.12.
J.2 Normative References
EN 61508-1:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems -
Part 1: General requirements (IEC 61508-1:1998 + Corrigendum 1999)
EN 61508-2:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (IEC 61508-
2:2000)
EN 61508-3:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements (IEC 61508-3:1998 + Corrigendum 1999)
EN 61508-4:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 4: Definitions and abbreviations (IEC 61508-4:1998 + Corrigendum 1999)
EN 61508-6:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2000)
EN 61508-7:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 7: Overview of techniques and measures (IEC 61508-7:2000)
EN 62061:2005, Safety of machinery — Functional safety of safety-related electrical, electronic and
programmable electronic control systems (IEC 62061:2005)
EN ISO 9000:2005, Quality management systems - Fundamentals and vocabulary (ISO 9000:2005)
EN ISO 13849-1:2008, Safety of machinery - Safety-related parts of control systems — Part 1: General
principles for design (ISO 13849-1:2006)
IEC 61508-6:2000, Functional safety of electrical/electronic/programmable electronic safety-related systems -
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2000)
IEC 72/766/CDV:2008, IEC 60730-1, Ed. 4: Automatic electrical controls for household and similar use —
Part 1: General requirements (IEC 60730-1:1999, modified + A1:2003, modified)
SN 29500-1:2004-01, Expected values, General 1)
SN 29500-1 H1:2008-02, Note 1 on Part 1: Expected values, General, Date of issue 1)
SN 29500-2:2004-12, Part 2: Expected values for integrated circuits 1)
SN 29500-3:2004-12, Part 3: Expected values for discrete semiconductors 1)
SN 29500-4:2004-03, Part 4: Expected values for passive components 1)
SN 29500-5:2004-06, Part 5: Expected values for electrical connections, electrical connectors and sockets 1)
SN 29500-7:2005-11, Part 7: Expected values for relays 1)
SN 29500-9:2005-11, Part 9: Expected values for switches and buttons 1)
SN 29500-10:2005-12, Part 10: Expected values for signal and pilot lamps 1)
SN 29500-11:2007-07, Part 11: Expected values for contactors 1)
SN 29500-12:2008-02, Part 12: Expected values for optical components 1)
SN 29500-15:2008-02, Part 15: Expected values for electromechanical protection devices in low voltage networks 1)
J.3 Terms and definitions
Shall be according to Clause 3 with the following addition:
J.2.1
common cause factor
β
fraction of undetected failures that have a common cause (common cause factor)
[IEC 61508-6:2000, B.1]
J.2.2
failure modes and effects analysis
FMEA
analytical technique in which the failure modes of each hardware component are identified and examined for
their effects on the safety-related functions of the control
[IEC 72/766/CDV:2008, H.2.20.2]
J.2.3
failure modes, effects and diagnosis analysis
FMEDA
FMEA (refer to J.3.2) taking into account any automatic diagnostics to detect failures

1) Published by: Siemens AG, Corporate Technology, CT IRC LIS, Otto-Hahn-Ring 6, 81739 München,
Germany, phone: +49 (89) 636-40682, fax: +49 (89) 636-40688.

J.2.4
common cause failure
failure, which is the result of one or more events, causing coincident failures of two or more separate
subsystems resulting in a failure of the control (function)
J.2.5
proof test interval
interval between two proof tests
NOTE For further information refer to EN 61508-4:2001, 3.8.5.
J.2.6
diagnostic test interval
interval between two automatic diagnostic tests which have a specified diagnostic coverage
NOTE For further information refer to EN 61508-4:2001, 3.8.7.
J.4 Symbols
fit   Failure in time (failure rate of components): number of components which fail within 10^9 hours of operation (1 fit = 10^-9 1/h).
PFH_D   Probability of dangerous failures per hour for continuous or high demand mode
λ_D   Rate of dangerous failures per hour
λ_DU   Rate of undetected dangerous failures per hour
λ_DD   Rate of detected dangerous failures per hour
SFF   Safe failure fraction
DC   Diagnostic coverage
B_10d   Mean number of cycles until 10 % of electromechanical components fail dangerously [EN ISO 13849-1]
J.5 Special requirements to determine a Safety Integrity Level (SIL)
J.5.1 Functional safety
This annex deals with the requirements resulting from EN 61508 which apply in addition to the requirements of EN 13611.
The hardware requirements of clause J.5.4 are based on EN 61508-2.
For software the requirements of IEC 72/766/CDV:2008, Annex H, which are based on EN 61508-3, apply.
The requirements are only applicable to controls performing safety-related control functions (class B or class
C). If the circuit of a device includes components which are not relevant for safety-related control functions,
only the absence of interaction with the safety-relevant components has to be considered.
J.5.2 Management of functional safety
J.5.2.1 Methods of fault prevention
Methods of fault prevention shall be applied in all of the following phases:
- Specification of safety requirements
- Design and construction
- Implementation
- Integration of hardware and software
- Definition of operation and maintenance activities with respect to functional safety
The methods to avoid faults shall be based on a formal system, called Functional Safety Management System.
J.5.2.2 Functional Safety Management System
J.5.2.2.1 General
The manufacturer of a control shall draw up and specify
- management and technical activities which are necessary to achieve the required functional safety of the control;
- responsibilities applicable to persons, departments and organizations responsible for activities relating to the development of a control.
The management activities shall include definitions of actions and responsibilities; scheduling and resource
allocation; training of relevant personnel; consistency checks after modifications.
NOTE For detailed examples refer to EN 61508-7:2001, B.1.1.
The management activities shall include procedures for periodic review and maintenance of the Functional
Safety Management System.
J.5.2.2.2 Documentation
The functional safety management system shall include requirements for the documentation of each activity or
procedure.
The documentation management shall consider the following aspects:
- Information to be documented
- Availability of documentation
- Accurate documentation
- Standardised documentation
- Company documentation structure
- Document revision index
- Structured documentation
- Review of documentation
Documentation shall be structured. It shall use natural language and graphical descriptions, such as block
diagrams and flow diagrams. The use of contents check-lists is highly recommended.
NOTE For detailed examples refer to EN 61508-7:2001, B.1.2.
J.5.2.2.3 Functional safety plan
J.5.2.2.3.1 General
The functional safety management system shall include requirements to set up a functional safety plan for
each project. If certain requirements for the functional safety plan apply generally to any project, the relevant
measures and procedures may be part of the functional safety management system to be referred to by the
functional safety plan.
A functional safety plan shall be drawn up, documented and maintained to control the activities specified for
each control design project.
The activities resulting from J.5.2.2.3.2 shall be implemented and progress monitored.
The requirements developed as a result of J.5.2.2.3.2 shall be formally reviewed by the organizations
(EN ISO 9000:2005, 3.3.1) concerned, and agreement reached. The functional safety plan shall be updated
as necessary.
J.5.2.2.3.2 Requirements
The functional safety plan shall be implemented to ensure prompt follow-up and satisfactory resolution of
issues relevant to a control arising from:
- specification activities;
- design and development activities;
- integration activities;
- verification activities;
- validation activities;
- operation and maintenance activities.
If not already covered by the general requirements J.5.2.2.1, the functional safety plan shall in particular
include the following activities:
a) Selection of appropriate measures and techniques used to meet the requirements of this annex.
This includes references to guidelines and standards which have to be observed.
b) Identification of the relevant activities specified in J.5.2.3.
c) Identification of the policy and strategy to achieve specified functional safety requirements.
d) Identification of the strategy to achieve functional safety for the software procurement, development,
integration, verification, validation and modification.
e) Identification of persons, departments or other units, and organizations (including, where relevant,
licensing authorities or safety regulatory bodies) that are responsible for carrying out and reviewing each
of the activities specified in J.5.2.3. All those persons specified as responsible for management of
functional safety activities shall be informed of the responsibilities assigned to them. Procedures shall be
defined to ensure that applicable parties involved in any activities are competent to carry out the activities
for which they are accountable, e.g. by training.
f) Definition of the way in which information is to be structured and the extent of the information to be
documented.
g) Identification and establishment of procedures to record and maintain information relevant to the
functional safety of a control. The procedures shall be based on the information which is related to the
activities described in J.5.2.3. The compilation of the information shall result in
- a functional requirements specification for the control;
- a safety requirements specification for the control.
h) Description of the procedures for functional safety assessment activities.
The plan for the functional safety assessment shall specify:
- those to undertake the functional safety assessment;
- the outputs from each functional safety assessment;
- the scope of the functional safety assessment;
NOTE In establishing the scope of the functional safety assessment, it will be necessary to specify the documents, and their status, which are to be used as inputs for each assessment activity.
- the safety bodies involved;
- the resources required;
- the level of independence of those undertaking the functional safety assessment;
- the competence of those undertaking the functional safety assessment.
i) Establishment of a verification plan for all activities described in J.5.2.3. It shall include:
- details of when the verification shall take place;
- details of the persons, departments or units who shall carry out the verification;
- the selection of verification strategies and techniques;
- the selection and utilization of test equipment (including environment, tools, programs);
- the selection of verification activities;
- acceptance criteria; and
- the means to be used for the evaluation of verification results.
j) Establishment of a validation plan comprising:
- details of when the validation shall take place;
- requirements against which the control is to be validated;
- the technical strategy for validation, for example analytical methods or statistical tests;
- the test environment, tools, configuration and programs;
- acceptance criteria; and
- action to be taken in the event of failure to meet the acceptance criteria.
The validation plan shall include all activities and methods during development, implementation and
integration, which are necessary to prove the control against its functional requirements specification and
its safety integrity requirements specification.
k) Description of the procedures for configuration management taking into account relevant technical and
organisational issues, such as authorized persons and internal structures of the organisation.
l) Description of the procedures for modifications on controls and the required approval procedures and
authorities for modifications. For software configuration management IEC 72/766/CDV:2008,
H.11.12.3.4.3 applies.
J.5.2.3 Specification of safety requirements
J.5.2.3.1 The specification shall be structured with a hierarchical separation into sub requirements; refined
down to functional level.
J.5.2.3.2 The safety requirements specification shall include a description of all safety-related control
functions.
For each safety-related control function the description shall
- provide comprehensive detailed requirements sufficient for the design and development of the control;
- include the manner in which the control is intended to achieve or maintain a safe state for the appliance;
- specify the relevant modes of operation (e.g. permanent / non-permanent operation of the appliance), and other time related aspects to achieve or maintain a safe state of the application;
- specify whether the control operates the safety-related control function in high demand/continuous mode;
- define the safety integrity level (SIL) for each safety-related control function, if necessary.
J.5.2.3.3 The safety requirements specification for the control shall include appropriate requirements to consider
- the boundary of the application and possible hazards (from process, environment, etc.);
- operation, functions, interfaces, special safety regulations and environment of the appliance;
- all hazards or hazardous events of the appliance, and all potential hazards for the application arising from the control itself;
- safety requirements, safety-related control functions requirements and safety integrity requirements for the control.
J.5.2.3.4 The interfaces between safety-related control functions and non-safety-related control functions
shall be well-defined.
Safety-related control functions and non-safety-related control functions, as well as safety-related control functions with different safety integrity levels, shall be implemented sufficiently independently; otherwise they shall be implemented with the highest safety integrity level associated with any of the functions.
During design, the method of achieving independence and the justification of the method shall be documented
to show independence between functions as required above.
J.5.2.3.5 For software safety requirements specification IEC 72/766/CDV:2008, H.11.12.3.2 applies.
J.5.2.3.6 The safety requirements specification shall be inspected by an independent person using a formal
procedure with correction of all faults found.
NOTE For detailed examples refer to EN 61508-7:2001, B.2.6.
J.5.2.4 Design and development
J.5.2.4.1 Hardware and, if applicable, software shall be split into easily comprehensible modules of limited size, with each module functionally isolated.
NOTE For detailed examples refer to EN 61508-7:2001, B.3.2.
J.5.2.4.2 Design shall be based on semi-formal methods. The use of computer aided design tools is
recommended.
NOTE For detailed examples refer to EN 61508-7:2001, B.2.3 and B.3.5.
J.5.2.4.3 Common cause failures shall be considered during design and the related reviews.
J.5.2.4.4 For software design and development IEC 72/766/CDV:2008, H.11.12.3.2.3 applies.
J.5.2.5 Integration
J.5.2.5.1 During integration all functions shall be tested based on predefined test cases. These tests shall be performed as black-box tests, taking into consideration boundary values combined with critical cases.
These tests shall also cover diagnostic methods realized in software to detect hardware faults.
NOTE For detailed examples refer to EN 61508-7:2001, B.5.2.
J.5.2.5.2 For software integration IEC 72/766/CDV:2008, H.11.12.3.2.1 applies.
J.5.2.6 Validation
J.5.2.6.1 Validation activities shall be independent from design activities.
J.5.2.6.2 Validation shall make use of static analysis and dynamic analysis by using detailed diagrams. The
analysis shall result in a specification of test cases which are basis for functional tests (refer to J.5.2.6.3) and
for fault insertion tests (see EN 298:2003, Clause 9).
NOTE For detailed examples refer to EN 61508-7:2001, B.6.4 and B.6.5.
J.5.2.6.3 Validation shall be based on expanded functional tests, proving that all safety-related control
functions are maintained in the case of static input states and/or unusual input changes, caused by faulty
process or operating conditions.
NOTE For detailed examples refer to EN 61508-7:2001, B.6.8.
J.5.2.6.4 Appropriate information shall be communicated to the appliance manufacturer for the safety validation of the control system within the appliance (refer to J.5.2.8).
J.5.2.6.5 For software validation IEC 72/766/CDV:2008, H.11.12.3.3.3.3 applies.
J.5.2.7 Operation and maintenance
J.5.2.7.1 The instructions shall be user and maintenance friendly.
NOTE For detailed examples refer to EN 61508-7:2001, B.4.2 and B.4.3.
J.5.2.7.2 Access to operation possibilities shall be limited by appropriate safety measures, such as password
protection.
Safety related functions of the control shall be protected against operator mistakes by input acknowledgement
and consistency checks on each operating command.
NOTE For detailed examples refer to EN 61508-7:2001, B.4.4 and B.4.6.
J.5.2.7.3 If necessary to maintain functional safety of the control within the application, appropriate
information shall be communicated to the appliance manufacturer (refer to J.5.2.8).
J.5.2.8 Information to the appliance manufacturer
If not covered by the controls standard, additional information shall be provided to the appliance manufacturer concerning:
- hazards for the application arising from the control itself;
NOTE With reference to the appliance standards, a hazard analysis for the control is usually not required if all hazards are completely covered by the appliance standard.
- actions and methods for installation, commissioning, decommissioning and disposal of the control within the application;
- actions and methods for safety validation of the control within the application;
- actions and methods for operation, maintenance, repair, modification and retrofit of the control within the application;
- actions to maintain the required functional safety of the control during operation and maintenance.
NOTE This may include:
- the substitution of the complete control;
- the inspection of components with limited operating life (e. g. UV photo tubes);
- the substitution of components with limited operating life.
J.5.3 Software requirements
Refer to IEC 72/766/CDV:2008, Annex H.
J.5.4 Hardware requirements
J.5.4.1 General
J.5.4.1.1 The determination of the SIL level is based on a fault assessment according to EN 13611:2007, 6.6, under additional consideration of
- J.5.4.3 Diagnostic measures and their maximum coverage
- J.5.4.4 Failure rates and failure modes
- J.5.4.5 Determination of common cause factors for complex systems
J.5.4.1.2 All hardware modules of the control that perform safety functions according to the functional specification of the control standard shall be considered in the analysis. Thus all components within those modules which were subject to the fault assessment of EN 13611:2007, 6.6, shall be identified as subject to this additional examination. This also includes components which are shared between safety and non-safety functions or provide de-coupling from non-safety-related functions.
J.5.4.1.3 All requirements of Clause J.5 consider controls to be operated in high demand mode according
to EN 61508-4:2001, 3.5.12. Thus a PFH value needs to be determined.
D
J.5.4.1.4 1oo1 architecture
Controls that have a simple linear structure without redundant modules are classified as 1oo1 architecture.
Those controls are represented by the following architecture models A and C based upon EN 62061:2005,
6.7.8.2.
J.5.4.1.4.1 Basic architecture A: 1oo1 architecture without diagnostic function
Any dangerous failure of a subsystem element causes a failure of the control function. The subsystem does
not include diagnostic measures.

Figure J.1 — Subsystem with basic architecture A – logical representation
NOTE Figure J.1 is a logical representation of the subsystem A architecture and should not be interpreted as its
physical implementation (e. g. flame sensor without self check or O2 probe without self check).
J.5.4.1.4.2 Basic architecture C: 1oo1 architecture with diagnostic function(s)
Any undetected dangerous fault of a subsystem element results in a dangerous failure of the safety related
control function(s). Where a fault of a subsystem element is detected, the diagnostic function(s) initiates a fault
reaction function. The diagnostic functions are carried out by either:
– the subsystem which requires diagnostics; or
– other subsystems of the safety related control function(s); or
– subsystems not involved in the performance of the safety-related control function.

Figure J.2 — Subsystem with basic architecture C - logical representation
NOTE Figure J.2 is a logical representation of the subsystem C architecture and should not be interpreted as its
physical implementation (e. g. flame sensor with self check or O2 probe with self check).
J.5.4.1.5 Complex architecture
J.5.4.1.5.1 General
All systems other than 1oo1 systems shall be split into subsystems such that the methods of J.5.4.6.7.2 can
be applied to calculate the overall PFH_D.
Complex architectures require a common cause factor β to be determined for calculation according to J.5.4.5.
Those controls are represented by a combination of subsystems with architecture models A, B, C or D based
upon EN 62061:2005, 6.7.8.2.
J.5.4.1.5.2 Basic architecture B: 1oo2 architecture without diagnostic function
This architecture is such that a single failure of any subsystem element does not cause a loss of the safety
related control function(s). Thus, there would have to be a dangerous failure in more than one element before
failure of the safety related control function(s) can occur. The subsystem does not include diagnostic
measures.
Figure J.3 — Subsystem with basic architecture B - logical representation
NOTE Figure J.3 is a logical representation of the subsystem B architecture and should not be interpreted as its
physical implementation.
J.5.4.1.5.3 Basic architecture D: 1oo2 architecture with diagnostic function(s)
This architecture is such that a single failure of any subsystem element does not cause a loss of the safety
related control function(s). Where a fault of a subsystem element is detected, the diagnostic function(s)
initiates a fault reaction function. The diagnostic functions are carried out by either:
– the subsystem which requires diagnostics; or
– other subsystems of the safety related control function(s); or
– subsystems not involved in the performance of the safety-related control function.

Figure J.4 — Subsystem with basic architecture D - logical representation
NOTE 1 Figure J.4 is a logical representation of the subsystem D architecture and should not be interpreted as its
physical implementation.
NOTE 2 The fault reaction for this subsystem is assumed to be termination of the relevant operation. Online repair, as
defined in IEC 62061, is not assumed to be applicable for controls according to EN 13611.
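The four basic architectures above differ only in how the dangerous failure rates of the subsystem elements, their diagnostic coverage and the common cause factor β combine into the subsystem's PFH_D. The following is an added example and is not text or code from EN 13611:2007/A1: it writes out the subsystem formulas of EN 62061:2005, 6.7.8.2, which Annex J cites by reference, as the editor recalls them, together with the EN 61508-1 PFH bands for high demand mode. The element values, β, T1, T2 and all function and class names are assumptions of the example, chosen for illustration only.

```python
"""Added example, not part of EN 13611:2007/A1: PFH_D of the basic subsystem
architectures A, B, C and D described in J.5.4.1.4 and J.5.4.1.5.

Annex J refers to EN 62061:2005, 6.7.8.2 for these architectures; the
closed-form expressions below are the subsystem formulas of that clause as
the author of this example recalls them, written out here for illustration.
Failure rates are in 1/h, T1 is the proof test interval or useful lifetime
in h, T2 is the diagnostic test interval in h and beta is the common cause
factor of J.5.4.5 (a value chosen for the example, not derived).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    """One subsystem element: dangerous failure rate plus the diagnostic
    coverage of the measure that monitors it (see Table J.1)."""
    lambda_d: float        # dangerous failure rate in 1/h
    dc: float = 0.0        # 0.0 for architectures A and B (no diagnostics)


def pfh_arch_a(elements):
    """Architecture A (1oo1, no diagnostics): every dangerous failure of
    any element is a dangerous failure of the subsystem."""
    return sum(e.lambda_d for e in elements)


def pfh_arch_c(elements):
    """Architecture C (1oo1 with diagnostics): only the undetected share
    of each element's dangerous failures stays dangerous."""
    return sum(e.lambda_d * (1.0 - e.dc) for e in elements)


def pfh_arch_b(e1, e2, beta, t1):
    """Architecture B (1oo2, no diagnostics): both elements have to fail
    dangerously within T1, or a common cause failure takes out both."""
    independent = (1.0 - beta) ** 2 * e1.lambda_d * e2.lambda_d * t1
    common_cause = beta * (e1.lambda_d + e2.lambda_d) / 2.0
    return independent + common_cause


def pfh_arch_d(e1, e2, beta, t1, t2):
    """Architecture D (1oo2 with diagnostics). A detected first fault leaves
    only a window of T2 for the second element to fail, an undetected first
    fault leaves a window of T1. Because NOTE 2 of J.5.4.1.5.3 rules out
    online repair, the fault reaction ends the operation and T2 is simply
    the diagnostic test interval."""
    l1, l2 = e1.lambda_d, e2.lambda_d
    detected_first = l1 * l2 * (e1.dc + e2.dc) * t2 / 2.0
    undetected_first = l1 * l2 * (2.0 - e1.dc - e2.dc) * t1 / 2.0
    common_cause = beta * (l1 + l2) / 2.0
    return (1.0 - beta) ** 2 * (detected_first + undetected_first) + common_cause


def pfh_system(subsystem_pfhs):
    """Subsystems in series (J.5.4.1.5.1): the overall PFH_D of the safety
    related control function is the sum of the subsystem values."""
    return sum(subsystem_pfhs)


def sil_from_pfh(pfh):
    """High demand / continuous mode band of EN 61508-1 for a PFH_D value;
    0 means no SIL is reachable. This is a necessary condition only: the
    architectural constraints (hardware fault tolerance, SFF) and the
    systematic capability may limit the claimable SIL further."""
    if pfh >= 1e-5:
        return 0
    for sil, band_upper in ((1, 1e-5), (2, 1e-6), (3, 1e-7), (4, 1e-8)):
        if pfh >= band_upper / 10.0:
            return sil
    return 4


if __name__ == "__main__":
    # Constructed figures for illustration only, not taken from any control.
    plain = Element(lambda_d=1e-6)                 # no diagnostics
    monitored = Element(lambda_d=1e-6, dc=0.90)    # e.g. monitored redundancy, Table J.1
    beta, t1, t2 = 0.05, 10 * 8760.0, 1.0          # 10 years lifetime, hourly test
    for name, pfh in (
        ("A, two elements", pfh_arch_a([plain, plain])),
        ("C, two elements", pfh_arch_c([monitored, monitored])),
        ("B, 1oo2", pfh_arch_b(plain, plain, beta, t1)),
        ("D, 1oo2", pfh_arch_d(monitored, monitored, beta, t1, t2)),
    ):
        print(f"architecture {name}: PFH_D = {pfh:.3e} 1/h -> band SIL {sil_from_pfh(pfh)}")
```

With the constructed values the two 1oo2 forms land almost entirely on the common cause term (β · λ_D), which is why J.5.4.1.5.1 makes the determination of β according to J.5.4.5 a precondition for any complex architecture: once diagnostics or redundancy push the independent term down, β decides the result.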
J.5.4.1.5.4 Examples of complex architecture systems
Figure J.5 represents the physical fragmentation of the circuit of a burner control system into hardware
modules (hardware block diagram).

Key
1) Flame amplifier
2) Power supply (NT)
3) Disconnecting element for NT
4) uC1
5) Disconnecting element for uC1
6) uC2
7) Disconnecting element for uC2
8) Output module
Figure J.5 — Example of complex architecture: Burner control system (symbolized schematic)
Figure J.6 demonstrates the logical segregation of a burner control system into function blocks. Each function
block represents a subsystem element, or a common cause failure of redundant subsystem elements. The
function blocks are connected to form a reliability block diagram of the system.
NOTE The control systems represented by Figures J.5 and J.6 are different.

Key
F1 … F12 function blocks, e. g.:
– power supply (with voltage monitoring)
– microcontroller
– EEPROM
– relay driver
– relay contact
– flame sensor and flame signal amplifier
– common cause failures
– control and monitoring of external component
– etc.
DC_n diagnostic coverage (example) for function block F_n
λ_n failure rate of function block F_n
Figure J.6 — Example of a complex architecture: Reliability block diagram of a burner control system
based on segregation into function blocks
J.5.4.1.6 The calculation of λ (failure rate), DC (Diagnostic Coverage) and SFF (Safe Failure Fraction)
according to J.5.4.6 is based on the single failure assessment under consideration of all control functions
performed by the system.
J.5.4.1.7 In accordance with EN 61508-2:2001, C.1, the hardware failure effects are classified as follows:
– Dangerous: failures which, in the absence of diagnostic methods, would cause a dangerous failure of the
system (e. g. short circuit of one of the components in the shut-off path; open circuit of a crystal
resonator).
– Safe: failures which, in the absence of diagnostic methods, would not cause a dangerous failure of the
system, but may impair the reliability (e. g. open circuit of components for safety related inputs, open
circuit of components in the shut-off path).
– Don't care: failures which neither impair safety integrity nor reliability (e. g. open circuit of EMC protection
capacitors).
Two independent faults are not considered for calculation of λ, DC and SFF.
NOTE Controls are assumed to be safe if they comply with the requirements for functional safety of EN 13611:2007,
6.6, which include the assumption of up to two independent faults, as well as the diagnostic methods and the reaction on
detected faults. Thus there is no direct relationship between the fault effect categorization "a", "b", "c" or "d" of
EN 13611:2007, 6.6.3.2 and 6.6.4.2 and the classifications "dangerous" or "safe" of this document.
J.5.4.2 Procedural approach
J.5.4.2.1 Based on the parts list for each system (or subsystem) a failure modes and effects analysis
(according to definition xyz) is performed with a classification of failures into “dangerous” or “safe” according to
J.5.4.1.7.
J.5.4.2.2 Failures which are classified as "dangerous" are subject to an analysis considering their possible
detection by diagnostic measures or techniques described in J.5.4.3 (FMEDA = failure modes, effects and
diagnosis analysis, refer to J.3.3), resulting in detected and undetected failures.
J.5.4.2.3 If the system is not separated into subsystems a 1oo1 structure is assumed (refer to J.5.4.1.4).
J.5.4.2.4 A separation into subsystems helps to analyze the effectiveness of diagnostic measures in complex
design structures more accurately. This requires determining the evidence of common cause failures
according to the method described in J.5.4.5.
It is assumed that any safety related control system can be separated into subsystems of basic architecture
types A, B, C or D according to J.5.4.1.4 and J.5.4.1.5.
Concerning the failure effects each subsystem has to be analyzed separately.
NOTE In particular a separation into subsystems may apply to class C / SIL 3 controls.
J.5.4.2.5 Finally an overall calculation is performed using all individual results of the subsystems.
The system architecture will influence the calculation method.
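The procedure of J.5.4.2.1 and J.5.4.2.2, carried out on a constructed parts list, as an added example that is not part of the standard: each failure mode of each part is classified "dangerous", "safe" or "don't care" per J.5.4.1.7, the dangerous modes are split into detected and undetected using the DC of the Table J.1 measure that catches them, and the λ, DC and SFF figures of J.5.4.1.6 fall out. The part names, failure rates, mode fractions and DC assignments are invented for the illustration; the class and function names are the example's own.

```python
"""Added example, not part of EN 13611:2007/A1: a small single-fault FMEDA in
the sense of J.5.4.2 on a constructed parts list, yielding the lambda, DC and
SFF values that J.5.4.1.6 asks for.

Every failure mode of every part is classified as in J.5.4.1.7; dangerous
modes are then split into detected and undetected by the diagnostic coverage
of the measure that detects them (Table J.1). The parts, failure rates and
mode fractions are made up for this illustration and come from no database
and no real control.
"""

from dataclasses import dataclass

DANGEROUS = "dangerous"
SAFE = "safe"
DONT_CARE = "don't care"


@dataclass(frozen=True)
class FailureMode:
    name: str
    fraction: float    # share of the part's total failure rate (all modes sum to 1)
    effect: str        # DANGEROUS, SAFE or DONT_CARE per J.5.4.1.7
    dc: float = 0.0    # coverage of the diagnostic measure detecting this mode, 0 if none


@dataclass(frozen=True)
class Part:
    ref: str
    lambda_total: float    # total failure rate in 1/h
    modes: tuple


@dataclass
class FmedaResult:
    lambda_s: float = 0.0     # safe failures
    lambda_dd: float = 0.0    # dangerous, detected
    lambda_du: float = 0.0    # dangerous, undetected

    @property
    def lambda_d(self):
        return self.lambda_dd + self.lambda_du

    @property
    def dc(self):
        """Diagnostic coverage: detected share of the dangerous failures."""
        return self.lambda_dd / self.lambda_d if self.lambda_d else 1.0

    @property
    def sff(self):
        """Safe failure fraction as defined in EN 61508-2."""
        total = self.lambda_s + self.lambda_d
        return (self.lambda_s + self.lambda_dd) / total if total else 1.0


def run_fmeda(parts):
    """One failure mode at a time, as J.5.4.1.7 requires (two independent
    faults are not considered for lambda, DC and SFF)."""
    result = FmedaResult()
    for part in parts:
        if abs(sum(m.fraction for m in part.modes) - 1.0) > 1e-9:
            raise ValueError(f"{part.ref}: mode fractions must sum to 1")
        for mode in part.modes:
            rate = part.lambda_total * mode.fraction
            if mode.effect == SAFE:
                result.lambda_s += rate
            elif mode.effect == DANGEROUS:
                result.lambda_dd += rate * mode.dc
                result.lambda_du += rate * (1.0 - mode.dc)
            elif mode.effect == DONT_CARE:
                pass  # affects neither safety integrity nor reliability: excluded
            else:
                raise ValueError(f"{part.ref}/{mode.name}: unknown effect {mode.effect!r}")
    return result


# Constructed parts list (illustration only). DC values follow Table J.1:
# monitoring of relay contacts 99 %, watch-dog with separate time base with
# time window 90 %, watch-dog without time window 60 %.
SAMPLE_PARTS = (
    Part("K1 relay contact in shut-off path", 2.0e-7, (
        FailureMode("contact welded (short circuit)", 0.5, DANGEROUS, dc=0.99),
        FailureMode("contact open", 0.5, SAFE),
    )),
    Part("X1 crystal resonator", 5.0e-8, (
        FailureMode("open circuit", 0.6, DANGEROUS, dc=0.90),
        FailureMode("frequency drift", 0.4, DANGEROUS, dc=0.60),
    )),
    Part("C1 EMC protection capacitor", 1.0e-8, (
        FailureMode("open circuit", 0.7, DONT_CARE),
        FailureMode("short circuit", 0.3, SAFE),
    )),
)


if __name__ == "__main__":
    r = run_fmeda(SAMPLE_PARTS)
    print(f"lambda_S  = {r.lambda_s:.3e} 1/h")
    print(f"lambda_DD = {r.lambda_dd:.3e} 1/h")
    print(f"lambda_DU = {r.lambda_du:.3e} 1/h")
    print(f"DC = {r.dc:.3f}, SFF = {r.sff:.3f}")
```

The "don't care" modes are deliberately dropped from every sum, which raises SFF compared with counting them as safe; that matches the classification of J.5.4.1.7 and is the point of the three-way split. The per-subsystem λ_D and DC produced here are the inputs the architecture formulas of J.5.4.6 consume.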
J.5.4.3 Diagnostic measures and their maximum coverage
The following information is only valid if the diagnostic measures are performed automatically by the control
system (but not by the process), either periodically or on demand.
Table J.1 provides techniques, and Table J.2 provides measures of diagnostic tests to detect and to control
random hardware failures in order to achieve the relevant level of diagnostic coverage (DC).
If diagnostic tests comply with the requirements of "Reference", the mentioned diagnostic coverage (DC) may
be used for calculation. Other measures and techniques may be used, provided evidence is produced to
support the claimed diagnostic coverage.
Table J.1 — Diagnostic techniques

Diagnostic technique | Reference | DC | Notes
Failure detection by on-line monitoring | EN 61508-2:2001, A.2, A.3 | 90 % | Depends on diagnostic coverage of failure detection
Idle current principle | EN 61508-2:2001, A.2, A.15 | 60 % | Electromechanical systems, actuators
Monitoring of relay contacts | EN 61508-2:2001, A.2, A.15 | 99 % | Electromechanical systems, actuators
Comparator | EN 61508-2:2001, A.2, A.3 | 99 % | High if failure modes are predominantly in a safe direction
Majority voter | EN 61508-2:2001, A.2, A.3 | 99 % | Depends on the quality of the voting
Test by redundant hardware | EN 61508-2:2001, A.3 | 90 % | Depends on diagnostic coverage of failure detection
Dynamic principles | EN 61508-2:2001, A.3 | 90 % | Depends on diagnostic coverage of failure detection
Monitored redundancy | EN 61508-2:2001, A.3 | 90 % | Depends on diagnostic coverage of failure detection
Watch-dog with separate time base without time window | EN 61508-2:2001, A.10, A.12 | 60 % | Program sequence, clock
Watch-dog with separate time base with time window | EN 61508-2:2001, A.10, A.12 | 90 % | Program sequence, clock
Combination of temporal and logical monitoring of the program sequence | EN 61508-2:2001, A.10, A.12 | 99 % | Program sequence, clock
Overvoltage protection with safety shut-off | EN 61508-2:2001, A.9 | 60 % | Power supply
Secondary voltage control and protection with safety shut-off | EN 61508-2:2001, A.9 | 99 % | Power supply

Table J.2 — Diagnostic
...

Frequently Asked Questions

EN 13611:2007/FprA1 is a draft published by the European Committee for Standardization (CEN). Its full title is "Safety and control devices for gas burners and gas burning appliances - General requirements". This standard covers: This amendment to EN 13611:2007 specifies requirements and methods for the determination of SIL-classifications according to EN 61508 for electronics of safety and control devices for gas burners and gas burning appliances.

EN 13611:2007/FprA1 is classified under the following ICS (International Classification for Standards) categories: 23.060.40 - Pressure regulators. The ICS classification helps identify the subject area and facilitates finding related standards.

EN 13611:2007/FprA1 has the following relationships with other standards: it has inter-standard links to EN 13611:2007+A2:2011 and EN 13611:2007. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

EN 13611:2007/FprA1 is associated with the following European legislation: EU Directives/Regulations: 2009/142/EC, 90/396/EEC, 97/23/EC; Standardization Mandates: M/071, M/327, M/BC/CEN/89/6. When a standard is cited in the Official Journal of the European Union, products manufactured in conformity with it benefit from a presumption of conformity with the essential requirements of the corresponding EU directive or regulation.
