oSIST prEN 746-11:2020
Industrial thermoprocessing equipment - Part 11: Safety requirements for protective systems
This part of EN 746 specifies the requirements for protective systems used in industrial furnaces and associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of the EN 746 series.
SLOVENIAN STANDARD
1 March 2020
Industrijska termoprocesna oprema - 11. del: Varnostne zahteve za zaščitne sisteme
Industrial thermoprocessing equipment - Part 11: Safety requirements for protective systems
Industrielle Thermoprozessanlagen - Teil 11: Sicherheitsanforderungen an Schutzsysteme
Équipements thermiques industriels - Partie 11 : Prescriptions de sécurité pour les systèmes de protection
This Slovenian standard is identical to: prEN 746-11
ICS:
25.180.01 Industrial furnaces in general
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
January 2020
ICS 25.180.01
English Version
Industrial thermoprocessing equipment - Part 11: Safety
requirements for protective systems
Équipements thermiques industriels - Partie 11 : Prescriptions de sécurité pour les systèmes de protection
Industrielle Thermoprozessanlagen - Teil 11: Sicherheitsanforderungen an Schutzsysteme
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/TC 186.
If this draft becomes a European Standard, CEN members are bound to comply with the CEN/CENELEC Internal Regulations
which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
This draft European Standard was established by CEN in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.
Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2020 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. prEN 746-11:2020 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Design requirements for equipment in a protective system
4.1 General
4.2 Requirements for protective systems
4.3 Fault assessment for the hardwired section of protective systems
4.4 Failure of utilities
4.5 Reset
Annex A (informative) Explanation of techniques and measures for avoiding systematic faults
Annex B (informative) Examples of techniques for avoiding failures from external wiring
Annex C (informative) Examples for the determination of safety integrity level SIL using the risk graph method
Annex D (informative) Example of an extended risk assessment for one safety instrumented function using the EN 61511 method
Annex E (informative) Sample schematic diagrams of protective system
Annex F (normative) Hardwiring protective systems
Annex ZA (informative) Relationship between this European Standard and the essential requirements of Directive 2006/42/EC aimed to be covered
Bibliography
European foreword
This document (prEN 746-11:2020) has been prepared by Technical Committee CEN/TC 186
“Industrial Thermoprocess Equipment - Safety”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
The contents of prEN 746-11:2020 are based on parts of EN 746-2:2009 and ISO 13577-4:2016.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association and supports essential requirements of EU Directive(s).
For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this
document.
Introduction
This part of EN 746 was developed to specify the requirements of a protective system, which is a safety-
related electrical control system (SRECS) of industrial thermoprocessing equipment and associated
processing equipment (TPE).
Mandatory safety-related control functions of TPE are specified in EN 746-1, EN 746-2, and EN 746-3.
It is intended that in designing the protective system of TPE, manufacturers of TPE choose from the four
methods provided in this part of EN 746.
This part of EN 746 is to be used together with the other parts of EN 746 with the principles of
EN ISO 12100. However, there are cases in which a risk assessment according to EN 61511 (all parts) is
more suitable for the design of a TPE protective system.
This document is a type-C standard as stated in EN ISO 12100.
The machinery concerned and the extent to which hazards, hazardous situations, or hazardous events
are covered are indicated in the scope of this part of EN 746.
When requirements of this type-C standard are different from those which are stated in type-A or -B
standards, the requirements of this type-C standard take precedence over the requirements of the other
standards for machines that have been designed and built according to the requirements of this type-C
standard.
EN 61511 (all parts) provides the option of a low-demand rate on the protective system.
EN 62061:2005 or EN ISO 13849-1:2015 always assume high-demand applications.
Therefore, this part of EN 746 permits extended risk assessment for SRECS in which risk assessment
based on EN 61511 (all parts) can be chosen as an alternative.
1 Scope
This part of EN 746 specifies the requirements for protective systems used in industrial furnaces and
associated processing equipment (TPE).
The functional requirements to which the protective systems apply are specified in the other parts of
the EN 746 series.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable to its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
prEN ISO 13574:— 1), Industrial furnaces and associated processing equipment — Vocabulary
EN 298:2012, Automatic burner control systems for burners and appliances burning gaseous or liquid
fuels
EN ISO 13849-1:2015, Safety of machinery - Safety-related parts of control systems - Part 1: General
principles for design (ISO 13849-1:2015)
EN 14597:2012, Temperature control devices and temperature limiters for heat generating systems
EN IEC 60947-4-1:2019, Low-voltage switchgear and controlgear — Part 4-1: Contactors and motor-
starters - Electromechanical contactors and motor-starters (IEC 60947-4-1:2018)
EN 60947-5-1:2017, Low-voltage switchgear and controlgear — Part 5-1: Control circuit devices and
switching elements - Electromechanical control circuit devices (IEC 60947-5-1:2016)
EN 60204-1:2018, Safety of machinery — Electrical equipment of machines — Part 1: General
requirements (IEC 60204-1:2016)
EN 60730-2-5:2015, Automatic electrical controls — Part 2-5: Particular requirements for automatic
electrical burner control systems (IEC 60730-2-5:2013)
EN 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related
systems (IEC 61508)
EN 61131-3:2013, Programmable controllers — Part 3: Programming languages (IEC 61131-3:2013)
EN 61511 (all parts), Functional safety — Safety instrumented systems for the process industry sector (IEC
61511 (all parts))
EN 62061:2005 2), Safety of machinery — Functional safety of safety-related electrical, electronic and
programmable electronic control systems (IEC 62061:2005)
1) Under preparation.
2) This document is impacted by the amendments EN 62061:2005/A1:2013 and EN 62061:2005/A2:2015.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in prEN ISO 13574 and the following
apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
final element
part of a protective system which implements the physical action necessary to achieve a safe state
Note 1 to entry: Examples are valves, switch gear, motors including their auxiliary elements, for example, a
solenoid valve and actuator if involved in the safety function.
[SOURCE: EN 61511-1:2017, 3.2.24, modified: "instrumented system" has been changed to read
"protective system" in the definition.]
3.2
flame detector device
device by which the presence of a flame is detected and signaled
Note 1 to entry: It can consist of a flame sensor, an amplifier, and a relay for signal transmission.
[SOURCE: prEN ISO 13574:—, 2.65, modified: the second sentence of the original definition has been
moved into Note 1 to entry.]
3.3
automatic burner control system
protective system comprised of at least a programming unit and all the elements of a flame detector
device
Note 1 to entry: The various functions of an automatic burner control system can be in one or more housings.
[SOURCE: prEN ISO 13574:—, 2.5, modified: the second sentence of the original definition has been
moved into Note 1 to entry.]
3.4
functional safety
capability of a protective system or other means to reduce risk, to execute the actions required for
achieving or maintaining a safe state for the process and its related equipment
[SOURCE: prEN ISO 13574:—, 2.73]
3.5
logic function
function that performs the transformations between input information (provided by one or more input
functions or sensors) and output information (used by one or more output functions or final elements)
Note 1 to entry: Logic functions are executed by the logic solver of a protective system.
[SOURCE: EN 61511-1:2017, 3.2.39, modified: "input functions" has been changed to read "input
functions or sensors" and "output functions" has been changed to read "output functions or final
elements" in the definition; the second sentence of the original definition has been deleted; Note 1 to
entry has been added.]
3.6
logic solver
portion of a protective system that performs one or more logic function(s)
Note 1 to entry: Examples are electrical systems, electronic systems, programmable electronic systems,
pneumatic systems, and hydraulic systems. Sensors and final elements are not part of the logic solver.
[SOURCE: EN 61511-1:2017, 3.2.40, modified: "either a BPCS or SIS" has been changed to read "a
protective system" in the definition; Note 1 in the original definition has been deleted.]
3.7
manual reset
action after a lockout of a safety device (e.g. automatic burner control) carried out manually by the
supervising operator
[SOURCE: prEN ISO 13574:—, 2.107]
3.8
performance level
PL
discrete level used to specify the ability of safety-related parts of control systems to perform a safety
function under foreseeable conditions
[SOURCE: EN ISO 13849-1:2015, 3.1.23]
3.9
product standard
standard for products and devices which are listed in EN 746 (all parts) except this part of EN 746
[SOURCE: prEN ISO 13574:—, 2.135 modified: "EN 746-4" has been changed to read "this part of
EN 746" in the definition.]
3.10
programmable logic control
PLC
electronic device designed for control of the logical sequence of events
[SOURCE: prEN ISO 13574:—, 2.125]
3.11
protective system
instrumented system used to implement one or more safety-related instrumented functions which is
composed of any combination of sensor(s), logic solver(s), and final elements (for example, see
Figure 2)
Note 1 to entry: This can include safety-related instrumented control functions or safety-related instrumented
protection functions or both.
[SOURCE: prEN ISO 13574:—, 2.138]
3.12
safety bus
bus system and/or protocol for digital network communication between safety devices, which is
designed to achieve and/or maintain a safe state of the protective system in compliance with
EN 61508 (all parts) or EN 60730-2-5:2015
[SOURCE: prEN ISO 13574:—, 2.164]
3.13
safety device
device that is used to perform protective functions, either on its own or as a part of a protective system
Note 1 to entry: Examples are sensors, limiters, flame monitors, burner control systems, logic systems, final
elements, and automatic shut-off valves.
3.14
safety integrity level
SIL
discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety
functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the
highest level of safety integrity and safety integrity level 1 has the lowest
Note 1 to entry: The target failure measures for the four safety integrity levels are specified in EN 61508-
1:2010, Tables 2 and 3.
Note 2 to entry: A safety integrity level (SIL) is not a property of a system, subsystem, element, or device. The
correct interpretation of the phrase "SIL n safety-related system" (where n is 1, 2, 3, or 4) is that the system is
potentially capable of supporting safety functions with a safety integrity level up to n.
[SOURCE: EN ISO 13849-1:2015, 3.1.33]
3.15
sensor
device that produces a signal based on a process variable
EXAMPLES Transmitters, transducers, process switches, and position switches.
3.16
system for permanent operation
system, which is intended to remain in the running position for longer than 24 h without interruption
[SOURCE: EN 60730-2-5:2015, 2.5.101]
3.17
system for non-permanent operation
system, which is intended to remain in the running position for less than 24 h
[SOURCE: EN 60730-2-5:2015, 2.5.102]
3.18
systematic capability
measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of
an element meets the requirements of the specified SIL, in respect of the specified element safety
function, when the element is applied in accordance with the instructions specified in the compliant
item safety manual for the element
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and
control of systematic faults (see EN 61508-2:2010 and EN 61508-3:2010).
Note 2 to entry: What qualifies as a relevant systematic failure mechanism depends on the nature of the
element. For example, for an element comprising solely software, only software failure mechanisms will need to
be considered. For an element comprising hardware and software, it is necessary to consider both systematic
hardware and software failure mechanisms.
Note 3 to entry: A systematic capability of SC N for an element, in respect of the specified element safety
function, means that the systematic safety integrity of SIL N has been met when the element is applied in
accordance with the instructions specified in the compliant item safety manual for the element.
[SOURCE: prEN ISO 13574:—, 2.183]
4 Design requirements for equipment in a protective system
4.1 General
Electrical equipment shall comply with EN 60204-1 and withstand the hazards identified in the risk
assessment required at the design stage. Electrical equipment shall be protected against damage. In
particular, it shall be robust to withstand damage during continuous operation.
Devices shall be used in accordance with the manufacturer's instructions including safety manuals. Any
device used outside of its published technical specification shall be verified and validated to be suitable
for the intended application.
Devices of a protective system shall withstand the environmental conditions and fulfill their intended
function.
Sensors (e.g. pressure transmitters, temperature transmitters, flow transmitters) used in the protective
system shall be independent from the process control system.
Figure 1 is provided as an aid to understanding the relationship between the various elements of TPE
and their ancillary equipment, the heating system, the process control system, and the protective
system.
Figure 1 — Block diagram of control and protective systems
An appropriate group of techniques and measures shall be used that are designed to prevent the
introduction of faults during the design and development of the hardware and software of the
protective system (see Annex A).
Failure due to short circuit in external wiring shall be avoided (see Annex B).
Requirements for testing and testing intervals for protective systems shall be specified in the
instruction handbook. Except as permitted by Method D, all safety functions shall be tested at least
once a year. Method D shall be used if the interval between tests of all safety functions is to exceed
one year.
See Annex C and D for examples of SIL/PL determinations.
4.2 Requirements for protective systems
4.2.1 General
Any one or a combination of the four (4) methods shall be used to implement a protective system for
the safety function(s) requirements identified in EN 746 (all parts); however, only one method shall be
used for any one specific safety function. The four methods are the following:
— Method A as specified in 4.2.2;
— Method B as specified in 4.2.3;
— Method C as specified in 4.2.4;
— Method D as specified in 4.2.5.
Figure 2 shows the basic configuration of a protective system.
Figure 2 — Basic configuration of a protective system
Figure 3 shows the basic characteristics of each method.
NOTE 1 Software interconnections are links between software function blocks, safety PLC inputs, and safety
PLC outputs. These are similar to hardwired interconnections between devices.
NOTE 2 Safety function software is either a software function block or program to perform safety logic
functions (e.g. prepurge, automatic burner control).
Figure 3 — Method overview
See Annex E for sample schematic diagrams of the various methods.
4.2.2 Method A
Method A shall be a hardwired system in which all devices (i.e. sensors, logic solver, and final elements
described in Figure 4) comply with the relevant product standards as specified in EN 746 (all parts) and
EN 14597:2012.
The requirements of EN 61508 (all parts), EN 61511 (all parts), EN 62061:2005, and
EN ISO 13849-1:2015 are not applicable for this type of protective system.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— connections shall not be permitted through data communication buses;
— devices with fixed program language, which meet the relevant product standards, shall be
permitted;
— hardwiring shall be in accordance with Annex F.
Figure 4 — Hardware configuration of Method A
NOTE The safety devices used in Method A (4.2.2) meet specific safety requirements, matched to the field of
application and the functional requirements placed on these devices, as demanded in the corresponding product
standards for safety devices, e.g. automatic burner control systems, valve-proving systems, pressure-sensing
devices, automatic shut-off valves. Even without additional SIL/PL certification of these safety devices, their
use complies with the safety requirements of the relevant product standards. Implementation of a protective
system in accordance with 4.2.2 is one of several alternative methods.
4.2.3 Method B
Method B shall be a combination of devices meeting the relevant product standards and/or SIL/PL
capable devices for which no relevant product standard exists. Safety PLCs are excluded (see Figure 5).
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be
permitted;
— interconnections may be hardwired or through safety bus;
— hardwiring shall be in accordance with Annex F.
For devices which are not covered by product standards, the following requirements shall be fulfilled:
— the device shall be SIL 3 capable in accordance with EN 61508 (all parts), EN 62061:2005, or
EN 61511 (all parts) or it shall be PL e capable in accordance with EN ISO 13849-1:2015;
— SIL/PL capability certification shall apply to the complete device, including the hardware and
software.
NOTE 1 Verification and validation of SIL/PL certification for devices is typically carried out by a notified
body, an accredited national testing laboratory, or an organization operating in accordance with
EN ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (i.e. proven in use), the requirements in EN 61511 (all parts)
shall be followed.
All requirements in the safety handbook for the device shall be adhered to, such as the proof test
interval.
NOTE 2 See Annex C for examples of determining SIL/PL.
Figure 5 — Hardware configuration of Method B
4.2.4 Method C
4.2.4.1 General
Method C shall be a combination of devices meeting the relevant product standards and/or SIL/PL
capable devices for which no relevant product standard exists and/or safety PLCs.
The following requirements for hardwiring shall be fulfilled:
— all logic solvers shall be supplied by the devices and through the direct interconnections between
the devices;
— devices with fixed program language, which meet the relevant product standards, shall be
permitted;
— the interconnections may be hardwired, through safety bus, or through software interconnections;
— hardwiring shall be in accordance with Annex F.
Safety function software is only permitted in the form of verified and validated SIL 3 capable software
function blocks (see Figure 6).
Safety functions shall be permitted within a safety-rated device (e.g. a safety PLC) or within an external
device covered by the relevant product standard.
For the devices (safety PLC, timers, etc.) which are NOT covered by product standards, the following
requirements shall be fulfilled:
— the devices shall be SIL 3 capable in accordance with EN 61508 (all parts), EN 62061:2005, or
EN 61511 (all parts) or it shall be PL e capable in accordance with EN ISO 13849-1:2015;
— where a programmable device implements a safety function that is partly or entirely addressed in a
relevant product standard, the software function shall be verified and validated with respect to the
applicable requirements in the related product standard including but not limited to the sequences
and timings of the product standard;
— software interconnections in a programmable device shall be verified by a functional test;
— software programming languages for PLCs shall be in accordance with EN 61131-3:2013;
— software shall be locked and secured against unauthorized and unintentional changes.
NOTE 1 Verification and validation of SIL/PL certification is typically carried out by a notified body, an
accredited national testing laboratory, or an organization operating in accordance with EN ISO/IEC 17025:2005.
Devices with less than SIL 3/PL e capability shall be permitted, provided the SIL/PL requirements for
the loop (safety function) are determined and calculated.
When the SIL is determined by prior use (i.e. proven in use), the requirements in EN 61511 (all parts)
shall be followed.
All requirements in the safety manual for the device shall be adhered to such as the proof test interval.
NOTE 2 See Annex C for examples of determining SIL/PL.
Figure 6 — Hardware configuration of Method C
4.2.4.2 Requirements for application software
4.2.4.2.1 In accordance with the required safety integrity level, the chosen programmable protective
equipment and its software shall meet the safety integrity requirements of the particular application:
— correctness of functionality;
— sequencing and time-related information;
— timing constraints;
— concurrency (software interrupts should be avoided);
— data structures and properties;
— design assumptions and dependencies;
— testability.
4.2.4.2.2 Proof of the items listed in 4.2.4.2.1 shall be provided by verification and validation
steps according to the design and development phases within the life cycle of the software, including
— validity of the software requirement specification and
— completeness, consistency, understandability, and unambiguousness of documentation and
programs.
The application design representations shall be based on a notation (e.g. functional diagram), which is
unambiguously defined or restricted to unambiguously defined features; as far as practicable, the
application design shall minimize the safety-related part of the software. Where the software is to
implement both safety and non-safety functions then all of the software shall be treated as safety-
related, unless adequate independence between the functions can be demonstrated in the application
design. Where the software is to implement safety functions of different safety integrity levels, then all
of the software shall be treated as belonging to the highest safety integrity level unless adequate
independence between the safety functions of the different safety integrity levels can be shown in the
application design. The justification for independence shall be recorded in the relevant design
documentation.
If software modules proven in operation are to be used as part of the application software, they shall be
clearly identified and documented. The software's suitability in satisfying the requirements of a
particular application shall be justified. Suitability shall be based upon evidence of satisfactory
operation in a similar application or having been subject to the same verification and validation
procedures as would be expected for any newly developed software. For software modules proven in
operation, the extent of testing may be limited to the tests required to ensure proper implementation.
Constraints from the previous software environment (e.g. operating system and compiler
dependencies) should be evaluated. Depending on the nature of the software development,
responsibility for conformance with 4.2.4.2 can lie with the supplier alone, the user alone, or both.
The division of responsibility shall be recorded. The proposed software architecture shall be based on a
partitioning into devices/subsystems, which can be identified to be part of the system software and of
the plant-specific application software.
The following information shall be provided for each device/subsystem:
— whether it is new, existing, or proprietary;
— whether it has been previously verified and, if so, under which verification conditions;
— whether it is safety-related or not;
— its software safety integrity level;
— identification, evaluation, and details of the significance of all hardware/software interactions;
— a notation used to represent the architecture which is unambiguously defined or restricted to
unambiguously defined features;
— identification of the design features used for maintaining the safety integrity of all data (this shall
include plant input-output data, communications data, operator interface data, maintenance data,
and internal database data).
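The partitioning rule in 4.2.4.2 (software of different safety integrity levels, or safety and non-safety software, is treated as belonging to the highest SIL of the partition unless independence is demonstrated and recorded) can be applied mechanically to a coupling graph of the application. The following is an added worked example, not text or code from prEN 746-11: the module names, their assigned SILs, the couplings and the recorded independence justifications are all constructed for illustration. It computes the SIL each module must be developed and verified to, and shows how removing a recorded justification pulls a SIL 2 module and a non-safety module up to SIL 3.

```python
"""Partitioning rule of 4.2.4.2: software implementing safety functions of
different SILs is treated as belonging to the highest SIL, and non-safety
software sharing a partition with safety software is treated as safety-
related, unless independence is demonstrated and recorded in the design.
Added worked example, not text or code from prEN 746-11; modules, their
assigned SILs and the coupling list are constructed for illustration.
"""
from collections import defaultdict

# Constructed application: module -> SIL assigned to the function it implements
# (0 = not safety-related).
MODULES = {
    "prepurge_seq": 3,
    "flame_supervision": 3,
    "valve_proving": 2,
    "temp_limiter": 2,
    "recipe_handler": 0,
    "hmi_trend_log": 0,
}

# Constructed couplings found in the application design (shared data, direct
# calls, shared timers).  Undirected: either module can disturb the other.
COUPLINGS = [
    ("prepurge_seq", "flame_supervision"),
    ("flame_supervision", "valve_proving"),
    ("valve_proving", "recipe_handler"),     # recipe code writes a valve-proving timer
]

# Couplings for which the design documentation records an independence
# justification (e.g. read-only access through a checked interface).
JUSTIFIED_INDEPENDENT = {("flame_supervision", "valve_proving")}


def partitions(modules, couplings, justified):
    """Group modules whose couplings lack an independence justification (union-find)."""
    parent = {m: m for m in modules}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in couplings:
        if (a, b) in justified or (b, a) in justified:
            continue
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for m in modules:
        groups[find(m)].add(m)
    return [frozenset(g) for g in groups.values()]


def required_sil(modules, couplings, justified):
    """SIL each module must be developed and verified to."""
    out = {}
    for group in partitions(modules, couplings, justified):
        top = max(modules[m] for m in group)
        for m in group:
            out[m] = top
    return out


def safety_related(modules, couplings, justified):
    """Modules that must be treated as safety-related software."""
    return sorted(m for m, s in required_sil(modules, couplings, justified).items() if s >= 1)
```

With the recorded justification in place, valve_proving stays at SIL 2 but recipe_handler, which is not a safety function, must nevertheless be treated as SIL 2 software because of the unjustified coupling; with the justification removed, both become SIL 3. Only hmi_trend_log, which has no coupling at all, remains non-safety-related.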
4.2.5 Method D
Method D shall be in accordance with the full requirements of EN 61508 (all parts), EN 62061:2005,
EN 61511 (all parts), or EN ISO 13849-1:2015 (see Figure 7).
NOTE 1 See Annex D for the method in accordance with EN 61511 (all parts).
Method D shall also fulfill the following requirements:
a) the flame detector device shall comply with EN 60730-2-5:2009 or EN 298:2012;
b) the PLC and all safety devices shall be used in accordance with all instructions in the device
manufacturer's product safety manual, including voting and testing frequency requirements;
c) each functional safety requirement, as identified in EN 746 (all parts), shall be evaluated for its
need in accordance with the standards, such as EN 61511 (all parts), EN ISO 13849-1:2015, and
EN 62061:2005, and implemented with the required SIL for each function. Safety functions of the
safety-related system, such as automatic burner control, valve proving, air/fuel ratio control, etc.
shall fulfill the intent of the safety requirements in the relevant product standards;
NOTE 2 An extended risk assessment in Method D can take precedence over the safety requirements in EN 746
(all parts). By nature of the extended risk assessment under Method D, the overall safety is not reduced and meets
or exceeds the intended requirements of EN 746 (all parts).
d) the interconnections may be hardwired, through safety bus, or through software interconnections;
e) hardwiring shall be in accordance with Annex F.
NOTE 3 Verification and validation of SIL/PL certification is typically carried out by a notified body, an
accredited national testing laboratory, or an organization operating in accordance with EN ISO/IEC 17025:2005.
Figure 7 — Hardware configuration of Method D
4.3 Fault assessment for the hardwired section of protective systems
The protective system shall be designed such that the devices required in EN 746 (all parts) shall be
used as follows:
a) When relays are used in safety functions, the contacts shall be supervised and force-guided, and
the current applied to any contact shall not exceed 60 % of the contact's rating. Control relays
for safety shall be in accordance with EN 60947-5-1:2017 or the required SIL/PL. Power relays
for safety, with or without mirror contacts, shall be in accordance with EN IEC 60947-4-1:2019 or
the required SIL/PL.
b) The device shall be wired in accordance with the manufacturer’s instructions.
c) For Methods B and C, when timers not complying with the relevant product standards as specified
in all the other parts of EN 746 are used in safety functions, timers shall have a systematic
capability of SC 3 (SIL 3 capable). Setting of adjustable timers shall be locked or sealed.
d) Overcurrent protection shall be provided to limit current in the safety circuit to below 60 % of the
lowest device contact rating.
e) Additional requirements are given in Annex F.
4.4 Failure of utilities
Loss of utilities (e.g. electrical power, instrument air) to the TPE shall result in safe state (e.g. lock-out).
Any restart shall be initiated by manual intervention only. The start-up and ignition sequence shall
apply (see prEN 746-2:2020, 4.2.7 or 4.3.7).
4.5 Reset
Unless permitted by Method D, on devices performing a safety function, reset after lock-out shall be
triggered manually after remedying the fault (see prEN ISO 13574:—, 2.107).
A reset shall not override a safety function.
The design shall incorporate means to prevent unintended and permanent resets.
The design shall incorporate means to prevent unintended start of the TPE.
The instruction handbook shall include a requirement that the operator ensures safe operation prior to
initiating a reset.
The maximum number of resets within a defined time span shall be limited based on the risk
assessment and shall be specified in the instruction handbook.
When the manual reset is initiated without direct sight of the TPE, safe operation shall be ensured
from the point of the reset action, and the actual status and relevant information of the process under
control shall be visible to the user.
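The reset rules of 4.5 (manual reset only after the fault is remedied, no override of an active safety function, no unintended or permanent reset, limited number of resets within a defined time span) can be expressed as a small supervisor in the logic solver. The following is an added illustration, not code from the standard; the reset limit and time span are assumptions that would come from the risk assessment.

```python
from dataclasses import dataclass, field


@dataclass
class ResetSupervisor:
    """Manual reset after lock-out, illustrating clause 4.5 (added example; the
    limit and time span are assumptions to be taken from the risk assessment)."""
    max_resets: int            # permitted manual resets within window_s
    window_s: float            # defined time span over which resets are counted
    locked_out: bool = False
    fault_present: bool = False
    reset_times: list = field(default_factory=list)
    _prev_input: bool = False  # last level of the reset input (edge detection)

    def trip(self) -> None:
        """A safety function has acted: enter lock-out; the fault is taken as present."""
        self.locked_out = True
        self.fault_present = True

    def update_fault(self, present: bool) -> None:
        """Latest diagnosis of the fault that caused the lock-out."""
        self.fault_present = present

    def manual_reset(self, t: float, reset_input: bool, safety_demand: bool) -> tuple:
        """Evaluate the reset input at time t. Returns (accepted, reason)."""
        # Only a rising edge counts: a held or jammed input cannot produce a
        # permanent (or repeated) reset.
        edge = reset_input and not self._prev_input
        self._prev_input = reset_input
        if not edge:
            return False, "no rising edge on reset input"
        if not self.locked_out:
            return False, "not in lock-out"
        if safety_demand:
            # A reset shall not override a safety function still demanding the safe state.
            return False, "safety function still active"
        if self.fault_present:
            # Reset only after the fault has been remedied.
            return False, "fault not remedied"
        # Limit the number of resets within the defined time span.
        self.reset_times = [r for r in self.reset_times if t - r < self.window_s]
        if len(self.reset_times) >= self.max_resets:
            return False, "reset limit within time span reached"
        self.reset_times.append(t)
        self.locked_out = False
        # Restart is not automatic: the start-up and ignition sequence still applies.
        return True, "reset accepted; start-up sequence required"
```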
Annex A
(informative)
Explanation of techniques and measures for avoiding systematic faults
A.1 General
Random faults have physical causes (e.g. temperature extremes, corrosion, wear) and statistical
information can be used for a risk analysis. However, systematic faults originate from human errors in
the specification and design of the protective system. Systematic faults can be hidden until specific
conditions occur and might not be discovered for long periods of time. These specific conditions will
cause all equipment that was produced from that system to fail in the same manner. Consequently, it is
very important to guard against systematic faults from the beginning stages of a project.
A.2 Competency
Because systematic faults are human in nature, the people and their organization involved in the design
and development of protective systems need to be competent for the particular activities for which they
are responsible. Each person, department, organization, or other unit needs to be identified and
informed of the responsibilities assigned to them (including, where relevant, licensing authorities or
safety regulatory bodies). The following items need to be addressed in determining competency for
protective system design:
a) engineering knowledge, training, and experience appropriate to
1) the process application,
2) the applicable technology used (e.g. electrical, electronic, programming), and
3) the sensors and final elements;
b) safety engineering knowledge (e.g. process safety analysis);
c) knowledge of the legal and regulatory functional safety requirements;
d) adequate management and leadership skills appropriate to their role in the design;
e) understanding of the potential consequence of an event;
f) suitability to the novelty and complexity of the application and the technology.
Additional information on competency can be found in EN 61511-1:2017.
A.3 Avoidance of systematic faults
The following provides a summary of typical activities needed for avoidance of systematic faults during
the design stage. More details can be found in EN 61508-2:2010.
Choose a design method with features that facilitate the following:
a) transparency, modularity, and other features that control complexity;
b) clear and precise expression of
1) functionality,
2) subsystem and element interfaces,
3) sequencing and time-related information, and
4) concurrency and synchronization;
c) clear and precise documentation and communication of information;
d) verification and validation.
Use design features that make the protective system tolerant against systematic and random faults and
residual design faults in the hardware, software, and data communication process.
During the design, distinguish and identify those activities that can be carried out at the developer’s
premises from those that require access to the user’s site.
Formalize maintenance requirements during the design stage to ensure that the safety integrity
requirements of the protective systems continue to be met throughout its lifecycle.
Take into account human capabilities and limitations and the actions assigned to operators and
maintenance staff, including their likely level of training or awareness.
Plan the protective system integration tests and the test plan documentation, including the
following:
— the types of tests to be performed and procedures to be followed;
— the test environment, tools, configuration, and programs;
— the pass/fail criteria.
Where applicable, use automatic testing tools and integrated development tools.
Annex B
(informative)
Examples of techniques for avoiding failures from external wiring
Figure B.1 shows how a possible short circuit at cable 2 would defeat the protective system. For normal
safety function, an open state of the pressure switch contacts would cause the logic solver to perform an
action through the final element to bring the system to a safe state. With a short circuit at cable 2, the
open state of either switch is not detected.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.1 — Improper external wiring method
CAUTION — Figure B.1 shows an IMPROPER example of external wiring practice.
Figure B.2 shows a technique that can provide a sufficient level of protection for the safety function
when used with protective system methods A and B. All conductors are brought back to the main
enclosure through cable ducts or conduits, which provide sufficient protection from mechanical and
thermal damage. Also, the interconnecting wire links are made within the main enclosure of the
protective system logic solver.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.2 — Protected wiring
Figure B.3 shows a slight variation of Figure B.2 where the protective system device accepts each
conductor from the sensors and can provide a sufficient level of protection for the safety function when
using any of the protective system methods, A, B, C, or D.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.3 — Protected wiring, all conductors carried throughout
Figure B.4 shows a technique in which both states of the sensor switch are monitored by the protective
system, whose logic solver detects the improper condition caused by a short circuit in the field
wiring. This technique is suitable when using any of the protective system methods, A, B, C, or D.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.4 — Supervising both states
Figure B.5 shows a variation of Figure B.4 where the 6-conductor single cable 2 could be replaced with
two 3-conductor cables.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.5 — Supervising both states, multiple cables
Figure B.6 shows a technique using analog signals for the switching states, where the protective system
logic solver detects the improper condition caused by a short circuit in the field wiring (the analog
level is outside the acceptable band for either the high or the low state). This technique is suitable
when using any of the protective system methods, A, B, C, or D.
Key
1 cable 1
2 cable 2
3 cable 3
Figure B.6 — Supervision by analog value
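The detection logic behind Figures B.4 and B.6 can be illustrated in the logic solver: complementary contacts that are both closed, or an analog level outside both state bands, are read as a wiring fault rather than a valid sensor state. This is an added example, not from the standard; the contact arrangement, the 4-20 mA bands and the discrepancy time are assumptions.

```python
# Added example (not from the standard): line supervision for the techniques of
# Figures B.4 and B.6. Contact polarity, current bands and timing are assumptions.

OK, SAFE, FAULT, SWITCHING = "ok", "safe_state", "wiring_fault", "switching"


def supervise_both_states(nc_closed: bool, no_closed: bool,
                          discrepancy_s: float, max_discrepancy_s: float = 0.5) -> str:
    """Figure B.4: the switch's NC and NO contacts are both read over the field
    cable. A healthy sensor always shows exactly one contact closed. Both closed
    points to a short circuit between conductors; both open for longer than the
    switching time points to an open circuit (wire break)."""
    if nc_closed and no_closed:
        return FAULT          # short circuit in the field wiring
    if not nc_closed and not no_closed:
        # Contacts may briefly overlap while the switch changes state.
        return SWITCHING if discrepancy_s <= max_discrepancy_s else FAULT
    return OK if nc_closed else SAFE   # NO closed: sensor demands the safe state


# Assumed analog encoding (Figure B.6): a resistor network in the sensor puts
# about 8 mA on the loop for the healthy state and about 16 mA for the trip
# state. 0 mA (wire break) or a saturated loop (short circuit) lies in neither band.
HEALTHY_BAND_MA = (7.0, 9.0)
TRIP_BAND_MA = (15.0, 17.0)


def supervise_analog(current_ma: float) -> str:
    """Figure B.6: map the measured loop current to a sensor state; any level
    outside both acceptable bands is an improper condition."""
    if HEALTHY_BAND_MA[0] <= current_ma <= HEALTHY_BAND_MA[1]:
        return OK
    if TRIP_BAND_MA[0] <= current_ma <= TRIP_BAND_MA[1]:
        return SAFE
    return FAULT


def safe_state_required(result: str) -> bool:
    """Both a genuine trip and an undiagnosable wiring condition end in the
    safe state; only a valid healthy reading (or a brief transition) does not."""
    return result in (SAFE, FAULT)
```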
Annex C
(informative)
Examples for the determination of safety integrity level SIL using the risk
graph method
C.1 General
Several International Standards can be used for determination of the required SIL/PL. For machinery,
EN 62061:2005 was developed to determine the SIL while EN 61511 (all parts) was developed to
determine the required SIL for process industry. Risk graph methods for determining the safety
integrity level SIL are given in both European Standards [EN 62061 and EN 61511 (all parts)]. In
addition, EN ISO 13849-1:2015 covers the determination of a performance level PL and also includes a
method to determine PL from SIL (EN ISO 13849-1:2015, Table 4).
A hazard and risk analysis shall be carried out for each hazard to the industrial furnace and associated
processing equipment (TPE). When describing the hazard, the cause of the hazardous situation shall
also always be stated. For example, an explosion in the furnace can be brought about by a wide variety
of causes such as overheating, excess fuel pressure, insufficient fuel/air ratio, etc. Each of these causes is
then assigned at least one safety-related function which then must reduce the resultant risk.
The required SIL/PL for each safety-related
...