SIST EN 13611:2008/kprA1:2011

SLOVENSKI STANDARD
SIST EN 13611:2008/oprA1:2010
01-februar-2010
Varnostne in nadzorne naprave za plinske gorilnike in plinske aparate - Splošne
zahteve - Dopolnilo A1
Safety and control devices for gas burners and gas burning appliances - General
requirements
Sicherheits-, Regel- und Steuereinrichtungen für Gasbrenner und Gasgeräte -
Allgemeine Anforderungen
Équipements auxiliaires pour brûleurs à gaz et appareils à gaz - Exigences générales
Ta slovenski standard je istoveten z: EN 13611:2007/prA1
ICS:
23.060.40 7ODþQLUHJXODWRUML Pressure regulators
27.060.20 Plinski gorilniki Gas fuel burners
SIST EN 13611:2008/oprA1:2010 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN 13611:2008/oprA1:2010

---------------------- Page: 2 ----------------------

SIST EN 13611:2008/oprA1:2010
EUROPEAN STANDARD
DRAFT
EN 13611:2007
NORME EUROPÉENNE
EUROPÄISCHE NORM
prA1
October 2009
ICS 23.060.40

English Version
Safety and control devices for gas burners and gas burning
appliances - General requirements
Equipements auxiliaires pour brûleurs à gaz et appareils à Sicherheits-, Regel- und Steuereinrichtungen für
gaz - Exigences générales Gasbrenner und Gasgeräte - Allgemeine Anforderungen
This draft amendment is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/TC 58.
This draft amendment A1, if approved, will modify the European Standard EN 13611:2007. If this draft becomes an amendment, CEN
members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for inclusion of this amendment
into the relevant national standard without any alteration.
This draft amendment was established by CEN in three official versions (English, French, German). A version in any other language made
by translation under the responsibility of a CEN member into its own language and notified to the CEN Management Centre has the same
status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to
provide supporting documentation.
Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and
shall not be referred to as a European Standard.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2009 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN 13611:2007/prA1:2009: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
Contents Page
Foreword .4
Annex J (normative) Method for the determination of a Safety integrity level (SIL) .6
J.1 Scope .6
J.2 Normative References .6
J.3 Terms and definitions .7
J.4 Symbols .8
J.5 Special requirements to determine a Safety Integrity Level (SIL) .8
J.5.1 Functional safety .8
J.5.2 Management of functional safety .9
J.5.2.1 Methods of fault prevention .9
J.5.2.2 Functional Safety Management System .9
J.5.2.3 Specification of safety requirements . 12
J.5.2.4 Design and development . 13
J.5.2.5 Integration . 13
J.5.2.6 Validation . 13
J.5.2.7 Operation and maintenance . 14
J.5.2.8 Information to the appliance manufacturer . 14
J.5.3 Software requirements . 14
J.5.4 Hardware requirements . 15
J.5.4.1 General . 15
J.5.4.2 Procedural approach . 20
J.5.4.3 Diagnostic measures and their maximum coverage. 21
J.5.4.4 Failure rates and failure modes . 22
J.5.4.5 Determination of common cause factors for complex systems . 27
J.5.4.6 Calculation of PFH . 28
D
Bibliography . 33

2

---------------------- Page: 4 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
Figures
Figure J.1 — Subsystem with basic architecture A – logical representation . 15
Figure J.2 — Subsystem with basic architecture C - logical representation . 16
Figure J.3 — Subsystem with basic architecture B - logical representation . 17
Figure J.4 — Subsystem with basic architecture D - logical representation . 17
Figure J.5 — Example of complex architecture: Burner control system (symbolized schematic) . 18
Figure J.6 — Example of a complex architecture: Reliability block diagram of a burner control system based
on segregation into function blocks . 19

Tables
Table J.1 —Diagnostic techniques . 21
Table J.2 — Diagnostic measures. 22
Table J.3 — Failure rates and failure modes . 23
Table J.4 — Scoring Electronics or sensors/actuators . 27
Table J.5 — Calculation of β . 28
Table J.6 — Requirements to the safe failure fraction of subsystems . 31
Table J.7 — Determination of the overall Safety Integrity Level (SIL) . 31

3

---------------------- Page: 5 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
Foreword
This document (EN 13611:2007/prA1:2009) has been prepared by Technical Committee CEN/TC 58 “Safety
and control devices for burners and appliances burning gaseous or liquid fuels”, the secretariat of which is
held by BSI.
This document is currently submitted to the CEN Enquiry.
This document has been prepared under a mandate given to CEN by the European Commission and the
European Free Trade Association, and supports essential requirements of EC Directive(s).
For relationship with EC Directive(s), see informative Annexes ZA and ZB, which are integral parts of this
document.
4

---------------------- Page: 6 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
Introduce the following modification to EN 13611:2007:

Foreword

th
Add the following wording after 11 paragraph of EN 13611:2007, Foreword:

Primarily in industrial applications it is common practice to rate the safety of a plant based on values describing
the likelihood of a dangerous failure. These values are being used to determine Safety Integrity Levels or
Performance Levels when the system is being assessed in its entirety.

CEN/TC58 standards for safety relevant controls do go beyond this approach, because for a certain life span
for which the product is specified, designed and tested a dangerous failure is not allowed at all. Failure modes
are described and assessed in greater detail. Measures to prevent from dangerous situations are defined.
Field experience over many decades is reflected in the CEN/TC 58 standards. Requirements of these
standards can be considered as proven in practice.

It can not be presumed that any Safety Integrity Level or Performance Level assessment alone would imply
that requirements of a CEN/TC 58 standard have been met.

To be able to provide parameters to allow for any formal Safety Integrity Level or Performance Level system
assessment the Annex J of this document defines a methodology to derive the relevant parameters from the
requirements of this standard.


Annex J:

Add the following informative Annex J "Special requirements to determine a Performance Level (PL) or a
Safety integrity level (SIL)" after the last Annex I and before the Annex ZA of EN 13611:2007.

5

---------------------- Page: 7 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
Annex J
(normative)

Method for the determination of a Safety integrity level (SIL)
J.1 Scope
This Annex is only applicable to controls for which the manufacturer specifies a SIL Level.
This Annex specifies a a set of additional requirements to EN 13611:2007 to determine the safety integrity
level (SIL) according to EN 61508 for electrical/electronic/programmable electronic control systems in
industrial and thermo processing applications classified as class B or class C according to EN 13611. The
highest safety integrity level according to the method used in this annex is SIL 3 maximum, independent of the
hardware architecture.
The current status of this document does only include requirements for controls operated in high demand or
continuous mode according to EN 61508-4:2001, 3.5.12.
J.2 Normative References
EN 61508-1:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems -
Part 1: General requirements (IEC 61508-1:1998 + Corrigendum 1999)
EN 61508-2:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (IEC 61508-
2:2000)
EN 61508-3:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 3: Software requirements (IEC 61508-3:1998 + Corrigendum 1999)
EN 61508-4:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 4: Definitions and abbreviations (IEC 61508-4:1998 + Corrigendum 1999)
EN 61508-6:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2000)
EN 61508-7:2001, Functional safety of electrical/electronic/programmable electronic safety-related systems —
Part 7: Overview of techniques and measures (IEC 61508-7:2000)
EN 62061:2005, Safety of machinery — Functional safety of safety-related electrical, electronic and
programmable electronic control systems (IEC 62061:2005)
EN ISO 9000:2005, Quality management systems - Fundamentals and vocabulary (ISO 9000:2005)
EN ISO 13849-1:2008, Safety of machinery - Safety-related parts of control systems — Part 1: General
principles for design (ISO 13849-1:2006)
IEC 61508-6:2000, Functional safety of electrical/electronic/programmable electronic safety-related systems -
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IEC 61508-6:2000)
IEC 72/766/CDV:2008, IEC 60730-1, Ed. 4: Automatic electrical controls for household and similar use —
Part 1: General requirements (IEC 60730-1:1999, modified + A1:2003, modified)
6

---------------------- Page: 8 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
1)
SN 29500-1:2004-01, Expected values, General
1)

SN 29500-1 H1:2008-02, Note 1 on Part 1: Expected values, General, Date of issue
1)

SN 29500-2:2004-12, Part 2: Expected values for integrated circuits
1)

SN 29500-3:2004-12, Part 3: Expected values for discrete semiconductors
1)

SN 29500-4:2004-03, Part 4: Expected values for passive components
1)

SN 29500-5:2004-06, Part 5: Expected values for electrical connections, electrical connectors and sockets
1)

SN 29500-7:2005-11, Part 7: Expected values for relays
1)

SN 29500-9:2005-11, Part 9: Expected values for switches and buttons
1)

SN 29500-10 :2005-12, Part 10: Expected values for signal and pilot lamps
1)

SN 29500-11:2007-07, Part 11: Expected values for contactors
1)

SN 29500-12 :2008-02, Part 12: Expected values for optical components
SN 29500-15:2008-02, Part 15: Expected values for electromechanical protection devices in low voltage

1)
networks
J.3 Terms and definitions
Shall be according to Clause 3 with the following addition:
J.2.1
common cause factor
ß
fraction of undetected failures that have a common cause (common cause factor)
[IEC 61508-6:2000, B.1]
J.2.2
failure modes and effects analysis
FMEA
analytical technique in which the failure modes of each hardware component are identified and examined for
their effects on the safety-related functions of the control
[IEC 72/766/CDV:2008, H.2.20.2]
J.2.3
failure modes, effects and diagnosis analysis
FMEDA
FMEA (refer to J.3.2) taking into account any automatic diagnostics to detect failures

1) Published by: Siemens AG, Corporate Technology, CT IRC LIS, Otto-Hahn-Ring 6, 81739 München,
Germany, phone: +49 (89) 636-40682, fax: +49 (89) 636-40688.

7

---------------------- Page: 9 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
J.2.4
common cause failure
failure, which is the result of one or more events, causing coincident failures of two or more separate
subsystems resulting in a failure of the control (function)
J.2.5
proof test interval
Interval between two proof tests
NOTE For further information refer to EN 61508-4:2001, 3.8.5.
J.2.6 diagnostic test interval
Interval between two automatic diagnostic tests which have a specified diagnostic coverage
NOTE For further information refer to EN 61508-4:2001, 3.8.7.
J.4 Symbols
fit  Failure in time (failure rate of components):
9 -9
 Number of components which fail within 10 hours of operation (1 fit = 10 1/h).
PFH Probability of dangerous failures per hour for continuous or high demand mode
D
λ Rate of dangerous failures per hour
D
λ Rate of undetected dangerous failures per hour
DU
λ Rate of detected dangerous failures per hour
DD
SFF Safe failure fraction
DC Diagnostic coverage
B Mean number of cycles until 10 % of electromechanical components fail dangerously
10d
 [EN ISO 13849-1]
J.5 Special requirements to determine a Safety Integrity Level (SIL)
J.5.1 Functional safety
This annex deals with the requirements resulting from EN 61508 and which apply in addition to the
requirements of EN 13611.
The hardware requirements of clause J.5.4 are based on EN 61508-2.
For software the requirements of IEC 72/766/CDV:2008, Annex H, which are based on EN 61508-3, apply.
The requirements are only applicable to controls performing safety-related control functions (class B or class
C). If the circuit of a device includes components which are not relevant for safety-related control functions,
only the absence of interaction with the safety-relevant components has to be considered.
8

---------------------- Page: 10 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
J.5.2 Management of functional safety
J.5.2.1 Methods of fault prevention
Methods of fault prevention shall be applied in all of the following phases:
 Specification of safety requirements
 Design and construction
 Implementation
 Integration of hardware and software
 Definition of operation and maintenance activities with respect to functional safety
The methods to avoid faults shall be based on a formal system, called Functional Safety Management
System.
J.5.2.2 Functional Safety Management System
J.5.2.2.1 General
The manufacturer of a control shall draw up and specify
 management and technical activities which are necessary to achieve the required functional safety of the
control;
 responsibilities applicable to persons, departments and organizations responsible for activities relating to
the development of a control.
The management activities shall include definitions of actions and responsibilities; scheduling and resource
allocation; training of relevant personnel; consistency checks after modifications.
NOTE For detailed examples refer to EN 61508-7:2001, B.1.1.
The management activities shall include procedures for periodic review and maintenance of the Functional
Safety Management System.
J.5.2.2.2 Documentation
The functional safety management system shall include requirements for the documentation of each activity or
procedure.
The documentation management shall consider the following aspects:
 Information to be documented
 Availability of documentation
 Accurate documentation
 Standardised documentation
 Company documentation structure
 Document revision index
9

---------------------- Page: 11 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
 Structured documentation
 Review of documentation
Documentation shall be structured. It shall use natural language and graphical descriptions, such as block
diagrams and flow diagrams. The use of contents check-lists is highly recommended.
NOTE For detailed examples refer to EN 61508-7:2001, B.1.2.
J.5.2.2.3 Functional safety plan
J.5.2.2.3.1 General
The functional safety management system shall include requirements to set up a functional safety plan for
each project. If certain requirements for the functional safety plan apply generally to any project, the relevant
measures and procedures may be part of the functional safety management system to be referred to by the
functional safety plan.
A functional safety plan shall be drawn up, documented and maintained to control the activities specified for
each control design project.
The activities resulting from J.5.2.2.3.2 shall be implemented and progress monitored.
The requirements developed as a result of J.5.2.2.3.2 shall be formally reviewed by the organizations
(EN ISO 9000:2005, 3.3.1) concerned, and agreement reached. The functional safety plan shall be updated
as necessary.
J.5.2.2.3.2 Requirements
The functional safety plan shall be implemented to ensure prompt follow-up and satisfactory resolution of
issues relevant to a control arising from:
 specification activities;
 design and development activities;
 integration activities;
 verification activities;
 validation activities;
 operation and maintenance activities.
If not already covered by the general requirements J.5.2.2.1, the functional safety plan shall in particular
include the following activities:
a) Selection of appropriate measures and techniques used to meet the requirements of this annex.
This includes references to guidelines and standards which have to be observed.
b) Identification of the relevant activities specified in J.5.2.3.
c) Identification of the policy and strategy to achieve specified functional safety requirements.
d) Identification of the strategy to achieve functional safety for the software procurement, development,
integration, verification, validation and modification.
10

---------------------- Page: 12 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
e) Identification of persons, departments or other units, and organizations (including, where relevant,
licensing authorities or safety regulatory bodies) that are responsible for carrying out and reviewing each
of the activities specified in J.5.2.3. All those persons specified as responsible for management of
functional safety activities shall be informed of the responsibilities assigned to them. Procedures shall be
defined to ensure that applicable parties involved in any activities are competent to carry out the activities
for which they are accountable, e.g. by training.
f) Definition of the way in which information is to be structured and the extent of the information to be
documented.
g) Identification and establishment of procedures to record and maintain information relevant to the
functional safety of a control. The procedures shall be based on the information which is related to the
activities described in J.5.2.3. The compilation of the information shall result in
 a functional requirements specification for the control;
 a safety requirements specification for the control.
h) Description of the procedures for functional safety assessment activities.
The plan for the functional safety assessment shall specify:
 those to undertake the functional safety assessment;
 the outputs from each functional safety assessment;
 the scope of the functional safety assessment;
NOTE In establishing the scope of the functional safety assessment, it will be necessary to specify the documents,
and their status, which are to be used as inputs for each assessment activity.
 the safety bodies involved;
 the resources required;
 the level of independence of those undertaking the functional safety assessment;
 the competence of those undertaking the functional safety assessment.
i) Establishment of a verification plan for all activities described in J.5.2.3. It shall include:
 details of when the verification shall take place;
 details of the persons, departments or units who shall carry out the verification;
 the selection of verification strategies and techniques;
 the selection and utilization of test equipment (including environment, tools, programs);
 the selection of verification activities;
 acceptance criteria; and
 the means to be used for the evaluation of verification results.
j) Establishment of a validation plan comprising:
 details of when the validation shall take place;
11

---------------------- Page: 13 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
 requirements against which the control is to be validated;
 the technical strategy for validation, for example analytical methods or statistical tests;
 the test environment, tools, configuration and programs;
 acceptance criteria; and
 action to be taken in the event of failure to meet the acceptance criteria.
The validation plan shall include all activities and methods during development, implementation and
integration, which are necessary to prove the control against its functional requirements specification and
its safety integrity requirements specification.
k) Description of the procedures for configuration management taking into account relevant technical and
organisational issues, such as authorized persons and internal structures of the organisation.
l) Description of the procedures for modifications on controls and the required approval procedures and
authorities for modifications. For software configuration management IEC 72/766/CDV:2008,
H.11.12.3.4.3 applies.
J.5.2.3 Specification of safety requirements
J.5.2.3.1 The specification shall be structured with a hierarchical separation into sub requirements; refined
down to functional level.
J.5.2.3.2 The safety requirements specification shall include a description of all safety-related control
functions.
For each safety-related control function the description shall
 provide comprehensive detailed requirements sufficient for the design and development of the control;
 include the manner in which the control is intended to achieve or maintain a safe state for the appliance;
 specify the relevant modes of operation (e.g. permanent / non-permanent operation of the appliance), and
other time related aspects to achieve or maintain a safe state of the application;
 specify whether the control operates the safety-related control function in high demand/continuous mode;
 define the safety integrity level (SIL) for each safety-related control function, if necessary.
J.5.2.3.3 The safety requirements specification for the control shall include appropriate requirements to
consider
 the boundary of the application and possible hazards (from process, environment, etc.);
 operation, functions, interfaces, special safety regulations and environment of the appliance;
 all hazards or hazardous events of the appliance, and all potential hazards for the application arising from
the control itself;
 safety requirements, safety-related control functions requirements and safety integrity requirements for
the control.
12

---------------------- Page: 14 ----------------------

SIST EN 13611:2008/oprA1:2010
EN 13611:2007/prA1:2009 (E)
J.5.2.3.4 The interfaces between safety-related control functions and non-safety-related control functions
shall be well-defined.
Safety-related control functions and non-safety-related control functions as well as safety-related control
functions with different safety integrity levels shall be implemented sufficiently independent, otherwise they
shall be implemented with the highest safety integrity level associated to a function.
During design, the method of achieving independence and the justification of the method shall be documented
to show independence between functions as required above.
J.5.2.3.5 For software safety requirements specification IEC 72/766/CDV:2008, H.11.12.3.2 applies.
J.5.2.3.6 The safety requirements specification shall be inspected by an independent person using a formal
procedure with correction of all faults found.
NOTE For detailed examples refer to EN 61508-7:2001, B.2.6.
J.5.2.4 Design and development
J.5.2.4.1 Hardware and, if applicable, software shall be split into easy comprehensible modules of limited
size, with each module functionally isolated.
NOTE For detailed examples refer to EN 61508-7:2001, B.3.2.
J.5.2.4.2 Design shall be based on semi-formal methods. The use of computer aided design tools is
recommended.
NOTE For detailed examples refer to EN 61508-7:2001, B.2.3 and B.3.5.
J.5.2.4.3 Common cause failures shall be considered during design and the related reviews.
J.5.2.4.4 For software design and development IEC 72/766/CDV:2008, H.11.12.3.2.3 applies.
J.5.2.5 Integration
J.5.2.5.1 During integration all functions shall be tested based on predefined test cases. These tests shall be
performed as a black-box tests under consideration of boundary values combined with critical cases.
These tests shall also cover diagnostic methods realized as software to detect hardware faults.
NOTE For detailed examples refer to EN 61508-7:2001, B.5.2.
J.5.2.5.2 For software integration IEC 72/766/CDV:2008, H.11.12.3.2.1 applies.
J.5.2.6 Validation
J.5.2.6.1 Validation activities shall be independent from design activities.
J.5.2.6.2 Validation shall make use of static analysis and dynamic analysis by using detailed diagrams
...