Method of risk analysis and recommendations for the use of electronics in systems for the control of gas burners and gas burning appliances

This European Prestandard specifies methods for the assessment of function blocks with regard to their fault behaviour and preventative measures. This European Prestandard covers control functions of electric and electronic controls that are used to prevent unsafe operation of gas burners and gas burning appliances.
NOTE 1: Function blocks which are not covered by dedicated control standards (see Annex A) are within the scope of this Prestandard.
NOTE 2: An electric or electronic device which contains a control function is based on the principle that it provides the same safety level as other technologies (e.g. mechanical solutions).

Risikobewertung und Empfehlungen bei der Anwendung von Elektronik in Systemen für Schutz-, Regel- und Steuerungseinrichtungen an Gasbrennern und Gasgeräten

This European Prestandard specifies the control functions of electric and electronic controls that are used to prevent unsafe operation of gas burners and gas burning appliances.
For this purpose, this European Prestandard specifies methods for the assessment of function blocks with regard to their fault behaviour and protective measures.
Function blocks which are not covered by the control standards dedicated to them (see Annex A) are within the scope of this standard.
An electric or electronic component which contains a control function is based on the principle that it provides the same safety level as other technologies (e.g. mechanical solutions).

Méthode d'analyse des risques et recommandations d'utilisation de l'électronique dans les systèmes de commande des brûleurs à gaz et appareils à gaz

This European Standard specifies the control functions of electric and electronic control devices that are used to prevent any risk of unsafe operation of gas burners and gas appliances.
To this end, this standard specifies methods for assessing function blocks with regard to their behaviour under fault conditions and the corresponding preventive measures.
Function blocks which are not covered by standards on control systems (see Annex A) fall within the scope of this standard.
An electric or electronic device containing a control function provides, in principle, the same level of safety as other technologies (for example mechanical solutions).

Metoda za oceno tveganja in priporočila pri uporabi elektronike v sistemih za nadzor plinskih gorilnikov in plinskih aparatov

General Information

Status: Withdrawn
Publication Date: 31-Dec-2003
Withdrawal Date: 27-Nov-2007
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 28-Nov-2007
Due Date: 21-Dec-2007
Completion Date: 28-Nov-2007

Standardization document
ENV 14459:2004
English language
22 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST ENV 14459:2004
01-January-2004
Metoda za oceno tveganja in priporočila pri uporabi elektronike v sistemih za
nadzor plinskih gorilnikov in plinskih aparatov
Method of risk analysis and recommendations for the use of electronics in systems for
the control of gas burners and gas burning appliances
Risikobewertung und Empfehlungen bei der Anwendung von Elektronik in Systemen für
Schutz-, Regel- und Steuerungseinrichtungen an Gasbrennern und Gasgeräten
Méthode d'analyse des risques et recommandations d'utilisation de l'électronique dans
les systèmes de commande des brûleurs à gaz et appareils à gaz
This Slovenian standard is identical to: ENV 14459:2002
ICS:
91.140.40 Gas supply systems
97.100.20 Gas heaters
SIST ENV 14459:2004 en,fr,de
2003-01. Slovenski inštitut za standardizacijo. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN PRESTANDARD
ENV 14459
PRÉNORME EUROPÉENNE
EUROPÄISCHE VORNORM
December 2002
ICS 91.140.40; 97.100.20
English version
Method of risk analysis and recommendations for the use of
electronics in systems for the control of gas burners and gas
burning appliances
Méthode d'analyse des risques et recommandations d'utilisation de l'électronique dans les systèmes de
commande des brûleurs à gaz et appareils à gaz
Risikobewertung und Empfehlungen bei der Anwendung von Elektronik in Systemen für Schutz-, Regel- und
Steuerungseinrichtungen für Gasbrenner und Gasgeräte
This European Prestandard (ENV) was approved by CEN on 16 October 2002 as a prospective standard for provisional application.
The period of validity of this ENV is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the ENV can be converted into a European Standard.
CEN members are required to announce the existence of this ENV in the same way as for an EN and to make the ENV available promptly
at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the ENV) until the final
decision about the possible conversion of the ENV into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,
Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2002 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. ENV 14459:2002 E

ENV 14459:2002 (E)
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Classification
5 Requirements
5.1 General
5.2 Classification
5.3 Construction
5.4 Performance requirements
5.5 EMC/Electrical requirements
5.6 Markings, operation and installation requirements
5.7 Alternative fault conditions
5.8 Combined apparatus
5.9 Multifunctional Systems
5.10 Data exchange
5.10.1 General
5.10.2 Type of data
5.10.3 Communication of safety related data
6 Assessment under fault conditions
6.1 General
6.2 Class A
6.3 Class B
6.4 Class C
7 Specific Requirements
7.1 Electronic combustion products discharge safety functions (TTB)
7.1.1 General
7.1.2 Construction requirements
7.1.3 Performance requirements
7.1.4 Declarations
7.1.5 Long term performance
7.2 Reset functions
7.2.1 General
7.2.2 Performance requirements
7.2.3 Long term performance
Annex A (informative) General risks in gas appliances handled by control functions
Annex B (informative) Control standards not within the scope of this prestandard (not exhaustive list)
Bibliography
Foreword
This document ENV 14459:2002 has been prepared by Technical Committee CEN/TC 58, "Safety and control
devices for gas-burners and gas-burning appliances", the secretariat of which is held by BSI.
This document supersedes ENV 1954:1996.
Annexes A and B are informative.
This document includes a Bibliography.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this European Prestandard: Austria, Belgium, Czech Republic, Denmark,
Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal,
Spain, Sweden, Switzerland and the United Kingdom.
Introduction
Control systems are designed to control and protect gas appliances and the combustion process. All functions are
performed depending on their safety relevance within a specific tolerance of measures and time and with a specific
certainty under external influences and internal failures.
Existing control standards are based on fault recognition up to 2 faults deep. It was concluded in controls
committees that it is not always needed to protect against the consequences of any hazardous event with uniform
measures as hazards differ in severity and also the probability of unwanted occurrence may differ. As there exist
large differences in interpretation on what level of protection is needed against certain hazards, there is a need for
guidance to bring the safety philosophy for gas appliances and controls in line. The discussions of different
committees regarding safety related control functions and the application of controls in the appliances show that it
is worthwhile to refine the basic safety philosophy of gas appliances into different risk levels.
For the evaluation of preventative measures concerning fault tolerance and avoidance of hazards it is essential to
classify control functions with regard to their fault behaviour. For the classification of control functions their
integration into the complete safety concept of the appliance should be taken into account.
For electronic controls covered by CEN/TC 58 consensus was reached by assuming 2 faults, including hardware
and software, that should result in a safe situation. Class C software is regarded equivalent to this 2 faults
assessment.
In the appliance standards only specific fault conditions are considered when controls complying with CEN/TC 58
standards are used, e.g. flame simulation and air proving before each new start. In some cases (e.g. switch
contacts) shorting is excluded when certain tests have proven that the probability of a fault occurrence is low. For
gas valves it is considered that a single valve is not sufficient.
Regarding protection against overheat of gas appliances reference is made to EN 60730-2-9. In case of electronic
temperature controls the safety philosophy is not on the same level as for controls covered by CEN/TC 58 (see e.g.
EN 483:2000, 5.6.7.6 where only fault conditions of the sensor are considered, however other hardware or software
faults are not considered). Actually the proper safety level for the control is not specified by the appliance
committees.
This prestandard will give the manufacturer and the test house a method for a safety check for new products in the
field of GAD for which no product standards are actually available.
The safety check is oriented on the controlled parameters (high/low temperature, pressure, flow) in the combustion
process and in the functionality of the controls (open/closed; lock/un-lock; start/stop). Each control function needs to
be classified concerning the safety aspect (Class A, B, C):
To analyse the effect of fault conditions it is essential to know the specific application and the related risk.
NOTE As a consequence of this, the appliance standard is supposed to describe the allowed behaviour of the appliance
under fault conditions (e. g. specifying testing under abnormal operating conditions; for examples see EN 60335-series,
clause 19 “Abnormal operation”). In order to evaluate the appliance on functional safety after inducing faults in safety relevant
components and circuits such a description should also contain operating conditions in such cases when the appliance
continues to operate to guide in judgements if remaining hazards or risks can be acceptable (examples are volatile lockout
instead of non-volatile lockout, cycling operation, extended safety time etc.).
This European Prestandard covers type testing only.
1 Scope
This European Prestandard specifies the control functions of electric and electronic controls that are used to
prevent unsafe operation of gas burners and gas burning appliances.
For this purpose this European Prestandard specifies methods for the assessment of function blocks with regards
to their fault behaviour and preventative measures.
Function blocks which are not covered by dedicated control standards (see annex A) are within the scope of this
prestandard.
An electric or an electronic device which contains a control function is based on the principle that it provides the
same safety level as other technologies (e.g. mechanical solutions).
2 Normative references
This European Prestandard incorporates by dated or undated reference, provisions from other publications. These
normative references are cited at the appropriate places in the text, and the publications are listed hereafter. For
dated references, subsequent amendments to or revisions of any of these publications apply to this European
Prestandard only when incorporated in it by amendment or revision. For undated references the latest edition of the
publication referred to applies (including amendments).
EN 13611:2000, Safety and control devices for gas burners and gas-burning appliances — General requirements.
EN 60730-1:2000, Automatic electrical controls for household and similar use - Part 1: General requirements (IEC
60730-1:1999, modified).
EN 60730-2-9, Automatic electrical controls for household and similar use — Part 2-9: Particular requirements for
temperature sensing controls (IEC 60730-2-9:2000, modified).
EN 61058-1, Switches for appliances — Part 1: General requirements (IEC 61058-1:2000 + A1:2001, modified).
3 Terms and definitions
For the purposes of this European Prestandard, the following terms and definitions apply.
NOTE Some of the following definitions are not yet used in the draft but are listed for clarification and for use during discussions.
3.1
control function
function providing safe operation of gas burners and gas burning appliances (examples see Table A.1)
3.2
function block
control function which is part of electric or electronic systems
NOTE This may include sensors, converters, actuators etc.
3.3
defined state
state of a system which is declared by the manufacturer for normal and abnormal operation (relevant failure mode
see e.g. EN 60730-1) with the following characterisation:
a) the system passively assumes a status in which the output terminals ensure a safe situation in all
circumstances. When the effect is lifted, the application should start-up in accordance with the appropriate
requirements; or
b) the system actively executes a protective action causing it to shut down and/or lock-out; or
c) the system remains in operation, continuing to satisfy all safety related functional requirements.
3.4
electronic combustion products discharge safety function (later on referred to as TTB)
control function causing at least shut down of the main burner when there is an unacceptable spillage of
combustion products at the draught diverter
[1.3.3.2.4 of EN 297:1994]
3.5
reset function
function which provides reset from lock-out to allow the system to attempt a restart. The reset function may be
performed by various electric/electronic (mobile) devices
3.6
failure
termination of the ability of an item to perform a required function
[191-14-01 of IEC 60050-191:1990]
3.7
degradation (of performance)
undesired departure in the operational performance of any device, equipment or system from its intended
performance
[161-11-19 of IEC 60050-161:1990]
NOTE The term "degradation" can apply to temporary or permanent failure.
3.8
fault
state of an item characterised by its inability to perform a required function, excluding the inability during preventive
maintenance or other planned actions, or due to lack of external resources [IEV 60191-05 01]
EXPLANATORY NOTE 1 „Failure“ is an event, as distinguished from „fault“, which is a state.
EXPLANATORY NOTE 2 After failure the item has a fault.
EXPLANATORY NOTE 3 This concept as defined does not apply to items consisting of software only.
EXPLANATORY NOTE 4 A fault is often the result of a failure of the item itself, but may exist without prior failure.
3.9
harm
physical injury and/or damage to health or property [see ISO/IEC Guide 51:1999]
3.10
hazard
potential source of harm
[ISO/IEC Guide 51:1999]
3.11
risk
probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
[ISO/IEC Guide 51:1999]
3.12
reasonably foreseeable misuse
use of a product, process or service under conditions or for purposes not intended by the supplier, but which may
happen, induced by the design of the product in combination with, or as result of, common human behaviour
[ISO/IEC Guide 51:1999]
3.13
functional safety
freedom from an unacceptable risk of harm due to the malfunctioning of the equipment or a system including that
resulting from reasonably foreseeable misuse
3.14
safety integrity
probability that an electric or electronic equipment will perform satisfactorily with regards to the safety functions
under all the stated conditions within a stated period of time
[IEC 61508-4:1998]
3.15
apparatus
single piece of equipment with (a) direct function(s) intended for final use
3.16
system
combination of apparatus and/or active components constituting a single functional unit and intended to be installed
and operated to perform (a) specific task(s)
NOTE 1 “Safety related systems“ are specifically “designed” equipment that both:
– implement the required safety functions necessary to achieve or maintain a safe state for a controlled equipment
– are intended to achieve, on their own or with other safety-related equipment or external risk reduction facilities, the
necessary safety integrity for the required safety requirements.
NOTE 2 Adapted from IEC 61508-4:1998, 3-4-1.
3.17
installation
combination of apparatuses, components and systems assembled and/or erected (individually) in a given area
For physical reasons (e. g. long distances between individual items) it is in many cases not possible to test an
installation as a unit.
3.18
fault tolerating time
time between the occurrence of a fault and the shut down of the burner (see Figure 1)
|<---------------------- Fault tolerating time ----------------------->|
|<----- Fault detection time ----->|<------ Fault reaction time ------>|
|----------------------------------|-----------------------------------|
Fault occurs                 fault flagged                     shut down
Figure 1 — Fault tolerating time
3.19
abnormal operation
operation of the appliance under the effect of internal failures or under the effect of foreseeable influences outside
the specified operational conditions
4 Classification
For the evaluation of preventative measures for fault tolerance and avoidance of hazards it is necessary to classify
control functions with regard to their fault behaviour.
When classifying control functions, their integration into the complete safety concept of the appliance shall be
taken into account.
For the purpose of evaluating the design of a control function, present requirements recognise three distinct
classes:
Class A: Control functions which are not intended to be relied upon for the safety of the application, however could
contribute to safety in combination with other control functions or safety measures;
NOTE Examples are: room thermostats, temperature control.
Class B: Control functions which are intended to prevent an unsafe state of the appliance. Failure of the control
function will not lead directly to a hazardous situation during normal operation;
NOTE Examples are: thermal limiter, pressure limiter.
Class C: Control functions which are intended to prevent
...
