EN 50402:2005

SLOVENSKI STANDARD
01-december-2005
(OHNWULþQHQDSUDYH]DRGNULYDQMHLQPHUMHQMHYQHWOMLYLKDOLVWUXSHQLKSOLQRYKODSRY
DOLNLVLND=DKWHYH]DIXQNFLRQDOQRYDUQRVWYJUDMHQLKVLVWHPRY]DRGNULYDQMHSOLQD
Electrical apparatus for the detection and measurement of combustible or toxic gases or
vapours or of oxygen - Requirements on the functional safety of fixed gas detection
systems
Elektrische Geräte für die Detektion und Messung von brennbaren oder toxischen Gasen
und Dämpfen oder Sauerstoff - Anforderungen an die funktionale Sicherheit von
ortsfesten Gaswarnsystemen
Matériel électrique pour la détection et la mesure des gaz ou vapeurs combustibles ou
toxiques, ou de l'oxygène - Exigences relatives à la fonction de sécurité des systèmes
fixes de détection de gaz
Ta slovenski standard je istoveten z: EN 50402:2005
ICS:
13.230 Varstvo pred eksplozijo Explosion protection
13.320 Alarmni in opozorilni sistemi Alarm and warning systems
29.260.20 (OHNWULþQLDSDUDWL]D Electrical apparatus for
HNVSOR]LYQDR]UDþMD explosive atmospheres
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 50402
NORME EUROPÉENNE
EUROPÄISCHE NORM August 2005
ICS 13.320
English version
Electrical apparatus for the detection and measurement of combustible
or toxic gases or vapours or of oxygen –
Requirements on the functional safety of fixed gas detection systems

Matériel électrique pour la détection et la Elektrische Geräte für die Detektion und
mesure des gaz ou vapeurs combustibles Messung von brennbaren oder toxischen
ou toxiques, ou de l'oxygène – Gasen und Dämpfen oder Sauerstoff –
Exigences relatives à la fonction Anforderungen an die funktionale
de sécurité des systèmes fixes Sicherheit von ortsfesten
de détection de gaz Gaswarnsystemen

This European Standard was approved by CENELEC on 2005-07-01. CENELEC members are bound to
comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and
notified to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden,
Switzerland and United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2005 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.

Ref. No. EN 50402:2005 E
Foreword
This European Standard was prepared by SC 31-9, Electrical apparatus for the detection and measurement of
combustible gases to be used in industrial and commercial potentially explosive atmospheres, of Technical
Committee CENELEC TC 31, Electrical apparatus for explosive atmospheres and by the Technical Committee
CENELEC TC 216, Gas detectors.
The text of the draft was submitted to the formal vote and was approved by CENELEC as EN 50402 on
2005–07-01.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2006-07-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2008-07-01
__________
– 3 – EN 50402:2005
Contents
Clause Page
Introduction.5
1 Scope .6
2 Normative references .7
3 Definitions.8
4 General requirements.12
4.1 Introduction .12
4.2 Functional safety characteristics of modules.13
5 Modules and elements - Characterisation and requirements .15
5.1 General requirements.19
5.2 Gas sampling.21
5.3 Sensor.23
5.4 Signal-transmission .24
5.5 Input of control unit .27
5.6 Signal processing in the control unit .29
5.7 Output of the control unit .32
6 Characterisation of safety requirement .35
6.1 General .35
6.2 Characterisation of safety function .36
6.3 Characterisation of safety integrity.37
6.4 Determination of SIL-capabilities for a safety function.38
6.5 Determination of hardware failure rates for a safety function .41
6.6 Safety performance requirements .42
7 Information requirements .42
7.1 Information delivered by the manufacturer of the gas detection system .42
7.2 Information delivered by the user of the gas detection system.43
8 Validation.43

Annex A (informative) Gas detection systems as part of a safety-related system .44
Annex B (normative) Transformation of the SIL-capabilities of gas detection systems .49
Annex C (normative) Transformation from generic standard requirements to modules .50
Annex D (normative) Management of functional safety.53
Annex E (informative) Determination of SIL-capability of a safety function of the gas detection system.55

Table 1 - Fault tolerance for complex modules according EN 61511-1, Table 5 .14
Table 2 - Fault tolerance for complex modules according EN 61508-2, Table 3 .14
Table 3 - Minimum hardware fault tolerance for simple modules according EN 61511-1, Table 6.15
Table 4 - Fault tolerance for simple modules according EN 61508-2, Table 2.15
Table 5 - Diagnostic measures for program sequence monitoring from EN 61508-2 .19
Table 6 - Diagnostic measures for memory from EN 61508-2.20
Table 7 - Determination of SIL-capability for a parallel chain block.40
Table B.1 - Transformation SIL-capability of EN 50402 to SIL of EN 61508.49
Table B.2 - Transformation SIL-capability of EN 50402 to Categories of EN ISO 13849-1 .49
Table E.1 - Determination of SIL-capability for a parallel chain block .57

Figure 1 - Definitions of measuring point, measuring group and measuring location.10
Figure 2 - Overview of safety-related system .16
Figure 3 - Modules of a gas detection system .18
Figure 4 - Implementation of a gas detection system in the overall safety life cycle (EN 61508-1: 7.1).36
Figure 5 - Single and parallel chains.38
Figure 6 – Handling of complex modules in a redundant structure .41
Figure A.1 - Functional safety of modules and systems (Proof test interval and mean time to repair (MTTR)
are not shown in the figure although they have to be included into the considerations) .47
Figure E.1 - Step 1 - Linkage of modules .55
Figure E.2 - Step 2 - Identification of modules necessary for the safety function.55
Figure E.3 - Step 3 - Elimination of modules and linkages without influence on the safety function.56
st
Figure E.4 - Step 4 (1 loop) - Summarising of single chains .56
st
Figure E.5 - Step 5 (1 loop) - Summarising of parallel chains .56
st
Figure E.6 - Step 6 (1 loop) - Adaptation of block diagram structure.58
nd
Figure E.7 - Step 4 (2 loop) - Summarising of single chains.58
nd
Figure E.8 - Step 5 (2 loop) - Summarising of parallel chains.58
nd
Figure E.9 - Step 6 (2 loop) - Adaptation of block diagram structure – No action required .58
rd
Figure E.10 - Step 4 (3 loop) - Summarising of single chains .58
rd
Figure E.11 - Step 5 (3 loop) - Summarising of parallel chains .59
rd
Figure E.12 - Step 6 (3 loop) - Adaptation of block diagram structure – No action required.59
th
Figure E.13 - Step 4 (4 loop) - Summarising of single chains – End of procedure.59
Figure E.14 - Step 1 - Linkages between modules for the example.60
Figure E.15 - Step 2 - Identification of modules with influence on the safety function.60
Figure E.16 - Step 3 - Elimination of modules and linkages without influence on the safety function .60
Figure E.17 - Step 4 - Summarising of single chains .61
Figure E.18 - Step 5 - Summarising of parallel chains – End of procedure.61
Figure E.19 - Step 2 - Identification of modules with influence on the safety function.61
Figure E.20 - Step 3 - Elimination of modules and linkages without influence on the safety function .62
st
Figure E.21 - Step 4 (1 loop) - Summarising of single chains .62
st
Figure E.22 - Step 5 (1 loop) - Summarising of parallel chains .62
st
Figure E.23 - Step 6 (1 loop) - Adaptation of block diagram structure – No action required .63
nd
Figure E.24 - Step 4 (2 loop) - Summarising of single chains – End of procedure .63

– 5 – EN 50402:2005
Introduction
This European Standard specifies requirements for functional safety of gas detection systems and
encompasses criteria for reliability, avoidance of faults and fault tolerance. Functional safety is that part of the
overall safety related to the measures within the gas detection system to avoid or to handle failures in such a
manner that the safety function will be assured. This includes not only design requirements of the gas
detection system but also information requirements for planning, putting into operation, maintenance and
repair.
Gas detection systems will fail to function if dangerous failures occur in the equipment used. Failure to
function will also occur if such systems are not installed or maintained in an appropriate manner. In some
applications failures of this type will dominate the functional safety achieved. This European Standard is only
targeted at reducing equipment failures to levels appropriate to the application. Users of gas detection
systems will therefore need to ensure installation and maintenance of such systems is carried out according
to requirements. This European Standard does not specify the physical positioning of sensors.
Gas detection systems may differ strongly in structure, complexity and performance. They may not be
handled in a uniform manner like low complexity devices. A general specification of requirements is not
possible on that basis.
Gas detection systems therefore need to be divided into functional modules for validation to ensure that
systems which have different structures are handled by appropriate procedures. A gas detection system will
not normally include all modules covered by this European Standard. Requirements are specified for each of
these modules in terms of hierarchical levels which represent one of the constituents of functional safety
performance. The hierarchical levels are termed as SIL-capabilities, with SIL-capability 1 representing the
minimum and SIL-capability 4 the maximum levels of performance to comply with this standard. The SIL-
capability of a module is related to the maximum safety integrity level that can be claimed for a safety function
which uses modules of that specified SIL-capability. Modules will be characterised in terms of the SIL-
capability. Information is also required on failure rate characteristics of modules or related physical
components to enable the overall performance of a gas detection system to be determined. In this way both
random failures of hardware components and systematic failures in hardware and software are taken account
of. The standard also specifies the requirements that will enable determination of whether the gas detection
system have a low enough failure rate when used in conjunction with other equipment necessary for
functional safety.
This European Standard will enable the functional safety characteristics of the gas detection system to be
determined from the characteristics of its modules and components (see Annex C). This will enable a gas
detection system to be used as a part of an overall safety system.
The characterisation including the determination of a SIL-capability and failure rate data will only need to be
carried out once for a particular design.
After characterisation of each module and component the properties of the whole gas detection system will
be specified depending on the chosen safety function. The procedure for determining the SIL-capability of the
safety function of a gas detection system will only need to be repeated for each new combination of modules
and components. Different combination of equivalent modules may lead to gas detection systems which
reach different SIL-capabilities.
A flexible adoption of the gas detection system to different applications will be possible without repeating all
steps of the validation procedure for each new configuration.
This European Standard does not include requirements for availability which will need to be considered
separately.
1 Scope
This European Standard is applicable to fixed gas detection systems for the detection and measurement of
1)
flammable or toxic gases or vapours or oxygen.
This European Standard supplements the requirements of the European Standards for electrical apparatus
for the detection and measurement of flammable gases, vapours (e.g. EN 61779 or EN 50241), toxic gases
(e.g. EN 45544) or oxygen (e.g. EN 50104).
NOTE 1 These European Standards will be mentioned in the text as "metrological standards".
NOTE 2 The examples above show the state of the standardisation for industrial applications at the time of publishing this European
Standard. There may be other metrological standards covering other application fields, for which this standard is also applicable.
NOTE 3 For fixed apparatus used for safety applications with a SIL requirement up to 1 and for portable apparatus the European
Standard EN 50271 may be applied instead of this European Standard.
Applying the above mentioned metrological standards will ensure the measuring performance is adequate in
normal operation of a gas detection system. Additionally the requirements of this European Standard address
the functional safety of gas detection systems and encompass criteria for reliability, fault tolerance and
avoidance of systematic faults.
This European Standard will lead to the characterisation of the gas detection system by a SIL-capability and
related hardware failure rate representing a hierarchical order of safety levels. This will allow the user to
incorporate the gas detection system into an overall safety system according to the safety integrity levels of
EN 61508 or the categories of EN ISO 13849-1 (see Annex B).
This European Standard is a product standard which is based on EN 61508 and includes additional
requirements of EN ISO 13849-1. It covers part of the phase 9 “realisation” of the overall safety lifecycle
defined in EN 61508-1.
This European Standard is applicable for gas detection systems, which may consist of the following functional
units:
− gas-sampling;
− sensor;
− signal transmission;
− input to control unit;
− signal processing in control unit;
− output from control unit.
This European Standard does not specify requirements for the installation and maintenance of gas detection
systems. It also does not specify the physical positioning of sensors.
This European Standard does not specify which SIL-capability is sufficient for which application.
NOTE 4 The SIL-capability required for an application will be specified by the user (see Annexes A and B).

1)
For the purpose of this standard the word ‘toxic’ covers ‘very toxic’, ‘toxic’, ‘harmful’, ‘corrosive‘, ‘irritating‘, ‘sensitising‘,
‘carcinogenic‘, ‘mutagenic‘ and ‘teratogenic‘.

– 7 – EN 50402:2005
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
2)
Safety of machinery – Safety related parts of control systems – Part 1: General
EN ISO 13849-1
principles of design (ISO 13849-1:1999)
EN 45544-1 1999 Workplace atmospheres - Electrical apparatus used for the direct detection and
direct concentration measurement of toxic gases and vapours
Part 1: General requirements and test methods
EN 45544-2 1999 Part 2: Performance requirements for apparatus used for measuring
concentrations in the region of limit values
EN 45544-3 1999 Part 3: Performance requirements for apparatus used for measuring
concentrations well above limit values
EN 45544-4 1999 Part 4: Guide for selection, installation, use and maintenance
EN 50073 1999 Guide for selection, installation, use and maintenance of apparatus for the
detection and measurement of combustible gases or oxygen
EN 50104 2002 Electrical apparatus for the detection and measurement of oxygen -
Performance requirements and test methods
EN 50241-1 1999 Specification for open path apparatus for the detection of combustible or toxic
gases and vapours
Part 1: General requirements and test methods
EN 50241-2 1999 Part 2: Performance requirements for apparatus for the detection of combustible
gases
EN 61508-1 2001 Functional safety of electrical / electronic / programmable electronic safety-
related systems
Part 1: General requirements (IEC 61508-1:1998)
EN 61508-2 2001 Part 2: Requirements for electrical/electronic/programmable electronic safety-
related systems (IEC 61508-2:2000)
EN 61508-3 2001 Part 3: Software requirements (IEC 61508-3:1998)
EN 61508-4 2001 Part 4: Definitions and abbreviations (IEC 61508-4:1998)
EN 61508-5 2001 Part 5: Examples of methods for the determination of safety integrity levels
(IEC 61508-5:1998)
EN 61508-6 2001 Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
(IEC 61508-6:2000)
EN 61508-7 2001 Part 7: Overview of techniques and measures (IEC 61508-7:2000)
EN 61511-1 2004 Functional safety – Safety instrumented systems for the process industry sector
Part 1: Framework, definitions, system, hardware and software requirements
(IEC 61511-1:2003)
EN 61779-1 2000 Electrical apparatus for the detection and measurement of flammable gases
Part 1: General requirements and test methods (IEC 61779-1:1998, mod.)
EN 61779-2 2000 Part 2: Performance requirements for group I apparatus indicating a volume
fraction up to 5 % methane in air (IEC 61779-2:1998, mod.)

2)
At draft stage.
EN 61779-4 2000 Part 4: Performance requirements for group II apparatus indicating a volume
fraction up to 100 % lower explosive limit (IEC 61779-4:1998, mod.)
EN 61779-5 2000 Part 5: Performance requirement for group II apparatus indicating a volume
fraction up to 100 % gas (IEC 61779-5:1998, mod.)
3 Definitions
For the purpose of this document the definitions given in EN 61779 and EN 61508-4 apply. Some definitions
are repeated for convenience. Some definitions from EN 61508-4 are adapted to gas detection.
3.1
functional safety (EN 61508-4: 3.1.9)
part of the overall safety relating to the equipment under control (EUC) and the EUC control system which
depends on the correct functioning of the electrical/electronic/programmable electronic safety-related
systems (E/E/PES), other technology safety-related systems and external risk reduction facilities
NOTE 1 The EUC is the equipment under control or the process that the gas detection system is assuring the safety of (EN 61508-4:
3.2.3).
NOTE 2 The EUC control system responds to input signals from the process and generates output signals causing the EUC to
operate in the desired manner (EN 61508-4: 3.3.4).
NOTE 3 The gas detection system is part of the E/E/PES.
3.2
safety function of a gas detection system
function (inclusive from gas sampling to output of the gas detection system) implemented by the gas
detection system to enable the safety-related system to achieve a safe state of the EUC
3.3
safety related part
any part, e. g. module or element, which is necessary to implement the required safety function of a gas
detection system
3.4
fault (EN 61508-4: 3.6.1)
abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a
required function
3.5
fault tolerance (EN 61508-4: 3.6.3)
ability of a functional unit to continue to perform a required function in the presence of faults or errors
3.6
SIL-capability
the SIL-capability is determined by the measures and techniques for avoidance and control of faults in both,
hardware and software. The SIL-capability number is a property of an element, a module, a combination of
modules or of one or several safety function(s) of a gas detection system. There are four different SIL-
capability numbers existing from 1 to 4, with SIL-capability 4 representing the highest level of safety
performance
3.7
module
modules form the functional units of a gas detection system. A module executes a defined part of the
functionality within the gas detection system. It consists of one or more elements
NOTE Modules may be simple or complex (see 4.2).

– 9 – EN 50402:2005
3.8
element
functional sub-unit of a module
NOTE The software or a part of it may be considered as an element.
3.9
component
the hardware of a gas detection system consists of components which are physically separable
subassemblies
NOTE Depending of the specific realisation an element of a functional module may belong to different hardware components.
3.10
periphery
components of the total system which do not belong to the gas detection system but are related with it
NOTE 1 See Figure 2.
NOTE 2 Periphery is not covered by this European Standard.
3.11
measuring point
location of a single sensor aspirated by diffusion or by a probe
NOTE See Figure 1.
3.12
measuring group
redundant combination of two measuring points belonging to one measuring location
NOTE See Figure 1.
3.13
measuring location
area containing one or more measuring points in which similar gas concentrations are expected
NOTE 1 See Figure 1.
NOTE 2 According to the definitions 3.11 to 3.13 it is possible that one sensor serves as a redundant partner for several other
sensors.
Location
Group
A
Point 1 Point 2
Group B Group C
Point 3
Figure 1 - Definitions of measuring point, measuring group and measuring location
3.14
measured signal
sensor signal in analogue or digital representation which may or may not be pre-amplified
3.15
measured value
processed measured signal including physical unit (e. g. % LEL). A measured value may be formed from a
single signal or a combination of several measurement signals. The combined measured signals may
represent different physical units, e. g. gas concentration and temperature
3.16
status signal
electrical signal which indicates operational states, switching status of devices, adherence of general
conditions (e. g. allowed temperature range or gas flow) within a module or to another module of the gas
detection system
3.17
alarm signal
electrical signal which indicates the alarm state of one or more measurement points. The alarm signal will be
processed either in the gas detection system (e. g. release of switching) or transmitted to the periphery
NOTE Alarm signals are handled separately from other signals because they are generally handled with higher priority.
3.18
special state
every state of a measurement point, module, control unit or the total gas detection system in which the
monitoring of gas concentration does not take place, e. g. put into operation, calibration mode or fault
condition
– 11 – EN 50402:2005
3.19
parameter
setting by the manufacturer or user which affect the operation of the software, e. g. changing of the alarm
thresholds or measuring ranges. Parameter options are included in the software during design of the gas
detection system. Changes of parameter settings are not modifications of the software. In the software
several different levels of permission to read or to change parameters may exist
3.20
minimum response time
value which is determined by the applicable metrological standards. In metrological standards the allowed
response times during type testing are given. If there are different requirements for the response time in
different applicable metrological standards the smallest value is the “minimum response time”
3.21
minimum deviation of indication
value which is determined by the applicable metrological standards. In metrological standards the allowed
tolerances for deviation of indication during type testing are given. If there are different requirements for the
tolerances in different applicable metrological standards the smallest tolerance is the “minimum deviation of
indication”.
The minimum deviation of indication is basis for the required resolution of measured signals which use digital
transmission and data processing to meet the requirements of the metrological standards when using digital
technologies
3.22
self testing facilities
test routines, e. g. memory check, which will be carried out within the gas detection system automatically and
repeated cyclically. These facilities may be carried out within a single module or check the interconnection or
co-operation between modules.
Self testing facilities are cyclically repeated test routines, which do not interrupt the measuring mode. Test
routines may also be carried out prior to operation, during start-up delay of a gas detection system before it
starts the measuring mode, carried out on user request or in calibration mode of single measurement points
or parts of the gas detection system
3.23
check
covers operational procedures, e. g. manual calibration, additional to self test facilities on user request
3.24
verification (EN 61508-4: 3.8.1)
confirmation by examination and provision of objective evidence that the requirements have been fulfilled
3.25
redundancy
existence of a means in addition to the means which would be sufficient to perform a required function
NOTE Redundancy is used to improve reliability and fault tolerance but may also be used to improve availability.
3.26
availability
the fraction of the time in the measuring mode in relation to the total time where the gas detection system is
either in measuring mode or in special state including repair
3.27
diffusion mode
mode in which the transfer of gas from the atmosphere to the gas sensing element takes place by diffusion,
i.e. there is no aspirated flow

3.28
aspiration mode
mode in which the transfer of gas from the atmosphere to the gas sensing element takes place by aspiration,
e. g. by a pump
4 General requirements
4.1 Introduction
The overall gas detection system may have both safety and non-safety functions. The SIL-capability may be
determined for one or several safety functions.
The safety requirement specification of a module or a gas detection system comprises three parts, safety
function, SIL-capability and hardware failure rate. This is addressed in Clauses 4 to 6.
Annex A gives guidance on the derivation of the safety requirement specification of a gas detection system
from the overall safety requirement specification.
In Clause 5 modules of the gas detection system will be defined according to function and for each SIL-
capability the requirements will be specified.
The modules described in Clause 5 show the range commonly encountered, but may not cover all technical
solutions. Requirements for new modules, not covered by this European Standard, shall be developed by
following Annex D of this European Standard.
The SIL-capability of a module is determined by the measures and techniques for avoidance and control of
faults in both, hardware and software. The SIL-capability number is a property of an element, a module, a
combination of modules or of one or several safety function(s) of a gas detection system. A module may have
one of four SIL-capabilities (1 to 4), with SIL-capability 4 representing the highest level of safety performance.
It is also a requirement of this European Standard to determine the hardware failure rates after dividing the
gas detection system into physical components.
Users should be able to determine the performance of an overall safety system that incorporates a gas
detection system in terms of safety integrity level (SIL) required according to EN 61508. This can be done if
the SIL-capability and associated hardware failure rate data is known for safety function of the gas detection
system and the equivalent data is known for the other equipment (periphery) required for functional safety
(see also A.3.2).
The SIL-capability of a module will also determine the compliance of the module in terms of category
according to EN ISO 13849-1.
There is in general no relationship between safety integrity levels in EN 61508 and categories in
EN ISO 13849-1. The requirements for modules in this European Standard have been derived by considering
the requirements in both of the above European Standards. Guidance on relationship between the SIL-
capability used in this European Standard and the Categories of EN ISO 13849-1 and the safety integrity
levels of EN 61508 is given in Annex B.
SIL-capability and hardware failure rate of a safety function of a gas detection system may be derived from
the SIL-capability of the modules and hardware failure rates of the components (see Clause 6 and Annex E).
NOTE 1 The assignment of a SIL-capability to a single module does not automatically imply that the same SIL-capability is valid for
the entire gas detection system.
NOTE 2 Different combinations of modules may result in a different SIL-capability for the chosen safety function of the entire gas
detection system.
NOTE 3 The same gas detection system may comply with the requirements for different SIL-capabilities depending on the safety
function chosen for the application.
NOTE 4 Alternatively the required SIL-capability for each module may be derived from the SIL-capability for the chosen safety
function of the gas detection system depending on the way in which modules are combined (see Annex A).

– 13 – EN 50402:2005
Determination of whether a specified safety function of the gas detection system together with other
equipment meets a specified safety integrity will also require consideration of the functional safety
characteristics of the other equipment (periphery) required for functional safety. Suitable procedures are
described in Clause 6.
The determination of SIL-capability for a module and hardware failure rate of a component need only be
carried out only once.
The determination of SIL-capability and hardware failure rate for the safety function of a gas detection system
shall be repeated for each new combination of modules and related components. The effect of all modules
and components belonging to the gas detection system shall be taken into account.
In addition to the functional safety of the gas detection system the availability and the avoidance of false
alarms are the most important selection criteria for the user to choose a suitable system for a specific
application.
This European Standard specifies requirements for the actions to be taken when failures are detected in the
modules. The gas detection system shall enter a predefined state after detecting failures.
EXAMPLE 1 To fulfil this requirement a shut down of the parts of the gas detection system affected by the failures
may be carried out. This may reduce the availability or give spurious activation.
EXAMPLE 2 In case of a loss of function or a failure in a redundant element it may be tolerable to operate in an
emergency mode for a limited period of time without redundancy provided the affected element is identified and
redundancy-loss is indicated within the gas detection system.
If means for increasing the availability are provided (e. g. by additional hardware or software), these functions
contained in the gas detection system shall be included in the tests according their relation to safety
relevance.
4.2 Functional safety characteristics of modules
This European Standard specifies for a number of modules the properties of safety related parts of a gas
detection system in respect of their resistance to faults and their subsequent behaviour in the fault condition
depending on the SIL capability claimed. There are four SIL-capabilities (numbered 1, 2, 3 and 4), SIL-
capabilities numbered higher than 1 include the requirements of the lower SIL-capability number unless
otherwise specified.
In Clause 5 the modules of the gas detection system are characterised as simple or complex and the
requirements are specified according to the SIL-capabilities.
Most modules have been characterised as either simple or complex. Where this is not the case or the
technical solution of a module differs from the characteristic in Clause 5 then characterisation shall be
determined according to the following criteria:
Modules with analogue data processing, and digital data processing where the user is unable to alter the
function of the software and only a few parameters (up to 10) can be adjusted, are presumed to be simple. All
other modules shall be handled as complex, e. g. modules that incorporate programmable systems with
limited or full variability software. Fault tolerance for all complex modules shall be in accordance with Table 1
or Table 2.
Table 1 - Fault tolerance for complex modules according EN 61511-1, Table 5
Minimum hardware fault tolerance
(see EN 61511-1, 11.4.2)
SIL-capability
Safe failure fraction Safe failure fraction Safe failure fraction
< 60 % 60 % to 90 % > 90 %
1 1 0 0
2 2 1 0
3 3 2 1
4 Special requirements apply - See EN 61508

Very similar is the approach of EN 61508-2 which is given in Table 2.
Table 2 - Fault tolerance for complex modules according EN 61508-2, Table 3
Minimum hardware fault tolerance
(see EN 61508-2, 7.4.3.1)
SIL-capability
Safe failure fraction Safe failure fraction Safe failure fraction Safe failure fraction
< 60 % 60 % to < 90 % 90 % to < 99 % ≥ 99 %
1 1 0 0 0
2 2 1 0 0
3 Not mentioned in 2 1 0
EN 61508-2
4 Not applicable Special requirements 2 1
apply - See EN 61508
For simple modules the minimum hardware fault tolerance according EN 61511-1 shall be as shown in
Table 3 provided that the dominant failure mode is to the safe state or dangerous failures are detected,
otherwise the fault tolerance shall be increased by one.
NOTE To establish whether the dominant failure mode is to the safe state it is necessary to consider each of the following:
− the process connection of the device;
− use of diagnostic information of the device to validate the process signal;
− use of inherent fail safe behaviour of the device (e. g. live zero signal, loss of power results in a safe state).
For all simple modules the minimum fault tolerance specified in may be reduced by one (as shown in the right
column of Table 3) if the modules used comply with all of the following:
− the hardware of the module is selected on the basis of prior use (see EN 61511-1, 11.5.3);
− the module allows adjustment of process-related parameters only, e. g. measuring range, upscale or
downscale failure direction, etc.;
− the adjustment of the process-related parameters of the module is protected, e. g. jumper, password;
− the function has a SIL requirement less than 4.

– 15 – EN 50402:2005
Table 3 - Minimum hardware fault tolerance for simple modules according EN 61511-1, Table 6
Minimum hardware fault tolerance Minimum hardware fault tolerance
SIL-capability
(see EN 61511-1, 11.4.3 and 11.4.4) reduced by one (see text above)
1 0 0
2 1 0
3 2 1
4 Special requirements apply - See EN 61508 Not applicable
The approach of EN 61508-2 taking into account the different safe failure fractions is shown in Table 4.
Table 4 - Fault tolerance for simple modules according EN 61508-2, Table 2
Minimum hardware fault tolerance
(see EN 61508-2, 7.4.3.1)
SIL-capability
Safe failure fraction Safe failure fraction Safe failure fraction Safe failure fraction
< 60 % 60 % to < 90 % 90 % to < 99 % ≥ 99 %
1 0 0 0 0
2 1 0 0 0
3 2 1 0 0
4 Not mentioned in 2 1 1
EN 61508-2
By complying with the requirements for simple or complex modules as described in Clause 5 a safe failure
fraction of 60 % - 90 % is assumed to be achieved. For specific modules described in Clause 5 a safe failure
fraction of 90 % - 99 % or ≥ 99 % is assumed to be achieved. Alternative arrangements are acceptable
provided the requirements in EN 61508 are complied with.
The requirements for a specified SIL-capability have been derived from the requirements in EN 61508
relating to the systematic requirements for the associated SIL. The fault tolerance requirements have been
derived from EN 61511-1 for the associated SIL. The requirements of EN ISO 13849-1 have also been
considered and included where appropriate in Clause 5.
5 Modules and elements - Characterisation and requirements
In this clause gas detection systems will be divided into functional modules, since those systems cannot be
described as stand-alone apparatus in general. The hardware design consisting of individual components
may be arranged in different ways. Therefore, modules are treated in this European Standard from the view
of their functionality within the gas detection system. Dependent on the respective realisation, components of
a functional module may therefore belong to different hardware-components.
NOTE A gas detection system need not necessarily include all modules presented in the following. Also a module need not include all
elements.
Subclause 5.1 includes general requirements for hardware and software. In 5.2 to 5.7 the modules of a gas
detection system are described and the requirements are defined in relation to the SIL-capabilities.
Figure 2 shows the integration of a gas detection system in a safety related system.

Periphery
Control unit A
Contr
...