1.5. Requirements in respect of safety-related devices
1.5.1. Safety devices must function independently of any measurement and/or control devices required for operation.
As far as possible, failure of a safety device must be detected sufficiently rapidly by appropriate technical means to ensure that there is only very little likelihood that dangerous situations will occur.
The fail-safe principle is to be applied in general.
Safety-related switching must in general directly actuate the relevant control devices without intermediate software command.
1.5.2. In the event of a safety device failure, equipment and/or protective systems shall, wherever possible, be secured.
1.5.3. Emergency stop controls of safety devices must, as far as possible, be fitted with restart lockouts. A new start command may take effect on normal operation only after the restart lockouts have been intentionally reset.
§ 168 Requirements in respect of safety-related devices
It should be noted that the text of clause 1.5 was written before standards in the EN 61508 series (and its derivatives) were written, which expand considerably on the “fail-safe principle”. European harmonised standard EN 50495 interprets the EN 61508 requirements in the context of clause 1.5 of the EHSRs of 2014/34/EU.
ATEX safety devices and control devices for non-ATEX related functions shall operate independently from each other. Therefore, the control device and safety device cannot be integrated in one single device, but may be mounted in a common enclosure.
The Directive defines a specific number of faults (according to Category – see section § 176) that have to be taken into account when evaluating protection systems. The “fail safe principle” means that the safety systems should function reliably even in the case of these faults and the equipment and/or protective systems should be secured to reduce the ignition risk to the required level.
See also section § 36 on safety devices, controlling devices and regulating devices as defined in Article 1(1)(b).