Functional Safety Components; Competence; Residual Risk; Intentional Misuse - ABB ACS880 User Manual

56 Maintenance
once a year. It is also a good practice to include the proof test for the safety function in the
routine maintenance program of the machinery.
The person responsible for the design of the complete safety system should also note the
Recommendation of Use CNB/M/11.050 published by the European co-ordination of Notified
Bodies for Machinery concerning dual-channel safety-related systems with electromechanical
outputs:
• When the safety integrity requirement for the safety function is SIL 3 or PL e (cat. 3 or
4), the proof test for the function must be done at least every month.
• When the safety integrity requirement for the safety function is SIL 2 (HFT = 1) or PL
d (cat. 3), the proof test for the function must be done at least every 12 months.
This is a recommendation and depends on the required (not achieved) SIL/PL. For example,
contactors, breakers, safety relays, contactor relays, emergency stop buttons, switches,
etc. are typically safety devices which have electromechanical outputs. The STO circuit of
the inverter unit does not have electromechanical outputs. Also, the FSO module does not
have electromechanical outputs.

Functional safety components

The mission time of functional safety components is 20 years which equals the time during
which failure rates of electronic components remain constant. This applies to the components
of the standard Safe torque off circuit as well as any modules, relays and, typically, any
other components that are part of functional safety circuits.
The expiry of mission time terminates the certification and SIL/PL classification of the safety
function. The following options exist:
• Renewal of the whole drive and all optional functional safety module(s) and components.
• Renewal of the components in the safety function circuit. In practice, this is economical
only with larger drives that have replaceable circuit boards and other components such
as relays.
Note that some of the components may already have been renewed earlier, restarting their
mission time. The remaining mission time of the whole circuit is however determined by its
oldest component.
Contact your local ABB service representative for more information.

Competence

The person who does the maintenance and proof test activities of the safety function must
be a competent person with expertise and knowledge of the safety function and functional
safety, as required by IEC 61508-1 clause 6.

Residual risk

The safety functions are used to reduce the recognized hazardous conditions. In spite of
this, it is not always possible to eliminate all potential hazards. Thus, the warnings for the
residual risks must be given to the operators.

Intentional misuse

The safety circuit is not designed to protect a machine against intentional misuse.