The requirement for category 4 is found under section 6.2.5 in the EN 954-1 regulations. The main requirement is:
Safety related components in the control system of category 4 shall be constructed so that:
- an individual fault in any of these safety related components does not lead to loss of the safety function, and
- the individual fault is detected at or before the next time the safety function is demanded, e.g. immediately, at start, at the end of a work cycle. If this is not possible, accumulation of faults shall not lead to loss of the safety function.

Category 4 implies that a random (stochastic) fault in the system should not lead to a safety function being left out, and the fault should be detected within one on-/off cycle for the safety function.
If the system can determine that a fault corresponds to a particular safety function, e.g. an input or output, the output is disconnected for the actual safety function. Remaining outputs, which are not affected by the fault, continue to function.
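
The behaviour described above, as an added sketch that is not taken from the original text or from any cited patent: two redundant channels are cross-checked per safety function, a disagreement switches off only that function's output, and the other outputs keep running. The class and function names, the latching of a detected fault, and the rule that an unattributable fault (here a failed self-test) switches off every output are assumptions made for illustration.

```python
# Added illustration; names, latching and the global-fault rule are assumptions.
from dataclasses import dataclass, field


@dataclass
class DualChannelMonitor:
    names: list                                # safety functions, one output each
    latched: set = field(default_factory=set)  # functions with a detected fault
    global_fault: bool = False                 # fault not tied to one function

    def scan(self, chan_a, chan_b, selftest_ok=True):
        """One cycle. chan_a / chan_b map name -> True when that channel reads
        the input as 'safe to run'. Returns name -> output energised."""
        if not selftest_ok:
            self.global_fault = True
        outputs = {}
        for name in self.names:
            a, b = chan_a[name], chan_b[name]
            if a != b:
                # Channels disagree: the fault belongs to this function only.
                self.latched.add(name)
            # Both channels must agree on 'safe', so one stuck channel
            # cannot keep the output energised on its own.
            outputs[name] = bool(a and b and name not in self.latched
                                 and not self.global_fault)
        return outputs


def demo():
    """Constructed sequence: channel B of 'guard_door' is stuck at True."""
    mon = DualChannelMonitor(["guard_door", "light_curtain"])
    ok = {"guard_door": True, "light_curtain": True}
    door_open = {"guard_door": False, "light_curtain": True}
    results = [mon.scan(ok, ok)]                      # 1: no fault, no demand
    results.append(mon.scan(door_open, ok))           # 2: demand, B stuck
    results.append(mon.scan(ok, ok))                  # 3: door closed again
    results.append(mon.scan(ok, ok, selftest_ok=False))  # 4: self-test fails
    return results


if __name__ == "__main__":
    for cycle, out in enumerate(demo(), 1):
        print(cycle, out)
```

In cycle 2 the stuck channel is detected at the moment the safety function is demanded, and the guard-door output stays off in cycle 3 even though both channels agree again.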
European patent application EP 748 762 relates to a safety system for flow control, in which two processors are arranged which control the flow. Each processor runs its own program, in the form of different “firmware”, and controls its own relay. If one of the relays is not controlled in the correct way, the processor linked to that relay ceases its control.