Huvudkatalog maskinsäkerhet Jokab

Category
The structure of the component(s) in the block is assessed to determine which category (B, 1-4) it corresponds to. In category 4, for example, a single fault does not lead to loss of the safety function. To achieve category 4 with contactors you need two channels, i.e. two contactors, each of which can cut the power to the machine on its own. The contactors must be monitored by connecting their opening contacts to a test input on, for example, a safety relay. For this monitoring to work, the contactors must have positively guided contacts.

Diagnostic Coverage (DC)
A simple method for determining DC is explained in Appendix E of EN ISO 13849-1. It lists various measures and the DC each of them corresponds to. For example, DC = 99 % (which corresponds to DC high) is achieved for a pair of contactors by monitoring them with the logic device.

Mean Time To dangerous Failure (MTTFd)
The MTTFd value should primarily come from the manufacturer. If the manufacturer cannot provide a value, it is taken from tables in EN ISO 13849-1, or you have to calculate MTTFd from the B10d value (the average number of cycles until 10 % of the components have suffered a dangerous failure). To calculate MTTFd you also need to know the average number of cycles per year that the component will execute.

The average number of cycles per year and the resulting MTTFd are calculated as follows:

$$n_{op} = \frac{d_{op} \cdot h_{op} \cdot 3600}{t_{cycle}}$$

$$MTTF_d = \frac{B_{10d}}{0.1 \cdot n_{op}}$$

where
nop = number of cycles per year
dop = operating days per year
hop = operating hours per day
tcycle = cycle time (seconds)

Example: dop = 365 days, hop = 24 hours and tcycle = 1,800 seconds (2 times/hour), which gives nop = 17,520 cycles. With B10d = 2·10⁶ this gives MTTFd = 1,141 years, which corresponds to MTTFd = high.

Note that when you calculate MTTFd you must use the total number of cycles the component will perform. A typical example is contactors that frequently serve several safety functions simultaneously. This means that you must add up the estimated cycles per year from all the safety functions that use the contactors.

When MTTFd is calculated from a B10d value, also note that if the MTTFd value is less than 200 years, the component must be replaced after 10 % of the MTTFd value (because of the T10d value). That is, a component with MTTFd = 160 years must be replaced after 16 years for the conditions for achieving the PL to remain valid. This is because EN ISO 13849-1 is based on a "mission time" of 20 years.

Common Cause Failure (CCF)
Appendix F of EN ISO 13849-1 contains a table of measures to be taken to protect against CCF, so that a single failure does not knock out both channels.

Systematic errors
Appendix G of EN ISO 13849-1 describes a range of measures to be taken to avoid introducing faults into your design.

PL for safety functions
PL is given in the table on the previous page. If you want to use an exact PFHD value instead, it can be obtained from a table in Appendix K of EN ISO 13849-1. Once you have determined the PL for each block, you can derive a total PL for the safety function using Table 11 of EN ISO 13849-1. This gives a rough estimate of the PL. If you have instead calculated PFHD for each block, you obtain the total PFHD for the safety function by adding together the values of all the blocks. The safety function's total PFHD corresponds to a particular PL in Table 3 of EN ISO 13849-1.

Requirements for safety-related software
If you use a safety PLC to implement safety functions, this places requirements on how the software is developed and validated. To avoid error conditions, the software should be readable, understandable, and possible to test and maintain. A software specification must be prepared so that you can check the functionality of the program. It is also important to divide the program into modules that can be tested individually. Paragraph 4.6 and Appendix J of EN ISO 13849-1 specify requirements for safety-related software.

The following are examples of software requirements from EN ISO 13849-1:
– A development life cycle must be defined, with validation measures that indicate how and when the program is to be validated, for example following a change.
– The specification and design must be documented.
– Function tests must be performed.
– Validated function blocks must be used whenever possible.
– Data and control flow are to be described using, for example, a condition diagram or software flow chart.

1 INTRODUCTION 1–15
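The MTTFd calculation in the section above, worked through as an added example (not code from the Jokab catalogue): it applies the nop and MTTFd formulas, sums the cycles of several safety functions that share the same contactors, bands the result into low/medium/high, and applies the T10d replacement rule against the 20-year mission time. The `Duty` class, the second operating profile and the band thresholds below are assumptions made for this example.

```python
from dataclasses import dataclass

MISSION_TIME_YEARS = 20  # EN ISO 13849-1 assumes a 20-year mission time

@dataclass
class Duty:
    """Operating profile of one safety function that uses the component (assumed helper)."""
    d_op: float      # operating days per year
    h_op: float      # operating hours per day
    t_cycle: float   # cycle time in seconds

    def n_op(self) -> float:
        # n_op = d_op * h_op * 3600 / t_cycle
        return self.d_op * self.h_op * 3600.0 / self.t_cycle

def total_cycles_per_year(duties) -> float:
    # Shared contactors: add the cycles of every safety function that uses them
    return sum(d.n_op() for d in duties)

def mttfd_years(b10d: float, n_op: float) -> float:
    # MTTFd = B10d / (0.1 * n_op)
    return b10d / (0.1 * n_op)

def mttfd_level(mttfd: float) -> str:
    # EN ISO 13849-1 bands: low 3 to <10 years, medium 10 to <30, high 30 and above
    if mttfd < 3:
        return "not acceptable"
    if mttfd < 10:
        return "low"
    if mttfd < 30:
        return "medium"
    return "high"

def replacement_years(mttfd: float):
    # T10d = 0.1 * MTTFd; replace at T10d when that is shorter than the mission time
    t10d = 0.1 * mttfd
    return t10d if t10d < MISSION_TIME_YEARS else None

def assess(b10d: float, duties) -> dict:
    n = total_cycles_per_year(duties)
    m = mttfd_years(b10d, n)
    return {"n_op": n, "mttfd": m, "level": mttfd_level(m), "replace_after": replacement_years(m)}

if __name__ == "__main__":
    # Catalogue example: 365 d, 24 h, 1800 s, B10d = 2e6 -> n_op 17520, MTTFd about 1141 years (high)
    print(assess(2e6, [Duty(365, 24, 1800)]))
    # Constructed case: the same contactors also serve a second, faster function (250 d, 16 h, 60 s)
    print(assess(2e6, [Duty(365, 24, 1800), Duty(250, 16, 60)]))
```

In the constructed second case the shared contactors see 257,520 cycles per year, MTTFd drops to about 78 years (still high), and T10d of roughly 7.8 years forces a replacement well inside the 20-year mission time.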
