Last edit: 23/10/2024
In Category 1, the same requirements as those for Category B apply; moreover, well-tried safety principles should be followed, if applicable. Additionally, Category 1 is the only one requiring the use of well-tried components. The Safety-related Block Diagram is the same as for Category B. There is no diagnostic coverage; CCF considerations are not relevant and the maximum PL achievable is PL c.
A fault can lead to the loss of the safety function; however, the MTTFD of a single channel in Category 1 is higher than in Category B and, consequently, the loss of the safety function is less likely.
Example of a Category 1 Input Subsystem: Interlocking Device
Let’s consider an electromechanical interlocking device, connected to a Safety Logic. When the door is opened, the interlocking device output system (a Voltage Free Contact) opens and the input to the safety logic is de-energised. The circuit structure is shown in Figure 2, while in Figure 3 the same input subsystem is represented as a Safety-related Block Diagram. The interlocking device has a B10D = 20·10^6 and it is supposed to open twice per hour.
Looking at the manufacturer’s datasheet, its Mission Time is 20 years and it should be protected by a max. 4 A fuse type gG, installed on the 24 Vdc line. That is important to avoid systematic failures: if the interlocking device output system is not properly protected from short circuits, all Reliability calculations have no real meaning. That is also the case for the maximum ambient temperature of 80°C stated by the manufacturer, or the maximum impulse voltage Uimp of 2,5 kV that the component can withstand. Those are just examples: in general, being a Category 1 subsystem, basic and well-tried safety principles must be applied.
Moreover, being a Category 1 subsystem, the components used should be well-tried, and that is the case here. The interlocking device is a “Switch with positive mode actuation” that complies with IEC 60947-5-1 and is therefore a well-tried component.
Let’s now focus on the probability of random failures.
- The first step is to calculate the MTTFD. We assume the machinery is working 240 days per year and eight hours per day.
However, since we are in Category 1, the subsystem MTTFD has to be limited to 100 years.
- Moreover, since this is Category 1, there are no diagnostics. That means we assume a DC < 60%.
- The last step is to refer to Table K.1 of ISO 13849-1 where, for Category 1 and MTTFD = 100 years, the PFHD = 1,14·10^-6. Finally, we verified that T10D is higher than the interlocking device mission time: that means the interlocking device can be used up to its mission time of 20 years.
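The steps above can be checked numerically. The following is an added example, not part of the original article: it applies the standard B10D relations of ISO 13849-1 (n_op = days × hours × operations per hour, MTTFD = B10D / (0.1 · n_op), T10D = B10D / n_op), the 100-year limit and the T10D check against the mission time. The function and field names are assumptions, and the second data set is constructed to show a device that must be replaced before its mission time.

```python
from dataclasses import dataclass

MTTFD_CAP_YEARS = 100.0  # Category 1 limit stated in the article


@dataclass
class Cat1Result:
    n_op: float          # operations per year
    mttfd_raw: float     # years, before the cap is applied
    mttfd: float         # years, value used for the PFHD lookup
    t10d: float          # years until 10 % of devices have failed dangerously
    usable_years: float  # replacement interval: min(T10D, mission time)


def evaluate_cat1(b10d, days_per_year, hours_per_day, ops_per_hour,
                  mission_time_years):
    """Evaluate a single-channel Category 1 subsystem from its B10D value."""
    inputs = (b10d, days_per_year, hours_per_day, ops_per_hour,
              mission_time_years)
    if min(inputs) <= 0:
        raise ValueError("all inputs must be positive")
    n_op = days_per_year * hours_per_day * ops_per_hour
    mttfd_raw = b10d / (0.1 * n_op)
    t10d = b10d / n_op
    return Cat1Result(
        n_op=n_op,
        mttfd_raw=mttfd_raw,
        mttfd=min(mttfd_raw, MTTFD_CAP_YEARS),
        t10d=t10d,
        usable_years=min(t10d, mission_time_years),
    )


if __name__ == "__main__":
    # Article's interlock: B10D = 20e6, 240 d/y, 8 h/d, 2 openings per hour.
    article = evaluate_cat1(20e6, 240, 8, 2, mission_time_years=20)
    # Constructed counter-case: lower B10D, continuous duty, 60 ops per hour.
    heavy = evaluate_cat1(2e6, 365, 24, 60, mission_time_years=20)
    for name, r in (("article", article), ("constructed", heavy)):
        print(f"{name}: n_op={r.n_op:.0f}/y  MTTFD={r.mttfd_raw:.1f} y "
              f"(used: {r.mttfd:.1f} y)  T10D={r.t10d:.1f} y  "
              f"replace after {r.usable_years:.1f} y")
```

For the article's data the uncapped MTTFD is far above 100 years, so the capped value of 100 years is the one taken to Table K.1, and T10D exceeds the 20-year mission time.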