Fagor DDS Series Hardware Manual page 325

9.11 Maintenance, repair and analysis of hazardous events
Mission times
Mission time is the period of time covering the intended use of the safety
functions.
Mission time of the STO
 Electromechanical components of the STO. The mission times of the
internal electromechanical safety relay of the Drive Enable and the main
external contactor - KM1 depend on their respective B10d · Mean No. of
cycles until 10 % of the components fail in a dangerous manner·.
 Wear depends on the nop. The electromechanical components of the
STO suffer deterioration from wear over time, according to the average
No. of annual operations (nop). Therefore, their mission time depends
on the real demand frequency.
 B10d value of the Drive Enable. The T. H9/1 indicates that the B10d
value of the Drive Enable is 10 000 000 cycles.
 B10d value of the - KM1 contactor. Depends on the - KM1 contactor
used. The values of the T. H9/1 have been calculated for a - KM1
contactor with a B10d of 1 300 000, which is the typical value given in
table C.1 of ISO 13849-1 for contactors with a rated load.
 Mission time as a function of B10d. According to EN ISO 13849-1, the
mission time is:
mission time = B10d / No. demands per year
Bear in mind that this formula is included in the SISTEMA tool, supplied
by IFA, that is very widely used.
 The mission time of the drive is the mission time of the Drive Enable,
i.e., 20 years, and is indicated in T. H9/1 , as long as it does not exceed
500 000 operations per year, or approximately one every minute. This
value is obtained from the formula.
 Mission time of the - KM1 contactor . The machine designer must
calculate the mission time of the - KM1 contactor, applying the previous
formula.
Expiration date
If the - KM1 contactor or the Drive Enable exceed their mission time, it is no
longer valid. The expiration date of the drive must be calculated by adding the
mission time to the date shown on the version label of the AXD/SPD. Do the
same with the - KM1 contactor. Write down these dates in the maintenance
plan of the installation. Once exceeded, the safety functions are no longer
valid.
Probabilities of dangerous failure. PFH and MTTFd
Bear in mind that PFH and MTTFd are theoretical values calculated from the
MTTFd of the components of the circuit and show the probability of failure.
This does not guarantee the mission time of a particular unit.
It is impossible to know the instant when a component is going to fail. Only
the probability of a failure to occur is known (PFH or MTTFd). When a channel
fails, the safety function is executed because there are two channels, but
failure accumulation over time that disable it must be avoided. That's why, the
safety functions must be demanded at least at each STO forced test interval
and also, after each demand, the external safety controller must run
plausibility check .
Analysis of hazardous events of the drive in the field
Fagor Automation monitors that field MTTFd are less than the theoretical
ones.
   Functional safety
9.
DDS
HARDWARE
Ref.1912
· 325 ·