Real-Time Measurement and Control

Hello I hope someone can be of some help.

I did just read the ISO 13849-1 and more standards.  To summarize, these standards are guides to achieve a performance level (PL), a higher PL will give you a lesser change your safety related part of your control system will fail e.g. a higher PL can be achieved with a redundant system, testing if the safety related part is still functioning as intended etc. A search on www will give more info on the standard. I did also read the IFA Report 2/2017e which is a excellent guide explaining how to implement safety.

For a new test-system I intend to use a cRIO Ni 9056. A few in/outputs will be used for the safety related part of the control system e.g. if a temperature gets too high this might be a sign of trouble ahead. Other IO will be used for logging non safety related parts e.g. room temperature.

Although there are some examples provided by Ni, suggesting you can use the cRIO for safety related designs, I was unable to find a white paper or a official howto, linking the performance levels described in the ISO 13849-1 to the Ni hardware. I did find this forum where some people tell they use the compact Rio for this purpose:

https://forums.ni.com/t5/Real-Time-Measurement-and/cRIO-in-safety-application/m-p/3613203 

It does not contain much detail however.

I hope someone can tell me how you can use the cRIO to achieve a certain performance level. I will try to explain whats not clear to me in the text below. 

the following picture shows a category 2 design (IFA report page 52)

A category 1 would not have the testing part, which is shown below the dotted line. The testing part could help to detect. The testequipment could be a separate watchdog (IFA).

Category 3 is depicted below. This can be done with two PLC's If two sensors need to measure the same value e.g. temperature and they both measure 30C its fine if one measures 200C and the other measures 20C then there will probably be an error. Great now I start to feel more secure! Melting of mother earth will not be in my diary!

But wait what about a CompactRIO. There are a few interpretations possible here the cRIO has a CPU and a FPGA. I could interpret:

1. The FPGA to be hardware, I could say it is software
2. The FPGA uses another compiler than is used for the CPU part, this could void the chance for systematic errors
3. I can use the IO from the same C-Module for L1 and L2, Or I could use a different C-module one module dedicated to the FPGA and the other C-module using DAQmx, which can use the ASIC of the cRIO and bypass the FPGA, I think this will work but I am not completely sure. 

before reinventing the wheel I though its best to ask on this forum what other people's thought's are on this subject. Has anyone seen a white paper describing the use of the cRIO for safety of machines related to standards? Or maybe someone did make a safety related system and is willing to share his/her thoughts?

thank you all for the great help!