In Part 1 of this series we explored Category B, the Basic Category that under­pins all of the other Categories.

This post builds on Part 1 by tak­ing a look at Category 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849–1. Remember that “SRP/​CS” stands for “Safety Related Parts of Control Systems”.

SRP/​CS of cat­e­gory 1 shall be designed and con­structed using well-​​tried com­po­nents and well-​​tried safety prin­ci­ples (see ISO 13849–2).

Well-​​Tried Components

So what, exactly, is a “Well-​​Tried Component”?? Let’s go back to the stan­dard for that:

A “well-​​tried com­po­nent” for a safety-​​related appli­ca­tion is a com­po­nent which has been either

a) widely used in the past with suc­cess­ful results in sim­i­lar appli­ca­tions, or
b) made and ver­i­fied using prin­ci­ples which demon­strate its suit­abil­ity and reli­a­bil­ity for safety-​​related applications.

Newly devel­oped com­po­nents and safety prin­ci­ples may be con­sid­ered as equiv­a­lent to “well-​​tried” if they ful­fil the con­di­tions of b).

The deci­sion to accept a par­tic­u­lar com­po­nent as being “well-​​tried” depends on the application.

NOTE 1 Complex elec­tronic com­po­nents (e.g. PLC, micro­proces­sor, application-​​specific inte­grated cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

Lets look at what this all means by ref­er­enc­ing ISO 13849–2:

Table A.3 — Well-​​Tried Components

OK, so now we have a few ideas about what might con­sti­tute a ‘well-​​tried com­po­nent’. Unfortunately, you will notice that ‘con­tac­tor’ or ‘relay’ or ‘limit switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­po­nents that you are choos­ing to use are con­structed. If they use these com­po­nents and tech­niques, you are on your way to con­sid­er­ing them to be well-​​tried.

Another approach is to let the com­po­nent man­u­fac­turer worry about the details of the con­struc­tion of the device, and sim­ply ensure that com­po­nents selected for use in the SRP/​CS are ‘safety rated’ by the man­u­fac­turer. This can work in 80–90% of cases, with a small per­cent­age of com­po­nents, such as large motor starters, some servo and step­per dri­ves and other sim­i­lar com­po­nents unavail­able with a safety rat­ing. It’s worth not­ing that many drive man­u­fac­tur­ers are start­ing to pro­duce dri­ves with built-​​in safety com­po­nents that are intended to be inte­grated into your SRP/​CS.

Exclusion of Complex Electronics

Note 1 from the first part of the def­i­n­i­tion is very impor­tant. So impor­tant that I’m going to repeat it here:

NOTE 1 Complex elec­tronic com­po­nents (e.g. PLC, micro­proces­sor, application-​​specific inte­grated cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

This lit­tle note is what pre­vents any safety sys­tem that incor­po­rates a stan­dard PLC from being con­sid­ered any­thing more than Category B, regard­less of redun­dancy and com­po­nent selec­tions for all other com­po­nents. Its also impor­tant to real­ize that this def­i­n­i­tion is only con­sid­er­ing the hard­ware — no men­tion of soft­ware is made here, and soft­ware is not dealt with until later in the standard.

Well-​​Tried Safety Principles

Let’s have a look at what ‘Well-​​Tried Safety Principles’ might be.

Table A.2 — Well-​​Tried Safety Principles

Use of Positive-​​Mode Operation

The use of these prin­ci­ples in the com­po­nents, as well as in the over­all design of the safe­guards is impor­tant. In devel­op­ing a sys­tem that uses ‘pos­i­tive mode oper­a­tion’, the mechan­i­cal link­age that oper­ates the elec­tri­cal con­tacts or the fluid-​​power valve that con­trols the prime-mover(s) (i.e. motors, cylin­ders, etc.), must act to directly drive the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will result in the inter­lock device stay­ing in the safe state (fail-​​safe or fail-​​to-​​safety).

CSA Z432 pro­vides us with a nice dia­gram that illus­trates the idea of “positive-​​action” or “positive-​​mode” operation:

CSA Z432-​​04 Fig B.10 — Positive Mode Operation

In Figure B.10, open­ing the guard door forces the roller to fol­low the cam attached to the door, dri­ving the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be dri­ven apart since the mechan­i­cal advan­tage pro­vided by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an exam­ple of a ‘neg­a­tive mode’ operation:

CSA Z432-​​04 Fig B.11 — Negative Mode operation

In Figure B.11, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-​​to-​​danger. Also note that this design is very easy to defeat. A ‘zip-​​tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ condition.

You should have a bet­ter idea of what is meant when you read about pos­i­tive and negative-​​modes of oper­a­tion now. We’ll talk about defeat resis­tance in another article.

Reliability

Combining what you’ve learned so far, you can see that cor­rectly spec­i­fied com­po­nents, com­bined with over-​​dimensioning and imple­men­ta­tion of design lim­its along with the use of well-​​tried safety prin­ci­ples will go a long way to improv­ing the reli­a­bil­ity of the con­trol sys­tem. The next part of the def­i­n­i­tion of Category 1 speaks to some addi­tional requirements:

The MTTF_d of each chan­nel shall be high.

The max­i­mum PL achiev­able with cat­e­gory 1 is PL = c.

NOTE 2 There is no diag­nos­tic cov­er­age (DC_avg = none) within cat­e­gory 1 sys­tems. In such struc­tures (single-​​channel sys­tems) the con­sid­er­a­tion of CCF is not relevant.

NOTE 3 When a fault occurs it can lead to the loss of the safety func­tion. However, the MTTF_d of each chan­nel in cat­e­gory 1 is higher than in cat­e­gory B. Consequently, the loss of the safety func­tion is less likely.

We now know that the con­trol reli­a­bil­ity is bet­ter with a Category 1 sys­tem than with a B, since the MTTF_d of the sys­tem has gone from a max­i­mum of ‘b’ to ‘c’. PL_c >= 10^–6 to < 3 x 10^–6 fail­ures per hour. This is a pretty good result for sim­ply improv­ing the com­po­nents used in the system!

To get a han­dle on what PL_c means, let’s look at our sin­gle and three shift exam­ples again. If we take a Canadian oper­a­tion with a sin­gle shift per day, and a 50 week work­ing year we get:

7.5 h/​shift x 5 d/​w x 50 w/​a = 1875 h/​a

In this case, PL_c is equiv­a­lent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of operation.

Looking at three shifts per day in the same oper­a­tion gives us:

7.5 h/​shift x 3 shifts/​d x 5 d/​w x 50 w/​a = 5625 h/​a

In this case, PL_c is equiv­a­lent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of operation.

Remember that these are prob­a­bil­i­ties, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or never. These fig­ures sim­ply pro­vide a way for you as the designer to gauge the rel­a­tive reli­a­bil­ity of the system.

Well-​​Tried Components ver­sus Fault Exclusions

The stan­dard goes on to out­line some key dis­tinc­tions between ‘well-​​tried com­po­nent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions later in the series.

It is impor­tant that a clear dis­tinc­tion between “well-​​tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-​​tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-​​tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tional mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

• means to secure the fix­ing of the switch after its adjustment,
• means to secure the fix­ing of the cam,
• means to ensure the trans­verse sta­bil­ity of the cam,
• means to avoid over travel of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
• means to pro­tect it against dam­age from outside.

System Block Diagram

Finally, Here is the block dia­gram for Category 1, which looks the same as that for Category B, since only the com­po­nents used in the sys­tem have changed, and not the architecture.

ISO 13849–1 Figure 9 — Category 1 Block Diagram

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

• ISO 13849–1:2006 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design
• ISO 13849–2:2003 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 2: Validation
• ISO TR 13849–100:2000 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 100: Guidelines for the use and appli­ca­tion of ISO 13849–1

Download IEC stan­dards, International Electrotechnical Commission standards.

If you are work­ing in the EU, or are work­ing on CE Marking your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard, avail­able through the CEN resellers:

EN ISO 13849–1:2008 Safety of machin­ery — Safety-​​related parts of con­trol sys­tems — Part 1: General prin­ci­ples for design

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2″ where we expand on the first two cat­e­gories by adding some diag­nos­tic cov­er­age to improve reliability.

Have ques­tions? Email me!

Copyright secured by Digiprove © 2011–2012Some Rights Reserved