Interlock Architectures — Pt. 1: What do those categories really mean?

What do those categories really mean?

The architectures used as the basis of interlock design and analysis have a long history. Two basic forms existed in the early days: the ANSI categories and the CSA variant, and the CEN forms.

The ANSI/CSA architectures were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED, and CONTROL RELIABLE. The basic system arose in the ANSI/RIA R15.06 1992 standard and was used until 2014. The CSA variant used the same names as the ANSI version but made a small differentiation in the CONTROL RELIABLE category. This differentiation was very subtle and was often completely misunderstood by readers. This system was introduced in Canada in CSA Z434-1994 and was discontinued in 2016. This system of safety-related control system architecture categories is no longer used in any jurisdiction.

And then there was EN 954-1

In 1996 CEN published an important standard for machine builders — EN 954-1, “Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design” [1]. This standard set the stage for defining control reliability in machinery safeguarding systems, introducing the Reliability categories that have become ubiquitous. So what do these categories mean, and how are they applied under the latest machinery functional safety standard, ISO 13849-1 [2]?

Circuit Categories

The categories are used to describe system architectures for safety-related control systems. Each architecture carries with it a range of reliable performance that can be related to the degree of risk reduction you are expecting to achieve with the system. These architectures can be applied equally to electrical, electronic, pneumatic, hydraulic or mechanical control systems.

Historical Circuits

Early electrical ‘master-control-relay’ circuits used a simple architecture with a single contactor, or sometimes two, and a single channel style of architecture to maintain the contactor coil circuit once the START or POWER ON button (PB2 in Fig. 1) had been pressed. Power to the output elements of the machine controls was supplied via contacts on the contactor, which is why it was called the Master Control Relay or ‘MCR’. The POWER OFF button (PB1 in Fig. 1) could be labeled that way, or you could make the same circuit into an Emergency Stop by simply replacing the operator with a red mushroom-head push button. These devices were usually spring-return, so to restore power, all that was needed was to push the POWER ON button again (Fig. 1).

Figure 1 — Basic Stop/Start Circuit
Allen-Bradley 700PK Heavy Duty Contactor

Typically, the components used in these circuits were specified to meet the circuit conditions, but not more. Controls manufacturers brought out over-dimensioned versions, such as Allen-Bradley’s Bulletin 700-PK contactor which had 20 A rated contacts instead of the standard Bulletin 700’s 10 A contacts.

When interlocked guards began to show up, they were integrated into the original MCR circuit by adding a basic control relay (CR1 in Fig. 2) whose coil was controlled by the interlock switch(es) (LS1 in Fig. 2), and whose output contacts were in series with the coil circuit of the MCR contactor. Opening the guard interlock would open the MCR coil circuit and drop power to the machine controls. Very simple.

Figure 2 — Old-School Start/Stop Circuit with Guard Relay
Typical ice-cube style relay

‘Ice-cube’ style plug-in relays were often chosen for CR1. These devices did not have ‘force-guided’ contacts in them, so it was possible to have one contact in the relay fail while the other continued to operate properly.

LS1 could be any kind of switch. Frequently a ‘micro-switch’ style of limit switch was chosen. These snap-action switches could fail shorted internally, or weld closed, and the actuator would continue to work normally even though the switch itself had failed. These switches are also ridiculously easy to bypass. All that is required is a piece of tape or an elastic band and the switch is no longer doing its job.

Micro-Switch style limit switch used as a cover interlock switch in a piece of industrial laundry equipment

The problem with these circuits is that they can fail in a number of ways that aren’t obvious to the user, with the result being that the interlock might not work as expected, or the Emergency Stop might fail just when you need it most.

Modern Circuits

Category B

These original circuits are the basis for what became known as ‘Category B’ (‘B’ for ‘Basic’) circuits. Here’s the definition from the standard. Note that I am taking this excerpt from ISO 13849-1:2007 (Edition 2). “SRP/CS” stands for “Safety Related Parts of Control Systems”:

6.2.3 Category B
The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application to withstand

  • the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,
  • the influence of the processed material, e.g. detergents in a washing machine, and
  • other relevant external influences, e.g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.

There is no diagnostic coverage (DCavg = none) within category B systems and the MTTFd of each channel can be low to medium. In such structures (normally single-channel systems), the consideration of CCF is not relevant.

The maximum PL achievable with category B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety function.

Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. IEC 61800-3 for power drive systems. For functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of IEC 61000-6-2 should be followed.

The standard also provides us with a nice block diagram of what a single-channel system might look like:

ISO 13849-1 Category B Designated Architecture

If you look at this block diagram and the Start/Stop Circuit with Guard Relay above, you can see how this basic circuit translates into a single channel architecture, since from the control inputs to the controlled load you have a single channel. Even the guard loop is a single channel. A failure in any component in the channel can result in loss of control of the load.

Let’s look at each part of this requirement in more detail, since each of the subsequent Categories builds upon these BASIC requirements.

“The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application…”

Basic Safety Principles

We have to go to ISO 13849-2 to get a definition of what Basic Safety Principles might include. Looking at Annex A.2 of the standard we find:

Table A.1 — Basic Safety Principles (each entry gives the principle, then the remarks from the standard)

Use of suitable materials and adequate manufacturing: Selection of material, manufacturing methods and treatment in relation to, e.g. stress, durability, elasticity, friction, wear, corrosion, temperature.

Correct dimensioning and shaping: Consider e.g. stress, strain, fatigue, surface roughness, tolerances, sticking, manufacturing.

Proper selection, combination, arrangements, assembly and installation of components/systems: Apply manufacturer’s application notes, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components/systems.

Use of de-energisation principle: The safe state is obtained by release of energy. See primary action for stopping in EN 292-2:1991 (ISO/TR 12100-2:1992), 3.7.1. Energy is supplied for starting the movement of a mechanism. See primary action for starting in EN 292-2:1991 (ISO/TR 12100-2:1992), 3.7.1. Consider different modes, e.g. operation mode, maintenance mode. This principle shall not be used in special applications, e.g. to keep energy for clamping devices.

Proper fastening: For the application of screw locking consider manufacturer’s application notes. Overloading can be avoided by applying adequate torque loading technology.

Limitation of the generation and/or transmission of force and similar parameters: Examples are break pin, break plate, torque limiting clutch.

Limitation of range of environmental parameters: Examples of parameters are temperature, humidity, pollution at the installation place. See clause 8 and consider manufacturer’s application notes.

Limitation of speed and similar parameters: Consider e.g. the speed, acceleration, deceleration required by the application.

Proper reaction time: Consider e.g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.

Protection against unexpected start-up: Consider unexpected start-up caused by stored energy and after power supply restoration for different modes as operation mode, maintenance mode etc. Special equipment for release of stored energy may be necessary. Special applications, e.g. to keep energy for clamping devices or ensure a position, need to be considered separately.

Simplification: Reduce the number of components in the safety-related system.

Separation: Separation of safety-related functions from other functions.

Proper lubrication: (no remarks given in the table)

Proper prevention of the ingress of fluids and dust: Consider IP rating [see EN 60529 (IEC 60529)].

As you can see, the basic safety principles are pretty basic — select components appropriately for the application, consider the operating conditions for the components, follow manufacturer’s data, and use de-energization to create the stop function. That way, a loss of power results in the system failing into a safe state, as does an open relay coil or set of burnt contacts.

“…the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,”

Specify your components correctly with regard to voltage, current, breaking capacity, temperature, humidity, dust, …

“…other relevant external influences, e.g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.”

“Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. IEC 61800-3 for power drive systems. For functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of IEC 61000-6-2 should be followed.”

Probably the biggest ‘gotcha’ in this point is “electromagnetic interference”. This is important enough that the standard devotes a paragraph to it specifically. I added the bold text to highlight the idea of ‘functional safety’. You can find other information in other posts on this blog on that topic. If your product is destined for the European Union (EU), then you will almost certainly be doing some EMC testing, unless your product is a ‘fixed installation’. If it’s going to almost any other market, you probably are not undertaking this testing. So how do you know if your design meets these criteria? Unless you test, you don’t. You can make some educated guesses based on using sound engineering practices, but after that you can only hope.

Diagnostic Coverage

“…There is no diagnostic coverage (DCavg = none) within category B systems…”

Category B systems are fundamentally single-channel. A single fault in the system will lead to the loss of the safety function. This sentence refers to the concept of “diagnostic coverage” that was introduced in ISO 13849-1:2007, but what this means in practice is that there is no monitoring or feedback from any critical elements. Remember our basic MCR circuit? If the MCR contactor welded closed, the only diagnostic was the failure of the machine to stop when the emergency stop button was pressed.
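To make the single-channel point from the block diagram and this paragraph concrete, here is an added fault-injection model (my own example, not code from the post or from any standard). It wires up the Start/Stop Circuit with Guard Relay of Figure 2 as relay logic in Python, using the post’s component names PB1, PB2, LS1, CR1 and MCR, and then injects one component fault at a time. The circuit model, the fault names “welded” (contact stuck closed) and “open” (contact stuck open or burnt), and the helper functions are assumptions made here for illustration. There is no feedback or monitoring anywhere in the model, which is exactly the DCavg = none situation: a welded contact changes nothing until the stop function is demanded and does not happen.

```python
"""Single-channel (Category B style) Start/Stop circuit with guard relay,
modelled for single-fault injection.  Added example; component names follow
Figures 1 and 2 of the post, the model itself is an assumption."""
from typing import Dict, List, Optional, Tuple

Faults = Dict[str, str]   # component name -> "welded" (stuck closed) or "open"


class SingleChannelCircuit:
    """Relay-logic model of Figure 2: LS1 drives CR1's coil; CR1's contact sits in
    the MCR coil circuit together with PB1 (NC stop), PB2 (NO start) and the MCR
    seal-in contact.  Machine outputs are fed through the MCR main contacts."""

    def __init__(self, faults: Optional[Faults] = None) -> None:
        self.faults = faults or {}
        self.cr1_energised = False
        self.mcr_energised = False

    def _contact(self, name: str, healthy: bool) -> bool:
        """A contact passes current according to its healthy state unless faulted."""
        fault = self.faults.get(name)
        if fault == "welded":
            return True          # stuck closed: passes current whatever the coil does
        if fault == "open":
            return False         # stuck open or burnt: never passes current (fail-safe)
        return healthy

    def scan(self, guard_closed: bool, stop_pressed: bool, start_pressed: bool) -> bool:
        """Evaluate the ladder once; returns True if the machine outputs are powered."""
        # Guard loop: LS1 closes CR1's coil circuit while the guard is shut.
        self.cr1_energised = self._contact("LS1", guard_closed)
        # MCR coil: PB1 (NC) in series with (PB2 OR seal-in) in series with CR1's contact.
        pb1 = self._contact("PB1", not stop_pressed)
        seal_in = start_pressed or self._contact("MCR_seal", self.mcr_energised)
        cr1 = self._contact("CR1", self.cr1_energised)
        self.mcr_energised = pb1 and seal_in and cr1
        # Output power flows through the MCR's main contacts.
        return self._contact("MCR_main", self.mcr_energised)


def exercise(faults: Optional[Faults] = None) -> Dict[str, bool]:
    """Run both stop functions and a power-restoration check against one fault set."""
    circuit = SingleChannelCircuit(faults)
    # Power restored with nobody pressing PB2: outputs must stay off (no unexpected start-up).
    unexpected_start = circuit.scan(guard_closed=True, stop_pressed=False, start_pressed=False)
    circuit.scan(guard_closed=True, stop_pressed=False, start_pressed=True)      # press POWER ON
    runs = circuit.scan(guard_closed=True, stop_pressed=False, start_pressed=False)  # seal-in holds
    guard_stops = not circuit.scan(guard_closed=False, stop_pressed=False, start_pressed=False)

    circuit = SingleChannelCircuit(faults)    # fresh start for the emergency stop demand
    circuit.scan(True, False, True)
    circuit.scan(True, False, False)
    estop_stops = not circuit.scan(guard_closed=True, stop_pressed=True, start_pressed=False)
    return {"runs": runs, "guard_stops": guard_stops,
            "estop_stops": estop_stops, "unexpected_start": unexpected_start}


def dangerous_single_faults() -> List[Tuple[str, str]]:
    """Every single fault that defeats a stop function or causes an unexpected start.
    Nothing in the circuit detects any of them; they surface only on demand."""
    components = ["PB1", "MCR_seal", "CR1", "LS1", "MCR_main"]
    dangerous = []
    for name in components:
        for fault in ("welded", "open"):
            result = exercise({name: fault})
            if not result["guard_stops"] or not result["estop_stops"] or result["unexpected_start"]:
                dangerous.append((name, fault))
    return dangerous


if __name__ == "__main__":
    print("no faults:", exercise())
    for component, fault in dangerous_single_faults():
        print(f"{component} {fault}: {exercise({component: fault})}")
```

Run as a script it shows that every “open” fault is benign (the machine simply will not run, which is the de-energisation principle from Table A.1 doing its job) while every “welded” fault is dangerous: a welded MCR main contact defeats both the guard and the emergency stop, a welded CR1 contact or LS1 defeats only the guard, a welded PB1 defeats only the emergency stop, and a welded seal-in contact restarts the machine as soon as power returns.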

Component Failure Rates

“…the MTTFd of each channel can be low to medium.”

This part of the statement is referring to another new concept from ISO 13849-1:2007, “MTTFd”. Standing for “Mean Time to Failure Dangerous”, this concept looks at the expected failure rates of the component in hours. Calculating MTTFd is a significant part of implementing the new standard. From the perspective of understanding Category B, what this means is that you do not need to use high-reliability components in these systems.

Common Cause Failures

“In such structures (normally single-channel systems), the consideration of CCF is not relevant.”

CCF is another new concept from ISO 13849-1:2007, and stands for “Common Cause Failure”. I’m not going to get into this in any detail here, but suffice to say that design techniques, as well as channel separation (impossible in a single channel architecture) and other techniques are used to reduce the likelihood of CCF in higher reliability systems.

Performance Levels

“The maximum PL achievable with category B is PL = b.”

PL stands for “Performance Level”, divided into five degrees from ‘a’ to ‘e’. PLa corresponds to an average probability of dangerous failure per hour of ≥ 10⁻⁵ to < 10⁻⁴ failures per hour, or once in 10,000 to 100,000 hours of operation. PLb corresponds to ≥ 3 × 10⁻⁶ to < 10⁻⁵ failures per hour, or once in 100,000 hours to once in 3,000,000 hours of operation. This sounds like a lot, but when dealing with probabilities, these numbers are actually pretty low.

If you consider an operation running a single shift in Canada where the normal working year is 50 weeks and the normal workday is 7.5 hours, a working year is

7.5 h/d x 5 d/w x 50 w/a = 1875 hours/a

Taking the failure rates per hour above, yields:

PLa = one failure in 5.3 years of operation to one failure in 53.3 years

PLb = one failure in 1600 years of operation

If we go to an operation running three shifts in Canada, a working year is:

7.5 h/shift x 3 shifts x 5 d/w x 50 w/a = 5625 hours/a

Taking the failure rates per hour above, yields:

PLa = one failure in 1.8 years of operation to one failure in 17 years

PLb = one failure in 533 years of operation

Now you should be starting to get an idea about where this is going. It’s important to remember that probabilities are just that — the failure could happen in the first hour of operation or at any time after that, or never. These figures give you some way to gauge the relative reliability of the design, and ARE NOT any sort of guarantee.
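The conversion worked through above, as an added example (my own code, not the post’s): it turns a PFHd band into operating hours and then years for a given working calendar, and classifies a calculated PFHd into a Performance Level. The band limits for PLa and PLb are the ones quoted above; the limits for PLc, PLd and PLe are taken from Table 3 of ISO 13849-1 and go beyond what the post quotes. The function names and the `PL_BANDS` table are my own choices. Because the code divides by the quoted rates directly, its long end for PLb is 1/(3 × 10⁻⁶) ≈ 333,333 h, which at 1875 h/a is about 178 years; the 3,000,000 h figure above does not follow from a rate of 3 × 10⁻⁶ per hour.

```python
"""Turn ISO 13849-1 PFHd bands into expected operating hours and years between
dangerous failures.  Added example: the PLa and PLb limits are those quoted in
the post, PLc to PLe limits are from ISO 13849-1 Table 3; helper names are
assumptions made for illustration."""
from typing import Dict, Optional, Tuple

# Average probability of dangerous failure per hour (PFHd):
# lower bound inclusive, upper bound exclusive.
PL_BANDS: Dict[str, Tuple[float, float]] = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),   # c, d, e from ISO 13849-1 Table 3, not quoted in the post
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def hours_per_year(hours_per_shift: float, shifts_per_day: int,
                   days_per_week: int = 5, weeks_per_year: int = 50) -> float:
    """Operating hours in a working year (defaults match the Canadian figures above)."""
    return hours_per_shift * shifts_per_day * days_per_week * weeks_per_year


def years_between_failures(pfhd: float, annual_hours: float) -> float:
    """1 / PFHd is the mean operating hours per dangerous failure; scale to years."""
    if pfhd <= 0 or annual_hours <= 0:
        raise ValueError("failure rate and annual hours must be positive")
    return (1.0 / pfhd) / annual_hours


def pl_band_in_years(pl: str, annual_hours: float) -> Tuple[float, float]:
    """(short end, long end) in years for a PL band.  The higher failure rate at
    the top of the band gives the shorter interval between dangerous failures."""
    low_rate, high_rate = PL_BANDS[pl]
    return (years_between_failures(high_rate, annual_hours),
            years_between_failures(low_rate, annual_hours))


def performance_level(pfhd: float) -> Optional[str]:
    """Classify a calculated PFHd into a PL, or None if it lies outside PLa..PLe."""
    for pl, (low_rate, high_rate) in PL_BANDS.items():
        if low_rate <= pfhd < high_rate:
            return pl
    return None


if __name__ == "__main__":
    for shifts in (1, 3):
        hours = hours_per_year(7.5, shifts)
        print(f"{shifts} shift(s): {hours:.0f} h/a")
        for pl in ("a", "b"):
            short, long = pl_band_in_years(pl, hours)
            print(f"  PL{pl}: one dangerous failure in {short:.1f} to {long:.1f} years")
```

Feeding in the single-shift calendar reproduces the 5.3 to 53.3 year range for PLa, and the three-shift calendar the 1.8 to 17.8 year range; `performance_level` is the step you would apply once a channel’s PFHd has actually been calculated from MTTFd, DC and CCF data.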

Watch for the next post in this series where I will look at Category 1 requirements!

References

[1] Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1. 2006.

[3] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2. 2003.

[4] Safety of machinery — Safety-related parts of control systems — Part 100: Guidelines for the use and application of ISO 13849-1. ISO Technical Report TR 100. 2000.

[5] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. CEN Standard EN ISO 13849-1. 2008.

Copyright secured by Digiprove © 2011–2012
Acknowledgements: As cited: IDEC, Allen-Bradley
Some Rights Reserved

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.