Interlock Architectures – Pt. 1: What do those categories really mean?

This entry is part 1 of 8 in the series Circuit Architectures Explored

It all started with EN 954-1

In 1996 CEN published an important standard for machine builders – EN 954-1, “Safety of Machinery – Safety Related Parts of Control Systems – Part 1: General Principles for Design” [1]. This standard set the stage for defining control reliability in machinery safeguarding systems, introducing the Reliability categories that have become ubiquitous. So what do these categories mean, and how are they applied under the latest machinery functional safety standard, ISO 13849-1 [2]?


Circuit Categories

The categories are used to describe system architectures for safety related control systems. Each architecture carries with it a range of reliability performance that can be related to the degree of risk reduction you are expecting to achieve with the system. These architectures can be applied equally to electrical, electronic, pneumatic, hydraulic or mechanical control systems.

Historical Circuits

Early electrical ‘master-control-relay’ circuits used a simple architecture with a single contactor, or sometimes two, and a single-channel style of architecture to maintain the contactor coil circuit once the START or POWER ON button (PB2 in Fig. 1) had been pressed. Power to the output elements of the machine controls was supplied via contacts on the contactor, which is why it was called the Master Control Relay or ‘MCR’. The POWER OFF button (PB1 in Fig. 1) could be labeled that way, or you could make the same circuit into an Emergency Stop by simply replacing the operator with a red mushroom-head push button. These devices were usually spring-return, so to restore power, all that was needed was to push the POWER ON button again (Fig. 1).

Figure 1 – Basic Stop/Start Circuit

Typically, the components used in these circuits were specified to meet the circuit conditions, but not more. Controls manufacturers brought out over-dimensioned versions, such as Allen-Bradley’s Bulletin 700-PK contactor which had 20 A rated contacts instead of the standard Bulletin 700’s 10 A contacts.

When interlocked guards began to show up, they were integrated into the original MCR circuit by adding a basic control relay (CR1 in Fig. 2) whose coil was controlled by the interlock switch(es) (LS1 in Fig. 2), and whose output contacts were in series with the coil circuit of the MCR contactor. Opening the guard interlock would open the MCR coil circuit and drop power to the machine controls. Very simple.

Figure 2 – Old-School Start/Stop Circuit with Guard Relay

‘Ice-cube’ style plug-in relays were often chosen for CR1. These devices did not have ‘force-guided’ contacts in them, so it was possible to have one contact in the relay fail while the other continued to operate properly.

LS1 could be any kind of switch. Frequently a ‘micro-switch’ style of limit switch was chosen. These snap-action switches could fail shorted internally, or weld closed, and the actuator would continue to work normally even though the switch itself had failed. These switches are also ridiculously easy to bypass. All that is required is a piece of tape or an elastic band and the switch is no longer doing its job.

Photo 1 – Micro-Switch style limit switch used as a cover interlock switch in a piece of industrial laundry equipment

The problem with these circuits is that they can fail in a number of ways that aren’t obvious to the user, with the result being that the interlock might not work as expected, or the Emergency Stop might fail just when you need it most.

Modern Circuits

Category B

These original circuits are the basis for what became known as ‘Category B’ (‘B’ for ‘Basic’) circuits. Here’s the definition from the standard. Note that I am taking this excerpt from ISO 13849-1: 2007 (Edition 2). “SRP/CS” stands for “Safety Related Parts of Control Systems”:

6.2.3 Category B
The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application to withstand

  • the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,
  • the influence of the processed material, e.g. detergents in a washing machine, and
  • other relevant external influences, e.g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.

There is no diagnostic coverage (DCavg = none) within category B systems and the MTTFd of each channel can be low to medium. In such structures (normally single-channel systems), the consideration of CCF is not relevant.

The maximum PL achievable with category B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety function.

Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. IEC 61800-3 for power drive systems. For functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of IEC 61000-6-2 should be followed.

The standard also provides us with a nice block diagram of what a single-channel system might look like:

ISO 13849-1 Category B Designated Architecture

If you look at this block diagram and the Start/Stop Circuit with Guard Relay above, you can see how this basic circuit translates into a single channel architecture, since from the control inputs to the controlled load you have a single channel. Even the guard loop is a single channel. A failure in any component in the channel can result in loss of control of the load.

Let’s look at each part of this requirement in more detail, since each of the subsequent Categories builds upon these BASIC requirements.

The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and combined in accordance with the relevant standards and using basic safety principles for the specific application…

Basic Safety Principles

We have to go to ISO 13849-2 to get a definition of what Basic Safety Principles might include. Looking at Annex A.2 of the standard we find:

Table A.1 — Basic Safety Principles

  • Use of suitable materials and adequate manufacturing
    Remarks: Selection of material, manufacturing methods and treatment in relation to, e.g., stress, durability, elasticity, friction, wear, corrosion, temperature.
  • Correct dimensioning and shaping
    Remarks: Consider e.g. stress, strain, fatigue, surface roughness, tolerances, sticking, manufacturing.
  • Proper selection, combination, arrangements, assembly and installation of components/systems
    Remarks: Apply manufacturer’s application notes, e.g. catalogue sheets, installation instructions, specifications, and use of good engineering practice in similar components/systems.
  • Use of de-energisation principle
    Remarks: The safe state is obtained by release of energy. See primary action for stopping in EN 292-2:1991 (ISO/TR 12100-2:1992), 3.7.1. Energy is supplied for starting the movement of a mechanism. See primary action for starting in EN 292-2:1991 (ISO/TR 12100-2:1992), 3.7.1. Consider different modes, e.g. operation mode, maintenance mode. This principle shall not be used in special applications, e.g. to keep energy for clamping devices.
  • Proper fastening
    Remarks: For the application of screw locking consider manufacturer’s application notes. Overloading can be avoided by applying adequate torque loading technology.
  • Limitation of the generation and/or transmission of force and similar parameters
    Remarks: Examples are break pin, break plate, torque limiting clutch.
  • Limitation of range of environmental parameters
    Remarks: Examples of parameters are temperature, humidity, pollution at the installation place. See clause 8 and consider manufacturer’s application notes.
  • Limitation of speed and similar parameters
    Remarks: Consider e.g. the speed, acceleration, deceleration required by the application.
  • Proper reaction time
    Remarks: Consider e.g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.
  • Protection against unexpected start-up
    Remarks: Consider unexpected start-up caused by stored energy and after power supply restoration for different modes such as operation mode, maintenance mode, etc. Special equipment for release of stored energy may be necessary. Special applications, e.g. to keep energy for clamping devices or ensure a position, need to be considered separately.
  • Simplification
    Remarks: Reduce the number of components in the safety-related system.
  • Separation
    Remarks: Separation of safety-related functions from other functions.
  • Proper lubrication
  • Proper prevention of the ingress of fluids and dust
    Remarks: Consider IP rating [see EN 60529 (IEC 60529)].

As you can see, the basic safety principles are pretty basic – select components appropriately for the application, consider the operating conditions for the components, follow manufacturer’s data, and use de-energization to create the stop function. That way, a loss of power results in the system failing into a safe state, as does an open relay coil or set of burnt contacts.

“…the expected operating stresses, e.g. the reliability with respect to breaking capacity and frequency,”

Specify your components correctly with regard to voltage, current, breaking capacity, temperature, humidity, dust,…

“…other relevant external influences, e.g. mechanical vibration, electromagnetic interference, power supply interruptions or disturbances.”

“Specific requirements for electromagnetic compatibility are found in the relevant product standards, e.g. IEC 61800-3 for power drive systems. For functional safety of SRP/CS in particular, the immunity requirements are relevant. If no product standard exists, at least the immunity requirements of IEC 61000-6-2 should be followed.”

Probably the biggest ‘gotcha’ in this point is “electromagnetic interference”. This is important enough that the standard devotes a paragraph to it specifically, and note the phrase ‘functional safety’ in that paragraph; you can find more information on that topic in other posts on this blog. If your product is destined for the European Union (EU), then you will almost certainly be doing some EMC testing, unless your product is a ‘fixed installation’. If it’s going to almost any other market, you probably are not undertaking this testing. So how do you know if your design meets these criteria? Unless you test, you don’t. You can make some educated guesses based on sound engineering practices, but after that you can only hope.

Diagnostic Coverage

“…There is no diagnostic coverage (DCavg = none) within category B systems…”

Category B systems are fundamentally single channel. A single fault in the system will lead to the loss of the safety function. This sentence refers to the concept of “diagnostic coverage” that was introduced in ISO 13849-1:2007, but what this means in practice is that there is no monitoring or feedback from any critical elements. Remember our basic MCR circuit? If the MCR contactor welded closed, the only diagnostic was the failure of the machine to stop when the emergency stop button was pressed.
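To make the single-channel point concrete, here is a small logic model of the Fig. 2 circuit with the failure modes described above injected one at a time. This is an added illustration, not the post’s own material; the fault labels and the scan-style evaluation are my assumptions, and it models contact logic only, not real electrical behaviour.

```python
"""Logic model of the Fig. 2 start/stop circuit with guard relay CR1, used to show
why a single-channel (Category B, DCavg = none) design hides dangerous faults.
Added illustration: the fault names and scan-style evaluation are assumptions; it
models contact logic only, not electrical behaviour."""
from dataclasses import dataclass, field

# Dangerous failure modes the post describes (constructed labels, not standard terms).
LS1_SHORTED = "LS1 shorted"   # micro-switch limit switch fails shorted internally
CR1_WELDED = "CR1 welded"     # ice-cube relay contact welds closed
MCR_WELDED = "MCR welded"     # master control relay contacts weld closed

@dataclass
class Circuit:
    faults: set = field(default_factory=set)
    mcr_coil: bool = False    # True while the MCR coil is energized (seal-in held)

    def scan(self, stop_pressed: bool, start_pressed: bool, guard_open: bool) -> bool:
        """Evaluate the coil circuit once; return True if the machine controls are powered."""
        ls1_closed = (not guard_open) or LS1_SHORTED in self.faults   # guard interlock LS1
        cr1_closed = ls1_closed or CR1_WELDED in self.faults          # guard relay CR1 contact
        pb1_closed = not stop_pressed                                  # NC stop / E-stop PB1
        seal_in = self.mcr_coil or MCR_WELDED in self.faults           # MCR auxiliary contact
        # One series path: PB1 -> CR1 -> (PB2 or MCR seal-in) -> MCR coil. Any single
        # element stuck closed keeps the path alive, and nothing monitors the elements.
        self.mcr_coil = pb1_closed and cr1_closed and (start_pressed or seal_in)
        # Welded main contacts feed the load regardless of what the coil does.
        return self.mcr_coil or MCR_WELDED in self.faults

def run_machine(faults=()) -> Circuit:
    """Start normally: press START (PB2) with the guard closed, then release it."""
    c = Circuit(faults=set(faults))
    c.scan(stop_pressed=False, start_pressed=True, guard_open=False)
    c.scan(stop_pressed=False, start_pressed=False, guard_open=False)
    return c

def starts_normally(faults=()) -> bool:
    """True if the operator sees nothing unusual: the machine starts and runs with the fault."""
    return run_machine(faults).scan(False, False, False)

def stop_functions(faults=()) -> dict:
    """Exercise both stop functions on a running machine with the given faults.
    True means the load dropped out. The only 'diagnostic' a Category B circuit
    offers is this: a stop that fails when it is actually demanded."""
    demands = {"guard_open": (False, False, True),   # open the interlocked guard
               "estop": (True, False, False)}        # press the E-stop / POWER OFF
    return {name: not run_machine(faults).scan(*inputs) for name, inputs in demands.items()}

if __name__ == "__main__":
    for fault in ((), (LS1_SHORTED,), (CR1_WELDED,), (MCR_WELDED,)):
        print(fault or "no fault", "starts:", starts_normally(fault), stop_functions(fault))
```

Each injected fault leaves the machine starting and running normally, so the fault stays hidden until a stop is demanded and fails.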

Component Failure Rates

“…the MTTFd of each channel can be low to medium.”

This part of the statement is referring to another new concept from ISO 13849-1:2007, “MTTFd”. Standing for “Mean Time to Failure Dangerous”, this concept looks at the expected failure rates of the component in hours. Calculating MTTFd is a significant part of implementing the new standard. From the perspective of understanding Category B, what this means is that you do not need to use high-reliability components in these systems.

Common Cause Failures

“In such structures (normally single-channel systems), the consideration of CCF is not relevant.”

CCF is another new concept from ISO 13849-1:2007, and stands for “Common Cause Failure”. I’m not going to get into this in any detail here, but suffice to say that design techniques, as well as channel separation (impossible in a single channel architecture) and other techniques are used to reduce the likelihood of CCF in higher reliability systems.

Performance Levels

“The maximum PL achievable with category B is PL = b.”

PL stands for “Performance Level”, divided into five degrees from ‘a’ to ‘e’. PLa is equal to an average probability of dangerous failure per hour of ≥ 10⁻⁵ to < 10⁻⁴ failures per hour. PLb is equal to ≥ 3 × 10⁻⁶ to < 10⁻⁵ failures per hour, or once in 10,000 to 100,000 hours, to once in 3,000,000 hours of operation. This sounds like a lot, but when dealing with probabilities, these numbers are actually pretty low.

If you consider an operation running a single shift in Canada where the normal working year is 50 weeks and the normal workday is 7.5 hours, a working year is

7.5 h/d x 5 d/w x 50 w/a = 1875 hours/a

Taking the failure rates per hour above, yields:

PLa = one failure in 5.3 years of operation to one failure in 53.3 years

PLb = one failure in 1600 years of operation

If we go to an operation running three shifts in Canada, a working year is:

7.5 h/shift x 3 shifts x 5 d/w x 50 w/a = 5625 hours/a

Taking the failure rates per hour above, yields:

PLa = one failure in 1.8 years of operation to one failure in 17 years

PLb = one failure in 533 years of operation

Now you should be starting to get an idea about where this is going. It’s important to remember that probabilities are just that – the failure could happen in the first hour of operation or at any time after that, or never. These figures give you some way to gauge the relative reliability of the design, and ARE NOT any sort of guarantee.
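The shift-hour arithmetic above, as an added worked example that is not part of the original post: it converts any PFHd band into years between dangerous failures for a given working year, and adds the constant-failure-rate probability of seeing at least one dangerous failure within a mission time, which is the point of the caveat above. The PL c to e bands are taken from ISO 13849-1 Table 3, which the post does not quote; the helper names are my own.

```python
"""Convert ISO 13849-1 PFHd bands into 'years between dangerous failures' for a
given working year, and into a probability over a mission time.
Added illustration with constructed helper names; not the post's or the standard's code."""
import math

# Average probability of dangerous failure per hour (PFHd), [lower, upper) per PL.
# Bands a and b are as quoted in the post; c to e are from ISO 13849-1 Table 3.
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

def hours_per_year(hours_per_shift, shifts, days_per_week, weeks_per_year):
    """Operating hours per year, e.g. 7.5 h x 1 shift x 5 d x 50 w = 1875 h."""
    return hours_per_shift * shifts * days_per_week * weeks_per_year

def years_between_failures(pfhd, op_hours_per_year):
    """Mean interval between dangerous failures in years: 1 / (PFHd * hours per year)."""
    return 1.0 / (pfhd * op_hours_per_year)

def pl_band_in_years(pl, op_hours_per_year):
    """(shortest, longest) mean interval for a PL band; the upper PFHd limit fails soonest."""
    low, high = PL_BANDS[pl]
    return (years_between_failures(high, op_hours_per_year),
            years_between_failures(low, op_hours_per_year))

def probability_of_dangerous_failure(pfhd, mission_hours):
    """P(at least one dangerous failure within mission_hours), assuming a constant
    failure rate (exponential model). This is 'it could happen in the first hour'
    in numbers: the mean interval is not a promise about any particular machine."""
    return 1.0 - math.exp(-pfhd * mission_hours)

if __name__ == "__main__":
    for shifts in (1, 3):
        h = hours_per_year(7.5, shifts, 5, 50)
        print(f"{shifts} shift(s): {h:.0f} h/a")
        for pl in PL_BANDS:
            lo, hi = pl_band_in_years(pl, h)
            print(f"  PL{pl}: one dangerous failure in {lo:.1f} to {hi:.1f} years")
    # Ten years at one shift on a PLa design sitting at the band's upper limit.
    p = probability_of_dangerous_failure(1e-4, 10 * hours_per_year(7.5, 1, 5, 50))
    print(f"P(dangerous failure within 10 years, PFHd = 1e-4/h) = {p:.2f}")
```

Computing from the band limit of 3 × 10⁻⁶/h gives about 178 years for PLb at 1875 h/a; the 1600-year figure above corresponds to an interval of 3,000,000 hours.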

Watch for the next post in this series where I will look at Category 1 requirements!

References

[1] Safety of Machinery – Safety Related Parts of Control Systems – Part 1: General Principles for Design. CEN Standard EN 954-1. 1996.

[2] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1. 2006.

[3] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2. 2003.

[4] Safety of machinery — Safety-related parts of control systems — Part 100: Guidelines for the use and application of ISO 13849-1. ISO Technical Report TR 100. 2000.

[5] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. CEN Standard EN ISO 13849-1. 2008.



Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.


  • controlsgirl

    Great explanation and translation into how these standards are applied in the real world. One thing that I think is often confusing is the definition of failure. I often have found myself wondering if the standard means failure of a device to work as expected or failure in the sense that someone had to press an e-stop..etc. Could you help clarify that in the different places that the word is mentioned? I know that sometimes it is more obvious than others.

    • Hey controlsgirl! Thanks for posting this question – it’s a good one.

      When we’re talking about safety related controls there are a number of different types of failures we could be talking about. From the perspective of ISO 13849-1, what we care about are dangerous failures, meaning that the safety-related control function has failed in a way that immediately increases the risk to the operator. If a control function doesn’t work as expected, but no increase in risk occurs, it’s not a dangerous failure. If a dangerous failure occurs in a guard interlock, the result could be a situation where the operator opens the guard and the machine fails to stop. That is a dangerous failure.

      To sum up, failures as discussed in ISO 13849-1 are always faults in the safety-related parts of the control system that result in an increase in risk to the operator. They may be dangerous-detected failures, or dangerous-undetected failures. The standard doesn’t pay any attention to safe failures, detectable or not.

      Emergency stop is there to deal with ‘emergent’ conditions, i.e., failures that weren’t foreseen by the designer, and so aren’t dealt with by the automatic safety functions designed into the machine. For example, a ‘silent’ failure occurs in the guard interlock we were talking about. ‘Silent’ means the control system diagnostics don’t detect it for whatever reason. The operator opens the guard and is immediately and unexpectedly exposed to the machine hazard, resulting in an injury. A co-worker presses the emergency stop to try to limit any additional harm that might occur, and then dials 911 (or 112, or whatever your local emergency phone number is). E-stops are considered ‘complementary protective measures’ because they complement the primary safeguards, like the guard interlocks.

      I think that covers it. Let me know if you have any more questions!
