Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Circuit Architectures Explored

In Part 1 of this series we explored Category B, the Basic Category that under­pins all the oth­er Categories. This post builds on Part 1 by tak­ing a look at Category 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849 – 1. When you are read­ing, remem­ber that “SRP/​CS” stands for “Safety Related Parts of Control Systems”.

SRP/​CS of Category 1 shall be designed and con­struc­ted using well-​tried com­pon­ents and well-​tried safety prin­ciples (see ISO 13849 – 2).

Well-​Tried Components

So what, exactly, is a “Well-​Tried Component”?? Let’s go back to the stand­ard for that:

A “well-​tried com­pon­ent” for a safety-​related applic­a­tion is a com­pon­ent which has been either

a) widely used in the past with suc­cess­ful res­ults in sim­il­ar applic­a­tions, or
b) made and veri­fied using prin­ciples which demon­strate its suit­ab­il­ity and reli­ab­il­ity for safety-​related applications.

Newly developed com­pon­ents and safety prin­ciples may be con­sidered as equi­val­ent to “well-​tried” if they ful­fil the con­di­tions of b).

The decision to accept a par­tic­u­lar com­pon­ent as being “well-​tried” depends on the application.

NOTE 1 Complex elec­tron­ic com­pon­ents (e.g. PLC, micro­pro­cessor, application-​specific integ­rated cir­cuit) can­not be con­sidered as equi­val­ent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by refer­ring to ISO 13849 – 2:

Table 1 — Well-​Tried Components [2]
Well-​Tried Components Conditions for “well – tried” Standard or specification
Screw All factors influ­en­cing the screw con­nec­tion and the applic­a­tion are to be con­sidered. See Table A.2 “List of well – tried safety principles”. Mechanical joint­ing such as screws, nuts, wash­ers, riv­ets, pins, bolts etc. are standardised.
Spring See Table A.2 “Use of a well – tried spring”. Technical spe­cific­a­tions for spring steels and oth­er spe­cial applic­a­tions are giv­en in ISO 4960.
Cam All factors influ­en­cing the cam arrange­ment (e. g. part of an inter­lock­ing device) are to be con­sidered. See Table A.2 “List of well – tried safety principles”. See EN 1088 (ISO 14119) (Interlocking devices).
Break – pin All factors influ­en­cing the applic­a­tion are to be con­sidered. See Table A.2 “List of well-​tried safety principles”.

Now we have a few ideas about what might con­sti­tute a ‘well-​tried com­pon­ent’. Unfortunately, you will notice that ‘con­tact­or’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­pon­ents that you are choos­ing to use are con­struc­ted. If they use these com­pon­ents and tech­niques, you are on your way to con­sid­er­ing them to be well-tried.

Another approach is to let the com­pon­ent man­u­fac­turer worry about the details of the con­struc­tion of the device, and simply ensure that com­pon­ents selec­ted for use in the SRP/​CS are ‘safety rated’ by the man­u­fac­turer. This can work in 80 – 90% of cases, with a small per­cent­age of com­pon­ents, such as large motor starters, some servo and step­per drives and oth­er sim­il­ar com­pon­ents unavail­able with a safety rat­ing. It’s worth not­ing that many drive man­u­fac­tur­ers are start­ing to pro­duce drives with built-​in safety com­pon­ents that are inten­ded to be integ­rated into your SRP/​CS.

Exclusion of Complex Electronics

Note 1 from the first part of the defin­i­tion is very import­ant. So import­ant that I’m going to repeat it here:

NOTE 1 Complex elec­tron­ic com­pon­ents (e.g. PLC, micro­pro­cessor, application-​specific integ­rated cir­cuit) can­not be con­sidered as equi­val­ent to “well tried”.

I added the bold text to emphas­ize the import­ance of this state­ment. While this is included in a Note and is there­fore con­sidered to be explan­at­ory text and not part of the norm­at­ive body of the stand­ard, it illu­min­ates a key concept. This little note is what pre­vents a stand­ard PLC from being used in Category 1 sys­tems. It’s also import­ant to real­ize that this defin­i­tion is only con­sid­er­ing the hard­ware – no men­tion of soft­ware is made here, and soft­ware is not dealt with until later in the standard.

Well-​Tried Safety Principles

Let’s have a look at what ‘Well-​Tried Safety Principles’ might be.

Table 2 — Well-​Tried Safety Principles [2, A.2]
Well-​tried Safety Principles Remarks
Use of care­fully selec­ted mater­i­als and manufacturing Selection of suit­able mater­i­al, adequate man­u­fac­tur­ing meth­ods and treat­ments related to the application.
Use of com­pon­ents with ori­ented fail­ure mode The pre­dom­in­ant fail­ure mode of a com­pon­ent is known in advance and always the same, see EN 292 – 2:1991, (ISO/​TR 12100 – 2:1992), 3.7.4.
Over – dimensioning/​safety factor The safety factors are giv­en in stand­ards or by good exper­i­ence in safety-​related applications.
Safe pos­i­tion The mov­ing part of the com­pon­ent is held in one of the pos­sible pos­i­tions by mech­an­ic­al means (fric­tion only is not enough). Force is needed for chan­ging the position.
Increased OFF force A safe position/​state is obtained by an increased OFF force in rela­tion to ON force.
Careful selec­tion, com­bin­a­tion, arrange­ment, assembly and install­a­tion of components/​system related to the application
Careful selec­tion of fasten­ing related to the application Avoid rely­ing only on friction.
Positive mech­an­ic­al action Dependent oper­a­tion (e. g. par­al­lel oper­a­tion) between parts is obtained by pos­it­ive mech­an­ic­al link(s). Springs and sim­il­ar “flex­ible” ele­ments should not be part of the link(s) [see EN 292 – 2:1991 (ISO/​TR 12100 – 2:1992), 3.5].
Multiple parts Reducing the effect of faults by mul­tiply­ing parts, e. g. where a fault of one spring (of many springs) does not lead to a dan­ger­ous condition.
Use of well – tried spring (see also Table A.3) A well – tried spring requires:
  • use of care­fully selec­ted mater­i­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cyc­ling before use) and treat­ments (e. g. rolling and shot – peening),
  • suf­fi­cient guid­ance of the spring, and
  • suf­fi­cient safety factor for fatigue stress (i. e. with high prob­ab­il­ity a frac­ture will not occur).

Well – tried pres­sure coil springs may also be designed by:

  • use of care­fully selec­ted mater­i­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cyc­ling before use) and treat­ments (e. g. rolling and shot-peening),
  • suf­fi­cient guid­ance of the spring, and
  • clear­ance between the turns less than the wire dia­met­er when unloaded, and
  • suf­fi­cient force after a fracture(s) is main­tained (i. e. a fracture(s) will not lead to a dan­ger­ous condition).
Limited range of force and sim­il­ar parameters Decide the neces­sary lim­it­a­tion in rela­tion to the exper­i­ence and applic­a­tion. Examples for lim­it­a­tions are break pin, break plate, torque lim­it­ing clutch.
Limited range of speed and sim­il­ar parameters Decide the neces­sary lim­it­a­tion in rela­tion to the exper­i­ence and applic­a­tion. Examples for lim­it­a­tions are cent­ri­fu­gal gov­ernor; safe mon­it­or­ing of speed or lim­ited displacement.
Limited range of envir­on­ment­al parameters Decide the neces­sary lim­it­a­tions. Examples on para­met­ers are tem­per­at­ure, humid­ity, pol­lu­tion at the install­a­tion. See clause 8 and con­sider manufacturer’s applic­a­tion notes.
Limited range of reac­tion time, lim­ited hysteresis Decide the neces­sary limitations.
Consider e. g. spring tired­ness, fric­tion, lub­ric­a­tion, tem­per­at­ure, iner­tia dur­ing accel­er­a­tion and deceleration,
com­bin­a­tion of tolerances.

Use of Positive-​Mode Operation

The use of these prin­ciples in the com­pon­ents, as well as in the over­all design of the safe­guards is import­ant. In devel­op­ing a sys­tem that uses ‘pos­it­ive mode oper­a­tion’, the mech­an­ic­al link­age that oper­ates the elec­tric­al con­tacts or the fluid-​power valve that con­trols the prime-mover(s) (i.e. motors, cyl­in­ders, etc.), must act to dir­ectly drive the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will res­ult in the inter­lock device stay­ing in the safe state (fail-​safe or fail-to-safety).

CSA Z432 [3] provides us with a nice dia­gram that illus­trates the idea of “positive-​action” or “positive-​mode” operation:

CSA Z432 Fig B.10 - Positive Mode Operation
Figure 1 – Positive Mode Operation [3, B.10]

In Fig. 1, open­ing the guard door forces the roller to fol­low the cam attached to the door, driv­ing the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be driv­en apart since the mech­an­ic­al advant­age provided by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an example of a ‘neg­at­ive mode’ operation:

CSA Z432-04 Fig B.11 - Negative Mode operation
Figure 2 – Negative Mode oper­a­tion [3, B.11]

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-​to-​danger. Also note that this design is very easy to defeat. A ‘zip-​tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ condition.

You should have a bet­ter idea of what is meant when you read about pos­it­ive and negative-​modes of oper­a­tion now. We’ll talk about defeat res­ist­ance in anoth­er article.

Reliability

Combining what you’ve learned so far, you can see that cor­rectly spe­cified com­pon­ents, com­bined with over-​dimensioning and imple­ment­a­tion of design lim­its along with the use of well-​tried safety prin­ciples will go a long way to improv­ing the reli­ab­il­ity of the con­trol sys­tem. The next part of the defin­i­tion of Category 1 speaks to some addi­tion­al requirements:

The MTTFd of each chan­nel shall be high.

The max­im­um PL achiev­able with cat­egory 1 is PL = c.

NOTE 2 There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory 1 sys­tems. In such struc­tures (single-​channel sys­tems) the con­sid­er­a­tion of CCF is not relevant.

NOTE 3 When a fault occurs it can lead to the loss of the safety func­tion. However, the MTTFd of each chan­nel in cat­egory 1 is high­er than in cat­egory B. Consequently, the loss of the safety func­tion is less likely.

We now know that the integ­rity of a Category 1 sys­tem is great­er than a Category B sys­tem, since the chan­nel MTTFd of the sys­tem has gone from “Low-​to-​Medium” in sys­tems exhib­it­ing PLa or PLb per­form­ance to “High” in sys­tems exhib­it­ing PLb or PLc per­form­ance. [1, Table 5] shows this dif­fer­ence in terms of pre­dicted years to fail­ure. As you can see, MTTFd “High” res­ults in a pre­dicted fail­ure rate between 30 and 100 years. This is a pretty good res­ult for simply improv­ing the com­pon­ents used in the system!

Table 3 – Mean time to dangerous failure  [1, Table 5]
Table 3 – Mean time to dan­ger­ous failure

The oth­er bene­fit is the increase in the over­all PL. Where Category B archi­tec­ture can provide PLb per­form­ance at best, Category 1 takes this up a notch to PLc. To get a handle on what PLc means, let’s look at our single and three shift examples again. If we take a Canadian oper­a­tion with a single shift per day, and a 50 week work­ing year we get:

7.5 h/​shift x 5 d/​w x 50 w/​a = 1875 h/​a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PLc is equi­val­ent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of operation.

Looking at three shifts per day in the same oper­a­tion gives us:

7.5 h/​shift x 3 shifts/​d x 5 d/​w x 50 w/​a = 5625 h/​a

In this case, PLc is equi­val­ent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of operation.

When com­plet­ing the ana­lys­is of a sys­tem, [1] lim­its the sys­tem MTTFd to 100 years regard­less of what the indi­vidu­al chan­nel MTTFd may be. Where the actu­al MTTFd is import­ant relates to the need to replace com­pon­ents dur­ing the life­time of the product. If a com­pon­ent or a sub-​system has an MTTFd that is less than the mis­sion time of the sys­tem, then the com­pon­ent or sub­sys­tem must be replaced by the time the product reaches it’s MTTFd. 20 years is the default mis­sion time, but you can choose a short­er or longer time span if it makes sense.

Remember that these are prob­ab­il­it­ies, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures simply provide a way for you as the design­er to gauge the rel­at­ive reli­ab­il­ity of the system.

Well-​Tried Components versus Fault Exclusions

The stand­ard goes on to out­line some key dis­tinc­tions between ‘well-​tried com­pon­ent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions later in the series.

It is import­ant that a clear dis­tinc­tion between “well-​tried com­pon­ent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fic­a­tion of a com­pon­ent as being well-​tried depends on its applic­a­tion. For example, a pos­i­tion switch with pos­it­ive open­ing con­tacts could be con­sidered as being well-​tried for a machine tool, while at the same time as being inap­pro­pri­ate for applic­a­tion in a food industry — in the milk industry, for instance, this switch would be des­troyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate meas­ures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al meas­ures out­side the con­trol sys­tem may be neces­sary. In the case of a pos­i­tion switch, some examples of these kinds of meas­ures are

  • means to secure the fix­ing of the switch after its adjustment,
  • means to secure the fix­ing of the cam,
  • means to ensure the trans­verse sta­bil­ity of the cam,
  • means to avoid over travel of the pos­i­tion switch, e.g. adequate mount­ing strength of the shock absorber and any align­ment devices, and
  • means to pro­tect it against dam­age from outside.

[1, 6.2.4]

System Block Diagram

Finally, let’s look at the block dia­gram for Category 1. You will notice that it looks the same as the Category B block dia­gram, since only the com­pon­ents used in the sys­tem have changed, and not the architecture.

ISO 13849-1 Figure 9
Figure 3 – Category 1 Block Diagram [1, Fig. 9]

References

[1]       Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design. ISO Standard 13849 – 1, Ed. 2. 2006.

[2]       Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation. ISO Standard 13849 – 2, Ed. 2. 2012.

[3]       Safeguarding of Machinery. CSA Standard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stand­ards in your products, you need to buy cop­ies of the stand­ards for your library.

  • ISO 13849 – 1:2006 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design
  • ISO 13849 – 2:2003 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation

Download IEC stand­ards, International Electrotechnical Commission standards.

If you are work­ing in the EU, or are work­ing on CE Marking your product, you should hold the har­mon­ized ver­sion of this stand­ard, avail­able through the CEN resellers:

  • EN ISO 13849 – 1:2008 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design
  • EN ISO 13849 – 2:2012 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2″ where we expand on the first two cat­egor­ies by adding some dia­gnost­ic cov­er­age to improve reliability.

Have ques­tions? Email me!

Series NavigationInterlock Architectures – Pt. 1: What do those cat­egor­ies really mean?Interlock Architectures – Pt. 3: Category 2

Author: Doug Nix

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. Follow me on Academia.edu//a.academia-assets.com/javascripts/social.js