Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Circuit Architectures Explored

In Part 1 of this series we explored Category B, the Basic Category that underpins all the other Categories. This post builds on Part 1 by taking a look at Category 1. Let’s start by exploring the difference as defined in ISO 13849-1. When you are reading, remember that “SRP/CS” stands for “Safety Related Parts of Control Systems”.

SRP/CS of Category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).

Well-Tried Components

So what, exactly, is a “Well-Tried Component”?? Let’s go back to the standard for that:

A “well-tried component” for a safety-related application is a component which has been either

a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications.

Newly developed components and safety principles may be considered as equivalent to “well-tried” if they fulfil the conditions of b).

The decision to accept a particular component as being “well-tried” depends on the application.

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by referring to ISO 13849-2:

Table 1 — Well-Tried Components [2]
Well-Tried Components Conditions for “well–tried” Standard or specification
Screw All factors influencing the screw connection and the application are to be considered. See Table A.2 “List of well–tried safety principles”. Mechanical jointing such as screws, nuts, washers, rivets, pins, bolts etc. are standardised.
Spring See Table A.2 “Use of a well–tried spring”. Technical specifications for spring steels and other special applications are given in ISO 4960.
Cam All factors influencing the cam arrangement (e. g. part of an interlocking device) are to be considered. See Table A.2 “List of well–tried safety principles”. See EN 1088 (ISO 14119) (Interlocking devices).
Break–pin All factors influencing the application are to be considered. See Table A.2 “List of well-tried safety principles”.

Now we have a few ideas about what might constitute a ‘well-tried component’. Unfortunately, you will notice that ‘contactor’ or ‘relay’ or ‘limit switch’ appear nowhere on the list. This is a challenge, but one that can be overcome. The key to dealing with this is to look at how the components that you are choosing to use are constructed. If they use these components and techniques, you are on your way to considering them to be well-tried.

Another approach is to let the component manufacturer worry about the details of the construction of the device, and simply ensure that components selected for use in the SRP/CS are ‘safety rated’ by the manufacturer. This can work in 80-90% of cases, with a small percentage of components, such as large motor starters, some servo and stepper drives and other similar components unavailable with a safety rating. It’s worth noting that many drive manufacturers are starting to produce drives with built-in safety components that are intended to be integrated into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the definition is very important. So important that I’m going to repeat it here:

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

I added the bold text to emphasize the importance of this statement. While this is included in a Note and is therefore considered to be explanatory text and not part of the normative body of the standard, it illuminates a key concept. This little note is what prevents a standard PLC from being used in Category 1 systems. It’s also important to realize that this definition is only considering the hardware – no mention of software is made here, and software is not dealt with until later in the standard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safety Principles’ might be.

Table 2 — Well-Tried Safety Principles [2, A.2]
Well-tried Safety Principles Remarks
Use of carefully selected materials and manufacturing Selection of suitable material, adequate manufacturing methods and treatments related to the application.
Use of components with oriented failure mode The predominant failure mode of a component is known in advance and always the same, see EN 292-2:1991, (ISO/TR 12100-2:1992), 3.7.4.
Over–dimensioning/safety factor The safety factors are given in standards or by good experience in safety-related applications.
Safe position The moving part of the component is held in one of the possible positions by mechanical means (friction only is not enough). Force is needed for changing the position.
Increased OFF force A safe position/state is obtained by an increased OFF force in relation to ON force.
Careful selection, combination, arrangement, assembly and installation of components/system related to the application
Careful selection of fastening related to the application Avoid relying only on friction.
Positive mechanical action Dependent operation (e. g. parallel operation) between parts is obtained by positive mechanical link(s). Springs and similar “flexible” elements should not be part of the link(s) [see EN 292-2:1991 (ISO/TR 12100-2:1992), 3.5].
Multiple parts Reducing the effect of faults by multiplying parts, e. g. where a fault of one spring (of many springs) does not lead to a dangerous condition.
Use of well–tried spring (see also Table A.3) A well–tried spring requires:

  • use of carefully selected materials, manufacturing methods (e. g. presetting and cycling before use) and treatments (e. g. rolling and shot–peening),
  • sufficient guidance of the spring, and
  • sufficient safety factor for fatigue stress (i. e. with high probability a fracture will not occur).

Well–tried pressure coil springs may also be designed by:

  • use of carefully selected materials, manufacturing methods (e. g. presetting and cycling before use) and treatments (e. g. rolling and shot-peening),
  • sufficient guidance of the spring, and
  • clearance between the turns less than the wire diameter when unloaded, and
  • sufficient force after a fracture(s) is maintained (i. e. a fracture(s) will not lead to a dangerous condition).
Limited range of force and similar parameters Decide the necessary limitation in relation to the experience and application. Examples for limitations are break pin, break plate, torque limiting clutch.
Limited range of speed and similar parameters Decide the necessary limitation in relation to the experience and application. Examples for limitations are centrifugal governor; safe monitoring of speed or limited displacement.
Limited range of environmental parameters Decide the necessary limitations. Examples on parameters are temperature, humidity, pollution at the installation. See clause 8 and consider manufacturer’s application notes.
Limited range of reaction time, limited hysteresis Decide the necessary limitations.
Consider e. g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration,
combination of tolerances.

Use of Positive-Mode Operation

The use of these principles in the components, as well as in the overall design of the safeguards is important. In developing a system that uses ‘positive mode operation’, the mechanical linkage that operates the electrical contacts or the fluid-power valve that controls the prime-mover(s) (i.e. motors, cylinders, etc.), must act to directly drive the control element (contacts or valve spool) to the safe state. Springs can be used to return the system to the run state or dangerous state, since a failure of the spring will result in the interlock device staying in the safe state (fail-safe or fail-to-safety).

CSA Z432 [3] provides us with a nice diagram that illustrates the idea of “positive-action” or “positive-mode” operation:

CSA Z432 Fig B.10 - Positive Mode Operation
Figure 1 – Positive Mode Operation [3, B.10]

In Fig. 1, opening the guard door forces the roller to follow the cam attached to the door, driving the switch contacts apart and opening the interlock. Even if the contacts were to weld, they would still be driven apart since the mechanical advantage provided by the width of the door and the cam are more than enough to force the contacts apart.

Here’s an example of a ‘negative mode’ operation:

CSA Z432-04 Fig B.11 - Negative Mode operation
Figure 2 – Negative Mode operation [3, B.11]

In Fig. 2, the interlock switch relies on a spring to enter the safe state when the door is opened. If the spring in the interlock device fails, the system fails-to-danger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the interlock in the ‘RUN’ condition.

You should have a better idea of what is meant when you read about positive and negative-modes of operation now. We’ll talk about defeat resistance in another article.

Reliability

Combining what you’ve learned so far, you can see that correctly specified components, combined with over-dimensioning and implementation of design limits along with the use of well-tried safety principles will go a long way to improving the reliability of the control system. The next part of the definition of Category 1 speaks to some additional requirements:

The MTTFd of each channel shall be high.

The maximum PL achievable with category 1 is PL = c.

NOTE 2 There is no diagnostic coverage (DCavg = none) within category 1 systems. In such structures (single-channel systems) the consideration of CCF is not relevant.

NOTE 3 When a fault occurs it can lead to the loss of the safety function. However, the MTTFd of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.

We now know that the integrity of a Category 1 system is greater than a Category B system, since the channel MTTFd of the system has gone from “Low-to-Medium” in systems exhibiting PLa or PLb performance to “High” in systems exhibiting PLb or PLc performance. [1, Table 5] shows this difference in terms of predicted years to failure. As you can see, MTTFd “High” results in a predicted failure rate between 30 and 100 years. This is a pretty good result for simply improving the components used in the system!

Table 3 – Mean time to dangerous failure  [1, Table 5]
Table 3 – Mean time to dangerous failure

The other benefit is the increase in the overall PL. Where Category B architecture can provide PLb performance at best, Category 1 takes this up a notch to PLc. To get a handle on what PLc means, let’s look at our single and three shift examples again. If we take a Canadian operation with a single shift per day, and a 50 week working year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PLc is equivalent to one failure in 533.3 years of operation to 1600 years of operation.

Looking at three shifts per day in the same operation gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equivalent to one failure in 177.8 years of operation to 533.3 years of operation.

When completing the analysis of a system, [1] limits the system MTTFd to 100 years regardless of what the individual channel MTTFd may be. Where the actual MTTFd is important relates to the need to replace components during the lifetime of the product. If a component or a sub-system has an MTTFd that is less than the mission time of the system, then the component or subsystem must be replaced by the time the product reaches it’s MTTFd. 20 years is the default mission time, but you can choose a shorter or longer time span if it makes sense.

Remember that these are probabilities, not guarantees. A failure could happen in the first hour of operation, the last hour of operation or never. These figures simply provide a way for you as the designer to gauge the relative reliability of the system.

Well-Tried Components versus Fault Exclusions

The standard goes on to outline some key distinctions between ‘well-tried component’ and ‘fault exclusion’. We’ll talk more about fault exclusions later in the series.

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

[1, 6.2.4]

System Block Diagram

Finally, let’s look at the block diagram for Category 1. You will notice that it looks the same as the Category B block diagram, since only the components used in the system have changed, and not the architecture.

ISO 13849-1 Figure 9
Figure 3 – Category 1 Block Diagram [1, Fig. 9]

References

[1]       Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1, Ed. 2. 2006.

[2]       Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2, Ed. 2. 2012.

[3]       Safeguarding of Machinery. CSA Standard Z432. 2004.

Add to your Library

If you are working on implementing these design standards in your products, you need to buy copies of the standards for your library.

  • ISO 13849-1:2006 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • ISO 13849-2:2003 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

Download IEC standards, International Electrotechnical Commission standards.

If you are working in the EU, or are working on CE Marking your product, you should hold the harmonized version of this standard, available through the CEN resellers:

  • EN ISO 13849-1:2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • EN ISO 13849-2:2012 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2” where we expand on the first two categories by adding some diagnostic coverage to improve reliability.

Have questions? Email me!

Series NavigationInterlock Architectures – Pt. 1: What do those categories really mean?Interlock Architectures – Pt. 3: Category 2

Author: Doug Nix

+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

Follow me on Academia.edu//a.academia-assets.com/javascripts/social.js