Interlock Architectures – Pt. 2: Category 1

In Part 1 of this series we explored Cat­e­go­ry B, the Basic Cat­e­go­ry that under­pins all the oth­er Cat­e­gories. This post builds on Part 1 by tak­ing a look at Cat­e­go­ry 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849–1. When you are read­ing, remem­ber that “SRP/CS” stands for “Safe­ty Relat­ed Parts of Con­trol Sys­tems”.

SRP/CS of Cat­e­go­ry 1 shall be designed and con­struct­ed using well-tried com­po­nents and well-tried safe­ty prin­ci­ples (see ISO 13849–2).

Well-Tried Components

So what, exactly, is a “Well-Tried Component”? Let’s go back to the standard for that:

A “well-tried com­po­nent” for a safe­ty-relat­ed appli­ca­tion is a com­po­nent which has been either

a) wide­ly used in the past with suc­cess­ful results in sim­i­lar appli­ca­tions, or
b) made and ver­i­fied using prin­ci­ples which demon­strate its suit­abil­i­ty and reli­a­bil­i­ty for safe­ty-relat­ed appli­ca­tions.

New­ly devel­oped com­po­nents and safe­ty prin­ci­ples may be con­sid­ered as equiv­a­lent to “well-tried” if they ful­fil the con­di­tions of b).

The deci­sion to accept a par­tic­u­lar com­po­nent as being “well-tried” depends on the appli­ca­tion.

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

[1, 6.2.4]

Let’s look at what this all means by referring to ISO 13849–2:

Table 1 — Well-Tried Components [2]

| Well-Tried Components | Conditions for “well-tried” | Standard or specification |
|---|---|---|
| Screw | All factors influencing the screw connection and the application are to be considered. See Table A.2 “List of well-tried safety principles”. | Mechanical jointing such as screws, nuts, washers, rivets, pins, bolts etc. are standardised. |
| Spring | See Table A.2 “Use of a well-tried spring”. | Technical specifications for spring steels and other special applications are given in ISO 4960. |
| Cam | All factors influencing the cam arrangement (e.g. part of an interlocking device) are to be considered. See Table A.2 “List of well-tried safety principles”. | See EN 1088 (ISO 14119) (Interlocking devices). |
| Break-pin | All factors influencing the application are to be considered. See Table A.2 “List of well-tried safety principles”. | |

Now we have a few ideas about what might con­sti­tute a ‘well-tried com­po­nent’. Unfor­tu­nate­ly, you will notice that ‘con­tac­tor’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­po­nents that you are choos­ing to use are con­struct­ed. If they use these com­po­nents and tech­niques, you are on your way to con­sid­er­ing them to be well-tried.

Anoth­er approach is to let the com­po­nent man­u­fac­tur­er wor­ry about the details of the con­struc­tion of the device, and sim­ply ensure that com­po­nents select­ed for use in the SRP/CS are ‘safe­ty rat­ed’ by the man­u­fac­tur­er. This can work in 80–90% of cas­es, with a small per­cent­age of com­po­nents, such as large motor starters, some ser­vo and step­per dri­ves and oth­er sim­i­lar com­po­nents unavail­able with a safe­ty rat­ing. It’s worth not­ing that many dri­ve man­u­fac­tur­ers are start­ing to pro­duce dri­ves with built-in safe­ty com­po­nents that are intend­ed to be inte­grat­ed into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the def­i­n­i­tion is very impor­tant. So impor­tant that I’m going to repeat it here:

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

I added the bold text to empha­size the impor­tance of this state­ment. While this is includ­ed in a Note and is there­fore con­sid­ered to be explana­to­ry text and not part of the nor­ma­tive body of the stan­dard, it illu­mi­nates a key con­cept. This lit­tle note is what pre­vents a stan­dard PLC from being used in Cat­e­go­ry 1 sys­tems. It’s also impor­tant to real­ize that this def­i­n­i­tion is only con­sid­er­ing the hard­ware — no men­tion of soft­ware is made here, and soft­ware is not dealt with until lat­er in the stan­dard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safe­ty Prin­ci­ples’ might be.

Table 2 — Well-Tried Safety Principles [2, A.2]

| Well-tried Safety Principles | Remarks |
|---|---|
| Use of carefully selected materials and manufacturing | Selection of suitable material, adequate manufacturing methods and treatments related to the application. |
| Use of components with oriented failure mode | The predominant failure mode of a component is known in advance and always the same, see EN 292–2:1991, (ISO/TR 12100–2:1992), 3.7.4. |
| Over-dimensioning/safety factor | The safety factors are given in standards or by good experience in safety-related applications. |
| Safe position | The moving part of the component is held in one of the possible positions by mechanical means (friction only is not enough). Force is needed for changing the position. |
| Increased OFF force | A safe position/state is obtained by an increased OFF force in relation to ON force. |
| Careful selection, combination, arrangement, assembly and installation of components/system related to the application | |
| Careful selection of fastening related to the application | Avoid relying only on friction. |
| Positive mechanical action | Dependent operation (e.g. parallel operation) between parts is obtained by positive mechanical link(s). Springs and similar “flexible” elements should not be part of the link(s) [see EN 292–2:1991 (ISO/TR 12100–2:1992), 3.5]. |
| Multiple parts | Reducing the effect of faults by multiplying parts, e.g. where a fault of one spring (of many springs) does not lead to a dangerous condition. |
| Use of well-tried spring (see also Table A.3) | A well-tried spring requires: use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening); sufficient guidance of the spring; and sufficient safety factor for fatigue stress (i.e. with high probability a fracture will not occur). Well-tried pressure coil springs may also be designed by: use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening); sufficient guidance of the spring; clearance between the turns less than the wire diameter when unloaded; and sufficient force after a fracture(s) is maintained (i.e. a fracture(s) will not lead to a dangerous condition). |
| Limited range of force and similar parameters | Decide the necessary limitation in relation to the experience and application. Examples for limitations are break pin, break plate, torque limiting clutch. |
| Limited range of speed and similar parameters | Decide the necessary limitation in relation to the experience and application. Examples for limitations are centrifugal governor; safe monitoring of speed or limited displacement. |
| Limited range of environmental parameters | Decide the necessary limitations. Examples on parameters are temperature, humidity, pollution at the installation. See clause 8 and consider manufacturer’s application notes. |
| Limited range of reaction time, limited hysteresis | Decide the necessary limitations. Consider e.g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances. |

Use of Positive-Mode Operation

The use of these prin­ci­ples in the com­po­nents, as well as in the over­all design of the safe­guards is impor­tant. In devel­op­ing a sys­tem that uses ‘pos­i­tive mode oper­a­tion’, the mechan­i­cal link­age that oper­ates the elec­tri­cal con­tacts or the flu­id-pow­er valve that con­trols the prime-mover(s) (i.e. motors, cylin­ders, etc.), must act to direct­ly dri­ve the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will result in the inter­lock device stay­ing in the safe state (fail-safe or fail-to-safe­ty).

CSA Z432 [3] pro­vides us with a nice dia­gram that illus­trates the idea of “pos­i­tive-action” or “pos­i­tive-mode” oper­a­tion:

Fig­ure 1 — Pos­i­tive Mode Oper­a­tion [3, B.10]

In Fig. 1, opening the guard door forces the roller to follow the cam attached to the door, driving the switch contacts apart and opening the interlock. Even if the contacts were to weld, they would still be driven apart, since the mechanical advantage provided by the width of the door and the cam is more than enough to force the contacts apart.

Here’s an exam­ple of a ‘neg­a­tive mode’ oper­a­tion:

Fig­ure 2 — Neg­a­tive Mode oper­a­tion [3, B.11]

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-to-dan­ger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ con­di­tion.

You should have a bet­ter idea of what is meant when you read about pos­i­tive and neg­a­tive-modes of oper­a­tion now. We’ll talk about defeat resis­tance in anoth­er arti­cle.

Reliability

Com­bin­ing what you’ve learned so far, you can see that cor­rect­ly spec­i­fied com­po­nents, com­bined with over-dimen­sion­ing and imple­men­ta­tion of design lim­its along with the use of well-tried safe­ty prin­ci­ples will go a long way to improv­ing the reli­a­bil­i­ty of the con­trol sys­tem. The next part of the def­i­n­i­tion of Cat­e­go­ry 1 speaks to some addi­tion­al require­ments:

The MTTFd of each chan­nel shall be high.

The max­i­mum PL achiev­able with cat­e­go­ry 1 is PL = c.

NOTE 2 There is no diag­nos­tic cov­er­age (DCavg = none) with­in cat­e­go­ry 1 sys­tems. In such struc­tures (sin­gle-chan­nel sys­tems) the con­sid­er­a­tion of CCF is not rel­e­vant.

NOTE 3 When a fault occurs it can lead to the loss of the safe­ty func­tion. How­ev­er, the MTTFd of each chan­nel in cat­e­go­ry 1 is high­er than in cat­e­go­ry B. Con­se­quent­ly, the loss of the safe­ty func­tion is less like­ly.

We now know that the integrity of a Category 1 system is greater than that of a Category B system, since the channel MTTFd of the system has gone from “Low-to-Medium” in systems exhibiting PLa or PLb performance to “High” in systems exhibiting PLb or PLc performance. [1, Table 5] shows this difference in terms of predicted years to failure. As you can see, MTTFd “High” results in a predicted mean time to dangerous failure between 30 and 100 years. This is a pretty good result for simply improving the components used in the system!

Table 3 – Mean time to dangerous failure [1, Table 5]

The oth­er ben­e­fit is the increase in the over­all PL. Where Cat­e­go­ry B archi­tec­ture can pro­vide PLb per­for­mance at best, Cat­e­go­ry 1 takes this up a notch to PLc. To get a han­dle on what PLc means, let’s look at our sin­gle and three shift exam­ples again. If we take a Cana­di­an oper­a­tion with a sin­gle shift per day, and a 50 week work­ing year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

where h = hours, d = days, w = weeks and a = years.

In this case, PLc is equiv­a­lent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of oper­a­tion.

Look­ing at three shifts per day in the same oper­a­tion gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equiv­a­lent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of oper­a­tion.

When completing the analysis of a system, [1] limits the system MTTFd to 100 years regardless of what the individual channel MTTFd may be. The actual MTTFd matters when it comes to replacing components during the lifetime of the product. If a component or a subsystem has an MTTFd that is less than the mission time of the system, then the component or subsystem must be replaced by the time the product reaches its MTTFd. 20 years is the default mission time, but you can choose a shorter or longer time span if it makes sense.

Remem­ber that these are prob­a­bil­i­ties, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures sim­ply pro­vide a way for you as the design­er to gauge the rel­a­tive reli­a­bil­i­ty of the sys­tem.
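The Category 1 checks discussed in this section can be sketched in code. This is an added example, not taken from the original article or from ISO 13849-1: it combines component MTTFd values using the parts count method (failure rates of series parts add up, an approach the article itself does not describe), applies the 100-year cap and the Low/Medium/High bands of [1, Table 5], and flags complex electronics and parts whose MTTFd is shorter than the mission time. Component names, kinds and MTTFd values are constructed for illustration.

```python
from dataclasses import dataclass

MISSION_TIME_YEARS = 20   # default mission time stated in the article
MTTFD_CAP_YEARS = 100     # cap applied by [1] in the analysis
COMPLEX_KINDS = {"plc", "microprocessor", "asic"}  # excluded by NOTE 1


@dataclass
class Component:
    name: str
    kind: str            # e.g. "position switch", "contactor", "plc"
    mttfd_years: float   # constructed sample value (normally vendor data)
    well_tried: bool     # designer's judgement for this application


def channel_mttfd(parts):
    """Parts count method (assumption): 1/MTTFd of series parts add up."""
    total_rate = sum(1.0 / p.mttfd_years for p in parts)
    return min(1.0 / total_rate, MTTFD_CAP_YEARS)


def mttfd_band(years):
    """Bands of [1, Table 5]: Low 3-<10, Medium 10-<30, High 30-100 years."""
    if years >= 30:
        return "High"
    if years >= 10:
        return "Medium"
    if years >= 3:
        return "Low"
    return "Below Low"


def check_category_1(parts, mission_years=MISSION_TIME_YEARS):
    """Return a list of findings; an empty list means no objection found."""
    findings = []
    for p in parts:
        if p.kind.lower() in COMPLEX_KINDS:
            findings.append(f"{p.name}: complex electronics cannot be well-tried")
        elif not p.well_tried:
            findings.append(f"{p.name}: not justified as well-tried")
        if p.mttfd_years < mission_years:
            findings.append(f"{p.name}: replace by year {p.mttfd_years:g} "
                            f"(MTTFd < {mission_years}-year mission time)")
    band = mttfd_band(channel_mttfd(parts))
    if band != "High":
        findings.append(f"channel MTTFd is {band}, Category 1 requires High")
    return findings


# Constructed sample channels: a switch and contactor, then the same plus a PLC
GOOD = [Component("SW1", "position switch", 200, True),
        Component("K1", "contactor", 75, True)]
BAD = GOOD + [Component("PLC1", "plc", 15, False)]

if __name__ == "__main__":
    print(round(channel_mttfd(GOOD), 2), check_category_1(GOOD))
    for finding in check_category_1(BAD):
        print(finding)
```
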

Well-Tried Components versus Fault Exclusions

The stan­dard goes on to out­line some key dis­tinc­tions between ‘well-tried com­po­nent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions lat­er in the series.

It is impor­tant that a clear dis­tinc­tion between “well-tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

  • means to secure the fix­ing of the switch after its adjust­ment,
  • means to secure the fix­ing of the cam,
  • means to ensure the trans­verse sta­bil­i­ty of the cam,
  • means to avoid over trav­el of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
  • means to pro­tect it against dam­age from out­side.

[1, 6.2.4]

System Block Diagram

Final­ly, let’s look at the block dia­gram for Cat­e­go­ry 1. You will notice that it looks the same as the Cat­e­go­ry B block dia­gram, since only the com­po­nents used in the sys­tem have changed, and not the archi­tec­ture.

Fig­ure 3 — Cat­e­go­ry 1 Block Dia­gram [1, Fig. 9]

References

[1]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1, Ed. 2. 2006.

[2]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. ISO Stan­dard 13849–2, Ed. 2. 2012.

[3]       Safe­guard­ing of Machin­ery. CSA Stan­dard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

  • ISO 13849–1:2006 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • ISO 13849–2:2003 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

If you are work­ing in the EU, or are work­ing on CE Mark­ing your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard, avail­able through the CEN resellers:

  • EN ISO 13849–1:2008 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • EN ISO 13849–2:2012 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2”, where we expand on the first two categories by adding some diagnostic coverage to improve reliability.

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.