Interlock Architectures – Pt. 3: Category 2

This entry is part 3 of 8 in the series Circuit Architectures Explored

In the first two posts in this series, we looked at Category B, the Basic category of system architecture, and then moved on to look at Category 1. Category B underpins Categories 2, 3 and 4. In this post we’ll look more deeply into Category 2.

Let’s start by looking at the definition for Category 2, taken from ISO 13849-1:2007. Remember that in these excerpts, SRP/CS stands for Safety Related Parts of Control Systems.

Definition

6.2.5 Category 2

For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.

SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed

  • at the machine start-up, and
  • prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, and/or
  • periodically during operation if the risk assessment and the kind of operation shows that it is necessary.

The initiation of this check may be automatic. Any check of the safety function(s) shall either

  • allow operation if no faults have been detected, or
  • generate an output which initiates appropriate control action, if a fault is detected.

Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.

For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFd and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).

The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The checking equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.

The maximum PL achievable with category 2 is PL = d.

NOTE 1 In some cases category 2 is not applicable because the checking of the safety function cannot be applied to all components.

NOTE 2 Category 2 system behaviour allows that

  • the occurrence of a fault can lead to the loss of the safety function between checks,
  • the loss of safety function is detected by the check.

NOTE 3 The principle that supports the validity of a category 2 function is that the adopted technical provisions, and, for example, the choice of checking frequency can decrease the probability of occurrence of a dangerous situation.

Figure 1 – Category 2 Block diagram [1, Fig.10]

Breaking it down

Let’s start by taking apart the definition a piece at a time and looking at what each part means. I’ll also show a simple circuit that can meet the requirements.

Category B & Well-tried Safety Principles

The first paragraph speaks to the building block approach taken in the standard:

For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.

Systems meeting Category 2 are required to meet all of the same requirements as Category B, as far as the components are concerned. Other requirements for the circuits are different, and we will look at those in a bit.

Self-Testing required

Category 2 brings in the idea of diagnostics. If correctly specified components have been selected (Category B), and are applied following ‘well-tried safety principles’, then adding a diagnostic component to the system should allow the system to detect some faults and therefore achieve a certain degree of ‘fault-tolerance’, or the ability to function correctly even when some aspect of the system has failed.

Let’s look at the text:

SRP/CS of Category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed

  • at the machine start-up, and
  • prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, and/or
  • periodically during operation if the risk assessment and the kind of operation shows that it is necessary.

The initiation of this check may be automatic. Any check of the safety function(s) shall either

  • allow operation if no faults have been detected, or
  • generate an output which initiates appropriate control action, if a fault is detected.

Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.

Periodic checking is required. The checks must happen at least each time there is a demand placed on the system, i.e. a guard door is opened and closed, or an emergency stop button is pressed and reset. In addition the integrity of the SRP/CS must be tested at the start of a cycle or hazardous period, and potentially periodically during operation if the risk assessment indicates that this is necessary. The testing frequency must be at least 100x the demand rate [1, 4.5.4], e.g., a light curtain on a part loading work station that is interrupted every 30 s during normal operation requires a minimum test rate of once every 0.3 s, or 200x per minute or more.

The testing does not have to be automatic, although in practice it usually is. As long as the system integrity is good, then the output is allowed to remain on, and the machinery or process can run.

Watch Out!

Notice that the words ‘whenever possible’ are used in the last paragraph in this part of the definition where the standard speaks about initiation of a safe state. This wording alludes to the fact that these systems are still prone to faults that can lead to the loss of the safety function, and so cannot be called truly ‘fault-tolerant’. Loss of the safety function must be detected by the monitoring system and a safe state initiated. This requires careful thought, since the safety system components may have to interact with the process control system to initiate and maintain the safe state in the event that the safety system itself has failed. Also note that it is not possible to use fault exclusions in Category 2 architecture, because the system is not fault tolerant.

All of this leads to an interesting question: If the system is hardwired through the operating channel, and all the components used in that channel meet Category B requirements, can the diagnostic component be provided by monitoring the system with a standard PLC? The answer to this is YES. Test equipment (called TE in Fig. 1) is specifically excluded from the MTTFd and DCavg calculation, and Category 2 DOES NOT require the use of well-tried components, only well-tried safety principles.

Finally, for the faults that can be detected by the monitoring system, detection of a fault must initiate a safe state. This means that on the next demand on the system, i.e. the next time the guard is opened or the emergency stop is pressed, the machine must go into a safe condition. Generally, detection of a fault should prevent the subsequent reset of the system until the fault is cleared or repaired.

Testing is not permitted to introduce any new hazards or to slow the system down. The tests must occur ‘on-the-fly’ and without introducing any delay in the system compared to how it would have operated without the testing incorporated. Test equipment can be integrated into the safety system or be external to it.

One more ‘gotcha’

Note 1 in the definition highlights a significant pitfall for many designers: if all of the components in the functional channel of the system cannot be checked, you cannot claim conformity to Category 2. If you look back at Fig. 1, you will see that the dashed “m” lines connect all three functional blocks to the TE, indicating that all three must be included in the monitoring channel. A system that otherwise would meet the architectural requirements for Category 2 must be downgraded to Category 1 in cases where all the components in the functional channel cannot be tested. This is a major point and one which many designers miss when developing their systems.

Calculation of MTTFd

The next paragraph deals with the calculation of the failure rate of the system, or MTTFd.

For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFd and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).

Calculation of the failure rate focuses on the functional channel, not on the monitoring system, meaning that the failure rate of the monitoring system is ignored when analyzing systems using this architecture. The MTTFd of each component in the functional channel is calculated and then the MTTFd of the total channel is calculated.

The Diagnostic Coverage (DCavg) is also calculated based exclusively on the components in the functional channel, so when determining what percentage of the faults can be detected by the monitoring equipment, only faults in the functional channel are considered.

This highlights the fact that a failure of the monitoring system cannot be detected, so a single failure in the monitoring system that results in the system failing to detect a subsequent normally detectable failure in the functional channel will result in the loss of the safety function.
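To show how the “functional channel only” rule plays out numerically, here is a small Python calculation I have added; it is not part of the original post and does not come from the standard’s own worked examples. It combines the per-block MTTFd values with the parts-count formula of ISO 13849-1 Annex D (1/MTTFd = Σ 1/MTTFd,i) and the DCavg formula of Annex E (Σ DCi/MTTFd,i divided by Σ 1/MTTFd,i), restricted to the I, L and O blocks exactly as 6.2.5 says, and then bands the results using the MTTFd (3/10/30/100 years) and DC (60/90/99 %) limits from the standard’s tables. The block values are constructed for illustration, not taken from any datasheet, and the `category2_findings` checks are my reading of the 6.2.5 text quoted above.

```python
"""Parts-count MTTFd and DCavg for a Category 2 functional channel (added example)."""
from dataclasses import dataclass
from typing import List

MTTFD_CAP_YEARS = 100.0  # ISO 13849-1 caps the MTTFd claimed for a channel at 100 years


@dataclass(frozen=True)
class Block:
    name: str           # I, L, O (functional channel) or TE, OTE (testing channel)
    mttfd_years: float  # mean time to dangerous failure of this block, in years
    dc: float           # diagnostic coverage (0..1) the test equipment gives this block
    functional: bool    # True for I/L/O, False for TE/OTE


def functional_blocks(blocks: List[Block]) -> List[Block]:
    """6.2.5: only I, L and O count; TE and OTE are left out of both sums."""
    return [b for b in blocks if b.functional]


def channel_mttfd(blocks: List[Block]) -> float:
    """Annex D parts count: 1/MTTFd = sum(1/MTTFd_i) over the functional channel."""
    rate = sum(1.0 / b.mttfd_years for b in functional_blocks(blocks))
    return min(1.0 / rate, MTTFD_CAP_YEARS)


def channel_dcavg(blocks: List[Block]) -> float:
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i), functional channel only."""
    fn = functional_blocks(blocks)
    return sum(b.dc / b.mttfd_years for b in fn) / sum(1.0 / b.mttfd_years for b in fn)


def mttfd_band(years: float) -> str:
    """MTTFd bands from the standard: low 3..10, medium 10..30, high 30..100 years."""
    if years < 3:
        return "not permitted"
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc: float) -> str:
    """DC bands from the standard: none <60 %, low 60..90 %, medium 90..99 %, high >=99 %."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def category2_findings(blocks: List[Block]) -> List[str]:
    """Reasons (empty if none) why the channel cannot be claimed as Category 2 under 6.2.5."""
    findings = []
    untested = [b.name for b in functional_blocks(blocks) if b.dc == 0.0]
    if untested:  # NOTE 1: the check must reach every functional block, else Category 1 at best
        findings.append(f"blocks not covered by the check: {untested}; downgrade to Category 1")
    band = dc_band(channel_dcavg(blocks))
    if band != "low":  # 6.2.5: DCavg 'shall be low'
        findings.append(f"DCavg band is '{band}', 6.2.5 requires 'low'")
    if mttfd_band(channel_mttfd(blocks)) == "not permitted":
        findings.append("channel MTTFd below 3 years")
    return findings


# Constructed sample values (not from any datasheet): a monitored interlock switch (I),
# a monitoring PLC output stage and logic (L), a contactor (O), plus the test channel.
SAMPLE = [
    Block("I", 40.0, 0.60, True),
    Block("L", 100.0, 0.90, True),
    Block("O", 25.0, 0.60, True),
    Block("TE", 20.0, 0.0, False),   # standard PLC doing the monitoring: excluded from the sums
    Block("OTE", 20.0, 0.0, False),  # its output: excluded too
]

# Same channel, but the contactor O has no monitoring contact wired back to the TE.
SAMPLE_O_UNTESTED = [Block("O", 25.0, 0.0, True) if b.name == "O" else b for b in SAMPLE]

if __name__ == "__main__":
    for label, blocks in (("all blocks tested", SAMPLE), ("O untested", SAMPLE_O_UNTESTED)):
        mttfd, dcavg = channel_mttfd(blocks), channel_dcavg(blocks)
        print(f"{label}: MTTFd {mttfd:.1f} y ({mttfd_band(mttfd)}), "
              f"DCavg {dcavg:.0%} ({dc_band(dcavg)}), findings: {category2_findings(blocks)}")
```

Note that adding the TE and OTE blocks to the list changes nothing in the two results, which is exactly the point of the paragraph: a monitoring PLC with a poor MTTFd does not drag the channel figure down, but equally nothing in the figure tells you how reliable the check itself is.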

Summing Up

The next paragraph sums up the limits of this particular architecture:

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).

The first sentence reflects back to the previous paragraph on diagnostic coverage, telling you, as the designer, that you cannot make a claim to anything more than LOW DC coverage when using this architecture.

This raises an interesting question, since Figure 5 in the standard shows columns for both DCavg = LOW and DCavg = MED. My best advice to you as a user of the standard is to abide by the text, meaning that you cannot claim higher than LOW for DCavg in this architecture. This conflict will be addressed by future revisions of the standard.

Another problem raised by this sentence is the inclusion of the phrase “the total SRP/CS including fault-detection”, since the previous paragraph explicitly tells you that the assessment of DCavg ‘should’ only include the functional channel, while this sentence appears to include it. In standards writing, sentences including the word ‘shall’ are clearly mandatory, while those including the word ‘should’ indicate a condition which is advised but not required. Hopefully this confusion will be clarified in the next edition of the standard.

MTTFd in the functional channel can be anywhere in the range from LOW to HIGH depending on the components selected and the way they are applied in the design. The requirement will be driven by the desired PL of the system, so a PLd system will require HIGH MTTFd components in the functional channel, while the same architecture used for a PLb system would require only LOW MTTFd components.

Finally, applicable measures against Common Cause Failures (CCF) must be used. Some of the measures given in Table F.1 in Annex F of the standard cannot be applied, such as Channel Separation, since you cannot separate a single channel. Other CCF measures can and must be applied, and so therefore you must score at least the minimum 65 on the CCF table in Annex F to claim compliance with Category 2 requirements.

Example Circuit

Here’s an example of what a simple Category 2 circuit constructed from discrete components might look like. Note that PB1 and PB2 could just as easily be interlock switches on guard doors as push buttons on a control panel. For the sake of simplicity, I did not illustrate surge suppression on the relays, but you should include MOV’s or RC suppressors across all relay coils. All relays are considered to be constructed with ‘force-guided’ designs and meet the requirements for well-tried components.

Figure 2 – Example Category 2 circuit from discrete components

How the circuit works:

  1. The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset button is pressed, since the NC monitoring contacts on CR1, CR2 and M are all closed, but the NO reset push button contact is open.
  2. The reset push button, PB3, is pressed. If CR1, CR2 and M are all off, their normally closed contacts will be closed, so pressing PB3 will result in CR3 turning on.
  3. CR3 closes its contacts, energizing CR1 and CR2 which seal their contact circuits in and de-energize CR3. The time delays inherent in relays permit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil circuit opened when CR1 and CR2 turned on, M energizes and motion can start.

In this circuit the monitoring function is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not energize, and so a single fault is detected and the machine is prevented from re-starting. If the machine is stopped by pressing either PB1 or PB2, the machine will stop since CR1 and CR2 are redundant. If CR3 fails with welded contacts, then the M rung is held open because CR3 has not de-energized, and if it fails with an open coil, the reset function will not work; therefore both failure modes will prevent the machine from starting with a failed monitoring system, if a “force-guided” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M cannot energize because of the redundant contacts on the M rung.

This circuit cannot detect a failure in PB1, PB2, or PB3. Testing is conducted each time the circuit is reset. This circuit does not meet the 100x test rate requirement, and so cannot be said to meet Category 2 requirements.

If M is a motor starter rather than the motor itself, it will need to be duplicated for redundancy and a monitoring contact added to the CR3 rung.

In calculating MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be included. CR3 is included because it has a functional contact in the M rung and is therefore part of the functional channel of the circuit as well as being part of the TE and OTE channels.
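To make the fault-detection behaviour of Figure 2 checkable, here is a relay-logic model in Python that I have added; it is not part of the original article and is not a product’s code. It assumes the rung structure described in the four steps above: PB3 (NO) in series with the NC monitoring contacts of CR1, CR2 and M feeds CR3; the NC stop buttons PB1 and PB2 in series feed both the CR1 and CR2 rungs, each of which has a CR3 NO contact in parallel with its own seal-in contact; and M is driven through redundant CR1 and CR2 NO contacts in series with an NC contact of CR3. The relay names match the figure; the fault-injection labels (“CR1 welded”, “CR3 open_coil”, “PB1 stuck”) and the helper functions are my own. Force-guided behaviour is modelled as: while a relay has a welded NO contact, none of its NC contacts can close.

```python
"""Relay-logic model of the Figure 2 Category 2 circuit with single-fault injection."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Relay:
    """Force-guided relay: while any NO contact is welded shut, no NC contact can close."""
    name: str
    energized: bool = False
    welded: bool = False      # injected fault: an NO contact welded closed
    open_coil: bool = False   # injected fault: coil open, relay can never pull in

    def no_closed(self) -> bool:
        return self.energized or self.welded

    def nc_closed(self) -> bool:
        return not self.energized and not self.welded

    def drive(self, rung_live: bool) -> None:
        self.energized = rung_live and not self.open_coil


@dataclass
class Circuit:
    cr1: Relay = field(default_factory=lambda: Relay("CR1"))
    cr2: Relay = field(default_factory=lambda: Relay("CR2"))
    cr3: Relay = field(default_factory=lambda: Relay("CR3"))
    m: Relay = field(default_factory=lambda: Relay("M"))
    pb1_stuck: bool = False   # injected fault: stop button NC contact can no longer open
    pb2_stuck: bool = False

    def step(self, pb1: bool, pb2: bool, pb3: bool) -> None:
        """One relay time-step: evaluate every rung from the present contact states,
        then pull in / drop out all coils together (the relay delay step 3 relies on)."""
        stop_ok = (not pb1 or self.pb1_stuck) and (not pb2 or self.pb2_stuck)
        # CR3 rung: PB3 (NO) in series with NC monitoring contacts of CR1, CR2 and M
        cr3_rung = pb3 and self.cr1.nc_closed() and self.cr2.nc_closed() and self.m.nc_closed()
        # CR1 / CR2 rungs: stop buttons, then CR3 NO contact in parallel with own seal-in contact
        cr1_rung = stop_ok and (self.cr3.no_closed() or self.cr1.no_closed())
        cr2_rung = stop_ok and (self.cr3.no_closed() or self.cr2.no_closed())
        # M rung: redundant CR1 and CR2 NO contacts in series with a CR3 NC contact
        m_rung = self.cr1.no_closed() and self.cr2.no_closed() and self.cr3.nc_closed()
        for relay, live in ((self.cr3, cr3_rung), (self.cr1, cr1_rung),
                            (self.cr2, cr2_rung), (self.m, m_rung)):
            relay.drive(live)

    def hold(self, pb1: bool = False, pb2: bool = False, pb3: bool = False, steps: int = 6) -> None:
        """Hold the push buttons in one position long enough for the relays to settle."""
        for _ in range(steps):
            self.step(pb1, pb2, pb3)


def inject(fault: Optional[str]) -> Circuit:
    """Build a powered-up circuit with one injected fault, e.g. 'CR1 welded', 'CR3 open_coil', 'PB1 stuck'."""
    c = Circuit()
    if fault:
        name, mode = fault.split()
        if name in ("PB1", "PB2"):
            setattr(c, f"{name.lower()}_stuck", True)
        else:
            setattr(getattr(c, name.lower()), mode, True)
    c.hold()  # power applied, nothing pressed: a healthy circuit stays off (step 1)
    return c


def reset_attempt(c: Circuit) -> bool:
    """Press and release PB3; True if M ends up energized (the machine was allowed to start)."""
    c.hold(pb3=True)
    c.hold()
    return c.m.energized


def stops_on(c: Circuit, button: str) -> bool:
    """Press one stop button; True if M drops out."""
    c.hold(pb1=(button == "PB1"), pb2=(button == "PB2"))
    return not c.m.energized


def starts_with_fault(fault: Optional[str]) -> bool:
    """True if the machine can be started with the given single fault present."""
    return reset_attempt(inject(fault))


if __name__ == "__main__":
    for f in (None, "CR1 welded", "CR2 welded", "M welded", "CR3 welded",
              "CR3 open_coil", "CR1 open_coil", "PB1 stuck"):
        c = inject(f)
        started = reset_attempt(c)
        stopped = stops_on(c, "PB1") if started else None
        print(f"{str(f):14s} start allowed: {started!s:5s}  PB1 stops it: {stopped}")
```

Running the script prints, for each injected fault, whether the reset succeeds and whether PB1 still stops the machine. Every relay fault the text lists blocks the restart, which is the detection the CR3 rung provides. The stuck PB1 case is the gap the text describes: the reset succeeds, the machine runs, and PB1 no longer stops it, with nothing in the circuit able to notice until someone presses it.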


Watch for the next installment in this series where we’ll explore Category 3, the first of the ‘fault tolerant’ architectures!


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.
