Interlock Architectures – Pt. 3: Category 2

ISO 13849-1 Figure 10

In the first two posts in this series, we looked at Cat­e­go­ry B, the Basic cat­e­go­ry of sys­tem archi­tec­ture, and then moved on to look at Cat­e­go­ry 1. Cat­e­go­ry B under­pins Cat­e­gories 2, 3 and 4. In this post we’ll look more deeply into Cat­e­go­ry 2.

Let’s start by look­ing at the def­i­n­i­tion for Cat­e­go­ry 2, tak­en from ISO 13849–1:2007. Remem­ber that in these excerpts, SRP/CS stands for Safe­ty Relat­ed Parts of Con­trol Sys­tems.

Definition

6.2.5 Category 2

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/CS of cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The check itself shall not lead to a haz­ardous sit­u­a­tion (e.g. due to an increase in response time). The check­ing equip­ment may be inte­gral with, or sep­a­rate from, the safe­ty-relat­ed part(s) pro­vid­ing the safe­ty func­tion.

The max­i­mum PL achiev­able with cat­e­go­ry 2 is PL = d.

NOTE 1 In some cas­es cat­e­go­ry 2 is not applic­a­ble because the check­ing of the safe­ty func­tion can­not be applied to all com­po­nents.

NOTE 2 Cat­e­go­ry 2 sys­tem behav­iour allows that

  • the occur­rence of a fault can lead to the loss of the safe­ty func­tion between checks,
  • the loss of safe­ty func­tion is detect­ed by the check.

NOTE 3 The prin­ci­ple that sup­ports the valid­i­ty of a cat­e­go­ry 2 func­tion is that the adopt­ed tech­ni­cal pro­vi­sions, and, for exam­ple, the choice of check­ing fre­quen­cy can decrease the prob­a­bil­i­ty of occur­rence of a dan­ger­ous sit­u­a­tion.

ISO 13849-1 Figure 10
Fig­ure 1 — Cat­e­go­ry 2 Block dia­gram [1, Fig.10]

Breaking it down

Let start by tak­ing apart the def­i­n­i­tion a piece at a time and look­ing at what each part means. I’ll also show a sim­ple cir­cuit that can meet the require­ments.

Category B & Well-tried Safety Principles

The first para­graph speaks to the build­ing block approach tak­en in the stan­dard:

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Sys­tems meet­ing Cat­e­go­ry 2 are required to meet all of the same require­ments as Cat­e­go­ry B, as far as the com­po­nents are con­cerned. Oth­er require­ments for the cir­cuits are dif­fer­ent, and we will look at those in a bit.

Self-Testing required

Cat­e­go­ry 2 brings in the idea of diag­nos­tics. If cor­rect­ly spec­i­fied com­po­nents have been select­ed (Cat­e­go­ry B), and are applied fol­low­ing ‘well-tried safe­ty prin­ci­ples’, then adding a diag­nos­tic com­po­nent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-tol­er­ance’ or the abil­i­ty to func­tion cor­rect­ly even when some aspect of the sys­tem has failed.

Let’s look at the text:

SRP/CS of Cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

Peri­od­ic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e. a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion the integri­ty of the SRP/CS must be test­ed at the start of a cycle or haz­ardous peri­od, and poten­tial­ly peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment indi­cates that this is nec­es­sary. The test­ing fre­quen­cy must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rupt­ed every 30 s dur­ing nor­mal oper­a­tion requires a min­i­mum test rate of once every 0.3 s, or 200x per minute or more.

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­al­ly is. As long as the sys­tem integri­ty is good, then the out­put is allowed to remain on, and the machin­ery or process can run.

Watch Out!

Notice that the words ‘when­ev­er pos­si­ble’ are used in the last para­graph in this part of the def­i­n­i­tion where the stan­dard speaks about ini­ti­a­tion of a safe state. This word­ing alludes to the fact that these sys­tems are still prone to faults that can lead to the loss of the safe­ty func­tion, and so can­not be called tru­ly ‘fault-tol­er­ant’. Loss of the safe­ty func­tion must be detect­ed by the mon­i­tor­ing sys­tem and a safe state ini­ti­at­ed. This requires care­ful thought, since the safe­ty sys­tem com­po­nents may have to inter­act with the process con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safe­ty sys­tem itself has failed. Also note that it is not pos­si­ble to use fault exclu­sions in Cat­e­go­ry 2 archi­tec­ture, because the sys­tem is not fault tol­er­ant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­po­nents used in that chan­nel meet Cat­e­go­ry B require­ments, can the diag­nos­tic com­po­nent be pro­vid­ed by a mon­i­tor­ing the sys­tem with a stan­dard PLC? The answer to this is YES. Test equip­ment (called TE in Fig. 1) is specif­i­cal­ly exclud­ed, and Cat­e­go­ry 2 DOES NOT require the use of well-tried com­po­nents, only well-tried safe­ty prin­ci­ples.

Final­ly, for the faults that can be detect­ed by the mon­i­tor­ing sys­tem, detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Gen­er­al­ly, detec­tion of a fault should pre­vent the sub­se­quent reset of the sys­tem until the fault is cleared or repaired.

Test­ing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-the-fly’ and with­out intro­duc­ing any delay in the sys­tem com­pared to how it would have oper­at­ed with­out the test­ing incor­po­rat­ed. Test equip­ment can be inte­grat­ed into the safe­ty sys­tem or be exter­nal to it.

One more ‘gotcha’

Note 1 in the def­i­n­i­tion high­lights a sig­nif­i­cant pit­fall for many design­ers: if all of the com­po­nents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­for­mi­ty to Cat­e­go­ry 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indi­cat­ing that all three must be includ­ed in the mon­i­tor­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Cat­e­go­ry 2 must be down­grad­ed to Cat­e­go­ry 1 in cas­es where all the com­po­nents in the func­tion­al chan­nel can­not be test­ed. This is a major point and one which many design­ers miss when devel­op­ing their sys­tems.

Calculation of MTTFd

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTFd.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

Cal­cu­la­tion of the fail­ure rate focus­es on the func­tion­al chan­nel, not on the mon­i­tor­ing sys­tem, mean­ing that the fail­ure rate of the mon­i­tor­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTFd of each com­po­nent in the func­tion­al chan­nel is cal­cu­lat­ed and then the MTTFd of the total chan­nel is cal­cu­lat­ed.

The Diag­nos­tic Cov­er­age (DCavg) is also cal­cu­lat­ed based exclu­sive­ly on the com­po­nents in the func­tion­al chan­nel, so when deter­min­ing what per­cent­age of the faults can be detect­ed by the mon­i­tor­ing equip­ment, only faults in the func­tion­al chan­nel are con­sid­ered.

This high­lights the fact that a fail­ure of the mon­i­tor­ing sys­tem can­not be detect­ed, so a sin­gle fail­ure in the mon­i­tor­ing sys­tem that results in the sys­tem fail­ing to detect a sub­se­quent nor­mal­ly detectable fail­ure in the func­tion­al chan­nel will result in the loss of the safe­ty func­tion.

Summing Up

The next para­graph sums up the lim­its of this par­tic­u­lar archi­tec­ture:

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The first sen­tence reflects back to the pre­vi­ous para­graph on diag­nos­tic cov­er­age, telling you, as the design­er, that you can­not make a claim to any­thing more than LOW DC cov­er­age when using this archi­tec­ture.

This rais­es an inter­est­ing ques­tion, since Fig­ure 5 in the stan­dard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the stan­dard is to abide by the text, mean­ing that you can­not claim high­er than LOW for DCavg in this archi­tec­ture. This con­flict will be addressed by future revi­sions of the stan­dard.

Anoth­er prob­lem raised by this sen­tence is the inclu­sion of the phrase “the total SRP/CS includ­ing fault-detec­tion”, since the pre­vi­ous para­graph explic­it­ly tells you that the assess­ment of DCavg ‘should’ only include the func­tion­al chan­nel, while this sen­tence appears to include it. In stan­dards writ­ing, sen­tences includ­ing the word ‘shall’ are clear­ly manda­to­ry, while those includ­ing the word ‘should’ indi­cate a con­di­tion which is advised but not required. Hope­ful­ly this con­fu­sion will be clar­i­fied in the next edi­tion of the stan­dard.

MTTFd in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­po­nents select­ed and the way they are applied in the design. The require­ment will be dri­ven by the desired PL of the sys­tem, so a PLd sys­tem will require HIGH MTTFd com­po­nents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PLb sys­tem would require only LOW MTTFd com­po­nents.
Final­ly, applic­a­ble mea­sures against Com­mon Cause Fail­ures (CCF) must be used. Some of the mea­sures giv­en in Table F.1 in Annex F of the stan­dard can­not be applied, such as Chan­nel Sep­a­ra­tion, since you can­not sep­a­rate a sin­gle chan­nel. Oth­er CCF mea­sures can and must be applied, and so there­fore you must score at least the min­i­mum 65 on the CCF table in Annex F to claim com­pli­ance with Cat­e­go­ry 2 require­ments.

Example Circuit

Here’s an exam­ple of what a sim­ple Cat­e­go­ry 2 cir­cuit con­struct­ed from dis­crete com­po­nents might look like. Note that PB1 and PB2 could just as eas­i­ly be inter­lock switch­es on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­plic­i­ty, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­pres­sors across all relay coils. All relays are con­sid­ered to be con­struct­ed with  ‘force-guid­ed’ designs and meet the require­ments for well-tried com­po­nents.

Example Category 2 circuit from discrete components
Fig­ure 2 — Exam­ple Cat­e­go­ry 2 cir­cuit from dis­crete com­po­nents

How the cir­cuit works:

  1. The machine is stopped with pow­er off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­i­tor­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
  2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mal­ly closed con­tacts will be closed, so press­ing PB3 will result in CR3 turn­ing on.
  3. CR3 clos­es its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-ener­gize CR3. The time delays inher­ent in relays per­mit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit the mon­i­tor­ing func­tion is pro­vid­ed by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a sin­gle fault is detect­ed and the machine is pre­vent­ed from re-start­ing. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redun­dant. If CR3 fails with weld­ed con­tacts, then the M rung is held open because CR3 has not de-ener­gized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­i­tor­ing sys­tem, if a “force-guid­ed” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M can­not ener­gize because of the redun­dant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3. Test­ing is con­duct­ed each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment, and so can­not be said to meet Cat­e­go­ry 2 require­ments.

If M is a motor starter rather than the motor itself, it will need to be dupli­cat­ed for redun­dan­cy and a mon­i­tor­ing con­tact added to the CR3 rung .

In cal­cu­lat­ing MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be includ­ed. CR3 is includ­ed because it has a func­tion­al con­tact in the M rung and is there­fore part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OT and OTE chan­nels.

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.
Down­load ISO Stan­dards

Watch for the next install­ment in this series where we’ll explore Cat­e­go­ry 3, the first of the ‘fault tol­er­ant’ archi­tec­tures!

Series Nav­i­ga­tionInter­lock Archi­tec­tures – Pt. 2: Cat­e­go­ry 1Inter­lock Archi­tec­tures – Pt. 4: Cat­e­go­ry 3 — Con­trol Reli­able

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.