- Interlock Architectures — Pt. 1: What do those categories really mean?
- Interlock Architectures – Pt. 2: Category 1
- Interlock Architectures – Pt. 3: Category 2
- Interlock Architectures – Pt. 4: Category 3 — Control Reliable
- Interlock Architectures – Pt. 5: Category 4 — Control Reliable
- Interlock Architectures Pt. 6 — Comparing North American and International Systems
- ISO 13849–1:2006">Inconsistencies in ISO 13849–1:2006
- YOU ready?">31-Dec-2011 — Are YOU ready?
In the first two posts in this series, we looked at Category B, the Basic category of system architecture, and then moved on to look at Category 1. Category B underpins Categories 2, 3 and 4. In this post we’ll look more deeply into Category 2.
Let’s start by looking at the definition for Category 2, taken from ISO 13849–1:2007. Remember that in these excerpts, SRP/CS stands for Safety Related Parts of Control Systems.
Definition
6.2.5 Category 2
For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well–tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed
- at the machine start-up, and
- prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, and/or
- periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the safety function(s) shall either
- allow operation if no faults have been detected, or
- generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.
For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFd and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).
The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).
The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The checking equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
The maximum PL achievable with category 2 is PL = d.
NOTE 1 In some cases category 2 is not applicable because the checking of the safety function cannot be applied to all components.
NOTE 2 Category 2 system behaviour allows that
- the occurrence of a fault can lead to the loss of the safety function between checks,
- the loss of safety function is detected by the check.
NOTE 3 The principle that supports the validity of a category 2 function is that the adopted technical provisions, and, for example, the choice of checking frequency can decrease the probability of occurrence of a dangerous situation.
ISO 13849–1 Figure 10 — Category 2 Block diagram
Breaking it down
Let start by taking apart the definition a piece at a time and looking at what each part means. I’ll also show a simple circuit that can meet the requirements.
Category B & Well-tried Components
The first paragraph speaks to the building block approach taken in the standard:
For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well–tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
Systems meeting Category 2 are required to meet all of the same requirements as Category B, as far as the components are concerned. Other requirements for the circuits are different, and we will look at those in a bit.
Self-Testing required
Category 2 brings in the idea of diagnostics. If correctly specified components have been selected (Category B), and those components can be considered ‘well-tried’ and are applied following ‘well-tried safety principles’, then adding a diagnostic component to the system should allow the system to detect some faults and therefore achieve a certain degree of ‘fault-tolerance’ or the ability to function correctly even when some aspect of the system has failed.
Let’s look at the text:
SRP/CS of Category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed
- at the machine start-up, and
- prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, and/or
- periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the safety function(s) shall either
- allow operation if no faults have been detected, or
- generate an output which initiates appropriate control action, if a fault is detected.
Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.
Periodic checking is required. The checks must happen at least each time there is a demand placed on the system, i.e. a guard door is opened and closed, or an emergency stop button is pressed and reset. In addition the integrity of the SRP/CS must be tested at the start of a cycle or hazardous period, and potentially periodically during operation if the risk assessment indicates that this is necessary.
The testing does not have to be automatic, although in practice it usually is. As long as the system integrity is good, then the output is allowed to remain on, and the machinery or process can run.
Watch Out!
Notice that the words ‘whenever possible’ are used in the last paragraph in this part of the definition where the standard speaks about initiation of a safe state. This wording alludes to the fact that these systems are still prone to faults that can lead to the loss of the safety function, and so cannot be called truly ‘fault-tolerant’. Loss of the safety function must be detected by the monitoring system and a safe state initiated. This requires careful thought, since the safety system components may have to interact with the process control system to initiate and maintain the safe state in the event that the safety system itself has failed.
All of this leads to an interesting question: If the system is hardwired through the operating channel, and all the components used in that channel meet Category B requirements, can the diagnostic component be provided by a monitoring the system with a standard PLC?
Unfortunately, the answer to this is NO. This is true because ALL of the components must meet the well-tried requirement, and since programmable electronics are specifically excluded from being considered well-tried, this approach cannot be used. Some North American standards are written so that this approach could be applied, but under the International and EU requirements it is not acceptable.
Finally, for the faults that can be detected by the monitoring system, detection of a fault must initiate a safe state. This means that on the next demand on the system, i.e. the next time the guard is opened or the emergency stop is pressed, the machine must go into a safe condition. Generally, detection of a fault should prevent the subsequent reset of the system until the fault is cleared or repaired.
Testing is not permitted to introduce any new hazards or to slow the system down. The tests must occur ‘on-the-fly’ and without introducing any delay in the system compared to how it would have operated without the testing incorporated. Test equipment can be integrated into the safety system or be external to it.
One more ‘gotcha’
Note 1 in the definition highlights a significant pitfall for many designers: if all of the components in the functional channel of the system cannot be checked, you cannot claim conformity to Category 2. A system that otherwise would meet the architectural requirements for Category 2 must be downgraded to Category 1 in cases where all the components in the functional channel cannot be tested. This is a major point and one which many designers miss when developing their systems.
Calculation of MTTFd
The next paragraph deals with the calculation of the failure rate of the system, or MTTFd.
For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFd and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).
Calculation of the failure rate focuses on the functional channel, not on the monitoring system, meaning that the failure rate of the monitoring system is ignored when analyzing systems using this architecture. The MTTFd of each component in the functional channel is calculated and then the MTTFd of the total channel is calculated.
The Diagnostic Coverage (DCavg) is also calculated based exclusively on the components in the functional channel, so when determining what percentage of the faults can be detected by the monitoring equipment, only faults in the functional channel are considered.
This highlights the fact that a failure of the monitoring system cannot be detected, so a single failure in the monitoring system that results in the system failing to detect a subsequent normally detectable failure in the functional channel will result in the loss of the safety function.
Summing Up
The next paragraph sums up the limits of this particular architecture:
The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).
The first sentence reflects back to the previous paragraph on diagnostic coverage, telling you, as the designer, that you cannot make a claim to anything more than LOW DC coverage when using this architecture.
This raises an interesting question, since Figure 5 in the standard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the standard is to abide by the text, meaning that you cannot claim higher than LOW for DCavg in this architecture.
Another problem raised by this sentence is the inclusion of the phrase “the total SRP/CS including fault-detection”, since the previous paragraph explicitly tells you that the assessment of DCavg ‘should’ only include the functional channel, while this sentence appears to include it. In standards writing, sentences including the word ‘shall’ are clearly mandatory, while those including the word ‘should’ indicate a condition which is advised but not required. Hopefully this confusion will be clarified in the next edition of the standard.
Failure rates in the functional channel can be anywhere in the range from LOW to HIGH depending on the components selected and the way they are applied in the design. The requirement will be driven by the desired PL of the system, so a PLd system will require HIGH MTTFd components in the functional channel, while the same architecture used for a PLb system would require only LOW MTTFd components.
Finally, applicable measures against Common Cause Failures (CCF) must be used. Some of the measures given in Table F.1 in Annex F of the standard cannot be applied, such as Channel Separation, since you cannot separate a single channel. Other CCF measures can and must be applied, and so therefore you must score at least the minimum 65 on the CCF table in Annex F to claim compliance with Category 2 requirements.
Example Circuit
Here’s an example of what a simple Category 2 circuit constructed from discrete components might look like. Note that PB1 and PB2 could just as easily be interlock switches on guard doors as push buttons on a control panel. For the sake of simplicity, I did not illustrate surge suppression on the relays, but you should include MOV’s or RC suppressors across all relay coils. All relays are considered to be constructed with ‘force-guided’ designs and meet the requirements for well-tried components.
Example Example Category 2 circuit from discrete components
Here is how the circuit works:
- The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset button is pressed, since the NC monitoring contacts on CR1, CR2 and M are all closed, but the NO reset push button contact is open.
- The reset push button, PB3, is pressed. If both CR1, CR2 and M are off, their normally closed contacts will be closed, so pressing PB3 will result in CR3 turning on.
- CR3 closes its contacts, energizing CR1 and CR2 which seal their contact circuits in and de-energize CR3. The time delays inherent in relays permit this to work.
- With CR1 and CR2 closed and CR3 held off because its coil circuit opened when CR1 and CR2 turned on, M energizes and motion can start.
In this circuit the monitoring function is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not energize, and so a single fault is detected and the machine is prevented from re-starting. If the machine is stopped by pressing either PB1 or PB2, the machine will stop since CR1 and CR2 are redundant. If CR3 fails, then the M rung is all held open because CR3 has not de-energized, preventing the machine from starting with a failed monitoring system. If CR1 or CR2 fail with an open coil, then M cannot energize because of the redundant contacts on the M rung.
This circuit cannot detect a failure in PB1, PB2, or PB3. Testing is conducted each time the circuit is reset.
If M is a motor starter rather than the motor itself, it will need to be duplicated for redundancy and a monitoring contact added to the CR3 rung unless a reasonable case for fault exclusion can be made.
In calculating MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be included. CR3 is included because it has a functional contact in the M rung and is therefore part of the functional channel of the circuit as well as being part of the OT and OTE channels.
Download IEC standards, International Electrotechnical Commission standards.
Download ISO Standards
Watch for the next installment in this series where we’ll explore Category 3, the first of the ‘fault tolerant’ architectures!
+DougNix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.
Doug’s work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.
Loading ...
2 Comments.