Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories

Columns: Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF

Category B (see 6.2.3)
Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: Low to medium
DCavg: None
CCF: Not relevant

Category 1 (see 6.2.4)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: High
DCavg: None
CCF: Not relevant

Category 2 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 3 (see 6.2.6)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to the loss of the safety function, and
— whenever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 4 (see 6.2.7)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to a loss of the safety function, and
— the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: High
DCavg: High including accumulation of faults
CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

Columns: Category | CSA Z432-04 / Z434-03: Summary of requirements | System behaviour | Principle used to achieve safety | RIA R15.06 (1999): Summary of requirements

Category: All
CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
RIA R15.06 (1999): Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4.²

Category: SIMPLE
CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
Note: This type of system should be used for signalling and annunciation purposes only.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06 (1999): Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

Category: SINGLE CHANNEL
CSA Z432-04 / Z434-03: Single channel safety control systems shall
a) be hardware based or comply with Clause 6.5;
b) include components that should be safety rated; and
c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
Note: In this type of system a single component failure can lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06 (1999): Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state).

Category: SINGLE CHANNEL WITH MONITORING
CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
a) The check of the safety function(s) shall be performed
i) at machine start-up; and
ii) periodically during operation (preferably at each change in state).
b) The check shall either
i) allow operation if no faults have been detected; or
ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
c) The check itself shall not cause a hazardous situation.
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Characterized by both component selection and structure.
RIA R15.06 (1999): Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
a) The check of the safety function(s) shall be performed
1) at machine start-up, and
2) periodically during operation;
b) The check shall either:
1) allow operation if no faults have been detected, or
2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
c) The check itself shall not cause a hazardous situation;
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

Category: CONTROL RELIABLE
CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Characterized primarily by structure.
RIA R15.06 (1999): Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

² (Footnote from RIA R15.06) These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1). They are different. The committee believes that the criteria in 4.5.1 – 4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.
CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note: ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.
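The monitoring rules in the CONTROL RELIABLE and Category 3/4 rows of the two tables above (a single fault must not prevent the stop; it should be detected at the time of failure or at the next demand; the safe state is held until the fault is cleared) and the two-devices-versus-two-circuits distinction just described can both be exercised in a small model. The Python below is an added illustration, not code from this post or from any of the standards it discusses. The `DualChannelMonitor` class, the scan-based timing, the discrepancy limit and the guard open/closed sequences are my own constructed assumptions, not something any of the standards prescribe.

```python
"""Toy dual-channel interlock monitor.

Added here as an illustration; it is not code from the post or from any of the
standards it discusses. The scan-based timing, the discrepancy limit and the
guard open/closed sequences are constructed values chosen for the walk-through.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OPEN, CLOSED = False, True  # state of an interlock contact; CLOSED = guard shut

# Constructed guard sequence: opened once at power-up, closed, then a demand
# (guard opened for five scans), then closed again.
GUARD = [OPEN, CLOSED, CLOSED, OPEN, OPEN, OPEN, OPEN, OPEN, CLOSED, CLOSED]
FAULT_FROM = 3  # scan index at which an injected fault takes effect (constructed)


@dataclass
class DualChannelMonitor:
    """Two channels, each able to stop the machine on its own, cross-checked on
    every scan. A single channel fault shows up as a disagreement that outlasts
    the allowed window; once detected it is latched until a manual reset."""
    discrepancy_limit: int = 3  # scans the channels may disagree (constructed)
    startup_checked: bool = False
    fault_latched: bool = False
    discrepant_scans: int = 0
    log: List[str] = field(default_factory=list)

    def scan(self, ch_a: bool, ch_b: bool) -> bool:
        """One control-system scan; returns True if the machine may run."""
        # Start-up check: both channels must be seen OPEN once before any run
        # permission, so a contact stuck CLOSED since power-up is caught here.
        if not self.startup_checked and ch_a == OPEN and ch_b == OPEN:
            self.startup_checked = True
        # Periodic check: at each change of state the two channels must agree.
        if ch_a != ch_b:
            self.discrepant_scans += 1
            if self.discrepant_scans > self.discrepancy_limit and not self.fault_latched:
                self.fault_latched = True
                self.log.append("fault detected: channel discrepancy")
        else:
            self.discrepant_scans = 0
        # Either open channel stops the machine; a latched fault keeps the safe
        # state until the fault is cleared and the monitor is reset.
        return (ch_a == CLOSED and ch_b == CLOSED
                and self.startup_checked and not self.fault_latched)

    def reset(self, ch_a: bool, ch_b: bool) -> bool:
        """Manual reset after repair; refused while the channels disagree."""
        if ch_a != ch_b:
            return False
        self.fault_latched, self.discrepant_scans = False, 0
        return True


def run_sequence(monitor: DualChannelMonitor, guard: List[bool],
                 ch_a_fault: Optional[bool] = None,
                 ch_b_fault: Optional[bool] = None) -> List[bool]:
    """Feed a guard sequence through the monitor. A fault value (OPEN or CLOSED)
    forces that channel to read that state from scan FAULT_FROM onwards."""
    results = []
    for i, pos in enumerate(guard):
        a = pos if ch_a_fault is None or i < FAULT_FROM else ch_a_fault
        b = pos if ch_b_fault is None or i < FAULT_FROM else ch_b_fault
        results.append(monitor.scan(a, b))
    return results


def welded_contact_scenario() -> Tuple[List[bool], DualChannelMonitor]:
    """Electrical single fault: channel B's contact welds CLOSED. Channel A
    still performs the stop, and the disagreement is detected at that demand."""
    monitor = DualChannelMonitor()
    return run_sequence(monitor, GUARD, ch_b_fault=CLOSED), monitor


def shared_device_scenario() -> Tuple[List[bool], DualChannelMonitor]:
    """Mechanical common-cause fault on ONE interlock device carrying both
    circuits: its actuator jams, so every contact on it reads CLOSED whatever
    the guard does. Both channels fail together, agree with each other, and
    nothing is detected. With two separate devices on the guard this collapses
    to welded_contact_scenario, because the second device still opens."""
    monitor = DualChannelMonitor()
    return run_sequence(monitor, GUARD, ch_a_fault=CLOSED, ch_b_fault=CLOSED), monitor


def single_channel_scenario() -> List[bool]:
    """Same welded contact on a SINGLE CHANNEL / Category 1 circuit: nothing
    cross-checks it, so the machine keeps running with the guard open."""
    return [(CLOSED if i >= FAULT_FROM else pos) == CLOSED
            for i, pos in enumerate(GUARD)]


if __name__ == "__main__":
    for name, runs in [("dual channel, welded contact", welded_contact_scenario()[0]),
                       ("dual channel, one jammed device", shared_device_scenario()[0]),
                       ("single channel, welded contact", single_channel_scenario())]:
        print(f"{name:32s}", "".join("R" if r else "-" for r in runs))
```

Reading the three output rows side by side makes the point of the two passages: with two independent channels the welded contact is tolerated (the stop still happens) and is caught by the discrepancy check during that demand, after which the monitor refuses to run until `reset()` is called with both channels agreeing; with one device feeding both circuits the jammed actuator is a common-cause fault, both channels read CLOSED together, the discrepancy check has nothing to disagree about, and the run permission is identical to the plain single-channel circuit. That is the mechanical single fault the CSA committee wanted two devices to cover, and it is the same concern that puts CCF in Table 10.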

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to the robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) It now means that the robot itself need only meet the ISO standard instead of the ISO and the RIA standards; and 2) It brings in ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. These updates to the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment — Safety Requirements — Part 1: Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011–2012
Acknowledgements: See references listed at end of article.
Some Rights Reserved

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog.

Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.
