Interlock Architectures Pt. 6 — Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I've now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we'll compare the International and North American systems. This comparison is not intended to draw conclusions about which is "better", but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps between them exist.

Since we've spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories (ISO 13849-1:2006)

Columns of the original table: Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF

Category B (see 6.2.3)
Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: Low to medium
DCavg: None
CCF: Not relevant

Category 1 (see 6.2.4)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function, but the probability of occurrence is lower than for Category B.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: High
DCavg: None
CCF: Not relevant

Category 2 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. The safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of the safety function is detected by the check.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 3 (see 6.2.6)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that
  — a single fault in any of these parts does not lead to the loss of the safety function, and
  — whenever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high
DCavg: Low to medium
CCF: See Annex F

Category 4 (see 6.2.7)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that
  — a single fault in any of these parts does not lead to a loss of the safety function, and
  — the single fault is detected at or before the next demand upon the safety function, but if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
System behaviour: When a single fault occurs, the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: High
DCavg: High, including accumulation of faults
CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety and the required MTTFd, DCavg and CCF. Note that ISO 13849-1 permits fault exclusion (Clause 7.3), and that it is most often relied on in Categories 3 and 4. There is no similar table in CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

Columns of the table: Category | CSA Z432-04 / Z434-03, summary of requirements | System behaviour | Principle used to achieve safety | RIA R15.06-1999, summary of requirements

ALL
CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
RIA R15.06-1999: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (RIA footnote 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1). They are different. The committee believes that the criteria in 4.5.1–4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.)

SIMPLE
CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06-1999: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
CSA Z432-04 / Z434-03: Single channel safety control systems shall
  a) be hardware based or comply with Clause 6.5;
  b) include components that should be safety rated; and
  c) be used in accordance with manufacturers' recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
  Note: In this type of system a single component failure can lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06-1999: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers' recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state).

SINGLE CHANNEL WITH MONITORING
CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
  a) The check of the safety function(s) shall be performed
     i) at machine start-up; and
     ii) periodically during operation (preferably at each change in state).
  b) The check shall either
     i) allow operation if no faults have been detected; or
     ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
  c) The check itself shall not cause a hazardous situation.
  d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
  Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Characterized by both component selection and structure.
RIA R15.06-1999: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
  a) The check of the safety function(s) shall be performed
     1) at machine start-up, and
     2) periodically during operation;
  b) The check shall either:
     1) allow operation if no faults have been detected, or
     2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
  c) The check itself shall not cause a hazardous situation;
  d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
  a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
  b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
  c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
  d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
  e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Characterized primarily by structure.
RIA R15.06-1999: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
  a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
  b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
  c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
  d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
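The two tables describe behaviour in words ("a fault can lead to the loss of the safety function", "detected at the next demand", "accumulation of undetected faults"). The short fault-injection model below makes those rows concrete by driving a single-channel interlock (SIMPLE / SINGLE CHANNEL, or Category B / 1) and a dual-channel-with-monitoring interlock (CONTROL RELIABLE, or Category 3) through the same guard open/close cycle while welding contacts closed. This is an added example written for this article; it is not code from the article, from ISO 13849-1, CSA Z432/Z434 or RIA R15.06, and it is no substitute for a validated SRP/CS design. The Contact, SingleChannel and DualChannelMonitored objects, the stuck-at fault model, the discrepancy monitor and the scenarios are all my own assumptions chosen to make the category behaviour visible.

```python
"""Fault-injection model of the interlock architectures compared in the tables above.
Added example for this article, not code from the article or from any of the standards
and no substitute for a validated design.  The contact, channel and discrepancy-monitor
objects, the stuck-at fault model and the scenarios are my own assumptions.
Safety function modelled: "when the guard is opened, remove the run permission"; it is
LOST whenever run permission is still granted with the guard open."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STUCK_CLOSED = "stuck_closed"  # welded contact / shorted wiring: always reports "guard closed"
STUCK_OPEN = "stuck_open"      # broken wire: always reports "guard open" (fails to the safe side)
Step = Tuple[bool, bool, bool]  # (guard_closed, run_permitted, fault_detected)


@dataclass
class Contact:
    """One sensing contact on one channel; read() is True when it reports 'guard closed'."""
    fault: Optional[str] = None

    def read(self, guard_closed: bool) -> bool:
        if self.fault == STUCK_CLOSED:
            return True
        if self.fault == STUCK_OPEN:
            return False
        return guard_closed


class SingleChannel:
    """SIMPLE / SINGLE CHANNEL (CSA, RIA) or Category B / 1 (ISO 13849-1): one contact, no check."""

    def __init__(self) -> None:
        self.ch = Contact()

    def demand(self, guard_closed: bool) -> Tuple[bool, bool]:
        return self.ch.read(guard_closed), False  # nothing here ever detects a fault


class DualChannelMonitored:
    """CONTROL RELIABLE (CSA, RIA) or Category 3 (ISO 13849-1): two contacts on two channels,
    compared by a discrepancy monitor.  Run is permitted only when both channels agree the
    guard is closed; a disagreement latches a fault and the safe state is held until cleared."""

    def __init__(self) -> None:
        self.a, self.b = Contact(), Contact()
        self.fault_latched = False

    def demand(self, guard_closed: bool) -> Tuple[bool, bool]:
        if self.fault_latched:  # safe state maintained until the fault is cleared
            return False, True
        ra, rb = self.a.read(guard_closed), self.b.read(guard_closed)
        if ra != rb:  # discrepancy between channels: fault detected, stop
            self.fault_latched = True
            return False, True
        return ra and rb, False  # agreement: run only if both report 'closed'

    def clear_fault(self) -> None:
        """Reset is only legitimate after the faulty part has been replaced."""
        self.a.fault = self.b.fault = None
        self.fault_latched = False


def run_scenario(arch, steps) -> List[Step]:
    """Drive arch through (guard_closed, injection) steps; injection is None or a
    (contact_attribute, fault) pair applied just before that step's demand."""
    trace: List[Step] = []
    for guard_closed, injection in steps:
        if injection is not None:
            attr, fault = injection
            getattr(arch, attr).fault = fault
        run, detected = arch.demand(guard_closed)
        trace.append((guard_closed, run, detected))
    return trace


def safety_function_lost(trace: List[Step]) -> bool:
    """True if the machine was ever allowed to run with the guard open."""
    return any(run and not guard_closed for guard_closed, run, _ in trace)


# Constructed scenarios: a normal open/close cycle, then a contact welds closed while the
# guard is closed (not observable), then the guard is opened: the next demand on the function.
def single_channel_welded_contact() -> bool:
    steps = [(True, None), (False, None), (True, ("ch", STUCK_CLOSED)), (False, None)]
    return safety_function_lost(run_scenario(SingleChannel(), steps))  # True: lost


def dual_channel_single_fault() -> Tuple[bool, bool]:
    steps = [(True, None), (False, None), (True, ("a", STUCK_CLOSED)), (False, None)]
    trace = run_scenario(DualChannelMonitored(), steps)
    return safety_function_lost(trace), trace[-1][2]  # (False, True): B still stops, fault seen


def dual_channel_accumulated_faults() -> bool:
    # The second contact welds before any demand has exposed the first, latent fault.
    steps = [(True, None), (True, ("a", STUCK_CLOSED)), (True, ("b", STUCK_CLOSED)), (False, None)]
    return safety_function_lost(run_scenario(DualChannelMonitored(), steps))  # True: lost


if __name__ == "__main__":
    print("single channel, welded contact, lost:", single_channel_welded_contact())
    print("dual channel, one welded contact (lost, detected):", dual_channel_single_fault())
    print("dual channel, two welded contacts, lost:", dual_channel_accumulated_faults())
```

Three things worth noticing in the traces. The single-channel weld is invisible while the guard is closed and loses the safety function on the very next opening, which is the "a fault can lead to the loss of the safety function" row. The dual-channel weld is equally invisible while the guard is closed, but the next opening produces a channel discrepancy, so the stop is still performed and the fault is detected "at the next demand upon the safety function", exactly the Category 3 / control reliable wording. The accumulated-faults scenario is the Category 3 weakness spelled out in Table 10: once a second undetected fault arrives before any demand has exposed the first, the monitor sees agreement and the function is lost; nothing in this structure meets the Category 4 requirement that accumulation shall not lead to loss, which needs a check (a start-up test that forces each channel through both states is the usual approach) before a second fault can build up. Note also that two contacts on one interlock device with a broken actuator present both channels with the same wrong reading at once, so that mechanical fault arrives as the accumulated-faults case in a single step; that is the argument for two separate sensing devices.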

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between the North American and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note: ANSI/RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with the older discussion first.

Systems vs. Circuits

The CSA standard uses the term "control system(s)" throughout the definitions of the categories, while the ANSI/RIA standard uses the term "circuit(s)". This is really the crux of the difference between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to appreciate it.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do (unless a fault exclusion is justified for the mechanical parts, which ISO 13849-1 permits and the CSA standard does not), and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows a single interlocking device, because it refers only to "circuits".

The explanation I've been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. A number of incidents resulting in fatalities drove robot users to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but recognized that many users would balk at installing expensive interlock devices, so it compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be "safety rated", effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for two reasons: 1) the robot itself now need only meet the ISO standard, instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of the reliability categories. This means that the US has now officially dropped the "SIMPLE, SINGLE CHANNEL", etc. definitions and uses "Category B, 1", etc. However, only Edition 1 (1999) of ISO 13849-1 has been adopted, so none of the PL, MTTFd, etc. calculations have been adopted. In effect the RIA standard is now harmonized to the 1996 edition of EN 954-1 [4]. The updates in the 2006 edition of ISO 13849-1 may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to the use of "proven designs" and "positive-break devices". What the TCs were referring to are the same "well-tried safety principles" and "well-tried components" referred to in the International standards, only with less description of what those might be. The only major addition in the definitions is the recommendation to use "safety-rated devices", which is not included in the International standard. (N.B. The use of the word "should" in the definitions is to be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and actuated using combined positive-mode and non-positive-mode actuation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As for the RIA committee's assertion that its definitions are not equivalent to the International standard, and may be superior, I think there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 10218-1 [6], which references EN ISO 13849-1:2006, in place of Section 4 of ANSI/RIA R15.06-1999.

References

[1] "Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design", ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] "Safeguarding of machinery", CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] "American National Standard for Industrial Robots and Robot Systems — Safety Requirements", ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] "Safety of machinery — Safety related parts of control systems — Part 1: General principles for design", EN 954-1, European Committee for Standardization (CEN), Brussels, 1996.

[5] "Safety of machinery — Interlocking devices associated with guards — Principles for design and selection", EN 1088, CEN, Brussels, 1995.

[6] "Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots", EN ISO 10218-1, CEN, Brussels, 2011.

[7] "Robots for Industrial Environment — Safety Requirements — Part 1 — Robot", ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011–2012
Acknowledgements: See references listed at end of article.
Some Rights Reserved

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.