Category Archives: Interlocks

Machinery Safety 101

Category Archives: Interlocks

Interlock Architectures – Pt. 5: Category 4 — Control Reliable

The Definition

Breaking it down

Fault Exclusion

The Block Diagram

Applications

Interlock Architectures – Pt. 4: Category 3 — Control Reliable

Definition

Breaking it down

The Block Diagram

Circuit Diagram

Understanding the Hierarchy of Controls

Introducing the Hierarchy of Controls

Effectiveness

Time to Apply the Hierarchy

References

Safe designs for safe workplaces

Interlock Architectures – Pt. 5: Category 4 — Control Reliable

The Definition

Breaking it down

Fault Exclusion

The Block Diagram

Applications

Interlock Architectures – Pt. 4: Category 3 — Control Reliable

Definition

Breaking it down

The Block Diagram

Circuit Diagram

Understanding the Hierarchy of Controls

Introducing the Hierarchy of Controls

Effectiveness

Time to Apply the Hierarchy

References

DC_avg and MTTF_d requirements

The Notes

Emergency Stop Subsystem

Gate Interlock Subsystem

Safety Mat Subsystem

Component Selection

1. Hazard Elimination or Substitution

2. Engineering Controls

3. Information for Use

4. Administrative Controls

5. Personal Protective Equipment (PPE)

DCavg and MTTFd requirements

6.2.6 Category 3

The Notes

Emergency Stop Subsystem

Gate Interlock Subsystem

Safety Mat Subsystem

Component Selection

1. Hazard Elimination or Substitution

2. Engineering Controls

3. Information for Use

4. Administrative Controls

5. Personal Protective Equipment (PPE)

Compliance InSight Links

Sign Up For Our Newsletter!

Coming Events

Polls

Popular Posts

Recent Posts

Series

Categories

Tags

Countries Visiting Us:

DC_avg and MTTF_d requirements

Hazard Elimination

Substitution

Control reliability

Failure Modes

Awareness Devices

Failure Modes

Complementary Protective Measures

Failure Modes:

Failure Modes

Failure Modes

Hazard Elimination

Substitution

Control reli­a­bil­ity

Failure Modes

Awareness Devices

Failure Modes

Complementary Protective Measures

Failure Modes:

Failure Modes

Failure Modes

Control reliability

Failure Modes:

Failure Modes:

Failure Modes:

Failure Modes:

Failure Modes:

Failure Modes:

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This post will delve into the depths of this architecture in this installment on system architectures. The definitions and requirements discussed in this article come from ISO 13849–1, Edition 2 (2006) and ISO 13849–2, Edition 1 (2003).

As with preceding articles in this series, I’ll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I’ve answered your questions there.

The Category 4 definition builds on both Category B and Category 3. As you read, recall that “SRP/CS” stands for “Safety Related Parts of the Control System”. Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that
a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.
The diagnostic coverage (DC_avg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTF_d of each of the redundant channels shall be high. Measures against CCF shall be applied (see
Annex F).
NOTE 1 Category 4 system behaviour allows that
when a single fault occurs the safety function is always performed,
the faults will be detected in time to prevent the loss of the safety function,
accumulation of undetected faults is taken into account.
NOTE 2 The difference between category 3 and category 4 is a higher DC_avg in category 4 and a required MTTF_d of each channel of “high” only.
In practice, the consideration of a fault combination of two faults may be sufficient.

5% Discount on ISO and IEC Standards with code: CC2011

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, using well tried safety principles, such as switching the +V rail side of the coil circuit for control components is required. If you aren’t sure about what constitutes a “well-tried safety principle”, see the article on Category 2 where this is discussed. Don’t confuse “well-tried safety principles” with “well-tried components”. There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that
a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that Category. This is the key difference between the categories in my opinion.

The diagnostic coverage (DC_avg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTF_d of each of the redundant channels shall be high. Measures against CCF shall be applied (see
Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the “passing score” of 65 remains unchanged (see Annex F in ISO 13849–1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that
when a single fault occurs the safety function is always performed,
the faults will be detected in time to prevent the loss of the safety function,
accumulation of undetected faults is taken into account.
Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements by explicit statements. Notice that nowhere is there a requirement that single faults or accumulation of single faults be prevented, only detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. It is important to first understand which components are critical to the safety function, and second, what kinds of faults each component is likely to have, is fundamental to being able to design a diagnostic system that can detect the faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if the common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly result in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for “fault exclusion”, a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high probability faults that are likely to occur concurrently. IF there are, you need to assess these combinations of faults, whether there are 5 or 50 to be evaluated.

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Section 7.3 of ISO 13849–1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between “well-tried components” and “fault exclusion”:

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are
means to secure the fixing of the switch after its adjustment,
means to secure the fixing of the cam,
means to ensure the transverse stability of the cam,
means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
means to protect it against damage from outside.

To assist the designer, ISO 13849–2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let’s consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List
#	Fault Description	Result	Likelihood
1	Key breaks off	Control system cannot determine guard position. Complete failure of system through a single fault.	Unlikely
2	Screws mounting key to guard fail	Control system cannot determine guard position. Complete failure of system through a single fault.	Unlikely
3	Screws mounting interlock device to guard fail	Control system cannot determine guard position. Complete failure of system through a single fault.	Unlikely
4	Key and interlock device misaligned.	Guard cannot close, preventing machine from operating.	Very likely
5	Key and interlock device misaligned.	Key and / or interlock device damaged. Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device.	Likely
6	Screws mounting key to guard removed by user.	Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard.	Likely
7	Screws mounting interlock device to guard removed by user	Probably combined with the preceding condition. Control system can no longer sense the position of the guard.	Unlikely, but could happen.

There may be more failure modes, but for the purpose of this discussion, lets limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include: misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread locking adhesives when installing the screws to prevent them from vibrating loose, and “tamper-proof” style screw heads to deter unauthorized removal. Inclusion of these methods will support any decision to exclude these faults. This goes to addressing faults 3, 6 and 7 as well.

Faults 4 & 5 occur frequently and are often caused by poor device selection (i.e. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (i.e. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). Rationale for prevention of these faults will need to include discussion of design features that will prevent these conditions.

Excluding any other kind of fault follows the same process: Develop the fault list, assess each fault against the relevant Annex from ISO 13849–2, determine if there are preventative measures that can be designed into the product and whether these provide sufficient risk reduction to allow the exclusion of the fault from consideration.

NOTE 2 The difference between category 3 and category 4 is a higher DC_avg in category 4 and a required MTTF_d of each channel of “high” only.

The first sentence in Note 2 clarifies the two main differences from a design standpoint, aside from the additional fault tolerance requirements: Better diagnostics are required and much higher requirements for individual component, and therefore channel, MTTF_d.

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This
corrects the arrowed lines labeled “m” between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I’ve highlighted this area using red ovals on Figure 12 to make it easier to see .

ISO 13849–1 Figure 12 — Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the “m” lines are solid in Figure 12 and dashed in Figure 11? Subtle, but significant! There are no other differences between the diagrams.

I went looking for a circuit diagram to support the block diagram, but wasn’t able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn’t too surprising. The basic physical construction of the two categories can be virtually identical.

The following is not from the standards — this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided that they were going to apply Category 4 architecture without really understanding the design implications, because they believed that it was “the best”. With the change in the harmonization of EN 954–1 and ISO 13849–1 under the EU machinery directive that comes into force on 29-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954–1, I can easily imagine manufacturers who have taken the approach that they already have Category 4 SRP/CS on their systems and making the statement that they now have PL_e SRP/CS system performance. This is a bad decision for a lot of reasons:

ISO 13849–1 PL_e, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Attempting to apply this level of design to machinery where a PL_b performance level is more suitable based on a risk assessment, is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, or EN 692 for Mechanical Power Presses or EN 693 for Hydraulic Power Presses will explicitly specify the PL level required for these machines.
Manufacturers have frequently claimed EN 954–1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system.

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant’s published documents to cause some serious legal grief.

As designers involved with the safety of our company’s products or with our co-worker’s safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction and ensure that the design criteria is met by validating the system once built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Acknowledgements: ISO for excerpts from ISO 13849–1 and more…

Some Rights Reserved

Posted by Doug Nix on September 19, 2011 Comments Off

This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to “Control Reliable” circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we’ll get to in a following post. If you haven’t read the first three posts in this series, you may want to go back and review them as the concepts in those articles are the basis for the discussion in this post.

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single– or multiple-fault-tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06–1999, CSA Z434-03 or EN 954–1:95, rely primarily on the structure or architecture of the circuit, and the characteristics of the components selected for use. ISO 13849–1 uses the same basic architectures defined by EN 954–1:95, and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety Related Parts of the Control System”.

6.2.6 Category 3
For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.
The diagnostic coverage (DC_avg) of the total SRP/CS including fault-detection shall be low. The MTTF_d of each of the redundant channels shall be low-to-high, depending on the PL_r. Measures against CCF shall be applied (see Annex F).
NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.
NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.
NOTE 3 Category 3 system behaviour allows that
when the single fault occurs the safety function is always performed,
some but not all faults will be detected,
accumulation of undetected faults can lead to the loss of the safety function.
NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.

5% Discount on ISO and IEC Standards with code: CC2011

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
“well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well tried safety principles” and NOT “well-tried components”. The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of “direct-drive” contacts improves the fault tolerance of the component, and so benefits the design in the end. These improvements are generally reflected in the B10_d or MTTF_d of the component, and are points that inspectors will commonly look for, since they are easy to spot in the field, since “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence makes the requirement for single-fault tolerance. This means that the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: In order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excepted. I’ll get into fault exceptions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “Whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off the shelf component (COTS) available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since this is typically the simplest way) or before it occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DC_avg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DC_avg, we need to look first at Table 6:

ISO 13849–1:06 Table 6
Diagnostic Coverage (DC)
Denotation	Range
None	DC < 60%
Low	60% ? DC < 90%
Medium	90% ? DC < 99%
High	99% ? DC
NOTE 1 For SRP/CS consisting of several parts an average value DC_avg for DC is used in Figure 5, Clause 6 and E.2. NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 — DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 — DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called “none”. A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DC_avg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E1. Using the factors in Table E1, score the design. If you end up in the desired range between 60% and 90% DC coverage, you can move on. If not, the design will require modification to bring it into this range.

The MTTF_d of each of the redundant channels shall be low-to-high, depending on the PL_r.

This sentence reminds you that your component selections matter. Depending on the PL_r you are trying to achieve, you will need to choose components with suitable MTTF_d ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PL’s, all the way from PL_a through PL_e!

ISO 13849–1 Figure 5

If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for the architecture of your design to meet Category 3 architecture, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line, or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed either simultaneously or at different time due to overloading because they were undersized, this could be considered to be a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must meet at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PL_r on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation “Type-C” comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won’t find it used because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL level you need.

Let’s have a look at the functional block diagram for this Category.

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason requiring the use of two physically separate input devices to sense the guard position or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and one does not.

If you want to learn more about applying the block diagramming method to you design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101, nor I, have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P – June 2011, p.6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis is required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

The gate interlock circuit is located in the center of the diagram, and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point — did you notice that there is a “zone e-stop” included in the gate interlock? If you look immediately below the central safety relay and a little to the left you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can’t distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single or dual channel in design. The mat show in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6 are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn’t rely on the safety relay.

One more thing — just like the gate interlock circuit, this circuit also includes a “zone e-stop”. Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can’t tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTF_d of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.

What did you think about this article? What questions came to mind that weren’t answered for you? I look forward to hearing your thoughts and questions!

Acknowledgements: ISO for excerpts from ISO 13849–1 and more…

Some Rights Reserved

Posted by Doug Nix on February 28, 2011 4 comments

Effectiveness of the Hierarchy of Controls

This entry is part 2 of 3 in the series Hierarchy of Controls

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100–1 (shown below) illustrates this point.

The system is called a hierarchy because you must apply each level in the order that they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which has the least effectiveness.

It’s important to understand that questions must be asked after each step in the hierarchy is implemented, and that is “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?”. When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training needed and finally have made recommendations for any needed PPE.

*PPE — Personal Protective Equipment. e.g. Protective eye wear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’ in this definition.

Risk Reduction from the Designer's Viewpoint

ISO 12100:2010 — Figure 2

The Hierarchy of Controls was developed in a number of different standards over the last 20 years or so. The idea was to provide a common structure that would provide guidance to designers when controlling risk.

Typically, the first three levels of the hierarchy may be considered to be ‘engineering controls’ because they are part of the design process for a product. This does not mean that they must be done by engineers!

We’ll look at each level in the hierarchy in detail. First, let’s take a look at what is included in the Hierarchy.

The Hierarchy of Controls includes:

1) Hazard Elimination or Substitution (Design)
2) Engineering Controls (see [1, 2, 8, 9, 10, and 11])

a) Barriers

b) Guards (Fixed, Movable w/interlocks)

c) Safeguarding Devices

d) Complementary Protective Measures

3) Information for Use (see [1, 2, 4, 7, 8, 12, and 13])

a) Hazard Warnings

b) Manuals

c) HMI* & Awareness Devices (lights, horns)

4) Administrative Controls (see [1, 2, 4, 5, 7, and 8])

a) Training

b) SOP’s,

c) Hazardous Energy Control Procedures (see [5, 14])

d) Authorization

5) Personal Protective Equipment

a) Specification

b) Fitting

c) Training in use

d) Maintenance

*HMI — Human-Machine Interface. Also called the ‘console’ or ‘operator station’. The location on the machine where the operator controls are located. Often includes a programmable screen or operator display, but can be a simple array of buttons, switches and indicator lights.

The manufacturer, developer or integrator of the system should provide the first three levels of the hierarchy. Where they have not been provided, the workplace or user should provide them.

The last two levels must be provided by the workplace or user.

Each layer in the hierarchy has a level of effectiveness that is related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, the reliability and effectiveness decrease as shown below.

There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy — that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.

Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean the elimination is 100% effective, however it’s my opinion that this is not the case because even elimination has failure modes that can re-introduce the hazard.

Hazard elimination can fail if the hazard is reintroduced into the design. With machinery this isn’t that likely to occur, but in processes, services and workplaces it can occur.

Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.

Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be substitution of water-jet cutting instead of mechanical sawing of the material.

Reintroduction of the substituted material into a process is the primary failure mode, however there may be others that are specific to the hazard and the circumstances. In the above example, pre– and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

If neither elimination or substitution is possible, we move to the next level in the hierarchy.

Engineering controls typically include various types of mechanical guards [16, 17, & 18], interlocking systems [9, 10, 11, & 15], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls [19]. These systems are proactive in nature, acting automatically to prevent access to a hazard and therefore preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard.

Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are placed correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety related parts of the control system [19]. The degree of reliability is based on the amount of risk reduction that is being required of the safeguarding device and the degree of risk present in the unguarded state [9, 10].

There are many detailed technical requirements for engineering controls that I can’t get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog.

Failure modes for engineering controls are as many and as varied as the devices used and the methods of integration chosen. This discussion will have to wait for another article!

Of special note are ‘awareness devices’. This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as ‘information for use’, particularly when you consider indicator or warning lights and HMI screens. In addition to these ‘active’ types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of ‘information for use’, along with HMI screens.

Failure modes for Awareness Devices include:

Ignoring the warnings (Complacency or Failure to comprehend the meaning of the warning);
Failure to maintain the device (warning lights burned out or removed);
Defeat of the device (silencing an audible warning device);
Inappropriate selection of the device (invisible or inaudible in the predominating conditions).

Complementary Protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury, but may reduce the severity of injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by the automatic systems.

A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. Emergency stop can only ever be a back-up measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911.

The failure modes for these kinds of controls are too numerous to list here, however they range from simple failure to replace a fixed guard or barrier fence, to failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].

Once you have exhausted all the possibilities in Engineering Controls, you can move to the next level down in the hierarchy.

This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, video, photographs, drawings, bills of materials, etc. There are some excellent standards now available that can guide you in developing these materials [1, 12 and 13].

The major failure modes in this level include:

Poorly written or incomplete materials;
Provision of the materials in a language that is not understood by the user;
Failure by the user to read and understand the materials;
Inability to access the materials when needed;
Etcetera.

When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig 2 from ISO 12100 above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.

This level in the hierarchy includes:

Training;
Standard Operating Procedures (SOP’s);
Safe working procedures e.g. Hazardous Energy Control, Lockout, Tagout (where permitted by law), etc.;
Authorization; and
Supervision.

Training is the method used to get the information provided by the manufacturer to the worker or end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or worker.
SOP’s can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and logging of any problems found during the inspection is an example of an SOP to reduce risk while driving.
Safe working procedures can be strongly influenced by the manufacturer through the information for use provided. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.
Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and a fall protection training course. Once the prerequisites for authorization are completed, the worker is ‘authorized’ by the employer to carry out the task.
Supervision is one of the most critical of the Administrative Controls. Sound supervision can make all of the above work. Failure to properly supervise work can cause all of these measures to fail.

Administrative controls have many failure modes. Here are some of the most common:

Failure to train;
Failure to inform workers regarding the hazards present and the related risks;
Failure to create and implement SOP’s;
Failure to provide and maintain special equipment needed to implement SOP’s;
No formal means of authorization — i.e. How do you KNOW that Joe has his lift truck license?;
Failure to supervise adequately.

I’m sure you can think of MANY other ways that Administrative Controls can go wrong!

PPE includes everything from safety glasses, to hardhats and bump caps, to fire-retardant clothing, hearing defenders, and work boots. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.
PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:

It is a measure of last resort;
It permits the hazard to come as close to the person as their clothing;
It is often incorrectly specified;
It is often poorly fitted;
It is often poorly maintained; and
It is often improperly used.

The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person’s face, so ensuring the the protective equipment is used is a big problem that goes back to supervision.

Many small and medium sized enterprises do not have the expertise in the organization to properly specify, fit and maintain the equipment.

User comfort is extremely important. Uncomfortable equipment won’t be used for long.

Finally, by the time that properly specified, fitted and used equipment can do it’s job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is what makes PPE a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.

If workers are not properly trained and adequately informed about the hazards they face and the reasons behind the use of PPE, they are deprived of the opportunity to make safe choices, even if that choice is to refuse the work.

Failure modes for PPE include:

Incorrect specification (not suitable for the hazard);
Incorrect fit (allows hazard to bypass PPE);
Poor maintenance (prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE);
Incorrect usage (failure to train and inform users, incorrect selection or specification of PPE).

So now you know something about the ‘hierarchy of controls’. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don’t forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.

The documents referenced below should give you a good start in understanding some of these challenges.

5% Discount on All Standards with code: CC2011

[1]             Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO Standard 12100–1, 2003.
[2]            Safety of machinery – Basic concepts, general principles for design – Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100–2, 2003.
[3]            Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121–1, 2007.
[4]            Safety of machinery — Prevention of unexpected start-up, ISO 14118, 2000
[5]            Control of hazardous energy – Lockout and other methods, CSA Z460, 2005
[6]            Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219–1, 2006
[7]            Pneumatic fluid power — General rules and safety requirements for systems and their components, ISO Standard 4414, 1998
[8]            American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/RIA R15.06, 1999.
[9]            Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849–1, 2006
[10]          Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005
[11]           Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
[12]          Preparation of Instructions — Structuring, Content and Presentation, IEC Standard 62079, 2001
[13]          American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
[14]          Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
[15]          Safety of Machinery — Interlocking devices associated with guards — principles for design and selection, EN 1088+A1:2008.
[16]          Safety of Machinery — Guards — General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.
[17]          Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120.
[18]         Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
[19]        Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

5% Discount on All Standards with code: CC2011

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

Original content here is published under these license terms:		X

License Type:	Non-commercial, Attribution, Share Alike

License Summary:	You may copy this content, create derivative work from it, and re-publish it for non-commercial purposes, provided you include an overt attribution to the author(s) and the re-publication must itself be under the terms of this license or similar.

License URL:	http://creativecommons.org/licenses/by-nc-sa/3.0/

17 Events on February 17, 2012 Toronto Engineering & Human Environment ExCom More details