Category: EU European Union

In Part 1 of this series we explored Cat­e­go­ry B, the Basic Cat­e­go­ry that under­pins all the oth­er Cat­e­gories. This post builds on Part 1 by tak­ing a look at Cat­e­go­ry 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849–1. When you are read­ing, remem­ber that “SRP/CS” stands for “Safe­ty Relat­ed Parts of Con­trol Sys­tems”.

SRP/CS of Cat­e­go­ry 1 shall be designed and con­struct­ed using well-tried com­po­nents and well-tried safe­ty prin­ci­ples (see ISO 13849–2).

Well-Tried Components

So what, exact­ly, is a “Well-Tried Com­po­nent”?? Let’s go back to the stan­dard for that:

A “well-tried com­po­nent” for a safe­ty-relat­ed appli­ca­tion is a com­po­nent which has been either

a) wide­ly used in the past with suc­cess­ful results in sim­i­lar appli­ca­tions, or
b) made and ver­i­fied using prin­ci­ples which demon­strate its suit­abil­i­ty and reli­a­bil­i­ty for safe­ty-relat­ed appli­ca­tions.

New­ly devel­oped com­po­nents and safe­ty prin­ci­ples may be con­sid­ered as equiv­a­lent to “well-tried” if they ful­fil the con­di­tions of b).

The deci­sion to accept a par­tic­u­lar com­po­nent as being “well-tried” depends on the appli­ca­tion.

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by refer­ring to ISO 13849–2:

Table 1 — Well-Tried Com­po­nents [2]

Well-Tried Com­po­nents	Con­di­tions for “well–tried”	Stan­dard or spec­i­fi­ca­tion
Screw	All fac­tors influ­enc­ing the screw con­nec­tion and the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”.	Mechan­i­cal joint­ing such as screws, nuts, wash­ers, riv­ets, pins, bolts etc. are stan­dard­ised.
Spring	See Table A.2 “Use of a well–tried spring”.	Tech­ni­cal spec­i­fi­ca­tions for spring steels and oth­er spe­cial appli­ca­tions are giv­en in ISO 4960.
Cam	All fac­tors influ­enc­ing the cam arrange­ment (e. g. part of an inter­lock­ing device) are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”.	See EN 1088 (ISO 14119) (Inter­lock­ing devices).
Break–pin	All fac­tors influ­enc­ing the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well-tried safe­ty prin­ci­ples”.	—

Now we have a few ideas about what might con­sti­tute a ‘well-tried com­po­nent’. Unfor­tu­nate­ly, you will notice that ‘con­tac­tor’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­po­nents that you are choos­ing to use are con­struct­ed. If they use these com­po­nents and tech­niques, you are on your way to con­sid­er­ing them to be well-tried.

Anoth­er approach is to let the com­po­nent man­u­fac­tur­er wor­ry about the details of the con­struc­tion of the device, and sim­ply ensure that com­po­nents select­ed for use in the SRP/CS are ‘safe­ty rat­ed’ by the man­u­fac­tur­er. This can work in 80–90% of cas­es, with a small per­cent­age of com­po­nents, such as large motor starters, some ser­vo and step­per dri­ves and oth­er sim­i­lar com­po­nents unavail­able with a safe­ty rat­ing. It’s worth not­ing that many dri­ve man­u­fac­tur­ers are start­ing to pro­duce dri­ves with built-in safe­ty com­po­nents that are intend­ed to be inte­grat­ed into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the def­i­n­i­tion is very impor­tant. So impor­tant that I’m going to repeat it here:

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

I added the bold text to empha­size the impor­tance of this state­ment. While this is includ­ed in a Note and is there­fore con­sid­ered to be explana­to­ry text and not part of the nor­ma­tive body of the stan­dard, it illu­mi­nates a key con­cept. This lit­tle note is what pre­vents a stan­dard PLC from being used in Cat­e­go­ry 1 sys­tems. It’s also impor­tant to real­ize that this def­i­n­i­tion is only con­sid­er­ing the hard­ware — no men­tion of soft­ware is made here, and soft­ware is not dealt with until lat­er in the stan­dard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safe­ty Prin­ci­ples’ might be.

Table 2 — Well-Tried Safe­ty Prin­ci­ples [2, A.2]

Well-tried Safe­ty Prin­ci­ples	Remarks
Use of care­ful­ly select­ed mate­ri­als and man­u­fac­tur­ing	Selec­tion of suit­able mate­r­i­al, ade­quate man­u­fac­tur­ing meth­ods and treat­ments relat­ed to the appli­ca­tion.
Use of com­po­nents with ori­ent­ed fail­ure mode	The pre­dom­i­nant fail­ure mode of a com­po­nent is known in advance and always the same, see EN 292–2:1991, (ISO/TR 12100–2:1992), 3.7.4.
Over–dimensioning/safety fac­tor	The safe­ty fac­tors are giv­en in stan­dards or by good expe­ri­ence in safe­ty-relat­ed appli­ca­tions.
Safe posi­tion	The mov­ing part of the com­po­nent is held in one of the pos­si­ble posi­tions by mechan­i­cal means (fric­tion only is not enough). Force is need­ed for chang­ing the posi­tion.
Increased OFF force	A safe position/state is obtained by an increased OFF force in rela­tion to ON force.
Care­ful selec­tion, com­bi­na­tion, arrange­ment, assem­bly and instal­la­tion of components/system relat­ed to the appli­ca­tion	—
Care­ful selec­tion of fas­ten­ing relat­ed to the appli­ca­tion	Avoid rely­ing only on fric­tion.
Pos­i­tive mechan­i­cal action	Depen­dent oper­a­tion (e. g. par­al­lel oper­a­tion) between parts is obtained by pos­i­tive mechan­i­cal link(s). Springs and sim­i­lar “flex­i­ble” ele­ments should not be part of the link(s) [see EN 292–2:1991 (ISO/TR 12100–2:1992), 3.5].
Mul­ti­ple parts	Reduc­ing the effect of faults by mul­ti­ply­ing parts, e. g. where a fault of one spring (of many springs) does not lead to a dan­ger­ous con­di­tion.
Use of well–tried spring (see also Table A.3)	A well–tried spring requires: use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot–peening), suf­fi­cient guid­ance of the spring, and suf­fi­cient safe­ty fac­tor for fatigue stress (i. e. with high prob­a­bil­i­ty a frac­ture will not occur). Well–tried pres­sure coil springs may also be designed by: use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot-peen­ing), suf­fi­cient guid­ance of the spring, and clear­ance between the turns less than the wire diam­e­ter when unloaded, and suf­fi­cient force after a fracture(s) is main­tained (i. e. a fracture(s) will not lead to a dan­ger­ous con­di­tion).
Lim­it­ed range of force and sim­i­lar para­me­ters	Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are break pin, break plate, torque lim­it­ing clutch.
Lim­it­ed range of speed and sim­i­lar para­me­ters	Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are cen­trifu­gal gov­er­nor; safe mon­i­tor­ing of speed or lim­it­ed dis­place­ment.
Lim­it­ed range of envi­ron­men­tal para­me­ters	Decide the nec­es­sary lim­i­ta­tions. Exam­ples on para­me­ters are tem­per­a­ture, humid­i­ty, pol­lu­tion at the instal­la­tion. See clause 8 and con­sid­er manufacturer’s appli­ca­tion notes.
Lim­it­ed range of reac­tion time, lim­it­ed hys­tere­sis	Decide the nec­es­sary lim­i­ta­tions. Con­sid­er e. g. spring tired­ness, fric­tion, lubri­ca­tion, tem­per­a­ture, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion, com­bi­na­tion of tol­er­ances.

Use of Positive-Mode Operation

The use of these prin­ci­ples in the com­po­nents, as well as in the over­all design of the safe­guards is impor­tant. In devel­op­ing a sys­tem that uses ‘pos­i­tive mode oper­a­tion’, the mechan­i­cal link­age that oper­ates the elec­tri­cal con­tacts or the flu­id-pow­er valve that con­trols the prime-mover(s) (i.e. motors, cylin­ders, etc.), must act to direct­ly dri­ve the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will result in the inter­lock device stay­ing in the safe state (fail-safe or fail-to-safe­ty).

CSA Z432 [3] pro­vides us with a nice dia­gram that illus­trates the idea of “pos­i­tive-action” or “pos­i­tive-mode” oper­a­tion:

In Fig. 1, open­ing the guard door forces the roller to fol­low the cam attached to the door, dri­ving the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be dri­ven apart since the mechan­i­cal advan­tage pro­vid­ed by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an exam­ple of a ‘neg­a­tive mode’ oper­a­tion:

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-to-dan­ger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ con­di­tion.

You should have a bet­ter idea of what is meant when you read about pos­i­tive and neg­a­tive-modes of oper­a­tion now. We’ll talk about defeat resis­tance in anoth­er arti­cle.

Reliability

Com­bin­ing what you’ve learned so far, you can see that cor­rect­ly spec­i­fied com­po­nents, com­bined with over-dimen­sion­ing and imple­men­ta­tion of design lim­its along with the use of well-tried safe­ty prin­ci­ples will go a long way to improv­ing the reli­a­bil­i­ty of the con­trol sys­tem. The next part of the def­i­n­i­tion of Cat­e­go­ry 1 speaks to some addi­tion­al require­ments:

The MTTF_d of each chan­nel shall be high.

The max­i­mum PL achiev­able with cat­e­go­ry 1 is PL = c.

NOTE 2 There is no diag­nos­tic cov­er­age (DC_avg = none) with­in cat­e­go­ry 1 sys­tems. In such struc­tures (sin­gle-chan­nel sys­tems) the con­sid­er­a­tion of CCF is not rel­e­vant.

NOTE 3 When a fault occurs it can lead to the loss of the safe­ty func­tion. How­ev­er, the MTTF_d of each chan­nel in cat­e­go­ry 1 is high­er than in cat­e­go­ry B. Con­se­quent­ly, the loss of the safe­ty func­tion is less like­ly.

We now know that the integri­ty of a Cat­e­go­ry 1 sys­tem is greater than a Cat­e­go­ry B sys­tem, since the chan­nel MTTF_d of the sys­tem has gone from “Low-to-Medi­um” in sys­tems exhibit­ing PL_a or PL_b per­for­mance to “High” in sys­tems exhibit­ing PL_b or PL_c per­for­mance. [1, Table 5] shows this dif­fer­ence in terms of pre­dict­ed years to fail­ure. As you can see, MTTFd “High” results in a pre­dict­ed fail­ure rate between 30 and 100 years. This is a pret­ty good result for sim­ply improv­ing the com­po­nents used in the sys­tem!

The oth­er ben­e­fit is the increase in the over­all PL. Where Cat­e­go­ry B archi­tec­ture can pro­vide PL_b per­for­mance at best, Cat­e­go­ry 1 takes this up a notch to PL_c. To get a han­dle on what PL_c means, let’s look at our sin­gle and three shift exam­ples again. If we take a Cana­di­an oper­a­tion with a sin­gle shift per day, and a 50 week work­ing year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PL_c is equiv­a­lent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of oper­a­tion.

Look­ing at three shifts per day in the same oper­a­tion gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PL_c is equiv­a­lent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of oper­a­tion.

When com­plet­ing the analy­sis of a sys­tem, [1] lim­its the sys­tem MTTF_d to 100 years regard­less of what the indi­vid­ual chan­nel MTTF_d may be. Where the actu­al MTTF_d is impor­tant relates to the need to replace com­po­nents dur­ing the life­time of the prod­uct. If a com­po­nent or a sub-sys­tem has an MTTF_d that is less than the mis­sion time of the sys­tem, then the com­po­nent or sub­sys­tem must be replaced by the time the prod­uct reach­es it’s MTTF_d. 20 years is the default mis­sion time, but you can choose a short­er or longer time span if it makes sense.

Remem­ber that these are prob­a­bil­i­ties, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures sim­ply pro­vide a way for you as the design­er to gauge the rel­a­tive reli­a­bil­i­ty of the sys­tem.

Well-Tried Components versus Fault Exclusions

The stan­dard goes on to out­line some key dis­tinc­tions between ‘well-tried com­po­nent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions lat­er in the series.

It is impor­tant that a clear dis­tinc­tion between “well-tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

• means to secure the fix­ing of the switch after its adjust­ment,
• means to secure the fix­ing of the cam,
• means to ensure the trans­verse sta­bil­i­ty of the cam,
• means to avoid over trav­el of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
• means to pro­tect it against dam­age from out­side.

[1, 6.2.4]

System Block Diagram

Final­ly, let’s look at the block dia­gram for Cat­e­go­ry 1. You will notice that it looks the same as the Cat­e­go­ry B block dia­gram, since only the com­po­nents used in the sys­tem have changed, and not the archi­tec­ture.

References

[1]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1, Ed. 2. 2006.

[2]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. ISO Stan­dard 13849–2, Ed. 2. 2012.

[3]       Safe­guard­ing of Machin­ery. CSA Stan­dard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

• ISO 13849–1:2006 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
• ISO 13849–2:2003 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.

If you are work­ing in the EU, or are work­ing on CE Mark­ing your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard, avail­able through the CEN resellers:

• EN ISO 13849–1:2008 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
• EN ISO 13849–2:2012 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Next Installment

Watch for the next part of this series, “Inter­lock Archi­tec­tures – Pt. 3: Cat­e­go­ry 2″ where we expand on the first two cat­e­gories by adding some diag­nos­tic cov­er­age to improve reli­a­bil­i­ty.

Have ques­tions? Email me!