Safety is Good Business

In this excel­lent arti­cle from Rock­well Automation’s The Jour­nal, Mike Miller and Wayne Sol­berg explain how EN ISO 13849–1 and EN IEC 62061 mesh for machine builders.

Well worth the read in my opin­ion!

The Jour­nal: Safe­ty is Good Busi­ness — Mar­shall & Sol­berg

In this excel­lent arti­cle from Rock­well Automation’s The Jour­nal, Mike Miller and Wayne Sol­berg explain how EN ISO 13849–1 and EN IEC 62061 mesh for machine builders.

Well worth the read in my opin­ion!

The Jour­nal: Safe­ty is Good Busi­ness — Mar­shall & Sol­berg

Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Cir­cuit Archi­tec­tures Explored

This arti­cle expands on the first in the series “Inter­lock Archi­tec­tures – Pt. 1: What do those cat­e­gories real­ly mean?”. Learn about the basic cir­cuit archi­tec­tures that under­lie all safe­ty inter­lock sys­tems under ISO 13849–1, and CSA Z432 and ANSI RIA R15.06.

In Part 1 of this series we explored Cat­e­go­ry B, the Basic Cat­e­go­ry that under­pins all the oth­er Cat­e­gories. This post builds on Part 1 by tak­ing a look at Cat­e­go­ry 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849–1. When you are read­ing, remem­ber that “SRP/CS” stands for “Safe­ty Relat­ed Parts of Con­trol Sys­tems”.

SRP/CS of Cat­e­go­ry 1 shall be designed and con­struct­ed using well-tried com­po­nents and well-tried safe­ty prin­ci­ples (see ISO 13849–2).

Well-Tried Components

So what, exact­ly, is a “Well-Tried Com­po­nent”?? Let’s go back to the stan­dard for that:

A “well-tried com­po­nent” for a safe­ty-relat­ed appli­ca­tion is a com­po­nent which has been either

a) wide­ly used in the past with suc­cess­ful results in sim­i­lar appli­ca­tions, or
b) made and ver­i­fied using prin­ci­ples which demon­strate its suit­abil­i­ty and reli­a­bil­i­ty for safe­ty-relat­ed appli­ca­tions.

New­ly devel­oped com­po­nents and safe­ty prin­ci­ples may be con­sid­ered as equiv­a­lent to “well-tried” if they ful­fil the con­di­tions of b).

The deci­sion to accept a par­tic­u­lar com­po­nent as being “well-tried” depends on the appli­ca­tion.

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by refer­ring to ISO 13849–2:

Table 1 — Well-Tried Com­po­nents [2]
Well-Tried Com­po­nents Con­di­tions for “well–tried” Stan­dard or spec­i­fi­ca­tion
Screw All fac­tors influ­enc­ing the screw con­nec­tion and the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”. Mechan­i­cal joint­ing such as screws, nuts, wash­ers, riv­ets, pins, bolts etc. are stan­dard­ised.
Spring See Table A.2 “Use of a well–tried spring”. Tech­ni­cal spec­i­fi­ca­tions for spring steels and oth­er spe­cial appli­ca­tions are giv­en in ISO 4960.
Cam All fac­tors influ­enc­ing the cam arrange­ment (e. g. part of an inter­lock­ing device) are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”. See EN 1088 (ISO 14119) (Inter­lock­ing devices).
Break–pin All fac­tors influ­enc­ing the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well-tried safe­ty prin­ci­ples”.

Now we have a few ideas about what might con­sti­tute a ‘well-tried com­po­nent’. Unfor­tu­nate­ly, you will notice that ‘con­tac­tor’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­po­nents that you are choos­ing to use are con­struct­ed. If they use these com­po­nents and tech­niques, you are on your way to con­sid­er­ing them to be well-tried.

Anoth­er approach is to let the com­po­nent man­u­fac­tur­er wor­ry about the details of the con­struc­tion of the device, and sim­ply ensure that com­po­nents select­ed for use in the SRP/CS are ‘safe­ty rat­ed’ by the man­u­fac­tur­er. This can work in 80–90% of cas­es, with a small per­cent­age of com­po­nents, such as large motor starters, some ser­vo and step­per dri­ves and oth­er sim­i­lar com­po­nents unavail­able with a safe­ty rat­ing. It’s worth not­ing that many dri­ve man­u­fac­tur­ers are start­ing to pro­duce dri­ves with built-in safe­ty com­po­nents that are intend­ed to be inte­grat­ed into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the def­i­n­i­tion is very impor­tant. So impor­tant that I’m going to repeat it here:

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

I added the bold text to empha­size the impor­tance of this state­ment. While this is includ­ed in a Note and is there­fore con­sid­ered to be explana­to­ry text and not part of the nor­ma­tive body of the stan­dard, it illu­mi­nates a key con­cept. This lit­tle note is what pre­vents a stan­dard PLC from being used in Cat­e­go­ry 1 sys­tems. It’s also impor­tant to real­ize that this def­i­n­i­tion is only con­sid­er­ing the hard­ware — no men­tion of soft­ware is made here, and soft­ware is not dealt with until lat­er in the stan­dard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safe­ty Prin­ci­ples’ might be.

Table 2 — Well-Tried Safe­ty Prin­ci­ples [2, A.2]
Well-tried Safe­ty Prin­ci­ples Remarks
Use of care­ful­ly select­ed mate­ri­als and man­u­fac­tur­ing Selec­tion of suit­able mate­r­i­al, ade­quate man­u­fac­tur­ing meth­ods and treat­ments relat­ed to the appli­ca­tion.
Use of com­po­nents with ori­ent­ed fail­ure mode The pre­dom­i­nant fail­ure mode of a com­po­nent is known in advance and always the same, see EN 292–2:1991, (ISO/TR 12100–2:1992), 3.7.4.
Over–dimensioning/safety fac­tor The safe­ty fac­tors are giv­en in stan­dards or by good expe­ri­ence in safe­ty-relat­ed appli­ca­tions.
Safe posi­tion The mov­ing part of the com­po­nent is held in one of the pos­si­ble posi­tions by mechan­i­cal means (fric­tion only is not enough). Force is need­ed for chang­ing the posi­tion.
Increased OFF force A safe position/state is obtained by an increased OFF force in rela­tion to ON force.
Care­ful selec­tion, com­bi­na­tion, arrange­ment, assem­bly and instal­la­tion of components/system relat­ed to the appli­ca­tion
Care­ful selec­tion of fas­ten­ing relat­ed to the appli­ca­tion Avoid rely­ing only on fric­tion.
Pos­i­tive mechan­i­cal action Depen­dent oper­a­tion (e. g. par­al­lel oper­a­tion) between parts is obtained by pos­i­tive mechan­i­cal link(s). Springs and sim­i­lar “flex­i­ble” ele­ments should not be part of the link(s) [see EN 292–2:1991 (ISO/TR 12100–2:1992), 3.5].
Mul­ti­ple parts Reduc­ing the effect of faults by mul­ti­ply­ing parts, e. g. where a fault of one spring (of many springs) does not lead to a dan­ger­ous con­di­tion.
Use of well–tried spring (see also Table A.3) A well–tried spring requires:
  • use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot–peening),
  • suf­fi­cient guid­ance of the spring, and
  • suf­fi­cient safe­ty fac­tor for fatigue stress (i. e. with high prob­a­bil­i­ty a frac­ture will not occur).

Well–tried pres­sure coil springs may also be designed by:

  • use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot-peen­ing),
  • suf­fi­cient guid­ance of the spring, and
  • clear­ance between the turns less than the wire diam­e­ter when unloaded, and
  • suf­fi­cient force after a fracture(s) is main­tained (i. e. a fracture(s) will not lead to a dan­ger­ous con­di­tion).
Lim­it­ed range of force and sim­i­lar para­me­ters Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are break pin, break plate, torque lim­it­ing clutch.
Lim­it­ed range of speed and sim­i­lar para­me­ters Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are cen­trifu­gal gov­er­nor; safe mon­i­tor­ing of speed or lim­it­ed dis­place­ment.
Lim­it­ed range of envi­ron­men­tal para­me­ters Decide the nec­es­sary lim­i­ta­tions. Exam­ples on para­me­ters are tem­per­a­ture, humid­i­ty, pol­lu­tion at the instal­la­tion. See clause 8 and con­sid­er manufacturer’s appli­ca­tion notes.
Lim­it­ed range of reac­tion time, lim­it­ed hys­tere­sis Decide the nec­es­sary lim­i­ta­tions.
Con­sid­er e. g. spring tired­ness, fric­tion, lubri­ca­tion, tem­per­a­ture, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion,
com­bi­na­tion of tol­er­ances.

Use of Positive-Mode Operation

The use of these prin­ci­ples in the com­po­nents, as well as in the over­all design of the safe­guards is impor­tant. In devel­op­ing a sys­tem that uses ‘pos­i­tive mode oper­a­tion’, the mechan­i­cal link­age that oper­ates the elec­tri­cal con­tacts or the flu­id-pow­er valve that con­trols the prime-mover(s) (i.e. motors, cylin­ders, etc.), must act to direct­ly dri­ve the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will result in the inter­lock device stay­ing in the safe state (fail-safe or fail-to-safe­ty).

CSA Z432 [3] pro­vides us with a nice dia­gram that illus­trates the idea of “pos­i­tive-action” or “pos­i­tive-mode” oper­a­tion:

CSA Z432 Fig B.10 - Positive Mode Operation
Fig­ure 1 — Pos­i­tive Mode Oper­a­tion [3, B.10]

In Fig. 1, open­ing the guard door forces the roller to fol­low the cam attached to the door, dri­ving the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be dri­ven apart since the mechan­i­cal advan­tage pro­vid­ed by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an exam­ple of a ‘neg­a­tive mode’ oper­a­tion:

CSA Z432-04 Fig B.11 - Negative Mode operation
Fig­ure 2 — Neg­a­tive Mode oper­a­tion [3, B.11]

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-to-dan­ger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ con­di­tion.

You should have a bet­ter idea of what is meant when you read about pos­i­tive and neg­a­tive-modes of oper­a­tion now. We’ll talk about defeat resis­tance in anoth­er arti­cle.

Reliability

Com­bin­ing what you’ve learned so far, you can see that cor­rect­ly spec­i­fied com­po­nents, com­bined with over-dimen­sion­ing and imple­men­ta­tion of design lim­its along with the use of well-tried safe­ty prin­ci­ples will go a long way to improv­ing the reli­a­bil­i­ty of the con­trol sys­tem. The next part of the def­i­n­i­tion of Cat­e­go­ry 1 speaks to some addi­tion­al require­ments:

The MTTFd of each chan­nel shall be high.

The max­i­mum PL achiev­able with cat­e­go­ry 1 is PL = c.

NOTE 2 There is no diag­nos­tic cov­er­age (DCavg = none) with­in cat­e­go­ry 1 sys­tems. In such struc­tures (sin­gle-chan­nel sys­tems) the con­sid­er­a­tion of CCF is not rel­e­vant.

NOTE 3 When a fault occurs it can lead to the loss of the safe­ty func­tion. How­ev­er, the MTTFd of each chan­nel in cat­e­go­ry 1 is high­er than in cat­e­go­ry B. Con­se­quent­ly, the loss of the safe­ty func­tion is less like­ly.

We now know that the integri­ty of a Cat­e­go­ry 1 sys­tem is greater than a Cat­e­go­ry B sys­tem, since the chan­nel MTTFd of the sys­tem has gone from “Low-to-Medi­um” in sys­tems exhibit­ing PLa or PLb per­for­mance to “High” in sys­tems exhibit­ing PLb or PLc per­for­mance. [1, Table 5] shows this dif­fer­ence in terms of pre­dict­ed years to fail­ure. As you can see, MTTFd “High” results in a pre­dict­ed fail­ure rate between 30 and 100 years. This is a pret­ty good result for sim­ply improv­ing the com­po­nents used in the sys­tem!

Table 3 – Mean time to dangerous failure  [1, Table 5]
Table 3 – Mean time to dan­ger­ous fail­ure

The oth­er ben­e­fit is the increase in the over­all PL. Where Cat­e­go­ry B archi­tec­ture can pro­vide PLb per­for­mance at best, Cat­e­go­ry 1 takes this up a notch to PLc. To get a han­dle on what PLc means, let’s look at our sin­gle and three shift exam­ples again. If we take a Cana­di­an oper­a­tion with a sin­gle shift per day, and a 50 week work­ing year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PLc is equiv­a­lent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of oper­a­tion.

Look­ing at three shifts per day in the same oper­a­tion gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equiv­a­lent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of oper­a­tion.

When com­plet­ing the analy­sis of a sys­tem, [1] lim­its the sys­tem MTTFd to 100 years regard­less of what the indi­vid­ual chan­nel MTTFd may be. Where the actu­al MTTFd is impor­tant relates to the need to replace com­po­nents dur­ing the life­time of the prod­uct. If a com­po­nent or a sub-sys­tem has an MTTFd that is less than the mis­sion time of the sys­tem, then the com­po­nent or sub­sys­tem must be replaced by the time the prod­uct reach­es it’s MTTFd. 20 years is the default mis­sion time, but you can choose a short­er or longer time span if it makes sense.

Remem­ber that these are prob­a­bil­i­ties, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures sim­ply pro­vide a way for you as the design­er to gauge the rel­a­tive reli­a­bil­i­ty of the sys­tem.

Well-Tried Components versus Fault Exclusions

The stan­dard goes on to out­line some key dis­tinc­tions between ‘well-tried com­po­nent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions lat­er in the series.

It is impor­tant that a clear dis­tinc­tion between “well-tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

  • means to secure the fix­ing of the switch after its adjust­ment,
  • means to secure the fix­ing of the cam,
  • means to ensure the trans­verse sta­bil­i­ty of the cam,
  • means to avoid over trav­el of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
  • means to pro­tect it against dam­age from out­side.

[1, 6.2.4]

System Block Diagram

Final­ly, let’s look at the block dia­gram for Cat­e­go­ry 1. You will notice that it looks the same as the Cat­e­go­ry B block dia­gram, since only the com­po­nents used in the sys­tem have changed, and not the archi­tec­ture.

ISO 13849-1 Figure 9
Fig­ure 3 — Cat­e­go­ry 1 Block Dia­gram [1, Fig. 9]

References

[1]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1, Ed. 2. 2006.

[2]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. ISO Stan­dard 13849–2, Ed. 2. 2012.

[3]       Safe­guard­ing of Machin­ery. CSA Stan­dard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

  • ISO 13849–1:2006 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • ISO 13849–2:2003 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.

If you are work­ing in the EU, or are work­ing on CE Mark­ing your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard, avail­able through the CEN resellers:

  • EN ISO 13849–1:2008 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • EN ISO 13849–2:2012 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Next Installment

Watch for the next part of this series, “Inter­lock Archi­tec­tures – Pt. 3: Cat­e­go­ry 2″ where we expand on the first two cat­e­gories by adding some diag­nos­tic cov­er­age to improve reli­a­bil­i­ty.

Have ques­tions? Email me!

Digiprove sealCopy­right secured by Digiprove © 2011–2014
Acknowl­edge­ments: ISO, CSA. See ref­er­ences.
Some Rights Reserved

EN ISO 13849–1 Mandatory Implementation Date CONFIRMED!

The Euro­pean Com­mis­sion con­firms the manda­to­ry imple­men­ta­tion date for EN ISO 13849–1:2008 in the Offi­cial Jour­nal of the Euro­pean Com­mis­sion.

This morn­ing the Euro­pean Com­mis­sion con­firmed the state­ment made by Marie Poidevin of CEN last week by pub­lish­ing s revised list of stan­dards (2009/C 321/09) includ­ing EN 954–1:1996, EN ISO 13849–1:2006 and EN ISO 13849–1:2008, not­ing “The date of ces­sa­tion of pre­sump­tion of con­for­mi­ty of the super­seded stan­dard, ini­tial­ly fixed on 28.12.2009, has been post­poned for two years.”

Machine builders who have been putting off imple­men­ta­tion of this stan­dard in their designs have now gained anoth­er two years to edu­cate them­selves and to update their design process­es to include the addi­tion­al analy­sis required.

Com­ing on the manda­to­ry imple­men­ta­tion date of the lat­est revi­sion of the Machin­ery Direc­tive, which now explic­it­ly requires risk assess­ment to be com­plet­ed as part of the design process, and new rules that will bring in prod­ucts that were incor­rect­ly being marked exclu­sive­ly under the Low Volt­age Direc­tive, the next two years will be busy ones for those com­pa­nies who have not been pay­ing much atten­tion to the changes in this impor­tant direc­tive.

Com­pa­nies who are well pre­pared and were ready for the orig­i­nal date are ahead of the mar­ket and should take this oppor­tu­ni­ty to take some gains over the­or com­peti­tors by adver­tis­ing their abil­i­ty to pro­duce com­pli­ant machin­ery.

Today’s edi­tion of the OJ also brought in a cou­ple of stan­dards pre­vi­ous­ly noti­fied under the old Machin­ery Direc­tive, but there are many oth­ers that remain to be noti­fied. Most of these are pend­ing updates to bring them into con­for­mi­ty with the revised Essen­tial Require­ments, while some may be replaced by new ISO adop­tions of their con­tent with new mate­r­i­al added.

On the EMC-PSTC email forum, a cou­ple of ques­tions were posed that will like­ly be on the minds of many read­ers. For those who don’t know, Type C stan­dards are “prod­uct fam­i­ly” stan­dards that cov­er a spe­cif­ic type of machin­ery, like lifts, or pow­er press­es. :

What if a Type C stan­dard ref­er­ences only EN ISO 13849–1?

Would it be OK to claim pre­sump­tion of con­for­mi­ty using such a har­mo­nized type C stan­dard yet only using EN 954–1 for the con­trol cir­cuits?

If your machine is in the scope of a spe­cif­ic har­mo­nized stan­dard, do you have to use it, rather than gener­ics?

I’d like to address these ques­tions in this post, so here goes…

If you are declar­ing con­for­mi­ty to a Type C stan­dard, and that stan­dard calls out EN ISO 13849–1 for con­trol reli­a­bil­i­ty, then in my opin­ion you should be using that stan­dard UNLESS there is some over­rid­ing rea­son that pre­vents you from using it. “We didn’t feel like it” or “It’s too hard” don’t count. If you’re in a posi­tion where you must con­tin­ue to use EN 954–1, then ratio­nale must be writ­ten for the tech­ni­cal file that clear­ly describes the rea­sons pre­vent­ing the imple­men­ta­tion of the new stan­dard, and fur­ther­more, what has been done to pro­vide an equiv­a­lent lev­el of safe­ty and reli­a­bil­i­ty as would be gained by using the new stan­dard.

If your machine is in the scope of a spe­cif­ic har­mo­nized stan­dard, then it should be declared using that stan­dard and not the gener­ics. This is dis­cussed in the guid­ance doc­u­ments for the direc­tive. The gener­ic stan­dards are there to be used for prod­ucts that are not with­in the scope of exist­ing har­mo­nized stan­dards, and for the guid­ance of Tech­ni­cal Com­mit­tees writ­ing Type C stan­dards. The Type C stan­dard will give the user a spe­cif­ic list of com­mon haz­ards found on the type of machin­ery cov­ered by the stan­dard, and will pro­vide spe­cif­ic con­trol mea­sures that are expect­ed to be used to con­trol the risks asso­ci­at­ed with those haz­ards. If there are haz­ards that are not cov­ered by the stan­dard, then gener­ic stan­dards may be used to deal with the risks relat­ed to that unique haz­ard.

Need more infor­ma­tion? Feel free to con­tact me offline to dis­cuss your appli­ca­tion!