Category Archives: Robotics

Interlock Architectures Pt. 6 — Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

Each category is given first as it appears in CSA Z432-04 / Z434-03 (summary of requirements, system behaviour, principle used to achieve safety) and then as it appears in RIA R15.06-1999 (summary of requirements).

All categories
  CSA Z432-04 / Z434-03 — Summary of requirements: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA R15.06-1999 — Summary of requirements: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (See note 2.)
  RIA note 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1). They are different. The committee believes that the criteria in 4.5.1–4.5.4 exceed the criteria of B — 3 respectively, and further believe the reverse is not true.

SIMPLE
  CSA — Summary of requirements: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only.
  CSA — System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  CSA — Principle used to achieve safety: Mainly characterized by component selection.
  RIA — Summary of requirements: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA — Summary of requirements: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  CSA — System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  CSA — Principle used to achieve safety: Mainly characterized by component selection.
  RIA — Summary of requirements: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

SINGLE CHANNEL WITH MONITORING
  CSA — Summary of requirements: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
      i) at machine start-up; and
      ii) periodically during operation (preferably at each change in state).
    b) The check shall either
      i) allow operation if no faults have been detected; or
      ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  CSA — System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  CSA — Principle used to achieve safety: Characterized by both component selection and structure.
  RIA — Summary of requirements: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
      1) at machine start-up, and
      2) periodically during operation;
    b) The check shall either:
      1) allow operation if no faults have been detected, or
      2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA — Summary of requirements: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  CSA — System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  CSA — Principle used to achieve safety: Characterized primarily by structure.
  RIA — Summary of requirements: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note — ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to the robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard, instead of the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. The updates from the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment — Safety Requirements — Part 1 — Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.


Interlock Architectures – Pt. 4: Category 3 — Control Reliable

ISO 13849-1 Figure 11
This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to “Control Reliable” circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we’ll get to that in a following post. If you haven’t read the first three posts in this series, you may want to go back and review them, as the concepts in those articles are the basis for the discussion in this post.

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single- or multiple-fault tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06-1999, CSA Z434-03 or EN 954-1:95, rely primarily on the structure or architecture of the circuit, and the characteristics of the components selected for use. ISO 13849-1 uses the same basic architectures defined by EN 954-1:95, and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety Related Parts of the Control System”.

Definition

6.2.6 Category 3

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.

NOTE 3 Category 3 system behaviour allows that

  • when the single fault occurs the safety function is always performed,
  • some but not all faults will be detected,
  • accumulation of undetected faults can lead to the loss of the safety function.

NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.


Breaking it down

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

  • The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
  • “well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well-tried safety principles” and NOT “well-tried components”. The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of “direct-drive” contacts, improve the fault tolerance of the component, and so benefit the design in the end. These improvements are generally reflected in the B10d or MTTFd of the component, and are points that inspectors will commonly look for, since they are easy to spot in the field: “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence makes the requirement for single-fault tolerance. This means that the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: in order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excluded. I’ll get into fault exclusions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “Whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off-the-shelf (COTS) component available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since this is typically the simplest way) or before it occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DCavg, we need to look first at Table 6:

ISO 13849-1:06 Table 6 — Diagnostic Coverage (DC)

Denotation   Range
None         DC < 60%
Low          60% ≤ DC < 90%
Medium       90% ≤ DC < 99%
High         99% ≤ DC

NOTE 1 For SRP/CS consisting of several parts an average value DCavg for DC is used in Figure 5, Clause 6 and E.2.

NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 − DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 − DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called “none”. A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DCavg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E1. Using the factors in Table E1, score the design. If you end up in the desired range between 60% and 90% DC coverage, you can move on. If not, the design will require modification to bring it into this range.

The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr.

This sentence reminds you that your component selections matter. Depending on the PLr you are trying to achieve, you will need to choose components with suitable MTTFd ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PLs, all the way from PLa through PLe!

ISO 13849-1 Figure 5


If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for the architecture of your design to meet Category 3 architecture, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line, or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed, either simultaneously or at different times, due to overloading because they were undersized, this could be considered to be a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must meet at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.
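As an added example (not from the standard or the original post), the following Python puts the three quantitative Category 3 conditions discussed above in one place: DCavg using the 1/MTTFd weighting of Annex E, the per-channel MTTFd, and the Annex F CCF score against the 65-point threshold. The Table 4 MTTFd bands (3, 10, 30 and 100 years) are taken from the standard but are not quoted on this page; the component values are constructed, not manufacturer data.

```python
"""Category 3 sizing checks: DCavg (Table 6 band), channel MTTFd and CCF score.

Added example. The DCavg weighting is the Annex E formula; the MTTFd bands are
from Table 4 of ISO 13849-1 (assumed here, not quoted on this page). All
component figures are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    mttfd_years: float  # MTTFd of this component, in years
    dc: float           # diagnostic coverage credited to it, 0.0 to 1.0


def dc_band(dc: float) -> str:
    """Table 6 denotation for a DC value (borders 60 %, 90 %, 99 %)."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def mttfd_band(years: float) -> str:
    """Table 4 denotation for a channel MTTFd (assumed; not quoted on this page)."""
    if years < 3.0:
        return "below low"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


def channel_mttfd(parts: list[Component]) -> float:
    """Parts-count MTTFd of one channel: 1/MTTFd_ch = sum(1/MTTFd_i), capped at 100 a."""
    return min(1.0 / sum(1.0 / p.mttfd_years for p in parts), 100.0)


def dc_avg(parts: list[Component]) -> float:
    """Annex E average: each DC weighted by 1/MTTFd, so the least reliable parts dominate."""
    weights = [1.0 / p.mttfd_years for p in parts]
    return sum(p.dc * w for p, w in zip(parts, weights)) / sum(weights)


def check_category_3(channel_1: list[Component], channel_2: list[Component],
                     ccf_score: int) -> dict:
    """Evaluate the quantitative conditions of 6.2.6 against a two-channel design."""
    avg = dc_avg(channel_1 + channel_2)          # "all components considered"
    ch_mttfd = (channel_mttfd(channel_1), channel_mttfd(channel_2))
    worst = min(ch_mttfd)
    return {
        "dc_avg": avg,
        "dc_band": dc_band(avg),
        "dc_ok": dc_band(avg) in ("low", "medium"),   # Table 10: low to medium
        "mttfd_channel_years": ch_mttfd,
        "mttfd_band": mttfd_band(worst),
        "mttfd_ok": worst >= 3.0,                     # low to high: not below the low band
        "ccf_score": ccf_score,
        "ccf_ok": ccf_score >= 65,                    # Annex F threshold
    }


def sample_channels() -> tuple[list[Component], list[Component]]:
    """Constructed sample values (not manufacturer data) for gate switch -> contactor."""
    channel_1 = [
        Component("B1 gate switch, channel 1", mttfd_years=40.0, dc=0.60),  # cross-monitored only
        Component("K3 contactor", mttfd_years=100.0, dc=0.99),             # mirror contact in feedback loop
    ]
    channel_2 = [
        Component("B2 gate switch, channel 2", mttfd_years=40.0, dc=0.60),
        Component("K4 contactor", mttfd_years=100.0, dc=0.99),
    ]
    return channel_1, channel_2


if __name__ == "__main__":
    c1, c2 = sample_channels()
    for key, value in check_category_3(c1, c2, ccf_score=70).items():
        print(f"{key}: {value}")
```

Because the weighting is by 1/MTTFd, the two switches with the shorter MTTFd pull DCavg down to about 71 % even though both contactors are credited with 99 %.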

The Notes

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PLr on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation “Type-C” comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won’t find it used because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL level you need.

The Block Diagram

Let’s have a look at the functional block diagram for this Category.

ISO 13849-1 Figure 11

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason for requiring the use of two physically separate input devices to sense the guard position or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and one does not.

If you want to learn more about applying the block diagramming method to your design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

Circuit Diagram

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101, nor I, have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P – June 2011, p.6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

Emergency Stop Subsystem

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis are required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

Gate Interlock Subsystem

The gate interlock circuit is located in the center of the diagram, and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point — did you notice that there is a "zone e-stop" included in the gate interlock? If you look immediately below the central safety relay and a little to the left you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can't distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.

Safety Mat Subsystem

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single or dual channel in design. The mat shown in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6, are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn't rely on the safety relay.

One more thing — just like the gate interlock circuit, this circuit also includes a "zone e-stop". Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can't tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.
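To make the monitoring behaviour described for the gate interlock and safety mat subsystems concrete, here is a constructed Python model of a dual-channel evaluator: cross-monitoring that latches a fault when one channel changes state and the other does not, cross-short detection between Channel 1 and Channel 2 (the mat case), and a monitored reset loop that reads the contactor mirror contacts. This is an added example, not the page's or Rockwell's code; the test-pulse codes and the discrepancy limit are assumptions, not 440R parameters.

```python
"""Constructed model of a dual-channel safety input/output subsystem.
Added example; not 440R firmware. Pulse codes and DISCREPANCY_LIMIT are
assumptions standing in for the relay's real cross-fault test signals."""
from dataclasses import dataclass

DISCREPANCY_LIMIT = 3  # assumed: scans one channel may lag behind the other


@dataclass
class DualChannelMonitor:
    ch1: bool = False            # True = Channel 1 input loop closed
    ch2: bool = False            # True = Channel 2 input loop closed
    outputs_on: bool = False     # state of the output contactors (K3/K4 style)
    latched_fault: bool = False  # one channel failed to follow the other
    shorted: bool = False        # Channel 1 shorted to Channel 2 (mat pressed)
    lag: int = 0                 # consecutive scans with channels disagreeing

    def scan(self, ch1: bool, ch2: bool, code1: int, code2: int) -> bool:
        """One evaluation cycle. code1/code2 are the distinct test-pulse codes
        read back on each channel; seeing the same code on both means the two
        channels are shorted together, which is treated as an input fault."""
        self.shorted = code1 == code2
        if ch1 != ch2:
            self.lag += 1
            if self.lag > DISCREPANCY_LIMIT:   # one device stuck, other moved
                self.latched_fault = True
        else:
            self.lag = 0
            if not ch1:                        # both open: a healthy full cycle
                self.latched_fault = False     # clears the discrepancy latch
        self.ch1, self.ch2 = ch1, ch2
        if self.shorted or self.latched_fault or not (ch1 and ch2):
            self.outputs_on = False            # drop out the contactors
        return self.outputs_on

    def reset(self, mirror_a_closed: bool, mirror_b_closed: bool) -> bool:
        """Monitored reset via the S34 loop: both contactor mirror (NC)
        contacts must be closed, proving neither contactor is stuck in."""
        healthy = self.ch1 and self.ch2 and not (self.shorted or self.latched_fault)
        if healthy and mirror_a_closed and mirror_b_closed:
            self.outputs_on = True
        return self.outputs_on
```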

Component Selection

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTFd of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.

What did you think about this article? What questions came to mind that weren't answered for you? I look forward to hearing your thoughts and questions!

Copyright secured by Digiprove © 2011
Acknowledgements: ISO for excerpts from ISO 13849–1 and more…
Some Rights Reserved

The Fukushima Diaries: A Robot Operator Tells All

iRobot PacBot in action at Fukushima Dai-Ichi Nuclear Plant

IEEE Spectrum's Automation Blog has run a series of exceptional articles on the Fukushima Dai-Ichi crisis since the earthquake and tsunami occurred on 11 March. Recently they uncovered a blog written by a robot operator at the plant that speaks candidly about the operations there and the problems occurring as they try to shut the plant down.

From the IEEE Spectrum Automation Blog:

Editor's Note: This is part of IEEE Spectrum's ongoing coverage of Japan's earthquake and nuclear emergency.

An anonymous worker at Japan's Fukushima Dai-ichi nuclear power plant has written dozens of blog posts describing the ups and downs of his experience as one of the lead robot operators at the crippled facility.

Read more on the Automation Blog

Acknowledgements: IEEE Spectrum Automation Blog