Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 2 in the series Guards and Guarding

Note: A shorter version of this article was published in the May-2012 edition of  Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The Hierarchy of Controls

The Hierarchy of Controls as an inverted pyramid.
Figure 1 – The Hierarchy of Controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted, or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into a number of different sub-groups. Only movable guards are required to have interlocks. There are a number of similar types of guards that can be mistaken for movable guards, so let’s take a minute to look at a few important definitions.

Table 1 – Definitions

Columns: International [1] / Canadian [2] / USA [10]

Guard
  International [1], 3.27 guard: physical barrier, designed as part of the machine to provide protection.
    NOTE 1 A guard may act either alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard.
    NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard.
    NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.
  Canadian [2]: Guard — a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc.
  USA [10], 3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as barrier guard.

Interlocking guard
  International [1], 3.27.4 interlocking guard: guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed,
    • if the guard is opened while hazardous machine functions are operating, a stop command is given, and
    • when the guard is closed, the hazardous machine functions “covered” by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.
  Canadian [2]: Interlocked barrier guard — a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area.
  USA [10], 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.

Movable guard
  International [1], 3.27.2 movable guard: guard which can be opened without the use of tools
  Canadian [2]: Movable guard — a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered.
  USA [10], 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices:
    • Type A, which encloses the hazard area during the complete machine cycle;
    • Type B, which encloses the hazard area during the hazardous portion of the machine cycle.

Interlocking device
  International [1], 3.28.1 interlocking device (interlock): mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)
  Canadian [2]: Interlocking device (interlock) — a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed).
  USA [10]: No definition

Interlocking guard with guard locking
  International [1], 3.27.5 interlocking guard with guard locking: guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed and locked,
    • the guard remains closed and locked until the risk due to the hazardous machine functions “covered” by the guard has disappeared, and
    • when the guard is closed and locked, the hazardous machine functions “covered” by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.
  Canadian [2]: Guard locking device — a device that is designed to hold the guard closed and locked until the hazard has ceased.
  USA [10]: No definition

As you can see from the definitions, movable guards can be opened without the use of tools, and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate style of guard for a given application.


Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical vs. Mechanical Interlocks

Mechanical Interlocking
Figure 2 – Mechanical Interlocking

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Figs. H.1 and H.2], shows one example of a mechanical interlock. In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

Mechanical Interlocking using control devices
Figure 3 – Mechanical Interlocking using machine control devices

Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

Hydraulic interlock from ISO 14119
Figure 4 – Example of a fluid power interlock

In this example, fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime-mover, which could be a cylinder, or a motor or some other device when the guard is closed (position ‘a’). There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position ‘b’), the two valve spools shift to the second position, the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will be driven by the gate into a position that will still block the pressure supply and vent the trapped energy in the circuit.


Electrical Interlocks

By far the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation and flexibility in the selection of interlocking devices, and the resulting systems range from simple to extremely complex. The architectural categories cover any technology, whether it is mechanical, fluidic, or electrical, so let’s have a look at architectures first.

Architecture Categories

Comparing ANSI, CSA, and ISO Control Reliability Categories
Figure 5 – Control Reliability Categories

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single-channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable (see RIA R15.06, 1999). In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849-1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the PLs in [4], but they are similar. [5] is based on IEC 61508 [6], a well-respected control reliability standard used in the process industries. [5] is not well suited to applications involving hydraulic or pneumatic elements.

The orange arrow in Figure 5 highlights the fact that the definition in the CSA standards results in a more reliable system than the ANSI/RIA definition because the CSA definition requires TWO (2) separate physical switches on the guard to meet the requirement, while the ANSI/RIA definition only requires redundant circuits, but makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA Control reliability category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PL’s or SIL’s and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination of these.

Roller cam switch used as part of a complementary interlock
Photo 1 – Roller Cam Switch

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article are representative of some of the types and manufacturers available, but should not be taken as an endorsement of any particular make or type of device. There are lots of manufacturers and unique models that can fit any given application, and most manufacturers have similar devices available.

Photo 1 shows a safety-rated, direct-drive roller cam switch used as half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

Micro-Switch used for interlocking
Photo 2 – Micro-Switch used for interlocking

Photo 2 shows a ‘microswitch’ used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a ‘fixed guard’ as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards do require interlocks on fixed guards due to the nature of the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger in my experience.

Requirements for interlocking devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7], [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

Typical plastic-bodied interlocking device
Photo 3 – Schmersal AZ15 plastic interlock switch

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.
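To make the monitoring requirement concrete, here is an added illustration of the cross-monitoring that a safety relay or safety PLC performs on the complementary two-switch arrangement shown in Photo 1. This is example code written for this article’s discussion, not code from the original page or from any device manufacturer. Channel 1 is a positively driven normally-closed contact that reads “closed” while the guard is closed; channel 2 is a normally-open contact on a second switch that reads “closed” while the guard is open. Any single open channel stops the hazardous functions, and the two channels must agree within a discrepancy window or the monitor latches a fault. The class and function names, the 500 ms window, and the two scenarios are this example’s own assumptions.

```python
from enum import Enum


class State(Enum):
    STOPPED = "stopped"   # hazardous functions disabled; restart needs an operator reset
    ENABLED = "enabled"   # hazardous functions permitted
    FAULT = "fault"       # channel discrepancy persisted: held safe until a maintenance reset


class TwoChannelInterlock:
    """Cross-monitor for a complementary two-switch movable-guard interlock.

    ch1_closed: positively driven NC contact, True (closed) while the guard is closed.
    ch2_closed: NO contact on a second switch, True (closed) while the guard is OPEN.
    A single open channel is enough to stop; the two channels must agree within
    discrepancy_ms, otherwise a stuck, failed or bypassed switch is assumed.
    (Illustrative model written for this article; names and timing are assumptions.)
    """

    def __init__(self, discrepancy_ms: int = 500):
        self.discrepancy_ms = discrepancy_ms
        self.state = State.STOPPED
        self.disagree_since = None

    def update(self, ch1_closed: bool, ch2_closed: bool, now_ms: int) -> State:
        if self.state is State.FAULT:
            return self.state            # latched: only a maintenance reset clears this
        closed_per_ch1 = ch1_closed
        closed_per_ch2 = not ch2_closed
        if closed_per_ch1 != closed_per_ch2:
            # one channel reports "open": stop now, then time the disagreement
            self.state = State.STOPPED
            if self.disagree_since is None:
                self.disagree_since = now_ms
            elif now_ms - self.disagree_since > self.discrepancy_ms:
                self.state = State.FAULT
            return self.state
        self.disagree_since = None
        if not closed_per_ch1:
            self.state = State.STOPPED   # both channels agree: guard open
        # Both agree the guard is closed: keep the current state.  Closing the guard
        # must never start the hazardous functions by itself (ISO 12100, 3.27.4).
        return self.state

    def reset(self, ch1_closed: bool, ch2_closed: bool) -> bool:
        """Operator reset: allowed only from STOPPED with both channels reading 'closed'."""
        if self.state is State.STOPPED and ch1_closed and not ch2_closed:
            self.state = State.ENABLED
            return True
        return False


def normal_cycle():
    """Guard opened and closed by hand; the two contacts change over a few tens of ms apart."""
    m = TwoChannelInterlock()
    m.update(True, False, 0)         # guard closed, channels agree
    m.reset(True, False)             # operator reset -> ENABLED
    m.update(False, False, 100)      # ch1 opens first: brief, tolerated disagreement
    m.update(False, True, 140)       # ch2 follows: both agree the guard is open
    after_open = m.state
    m.update(True, False, 5000)      # guard closed again
    after_close = m.state            # still STOPPED: no automatic restart
    m.reset(True, False)
    return after_open, after_close, m.state


def taped_switch():
    """Channel 1's actuator is taped in, so it keeps reporting 'closed' while the guard opens."""
    m = TwoChannelInterlock()
    m.update(True, False, 0)
    m.reset(True, False)
    m.update(True, True, 1000)       # ch2 sees the guard open, ch1 still says closed
    at_open = m.state                # STOPPED on the first open channel
    m.update(True, True, 1600)       # disagreement has lasted 600 ms > 500 ms
    after_timeout = m.state          # FAULT, latched
    reset_refused = not m.reset(True, False)
    return at_open, after_timeout, reset_refused


if __name__ == "__main__":
    print("normal cycle:", [s.value for s in normal_cycle()])
    print("taped switch:", taped_switch())
```

The taped_switch scenario is exactly the single-device defeat that the uncovered switches in Photo 1 invite. With one switch and one channel, the monitor would see an unchanged “closed” signal and leave the hazard enabled; with two devices cross-monitored, the second channel stops the machine and the persistent disagreement is latched as a fault that an operator reset cannot clear. That detection of a single fault is what separates the monitored categories from Category 1 / single channel, and it lives in the monitor, not in the switch.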

Guard Locking

Interlocking devices are often used in conjunction with  guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

Interlock Device with Guard Locking
Photo 4 – Interlocking Device with Guard Locking

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant’, called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s.

Internationally and in the EU, there are two speeds: 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/s for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of Ds is greater than 500 mm when calculated using K = 2000 mm/s, then [9] permits the calculation to be done using K = 1600 mm/s instead.

Using the stopping time of the machinery and K, the minimum safety distance can be calculated. Ts is the overall stopping time: the interval from the moment the interlocking device is actuated until the hazardous motion has stopped, so it includes the response time of the interlock and the control system as well as the machine’s own stopping time.

Eq. 1              Ds = K x Ts

Using Equation 1 [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1             Ds = 63 in/s x 0.250 s = 15.75 inches

Example 2             Ds = 2000 mm/s x 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value, since 500 mm is approximately 20 inches.

Note that I have not included the ‘Penetration Factor’, Dpf in this calculation. This factor is used with presence sensing safeguarding devices like light curtains, fences, mats, two-hand controls, etc. This factor is not applicable to movable, interlocked guards.
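The following is an added worked example of Eq. 1, written for this article rather than taken from it or from the standards. It computes Ds with the North American K and with the International K values, applying the rule described above: calculate with K = 2000 mm/s first and, if the result exceeds 500 mm, recalculate with K = 1600 mm/s. ISO 13855 attaches a floor of 500 mm to that relaxation, which the article does not mention; the example includes it. The function names and the sample stopping times are this example’s own.

```python
# Added example: minimum safety distance for a movable, interlocked guard using
# Eq. 1, Ds = K x Ts.  Not code from the original article; function names and the
# sample stopping times are this example's own assumptions.  K values and the
# K = 2000 -> 1600 mm/s relaxation above 500 mm are as the article states them;
# the 500 mm floor after the relaxation is the one ISO 13855 attaches to it.

K_NA_IN_PER_S = 63.0           # North American hand-speed constant, inches/second
K_ISO_MM_PER_S = 2000.0        # ISO 13855, approach perpendicular to the guard plane
K_ISO_SLOW_MM_PER_S = 1600.0   # ISO 13855, permitted when the 2000 mm/s result > 500 mm
SWITCH_OVER_MM = 500.0         # threshold for the relaxation, and the floor after it
MM_PER_INCH = 25.4


def ds_north_american_in(ts_s: float) -> float:
    """Eq. 1 with the North American K; result in inches."""
    return K_NA_IN_PER_S * ts_s


def ds_iso_mm(ts_s: float) -> float:
    """Eq. 1 with the ISO 13855 K values; result in millimetres.

    Compute with K = 2000 mm/s.  If that exceeds 500 mm the standard permits
    K = 1600 mm/s instead, but the recalculated distance may not drop below 500 mm.
    """
    ds = K_ISO_MM_PER_S * ts_s
    if ds > SWITCH_OVER_MM:
        ds = max(K_ISO_SLOW_MM_PER_S * ts_s, SWITCH_OVER_MM)
    return ds


def guard_placement_ok(available_mm: float, ts_s: float) -> bool:
    """True if a guard at `available_mm` from the hazard meets the ISO minimum
    distance for stopping time `ts_s` without needing guard locking."""
    return available_mm >= ds_iso_mm(ts_s)


if __name__ == "__main__":
    # Sample stopping times (constructed): the article's 250 ms plus a few others.
    for ts in (0.100, 0.250, 0.260, 0.500):
        na_in = ds_north_american_in(ts)
        print(f"Ts = {ts:.3f} s: NA {na_in:.2f} in ({na_in * MM_PER_INCH:.0f} mm), "
              f"ISO {ds_iso_mm(ts):.0f} mm")
```

Running it reproduces Example 1 and Example 2 at Ts = 250 ms (15.75 in and 500 mm) and shows the two places where the rule bites: at 260 ms the 2000 mm/s result of 520 mm triggers the relaxation, but the 1600 mm/s figure of 416 mm is held up to the 500 mm floor; at 500 ms the relaxation genuinely applies and the answer is 800 mm rather than 1000 mm. Where guard_placement_ok returns False for the distance you actually have, the next section’s options (a smaller detected opening, or guard locking with stand-still monitoring) are what remain.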

Also important to consider is the amount the guard can be opened before activating the interlock. This will depend on many factors, but for simplicity, consider a hinged gate on an access point. If the guard uses two hinge-pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the opening of the guard. In order to determine the opening size, you would slowly open the gate just to the point where the interlock is tripped, and then measure the width of the opening. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determine how far the guard must be from the hazards behind it. If that distance is greater than what is available, you could remove one hinge-pin switch, and replace it with another type mounted on the post opposite the hinges. This could be a keyed interlock like Photo 3, or a non-contact device like Photo 5. This would reduce the opening width at the point of detection, and thereby reduce the safety distance behind the guard. But what if that is still not good enough?

If you have to install the guard closer to the hazard than the minimum safety distance, locking the guard closed and monitoring the stand-still of the machine allows you to ignore the safety distance requirement because the guard cannot be opened until the machinery is at a standstill, or in a safe state.

Guard locking devices can be mechanical, electromagnetic, or any other type that prevents the guard from opening. The guard locking device is only released when the machine has been made safe.

There are many types of safety-rated stand-still monitoring devices available now, and many variable-frequency drives and servo drive systems are available with safety-rated stand-still monitoring.

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration exposures in the application. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, damp, corrosive environment will also lead to premature failure.

Example of a non-contact interlocking device
Photo 5 – JOKAB EDEN Interlock System

Interlock device manufacturers have a variety of non-contact interlocking devices available today that use coded RF signals or RF ID technologies to ensure that the interlock cannot be defeated by simple measures, like taping a magnet to a reed switch. The Jokab EDEN system is one example of a system like this that also exhibits IP65 level resistance to moisture and dust. Note that systems like this include a safety monitoring device and the system as a whole can meet Control Reliable or Category 3 / 4 architectural requirements when a simple interlock switch could not.

The device standards do provide some guidance in making these selections, but it’s pretty general.

Fault Exclusion

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the International and EU standards can use fault exclusion, but be aware that significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

Diagram showing one method of preventing interlock defeat.
Figure 6 – Preventing Defeat

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-operated switch, like the Schmersal AZ15, installed with a cover that is intended to further guard against defeat. The key, sometimes called a ‘tongue’, used with the switch prevents defeat using a flat piece of metal or a knife blade. The cover prevents direct access to the interlocking device itself. Use of tamper-resistant hardware will further reduce the likelihood that someone can remove the key and insert it into the switch, bypassing the guard.

Inner-Tite tamper resistance fasteners
Photo 6 – Tamper-resistant fasteners


The International and EU standards do not require the devices to be inherently defeat resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Photo 6 shows one type of tamper-resistant fastener made by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed keyways made by Bryce Fastener [14], and Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Fasteners like these give the highest level of security available in a threaded fastener. There are many different designs available from a wide variety of manufacturers.

Bryce Key-Rex tamper-resistant fasteners
Photo 7 – Keyed Tamper-Resistant Fasteners
Tamper proof screws made by the Tamperproof Screw Company
Photo 8 – Tamper proof screws

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

How to select the right device

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry? Is it wet (i.e., with cutting fluid, oil, water, etc.)? Is it abrasive (dusty, sandy, chips, etc.)? Is it indoors or outdoors and subject to wide temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance? What about device monitoring or annunciation?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject for a series of articles!

References


[1] Safety of machinery – General principles for design – Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010

[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)


[3] Industrial Robots and Robot Systems – General Safety Requirements, CSA Standard Z434, 2003 (R2008)

[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006

[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005

[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X

[7] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO Standard 14119, 1998

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11, 2008

[9] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855, 2010

[10] American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO Standard 14120, 2002

[12] Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO Standard 13857, 2008

[13] Inner-Tite Corp. home page. (2012). Available: http://www.inner-tite.com/

[14] Bryce Fastener, Inc. home page. (2012). Available: http://www.brycefastener.com/

[15] Tamperproof Screw Co., Inc., home page. (2013). Available: http://www.tamperproof.com

Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories
(Columns: Summary of requirements / System behaviour / Principle used to achieve safety / MTTFd of each channel / DCavg / CCF)

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R 15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06
(Columns: CSA Z432-04 / Z434-03 summary of requirements, system behaviour and principle used to achieve safety; RIA R15.06-1999 summary of requirements)

All categories
  CSA Z432-04 / Z434-03: All safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA R15.06-1999: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4 (see note 2).

  Note 2 (RIA R15.06): These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1.) They are different. The committee believes that the criteria in 4.5.1-4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

SIMPLE
  CSA summary of requirements: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
    Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA summary of requirements: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

SINGLE CHANNEL WITH MONITORING
  CSA summary of requirements: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
       i) at machine start-up; and
       ii) periodically during operation (preferably at each change in state).
    b) The check shall either
       i) allow operation if no faults have been detected; or
       ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA summary of requirements: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
       1) at machine start-up, and
       2) periodically during operation;
    b) The check shall either:
       1) allow operation if no faults have been detected, or
       2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA summary of requirements: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent
the stopping action of the robot.
These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.

b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

c) Common mode failures shall be taken into account when the probability of such a failure occurring is
significant.

d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected
at the next demand upon the safety function.

e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.

When a single fault occurs, the safety function is always performed.Some, but not all, faults will be detected.

Accumulation of undetected faults can lead to the loss of the safety function.

Characterized primarily by structure. Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot.These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.

a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;

b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.

d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between the North American and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note – ANSI/RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to appreciate it.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard, instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. The updates in the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment — Safety Requirements — Part 1: Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011-2012
Acknowledgements: See references listed at end of article.
Some Rights Reserved

CSA Z1002 Risk Assessment Standard – 60 Day Public Review

Get more information on CSA Z1002. The draft of this document is now available for public review through CSA.

60 Day Public Review Starts Today

CSA (the Canadian Standards Association) has been working on a new risk assessment standard called Z1002 – Occupational Health and Safety Hazard Identification and Elimination and Risk Assessment and Control, since the fall of 2007.

This risk assessment standard is the first of its kind globally and will place the CSA Z100x series of Occupational Health and Safety Management standards at the forefront internationally when it is published this year.

This standard is destined to become a Canadian National Standard and will have influence on all the standards in the CSA Catalog that include risk assessment (CSA Z432, CSA Z434, CSA Z460, CSA Z462, etc.)

As of today, the standard is available for public review. This means that you can download a draft copy of the standard for free and have a look at the content of the document. It’s also hoped that you will provide comments on the document that will go back to the technical committee at the end of the Public Review phase on 17-Apr-11 17-Mar-11. Every comment will be reviewed by the Technical Committee. You have the chance to make changes in the document before it is published later this year.

Public Review is only open for 60 days, so act quickly! On 17-Apr-11 17-Mar-11 the review will close permanently for this edition of the document!

Get The Draft

If you are interested in reviewing and commenting on the draft, please visit:

https://review.csa.ca/opr/opr_list.asp

You can download the draft and you can link to the comments page for the document to provide your thoughts on it.

More Information

Need more information on this standard? Please contact the CSA Project Manager:
Elizabeth Rankin,
ph: (416) 747-2011