I’ve now written six posts, including this one, on the topic of circuit architectures for the safety–related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.
Since we’ve spent a lot of time talking about ISO 13849–1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.
| Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF |
| B (see 6.2.3) | SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by selection of components | Low to medium | None | Not relevant |
| 1 (see 6.2.4) | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B. | Mainly characterized by selection of components | High | None | Not relevant |
| 2 (see 6.2.5) | Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
| 3 (see 6.2.6) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that —a single fault in any of these parts does not lead to the loss of the safety function, and —whenever reasonably practicable, the single fault is detected. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
| 4 (see 6.2.7) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that —the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
| When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure | High | High including accumulation of faults | See Annex F |
| NOTE For full requirements, see Clause 6. | ||||||
Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R 15.06 [3], so I have constructed one following a similar format to Table 10.
| CSA Z432-04 / Z434-03 | RIA R15.06 1999 | |||
| Category | Summary of requirements | System behaviour | Principle used to achieve safety | Summary of requirements |
| All | Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5. | Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4.2 2 These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849–1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954–1.) They are different. The committee believes that the criteria in 4.5.1–4.5.4 exceed the criteria of B — 3 respectively, and further believe the reverse is not true. | ||
| SIMPLE | Simple safety control systemsshall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by component selection. | Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable. |
| SINGLE CHANNEL | Single channel safety control systems shall a) be hardware based or comply with Clause 6.5; b) include components that should be safety rated; and c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state). Note: In this type of system a single component failure can lead to the loss of the safety function. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by component selection. | Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.) |
SINGLE CHANNEL | Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following: a) The check of the safety function(s) shall be performed i) at machine start-up; and ii) periodically during operation (preferably at each change in state). b) The check shall either i) allow operation if no faults have been detected; or ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion. c) The check itself shall not cause a hazardous situation. d) Following detection of a fault, a safe state shall be maintained until the fault is cleared. Note: In this type of circuit a single component failure can also lead to the loss of the safety function. | The occurrence of a fault can lead to the loss of the safety function. | Characterized by both component selection and structure. | Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals. a) The check of the safety function(s) shall be performed 1) at machine start-up, and 2) periodically during operation; b) The check shall either: 1) allow operation if no faults have been detected, or 2) generate a stop signal if a fault is detected. c) The check itself shall not cause a hazardous situation; d) Following detection of a fault, a safe state shall be maintained until the fault is cleared. |
| CONTROL RELIABLE | Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following: a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion. b) Following detection of a fault, a safe state shall be maintained until the fault is cleared. c) Common mode failures shall be taken into account when the probability of such a failure occurring is d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Characterized primarily by structure. | Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level. a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion; b) Following detection of a fault, a safe state shall be maintained until the fault is cleared. c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant. d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function. |
CSA Z434 vs. RIA R15.06
Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note — ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218–1 [7]. This is very significant, but we need to deal with this old discussion first.
Systems vs. Circuits
The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.
The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.
The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.
The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to the robot motion was not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.
The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218–1 as a replacement for Section 4 is significant for a couple of reasons: 1) It now means that the robot itself need only meet the ISO standard; instead of the ISO and the RIA standards; and 2) It brings in ISO 13849–1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954–1. These updates to the 2006 edition may come in subsequent editions of R15.06.
CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.
North America vs International Standards
In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TC’s were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954–1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.
Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.
As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too may missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849–1:2006 as a reference to EN ISO 10218–1 [6], replacing Section 4 of ANSI/RIA R15.06–1999.
References
[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849–1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.
[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.
[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.
[4] “Safety of machinery — Safety related parts of control systems — Part 1. General principles for design”, EN 954–1, European Committee for Standardization (CEN), Geneva, 1996.
[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.
[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, European Committee for Standardization (CEN), Geneva, 2011.
[7] “Robots for Industrial Environment — Safety Requirements — Part 1 — Robot”, ANSI/RIA/ISO 10218–1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.
Copyright secured by Digiprove © 2011
rankin
csa
Loading ...
Twitter
LinkedIn
Facebook
Email