Inconsistencies in ISO 13849-1:2006

This entry is part 7 of 8 in the series Circuit Architectures Explored

I’ve written quite a bit recently on the topic of circuit architectures under ISO 13849-1, and one of my readers noticed an inconsistency between the text of the standard and Figure 5, the diagram that shows how the categories can span one or more Performance Levels.

ISO 13849-1, Figure 5: Relationship between Categories, DC, MTTFd and PL

If you look at Category 2 in Figure 5, you will notice that there are TWO bands, one for DCavg LOW and one for DCavg MED. However, reading the text of the definition for Category 2 gives (§6.2.5):

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This leaves some confusion, because it appears from the diagram that there are two options for this architecture. This is backed up by the data in Annex K that underlies the diagram.

The same confusion exists in the text describing Category 3, with Figure 5 showing two bands, one for DCavg LOW and one for DCavg MED.

I contacted the ISO TC199 Secretariat, the people responsible for the content of ISO 13849-1, and pointed out this apparent conflict. They responded that they would pass the comment on to the TC for resolution, and would contact me if they needed additional information. As of this writing, I have not heard more.

So what should you do if you are trying to design to this standard? My advice is to follow Figure 5. If you can achieve DCavg MED in your design, it is reasonable to claim the PL that the DCavg MED band gives for your category and MTTFd. Refer to the data in Annex K to see where your design falls once you have completed the MTTFd calculations, and keep the DCavg calculation that supports the band you claim in the design file.
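The Figure 5 bands can be applied mechanically once you have the MTTFd and DCavg numbers. Here, as an added example that is not from the original post or from ISO, is a Python implementation of the simplified procedure as I recall it from ISO 13849-1:2006: the parts-count MTTFd of a channel and the symmetrisation of two channels with different MTTFd (Annex D), the DCavg formula (Annex E), the MTTFd and DC levels of clause 4.5, and the category / DCavg / MTTFd to PL assignment that is Figure 5 in tabular form. Verify the constants against your own copy of the standard before relying on them. The component MTTFd and DC values are constructed for the example, and the handling of a DCavg better than the highest band listed for a category (read it at that highest band) is my conservative assumption, not text from the standard.

```python
from dataclasses import dataclass

MTTFD_CAP_YEARS = 100.0   # clause 4.5.2: MTTFd of a channel is limited to 100 years
BANDS = ["none", "low", "medium", "high"]


@dataclass
class Part:
    """One component in a channel; values are constructed for the example."""
    name: str
    mttfd_years: float    # MTTFd of this component in this application
    dc: float             # diagnostic coverage for this component, 0.0 .. 1.0
    count: int = 1


def channel_mttfd(parts):
    """Parts-count method (Annex D): 1/MTTFd_C = sum(n_j / MTTFd_j), capped at 100 years."""
    inverse = sum(p.count / p.mttfd_years for p in parts)
    return min(1.0 / inverse, MTTFD_CAP_YEARS)


def symmetrised_mttfd(c1, c2):
    """Annex D: one equivalent MTTFd for two redundant channels with different values."""
    if c1 == c2:
        return min(c1, MTTFD_CAP_YEARS)
    harmonic = 1.0 / (1.0 / c1 + 1.0 / c2)
    return min(2.0 / 3.0 * (c1 + c2 - harmonic), MTTFD_CAP_YEARS)


def dc_avg(parts):
    """Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i) over the channel's parts."""
    num = sum(p.count * p.dc / p.mttfd_years for p in parts)
    den = sum(p.count / p.mttfd_years for p in parts)
    return num / den


def mttfd_band(years):
    """MTTFd levels of 4.5.2; below 3 years the SRP/CS is outside the procedure."""
    if years < 3:
        return None
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


def dc_band(dc):
    """DC levels of 4.5.3."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Figure 5 in tabular form: (category, DCavg band) -> PL for MTTFd low / medium / high.
# None means the combination is not covered, i.e. the category requirement is not met.
PL_TABLE = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def performance_level(category, dcavg, mttfd_years):
    """PL per the simplified procedure, or None when the design is outside it."""
    m = mttfd_band(mttfd_years)
    if m is None:
        return None
    listed = [band for (cat, band) in PL_TABLE if cat == category]
    # A DCavg better than the best column listed for the category is read at that
    # column (my conservative assumption); a DCavg below the lowest listed column
    # means the category's own DC requirement is not met.
    usable = [b for b in listed if BANDS.index(b) <= BANDS.index(dc_band(dcavg))]
    if not usable:
        return None
    best = max(usable, key=BANDS.index)
    return PL_TABLE[(category, best)][BANDS.index(m) - 1]


def worked_example():
    """One Category 2 channel read with both DCavg bands of Figure 5 (constructed data)."""
    channel = [
        Part("guard interlock switch, positive opening", 100.0, 0.90),
        Part("contactor with mirror contact", 150.0, 0.99),
        Part("safety logic solver", 100.0, 0.90),
    ]
    m = channel_mttfd(channel)
    d = dc_avg(channel)
    only_low_dc = [Part(p.name, p.mttfd_years, 0.60, p.count) for p in channel]
    return {
        "mttfd_years": m,                                   # 37.5 -> high
        "dcavg": d,                                         # 0.9225 -> medium
        "pl_cat2_with_measured_dc": performance_level("2", d, m),
        "pl_cat2_if_only_dc_low": performance_level("2", dc_avg(only_low_dc), m),
        # Category 3 with a second, weaker channel (MTTFd 20 years assumed), symmetrised
        "pl_cat3_two_channels": performance_level("3", d, symmetrised_mttfd(m, 20.0)),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Run worked_example(): the same Category 2 channel with an MTTFd of 37.5 years comes out at PL c if you can only justify DCavg low and at PL d with DCavg medium, which is exactly the second band that the text of 6.2.5 does not mention. Note also that performance_level() returns None rather than a PL when the combination is outside the table (Category 4 with medium MTTFd, Category 3 with no diagnostics, any channel under 3 years): treat that as "does not meet the category", never as PL a.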

Thanks to Richard Harris and Douglas Florence, both members of the ISO 13849 and IEC 62061 Group on LinkedIn for bringing this to my attention!

If you are interested in contacting the TC199 Secretariat, you can email the Secretary, Mr. Stephen Kennedy. More details on ISO TC199 can be found on the Technical Committee page on the ISO web Site.

Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that ISO 13849-1 permits fault exclusion (Clause 7.3), which is most often relied upon in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R 15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

(Left-hand text in each row is from CSA Z432-04 / Z434-03; right-hand text is from RIA R15.06-1999.)

All safety control systems / circuits
  CSA summary of requirements: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA summary of requirements: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4.*

SIMPLE
  CSA summary of requirements: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA summary of requirements: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state).

SINGLE CHANNEL WITH MONITORING
  CSA summary of requirements: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
       i) at machine start-up; and
       ii) periodically during operation (preferably at each change in state).
    b) The check shall either
       i) allow operation if no faults have been detected; or
       ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA summary of requirements: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
       1) at machine start-up, and
       2) periodically during operation;
    b) The check shall either:
       1) allow operation if no faults have been detected, or
       2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA summary of requirements: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized primarily by structure.
  RIA summary of requirements: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

* Footnote in RIA R15.06-1999: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1.) They are different. The committee believes that the criteria in 4.5.1-4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note – ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as Category 3 and 4 designs normally need in order to tolerate a single fault (unless a fault exclusion has been justified), and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, only the Edition 1 version of the standard has been adopted, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to EN 954-1 [4]. The updates in the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference through EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1. General principles for design”, EN 954-1, European Committee for Standardization (CEN), Brussels, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Brussels, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, CEN, Brussels, 2011.

[7] “Robots for Industrial Environment – Safety Requirements – Part 1 – Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011-2012
Acknowledgements: See references listed at end of article.
Some Rights Reserved

Interlock Architectures – Pt. 5: Category 4 — Control Reliable

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This installment in the series on system architectures delves into the details of this architecture. The definitions and requirements discussed in this article come from ISO 13849-1, Edition 2 (2006) and ISO 13849-2, Edition 1 (2003).

As with preceding articles in this series, I’ll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I’ve answered your questions there.

The Definition

The Category 4 definition builds on both Category B and Category 3. As you read, recall that “SRP/CS” stands for “Safety Related Parts of the Control System”. Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see
Annex F).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

In practice, the consideration of a fault combination of two faults may be sufficient.


Breaking it down

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, using well-tried safety principles, such as switching the +V rail side of the coil circuit for control components, is required. If you aren’t sure about what constitutes a “well-tried safety principle”, see the article on Category 2 where this is discussed. Don’t confuse “well-tried safety principles” with “well-tried components”. There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that Category. This is the key difference between the categories in my opinion.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see
Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the “passing score” of 65 remains unchanged (see Annex F in ISO 13849-1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements by explicit statements. Notice that nowhere is there a requirement that single faults or accumulations of single faults be prevented, only that they be detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. Understanding, first, which components are critical to the safety function and, second, what kinds of faults each component is likely to have is fundamental to designing a diagnostic system that can detect those faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if the common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly result in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for “fault exclusion”, a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high-probability faults that are likely to occur concurrently. If there are, you need to assess those combinations of faults, whether there are 5 or 50 to be evaluated.
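The behaviour described above (the single fault never defeats the stop, it is found at or before the next demand, and the system then holds a safe state until the fault is cleared, which is also what the CSA and RIA “single channel with monitoring” and “control reliable” checks in Part 6 require) is easier to see in a small simulation. The following Python model is an added example, not code from the original post or from any standard: two guard contacts S1/S2 on separate channels, two contactors K1/K2 with their contacts in series, a cross-monitoring discrepancy check on every scan, and a feedback (mirror contact) check before each restart. The component names, the scan-cycle model and the injected faults are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Faults:
    """Single-point faults that can be injected (constructed for the example)."""
    s1_stuck_closed: bool = False   # channel-1 guard contact welded or jumpered
    s2_stuck_closed: bool = False
    k1_welded: bool = False         # output contactor K1 cannot drop out
    k2_welded: bool = False


@dataclass
class Interlock:
    """Guard contacts S1/S2 on two channels, contactors K1/K2 with contacts in series.

    monitored=True  : discrepancy check S1 vs S2 every scan and a feedback (mirror
                      contact) check of K1/K2 before every restart, as in Cat 3/4
    monitored=False : one channel, no diagnostics (Cat B/1, NA "single channel")
    """
    monitored: bool = True
    faults: Faults = field(default_factory=Faults)
    cmd: bool = False               # coil command to K1 and K2
    locked_out: bool = False
    log: list = field(default_factory=list)

    def _k1(self):                  # actual contactor state, welded fault included
        return self.cmd or self.faults.k1_welded

    def _k2(self):
        return self.cmd or self.faults.k2_welded

    def running(self):
        """Hazardous motion is possible only if both series contacts are closed."""
        return self._k1() and self._k2()

    def _trip(self, reason):
        self.locked_out = True
        self.cmd = False
        self.log.append(reason)

    def scan(self, guard_closed, reset=False):
        """One logic-solver cycle; returns True if hazardous motion is enabled."""
        s1 = guard_closed or self.faults.s1_stuck_closed
        s2 = guard_closed or self.faults.s2_stuck_closed
        if self.monitored and s1 != s2:
            self._trip("discrepancy")   # channels disagree: fault detected at this demand
        if self.locked_out:
            self.cmd = False            # safe state held until fault cleared and reset
            if reset and self.faults == Faults():
                self.locked_out = False
                self.log.append("reset")
            return self.running()
        enable = (s1 and s2) if self.monitored else s1
        if enable and not self.cmd and self.monitored and (self._k1() or self._k2()):
            self._trip("feedback")      # a contactor never dropped out: caught at restart
            return self.running()
        self.cmd = enable
        return self.running()


def demand_cycle(il, inject=None):
    """Start, optionally inject a fault, open the guard (demand), close it (restart)."""
    started = il.scan(guard_closed=True)
    if inject:
        inject(il.faults)
    stopped = not il.scan(guard_closed=False)
    restarted = il.scan(guard_closed=True)
    return {"started": started, "stopped": stopped,
            "restarted": restarted, "log": list(il.log)}


def stuck_input_dual_channel():
    """S1 stuck closed on a monitored dual channel: stop still happens, fault found."""
    return demand_cycle(Interlock(monitored=True, faults=Faults(s1_stuck_closed=True)))


def welded_contactor_dual_channel():
    """K1 welds while running: K2 alone still stops, feedback check blocks restart."""
    def weld(f):
        f.k1_welded = True
    return demand_cycle(Interlock(monitored=True), inject=weld)


def stuck_input_single_channel():
    """The same stuck contact on an unmonitored single channel loses the stop."""
    return demand_cycle(Interlock(monitored=False, faults=Faults(s1_stuck_closed=True)))


def clear_and_reset(il):
    """Maintenance clears the fault; a manual reset is still needed before restart."""
    il.faults = Faults()
    il.scan(guard_closed=True, reset=True)   # leaves lockout, outputs stay off
    return il.scan(guard_closed=True)          # next cycle: feedback passes, motion enabled


if __name__ == "__main__":
    for demo in (stuck_input_dual_channel, welded_contactor_dual_channel,
                 stuck_input_single_channel):
        print(demo.__name__, demo())
```

Compare the three demonstrations: with monitoring, a stuck channel-1 contact is caught by the discrepancy check at the very demand it would have masked, and a welded K1 is caught by the feedback check at the next restart; in both cases the machine still stopped. The same stuck contact on an unmonitored single channel silently defeats the stop, which is the Category B/1 and North American “single channel” behaviour in Table 10. Nothing here prevents the fault; the whole benefit is detection plus lockout before a second fault can accumulate, and the reset path shows why a reset with the fault still present must do nothing.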

Fault Exclusion

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Clause 7.3 of ISO 13849-1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between “well-tried components” and “fault exclusion”:

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

To assist the designer, ISO 13849-2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let’s consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List

1. Key breaks off
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely
2. Screws mounting key to guard fail
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely
3. Screws mounting interlock device to guard fail
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely
4. Key and interlock device misaligned
   Result: Guard cannot close, preventing machine from operating.
   Likelihood: Very likely
5. Key and interlock device misaligned; key and/or interlock device damaged
   Result: Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device.
   Likelihood: Likely
6. Screws mounting key to guard removed by user
   Result: Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard.
   Likelihood: Likely
7. Screws mounting interlock device to guard removed by user
   Result: Probably combined with the preceding condition. Control system can no longer sense the position of the guard.
   Likelihood: Unlikely, but could happen

There may be more failure modes, but for the purpose of this discussion, let’s limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include: misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread-locking adhesives when installing the screws to prevent them from vibrating loose, and “tamper-proof” style screw heads to deter unauthorized removal. Inclusion of these methods will support any decision to exclude these faults. The same measures address faults 3, 6 and 7 as well.

Faults 4 & 5 occur frequently and are often caused by poor device selection (e.g. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (e.g. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). Rationale for prevention of these faults will need to include discussion of design features that will prevent these conditions.

Excluding any other kind of fault follows the same process: Develop the fault list, assess each fault against the relevant Annex from ISO 13849-2, determine if there are preventative measures that can be designed into the product and whether these provide sufficient risk reduction to allow the exclusion of the fault from consideration.

DCavg and MTTFd requirements

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

The first sentence in Note 2 clarifies the two main differences from a design standpoint, aside from the additional fault tolerance requirements: Better diagnostics are required and much higher requirements for individual component, and therefore channel, MTTFd.

The Block Diagram

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This
corrects the arrowed lines labeled “m” between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I’ve highlighted this area using red ovals on Figure 12 to make it easier to see .

ISO 13849-1 Figure 12 - Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the “m” lines are solid in Figure 12 and dashed in Figure 11? Subtle, but significant! There are no other differences between the diagrams.

ISO 13849-1 Figure 11 - Category 3 Block Diagram

I went looking for a circuit diagram to support the block diagram, but wasn’t able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn’t too surprising. The basic physical construction of the two categories can be virtually identical.

Applications

The following is not from the standards – this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided that they were going to apply Category 4 architecture without really understanding the design implications, because they believed that it was “the best”. With the change in the harmonization of EN 954-1 and ISO 13849-1 under the EU Machinery Directive that comes into force on 29-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954-1, I can easily imagine manufacturers taking the position that, because they already have Category 4 SRP/CS on their systems, they now have PLe SRP/CS system performance. This is a bad decision for a lot of reasons:

  1. ISO 13849-1 PLe, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Attempting to apply this level of design to machinery where PLb is more suitable based on a risk assessment is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, EN 692 for mechanical power presses or EN 693 for hydraulic power presses, will explicitly specify the PL required for these machines.
  2. Manufacturers have frequently claimed EN 954-1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system.

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant’s published documents to cause some serious legal grief.

As designers involved with the safety of our company’s products or with our co-worker’s safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction and ensure that the design criteria are met by validating the system once built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011-2012
Acknowledgements: ISO for excerpts from ISO 13849-1 and more...
Some Rights Reserved