Guarding Emergency Stop Devices

This entry is part 4 of 13 in the series Emer­gency Stop

Can emer­gency stop devices that a prone to unin­tend­ed oper­a­tion be guard­ed? Find out!

Much con­fu­sion exists when it comes to Emer­gency Stop sys­tems, and clients often ask me if it is ‘OK’ to guard emer­gency stop devices like e-stop but­tons, foot ped­als, pull-cords, etc. With­out get­ting into a ton of reg­u­la­to­ry details, this arti­cle will look at the require­ments in for emer­gency stop devices in three key juris­dic­tions: Cana­da, the USA and the Euro­pean Union.

If you need infor­ma­tion on the func­tion­al aspects of emer­gency stop sys­tems, see “Emer­gency Stop — What’s so con­fus­ing about that?

Why Guard an Emergency Stop?

Gen­er­al­ly, emer­gency stop devices, or e-stop devices as they’re often called, need to be pro­tect­ed from unin­ten­tion­al use. This prob­lem occurs because e-stop devices have to be locat­ed close to where peo­ple work in order to be use­ful. An e-stop you can’t reach when you need it may as well not be there in the first place, so emer­gency stops are locat­ed at ‘nor­mal oper­a­tor sta­tions’. This often means they are locat­ed under the edge of a machine table, or on an oper­a­tor con­trol bar like that used on pow­er press­es, putting the e-stop with­in reach, but also in the ‘line-of-fire’ when it comes to the operator’s nor­mal move­ments.

To pre­vent unin­tend­ed oper­a­tion, peo­ple often want to put rings, col­lars, or worse — cov­ers — on or around the e-stop device to keep peo­ple from bump­ing the device. Some of these can be done and should be done, and oth­ers are nev­er per­mit­ted for good rea­son.

Regulatory Requirements

Let’s take a look at the key require­ments from the reg­u­la­tions world wide:

  1. Emer­gency Stop devices must be clear­ly iden­ti­fied. The tech­ni­cal stan­dards require that emer­gency stop devices be coloured RED with a YELLOW back­ground [1].
  2. They must be locat­ed with­in easy reach of the oper­a­tor. This applies to all nor­mal work­sta­tions where oper­a­tors inter­act with the machine. For main­te­nance and ser­vice activ­i­ties where work­ers may be in loca­tions oth­er than nor­mal work­sta­tions, a pen­dant or oth­er portable con­trol must be used to cause machine motion. This device must include an emer­gency stop con­trol along with oth­er com­ple­men­tary safe­guard­ing devices such as enabling devices and hold-to-run con­trols. Where access is only allowed under lock­out con­di­tions, this is not required [2], [3].
  3. But­tons must be palm or mush­room-shaped devices.
  4. Devices must require man­u­al reset­ting. This means that the device must latch in the oper­at­ed posi­tion and require a delib­er­ate action to reset the device. This includes actions such as: pulling put a pressed but­ton, twist­ing a but­ton to release the latched con­di­tion, press­ing a reset but­ton on a pull-cord to reset the tripped con­di­tion, etc [1].
  5. Unguard­ed. This means that easy access to the device may not be imped­ed, con­sid­er­ing the per­son­al pro­tec­tive equip­ment (PPE) that work­ers are required to wear. Devices that would be con­sid­ered to be guards would include:
  • Close fit­ting rings or col­lars that require a work­er to insert a fin­ger inside the ring or col­lar to reach the device and acti­vate it,
  • cov­ers that close over the device to pre­vent access,
  • lock­ing device that pre­vent access to the device, etc.

So, con­sid­er­ing point 5 above, isn’t this the end of the dis­cus­sion? Not at all! There are a few fac­tors to con­sid­er first.

An impor­tant con­sid­er­a­tion is the poten­tial for acci­den­tal oper­a­tion. Depend­ing on the machine or process, unin­ten­tion­al oper­a­tion of emer­gency stop devices may result in sig­nif­i­cant lost pro­duc­tion and/or dam­age to equip­ment. In cas­es like this, it is rea­son­able to pro­tect the device from inad­ver­tent oper­a­tion as long as the mea­sures tak­en to pro­tect the device do not impede the oper­a­tion of the device in emer­gency con­di­tions.

ISO 13850 [4] sup­ports this idea in Clause 4.4 Emer­gency stop device:

4.4.2 An emer­gency stop device shall be locat­ed at each oper­a­tor con­trol sta­tion, except where the risk assess­ment indi­cates that this is not nec­es­sary, as well as at oth­er loca­tions, as deter­mined by the risk assess­ment. It shall be posi­tioned such that it is read­i­ly acces­si­ble and capa­ble of non-haz­ardous actu­a­tion by the oper­a­tor and oth­ers who could need to actu­ate it. Mea­sures against inad­ver­tent actu­a­tion should not impair its acces­si­bil­i­ty. (Author’s Note: Bold text added for empha­sis.)

Summing Up

The key dif­fer­ence between North Amer­i­can think­ing and International/EU think­ing is in the term “unguard­ed” as used in the North Amer­i­can stan­dards, ver­sus [4, § 4.2.2], where the design­er is remind­ed, “Mea­sures against inad­ver­tent actu­a­tion should not impair its acces­si­bil­i­ty.”

In my opin­ion it is rea­son­able to pro­tect an emer­gency stop device from inad­ver­tent oper­a­tion by plac­ing a ring or oth­er sim­i­lar struc­ture around an emer­gency stop device as long as the struc­ture does not impair easy access to the device by the oper­a­tor.

I know this opin­ion appears ini­tial­ly to go against the estab­lished North Amer­i­can stan­dards, how­ev­er it can be log­i­cal­ly argued, based on the def­i­n­i­tion of the word “guard”.

A guard is a device that pre­vents access to some­thing, usu­al­ly a haz­ard. Con­sid­er­ing that we are talk­ing about a con­trol that is designed to reduce or lim­it harm, any struc­ture that does not pre­vent access to the emer­gency stop device asso­ci­at­ed with the struc­ture should be con­sid­ered to be accept­able.

That said, devices like:

  • hinged cov­ers;
  • doors;
  • lock­ing devices;
  • nar­row col­lars; and
  • any oth­er device or struc­ture

that undu­ly lim­its access to the emer­gency stop device can­not be con­sid­ered accept­able.

Effects of PPE

The phrase ‘undu­ly lim­its access’ has spe­cif­ic mean­ing here. If work­ers are expect­ed to be wear­ing PPE on the body part used to acti­vate the emer­gency stop device, such as gloves or boots for exam­ple, then the design of the struc­ture placed around the emer­gency stop device must take into account the added dimen­sions of the PPE, the reduc­tion in tac­tile capa­bil­i­ty that may occur (e.g. heavy work gloves make it hard to feel things eas­i­ly), and must com­pen­sate for the effects of the PPE. Big gloves/boots = Big open­ing in the struc­ture.

Light­ing and pro­tec­tive eye­wear can also play a part. You may need to use reflec­tive or lumi­nes­cent paint, or illu­mi­nat­ed e-stop devices, to high­light the loca­tion of the device in low light envi­ron­ments or where very dark eye­wear is required, like that need­ed by welders or used by work­ers around some infrared lasers with open beam paths.

Effects of State-of-Mind

It’s also impor­tant to con­sid­er the like­ly state-of-mind of a work­er need­ing to use an emer­gency stop device. They are either urgent­ly try­ing to stop the machine because,

  1. anoth­er safe­guard has failed an some­one is involved with a haz­ard, includ­ing them­selves, or
  2. the machine is dam­ag­ing itself or the prod­uct and they need to lim­it the dam­age.

Both sce­nar­ios have a high lev­el of urgency attached to them. The human mind tends to miss obvi­ous things includ­ing train­ing, when placed under high lev­els of stress. Struc­tures placed around emer­gency stop devices, such as cov­ers, that com­plete­ly block access, even though they may be eas­i­ly opened, may be enough to pre­vent access in an emer­gency.

The answer you’ve all been waiting for!

So in the end, can you put a struc­ture around an emer­gency stop to reduce inad­ver­tent oper­a­tion of the device:

YES!

Just make sure that you con­sid­er all the fac­tors that may affect it’s use, doc­u­ment your analy­sis, and don’t undu­ly restrict access to the device.

Need more help? Feel free to email me!


References

IEC – Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion

ISO – Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion

[1]  Safe­ty of machin­ery — Elec­tri­cal equip­ment of machines — Part 1: Gen­er­al require­ments, IEC 60204–1, 2005

[2]  Con­trol of Haz­ardous Ener­gy ­– Lock­out and Oth­er Meth­ods, CSA Z460, 2005.

[3]  Con­trol of Haz­ardous Ener­gy – Lockout/Tagout and Alter­na­tive Meth­ods, ANSI ASSE Z244.1, 2003.

[4]  Safe­ty of machin­ery — Emer­gency stop — Prin­ci­ples for design, ISO 13850, 2006.

Interlock Architectures – Pt. 3: Category 2

This entry is part 3 of 8 in the series Cir­cuit Archi­tec­tures Explored

This arti­cle explores the require­ments for safe­ty relat­ed con­trol sys­tems meet­ing ISO 13849–1 Cat­e­go­ry 2 require­ments. “Gotcha!” points in the def­i­n­i­tion are high­light­ed to help design­ers avoid this com­mon pit­falls.

In the first two posts in this series, we looked at Cat­e­go­ry B, the Basic cat­e­go­ry of sys­tem archi­tec­ture, and then moved on to look at Cat­e­go­ry 1. Cat­e­go­ry B under­pins Cat­e­gories 2, 3 and 4. In this post we’ll look more deeply into Cat­e­go­ry 2.

Let’s start by look­ing at the def­i­n­i­tion for Cat­e­go­ry 2, tak­en from ISO 13849–1:2007. Remem­ber that in these excerpts, SRP/CS stands for Safe­ty Relat­ed Parts of Con­trol Sys­tems.

Definition

6.2.5 Category 2

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/CS of cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The check itself shall not lead to a haz­ardous sit­u­a­tion (e.g. due to an increase in response time). The check­ing equip­ment may be inte­gral with, or sep­a­rate from, the safe­ty-relat­ed part(s) pro­vid­ing the safe­ty func­tion.

The max­i­mum PL achiev­able with cat­e­go­ry 2 is PL = d.

NOTE 1 In some cas­es cat­e­go­ry 2 is not applic­a­ble because the check­ing of the safe­ty func­tion can­not be applied to all com­po­nents.

NOTE 2 Cat­e­go­ry 2 sys­tem behav­iour allows that

  • the occur­rence of a fault can lead to the loss of the safe­ty func­tion between checks,
  • the loss of safe­ty func­tion is detect­ed by the check.

NOTE 3 The prin­ci­ple that sup­ports the valid­i­ty of a cat­e­go­ry 2 func­tion is that the adopt­ed tech­ni­cal pro­vi­sions, and, for exam­ple, the choice of check­ing fre­quen­cy can decrease the prob­a­bil­i­ty of occur­rence of a dan­ger­ous sit­u­a­tion.

ISO 13849-1 Figure 10
Fig­ure 1 — Cat­e­go­ry 2 Block dia­gram [1, Fig.10]

Breaking it down

Let start by tak­ing apart the def­i­n­i­tion a piece at a time and look­ing at what each part means. I’ll also show a sim­ple cir­cuit that can meet the require­ments.

Category B & Well-tried Safety Principles

The first para­graph speaks to the build­ing block approach tak­en in the stan­dard:

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Sys­tems meet­ing Cat­e­go­ry 2 are required to meet all of the same require­ments as Cat­e­go­ry B, as far as the com­po­nents are con­cerned. Oth­er require­ments for the cir­cuits are dif­fer­ent, and we will look at those in a bit.

Self-Testing required

Cat­e­go­ry 2 brings in the idea of diag­nos­tics. If cor­rect­ly spec­i­fied com­po­nents have been select­ed (Cat­e­go­ry B), and are applied fol­low­ing ‘well-tried safe­ty prin­ci­ples’, then adding a diag­nos­tic com­po­nent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-tol­er­ance’ or the abil­i­ty to func­tion cor­rect­ly even when some aspect of the sys­tem has failed.

Let’s look at the text:

SRP/CS of Cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

Peri­od­ic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e. a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion the integri­ty of the SRP/CS must be test­ed at the start of a cycle or haz­ardous peri­od, and poten­tial­ly peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment indi­cates that this is nec­es­sary. The test­ing fre­quen­cy must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rupt­ed every 30 s dur­ing nor­mal oper­a­tion requires a min­i­mum test rate of once every 0.3 s, or 200x per minute or more.

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­al­ly is. As long as the sys­tem integri­ty is good, then the out­put is allowed to remain on, and the machin­ery or process can run.

Watch Out!

Notice that the words ‘when­ev­er pos­si­ble’ are used in the last para­graph in this part of the def­i­n­i­tion where the stan­dard speaks about ini­ti­a­tion of a safe state. This word­ing alludes to the fact that these sys­tems are still prone to faults that can lead to the loss of the safe­ty func­tion, and so can­not be called tru­ly ‘fault-tol­er­ant’. Loss of the safe­ty func­tion must be detect­ed by the mon­i­tor­ing sys­tem and a safe state ini­ti­at­ed. This requires care­ful thought, since the safe­ty sys­tem com­po­nents may have to inter­act with the process con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safe­ty sys­tem itself has failed. Also note that it is not pos­si­ble to use fault exclu­sions in Cat­e­go­ry 2 archi­tec­ture, because the sys­tem is not fault tol­er­ant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­po­nents used in that chan­nel meet Cat­e­go­ry B require­ments, can the diag­nos­tic com­po­nent be pro­vid­ed by a mon­i­tor­ing the sys­tem with a stan­dard PLC? The answer to this is YES. Test equip­ment (called TE in Fig. 1) is specif­i­cal­ly exclud­ed, and Cat­e­go­ry 2 DOES NOT require the use of well-tried com­po­nents, only well-tried safe­ty prin­ci­ples.

Final­ly, for the faults that can be detect­ed by the mon­i­tor­ing sys­tem, detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Gen­er­al­ly, detec­tion of a fault should pre­vent the sub­se­quent reset of the sys­tem until the fault is cleared or repaired.

Test­ing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-the-fly’ and with­out intro­duc­ing any delay in the sys­tem com­pared to how it would have oper­at­ed with­out the test­ing incor­po­rat­ed. Test equip­ment can be inte­grat­ed into the safe­ty sys­tem or be exter­nal to it.

One more ‘gotcha’

Note 1 in the def­i­n­i­tion high­lights a sig­nif­i­cant pit­fall for many design­ers: if all of the com­po­nents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­for­mi­ty to Cat­e­go­ry 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indi­cat­ing that all three must be includ­ed in the mon­i­tor­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Cat­e­go­ry 2 must be down­grad­ed to Cat­e­go­ry 1 in cas­es where all the com­po­nents in the func­tion­al chan­nel can­not be test­ed. This is a major point and one which many design­ers miss when devel­op­ing their sys­tems.

Calculation of MTTFd

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTFd.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

Cal­cu­la­tion of the fail­ure rate focus­es on the func­tion­al chan­nel, not on the mon­i­tor­ing sys­tem, mean­ing that the fail­ure rate of the mon­i­tor­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTFd of each com­po­nent in the func­tion­al chan­nel is cal­cu­lat­ed and then the MTTFd of the total chan­nel is cal­cu­lat­ed.

The Diag­nos­tic Cov­er­age (DCavg) is also cal­cu­lat­ed based exclu­sive­ly on the com­po­nents in the func­tion­al chan­nel, so when deter­min­ing what per­cent­age of the faults can be detect­ed by the mon­i­tor­ing equip­ment, only faults in the func­tion­al chan­nel are con­sid­ered.

This high­lights the fact that a fail­ure of the mon­i­tor­ing sys­tem can­not be detect­ed, so a sin­gle fail­ure in the mon­i­tor­ing sys­tem that results in the sys­tem fail­ing to detect a sub­se­quent nor­mal­ly detectable fail­ure in the func­tion­al chan­nel will result in the loss of the safe­ty func­tion.

Summing Up

The next para­graph sums up the lim­its of this par­tic­u­lar archi­tec­ture:

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The first sen­tence reflects back to the pre­vi­ous para­graph on diag­nos­tic cov­er­age, telling you, as the design­er, that you can­not make a claim to any­thing more than LOW DC cov­er­age when using this archi­tec­ture.

This rais­es an inter­est­ing ques­tion, since Fig­ure 5 in the stan­dard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the stan­dard is to abide by the text, mean­ing that you can­not claim high­er than LOW for DCavg in this archi­tec­ture. This con­flict will be addressed by future revi­sions of the stan­dard.

Anoth­er prob­lem raised by this sen­tence is the inclu­sion of the phrase “the total SRP/CS includ­ing fault-detec­tion”, since the pre­vi­ous para­graph explic­it­ly tells you that the assess­ment of DCavg ‘should’ only include the func­tion­al chan­nel, while this sen­tence appears to include it. In stan­dards writ­ing, sen­tences includ­ing the word ‘shall’ are clear­ly manda­to­ry, while those includ­ing the word ‘should’ indi­cate a con­di­tion which is advised but not required. Hope­ful­ly this con­fu­sion will be clar­i­fied in the next edi­tion of the stan­dard.

MTTFd in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­po­nents select­ed and the way they are applied in the design. The require­ment will be dri­ven by the desired PL of the sys­tem, so a PLd sys­tem will require HIGH MTTFd com­po­nents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PLb sys­tem would require only LOW MTTFd com­po­nents.
Final­ly, applic­a­ble mea­sures against Com­mon Cause Fail­ures (CCF) must be used. Some of the mea­sures giv­en in Table F.1 in Annex F of the stan­dard can­not be applied, such as Chan­nel Sep­a­ra­tion, since you can­not sep­a­rate a sin­gle chan­nel. Oth­er CCF mea­sures can and must be applied, and so there­fore you must score at least the min­i­mum 65 on the CCF table in Annex F to claim com­pli­ance with Cat­e­go­ry 2 require­ments.

Example Circuit

Here’s an exam­ple of what a sim­ple Cat­e­go­ry 2 cir­cuit con­struct­ed from dis­crete com­po­nents might look like. Note that PB1 and PB2 could just as eas­i­ly be inter­lock switch­es on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­plic­i­ty, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­pres­sors across all relay coils. All relays are con­sid­ered to be con­struct­ed with  ‘force-guid­ed’ designs and meet the require­ments for well-tried com­po­nents.

Example Category 2 circuit from discrete components
Fig­ure 2 — Exam­ple Cat­e­go­ry 2 cir­cuit from dis­crete com­po­nents

How the cir­cuit works:

  1. The machine is stopped with pow­er off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­i­tor­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
  2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mal­ly closed con­tacts will be closed, so press­ing PB3 will result in CR3 turn­ing on.
  3. CR3 clos­es its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-ener­gize CR3. The time delays inher­ent in relays per­mit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit the mon­i­tor­ing func­tion is pro­vid­ed by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a sin­gle fault is detect­ed and the machine is pre­vent­ed from re-start­ing. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redun­dant. If CR3 fails with weld­ed con­tacts, then the M rung is held open because CR3 has not de-ener­gized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­i­tor­ing sys­tem, if a “force-guid­ed” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M can­not ener­gize because of the redun­dant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3. Test­ing is con­duct­ed each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment, and so can­not be said to meet Cat­e­go­ry 2 require­ments.

If M is a motor starter rather than the motor itself, it will need to be dupli­cat­ed for redun­dan­cy and a mon­i­tor­ing con­tact added to the CR3 rung .

In cal­cu­lat­ing MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be includ­ed. CR3 is includ­ed because it has a func­tion­al con­tact in the M rung and is there­fore part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OT and OTE chan­nels.

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.
Down­load ISO Stan­dards

Watch for the next install­ment in this series where we’ll explore Cat­e­go­ry 3, the first of the ‘fault tol­er­ant’ archi­tec­tures!

Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Cir­cuit Archi­tec­tures Explored

This arti­cle expands on the first in the series “Inter­lock Archi­tec­tures – Pt. 1: What do those cat­e­gories real­ly mean?”. Learn about the basic cir­cuit archi­tec­tures that under­lie all safe­ty inter­lock sys­tems under ISO 13849–1, and CSA Z432 and ANSI RIA R15.06.

In Part 1 of this series we explored Cat­e­go­ry B, the Basic Cat­e­go­ry that under­pins all the oth­er Cat­e­gories. This post builds on Part 1 by tak­ing a look at Cat­e­go­ry 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849–1. When you are read­ing, remem­ber that “SRP/CS” stands for “Safe­ty Relat­ed Parts of Con­trol Sys­tems”.

SRP/CS of Cat­e­go­ry 1 shall be designed and con­struct­ed using well-tried com­po­nents and well-tried safe­ty prin­ci­ples (see ISO 13849–2).

Well-Tried Components

So what, exact­ly, is a “Well-Tried Com­po­nent”?? Let’s go back to the stan­dard for that:

A “well-tried com­po­nent” for a safe­ty-relat­ed appli­ca­tion is a com­po­nent which has been either

a) wide­ly used in the past with suc­cess­ful results in sim­i­lar appli­ca­tions, or
b) made and ver­i­fied using prin­ci­ples which demon­strate its suit­abil­i­ty and reli­a­bil­i­ty for safe­ty-relat­ed appli­ca­tions.

New­ly devel­oped com­po­nents and safe­ty prin­ci­ples may be con­sid­ered as equiv­a­lent to “well-tried” if they ful­fil the con­di­tions of b).

The deci­sion to accept a par­tic­u­lar com­po­nent as being “well-tried” depends on the appli­ca­tion.

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by refer­ring to ISO 13849–2:

Table 1 — Well-Tried Com­po­nents [2]
Well-Tried Com­po­nents Con­di­tions for “well–tried” Stan­dard or spec­i­fi­ca­tion
Screw All fac­tors influ­enc­ing the screw con­nec­tion and the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”. Mechan­i­cal joint­ing such as screws, nuts, wash­ers, riv­ets, pins, bolts etc. are stan­dard­ised.
Spring See Table A.2 “Use of a well–tried spring”. Tech­ni­cal spec­i­fi­ca­tions for spring steels and oth­er spe­cial appli­ca­tions are giv­en in ISO 4960.
Cam All fac­tors influ­enc­ing the cam arrange­ment (e. g. part of an inter­lock­ing device) are to be con­sid­ered. See Table A.2 “List of well–tried safe­ty prin­ci­ples”. See EN 1088 (ISO 14119) (Inter­lock­ing devices).
Break–pin All fac­tors influ­enc­ing the appli­ca­tion are to be con­sid­ered. See Table A.2 “List of well-tried safe­ty prin­ci­ples”.

Now we have a few ideas about what might con­sti­tute a ‘well-tried com­po­nent’. Unfor­tu­nate­ly, you will notice that ‘con­tac­tor’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­po­nents that you are choos­ing to use are con­struct­ed. If they use these com­po­nents and tech­niques, you are on your way to con­sid­er­ing them to be well-tried.

Anoth­er approach is to let the com­po­nent man­u­fac­tur­er wor­ry about the details of the con­struc­tion of the device, and sim­ply ensure that com­po­nents select­ed for use in the SRP/CS are ‘safe­ty rat­ed’ by the man­u­fac­tur­er. This can work in 80–90% of cas­es, with a small per­cent­age of com­po­nents, such as large motor starters, some ser­vo and step­per dri­ves and oth­er sim­i­lar com­po­nents unavail­able with a safe­ty rat­ing. It’s worth not­ing that many dri­ve man­u­fac­tur­ers are start­ing to pro­duce dri­ves with built-in safe­ty com­po­nents that are intend­ed to be inte­grat­ed into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the def­i­n­i­tion is very impor­tant. So impor­tant that I’m going to repeat it here:

NOTE 1 Com­plex elec­tron­ic com­po­nents (e.g. PLC, micro­proces­sor, appli­ca­tion-spe­cif­ic inte­grat­ed cir­cuit) can­not be con­sid­ered as equiv­a­lent to “well tried”.

I added the bold text to empha­size the impor­tance of this state­ment. While this is includ­ed in a Note and is there­fore con­sid­ered to be explana­to­ry text and not part of the nor­ma­tive body of the stan­dard, it illu­mi­nates a key con­cept. This lit­tle note is what pre­vents a stan­dard PLC from being used in Cat­e­go­ry 1 sys­tems. It’s also impor­tant to real­ize that this def­i­n­i­tion is only con­sid­er­ing the hard­ware — no men­tion of soft­ware is made here, and soft­ware is not dealt with until lat­er in the stan­dard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safe­ty Prin­ci­ples’ might be.

Table 2 — Well-Tried Safe­ty Prin­ci­ples [2, A.2]
Well-tried Safe­ty Prin­ci­ples Remarks
Use of care­ful­ly select­ed mate­ri­als and man­u­fac­tur­ing Selec­tion of suit­able mate­r­i­al, ade­quate man­u­fac­tur­ing meth­ods and treat­ments relat­ed to the appli­ca­tion.
Use of com­po­nents with ori­ent­ed fail­ure mode The pre­dom­i­nant fail­ure mode of a com­po­nent is known in advance and always the same, see EN 292–2:1991, (ISO/TR 12100–2:1992), 3.7.4.
Over–dimensioning/safety fac­tor The safe­ty fac­tors are giv­en in stan­dards or by good expe­ri­ence in safe­ty-relat­ed appli­ca­tions.
Safe posi­tion The mov­ing part of the com­po­nent is held in one of the pos­si­ble posi­tions by mechan­i­cal means (fric­tion only is not enough). Force is need­ed for chang­ing the posi­tion.
Increased OFF force A safe position/state is obtained by an increased OFF force in rela­tion to ON force.
Care­ful selec­tion, com­bi­na­tion, arrange­ment, assem­bly and instal­la­tion of components/system relat­ed to the appli­ca­tion
Care­ful selec­tion of fas­ten­ing relat­ed to the appli­ca­tion Avoid rely­ing only on fric­tion.
Pos­i­tive mechan­i­cal action Depen­dent oper­a­tion (e. g. par­al­lel oper­a­tion) between parts is obtained by pos­i­tive mechan­i­cal link(s). Springs and sim­i­lar “flex­i­ble” ele­ments should not be part of the link(s) [see EN 292–2:1991 (ISO/TR 12100–2:1992), 3.5].
Mul­ti­ple parts Reduc­ing the effect of faults by mul­ti­ply­ing parts, e. g. where a fault of one spring (of many springs) does not lead to a dan­ger­ous con­di­tion.
Use of well–tried spring (see also Table A.3) A well–tried spring requires:
  • use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot–peening),
  • suf­fi­cient guid­ance of the spring, and
  • suf­fi­cient safe­ty fac­tor for fatigue stress (i. e. with high prob­a­bil­i­ty a frac­ture will not occur).

Well–tried pres­sure coil springs may also be designed by:

  • use of care­ful­ly select­ed mate­ri­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cycling before use) and treat­ments (e. g. rolling and shot-peen­ing),
  • suf­fi­cient guid­ance of the spring, and
  • clear­ance between the turns less than the wire diam­e­ter when unloaded, and
  • suf­fi­cient force after a fracture(s) is main­tained (i. e. a fracture(s) will not lead to a dan­ger­ous con­di­tion).
Lim­it­ed range of force and sim­i­lar para­me­ters Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are break pin, break plate, torque lim­it­ing clutch.
Lim­it­ed range of speed and sim­i­lar para­me­ters Decide the nec­es­sary lim­i­ta­tion in rela­tion to the expe­ri­ence and appli­ca­tion. Exam­ples for lim­i­ta­tions are cen­trifu­gal gov­er­nor; safe mon­i­tor­ing of speed or lim­it­ed dis­place­ment.
Lim­it­ed range of envi­ron­men­tal para­me­ters Decide the nec­es­sary lim­i­ta­tions. Exam­ples on para­me­ters are tem­per­a­ture, humid­i­ty, pol­lu­tion at the instal­la­tion. See clause 8 and con­sid­er manufacturer’s appli­ca­tion notes.
Lim­it­ed range of reac­tion time, lim­it­ed hys­tere­sis Decide the nec­es­sary lim­i­ta­tions.
Con­sid­er e. g. spring tired­ness, fric­tion, lubri­ca­tion, tem­per­a­ture, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion,
com­bi­na­tion of tol­er­ances.

Use of Positive-Mode Operation

The use of these prin­ci­ples in the com­po­nents, as well as in the over­all design of the safe­guards is impor­tant. In devel­op­ing a sys­tem that uses ‘pos­i­tive mode oper­a­tion’, the mechan­i­cal link­age that oper­ates the elec­tri­cal con­tacts or the flu­id-pow­er valve that con­trols the prime-mover(s) (i.e. motors, cylin­ders, etc.), must act to direct­ly dri­ve the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will result in the inter­lock device stay­ing in the safe state (fail-safe or fail-to-safe­ty).

CSA Z432 [3] pro­vides us with a nice dia­gram that illus­trates the idea of “pos­i­tive-action” or “pos­i­tive-mode” oper­a­tion:

CSA Z432 Fig B.10 - Positive Mode Operation
Fig­ure 1 — Pos­i­tive Mode Oper­a­tion [3, B.10]

In Fig. 1, open­ing the guard door forces the roller to fol­low the cam attached to the door, dri­ving the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be dri­ven apart since the mechan­i­cal advan­tage pro­vid­ed by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an exam­ple of a ‘neg­a­tive mode’ oper­a­tion:

CSA Z432-04 Fig B.11 - Negative Mode operation
Fig­ure 2 — Neg­a­tive Mode oper­a­tion [3, B.11]

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-to-dan­ger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ con­di­tion.

You should have a bet­ter idea of what is meant when you read about pos­i­tive and neg­a­tive-modes of oper­a­tion now. We’ll talk about defeat resis­tance in anoth­er arti­cle.

Reliability

Com­bin­ing what you’ve learned so far, you can see that cor­rect­ly spec­i­fied com­po­nents, com­bined with over-dimen­sion­ing and imple­men­ta­tion of design lim­its along with the use of well-tried safe­ty prin­ci­ples will go a long way to improv­ing the reli­a­bil­i­ty of the con­trol sys­tem. The next part of the def­i­n­i­tion of Cat­e­go­ry 1 speaks to some addi­tion­al require­ments:

The MTTFd of each chan­nel shall be high.

The max­i­mum PL achiev­able with cat­e­go­ry 1 is PL = c.

NOTE 2 There is no diag­nos­tic cov­er­age (DCavg = none) with­in cat­e­go­ry 1 sys­tems. In such struc­tures (sin­gle-chan­nel sys­tems) the con­sid­er­a­tion of CCF is not rel­e­vant.

NOTE 3 When a fault occurs it can lead to the loss of the safe­ty func­tion. How­ev­er, the MTTFd of each chan­nel in cat­e­go­ry 1 is high­er than in cat­e­go­ry B. Con­se­quent­ly, the loss of the safe­ty func­tion is less like­ly.

We now know that the integri­ty of a Cat­e­go­ry 1 sys­tem is greater than a Cat­e­go­ry B sys­tem, since the chan­nel MTTFd of the sys­tem has gone from “Low-to-Medi­um” in sys­tems exhibit­ing PLa or PLb per­for­mance to “High” in sys­tems exhibit­ing PLb or PLc per­for­mance. [1, Table 5] shows this dif­fer­ence in terms of pre­dict­ed years to fail­ure. As you can see, MTTFd “High” results in a pre­dict­ed fail­ure rate between 30 and 100 years. This is a pret­ty good result for sim­ply improv­ing the com­po­nents used in the sys­tem!

Table 3 – Mean time to dangerous failure  [1, Table 5]
Table 3 – Mean time to dan­ger­ous fail­ure

The oth­er ben­e­fit is the increase in the over­all PL. Where Cat­e­go­ry B archi­tec­ture can pro­vide PLb per­for­mance at best, Cat­e­go­ry 1 takes this up a notch to PLc. To get a han­dle on what PLc means, let’s look at our sin­gle and three shift exam­ples again. If we take a Cana­di­an oper­a­tion with a sin­gle shift per day, and a 50 week work­ing year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PLc is equiv­a­lent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of oper­a­tion.

Look­ing at three shifts per day in the same oper­a­tion gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equiv­a­lent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of oper­a­tion.

When com­plet­ing the analy­sis of a sys­tem, [1] lim­its the sys­tem MTTFd to 100 years regard­less of what the indi­vid­ual chan­nel MTTFd may be. Where the actu­al MTTFd is impor­tant relates to the need to replace com­po­nents dur­ing the life­time of the prod­uct. If a com­po­nent or a sub-sys­tem has an MTTFd that is less than the mis­sion time of the sys­tem, then the com­po­nent or sub­sys­tem must be replaced by the time the prod­uct reach­es it’s MTTFd. 20 years is the default mis­sion time, but you can choose a short­er or longer time span if it makes sense.

Remem­ber that these are prob­a­bil­i­ties, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures sim­ply pro­vide a way for you as the design­er to gauge the rel­a­tive reli­a­bil­i­ty of the sys­tem.

Well-Tried Components versus Fault Exclusions

The stan­dard goes on to out­line some key dis­tinc­tions between ‘well-tried com­po­nent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions lat­er in the series.

It is impor­tant that a clear dis­tinc­tion between “well-tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

  • means to secure the fix­ing of the switch after its adjust­ment,
  • means to secure the fix­ing of the cam,
  • means to ensure the trans­verse sta­bil­i­ty of the cam,
  • means to avoid over trav­el of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
  • means to pro­tect it against dam­age from out­side.

[1, 6.2.4]

System Block Diagram

Final­ly, let’s look at the block dia­gram for Cat­e­go­ry 1. You will notice that it looks the same as the Cat­e­go­ry B block dia­gram, since only the com­po­nents used in the sys­tem have changed, and not the archi­tec­ture.

ISO 13849-1 Figure 9
Fig­ure 3 — Cat­e­go­ry 1 Block Dia­gram [1, Fig. 9]

References

[1]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. ISO Stan­dard 13849–1, Ed. 2. 2006.

[2]       Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion. ISO Stan­dard 13849–2, Ed. 2. 2012.

[3]       Safe­guard­ing of Machin­ery. CSA Stan­dard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stan­dards in your prod­ucts, you need to buy copies of the stan­dards for your library.

  • ISO 13849–1:2006 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • ISO 13849–2:2003 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.

If you are work­ing in the EU, or are work­ing on CE Mark­ing your prod­uct, you should hold the har­mo­nized ver­sion of this stan­dard, avail­able through the CEN resellers:

  • EN ISO 13849–1:2008 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design
  • EN ISO 13849–2:2012 Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 2: Val­i­da­tion

Next Installment

Watch for the next part of this series, “Inter­lock Archi­tec­tures – Pt. 3: Cat­e­go­ry 2″ where we expand on the first two cat­e­gories by adding some diag­nos­tic cov­er­age to improve reli­a­bil­i­ty.

Have ques­tions? Email me!

Digiprove sealCopy­right secured by Digiprove © 2011–2014
Acknowl­edge­ments: ISO, CSA. See ref­er­ences.
Some Rights Reserved