The most reli­able of the five sys­tem archi­tec­tures, Category 4 is the only archi­tec­ture that uses multiple-​​fault tol­er­ant tech­niques to help ensure that com­po­nent fail­ures do not result in an unac­cept­able expo­sure to risk. This post will delve into the depths of this archi­tec­ture in this install­ment on sys­tem archi­tec­tures. The def­i­n­i­tions and require­ments dis­cussed in this arti­cle come from ISO 13849–1, Edition 2 (2006) and ISO 13849–2, Edition 1 (2003).

As with pre­ced­ing arti­cles in this series, I’ll be build­ing on con­cepts dis­cussed in those arti­cles. If you need more infor­ma­tion, you should have a look at the pre­vi­ous arti­cles to see if I’ve answered your ques­tions there.

The Definition

The Category 4 def­i­n­i­tion builds on both Category B and Category 3. As you read, recall that “SRP/​CS” stands for “Safety Related Parts of the Control System”. Here is the com­plete definition:

6.2.7 Category 4
For cat­e­gory 4, the same require­ments as those accord­ing to 6.2.3 for cat­e­gory B shall apply. “Well-​​tried safety prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.
SRP/​CS of cat­e­gory 4 shall be designed such that

• a sin­gle fault in any of these safety-​​related parts does not lead to a loss of the safety func­tion, and
• the sin­gle fault is detected at or before the next demand upon the safety func­tions, e.g. imme­di­ately, at switch on, or at end of a machine oper­at­ing cycle, but if this detec­tion is not pos­si­ble, then an accu­mu­la­tion of unde­tected faults shall not lead to the loss of the safety function.

The diag­nos­tic cov­er­age (DC_avg) of the total SRP/​CS shall be high, includ­ing the accu­mu­la­tion of faults. The MTTF_d of each of the redun­dant chan­nels shall be high. Measures against CCF shall be applied (see
Annex F).

NOTE 1 Category 4 sys­tem behav­iour allows that

• when a sin­gle fault occurs the safety func­tion is always performed,
• the faults will be detected in time to pre­vent the loss of the safety function,
• accu­mu­la­tion of unde­tected faults is taken into account.

NOTE 2 The dif­fer­ence between cat­e­gory 3 and cat­e­gory 4 is a higher DC_avg in cat­e­gory 4 and a required MTTF_d of each chan­nel of “high” only.

In prac­tice, the con­sid­er­a­tion of a fault com­bi­na­tion of two faults may be sufficient.

5% Discount on ISO and IEC Standards with code: CC2011

Breaking it down

For cat­e­gory 4, the same require­ments as those accord­ing to 6.2.3 for cat­e­gory B shall apply. “Well-​​tried safety prin­ci­ples” accord­ing to 6.2.4 shall also be followed.

The first two sen­tences give the basic require­ment for all the cat­e­gories from 2 through 4. Sound com­po­nent selec­tion based on the appli­ca­tion require­ments for volt­age, cur­rent, switch­ing capa­bil­ity and life­time must be con­sid­ered. In addi­tion, using well tried safety prin­ci­ples, such as switch­ing the +V rail side of the coil cir­cuit for con­trol com­po­nents is required. If you aren’t sure about what con­sti­tutes a “well-​​tried safety prin­ci­ple”, see the arti­cle on Category 2 where this is dis­cussed. Don’t con­fuse “well-​​tried safety prin­ci­ples” with “well-​​tried com­po­nents”. There is no require­ment in Category 4 for the use of well-​​tried com­po­nents, although you can use them for addi­tional reli­a­bil­ity if the design require­ments warrant.

In addi­tion, the fol­low­ing applies.
SRP/​CS of cat­e­gory 4 shall be designed such that

• a sin­gle fault in any of these safety-​​related parts does not lead to a loss of the safety func­tion, and
• the sin­gle fault is detected at or before the next demand upon the safety func­tions, e.g. imme­di­ately, at switch on, or at end of a machine oper­at­ing cycle, but if this detec­tion is not pos­si­ble, then an accu­mu­la­tion of unde­tected faults shall not lead to the loss of the safety function.

This is the big one. This para­graph, and the two bul­lets that fol­low it, define the fun­da­men­tal per­for­mance require­ments for this cat­e­gory. No sin­gle fault can lead to the loss of the safety func­tion in Category 4, and test­ing is required that can detect fail­ures and pre­vent an accu­mu­la­tion of faults that could even­tu­ally lead to the loss of the safety func­tion. The sec­ond bul­let is the one that defines the multiple-​​fault-​​tolerance require­ment for this cat­e­gory. If you go back to the def­i­n­i­tion of Category 3, you will see that an accu­mu­la­tion of faults may lead to the loss of the safety func­tion in that Category. This is the key dif­fer­ence between the cat­e­gories in my opinion.

The diag­nos­tic cov­er­age (DC_avg) of the total SRP/​CS shall be high, includ­ing the accu­mu­la­tion of faults. The MTTF_d of each of the redun­dant chan­nels shall be high. Measures against CCF shall be applied (see
Annex F).

These three sen­tences give the designer the cri­te­ria for diag­nos­tic cov­er­age, chan­nel fail­ure rates and com­mon cause fail­ure pro­tec­tion. As you can see, the abil­ity to diag­nose fail­ures auto­mat­i­cally is a crit­i­cal part of the design, as is the use of highly reli­able com­po­nents, lead­ing to highly reli­able chan­nels. The strongest CCF pro­tec­tion you can include in the design is also needed, although the “pass­ing score” of 65 remains unchanged (see Annex F in ISO 13849–1 for more details on scor­ing your design).

NOTE 1 Category 4 sys­tem behav­iour allows that

• when a sin­gle fault occurs the safety func­tion is always performed,
• the faults will be detected in time to pre­vent the loss of the safety function,
• accu­mu­la­tion of unde­tected faults is taken into account.

Note 2: …In prac­tice, the con­sid­er­a­tion of a fault com­bi­na­tion of two faults may be sufficient.

Note 1 expands on the first para­graph in the def­i­n­i­tion, fur­ther clar­i­fy­ing the per­for­mance require­ments by explicit state­ments. Notice that nowhere is there a require­ment that sin­gle faults or accu­mu­la­tion of sin­gle faults be pre­vented, only detected by the diag­nos­tic sys­tem. Prevention of sin­gle faults is nearly impos­si­ble, since com­po­nents do fail. It is impor­tant to first under­stand which com­po­nents are crit­i­cal to the safety func­tion, and sec­ond, what kinds of faults each com­po­nent is likely to have, is fun­da­men­tal to being able to design a diag­nos­tic sys­tem that can detect the faults.

The cat­e­gory relies on redun­dancy to ensure that the com­plete loss of one chan­nel will not cause the loss of the safety func­tion, but this is only use­ful if the com­mon cause fail­ures have been prop­erly dealt with. Otherwise, a sin­gle event could wipe out both chan­nels simul­ta­ne­ously, caus­ing the loss of the safety func­tion and pos­si­bly result in an injury or fatality.

Also notice that mul­ti­ple sin­gle faults are per­mit­ted, as long as the accu­mu­la­tion does not result in the loss of the safety func­tion. ISO 13849 allows for “fault exclu­sion”, a con­cept that is not used in the North American standards.

The final sen­tence from Note 2 sug­gests that con­sid­er­a­tion of two con­cur­rent faults may be enough, but be care­ful. You need to look closely at the fault lists to see if there are any groups of high prob­a­bil­ity faults that are likely to occur con­cur­rently. IF there are, you need to assess these com­bi­na­tions of faults, whether there are 5 or 50 to be evaluated.

Fault Exclusion

Fault exclu­sion involves assess­ing the types of faults that can occur in each com­po­nent in the crit­i­cal path of the sys­tem. The deci­sion to exclude cer­tain kinds of faults is always a tech­ni­cal com­pro­mise between the the­o­ret­i­cal improb­a­bil­ity of the fault, the exper­tise of the designer(s) and engi­neers involved and the spe­cific tech­ni­cal require­ments of the appli­ca­tion. Whenever the deci­sion is made to exclude a par­tic­u­lar type of fault, the deci­sion and the process used to make it must be doc­u­mented in the Reliability Report included in the design file. Section 7.3 of ISO 13849–1 pro­vides guid­ance on fault exclusion.

In the sec­tion dis­cussing Category 1, the stan­dard has this to say about fault exclu­sion, and the dif­fer­ence between “well-​​tried com­po­nents” and “fault exclusion”:

It is impor­tant that a clear dis­tinc­tion between “well-​​tried com­po­nent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fi­ca­tion of a com­po­nent as being well-​​tried depends on its appli­ca­tion. For exam­ple, a posi­tion switch with pos­i­tive open­ing con­tacts could be con­sid­ered as being well-​​tried for a machine tool, while at the same time as being inap­pro­pri­ate for appli­ca­tion in a food indus­try — in the milk indus­try, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate mea­sures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tional mea­sures out­side the con­trol sys­tem may be nec­es­sary. In the case of a posi­tion switch, some exam­ples of these kinds of mea­sures are

• means to secure the fix­ing of the switch after its adjustment,
• means to secure the fix­ing of the cam,
• means to ensure the trans­verse sta­bil­ity of the cam,
• means to avoid over-​​travel of the posi­tion switch, e.g. ade­quate mount­ing strength of the shock absorber and any align­ment devices, and
• means to pro­tect it against dam­age from outside.

To assist the designer, ISO 13849–2 pro­vides lists of typ­i­cal faults and the allow­able exclu­sions in Annex D.5. As an exam­ple, let’s con­sider the typ­i­cal sit­u­a­tion where a robust guard inter­lock­ing device has been selected. The deci­sion has been made to use redun­dant elec­tri­cal cir­cuits to the switch­ing com­po­nents in the inter­lock, so elec­tri­cal faults can be detected. But what about mechan­i­cal fail­ures? A fault list is needed:

There may be more fail­ure modes, but for the pur­pose of this dis­cus­sion, lets limit them to this list.

Looking at Fault 1, there are a num­ber of things that could result in a bro­ken key. They include: mis­align­ment of the key and the inter­lock device, lack of main­te­nance on the guard and the inter­lock­ing hard­ware, or inten­tional dam­age by a user. Unless the hard­ware is excep­tion­ally robust, includ­ing the design of the guard and any align­ment fea­tures incor­po­rated in the guard­ing, devel­op­ing sound ratio­nale for exclud­ing this fault will be very difficult.

Fault 2 con­sid­ers mechan­i­cal fail­ure of the mount­ing screws for the inter­lock key. Screws are con­sid­ered to be well-​​tried com­po­nents (see Annex A.5), so you can con­sider them for fault exclu­sion. You can improve their reli­a­bil­ity by using thread lock­ing adhe­sives when installing the screws to pre­vent them from vibrat­ing loose, and “tamper-​​proof” style screw heads to deter unau­tho­rized removal. Inclusion of these meth­ods will sup­port any deci­sion to exclude these faults. This goes to address­ing faults 3, 6 and 7 as well.

Faults 4 & 5 occur fre­quently and are often caused by poor device selec­tion (i.e. an inter­lock device intended for straight-​​line sliding-​​gate appli­ca­tions is cho­sen for a hinged gate), or by poor guard design (i.e. the guard is poorly guided by the reten­tion mech­a­nism and can be closed in a mis­aligned con­di­tion). Rationale for pre­ven­tion of these faults will need to include dis­cus­sion of design fea­tures that will pre­vent these conditions.

Excluding any other kind of fault fol­lows the same process: Develop the fault list, assess each fault against the rel­e­vant Annex from ISO 13849–2, deter­mine if there are pre­ven­ta­tive mea­sures that can be designed into the prod­uct and whether these pro­vide suf­fi­cient risk reduc­tion to allow the exclu­sion of the fault from consideration.

DC_avg and MTTF_d requirements

NOTE 2 The dif­fer­ence between cat­e­gory 3 and cat­e­gory 4 is a higher DC_avg in cat­e­gory 4 and a required MTTF_d of each chan­nel of “high” only.

The first sen­tence in Note 2 clar­i­fies the two main dif­fer­ences from a design stand­point, aside from the addi­tional fault tol­er­ance require­ments: Better diag­nos­tics are required and much higher require­ments for indi­vid­ual com­po­nent, and there­fore chan­nel, MTTF_d.

The Block Diagram

The block dia­gram for Category 4 is almost iden­ti­cal to Category 3, and was updated by Corrigendum 1 to the dia­gram shown below. The text from the cor­ri­gen­dum that accom­pa­nies the dia­gram has this to say about the change:

Replace the draw­ing show­ing the des­ig­nated archi­tec­ture for cat­e­gory 4 with the fol­low­ing draw­ing. This
cor­rects the arrowed lines labeled “m” between L1 and O1, and L2 and O2, by chang­ing them from dashed to solid lines, rep­re­sent­ing higher diag­nos­tic coverage.

I’ve high­lighted this area using red ovals on Figure 12 to make it eas­ier to see .

ISO 13849–1 Figure 12 — Category 4 Block Diagram

Here is Figure 11 for com­par­i­son. Notice that the “m” lines are solid in Figure 12 and dashed in Figure 11? Subtle, but sig­nif­i­cant! There are no other dif­fer­ences between the diagrams.

I went look­ing for a cir­cuit dia­gram to sup­port the block dia­gram, but wasn’t able to find one from a com­mer­cial source that I could share with you. Considering that the pri­mary dif­fer­ences are in the reli­a­bil­ity of the com­po­nents cho­sen and in the way the test­ing is done, this isn’t too sur­pris­ing. The basic phys­i­cal con­struc­tion of the two cat­e­gories can be vir­tu­ally identical.

Applications

The fol­low­ing is not from the stan­dards — this is my per­sonal opin­ion, based on 15 years of practice.

In the past, many man­u­fac­tur­ers decided that they were going to apply Category 4 archi­tec­ture with­out really under­stand­ing the design impli­ca­tions, because they believed that it was “the best”. With the change in the har­mo­niza­tion of EN 954–1 and ISO 13849–1 under the EU machin­ery direc­tive that comes into force on 29-​​Dec-​​2011, and con­sid­er­ing the great dif­fi­culty that many man­u­fac­tur­ers had in prop­erly imple­ment­ing EN 954–1, I can eas­ily imag­ine man­u­fac­tur­ers who have taken the approach that they already have Category 4 SRP/​CS on their sys­tems and mak­ing the state­ment that they now have PL_e SRP/​CS sys­tem per­for­mance. This is a bad deci­sion for a lot of reasons:

1. ISO 13849–1 PL_e, Category 4 sys­tems should be reserved for very dan­ger­ous machin­ery where the tech­ni­cal effort and expense involved is war­ranted by the risk assess­ment. Attempting to apply this level of design to machin­ery where a PL_b per­for­mance level is more suit­able based on a risk assess­ment, is a waste of design time and effort and a need­less expense. The prod­uct fam­ily stan­dards for these types of machines, such as EN 201 for plas­tic injec­tion mould­ing machines, or EN 692 for Mechanical Power Presses or EN 693 for Hydraulic Power Presses will explic­itly spec­ify the PL level required for these machines.
2. Manufacturers have fre­quently claimed EN 954–1 Category 4 per­for­mance based on the rat­ing of the safety relay alone, with­out under­stand­ing that the rest of the SRP/​CS must be con­sid­ered, and clearly this is wrong. The SRP/​CS must be eval­u­ated as a com­plete system.

This lack of under­stand­ing endan­gers the users, the main­te­nance per­son­nel, the own­ers and the man­u­fac­tur­ers. If they con­tinue this approach and an injury occurs, it is my opin­ion that the courts will have more than enough evi­dence in the defendant’s pub­lished doc­u­ments to cause some seri­ous legal grief.

As design­ers involved with the safety of our company’s prod­ucts or with our co-worker’s safety, I believe that we owe it to every­one who uses our prod­ucts to be edu­cated and to cor­rectly apply these con­cepts. The fact that you have read all of the posts lead­ing up to this one is evi­dence that you are work­ing on get­ting educated.

Always con­duct a risk assess­ment and use the out­come from that work to guide your selec­tion of safe­guard­ing mea­sures, com­ple­men­tary pro­tec­tive mea­sures and the per­for­mance of the SRP/​CS that ties those sys­tems together. Choose per­for­mance lev­els that make sense based on the required risk reduc­tion and ensure that the design cri­te­ria is met by val­i­dat­ing the sys­tem once built.

As always, I wel­come your com­ments and ques­tions! Please feel free to com­ment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011

Acknowledgements: ISO for excerpts from ISO 13849–1 and more…

Some Rights Reserved