Interlock Architectures – Pt. 5: Category 4 — Control Reliable

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault-tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This installment of the series on system architectures examines Category 4 in depth. The definitions and requirements discussed in this article come from ISO 13849-1, Edition 2 (2006) and ISO 13849-2, Edition 1 (2003).

As with preceding articles in this series, I'll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I've answered your questions there.

The Definition

The Category 4 definition builds on both Category B and Category 3. As you read, recall that "SRP/CS" stands for "Safety Related Parts of the Control System". Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of "high" only.

In practice, the consideration of a fault combination of two faults may be sufficient.


Breaking it down

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, the use of well-tried safety principles, such as switching the +V rail side of the coil circuit for control components, is required. If you aren't sure about what constitutes a "well-tried safety principle", see the article on Category 2 where this is discussed. Don't confuse "well-tried safety principles" with "well-tried components". There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant it.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that category. In my opinion, this is the key difference between the two categories.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the "passing score" of 65 remains unchanged from the lower categories (see Annex F in ISO 13849-1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements with explicit statements. Notice that nowhere is there a requirement that single faults, or accumulations of single faults, be prevented; they need only be detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. Understanding first which components are critical to the safety function, and second what kinds of faults each component is likely to have, is fundamental to designing a diagnostic system that can detect those faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly resulting in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for "fault exclusion", a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high-probability faults that are likely to occur concurrently. If there are, you need to assess these combinations of faults, whether there are 5 or 50 to be evaluated.
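The two bullets above, as an added illustration (not code from the standard or from this article): a small Python model of the two-channel designated architecture that enumerates every single fault and every combination of undetected faults up to the depth Note 2 suggests. The element names I1/L1/O1/I2/L2/O2 follow the block diagram; the "stuck element" fault model and the two monitored-element sets are my assumptions.

```python
from itertools import combinations

# Toy model (added here; not from ISO 13849-1 or the article) of the designated
# architecture in Figure 12: channels I1-L1-O1 and I2-L2-O2 whose outputs act in
# series, so either channel alone can remove power from the hazard.
# Assumed fault model: any element can fail "stuck" and then never removes power.
CHANNELS = {1: ("I1", "L1", "O1"), 2: ("I2", "L2", "O2")}
ALL_ELEMENTS = CHANNELS[1] + CHANNELS[2]


def channel_removes_power(faults, ch):
    """A channel de-energises the output only if none of its elements is stuck."""
    return not any(e in faults for e in CHANNELS[ch])


def safety_function_performed(faults):
    """The safety function survives as long as at least one channel still opens."""
    return channel_removes_power(faults, 1) or channel_removes_power(faults, 2)


def assess_fault_tolerance(monitored, max_faults=2):
    """Check the two Category 4 bullets for a given set of monitored elements.

    'monitored' holds the elements whose failure the monitoring links ('m' in the
    block diagram) reveal at or before the next demand. Elements outside that set
    fail silently, so their faults can accumulate until a combination defeats both
    channels. max_faults=2 follows Note 2 ("two faults may be sufficient"); raise
    it when the fault list shows groups of likely concurrent faults.
    """
    single_fault_tolerated = all(safety_function_performed({e}) for e in ALL_ELEMENTS)
    undetected = [e for e in ALL_ELEMENTS if e not in monitored]
    dangerous_accumulations = [
        combo
        for n in range(2, max_faults + 1)
        for combo in combinations(undetected, n)
        if not safety_function_performed(set(combo))
    ]
    return {
        "single_fault_tolerated": single_fault_tolerated,
        "undetected_elements": undetected,
        "dangerous_accumulations": dangerous_accumulations,
        "meets_category_4_fault_criteria": single_fault_tolerated
        and not dangerous_accumulations,
    }


# Design A (assumed): inputs and logic are cross-monitored, but a failed output
# contactor is never revealed, i.e. low diagnostic coverage on the O elements.
DESIGN_A = {"I1", "L1", "I2", "L2"}
# Design B (assumed): every element, both outputs included, is monitored.
DESIGN_B = set(ALL_ELEMENTS)

if __name__ == "__main__":
    for name, monitored in (("A", DESIGN_A), ("B", DESIGN_B)):
        print(name, assess_fault_tolerance(monitored))
```

Design A tolerates every single fault yet fails the second bullet, because two silently welded contactors (O1 and O2) accumulate into a loss of the safety function; Design B leaves no undetected element to accumulate.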

Fault Exclusion

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Section 7.3 of ISO 13849-1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between "well-tried components" and "fault exclusion":

It is important that a clear distinction between "well-tried component" and "fault exclusion" (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

To assist the designer, ISO 13849-2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let's consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List

| # | Fault Description | Result | Likelihood |
|---|---|---|---|
| 1 | Key breaks off | Control system cannot determine guard position. Complete failure of system through a single fault. | Unlikely |
| 2 | Screws mounting key to guard fail | Control system cannot determine guard position. Complete failure of system through a single fault. | Unlikely |
| 3 | Screws mounting interlock device to guard fail | Control system cannot determine guard position. Complete failure of system through a single fault. | Unlikely |
| 4 | Key and interlock device misaligned | Guard cannot close, preventing machine from operating. | Very likely |
| 5 | Key and interlock device misaligned; key and/or interlock device damaged | Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device. | Likely |
| 6 | Screws mounting key to guard removed by user | Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard. | Likely |
| 7 | Screws mounting interlock device to guard removed by user | Probably combined with the preceding condition. Control system can no longer sense the position of the guard. | Unlikely, but could happen |

There may be more failure modes, but for the purpose of this discussion, let's limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include: misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing a sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread-locking adhesives when installing the screws to prevent them from vibrating loose, and "tamper-proof" style screw heads to deter unauthorized removal. Inclusion of these methods will support any decision to exclude these faults. This goes toward addressing faults 3, 6 and 7 as well.

Faults 4 and 5 occur frequently and are often caused by poor device selection (e.g. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (e.g. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). The rationale for prevention of these faults will need to include discussion of the design features that prevent these conditions.

Excluding any other kind of fault follows the same process: develop the fault list, assess each fault against the relevant Annex from ISO 13849-2, determine whether there are preventative measures that can be designed into the product, and whether these provide sufficient risk reduction to allow the exclusion of the fault from consideration.

DCavg and MTTFd requirements

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of "high" only.

The first sentence in Note 2 clarifies the two main differences from a design standpoint, aside from the additional fault tolerance requirements: better diagnostics are required, and much higher MTTFd is required for the individual components and therefore for each channel.

The Block Diagram

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This corrects the arrowed lines labeled "m" between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I've highlighted this area using red ovals on Figure 12 to make it easier to see.

ISO 13849-1 Figure 12 - Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the "m" lines are solid in Figure 12 and dashed in Figure 11? Subtle, but significant! There are no other differences between the diagrams.

ISO 13849-1 Figure 11

I went looking for a circuit diagram to support the block diagram, but wasn't able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn't too surprising. The basic physical construction of the two categories can be virtually identical.

Applications

The following is not from the standards — this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided to apply the Category 4 architecture without really understanding the design implications, because they believed it was "the best". With the change in the harmonization of EN 954-1 and ISO 13849-1 under the EU Machinery Directive that comes into force on 29-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954-1, I can easily imagine manufacturers taking the position that, since they already have Category 4 SRP/CS on their systems, they can simply state that they now have PLe SRP/CS system performance. This is a bad decision for a lot of reasons:

  1. ISO 13849-1 PLe, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Attempting to apply this level of design to machinery where a PLb performance level is more suitable based on a risk assessment is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, EN 692 for mechanical power presses or EN 693 for hydraulic power presses, will explicitly specify the PL required for these machines.
  2. Manufacturers have frequently claimed EN 954-1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system.

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant's published documents to cause some serious legal grief.

As designers involved with the safety of our company's products or with our co-workers' safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction, and ensure that the design criteria are met by validating the system once built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011–2012
Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved
