31-Dec-2011 — Are YOU ready?

This entry is part 8 of 8 in the series Circuit Architectures Explored

31-December-2011 marks a key milestone for machine builders marketing their products in the European Union, the EEA and many of the Candidate States. Functional Safety takes a positive step forward with the mandatory application of EN ISO 13849–1 and -2. As of 1-January-2012, the safety-related parts of the control systems on all machinery bearing a CE Mark will be required to meet these standards.

This change started six years ago, when these standards were first harmonized under the Machinery Directive. The EC Machinery Committee gave machine builders an additional three years to make the transition to these standards, after the original mandatory implementation date of 31-Dec-08 was announced and met with much opposition.

If you aren't aware of these standards, or if you aren't familiar with the concept of functional safety, you need to get up to speed, and fast.

Under EN 954–1:1995 and the 1st Edition of ISO 13849–1, published in 1999, a designer needed to select a design Category, or architecture, that would provide the degree of fault tolerance and reliability needed based on the outcome of the risk assessment for the machinery. The Categories, B and 1–4, remain unchanged in the 2nd Edition. I've talked about the Categories in detail in other posts, so I won't spend any time on them here.

The 2nd Edition brings Mean Time to Failure into the picture, along with Diagnostic Coverage and Common Cause Failures. These new concepts require designers to use more analytical techniques in developing their designs, and also require additional documentation (as usual!).

One of the main failings with EN 954–1 was Validation. This topic was supposed to have been covered by EN 954–2, but this standard was never published. This has led machine builders to make design decisions without keeping the necessary design documentation trail, and furthermore, to skip the Validation step entirely in many cases.

The missing Validation standard was finally published in 2003 as ISO 13849–2:2003, and subsequently adopted and harmonized in 2009 as EN ISO 13849–2:2003. While no mandatory implementation date for this standard is given in the current list of standards harmonized under 2006/42/EC-Machinery, use of Part 1 of the standard mandates use of Part 2, so this standard is effectively mandatory at the same time.

Part 2 brings a number of key annexes that are necessary for the implementation of Part 1, and also outlines the complete documentation trail needed for validation, and coincidentally, audit. Notified bodies will be looking for this information when evaluating the content of Technical Files used in CE Marking.

From a North American perspective, these two standards enter the picture through ANSI's adoption of ISO 10218 for Industrial Robots. Part 1 of this standard, covering the robot itself, was adopted last year. Part 2 of the standard will be adopted in 2012, and RIA R15.06 will be withdrawn. At the same time, CSA will be adopting the ISO standards and withdrawing CSA Z434.

These changes will finally bring North America, the International Community and the EU onto the same footing when it comes to Functional Safety in industrial machinery applications. The days of “SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED and CONTROL RELIABLE” are numbered.

Are you ready?

Compliance InSight Consulting will be offering a series of training events in 2012 on this topic. For more information, contact Doug Nix.

Interlock Architectures Pt. 6 — Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I've now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we'll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we've spent a lot of time talking about ISO 13849–1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories
(Columns of the original table: Category; Summary of requirements; System behaviour; Principle used to achieve safety; MTTFd of each channel; DCavg; CCF)

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06
(Columns of the original table: Category; CSA Z432-04 / Z434-03 summary of requirements; System behaviour; Principle used to achieve safety; RIA R15.06 (1999) summary of requirements)

Category: All
  CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA R15.06 (1999): Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (2)
  (2) These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849–1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954–1.) They are different. The committee believes that the criteria in 4.5.1–4.5.4 exceed the criteria of B — 3 respectively, and further believe the reverse is not true.

Category: SIMPLE
  CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
    Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06 (1999): Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

Category: SINGLE CHANNEL
  CSA Z432-04 / Z434-03: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers' recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06 (1999): Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers' recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

Category: SINGLE CHANNEL WITH MONITORING
  CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
      i) at machine start-up; and
      ii) periodically during operation (preferably at each change in state).
    b) The check shall either
      i) allow operation if no faults have been detected; or
      ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA R15.06 (1999): Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
      1) at machine start-up, and
      2) periodically during operation;
    b) The check shall either:
      1) allow operation if no faults have been detected, or
      2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

Category: CONTROL RELIABLE
  CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized primarily by structure.
  RIA R15.06 (1999): Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
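The monitoring requirements in the "single channel with monitoring" and "control reliable" rows above (check at start-up and periodically, allow operation only if no fault is found, stop when a fault is detected, hold the safe state until the fault is cleared, warn if a hazard remains after motion stops) can be written down as a small evaluator. The Python block below is an added example written for this page; it is not code from the post, from CSA or from RIA. The channel names, the discrepancy limit and the scan sequences are constructed for illustration, and the block goes a little beyond the text by using a cross-channel discrepancy check, which is one common way a dual-channel monitor detects a single-channel fault at the next demand (the guard opening) rather than at the moment the component fails.

```python
# Added example for this page (not code from the post, CSA or RIA): a
# dual-channel guard-interlock monitor implementing the checks listed in
# the table above. Channel names, the discrepancy limit and the scan
# sequences below are constructed for illustration.
from dataclasses import dataclass

# Constructed: number of consecutive scans the two channels may disagree
# (contact bounce, slightly different actuation points) before the
# disagreement is treated as a single-channel fault.
DISCREPANCY_LIMIT = 3


@dataclass
class DualChannelMonitor:
    """Evaluate two interlock contacts that must change state together.

    scan() returns one of:
      'run'   - both channels closed (guard closed) and no fault latched
      'stop'  - guard open, or a transient channel mismatch still inside the limit
      'fault' - a single-channel fault detected; the stop is held until reset()
    """
    fault_latched: bool = False   # safe state maintained until the fault is cleared
    mismatch_scans: int = 0       # consecutive scans with ch1 != ch2
    warn: bool = False            # set when stopped but a hazard remains

    def scan(self, ch1_closed: bool, ch2_closed: bool, hazard_remains: bool = False) -> str:
        """Periodic check; the first call after power-up is the start-up check."""
        if self.fault_latched:
            self.warn = hazard_remains
            return "fault"
        if ch1_closed != ch2_closed:
            # Both channels must respond to every demand (guard opening).
            # Sustained disagreement means one channel has failed or been bypassed.
            self.mismatch_scans += 1
            if self.mismatch_scans > DISCREPANCY_LIMIT:
                self.fault_latched = True
                self.warn = hazard_remains
                return "fault"
            return "stop"
        self.mismatch_scans = 0
        if ch1_closed and ch2_closed:
            self.warn = False
            return "run"
        self.warn = hazard_remains   # warning required if a hazard remains after the stop
        return "stop"

    def reset(self, ch1_closed: bool, ch2_closed: bool) -> bool:
        """Clear the latched fault only once the channels agree again."""
        if ch1_closed == ch2_closed:
            self.fault_latched = False
            self.mismatch_scans = 0
            self.warn = False
        return not self.fault_latched


def run_scans(samples) -> list:
    """Feed a sequence of (ch1_closed, ch2_closed) scans starting at power-up."""
    monitor = DualChannelMonitor()
    return [monitor.scan(ch1, ch2) for ch1, ch2 in samples]


# Constructed scan sequences.
NORMAL_CYCLE = [(True, True), (True, True), (False, False), (False, False), (True, True)]
STUCK_CHANNEL = [(True, True)] + [(False, True)] * 5   # ch2 never opens: welded contact or bypass

if __name__ == "__main__":
    print("normal cycle :", run_scans(NORMAL_CYCLE))
    print("stuck channel:", run_scans(STUCK_CHANNEL))
```

In the stuck-channel sequence the guard is opened but only one channel follows; the monitor commands a stop while the mismatch is within the limit and then latches a fault, which a later reset() refuses to clear until both channels read the same state. That latch is what turns "a safe state shall be maintained until the fault is cleared" into behaviour you can test.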

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note — ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218–1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I've been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to the robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218–1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard, instead of the ISO and the RIA standards; and 2) it brings in ISO 13849–1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954–1. These updates to the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954–1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee's assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849–1:2006 as a reference to EN ISO 10218–1 [6], replacing Section 4 of ANSI/RIA R15.06–1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849–1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954–1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218–1, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment — Safety Requirements — Part 1 — Robot”, ANSI/RIA/ISO 10218–1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.


Interlock Architectures – Pt. 5: Category 4 — Control Reliable

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This post will delve into the depths of this architecture in this installment on system architectures. The definitions and requirements discussed in this article come from ISO 13849–1, Edition 2 (2006) and ISO 13849–2, Edition 1 (2003).

As with preceding articles in this series, I'll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I've answered your questions there.

The Definition

The Category 4 definition builds on both Category B and Category 3. As you read, recall that “SRP/CS” stands for “Safety Related Parts of the Control System”. Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

In practice, the consideration of a fault combination of two faults may be sufficient.


Breaking it down

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, using well-tried safety principles, such as switching the +V rail side of the coil circuit for control components, is required. If you aren't sure about what constitutes a “well-tried safety principle”, see the article on Category 2 where this is discussed. Don't confuse “well-tried safety principles” with “well-tried components”. There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that Category. This is the key difference between the categories in my opinion.
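The difference described in the paragraph above is easy to see in a model. The Python block below is an added example written for this page, not code from the post or from ISO 13849: two redundant channels share a diagnostic that can only recognise certain fault kinds. A Category 3-like diagnostic sees "some, but not all" of them, so a fault kind it cannot see accumulates silently in both channels until a demand finds no healthy channel left; a Category 4-like diagnostic sees every fault kind at or before the next demand, so the first fault already takes the system to its safe state. The fault kinds, channel names and fault sequence are constructed for illustration.

```python
# Added example for this page (not code from the post or from ISO 13849):
# a minimal model of two redundant channels with diagnostics that cover
# only some fault kinds, to show why Category 3 tolerates a single fault
# but can still lose the safety function through accumulated undetected
# faults, while Category 4 must catch every fault before the next demand.
# Fault kinds, channel names and the fault sequence are constructed.
from dataclasses import dataclass, field

ALL_FAULT_KINDS = frozenset({"contact_welded", "coil_open", "wiring_short"})


@dataclass
class DualChannel:
    """Two redundant channels; a demand is met if either channel is healthy."""
    detectable: frozenset                  # fault kinds the diagnostics can see (DC)
    faults: dict = field(default_factory=lambda: {"ch1": set(), "ch2": set()})
    locked_safe: bool = False              # stop latched once a fault is detected

    def inject(self, channel: str, kind: str) -> None:
        """A component in `channel` fails with a fault of kind `kind`."""
        self.faults[channel].add(kind)

    def diagnose(self) -> bool:
        """The check run at each demand: detect any covered fault and latch safe."""
        for kinds in self.faults.values():
            if kinds & self.detectable:
                self.locked_safe = True
        return self.locked_safe

    def demand(self) -> str:
        """'safe_state' if diagnostics stopped the machine, 'performed' if a
        healthy channel acted, 'lost' if both channels are faulty and undetected."""
        if self.diagnose():
            return "safe_state"
        healthy = [ch for ch, kinds in self.faults.items() if not kinds]
        return "performed" if healthy else "lost"


def run_sequence(detectable: frozenset, fault_kind: str = "wiring_short") -> list:
    """Inject the same fault into each channel in turn, with a demand after each."""
    srp = DualChannel(detectable)
    outcomes = [srp.demand()]            # no faults yet
    srp.inject("ch1", fault_kind)        # first single fault
    outcomes.append(srp.demand())
    srp.inject("ch2", fault_kind)        # second fault, other channel
    outcomes.append(srp.demand())
    return outcomes


# Category 3-like: some, but not all, fault kinds are detected.
CAT3_LIKE = frozenset({"contact_welded", "coil_open"})
# Category 4-like: every fault kind is detected at or before the next demand.
CAT4_LIKE = ALL_FAULT_KINDS

if __name__ == "__main__":
    print("Cat 3-like, undetectable fault:", run_sequence(CAT3_LIKE))
    print("Cat 3-like, detectable fault  :", run_sequence(CAT3_LIKE, "coil_open"))
    print("Cat 4-like                    :", run_sequence(CAT4_LIKE))
```

The point of the model is that neither category prevents the first fault; both tolerate it. What separates them is whether the diagnostic can see that fault before a second one arrives, which is why the diagnostic coverage requirement, not the redundancy, is the line between Category 3 and Category 4. In a real assessment DC is a fraction of the dangerous failure rate rather than a set of fault kinds, but the logic is the same.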

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the “passing score” of 65 remains unchanged (see Annex F in ISO 13849–1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements by explicit statements. Notice that nowhere is there a requirement that single faults or accumulation of single faults be prevented, only detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. Understanding first which components are critical to the safety function, and second what kinds of faults each component is likely to have, is fundamental to being able to design a diagnostic system that can detect the faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if the common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly resulting in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for “fault exclusion”, a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high probability faults that are likely to occur concurrently. IF there are, you need to assess these combinations of faults, whether there are 5 or 50 to be evaluated.

Fault Exclusion

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Section 7.3 of ISO 13849–1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between “well-tried components” and “fault exclusion”:

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

To assist the designer, ISO 13849–2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let's consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List
(Columns of the original table: #; Fault Description; Result; Likelihood)

Fault 1: Key breaks off.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 2: Screws mounting key to guard fail.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 3: Screws mounting interlock device to guard fail.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 4: Key and interlock device misaligned.
  Result: Guard cannot close, preventing machine from operating.
  Likelihood: Very likely

Fault 5: Key and interlock device misaligned. Key and / or interlock device damaged.
  Result: Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device.
  Likelihood: Likely

Fault 6: Screws mounting key to guard removed by user.
  Result: Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard.
  Likelihood: Likely

Fault 7: Screws mounting interlock device to guard removed by user.
  Result: Probably combined with the preceding condition. Control system can no longer sense the position of the guard.
  Likelihood: Unlikely, but could happen.

There may be more failure modes, but for the purpose of this discussion, let’s limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing a sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread-locking adhesives when installing the screws to prevent them from vibrating loose, and “tamper-proof” style screw heads to deter unauthorized removal. Inclusion of these methods will support any decision to exclude these faults. This also goes toward addressing faults 3, 6 and 7.

Faults 4 and 5 occur frequently and are often caused by poor device selection (e.g. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (e.g. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). The rationale for prevention of these faults will need to include discussion of the design features that prevent these conditions.

Excluding any other kind of fault follows the same process: develop the fault list, assess each fault against the relevant Annex from ISO 13849–2, determine whether there are preventive measures that can be designed into the product, and decide whether those measures provide sufficient risk reduction to allow the exclusion of the fault from consideration.

DCavg and MTTFd requirements

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

The first sentence in Note 2 clarifies the two main differences from a design standpoint, aside from the additional fault tolerance requirements: better diagnostics are required, and the MTTFd requirements for each individual component, and therefore for each channel, are much higher.
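To make Note 2 concrete, here is an added illustration of my own (not code from the post, and not text from ISO) that runs the parts-count arithmetic of ISO 13849-1:2006 over one channel of a guard-interlock circuit and checks the result against the Category 3 and Category 4 rows of Table 10. It uses the Annex C conversion MTTFd = B10d / (0.1 × n_op) for electromechanical parts, the Annex D parts-count formula for channel MTTFd (reciprocal of the summed 1/MTTFd values, capped at 100 years), the Annex E formula for DCavg, and the bands of Tables 5 and 6. Every component name, B10d value, DC figure and the operating profile are constructed for the example, not taken from any data sheet, and both channels are assumed to be built from the same parts.

```python
"""Parts-count check of one SRP/CS channel against Note 2 (DCavg and MTTFd).

Added illustration, not code from the post and not ISO text.  Formulas from
ISO 13849-1:2006: Annex C, MTTFd = B10d / (0.1 * n_op); Annex D, channel
MTTFd = 1 / sum(1 / MTTFd_i), capped at 100 years; Annex E, DCavg =
sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i).  All component data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

MTTFD_CAP_YEARS = 100.0  # the 2006 edition caps each channel's MTTFd at 100 years

@dataclass
class Component:
    name: str
    dc: float                            # diagnostic coverage, 0.0 .. 1.0
    mttfd_years: Optional[float] = None  # MTTFd stated by the maker, if any
    b10d: Optional[float] = None         # or B10d cycles (electromechanical)

def n_op(d_op: int, h_op: float, t_cycle_s: float) -> float:
    """Mean operations per year: days/year * hours/day * 3600 / cycle time [s]."""
    return d_op * h_op * 3600.0 / t_cycle_s

def component_mttfd(c: Component, ops_per_year: float) -> float:
    """MTTFd of one component in years; derived from B10d when not stated."""
    if c.mttfd_years is not None:
        return c.mttfd_years
    if c.b10d is None:
        raise ValueError(f"{c.name}: need mttfd_years or b10d")
    return c.b10d / (0.1 * ops_per_year)

def channel_mttfd(parts: List[Component], ops_per_year: float) -> float:
    """Parts count: reciprocal of the summed failure rates, capped at 100 years."""
    rate = sum(1.0 / component_mttfd(c, ops_per_year) for c in parts)
    return min(1.0 / rate, MTTFD_CAP_YEARS)

def dc_avg(parts: List[Component], ops_per_year: float) -> float:
    """Annex E: DC weighted by failure rate, so an unreliable, poorly
    monitored part drags the average down the most."""
    rates = [1.0 / component_mttfd(c, ops_per_year) for c in parts]
    return sum(c.dc * r for c, r in zip(parts, rates)) / sum(rates)

def mttfd_band(years: float) -> str:
    """Table 5: low 3..10, medium 10..30, high 30..100 years."""
    for limit, band in ((3, "not allowed"), (10, "low"), (30, "medium")):
        if years < limit:
            return band
    return "high"

def dc_band(dc: float) -> str:
    """Table 6: none <60 %, low 60..90 %, medium 90..99 %, high >=99 %.
    Rounded first so 0.98999999 from float arithmetic still reads as 99 %."""
    dc = round(dc, 6)
    for limit, band in ((0.60, "none"), (0.90, "low"), (0.99, "medium")):
        if dc < limit:
            return band
    return "high"

def assess_channel(parts: List[Component], ops_per_year: float) -> dict:
    """Evaluate one channel (both channels assumed identical) against the
    Category 3 and Category 4 rows of Table 10."""
    m = channel_mttfd(parts, ops_per_year)
    d = dc_avg(parts, ops_per_year)
    mb, db = mttfd_band(m), dc_band(d)
    return {
        "mttfd_years": m, "mttfd_band": mb, "dcavg": d, "dcavg_band": db,
        # Category 3: DCavg low or medium (Table 10 lists no "high" row for
        # Category 3, so a high DCavg is accepted but earns no extra credit),
        # channel MTTFd anywhere from low to high.
        "category_3_ok": mb != "not allowed" and db != "none",
        # Category 4 (Note 2): DCavg high and channel MTTFd "high" only.
        "category_4_ok": mb == "high" and db == "high",
    }

# Constructed operating profile: 365 days, 16 h/day, one guard cycle a minute.
OPS_PER_YEAR = n_op(d_op=365, h_op=16, t_cycle_s=60)

# Design A: the "Category 4 because the safety relay is rated for it" design.
DESIGN_A = [
    Component("guard interlock switch, cross-monitored", dc=0.99, b10d=2_000_000),
    Component("safety relay logic", dc=0.99, mttfd_years=150),
    Component("contactor, one shut-off path monitored", dc=0.90, b10d=1_300_000),
]

# Design B: same circuit, a longer-life contactor with mirror-contact feedback.
DESIGN_B = [
    Component("guard interlock switch, cross-monitored", dc=0.99, b10d=2_000_000),
    Component("safety relay logic", dc=0.99, mttfd_years=150),
    Component("contactor, mirror-contact feedback", dc=0.99, b10d=5_000_000),
]

if __name__ == "__main__":
    for label, parts in (("A", DESIGN_A), ("B", DESIGN_B)):
        r = assess_channel(parts, OPS_PER_YEAR)
        print(f"Design {label}: MTTFd {r['mttfd_years']:.1f} y ({r['mttfd_band']}), "
              f"DCavg {r['dcavg']:.1%} ({r['dcavg_band']}), "
              f"Cat 3 {r['category_3_ok']}, Cat 4 {r['category_4_ok']}")
```

With these constructed numbers Design A comes out at a channel MTTFd of about 19.6 years (medium) and a DCavg of about 94 % (medium): acceptable for Category 3, but not the high/high that Note 2 demands for Category 4, even though the safety relay on its own is rated far above the threshold. Design B, which is the same circuit with a contactor of longer life whose mirror contacts are monitored directly, lands at about 32 years (high) with a DCavg of 99 % (high) and satisfies Category 4. The physical construction barely changes; the category is decided by the reliability and the monitoring of every part in the channel.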

The Block Diagram

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This corrects the arrowed lines labeled “m” between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I’ve highlighted this area using red ovals on Figure 12 to make it easier to see.

ISO 13849–1 Figure 12 — Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the “m” lines are solid in Figure 12 and dashed in Figure 11? Subtle, but significant! There are no other differences between the diagrams.

ISO 13849–1 Figure 11 — Category 3 Block Diagram

I went looking for a circuit diagram to support the block diagram, but wasn’t able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn’t too surprising. The basic physical construction of the two categories can be virtually identical.

Applications

The following is not from the standards — this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided that they were going to apply Category 4 architecture without really understanding the design implications, because they believed that it was “the best”. With the change in the harmonization of EN 954–1 and ISO 13849–1 under the EU Machinery Directive that comes into force on 29-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954–1, I can easily imagine manufacturers taking the approach that, since they already have Category 4 SRP/CS on their systems, they can simply state that they now have PLe SRP/CS performance. This is a bad decision for a lot of reasons:

  1. ISO 13849–1 PLe, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Attempting to apply this level of design to machinery where a PLb performance level is more suitable based on a risk assessment is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, EN 692 for mechanical power presses or EN 693 for hydraulic power presses, will explicitly specify the PL required for these machines.
  2. Manufacturers have frequently claimed EN 954–1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system.

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant’s published documents to cause some serious legal grief.

As designers involved with the safety of our company’s products or with our co-workers’ safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction, and ensure that the design criteria are met by validating the system once built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011–2012
Acknowledgements: ISO for excerpts from ISO 13849–1 and more…
Some Rights Reserved