Interlock Architectures – Pt. 3: Category 2

This entry is part 3 of 8 in the series Cir­cuit Archi­tec­tures Explored

This arti­cle explores the require­ments for safe­ty relat­ed con­trol sys­tems meet­ing ISO 13849–1 Cat­e­go­ry 2 require­ments. “Gotcha!” points in the def­i­n­i­tion are high­light­ed to help design­ers avoid this com­mon pit­falls.

In the first two posts in this series, we looked at Cat­e­go­ry B, the Basic cat­e­go­ry of sys­tem archi­tec­ture, and then moved on to look at Cat­e­go­ry 1. Cat­e­go­ry B under­pins Cat­e­gories 2, 3 and 4. In this post we’ll look more deeply into Cat­e­go­ry 2.

Let’s start by look­ing at the def­i­n­i­tion for Cat­e­go­ry 2, tak­en from ISO 13849–1:2007. Remem­ber that in these excerpts, SRP/CS stands for Safe­ty Relat­ed Parts of Con­trol Sys­tems.

Definition

6.2.5 Category 2

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/CS of cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The check itself shall not lead to a haz­ardous sit­u­a­tion (e.g. due to an increase in response time). The check­ing equip­ment may be inte­gral with, or sep­a­rate from, the safe­ty-relat­ed part(s) pro­vid­ing the safe­ty func­tion.

The max­i­mum PL achiev­able with cat­e­go­ry 2 is PL = d.

NOTE 1 In some cas­es cat­e­go­ry 2 is not applic­a­ble because the check­ing of the safe­ty func­tion can­not be applied to all com­po­nents.

NOTE 2 Cat­e­go­ry 2 sys­tem behav­iour allows that

  • the occur­rence of a fault can lead to the loss of the safe­ty func­tion between checks,
  • the loss of safe­ty func­tion is detect­ed by the check.

NOTE 3 The prin­ci­ple that sup­ports the valid­i­ty of a cat­e­go­ry 2 func­tion is that the adopt­ed tech­ni­cal pro­vi­sions, and, for exam­ple, the choice of check­ing fre­quen­cy can decrease the prob­a­bil­i­ty of occur­rence of a dan­ger­ous sit­u­a­tion.

ISO 13849-1 Figure 10
Fig­ure 1 — Cat­e­go­ry 2 Block dia­gram [1, Fig.10]

Breaking it down

Let start by tak­ing apart the def­i­n­i­tion a piece at a time and look­ing at what each part means. I’ll also show a sim­ple cir­cuit that can meet the require­ments.

Category B & Well-tried Safety Principles

The first para­graph speaks to the build­ing block approach tak­en in the stan­dard:

For cat­e­go­ry 2, the same require­ments as those accord­ing to 6.2.3 for cat­e­go­ry B shall apply. “Well–tried safe­ty prin­ci­ples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Sys­tems meet­ing Cat­e­go­ry 2 are required to meet all of the same require­ments as Cat­e­go­ry B, as far as the com­po­nents are con­cerned. Oth­er require­ments for the cir­cuits are dif­fer­ent, and we will look at those in a bit.

Self-Testing required

Cat­e­go­ry 2 brings in the idea of diag­nos­tics. If cor­rect­ly spec­i­fied com­po­nents have been select­ed (Cat­e­go­ry B), and are applied fol­low­ing ‘well-tried safe­ty prin­ci­ples’, then adding a diag­nos­tic com­po­nent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-tol­er­ance’ or the abil­i­ty to func­tion cor­rect­ly even when some aspect of the sys­tem has failed.

Let’s look at the text:

SRP/CS of Cat­e­go­ry 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safe­ty function(s) shall be per­formed

  • at the machine start-up, and
  • pri­or to the ini­ti­a­tion of any haz­ardous sit­u­a­tion, e.g. start of a new cycle, start of oth­er move­ments, and/or
  • peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is nec­es­sary.

The ini­ti­a­tion of this check may be auto­mat­ic. Any check of the safe­ty function(s) shall either

  • allow oper­a­tion if no faults have been detect­ed, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detect­ed.

When­ev­er pos­si­ble this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­si­ble to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall pro­vide a warn­ing of the haz­ard.

Peri­od­ic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e. a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion the integri­ty of the SRP/CS must be test­ed at the start of a cycle or haz­ardous peri­od, and poten­tial­ly peri­od­i­cal­ly dur­ing oper­a­tion if the risk assess­ment indi­cates that this is nec­es­sary. The test­ing fre­quen­cy must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rupt­ed every 30 s dur­ing nor­mal oper­a­tion requires a min­i­mum test rate of once every 0.3 s, or 200x per minute or more.

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­al­ly is. As long as the sys­tem integri­ty is good, then the out­put is allowed to remain on, and the machin­ery or process can run.

Watch Out!

Notice that the words ‘when­ev­er pos­si­ble’ are used in the last para­graph in this part of the def­i­n­i­tion where the stan­dard speaks about ini­ti­a­tion of a safe state. This word­ing alludes to the fact that these sys­tems are still prone to faults that can lead to the loss of the safe­ty func­tion, and so can­not be called tru­ly ‘fault-tol­er­ant’. Loss of the safe­ty func­tion must be detect­ed by the mon­i­tor­ing sys­tem and a safe state ini­ti­at­ed. This requires care­ful thought, since the safe­ty sys­tem com­po­nents may have to inter­act with the process con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safe­ty sys­tem itself has failed. Also note that it is not pos­si­ble to use fault exclu­sions in Cat­e­go­ry 2 archi­tec­ture, because the sys­tem is not fault tol­er­ant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­po­nents used in that chan­nel meet Cat­e­go­ry B require­ments, can the diag­nos­tic com­po­nent be pro­vid­ed by a mon­i­tor­ing the sys­tem with a stan­dard PLC? The answer to this is YES. Test equip­ment (called TE in Fig. 1) is specif­i­cal­ly exclud­ed, and Cat­e­go­ry 2 DOES NOT require the use of well-tried com­po­nents, only well-tried safe­ty prin­ci­ples.

Final­ly, for the faults that can be detect­ed by the mon­i­tor­ing sys­tem, detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Gen­er­al­ly, detec­tion of a fault should pre­vent the sub­se­quent reset of the sys­tem until the fault is cleared or repaired.

Test­ing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-the-fly’ and with­out intro­duc­ing any delay in the sys­tem com­pared to how it would have oper­at­ed with­out the test­ing incor­po­rat­ed. Test equip­ment can be inte­grat­ed into the safe­ty sys­tem or be exter­nal to it.

One more ‘gotcha’

Note 1 in the def­i­n­i­tion high­lights a sig­nif­i­cant pit­fall for many design­ers: if all of the com­po­nents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­for­mi­ty to Cat­e­go­ry 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indi­cat­ing that all three must be includ­ed in the mon­i­tor­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Cat­e­go­ry 2 must be down­grad­ed to Cat­e­go­ry 1 in cas­es where all the com­po­nents in the func­tion­al chan­nel can­not be test­ed. This is a major point and one which many design­ers miss when devel­op­ing their sys­tems.

Calculation of MTTFd

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTFd.

For the des­ig­nat­ed archi­tec­ture of cat­e­go­ry 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

Cal­cu­la­tion of the fail­ure rate focus­es on the func­tion­al chan­nel, not on the mon­i­tor­ing sys­tem, mean­ing that the fail­ure rate of the mon­i­tor­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTFd of each com­po­nent in the func­tion­al chan­nel is cal­cu­lat­ed and then the MTTFd of the total chan­nel is cal­cu­lat­ed.

The Diag­nos­tic Cov­er­age (DCavg) is also cal­cu­lat­ed based exclu­sive­ly on the com­po­nents in the func­tion­al chan­nel, so when deter­min­ing what per­cent­age of the faults can be detect­ed by the mon­i­tor­ing equip­ment, only faults in the func­tion­al chan­nel are con­sid­ered.

This high­lights the fact that a fail­ure of the mon­i­tor­ing sys­tem can­not be detect­ed, so a sin­gle fail­ure in the mon­i­tor­ing sys­tem that results in the sys­tem fail­ing to detect a sub­se­quent nor­mal­ly detectable fail­ure in the func­tion­al chan­nel will result in the loss of the safe­ty func­tion.

Summing Up

The next para­graph sums up the lim­its of this par­tic­u­lar archi­tec­ture:

The diag­nos­tic cov­er­age (DCavg) of the total SRP/CS includ­ing fault-detec­tion shall be low. The MTTFd of each chan­nel shall be low-to-high, depend­ing on the required per­for­mance lev­el (PLr). Mea­sures against CCF shall be applied (see Annex F).

The first sen­tence reflects back to the pre­vi­ous para­graph on diag­nos­tic cov­er­age, telling you, as the design­er, that you can­not make a claim to any­thing more than LOW DC cov­er­age when using this archi­tec­ture.

This rais­es an inter­est­ing ques­tion, since Fig­ure 5 in the stan­dard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the stan­dard is to abide by the text, mean­ing that you can­not claim high­er than LOW for DCavg in this archi­tec­ture. This con­flict will be addressed by future revi­sions of the stan­dard.

Anoth­er prob­lem raised by this sen­tence is the inclu­sion of the phrase “the total SRP/CS includ­ing fault-detec­tion”, since the pre­vi­ous para­graph explic­it­ly tells you that the assess­ment of DCavg ‘should’ only include the func­tion­al chan­nel, while this sen­tence appears to include it. In stan­dards writ­ing, sen­tences includ­ing the word ‘shall’ are clear­ly manda­to­ry, while those includ­ing the word ‘should’ indi­cate a con­di­tion which is advised but not required. Hope­ful­ly this con­fu­sion will be clar­i­fied in the next edi­tion of the stan­dard.

MTTFd in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­po­nents select­ed and the way they are applied in the design. The require­ment will be dri­ven by the desired PL of the sys­tem, so a PLd sys­tem will require HIGH MTTFd com­po­nents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PLb sys­tem would require only LOW MTTFd com­po­nents.
Final­ly, applic­a­ble mea­sures against Com­mon Cause Fail­ures (CCF) must be used. Some of the mea­sures giv­en in Table F.1 in Annex F of the stan­dard can­not be applied, such as Chan­nel Sep­a­ra­tion, since you can­not sep­a­rate a sin­gle chan­nel. Oth­er CCF mea­sures can and must be applied, and so there­fore you must score at least the min­i­mum 65 on the CCF table in Annex F to claim com­pli­ance with Cat­e­go­ry 2 require­ments.

Example Circuit

Here’s an exam­ple of what a sim­ple Cat­e­go­ry 2 cir­cuit con­struct­ed from dis­crete com­po­nents might look like. Note that PB1 and PB2 could just as eas­i­ly be inter­lock switch­es on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­plic­i­ty, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­pres­sors across all relay coils. All relays are con­sid­ered to be con­struct­ed with  ‘force-guid­ed’ designs and meet the require­ments for well-tried com­po­nents.

Example Category 2 circuit from discrete components
Fig­ure 2 — Exam­ple Cat­e­go­ry 2 cir­cuit from dis­crete com­po­nents

How the cir­cuit works:

  1. The machine is stopped with pow­er off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­i­tor­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
  2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mal­ly closed con­tacts will be closed, so press­ing PB3 will result in CR3 turn­ing on.
  3. CR3 clos­es its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-ener­gize CR3. The time delays inher­ent in relays per­mit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit the mon­i­tor­ing func­tion is pro­vid­ed by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a sin­gle fault is detect­ed and the machine is pre­vent­ed from re-start­ing. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redun­dant. If CR3 fails with weld­ed con­tacts, then the M rung is held open because CR3 has not de-ener­gized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­i­tor­ing sys­tem, if a “force-guid­ed” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M can­not ener­gize because of the redun­dant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3. Test­ing is con­duct­ed each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment, and so can­not be said to meet Cat­e­go­ry 2 require­ments.

If M is a motor starter rather than the motor itself, it will need to be dupli­cat­ed for redun­dan­cy and a mon­i­tor­ing con­tact added to the CR3 rung .

In cal­cu­lat­ing MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be includ­ed. CR3 is includ­ed because it has a func­tion­al con­tact in the M rung and is there­fore part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OT and OTE chan­nels.

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.
Down­load ISO Stan­dards

Watch for the next install­ment in this series where we’ll explore Cat­e­go­ry 3, the first of the ‘fault tol­er­ant’ archi­tec­tures!

New Guide to Applying ISO 13849–1 and IEC 62061

This entry is part 1 of 2 in the series IEC/TR 62061–1

IEC and ISO have pub­lished a new guide to help users select between ISO 13849–1 and IEC 62061. This new Tech­ni­cal Report will replace Table 1 in both stan­dards.

One of the big chal­lenges fac­ing machine builders has been choos­ing between ISO 13849–1 and IEC 62061. The IEC pub­lished a new guide at the end of July, 2010 called Tech­ni­cal Report IEC/TR 62061–1 ed1.0 Guid­ance on the appli­ca­tion of ISO 13849–1 and IEC 62061 in the design of safe­ty-relat­ed con­trol sys­tems for machin­ery. The new 38-page guide is avail­able as a hard copy or a PDF file. Writ­ten joint­ly by Tech­ni­cal Com­mit­tee IEC/TC 44, Safe­ty of machin­ery – Elec­trotech­ni­cal aspects and Tech­ni­cal Com­mit­tee ISO/TC 199, Safe­ty of machin­ery. The Tech­ni­cal Report was pub­lished in par­al­lel by ISO as ISO/TR 23849.

Tech­ni­cal Reports don’t have the same sta­tus as Inter­na­tion­al Stan­dards, but pro­vide the TC’s with  a means to pro­vide guid­ance and expla­na­tion to help users imple­ment the stan­dard.

Table of Contents

Since this is a copy­right­ed doc­u­ment, I can’t repro­duce it here. Instead, here’s the Table of Con­tents that will give you some idea of  the document’s con­tents.

Cover of IEC/TR 62061-1
IEC/TR 62061–1
  1. Scope
  2. Gen­er­al
  3. Com­par­i­son of stan­dards
  4. Risk esti­ma­tion and assign­ment of required per­for­mance
  5. Safe­ty require­ments spec­i­fi­ca­tion
  6. Assign­ment of per­for­mance tar­gets: PL ver­sus SIL
  7. Sys­tem design
  8. Exam­ple
  9. Bib­li­og­ra­phy

Merger Coming Soon

The intro­duc­tion to the TR indi­cates that it will be incor­po­rat­ed into both IEC 62061 and ISO 13849–1 through a cor­ri­gen­da that ref­er­ences this new doc­u­ment. The cor­ri­gen­da will also remove the infor­ma­tion giv­en in Table 1, Rec­om­mend­ed appli­ca­tion of IEC 62061 and ISO 13849–1, found in the com­mon intro­duc­tion to both stan­dards and which is now out of date.

At some point in the near future, IEC and ISO  intend that ISO 13849–1 and IEC 62061 will be merged. A  Joint Work­ing Group (JWG) of ISO/TC 199 and IEC/TC 44 will be formed to com­plete this task. No pub­lic time line has been set for this activ­i­ty, how­ev­er the Intro­duc­tion to the Tech­ni­cal Report sug­gests that it may be a few years yet, as the TC’s involved want to get some feed­back from users on the lat­est ver­sions. If I had to haz­ard a guess, I would sug­gest that the new merged doc­u­ment might make its first appear­ance in 2013 when the cur­rent edi­tion of ISO 13849–1 comes up for main­te­nance revi­sion. I guess we’ll have to wait and see whether I’m right on that or not. In any case, I as a user of the stan­dards, I am whole­heart­ed­ly behind the merg­er, and hope­ful­ly the sim­pli­fi­ca­tion, of these stan­dards to make them more acces­si­ble to the machine build­ing com­mu­ni­ty.

Availability

A bilin­gual (Eng­lish and French) ver­sion of IEC/TR 62061–1 edi­tion 1.0 is avail­able.

ISO/TR 23849:2010 is avail­able as a 14-page doc­u­ment, in either Eng­lish or French.

Down­load IEC stan­dards, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion stan­dards.

Watch for my review of this impor­tant new doc­u­ment com­ing in the next few days!

Safety is Good Business

In this excel­lent arti­cle from Rock­well Automation’s The Jour­nal, Mike Miller and Wayne Sol­berg explain how EN ISO 13849–1 and EN IEC 62061 mesh for machine builders.

Well worth the read in my opin­ion!

The Jour­nal: Safe­ty is Good Busi­ness — Mar­shall & Sol­berg

In this excel­lent arti­cle from Rock­well Automation’s The Jour­nal, Mike Miller and Wayne Sol­berg explain how EN ISO 13849–1 and EN IEC 62061 mesh for machine builders.

Well worth the read in my opin­ion!

The Jour­nal: Safe­ty is Good Busi­ness — Mar­shall & Sol­berg