Machinery Safety 101

Interlock Architectures – Pt. 1: What do those categories really mean?

This entry is part 1 of 8 in the series Cir­cuit Archi­tec­tures Explored

What do those categories really mean?

The archi­tec­tures used as the basis of inter­lock design and ana­lys­is have a long his­tory. Two basic forms exis­ted in the early days: the ANSI cat­egor­ies and the CSA vari­ant, and the CEN forms.

The ANSI/CSA archi­tec­tures were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED, and CONTROL RELIABLE. The basic sys­tem arose in the ANSI/RIA R15.06 1992 stand­ard and was used until 2014. The CSA vari­ant used the same names as the ANSI ver­sion but made a small dif­fer­en­ti­ation in the CONTROL RELIABLE cat­egory. This dif­fer­en­ti­ation was very subtle and was often com­pletely mis­un­der­stood by read­ers. This sys­tem was intro­duced in Canada in CSA Z434-1994 and was dis­con­tin­ued in 2016. This sys­tem of safety-related con­trol sys­tem archi­tec­ture cat­egor­ies is no longer used in any jur­is­dic­tion.

And then there was EN 954 – 1

In 1996 CEN pub­lished an import­ant stand­ard for machine build­ers – EN 954 – 1, “Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design” [1]. This stand­ard set the stage for defin­ing con­trol reli­ab­il­ity in machinery safe­guard­ing sys­tems, intro­du­cing the Reli­ab­il­ity cat­egor­ies that have become ubi­quit­ous. So what do these cat­egor­ies mean, and how are they applied under the latest machinery func­tion­al safety stand­ard, ISO 13849 – 1 [2]?

Down­load ISO Stand­ards

Circuit Categories

The cat­egor­ies are used to describe sys­tem archi­tec­tures for safety-related con­trol sys­tems. Each archi­tec­ture car­ries with it a range of reli­able per­form­ance that can be related to the degree of risk reduc­tion you are expect­ing to achieve with the sys­tem. These archi­tec­tures can be applied equally to elec­tric­al, elec­tron­ic, pneu­mat­ic, hydraul­ic or mech­an­ic­al con­trol sys­tems.

Historical Circuits

Early elec­tric­al ‘mas­ter-con­trol-relay’ cir­cuits used a simple archi­tec­ture with a single con­tact­or, or some­times two, and a single chan­nel style of archi­tec­ture to main­tain the con­tact­or coil cir­cuit once the START or POWER ON but­ton (PB2 in Fig. 1) had been pressed. Power to the out­put ele­ments of the machine con­trols was sup­plied via con­tacts on the con­tact­or, which is why it was called the Mas­ter Con­trol Relay or ‘MCR’. The POWER OFF but­ton (PB1 in Fig. 1) could be labeled that way, or you could make the same cir­cuit into an Emer­gency Stop by simply repla­cing the oper­at­or with a red mush­room-head push but­ton. These devices were usu­ally spring-return, so to restore power, all that was needed was to push the POWER ON but­ton again (Fig.1).

Basic Stop/Start Circuit
Fig­ure 1 – Basic Stop/Start Cir­cuit
Allen-Bradley 700PK Heavy Duty Contactor
Allen-Brad­ley 700PK Heavy Duty Con­tact­or

Typ­ic­ally, the com­pon­ents used in these cir­cuits were spe­cified to meet the cir­cuit con­di­tions, but not more. Con­trols man­u­fac­tur­ers brought out over-dimen­sioned ver­sions, such as Allen-Brad­ley’s Bul­let­in 700-PK con­tact­or which had 20 A rated con­tacts instead of the stand­ard Bul­let­in 700’s 10 A con­tacts.

When inter­locked guards began to show up, they were integ­rated into the ori­gin­al MCR cir­cuit by adding a basic con­trol relay (CR1 in Fig. 2) whose coil was con­trolled by the inter­lock switch(es) (LS1 in Fig. 2), and whose out­put con­tacts were in series with the coil cir­cuit of the MCR con­tact­or. Open­ing the guard inter­lock would open the MCR coil cir­cuit and drop power to the machine con­trols. Very simple.

Start/Stop Circuit with Guard Relay
Fig­ure 2 – Old-School Start/Stop Cir­cuit with Guard Relay
Typical ice-cube style relay
Typ­ic­al ice-cube style relay

Ice-cube’ style plug-in relays were often chosen for CR1. These devices did not have ‘force-guided’ con­tacts in them, so it was pos­sible to have one con­tact in the relay fail while the oth­er con­tin­ued to oper­ate prop­erly.

LS1 could be any kind of switch. Fre­quently a ‘micro-switch’ style of lim­it switch was chosen. These snap-action switches could fail shor­ted intern­ally, or weld closed and the actu­at­or would con­tin­ue to work nor­mally even though the switch itself had failed. These switches are also ridicu­lously easy to bypass. All that is required is a piece of tape or an elast­ic band and the switch is no longer doing its job.

Micro-Switch style limit switch used as an interlock switch
Micro-Switch style lim­it switch used as a cov­er inter­lock switch in a piece of indus­tri­al laun­dry equip­ment

The prob­lem with these cir­cuits is that they can fail in a num­ber of ways that aren’t obvi­ous to the user, with the res­ult being that the inter­lock might not work as expec­ted, or the Emer­gency Stop might fail just when you need it most.

Modern Circuits

Category B

These ori­gin­al cir­cuits are the basis for what became known as ‘Cat­egory B’ (‘B’ for ‘Basic’) cir­cuits. Here’s the defin­i­tion from the stand­ard. Note that I am tak­ing this excerpt from ISO 13849 – 1: 2007 (Edi­tion 2). “SRP/CS” stands for “Safety Related Parts of Con­trol Sys­tems”:

6.2.3 Cat­egory B
The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic applic­a­tion to with­stand

  • the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and fre­quency,
  • the influ­ence of the pro­cessed mater­i­al, e.g. deter­gents in a wash­ing machine, and
  • oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or dis­turb­ances.

There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B sys­tems and the MTTFd of each chan­nel can be low to medi­um. In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not rel­ev­ant.

The max­im­um PL achiev­able with cat­egory B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety func­tion.

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6‑2 should be fol­lowed.

The stand­ard also provides us with a nice block dia­gram of what a single-chan­nel sys­tem might look like:

Category B Designated Architecture
ISO 13849 – 1 Cat­egory B Des­ig­nated Archi­tec­ture

If you look at this block dia­gram and the Start/Stop Cir­cuit with Guard Relay above, you can see how this basic cir­cuit trans­lates into a single chan­nel archi­tec­ture, since from the con­trol inputs to the con­trolled load you have a single chan­nel. Even the guard loop is a single chan­nel. A fail­ure in any com­pon­ent in the chan­nel can res­ult in loss of con­trol of the load.

Lets look at each part of this require­ment in more detail, since each of the sub­sequent Cat­egor­ies builds upon these BASIC require­ments.

The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic applic­a­tion…

Basic Safety Principles

We have to go to ISO 13849 – 2 to get a defin­i­tion of what Basic Safety Prin­ciples might include. Look­ing at Annex A.2 of the stand­ard we find:

Table A.1 — Basic Safety Principles

Basic Safety Prin­ciples Remarks
Use of suit­able mater­i­als and adequate man­u­fac­tur­ing Selec­tion of mater­i­al, man­u­fac­tur­ing meth­ods and treat­ment in rela­tion to, e. g. stress, dur­ab­il­ity, elasti­city, fric­tion, wear,
cor­ro­sion, tem­per­at­ure.
Cor­rect dimen­sion­ing and shap­ing Con­sider e. g. stress, strain, fatigue, sur­face rough­ness, tol­er­ances, stick­ing, man­u­fac­tur­ing.
Prop­er selec­tion, com­bin­a­tion, arrange­ments, assembly and install­a­tion of components/systems. Apply man­u­fac­turer­’s applic­a­tion notes, e. g. cata­logue sheets, install­a­tion instruc­tions, spe­cific­a­tions, and use of good engin­eer­ing prac­tice in sim­il­ar components/systems.
Use of de – ener­gisa­tion prin­ciple The safe state is obtained by release of energy. See primary action for stop­ping in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1. Energy is sup­plied for start­ing the move­ment of a mech­an­ism. See primary action for start­ing in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1.Consider dif­fer­ent modes, e. g. oper­a­tion mode, main­ten­ance mode.

This prin­ciple shall not be used in spe­cial applic­a­tions, e. g. to keep energy for clamp­ing devices.

Prop­er fasten­ing For the applic­a­tion of screw lock­ing con­sider man­u­fac­turer­’s applic­a­tion notes.Overloading can be avoided by apply­ing adequate torque load­ing tech­no­logy.
Lim­it­a­tion of the gen­er­a­tion and/or trans­mis­sion of force and sim­il­ar para­met­ers Examples are break pin, break plate, torque lim­it­ing clutch.
Lim­it­a­tion of range of envir­on­ment­al para­met­ers Examples of para­met­ers are tem­per­at­ure, humid­ity, pol­lu­tion at the install­a­tion place. See clause 8 and con­sider
man­u­fac­turer­’s applic­a­tion notes.
Lim­it­a­tion of speed and sim­il­ar para­met­ers Con­sider e. g. the speed, accel­er­a­tion, decel­er­a­tion required by the applic­a­tion
Prop­er reac­tion time Con­sider e. g. spring tired­ness, fric­tion, lub­ric­a­tion, tem­per­at­ure, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion,
com­bin­a­tion of tol­er­ances.
Pro­tec­tion against unex­pec­ted start – up Con­sider unex­pec­ted start-up caused by stored energy and after power “sup­ply” res­tor­a­tion for dif­fer­ent modes as
oper­a­tion mode, main­ten­ance mode etc.
Spe­cial equip­ment for release of stored energy may be neces­sary.
Spe­cial applic­a­tions, e. g. to keep energy for clamp­ing devices or ensure a pos­i­tion, need to be con­sidered
sep­ar­ately.
Sim­pli­fic­a­tion Reduce the num­ber of com­pon­ents in the safety-related sys­tem.
Sep­ar­a­tion Sep­ar­a­tion of safety-related func­tions from oth­er func­tions.
Prop­er lub­ric­a­tion
Prop­er pre­ven­tion of the ingress of flu­ids and dust Con­sider IP rat­ing [see EN 60529 (IEC 60529)]

Down­load ISO Stand­ards
As you can see, the basic safety prin­ciples are pretty basic – select com­pon­ents appro­pri­ately for the applic­a­tion, con­sider the oper­at­ing con­di­tions for the com­pon­ents, fol­low man­u­fac­turer­’s data, and use de-ener­giz­a­tion to cre­ate the stop func­tion. That way, a loss of power res­ults in the sys­tem fail­ing into a safe state, as does an open relay coil or set of burnt con­tacts.

…the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and fre­quency,”

Spe­cify your com­pon­ents cor­rectly with regard to voltage, cur­rent, break­ing capa­city, tem­per­at­ure, humid­ity, dust,…

…oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or dis­turb­ances.”

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6‑2 should be fol­lowed.”

Prob­ably the biggest ‘gotcha’ in this point is “elec­tro­mag­net­ic inter­fer­ence”. This is import­ant enough that the stand­ard devotes a para­graph to it spe­cific­ally. I added the bold text to high­light the idea of ‘func­tion­al safety’. You can find oth­er inform­a­tion in oth­er posts on this blog on that top­ic. If your product is destined for the European Uni­on (EU), then you will almost cer­tainly be doing some EMC test­ing, unless your product is a ‘fixed install­a­tion’. If it’s going to almost any oth­er mar­ket, you prob­ably are not under­tak­ing this test­ing. So how do you know if your design meets this cri­ter­ia? Unless you test, you don’t. You can make some edu­cated guesses based on using sound engin­eer­ing prac­tices , but after that you can only hope.

Diagnostic Coverage

…There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B sys­tems…”

Cat­egory B sys­tems are fun­da­ment­ally single-chan­nel. A single fault in the sys­tem will lead to the loss of the safety func­tion. This sen­tence refers to the concept of “dia­gnost­ic cov­er­age” that was intro­duced in ISO 13849 – 1:2007, but what this means in prac­tice is that there is no mon­it­or­ing or feed­back from any crit­ic­al ele­ments. Remem­ber our basic MCR cir­cuit? If the MCR con­tact­or wel­ded closed, the only dia­gnost­ic was the fail­ure of the machine to stop when the emer­gency stop but­ton was pressed.

Component Failure Rates

…the MTTFd of each chan­nel can be low to medi­um.”

This part of the state­ment is refer­ring to anoth­er new concept from ISO 13849 – 1:2007, “MTTFd”. Stand­ing for “Mean Time to Fail­ure Dan­ger­ous”, this concept looks at the expec­ted fail­ure rates of the com­pon­ent in hours. Cal­cu­lat­ing MTTFd is a sig­ni­fic­ant part of imple­ment­ing the new stand­ard. From the per­spect­ive of under­stand­ing Cat­egory B, what this means is that you do not need to use high-reli­ab­il­ity com­pon­ents in these sys­tems.

Common Cause Failures

In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not rel­ev­ant.”

CCF is anoth­er new concept from ISO 13849 – 1:2007, and stands for “Com­mon Cause Fail­ure”. I’m not going to get into this in any detail here, but suf­fice to say that design tech­niques, as well as chan­nel sep­ar­a­tion (impossible in a single chan­nel archi­tec­ture) and oth­er tech­niques are used to reduce the like­li­hood of CCF in high­er reli­ab­il­ity sys­tems.

Performance Levels

The max­im­um PL achiev­able with cat­egory B is PL = b.”

PL stands for “Per­form­ance Level”, divided into five degrees from ‘a’ to ‘e’. PLa is equal to an aver­age prob­ab­il­ity of dan­ger­ous fail­ure per hour of >= 10-5 to < 10-4 fail­ures per hour. PLb is equal to >= 3 × 10-6 to < 10-5 fail­ures per hour or once in 10,000 to 100,000 hours, to once in 3,000,000 hours of oper­a­tion. This sounds like a lot, but when deal­ing with prob­ab­il­it­ies, these num­bers are actu­ally pretty low.

If you con­sider an oper­a­tion run­ning a single shift in Canada where the nor­mal work­ing year is 50 weeks and the nor­mal work­day is 7.5 hours, a work­ing year is

7.5 h/d x 5 d/w x 50 w/a = 1875 hours/a

Tak­ing the fail­ure rates per hour above, yields:

PLa = one fail­ure in 5.3 years of oper­a­tion to one fail­ure in 53.3 years

PLb = one fail­ure in 1600 years of oper­a­tion

If we go to an oper­a­tion run­ning three shifts in Canada, a work­ing year is:

7.5 h/shift x 3 shifts x 5 d/w x 50 w/a = 5625 hours/a

Tak­ing the fail­ure rates per hour above, yields:

PLa = one fail­ure in 1.8 years of oper­a­tion to one fail­ure in 17 years

PLb = one fail­ure in 533 years of oper­a­tion

Now you should be start­ing to get an idea about where this is going. It’s import­ant to remem­ber that prob­ab­il­it­ies are just that – the fail­ure could hap­pen in the first hour of oper­a­tion or at any time after that, or nev­er. These fig­ures give you some way to gauge the rel­at­ive reli­ab­il­ity of the design, and ARE NOT any sort of guar­an­tee.

Watch for the next post in this series where I will look at Cat­egory 1 require­ments!

References

[1] Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design. CEN Stand­ard EN 954 – 1. 1996.

[2] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. ISO Stand­ard 13849 – 1. 2006.

[3] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 2: Val­id­a­tion, ISO Stand­ard 13849 – 2. 2003.

[4] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 100: Guidelines for the use and applic­a­tion of ISO 13849 – 1. ISO Tech­nic­al Report TR 100. 2000.

[5] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. CEN Stand­ard EN ISO 13849 – 1. 2008.

Down­load ISO Stand­ards

Series Nav­ig­a­tionInter­lock Archi­tec­tures – Pt. 2: Cat­egory 1

11 thoughts on “Interlock Architectures – Pt. 1: What do those categories really mean?

  1. Great explan­a­tion and trans­la­tion into how these stand­ards are applied in the real world. One thing that I think is often con­fus­ing is the defin­i­tion of fail­ure. I often have found myself won­der­ing if the stand­ard means fail­ure of a device to work as expec­ted or fail­ure in the sense that someone had to press an e‑stop..etc. Could you help cla­ri­fy that in the dif­fer­ent places that the word is men­tioned? I know that some­times it is more obvi­ous than oth­ers.

    1. Hey con­trols­girl! Thanks for post­ing this ques­tion – it’s a good one.

      When we’re talk­ing about safety related con­trols there are a num­ber of dif­fer­ent types of fail­ures we could be talk­ing about. From the per­spect­ive of ISO 13849 – 1, what we care about are dan­ger­ous fail­ures, mean­ing that the safety-related con­trol func­tion has failed in a way that imme­di­ately increases the risk to the oper­at­or. If a con­trol func­tion does­n’t work as expec­ted, but no increase in risk occurs, it’s not a dan­ger­ous fail­ure. If a dan­ger­ous fail­ure occurs in a guard inter­lock, the res­ult could be a situ­ation where the oper­at­or opens the guard and the machine fails to stop. That is a dan­ger­ous fail­ure.

      To sum up, fail­ures as dis­cussed in ISO 13849 – 1 are always faults in the safety-related parts of the con­trol sys­tem that res­ult in an increase in risk to the oper­at­or. They may be dan­ger­ous-detec­ted fail­ures, or dan­ger­ous-undetec­ted fail­ures. The stand­ard does­n’t pay any atten­tion to safe fail­ures, detect­able or not.

      Emer­gency stop is there to deal with ’emer­gent’ con­di­tions, i.e., fail­ures that wer­en’t fore­seen by the design­er, and so aren’t dealt with by the auto­mat­ic safety func­tions designed into the machine. For example, a ‘silent’ fail­ure occurs in the guard inter­lock we were talk­ing about. ‘Silent’ means the con­trol sys­tem dia­gnostics don’t detect it for whatever reas­on. The oper­at­or opens the guard and is imme­di­ately and unex­pec­tedly exposed to the machine haz­ard, res­ult­ing in an injury. A co-work­er presses the emer­gency stop to try to lim­it any addi­tion­al harm that might occur, and then dials 911 (or 112, or whatever your loc­al emer­gency phone num­ber is). E‑stops are con­sidered ‘com­ple­ment­ary pro­tect­ive meas­ures’ because they com­ple­ment the primary safe­guards, like the guard inter­locks.

      I think that cov­ers it. Let me know if you have any more ques­tions!

      1. Hi Doug, I’m a cer­ti­fied work­er Health and safety rep for USW 6571. I work for Ger­dau Whitby Steel Mill. I am by no means tech­nic­ally savvy, shall we say. I just have a great sense of duty to make sure my broth­ers are safe when they are run­ning their respect­ive equip­ment. Cur­rently, the com­pany has a Cat­egory 3 Safety sys­tem installed in our Bar Mill fin­ish­ing end. It con­sists of a Safety PLC Con­trol Box with a Stop but­ton and a Kirk key. You hit the stop but­ton, wait, turn the kirk key and place key in lock box, and place per­son­al lock on the box. This Con­trol box and lock box is loc­ated in the oper­at­or’s con­trol pul­pit. Now, the oper­at­or can open the gates (Which will only open if the con­trol box in the pul­pit has the stop but­ton depressed, key turned and removed from con­trol box) The work­er reps have main­tained this sys­tem is NOT the equi­val­ent or bet­ter than a hard lock­out (Phys­ic­al lock on power source) and as such we use this safety sys­tem to quickly access the equip­ment to fix a minor prob­lem, say, where we need to nudge or adjust a guide plate or cut a bar with a torch, so long as the oper­at­or does­n’t need to get up close and per­son­al with the equip­ment. We demand a full hard lock­out if mill­wrights or elec­tri­cians or oper­at­ors are required to get any part of their body too close or wrapped around any of the equip­ment. The com­pany is now think­ing of using a sim­il­ar sys­tem in the rolling mill to take away power from the mill stands, or maybe using a cat­egory 4 sys­tem and using it as a stan­dalone lock­out in place of a hard phys­ic­al lock­out. I’m not sure yet. The com­pany is doing a risk assess­ment tomor­row, with the engin­eer­ing firm and has asked myself and my fel­low JHSC mem­bers to attend and ask lots of ques­tions. I have noth­ing but ques­tions. My ques­tions for you are, 1. Is a cat­egory 3 safety device the equi­val­ent or bet­ter than a typ­ic­al lockout/tagout pro­ced­ure? 2. Is there a safety PLC sys­tem that is the equi­val­ent or bet­ter than a typ­ic­al lockout/tagout pro­ced­ure. LOL… I’m quite sure the answer won’t be so cut and dry. But here’s hop­ing! I’m also inter­ested in going to the sem­in­ar in Cam­bridge on May 9, 2018. Hope­fully that will shed some more light. Thanks Doug. I know it’s a little long win­ded.

        1. Frank,

          There is way more to unpack in your com­ment than I think I can do in this space. I would be happy to dis­cuss this with you by phone tomor­row if you would like to do that. Also, these com­ments are pub­lic, and there may be dis­cus­sions which are bet­ter kept private. I would be more than happy to dis­cuss this with you by phone. I will con­tact you via email with my con­tact details.

          Doug

          1. Doug, that would be greatly appre­ci­ated. I’m in our safety office at 8:00am to dis­cuss with the oth­er guys what our object­ives will be when we listen to this risk assess­ment at 9:00am. So, I’ll shoot for early after­noon for a phone cal if that’s good with you.

  2. Pingback: Andy Garcia
  3. Pingback: MachinerySafety
  4. Pingback: Doug Nix

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

All original content on these pages is fingerprinted and certified by Digiprove