Machinery Safety 101

Interlock Architectures – Pt. 1: What do those categories really mean?

This entry is part 1 of 8 in the series Cir­cuit Archi­tec­tures Explored

The post has been updated since it was first writ­ten in 2010.

If you are new to func­tion­al safety, new to design of con­trol sys­tems for machinery, or both, this post and the sub­sequent posts cov­er­ing the five archi­tec­tur­al cat­egor­ies provided in ISO 13849 – 1. These cat­egor­ies are sim­il­ar to those in EN 954 – 1:1996 but have been expan­ded to include some addi­tion­al cri­ter­ia. This post explores the cat­egor­ies to give you an intro­duc­tion to the con­cepts used in ISO 13849 – 1.

Note that when this post was first writ­ten, ISO 13849 – 1:2006 was cur­rent. Since then, a new edi­tion was pub­lished in 2015, and yet anoth­er is expec­ted to be pub­lished by May-2021. The defin­i­tions dis­cussed in this post are still valid.

What do those categories really mean?

The archi­tec­tures used as the basis of inter­lock design and ana­lys­is have a long his­tory. Two basic forms exis­ted in the early days: the ANSI cat­egor­ies and the CSA vari­ant, and the CEN forms.

The ANSI/CSA archi­tec­tures were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED, and CONTROL RELIABLE. The basic sys­tem arose in the ANSI/RIA R15.06 1992 stand­ard and was used until 2014. The CSA vari­ant used the same names as the ANSI ver­sion but made a small dif­fer­en­ti­ation in the CONTROL RELIABLE cat­egory. This dif­fer­en­ti­ation was very subtle and was often com­pletely mis­un­der­stood by read­ers. This sys­tem was intro­duced in Canada in CSA Z434-1994 and was dis­con­tin­ued in 2016. This sys­tem of safety-related con­trol sys­tem archi­tec­ture cat­egor­ies is no longer used in any jurisdiction.

And then there was EN 954 – 1

In 1996 CEN pub­lished an import­ant stand­ard for machine build­ers – EN 954 – 1, “Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design” [1]. This stand­ard set the stage for defin­ing con­trol reli­ab­il­ity in machinery safe­guard­ing sys­tems, intro­du­cing the Reli­ab­il­ity cat­egor­ies that have become ubi­quit­ous. So what do these cat­egor­ies mean, and how are they applied under the latest machinery func­tion­al safety stand­ard, ISO 13849 – 1 [2]?

Down­load ISO Standards

The Categories

The cat­egor­ies are used to describe sys­tem archi­tec­tures for safety-related con­trol sys­tems. Each archi­tec­ture car­ries with it a range of reli­able per­form­ance that can be related to the degree of risk reduc­tion you are expect­ing to achieve with the sys­tem. These archi­tec­tures can be applied equally to elec­tric­al, elec­tron­ic, pneu­mat­ic, hydraul­ic or mech­an­ic­al con­trol systems.

Historical Circuits

Early elec­tric­al ‘mas­ter-con­trol-relay’ cir­cuits used a simple archi­tec­ture with a single con­tact­or, or some­times two, and a single chan­nel style of archi­tec­ture to main­tain the con­tact­or coil cir­cuit once the START or POWER ON but­ton (PB2 in Fig. 1) had been pressed. Power to the out­put ele­ments of the machine con­trols was sup­plied via con­tacts on the con­tact­or, which is why it was called the Mas­ter Con­trol Relay or ‘MCR’. The POWER OFF but­ton (PB1 in Fig. 1) could be labelled that way, or you could make the same cir­cuit into an Emer­gency Stop by simply repla­cing the oper­at­or with a red mush­room-head push but­ton. These devices were usu­ally spring-return, so to restore power, all that was needed was to push the POWER ON but­ton again (Fig.1).

Basic Stop/Start Circuit
Fig­ure 1 – Basic Stop/Start Circuit
Allen-Bradley 700PK Heavy Duty Contactor
Allen-Brad­ley 700PK Heavy Duty Contactor 

Typ­ic­ally, the com­pon­ents used in these cir­cuits were spe­cified to meet the cir­cuit con­di­tions, but not more. Con­trol man­u­fac­tur­ers brought out over-dimen­sioned ver­sions, such as Allen-Brad­ley’s Bul­let­in 700-PK con­tact­or which had 20 A rated con­tacts instead of the stand­ard Bul­let­in 700’s 10 A contacts.

When inter­locked guards began to show up, they were integ­rated into the ori­gin­al MCR cir­cuit by adding a basic con­trol relay (CR1 in Fig. 2) whose coil was con­trolled by the inter­lock switch(es) (LS1 in Fig. 2), and whose out­put con­tacts were in series with the coil cir­cuit of the MCR con­tact­or. Open­ing the guard inter­lock would open the MCR coil cir­cuit and drop power to the machine con­trols. Very simple.

Start/Stop Circuit with Guard Relay
Fig­ure 2 – Old-School Start/Stop Cir­cuit with Guard Relay 
Typical ice-cube style relay
Typ­ic­al ice-cube style relay

Ice-cube’ style plug-in relays were often chosen for CR1. These devices did not have ‘force-guided’ con­tacts in them, so it was pos­sible to have one con­tact in the relay fail while the oth­er con­tin­ued to oper­ate properly.

LS1 could be any kind of switch. Fre­quently a ‘micro-switch’ style of lim­it switch was chosen. These snap-action switches could fail shor­ted intern­ally, or weld closed and the actu­at­or would con­tin­ue to work nor­mally even though the switch itself had failed. These switches are also ridicu­lously easy to bypass. All that is required is a piece of tape or an elast­ic band and the switch is no longer doing its job.

Micro-Switch used for interlocking
Micro-Switch used for interlocking

The prob­lem with these cir­cuits is that they can fail in a num­ber of ways that aren’t obvi­ous to the user, with the res­ult being that the inter­lock might not work as expec­ted, or the Emer­gency Stop might fail just when you need it most.

Modern Architectures

Category B

These ori­gin­al cir­cuits are the basis for what became known as ‘Cat­egory B’ (‘B’ for ‘Basic’) cir­cuits. Here’s the defin­i­tion from the stand­ard. Note that I am tak­ing this excerpt from ISO 13849 – 1: 2007 (Edi­tion 2). “SRP/CS” stands for “Safety Related Parts of Con­trol Systems”:

6.2.3 Cat­egory B
The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic applic­a­tion to withstand

  • the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and frequency,
  • the influ­ence of the pro­cessed mater­i­al, e.g. deter­gents in a wash­ing machine, and
  • oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or disturbances.

There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B sys­tems and the MTTFd of each chan­nel can be low to medi­um. In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not relevant.

The max­im­um PL achiev­able with cat­egory B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety function.

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6‑2 should be fol­lowed. [1]

The stand­ard [1] also provides us with a nice logic block dia­gram of what a single-chan­nel sys­tem might look like:

Category B Designated Architecture
Fig­ure 3 – ISO 13849 – 1 Cat­egory B Des­ig­nated Archi­tec­ture [1]

If you look at this block dia­gram and the Start/Stop Cir­cuit with Guard Relay above, you can see how this basic cir­cuit trans­lates into a single chan­nel archi­tec­ture, since from the con­trol inputs to the con­trolled load you have a single chan­nel. Even the guard loop is a single chan­nel. A fail­ure in any com­pon­ent in the chan­nel can res­ult in loss of con­trol of the load.

Lets look at each part of this require­ment in more detail, since each of the sub­sequent Cat­egor­ies builds upon these BASIC requirements.

The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic application…


Basic Safety Principles

We have to go to ISO 13849 – 2 to get a defin­i­tion of what Basic Safety Prin­ciples might include. Look­ing at Annex A.2 of the stand­ard we find:

Basic Safety Prin­ciplesRemarks
Use of suit­able mater­i­als and adequate manufacturingSelec­tion of mater­i­al, man­u­fac­tur­ing meth­ods and treat­ment in rela­tion to, e. g., stress, dur­ab­il­ity, elasti­city, fric­tion, wear, cor­ro­sion, temperature.
Cor­rect dimen­sion­ing and shapingCon­sider e. g. stress, strain, fatigue, sur­face rough­ness, tol­er­ances, stick­ing, manufacturing.
Prop­er selec­tion, com­bin­a­tion, arrange­ments, assembly and install­a­tion of com­pon­ents / systems. Apply man­u­fac­turer­’s applic­a­tion notes, e. g. cata­logue sheets, install­a­tion instruc­tions, spe­cific­a­tions, and use of good engin­eer­ing prac­tice in sim­il­ar components/systems.
Use of de – ener­gisa­tion principleThe safe state is obtained by release of energy. See primary action for stop­ping in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1. Energy is sup­plied for start­ing the move­ment of a mech­an­ism. See primary action for start­ing in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1. Con­sider dif­fer­ent modes, e. g. oper­a­tion mode, main­ten­ance mode.  
This prin­ciple shall not be used in spe­cial applic­a­tions, e. g. to keep energy for clamp­ing devices.
 Prop­er fasteningFor the applic­a­tion of screw lock­ing con­sider man­u­fac­turer­’s applic­a­tion notes. Over­load­ing can be avoided by apply­ing adequate torque load­ing technology.
Lim­it­a­tion of the gen­er­a­tion and/or trans­mis­sion of force and sim­il­ar parametersExamples are break pin, break plate, torque lim­it­ing clutch.
Lim­it­a­tion of range of envir­on­ment­al parametersExamples of para­met­ers are tem­per­at­ure, humid­ity, pol­lu­tion at the install­a­tion place. See clause 8 and con­sider man­u­fac­turer­’s applic­a­tion notes.
Lim­it­a­tion of speed and sim­il­ar parametersCon­sider e. g., the speed, accel­er­a­tion, decel­er­a­tion required by the application
Prop­er reac­tion timeCon­sider e. g. spring tired­ness, fric­tion, lub­ric­a­tion, tem­per­at­ure, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion, com­bin­a­tion of tolerances.
Pro­tec­tion against unex­pec­ted start – upCon­sider unex­pec­ted start-up caused by stored energy and after power “sup­ply” res­tor­a­tion for dif­fer­ent modes as oper­a­tion mode, main­ten­ance mode etc.
Spe­cial equip­ment for release of stored energy may be neces­sary.
Spe­cial applic­a­tions, e. g., to keep energy for clamp­ing devices or ensure a pos­i­tion, need to be con­sidered separately.
Sim­pli­fic­a­tionReduce the num­ber of com­pon­ents in the safety-related system.
Sep­ar­a­tionSep­ar­a­tion of safety-related func­tions from oth­er functions.
Prop­er lubrication
Prop­er pre­ven­tion of the ingress of flu­ids and dust
Con­sider IP rat­ing [see EN 60529 (IEC 60529)]
Table A.1 — Basic Safety Principles

Down­load ISO Standards

As you can see, the basic safety prin­ciples are pretty basic – select com­pon­ents appro­pri­ately for the applic­a­tion, con­sider the oper­at­ing con­di­tions for the com­pon­ents, fol­low man­u­fac­turer­’s data, and use de-ener­giz­a­tion to cre­ate the stop func­tion. That way, a loss of power res­ults in the sys­tem fail­ing into a safe state, as does an open relay coil or set of burnt contacts.

…the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and frequency,”

Spe­cify your com­pon­ents cor­rectly with regard to voltage, cur­rent, break­ing capa­city, tem­per­at­ure, humid­ity, dust,…

…oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or disturbances.”

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6‑2 should be followed.”

Prob­ably the biggest ‘gotcha’ in this point is “elec­tro­mag­net­ic inter­fer­ence”. This is import­ant enough that the stand­ard devotes a para­graph to it spe­cific­ally. I added the bold text to high­light the idea of ‘func­tion­al safety’. You can find oth­er inform­a­tion in oth­er posts on this blog on that top­ic. If your product is destined for the European Uni­on (EU), then you will almost cer­tainly be doing some EMC test­ing, unless your product is a ‘fixed install­a­tion’. If it’s going to almost any oth­er mar­ket, you prob­ably are not under­tak­ing this test­ing. So how do you know if your design meets this cri­ter­ia? Unless you test, you don’t. You can make some edu­cated guesses based on using sound engin­eer­ing prac­tices , but after that you can only hope.

Diagnostic Coverage

…There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B systems…”

Cat­egory B sys­tems are fun­da­ment­ally single-chan­nel. A single fault in the sys­tem will lead to the loss of the safety func­tion. This sen­tence refers to the concept of “dia­gnost­ic cov­er­age” that was intro­duced in ISO 13849 – 1:2007, but what this means in prac­tice is that there is no mon­it­or­ing or feed­back from any crit­ic­al ele­ments. Remem­ber our basic MCR cir­cuit? If the MCR con­tact­or wel­ded closed, the only dia­gnost­ic was the fail­ure of the machine to stop when the emer­gency stop but­ton was pressed.

Component Failure Rates

…the MTTFd of each chan­nel can be low to medium.”

This part of the state­ment is refer­ring to anoth­er new concept from ISO 13849 – 1:2007, “MTTFd”. Stand­ing for “Mean Time to Fail­ure Dan­ger­ous”, this concept looks at the expec­ted fail­ure rates of the com­pon­ent in hours. Cal­cu­lat­ing MTTFd is a sig­ni­fic­ant part of imple­ment­ing the new stand­ard. From the per­spect­ive of under­stand­ing Cat­egory B, what this means is that you do not need to use high-reli­ab­il­ity com­pon­ents in these systems.

Common Cause Failures

In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not relevant.”

CCF is anoth­er new concept from ISO 13849 – 1:2007, and stands for “Com­mon Cause Fail­ure”. I’m not going to get into this in any detail here, but suf­fice to say that design tech­niques, as well as chan­nel sep­ar­a­tion (impossible in a single chan­nel archi­tec­ture) and oth­er tech­niques are used to reduce the like­li­hood of CCF in high­er reli­ab­il­ity systems.

Performance Levels – PL

The max­im­um PL achiev­able with cat­egory B is PL = b.”

PL stands for “Per­form­ance Level.” FIve Per­form­ance Levels have been defined from ‘a’ to ‘e’. The Per­form­ance Levels rep­res­ent bands or groups of fail­ure rates expressed as the frac­tion­al prob­ab­il­ity of fail­ure per hour. 

For example, PLa, the band with the highest prob­ab­il­ity of fail­ure per hour, includes an aver­age prob­ab­il­ity of dan­ger­ous fail­ure per hour of >= 10-5 to < 10-4 fail­ures per hour. The frac­tion­al fail­ure rate is referred to as the Prob­ab­il­ity of Dan­ger­ous Fail­ure per Hour (PFHd). To con­vert PFHd to some­thing a bit easi­er to under­stand, you can con­vert PFHd to years-to-fail­ure using the fol­low­ing cal­cu­la­tions. I’m going to assume that the con­trol sys­tem is oper­at­ing 24/7/365, but by adjust­ing the num­ber of hours in the year for oth­er oper­at­ing peri­ods you can adjust the res­ult. See below.

\tag{1} \frac{1\times10^{-4}}{\text{hours}}\times\frac{8760\:\text{hours}}{\text{year}}=0.876\:\text{failures per year}

Now that we know how many fail­ures per year we’re deal­ing with, we need to con­vert to the num­ber of years to failure.

\tag{2} \frac{1}{0.86\:\text{years}}=1.142\:\text{years-to-failure}

What this means is that the prob­ab­il­ity of exper­i­en­cing fail­ure in a PLa sys­tem can reach 100% in as little as 1.142 years. We can con­vert years-to-fail­ure to hours-to-fail­ure by mul­tiply­ing the years by 8760.

\tag{3} \frac{1.142\:\text{years}}{\text{failure}}\times\frac{8760\:\text{hours}}{\text{year}}=10,004\:\text{hours-to-failure}

Let’s cal­cu­late the oth­er lim­it for the PLa band. 

\tag{4} \frac{1\times10^{-5}}{\text{hours}}\times\frac{8760\:\text{hours}}{\text{year}}=0.0876\:\text{failures per year}

Since we moved by one factor of mag­nitude smal­ler (10-4 to 10-5), it makes sense that the fail­ure rate got smal­ler by that same amount. Cal­cu­lat­ing the years-to fail­ure we get:

\tag{5} \frac{1\:\text{failure}}{0.0876\:\text{year}}=11.42\:\text{years-to-failure}

PLb is equal to >= 3 × 10-6 to < 10-5 fail­ures per hour. Cal­cu­lat­ing the lower lim­it we get:

\tag{6} \frac{3\times10^{-6}}{\text{hours}}\times\frac{8760\:\text{hours}}{\text{year}}=0.02628\:\text{failures per year}
\tag{7} \frac{1\:\text{failure}}{0.02628\:\text{years}}=38.05\:\text{years-to-failure}
\tag{8} \frac{38.05\:\text{years}}{\text{failure}}\times \frac{8760\:\text{hours}}{\text{year}}=333,333\:\text{hours-to-failure}

The upper lim­it of the PLb band is the same as the lower lim­it of the PLa band, so I won’t cal­cu­late that again.

While 38 years to fail­ure sounds like a lot, it’s import­ant to bear in mind that that is simply the point in time when the prob­ab­il­ity of fail­ure hits 100%. You can have a fail­ure occur the first time you use the safety func­tion, or not have it fail until 38 years from the first time the func­tion is used. Some machines may run con­sid­er­ably longer than that before a fail­ure occurs. To get an idea about why that can hap­pen, have a look at the bathtub curve and what it means for product life. When deal­ing with the prob­ab­il­ity of a safety func­tion fail­ing, these num­bers rep­res­ent some pretty high fail­ure rates.

If you con­sider an oper­a­tion run­ning a single shift in Canada where the nor­mal work­ing year is 50 weeks and the nor­mal work­day is 7.5 hours, a work­ing year is

\tag{9} \frac{7.5\:\text{hours}}{\text{day}}\times\frac{5\:\text{days}}{\text{week}}\times\frac{50\:\text{weeks}}{\text{year}}=1875\:\text{hours/year}

Tak­ing the fail­ure rates per hour above, yields:

PLa = one fail­ure in 5.3 years of oper­a­tion to one fail­ure in 53.3 years of operation

PLb = one fail­ure in 53.3 years of oper­a­tion to one fail­ure in 177.8 years of operation.

If we go to an oper­a­tion run­ning three shifts in Canada, a work­ing year is:

\tag{10} \frac{7.5\:\text{hours}}{\text{shift}}\times3\:\text{shifts}\times\frac{5\:\text{days}}{\text{week}}\times\frac{50\:\text{weeks}}{\text{year}}=5625\:\text{hours per year}

Tak­ing the fail­ure rates per hour above and recal­cu­lat­ing, this yields:

PLa = one fail­ure in 1.8 years of oper­a­tion to one fail­ure in 17.8 years of operation

PLb = one fail­ure in 17.8 years of oper­a­tion to one fail­ure in 59.25 years of operation

Except for the least haz­ard­ous machines, I can­’t ima­gine too many employ­ers that would be happy with a safety func­tion on a machine that failed with­in two years from new!

Now you should be start­ing to get an idea about where this is going. It’s import­ant to remem­ber that prob­ab­il­it­ies are just that – the fail­ure could hap­pen in the first hour of oper­a­tion or at any time after that, or nev­er. These fig­ures give you some way to gauge the rel­at­ive reli­ab­il­ity of the design and ARE NOT any sort of guarantee.

Watch for the next post in this series where I will look at Cat­egory 1 requirements!


[1] Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design. CEN Stand­ard EN 954 – 1. 1996.

[2] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. ISO Stand­ard 13849 – 1. 2006.

[3] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 2: Val­id­a­tion, ISO Stand­ard 13849 – 2. 2003.

[4] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 100: Guidelines for the use and applic­a­tion of ISO 13849 – 1. ISO Tech­nic­al Report TR 100. 2000.

[5] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. CEN Stand­ard EN ISO 13849 – 1. 2008.

Down­load ISO Standards

Series Nav­ig­a­tionInter­lock Archi­tec­tures – Pt. 2: Cat­egory 1

12 thoughts on “Interlock Architectures – Pt. 1: What do those categories really mean?

  1. Great explan­a­tion and trans­la­tion into how these stand­ards are applied in the real world. One thing that I think is often con­fus­ing is the defin­i­tion of fail­ure. I often have found myself won­der­ing if the stand­ard means fail­ure of a device to work as expec­ted or fail­ure in the sense that someone had to press an e‑stop..etc. Could you help cla­ri­fy that in the dif­fer­ent places that the word is men­tioned? I know that some­times it is more obvi­ous than others.

    1. Hey con­trols­girl! Thanks for post­ing this ques­tion – it’s a good one. 

      When we’re talk­ing about safety related con­trols there are a num­ber of dif­fer­ent types of fail­ures we could be talk­ing about. From the per­spect­ive of ISO 13849 – 1, what we care about are dan­ger­ous fail­ures, mean­ing that the safety-related con­trol func­tion has failed in a way that imme­di­ately increases the risk to the oper­at­or. If a con­trol func­tion does­n’t work as expec­ted, but no increase in risk occurs, it’s not a dan­ger­ous fail­ure. If a dan­ger­ous fail­ure occurs in a guard inter­lock, the res­ult could be a situ­ation where the oper­at­or opens the guard and the machine fails to stop. That is a dan­ger­ous failure.

      To sum up, fail­ures as dis­cussed in ISO 13849 – 1 are always faults in the safety-related parts of the con­trol sys­tem that res­ult in an increase in risk to the oper­at­or. They may be dan­ger­ous-detec­ted fail­ures, or dan­ger­ous-undetec­ted fail­ures. The stand­ard does­n’t pay any atten­tion to safe fail­ures, detect­able or not.

      Emer­gency stop is there to deal with ’emer­gent’ con­di­tions, i.e., fail­ures that wer­en’t fore­seen by the design­er, and so aren’t dealt with by the auto­mat­ic safety func­tions designed into the machine. For example, a ‘silent’ fail­ure occurs in the guard inter­lock we were talk­ing about. ‘Silent’ means the con­trol sys­tem dia­gnostics don’t detect it for whatever reas­on. The oper­at­or opens the guard and is imme­di­ately and unex­pec­tedly exposed to the machine haz­ard, res­ult­ing in an injury. A co-work­er presses the emer­gency stop to try to lim­it any addi­tion­al harm that might occur, and then dials 911 (or 112, or whatever your loc­al emer­gency phone num­ber is). E‑stops are con­sidered ‘com­ple­ment­ary pro­tect­ive meas­ures’ because they com­ple­ment the primary safe­guards, like the guard interlocks.

      I think that cov­ers it. Let me know if you have any more questions!

      1. Hi Doug, I’m a cer­ti­fied work­er Health and safety rep for USW 6571. I work for Ger­dau Whitby Steel Mill. I am by no means tech­nic­ally savvy, shall we say. I just have a great sense of duty to make sure my broth­ers are safe when they are run­ning their respect­ive equip­ment. Cur­rently, the com­pany has a Cat­egory 3 Safety sys­tem installed in our Bar Mill fin­ish­ing end. It con­sists of a Safety PLC Con­trol Box with a Stop but­ton and a Kirk key. You hit the stop but­ton, wait, turn the kirk key and place key in lock box, and place per­son­al lock on the box. This Con­trol box and lock box is loc­ated in the oper­at­or’s con­trol pul­pit. Now, the oper­at­or can open the gates (Which will only open if the con­trol box in the pul­pit has the stop but­ton depressed, key turned and removed from con­trol box) The work­er reps have main­tained this sys­tem is NOT the equi­val­ent or bet­ter than a hard lock­out (Phys­ic­al lock on power source) and as such we use this safety sys­tem to quickly access the equip­ment to fix a minor prob­lem, say, where we need to nudge or adjust a guide plate or cut a bar with a torch, so long as the oper­at­or does­n’t need to get up close and per­son­al with the equip­ment. We demand a full hard lock­out if mill­wrights or elec­tri­cians or oper­at­ors are required to get any part of their body too close or wrapped around any of the equip­ment. The com­pany is now think­ing of using a sim­il­ar sys­tem in the rolling mill to take away power from the mill stands, or maybe using a cat­egory 4 sys­tem and using it as a stan­dalone lock­out in place of a hard phys­ic­al lock­out. I’m not sure yet. The com­pany is doing a risk assess­ment tomor­row, with the engin­eer­ing firm and has asked myself and my fel­low JHSC mem­bers to attend and ask lots of ques­tions. I have noth­ing but ques­tions. My ques­tions for you are, 1. Is a cat­egory 3 safety device the equi­val­ent or bet­ter than a typ­ic­al lockout/tagout pro­ced­ure? 2. Is there a safety PLC sys­tem that is the equi­val­ent or bet­ter than a typ­ic­al lockout/tagout pro­ced­ure. LOL… I’m quite sure the answer won’t be so cut and dry. But here’s hop­ing! I’m also inter­ested in going to the sem­in­ar in Cam­bridge on May 9, 2018. Hope­fully that will shed some more light. Thanks Doug. I know it’s a little long winded.

        1. Frank,

          There is way more to unpack in your com­ment than I think I can do in this space. I would be happy to dis­cuss this with you by phone tomor­row if you would like to do that. Also, these com­ments are pub­lic, and there may be dis­cus­sions which are bet­ter kept private. I would be more than happy to dis­cuss this with you by phone. I will con­tact you via email with my con­tact details.


          1. Doug, that would be greatly appre­ci­ated. I’m in our safety office at 8:00am to dis­cuss with the oth­er guys what our object­ives will be when we listen to this risk assess­ment at 9:00am. So, I’ll shoot for early after­noon for a phone cal if that’s good with you.

  2. Pingback: Andy Garcia
  3. Pingback: MachinerySafety
  4. Pingback: Doug Nix

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.