Control FunctionsControl ReliabilityFunctional SafetyGuards and Guarding

Interlock Architectures – Pt. 1: What do those categories really mean?

Basic Stop/Start Circuit
This entry is part 1 of 8 in the series Cir­cuit Archi­tec­tures Explored

What do those categories really mean?

The archi­tec­tures used as the basis of inter­lock design and ana­lys­is have a long his­tory. Two basic forms exis­ted in the early days: the ANSI cat­egor­ies and the CSA vari­ant, and the CEN forms.

The ANSI/CSA archi­tec­tures were called SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED, and CONTROL RELIABLE. The basic sys­tem arose in the ANSI/RIA R15.06 1992 stand­ard and was used until 2014. The CSA vari­ant used the same names as the ANSI ver­sion but made a small dif­fer­en­ti­ation in the CONTROL RELIABLE cat­egory. This dif­fer­en­ti­ation was very subtle and was often com­pletely mis­un­der­stood by read­ers. This sys­tem was intro­duced in Canada in CSA Z434-1994 and was dis­con­tin­ued in 2016. This sys­tem of safety-related con­trol sys­tem archi­tec­ture cat­egor­ies is no longer used in any jur­is­dic­tion.

And then there was EN 954 – 1

In 1996 CEN pub­lished an import­ant stand­ard for machine build­ers – EN 954 – 1, “Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design” [1]. This stand­ard set the stage for defin­ing con­trol reli­ab­il­ity in machinery safe­guard­ing sys­tems, intro­du­cing the Reli­ab­il­ity cat­egor­ies that have become ubi­quit­ous. So what do these cat­egor­ies mean, and how are they applied under the latest machinery func­tion­al safety stand­ard, ISO 13849 – 1 [2]?

Down­load ISO Stand­ards

Circuit Categories

The cat­egor­ies are used to describe sys­tem archi­tec­tures for safety-related con­trol sys­tems. Each archi­tec­ture car­ries with it a range of reli­able per­form­ance that can be related to the degree of risk reduc­tion you are expect­ing to achieve with the sys­tem. These archi­tec­tures can be applied equally to elec­tric­al, elec­tron­ic, pneu­mat­ic, hydraul­ic or mech­an­ic­al con­trol sys­tems.

Historical Circuits

Early elec­tric­al ‘mas­ter-con­trol-relay’ cir­cuits used a simple archi­tec­ture with a single con­tact­or, or some­times two, and a single chan­nel style of archi­tec­ture to main­tain the con­tact­or coil cir­cuit once the START or POWER ON but­ton (PB2 in Fig. 1) had been pressed. Power to the out­put ele­ments of the machine con­trols was sup­plied via con­tacts on the con­tact­or, which is why it was called the Mas­ter Con­trol Relay or ‘MCR’. The POWER OFF but­ton (PB1 in Fig. 1) could be labeled that way, or you could make the same cir­cuit into an Emer­gency Stop by simply repla­cing the oper­at­or with a red mush­room-head push but­ton. These devices were usu­ally spring-return, so to restore power, all that was needed was to push the POWER ON but­ton again (Fig.1).

Basic Stop/Start Circuit
Fig­ure 1 – Basic Stop/Start Cir­cuit
Allen-Bradley 700PK Heavy Duty Contactor
Allen-Brad­ley 700PK Heavy Duty Con­tact­or

Typ­ic­ally, the com­pon­ents used in these cir­cuits were spe­cified to meet the cir­cuit con­di­tions, but not more. Con­trols man­u­fac­tur­ers brought out over-dimen­sioned ver­sions, such as Allen-Bradley’s Bul­let­in 700-PK con­tact­or which had 20 A rated con­tacts instead of the stand­ard Bul­let­in 700’s 10 A con­tacts.

When inter­locked guards began to show up, they were integ­rated into the ori­gin­al MCR cir­cuit by adding a basic con­trol relay (CR1 in Fig. 2) whose coil was con­trolled by the inter­lock switch(es) (LS1 in Fig. 2), and whose out­put con­tacts were in series with the coil cir­cuit of the MCR con­tact­or. Open­ing the guard inter­lock would open the MCR coil cir­cuit and drop power to the machine con­trols. Very simple.

Start/Stop Circuit with Guard Relay
Fig­ure 2 – Old-School Start/Stop Cir­cuit with Guard Relay
Typical ice-cube style relay
Typ­ic­al ice-cube style relay

Ice-cube’ style plug-in relays were often chosen for CR1. These devices did not have ‘force-guided’ con­tacts in them, so it was pos­sible to have one con­tact in the relay fail while the oth­er con­tin­ued to oper­ate prop­erly.

LS1 could be any kind of switch. Fre­quently a ‘micro-switch’ style of lim­it switch was chosen. These snap-action switches could fail shor­ted intern­ally, or weld closed and the actu­at­or would con­tin­ue to work nor­mally even though the switch itself had failed. These switches are also ridicu­lously easy to bypass. All that is required is a piece of tape or an elast­ic band and the switch is no longer doing its job.

Micro-Switch style limit switch used as an interlock switch
Micro-Switch style lim­it switch used as a cov­er inter­lock switch in a piece of indus­tri­al laun­dry equip­ment

The prob­lem with these cir­cuits is that they can fail in a num­ber of ways that aren’t obvi­ous to the user, with the res­ult being that the inter­lock might not work as expec­ted, or the Emer­gency Stop might fail just when you need it most.

Modern Circuits

Category B

These ori­gin­al cir­cuits are the basis for what became known as ‘Cat­egory B’ (‘B’ for ‘Basic’) cir­cuits. Here’s the defin­i­tion from the stand­ard. Note that I am tak­ing this excerpt from ISO 13849 – 1: 2007 (Edi­tion 2). “SRP/CS” stands for “Safety Related Parts of Con­trol Sys­tems”:

6.2.3 Cat­egory B
The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic applic­a­tion to with­stand

  • the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and fre­quency,
  • the influ­ence of the pro­cessed mater­i­al, e.g. deter­gents in a wash­ing machine, and
  • oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or dis­turb­ances.

There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B sys­tems and the MTTFd of each chan­nel can be low to medi­um. In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not rel­ev­ant.

The max­im­um PL achiev­able with cat­egory B is PL = b.

NOTE When a fault occurs it can lead to the loss of the safety func­tion.

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6-2 should be fol­lowed.

The stand­ard also provides us with a nice block dia­gram of what a single-chan­nel sys­tem might look like:

Category B Designated Architecture
ISO 13849 – 1 Cat­egory B Des­ig­nated Archi­tec­ture

If you look at this block dia­gram and the Start/Stop Cir­cuit with Guard Relay above, you can see how this basic cir­cuit trans­lates into a single chan­nel archi­tec­ture, since from the con­trol inputs to the con­trolled load you have a single chan­nel. Even the guard loop is a single chan­nel. A fail­ure in any com­pon­ent in the chan­nel can res­ult in loss of con­trol of the load.

Lets look at each part of this require­ment in more detail, since each of the sub­sequent Cat­egor­ies builds upon these BASIC require­ments.

The SRP/CS shall, as a min­im­um, be designed, con­struc­ted, selec­ted, assembled and com­bined in accord­ance with the rel­ev­ant stand­ards and using basic safety prin­ciples for the spe­cif­ic applic­a­tion…

Basic Safety Principles

We have to go to ISO 13849 – 2 to get a defin­i­tion of what Basic Safety Prin­ciples might include. Look­ing at Annex A.2 of the stand­ard we find:

Table A.1 — Basic Safety Principles

Basic Safety Prin­ciples Remarks
Use of suit­able mater­i­als and adequate man­u­fac­tur­ing Selec­tion of mater­i­al, man­u­fac­tur­ing meth­ods and treat­ment in rela­tion to, e. g. stress, dur­ab­il­ity, elasti­city, fric­tion, wear,
cor­ro­sion, tem­per­at­ure.
Cor­rect dimen­sion­ing and shap­ing Con­sider e. g. stress, strain, fatigue, sur­face rough­ness, tol­er­ances, stick­ing, man­u­fac­tur­ing.
Prop­er selec­tion, com­bin­a­tion, arrange­ments, assembly and install­a­tion of components/systems. Apply manufacturer’s applic­a­tion notes, e. g. cata­logue sheets, install­a­tion instruc­tions, spe­cific­a­tions, and use of good engin­eer­ing prac­tice in sim­il­ar components/systems.
Use of de – ener­gisa­tion prin­ciple The safe state is obtained by release of energy. See primary action for stop­ping in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1. Energy is sup­plied for start­ing the move­ment of a mech­an­ism. See primary action for start­ing in EN 292 – 2:1991 (ISO/TR 12100 – 2:1992), 3.7.1.Consider dif­fer­ent modes, e. g. oper­a­tion mode, main­ten­ance mode.

This prin­ciple shall not be used in spe­cial applic­a­tions, e. g. to keep energy for clamp­ing devices.

Prop­er fasten­ing For the applic­a­tion of screw lock­ing con­sider manufacturer’s applic­a­tion notes.Overloading can be avoided by apply­ing adequate torque load­ing tech­no­logy.
Lim­it­a­tion of the gen­er­a­tion and/or trans­mis­sion of force and sim­il­ar para­met­ers Examples are break pin, break plate, torque lim­it­ing clutch.
Lim­it­a­tion of range of envir­on­ment­al para­met­ers Examples of para­met­ers are tem­per­at­ure, humid­ity, pol­lu­tion at the install­a­tion place. See clause 8 and con­sider
manufacturer’s applic­a­tion notes.
Lim­it­a­tion of speed and sim­il­ar para­met­ers Con­sider e. g. the speed, accel­er­a­tion, decel­er­a­tion required by the applic­a­tion
Prop­er reac­tion time Con­sider e. g. spring tired­ness, fric­tion, lub­ric­a­tion, tem­per­at­ure, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion,
com­bin­a­tion of tol­er­ances.
Pro­tec­tion against unex­pec­ted start – up Con­sider unex­pec­ted start-up caused by stored energy and after power “sup­ply” res­tor­a­tion for dif­fer­ent modes as
oper­a­tion mode, main­ten­ance mode etc.
Spe­cial equip­ment for release of stored energy may be neces­sary.
Spe­cial applic­a­tions, e. g. to keep energy for clamp­ing devices or ensure a pos­i­tion, need to be con­sidered
sep­ar­ately.
Sim­pli­fic­a­tion Reduce the num­ber of com­pon­ents in the safety-related sys­tem.
Sep­ar­a­tion Sep­ar­a­tion of safety-related func­tions from oth­er func­tions.
Prop­er lub­ric­a­tion
Prop­er pre­ven­tion of the ingress of flu­ids and dust Con­sider IP rat­ing [see EN 60529 (IEC 60529)]

Down­load ISO Stand­ards
As you can see, the basic safety prin­ciples are pretty basic – select com­pon­ents appro­pri­ately for the applic­a­tion, con­sider the oper­at­ing con­di­tions for the com­pon­ents, fol­low manufacturer’s data, and use de-ener­giz­a­tion to cre­ate the stop func­tion. That way, a loss of power res­ults in the sys­tem fail­ing into a safe state, as does an open relay coil or set of burnt con­tacts.

…the expec­ted oper­at­ing stresses, e.g. the reli­ab­il­ity with respect to break­ing capa­city and fre­quency,”

Spe­cify your com­pon­ents cor­rectly with regard to voltage, cur­rent, break­ing capa­city, tem­per­at­ure, humid­ity, dust,…

…oth­er rel­ev­ant extern­al influ­ences, e.g. mech­an­ic­al vibra­tion, elec­tro­mag­net­ic inter­fer­ence, power sup­ply inter­rup­tions or dis­turb­ances.”

Spe­cif­ic require­ments for elec­tro­mag­net­ic com­pat­ib­il­ity are found in the rel­ev­ant product stand­ards, e.g. IEC 61800 – 3 for power drive sys­tems. For func­tion­al safety of SRP/CS in par­tic­u­lar, the immunity require­ments are rel­ev­ant. If no product stand­ard exists, at least the immunity require­ments of IEC 61000 – 6-2 should be fol­lowed.”

Prob­ably the biggest ‘gotcha’ in this point is “elec­tro­mag­net­ic inter­fer­ence”. This is import­ant enough that the stand­ard devotes a para­graph to it spe­cific­ally. I added the bold text to high­light the idea of ‘func­tion­al safety’. You can find oth­er inform­a­tion in oth­er posts on this blog on that top­ic. If your product is destined for the European Uni­on (EU), then you will almost cer­tainly be doing some EMC test­ing, unless your product is a ‘fixed install­a­tion’. If it’s going to almost any oth­er mar­ket, you prob­ably are not under­tak­ing this test­ing. So how do you know if your design meets this cri­ter­ia? Unless you test, you don’t. You can make some edu­cated guesses based on using sound engin­eer­ing prac­tices , but after that you can only hope.

Diagnostic Coverage

…There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory B sys­tems…”

Cat­egory B sys­tems are fun­da­ment­ally single-chan­nel. A single fault in the sys­tem will lead to the loss of the safety func­tion. This sen­tence refers to the concept of “dia­gnost­ic cov­er­age” that was intro­duced in ISO 13849 – 1:2007, but what this means in prac­tice is that there is no mon­it­or­ing or feed­back from any crit­ic­al ele­ments. Remem­ber our basic MCR cir­cuit? If the MCR con­tact­or wel­ded closed, the only dia­gnost­ic was the fail­ure of the machine to stop when the emer­gency stop but­ton was pressed.

Component Failure Rates

…the MTTFd of each chan­nel can be low to medi­um.”

This part of the state­ment is refer­ring to anoth­er new concept from ISO 13849 – 1:2007, “MTTFd”. Stand­ing for “Mean Time to Fail­ure Dan­ger­ous”, this concept looks at the expec­ted fail­ure rates of the com­pon­ent in hours. Cal­cu­lat­ing MTTFd is a sig­ni­fic­ant part of imple­ment­ing the new stand­ard. From the per­spect­ive of under­stand­ing Cat­egory B, what this means is that you do not need to use high-reli­ab­il­ity com­pon­ents in these sys­tems.

Common Cause Failures

In such struc­tures (nor­mally single-chan­nel sys­tems), the con­sid­er­a­tion of CCF is not rel­ev­ant.”

CCF is anoth­er new concept from ISO 13849 – 1:2007, and stands for “Com­mon Cause Fail­ure”. I’m not going to get into this in any detail here, but suf­fice to say that design tech­niques, as well as chan­nel sep­ar­a­tion (impossible in a single chan­nel archi­tec­ture) and oth­er tech­niques are used to reduce the like­li­hood of CCF in high­er reli­ab­il­ity sys­tems.

Performance Levels

The max­im­um PL achiev­able with cat­egory B is PL = b.”

PL stands for “Per­form­ance Level”, divided into five degrees from ‘a’ to ‘e’. PLa is equal to an aver­age prob­ab­il­ity of dan­ger­ous fail­ure per hour of >= 10-5 to < 10-4 fail­ures per hour. PLb is equal to >= 3 × 10-6 to < 10-5 fail­ures per hour or once in 10,000 to 100,000 hours, to once in 3,000,000 hours of oper­a­tion. This sounds like a lot, but when deal­ing with prob­ab­il­it­ies, these num­bers are actu­ally pretty low.

If you con­sider an oper­a­tion run­ning a single shift in Canada where the nor­mal work­ing year is 50 weeks and the nor­mal work­day is 7.5 hours, a work­ing year is

7.5 h/d x 5 d/w x 50 w/a = 1875 hours/a

Tak­ing the fail­ure rates per hour above, yields:

PLa = one fail­ure in 5.3 years of oper­a­tion to one fail­ure in 53.3 years

PLb = one fail­ure in 1600 years of oper­a­tion

If we go to an oper­a­tion run­ning three shifts in Canada, a work­ing year is:

7.5 h/shift x 3 shifts x 5 d/w x 50 w/a = 5625 hours/a

Tak­ing the fail­ure rates per hour above, yields:

PLa = one fail­ure in 1.8 years of oper­a­tion to one fail­ure in 17 years

PLb = one fail­ure in 533 years of oper­a­tion

Now you should be start­ing to get an idea about where this is going. It’s import­ant to remem­ber that prob­ab­il­it­ies are just that – the fail­ure could hap­pen in the first hour of oper­a­tion or at any time after that, or nev­er. These fig­ures give you some way to gauge the rel­at­ive reli­ab­il­ity of the design, and ARE NOT any sort of guar­an­tee.

Watch for the next post in this series where I will look at Cat­egory 1 require­ments!

References

[1] Safety of Machinery – Safety Related Parts of Con­trol Sys­tems – Part 1: Gen­er­al Prin­ciples for Design. CEN Stand­ard EN 954 – 1. 1996.

[2] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. ISO Stand­ard 13849 – 1. 2006.

[3] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 2: Val­id­a­tion, ISO Stand­ard 13849 – 2. 2003.

[4] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 100: Guidelines for the use and applic­a­tion of ISO 13849 – 1. ISO Tech­nic­al Report TR 100. 2000.

[5] Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. CEN Stand­ard EN ISO 13849 – 1. 2008.

Down­load ISO Stand­ards

Series Nav­ig­a­tionInter­lock Archi­tec­tures – Pt. 2: Cat­egory 1