This post updated 2019-11-21.
In the first two posts in this series, we looked at Category B, the Basic category of system architecture, and then moved on to look at Category 1. Category B underpins Categories 2, 3 and 4. In this post, we’ll look more deeply into Category 2.
Let’s start by looking at the definition for Category 2, taken from ISO 13849-1:2007. Remember that in these excerpts, SRP/CS stands for Safety-Related Parts of Control Systems.
Definition
6.2.5 Category 2
For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well–tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed
— at the machine start-up, and
— prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, immediately upon on demand of the safety function and/or periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the safety function(s) shall either
— allow operation if no faults have been detected, or
— generate an output (OTE) which initiates appropriate control action, if a fault is detected.
For PLr = d the output (OTE) shall initiate a safe state which is maintained until the fault is cleared.
For PLr up to and including PLr = c, whenever practicable the output (OTE) shall initiate a safe state which is maintained until the fault is cleared. When this is not practicable (e.g. welding of the contact in the final switching device) it may be sufficient for the output of the test equipment OTE to provide a warning.
For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFD and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).
The diagnostic coverage (DCavg) of the functional channel shall be at least low. The MTTFD of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF
shall be applied (see Annex F).
The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The test equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
The maximum PL achievable with category 2 is PL = d.
NOTE 1 In some cases category 2 is not applicable because the checking of the safety function cannot be applied to all components.
NOTE 2 Category 2 system behaviour is characterized by
— the occurrence of a fault can lead to the loss of the safety function between checks,
— the loss of safety function is detected by the check.
NOTE 3 The principle that supports the validity of a category 2 function is that the adopted technical provisions, and, for example, the choice of checking frequency can decrease the probability of occurrence of a dangerous situation.
NOTE 4 For applying the simplified approach based on designated architectures, refer to the assumptions in 4.5.4.
Breaking it down
Let start by taking apart the definition a piece at a time and looking at what each part means. I’ll also show a couple of simple example circuits and some of the pitfalls in them.
Category B & Well-tried Safety Principles
The first paragraph speaks to the building block approach taken in the standard:
For category 2, the same requirements as those according to 6.2.3 for category B shall apply. “Well–tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
Systems conforming to Category 2 architecture are required to meet all of the requirements of Category B. Additional requirements apply for Category 2 and we will look at those in a bit.
Self-testing required
Category 2 brings in the idea of diagnostics. If correctly specified components have been selected (Category B), and are applied following ‘well-tried safety principles’, then adding a diagnostic component to the system should allow the system to detect some faults and therefore achieve a certain degree of ‘fault-tolerance’ or the ability to function correctly even when some aspect of the system has failed.
Let’s look at the text:
“SRP/CS of category 2 shall be designed so that their function(s) are checked at suitable intervals by the machine control system. The check of the safety function(s) shall be performed
— at the machine start-up, and
— prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of other movements, immediately upon on demand of the safety function and/or periodically during operation if the risk assessment and the kind of operation shows that it is necessary.
The initiation of this check may be automatic. Any check of the safety function(s) shall either
— allow operation if no faults have been detected, or
— generate an output (OTE) which initiates appropriate control action, if a fault is detected.”
[Ed. note: There is a significant change from the 2006 edition where the paragraph below was included. This paragraph has been removed from the 3rd edition in 2015.
“Whenever possible this output shall initiate a safe state. This safe state shall be maintained until the fault is cleared. When it is not possible to initiate a safe state (e.g. welding of the contact in the final switching device) the output shall provide a warning of the hazard.” — Deleted from 2015 ed.]
Periodic checking is required. The checks must happen at least each time there is a demand placed on the system, i.e., a guard door is opened and closed, or an emergency stop button is pressed and reset. In addition, the integrity of the SRP/CS must be tested at the start of a cycle or hazardous period, and potentially periodically during operation if the risk assessment indicates that this is necessary.
The testing does not have to be automatic, although in practice it usually is. As long as the system integrity is good, then the output is allowed to remain on, and the machinery or process can run.
Special provisions for the Simplified Method (4.5.4)
If you choose to use the Simplified Method describe in 4.5.4, then there are some additional requirements that must be met. The demand rate must be <= 1/100 of the test rate, or in other words the testing frequency must be at least 100x the demand rate [1, 4.5.4], e.g., a light curtain on a part loading work station that is interrupted every 30 s during normal operation requires a minimum test rate of once every 0.3 s, or 200x per minute or more.
If you want to know more about the testing rate, see my Q & A post on testing intervals.
In addition to the minimum test rate, the MTTFD of the test channel must be >= ½ the MTTFD of the functional channel.
Watch out!
Loss of the safety function must be detected by the monitoring system and a safe state initiated or an alarm or other indication provided to the user. This requires careful thought, since the safety system components may have to interact with the process control system to initiate and maintain the safe state in the event that the safety system itself has failed. Unless you know exactly what you are doing, designers should not use fault exclusions in Category 2 architecture, because safety functions built with this structure are not fault-tolerant.
All of this leads to an interesting question: If the system is hardwired through the operating channel, and all the components used in that channel meet Category B requirements, can the diagnostic component be provided by monitoring the system with a standard PLC? The answer to this may be YES, as long as the PLC has adequate MTTFD. Test equipment (called TE in Fig. 1) is specifically excluded, and Category 2 DOES NOT require the use of well-tried components, only well-tried safety principles.
Finally, for the faults that can be detected by the monitoring system, the detection of a fault must initiate a safe state. This means that on the next demand on the system, i.e. the next time the guard is opened or the emergency stop is pressed, the machine must go into a safe condition. Generally, detection of a fault should prevent the subsequent reset of the system until the fault is cleared or repaired.
Testing is not permitted to introduce any new hazards or to slow the system down. The tests must occur ‘on-the-fly’ and without introducing any delay in the system compared to how it would have operated without the testing incorporated. Test equipment can be integrated into the safety system or be external to it.
One more “gotcha”
Note 1 in the definition highlights a significant pitfall for many designers: if all of the components in the functional channel of the system cannot be checked, you cannot claim conformity to Category 2. If you look back at Fig. 1, you will see that the dashed “m” lines connect all three functional blocks to the TE, indicating that all three must be included in the monitoring channel. A system that otherwise would meet the architectural requirements for Category 2 must be downgraded to Category 1 in cases where all the components in the functional channel cannot be tested. This is a major point and one which many designers miss when developing their systems.
For the example circuit shown in Fig. 2 below, there are no monitoring connections to the pushbuttons, and therefore the circuit cannot conform to Category 2. The use of an additional contact on each button, plus the connection of those monitoring contacts into the reset circuit (the CR3 rung) would be required. Also, the e-stop button would need to be safety rated and direct drive.
New requirements in the 3rd edition, 2015
Two new paragraphs were added in the 2015 edition that place limits on the performance of Category 2.
For PLr = d the output (OTE) shall initiate a safe state which is maintained until the fault is cleared.
If you are attempting to reach PLd using Category 2 the test channel (OTE) must be able to initiate a safe state in the machine when a fault occurs. The safe state must be maintained until the fault is cleared. Use of Cat. 2 for PLd systems is rare in my experience, however, it is theoretically possible.
For PLr up to and including PLr = c, whenever practicable the output (OTE) shall initiate a safe state which is maintained until the fault is cleared. When this is not practicable (e.g. welding of the contact in the final switching device) it may be sufficient for the output of the test equipment OTE to provide a warning.
In this case, the OTE initiates the safe state if practicable, i.e., if you can, and if not, the OTE can provide a warning that the safety function has failed. The safe state or the warning, i.e., alarm, must be maintained until the fault is cleared.
Calculation of MTTFD
The next paragraph deals with the calculation of the failure rate of the system, or MTTFD.
For the designated architecture of category 2, as shown in Figure 10, the calculation of MTTFD and DCavg should take into account only the blocks of the functional channel (i.e. I, L and O in Figure 10) and not the blocks of the testing channel (i.e. TE and OTE in Figure 10).
Calculation of the failure rate focuses on the functional channel, not on the monitoring system, meaning that the failure rate of the monitoring system is ignored when analyzing systems using this architecture. The MTTFD of each component in the functional channel is calculated and then the MTTFD of the total channel is calculated.
The Diagnostic Coverage (DCavg) is also calculated based exclusively on the components in the functional channel, so when determining what percentage of the faults can be detected by the monitoring equipment, only faults in the functional channel are considered.
This highlights the fact that a failure of the monitoring system cannot be detected, so a single failure in the monitoring system that results in the system failing to detect a subsequent normally detectable failure in the functional channel will result in the loss of the safety function.
The diagnostic coverage (DCavg) of the functional channel shall be at least low. The MTTFD of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).
DCavg = LOW indicates that the OTE must be able to detect between 60% and 90% of the dangerous detectable faults in the functional channel. To determine this, an FMEA of the functional channel is required. You can also attempt to estimate the DCavg using the Annexes in [1] and [2].
The check itself shall not lead to a hazardous situation (e.g. due to an increase in response time). The test equipment may be integral with, or separate from, the safety-related part(s) providing the safety function.
Testing of the functional channel is not permitted to interfere with the operation of the functional channel, and separation between the functional channel and the test channel is permitted, e.g., using a PLC to provide the diagnostics for a hardwired functional channel.
The maximum PL achievable with category 2 is PL = d.
This is pretty clear – the upper limit for PL using category 2 is PLd. If you have a look at the table in Annex K, you will find that Category 2 has an upper limit of 2.58 × 10-5 failures per hour (PLa) and a lower limit of 5.28 × 10-7 failures per hour (PLd).
Summing up
The next paragraph sums up the limits of this particular architecture:
The diagnostic coverage (DCavg) of the functional channel shall be at least low. The MTTFD of each channel shall be low-to-high, depending on the required performance level (PLr). Measures against CCF shall be applied (see Annex F).
This is a change from the 2nd edition (2006), where DCavg was limited to LOW. Now it must be at least low, i.e., >= 60%, but it can be much higher. Higher DC is usually better, but there may be unacceptable trade-offs in performance depending on the characteristics of your design.
MTTFD in the functional channel can be anywhere in the range from LOW to HIGH depending on the components selected and the way they are applied in the design. The requirement will be driven by the desired PL of the system, so a PLd system will require HIGH MTTFD components in the functional channel, while the same architecture used for a PLb system would require only LOW MTTFD components.
Finally, applicable measures against Common Cause Failures (CCF) must be used. Some of the measures given in Table F.1 in Annex F of the standard cannot be applied, such as Channel Separation, since you cannot separate a single channel. Other CCF measures can and must be applied, and so, therefore, you must score at least the minimum 65 on the CCF table in Annex F to claim compliance with Category 2 requirements.
Example Circuits
Simple start-stop circuit
Here’s an example of what a simple Category 2 circuit constructed from discrete components might look like. Note that PB1 and PB2 could just as easily be interlock switches on guard doors as push buttons on a control panel. For the sake of simplicity, I did not illustrate surge suppression on the relays, but you should include MOV’s or RC suppressors across all relay coils. All relays are considered to be constructed with ‘force-guided’ designs and meet the requirements for well-tried components.
How the circuit works:
- The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset button is pressed, since the NC monitoring contacts on CR1, CR2 and M are all closed, but the NO reset push button contact is open.
- The reset push button, PB3, is pressed. If both CR1, CR2 and M are off, their normally closed contacts will be closed, so pressing PB3 will result in CR3 turning on.
- CR3 closes its contacts, energizing CR1 and CR2 which seal their contact circuits in and de-energize CR3. The time delays inherent in relays permit this to work.
- With CR1 and CR2 closed and CR3 held off because its coil circuit opened when CR1 and CR2 turned on, M energizes and motion can start.
In this circuit, the monitoring function is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not energize, and so a single fault is detected and the machine is prevented from re-starting. If the machine is stopped by pressing either PB1 or PB2, the machine will stop since CR1 and CR2 are redundant. If CR3 fails with welded contacts, then the M rung is held open because CR3 has not de-energized, and if it fails with an open coil, the reset function will not work, therefore both failure modes will prevent the machine from starting with a failed monitoring system, if a “force-guided” type of relay is used for CR3. If CR1 or CR2 fails with an open coil, then M cannot energize because of the redundant contacts on the M rung.
This circuit cannot detect a failure in PB1, PB2, or PB3, although these devices could be monitored with modifications to the design of the circuit. Testing is conducted each time the circuit is reset. This circuit does not meet the 100x test rate requirement required for the simplified method, and so cannot be said to meet Category 2 requirements if that method is used. It will meet the requirements if the calculation method is used.
In calculating MTTFD, PB1, PB2, CR1, CR2, CR3 and M must be included. At first glance it would seem that CR3 should be excluded since it is in the test channel, however, CR3 is included because it has a functional contact in the M rung and is, therefore, part of the functional channel of the circuit as well as being part of the OTE channels.
Another example: Guard interlocking
This example comes from OMRON [3]. This example is a simple interlocked movable guard. The machine operation is stopped or inhibited when the guard is opened.
SW1 is a safety-rated limit switch that has a “direct-drive” or “direct-opening” mechanism, denoted by the arrow-in-a-circle symbol next to the schematic symbol, and a normally closed contact. The direct opening mechanism is a rigid link between the operating device, in this case, a roller cam or a button, and the contacts in the switch. If the switch contacts weld, the movement of the guard will force the contacts apart. This may destroy the switch.
Examples of Applicable Control Parts
SW1: Safety limit switch (direct-opening mechanism)
S1: Reset switch
K1 and K2: Safety relays
KM1: Magnetic contactor
Main Safety Functions
1. Monitors operation at an appropriate interval using a control system.
2. Monitors contact welding using safety relays.
Operation
The circuit can be reset if the guard is closed. Pressing the RESET button (S1) with the guard open will not cause the motor starter (KM1) to close because the first safety relay (K1) will not close because the power to the coil circuit is cut off by SW1.
With the guard closed, SW1 is closed and power is available to the K1 coil rung. Pressing S1 will energize K2 IF KM1 is OFF and K1 is OFF.
When K2 energizes, C is charged and the K2 contact in the K1 rung closes, energizing K1. K1 seals in the K1 coil with the K1-NO contact that is parallel to the K2 contact and opens the K2 rung with the K1-NC contact in that rung.
The capacitor, C, in the K2 rung provides a short drop-out delay to K2.
With K2 OFF, and therefore the K2-NC contact in the KM1 coil rung closed, and K1 ON, and the K1-NO contact in the KM1 rung closed, KM1 will energize and the load will start.
Faults
If either KM1 or K1 weld closed, the reset will fail. If KM1 is welded closed, the safety function is lost. If K1 is welded the safety function is lost.
SW1 is not monitored, so this architecture does not meet the requirements for Category 2. Adding a second NC monitoring contact to SW1 and inserting it into the K2 coil circuit in series with the KM1 monitoring contact would allow the system to monitor the interlock switch and meet the requirements for Cat. 2.
Note: The safety function will be lost by a single failure, such as a short-circuit failure in the input wiring.
You can find more examples in the BGIA Report 2/2008e [4]. This document also offers guidance on the application of the standard. Just be careful, since the report predates the current edition of the standard, so there may be differences between the examples given there and the current requirements.
References
References used in MS101 posts follow the IEEE referencing method. See the guide posted on IEEE Data-port for more information.
[1] International Organization for Standardization (ISO). Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO 13849-1. 2015.
[2] International Organization for Standardization (ISO). Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO 13849-2. 2012.
[3] “Safety Circuit Examples of Safety Components | Technical Guide | Australia | Omron IA”, Omron.com.au, 2019. [Online]. Available: http://www.omron.com.au/service_support/technical_guide/safety_component/safety_circuit_example.asp. [Accessed: 21- Nov- 2019].
[4] BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, “Report 2/2008e—Functional safety of machine controls—Application of EN ISO 13849”, German Social Accident Insurance (DGUV), Berlin, 2019.
Doug,
So in practice, it will hard to apply Cat.2 safety circuit due to all fault exclusions is not possible, Cat.3 will more easy to apply in practice, is it correct? In my previous application experience, most of time our team always base on Cat.3 safety circuit to complete design.
Thanks a lot!
Hi Xuejun,
You must be very careful using fault exclusions in Cat. 2 since the system has zero fault tolerance. If you are going to take this approach, the fault exclusions must be plausible according to ISO 13849-2, or if they are different, you must be prepared to develop a detailed technical rationale for the fault exclusion. My recommendation is that you pass on the fault exclusions to calculate a realistic PL for the system. If you cannot achieve the PLr necessary using a Cat. 2 architecture, you should consider moving to one of the redundant architectures to improve the fault tolerance. The use of fault exclusions must be carefully considered and thoroughly documented.
Hi, Doug thanks for you article, but I have two questions with it:
1, Why you say “note that it is not possible to use fault exclusions in Category 2 architecture, because the system is not fault-tolerant.”, is it mean that any fault exclusions which list at ISO 13849-2 all can’t apply?
For example Table D.6 — Faults and fault exclusions — Terminal block, it can’t be applied? But from ISO 13849-1 and ISO 13849-2 I don’t find this similar description, just see a requirement for PLe, that “For PL e, a fault exclusion for mechanical (e.g. the mechanical link between an actuator and a contact element)
and electrical aspects is not allowed.”
2, For diagram 1, is it mean if PB1(stop) and PB2(E-stop) add a NC contact to CR3 coil circuit, when press PB3, PB1 and PB2 can be monitored, then this whole safety circuit can meet Category 2 requirement?
Thanks a lot!
Hi Che,
1) Yes, that is correct. Since Cat. 2 architecture has zero fault tolerance, fault exclusions are not possible. None of the fault exclusions discussed in ISO 13849-2 are applicable.
2) Diagram 1 is an example of a circuit diagram that might meet Category 2, if all the other Category 2 requirements are met. The circuit diagram alone is not enough. The MTTFD of the components is required, as well as the DC and CCF scores.
Hello, could you please explain step-by-step how you reach to the conclusion:
“note that it is not possible to use fault exclusions in Category 2 architecture, because the system is not fault-tolerant”.
ISO-13849 do not define “fault-tolerant” systems and do not explicitly limits usage of fault exclusion in the category 2.
Hi Aleh,
My logic for the statement in the article is that the lack of fault tolerance in Cat. 2 structures does not reasonably permit the use of fault exclusions.
Let’s start with a definition of “fault-tolerant”:
3.1575
fault-tolerant
1. pertaining to a system or component that is able to continue normal operation despite the presence of faults
ISO/IEC/IEEE 24765:2017(en)
Systems and software engineering — Vocabulary
In order for a Category 2 structure to be fault-tolerant, the structure would have to be able to tolerate one or more faults in the functional channel. The definition of Category 2 specifically states:
“NOTE 2 Category 2 system behaviour is characterized by
— the occurrence of a fault can lead to the loss of the safety function between checks,”
[ISO 13849-1:2015, 6.2.5]
Since the definition specifically notes that a fault can cause the loss of the safety function, the structure is inherently not fault-tolerant. Next, we need to look at the language in the standard relating to fault exclusions. For that we turn to clause 7:
7.3 Fault exclusion
It is not always possible to evaluate SRP/CS without assuming that certain faults can be excluded. For
detailed information on fault exclusions, see ISO 13849-2.
Fault exclusion is a compromise between technical safety requirements and the theoretical possibility
of occurrence of a fault.
Fault exclusion can be based on
— the technical improbability of occurrence of some faults,
— generally accepted technical experience, independent of the considered application, and
— technical requirements related to the application and the specific hazard.
If faults are excluded, a detailed justification shall be given in the technical documentation.
To determine the available fault exclusions for a particular system, you would have to conduct an FMEA, and then check the faults that you think you want to exclude in the tables in ISO 13849-2. Any faults that could occur in components in the functional channel would have to be especially carefully justified since a fault in the functional channel would cause the loss of the safety function. For PL=c or PL=d applications, I would be very careful about trying to justify any fault exclusions in the functional channel. I cannot think of any applications in my experience where I would have even considered a fault exclusion in a Cat. 2 structure.
Hello Doug,
thank you a lot for explanation.
So, as if I understand correctly, there is no restriction in fault exclusions in category 2, but strict requirements as for it justification.
As for element for fault exclusion, is, for example, fuse fault exclusion also need to be justified with such careful approach? The IFA Report 2/2017e advises:
Examples of well-tried components in electrical technology
• Fuse
Fuses and miniature circuit-breakers are equipment for protection against overcurrent. They interrupt an electrical circuit (de-energization principle) in the event of an excessively high current, caused for example by an insulation fault. A distinction must be drawn between fuses and circuit breakers. Lead fuses have for decades proved effective in protecting against overcurrent. Comprehensive provisions exist governing fuses [11; 12].
Provided they are used as intended and are correctly rated, failure of fuses can virtually be excluded.
Hi Aleh,
You’ve not looked far enough into part 2, as you are only quoting the well-tried component information for the fuse. You have to read down into clause D.2, and Tables D.4 through D.21. Following your example, you will note that there are NO fault exclusions for fuses.
Fault exclusions must be used with great care. If you are not certain about what you are doing, don’t do it. Guessing will get people hurt or killed.
you rock!
Thanks!
Hi Doug, thanks for these great articles. I have combed through the standards a number of times in the past but most of my design and performance level calculations were based on simple architectures like the block diagram where there are a number of inputs, a safety relay and a series of outputs that are monitored in the reset loop or by safety PLC inputs. In the example above, there is lots of cross-interaction with multiple contacts in a sort of start sequence used to indicate successful completion of one coil being driven before the next coil is driven (the next step in the sequence).
How do you calculate the probability of disastrous failure for the safety functions in a circuit like this? What would the diagram look like, or the way in which you combine the MTTFd’s for each component together? For instance if the MTTFd for CR3 used once or 3 times in this calculation?
Thanks.
Dublo,
Good question! The answer is not something I can give in full in a comment like this, however, the first thing to recognize is that some components shown in Fig. 2 are not included when analyzing the circuit, e.g., the fuses, F1 and F2, and the motor, M. Next, the components that remain are considered as a whole, for example, the failure rate of CR1 or CR2 includes the possibility of one or more contact failing to danger. The individual contacts are not considered on their own.
The branch including CR1 is a single channel. The branch including CR2 is a single channel. However, because PB1 and PB2 are connected single channel, the CR1/CR2 branches are being used in a single channel mode. These two branches become the “L” Logic block.
PB1 and PB2 form the “I” block in the logic diagram
The branch including CR3 is the TE block, providing functional monitoring of CR1 and CR2.
The “O” block is not clear here, but is effectively CR1, CR2 and CR3 grouped together.
Keep in mind that this type of construction is not used in practice. The functionality provided by the CR1, Cr2 and CR3 branches are internal to a basic safety relay. A safety relay like this will have one PL rating provided by the manufacturer, with the resulting architecture determined by how the user implements the safety relay. It is quite possible to take a safety relay that can provide PLe, Cat. 4 capabilities, and wire it into a Cat. 1, 2, 3 or 4 circuit.