Interlock Architectures – Pt. 3: Category 2

This post updated 2019-11-21.

In the first two posts in this series, we looked at Cat­egory B, the Basic cat­egory of sys­tem archi­tec­ture, and then moved on to look at Cat­egory 1. Cat­egory B under­pins Cat­egor­ies 2, 3 and 4. In this post, we’ll look more deeply into Cat­egory 2.

Let’s start by look­ing at the defin­i­tion for Cat­egory 2, taken from ISO 13849 – 1:2007. Remem­ber that in these excerpts, SRP/CS stands for Safety-Related Parts of Con­trol Systems.

Definition

6.2.5 Category 2 [1]

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/CS of cat­egory 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be performed

— at the machine start-up, and

— pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, imme­di­ately upon on demand of the safety func­tion and/or peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is necessary. 

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

— allow oper­a­tion if no faults have been detec­ted, or

— gen­er­ate an out­put (OTE) which ini­ti­ates appro­pri­ate con­trol action, if a fault is detected.

For PLr = d the out­put (OTE) shall ini­ti­ate a safe state which is main­tained until the fault is cleared.

For PLr up to and includ­ing PLr = c, whenev­er prac­tic­able the out­put (OTE) shall ini­ti­ate a safe state which is main­tained until the fault is cleared. When this is not prac­tic­able (e.g. weld­ing of the con­tact in the final switch­ing device) it may be suf­fi­cient for the out­put of the test equip­ment OTE to provide a warning.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTF_D and DC_avg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

The dia­gnost­ic cov­er­age (DC_avg) of the func­tion­al chan­nel shall be at least low. The MTTF_D of each chan­nel shall be low-to-high, depend­ing on the required per­form­ance level (PLr). Meas­ures against CCF
shall be applied (see Annex F).

The check itself shall not lead to a haz­ard­ous situ­ation (e.g. due to an increase in response time). The test equip­ment may be integ­ral with, or sep­ar­ate from, the safety-related part(s) provid­ing the safety function.

The max­im­um PL achiev­able with cat­egory 2 is PL = d.

NOTE 1 In some cases cat­egory 2 is not applic­able because the check­ing of the safety func­tion can­not be applied to all components.

NOTE 2 Cat­egory 2 sys­tem beha­viour is char­ac­ter­ized by

— the occur­rence of a fault can lead to the loss of the safety func­tion between checks,

— the loss of safety func­tion is detec­ted by the check.

NOTE 3 The prin­ciple that sup­ports the valid­ity of a cat­egory 2 func­tion is that the adop­ted tech­nic­al pro­vi­sions, and, for example, the choice of check­ing fre­quency can decrease the prob­ab­il­ity of occur­rence of a dan­ger­ous situation.

NOTE 4 For apply­ing the sim­pli­fied approach based on des­ig­nated archi­tec­tures, refer to the assump­tions in 4.5.4.

Breaking it down

Let start by tak­ing apart the defin­i­tion a piece at a time and look­ing at what each part means. I’ll also show a couple of simple example cir­cuits and some of the pit­falls in them.

Category B & Well-tried Safety Principles

The first para­graph speaks to the build­ing block approach taken in the standard:

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Sys­tems con­form­ing to Cat­egory 2 archi­tec­ture are required to meet all of the require­ments of Cat­egory B. Addi­tion­al require­ments apply for Cat­egory 2 and we will look at those in a bit.

Self-testing required

Cat­egory 2 brings in the idea of dia­gnostics. If cor­rectly spe­cified com­pon­ents have been selec­ted (Cat­egory B), and are applied fol­low­ing ‘well-tried safety prin­ciples’, then adding a dia­gnost­ic com­pon­ent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-tol­er­ance’ or the abil­ity to func­tion cor­rectly even when some aspect of the sys­tem has failed.

Let’s look at the text:

“SRP/CS of cat­egory 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be performed

— at the machine start-up, and

— pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, imme­di­ately upon on demand of the safety func­tion and/or peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is necessary. 

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

— allow oper­a­tion if no faults have been detec­ted, or

— gen­er­ate an out­put (OTE) which ini­ti­ates appro­pri­ate con­trol action, if a fault is detected.”

[Ed. note: There is a sig­ni­fic­ant change from the 2006 edi­tion where the para­graph below was included. This para­graph has been removed from the 3^rd edi­tion in 2015.

“Whenev­er pos­sible this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­sible to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall provide a warn­ing of the haz­ard.” – Deleted from 2015 ed.]

Peri­od­ic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e., a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion, the integ­rity of the SRP/CS must be tested at the start of a cycle or haz­ard­ous peri­od, and poten­tially peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment indic­ates that this is necessary. 

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­ally is. As long as the sys­tem integ­rity is good, then the out­put is allowed to remain on, and the machinery or pro­cess can run.

Special provisions for the Simplified Method (4.5.4)

If you choose to use the Sim­pli­fied Meth­od describe in 4.5.4, then there are some addi­tion­al require­ments that must be met. The demand rate must be <= 1/100 of the test rate, or in oth­er words the test­ing fre­quency must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rup­ted every 30 s dur­ing nor­mal oper­a­tion requires a min­im­um test rate of once every 0.3 s, or 200x per minute or more.

If you want to know more about the test­ing rate, see my Q & A post on test­ing inter­vals.

In addi­tion to the min­im­um test rate, the MTTF_D of the test chan­nel must be >= ½ the MTTF_D of the func­tion­al channel.

Watch out!

Loss of the safety func­tion must be detec­ted by the mon­it­or­ing sys­tem and a safe state ini­ti­ated or an alarm or oth­er indic­a­tion provided to the user. This requires care­ful thought, since the safety sys­tem com­pon­ents may have to inter­act with the pro­cess con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safety sys­tem itself has failed. Also note that it is not pos­sible to use fault exclu­sions in Cat­egory 2 archi­tec­ture, because the sys­tem is not fault-tolerant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­pon­ents used in that chan­nel meet Cat­egory B require­ments, can the dia­gnost­ic com­pon­ent be provided by mon­it­or­ing the sys­tem with a stand­ard PLC? The answer to this may be YES, as long as the PLC has adequate MTTF_D. Test equip­ment (called TE in Fig. 1) is spe­cific­ally excluded, and Cat­egory 2 DOES NOT require the use of well-tried com­pon­ents, only well-tried safety principles.

Finally, for the faults that can be detec­ted by the mon­it­or­ing sys­tem, the detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Gen­er­ally, detec­tion of a fault should pre­vent the sub­sequent reset of the sys­tem until the fault is cleared or repaired.

Test­ing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-the-fly’ and without intro­du­cing any delay in the sys­tem com­pared to how it would have oper­ated without the test­ing incor­por­ated. Test equip­ment can be integ­rated into the safety sys­tem or be extern­al to it.

One more “gotcha”

Note 1 in the defin­i­tion high­lights a sig­ni­fic­ant pit­fall for many design­ers: if all of the com­pon­ents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­form­ity to Cat­egory 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indic­at­ing that all three must be included in the mon­it­or­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Cat­egory 2 must be down­graded to Cat­egory 1 in cases where all the com­pon­ents in the func­tion­al chan­nel can­not be tested. This is a major point and one which many design­ers miss when devel­op­ing their systems.

For the example cir­cuit shown in Fig. 2 below, there are no mon­it­or­ing con­nec­tions to the push­but­tons, and there­fore the cir­cuit can­not con­form to Cat­egory 2. The use of an addi­tion­al con­tact on each but­ton, plus the con­nec­tion of those mon­it­or­ing con­tacts into the reset cir­cuit (the CR3 rung) would be required. Also, the e‑stop but­ton would need to be safety rated and dir­ect drive.

New requirements in the 3^rd edition, 2015

Two new para­graphs were added in the 2015 edi­tion that place lim­its on the per­form­ance of Cat­egory 2.

For PLr = d the out­put (OTE) shall ini­ti­ate a safe state which is main­tained until the fault is cleared.

If you are attempt­ing to reach PLd using Cat­egory 2 the test chan­nel (OTE) must be able to ini­ti­ate a safe state in the machine when a fault occurs. The safe state must be main­tained until the fault is cleared. Use of Cat. 2 for PLd sys­tems is rare in my exper­i­ence, how­ever, it is the­or­et­ic­ally possible.

For PLr up to and includ­ing PLr = c, whenev­er prac­tic­able the out­put (OTE) shall ini­ti­ate a safe state which is main­tained until the fault is cleared. When this is not prac­tic­able (e.g. weld­ing of the con­tact in the final switch­ing device) it may be suf­fi­cient for the out­put of the test equip­ment OTE to provide a warning.

In this case, the OTE ini­ti­ates the safe state if prac­tic­able, i.e., if you can, and if not, the OTE can provide a warn­ing that the safety func­tion has failed. The safe state or the warn­ing, i.e., alarm, must be main­tained until the fault is cleared.

Calculation of MTTF_D

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTF_D.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Fig­ure 10, the cal­cu­la­tion of MTTF_D and DC_avg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Fig­ure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Fig­ure 10).

Cal­cu­la­tion of the fail­ure rate focuses on the func­tion­al chan­nel, not on the mon­it­or­ing sys­tem, mean­ing that the fail­ure rate of the mon­it­or­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTF_D of each com­pon­ent in the func­tion­al chan­nel is cal­cu­lated and then the MTTF_D of the total chan­nel is calculated.

The Dia­gnost­ic Cov­er­age (DC_avg) is also cal­cu­lated based exclus­ively on the com­pon­ents in the func­tion­al chan­nel, so when determ­in­ing what per­cent­age of the faults can be detec­ted by the mon­it­or­ing equip­ment, only faults in the func­tion­al chan­nel are considered.

This high­lights the fact that a fail­ure of the mon­it­or­ing sys­tem can­not be detec­ted, so a single fail­ure in the mon­it­or­ing sys­tem that res­ults in the sys­tem fail­ing to detect a sub­sequent nor­mally detect­able fail­ure in the func­tion­al chan­nel will res­ult in the loss of the safety function.

The dia­gnost­ic cov­er­age (DC_avg) of the func­tion­al chan­nel shall be at least low. The MTTF_D of each chan­nel shall be low-to-high, depend­ing on the required per­form­ance level (PL_r). Meas­ures against CCF shall be applied (see Annex F).

DC_avg = LOW indic­ates that the OTE must be able to detect between 60% and 90% of the dan­ger­ous detect­able faults in the func­tion­al chan­nel. To determ­ine this, an FMEA of the func­tion­al chan­nel is required. You can also attempt to estim­ate the DC_avg using the Annexes in [1] and [2].

The check itself shall not lead to a haz­ard­ous situ­ation (e.g. due to an increase in response time). The test equip­ment may be integ­ral with, or sep­ar­ate from, the safety-related part(s) provid­ing the safety function.

Test­ing of the func­tion­al chan­nel is not per­mit­ted to inter­fere with the oper­a­tion of the func­tion­al chan­nel, and sep­ar­a­tion between the func­tion­al chan­nel and the test chan­nel is per­mit­ted, e.g., using a PLC to provide the dia­gnostics for a hard­wired func­tion­al channel.

The max­im­um PL achiev­able with cat­egory 2 is PL = d.

This is pretty clear – the upper lim­it for PL using cat­egory 2 is PL_d. If you have a look at the table in Annex K, you will find that Cat­egory 2 has an upper lim­it of 2.58 × 10^-5 fail­ures per hour (PL_a) and a lower lim­it of 5.28 × 10^-7 fail­ures per hour (PL_d).

Summing up

The next para­graph sums up the lim­its of this par­tic­u­lar architecture:

The dia­gnost­ic cov­er­age (DC_avg) of the func­tion­al chan­nel shall be at least low. The MTTF_D of each chan­nel shall be low-to-high, depend­ing on the required per­form­ance level (PL_r). Meas­ures against CCF shall be applied (see Annex F).

This is a change from the 2^nd edi­tion (2006), where DCavg was lim­ited to LOW. Now it must be at least low, i.e., >= 60%, but it can be much high­er. High­er DC is usu­ally bet­ter, but there may be unac­cept­able trade-offs in per­form­ance depend­ing on the char­ac­ter­ist­ics of your design.

MTTF_D in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­pon­ents selec­ted and the way they are applied in the design. The require­ment will be driv­en by the desired PL of the sys­tem, so a PL_d sys­tem will require HIGH MTTF_D com­pon­ents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PL_b sys­tem would require only LOW MTTF_D components.

Finally, applic­able meas­ures against Com­mon Cause Fail­ures (CCF) must be used. Some of the meas­ures giv­en in Table F.1 in Annex F of the stand­ard can­not be applied, such as Chan­nel Sep­ar­a­tion, since you can­not sep­ar­ate a single chan­nel. Oth­er CCF meas­ures can and must be applied, and so, there­fore, you must score at least the min­im­um 65 on the CCF table in Annex F to claim com­pli­ance with Cat­egory 2 requirements.

Example Circuits

Simple start-stop circuit

Here’s an example of what a simple Cat­egory 2 cir­cuit con­struc­ted from dis­crete com­pon­ents might look like. Note that PB1 and PB2 could just as eas­ily be inter­lock switches on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­pli­city, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­press­ors across all relay coils. All relays are con­sidered to be con­struc­ted with  ‘force-guided’ designs and meet the require­ments for well-tried components.

How the cir­cuit works:

1. The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­it­or­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mally closed con­tacts will be closed, so press­ing PB3 will res­ult in CR3 turn­ing on.
3. CR3 closes its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-ener­gize CR3. The time delays inher­ent in relays per­mit this to work.
4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit, the mon­it­or­ing func­tion is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a single fault is detec­ted and the machine is pre­ven­ted from re-start­ing. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redund­ant. If CR3 fails with wel­ded con­tacts, then the M rung is held open because CR3 has not de-ener­gized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­it­or­ing sys­tem, if a “force-guided” type of relay is used for CR3. If CR1 or CR2 fails with an open coil, then M can­not ener­gize because of the redund­ant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3, although these devices could be mon­itored with modi­fic­a­tions to the design of the cir­cuit. Test­ing is con­duc­ted each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment required for the sim­pli­fied meth­od, and so can­not be said to meet Cat­egory 2 require­ments if that meth­od is used. It will meet the require­ments if the cal­cu­la­tion meth­od is used.

In cal­cu­lat­ing MTTF_D, PB1, PB2, CR1, CR2, CR3 and M must be included. At first glance it would seem that CR3 should be excluded since it is in the test chan­nel, how­ever, CR3 is included because it has a func­tion­al con­tact in the M rung and is, there­fore, part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OTE channels.

Another example: Guard interlocking

This example comes from OMRON [3]. This example is a simple inter­locked mov­able guard. The machine oper­a­tion is stopped or inhib­ited when the guard is opened.

SW1 is a safety-rated lim­it switch that has a “dir­ect-drive” or “dir­ect-open­ing” mech­an­ism, denoted by the arrow-in-a-circle sym­bol next to the schem­at­ic sym­bol, and a nor­mally closed con­tact. The dir­ect open­ing mech­an­ism is a rigid link between the oper­at­ing device, in this case, a roller cam or a but­ton, and the con­tacts in the switch. If the switch con­tacts weld, the move­ment of the guard will force the con­tacts apart. This may des­troy the switch.

Examples of Applicable Control Parts

SW1: Safety lim­it switch (dir­ect-open­ing mech­an­ism)
S1: Reset switch
K1 and K2: Safety relays
KM1: Mag­net­ic contactor

Main Safety Functions

1. Mon­it­ors oper­a­tion at an appro­pri­ate inter­val using a con­trol sys­tem.
2. Mon­it­ors con­tact weld­ing using safety relays.

Operation

The cir­cuit can be reset if the guard is closed. Press­ing the RESET but­ton (S1) with the guard open will not cause the motor starter (KM1) to close because the first safety relay (K1) will not close because the power to the coil cir­cuit is cut off by SW1.

With the guard closed, SW1 is closed and power is avail­able to the K1 coil rung. Press­ing S1 will ener­gize K2 IF KM1 is OFF and K1 is OFF. 

When K2 ener­gizes, C is charged and the K2 con­tact in the K1 rung closes, ener­giz­ing K1. K1 seals in the K1 coil with the K1-NO con­tact that is par­al­lel to the K2 con­tact and opens the K2 rung with the K1-NC con­tact in that rung.

The capa­cit­or, C, in the K2 rung provides a short drop-out delay to K2.

With K2 OFF, and there­fore the K2-NC con­tact in the KM1 coil rung closed, and K1 ON, and the K1-NO con­tact in the KM1 rung closed, KM1 will ener­gize and the load will start. 

Faults

If either KM1 or K1 weld closed, the reset will fail. If KM1 is wel­ded closed, the safety func­tion is lost. If K1 is wel­ded the safety func­tion is lost. 

SW1 is not mon­itored, so this archi­tec­ture does not meet the require­ments for Cat­egory 2. Adding a second NC mon­it­or­ing con­tact to SW1 and insert­ing it into the K2 coil cir­cuit in series with the KM1 mon­it­or­ing con­tact would allow the sys­tem to mon­it­or the inter­lock switch and meet the require­ments for Cat. 2.

Note: The safety func­tion will be lost by a single fail­ure, such as a short-cir­cuit fail­ure in the input wiring.

You can find more examples in the BGIA Report 2/2008^e [4]. This doc­u­ment also offers guid­ance on the applic­a­tion of the stand­ard. Just be care­ful, since the report pred­ates the cur­rent edi­tion of the stand­ard, so there may be dif­fer­ences between the examples giv­en there and the cur­rent requirements.

References

Ref­er­ences used in MS101 posts fol­low the IEEE ref­er­en­cing meth­od. See the guide pos­ted on IEEE Data-port for more information.

[1] Inter­na­tion­al Organ­iz­a­tion for Stand­ard­iz­a­tion (ISO). Safety of machinery — Safety-related parts of con­trol sys­tems — Part 1: Gen­er­al prin­ciples for design. ISO 13849 – 1. 2015.

[2] Inter­na­tion­al Organ­iz­a­tion for Stand­ard­iz­a­tion (ISO). Safety of machinery — Safety-related parts of con­trol sys­tems — Part 2: Val­id­a­tion. ISO 13849 – 2. 2012.

[3] “Safety Cir­cuit Examples of Safety Com­pon­ents | Tech­nic­al Guide | Aus­tralia | Omron IA”, Omron.com.au, 2019. [Online]. Avail­able: http://www.omron.com.au/service_support/technical_guide/safety_component/safety_circuit_example.asp. [Accessed: 21- Nov- 2019].

[4] BGIA – Insti­tute for Occu­pa­tion­al Safety and Health of the Ger­man Social Acci­dent Insur­ance, “Report 2/2008^e — Func­tion­al safety of machine con­trols — Applic­a­tion of EN ISO 13849”, Ger­man Social Acci­dent Insur­ance (DGUV), Ber­lin, 2019.

Read about Cat­egory 1

Read about Cat­egory 3

Series Nav­ig­a­tion

Inter­lock Archi­tec­tures – Pt. 2: Cat­egory 1Inter­lock Archi­tec­tures – Pt. 4: Cat­egory 3 – Con­trol Reliable