Interlock Architectures – Pt. 4: Category 3 — Control Reliable

Category 3 Architecture Logic Block Diagram
This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to “Control Reliable” circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we’ll get to that in a subsequent post. If you haven’t read the first three posts in this series, you may want to go back and review them, as the concepts in those articles are the basis for the discussion in this post.

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single- or multiple-fault tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06-1999, CSA Z434-03 or EN 954-1:95, rely primarily on the structure or architecture of the circuit, and on the characteristics of the components selected for use. ISO 13849-1 uses the same basic architectures defined by EN 954-1:95, and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety Related Parts of the Control System”.


6.2.6 Category 3

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.

NOTE 3 Category 3 system behaviour allows that

  • when the single fault occurs the safety function is always performed,
  • some but not all faults will be detected,
  • accumulation of undetected faults can lead to the loss of the safety function.

NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.


Breaking it down

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

  • The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
  • “well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well-tried safety principles” and NOT “well-tried components”. The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. Requirements from these standards, such as the use of “direct-drive” contacts, improve the fault tolerance of the component, and so benefit the design in the end. These improvements are generally reflected in the B10d or MTTFd of the component, and are points that inspectors will commonly look for, since they are easy to spot in the field: “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence states the requirement for single-fault tolerance: the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: in order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excepted. I’ll get into fault exceptions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “Whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off-the-shelf (COTS) component available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since it is typically the simplest way), or before the demand occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DCavg, we need to look first at Table 6:

ISO 13849-1:06 Table 6

Diagnostic Coverage (DC)

Denotation   Range
None         DC < 60%
Low          60% <= DC < 90%
Medium       90% <= DC < 99%
High         99% <= DC

NOTE 1 For SRP/CS consisting of several parts an average value DCavg for DC is used in Figure 5, Clause 6 and E.2.

NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 - DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 - DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called “none”. A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DCavg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E1. Using the factors in Table E1, score the design. If you end up in the desired range between 60% and 90% DC coverage, you can move on. If not, the design will require modification to bring it into this range.
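As an added worked example (not code from the original post, and not published by ISO), here is the arithmetic that sits behind the Table 6 banding, in Python. ISO 13849-1 Annex E defines DCavg as the sum of each part's DC divided by its MTTFd, divided by the sum of 1/MTTFd over the same parts, so a part with a short MTTFd pulls the average toward its own DC. The part names, MTTFd values and DC figures below are constructed for illustration; they are not values taken from Table E1 or from any manufacturer's data sheet.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Part:
    """One component of the SRP/CS and the DC its test achieves (constructed values)."""
    name: str
    mttfd_years: float   # mean time to dangerous failure of this part, in years
    dc: float            # diagnostic coverage of the test applied to it, 0.0 .. 1.0


def dc_avg(parts: List[Part]) -> float:
    """Annex E average: sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    if not parts:
        raise ValueError("an SRP/CS needs at least one part")
    for p in parts:
        if p.mttfd_years <= 0 or not 0.0 <= p.dc <= 1.0:
            raise ValueError(f"bad data for {p.name}")
    weighted = sum(p.dc / p.mttfd_years for p in parts)
    weight = sum(1.0 / p.mttfd_years for p in parts)
    return weighted / weight


def dc_band(dc: float) -> str:
    """Table 6 denotation for a DC given as a fraction (0.665 -> 'low')."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def near_band_border(dc: float, tolerance: float = 0.05) -> bool:
    """Table 6 NOTE 2 treats the borders as accurate to about 5 %; flag results that close."""
    return any(abs(dc - border) < tolerance for border in (0.60, 0.90, 0.99))


# Constructed two-channel gate interlock: one switch per channel and two output
# contactors. The switch DC assumes the two channels are checked against each
# other; the contactor DC assumes mirror-contact feedback in the reset loop.
MONITORED_INPUTS = [
    Part("B1 gate switch, channel 1", mttfd_years=40.0, dc=0.60),
    Part("B2 gate switch, channel 2", mttfd_years=40.0, dc=0.60),
    Part("K3 contactor, channel 1", mttfd_years=200.0, dc=0.99),
    Part("K4 contactor, channel 2", mttfd_years=200.0, dc=0.99),
]

# Same hardware, but nothing compares the two switches, so their DC is zero.
UNMONITORED_INPUTS = [
    Part("B1 gate switch, channel 1", mttfd_years=40.0, dc=0.0),
    Part("B2 gate switch, channel 2", mttfd_years=40.0, dc=0.0),
    Part("K3 contactor, channel 1", mttfd_years=200.0, dc=0.99),
    Part("K4 contactor, channel 2", mttfd_years=200.0, dc=0.99),
]


def assess(parts: List[Part]) -> Tuple[float, str, bool]:
    """Return (DCavg, Table 6 band, near-border flag) for a set of parts."""
    avg = dc_avg(parts)
    return avg, dc_band(avg), near_band_border(avg)


if __name__ == "__main__":
    for label, parts in (("monitored inputs", MONITORED_INPUTS),
                         ("unmonitored inputs", UNMONITORED_INPUTS)):
        avg, band, borderline = assess(parts)
        note = " (near a border, check the inputs)" if borderline else ""
        print(f"{label}: DCavg = {avg:.1%} -> {band}{note}")
```

With the constructed figures the monitored design lands at 66.5% (low), while leaving the two gate switches uncompared drags DCavg down to 16.5% (none), even though the contactors are fully monitored: the short-MTTFd switches carry most of the weight. When every part has the same MTTFd the formula collapses to a plain average of the DC values.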

The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr.

This sentence reminds you that your component selections matter. Depending on the PLr you are trying to achieve, you will need to choose components with suitable MTTFd ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PLs, all the way from PLa through PLe!

ISO 13849-1 Figure 5

If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for your design to meet Category 3 architecture, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed, either simultaneously or at different times, due to overloading because they were undersized, this could be considered a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must score at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.

The Notes

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PLr on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation “Type-C” comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won’t find it used, because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL level you need.

The Block Diagram

Let’s have a look at the functional block diagram for this Category.

ISO 13849-1 Figure 11

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason for using two physically separate input devices to sense the guard position, or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and the other does not.

If you want to learn more about applying the block diagramming method to your design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

Circuit Diagram

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101, nor I, have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P – June 2011, p.6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

Emergency Stop Subsystem

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis are required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

Gate Interlock Subsystem

The gate interlock circuit is located in the center of the diagram, and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point — did you notice that there is a “zone e-stop” included in the gate interlock? If you look immediately below the central safety relay and a little to the left you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can’t distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.

Safety Mat Subsystem

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single or dual channel in design. The mat shown in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6, are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn’t rely on the safety relay.

One more thing — just like the gate interlock circuit, this circuit also includes a “zone e-stop”. Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can’t tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.
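To make the monitoring behaviour described above for the gate interlock and the safety mat concrete, here is an added Python model of a generic dual-channel safety relay. It is not the 440R logic and not code from the original post. The 500 ms discrepancy window, the “test-pulse source” tags used to represent a cross-channel short, the rule that a latched input fault clears only after both channels have been seen open, and the scenarios at the end are all constructed modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed synchronisation window for the two input channels; real relays
# specify their own (often configurable) value. 500 ms is a constructed figure.
DISCREPANCY_LIMIT_MS = 500


@dataclass
class Inputs:
    """One sample of what the relay sees at its terminals (constructed model)."""
    ch1_closed: bool               # channel 1 loop closed (gate switch 1 / mat pair 1)
    ch2_closed: bool               # channel 2 loop closed (gate switch 2 / mat pair 2)
    ch1_source: str = "T1"         # test-pulse source returned on channel 1; "T1" expected
    ch2_source: str = "T2"         # "T2" expected; a shorted mat returns one source on both
    edm_loop_closed: bool = True   # S34 reset loop through the contactors' NC mirror contacts
    reset_pressed: bool = False


class DualChannelSafetyRelay:
    """Simplified two-channel input monitoring plus contactor feedback (EDM)."""

    def __init__(self) -> None:
        self.outputs_on = False                    # safety outputs driving K3/K4
        self.latched_fault: Optional[str] = None   # input fault that blocks reset
        self.trip_reason: Optional[str] = None     # why the outputs last dropped
        self._discrepancy_ms = 0

    def step(self, inp: Inputs, dt_ms: int) -> bool:
        both_closed = inp.ch1_closed and inp.ch2_closed
        cross_short = both_closed and inp.ch1_source == inp.ch2_source

        # Safety function first: either channel opening drops the outputs at once.
        if not both_closed and self.outputs_on:
            self.outputs_on = False
            self.trip_reason = "channel open"

        # Mat pressed: the two channels are shorted together, so the same test
        # pulses come back on both inputs. Trips, and blocks reset while present.
        if cross_short:
            self.outputs_on = False
            self.trip_reason = "cross-channel short"

        # Discrepancy monitoring: one channel changed state and the other did not.
        if inp.ch1_closed != inp.ch2_closed:
            self._discrepancy_ms += dt_ms
            if self._discrepancy_ms > DISCREPANCY_LIMIT_MS and self.latched_fault is None:
                self.latched_fault = "input discrepancy"
        else:
            self._discrepancy_ms = 0

        # Modelling assumption: a latched input fault clears only once both
        # channels have been seen open together (the guard was fully cycled).
        if not inp.ch1_closed and not inp.ch2_closed:
            self.latched_fault = None

        # Reset is refused unless everything monitored is healthy: both channels
        # closed, no cross short, no latched fault, and the EDM loop proving
        # that the output contactors really dropped out.
        if (inp.reset_pressed and both_closed and not cross_short
                and self.latched_fault is None and inp.edm_loop_closed):
            self.outputs_on = True
            self.trip_reason = None
        return self.outputs_on


def scenario_gate_cycle() -> Tuple[bool, bool, Optional[str]]:
    """Healthy gate: channel 1 opens 100 ms before channel 2, no fault expected."""
    r = DualChannelSafetyRelay()
    r.step(Inputs(True, True, reset_pressed=True), 10)
    on_after_reset = r.outputs_on
    r.step(Inputs(False, True), 100)                      # first switch opens
    off_on_first_channel = not r.outputs_on
    r.step(Inputs(False, False), 10)                      # second switch follows
    return on_after_reset, off_on_first_channel, r.latched_fault


def scenario_stuck_channel() -> Tuple[Optional[str], bool]:
    """Switch 2 never opens (broken key, defeated switch): fault latches, reset refused."""
    r = DualChannelSafetyRelay()
    r.step(Inputs(True, True, reset_pressed=True), 10)
    for _ in range(6):                                    # 600 ms with channel 2 closed
        r.step(Inputs(False, True), 100)
    fault = r.latched_fault
    r.step(Inputs(True, True, reset_pressed=True), 10)    # gate closed, reset attempted
    return fault, r.outputs_on


def scenario_welded_contactor() -> bool:
    """A welded contactor holds its mirror contact open, so the reset loop stays open."""
    r = DualChannelSafetyRelay()
    return r.step(Inputs(True, True, edm_loop_closed=False, reset_pressed=True), 10)


def scenario_mat_pressed() -> Tuple[bool, Optional[str]]:
    """Stepping on the mat shorts channel 1 to channel 2."""
    r = DualChannelSafetyRelay()
    r.step(Inputs(True, True, reset_pressed=True), 10)
    r.step(Inputs(True, True, ch1_source="T1", ch2_source="T1"), 10)
    return r.outputs_on, r.trip_reason
```

The four scenarios map onto the points made in the text: a normal gate cycle trips the outputs on the first channel and raises no fault; a channel that never follows the other is the only way the relay can see a switch failure, and once latched it keeps the reset from succeeding; a contactor that has welded shows up in the S34 reset loop and blocks the reset; and a mat being pressed is seen as the two channels shorted together.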

Component Selection

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTFd of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.

What did you think about this article? What questions came to mind that weren’t answered for you? I look forward to hearing your thoughts and questions!

Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.