
Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories

Columns (left to right): Category; Summary of requirements; System behaviour; Principle used to achieve safety; MTTFd of each channel; DCavg; CCF.

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06

Columns (left to right): Category; CSA Z432-04 / Z434-03 summary of requirements; System behaviour; Principle used to achieve safety; RIA R15.06-1999 summary of requirements.

ALL
  CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA R15.06-1999: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (2)
    (2) These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1). They are different. The committee believes that the criteria in 4.5.1 – 4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

SIMPLE
  CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
    Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06-1999: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA Z432-04 / Z434-03: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06-1999: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state).

SINGLE CHANNEL WITH MONITORING
  CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
       i) at machine start-up; and
       ii) periodically during operation (preferably at each change in state).
    b) The check shall either
       i) allow operation if no faults have been detected; or
       ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA R15.06-1999: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
       1) at machine start-up, and
       2) periodically during operation;
    b) The check shall either:
       1) allow operation if no faults have been detected, or
       2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized primarily by structure.
  RIA R15.06-1999: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note: ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.
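The systems-versus-circuits distinction, and the Category 3 / control reliable behaviour in the tables above (single fault tolerated, accumulated undetected faults can lose the function), can be made concrete with a small model. What follows is an added illustration written for this post, not code from the article or from any of the standards; the Switch, Channel and Interlock names and the two fault types (a welded relay contact inside one circuit, a jammed actuator on the device itself) are constructed assumptions. It wires a dual-channel interlock with discrepancy monitoring once to a single device shared by both circuits (the RIA “circuits” reading) and once to two separate devices on the guard (the CSA “control systems” reading), and reports which faults still give a stop and which are seen by the monitoring.

```python
# Constructed model of a dual-channel guard interlock with discrepancy monitoring
# (ISO 13849-1 Category 3 / CSA "control reliable" style). Added illustration only.
from dataclasses import dataclass

@dataclass
class Switch:
    """Interlock device on the guard: contact closed while the guard is closed.
    A mechanical fault (jammed actuator, welded contact) holds it closed."""
    stuck_closed: bool = False

    def closed(self, guard_closed: bool) -> bool:
        return True if self.stuck_closed else guard_closed

@dataclass
class Channel:
    """One circuit from a device to the safety logic; 'welded' models a
    fault inside this circuit only (e.g. a welded relay contact)."""
    switch: Switch
    welded: bool = False

    def closed(self, guard_closed: bool) -> bool:
        return True if self.welded else self.switch.closed(guard_closed)

class Interlock:
    """Run is enabled only when both channels report the guard closed. A
    discrepancy between channels latches a fault that forces and holds the
    safe state until it is explicitly cleared."""
    def __init__(self, ch_a: Channel, ch_b: Channel) -> None:
        self.a, self.b, self.fault_latched = ch_a, ch_b, False

    def evaluate(self, guard_closed: bool) -> dict:
        a, b = self.a.closed(guard_closed), self.b.closed(guard_closed)
        if a != b:                      # cross-monitoring sees the fault
            self.fault_latched = True
        return {"stop": self.fault_latched or not (a and b),
                "fault_detected": self.fault_latched}

    def clear_fault(self) -> None:      # assumes the fault was repaired
        self.fault_latched = False

def open_guard_demand(ch_a: Channel, ch_b: Channel) -> dict:
    """One demand on the safety function: the guard is opened with the given
    faults present. Reports whether a stop results and whether it was seen."""
    return Interlock(ch_a, ch_b).evaluate(guard_closed=False)

def single_device_wiring(stuck: bool) -> dict:
    """RIA 'circuits' reading: one device, two redundant circuits to it."""
    device = Switch(stuck_closed=stuck)
    return open_guard_demand(Channel(device), Channel(device))

def two_device_wiring(stuck_a: bool) -> dict:
    """CSA 'control systems' reading: two separate devices on the guard."""
    return open_guard_demand(Channel(Switch(stuck_closed=stuck_a)),
                             Channel(Switch()))
```

With a single shared device, a jammed actuator is a common-cause fault: both circuits read “closed”, the monitoring sees no discrepancy, and the stop is lost on a single fault; with two devices the same fault affects one channel only, so the stop still occurs and the fault is latched.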

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. The updates introduced in the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the TCs were referring to are the same “well-tried safety principles” and “well-tried components” as referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment – Safety Requirements – Part 1 – Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011-2012
Acknowledgements: See references listed at end of article.
Some Rights Reserved