Interlock Architectures – Pt. 4: Category 3 — Control Reliable

This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to "Control Reliable" circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we'll get to that in a subsequent post. If you haven't read the first three posts in this series, you may want to go back and review them, as the concepts in those articles are the basis for the discussion in this post.

So what is "Control Reliable" anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term "Control Reliable" means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single- or multiple-fault tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06-1999, CSA Z434-03 or EN 954-1:95, rely primarily on the structure or architecture of the circuit and the characteristics of the components selected for use. ISO 13849-1 uses the same basic architectures defined by EN 954-1:95 and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let's look at the definition for Category 3 systems. Remember that "SRP/CS" means "Safety Related Parts of the Control System".


6.2.6 Category 3

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.

NOTE 3 Category 3 system behaviour allows that

  • when the single fault occurs the safety function is always performed,
  • some but not all faults will be detected,
  • accumulation of undetected faults can lead to the loss of the safety function.

NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.


Breaking it down

Let's take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

  • The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
  • "well-tried safety principles" must be used in the design.

It's important to note here that we are talking about "well-tried safety principles" and NOT "well-tried components". The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of "direct-drive" contacts, improve the fault tolerance of the component and so benefit the design in the end. These improvements are generally reflected in the B10d or MTTFd of the component, and are points that inspectors will commonly look for because they are easy to spot in the field: "safety-rated components" often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence makes the requirement for single-fault tolerance. This means that the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more "gotcha" from this sentence: in order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excluded. I'll get into fault exclusions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase "Whenever reasonably practicable" means that your design needs to be able to detect single faults unless it would be "unreasonable" to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off-the-shelf (COTS) component available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it's done, since it is typically the simplest way) or before it occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DCavg, we need to look first at Table 6:

ISO 13849-1:06 Table 6

Diagnostic Coverage (DC)

Denotation   Range
None         DC < 60%
Low          60% <= DC < 90%
Medium       90% <= DC < 99%
High         99% <= DC

NOTE 1 For SRP/CS consisting of several parts an average value DCavg for DC is used in Figure 5, Clause 6 and E.2.

NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 − DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 − DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called "none". A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DCavg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E.1. Using the factors in Table E.1, score the design. If you end up in the desired range between 60% and 90% DC, you can move on. If not, the design will require modification to bring it into this range.

The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr.

This sentence reminds you that your component selections matter. Depending on the PLr you are trying to achieve, you will need to choose components with suitable MTTFd ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PLs, all the way from PLa through PLe!

ISO 13849-1 Figure 5

If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for the architecture of your design to meet Category 3, CCF measures are required. I've discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed, either simultaneously or at different times, due to overloading because they were undersized, this could be considered a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must score at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.

The Notes

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PLr on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation "Type-C" comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won't find it used, because the concept doesn't exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you're halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL you need.

The Block Diagram

Let's have a look at the functional block diagram for this Category.

ISO 13849-1 Figure 11

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason requiring the use of two physically separate input devices to sense the guard position, or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and the other does not.

If you want to learn more about applying the block diagramming method to your design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

Circuit Diagram

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don't feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101 nor I have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P, June 2011, p.6.

If you're interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

Emergency Stop Subsystem

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis are required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

Gate Interlock Subsystem

The gate interlock circuit is located in the center of the diagram and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point — did you notice that there is a "zone e-stop" included in the gate interlock? If you look immediately below the central safety relay and a little to the left, you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can't distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.
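To make the behaviour described for the block diagram and the gate interlock subsystem concrete, here is a small simulation of a dual-channel safety relay of the Category 3 type: two redundant input channels (the two gate switches), cross-monitoring that flags a channel that did not change state, and monitoring of the output contactors K3/K4 through the reset loop so that a reset is refused when a contactor has not dropped out. This is an added illustration written for this post, not code from the article, from Rockwell or from any relay's firmware; the scan-based discrepancy window, the fault texts and the scenario functions are assumptions made for the example. It walks through three cases: normal operation, one gate switch stuck closed, and a contactor that welds while running.

```python
"""Simplified model of a dual-channel, Category 3 style safety relay circuit.

Constructed illustration, not vendor code: two redundant input channels
(CH1/CH2, e.g. the two gate switches), cross-monitoring of the channels for
discrepancy, and monitoring of the output contactors (K3/K4) through the
reset loop. The discrepancy window and fault texts are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed: scan cycles the two channels may disagree before a fault is latched.
DISCREPANCY_LIMIT = 3


@dataclass
class Contactors:
    """Models output contactors K3 and K4 and their mirror (N.C.) contacts."""
    k3_welded: bool = False
    k4_welded: bool = False

    def feedback_closed(self, relay_outputs_on: bool) -> bool:
        # The mirror contacts are wired in series in the reset loop, so the loop
        # is closed only when BOTH contactors have actually dropped out.
        k3_dropped = not relay_outputs_on and not self.k3_welded
        k4_dropped = not relay_outputs_on and not self.k4_welded
        return k3_dropped and k4_dropped


@dataclass
class SafetyRelay:
    outputs_on: bool = False
    fault: Optional[str] = None
    discrepancy_cycles: int = 0

    def evaluate(self, ch1_closed: bool, ch2_closed: bool,
                 feedback_closed: bool, reset_pressed: bool) -> bool:
        """One scan of the relay logic; returns the new output state."""
        # A latched fault clears only in the fully safe state: guard open on
        # BOTH channels (a stuck-closed channel keeps the fault latched) and
        # both contactors proven dropped out by the feedback loop.
        if self.fault and not ch1_closed and not ch2_closed and feedback_closed:
            self.fault = None
            self.discrepancy_cycles = 0

        # Single-fault tolerance: either channel opening drops the outputs, so
        # one switch that fails closed cannot keep the machine running.
        if not (ch1_closed and ch2_closed):
            self.outputs_on = False

        # Cross-monitoring: an input fault is only visible as one channel
        # changing state while the other does not, beyond the window.
        if ch1_closed != ch2_closed:
            self.discrepancy_cycles += 1
            if self.discrepancy_cycles > DISCREPANCY_LIMIT:
                self.fault = "input discrepancy: one channel did not change state"
        else:
            self.discrepancy_cycles = 0

        # Reset is honoured only while monitoring is healthy: no latched fault,
        # both channels closed, and the feedback loop closed.
        if reset_pressed and not self.outputs_on and self.fault is None:
            if not feedback_closed:
                self.fault = "feedback loop open: a contactor did not drop out"
            elif ch1_closed and ch2_closed:
                self.outputs_on = True
        return self.outputs_on


def scan(relay, kk, ch1, ch2, reset=False):
    """Feed the relay one scan, reading the feedback loop from the contactors."""
    return relay.evaluate(ch1, ch2, kk.feedback_closed(relay.outputs_on), reset)


def scenario_normal():
    """Gate closed + reset runs; opening the gate stops; close + reset restarts."""
    relay, kk = SafetyRelay(), Contactors()
    return (scan(relay, kk, True, True, reset=True),
            scan(relay, kk, False, False),
            scan(relay, kk, True, True, reset=True),
            relay.fault)


def scenario_stuck_channel():
    """CH1 switch stuck closed (broken key or defeated switch); gate is opened."""
    relay, kk = SafetyRelay(), Contactors()
    scan(relay, kk, True, True, reset=True)
    states = [scan(relay, kk, True, False) for _ in range(DISCREPANCY_LIMIT + 1)]
    restart = scan(relay, kk, True, True, reset=True)   # gate closed again, reset
    return states, relay.fault is not None, restart


def scenario_welded_contactor():
    """K3 welds while running; the feedback loop must block the next reset."""
    relay, kk = SafetyRelay(), Contactors()
    scan(relay, kk, True, True, reset=True)
    kk.k3_welded = True
    stopped = scan(relay, kk, False, False)             # K4 alone still opens the load
    restart = scan(relay, kk, True, True, reset=True)   # refused: feedback loop open
    return stopped, restart, relay.fault


if __name__ == "__main__":
    print("normal:", scenario_normal())
    print("stuck channel:", scenario_stuck_channel())
    print("welded contactor:", scenario_welded_contactor())
```

In the stuck-channel case the outputs drop on the first scan because CH2 opened, which is the single-fault tolerance the standard asks for; the discrepancy then latches a fault, and because CH1 never opens, the fault never clears and the machine cannot be restarted until the switch is repaired. In the welded-contactor case the relay's own outputs open and K4 still breaks the load, but the mirror contact of K3 holds the reset loop open, so the reset is refused rather than running on a single remaining contactor.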

Safety Mat Subsystem

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single- or dual-channel in design. The mat shown in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6, are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn't rely on the safety relay.

One more thing — just like the gate interlock circuit, this circuit also includes a "zone e-stop". Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can't tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.

Component Selection

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTFd of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.

What did you think about this article? What questions came to mind that weren't answered for you? I look forward to hearing your thoughts and questions!

Copyright secured by Digiprove © 2011–2018
Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved

Hockey Teams and Risk Reduction or What Makes Roberto Luongo = PPE

This entry is part 1 of 3 in the series Hierarchy of Controls

Special Co-Author, Tom Doyle

Last week we saw the Boston Bruins earn the Stanley Cup. I was rooting for the green, blue and white, and the ruin of my voice on Thursday was ample evidence that no amount of cheering helped. While I was watching the game with friends and colleagues, I realized that Roberto Luongo and Tim Thomas were their respective teams' PPE*. Sound odd? Let me explain.

Risk Assessment and the Hierarchy of Controls

Equipment designers need to understand OHS* risk. The only proven method for understanding risk is risk assessment. Once that is done, the next play in the game is the reduction of risks by eliminating hazards wherever possible and controlling those that remain.

Control comes in a couple of flavours:

  • Hazard modification to reduce the severity of injury, or
  • probability modification to reduce the probability of a worker coming together with the hazard.

These ideas have been formalized in the Hierarchy of Controls. Briefly, the Hierarchy starts with hazard elimination or substitution, and flows down through engineering controls, information for use, administrative controls and finally PPE. As you move down through the Hierarchy, the effectiveness and the reliability of the measures decline.

It's important to recognize that we haven't done a risk assessment in writing this post. This step was skipped for the purpose of this example; to apply the hierarchy correctly, you MUST start with a risk assessment!

So how does this relate to Hockey?

Hockey and the Hierarchy of Controls

Hazard Identification and Exposure to Risk

If we consider the goal as the worker (the thing we don't want "injured"), the puck as the hazard, and the act of scoring a goal as the act of injuring a person, then the rest quickly becomes clear.

Level 1: Hazard Elimination

By definition, if we eliminate the puck, we no longer have a game. We just have a bunch of big guys skating around in cool jerseys with sticks, maybe having a fight or two because they're bored or just don't know what else to do. Since we want to have a game, either to play or to watch, we have to allow the risk of injury to exist. We could call this the "intrinsic risk", as it is the risk that exists before we add any controls.

Level 2: Hazard Substitution

The Center and the Wingers (collectively the "Forwards" or the "Offensive Line") act as hazard "substitution". We've already established that elimination of the hazard results in the loss of the intended function: no puck, no game. The forwards only let the other team have the puck on rare occasion, if they're playing well. This is a great idea, but still a little too optimistic after all. Both teams are trying to get the puck in the opposing net and both teams have qualified to play the final game. If they fail to keep the puck beyond the other team's blue line, or at least beyond the center line, then the next layer of protection kicks in, with the Defensive Line.

Level 3: Engineering Controls

As the puck moves down the ice, the Defensive Line engages the approaching puck, attempting to block access to the area closer to the goal. They act as a movable barrier between the net and the puck. They will do whatever is necessary to keep the hazard from coming in contact with the net. As engineering controls, their coordination and positioning are critical in ensuring success.

The system will fail if the controls have poor:

  • positioning,
  • choice of materials (players),
  • timing, etc.

These risk controls fail regularly, so they are less desirable than having the Forward Line handle Risk Control.

Level 4: Information for Use and Awareness Means

In a hockey game, the information for use is the rule book. This information tells players, coaches, and officials how the game is to be played, and what the intended use of the game should be. Activities like spearing, tripping, and blind-side checks are not permitted.

The awareness means are provided by the roar of the fans. As the puck heads for the home team's goal, the home fans will roar, letting the team know, if they don't know already, that the goal is at risk from the puck. Hopefully the defensive line can react in time and get between the puck and the net.

Level 5: Administrative Controls

Information for use from the previous step is the basis for all the following controls. The team's coaches, or "supervisors", use this information to give training in the form of hockey practice. The Forward Line and Defensive Line could be considered the Suppliers and Users. They all need to know what to do to avoid hazardous situations, and what to do when one arises, to reduce the number of potential failures.

A "Permit to Work" is given to the players by the coach when they form the lines. The coach ensures that the right people are on the ice for each set of circumstances, deciding when line changes happen as the game progresses, adapting the people permitted to work to the specific conditions on the ice.

Level 6: Personal Protective Equipment (PPE)

All of this brings me to Roberto Luongo and Tim Thomas. So how is a Goalie like PPE?

Goalies are the "last-ditch" protection. It's clear that the first 5 levels of the hierarchy don't always work, since every type of control, even hazard elimination, has failure modes. To give a bit of backup, we should make sure that we add extra protection in the form of PPE.

The puck wasn't eliminated, since having a hockey game is the point, after all. The puck wasn't kept distant by the Forward Line. The Defensive Line failed to maintain safe distance between the goal and the puck, and now all that is left is the goalie (or your protective eyewear, boots, hardhat, or whatever). In the 2011 Stanley Cup Final game, Luongo equaled long pants and long sleeves, while Thomas equaled a suit of armour. The Bruins' "PPE" afforded superior protection in this case.

As anyone who has used protective eyewear knows, particles can get by your eyewear. There are lots of factors, including how well they fit, whether you're wearing them (properly or at all!), etc. If the gear is fitted and used properly by a person who understands WHY and HOW to use the equipment, then the PPE is more like Tim Thomas, and you may be able to "shut out" injury. Most of the time. Remember that even Tim Thomas misses stopping some shots on goal and the other guys can still score.

When your PPE doesn't fit properly, isn't selected properly, is worn out (or psyched out as the case may be), or isn't used properly, then it's more like Roberto Luongo. Sometimes it works perfectly, and life is good. Sometimes it fails completely and you end up injured or worse.

Goalies are also like PPE because they are RIGHT THERE, right before injury will occur. PPE is RIGHT THERE, protecting you: 5 mm from the surface of your eye, or in your ear, 2 mm from your ear drum. By this point the harmful energy is RIGHT THERE, ready to hurt you, and injury is imminent. A simple misplacement or bad fit condition and you're blinded or deaf or… well, you get the idea!

On Wednesday night, 15-Jun-2011, everything failed for the Vancouver Canucks. The team's spirit was down, and they went into the game thinking "We just don't want to lose!" instead of Boston's "We're taking that Cup home!". Even the touted Home Ice Advantage wasn't enough to psych out the Bruins, and in the end I think it turned on the Canucks as the fans realized that the game was lost. The warnings failed, the guards failed, and the PPE failed. Somebody got hurt, and unfortunately for Canadian fans, it was the Canucks. Luckily it wasn't a fatality! Even being #2 in the NHL is a long stretch better than filling a cooler drawer in the morgue.

So the next time you're setting up a job, an assembly line, a new machine, or a new workplace, check out your team and make sure that you've got the right players on the ice. You only get one chance to get it right. Sure, you can change the lines and upgrade when you need to, but once someone scores a goal, you have an injured person and bigger problems to deal with.

Special thanks to Tom Doyle for his contributions to this post!

*PPE: Personal Protective Equipment; OHS: Occupational Health and Safety

Why you should stop using the term ‘Deadman’

The Deadman Control

Do you use the phrase 'deadman' or 'deadman switch' when talking about safety-related controls on your machinery? I often run into this when I'm working with clients who use the terms to refer to 'enabling devices' — you know, those two- or three-position switches that are found on robot teaching pendants and in other applications to give the operator a way to stop machinery, even if they have already been injured or killed by the equipment. Calling these devices a 'Deadman Switch', or even a 'Live-Man Switch' as the three-position devices are sometimes called, sends entirely the wrong message to the user as far as I'm concerned. The objective of our work as machinery safety engineers is to prevent injuries from happening in the first place. Using a device that is designed to determine if the user is dead or unconscious means someone screwed up!

A little history

The term 'deadman' comes from a device that was developed in the 1880s by pioneering electrical engineer Frank Sprague. Sprague was working on electric traction motor technology, using these new machines to power street railways (streetcars) and electric elevators. The early DC motor controls used in both streetcars and elevators required an operator. The operator used a hand control to move the streetcar forward or backward along the track and to control the speed of the car. In elevators, the operator used a similar hand control to move the elevator car up or down the shaft, to control the speed and to stop at the appropriate floor.

1920s era Westinghouse Streetcar Controller

If the operator were to doze off or fall unconscious, the streetcar would simply continue on its way until it hit something or derailed, either being a poor option! Elevators would continue until they hit the top or bottom of the shaft, again a bad idea. Sprague included a control device in his designs that required the operator to keep his hand on the controller handle and to maintain pressure on the control device in order for power to flow to the motor. This same idea was implemented in manual elevator control handles. These ideas were adopted by Westinghouse when they developed the streetcar motor controllers that were used in thousands of streetcars running between the 1890s and the 1930s.

When diesel-electric and fully electric locomotives were developed in the 1930s, the concept of the 'deadman' control was adopted from street railways. There is a persistent myth that these controls started with steam locomotives. In fact, an earlier version of this article included that myth — now busted!

A 'deadman' pedal in a diesel-electric railway locomotive

With the advent of electric trams, trains, and subways, concerns about possibilities like heart attacks and other infirmities resulting in drivers losing control of these machines caused these devices to be integrated into these new transportation systems. To learn more about these applications, see the Wikipedia article Dead Man's Switch.

It's worth noting that the railways now call these devices 'Driver Safety Devices' or DSD. See a modern DSD at the Arrowvale Electronics web site.

Elevators moved from manual control to automatic control, eliminating the need for elevator operators and the need for 'deadman' controls.

Robots Enter the Picture

Motoman robot pendant enabling device
Motoman pen­dant with show­ing enabling device (red arrow)

In the 1980’s, indus­tri­al robots began to appear in the work­place. Acci­dents in these ear­ly days drove changes in the design of the con­trol pen­dants used to ‘teach’ these devices their tasks. Ear­ly pen­dants pro­vid­ed motion con­trol and an emer­gency stop device. Lat­er, the motion con­trols were altered to become ‘hold-to-run’ devices that could jog the select­ed robot axis at a pre-select­ed slow-speed, one axis at a time. In the 90’s the ‘enabling device’ was added to the pen­dant. These two-posi­tion switch­es, still called ‘dead-man switch­es’, had to be held closed in order for the robot to move under con­trol of the axis hold-to-run con­trols. Acci­dents con­tin­ued to occur. In the mid 90’s the three-posi­tion enabling device, some­times called a ‘live-man-switch’, was intro­duced after stud­ies showed that some peo­ple would release their grip on the con­trol pen­dant when struck by the robot, while oth­ers would clench the hand hold­ing the pen­dant. The new switch­es are required to be held in the mid posi­tion to enable motion. The pic­ture at left shows the back of a mod­ern robot pen­dant. The black bar in the low­er right is the enabling device, locat­ed so that your hand will nat­u­ral­ly hold the device in the cor­rect posi­tion when you hold the pen­dant in your left hand. Not so good if you are left-hand­ed!

ABB IRB640 Robot Pendant

Euchner ZS Switches

In addition to the pendant enabling devices, additional enabling devices are required where more than one worker is required inside the danger zone of the machine. These devices can be purchased separately and added to systems as needed. Depending on the application, you can get these devices with emergency stop buttons and jog buttons integrated into a single unit, as shown in the picture of the Euchner ZS switches.

Machinery Standards and Definitions

The enabling device is one of those protective measures that cannot be readily classified as a safeguarding device, because it does not proactively prevent injury. Instead, like an emergency stop, it may allow a worker to avert or limit harm that is already occurring. That places the enabling device in the ‘complementary protective measure’ category.

Let’s take a minute to look at a couple of important definitions from the machinery standards. At the moment, the best definition for a complementary protective measure comes from the Canadian standard, CSA Z432-04. Excerpted from CSA Z432-04, § Complementary Protective Measures:

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Let’s also look at the formal definition of an ‘enabling device’ in the same standard:

7.23.3 Enabling devices
An enabling device is an additional manually operated 2- or 3-position control device used in conjunction with a start control and which, when continuously actuated in one position only, allows a machine to function. In any other position, motion is stopped or a start is prevented.
Enabling devices shall have the following features:

a) They shall be connected to a Category 0 or a Category 1 stop (see NFPA 79).

b) They shall be designed in accordance with ergonomic principles:

(i) position 1 is the off function of the switch (actuator is not operated);

(ii) position 2 is the enabling function (actuator is operated); and

(iii) position 3 (if used) is the off function of the switch (actuator is operated past its mid position).

c) Three-position enabling devices shall be designed to require manual operation in order to reach position 3.

d) When returning from position 3 to position 2, the function shall not be enabled.

e) An enabling device shall automatically return to its off function when its actuator is not manually held in the enabling position.

Note: Tests have shown that human reaction to an emergency may be to release an object or to hold on tighter, thus compressing an enabling device. The ergonomic issues of sustained activation should be considered during design and installation of the enabling device.


OMRON A4EG Enabling Switches

Similar definitions exist in the International, European and US standards, although they may not be quite as formalized.


Most enabling devices on their own do nothing except PERMIT motion to take place, although the definition of enabling device in CSA Z432-04 actually permits the enabling device to cause motion. Absence of the enabling signal prevents or stops motion. These devices are therefore used in conjunction with hold-to-run controls on robots and machinery, and with throttle controls on trains, street cars, subways and similar equipment. Note that most standards do not permit enabling devices to actually cause motion. This is a unique situation in the Canadian standard.
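The feature list in clause 7.23.3 above, and the point that the enabling signal permits but does not cause motion, together describe a small state machine. The following model is an added example written for this post; it is not code from CSA Z432-04, from any switch vendor, or from the post’s author. The names `Position`, `EnablingDevice`, `motion_permitted` and `demo_sequence` are assumptions made here for illustration. It models the three-position device (features b, d and e), the clench-and-relax edge case in particular, and gates motion on BOTH the enabling signal and a separate hold-to-run command, which is the non-Canadian reading noted above.

```python
"""Model of a 3-position enabling device gating a hold-to-run control.

Added example: the clauses referenced in comments are the features quoted
from CSA Z432-04 clause 7.23.3 in the post; the class and function names
are hypothetical and not taken from any standard or product.
"""
from enum import Enum


class Position(Enum):
    """Actuator positions as numbered in feature (b)."""
    OFF = 1      # position 1: actuator not operated
    ENABLE = 2   # position 2: actuator held at its mid position
    PANIC = 3    # position 3: actuator pressed past the mid position (clench)


class EnablingDevice:
    """Tracks the actuator position and the resulting enabling signal.

    (b)  position 1 off, position 2 enable, position 3 off
    (d)  returning from position 3 to position 2 does NOT re-enable;
         the operator must fully release (position 1) first
    (e)  releasing the actuator returns the device to its off function
    """

    def __init__(self) -> None:
        self.position = Position.OFF
        # Set once position 3 has been reached; cleared only by a full release.
        self._latched_off = False

    def actuate(self, position: Position) -> bool:
        """Move the actuator to `position`; return the new enabling signal."""
        self.position = position
        if position is Position.PANIC:
            self._latched_off = True          # (b iii): position 3 is off
        elif position is Position.OFF:
            self._latched_off = False         # full release clears the latch
        return self.enabled()

    def release(self) -> bool:
        """Spring return when the actuator is not held, feature (e)."""
        return self.actuate(Position.OFF)

    def enabled(self) -> bool:
        """True only in position 2 and only if position 3 was not passed
        through since the last full release, feature (d)."""
        return self.position is Position.ENABLE and not self._latched_off


def motion_permitted(device: EnablingDevice, hold_to_run_pressed: bool) -> bool:
    """Motion needs the enabling signal AND an active hold-to-run command.

    The enabling device alone never starts motion; absence of its signal
    prevents or stops motion regardless of the hold-to-run button.
    """
    return device.enabled() and hold_to_run_pressed


def demo_sequence() -> list:
    """Constructed operator sequence; returns (step, motion_permitted) pairs."""
    dev = EnablingDevice()
    trace = []
    trace.append(("idle", motion_permitted(dev, False)))
    dev.actuate(Position.ENABLE)
    trace.append(("enable only", motion_permitted(dev, False)))
    trace.append(("enable + jog", motion_permitted(dev, True)))
    dev.actuate(Position.PANIC)               # operator clenches when startled
    trace.append(("clench + jog", motion_permitted(dev, True)))
    dev.actuate(Position.ENABLE)              # relaxes back to mid without letting go
    trace.append(("back to mid + jog", motion_permitted(dev, True)))
    dev.release()                             # full release resets the device
    dev.actuate(Position.ENABLE)
    trace.append(("re-enable + jog", motion_permitted(dev, True)))
    return trace


if __name__ == "__main__":
    for step, permitted in demo_sequence():
        print(f"{step:>20}: motion {'PERMITTED' if permitted else 'blocked'}")
```

The “back to mid + jog” step is the one worth studying: a naive implementation that simply reads “position 2 means enabled” would allow motion to resume the instant the clenched hand relaxes, which is exactly what feature (d) is written to prevent.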

So what’s the big deal?

Using the terms ‘dead-man’ or ‘live-man’ to describe these devices puts the wrong message out as far as I’m concerned. As safety engineers and OHS practitioners, we care about keeping workers out of danger. This is not about checking whether we have a ‘dead man’ or a ‘live man’, but rather about ensuring that the person in control of the equipment is ‘in control’. Using a phrase like ‘enabling device’ clearly says what the device does.

In my opinion, and supported by the current International and Canadian Standards, these terms must be abandoned in favour of ‘enabling device’ and the qualifiers ‘2-position enabling device’ and ‘3-position enabling device’. These terms are also used in many of the current machinery safety standards, so using them correctly improves clarity in writing and speaking. Clarity in communication in safety is too important for practitioners to permit the ongoing use of terms that convey the wrong message and do not promote clarity of meaning. Since clarity is often lacking when it comes to safety, anything we can do to improve our communications should be high on our priority list!

Ed. note: This post was updated on 17-Aug-17. The myth of deadman controls on steam locomotives was removed and replaced by historically verifiable information about the origins of this control.