Interlock Architectures – Pt. 4: Category 3 – Control Reliable

This entry is part 4 of 8 in the series Circuit Architectures Explored

Category 3 system architecture is the first category that could be considered to have similarity to “Control Reliable” circuits or systems as defined in the North American standards. It is not the same as Control Reliable, but we’ll get to that in a subsequent post. If you haven’t read the first three posts in this series, you may want to go back and review them, as the concepts in those articles are the basis for the discussion in this post.

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. No mention of the concept of control reliability appears in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the definitions that you read, this could be single- or multiple-fault tolerance.

There are a number of design techniques that can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06-1999, CSA Z434-03 or EN 954-1:95, rely primarily on the structure or architecture of the circuit and the characteristics of the components selected for use. ISO 13849-1 uses the same basic architectures defined by EN 954-1:95 and extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety Related Parts of the Control System”.

Definition

6.2.6 Category 3

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.

NOTE 3 Category 3 system behaviour allows that

  • when the single fault occurs the safety function is always performed,
  • some but not all faults will be detected,
  • accumulation of undetected faults can lead to the loss of the safety function.

NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.


Breaking it down

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points:

  • The components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and
  • “well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well-tried safety principles” and NOT “well-tried components”. The requirement to use components designed for safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of “direct-drive” contacts, improve the fault tolerance of the component, and so benefit the design in the end. These improvements are generally reflected in the B10d or MTTFd of the component, and are points that inspectors will commonly look for, since they are easy to spot in the field: “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence establishes the requirement for single-fault tolerance: the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure, but as long as the system continues to provide the safety function this may be acceptable. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: in order to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can clearly see this in both the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excluded. I’ll get into fault exclusions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “Whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a commercial off-the-shelf (COTS) component available that will do the job, and you choose not to use it, you will have a difficult time convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since it is typically the simplest way) or before it occurs, which can happen if your test equipment has a means to detect a change in some critical characteristic of the monitored component(s).

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. To get to LOW DCavg, we need to look first at Table 6:

ISO 13849-1:06 Table 6

Diagnostic Coverage (DC)

Denotation    Range
None          DC < 60%
Low           60% <= DC < 90%
Medium        90% <= DC < 99%
High          99% <= DC

NOTE 1 For SRP/CS consisting of several parts an average value DCavg for DC is used in Figure 5, Clause 6 and E.2.

NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508) dealing with diagnostic coverage of tests. Investigations show that (1 – DC) rather than DC itself is a characteristic measure for the effectiveness of the test. (1 – DC) for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called “none”. A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.

Based on Table 6, the DCavg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E.1. Using the factors in Table E.1, score the design. If you end up in the desired range between 60% and 90% DC coverage, you can move on. If not, the design will require modification to bring it into this range.

The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr.

This sentence reminds you that your component selections matter. Depending on the PLr you are trying to achieve, you will need to choose components with suitable MTTFd ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PLs, all the way from PLa through PLe!

ISO 13849-1 Figure 5

If you want, or need, to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Measures against CCF shall be applied (see Annex F).

In order for the architecture of your design to meet Category 3, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed, either simultaneously or at different times, due to overloading because they were undersized, this could be considered a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must meet at least 65 points to be considered to meet the minimum level of CCF protection, and more is better of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more and you are good to go.
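The three numeric checks discussed above (the MTTFd of each channel, DCavg against Table 6, and the Annex F score against the 65-point threshold) can be kept together in one worksheet. The following is an added example, not code from this post or from ISO: the channel MTTFd and DCavg formulas are the ones ISO 13849-1 gives in Annex D and Annex E, the Table 4 MTTFd bands and the Table F.1 point values are reproduced from the standard rather than from the post, and every component figure in it is constructed for illustration.

```python
"""Reliability worksheet for a two-channel (Category 3) SRP/CS.

Added example; not the post author's code and not an ISO tool. Formulas:
series-channel MTTFd (ISO 13849-1 Annex D) and DCavg (Annex E). Table 4
MTTFd bands and Table F.1 CCF points are from the standard, not the post.
Component values are constructed, not vendor data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Component:
    name: str
    mttfd_years: float   # MTTFd of this component (from B10d/nop or the data sheet)
    dc: float            # diagnostic coverage for this component, 0.0 .. 1.0


def channel_mttfd(parts: List[Component]) -> float:
    """Series channel: 1/MTTFd = sum(1/MTTFd_i). The standard credits a
    single channel with at most 100 years."""
    total = 1.0 / sum(1.0 / p.mttfd_years for p in parts)
    return min(total, 100.0)


def mttfd_denotation(mttfd_years: float) -> str:
    """Table 4 bands: low 3..10 y, medium 10..30 y, high 30..100 y."""
    if mttfd_years < 3.0:
        return "not acceptable"
    if mttfd_years < 10.0:
        return "low"
    if mttfd_years < 30.0:
        return "medium"
    return "high"


def dc_avg(parts: List[Component]) -> float:
    """DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i). Parts with a short
    MTTFd weigh more, so an undiagnosed weak part pulls DCavg down fastest."""
    weights = [1.0 / p.mttfd_years for p in parts]
    return sum(p.dc * w for p, w in zip(parts, weights)) / sum(weights)


def dc_denotation(dc: float) -> str:
    """Table 6 as quoted in the post: none / low / medium / high."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# Annex F, Table F.1: each measure scores its full value or nothing.
CCF_MEASURES: Dict[str, int] = {
    "separation_segregation": 15,
    "diversity": 20,
    "protection_against_overvoltage_overcurrent": 15,
    "well_tried_components": 5,
    "fmea_in_design": 5,
    "competence_training": 5,
    "emc_immunity": 25,
    "other_environmental_influences": 10,
}
CCF_PASS_SCORE = 65   # minimum stated in the post


def ccf_score(achieved: Iterable[str]) -> int:
    """Points for the measures actually implemented; a duplicate name counts
    once and an unknown name raises KeyError instead of silently scoring 0."""
    return sum(CCF_MEASURES[m] for m in set(achieved))


def ccf_passes(achieved: Iterable[str]) -> bool:
    return ccf_score(achieved) >= CCF_PASS_SCORE


def worksheet(ch1: List[Component], ch2: List[Component], ccf: Iterable[str]) -> Dict[str, object]:
    """Summarise one design the way the post's Category 3 checklist reads."""
    dcavg = dc_avg(ch1 + ch2)
    return {
        "channel1_mttfd": round(channel_mttfd(ch1), 1),
        "channel1_band": mttfd_denotation(channel_mttfd(ch1)),
        "channel2_mttfd": round(channel_mttfd(ch2), 1),
        "channel2_band": mttfd_denotation(channel_mttfd(ch2)),
        "dcavg": round(dcavg, 4),
        "dc_band": dc_denotation(dcavg),
        "ccf_score": ccf_score(ccf),
        "ccf_ok": ccf_passes(ccf),
    }


# Constructed gate-interlock example: one switch and one contactor per channel.
# The switches are only cross-compared at a demand (DC 0.60 assumed); the
# contactors are checked by the reset feedback loop (DC 0.99 assumed).
CHANNEL_1 = [Component("S21 gate switch", 150.0, 0.60), Component("K3 contactor", 50.0, 0.99)]
CHANNEL_2 = [Component("S22 gate switch", 150.0, 0.60), Component("K4 contactor", 50.0, 0.99)]
CCF_ACHIEVED = ["separation_segregation", "protection_against_overvoltage_overcurrent",
                "fmea_in_design", "competence_training", "emc_immunity",
                "other_environmental_influences"]

if __name__ == "__main__":
    for key, value in worksheet(CHANNEL_1, CHANNEL_2, CCF_ACHIEVED).items():
        print(f"{key:16} {value}")
```

With these constructed figures each channel comes out at 37.5 years (high), DCavg at 0.8925 (low, so within the 60% to 90% band the post asks for) and the CCF score at 75. Note how the DCavg weighting works: the contactors, with the shorter MTTFd, dominate the average, which is why an undiagnosed part with a short MTTFd hurts far more than an undiagnosed part with a long one.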

The Notes

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 speaks to the possibility that a Type-C product standard, like EN 201 for injection moulding machines for example, may impose a minimum PLr on the design. Make sure that you get a copy of any Type-C standard that is relevant for your product and market. Note that the designation “Type-C” comes from ISO. If you go looking for this terminology in ANSI or CSA standards, you won’t find it used because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL level you need.

The Block Diagram

Let’s have a look at the functional block diagram for this Category.

ISO 13849-1 Figure 11

By looking at the diagram you can see clearly the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason requiring the use of two physically separate input devices to sense the guard position or whatever other safeguarding device is integrated into the system. The only way that a failure in the input devices can be detected is if one channel changes state and one does not.

If you want to learn more about applying the block diagramming method to your design, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above, or get the document directly from the IFA web site.

Circuit Diagram

By now you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel that you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101, nor I, have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P – June 2011, p.6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation web site.

Emergency Stop Subsystem

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis are required to determine what performance level is needed for this subsystem. Get more information on emergency stop.

Gate Interlock Subsystem

The gate interlock circuit is located in the center of the diagram, and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used, so one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point: did you notice that there is a “zone e-stop” included in the gate interlock? If you look immediately below the central safety relay and a little to the left you will find an emergency stop device. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can’t distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use a third contact on the e-stop device to connect to a PLC input for this purpose.

Safety Mat Subsystem

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single or dual channel in design. The mat shown in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that will be detected by the 440R relay. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be damaged reasonably easily, and the circuit design shown will detect shorts or opens within the mat and will prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6, are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn’t rely on the safety relay.

One more thing: just like the gate interlock circuit, this circuit also includes a “zone e-stop”. Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can’t tell the difference between the e-stop button and the mat being activated, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.

Component Selection

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTFd of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is then the significant factor. Component data sheets can be downloaded from the Rockwell site if you want to dig a bit deeper.
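To make the monitoring behaviour described for the gate interlock and safety mat subsystems concrete, here is an added example that is not from the post and not Rockwell firmware. It models a simplified two-channel evaluation unit: a stop when either channel opens, recognition of a Channel 1 to Channel 2 short (the mat being stepped on), a feedback check of the output contactors before any reset is accepted, and a latched fault when one channel changes state and the other does not. The contactor names follow the diagram (K3, K4); the discrepancy limit, the scan model and the injected faults are constructed assumptions. The scenarios also show the Note 1 limitation of the Category 3 definition: a single stuck switch is caught at the demand, but two stuck switches that accumulate before the demand are not.

```python
"""Behavioural model of a dual-channel safety relay with cross-monitoring.

Added example; not the post's circuit and not the 440R's internals. The
relay logic, the discrepancy limit and the injected faults are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Contactor:
    """Output contactor with a mechanically linked N/C mirror contact. The
    reset loop (S34 / +V in the diagram) reads the mirror contact, which is
    closed only while the main contacts are open."""
    name: str
    energised: bool = False
    welded: bool = False          # constructed fault: main contacts stuck closed

    def main_closed(self) -> bool:
        return self.energised or self.welded

    def mirror_closed(self) -> bool:
        return not self.main_closed()


@dataclass
class DualChannelRelay:
    """Two-channel evaluation unit with cross-monitoring and monitored reset."""
    k_a: Contactor
    k_b: Contactor
    discrepancy_limit: int = 3    # scans the channels may disagree (constructed)
    fault: Optional[str] = None
    _discrepancy: int = 0
    _inputs_ok: bool = False
    _short: bool = False

    def scan(self, ch1_closed: bool, ch2_closed: bool, cross_short: bool = False) -> None:
        """One monitoring cycle over the sensed inputs (True = contact closed)."""
        self._short = cross_short
        if self.fault:
            self._drop_out()          # latched: outputs stay off until repaired
            return
        if cross_short:
            # Mat stepped on, or cable damage: channel 1 shorted to channel 2.
            # Each channel carries its own test signal, so the short is
            # recognised instead of being read as "both closed".
            self._inputs_ok = False
            self._drop_out()
            return
        if ch1_closed != ch2_closed:
            self._discrepancy += 1
            if self._discrepancy > self.discrepancy_limit:
                self._latch("discordance: one channel changed state, the other did not")
                return
        else:
            self._discrepancy = 0
        self._inputs_ok = ch1_closed and ch2_closed
        if not self._inputs_ok:
            # Either channel opening is a stop demand; one healthy channel is
            # enough to execute it (single-fault tolerance).
            self._drop_out()

    def reset(self) -> bool:
        """Monitored reset: refused while a fault is latched, while an input is
        open or shorted, or while either contactor has not released."""
        if self.fault or not self._inputs_ok or self._short:
            return False
        stuck = [k.name for k in (self.k_a, self.k_b) if not k.mirror_closed()]
        if stuck:
            self._latch("feedback loop open: " + ", ".join(stuck) + " did not release")
            return False
        self.k_a.energised = self.k_b.energised = True
        return True

    def load_powered(self) -> bool:
        """K_a and K_b are wired in series with the hazardous load."""
        return self.k_a.main_closed() and self.k_b.main_closed()

    def _drop_out(self) -> None:
        self.k_a.energised = self.k_b.energised = False

    def _latch(self, reason: str) -> None:
        self.fault = reason
        self._drop_out()


def fresh_relay() -> DualChannelRelay:
    """Relay with guard closed on both channels and a successful reset."""
    relay = DualChannelRelay(Contactor("K3"), Contactor("K4"))
    relay.scan(True, True)
    relay.reset()
    return relay


def single_stuck_switch() -> dict:
    """Channel 2 switch fails stuck closed, then the gate is opened."""
    relay = fresh_relay()
    for _ in range(5):
        relay.scan(ch1_closed=False, ch2_closed=True)
    return {"load_powered": relay.load_powered(), "fault": relay.fault, "reset_ok": relay.reset()}


def accumulated_stuck_switches() -> dict:
    """Both switches stuck closed before any demand (Note 1 case): the gate is
    opened but neither channel reports it, so the load keeps running."""
    relay = fresh_relay()
    for _ in range(5):
        relay.scan(ch1_closed=True, ch2_closed=True)
    return {"load_powered": relay.load_powered(), "fault": relay.fault}


def welded_contactor() -> dict:
    """Normal stop, then K3 welds; guard closed again and a reset is attempted."""
    relay = fresh_relay()
    relay.scan(False, False)
    relay.k_a.welded = True
    relay.scan(True, True)
    return {"load_powered": relay.load_powered(), "reset_ok": relay.reset(), "fault": relay.fault}


def mat_stepped_on() -> dict:
    """Person steps on the mat (channels shorted), then steps off again."""
    relay = fresh_relay()
    relay.scan(True, True, cross_short=True)
    while_on = {"load_powered": relay.load_powered(), "reset_ok": relay.reset()}
    relay.scan(True, True)
    return {"while_on": while_on, "reset_after": relay.reset(), "fault": relay.fault}
```

Run the four scenario functions to see the behaviour the post describes: the single stuck switch stops the machine through the healthy channel and locks the relay out at that demand; the welded K3 is caught by the feedback loop, so the reset is refused; the mat short drops the outputs and allows a reset only once the short has cleared; and the two accumulated stuck switches leave the load powered with no fault recorded, which is exactly the situation Note 1 warns about and the reason input devices need a robust fault-exclusion argument when they are not otherwise monitored.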

What did you think about this article? What questions came to mind that weren’t answered for you? I look forward to hearing your thoughts and questions!

Copyright secured by Digiprove © 2011 – 2014
Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved

Interlock Architectures – Pt. 5: Category 4 — Control Reliable

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This installment in the series on system architectures delves into the details of Category 4. The definitions and requirements discussed in this article come from ISO 13849-1, Edition 2 (2006) and ISO 13849-2, Edition 1 (2003).

As with preceding articles in this series, I’ll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I’ve answered your questions there.

The Definition

The Category 4 definition builds on both Category B and Category 3. As you read, recall that “SRP/CS” stands for “Safety Related Parts of the Control System”. Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

In practice, the consideration of a fault combination of two faults may be sufficient.


Breaking it down

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, well-tried safety principles, such as switching the +V rail side of the coil circuit for control components, must be used. If you aren’t sure about what constitutes a “well-tried safety principle”, see the article on Category 2 where this is discussed. Don’t confuse “well-tried safety principles” with “well-tried components”. There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that Category. This is the key difference between the categories, in my opinion.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the “passing score” of 65 remains unchanged (see Annex F in ISO 13849-1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements by explicit statements. Notice that nowhere is there a requirement that single faults or accumulations of single faults be prevented, only that they be detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. Understanding, first, which components are critical to the safety function and, second, what kinds of faults each component is likely to have is fundamental to being able to design a diagnostic system that can detect those faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if the common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly resulting in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for “fault exclusion”, a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high-probability faults that are likely to occur concurrently. If there are, you need to assess these combinations of faults, whether there are 5 or 50 to be evaluated.
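Assessing fault combinations systematically, as the paragraph above recommends, is an enumeration problem. The following added example (not the author's method and not an ISO tool) screens every combination of a fault list up to a chosen order and reports the minimal sets that leave one stage of the two-channel structure without a working channel, tagging each with whether a diagnostic that runs before the next demand (here the reset-loop feedback check) bounds how long it can sit undetected. The fault list, the element each fault disables and the detection attributes are constructed for the two-switch, two-contactor gate interlock discussed earlier; a real list is built from ISO 13849-2 Annex D and the design's own analysis.

```python
"""Fault-combination screening for a two-channel SRP/CS.

Added example; not the post author's method and not an ISO tool. The fault
list and its attributes are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence, Tuple

Element = Tuple[str, str]          # (stage, channel), e.g. ("input", "1")
STAGES = ("input", "output")


@dataclass(frozen=True)
class Fault:
    name: str
    disables: FrozenSet[Element]   # elements that lose the ability to stop; empty = fails safe
    revealed_before_demand: bool   # caught by a diagnostic before the next demand (e.g. at reset)


def safety_function_lost(faults: Sequence[Fault]) -> bool:
    """Lost when some stage has both channels disabled: either no demand is
    seen (both inputs) or no stop can be executed (both outputs)."""
    disabled = set().union(*(f.disables for f in faults))
    return any({(stage, "1"), (stage, "2")} <= disabled for stage in STAGES)


def screen(fault_list: Sequence[Fault], max_order: int = 2) -> Dict[str, object]:
    """Evaluate every combination up to max_order and report the minimal
    losing sets; a combination containing a known losing subset adds nothing."""
    losing: List[FrozenSet[Fault]] = []
    findings = []
    evaluated = 0
    for order in range(1, max_order + 1):
        for combo in combinations(fault_list, order):
            evaluated += 1
            members = frozenset(combo)
            if any(sub <= members for sub in losing):
                continue
            if safety_function_lost(combo):
                losing.append(members)
                # An input fault is only noticed at a demand, so it can sit
                # undetected across many cycles; a fault caught at reset can
                # only combine with another inside one operating period.
                bounded = any(f.revealed_before_demand for f in combo)
                findings.append({
                    "order": order,
                    "faults": tuple(f.name for f in combo),
                    "exposure": "bounded by next reset" if bounded else "until next demand",
                })
    return {"evaluated": evaluated, "findings": findings}


# Constructed fault list for the two-switch / two-contactor gate interlock.
FAULTS = [
    Fault("gate switch S21 stuck closed", frozenset({("input", "1")}), False),
    Fault("gate switch S22 stuck closed", frozenset({("input", "2")}), False),
    Fault("K3 main contacts welded", frozenset({("output", "1")}), True),
    Fault("K4 main contacts welded", frozenset({("output", "2")}), True),
    Fault("channel 1 wiring broken (opens the channel)", frozenset(), True),
    Fault("channel 2 wiring broken (opens the channel)", frozenset(), True),
    Fault("surge welds K3 and K4 together (common cause)",
          frozenset({("output", "1"), ("output", "2")}), False),
]

if __name__ == "__main__":
    result = screen(FAULTS)
    print(f"{result['evaluated']} combinations evaluated")
    for finding in result["findings"]:
        print(f"order {finding['order']}: {' + '.join(finding['faults'])}"
              f" -> loss of safety function ({finding['exposure']})")
```

With seven faults and max_order=2 the screen evaluates 28 combinations and reports three: the common-cause surge on its own (the case the Annex F measures exist to address), both gate switches stuck closed (exposure until the next demand, which is the Category 3 accumulation problem), and both contactors welded (bounded by the next reset, because the feedback loop catches each one). Mixed pairs such as one stuck switch plus one welded contactor are not reported, because the healthy input still sees the demand and the healthy output still executes the stop.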

Fault Exclusion

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved, and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Section 7.3 of ISO 13849-1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between “well-tried components” and “fault exclusion”:

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

To assist the designer, ISO 13849-2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let’s consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List

1. Fault: Key breaks off
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely

2. Fault: Screws mounting key to guard fail
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely

3. Fault: Screws mounting interlock device to guard fail
   Result: Control system cannot determine guard position. Complete failure of system through a single fault.
   Likelihood: Unlikely

4. Fault: Key and interlock device misaligned
   Result: Guard cannot close, preventing machine from operating.
   Likelihood: Very likely

5. Fault: Key and interlock device misaligned; key and/or interlock device damaged
   Result: Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device.
   Likelihood: Likely

6. Fault: Screws mounting key to guard removed by user
   Result: Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard.
   Likelihood: Likely

7. Fault: Screws mounting interlock device to guard removed by user
   Result: Probably combined with the preceding condition. Control system can no longer sense the position of the guard.
   Likelihood: Unlikely, but could happen.

There may be more failure modes, but for the purpose of this discussion, let’s limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing a sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread-locking adhesives when installing the screws to prevent them from vibrating loose, and “tamper-proof” style screw heads to deter unauthorized removal. Inclusion of these methods will support any decision to exclude these faults. The same reasoning applies to faults 3, 6 and 7.

Faults 4 and 5 occur frequently and are often caused by poor device selection (e.g. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (e.g. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). Rationale for prevention of these faults will need to include discussion of design features that will prevent these conditions.

Excluding any other kind of fault follows the same process: develop the fault list, assess each fault against the relevant Annex from ISO 13849-2, determine whether there are preventative measures that can be designed into the product, and decide whether these provide sufficient risk reduction to allow the exclusion of the fault from consideration.

DCavg and MTTFd requirements

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of "high" only.

The first sentence in Note 2 clarifies the two main differences from a design standpoint, aside from the additional fault tolerance requirements: better diagnostics are required, and much higher requirements apply to the individual component, and therefore channel, MTTFd.

The Block Diagram

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This corrects the arrowed lines labeled "m" between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I've highlighted this area using red ovals on Figure 12 to make it easier to see.

ISO 13849-1 Figure 12 – Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the "m" lines are solid in Figure 12 and dashed in Figure 11? Subtle, but significant! There are no other differences between the diagrams.

ISO 13849-1 Figure 11 – Category 3 Block Diagram

I went looking for a circuit diagram to support the block diagram, but wasn't able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn't too surprising. The basic physical construction of the two categories can be virtually identical.

Applications

The following is not from the standards – this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided that they were going to apply Category 4 architecture without really understanding the design implications, because they believed that it was "the best". With the change in the harmonization of EN 954-1 and ISO 13849-1 under the EU Machinery Directive that comes into force on 29-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954-1, I can easily imagine manufacturers who have taken the approach that they already have Category 4 SRP/CS on their systems simply stating that they now have PLe SRP/CS performance. This is a bad decision for a lot of reasons:

  1. ISO 13849-1 PLe, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Attempting to apply this level of design to machinery where a PLb performance level is more suitable based on a risk assessment is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, EN 692 for mechanical power presses or EN 693 for hydraulic power presses, will explicitly specify the PL required for these machines.
  2. Manufacturers have frequently claimed EN 954-1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system.

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant's published documents to cause some serious legal grief.

As designers involved with the safety of our company's products or with our co-workers' safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction, and ensure that the design criteria are met by validating the system once built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011 – 2012
Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved

Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I've now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we'll compare the International and North American systems. This comparison is not intended to draw conclusions about which is "better", but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we've spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories
(Columns: Category; Summary of requirements; System behaviour; Principle used to achieve safety; MTTFd of each channel; DCavg; CCF)

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06
(Columns: Category; CSA Z432-04 / Z434-03 Summary of requirements; System behaviour; Principle used to achieve safety; RIA R15.06-1999 Summary of requirements)

ALL
  CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA R15.06-1999: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4. (2)

  (2) These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1.) They are different. The committee believes that the criteria in 4.5.1 – 4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

SIMPLE
  CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable.
    Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06-1999: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA Z432-04 / Z434-03: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers' recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA R15.06-1999: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers' recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

SINGLE CHANNEL WITH MONITORING
  CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
      i) at machine start-up; and
      ii) periodically during operation (preferably at each change in state).
    b) The check shall either
      i) allow operation if no faults have been detected; or
      ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA R15.06-1999: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
      1) at machine start-up, and
      2) periodically during operation;
    b) The check shall either:
      1) allow operation if no faults have been detected, or
      2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized primarily by structure.
  RIA R15.06-1999: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between the North American and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note – ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term "control system(s)" throughout the definitions of the categories, while the ANSI/RIA standard uses the term "circuit(s)". This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to "circuits".

The explanation I've been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be "safety rated", effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard, instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the "SIMPLE, SINGLE-CHANNEL," etc. definitions and now uses "Category B, 1, etc." However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. These updates to the 2006 edition may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.
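As an added illustration of the systems-versus-circuits point above, and of the monitoring requirements a), b) and d) in the CONTROL RELIABLE row of the table, here is a simplified Python model that is not from the original post or from either standard. It assumes that a jammed interlock head keeps reporting "guard closed" whatever the guard does, and that the monitor is a plain cross-check of all channels run at start-up and at every change of state, latching a stop until the fault is cleared; under those assumptions two circuits on one device agree with each other and miss the fault, while one device per channel shows a discrepancy at the next demand.

```python
"""Simplified model: two circuits on ONE interlock device (RIA 'circuit' wording)
versus ONE device per channel (CSA 'control system' wording).

Modelling assumptions, not taken from either standard: a jammed interlock head
keeps reporting 'guard closed' whatever the guard does, and the monitor is a
plain cross-check of all channels run at start-up and at every change of state,
latching a stop until the fault is cleared."""
from dataclasses import dataclass, field


@dataclass
class InterlockDevice:
    """One interlock switch; every channel wired to it shares its mechanics."""
    channels: int = 1
    jammed: bool = False  # mechanical single fault: head stuck on its actuator

    def read(self, guard_closed: bool) -> list:
        # A mechanical fault hits every contact of the device at the same time,
        # so it is a common-cause event for all circuits on this one device.
        state = True if self.jammed else guard_closed
        return [state] * self.channels


@dataclass
class SafetyController:
    devices: list                  # the interlock devices on the guard
    fault_latched: bool = False    # stop held until the fault is cleared
    log: list = field(default_factory=list)

    def _inputs(self, guard_closed: bool) -> list:
        return [s for dev in self.devices for s in dev.read(guard_closed)]

    def check(self, guard_closed: bool) -> bool:
        """Cross-check: channels must agree. Returns True if a fault is latched."""
        inputs = self._inputs(guard_closed)
        if len(set(inputs)) > 1:
            self.fault_latched = True
            self.log.append(f"channel discrepancy {inputs}: stop generated")
        return self.fault_latched

    def run_permitted(self, guard_closed: bool) -> bool:
        """Motion may run only with no latched fault and all channels closed."""
        self.check(guard_closed)              # check at each change of state
        return not self.fault_latched and all(self._inputs(guard_closed))

    def clear_fault(self) -> None:
        self.fault_latched = False


def replay(controller: SafetyController, guard_states: list) -> list:
    """Run the start-up check, then each guard state; return run permissions."""
    controller.check(guard_states[0])         # check at machine start-up
    return [controller.run_permitted(g) for g in guard_states]


def compare(guard_states=(True, False, True, False)):
    """Same jammed head on both wiring styles; guard: closed, open, closed, open."""
    ria_style = SafetyController([InterlockDevice(channels=2, jammed=True)])
    csa_style = SafetyController([InterlockDevice(jammed=True), InterlockDevice()])
    return replay(ria_style, list(guard_states)), replay(csa_style, list(guard_states))


if __name__ == "__main__":
    ria, csa = compare()
    print("two circuits, one device :", ria)  # guard open yet motion permitted
    print("one device per channel   :", csa)  # fault caught at the next demand
```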

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of "proven designs" and "positive-break devices". What the TCs were referring to are the same "well-tried safety principles" and "well-tried components" referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use "safety-rated devices", which is not included in the International standard. (N.B. The use of the word "should" in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As for the RIA committee's assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] "Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design", ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] "Safeguarding of machinery", CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] "American National Standard for Industrial Robots and Robot Systems — Safety Requirements", ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] "Safety of machinery — Safety related parts of control systems — Part 1: General principles for design", EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] "Safety of machinery — Interlocking devices associated with guards — Principles for design and selection", EN 1088, CEN, Geneva, 1995.

[6] "Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots", EN ISO 10218-1, European Committee for Standardization (CEN), Geneva, 2011.

[7] "Robots for Industrial Environment – Safety Requirements – Part 1 – Robot", ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.
