Interlock Architectures – Pt. 3: Category 2

This entry is part 3 of 8 in the series Circuit Architectures Explored

This art­icle explores the require­ments for safety related con­trol sys­tems meet­ing ISO 13849 – 1 Category 2 require­ments. “Gotcha!” points in the defin­i­tion are high­lighted to help design­ers avoid this com­mon pit­falls.

This entry is part 3 of 8 in the series Circuit Architectures Explored

In the first two posts in this series, we looked at Category B, the Basic cat­egory of sys­tem archi­tec­ture, and then moved on to look at Category 1. Category B under­pins Categories 2, 3 and 4. In this post we’ll look more deeply into Category 2.

Let’s start by look­ing at the defin­i­tion for Category 2, taken from ISO 13849 – 1:2007. Remember that in these excerpts, SRP/​CS stands for Safety Related Parts of Control Systems.

Definition

6.2.5 Category 2

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/​CS of cat­egory 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be per­formed

  • at the machine start-​up, and
  • pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, and/​or
  • peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is neces­sary.

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

  • allow oper­a­tion if no faults have been detec­ted, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detec­ted.

Whenever pos­sible this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­sible to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall provide a warn­ing of the haz­ard.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Figure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Figure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Figure 10).

The dia­gnost­ic cov­er­age (DCavg) of the total SRP/​CS includ­ing fault-​detection shall be low. The MTTFd of each chan­nel shall be low-​to-​high, depend­ing on the required per­form­ance level (PLr). Measures against CCF shall be applied (see Annex F).

The check itself shall not lead to a haz­ard­ous situ­ation (e.g. due to an increase in response time). The check­ing equip­ment may be integ­ral with, or sep­ar­ate from, the safety-​related part(s) provid­ing the safety func­tion.

The max­im­um PL achiev­able with cat­egory 2 is PL = d.

NOTE 1 In some cases cat­egory 2 is not applic­able because the check­ing of the safety func­tion can­not be applied to all com­pon­ents.

NOTE 2 Category 2 sys­tem beha­viour allows that

  • the occur­rence of a fault can lead to the loss of the safety func­tion between checks,
  • the loss of safety func­tion is detec­ted by the check.

NOTE 3 The prin­ciple that sup­ports the valid­ity of a cat­egory 2 func­tion is that the adop­ted tech­nic­al pro­vi­sions, and, for example, the choice of check­ing fre­quency can decrease the prob­ab­il­ity of occur­rence of a dan­ger­ous situ­ation.

ISO 13849-1 Figure 10
Figure 1 – Category 2 Block dia­gram [1, Fig.10]

Breaking it down

Let start by tak­ing apart the defin­i­tion a piece at a time and look­ing at what each part means. I’ll also show a simple cir­cuit that can meet the require­ments.

Category B & Well-​tried Safety Principles

The first para­graph speaks to the build­ing block approach taken in the stand­ard:

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Systems meet­ing Category 2 are required to meet all of the same require­ments as Category B, as far as the com­pon­ents are con­cerned. Other require­ments for the cir­cuits are dif­fer­ent, and we will look at those in a bit.

Self-​Testing required

Category 2 brings in the idea of dia­gnostics. If cor­rectly spe­cified com­pon­ents have been selec­ted (Category B), and are applied fol­low­ing ‘well-​tried safety prin­ciples’, then adding a dia­gnost­ic com­pon­ent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-​tolerance’ or the abil­ity to func­tion cor­rectly even when some aspect of the sys­tem has failed.

Let’s look at the text:

SRP/​CS of Category 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be per­formed

  • at the machine start-​up, and
  • pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, and/​or
  • peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is neces­sary.

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

  • allow oper­a­tion if no faults have been detec­ted, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detec­ted.

Whenever pos­sible this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­sible to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall provide a warn­ing of the haz­ard.

Periodic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e. a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion the integ­rity of the SRP/​CS must be tested at the start of a cycle or haz­ard­ous peri­od, and poten­tially peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment indic­ates that this is neces­sary. The test­ing fre­quency must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rup­ted every 30 s dur­ing nor­mal oper­a­tion requires a min­im­um test rate of once every 0.3 s, or 200x per minute or more.

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­ally is. As long as the sys­tem integ­rity is good, then the out­put is allowed to remain on, and the machinery or pro­cess can run.

Watch Out!

Notice that the words ‘whenev­er pos­sible’ are used in the last para­graph in this part of the defin­i­tion where the stand­ard speaks about ini­ti­ation of a safe state. This word­ing alludes to the fact that these sys­tems are still prone to faults that can lead to the loss of the safety func­tion, and so can­not be called truly ‘fault-​tolerant’. Loss of the safety func­tion must be detec­ted by the mon­it­or­ing sys­tem and a safe state ini­ti­ated. This requires care­ful thought, since the safety sys­tem com­pon­ents may have to inter­act with the pro­cess con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safety sys­tem itself has failed. Also note that it is not pos­sible to use fault exclu­sions in Category 2 archi­tec­ture, because the sys­tem is not fault tol­er­ant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­pon­ents used in that chan­nel meet Category B require­ments, can the dia­gnost­ic com­pon­ent be provided by a mon­it­or­ing the sys­tem with a stand­ard PLC? The answer to this is YES. Test equip­ment (called TE in Fig. 1) is spe­cific­ally excluded, and Category 2 DOES NOT require the use of well-​tried com­pon­ents, only well-​tried safety prin­ciples.

Finally, for the faults that can be detec­ted by the mon­it­or­ing sys­tem, detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Generally, detec­tion of a fault should pre­vent the sub­sequent reset of the sys­tem until the fault is cleared or repaired.

Testing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-​the-​fly’ and without intro­du­cing any delay in the sys­tem com­pared to how it would have oper­ated without the test­ing incor­por­ated. Test equip­ment can be integ­rated into the safety sys­tem or be extern­al to it.

One more ‘gotcha’

Note 1 in the defin­i­tion high­lights a sig­ni­fic­ant pit­fall for many design­ers: if all of the com­pon­ents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­form­ity to Category 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indic­at­ing that all three must be included in the mon­it­or­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Category 2 must be down­graded to Category 1 in cases where all the com­pon­ents in the func­tion­al chan­nel can­not be tested. This is a major point and one which many design­ers miss when devel­op­ing their sys­tems.

Calculation of MTTFd

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTFd.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Figure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Figure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Figure 10).

Calculation of the fail­ure rate focuses on the func­tion­al chan­nel, not on the mon­it­or­ing sys­tem, mean­ing that the fail­ure rate of the mon­it­or­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTFd of each com­pon­ent in the func­tion­al chan­nel is cal­cu­lated and then the MTTFd of the total chan­nel is cal­cu­lated.

The Diagnostic Coverage (DCavg) is also cal­cu­lated based exclus­ively on the com­pon­ents in the func­tion­al chan­nel, so when determ­in­ing what per­cent­age of the faults can be detec­ted by the mon­it­or­ing equip­ment, only faults in the func­tion­al chan­nel are con­sidered.

This high­lights the fact that a fail­ure of the mon­it­or­ing sys­tem can­not be detec­ted, so a single fail­ure in the mon­it­or­ing sys­tem that res­ults in the sys­tem fail­ing to detect a sub­sequent nor­mally detect­able fail­ure in the func­tion­al chan­nel will res­ult in the loss of the safety func­tion.

Summing Up

The next para­graph sums up the lim­its of this par­tic­u­lar archi­tec­ture:

The dia­gnost­ic cov­er­age (DCavg) of the total SRP/​CS includ­ing fault-​detection shall be low. The MTTFd of each chan­nel shall be low-​to-​high, depend­ing on the required per­form­ance level (PLr). Measures against CCF shall be applied (see Annex F).

The first sen­tence reflects back to the pre­vi­ous para­graph on dia­gnost­ic cov­er­age, telling you, as the design­er, that you can­not make a claim to any­thing more than LOW DC cov­er­age when using this archi­tec­ture.

This raises an inter­est­ing ques­tion, since Figure 5 in the stand­ard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the stand­ard is to abide by the text, mean­ing that you can­not claim high­er than LOW for DCavg in this archi­tec­ture. This con­flict will be addressed by future revi­sions of the stand­ard.

Another prob­lem raised by this sen­tence is the inclu­sion of the phrase “the total SRP/​CS includ­ing fault-​detection”, since the pre­vi­ous para­graph expli­citly tells you that the assess­ment of DCavg ‘should’ only include the func­tion­al chan­nel, while this sen­tence appears to include it. In stand­ards writ­ing, sen­tences includ­ing the word ‘shall’ are clearly man­dat­ory, while those includ­ing the word ‘should’ indic­ate a con­di­tion which is advised but not required. Hopefully this con­fu­sion will be cla­ri­fied in the next edi­tion of the stand­ard.

MTTFd in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­pon­ents selec­ted and the way they are applied in the design. The require­ment will be driv­en by the desired PL of the sys­tem, so a PLd sys­tem will require HIGH MTTFd com­pon­ents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PLb sys­tem would require only LOW MTTFd com­pon­ents.
Finally, applic­able meas­ures against Common Cause Failures (CCF) must be used. Some of the meas­ures giv­en in Table F.1 in Annex F of the stand­ard can­not be applied, such as Channel Separation, since you can­not sep­ar­ate a single chan­nel. Other CCF meas­ures can and must be applied, and so there­fore you must score at least the min­im­um 65 on the CCF table in Annex F to claim com­pli­ance with Category 2 require­ments.

Example Circuit

Here’s an example of what a simple Category 2 cir­cuit con­struc­ted from dis­crete com­pon­ents might look like. Note that PB1 and PB2 could just as eas­ily be inter­lock switches on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­pli­city, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­press­ors across all relay coils. All relays are con­sidered to be con­struc­ted with  ‘force-​guided’ designs and meet the require­ments for well-​tried com­pon­ents.

Example Category 2 circuit from discrete components
Figure 2 – Example Category 2 cir­cuit from dis­crete com­pon­ents

How the cir­cuit works:

  1. The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­it­or­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
  2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mally closed con­tacts will be closed, so press­ing PB3 will res­ult in CR3 turn­ing on.
  3. CR3 closes its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-​energize CR3. The time delays inher­ent in relays per­mit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit the mon­it­or­ing func­tion is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a single fault is detec­ted and the machine is pre­ven­ted from re-​starting. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redund­ant. If CR3 fails with wel­ded con­tacts, then the M rung is held open because CR3 has not de-​energized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­it­or­ing sys­tem, if a “force-​guided” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M can­not ener­gize because of the redund­ant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3. Testing is con­duc­ted each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment, and so can­not be said to meet Category 2 require­ments.

If M is a motor starter rather than the motor itself, it will need to be duplic­ated for redund­ancy and a mon­it­or­ing con­tact added to the CR3 rung .

In cal­cu­lat­ing MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be included. CR3 is included because it has a func­tion­al con­tact in the M rung and is there­fore part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OT and OTE chan­nels.

Download IEC stand­ards, International Electrotechnical Commission stand­ards.
Download ISO Standards 

Watch for the next install­ment in this series where we’ll explore Category 3, the first of the ‘fault tol­er­ant’ archi­tec­tures!

Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Circuit Architectures Explored

This art­icle expands on the first in the series “Interlock Architectures – Pt. 1: What do those cat­egor­ies really mean?”. Learn about the basic cir­cuit archi­tec­tures that under­lie all safety inter­lock sys­tems under ISO 13849 – 1, and CSA Z432 and ANSI RIA R15.06.

This entry is part 2 of 8 in the series Circuit Architectures Explored

In Part 1 of this series we explored Category B, the Basic Category that under­pins all the oth­er Categories. This post builds on Part 1 by tak­ing a look at Category 1. Let’s start by explor­ing the dif­fer­ence as defined in ISO 13849 – 1. When you are read­ing, remem­ber that “SRP/​CS” stands for “Safety Related Parts of Control Systems”.

SRP/​CS of Category 1 shall be designed and con­struc­ted using well-​tried com­pon­ents and well-​tried safety prin­ciples (see ISO 13849 – 2).

Well-​Tried Components

So what, exactly, is a “Well-​Tried Component”?? Let’s go back to the stand­ard for that:

A “well-​tried com­pon­ent” for a safety-​related applic­a­tion is a com­pon­ent which has been either

a) widely used in the past with suc­cess­ful res­ults in sim­il­ar applic­a­tions, or
b) made and veri­fied using prin­ciples which demon­strate its suit­ab­il­ity and reli­ab­il­ity for safety-​related applic­a­tions.

Newly developed com­pon­ents and safety prin­ciples may be con­sidered as equi­val­ent to “well-​tried” if they ful­fil the con­di­tions of b).

The decision to accept a par­tic­u­lar com­pon­ent as being “well-​tried” depends on the applic­a­tion.

NOTE 1 Complex elec­tron­ic com­pon­ents (e.g. PLC, micro­pro­cessor, application-​specific integ­rated cir­cuit) can­not be con­sidered as equi­val­ent to “well tried”.

[1, 6.2.4]

Lets look at what this all means by refer­ring to ISO 13849 – 2:

Table 1 — Well-​Tried Components [2]
Well-​Tried Components Conditions for “well – tried” Standard or spe­cific­a­tion
Screw All factors influ­en­cing the screw con­nec­tion and the applic­a­tion are to be con­sidered. See Table A.2 “List of well – tried safety prin­ciples”. Mechanical joint­ing such as screws, nuts, wash­ers, riv­ets, pins, bolts etc. are stand­ard­ised.
Spring See Table A.2 “Use of a well – tried spring”. Technical spe­cific­a­tions for spring steels and oth­er spe­cial applic­a­tions are giv­en in ISO 4960.
Cam All factors influ­en­cing the cam arrange­ment (e. g. part of an inter­lock­ing device) are to be con­sidered. See Table A.2 “List of well – tried safety prin­ciples”. See EN 1088 (ISO 14119) (Interlocking devices).
Break – pin All factors influ­en­cing the applic­a­tion are to be con­sidered. See Table A.2 “List of well-​tried safety prin­ciples”.

Now we have a few ideas about what might con­sti­tute a ‘well-​tried com­pon­ent’. Unfortunately, you will notice that ‘con­tact­or’ or ‘relay’ or ‘lim­it switch’ appear nowhere on the list. This is a chal­lenge, but one that can be over­come. The key to deal­ing with this is to look at how the com­pon­ents that you are choos­ing to use are con­struc­ted. If they use these com­pon­ents and tech­niques, you are on your way to con­sid­er­ing them to be well-​tried.

Another approach is to let the com­pon­ent man­u­fac­turer worry about the details of the con­struc­tion of the device, and simply ensure that com­pon­ents selec­ted for use in the SRP/​CS are ‘safety rated’ by the man­u­fac­turer. This can work in 80 – 90% of cases, with a small per­cent­age of com­pon­ents, such as large motor starters, some servo and step­per drives and oth­er sim­il­ar com­pon­ents unavail­able with a safety rat­ing. It’s worth not­ing that many drive man­u­fac­tur­ers are start­ing to pro­duce drives with built-​in safety com­pon­ents that are inten­ded to be integ­rated into your SRP/​CS.

Exclusion of Complex Electronics

Note 1 from the first part of the defin­i­tion is very import­ant. So import­ant that I’m going to repeat it here:

NOTE 1 Complex elec­tron­ic com­pon­ents (e.g. PLC, micro­pro­cessor, application-​specific integ­rated cir­cuit) can­not be con­sidered as equi­val­ent to “well tried”.

I added the bold text to emphas­ize the import­ance of this state­ment. While this is included in a Note and is there­fore con­sidered to be explan­at­ory text and not part of the norm­at­ive body of the stand­ard, it illu­min­ates a key concept. This little note is what pre­vents a stand­ard PLC from being used in Category 1 sys­tems. It’s also import­ant to real­ize that this defin­i­tion is only con­sid­er­ing the hard­ware – no men­tion of soft­ware is made here, and soft­ware is not dealt with until later in the stand­ard.

Well-​Tried Safety Principles

Let’s have a look at what ‘Well-​Tried Safety Principles’ might be.

Table 2 — Well-​Tried Safety Principles [2, A.2]
Well-​tried Safety Principles Remarks
Use of care­fully selec­ted mater­i­als and man­u­fac­tur­ing Selection of suit­able mater­i­al, adequate man­u­fac­tur­ing meth­ods and treat­ments related to the applic­a­tion.
Use of com­pon­ents with ori­ented fail­ure mode The pre­dom­in­ant fail­ure mode of a com­pon­ent is known in advance and always the same, see EN 292 – 2:1991, (ISO/​TR 12100 – 2:1992), 3.7.4.
Over – dimensioning/​safety factor The safety factors are giv­en in stand­ards or by good exper­i­ence in safety-​related applic­a­tions.
Safe pos­i­tion The mov­ing part of the com­pon­ent is held in one of the pos­sible pos­i­tions by mech­an­ic­al means (fric­tion only is not enough). Force is needed for chan­ging the pos­i­tion.
Increased OFF force A safe position/​state is obtained by an increased OFF force in rela­tion to ON force.
Careful selec­tion, com­bin­a­tion, arrange­ment, assembly and install­a­tion of components/​system related to the applic­a­tion
Careful selec­tion of fasten­ing related to the applic­a­tion Avoid rely­ing only on fric­tion.
Positive mech­an­ic­al action Dependent oper­a­tion (e. g. par­al­lel oper­a­tion) between parts is obtained by pos­it­ive mech­an­ic­al link(s). Springs and sim­il­ar “flex­ible” ele­ments should not be part of the link(s) [see EN 292 – 2:1991 (ISO/​TR 12100 – 2:1992), 3.5].
Multiple parts Reducing the effect of faults by mul­tiply­ing parts, e. g. where a fault of one spring (of many springs) does not lead to a dan­ger­ous con­di­tion.
Use of well – tried spring (see also Table A.3) A well – tried spring requires:
  • use of care­fully selec­ted mater­i­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cyc­ling before use) and treat­ments (e. g. rolling and shot – peen­ing),
  • suf­fi­cient guid­ance of the spring, and
  • suf­fi­cient safety factor for fatigue stress (i. e. with high prob­ab­il­ity a frac­ture will not occur).

Well – tried pres­sure coil springs may also be designed by:

  • use of care­fully selec­ted mater­i­als, man­u­fac­tur­ing meth­ods (e. g. pre­set­ting and cyc­ling before use) and treat­ments (e. g. rolling and shot-​peening),
  • suf­fi­cient guid­ance of the spring, and
  • clear­ance between the turns less than the wire dia­met­er when unloaded, and
  • suf­fi­cient force after a fracture(s) is main­tained (i. e. a fracture(s) will not lead to a dan­ger­ous con­di­tion).
Limited range of force and sim­il­ar para­met­ers Decide the neces­sary lim­it­a­tion in rela­tion to the exper­i­ence and applic­a­tion. Examples for lim­it­a­tions are break pin, break plate, torque lim­it­ing clutch.
Limited range of speed and sim­il­ar para­met­ers Decide the neces­sary lim­it­a­tion in rela­tion to the exper­i­ence and applic­a­tion. Examples for lim­it­a­tions are cent­ri­fu­gal gov­ernor; safe mon­it­or­ing of speed or lim­ited dis­place­ment.
Limited range of envir­on­ment­al para­met­ers Decide the neces­sary lim­it­a­tions. Examples on para­met­ers are tem­per­at­ure, humid­ity, pol­lu­tion at the install­a­tion. See clause 8 and con­sider manufacturer’s applic­a­tion notes.
Limited range of reac­tion time, lim­ited hys­ter­esis Decide the neces­sary lim­it­a­tions.
Consider e. g. spring tired­ness, fric­tion, lub­ric­a­tion, tem­per­at­ure, iner­tia dur­ing accel­er­a­tion and decel­er­a­tion,
com­bin­a­tion of tol­er­ances.

Use of Positive-​Mode Operation

The use of these prin­ciples in the com­pon­ents, as well as in the over­all design of the safe­guards is import­ant. In devel­op­ing a sys­tem that uses ‘pos­it­ive mode oper­a­tion’, the mech­an­ic­al link­age that oper­ates the elec­tric­al con­tacts or the fluid-​power valve that con­trols the prime-mover(s) (i.e. motors, cyl­in­ders, etc.), must act to dir­ectly drive the con­trol ele­ment (con­tacts or valve spool) to the safe state. Springs can be used to return the sys­tem to the run state or dan­ger­ous state, since a fail­ure of the spring will res­ult in the inter­lock device stay­ing in the safe state (fail-​safe or fail-​to-​safety).

CSA Z432 [3] provides us with a nice dia­gram that illus­trates the idea of “positive-​action” or “positive-​mode” oper­a­tion:

CSA Z432 Fig B.10 - Positive Mode Operation
Figure 1 – Positive Mode Operation [3, B.10]

In Fig. 1, open­ing the guard door forces the roller to fol­low the cam attached to the door, driv­ing the switch con­tacts apart and open­ing the inter­lock. Even if the con­tacts were to weld, they would still be driv­en apart since the mech­an­ic­al advant­age provided by the width of the door and the cam are more than enough to force the con­tacts apart.

Here’s an example of a ‘neg­at­ive mode’ oper­a­tion:

CSA Z432-04 Fig B.11 - Negative Mode operation
Figure 2 – Negative Mode oper­a­tion [3, B.11]

In Fig. 2, the inter­lock switch relies on a spring to enter the safe state when the door is opened. If the spring in the inter­lock device fails, the sys­tem fails-​to-​danger. Also note that this design is very easy to defeat. A ‘zip-​tie’ or some tape is all that would be required to keep the inter­lock in the ‘RUN’ con­di­tion.

You should have a bet­ter idea of what is meant when you read about pos­it­ive and negative-​modes of oper­a­tion now. We’ll talk about defeat res­ist­ance in anoth­er art­icle.

Reliability

Combining what you’ve learned so far, you can see that cor­rectly spe­cified com­pon­ents, com­bined with over-​dimensioning and imple­ment­a­tion of design lim­its along with the use of well-​tried safety prin­ciples will go a long way to improv­ing the reli­ab­il­ity of the con­trol sys­tem. The next part of the defin­i­tion of Category 1 speaks to some addi­tion­al require­ments:

The MTTFd of each chan­nel shall be high.

The max­im­um PL achiev­able with cat­egory 1 is PL = c.

NOTE 2 There is no dia­gnost­ic cov­er­age (DCavg = none) with­in cat­egory 1 sys­tems. In such struc­tures (single-​channel sys­tems) the con­sid­er­a­tion of CCF is not rel­ev­ant.

NOTE 3 When a fault occurs it can lead to the loss of the safety func­tion. However, the MTTFd of each chan­nel in cat­egory 1 is high­er than in cat­egory B. Consequently, the loss of the safety func­tion is less likely.

We now know that the integ­rity of a Category 1 sys­tem is great­er than a Category B sys­tem, since the chan­nel MTTFd of the sys­tem has gone from “Low-​to-​Medium” in sys­tems exhib­it­ing PLa or PLb per­form­ance to “High” in sys­tems exhib­it­ing PLb or PLc per­form­ance. [1, Table 5] shows this dif­fer­ence in terms of pre­dicted years to fail­ure. As you can see, MTTFd “High” res­ults in a pre­dicted fail­ure rate between 30 and 100 years. This is a pretty good res­ult for simply improv­ing the com­pon­ents used in the sys­tem!

Table 3 – Mean time to dangerous failure  [1, Table 5]
Table 3 – Mean time to dan­ger­ous fail­ure

The oth­er bene­fit is the increase in the over­all PL. Where Category B archi­tec­ture can provide PLb per­form­ance at best, Category 1 takes this up a notch to PLc. To get a handle on what PLc means, let’s look at our single and three shift examples again. If we take a Canadian oper­a­tion with a single shift per day, and a 50 week work­ing year we get:

7.5 h/​shift x 5 d/​w x 50 w/​a = 1875 h/​a

Where

h = hours

d = days

w = weeks

a  = years

In this case, PLc is equi­val­ent to one fail­ure in 533.3 years of oper­a­tion to 1600 years of oper­a­tion.

Looking at three shifts per day in the same oper­a­tion gives us:

7.5 h/​shift x 3 shifts/​d x 5 d/​w x 50 w/​a = 5625 h/​a

In this case, PLc is equi­val­ent to one fail­ure in 177.8 years of oper­a­tion to 533.3 years of oper­a­tion.

When com­plet­ing the ana­lys­is of a sys­tem, [1] lim­its the sys­tem MTTFd to 100 years regard­less of what the indi­vidu­al chan­nel MTTFd may be. Where the actu­al MTTFd is import­ant relates to the need to replace com­pon­ents dur­ing the life­time of the product. If a com­pon­ent or a sub-​system has an MTTFd that is less than the mis­sion time of the sys­tem, then the com­pon­ent or sub­sys­tem must be replaced by the time the product reaches it’s MTTFd. 20 years is the default mis­sion time, but you can choose a short­er or longer time span if it makes sense.

Remember that these are prob­ab­il­it­ies, not guar­an­tees. A fail­ure could hap­pen in the first hour of oper­a­tion, the last hour of oper­a­tion or nev­er. These fig­ures simply provide a way for you as the design­er to gauge the rel­at­ive reli­ab­il­ity of the sys­tem.

Well-​Tried Components versus Fault Exclusions

The stand­ard goes on to out­line some key dis­tinc­tions between ‘well-​tried com­pon­ent’ and ‘fault exclu­sion’. We’ll talk more about fault exclu­sions later in the series.

It is import­ant that a clear dis­tinc­tion between “well-​tried com­pon­ent” and “fault exclu­sion” (see Clause 7) be made. The qual­i­fic­a­tion of a com­pon­ent as being well-​tried depends on its applic­a­tion. For example, a pos­i­tion switch with pos­it­ive open­ing con­tacts could be con­sidered as being well-​tried for a machine tool, while at the same time as being inap­pro­pri­ate for applic­a­tion in a food industry — in the milk industry, for instance, this switch would be des­troyed by the milk acid after a few months. A fault exclu­sion can lead to a very high PL, but the appro­pri­ate meas­ures to allow this fault exclu­sion should be applied dur­ing the whole life­time of the device. In order to ensure this, addi­tion­al meas­ures out­side the con­trol sys­tem may be neces­sary. In the case of a pos­i­tion switch, some examples of these kinds of meas­ures are

  • means to secure the fix­ing of the switch after its adjust­ment,
  • means to secure the fix­ing of the cam,
  • means to ensure the trans­verse sta­bil­ity of the cam,
  • means to avoid over travel of the pos­i­tion switch, e.g. adequate mount­ing strength of the shock absorber and any align­ment devices, and
  • means to pro­tect it against dam­age from out­side.

[1, 6.2.4]

System Block Diagram

Finally, let’s look at the block dia­gram for Category 1. You will notice that it looks the same as the Category B block dia­gram, since only the com­pon­ents used in the sys­tem have changed, and not the archi­tec­ture.

ISO 13849-1 Figure 9
Figure 3 – Category 1 Block Diagram [1, Fig. 9]

References

[1]       Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design. ISO Standard 13849 – 1, Ed. 2. 2006.

[2]       Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation. ISO Standard 13849 – 2, Ed. 2. 2012.

[3]       Safeguarding of Machinery. CSA Standard Z432. 2004.

Add to your Library

If you are work­ing on imple­ment­ing these design stand­ards in your products, you need to buy cop­ies of the stand­ards for your lib­rary.

  • ISO 13849 – 1:2006 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design
  • ISO 13849 – 2:2003 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation

Download IEC stand­ards, International Electrotechnical Commission stand­ards.

If you are work­ing in the EU, or are work­ing on CE Marking your product, you should hold the har­mon­ized ver­sion of this stand­ard, avail­able through the CEN resellers:

  • EN ISO 13849 – 1:2008 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design
  • EN ISO 13849 – 2:2012 Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 2: Validation

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2″ where we expand on the first two cat­egor­ies by adding some dia­gnost­ic cov­er­age to improve reli­ab­il­ity.

Have ques­tions? Email me!

Interlocked gate testing

Did you know that inter­locked gates require stop­ping per­form­ance test­ing?

Machinery needs to be able to stop in the time it takes a per­son to open the guard and reach the haz­ard. If the dis­tance from the guard open­ing to the haz­ard is short enough that a per­son can reach the danger point before the haz­ard can be con­trolled, the guard is use­less. The res­ult­ing situ­ation may be worse

Did you know that inter­locked gates require stop­ping per­form­ance test­ing?

Machinery needs to be able to stop in the time it takes a per­son to open the guard and reach the haz­ard. If the dis­tance from the guard open­ing to the haz­ard is short enough that a per­son can reach the danger point before the haz­ard can be con­trolled, the guard is use­less. The res­ult­ing situ­ation may be worse than not hav­ing a guard because it’s pres­ence leads to a false sense of secur­ity in users.

Test the stop­ping time of guarded haz­ards and make sure that guards are far enough away from the danger zone to be effect­ive. For more on stop­ping per­form­ance require­ments, see CSA Z434, EN 999 (soon to be replaced by EN 13855:2010), and in the USA, 29 CFR 1910.217(h)(9)(v).

Download ISO Standards 
Download IEC stand­ards, International Electrotechnical Commission stand­ards.
Download BSI Standards (British Standards Institution)
Download ANSI stand­ards

Need help with stop­ping per­form­ance test­ing? Contact us!