31-Dec-2011 – Are YOU ready?

This entry is part 8 of 8 in the series Circuit Architectures Explored

31-December-2011 marks a key milestone for machine builders marketing their products in the European Union, the EEA and many of the Candidate States. Functional Safety takes a positive step forward with the mandatory application of EN ISO 13849-1 and -2. As of 1-January-2012, the safety-related parts of the control systems on all machinery bearing a CE Mark will be required to meet these standards.

This change started six years ago, when these standards were first harmonized under the Machinery Directive. After the original mandatory implementation date of 31-Dec-08 was announced and met with much opposition, the EC Machinery Committee gave machine builders an additional three years to make the transition to these standards.

If you aren’t aware of these standards, or if you aren’t familiar with the concept of functional safety, you need to get up to speed, and fast.

Under EN 954-1:1995 and the 1st Edition of ISO 13849-1, published in 1999, a designer needed to select a design Category, or architecture, that would provide the degree of fault tolerance and reliability needed based on the outcome of the risk assessment for the machinery. The Categories, B and 1 to 4, remain unchanged in the 2nd Edition. I’ve talked about the Categories in detail in other posts, so I won’t spend any time on them here.

The 2nd Edition brings Mean Time to Failure into the picture, along with Diagnostic Coverage and Common Cause Failures. These new concepts require designers to use more analytical techniques in developing their designs, and also require additional documentation (as usual!).

One of the main failings with EN 954-1 was Validation. This topic was supposed to have been covered by EN 954-2, but this standard was never published. This has led machine builders to make design decisions without keeping the necessary design documentation trail, and furthermore, to skip the Validation step entirely in many cases.

The missing Validation standard was finally published in 2003 as ISO 13849-2:2003, and subsequently adopted and harmonized in 2009 as EN ISO 13849-2:2003. While no mandatory implementation date for this standard is given in the current list of standards harmonized under 2006/42/EC (Machinery), use of Part 1 of the standard mandates use of Part 2, so this standard is effectively mandatory at the same time.

Part 2 brings a number of key annexes that are necessary for the implementation of Part 1, and also outlines the complete documentation trail needed for validation, and coincidentally, audit. Notified bodies will be looking for this information when evaluating the content of Technical Files used in CE Marking.

From a North American perspective, these two standards come into play through ANSI’s adoption of ISO 10218 for Industrial Robots. Part 1 of this standard, covering the robot itself, was adopted last year. Part 2 of the standard will be adopted in 2012, and RIA R15.06 will be withdrawn. At the same time, CSA will be adopting the ISO standards and withdrawing CSA Z434.

These changes will finally bring North America, the International Community and the EU onto the same footing when it comes to Functional Safety in industrial machinery applications. The days of “SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL-MONITORED and CONTROL RELIABLE” are numbered.

Are you ready?

Compliance InSight Consulting will be offering a series of training events in 2012 on this topic. For more information, contact Doug Nix.

Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now written six posts, including this one, on the topic of circuit architectures for the safety-related parts of control systems. In this post, we’ll compare the International and North American systems. This comparison is not intended to draw conclusions about which is “better”, but rather to compare and contrast the two systems so that designers can clearly see where the overlaps and the gaps in the systems exist.

Since we’ve spent a lot of time talking about ISO 13849-1 [1] in the previous five posts in this series, I think we should begin there by looking at Table 10 from the standard.

Table 10 — Summary of requirements for categories
(columns: Category; Summary of requirements; System behaviour; Principle used to achieve safety; MTTFd of each channel; DCavg; CCF)

Category B (see 6.2.3)
  Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: Low to medium
  DCavg: None
  CCF: Not relevant

Category 1 (see 6.2.4)
  Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
  Principle used to achieve safety: Mainly characterized by selection of components
  MTTFd of each channel: High
  DCavg: None
  CCF: Not relevant

Category 2 (see 6.2.5)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 3 (see 6.2.6)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to the loss of the safety function, and
    — whenever reasonably practicable, the single fault is detected.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: Low to high
  DCavg: Low to medium
  CCF: See Annex F

Category 4 (see 6.2.7)
  Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
    — a single fault in any of these parts does not lead to a loss of the safety function, and
    — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
  System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by structure
  MTTFd of each channel: High
  DCavg: High including accumulation of faults
  CCF: See Annex F

NOTE For full requirements, see Clause 6.

Table 10 summarizes all the key requirements for the five categories of architecture, giving the fundamental mechanism for achieving safety, the required MTTFd, DC and CCF. Note that fault exclusion can be used in Categories 3 and 4. There is no similar table available for CSA Z432 [2] or RIA R15.06 [3], so I have constructed one following a similar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06
(columns: Category; CSA Z432-04 / Z434-03 summary of requirements; System behaviour; Principle used to achieve safety; RIA R15.06-1999 summary of requirements)

All
  CSA summary of requirements: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
  RIA summary of requirements: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4 (see RIA footnote 2 below).
  RIA footnote 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1.) They are different. The committee believes that the criteria in 4.5.1 to 4.5.4 exceed the criteria of B to 3 respectively, and further believe the reverse is not true.

SIMPLE
  CSA summary of requirements: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
  CSA summary of requirements: Single channel safety control systems shall
    a) be hardware based or comply with Clause 6.5;
    b) include components that should be safety rated; and
    c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
    Note: In this type of system a single component failure can lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Mainly characterized by component selection.
  RIA summary of requirements: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

SINGLE CHANNEL WITH MONITORING
  CSA summary of requirements: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
    a) The check of the safety function(s) shall be performed
      i) at machine start-up; and
      ii) periodically during operation (preferably at each change in state).
    b) The check shall either
      i) allow operation if no faults have been detected; or
      ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    c) The check itself shall not cause a hazardous situation.
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
  System behaviour: The occurrence of a fault can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized by both component selection and structure.
  RIA summary of requirements: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
    a) The check of the safety function(s) shall be performed
      1) at machine start-up, and
      2) periodically during operation;
    b) The check shall either:
      1) allow operation if no faults have been detected, or
      2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    c) The check itself shall not cause a hazardous situation;
    d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
  CSA summary of requirements: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
    a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
    e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
  System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
  Principle used to achieve safety: Characterized primarily by structure.
  RIA summary of requirements: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
    a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
    b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
    c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
    d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
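To make the “single channel with monitoring” requirements in the table above concrete, here is an added Python model (not code from the article, nor from CSA Z434 or RIA R15.06) of a controller that checks its one sensing channel at start-up and at every change of state, generates a stop on a detected fault, and holds the safe state until the fault is cleared. The channel, the stuck-high fault and the test-pulse style of check are assumptions made for this illustration. The first scenario shows the limitation both standards flag in their notes: a fault that arrives between two checks can still defeat the next demand on the safety function, because there is only one channel to read.

```python
"""Constructed model of a 'single channel with monitoring' safety control
system (CSA Z434-03 / RIA R15.06-1999 wording).  Added illustration, not code
from the article or from either standard; the channel model and the test-pulse
check are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SAFE = "safe"        # outputs de-energized, no hazardous motion
    RUNNING = "running"  # hazardous motion permitted
    FAULT = "fault"      # stop generated by the check, latched until cleared


@dataclass
class Channel:
    """One interlock channel: a guard contact plus its wiring into the input.
    `stuck_high` models a dangerous fault (welded contact or wiring shorted to
    supply) that makes the input read 'guard closed' whatever the guard does."""
    guard_closed: bool = True
    stuck_high: bool = False

    def read(self, test_supply_on: bool = True) -> bool:
        if self.stuck_high:        # fault: the input no longer follows anything
            return True
        if not test_supply_on:     # controller has dropped the channel supply
            return False
        return self.guard_closed


@dataclass
class SingleChannelMonitored:
    channel: Channel
    state: State = State.SAFE
    events: list = field(default_factory=list)

    def check(self) -> bool:
        """Monitoring check: drop the channel supply momentarily and expect the
        input to read open.  A healthy channel follows the test pulse; a
        stuck-high channel does not.  Nothing is energized by the test, so
        the check itself cannot cause a hazard (requirement c)."""
        healthy = self.channel.read(test_supply_on=False) is False
        if not healthy and self.state is not State.FAULT:
            self.state = State.FAULT  # b) ii): generate a stop on a detected fault
            self.events.append("fault detected: stop generated, safe state latched")
        return healthy

    def start(self) -> State:
        """Check at machine start-up (a) i); run only if it passes and the
        guard reads closed."""
        if self.check() and self.channel.read():
            self.state = State.RUNNING
        return self.state

    def guard_changed(self, closed: bool) -> State:
        """Physical guard movement.  Opening the guard is a demand on the safety
        function: the controller reads its single channel and stops if it sees
        the guard open.  Every change of state is followed by a check (a) ii)."""
        self.channel.guard_closed = closed
        if self.state is State.RUNNING and not closed:
            if self.channel.read():  # channel still says 'closed': the fault masks the demand
                self.events.append("safety function LOST: guard open, machine still running")
            else:
                self.state = State.SAFE
                self.events.append("stop on guard open")
        self.check()
        return self.state

    def clear_fault(self) -> State:
        """d) the safe state is maintained until the fault is cleared: the latch
        releases only if a fresh check passes after the repair."""
        if self.state is State.FAULT:
            self.state = State.SAFE
            self.check()             # re-latches FAULT if the fault is still there
        return self.state


def scenario_fault_between_checks() -> list:
    """Fault appears while running; the next demand comes before the next check."""
    ch = Channel(guard_closed=True)
    ctl = SingleChannelMonitored(ch)
    ctl.start()                      # start-up check passes, machine runs
    ch.stuck_high = True             # contact welds while running; no check yet
    ctl.guard_changed(closed=False)  # demand: machine keeps running, then the check catches it
    return ctl.events


def scenario_fault_before_start() -> State:
    """Same fault, but present at start-up: the start-up check refuses to run."""
    ctl = SingleChannelMonitored(Channel(guard_closed=True, stuck_high=True))
    return ctl.start()


def scenario_repair_then_resume() -> list:
    """Latch stays until the fault is really gone; then the machine may restart."""
    ch = Channel(guard_closed=True, stuck_high=True)
    ctl = SingleChannelMonitored(ch)
    first = ctl.start()              # FAULT
    still = ctl.clear_fault()        # fault still present: stays FAULT
    ch.stuck_high = False            # repair
    cleared = ctl.clear_fault()      # SAFE
    return [first, still, cleared, ctl.start()]


if __name__ == "__main__":
    print(scenario_fault_between_checks())
    print(scenario_fault_before_start())
    print(scenario_repair_then_resume())
```

Run it directly to print the three scenarios. The model keeps the check separate from the machine outputs, which is what requirement c) asks for, and `clear_fault()` re-runs the check before releasing the latch, which is requirement d). What it cannot do is see a fault that arrives after the last check until the next check runs; that gap is why the category sits below Control Reliable / Category 3 in both systems.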

CSA Z434 vs. RIA R15.06

Before we dig into the comparison between North America and the International standards, we need to look at the differences between CSA and ANSI/RIA. There are some subtle differences here that can trip you up and cost significant money to correct after the fact. The following statements are based on my personal experience and on discussions that I have had with people on both the CSA and RIA technical committees tasked with writing these standards. One more note – ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/RIA/ISO 10218-1 [7]. This is very significant, but we need to deal with this old discussion first.

Systems vs. Circuits

The CSA standard uses the term “control system(s)” throughout the definitions of the categories, while the ANSI/RIA standard uses the term “circuit(s)”. This is really the crux of the discussion between these two standards. While the difference between the terms may seem insignificant at first, you need to understand the background to get the difference.

The CSA term requires two separate sensing devices on the gate or other guard, just as the Category 3 and 4 definitions do, and for the same reason. The CSA committee felt that it was important to be able to detect all single faults, including mechanical ones. Also, the use of two interlocking devices on the guard makes it more difficult to bypass the interlock.

The RIA term requires redundant electrical connections to the interlocking device, but implicitly allows for a single interlocking device because it only explicitly refers to “circuits”.

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revision of ANSI/RIA R15.06 to include ANSI/ISO 10218-1 as a replacement for Section 4 is significant for a couple of reasons: 1) it now means that the robot itself need only meet the ISO standard, instead of both the ISO and the RIA standards; and 2) it brings in the ISO 13849-1 definitions of reliability categories. This means that the US has now officially dropped the “SIMPLE, SINGLE-CHANNEL,” etc. definitions and now uses “Category B, 1, etc.” However, they have only adopted the Edition 1 version of the standard, so none of the PL, MTTFd, etc. calculations have been adopted. This means that the RIA standard is now harmonized to the 1995 edition of EN 954-1. An update to the 2006 edition of ISO 13849-1 may come in subsequent editions of R15.06.

CSA has chosen to reaffirm the 2003 edition of CSA Z434, so the Canadian National Standard continues to refer to the old definitions.

North America vs International Standards

In the description of single-channel systems / circuits under the North American standards you will notice that particular attention is paid to including descriptions of the use of “proven designs” and “positive-break devices”. What the technical committees were referring to are the same “well-tried safety principles” and “well-tried components” referred to in the International standards, only with less description of what those might be. The only major addition to the definitions is the recommendation to use “safety-rated devices”, which is not included in the International standard. (N.B. The use of the word “should” in the definitions should be understood as a strong recommendation, but not necessarily a mandatory requirement.) Under EN 954-1 [4] and EN 1088 [5] (in the referenced editions, in any case) it was possible to use standard limit switches arranged in a redundant manner and activated using combined positive and non-positive-mode activation. In later editions this changed, and there is now a preference for devices intended for use in safety applications.

Also worth noting is that there is NO allowance for fault exclusion under the CSA standard or the 1999 edition of the ANSI standard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design”, ISO 13849-1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1: General principles for design”, EN 954-1, European Committee for Standardization (CEN), Geneva, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Geneva, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, European Committee for Standardization (CEN), Geneva, 2011.

[7] “Robots for Industrial Environment – Safety Requirements – Part 1 – Robot”, ANSI/RIA/ISO 10218-1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011 – 2012. Some Rights Reserved.

Interlock Architectures – Pt. 5: Category 4 — Control Reliable

This entry is part 5 of 8 in the series Circuit Architectures Explored

The most reliable of the five system architectures, Category 4 is the only architecture that uses multiple-fault tolerant techniques to help ensure that component failures do not result in an unacceptable exposure to risk. This post delves into the details of this architecture. The definitions and requirements discussed in this article come from ISO 13849-1, Edition 2 (2006) and ISO 13849-2, Edition 1 (2003).

As with preceding articles in this series, I’ll be building on concepts discussed in those articles. If you need more information, you should have a look at the previous articles to see if I’ve answered your questions there.

The Definition

The Category 4 definition builds on both Category B and Category 3. As you read, recall that “SRP/CS” stands for “Safety Related Parts of the Control System”. Here is the complete definition:

6.2.7 Category 4
For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

In practice, the consideration of a fault combination of two faults may be sufficient.


Breaking it down

For category 4, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first two sentences give the basic requirement for all the categories from 2 through 4. Sound component selection based on the application requirements for voltage, current, switching capability and lifetime must be considered. In addition, using well-tried safety principles, such as switching the +V rail side of the coil circuit for control components, is required. If you aren’t sure about what constitutes a “well-tried safety principle”, see the article on Category 2 where this is discussed. Don’t confuse “well-tried safety principles” with “well-tried components”. There is no requirement in Category 4 for the use of well-tried components, although you can use them for additional reliability if the design requirements warrant.

In addition, the following applies.
SRP/CS of category 4 shall be designed such that

  • a single fault in any of these safety-related parts does not lead to a loss of the safety function, and
  • the single fault is detected at or before the next demand upon the safety functions, e.g. immediately, at switch on, or at end of a machine operating cycle, but if this detection is not possible, then an accumulation of undetected faults shall not lead to the loss of the safety function.

This is the big one. This paragraph, and the two bullets that follow it, define the fundamental performance requirements for this category. No single fault can lead to the loss of the safety function in Category 4, and testing is required that can detect failures and prevent an accumulation of faults that could eventually lead to the loss of the safety function. The second bullet is the one that defines the multiple-fault-tolerance requirement for this category. If you go back to the definition of Category 3, you will see that an accumulation of faults may lead to the loss of the safety function in that Category. This is the key difference between the categories in my opinion.

The diagnostic coverage (DCavg) of the total SRP/CS shall be high, including the accumulation of faults. The MTTFd of each of the redundant channels shall be high. Measures against CCF shall be applied (see Annex F).

These three sentences give the designer the criteria for diagnostic coverage, channel failure rates and common cause failure protection. As you can see, the ability to diagnose failures automatically is a critical part of the design, as is the use of highly reliable components, leading to highly reliable channels. The strongest CCF protection you can include in the design is also needed, although the “passing score” of 65 remains unchanged (see Annex F in ISO 13849-1 for more details on scoring your design).

NOTE 1 Category 4 system behaviour allows that

  • when a single fault occurs the safety function is always performed,
  • the faults will be detected in time to prevent the loss of the safety function,
  • accumulation of undetected faults is taken into account.

Note 2: …In practice, the consideration of a fault combination of two faults may be sufficient.

Note 1 expands on the first paragraph in the definition, further clarifying the performance requirements by explicit statements. Notice that nowhere is there a requirement that single faults or accumulation of single faults be prevented, only detected by the diagnostic system. Prevention of single faults is nearly impossible, since components do fail. Understanding, first, which components are critical to the safety function and, second, what kinds of faults each component is likely to have is fundamental to designing a diagnostic system that can detect the faults.

The category relies on redundancy to ensure that the complete loss of one channel will not cause the loss of the safety function, but this is only useful if the common cause failures have been properly dealt with. Otherwise, a single event could wipe out both channels simultaneously, causing the loss of the safety function and possibly resulting in an injury or fatality.

Also notice that multiple single faults are permitted, as long as the accumulation does not result in the loss of the safety function. ISO 13849 allows for “fault exclusion”, a concept that is not used in the North American standards.

The final sentence from Note 2 suggests that consideration of two concurrent faults may be enough, but be careful. You need to look closely at the fault lists to see if there are any groups of high probability faults that are likely to occur concurrently. If there are, you need to assess these combinations of faults, whether there are 5 or 50 to be evaluated.
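The following added Python model (not from the article or from ISO 13849; the two-channel arrangement, the four fault types and the two monitoring variants are assumptions made for the illustration) shows the Category 4 behaviour described above against a Category 3 style diagnostic with lower coverage. It replays a timeline in which one contactor welds, a demand occurs, and then the second contactor welds, and it enumerates the single faults and the two-fault combinations that Note 2 tells you to consider for this circuit.

```python
"""Constructed model of a two-channel guard interlock: two input contacts, one
contactor per channel wired in series to the load, and cross monitoring.
Added illustration, not code from the article or from ISO 13849."""
from itertools import combinations

# Dangerous faults considered for the circuit (assumed list): an input contact
# that keeps reading 'guard closed' after the guard opens, or a welded contactor.
FAULTS = ("in1_stuck", "in2_stuck", "k1_welded", "k2_welded")

# Timeline used below: first fault, a demand, second fault, another demand.
TIMELINE = [("fault", "k1_welded"), ("demand",), ("fault", "k2_welded"), ("demand",)]


def demand(faults, monitor_feedback):
    """One demand on the safety function (the guard is opened) with the given
    faults present.  Returns (stopped, detected).

    monitor_feedback=True : the two inputs are compared AND the contactor
                            feedback (mirror) contacts are checked, so every
                            single dangerous fault is seen: Category 4 style.
    monitor_feedback=False: only the two inputs are compared, so a welded
                            contactor goes unnoticed: Category 3 style."""
    f = set(faults)
    in1_open = "in1_stuck" not in f      # does channel 1 see the guard open?
    in2_open = "in2_stuck" not in f
    k1_dropped = in1_open and "k1_welded" not in f  # each channel drops its own contactor
    k2_dropped = in2_open and "k2_welded" not in f
    stopped = k1_dropped or k2_dropped   # contactors in series: one open path stops motion
    detected = in1_open != in2_open      # cross monitoring: the channels disagree
    if monitor_feedback and (in1_open or in2_open):
        # a demand was seen by at least one channel, so both contactors must be off
        detected = detected or not (k1_dropped and k2_dropped)
    return stopped, detected


def run_sequence(events, monitor_feedback):
    """Replay ('fault', name) and ('demand',) events.  A detected fault locks
    the system out, so later faults cannot accumulate behind it.  Returns one
    (stopped, detected) pair per demand that was actually serviced."""
    present, results, locked = set(), [], False
    for ev in events:
        if ev[0] == "fault":
            present.add(ev[1])
        elif not locked:
            stopped, detected = demand(present, monitor_feedback)
            results.append((stopped, detected))
            locked = detected
    return results


def undetected_single_faults(monitor_feedback):
    """Single faults that survive a demand without being detected.  For a
    Category 4 design this list has to be empty."""
    return [f for f in FAULTS if not demand({f}, monitor_feedback)[1]]


def dangerous_pairs():
    """Two-fault combinations (Note 2) that defeat the stop if both are present
    at the same demand.  Monitoring cannot help once both channels are gone,
    which is why the first fault must be found before the second arrives."""
    return [pair for pair in combinations(FAULTS, 2) if not demand(pair, True)[0]]


if __name__ == "__main__":
    print("Category 3 style:", run_sequence(TIMELINE, monitor_feedback=False))
    print("Category 4 style:", run_sequence(TIMELINE, monitor_feedback=True))
    print("undetected single faults, Cat 3 style:", undetected_single_faults(False))
    print("undetected single faults, Cat 4 style:", undetected_single_faults(True))
    print("dangerous two-fault combinations:", dangerous_pairs())
```

With the Category 3 style diagnostic the first demand is still stopped (one contactor is enough) but the welded contactor is not detected, so the second weld accumulates and the second demand is lost. With the Category 4 style diagnostic the first demand both stops the machine and detects the weld, the system locks out, and the second fault never gets a chance to matter. The dangerous pairs are exactly those that disable both channels at once; a single cause such as contamination or overvoltage can produce such a pair, which is why the structure alone is not enough and the CCF measures of Annex F are required alongside it.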

Fault Exclusion

Fault exclusion involves assessing the types of faults that can occur in each component in the critical path of the system. The decision to exclude certain kinds of faults is always a technical compromise between the theoretical improbability of the fault, the expertise of the designer(s) and engineers involved and the specific technical requirements of the application. Whenever the decision is made to exclude a particular type of fault, the decision and the process used to make it must be documented in the Reliability Report included in the design file. Section 7.3 of ISO 13849-1 provides guidance on fault exclusion.

In the section discussing Category 1, the standard has this to say about fault exclusion, and the difference between “well-tried components” and “fault exclusion”:

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over-travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

To assist the designer, ISO 13849-2 provides lists of typical faults and the allowable exclusions in Annex D.5. As an example, let’s consider the typical situation where a robust guard interlocking device has been selected. The decision has been made to use redundant electrical circuits to the switching components in the interlock, so electrical faults can be detected. But what about mechanical failures? A fault list is needed:

Interlock Mechanical Fault List
(columns: #; Fault Description; Result; Likelihood)

Fault 1: Key breaks off.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 2: Screws mounting key to guard fail.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 3: Screws mounting interlock device to guard fail.
  Result: Control system cannot determine guard position. Complete failure of system through a single fault.
  Likelihood: Unlikely

Fault 4: Key and interlock device misaligned.
  Result: Guard cannot close, preventing machine from operating.
  Likelihood: Very likely

Fault 5: Key and interlock device misaligned. Key and/or interlock device damaged.
  Result: Guard may not close, or the key may jam in the interlock device once closed. Machine is inoperable if the interlock cannot be completed, or the guard cannot be opened if the key jams in the device.
  Likelihood: Likely

Fault 6: Screws mounting key to guard removed by user.
  Result: Interlock can now be bypassed by fixing the key into the interlocking device. Control system can no longer sense the position of the guard.
  Likelihood: Likely

Fault 7: Screws mounting interlock device to guard removed by user.
  Result: Probably combined with the preceding condition. Control system can no longer sense the position of the guard.
  Likelihood: Unlikely, but could happen.

There may be more failure modes, but for the purpose of this discussion, let's limit them to this list.

Looking at Fault 1, there are a number of things that could result in a broken key. They include: misalignment of the key and the interlock device, lack of maintenance on the guard and the interlocking hardware, or intentional damage by a user. Unless the hardware is exceptionally robust, including the design of the guard and any alignment features incorporated in the guarding, developing a sound rationale for excluding this fault will be very difficult.

Fault 2 considers mechanical failure of the mounting screws for the interlock key. Screws are considered to be well-tried components (see Annex A.5), so you can consider them for fault exclusion. You can improve their reliability by using thread-locking adhesives when installing the screws to prevent them from vibrating loose, and “tamper-proof” style screw heads to deter unauthorized removal. Including these measures, and recording them, will support any decision to exclude these faults. The same measures address faults 3, 6 and 7 as well.

Faults 4 and 5 occur frequently and are often caused by poor device selection (e.g. an interlock device intended for straight-line sliding-gate applications is chosen for a hinged gate), or by poor guard design (e.g. the guard is poorly guided by the retention mechanism and can be closed in a misaligned condition). The rationale for preventing these faults will need to include a discussion of the design features that prevent these conditions.

Excluding any other kind of fault follows the same process: develop the fault list, assess each fault against the relevant Annex of ISO 13849-2, determine whether there are preventive measures that can be designed into the product, and decide whether these provide sufficient risk reduction to allow the fault to be excluded from consideration. Record the justification for every exclusion; an undocumented exclusion is indistinguishable from a fault that was simply overlooked.
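The fault-list process above, carried through in code, as an added example that is not part of the original article or of the standard. It assumes a three-step likelihood scale and an acceptance rule of my own (a fault may be excluded only when it is rated unlikely, a preventive measure is designed in, and a written rationale exists); the fault entries and measures are constructed from the interlock example. Adjust the rule to match your own validation plan.

```python
"""Fault list with documented fault-exclusion decisions (added example).

The acceptance rule in assess() is an assumption: it encodes the requirement
that every fault exclusion be justified and documented, plus the point that a
fault expected to occur is a design problem, not a candidate for exclusion.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed likelihood scale, least to most likely.
LIKELIHOOD_ORDER = ("unlikely", "likely", "very likely")


@dataclass
class Fault:
    number: int
    description: str
    effect: str
    likelihood: str                                # one of LIKELIHOOD_ORDER
    measures: list[str] = field(default_factory=list)  # preventive design measures
    rationale: str = ""                            # written justification / annex reference


def assess(fault: Fault) -> tuple[str, str]:
    """Return (decision, reason) for a single fault.

    Decisions: 'excluded' (documented fault exclusion), 'keep in fault list'
    (the SRP/CS must detect or tolerate it) or 'design change required'.
    """
    if fault.likelihood not in LIKELIHOOD_ORDER:
        raise ValueError(f"fault {fault.number}: unknown likelihood {fault.likelihood!r}")
    if fault.likelihood != "unlikely":
        return ("design change required",
                "fault is expected to occur; exclusion cannot be justified")
    if not fault.measures:
        return ("keep in fault list", "no preventive measure designed in")
    if not fault.rationale.strip():
        return ("keep in fault list", "measures present but exclusion not documented")
    return ("excluded", "; ".join(fault.measures))


def assess_fault_list(faults: list[Fault]) -> dict[int, tuple[str, str]]:
    """Assess every fault; duplicate numbers are rejected so the record is unambiguous."""
    results: dict[int, tuple[str, str]] = {}
    for f in faults:
        if f.number in results:
            raise ValueError(f"duplicate fault number {f.number}")
        results[f.number] = assess(f)
    return results


# Constructed entries following the interlock fault list above.
SCREW_MEASURES = ["thread-locking adhesive on mounting screws",
                  "tamper-resistant screw heads"]
SCREW_RATIONALE = "screws treated as well-tried components; see ISO 13849-2 Annex A"

INTERLOCK_FAULTS = [
    Fault(1, "Key breaks off", "guard position cannot be determined", "unlikely"),
    Fault(2, "Screws mounting key to guard fail", "guard position cannot be determined",
          "unlikely", SCREW_MEASURES, SCREW_RATIONALE),
    Fault(3, "Screws mounting interlock device to guard fail",
          "guard position cannot be determined", "unlikely", SCREW_MEASURES, SCREW_RATIONALE),
    Fault(4, "Key and interlock device misaligned", "guard cannot close", "very likely",
          ["guide rails keep the gate aligned"]),
    # Rated 'likely' as in the table; the tamper-resistant heads must be designed
    # in and the fault re-rated before an exclusion can be claimed.
    Fault(6, "Screws mounting key to guard removed by user", "interlock can be bypassed",
          "likely", SCREW_MEASURES, "tamper-resistant heads deter removal"),
]

if __name__ == "__main__":
    for number, (decision, reason) in assess_fault_list(INTERLOCK_FAULTS).items():
        print(f"Fault {number}: {decision} ({reason})")
```

Run as a script it prints one decision line per fault; faults 2 and 3 come out excluded, fault 1 stays in the list because nothing prevents it, and faults 4 and 6 are flagged for a design change because their likelihood rating rules out exclusion.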

DCavg and MTTFd requirements

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in category 4 and a required MTTFd of each channel of “high” only.

Note 2 names the two main design differences, beyond Category 4's additional fault tolerance requirement (a single fault must be detected at or before the next demand on the safety function, and an accumulation of undetected faults must not lead to its loss): better diagnostics are required (DCavg “high”, 99 % or more, where Category 3 accepts “low” to “medium”), and the MTTFd of each channel must be “high” (30 years or more), which in turn sets much higher reliability requirements on the individual components in each channel.

The Block Diagram

The block diagram for Category 4 is almost identical to Category 3, and was updated by Corrigendum 1 to the diagram shown below. The text from the corrigendum that accompanies the diagram has this to say about the change:

Replace the drawing showing the designated architecture for category 4 with the following drawing. This corrects the arrowed lines labeled “m” between L1 and O1, and L2 and O2, by changing them from dashed to solid lines, representing higher diagnostic coverage.

I've highlighted this area using red ovals on Figure 12 to make it easier to see.

ISO 13849-1 Figure 12 – Category 4 Block Diagram

Here is Figure 11 for comparison. Notice that the “m” lines are solid in Figure 12 and dashed in Figure 11: subtle, but significant. There are no other differences between the diagrams.

ISO 13849-1 Figure 11 – Category 3 Block Diagram

I went looking for a circuit diagram to support the block diagram, but wasn't able to find one from a commercial source that I could share with you. Considering that the primary differences are in the reliability of the components chosen and in the way the testing is done, this isn't too surprising. The basic physical construction of the two categories can be virtually identical.

Applications

The following is not from the standards – this is my personal opinion, based on 15 years of practice.

In the past, many manufacturers decided to apply Category 4 architecture without really understanding the design implications, because they believed it was “the best”. With the change in the harmonization of EN 954-1 and ISO 13849-1 under the EU Machinery Directive that takes effect on 31-Dec-2011, and considering the great difficulty that many manufacturers had in properly implementing EN 954-1, I can easily imagine manufacturers who already have Category 4 SRP/CS on their systems simply declaring that they now have PLe SRP/CS performance. This is a bad decision for a number of reasons:

  1. ISO 13849-1 PLe, Category 4 systems should be reserved for very dangerous machinery where the technical effort and expense involved is warranted by the risk assessment. Applying this level of design to machinery where PLb is the suitable performance level based on the risk assessment is a waste of design time and effort and a needless expense. The product family standards for these types of machines, such as EN 201 for plastic injection moulding machines, EN 692 for mechanical power presses or EN 693 for hydraulic power presses, explicitly specify the PL required for these machines.
  2. Manufacturers have frequently claimed EN 954-1 Category 4 performance based on the rating of the safety relay alone, without understanding that the rest of the SRP/CS must be considered, and clearly this is wrong. The SRP/CS must be evaluated as a complete system, from the sensing devices through the logic to the final switching elements.
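Why the relay's rating alone proves nothing, as an added example (not the article's or the standard's code): the PL of a chain of subsystems is limited by the weakest of them. Two methods from ISO 13849-1:2006 are implemented, summing the subsystems' PFHd and reading the PL off the PFHd table, and the simplified rule that counts the subsystems at the lowest PL (Table 11 in the 2006 edition). Both tables are my transcription and should be verified against the standard; the PFHd values for the switches, relay and contactors are constructed, not from any datasheet.

```python
"""PL of SRP/CS subsystems connected in series (added example)."""
from __future__ import annotations

# PFHd ranges per PL (per hour), as (PL, lower bound inclusive, upper bound exclusive).
PFHD_RANGES = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]

# Simplified series rule: lowest PL present ->
# (max number of subsystems at that PL that keep it, PL assigned if exceeded).
SERIES_RULE = {
    "a": (3, None),
    "b": (2, "a"),
    "c": (2, "b"),
    "d": (3, "c"),
    "e": (3, "d"),
}


def pl_from_pfhd(pfhd: float) -> str | None:
    """PL for a total PFHd; None above the PLa limit (no PL achieved).
    The table's lowest row starts at 1e-8; anything smaller is still PLe."""
    if pfhd < 1e-7:
        return "e"
    for pl, lo, hi in PFHD_RANGES:
        if lo <= pfhd < hi:
            return pl
    return None


def combine_by_pfhd(pfhds: list[float]) -> str | None:
    """Series combination by adding the subsystems' PFHd values."""
    return pl_from_pfhd(sum(pfhds))


def combine_by_pl(pls: list[str]) -> str | None:
    """Series combination by the simplified count of lowest-PL subsystems."""
    if not pls or any(pl not in SERIES_RULE for pl in pls):
        raise ValueError(f"PLs must be a..e, got {pls!r}")
    lowest = min(pls)                  # 'a' < 'b' < ... matches PL ordering
    limit, demoted = SERIES_RULE[lowest]
    return lowest if pls.count(lowest) <= limit else demoted


# Constructed chain: the safety relay is PLe, but the guard switches are not.
INTERLOCK_CHAIN = {
    "position switches (input)": ("d", 2.5e-7),
    "safety relay (logic)":      ("e", 2.3e-8),
    "contactors (output)":       ("e", 2.5e-8),
}


def interlock_chain_pl() -> tuple[str | None, str | None]:
    """(PL by PFHd summation, PL by simplified count) for INTERLOCK_CHAIN."""
    pls = [pl for pl, _ in INTERLOCK_CHAIN.values()]
    pfhds = [pfhd for _, pfhd in INTERLOCK_CHAIN.values()]
    return combine_by_pfhd(pfhds), combine_by_pl(pls)


if __name__ == "__main__":
    by_pfhd, by_count = interlock_chain_pl()
    print(f"relay alone: PLe; whole SRP/CS: PL{by_pfhd} (PFHd sum), PL{by_count} (count)")
```

Both methods give PLd for the chain: the PLe relay is the best part of the system, and the system is rated by its worst. The count rule also demotes a chain of four PLe subsystems to PLd, which is why long series arrangements are evaluated by PFHd summation in practice.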

This lack of understanding endangers the users, the maintenance personnel, the owners and the manufacturers. If they continue this approach and an injury occurs, it is my opinion that the courts will have more than enough evidence in the defendant's published documents to cause some serious legal grief.

As designers involved with the safety of our company's products or with our co-workers' safety, I believe that we owe it to everyone who uses our products to be educated and to correctly apply these concepts. The fact that you have read all of the posts leading up to this one is evidence that you are working on getting educated.

Always conduct a risk assessment and use the outcome from that work to guide your selection of safeguarding measures, complementary protective measures and the performance of the SRP/CS that ties those systems together. Choose performance levels that make sense based on the required risk reduction, and ensure that the design criteria are met by validating the system once it is built.

As always, I welcome your comments and questions! Please feel free to comment below. I will respond to all your comments.

Copyright secured by Digiprove © 2011 – 2012
Acknowledgements: ISO for excerpts from ISO 13849-1 and more…
Some Rights Reserved