Interlock Architectures – Pt. 3: Category 2

This entry is part 3 of 8 in the series Circuit Architectures Explored

This art­icle explores the require­ments for safety related con­trol sys­tems meet­ing ISO 13849 – 1 Category 2 require­ments. “Gotcha!” points in the defin­i­tion are high­lighted to help design­ers avoid this com­mon pit­falls.

This entry is part 3 of 8 in the series Circuit Architectures Explored

In the first two posts in this series, we looked at Category B, the Basic cat­egory of sys­tem archi­tec­ture, and then moved on to look at Category 1. Category B under­pins Categories 2, 3 and 4. In this post we’ll look more deeply into Category 2.

Let’s start by look­ing at the defin­i­tion for Category 2, taken from ISO 13849 – 1:2007. Remember that in these excerpts, SRP/​CS stands for Safety Related Parts of Control Systems.

Definition

6.2.5 Category 2

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

SRP/​CS of cat­egory 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be per­formed

  • at the machine start-​up, and
  • pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, and/​or
  • peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is neces­sary.

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

  • allow oper­a­tion if no faults have been detec­ted, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detec­ted.

Whenever pos­sible this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­sible to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall provide a warn­ing of the haz­ard.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Figure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Figure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Figure 10).

The dia­gnost­ic cov­er­age (DCavg) of the total SRP/​CS includ­ing fault-​detection shall be low. The MTTFd of each chan­nel shall be low-​to-​high, depend­ing on the required per­form­ance level (PLr). Measures against CCF shall be applied (see Annex F).

The check itself shall not lead to a haz­ard­ous situ­ation (e.g. due to an increase in response time). The check­ing equip­ment may be integ­ral with, or sep­ar­ate from, the safety-​related part(s) provid­ing the safety func­tion.

The max­im­um PL achiev­able with cat­egory 2 is PL = d.

NOTE 1 In some cases cat­egory 2 is not applic­able because the check­ing of the safety func­tion can­not be applied to all com­pon­ents.

NOTE 2 Category 2 sys­tem beha­viour allows that

  • the occur­rence of a fault can lead to the loss of the safety func­tion between checks,
  • the loss of safety func­tion is detec­ted by the check.

NOTE 3 The prin­ciple that sup­ports the valid­ity of a cat­egory 2 func­tion is that the adop­ted tech­nic­al pro­vi­sions, and, for example, the choice of check­ing fre­quency can decrease the prob­ab­il­ity of occur­rence of a dan­ger­ous situ­ation.

ISO 13849-1 Figure 10
Figure 1 – Category 2 Block dia­gram [1, Fig.10]

Breaking it down

Let start by tak­ing apart the defin­i­tion a piece at a time and look­ing at what each part means. I’ll also show a simple cir­cuit that can meet the require­ments.

Category B & Well-​tried Safety Principles

The first para­graph speaks to the build­ing block approach taken in the stand­ard:

For cat­egory 2, the same require­ments as those accord­ing to 6.2.3 for cat­egory B shall apply. “Well – tried safety prin­ciples” accord­ing to 6.2.4 shall also be fol­lowed. In addi­tion, the fol­low­ing applies.

Systems meet­ing Category 2 are required to meet all of the same require­ments as Category B, as far as the com­pon­ents are con­cerned. Other require­ments for the cir­cuits are dif­fer­ent, and we will look at those in a bit.

Self-​Testing required

Category 2 brings in the idea of dia­gnostics. If cor­rectly spe­cified com­pon­ents have been selec­ted (Category B), and are applied fol­low­ing ‘well-​tried safety prin­ciples’, then adding a dia­gnost­ic com­pon­ent to the sys­tem should allow the sys­tem to detect some faults and there­fore achieve a cer­tain degree of ‘fault-​tolerance’ or the abil­ity to func­tion cor­rectly even when some aspect of the sys­tem has failed.

Let’s look at the text:

SRP/​CS of Category 2 shall be designed so that their function(s) are checked at suit­able inter­vals by the machine con­trol sys­tem. The check of the safety function(s) shall be per­formed

  • at the machine start-​up, and
  • pri­or to the ini­ti­ation of any haz­ard­ous situ­ation, e.g. start of a new cycle, start of oth­er move­ments, and/​or
  • peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment and the kind of oper­a­tion shows that it is neces­sary.

The ini­ti­ation of this check may be auto­mat­ic. Any check of the safety function(s) shall either

  • allow oper­a­tion if no faults have been detec­ted, or
  • gen­er­ate an out­put which ini­ti­ates appro­pri­ate con­trol action, if a fault is detec­ted.

Whenever pos­sible this out­put shall ini­ti­ate a safe state. This safe state shall be main­tained until the fault is cleared. When it is not pos­sible to ini­ti­ate a safe state (e.g. weld­ing of the con­tact in the final switch­ing device) the out­put shall provide a warn­ing of the haz­ard.

Periodic check­ing is required. The checks must hap­pen at least each time there is a demand placed on the sys­tem, i.e. a guard door is opened and closed, or an emer­gency stop but­ton is pressed and reset. In addi­tion the integ­rity of the SRP/​CS must be tested at the start of a cycle or haz­ard­ous peri­od, and poten­tially peri­od­ic­ally dur­ing oper­a­tion if the risk assess­ment indic­ates that this is neces­sary. The test­ing fre­quency must be at least 100x the demand rate [1, 4.5.4], e.g., a light cur­tain on a part load­ing work sta­tion that is inter­rup­ted every 30 s dur­ing nor­mal oper­a­tion requires a min­im­um test rate of once every 0.3 s, or 200x per minute or more.

The test­ing does not have to be auto­mat­ic, although in prac­tice it usu­ally is. As long as the sys­tem integ­rity is good, then the out­put is allowed to remain on, and the machinery or pro­cess can run.

Watch Out!

Notice that the words ‘whenev­er pos­sible’ are used in the last para­graph in this part of the defin­i­tion where the stand­ard speaks about ini­ti­ation of a safe state. This word­ing alludes to the fact that these sys­tems are still prone to faults that can lead to the loss of the safety func­tion, and so can­not be called truly ‘fault-​tolerant’. Loss of the safety func­tion must be detec­ted by the mon­it­or­ing sys­tem and a safe state ini­ti­ated. This requires care­ful thought, since the safety sys­tem com­pon­ents may have to inter­act with the pro­cess con­trol sys­tem to ini­ti­ate and main­tain the safe state in the event that the safety sys­tem itself has failed. Also note that it is not pos­sible to use fault exclu­sions in Category 2 archi­tec­ture, because the sys­tem is not fault tol­er­ant.

All of this leads to an inter­est­ing ques­tion: If the sys­tem is hard­wired through the oper­at­ing chan­nel, and all the com­pon­ents used in that chan­nel meet Category B require­ments, can the dia­gnost­ic com­pon­ent be provided by a mon­it­or­ing the sys­tem with a stand­ard PLC? The answer to this is YES. Test equip­ment (called TE in Fig. 1) is spe­cific­ally excluded, and Category 2 DOES NOT require the use of well-​tried com­pon­ents, only well-​tried safety prin­ciples.

Finally, for the faults that can be detec­ted by the mon­it­or­ing sys­tem, detec­tion of a fault must ini­ti­ate a safe state. This means that on the next demand on the sys­tem, i.e. the next time the guard is opened or the emer­gency stop is pressed, the machine must go into a safe con­di­tion. Generally, detec­tion of a fault should pre­vent the sub­sequent reset of the sys­tem until the fault is cleared or repaired.

Testing is not per­mit­ted to intro­duce any new haz­ards or to slow the sys­tem down. The tests must occur ‘on-​the-​fly’ and without intro­du­cing any delay in the sys­tem com­pared to how it would have oper­ated without the test­ing incor­por­ated. Test equip­ment can be integ­rated into the safety sys­tem or be extern­al to it.

One more ‘gotcha’

Note 1 in the defin­i­tion high­lights a sig­ni­fic­ant pit­fall for many design­ers: if all of the com­pon­ents in the func­tion­al chan­nel of the sys­tem can­not be checked, you can­not claim con­form­ity to Category 2. If you look back at Fig. 1, you will see that the dashed “m” lines con­nect all three func­tion­al blocks to the TE, indic­at­ing that all three must be included in the mon­it­or­ing chan­nel. A sys­tem that oth­er­wise would meet the archi­tec­tur­al require­ments for Category 2 must be down­graded to Category 1 in cases where all the com­pon­ents in the func­tion­al chan­nel can­not be tested. This is a major point and one which many design­ers miss when devel­op­ing their sys­tems.

Calculation of MTTFd

The next para­graph deals with the cal­cu­la­tion of the fail­ure rate of the sys­tem, or MTTFd.

For the des­ig­nated archi­tec­ture of cat­egory 2, as shown in Figure 10, the cal­cu­la­tion of MTTFd and DCavg should take into account only the blocks of the func­tion­al chan­nel (i.e. I, L and O in Figure 10) and not the blocks of the test­ing chan­nel (i.e. TE and OTE in Figure 10).

Calculation of the fail­ure rate focuses on the func­tion­al chan­nel, not on the mon­it­or­ing sys­tem, mean­ing that the fail­ure rate of the mon­it­or­ing sys­tem is ignored when ana­lyz­ing sys­tems using this archi­tec­ture. The MTTFd of each com­pon­ent in the func­tion­al chan­nel is cal­cu­lated and then the MTTFd of the total chan­nel is cal­cu­lated.

The Diagnostic Coverage (DCavg) is also cal­cu­lated based exclus­ively on the com­pon­ents in the func­tion­al chan­nel, so when determ­in­ing what per­cent­age of the faults can be detec­ted by the mon­it­or­ing equip­ment, only faults in the func­tion­al chan­nel are con­sidered.

This high­lights the fact that a fail­ure of the mon­it­or­ing sys­tem can­not be detec­ted, so a single fail­ure in the mon­it­or­ing sys­tem that res­ults in the sys­tem fail­ing to detect a sub­sequent nor­mally detect­able fail­ure in the func­tion­al chan­nel will res­ult in the loss of the safety func­tion.

Summing Up

The next para­graph sums up the lim­its of this par­tic­u­lar archi­tec­ture:

The dia­gnost­ic cov­er­age (DCavg) of the total SRP/​CS includ­ing fault-​detection shall be low. The MTTFd of each chan­nel shall be low-​to-​high, depend­ing on the required per­form­ance level (PLr). Measures against CCF shall be applied (see Annex F).

The first sen­tence reflects back to the pre­vi­ous para­graph on dia­gnost­ic cov­er­age, telling you, as the design­er, that you can­not make a claim to any­thing more than LOW DC cov­er­age when using this archi­tec­ture.

This raises an inter­est­ing ques­tion, since Figure 5 in the stand­ard shows columns for both DCavg = LOW and DCavg=MED. My best advice to you as a user of the stand­ard is to abide by the text, mean­ing that you can­not claim high­er than LOW for DCavg in this archi­tec­ture. This con­flict will be addressed by future revi­sions of the stand­ard.

Another prob­lem raised by this sen­tence is the inclu­sion of the phrase “the total SRP/​CS includ­ing fault-​detection”, since the pre­vi­ous para­graph expli­citly tells you that the assess­ment of DCavg ‘should’ only include the func­tion­al chan­nel, while this sen­tence appears to include it. In stand­ards writ­ing, sen­tences includ­ing the word ‘shall’ are clearly man­dat­ory, while those includ­ing the word ‘should’ indic­ate a con­di­tion which is advised but not required. Hopefully this con­fu­sion will be cla­ri­fied in the next edi­tion of the stand­ard.

MTTFd in the func­tion­al chan­nel can be any­where in the range from LOW to HIGH depend­ing on the com­pon­ents selec­ted and the way they are applied in the design. The require­ment will be driv­en by the desired PL of the sys­tem, so a PLd sys­tem will require HIGH MTTFd com­pon­ents in the func­tion­al chan­nel, while the same archi­tec­ture used for a PLb sys­tem would require only LOW MTTFd com­pon­ents.
Finally, applic­able meas­ures against Common Cause Failures (CCF) must be used. Some of the meas­ures giv­en in Table F.1 in Annex F of the stand­ard can­not be applied, such as Channel Separation, since you can­not sep­ar­ate a single chan­nel. Other CCF meas­ures can and must be applied, and so there­fore you must score at least the min­im­um 65 on the CCF table in Annex F to claim com­pli­ance with Category 2 require­ments.

Example Circuit

Here’s an example of what a simple Category 2 cir­cuit con­struc­ted from dis­crete com­pon­ents might look like. Note that PB1 and PB2 could just as eas­ily be inter­lock switches on guard doors as push but­tons on a con­trol pan­el. For the sake of sim­pli­city, I did not illus­trate surge sup­pres­sion on the relays, but you should include MOV’s or RC sup­press­ors across all relay coils. All relays are con­sidered to be con­struc­ted with  ‘force-​guided’ designs and meet the require­ments for well-​tried com­pon­ents.

Example Category 2 circuit from discrete components
Figure 2 – Example Category 2 cir­cuit from dis­crete com­pon­ents

How the cir­cuit works:

  1. The machine is stopped with power off. CR1, CR2, and M are off. CR3 is off until the reset but­ton is pressed, since the NC mon­it­or­ing con­tacts on CR1, CR2 and M are all closed, but the NO reset push but­ton con­tact is open.
  2. The reset push but­ton, PB3,  is pressed. If both CR1, CR2 and M are off, their nor­mally closed con­tacts will be closed, so press­ing PB3 will res­ult in CR3 turn­ing on.
  3. CR3 closes its con­tacts, ener­giz­ing CR1 and CR2 which seal their con­tact cir­cuits in and de-​energize CR3. The time delays inher­ent in relays per­mit this to work.
  4. With CR1 and CR2 closed and CR3 held off because its coil cir­cuit opened when CR1 and CR2 turned on, M ener­gizes and motion can start.

In this cir­cuit the mon­it­or­ing func­tion is provided by CR3. If any of CR1, CR2 or M were to weld closed, CR3 could not ener­gize, and so a single fault is detec­ted and the machine is pre­ven­ted from re-​starting. If the machine is stopped by press­ing either PB1 or PB2, the machine will stop since CR1 and CR2 are redund­ant. If CR3 fails with wel­ded con­tacts, then the M rung is held open because CR3 has not de-​energized, and if it fails with an open coil, the reset func­tion will not work, there­fore both fail­ure modes will pre­vent the machine from start­ing with a failed mon­it­or­ing sys­tem, if a “force-​guided” type of relay is used for CR3. If CR1 or CR2 fail with an open coil, then M can­not ener­gize because of the redund­ant con­tacts on the M rung.

This cir­cuit can­not detect a fail­ure in PB1, PB2, or PB3. Testing is con­duc­ted each time the cir­cuit is reset. This cir­cuit does not meet the 100x test rate require­ment, and so can­not be said to meet Category 2 require­ments.

If M is a motor starter rather than the motor itself, it will need to be duplic­ated for redund­ancy and a mon­it­or­ing con­tact added to the CR3 rung .

In cal­cu­lat­ing MTTFd, PB1, PB2, CR1, CR2, CR3 and M must be included. CR3 is included because it has a func­tion­al con­tact in the M rung and is there­fore part of the func­tion­al chan­nel of the cir­cuit as well as being part of the OT and OTE chan­nels.

Download IEC stand­ards, International Electrotechnical Commission stand­ards.
Download ISO Standards 

Watch for the next install­ment in this series where we’ll explore Category 3, the first of the ‘fault tol­er­ant’ archi­tec­tures!

New Guide to Applying ISO 13849 – 1 and IEC 62061

This entry is part 1 of 2 in the series IEC/​TR 62061 – 1

IEC and ISO have pub­lished a new guide to help users select between ISO 13849 – 1 and IEC 62061. This new Technical Report will replace Table 1 in both stand­ards.

This entry is part 1 of 2 in the series IEC/​TR 62061 – 1

One of the big chal­lenges facing machine build­ers has been choos­ing between ISO 13849 – 1 and IEC 62061. The IEC pub­lished a new guide at the end of July, 2010 called Technical Report IEC/​TR 62061 – 1 ed1.0 Guidance on the applic­a­tion of ISO 13849 – 1 and IEC 62061 in the design of safety-​related con­trol sys­tems for machinery. The new 38-​page guide is avail­able as a hard copy or a PDF file. Written jointly by Technical Committee IEC/​TC 44, Safety of machinery – Electrotechnical aspects and Technical Committee ISO/​TC 199, Safety of machinery. The Technical Report was pub­lished in par­al­lel by ISO as ISO/​TR 23849.

Technical Reports don’t have the same status as International Standards, but provide the TC’s with  a means to provide guid­ance and explan­a­tion to help users imple­ment the stand­ard.

Table of Contents

Since this is a copy­righted doc­u­ment, I can’t repro­duce it here. Instead, here’s the Table of Contents that will give you some idea of  the document’s con­tents.

Cover of IEC/TR 62061-1
IEC/​TR 62061 – 1
  1. Scope
  2. General
  3. Comparison of stand­ards
  4. Risk estim­a­tion and assign­ment of required per­form­ance
  5. Safety require­ments spe­cific­a­tion
  6. Assignment of per­form­ance tar­gets: PL versus SIL
  7. System design
  8. Example
  9. Bibliography

Merger Coming Soon

The intro­duc­tion to the TR indic­ates that it will be incor­por­ated into both IEC 62061 and ISO 13849 – 1 through a cor­ri­genda that ref­er­ences this new doc­u­ment. The cor­ri­genda will also remove the inform­a­tion giv­en in Table 1, Recommended applic­a­tion of IEC 62061 and ISO 13849 – 1, found in the com­mon intro­duc­tion to both stand­ards and which is now out of date.

At some point in the near future, IEC and ISO  intend that ISO 13849 – 1 and IEC 62061 will be merged. A  Joint Working Group (JWG) of ISO/​TC 199 and IEC/​TC 44 will be formed to com­plete this task. No pub­lic time line has been set for this activ­ity, how­ever the Introduction to the Technical Report sug­gests that it may be a few years yet, as the TC’s involved want to get some feed­back from users on the latest ver­sions. If I had to haz­ard a guess, I would sug­gest that the new merged doc­u­ment might make its first appear­ance in 2013 when the cur­rent edi­tion of ISO 13849 – 1 comes up for main­ten­ance revi­sion. I guess we’ll have to wait and see wheth­er I’m right on that or not. In any case, I as a user of the stand­ards, I am whole­heartedly behind the mer­ger, and hope­fully the sim­pli­fic­a­tion, of these stand­ards to make them more access­ible to the machine build­ing com­munity.

Availability

A bilin­gual (English and French) ver­sion of IEC/​TR 62061 – 1 edi­tion 1.0 is avail­able.

ISO/​TR 23849:2010 is avail­able as a 14-​page doc­u­ment, in either English or French.

Download IEC stand­ards, International Electrotechnical Commission stand­ards.

Watch for my review of this import­ant new doc­u­ment com­ing in the next few days!

Safety is Good Business

In this excel­lent art­icle from Rockwell Automation’s The Journal, Mike Miller and Wayne Solberg explain how EN ISO 13849 – 1 and EN IEC 62061 mesh for machine build­ers.

Well worth the read in my opin­ion!

The Journal: Safety is Good Business – Marshall & Solberg

In this excel­lent art­icle from Rockwell Automation’s The Journal, Mike Miller and Wayne Solberg explain how EN ISO 13849 – 1 and EN IEC 62061 mesh for machine build­ers.

Well worth the read in my opin­ion!

The Journal: Safety is Good Business – Marshall & Solberg