Interlock Architectures — Part 4: Category 3 - Control Reliable


This post was updated on 2020-03-28.

Category 3 system architecture is the first category that could be considered to have similarities to “Control Reliable” circuits or systems as defined in some North American standards, now obsolete (notably CSA Z432-04, CSA Z434-03, and ANSI/RIA R15.06-1999). ISO 13849-1 Category 3 is NOT the same as Control Reliable, but we’ll discuss that in more detail in a subsequent post. If you haven’t read the first three posts in this series, you may want to go back and review them, as the concepts in those articles are the basis for the discussion in this post.

What is Control Reliable?

So what is “Control Reliable” anyway? This term was coined by the ANSI RIA R15.06 technical committee when they were developing their definitions for control system reliability, first published in the 1999 edition of the standard. “Control reliable” does not appear in the 1994 edition of CSA Z434 or the preceding edition of RIA R15.06.

Essentially, the term “Control Reliable” means that the control system is designed with some degree of fault tolerance. Depending on the specific definition, this could be single- or multiple-fault tolerance.

Ways to increase fault tolerance

Several design techniques can be used to increase the fault tolerance of a control system. The older approaches, such as those given in ANSI RIA R15.06-1999, CSA Z434-03 or EN 954-1:95, rely primarily on the structure or architecture of the circuit and the characteristics of the components selected for use. ISO 13849-1 uses the same basic architectures defined by EN 954-1:95. It extends them to include diagnostic coverage, common cause failure resistance and an understanding of the failure rate of the components to determine the degree of fault tolerance and reliability provided by the design.

OK, enough background for now! Let’s look at the definition for Category 3 systems. Remember that “SRP/CS” means “Safety-Related Parts of the Control System.”

Definition

6.2.6 Category 3

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed. In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function. Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function. The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low. The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr. Measures against CCF shall be applied (see Annex F).

NOTE 1 The requirement of single-fault detection does not mean that all faults will be detected. Consequently, the accumulation of undetected faults can lead to an unintended output and a hazardous situation at the machine. Typical examples of practicable measures for fault detection are use of the feedback of mechanically guided relay contacts and monitoring of redundant electrical outputs.

NOTE 2 If necessary because of technology and application, type-C standard makers need to give further details on the detection of faults.

NOTE 3 Category 3 system behaviour allows that
- when the single fault occurs the safety function is always performed,
- some but not all faults will be detected,
- accumulation of undetected faults can lead to the loss of the safety function.

NOTE 4 The technology used will influence the possibilities for the implementation of fault detection.

Breaking it down

Let’s take the definition apart and look at the components that make it up.

For category 3, the same requirements as those according to 6.2.3 for category B shall apply. “Well-tried safety principles” according to 6.2.4 shall also be followed.

The first couple of lines remind the designer of two key points: the components selected must be suitable for the application, i.e. correctly specified for voltage, current, environmental conditions, etc.; and “well-tried safety principles” must be used in the design.

It’s important to note here that we are talking about “well-tried safety principles” and NOT “well-tried components.” The requirement to use components intended for use in safety applications comes from other standards, like EN 1088 and ISO 13850. The requirements from these standards, such as the use of “direct-drive” contacts, improve the fault tolerance of the component and so benefit the design in the end. These improvements are generally reflected in the B10d or MTTFd of the component. They are points that inspectors will commonly look for, since they are easy to spot in the field: “safety-rated components” often use red or yellow caps to identify them clearly in the control panel.

In addition, the following applies. SRP/CS of category 3 shall be designed so that a single fault in any of these parts does not lead to the loss of the safety function.

This sentence makes the requirement for single-fault tolerance. This means that the failure of any single component in the functional channel cannot result in the loss of the safety function. To meet this requirement, redundancy is needed. With redundant systems, one complete channel can fail without losing the ability to stop the machinery. It is possible to lose the function of the monitoring system from a single component failure. Still, this may be acceptable as long as the system continues to provide the safety function. The system should not permit itself to be reset if the monitoring system is not working.

One more “gotcha” from this sentence: to meet the requirement that any single component failure can be detected, the design will require two separate sensors to detect the position of a gate, for example. This permits the system to detect a failure in either sensor, including mechanical failures like broken keys or attempts to defeat the safety system. You can see this in the block diagram, which does not show any monitoring connection to the input devices, and in the circuit diagram. Both of these diagrams are shown later in this post. The only way out of the requirement to have redundant sensors is to select a gate switch that is robust enough that mechanical faults can reasonably be excluded. I’ll get into fault exclusions later in this article.

Whenever reasonably practicable, the single fault shall be detected at or before the next demand upon the safety function.

This sentence can be a bit sticky. The phrase “whenever reasonably practicable” means that your design needs to be able to detect single faults unless it would be “unreasonable” to do so. What constitutes an unreasonable degree of effort? This is for you to decide. I will say that if there is a common, off-the-shelf (COTS) component available that will do the job, and you choose not to use it, you will have difficulty convincing a court that you took every reasonably practicable means to detect the fault.

Following the comma, the rest of the sentence provides the designer with the basic requirement for the test system: it must be able to detect a single component failure at the moment of demand (this is usually how it’s done, since this is typically the simplest way) or before it occurs, which can happen if your test equipment has the means to detect a change in some critical characteristic of the monitored component(s).

Diagnostic coverage

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall be low.

This sentence tells you that your design must meet the requirements for LOW Diagnostic Coverage. See Table 5 of the standard.

Based on Table 5, the DCavg must be between 60% and 90%, all components considered. To score this, we must go to Annex E and look at Table E1. Using the factors in Table E1, score the design. You can move on if you end up in the desired range between 60% and 90% DC coverage. If not, the design will require modification to bring it into this range.

Channel MTTFd

The MTTFd of each of the redundant channels shall be low-to-high, depending on the PLr.

This sentence reminds you that your component selections matter. Depending on the PLr you are trying to achieve, you must choose components with suitable MTTFd ratings. Remember that just because you are using a Category 3 architecture, you have not automatically achieved the highest levels of reliability. If you refer to Figure 5 in the standard, you can see that a Category 3 architecture can meet a range of PLs, from PLa through PLe!

Figure 5: ISO 13849-1 Figure 5

If you want or need to know the numeric boundaries of each of the bands in the diagram above, look at Annex K of the standard. The full numeric representation of Figure 5 is provided in that Annex.

Common-Cause Failure Mitigation

Measures against CCF shall be applied (see Annex F).

For your design to meet the Category 3 architecture requirements, CCF measures are required. I’ve discussed Common Cause Failures elsewhere on the blog, but as a reminder, a Common Cause Failure is one where a single event, like a lightning strike on the power line or a cable being cut, results in the failure of the system. This is not the same as a Common Mode Failure, where similar or different components fail in the same way. For instance, if both output contactors were to weld closed, simultaneously or at different times, due to overloading because they were undersized, this could be considered a Common Mode Failure. If they both weld closed due to a lightning strike, that is a Common Cause Failure.

Annex F provides a checklist that is used to score the CCF of the design. The design must meet at least 65 points to be considered to meet the minimum level of CCF protection, and more is better, of course! Score your design and see where you come out. Less than 65 and you need to do more. 65 or more, and you are good to go.

The Notes

The notes given in the definition are also important. Note 1 reminds the designer that not all faults will be detected, and an accumulation of undetected faults can lead to the loss of the safety function. Be aware that it is up to you as the designer to minimize the kinds of failures that can accumulate undetected.

Note 2 suggests that a Type-C product standard, like EN 201 for injection moulding machines, may impose a minimum PLr on the design. Ensure you get a copy of any Type-C standard relevant to your product and market. Note that the designation “Type-C” comes from ISO. If you look for this terminology in ANSI or CSA standards, you won’t find it used, because the concept doesn’t exist in the same way in these National standards.

Note 3 gives you the basic performance parameters for the design. If your design can do these things, then you’re halfway there.

Finally, Note 4 is a reminder that different kinds of technology have greater or lesser capability to detect failures. More sophisticated technology may be required to achieve the PL you need.

The Block Diagram

Let’s have a look at the functional block diagram for this Category.

Looking at the diagram, you can see the two independent channels and the cross-monitoring connection between the channels. Input devices are not monitored, but output devices are monitored. This is another significant reason for requiring two physically separate input devices to sense the guard position. A failure in the input devices can be detected only if one channel changes state and the other does not.

Suppose you want to learn more about applying the block diagramming method to your design. In that case, there is a good explanation of the method in the SISTEMA Cookbook 1, published by the IFA in Germany. You can download the English version from the link above or get the document directly from the IFA website.

Example Circuit Diagram

By now, you probably get the idea that there are as many ways to configure a Category 3 circuit as there are applications. Below is a typical circuit diagram borrowed from Rockwell Allen-Bradley, showing the application of typical safety relays in a complete system that includes the emergency stop system, a gate interlock and a safety mat. You can meet the requirements for Category 3 architecture in other ways, so don’t feel you must use a COTS safety relay. It just may be the most straightforward way in many cases.

This is not a plug for A-B products. Neither Machinery Safety 101 nor I have any relationship with Rockwell Allen-Bradley.

From Rockwell Automation publication SAFETY-WD001A-EN-P, June 2011, p. 6.

If you’re interested in obtaining the source document containing this diagram, you can download it directly from the Rockwell Automation website.

Emergency Stop Subsystem

The emergency stop circuit uses the 440R-512R2 relay on the left side of the diagram. This particular system uses Category 3 architecture in the e-stop system, which may be more than is required. A risk assessment and a start-stop analysis are required to determine what performance level is needed for this subsystem. Get more information on emergency stop.
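As an added illustration (not code from the original post, and not the logic of any Rockwell relay), the following Python model captures the monitoring scheme in the block diagram: two channels fed from two separate gate switches, cross-monitoring that can only see an input fault when the channels disagree, and the output contactors' feedback loop checked in the reset path so that a failed monitor cannot be reset over. The class name, the discrepancy limit and the fault texts are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cat3GateInterlock:
    """Simplified model of the Category 3 monitoring scheme in the block diagram:
    two channels from two separate gate switches, cross-monitoring between the
    channels, and an output feedback loop checked in the reset path.
    Assumed, illustrative logic; not the behaviour of any particular safety relay."""
    discrepancy_limit: int = 3          # assumed: cycles the channels may disagree
    outputs_on: bool = False            # state of the two output contactors
    fault: Optional[str] = None         # latched fault, cleared only by clear_fault()
    _discrepancy: int = 0

    def evaluate(self, ch1_closed: bool, ch2_closed: bool,
                 feedback_closed: bool, reset_pressed: bool) -> bool:
        """One evaluation cycle; returns the new output state.

        ch1_closed / ch2_closed: the single contact used from each gate switch.
        feedback_closed: the series loop of both contactors' mirror contacts,
        closed only when both contactors have dropped out.
        """
        # Safety function: an open demand on EITHER channel drops the outputs, so
        # a single stuck-closed switch on the other channel cannot defeat the stop.
        if not (ch1_closed and ch2_closed):
            self.outputs_on = False

        # Cross-monitoring: the input switches have no separate monitoring, so an
        # input fault is visible only when one channel changes state and the other
        # does not. A short disagreement is tolerated because two mechanical
        # switches never operate at exactly the same instant.
        if ch1_closed != ch2_closed:
            self._discrepancy += 1
            if self._discrepancy > self.discrepancy_limit and self.fault is None:
                self.fault = "input discrepancy: switch fault or attempted defeat"
        else:
            self._discrepancy = 0

        # Reset: permitted only with both channels closed, no latched fault, and
        # the feedback loop proving both contactors dropped out. A loop that is
        # open at reset means a welded contactor: latch it and refuse the reset.
        if reset_pressed and not self.outputs_on and ch1_closed and ch2_closed \
                and self.fault is None:
            if feedback_closed:
                self.outputs_on = True
            else:
                self.fault = "feedback loop open at reset: contactor failed to drop out"
        return self.outputs_on

    def clear_fault(self) -> None:
        """Fault acknowledgement after repair (typically a power cycle on a relay)."""
        self.fault = None
        self._discrepancy = 0
```

Feeding the model a sequence of cycles in which one switch stays closed while the gate opens shows the Note 1 behaviour: the stop is still performed on the first cycle, and the fault is only latched once the disagreement outlives the tolerated window.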
Gate Interlock Subsystem

The gate interlock circuit is located in the center of the diagram and uses the 440R-D22R2 relay. As you can see, there are two physically separate gate interlock switches. Only one contact from each switch is used; one switch is connected to Channel 1, and the other to Channel 2. Notice that there is no other monitoring of these devices (i.e. no second connection to either switch). The secondary contacts on these switches could be connected to the PLC for annunciation purposes. This would allow the PLC to display the open/closed status of the gate on the machine HMI.

The output contactors, K3 and K4, are monitored by the reset loop connected to S34 and the +V rail.

One more interesting point: did you notice that a “zone e-stop” is included in the gate interlock? You will find an emergency stop device immediately below the central safety relay and a little to the left. This device is wired in series with the gate interlock, so activating it will drop out K3 and K4 but not disturb the operation of the rest of the machine. The safety relay can’t distinguish between the e-stop button and the gate interlocks, so if annunciation is needed, you may want to use the third contact on the e-stop device to connect to a PLC input.

Safety Mat Subsystem

The safety mat subsystem is located on the right side of the diagram and uses a second 440R-D22R2 relay. Safety mats can be either single- or dual-channel in design. The mat shown in this drawing is a dual-channel type. Stepping on the mat causes the conductive layers in the mat to touch, shorting Channel 1 to Channel 2. This creates an input fault that the 440R relay will detect. The fault condition will cause the output of the relay to open, stopping the machine.

Safety mats can be easily damaged, and the circuit design will detect shorts or opens within the mat and prevent the hazardous motion from starting or continuing.

The output contactors, K5 and K6, are monitored by the relay reset loop connected to S34 and the +V rail.

This circuit also includes a conventional start-stop circuit that doesn’t rely on the safety relay.

Like the gate interlock circuit, this circuit also includes a “zone e-stop.” Look below and to the left of the safety mat relay. As with the gate interlock, pressing this button will drop out K5 and K6, stopping the same motions protected by the safety mat. Since the relay can’t tell the difference between the e-stop button and the mat detecting an object, you may want to use the same approach and add a third contact to the e-stop button, connecting it to the PLC for annunciation.

Component Selection

The components used in the circuit are critical to the final PL rating of the design. The final PL of the design depends on the MTTFd of the components used in each channel. No knowledge of the internal construction of the safety relays is needed, because the relays come with a PL rating from the manufacturer. They can be treated as a subsystem unto themselves. The selection of the input and output devices is a significant factor. Component datasheets can be downloaded from the Rockwell site if you want to dig deeper.

What did you think about this article? What questions came to mind that were not answered for you? I look forward to hearing your thoughts and questions!

© 2011–2022, Compliance inSight Consulting Inc. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
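Tying the Component Selection point back to the DCavg and channel MTTFd requirements discussed earlier, here is an added worked example (not from the original post) that scores a two-channel gate interlock against those two numeric conditions. The channel MTTFd formula (ISO 13849-1 Annex D, D.1) and the DCavg weighting formula (Annex E, E.1) are the standard's; the band limits are those of Tables 4 and 5; the component values are constructed for illustration and are not from any datasheet.

```python
from typing import Dict, List, Tuple

# Each component is (name, MTTFd in years, diagnostic coverage as a fraction).
Component = Tuple[str, float, float]

# Band limits from ISO 13849-1: Table 4 (MTTFd of each channel), Table 5 (DCavg).
MTTFD_BANDS = (("low", 3.0, 10.0), ("medium", 10.0, 30.0), ("high", 30.0, float("inf")))
DC_BANDS = (("none", 0.0, 0.60), ("low", 0.60, 0.90),
            ("medium", 0.90, 0.99), ("high", 0.99, 1.0 + 1e-9))


def channel_mttfd(components: List[Component]) -> float:
    """MTTFd of one channel (Annex D, equation D.1): the reciprocal of the sum
    of the reciprocals of the component MTTFd values."""
    return 1.0 / sum(1.0 / mttfd for _, mttfd, _ in components)


def dc_avg(components: List[Component]) -> float:
    """DCavg of the whole SRP/CS (Annex E, equation E.1): each DC weighted by
    1/MTTFd, so short-lived, poorly diagnosed parts dominate the average."""
    weights = sum(1.0 / mttfd for _, mttfd, _ in components)
    return sum(dc / mttfd for _, mttfd, dc in components) / weights


def band(value: float, bands) -> str:
    for name, lo, hi in bands:
        if lo <= value < hi:
            return name
    return "below range"   # e.g. a channel MTTFd under 3 years


def category3_check(ch1: List[Component], ch2: List[Component]) -> Dict[str, object]:
    """Score the two numeric requirements of the Category 3 definition: DCavg of
    all parts at least 'low' (60 % to under 90 %; a 'medium' DCavg also satisfies
    it) and the MTTFd of EACH redundant channel at least 'low' (3 years or more)."""
    r: Dict[str, object] = {"dc_avg": dc_avg(ch1 + ch2),
                            "mttfd_ch1": channel_mttfd(ch1),
                            "mttfd_ch2": channel_mttfd(ch2)}
    r["dc_band"] = band(r["dc_avg"], DC_BANDS)
    r["ch1_band"] = band(r["mttfd_ch1"], MTTFD_BANDS)
    r["ch2_band"] = band(r["mttfd_ch2"], MTTFD_BANDS)
    r["meets_cat3"] = (r["dc_band"] != "none"
                       and "below range" not in (r["ch1_band"], r["ch2_band"]))
    return r


# Constructed sample values (assumed, not from any datasheet): two channels of a
# gate interlock, each with one switch, one relay channel and one output contactor.
CH1: List[Component] = [("gate switch S1", 40.0, 0.60), ("safety relay ch1", 100.0, 0.99),
                        ("contactor K3", 30.0, 0.99)]
CH2: List[Component] = [("gate switch S2", 40.0, 0.60), ("safety relay ch2", 100.0, 0.99),
                        ("contactor K4", 30.0, 0.99)]

if __name__ == "__main__":
    for key, value in category3_check(CH1, CH2).items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

Replacing the switches with short-lived, undiagnosed ones in the sample shows why the "all components considered" qualifier matters: the weighting pulls DCavg below 60 % even though the relay and contactors keep 99 % coverage.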


