Principles, Standards and Implementation


Safety-Related Control System Structure Considerations

Categories of Control Systems

The “Categories” of control systems originated in the outgoing EN 954-1:1996 (ISO 13849-1:1999). However, they are still often used to describe safety control systems, and they remain an integral part of EN ISO 13849-1, as discussed in the Introduction to Functional Safety of Control Systems section.

There are five categories describing the fault reaction performance of a safety related control system. See Table 19 for a summary of these categories. The following notes apply to the table.

Note 1: Category B in itself has no special measures for safety but it forms the base for the other categories.

Note 2: Multiple faults caused by a common cause or as inevitable consequences of the first fault shall be counted as a single fault.

Note 3: The fault review may be limited to two faults in combination if this can be justified, but complex circuits (e.g. microprocessor circuits) may require more faults in combination to be considered.

Category 1 is aimed at the prevention of faults. It is achieved through the use of suitable design principles, components and materials. Simplicity of principle and design together with stable and predictable material characteristics are the keys to this category.

Categories 2, 3 and 4 require that if faults cannot be prevented they must be detected and appropriate action taken.


Redundancy, diversity and monitoring are the keys to these categories. Redundancy is the duplication of the same technique. Diversity is the use of two different techniques. Monitoring is checking the status of devices and then taking appropriate action based on the result of that check. The usual, but not the only, method of monitoring is to duplicate the safety-critical functions and compare their operation.

Category B (see Note 1)
Summary of requirements: Safety-related parts of machine control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influences. Basic safety principles shall be applied.
System behavior: When a fault occurs, it can lead to a loss of the safety function.

Category 1
Summary of requirements: The requirements of Category B apply, together with the use of well-tried safety components and safety principles.
System behavior: As described for Category B, but with higher safety-related reliability of the safety function. (The higher the reliability, the lower the likelihood of a fault.)

Category 2
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The safety function(s) shall be checked at machine start-up and periodically by the machine control system. If a fault is detected, a safe state shall be initiated or, if this is not possible, a warning shall be given. EN ISO 13849-1 assumes that the test rate is at least 100 times more frequent than the demand rate, and that the MTTFd of the external test equipment is larger than half of the MTTFd of the functional equipment being tested.
System behavior: The loss of the safety function is detected by the check. The occurrence of a fault can lead to the loss of the safety function between the checking intervals.

Category 3 (see Notes 2 & 3)
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of the safety function. Where practicable, a single fault shall be detected.
System behavior: When the single fault occurs, the safety function is always performed. Some but not all faults will be detected. An accumulation of undetected faults can lead to the loss of the safety function.

Category 4 (see Notes 2 & 3)
Summary of requirements: The requirements of Category B and the use of well-tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of the safety function. The single fault is detected at or before the next demand on the safety function. If this detection is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
System behavior: When faults occur, the safety function is always performed. The faults will be detected in time to prevent the loss of the safety function.

Table 19: Categories of Safety Performance

Category B

Category B provides the basic requirements of any control system; whether it is a safety related control system or non-safety related. A control system must work in its expected environment. The concept of reliability provides a foundation for control systems, as reliability is defined as the probability that a device will perform its intended function for a specified interval under expected conditions.

Category B requires the application of basic safety principles. ISO 13849-2 lists the basic safety principles for electrical, pneumatic, hydraulic and mechanical systems. The electrical principles are summarized as follows:

- The designer must select, install and assemble devices according to the manufacturer’s instructions.
- These devices must work within their expected voltage and current ratings.
- The expected environmental conditions (electromagnetic compatibility, vibration, shock, contamination, washdown) must also be considered.
- The de-energization principle is used.
- Transient protection is installed across the contactor coils.
- The motor is protected against overloads.
- The wiring and grounding meet the appropriate electrical standards.

Category 1

Category 1 requires the system to meet the terms of Category B and, in addition, to use well-tried components. EN ISO 13849-2 gives information about well-tried components for mechanical, hydraulic, pneumatic and electrical systems; Annex D addresses electrical components.

Components are considered to be well-tried if they have been successfully used in many similar applications. Newly designed safety components are considered to be well-tried if they are designed and verified in compliance with appropriate standards. Table 20 lists some electrical components and their respective standards.


Well-tried component and applicable standard:

Switch with positive mode actuation (direct opening action): IEC 60947-5-1
Emergency stop device: ISO 13850, IEC 60947-5-5
Fuse: IEC 60269-1
Circuit breaker: IEC 60947-2
Contactors: IEC 60947-4-1, IEC 60947-5-1
Mechanically linked contacts: IEC 60947-5-1
Auxiliary contactor (e.g. contactor, control relay, positive guided relays): EN 50205, IEC 60204-1, IEC 60947-5-1
Transformer: IEC 60742
Cable: IEC 60204-1
Interlocks: ISO 14119
Temperature switch: IEC 60947-5-1
Pressure switch: IEC 60947-5-1 plus pneumatic or hydraulic requirements
Control and protective switching device or equipment (CPS): IEC 60947-6-2
Programmable logic controller: IEC 61508

Table 20: Standards for Well-Tried Components

Applying well-tried components to our Category B system, the limit switch would be replaced by a direct opening action tongue switch and the contactor would be over-dimensioned to further protect against welded contacts.

Figure 140 shows the changes to the simple Category B system to achieve Category 1. The interlock and the contactor play the key roles in removing energy from the actuator, when access to the hazard is needed. The tongue interlock meets the requirements of IEC 60947-5-1 for direct opening action contacts, which is shown by the symbol of the arrow within the circle. With the well-tried components, the probability of energy being removed is higher for Category 1 than it is for Category B. The use of well-tried components is intended to prevent a loss of the safety function. Even with these improvements, a single fault can still lead to the loss of the safety function.


Figure 140: Category 1 of Simple Safety System

Categories B and 1 are prevention based. The design is intended to prevent a hazardous situation. When prevention by itself does not provide enough reduction in the risk, fault detection must be used. Categories 2, 3 and 4 are fault detection based, with increasingly stringent requirements to achieve higher levels of risk reduction.

Category 2

In addition to meeting the requirements of Category B and using well tried safety principles, the safety system must undergo testing to meet Category 2. The tests must be designed to detect faults within the safety related parts of the control system. If faults are not detected, the machine is allowed to run. If faults are detected, the test must initiate a command to bring the machine to a safe state.

Figure 141 shows a block diagram of a Category 2 system. The equipment performing the test can be an integral part of the safety system or a separate piece of equipment.


Figure 141: Category 2 Block Diagram

The testing must be performed:


Note: EN ISO 13849-1 assumes a test to safety function demand ratio of 100:1. The example given here would not meet that requirement.

The words “whenever possible” and “reasonably practicable” indicate that not all faults are detectable. Since this is a single channel system (i.e., one wire connects input to logic to output), a single fault may lead to the loss of the safety function. In some cases, Category 2 cannot be fully applied to a safety system, because not all of the components can be checked.


Figure 142 shows the simple Category 1 system enhanced to meet Category 2. A monitoring safety relay (MSR) performs the testing. Upon power-up, the MSR checks its internal components. If no faults are detected, the MSR checks the tongue switch by monitoring the cycling of its contacts. If no faults are detected and the guard is closed, the MSR then checks the output device: the mechanically linked contacts of the contactor. If no faults are detected and the contactor is off, the MSR energizes its internal output and connects the coil of K1 to the Stop button. At this point, the non-safety-rated parts of the machine control system, the Start/Stop/Interlock circuit, can turn the machine on and off.

Figure 142: Category 2 Safety System

Opening the guard turns the outputs of the MSR off. When the guard is re-closed, the MSR repeats the safety system checks. If no faults are discovered, the MSR turns on its internal output. The MSR allows this circuit to meet Category 2 by performing tests on the input device, the logic device (itself) and the output device. The test is performed on initial power-up and before initiation of the hazard.
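To make the test sequence concrete, here is an added Python model of the single-channel Category 2 circuit just described. It is illustrative code written for this page, not a vendor's MSR firmware or material from the catalog. The class and function names, the requirement that the guard be cycled once so the MSR can watch the input contact, and the two injected faults (a welded tongue-switch contact, and a contactor K1 that welds after a test has passed) are assumptions of the model; the last scenario reproduces the Table 19 behavior that a fault occurring between checks can lead to the loss of the safety function.

```python
# Constructed model of a single-channel Category 2 circuit (illustrative, not vendor code).
from dataclasses import dataclass, field

@dataclass
class TongueSwitch:
    """Direct-opening interlock contact; a welded contact is the modelled fault."""
    guard_closed: bool = True
    welded: bool = False

    def contact_closed(self) -> bool:
        # A healthy contact follows the guard; a welded one stays closed.
        return self.guard_closed or self.welded

@dataclass
class Contactor:
    """Contactor K1 with a mechanically linked (mirror) NC auxiliary contact."""
    coil_energized: bool = False
    welded: bool = False

    def power_contacts_closed(self) -> bool:
        return self.coil_energized or self.welded

    def mirror_contact_closed(self) -> bool:
        # Open whenever the power contacts are closed: a welded or stuck
        # contactor is revealed by an open mirror contact.
        return not self.power_contacts_closed()

@dataclass
class MonitoringSafetyRelay:
    """Single-channel MSR: self-test, input-cycle test, K1 test, then enable."""
    internal_ok: bool = True
    saw_switch_open: bool = False
    output_enabled: bool = False
    faults: list = field(default_factory=list)

    def observe_switch(self, switch: TongueSwitch) -> None:
        # The MSR watches the input contact while the guard is cycled (assumption).
        if not switch.contact_closed():
            self.saw_switch_open = True

    def run_checks(self, switch: TongueSwitch, k1: Contactor) -> bool:
        """Test sequence at power-up and each time the guard is re-closed."""
        self.faults = []
        if not self.internal_ok:
            self.faults.append("MSR internal self-test failed")
        if not self.saw_switch_open:
            self.faults.append("tongue switch contacts did not cycle")
        if not switch.contact_closed():
            self.faults.append("guard open")
        if not k1.mirror_contact_closed():
            self.faults.append("K1 mirror contact open: welded or stuck contactor")
        self.saw_switch_open = False       # the next check needs a fresh cycle
        self.output_enabled = not self.faults
        return self.output_enabled

def power_up(switch, k1, msr) -> bool:
    """Cycle the guard once so the MSR can test the input, then run the checks.
    On success the Start/Stop circuit energizes K1; returns True if the motor runs."""
    switch.guard_closed = False
    msr.observe_switch(switch)
    switch.guard_closed = True
    msr.observe_switch(switch)
    if msr.run_checks(switch, k1):
        k1.coil_energized = True
    return k1.power_contacts_closed()

def open_guard(switch, k1, msr) -> bool:
    """Demand on the safety function; returns True if the hazard is still powered."""
    switch.guard_closed = False
    msr.observe_switch(switch)
    msr.output_enabled = False             # MSR output drops, K1 coil loses supply
    k1.coil_energized = False
    return k1.power_contacts_closed()

def close_guard(switch, k1, msr) -> bool:
    """Re-closing the guard repeats the checks; returns True if the MSR re-enables."""
    switch.guard_closed = True
    msr.observe_switch(switch)
    return msr.run_checks(switch, k1)

def healthy_system() -> bool:
    """No faults: the machine starts and opening the guard removes power."""
    sw, k1, msr = TongueSwitch(), Contactor(), MonitoringSafetyRelay()
    return power_up(sw, k1, msr) and not open_guard(sw, k1, msr)

def welded_switch_found_at_power_up() -> list:
    """A welded input contact never opens during the cycle; the MSR refuses to enable."""
    sw, k1, msr = TongueSwitch(welded=True), Contactor(), MonitoringSafetyRelay()
    power_up(sw, k1, msr)
    return msr.faults

def fault_between_checks() -> dict:
    """K1 welds after a passed test: the single channel loses the safety function
    at the next demand, and the fault is revealed only when the guard is re-closed."""
    sw, k1, msr = TongueSwitch(), Contactor(), MonitoringSafetyRelay()
    power_up(sw, k1, msr)
    k1.welded = True                       # fault occurs between checks
    return {"hazard_powered_after_guard_open": open_guard(sw, k1, msr),
            "re_enabled_after_guard_close": close_guard(sw, k1, msr),
            "faults": msr.faults}
```

The third scenario is the one to study: the check itself is sound and does catch the welded contactor, but only at the next guard re-close, so the demand that occurred between checks was not met. That window is why Category 2 is reserved for lower-risk applications and why the standard assumes a high test-to-demand ratio.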

With its inherent logic capabilities, a safety system based on a Safety PLC (a PLC safety-rated to IEC 61508) can be designed to meet Category 2.


Figure 143: Complex Category 2 Safety System

Figure 143 shows an example of a complex system using a safety-rated PLC. A safety-rated PLC meets the requirements for well-tried components because it is designed to an appropriate standard. The mechanically linked contacts of the contactors are fed into the inputs of the PLC for testing purposes. These contacts may be connected in series to one input terminal or to individual input terminals, depending on the program logic.

Although well-tried safety components are used, a single fault occurring between the checks can lead to the loss of the safety function. Therefore, Category 2 systems are used in lower-risk applications. When higher levels of fault tolerance are needed, the safety system must meet Category 3 or 4.


Category 3

In addition to meeting the requirements of Category B and well-tried safety principles, Category 3 requires successful performance of the safety function in the presence of a single fault. The fault must be detected at or before the next demand on the safety function, whenever reasonably practicable.

Here again we have the phrase “whenever reasonably practicable.” This covers those faults that may not be detected. As long as the undetectable fault does not lead to the loss of the safety function, the safety function can meet category 3. Consequently, an accumulation of undetected faults can lead to the loss of the safety function.


Figure 144: Category 3 Block Diagram

Figure 144 shows a block diagram to explain the principles of a Category 3 system. Redundancy, combined with reasonably practicable cross monitoring and output monitoring, is used to ensure the performance of the safety function.

Figure 145 shows an example of a Category 3 system. A redundant set of contacts is added to the tongue interlock switch. Internally, the monitoring safety relay (MSR) contains redundant circuits that cross monitor each other. A redundant set of contactors removes power from the motor. The contactors are monitored by the MSR through the “reasonably practicable” mechanically linked contacts.

Fault detection must be considered for each part of the safety system, as well as the connections (i.e., the system). What are the failure modes of a dual channel tongue switch? What are the failure modes of the MSR? What are the failure modes of the contactors K1 and K2? What are the failure modes of the wiring?

The tongue interlock switch is designed with direct opening contacts. Therefore we know that opening the guard is designed to open a welded contact. This resolves one failure mode. Do other failure modes exist?


Figure 145: Category 3 System

The direct opening action switch is usually designed with a spring-operated return. If the head is removed or broken off, the safety contacts spring back to the closed (safe) state. Many interlock switches are designed with removable heads to accommodate the installation requirements of various applications. The head can be removed and rotated between two to four positions.

A failure could occur where the head mounting screws are not torqued properly. With this condition, the expected vibration of the machine may cause the head mounting screws to back out. The operating head, under spring pressure, removes the pressure from the safety contacts, and the safety contacts close. Subsequently, opening the guard does not open the safety contacts, and a failure to danger occurs.

Similarly, the operating mechanism within the switch must be reviewed. What is the probability that a failure of a single component will lead to the loss of the safety function? A common practice is to use tongue interlocks with dual contacts in Category 3 circuits. This usage must be based on excluding the single failure of the switch to open the safety contacts. This is considered “fault exclusion” and is discussed later in this chapter.

A monitoring safety relay (MSR) is often evaluated by a third party and assigned a category level (and/or a PL and SIL CL). The MSR often includes dual channel capability, cross channel monitoring, external device monitoring and short circuit protection. No specific standards are written to provide guidance on the design or usage of monitoring safety relays. MSRs are evaluated for their ability to perform the safety function per EN ISO 13849-1 or the outgoing EN 954-1. The rating of the MSR must be the same or higher than the required rating of the system in which it is used.


Two contactors help to ensure that the safety function is fulfilled by the output devices. With overload and short-circuit protection, the probability of a contactor failing with welded contacts is small but not zero. A contactor can also fail with its power switching contacts staying closed because of a stuck armature. If one contactor fails to a dangerous state, the second contactor will remove power from the hazard. The MSR will detect the faulted contactor upon the next machine cycle. When the gate is closed and the start button pressed, the mechanically linked contacts of the faulted contactor will remain open and the MSR will not be able to close its safety contacts, thereby revealing the fault.
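As an added example, not code from the catalog or from any vendor's relay, the following Python model covers the Category 3 circuit of Figure 145 and, with it, the redundancy and monitoring keys named at the start of this section: a dual-channel tongue switch, an MSR that cross-monitors the two channels and monitors K1 and K2 through their mirror contacts wired in series into a feedback loop, and the two contactors in series with the motor. The names, the behavior that a detected fault stays latched until the relay is reset, and the two injected faults (K1 welding while the machine runs, and one switch channel welding) are assumptions of the model.

```python
# Constructed model of a dual-channel Category 3 circuit (illustrative, not vendor code).
from dataclasses import dataclass, field

@dataclass
class Contactor:
    coil_on: bool = False
    welded: bool = False
    def powered(self) -> bool:          # power contacts closed
        return self.coil_on or self.welded
    def mirror_closed(self) -> bool:    # mechanically linked NC auxiliary contact
        return not self.powered()

@dataclass
class DualChannelTongueSwitch:
    """Two direct-opening contacts on one interlock; either channel may weld (injected fault)."""
    guard_closed: bool = True
    welded: dict = field(default_factory=lambda: {"A": False, "B": False})

    def channel_closed(self, ch: str) -> bool:
        return self.guard_closed or self.welded[ch]

@dataclass
class DualChannelMSR:
    """Redundant-channel MSR with cross monitoring and external device monitoring (EDM)."""
    latched_fault: str = ""
    outputs_on: bool = False

    def inputs_agree(self, sw) -> bool:
        # Cross monitoring: the two channels must agree. A disagreement means one
        # channel has failed; it is latched as a fault until the relay is reset (assumption).
        a, b = sw.channel_closed("A"), sw.channel_closed("B")
        if a != b:
            self.latched_fault = f"cross monitoring: channel A={a}, channel B={b} disagree"
        return a and b

    def try_start(self, sw, k1, k2) -> bool:
        # EDM: the mirror contacts of K1 and K2 form the feedback loop; it must be
        # closed, i.e. both contactors must have dropped out, before the outputs close.
        if not (k1.mirror_closed() and k2.mirror_closed()):
            self.latched_fault = "EDM: a contactor did not drop out (welded or stuck)"
        self.outputs_on = self.inputs_agree(sw) and not self.latched_fault
        k1.coil_on = k2.coil_on = self.outputs_on
        return self.outputs_on

    def on_guard_opened(self, sw, k1, k2) -> None:
        sw.guard_closed = False
        self.inputs_agree(sw)            # a stuck channel shows up as a discrepancy here
        self.outputs_on = False
        k1.coil_on = k2.coil_on = False

def hazard_powered(k1, k2) -> bool:
    # K1 and K2 power contacts are in series: both must be closed to run the motor.
    return k1.powered() and k2.powered()

def machine_cycle(fault=None) -> dict:
    """Start with the guard closed, inject an optional fault while running, open the
    guard (a demand on the safety function), re-close it and try to restart."""
    sw, k1, k2, msr = DualChannelTongueSwitch(), Contactor(), Contactor(), DualChannelMSR()
    started = msr.try_start(sw, k1, k2)
    if fault == "K1 welded":
        k1.welded = True
    elif fault == "channel A welded":
        sw.welded["A"] = True
    msr.on_guard_opened(sw, k1, k2)
    powered_after_demand = hazard_powered(k1, k2)
    sw.guard_closed = True
    restarted = msr.try_start(sw, k1, k2)
    return {"started": started, "powered_after_demand": powered_after_demand,
            "restarted": restarted, "fault": msr.latched_fault}
```

Both fault scenarios end the same way: the demand is met because the healthy half of the redundant pair still removes power, and the fault is then revealed at the next start attempt, by the open feedback loop for the welded contactor and by the channel discrepancy for the welded switch contact. That is the Category 3 behavior from Table 19 in miniature; what the model does not capture is the accumulation case, where a second undetected fault on the surviving channel would defeat the function, which is exactly why the text insists on detecting single faults wherever reasonably practicable.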