David Collier, the Business Development Manager at Pilz Automation Technology, explains why machine builders should resist the temptation to save money by using Category 2 architecture on machine guard safety circuits requiring Performance Level d.
Under EN 954-1 (still scheduled for withdrawal at end 2011) the 'Category' of the control system has been used as the basis for constructing the safety-related control functions. With the increasing uptake of EN ISO 13849-1, however, the term 'Category' has been taken over by 'Performance Level' (PL). In addition to the factors taken into account by Categories, Performance Levels also consider the reliability of the individual components and combination of components in a safety-related control system (expressed as the mean time to dangerous failure, MTTFd, or probability of failures per hour, PFH); the reliability data is used to evaluate the availability of a safety function over time. The behaviour of the safety function in the presence of faults is still dictated by the Category, which is now also referred to as architecture or structure.
In the past, designers using the risk graph in EN 954-1 may have arrived at a Category 3 requirement based upon known factors for severity, frequency of exposure and possibility of avoidance. The designer would then have designed a dual-channel system, one with redundancy or hardware fault tolerance (HFT = 1), providing a behaviour such that a single fault in the system would not give rise to a loss of the safety function.
These same parameters used with the similar risk graph in EN ISO 13849-1 would most likely lead to PLd.
In EN ISO 13849-1, PL is achieved by a combination of Category, MTTFd and diagnostic coverage (DC). According to Figure 5 in the standard, PLd is still achievable using Category 3 architecture - but also by using Category 2 (so long as the MTTFd is high and there is at least a low level of diagnostic coverage). It may be very tempting to try to use Category 2, single-channel architecture to achieve PLd to save component cost and panel space. A central factor in Category 2 is checking the safety function (not increased reliability), where an increased check frequency will decrease the probability of a dangerous situation - in other words testing reduces the probability of continued operation in the presence of a fault. Within the simplified procedure in EN ISO 13849-1 the check in Category 2 must occur at start-up and then periodically, and there is an assumption that the frequency equates to at least 100 tests to every demand on the safety function (clause 4.5.4 of EN ISO 13849-1, where for Category 2 'demand rate <1/100 test rate'). This test rate is an additional quantitative factor to that given in EN 954-1. In other words, if you try to claim PLd using Category 2 architecture, you are assuming that the safety function will be tested at least 100 times between demands upon the safety function.
BGIA (now IFA) has worked out the Markov reliability model of EN ISO 13849-1 designated architecture category 2 as a single-channel circuit with this high test frequency, based on the findings of a European working group trying to map EN 954-1 categories to the SILs of IEC 61508/IEC 62061. This is a challenge within the machine industry where safety functions are considered to be high demand versus the process industry where the demand placed upon safety functions is low or continuous.
It is difficult to see how users are going to manage this test frequency in machine applications on anything other than a dynamically self-tested OSSD (Output Signal Switching Device - ie a solid-state safety output) on a Type 4 light curtain, or in very low demand applications such as infrequently used emergency stops. For electromechanical devices on guards (such as tongue-actuated interlock switches, limit switches and magnetic safety switches) testing will mean actuation (ie opening and closing the guard) at least 100 times between the functional need to open the guard. This may at least prove inconvenient because it would impede productivity, or even impossible due to the high demand already placed upon the safety function. Imagine having to test a guard door 100 times within a two minute production cycle - not practical!
Lastly, consider the implication of frequent testing of electromechanical devices in terms of component wear and tear. MTTFd for an electromechanical component (like a safety interlock switch or contactor) is dependent upon the number of operations in a year (nop) and the component's B10d (the expected number of cycles until 10 per cent of the components fail dangerously, with component-specific data normally available from the manufacturer, or generic data can be found in table C.1 of EN ISO 13849-1). The stress placed upon the components through testing would be 100 times greater than that placed upon them due to the demand of the safety function, and the increased number of operations would at least reduce MTTFd (and potentially the PL). Moreover, the components might fail very early in the guard's life, resulting in lost production and additional expense through the need to replace the safety components repeatedly.
It is, therefore, more practical and commonplace to achieve PLd using Category 3 or 4, dual-channel architectures, because they improve reliability through hardware fault tolerance (without a highly frequent periodic test cycle) as well as 'automatic' diagnostic coverage within the system.
On balance, there is an argument against Category 3 in PLd systems in the case where a single component, such as an interlock or limit switch containing two contacts, is employed to monitor a guard. Such a device has one potential point of failure: a failure of a limit switch plunger mechanism (say due to excessive force, contamination or corrosion) is a single failure point affecting both contacts and both channels. In this case, what is ostensibly a Category 3 architecture can be considered to be Category 1, because a single failure can cause a loss of the safety function. With a single device containing two channels needing to achieve PLd, it is necessary to declare a 'fault exclusion', which justifies why such a single point of failure in the switch body is unlikely. There is guidance in EN ISO 13849-2 on fault exclusions which considers, among various factors, the environment (dirt and corrosion affecting the device during its lifetime), safe positioning and mounting (such as a preference for actuation occurring on opening, and avoidance of using the device as a mechanical stop), and adequate dimensioning. Where a fault exclusion can not be justified and PLd is required, the answer is to use two independent switches; this is more likely and is already common practise on monitored guards, and at this point measures taken to reduce Common Cause Failures can be quantified.
The use of fault exclusions in PLd and PLe will become a moot point when ISO 14119, Safety of machinery "" Interlocking devices associated with guards "" Principles for design and selection, is published, because in it reference is made to interlocking circuits providing PLd or PLe having to include at least two position switches, since fault exclusions of mechanical faults are not accepted in high-risk applications.
Users of electromechanical safety components on guards are urged to consider carefully the onerous test requirements of Category 2 in EN ISO 13849-1 at the design stage, especially when seeking to achieve PLd. Incorporating Category 2 architectures into PLd systems without taking these test requirements into due consideration may introduce systematic failures and an associated loss of production and additional expense. If after design, build, supply and commissioning the machine it is decided to convert from a Category 2 architecture to Category 3 or 4 it might be difficult or impossible in terms of fitting additional on-machine components, as well as in-panel devices required to step from single- to dual-channel architecture.
Contact Pilz to find out more about the consultancy and engineering services that Pilz offers companies designing machine guard safety circuits. Follow the link for more information about PSEN sensors.