Choice of Safety Category

Methods for Increased Safety

In order to increase the reliability of a safety circuit,the following methods are usually used:

• Well-tried safety components/reliable components
• Redundancy/duplication
• Supervision

The European Standard EN 954-1

EN 954-1 is a standard specifically relating to safe control systems. The standard has a category systembased on the above mentioned methods which increases the reliability of a safety function.

Category B

• Basic requirement
• Correctly rated components
• Circuits handling earth faults

Category 1

• All conditions of B apply
• Well-tried safety components and safety principles
• Components with a greater reliability

Category 2

• All conditions of B apply
• Individual supervised components
• The safety function may fail
• The loss of the safety function is detected by monitoring

Category 3 and 4

• All conditions of B apply
• The safety function is always retained during a failure
• The difference between category 3 and 4 is that certain types of fault are not detected in category 3.

By taking the three parameters S, F and P into account as shown in the drawing (Fig. 1), a recommended control system category can be obtained according to this method. However, the problem with this table is that it does not give a clear-cut answer but several alternatives. For example, an automatic production plant with estimated risk factors of S2(serious injuries), F1 (seldom to quite often), P2(scarcely possible to avoid an accident) comes under the categories 1-4 although categories 2 and 3would be the preferred choice as these are marked with two black filled rings. A higher category can always be chosen and category 1 may also be chosen if the system’s intended behavior is maintained. A justification for the deviation should also be given.

The fact that categories 1 and 4 are combined in the same safety circuit is due to the standard not specifying a strict hierarchical safety order. When comparing categories 2-4, category 4 is normally the safest.However, when comparing category 1 with categories2, 3 and 4, this is not always a matter of course.

A Mechanical Switch Does Not Give a Safe Function

When it comes to mechanically operated interlocked switches, it has long been accepted a category 1 switch is adequate for many installations, which is also supported by several standards. However, some companies have now re-evaluated this and have instead started to demand two mechanical switches or non-contact switches/sensors, where they previously accepted single mechanical switches. Many reported incidents form the background to this. The requirements for switches to provide safe functioning are that they are mounted correctly and that their positions do not change during their life-cycle, in other words, ideal conditions. In many installations the location of hatches or doors changes over time. This has led to a switch not giving a stopping signal when an interlocked gate has opened. The reasons for this are many, but they can be summarized in mechanical deterioration or physical damage to a door/hatch. In turn this has led to an interlocked switch being affected by higher stress than the switch manufacturer’s specifications. To avoid this type of malfunction it is more appropriate to use non-contact switches or sensors because mechanical deterioration does not affect the safety function, i.e. the stop signal is given directly if the position is wrong.

A non-contact switch/sensor does not have a guided function and is designed to fulfill the requirements in another way. The requirements are fulfilled either with dynamic sensors where the safety signal is monitored all the time and a fault directly leads to a stop signal or with a magnetic switch which has two independent contact elements which are monitored every time a gate opens. From the user’s perspective the dynamic function is preferable because several sensors can be connected to a single safety module and still achieve category 4. Also the sensor’s safety function is monitored without having to open a gate. For a magnetic switch the requirements for category 4 are only fulfilled if one switch per monitoring unit is used and if the gate is opened regularly.

Since the standard EN 954-1 was written, development has progressed and the costs to fulfill category4 have dropped dramatically. Generally mechanical switches are replaced with non-contact sensors to increase the reliability of production equipment. The same goes for the safety side. With electronic non-contact switches, with a transmitter and a receiver, one avoids the problems of deterioration and excessive stress which harm the sensor. For that kind of sensor, dynamic monitoring is required to enable a safe function. This means that its function is constantly being monitored, hundred of times per second. The reaction time for a safe stop will then be the same during a malfunction as during the activation of a stop (e.g. a gate opening). The monitoring frequency will also be astronomical compared to that of mechanical switches and magnetic switches, which are only monitored every time they are used. In the new EN ISO 13849-1, which will replace 954-1, probability calculations are used together with different category levels to compare different “performance levels”. Even when using EN ISO 13849-1 it can be so that one achieves reasonably high theoretical reliability with an electromechanical switch, although this presumes correct installation, proper use and other-wise ideal conditions. A non-contact switch instead provides high levels of both theoretical and practical reliability.

Our Conclusion...Use Dynamic Signals

Our conclusion is that today it is more cost effective, safer and more reliable to work with dynamic signals to achieve category 4 for sensors and monitoring units. In that case it is also possible to fulfill the Machinery Directive 1.2.7. requirement: “A fault in the control circuit logic, or failure of or damage to the control circuit, must not lead to dangerous situations.” Also one does not have to discuss whether the correct safety category has been chosen. For more information reference the Vital Solution Section.

This figure shows a control system for automatic machinery. The system is a combination of categories 1 and 4.The interlocking switch has two contacts and has one actuator. The overall system safety category can therefore only be category 1. If the entire control system is to be category 4,the interlocking switch must be duplicated.