Safety Circuit Categories, Help Me Understand Them

theColonel26

So I have been trying to give myself a crash course in safety circuit design in the last few days. I put together these examples and I wanted to know what category they are.


Also: A system that employs a dual channel for everything (input and output) would still be considered a Category 1 unless it also employs some type of feedback to actually detect faults (reasonably), right? It could have 1 fault and still provide stopping functions, but more than 1 fault could possibly disable stopping functions on 1 or more devices, right? For it to be a Category 3 would mean the whole safety circuit would have to be rendered safe in the event of a fault.


I've read chapter 9 of the Allen Bradley SafeBook 5, but I am still not sure I am understanding this correctly.

I also attached a PDF copy.
 
Example 1 - Wire 606 is the 24v supply so shorting it to 24v does not make sense as a fault. What controls the R601 contact?
 
Your best bet is to get hold of a copy of ISO13849-1. That goes through the requirements of each safety category in detail. In (very) brief:


Cat B: designed using basic safety principles. A fault can lead to the loss of the safety function.

Cat 1: As per Cat B, plus there is a requirement to use "well tried components". A fault can still lead to the loss of the safety function, but faults are less likely due to superior component selection.

Cat 2: As per Cat 1, but also periodic checks of the safety function are required. These checks have a list of requirements and stipulations as long as my arm. Cat 2 is the devil, it's almost never ever worth it. If Cat 1 isn't enough, go straight for Cat 3 and save yourself the headache.

Cat 3: as per Cat 1, plus, any single fault does not lead to the loss of the safety function. Some (but not necessarily all) faults shall be detected at or before the next demand on the safety function. An accumulation of undetected faults can lead to the loss of the safety function.

Cat 4: as per Cat 3, except all faults shall be detected at or before the next demand on the safety system, or if this detection is not possible, an accumulation of faults will still not lead to a loss of the safety function.


It's not just a matter of "dual channel = Cat 3" or similar, you have to consider the safety function as a whole. It's about diagnostic coverage and fault tolerance and detection.


FYI, safety categories are starting to be superseded by PL (protection level). Categories will still exist, but as a broader part of an assessment. You might have one system that has Cat 3 architecture and uses oversized safety contactors and other methods to ensure a higher MTTFd (mean time to dangerous failure), so overall it reaches PLd. While next to it you have a system with category 4 architecture, but cheap nasty no-brand components and low diagnostic coverage, and so despite having a higher safety category, can only achieve a lower PL rating of PLc.
 
Example 1 - Wire 606 is the 24v supply so shorting it to 24v does not make sense as a fault. What controls the R601 contact?
Oops :whistle: that was supposed to be the second set of contacts on R603... Sorry. I don't have the schematic files at home, so I can't upload a fixed version right now.


What do you mean? Wire 606 is SO1.... Oh, sorry, I really need to upload a new version. I thought I had put wire numbers on the relevant wires.



I suck at life. This may explain the lack of responses.
 
Cat B: designed using basic safety principles. A fault can lead to the loss of the safety function.

Cat 1: As per Cat B, plus there is a requirement to use "well tried components". A fault can still lead to the loss of the safety function, but faults are less likely due to superior component selection.

Cat 2: As per Cat 1, but also periodic checks of the safety function are required. These checks have a list of requirements and stipulations as long as my arm. Cat 2 is the devil, it's almost never ever worth it. If Cat 1 isn't enough, go straight for Cat 3 and save yourself the headache.

Cat 3: as per Cat 1, plus, any single fault does not lead to the loss of the safety function. Some (but not necessarily all) faults shall be detected at or before the next demand on the safety function. An accumulation of undetected faults can lead to the loss of the safety function.

Cat 4: as per Cat 3, except all faults shall be detected at or before the next demand on the safety system, or if this detection is not possible, an

This is the text of the standard but it is too general for practical use.
 
For Category 3, a dual channel system would meet the first clause of "as per Cat 1, plus, any single fault does not lead to the loss of the safety function." But what is the definition of "faults shall be detected"? This is what is confusing me.

If I have like an 8 channel (exaggerating) system I can have at least 7 faults and the safety functions will still work, but nothing is being detected unless the relays are using an NC back to EDM inputs on the safety controller and my devices have feedbacks to the Safety controller EDM too.

So I can have 3 robots being controlled by a safety controller. The system is 4 channel. I can have all 4 output channels from the safety controller to 1 robot short to 24V so that they are always on. I just lost safety on 1 robot, but the other 2 still have a safety function. Is that a Category 1 or a Category 2? No fault is being detected as I understand it. So that would be a Category 1, correct?




This is the text of the standard but it is too general for practical use.
(y)🍻
 
For all of your questions (where you say "right?"), the answer is yes. Guessing that doesn't help you. Guessing that all of the regulation jargon isn't helping too much either.

In broad generalizations.... yes, more redundancy is safer than less redundancy. So using a button with 99 redundant contacts means that 99 contacts need to fail before your button will fail to protect someone. Yes, this is still Cat 1 because once 98 contacts have failed (and you don't know it), you are ignorantly back to a single contact failure. Is this realistic? Yes, it actually is. In most of our worlds, if the machine seems to work normally, we assume all is good. So as each contact fails and things still seem to be normal, no one goes looking for a failed contact. So yes, it is realistic that multiple things will continue to fail unnoticed.

So Cat 3 says that you need to detect failures. This is generally done by having the safety controller watch paired (redundant) contacts. If both redundant contacts on a button come on, and go off, at the same time (with a very small discrepancy allowance), the button is determined to be operating normally, without a fault. However, if the controller ever sees one contact change state differently from the other, the controller determines that a fault occurred. In this case, the controller will not let you reset the e-stop circuit until you fix the issue with the button. To clear a fault, controllers typically need to see both contacts operate correctly from the on to off state before the controller fault can be cleared. So you need to fix the problem with the button and then exercise the button on and off to prove the contacts are working together again.

I'm sure I've butchered the example in some ways. Those who I have offended are free to respond.

Does that help?
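An added illustration of the discrepancy monitoring described in the reply above, simulated in Python. It is not code from the thread or from any safety-controller vendor; the class name, the scan-counted discrepancy window and the input trace are assumptions made for the example.

```python
"""Simulated dual-channel discrepancy monitor for a two-contact e-stop.
Channel value True = contact closed (button released), False = contact open.
Assumptions (not from the thread): one call per controller scan, and the
discrepancy allowance is expressed as a number of consecutive scans."""


class DualChannelMonitor:
    def __init__(self, max_discrepancy_scans=3):
        self.max_discrepancy_scans = max_discrepancy_scans  # hypothetical window
        self.discrepancy_scans = 0   # consecutive scans on which the channels disagree
        self.fault = False           # latched until both contacts are proven again
        self.seen_both_open = False  # both contacts opened together since the fault

    def scan(self, ch_a, ch_b):
        """Evaluate one scan; return True only when the safety output may be energised."""
        agree = ch_a == ch_b
        if self.fault:
            # Fault stays latched until the button is exercised: both contacts
            # must open together, then close together, before the fault clears.
            if agree and not ch_a:
                self.seen_both_open = True
                self.discrepancy_scans = 0
            elif agree and ch_a and self.seen_both_open:
                self.fault = False
                self.seen_both_open = False
            elif not agree and self.seen_both_open:
                self.discrepancy_scans += 1
                if self.discrepancy_scans > self.max_discrepancy_scans:
                    self.seen_both_open = False  # proof failed, start over
            return False  # output stays off for the whole fault state
        if agree:
            self.discrepancy_scans = 0
            return ch_a and ch_b
        # Channels disagree: the output drops at once (one open channel is a
        # stop demand), and if the disagreement outlasts the window it is a fault.
        self.discrepancy_scans += 1
        if self.discrepancy_scans > self.max_discrepancy_scans:
            self.fault = True
        return False


def run_sequence(monitor, scans):
    """Feed a list of (ch_a, ch_b) samples and return the output for each scan."""
    return [monitor.scan(a, b) for a, b in scans]


if __name__ == "__main__":
    m = DualChannelMonitor(max_discrepancy_scans=2)
    # Constructed trace: healthy press/release, then channel B welded closed while
    # A opens (fault latched), then the repaired button is cycled to clear it.
    trace = [(True, True), (False, False), (True, True),
             (False, True), (False, True), (False, True),
             (True, True), (False, False), (True, True)]
    print(run_sequence(m, trace), "fault latched:", m.fault)
```

Note that on the scan where the proof cycle completes the output is still off; it is only released on the next scan with both channels closed.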
 
Yes I just wanted confirmation that I was understanding this correctly.(y)
 
Generally speaking, your first example would be a waste of a safety relay if all you need is a category B.

I've attached a general guideline.

Think of category B as 'no safety'. It isn't necessarily true, but it helps to think of it that way.
Category 1 is very basic - just category B with some better ideas and components.
Category 2 is usually a single-channel circuit with feedback.
Category 3 is usually a dual-channel circuit with feedback.
Category 4 is possible to reach, but in my experience is thought of as a goal and not a standard. You need to monitor every single fault, which is usually cost prohibitive (think: safety relay for each e-stop, light curtain, gate switch, etc.).
 
Thank you that is helpful, the example is too.

For Cat 4 you could also use a programmable safety controller with multiple configurable I/O, so you could have multiple E-Stops in parallel to separate inputs. But you could not have the E-Stops in series, because you could not monitor their individual state, correct?
 
It has been a while since I have done something really safety intensive, but yes I believe you are correct.

An Ethernet safety controller could provide that level, with monitoring to the PLC of the status of all the safety devices.

Another really slick application that I haven't had the chance to use enough would be something like the Jokab relays that use a pulse system. You can daisy chain items on those relays and they can detect which item faulted via the pulsing.
 
Is this realistic? Yes, it actually is. In most of our worlds, if the machine seems to work normally, we assume all is good. So as each contact fails and things still seem to be normal, no one goes looking for a failed contact. So yes, it is realistic that multiple things will continue to fail unnoticed.

This reminded me of a situation where the contact from the e-stop relay notifying the PLC that the e-stop had been pushed was damaged. I decided to swap it to one of the many "available" contacts on the relay only to find that they were all bad apart from the ones actually turning off stuff.
 
It has been a while since I have done something really safety intensive, but yes I believe you are correct.

An Ethernet safety controller could provide that level, with monitoring to the PLC of the status of all the safety devices.

In my experience, at that point the safety controller IS the PLC. I'm not sure about other brands but both Siemens and AB have units that can run both safety and standard code. Their IO racks (even distributed IO) can have both standard and failsafe modules. Even things like robots and drives can communicate in a failsafe manner.

It's overkill when you're talking about a small machine, but it becomes vital when you're building a whole assembly line.
 