Confusing Safety Controls

[blackbird307]

Can someone help me? I am having trouble differentiating between category 3, and category 4 safety circuits. Could someone tell me what qualifies for a category 3 safety circuit and a category 4 safety circuit? If possible some examples?

Thanks!

 

[jraef]

Without context this is very difficult to explain.

 

[Sergei Troizky]

Shortly:
Category 3 is dual channel safety.
Category 4 is Category 3 with EDM (external device monitoring).

 

[blackbird307]

Boom. Awesome! That's exactly what I needed to answer my problem lol. Because reading huge paragraphs of legal jargon didn't.

 

[hd_coop]

Category 3 definitely has external device monitoring, as does Category 2.

 

[hd_coop]

The major differences:
In Cat 3 circuits you can wire multiple devices in series (gate switches for example), in Cat 4 you cannot.
Cat 4 requires "High" diagnostic coverage. "High" diagnostic coverage is 99%.
Cat 4 requires an MTTFd of High.

 

[Sergei Troizky]

Category 2 may have EDM, but is single-channel.
Category 3 is dual channel, but does not require fault diagnostics by definition.
Category 4 must have both dual channels and fault diagnostics, which is at least EDM.
See, for example, page 33 here:
http://www2.schneider-electric.com/...nt-manufacturers/pdf/Machine-safety-guide.pdf

 

[Sergei Troizky]

In Cat 3 circuits you can wire multiple devices in series (gate switches for example), in Cat 4 you cannot.

In which document is this stated?

 

[ASF]

Just my 2c...

Having an internationally accredited certificate in machinery safety, all that I can tell you for certain is that all of the opinions above are more or less just that - opinions. The actual legislation is extremely (and deliberately) vague, and interpretations of it vary wildly.

I do a lot of work at one particular company that must have every machine's safety system validated by an external party before it can be handed over to the operators. In large part, the company they get to do the validation is chosen based on what kind of safety arrangement is in place, and what we know of the companies and their particular interpretations of the "rules".

An example: validation company A will not validate anything as Cat 3 or 4 if there is an e/stop and a guard switch in series. Period. Even though I know full well that many of the company A employees disagree with that assessment - and so do I, in many cases - that's the company line, and they have to toe it. Validation company B, on the other hand, will see an e/stop and a guard switch in series and ask a lot more questions about how many operators use the machine at once, where they are stationed, how often and for what purpose the guard is opened, and so on. After assessing all of these factors, they decide whether or not they will validate it as Cat 3. Quite often they will. So, if they get in a machine that has an e/stop and a guard switch in series, they'll call company B to do the validation. Maybe it'll pass without any further modifications, maybe it won't - but it definitely won't if they call in company A.

All of the responses above are potentially valid observations, but they are absolutely not universal. And even if they can be justified and backed up, ultimately it doesn't matter if the person who's validating/assessing/reviewing your design has a different take on it.

As for my own opinion on the difference between Cat 3 and Cat 4? The only actual explicit difference I can find in the international machinery safety standard (ISO13849-1) is this:

Cat 3: Wherever reasonably practical, single faults will be detected at or before the next demand on the safety system (6.2.6)

Cat 4: A single fault will be detected at or before the next demand on the safety system (6.2.7)

"Wherever reasonably practical". Hardly a black and white, easily definable rule, is it!

 

[Sergei Troizky]

Just my 2c...
An example: validation company A will not validate anything as Cat 3 or 4 if there is an e/stop and a guard switch in series.

This is confusing me. How else can they be? In parallel? Assuming a safety relay, not a safety PLC.

Just my 2c...
The only actual explicit difference I can find in the international machinery safety standard (ISO13849-1) is this:
Cat 3: Wherever reasonably practical, single faults will be detected at or before the next demand on the safety system (6.2.6)
Cat 4: A single fault will be detected at or before the next demand on the safety system (6.2.7)

Again assuming a safety relay, and not a safety PLC, this is what I said:
Cat.3 may have EDM, Cat.4 must have it.

 

[ASF]

This is confusing me. How else can they be? In parallel? Assuming a safety relay, not a safety PLC.

Sorry, let me clarify - for a Cat 3 system, if I have a machine with one e/stop and one guard switch, company A won't validate it unless each of them have their own safety relay. If we get Company B instead, we can put both the e/stop and the guard switch in series into one common safety relay. They may or may not validate it, depending on other factors.

Again assuming a safety relay, and not a safety PLC, this is what I said:
Cat.3 may have EDM, Cat.4 must have it.

Yes...but again, all open to interpretation. EDM is not the only method of fault detection in play, so while it's a factor, it's not the only one. And again, company A might deem that in your situation, EDM is "reasonably practical", and so all of a sudden, you MUST have EDM on cat 3, or they won't validate it.

It's wide open. You can argue it 100 different ways, but at the end of the day, all you can do is find out the opinion of whoever the buck stops with, and make them happy.

 

[Christoff84]

Here's how the TUV Funtional Safety for Machinery defined CAT3 and CAT4:

Cat 3:
1) Well tried safety principles
2) Fault tolerance of ONE
3) Some but not all faults are detected
4) Accumulation of undetected faults can lead to loss of the safety function
5) Mainly characterised by structure to control random hardware fautls

CAT 4:
Same as above EXCEPT:
2) Fault tolerance of TWO
3) ALL faults are detected OR Fault accumulation does NOT lead to loss of the safety function

The way they defined them is they are both dual channel with monitoring, CAT 4 usually has pulse testing of the channels, but like every other ANSI/CSA/ISO/EN standard, it's open to interpretation.

One example that stuck out from the training was a tongue style safety switch. There is an exception for CAT 3 that allows a single tongue switch to be used and still meet dual channel. The tongue itself is a single point of failure, it breaks and you can't tell that its broken and stuck in the switch. CAT 4 does not allow that exception, you would need to use 2 switches as the odds of both breaking the same way at the same time are a lot smaller.

 

[Sergei Troizky]

Neither of slim safety relays (e.g. Allen Bradley MSR127 or Omron/Sti SR103) has pulse testing of the channels; still they are declared being Cat.4.

And an interesting detail: the manual of the latter directly states
"As well as the requirements of EN60204-1, the safety relay also fulfills the requirements for the safety category 4 as per EN954-1, on the condition that the start button between terminals S12 and S21 is not replaced by a bridge."
that is it cannot be wired for auto-reset.

 

[hd_coop]

Category 2 may have EDM, but is single-channel.
Category 3 is dual channel, but does not require fault diagnostics by definition.
Category 4 must have both dual channels and fault diagnostics, which is at least EDM.
See, for example, page 33 here:
http://www2.schneider-electric.com/...nt-manufacturers/pdf/Machine-safety-guide.pdf

I am referencing ISO13849-1, pages 33-36. Figures 10, 11 and 12 show the designated architectures for Categories 2, 3 and 4 respectively.

 

[hd_coop]

In which document is this stated?

I'm not sure this is explicitly stated in the standards.
I am a TUV Rheinland certified Functional Safety Engineer and was taught this in class by a TUV Rheinland Functional Safety Expert who sits on the boards which write the standards. With that said, my understanding of the situation is below on my memory from my training classes.

In the case of 3 guard switches in series with each other, you can open one guard door and lose your signal at your safety relay/PLC. If you then open and close a different guard door which has a FAULT (i.e. one channel fails to change state), your safety relay/PLC will not detect this fault. This is referred to as fault-masking because the first guard door being open prevents your logic device from detecting the fault on the second guard door. If you wire the guard switches into separate inputs, and not in series with each other, the logic device would have detected the fault condition.