Categories of behavior

Gate automation safety relies on the design of safety components.

We take a look at the categories of behavior of equipment.

Author: Huw Jones

Quis custodiet ipsos custodes?

What happens when the safety system fails? Who will watch the watchmen?

The safety components and safety control system need to be designed to be as reliable as possible. The methods used to ensure reliability then put the equipment into a "category of behavior", often (incorrectly) known as a "safety category".

Standards may then recommend to installers what category of equipment should be used.

The EN954-1 categories have since been superseded by a 'safety integrity level' or a 'performance level', which also consider the reliability of the safety devices. Fortunately, installers and homeowners do not need to read the standards set for the likelihood of failure.

EN954-1 defines risk as “the combination of the probability of occurrence of harm and the severity of that harm.”

Who is responsible?

Every automated gate is a bespoke machine. The installer is the machine's designer and manufacturer. Motors, controllers, and safety devices are no more than components used, as is the gate, the posts, and the gravel.

The installer is required to deliver a safe machine, according to his risk assessment. Safety publications and standards guide the installer to assess the risk. The installer must accurately and honestly declare the risks in a risk statement, and explain how each risk has been minimised by the design and user manual.

Once agreed, the owner of the machine takes responsibility for running and maintaining the machine. The installer is not legally required to comply with a standard. If he claims to have built the machine to a standard, any breach is only contractual.

The standards are addressed in greater detail in another article.

Who certifies a gate is safe?

The CE mark is the consumer's assurance that a product has been scrutinised by an authorised body. While it is illegal to import a machine into the euro zone without CE marking, it is acceptable for a manufacturer to self-certify a machine built within the zone.

Automated gates have been proven to be dangerous to the public, so they need to be classified in a way that allows scrutiny. It would be difficult to check every installation, so legislators have chosen to put the onus on the installer to design a safe machine within guidelines.

The installer applies the CE mark, and declares his certification within the machine's documentation. All standard components used need to have their own CE marks. The 'category of behavior' chosen for each safety critical component is justified in terms of the risk perceived by the machine manufacturer.


Choosing the Category

Category of behavior assessment chart

In building the machine, the installer needs to assess the risk of failure of safety critical components.

EN954-1 judges not only the probability of failure, but the consequence of that failure as well. The chart prompts installers to choose equipment appropriate for the risk level. These are obviously not the binary choices the chart suggests. The priority of choices is:

  1. severity of injury (from slight to serious),
  2. frequency of exposure (from rare to frequent), and
  3. possibility of avoidance (from possible to virtually impossible).

The level of behavior (B, 1, 2, 3, 4) is a consequence of this prioritised decision making. The installer arrives at a required category for each safety related part, and is encouraged to trade up to a component with a higher level of behavior.

Category B

Basic control circuits in which a single fault can lead to the loss of the safety function.


Category 1

The occurrence of a fault can still lead to the loss of the safety function, but with lower probability. Manufacturers use well-tried components operated well within their tolerance margins.


Category 2

The safety of the device is tested at suitable time intervals to detect the loss of a safety function. A fault leading to loss of the safety function can occur between tests. For an automated gate, it is appropriate to test the safety function before each gate run cycle. An example of this would be to test the photobeam function.


Category 3

If one fault occurs in a Category 3 part, safety is maintained. Some faults are detected and mitigated, but not all. It is possible for an accumulation of undetected faults to lead to loss of safety.


Category 4

If one fault occurs, safety is maintained. The fault is detected at or before the next demand on the safety function, or an accumulation of faults must not lead to loss of safety. An example would be a constantly self-testing sub-system that reports back before a risk situation occurs.


Case study: power station

Imagine you are designing a nuclear power station. Every weld is tested, every pipe is pressure tested, because the consequence could be catastrophic. On the chart, the minimum category would be 2 or 3. Having lived through a catastrophic nuclear failure, a second relay or sensor does not seem an appropriate safeguard. Even though the failure is considered infrequent, the severity is high and across whole nations of people.

The human factor at Chernobyl was the weak link. There is an analogy with risk in a gate system: a person with a 'hold to run' control may operate a gate without any safety devices while in visual contact.

Case study: a satellite

MTTF is the mean time to fix. As a concept, it is the engineering cost to keep the machine running. Consider designing reliability into a satellite. The MTTF of a satellite is forever, and the stresses involved in launching a satellite are not as well understood as those on the systems in a car. The physical design of a satellite needs to be almost bullet proof.

The way a satellite increases the reliability of sensors and control systems is to have three of every binary thing: three temperature sensors, three computers, three transmitters. If one sensor gives a different reading from the others, that reading can be disregarded. Redundancy is a key factor in Categories of Behavior, and more so where the consequence of failure is danger to the public or complete loss of service.

Another example of long MTTF is a refrigerator motor. The refrigerant is toxic, so the motor and pump are sealed together. If the motor fails, the refrigerator is junked. The design priority is high reliability.


Example 1: photobeam failure

Take a simple photobeam. The safety circuit uses the normally open contact of the device's relay, but the relay is powered ON in the safe condition. The relay contact as presented to the gate control panel will therefore go to the unsafe state if:

  • the power to the photobeam is lost
  • the signal wire to the controller breaks
  • the control panel or photobeam connector fails
  • the relay on the photobeam fails to switch

In some older photobeams, two relays were used. One relay would switch on while the other would switch off, making the output state subject to two relays acting correctly. This redundancy improves reliability.

Example 2: phototest (Cat 2)

The optional phototest function, widely adopted by control panels, is a feature that an installer might include in his risk statement.

Before each gate movement, the safety device power supply is switched off. As a result, the input to the controller is expected to go to the 'UNSAFE' state within 70 ms. This test qualifies the system as Category 2.

However, two or more photobeam contacts are often wired in series into the same controller input. Only one functioning device needs to pass the test for all the devices to be reported OK. This would need to be declared in the risk statement.
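As an added example that is not part of the original article, the photobeam chain of Examples 1 and 2 modelled in Python: the `Photobeam` class, its `welded` fault and the omission of the 70 ms timing are assumptions, the rest follows the text. It shows the Example 1 faults presenting as UNSAFE (the fail-safe direction), and why a welded contact in one of several series-wired devices survives the phototest while the same fault in a single device is caught.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Photobeam:
    """Photobeam whose relay is energised (contact closed) in the safe condition."""
    powered: bool = True
    beam_clear: bool = True
    welded: bool = False   # assumed fault model: relay contact stuck closed

    def contact_closed(self) -> bool:
        # The normally-open contact closes only while the coil is energised,
        # so loss of power or a broken beam both present as open (UNSAFE):
        # the fail-safe direction. A welded contact reads closed regardless.
        return self.welded or (self.powered and self.beam_clear)


def controller_input(beams: List[Photobeam], wiring_intact: bool = True) -> str:
    """Series-wired contacts: SAFE only if every contact is closed and no wire is broken."""
    if not wiring_intact:
        return "UNSAFE"        # broken signal wire or failed connector opens the loop
    return "SAFE" if all(b.contact_closed() for b in beams) else "UNSAFE"


def phototest(beams: List[Photobeam]) -> bool:
    """Pre-movement test: cut device power and expect the input to read UNSAFE.

    A healthy chain drops to UNSAFE and the test passes; power is then restored.
    """
    for b in beams:
        b.powered = False
    dropped = controller_input(beams) == "UNSAFE"
    for b in beams:
        b.powered = True
    return dropped


def welded_contact_masked(beams: List[Photobeam]) -> bool:
    """True when a welded contact exists but the phototest still passes."""
    return any(b.welded for b in beams) and phototest(beams)


if __name__ == "__main__":
    single = [Photobeam(welded=True)]
    print("single welded beam, test passes:", phototest(single))        # False: detected
    pair = [Photobeam(), Photobeam(welded=True)]
    print("two in series, one welded, test passes:", phototest(pair))  # True: masked
    print("fault masked:", welded_contact_masked(pair))                # True
```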

Example 3: 8k2 safety edges

A resistive safety edge is a length of malleable tube. Pressure on the tube shorts out conductive strips. The edge's own safe condition is open circuit; fitting a termination resistor of 8k2 gives a target value for a complete edge.

The processor will accept 8k2 or below 100R as acceptable values. Anything else is a fault. Because the value is continually monitored at the processor terminals, a fault shows even when the gate is stationary.

An 8k2 processor should be a continually monitored Category 4 sub-system. More than one 8k2 processor NC contact wired in series to a single controller input remains Category 4.

Safety edges with a NC contact are more difficult. A single contact can meet Category 2 with a phototest function. More than one NC contact wired in series to a single controller input cannot be Category 2.
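The 8k2 acceptance window described above, as an added Python model that is neither the article's nor any controller manufacturer's code; the ±10% band around 8k2 and the function names are assumptions. Going slightly beyond the text, it also shows how common wiring mistakes fall outside the window and so are flagged, and why a plain NC contact cannot report a bridged terminal.

```python
import math

TERMINATOR_OHMS = 8200      # 8k2 termination resistor at the far end of the edge
TOLERANCE = 0.10            # assumed +/-10% acceptance band around 8k2
ACTIVATED_MAX_OHMS = 100    # "below 100R": pressure has shorted the strips
OPEN_CIRCUIT = math.inf     # broken wire: no termination resistor is seen at all


def classify_edge(resistance_ohms: float) -> str:
    """Classify one input reading as 'idle', 'activated' or 'fault'."""
    if resistance_ohms < ACTIVATED_MAX_OHMS:
        return "activated"                 # edge pressed: stop/reverse the gate
    low = TERMINATOR_OHMS * (1 - TOLERANCE)
    high = TERMINATOR_OHMS * (1 + TOLERANCE)
    if low <= resistance_ohms <= high:
        return "idle"                      # complete, unpressed edge
    return "fault"                         # anything else, open circuit included


def movement_permitted(resistance_ohms: float) -> bool:
    """A run may start only while the circuit reads idle. The value is checked
    continually, so a fault is flagged even with the gate stationary."""
    return classify_edge(resistance_ohms) == "idle"


def parallel_ohms(*branches: float) -> float:
    """Combined resistance of terminated edges wired in parallel by mistake."""
    return 1 / sum(1 / r for r in branches)


def nc_contact_input(edge_pressed: bool, wiring_bridged: bool = False) -> str:
    """A plain NC-contact edge only offers closed (idle) or open (activated);
    a wiring fault bridging the terminals is indistinguishable from idle."""
    return "idle" if (wiring_bridged or not edge_pressed) else "activated"


if __name__ == "__main__":
    # Constructed readings, not measurements from any real installation.
    for label, ohms in [("unpressed edge", 8200), ("pressed edge", 40),
                        ("broken wire", OPEN_CIRCUIT),
                        ("two terminated edges in parallel", parallel_ohms(8200, 8200)),
                        ("two terminated edges in series", 8200 + 8200)]:
        print(f"{label:34s} {ohms:>8} -> {classify_edge(ohms)}")
    print("NC contact, pressed but terminals bridged ->",
          nc_contact_input(edge_pressed=True, wiring_bridged=True))
```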

Example 4: hinge straps

Failing hinges have been named as one of the DHF's 7 deadly sins. On the tests of injury, frequency, and possibility, a falling gate would score high on severity of injury.

Encoder based controllers are likely to detect the increased backlash of a failing hinge, so 'frequency' would be lower. As general maintenance, it should be the responsibility of the site owner to inspect the gate regularly. It is an easy problem to avoid (possible) with a safety strap, which qualifies as Category 3 behavior.

Fire Regulations require fire doors to be fitted with 3 hinges, which is another solution to a failing hinge.


Conclusions

Yes, safety is important, but there seems to be the hand of convenience oiling the wheels of industry.

Unlike other product certifications (e.g. UL, CSA), many CE products do not require a third party certification body to be involved. A tradesman without any training can self-certify this machine, which has proven to have been involved in the deaths of children (always innocent) while under the supervision of (not necessarily intelligent) adults.

Meanwhile the tradesman, not required to be fluent in any European language, is required to buy safety standards from BSI or other publishers. In what sane world do we charge the tradesmen for safety information?