
New series provides guidance on Common Cause Failure (CCF)


What is a common cause failure (CCF)? CCF is a term that has much more significance in the new AS 4024.1 series. A good description of CCF can be found from a very trusted reference...TV! If you have ever watched Air Crash Investigation then you may be familiar with the 'Swiss Cheese Model'.


From this Swiss cheese model, it can be seen that if the holes in the multiple layers of cheese line up, a single path through all the layers exists and the safety critical system has failed. CCF is an example of this occurring in machine safety systems. If we think of a dual channel system, a CCF would be both channels failing at the same time due to a common event, for example:
  • Two independent switches on a guard failing because the ambient temperature is above their rating
  • Two independent safety channels having erroneous signals induced on them from the same source of electromagnetic noise
  • Two mechanical switches on a guard fracturing due to the one impact event of that guard door
The above explanation shows how threatening common cause failure can be to a safety system. We will generally design machine safety systems with two channels when the risk of the application is high; this provides redundancy so the system can tolerate a fault on a single channel. However, if the system hasn't been designed to avoid CCF, then there is a real chance that a single event will defeat both channels and the system will fail.

For this reason, whether you are designing systems to categories (AS 4024.1501) or performance levels (AS 4024.1503), CCF should be a consideration for any multiple channel architecture. Unfortunately the previous version of AS 4024.1 didn't have any usable process to avoid CCF; this has been rectified in the new version of the series released in 2014.

AS 4024.1503:2014 Annex F contains a test for common cause failure that can be used to determine whether the safety system has been designed to avoid CCF to an acceptable level. I would recommend that any machine safety system designed to architectures cat. 2, 3 or 4 be analysed with the process from Annex F. This is the only usable guidance in the AS 4024.1 series for designing safety control systems to avoid CCF.
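As an added illustration (not from the post or the standard's text) of how such a CCF test is worked through, the script below scores a dual channel design against a checklist of CCF-avoidance measures. The measure names, point values and 65-point pass mark are this editor's recollection of ISO 13849-1 Annex F Table F.1, which AS 4024.1503 adopts, and are assumptions to be checked against the standard; the two designs are constructed to match the first CCF case in the post (identical switches both rated below the ambient temperature).

```python
"""CCF scoring checklist in the style of AS 4024.1503 / ISO 13849-1 Annex F."""
from __future__ import annotations

# Measures and points as this editor recalls ISO 13849-1 Table F.1 (assumed,
# verify against the standard). Each measure is all-or-nothing: a partly
# fulfilled measure scores zero, so the assessment maps names to booleans.
CCF_MEASURES: dict[str, tuple[int, str]] = {
    "separation":     (15, "Physical separation/segregation of signal paths"),
    "diversity":      (20, "Different technologies or principles in each channel"),
    "design_protect": (15, "Protection against over-voltage/-pressure/-current"),
    "well_tried":     (5,  "Well-tried components used"),
    "fmea":           (5,  "FMEA carried out to identify CCF sources"),
    "training":       (5,  "Designers trained to recognise causes of CCF"),
    "emc":            (25, "EMC immunity tested; contamination prevented"),
    "environment":    (10, "Temperature, shock, vibration, humidity considered"),
}
PASS_SCORE = 65  # assumed pass mark for the checklist


def ccf_score(met: dict[str, bool]) -> tuple[int, bool, list[str]]:
    """Return (score, passed, measures_not_met) for one design assessment."""
    unknown = set(met) - set(CCF_MEASURES)
    if unknown:
        raise ValueError(f"unknown measures: {sorted(unknown)}")
    score = sum(pts for name, (pts, _) in CCF_MEASURES.items() if met.get(name))
    not_met = [name for name in CCF_MEASURES if not met.get(name)]
    return score, score >= PASS_SCORE, not_met


# Constructed design 1: two identical switches, wiring separated, but no
# diversity, no CCF analysis, no EMC testing and the temperature rating of
# the switches never checked against the ambient temperature.
IDENTICAL_SWITCHES = {
    "separation": True, "diversity": False, "design_protect": True,
    "well_tried": True, "fmea": False, "training": False,
    "emc": False, "environment": False,
}
# Constructed design 2: diverse switch technologies, EMC immunity tested and
# the environmental ratings checked; analysis and training still outstanding.
DIVERSE_SWITCHES = dict(IDENTICAL_SWITCHES, diversity=True, emc=True, environment=True)

if __name__ == "__main__":
    for label, design in (("identical", IDENTICAL_SWITCHES), ("diverse", DIVERSE_SWITCHES)):
        score, ok, gaps = ccf_score(design)
        print(f"{label}: {score} points, {'pass' if ok else 'FAIL'}, not met: {gaps}")
```

The second design passes on points while still leaving two measures open, which is the reason the Annex F score is a minimum bar rather than a substitute for addressing each listed CCF source.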

Other parts in the 2014 version of AS 4024.1 also provide guidance on designing to avoid CCF for common safety functions. For example, AS 4024.1602:2014 Clause 8.3 provides excellent guidance on how to prevent common cause failures in interlock guard functions.

This is an example of the improvements that have been made with the new 2014 version of the AS 4024.1 series. We will be exploring some of the new features of AS 4024.1 in many of the safety blog topics this year. If you missed our last topic, Safety Systems Must Be Designed For Productivity, be sure to check it out, as it explored how the 2014 version of AS 4024.1602 can help you design interlock guards that operators won't defeat.

Don't be a Robbo or Danny boy, protect yourself from common cause failure.


Published: 12 February 2015

Safety Systems Must Be Designed For Productivity


I don’t care if your safety system is CAT 4, PL e or SIL 3, if it significantly interferes with the use of the machine then it’s unsafe. Anyone who works with machinery has seen safety systems that are designed as an afterthought in an ad hoc fashion. For example:

  • Machines where the operator needs to bypass the safety system to set up or clean the machine
  • Machines where guards don’t allow the visibility required for the task
  • Safety procedures that are time consuming and become ignored

So how do we avoid these common issues? Guidance is now at hand with the new Australian Standard for Interlocking Design and Principles, AS 4024.1602:2014.

This standard has a method to identify whether the proposed safety system will create a motivation to defeat. Firstly, the designer must identify the modes of operation; common modes would be normal operation, manual operation, cleaning, maintenance, etc. The designer then needs to identify what tasks are performed in these different modes of operation.

The method then assesses whether the safety system allows the task to be performed in that mode. If not, a redesign of the safety system is required to allow for this activity.

If the safety system does allow the task to be performed, the designer still needs to analyse whether the safety system interferes with this activity. For example, there might be motivation to defeat the system for these typical reasons:

  • The task can be performed much quicker if the safety system is defeated
  • The safeguard restricts visibility or audibility required to perform the task properly
  • The safety procedure requires much more physical travel
  • The safety system restricts movement and adds difficulty in performing the task

If motivation to defeat is discovered, then design measures that will eliminate or minimise this motivation must be considered, for example providing a transparent guard to allow the visibility required to perform the task. If there aren't ways to minimise the motivation for defeat, then the standard recommends measures that make defeat difficult, for example selecting highly coded safety interlock devices that are hard to defeat.

Design of interlocking systems to reduce motivation for defeat has always been a consideration in the safety standards, but now a formalised method is available for use. It is hoped that safety systems will be designed with the operation of the machine in mind so we can avoid non-productive safety systems that encourage defeat and create unsafe practices.

Published: 12 December 2014

Is one tongue interlock switch acceptable for CAT 3?


Category 3 is a very common, if not the most common, risk level in machine safety applications. The Category requires that a single fault cannot lead to a loss of the safety function. Many machines claim a Category 3 level with the use of 2 channels through one tongue interlock switch. However, if the tongue were to mechanically fail, which is a single failure, this could lead to a loss of the safety function.

How is this possible?

This can only be achieved through fault exclusion. Fault exclusion can be claimed by the designer if there is evidence to suggest that the probability of the fault occurring is negligible. AS 4024.1502 Table A4 lists the considerations for mechanical fault exclusion for a device such as a tongue actuator; the following aspects need to be addressed in the system design:
  • Wear/corrosion
  • Un-tightening
  • Fracture
  • Deformation due to over stressing
  • Sticking
This may be technically true, but is it good design practice to use a single tongue interlock switch for a Category 3 system?

Thankfully a new international standard, ISO 14119:2013, has been developed to give some more guidance. This standard will soon be adopted into the new revision of the AS 4024.1 series.

This standard states that for risk levels equivalent to Category 4, it is not normally justifiable to exclude faults such as broken actuators. However, for a risk level of Category 3 a full justification could be provided to exclude the fault of a broken actuator. The standard provides more guidance in Appendix G, where an example Category 3 system is shown. In this example two mechanically independent interlock switches are used to fulfil the single fault requirements of Category 3.

The standard also provides guidance on how to avoid intentional tampering with or defeating of the safety devices. In Table 3 a tongue interlock switch is classed as a Type 2 device, which means the shape of the tongue provides only a low level of mechanical coding. Because the coding is only low level, it is recommended to provide a second interlock switch to reduce the probability of the system being defeated.

In conclusion, if a full fault exclusion is documented for the actuator failure, ISO 14119:2013 does deem this acceptable for a Category 3 risk level. However, I believe this new interlocking standard is recommending the use of a second, mechanically independent device when using a tongue interlock switch for Category 3 or 4 systems, both to meet the single fault requirements and to minimise the chance of defeat.
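The single fault argument in this post can be checked mechanically. The script below is an added example (not from the post or either standard): it models each channel as the set of parts it depends on, where a part "failing" means a dangerous failure that leaves its channel still indicating a closed guard, and enumerates every single fault to see which ones remove the safety function. Part names are constructed; the shared "tongue" in the first design is the single actuator both channels pass through.

```python
"""Single-fault enumeration for a Category 3 guard interlock (added example)."""
from __future__ import annotations
from itertools import chain

# Each channel lists the parts it depends on (constructed names). The safety
# function is available while at least one channel has every part healthy.
ONE_TONGUE_TWO_CHANNELS = {
    "ch1": {"tongue", "switch_A_contact1", "wiring1", "relay1"},
    "ch2": {"tongue", "switch_A_contact2", "wiring2", "relay2"},
}
TWO_INDEPENDENT_SWITCHES = {
    "ch1": {"tongue_A", "switch_A", "wiring1", "relay1"},
    "ch2": {"tongue_B", "switch_B", "wiring2", "relay2"},
}


def function_available(channels: dict[str, set[str]], failed: set[str]) -> bool:
    """True if some channel has none of its parts in the failed set."""
    return any(not (parts & failed) for parts in channels.values())


def single_fault_defeats(channels: dict[str, set[str]],
                         excluded: frozenset[str] = frozenset()) -> list[str]:
    """Parts whose lone dangerous failure removes the safety function.

    Parts in `excluded` are treated as fault-excluded and skipped; this is the
    claim (wear, un-tightening, fracture, deformation, sticking all addressed)
    that a designer must document to make a single-tongue design Category 3.
    """
    parts = set(chain.from_iterable(channels.values())) - set(excluded)
    return sorted(p for p in parts if not function_available(channels, {p}))


if __name__ == "__main__":
    print("one tongue, no exclusion:", single_fault_defeats(ONE_TONGUE_TWO_CHANNELS))
    print("one tongue, tongue excluded:",
          single_fault_defeats(ONE_TONGUE_TWO_CHANNELS, frozenset({"tongue"})))
    print("two independent switches:", single_fault_defeats(TWO_INDEPENDENT_SWITCHES))
```

The single-tongue design only meets the Category 3 single fault requirement once the tongue is removed from the enumeration by a documented fault exclusion; the two-switch design meets it without any exclusion.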


Published: 8 May 2014