Showing posts with label Common Cause Failure.

What Should I Design To: Performance Levels Or Safety Categories?


With last year's revision of AS 4024.1:2014 designers of safety control systems now have two options:
  1. Design to Safety Categories (AS 4024.1501), or 
  2. Performance Levels (AS 4024.1503)
Why does the series have two options? Which option should be used? Wouldn't it be much easier if the series gave a single direction for design guidance?

As explained in AS 4024.1100:2014, the standards are in a transition phase that mirrors the process followed by the international standards. Internationally, Performance Levels replaced Safety Categories in 2012 after a five-year transition period during which the two standards ran in parallel. The Australian standards are now entering a similar transition phase. It was decided that an instant changeover would not be achievable, because the industry needs time to become familiar with Performance Levels, so the two methods will run in parallel during this period.

Which design method should you use? 
Most safety control systems can be designed to either Performance Levels or Safety Categories, but here are some reasons why you may want to use certain sections of AS 4024.1503 even if you design to Safety Categories.

  • Common Cause Failures (CCF). To learn more about CCFs and for guidance, refer to the previous post titled 'New series provides guidance on Common Cause Failure'. I would recommend using the common cause method in Annex F of AS 4024.1503 for any CAT 2, 3 or 4 system.
  • Guidance for developing safety software. If you are developing or maintaining software for programmable safety devices, then section 4.6 of AS 4024.1503 is the only guidance on software development that you will find in the AS 4024.1:2014 series.
  • Component reliability. If you are designing a CAT 1 system, I would recommend calculating a Mean Time To dangerous Failure (MTTFd) for your safety system using section 4.5.2 of AS 4024.1503. CAT 1 is highly dependent on component reliability, so ensure your CAT 1 system has an MTTFd of 'high'.
  • Architecture flexibility. Safety Categories under AS 4024.1501 can be inflexible about the architecture of the safety system and will generally push the design towards conservative architectures with redundancy. By using Performance Levels you will find greater flexibility in the architecture of the safety system; for example, Table 7 of AS 4024.1503 shows that a CAT 1, 2 or 3 architecture can be used to achieve the same risk reduction level.
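The MTTFd point above is easiest to see with numbers. The script below is an added worked example (not code from the blog post or from the standard): it estimates a single-channel CAT 1 function's MTTFd with the parts-count method and the B10d conversion used in the ISO 13849-1 family that AS 4024.1503 adopts, then places the result in the low/medium/high band. The band limits, the 100-year channel cap and every component figure are assumptions constructed for illustration; check the limits against your copy of section 4.5.2 and use real manufacturer data for a design.

```python
"""Parts-count MTTFd estimate for a single-channel (CAT 1) safety function.

Added worked example; not code from the blog post or from the standard.
The formulae are the ones used in the ISO 13849-1 family that AS 4024.1503
adopts (assumed; verify band limits and the 100-year channel cap against your
copy of section 4.5.2). All component figures below are constructed, not vendor data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# MTTFd bands per channel, in years: (name, lower bound inclusive, upper bound exclusive).
# Assumed to match the 'low / medium / high' classification in AS 4024.1503.
MTTFD_BANDS: Tuple[Tuple[str, float, float], ...] = (
    ("low", 3.0, 10.0),
    ("medium", 10.0, 30.0),
    ("high", 30.0, 100.0),
)
MTTFD_CHANNEL_CAP_YEARS = 100.0   # a channel is never credited with more than this (assumed)


@dataclass
class Component:
    name: str
    mttfd_years: float   # this component's own MTTFd, in years


def operations_per_year(days_per_year: float, hours_per_day: float,
                        seconds_per_cycle: float) -> float:
    """nop: mean number of operations per year of an electromechanical part."""
    return days_per_year * hours_per_day * 3600.0 / seconds_per_cycle


def mttfd_from_b10d(b10d_cycles: float, nop: float) -> float:
    """Convert a B10d figure (cycles until 10 % have failed dangerously) to MTTFd in years."""
    if b10d_cycles <= 0 or nop <= 0:
        raise ValueError("B10d and nop must be positive")
    return b10d_cycles / (0.1 * nop)


def channel_mttfd(components: List[Component]) -> float:
    """Parts-count method: 1/MTTFd_channel = sum(1/MTTFd_i), capped at 100 years."""
    if not components:
        raise ValueError("a channel needs at least one component")
    inverse_sum = sum(1.0 / c.mttfd_years for c in components)
    return min(1.0 / inverse_sum, MTTFD_CHANNEL_CAP_YEARS)


def classify_mttfd(mttfd_years: float) -> str:
    """Return the band name, or 'not acceptable' below the floor of the 'low' band."""
    if mttfd_years < MTTFD_BANDS[0][1]:
        return "not acceptable"
    for name, low, high in MTTFD_BANDS:
        if low <= mttfd_years < high:
            return name
    return MTTFD_BANDS[-1][0]   # exactly at the cap


def cat1_channel_example() -> Tuple[float, str]:
    """Constructed CAT 1 channel: guard interlock switch, contactor and a safety relay."""
    # 250 days x 16 h x one cycle every 144 s = 100 000 operations per year
    nop = operations_per_year(days_per_year=250, hours_per_day=16, seconds_per_cycle=144)
    parts = [
        Component("guard interlock switch", mttfd_from_b10d(2_000_000, nop)),   # 200 years
        Component("main contactor", mttfd_from_b10d(1_300_000, nop)),           # 130 years
        Component("safety relay (manufacturer MTTFd, constructed)", 100.0),
    ]
    total = channel_mttfd(parts)
    return total, classify_mttfd(total)


if __name__ == "__main__":
    years, band = cat1_channel_example()
    print(f"channel MTTFd = {years:.1f} years -> {band}")
```

Note how three individually strong parts (200, 130 and 100 years) combine to roughly 44 years for the channel: the parts-count sum of reciprocals is dominated by the weakest part, which is why a CAT 1 design with no redundancy needs every component's MTTFd checked, not just the switch's.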

So, be aware that the standards are transitioning away from Safety Categories. During this phase Safety Categories and Performance Levels will run in parallel; this should be seen as providing more choice to safety designers, not confusion. As mentioned above, there are some useful sections in AS 4024.1503 that will improve the design of safety systems, even if those systems are designed to the requirements of Safety Categories. By using these sections of AS 4024.1503 you will design better safety systems, have more flexibility in your system design, and be better placed to cope with future changes to the AS 4024.1 series.


Published: 11 August 2015

New series provides guidance on Common Cause Failure (CCF)


What is a common cause failure (CCF)? CCF is a term that has much more significance in the new AS 4024.1 series. A good description of CCF can be found in a very trusted reference... TV! If you have ever watched Air Crash Investigation then you may be familiar with the 'Swiss Cheese Model'.


In the Swiss cheese model, if the holes in the multiple layers of cheese line up then a single path through all the layers exists, and the safety critical system has failed. CCF is an example of this occurring in machine safety systems. If we think of a dual channel system, a CCF would be both channels failing at the same time due to a common event, for example:
  • Two independent switches on a guard failing because the ambient temperature is above their rating
  • Two independent safety channels having erroneous signals induced on them from the same source of electromagnetic noise
  • Two mechanical switches on a guard fracturing due to a single impact event on that guard door
The above explanation shows how threatening common cause failure can be to a safety system. We generally design machine safety systems with two channels when the risk of the application is high; this provides redundancy so the system can tolerate a fault on a single channel. However, if the system hasn't been designed to avoid CCF, there is a real chance that a single event will defeat both channels and the system will fail.

For this reason, whether you are designing systems to categories (AS 4024.1501) or performance levels (AS 4024.1503), CCF should be a consideration for any multiple channel architecture. Unfortunately the previous version of AS 4024.1 didn't have any usable process to avoid CCF; however, this has been rectified in the new version of the series released in 2014.

AS 4024.1503:2014 Annex F contains a test for common cause failure that can be used to determine whether the safety system has been designed to avoid CCF to an acceptable level. I would recommend that any machine safety system designed to architecture CAT 2, 3 or 4 be analysed with the process from Annex F. This is the only usable guidance in the AS 4024.1 series for designing safety control systems to avoid CCF.
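To show what the Annex F style of test does with the three failure examples above, here is an added score-sheet script; it is not code from the blog post or from the standard. The measure list, the points and the 65-point pass mark are written from my recollection of the ISO 13849-1 Annex F form that AS 4024.1503 adopts, so treat them as assumptions and check them against your copy of the standard before relying on a result. The dual-channel guard case it scores is constructed.

```python
"""Common cause failure (CCF) score sheet for a multi-channel safety function.

Added worked example, not code from the blog post or the standard. The measures,
points and PASS_THRESHOLD are as recalled from the ISO 13849-1 Annex F form that
AS 4024.1503 adopts; they are assumptions to be verified against the standard.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PASS_THRESHOLD = 65   # assumed minimum total for 'CCF sufficiently avoided'

# measure id -> (description, points). Points are all-or-nothing: a measure that
# is only partly implemented scores zero for the whole measure.
CCF_MEASURES: Dict[str, Tuple[str, int]] = {
    "1":   ("Separation/segregation: physical separation between signal paths "
            "(separate wiring, adequate clearance and creepage on circuit boards)", 15),
    "2":   ("Diversity: different technologies, designs or physical principles in the "
            "channels (for example one programmable channel and one hardwired channel)", 20),
    "3.1": ("Protection against over-voltage, over-pressure, over-current, "
            "over-temperature and similar stresses", 15),
    "3.2": ("Well-tried components used", 5),
    "4":   ("Assessment/analysis: an FMEA has been carried out to identify CCF "
            "and its results used in the design", 5),
    "5":   ("Competence/training: designers and maintainers understand the "
            "causes and consequences of CCF", 5),
    "6.1": ("Environmental: EMC immunity for electrical systems, or filtering and "
            "contamination protection for fluid systems", 25),
    "6.2": ("Environmental: other influences (temperature, shock, vibration, "
            "humidity) considered and the system rated for them", 10),
}


@dataclass
class CcfResult:
    score: int
    passed: bool
    missing: List[Tuple[str, str, int]]   # measures not claimed: (id, description, points)


def score_ccf(implemented: Iterable[str]) -> CcfResult:
    """Total the points for the measures claimed and list what is still missing."""
    claimed = set(implemented)
    unknown = claimed - set(CCF_MEASURES)
    if unknown:
        raise ValueError(f"unknown measure ids: {sorted(unknown)}")
    score = sum(pts for mid, (_, pts) in CCF_MEASURES.items() if mid in claimed)
    missing = [(mid, desc, pts) for mid, (desc, pts) in CCF_MEASURES.items()
               if mid not in claimed]
    return CcfResult(score, score >= PASS_THRESHOLD, missing)


def dual_channel_guard_example() -> CcfResult:
    """Constructed dual-channel guard interlock: separated wiring, surge protection,
    well-tried switches, an FMEA and trained staff, but two identical switches
    (no diversity) and no EMC or temperature rating check."""
    return score_ccf(["1", "3.1", "3.2", "4", "5"])


if __name__ == "__main__":
    result = dual_channel_guard_example()
    print(f"score {result.score}/100 -> {'pass' if result.passed else 'FAIL'}")
    for mid, desc, pts in result.missing:
        print(f"  missing {mid} ({pts} pts): {desc}")
```

The constructed guard scores 45 and fails, and the missing list is exactly the three scenarios from the bullet points: over-temperature switches (measure 6.2), electromagnetic noise on both channels (6.1) and identical switches breaking under one impact (2, diversity). Claiming the two environmental measures after rating the switches and filtering the inputs lifts the sheet to 80, which is how the test turns "design to avoid CCF" into a concrete checklist.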

Other parts of the 2014 version of AS 4024.1 also provide guidance on designing to avoid CCF for common safety functions. For example, AS 4024.1602:2014 Clause 8.3 provides excellent guidance on how to prevent common cause failures in interlocking guard functions.

This is an example of the improvements that have been made in the new 2014 version of the AS 4024.1 series. We will be exploring some of the new features of AS 4024.1 in many of the safety blog topics this year. If you missed our last topic, Safety Systems Must Be Designed For Productivity, be sure to check it out, as it explored how the 2014 version of AS 4024.1602 can help you design interlock guards that operators won't defeat.

Don't be a Robbo or Danny boy, protect yourself from common cause failure.


Published: 12 February 2015