Summary This study was initiated by an October 25, 2013 letter written by a Union member of the sub-committee on hoisting machines of the Commission de la santé et de la sécurité du travail (CSST)1. The letter asked the sub-committee to mandate the Institut de recherche Robert-Sauvé en santé et en sécurité du travail (IRSST) to evaluate emergency arrest systems (safety catches and other systems) for mine conveyances in use worldwide, ultimately with a view to modernizing the safety catches required on mine conveyances in Québec. The first part of the study, submitted on June 5, 20142, presented a general review of the literature on safety catches and hoist ropes. The second part – on possible solutions for preventing rope severance and the resulting cage crashes – was first presented to the subcommittee in September 2014 and officially submitted in September 20153. This third and last part of the study focuses on loss of control of cage movement, potentially causing it to crash, and more specifically, on the reliability of control systems and safety instrumented systems (SISs). The chapters of this Part 3 report present the different layers in the layers-of-protection concept. The second chapter presents methods for analyzing the performance of prevention and protection mechanisms. These analytical methods are widely used in the machine safety community, but were only recently introduced into the mining sector in the United States. Analysis of safety systems must be comprehensive and initiated right from the design phase. Defence in Depth (DiD) provides a first method of protection: multiple overlapping layers are responsible for maintaining system safety: if a failure occurs at one level, the next level is designed to contain the problem. The safety barriers put in place, also known as risk control measures, may be technical, human, or both, and perform safety functions. Layer of Protection Analysis (LOPA) is a risk analysis method based on the DiD concept (layers of protection), but also incorporates the notion of safety barriers. This commonly used method in the chemical process industry can nonetheless be expanded to all industrial sectors that have a safety component. An Independent Protection Layer (IPL) criterion can be added to prevent common cause failures or common mode failures. The general concepts presented in Chapter 2 are applied in the following chapters, which detail the risk control mechanisms layer by layer. Layer of Protection 3 – “alarms and human intervention” – is presented in Chapter 3. Alarms and human intervention include means of monitoring the cage (position, speed, direction, load, acceleration, etc.). Hoist control systems, both mechanical and electronic, also fall in this layer, as does the emergency arrest system (manual intervention safety system). The emergency arrest sequence, relatively simple in the days when it involved an electromechanical system, today includes more elements when it integrates a logic process. Safety-instrumented systems (SISs), which correspond to layer 4, are discussed in Chapter 4. SISs perform a safety function (e.g. stop function). Safety is assured by the safety function requirements (performed by the function) and the safety integrity requirements (probability that the function performs correctly). An SIS usually comprises detection elements (sensors), logic-solving elements, and action elements (actuators), and can function equally with hardwired or programmable technology. SISs sometimes share elements with the control system or control loops. This often helps reduce costs, but does not meet the IPL criterion. Levels of integration of the SIS and control system vary, offering both advantages and disadvantages in terms of safety (and costs). The standards applicable to SISs fall into two main families: IEC 61508 and 62061, or ISO13849-1. Standard ISO 13849-1 applies to all control systems on all machines, whereas Standard IEC 62061 applies only to control systems on machines using electrical, electronic or programmable electronic systems. These two standards provide methods for designing and analyzing SISs. They make it possible to evaluate the probability of failure of SISs (Safety integrated Level, or SIL, in the IEC family; and Performance Level, or PL, in the ISO family). An attempt was made in 2012 to merge standards ISO 13849 and IEC 62061 into a single standard, temporarily numbered ISO/IEC 17305. The SISs of hoisting machines are implicitly covered in the regulations of several Canadian provinces or American states, for example, when they mention that the machine must be stopped automatically if certain limits are exceeded. In Québec, section 233 of the Regulation respecting occupational health and safety in mines (ROHSM), which spells out the different conditions for the immediate arrest of the hoisting machine, also describes the safety functions of the corresponding SIS. At the end of the SIS sequence is the hoist brake or rope brake. Hoist brakes are fairly well known, while rope brakes have been tried out in mines in the United States, either on friction hoists or on drum hoists. Software safety, which is involved at both layers 3 and 4, is described in Chapter 5. Safe software should contain no faults at the design phase and be able to withstand faults during performance; the designers should anticipate any faults and eliminate them during the verification phases. The chapter provides several examples of software failures, notably involving the Therac-25 disaster and an electronic car injection device, as well as two accidents that occurred in Québec during modification of control software programs. The “layer of protection” concept can be extended to the software part of the SIS. The software life cycle runs from the specification phase to the decommissioning of the software, and covers validation testing and modification. Moreover, reusing parts of software codes retrieved from other applications is not recommended (the case involving the Therac-25 accident). The last chapter looks at the physical safety layer: where there is loss of control over cage movement despite level 3 (alarms and human intervention) and level 4 (SIS) barriers, only one physical safety device – passive or active – at level 5 can intervene and prevent a crash. Traditional safety catches have a single trigger mode (too little tension on the rope), whereas modern safety catches could possibly be programmed for several triggering conditions. Safety catches are active safety devices and a few possible strategies for improvement are suggested. Passive safety devices are conceivable at both ends of the shaft, such as an end-of-travel damper at the bottom of the shaft. Lastly, this chapter discusses the life cycle of safety devices, particularly testing and maintenance practices. What emerges is that if the tests and trials of the different safety functions are performed at different time intervals and by different people as mentioned in Part 6 of Annex B of Standard IEC 61508, this would help maintain the lowest probability of failure. [1] Now the Commission des normes, de l'équité, de la santé et de la sécurité du travail (CNESST). [2] Expert Report (QR-1156-fr) published under the reference Giraud and Galy 2022a. [3] Expert Report (QR-1157-fr) published under the reference Giraud and Galy 2022b.