Safeguarding your safety set-up
02 October 2012
David Collier, of Pilz Automation Technology, asks whether your safeguards are as safe as you think, and discusses the ‘fault-making’ phenomenon....
There are many machines fitted with multiple guards which are monitored in one circuit by series connected switches with dual channel wiring to what appears to be Category 3. But, can any of these guards be opened simultaneously?
Historically, the practise of series-wired safety switches has arisen because it saved money on cabling and safety relays, and because dual channel wiring translated to Category of 3 of the now-withdrawn standard EN 954-1 (for more than one switch in series, EN 954-1 degraded Category 4 to Category 3). Category 3 lives on in the standard EN ISO 13849-1 in which clause 6.2.6 requires that for Category 3 to apply specific conditions must be met which include: a single fault must not lead to a loss of the safety function, that an accumulation of undetected faults can lead to the loss of the safety function, and importantly as an addition over and above EN 954-1’s requirements that at least 60% of faults have to be detected in a diagnosis mechanism (DC = low).
On closer inspection the ability of a system to detect 60% of dangerous faults can be impacted by a phenomenon known as ‘fault masking’ which can dramatically reduce the diagnostic coverage (DC) and consequently the performance level (PL).
The answer as to how many (if any) switches can be connected in series depends on the faults that can be anticipated. There is a list in the validation standard EN 13849-2. Panel A shows an example of interlocked guards connected in series. (For further details see final panel at end of article)
The example in Panel A illustrates an undetected fault in the safety circuit, which has built up as a result of the clearing of the fault by the simultaneous opening of two gates. An additional, subsequent fault could cause the whole interlocked guard system to fail to danger (e.g. another wiring fault occurs, a guard is opened and the machine does not stop). While this is in line with Category 3 (an accumulation of undetected faults can lead to a loss of the safety function) these and similar faults are described by the term ‘fault masking’. In the current standard EN ISO 13849-1, the maximum DC that the switch can achieve is restricted, depending on the masking probability.
In practice, a single switch pair that is evaluated by a safety relay can achieve a DC = 99%. Based on this premise, in the current draft of EN ISO 14119, the maximum DC for a group of interlinked switches is dependent upon the number of switches connected in series and their frequency of operation. Note at some point ISO 14119 will replace the current standard for interlocking, EN 1088.
If you can show that no two guards are moved, with a frequency of greater than once an hour, or there are no more than four of them in series, the statistical chance of a fault occurring and being masked is reduced; however the DC of the system is reduced from 99% to 60% (low), which in terms of EN ISO 13849-1 means the best PL achievable is PL d which also means you have met Category 3.
If you find that more than one guard can be moved, with a frequency of greater than once an hour, or there are more than four of them in series, the statistical chance of a fault occurring and being masked is high and the result is that DC is reduced to less than 60% (according to EN ISO 13849-1 this is equivalent to no DC). Under these circumstances, according to EN ISO 13849-1, the best achievable PL is PL c, or Category 1 in old terms. If your original risk assessment required Category 3, under these circumstances your system is no longer compliant.
Is there a cure for fault masking?
If a series of interlinked switches is required to meet PL e, a technical solution is required, using switches with integrated fault detection. As masking cannot occur in this case, it is possible to have interlinked switches without restricting the DC or PL. Only switches with internal diagnostics and an Output Signal Switching Device (OSSD) output, a solid state type, as commonly found on RFID based switches, are unaffected by this. Such devices are certified by the manufacturer with PL e (i.e. they are classed as a subsystem, not just a component) which means they have their own internal dual channel Category 4 architecture, built in 99% DC, as well as the other internal characteristics allowing the series connection of switches (such as extremely low failure rates expressed as PFHD in the magnitude of 10-9 dangerous failures per hour). Diagnostics of which guard has been opened (not to be confused with DC, which is to do purely with detection of dangerous failures) is provided on the switch body by LED status, and also via signalling which can be taken to a standard PLC.
Some manufacturers of safety components use this technology in their products. Other than the capability to avoid fault masking, RFID based non-contact switches can also offer less troublesome switching (when compared to magnetic types) through various actuator approach angles, and better resistance to defeat through the use of varying degrees of coding, and better protection against ingress, compared to mechanically actuated switches.
The use of distributed I/O
Other than replacing designs using series, volt-free switches with RFID/OSSD-based technology, there are other options based upon improved wiring management through ‘zoning’. Normal volt-free contact-based switches are wired individually, but in low numbers, back to local IP20 I/O modules in small control boxes which, in turn, can be cascaded across the machine back to a main panel using the OSSD outputs of the modules to provide 99% DC throughout the system.
Where enclosures for IP20 I/O modules are not available, IP67 rated I/O modules could be placed directly on-machine. They can be cascaded across a machine on one multicore cable back to the main control panel without degradation of DC or PL through use of coding or test pulses.
E-stops in series?
It is worthy of note that series connection of emergency stop devices is unlikely to incur a loss of DC, based on the assumption that it is unlikely that any two E-stops will be actuated simultaneously or as frequently as once an hour. Therefore it is reasonable to wire such devices in series. That said, it is generally inadvisable to require E-stops to perform to PL e simply because they are not intended as primary protective devices; if a hazard requires a safety related control function to perform to PL e other primary means of safeguarding should be used.
Fault masking is a real issue even if you do not refer to current or future standards and just apply basic engineering logic. Designers of safety guards and associated circuits on new machines, and those responsible for existent machines in use should review whatever safety guard circuits they have, where safety switches are connected in series. Importantly, it is reassuring to know that there is technology available to help reduce on-machine cabling and, critically, the possibility of fault masking.
1. This example shows three safety gates connected in series to an evaluation device. Initially all the safety gates are closed and the relay’s outputs are ‘on’, i.e. the machine can be operated.
2. On the left-hand safety gate, a short circuit occurs in the line to the switch with the N/C contact. At first the fault is not detected (because a demand has not yet been placed upon the safety function) and the machine can continue operating (because the guard is still closed).
3. The left-hand safety gate is then opened, an event which the left switch signals to the relay. During feasibility comparison of the two switches the safety relay discovers an inconsistency and switches to a fault condition, i.e. once the safety gate is closed the machine cannot be restarted (but in this case the safety gate is left open).
4. Now the right-hand safety gate is also opened. Via these signals the relay once again detects a normal condition. The fault condition is reset, the safety gates can once again be closed from left to right and the machine is ready to start up again.
Contact Details and Archive...
Most Viewed Articles...