ARE YOUR SAFEGUARDS AS SAFE AS YOU THINK?
30 October 2012
There are machines in the UK fitted with multiple guards which are monitored in one circuit by series connected safety switches; does this sound like one of your machines? Can any of these guards be opened simultaneously? If so, read on....
Historically, the practise of series-wired safety switches has arisen because it saved money on cabling and safety relays, and because dual channel wiring of the switches met Category 3 of the withdrawn standard EN 954. Category 3 lives on in the replacement standard EN ISO 13849-1 which requires that for Category 3 to apply at least 60% of faults have to be detected in a diagnosis mechanism (DC = low).
The ability of a system to detect 60% of dangerous faults can be impacted by a phenomenon known as "fault masking” which can dramatically reduce the Diagnostic Coverage and consequently the Performance Level.
In the illustration above: 1. Three safety gates are connected in series to an evaluation device. Initially all the safety gates are closed and the relay’s outputs are ‘on’, i.e. the machine can be operated.
2. On the left-hand safety gate, a short circuit occurs in the line to the switch with the N/C contact.
At first the fault is not detected (because a demand has not yet been placed upon the safety function) and the machine can continue operating (because the guard is still closed).
3. The left-hand safety gate is then opened, an event which the left switch signals to the relay.
During feasibility comparison of the two switches the safety relay discovers an inconsistency and switches to a fault condition, i.e.
once the safety gate is closed the machine cannot be restarted (but in this case the safety gate is left open).
4. Now the right-hand safety gate is also opened. Via these signals the relay once again detects a normal condition. The fault condition is reset, the safety gates can once again be closed from left to right and the machine is ready to start up again.
This example illustrates an undetected fault in the safety circuit, which has built up as a result of the clearing of the fault by the simultaneous opening of two gates. An additional, subsequent fault could cause the whole interlocked guard system to fail to danger. In the current standard EN ISO 13849-1, the maximum diagnostic coverage (DC) that the switch can achieve is restricted, depending on the masking probability.
In practice, a single switch pair that is evaluated by a safety relay can achieve a DC = 99%. In the current draft of EN ISO 14119 (which will soon replace the current interlocking standard EN 1088), the maximum DC for a group of interlinked switches is dependent upon the number of switches connected in series and their frequency of operation.
As you can see in the proposed table above, masking restricts the maximum achievable DC and PL.
If more than one guard can be opened with a frequency of greater than once an hour, or there are more than four of them in series, the statistical chance of a fault occurring and being masked is high with the result that Diagnostic Coverage is reduced to less than 60%. According to EN ISO 13849-1 this is equivalent to no DC, and under these circumstances, the best achievable PL is PL c, or Category 1 in old terms. If your original risk assessment required Category 3 your system is no longer compliant.
Possible cures for fault masking include: • Changing the wiring of existing seriesconnected switches to individually wired switches (which may be costly in terms of wiring and the need for extra safety relays or extra inputs on safety controllers) • Zoning of guard monitoring switches into distributed I/O systems (such as Pilz Decentralised Periphery PDP67 systems) • Replacement of volt-free contact based switches with RFID-coded, self-monitoring switches (such as Pilz PSENcode switches, PSENslock solenoid interlocks. PSENini inductive sensors or PSENsgate gate access devices) which can be wired in series and maintain 99% Diagnostic Coverage individually, with PL e integrity
E-STOPS IN SERIES?
It is worthy of note that series connection of Emergency stop devices is unlikely to incur a loss of Diagnostic Coverage, because it’s unlikely that any two E-stops will be actuated simultaneously or as frequently as once an hour.
Therefore it is reasonable to wire such devices in series.
Designers of safety guards and associated circuits on new machines, and those responsible for existent machines in use should review whatever safety guard circuits they have where safety switches are connected in series. There are solutions, as outlined above.
• EN ISO 13849-1 requires that at least 60% of faults have to be detected in a diagnosis mechanism (DC = low)
• Fault masking can impact the ability of a system to detect 60% of dangerous faults
• A single switch pair that is evaluated by a safety relay can achieve a DC = 99