Machine safety loophole unmasked
01 November 2013
Implementing the requirements of the new EN ISO 14119 machine safety standard could lead to high installation, cabling and connection costs. However, SICK has found a simple connectivity solution for cascading switches and sensors that retains high diagnostic coverage and eliminates the potential for fault masking. Dr Martin Kidman, Safety Specialist at SICK (UK), explains.
Addressing a potential ‘loophole’ which could lead to so-called ‘fault-masking’, the new EN ISO 14119 machine safety standard has significant implications for the installation and set up of safety systems.
In a simple safety system, a single cell with potentially dangerous movement has two doors with safety switches that are monitored by a safety controller which stops the movement when either of the doors is opened.
If one of the switches malfunctions, the safety controller will detect a failure and will not allow the machine to start until the switch is replaced. With just two switches, it’s easy enough to work out which one is malfunctioning and reset the controller once the fault is rectified.
Unfortunately, in real life things are usually more complicated, with further doors and cells and multiple interlocking devices. For many years it has been widespread practice to connect dual-channel electro-mechanical safety switches in series.
Where the door switches employ a dual-channel architecture to provide a redundant switch-off path, the safety controller monitors the status of each channel. If either channel switches off, the machine must stop, and it may not restart until the controller has seen both channels switch off BEFORE they switch back on, indicating a plausible opening and closing of the guard. Checking that both inputs behave in the same way is the principal form of diagnostic and fault detection. With multiple cells, faults in door switches have more serious consequences.
If there is a fault on one channel of a gate switch (for example a contact that sticks closed and no longer opens), the fault is likely to be detected when that gate is opened, because only one channel changes state. When the faulty gate is closed again, the safety controller will inhibit a reset of the safety system. However, if another gate wired in series with it is opened and closed, both channels open and close together, the fault appears to have cleared, and the controller allows a reset, masking the fault on the first switch.
Thus, with the cascade and series switching practice allowed under the existing design standard (EN 1088), it is easy to imagine an operative who, finding one door a 'bit faulty' or a switch a bit 'sticky', discovers that the reset can be obtained by opening and closing the next door. Consequently, unsafe situations could build up that compromise the PLe status of the safety system. This, in very general terms, is the phenomenon of fault masking, and it is possible under the existing design standards (EN 1088).
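To make the sequence concrete, the following Python model is added here; it is not SICK's code and is not taken from EN 1088 or EN ISO 14119. It assumes a simplified controller: any open channel stops the machine, a discrepancy between the two channels latches a fault, and a latched fault is cleared only by a plausible cycle in which both channels open together and then close together. The gate names A and B, the channel 2 contact of gate A being stuck closed, and the comparison between series wiring and one input per gate are assumptions of the example. The second scenario goes slightly beyond the text by showing what happens when a second contact on the same switch fails after the first fault has been masked.

```python
"""Toy model of fault masking in series-wired, dual-channel guard interlocks.

Added example, not SICK code and not from any standard. The controller
behaviour is a simplification of the cross monitoring described in the
article: an open channel stops the machine, a channel discrepancy latches a
fault, and the latched fault is cleared only by a plausible cycle in which
both channels open together and then close together (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Gate:
    """A guard door with a dual-channel interlock: two contacts, ch1 and ch2."""
    name: str
    is_open: bool = False
    stuck_closed: set = field(default_factory=set)  # contacts stuck shut (the fault)

    def contact(self, ch: int) -> bool:
        """True means the contact is closed, i.e. this channel reads 'door shut'."""
        return True if ch in self.stuck_closed else not self.is_open


class DualChannelInput:
    """One dual-channel controller input with cross monitoring of the channels."""

    def __init__(self) -> None:
        self.fault = False            # discrepancy between channels, latched
        self.stopped = False          # a channel opened; plausible cycle needed to run
        self._both_open_seen = False

    def sample(self, ch1: bool, ch2: bool) -> None:
        if ch1 != ch2:
            # Cross monitoring: only one channel changed, so one contact is faulty.
            self.fault = True
            self.stopped = True
            self._both_open_seen = False
        elif not ch1:
            # Both channels open together: a plausible opening of the guard.
            self.stopped = True
            self._both_open_seen = True
        elif self._both_open_seen:
            # Both closed after both were open: a complete, plausible cycle.
            # Clearing the latched fault here is what makes masking possible.
            self.fault = False
            self.stopped = False
            self._both_open_seen = False


class SafetyController:
    """Either one input fed by all gates in series, or one input per gate."""

    def __init__(self, gates, wiring: str) -> None:
        self.gates = gates
        self.wiring = wiring
        self.inputs = [DualChannelInput() for _ in range(1 if wiring == "series" else len(gates))]

    def sample(self) -> None:
        if self.wiring == "series":
            # Series wiring: each channel is the AND of that channel on every gate.
            self.inputs[0].sample(all(g.contact(1) for g in self.gates),
                                  all(g.contact(2) for g in self.gates))
        else:
            for gate, inp in zip(self.gates, self.inputs):
                inp.sample(gate.contact(1), gate.contact(2))

    def run_permitted(self) -> bool:
        return not any(i.fault or i.stopped for i in self.inputs)


def _play_masking_sequence(wiring: str):
    """Open and close faulty gate A, then open and close healthy gate B."""
    gate_a = Gate("A", stuck_closed={2})   # channel 2 contact of gate A is stuck shut
    gate_b = Gate("B")
    ctrl = SafetyController([gate_a, gate_b], wiring)
    for gate, is_open in [(gate_a, True), (gate_a, False), (gate_b, True), (gate_b, False)]:
        gate.is_open = is_open
        ctrl.sample()
    return gate_a, ctrl


def masking_scenario(wiring: str) -> dict:
    """Controller view after the sequence from the article, for 'series' or 'individual'."""
    _, ctrl = _play_masking_sequence(wiring)
    return {"fault_latched": any(i.fault for i in ctrl.inputs),
            "run_permitted": ctrl.run_permitted()}


def second_fault_scenario(wiring: str) -> bool:
    """After the sequence, gate A's other contact also sticks shut and A is opened.

    Returns True if the controller still holds the machine stopped.
    """
    gate_a, ctrl = _play_masking_sequence(wiring)
    gate_a.stuck_closed.add(1)             # second, accumulated fault on the same switch
    gate_a.is_open = True
    ctrl.sample()
    return not ctrl.run_permitted()


if __name__ == "__main__":
    for wiring in ("series", "individual"):
        print(wiring, masking_scenario(wiring), "held stopped after 2nd fault:",
              second_fault_scenario(wiring))
```

With series wiring the model reports no latched fault and permits a restart after gate B is cycled, even though gate A's contact is still stuck, and once the second contact on gate A fails the machine is no longer stopped when that door is opened. With one input per gate, the fault on A stays latched and the machine is held stopped until the switch is replaced.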
Furthermore, if a machine has dangerous moving parts and many access doors, each with a dual-channel switch, plus E-Stops, it is understandable why someone would wire them up in a cascaded series into one input: this avoids the bulk, complexity and expense of separately wired cables from each guard to the controller.
But the safety of such a system is easily compromised, because the safety controller is unable to diagnose the individual fault, which lowers the performance level of the whole system.
One of the standards for safety of machinery (BS EN ISO 13849-1: Safety-related parts of control systems) states that the diagnostic coverage (DC) is a measure of the effectiveness of diagnostics, determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. In this standard the DC is given one of four levels (none, low, medium or high), table 1.
Effectively, if fault masking is possible, the safety controller's capacity to diagnose the whole system has been downgraded from a potentially high DC (≥ 99%) to a lower DC level, and with it the achievable performance level.
According to EN ISO 13849-1, the DC measure "Cross monitoring of inputs without dynamic test" is a method capable of achieving the "high" DC necessary to reach PLe. However, the series connection of electro-mechanical contacts is not considered. EN ISO 14119 refers to the reduction of DC when series connections are used, and the ISO Technical Report ISO/TR 24119 gives a more quantified approach:
- If there is more than one frequently opened guard (opened more than once per hour), the diagnostic coverage will be zero.
- If there is just one frequently opened guard and the safety device for this guard is connected in series with other devices, the DC drops.
- If multiple guards can be open at the same time during normal operation, the DC will be zero.
Therefore, when more than two guards are connected in series, PLe cannot be achieved, and whether PLd can be achieved depends on the frequency and number of doors that can be opened.
New Machine Safety Standard
Because of this 'loophole', the updating of EN 1088 as applied to the Machinery Directive has been under discussion, and the new EN ISO 14119 was published on 31 October 2013.
One way of identifying individual faults on safety guards, to ensure PLe levels of safety, is to wire each guard back individually to the safety controller. This could mean high cost and the extra bulk of additional cabling, as well as its installation and the connection hardware. The illustration demonstrates what might be involved:
Figure 1: System with non-cascaded safety sensors post EN ISO 14119 implementation - PLe
Flexi Loop from Sick
The new SICK Flexi Loop provides simple connectivity and permits the series connection of dual-channel devices, whilst allowing high diagnostic coverage and eliminating the potential for so-called fault masking. It is a fully open system and allows a designer to connect any safety device in series with another without compromising the PLe integrity of the safety system.
Figure 2: System with cascaded safety sensors in series via Flexi Loop – PLe.
With a capacity to cascade up to 32 safety sensors or switches on one loop and to create up to eight separate loops, the IP67-rated SICK Flexi Loop provides up to 256 sensors on eight dual-channel inputs, reducing the clutter of traditional connections. The Flexi Loop is simple to install as a fully cascadable system, using standard cable with M12 5-pin connectors. No special connections or shielded cables are required.
The SICK Flexi Loop provides built-in LED diagnostics without the need for a fieldbus or complex network addressing, giving a decentralised, cost-effective way to monitor the status of each safety sensor or switch, loop and I/O connected to it. This diagnostic capability builds on SICK's widely used Flexi Soft controller platform, which allows status monitoring at the controller or via the HMI/PLC interface and further specialised connectivity modules.
The operating range allows each Flexi Loop to be up to 960 m long, with Flexi Loop modules up to 30 m apart. Each Flexi Loop module assures PLe as long as the sensor can fulfil that performance level, and makes calculating complex SIL or PL parameters easy. The free SICK Flexi Soft Designer software provides pre-approved safety function blocks, simulation and all safety declaration documents at the press of a button.
As well as answering safety concerns around the manufacturing process, the existing Flexi Soft system with Flexi Loop enables gateways to be integrated so that remote diagnostic information can be passed to higher-level control systems. Flexi Soft supports PROFINET, PROFIBUS, CANopen, EtherCAT, SERCOS interface, EtherNet/IP, DeviceNet and CC-Link.
- The new EN ISO 14119 machine safety standard has been designed to tackle the risk of 'fault masking'
- Sick has developed a simple connectivity solution to cascading switches and sensors, whilst allowing high diagnostic coverage, to address the issue
- The IP67-rated Sick Flexi Loop will provide up to 256 sensors on eight dual-channel inputs