Are Your Safeguards as Safe as You Think?
Fault masking on safety guard circuits is a real issue where safety switches are connected in series, but technology is available to help reduce on-machine cabling and, critically, the possibility of masked faults, as David Collier, business development manager for products and services at Pilz Automation Technology, explains
There are, undoubtedly, many machines in the UK fitted with multiple guards that are monitored in one circuit by series-connected safety switches with dual-channel wiring. Does this sound like one of your machines? Can any of these guards be opened simultaneously? If so, then read on.
Historically, the practice of series-wired safety switches arose because it saved money on cabling and safety relays, and because such dual-channel wiring translated to Category 3 of the now-withdrawn standard EN 954-1 (for more than one switch in series, EN 954-1 degraded Category 4 to Category 3). Category 3 lives on in the standard EN ISO 13849-1, in which clause 6.2.6 requires that, for Category 3 to apply, specific conditions must be met including: that a single fault must not lead to a loss of the safety function; that an accumulation of undetected faults can lead to the loss of the safety function; and, importantly, as an addition over and above EN 954-1’s requirements, that at least 60% of faults have to be detected in a diagnosis mechanism.
On closer inspection, the ability of a system to detect 60% of dangerous faults can be impacted by a phenomenon known as ‘fault masking’, which can dramatically reduce the diagnostic coverage (DC) and, consequently, the performance level (PL), as explained below.
Fault masking
The answer as to how many (if any) switches can be connected in series depends on the faults that can be anticipated (of which there is a list in the validation standard EN 13849-2). The following example of interlocked guards connected in series (fig. 1) is intended to illustrate this point.
The example shown in figure 1 illustrates an undetected fault in the safety circuit, which has built up as a result of the clearing of the fault by the simultaneous opening of two gates. An additional subsequent fault could cause the whole interlocked guard system to fail to danger (eg another wiring fault occurs, a guard is opened and the machine does not stop). While this is in line with Category 3 (an accumulation of undetected faults can lead to a loss of the safety function) these and similar faults are described by the term ‘fault masking’. In the current standard EN ISO 13849-1, the maximum diagnostic coverage that the switch can achieve is restricted, depending on the masking probability.
In practice, a single switch pair that is evaluated by a safety relay can achieve a DC of 99%. Based on this premise, in the current draft of EN ISO 14119, the maximum DC for a group of interlinked switches is dependent upon the number of switches connected in series and their frequency of operation. At some point ISO 14119 will replace the current standard for interlocking, EN 1088.
As can be seen in the adjacent table (fig. 2), masking restricts the maximum achievable DC and PL.
From this table, if it can be shown that no two guards are moved with a frequency greater than once an hour, or there are no more than four of them in series, the statistical chance of a fault occurring and being masked is reduced; however, the DC of the system is reduced from 99% to 60% (low), which, in terms of EN ISO 13849-1, means the best PL achievable is PL d, which also means Category 3 has been met.
If it is found that more than one guard can be moved with a frequency greater than once an hour, or there are more than four of them in series, the statistical chance of a fault occurring and being masked is high and the result is that DC is reduced to less than 60% (according to EN ISO 13849-1 this is equivalent to no DC). Under these circumstances, according to EN ISO 13849-1, the best achievable PL is PL c, or Category 1 in old terms. If the original risk assessment required Category 3, under these circumstances the system is no longer compliant.
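The following model, added here as an illustration and not part of the original article or of any Pilz product, shows the masking mechanism of figure 1 on two dual-channel guard switches wired in series to a monitoring relay. The fault model (one channel of guard 1 held closed by a wiring fault) and the relay's three verdicts are constructed assumptions; the final helper encodes only the two bands the article quotes from the draft table (more than four switches in series, or more than one guard moved more often than once an hour, drops DC below 60%), not the full table.

```python
"""Fault masking in series-connected dual-channel safety switches (added model).

Two interlocked guards are modelled as two-channel switches in series, read by
a relay that compares channel A with channel B. A fault that holds one contact
of guard 1 closed is detected when guard 1 opens alone, but is hidden (masked)
when guard 2 opens at the same time, because both channels then open together.
"""
from dataclasses import dataclass, field


@dataclass
class GuardSwitch:
    name: str
    opened: bool = False
    # Constructed fault model: channel indices listed here are held closed by a
    # wiring fault (e.g. a short across the contact) whatever the guard position.
    stuck_closed: set = field(default_factory=set)

    def channel_closed(self, ch: int) -> bool:
        return (not self.opened) or (ch in self.stuck_closed)


class SeriesCircuit:
    """Channel A (0) and channel B (1) each run through every switch in series."""

    def __init__(self, switches):
        self.switches = switches

    def channel_state(self, ch: int) -> bool:
        # A series channel conducts only if every contact on it is closed.
        return all(s.channel_closed(ch) for s in self.switches)

    def evaluate(self) -> str:
        """Verdict of a two-channel monitoring relay (discrepancy time ignored).

        'run'   both channels closed: outputs may be enabled
        'stop'  both channels open: a consistent demand, outputs off
        'fault' channels disagree: the relay latches a detected fault
        """
        a, b = self.channel_state(0), self.channel_state(1)
        if a and b:
            return "run"
        if not a and not b:
            return "stop"
        return "fault"


def scenario(open_guards, faults) -> str:
    """Build the two-guard circuit, apply the given faults, open guards, evaluate.

    open_guards: set of guard names currently open ("guard1", "guard2")
    faults: mapping guard name -> channel indices held closed by a fault
    """
    g1 = GuardSwitch("guard1", stuck_closed=set(faults.get("guard1", ())))
    g2 = GuardSwitch("guard2", stuck_closed=set(faults.get("guard2", ())))
    for g in (g1, g2):
        g.opened = g.name in open_guards
    return SeriesCircuit([g1, g2]).evaluate()


def max_dc_and_pl(switches_in_series: int, guards_moved_over_once_per_hour: int):
    """Apply the two bands the article quotes from the draft EN ISO 14119 table.

    Assumption: the 'high masking probability' condition is taken as stated for
    the lower band (more than four in series, or more than one guard moved more
    often than once an hour); the full table in the standard is not reproduced.
    """
    if switches_in_series > 4 or guards_moved_over_once_per_hour > 1:
        return ("DC < 60% (treated as no DC)", "PL c")
    return ("DC low (60%)", "PL d")


if __name__ == "__main__":
    one_fault = {"guard1": [0]}        # channel A of guard 1 held closed
    two_faults = {"guard1": [0, 1]}    # accumulated: both channels of guard 1
    print("guard1 opened alone, one fault :", scenario({"guard1"}, one_fault))
    print("both guards opened, one fault  :", scenario({"guard1", "guard2"}, one_fault))
    print("guard1 opened alone, two faults:", scenario({"guard1"}, two_faults))
    print("4 switches, 1 busy guard       :", max_dc_and_pl(4, 1))
    print("5 switches, 0 busy guards      :", max_dc_and_pl(5, 0))
```

Opening guard 1 alone with the single fault yields "fault" (channel B opens, channel A stays closed); opening both guards together yields "stop", so the relay resets normally afterwards and the fault survives undetected. With the accumulated second fault, opening guard 1 alone yields "run": the guard is open and nothing stops the machine, which is the failure to danger the article describes.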
Is there a cure for fault masking?
If a series of interlinked switches is required to meet PL e, a technical solution is required using switches with integrated fault detection. As masking cannot occur in this case, it is possible to have interlinked switches without restricting the DC or PL. Only switches with internal diagnostics and an OSSD (output signal switching device) output, a solid-state type as commonly found on RFID-based switches, are unaffected by this (fig. 3). Such devices are certified by the manufacturer with PL e (ie they are classed as a sub-system, not just a component), which means they have their own internal dual-channel Category 4 architecture, built-in 99% DC, as well as other internal characteristics allowing the series connection of switches (such as extremely low failure rates expressed as PFHD in the magnitude of 10^-9 dangerous failures per hour). Diagnosis of which guard has been opened, not to be confused with diagnostic coverage (which is purely to do with detection of dangerous failures), is provided on the switch body by LED status, and also via signalling which can be taken to a standard PLC (fig. 4).
Types of device with RFID coding and OSSD outputs
Some manufacturers of safety components, including Pilz, deploy this technology in their products. Other than the capability to avoid fault masking, RFID-based non-contact switches also offer less troublesome switching (when compared with magnetic types) through various actuator approach angles, better resistance to defeat through the use of varying degrees of coding (all the way to unique actuator/receive pairs) and better protection against ingress (when compared with mechanically actuated switches).
Pilz have adopted this technology in a wide range of their devices, including: PSENcode switches – RFID guard position monitoring devices with self-monitoring OSSDs, available with ATEX approval for use in Zones 2 and 22 (figs. 5 & 6); PSENslock – solenoid locks with built-in RFID guard position monitoring with self-monitoring OSSDs (fig. 7); PSENsgate – solenoid-locking, command-to-release, E-stop, escape from inside the hazard area, and RFID guard position monitoring system with self-monitoring OSSDs (fig. 8); and PSENini – inductive safety sensors for safe position monitoring, eg robot home position, with self-monitoring OSSD outputs (fig. 9).
An alternative or complementary solution – the use of distributed I/O
Other than replacing designs using series, volt-free switches with RFID/OSSD-based technology, there are other options based upon improved wiring management through ‘zoning’. Normal volt-free, contact-based switches are wired individually, but in low numbers, back to local IP20 I/O modules in small control boxes (such as the Pilz PDP20 F mag), which, in turn, can be cascaded across the machine back to a main panel using the OSSD outputs of the PDP20 F mag modules to provide 99% DC throughout the system (fig. 10).
Where the luxury of enclosures for IP20 I/O modules is non-existent, I/O modules can be conveniently placed directly ‘on machine’ (such as Pilz PDP67 F 4 Code and PDP67 F 8DI ION illustrated in figure 11) because they are IP67 rated (epoxy encapsulated and available with stainless steel M12 threaded connectors for long-term resistance to washdown cleaning). These modules can be cascaded across a machine on one multi-core cable back to the main control panel without degradation of DC or PL through the use of coding or test pulses.
Pilz have developed a SafeLink protocol for use with their PNOZmulti safety controller and PDP67 F 8DI ION modules; up to four SafeLink modules (PNOZml2p) can be connected to a PNOZmulti controller and up to four PDP67 modules connected to each SafeLink module. Up to four dual-channel devices can be connected to each of the PDP67 modules. It is possible, therefore, to connect up to 64 (4 x 4 x 4) dual-channel remote switches back to one PNOZmulti.
E-stops in series?
It is worth noting that series connection of emergency stop (E-stop) devices is unlikely to incur a loss of diagnostic coverage, based upon the fair assumption that it is unlikely that any two E-stops will be actuated simultaneously or as frequently as once an hour. It is reasonable, therefore, to wire such devices in series. That said, it is generally inadvisable to require E-stops to perform to PL e simply because they are not intended as primary protective devices; if a hazard requires a safety-related control function to perform to PL e, other primary means of safeguarding should be used.
Conclusion
Fault masking is a real issue even if the operator does not refer to current or future standards and just applies basic engineering logic. Designers of safety guards and associated circuits on new machines, and those responsible for the use of existing machines, should review whatever safety guard circuits they have where safety switches are connected in series. It is vital to ensure that masked faults cannot, at some time in the future, rise up and bite unsuspecting victims. The technology is available to help reduce on-machine cabling and, critically, the possibility of fault masking.