EN ISO 14119:2013, the standard for guard interlocking devices

EN ISO 14119:2013, 'Safety of machinery - Interlocking devices associated with guards - Principles for design and selection', has been harmonised to the Machinery Directive 2006/42/EC and superseded its predecessor, EN 1088, on 30 April 2015. David Collier CMSE, Business Development Manager with Pilz Automation Technology, highlights the main changes to be aware of.

There are too many detailed technical differences between EN 1088 and EN ISO 14119 to be detailed here, but what follows highlights some of the most important changes.

Readers should also be aware that ISO published ISO/TR 24119, Safety of machinery - Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts, on 15 November 2015, and this provides useful guidance relating to Diagnostic Coverage (DC) and fault masking probabilities. See below for more information about ISO/TR 24119.

Differences between EN ISO 14119 and EN 1088

Compared with its predecessor, EN ISO 14119 (and its equivalent in the UK, BS EN ISO 14119) considers additional technologies such as RFID or electromagnetic guard locking, classifies interlocking switches and regulates more clearly the specifications for installing guards. These new points are particularly significant with regard to protection against guard manipulation, also known as defeating of guards.

International standard ISO 14119 for guard interlocks will replace all national standards on this subject (such as BS EN 1088 in the UK) and will be valid worldwide (it is, of course, referred to as EN ISO 14119:2013 in Europe). Formally this signifies a huge step forwards: EN 1088 was purely European, whereas ISO 14119:2013 (which is identical to EN ISO 14119:2013), is published by ISO, the International Standards Organisation.

Types of interlocking device

The first point is that EN ISO 14119 takes into account many technologies which were not available when EN 1088 was first published. The table below provides an overview of the interlocking device types and gives a helpful cross-reference to the examples in the annex of the standard. Types 3 and 4 (non-contact devices, uncoded and coded, including inductive, magnetic, capacitive, ultrasonic, optic and RFID) did not exist in EN 1088, and examples of their use are given in Annex C and Annex D of EN ISO 14119.


Coded interlocking devices and levels of coding

A coded actuator is defined as one which is specially designed (eg by shape, magnetically or radio frequency (RFID)) to actuate a certain position switch. Levels of coding to prevent defeat are defined as:

  • low level (for which 1 to 9 variations in code are available)
  • medium level (for which 10 to 1000 variations in code are available)
  • high level (for which more than 1000 variations are available)

'High' covers uniquely coded RFID systems; 'medium' covers trapped-key systems and some limited RFID systems; and 'low' covers magnetic reed switch types and re-teachable RFID types.

Guard locking

The type of guard locking is expanded in EN ISO 14119 from power-to-lock or power-to-release, to include bistable locks for which power can be applied to lock and release a solenoid guard switch; it also considers the circumstances under which the use of electromagnetic locks (just the use of electromagnetic force without a tongue) is permissible for machine safety (eg taking into account the distance to the hazard, the stopping time in the event of power loss, monitoring the holding force, providing clear indication when forced entry has been attempted). The standard also differentiates between locking for personnel protection (against injury) and locking for process protection (against interruption).

While it is the task of the machine C-type standard or the designer to determine the required holding force for an interlocked guard, and it is the responsibility of the interlock manufacturer to specify their interlocks' strength to resist static action force, Annex A Table I.1 of EN ISO 14119 offers guidance on typical static action forces based on the direction of opening force, posture of the operator and type of operator grip (eg single or bi-manual (two-handed)) - see below.


Defeating of interlocking devices

Section 7 of EN ISO 14119 states that "The machine shall be designed in such a way that it minimizes the motivation for defeating the interlocking devices" and goes on to stipulate "The interlocking device shall provide the minimum possible interference with activities during operation and other phases of machine life, in order to reduce any incentive to defeat it." Various measures are described to realise these requirements (for example, preventing access to the interlocking device, preventing the use of substitute actuators through levels of coding, and integration of defeat monitoring by cyclic testing). The implication is that it is increasingly the designer's responsibility to ensure that interlocked guards cannot be defeated, which, in turn, requires the designer to understand how the machine will be used at every stage of its life (production, maintenance, setting, cleaning and so on).

The use of fault exclusions

The use of fault exclusions has long been covered in EN 62061 (max SIL 2), ISO/TR 23849 (PLd) and now also in EN ISO 13849-2 (Annex D.8, a single mechanical point of failure (the tongue or cam) cannot be fault excluded for PLe). This limitation to PLd for fault exclusions now appears in EN ISO 14119. In other words, to achieve PLe, the use of at least two devices is mandatory; it is one reason why more non-contact devices are now being used for PLe, since they have no single mechanical point of failure. Interestingly, though, the locking function, although dependent upon a single mechanical channel (the tongue) is allowed to perform up to PLe with the proviso that it is defined as locking up to a maximum stated extraction force (which the manufacturer, not the user, can demonstrate through repeatable, certifiable tests). Note: that this applies with Pilz PSENslock, which meets PLe; it also applies to many of the devices from Fortress Interlocks.

Testing infrequently used guards

Some interlocked guards are not opened often, so forced testing by manual functional opening and closing at regular intervals is required to check for possible accumulated faults. EN ISO 14119 specifies for PLe a monthly test and for PLd a 12 monthly test. This is important, even in dual-channel systems, because faults can only be revealed by placing a demand on the guards. It is recommended that the control system of a machine demands these tests at the required intervals (eg by visual display unit or signal lamp). The control system should monitor the tests and stop the machine if the test is omitted or fails.

Fault masking

Picture a number of interlocked guards connected in one circuit to a safety relay. A fault (for example, a short circuit across one of a pair of normally-closed contacts in an interlock switch due to a contact weld or moisture) can develop in one of the guard switches, which will be detected by the safety relay only when the faulty guard is opened. The safety relay will see one of the channels open but not the other (it expects to see both open) so the safety relay will both shut the associated part of the machine down and it will 'lock out' because it has registered the fault. When the operator closes the guard, the fault remains registered in the safety relay, which prevents a reset and restart. In many cases the operator will not investigate this further - he may try to open and close the guard again, to no avail, following which he may try to open and close other nearby guards and, as if by magic, the fault is cleared because one of the other healthy interlock switches causes simultaneous opening of its pair of contacts, which the relay recognises as a healthy state and the machine can be restarted (see illustration below). But, without the operator realising, the safety system has accumulated a now-undetected fault that has actually degraded its performance. All it will take is one more fault and the safety function will be lost. The phenomenon is known as 'fault masking'.


Historically the practise of series-wiring safety switches arose because it saved money on cabling and safety relays, and because such dual-channel wiring translated to Category of 3 of the now-withdrawn standard EN 954-1 (for more than one switch in series, EN 954-1 degraded Category 4 to Category 3). Category 3 lives on in the standard EN ISO 13849-1, in which clause 6.2.6 requires that for Category 3 to apply, specific conditions must be met including: a single fault must not lead to a loss of the safety function, that an accumulation of undetected faults can lead to the loss of the safety function, and importantly as an addition over and above EN 954-1's requirements that at least 60 per cent of faults have to be detected in a diagnosis mechanism (DC = low). The ability of a system to detect 60 per cent of dangerous faults can be impacted by fault masking, which can dramatically reduce the Diagnostic Coverage and, consequently, the Performance Level.

It was expected that fault masking would be covered in detail within EN ISO 14119 and it is - to a point. Here is the exact text from EN ISO 14119:

8.6 Logical series connection of interlocking devices.

Logical series connection of interlocking devices means for NC contacts wired in series or for NO contacts wired in parallel. When interlocking devices with redundant contacts are logically connected in series the detection of a single fault can be masked by the actuation of any interlocking device logically connected in series with the defective interlocking device to the safety related control system.

It is foreseeable that during the fault finding (troubleshooting) by the operator one of the guards whose interlocking devices are logically connected in series with the defective interlocking device will be actuated. In that case the fault will be masked and the effect on the diagnostic coverage value shall be considered.

For a series connection the maximum DC (see ISO 13849-1 or IEC 62061) should be considered.

NOTE A technical report dealing with the logical serial connection of devices is in preparation. [See below for more on this report, which has now been published.]

Guidance in technical report ISO/TR 24119

The real detail of how many devices can be serially connected is contained in technical report ISO/TR 24119, Safety of machinery - Evaluation of fault masking serial connection of guard interlocking devices with potential free contacts. In simple terms, if we have more than one frequently opened guard (once per hour) the level of Diagnostic Coverage falls to zero, which in EN ISO 13849-1 results in a maximum PL c.

The limitation of Diagnostic Coverage by the effects of series connected devices is dealt with in section 6, and in 6.2 there is a Table 1 that gives guidance on a Simplified method for the determination of the maximum achievable DC - and it is likely that many users will go straight to this table because it offers pretty clear cut guidance.

A 'regular' method for determination of DC is described in section 6.3 and Table 2 gives guidance on Fault Masking probability (FM, scored from 1-3) where the the maximum achievable DC depends on the fault masking probability level (FM1-3) and the type of cabling used in combination with the switch arrangement and the diagnostic capabilities of the overall system to detect faults. Tables 3 to 5 show the maximum reachable DC depending on those parameters.

Section 7 gives guidance on avoiding fault masking of interlocking devices with potential free contacts, which include:

  • use additional contacts individually connected to a monitoring device in combination with appropriate diagnostic procedures to avoid fault masking;
  • avoid connecting interlocking devices in series and use individual safety inputs for each interlocking device (which can be done either via hard-wiring individual interlocking devices back to the safety logic solver, or through the use of distributed safety networks (such as the Pilz PDP67 system, PDP20 system or PSSu system);
  • use interlocking devices with internal diagnostics and monitored outputs (such as the Pilz PSENcs PLe RFID interlocks, PSENslock process locks with PLe RFID interlock, or PSENsgate gate access system with bistable PLe locking and PLe RFID interlock).

6.2 Simplified method for the determination of the maximum achievable DC

Table 1 provides a simplified approach for the determination of the maximum achievable DC taking into account the probability of masking. If the maximum achievable DC resulting from the application of this table does not meet the required level, the more detailed approach given in 6.3 may be more suitable - but this is not ideal.


6.3 Regular method for the determination of the maximum achievable DC

6.3.1 Estimation of the fault masking probability

The probability of fault masking is dependent on several parameters that should be considered, including:

  • Number of series connected devices
  • Actuation frequency of each movable guard
  • Distance between the movable guards
  • Accessibility of the movable guards
  • Number of operators

The maximum achievable DC depends on the fault masking probability level (FM) and the type of cabling used in combination with the switch arrangement and the diagnostic capabilities of the overall system to detect faults. Tables 3 to 5 show the maximum reachable DC depending on those parameters. In any case, if it is foreseeable that fault masking will occur (eg multiple movable guards will be open at the same time as part of normal operation or service), then the DC is limited to none.

It is beyond the scope of this article to go into the details of tables 3 and 5 referred to above, and it is recommended that, instead, the 'simplified method' outlined in 6.2 above is used.

A final point to note about ISO/TR 24119 is that it is mentioned in the new version of the functional safety standard EN ISO 13849-1 (Annex E of EN ISO 13849-1:2016 covers Diagnostic Coverage, which is the parameter impacted by fault masking).

How to overcome the problem of fault masking

There are three industrially available options for overcoming fault masking and complying with the requirements of ISO 14119:2013:

1. Individual wiring

Do not connect interlocked guard switches in series - or at least limit the number of guard switches wired in series when they use volt-free contact technology; wire the switches individually to separate safety relays or individual inputs on safety controllers, or zone small groups together.

The illustration shows magnetic guard switches connected to Pilz PDP20 decentralised interface modules and, subsequently, various monitoring devices.

2. Self-monitoring interlocking devices

Use devices that are not based on volt-free contact technology, rather use switches with self-monitoring transistorised outputs (known as OSSDs) - for example, non-contact RFID switches, which can detect faults within themselves. These switches can be connected in series and maintain the highest levels of diagnostics to achieve PL e.

The illustration shows Pilz PSENcode coded RFID guard switches with self-monitoring OSSDs. Other options from Pilz include PSENslock (solenoid locks with built-in RFID guard position monitoring and self-monitoring OSSDs), PSENsgate (an integrated system featuring solenoid locking, command-to-release, emergency stop, escape from inside the hazard area, RFID guard position monitoring, and self-monitoring OSSDs), and PSENini (inductive safety sensors for safe position monitoring such as robot home position, with self-monitoring OSSD outputs).

3. Safe distributed I/O systems

Interlocking devices (and other devices such as light curtains, emergency stops and two-hand controls) can be safely distributed across the machine using a failsafe network - effectively the network addresses devices connected in a chain around a machine and can distinguish between all inputs; they can also test for faults (for example, through the use of test pulses). There are various implementations of this architecture, generally based on nodes where devices are either 'addressed' or given a specific input identity on the network (usually through software).

The illustration shows various switch and interlock devices connected to a Pilz PDP67 safe distributed I/O module; the I/O modules are connected to a Pilz PNOZmulti software-configurable modular safety controller.

EN ISO 14119 - concluding remarks

EN ISO 14119:2013 (also known as EN ISO 14119 in Europe and BS EN ISO 14119 in the UK) provides machine builders and users with much wider scope to use a broader range of technologies when interlocking guards. It also places more responsibility on the machine designer to prevent foreseeable, deliberate bypassing of guards, and it will change the way in which guard interlocking devices are connected across machines.

Although there is a one-year transition from EN 1088 to EN ISO 14119 (EN 1088 will be withdrawn on 30 April 2015), machine builders who design safety gate systems will be at an advantage if they aim to comply with the new standard immediately. Technologies exist for overcoming challenges like fault masking and, when deployed, can provide added peace of mind as well as compliance with the more exacting requirements of this new standard.

Pilz Automation Technology has Certified Machinery Safety Experts available to help machine builders and system integrators migrate to EN ISO 14119:2013 from EN 1088 in terms of both the design and verification of safety-related control systems, and supplying the necessary interlocking devices and control and monitoring hardware. Follow the links in the text above to find out more, or go to www.pilz.co.uk.

Pilz Automation Ltd

Pilz House
Little Collier's Field
NN18 8TJ

+44 (0)1536 460766



More technical articles
1 week ago
NSK bearings reduce concrete floor manufacturing machine failures to zero
Regular bearing failures in a concrete floor manufacturing machine were leading to extensive downtime, costly lost production, and high maintenance costs. To rectify the problem, the customer turned to the expertise of NSK for a redesigned wheel hub and stub axle assembly.
1 week ago
Servodrives help protect chair castors and cut packaging costs
Drives and motors specialist Yaskawa has played a key role in the development of an automated system specifically designed to fit protective plastic caps onto chair castors, using its Sigma-7 series servo-drives and a SLIO-series controller.
1 week ago
SKF streamlines bearing analysis for Ansys users
With the new SKF Bearing App for Ansys Mechanical, design engineers have instant access to accurate stiffness data on more than 10,000 bearing designations. The app is available in the Ansys Store free of charge.
1 week ago
Omron awarded platinum rating from EcoVadis for sustainability
Omron has been awarded the Platinum rating following a sustainability assessment by EcoVadis. A score earning a Platinum rating, which is the highest distinction, puts the company within the top 1% of all the businesses assessed for sustainability performance.
2 weeks ago
ABB Value Provider wins order for rolling mill DC drive solution
DC drive specialist Iconsys is set to deliver a bespoke drive upgrade solution comprising two 12-pulse drive suites from ABB for a UK steel mill’s payoff and tension reels, used to feed and recoil steel strip through a production line.
2 weeks ago
What are the design considerations when specifying lead screws?
The first in the new ‘Design • Engineer • Build’ series of video podcasts focuses on lead screws – components that are at the heart of countless engineering systems. We talk to Phil Jones at Abssac about the enduring popularity of these essential design products, and the design considerations in their specification.
2 weeks ago
Harting honoured with the ‘Best of Industry Award’
The industry media of the Vogel Communications Group presented their ‘Best of Industry Awards’ shortly before the turn of the year. The Harting Technology Group emerged as the winner in the ‘Electrical Equipment’ category with its Han-Modular Domino modules.
2 weeks ago
Quick ROI and 60% decrease in maintenance travel with remote access
Brazilian surface treatment systems manufacturer Erzinger was keen to limit service trips as much as possible to serve customers faster. By implementing IXON Cloud, it can now support its customers remotely, and work in an intuitive and secure way. It can even set up multiple simultaneous connections to work together on the same project. The result is cost reduction, quick ROI and happier customers.
2 weeks ago
Nord high up in the sustainability ranking
Nord Drivesystems was assessed by the rating agency EcoVadis and awarded the silver sustainability certificate in 2022. In the overall ranking, the North German company is in the top six percent of manufacturers in the industry assessed by EcoVadis.
3 weeks ago
Mitsubishi Electric helps door manufacturer triple its throughput
Renowned door manufacturer Profile Developments has seen a threefold increase in its productivity, thanks to its latest collaboration with Mitsubishi Electric, with a solution based on multiple FR-E series inverter or variable speed drives (VSDs) and other system-matched components, such as a GOT 2000 series HMI and MELSEC iQ-R PLC.

Login / Sign up