EN ISO 14119:2013, 'Safety of machinery - Interlocking devices associated with guards - Principles for design and selection', has been harmonised to the Machinery Directive 2006/42/EC and superseded its predecessor, EN 1088, on 30 April 2015. David Collier CMSE, Business Development Manager with Pilz Automation Technology, highlights the main changes to be aware of.
There are too many detailed technical differences between EN 1088 and EN ISO 14119 to be detailed here, but what follows highlights some of the most important changes.
Readers should also be aware that ISO published ISO/TR 24119, Safety of machinery - Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts, on 15 November 2015, and this provides useful guidance relating to Diagnostic Coverage (DC) and fault masking probabilities. See below for more information about ISO/TR 24119.
Compared with its predecessor, EN ISO 14119 (and its equivalent in the UK, BS EN ISO 14119) considers additional technologies such as RFID or electromagnetic guard locking, classifies interlocking switches and regulates more clearly the specifications for installing guards. These new points are particularly significant with regard to protection against guard manipulation, also known as defeating of guards.
International standard ISO 14119 for guard interlocks will replace all national standards on this subject (such as BS EN 1088 in the UK) and will be valid worldwide (it is, of course, referred to as EN ISO 14119:2013 in Europe). Formally this signifies a huge step forwards: EN 1088 was purely European, whereas ISO 14119:2013 (which is identical to EN ISO 14119:2013), is published by ISO, the International Standards Organisation.
The first point is that EN ISO 14119 takes into account many technologies which were not available when EN 1088 was first published. The table below provides an overview of the interlocking device types and gives a helpful cross-reference to the examples in the annex of the standard. Types 3 and 4 (non-contact devices, uncoded and coded, including inductive, magnetic, capacitive, ultrasonic, optic and RFID) did not exist in EN 1088, and examples of their use are given in Annex C and Annex D of EN ISO 14119.
A coded actuator is defined as one which is specially designed (eg by shape, magnetically or radio frequency (RFID)) to actuate a certain position switch. Levels of coding to prevent defeat are defined as:
'High' covers uniquely coded RFID systems; 'medium' covers trapped-key systems and some limited RFID systems; and 'low' covers magnetic reed switch types and re-teachable RFID types.
While it is the task of the machine C-type standard or the designer to determine the required holding force for an interlocked guard, and it is the responsibility of the interlock manufacturer to specify their interlocks' strength to resist static action force, Annex A Table I.1 of EN ISO 14119 offers guidance on typical static action forces based on the direction of opening force, posture of the operator and type of operator grip (eg single or bi-manual (two-handed)) - see below.
Section 7 of EN ISO 14119 states that "The machine shall be designed in such a way that it minimizes the motivation for defeating the interlocking devices" and goes on to stipulate "The interlocking device shall provide the minimum possible interference with activities during operation and other phases of machine life, in order to reduce any incentive to defeat it." Various measures are described to realise these requirements (for example, preventing access to the interlocking device, preventing the use of substitute actuators through levels of coding, and integration of defeat monitoring by cyclic testing). The implication is that it is increasingly the designer's responsibility to ensure that interlocked guards cannot be defeated, which, in turn, requires the designer to understand how the machine will be used at every stage of its life (production, maintenance, setting, cleaning and so on).
The use of fault exclusions has long been covered in EN 62061 (max SIL 2), ISO/TR 23849 (PLd) and now also in EN ISO 13849-2 (Annex D.8, a single mechanical point of failure (the tongue or cam) cannot be fault excluded for PLe). This limitation to PLd for fault exclusions now appears in EN ISO 14119. In other words, to achieve PLe, the use of at least two devices is mandatory; it is one reason why more non-contact devices are now being used for PLe, since they have no single mechanical point of failure. Interestingly, though, the locking function, although dependent upon a single mechanical channel (the tongue) is allowed to perform up to PLe with the proviso that it is defined as locking up to a maximum stated extraction force (which the manufacturer, not the user, can demonstrate through repeatable, certifiable tests). Note: that this applies with Pilz PSENslock, which meets PLe; it also applies to many of the devices from Fortress Interlocks.
Some interlocked guards are not opened often, so forced testing by manual functional opening and closing at regular intervals is required to check for possible accumulated faults. EN ISO 14119 specifies for PLe a monthly test and for PLd a 12 monthly test. This is important, even in dual-channel systems, because faults can only be revealed by placing a demand on the guards. It is recommended that the control system of a machine demands these tests at the required intervals (eg by visual display unit or signal lamp). The control system should monitor the tests and stop the machine if the test is omitted or fails.
Picture a number of interlocked guards connected in one circuit to a safety relay. A fault (for example, a short circuit across one of a pair of normally-closed contacts in an interlock switch due to a contact weld or moisture) can develop in one of the guard switches, which will be detected by the safety relay only when the faulty guard is opened. The safety relay will see one of the channels open but not the other (it expects to see both open) so the safety relay will both shut the associated part of the machine down and it will 'lock out' because it has registered the fault. When the operator closes the guard, the fault remains registered in the safety relay, which prevents a reset and restart. In many cases the operator will not investigate this further - he may try to open and close the guard again, to no avail, following which he may try to open and close other nearby guards and, as if by magic, the fault is cleared because one of the other healthy interlock switches causes simultaneous opening of its pair of contacts, which the relay recognises as a healthy state and the machine can be restarted (see illustration below). But, without the operator realising, the safety system has accumulated a now-undetected fault that has actually degraded its performance. All it will take is one more fault and the safety function will be lost. The phenomenon is known as 'fault masking'.
Historically the practise of series-wiring safety switches arose because it saved money on cabling and safety relays, and because such dual-channel wiring translated to Category of 3 of the now-withdrawn standard EN 954-1 (for more than one switch in series, EN 954-1 degraded Category 4 to Category 3). Category 3 lives on in the standard EN ISO 13849-1, in which clause 6.2.6 requires that for Category 3 to apply, specific conditions must be met including: a single fault must not lead to a loss of the safety function, that an accumulation of undetected faults can lead to the loss of the safety function, and importantly as an addition over and above EN 954-1's requirements that at least 60 per cent of faults have to be detected in a diagnosis mechanism (DC = low). The ability of a system to detect 60 per cent of dangerous faults can be impacted by fault masking, which can dramatically reduce the Diagnostic Coverage and, consequently, the Performance Level.
It was expected that fault masking would be covered in detail within EN ISO 14119 and it is - to a point. Here is the exact text from EN ISO 14119:
8.6 Logical series connection of interlocking devices.
Logical series connection of interlocking devices means for NC contacts wired in series or for NO contacts wired in parallel. When interlocking devices with redundant contacts are logically connected in series the detection of a single fault can be masked by the actuation of any interlocking device logically connected in series with the defective interlocking device to the safety related control system.
It is foreseeable that during the fault finding (troubleshooting) by the operator one of the guards whose interlocking devices are logically connected in series with the defective interlocking device will be actuated. In that case the fault will be masked and the effect on the diagnostic coverage value shall be considered.
For a series connection the maximum DC (see ISO 13849-1 or IEC 62061) should be considered.
NOTE A technical report dealing with the logical serial connection of devices is in preparation. [See below for more on this report, which has now been published.]
The real detail of how many devices can be serially connected is contained in technical report ISO/TR 24119, Safety of machinery - Evaluation of fault masking serial connection of guard interlocking devices with potential free contacts. In simple terms, if we have more than one frequently opened guard (once per hour) the level of Diagnostic Coverage falls to zero, which in EN ISO 13849-1 results in a maximum PL c.
The limitation of Diagnostic Coverage by the effects of series connected devices is dealt with in section 6, and in 6.2 there is a Table 1 that gives guidance on a Simplified method for the determination of the maximum achievable DC - and it is likely that many users will go straight to this table because it offers pretty clear cut guidance.
A 'regular' method for determination of DC is described in section 6.3 and Table 2 gives guidance on Fault Masking probability (FM, scored from 1-3) where the the maximum achievable DC depends on the fault masking probability level (FM1-3) and the type of cabling used in combination with the switch arrangement and the diagnostic capabilities of the overall system to detect faults. Tables 3 to 5 show the maximum reachable DC depending on those parameters.
Section 7 gives guidance on avoiding fault masking of interlocking devices with potential free contacts, which include:
6.2 Simplified method for the determination of the maximum achievable DC
Table 1 provides a simplified approach for the determination of the maximum achievable DC taking into account the probability of masking. If the maximum achievable DC resulting from the application of this table does not meet the required level, the more detailed approach given in 6.3 may be more suitable - but this is not ideal.
6.3 Regular method for the determination of the maximum achievable DC
6.3.1 Estimation of the fault masking probability
The probability of fault masking is dependent on several parameters that should be considered, including:
The maximum achievable DC depends on the fault masking probability level (FM) and the type of cabling used in combination with the switch arrangement and the diagnostic capabilities of the overall system to detect faults. Tables 3 to 5 show the maximum reachable DC depending on those parameters. In any case, if it is foreseeable that fault masking will occur (eg multiple movable guards will be open at the same time as part of normal operation or service), then the DC is limited to none.
It is beyond the scope of this article to go into the details of tables 3 and 5 referred to above, and it is recommended that, instead, the 'simplified method' outlined in 6.2 above is used.
A final point to note about ISO/TR 24119 is that it is mentioned in the new version of the functional safety standard EN ISO 13849-1 (Annex E of EN ISO 13849-1:2016 covers Diagnostic Coverage, which is the parameter impacted by fault masking).
There are three industrially available options for overcoming fault masking and complying with the requirements of ISO 14119:2013:
Do not connect interlocked guard switches in series - or at least limit the number of guard switches wired in series when they use volt-free contact technology; wire the switches individually to separate safety relays or individual inputs on safety controllers, or zone small groups together.
The illustration shows magnetic guard switches connected to Pilz PDP20 decentralised interface modules and, subsequently, various monitoring devices.
2. Self-monitoring interlocking devices
The illustration shows Pilz PSENcode coded RFID guard switches with self-monitoring OSSDs. Other options from Pilz include PSENslock (solenoid locks with built-in RFID guard position monitoring and self-monitoring OSSDs), PSENsgate (an integrated system featuring solenoid locking, command-to-release, emergency stop, escape from inside the hazard area, RFID guard position monitoring, and self-monitoring OSSDs), and PSENini (inductive safety sensors for safe position monitoring such as robot home position, with self-monitoring OSSD outputs).
Interlocking devices (and other devices such as light curtains, emergency stops and two-hand controls) can be safely distributed across the machine using a failsafe network - effectively the network addresses devices connected in a chain around a machine and can distinguish between all inputs; they can also test for faults (for example, through the use of test pulses). There are various implementations of this architecture, generally based on nodes where devices are either 'addressed' or given a specific input identity on the network (usually through software).
The illustration shows various switch and interlock devices connected to a Pilz PDP67 safe distributed I/O module; the I/O modules are connected to a Pilz PNOZmulti software-configurable modular safety controller.
EN ISO 14119:2013 (also known as EN ISO 14119 in Europe and BS EN ISO 14119 in the UK) provides machine builders and users with much wider scope to use a broader range of technologies when interlocking guards. It also places more responsibility on the machine designer to prevent foreseeable, deliberate bypassing of guards, and it will change the way in which guard interlocking devices are connected across machines.
Although there is a one-year transition from EN 1088 to EN ISO 14119 (EN 1088 will be withdrawn on 30 April 2015), machine builders who design safety gate systems will be at an advantage if they aim to comply with the new standard immediately. Technologies exist for overcoming challenges like fault masking and, when deployed, can provide added peace of mind as well as compliance with the more exacting requirements of this new standard.
Pilz Automation Technology has Certified Machinery Safety Experts available to help machine builders and system integrators migrate to EN ISO 14119:2013 from EN 1088 in terms of both the design and verification of safety-related control systems, and supplying the necessary interlocking devices and control and monitoring hardware. Follow the links in the text above to find out more, or go to www.pilz.co.uk.