Dr Martin Kidman, a Safety Specialist at Sick (UK) explains the implications of EN ISO 14119 and how there is now an easier way to implement cascaded safety switches and sensors in the light of the standard, thereby benefiting machine builders through lower costs, reducing cabling and improved diagnostics.
The publication of machine safety standard EN ISO 14119, Safety of machinery. Interlocking devices associated with guards. Principles for design and selection (BS EN ISO 14119:2013 in the UK), marks significant progress for machinery designers in tackling the long-debated problem of 'fault masking' when connecting multiple switches in series to a safety controller.
This standard supersedes EN 1088, provides a presumption of conformity with the Machinery Safety Directive 2006/42/EC, and tackles the potential 'loophole' of unintended resetting in applications where interlocking devices are associated with guards.
Note that Sick UK is planning a series of 35-minute web workshops to outline the implications of the new standard. Register your interest to be advised of the next session at bit.ly/SICK_Webinar.
Consider a simple safety system installed on a single automation cell with potentially dangerous movement; the cell has two doors with safety switches that are monitored by a safety controller to stop the movement when either of the doors is opened.
If one of the switches malfunctions, the safety controller will detect a failure and will not allow the machine to start until the switch is replaced. With just two switches, it is easy enough to work out which one is malfunctioning and reset the controller once the fault is rectified. Unfortunately, things are usually more complicated in real life situations, with further doors, cells and multiple interlocking devices. For many years it has been widespread practice to connect dual-channel electromechanical safety switches in series.
Where the door switches employ dual-channel architecture to provide a redundant switch-off path, the safety controller monitors the status of each channel; if either channel switches off, the machine must stop. However, the machine may not restart until the controller has detected that both channels switched off before they switched back on, indicating a safe condition. Checking that both inputs behave in the same way is the principal form of diagnostic and fault detection. Faults in door switches have more serious consequences with multiple cells.
Let us take an example of three doors of a production cell, A, B and C, wired in series such that A is closest and C is the furthest from the controller. Suppose door C has developed a fault such that one of the channels does not switch off when door C is opened. The controller sees one channel switch off and stops the machine. However, when the door is closed again, the controller will not allow the safety function to be reset, because it detected a discrepancy between the two inputs. If either door A, door B, or both, is opened, the controller will see both channels switch off. When they are both closed, the controller will allow a reset despite the fault on switch C still being present; the fault has been masked by the operation of the other doors in the chain closer to the controller.
It is easy to imagine a scenario where an operative, finding one door a 'bit faulty' or a switch a bit 'sticky', discovers that the reset can be overridden by opening and closing the next door. Consequently, unsafe situations could build up.
Fault masking of this kind is possible under the existing machine safety standard EN 1088. Furthermore, on a machine with dangerous moving parts, many access doors with dual-channel switches on each door, and emergency stop switches as well, it is understandable why someone would connect them in a cascaded series into one input.
With individually wired safety guard arrangements requiring extensive and complex cabling to controllers from each of the guards, separately wired cables to the controller soon multiply up. As well as being bulky, installation can be difficult and expensive. That is why engineers have preferred the series option of connection until now.
As we have seen, the safety of such systems is easily compromised because the safety controller is unable to diagnose the problem. In our example, door C has been relegated from a dual-channel device to a device with just one channel, affecting the performance level of the whole system.
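To make the masking mechanism concrete, here is an added Python simulation of the three-door cell described above; it is not part of the article and not Sick code. Each door is a dual-channel switch, door C has one contact stuck closed, and a simple controller model accepts a reset only after both channels have been seen off together. The door names, the stuck-contact fault and the controller behaviour are assumptions chosen to match the scenario in the text. The same operator actions are run against series wiring and against individually wired inputs, and a final check shows that after the masked reset door C only drops one channel, i.e. it is now a single-channel device.

```python
from dataclasses import dataclass


@dataclass
class Door:
    """A guard door with a dual-channel interlock switch (two contacts)."""
    name: str
    closed: bool = True
    # Channels whose contact is stuck closed: a dangerous fault, because the
    # channel stays live even when the door is open (assumed fault model).
    stuck_closed: frozenset = frozenset()

    def contacts(self):
        """(ch1, ch2): True means the contact is closed and the channel is live."""
        return tuple(self.closed or ch in self.stuck_closed for ch in (1, 2))


class SafetyInput:
    """One dual-channel controller input, cross monitoring without dynamic test.

    Either channel dropping out stops the machine. A reset is accepted only once
    both channels have been seen off together and are back on (assumed model).
    """

    def __init__(self):
        self.running = True
        self.both_seen_off = False

    def scan(self, ch1, ch2):
        if not (ch1 and ch2):
            self.running = False          # one channel off is enough to stop
        if not ch1 and not ch2:
            self.both_seen_off = True     # both channels agreed: plausible demand

    def try_reset(self, ch1, ch2):
        if self.running:
            return True                   # nothing to reset on this input
        if ch1 and ch2 and self.both_seen_off:
            self.running = True
            self.both_seen_off = False
            return True
        return False                      # channel discrepancy is still latched


class SeriesCell:
    """All doors daisy-chained into ONE controller input (A closest, C furthest)."""

    def __init__(self, doors):
        self.doors = doors
        self.input = SafetyInput()

    def lines(self):
        # A series channel is live only if every door's contact on it is closed.
        return tuple(all(d.contacts()[i] for d in self.doors) for i in (0, 1))

    def scan(self):
        self.input.scan(*self.lines())

    def try_reset(self):
        return self.input.try_reset(*self.lines())


class IndividualCell:
    """Each door wired back to its own controller input."""

    def __init__(self, doors):
        self.doors = doors
        self.inputs = [SafetyInput() for _ in doors]

    def scan(self):
        for door, inp in zip(self.doors, self.inputs):
            inp.scan(*door.contacts())

    def try_reset(self):
        # Evaluate every input; a latched discrepancy on any door blocks the machine.
        results = [inp.try_reset(*d.contacts()) for d, inp in zip(self.doors, self.inputs)]
        return all(results)


def cycle(cell, door):
    """Operator opens and closes one door while the controller keeps scanning."""
    door.closed = False
    cell.scan()
    door.closed = True
    cell.scan()


def make_doors():
    # Constructed scenario: door C has channel 2 stuck closed.
    return [Door("A"), Door("B"), Door("C", stuck_closed=frozenset({2}))]


def fault_masking_scenario(make_cell):
    """Is a reset accepted after cycling faulty door C, then after cycling healthy door A?"""
    doors = make_doors()
    cell = make_cell(doors)
    cycle(cell, doors[2])                 # faulty door: only channel 1 drops out
    reset_after_c = cell.try_reset()
    cycle(cell, doors[0])                 # healthy door nearer the controller
    reset_after_a = cell.try_reset()
    return reset_after_c, reset_after_a


def series_protection_from_door_c():
    """After the masked reset, open door C: only channel 1 now stops the machine."""
    doors = make_doors()
    cell = SeriesCell(doors)
    cycle(cell, doors[2]); cell.try_reset()
    cycle(cell, doors[0]); cell.try_reset()   # masked reset succeeds here
    doors[2].closed = False
    cell.scan()
    return cell.lines(), cell.input.running


if __name__ == "__main__":
    for label, factory in (("series wiring", SeriesCell), ("individual wiring", IndividualCell)):
        after_c, after_a = fault_masking_scenario(factory)
        print(f"{label}: reset after cycling C={after_c}, after cycling A={after_a}")
    print("series, C opened after masked reset (ch1, ch2), running:", series_protection_from_door_c())
```

With series wiring the reset is refused after door C is cycled but accepted after door A is cycled, exactly the masking the article describes; with individual wiring the latched discrepancy on door C's own input blocks every reset until that switch is replaced.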
One of the machinery safety standards, BS EN 13849-1, Safety-related parts of control systems, states that diagnostic coverage (DC) is a measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. In this standard the DC is given one of 4 levels (see table 1 below).
Effectively, if fault masking is possible, the safety controller's capacity to diagnose the whole system has been downgraded from a potentially high detection rate (≥ 99 per cent) to a lower performance level.
According to EN 13849-1, the DC measure 'Cross monitoring of inputs without dynamic test' is a method capable of achieving the 'high' DC necessary to reach PLe. However, the standard gives no consideration to series connection of electromechanical contacts. EN ISO 14119 makes reference to the reduction of DC when series connections are used, and ISO Technical Report ISO/TR 24119 gives a more quantified approach:
Therefore, when using more than two guards in series, PLe cannot be achieved and PLd could be dependent on the frequency and number of doors that can be opened.
The implementation of the new standard, which requires individual faults on safety guards to be identified if PLe levels of safety are to be ensured, will inevitably have further implications for the installation and set-up of safety systems. One way of implementing this is to wire each guard back individually to the safety controller.
One major consideration is the high cost and the sheer bulk of the extra cabling, as well as its installation and the connection hardware.
This illustration demonstrates what might be involved to achieve PLe with non-cascaded safety sensors and switches if complying with the requirements of EN ISO 14119:
The new Sick Flexi Loop provides simple connectivity and is designed to meet these regulatory changes. It achieves exceptional scalability, diagnostic insight and I/O connection capacity within a compact space and at a very competitive cost. It is particularly suitable when upgrading existing automation, robotics and modern manufacturing processes.
Sick's Flexi Loop permits the series connection of dual-channel devices while allowing high diagnostic coverage to be achieved and eliminating the potential for fault masking. It is a fully open system and can accommodate standard sensor/switch devices from any vendor. As a field I/O system, it enables any safety system to be connected in series with another without compromising the safety system's PLe performance.
With a capacity to cascade up to 32 safety sensors or switches on one loop and to create up to eight separate loops, the IP67-rated Sick Flexi Loop accommodates up to 256 sensors on eight dual-channel inputs, thereby reducing the clutter of traditional connections. The loop modules also offer a standard input and output that can be used to activate solenoid locks, lamps, reset buttons and access requests. The Flexi Loop is simple to install as a fully cascadable system using standard cables with five-pin M12 connectors. No special connections or shielded cables are required.
Sick's Flexi Loop provides intelligent built-in diagnostics without the need for a fieldbus or complex network addressing, resulting in a decentralised and cost-effective solution to the problem of monitoring the status of each safety sensor/switch connected to it. As well as indicating which device has switched, and why, LED indicators on each node give live status information and avoid referring back to a desk-based control point. This diagnostic capability is an advance on Sick's widely used Flexi Soft controller platform that enables status monitoring at the controller or via the HMI/PLC interface.
Each Flexi Loop module indicates loop status, plus each of the safe and standard inputs and standard outputs. There is a Flexi Loop module that will indicate the status of up to 31 modules and one that enables power injection to accommodate high power usage from devices such as laser scanners, solenoid interlocks and light curtains.
The impressive operating range enables each Flexi Loop to be up to 960m long and the distance between Flexi Loop modules to be 30m. Each Flexi Loop module assures PLe as long as the sensor can fulfil that performance level, and this makes calculating complex SIL or PL parameters easy. The free Sick Flexi Soft Designer Software provides pre-approved safety function blocks, simulation and all safety declaration documents at the press of a button.
As well as answering safety concerns around the manufacturing process, the functionality of the existing Flexi Soft system with Flexi Loop enables gateways to be integrated so that remote diagnostics information can be passed to higher-level control systems. Flexi Soft supports the following communication protocols: Profinet, Profibus, CANopen, EtherCAT, SERCOS interface, EtherNet/IP, DeviceNet and CC-Link.
Follow the links for more information about the new Sick Flexi Loop, Flexi Soft or other safety products and systems. To register for one of the 35-minute web workshops that outline the implications of the new machinery safety standard EN ISO 14119, go to bit.ly/SICK_Webinar.