Machine safety loophole unmasked...

SICK UK tackles the problems of fault masking and finds a cost-saving solution to cascading safety switches and sensors in the light of the forthcoming EN ISO 14119 standard. Dr Martin Kidman, Safety Specialist at SICK (UK) explains.

Picture a simple safety system: a single cell with potentially dangerous movement has two doors, each fitted with a safety switch that is monitored by a safety controller. When either door is opened, the machine controller brings the machine to a standstill. If one of the switches malfunctions, the safety controller detects the failure and will not allow the machine to start until the switch is replaced. With just two switches, it is easy to work out which one is malfunctioning and to reset the controller once the fault is rectified.

Unfortunately, real-life installations are usually more complicated. Further doors or cells are likely to be added to a system, increasing the number of safety interlocks; packaging, printing, paper and converting machines that form a line of sequential processes are typical examples. Multiple interlocking devices on a machine are extremely common, and for many years it has been widespread practice to connect dual-channel electro-mechanical safety switches in series.

Potential hidden dangers
Where the door switches use a dual-channel architecture to provide a redundant switch-off path, the safety controller monitors the status of each channel. If either channel switches off, the machine must stop. However, the machine may not restart until the controller has detected that both channels switched off BEFORE they switched back on, indicating a safe condition. Checking that both inputs behave in the same way is the principal form of diagnostic and fault detection. With multiple cells, faults in door switches have more serious consequences.

Consider three doors of a production cell, A, B and C, wired in series, with C the furthest from the controller. Suppose door C has developed a fault such that one of its channels does not switch off when door C is opened. The machine still stops, because the controller sees one channel switch off. However, when the door is closed, the controller will not allow the safety function to be reset, because a discrepancy between the inputs was detected. If door A, door B, or both are now opened, the controller sees both channels switch off. When they are closed again, the controller allows a reset despite the fault on switch C still being present: the fault has been masked by the operation of the other doors in the chain closer to the controller.

It's easy to imagine a scenario where an operative, finding one door a 'bit faulty' or a switch a bit 'sticky', soon discovers that the refused reset can be overridden by opening and closing the next door. Consequently, unsafe situations could build up.

Fault masking, as described in general terms here, is possible under the existing design standard (EN 1088). Furthermore, on a machine with dangerous moving parts, many access doors with dual-channel switches on each door, and E-Stops, it is understandable why someone would wire them all in a cascaded series into one input. Wiring each guard individually requires extensive and complex cabling from each guard back to the controller, and the separate cables soon multiply. As well as being bulky, such an installation can be difficult and expensive. That is why engineers have preferred series connection until now.

As we have seen, the safety of such systems is easily compromised because the safety controller is unable to diagnose the problem. In our example, door C has been relegated from a dual-channel device to one with just a single channel, which affects the performance level of the whole system.
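To make the sequence in the example concrete, the following Python model (added here; it is not SICK's code or a real controller implementation) simulates a controller input with cross monitoring, wires doors A, B and C in series so that each channel line is the AND of that channel's contacts, and then repeats the same door operations with individually wired inputs. The door names, channel indices and the stuck-channel fault on door C are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Door:
    name: str
    is_open: bool = False
    stuck_channel: int = -1  # channel (0 or 1) whose contact never opens; -1 = healthy

    def contacts(self):
        # Per-channel contact state: True = closed (channel energised)
        return tuple((not self.is_open) or self.stuck_channel == ch for ch in (0, 1))

@dataclass
class TwoChannelInput:  # one dual-channel controller input with cross monitoring
    seen_off: set = field(default_factory=set)  # channels observed off since last stop
    running: bool = True

    def update(self, ch0, ch1):
        # Any channel switching off stops the machine and is recorded for the check
        for idx, closed in enumerate((ch0, ch1)):
            if not closed:
                self.seen_off.add(idx)
                self.running = False

    def reset(self, ch0, ch1):
        # Restart only if both channels were seen off, i.e. no discrepancy remains
        if ch0 and ch1 and self.seen_off == {0, 1}:
            self.running, self.seen_off = True, set()
        return self.running

def series_contacts(doors):
    # Series wiring: each channel line is the AND of that channel's contact on every door
    return tuple(all(d.contacts()[ch] for d in doors) for ch in (0, 1))

def series_wiring_masks_fault():
    a, b, c = Door("A"), Door("B"), Door("C", stuck_channel=1)  # constructed fault
    chain, ctrl = [a, b, c], TwoChannelInput()
    c.is_open = True;  ctrl.update(*series_contacts(chain))   # ch0 off, ch1 stuck on: stop
    c.is_open = False; refused = not ctrl.reset(*series_contacts(chain))  # discrepancy
    a.is_open = True;  ctrl.update(*series_contacts(chain))   # door A drops both channels
    a.is_open = False; masked = ctrl.reset(*series_contacts(chain))       # reset accepted
    return {"reset_refused_after_c": refused, "reset_allowed_after_a": masked}

def individual_wiring_keeps_fault_visible():
    a, c = Door("A"), Door("C", stuck_channel=1)
    inputs = {d.name: TwoChannelInput() for d in (a, c)}
    for d in (c, a):  # same door operations, but each door has its own input pair
        d.is_open = True;  inputs[d.name].update(*d.contacts())
        d.is_open = False; inputs[d.name].reset(*d.contacts())
    return {name: inp.running for name, inp in inputs.items()}
```

With series wiring the controller accepts the reset after door A is cycled even though door C's discrepancy was never cleared; with one input pair per door, C's input stays tripped and the fault remains diagnosable.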

Implications for diagnostic effectiveness
One of the standards for safety of machinery (BS EN 13849-1: Safety-related parts of control systems) defines diagnostic coverage (DC) as a measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of all dangerous failures.

Effectively, if fault masking is possible, the safety controller's capacity to diagnose the whole system has been downgraded from a potentially high detection rate (≥99%) to a lower one, and with it the achievable performance level.

According to EN 13849-1, the DC measure 'Cross monitoring of inputs without dynamic test' is capable of achieving the 'high' DC necessary to reach PLe. However, no consideration is given to series connection of electro-mechanical contacts. EN ISO 14119 refers to the reduction of DC when series connections are used, and the ISO Technical Report ISO/TR 24119 gives a more quantified approach:

  • If there is more than one frequently opened guard (opened more than once per hour) then the diagnostic coverage will be zero.
  • If there is just one frequently opened guard and the safety device for this guard is connected in series with other devices, the DC drops.
  • If multiple guards can be open at the same time during normal operation the DC will be zero.

Therefore, with more than two guards in series, PLe cannot be achieved, and PLd may depend on the frequency of opening and the number of doors that can be opened.

Because of this 'loophole', an update of EN 1088 as applied to the Machinery Safety Directive has been under discussion, and the proposed EN ISO 14119 is in its final draft. It might even be published by the end of 2013.

Implementing the new standard, which requires identification of individual faults on safety guards to ensure PLe levels of safety, will inevitably have further implications for the installation and set-up of safety systems. One way of achieving this is to wire each guard back individually to the safety controller.

One major consideration is the high cost and the sheer bulk of the extra cabling, as well as its installation and the connection hardware. Figure 1 demonstrates what might be involved. The solution, as highlighted in Figure 2, is the new SICK Flexi Loop, which provides a simple connectivity solution designed to meet these regulatory changes. It achieves new dimensions of scalability, diagnostic insight and I/O connection capacity within a compact space and at a very competitive cost. It is ideal when upgrading automation, robotics and modern manufacturing processes.

The SICK Flexi Loop permits the series connection of dual channel devices, whilst allowing high diagnostic coverage and eliminating the potential for so called fault masking. It is a fully open system and can accommodate standard sensor/switch devices from any vendor. As a field I/O system, it allows a designer to connect any safety system in series with another without any compromise of the safety system performance to PLe integrity.

Capacity and flexibility
With a capacity to cascade up to 32 safety sensors or switches on one loop and to create up to eight separate loops, the IP67-rated SICK Flexi Loop will provide up to 256 sensors on eight dual channel inputs, reducing the clutter of traditional connections. The loop modules also offer a standard input and output which can be used to activate solenoid locks, lamps, reset buttons and access requests. The Flexi Loop is simple to install as a fully cascadable system, using standard cable with M12/5-pin connectors. No special connections or shielded cables are required.

The SICK Flexi Loop provides intelligent built-in diagnostics without the need for a field bus or complex network addressing, resulting in a decentralised, cost-effective solution to monitoring the status of each safety sensor/switch connected to it. As well as indicating which device has switched, and why, LED indicators on each node give live status information and avoid referring back to a desk-based control point.

This diagnostic capability is an advance on SICK's widely used Flexi Soft controller platform which allows status monitoring at the controller or via the HMI/PLC interface.

Each Flexi Loop module indicates loop status, plus each of the safe and standard inputs and standard outputs. There is a Flexi Loop module that will indicate the status of up to 31 modules and one which allows power injection to accommodate high power usage from devices such as laser scanners, solenoid interlock activation and light curtains.

The impressive operating range allows each Flexi Loop to be up to 960m long, with up to 30m between Flexi Loop modules. Each Flexi Loop module assures PLe as long as the sensor can fulfil that performance level, and makes calculating complex SIL or PL parameters easy. The free SICK Flexi Soft Designer software provides pre-approved safety function blocks, simulation and all safety declaration documents at the press of a button.

As well as addressing safety concerns around the manufacturing process, the existing Flexi Soft system with Flexi Loop enables gateways to be integrated so that remote diagnostic information can be passed to higher-level control systems. Flexi Soft supports: Profinet, Profibus, CANopen, EtherCAT, SERCOS interface, Ethernet/IP, DeviceNet and CC-Link.
