Life is never as simple as we might like. Consider this example of a simple safety system: a single cell with potentially dangerous movement has two doors with safety switches. The safety controller stops the machine when either of the doors is opened or if a switch malfunctions. With a failure detected, the safety controller will prevent the machine from starting until the switch is replaced. In this simple example, it's easy enough to work out which of the two switches is malfunctioning, rectify the fault and reset the controller.
In reality, manufacturing and processing situations will almost certainly be more complex with further doors and cells. Multiple interlocking devices on a machine are extremely common and for many years it has been widespread practice to connect dual channel electro-mechanical safety switches in series.
Unmasking the dangers
Where the door switches employ dual channel architecture to allow a redundant switch-off path, the safety controller will monitor the status of each channel. If either channel switches off, the machine must stop. However, the machine may not restart until the controller has detected that both channels switched off BEFORE they switched back on, indicating a safe condition. Checking that both inputs behave in the same way is the principal form of diagnostic and fault detection. Faults in door switches have more serious consequences with multiple cells.
Let us take an example of three doors of a production cell, A, B and C, wired in series where C is the furthest from the controller. Suppose door C has developed a fault such that one of the channels does not switch off when door C is opened. The controller will stop the machine because one of the channels has switched off. However, when the door is closed, the controller will not allow the safety function to be reset because a discrepancy between the inputs was detected.
If either door A, door B, or both, is opened, the controller will see both channels switch off. When they are both closed, the controller will allow a reset despite the fault on switch C being present; it has been masked by the operation of the other doors in the chain closer to the controller.
It's easy to imagine a scenario where an operative, finding one door a 'bit faulty' or a switch a bit 'sticky', soon discovers that the reset lockout can be overridden by opening and closing the next door. Consequently, unsafe situations could build up. This very general description of the phenomenon of fault masking is possible under the existing design standard (EN 1088).
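The masking mechanism described above can be reproduced with a small simulation. This is an added model, not SICK's controller logic or any code from the original article: it assumes a two-channel controller that refuses a reset unless both series inputs were seen to switch off before switching back on, and a door C whose channel 2 contact is stuck closed.

```python
from dataclasses import dataclass

@dataclass
class DoorSwitch:
    """Dual channel guard switch. A channel listed in stuck_closed never opens (fault)."""
    name: str
    is_open: bool = False
    stuck_closed: tuple = ()

    def contacts(self):
        # (channel 1 closed, channel 2 closed); a healthy contact mirrors the door
        return tuple(True if ch in self.stuck_closed else not self.is_open for ch in (1, 2))

class SeriesChain:
    """Two series strings: each controller input is on only if every switch's contact is closed."""
    def __init__(self, switches):
        self.switches = switches

    def inputs(self):
        ch1 = all(s.contacts()[0] for s in self.switches)
        ch2 = all(s.contacts()[1] for s in self.switches)
        return ch1, ch2

class SafetyController:
    """Cross-monitors the two inputs without a dynamic test (the method named in EN ISO 13849-1)."""
    def __init__(self, chain):
        self.chain, self.running, self.seen_off = chain, True, [False, False]

    def scan(self):
        ch1, ch2 = self.chain.inputs()
        if not (ch1 and ch2):
            self.running = False                      # any channel off stops the machine
            self.seen_off[0] |= not ch1               # remember which channels actually dropped
            self.seen_off[1] |= not ch2
        return ch1, ch2

    def reset(self):
        ch1, ch2 = self.chain.inputs()
        if ch1 and ch2 and all(self.seen_off):        # both on now AND both were seen off
            self.running, self.seen_off = True, [False, False]
            return True
        return False                                  # discrepancy: lockout

def fault_masking_scenario():
    """Returns (reset after faulty door C alone, reset after healthy door A is cycled)."""
    a, b, c = DoorSwitch("A"), DoorSwitch("B"), DoorSwitch("C", stuck_closed=(2,))
    ctrl = SafetyController(SeriesChain([a, b, c]))
    c.is_open = True;  ctrl.scan()   # ch1 off, ch2 stays on -> stop with discrepancy
    c.is_open = False; ctrl.scan()
    refused = ctrl.reset()           # False: channel 2 never switched off
    a.is_open = True;  ctrl.scan()   # healthy door nearer the controller drops both channels
    a.is_open = False; ctrl.scan()
    masked = ctrl.reset()            # True: the fault on C is now invisible to the controller
    return refused, masked
```

The same model with all three doors healthy accepts the reset after any single door is cycled, which is exactly why the controller cannot tell the masked case apart.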
Moreover, if you have a machine with dangerous moving parts and many access doors with dual channel switches on each door and E-Stops, it is understandable why someone would wire them up in a cascaded series into one input, because this avoids the bulk, complexity and expense of separately wired cables from each guard to the controller.
A word of caution here: it is easy to compromise the safety of such systems through the safety controller being unable to diagnose the problem, thus affecting the performance level of the whole system.
Implications for diagnostic effectiveness
One of the standards for Safety of machinery (BS EN 13849-1: Safety-related parts of control systems) states that the diagnostic coverage (DC) is a measure of the effectiveness of diagnostics, which may be determined as the ratio between the failure rate of detected dangerous failures and the failure rate of total dangerous failures. In this standard the DC is given one of four levels.
Effectively, if 'fault masking' is possible, the safety controller's capacity to diagnose the whole system has been downgraded from a potentially high detection rate (≥ 99%) to a lower performance level.
According to EN 13849-1, the DC measure 'cross monitoring of inputs without dynamic test' is a method capable of achieving the 'high' DC necessary to reach PLe. However, no consideration of series connection of electromechanical contacts is mentioned. EN ISO 14119 makes reference to the reduction of DC when series connections are used, and ISO Technical Report ISO/TR 24119 gives a more quantified approach, as follows:
• If there is more than one frequently opened guard (opened more than once per hour), then the diagnostic coverage will be zero.
• If there is just one frequently opened guard and the safety device for this guard is connected in series with other devices, the DC drops.
• If multiple guards can be open at the same time during normal operation, the DC will be zero.
Therefore, when using more than two guards in series, PLe cannot be achieved and PLd could be dependent on the frequency and number of doors that can be opened.
A new machine standard
Because of this ‘loophole’ in the system, updating of EN 1088, as applied to the Machinery Safety Directive, has been under discussion and the proposed EN ISO 14119 was finally published at the end of October 2013. Implementation of the new standard will, inevitably, have significant implications.
One way of identifying individual faults on safety guards to ensure PLe levels of safety is to wire the guards back individually to the safety controller. This could mean high cost and extra bulk of additional cabling, as well as its installation and the connection hardware.
SICK offers a solution in its new Flexi Loop connectivity system, which has been designed to meet these regulatory changes.
Flexi Loop permits the series connection of dual channel devices, whilst allowing high diagnostic coverage and eliminating the potential for so-called fault masking. It is a fully open system and it allows a designer to connect any safety system in series with another without compromising the PLe integrity of the safety system.
Capacity and flexibility
With a capacity to cascade up to 32 safety sensors or switches on one loop and to create up to eight separate loops, the IP67-rated Flexi Loop will provide up to 256 sensors on eight dual channel inputs, reducing the clutter of traditional connections. It is simple to install as a fully cascaded system, using standard cable with M12/5-pin connectors. No special connections or shielded cables are required.
It also provides intelligent built-in diagnostics (indicated via LEDs) that do not require connection to a fieldbus or complex network addressing. Flexi Loop thus provides a cost-effective, decentralised means of monitoring the status of each safety sensor/switch, loop and I/O connected to it. This diagnostic capability is an advance on SICK's existing Flexi Soft controller platform, which allows status monitoring at the controller or via the HMI/PLC interface, and further specialised connectivity modules.
Design, installation and central control
A Flexi Loop installation can be up to 960m in length, with Flexi Loop modules up to 30m apart. Each module assures PLe as long as the sensor can fulfil that performance level, and makes calculating complex SIL or PL parameters easy. The accompanying free Flexi Soft Designer software provides pre-approved safety function blocks, simulation and all safety declaration documents at the press of a button.
As well as answering safety concerns surrounding the manufacturing process, the functionality of the existing Flexi Soft system with Flexi Loop enables gateways to be integrated so that remote diagnostics information can be passed to higher level control systems. Flexi Soft supports: Profinet, Profibus, CANopen, EtherCAT, SERCOS interface, EtherNet/IP, DeviceNet and CC-Link.
Dr Martin Kidman is a safety specialist at SICK (UK)