Please select your location to go directly to the relevant Pilz country homepage. If you cannot select your country, click here: Global Site

Close
United Kingdom | english

12 Aug 2014

EN ISO 14119:2013 for interlocking devices associated with guards has arrived and is now harmonised to the Machinery Directive

EN ISO 14119:2013 for interlocking devices associated with guards has arrived and is now harmonised to the Machinery Directive

The new standard “EN ISO 14119:2013 Safety of machinery - Interlocking devices associated with guards - Principles for design and selection” has arrived and will replace EN 1088 on 30th April 2015.

In contrast to the previous standard EN 1088, EN ISO 14119 considers additional technologies such as RFID or electromagnetic guard locking, classifies interlocking switches and regulates more clearly the specifications for installing guards. These regulations are particularly significant with regard to protection against guard manipulation, also known as defeating of guards.

EN ISO 14119 will replace all national standards on this subject and will be valid worldwide. Formally this signifies a huge step forwards: the old standard was purely European, whereas the new standard is published by ISO.  

There are too many technical differences between EN 1088 and EN ISO 14119 to be detailed here, but there follows a taste of some of these differences.

Types of interlocking device

 The first point is that EN ISO 14119 now takes into account many technologies now available which weren’t when EN 1088 was first published. The table below shows an overview of the interlocking types and a helpful cross reference to the examples in the annex of the standard. Types 3 & 4 (non-contact devices, uncoded and coded) did not exist in EN 1088, and examples of their use are given in Annex C and D of EN ISO 14119.

Levels of coding

A coded actuator is defined as one which is specially designed (e.g. by shape, magnetically, or radio frequency RFID) to actuate a certain position switch.  Levels of coding to prevent defeat are defined low level  (for which 1 to 9 variations in code are available),  medium level  (for which 10 to 1 000 variations in code are available) and high level (for which more than 1 000 variations are available). High covers uniquely coded RFID systems; medium covers trapped key systems and some limited RFID systems; low covers magnetic reed switch types and re-teachable RFID types.

Guard locking

The type of guard locking is expanded from power to lock or power to release, to include bistable locks where power can be applied to lock and release a solenoid guard switch; it also considers the circumstances under which the use of electromagnetic locks (just the use of electromagnetic force without tongue) is allowed for machine safety (e.g. taking into account the distance to the hazard, the stopping time in the event of power loss, monitoring the holding force, providing clear indication when forced entry has been attempted). Locking for personnel protection (against injury) and for process protection (against interruption) are differentiated. Whilst it is the task of the machine C-standard or the designer to determine the required holding force for an interlocked guard, and it is the responsibility of the interlock manufacturer to specify the interlocks’ strength to resist static action force, Annex A Table I.1 of EN ISO 14119 offers guidance on typical static action forces based upon the direction of opening force, posture of the operator and type of operator grip (e.g. single or bi-manual). 

Defeating of interlocking devices

Section 7 states that “The machine shall be designed in such a way that it minimizes the motivation for defeating the interlocking devices” and goes on to stipulate “The interlocking device shall provide the minimum possible interference with activities during operation and other phases of machine life, in order to reduce any incentive to defeat it”. Various measures are described to realise these requirements (for example preventing access to the interlocking device, preventing the use of substitute actuators through levels of coding, integration of defeat monitoring by cyclic testing). The implication is that it is increasingly the designer’s responsibility to ensure that interlocked guards can’t be defeated, which in turn requires the designer to understand how the machine will be used at every stage of its life (production, maintenance, setting, cleaning and so on).

The use of fault exclusions

The use of fault exclusions has long been covered in EN 62061 (max SIL 2), ISO/TR 23849 (PLd) and now also in EN ISO 13849-2 (Annex D.8 a single mechanical point of failure (the tongue or cam) can not be fault excluded for PLe ). This limitation to PLd for fault exclusions now appears in EN ISO 14119. In other words to achieve PLe, using at least two devices is mandatory; it is one reason we are seeing more non-contact devices being used for PLe since they have no single mechanical point of failure. Interestingly though, the locking function, although dependent upon a single mechanical channel (the tongue) is allowed to perform up to PLe with the proviso that it is defined as locking up to a maximum stated extraction force (which the manufacturer, not the user, can demonstrate through repeatable, certifiable tests) . [note: this applies with PSENslock, which meets PLe. It also applies to many Fortress Interlocks]

Testing infrequently used guards

Some interlocked guards aren't opened often, so forced testing by manual functional opening and closing at regular intervals is required to check for possible accumulated faults. EN ISO 14119 specifies for PLe a monthly test and for PLd a 12 monthly test. This is important, even in dual channel systems, because faults can only be revealed by placing a demand on the guards. It is recommended that the control system of a machine demands these tests at the required intervals e.g. by visual display unit or signal lamp. The control system should monitor the tests and stop the machine if the test is omitted or fails.

Fault masking

Series Fault Masking

Picture a number of interlocked guards connected in one circuit back to a safety relay. A fault (for example a short circuit across one of a pair of normally closed contacts in an interlock switch due to a contact weld or moisture) can develop in one of the guards, which will be detected by the safety relay only when the faulty guard is opened. The safety relay will see one of the channels open but not the other (it expects to see both open) so the safety relay will both shut the associated part of the machine down and it will “lock out” because it has registered the fault. When the operator closes the guard, the fault remains registered in the safety relay which prevents a reset and restart. In many cases the operator will not investigate this further - he may try to open and close the guard again, to no avail, following which he may try to open and close other nearby guards and as if by magic, the fault is cleared because one of the other healthy interlock switches causes simultaneous opening of its pair of contacts which the relay recognises as a healthy state and the machine can be restarted – but, unbeknownst to the operator, the safety system has accumulated a now-undetected fault which has actually degraded its performance. All it will take is one more fault and the safety function will be lost. The phenomenon is known as “fault masking”.

Historically the practise of series-wired safety switches has arisen because it saved money on cabling and safety relays, and because such dual channel wiring translated to Category of 3 of the now-withdrawn standard EN 954-1 (for more than one switch in series, EN 954-1 degraded Category 4 to Category 3). Category 3 lives on in the standard EN ISO 13849-1 in which clause 6.2.6 requires that for Category 3 to apply specific conditions must be met which include: a single fault must not lead to a loss of the safety function, that an accumulation of undetected faults can lead to the loss of the safety function, and importantly as an addition over and above EN 954-1’s requirements that at least 60% of faults have to be detected in a diagnosis mechanism (DC = low). The ability of a system to detect 60% of dangerous faults can be impacted by fault masking which can dramatically reduce the Diagnostic Coverage and consequently the Performance Level.

It was expected that fault masking would be covered in detail EN ISO 14119, and it is – to a point. Here is the exact text from the final draft of EN ISO 14119:

“8.6 Logical series connection of interlocking devices - Logical series connection of interlocking devices means for NC contacts wired in series or for NO contacts wired in parallel. When interlocking devices with redundant contacts are logically connected in series the detection of a single fault can be masked by the actuation of any interlocking device logically connected in series with the defective interlocking device to the safety related control system.

It is foreseeable that during the fault finding (troubleshooting) by the operator one of the guards whose interlocking devices are logically connected in series with the defective interlocking device will be actuated. In that case the fault will be masked and the effect on the diagnostic coverage value shall be considered.

For a series connection the maximum DC (see ISO 13849-1 or IEC 62061) should be considered.

NOTE: A technical report dealing with the logical serial connection of devices is in preparation.”

The real detail of how many devices can be serially connected is the subject of a forthcoming technical report, ISO/PDTR 24119 - Safety of machinery — Evaluation of fault masking serial connection of guard interlocking devices with potential free contacts. It is currently under committee review, with an expectation that it will be available quite soon.  In simple terms if we have more than one frequently opened guard (once per hour) the level of Diagnostic Coverage falls to zero which in EN ISO 13849-1 results in a max PL c.  It remains to be seen exactly what ISO/PDTR 24119 has to say about the maximum PL achievable where several infrequently operated guards are connected but it is very likely to be PL d where careful analysis is possible (for example of the number of guards, the type of switches, type of wiring, distance between guards, and accessibility of guards) otherwise it is more likely to be PL c. It is definitely not possible to achieve PL e with more than one guard connected in series, at least not when using volt-free based interlock switch technology. Early signs are that the technical report ISO/PDTR 24119 will provide two methods for evaluating the extent to which diagnostic coverage is impacted by masking:

6.2 Simplified method for the determination of the maximum achievable DC Table 1 provides a simplified approach for the determination of the maximum achievable DC taking into account the probability of masking. If the maximum achievable DC resulting from the application of this table does not meet the required level the more detailed approach given in 6.3 may be more suitable, but not ideal!!

6.3 Regular method for the determination of the maximum achievable DC

6.3.1 Estimation of the fault masking probability

The probability of fault masking is dependent on several parameters that should be considered including: 

- number of series connected devices;  actuation frequency of each movable guard; distance between the movable guards; accessibility of the movable guards;  number of operators.

The maximum achievable DC depends on the fault masking probability level (FM) and the type of cabling used in combination with the switch arrangement and the diagnostic capabilities of the overall system to detect faults. Tables 3 to 5 show the maximum reachable DC depending on those parameters. In any case, if it is foreseeable that fault masking will occur (e. g. multiple movable guards will be open at the same time as part of normal operation or service), then the DC is limited to none.

It is beyond the scope of this document to go into the details of the tables 3 and 5 referred to above, and it is recommended that one sticks to the use of the “simplified method” outlined in 6.2!

There are three industrially available options on how to overcome fault masking:

1.       Individual wiring or localised zoning

Decentralised Connectivity Diagram

PDP20 F mag

Don’t connect or at least limit the number of volt-free, interlocking devices in series, wire them individually to individual safety relays on individual inputs on safety controllers or zone small groups together

2.       Intelligent interlocking devices

PSENcode aPSENcode b

Use devices which are not based upon volt-free contacts, rather based on self-monitoring transistorised outputs (known as OSSDs) – these are typical found on RFID contactless switches, which can detect faults within themselves. These can be connected in series and maintain the highest levels of diagnostics, to achieve PL e. PSENcode switches (RFID guard position monitoring devices with self-monitoring OSSDs )

PSENslock (solenoid locks with built in RFID guard position monitoring with self-monitoring OSSDs)

PSENslock

PSENsgate (solenoid locking, command to release, E-stop, escape from inside the hazard area, and RFID guard position monitoring system with self-monitoring OSSDs)

PSENsgate

PSENini (inductive safety sensors for safe position monitoring e.g. robot home position, with self-monitoring OSSD outputs)

PSENini

3.       Safe Distributed I/O systems

PDP67

PDP67 in conjunction with PNOZmulti

Distributing interlocks (and other devices like light curtains, emergency stops, two hand controls etc) across the machine can be done safely using a failsafe network – effectively the network addresses devices connected in a chain around a machine and can distinguish between all inputs and test for faults (for example through the use of test pulses). There are various solutions to this based generally upon nodes where devices are either "addressed” or given a specific input identity on the network (generally using software).

Final comment

EN ISO 14119:2013 provides machine builders and users with much wider scope to use a broader range of technologies when interlocking guards, it also places more responsibility on the designer to prevent foreseeable, deliberate bypassing of guards, and it will change the way in which guard interlocking devices are connected across machines. 

"Although there is a year’s transition from EN 1088 which means it will be withdrawn in 30/04/2015, machine builders who design safety gate systems will be at an advantage if they aim to comply with the new EN ISO 14119 immediately.  Technologies exist which can overcome challenges, like fault masking, and when deployed can provide added peace of mind as well as compliance with the more exacting requirements of this new standard“, explains David Collier CMSE ®, Business Development Manager at Pilz UK. 

For more information contact Pilz on sales@pilz.co.uk or call 01536 460766 

Contact

Pilz Automation Ltd
Pilz House, Little Colliers Field
Corby, Northants, NN18 8TJ
United Kingdom

Telephone: +44 1536 460766
E-Mail: sales@pilz.co.uk

Press center

Telephone: +49 711 3409-158
E-Mail: presse@pilz.de