The Assessment of “Fault Masking” in the Scope of Machinery Safety
Adem Karatas, Sr Key Accounts Sales Engineer at Pilz Turkey, [email protected]
Abstract
The root causes of the work-related accidents that occur every day need to be examined within the scope of the Machinery Directive 2006/42/EC. The aim should be to identify those root causes, correct the commonly held mistakes and spread adequate knowledge to the shop floor. Work accidents take the form of a chain of events that shows minor symptoms over time and begins with those symptoms being ignored; once they are ignored, the sequence of events that trigger one another becomes inevitable.
Looking beneath the surface, the causes of work-related accidents fall into two groups: human error and lack of knowledge resulting from various factors.
One of the most significant accident causes attributable to lack of knowledge is ignoring the fault masking that occurs when safety devices are connected in series.
The purpose of this article is, within the scope of the technical report ISO/TR 24119, "Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts", to point out the commonly held mistakes about series connection, to convey how the machinery safety approach should be, to show how the faults that cause the problems arise, and to share the measures that eliminate them.
Key Words: “Machinery Safety”, “Interlock Devices”, “Fault Masking”, “Series Connected Devices”, “Work Accidents”
1. Introduction
Machine safety, a sub-discipline of occupational health and safety, gains importance day by day, owing not only to the changing world order but also to developing technology. Looking at the industrial revolutions from the past to the present, mechanization has accelerated dramatically. The competition underlying this acceleration, driven by parameters such as technological development and the need for mass production, has reached serious proportions.
In today's technology-intensive and competitive environment, the need to use machines in every process increases the risk of machine-related accidents. Fierce competition demands machines that are extremely fast and powerful enough to put living beings at risk in order to reach high production volumes. Although these machine systems operate on human commands, electronic, hydraulic, pneumatic and similar malfunctions can turn them into dangerous metal monsters for the people around them. In the anatomy of machine-related work accidents, unwanted or unpredictable behaviour caused by the failure of one or more parts of the machine's equipment has a crucial place.
2. The Scope & Purpose
This study explains the importance of applying the technical report ISO/TR 24119, Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts.
However regrettable work accidents are, there is no adequate compensation for the human damage they cause. The material losses from disrupted production and the penalties imposed are also a deterrent. The main emphasis of this study is that occupational health and safety should be treated as a discipline rather than an obligation.
3. Normative References
The following documents are referred to normatively, in whole or in part, and are indispensable for the application of this document.
ISO 12100:2010, Safety of machinery – General principles for design – Risk assessment and risk reduction
ISO 13849-1:2015, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
ISO 14119:2013, Safety of machinery – Interlocking devices associated with guards – Principles for design and selection
4. Terms & Definitions
For the purposes of this document, the terms and definitions given in ISO 12100, ISO 13849-1 and ISO 14119 and the following apply.
- SRP/CS: Safety-Related Parts of the Control System
- DC: Diagnostic Coverage
- MTTFd: Mean Time To Dangerous Failure
- PL: Performance Level
- OSSD: Output Signal Switching Device
- Fault Masking: unintended resetting of faults, or prevention of the detection of faults, in the SRP/CS by the operation of parts of the SRP/CS which do not have faults
- Series Connected Devices: devices with potential-free contacts (B1 to Bn) connected in series to one logic unit (K), which performs the diagnostics
5. The Assessment of the Safety Control System
The safety control system must be designed to meet the requirements of ISO 13849-1, so that:
- a fault in the hardware or software of the control system does not lead to a dangerous situation
- errors in the logic of the control system do not lead to a dangerous situation
These items are among the essential health and safety requirements for the design and construction of machinery in Annex I of the Machinery Directive 2006/42/EC.
The most critical point is that the safety control system is a chain of Input, Logic and Output, and the requirements must be met for all three parts.
The physical wiring of the category must be implemented in accordance with the performance level determined by an accurate risk assessment.
Figure 1. Category 4 Safety Control System Design
Figure 1 shows a dual-channel circuit design of Category 4 with high DC and MTTFd values. On the input side a dual-channel architecture is used; on the logic level a safety relay or safety PLC with dual processors, capable of detecting faults in itself and in its peripheral devices; and on the output side again a dual-channel architecture.
6. The Assessment of the Magnetic Safety Switches
A problem has proved to be critical when safety gate sensors operating on the magnetic-field principle are used.
If sensors and safety relays are used whose suitability for each other has not been tested by the manufacturer, the machine manufacturer must ensure that the peak current through the sensor does not cause premature wear. This concerns not only relay-based safety units but also the safety gate sensors themselves.
For the evaluation, the maximum peak current Is that is generated must be determined (see Formula 1) and compared with the permissible peak current Ismax of the safety sensor. All sensors in the series connection must be taken into account, so the lowest of all the permissible peak currents must be greater than or equal to the maximum switching current (see Formula 2).
Formula 1.
Formula 2.
Table 1. The parameters of the formulas
The problem of premature wear does not normally arise with mechanically operated sensors and sensors with OSSD outputs, since their wear is determined primarily by the average current and the thermal behaviour.
6.1. The Voltage Drop
An important issue with magnetic safety sensors whose dry contacts are connected in series is voltage drop. The drop depends on the line length, the cable cross-section, the current and parameters such as the resistivity of the conductor.
With series-connected safety sensors operating at 24 VDC, depending on the number of devices in series and the line length, a voltage as low as 14-15 VDC can be measured at the end of the chain, well below the permissible operating minimum of 19 VDC. This affects the operation of the sensors and causes malfunctions.
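As an added worked example (not part of the original article), the check a designer can run before wiring a long chain. It models the loop as copper conductor resistance only (contact and connector resistances ignored), assumes a 24 VDC supply and the 19 VDC minimum quoted above, and assumes that the chain cable carries the channel out and back, so the loop is twice the chain length. The currents, cable lengths and cross-sections are constructed values, not figures from the article or from any product data sheet.

```python
"""Added example: voltage drop on a chain of series-connected interlock contacts.
Not code from the article; supply, current and cable data are assumed values."""
COPPER_RESISTIVITY = 0.0172   # ohm*mm^2/m at 20 C, textbook value for copper
SUPPLY_VOLTAGE = 24.0         # Un in VDC (assumed nominal supply)
MIN_INPUT_VOLTAGE = 19.0      # permissible minimum at the logic unit input, figure from the text


def loop_resistance(segment_lengths_m, cross_section_mm2, resistivity=COPPER_RESISTIVITY):
    """Resistance of the complete loop: every segment between the cabinet and the devices
    carries the channel out and back, hence the factor 2 (modelling assumption)."""
    return sum(2.0 * resistivity * length / cross_section_mm2 for length in segment_lengths_m)


def input_voltage(segment_lengths_m, cross_section_mm2, current_a):
    """Voltage arriving at the logic unit input after the drop I*R along the loop."""
    return SUPPLY_VOLTAGE - current_a * loop_resistance(segment_lengths_m, cross_section_mm2)


def chain_is_within_limit(segment_lengths_m, cross_section_mm2, current_a):
    """True when the chain still delivers at least MIN_INPUT_VOLTAGE to the input."""
    return input_voltage(segment_lengths_m, cross_section_mm2, current_a) >= MIN_INPUT_VOLTAGE


def max_loop_length_m(cross_section_mm2, current_a):
    """Longest total chain (sum of all segment lengths) that keeps the input above the minimum."""
    budget = SUPPLY_VOLTAGE - MIN_INPUT_VOLTAGE
    return budget * cross_section_mm2 / (2.0 * COPPER_RESISTIVITY * current_a)


if __name__ == "__main__":
    # constructed cases: 0.25 mm^2 sensor cable and a 0.2 A loop current (both assumed)
    short_chain = [5.0, 5.0, 5.0]     # three gates close to the cabinet
    long_chain = [30.0] * 8           # eight gates spread over a large cell
    for name, chain in (("short chain", short_chain), ("long chain", long_chain)):
        print(name, round(input_voltage(chain, 0.25, 0.2), 2), "V",
              "OK" if chain_is_within_limit(chain, 0.25, 0.2) else "below minimum")
    print("maximum chain length:", round(max_loop_length_m(0.25, 0.2), 1), "m")
```

With these assumed values the three-gate chain keeps the input well above 19 V, while the eight-gate chain falls below it; the last function gives the chain length at which that happens, which is the number to compare against the planned cable routing.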
7. Fault Masking
A common approach in the design of safety circuits is to connect devices with potential-free contacts in series, e.g. several interlocking devices connected to a safety logic unit (safety relay) that performs the diagnostics for the safety function.
Even though in such applications a single fault will in most cases not lead to the loss of the safety function and will be detected, problems do occur in practice.
Because the contacts are connected in series, a fault in the wiring (such as a short circuit) or in a contact that the logic unit has detected can be masked by the operation of one of the other, non-faulty devices in the series connection. As a result, the machine can be operated while a single fault is present in the SRP/CS. This allows faults to accumulate and lead to an unsafe system, and ultimately to work accidents.
Fault masking occurs with sensors whose dry contacts are connected in series: non-contact magnetic safety sensors and electromechanical or electromagnetic safety gate switches for guard monitoring and guard locking.
In the technical report, the maximum diagnostic coverage (DCmax) that these sensors can achieve is limited because of the possibility of masking.
The case below shows an undetected fault in the safety circuit. A further fault can then defeat the protection of all the safety gates. Faults of this kind are described by the term "fault masking".
Figure 2. Fault masking sample case
Case 1: Three safety gates are connected in series to the safety relay. All gates are closed, the relay outputs are on and the machine can be operated.
Case 2: On the left-hand safety gate a short circuit occurs in the line to the N/C contact. At first the fault is not detected and the machine continues to operate.
Case 3: The left-hand safety gate is then opened, which the left switch signals to the relay on one channel only. In the plausibility comparison of the two channels the relay finds an inconsistency and goes into the fault state, i.e. once the gate is closed again the machine cannot be restarted.
Case 4: Now the right-hand gate is opened and, because the relay sees a plausible two-channel signal, it returns to normal operation. When all gates are closed the reset function can be activated and the machine can be operated again, with the fault still present.
7.1. ISO/TR 24119 Technical Report
Standards are inadequate for some cases or applications. The relevant committees therefore produce complementary technical reports to cover these gaps.
For interlocking devices the standard ISO 14119, Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, applies. It covers topics such as safety sensors for covers, gates and flaps, sensors for guard monitoring and guard locking devices, and it lists the requirements for preventing the defeat of safety devices by operators.
ISO/TR 24119, Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts, was produced alongside ISO 14119 as the technical report accompanying that standard, and it deals with a single topic: fault masking.
The technical report states the relevant normative references, presents the fault masking approach, sets the limits on the diagnostic coverage together with methods for recalculating it, and describes how fault masking arises.
When the DC value of series-connected devices is calculated, ISO/TR 24119 must be taken as the basis rather than ISO 13849-1 alone. In that calculation the number of operators and the number of gates are the most important parameters.
7.2. Direct Fault Masking
Figure 3. Direct Fault Masking
B1, B2 and B3: interlocking devices with potential-free contacts
K: logic unit
S: manual reset function, reset device
X1: first fault – short circuit to Un
X2: second fault – broken switch lever
Figure 3 illustrates a situation in which two movable guards operated in a certain sequence lead to fault masking.
3.1: All gates are closed, normal operation.
3.2: Gate B2 is opened; the safety relay stops the machine.
3.3: Gate B1 is opened while a short circuit is present in its channel 2. The safety relay does not allow the machine to run because the fault-free gate B2 is still open, so the discrepancy on B1 is never seen.
3.4: Gate B1 is closed while gate B2 is still open; the safety relay does not allow the machine to run.
3.5: All gates are closed; after the reset function the machine can be operated again.
3.6: Gate B1 is opened again after a second fault has occurred in the other channel. The fault is masked: the safety relay keeps the machine running without detecting anything.
7.3. Unintended Reset of the Fault
Figure 4. Unintended reset of the fault
B1, B2 and B3: interlocking devices with potential-free contacts
K: logic unit
S: manual reset function, reset device
X1: first fault – short circuit to Un
X2: second fault – broken switch lever
Figure 4 illustrates a situation in which a fault is initially detected in an interlocking device but is unintentionally reset by operating one of the other interlocking devices.
4.1: All gates are closed, normal operation.
4.2: Gate B1 is opened while a short circuit is present in its channel 2; the safety relay detects the discrepancy and does not allow the machine to run.
4.3: Gate B1 is closed; the safety relay still holds the detected signal difference as a fault.
4.4: Gate B2, which has no fault, is opened.
4.5: Gate B2 is closed and the reset function is activated.
4.6: The safety relay accepts the reset and allows the machine to be operated.
4.7: Gate B1 is opened again after a second fault has occurred in the other channel. The fault is masked and the machine keeps running because the safety relay cannot detect the error.
7.4. Diagnostics Coverage (DC)
Diagnostic coverage is the measure of the effectiveness of the diagnostics, expressed as a ratio: the ratio of the failure rate of the detected dangerous failures to the failure rate of all dangerous failures, given as a percentage.
DC therefore expresses the probability that dangerous hardware failures are detected, and for the SRP/CS it is used as an average value (DCavg).
Table 2. DC Comparison
7.4.1. The Simplified Method for the Determination of the Maximum Achievable DC
Table 3. ISO/TR 24119 maximum achievable DC (simplified methodology)
For series-connected interlocking devices, the table of maximum achievable DC values in ISO/TR 24119 supersedes the DC values given in ISO 13849-1. Wherever fault masking is possible, the table in ISO/TR 24119 must be used and the PL calculated on that basis.
7.5. Sample Cases for Fault Masking
7.5.1. Application Example 1
Figure 5. Integrated manufacturing system with numerous interlock movable guards with one operator
Assumptions:
- Sensors have two potential-free contacts (1 sensor, 2 N/C)
- When the movable guard is opened, the contacts open
- The contacts are connected to a logic unit (safety relay) that evaluates both channels
- The cabling is not protected against external damage
- Gate A is opened 10 times a day
- Gates B, C, D and F are opened 10 times a year
Assessment according to Table 3:
- Frequently used movable guards = 1 (no increase, since there is only one operator)
- Additional movable guards = 4 (no reduction, because there is no easily reachable gate)
According to Table 3 the DC value comes out as "low".
7.5.2. Application Example 2
Figure 6. Integrated manufacturing system with numerous operators
Assumptions:
- Sensors have two potential-free contacts (1 sensor, 2 N/C)
- When the movable guard is opened, the contacts open
- The contacts are connected to a logic unit (safety relay) that evaluates both channels
- The cabling is not protected against external damage
- Gate A is opened 10 times a day
- Gates C, D and F are opened 10 times a year
- More than one operator is required
Assessment according to Table 3:
- Frequently used movable guards = 2 (increased, because there is more than one operator)
- Additional movable guards = 3 (no reduction, because there is no easily reachable gate)
According to Table 3 the DC value comes out as "none", and the performance level is PL c.
Had fault masking been ignored, the performance level would have been PL d, assuming the category wiring of the machine in this example is appropriate. As a result of fault masking, however, the performance level is calculated as PL c.
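The drop from PL d to PL c in Example 2, and the PL d that Example 1 still reaches, as an added worked calculation. This is illustration code written for this article, not code from the standards or from Pilz. It does not reproduce Table 3 of ISO/TR 24119: the DC limit read from that table ("none", "low", "medium" or "high") is passed in as an input. The DC and MTTFd bands and the simplified Table 7 of ISO 13849-1:2015 are reproduced from the standard; the interlocks are assumed to form one Category 3 input subsystem, and the component DC and MTTFd values are invented for the example.

```python
"""Added example: how the ISO/TR 24119 DC limit changes the PL obtained with the simplified
procedure of ISO 13849-1. Not code from the article or the standards; component values assumed."""
DC_BANDS = ["none", "low", "medium", "high"]
MTTFD_BANDS = ["low", "medium", "high"]

# ISO 13849-1:2015 Table 7 (simplified procedure): (category, DCavg band) -> PL for
# MTTFd low / medium / high. None marks a combination the table does not cover.
SIMPLIFIED_PL = {
    ("B", "none"):   ("a", "b", None),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "d"),
    ("4", "high"):   (None, None, "e"),
}


def dc_band(dc):
    """ISO 13849-1 Table 5; dc is a fraction (0.99 means 99 %)."""
    return "high" if dc >= 0.99 else "medium" if dc >= 0.90 else "low" if dc >= 0.60 else "none"


def mttfd_band(years):
    """ISO 13849-1 Table 4; the MTTFd of a channel is capped at 100 years."""
    years = min(years, 100.0)
    if years < 3.0:
        raise ValueError("MTTFd below 3 years is not acceptable for an SRP/CS")
    return "high" if years >= 30.0 else "medium" if years >= 10.0 else "low"


def dc_avg(components):
    """ISO 13849-1 Annex E: DCavg = sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i).
    components is a list of (dc_fraction, mttfd_years) pairs."""
    return sum(dc / mttfd for dc, mttfd in components) / sum(1.0 / mttfd for _, mttfd in components)


def channel_mttfd(components):
    """Parts-count MTTFd of one channel: 1 / sum(1 / MTTFd_i)."""
    return 1.0 / sum(1.0 / mttfd for _, mttfd in components)


def performance_level(category, dc, mttfd):
    """PL from Table 7. Simplification used here: a Category 3 structure that is credited with
    DC 'none' is evaluated like a single channel without diagnostics (Category B/1 rows),
    which caps the result at PL c, the outcome the article reports for Example 2."""
    if category == "3" and dc == "high":
        dc = "medium"                      # Table 7 has no Category 3 / DC high column
    row = SIMPLIFIED_PL.get((category, dc))
    if row is None and dc == "none":
        row = SIMPLIFIED_PL[("1", "none") if mttfd == "high" else ("B", "none")]
    pl = row[MTTFD_BANDS.index(mttfd)] if row else None
    if pl is None:
        raise ValueError(f"category {category}, DC {dc}, MTTFd {mttfd} not covered by Table 7")
    return pl


def input_subsystem_pl(interlocks, dc_limit):
    """Cap the DCavg of the interlock subsystem at the limit read from ISO/TR 24119 Table 3,
    then look up the PL for a Category 3 structure."""
    own_band = dc_band(dc_avg(interlocks))
    effective = DC_BANDS[min(DC_BANDS.index(own_band), DC_BANDS.index(dc_limit))]
    return performance_level("3", effective, mttfd_band(channel_mttfd(interlocks)))


if __name__ == "__main__":
    # constructed subsystem: five interlocks, each DC 99 % (plausibility check), MTTFd 400 years
    interlocks = [(0.99, 400.0)] * 5
    print("fault masking ignored:      PL", input_subsystem_pl(interlocks, "high"))
    print("Table 3 gives 'low'  (Ex. 1): PL", input_subsystem_pl(interlocks, "low"))
    print("Table 3 gives 'none' (Ex. 2): PL", input_subsystem_pl(interlocks, "none"))
```

The point the calculation makes visible is that the component DC of 99 % that the data sheet promises is irrelevant once the series connection limits the achievable DC: the limit is applied before the Table 7 lookup, and with "none" the two-channel architecture earns no more than a single channel without diagnostics.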
8. Avoiding Fault Masking & Solutions
The following methods can be applied to avoid fault masking:
- Using additional contacts connected individually to the monitoring device, in accordance with a suitable diagnostic procedure
- Connecting the input signals of each interlocking device separately to the evaluation unit
- Using devices with OSSD outputs
- Using additional modules with a diagnostic function
Other equivalent methods may also be applied.
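The sequences of Figures 2 to 4 and the second measure in the list above, run as an added simulation. This is illustration code written for this article, not code from ISO/TR 24119 or from any manufacturer's product. The relay model is a simplifying assumption: a discrepancy between the two channels latches a fault, and a plausible "both channels open" state is treated as a valid stop that clears the latch, which is the behaviour that series connection turns into an unintended fault reset. Gate names B1 to B3 and the faults X1 (short circuit of channel 2 to Un) and X2 (broken switch lever on channel 1) follow the figures; the class and function names are this example's own.

```python
"""Added example (not from the article or any standard): simulation of fault masking on
series-connected two-channel interlocks. Relay behaviour and names are simplifying assumptions."""
from dataclasses import dataclass


@dataclass
class Interlock:
    """Guard interlock with two potential-free N/C contacts, one per channel."""
    name: str
    gate_open: bool = False
    ch2_short_to_un: bool = False    # X1: channel 2 wiring shorted to the supply Un
    ch1_lever_broken: bool = False   # X2: actuator broken, channel 1 contact cannot open

    def contact_closed(self, channel):
        if channel == 2 and self.ch2_short_to_un:
            return True              # the short keeps channel 2 energised whatever the gate does
        if channel == 1 and self.ch1_lever_broken:
            return True              # the broken lever leaves channel 1 permanently closed
        return not self.gate_open


class SafetyRelay:
    """Logic unit K: two-channel evaluation with discrepancy monitoring and manual reset S."""
    def __init__(self):
        self.fault, self.output_on, self.reset_required = False, False, True

    def evaluate(self, ch1, ch2):
        if ch1 != ch2:               # one channel open, the other still closed
            self.fault, self.output_on = True, False
        elif not ch1:                # both open: valid stop, which also clears the latch
            self.fault, self.output_on, self.reset_required = False, False, True
        elif self.fault or self.reset_required:
            self.output_on = False   # both closed, but release only via reset

    def reset(self, ch1, ch2):
        if ch1 and ch2 and not self.fault:   # reset accepted only without a latched fault
            self.reset_required, self.output_on = False, True
        return self.output_on


class Cell:
    """Guards B1..Bn wired in series on both channels to one relay K."""
    def __init__(self, names):
        self.devices = {n: Interlock(n) for n in names}
        self.relay = SafetyRelay()

    def channels(self):              # a channel is energised only if every contact is closed
        return tuple(all(d.contact_closed(ch) for d in self.devices.values()) for ch in (1, 2))

    def set_gate(self, name, opened):
        self.devices[name].gate_open = opened
        self.relay.evaluate(*self.channels())
        return self.relay.output_on

    def reset(self):
        return self.relay.reset(*self.channels())


def unintended_reset_scenario():
    """Figures 2 and 4: a detected fault is cleared by operating a healthy gate."""
    cell = Cell(["B1", "B2", "B3"])
    cell.reset()
    cell.devices["B1"].ch2_short_to_un = True        # X1 while all gates are closed
    cell.set_gate("B1", True)                        # ch1 opens, ch2 stays closed: discrepancy
    detected = cell.relay.fault
    cell.set_gate("B1", False)
    blocked = not cell.reset()                       # correct: no restart with a latched fault
    cell.set_gate("B3", True)                        # healthy gate opens both channels ...
    cleared = not cell.relay.fault                   # ... and the latched fault is gone
    cell.set_gate("B3", False)
    running_again = cell.reset()
    cell.devices["B1"].ch1_lever_broken = True       # X2 on the other channel of the same gate
    open_and_running = cell.set_gate("B1", True)     # gate open, machine still enabled
    return dict(detected=detected, blocked=blocked, cleared=cleared,
                running_again=running_again, open_and_running=open_and_running)


def direct_masking_scenario():
    """Figure 3: the first fault is never seen because another gate was already open."""
    cell = Cell(["B1", "B2", "B3"])
    cell.set_gate("B2", True)                        # B2 open: both channels already open
    cell.devices["B1"].ch2_short_to_un = True
    cell.set_gate("B1", True)                        # nothing changes for K
    detected = cell.relay.fault
    cell.set_gate("B1", False)
    cell.set_gate("B2", False)
    running_again = cell.reset()
    cell.devices["B1"].ch1_lever_broken = True
    open_and_running = cell.set_gate("B1", True)
    return dict(detected=detected, running_again=running_again, open_and_running=open_and_running)


def separate_wiring_scenario():
    """Section 8: each interlock on its own inputs, so no other gate can reset its fault."""
    cells = {n: Cell([n]) for n in ("B1", "B2", "B3")}
    cells["B1"].devices["B1"].ch2_short_to_un = True
    cells["B1"].set_gate("B1", True)                 # discrepancy latched on B1's own inputs
    cells["B1"].set_gate("B1", False)
    cells["B3"].set_gate("B3", True)                 # operating B3 touches only B3's inputs
    cells["B3"].set_gate("B3", False)
    enabled = all(c.reset() for c in cells.values())  # B1 still latched, machine stays off
    return dict(fault_still_latched=cells["B1"].relay.fault, machine_enabled=enabled)
```

In both series-connected scenarios the run ends with a gate open and the output still on, which is exactly the two-fault accumulation the text warns about; in the separately wired variant the latched fault on B1 survives the operation of B3 and the machine cannot be released until B1 is repaired.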
9. Conclusion
The requirements of the industrial revolution of our time make it necessary to develop the relationship between human and machine, and the laws and procedures created for it must improve continually. This development is a major factor in preventing unforeseen accidents and near misses before they happen.
Considering how widespread series connection of safety devices is, awareness of fault masking makes work accidents less likely. This study aims to create that awareness. To prevent fault masking in series-connected applications, the solutions listed in chapter 8 should be applied.
The growing awareness of machine safety in our country gives us more foresight and enables us to prevent unwanted situations.
References
[1] Pilz GmbH & Co. KG (2017), The Safety Compendium
[2] ISO (2015), Technical Report ISO/TR 24119, Safety of machinery – Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts
[3] Directive 2006/42/EC (2009), Machinery Directive
[4] EN ISO 12100 (2010), Safety of machinery – General principles for design – Risk assessment and risk reduction
[5] EN ISO 13849-1 (2015), Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design
[6] EN ISO 14119 (2013), Safety of machinery – Interlocking devices associated with guards – Principles for design and selection
Sales Team Leader at Pilz Turkey | Industrial Safety & Security Solutions | CESA | Machinery Safety Professional
3 years ago: Dear Santiago, I am glad to hear that.
Senior Environmental, Health and Safety Consultant at IPS Consulting Corp
3 years ago: Adem, thanks for sharing this document. Great document, very illustrative and practical.