EN ISO 14119 and ISO/TR 24119 – Interlocks – Basics
TRANSCRIPT
ISO 14119 – interlocks
ISO/TR 24119 – fault masking
Update on interlocks, means to prevent defeat
Judging fault masking and avoidance strategies
David Collier, CMSE ®
Pilz Automation Technology, UK
Content
Introduction to ISO 14119
Fault masking
– How it occurs
– Quantifying its impact (based on ISO/TR 24119) on diagnostic coverage
and hence the achievable level of safety (Performance Level)
– How to overcome it
Different types of interlocking device (Types 1, 2, 3, 4)
Defeat (manipulation) of interlocks and measures to prevent it
Fault exclusions
– Note: throughout this short presentation there are hyperlinks to the Pilz
website where solutions can be found.
David Collier, Feb. 2016 ISO 14119 / TR 24119 basics
EN ISO 14119:2013-03
Scope
(Diagram: relationship between EN standards, EN (IEC) standards, EN ISO standards, IEC standards and ISO standards)
On 11 April 2014, the European Commission published EN ISO 14119:2013-03 in
the Official Journal as a harmonised standard for the Machinery Directive
2006/42/EC, as the successor to EN 1088:1995+A2:2008.
The transition period ended on 30 April 2015.
EN ISO 14119:2013-03
Main changes to the standard
The main changes concern the improved structure, which results from the
differentiation and definition of four types of interlocking device, with a
description of their technology and their advantages and disadvantages in the
Annexes:
– Definition and consideration of "defeat in a reasonably foreseeable manner"
– Inclusion of the measures necessary to minimise potential defeat, derived from
the risk estimation
– Consideration of new technologies and inclusion of the new informative
Annexes G, H and I
– Consideration given to fault masking on series-connected interlocks
A central new element is the detail on additional measures to protect
interlocking devices against defeat (manipulation), together with the topic of
fault masking, as described in the slides that follow.
Fault masking explained
8.6 Logical series connection of interlocking devices
Logical series connection of interlocking devices means for NC contacts wired in
series or for NO contacts wired in parallel. When interlocking devices with redundant
contacts are logically connected in series the detection of a single fault can be
masked by the actuation of any interlocking device logically connected in series with
the defective interlocking device to the safety related control system.
It is foreseeable that during the fault finding (troubleshooting) by the operator one of
the guards whose interlocking devices are logically connected in series with the
defective interlocking device will be actuated. In that case the fault will be masked
and the effect on the diagnostic coverage value shall be considered.
For a series connection the maximum DC* (see ISO 13849-1 or IEC 62061) should
be considered.
NOTE ISO/TR 24119 deals with the logical serial connection of devices
*DC = diagnostic coverage, ability to detect dangerous failures expressed as a
percentage
Series connected switches scenario
Fault masking
A single fault (for example a welded or short-circuited contact on one guard's interlock) can occur and prevent a reset; however, the opening and closing of another guard in the same series circuit can clear the detected discrepancy and allow a reset. The fault therefore stays undetected, and undetected faults accumulate.
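The scenario on this slide, as an added simulation that is not part of the original presentation and not Pilz code: guards A and B each have a 2 NC interlock, and channel 2 of guard A has failed closed (welded or shorted). The two-channel monitor model is a simplifying assumption based on typical two-channel safety relay behaviour: a discrepancy between the channels is latched as a fault until both channels have been open together, and a reset is only accepted with both channels closed and no fault latched. With the contacts in series, cycling guard B clears the fault and the reset is accepted; a second fault on A then lets A be opened with the output still on. With each guard on its own input pair (the zoning approach on the later slides), A's fault stays latched.

```python
"""Fault masking on logically series-connected two-channel interlocks
(EN ISO 14119 8.6), simulated. Added example, not from the original slides."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Guard:
    """A guard with a 2 NC interlock: one NC contact per channel."""
    name: str
    is_open: bool = False
    stuck_closed: Tuple[int, ...] = ()   # channels whose contact is welded/shorted closed

    def contact_closed(self, ch: int) -> bool:
        if ch in self.stuck_closed:
            return True                # dangerous failure: contact no longer follows the guard
        return not self.is_open        # healthy NC contact


class TwoChannelMonitor:
    """Two-channel input evaluation with discrepancy monitoring. Assumed model,
    based on typical two-channel safety relay behaviour: a discrepancy is
    latched as a fault until both channels have been open at the same time,
    and the output may only be reset while both channels are closed and no
    fault is latched."""

    def __init__(self) -> None:
        self.fault = False
        self.output_on = False

    def evaluate(self, ch1: bool, ch2: bool) -> None:
        if ch1 != ch2:
            self.fault = True          # discrepancy: one channel opened, the other did not
            self.output_on = False
        elif not ch1:
            self.fault = False         # both channels open: the relay sees a complete, valid cycle
            self.output_on = False
        # both closed: nothing changes until an explicit reset

    def reset(self, ch1: bool, ch2: bool) -> bool:
        self.evaluate(ch1, ch2)
        if ch1 and ch2 and not self.fault:
            self.output_on = True
        return self.output_on


def series_channels(guards: List[Guard]) -> Tuple[bool, bool]:
    """NC contacts wired in series: a channel is closed only if every guard's contact on it is closed."""
    return (all(g.contact_closed(1) for g in guards),
            all(g.contact_closed(2) for g in guards))


def series_scenario() -> Dict[str, bool]:
    """Guards A and B in series on one monitor; channel 2 of A is welded closed."""
    a, b = Guard("A", stuck_closed=(2,)), Guard("B")
    chain = [a, b]
    mon = TwoChannelMonitor()
    mon.reset(*series_channels(chain))                  # machine running

    a.is_open = True                                    # only channel 1 opens -> discrepancy
    mon.evaluate(*series_channels(chain))
    a.is_open = False
    reset_after_a = mon.reset(*series_channels(chain))  # refused: fault latched

    b.is_open = True                                    # troubleshooting: B is cycled
    mon.evaluate(*series_channels(chain))               # both channels open -> fault cleared
    b.is_open = False
    reset_after_b = mon.reset(*series_channels(chain))  # accepted: A's fault is now masked

    a.stuck_closed = (1, 2)                             # second, accumulated fault on A
    a.is_open = True
    mon.evaluate(*series_channels(chain))               # both channels stay closed

    return {
        "reset_refused_after_A_cycle": not reset_after_a,
        "reset_accepted_after_B_cycle": reset_after_b,
        "monitor_still_flags_fault": mon.fault,
        "guard_A_open_with_output_on": mon.output_on,   # loss of the safety function
    }


def individual_scenario() -> Dict[str, bool]:
    """Same guards and same fault, each guard on its own two-channel input (zoning)."""
    a, b = Guard("A", stuck_closed=(2,)), Guard("B")
    mon_a, mon_b = TwoChannelMonitor(), TwoChannelMonitor()
    mon_a.reset(*series_channels([a]))
    mon_b.reset(*series_channels([b]))

    a.is_open = True
    mon_a.evaluate(*series_channels([a]))               # discrepancy on A's own input
    a.is_open = False
    reset_a = mon_a.reset(*series_channels([a]))        # refused, and stays refused

    b.is_open = True                                    # cycling B touches only B's input
    mon_b.evaluate(*series_channels([b]))
    b.is_open = False
    reset_b = mon_b.reset(*series_channels([b]))

    return {"A_fault_latched": mon_a.fault, "A_reset_accepted": reset_a, "B_reset_accepted": reset_b}


if __name__ == "__main__":
    print("series:    ", series_scenario())
    print("individual:", individual_scenario())
```

The point the simulation makes is that redundancy alone still tolerates the first fault (opening A with one welded contact drops the output), but the diagnostic that should have kept the machine stopped until the contact was replaced is defeated by an ordinary guard cycle elsewhere in the chain, which is why ISO/TR 24119 reduces the claimable DC for series connections.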
EN ISO 13849 How Category, DC & MTTFd
relate to PL: Figure 5 of standard
To achieve PL d or PL e a safety function must have at least 60% DC (diagnostic
coverage), and this can be impacted by fault masking (see next slide).
To claim Category 2, 3 or 4 (to support PL c to PL e) it is necessary to have
60–99% diagnostic coverage (DC) as per EN ISO 13849-1 Figure 5, and fault
masking can effectively reduce it to zero, which can drop you out of PL d/e to
PL c or worse.
Are your interlocked guards as safe as you think?
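The Category / DCavg / MTTFd to PL relationship of EN ISO 13849-1 Figure 5 (Table 7 in the standard), with the class boundaries of its Tables 4 and 5, as an added example that is not from the original slides. The fallback to Category B when fault masking takes DCavg below 60% is an assumption made here for what can still be claimed once the detection a Category 3 structure relies on is lost; it reproduces the "PL e down to PL c" outcome stated on the slide.

```python
"""Performance Level (PL) from Category, DCavg and MTTFd, following the
simplified procedure of EN ISO 13849-1 Figure 5 / Table 7.
Added example, not from the original slides."""
from typing import Dict, Optional


def dc_class(dc_percent: float) -> str:
    """Denotation of diagnostic coverage, EN ISO 13849-1 Table 5."""
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


def mttfd_class(years: float) -> str:
    """Denotation of MTTFd of each channel, EN ISO 13849-1 Table 4."""
    if years < 3:
        raise ValueError("MTTFd below 3 years is outside the standard's range")
    if years < 10:
        return "low"
    if years < 30:
        return "medium"
    return "high"


# Figure 5 / Table 7: (category, DCavg class) -> PL for MTTFd (low, medium, high).
# None marks a combination the standard does not allow.
PL_TABLE = {
    ("B", "none"):   ("a", "b", "c"),
    ("1", "none"):   (None, None, "c"),
    ("2", "low"):    ("a", "b", "c"),
    ("2", "medium"): ("b", "c", "d"),
    ("3", "low"):    ("b", "c", "d"),
    ("3", "medium"): ("c", "d", "e"),
    ("4", "high"):   (None, None, "e"),
}
MTTFD_COLUMN = {"low": 0, "medium": 1, "high": 2}


def performance_level(category: str, dc_percent: float, mttfd_years: float) -> Optional[str]:
    """PL reachable with the stated category; None if the category's DC
    requirement is not met (e.g. Category 3 with DCavg below 60%)."""
    row = PL_TABLE.get((category, dc_class(dc_percent)))
    if row is None:
        return None
    return row[MTTFD_COLUMN[mttfd_class(mttfd_years)]]


def achievable_pl(category: str, dc_percent: float, mttfd_years: float) -> Optional[str]:
    """PL that can still be claimed once fault masking has reduced DCavg.
    Assumption made here: a structure whose faults are no longer detected is
    assessed as Category B (no diagnostics) for the purpose of the table."""
    pl = performance_level(category, dc_percent, mttfd_years)
    if pl is None:
        pl = performance_level("B", 0, mttfd_years)
    return pl


def worked_example() -> Dict[str, Optional[str]]:
    """Category 3 series-connected 2 NC guards, MTTFd 50 years per channel:
    as designed (DCavg 90%), after masking (DCavg 0), and with DCavg 60%."""
    return {
        "design_intent": performance_level("3", 90, 50),   # 'e'
        "after_masking": achievable_pl("3", 0, 50),         # 'c'
        "with_dc_60": performance_level("3", 60, 50),       # 'd'
    }


if __name__ == "__main__":
    print(worked_example())
```

Plugging a series chain into this lookup with the DCavg that ISO/TR 24119 actually permits for the chain (rather than the 90% or 99% the individual switches would support) is the check that answers the slide's question.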
ISO/TR 24119 now published
This "simplified method" table appears in the published ISO/TR 24119 and shows a simple way of identifying the impact upon diagnostic coverage from series connection of guards, based upon frequency of actuation and quantity of devices. (The table is shown as an image on the original slide.)
A cure for fault masking
Interlocks with integrated fault detection
If a series of interlinked switches is required to meet PL e, using switches with
integrated fault detection can overcome fault masking.
Only switches with internal diagnostics and an OSSD (Output Signal Switching
Device) output, a solid state type as commonly found on RFID based switches,
are unaffected by fault masking.
See Pilz PSENcs range of devices: PSEN cs webpage
Types of device with RFID coding and OSSD
outputs
PSEN cs webpage : Coded RFID, non-contact guard
position monitoring switches
PSENslock webpage: Process solenoid locks with built in
RFID guard position monitoring
PSENsgate webpage: Safe solenoid unlocking, command to
release, E-stop, escape from inside the hazard area, and
RFID monitoring gate access systems
PSENini webpage: Inductive safety sensors for safe position
monitoring e.g. robot home position
Other means to prevent fault masking
Zoning
Individually wire guards, or zone them as below using the Pilz PDP20, which
has test-pulsed outputs (OSSDs).
Each PDP20 can take 3 × 2 NC guards and be linked safely to other PDP20
modules using test pulses (or 4 × 2 NC if used standalone).
Can be used in conjunction with all PNOZ and PSS systems.
Other means to prevent fault masking
Zoning and addressing
Decentralise safety input circuits using on-machine, addressable distributed
I/O such as PDP67 modules as part of the PNOZmulti.
– Passive PDP67 (so called PDP67 4 F code): for use with coded 8-pin RFID
devices only; generally used with PNOZ safety relays
– Active PDP67 (so called PSP67 F 8 DI ION): for use with ANY safety input
device (contact-based or solid state); 5-pin, addressable, on PNOZmulti
systems only
Other means to prevent fault masking
Zoning and addressing
Decentralise safety input circuits using IP20 remote I/O such as that found in
the PSS 4000 system, distributed using SafetyNETp.
EN ISO 14119:2013-03
Types of interlocking device
Table 1 provides an overview of the interlocking types with a cross-
reference to the examples in the standard's Annex.
Defeating safeguards
Defeat (manipulation)
Why does an examination of this issue need to be included in future?
Extract from BGIA report:
– 37% of safeguards are manipulated constantly or occasionally
(chart: 37% manipulation, 63% OK)
– 25% of all accidents when operating machinery can be attributed to
manipulations (chart: 25% manipulation, 75% other accidents)
Source: BGIA Report - Manipulation of safeguards on machinery
EN ISO 14119 stipulates that "The machine shall be designed in such a way that it minimizes the
motivation for defeating the interlocking devices" and goes on to stipulate "The interlocking device
shall provide the minimum possible interference with activities during operation and other phases of
machine life, in order to reduce any incentive to defeat it."
EN ISO 14119:2013-03
Defeat (manipulation)
1. The machine must be designed so that the motivation for defeating the
interlocking devices is minimised.
2. With this in mind, the following procedure is described in Section 7.
3. Annex H describes how the documentation can be prepared
EN ISO 14119:2013-03
Defeat (manipulation)
7.1a) Use of basic measures
– Fastening is adequate
– Forced opening leads to a reaction (e.g. temporal restart interlock)
– The device must be able to withstand the expected forces
– Dynamic effects, such as bounce, must be considered
Note! Type 3 interlocking devices may not be used
EN ISO 14119:2013-03
Defeat (manipulation)
7.1b) Check whether there is any motivation to defeat in a reasonably
foreseeable manner under the various modes of operation, and document it
EN ISO 14119:2013-03
Defeat (manipulation)
7.1c) Check the extent to which the motivation can be eliminated or minimised:
– Design measures; and/or
– Alternative operating modes
Note! The motivation to defeat can be avoided by implementing alternative
operating modes
EN ISO 14119:2013-03
Measures against manipulation
7.1d) If the possibility of defeat cannot be excluded through modified or
additional operating modes, only one element remains for the design engineer:
to make it more difficult or impossible to defeat the interlocking device.
Additional measures are required if defeat in a reasonably foreseeable manner
remains:
1. Prevent accessibility to the elements of the interlocking device by
– Installing them out of reach
– Using barriers or screens
– Installing them in a concealed position
2. Prevent substitute actuation of the interlocking device by means of objects
that are readily available, using a coded actuator with:
– Low coding level (additional manipulation protective measures required)
– Medium coding level (additional manipulation protective measures required)
– High coding level (no further measures)
Coding level (Low / Medium / High) per Pilz device. In the original table an X
marks each device's level; the column placement did not survive extraction,
and the example slide that follows confirms that only the unique variants are
at high coding level:
PSEN mech – X
PSENmag – X
PSEN hinge – X
PSEN cs (coded) – X
PSEN cs (unique) – X (high)
PSEN sl/sg (coded) – X
PSEN sl/sg (unique) – X (high)
Additional measures against manipulation
EN ISO 14119:2013-03
Measures against manipulation
3. Prevent dismantling or displacement of the actuator by using caps or
permanent fastenings (e.g. welding, sticking, one-way screws, rivets). Pilz
supplies caps with switches, and M4 and M5 screws are available separately.
4. Prevent defeat by integrating monitoring of defeat within the control
system:
a) Status monitoring
b) Periodic tests
Additional measures against manipulation
EN ISO 14119:2013-03
Measures against manipulation
EN ISO 14119:2013-03
Measures against manipulation
Example: all you need if you use a uniquely coded PSENcs device (such as PSENcs 2.2 / 4.2 / 6.2) is to use permanent fixings on the actuator. If you do not use uniquely coded devices (e.g. you use a coded device like PSEN cs 1.1 / 3.1 / 5.1 / 5.11 or a fully coded PSEN cs 2.1 / 4.1 / 6.1), then one of the other additional measures "X" must be used.
The use of fault exclusions and how to achieve PL e interlocking / guard locking
The use of fault exclusions has long been covered in EN 62061 (max SIL 2),
ISO/TR 23849 (PL d) and now also in EN ISO 13849-2 (Annex D.8: a single
mechanical point of failure (the tongue or cam) cannot be fault excluded for
PL e).
This limitation to PL d for fault exclusions appears in EN ISO 14119.
Fault exclusion on the tongue can be made using PSEN bolt with PSEN mech 1.
To achieve PL e, especially for guard locking, the use of at least two devices
is necessary unless the user uses a PL e certified guard locking interlock
device (the manufacturer states the maximum extraction force, the interlocking
is done electronically via RFID in the tongue, and the solenoid is bistable:
pulse to lock, pulse to unlock).
See PSEN sgate today, and in the future PSEN mlock.
To learn more...
In the UK:
North:
Paul Fasey & Alex Bryce
South:
Dave Burton & Paul Simons
East:
David Collier & Scott Booth
West:
Dave Bromme & Jamie Thomas
Main office: 01536 460766
Elsewhere in the world:
Visit www.pilz.com to establish a Pilz
subsidiary contact
Please contact your local Pilz representative
Keep up-to-date on Pilz
www.pilz.co.uk
David Collier, CMSE ®
Pilz Automation Technology
Little Colliers Field, Corby, Northants, NN18 8TJ, UK
Telephone: +44 1536 460766
Mobile: 07969 688783
[email protected], www.pilz.co.uk