Fault Exclusion and Interlocking Devices

Last edit: 22/08/2023

Fault Exclusion applied to Interlocking Devices

A loss of a safety function in the absence of a hardware fault is due either to a systematic failure or to a Common Cause Failure. The latter is discussed in §3.6, while the former can be caused by errors made during the design or the integration stages. Some of these systematic failures will be revealed during the design process, while others will be revealed during the validation of the safety system.

Regarding hardware faults, considerations on fault exclusion arise when discussing the need for redundancy. In machinery, a very common sensor is an Interlocking Device with a guard locking mechanism.

Figures 4.14 {4.11.2.1.1} and 4.15 {4.11.2.1.2} show an example and a graphical representation of an interlocking device with its key elements:

  1. The Actuator: in the picture it is of the “tongue” type. According to ISO 14119 [30], that makes it a Type 2, low coded, interlocking device.
  2. The Actuating Head
  3. Interlocking Plunger
  4. Guard Locking Solenoid. It blocks the actuator so that the door cannot be opened until, for example, all dangerous movements inside the safeguarded area have been stopped.
  5. Interlocking Monitoring Contact. It is a normally closed contact in the sense that when the door is closed, the contact is closed and therefore the input circuit is energised.
  6. Guard Locking Monitoring Contact. It gives the status of the locking mechanism: usually, if the door is locked, the contact is closed.
  7. Housing.

If complete redundancy has to be achieved on the input subsystem (the access door), two interlocking devices have to be installed on that specific door by the machinery manufacturer. That is rarely done. What normally happens is that the component manufacturer works on its interlocking device, trying to increase the redundancy inside the component itself.

The first thing that manufacturers do is to provide two voltage-free contacts for the Interlocking Monitoring. They may even provide two contacts for the Guard Locking Monitoring. What they would never do is fit two guard locking solenoids: in this case the manufacturer makes some fault considerations and arrives at the conclusion that a fault exclusion can be applied to the solenoid.

In general, certain hardware faults may be excluded: if an element clearly has a very low probability of failure by virtue of properties inherent to its design and construction, then normally it would not be considered necessary to constrain, on the basis of the hardware fault tolerance, the safety integrity of any safety function that uses that element.

In other words, it is not always possible to evaluate subsystems without assuming that certain faults are excluded. Fault exclusion is a compromise between technical safety requirements and the possibility of the occurrence of a fault.

Fault exclusion can be based upon:

  • the technical improbability of occurrence of some faults,
  • generally accepted technical experience, independent of the considered application, and
  • technical requirements related to the application and the specific hazard.


Fault Exclusion on pre-defined subsystems

In general, Fault Exclusions made by the component manufacturer are defined as made on “pre-defined” or “pre-designed” subsystems. The user may buy a Type 4 interlocking device, declared PL e, for which the manufacturer has applied fault exclusions on some part of the component. In a certain sense, that is “transparent” for the user: the limitations applicable to a Safety Function when Fault Exclusions are made do not apply when the fault exclusion is made by the manufacturer of one of the components of the safety system.

[ISO 14119] 9.2.2  Fault exclusion

9.2.2.1  General. […] In case of a fault exclusion for interlocking functions intended to reach PL e or SIL 3, the interlocking device shall exhibit a dual channel structure or a category 4 behaviour to the majority of its architecture. Individual parts in the architecture of an interlocking device may be of single channel structure. If it can be proven that the single channel part cannot fail before other dual channel parts, e.g. through over dimensioning, a fault exclusion is permissible and will not limit the PL or SIL.

Fault Exclusion made by the machinery manufacturer

The situation is different when the machinery manufacturer uses a Type 2 interlocking device, shown in Figure 4.14 {4.11.2.1.1}, and applies a fault exclusion on the Actuator. In that case, PL e or SIL 3 cannot be claimed for that Safety Function.

[IEC 62061] 7.3.3 Fault consideration and fault exclusion

7.3.3.3 Fault exclusion […] LIMITATION: For some applications, it is not expected that all failures can be excluded with sufficient confidence for SIL 3. The following non exhaustive list provides an indication of (non-predesigned) subsystems with a hardware fault tolerance of zero and where fault exclusions have been applied to faults that could lead to a dangerous failure where a maximum of SIL 2 can be appropriate, provided that sufficient justification is given:

  • position switch with mechanical aspects with HFT of 0;
  • leakage of a fluid power valve (where leakage is dangerous failure).

NOTE This limitation does not apply to pre-designed subsystems used within their specification.

Similarly, the following is stated in ISO 13849-2 [14] Table D.8:

[ISO 13849-2] D.2.4 Fault exclusions and integrated circuits

Table D.8 […] For PL e, a fault exclusion for mechanical (e.g. the mechanical link between an actuator and a contact element) and electrical aspects is not allowed. In this case redundancy is necessary. For emergency stop devices in accordance with IEC 60947-5-5, a fault exclusion for mechanical aspects is allowed if a maximum number of operations is considered.


Please also refer to the following considerations in ISO 14119 [30] on whether a machinery manufacturer may apply a fault exclusion on interlocking devices.

[ISO 14119] 9.2.2  Fault exclusion

9.2.2.3  Mechanical fault exclusions for type 2 interlocking devices without guard locking. For type 2 interlocking devices, the following faults of their mechanical parts can be excluded. Damage (breaking) and wearing of the actuator and the actuating system due to misalignment, only if additional mechanical alignment elements prevent the actuation of the position switch outside the limits of misalignment specified by the manufacturer. The additional mechanical alignment elements shall be designed and constructed so as to be effective when subjected to a load equal to 2 times the maximum force expected during the operation of the guard for the intended lifetime (mission time) of the interlocking device.


In essence, if you are a machinery manufacturer and decide, for good reasons, that you can apply a fault exclusion to the Actuator of a Type 2 interlocking device, you need to implement certain solutions to prevent its damage, as described in ISO 14119, and the maximum reliability level you can reach is PL d or SIL 2. However, if your considerations are not sustainable (for example, the actuator does not have a correct “invitation” towards the Actuating Head), that safety function can only reach PL c or SIL 1.

[ISO 14119] 9.2.2  Fault exclusion

9.2.2.3  Mechanical fault exclusions for type 2 interlocking devices without guard locking […] Where not all mechanical faults can be excluded, an interlocking system applying type 2 interlocking devices and requiring at least PL d in accordance with ISO 13849-1: 2021 or SIL 2 in accordance with IEC 62061:2021 shall be implemented by the integration of an additional interlocking device of any of the types 1 to 4. Application of diversity is recommended.


Bottom line: fault exclusion is only applicable to certain faults of an element, and it is up to the designer (manufacturer or integrator) to prove the exclusion of the respective faults, based on the limits set out by its design and use. Such fault exclusions are only possible provided that the technical improbability of their occurrence can be justified on the basis of the known laws of physical science. Any such fault exclusion shall be justified and documented, and the justification must hold under all expected industrial environments, including temperature, pressure, vibration, pollution, corrosive atmosphere, etc.

A fault exclusion can only be applied to the entire subsystem when all dangerous failures of the subsystem can be excluded. Please consider that the component manufacturer can apply a fault exclusion during the component reliability assessment. Useful information on fault exclusions is available in ISO 13849-2:2012, Annex A to D.

Types of guard locking mechanism

Before we leave the subject, it is important to clarify a few more aspects.

There are two reasons to choose a guard interlock with guard locking:

  • Either to protect people: for example, inside a safeguarded area there are dangerous movements having inertia, and the door is unlocked only when all movements have stopped.
  • Or for manufacturing or process reasons.

There are four possible ways to lock a door (guard lock) [75]:

  1. Spring applied – Power-ON released. It is also called “mechanical guard locking”. It means that the guard locking device is moved to the “locked” position by a spring on the removal of power. It is a closed-circuit current principle, in relation to the locking function. When power is provided, the device is unlocked. In case of a blackout, the door remains locked.
  2. Power-ON applied – Spring released. It operates in the opposite manner and is called “electrical guard locking”. It is an open-circuit current principle. In order to keep the door locked, power must be present all the time. In case of a blackout, the spring is released, the door unlocks and it can be opened.
  3. Power-ON applied – Power-ON released. It is a principle that does not change position on the removal of power. It is also called the bistable principle. Power must be applied to change it to the other state. As the removal of the power does not change the position of the guard locking device, this principle is considered a closed-circuit current principle. In case of a blackout, the door lock stays in its last position.
  4. Power-ON applied – Power-OFF released. It corresponds to an open-circuit current principle, as the guard locking device opens on the removal of the power. It has the same behaviour as the second case, but in this one there is no spring. The door is kept closed thanks to an electromagnet. In case of a blackout, the magnet is de-energised, the door unlocks and it can be opened.

Which guard locking principle should be selected? If the lock is for production reasons, all four are suitable; the second and the fourth are probably more “flexible”. For machinery protection, the design engineer is completely free to decide which type of guard locking is selected, since it does not represent a safety function.

If the guard locking is for personnel protection, solutions 1 and 3 are the ones recommended.

What are the safety signals in an interlocking device with guard lock?

The component has the following inputs and outputs:

  • One input signal: the one that locks the interlocking device by acting on the Guard Locking Solenoid. If the locking is chosen for the protection of people, the signal shall come from a safety system; if it is for process reasons, it can come from a non-safety system.
  • Two output signals: the Interlocking Monitoring Contacts. They should always be routed to a safety system.
  • One or two output signals from the Guard Locking Monitoring Contact. If the locking is for process reasons, the status can be managed by a general-purpose PLC; otherwise it must be managed by a safety system.

What safety functions are associated to a Guard Interlock?

A Guard Interlock can be used on a door that gives access to a safeguarded space (§4.3.3). When the interlocking device is activated, all dangerous movements inside the area must be stopped. There are actually two safety functions to be analysed with a Risk Assessment:

  • The Safety related Stop function, when the door is opened.
  • The Prevention of unintended start-up while the door remains open.

The two functions may require, in principle, different Performance or SIL levels.

Between the two, the latter is probably the more important. If there is a dangerous movement inside the area, it is normally visible; therefore, if it is not stopped when the door is opened, the operator has a good chance to see it and to protect himself. A more dangerous situation is when the movement is stopped, the operator is working on the dangerous part, and it suddenly restarts: in this case the person may not have enough time to reach a safe position.

The guard lock also has two safety functions to be analysed, in terms of the required Performance or SIL level:

  • The release of the guard locking device: in other terms, when the door can be unlocked.
  • The Safety related Stop function when releasing the guard locking device: in other terms, what has to be stopped inside the safeguarded space when the door unlocks (but still stays closed).
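As an added example (not part of the original text, and not the logic of any manufacturer's device), the following Python model encodes the four safety functions described in this and the preceding section, together with the signal set listed under "What are the safety signals": two-channel evaluation of the Interlocking Monitoring Contacts with a latched discrepancy fault, release of the guard lock only at standstill, the safety-related stop when the door opens or unlocks, and prevention of unintended start-up by a latched enable that requires a manual reset. The signal names, the three-cycle discrepancy limit, the spring-applied (Power-ON released) solenoid and the manual-reset requirement are assumptions made for the example; a real implementation runs in a safety PLC and is validated against ISO 13849-1 or IEC 62061.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Inputs:
    """Inputs of one scan cycle (names are constructed for this example)."""
    door_closed_ch1: bool    # Interlocking Monitoring Contact, channel 1 (True = closed = door closed)
    door_closed_ch2: bool    # Interlocking Monitoring Contact, channel 2
    lock_engaged: bool       # Guard Locking Monitoring Contact (True = door locked)
    movements_stopped: bool  # standstill feedback from the drives inside the safeguarded space
    unlock_request: bool     # operator asks to unlock the door
    reset: bool              # manual restart acknowledgement; only its rising edge is evaluated


@dataclass(frozen=True)
class Outputs:
    motion_enabled: bool  # hazardous movements are allowed to run
    release_lock: bool    # energise the solenoid to unlock (assumed spring-applied, Power-ON released)
    fault: bool           # discrepancy between the two monitoring channels, latched


class GuardInterlock:
    """Scan-cycle logic for one access door with an interlocking device and guard locking."""

    def __init__(self, discrepancy_limit: int = 3) -> None:
        self.discrepancy_limit = discrepancy_limit  # assumed: cycles the channels may disagree
        self._discrepancy = 0
        self._prev_reset = False
        self.fault = False
        self.motion_enabled = False  # latched enable: only a reset may set it

    def scan(self, i: Inputs) -> Outputs:
        # 1. Two-channel monitoring: both Interlocking Monitoring Contacts must agree.
        #    A persistent disagreement means a contact or its wiring has failed.
        if i.door_closed_ch1 != i.door_closed_ch2:
            self._discrepancy += 1
            if self._discrepancy > self.discrepancy_limit:
                self.fault = True  # stays latched; clearing it needs repair and a diagnosed restart
        else:
            self._discrepancy = 0
        door_closed = i.door_closed_ch1 and i.door_closed_ch2 and not self.fault

        # 2. Release of the guard locking device: only once everything inside is at standstill.
        #    The fault does not block the release, so nobody is trapped by a sensor defect.
        release_lock = i.unlock_request and i.movements_stopped

        # 3. Safety-related stop: the door opening, the lock reporting "released" while the
        #    door is still closed, a commanded release, or a latched fault all drop the enable.
        if not door_closed or not i.lock_engaged or release_lock:
            self.motion_enabled = False

        # 4. Prevention of unintended start-up: closing and locking the door again restarts
        #    nothing; the enable returns only on a rising edge of the manual reset.
        rising_reset = i.reset and not self._prev_reset
        self._prev_reset = i.reset
        if rising_reset and door_closed and i.lock_engaged and not release_lock:
            self.motion_enabled = True

        return Outputs(self.motion_enabled, release_lock, self.fault)


def door(closed: bool = True, locked: bool = True, stopped: bool = False,
         unlock: bool = False, reset: bool = False, ch2: Optional[bool] = None) -> Inputs:
    """Build one scan of inputs; channel 2 defaults to agreeing with channel 1."""
    return Inputs(closed, closed if ch2 is None else ch2, locked, stopped, unlock, reset)


def run_scenario(steps: List[Inputs], discrepancy_limit: int = 3) -> List[Outputs]:
    """Run a fresh interlock over a sequence of scans and return the output trace."""
    logic = GuardInterlock(discrepancy_limit)
    return [logic.scan(s) for s in steps]


# Constructed sequence: a normal access cycle through the door.
ACCESS_CYCLE = [
    door(reset=True),                                # 0 closed and locked, reset -> enabled
    door(),                                          # 1 running
    door(unlock=True),                               # 2 unlock asked while still moving -> refused
    door(unlock=True, stopped=True),                 # 3 standstill reached -> released, stopped
    door(locked=False, stopped=True),                # 4 lock reports released, door still closed
    door(closed=False, locked=False, stopped=True),  # 5 door open
    door(stopped=True),                              # 6 closed and locked again -> no automatic restart
    door(stopped=True, reset=True),                  # 7 manual reset -> enabled again
]

# Constructed sequence: channel 2 stuck "open" while channel 1 still reports "closed".
CHANNEL_DISCREPANCY = [door(reset=True)] + [door(ch2=False)] * 4 + [door(reset=True)]


if __name__ == "__main__":
    for n, out in enumerate(run_scenario(ACCESS_CYCLE)):
        print(n, out)
    print("discrepancy:", run_scenario(CHANNEL_DISCREPANCY)[-1])
```

Running the file prints the output trace of both constructed sequences. In the access cycle, scan 2 shows the unlock request being refused while the drives are still moving, scan 3 shows the stop being applied as soon as the release is commanded even though the door is still closed, and scan 6 shows that closing and locking the door again does not restart the movement: the restart needs the explicit reset of scan 7. In the discrepancy sequence the fault is latched on the fourth disagreeing scan and a later reset no longer re-enables motion.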