Last edit: 26/07/2023
ISO/TR 24119 is a Technical Report published for the first time in November 2015 with the title "Safety of machinery — Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts".
Before this document was issued, it wasn't clear how many interlocks could be wired to one safety channel and how much was the Diagnostic Coverage of the Safety Subsystem (Input + Logic). When connecting several interlock to one safety channel a fault may be masked: the problem is therefore called Fault Masking.
This Technical Report explains what the problem is and, depending upon the number of interlocks, how they are connected (Loop or Star) and how often they are activated, it gives a method how to calculate the DC of the Subsystem.
The goals of this Technical Report are therefore the following:
— guidance for users for estimation of the maximum DC values;
— design guidance for SRP/CS.
N.B. Interlocking devices with integrated self-monitoring are not included in the scope of this Technical Report.
N.B. Limitation is also given by the diagnostic means implemented in the logic unit.
N.B. This Technical Report is not restricted to mechanical actuated position sensors.
Hereafter are some useful definitions contained in the standard:
3.1 Fault Masking. unintended resetting of faults or preventing the detection of faults in the SRP/CS by operation of parts of the SRP/CS which do not have faults.
3.2 Series Connected devices. devices with potential free contacts (B1 to Bn) are connected in series to one logic unit (K) which does the diagnostics
3.6 Star Cabling. cabling structure where every interlocking device is wired with a single cable to the electric cabinet or enclosure
3.8 Loop Cabling. cabling structure where a single cable from the electric cabinet is wired to the first interlocking device and from this interlocking devices to the next, and so on, until the last interlocking device while the signals return to the electric cabinet in a separate cable
In the picture above, there are two Interlocks in series. Two cases are considered:
Case 1 (No fault Masking):
- The Guard A is open in order to enter the dangerous area.
- Channel A is de-energised.
- Channel 2 remains energised due to a short circuit.
- The opening of the interlock causes the shut down of the machine + the safety unit detects a problem due to the different status of the two input channels.
- Due to the error detection, when guard A is closed, the reset funcion of the safety unit will not work: the Fault was detected, in other terms there was no fault masking.
Case 2 (Fault Masking):
- Guard B is open and then, Guard A is open.
- Both channels are de-energised.
- The Safety unit does not detect any fault.
- Guard B is then closed. Susequentially Guard A is closed.
- When the reset of the safety module is activated, the safety unit is reset and therefore the fault is masked. The fault stays in the system and anothe fault could compromise the safety function. That is the reason the Diagnisic Coverage is lower compared with the case each interlock is channeled directly to the safety unit.
Finally, here is an important observation contained in the standard:
6.1 Limitation of DC by effects of series connected devices. General
According to ISO 14119:2013, 8.6, with respect to serial wiring of contacts (without additional diagnostics), the effect of possible fault masking should be carefully taken into consideration.
Possible fault masking may lead to a fault accumulation, therefore, the maximum achievable DC should be estimated using one of the methods described in 6.2 and 6.3.
The maximum achievable PL is limited to PL d and the maximum DC is limited to medium.
NOTE The probability of occurrence of faults due to random and systematic failures cannot be fully known. Therefore, any degradation of the diagnostics function will result in an increased probability of dangerous failures. This is not acceptable for higher levels of risk therefore PL and DC is limited.