Functional safety

Thomas Kramer-Wolf | Günter Herkommer

Door locking, operating mode selection, analog signals - the implementation

A large number of common safety functions are regularly implemented inadequately. One reason for this is that those responsible often do not know how to implement them with reasonable effort. Below are pragmatic solutions for three of the most common variants.

© Image: Computer&AUTOMATION, Source: Wieland Electric

Safe guard locking, operating mode selector switches and the evaluation of analog signals: all these safety functions have one thing in common. The current standards contain little information on how to implement them safely, and dedicated safety products usually seem too expensive for many applications. Although this does not relieve the developer of responsibility, the external pressure often leads to the use of untested or unsuitable solutions.

The door lock

Special products have long been available for guard locking devices on safety doors, usually with a safety level of up to PL e. However, PL d can also be achieved with commercially available spring-loaded locking devices. Annex G.3.2 of EN ISO 14119:2014 explains how this can be done.

First, the nature of a solenoid interlock should be considered: virtually all systems available on the market dispense with a multi-channel mechanical design, meaning that ultimately only one bolt ever keeps the door locked. This one bolt and its actuation are therefore always the bottleneck for the safety technology. A category 3 or category 4 implementation can consequently only be achieved by means of fault exclusions on this one mechanical element. This applies to the special products rated by their manufacturer as well as to guard locking devices rated by the machine manufacturer himself.


Figure 1: Example of a spring-loaded guard locking: (1) switching tongue, (2) locking bolt, (3) cam.

© Image: Computer&AUTOMATION, Source: Wieland Electric

The switch tongue (see (1) in Fig. 1) is normally attached to the door itself. When the door is closed, this tongue moves into the switch attached to the frame and actuates a cam (3). The cam can then be prevented from releasing by means of a locking bolt (2). The locking bolt itself is usually held in the locked position by a spring and is unlocked by an electromagnet when required. If the tongue, cam or bolt is defective, this can lead to unwanted unlocking and safety would no longer be guaranteed. All of these elements must therefore be considered. Although the position monitoring for the bolt, which is usually present as well, plays a role in detecting a possible fault, it can no longer initiate a fault reaction once the fault has occurred: the motivation for guard locking is, after all, that the hazard cannot be ended in good time once the door is opened.

So what needs to be done? According to EN ISO 13849-2 and EN ISO 14119, justified fault exclusions are possible and should also be used here. Let's start with the bolt and the cam: these are installed in the guard locking device itself, and the machine manufacturer has no influence on their correct function. He must be able to assume that the bolt and cam are sufficiently dimensioned for the intended use and cannot break. Therefore, if the machine manufacturer ensures the intended use, the fault can be excluded in combination with a suitable assurance from the manufacturer of the guard locking device. The situation is similar with the spring: here, too, the manufacturer's preliminary work is required. If the manufacturer can guarantee that it is a well-tried spring as defined in EN ISO 13849-2, spring breakage can likewise be excluded for the intended use. As the switch tongue itself can also break if it is not used correctly, correct installation is of fundamental importance. If this is guaranteed, the fault can be excluded by the machine builder.

Figure 2: Block diagram and circuit diagram of a door locking device.

© Wieland Electric

All the mechanical parts have now been considered. However, there is one more aspect to consider: the electrical unlocking by means of an electromagnet. Unintentional activation could lead to a loss of safety. This can be prevented by meeting two requirements. Firstly, the electromagnet must be actuated at least in the same PL as the desired PL of the guard locking. This is easily implemented using a safety controller or a safety relay. However, as the solenoid is only a single element, it must now either be switched on both poles, i.e. both the earth and the 24 V side, or, here too, a fault exclusion must be provided by protected routing or by wiring with a shielded cable whose shield is connected to earth. All in all, these are fault exclusions in all parts of the guard locking, so that at first glance even PL e seems conceivable. However, EN ISO 13849-1 only permits a maximum of PL d in this case.

The corresponding block diagram (see Figure 2) then only contains the guard locking itself with a complete fault exclusion and a limitation to PL d. For PL c or PL d applications in particular, the approach described offers a cost-effective alternative to manufacturer-qualified products.

Selecting the operating mode

There are also ready-made safety-rated products for selecting the operating mode. Many people are unaware that a conventional multi-position key switch can be used up to PL e. The only problem is usually the safety assessment.

Figure 3: Evaluation of a 1ooN operating mode selector switch in the safety program.

© Wieland Electric

Key-operated switches are usually available as multi-position switches with three or more switching positions. In order to meet the requirements of the standard, a number of conditions must be fulfilled. Firstly, the switch must be lockable in every switching position. Secondly, the selected operating mode must be clearly recognizable. As with all switches where human interaction matters, an important fault exclusion must also be implemented here: it must be mechanically ensured that the electrically selected operating mode and the displayed operating mode match. This should be done on the basis of mechanical considerations (e.g. positive locking). Once this has been done, the only remaining question is how to model the safety function. A 1-out-of-N circuit is common for such switches (see Figure 3).

The 1-out-of-N circuit does not correspond to any of the categories described in EN ISO 13849-1. However, if this structure is evaluated using the formal criteria of 'single-fault safety' and 'fault accumulation', it can be concluded that category 3 can be achieved without difficulty. What is required for this? All available switching positions (not just those used) must be evaluated in a safety module. This module performs a single check: it monitors that exactly one of the outputs is always active. If the number of active outputs is detected to be anything other than 1, the safe state is initiated. The easiest way to do this is via a separate safety function. In this way, there is no need to consider the operating mode switchover in a large number of other safety functions.

EN ISO 13849-1 answers the question of the achievable category in the requirements for Cat. 3: "Each individual fault is detected at the latest when it is requested and does not lead to a loss of safety" and "Accumulation of faults can lead to a loss of safety". Since this is the case, a Cat. 3 is the obvious choice. The diagnostic coverage (DC) of this circuit can be answered via EN ISO 13849-1 Annex E. "Cross-comparison of input signals with dynamic test when short circuits cannot be detected (for multiple inputs/outputs)" leads to a DC of 90 %. This means that a PL e can be achieved with a simple key switch.
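The 1ooN check described above, modelled in Python as an added example (not code from the article or from Wieland Electric). The four-position mapping, the unused position 3 and the sample cycles are constructed; acknowledgement/reset handling after a fault is omitted.

```python
from typing import Optional, Sequence, Tuple

# Constructed mapping of all four switch positions to operating modes.
# Position 3 is wired and evaluated but not used by the machine.
POSITION_TO_MODE = {0: "automatic", 1: "setup", 2: "manual", 3: None}


def evaluate_1ooN(inputs: Sequence[bool]) -> Tuple[Optional[str], bool]:
    """inputs: one entry per switching position (True = contact closed),
    including the unused positions. Returns (released mode or None,
    safe_state_requested)."""
    if len(inputs) != len(POSITION_TO_MODE):
        return None, True          # wiring/configuration mismatch: treat as fault
    active = [pos for pos, closed in enumerate(inputs) if closed]
    if len(active) != 1:           # the single check: exactly one position active
        return None, True
    return POSITION_TO_MODE[active[0]], False


def run_cycles(samples):
    """Evaluate one input sample per controller cycle and return the results,
    so a switchover transient or a wiring fault becomes visible."""
    return [evaluate_1ooN(s) for s in samples]


# Constructed samples: the key is turned from position 0 to 2; cycle 1 is the
# transient with no contact closed, cycle 3 a short circuit closing two contacts,
# cycle 4 the unused position 3 (valid input, but no mode is released).
SAMPLES = [
    (True, False, False, False),
    (False, False, False, False),
    (False, False, True, False),
    (True, False, True, False),
    (False, False, False, True),
]

if __name__ == "__main__":
    for cycle, (mode, safe) in enumerate(run_cycles(SAMPLES)):
        print(f"cycle {cycle}: mode={mode} safe_state={safe}")
```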

If you want a more convenient or graphically appealing solution, you can implement safe operating mode selection using a commercially available HMI panel. As an HMI alone is not suitable for safety-related requirements, a combination with a simple key switch helps in this case. Unlike the case above, this key switch only has two positions (on/off) and serves as the second channel for the safe selection of the operating mode. Here too, however, the category 3 requirement is based on single-fault safety. One possible approach is to enable the operating mode selection with the key switch, make the selection on the HMI and then accept it.

In this case, it must only be possible to select the operating mode while the key switch requests it. In addition, the selected operating mode must always be displayed on the HMI. It is important that the program sections 'Displaying the operating mode' and 'Selecting an operating mode' are implemented in different function blocks. The ultimate control of the operating mode always lies with the safety controller. If selection and display do not match, if an operating mode is changed in the HMI at the wrong time or if communication problems occur, the safety controller must interpret this as an error and initiate the safe state.
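The safety-controller side of the HMI-plus-key-switch arrangement, as an added example (not the article's or Wieland's code). The set of modes, the two HMI data fields (requested and displayed mode, coming from the separate selection and display blocks), the communication flag and the two-cycle display tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MODES = ("automatic", "setup", "manual")   # constructed set of operating modes
DISPLAY_TOLERANCE = 2   # assumed: cycles the HMI display may lag before a mismatch is a fault


@dataclass
class ModeController:
    active_mode: Optional[str] = None   # mode actually released by the safety controller
    safe_state: bool = False            # latched once a fault has been detected
    mismatch_cycles: int = 0

    def cycle(self, key_enabled: bool, hmi_requested: Optional[str],
              hmi_displayed: Optional[str], comm_ok: bool) -> bool:
        """One controller cycle with the data received over the (non-safe) HMI link.
        key_enabled is the two-position key switch. Returns True while the safe
        state is active."""
        if self.safe_state:
            return True
        if not comm_ok or (hmi_requested is not None and hmi_requested not in MODES):
            return self._fault()          # communication problem or impossible value
        if hmi_requested is not None and hmi_requested != self.active_mode:
            if not key_enabled:
                return self._fault()      # mode change attempted without the key switch
            self.active_mode = hmi_requested   # key switch present: accept the selection
        # The HMI must show the mode the controller is actually in; a brief lag is tolerated.
        if hmi_displayed != self.active_mode:
            self.mismatch_cycles += 1
            if self.mismatch_cycles > DISPLAY_TOLERANCE:
                return self._fault()
        else:
            self.mismatch_cycles = 0
        return False

    def _fault(self) -> bool:
        self.active_mode = None
        self.safe_state = True
        return True


if __name__ == "__main__":
    ctl = ModeController()
    print(ctl.cycle(True, "manual", None, True), ctl.active_mode)     # accepted
    print(ctl.cycle(False, "manual", "manual", True))                 # display matches
    print(ctl.cycle(False, "automatic", "manual", True), ctl.safe_state)  # change without key
```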

However, an unpleasant side effect of this type of implementation is the need to take the HMI program into account during safety validation. An influence analysis must also be carried out and the safety technology validated for every change to the HMI. This can be an acceptable boundary condition for series machines, as it allows the operating mode selection to be integrated into the overall concept at low cost. For machines that require frequent changes to the HMI, it is more of an unacceptable requirement.

Analog signals

The evaluation of analog signals is either not possible at all or only possible to a very limited extent for most safety controllers. Although special process controllers offer a remedy here, these are usually in a completely different price range. If only an analog signal is required as part of the safety of a machine or system, then this is normally a knock-out criterion. In some cases, however, small and inexpensive safety controllers can also handle analog signals. In addition to PL and sampling frequency, the most important boundary condition is then the question of the purpose of the analog signals.

Figure 4: Example of a limit value converter with digitally programmable analog converter module including potential-free relay output.

© Wieland Electric

Standard safety controllers for machines evaluate input signals at around 10 to 100 Hz. This corresponds to control system cycle times of 10 to 100 ms. The purpose of analog signals in safety technology is usually to monitor whether a limit value is exceeded or not reached. In that case, it is not the analog value itself that is of interest, but its relation to the limit value. The same limit value can also be detected using different (diverse) methods. For example, the fill level of a tank can be detected with a float at the surface or with a pressure sensor at the bottom of the tank, but also with an infrared sensor that measures the distance to the liquid surface from above.

In all cases, the original analog signal can be converted into a digital signal using a limit value converter (two-point controller). This can then be evaluated by any safety controller. The limits of this approach lie in the different time behavior of the measurement methods when measuring redundantly. Limit values that are exceeded only slowly are also critical, as this often leads to false shutdowns. If more than one limit value has to be monitored or if the sensors cannot be tested, these can also be exclusion criteria.

Limit value converters usually support 0 to 10 V or 4 to 20 mA input signals. If these are not already safety-rated by the manufacturer, a single converter is suitable up to a maximum of PL b. The restriction in EN ISO 13849-1 plays a role here: complex electronics cannot be considered well-tried, so the converter may then only be used as Cat. B. However, if two such converters are used, PL b to PL e can be achieved, depending on the sensor quality. The main point of criticism is regularly the assessment of the converters' internal software as a possible single fault, even in redundant systems. There is currently no uniform assessment by the testing institutes, as the standards also leave room for interpretation. In short, the approach using external limit value converters can be used to create a safety function with analog signals even when using simple safety relays.
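The two-converter arrangement from the last paragraphs, modelled in Python as an added example (not the article's or Wieland's code): two diverse limit value converters with hysteresis, evaluated as a two-channel input with a discrepancy time so that the different time behavior of the measurement methods does not cause a false shutdown. The trip/reset levels, the 50 ms cycle, the 500 ms discrepancy time and the one-cycle lag of the pressure channel are constructed assumptions.

```python
CYCLE_MS = 50            # assumed controller cycle (inside the 10..100 ms range above)
DISCREPANCY_MS = 500     # assumed maximum time the two channels may disagree


class LimitConverter:
    """Two-point controller: the contact opens when the value exceeds `trip` and
    closes again only below `reset`, so a slowly crossed limit does not chatter."""

    def __init__(self, trip: float, reset: float):
        self.trip, self.reset = trip, reset
        self.ok = True                       # contact closed = limit not exceeded

    def update(self, value: float) -> bool:
        if self.ok and value > self.trip:
            self.ok = False
        elif not self.ok and value < self.reset:
            self.ok = True
        return self.ok


class TwoChannelInput:
    """Safety-relay style evaluation: enabled only while both contacts are closed.
    One channel opening alone is accepted for the discrepancy time; beyond that
    the channel pair is latched as faulty."""

    def __init__(self):
        self.discrepancy_ms, self.fault = 0, False

    def evaluate(self, ch1: bool, ch2: bool) -> bool:
        if self.fault:
            return False
        if ch1 != ch2:
            self.discrepancy_ms += CYCLE_MS
            if self.discrepancy_ms > DISCREPANCY_MS:
                self.fault = True
        else:
            self.discrepancy_ms = 0
        return ch1 and ch2 and not self.fault


def simulate(levels):
    """levels: constructed tank level per cycle (%). Channel 1 is a float switch seeing
    the level directly; channel 2 models a pressure sensor one cycle behind.
    Returns (enable output per cycle, discrepancy fault flag)."""
    float_conv, pressure_conv = LimitConverter(90.0, 85.0), LimitConverter(90.0, 85.0)
    pair, out, prev = TwoChannelInput(), [], levels[0]
    for lvl in levels:
        ch1, ch2 = float_conv.update(lvl), pressure_conv.update(prev)
        out.append(pair.evaluate(ch1, ch2))
        prev = lvl
    return out, pair.fault
```

Running `simulate([80, 88, 91, 92, 87, 84, 84])` disables the output as soon as the faster channel trips and re-enables it only once both converters have dropped back below the reset level.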

Author:
Thomas Kramer-Wolf is Head of Training & Services at Wieland Electric.
