For common cases of series connection of door switches, the same diagnostic coverage (DC) was often erroneously assumed for all door switches in the past, which is specified by the manufacturers for direct evaluation by a safety switching device - usually a DC of 99 %. In practice, however, it has been shown that in many cases the DC falls below 60 % when the door switches are interlinked, thus reducing the achievable performance level (PL) from PL e to PL c. As a result, an inadequate performance level is often implemented without being recognized and the machine is unsafe despite the great effort involved.

Figure 2: Undetected fault of a door switch © Wieland Electric

The safety switching device (safety controller or safety relay) also reports the doors correctly as open, but cannot detect an error, as both contacts were opened due to the error-free door 2. If the two doors are now closed in reverse order - i.e. first door 1 (step 4) and then door 2 (step 5) - a complete cycle has been completed in step 5 and the safety relay has not detected a fault at any time. The welded contact of door 1 is now undetected in the system and in the event of a second fault at a later time, a dangerous situation would occur. This type of fault is referred to by ISO/TR as fault concealment. However, EN ISO 13849-1 requires for a category 3 or category 4 that every first fault is detected by the system and leads to a safe state. Therefore, regardless of the DC < 60 %, category 3 cannot be used here.

This particular scenario results from an unfavorable workflow; however, other, equally critical scenarios can also occur without this requirement. Ultimately, the possibility of fault concealment depends primarily on whether doors are open at the same time, or whether detected faults in one door can be acknowledged by other fault-free doors, thus fooling the user into believing that the system is fault-free. In all cases, the unrecognized accumulation of faults can lead to a loss of safety.

Help from ISO/TR 24119

A good two years after the basic standard for interlocking devices, ISO 14119, ISO/TR 24119 is expected shortly, which will put the special case of series connection of protective devices on a solid footing. The standard shows that even in simple scenarios, it is often not easy to determine a diagnostic coverage level and estimates often point to a DC < 60 %. As already mentioned, this is not sufficient for implementation in a category 3 or category 4 structure. As a consequence, such conversions would have to be limited to a maximum of PL c.

However, as the accident figures do not show any significant accident frequency, although such circuits are common practice, the ISO/TR attempts to take a pragmatic approach and clarify the boundary conditions for such use. The analysis has shown that the probability of actually detecting occurring faults by the evaluating safety switching device depends on a number of aspects. Two approaches are described in the document. A simplified approach with only two parameters and a regular approach with additional parameters, which in some cases leads to better results compared to the simplified approach.

The simplified approach

Simplified approach of ISO/TR 24119

© Image: Computer&AUTOMATION, Source: Wieland Electric

The simplified approach limits the aspects to be considered to the "number of frequently opened doors (N)" and the "number of additional doors (M)". The basic idea here is that in normal operation, one or more doors are usually operated frequently for loading material and removing products. In addition, there may be one or more doors that are only operated during maintenance - and therefore rarely. Based on these two variables, the achievable DC is set to 'None' to 'Medium'. With a DC of 'Medium', a PL e would be possible in principle, but this is generally excluded in the ISO/TR and the achievable performance level is limited to PL d. A simple table is used to assign the input data to the DC.

Based on EN 62061, the standard setters assumed a frequency of once per hour or more as 'frequent'. Furthermore, this simplified approach is based on the assumption that if more than one worker operates the machine (at the same time), the number of frequently operated doors (N) must be assumed to be one higher than the actual number. This is due to the fact that with two or more workers, the probability that more than one door will be opened at the same time increases significantly and therefore error concealment can occur. In the event that all doors are at least five meters apart or all additional doors are not directly accessible, the number of additional doors M can be reduced by one for the determination according to the table. If it is clear that fault masking can occur, the DC should be limited to 'None'.

The regular approach

In the regular approach, the possibility of fault concealment is considered much more comprehensively. Here too, the number of doors N and M are used as core elements, but other aspects are added. For example, a distinction is made between different arrangements of the sensors and their mechanical structure. If two separate switches are used on each door, this can be seen as an advantage over the arrangement in one switch. In addition, the type of cabling is evaluated according to aspects of common or separate cable routing. Last but not least, the type of fault detection comes into play, in which the type of cable testing must be evaluated. Three variants can be distinguished here. In variant 1, both channels switch the same potential - for example 24 V(DC). Variant 2 switches a potential in one channel - for example 24 V(DC) - and the earth potential in the second channel. The third variant is referred to as dynamic signals and corresponds to testing the channels with independent test pulses.

The evaluation of all these aspects is carried out using several tables and also leads to a maximum achievable DC. The same restrictions and side notes apply as in the simplified approach, as well as the restriction that PL d is the highest achievable performance level.

Doors, emergency stop and other sensors

Figure 3: Interlinking of door switch and emergency stop © Wieland Electric

ISO/TR 24119 does not deal with the equally common case of a combination of emergency stop, door switch and other sensors such as safety mats or safety edges to form a two-channel emergency stop chain. However, if the knowledge that fault concealment can occur is transferred from this standard to the combination of emergency stop and door switch in a chain, it can be seen that linking other sensors with door switches generally makes fault concealment very likely, as the simultaneous actuation of several sensors is not only possible, but probable(see Figure 3).

The limitation of the door switches to DC = 'None' therefore applies in the case of interlinking with other sensors - even for a two-channel design. Only the related case of a pure interlinking of emergency stop buttons can be treated as a special case. In this case, it is usually assumed that only one emergency stop button is actuated at a time, as the system is already at a standstill and there is no longer any need to actuate another button. If only emergency stop buttons are linked, no fault concealment needs to be assumed and the achievable DC corresponds to that of a single emergency stop button.

PL d for up to 30 doors

To summarize: ISO/TR 24119 now provides a solid basis for determining the DC for the first time. The limitation to PL d as a maximum should not pose a problem for most applications. Even the case of many doors, which are all operated infrequently, allows a PL d with up to 30 doors. This would then also be sufficient according to the risk assessment, as a PLr d can usually be fulfilled as a requirement with a frequency set as low (F1). Only cases with a low frequency but a long duration of stay (greater than ten minutes) and a PLr e are not covered by this.

The likewise frequently encountered case with a door that is frequently operated for the purpose of loading material in combination with up to four other doors represents a realistic limitation with a PL d. Only those applications in which doors are frequently operated and which are to be safeguarded in PL e urgently require checking. This is because it is likely that fault concealment can occur here. Alternative solutions should therefore be sought in these cases - for example using other technologies such as RFID switches or alternative diagnostic methods such as direct connection to separate input circuits. What has proved untenable are applications with combinations of door switches, emergency stop and other protective devices in an emergency stop chain in PL d or PL e. In each case, it is necessary to examine individually which solutions could represent alternative options.

Author:
Thomas Kramer-Wolf is a specialist for safety and mechanical engineering at Wieland Electric.