Sensors and switches play important roles in safeguarding personnel, equipment and processes. This panel explains how the ISO 14119 safety standard, IP ratings and safety ratings have an impact on machine building in an age when increased production is harmonized with operator protection.
Meet the panel
Zachary Stank is product marketing specialist—safety, I/O and networks, Phoenix Contact USA.
Lee Burk is training manager, Pilz USA.
Matthew M. Miller is machine safety specialist, FS engineer, ABB Jokab Safety.
Roberta Nelson Shea is global marketing manager, safety components, Rockwell Automation.
Lauren Backhaus is product specialist—components, safety switches and relays, Omron Automation and Safety.
Chris Gerges is CEO, Safe-T-Sense.
Devin Murray is functional safety engineer, Schmersal USA.
Can you please talk about how the ISO 14119 safety standard for interlocking devices associated with guard doors affects design?
Miller: There were many enhancements that came with the 2013 version of ISO 14119. The detailing and defining of “Prevention of defeat in a reasonably foreseeable manner” in specific regards to interlock methods has been very impactful. Now, at the design stage you are required to engineer out the ability for individuals to defeat the safety interlocks using simple methods. If screwdrivers are available in the machine area, then safety interlocks need to be affixed with something other than screws which can be defeated with readily available tools.
Stank: ISO 14119 is changing how OEMs design their interlocked devices. Before ISO 14119, it was an industry norm to wire all interlocking devices in series, which would achieve a stop if any doors were opened and minimize cost on the safety logic side by requiring a single safety relay. With the introduction of ISO 14119, however, this daisy chaining now drastically affects the overall rating of the safety system. OEMs and manufacturers need to be cognizant of and apply this standard during the risk analysis. If more than one periodic guard is used in a safety system, they must be logically evaluated independent of each other by the safety system, in order to maintain the levels of diagnostic coverage required for the highest levels of safety. At first glance, this standard seems like it will ultimately increase the cost of safety logic devices by requiring multiple or more sophisticated systems.
Burk: ISO 14119 is a new international standard, now harmonized as EN ISO 14119, which is replacing the old EN 1088 European norm. The changes are numerous and include revised definitions; the addition of two new types, types 3 and 4, of sensors representing noncontact types both coded and uncoded, as well as the classification of levels of coding; further prohibition against the use of fault exclusion for mechanical actuators to achieve performance level e to ISO 13849-1; clearer requirement of the designer to prevent reasonably foreseeable defeat; test rates specified for PL e, at least every month, and PL d, at least every 12 months, when there is only infrequent access and a manual function test is required to detect a possible accumulation of faults. Although mentioned in the standard, details on fault masking due to the series connection of normally closed, or parallel connection of normally open, contacts have been withdrawn from the original draft and are slated to be covered in the pending release of a new technical report, ISO TR 24119.
Nelson Shea: For interlocking device manufacturers, the impact is small, mostly documentation, updating certifications to include EN ISO 14119 and testing for the guard-lock holding forces.
The greatest impact is on guard-locking devices. There is now a specification for testing the holding force (Fzh). Previously, the force was undefined—maximum, recommended. As a result, manufacturers set their own policies for testing and specifying the force. For some products, the stated force could be close to the maximum or have some de-rating. Now, guard-locking switches must be tested at 1.3 times the holding force (Fzh).
For integrators and machine builders, the impact is greater. They will need to complete more risk assessments; consider additional factors for the selection and installation of interlocking devices; meet more functional safety requirements; evaluate and minimize the motivation to defeat; and comply with ISO 14120 and the minimum safe distances standards.
Backhaus: ISO 14119 answers questions designers had about using interlocking switches with different technologies. There was confusion when designers were told not to put electromechanical interlocking switches in series due to the fault masking, but interlocking switches in series using other technology was acceptable, such as with noncontact switches.
Murray: The ISO 14119 safety standard focuses on the design and selection of interlocking devices for machine guarding. In it, it describes four types of designs that can be associated with a safety device: Type 1 is uncoded mechanical actuation; Type 2 is coded mechanical actuation; Type 3 is uncoded noncontact actuation; and Type 4 is coded noncontact actuation. Selecting which type of device to use is based on a wide range of factors, for example, the desired safety level to achieve, subjected environmental conditions, cycle time for using the switch and the possibility to manipulate the device. This allows the design of a safety switch to range from a classic limit switch to a uniquely coded microprocessor-based device, depending on the application criteria.
Gerges: ISO 14119-2013 helps machine builders and designers in various ways. The three major ones as we see it are it assists them in understanding the different interlock switch designs and the means to minimize defeat of them; it discusses fault exclusions for interlock switches and how PL e cannot be achieved by using only one old-style plug switch, also known in ISO 14119 as Type 2 interlock switch; and it discusses the various types of interlock switches that are available along with the various types of guard-locking mechanisms.
Why is increased safety possible, without reducing production?
Nelson Shea: If the integrator or OEM completes a thorough and thoughtful risk assessment of all the factors associated with interlocking devices and interlocked guards, then there should be no nuisance stops or motivation to defeat. There also should be quicker recovery from production stops. Robust guarding is critical.
Gerges: It is the responsibility of the designer of the safety circuit to make sure to use the right interlock switch for the application, integrate and install it properly. Those steps, if followed properly, will minimize machine downtime that can arise due to the interlocked guard misaligning, environmental effects, or outside influences that may affect some interlock switches. Using or misapplying the incorrect interlock switch or even safeguarding solution for the application at hand will lead to production downtime or, even worse, could lead to the operator defeating the safety measures placed by the designer.
Stank: A well-designed safety system is typically transparent to the normal user. Using a risk assessment as an initial approach is key to finding and mitigating risk from your system. Determining the risk is key; otherwise, you won't know what or how you are protecting your machine. A good risk assessment will also identify risks that can be designed out through standard engineering practices, minimizing the overall impact that a safety system may have on the functionality of the end product. Typically when a machine is malfunctioning or is constantly stopping due to a safety device, the fault can be related to inappropriate or inadequate design. When used properly, a good safety system can enhance overall production by limiting accidents, protecting products and maintaining a machine lifecycle.
Burk: Advancements in technology have led to a vast increase in the number and types of available safeguarding devices. While the number of choices may make the selection process more difficult, it also makes possible the selection of devices that provide no, or only minimal, interference with the task to be completed. By reducing the degree of interference, the incentive to defeat safeguarding measures is reduced, resulting in increased safety. Many companies have found that, by the application of risk assessment at the design stage and suitable selection of safeguards, productivity and safety are increased.
Backhaus: In the past, this may have not been the case because safety devices could’ve affected production by increasing cycle times due to response times; shutting down equipment due to damage or false tripping; or seen as an impedance due to lack of flexibility when designing user-friendly systems.
In many ways implementing safety correctly improves production. I know, at first it sounds illogical. When operators understand how the safety devices operate and the design team works with the operators to understand how they do their job, safety devices become an enhancement.
Another thing I noticed is how much more efficiently operators work when they understand how the safeguarding is protecting them. For the operator loading parts into a press with a light curtain, there is an increased confidence the light curtain is going to stop the press if the operator accidentally makes a mistake. No longer do they have to timidly calculate each movement.
Murray: The advancements in automation for increased production eventually lead to the advancements in safety and safety devices. In order to keep up with the fast pace of automated processes, safety devices have been developed with millisecond response times, onboard self-diagnostics to minimize downtime and even the ability to communicate between both the safety and automated systems seamlessly. Safety has even been incorporated directly into automated components such as variable frequency drives, which feature a safe torque off. What was once seen as an afterthought is now essential when safety is paired with production requirements.
Miller: Why? Survival, what else? ABB Jokab Safety is not going to thrive if we can’t meet the customers’ demands, and the truth is many companies are not going to consider upgrading their safety systems, bar ones that have had an incident, unless you can design a system that meets or exceeds current production rates.
Explain how the safety rating of a switch affects the overall rating of the safety system.
Gerges: Think about it as the chain is only as strong as its weakest link. An interlock switch is just a part of the safety function; all safety components within a safety function work together to reduce the risk to the operator. The reliability of the whole safety function depends on the reliability of each safety component within the safety function. If the interlock switch is not as reliable as the rest of the components within the safety function, that reduces the reliability of the safety function.
Murray: It is a common misconception that a safety device can feature a safety rating; however, a safety device is a single element that is used to determine the overall rating of a safety function such as the performance level per ISO 13849. Some devices require additional considerations to meet a desired performance level as they may have mechanical wear and tear or a single point of mechanical failure whereas other devices may feature a self-monitoring, noncontact electronic operating principle. Such higher functioning self-contained devices make the requirements of the more stringent performance levels as defined by a risk assessment easier to attain.
Stank: The safety switch is only a single component of the safety system, and all components of the safety system affect the overall rating of the system. If you have a high-quality switch being used with cheap sensors and end devices, your safety ratings will suffer. The opposite is true as well; using a poor-quality switch with high-quality sensors and end devices will bring down the safety ratings of your system. Modern safety standards incorporate each individual piece of the safety system, which means any piece of the system that is lacking quality or is wired incorrectly could have a detrimental effect on the safety rating.
Nelson Shea: The safety rating is a part of the whole. But there are really two types of interlocking devices—those that are components with a B10d rating and those that have a functional safety system rating. Looking at safety-related functions, the interlocking device is the input, the safety control is the logic, and outputs can include contactors, safe drives and more.
For interlocking devices, there is the potential to have the following safety-related functions: guard interlocking, guard locking and lock monitoring.
For guard interlocking, the guard is closed because the actuator is detected, or the guard is open and the actuator is gone. This function exists with all guard-interlocking devices.
For guard locking, the lock/unlock command is monitored to verify that it is correct. This can be monitored by the guard-locking device and/or by the safety control system.
For lock monitoring, the guard lock is locked with the guard in the closed position—the actuator in position—and the actual lock is monitored. When commanded, the actuator is released and unlocked to allow opening the guard.
Backhaus: ISO 13849-1 requires each part of the system to be considered, which takes into account component mean time to dangerous failure (MTTFd), diagnostic coverage (DC) and common cause failure (CCF). Prior to ISO 13849-1, there were end users selecting all Category 3 and 4 safety devices, with the belief they were designing a reliable system. They didn't realize how the entire system faltered as soon as they monitored the safety devices from their standard PLCs. In other cases high category components were used and monitored with safety-rated controllers, but then nonsafety sensors would be used in places where safety-rated sensors were needed. By making the selection and implementation of safety a quantitative process, designers can see how every factor affects the rating of the overall system. It can be a cost savings for a company since it predicts when the safety devices will fail, allowing components to be replaced during preventive maintenance before failures shut down the system or by selecting higher-quality products earlier in the design phase.
Miller: Every component within a safety system affects the overall rating, and, regardless of how well-designed and highly rated your controllers and light grids are, you’re only as strong as your weakest link. The rating of a safety switch should meet or exceed the desired overall system rating.
Burk: The use of safety-rated switches is necessary to ensure the use of well-tried safety principles and high reliability of operation to meet the safety levels of control systems to ISO 13849-1 and IEC 62061.
Which IP ratings should be considered when selecting safety sensors and switches?
Murray: Knowing what type of environment and what kind of particulate may be capable of entering the switch cavity is essential in determining which IP rating is required for the application.
The ingress protection, or IP, rating is used to describe the enclosure rating of a component and is represented by two digits. The first digit identifies how protected it is against solid matter, and the second digit identifies its protection against liquid. A device can have no protection for either, up to complete protection against dust with the ability to be submerged into 1 m of water. An IP rating—IP69K—even exists for harsher conditions where the enclosure is subjected to high-temperature and high-pressure washdown.
Burk: IP ratings are going to be dependent on the application. In most industrial applications, a rating of IP52 will be sufficient. Higher ratings will be needed where washdown is required to prevent bacterial growth such as in the food processing or pharmaceutical industries.
Backhaus: The IP rating depends on the application and the environment. For example, a machine that cuts metal using water could use a noncontact switch because there is a possibility of the switch being submerged in water for less than 30 minutes. This would be a situation where an IP67 switch is needed.
Gerges: The IP rating for the safety device is selected based on the environment that you have and the application. Some of the environmental effects that need to be considered in selecting the IP rating are applications where the safety device is used in a tool machine manufacturing application, for example CNCs, lathes or presses. Is it going to be splashed directly or indirectly with oil, coolants or other fluids, or will it be submerged in them?
Is the safety device going into an application where it will be washed down regularly? What chemicals make up the washdown solution? If we have harsh chemicals, we would need to look past the IP rating and at the housing material of the safety device.