
ISO 14119 – interlocks

ISO/TR 24119 – fault masking

Update on interlocks, means to prevent defeat


Judging fault masking and avoidance strategies

David Collier, CMSE ®


Pilz Automation Technology, UK
Content

• Introduction to ISO 14119

• Fault masking
– How it occurs
– Quantifying its impact (based on ISO/TR 24119) on diagnostic coverage
and hence the achievable level of safety (Performance Level)
– How to overcome it

• Different types of interlocking device (Types 1, 2, 3, 4)

• Defeat (manipulation) of interlocks and measures to prevent it

• Fault exclusions

– Note throughout this short presentation there are hyperlinks to the Pilz
website where solutions can be found!
David Collier, Feb. 2016 ISO 14119 / TR 24119 basics 2
EN ISO 14119:2013-03
Scope
On 11 April 2014, the European Commission published EN ISO 14119:2013-03 in
the Official Journal as a harmonised standard for the Machinery Directive
2006/42/EC, as the successor standard to EN 1088:1995+A2:2008.

The transition period ended on 30.04.2015.

[Figure: relationship between IEC standards, ISO standards, EN (IEC) standards and EN ISO standards]



EN ISO 14119:2013-03
Main changes to the standard
The main changes concern the improved structure, which results from the
differentiation and definition of four types of interlocking device:

• With a description of their technology and their advantages and
disadvantages in the Annexes, definition and consideration of "Defeat in a
reasonably foreseeable manner",
• Inclusion of the measures necessary to minimise potential defeat as a result
of the risk estimation and
• Consideration of new technologies and inclusion of the new
informative Annexes G, H and I
• Consideration given to fault masking on series connected interlocks

A central new element is the detail about additional measures for
interlocking devices against defeat (manipulation), and the topic of fault
masking as described in the slides that follow.



Fault masking explained

8.6 Logical series connection of interlocking devices

Logical series connection of interlocking devices means for NC contacts wired in
series or for NO contacts wired in parallel. When interlocking devices with redundant
contacts are logically connected in series the detection of a single fault can be
masked by the actuation of any interlocking device logically connected in series with
the defective interlocking device to the safety related control system.

It is foreseeable that during the fault finding (troubleshooting) by the operator one of
the guards whose interlocking devices are logically connected in series with the
defective interlocking device will be actuated. In that case the fault will be masked
and the effect on the diagnostic coverage value shall be considered.
For a series connection the maximum DC* (see ISO 13849-1 or IEC 62061) should
be considered.

NOTE ISO/TR 24119 deals with the logical serial connection of devices

*DC = diagnostic coverage, ability to detect dangerous failures expressed as a
percentage
Series connected switches scenario
Fault masking

A single fault can occur and prevent a reset; however, the opening and closing of another guard can clear the
fault and allow a reset – hence an undetected fault accumulates.
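The masking sequence just described, as an added model that is not from the presentation or from Pilz: two guards with redundant N/C contacts are evaluated either as one series string or individually (the zoning approach covered later in the deck). The two-channel relay behaviour, the Guard and TwoChannelEvaluator classes and the welded-contact fault are all assumptions constructed for this example.

```python
class Guard:
    """A guard with two N/C contacts (channels A and B) that open with the guard."""
    def __init__(self, welded=()):
        self.closed, self.welded = True, set(welded)  # welded: contacts stuck closed

    def contact(self, ch):
        return self.closed or ch in self.welded  # a welded contact conducts when open

class TwoChannelEvaluator:
    """Assumed relay behaviour for guards wired in series: a discrepancy between
    channels A and B latches a fault that blocks reset, and the latch is released
    only when both channels are seen open together (the hook for masking)."""
    def __init__(self, guards):
        self.guards, self.fault, self.enabled = guards, False, False

    def channel(self, ch):
        return all(g.contact(ch) for g in self.guards)

    def update(self):
        a, b = self.channel("A"), self.channel("B")
        if a != b:
            self.fault = True        # single fault detected by discrepancy
        elif not a:
            self.fault = False       # both channels open: latch released
        self.enabled = self.enabled and a and b   # any open guard drops the enable
        return a, b

    def reset(self):
        a, b = self.update()
        self.enabled = self.enabled or (a and b and not self.fault)
        return self.enabled

def cycle(guard, evaluators):
    for state in (False, True):      # open, then close, updating every evaluator
        guard.closed = state
        for ev in evaluators:
            ev.update()

def masking_scenario(series):
    """Reset results (after the welded contact shows up, after guard 2 is cycled)."""
    g1, g2 = Guard(welded={"A"}), Guard()
    groups = [[g1, g2]] if series else [[g1], [g2]]   # one string vs. zoned wiring
    evs = [TwoChannelEvaluator(g) for g in groups]
    cycle(g1, evs)      # channel A stays closed, B opens: fault latched, reset refused
    after_fault = all([ev.reset() for ev in evs])
    cycle(g2, evs)      # troubleshooting: the operator cycles another guard
    after_cycle = all([ev.reset() for ev in evs])
    return after_fault, after_cycle
```

With series wiring the second reset succeeds and the welded contact is carried forward undetected; with each guard evaluated on its own the fault stays latched.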



EN ISO 13849: how Category, DC & MTTFd
relate to PL (Figure 5 of the standard)

To achieve PL d or PL e a safety function must have at least 60% DC
(diagnostic coverage), and this can be impacted by fault masking (see
next slide).



Are your interlocked guards as safe as you think?
ISO/TR 24119 now published

• To claim to be in category 2, 3 or 4 (to support PL c – e) it is necessary to
have 60 – 99% Diagnostic Coverage (DC) as per standard EN ISO 13849-1
fig. 5, and fault masking can effectively reduce it to zero, which can drop you
out of PL d/e to PL c or worse.

This “simplified method” table appears in the published ISO/TR 24119 and
shows a simple way of identifying the impact upon diagnostic coverage from
series connection of guards, based upon frequency and quantity.



A cure for fault masking
Interlocks with integrated fault detection

• If a series of interlinked switches is required to meet PL e, using switches with
integrated fault detection can overcome fault masking.
• Only switches with internal diagnostics and an OSSD (Output Signal Switching
Device) output, a solid state type as commonly found on RFID based switches,
are unaffected by fault masking.
• See Pilz PSENcs range of devices: PSEN cs webpage



Types of device with RFID coding and OSSD
outputs

PSEN cs webpage: Coded RFID, non-contact guard
position monitoring switches

PSENslock webpage: Process solenoid locks with built in
RFID guard position monitoring

PSENsgate webpage: Safe solenoid unlocking, command to PSENcs
release, E-stop, escape from inside the hazard area, and
RFID monitoring gate access systems

PSENini webpage: Inductive safety sensors for safe position
monitoring e.g. robot home position

[Product images: PSENsl, PSENsg, PSENini]



Other means to prevent fault masking
Zoning

• Individually wire guards or zone, as below using Pilz PDP20 which
has test pulsed outputs (OSSDs)
• Each PDP20 can take 3 x 2n/c guards and be linked safely to other
PDP20 modules using test pulses (or 4 x 2n/c if used standalone)
• Can be used in conjunction with all PNOZ and PSS systems



Other means to prevent fault masking
Zoning and addressing

• Decentralise safety input circuits using on-machine, addressable
distributed I/O such as PDP67 modules as part of the PNOZmulti

Passive PDP67 (so called PDP67 4 F code) for use with coded 8-pin RFID
devices only and generally used with PNOZ safety relays

Active PDP67 (so called PSP67 F 8 DI ION) for use with ANY safety input
device (contact-based or solid state), 5 pin, addressable on PNOZmulti
systems only



Other means to prevent fault masking
Zoning and addressing

• Decentralise safety input circuits using IP20 remote I/O such as that
found in the PSS 4000 system, distributed using SafetyNETp



EN ISO 14119:2013-03
Types of interlocking device

Table 1 provides an overview of the interlocking types with a cross-reference
to the examples in the standard's Annex.



Defeating safeguards
Defeat (manipulation)

Why does an examination of this issue need to be included in future?

Extract from BGIA report:

[Pie chart] 37% of safeguards are manipulated constantly or occasionally
(Manipulation 37%, OK 63%)

[Pie chart] 25% of all accidents when operating machinery can be attributed
to manipulations (Manipulation 25%, other accidents 75%)

Source: BGIA Report - Manipulation of safeguards on machinery

EN ISO 14119 stipulates that: "The machine shall be designed in such a way that it minimizes the
motivation for defeating the interlocking devices" and goes on to stipulate "The interlocking device
shall provide the minimum possible interference with activities during operation and other phases of
machine life, in order to reduce any incentive to defeat it."



EN ISO 14119:2013-03
Defeat (manipulation)
1. The machine must be designed so that the motivation for defeating the
interlocking devices is minimised.

2. With this in mind, the following procedure is described in Section 7.

3. Annex H describes how the documentation can be prepared.



EN ISO 14119:2013-03
Defeat (manipulation)
7.1a) Use of basic measures
• Fastening is adequate
• Forced opening leads to a reaction (e.g. temporal
restart interlock)
• The device must be able to withstand the
expected forces
• Dynamic effects, such as bounce, must be
considered

Note!
Type 3 interlocking devices may not be used



EN ISO 14119:2013-03
Defeat (manipulation)
7.1b) Check whether there is any motivation to defeat
in a reasonably foreseeable manner under
various modes of operation and document



EN ISO 14119:2013-03
Defeat (manipulation)
7.1c) Check the extent to which
the motivation can be
eliminated or minimised:

• Design measures; and/or
• Alternative operating modes

Note!
The motivation to defeat can be avoided by
implementing alternative operating modes



EN ISO 14119:2013-03
Measures against manipulation
7.1d) Additional measures are required if defeat in a
reasonably foreseeable manner remains.

• If the possibility of defeat cannot be excluded
through modified or additional operating
modes, only one element remains for the
design engineer:
To make it more difficult or impossible to
defeat the interlocking device.

1. Prevent accessibility to the elements of the
interlocking device by
• Installing them out of reach
• Using barriers or screens
• Installing them in a concealed position



EN ISO 14119:2013-03
Measures against manipulation
Additional measures against manipulation
2. Prevent substitute actuation of the interlocking device by means of objects that
are readily available. Coded actuator with:
• Low coding level; (additional manipulation protective measures)
• Medium coding level; (additional manipulation protective measures)
• High coding level; (no further measures)

Coding level table (columns Low, Medium, High; each device is marked X in one column):
PSEN mech X
PSENmag X
PSEN hinge X
PSEN cs (coded) X
PSEN cs (unique) X
PSEN sl/sg (coded) X
PSEN sl/sg (unique) X



EN ISO 14119:2013-03
Measures against manipulation
Additional measures against manipulation
3. Prevent by using caps or permanent fastenings (e.g. welding, sticking, one-way
screws, rivets) – Pilz supplies caps with switches and M4 and M5
screws are available separately

4. Prevent defeat by
• integrating monitoring of defeat within the control system
a) Status monitoring
b) Periodic tests



EN ISO 14119:2013-03
Measures against manipulation

Example: all you need if you use a uniquely coded PSENcs device (such as PSENcs 2.2 / 4.2 / 6.2) is to use permanent fixings on the
actuator. If you don’t use uniquely coded devices (e.g. you use a coded device like PSEN cs 1.1 / 3.1 / 5.1 / 5.11 or a fully coded PSEN cs 2.1 /
4.1 / 6.1) then one of the other additional measures “X” must be used.



The use of fault exclusions and how to achieve
PL e interlocking / guard locking

• The use of fault exclusions has long been covered in EN 62061
(max SIL 2), ISO/TR 23849 (PL d) and now also in EN ISO 13849-2
(Annex D.8: a single mechanical point of failure (the tongue or cam)
cannot be fault excluded for PL e).
• This limitation to PL d for fault exclusions appears in EN ISO 14119
• Fault exclusion on the tongue can be made using PSEN bolt with
PSEN mech 1

• To achieve PL e, especially for guard locking, the use of at least two
devices is necessary unless the user uses a PL e certified guard
locking interlock device (the manufacturer states max extraction
force, the interlocking is done electronically via RFID in the tongue,
and the solenoid is bistable: pulse to lock, pulse to unlock)
• See PSEN sgate today, and in the future PSEN mlock



To learn more...

Please contact your local Pilz representative

In the UK:
North: Paul Fasey & Alex Bryce
South: Dave Burton & Paul Simons
East: David Collier & Scott Booth
West: Dave Bromme & Jamie Thomas
Main office: 01536 460766

Elsewhere in the world: visit www.pilz.com to establish a Pilz
subsidiary contact


David Collier, CMSE ®
Pilz Automation Technology
Telephone: +44 1536 460766
Mobile: 07969 688783
d.collier@pilz.co.uk, www.pilz.co.uk



Little Colliers Field, Corby, Northants, NN18 8TJ, UK

CMSE®, InduraNET p®, PAS4000®, PAScal®, PASconfig®, Pilz®, PIT®, PLID®, PMCprimo®, PMCprotego®, PMCtendo®,
PMD®, PMI®, PNOZ®, Primo®, PSEN®, PSS®, PVIS®, SafetyBUS p®, SafetyEYE®, SafetyNET p®, THE SPIRIT OF SAFETY®
are registered and protected trademarks of Pilz GmbH & Co. KG in some countries. We would point out that product
features may vary from the details stated in this document, depending on the status at the time of publication and the
scope of the equipment. We accept no responsibility for the validity, accuracy and entirety of the text and graphics
presented in this information. Please contact our Technical Support if you have any questions.
