BSI Standards Publication

Safety of machinery - Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts

PD ISO/TR 24119:2015

National foreword

This Published Document is the UK implementation of ISO/TR 24119:2015.

The UK participation in its preparation was entrusted to Technical Committee MCE/3, Safeguarding of machinery.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 86043 0
ICS 13.110

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 November 2015.

Amendments/corrigenda issued since publication
Date    Text affected

TECHNICAL REPORT ISO/TR 24119

First edition 2015-11-15

Sécurité des machines - Évaluation du masquage de fautes dans les connexions en série des dispositifs d'interverrouillage associés aux contacts sans potentiel

Reference number ISO/TR 24119:2015(E)
© ISO 2015, Published in Switzerland. All rights reserved.
Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Fault masking
  4.1 General
  4.2 Direct fault masking
  4.3 Unintended reset of the fault
  4.4 Cable fault with unintended reset
5 Methodology for evaluation of DC for series connected interlocking devices
6 Limitation of DC by effects of series connected devices
  6.1 General
  6.2 Simplified method for the determination of the maximum achievable DC
  6.3 Regular method for the determination of the maximum achievable DC
    6.3.1 Estimation of the fault masking probability
    6.3.2 Determination of the maximum achievable DC
  6.4 Interlocking devices with potential free contacts and other potential free contacts of devices with different functionality connected in series
7 Avoiding fault masking
Annex A (informative) Examples of the application of the evaluation methods described in 6.2 and 6.3
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 199, Safety of machinery.

TECHNICAL REPORT ISO/TR 24119:2015(E)

Safety of machinery - Evaluation of fault masking serial connection of interlocking devices associated with guards with potential free contacts

1 Scope

This Technical Report illustrates and explains principles of fault masking in applications where multiple interlocking devices with potential free contacts (B1 to Bn) are connected in series to one logic unit (K) which does the diagnostics (see Figures 1 to 7). It further provides a guide how to estimate the probability of fault masking and the maximum DC for the involved interlocking devices. This Technical Report only covers interlocking devices in which both channels are physical serial connections.

This Technical Report does not replace the use of any standards for the safety of machinery.

The goals of this Technical Report are the following:
- guidance for users for estimation of the maximum DC values;
- design guidance for SRP/CS.

NOTE 1 Interlocking devices with integrated self-monitoring are not included in the scope of this Technical Report.

NOTE 2 Limitation is also given by the diagnostic means implemented in the logic unit.

NOTE 3 This Technical Report is not restricted to mechanical actuated position sensors.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 12100, Safety of machinery - General principles for design - Risk assessment and risk reduction

ISO 13849-1:2006, Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design

ISO 14119:2013, Safety of machinery - Interlocking devices associated with guards - Principles for design and selection

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 12100, ISO 13849-1, ISO 14119 and the following apply.

3.1
fault masking
unintended resetting of faults or preventing the detection of faults in the SRP/CS by operation of parts of the SRP/CS which do not have faults

3.2
series connected devices
devices with potential free contacts (B1 to Bn) are connected in series to one logic unit (K) which does the diagnostics

3.3
signal evaluation of redundant channels with same polarity
technique where the logic unit of the safety function evaluates redundant signals which have the same supply voltage

3.4
signal evaluation of redundant channels with inverse polarity
technique where the logic unit of the safety function evaluates redundant signals in which the second channel has the ground polarity

Note 1 to entry: See IEC 60204-1:2005, 9.4.3.1, method a).

3.5
signal evaluation of redundant channels with dynamic signals
technique where the logic unit of the safety function evaluates redundant dynamic signals

Note 1 to entry: Dynamic signals can be generated with test pulses, frequency modulation, etc.

3.6
star cabling
cabling structure where every interlocking device is wired with a single cable to the electric cabinet or enclosure

Note 1 to entry: Figure 1 shows a star cabling.

Key
A  electrical cabinet
B1.1, B1.2, B2.1, B2.2, B3.1, B3.2  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device

Figure 1 - Star cabling

3.7
branch cabling
trunk cabling
cabling structure where a single cable from the electric cabinet is wired to the first interlocking device and from this interlocking device to the next, and so on, until the last interlocking devices and the resulting signals are wired the same way back to the electric cabinet

Note 1 to entry: Figure 2 shows a branch (trunk) cabling.

Key
A  electrical cabinet
B1.1, B1.2, B2.1, B2.2, B3.1, B3.2  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device

Figure 2 - Branch (trunk) cabling

3.8
loop cabling
cabling structure where a single cable from the electric cabinet is wired to the first interlocking device and from this interlocking devices to the next, and so on, until the last interlocking device while the signals return to the electric cabinet in a separate cable

Note 1 to entry: Figure 3 shows a loop cabling.

Key
A  electrical cabinet
B1.1, B1.2, B2.1, B2.2, B3.1, B3.2  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device

Figure 3 - Loop cabling

3.9
single arrangement
application of two different contacts of a single interlocking device in the redundant channels of an interlocking circuit for a single guard interlocking

Note 1 to entry: Figure 4 shows a single arrangement.
Key
A  electrical cabinet
B1, B2, B3  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device

Figure 4 - Single arrangement

3.10
redundant arrangement
application of single contacts of two (redundant) interlocking devices in the redundant channels of an interlocking circuit for a single guard interlocking

Note 1 to entry: Figures 1 to 3 show redundant arrangements.

3.11
protected cabling
cabling which is permanently connected (fixed) and protected against external damage, e.g. by cable ducting, armoring, or within an electrical enclosure according to IEC 60204-1

4 Fault masking

4.1 General

A common approach in the design of safety related circuits is to series connect devices with potential free contacts, e.g. multiple interlocking devices connected to a single safety logic controller which performs the diagnostics for the overall safety function. Although in such applications a single fault will, in most cases, not lead to the loss of the safety function and will be detected, in practice, problems sometimes occur.

It is foreseeable that more than one movable guard will be open at the same time or in a sequence, e.g. due to subsequent fault finding procedure or as part of the regular operation of the machine.

Due to the serial connection of the contacts, faults in the wiring or contacts detected by the logic unit may be masked by the operation of one of the other (non-faulty) in series connected devices. As a result, the operation of the machine is possible while a single fault is present in the SRP/CS. This can, in consequence, allow the accumulation of faults leading to an unsafe system.

Figures 5 to 7 show examples for fault masking in situations with movable guards with series connected interlocking devices.

4.2 Direct fault masking

Figure 5 shows a situation where two movable guards actuated in a specific sequence can lead to fault masking.

Key
B1, B2, B3  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device
x1  initial fault - contact fails to open
x2  second fault - broken switch lever

Figure 5 - Direct fault masking

4.3 Unintended reset of the fault

Figure 6 shows a situation where a fault in one interlocking device is initially detected but then is reset unintentionally by operation of one of the other interlocking devices.

Key
B1, B2, B3  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device
x1  initial fault - contact fails to open
x2  second fault - broken switch lever

Figure 6 - Unintended reset of the fault

4.4 Cable fault with unintended reset

Figure 7 shows a situation where a fault in the cabling is initially detected but then is reset unintentionally by operation of one of the other interlocking devices.
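The masking effects described in 4.2 and 4.3 can be replayed in a small simulation. This is an added example, not part of ISO/TR 24119: it assumes a single arrangement (3.9) and a simplified logic unit K that latches a fault when the two channels disagree and clears the latch after seeing both channels open and then both closed. The function names, the fault set and the event sequences are constructed for illustration.

```python
# Added illustration, not part of ISO/TR 24119. Assumed logic-unit model:
# K latches a fault when the two channels disagree, and clears the latch
# once it has seen both channels open and then both closed again.

# Constructed fault: the channel-1 contact of B1 fails to open (x1 in the keys).
FAULT = {("B1", 1)}

def channels(guards_open, stuck_closed):
    """Return (ch1_closed, ch2_closed) for the series chain.

    A channel is closed only if every contact in it is closed. The contact of
    an open guard is closed only when it is listed in stuck_closed.
    """
    return tuple(all((g, ch) in stuck_closed for g in guards_open)
                 for ch in (1, 2))

def run_sequence(events, stuck_closed):
    """Replay ('open' | 'close', guard) events and report what K observed."""
    guards_open = set()
    latched = detected = saw_both_open = False
    for action, guard in events:
        if action == "open":
            guards_open.add(guard)
        else:
            guards_open.discard(guard)
        ch1, ch2 = channels(guards_open, stuck_closed)
        if ch1 != ch2:                    # discrepancy: K detects the fault
            latched = detected = True
            saw_both_open = False
        elif not ch1:                     # both open: looks like a normal demand
            saw_both_open = True
        elif latched and saw_both_open:   # both closed again: latch is cleared
            latched = False
    ch1, ch2 = channels(guards_open, stuck_closed)
    return {"detected": detected, "latched": latched,
            "run_enabled": ch1 and ch2 and not latched}

# 4.2: B2 is already open when the faulty B1 is operated, so K sees no discrepancy.
DIRECT_MASKING = [("open", "B2"), ("open", "B1"), ("close", "B1"), ("close", "B2")]
# 4.3: the fault is detected on B1, then operating B2 clears the latch.
UNINTENDED_RESET = [("open", "B1"), ("close", "B1"), ("open", "B2"), ("close", "B2")]

if __name__ == "__main__":
    for name, seq in (("direct masking", DIRECT_MASKING),
                      ("unintended reset", UNINTENDED_RESET),
                      ("B1 alone", [("open", "B1"), ("close", "B1")])):
        print(name, run_sequence(seq, FAULT))
```

In both constructed sequences the machine ends up enabled with the stuck contact still present, whereas operating B1 alone leaves the fault latched.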
Key
B1, B2, B3  interlocking devices with potential free contacts
K  logic unit
S  manual reset function reset device
x1  initial fault - short circuit to Un
x2  second fault - broken switch lever
Un  nominal voltage of the channel

Figure 7 - Cable fault with unintended reset

5 Methodology for evaluation of DC for series connected interlocking devices

Step 1: Determine DC (see ISO 13849-1:2006, Annex E) of every single position switch which is a part of the safety function(s).

Step 2: Improve the resistance to fault masking if required by enhancing the design or changing the diagnostic method (refer to Clauses 6 and 7 and ISO 13849-2:2012, Annex D).
- Improve diagnostic coverage using a different diagnostic measure (see ISO 13849-1:2006, Annex E).
- Improve cabling in order to reduce fault possibilities or to allow fault exclusion.
- Select other type of interlocking device in order to allow fault exclusion.

Step 3: Limit the DC of the position switch to the maximum achievable DC by applying one of the methods given in Clause 6.

Step 4: Improve DC if required according to Clause 7.

6 Limitation of DC by effects of series connected devices

6.1 General

According to ISO 14119:2013, 8.6, with respect to serial wiring of contacts (without additional diagnostics), the effect of possible fault masking should be carefully taken into consideration.

Possible fault masking may lead to a fault accumulation, therefore, the maximum achievable DC should be estimated using one of the methods described in 6.2 and 6.3. The maximum achievable PL is limited to PL d and the maximum DC is limited to medium.

NOTE The probability of occurrence of faults due to random and systematic failures cannot be fully known. Therefore, any degradation of the diagnostics function will result in an increased probability of dangerous failures. This is not acceptable for higher levels of risk therefore PL and DC is limited.

6.2 Simplified