The European Machinery Directive calls upon every designer to reduce the risk to life and limb posed by the machine to an acceptable level through his machine design. In practice, this means allowing as few accesses as possible to the dangerous components or processes and securing the inevitable remaining accesses by technical protective measures.
A classic example of this is safety gates that only permit hazardous machine movement when they are closed. Here the designer is faced with the usual compromise between safety, availability and system costs. The electrical series connection of safety contacts of several safety guards acting on the same drive is located in precisely this area of conflict.
Series connections of safety switchgear have been used in safety-relevant applications such as interlocking devices or emergency stop systems for much longer than most machine safety standards have existed, and they still enjoy a very high level of acceptance. It was not until the second half of the 1990s that the first concessions were made, when EN 954-1, as the forerunner of today’s EN 13849-1, was used to evaluate safety systems. The question most discussed at that time was: «Why can a two-channel chain of safety switchgear not be classified in the highest control category?» Today, more than 10 years after the introduction of EN 13849-1, a different question is being asked, but it leads to the same answer: «Why can the diagnostic coverage (DCavg) of a two-channel chain of safety switchgear not be easily specified, preferably greater than 60%?»
These questions naturally arise with the objective of providing the design of the technical protective measure with the highest possible safety level (such as the performance level according to EN 13849-1). The answer to both questions leads to the concept of error masking.
If a two-channel series connection of safety switchgear is in the Off state, the downstream safety controller is missing two essential pieces of information. It is unknown which protective device caused the Off state, and any further state changes of other safety switching devices are overwritten by the already existing Off state. The second point in particular deprives the safety control system of the possibility of monitoring all protective devices if several of these devices are operated at overlapping times. As a result, a proportion of the faults occurring in the system are not detected in time or not detected at all.
To explain this in more detail, BERNSTEIN AG has produced an instructional video that describes the effect of fault masking.
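The masking effect described above can be reproduced with a small simulation. This is an added example, not BERNSTEIN AG material and not the ISO/TR 24119 estimation method; the gate names, the welded contact and the simplified evaluation unit (it flags a fault whenever the two channels disagree) are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Gate:
    name: str
    is_open: bool = False
    welded: set = field(default_factory=set)  # channels whose contact is stuck closed

    def contact_closed(self, channel: int) -> bool:
        # A healthy contact opens with the gate; a welded contact stays closed.
        return (not self.is_open) or channel in self.welded


def chain_signals(gates):
    """Series connection: a channel is high only if every contact in it is closed."""
    return tuple(all(g.contact_closed(ch) for g in gates) for ch in (1, 2))


def fault_detected(gates, events):
    """Replay (gate_name, 'open' | 'close') events and report whether the
    evaluation unit ever saw the two channels disagree."""
    by_name = {g.name: g for g in gates}
    detected = False
    for name, action in events:
        by_name[name].is_open = action == "open"
        ch1, ch2 = chain_signals(gates)
        if ch1 != ch2:  # discrepancy between the redundant channels
            detected = True
    return detected


def make_chain():
    # Constructed fault: the channel 2 contact of gate A is welded shut.
    return [Gate("A", welded={2}), Gate("B")]


# Gate A is operated on its own: the welded contact shows up as a discrepancy.
ALONE = [("A", "open"), ("A", "close")]
# Gate A is operated while gate B already holds the chain in the Off state.
OVERLAP = [("B", "open"), ("A", "open"), ("A", "close"), ("B", "close")]

if __name__ == "__main__":
    print("A alone      :", fault_detected(make_chain(), ALONE))    # True
    print("A during B   :", fault_detected(make_chain(), OVERLAP))  # False
```

In the overlapping sequence both channels are already low when gate A moves, so the controller sees a clean open and close cycle and the welded contact goes unnoticed.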
To be able to determine a performance level according to EN 13849-1, it is important to determine the percentage of detected faults. In the case of a series connection, this depends largely on how often the effect of error masking occurs in the system. Without a defined procedure, it is difficult for the person responsible to assess this carefully and derive a diagnostic coverage level from it.
The technical report ISO/TR 24119 provides assistance: it first describes the different types of error masking and then provides a guide for estimating the diagnostic coverage of the respective application. This estimate essentially depends on the number of protective devices and the frequency with which the safety function is requested. For this purpose, the wiring topology and the way the individual conductors are laid relative to each other are considered. In this way, however, the report also shows the limits of the safety-related performance of a two-channel series connection. If, for example, there are two safety gates in a system, both of which are opened more than once per hour, it becomes very difficult to achieve even the diagnostic coverage level «low» through additional wiring measures, although this level is indispensable for achieving performance level d.
Alternatives to the two-channel chain of electromechanical safety switchgear
The effects of error masking do not apply to safety switching devices that are self-monitoring. Components such as light grids, laser scanners and RFID sensors require their own safety software for their basic function and therefore also the corresponding redundant safety-relevant hardware that enables self-monitoring of the component.
For this reason, BERNSTEIN AG’s RFID safety sensors from the SRF product range were also offered from the outset with variants that can be connected in series. In practice, two input connections are added to each of these variants, to which the safety outputs of the sensor in front of it in the chain are switched. In this way, up to 32 sensors can be connected in series while maintaining performance level e. As an essential feature, the SRF sensors are connected in series with a commercially available unshielded 4-wire cable, whose conductors are occupied by the power supply and the redundant safety signal. In addition, BERNSTEIN AG offers a system of T-pieces and a termination adapter to enable simple implementation without additional terminal boxes.
Daisy Chain Diagnostics
In addition to advantages such as simple wiring, the need for only one redundant safety input on the downstream safety controller and a high performance level, the SRF chain also offers the possibility of reading the states of the individual sensors into the higher-level controller. Technically, this is realized in such a way that the sensor furthest away from the control system generates a data packet with its status information and modulates it onto the safety signals. The next sensor reads in the data packet, supplements it with its own status information and passes the packet on to the next sensor. At the control end of the chain there is an additional diagnostic module that separates the diagnostic information from the safety signal and prepares it for the user. BERNSTEIN AG calls this system Daisy Chain Diagnosis (DCD), which already answers the question in the title at this point: the term «Daisy Chain» literally means a chain of daisies, but is also used in the technical sense for the series connection of switches and sensors.
Essential for the DCD system is the independence of the safety signal and the DCD data on the line. Likewise, the safety controller and the diagnostic module, which are connected in parallel to the safety outputs, must not influence each other. BERNSTEIN AG offers various diagnostic modules for processing the DCD data. The SRF-DI diagnostic module is an IO-Link slave on the output side and thus enables any controller with an IO-Link master to read out the status information of each individual sensor. Maintenance personnel also have the option of reading the status of the safety chain via an NFC interface with a smartphone app or via USB with a laptop. The basic information about which door is open is also provided as a discrete signal.
Smart Safety System
BERNSTEIN AG strives for a continuous expansion of the product portfolio with the features described above under the generic term SMART Safety System. This applies both to the safety switchgear in the safety chain and to the diagnostic modules and safety evaluations at the end of the safety chain.
Because in most cases the user has to integrate an emergency stop as a supplementary protective measure in the system, even for safety tasks with a rather small range of functions, the SEU (Safety Emergency Unit) product range was developed. The SEU either represents an emergency stop button with the necessary range of functions for the SMART Safety System or consists of a connection box for two-channel electromechanical safety switchgear, so that classic, mechanical safety switches can also be connected. Thanks to the M12 connection, these components can be easily integrated into an existing electronic SRF safety chain.
In principle, any SRF chain can be evaluated by safety controllers or safety modules that can process OSSD signals. The diagnostic modules are not necessary for operating the SRF chain, but are only used when the status information is required. BERNSTEIN AG offers safety modules which have already integrated the conversion of the DCD data into a standardized protocol especially for safety systems with a small scope.
In this sense, the SCR DI product range consists of a combination of safety relay and diagnostic module and combines the full range of functions of a classic emergency stop or guard door monitor with that of an SRF Di diagnostic device, namely the transmission of the DCD data via IO-Link, NFC and USB.
The SCR P was developed to offer the customer a little more functionality and, above all, more communication options. At its core, this is a programmable safety module which, in addition to the usual safety functions, also offers the possibility of configuring and reading SRF chains using a graphical interface. In addition, the SCR P provides the transfer of DCD data to several Ethernet-based protocols.
The SCR P has ten configurable input terminals that allow the realization of single and dual channel inputs with and without cross-wire short detection. The mode of operation of the inputs is programmed on the computer with a graphical interface by drag and drop and transferred to the safety module via a USB connection. This module provides two three-channel safety relay outputs for switching off dangerous machine movements. The software includes the usual safety functions such as emergency stop, interlocking device, light grid monitoring, two-hand control, etc. In particular, it is possible to configure two independent SRF chains and read in their DCD data. This data can then be separated and passed on directly via an Ethernet connection. The SCR P currently supports the Profinet, Ethernet/IP and Modbus protocols.
This is why the SMART Safety System is the ideal tool for a wide range of safety tasks of varying complexity.