Fault masking: Industrial machinery safety sensors may have inaccuracies
Employee safety is paramount for any company. Beyond health, safety also has practical business concerns, as injuries impact product quality, downtime, benefit claims and morale. Thankfully, industrial machinery is supplied with passive and active controls to ensure employee safety.
However, machinery safety systems themselves might be defective, and may permit the dangerous machinery to cycle despite hazards to personnel, a condition known as fault masking.
Altech Corp. helps customers avoid this risk entirely with its SMART Safety System technology that features redundant output signal switching device (OSSD) safety outputs.
What is fault masking?
Fault masking is a potentially unsafe condition in a machinery safety circuit. The safety circuit is typically a daisy chain of multiple electromechanical safety devices. Daisy chaining is a common practice for implementing safeguards, but it is important to understand its limitations and potential consequences. Under certain conditions a safety sensor can be overwritten (the fault masking condition), so the machine is unknowingly operated under unsafe conditions. Thus, the possibility exists that an electromechanical safety device fault is neither detected nor resolved.
In the engineering design process, the safety system needs to be developed with defined metric inputs, monitoring of potentially unsafe working conditions and a reduction in the probability of faults. Some possible fault masking examples are a contact weld on the second set of contacts of a door limit switch, wiring damage, or a faulted door that is closed while a different door is opened and then closed. By understanding these fault masking issues, the problems created by fault masking may be minimized in the final engineered design of the safety system.
The second major issue with identifying fault masking lies in older machinery and older safety design concepts. Older safety systems and complex systems with multiple safety switches may be prone to fault masking. Many companies believe that existing machinery is adequate for both production and safety requirements; this is a dangerous assumption. In older safety systems with electromechanical switches, for example, the switches may be monitored as a single unit by an integral dual-input safety limit switch in a daisy chain configuration. In addition, parts wear and cause failures, but these failures can be “masked” so that the system operates as if no failure had occurred.
Causes of fault masking
Some companies may choose to accept cheaper and inferior components despite the increasing frequency of component failures within the machinery safety circuit. Such a replacement part program, including repairs, and its effect on reliability can introduce fault masking safety issues in the industrial machinery. The engineered design may then not demonstrate the ability to identify faults and to meet fault tolerance requirements.
The safety system design or long-term maintenance program may not have sufficient management support and funding to prevent fault masking. A lack of management focus on machine reliability and safety can also contribute to fault masking existing in machinery. In the long run, this increases the cost of operating the safety system.
The engineering design function may not emphasize continuous improvement initiatives on current machinery, as it relates to safety reliability (i.e., resilient enough to continue operation). The improvement on the inherent reliability of elements of an electromechanical safety system needs direction and leadership from top management. This is typically a problem most companies face.
Resolution to fault masking
The implementation of safety limit switches that are powered with OSSD outputs is an effective method to eliminate some fault masking such as contact welds and shorts to power. A second method to reduce the risk of fault masking is to use a monitoring safety relay with individual safety inputs. Also, the maintenance staff should be trained on methods to identify and troubleshoot for fault masking.
Another approach to prevent fault masking is to increase functionality testing. The ability to test the functionality and parametric values of components is also limited by the fault tolerance in the engineered design of the safety system. The safety system may require additional test functionality designed into the system, which adds cost and more complexity to the machinery safety system.
Altech resolution to fault masking
The best resolution for preventing fault masking is Altech’s SMART Safety System, which features redundant OSSD safety outputs. The SMART Safety System uses two pulsed 24 V DC parallel signals inside the device. The non-tripped state carries the 24 V DC signal, while the tripped state drops to 0 V DC.
Safety sensor circuits in a daisy chain configuration
The Altech SMART Safety System uses sensors with OSSD outputs run in a cascading order. The first sensor checks its status and, if closed, sends a signal to the second sensor, which repeats this action and moves on to the third sensor, and so on down the line for up to 32 daisy chained sensors. A fault interruption can occur anywhere along the sequence of sensors, which prevents the last OSSD signal from reaching the safety relay, so the relay turns off machine power.
Altech’s Daisy Chain Diagnostics (DCD) system offers more than 20 different types of diagnostic information that can be monitored using an internal bus system that acquires the information at the end of the series cable. Once the data is there, it can be accessed by the machine’s control system via IO-Link technology. The data can be displayed for analysis on a standard USB port, PLC, or Android smartphone or tablet using near field communication (NFC) technology. The DCD can also be converted to be read by Profibus using a bridge. This diagnostic system operates completely independently of the safety system outputs.
Lastly, the nature of a fault tolerant design is to continue to operate normally even with a component failure. Thus, if the ability to detect a component failure relies on a loss of function or capability, it may be difficult to detect the failure. This sets the stage for a second component failure to cause the safety system to shut down the operation. By being able to detect individual component failures, the safety system permits the repair or replacement of faulty elements, restoring the system to full fault tolerance capability.
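To make the masking sequence concrete (the welded second contact of a door switch hidden when a different door is opened and closed, the second failure it sets the stage for, and the contrast with a chain of self-testing OSSD devices), here is an added Python model; it is not Altech's code, and the relay reset behaviour, the door switch fields and the OSSD test-pulse readback are simplified assumptions.

```python
# Added model, not Altech's code: fault masking in a daisy-chained dual-channel
# safety circuit beside a self-testing OSSD chain (relay reset behaviour assumed).

def chain_state(doors):
    """Series (AND) of every door's contacts per channel A and B. A welded
    contact keeps its channel closed even when the door is physically open."""
    a = all(d["closed"] or d["weld_a"] for d in doors)
    b = all(d["closed"] or d["weld_b"] for d in doors)
    return a, b
class SafetyRelay:
    """Two-channel relay: a discrepancy latches a fault; it clears only when
    both channels are later seen open together (simplified assumption)."""
    def __init__(self):
        self.fault = False
        self.run = False      # True = machine power permitted
    def evaluate(self, a, b):
        if a != b:
            self.fault = True
        elif not a and not b:
            self.fault = False    # both channels open: discrepancy treated as resolved
        self.run = a and b and not self.fault
        return self.run

def masking_scenario():
    """Door 1 has a welded contact on channel B; cycling a different, healthy
    door clears the relay fault and hides the weld. Returns (step, run, fault)."""
    doors = [{"closed": True, "weld_a": False, "weld_b": True},
             {"closed": True, "weld_a": False, "weld_b": False}]
    relay, log = SafetyRelay(), []
    def step(label):
        log.append((label, relay.evaluate(*chain_state(doors)), relay.fault))
    step("start")
    doors[0]["closed"] = False; step("door1 open")    # A opens, B stuck: fault latched
    doors[0]["closed"] = True;  step("door1 closed")  # still faulted, power stays off
    doors[1]["closed"] = False; step("door2 open")    # both channels open: fault cleared
    doors[1]["closed"] = True;  step("door2 closed")  # power back on, weld now masked
    doors[0]["weld_a"] = True                          # second failure on the same door
    doors[0]["closed"] = False; step("door1 open again")  # runs with door open: unsafe
    return log

def ossd_chain(devices):
    """OSSD version: each device pulses its 24 V output to 0 V and reads it back;
    a line stuck at 24 V (short to supply, weld) drops that device to 0 V for good."""
    signal, faulty = True, []
    for idx, dev in enumerate(devices, start=1):
        if dev["reads_24v_during_test_pulse"]:
            faulty.append(idx)
            signal = False
        signal = signal and dev["closed"]
    return signal, faulty
```

In the electromechanical model the final step runs the machine with door 1 open, while the OSSD model reports the faulty device's position and holds the chain at 0 V regardless of how the other doors are cycled.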
Fault masking can be a real challenge for manufacturers who take personnel safety seriously. Altech’s SMART Safety System identifies a fault by using its DCD system and reporting through the machine control system via IO-Link technology.