Interlocking Devices: The Good, The Bad and the Ugly

Note: A shorter version of this article was published in the May 2012 edition of Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Each of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are several important aspects to the design of movable guards. This article will focus on the selection of interlocking devices used with movable guards.

The Hierarchy of Controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

(⬅️ Figure 1 shows the Hierarchy of controls as it was used in North America for many years. There is a newer, more comprehensive version available. See CSA Z432, ANSI B11.0 or ISO 12100 – DN 2022-08-26)

The hierarchy of controls describes the levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into several different sub-groups. Only movable guards are required to have interlocks. Several similar types of guards can be mistaken for movable guards, so let’s take a minute to look at a few important definitions.

International [1]	Canadian [2]	USA [10]
3.27 guard physical barrier, designed as part of the machine to provide protection. NOTE 1 A guard may act either alone, in which case it is only effective when closed (for a movable guard) or securely held in place (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard. NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard. NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.	Guard a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc.	3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as "barrier guard."
3.27.4 interlocking guard guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions covered by the guard cannot operate until the guard is closed, if the guard is opened while hazardous machine functions are operating, a stop command is given, and when the guard is closed, the hazardous machine functions covered by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions) NOTE ISO 14119 gives detailed provisions.	Interlocked barrier guard a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area.	3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.
3.27.2 movable guard guard which can be opened without the use of tools	Movable guard a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered.	3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices: Type A, which encloses the hazard area during the complete machine cycle; Type B, which encloses the hazard area during the hazardous portion of the machine cycle.
3.28.1 interlocking device (interlock) mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)	Interlocking device (interlock) a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed).	No definition
3.27.5 interlocking guard with guard locking guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions covered by the guard cannot operate until the guard is closed and locked, the guard remains closed and locked until the risk due to the hazardous machine functions covered by the guard has disappeared, and when the guard is closed and locked, the hazardous machine functions covered by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions) NOTE ISO 14119 gives detailed provisions.	Guard locking device a device that is designed to hold the guard closed and locked until the hazard has ceased.	No definition

As you can see from the definitions, movable guards can be opened without using tools and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate guard style for a given application.

Though much emphasis is placed on correctly selecting these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical vs. Mechanical Interlocks

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system. It is possible to interlock the power to the prime movers using exclusively mechanical means. This does not affect the portion of the hierarchy involved but may affect the functional safety analysis.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2 ], shows one example of a mechanical interlock. In this case, the guard cannot be opened when CAM 2 is rotated into the position shown in figure a). Once the hazardous condition behind the guard is effectively controlled, CAM 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block the operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

In this example, fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime-mover, which could be a cylinder, a motor or some other device when the guard is closed (position ‘a’). There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position ‘b’), the two valve spools shift to the second position, the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will be driven by the gate into a position that will still block the pressure supply and vent the trapped energy in the circuit.

Electrical Interlocks

By far, the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation, flexibility in the selection of interlocking devices, and complexity from simple to extremely complex. The architectural categories cover any mechanical, fluidic, or electrical technology, so let’s look at architecture first.

Architecture Categories

The system architectures are explored in my series Interlock Architectures.

Historical categories from North America

The following description of the system architectures in the ANSI and CSA standards is no longer used, replaced by the ISO 13849 definitions in 2016.

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability:

• simple,
• single channel,
• single-channel monitored and
• control reliable.

In the U.S., the categories are very similar, with some differences in the definition of “control reliable” (see RIA R15.06, 1999).

Europe and International categories

In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849-1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not align with the PLs in [4] but are similar. IEC 62061 is derived from IEC 61508 [6], a well-respected control reliability standard in many industries. [5] is limited to use with electrical/electronic/programmable electronic systems, excluding fluidic (i.e., hydraulic or pneumatic) elements up to the latest edition published in 2021 [16].

The orange arrow in Figure 5 highlights the difference in the definitions. The CSA standards produce a more reliable system than the ANSI/RIA definition because the CSA definition requires TWO (2) separate physical switches installed on the guard to meet the requirement. In contrast, the ANSI/RIA definition only requires redundant circuits but makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA Control Reliability category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PLs or SILs and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems must have testing (diagnostics) built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination.

Most machinery has an electrical/electronic control system, the most common way machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be as simple as a micro-switch or a reed switch or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article represent some of the types and manufacturers available. I do not endorse any particular make or type of device. Many manufacturers have unique models that can fit any application, and most have similar devices.

Photo 1 shows a safety-rated, direct-drive roller cam switch providing half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

Photo 2 shows a typical roller-cam ‘microswitch’ used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a ‘fixed guard’ as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards require interlocks on fixed guards due to the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger. They can be used in some system architectures with suitable diagnostics for PL = a, b or c.

Requirements for interlocking devices are published in several standards, but the key ones for industrial machinery are ISO 14119 [7], [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements. In some cases, the testing requirements that devices intended for safety applications must meet before they can be classified as safety components.

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot achieve functional safety above that possible using ISO 13849-1 Category 1 or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Categories 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s single-channel-monitored and control-reliable categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Safety distance

Safety distance is measured between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant,’ called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening.

North American calculation

The calculation used in North America is:

D_s=\left(K \times T \right)_D_{pf}

Where

D_s is the minimum safety distance required between the safeguarding device and the hazard

K is the speed constant in inches/second

T_s is the stopping time of the machine, including the response time of the control system

What about Dpf?

Note that I have not included the ‘Penetration Factor,’ Dpf in this calculation. This factor is used to take into account the object detection or exclusion capability of a safeguarding device. It is used with movable guards and presence-sensing safeguarding devices like light curtains, fences, mats, two-hand controls, etc.

International calculation

The international calculation [9, Eq. 2] is similar to the North American calculation, but the variables are denoted differently.

S=\left(K \times \left(t_1+t_2 \right) \right)+C

Where

S is the minimum distance in millimetres required between the safeguarding device and the hazard

K is a parameter in millimetres/second, derived from data on approach speeds of the human body or parts of the body

t₁ is the maximum time in seconds between the actuation of the safeguarding device and the output of the device achieving the OFF state

t₂ is the maximum stopping time in seconds required to terminate the hazardous machine functions after the output signal from the safeguard achieves the OFF state. The response time of the control system is included in t₂. For more, see Understanding safety functions: Response time.

C is the intrusion distance in millimetres determined by the object resolution of the device or the minimum distance based on the opening size [12].

Speed constants

North America

The speed constant, K, is derived from data based on the approach speeds of the human body or parts of the body. In older North American standards, K is usually taken as 63 inches/second.

Using the [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1 D_s = 63 in/s x 0.250 s = 15.75 inches

International and EU

In the international standards and EN standards derived from them, there are two values used for K, 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/second for approaches at 45 ° or less [9].

If the calculated value of S is greater than 500 mm when calculated using K = 2 000, then [9] permits the calculation to be repeated using K = 1 600 instead.

If S is calculated to be greater than or equal to 500 mm, the [9] allows the calculation to be repeated using 1 600 mm/s.

Example 2 K = 2 000 mm/s x 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value since 500 mm is approximately 20 inches, as compared with the 15.75 inches calculated using the North American approach.

Movable guards

The ability of a movable guard to exclude a person from the danger zone starts with the construction of the guard. If the panel is made from mesh, then the opening size of the mesh brings a minimum safety distance requirement. For example, a 50 mm square mesh (e) requires a safety distance (s_r) of at least 850 mm behind the guard to the hazard [12, Table 4].

If the mesh is dropped to 20 mm square, the safety distance is reduced to 120 mm.

The same principle applies to movable guards where a gap opens between the frame around the opening and the guard’s edge before the interlock is activated. The narrow dimension of the opening is measured at the trip point for the interlock, and that dimension is looked up in [12, Table 4].

Consider the amount the guard can be opened before activating the interlock. This will depend on many factors, but consider a hinged gate on an access point for simplicity. If the guard uses two hinge-pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the opening of the guard. To determine the opening size, you would slowly open the gate just to the point where the interlock is tripped and then measure the width of the opening. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determine how far the guard must be from the hazards behind it.

As shown below, the value of s_r for the opening is used for D_pf in the Eq. 1 calculation.

Example 3 D_s = (2 000 mm/s x 0.250 s) + 850 mm = 1 350 mm

Since D_s > 500 mm, we can recalculate using the slower value of K, 1 600 mm/s,

Example 4 D_s = (1 600 mm/s x 0.250 s) + 850 mm = 1 250 mm

If that distance exceeds what is available, you could remove one hinge-pin switch and replace it with another type mounted on the post opposite the hinges. This could be a keyed interlock like Photo 3 or a non-contact device like Photo 5. This would reduce the opening width at the detection point and the safety distance behind the guard. But what if that is still not good enough? For that, we have guard locking.

Guard locking

Interlocking devices are often used in conjunction with guard locking devices. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. Sometimes, the guard may be locked closed to protect the process rather than the operator or for other reasons.

If you have to install the guard closer to the hazard than the minimum safety distance, locking the guard closed and monitoring the stand-still of the machine allows you to ignore the safety distance requirement because the guard cannot be opened until the machinery is at a standstill, or in a safe state.

Guard locking devices can be mechanical, electromagnetic, or any other type that prevents the guard from opening. The guard locking device is only released when the machine has been made safe.

Many types of safety-rated stand-still monitoring devices are available now, and many variable-frequency drives and servo drive systems are available with safety-rated stand-still monitoring.

Presence-sensing safeguarding devices

Presence-sensing safeguarding devices like light curtains have a D_pf value specified by the manufacturer. If no value is given in the installation instructions, the CSA and ANSI standards provide a graph and a calculation that can be used.

For example, a light curtain with a 14 mm object resolution requires a Dpf as calculated using Eq. 2.

Eq. 2 D_pf = 3.4 × (O_s – 6.875 mm)

D_pf = 3.4 × (14 – 6.875 mm) = 24.225 mm

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the application’s temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration exposures. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, damp, corrosive environment will also lead to premature failure.

Interlock device manufacturers have a variety of non-contact interlocking devices available today that use coded RF signals or RF ID technologies to ensure that the interlock cannot be defeated by simple measures, like taping a magnet to a reed switch. The Jokab EDEN system is one example of a system like this that also exhibits IP65 level resistance to moisture and dust. Note that systems like this include a safety monitoring device, and the system can meet Control Reliable or Category 3 / 4 architectural requirements when a simple interlock switch could not.

The device standards provide some guidance in making these selections, but it’s pretty general.

Fault Exclusion

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes with an exceedingly low probability of occurring during the product’s lifetime can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the International and EU standards can use fault exclusion, but be aware that significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable tie, a scrap of metal or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-operated switch, like the Schmersal AZ15, installed with a cover to further guard against defeat. The key, sometimes called a ‘tongue,’ used with the switch prevents defeat using a flat piece of metal or a knife blade. The cover prevents direct access to the interlocking device itself. Using tamper-resistant hardware will further reduce the likelihood of someone removing the key and inserting it into the switch, bypassing the guard.

The International and EU standards do not require the devices are inherently defeat resistant, which means that you can use safety-rated limit switches with roller-cam actuators, for example. However, as a designer, you must consider all reasonably foreseeable failure modes, including intentional defeat. If the interlocking devices are easily accessible, you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Photo 6 shows one type of tamper-resistant fasteners by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed key ways by Bryce Fastener [14]. Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Using fasteners like these will result in the highest level of security in a threaded fastener. There are many different designs available from various manufacturers.

A knowledgeable person can bypass almost any interlocking device using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by normal users.

How to select the right device

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry? Is it wet (i.e., with cutting fluid, oil, water, etc.)? Is it abrasive (dusty, sandy, chips, etc.)? Is it indoors or outdoors and subject to wide temperature variations?

Does a product standard exist defining the type of interlock you are designing? An example is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of suitable devices based on the standard’s requirements.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance? What about device monitoring or annunciation?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits the answers to the previous questions.

The next stage is integrating the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of a series of articles!

---

References

[1] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100, Edition 1, 2010.

[2] Safeguarding of Machinery, CSA Z432, 2004 (R2009).

[3] Industrial Robots and Robot Systems — General Safety Requirements, CSA Z434, 2003 (R2008).

[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1, 2006.

[5] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC 62061, Ed. 1, 2005.

[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC 61508-X.

[7] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO 14119, 1998.

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI B11, 2008.

[9] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855, 2010.

[10] American National Standard for Machine Tools — Performance Criteria for Safeguarding, ANSI B11.19, 2003.

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120. 2002.

[12] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857. 2008.

[13] Inner-Tite Corp. home page. (2012). Available:?http://www.inner-tite.com/

[14] Bryce Fastener, Inc. home page. (2012). Available:?http://www.brycefastener.com/

[15] Tamperproof Screw Co., Inc., home page. (2013). Available: http://www.tamperproof.com

[16] Safety of machinery — Functional safety of safety-related control systems, IEC 62061. International Electrotechnical Commission (IEC). 2021.

[17] Safeguarding of machinery, CSA Z432. 2016.

© 2012 – 2022, Compliance inSight Consulting Inc.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.