Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 2 in the series Guards and Guarding

Note: A shorter version of this article was published in the May-2012 edition of  Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The Hierarchy of Controls

The Hierarchy of Controls as an inverted pyrimid.
Figure 1 – The Hierarchy of Controls

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more  information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted, or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into a number of different sub-groups. Only movable guards are required to have interlocks. There are a number of similar types of guards that can be mistaken for movable guards, so let’s take a minute to look at a few important definitions.

Table 1 – Definitions

International [1] Canadian [2] USA [10]
3.27 guard physical barrier, designed as part of the machine to provide protection.NOTE 1 A guard may act either alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or  in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard.NOTE 2Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard.NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements. Guard — a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc. 3.22 guard: A barrier that prevents exposure to an identified hazard.E3.22 Sometimes referred to as barrier guard.”
3.27.4 interlocking guard guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed:

  • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed,
  • if the guard is opened while hazardous machine functions are operating, a stop command is given, and
  • when the guard is closed, the hazardous machine functions “covered” by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions)

NOTE ISO 14119 gives detailed provisions.

Interlocked barrier guard — a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area. 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.
3.27.2 movable guard
guard which can be opened without the use of tools
Movable guard — a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered. 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated.E3.37 There are two types of movable barrier devices:

  • Type A, which encloses the hazard area during the complete machine cycle;
  • Type B, which encloses the hazard area during the hazardous portion of the machine cycle.
3.28.1 interlocking device (interlock)mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed) Interlocking device (interlock) — a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed). No definition
3.27.5 interlocking guard with guard locking guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:

  • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed and locked,
  • the guard remains closed and locked until the risk due to the hazardous machine functions “covered” by the guard has disappeared, and
  • when the guard is closed and locked, the hazardous machine functions “covered” by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions)

NOTE ISO 14119 gives detailed provisions.

Guard locking device — a device that is designed to hold the guard closed and locked until the hazard has ceased. No definition

As you can see from the definitions, movable guards can be opened without the use of tools, and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate style of guard for a given application.

5% Discount on ISO and IEC Standards with code: CC2012

Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical vs. Mechanical Interlocks

Mechanical Interlocking
Figure 2 – Mechanical Interlocking

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2 ], shows one example of a mechanical interlock.  In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

Mechanical Interlocking using control devices
Figure 3 – Mechanical Interlocking using machine control devices

Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

Hydraulic interlock from ISO 14119
Figure 4 – Example of a fluid power interlock

In this example, fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime-mover, which could be a cylinder, or a motor or some other device when the guard is closed (position ‘a’). There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position ‘b’), the two valve spools shift to the second position, the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will be driven by the gate into a position that will still block the pressure supply and vent the trapped energy in the circuit.

5% Discount on ISO and IEC Standards with code: CC2012

Electrical Interlocks

By far the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation, flexibility in selection of interlocking devices, and complexity from simple to extremely complex. The architectural categories cover any technology, whether it is mechanical, fluidic, or electrical, so let’s have a look at architectures first.

Architecture Categories

Comparing ANSI, CSA, and ISO Control Reliability Categories
Figure 5 – Control Reliability Categories

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single-channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable (see RIA R15.06, 1999). In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849-1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the PLs in [4], but they are similar. [5] is based on IEC 61508 [6], a well-respected control reliability standard used in the process industries. [5] is not well suited to applications involving hydraulic or pneumatic elements.

The orange arrow in Figure 5 highlights the fact that the definition in the CSA standards results in a more reliable system than the ANSI/RIA definition because the CSA definition requires TWO (2) separate physical switches on the guard to meet the requirement, while the ANSI/RIA definition only requires redundant circuits, but makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA Control reliability category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PL’s or SIL’s and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination of these.

Roller cam switch used as part of a complementary interlock
Photo 1 – Roller Cam Switch

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article are representative of some of the types and manufacturers available, but should not be taken as an endorsement of any particular make or type of device. There are lots of manufacturers and unique models that can fit any given application, and most manufacturers have similar devices available.

Photo 1 shows a safety-rated, direct-drive roller cam switch used as half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

Micro-Switch used for interlocking
Photo 2 – Micro-Switch used for interlocking

Photo 2 shows a ‘microswitch’ used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a ‘fixed guard’ as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards do require interlocks on fixed guards due to the nature of the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger in my experience.

Requirements for interlocking devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7], [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.
Download standards

Typical plastic-bodied interlocking device
Photo 3 – Schmersal AZ15 plastic interlock switch

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Guard Locking

Interlocking devices are often used in conjunction with  guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

Interlock Device with Guard Locking
Photo 4 – Interlocking Device with Guard Locking

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant’, called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s. Internationally and in the EU, there are two speeds, 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/second for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of Ds is greater than 500 mm when calculated using K = 2 000, then [9] permits the calculation to be done using K = 1 600 instead.

Using the stopping time of the machinery and K, the minimum safety distance can be calculated.

Eq. 1              Ds = K x Ts

Using Equation 1 [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1             Ds = 63 in/s x 0.250 s = 15.75 inches

Example 2             Ds = 2000 mm/s x 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value, since 500 mm is approximately 20 inches.

Note that I have not included the ‘Penetration Factor’, Dpf in this calculation. This factor is used with presence sensing safeguarding devices like light curtains, fences, mats, two-hand controls, etc. This factor is not applicable to movable, interlocked guards.

Also important to consider is the amount the guard can be opened before activating the interlock. This will depend on many factors, but for simplicity, consider a hinged gate on an access point. If the guard uses two hinge-pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the opening of the guard. In order to determine the opening size, you would slowly open the gate just to the point where the interlock is tripped, and then measure the width of the opening. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determine how far the guard must be from the hazards behind it. If that distance is greater than what is available, you could remove one hinge-pin switch, and replace it with another type mounted on the post opposite the hinges. This could be a keyed interlock like Photo 3, or a non-contact device like Photo 5. This would reduce the opening width at the point of detection, and thereby reduce the safety distance behind the guard. But what if that is still not good enough?

If you have to install the guard closer to the hazard than the minimum safety distance, locking the guard closed and monitoring the stand-still of the machine allows you to ignore the safety distance requirement because the guard cannot be opened until the machinery is at a standstill, or in a safe state.

Guard locking devices can be mechanical, electromagnetic, or any other type that prevents the guard from opening. The guard locking device is only released when the machine has been made safe.

There are many types of safety-rated stand-still monitoring devices available now, and many variable-frequency drives and servo drive systems are available with safety-rated stand-still monitoring.

Environment, failure modes and fault exclusion

Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration exposures in the application. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, damp, corrosive environment will also lead to premature failure.

Example of a non-contact interlocking device
Photo 5 – JOKAB EDEN Interlock System

Interlock device manufacturers have a variety of non-contact interlocking devices available today that use coded RF signals or RF ID technologies to ensure that the interlock cannot be defeated by simple measures, like taping a magnet to a reed switch. The Jokab EDEN system is one example of a system like this that also exhibits IP65 level resistance to moisture and dust. Note that systems like this include a safety monitoring device and the system as a whole can meet Control Reliable or Category 3 / 4 architectural requirements when a simple interlock switch could not.

The device standards do provide some guidance in making these selections, but it’s pretty general.

Fault Exclusion

Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the International and EU standards can use fault exclusion, but be aware that significant documentation supporting the exclusion of each fault is needed.

Defeat resistance

Diagram showing one method of preventing interlock defeat.
Figure 6 – Preventing Defeat

The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-operated switch, like the Schmersal AZ15, installed with a cover that is intended to further guard against defeat. The key, sometimes called a ‘tongue’, used with the switch prevents defeat using a flat piece of metal or a knife blade. The cover prevents direct access to the interlocking device itself. Use of tamper-resistant hardware will further reduce the likelihood that someone can remove the key and insert it into the switch, bypassing the guard.

Inner-Tite tamper resistance fasteners
Photo 6 – Tamper-resistant fasteners

5% Discount on ISO and IEC Standards with code: CC2012

The International and EU standards do not require the devices to be inherently defeat resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.

Photo 6 shows one type of tamper resistant fasteners made by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed key ways made by Bryce Fastener [14], and Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Using fasteners like these will result in the highest level of security in a threaded fastener. There are many different designs available from a wide variety of manufacturers.

Bryce Key-Rex tamper-resistant fasteners
Photo 7 – Keyed Tamper-Resistant Fasteners
Tamper proof screws made by the Tamperproof Screw Company
Photo 8 – Tamper proof screws

Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.

How to select the right device

When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry? Is it wet (i.e., with cutting fluid, oil, water, etc.)? Is it abrasive (dusty, sandy, chips, etc.)? Is it indoors or outdoors and subject to wide temperature variations?

Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1 [4] for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.

Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance? What about device monitoring or annunciation?

Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.

The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject for a series of articles!

References

5% Discount on ISO and IEC Standards with code: CC2012

[1] Safety of machinery – General principles for design – Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010

[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)

Buy CSA Standards

[3] Industrial Robots and Robot Systems – General Safety Requirements, CSA Standard Z434, 2003 (R2008)

[4] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006

[5] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005

[6] Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X

[7] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO Standard 14119, 1998

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11, 2008
Download ANSI standards

[9] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855, 2010

[10] American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120. 2002

[12] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857. 2008.

[13] Inner-Tite Corp. home page. (2012). Available: http://www.inner-tite.com/

[14] Bryce Fastener, Inc. home page. (2012). Available: http://www.brycefastener.com/

[15] Tamperproof Screw Co., Inc., home page. (2013). Available: http://www.tamperproof.com

Five things most machine builders do incorrectly

Five things that most machine builders fail to do. With a Sixth Bonus failure!

The Top Five errors I see machine builders make on a depressingly regular basis:

1) Poor or Absent Risk Assessment

Risk assessments are fundamental to safe machine design and liability limitation, and are required by law in the EU. They are a included in all of the modern North American machinery safety standards as well.

Machine builders frequently have trouble with the risk assessment process, usually because they fail to understand the process or because they fail to devote enough resources to getting it done.

If risk assessment is built into your design process, it becomes the norm for how you do business. Time and resources will automatically be devoted to the process, and since it’s part of how you do things it will become relatively painless. Where people go wrong is in making it a ‘big deal’ one-time event. Also getting it done early in the design process and iterated as the design progresses means that you have time to react to the findings, and you can complete any necessary changes at more cost-effective points in the design and build process. The worst time to do risk assessment is at the point where the machine is on the shop floor ready to start production. Costs for modification are then exponentially higher than during design and construction.

Poorly done, risk assessments become a liability defense lawyer’s worst nightmare and a plaintiff’s lawyer’s dream. Shortchanging the risk assessment process ensures that you will lose, either now or later.

Fight this problem by: learning how to conduct a risk assessment, using quality risk assessment software tools, and building risk assessment into your standard design process/practice in your organization.

2) Failure to be Aware of Regulations & Use Design Standards

This one is a mystery to me.

Every market has product safety legislation, supported by regulations. Granted, the scope and quality of these regulations varies widely, but if you want to sell a product in a market, it doesn’t take a lot of effort to find out what regulations may apply.

Design standards have been in existence for a long time. Most purchase orders, at least for custom machinery, contain lists of standards that the equipment is required to meet at Factory Acceptance Testing (FAT).

Why machine builders fail to grasp that using these standards can actually give them a competitive edge, as well as helping them to meet regulatory requirements, I don’t know. If you do, please either comment on this story or send me an email. I’d love to hear your thoughts on this!

Fight this problem by: Doing some research. Understand the market environment in which you sell your products. If you aren’t sure how to do this, use a consultant to assist you. Buy the standards, especially if your client calls them out in their specifications. Read and apply them to your designs.

One great resource for information on regulatory environments and standards applications is the IEEE Product Safety Engineering Society and the EMC-PSTC Listserv that they maintain.

3) Fixed Guard Design

Fixed guarding design is driven by at least two factors, a) preventing people from accessing hazards, and b) allowing raw materials and products into and out of the machinery.

Designers frequently go wrong by selecting a fixed guard where a movable guard is necessary to permit frequent access (say more than once per shift). This is sometimes done in an effort to avoid having to add interlocks to the control systems. Frequently the guard will be removed and replaced a couple of times, and then the screws will be left off, and eventually the guard itself will be left off, leaving the user with an unguarded hazard.

The other common fault with fixed guards relates to the second factor I mentioned – getting raw materials and products in an out of the machine. There are limits on the size of openings that can be left in guards, dependent on the distance from the opening to the hazards behind the guard and the size of the opening itself. Often the only factor considered is the size of the item that needs to enter or exit the machinery.

Both of these faults often occur because the guarding is not designed, but is allowed to happen during machine build. The size and shape of the guards is then often driven by convenience in fabrication rather than by thoughtful design and application of the minimum code requirements.

Fight this problem by: Designing the guards on your product rather than allowing them to happen, based on the outcome of the risk assessment and the limits defined in the standards. Tables for guard openings and safety distances are available in North American, EU and International standards.

4) Movable Guard Interlocking

Movable guards themselves are usually reasonably well done. Note that I am not talking about self adjusting guards like those found on a table saw for instance. I am talking about guard doors, gates, and covers.

The problem usually comes with the design of the interlock that is required to go with the movable guard. The first part of the problem goes back to my #1 mistake: Risk Assessment. No risk assessment means that you cannot reasonably hope to get the reliability requirements right for the interlocking system. Next, there are small but significant differences in how the Canadian, US, EU and International standards handle control reliability, and the biggest differences occur in the higher reliability classifications.

In the USA, the standards speak of control reliable circuits (see ANSI RIA R15.06-1999, 4.5.5). This requirement is written in such a way that a single interlocking device, installed with dual channel electrical circuits and suitably selected components will meet the requirements. No single ELECTRICAL component failure will lead to the loss of the safety function, but a single mechanical fault could.

In Canada, the machinery and robotics standards speak of control reliable systems (see CSA Z432, 8.2.5), not circuits as in the US standards. This requirement is written in such a way that TWO electromechanical interlocking devices are required, one in each electrical channel of the interlocking system. This permits the system to detect mechanical failures such as broken or missing keys, and if different types of interlocking devices are chosen, may also permit detection of efforts to bypass the interlock. Most single mechanical faults and electrical faults will be detected.

In the EU and Internationally, control reliability is much more highly developed. Here, the application of ISO 13849, IEC 62061 or IEC 61508 have taken control reliability to higher levels than anything seen to date in North America. Under these standards, the required Performance Level (PLr) or Safety Integrity Level (SIL) must be known. This is based on the outcome of, you guessed it, the Risk Assessment. No risk assessment, or a poor risk assessment, dooms the designer to likely failure. Significant skill is required to handle the analysis and design of safety related parts of control systems under these standards.

Fight this problem by: Getting the training you need to properly apply these standards and then using them in your designs.

5) Safety Distances

Safety distances crop up anywhere you don’t have a physical barrier keeping the user away from the hazard. Whether its an opening in a fixed guard, a movable guard like a guard door or gate, or a presence-sensing safeguarding device like a light curtain, safety distances have to be considered in the machine design. The easier it is for the user to come in contact with the hazard, the more safety distance matters.

Stopping performance of the machinery must be tested to validate the safety distances used. Failure to get the safety distance right means that your guards will give your users a false sense of security, and will expose them to injury. This will also expose your company to significant liability when someone gets hurt, because they will. Its only a matter of time.

Fight this problem by: Testing safeguarding devices.

6) Validation

OK, so this list should really be SIX things. Just consider this to be a bonus for reading this far!

Designs, and particularly safety critical designs, must be tested. Let me say it again:

Safety Critical Designs MUST Be Tested.

Whatever theory you are working under, whether it’s North American, European, International or something else, you cannot afford missing the validation step. Without validation you have no evidence that your system worked at all, let alone if it worked correctly.

Fight this problem by: TESTING YOUR DESIGNS.

A wise man once said: “If you think safety is expensive, try having an accident.” The gentleman was involved in investigating the crash of a Sikorsky S-92 helicopter off the coast of Newfoundland. 17 people died as a result of the failure of two titanium studs that held an oil filter onto the main gearbox, and the fact that the helicopter failed the ‘1/2-hour gearbox run-dry test’ that is required for all new helicopter designs. This was a clear case of failure in the risk assessment process complicated by failure in the test process.

Watch the CBC documentary “Cougar 491“. This is definitely worth the time. If you are located outside Canada, you will have a problem with this link. Unfortunately, CBC does not stream it’s video outside Canada. Sorry.

Emergency Stop – What’s so confusing about that?

This entry is part 1 of 11 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards

This entry is part 1 of 11 in the series Emergency Stop

I get a lot of calls and emails asking about emergency stops. This is one of those deceptively simple concepts that has managed to get very complicated over time. Not every machine needs or can benefit from an emergency stop. In some cases, it may lead to an unreasonable expectation of safety from the user, which can lead to injury if they don’t understand the hazards involved. Some product-specific standards mandate the requirement for emergency stop, such as CSA Z434-03, where robot controllers are required to provide emergency stop functionality and work cells integrating robots are also required to have emergency stop capability.

Defining Emergency Stop

Old, non-compliant, E-Stop Button
This OLD button is definitely non-compliant.

So what is an Emergency Stop, or e-stop, and when do you need to have one? Let’s look at a few definitions taken from CSA Z432-04:

Emergency situation — an immediately hazardous situation that needs to be ended or averted quickly in order to prevent injury or damage.

Emergency stop — a function that is intended to avert harm or to reduce existing hazards to persons, machinery, or work in progress.

Emergency stop button — a red mushroom-headed button that, when activated, will immediately start the emergency stop sequence.

and one more:

6.2.3.5.3 Complementary protective measures
Following the risk assessment, the measures in this clause either shall be applied to the machine or shall be dealt with in the information for use.

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Modern, non-compliant e-stop button.
This more modern button is non-compliant due to the RED background and spring-return button.

So, an e-stop is a system that is intended for use in Emergency conditions to try to limit or avert harm to someone or something. It isn’t a safeguard, but is considered to be a Complementary Protective Measure. In terms of the Hierarchy of Controls, emergency stop systems fall into the same level as Personal Protective Equipment like safety glasses, safety boots and hearing protection. So far so good.

Is an Emergency Stop Required?

Depending on the regulations and the standards you choose to read, machinery is may not be required to have an Emergency Stop. Quoting from CSA Z432-04:

6.2.5.2.1 Components and elements to achieve the emergency stop function
If, following a risk assessment, it is determined that in order to achieve adequate risk reduction under emergency circumstances a machine must be fitted with components and elements necessary to achieve an emergency stop function so that actual or impending emergency situations can be controlled, the following requirements shall apply:

a) The actuators shall be clearly identifiable, clearly visible, and readily accessible.

b) The hazardous process shall be stopped as quickly as possible without creating additional hazards.
If this is not possible or the risk cannot be adequately reduced, this may indicate that an emergency stop function may not be the best solution (i.e., other solutions should be sought). (Bolding added for emphasis – DN)

c) The emergency stop control shall trigger or permit the triggering of certain safeguard movements where necessary.

Later in CSA Z432-04 we find clause 7.17.1.2:

Each operator control station, including pendants, capable of initiating machine motion shall have a manually initiated emergency stop device.

To my knowledge, this is the only general level machinery standard that makes this requirement. Product family standards often make specific requirements, based on the opinion of the Technical Committee responsible for the standard and their knowledge of the specific type of machinery covered by their document.

Note: For more detailed provisions on the electrical design requirements, see NFPA 79 or IEC 60204-1.

Download NFPA standards through ANSI

This more modern button is still wrong due to the RED background.
This more modern button is non-compliant due to the RED background.

If you read Ontario’s Industrial Establishments regulation (Regulation 851), you will find that the only requirement for an emergency stop is that it is properly identified and located “within easy reach” of the operator. What does “properly identified” mean? In Canada, the USA and Internationally, a RED operator device on a YELLOW background, with or without any text behind it, is recognized as EMERGENCY STOP or EMERGENCY OFF, in the case of disconnecting switches or control switches. I’ve scattered some examples of different compliant and non-compliant e-stop devices through this article.

The EU Machinery Directive, 2006/42/EC, and Emergency Stop

Interestingly, the European Union has taken what looks like an opposing view of the need for emergency stop systems. Quoting from Annex I of the Machinery Directive:

1.2.4.3. Emergency stop
Machinery must be fitted with one or more emergency stop devices to enable actual or impending danger to be averted.

Notice the words “…actual or impending danger…” This harmonizes with the definition of Complementary Protective Measures, in that they are intended to allow a user to “avert or limit harm” from a hazard. Clearly, the direction from the European perspective is that ALL machines need to have an emergency stop. Or do they? The same clause goes on to say:

The following exceptions apply:

  • machinery in which an emergency stop device would not lessen the risk, either because it would not reduce the stopping time or because it would not enable the special measures required to deal with the risk to be taken,
  • portable hand-held and/or hand-guided machinery.

From these two bullets it becomes clear that, just as in the Canadian and US regulations, machines only need emergency stops WHEN THEY CAN REDUCE THE RISK. This is hugely important, and often overlooked. If the risks cannot be controlled effectively with an emergency stop, or if the risk would be increased or new risks would be introduced by the action of an e-stop system, then it should not be included in the design.

Carrying on with the same clause:

The device must:

  • have clearly identifiable, clearly visible and quickly accessible control devices,
  • stop the hazardous process as quickly as possible, without creating additional risks,
  • where necessary, trigger or permit the triggering of certain safeguard movements.

Once again, this is consistent with the general requirements found in the Canadian and US regulations. The directive goes on to define the functionality of the system in more detail:

Once active operation of the emergency stop device has ceased following a stop command, that command must be sustained by engagement of the emergency stop device until that engagement is specifically overridden; it must not be possible to engage the device without triggering a stop command; it must be possible to disengage the device only by an appropriate operation, and disengaging the device must not restart the machinery but only permit restarting.

The emergency stop function must be available and operational at all times, regardless of the operating mode.

Emergency stop devices must be a back-up to other safeguarding measures and not a substitute for them.

The first sentence of the first paragraph above is the one that requires e-stop devices to latch in the activated position. The last part of that sentence is even more important: “…disengaging the device must not restart the machinery but only permit restarting.” That phrase requires that every emergency stop system have a second discrete action to reset the emergency stop system. Pulling out the e-stop button and having power come back immediately is not OK. Once that button has been reset, a second action, such as pushing a “POWER ON” or “RESET” button to restore control power is needed. Point of Clarification: I had a question come from a reader asking if combining the e-stop function and the reset function was acceptable. It can be, but only if:

  • The risk assessment for the machinery does not indicate any hazards that might preclude this approach; and
  • The device is designed with the following characteristics:
  • The device must latch in the activated position;
  • The device must have a “neutral” position where the machine’s emergency stop system can be reset, or where the machine can be enabled to run;
  • The reset position must be distinct from the previous two positions, and the device must spring-return to the neutral position.

The second sentence harmonizes with the requirements of the Canadian and US standards.

Finally, the last sentence harmonizes with the idea of “Complementary Protective Measures” as described in CSA Z432.

How Many and Where?

Where? “Within easy reach”. Consider the locations where you EXPECT an operator to be. Besides the main control console, these could include feed hoppers, consumables feeders, finished goods exit points… you get the idea. Anywhere you can reasonably expect an operator to be under normal circumstances is a reasonable place to put an e-stop device. “Easy Reach” I interpret as within the arm-span of an adult (presuming the equipment is not intended for use by children). This translates to 500-600 mm either side of the center line of most work stations.

How do you know if you need an emergency stop? Start with a stop/start analysis. Identify all the normal starting and stopping modes that you anticipate on the equipment. Consider all of the different operating modes that you are providing, such as Automatic, Manual, Teach, Setting, etc. Identify all of the matching stop conditions in the same modes, and ensure that all start functions have a matching stop function.

Do a risk assessment. This is a basic requirement in most jurisdictions today.

As you determine your risk control measures (following the hierarchy of controls), look at what risks you might control with an Emergency Stop. Remember that e-stops fall below safeguards in the hierarchy, so you must use a safeguarding technique if possible, you can’t just default down to an emergency stop. IF the e-stop can provide you with the additional risk reduction then use it, but first reduce the risks in other ways.

The Stop Function and Control Reliability Requirements

Finally, once you determine the need for an emergency stop system, you need to consider the system’s functionality and controls architecture. NFPA 79 is the reference standard for Canada and the USA, and you can find very similar requirements in IEC 60204-1 if you are working in an international market. EN 60204-1 applies in the EU market for industrial machines.

Download NFPA standards through ANSI
Download IEC standards, International Electrotechnical Commission standards.

Functional Stop Categories

NFPA 79 calls out three basic categories of stop. Note that these are NOT reliability categories, but are functional categories. Reliability is not addressed in these sections. Quoting from the standard:

9.2.2 Stop Functions. The three categories of stop functions shall be as follows:

(1) Category 0 is an uncontrolled stop by immediately removing power to the machine actuators.

(2) Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

(3) Category 2 is a controlled stop with power left available to the machine actuators.

This E-Stop Button is correct.
This E-Stop button is CORRECT. Note the Push-Pull-Twist operator and the YELLOW background.

A bit later, the standards says:

9.2.5.3 Stop.
9.2.5.3.1 Each machine shall be equipped with a Category 0 stop.

9.2.5.3.2 Category 0, Category 1, and/or Category 2 stops shall be provided where indicated by an analysis of the risk assessment and the functional requirements of the machine. Category 0 and Category 1 stops shall be operational regardless of operating modes, and Category 0 shall take priority. Stop function shall operate by de-energizing that relevant circuit and shall override related start functions.

Note that 9.2.5.3.1 does NOT mean that every machine must have an e-stop. It simply says that every machine must have a way to stop the machine that is equivalent to “pulling the plug”. The main disconnect on the control panel can be used for this function if sized and rated appropriately. For cord connected equipment, the plug and socket used to provide power to the equipment can also serve this function. The question of HOW to effect the Category 0 stop depends on WHEN it will be used – i.e. is it being used for a safety related function? What risks must be reduced, or what hazards must be controlled by the stop function?

You’ll also note that that pesky “risk assessment” pops up again in 9.2.5.3.2. You just can’t get away from it…

Control Reliability

Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.
Disconnect with E-Stop Colours indicates that this device is intended to be used for EMERGENCY SWITCHING OFF.

Once you know what functional category of stop you need, and what degree of risk reduction you are expecting from the emergency stop system, you can determine the degree of reliability required. In Canada, CSA Z432 gives us these categories: SIMPLE, SINGLE CHANNEL, SINGLE CHANNEL MONITORED and CONTROL RELIABLE. These categories are being replaced slowly by Performance Levels (PL) as defined in ISO 13849-1 2007.

The short answer is that the greater the risk reduction required, the higher the degree of reliability required. In many cases, a SINGLE CHANNEL or SINGLE CHANNEL MONITORED solution may be acceptable, particularly when there are more reliable safeguards in place. On the other hand, you may require CONTROL RELIABLE designs if the e-stop is the primary risk reduction for some risks or specific tasks.

To add to the confusion, ISO 13849-1 appears to exclude complementary protective measures from its scope in Table 8 — Some International Standards applicable to typical machine safety functions and certain of their characteristics. At the very bottom of this table, Complementary Protective Measures are listed, but they appear to be excluded from the standard. I can say that there is nothing wrong with applying the techniques in ISO 13849-1 to the reliability analysis of a complementary protective measure that uses the control system, so do this if it makes sense in your application.

ISO 13849-1:2006 Table 8
ISO 13849-1:2006 Table 8

Extra points go to any reader who noticed that the ‘electrical hazard’ warning label immediately above the disconnect handle in the above photo is a) upside down, and b) using a non-standard lighting flash. Cheap hazard warning labels, like this one, are often as good as none at all. I’ll be writing more on hazard warnings in future posts.

Use of Emergency Stop as part of a Lockout Procedure or HECP.

One last note: Emergency stop systems (with the exception of emergency switching off devices, such as disconnect switches used for e-stop) CANNOT be used for energy isolation in a Hazardous Energy Control Procedure (a.k.a. Lockout). Devices for this purpose must physically separate the energy source from the down-stream components. See CSA Z460 for more on that subject.

Read our Article on Using E-Stops in HECP.

Pneumatic E-Stop Device
Pneumatic E-Stop/Isolation device.

Standards Referenced in this post:

CSA Z432-04, Safeguarding of Machinery

NFPA 79-07, Electrical Standard for Industrial Machinery
Download NFPA standards at ANSI

IEC 60204-1:09,  SAFETY OF MACHINERY – ELECTRICAL EQUIPMENT OF MACHINES – PART 1: GENERAL REQUIREMENTS

Download IEC standards, International Electrotechnical Commission standards.

ISO 13849-1-2006, Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design

See also

ISO 13850:06, SAFETY OF MACHINERY – EMERGENCY STOP – PRINCIPLES FOR DESIGN

Download IEC standards, International Electrotechnical Commission standards.
Download ISO Standards