Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 7 in the series Guards and Guard­ing

Note: A shorter version of this article was published in the May-2012 edition of Manufacturing Automation Magazine.

When design­ing safe­guard­ing sys­tems for machines, one of the basic build­ing blocks is the mov­able guard. Mov­able guards can be doors, pan­els, gates or oth­er phys­i­cal bar­ri­ers that can be opened with­out using tools. Every one of these guards needs to be inter­locked with the machine con­trol sys­tem so that the haz­ards cov­ered by the guards will be effec­tive­ly con­trolled when the guard is opened.

There are a num­ber of impor­tant aspects to the design of mov­able guards. This arti­cle will focus on the selec­tion of inter­lock­ing devices that are used with mov­able guards.

The Hierarchy of Controls

The Hierarchy of Controls as an inverted pyramid.
Fig­ure 1 — The Hier­ar­chy of Con­trols

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hier­ar­chy of con­trols describes lev­els of con­trols that a machine design­er can use to con­trol the assessed risks. The hier­ar­chy is defined in [1]. Design­ers are required to apply every lev­el of the hier­ar­chy in order, start­ing at the top. Each lev­el is applied until the avail­able mea­sures are exhaust­ed, or can­not be applied with­out destroy­ing the pur­pose of the machine, allow­ing the design­er to move to the next low­er lev­el.

Engi­neer­ing con­trols are sub­di­vid­ed into a num­ber of dif­fer­ent sub-groups. Only mov­able guards are required to have inter­locks. There are a num­ber of sim­i­lar types of guards that can be mis­tak­en for mov­able guards, so let’s take a minute to look at a few impor­tant def­i­n­i­tions.

Table 1 — Def­i­n­i­tions

Sources compared: International [1], Canadian [2], USA [10]

Guard

  International [1]: 3.27 guard: physical barrier, designed as part of the machine to provide protection.
    NOTE 1 A guard may act either alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard.
    NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard.
    NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.

  Canadian [2]: Guard — a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc.

  USA [10]: 3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as barrier guard.

Interlocking guard

  International [1]: 3.27.4 interlocking guard: guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed,
    • if the guard is opened while hazardous machine functions are operating, a stop command is given, and
    • when the guard is closed, the hazardous machine functions “covered” by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.

  Canadian [2]: Interlocked barrier guard — a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area.

  USA [10]: 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.

Movable guard

  International [1]: 3.27.2 movable guard: guard which can be opened without the use of tools

  Canadian [2]: Movable guard — a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered.

  USA [10]: 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices:
    • Type A, which encloses the hazard area during the complete machine cycle;
    • Type B, which encloses the hazard area during the hazardous portion of the machine cycle.

Interlocking device

  International [1]: 3.28.1 interlocking device (interlock): mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)

  Canadian [2]: Interlocking device (interlock) — a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed).

  USA [10]: No definition

Interlocking guard with guard locking

  International [1]: 3.27.5 interlocking guard with guard locking: guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:
    • the hazardous machine functions “covered” by the guard cannot operate until the guard is closed and locked,
    • the guard remains closed and locked until the risk due to the hazardous machine functions “covered” by the guard has disappeared, and
    • when the guard is closed and locked, the hazardous machine functions “covered” by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions)
    NOTE ISO 14119 gives detailed provisions.

  Canadian [2]: Guard locking device — a device that is designed to hold the guard closed and locked until the hazard has ceased.

  USA [10]: No definition

As you can see from the def­i­n­i­tions, mov­able guards can be opened with­out the use of tools, and are gen­er­al­ly fixed to the machine along one edge. Mov­able guards are always asso­ci­at­ed with an inter­lock­ing device. Guard selec­tion is cov­ered very well in ISO 14120 [11]. This stan­dard con­tains a flow­chart that is invalu­able for select­ing the appro­pri­ate style of guard for a giv­en appli­ca­tion.


Though much empha­sis is placed on the cor­rect selec­tion of these inter­lock­ing devices, they rep­re­sent a very small por­tion of the hier­ar­chy. It is their wide­spread use that makes them so impor­tant when it comes to safe­ty sys­tem design.

Electrical vs. Mechanical Interlocks

Mechanical Interlocking
Fig­ure 2 — Mechan­i­cal Inter­lock­ing

Most mod­ern machines use elec­tri­cal inter­locks because the machine is fit­ted with an elec­tri­cal con­trol sys­tem, but it is entire­ly pos­si­ble to inter­lock the pow­er to the prime movers using mechan­i­cal means. This doesn’t affect the por­tion of the hier­ar­chy involved, but it may affect the con­trol reli­a­bil­i­ty analy­sis that you need to do.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2], shows one example of a mechanical interlock. In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrange­ments that use the open guard to phys­i­cal­ly block oper­a­tion of the con­trols can also be used in this way. See Fig­ure 3 [7, Fig. C.1, C.2].

Mechanical Interlocking using control devices
Fig­ure 3 — Mechan­i­cal Inter­lock­ing using machine con­trol devices

Fluid Power Interlocks

Fig­ure 4, from [7, Fig. K.2], shows an exam­ple of two flu­id-pow­er valves used in com­ple­men­tary mode on a sin­gle slid­ing gate.

Hydraulic interlock from ISO 14119
Fig­ure 4 — Exam­ple of a flu­id pow­er inter­lock

In this exam­ple, flu­id can flow from the pres­sure sup­ply (the cir­cle with the dot in it at the bot­tom of the dia­gram) through the two valves to the prime-mover, which could be a cylin­der, or a motor or some oth­er device when the guard is closed (posi­tion ‘a’). There could be an addi­tion­al con­trol valve fol­low­ing the inter­lock that would pro­vide the nor­mal con­trol mode for the device.

When the guard is opened (posi­tion ‘b’), the two valve spools shift to the sec­ond posi­tion, the low­er valve blocks the pres­sure sup­ply, and the upper valve vents the pres­sure in the cir­cuit, help­ing to pre­vent unex­pect­ed motion from trapped ener­gy.

If the spring in the upper valve fails, the low­er spool will be dri­ven by the gate into a posi­tion that will still block the pres­sure sup­ply and vent the trapped ener­gy in the cir­cuit.


Electrical Interlocks

By far the major­i­ty of inter­locks used on machin­ery are elec­tri­cal. Elec­tri­cal inter­locks offer ease of instal­la­tion, flex­i­bil­i­ty in selec­tion of inter­lock­ing devices, and com­plex­i­ty from sim­ple to extreme­ly com­plex. The archi­tec­tur­al cat­e­gories cov­er any tech­nol­o­gy, whether it is mechan­i­cal, flu­idic, or elec­tri­cal, so let’s have a look at archi­tec­tures first.

Architecture Categories

Comparing ANSI, CSA, and ISO Control Reliability Categories
Fig­ure 5 — Con­trol Reli­a­bil­i­ty Cat­e­gories

In Cana­da, CSA Z432 [2] and CSA Z434 [3] pro­vide four cat­e­gories of con­trol reli­a­bil­i­ty: sim­ple, sin­gle chan­nel, sin­gle-chan­nel mon­i­tored and con­trol reli­able. In the U.S., the cat­e­gories are very sim­i­lar, with some dif­fer­ences in the def­i­n­i­tion for con­trol reli­able (see RIA R15.06, 1999). In the EU, there are five lev­els of con­trol reli­a­bil­i­ty, defined as Per­for­mance Lev­els (PL) giv­en in ISO 13849–1 [4]: PL a, b, c, d and e. Under­pin­ning these lev­els are five archi­tec­tur­al cat­e­gories: B, 1, 2, 3 and 4. Fig­ure 5 shows how these archi­tec­tures line up.

To add to the con­fu­sion, IEC 62061 [5] is anoth­er inter­na­tion­al con­trol reli­a­bil­i­ty stan­dard that could be used. This stan­dard defines reli­a­bil­i­ty in terms of Safe­ty Integri­ty Lev­els (SILs). These SILs do not line up exact­ly with the PLs in [4], but they are sim­i­lar. [5] is based on IEC 61508 [6], a well-respect­ed con­trol reli­a­bil­i­ty stan­dard used in the process indus­tries. [5] is not well suit­ed to appli­ca­tions involv­ing hydraulic or pneu­mat­ic ele­ments.

The orange arrow in Fig­ure 5 high­lights the fact that the def­i­n­i­tion in the CSA stan­dards results in a more reli­able sys­tem than the ANSI/RIA def­i­n­i­tion because the CSA def­i­n­i­tion requires TWO (2) sep­a­rate phys­i­cal switch­es on the guard to meet the require­ment, while the ANSI/RIA def­i­n­i­tion only requires redun­dant cir­cuits, but makes no require­ment for redun­dant devices. Note that the arrow rep­re­sent­ing the ANSI/RIA Con­trol reli­a­bil­i­ty cat­e­go­ry falls below the ISO Cat­e­go­ry 3 arrow due to this same detail in the def­i­n­i­tion.

Note that Figure 5 does not address the question of PLs or SILs and how they relate to each other. That is a topic for another article!

The North Amer­i­can archi­tec­tures deal pri­mar­i­ly with elec­tri­cal or flu­id-pow­er con­trols, while the EU sys­tem can accom­mo­date elec­tri­cal, flu­id-pow­er and mechan­i­cal sys­tems.

From the sin­gle-chan­nel-mon­i­tored or Cat­e­go­ry 2 lev­el up, the sys­tems are required to have test­ing built-in, enabling the detec­tion of fail­ures in the sys­tem. The lev­el of fault tol­er­ance increas­es as the cat­e­go­ry increas­es.

Interlocking devices

Inter­lock­ing devices are the com­po­nents that are used to cre­ate the inter­lock between the safe­guard­ing device and the machine’s pow­er and con­trol sys­tems. Inter­lock­ing sys­tems can be pure­ly mechan­i­cal, pure­ly elec­tri­cal or a com­bi­na­tion of these.

Roller cam switch used as part of a complementary interlock
Pho­to 1 — Roller Cam Switch

Most machin­ery has an electrical/electronic con­trol sys­tem, and these sys­tems are the most com­mon way that machine haz­ards are con­trolled. Switch­es and sen­sors con­nect­ed to these sys­tems are the most com­mon types of inter­lock­ing devices.

Inter­lock­ing devices can be some­thing as sim­ple as a micro-switch or a reed switch, or as com­plex as a non-con­tact sen­sor with an elec­tro­mag­net­ic lock­ing device.

Images of inter­lock­ing devices used in this arti­cle are rep­re­sen­ta­tive of some of the types and man­u­fac­tur­ers avail­able, but should not be tak­en as an endorse­ment of any par­tic­u­lar make or type of device. There are lots of man­u­fac­tur­ers and unique mod­els that can fit any giv­en appli­ca­tion, and most man­u­fac­tur­ers have sim­i­lar devices avail­able.

Pho­to 1 shows a safe­ty-rat­ed, direct-dri­ve roller cam switch used as half of a com­ple­men­tary switch arrange­ment on a gate inter­lock. The inte­gra­tor failed to cov­er the switch­es to pre­vent inten­tion­al defeat in this appli­ca­tion.

Micro-Switch used for interlocking
Pho­to 2 — Micro-Switch used for inter­lock­ing

Pho­to 2 shows a ‘microswitch’ used for inter­lock­ing a machine cov­er pan­el that is nor­mal­ly held in place with fas­ten­ers, and so is a ‘fixed guard’ as long as the fas­ten­ers require a tool to remove. Fixed guards do not require inter­locks under most cir­cum­stances. Some prod­uct fam­i­ly stan­dards do require inter­locks on fixed guards due to the nature of the haz­ards involved.

Microswitch­es are not safe­ty-rat­ed and are not rec­om­mend­ed for use in this appli­ca­tion. They are eas­i­ly defeat­ed and tend to fail to dan­ger in my expe­ri­ence.

Require­ments for inter­lock­ing devices are pub­lished in a num­ber of stan­dards, but the key ones for indus­tri­al machin­ery are ISO 14119 [7], [2], and ANSI B11.0 [8]. These stan­dards define the elec­tri­cal and mechan­i­cal require­ments, and in some cas­es the test­ing require­ments, that devices intend­ed for safe­ty appli­ca­tions must meet before they can be clas­si­fied as safe­ty com­po­nents.

Typical plastic-bodied interlocking device
Pho­to 3 — Schm­er­sal AZ15 plas­tic inter­lock switch

These devices are also inte­gral to the reli­a­bil­i­ty of the con­trol sys­tems into which they are inte­grat­ed. Inter­lock devices, on their own, can­not meet a reli­a­bil­i­ty rat­ing above ISO 13849–1 Cat­e­go­ry 1, or CSA Z432-04 Sin­gle Chan­nel. To under­stand this, con­sid­er that the def­i­n­i­tions for Cat­e­go­ry 2, 3 and 4 all require the abil­i­ty for the sys­tem to mon­i­tor and detect fail­ures, and in Cat­e­gories 3 & 4, to pre­vent the loss of the safe­ty func­tion. Sim­i­lar require­ments exist in CSA and ANSI’s “sin­gle-chan­nel-mon­i­tored,” and “con­trol-reli­able” cat­e­gories. Unless the inter­lock device has a mon­i­tor­ing sys­tem inte­grat­ed into the device, these cat­e­gories can­not be achieved.

Guard Locking

Interlocking devices are often used in conjunction with guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

Interlock Device with Guard Locking
Pho­to 4 — Inter­lock­ing Device with Guard Lock­ing

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant’, called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward while standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s. Internationally and in the EU, there are two speeds: 2000 mm/s, used for an approach perpendicular to the plane of the guard, and 1600 mm/s, used for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of the minimum safety distance, Ds, is greater than 500 mm when calculated using K = 2000 mm/s, then [9] permits the calculation to be done using K = 1600 mm/s instead.

Using the stopping time of the machinery, Ts, and K, the minimum safety distance, Ds, can be calculated.

Eq. 1: Ds = K × Ts

Using Equa­tion 1 [2], assume you have a machine that takes 250 ms to stop when the inter­lock is opened. Insert­ing the val­ues into the equa­tion gives you a min­i­mum safe­ty dis­tance of:

Example 1: Ds = 63 in/s × 0.250 s = 15.75 inches

Example 2: Ds = 2000 mm/s × 0.250 s = 500 mm

As you can see, the Inter­na­tion­al val­ue of K gives a more con­ser­v­a­tive val­ue, since 500 mm is approx­i­mate­ly 20 inch­es.

Note that I have not includ­ed the ‘Pen­e­tra­tion Fac­tor’, Dpf in this cal­cu­la­tion. This fac­tor is used with pres­ence sens­ing safe­guard­ing devices like light cur­tains, fences, mats, two-hand con­trols, etc. This fac­tor is not applic­a­ble to mov­able, inter­locked guards.

Also impor­tant to con­sid­er is the amount the guard can be opened before acti­vat­ing the inter­lock. This will depend on many fac­tors, but for sim­plic­i­ty, con­sid­er a hinged gate on an access point. If the guard uses two hinge-pin style switch­es, you may be able to open the gate a few inch­es before the switch­es rotate enough to detect the open­ing of the guard. In order to deter­mine the open­ing size, you would slow­ly open the gate just to the point where the inter­lock is tripped, and then mea­sure the width of the open­ing. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then deter­mine how far the guard must be from the haz­ards behind it. If that dis­tance is greater than what is avail­able, you could remove one hinge-pin switch, and replace it with anoth­er type mount­ed on the post oppo­site the hinges. This could be a keyed inter­lock like Pho­to 3, or a non-con­tact device like Pho­to 5. This would reduce the open­ing width at the point of detec­tion, and there­by reduce the safe­ty dis­tance behind the guard. But what if that is still not good enough?

If you have to install the guard clos­er to the haz­ard than the min­i­mum safe­ty dis­tance, lock­ing the guard closed and mon­i­tor­ing the stand-still of the machine allows you to ignore the safe­ty dis­tance require­ment because the guard can­not be opened until the machin­ery is at a stand­still, or in a safe state.
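The safety distance calculation and the guard-locking decision described above, as an added Python example that is not part of the original article: it applies Equation 1 with the North American and International values of K, including the switch to K = 1600 mm/s once Ds exceeds 500 mm. All function and class names are hypothetical, and the 500 mm floor applied after the switch is an assumption of this example rather than something the article states.

```python
from dataclasses import dataclass

K_NA_IN_PER_S = 63.0              # North American hand-speed constant (about 1600 mm/s)
K_INTL_MM_PER_S = 2000.0          # International/EU value used with movable guards
K_INTL_REDUCED_MM_PER_S = 1600.0  # permitted once Ds at K = 2000 exceeds 500 mm
SWITCH_THRESHOLD_MM = 500.0
MM_PER_INCH = 25.4


def _check_stop_time(stop_time_s: float) -> None:
    if stop_time_s <= 0:
        raise ValueError("stopping time must be a positive number of seconds")


def ds_north_america_mm(stop_time_s: float) -> float:
    """Equation 1 (Ds = K x Ts) with K = 63 in/s, converted to millimetres."""
    _check_stop_time(stop_time_s)
    return K_NA_IN_PER_S * stop_time_s * MM_PER_INCH


def ds_international_mm(stop_time_s: float) -> float:
    """Equation 1 with K = 2000 mm/s, recalculated with K = 1600 mm/s
    when the first result is greater than 500 mm."""
    _check_stop_time(stop_time_s)
    ds = K_INTL_MM_PER_S * stop_time_s
    if ds > SWITCH_THRESHOLD_MM:
        # Assumption of this example: never let the recalculated value drop
        # below the 500 mm threshold, so a slower machine cannot end up with
        # a shorter distance than a faster one.
        ds = max(K_INTL_REDUCED_MM_PER_S * stop_time_s, SWITCH_THRESHOLD_MM)
    return ds


@dataclass(frozen=True)
class GuardAssessment:
    stop_time_s: float
    available_mm: float
    min_north_america_mm: float
    min_international_mm: float

    @property
    def locking_needed_north_america(self) -> bool:
        # Guard sits closer to the hazard than the minimum distance allows.
        return self.available_mm < self.min_north_america_mm

    @property
    def locking_needed_international(self) -> bool:
        return self.available_mm < self.min_international_mm


def assess_guard(stop_time_s: float, available_mm: float) -> GuardAssessment:
    """Compare the distance actually available behind the guard with the
    minimum safety distance under both values of K."""
    if available_mm < 0:
        raise ValueError("available distance cannot be negative")
    return GuardAssessment(
        stop_time_s=stop_time_s,
        available_mm=available_mm,
        min_north_america_mm=ds_north_america_mm(stop_time_s),
        min_international_mm=ds_international_mm(stop_time_s),
    )


if __name__ == "__main__":
    # Constructed sample machines: (stopping time in s, available distance in mm)
    for stop_time, available in [(0.250, 450.0), (0.300, 520.0), (0.500, 600.0)]:
        a = assess_guard(stop_time, available)
        print(
            f"Ts={stop_time:.3f} s, available={available:.0f} mm | "
            f"NA min={a.min_north_america_mm:.1f} mm "
            f"(locking needed: {a.locking_needed_north_america}) | "
            f"Intl min={a.min_international_mm:.1f} mm "
            f"(locking needed: {a.locking_needed_international})"
        )
```

The stopping time fed into the calculation should be the measured stopping time of the machine, and the opening width at the point where the interlock trips still has to be checked separately against the reach tables.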

Guard lock­ing devices can be mechan­i­cal, elec­tro­mag­net­ic, or any oth­er type that pre­vents the guard from open­ing. The guard lock­ing device is only released when the machine has been made safe.

There are many types of safe­ty-rat­ed stand-still mon­i­tor­ing devices avail­able now, and many vari­able-fre­quen­cy dri­ves and ser­vo dri­ve sys­tems are avail­able with safe­ty-rat­ed stand-still mon­i­tor­ing.

Environment, failure modes and fault exclusion

Every device has fail­ure modes. The cor­rect selec­tion of the device starts with under­stand­ing the phys­i­cal envi­ron­ment to which the device will be exposed. This means under­stand­ing the tem­per­a­ture, humid­i­ty, dust/abrasives expo­sure, chem­i­cal expo­sures, and mechan­i­cal shock and vibra­tion expo­sures in the appli­ca­tion. Select­ing a del­i­cate reed switch for use in a high-vibra­tion, high-shock envi­ron­ment is a recipe for fail­ure, just as select­ing a mechan­i­cal switch in a dusty, damp, cor­ro­sive envi­ron­ment will also lead to pre­ma­ture fail­ure.

Example of a non-contact interlocking device
Pho­to 5 — JOKAB EDEN Inter­lock Sys­tem

Inter­lock device man­u­fac­tur­ers have a vari­ety of non-con­tact inter­lock­ing devices avail­able today that use cod­ed RF sig­nals or RF ID tech­nolo­gies to ensure that the inter­lock can­not be defeat­ed by sim­ple mea­sures, like tap­ing a mag­net to a reed switch. The Jokab EDEN sys­tem is one exam­ple of a sys­tem like this that also exhibits IP65 lev­el resis­tance to mois­ture and dust. Note that sys­tems like this include a safe­ty mon­i­tor­ing device and the sys­tem as a whole can meet Con­trol Reli­able or Cat­e­go­ry 3 / 4 archi­tec­tur­al require­ments when a sim­ple inter­lock switch could not.

The device stan­dards do pro­vide some guid­ance in mak­ing these selec­tions, but it’s pret­ty gen­er­al.

Fault Exclusion

Fault exclu­sion is anoth­er key con­cept that needs to be under­stood. Fault exclu­sion holds that fail­ure modes that have an exceed­ing­ly low prob­a­bil­i­ty of occur­ring dur­ing the life­time of the prod­uct can be exclud­ed from con­sid­er­a­tion. This can apply to elec­tri­cal or mechan­i­cal fail­ures. Here’s the catch: Fault exclu­sion is not per­mit­ted under any North Amer­i­can stan­dards at the moment. Designs based on the North Amer­i­can con­trol reli­a­bil­i­ty stan­dards can­not take advan­tage of fault exclu­sions. Designs based on the Inter­na­tion­al and EU stan­dards can use fault exclu­sion, but be aware that sig­nif­i­cant doc­u­men­ta­tion sup­port­ing the exclu­sion of each fault is need­ed.

Defeat resistance

Diagram showing one method of preventing interlock defeat.
Fig­ure 6 — Pre­vent­ing Defeat

The North Amer­i­can stan­dards require that the devices cho­sen for safe­ty-relat­ed inter­locks be defeat-resis­tant, mean­ing they can­not be eas­i­ly fooled with a cable-tie, a scrap of met­al or a piece of tape.

Fig­ure 6 [7, Fig. 10] shows a key-oper­at­ed switch, like the Schm­er­sal AZ15, installed with a cov­er that is intend­ed to fur­ther guard against defeat. The key, some­times called a ‘tongue’, used with the switch pre­vents defeat using a flat piece of met­al or a knife blade. The cov­er pre­vents direct access to the inter­lock­ing device itself. Use of tam­per-resis­tant hard­ware will fur­ther reduce the like­li­hood that some­one can remove the key and insert it into the switch, bypass­ing the guard.

Inner-Tite tamper resistance fasteners
Pho­to 6 — Tam­per-resis­tant fas­ten­ers


The Inter­na­tion­al and EU stan­dards do not require the devices to be inher­ent­ly defeat resis­tant, which means that you can use “safe­ty-rat­ed” lim­it switch­es with roller-cam actu­a­tors, for exam­ple. How­ev­er, as a design­er, you are required to con­sid­er all rea­son­ably fore­see­able fail­ure modes, and that includes inten­tion­al defeat. If the inter­lock­ing devices are eas­i­ly acces­si­ble, then you must select defeat-resis­tant devices and install them with tam­per-resis­tant hard­ware to cov­er these fail­ure modes.

Pho­to 6 shows one type of tam­per resis­tant fas­ten­ers made by Inner-Tite [13]. Pho­to 7 shows fas­ten­ers with unique­ly keyed key ways made by Bryce Fas­ten­er [14], and Pho­to 8 shows more tra­di­tion­al tam­per­proof fas­ten­ers from the Tam­per­proof Screw Com­pa­ny [15]. Using fas­ten­ers like these will result in the high­est lev­el of secu­ri­ty in a thread­ed fas­ten­er. There are many dif­fer­ent designs avail­able from a wide vari­ety of man­u­fac­tur­ers.

Bryce Key-Rex tamper-resistant fasteners
Pho­to 7 — Keyed Tam­per-Resis­tant Fas­ten­ers
Tamper proof screws made by the Tamperproof Screw Company
Pho­to 8 — Tam­per proof screws

Almost any inter­lock­ing device can be bypassed by a knowl­edge­able per­son using wire and the right tools. This type of defeat is not gen­er­al­ly con­sid­ered, as the degree of knowl­edge required is greater than that pos­sessed by “nor­mal” users.

How to select the right device

When select­ing an inter­lock­ing device, start by look­ing at the envi­ron­ment in which the device will be locat­ed. Is it dry? Is it wet (i.e., with cut­ting flu­id, oil, water, etc.)? Is it abra­sive (dusty, sandy, chips, etc.)? Is it indoors or out­doors and sub­ject to wide tem­per­a­ture vari­a­tions?

Is there a prod­uct stan­dard that defines the type of inter­lock you are design­ing? An exam­ple of this is the inter­lock types in ANSI B151.1 [4] for plas­tic injec­tion mould­ing machines. There may be restric­tions on the type of devices that are suit­able based on the require­ments in the stan­dard.

Con­sid­er inte­gra­tion require­ments with the con­trols. Is the inter­lock pure­ly mechan­i­cal? Is it inte­grat­ed with the elec­tri­cal sys­tem? Do you require guard lock­ing capa­bil­i­ty? Do you require defeat resis­tance? What about device mon­i­tor­ing or annun­ci­a­tion?

Once you can answer these ques­tions, you will have nar­rowed down your selec­tions con­sid­er­ably. The final ques­tion is: What brand is pre­ferred? Go to your pre­ferred supplier’s cat­a­logues and make a selec­tion that fits with the answers to the pre­vi­ous ques­tions.

The next stage is to inte­grate the device(s) into the con­trols, using whichev­er con­trol reli­a­bil­i­ty stan­dard you need to meet. That is the sub­ject for a series of arti­cles!

References


[1] Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion, ISO Stan­dard 12100, Edi­tion 1, 2010

[2] Safe­guard­ing of Machin­ery, CSA Stan­dard Z432, 2004 (R2009)


[3] Indus­tri­al Robots and Robot Sys­tems — Gen­er­al Safe­ty Require­ments, CSA Stan­dard Z434, 2003 (R2008)

[4] Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design, ISO Stan­dard 13849–1, 2006

[5] Safe­ty of machin­ery – Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems, IEC Stan­dard 62061, Edi­tion 1, 2005

[6] Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems (Sev­en Parts), IEC Stan­dard 61508-X

[7] Safe­ty of machin­ery — Inter­lock­ing devices asso­ci­at­ed with guards — Prin­ci­ples for design and selec­tion, ISO Stan­dard 14119, 1998

[8] Amer­i­can Nation­al Stan­dard for Machines, Gen­er­al Safe­ty Require­ments Com­mon to ANSI B11 Machines, ANSI Stan­dard B11, 2008

[9] Safe­ty of machin­ery — Posi­tion­ing of safe­guards with respect to the approach speeds of parts of the human body, ISO 13855, 2010

[10] Amer­i­can Nation­al Stan­dard for Machine Tools – Per­for­mance Cri­te­ria for Safe­guard­ing, ANSI B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120, 2002

[12] Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857, 2008

[13] Inner-Tite Corp. home page. (2012). Avail­able: http://www.inner-tite.com/

[14] Bryce Fas­ten­er, Inc. home page. (2012). Avail­able: http://www.brycefastener.com/

[15] Tam­per­proof Screw Co., Inc., home page. (2013). Avail­able: http://www.tamperproof.com


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.