Machine & Operator Safety
Interlocking devices: The good, the bad and the ugly
By Douglas Nix
By Douglas Nix
When designing safeguarding systems for machines, one of the basic building blocks is the movable guard — doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine so that the hazards covered by the guards are effectively controlled when the guard is opened.
There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.
The hierarchy of controls
This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment, start there, and then come back to this point in the process.
The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks . Designers are required to apply every level of the hierarchy in order, starting at the top. Where a level cannot be applied, the designer moves to the next lower level.
Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy.
It is their widespread use that makes them so important when it comes to safety system design.
Electrical versus mechanical interlocks
Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.
In Canada, CSA Z432  and CSA Z434  provide four categories of control reliability: simple, single channel, single channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable. In the EU, there are five levels of control reliability, defined as Performance Levels (PL) in ISO 13849-1: PL a, b, c, d and e . Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4.
To add to the confusion, IEC 62061  is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the ISO 13849-1 PLs, but they are similar. IEC 62061 is based on IEC 61508 , a control reliability standard used in the process industries. IEC 62061 is not well suited to applications involving hydraulic or pneumatic elements.
The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.
From the single channel monitored or Category 2 level up, the systems are required to have testing built-in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.
Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocks can be purely mechanical, purely electrical or a combination of these.
Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled.
Switches and sensors connected to these systems are the most common types of interlocking devices.
Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.
Requirements for these devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7, 2], and ANSI B11.0 . These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.
These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 and 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored,” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.
Environment, failure modes and fault exclusion
Every device has failure modes. The correct selection of the device starts with understanding the physical environment to which the device will be exposed. This means understanding the temperature, humidity, dust/abrasives exposure, chemical exposures, and mechanical shock and vibration. Selecting a delicate reed switch for use in a high-vibration, high-shock environment is a recipe for failure, just as selecting a mechanical switch in a dusty, corrosive environment will also lead to premature failure.
The device standards do provide some guidance in making these selections, but it’s pretty general.
Fault exclusion is another key concept that needs to be understood. Fault exclusion holds that failure modes that have an exceedingly low probability of occurring during the lifetime of the product can be excluded from consideration. This can apply to electrical or mechanical failures. Here’s the catch: Fault exclusion is not permitted under any North American standards at the moment. Designs based on the North American control reliability standards cannot take advantage of fault exclusions. Designs based on the international and EU standards can use fault exclusions, but significant documentation supporting the exclusion of each fault is needed.
The North American standards require that the devices chosen for safety-related interlocks be defeat-resistant, meaning they cannot be easily fooled with a cable-tie, a scrap of metal or a piece of tape.
The International and EU standards do not require the devices to be inherently defeat-resistant, which means that you can use “safety-rated” limit switches with roller-cam actuators, for example. However, as a designer, you are required to consider all reasonably foreseeable failure modes, and that includes intentional defeat. If the interlocking devices are easily accessible, then you must select defeat-resistant devices and install them with tamper-resistant hardware to cover these failure modes.
Almost any interlocking device can be bypassed by a knowledgeable person using wire and the right tools. This type of defeat is not generally considered, as the degree of knowledge required is greater than that possessed by “normal” users.
When selecting an interlocking device, start by looking at the environment in which the device will be located. Is it dry, wet or abrasive? Is it indoors or outdoors and subject to temperature variations?
Is there a product standard that defines the type of interlock you are designing? An example of this is the interlock types in ANSI B151.1  for plastic injection moulding machines. There may be restrictions on the type of devices that are suitable based on the requirements in the standard.
Consider integration requirements with the controls. Is the interlock purely mechanical? Is it integrated with the electrical system? Do you require guard locking capability? Do you require defeat resistance?
Once you can answer these questions, you will have narrowed down your selections considerably. The final question is: What brand is preferred? Go to your preferred supplier’s catalogues and make a selection that fits with the answers to the previous questions.
The next stage is to integrate the device(s) into the controls, using whichever control reliability standard you need to meet. That is the subject of another article!
 Safety of machinery – General principles for design – Risk assessment and risk reduction, ISO Standard 12100, Edition 1, 2010
 Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)
 Industrial Robots and Robot Systems – General Safety Requirements, CSA Standard Z434, 2003 (R2008)
 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006
 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, Edition 1, 2005
 Functional safety of electrical/electronic/programmable electronic safety-related systems (Seven Parts), IEC Standard 61508-X
 Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, ISO Standard 14119, 1998
 American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11.0, 2008
Douglas Nix, A.Sc.T., is managing director at Compliance InSight Consulting, Inc. (www.complianceinsight.ca) in Kitchener, Ont. He produces a blog and podcast called Machinery Safety 101, exploring a wide variety of machine safety topics. Check out his blog at www.machinerysafety101.com.
This column originally appeared in the May 2012 issue of Manufacturing AUTOMATION.