There is More to Safety Interlocks Than Opening a Circuit

Adding a safety interlock switch to a given application is easy. However, one must consider its design and application, as well as its control circuit design, to make it work correctly.
Whenever a guard has a movable section, a safety interlock switch is required to make certain that the machine is in a non-energized, safe condition whenever someone opens the guard. Typically the switch works in concert with the door or gate to open either a power circuit or a control circuit before someone can access the hazardous area.
To be effective, a safety interlock switch must meet two specific requirements. First, it must work in all environments and conditions to eliminate a false sense of security (reliability). It must open a circuit whenever the guard is open. Second, its construction must prevent someone from tampering with it to defeat the intended purpose — security.

Application Considerations

The type of mounting found with positive mode safety interlock switches minimizes any possible tampering or abuse by enclosing the contact block and cam actuator inside a strong, secure enclosure (Figure 1). In such situations, the cam and contact block will not separate.

An extension of this principle is demonstrated in Figure 2. Because this device is easy to mount at the opening edge of a safety guard, it will work with sliding, hinged, or removable doors. In this case, the user mounts the actuator on the guard door. Opening the guard door forces the contacts to disconnect. In addition, the switch mechanism is closed to resist tampering.

When a safety interlock switch uses two sets of contacts, as in a doublethrow or double-pole switch, a galvanic barrier is required to isolate each set of contacts from the power voltage. This prevents one contact from sticking or welding to another.

To be effective, a safety interlock switch must meet two specific requirements. First, it must work in all environments and conditions to eliminate a false sense of security (reliability). It must open a circuit whenever the guard is open. Second, its construction must prevent someone from tampering with it to defeat the intended purpose - security.

Different Actuation Means

Some classes of safety-rated switches use nonmechanical means for actuation, i.e., a magnetic field, thus making a positive mode switch action impossible. In these cases, other methods of mounting and installation come into play. The first case involves an oriented failure mode as described in EN 292-2: 3.7.4. If the most common failure mode is consistent and known, the device can be designed and used in a manner that will cause the device to default into the “safe,” or off position. Without the benefit of a true, positive mechanical mode operation, magnetic switches must include other means to maintain a fail-to-safe condition. Users can accomplish this by either applying an oriented failure mode, or through the use of duplicate components and circuit monitoring. Most magnetic safety switches employ the oriented failure mode. Using special components, the only point of safety critical failure is the possible welding of the contacts. This is prevented through the use of a non-resettable over-current protection device. It should have a current rating far below that needed to weld the contacts. Because the switch uses a nonresettable over-current protection device, it is advisable to use a suitable rated external fuse to prevent replacing the switch. Only its designated actuator can operate a magnetic, or electrostatic, sensor. A magnetic switch that senses ferrous metals is an inappropriate safety interlock device. The switch actuator must have a magnet or “active” actuator. To increase security of magnetic interlock switches, users can incorporate a coded device.

Don’t Limit Your Switch Safety

Although limit switches perform the same function as safety interlock switches, they have limitations that can result in an unacceptable interlock situation. Simple limit switches are cheaper than their safety-rated counterparts. This results from differences in construction. The spring snap action of a limit switch is not strong enough to break a welded contact, and can allow someone to enter a hazardous area without deenergizing the machine. The external actuator on a limit switch also presents an opportunity to tamper with (tie down or tape down) the switch and present an unsafe condition. The open construction of most limit switches makes them susceptible to environmental contamination to result in another unsafe condition.

Component Redundancy

While selecting and mounting a safety interlock switch is a necessary part of any interlock strategy, it must still work in an appropriate safety circuit. If the safety interlock switches are not safe in the application, EN 292-2: 3.7.5 requires duplication of each of the non-reliable circuit elements to achieve an acceptable level of machine safety. The circuit design will allow it to function even if one of the components fails to work.

It usually is necessary to include a means of monitoring the circuit to detect a component failure so it can be quickly repaired. Such designs should also address common failure causes.

It is important to make sure that no single component failure will result in the inability of the duplicated components from reverting to a safe or open state. This may go as far as using different technologies to guard against such failures.

Enhancing Safety Interlocks

In general, the application of safety interlock systems focuses either on the power circuit or the control circuit. Either the power source of the hazard is interrupted directly, or the control circuit to the power source of the hazard is directly interrupted.

Power Interlock Systems

A power interlock is used with a hazardous piece of equipment if it uses relatively low voltage and power. Machinery using three-phase power and relatively high voltage requires a specially designed power safety interlock circuit with power interrupting capability sufficient to handle such energy levels reliably. A variety of approaches may be used to ensure reliable safety interlock systems.

When using power interlocking, the guard door is always locked closed. When the key is used and turned, it opens the power contacts. The key cannot be withdrawn until is turned back to the locked position. With this system, it is not possible to open the guard without disconnecting the power source. This means of access requires a key and may not be suitable if the guarded area requires frequent access.

Trapped key interlocks are recommended for areas where whole body access is required. It may entail the use of a double-key system in which a personal key ensures that the operator cannot be locked in the guarded area. Such key systems can also be used in robot teach mode switches and inch mode controls.

Use more than one trapped key interlock switch in safety system to increase security. The switches can also be used to ensure that a predefined sequence of start-up and shutdown procedures is followed. Security of this system demands control of the keys and the locks. First, the keyed locks can only be operated by the dedicated key and cannot be defeated by another means, such as a screwdriver or a physical attack. Second, the key can only be obtained in the intended manner. Once a key is trapped, excessive force applied to the key will break it rather than breaking and defeating the lock.

Control Interlock Systems

A control interlock represents the more common means of safety interlock on the plant floor. The interlock switch, attached to the guard door, opens its switch contacts when it detects movement, or when the guard is not in the fully closed position.

Control interlock guarding does not necessarily have to restrict access. Here, the guard door may be opened at will, but as soon as it is opened, the interlock switch isolates power using a control circuit and contactor. This is acceptable if the hazard always stops within a minimum predicable time. It is necessary that the time to reach the hazard is longer than the time to remove energy from the hazard. (This approach is comparable to that of safety light curtains.)

Interlock Switches with Guard Locking

The safety interlock switch applications discussed so far have been applied to machinery that have fast, predictable stop times. Some machines must complete a cycle before returning to a safe condition. Others require a substantial amount of time to come to a stop. Interlock switches with guard locking must be used with these machines. The use of guard locking prevents someone from opening the guard before the machine stops and returns to a safe state. This use of interlocks will also increase the level of protection for most machines.


File Format Help
PDF: Some documents in this index are published in Acrobat (PDF) format. We recommend Netscape or Explorer with Acrobat Reader and Plug-in.

For technical difficulties with this page contact Support.
AUTOCAD: Reader download: Keyview (Windows). To download a CAD file: PC: Right click on link and choose "Save link as" from Pop-Up menu. Mac: Click and hold mouse on link, then select "Save this link as" from Pop-Up menu.

Some files need to be unzipped. Unzip utilities available for download for Windows / Macintosh.
Section updated 8/19/2014