Safety Interlocks Not Always a Good Idea
BIRKET Engineering News, Jan/Feb 1994
About the only universal point of agreement among designers, owners and operators of systems is that human safety is the most important issue. Not surprisingly, designers relentlessly pursue the foolproof safety interlock. Sometimes these good intentions actually lead to an increase in the probability of a harm-causing event!
Consider the example of an electric lawn mower that is equipped with a mercury tilt switch as a backup to the main power switch. The motor and blade will always stop when the lawn mower is tipped up. We feel better because the user, repair person, and others near the mower will almost never be exposed to a spinning blade. The interlock also appeals to us because it is simple in operation and is not likely to fail.
In spite of the warning label that says to always unplug the mower before placing hands near the blade, operators gradually take the interlock for granted. Also note that when the mower is tipped, the interlock obscures the fact that the mower is not switched off or unplugged. Consider that some users will have to mow grass on a steep hill. They can be relied upon to bypass the tilt switch with a piece of wire so that they can get the job done. Maybe someone will bypass the tilt switch to work on the mower. Either way, they may forget to remove the bypass, and probably will not tag the mower for other users to indicate that the interlock has been defeated; after all, who would ever put their hand near a mower blade without first unplugging the thing?
Eventually, the mower will be tipped up for cleaning by an operator who has come to depend upon the interlock. If not this, then the operator will be distracted and forget to unplug or turn off the mower at the power switch. Finally, after cleaning, the operator will grab the mower with fingers partly in the blade area, set the mower upright, and lose a few fingers as the motor starts.
Readers who have experience with interlock design may suggest that the interlock was not properly designed. The interlock could incorporate a feature requiring that the power switch be cycled once each time that the tilt switch stops the motor, so that the motor can’t start unexpectedly. Is this really an improvement? Imagine what the new, uninformed user will do the first time that the mower is tipped and then does not restart when it is righted again. The user may not start investigating with the power switch, but by poking around under the mower (with the power switch still on) to see what is holding the blade. This “improvement” may prompt a mower maintenance person to defeat the interlock after being asked to repair the mower by an owner who is confused by this feature. In both cases, the designer may be considered guilty of inviting harm.
The discussion of this example could go on, and it would not lead to clear conclusions. Still, we benefit from considering the issues. There is plenty of literature on the subject of interlocks, but there is no source of clear and simple rules; each device or system must be considered on its own merits. It is possible to find court cases on both sides of these difficult issues. Below are some design issues related to this example. The discussion of each issue is consistent with the safety literature, but remember that each interlock must be considered based upon the details of the design and the intended use.
Safety ultimately depends upon people, not interlocks. Safety is best achieved through an active training program. Interlocks that invite reliance upon the interlock instead of upon safety awareness and training often create more harm than they prevent because they discourage use of the proper safety procedure.
The best way to make a machine or system safe for service or inspection is to disconnect it from all of its power sources and from all sources of stored energy. This is often called the “zero mechanical state” or “primary protection”. The OSHA lockout/tagout procedure relies upon this idea. Avoid reliance upon secondary protection.
It is almost routine to circumvent interlocks, either during maintenance and test, or to increase production. Assume that this will happen. Design interlocks to require frequent verification, preferably as a part of normal operation. Avoid interlocks that can fail without being detected, especially if (as is usually the case) the preventative maintenance and periodic inspection programs are not reliable.
Do not depend upon people to read warning labels. There is a tendency to “liability-proof” machines with warning labels, but this often leads to an overload of information and warnings that are not followed.
The best interlocks are simple in design and implementation. They are easily understood, and easy to maintain. It is rarely a good idea to interlock an interlock, but often good to use two dissimilar interlocks to address the same safety concern, if the redundancy can be assured through routine verification.