Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 18831-2010 Safety of machinery—Interlocking devices associated with guards—Principles for design and selection. In addition to editorial changes, the following main technical changes have been made with respect to GB/T 18831-2010:
——26 terms such as "defeat", "holding force" and "actuator" are added, and 3 terms such as "positive mode actuation", "positive opening operation of contact elements" and "stop time" are deleted (see Clause 3 hereof, Clause 3 of Edition 2010);
——The sub-clause 5.7 is adjusted to Clause 7 (see Clause 7 hereof; 5.7 of Edition 2010);
——The control requirements are added (see Clause 8 hereof);
——The content in Clause 6 is adjusted into 8.7 (see 8.7 hereof; Clause 6 of Edition 2010);
——The requirements for information for use are added (see Clause 9 hereof);
——According to the newly defined interlocking device types, the contents of Annex A to Annex M are integrated and rearranged into Annex A to Annex E (see Annex A to Annex E hereof, Annex A to Annex M of Edition 2010);
——The informative annex F "Example of guard locking devices" is added (see Annex F hereof);
——The informative annex G "Application examples of interlocking devices used within a safety function" is added (see Annex G hereof);
——The informative annex H "Motivation to defeat interlocking device" is added (see Annex H hereof);
——The informative annex I "Examples for maximum static action forces" is added (see Annex I hereof).
This standard is, by means of translation, identical to ISO 14119: 2013 Safety of machinery—Interlocking devices associated with guards—Principles for design and selection (English edition).
The Chinese documents consistent and corresponding with the normative international documents in this standard are as follows:
——GB 5226.1-2008 Electrical safety of machinery—Electrical equipment of machines—Part 1: General requirements (IEC 60204-1: 2005, IDT)
——GB/T 14048.13-2006 Low-voltage switchgear and controlgear—Part 5-3: Control circuit devices and switching elements - Requirements for proximity devices with defined behaviour under fault conditions(PDF) (IEC 60947-5-3: 1999, IDT)
——GB 28526-2012 Electrical safety of machinery—Functional safety of safety-related electrical, electronic and programmable electronic control systems (IEC 62061: 2005, IDT)
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Machinery Safety of Standardization Administration of China (SAC/TC 208).
The previous editions of this standard are as follows:
——GB/T 18831-2002, GB/T 18831-2010.
Introduction
The structure of safety standards in the field of machinery is as follows:
——Type-A standards (basic safety standards) giving basic concepts, principles for design, and general aspects that can be applied to all machinery;
——Type-B standards (generic safety standards) dealing with one safety aspect or one type of safeguard that can be used across a wide range of machinery;
Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);
Type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards);
——Type-C standards (machine safety standards) dealing with detailed safety requirements for a particular machine or group of machines.
This document is a Type-B2 standard as stated in IGB/T 15706.
The requirements of this document may be supplemented or modified by a Type-C standard.
For machines which are covered by the scope of a Type-C standard and which have been designed and built according to the requirements of that standard, the requirements of that Type-C standard take precedence.
This standard has been prepared to give guidance to machinery designers and writers of product safety standards on how to design and select interlocking devices associated with guards.
Relevant clauses of this standard, used alone or in conjunction with provisions from other standards, may be used as a basis for verification procedures for the suitability of a device for interlocking duties.
The informative Annexes A to F describe the technology and the typical characteristics of the defined 4 types of interlocking devices. Other solutions may be adopted, provided that they comply with the principles of this standard. The informative Annexes G to I give information on particular aspects like interlocking devices used within safety functions, risk assessment considering the motivation to defeat and static action forces. ISO/TR 24119 is under preparation and will give information on the masking of faults in series connection of interlocking devices.
Safety of machinery—Interlocking devices associated with guards—
Principles for design and selection
1 Scope
This standard specifies principles for the design and selection—independent of the nature of the energy source—of interlocking devices associated with guards.
This standard covers the parts of guards which actuate interlocking devices.
Note: ISO 14120 specifies general requirements for the design and construction of guards provided primarily to protect persons from mechanical hazards. The processing of the signal from the interlocking device to stop and immobilize the machine is dealt with in GB/T 16855.1 or IEC 62061.
This standard does not necessarily provide all the specific requirements for trapped key systems.
This standard provides measures to minimize defeat of interlocking devices in a reasonably foreseeable manner:
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 15706-2012 Safety of machinery—General principles for design—Risk assessment and risk reduction (ISO 12100: 2010, IDT)
GB/T 16855.1-2008 Safety of machinery—Safety-related parts of control systems—Part 1: General principles for design (ISO 13849-1: 2006, IDT)
GB/T 16855.2-2015 Safety of machinery—Safety-related parts of control systems—Part 2: Validation (ISO 13849-2: 2012, IDT)
IEC 60947-5-3 Low-voltage switchgear and controlgear—Part 5-3: Control circuit devices and switching elements—Requirements for proximity devices with defined behaviour under fault conditions (PDF)
IEC 60204-1: 2009 Safety of machinery—Electrical equipment of machines—Part 1: General requirements
IEC 62061: 2012 Safety of machinery—Functional safety of safety-related electrical, electronic and programmable electronic control systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 15706 and GB/T 16855.1 and the following apply.
3.1
interlocking device
interlock
mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed)
Note: See Figure 1 and Table 1.
[GB/T 15706-2012, Definition 3.28.1]
Key:
1––—guard; 4——position switch;
2——interlocking device; 5——actuating system;
3——actuator; 6——output system.
a——direction of opening;
Figure 1 Example of an interlocking device
3.2
interlocking guard
guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed:
——the hazardous machine functions “covered” by the guard cannot operate until the guard is closed;
——if the guard is opened while hazardous machine functions are operating, a stop command is given;
——when the guard is closed, the hazardous machine functions “covered” by the guard may operate (the closure of the guard does not by itself start the hazardous machine functions). An interlocking guard can contain/be equipped of one or more interlocking devices.
Note: An interlocking guard can contain/be equipped of one or more interlocking devices. These interlocking devices can also be of different types.
[GB/T 15706-2012, Definition 3.27.4]
3.3
interlocking guard with a start function
control guard
special form of interlocking guard which, once it has reached its closed position, gives a command to initiate the hazardous machine function(s) without the use of a separate start control
Note: GB/T 15706-2012, 6.3.3.2.5 gives detailed provisions regarding the condition of use.
[GB/T 15706-2012, Definition 3.27.6]
3.4
guard locking device
device intended to lock a guard in the closed position and linked to the control system
3.5
interlocking guard with guard locking
guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed:
——the hazardous machine functions "covered" by the guard cannot operate until the guard is cIosed and Iocked;
——the guard remains closed and Iocked until the risk due to the hazardous machine functions "covered” by the guard has disappeared;
——when the guard is closed and locked, the hazardous machine functions "covered" by the guard can operate. The closure and locking of the guard do not by themselves start the hazardous machine functions
[GB/T 15706-2012, Definition 3.27.5]
3.6
safety-related part of a control system
SRP/CS
part of a control system that responds to safety-related input signals and generates safety-related output signals
Note 1: The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including e.g. the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).
Note 2: If monitoring systems are used for diagnostics, they are also considered as SRP/CS.
Note 3: It is revised from GB/T 16855.1-2008, Definition 3.1.1.
3.7
defeat
action that makes interlocking devices inoperative or bypasses them with the result that a machine is used in a manner not intended by the designer or without the necessary safety measures
3.8
defeat in a reasonably foreseeable manner
defeat of an interlocking device either manually or by using readily available objects
Note 1: This definition includes the removal of switches or actuators using tools that are needed for the intended use of the machine or that are readily available (screw drivers, wrenches, hexagon keys, pliers).
Note 2: Readily available objects for substitute actuation include:
——screws, needles and sheet-metal pieces;
——objects in daily use such as keys, coins, adhesive tape, string and wire;
——spare keys for the trapped-key interlocking devices;
——spare actuators.
3.9
automatic monitoring
diagnostic function which initiates a fault reaction function if the ability of a component or an element to perform its function is diminished, or if the process conditions are changed in such a way that hazards are generated
3.10
direct mechanical action
positive mechanical action
movement of a mechanical component which arises inevitably from the movement of another mechanical component either by direct contact or via rigid elements
3.11
direct opening action
positive opening operation
achievement of contact separation as a direct result of a specified movement of the switch actuator through non-resilient members (for example not dependent upon springs)
Note: It is revised from IEC 60947-5-1: 2003, Definition K.2.2.
3.12
actuator
separate part of an interlocking device which transmits the state of the guard (closed or not closed) to the actuating system
Example: Guard-mounted cam, key, shaped tongue, reflector, magnet, RFID tag.
Note 1: See also Annexes A to E.
Note 2: Examples of actuators are shown in Figure 2.
3.13
coded actuator
actuator which is specially designed (e.g. by shape) to actuate a certain position switch
3.13.1
low level coded actuator
coded actuator for which 1 to 9 variations in code are available
3.13.2
medium level coded actuator
coded actuator for which 10 to 1,000 variations in code are available
3.13.3
high level coded actuator
coded actuator for which more than 1,000 variations are available
3.14
actuating system
part of the interlocking device which transmits the position of the actuator and changes the state of the output system
Example: Roller plunger, cam mechanism, optical, inductive or capacitive sensor.
Note: Examples of actuating systems are shown in Figure 2.
3.15
output system
part of the interlocking device that indicates the state of the guard to the control system
Example: Contact element (electromechanical), semiconductor output, valve.
3.16
type 1 interlocking device
interlocking device with mechanically actuated position switch with uncoded actuator
Example: Hinged interlocking devices.
Note: See Annex A for detailed examples.
3.17
type 2 interlocking device
interlocking device with mechanically actuated position switch with coded actuator
Example: Tongue-actuated position switches.
Note: See Annex B for detailed examples.
3.18
type 3 interlocking device
interlocking device with non-contact actuated position switch with uncoded actuator
Example: Proximity switches.
Note: See Annex C for detailed examples.
3.19
type 4 interlocking device
interlocking device with non-contact actuated position switch with coded actuator
Example: RFID tag actuated position switches.
Note: See Annex D for detailed examples.
3.20
stop command
signal generated by the interlocking device that causes the hazardous machine function to disappear
3.21
overall system stopping performance
time interval between the stop command given by opening the guard and the termination of the hazardous machine function
Note: It is revised from GB/T 19876-2012, Definition 3.1.2.
3.22
access time
time taken by a person to reach the hazard zone after initiation of the stop command by the interlocking device, as calculated on the basis of an approach speed of the body or part of the body
Note: For the selection of the approach speed and the calculation of the access time, see GB/T 19876.
3.23
holding force
force that a guard locking device can withstand without being damaged so that its further use will not be impaired and the guard will not leave the closed position
3.24
prevention of inadvertent locking position
feature of a guard locking device which ensures that the locking means (e.g. a locking bolt) cannot take the locked position when the guard is not closed
3.25
emergency release of guard locking
possibility to release manually without aids the guard locking from outside the safeguarded area in case of an emergency
Note: The guard locking with emergency release can be necessary for releasing trapped persons or fire-fighting, for example.
3.26
auxiliary release of guard locking
possibility to release manually by means of a tool or a key the guard locking from outside the safeguarded area in case of its failure
Note: The guard locking with auxiliary release is not suitable for emergency or escape release of guard locking.
3.27
escape release of guard locking
possibility to release manually without aids the guard locking from inside the safeguarded area to leave the area
3.28
guard locking for protection of a person
application of a guard locking device to protect a person against a hazard
3.29
guard locking for protection of the process
application of a guard locking device to protect the working process from being interrupted
3.30
tool
implement such as a key or wrench designed to operate a fastener
Note: An improvised implement such as a coin or a nail file cannot be considered as a tool.
[ISO 14120: 2002, Definition 3.9]
3.31
power interlocking
interlocking which directly interrupts the energy supply to the machine actuators or disconnects moving parts from the machine actuators
Note: Resumption of the energy supply is only possible with the guard in the closed and locked position. “Directly” means that, unlike control interlocking, the control system does not play any intermediate role in the interlocking function.
3.32
safety function
function of a machine whose failure can result in an immediate increase of the risk(s)
[GB/T 15706-2012, Definition 3.30]
4 Operating principles and typical forms of interlocking devices associated with guards
4.1 General
Interlocking techniques involve a broad spectrum of technological aspects. Interlocking devices may be classified using a great variety of criteria, e.g. the nature of the link between guard and output system, or the technological type (electromechanical, pneumatic, electronic, etc.) of the output system.
Interlocking devices have a guard position monitoring function that senses whether the guard is closed or not and produce a stop command when the guard is not in the closed position. An interlocking device may also be used in the control of other functions e.g. application of a brake to stop hazardous machine functions before access is possible. Some interlocking devices also have a guard locking function to keep the guard locked while hazardous machine function is present. A guard locking device status monitoring function monitors whether the guard locking device is locked or unlocked and produces an appropriate output signal [see 4.3.1a) and b)].
Note 1: The guard locking device (see 3.4) may be an integral part of an interlocking device, or a separate unit.
Note 2: See also GB/T 15706-2012, 6.3.3.1 for additional information on guards.
Note 3: The four types of interlocking device are not shown in Table 1 and presented in a hierarchical order. The correct application of each type of interlocking device will be dependent on the risk assessment that shall be made for the specific machine.
Table 1 shows the actuation principles and actuators for the defined interlocking device types.
Table 1 Overview of interlocking devices
Actuation principle examples Actuator examples Type Examples: see Annex a
Mechanical Physical contact/force Uncoded Rotating cam Type 1 A.1
Linear cam A.2, A.4
Hinge A.3
Coded Tongue (-shaped actuator) Type 2 B.1
Trapped-key B.2
Non-contact Inductive Uncoded Suitable ferric metal Type 3 C
Magnetic Magnet, solenoid
Capacitive Any suitable object
Ultrasonic Any suitable object
Optic Any suitable object
Magnetic Coded Coded magnet Type 4 D.1
RFID Coded RFID tag D.2
Optic Optically coded tag —
a Examples of other interlocking guards are given in Annex E.
Key:
1——movable guard; 4——position switch;
2——interlocking device; 5——actuating system;
3——actuator; 6——output system.
a Cam; c E.g. RFID, reflector, suitable surface;
b Tongue; d Movement direction.
Note: In some exceptional cases, the position switch can be installed on the movable guard and the actuator on the stationary part of the machine. In these cases, “1” is the stationary part of the machine.
Figure 2 Principle of types 1, 2, 3 and 4 interlocking devices
4.2 Principles of guard interlocking without guard locking
When guard interlocking function without guard locking is used, the guard can be opened at any time regardless of the function of the machine.
If the guard is not closed, the interlocking device shall generate a stop command.
Note 1: For interlocking with the machine control system, see Clause 8.
Note 2: Examples of interlocking devices without guard locking are shown in Annexes A, B, C and D.
Note 3: A functional diagram of interlocking devices without guard locking is shown in Figure 3.
Figure 3 Functional diagram of interlocking devices without guard locking
4.3 Principles of guard interlocking with guard locking
4.3.1 General
When interlocking with guard locking is applied, opening of the guard shall be prevented by a guard locking device (see 3.4) unless all hazardous machine functions covered by this guard have disappeared.
There are two alternatives for the design of the guard locking function (see Figure 4).
a) Unlocking of the guard can be initiated at any time by the operator. When unlocking is started, the guard locking device generates a stop command. This is called unconditional unlocking. The time necessary for the guard to be unlocked shall be greater than the time necessary for the hazardous machine function to disappear.
b) Unlocking of the guard is possible only when the hazardous machine functions have disappeared. This is called conditional unlocking.
Note: In conditional locking, the change from state 2 to state 3 or from state 3 to state 2 can happen without time delay.
Figure 4 Functional diagrams of interlocking devices with guard locking
Examples of guard locking devices are given in Annex F.
4.3.2 Interlocking device with mechanically operated guard locking
The mechanical part (e.g. bolt) which locks the interlocking guard may be:
——manually applied and manually released (see Figure F.5);
——spring (or similar) applied and power-ON released [see Figure 5a)];
——power-ON applied and spring (or similar) released [see Figure 5b)];
——power-ON applied and power-ON released [see Figure 5c)].
Mechanically operated guard locking shall use the principle of direct mechanical blocking due to form. Friction and force alone shall not be relied upon.
a) Spring applied Locking
Power-ON released Unlocking
b) Power-ON applied Locking
Spring released Unlocking
c) Power-ON applied Locking
Power-ON released Unlocking
d) Power-ON applied Locking
Power-ON released Unlocking
Figure 5 Operating modes of guard locking device in power-actuated guard locking devices
4.3.3 Interlocking device with electromagnetically operated guard locking
The guard is kept closed (locked) without any mechanical locking means by an electromagnetic force (see F.4).
The electromagnetic guard locking operates on the principle of power-ON applied and power-OFF released [see Figure 5d)].
5 Requirements for the design and the installation of interlocking devices with and without guard locking
5.1 General
Interlocking devices shall be installed in a suitable robust manner and in accordance with any instructions provided by the manufacturer (see Clause 9).
5.2 Arrangement and fastening of position switches
Position switches shall be arranged so that they are sufficiently protected against a change of their position. In order to achieve this, the following requirements shall be met:
a) fasteners of the position switches shall be reliable and loosening them shall require a tool;
b) type 1 position switches shall have provisions for permanently fixing the location after adjustment (e.g. by means of pins or dowels);
c) necessary means of access to position switches for maintenance and checking for correct operation shall be ensured. Prevention of defeat in a reasonably foreseeable manner shall also be considered when designing the access means;
d) self-loosening shall be prevented;
e) defeat of the position switch in a reasonably foreseeable manner shall be prevented (see Clause 7);
f) the position switch shall be located and, if necessary, protected so that damage from foreseeable external causes is avoided;
g) the movement produced by mechanical actuation or the gap of the proximity device actuating system shall remain within the specified operating range of the position switch or actuating system specified by the switch manufacturer to ensure correct operation and/or prevent overtravel;
h) a position switch shall not be used as a mechanical stop, unless this is the intended use of the position switch as declared by the manufacturer;
i) misalignment of the guard that creates a gap before the position switch changes its state shall not be sufficient as to impair the protective effect of the guard (for access to hazard zones, see ISO 13855 and ISO 13857);
j) the support and fastening for the position switches shall be sufficiently rigid to maintain correct operation of the position switch.
5.3 Arrangement and fastening of actuators
5.3.1 General
Actuators (see Figure 2) shall be so fastened to minimize the possibility that they come loose or change their intended position relative to the actuating system during the intended lifetime.
Note: A regular check can be necessary (see 9.3.2).
The following requirements shall be met:
a) fasteners of the actuators shall be reliable and loosening them shall require a tool;
b) self-loosening shall be prevented;
c) the position switch shall be located and, if necessary, protected so that damage from foreseeable external causes is avoided;
d) an actuator shall not be used as a mechanical stop, unless this is the intended use of the actuator as declared by the manufacturer;
e) the support and fastening for the actuators shall be sufficiently rigid to maintain correct operation of the actuator.
5.3.2 Cams
Rotary and linear cams for type 1 interlocking devices shall meet the following requirements:
a) they are fixed by fasteners requiring a tool for loosening them;
b) final fixing is achieved by form (e.g. spline or pin) or other methods that provide equivalent integrity of fixing;
c) they do not damage the position switch or impair its durability.
5.4 Actuation modes of interlocking devices
When a single type 1 or type 2 interlocking device is used to generate a stop command, it shall be actuated by direct mechanical action between guard, actuator and output system and the contact element shall have direct opening action (see 3.10, 3.11 and Table 2).
Non-direct mechanical action for a type 1 interlocking device shall be used only in conjunction with a type 1 or type 2 interlocking device with direct mechanical action between guard, actuator and output system. Combining one interlocking device with direct mechanical action with a second interlocking device with non-direct mechanical action avoids common cause failures (see 8.3).
Table 2 Direct and non-direct mechanical action of type 1 interlocking devices
Mechanical action Guard closed Guard not closed Working mode Example of behaviour in case of failure (see 8.3.2)
Direct Plunger held depressed by cam as long as guard is not closed.
When guard closed, output system changes, its state as result of action of return spring. Output system remains in safe state when guard is not closed even if spring breaks.
Non-direct The plunger is held depressed by a cam as long as the guard is closed.
When guard not closed, output system changes state as result of action of return spring. If spring breaks, output system can go to unsafe state even if guard not closed.
Interlocking devices shall be actuated appropriate to the actuation principle of the applied position switch.
If a type 3 or type 4 interlocking device is the only interlocking device, it shall meet the requirements of IEC 60947-5-3.
5.5 Interface to control systems
The output system of interlocking devices shall be suitable for inclusion in a control system designed in accordance with GB/T 16855.1 or IEC 62061.
5.6 Mechanical stop
If an interlocking device is declared by the manufacturer of the device to be suitable for use as a mechanical stop the maximum impact energy withstand value shall be given [see also 9.2.2 r)].
5.7 Additional requirements on guard locking devices
5.7.1 General
If the application of the guard locking function creates hazards, additional measures shall be considered (see 5.7.5 and GB/T 15706-2012, 6.3.5.3).
The locking element (e.g. bolt) intended to lock the guard shall be “spring applied – power-ON released” [see Figure 5a)] or “power-ON applied – power-ON released” [see Figure 5c)] unless the outcome of the risk assessment shows that this is not appropriate. If other systems [e.g. Figure 5b)] are used in a specific application, they shall provide an equivalent level of safety.
Note: When the loss of power results in the release of the locking element, the stopping time of the machine is often lengthened considerably and it can be possible to access to the hazard before the movements have been stopped (or other hazards disappeared).
The requirements of 5.7 apply when guard locking function is used for the protection of persons. While the requirements of 5.7 do not apply when guard locking function is used solely for the protection of a process. Nevertheless, if guard locking function and guard interlocking function are part of the same device the safety level of the guard interlocking function shall not be negatively affected by a non safety related guard locking function (i. e. guard locking function used solely for the protection of the process).
The requirements of 5.7 apply to both guard locking devices composed of separate components as well as to guard locking devices which form an integral part of an interlocking device with guard locking. They apply to all technologies.
The guard locking device shall allow the locked position to be monitored by providing an output system compatible with a control system designed in accordance with GB/T 16855.1 or IEC 62061.
The guard locking device shall only allow hazardous functions of the machine when the guard is closed and locked.
5.7.2 Mechanical guard locking device
5.7.2.1 General
Mechanically operating guard locking shall result from the engagement of two rigid parts [form closure, see Figure 5a) to c)].
If it is foreseeable that access is necessary in case of emergency, for “spring applied – power-ON released” or “power-ON applied – power-ON released” systems [see Figure 5a) and c)], a guard locking device with emergency release (see 5.7.5.3) shall be provided.
Figure 6 shows the functionality of such a device.
5.7.2.2 Locking monitoring
The locked position of the locking element shall be monitored in accordance with the requirements of 5.5.
The hazardous function of the machine shall only be possible when the monitoring detects the closed position of the guard and the locked position of the locking element (see Annex F).
For an effective monitoring of the guard locking device, one of the following methods shall be ensured:
——the locking element can only go in the locked position if the movable guard is in the closed position (see Figure 6), in that case the closed position and the locking of the guard can be checked by the monitoring of the locking element;
——in the other case, the monitoring of the locking element and additionally the monitoring of the guard position shall be used for interlocking.
Key:
a)——guard closed and locked; 1——actuator (tongue);
b)——guard closed and not locked; 2——locking element (bolt);
c)——guard not closed and not locked; 3——actuating system (internal rotating cam).
Note: In this kind of position switch, the actuator has two functions: to operate the contacts (not shown in the figure) and together with the internal rotating cam and the bolt to provide the guard locking function. The bolt may be operated by external means e.g. a solenoid or pneumatic cylinder.
Figure 6 Example of type 2 interlocking device with guard locking
5.7.3 Electromagnetic guard locking device
5.7.3.1 General
The force required for the locking of the guard is applied by the generation of an electromagnetic field [see Figure 5d)].
5.7.3.2 Locking monitoring
The holding force shall be monitored to determine if the specified holding force has been achieved and maintained (see 6.2.2 and Annex I).
The hazardous function of the machine shall only be possible when the monitoring detects the closed position of the guard and the achievement of the specified holding force.
5.7.3.3 Basic measures for minimizing defeat possibilities
If an electromagnetic guard locking device is opened by force, it shall be ensured that the process cannot be immediately continued.
Note: In contrast to a mechanical guard locking, an electromagnetic guard locking shows no damage after an opening by force.
The objective of the measure is that an opening by force results in a time expenditure which is similar to that of repair works (time delay) and comparable with the repair of a damage of an electromechanical guard locking.
Foreword i
Introduction iii
1 Scope
2 Normative references
3 Terms and definitions
4 Operating principles and typical forms of interlocking devices associated with guards
4.1 General
4.2 Principles of guard interlocking without guard locking
4.3 Principles of guard interlocking with guard locking
5 Requirements for the design and the installation of interlocking devices with and without guard locking
5.1 General
5.2 Arrangement and fastening of position switches
5.3 Arrangement and fastening of actuators
5.5 Interface to control systems
5.6 Mechanical stop
5.7 Additional requirements on guard locking devices
6 Selection of an interlocking device
6.1 General
6.2 Selection of a guard locking device
6.3 Environmental conditions considerations
7 Design to minimize defeat possibilities of interlocking devices
7.1 General
7.2 Additional measures to minimize defeat possibilities of interlocking devices
8 Control requirements
8.1 General
8.2 Assessment of faults
8.3 Prevention of common cause failures
8.4 Release of guard locking device
8.5 Fault exclusion
8.6 Logical series connection of interlocking devices
8.7 Electrical and environmental conditions
9 Information for use
9.1 General
9.2 Information for use given by the manufacturer of interlocking devices
9.3 Information for use given by the manufacturer of the machine
Annex A (Informative) Type 1 interlocking device — Examples
Annex B (Informative) Type 2 interlocking device — Examples
Annex C (Informative) Type 3 interlocking device — Examples
Annex D (Informative) Type 4 interlocking device — Examples
Annex E (Informative) Examples of other interlocking devices
Annex F (Informative) Example of guard locking devices
Annex G (Informative) Application examples of interlocking devices used within a safety function
Annex H (Informative) Motivation to defeat interlocking device
Annex I (Informative) Examples for maximum static action forces
Bibliography
机械安全与防护装置相关的联锁装置
设计和选择原则
1 范围
本标准规定了与防护装置相关的联锁装置的设计和选择原则,不管其使用何种能源类型。
本标准适用于防护装置中驱动联锁装置的部件。
注:ISO 14120规定的防护装置的设计和制造一般要求主要用于防止机械危险。关于联锁装置发出的,使机器停止并保持不动的信号的处理,见GB/T 16855.1或IEC 62061。
本标准未规定截留钥匙系统的所有具体要求。
本标准给出了尽可能防止以合理可预见的方式弃用联锁装置的措施。
2 规范性引用文件
下列文件对于本文件的应用是必不可少的。凡是注日期的引用文件,仅注日期的版本适用于本文件。凡是不注日期的引用文件,其最新版本(包括所有的修改单)适用于本文件。
GB/T 15706—2012 机械安全 设计通则 风险评估与风险减小(ISO 12100:2010,IDT)
GB/T 16855.1—2008 机械安全 控制系统有关安全部件 第1部分:设计通则(ISO 13849-1:2006,IDT)
GB/T 16855.2—2015 机械安全 控制系统安全相关部件 第2部分:确认(ISO 13849-2:2012,IDT)
IEC 60947-5-3 低压开关设备和控制设备 第5-3部分:控制电路电器和开关元件 在故障条件下具有确定功能的接近开关(PDF)的要求[Low-voltage switchgear and controlgear—Part 5-3:Control circuit devices and switching elements—Requirements for proximity devices with defined behaviour under fault conditions(PDF)]
IEC 60204-1:2009 机械安全 机械电气设备 第1部分:通用技术条件(Safety of machinery—Electrical equipment of machines—Part 1:General requirements)
IEC 62061:2012 机械安全 电气、电子和可编程序电子控制系统的功能安全(Safety of machinery—Functional safety of safety-related electrical,electronic and programmable electronic control systems)
3 术语和定 义
GB/T 15706、GB/T 16855.1界定的以及下列术语和定义适用于本文件。
3.1
联锁装置 Interlocking device
联锁 Interlock
用于防止危险机器功能在特定条件下(通常是指只要防护装置未关闭)运行的机械、电气或其他类型的装置。
注:见图1和表1。
[GB/T 15706—2012,定义3.28.1]
说明:
1——防护装置; 4——位置开关;
2——联锁装置; 5——执行系统;
3——操动件; 6——输出系统。
a——打开方向;
图1 联锁装置示例
3.2
联锁防护装置 interlocking guard
与联锁装置联用的防护装置,同机器控制系统一起实现以下功能:
——在防护装置关闭前,其“遮蔽”的危险的机器功能不能执行;
——在危险机器功能运行时,如果打开防护装置.则发出停机指令;
——在防护装置关闭后,防护装置“遮蔽”的危险的机器功能可以运行。防护装置本身的关闭不会启动危险机器功能。
注:一个联锁防护装置可包含/配备一个或多个联锁装置,这些联锁装置的类型也可不同。
[GB/T 15706—2012,定义3.27.4]
3.3
带启动功能的联锁防护装置 interlocking guard with a start function
带控制功能的防护装置 control guard
特殊联锁防护装置,一旦其到达关闭位置,便发出触发机器危险功能的命令,无需使用单独的启动控制。
注:GB/T 15706—2012,6.3.3.2.5给出了关于使用条件的详细规定。
[GB/T 15706—2012,定 义3.27.6]
3.4
防护锁定装置 guard locking device
预定用于将防护装置锁定在关闭位置并与控制系统相连的装置。
3.5
带防护锁定的联锁防护装置 interlocking guard with guard locking
与联锁装置、防护锁定装置联用的防护装置,同机器控制系统一起实现以下功能:
——在防护装置关闭和锁定前,其“遮蔽”的危险机器功能不能够执行;
——在防护装置“遮蔽”的危险机器功能所产生的风险消失之前,防护装置保持关闭和锁定状态;
——在防护装置关闭和锁定后,被防护装置“遮蔽”的危险机器功能可以运行。防护装置本身的关闭和锁定不会启动危险机器功能。
[GB/T 15706—2012,定义3.27.5]
3.6
控制系统安全相关部件 safety-related part of a control system
SRP/CS
控制系统中响应安全相关输入信号并产生安全相关输出信号的部件。
注1:控制系统安全相关部件的组成,以安全相关的输入信号被触发为起始点(例如,驱动凸轮和位置开关的滚轮等),以控制元件的动力输出(例如,接触器的主触点等)为终止点。
注2:如果监控系统用于诊断,也可认为它们是SRP/CS。
注3:改写GB/T 16855.1—2008,定义3.1.1。
3.7
弃用 defeat
使联锁装置不起作用或绕开联锁装置,从而导致不是按照设计者预定的方式或在无必需的安全措施的条件下使用机器的行为。
3.8
以可合理预见的方式弃用 defeat in a reasonable foreseeable manner
用手或通过容易获得的物体弃用联锁装置。
注1:本定义包括采用机器预定使用所需的或容易获得的工具(螺丝刀、扳手、六角形钥匙、钳子)移除开关或操动件。
注2:容易获得的用于替换操动件的物体包括:
——螺钉、针、金属片;
——日常所用的物品,如钥匙、硬币、胶带、线和金属丝;
——截留钥匙联锁装置的备用钥匙;
——备用操动件。
3.9
自动监控 automatic monitoring
如果元件或组件执行其功能的能力减弱,或过程条件改变导致产生危险时,触发故障反应功能的诊断功能。
3.10
直接机械动作 direct mechanical action
强制机械动作 positive mechanical action
其他机械元件的运动通过直接接触或通过刚性组件不可避免地引起的机械元件的运动。
3.11
直接断开动作 direct opening action
强制断开操作 positive opening operation
开关操动件的规定动作通过非弹性部件(如不依靠弹簧)直接实现触点分离。
主:改写IEC 60947-5-1:2003,定义K.2.2。
3.12
操动件 actuator
联锁装置中将防护装置状态(关闭或未关闭)传输至执行系统的单独部件。
示例:安装在防护装置上的凸轮、销、卡舌、反射镜、磁体、射频识别(RFID)标签。
注1:也可参见附录A~附录E。
注2:见图2给出的操动件示例。
3.13
编码操动件 coded actuator
专门设计(如通过外形)的用于驱动某一位置开关的操动件。
3.13.1
初级编码操动件 low level coded actuator
编码能力在1~9之间的编码操动件。
3.13.2
中级编码操动件 medium level coded actuator
编码能力在10~1000之间的编码操动件。
3.13.3
高级编码操动件 high level coded actuator
编码能力大于1000的编码操动件。
3.14
执行系统 actuating system
联锁装置的一部分,用于传输操动件的位置信息并改变输出系统状态。
示例:活塞滚轮、凸轮机构或者光学式、感应式或电容式传感器。
注:见图2给出的执行系统示例。
3.15
输出系统 output system
联锁装置的一部分,用于向控制系统反馈防护装置状态。
示例:接触组件(机电式)、半导体输出、阀门。
3.16
1型联锁装置 type 1 interlocking device
带有机械驱动式位置开关,并且其操动件是非编码类型的联锁装置。
示例:铰链式联锁装置。
注:详细示例参见附录A。
3.17
2型联锁装置 type 2 interlocking device
带有机械驱动式位置开关,并且其操动件是编码类型的联锁装置。
示例:卡舌驱动式位置开关。
注:详细示例参见附录B。
3.18
3型联锁装置 type 3 interlocking device
带有非接触式位置开关,并且其操动件是非编码类型的联锁装置。
示例:接近开关。
注:详细示例参见附录C。
3.19
4型联锁装置 type 4 interlocking device
带有非接触式位置开关,并且其操动件是编码类型的联锁装置。
示例:RFID标签驱动式位置开关。
注:详细示例参见附录D。
3.20
停机指令 stop command
联锁装置产生的,使危险机器功能终止的信号。
3.21
全系统停机性能 overall system stopping performance
打开防护装置发出停机指令至危险机器功能终止之间的时间间隔。
注:改写GB/T 19876—2012,定义3.1.2。
3.22
进入时间 access time
联锁装置发出停机指令后,根据人体或人体部位接近速度计算出的人员到达危险区所用的时间。
注:接近速度的选择和进入时间的计算,见GB/T 19876。
3.23
保持力 holding force
防护锁定装置在不被损坏的情况下能承受的力,从而不影响其进一步使用且防护装置不会改变关闭位置。
3.24
防误锁 prevention of inadvertent locking position
防护锁定装置确保锁定器件(如防松螺栓)在防护装置未关闭时不能到达锁定位置的特征。
3.25
防护锁定的紧急解锁 emergency release of guard locking
紧急情况下,从安全防护区域外部无需借助其他工具就能手动解锁防护锁定的可能性。
注:例如,出于解救被困人员或消防的目的,有必要采用带紧急解锁的防护锁定。
3.26
防护锁定的辅助解锁 auxiliary release of guard locking
防护锁定失效时,从安全防护区域外部通过工具或钥匙就能手动释放防护锁定的可能性。
注:带辅助解锁的防护锁定不适用于防护锁定的紧急或逃生解锁。
3.27
防护锁定的逃生解锁 escape release of guard locking
为了离开安全防护区域,从其内部无需借助其他工具就能手动解锁防护锁定的可能性。
3.28
用于保护人员的防护锁定 guard locking for protection of a person
防护锁定装置用于保护人员安全的用途。
3.29
用于保护过程的防护锁定 guard locking for protection of the process
防护锁定装置用于防止工作过程被中断的用途。
3.30
工具 tool
设计用于操作紧固件的器具,如钥匙或扳手等。
注:临时器具,如硬币或指甲锉不能被视为工具。
[ISO 14120:2002,定义3.9]
3.31
动力联锁 power interlocking
直接中断机器执行器的能量供应或者直接将运动部件与机器执行器断开的联锁。
注:只有防护装置关闭并处于锁定位置,才有可能恢复能量供应。“直接”意味着,与控制联锁不同,控制系统在联锁功能中不起任何中间作用。
3.32
安全功能 safety function
失效后会立即造成风险增加的机器功能。
[GB/T 15706—2012,定义3.30]
4 与防护装置相关的联锁装置的工作原理与典型形式
4.1 概述
联锁技术涉及的技术领域非常广泛。联锁装置可按照很多准则进行分类,如按照防护装置与输出系统之间连接的性质分类,或者按照输出系统采用的技术类型(机电、气动、电子等)分类。
联锁装置具有监控防护装置位置的功能,从而感应防护装置是否关闭并在防护装置没有处于关闭位置时产生停机指令。联锁装置也可用来控制其他功能,如在可能进入危险区之前控制制动功能停止危险的机器功能。某些联锁装置还具有防护锁定功能,以使防护装置在出现危险机器功能时保持锁定。防护锁定装置的状态监控功能监控防护锁定装置是否锁定并且产生合适的输出信号[见4.3.1a)和b)]。
注1:防护锁定装置(见3.4)可以是联锁装置的组成部分,也可以是独立单元。
注2:关于防护装置的附加信息,也可见GB/T 15706—2012,6.3.3.1。
注3:表1并没有按照联锁装置的4种类型递进给出示例。每种类型的联锁装置的正确应用将取决于针对具体机器进行的风险评估。
表1给出了特定类型联锁装置的驱动原理和操动件示例。
表1 联锁装置概况
操动原理示例 操动件示例 类型 示例:见附录a
机械式 物理接触/力 非编码 旋转凸轮 1型 A.1
线性凸轮 A.2、A.4
铰链 A.3
编码 卡舌(外形操动件) 2型 B.1
钥匙型 B.2
非接触式 电感 非编码 合适的铁质金属 3型 C
磁力 磁铁、电磁阀
电容 任何合适的物品
超声波 任何合适的物品
光学 任何合适的物品
磁力 编码 编码磁铁 4型 D.1
RFID 编码RFID标签 D.2
光学 光学编码带 —
a 其他联锁防护装置的示例在附录E给出。
a) 1型联锁装置(非编码凸轮式,防护装置关闭)
b) 2型联锁装置(编码卡舌式,防护装置未关闭)
c) 3型或4型联锁装置(非编码或编码非接触式操动,防护装置关闭)
说明:
1——活动式防护装置; 4——位置开关;
2——联锁装置; 5——执行系统;
3——操动件; 6——输出系统。
a 凸轮; c 如RFID、反射镜、合适的表面;
b 卡舌; d 运动方向。
注:在某些特殊情况下,位置开关可安装在活动式防护装置上,并且操动件安装在机器的固定部件上。这种情况下,图中的“1”是机器的固定部件。
图2 1型、2型、3型和4型联锁装置的原理
4.2 不带防护锁定的防护联锁原理
当采用不带防护锁定的防护联锁功能时,防护装置在任何时候都能打开,与机器的功能无关。
如果防护装置未关闭,则联锁装置应产生停机指令。
注1:与机器控制系统的联锁,见第8章。
注2:不带防护锁定的联锁装置的示例在附录A、附录B、附录C和附录D中给出。
注3:不带防护锁定的联锁装置的功能图在图3中给出。
危险机器功能可能运行
危险机器功能不能运行
防护装置关闭
防护装置终止关闭
防护装置开始打开
防护装置未关闭
图3 不带防护锁定的联锁装置的功能图
4.3 带防护锁定的防护联锁原理
4.3.1 概述
当采用带防护锁定的联锁时,应通过防护锁定装置(见3.4)防止防护装置打开,除非该防护装置防护的所有危险机器功能都已终止。
防护锁定功能有两种可选的设计方案(见图4):
a) 触发防护装置的解锁可由操作者在任何时候实现。当开始解锁时,防护锁定装置产生停机指令。这称之为无条件解锁,防护装置解锁所必需的时间应大于危险机器功能终止所必需的时间。
b) 防护装置的解锁只有在危险机器功能终止时才能实现。这称之为条件解锁。
防护装置关闭并锁定能解锁
完成锁定
完成解锁*)
防护装置关闭且已解锁能打开防护装置
防护装置完成关闭
防护装置开始打开
防护装置未关闭
危险机器功能可能运行
危险机器功能不能运行
防护装置关闭并锁定不能解锁
不能解锁
固定的时间段后已探测到或确保危险已消除(如机器停止)
防护装置关闭并锁定能解锁
完成锁定
完成解锁
防护装置关闭并锁定能打开防护装置
防护装置终止关闭
防护装置开始打开
防护装置未关闭
*)完成解锁是指:
——开始驱动解锁装置的同时已触发停机指令,并且是开始驱动解锁装置的结果;
——防护装置解锁所必需的时间大于危险消除所必需的时间。
无条件解锁
条件解锁
注:对于条件解锁,可无时间延迟的从状态2改变至状态3或者从状态3改变至状态2。
图4 带防护锁定的联锁装置的功能图
防护锁定装置的示例在附录F中给出。
4.3.2 带机械式防护锁定的联锁装置
锁定联锁防护装置的机械部件(如螺栓)可以是:
——手动锁定和手动解锁(见图F.5);
——通过弹簧(或类似的)锁定和通过动力接通解锁[见图5a)];
——通过动力接通锁定和通过弹簧(或类似的)解锁[见图5b)];
——通过动力接通锁定和通过动力接通解锁[见图5c)]。
机械式防护锁定由于其形态的原因应采用直接机械阻挡的原理,不应仅仅依靠摩擦或作用力。
a) 通过弹簧锁定 锁定
通过动力接通解锁 解锁
b) 通过动力接通锁定 锁定
通过弹簧解锁 解锁
c) 通过动力接通锁定 锁定
通过动力接通解锁 解锁
d) 通过动力接通锁定 锁定
通过动力断开锁定 解锁
图5 动力驱动的防护锁定装置的工作模式
4.3.3 带电磁式防护锁定的联锁装置
防护装置通过电磁力而不通过任何机械锁定方式来保持关闭(锁定)(见F.4)。
电磁式防护锁定的工作原理是通过动力接通锁定和通过动力断开解锁[见图5d)]。
5 带或不带防护锁定的联锁装置的设计与安装要求
5.1 一般要求
联锁装置的安装应使其牢固可靠,并满足制造商提供的说明书(见第9章)的要求。
5.2 位置开关的布置与紧固
位置开关的布置应使其得到充分的保护,防止其位置的改变。为了达到此目标,应满足以下要求:
a) 位置开关的紧固件应可靠,且仅能通过工具松开。
b) 1型位置开关在调整后应提供持久固定在其位置措施(如通过钉子或销)。
c) 为保证位置开关的正确运行,应提供接近位置开关进行维护和检查所必需的设施。设计接近设施时,还应考虑防止以可合理预见的方式弃用位置开关。
d) 应防止位置开关自松动。
e) 应防止以可合理预见的方式弃用位置开关(见第7章)。
f) 位置开关的定位应避免可预见的外部原因造成损坏,必要时应加以保护。
g) 机械式驱动产生的运动或接近装置执行系统的间隙应保持在开关制造商规定的位置开关或执行系统的工作范围内,以确保正确运行和/或防止超程。
h) 位置开关不应用于机械式停机,除非制造商声明其具有这种预定用途。
i) 防护装置错位产生的间隙在位置开关改变其状态之前不应大到影响防护装置的防护效果(对于进入危险区,参见ISO 13855和ISO 13857)。
j) 位置开关的支撑和紧固应具有足够的刚度,以保持位置开关的正确运行。
5.3 操动件的布置与紧固
5.3.1 一般要求
操动件(见图2)应牢固固定,以尽可能防止其在生命周期内松动或改变其相对于执行系统的位置。
注:有必要进行定期检查(见9.3.2)。
应满足以下要求:
a) 操动件的紧固件应可靠,且仅能通过工具松开;
b) 应防止操动件自松动;
c) 位置开关的定位应避免可预见的外部原因造成损坏,必要时应加以保护;
d) 操动件不应用于机械式停机,除非制造商声明其具有这种预定用途;
e) 操动件的支撑和紧固应具有足够的刚度,以保持操动件的正确运行。
5.3.2 凸轮
1 型联锁装置的旋转或线性凸轮应满足以下要求:
a) 通过紧固件固定且仅能通过工具松开;
b) 通过外形(如:花键或销子)或通过能提供同等固定程度的其他方法达到最终的固定;
c) 不能损坏位置开关或削弱位置开关的耐用性。
5.4 联锁装置的驱动模式
当使用单个1型或2型联锁装置产生停机指令时,防护装置、操动件和输出系统之间的驱动模式应是直接机械动作,接触组件应是直接打开动作(见3.10、3.11和表2)。
只有与1型或2型联锁装置联用,且防护装置、操动件和执行系统之间为直接机械动作时,才能采用1型联锁装置的间接机械动作。一个直接机械动作的联锁装置和一个间接机械动作的联锁装置联合使用,可避免共因失效(见8.3)。
表2 1型联锁装置的直接机械动作和间接机械动作
机械动作 防护装置关闭 防护装置未关闭 工作模式 失效时的工况示例(见8.3.2)
直接 只要防护装置未关闭,凸轮就使活塞保持压下状态。
当防护装置关闭时,弹簧复位致使输出系统改变其状态 即使弹簧断裂,防护装置未关闭时输出系统始终保持在安全状态
间接 只要防护装置关闭,凸轮就使活塞保持在压下状态。
当防护装置打开时,弹簧复位致使输出系统改变其状态 如果弹簧断裂,即使防护装置未关闭,输出也能变成不安全状态
联锁装置的驱动原理应与所采用的位置开关的驱动原理相适应。
如果3型和4型联锁装置只用作联锁装置,则应满足IEC 60947-5-3的要求。
5.5 控制系统的接口
联锁装置的输出系统应与按照GB/T 16855.1或IEC 62061设计的控制系统相适应。
5.6 机械式停机
如果制造商声明联锁装置可用于机械式停机,则应给出能承受的最大冲击能量[也可见9.2.2r)]。
5.7 防护锁定装置的附加要求
5.7.1 一般要求
如果采用防护锁定功能会产生危险,则应考虑附加措施(见5.7.5和GB/T 15706—2012中6.3.5.3)。
除非风险评估的结果表明不合适,否则预定用于锁定防护装置的锁定组件(如螺栓)应采用“通过弹簧锁定一通过动力接通解锁”[见图5a)]或“通过动力接通锁定一通过动力接通解锁”[见图5c)]的工作模式。如果在特殊的应用中采用了其他工作模式[如图5b)],则应提供同等的安全水平。
注:当失去能量而导致锁定组件解锁时,机器的停止时间通常大大加长,这就有可能在停止运动(或其他危险消除)之前进入危险区。
当防护锁定功能用于人员保护时,则应满足5.7规定的要求。当防护锁定功能只用作保护过程时,则5.7规定的要求不适用。但是,如果防护锁定功能和防护联锁功能是同一装置的组成部分,则防护联锁功能的安全水平不应被与安全不相关的防护锁定功能(即防护锁定功能只用作保护过程)削弱。
5.7规定的要求既适用于由独立元件组成的防护锁定装置,也适用于作为带防护锁定的联锁装置的组成部分的防护锁定装置。5.7规定的要求适用于所有技术。
应提供与按照GB/T 16855.1或IEC 62061设计的控制系统兼容的输出系统,以便监控防护锁定装置的锁定位置。
只有防护装置关闭并锁定时,防护锁定装置才应允许机器的危险功能运行。
5.7.2 机械式防护锁定装置
5.7.2.1 一般要求
机械式防护锁定应由两个刚性部件配合完成[形封闭,见图5a)~图5c)]。
如果可预见到在紧急情况下必需进入,则对于“通过弹簧锁定一通过动力接通解锁”或者“通过动力接通锁定一通过动力接通解锁”系统[见图5a)和c)],应提供带紧急解锁的防护装置锁定装置(见5.7.5.3)。
图6说明了此类装置的功能。
5.7.2.2 锁定监控
锁定组件的锁定位置应按照5.5的要求进行监控。
只有监控到防护装置处于关闭位置且锁定组件处于锁定位置,机器的危险功能才可能运行(参见附录F)。
为有效监控防护锁定装置,应采用以下方法的其中一种:
——只有活动式防护装置处于关闭位置,锁定组件才能进入锁定位置(见图6),这种情况下,防护装置的关闭和锁定位置可通过锁定组件的监控来检查;
——对于其他情况,锁定组件的监控和对防护装置位置的监控应联锁。
