Interlocking devices with guard locking according to ISO 14119 – how can tampering be prevented?

Manipulation of interlocking devices with guard locking rarely results solely from “bad operator practice.” In most cases, it stems from design decisions that fail to account for how access to the hazardous area actually takes place, how long users must wait for safe opening, or how burdensome restarting is. That is why compliance with EN ISO 14119 should be viewed more broadly: not only in terms of selecting the right interlocking device, but also in terms of designing the guard, the stopping sequence, and the access logic so that bypassing the safeguard is not the easiest option for the user.

In practice, this means linking several layers of design decisions. EN ISO 14119 itself structures the selection of interlocking devices and measures to reduce the possibility of manipulation, but it must be read together with EN ISO 14120 for guards, with requirements for safety functions under ISO 13849, and, where electronic control systems are involved, also in relation to SIL. If perimeter guarding is used, ISO 13857 also matters. Even so, correct reference to standards does not replace the basic design decision: whether the chosen machine operating concept can be maintained without creating pressure to defeat the safeguards.

Why this matters today

Interlocking devices with guard locking are no longer just a detail of a movable guard selected at the end of a project. In practice, they affect the machine architecture, the operating method, the stop logic, and the way access to the hazardous area is organized. If they are selected solely for formal compliance rather than actual operating conditions, manipulation quickly follows: bypassing the actuator, leaving the guard open, or forcing a cycle with the access point not fully closed. This is not a side issue. It is a sign that the design failed to account for the machine’s foreseeable use.

The consequences are usually costly and tend to appear late, when changes are hardest to implement. The product owner and the person responsible for compliance then have to deal simultaneously with increased injury risk, challenges to the protective measures adopted, and the need for corrections after commissioning. The most expensive mistakes arise at the assumptions stage, when guard locking is treated as a simple catalogue choice instead of part of the safety function and access strategy. The design team should answer not only whether the guard is to be monitored, but above all: how often it will be opened, whether stopping involves run-down or residual energy, whether the operator will have a practical incentive to shorten the cycle, and whether that incentive can be removed by changing the solution.

This is especially clear where the operator must regularly clear jams or replenish material. If the guard remains locked until a complete stop, but the unlocking time does not match the actual process dynamics, or the restart procedure is disproportionately burdensome, bypassing the safeguard becomes foreseeable. The impact on the project is specific: additional mechanical rework, changes to the safety circuit, revisions to the technical documentation, and sometimes even redesign of the drive or hydraulic system when the root cause turns out to be the stopping method itself.

Only in that context does reference to standards become meaningful. EN ISO 14119 structures the selection of interlocking devices with guard locking and the approach to limiting manipulation, but it does not replace risk assessment. It must be read together with EN ISO 14120 for guards and with the requirements for safety functions under ISO 13849, and, for electronic control systems, also with SIL. If access is provided through perimeter guarding, ISO 13857 is also relevant. From a practical standpoint, the conclusion is simple: the risk of manipulation must be addressed at the design or modernization stage, because after commissioning you are no longer removing the causes of wrong assumptions, only their consequences.

Where cost or risk most often increases

Most losses do not result from using an interlocking device with guard locking itself, but from the mistaken assumption that tampering can be eliminated with a “stronger” lock or more restrictive control logic. In practice, cost and risk increase when the protective measure interferes with normal work more than it actually reduces the possibility of bypassing it. In that case, the design team is seeing the symptom rather than the cause: frequent guard opening, the need to observe the process, cycle-time reduction, setting adjustments, or clearing jams. If these situations are not identified before the project is closed, a typical chain of consequences follows: guard modifications, changes to the control logic, revalidation of the safety functions, and a dispute over whether the source of the problem lies in the design, integration, or use.

A second area of risk is separating mechanical and automation decisions. When the guard designer, the automation engineer, and the person responsible for compliance work independently, guard locking is often selected too late, after the door geometry, opening direction, clearances, closing forces, and fault-clearing method have already been defined. The interlocking device then has to compensate for weaknesses in the machine’s overall architecture. The result is overloaded components, alignment problems, unstable guard positioning, and installation tolerances that, in operation, begin to encourage bypassing the safeguard. If correct guard-locking operation depends on very precise adjustment, “gentle” closing, or on the operator waiting longer each time than the process will accept, the risk of tampering has already been designed in.

In practice, this is especially clear at stations where access to the hazardous area is frequent but brief: during changeover, part removal, scrap removal, or position correction. If the design provides for guard locking until the hazard has disappeared, but does not separate process stopping from fast, controlled operator or service access, the user starts looking for shortcuts. An unauthorized actuator, a guard left not fully closed “just for a moment,” wedging the lock, or bypassing the restart sequence are then not incidents, but evidence of a poor design decision.

• How often the guard will be opened during the normal operating cycle.
• How long it takes to open safely from the moment of stopping.
• Whether the restart conditions and safety functions under ISO 13849 are proportionate to the type of intervention.
• Whether the user has a simple technical way to bypass the safeguard.
• Whether the guard geometry and installation method support stable lock operation in service.

Standards structure how these issues should be assessed, but they do not make decisions for the designer. EN ISO 14119 sets out the principles for selecting interlocking devices and limiting tampering, but it must be considered together with EN ISO 14120, and safety functions must be assessed in the logic of ISO 13849, and in some cases also SIL for electronic control systems. As regards safety fencing, ISO 13857 cannot be overlooked. The final criterion, however, remains practical: is tampering still a problem that needs to be limited, or is it already evidence that the conditions for safe access and the stopping sequence were defined incorrectly.

How to approach this in practice

The question of how to prevent tampering should not start with choosing a specific device. First, you need to determine in what situations the operator or maintenance personnel will have a real incentive to bypass a safety function. If access to the hazardous area is needed frequently, the stop takes too long, or returning the machine to a ready state after opening the guard is excessively burdensome, tampering becomes a predictable consequence of the design. From a management perspective, this means higher commissioning costs, more changes after acceptance, and greater difficulty defending the adopted solutions in the event of an incident or a compliance dispute.

That is why the order of decisions matters. First, the access scenarios must be structured: changeover, jam clearing, cleaning, quality inspection, diagnostics, and maintenance. Only then can you assess whether interlocking is intended to prevent access to a hazard that still exists after the stop command has been issued, or merely to enforce the correct operating sequence. Combining these two objectives in one solution quickly leads to hidden costs: unclear guard-lock release conditions, unnecessary service bypasses, conflicts between automation and process technology, and documentation that is difficult to defend as consistent.

A practical example makes this clear. If a guard is opened several times per shift to clear minor disturbances, and the lock is released only after a delay that the operator sees as unjustified, the problem is not work discipline. Simply replacing the switch with a model that has a higher coding level may make simple technical tampering more difficult, but it will not remove the cause. In that case, you need to go back to the assumptions and check whether it is possible to shorten the safe stop, separate access zones, change the reset sequence, introduce an intervention mode with controlled conditions, or solve jam clearing in a different way. These are the decisions that reduce the pressure to bypass guards.

Only after this has been put in order does it make sense to apply normative references. EN ISO 14119 structures the selection of interlocking devices, their installation, and measures to reduce the possibility of tampering, but it does not replace an assessment of how the machine is actually used. It must be considered together with EN ISO 14120, and the selection and validation of safety functions require reference to ISO 13849; in the case of electronic control systems, SIL may also apply. Where access concerns a safety fence, ISO 13857 is also important. From a practical standpoint, the key conclusion is this: first remove the incentive to bypass the safeguard, and only then make the bypass itself more difficult.

What to watch out for during implementation

The most common implementation mistake is assuming that an interlocking device with guard locking will, by itself, solve the problem of tampering. In practice, it shifts the burden to how the guard is used, the unlocking logic, the enclosure geometry, and the way interventions are organized. If these conditions are not properly addressed, users will still look for shortcuts, and the project will pay the price at the worst possible moment: during commissioning, acceptance, or after the machine has already been handed over for operation. At that point, the consequences are not limited to mechanical corrections and changes to the control system. It also becomes harder to defend the compliance documentation when it turns out that a foreseeable bypass was not effectively prevented.

Particular caution is needed where guard locking is expected to compensate for problems whose source lies outside the interlocking device itself. If the guard must be opened frequently because the process requires adjustment, jam clearing, or confirmation of part status, simply increasing the level of protection will usually not solve the issue. More often, it raises costs and increases operational friction. If access to the hazardous area is regularly needed during the normal working cycle, the first step is to check whether the process itself is being designed in a way that encourages bypassing the safeguard. In that case, the right question is not “which locking device should be used,” but whether the frequency of access, waiting time, and restart conditions and safety functions under ISO 13849 are acceptable from the standpoint of actual operation.

A typical problem arises when release of the lock depends on motion stopping or energy dissipation, but the signal indicating that opening is permitted is unstable or delayed relative to the machine’s actual behavior. The operator then sees a guard that “cannot be opened,” even though, from their perspective, the intervention is urgent and technically straightforward. If, in addition, no safe mode for clearing faults has been provided, workaround solutions appear quickly: leaving the guard not fully closed, forcing the position of the actuator, or interfering with the actuating mechanism. This is a clear sign that the implementation boundary conditions were identified incorrectly.

During commissioning, it is therefore worth observing not only the formal correctness of the safety function, but also how the machine is actually used in practice: the number of stops that require entry into the zone, the waiting time for unlocking, the reasons for intervention, and the number of logic changes made after start-up. If these indicators increase, the design still contains an inherent risk of tampering, even if the safety component itself was selected correctly. In such a case, EN ISO 14119 remains the reference point for selecting and installing the interlocking device, but it must be applied together with EN ISO 14120, with the requirements for safety functions under ISO 13849, and, where appropriate, also with SIL for electronic control systems and with ISO 13857 for safety fencing. An implementation can be considered mature only when guard locking does not conceal process weaknesses, but instead completes a properly identified risk scenario.