Interlocking a matter of safety
A simple system works best; too many can fatigue the works
By Michael Carey
Simply put, interlocks protect equipment, product, and personnel. An interlock forces process equipment into a safe state based upon operational conditions.
Interlocks mostly tie in with discrete devices, but some systems have interlocks on loops. Interlocking is an important automation system function that when not designed properly can greatly restrict automation system operability.
A common mistake when designing an automation system is to incorporate too many interlocks. Creating too many interlocks restricts the ability to operate the system when the system goes into abnormal operation. In addition, having to figure out the affects of inter-related interlocks may eliminate the time needed to save product. Even when you can figure out the mess of inter-related interlocks, the offending interlocks become disabled or bypassed, which allows for manual operation; but having the trouble shooters go back and re-enable the interlocks and remove the bypasses may lead to further problems. Interlocks like everything else with the system should be simple and effective. To achieve simple and effective interlocking, you need to reduce the quantity of interlocks; they should not inter-relate, and they should minimize the need for disabling by replacing interlock functionality with automatic mode functionality.
When trying to determine interlocks for the system, the design team needs to refer to the automation vision for the system. The automation vision for the system should identify the level of complexity in the interlocks so they are consistent among the equipment. When determining interlocks, the design team, using a HAZOP procedure, should identify all the process situations where they want the equipment in a safe state. When evaluating these situations, first determine the scenarios that affect process equipment, then those that affect product, and finally those that affect personnel. Going from personnel to equipment may appear to be more compassionate, but most equipment interlocks affect personnel safety, and there are normally more personnel safety interlocks than equipment interlocks. By starting with the smaller group first, there is less of a chance to miss an interlock.
Interlocking is a method of preventing undesired states in a machine, which can include any electrical, electronic, or mechanical device or system.
In most applications, an interlock is a device used to help prevent a machine from harming its operator or damaging itself by stopping the machine when tripped.
Interlocks also serve as important safety devices in industrial settings, where they protect employees from such things as robots, presses, and hammers. While interlocks can be as sophisticated as a curtain of infrared beams and photodetectors, they are often just switches.
Trapped key interlocking is a method of ensuring safety in industrial environments by forcing the operator through a sequence using a defined selection of keys, locks, and switches.
Along with the interlock condition, the engineers need to identify whether the condition should apply when the system is in an automatic mode, manual mode, and in abnormal operation. Identifying the operational conditions when the interlock is applicable high-lights if the interlock requires an enable/disable function (ideally all systems should allow for the interlocks to the enable/disable for those rare times when the system is in abnormal operation) and whether the interlock can be removed as an interlock and be added as part of the automatic functionality. When the interlock is only applicable when in automatic mode, the condition is really not an interlock but rather part of the automatic functionality.
Once the user identified all the interlocks, the designers can start simplifying them. Simplified interlocks only interlock a single power source, rely on cascading interlocking, minimize redundant interlock conditions, and never become disabled under normal operation. Ideally, an interlock associated with a power source should only interlock the associated power source and not another power source. For example in a pressure and temperature controlled tank, a high pressure interlock should only interlock the pressure subsystem; it should not interlock with the temperature subsystem. Over cautious engineers cross power sources, trying to provide more protection, but in most cases they decrease system operability. In the example, if the vessel temperature does affect pressure, then the temperature loop should close off via the PID functionality or temperature interlocks prior to interlocking the pressure subsystem. If high pressure comes from a faulty control valve on the pressurization subsystem, then the user should still control the temperature. There may be situations where the temperature and pressure subsystems interlock, but they should only interlock based upon components within their subsystem.
The previous example also illustrates another simplifying technique for determining interlocks—allow for cascading interlocks. A high temperature may trigger a pressure interlock, but do not trigger the pressure interlock based upon the temperature. Having a high temperature interlock, the pressure subsystem reduces system flexibility when needing to operate in abnormal conditions during system recovery, product development, or product testing.
Allow the system to cascade interlocks so the interlock conditions are more apparent and easier to understand. Another example for cascading interlocks would be in transferring materials using a transfer pump to three tanks that have discrete inlet valves and level indicators. Overly complex interlocking is when the inlet valves interlock closed when the tank level exceeds a trip point and the transfer pump interlocks when all the inlet valves are not open and any tank level exceeds a trip point. This doubling up or making semi-redundant interlocks may imply greater protection, but in actuality it does not. First, if the level indicator fails to a low signal, none of the interlocks are active. Second, if the valve fails and if the valve is a normally closed valve, a loss of the open signal would work for a partially closed valve or a valve with a failed limit switch. Using a simplified strategy of cascading interlocks so the tank levels interlock the inlet valves and the inlet valves interlock the pump provide the same protection. Having redundant interlocks are good, but the user should base them on different measurements. Thus for this transfer system, a pressure indicator or pressure switch should go inline so the pump will trip on either a closed path via the valve states or a high line pressure.
The transfer example illustrates a situation where there are inter-related interlocking conditions; the tank level interlocks the valves and the pump. Operationally, inter-related interlocks are more difficult to work around when the system is running abnormally. If the level transmitter goes bad, the user needs to disable the interlock on the valve and the interlock on the pump so he can transfer manually. The valve interlock may be self-evident, but the pump interlock may not be.
The operators may see the interlocked pump because of the closed inlet valves, not knowing that the main reason is the level transmitter. As it is when a system starts up, users will know all the procedures, but after years of operation without problems, a level interlock on the transfer pump may go the way of a 1980s one hit wonder band and become forgotten. The level interlock may also create a problem when by the time the user fixes the level indicator, which will enable the interlocks, it may miss the pump interlock.
A user should only be able to disable an interlocks during abnormal operations. If a user can enable and disable interlock conditions through normal operations, such as phases in batch manufacturing, then what you have is automatic functionality not interlocks. For example, a tank agitator should only turn on when the tank level is higher than the blades; but when the tank is cleaned-in-place (CIP), the agitator must be on even though the tank level is below the blades. Some engineers may implement this functionality as a level interlock on the agitator that gets disabled during CIP. Interlocks are for safety and should not be disabled under normal operations because abnormal situations may occur which do not properly re-enable the interlocks. In this example the level limitation should work into the automatic functionality. Also, interlocks should never implement automatic functionality.
Interlocking is a touchy subject because it involves safety. Different members of the project team will require different functions from the interlocks. When designing interlocks, the developers really need to think about abnormal operation. In abnormal operation, which hopefully is rare, simplified interlocks facilitate getting the system back into specification in those stressful occurrences. Simplified interlocks also facilitate restoring the system to its normal configuration after the abnormal processing events are over.
ABOUT THE AUTHOR
Michael Carey is director of MES and Information Systems at Panacea Technologies Inc. His e-mail is email@example.com.
Return to Previous Page