V5 Ultimate
Safety · The complete guide

Interlock Logic

TL;DR

Interlock logic is the always-on, independent set of safety and process conditions that gate equipment actions regardless of recipe state. Interlocks decide whether a command is allowed to execute — they do not sequence anything themselves. Treated correctly, interlocks are the layer that keeps the plant safe even when the recipe is wrong; treated incorrectly, they become tangled with recipe logic and lose their independence.

Reviewed · By V5 Ultimate compliance team · 2,200 words · ~10 min read

01 What an interlock is

An interlock is a hard condition that must be true (or false) for an action to be allowed. Interlocks are evaluated continuously, independent of recipe sequencing. When the condition is violated, the interlock prevents the action — or, if the action is already in progress and conditions change, the interlock stops it.

  • Hardwired interlock — physical wiring (e.g. door open → motor power killed). Highest integrity, lowest flexibility.
  • Safety-PLC interlock — coded in a separate safety-rated controller (IEC 61511 SIL-rated), independent of the process PLC.
  • Process-PLC interlock — coded in the process controller; provides operational protection but is not a safety function.
  • Software interlock — implemented in MES or SCADA; provides procedural protection, not safety integrity.

The integrity hierarchy is meaningful — process-PLC interlocks cannot substitute for safety-PLC interlocks where SIL ratings are required.

02 Interlock vs permissive

Both gate actions, but they differ in semantics and lifecycle:

Aspect              | Interlock                     | Permissive
Question            | Is this action forbidden?     | Is this action allowed?
Evaluation          | Continuous                    | Pre-action (at command time)
Action if violated  | Block / stop                  | Refuse command
Typical use         | Safety, equipment protection  | Operational sequencing, ready states
Mid-action          | Can interrupt                 | Does not interrupt

Practical example: 'reactor jacket cannot heat above 80 °C if pressure > 2 bar' is an interlock (continuous). 'Cannot start charge phase unless previous transfer phase completed' is a permissive (one-shot check at command time).
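The two gate types above, modelled in Python as an added example that is not part of this guide or of V5 Ultimate's code. The tag names IL-JKT-01 and PM-CHG-01, the plant-state fields and the scenario values are constructed for illustration. It shows the two behaviours the table contrasts, one-shot refusal versus continuous interruption, and the fail-safe rule from the design principles: a lost pressure signal trips the interlock rather than being treated as "unknown".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Signal:
    """A measured value with its quality flag; good=False models a lost or failed sensor."""
    value: float
    good: bool = True


@dataclass
class PlantState:
    jacket_temp_c: Signal
    pressure_bar: Signal
    transfer_phase_complete: bool = False


@dataclass
class Interlock:
    """Answers 'is this action forbidden?'; re-evaluated on every scan."""
    name: str
    forbidden: Callable[[PlantState], bool]


@dataclass
class Permissive:
    """Answers 'is this action allowed?'; checked once, when the command arrives."""
    name: str
    allowed: Callable[[PlantState], bool]


def jacket_heat_forbidden(s: PlantState) -> bool:
    # Fail-safe: a bad-quality signal counts as a violation, never as 'unknown, carry on'.
    if not (s.pressure_bar.good and s.jacket_temp_c.good):
        return True
    return s.pressure_bar.value > 2.0 and s.jacket_temp_c.value > 80.0


# Hypothetical tag names (IL-JKT-01, PM-CHG-01) used only for this example.
INTERLOCKS: Dict[str, List[Interlock]] = {
    "heat_jacket": [Interlock("IL-JKT-01 jacket >80 C while >2 bar", jacket_heat_forbidden)],
    "start_charge": [],
}
PERMISSIVES: Dict[str, List[Permissive]] = {
    "heat_jacket": [],
    "start_charge": [Permissive("PM-CHG-01 transfer phase complete",
                                lambda s: s.transfer_phase_complete)],
}


class ControlModule:
    def __init__(self) -> None:
        self.running: Set[str] = set()
        self.events: List[str] = []

    def command(self, action: str, s: PlantState) -> bool:
        """Command-time gate: permissives refuse the command, interlocks block it."""
        for p in PERMISSIVES[action]:
            if not p.allowed(s):
                self.events.append(f"REFUSED {action}: permissive {p.name} not met")
                return False
        for il in INTERLOCKS[action]:
            if il.forbidden(s):
                self.events.append(f"BLOCKED {action}: interlock {il.name}")
                return False
        self.running.add(action)
        self.events.append(f"STARTED {action}")
        return True

    def scan(self, s: PlantState) -> None:
        """Continuous evaluation: a violated interlock stops a running action.
        Permissives are deliberately not re-checked here."""
        for action in sorted(self.running):
            for il in INTERLOCKS[action]:
                if il.forbidden(s):
                    self.running.discard(action)
                    self.events.append(f"STOPPED {action}: interlock {il.name}")
                    break


def demo() -> ControlModule:
    """Constructed scenario walking through both gate types and the fail-safe path."""
    cm = ControlModule()
    s = PlantState(jacket_temp_c=Signal(60.0), pressure_bar=Signal(1.0))
    cm.command("start_charge", s)            # refused: transfer phase not complete
    cm.command("heat_jacket", s)             # started: interlock not violated
    s.pressure_bar.value, s.jacket_temp_c.value = 2.5, 85.0
    cm.scan(s)                               # stopped: interlock trips mid-action
    s.transfer_phase_complete = True
    cm.command("start_charge", s)            # started: permissive satisfied at command time
    s.transfer_phase_complete = False
    cm.scan(s)                               # still running: a permissive is one-shot
    s.pressure_bar.value, s.jacket_temp_c.value = 1.0, 60.0
    cm.command("heat_jacket", s)             # started again
    s.pressure_bar.good = False              # pressure transmitter lost
    cm.scan(s)                               # stopped: fail-safe on bad signal quality
    return cm


if __name__ == "__main__":
    for e in demo().events:
        print(e)
```

Note that `scan()` never consults PERMISSIVES: once the charge phase has started, the transfer-phase flag going false again does not stop it, which is exactly the "does not interrupt" row of the table. Anything that must be able to interrupt belongs in INTERLOCKS.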

03 Design principles

  • Independence — interlocks live with control modules, not with recipes. Recipe revision must not change interlock behaviour.
  • Fail-safe — on lost signal, valve fail-closed, agitator fail-stopped, jacket fail-cooled. The default is safety, not action.
  • Documented — every interlock has a HAZOP-traceable rationale and is on the equipment's interlock list, reviewed by safety and engineering.
  • Testable — every interlock is exercisable in OQ and periodic re-qualification; bypass and force operations are logged.
  • Overridable only with privilege — interlock bypass requires elevated role, justification, time-limit, and auto-revert.
  • Single source of truth — duplicated interlocks (one in PLC, one in MES, different logic) are a chronic source of incidents.

04 Bypass and force

Real plants need occasional interlock bypass — maintenance, commissioning, fault investigation. The discipline:

  • Bypass is named, logged and time-limited.
  • Bypass requires an approved electronic record stating reason, expected duration and risk mitigation.
  • Active bypasses are visible on the operator HMI and on a daily bypass-status report.
  • Bypasses survive only until the next batch start unless explicitly extended with re-approval.
  • All bypasses are reviewed at the periodic GMP equipment review and feed CAPA when patterns appear.

Forces (overriding I/O values rather than the logic that reads them) carry the same discipline plus heightened scrutiny because they hide the physical reality from the control system.
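The bypass discipline listed above, as an added Python example that is not this guide's or V5 Ultimate's code. The permitted roles, the 8-hour cap, the tag names, user names and timestamps are assumed for illustration. It enforces the privilege, justification and time-limit requirements at request time, auto-reverts on expiry, clears bypasses at batch start unless re-approved, records a violation that occurs while bypassed (the pattern the periodic review is looking for), and produces the active-bypass view the HMI and daily report would show.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed site policy for this example: who may bypass and for how long at most.
BYPASS_ROLES = {"maintenance_engineer", "commissioning_lead"}
MAX_BYPASS_DURATION = timedelta(hours=8)


@dataclass
class Bypass:
    interlock: str
    requested_by: str
    role: str
    reason: str
    mitigation: str
    start: datetime
    expiry: datetime
    active: bool = True


class BypassRegister:
    """Named, logged, time-limited bypasses with auto-revert and batch-start revert."""

    def __init__(self) -> None:
        self.bypasses: Dict[str, Bypass] = {}
        self.audit: List[str] = []

    def log(self, now: datetime, msg: str) -> None:
        self.audit.append(f"{now.isoformat()} {msg}")

    def request(self, interlock: str, user: str, role: str, reason: str,
                mitigation: str, duration: timedelta, now: datetime) -> Bypass:
        """Elevated role, written justification and a capped time limit are all mandatory."""
        if role not in BYPASS_ROLES:
            raise PermissionError(f"role '{role}' may not bypass interlocks")
        if not reason.strip() or not mitigation.strip():
            raise ValueError("reason and risk mitigation are mandatory")
        if duration > MAX_BYPASS_DURATION:
            raise ValueError(f"duration exceeds site limit of {MAX_BYPASS_DURATION}")
        if self.is_bypassed(interlock, now):
            raise ValueError(f"{interlock} is already bypassed")
        b = Bypass(interlock, user, role, reason, mitigation, now, now + duration)
        self.bypasses[interlock] = b
        self.log(now, f"BYPASS {interlock} by {user} ({role}): {reason}; until {b.expiry.isoformat()}")
        return b

    def _revert(self, b: Bypass, now: datetime, why: str) -> None:
        b.active = False
        self.log(now, f"REVERT {b.interlock}: {why}")

    def is_bypassed(self, interlock: str, now: datetime) -> bool:
        """Expired bypasses revert themselves the first time anyone asks."""
        b = self.bypasses.get(interlock)
        if b is None or not b.active:
            return False
        if now >= b.expiry:
            self._revert(b, now, "time limit expired (auto-revert)")
            return False
        return True

    def on_batch_start(self, now: datetime, reapproved: Set[str]) -> None:
        """A bypass survives a batch start only if it was explicitly re-approved."""
        for b in self.bypasses.values():
            if b.active and b.interlock not in reapproved:
                self._revert(b, now, "batch start without re-approval")

    def enforce(self, interlock: str, violated: bool, now: datetime) -> bool:
        """True when the trip must be actioned. A violation that occurs while
        bypassed is still recorded: that is what the periodic review looks for."""
        if not violated:
            return False
        if self.is_bypassed(interlock, now):
            self.log(now, f"SUPPRESSED {interlock}: violation during active bypass")
            return False
        self.log(now, f"TRIP {interlock}")
        return True

    def active_for_hmi(self, now: datetime) -> List[str]:
        """What the operator HMI and the daily bypass-status report show."""
        return [f"{b.interlock} bypassed by {b.requested_by} until {b.expiry:%H:%M}"
                for b in list(self.bypasses.values()) if self.is_bypassed(b.interlock, now)]


def demo() -> BypassRegister:
    """Constructed scenario: a bypass cleared at batch start, one that expires, one refused."""
    reg = BypassRegister()
    t0 = datetime(2024, 1, 1, 8, 0)
    reg.request("IL-JKT-01", "jsmith", "maintenance_engineer", "replace pressure transmitter",
                "manual gauge watched; jacket heating locked out", timedelta(hours=2), t0)
    reg.enforce("IL-JKT-01", True, t0 + timedelta(minutes=30))     # suppressed and logged
    reg.on_batch_start(t0 + timedelta(hours=1), reapproved=set())    # reverted, not re-approved
    reg.enforce("IL-JKT-01", True, t0 + timedelta(hours=1))         # enforced again
    reg.request("IL-VNT-02", "jsmith", "maintenance_engineer", "vent limit switch test",
                "vent confirmed open by hand", timedelta(hours=1), t0 + timedelta(hours=1))
    reg.is_bypassed("IL-VNT-02", t0 + timedelta(hours=3))            # expired: auto-revert
    try:
        reg.request("IL-JKT-01", "op7", "operator", "nuisance trip", "none",
                    timedelta(hours=1), t0 + timedelta(hours=3))
    except PermissionError as e:
        reg.log(t0 + timedelta(hours=3), f"DENIED bypass request by op7: {e}")
    return reg


if __name__ == "__main__":
    print("\n".join(demo().audit))
```

The denied request in the scenario is the "nuisance trip" case from the FAQ: an operator asking for a bypass because the interlock is annoying is refused at the role check and the refusal itself is written to the audit trail, so the pattern is visible at the GMP equipment review.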

05 Cross-industry examples

  • Pharma — reactor cannot pressurise if vent valve closed; tablet press cannot start if dust extractor not running.
  • Biopharma — bioreactor cannot sparge if pH probe failed; chromatography column cannot load if column-integrity test pending.
  • Food — pasteuriser cannot accept product if hold-tube temperature below setpoint; filler cannot dispense if seal-integrity check failed.
  • Chemicals — exothermic reactor cannot charge if jacket cooling unavailable; storage tank cannot fill above LSH high-level switch.
  • Cosmetics — vacuum kettle cannot heat if vacuum seal integrity below threshold; filler cannot run if tube weld-temperature out of band.

06 Common mistakes

  • Interlocks coded inside SFC transitions — couples safety to recipe; OQ scope explodes.
  • Same interlock implemented twice with subtly different logic in PLC and MES — divergence inevitable.
  • Bypass workflow informal — operators leave bypass active across shift handover, then production resumes unsafely.
  • Interlock list maintained only on paper — drift from PLC reality.
  • HAZOP rationale not captured — when interlock causes a 'nuisance trip', engineers cannot tell whether to redesign or accept.
  • Software-only interlocks where safety integrity is required — non-compliant with IEC 61511.
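Three of the mistakes above (interlock list on paper only, duplicated PLC/MES logic, missing HAZOP rationale) and the single-source-of-truth principle from section 03 are all detectable by reconciling the documented interlock list against what the controllers actually run. The following is an added Python example, not this guide's or V5 Ultimate's code; the interlock tags, condition strings and HAZOP references are constructed, and the comparison assumes the PLC and MES logic can be exported as condition text keyed by tag.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InterlockDef:
    """One row of the equipment's interlock list (the documented source of truth)."""
    tag: str
    logic: str           # condition that forbids the action, as written in the list
    hazop_ref: str = ""  # empty means no traceable HAZOP rationale


def normalise(expr: str) -> str:
    """Whitespace- and case-insensitive comparison; anything else is a real difference."""
    return " ".join(expr.split()).lower()


def reconcile(register: Dict[str, InterlockDef], plc_export: Dict[str, str],
              mes_rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the documented list with what the PLC and the MES actually run."""
    f: Dict[str, List[str]] = {k: [] for k in (
        "missing_in_plc", "undocumented_in_plc", "logic_drift",
        "no_hazop_ref", "duplicated_in_mes", "divergent_in_mes")}
    for tag, d in sorted(register.items()):
        if tag not in plc_export:
            f["missing_in_plc"].append(tag)          # exists on paper only
        elif normalise(plc_export[tag]) != normalise(d.logic):
            f["logic_drift"].append(tag)             # list no longer matches PLC reality
        if not d.hazop_ref:
            f["no_hazop_ref"].append(tag)            # a nuisance trip cannot be judged
    for tag in sorted(plc_export):
        if tag not in register:
            f["undocumented_in_plc"].append(tag)     # PLC reality the list does not know
    for tag, logic in sorted(mes_rules.items()):
        if tag in plc_export:
            f["duplicated_in_mes"].append(tag)       # two sources of truth
            if normalise(logic) != normalise(plc_export[tag]):
                f["divergent_in_mes"].append(tag)    # and they already disagree
    return f


# Constructed sample data; tag names and conditions are invented for this example.
REGISTER = {
    "IL-JKT-01": InterlockDef("IL-JKT-01", "jacket_temp > 80 AND pressure > 2", "HAZOP-R3-N07"),
    "IL-VNT-02": InterlockDef("IL-VNT-02", "vent_valve_closed"),
    "IL-AGT-03": InterlockDef("IL-AGT-03", "agitator_current > 12", "HAZOP-R3-N11"),
}
PLC_EXPORT = {
    "IL-JKT-01": "jacket_temp > 80  AND pressure > 2",
    "IL-VNT-02": "vent_valve_closed AND NOT maintenance_mode",
    "IL-DST-04": "dust_extractor_stopped",
}
MES_RULES = {
    "IL-JKT-01": "jacket_temp >= 80 AND pressure > 2",
}

if __name__ == "__main__":
    for finding, tags in reconcile(REGISTER, PLC_EXPORT, MES_RULES).items():
        print(f"{finding:20s} {', '.join(tags) or '-'}")
```

Run against a real PLC export this belongs in the periodic GMP equipment review, alongside the bypass report: every non-empty finding list is either a documentation gap to close or a controller change that was never reviewed.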

07 How V5 Ultimate handles interlocks

Frequently asked questions

Q. Where does the interlock live — PLC or MES?

Safety and process-protection interlocks live in the PLC (process or safety, depending on integrity rating). MES surfaces interlock state for operators and records, but does not own the logic. Procedural interlocks at the recipe layer (permissives) live in MES.

Q. Can an MES enforce an interlock?

It can enforce procedural rules ('do not allow phase start without confirmation') but cannot enforce safety integrity — the network path from MES to PLC is too uncertain for safety functions. Use the PLC and the safety PLC for anything safety-critical.

Q. How often should interlocks be tested?

At every OQ, after every interlock change, periodically per the site's PM plan, and after any incident that may have damaged the sensor or actuator chain. Some safety interlocks have IEC 61511-mandated proof-test intervals.

Q. Is a 'two-key' authorisation an interlock?

Loosely — it is a procedural interlock implemented through electronic signatures or hardware. The principle is the same: the action is gated by a condition that must be satisfied independently of the operator's intent.

Q. How do nuisance trips affect operations?

Badly. Operators start treating interlocks as obstacles, request bypasses routinely, and eventually accept incidents the interlocks were meant to prevent. Trip analysis and engineering redesign — not training operators to live with noise — is the fix.


See Interlock Logic working on a real shop floor

V5 Ultimate ships with the Interlock Logic controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.