Concerning Frequency of Operation in Interlock Design
BIRKET Engineering News, May/June 1993
Interlocks are designed into a system as a degree of protection against harm resulting from events such as equipment failure, human error, and unusual circumstances.
The frequency of operation of an interlock has an important relationship to the reliability of the interlock. This is not only because a busy interlock may wear out more quickly, but also because an interlock that does not cycle often enough is not tested often. Everyone who designs or maintains interlocked systems knows that routine testing is important. We can all list several reasons why an interlock may not be there when it is needed. Therefore, the frequency of operation is a key consideration in the implementation of an interlock.
A Quiescent (Passive) Interlock remains in the same position for long periods, often until it is called into play as a safety device [1]. Imagine a switch that monitors the presence of a permanent but removable stationary guard. Testing the switch requires removing the guard or the switch. The switch may freeze from old age or be bypassed and borrowed on a “temporary-permanent” basis without ever being detected. Quiescent interlocks are of questionable value because they invite reliance upon themselves but may not function when called upon. If they are used, they must be part of a dependable periodic inspection program.
A Modicum (Active) Interlock does not necessarily operate with every show, or cycle of the machine, but it is at least accessible for checking [1]. Verification of this type of interlock can (and should usually) be made mandatory by software that requires the switch to be actuated by an operator or by a maintenance person between each show or at startup each day. For this reason, a modicum interlock can be much more dependable than a quiescent interlock. The odds are exceedingly small that the interlock will be called upon to prevent harm and will have failed or been bypassed since the last verification of the interlock.
A Cycling Interlock changes state routinely, because it is actuated with every operation of the interlock system [1]. When this type of interlock prevents a harm-causing event or just fails itself, a proper hardware or software design can easily prevent all further operation of the system until the harm-causing event is remedied or the interlock is fixed. Coupled with a proper fail-safe design, this type of interlock offers the most dependable protection.
Note that there is a special concern with modicum and cycling interlocks. Suppose that an operator rigs the interlock’s sensor (button, limit switch, I.R. beam, etc.) so that it always appears to be actuated. This may take many forms, including tying back a switch or wedging a screwdriver or match stick into the button. We have all seen it done, and usually with the best of intentions. It may be done for convenience, to increase production, to conduct a test, to perform maintenance, or just because the operator is lazy.
An improper implementation of the interlock may allow the system to continue without the protection of the interlock. A proper interlocking design will detect this condition on the very next operation by requiring that the state-change as well as the state of the sensor be used in the interlock logic. By constantly checking its own interlock, the system will eliminate the necessity of periodic inspections and will stop for a bypassed interlock almost as soon as it will stop for an unsafe condition.
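The state-plus-state-change check described above, sketched in C as an added example (not code from the original article). The type and function names, and the model of a sensor scanned continuously with a separate cycle request, are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example; all type and function names are hypothetical. */
typedef enum { ILK_OK, ILK_UNSAFE, ILK_BYPASS_FAULT } ilk_result;
typedef struct {
    bool seen_released; /* sensor observed un-actuated since the last permitted cycle */
    bool fault_latched; /* set on a detected bypass; cleared only by ilk_reset() */
} interlock;

/* Maintenance reset, after the sensor has been inspected or repaired. */
void ilk_reset(interlock *k) { k->seen_released = false; k->fault_latched = false; }

/* Call on every input scan with the raw sensor state. */
void ilk_scan(interlock *k, bool actuated) {
    if (!actuated) k->seen_released = true;
}

/* Call when a cycle is requested. The cycle is permitted only if the sensor is
   actuated now (state) AND was seen released since the last cycle (state change). */
ilk_result ilk_request_cycle(interlock *k, bool actuated) {
    ilk_scan(k, actuated);
    if (k->fault_latched) return ILK_BYPASS_FAULT; /* stay stopped until reset */
    if (!actuated) return ILK_UNSAFE;
    if (!k->seen_released) {                       /* stuck or tied-back sensor */
        k->fault_latched = true;
        return ILK_BYPASS_FAULT;
    }
    k->seen_released = false;                      /* consume the transition */
    return ILK_OK;
}

/* Replays a trace of sensor samples and cycle requests; returns cycles permitted. */
int count_permitted(const bool *scans, const bool *requests, int n) {
    interlock k; int ok = 0;
    ilk_reset(&k);
    for (int i = 0; i < n; i++) {
        if (requests[i]) ok += (ilk_request_cycle(&k, scans[i]) == ILK_OK);
        else ilk_scan(&k, scans[i]);
    }
    return ok;
}

int main(void) {
    /* Constructed trace: two normal cycles, then the sensor is held actuated. */
    const bool scans[]    = {0, 1, 0, 1, 1, 1, 0, 1};
    const bool requests[] = {0, 1, 0, 1, 0, 1, 0, 1};
    printf("permitted %d of 4 requested cycles\n", count_permitted(scans, requests, 8));
    return 0;
}
```

A state-only check would have permitted the third request in this trace; here it latches a fault, and the fourth request is refused even though the sensor has been released again.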
[1] Frank B. Hall, P.E., J.D., “Safety Interlocks – The Dark Side,” Triodyne, Inc. Safety Brief, v.7 #3, June 1992.