
Interlocks: Basic Design Principles

Interlock circuits and their components should be designed to actuate the final devices (e.g. control valves) in the direction required to cause the process to fail-safe upon loss of power. A good principle to follow is this: "every system is to fail to its lowest energy state, or to a state away from its critical operating limit". In other words, each process should be analyzed to determine the major source of energy for operation, e.g. steam to a reboiler or an exothermic (i.e. heat-releasing) reaction. Decreasing the amount of energy reduces the risk of equipment exceeding its design limits, or at least minimizes the potential damage if the limits are exceeded. For the reboiler example, a fail-safe design would trip the steam supply to the reboiler. In the exothermic reaction example, a fail-safe design would trip the feed to the reactor and/or the fuel to the reactor heater. The pressure control loop seen earlier is another example of fail-safe design.

Protection systems should indicate that a demand to perform a safety function has been made and that the necessary actions have been performed.

Manual vs. Automatic Operation of Interlock Systems

Operation of an interlock system may take place through either a manual or an automatic trip. In a manual trip, the interlock system is manually actuated from a switch or pushbutton, which may be located on a local panel in the field or in the control room. A manual trip allows an operator to trip the system independently of the interlock system in the event of a hazardous situation developing. An automatic trip, as the name implies, is automatically activated when a hazardous situation is detected. A common example is the de-energizing of a solenoid valve that fails a control valve to its safe position.

Manual vs. Automatic Reset of Interlocks

A tripped component (e.g. a solenoid valve) needs to be reset after a trip has been initiated. The reset may be done either automatically or manually.

A self-canceling interlock has an automatic reset that returns the interlock system to normal operation when the usual process conditions have been re-established or when the offending situation has been effectively dealt with.

A manual reset interlock requires the operator to re-initiate the process before continuing the operation of the equipment involved. This method is generally preferable to automatic reset because it requires an investigation of the possible causes of the trip. Positive action by the operating personnel to return the operating conditions to normal is required before the interlock can be cancelled. Manual reset on a solenoid valve is most commonly carried out by the use of a latching lever that locks the valve when a trip occurs. The lever must be unlatched to return the solenoid valve to its normal operation. Alternatively, a solenoid valve can simply be reset by the use of a pushbutton that energizes the valve. An example of an automatic trip system with manual reset is shown in the Figure, whereby an interlock system is used to protect the vessel against low liquid level.

When the liquid level in the vessel reaches the critical low level, this will be detected by the low low level switch (LSLL), which will trigger the interlock system to take protective measures. Under the system shown, the solenoid valve will be de-energized. This will cut off the instrument air (IA) supply. Loss of air will result in the chopper valve failing to its closed position, thus preventing the potential hazard caused by no liquid level in the vessel, which may have the consequence of vapor escaping through the bottom of the vessel. In addition, to protect the pump in the event of valve shut-off, the interlock system will trip the pump when activated. Chopper valve hand switches can be located at different locations for ease of access: (a) at the valve, (b) in the control room, (c) at a safe location, a minimum of 15 m away.

NOTE:

The solenoid valve has a manual reset, e.g. a latch that requires the operator to physically be in the field to unlatch it before continuing with the operation.

A separate detection system is used for low liquid level: the level transmitter (LT) and controller (LIC) are not used to activate the interlock system. The controller will, however, provide a low level alarm before the critical shutdown level is reached, so that appropriate corrective actions can be taken. Shutdown is usually only the last resort.

Proximity switches (ZSC and ZSO) provide feedback on the chopper valve position (open or closed).

Depending on the system, the pump RUN/STOP signal may be fed back by the system as well.

Interlock Bypass

There are processes or equipment that are often very difficult to start up, either initially or after a shutdown, if they are tripped on "low" conditions. To avoid this difficulty, some interlocks have bypasses that avoid the low trip contact until the equipment or unit is running and then clear themselves so that the trip action is in place again, i.e. when an abnormal low condition arises, the system will trip. This is often used on compressor start-up, when low speed will trip the unit. Sometimes a time-delay action is used, where a predetermined time is permitted to allow the process to reach its operating level. Bypasses may also be necessary in order to test components on-line without tripping protected equipment.

However, indiscriminate bypass of an interlock system will compromise the protection function of the system. A strict protocol should be followed when an interlock is bypassed. Usually only authorized personnel are permitted to bypass any interlock. This can be achieved using either a key or a manually operated switch. When a bypass is initiated, an alarm will be triggered.
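
The automatic trip, manual reset and timed bypass described above, sketched as a small Python model (an added example, not part of the original page). The class name, the 60-second bypass limit, the alarm labels and the rule that a reset is accepted while a bypass is active are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LowTripInterlock:
    """De-energize-to-trip interlock with latched trip, manual reset, keyed timed bypass."""
    bypass_limit_s: float = 60.0              # assumed predetermined start-up time
    tripped: bool = True                      # power-up state is the safe (tripped) state
    bypass_started: Optional[float] = None
    alarms: list = field(default_factory=list)

    def start_bypass(self, now, key_inserted):
        # Only an authorized (keyed) request is accepted; an accepted bypass raises an alarm.
        if not key_inserted:
            return False
        self.bypass_started = now
        self.alarms.append((now, "BYPASS_ACTIVE"))
        return True

    def _bypassed(self, now):
        if self.bypass_started is None:
            return False
        if now - self.bypass_started >= self.bypass_limit_s:
            self.bypass_started = None        # bypass clears itself; trip is armed again
            self.alarms.append((now, "BYPASS_CLEARED"))
            return False
        return True

    def scan(self, now, healthy):
        # healthy=False means low condition OR lost signal/power, so both trip.
        bypassed = self._bypassed(now)
        if not healthy and not bypassed and not self.tripped:
            self.tripped = True               # latched: stays tripped after recovery
            self.alarms.append((now, "TRIP_LOW"))
        # Tripped => solenoid de-energized (valve fails closed on loss of air), pump stopped.
        return {"solenoid_energized": not self.tripped, "pump_run": not self.tripped}

    def manual_reset(self, now, healthy):
        # Operator reset is refused while the low condition persists (unless bypassed).
        if self.tripped and (healthy or self._bypassed(now)):
            self.tripped = False
            self.alarms.append((now, "RESET"))
        return not self.tripped

if __name__ == "__main__":
    ilk = LowTripInterlock()
    ilk.start_bypass(now=0, key_inserted=True)    # constructed start-up sequence
    ilk.manual_reset(now=1, healthy=False)
    for t, healthy in [(30, False), (61, True), (70, False), (80, True)]:
        print(t, ilk.scan(t, healthy), ilk.alarms[-1])
```

The trip at t=70 stays latched at t=80 even though the condition has recovered, which is the difference between this and a self-canceling interlock.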
