An Interlock defines safety protection logic following ISA-88 batch control standards. When a cause condition is met, the interlock triggers a protective effect and optionally drives equipment to defined safe states. Interlocks are critical for process safety, equipment protection, and regulatory compliance.
💡 In pharmaceutical terms: Interlocks are the safety net of your process. They prevent unsafe operations (e.g., "don't start CIP if the drain valve is still open") and automatically respond to dangerous conditions (e.g., "if pressure exceeds 6 bar, close all valves immediately"). In a GMP environment, interlocks are typically documented in the Functional Design Specification (FDS) and validated during commissioning.
📋 Properties
Identity
| Property | Type | Description |
|---|---|---|
| Name | Text | Unique identifier for the interlock (e.g., "TankOverflowGuard") |
| Description | Text | Detailed description of the interlock's purpose |
🎯 Scope and Target
| Property | Type | Default | Description |
|---|---|---|---|
| Scope | Selection | Phase | Where the interlock applies: Control Module (single device), Equipment Module (coordinated group), Phase (ISA-88 phase), or Unit (PID-level coordination) |
| Target Object Name | Text | — | Name of the target object (valve, equipment module, phase, or PID) |
| Target Object ID | Reference | — | Internal reference for lookup |
🏷️ Classification
| Property | Type | Default | Description |
|---|---|---|---|
| Type | Selection | Command permissive | The interlock type (see the Interlock Types table below) |
| Effect | Selection | Inhibit command | The protective action taken (see the Interlock Effects table below) |
⏱️ Condition and Timing
| Property | Type | Default | Description |
|---|---|---|---|
| Cause Condition | Text | — | The expression that triggers the interlock |
| Active In States | Flags | Running | Which ISA-88 states to monitor (combinable): Idle, Running, Holding, Held, Restarting, Stopping, Stopped, Aborting, Aborted, Complete, Starting |
| On Delay (seconds) | Decimal | 0 | Time the condition must persist before triggering |
| Off Delay (seconds) | Decimal | 0 | Time the condition must clear before resetting |
| Deadband | Decimal | 0 | Deadband value to prevent chattering |
🔒 Safe Actions
Each interlock can define a list of Safe Actions — commands sent to equipment when the interlock fires:
| Property | Type | Description |
|---|---|---|
| Valve Name | Text | Name of the valve/device to act on |
| Target State Name | Text | The safe state to drive the valve to (e.g., "Closed") |
| Target Percent | Integer | Target percentage (-1 means not applicable) |
🔄 Latching and Reset
| Property | Type | Default | Description |
|---|---|---|---|
| Is Latched | Yes/No | No | Whether the interlock remains active after the cause clears |
| Reset Policy | Selection | Manual reset | Auto-reset (clears automatically), Manual reset (operator reset), Supervisor reset (supervisor role), or Maintenance reset (maintenance role) |
| Reset Prerequisites | Text | — | Prerequisite conditions that must be met before reset is allowed |
🔑 Bypass
| Property | Type | Default | Description |
|---|---|---|---|
| Bypass Policy | Selection | Not bypassable | Not bypassable, Operator bypass (timed expiry), Supervisor bypass, Maintenance bypass (unit must be idle), or Electronic signature required (per GMP/21 CFR Part 11) |
| Bypass Max Duration (min) | Integer | 60 | Maximum time the interlock can be bypassed |
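As an added example (not the product's own code), the following Python evaluator shows how the On Delay, Off Delay and Deadband properties, the Is Latched / Reset Policy / Reset Prerequisites properties, and the Bypass Policy / Bypass Max Duration properties from the three tables above combine into one interlock state machine. The limits, timings, role-per-policy tables and the cause condition shape (`value > high_limit`) are assumptions for illustration; the Maintenance bypass "unit must be idle" check is not modelled.

```python
"""Added example, not the product's own code: an evaluator for the Condition and
Timing, Latching and Reset, and Bypass properties. Limits, timings and the
role-per-policy tables are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

RESET_ROLES = {                         # assumed role hierarchy per Reset Policy
    "Manual reset": {"operator", "supervisor", "maintenance"},
    "Supervisor reset": {"supervisor", "maintenance"},
    "Maintenance reset": {"maintenance"},
}                                       # Auto-reset: no role, clears in update()
BYPASS_ROLES = {                        # assumed role hierarchy per Bypass Policy
    "Operator bypass": {"operator", "supervisor", "maintenance"},
    "Supervisor bypass": {"supervisor", "maintenance"},
    "Maintenance bypass": {"maintenance"},
    "Electronic signature required": {"supervisor", "maintenance"},
}                                       # Not bypassable: absent, so no role matches

@dataclass
class Interlock:
    name: str
    high_limit: float                   # cause condition: value > high_limit
    on_delay: float = 0.0               # s the cause must persist before firing
    off_delay: float = 0.0              # s the cause must be clear before clearing
    deadband: float = 0.0               # hysteresis below high_limit
    is_latched: bool = False
    reset_policy: str = "Manual reset"
    bypass_policy: str = "Not bypassable"
    bypass_max_duration: float = 60.0   # minutes
    condition: bool = False             # raw cause, after deadband
    active: bool = False                # fired, with delays and latch applied
    bypass_until: Optional[float] = None
    _cond_since: Optional[float] = None
    _clear_since: Optional[float] = None

    def update(self, value: float, now: float) -> bool:
        """Evaluate at time `now` (s); True means enforced (active, not bypassed)."""
        # Hysteresis: trip above the limit, clear only below limit - deadband.
        edge = self.high_limit - (self.deadband if self.condition else 0.0)
        self.condition = value > edge
        if self.condition:
            self._clear_since = None
            self._cond_since = now if self._cond_since is None else self._cond_since
            if now - self._cond_since >= self.on_delay:
                self.active = True
        else:
            self._cond_since = None
            self._clear_since = now if self._clear_since is None else self._clear_since
            # A latched interlock stays active until reset(); others auto-clear.
            auto = not self.is_latched or self.reset_policy == "Auto-reset"
            if auto and now - self._clear_since >= self.off_delay:
                self.active = False
        if self.bypass_until is not None and now >= self.bypass_until:
            self.bypass_until = None        # timed bypass has expired
        return self.active and self.bypass_until is None

    def reset(self, role: str, prerequisites_met: bool = True) -> bool:
        """Clear a latched interlock: cause gone, prerequisites met, role allowed."""
        if not self.active or self.condition or not prerequisites_met:
            return False
        if role not in RESET_ROLES.get(self.reset_policy, set()):
            return False
        self.active = False
        return True

    def request_bypass(self, role, now, minutes, signed=False) -> bool:
        """Grant a timed bypass, capped at Bypass Max Duration, if policy allows."""
        if role not in BYPASS_ROLES.get(self.bypass_policy, set()):
            return False
        if self.bypass_policy == "Electronic signature required" and not signed:
            return False
        self.bypass_until = now + min(minutes, self.bypass_max_duration) * 60.0
        return True

def run_overflow_demo():
    # TankOverflowGuard: 2 s on delay, 1 s off delay, 2 % deadband at 95 %.
    guard = Interlock("TankOverflowGuard", 95.0, on_delay=2, off_delay=1, deadband=2)
    # Constructed trace (s, % level): the dip to 94 % at t=4 is inside the deadband.
    trace = [(0, 90), (1, 96), (2, 96), (3, 96), (4, 94), (5, 94), (6, 92), (7, 92)]
    fired, cleared, was_on = [], [], False
    for t, level in trace:
        is_on = guard.update(level, t)
        if is_on and not was_on:
            fired.append(t)
        elif was_on and not is_on:
            cleared.append(t)
        was_on = is_on
    return fired, cleared             # sample times at which it fired / cleared

def run_trip_demo():
    # PressureTripAbort: latched, Supervisor reset, e-signature bypass.
    trip = Interlock("PressureTripAbort", 6.0, is_latched=True,
                     reset_policy="Supervisor reset",
                     bypass_policy="Electronic signature required")
    trip.update(6.5, 0)                         # fires at once: no on delay
    still_active = trip.update(5.0, 1)          # cause cleared, latch holds
    operator_ok = trip.reset("operator")        # wrong role: refused
    supervisor_ok = trip.reset("supervisor")    # allowed: cleared
    unsigned = trip.request_bypass("supervisor", 2, 30)
    signed = trip.request_bypass("supervisor", 2, 30, signed=True)
    suppressed = trip.update(6.5, 100)          # fires but is bypassed
    enforced = trip.update(6.5, 2 + 30 * 60)    # bypass expired: enforced
    return still_active, operator_ok, supervisor_ok, unsigned, signed, suppressed, enforced
```

`run_overflow_demo()` returns `([3], [7])`: the guard fires at t=3 once the level has been above 95 % for the 2 s on delay, rides through the dip to 94 % because that is still above the 93 % deadband edge, and clears at t=7 after the level has been below the edge for the 1 s off delay. `run_trip_demo()` shows the latched trip staying active after the cause clears, an operator reset being refused under Supervisor reset, an unsigned bypass being refused under Electronic signature required, and the signed bypass expiring after its 30 minutes so the interlock is enforced again.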
📡 Notification and Messaging
| Property | Type | Default | Description |
|---|---|---|---|
| Notification | Flags | HMI Popup + Historian Log + Audit Trail | Combinable: HMI Popup, Horn, Light, Email, SMS, Historian Log, Audit Trail, Batch Record |
| Operator Message | Text | — | Message displayed to the operator when the interlock fires |
| Operator Guidance | Text | — | Step-by-step guidance for the operator to resolve the condition |
📝 Audit and Testing
| Property | Type | Description |
|---|---|---|
| Event Audit Requirements | Text | Audit trail requirements for this interlock |
| Test Note | Text | Testing notes and acceptance criteria |
🔧 Interlock Types
| Type | What It Means | Example |
|---|---|---|
| Command permissive | Guards start/restart/resume commands — prevents an action from being initiated | "Tank must be empty before CIP start" |
| Runtime hold | Runtime violation causes a recoverable HOLD — the process pauses and can be resumed | "Temperature out of range during circulation" |
| Trip / Abort | Immediate shutdown — non-recoverable, latched, requires investigation | "Pressure exceeds safety limit" |
| Transition permissive | Guards step/phase progression — prevents moving to the next step | "Drain must complete before next step" |
| Mode exclusivity | Prevents incompatible modes or activities from running simultaneously | "Cannot run CIP while production is active" |
| Lineup proof | Verifies valve/pump feedback matches expected positions before proceeding | "All valves confirmed in position before start" |
| Instrument health check | Monitors for bad signal, communication loss, or out-of-range readings | "Temperature transmitter signal lost" |
| Quality gate | Enforces quality readiness before allowing transitions | "Clean Ready / Sterile Ready / Production Ready" |
| Bypass rule | Controlled suppression with audit trail and electronic signature | "Maintenance bypass with electronic signature" |
⚡ Interlock Effects
| Effect | What It Does | ISA-88 Result |
|---|---|---|
| Inhibit command | Command is rejected, equipment state unchanged | No state change |
| Force hold state | Running → Holding → Held (recoverable pause) | Recoverable |
| Force abort | Running → Aborting → Aborted (non-recoverable) | Non-recoverable |
| Block transition | Cannot proceed to next step or complete current phase | Blocks progression |
| Inhibit mode change | Prevents switching between operational modes | No mode change |
| Force stop | Running → Stopping → Stopped (orderly shutdown) | Orderly shutdown |
📖 How To: Configure Interlocks for a CIP System
1. Identify safety risks — Review your process design and list all conditions that could endanger personnel, equipment, or product quality.
2. Open Module Data — Navigate to the Data panel in the Module Ribbon and open the Module Data window.
3. Go to the Interlocks tab — Select the Interlocks section.
4. Create interlock definitions — For each risk, create an interlock with the appropriate type and effect:
   - Command permissives for pre-start checks
   - Runtime holds for recoverable deviations
   - Trip / Abort for safety-critical conditions
5. Define safe actions — Specify which valves should be driven to safe positions when the interlock fires (e.g., close all inlet valves, open drain).
6. Set latching and reset policies — Safety-critical interlocks should be latched with "Supervisor reset" or "Maintenance reset". Less critical interlocks can use "Auto-reset".
7. Configure bypass policies — Only use bypass for maintenance scenarios, and always require "Electronic signature required" for GMP-critical interlocks.
8. Add operator guidance — Write clear messages and step-by-step instructions so operators know exactly how to respond.
🏭 Example: SIP (Sterilization in Place) Interlocks
| Interlock | Type | Cause Condition | Effect | Safe Actions |
|---|---|---|---|---|
| SteamTempConfirm | Command permissive | Steam temperature < 121 °C | Inhibit command | — (prevents SIP start until steam is hot enough) |
| SIPOverpressure | Trip / Abort | Pressure > 3.5 bar | Force abort | Close steam valve, open vent valve |
| CondensateDrainBlocked | Runtime hold | Condensate level > 80% | Force hold state | Open condensate drain valve |
| SterileBreachGuard | Quality gate | Sterile boundary valve opened unexpectedly | Block transition | Close all sterile boundary valves |
| TempTransmitterFault | Instrument health check | TT-201 signal lost | Force hold state | Close steam valve (safe state) |
🏭 Pharma context: During SIP, the system must maintain ≥121 °C for a validated hold time. The "SteamTempConfirm" command permissive prevents the SIP process from starting until the steam supply is confirmed at temperature. The "SIPOverpressure" trip protects against pressure vessel failure.
🏭 Example: CIP Safety Interlocks
| Interlock | Type | Cause Condition | Effect | Safe Actions |
|---|---|---|---|---|
| TankOverflowGuard | Runtime hold | Level > 95% | Force hold state | Close inlet valve, open drain |
| PressureTripAbort | Trip / Abort | Pressure > 6.0 bar | Force abort | Close all valves |
| DrainCompleteGate | Transition permissive | Level > 2% | Block transition | — |
| CIPStartPermissive | Command permissive | Valves not confirmed in position | Inhibit command | — |
| TempTransmitterFault | Instrument health check | TT-101 signal bad | Force hold state | Close steam valve |
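As an added example (not the product's own code), the Python below encodes the five CIP interlocks from the table above as data, following the type-and-effect choices from the "How To" procedure, and scans them against constructed process snapshots so that each Effect resolves to the ISA-88 state path listed in the Interlock Effects table. The tag names, the `ValvesInPosition` lineup flag, the valve set behind "Close all valves", and the abort > stop > hold precedence used when several interlocks fire in one scan are assumptions; the page specifies the interlocks, not the scan engine.

```python
"""Added example, not the product's own code: the CIP interlocks tabulated on the
page as data, scanned against constructed process values. Tag names, the lineup
flag and the valves behind "Close all valves" are assumed."""

# Effect -> ISA-88 path (transient, final), from the Interlock Effects table.
# Inhibit command / Block transition change no state, so they are not listed.
EFFECT_PATH = {
    "Force abort": ("Aborting", "Aborted"),
    "Force stop": ("Stopping", "Stopped"),
    "Force hold state": ("Holding", "Held"),
}
# Assumed precedence when several forcing interlocks fire in the same scan.
EFFECT_PRIORITY = ("Force abort", "Force stop", "Force hold state")
PRIORITY_RANK = {e: i for i, e in enumerate(EFFECT_PRIORITY)}
# Commands a permissive may guard, and the state they lead to when allowed.
COMMAND_TARGET = {"Start": "Running", "Complete": "Complete"}

CIP_INTERLOCKS = [
    {"name": "TankOverflowGuard", "type": "Runtime hold", "active_in": {"Running"},
     "guards": None, "cause": lambda pv: pv["Level"] > 95.0, "effect": "Force hold state",
     "safe_actions": [("InletValve", "Closed"), ("DrainValve", "Open")]},
    {"name": "PressureTripAbort", "type": "Trip / Abort", "active_in": {"Running", "Held"},
     "guards": None, "cause": lambda pv: pv["Pressure"] > 6.0, "effect": "Force abort",
     "safe_actions": [("InletValve", "Closed"), ("DrainValve", "Closed"), ("SteamValve", "Closed")]},
    {"name": "DrainCompleteGate", "type": "Transition permissive", "active_in": {"Running"},
     "guards": "Complete", "cause": lambda pv: pv["Level"] > 2.0, "effect": "Block transition",
     "safe_actions": []},
    {"name": "CIPStartPermissive", "type": "Command permissive", "active_in": {"Idle"},
     "guards": "Start", "cause": lambda pv: not pv["ValvesInPosition"], "effect": "Inhibit command",
     "safe_actions": []},
    {"name": "TempTransmitterFault", "type": "Instrument health check", "active_in": {"Running"},
     "guards": None, "cause": lambda pv: pv["TT-101 quality"] != "Good", "effect": "Force hold state",
     "safe_actions": [("SteamValve", "Closed")]},
]


def scan(pv, state, command=None):
    """One interlock scan for a phase in `state`, optionally with a pending command.
    Returns (state path, fired interlock names, safe actions, rejected command)."""
    # A permissive is only consulted while the command it guards is being attempted.
    fired = [il for il in CIP_INTERLOCKS
             if state in il["active_in"] and il["guards"] in (None, command) and il["cause"](pv)]
    names = [il["name"] for il in fired]
    # Issue safe actions highest priority first; when two interlocks disagree on
    # the same valve, the higher-priority interlock's safe state wins.
    ordered = sorted(fired, key=lambda il: PRIORITY_RANK.get(il["effect"], len(EFFECT_PRIORITY)))
    actions, seen = [], set()
    for il in ordered:
        for valve, target in il["safe_actions"]:
            if valve not in seen:
                seen.add(valve)
                actions.append((valve, target))
    # 1. Forcing effects drive the state machine; the highest-priority one wins.
    for effect in EFFECT_PRIORITY:
        if any(il["effect"] == effect for il in fired):
            return (state,) + EFFECT_PATH[effect], names, actions, None
    # 2. Permissives only matter when a command is pending: reject it, keep the state.
    if command is not None:
        if any(il["effect"] in ("Inhibit command", "Block transition") for il in fired):
            return (state,), names, actions, command
        return (state, COMMAND_TARGET[command]), names, actions, None
    return (state,), names, actions, None


# Constructed healthy process snapshot; scenarios override single values.
GOOD = {"Level": 50.0, "Pressure": 4.0, "ValvesInPosition": True, "TT-101 quality": "Good"}


def run_scenarios():
    """Walk the CIP phase through start, overflow, overpressure and drain-out."""
    start_rejected = scan(dict(GOOD, ValvesInPosition=False), "Idle", command="Start")
    started = scan(GOOD, "Idle", command="Start")
    overflow = scan(dict(GOOD, Level=97.0), "Running")
    # Overflow and overpressure in one scan: the abort outranks the hold, and its
    # "close all valves" safe state overrides the overflow guard's "open drain".
    both = scan(dict(GOOD, Level=97.0, Pressure=6.5), "Running")
    drain_blocked = scan(dict(GOOD, Level=5.0), "Running", command="Complete")
    drained = scan(dict(GOOD, Level=1.0), "Running", command="Complete")
    return start_rejected, started, overflow, both, drain_blocked, drained
```

`run_scenarios()` returns one tuple per scenario: the start command is rejected by `CIPStartPermissive` while the lineup is unconfirmed and accepted once it is; an overflow in Running yields the path `Running → Holding → Held` with the inlet closed and the drain opened; overflow plus overpressure yields `Running → Aborting → Aborted` with the abort's closed-valve safe states taking precedence; and `DrainCompleteGate` blocks the Complete transition at 5 % level but lets it through at 1 %.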
🔗 Related Pages
- 📋 Module Data — All module data types
- 🚨 Alarm — Alarm monitoring that may trigger interlocks
- 🔁 Control Loop — Control loops with interlock integration
- 🔵 State — States used in safe actions
- 🧠 Algorithm Design — Condition logic
- 📐 Process Design — Process steps that interlocks protect