Interlocked isolation valves – less is more?
“Those bloody interlocks”
“They are fine if you are starting in exactly the right place, doing exactly the right task and everything is working perfectly. Most of the time they are a complete nightmare.”
Process operator talking about a pig launcher.
Use of interlocks to reduce human error risk
Trend to more interlocks
Purchase and maintenance costs
Could they increase risks?
What are interlocks?
Means of making the state of components dependent on each other
One item cannot be operated unless another item is in its required state
Can be electrical, electronic or mechanical
Primarily concerned with ‘trapped key’ interlocks
Not computer controlled sequences such as ‘start-up permissives’
Use of trapped key interlocks
Ensure a spared item remains
Ensure an item is in its correct status before carrying out a task
Pig launcher is fully isolated before opening
Ensuring an item is fully isolated before carrying out a task
Steps performed in correct sequence.
Simple example – spared relief valves
Human factors of interlocking
Appears to provide a ‘fail safe’ control
“Remove the ‘human factor’ by ensuring dangerous processes happen only in a
Vendor of proprietary interlock system
“Enforce and guarantee a pre-defined sequence
of operation and so eliminate human error.”
Vendor of proprietary interlock system.
Is this true?
An interlock is only as good as the person maintaining it
When an interlock fails the operator is usually the only line of defence
Marsden et al 2003
Interlocks do fail
They can be defeated.
A critical look at the human factors
Assuming it is safe to operate a valve because the key fits.
Prone to design and maintenance failures
Being forced to continue with a sequence of steps that may not be the most effective or safe.
Proving isolation integrity
Using ‘master’ keys to override interlocks due to equipment problems or non-routine activities
Paying less attention because the perception is that a task cannot be done incorrectly.
Increased use of interlocks
Advances in technology and software to design
More interlocked steps
More complex interactions
Key exchange units
Integrated with PLC, DCS and SIS
Can’t be criticised for interlocking
May be criticised for not.
“Interlock arrangements may be provided as safety systems, particularly where they prevent
The guideline to the Pipelines Safety Regulations 1996 (HSE 1996)
“Pig launcher and pig receiver shall be equipped with an interlock system to prevent opening of isolation valves around the launcher when the launcher door is open.”
The NORSOK Standard P-100 for Process Systems
Goal is to open door ‘D’
To do this safely:
Close inlet valve ‘I’
Close outlet valve ‘O’
Open vent valve ‘V’
Monitor the vent to confirm successful isolation.
I left open – vessel not isolated – process release when D is opened
O left open – vessel not isolated – process release when D is opened
V is left closed – vessel remains pressurised – release of trapped material when D is opened
V is not monitored – integrity of isolation is not confirmed – possible release if I or O pass.
Error likelihood – no interlocks
Any of the potential errors is possible
Operator needs to think what they are doing
Will be very focussed on opening the vent before opening the door
May feel that monitoring the vent is not
Error likelihood – I and O interlocked
Cannot open the door until the vessel is isolated
Once both isolation valves are closed the operator will have the key to open the door
May be more inclined to overlook the requirement to open and monitor the vent.
Error likelihood – I, O and V interlocked
Cannot open the door until the vessel is isolated
Task requires very little thought – can’t be done
Will the operator even think about monitoring the
Error likelihood – V interlocked
Isolation valves may be left open
Errors will be discovered when vent is opened
May feel that monitoring the vent is not
Quantifying human error likelihood
Do not believe any of the numbers
Suggested rates (per operation)
Operator fully engaged in task and fully understands the need for the step - 0.001
Operator engaged in task but may not appreciate step significance - 0.01
Operator not engaged in task - 0.1
Error likelihood calculations
                     None    I+O     I+O+V   V
Vent not opened      0.001   0.01    0       0
Vent not monitored   0.01    0.01    0.1     0.01
Error likelihood     0.011   0.02    0.1     0.01
Key: 0.001 – Fully engaged; 0.01 – May not appreciate significance; 0.1 – Not engaged
Very likely that if an operator obtains Key D they will assume valves are in the correct state
Mechanical failures do occur
Someone may have used a Master Key
                                   None    I+O     I+O+V   V
Vent not opened                    0.001   0.01    0.1     0.1
Vent not monitored                 0.01    0.01    0.1     0.01
Error likelihood                   0.011   0.02    0.2     0.11
Previous result (interlocks reliable) 0.011   0.02    0.1     0.01
Simple example illustrates interlocks do not “Remove the human factor” or “Eliminate human error”
Quantification illustrates how human error
likelihood may increase due to interlocks
Especially when interlock failure is taken into account
Don’t believe the numbers
That was a very simple example
What is the solution?
We need to define strategies for interlocking
We need to be very careful about managing
interlock failures and overrides
What do you think?
Increased use of interlocks has improved safety?
Less is more?
This has been a bit of a hobby horse of mine for a couple of years. My concern has been that people assume interlocks make plant and equipment safe, and hence more interlocks must make things safer.
Late last year I was in a control room talking about safety critical tasks. Pipeline pigging was mentioned. This was how the operator responded. This was with no prompting from me – I hadn’t had a chance to mention interlocks at this stage.
We had a short discussion and established that there were a lot of interlocked steps, and this was causing a problem. If everything was done exactly to plan, the interlocks worked fine. But the real life experience was that this rarely happened and there were always problems they had to deal with.
These photos show multiple interlocks had been fitted and at least one key exchange unit was in use. I have blanked out the vendor’s logo to protect the guilty.
My main aim with this paper is to discuss the impact interlocks can have on human error risks.
I particularly wanted to explore the potential downside of the current trend to include more interlocks in our systems. This inevitably increases complexity and has immediate and longer term cost implications. But does it result in over-reliance, and could this actually result in risks being increased?
An interlock is a means of making the state of components dependent on each other. Typically this means one item cannot be operated unless another is in a required state. A simple example would be your washing machine, which will not operate unless its door is closed.
Interlocks can be achieved in a number of different ways. This paper is primarily concerned with ‘trapped key’ interlocks. This is where a key has to be inserted to operate an item, usually a valve, and once that item has been operated a different key is released that can be used to perform the next step. I am not talking about computer controlled sequences such as on a fired heater or compressor, which are sometimes called interlocks, but I would call ‘start-up permissives.’
The types of areas where trapped key interlocks are typically used include spared items. The purpose in this case is to make sure that at least one of the spared items is in its operational state at any time. Examples include spared relief valves, where interlocks may be used to make sure the spare is lined up before the online valve is isolated, and spared filters, where the interlock makes sure at least one is online at all times.
Another use of trapped key interlocks is to make sure an item is in the correct status before a task is performed. A good example of this is opening a pig launcher or receiver. Interlocks can be used to make sure isolation valves are closed before the door is opened. Opening a filter body for cleaning is another example.
Another use of interlocks, which is subtly different, is to make sure steps are performed in a required sequence. It can be applied to similar items, including pig launchers and filters, but is quite a lot more complex. In this case it is not good enough to simply know that an isolation valve is closed, because some valves may be opened and closed a number of times in performing the isolation.
Spared relief valves are a fairly simple example of where interlocks can be used, with some clear justification. The usual purpose of sparing the valve is to allow a standby to be available if the online valve starts to pass. It allows production to continue quite safely until an opportunity arises to shut down and remove the relief valve for calibration.
In this case each relief valve has a single isolation valve. We can manage with a single key that will only allow one valve to be closed at any time.
Unfortunately life is not always that simple. We may need to have the relief valves isolated on their outlet as well as their inlet. This doubles the number of valves, but will probably mean we need three keys instead of one. Immediately we see an increase in cost and complexity. And this is with single valve isolation. If we ever want to remove an isolation valve whilst the plant is online, we may need double-block-and-bleed isolation, which takes things to a whole new level.
The problem is, in my opinion, that interlocks appear to provide a fail safe solution. They create a physical barrier that prevents people making mistakes.
This is something perpetuated by vendors of proprietary systems. A quick look at their websites shows one claiming their interlocks “remove the human factor” and another claiming they can “eliminate human error.”
I don’t think interlocks eliminate risk, and they may even increase it.
As Janette Edmonds points out – an interlock is only as good as the person maintaining it. Hence they do not remove the human factor.
And Sara Marsden and colleagues pointed out that when interlocks do fail we are entirely reliant on the operator to deal with the problem.
And the reality is that interlocks do fail and they can certainly be defeated; these facts need to be considered when we are evaluating risks.
I believe there are a number of human factors issues associated with interlocks.
They certainly change the interaction the operator has with his or her plant and can affect their perception of risks. I think there is a very strong belief that if you have a key and it fits in a valve it must be safe to operate that valve. This can override other information that may be available indicating that there may be something wrong, and highlights that if we are going to use interlocks we need to be very precise with our design and keep them fully operational at all times.
One problem is that once we have interlocked steps we have taken away the operator’s ability to work flexibly to deal with real life situations. A good example of this is if the integrity of an isolation valve cannot be confirmed. Without interlocks the operator may repeat a step or consider using a different combination of valves. Interlocks will often prevent them doing this and they have to continue, even though they know there is a problem.
Master keys are generally available, to allow operators to deal with unforeseen situations. My view is that once a master key is in use the whole interlocking system has been defeated, but I don’t think this is necessarily how an operator would see it when working at the sharp end.
Ultimately I think one of the human factors issues is that operators start to pay less attention to what they are doing, feeling that the interlocks are making everything safe. In fact, when there are a lot of interlocked steps it becomes almost impossible to understand what is happening. Ironically, there can be a greater use of procedures, which appears to be a good thing, but often it is a necessity to know which key to use when, rather than what is being achieved by following the defined set of steps.
It appears to me that more interlocks are being used. This is partly due to vendors having clever software that allows them to offer a ‘full solution,’ which means they can interlock more steps and create more complex interactions. Of course this is good for their sales figures as they are able to sell more expensive systems.
Use of key exchange units certainly allows for more complex systems, and modern technology allows trapped key interlocks to be integrated with computer based systems such as PLC, DCS and SIS.
And for purchasers of these systems, whether they are the operating company or a designer, risk aversion is driving decisions. People feel they are unlikely to be criticised for specifying interlocks, but may be criticised if they don’t. Also, there may be a view that ‘brownie points’ will be gained with regulators etc. as they can prove that investment has been made to improve safety.
The problem is that there is very little relevant guidance. In fact this is all I could find.
The HSE pipelines guidance is very vague, saying interlocks may be provided.
The NORSOK guidance is more prescriptive, but does not say how many items or steps need to be isolated.
As is often the case, a void leaves things wide open for people to interpret this as they see fit. As vendors are fairly vocal on the subject, it is not a surprise that the trend is for more interlocks.
The remainder of my paper explores the human factors issues associated with interlocks using this very simple example.
In this case the goal is to open Door D on the vessel.
To do this we need to close the Inlet and Outlet isolation valves I and O. We then open vent V to depressurise the vessel. Also, we need to monitor the vent for some time to confirm that the isolation valves are holding OK.
Even with this simple system there are four potential errors:
Leaving I or O open will mean the vessel remains live to the process
Leaving V closed means the vessel will remain pressurised
Failing to monitor V means that if I or O pass then the door may be opened with a flow from the process continuing.
But it is important to note that there are different types of error possible. In fact, as long as V is opened and monitored, any error resulting in I or O being left open will be discovered. Hence, it can be argued that these are the most critical steps.
I would first like to look at what will influence error likelihood if we do not have any interlocks.
It is true that any of the identified errors can occur, but I think it is reasonable to assume that the operator will be thinking quite carefully about what they are doing. In particular, I think they would be very unlikely to open the door without first opening the vent. And if they do that they are very likely to identify if one of the isolation valves has been left open.
However, the requirement to monitor the vent may not be so clear. It seems quite likely that if they open the vent and there is no obvious problem they will assume it is OK to open the door. Hence there is a risk of a process release.
If we decide that interlocks should be used, we then need to decide what to interlock.
We may decide that isolating the vessel is the most important thing, as if we don’t do this we will get a significant process release.
One problem I can see here is that once I and O are closed the operator will have the key to open the door. This could be quite a strong signal that they can proceed without opening the vent. This will result in a release of the material contained in the vessel. This is likely to be less than a process release that would occur if an isolation valve had been left open. But it is still a very undesirable outcome.
Another factor is that if the operator has failed to open the vent they will almost certainly fail to monitor the vent. Hence, if a valve does pass a process release will occur.
This illustrates that this partial interlocking increases the likelihood of some of the potential errors.
Based on the previous slide, we may conclude that a full interlock solution is required. In this case the isolation valves will have to be closed and the vent open before the key to open the door is released. This is clearly the status we want, but I think it is reasonable to assume that the operator will be thinking even less about the task they are performing and will be even more susceptible to the signal that having the key to the door must mean it is safe to open. In this case, I think it is very unlikely that they would consider monitoring the vent to be important or even understand why it may be required.
An alternative option is to only interlock the vent. This creates a simpler (and cheaper) system, and as pointed out previously, opening the vent is very likely to allow isolation errors to be discovered. We still have this strong signal that having the key to the door must mean it is safe to open, and again monitoring the vent may be overlooked.
My qualitative assessment has highlighted how different uses of interlocks may influence human error likelihood. It would be useful if we could quantify this to decide which is the best.
The first thing to say is that this is not possible. Definitely do not believe any of the numbers I use on the next couple of slides. In fact, please do not believe any human error likelihood numbers you see anywhere, they are all wrong.
However, using numbers can help us to understand the issues. So here goes.
I have decided to use these human error rates, depending on the operator’s engagement in the task.
So if they are fully engaged and thinking carefully about what they are doing they may get it wrong once in every 1000 operations.
If they are partially engaged this may increase to one in every 100 and if not engaged at all this may be one in 10.
As I said, don’t believe these numbers, but we could at least discuss whether they are in the right ballpark if you ever wanted to examine the results more carefully. And they would allow some sensitivity analysis to be carried out, which I think should always be done whenever you try to quantify human error rates but is something that seems to be overlooked most of the time.
So I am only looking at the two key errors of not opening the vent and not monitoring the vent. This is because, if you do these steps you will discover errors in isolation.
So this is what I have come up with.
With no interlocks it seems reasonable that the operator will be fully engaged and be very keen to open the vent. Hence this is given the lowest likelihood on the scale. However, they may be less focussed on monitoring the vent and so that is given the next likelihood.
If we interlock the isolation valves the operator is less engaged in the task. This means they are more likely to overlook opening the vent. If they do open the vent, the likelihood of them not monitoring it is probably the same as the non-interlocked scenario.
We can see straight away that the human error likelihood has increased.
The next one is to interlock all the valves. In this case I have concluded this will mean the operator will have very little engagement in the task so the likelihood of them monitoring the vent is reduced. There is only one potential error, but it becomes likely.
The final scenario is where the vent is interlocked. I have concluded that because fewer steps are interlocked the likelihood of not monitoring the vent is the same as for the first two scenarios. Based on these numbers the error likelihood for this arrangement is the least.
Now I fully appreciate that this is far from the full picture. It only gives human error likelihood and not risk, and each error type is associated with different potential consequences and so the risks will be different. However, the key selling message for interlocks is that they prevent human errors, which I think these calculations show is not the case.
The previous calculations assume that the interlocks are 100% reliable. But we know that is not the case. The problem is that once the operator has key D they are very likely to assume it is safe to open the door. But it is possible that the key became available due to a mechanical failure or someone using a master key.
In this case I decided that the error rates will only change if the fault affects an interlock on the vent. This is because, once again this is a key step in its own right and allows other errors to be discovered.
As you can see this significantly changes the results for the 3rd and 4th scenarios. In particular, if we only interlock the vent, a failure of that interlock is going to have a much bigger impact on operator behaviour, although the likelihood is still less than the total interlock scenario.
Again, I do recognise that this is not the full picture as it does not include the likelihood of an interlock failure, just the error likelihood if there is a failure. But it does at least highlight the importance of maintaining interlocks, not allowing tasks to continue if there is a fault with an interlock, and keeping very strict control of master keys and any other override mechanism.
My aim has been to use this very simple example to highlight that interlocks do not, despite the marketing hype, either remove the human factor or eliminate human error. In fact, the quantified results illustrate that interlocks may well increase the likelihood of errors, especially when interlock failure is taken into account.
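To make the two error-likelihood tables reproducible, here is an added Python model (my own, not part of the paper) that scores each strategy with the paper's engagement-based rates and its simple addition of the two step rates, and adds the sensitivity check the paper recommends by scaling the 'not engaged' rate. The rates, the engagement assignments and the assumption that a failed interlock leaves the operator 'not engaged' with the protected step follow the slides; the function names, the `sensitivity` check and the scaling factors are my own.

```python
"""Human error likelihood for the pig-launcher interlocking example.

Added worked example, not the paper's own code. Rates and engagement
assignments are the paper's illustrative values, not measured data.
"""

# Suggested error rates per operation, by operator engagement (paper's values).
RATES = {"fully_engaged": 0.001, "may_not_appreciate": 0.01, "not_engaged": 0.1}

# Engagement assumed for each critical step under each strategy (paper's
# reasoning). None marks a step the interlock enforces: it cannot be omitted
# while the interlock is intact.
STRATEGIES = {
    "None":  {"vent_not_opened": "fully_engaged",
              "vent_not_monitored": "may_not_appreciate"},
    "I+O":   {"vent_not_opened": "may_not_appreciate",
              "vent_not_monitored": "may_not_appreciate"},
    "I+O+V": {"vent_not_opened": None,
              "vent_not_monitored": "not_engaged"},
    "V":     {"vent_not_opened": None,
              "vent_not_monitored": "may_not_appreciate"},
}


def step_rate(engagement, interlock_failed=False, rates=RATES):
    """Error rate for one step. An intact interlock forces the step (rate 0);
    if it has failed (mechanical fault or master key) the paper assumes the
    operator holding key D is not engaged with that step at all."""
    if engagement is None:
        return rates["not_engaged"] if interlock_failed else 0.0
    return rates[engagement]


def error_likelihood(strategy, interlock_failed=False, rates=RATES):
    """Per-step rates plus the paper's total, which simply adds the two rates."""
    result = {name: step_rate(eng, interlock_failed, rates)
              for name, eng in STRATEGIES[strategy].items()}
    result["total"] = round(sum(result.values()), 6)
    return result


def ranking(interlock_failed=False, rates=RATES):
    """Strategies ordered from lowest to highest total error likelihood."""
    return sorted(STRATEGIES,
                  key=lambda s: error_likelihood(s, interlock_failed, rates)["total"])


def sensitivity(factor, interlock_failed=False):
    """Added check: ranking after scaling the 'not engaged' rate by `factor`."""
    scaled = dict(RATES, not_engaged=RATES["not_engaged"] * factor)
    return ranking(interlock_failed, scaled)


def print_table(interlock_failed=False):
    title = "interlock failed" if interlock_failed else "interlocks intact"
    print(f"{title:<22}" + "".join(f"{s:>8}" for s in STRATEGIES))
    for step in ("vent_not_opened", "vent_not_monitored", "total"):
        row = [error_likelihood(s, interlock_failed)[step] for s in STRATEGIES]
        print(f"{step:<22}" + "".join(f"{v:>8g}" for v in row))


if __name__ == "__main__":
    print_table(False)
    print_table(True)
    print("ranking, intact:", ranking())
    print("ranking, failed:", ranking(True))
    print("ranking, failed, 'not engaged' rate x0.05:", sensitivity(0.05, True))
```

Scaling the 'not engaged' rate down far enough reverses the ranking under interlock failure, which is the point of the sensitivity check: the conclusion depends on how disengaged the operator is assumed to be.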
Once again I want to emphasise that you should not believe the numbers.
But I also want you to remember that this was a very simple example. Real life systems have many more steps that may be interlocked. And I think this can amplify the influences on operator behaviour, especially as complexity means they are less able to understand what they are doing and are less likely to engage.
I want you to think about what interlocking strategy you use, and to think whether you have any guiding principles you follow if any.
If nothing else, this paper has shown that failures of interlocks do occur and can have a very large impact on human error likelihood.
So what do you think?
Is the current trend to more interlocks a good thing, or am I right to say less is more? If I am right, what do we need to do?