2.3 Electronic Interlocks (“Stop the line” governance, authority matrix)

An Electronic Interlock is the digital equivalent of a physical barrier. It is a binary constraint that prevents the manufacturing process from advancing when conditions are unsafe, incorrect, or unknown. Unlike a "Warning" (which operators can ignore), an Interlock kills the "Start" signal. It removes "hope" from the production equation.

The Logic of the Stop

Interlocks must be deterministic. If the criteria are not met, the machine must not move. Divide your interlocks into three tiers of severity.

Tier 1: Data Integrity & Setup (The "Start" Gate)

Condition: Wrong Material scanned.
Condition: Wrong Tooling / Fixture ID.
Condition: Operator Certification Expired.
Logic: If Setup ≠ BOM Requirement → Then Disable Machine Cycle Start.

Tier 2: Sequence & Quality (The "Process" Gate)

Condition: Unit skipped the previous operation (e.g., trying to Test before Assembly).
Condition: Unit failed previous test and was not repaired.
Logic: If Previous Step Status ≠ "PASS" → Then Reject Unit immediately.

Tier 3: Equipment Health (The "Safety" Gate)

Condition: Calibration Date expired.
Condition: Recipe Checksum mismatch.
Condition: E-Stop circuit open.
Logic: If Machine Health = "Critical" → Then Hard Stop.

Pro-Tip: Do not interlock on "Soft" parameters like Efficiency or OEE. Stopping the line because it is running slow is a self-fulfilling prophecy. Interlock only on Safety, Quality, and Identity.

The Authority Matrix: Who Holds the Keys?

An interlock exists to force an escalation. If an Operator could bypass it, the interlock would be useless. Hard-code these permission levels into the MES/SCADA User Groups.

Role	Authority Level	Can Override?	Scope of Control
Operator	Level 0	No	Can acknowledge alarms, but cannot clear a process block.
Line Lead	Level 1	Limited	Can override "Setup Mismatch" (e.g., Alternative Part usage) if validated.
Process Eng	Level 2	Yes	Can override Process/Recipe limits for troubleshooting/NPI.
Quality Mgr	Level 3	Yes	Can override "Failed Previous Step" (e.g., for specialized rework flows).
Plant Mgr	Level 4	Absolute	Emergency Run Mode (The "Break Glass" scenario).

Override Governance: The "Bypass" Lifecycle

A permanent override is a broken process. Treat an override as a Temporary State, not a transactional event.

Forced Logging

Requirement: No override can be executed without a Reason Code and a Comment.
Audit Trail: "User X bypassed Interlock Y on Unit Z at Time T. Reason: 'Sensor drift, verified manual check'."

Auto-Expiry (The Dead Man's Switch)

Never allow an override to persist indefinitely.

Time-Bound: If Override Active > 4 Hours → Then Auto-Revoke.
Quantity-Bound: If Units Processed > 50 → Then Auto-Revoke.
Shift-Bound: If Shift Ends → Then Auto-Revoke.

The "Red Light" Indication

Visual Management: When an override is active, the Andon light must flash Blue (or defined Maintenance color).
Logic: The floor must see that the safety net is down.

Emergency Protocols

Sometimes the MES fails while the machine works. You need a "Business Continuity" mode.

The "Emergency Run" Mode

Trigger: MES Server Down or Network Failure.
Authority: Requires Plant Manager Physical Key (or Digital Token).
Action: Disables all Data Interlocks.
Risk: Traceability is lost. Quality is unverified.
Recovery: All units produced in this mode are automatically flagged "Quarantine" in ERP. They must be manually scanned/re-verified when the system restores.

Final Checklist

Category	Metric / Control	Threshold / Rule
Integrity	Sequence Check	100% of units checked for "Previous Pass" status.
Access	Segregation	Operators have 0 capability to bypass interlocks.
Audit	Forced Comment	Override requires min. 10 chars of text explanation.
Safety	Time Limit	All overrides auto-expire after Max 4 Hours (configurable).
Risk	Visual Alert	Active Override triggers visual Andon alert.
Continuity	Quarantine	"Emergency Run" units default to "Hold" status.
Calibration	Lockout	Machine locks out immediately at Calibration_Date + 1 Day.