IEC TR 61497-1998: Nuclear Power Plants — Electrical Interlocks for Safety Systems

IEC TR 61497-1998 is a technical report that provides design principles and recommendations for electrical interlocks within nuclear power plant safety systems. Electrical interlocks form a critical layer of defense between the plant protection system (which initiates safety actions) and the actuated equipment (such as valves, breakers, and pumps). This report addresses the unique requirements of interlocks in nuclear environments, including fail-safe design, diversity, testability, and independence from software-based logic.

Tip: The term “interlock” in nuclear I&C refers specifically to hardwired logic paths that enforce pre-conditions for safety actions — distinct from software-based protection logic covered in IEC 60880.

1. Interlock Architecture and Classification

IEC TR 61497 classifies electrical interlocks according to their safety function and the consequences of their failure:

Interlock Type        | Function                                          | Failure Consequence                | Design Redundancy
----------------------|---------------------------------------------------|------------------------------------|--------------------------------
Preventive Interlock  | Prevents an action unless pre-conditions are met  | May block required safety action   | 2-out-of-2 (2oo2) preferred
Permissive Interlock  | Allows action only when conditions are satisfied  | Unintended actuation or blockage   | 1-out-of-2 (1oo2) with testing
Sequencing Interlock  | Enforces correct order of operations              | Equipment damage or process upset  | 2-out-of-3 (2oo3) for high risk
Protective Interlock  | Directly initiates a safety function              | Loss of safety function            | Quadruple redundancy (4oo4)

Each interlock type imposes different redundancy requirements. Protective interlocks — those that directly trigger reactor trip or emergency core cooling — require the highest level of redundancy and must be physically separate from non-safety control logic. The standard recommends that protective interlock logic be implemented in hardwired relay or solid-state circuits rather than programmable logic controllers to avoid common-cause software failures.

Warning: A single failure in a preventive interlock can render a safety system inoperable. Always validate the interlock logic’s coverage of single failure criteria as defined in the plant’s safety analysis report.

2. Fail-Safe Design Principles and Diversity

The standard emphasizes three fundamental principles for nuclear safety interlock design:

2.1 Fail-Safe State Definition

Every interlock must have an unambiguous fail-safe state. For de-energize-to-trip (DTT) systems, the fail-safe state is defined as coil de-energized (contacts open). The standard mandates that the fail-safe state must correspond to the safest plant condition, even if it causes a plant shutdown. Component failures (e.g., welded contacts, broken wires, shorted diodes) must all drive the interlock toward the fail-safe state.
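As an added illustration (not from the report), the following Python script injects the single component failures named above (broken wire, welded contact) into each channel of an m-out-of-n de-energize-to-trip interlock and checks whether the vote still lands in the fail-safe state; the voting schemes are the ones from the classification table, while the channel model and failure-mode table are assumptions made for this example.

```python
from itertools import product

# De-energize-to-trip (DTT) convention: a channel contact is closed (permits
# the action) only while its coil is energized; open/de-energized is safe.
ENERGIZED, DEENERGIZED = True, False

# Constructed single-component failure modes and the contact state each forces.
FAILURE_MODES = {
    "broken_wire": DEENERGIZED,   # open circuit: contact opens, channel trips
    "welded_contact": ENERGIZED,  # contact stuck closed regardless of the coil
}


def vote(contacts, m):
    """m-out-of-n permissive vote: the interlock permits the action only when
    at least m of the n channel contacts are closed (energized)."""
    return sum(1 for c in contacts if c) >= m


def single_failure_analysis(n, m):
    """Inject every failure mode into every channel under both plant conditions.

    Returns {"unsafe": [...], "spurious": [...]} of (channel, failure_mode):
    'unsafe'   = pre-conditions NOT met but the interlock still permits;
    'spurious' = pre-conditions met but the interlock blocks the action.
    """
    result = {"unsafe": [], "spurious": []}
    for ch, (mode, forced) in product(range(n), FAILURE_MODES.items()):
        for conditions_met in (True, False):
            contacts = [conditions_met] * n  # healthy channels track the plant
            contacts[ch] = forced            # the failed channel does not
            permits = vote(contacts, m)
            if permits and not conditions_met:
                result["unsafe"].append((ch, mode))
            elif conditions_met and not permits:
                result["spurious"].append((ch, mode))
    return result


def is_fail_safe(n, m):
    """True when no single failure can make the interlock permit an action
    whose pre-conditions are not met (the fail-safe property of 2.1)."""
    return not single_failure_analysis(n, m)["unsafe"]


if __name__ == "__main__":
    for label, n, m in (("1oo2", 2, 1), ("2oo2", 2, 2), ("2oo3", 3, 2), ("4oo4", 4, 4)):
        r = single_failure_analysis(n, m)
        print(f"{label}: fail-safe={is_fail_safe(n, m)} "
              f"unsafe={r['unsafe']} spurious={r['spurious']}")
```

Running it shows why the table pairs preventive interlocks with 2oo2 (no single failure can permit an unsafe action, at the price of a spurious block on any broken wire) and why a 1oo2 permissive needs testing (one welded contact defeats it).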

2.2 Diversity in Interlock Logic

IEC TR 61497 recommends diversity in interlock implementation to protect against common-cause failures. For example, the redundant channels of a single interlock function should not all rely on identical relays from the same manufacturer. Diversity strategies include using different technology types (electromechanical relay vs. solid-state), different operating principles (normally-open vs. normally-closed logic), and separate power supplies from independent Class 1E buses.

2.3 Testability and Online Monitoring

Interlocks in nuclear safety systems must be testable during plant operation without defeating the safety function. The standard recommends built-in test features such as testable input bypass switches with automatic restoration timers, status indication with lamp test capability, and periodic proof-test intervals not exceeding 24 months. For interlocks that cannot be tested online, the plant technical specifications must define special testing conditions during outage.

Engineering Insight: A well-designed interlock system in a CANDU or PWR plant uses physical separation (segregated cable trays, separate cubicles) between redundant interlock channels. When retrofitting digital upgrades, maintain this separation even if the new system is software-based — do not route both channels through the same FPGA or PLC.

3. Engineering Design Insights for Nuclear Electrical Interlocks

3.1 Separation from Protection System Logic

The report emphasizes that electrical interlocks must be functionally independent from the plant protection system (PPS), even though they share the same safety objectives. Interlocks act on the actuated equipment directly, while the PPS initiates the safety command. This separation prevents a single fault in the interlock logic from disabling both the initiation and the actuation paths.

3.2 Contact Multiplication and Isolation

When a single interlock signal must control multiple devices, contact multiplication relays should be used with separate isolation diodes for each branch. The standard warns against paralleling relay contacts without isolation, as a single welded contact in one branch can back-feed and defeat the interlock in all branches.

3.3 Timing and Sequence Coordination

Nuclear safety actuators (e.g., motor-operated valves, circuit breakers) have finite operating times. Sequencing interlocks must incorporate timing margins that account for variations due to temperature, aging, and voltage fluctuations. The standard recommends a minimum timing margin of 50% over the maximum expected operating time of any actuated device.

Danger: Never use software-based timers for safety-critical interlock sequencing without a diverse hardwired backup timer. PLC-based timers can drift due to CPU loading, and a single software fault could disable all software-based timing functions in the interlock system simultaneously.

4. Frequently Asked Questions

Q1: Are electrical interlocks covered by IEC 61513 (nuclear I&C general requirements)?
Yes, IEC TR 61497 is referenced by IEC 61513 as the specific guideline for interlock design. While IEC 61513 provides the overall architecture and classification framework, IEC TR 61497 gives detailed implementation recommendations for the interlock subsystem.

Q2: Can interlocks be implemented in software (FPGA/PLC) instead of hardwired relays?
The standard allows software implementation for non-protective interlocks, subject to verification per IEC 60880. However, protective and safety-critical interlocks should have a hardwired diverse backup even if the primary logic is software-based. The software implementation must also demonstrate freedom from common-cause failure with other safety software.

Q3: How does the standard handle interlock bypassing for maintenance?
IEC TR 61497 requires that any bypass capability be controlled by key-locked switches or administrative controls. Bypass duration must be limited by an automatic timer, and the bypassed interlock status must be continuously displayed in the main control room. The plant technical specifications must define the maximum allowed bypass time (typically 72 hours).

Q4: What is the difference between an interlock and a permissive in nuclear I&C?
An interlock is a hardwired safety logic path that enforces pre-conditions (e.g., “valve must be open before pump starts”). A permissive is a conditional signal that allows a control action to proceed. In nuclear terms, interlocks are typically associated with safety systems, while permissives may be used in both safety and non-safety applications.
