Interlocks in PLC Programming: Hardware vs Software, with Examples
An interlock is a logic condition that prevents equipment from operating when doing so would be unsafe or would damage the process. It's one of the oldest and most important patterns in industrial control, and one of the easiest to get wrong.
In one paragraph
An interlock connects two or more states so that one cannot occur unless the others are in a permitted condition. Hardware interlocks are physical (wiring, mechanical linkage) and remain effective even if the PLC fails. Software interlocks live in ladder logic or structured text and depend on the PLC continuing to scan. Safety interlocks protect people; process interlocks protect product. Critical applications use all three, layered.
Hardware vs software interlocks
Hardware interlock
Implemented in physical wiring or mechanical components, independent of PLC logic.
- Mechanical linkage between two reversing contactors
- Guard door switch wired in series with motor contactor coil
- Light curtain output wired directly to safety relay
- E-stop button breaking the control power circuit
- Limit switch hard-wired to brake-release solenoid
Effective when: PLC is powered off, in fault, or has corrupted logic.
Software interlock
Implemented in PLC logic (ladder, structured text, function blocks).
- Forward output coil includes NC contact of reverse coil in series
- Pump start permissive requires "suction valve open" bit set
- Recipe step cannot advance until all guards report closed
- Heater output requires temperature-below-setpoint AND no fault
- Conveyor reverse blocked while material-present sensor on
Effective only while: PLC is scanning correctly. If PLC stops, interlock stops.
Best practice: safety-critical interlocks should be hardware and software, layered. The hardware interlock is the last line of defense if the PLC is wrong; the software interlock catches conditions earlier and gives the operator better diagnostics.
Safety vs process interlocks
These two categories sound similar but are governed by completely different standards and engineering processes.
| Aspect | Safety interlock | Process interlock |
|---|---|---|
| Protects against | Harm to people; catastrophic equipment damage | Product damage; lost production; downstream cascading issues |
| Examples | Light curtain, two-hand control, guard interlock, E-stop | "Pump won't start until valve open", "heater off unless flow detected" |
| Standards | IEC 61508, IEC 62061, ISO 13849, IEC 61511 | Plant-specific; informal best practice |
| Implementation | Safety-rated PLC, safety relay, hardware | Standard PLC logic |
| Reliability requirement | Defined SIL (1–4) or PL (a–e) | No formal requirement |
| Validation | Functional safety assessment, periodic proof testing | Commissioning test only |
Worked example: motor-reversing interlock
Energising both forward and reverse contactors at the same time creates a phase-to-phase short circuit and instantly destroys the motor starter. The interlock makes that electrically impossible. Three layers, from cheapest to safest:
Layer 1: software interlock in ladder logic
The forward output coil includes a normally-closed contact of the reverse output coil in series, and vice versa. If the reverse coil is energised, its NC contact opens and the forward coil cannot energise. This is the most basic form of interlock and lives entirely in PLC logic.
Layer 2: electrical interlock (auxiliary contacts)
The forward contactor's normally-closed auxiliary contact is wired in series with the reverse contactor's coil, and vice versa. This is wired entirely in the motor starter cabinet — no PLC required. If a relay sticks closed and the PLC tries to energise the other direction, the auxiliary contact prevents it.
Layer 3: mechanical interlock
A physical lever between the two contactors that mechanically prevents both from closing at once. Sold as a single accessory by every contactor manufacturer (Allen-Bradley, Siemens, Schneider, ABB). For high-power motors and any application that runs unattended, this is mandatory — relay welding does happen.
Common interlock programming mistakes
1. Interlocking against output coils instead of inputs. Output coils only update at the end of the scan cycle, so logic that reads "is M_FWD on?" sees stale data for one scan. For tight interlock timing, use input states or internal flags that update synchronously.
2. Forgetting the overload contact. Every motor interlock should include the motor overload (OL) contact in series with the output coil. When the OL trips, both directions must be inhibited until the operator resets it.
3. Cross-wired NC contacts. If you accidentally use NO instead of NC for the reverse-direction contact in your forward rung, both directions can run simultaneously the moment either is selected. Cross-checking interlock logic during code review is essential.
4. Software-only on safety-critical interlocks. If the PLC stops, your software interlock stops with it. Anything that protects people requires hardware backup, ideally on a safety-rated PLC.
5. Latched outputs without unlatch on fault. A SET-RESET pattern on a contactor with no reset on E-stop or fault means the equipment stays running after a safety event clears. Always unlatch on any non-permissive condition.
6. Not testing the interlock. "The wiring is right" is not the same as "the interlock works." During commissioning, manually force each interlock condition and verify the equipment refuses to operate. Repeat at every annual safety check.
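The Layer 1 software interlock from the worked example, written so that it avoids mistakes 1, 2 and 5, as an added example in IEC 61131-3 Structured Text (not code from the original page). The block name and all variable names are assumptions, as is the wiring of each contactor's auxiliary contact back to a PLC input.

```iecst
FUNCTION_BLOCK FB_ReversingStarter
VAR_INPUT
    CmdFwd      : BOOL; (* forward start request, momentary *)
    CmdRev      : BOOL; (* reverse start request, momentary *)
    CmdStop     : BOOL; (* stop request *)
    EStopOk     : BOOL; (* TRUE = E-stop circuit healthy *)
    OverloadOk  : BOOL; (* TRUE = motor overload (OL) not tripped *)
    FbFwdClosed : BOOL; (* assumed input: forward contactor aux contact, TRUE = closed *)
    FbRevClosed : BOOL; (* assumed input: reverse contactor aux contact, TRUE = closed *)
END_VAR
VAR_OUTPUT
    OutFwd : BOOL; (* forward contactor coil, latched between scans *)
    OutRev : BOOL; (* reverse contactor coil, latched between scans *)
    Fault  : BOOL; (* feedback contradicts the commanded state *)
END_VAR
VAR
    Permissive : BOOL;
END_VAR

(* Feedback says both contactors are closed, or the opposite contactor is
   closed while this direction is commanded: welded contact or wiring fault *)
Fault := (FbFwdClosed AND FbRevClosed)
      OR (OutFwd AND FbRevClosed)
      OR (OutRev AND FbFwdClosed);

(* Mistake 2: OL and E-stop are in series with BOTH directions *)
Permissive := EStopOk AND OverloadOk AND NOT CmdStop AND NOT Fault;

IF NOT Permissive THEN
    (* Mistake 5: unlatch on any non-permissive condition *)
    OutFwd := FALSE;
    OutRev := FALSE;
ELSIF CmdFwd AND NOT CmdRev AND NOT OutRev AND NOT FbRevClosed THEN
    (* Mistake 1: check the reverse contactor's input state, not only its coil *)
    OutFwd := TRUE;
ELSIF CmdRev AND NOT CmdFwd AND NOT OutFwd AND NOT FbFwdClosed THEN
    OutRev := TRUE;
END_IF;
END_FUNCTION_BLOCK
```

This covers the software layer only; the auxiliary-contact and mechanical interlocks of Layers 2 and 3 still have to be present in the starter.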
Where interlocks appear in the standards
- IEC 61131-3 — defines the languages used to write software interlocks (ladder logic, structured text, FBD)
- ISO 13849 — Safety-related parts of control systems; defines Performance Levels (PL a-e) for safety interlocks
- IEC 62061 — Functional safety of electrical/electronic safety-related control systems for machines (SIL CL 1-3)
- IEC 61508 — Generic functional safety standard; foundation for SIL ratings
- IEC 61511 — Functional safety for the process industries (chemical, oil & gas)
- OSHA 29 CFR 1910.147 — Lock-out/tag-out; mechanical/process interlocks for energy isolation