Understanding Permissive Logic and Trip Interlocks in Industrial Systems

Permissive interlocks are used in industrial automation and process control systems to make sure that a process or piece of equipment action, like turning on a motor or opening a valve, doesn’t happen until all of the safety and process conditions are reached. It performs the function of a gatekeeper, allowing an activity to take place only when it is both safe and desirable to do so.

Example of a Permissive Condition

One often used example of permissive logic is the centrifugal pump’s starting sequence. Before allowing the pump turn on, the system could demand the suction valve to be open and the suction pressure to be over a minimum threshold. Should either of these requirements fail, the permissive will stop the start command, therefore shielding the pump from cavitating or running dry.

Implementation Platforms for Permissive Logic

Permissive logic is typically implemented within:

• Distributed Control Systems (DCS)
• Programmable Logic Controllers (PLC)

Depending on the SIL (Safety Integrity Level) needs of the application, the permissive condition may be used in a Safety Instrumented System (SIS) or via hardwired relay logic if it is judged critical from a process safety standpoint.

Challenge Yourself: Test Your Expertise in Safety Instrumented Systems (SIS): Knowledge Quiz

Behavior of a Permissive Logic

Once all permissive criteria are satisfied, the system permits the intended action pump start to go forward. Usually, the permissive logic turns inactive after the action is carried out. Once the suction valve has been shown open and the pump is started, for example, the permissive will not act further even if the suction valve closes while the pump is running unless a separate interlock or shutdown condition is configured for that event.

Unless specifically directed otherwise, this passive behavior post-activation emphasizes a fundamental feature of permissive logic: it controls just the beginning of activities, not their ongoing performance.

Override and Defeat Options in operational or maintenance situations

Under some operational or maintenance situations, it could be required to override or defeat allowed conditions:

• Override: Usually during testing or special operations, frequently with operator permission and logging, overrule a permissive condition for startup flexibility.
• Defeat: Used during maintenance or commissioning, defeat lets equipment testing or calibration occur without meeting all regular running conditions.

Usually safeguarded by procedural protections and management of change policies, these functions must be strictly under control to avoid unintended operation.

Detailed Explanation of BFP Trip Logic – Interlock and Logic Schematic

The start permissive and trip logic for a 43 MW captive power plant’s boiler feed pump (BFP) unidirectional drive system is depicted in this interlock and logic diagram. It is an element of the fundamental protection and startup reasoning applied with the Distributed Control System (DCS).

The logic guarantees that the BFP must trip at dangerous conditions such high temperature or dangerously low deaerator level and can only start under healthy operating parameters.

Purpose of Trip Logic

The trip logic is designed to:

• Track important temperature data from motor windings and pump and motor bearings.
• Examine a field-level deaerator tank signal.
• Start a trip right away should any condition compromise the BFP’s safe running ability.
• Only allow a start permissible when all under observation conditions fall within reasonable bounds.

Breakdown of Inputs and Thresholds

Pump and Motor Bearing Temperatures

Four analogue temperature inputs are monitored by the logic:

• Pump Drive End (DE) Bearing Temp
• Pump Non-Drive End (NDE) Bearing Temp
• Motor DE Bearing Temp
• Motor NDE Bearing Temp

Every input is compared to pre-defined temperature ranges:

• Pump bearing temps: trip if temperature exceeds 85°C
• Motor bearing temps: trip if temperature exceeds 110°C

Individual comparator blocks inside the DCS handle these analog inputs. An overtemperature condition for the given point is indicated by a logic high (true) output.

Must-Read: Understanding 2 out of 2 SOV: Working & Configuration

Motor Winding Temperatures

Six analog RTD indications correspond to phase winding temperatures:

• Phase R: Two independent sensors (e.g., top and bottom windings)
• Phase Y: Two sensors
• Phase B: Two sensors

Each is compared against a setpoint of 110°C. These comparisons feed into a specialized comparison block labeled “COMP (#)”.

Based on voting logic, the condition is judged critical and a trip output is produced if any two or more of the six winding temperatures are above the threshold. This keeps the pump from running under motor overheating circumstances, therefore preventing either motor damage or insulation failure.
Explore in Depth: Voting Logic in Safety Instrumented System

The note on the drawing explains the comparator logic:

Note: This block will be used if any two of the six winding temp are high, then the pump should be tripped,” the drawing’s annotations on the comparator states.

There is a unique block reference based on the BFP number (e.g., 003 for BFP-1, 004 for BFP-2, and so on).

Refer the below link for the Designing 2 out of 3 Voting Logic in Control Systems: A Step-by-Step PLC Ladder Diagram Tutorial with Video

Designing 2 out of 3 Voting Logic in Control Systems: A Step-by-Step PLC Ladder Diagram Tutorial with Video

Field Contact – Deaerator Level Very Low

A discrete field contact labeled 10-LSLL-103B is monitored for the deaerator water level.

Should the water level get extremely low, this contact closes to produce a trip signal. This condition must be avoided since it can cause harm due lack of suction head or pump cavitation.

Logic Construction

Trip Logic Path

A series of OR logic gates links all individual overtemperature comparators (bearing and winding) to the field contact. These set themselves as follows:

• Combining the outputs of the four bearing temperature comparators forms an OR block.
• Additional input for a higher-level OR block comes from the winding temp comparator block.
• Additionally directed to the same OR block is the deaerator low-level contact.

If any of these conditions is true (i.e., logical high signal), the final OR block sends a signal to the trip command output labeled “TO SHT 3 → TO TRIP.” This output indicates a permissive rejection and initiates pump shutdown.

This guarantees quick, fail-safe BFP shutdown in should any harmful operational state arise.

Start Permissive Logic

If none of the trip inputs are active, meaning:

• All bearing and winding temperatures are within safe limits.
• Deaerator level is normal.

Then the logic sends a START PERMISSIVE signal also labeled “TO SHT 3.” This allows the BFP drive system to energize and start the motor.

This logic ensures the pump cannot start unless it is safe to do so.

Summary of Logic Conditions

Condition	Threshold	Result
Pump bearing temp > 85°C	Exceeds SP	Trip
Motor bearing temp > 110°C	Exceeds SP	Trip
Any two of six winding temps > 110°C	Comparator logic	Trip
Deaerator level very low (LSLL-103B contact closes)	Discrete NO contact	Trip
None of the above	Safe state	Start Permissive

Notes from Drawing

• Sheet number: 11 of 25
• Title: “Interlock & Logic Schematics for Uni-Directional Drives – BFP Start Permissive Logic”
• Customer: XXXXX Captive Power Plant (43 MW CPP)
• Consultant: XXXXXXXX
• The DCS (not hardwired relays) configures the logic so that it can be flexibly reconfigured and diagnosed.
• Deaerator level trip is direct from field contacts of level switch, not analog level transmitters.

Frequently Asked Questions

What is permissive logic?

A series of conditional tests necessary before an operation is allowed is known as permissive logic. It guarantees that before turning on an output, all needed inputs or process statuses fall within reasonable boundaries.

What is a permissive in process control?

In process control systems, a permissive is a logical prerequisites condition. For a compressor, a start instruction, for instance, will be disregarded unless all of its related permissible inputs such as suction pressure, lubrication oil pressure, vibration limits are healthy.

What is a permissive contact?

Usually closed, a permissive contact that is, a limit switch, relay contact, or digital input must be in a specific state to enable logic continuity as an input device or status point. It finds frequent application in ladder logic diagrams..

What is a permissive relay?

Often used in electrical protection systems, a permissive relay forms part of a protection or interlock system. It runs under the idea that the trip has to take place if all relays find the defect in the forward orientation. Under permissive logic, the relay permits an action just when all upstream conditions are safe.

What is a permissive in control systems?

A permissive in general control logic is a condition that must be satisfied before a system or machine may turn on. A gas compressor, for instance, will not start until incoming gas pressure is sufficient. Permissive logic will block the start command should the gas be absent or below the threshold.

Test Your Expertise on Boiler Control & Interlock Logic for Instrumentation and Control 

Refer the below link to test your expertise on Boiler Control & Interlock Logic for Instrumentation and Control 

Top 25 Advanced MCQs on Boiler Control & Interlock Logic for Instrumentation and Control Engineers