Actuation Interlock Governance

2. Summary

Actuation Interlock Governance requires that AI agents controlling physical actuators, effectors, or systems with real-world impact are subject to hardware or firmware-enforced interlocks that prevent hazardous actuator states or sequences regardless of the agent's commands. An interlock is a physical or logical mechanism that prevents a dangerous action unless specific preconditions are verified to be true — the interlock operates independently of the agent and cannot be overridden, bypassed, or disabled by the agent's outputs. This dimension extends AG-001's mandate enforcement concept to the physical layer: just as AG-001 prevents an agent from exceeding its financial mandate through infrastructure-layer enforcement, AG-114 prevents an agent from commanding a physically hazardous actuator state through interlock enforcement. Without actuation interlocks, an AI agent's software failure, adversarial manipulation, or reasoning error can directly translate into physical harm.

3. Example

Scenario A — AI Agent Commands Valve Opening Against Pressure Differential: An AI agent optimises flow routing in a petrochemical refinery by controlling motor-operated valves (MOVs) on process lines. The agent commands MOV-2201 (a 12-inch gate valve on a high-pressure hydrocarbon line) to open while the upstream pressure is 85 bar and downstream is 2 bar. The agent's optimisation model determines that routing flow through this path reduces energy consumption by 6%. No interlock prevents the opening command. The 83-bar differential across the valve exceeds the valve's differential pressure rating of 60 bar. The valve internals fail under the forces generated by the high-velocity flow, causing an uncontrolled hydrocarbon release. The resulting vapour cloud ignites, causing a fire that damages 3 adjacent process units.

What went wrong: No interlock existed to prevent valve opening against an excessive pressure differential. The agent's optimisation model did not include valve differential pressure ratings as a constraint — it optimised flow routing, not valve loading. Even if AG-112 sector constraints included pressure limits, the enforcement was at the software layer; a hardware interlock would have prevented the valve actuator from receiving the opening command when the differential exceeded 60 bar, regardless of any software command. Consequence: fire and explosion, 3 process units damaged (£45 million repair), 2 operators hospitalised with burns, refinery shutdown for 8 months, HSE prosecution, COMAH enforcement.

Scenario B — Robotic Agent Commands Simultaneous Conflicting Motions: An AI agent controlling a 4-axis pick-and-place robot generates a motion plan that commands axis 2 (shoulder) and axis 3 (elbow) to move simultaneously in directions that would cause the arm to contact its own base structure. The agent's inverse kinematics solver has a numerical error under the specific joint configuration, producing a geometrically impossible trajectory. No interlock prevents the conflicting motion. Both servo drives receive their commanded positions and attempt to execute. Axis 3's servo stalls against the mechanical interference while axis 2 continues driving, generating a torque of 1,200 Nm against the joint bearing (rated for 800 Nm). The bearing fails catastrophically, and the arm's upper section separates from the base, swinging into the adjacent workstation where an operator is present.

What went wrong: No motion interlock existed to prevent physically impossible or self-damaging trajectories. The agent's inverse kinematics solver was the only check on trajectory validity. A mechanical or servo-level interlock — for example, joint-angle limits enforced in the servo drive firmware, torque limits enforced by the motor controller, or workspace boundary enforcement in the motion controller — would have rejected the conflicting commands before the actuators attempted to execute. Consequence: operator struck by detached arm section (multiple fractures), robot write-off (£320,000), adjacent workstation destroyed (£85,000), production line shutdown for investigation, HSE prosecution for inadequate safeguarding.

Scenario C — Building Management Agent Opens Smoke Dampers During Fire: An AI agent managing a commercial building's HVAC system optimises air quality and energy efficiency. During a small kitchen fire on floor 7, the building's fire alarm activates. The fire alarm system commands smoke dampers to closed position to contain smoke. However, the AI agent, operating on a parallel control path to the fire alarm system, detects reduced air quality on floor 7 and commands the smoke dampers to open to "improve ventilation." The AI agent's control path has equal or higher priority to the fire alarm system's damper control because the integration was not designed with interlock priority. The smoke dampers oscillate between the fire system's close command and the AI agent's open command. Smoke spreads to floors 6 and 8 through the ventilation system during the damper-open intervals.

What went wrong: No interlock prevented the AI agent from commanding smoke dampers during a fire alarm condition. A fire-alarm-to-damper interlock (hardwired or via a safety relay) would have overridden any AI agent command when the fire alarm is active, forcing dampers to the fire-safe position regardless of any other control system's commands. The integration design failed to establish interlock priority — the AI agent was not subordinate to the life safety system. Consequence: smoke spread to 3 floors, 12 hospitalisations for smoke inhalation, fire service criticism of building management, London Fire Brigade enforcement notice, building insurance claim of £2.8 million, regulatory investigation by the Building Safety Regulator.

4. Requirement Statement

Scope: This dimension applies to all AI agents that command, control, or influence physical actuators, effectors, or systems whose operation can create hazardous conditions. This includes but is not limited to: valves (process, isolation, safety), motors and drives (robotic, conveyor, pump, fan), circuit breakers and switchgear, heating elements and burners, pneumatic and hydraulic actuators, building services (dampers, locks, emergency lighting), vehicle controls (steering, braking, throttle), and any mechanism that converts the agent's digital output into physical action. The scope extends to agents that do not directly command actuators but whose outputs are automatically translated into actuator commands by downstream control systems without independent safety verification. The test is: can this agent's output, if erroneous, cause an actuator to enter a state that creates a physical hazard? If yes, the agent's actuator commands require interlock governance.

4.1. A conforming system MUST identify all actuators under the agent's direct or indirect control and, for each actuator, define the hazardous states or sequences that interlocks must prevent, based on the hazard analysis (AG-111).

4.2. A conforming system MUST implement interlocks that prevent each identified hazardous actuator state or sequence, with the interlock logic executing independently of the agent's software — the agent MUST NOT be able to override, bypass, disable, or influence the interlock through its outputs.

4.3. A conforming system MUST ensure that interlocks operate on direct physical measurements (hardwired sensors, dedicated safety-rated sensors) rather than on data provided by the agent or processed through the agent's data pipeline, to prevent the agent from influencing interlock inputs.

4.4. A conforming system MUST ensure that interlock response time is deterministic and within the process safety time for the associated hazard — the interlock MUST prevent the hazardous state faster than the physical process can reach the hazardous condition.

4.5. A conforming system MUST implement interlocks such that they fail to the safe state — if the interlock mechanism itself fails (sensor failure, wiring fault, logic fault), the protected actuator MUST default to its safe position (typically de-energised, closed, or stationary).

4.6. A conforming system MUST test all interlocks at defined intervals (at minimum annually, more frequently for high-severity hazards) through actual proof testing that exercises the interlock from sensor input through to actuator response, not just logic-level testing.

4.7. A conforming system SHOULD implement interlocks in hardware (hardwired relay logic, safety-rated PLCs per IEC 61508, or dedicated safety controllers) for hazards where the consequence is severe (SIL 2 or higher per IEC 61508 or equivalent risk classification).

4.8. A conforming system SHOULD implement interlock status monitoring that detects interlock faults (stuck sensor, wiring fault, relay failure) and triggers an alert or safe-state transition when an interlock is not functional.

4.9. A conforming system SHOULD implement sequence interlocks that enforce required actuator sequencing (e.g., "valve A must be closed before valve B opens") in addition to state interlocks that prevent individual hazardous states.

4.10. A conforming system MAY implement smart interlocks that adjust interlock parameters based on validated real-time conditions (e.g., adjusting a pressure interlock setpoint based on verified temperature) provided that the smart interlock logic operates independently of the agent and that a fixed-setpoint fallback exists if the smart logic fails.

5. Rationale

Actuation Interlock Governance is the last line of defence between an AI agent's erroneous output and physical harm. Every other governance dimension in this landscape operates in the digital domain — mandates, constraints, timing guarantees, and governance checks all prevent the agent from issuing hazardous commands. Interlocks operate at the physical interface — they prevent the hazardous physical state from occurring even if a hazardous command reaches the actuator.

This defence-in-depth principle is fundamental to safety engineering. No single governance layer is assumed to be perfectly reliable. AG-001 (mandate enforcement) may fail. AG-112 (sector constraints) may have gaps. AG-113 (timing assurance) may be violated. The interlock is the final physical barrier that catches any command that has passed through all upstream governance layers but is still hazardous. If the interlock is robust, the physical harm is prevented regardless of how many upstream governance layers have failed.

The independence requirement is critical because of the specific threat model for AI agents. An AI agent that has been adversarially manipulated, is experiencing a reasoning failure, or is operating on corrupted data may produce outputs designed to circumvent governance controls. If the interlock depends on data from the agent or on logic that the agent can influence, the same failure that corrupted the agent's outputs may also corrupt the interlock's inputs or logic. Physical independence — hardwired sensors, dedicated interlock logic, direct actuator control — eliminates this common-cause failure mode.

The fail-safe requirement reflects a simple physical principle: in safety engineering, unknown states are treated as dangerous. If an interlock sensor fails, the interlock cannot verify that conditions are safe, so it must assume they are unsafe and prevent the actuation. This is the interlock equivalent of AG-001's "default deny" principle — just as AG-001 requires that actions are blocked when no mandate exists, AG-114 requires that actuation is prevented when the interlock cannot verify safety.

The proof testing requirement exists because interlocks are protection devices that may remain dormant for extended periods — the hazardous condition they protect against may not arise for months or years. During this dormant period, the interlock can develop latent faults (stuck sensors, corroded contacts, relay coil degradation) that are not apparent until the interlock is demanded. Proof testing exercises the interlock to detect these latent faults before a real demand occurs. The IEC 61508 framework quantifies this through the concept of "probability of failure on demand" (PFD), which is directly influenced by the proof test interval.

6. Implementation Guidance

AG-114 establishes the interlock as the physical-layer enforcement mechanism for AI agent safety governance. Each interlock consists of three elements: a sensor (detecting the physical condition), logic (evaluating whether the condition is safe for the proposed actuation), and an actuator interface (permitting or blocking the actuation). All three elements must be independent of the AI agent's software and data pipeline.

Recommended patterns:

• Hardwired interlock circuits. For the highest-integrity interlocks (SIL 3-4 or equivalent), implement the interlock as a hardwired relay circuit: physical sensor -> relay coil -> normally-closed contact in the actuator power circuit. When the sensor detects a hazardous condition, the relay de-energises, the normally-closed contact opens, and the actuator loses power. No software is involved. The agent cannot influence the circuit because there is no programmable element. Example: a pressure transmitter with a switch contact at 60 bar is wired in series with the MOV-2201 opening coil. If upstream pressure minus downstream pressure exceeds 60 bar, the switch opens, de-energising the opening coil. The AI agent's opening command reaches the valve controller, but the controller cannot energise the opening coil because the interlock circuit is open. The valve stays closed. Cost: approximately £2,000-5,000 per interlock point installed.
• Safety-rated PLC interlocks. For interlocks requiring more complex logic (sequence interlocks, multi-condition interlocks), implement using a safety-rated PLC (SIL 2 or SIL 3 per IEC 61508) with dedicated safety I/O. The safety PLC executes the interlock logic on a separate processor from the agent's control system. Safety I/O modules read dedicated sensors (not shared with the agent's instrumentation) and directly control actuator enable circuits. The safety PLC's logic is locked (cannot be modified without a physical key or authenticated engineering workstation access) and is not connected to the agent's network. Example: a robotic cell safety PLC monitors laser scanners (human detection), joint angle encoders (workspace limits), and torque sensors (overload). The PLC controls a safety relay that enables the robot's servo drives. If any interlock condition is violated, the safety relay de-energises and all servos are disabled. The AI agent's motion commands are ignored by servo drives that are disabled at the power level.
• Servo drive firmware limits. For robotic and motion control applications, implement basic interlocks in the servo drive firmware: maximum speed, maximum torque, maximum position (joint angle limits), and maximum acceleration. These limits are configured in the drive's non-volatile memory through a dedicated engineering interface and are not modifiable through the control network. The agent's motion commands are clipped to these limits by the drive firmware before execution. This provides a fast (sub-millisecond) interlock that catches command errors at the actuator level. Example: a servo drive is configured with joint angle limits of -135 degrees to +135 degrees. The AI agent commands +180 degrees (due to an inverse kinematics error). The drive firmware clips the command to +135 degrees and executes the limited command. The error is logged by the drive.
• Priority-based interlock arbitration. For systems where multiple control authorities can command the same actuator (e.g., AI agent, fire alarm system, manual override panel), implement a priority arbitration scheme where safety interlocks have highest priority, life safety systems have next priority, human operator commands have next priority, and the AI agent has lowest priority. The arbitration is implemented in hardware or in a safety-rated controller independent of the AI agent. Example: a building management system's damper control is arbitrated by a safety relay board: fire alarm system has priority 1 (hardwired through a normally-closed relay), manual override panel has priority 2 (through a separate relay), and the AI agent has priority 3 (through a third relay). The damper actuator receives the command from the highest-priority active authority.

Anti-patterns to avoid:

• Software-only interlocks. An interlock implemented in the same software that runs the AI agent, or in software that the agent can influence, is not an interlock — it is a software check. Software checks are valuable (they are part of AG-001 and AG-112 enforcement) but they are not substitutes for physical-layer interlocks when the hazard consequence is severe. Software can be bypassed by software failure; hardware interlocks can only be bypassed by hardware modification.
• Interlocks using agent-sourced data. If the interlock's sensor input passes through the agent's data pipeline (e.g., the agent reads a pressure sensor and passes the value to the interlock logic), the interlock is not independent. A faulty or adversarial agent can provide false sensor data to the interlock, causing it to permit a hazardous actuation. Interlocks must use dedicated sensors with direct wiring to the interlock logic.
• Overridable interlocks without governance. Some operations require interlock bypass (e.g., during maintenance, testing, or specific operational modes). If bypass capability exists, it must be governed: physical key switch or equivalent physical mechanism (not software-selectable), logged with timestamp and operator identity, automatically timed out (bypass reverts after a defined period), and alarmed when active. An interlock that can be bypassed through the agent's control interface is not an interlock.
• Testing only the logic, not the full chain. An interlock proof test that verifies the PLC logic responds correctly to a simulated input, but does not verify that the physical sensor detects the actual condition and that the actuator interface actually prevents actuation, is an incomplete test. Latent faults in sensors and actuator interfaces are the most common cause of interlock failure on demand.
• Treating interlocks as the primary control. Interlocks are the last line of defence, not the primary control mechanism. An agent that routinely triggers interlocks (because its normal operation frequently approaches hazardous states) has an upstream governance problem — likely inadequate AG-112 sector constraints or an agent objective function that conflicts with safety. Interlock activation should be a rare event, investigated as an incident.

Industry Considerations

Oil and Gas / Petrochemical. The Safety Instrumented System (SIS) framework under IEC 61511 provides the established architecture for interlocks in process industries. AI agents should be treated as part of the Basic Process Control System (BPCS), with interlocks implemented in the independent SIS. SIL ratings (SIL 1-3 for most process applications) determine the interlock hardware and testing requirements. Common interlock types include: high-pressure shutdown, high-temperature shutdown, high-level shutdown, low-flow shutdown, and emergency isolation valve closure.

Robotics. ISO 13849 (safety-related parts of control systems) and IEC 62061 (functional safety of safety-related control systems) provide the framework for robotic interlocks. Performance Level (PL) ratings under ISO 13849 or SIL ratings under IEC 62061 determine requirements. Common interlocks include: light curtain and laser scanner (human detection), enabling device (dead-man switch), emergency stop (hardwired, Category 0 or 1 stop per IEC 60204-1), workspace limit switches, and torque/force limiters.

Building Services. Fire safety interlocks are governed by BS 7346 (smoke control systems), BS 5839 (fire detection and alarm systems), and the Regulatory Reform (Fire Safety) Order 2005. Any AI agent controlling building services must be subordinate to fire safety systems through hardwired interlocks. Common interlocks include: fire alarm to damper closure, fire alarm to smoke extract activation, fire alarm to means of escape door release, and fire alarm to lift recall.

Power Systems. Substation interlocks prevent dangerous switching operations (e.g., opening an earth switch onto a live busbar). These interlocks are typically implemented through key-exchange systems or safety-rated interlocking controllers. AI agents managing switching operations must be subject to these existing interlocks, which must remain independent of the agent.

Maturity Model

Basic Implementation — Hazardous actuator states are identified for each agent-controlled actuator. Basic interlocks are implemented — some in hardware (e.g., emergency stops), some in software. Interlocks use a mix of dedicated and shared sensors. Proof testing is conducted on a schedule, though it may not cover the full sensor-to-actuator chain. The agent can be prevented from commanding the most dangerous actuator states, but the interlock coverage may not be comprehensive and the independence from the agent may not be complete for all interlocks. This level prevents the most obvious hazardous states but may have gaps in coverage or independence.

Intermediate Implementation — All identified hazardous actuator states and sequences have interlocks implemented independently of the agent's software. Interlocks for SIL 2+ hazards are implemented in hardware or safety-rated PLCs. All interlocks use dedicated sensors, not shared with the agent's instrumentation. Proof testing covers the full sensor-to-actuator chain at defined intervals. Interlock status monitoring detects latent faults. Interlock bypass is governed (physical key, logged, timed out, alarmed). All mandatory requirements (4.1-4.6) are satisfied with documented evidence.

Advanced Implementation — All intermediate capabilities plus: interlocks are designed and verified to the SIL rating determined by the hazard analysis (per IEC 61508 or sector equivalent). Sequence interlocks enforce safe actuator sequencing. Independent verification (third-party assessment) of interlock design and implementation. Diagnostic coverage meets IEC 61508 requirements for the target SIL. Smart interlocks with fixed-setpoint fallback optimise interlock parameters while maintaining independence. The organisation can demonstrate to regulators that no single point of failure — including complete compromise of the AI agent and its entire software stack — can result in a hazardous actuator state, because the interlock system is physically, logically, and electrically independent of the agent.

7. Evidence Requirements

Required artefacts:

• Interlock register. A complete register of all interlocks protecting agent-controlled actuators, including: interlock ID, protected actuator, hazardous state prevented, sensor details (type, location, range, wiring), logic implementation (hardwired/safety PLC/firmware), actuator interface method (power isolation, enable signal, brake), SIL rating (where applicable), and traceability to the hazard analysis (AG-111 hazard ID).
• Interlock independence evidence. Architecture documentation, wiring diagrams, or network diagrams demonstrating that each interlock operates independently of the agent's software, data pipeline, and network. For hardwired interlocks: wiring diagrams showing direct sensor-to-relay-to-actuator circuits. For safety PLC interlocks: network architecture showing separation from the agent's control network.
• Proof test records. Records of periodic proof testing for each interlock, including: test date, tester identity, test procedure used, results (pass/fail for each element: sensor, logic, actuator interface), any faults found, and corrective actions taken. Full sensor-to-actuator chain testing documented.
• Interlock bypass log. Log of all interlock bypass events, including: timestamp, interlock ID, reason for bypass, authorising person, bypass duration, and confirmation of bypass removal.
• Fail-safe validation records. Test results demonstrating that each interlock fails to the safe state under sensor failure, wiring fault, and logic fault conditions.

Retention requirements:

• Interlock registers, proof test records, and bypass logs: minimum 10 years for COMAH/Seveso sites and nuclear; minimum 7 years for other regulated critical infrastructure; minimum 5 years otherwise.

Access requirements:

• Producible to safety regulators within 24 hours of request. Interlock wiring diagrams and proof test records must be available at the installation for inspection by visiting regulators.

8. Test Specification

Testing AG-114 compliance requires validation that interlocks are comprehensive, independent, functional, and maintained.

Test 8.1: Interlock Coverage Completeness

• Stimulus: Compare the interlock register against the hazard analysis (AG-111) hazard register. Verify that every identified hazardous actuator state or sequence has at least one corresponding interlock.
• Expected behaviour: Every hazardous state/sequence identified in the hazard analysis is covered by at least one interlock in the interlock register.
• Pass criteria: No identified hazardous state/sequence lacks an interlock. Any intentional gap has documented risk acceptance with authority. (Validates requirement 4.1)
• Fail criteria: Any identified hazardous state/sequence lacks an interlock without documented risk acceptance.

Test 8.2: Interlock Independence — Agent Command Override Attempt

• Stimulus: With the interlock in its tripped (blocking) state, submit agent commands attempting to override the interlock: direct actuation commands, modified command formats, rapid repeated commands, and commands with metadata designed to influence the interlock (e.g., false sensor values in command payloads). Verify that the interlock holds regardless of agent output.
• Expected behaviour: The interlock prevents actuation regardless of the agent's commands. No agent output influences the interlock state.
• Pass criteria: No agent command, regardless of format or content, overrides the interlock. (Validates requirement 4.2)
• Fail criteria: Any agent command overrides or influences the interlock.

Test 8.3: Sensor Independence

• Stimulus: Verify that each interlock's sensor input is wired directly to the interlock logic, not through the agent's data pipeline. Trace the physical wiring from sensor to interlock logic for hardwired interlocks; trace the I/O configuration from sensor to safety PLC for PLC-based interlocks.
• Expected behaviour: No interlock sensor path passes through the agent's software, controllers, or network.
• Pass criteria: 100% of interlock sensors have direct paths to interlock logic, independent of the agent. (Validates requirement 4.3)
• Fail criteria: Any interlock sensor path passes through the agent's data pipeline.

Test 8.4: Interlock Response Time

• Stimulus: Create the interlock's trigger condition (or simulate it by directly manipulating the sensor input) and measure the time from trigger condition to actuator safe state. Conduct a minimum of 10 trials per interlock.
• Expected behaviour: Interlock response time is within the defined maximum for all trials.
• Pass criteria: 100% of trials complete within the defined response time. Maximum observed response time documented. (Validates requirement 4.4)
• Fail criteria: Any trial exceeds the defined response time.

Test 8.5: Fail-Safe Validation

• Stimulus: For each interlock, systematically introduce faults: disconnect the sensor, introduce a wiring open circuit, introduce a wiring short circuit, remove power to the interlock logic, and (for PLC interlocks) crash the PLC processor. Verify that the actuator defaults to its safe state in each fault condition.
• Expected behaviour: Under every fault condition, the actuator reaches its defined safe state. No fault condition causes the interlock to permit the hazardous state.
• Pass criteria: 100% of fault conditions result in the actuator's safe state. (Validates requirement 4.5)
• Fail criteria: Any fault condition allows the actuator to remain in or enter a hazardous state.

Test 8.6: Proof Test Execution

• Stimulus: Execute a full proof test of each interlock, from sensor input through logic to actuator response. Verify that: (a) the sensor detects the actual physical condition (not just a simulated input), (b) the logic evaluates correctly, and (c) the actuator interface actually prevents actuation (not just signals the intent to prevent). Document all results.
• Expected behaviour: Each interlock passes the full proof test. Any faults found are documented and corrected.
• Pass criteria: All interlocks pass proof testing within the defined interval. Any faults found have documented corrective actions with completion dates. (Validates requirement 4.6)
• Fail criteria: Any interlock fails proof testing without corrective action, or proof testing has not been conducted within the defined interval.

Test 8.7: Bypass Governance

• Stimulus: Attempt to bypass an interlock through the agent's control interface (software bypass). Attempt to bypass through the designated physical mechanism (key switch or equivalent). Verify that software bypass is not possible and that physical bypass is logged, alarmed, and automatically timed out.
• Expected behaviour: Software bypass is rejected. Physical bypass activates logging, alarming, and automatic timeout.
• Pass criteria: No software bypass is possible. Physical bypass is fully governed (logged, alarmed, timed out). (Related to requirements 4.2 and anti-pattern guidance)
• Fail criteria: Software bypass succeeds, or physical bypass is not logged, not alarmed, or not timed out.

Conformance Scoring

• Score 0: No interlocks exist between the AI agent and actuators — agent commands pass directly to actuators without independent safety verification.
• Score 1: Some interlocks exist but are implemented in software that shares resources with the agent, or use sensor data from the agent's pipeline. Proof testing is not conducted on a defined schedule. Interlock coverage may be incomplete.
• Score 2: Interlocks are implemented independently of the agent's software and use dedicated sensors. All identified hazardous states have interlocks. Interlocks fail safe. Proof testing is conducted on schedule with full sensor-to-actuator chain coverage. Bypass is governed. All mandatory requirements (4.1-4.6) are satisfied with documented evidence.
• Score 3: All Score 2 capabilities plus SIL-rated interlock implementations (hardware or safety-rated PLC) verified to IEC 61508 or sector equivalent. Sequence interlocks enforce safe actuator sequencing. Independent third-party verification of interlock design. Diagnostic coverage meets SIL target requirements. Interlock status monitoring with automated fault detection. Demonstrated physical, logical, and electrical independence from the AI agent through independent audit.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
IEC 61508	Part 2 (Hardware Requirements for Safety-Related Systems)	Direct requirement
IEC 61511	Clause 11 (SIS Design and Engineering)	Direct requirement
ISO 13849	Safety-Related Parts of Control Systems	Direct requirement
IEC 62061	Functional Safety of Control Systems	Direct requirement
Machinery Regulation (EU) 2023/1230	Annex III, Essential HSR 1.2.1 (Safety and Reliability of Control Systems)	Direct requirement
ATEX Directive 2014/34/EU	Equipment for Explosive Atmospheres	Direct requirement
UK HSE	PUWER 1998 Regulation 11 (Dangerous Parts of Machinery)	Direct requirement
NIST AI RMF	MANAGE 2.2 (Risk Controls)	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance

IEC 61508 — Part 2 (Hardware Requirements)

IEC 61508 Part 2 specifies hardware requirements for safety-related systems based on the Safety Integrity Level (SIL). For interlocks protecting against hazards classified at SIL 2 or above, the interlock hardware must meet the architectural constraints and diagnostic coverage requirements of the target SIL. This includes: hardware fault tolerance (HFT) requirements (e.g., HFT=1 for SIL 3 Type A subsystems), safe failure fraction (SFF) requirements, and proof test interval requirements that inform the probability of failure on demand (PFD) calculation. AG-114 interlocks in IEC 61508-governed contexts must be designed, validated, and maintained per this standard.

IEC 61511 — Clause 11 (SIS Design and Engineering)

For process industry applications, IEC 61511 Clause 11 provides specific requirements for designing Safety Instrumented Systems that implement safety functions (interlocks). These requirements cover: SIF design (sensor, logic solver, final element), redundancy architecture, diagnostic requirements, and independence from the Basic Process Control System. AI agents in process control are part of the BPCS; interlocks must be in the independent SIS.

ISO 13849 — Safety-Related Parts of Control Systems

ISO 13849 applies to safety-related parts of control systems for machinery. It uses Performance Levels (PL a-e) to classify required safety integrity. Interlocks for robotic and machinery applications controlled by AI agents must meet the PL determined by the risk assessment. The standard covers: categories of safety-related control system architecture (B, 1-4), diagnostic coverage, common cause failure, and mean time to dangerous failure (MTTFd).

Machinery Regulation (EU) 2023/1230

The new Machinery Regulation's essential health and safety requirements (Annex III, section 1.2.1) require that control systems be designed so that "a single fault in the hardware or software of the control system does not lead to a hazardous situation." For AI agents controlling machinery, this directly requires independent interlocks — the AI agent is a single-point-of-failure software system, and interlocks provide the independent protection against its failure.

ATEX Directive 2014/34/EU

For AI agents controlling equipment in explosive atmospheres, interlocks preventing ignition sources (sparks, hot surfaces, static discharge) are governed by ATEX requirements. These interlocks must meet the equipment protection level (EPL) for the specific zone classification and must be certified accordingly.

UK HSE — PUWER Regulation 11

The Provision and Use of Work Equipment Regulations 1998, Regulation 11 requires that measures are taken to prevent access to dangerous parts of machinery or to stop movement before a person reaches the danger zone. For AI-controlled machinery, this translates to interlocks (guards with interlock switches, presence-sensing devices) that are independent of the AI agent.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Immediate physical — actuator-level hazards including mechanical impact, uncontrolled release, fire, explosion, electrical contact

Consequence chain: Without actuation interlock governance, an AI agent's erroneous command translates directly into a hazardous physical state. The interlock is the last barrier between a software error and physical harm. When this barrier is absent, the consequence chain is direct and immediate: erroneous agent output -> actuator command -> physical hazard. The specific consequences depend on the actuator and domain: in process industries, uncontrolled valve opening against pressure creates hydrocarbon release and explosion risk; in robotics, uncontrolled motion in human-occupied space creates impact injury risk; in building services, incorrect damper operation during fire creates smoke spread and inhalation risk; in power systems, incorrect switching creates electrocution and equipment damage risk. The severity is amplified by the speed of actuation — a valve can open in 2-10 seconds, a robot arm traverses its workspace in 1-3 seconds, a circuit breaker operates in 50-80 milliseconds. There is no time for human intervention between the erroneous command and the physical hazard. The business consequences include criminal prosecution under health and safety legislation (potential imprisonment under the Health and Safety at Work Act 1974), unlimited fines, corporate manslaughter charges (Corporate Manslaughter and Corporate Homicide Act 2007) if a death occurs, civil liability for personal injury, and regulatory enforcement including potential prohibition of the AI agent deployment and wider restrictions on the organisation's operations.

Cross-references: AG-114 provides the physical-layer enforcement that complements AG-001 (Operational Boundary Enforcement) at the software layer and AG-112 (Sector Safety Constraint Governance) at the domain-knowledge layer. AG-111 (Hazard Analysis Governance) identifies the hazardous actuator states that AG-114 interlocks must prevent. AG-109 (Safe-State Transition Governance) defines the safe states that interlocks drive actuators toward. AG-113 (Real-Time Determinism and Latency Assurance Governance) governs the timing that interlocks must meet. AG-110 (Degraded-Mode and Manual Fallback Governance) defines operations when interlocks have been activated. AG-038 (Human Control Responsiveness) governs the manual override mechanisms that must coexist with interlocks. AG-008 (Governance Continuity Under Failure) addresses continuity when interlock infrastructure is degraded.