Project Documentation Document SPEC-0140
Revision B1
GIS Functional Design
Tim Williams Controls Group
January 26, 2015
Released By: Joseph McMullin, Project Manager (name/date signature block)
GIS Functional Design
SPEC-0140, Draft B1 Page i of 3
REVISION SUMMARY:
1. Date: October 25, 2012 Revision: A Changes: Initial Release
2. Date: October 25, 2012 Revision: B Changes: Updated facilities LIC functionality
3. Date: January 26, 2015 Revision: B1 Changes: Updated safety-related control functions (SRCFs)
TABLE OF CONTENTS
TABLE OF CONTENTS ... ii
1. PREFACE ... iii
2. INTRODUCTION ... 1
2.1 PURPOSE ... 1
2.2 RELATED AND REFERENCE DOCUMENTS ... 1
2.3 GLOSSARY ... 2
3. CONTROL SOFTWARE ... 3
3.1 APPLICATION CODE ... 3
3.2 LADDER LOGIC EXAMPLE ... 3
4. GIS OPERATION ... 5
4.1 STATUS MONITORING AND FAULT HANDLING ... 5
4.2 EMBEDDED CONTROL OPERATION ... 5
4.3 CHANGE OF NETWORK STATUS ... 5
4.4 OPERATION FOLLOWING A REBOOTING OR RESTARTING ... 5
5. SAFETY-RELATED CONTROL FUNCTIONS ... 6
5.1 REQUIREMENTS FOR SAFETY FUNCTIONS ... 6
5.2 GLOBAL SAFETY FUNCTIONS ... 7
5.3 OPTICAL SUPPORT SYSTEM LIC ... 12
5.4 MOUNT BASE LIC ... 13
5.5 COUDÉ ROTATOR LIC ... 19
5.6 INSTRUMENTATION SYSTEMS LIC ... 22
5.7 ENCLOSURE MOTION CONTROL LIC ... 22
5.8 FACILITY THERMAL SYSTEM LIC ... 26
5.9 FACILITIES LIC ... 27
6. HMI FUNCTIONS ... 33
6.1 SYSTEM STATUS ... 33
6.2 SAFETY FUNCTION STATUS ... 33
6.3 OPERATOR CONTROL ... 33
6.4 ENGINEERING INTERFACE ... 33
6.5 LOGGING ... 33
PREFACE
The Global Interlock System (GIS) Design represents a challenge in that its design proceeds in parallel with (and
in some cases before) the designs of the systems it is meant to safeguard. Without completed designs and
hazard analyses, the safety functions that the GIS is to implement cannot be completely defined.
The design of the Global Interlock System has been separated into two main portions. There is the
hardware design, the GIS Architecture, which is the subject of SPEC-0112. The second portion is the
software design, the GIS Functional Description, which is handled in this document.
The reason for this separation is that the hardware design has been developed and is well understood, whereas
the GIS Functional Design requires the completion of subsystem designs, hazard analyses, and risk
assessments. The two portions have been separated so as not to delay development and construction of the
GIS Architecture.
The hardware architecture has been designed with the premise of flexibility, expandability, and
programmability as basic considerations. This lends itself well to being adaptable to any safety function
that may need to be implemented.
1. INTRODUCTION
1.1 PURPOSE
This document provides the basis of design for the architecture of the ATST Global Interlock System
(GIS). The design of the GIS is provided in two main sections: the architecture, which describes the
hardware and interfaces of the system; and the functional design, which covers design and implementation
of the safety-related control functions.
The diagrams and descriptions of safety functions presented below are meant to convey the general flow of
each safety function and the interactions between the various subsystems. They are not intended to cover
the implementation details. For example, almost all safety inputs and outputs are redundant and usually
employ negative logic, meaning that for a single item such as “Door 501A locked” there are two signals
that indicate the door is not closed plus two more signals that indicate the solenoid controlling the door is
not unlocked. Including this level of detail would add complexity and would not aid in understanding how the
various safety functions control safety.
1.2 RELATED AND REFERENCE DOCUMENTS
The following documents form a part of this Specification. Any other documents referenced in any of
these documents also form a part of the Specification.
1.2.1 Related Documents
ATST Specification Documents
The following documents contain information applicable to the design of the ATST Global Interlock
System.
SPEC-0046, Global Interlock System Design Specification
SPEC-0061, ATST Hazard Analysis Plan
SPEC-0112, Global Interlock System Architecture Description
SPEC-0141, Global Interlock System Operational Concepts Description
ATST Interface Control Documents
The Global Interlock System shall meet the requirements of the following interface control documents:
SPEC-0063, Interconnects and Services
ICD 1.1-4.5, Telescope Mount Assembly to Global Interlock System
ICD 1.2-4.5, M1 Assembly to Global Interlock System
ICD 1.3-4.5, TEOA to Global Interlock System
ICD 1.5-4.5, Feed Optics to Global Interlock System
ICD 2.1-4.5, Wave Front Control-Coudé to Global Interlock System
ICD 3.0-4.5, Instruments to Global Interlock System
ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System
ICD 3.1.2-4.5, Master Clock and Synchro Network to Global Interlock System
ICD 3.1.3-4.5, Coudé Station to Global Interlock System
ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System
ICD 3.3-4.5, Visible Spectro-polarimeter to Global Interlock System
ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System
ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System
ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System
ICD 3.6-4.5, Camera Systems to Global Interlock System
ICD 4.2-4.5, Observatory Control System to Global Interlock System
ICD 4.5-5.0, Global Interlock System to Enclosure
ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings
ICD 4.5-6.7, Global Interlock System to Facility Thermal Systems
ATST Reference Design Studies and Analyses
TN-0055, Global Interlock System Design
ATST Drawings
ATST-DWG-00065, Global Interlock System Configuration
1.2.2 Reference Documents
ATST Documents
PMCS-0023, Requirements Definition
SPEC-0002, Document and Drawing Control Plan
SPEC-0012, ATST Acronym List and Glossary
National Consensus Standards
ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements
NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition
International Standards
ISO 13849, Safety of Machinery—Safety-related parts of control systems
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems
Industry Standards
ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard
1.3 GLOSSARY
See SPEC-0012, ATST Acronym List and Glossary, for terms not listed below.
GIC Global Interlock Controller
LIC Local Interlock Controller
PAC Programmable Automation Controller
PLC Programmable Logic Controller
SIL Safety Integrity Level
TÜV Technischer Überwachungsverein (German; English: Technical Inspection Association), an internationally accepted independent testing and certification organization.
2. CONTROL SOFTWARE
The GuardLogix controller will be programmed with RSLogix 5000 version 20. Major version 20
(or higher) is required to accommodate unicast messaging, Windows 7, and L7 series ControlLogix
controllers. All hardware must be compatible with version 20. (See
http://support.rockwellautomation.com/ControlFlash/ for firmware requirements.)
The specific version is currently 20.03, which is incompatible with earlier minor revisions because of a change
made to enhance security. All programs written in 20.01 will be converted to 20.03 during IT&C; the process
is generally automatic.
The GuardLogix controller runs both a standard task and a safety task. All functions of the GIS are
implemented in the safety task. If the controller is also used for subsystem control, all subsystem control
functions will be implemented in the standard task.
2.1 APPLICATION CODE
Application code routines will be developed in relay ladder logic, as it is the best choice for
machine interlocking, which requires complex logical operations and few high-level functions.
The safety task uses the subset of the standard ladder logic instruction set that is safety-certified,
plus application instructions that are also safety-certified. Only safety-certified instructions will be used in
the safety task. This does not preclude the use of add-on instructions built from safety-certified instructions,
but such an instruction requires specific review and validation (per IEC 61508) before being used.
Section 4 lists the safety control requirements that will be implemented by the GIS. Each safety function
will be a separate program within the safety task running on the GuardLogix controller.
2.1.1 Revision Control
To aid in tracking and controlling revisions of the application code, the Project Vault (SolidWorks
Enterprise PDM) will be used. Because the code is being developed in a single-developer environment, a
more advanced and robust solution is not necessary and would add complexity with little value.
Also, the ladder logic is stored in a proprietary binary format that does not lend itself well to
standard version control software.
The Project Vault allows for the control of changes and edits in a single user environment as well as the
ability to roll back changes if needed. It is centrally located and can be accessed remotely as needed.
The Project Vault will be used continuously from development into operations.
2.2 LADDER LOGIC EXAMPLE
Inputs from each LIC are consumed, and evaluated; subsequent outputs are produced to other LICs as
necessary.
Figure 2-1 shows a short example of the ladder logic of the safety task that would be used with a typical
emergency stop circuit. The program uses application instructions that not only monitor the condition of
the emergency stop switch but also compare its two channels for consistency and monitor the status of
the remote I/O module to detect a hardware failure. In the event of a hardware failure, the system defaults
to a safe state.
The program combines inputs from local emergency stop switches with a tag received from the GIC
which indicates the status of the Emergency Stop System. If both are in the active safe state, two
outputs are asserted that energize the drive and enable the pulse output of the drive.
When an emergency stop switch is pushed (or a hardware fault is detected), the two outputs are removed.
First the output to the drive pulse suppression is removed, and 200 ms later (configurable) the power is
removed from the drive’s power contactor, removing all hazardous energy. If either feedback from the
outputs does not indicate that the drive was properly shut down, a fault is detected that can warn
personnel that a potential hazard still exists.
Figure 2-1
3. GIS OPERATION
3.1 STATUS MONITORING AND FAULT HANDLING
In addition to the various safety functions implemented by the GIS, the GIS must also recognize and react
to any fault that is detected.
The distributed I/O modules perform self-diagnostics on power-up and periodically during operation. In
addition these modules also monitor I/O circuit health.
3.2 EMBEDDED CONTROL OPERATION
Each LIC is the safety controller for one or more subsystems. The application program for each LIC
functions as an independent system. The safety controller will be capable of startup and control of its
safety functions regardless of connectivity to the GIC or other outside service.
3.3 CHANGE OF NETWORK STATUS
Failure of the network does not result in a loss of safety function. Failure of the network which causes
loss of communications with distributed I/O or a remote controller causes each such component of the
GIS that relies on such communications to default to a safe state.
Restoration of the network function does not automatically restore operation of the GIS without
intervention from the operator.
3.4 OPERATION FOLLOWING A REBOOTING OR RESTARTING
Rebooting or restarting causes the portion of the GIS that was rebooted or restarted to enter a safe state.
Rebooting or restarting does not result in a loss of safety function.
4. SAFETY-RELATED CONTROL FUNCTIONS
This section lists and summarizes the current list of planned safety functions.
Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment
under control. After a hazard has been identified that will be mitigated by functional safety, the
specification for each safety-related control function will be developed. Each SRCF will comprise
functional requirements and safety integrity requirements.
The functional requirements will detail the description of the SRCF, the conditions in which the SRCF
shall be active or disabled, the required responses to trips and faults, and the timing and priority of the
SRCF’s responses.
The safety integrity requirement will detail the necessary risk reduction for each SRCF.
It is imperative that the subsystem’s hazard analysis be detailed, thorough, and complete. These hazard
analyses are used to develop the various safety functions. If a hazard analysis does not identify a hazard
that hazard will not be safeguarded, presenting a serious potential risk to personnel and infrastructure.
It is foreseen that this list will need to be expanded and altered as additional hazards are identified during
design, construction, integration, and testing. Additional hazards will require additional safety functions to
be developed and will likely result in added hardware to detect the hazard and/or implement the
safeguard.
4.1 EXAMPLE OF DEVELOPMENT OF SAFETY-RELATED CONTROL FUNCTIONS
To see how the various Safety-Related Control Functions have been developed, we will follow how the
related functions of the sun sensor were developed.
Early in the project it was recognized that the concentrated sunlight near the focus could present a
thermal hazard to personnel and equipment. The Hazard Analysis Team then met to analyze the hazards
created.
The first step was to define the extent of the hazard. Due to the fast focus of the telescope design, the
concentrated sunlight is limited to a relatively small area near the prime focus. For example, the rapidly
diverging beam would spread its energy over a fairly large area by the time it reaches the interior
walls of the enclosure. While potentially a problem for the thermal effects on seeing, it does not represent a
safety hazard.
The hazard to personnel is relatively easy to mitigate as it would require personnel to be near the prime
focus which is inherently difficult in normal operations.
The hazard is mostly to the equipment itself. By its very nature the heat stop is designed to withstand
this energy (given normal operation of the heat stop; failure of the heat stop thermal control has its own
safety functions). This leaves damage to equipment near the heat stop. There are various cables and pipes
in this area that could potentially be damaged or destroyed by sufficiently concentrated energy.
The solution was to design and implement a sun sensor that would determine if the sun is within 1.5
solar radii (R☉) of on-axis pointing. If the sun is within 1.5 R☉, the excess energy will be absorbed by the
heat stop as designed. (See 4.3.3 On-Sun Pointing.)
However, it was clarified that the telescope also needed to be able to view objects at elongations
greater than 1.5 R☉. This leaves a complex problem of understanding where excess energy may focus,
depending on the relative angles of the sun, telescope, and entrance aperture, something that does not lend
itself well to a robust safety function.
The decision was made to restrict observations to elongations greater than 25°, as the geometry is such
that no sunlight should strike the primary mirror if the entrance aperture is more than 25° from the
telescope’s line of sight.
If the sun is below the horizon, pointing is also considered safe.
The last two items revealed the need to introduce an additional safety function (see 4.3.2 Off Sun
Pointing) to calculate the sun’s position and determine if the sun is in a safe position relative to the
telescope.
4.2 REQUIREMENTS FOR SAFETY FUNCTIONS
4.2.1 Control Reliability
To ensure control reliability, each safety function requires that the hardware it depends on have a fault
tolerance of at least 1 (i.e., loss of any single component will not cause the loss of the safety
function). Secondly, diagnostics will be included to detect a failure of any component that could cause a
loss of a safety function, at or before the next demand on that component.
4.2.2 Response Time
Each safety function must have a response time of less than 200 milliseconds, measured from the time
an input changes until the output changes to a safe state. Within that time the safety function must either
respond to the input change or default to the safe state. It need not complete its action by then, but it
must initiate the change to the safe state.
The safety function must complete any action required to reach a safe state before the hazard can cause
damage.
For example, the M1 Mirror Cover must begin closing within 200 milliseconds of an over-temperature fault
but may take as long as 15 seconds to close completely. The upper limit is imposed by the length of time the
heat stop shutter is able to withstand damage.
4.3 GLOBAL SAFETY FUNCTIONS
There are several safety functions that span multiple systems. These safety functions are controlled by the
Global Interlock Controller and are referred to as Global Safety Functions.
4.3.1 Emergency Stop Safety Function
Safety Function: Emergency Stop
Hazard: Avert potential hazards or reduce existing hazards that may arise from malfunctioning of the facility, human error or normal operation
Triggering Event: Human-operated control device
Priority: Emergency Stop shall take priority over all other control functions.
Modes: Always active
Reaction: Halt all hazardous motion; block light path
Safe State:
  Telescope Azimuth motion stopped
  Telescope Elevation motion stopped
  Coudé Rotator motion stopped
  Enclosure Carousel motion stopped
  Enclosure Shutter closed
  Safety Shutter closed
  M1 Mirror Cover closed
  Enclosure Jib Crane motion stopped
  Enclosure Bridge Crane motion stopped
Required Integrity: PLe, SIL3
All subsystems’ emergency stop devices are combined in logic at the GIC, so that activating any
emergency stop device will cause all GIS-connected subsystems to go to their safe state. In most cases
they will perform an immediate stop (category 0 or 1 stop as determined by subsystem analysis). The
exception is that M1 Mirror Cover and Enclosure Entrance Aperture will close (their safe state) in a
predetermined sequence.
[Figure: Emergency Stop logic. The inputs GIC EStop, TMA EStop, Enclosure EStop, Coudé EStop, Facilities EStop, Instrument EStop, OSS EStop and FTS EStop are combined through OR (">=1") gates into the Emergency Stop signal.]
4.3.2 Off Sun Pointing
The design of the telescope is such that during normal operation most of the reflected solar energy from
the M1 is directed into the heat stop. There are dangers associated with the reflected solar energy near the
prime focus. It is therefore desirable to restrict where this reflected energy may fall. The light path is
blocked by redundantly using the Aperture Cover and the M1 Cover, either of which would be effective
but both are used to avoid a potential single point failure.
Obviously, when the Sun is below the horizon the telescope should be able to point safely at any location
in the sky. To determine the location of the Sun relative to horizon, a relatively simple ephemeris
calculation is needed. This calculation relies on two different time sources (NTP and PTP). These two
sources are compared for agreement. If they agree and the Sun is below the horizon, the light path may be
opened.
Additionally, when the Sun is more than 25° away from where the telescope is pointing no sunlight will
reach the primary mirror, thus there is no reflected solar radiation to be concerned with. In this case the
light path may also be opened.
Safety Function: Off Sun
Hazard: Concentrated solar radiation
Triggering Event: Telescope pointing off axis of Sun within 25°
Priority:
Modes: Automatic
Reaction: Block the light path
Safe State: Aperture Cover closed; M1 Cover closed
Required Integrity: SIL 2
[Figure: Off Sun logic. NTP TIME and PTP TIME are compared (COMP A=B within F(Tdiff)); the agreed time feeds the position-of-Sun calculation F(Tsun) and the sunrise/sunset times. The conditions "before sunrise" (A<B), "after sunset" (A>B) and "no sunlight on M1" (telescope-to-Sun angle A-B>25°, using the TELESCOPE POSITION input) are OR'ed and gated by the time-source agreement to produce the No Sun signal.]
4.3.3 On-Sun Pointing
Related to the off Sun pointing are on-axis solar observations. When the sun is within 1.5 solar radii (R☉),
the reflected solar energy is trapped in the heat stop. This is the normal operating condition of the
telescope. Due to the accuracy required to ensure that the reflected energy is contained within the heat
stop, the above ephemeris calculation is unlikely to be sufficiently accurate.
In this case, a small sun position sensor will be required. This sensor is essentially a small pin-hole
camera that uses a two-dimensional position sensitive device (PSD) to determine if the sun is on-axis.
[Figure: On-Sun logic. SUN POSITION X and SUN POSITION Y from the PSD give r = √(x²+y²) = F(r); the comparator A<1.5R☉ ("1.5 solar radii or less") produces the On-Sun signal.]
It should be noted that the Safety Shutter in front of the heat stop is not used in this safety function. If the
telescope is sufficiently off-axis, the Safety Shutter would not block the light path. If the telescope is on-
axis, the heat stop should absorb the solar energy as designed. Failure of the heat stop is covered
elsewhere.
4.3.4 Aperture Cover Interlock
The Enclosure Aperture Cover is allowed to open under specific circumstances.
[Figure: Aperture Cover Open Permissive logic. On-Sun, Heat Stop Overtemp (inverted) and Heat Stop Shutter Open are combined by AND; that result, No Sun and M1 Cover Closed are combined by OR (">=1") into the Aperture Cover Open Permissive.]
If the M1 cover is closed or no sunlight is striking the M1, there is no reflected solar energy. Typical
operation will require that, in order to acquire the sun, the telescope points at the sun with the M1 cover
closed. Once the sun sensor described in 4.3.3 detects that the sun is within 1.5 R☉, the M1 cover is permitted
to open and the aperture is permitted to stay open.
4.3.5 M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
[Figure: M1 Cover Open Permissive logic. On-Sun, Heat Stop Overtemp (inverted) and Heat Stop Shutter Open are combined by AND; that result, No Sun and Aperture Cover Closed are combined by OR (">=1"); the permissive is additionally gated by Upper Enclosure Access (inverted) through an AND.]
Similar to the Entrance Aperture (4.3.4), the M1 cover may open when there is no sunlight on the mirror.
Additionally, if the telescope is pointed directly at the sun, the safety shutter is open, and the heat stop
is not in an over-temperature condition, the M1 Cover may open.
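The Off Sun, On-Sun and cover-permissive logic of 4.3.2 through 4.3.5, written out as an added Python model (not the project's ladder logic). It assumes the Sun's altitude and azimuth are supplied by the ephemeris calculation, which is not shown, and uses a constructed 1 s tolerance for the NTP/PTP comparison; the 25° and 1.5 R☉ thresholds are the page's own.

```python
"""Light-path permissive logic of sections 4.3.2 to 4.3.5 as an added Python
model (not the project's ladder logic). Assumed: the Sun's altitude/azimuth
come from an ephemeris routine not shown here; NTP and PTP must agree within
TIME_TOLERANCE_S (constructed value); all angles are in degrees."""
import math
from dataclasses import dataclass

TIME_TOLERANCE_S = 1.0       # constructed: allowed NTP/PTP disagreement
OFF_SUN_LIMIT_DEG = 25.0     # page: no sunlight reaches M1 beyond 25° from the line of sight
ON_SUN_LIMIT_RSUN = 1.5      # page: the heat stop contains the beam within 1.5 solar radii


def angular_separation_deg(alt1, az1, alt2, az2):
    """Great-circle angle between two altitude/azimuth directions, in degrees."""
    a1, z1, a2, z2 = map(math.radians, (alt1, az1, alt2, az2))
    c = math.sin(a1) * math.sin(a2) + math.cos(a1) * math.cos(a2) * math.cos(z1 - z2)
    return math.degrees(math.acos(max(-1.0, min(1.0, c))))


def time_sources_agree(ntp_time_s, ptp_time_s):
    """COMP A=B block of 4.3.2: both clocks must agree before the ephemeris is trusted."""
    return abs(ntp_time_s - ptp_time_s) <= TIME_TOLERANCE_S


def no_sun(ntp_time_s, ptp_time_s, sun_alt, sun_az, tel_alt, tel_az):
    """4.3.2 'No Sun': Sun below the horizon, or more than 25° from the telescope axis.
    Disagreeing time sources make the computed Sun position untrusted, so the
    function fails safe and reports False."""
    if not time_sources_agree(ntp_time_s, ptp_time_s):
        return False
    if sun_alt < 0.0:                    # before sunrise / after sunset
        return True
    return angular_separation_deg(sun_alt, sun_az, tel_alt, tel_az) > OFF_SUN_LIMIT_DEG


def on_sun(psd_x_rsun, psd_y_rsun):
    """4.3.3 'On-Sun': PSD offset from the sensor axis, in solar radii, within 1.5 R☉."""
    return math.hypot(psd_x_rsun, psd_y_rsun) <= ON_SUN_LIMIT_RSUN


@dataclass
class LightPathState:
    no_sun: bool
    on_sun: bool
    heat_stop_overtemp: bool
    heat_stop_shutter_open: bool
    m1_cover_closed: bool
    aperture_cover_closed: bool


def _beam_contained(s):
    """Telescope on-sun with an open, healthy heat stop: energy lands where designed."""
    return s.on_sun and s.heat_stop_shutter_open and not s.heat_stop_overtemp


def aperture_cover_open_permissive(s):
    """4.3.4: no reflected energy (no sun on M1, or M1 covered), or the beam is contained."""
    return s.no_sun or s.m1_cover_closed or _beam_contained(s)


def m1_cover_open_permissive(s):
    """4.3.5: the mirror image of 4.3.4, with the aperture cover as the redundant blocker."""
    return s.no_sun or s.aperture_cover_closed or _beam_contained(s)
```

Because both covers are permitted to open only when the other cover is closed or the light is provably harmless, the two functions together preserve the redundancy the page describes: no single open cover ever admits unsafe energy.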
4.3.6 Hazardous Access
Because of the many large moving elements of the facility there exist numerous hazards associated with
personnel exposed to these mechanisms. In order to limit exposure a trapped key plan will be
implemented to inhibit access to hazardous areas during motion. See SPEC-0133 Hazardous Zones Fully
Automated Control Access for details.
Because of the design of the GIS being distributed the safety functions that implement hazardous access
control bridge the GIC and LICs. The Facility LIC typically handles the input from the trapped keys and
controls the locking of various doors and access points. The GIC controls the various permissive signals
to individual LICs to inhibit hazardous motion.
[Figure: Coudé Permissive and Coudé Full Speed Permissive logic. Inputs: Coudé Key (AA) in place, Door 110A locked, Enabling Device, Door 209A locked, Door 210A closed, Coudé Key (DA) in place, Door 307A locked, Coudé Crane Stowed, Door 308C closed, Coudé Lab Hatch #1 closed, Coudé Lab Hatch #2 closed, Rec Room Hatch #1 closed, Rec Room Hatch #2 closed, Rec Room Door closed; combined through AND and OR (">=1") gates into the two permissives.]
Ground Floor Inner Pier
The moving cable wrap presents a hazard. Access via door 110A is limited, requiring a trapped key that
disables the Coudé Rotator.
Coudé Inner Pier
The moving cable wrap and other mechanisms present a hazard. Access via doors 209A and 210A is
limited, requiring a trapped key that disables the Coudé Rotator. Furthermore, access via doors and hatches
is monitored from the area under the Coudé Lab floor.
Coudé Lab
The moving floor of the Coudé Lab could present a hazard because of non-rotating equipment on the
periphery of the room. Therefore when the Coudé Lab is accessed by personnel the speed of rotation of
the Coudé Lab is limited to 1.5°/sec.
External Catwalk
The moving Enclosure carousel presents hazards. Access to the external enclosure catwalks and ladders is
limited requiring a trapped key that disables Enclosure Rotation.
Lifting Platform
The moving Enclosure carousel presents hazards. Access to the external enclosure catwalks and ladders is
limited requiring a trapped key that disables Enclosure Rotation. In addition, the rear door may only
operate when the enclosure is aligned with the lifting platform.
Enclosure Cable Wrap
The moving cable wrap presents a hazard. Access floor hatches are limited, requiring a trapped key that
disables the Enclosure Carousel.
Upper Enclosure Platforms
Access to the Upper Enclosure Platform will be restricted by gates requiring a trapped key that disables
Enclosure Carousel and Aperture motion.
Enclosure Floor
The moving floor of the Enclosure could present a hazard because of non-rotating equipment on the
periphery of the area. Therefore when the Enclosure Floor is accessed by personnel the speed of rotation
of the Enclosure carousel is limited to 1.5°/sec.
Telescope Cable Wrap
The moving cable wrap and other mechanisms present a hazard. Access via doors 501A and 502A is
limited, requiring a trapped key that disables the Telescope Azimuth rotation.
Telescope Access
The moving telescope, cable wraps and other mechanisms present a hazard. Access to the telescope
mount is limited by gates requiring a trapped key that disables Telescope Azimuth and Elevation motion.
4.4 OPTICAL SUPPORT SYSTEM LIC
The Optical Support System LIC is responsible for interlocks, limits, and emergency stop functions for
the Top End Optical Assembly; M1 Active and Thermal Controller; and Feed Optics.
This LIC is also the connection point for emergency stop devices located at:
M2 assembly
OSS platform
4.4.1 Top End Optical Assembly
Heat Stop Over Temperature
Temperatures above a predetermined level of the heat stop indicate a failure of the cooling system. The
reaction of the GIS is to close the safety shutter, close the M1 mirror cover, and close the entrance
aperture.
Safety Function: Heat Stop Over Temperature
Hazard: Damage to Heatstop, possible resultant leak of coolant
Triggering Event: Heat Stop temperature above TBD°C
Priority:
Modes: Always active
Reaction: Close safety shutter, aperture cover, and M1 Cover
Safe State: Safety Shutter, Aperture Cover, and M1 Cover closed
Required Integrity: SIL 2
Because the Safety Shutter has limited survivability in the focused beam, the Aperture Cover and/or M1
Cover must also close to protect the Safety Shutter.
TEOA Removed
If the TEOA has been removed from the Telescope it may imbalance the telescope. The reaction of the
GIS is to disable the Telescope elevation axis.
Safety Function: TEOA Removed
Hazard: Unexpected motion due to imbalance of telescope
Triggering Event: Removal of the TEOA
Priority: Cannot be overridden
Modes: All modes
Reaction:
Safe State: Manual pin in place
Required Integrity: SIL 2
Heat Stop Removed
If the heat stop has been removed from the Telescope it may imbalance the telescope. The reaction of the
GIS is to disable the Telescope elevation axis.
Safety Function: Heat Stop Removed
Hazard: Unexpected motion due to imbalance of telescope
Triggering Event: Removal of the heat stop
Priority: Cannot be overridden
Modes: All modes
Reaction:
Safe State: Manual pin in place
Required Integrity: SIL 2
4.4.2 M1 Active Controller & Thermal Controller
To be determined
4.5 MOUNT BASE LIC
The Mount Base LIC is responsible for interlocks, limits, and emergency stop functions for the Telescope
Mount Azimuth and Elevation Axes, Cable Wraps; M1 Mirror Cover; and M5/M6 Access Platform.
4.5.1 Telescope Mount Azimuth Axis
[Figure: Telescope Azimuth Permissive logic. Inputs: Emergency Stop, Bridge Crane Stowed, Jib Crane Stowed, Cable Wrap Overtension (inverted), TMA Key in place, Door 501A locked, Enabling Device, Door 501B locked, Door 403A locked, CW end-of-travel limit (inverted), CCW end-of-travel limit (inverted), TEOA Platform Stowed; combined through AND and OR (">=1") gates into the Telescope Azimuth Permissive.]
Telescope Azimuth Drive Over Speed
Abnormally high velocities indicate a failure of an Azimuth Axis Bogie Drive. The reaction of the GIS is to
bring the axis to a stop as quickly as possible, remove power from all Azimuth Bogie Drive Controllers
and apply the brakes (category 1 stop).
Safety Function Telescope Azimuth Over Speed
Hazard Damage to motor, exceeding travel limits
Triggering Event Telescope motion exceeding normal operating speeds
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Clockwise Final Travel Limit
When a Clockwise Final Limit is detected by combinational logic of the End Stop position and the
limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power
from all Azimuth Bogie Drive Controllers (category 1 stop) and apply the brakes.
Safety Function Telescope Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Telescope rotation exceeding clockwise limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Counter-Clockwise Final Travel Limit
When a Counter-Clockwise Final Limit is detected by using combinational logic of the End Stop position
and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove
power from all Azimuth Bogie Drive Controllers (category 1 stop) and apply the brakes.
Safety Function Telescope Counter-Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Telescope rotation exceeding counter-clockwise limit
Priority
Modes All automatic modes, can be overridden in manual mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Azimuth Cable Wrap Over Tension
The GIS will inhibit motion and remove power to the Telescope Drives if the tension of the Azimuth
Cable Wrap exceeds predetermined limits.
Safety Function Telescope Azimuth Cable Wrap Over Tension
Hazard Damage to cable chain
Triggering Event Tension on cable in cable chain excessive
Priority
Modes Automatic mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Manual Lockout Pin
The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If
this pin is not fully removed the GIS will remove Telescope drive power.
Trapped Key Interlock
This is a group of trapped keys; removal of any one of them inhibits Telescope motion by removing
drive power. A key from this group is required to enter the Azimuth Cable Wrap or Azimuth
Mechanical areas.
Safety Function Telescope Azimuth Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 3
Telescope Azimuth Axis Interlock
This safety function is the result of combinational logic in the GIS that determines whether another
subsystem poses a hazard to Telescope Azimuth Axis motion.
This interlock is asserted unless all the following are true:
Enclosure Bridge Crane stowed
Enclosure Jib Crane stowed
TEOA Platform stowed (see section 4.8.5)
Man Lift stowed
The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.
4.5.2 Telescope Elevation Axis
[Figure: Telescope Elevation Permissive logic diagram (AND/OR function blocks). Inputs: Emergency Stop, Bridge Crane Stowed, Jib Crane Stowed, Cable Wrap Overtension, TMA Key (GA) in place, -X platform locked, Enabling Device, Gate “257” locked, +X platform locked, +X end-of-travel limit, -X end-of-travel limit, TEOA Platform Stowed, TEOA Platform Retracted.]
Telescope Elevation Drive Over Speed
Velocities above a predetermined level indicate a failure of an Elevation Axis Drive. The reaction of the
GIS is to remove power from the Elevation Drive Controllers and apply the brakes (category 0 stop).
Safety Function Telescope Elevation Over Speed
Hazard Damage to motor, exceeding travel limits
Triggering Event Telescope motion exceeding normal operating speeds
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Zenith Final Travel Limit
When a Zenith Final Limit is detected, the reaction of the GIS is to remove Telescope drive power
(category 0 stop) and apply the brakes.
Safety Function Telescope Zenith Final Travel Limit
Hazard Damage to cable chain
Triggering Event Telescope motion exceeding zenith limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Horizon Final Travel Limit
When a Horizon Final Limit is detected, the reaction of the GIS is to remove Telescope drive power
(category 0 stop) and apply the brakes.
Safety Function Telescope Horizon Final Travel Limit
Hazard Damage to cable chain
Triggering Event Telescope motion exceeding horizon limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Telescope Elevation Cable Wrap Over Tension
The GIS will inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of
the Elevation Cable Wrap exceeds predetermined limits.
Safety Function Telescope Elevation Cable Wrap Over Tension
Hazard Damage to cable chain
Triggering Event Tension on cable in cable chain excessive
Priority
Modes Automatic mode
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 2
Trapped Key Interlock
This is a group of trapped keys; removal of any one of them inhibits Enclosure and/or Telescope
motion by removing drive power.
Safety Function Telescope Elevation Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 3
Telescope Elevation Axis Interlock
This safety function is the result of combinational logic in the GIS that determines whether another
subsystem poses a hazard to Telescope Elevation Axis motion.
This interlock is asserted unless all the following are true:
Enclosure Bridge Crane stowed
Enclosure Jib Crane stowed
TEOA Platform stowed or fully deployed (see section 4.8.5)
Man Lift Stowed
The reaction of the GIS is to disable power to the Telescope Elevation Axis Drives.
4.5.3 M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
[Figure: M1 Cover Open Permissive logic diagram (AND/OR function blocks). Inputs: On-Sun, Heat Stop Overtemp, No Sun, Heat Stop Shutter Open, Aperture Cover Closed, Upper Enclosure Access.]
Similar to the Entrance Aperture Cover (section 4.8.4), the M1 cover may open when no sunlight would strike
the mirror (see 4.3.2 Off Sun Pointing). Additionally, if the telescope is pointed directly at the sun, the
safety shutter is open and the heat stop is not in an over-temperature condition, the M1 Cover may open.
4.5.4 Telescope Floor Access Panels Not Closed
Telescope Drive Power is disabled unless all Telescope Floor Access Panels are closed.
Safety Function Telescope Floor Access Panels Not Closed
Hazard Impact, crush/pinch
Triggering Event Any telescope floor access panel not fully closed
Priority
Modes Always active
Reaction Inhibit Telescope azimuth rotation
Safe State Telescope motion stopped
Required Integrity SIL 1
4.5.5 M5/M6 Access Platform Not Stowed
Telescope Elevation drive power is disabled unless the M5/M6 Access Platform is fully stowed.
4.5.6 Access Doors Not Closed
Telescope Azimuth drive power is disabled unless all access doors are closed.
4.5.7 Telescope Azimuth Cable Wrap Access
This area will require a trapped key to access. Inserting the trapped key will allow removal of one or more
secondary personnel safety keys. All personnel who enter will be required to carry a personnel safety key.
Safety Function Telescope Azimuth Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 3
4.5.8 Telescope Azimuth Mechanical Level
Access to the Mechanical Level will require a trapped key. Inserting the trapped key will allow removal
of one or more secondary personnel safety keys. All personnel who enter will carry a personnel safety
key.
Safety Function Telescope Azimuth Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Telescope drives disabled, brakes applied
Safe State Telescope drives disabled, motion stopped
Required Integrity SIL 3
4.6 COUDÉ ROTATOR LIC
The Coudé Rotator LIC is responsible for interlocks, limits, and emergency stop functions of the
Telescope Coudé Rotator Azimuth Axis and Cable Wrap.
4.6.1 Coudé Drive Controller
Coudé Rotator Azimuth Drive Over Speed
Velocities above a predetermined level indicate a failure of a Coudé Axis Drive. The reaction of the GIS is
to remove power from the Coudé Drive Controllers and apply the brakes (category 0 stop).
Safety Function Coudé Rotator Azimuth Over Speed
Hazard Damage to motor, exceeding travel limits
Triggering Event Coudé Rotator motion exceeding normal operating speeds
Priority
Modes All modes
Reaction Rotator drives disabled, brakes applied
Safe State Rotator drives disabled, motion stopped
Required Integrity SIL 2
Coudé Rotator Clockwise Final Travel Limit
When a Coudé Rotator Clockwise Final Limit is detected by using combinational logic of the End Stop
position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power
(category 0 stop) and apply the brakes.
Safety Function Coudé Rotator Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Rotator motion exceeding clockwise limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Rotator drives disabled, brakes applied
Safe State Rotator drives disabled, motion stopped
Required Integrity SIL 2
Coudé Rotator Counter-Clockwise Final Travel Limit
When a Coudé Rotator Counter-Clockwise Final limit is detected by using combinational logic of the End
Stop position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power
(category 0 stop) and apply the brakes.
Safety Function Coudé Rotator Counter-Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Rotator motion exceeding counter-clockwise limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Rotator drives disabled, brakes applied
Safe State Rotator drives disabled, motion stopped
Required Integrity SIL 2
Coudé Rotator Azimuth Cable Wrap Over Tension
The GIS will inhibit motion and remove power to the Coudé Rotator Drives if the tension of the Azimuth
Cable Wrap exceeds predetermined limits.
Safety Function Coudé Rotator Azimuth Cable Wrap Over Tension
Hazard Damage to cable chain
Triggering Event Tension on cable in cable chain excessive
Priority
Modes Automatic mode
Reaction Rotator drives disabled, brakes applied
Safe State Rotator drives disabled, motion stopped
Required Integrity SIL 2
Trapped Key Interlock
This is a group of trapped keys; removal of any one of them inhibits Coudé Rotator motion by
removing drive power. A key from this group is required to enter the Coudé Rotator area.
Safety Function Coudé Rotator Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Rotator drives disabled, brakes applied
Safe State Rotator drives disabled, motion stopped
Required Integrity SIL 3
Access Ladder Not Stowed
The GIS will inhibit motion and remove power to the Coudé Rotator Drives if the access ladder is not
stowed.
Safety Function Access Ladder Not Stowed
Hazard Pinch/crush hazards
Triggering Event Access ladder not stowed
Priority
Modes All
Reaction Inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped AND
Coudé Azimuth drives de-energized.
Required Integrity SIL 2
Mezzanine Platform Not Stowed
The GIS will inhibit motion and remove power to the Coudé Rotator Drives if the mezzanine platform is
not stowed.
Safety Function Mezzanine Platform Not Stowed
Hazard Pinch/crush hazards
Triggering Event Mezzanine platform not stowed
Priority
Modes All
Reaction inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped AND
Coudé Azimuth drives de-energized.
Required Integrity SIL 2
Floor Access Panel Open
The GIS will inhibit motion and remove power to the Coudé Rotator Drives if any floor access panel is
not closed.
Safety Function Floor Access Panel Not Closed
Hazard Pinch/crush hazards
Triggering Event Any floor access panel not closed
Priority
Modes All
Reaction inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped AND
Coudé Azimuth drives de-energized.
Required Integrity SIL 2
Coudé Lab Crane Not Stowed
Use of the Coudé Lab Crane will require that hazardous motion be inhibited.
Safety Function Coudé Lab Crane Interlock
Hazard Pinch/crush hazards.
Triggering Event Coudé Lab Crane not stowed
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped AND
Coudé Azimuth drives de-energized.
Required Integrity SIL 2
Electronic Rack Door Open
The GIS will inhibit motion and remove power to the Coudé Rotator Drives if any electronic rack door is
not closed.
Safety Function Electronic Rack Door Open
Hazard Pinch/crush hazards
Triggering Event Any electronic rack door not closed
Priority
Modes All
Reaction inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped AND
Coudé Azimuth drives de-energized.
Required Integrity SIL 1
4.7 INSTRUMENTATION SYSTEMS LIC
4.7.1 Coudé Adaptive Optics (AO-C)
None currently identified.
4.7.2 Coudé Active Optics (aO-C)
None currently identified.
4.7.3 Visible Light Broadband Imager (VLBI)
None currently identified.
4.7.4 Visible Spectropolarimeter (ViSP)
None currently identified.
4.7.5 Near-IR Spectropolarimeter (NIRSP)
None currently identified.
4.7.6 Visible Tunable Filter (VTF)
None currently identified.
4.8 ENCLOSURE MOTION CONTROL LIC
The Enclosure Motion Control LIC is responsible for interlocks, limits, and emergency stop functions for
the Enclosure Carousel, Shutters, Cable Wraps, Entrance Aperture, Bridge Crane, Jib Cranes, Rear
Access Doors, and TEOA Platform.
This LIC is also the connection point for emergency stop devices located at or near the above items.
4.8.1 Enclosure Carousel Axis
Carousel Clockwise Final Travel Limit
When a Carousel Clockwise Final Limit is detected by using combinational logic of the End Stop position
and the final limit switches, the reaction of the GIS is to remove carousel drive power (category 0 stop)
and apply the brakes.
Safety Function Enclosure Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Enclosure motion exceeding clockwise limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Enclosure drives disabled, brakes applied
Safe State Enclosure drives disabled, motion stopped
Required Integrity SIL 2
Carousel Counter-Clockwise Final Travel Limit
When a Carousel Counter-Clockwise Final limit is detected by using combinational logic of the End Stop
position and the final limit switches, the reaction of the GIS is to remove carousel drive power (category 0
stop) and apply the brakes.
Safety Function Enclosure Counter-Clockwise Final Travel Limit
Hazard Damage to cable chain
Triggering Event Enclosure motion exceeding counter-clockwise limit
Priority
Modes Automatic modes, can be overridden in manual mode
Reaction Enclosure drives disabled, brakes applied
Safe State Enclosure drives disabled, motion stopped
Required Integrity SIL 2
Carousel Cable Wrap Over Tension
The GIS will inhibit motion and remove power to the Carousel Drives if the tension of the Azimuth Cable
Wrap exceeds predetermined limits.
Safety Function Enclosure Azimuth Cable Wrap Over Tension
Hazard Damage to cable chain
Triggering Event Tension on cable in cable chain excessive
Priority
Modes Automatic mode
Reaction Enclosure drives disabled, brakes applied
Safe State Enclosure drives disabled, motion stopped
Required Integrity SIL 2
Carousel Personnel Trapped Key Interlock
This is a group of trapped keys; removal of any one of them inhibits Enclosure Carousel motion by
removing drive power. A key from this group is required to enter the Azimuth Cable Wrap or Azimuth
Mechanical areas, and to enable the exterior boom lift.
Safety Function Enclosure Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Enclosure drives disabled, brakes applied
Safe State Enclosure drives disabled, motion stopped
Required Integrity SIL 3
4.8.2 Elevation Axis
Shutter Personnel Trapped Key Interlock
This is a group of trapped keys; removal of any one of them inhibits Enclosure Shutter motion by
removing drive power.
Safety Function Enclosure Trapped Key Interlock
Hazard Pinch/crush hazard from moving parts
Triggering Event Trapped key removed
Priority
Modes All modes
Reaction Enclosure drives disabled, brakes applied
Safe State Enclosure drives disabled, motion stopped
Required Integrity SIL 3
4.8.3 Cranes
Bridge Crane Not Stowed
If the Bridge Crane is not stowed (stowed means hook fully up, trolley at end-of-travel, and bridge fully
towards the rear of the enclosure) the GIS will remove drive power from both the Altitude and Azimuth
telescope drive controllers (category 0 stop).
Safety Function Bridge Crane Not Stowed
Hazard Collision between Telescope and crane
Triggering Event Bridge Crane not in stowed position
Priority
Modes Automatic (may be overridden in manual mode)
Reaction Inhibit Enclosure rotation
Safe State Bridge Crane in Stowed Position (hook up, bridge at rear of enclosure)
Required Integrity SIL 2
Bridge Crane Interlock
The GIS will inhibit (category 0 stop) the Bridge Crane unless the following conditions are true:
The telescope is parked.
The telescope azimuth and elevation drives are disabled.
The telescope brakes are engaged.
Safety Function Bridge Crane Interlock
Hazard Collision between Telescope and crane
Triggering Event Telescope not parked
Priority
Modes Automatic (may be overridden in manual mode)
Reaction Disable Motion of Bridge Crane
Safe State Telescope Mount stopped
Required Integrity SIL 2
Jib Crane Not Stowed
If the GIS detects that the Jib Crane is not stowed (stowed means hook fully up and jib fully towards the
wall of the enclosure) the GIS will remove drive power from both the Altitude and Azimuth telescope
drive controllers (category 0 stop).
Safety Function Jib Crane Not Stowed
Hazard Collision between Telescope and crane
Triggering Event Jib Crane not in stowed position
Priority
Modes Automatic (may be overridden in manual mode)
Reaction Inhibit Enclosure rotation
Safe State Jib Crane in Stowed Position (hook up, jib against side of enclosure)
Required Integrity SIL 2
Jib Crane Interlock
The GIS will inhibit (category 0 stop) the Jib Crane unless the following conditions are true:
The telescope azimuth and elevation drives are disabled.
The telescope brakes are engaged.
Safety Function Jib Crane Interlock
Hazard Collision between Telescope and crane
Triggering Event Telescope not parked
Priority
Modes Automatic (may be overridden in manual mode)
Reaction Disable Motion of Jib Crane
Safe State Telescope Mount stopped
Required Integrity SIL 2
4.8.4 Entrance Aperture Cover Interlock
The enclosure entrance aperture cover is allowed to open under specific circumstances.
[Figure: Aperture Cover Open Permissive logic diagram (AND/OR function blocks). Inputs: On-Sun, Heat Stop Overtemp, No Sun, Heat Stop Shutter Open, M1 Cover Closed.]
If the M1 cover is closed or there is no sunlight on M1, the Entrance Aperture Cover may open.
Additionally, if the telescope is pointed at the sun, the heat stop shutter is open and the heat stop is not in
an over-temperature condition, the Entrance Aperture Cover may open.
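The two cover permissives (4.5.3 M1 Cover and 4.8.4 Entrance Aperture Cover) are the same combinational function with the cover inputs swapped. The Python below is an added example, not code from SPEC-0140 or the GIS, that models both using the input names from the figures. The tri-state convention (True, False, or None for a faulted or unreadable channel), the CoverInputs dataclass and the function names are assumptions of this example; the M1 cover figure also lists an Upper Enclosure Access input whose role the text does not describe, so it is left out. The point the example makes concrete is default-deny: a permissive is granted only from channels known to be in the permitting state, and an over-temperature alarm that cannot be read is treated as present.

```python
"""Cover-open permissives as combinational logic (added example, not GIS code).

Inputs follow the figure names on the page. Each input is tri-state:
True = asserted, False = not asserted, None = channel faulted/unknown.
The dataclass and function names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

Tri = Optional[bool]


@dataclass(frozen=True)
class CoverInputs:
    on_sun: Tri                  # telescope pointed directly at the sun
    no_sun: Tri                  # off-sun pointing: no sunlight would strike M1
    heat_stop_shutter_open: Tri  # heat stop (safety) shutter open
    heat_stop_overtemp: Tri      # heat stop over-temperature alarm
    m1_cover_closed: Tri
    aperture_cover_closed: Tri


def _asserted(v: Tri) -> bool:
    """A permitting input counts only when the channel is known and True."""
    return v is True


def _clear(v: Tri) -> bool:
    """An alarm is clear only when known and False; an unreadable alarm blocks."""
    return v is False


def on_sun_path_ok(s: CoverInputs) -> bool:
    """Term shared by both permissives: on sun, shutter open, no over-temp."""
    return (_asserted(s.on_sun)
            and _asserted(s.heat_stop_shutter_open)
            and _clear(s.heat_stop_overtemp))


def aperture_cover_open_permissive(s: CoverInputs) -> bool:
    """4.8.4: M1 cover closed, or no sun on M1, or the on-sun path."""
    return (_asserted(s.m1_cover_closed)
            or _asserted(s.no_sun)
            or on_sun_path_ok(s))


def m1_cover_open_permissive(s: CoverInputs) -> bool:
    """4.5.3: aperture cover closed, or no sun, or the on-sun path."""
    return (_asserted(s.aperture_cover_closed)
            or _asserted(s.no_sun)
            or on_sun_path_ok(s))


# Constructed states for illustration (not measured values).
BOTH_CLOSED = CoverInputs(on_sun=False, no_sun=False, heat_stop_shutter_open=False,
                          heat_stop_overtemp=False, m1_cover_closed=True,
                          aperture_cover_closed=True)
# Aperture already open, on sun, shutter open, heat stop healthy.
OBSERVING = CoverInputs(on_sun=True, no_sun=False, heat_stop_shutter_open=True,
                        heat_stop_overtemp=False, m1_cover_closed=False,
                        aperture_cover_closed=False)
# Same as OBSERVING but the over-temp channel cannot be read.
OVERTEMP_UNKNOWN = CoverInputs(on_sun=True, no_sun=False, heat_stop_shutter_open=True,
                               heat_stop_overtemp=None, m1_cover_closed=False,
                               aperture_cover_closed=False)
# Pointing state unknown with both covers open: nothing permits.
POINTING_UNKNOWN = CoverInputs(on_sun=None, no_sun=None, heat_stop_shutter_open=True,
                               heat_stop_overtemp=False, m1_cover_closed=False,
                               aperture_cover_closed=False)

if __name__ == "__main__":
    for name, state in [("both closed", BOTH_CLOSED), ("observing", OBSERVING),
                        ("overtemp unknown", OVERTEMP_UNKNOWN),
                        ("pointing unknown", POINTING_UNKNOWN)]:
        print(f"{name:17s} aperture={aperture_cover_open_permissive(state)} "
              f"m1={m1_cover_open_permissive(state)}")
```

On-Sun and No Sun are kept as separate inputs rather than one negated flag, because the telescope can be in neither state (slewing, or pointing state unknown); in that case neither permissive is granted unless the other cover is known closed.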
4.8.5 TEOA Access Platform
The TEOA Access Platform may only be deployed when the telescope mount is aligned in azimuth with
the platform and retracted when the telescope has been raised at least 15° (this measurement needs to be
verified).
Safety Function TEOA Access Platform Permissive
Hazard Pinch/crush hazard from moving components
Triggering Event Enclosure Carousel at TEOA maintenance position AND
Telescope Azimuth at TEOA maintenance position AND
Telescope Elevation above 15°
Priority
Modes All modes
Reaction Enable TEOA maintenance platform drives
Safe State TEOA maintenance platform disabled
Required Integrity SIL 2
Additionally, when the TEOA Access Platform is not stowed, Enclosure Carousel motion and Telescope
Azimuth motion are inhibited.
Safety Function TEOA Access Platform Not Stowed
Hazard Pinch/crush hazard from moving components
Triggering Event TEOA Access Platform not stowed
Priority
Modes All modes
Reaction Disable Telescope Azimuth and Enclosure Carousel drives
Safe State Enclosure Carousel drives disabled AND
Enclosure Carousel brakes set AND
Telescope Azimuth Drives disabled AND
Telescope Azimuth brakes set
Required Integrity SIL 2
Remarks See section 4.5.1
However, the Telescope Elevation axis will be required to lower into position while the TEOA Access
Platform is not stowed. So, Telescope Elevation motion will be permitted only when the TEOA Access
Platform is fully deployed or fully retracted.
Safety Function TEOA Access Platform Not In Position
Hazard Pinch/crush hazard from moving components
Triggering Event TEOA Access Platform not stowed AND
TEOA Access Platform not fully deployed
Priority
Modes All modes
Reaction Disable Telescope Elevation drives
Safe State Telescope Elevation Drives disabled AND
Telescope Elevation brakes set
Required Integrity SIL 2
Remarks See section 4.5.2
4.8.6 Enclosure Rear Door Closed End-of-Travel Limit
When a Closed End-of-Travel Limit is detected, the GIS will bring the actuator to a controlled stop
(category 1 stop) and inhibit further motion in the open direction.
4.9 FACILITY THERMAL SYSTEM LIC
4.9.1 Vent Gates
None currently identified
4.9.2 Carousel Cooling
Carousel Coolant Leak
This safety function monitors supply and return flow rates. If the difference between the supply and return
flow rates exceeds a predetermined threshold (indicating a leak), the GIS commands a controlled stop of the
pumps and then disables power (category 1 stop).
Carousel Dehumidification High Wet Bulb Temperature
If the wet bulb temperature in the carousel exceeds a predetermined level, the GIS will command a
controlled stop of the pumps and then disable power (category 1 stop).
4.9.3 Enclosure Rear Door
None currently identified
4.10 FACILITIES LIC
The facilities LIC is responsible for interlocks, limits, and emergency stop functions located in the
Support and Operations Building.
This LIC is also the connection point for emergency stop devices located at:
Control Room
Boom Lift
The facility LIC also plays a crucial role in controlling access to various hazardous zones of the facility.
4.10.1 Fire Alarm
When the fire alarm system has detected a fire, all systems controlled by the GIS should conduct a
controlled stop and power off (category 1 stop).
Safety Function Facility Fire Alarm
Hazard Personnel hazard from smoke and flame
Triggering Event Fire/smoke detected by building fire alarm
Priority
Modes All
Reaction All hazardous motion shall be stopped (Category 1 stop).
Safe State Telescope Azimuth motion stopped
Telescope Elevation motion stopped
Coudé Rotator motion stopped
Enclosure Carousel motion stopped
Aperture Cover closed
Safety Shutter closed
M1 Mirror Cover closed
Enclosure Jib Crane motion stopped
Enclosure Bridge Crane motion stopped
Required Integrity n/a
Input Dry contact from Fire Alarm Panel
Output Tag FAC_FireAlarm_OK = 0
4.10.2 Seismic Alarm
Upon detection of a seismic event, all systems controlled by the GIS should conduct a controlled stop and
power off (category 1 stop).
Safety Function Facility Seismic Alarm
Hazard Personnel and equipment hazard during and following a seismic event
Triggering Event Seismic event detected
Priority
Modes All
Reaction All hazardous motion shall be stopped (Category 1 stop).
Safe State Telescope Azimuth motion stopped
Telescope Elevation motion stopped
Coudé Rotator motion stopped
Enclosure Carousel motion stopped
Aperture Cover closed
Safety Shutter closed
M1 Mirror Cover closed
Enclosure Jib Crane motion stopped
Enclosure Bridge Crane motion stopped
Required Integrity n/a
Input Accelerometers
Output Tag FAC_SeismicAlarm_OK = 0
4.10.3 Boom Lift
Boom Lift Not Stowed
This function is used by the GIS in combination logic to inhibit other subsystems.
Safety Function Boom Lift Not Stowed
Hazard Impact
Triggering Event Boom lift not in stowed position
Priority
Modes May be bypassed when lift is removed from observing chamber
Reaction Inhibit enclosure motion AND
inhibit telescope motion AND
Inhibit M1 Cover motion
Safe State Enclosure Azimuth Rotation stopped AND
Enclosure Azimuth Rotation drives de-energized AND
Telescope Azimuth rotation stopped AND
Telescope Azimuth Drives de-energized AND
Telescope Azimuth Brakes set AND
Telescope Elevation rotation stopped AND
Telescope Elevation Drives de-energized AND
Telescope Elevation Brakes set.
Required Integrity SIL 1
Boom Lift Permissive
Use of the Boom Lift will require that hazardous motion be inhibited.
Safety Function Boom Lift Permissive
Hazard Impact
Triggering Event Telescope and Enclosure not parked
Priority
Modes May be bypassed when lift is removed from observing chamber
Reaction Inhibit enclosure motion AND
inhibit telescope motion AND
Inhibit M1 Cover motion
Safe State Telescope Azimuth motion stopped
Telescope Elevation motion stopped
Enclosure Carousel motion stopped
4.10.4 Coudé Lab
Coudé Lab Crane Permissive
Use of the Coudé Lab Crane will require that hazardous motion be inhibited.
Safety Function Coudé Lab Crane Permissive
Hazard Pinch/crush hazards
Triggering Event Coudé Azimuth not parked.
Priority
Modes
Reaction Inhibit Coudé Lab Crane motion
Safe State Coudé Lab Crane de-energized
Required Integrity SIL 2
4.10.5 Hazardous Area Access
Coudé Hazardous Zone
Access to hazardous areas will be controlled via trapped keys and/or interlocked doors.
Safety Function Coudé Pier Access
Hazard Coudé cable wrap pinch/crush hazards
Coudé azimuth rotator pinch/crush or impact hazards
Triggering Event Door 110A opened OR
Door 209A opened OR
Door 210A opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction inhibit Coudé Azimuth rotation
Safe State Coudé Azimuth rotation stopped.
Coudé Azimuth drives de-energized.
Required Integrity SIL 3
Coudé Lab Access
Safety Function Coudé Lab Access
Hazard Coudé Lab pinch/crush hazards
Triggering Event Door 307A opened OR
Door 308C opened
Priority All stopping safety functions are higher priority
Modes
Reaction Limit rotation speed of Coudé Lab to <1.75°/sec
Safe State Coudé Azimuth rotation <1.75°/sec
Required Integrity SIL 3
Telescope Pier Hazardous Zones
Safety Function Utility Floor Access
Hazard Telescope cable wrap pinch/crush hazards
Triggering Event Door 403A opened OR
Gate “21” opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Inhibit telescope azimuth rotation
Safe State Telescope Azimuth rotation stopped AND
Telescope Azimuth Drives de-energized AND
Telescope Azimuth Brakes set
Required Integrity SIL 3
Telescope Cable Wrap Hazardous Access
Safety Function Telescope Cable Wrap Access
Hazard Telescope Cable Wrap crush/pinch hazards
Triggering Event Door 501A opened OR
Door 502A opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Inhibit telescope azimuth rotation
Safe State Telescope Azimuth rotation stopped AND
Telescope Azimuth Drives de-energized AND
Telescope Azimuth Brakes set
Required Integrity SIL 3
Enclosure Hazardous Zones
Safety Function Enclosure Cable Wrap Access
Hazard Enclosure Cable Wrap crush/pinch hazards
Enclosure Rotation crush/pinch hazards
Triggering Event Floor Hatch FH-01 opened OR
Floor Hatch FH-02 opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Inhibit Enclosure Azimuth Rotation
Safe State Enclosure Azimuth Rotation stopped AND
Enclosure Azimuth Rotation drives de-energized.
Required Integrity SIL 3
Enclosure Catwalk Hazardous Access
Safety Function Catwalk Access
Hazard Enclosure Rotation crush/pinch hazards
Triggering Event Door 402D opened OR
Door 210B opened OR
Door 308D opened OR
Door 402B opened OR
Enclosure Door opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Inhibit Enclosure Azimuth Rotation
Safe State Enclosure Azimuth Rotation stopped AND
Enclosure Azimuth Rotation drives de-energized.
Required Integrity SIL 3
Enclosure Upper Level Hazardous Access
Safety Function Enclosure Upper Level Access
Hazard Fall hazard, dropped item damage to equipment.
Triggering Event Enclosure upper platform gate +X opened OR
Enclosure upper platform gate –X opened.
Priority
Modes All automatic modes
Reaction Inhibit enclosure rotation motion
Safe State Enclosure Rotation stopped AND
Enclosure Drives de-energized AND
Enclosure Brakes set
Required Integrity SIL 3
Enclosure Lifting Platform Access
Safety Function Lifting Platform Access
Hazard Enclosure Rotation crush/pinch hazards
Triggering Event Lifting platform access deployed
Priority
Modes All automatic modes
Reaction Inhibit Enclosure Azimuth Rotation
Safe State Enclosure Azimuth Rotation stopped AND
Enclosure Azimuth Rotation drives de-energized.
Required Integrity SIL 3
Telescope Floor Hazardous Zones
Safety Function Telescope Floor Access
Hazard Enclosure azimuth pinch/crush
Slip/trip hazard
Triggering Event Enclosure Azimuth rotation exceeds safe linear velocity threshold
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Safe Limited Speed of Enclosure azimuth rotation
Safe State Rotation speed less than 1.5°/sec
Required Integrity SIL 3
Telescope Hazardous Zone
Safety Function Telescope Access
Hazard Pinch/crush hazard on Telescope Mount Assembly
Triggering Event Telescope Gate opened
Priority
Modes Automatic (can be overridden with enabling pendant in manual control)
Reaction Inhibit telescope motion
Safe State Telescope Azimuth rotation stopped AND
Telescope Azimuth Drives de-energized AND
Telescope Azimuth Brakes set AND
Telescope Elevation rotation stopped AND
Telescope Elevation Drives de-energized AND
Telescope Elevation Brakes set
Required Integrity SIL 3
4.10.6 PFlow Lift
PFlow Lift Permissive
Safety Function: PFlow Lift Permissive
Hazard: Pinch/crush hazard with Enclosure
Triggering Event: Rear door aligned with lift AND
  Enclosure drives disabled
Priority:
Modes:
Reaction: Inhibit PFlow lift movement above utility level
Safe State: PFlow lift below utility level
Required Integrity: SIL 1
PFlow Lift Interlock
Safety Function: PFlow Lift Interlock
Hazard: Pinch/crush hazard with Enclosure
Triggering Event: PFlow lift above utility level
Priority:
Modes:
Reaction: Inhibit Enclosure Azimuth rotation
Safe State: Enclosure Azimuth Rotation stopped AND
  Enclosure Azimuth Rotation drives de-energized.
Required Integrity: SIL 1
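The following is an added example, not part of SPEC-0140 and not the project's ladder logic. It models the door, gate, platform and PFlow functions tabulated above as de-energize-to-trip permissives in Python: each function evaluates its Triggering Event over one scan of guard inputs, latches a demand until an operator reset, and refuses the reset while the trigger is still present. The input names (door_402D, upper_gate_plus_x, pflow_lift_below_utility and so on), the latching behaviour, and the reading of the PFlow Lift Permissive's Triggering Event as the condition that grants lift travel above the utility level are assumptions of this example; the Telescope Floor safe-limited-speed function is not modelled.

```python
"""Added example: de-energize-to-trip model of several SRCFs from the tables
above. Illustrative Python, not SPEC-0140's ladder logic. Input names, the
latch-until-reset behaviour and the reading of the PFlow Lift Permissive are
assumptions of this example.

Conventions:
  * A guard input is True only when the guarded condition is proven SAFE
    (door or gate closed, platform stowed, lift below the utility level).
    False means open, and an input missing from the scan also reads as
    False, so a lost signal demands the reaction instead of granting a
    permissive.
  * evaluate() returns the permissive: True = motion allowed,
    False = the Reaction is demanded and the Safe State must be held.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Tuple

Inputs = Mapping[str, bool]
Trigger = Callable[[Inputs], bool]


@dataclass
class SafetyFunction:
    name: str
    reaction: str
    sil: int                  # Required Integrity from the table
    trigger: Trigger          # True while a Triggering Event is present
    latched: bool = False     # a demand stays latched until an operator reset

    def evaluate(self, inputs: Inputs) -> bool:
        """Permissive for this scan: False means the reaction is demanded."""
        if self.trigger(inputs):
            self.latched = True
        return not self.latched

    def reset(self, inputs: Inputs) -> bool:
        """Clear the latch; refused while the triggering event is still present."""
        if self.trigger(inputs):
            return False
        self.latched = False
        return True


def any_unsafe(*guards: str) -> Trigger:
    """Trigger when any named guard is not proven safe (an absent guard counts)."""
    return lambda inputs: any(not inputs.get(g, False) for g in guards)


def build_srcfs() -> Dict[str, SafetyFunction]:
    """Instantiate the door/gate/platform functions with assumed input names."""
    table = [
        ("Enclosure Rotation Access", "Inhibit Enclosure Azimuth Rotation", 3,
         ("door_402D", "door_210B", "door_308D", "door_402B", "enclosure_door")),
        ("Enclosure Upper Level Access", "Inhibit enclosure rotation motion", 3,
         ("upper_gate_plus_x", "upper_gate_minus_x")),
        ("Lifting Platform Access", "Inhibit Enclosure Azimuth Rotation", 3,
         ("lifting_platform_stowed",)),
        ("Telescope Access", "Inhibit telescope motion", 3,
         ("telescope_gate",)),
        ("PFlow Lift Interlock", "Inhibit Enclosure Azimuth rotation", 1,
         ("pflow_lift_below_utility",)),
    ]
    return {name: SafetyFunction(name, reaction, sil, any_unsafe(*guards))
            for name, reaction, sil, guards in table}


# Functions whose Reaction inhibits enclosure azimuth rotation.
ENCLOSURE_INHIBITORS: Tuple[str, ...] = (
    "Enclosure Rotation Access", "Enclosure Upper Level Access",
    "Lifting Platform Access", "PFlow Lift Interlock")


def gis_outputs(srcfs: Dict[str, SafetyFunction], inputs: Inputs) -> Dict[str, bool]:
    """One scan: evaluate every function and AND the permissives per drive."""
    results = {name: f.evaluate(inputs) for name, f in srcfs.items()}
    # PFlow Lift Permissive: travel above the utility level is allowed only
    # while the rear door is aligned AND the enclosure drives are disabled.
    # Treating the table's Triggering Event as the permissive condition is an
    # assumption of this example.
    pflow_ok = bool(inputs.get("rear_door_aligned", False)) and \
        bool(inputs.get("enclosure_drives_disabled", False))
    return {
        "enclosure_azimuth_enable": all(results[n] for n in ENCLOSURE_INHIBITORS),
        "telescope_motion_enable": results["Telescope Access"],
        "pflow_above_utility_enable": pflow_ok,
    }


if __name__ == "__main__":
    funcs = build_srcfs()
    scan = dict.fromkeys(
        ["door_402D", "door_210B", "door_308D", "door_402B", "enclosure_door",
         "upper_gate_plus_x", "upper_gate_minus_x", "lifting_platform_stowed",
         "telescope_gate", "pflow_lift_below_utility"], True)
    print(gis_outputs(funcs, scan))                         # enclosure and telescope enabled
    print(gis_outputs(funcs, dict(scan, door_210B=False)))  # enclosure inhibited
    print(gis_outputs(funcs, scan))                         # still inhibited: latched
```

Two properties of the model are worth noting. A door that closes again does not restore the permissive on its own; the demand stays latched until `reset()` is called with the trigger absent, which mirrors the operator-verified reset described under HMI operator control. And a guard that is missing from the scan (a lost or unmapped signal) reads as unsafe, so wiring or network loss produces a demand rather than silently granting motion.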
5. HMI FUNCTIONS
5.1 SYSTEM STATUS
The HMI will display the current status of the hardware that comprises the GIS. This display will show any
faulted or unconnected equipment to allow for rapid troubleshooting. The results of component self-diagnostics
will also be displayed.
Part of the status display will show whether any I/O forces are active and whether all controllers have valid
safety signatures.
General health information about the GIS will also be provided; this will include information such as
network utilization.
5.2 SAFETY FUNCTION STATUS
The HMI will also display the current status of all GIS safety functions. The HMI will display which
systems are currently interlocked (tripped) or faulted.
5.3 OPERATOR CONTROL
The HMI will also serve as a central point to acknowledge alarms and to reset trips and faults that occur
anywhere in the system. After the operator has verified that the cause of the trip or fault has been rectified,
the HMI will allow password-controlled access to reset the system and restore operation.
5.4 ENGINEERING INTERFACE
The HMI will be capable of displaying engineering screens that detail hardware status and configuration.
These screens will be separate from the user screens and will require password-controlled access.
5.5 LOGGING
The HMI also provides logging of trips and faults that occur within the system. The logs will be time-stamped
to allow for correlation of GIS events with activities within the facility.
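The following is an added example, not part of SPEC-0140 and not the project's HMI software. It models the operator-control, safety-function-status and logging behaviour described in 5.2, 5.3 and 5.5 in Python: trips and faults are latched records, the status display reports each system as healthy, interlocked or faulted, and a reset is refused (and the refusal logged) unless the cause has been rectified, the trip has been acknowledged and the operator is authorized. The record fields, the acknowledge-then-reset sequence, the `authorized` flag standing in for the HMI's password control, and the sample system names are assumptions of this example; the injectable clock exists so the time-stamped log is reproducible.

```python
"""Added example: model of HMI trip/fault status, acknowledgement, reset and
time-stamped logging (sections 5.2, 5.3, 5.5). Illustrative Python, not the
project's HMI. Fields, sequencing and the authorization flag are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class TripRecord:
    name: str                     # safety function or hardware item
    kind: str                     # "trip" (interlocked) or "fault"
    tripped_at: datetime
    acknowledged: bool = False
    cause_cleared: bool = False   # set once the field condition is rectified


def fixed_clock(start_iso: str, step_seconds: int = 1) -> Callable[[], datetime]:
    """Deterministic clock for tests and demos: each call advances by one step."""
    state = {"t": datetime.fromisoformat(start_iso)}

    def clock() -> datetime:
        state["t"] += timedelta(seconds=step_seconds)
        return state["t"]
    return clock


class HmiInterlockDesk:
    """Central point for status, acknowledgement, reset and logging."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.active: Dict[str, TripRecord] = {}   # latched trips and faults
        self.log: List[str] = []                  # time-stamped event lines

    def _record(self, message: str, when: Optional[datetime] = None) -> str:
        when = when or self._clock()
        line = f"{when.isoformat(timespec='seconds')} {message}"
        self.log.append(line)
        return line

    def trip(self, name: str, kind: str = "trip") -> None:
        """Latch a trip or fault; a repeat for the same item is not duplicated."""
        if kind not in ("trip", "fault"):
            raise ValueError(f"unknown kind {kind!r}")
        if name in self.active:
            return
        now = self._clock()
        self.active[name] = TripRecord(name, kind, now)
        self._record(f"{kind.upper()} {name}", now)

    def acknowledge(self, name: str, operator: str) -> bool:
        rec = self.active.get(name)
        if rec is None:
            return False
        rec.acknowledged = True
        self._record(f"ACK {name} by {operator}")
        return True

    def cause_cleared(self, name: str) -> bool:
        """Mark that the field condition behind the trip has been rectified."""
        rec = self.active.get(name)
        if rec is None:
            return False
        rec.cause_cleared = True
        self._record(f"CLEARED {name}")
        return True

    def reset(self, name: str, operator: str, authorized: bool) -> bool:
        """Reset only after the cause is cleared, the trip is acknowledged and
        the operator holds reset permission; every refusal is logged."""
        rec = self.active.get(name)
        if rec is None:
            return False
        reason = None
        if not authorized:
            reason = "operator not authorized"
        elif not rec.cause_cleared:
            reason = "cause not rectified"
        elif not rec.acknowledged:
            reason = "not acknowledged"
        if reason:
            self._record(f"RESET REFUSED {name} by {operator}: {reason}")
            return False
        del self.active[name]
        self._record(f"RESET {name} by {operator}")
        return True

    def status(self, systems: Iterable[str]) -> Dict[str, str]:
        """Per-system status for the safety function status display."""
        out = {}
        for s in systems:
            rec = self.active.get(s)
            out[s] = ("healthy" if rec is None
                      else "interlocked" if rec.kind == "trip" else "faulted")
        return out
```

Because refusals are logged with their reason alongside the operator name, the log answers the questions an investigation asks after a trip: when the interlock tripped, when the cause was cleared, who acknowledged it, and who reset it. The separate `cause_cleared` step is deliberate; a reset that succeeds while the triggering condition is still present would defeat the safety function.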