
Preface

This document details the engineering choices made during the early design of the Global Interlock System. These choices record the design decisions that were taken and serve as a guide to how the system is to be developed. While there are many possible solutions, this document details just one. It forms part of the basis of the Global Interlock System conceptual design, in particular those design elements that do not flow down from any other source.

Introduction

This document details the concept of operations of the Global Interlock System (GIS).

Referenced Documents

TN-0055, Global Interlock System Design

Glossary

See SPEC-0012 for terms and abbreviations not listed below.

...

Trip
a reaction to an interlock that puts the system in a safe state.

Operational Overview

Purpose

The purpose of the Global Interlock System is to provide “a redundant, stand-alone safety mechanism for personnel and equipment.”[3] To this end the GIS was conceived as a safety-related control system which provides functional safety for the entire facility.

Goals

The primary goal of the Global Interlock System is to eliminate unacceptable risk of injury to people and physical damage to property or the environment.

The secondary goal of the GIS is to meet the requirements of OSHA and other applicable safety standards.

System Description

The GIS is designed to be separate from and independent of all other control systems. The GIS will be a hierarchical system in which a master controller, referred to as the Global Interlock Controller (GIC), acts as a supervisor to coordinate the functional safety of multiple distributed systems, each of which is controlled by a Local Interlock Controller (LIC).

...

Although the GuardLogix does not require it to maintain safety, the system is to be connected to a generator-backed UPS feed. This is to ensure, to the greatest degree possible, that the system has high availability and that generator-fed equipment is not interlocked while the facility is running on generator power.

System Concepts

Below is a list of concepts that are driven not by the GIS requirements directly but have been defined by the concept of operations that was developed as part of the reference design.

Independent

The GIS shall be independent of all other control systems.

The GIS shall only be used to inhibit the operation of equipment for safety purposes. The GIS shall not be used for the normal control of any subsystem component.

Programmable

The GIS shall be programmable to facilitate upgrades and changes to equipment during the lifetime of the facility.

Distributed

The GIS shall have components (such as controllers and I/O) distributed throughout the facility.

Each subsystem will be assigned to a Local Interlock Controller which controls safety functions for that subsystem.

Availability

The GIS shall have at least 99.5% uptime. Downtime counted against this figure includes both faults and spurious trips.

Maintainable

The GIS shall have a mean time to restore (MTTR) of less than two hours.

Expandable

The GIS shall be readily expandable to accommodate unforeseen and future needs.

Hierarchical

The GIS shall be hierarchical in nature. A Global Interlock Controller shall provide coordination between the various Local Interlock Controllers. LICs shall not communicate directly with one another.

Provide Status to Operator

The GIS shall provide continuous status of the GIS to the operator and the Observatory Control System (OCS) at no less than a 1Hz rate.

Response time

The GIS shall have a response time of no greater than 200 milliseconds.

UPS

The GIS shall be powered from a generator-backed, uninterruptible power supply. The UPS capacity shall be sufficient to allow switch-over to generator power under normal conditions.

Commercial off-the-shelf

The GIS design shall provide for the use of commercial off-the-shelf parts as much as practicable.

Commonality of parts

The GIS design shall provide for the commonality of parts as much as practicable.

Fault handling

The GIS shall be self-monitoring for faults. When faulted, the system will interlock only the minimum required components to maintain a safe system.

Trip Response

The reaction to a trip shall be based on a detailed hazard analysis. When tripped, the system will interlock only the minimum required components to maintain a safe system.

Logs

The GIS shall log all faults and all trips.
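The availability, maintainability and logging concepts above can be checked against each other once faults and trips are logged. The following is an added example, not code from the GIS design or from TN-0055: it parses a constructed fault/trip log in a hypothetical one-line-per-outage format and evaluates the 99.5% uptime and two-hour MTTR figures. The reading taken here is that faults and spurious trips are charged to the GIS as downtime, while a trip that reacted to a real hazard is the system doing its job and is not charged; the log format, the period and all events are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Numeric requirements stated in this concept of operations.
AVAILABILITY_TARGET = 0.995        # at least 99.5% uptime
MTTR_LIMIT = timedelta(hours=2)    # mean time to restore under two hours


@dataclass
class Outage:
    kind: str            # "fault" (found by self-monitoring) or "trip"
    start: datetime      # when the GIS interlocked equipment
    restored: datetime   # when the interlock was cleared
    spurious: bool       # trips only: no real hazard was present

    @property
    def duration(self) -> timedelta:
        return self.restored - self.start


def parse_log(text: str) -> list[Outage]:
    """Parse the hypothetical one-record-per-line format used below:
    '<start> <fault|trip> restored=<time> [spurious]' with ISO 8601 times."""
    outages = []
    for line in text.strip().splitlines():
        fields = line.split()
        kind = fields[1]
        if kind not in ("fault", "trip"):
            raise ValueError(f"unknown record kind in {line!r}")
        start = datetime.fromisoformat(fields[0])
        restored = datetime.fromisoformat(fields[2].removeprefix("restored="))
        if restored < start:
            raise ValueError(f"restored before start in {line!r}")
        outages.append(Outage(kind, start, restored, "spurious" in fields[3:]))
    return outages


def charged_to_gis(o: Outage) -> bool:
    """Faults and spurious trips are GIS downtime (assumption: a trip that
    answered a real hazard is not charged against GIS availability)."""
    return o.kind == "fault" or o.spurious


def evaluate(outages: list[Outage], period_start: datetime, period_end: datetime) -> dict:
    charged = [o for o in outages if charged_to_gis(o)]
    downtime = sum((o.duration for o in charged), timedelta())
    availability = 1.0 - downtime / (period_end - period_start)
    # MTTR is averaged over the outages charged to the GIS itself.
    mttr = downtime / len(charged) if charged else timedelta()
    return {
        "faults": sum(o.kind == "fault" for o in outages),
        "trips": sum(o.kind == "trip" for o in outages),
        "spurious_trips": sum(o.kind == "trip" and o.spurious for o in outages),
        "downtime": downtime,
        "availability": availability,
        "availability_ok": availability >= AVAILABILITY_TARGET,
        "mttr": mttr,
        "mttr_ok": mttr < MTTR_LIMIT,
    }


# Constructed sample log covering March 2024; the events are illustrative only.
SAMPLE_LOG = """
2024-03-03T02:10:00 fault restored=2024-03-03T03:40:00
2024-03-12T14:05:00 trip  restored=2024-03-12T14:50:00 spurious
2024-03-20T09:00:00 trip  restored=2024-03-20T15:30:00
2024-03-27T22:15:00 fault restored=2024-03-27T22:35:00
"""
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)


def evaluate_sample() -> dict:
    return evaluate(parse_log(SAMPLE_LOG), PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    r = evaluate_sample()
    print(f"faults={r['faults']} trips={r['trips']} spurious={r['spurious_trips']}")
    print(f"availability={r['availability']:.4%} ({'ok' if r['availability_ok'] else 'VIOLATION'})")
    print(f"MTTR={r['mttr']} ({'ok' if r['mttr_ok'] else 'VIOLATION'})")
```

For the sample month the charged downtime is 155 minutes (two faults and one spurious trip), which is well inside the roughly 3.7 hours that 0.5% of a 31-day month allows, and the MTTR of 51.7 minutes is under the two-hour limit; the genuine 6.5-hour trip on 20 March is counted as a trip but not as downtime. Whether genuine trips should be charged is a policy question for the hazard analysis, which is why it is isolated in one function.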

Connectivity

The GIS shall communicate via an isolated EtherNet/IP network.

...

The GIS shall connect to the OCS via a separate Ethernet connection, distinct from the isolated EtherNet/IP safety network.

Safety Functions

The GIS shall be used when multiple subsystems are involved in a single safety function.

The GIS shall be used to control safety functions that require SIL3 mitigation. The GIS shall be used to control safety functions that require a safety integrity level that exceeds the rating of the subsystems’ basic control system.

Muting

Safety functions shall be capable of being muted by the operator. Which functions may be muted shall be determined by a detailed hazard analysis.
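The Safety Functions and Muting concepts above amount to two decision rules: which controller owns a safety function, and who may mute it. The following is an added example, not code from the GIS design or from TN-0055, that applies both rules to a constructed catalog. The subsystem names, their basic control system (BCS) SIL ratings, the safety functions and the mutable flags are all assumptions made for the example; the rules themselves are the three allocation conditions and the operator-only muting condition stated on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    required_sil: int        # safety integrity level from the hazard analysis
    subsystems: frozenset    # subsystems whose equipment the function interlocks
    mutable: bool            # hazard analysis permits the operator to mute it


# Hypothetical SIL capability of each subsystem's basic control system (BCS).
BCS_SIL = {"SUB-A": 2, "SUB-B": 1}


def allocate(sf: SafetyFunction, bcs_sil: dict) -> tuple[str, list[str]]:
    """Decide whether the GIS or the subsystem's BCS implements a function,
    applying the three conditions from this concept of operations. Every
    condition that applies is reported, so the allocation is reviewable."""
    reasons = []
    if len(sf.subsystems) > 1:
        reasons.append("involves multiple subsystems")
    if sf.required_sil >= 3:
        reasons.append("requires SIL 3")
    # A subsystem with no declared BCS rating is treated as SIL 0 (conservative).
    weak = sorted(s for s in sf.subsystems if sf.required_sil > bcs_sil.get(s, 0))
    if weak:
        reasons.append(f"SIL {sf.required_sil} exceeds BCS rating of {', '.join(weak)}")
    return ("GIS" if reasons else "BCS"), reasons


def request_mute(sf: SafetyFunction, requester_role: str) -> tuple[bool, str]:
    """Grant a mute only to an operator and only for a function the hazard
    analysis marked mutable; everything else is refused with the reason."""
    if requester_role != "operator":
        return False, f"{requester_role!r} may not mute safety functions"
    if not sf.mutable:
        return False, f"{sf.name} is not mutable per the hazard analysis"
    return True, f"{sf.name} muted by operator"


# Constructed catalog; names, levels and mutable flags are illustrative only.
CATALOG = [
    SafetyFunction("SF-1", 2, frozenset({"SUB-A"}), mutable=True),
    SafetyFunction("SF-2", 2, frozenset({"SUB-A", "SUB-B"}), mutable=True),
    SafetyFunction("SF-3", 3, frozenset({"SUB-B"}), mutable=False),
    SafetyFunction("SF-4", 1, frozenset({"SUB-C"}), mutable=False),  # no BCS rating on file
]


def allocate_catalog(catalog=CATALOG, bcs_sil=BCS_SIL) -> dict:
    return {sf.name: allocate(sf, bcs_sil) for sf in catalog}


if __name__ == "__main__":
    for name, (owner, why) in allocate_catalog().items():
        print(f"{name}: {owner}  {'; '.join(why) or 'within BCS capability'}")
    print(request_mute(CATALOG[1], "operator"))
    print(request_mute(CATALOG[2], "operator"))
    print(request_mute(CATALOG[1], "maintenance"))
```

Only SF-1 stays with its subsystem's BCS; SF-2 goes to the GIS both because it spans two subsystems and because SUB-B's BCS is rated below SIL 2, SF-3 because it needs SIL 3, and SF-4 because SUB-C has no rating on file and is treated as unrated. The mute check refuses both a non-operator and a function the hazard analysis did not mark mutable, and returns the reason so it can be logged alongside faults and trips.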

...