
This information was originally published as MAN-0001, GIS Operations and Maintenance Manual.

DANGER

Failure to follow the procedures detailed in this manual can result in death or serious injury.

Only authorized persons may perform the procedures detailed in this manual.

NOTICE

Failure to follow the procedures detailed in this manual can result in damage to equipment.

Only authorized persons may perform the procedures detailed in this manual.


Only personnel who have been specifically trained and authorized shall perform the procedures detailed in this manual.

Related Documents

GIS Design Documents

Operational Concepts

Reference Documents

Many of the components of the GIS are covered by the manufacturers' user manuals.

Safety Symbols

Standardized safety alerts are used to denote procedures or activities that are potentially hazardous.

NOTICE: Indicates information considered important, but not hazard related (e.g. messages relating to property damage).

Glossary

See SPEC-0012 for terms and abbreviations not listed below.

Fault: abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.[1]

Trip: a reaction to an interlock that puts the system in a safe state.

Mute: temporarily ignore an interlock condition.

Override:

Validation: checking to make sure the function works in the event of a failure.

Verification: checking to make sure the function works as intended.

Force: a method in the RSLogix environment to change an I/O point to a certain value regardless of logic.

Human Machine Interface (HMI)

Terms used on the HMI

It is necessary to define terms that are used with the operator interface.

Indication        Meaning
TRIP or TRIPPED   An interlock has been activated.
FAULT             A hardware malfunction has been detected.
ERROR             Communications have been lost; status is unknown.
INVALID           The system appears to be in a state it should never be in.
OK                Everything is operating normally; no interlock has been activated.

Levels of authorization

Level       Access
Viewer      Read-only access to status screens
Operator    Read/write access to status screens
Engineer    Read/write access to status and engineering screens
Developer   Read/write access to all screens

2.1.3 Sample Screens

The representative basic operator troubleshooting screen is Figure 1. This screen shows that an emergency stop has been activated and has tripped the system. The system cannot be reset at this time as the interlock is still active.

Figure 1 HMI showing interlock tripped

If more information is required, such as the location of the emergency stop device that has been activated, further troubleshooting screens trace the fault further back. Figure 2 shows that the emergency stop push button located at the Left Nasmyth Platform has been activated.

Figure 2 HMI Emergency Stop Screen

After the emergency stop push button has been deactivated, the interlock condition has been removed. A reset is now required to restart the system. Figure 3 shows that the interlock has been latched, the interlock is no longer active and that the GIS is now ready to be reset.

Figure 3 HMI showing reset required

Figure 4 shows the system has been restored to its normal operating condition.

Figure 4 HMI showing normal operation

Telescope Interlock Manager (TIM)

Main Screen

The main screen allows the selection of system information, subsystem information or alarm history. There is also a button for shutting down the HMI, for example to reload or reset the HMI itself.

Global Interlock Controller Screen

The Global Interlock Controller screen provides an overview of the GIC status and subsystem status. The information provided for each controller is the current program name, status of controller communications with HMI, the controller status itself, keyswitch mode, safety status, safety signature, and CIP synchronization status.

2.1.4.2.1 Program Name

2.1.4.2.2 Controller Communications

This represents whether the device is present on the network as detected by the HMI. If the device is not present, ensure that power is on to the controller and the network is connected.

2.1.4.2.3 Controller Status

OK: The controller has detected no faults.

2.1.4.2.4 Keyswitch mode

RUN: The keyswitch is in the run position. The PLC will run normally but cannot be programmed or changed remotely.

PROG: The keyswitch is in the program position. The PLC is not running.

REM RUN: The keyswitch is in the remote position and the PLC is in run mode.

REM PROG: The keyswitch is in the remote position and the PLC is in program mode. The PLC is not running. Connect using RSLogix 5000 and change the mode to Run.

2.2 Observatory Control System

The observatory control system has access to the status of the various interlocks employed by the GIS. It is intended to allow the operator to determine which interlock has tripped and is preventing the operation of the facility. It is not intended to replicate all information available at the GIS HMI or via a development computer on the safety network. The HMI can provide detailed troubleshooting information in the event of a fault.

2.3 Control Room Stack Light

Figure 5 Control Room Stack Light

A wall-mounted signal light is located in the control room. The signal lights are designed to communicate the status of various conditions within the safety system. It consists of five colored lamps (red, amber, green, blue, clear). It also contains a piezo sounder (70 to 90 dBA).

Multiple lamps could be lit depending on the condition of the safety system. The meanings of the lamps are listed in Table 2-1.

Table 2-1 Functions Indicated by Stack Lights

Color          Function        Steady On                 Flashing
Red            Critical Event  Emergency stop;           Stopping in progress
                               Controller fault
Amber          Warning         Hazardous Zone accessed   Safety muting;
                                                         Manual bypass;
                                                         I/O forced
Green          Safety          Safe state achieved
Blue           Attention       Maintenance required      Reset required
Clear (white)  Operational     Normal operations         Speed limited



Overview

Emergency Stop System

Trapped Key System

WARNING

Trapped keys are not a substitute for lock out/tag out.

Failure to follow lock out/tag out procedures can result in death or serious injury.

Refer to /wiki/spaces/DSEH/pages/2139226261.

Trapped keys prevent unauthorized entry into hazardous areas and prevent unexpected start-up of equipment when persons are in hazardous areas.

Only one key exists for each device. This is by design and essential to maintaining a safe system. Trapped keys must never leave the facility.

Human Machine Interface (HMI)

Procedures

Cold Start up

When power is first applied or re-applied to the system, it will likely generate a large number of faults. This is mainly because the Ethernet switches of the safety system take substantially longer to boot than the PLCs themselves.

If the safety system was working properly prior to the loss of power and the reason for the loss of power is understood, the quickest way to restore the safety system to normal operations is to cycle power to the individual LICs, or to perform a RUN-PROG-RUN reset by turning the keyswitch from ‘run’ to ‘program’ and back to ‘run’. (This can also be done remotely if the keyswitch is in the ‘remote’ mode.)

Note

An inspection of all hazardous areas shall be conducted prior to resuming operations.

Functional test of Guard Locking Switch

If a guard locking switch has tripped, both the fault must be cleared AND a functional test of the guard lock must be performed.

Info

A guard lock switch can become faulted if someone attempts to force open a locked door or uses the emergency escape release mechanism.

  1. Ensure door is closed.

  2. Reset GIS.

  3. Verify that no fault is present. Diagnostic code will remain.

  4. Lock door (if necessary).

  5. Unlock door.

  6. Open door.

  7. Close door.

  8. Verify that no fault is present and there are no diagnostic codes.

  9. Lock door (if necessary).

Normal Operations

WARNING

Failure to follow the procedures detailed in this section can result in death or serious injury.

Only authorized persons may perform the procedures detailed in this section.

During normal operations, the GIS does not require any operator interaction. Operator intervention is required only when the GIS enters a tripped or faulted state.

Logging

The GIS logs various events for troubleshooting purposes. Events to be logged include trips and faults in the system. The logs are timestamped in UTC, synchronized to the observatory-wide TRADS system. The logs are kept on a FactoryTalk Historian module located in the GIC rack. This module can be remotely accessed. The HMI also stores a number of alarms.

Resetting a Tripped Interlock

In most cases, trips of the GIS can be reset by using the HMI (Human Machine Interface) to access password-protected screens. Certain trips may be more serious than others and may require higher authorization before proceeding.

Procedures require that the reason for all trips be investigated and understood before proceeding with a reset. The reset does not cause hazardous motion to resume; rather it allows the subsystem that tripped to be restarted.

Hazardous Area Access

Hazardous areas may be entered for various routine reasons. Personnel doing so must ensure that all personnel have left the hazardous area before securing it.

Hazardous areas may also be entered during an emergency. For example, the doors leading to the external ladders may be used to evacuate the building. By their very nature they cannot be locked with a trapped key, or they must be equipped with an override device.

These two types of tripped interlocks are very different. Normal access using a trapped key may be reset by personnel returning the trapped key in the proper sequence. In the second non-routine case, it would be necessary to inspect the hazardous area and ensure no personnel or other hazards are present prior to attempting to reset this type of tripped interlock.

Muting an Interlock

WARNING

Muting an interlock can create a hazardous situation that, if not avoided, can result in death or serious injury.

Alternative means must be taken to ensure the safety of persons.

Failure to perform a Job Hazard Analysis or follow proper procedures can result in death or serious injury.

Certain operations may be required and interlocks may need to be bypassed to allow emergency operations, such as freeing personnel entrapped in a pinch/crush hazard.

WARNING

Bypassing an interlock can create a hazardous situation that, if not avoided, can result in death or serious injury.

Alternative means must be taken to ensure the safety of persons.


The hazardous area access guard locking switches are designed to require power to unlock them. In the event of a power failure, all guards will lock in place. If personnel are in the hazardous area they may exit by using the emergency release mechanism installed on the inside of each door, or by using a monitored-only exit door.

If no personnel are inside the hazardous area but entry is required, then entry must be gained through a monitored-only exit door. This requires a building key. Once inside, the guard-locked door may be unlocked using the emergency release mechanism.


No special tools are needed to install, service, maintain, or operate the GIS.

Emergency Replacement of a Failed Trapped Key

In the event of a trapped key being broken or the barrel failing, there are two emergency replacement kits available. Each kit consists of a single key and two replacement barrels.

Replacing a Failed Component

Because of the various security measures in place to prevent changes to the system, specific steps must be taken prior to replacing a failed component. The replacement module will have to be configured off-line with the IP address and Safety Network Number prior to installation. The firmware revision level will be set to the same revision level as the failed component.

An example of validation when adding an emergency stop switch would be shorting each of the two inputs to ground, shorting both inputs together, shorting both inputs to 24 VDC, and checking that all systems fault to a safe state.
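As an added illustration (not code from the GIS project or its component vendor), the following Python model of a dual-channel emergency stop input runs the validation checks just described and reports the diagnostic each fault produces; the test-pulse patterns, channel names and diagnostic labels are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Constructed test-pulse patterns (an assumption of this model): each source
# drops low in its own slot, and both drop low in the last slot so that a
# cross short between channels reads differently from a short to +24 VDC.
PULSE = {"A": (1, 0, 1, 1, 0), "B": (1, 1, 0, 1, 0)}

@dataclass
class EstopCircuit:
    pressed: bool = False                              # button actuated
    short_to_ground: set = field(default_factory=set)  # channels tied to 0 V
    short_to_24v: set = field(default_factory=set)     # channels tied to +24 VDC
    cross_short: bool = False                          # A and B tied together

    def read(self, ch: str, slot: int) -> int:
        # Level seen at input terminal `ch` during time `slot`.
        if ch in self.short_to_ground:
            return 0
        if ch in self.short_to_24v:
            return 1
        if self.pressed:                 # open contact: no source reaches input
            return 0
        sources = {"A", "B"} if self.cross_short else {ch}
        return max(PULSE[s][slot] for s in sources)

def evaluate(circuit: EstopCircuit) -> dict:
    """Classify each channel by its observed pattern; RUN only if both are OK."""
    diag = {}
    for ch in ("A", "B"):
        seen = tuple(circuit.read(ch, t) for t in range(len(PULSE[ch])))
        if seen == PULSE[ch]:
            diag[ch] = "OK"
        elif not any(seen):
            diag[ch] = "OPEN"            # button pressed or short to ground
        elif all(seen):
            diag[ch] = "SHORT_24V"       # own pulse gap never observed
        else:
            diag[ch] = "CROSS_SHORT"     # other channel's pulses leaking in
    state = "RUN" if all(d == "OK" for d in diag.values()) else "SAFE"
    return {"state": state, **diag}

def validation_sequence() -> dict:
    """The checks from the manual's validation example, injected one at a time."""
    cases = {
        "normal": EstopCircuit(),
        "button pressed": EstopCircuit(pressed=True),
        "A to ground": EstopCircuit(short_to_ground={"A"}),
        "A and B together": EstopCircuit(cross_short=True),
        "both to 24VDC": EstopCircuit(short_to_24v={"A", "B"}),
    }
    return {name: evaluate(c) for name, c in cases.items()}
```

Every injected fault must leave the model in the SAFE state; only the healthy, unpressed circuit returns RUN.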

9 Reference

[1] IEC 61508-4 3.6.1
