Preface
The design of the Global Interlock System (GIS) presents a challenge in that it proceeds in parallel with (and in some cases ahead of) the designs of the systems it is meant to safeguard. Without completed designs and hazard analyses, the safety functions that the GIS is to implement cannot be completely defined.
The design of the Global Interlock System has been separated into two main portions. There is the hardware design, the GIS Architecture, which is the subject of SPEC-0112. The second portion is the software design, the GIS Functional Description, which is handled in this document.
The reason for this separation is that the hardware design has been developed and is well understood, whereas the GIS Functional Design requires the completion of subsystem designs, hazard analyses, and risk assessments.
So that development and construction of the GIS Architecture are not delayed, the two portions have been separated.
The hardware architecture has been designed with the premise of flexibility, expandability, and programmability as basic considerations. This lends itself well to being adaptable to any safety function that may need to be implemented.
Introduction
Purpose
This document provides the basis of design for the architecture of the DKIST Global Interlock System (GIS). The design of the GIS is provided in two main sections: the architecture, which describes the hardware and interfaces of the system; and the functional design, which covers the design and implementation of the safety-related control functions.
The diagrams and descriptions of safety function presented below are meant to convey the general flow of the safety function and the interactions between the various subsystems. They are not intended to cover the implementation details. For example, almost all safety inputs and outputs are redundant and usually employ negative logic, meaning that for a single item such as “Door 501A locked” there are two signals that indicate the door is not closed plus two more signals that indicate the solenoid controlling the door is not unlocked. Including this level of detail would add complexity and not aid in understanding how the various safety functions control safety.
Scope
This document, GIS Functional Design, is intended to cover safety-related control functions (SRCFs) that are handled by the GIS. Some safety-related control functions are handled by individual subsystems. Which SRCFs the GIS covers is decided by hazard analysis: generally, only those SRCFs that require SIL 3 mitigation, that require mitigation above the SIL rating of the subsystem controller, or that span multiple subsystems are GIS safety functions.
Related and Reference Documents
The following documents form a part of this Specification. Any other documents referenced in any of these documents also form a part of the Specification.
Related Documents
DKIST Specification Documents
The following documents contain information applicable to the design of the DKIST Global Interlock System.
SPEC-0046, Global Interlock System Design Specification
SPEC-0061, DKIST Hazard Analysis Plan
SPEC-0112, Global Interlock System Architecture Description
SPEC-0141, Global Interlock System Operational Concepts Description
DKIST Interface Control Documents
The Global Interlock System shall meet the requirements of the following interface control documents:
SPEC-0063, Interconnects and Services
ICD 1.1-4.5 , Telescope Mount Assembly to Global Interlock System
ICD 1.2-4.5 , M1 Assembly to Global Interlock System
ICD 1.3-4.5 , TEOA to Global Interlock System
ICD 1.5-4.5 , Feed Optics to Global Interlock System
ICD 2.1-4.5 , Wave Front Control-Coudé to Global Interlock System
ICD 3.0-4.5, Instruments to Global Interlock System
ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System
ICD 3.1.2-4.5, Time Reference and Distribution to Global Interlock System
ICD 3.1.3-4.5, Coudé Station to Global Interlock System
ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System
ICD 3.3-4.5, Visible Spectropolarimeter to Global Interlock System
ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System
ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System
ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System
ICD 3.6-4.5, Camera Systems to Global Interlock System
ICD 4.2-4.5 , Observatory Control System to Global Interlock System
ICD 4.5-5.0 , Global Interlock System to Enclosure
ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings
ICD 4.5-6.7 , Global Interlock System to Facility Thermal Systems
DKIST Reference Design Studies and Analyses
TN-0055, Global Interlock System Design
DKIST Drawings
DKIST-DWG-00065, Global Interlock System Configuration
Reference Documents
DKIST Documents
PMCS-0023, Requirements Definition
SPEC-0002, Document and Drawing Control Plan
SPEC-0012, DKIST Acronym List and Glossary
National Consensus Standards
ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements
NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition
International Standards
ISO 13849, Safety of Machinery—Safety-related parts of control systems
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems
Industry Standards
ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard
Glossary
See SPEC-0012, DKIST Acronym List and Glossary, for terms not listed below.
GIC | Global Interlock Controller |
LIC | Local Interlock Controller |
PAC | Programmable Automation Controller |
PLC | Programmable Logic Controller |
SIL | Safety Integrity Level |
TÜV | Technischer Überwachungsverein (German; English: Technical Inspection Association). An internationally accepted independent testing and certification organization. |
Control Software
The GuardLogix controller is programmed with RSLogix 5000 version 20. Use of major version 20 (or higher) is required to accommodate unicast messaging, Windows 7, and L7 series ControlLogix controllers. All hardware must be compatible with version 20. (See http://support.rockwellautomation.com/ControlFlash/ for firmware requirements.)
The specific version is currently 20.04. Version 20.03 is incompatible with earlier minor revisions due to a change to enhance security. Version 20.04 does not have this restriction. All programs written in 20.01 or 20.03 have been converted to 20.04 during IT&C. The process of upgrading firmware is generally automatic.
The GuardLogix controller runs both a standard task and a safety task. All functions of the GIS are implemented in the safety task. If the controller is also used for subsystem control, all subsystem control functions shall be implemented in the standard task.
Application Code
Application code routines are developed in relay ladder logic, as it is the best choice for machine interlocking that requires complex logical operations and few high-level functions.
The safety task uses a subset of the standard ladder logic instruction set: the safety-certified standard instructions plus application instructions that are also safety-certified. Only safety-certified instructions are to be used in the safety task. This does not preclude add-on instructions built from safety-certified instructions, but such an instruction requires specific review and validation (per IEC 61508) before being used.
Section 4 lists the safety control requirements that will be implemented by the GIS. Each safety function is a separate program within the safety task running on the GuardLogix controller.
Revision Control
To aid in tracking and controlling the various revisions of the application code, the Project Vault (SolidWorks Enterprise PDM) shall be used. Because the code is developed in a single-developer environment, a more advanced and robust solution is not necessary and would add complexity with little value. Also, the ladder logic is stored in a proprietary binary format that does not lend itself well to standard version control software.
The Project Vault allows for the control of changes and edits in a single user environment as well as the ability to roll back changes if needed. It is centrally located and can be accessed remotely as needed.
The Project Vault shall be used continuously from development into operations.
Ladder Logic Example
Inputs from each LIC are consumed and evaluated, and outputs are produced to other LICs as necessary.
Figure 2‑1 shows a short example of the ladder logic of the safety task that would be used with a typical emergency stop circuit. The program uses application instructions that not only monitor the condition of the emergency stop switch but also compare its two channels for consistency and monitor the status of the remote I/O module to detect a hardware failure. In the event of a hardware failure, the system defaults to a safe state.
Figure 2‑1
The program combines inputs from local emergency stop switches with a tag received from the GIC that indicates the status of the Emergency Stop System. If both are in the active safe state, two outputs are asserted: one energizes the drive's power contactor and the other enables the drive's pulse output.
When an emergency stop switch is pushed (or a hardware fault is detected), the two outputs are removed in sequence. First the pulse-enable output is removed, suppressing the drive's pulses; 200 ms later (configurable) the power contactor is de-energized, removing all hazardous energy. Each output has a feedback signal; if either feedback does not confirm that the drive was properly shut down, a fault is detected that can warn personnel that a potential hazard still exists.
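The rung described above, as an added example written in Python rather than ladder logic. This is a software model for illustration, not the GIS safety-task code and not a certified safety instruction: it consumes the two E-stop channels, the remote I/O module status and the GIC tag, drops the two outputs in sequence with the 200 ms delay from the text, and checks the feedback from each output. The 500 ms channel-discrepancy time, the 250 ms feedback timeout, and the requirement for an explicit reset before the outputs are re-asserted are assumptions of the example.

```python
"""Software model of the dual-channel E-stop rung: added example, not the GIS ladder code."""
from dataclasses import dataclass
from typing import Optional, Tuple

PULSE_TO_CONTACTOR_DELAY_MS = 200  # delay from pulse suppression to contactor drop (page: 200 ms, configurable)
DISCREPANCY_MS = 500               # assumed: how long the two channels may disagree before a fault latches
FEEDBACK_TIMEOUT_MS = 250          # assumed: how long feedback may lag an output that has been removed


@dataclass(frozen=True)
class EstopInputs:
    """Inputs consumed on one scan. Contacts use negative logic: True = circuit closed (not pressed)."""
    ch_a_closed: bool
    ch_b_closed: bool
    io_module_ok: bool               # remote I/O module connected and self-diagnostics healthy
    gic_estop_ok: bool               # tag from the GIC: Emergency Stop System in its active safe state
    pulse_feedback_on: bool          # drive reports its pulse output enabled
    contactor_feedback_closed: bool  # auxiliary contact of the drive power contactor
    reset_request: bool = False      # operator reset push button


class EstopCircuit:
    def __init__(self) -> None:
        self.pulse_enable = False        # output 1: enable the drive's pulse output
        self.contactor_energize = False  # output 2: energize the drive power contactor
        self.fault: Optional[str] = None
        self._trip_ms: Optional[int] = None
        self._pulse_off_ms: Optional[int] = None
        self._contactor_off_ms: Optional[int] = None
        self._discrepancy_since: Optional[int] = None
        self._last_reset = False

    def scan(self, i: EstopInputs, now_ms: int) -> Tuple[bool, bool]:
        """One controller scan; returns (pulse_enable, contactor_energize)."""
        # 1. Channel consistency: a disagreement that outlasts DISCREPANCY_MS is a wiring/contact fault.
        if i.ch_a_closed != i.ch_b_closed:
            if self._discrepancy_since is None:
                self._discrepancy_since = now_ms
            elif now_ms - self._discrepancy_since >= DISCREPANCY_MS and self.fault is None:
                self.fault = "e-stop channel discrepancy"
        else:
            self._discrepancy_since = None

        inputs_healthy = i.ch_a_closed and i.ch_b_closed and i.io_module_ok and i.gic_estop_ok
        reset_edge = i.reset_request and not self._last_reset
        self._last_reset = i.reset_request

        # 2. A latched fault may only be acknowledged once everything is provably de-energized.
        if reset_edge and self.fault is not None:
            if inputs_healthy and not i.pulse_feedback_on and not i.contactor_feedback_closed:
                self.fault = None
            reset_edge = False  # an acknowledgement never doubles as a restart

        # 3. Any open channel, module fault, GIC trip or latched fault is a stop demand.
        if not inputs_healthy or self.fault is not None:
            self._drop_outputs(now_ms)
        elif reset_edge and not self.pulse_enable:
            # Manual reset only: inputs returning to healthy never restart the drive by themselves.
            self.pulse_enable = self.contactor_energize = True
            self._trip_ms = self._pulse_off_ms = self._contactor_off_ms = None

        # 4. Feedback monitoring: an output was removed but the drive still reports it energized.
        if self.fault is None:
            if (not self.pulse_enable and self._pulse_off_ms is not None and i.pulse_feedback_on
                    and now_ms - self._pulse_off_ms > FEEDBACK_TIMEOUT_MS):
                self.fault = "drive pulse output still enabled after stop"
            elif (not self.contactor_energize and self._contactor_off_ms is not None
                    and i.contactor_feedback_closed and now_ms - self._contactor_off_ms > FEEDBACK_TIMEOUT_MS):
                self.fault = "drive power contactor did not open"
        return self.pulse_enable, self.contactor_energize

    def _drop_outputs(self, now_ms: int) -> None:
        """Sequenced stop: suppress pulses first, remove contactor power 200 ms later."""
        if self._trip_ms is None:
            self._trip_ms = now_ms
        if self.pulse_enable:
            self.pulse_enable = False
            self._pulse_off_ms = now_ms
        if self.contactor_energize and now_ms - self._trip_ms >= PULSE_TO_CONTACTOR_DELAY_MS:
            self.contactor_energize = False
            self._contactor_off_ms = now_ms


if __name__ == "__main__":
    c = EstopCircuit()
    healthy = dict(ch_a_closed=True, ch_b_closed=True, io_module_ok=True, gic_estop_ok=True,
                   pulse_feedback_on=False, contactor_feedback_closed=False)
    print(c.scan(EstopInputs(**healthy, reset_request=True), 0))  # (True, True)
    pressed = dict(healthy, ch_a_closed=False, ch_b_closed=False,
                   pulse_feedback_on=True, contactor_feedback_closed=True)
    print(c.scan(EstopInputs(**pressed), 100), c.scan(EstopInputs(**pressed), 300))  # (False, True) (False, False)
```

The model is scan-based, like the controller: every decision is recomputed from the inputs of the current scan plus a few latched timestamps, and every path that is not positively healthy ends with the outputs off. The feedback check is what turns a welded contactor or a drive that ignores pulse suppression into a visible fault instead of a silent loss of the safety function.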
GIS Operation
Status Monitoring and Fault Handling
In addition to the various safety functions implemented by the GIS, the GIS must also recognize and react to any fault that is detected.
The distributed I/O modules perform self-diagnostics on power-up and periodically during operation. In addition these modules also monitor I/O circuit health.
Embedded Control Operation
Each LIC is the safety controller for one or more subsystems. The application program for each LIC functions as an independent system. The safety controller is capable of startup and control of its safety functions regardless of connectivity to the GIC or other outside service.
Change of Network Status
Failure of the network does not result in a loss of safety function. Failure of the network which causes loss of communications with distributed I/O or a remote controller causes each such component of the GIS that relies on such communications to default to a safe state.
Restoration of the network does not automatically restore operation of the GIS; operator intervention is required.
Operation following a rebooting or restarting
Rebooting or restarting causes the portion of the GIS that was rebooted or restarted to enter a safe state. Rebooting or restarting does not result in a loss of safety function.
Modes of operation
Automatic
Automatic operation is control handled by a computer interface in the control room (or other authorized location). Typically this is control by the Observatory Control System (OCS). Normal operations of the facility by the OCS are considered “automatic.”
Manual
Manual operation is controlled via a local hand-held device, such as a pendant, or via a remote push-button panel or remote HMI. Typically the operator has the equipment being controlled in sight.
Safety-Related Control Functions
This section lists and summarizes the current list of planned safety functions.
Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment under control. After a hazard has been identified that is to be mitigated by functional safety, the specification for each safety-related control function will be developed. Each SRCF comprises the functional requirements and the safety integrity requirements.
The functional requirements detail the description of the SRCF, the conditions in which the SRCF shall be active or disabled, the required responses to trips and faults, the timing and priority of responses of the SRCF.
The safety integrity requirement details the necessary risk reduction for each SRCF.
It is imperative that the subsystem’s hazard analysis be detailed, thorough, and complete. These hazard analyses are used to develop the various safety functions. If a hazard analysis does not identify a hazard, that hazard will not be safeguarded, presenting a serious potential risk to personnel and infrastructure.
It is foreseen that this list will need to be expanded and altered as additional hazards are identified during design, construction, integration, and testing. Additional hazards will require additional safety functions to be developed and will likely result in added hardware to detect the hazard and/or implement the safeguard.
Example of Development of Safety-Related Control Functions
To see how the various Safety-Related Control Functions have been developed, we will follow the development of the functions related to the sun sensor.
Early in the project it was recognized that the concentrated sunlight near the focus could provide a thermal hazard to personnel and equipment. The Hazard Analysis Team then met to analyze the hazards created.
The first step was to define the extent of the hazard. Because of the fast focus of the telescope design, the concentrated sunlight is confined to a relatively small region near the prime focus. For example, the rapidly diverging beam spreads its energy over a fairly large area by the time it reaches the interior walls of the enclosure; while potentially a problem for the thermal effects on seeing, it does not represent a safety hazard.
The hazard to personnel is relatively easy to mitigate as it would require personnel to be near the prime focus which is inherently difficult in normal operations.
The hazard is mostly to the equipment itself. By its very nature the heat stop is designed to withstand this energy (given normal operation of the heat stop; failure of the heat stop thermal control has its own safety functions). This leaves damage to equipment near the heat stop: there are various cables and pipes in this area that could be damaged or destroyed by sufficiently concentrated energy.
The solution was to design and implement a sun sensor that determines whether the sun is within 1.5 solar radii (R☉) of on-axis pointing. If the sun is within 1.5 R☉, the excess energy is absorbed by the heat stop as designed (see 4.4.3 On-Sun Pointing).
However, it was clarified that the telescope also needed to be able to view objects at elongations of greater than 1.5 R☉. This leaves a complex problem of understanding where excess energy may focus depending on the relative angles of the sun, telescope, and entrance aperture, something that does not lend itself well to robust safety function.
The decision was made to restrict off-sun observations to elongations greater than 25°, as the geometry is such that no sunlight should strike the primary mirror when the Sun is more than 25° from the telescope's line of sight.
Pointing is also considered safe when the Sun is below the horizon.
The last two items revealed the need for an additional safety function (see 4.4.2 Off Sun Pointing) that calculates the Sun's position and determines whether the Sun is in a safe position relative to the telescope.
Requirements for Safety Functions
Stop Functions
The categories of stop functions are defined in NFPA 79.
Category 0
Category 0 is an uncontrolled stop achieved by immediately removing power from the machine actuators.
This is essentially pulling the plug. Stopping distance/time is determined by inertia, friction, and mechanical braking (if present).
Category 1
Category 1 is a controlled stop with power to the machine actuators available to achieve the stop, after which power is removed.
This is a more graceful stop, powered deceleration under control, followed by pulling the plug. Stopping distance/time is determined by control system parameters for deceleration.
Category 2
Category 2 is a controlled stop with power left available to the machine actuators.
This is controlled stop without removal of power. Essentially this commands velocity to zero and leaves the actuators powered. Category 2 is not used by the GIS.
The choice of Category 0 or Category 1 is based on a hazard analysis.
Control Reliability
To ensure control reliability, the hardware needed by each safety function shall have a fault tolerance of at least 1 (i.e. loss of any single component shall not cause the loss of the safety function). Secondly, diagnostics shall be included to detect a failure of any component that could cause a loss of a safety function at or before the next demand on that component.
Response Time
Each safety function must have a response time of less than 200 milliseconds, measured from the time an input changes until the output changes to a safe state. The safety function must either respond to an input change or default to the safe state within that time. The safety function need not complete its action by then, but it must have initiated the change to the safe state.
The safety function must complete any action required to reach a safe state before any hazard can cause damage.
For example, the M1 Mirror Cover must begin closing within 200 milliseconds of an over-temperature fault but may take as long as 15 seconds to close completely. The upper limit is set by how long the heat stop safety shutter can withstand the beam without damage.
Safe State
The safe state of the system is defined as:
Telescope Azimuth motion stopped, drives disabled and brakes applied
Telescope Azimuth Cable Wrap motion stopped and drives disabled
Telescope Altitude motion stopped, drives disabled and brakes applied
Coudé Rotator motion stopped, drives disabled and brakes applied
Enclosure Azimuth motion stopped, drives disabled and brakes applied
Enclosure Azimuth Cable Wrap motion stopped, drives disabled
Enclosure Altitude motion stopped, drives disabled and brakes applied
Aperture Cover closed, motion stopped, and drives disabled
M1 Mirror Cover closed, motion stopped and drives disabled
Heat Stop Safety Shutter closed
Enclosure Jib Crane motion stopped, drives disabled and brakes applied
Enclosure Bridge Crane motion stopped, drives disabled, and brakes applied
GOS PA&C hazardous motion stopped, drives disabled and brakes applied
VBI-Blue hazardous motion stopped, drives disabled and brakes applied
VBI-Red hazardous motion stopped, drives disabled and brakes applied
VISP hazardous motion stopped, drives disabled and brakes applied.
Global Safety Functions
There are several safety functions that span multiple systems. These safety functions are controlled by the Global Interlock Controller and are referred to as Global Safety Functions.
Emergency Stop Safety Function
Safety Function | Emergency Stop |
Hazard | avert potential hazards or reduce existing hazards that may arise from malfunctioning of the facility, human error or normal operation |
Triggering Event | human-operated control device |
Priority | Emergency Stop shall take priority over all other control functions. |
Modes | always active |
Reaction | Halt all hazardous motion; block light path |
Safe State | Telescope Azimuth motion stopped; Telescope Altitude motion stopped; Coudé Rotator motion stopped; Enclosure Azimuth motion stopped; Enclosure Shutter closed; M1 Mirror Cover closed; Enclosure Jib Crane motion stopped; Enclosure Bridge Crane motion stopped; GOS PA&C motion stopped; VBI-Blue motion stopped; VBI-Red motion stopped; VISP motion stopped |
Required Integrity | PLc SIL2 |
All subsystems’ emergency stop devices are combined in logic at the GIC, so that activating any emergency stop device shall cause all GIS-connected subsystems to go to their safe state. In most cases they perform an immediate stop (category 0 or 1 stop as determined by subsystem analysis). The exception is that M1 Mirror Cover and Enclosure Entrance Aperture close (their safe state) in a predetermined sequence.
Hazardous Access
Because of the many large moving elements of the facility there exist numerous hazards associated with personnel exposed to these mechanisms. In order to limit exposure a trapped key plan will be implemented to inhibit access to hazardous areas during motion. See SPEC-0133 Hazardous Zones Fully Automated Control Access for details.
Because of the design of the GIS being distributed, the safety functions that implement hazardous access control bridge the GIC and LICs. The Facility LIC typically handles the input from the trapped keys and controls the locking of various doors and access points. The GIC controls the various permissive signals to individual LICs to inhibit hazardous motion.
Specific procedures must be followed when securing hazardous zones to ensure no personnel remain in the hazardous zone when the system is restarted. This is especially important in cases when the system has detected an entry through a locked/monitored door.
Ground Floor Inner Pier
The moving cable wrap presents a hazard. Access via door 110A is limited, requiring a trapped key that disables the Coudé Rotator.
Coudé Inner Pier
The moving cable wrap and other mechanisms present a hazard. Access via doors 209A and 210A is limited, requiring a trapped key that disables the Coudé Rotator. Furthermore, access via doors and hatches is monitored from the area under the Coudé Lab floor.
Coudé Lab
The moving floor of the Coudé Lab could present a hazard because of non-rotating equipment on the periphery of the room. Therefore when the Coudé Lab is accessed by personnel the speed of rotation of the Coudé Lab is limited to 1.75°/sec.
External Catwalk
The moving Enclosure Azimuth presents hazards. Access to the external enclosure catwalks and ladders is limited requiring a trapped key that disables Enclosure Rotation.
Lifting Platform
The moving Enclosure Azimuth presents hazards. Access to the external enclosure catwalks and ladders is limited requiring a trapped key that disables Enclosure Rotation
Enclosure Cable Wrap
The moving cable wrap present a hazard. Access floor hatches are limited requiring a trapped key that disables the Enclosure Azimuth.
Upper Enclosure Platforms
Access to the Upper Enclosure Platform is restricted by gates requiring a trapped key that disables Enclosure Azimuth and Aperture motion.
Enclosure Floor
The moving floor of the Enclosure could present a hazard because of non-rotating equipment on the periphery of the area. Therefore when the Enclosure Floor is accessed by personnel the speed of rotation of the Enclosure Azimuth is limited to 1.5°/sec.
Telescope Cable Wrap
The moving cable wrap and other mechanisms present a hazard. Access via doors 501A and 502A is limited, requiring a trapped key that disables Telescope Azimuth rotation.
Telescope Access
The moving telescope, cable wraps and other mechanisms present a hazard. Access to the telescope mount is limited by gates requiring a trapped key that disables Telescope Azimuth and Altitude motion.
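The GIC-side permissive logic described in this section, as an added example in Python (a model for illustration, not the GIS ladder code). The zone-to-axis inhibits and the two reduced-speed limits are taken from the zone descriptions above; door names 110A, 209A, 210A, 501A and 502A are the page's, the other door, gate and hatch names are placeholders. The latching of an entry detected through a locked/monitored door until the zone is explicitly cleared with every door shut is an assumed design, included because the section requires that no personnel remain in a zone when the system is restarted.

```python
"""Added example: model of the GIC hazardous-access permissives (not the GIS ladder code)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Optional, Set


class Axis(Enum):
    TEL_AZ = auto()
    TEL_ALT = auto()
    COUDE_ROT = auto()
    ENC_AZ = auto()
    ENC_APERTURE = auto()


@dataclass(frozen=True)
class Zone:
    doors: FrozenSet[str]                      # monitored doors, hatches or gates into the zone
    inhibits: FrozenSet[Axis]                  # axes de-powered while the zone's trapped key is out
    speed_limit_deg_s: Optional[float] = None  # zones that limit speed instead of inhibiting
    speed_limited_axis: Optional[Axis] = None


def _zone(doors, inhibits=(), limit=None, axis=None) -> Zone:
    return Zone(frozenset(doors), frozenset(inhibits), limit, axis)


# Consequences per zone as listed in section 4.3. Door names 110A, 209A, 210A, 501A and 502A
# are the page's; the other door/gate/hatch names are placeholders.
ZONES: Dict[str, Zone] = {
    "ground_floor_inner_pier": _zone({"110A"}, {Axis.COUDE_ROT}),
    "coude_inner_pier": _zone({"209A", "210A"}, {Axis.COUDE_ROT}),
    "coude_lab": _zone({"coude_lab_door"}, limit=1.75, axis=Axis.COUDE_ROT),
    "external_catwalk": _zone({"catwalk_gate"}, {Axis.ENC_AZ}),
    "lifting_platform": _zone({"lifting_platform_gate"}, {Axis.ENC_AZ}),
    "enclosure_cable_wrap": _zone({"enclosure_wrap_hatch"}, {Axis.ENC_AZ}),
    "upper_enclosure_platforms": _zone({"upper_platform_gate"}, {Axis.ENC_AZ, Axis.ENC_APERTURE}),
    "enclosure_floor": _zone({"enclosure_floor_door"}, limit=1.5, axis=Axis.ENC_AZ),
    "telescope_cable_wrap": _zone({"501A", "502A"}, {Axis.TEL_AZ}),
    "telescope_access": _zone({"mount_gate"}, {Axis.TEL_AZ, Axis.TEL_ALT}),
}


@dataclass(frozen=True)
class Permissives:
    motion_enabled: Dict[Axis, bool]      # permissive sent to each LIC
    speed_limit_deg_s: Dict[Axis, float]  # reduced-speed limits in force
    intrusions: FrozenSet[str]            # zones with a latched entry detection


class HazardousAccessLogic:
    """GIC-side combinational logic fed by the Facility LIC's trapped-key and door status."""

    def __init__(self) -> None:
        self._intrusion: Set[str] = set()

    def evaluate(self, keys_removed: Set[str], doors_open: Set[str],
                 zones_cleared: Optional[Set[str]] = None) -> Permissives:
        cleared = zones_cleared or set()
        enabled = {axis: True for axis in Axis}
        limits: Dict[Axis, float] = {}
        for name, zone in ZONES.items():
            key_out = name in keys_removed
            door_open = bool(zone.doors & doors_open)
            # Assumed design: a door opened without its key released means someone entered a zone
            # the GIS still considers unoccupied. That latches until an explicit clearance is given
            # with every door shut, so the zone cannot be re-energized with someone inside.
            if door_open and not key_out:
                self._intrusion.add(name)
            elif name in cleared and not door_open:
                self._intrusion.discard(name)
            intruded = name in self._intrusion
            if not (key_out or intruded):
                continue
            for axis in zone.inhibits:
                enabled[axis] = False
            if zone.speed_limited_axis is not None:
                axis = zone.speed_limited_axis
                if intruded:  # unverified presence: full inhibit, not just reduced speed
                    enabled[axis] = False
                else:
                    limits[axis] = min(limits.get(axis, zone.speed_limit_deg_s), zone.speed_limit_deg_s)
        return Permissives(enabled, limits, frozenset(self._intrusion))


if __name__ == "__main__":
    logic = HazardousAccessLogic()
    print(logic.evaluate({"telescope_cable_wrap"}, {"501A"}).motion_enabled[Axis.TEL_AZ])  # False
    print(logic.evaluate(set(), {"110A"}).intrusions)  # frozenset({'ground_floor_inner_pier'})
```

The point of the latch is the restart case the section warns about: once a monitored door has opened without its key, releasing the trapped key or simply closing the door again must not be enough to re-enable the axis; an explicit clearance of the zone is required, and it is refused while any door into the zone is still open.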
Optical Support System LIC
The Optical Support System LIC is responsible for interlocks, limits, and emergency stop functions for the Top End Optical Assembly; M1 Active and Thermal Controller; and Feed Optics.
This LIC is also the connection point for emergency stop devices located at:
M2 assembly
OSS platform
Top End Optical Assembly
Heat Stop Over-Temperature
Heat stop temperatures above a predetermined level indicate a failure of the cooling system. The reaction of the GIS is to close the safety shutter, close the M1 mirror cover, and close the entrance aperture.
Safety Function | Heat Stop Over Temperature |
Hazard | Damage to Heatstop, possible resultant leak of coolant |
Triggering Event | Heat Stop temperature above TBD°C |
Priority | |
Modes | Always active |
Reaction | Close safety shutter, aperture cover, and M1 Cover |
Safe State | Safety Shutter, Aperture Cover, and M1 Cover closed |
Required Integrity | SIL 2 |
Because the Safety Shutter has limited survivability in the focused beam, the Aperture Cover and/or M1 Cover must also close to protect the Safety Shutter.
TEOA Removed
If the TEOA has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.
Safety Function | TEOA Removed |
Hazard | Unexpected motion due to imbalance of telescope |
Triggering Event | Removal of the TEOA |
Priority | Cannot be overridden |
Modes | All modes |
Reaction | Telescope altitude axis disabled |
Safe State | Manual pin in place |
Required Integrity | SIL 2 |
Heat Stop Removed
If the heat stop has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.
Safety Function | Heat Stop Removed |
Hazard | Unexpected motion due to imbalance of telescope |
Triggering Event | Removal of the heat stop |
Priority | Cannot be overridden |
Modes | All modes |
Reaction | Telescope altitude axis disabled |
Safe State | Manual pin in place |
Required Integrity | SIL 2 |
M1 Active Controller & Thermal Controller
To be determined
Off Sun Pointing
The design of the telescope is such that during normal operation most of the solar energy reflected from M1 is directed into the heat stop. There are dangers associated with the reflected solar energy near the prime focus, so it is necessary to restrict where this reflected energy may fall. The light path is blocked redundantly using the Aperture Cover and the M1 Cover; either is individually effective, but both are used to avoid a potential single point of failure.
When the Sun is below the horizon the telescope can obviously point safely at any location in the sky. Determining the Sun's position relative to the horizon requires only a relatively simple ephemeris calculation. This calculation relies on two different time sources (NTP and PTP), which are compared for agreement. If they agree and the Sun is below the horizon, the light path may be opened; if they disagree, the light path remains blocked.
Additionally, when the Sun is more than 25° away from where the telescope and/or enclosure is pointing, no sunlight reaches the primary mirror, thus there is no reflected solar radiation to be concerned with. In this case the light path may also be opened.
Safety Function | Off Sun |
Hazard | Concentrated solar radiation |
Triggering Event | Telescope pointing within 25° of the Sun while the Sun is above the horizon |
Priority | |
Modes | Automatic |
Reaction | Block the light path |
Safe State | Aperture Cover closed M1 Cover closed |
Required Integrity | SIL 2 |
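The Off Sun decision described above (and the reasoning of the worked example in section 4.1), as an added example in Python. This is illustration code, not the GIS implementation and not the DKIST ephemeris: the solar position uses the standard low-precision Astronomical Almanac approximation, which is adequate for "below the horizon" and "more than 25° away" but, as the next section notes, not for the 1.5 R☉ on-sun test. The 1 s NTP/PTP agreement tolerance and the site coordinates are assumptions; the decision is evaluated with both clocks and any disagreement or doubt leaves the light path blocked.

```python
"""Added example: fail-safe Off Sun permissive (a model, not the GIS ladder code)."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

MIN_ELONGATION_DEG = 25.0   # page: no sunlight reaches M1 when the Sun is more than 25° off the pointing
MAX_TIME_SKEW_S = 1.0       # assumed: NTP and PTP must agree this closely
SITE_LAT_DEG, SITE_LON_DEG = 20.71, -156.25   # assumed site coordinates (Haleakalā, rounded)


@dataclass(frozen=True)
class Horizon:
    az_deg: float   # azimuth from north through east
    alt_deg: float  # altitude above the horizon


def sun_position(t: datetime, lat_deg: float, lon_deg: float) -> Horizon:
    """Low-precision solar ephemeris (Astronomical Almanac approximation, no refraction).
    Good enough for 'below the horizon?' and 'more than 25° away?', not for the 1.5 R☉ test.
    `t` must be timezone-aware."""
    n = 2440587.5 + t.timestamp() / 86400.0 - 2451545.0        # days since J2000.0
    mean_lon = (280.460 + 0.9856474 * n) % 360.0
    g = math.radians((357.528 + 0.9856003 * n) % 360.0)       # mean anomaly
    lam = math.radians(mean_lon + 1.915 * math.sin(g) + 0.020 * math.sin(2 * g))
    eps = math.radians(23.439 - 0.0000004 * n)                # obliquity of the ecliptic
    ra = math.atan2(math.cos(eps) * math.sin(lam), math.cos(lam))
    dec = math.asin(math.sin(eps) * math.sin(lam))
    gmst_h = (18.697374558 + 24.06570982441908 * n) % 24.0    # Greenwich mean sidereal time
    ha = math.radians((gmst_h * 15.0 + lon_deg) % 360.0) - ra  # local hour angle
    lat = math.radians(lat_deg)
    alt = math.asin(math.sin(lat) * math.sin(dec) + math.cos(lat) * math.cos(dec) * math.cos(ha))
    az = math.atan2(-math.sin(ha), math.tan(dec) * math.cos(lat) - math.sin(lat) * math.cos(ha))
    return Horizon(math.degrees(az) % 360.0, math.degrees(alt))


def angular_separation_deg(a: Horizon, b: Horizon) -> float:
    """Great-circle angle between two horizon-coordinate directions."""
    a1, h1, a2, h2 = map(math.radians, (a.az_deg, a.alt_deg, b.az_deg, b.alt_deg))
    c = math.sin(h1) * math.sin(h2) + math.cos(h1) * math.cos(h2) * math.cos(a1 - a2)
    return math.degrees(math.acos(max(-1.0, min(1.0, c))))


def off_sun_permissive(t_ntp: datetime, t_ptp: datetime, telescope: Horizon,
                       lat_deg: float = SITE_LAT_DEG, lon_deg: float = SITE_LON_DEG) -> Tuple[bool, str]:
    """Return (light_path_may_open, reason). Every doubtful case resolves to False."""
    skew = abs((t_ntp - t_ptp).total_seconds())
    if skew > MAX_TIME_SKEW_S:
        return False, f"time sources disagree by {skew:.3f} s"
    reasons: List[str] = []
    # Evaluate with both clocks and require both to permit, so one wrong clock cannot open the path.
    for t in (t_ntp, t_ptp):
        sun = sun_position(t, lat_deg, lon_deg)
        if sun.alt_deg < 0.0:
            reasons.append(f"Sun below horizon ({sun.alt_deg:.1f}°)")
            continue
        sep = angular_separation_deg(telescope, sun)
        if sep > MIN_ELONGATION_DEG:
            reasons.append(f"elongation {sep:.1f}° exceeds {MIN_ELONGATION_DEG:.0f}°")
            continue
        return False, f"Sun above horizon and only {sep:.1f}° from the pointing"
    return True, "; ".join(reasons)


# Constructed sample instants for the assumed site: near local noon and near local midnight (UTC).
SAMPLE_NOON_UTC = datetime(2024, 6, 21, 22, 0, tzinfo=timezone.utc)
SAMPLE_MIDNIGHT_UTC = datetime(2024, 6, 21, 10, 0, tzinfo=timezone.utc)
SAMPLE_NOON_SKEWED_UTC = SAMPLE_NOON_UTC + timedelta(seconds=5)   # a second clock 5 s off

if __name__ == "__main__":
    sun = sun_position(SAMPLE_NOON_UTC, SITE_LAT_DEG, SITE_LON_DEG)
    for pointing in (sun, Horizon(sun.az_deg, sun.alt_deg - 30.0)):
        print(pointing, off_sun_permissive(SAMPLE_NOON_UTC, SAMPLE_NOON_UTC, pointing))
    print(off_sun_permissive(SAMPLE_NOON_UTC, SAMPLE_NOON_SKEWED_UTC, sun))
```

Two design points matter more than the ephemeris itself. The time comparison is the integrity check on the only input the function cannot measure directly: a single clock that is wrong by hours would report the Sun below the horizon in daylight, so the two sources must agree and both must independently permit. And the function returns a reason with every decision, so an operator seeing the light path refused knows whether it was the clocks, the horizon test or the elongation test.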
On-Sun Pointing
Related to off-Sun pointing are on-axis solar observations. When the Sun is within 1.5 solar radii (R☉) of the optical axis, the reflected solar energy is trapped in the heat stop. This is the normal operating condition of the telescope. Given the accuracy required to ensure that the reflected energy is contained within the heat stop, the above ephemeris calculation is unlikely to be sufficiently accurate.
In this case, two small sun position sensors are required. These sensors use a two-dimensional position sensitive device (PSD) to determine whether the Sun is on-axis. A small lens with a focal length of 100 mm focuses the image on the PSD, and neutral density filters (ND 2.7) reduce the intensity to acceptable limits.
It should be noted that the Safety Shutter in front of the heat stop is not used in this safety function. If the telescope is sufficiently off-axis, the Safety Shutter cannot block the light path. If the telescope is on-axis, the heat stop should absorb the solar energy as designed. Failure of the heat stop is covered elsewhere.
Aperture Cover Interlock
The Enclosure Aperture Cover is allowed to open under specific circumstances.
If the M1 cover is closed or no sunlight is striking M1, there is no reflected solar energy. Typical operation requires that, in order to acquire the sun, the telescope points at the sun with the M1 cover closed. Once the sun sensor described in 4.4.3 detects that the sun is within 1.5 R☉, the M1 cover is permitted to open and the aperture is permitted to stay open.
M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
Similar to the Aperture Cover above, the M1 cover may open when there is no sunlight on the mirror. Additionally, if the telescope is pointed directly at the sun, the safety shutter is open, and the heat stop is not in an over-temperature condition, the M1 Cover may open.
Mount Base LIC
The Mount Base LIC is responsible for interlocks, limits, and emergency stop functions for the Telescope Mount Azimuth and Altitude Axes, Cable Wraps; M1 Mirror Cover; and M5/M6 Access Platform.
For details of implementation see LIC design requirements document.
Telescope Mount Azimuth Axis
Telescope Azimuth Drive Over-Speed
Abnormally high velocities indicate a failure of an Azimuth Axis Bogie Drive. The reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers, and apply the brakes (category 1 stop).
Safety Function | Telescope Azimuth Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Positive Azimuth Final Travel Limit
When a Positive Azimuth Final Limit is detected using combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop), and apply the brakes.
Safety Function | Telescope Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope rotation exceeding positive limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Negative Azimuth Final Travel Limit
When a Negative Azimuth Final Limit is detected by using combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.
Safety Function | Telescope Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope rotation exceeding negative azimuth limit |
Priority | |
Modes | All automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Azimuth Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power from the Telescope Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Safety Function | Telescope Azimuth Cable Wrap Over Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Trapped Key Interlock
This is actually a group of trapped keys; removing one or more of them inhibits Telescope motion by removing power. A key from this group is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Azimuth Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Azimuth Axis motion.
This interlock is asserted unless all the following are true:
Enclosure Bridge Crane stowed
Enclosure Jib Crane stowed
TEOA Platform stowed (see section 4.9.5)
Boom lift stowed
The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.
Telescope Altitude Axis
Telescope Altitude Drive Over-Speed
Velocities above a predetermined level indicate a failure of an Altitude Axis Drive. The reaction of the GIS is to remove power from the Altitude Drive Controllers and apply the brakes (category 0 stop).
Safety Function | Telescope Altitude Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Positive Altitude Final Travel Limit
When a Positive Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Positive Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding positive altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Negative Altitude Final Travel Limit
When a Negative Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Negative Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding negative altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Altitude Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of the Altitude Cable Wrap exceeds predetermined limits.
Safety Function | Telescope Altitude Cable Wrap Over-Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Manual Lockout Pin
The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If this pin is not fully removed the GIS shall remove Telescope drive power.
Trapped Key Interlock
This is actually a group of trapped keys; removing one or more of them inhibits Enclosure and/or Telescope motion by removing power.
Safety Function | Telescope Altitude Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Altitude Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Altitude Axis motion.
This interlock is asserted unless all the following are true:
Enclosure Bridge Crane stowed
Enclosure Jib Crane stowed
TEOA Platform stowed or fully deployed (see section 4.9.5)
Boom Lift Stowed
The reaction of the GIS is to disable power to the Telescope Altitude Axis Drives.
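The Telescope Azimuth Axis Interlock above and this Altitude Axis Interlock are both combinational functions over "stowed" inputs, differing only in how the TEOA Platform is treated. The following is an added example, not DKIST/GIS code, of how such an evaluator can be written so that the interlock asserts unless every input is positively proven stowed. The channel names, the two-channel wiring and the discrepancy rule are assumptions made for illustration; the page does not specify the I/O layout.

```python
"""Added example (not DKIST/GIS code): evaluating the Telescope Azimuth
and Altitude Axis Interlocks as combinational logic over redundant inputs.
Channel names, the two-channel wiring and the discrepancy rule are
assumptions made for illustration."""
from dataclasses import dataclass, fields
from typing import Tuple

# Assumed wiring: every "stowed" condition arrives on two independent
# channels. A channel reads True only while its circuit is closed, so an
# open channel, a broken wire or a lost supply all read as "not stowed".
Channels = Tuple[bool, bool]


def stowed(ch: Channels) -> bool:
    """Both channels must agree that the item is stowed (fail-safe AND)."""
    return ch[0] and ch[1]


def discrepancy(ch: Channels) -> bool:
    """The two channels disagree: a wiring or sensor fault."""
    return ch[0] != ch[1]


@dataclass(frozen=True)
class Inputs:
    bridge_crane_stowed: Channels
    jib_crane_stowed: Channels
    teoa_platform_stowed: Channels
    teoa_platform_deployed: Channels
    boom_lift_stowed: Channels


@dataclass(frozen=True)
class Decision:
    azimuth_drives_enabled: bool
    altitude_drives_enabled: bool
    faults: Tuple[str, ...]  # what the HMI would show as faulted


def evaluate(i: Inputs) -> Decision:
    """Return the drive permissives implied by the two axis interlocks."""
    faults = [f.name for f in fields(i) if discrepancy(getattr(i, f.name))]

    teoa_stowed = stowed(i.teoa_platform_stowed)
    teoa_deployed = stowed(i.teoa_platform_deployed)
    # The platform cannot be stowed and fully deployed at the same time.
    if teoa_stowed and teoa_deployed:
        faults.append("teoa_platform_position")

    common = (stowed(i.bridge_crane_stowed)
              and stowed(i.jib_crane_stowed)
              and stowed(i.boom_lift_stowed))
    # Azimuth Axis Interlock: asserted unless all four items are stowed.
    azimuth_ok = common and teoa_stowed
    # Altitude Axis Interlock: the TEOA platform may also be fully deployed.
    altitude_ok = common and (teoa_stowed or teoa_deployed)

    # Any fault asserts both interlocks until it is cleared and reset.
    if faults:
        azimuth_ok = altitude_ok = False
    return Decision(azimuth_ok, altitude_ok, tuple(faults))


if __name__ == "__main__":
    healthy = (True, True)
    print(evaluate(Inputs(healthy, healthy, healthy, (False, False), healthy)))
    print(evaluate(Inputs(healthy, healthy, (False, False), healthy, healthy)))
    print(evaluate(Inputs((True, False), healthy, healthy, (False, False), healthy)))
```

The point of the discrepancy check is that a permissive is never granted on a single channel: a stuck or shorted contact on one channel shows up as a fault rather than as a silently weakened interlock.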
M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
Similar to the Entrance Aperture below, the M1 cover may open when no sunlight can strike the mirror (see 4.4.2 Off Sun Pointing). Additionally, if the telescope is pointed directly at the sun, the safety shutter is open, and the heat stop is not in an over-temperature condition, the M1 Cover may open.
Telescope Floor Access Panels Not Closed
Telescope Drive Power is disabled unless all Telescope Floor Access Panels are closed.
Safety Function | Telescope Floor Access Panels Not Closed |
Hazard | Impact, crush/pinch |
Triggering Event | Any telescope floor access panel not fully closed |
Priority | |
Modes | Always active |
Reaction | Inhibit Telescope azimuth rotation |
Safe State | Telescope motion stopped |
Required Integrity | SIL 1 |
M5/M6 Access Platform Not Stowed
Telescope Altitude Drive Power is disabled unless the M5/M6 Access Platform is fully stowed.
Safety Function | M5/M6 Access Platform Not Stowed |
Hazard | Damage to telescope mount |
Triggering Event | M5/M6 Bridge not stowed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
OSS Access Platform Not Stowed
Telescope Altitude Drive Power is disabled unless the OSS Access Platform is fully stowed.
Safety Function | OSS Access Platform Not Stowed |
Hazard | Damage to telescope mount |
Triggering Event | OSS Access Platform not stowed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
Access Doors Not Closed
Telescope Elevation Drive Power is disabled unless all Access Doors are closed.
Safety Function | Access Doors Not Closed |
Hazard | Damage to telescope mount |
Triggering Event | Access Doors not closed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Azimuth Cable Wrap Access
This area requires a trapped key to access. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Azimuth Mechanical Level
Access to the Mechanical Level requires a trapped key. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Coudé Rotator LIC
The Coudé Rotator LIC is responsible for interlocks, limits, and emergency stop functions of the Telescope Coudé Rotator Azimuth Axis and Cable Wrap.
Coudé Drive Controller
Coudé Rotator Azimuth Drive Over-Speed
Velocities above a predetermined level indicate a failure of a Coudé Axis Drive. The reaction of the GIS is to remove power from the Coudé Drive Controllers and apply the brakes (category 0 stop).
Safety Function | Coudé Rotator Azimuth Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Rotator motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Positive Azimuth Final Travel Limit
When a Coudé Rotator Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power (category 0 stop) and apply the brakes.
Safety Function | Coudé Rotator Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Rotator motion exceeding positive azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Negative Azimuth Final Travel Limit
When a Coudé Rotator Negative Azimuth Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power (category 0 stop) and apply the brakes.
Safety Function | Coudé Rotator Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Rotator motion exceeding negative azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Azimuth Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Coudé Rotator Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Safety Function | Coudé Rotator Azimuth Cable Wrap Over Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Trapped Key Interlock
This is actually a group of trapped keys; removing one or more of them inhibits Coudé Rotator motion by removing power. A key is required to unlock and enter the Coudé Rotator area.
Safety Function | Coudé Rotator Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 3 |
Coudé Lab Crane Not Stowed
Use of the Coudé Lab Crane requires that hazardous motion be inhibited.
Safety Function | Coudé Lab Crane Interlock |
Hazard | Pinch/crush hazards. |
Triggering Event | Coudé Lab Crane not stowed |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | inhibit Coudé Azimuth rotation |
Safe State | Coudé Azimuth rotation stopped AND |
Required Integrity | SIL 2 |
Electronic Rack Door Open
The GIS shall inhibit motion and remove power to the Coudé Rotator Drives if any electronic rack door is not closed.
Safety Function | Electronic Rack Door Open |
Hazard | Pinch/crush hazards |
Triggering Event | Any electronic rack door not closed |
Priority | |
Modes | All |
Reaction | inhibit Coudé Azimuth rotation |
Safe State | Coudé Azimuth rotation stopped AND Coudé Azimuth drives de-energized. |
Required Integrity | SIL 1 |
Instrumentation Systems LIC
Coudé Adaptive Optics (AO-C)
None currently identified.
Coudé Active Optics (aO-C)
None currently identified.
Visible Light Broadband Imager (VLBI)
None currently identified.
Visible Spectropolarimeter (ViSP)
None currently identified.
Near-IR Spectropolarimeter (NIRSP)
None currently identified.
Visible Tunable Filter (VTF)
None currently identified.
Enclosure Motion Control LIC
The Enclosure Motion Control LIC is responsible for interlocks, limits, and emergency stop functions for the Enclosure Azimuth, Shutters, Cable Wraps, Entrance Aperture, Bridge Crane, Jib Cranes, Rear Access Doors, and TEOA Platform.
This LIC is also the connection point for emergency stop devices located at or near the above items.
Enclosure Azimuth Axis
Enclosure Azimuth Positive Final Travel Limit
When an Enclosure Azimuth Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.
Safety Function | Enclosure Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Enclosure motion exceeding positive azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Negative Final Travel Limit
When an Enclosure Azimuth Negative Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.
Safety Function | Enclosure Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Enclosure motion exceeding negative azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Cable Wrap Over Tension
The GIS shall inhibit motion and remove power to the Enclosure Azimuth Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Safety Function | Enclosure Azimuth Cable Wrap Over Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Personnel Trapped Key Interlock
This is actually a group of trapped keys; removing one or more of them inhibits Enclosure Azimuth motion by removing power. A key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas. In manual mode (Enclosure Pendant installed and enabling grip held) it may be muted to allow Enclosure Azimuth rotation. It is also required to enable the exterior boom lift.
Safety Function | Enclosure Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | Automatic mode, may be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 3 |
Altitude Axis
Shutter Personnel Trapped Key Interlock
This is actually a group of trapped keys; removing one or more of them inhibits Enclosure Shutter motion by removing power.
Safety Function | Enclosure Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 3 |
Cranes
Bridge Crane Not Stowed
When in automatic mode, if the Bridge Crane is not stowed (i.e. hook not fully up, trolley at end-of-travel, and bridge fully towards the rear of the enclosure) the GIS removes drive power from both the Altitude and Azimuth telescope drive controllers (category 0 stop).
If the enclosure has the pendant connected, Enclosure Azimuth motion may be enabled for safe-limited speed.
Safety Function | Bridge Crane Not Stowed |
Hazard | Collision between Telescope and crane |
Triggering Event | Bridge Crane not in stowed position |
Priority | |
Modes | Automatic (may be overridden in manual mode) |
Reaction | Inhibit Enclosure rotation |
Safe State | Bridge Crane in Stowed Position (hook up, bridge at rear of enclosure) |
Required Integrity | SIL 2 |
Bridge Crane Interlock
The GIS shall inhibit (category 0 stop) the Bridge Crane unless the following conditions are true:
The telescope is parked.
The telescope azimuth and altitude drives are disabled.
The telescope brakes are engaged.
Safety Function | Bridge Crane Interlock |
Hazard | Collision between Telescope and crane |
Triggering Event | Telescope not parked |
Priority | |
Modes | Automatic (may be overridden in manual mode) |
Reaction | Disable Motion of Bridge Crane |
Safe State | Telescope Mount stopped |
Required Integrity | SIL 2 |
Jib Crane Not Stowed
If the GIS detects that the Jib Crane is not stowed (i.e. hook not fully up, jib fully towards the wall of the enclosure) the GIS removes drive power from both the Altitude and Azimuth telescope drive controllers (category 0 stop).
Safety Function | Jib Crane Not Stowed |
Hazard | Collision between Telescope and crane |
Triggering Event | Jib Crane not in stowed position |
Priority | |
Modes | Automatic (may be overridden in manual mode) |
Reaction | Inhibit Enclosure rotation |
Safe State | Jib Crane in Stowed Position (hook up, jib against side of enclosure) |
Required Integrity | SIL 2 |
Jib Crane Interlock
The GIS shall inhibit (category 0 stop) the Jib Crane unless the following conditions are true:
The telescope azimuth and altitude drives are disabled.
The telescope brakes are engaged.
Safety Function | Jib Crane Interlock |
Hazard | Collision between Telescope and crane |
Triggering Event | Telescope not parked |
Priority | |
Modes | Automatic (may be overridden in manual mode) |
Reaction | Disable Motion of Jib Crane |
Safe State | Telescope Mount stopped |
Required Integrity | SIL 2 |
Entrance Aperture Cover Interlock
The enclosure entrance aperture cover is allowed to open under specific circumstances.
If the M1 cover is closed or there is no sunlight on the M1, the Entrance Aperture Cover may open. Additionally, if the telescope is pointed at the sun, the heat stop shutter is open, and the heat stop is not in an over-temperature condition, the Entrance Aperture Cover may open.
TEOA Access Platform
The TEOA Access Platform may only be deployed when the telescope mount is aligned in azimuth with the platform and the telescope altitude is at least 25° (this measurement needs to be verified). This allows the platform and then the guard rails to be deployed. The TEOA Platform may only be raised once the telescope altitude is above 25° and the guard rails have been stowed.
Operating Sequence
To deploy the TEOA Access Platform:
With telescope altitude above 25°, align telescope azimuth with TEOA maintenance position.
Lower TEOA platform fully.
Deploy TEOA guardrails.
Lower telescope altitude to TEOA maintenance position.
To retract the TEOA Access Platform:
With the telescope parked at the TEOA maintenance position, raise telescope altitude to above 25°.
Retract the TEOA guardrails.
Raise the TEOA platform fully.
Safety Function | TEOA Access Platform Permissive |
Hazard | Pinch/crush hazard from moving components |
Triggering Event | Enclosure Azimuth at TEOA maintenance position AND Telescope Azimuth at TEOA maintenance position AND Telescope Altitude above 25°. |
Priority | |
Modes | All modes |
Reaction | Enable TEOA maintenance platform drives |
Safe State | TEOA maintenance platform disabled |
Required Integrity | SIL 2 |
Additionally, when the TEOA Access Platform is not stowed, Enclosure Azimuth motion and Telescope Azimuth motion are inhibited.
Safety Function | TEOA Access Platform Not Stowed |
Hazard | Pinch/crush hazard from moving components |
Triggering Event | TEOA Access Platform not stowed |
Priority | |
Modes | All modes |
Reaction | Disable Telescope Azimuth and Enclosure Azimuth drives |
Safe State | Enclosure Azimuth drives disabled AND Enclosure Azimuth brakes set AND Telescope Azimuth Drives disabled AND Telescope Azimuth brakes set |
Required Integrity | SIL 2 |
Remarks | See section 4.6.1 |
However, the Telescope Altitude axis is required to lower into position when the TEOA Access Platform is not stowed. Telescope Altitude motion shall be permitted only when the TEOA Access Platform is fully deployed or fully retracted.
Safety Function | TEOA Access Platform Not In Position |
Hazard | Pinch/crush hazard from moving components |
Triggering Event | TEOA Access Platform not stowed AND TEOA Access Platform not fully deployed |
Priority | |
Modes | All modes |
Reaction | Disable Telescope Altitude drives |
Safe State | Telescope Altitude Drives disabled AND Telescope Altitude brakes set |
Required Integrity | SIL 2 |
Remarks | See section 4.6.2 |
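The TEOA operating sequence and the three safety functions above (Permissive, Not Stowed, Not In Position) together define which drives may move in each platform state. The following is an added example, not DKIST/GIS code, that expresses those permissives as a pure function of sensed state and then runs the documented deploy and retract sequences through them, refusing any step the GIS would inhibit. The 25° threshold is the provisional figure given in the text; the guard-rail permissive, the `alt:` action encoding and the maintenance altitude used in the sequence are assumptions made for illustration.

```python
"""Added example (not DKIST/GIS code): the TEOA Access Platform permissives
as a pure function of sensed state, plus the documented deploy and retract
sequences run through them. The 25 degree threshold is the provisional figure
in the text; the guard-rail permissive is an assumption read off the
operating sequence."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Iterable


class Platform(Enum):
    STOWED = "stowed"
    DEPLOYED = "deployed"
    IN_TRANSIT = "in_transit"  # neither fully stowed nor fully deployed


class Rails(Enum):
    STOWED = "stowed"
    DEPLOYED = "deployed"


TEOA_MIN_ALT_DEG = 25.0  # provisional value from the text, to be verified


@dataclass(frozen=True)
class State:
    enclosure_az_at_teoa: bool
    telescope_az_at_teoa: bool
    telescope_alt_deg: float
    platform: Platform
    rails: Rails


@dataclass(frozen=True)
class Permissives:
    platform_drive: bool  # TEOA Access Platform Permissive
    rails_drive: bool     # assumed: rails move only with the platform fully deployed
    telescope_az: bool    # TEOA Access Platform Not Stowed
    enclosure_az: bool    # TEOA Access Platform Not Stowed
    telescope_alt: bool   # TEOA Access Platform Not In Position


def permissives(s: State) -> Permissives:
    alt_clear = s.telescope_alt_deg > TEOA_MIN_ALT_DEG
    aligned = s.enclosure_az_at_teoa and s.telescope_az_at_teoa
    # Platform drives: both azimuths at the maintenance position, telescope
    # altitude above the threshold, and guard rails stowed (they must be
    # retracted before the platform is raised).
    platform_drive = aligned and alt_clear and s.rails == Rails.STOWED
    # Guard rails (assumption): only with the platform fully lowered and the
    # telescope altitude still above the threshold.
    rails_drive = s.platform == Platform.DEPLOYED and alt_clear
    in_position = s.platform in (Platform.STOWED, Platform.DEPLOYED)
    return Permissives(
        platform_drive=platform_drive,
        rails_drive=rails_drive,
        telescope_az=s.platform == Platform.STOWED,
        enclosure_az=s.platform == Platform.STOWED,
        telescope_alt=in_position,
    )


def apply(s: State, action: str) -> State:
    """Apply one operator action, refusing it if the GIS would inhibit it."""
    p = permissives(s)
    if action in ("lower_platform", "raise_platform"):
        if not p.platform_drive:
            raise PermissionError(action)
        target = Platform.DEPLOYED if action == "lower_platform" else Platform.STOWED
        return replace(s, platform=target)
    if action in ("deploy_rails", "retract_rails"):
        if not p.rails_drive:
            raise PermissionError(action)
        target = Rails.DEPLOYED if action == "deploy_rails" else Rails.STOWED
        return replace(s, rails=target)
    if action.startswith("alt:"):
        if not p.telescope_alt:
            raise PermissionError(action)
        return replace(s, telescope_alt_deg=float(action[4:]))
    raise ValueError(action)


def run(s: State, actions: Iterable[str]) -> State:
    for a in actions:
        s = apply(s, a)
    return s


# The documented sequences; "alt:10" stands in for the TEOA maintenance
# altitude, a value the text does not give.
DEPLOY = ("lower_platform", "deploy_rails", "alt:10")
RETRACT = ("alt:30", "retract_rails", "raise_platform")


if __name__ == "__main__":
    start = State(True, True, 30.0, Platform.STOWED, Rails.STOWED)
    down = run(start, DEPLOY)
    print(down, permissives(down))
    print(run(down, RETRACT) == start)
```

Running the sequences out of order (for example raising the platform while the guard rails are still deployed, or lowering the telescope while the platform is in transit) raises `PermissionError`, which is the behaviour the Not In Position and Permissive functions are meant to enforce.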
Facility Thermal System LIC
Vent Gates
None currently identified
Enclosure Cooling
Enclosure Coolant Leak
This safety function monitors coolant supply and return flow rates. If the difference between the supply and return flow rates exceeds a predetermined threshold, the GIS commands a controlled stop of the pumps and then disables power (category 1 stop).
Safety Function | Enclosure Coolant Leak |
Hazard | Coolant on equipment |
Triggering Event | Mismatch of supply and return rates |
Priority | Low |
Modes | All modes |
Reaction | Stop affected pumps; close valves to isolate leak |
Safe State | Pumps stopped; isolation valves closed |
Required Integrity | n/a |
Enclosure Dehumidification High High Humidity
If the wet bulb temperature in the Enclosure exceeds a predetermined level, the GIS shall close the M1 cover, close the Aperture Cover, command a controlled stop of the Enclosure Altitude Axis, inflate the shutter seals, and command the Enclosure Dehumidification system to start.
Safety Function | High High Humidity |
Hazard | Condensation on equipment |
Triggering Event | Interior enclosure humidity above a predetermined level |
Priority | Lowest |
Modes | Automatic modes |
Reaction | Close M1 Cover; close Aperture Cover; stop Enclosure Altitude Axis; inflate the shutter seals; start enclosure dehumidification system |
Safe State | Aperture Cover closed; shutter seals inflated; dehumidification system running |
Required Integrity | n/a |
Enclosure Rear Door
None currently identified
Facilities LIC
The facilities LIC is responsible for interlocks, limits, and emergency stop functions located in the Support and Operations Building.
This LIC is also the connection point for emergency stop devices located at:
Control Room
Boom Lift
The facility LIC also plays a crucial role in controlling access to various hazardous zones of the facility.
Fire Alarm
When the fire alarm system detects a fire, all systems controlled by the GIS shall conduct a controlled stop and power off (category 1 stop).
Safety Function | Facility Fire Alarm |
Hazard | Personnel hazard from smoke and flame |
Triggering Event | Fire/smoke detected by building fire alarm |
Priority | |
Modes | All |
Reaction | All hazardous motion shall be stopped (Category 1 stop). |
Safe State | Telescope Azimuth motion stopped; Telescope Altitude motion stopped; Coudé Rotator motion stopped; Enclosure Azimuth motion stopped; Aperture Cover closed; Safety Shutter closed; M1 Mirror Cover closed; Enclosure Jib Crane motion stopped; Enclosure Bridge Crane motion stopped |
Required Integrity | n/a |
Input | Dry contact from Fire Alarm Panel |
Output | Tag FAC_FireAlarm_OK = 0 |
Seismic Alarm
Upon detection of a seismic event, all systems controlled by the GIS shall conduct a controlled stop and power off (category 1 stop).
Safety Function | Facility Seismic Alarm |
Hazard | Personnel and equipment hazard during and following a seismic event |
Triggering Event | Seismic event detected |
Priority | |
Modes | All |
Reaction | All hazardous motion shall be stopped (Category 1 stop). |
Safe State | Telescope Azimuth motion stopped; Telescope Altitude motion stopped; Coudé Rotator motion stopped; Enclosure Azimuth motion stopped; Aperture Cover closed; Safety Shutter closed; M1 Mirror Cover closed; Enclosure Jib Crane motion stopped; Enclosure Bridge Crane motion stopped |
Required Integrity | n/a |
Input | Accelerometers |
Output | Tag FAC_SeismicAlarm_OK = 0 |
Boom Lift
Boom Lift Not Stowed
This function is used by the GIS in combination logic to inhibit other subsystems.
Safety Function | Boom Lift Not Stowed |
Hazard | Impact |
Triggering Event | Boom lift not in stowed position |
Priority | |
Modes | May be bypassed when lift is removed from observing chamber |
Reaction | Inhibit enclosure motion AND |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized AND Telescope Azimuth rotation stopped AND Telescope Azimuth Drives de-energized AND Telescope Azimuth Brakes set AND Telescope Altitude rotation stopped AND Telescope Altitude Drives de-energized AND Telescope Altitude Brakes set. |
Required Integrity | SIL 1 |
Boom Lift Permissive
Use of the Boom Lift shall require that hazardous motion be inhibited.
Safety Function | Boom Lift Permissive |
Hazard | Impact |
Triggering Event | Telescope and Enclosure not parked |
Priority | |
Modes | May be bypassed when lift is removed from observing chamber |
Reaction | Inhibit enclosure motion AND |
Safe State | Telescope Azimuth motion stopped; Telescope Altitude motion stopped; Enclosure Azimuth motion stopped |
Coudé Lab
Coudé Lab Crane Permissive
Use of the Coudé Lab Crane shall require that hazardous motion be inhibited.
Safety Function | Coudé Lab Crane Permissive |
Hazard | Pinch/crush hazards |
Triggering Event | Coudé Azimuth not parked. |
Priority | |
Modes | |
Reaction | Inhibit Coudé Lab Crane motion |
Safe State | Coudé Lab Crane de-energized |
Required Integrity | SIL 2 |
Hazardous Area Access
Coudé Hazardous Zone
Access to hazardous areas is controlled via trapped keys and/or interlocked doors.
Safety Function | Coudé Pier Access |
Hazard | Coudé cable wrap pinch/crush hazards; Coudé azimuth rotator pinch/crush or impact hazards |
Triggering Event | Door 110A opened OR Door 209A opened OR Door 210A opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | inhibit Coudé Azimuth rotation |
Safe State | Coudé Azimuth rotation stopped AND Coudé Azimuth drives de-energized. |
Required Integrity | SIL 3 |
Coudé Lab Access
Safety Function | Coudé Lab Access |
Hazard | Coudé Lab pinch/crush hazards |
Triggering Event | Door 307A opened OR Door 308C opened |
Priority | All stopping safety functions are higher priority |
Modes | |
Reaction | Limit rotation speed of Coudé Lab to <1.75°/sec |
Safe State | Coudé Azimuth rotation <1.75°/sec |
Required Integrity | SIL 3 |
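The Coudé Lab Access function differs from the other Coudé functions in that its reaction is a speed limit rather than a stop, and its Priority row states that all stopping functions rank above it. Several functions on this page (Coudé Pier Access, Coudé Lab Crane Interlock, Electronic Rack Door Open, Coudé Lab Access) can therefore demand different reactions from the same axis at the same time. The following is an added example, not DKIST/GIS code, of arbitrating those demands so that a stop always wins over a safe limited speed, and the manual-mode override applies only to the functions whose Modes row allows it. The input field names and the escalation to a stop when the measured rate exceeds the limit are assumptions; the page gives the limit but not how it is enforced.

```python
"""Added example (not DKIST/GIS code): combining several Coudé Rotator safety
functions into one commanded state. Stopping functions take priority over the
Coudé Lab Access speed limit, as that function's Priority row states. Field
names and the speed-exceeded escalation are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Reaction(IntEnum):
    # Ordered by severity so that max() implements the priority rule.
    RUN = 0
    SAFE_LIMITED_SPEED = 1  # rotation permitted below a speed limit
    STOP = 2                # rotation stopped, drives de-energized


COUDE_LAB_SLS_DEG_PER_S = 1.75  # Coudé Lab Access limit from the table


@dataclass(frozen=True)
class CoudeInputs:
    manual_mode_enabled: bool     # enabling pendant held in manual control
    pier_doors_open: bool         # Door 110A OR 209A OR 210A
    lab_doors_open: bool          # Door 307A OR 308C
    rack_door_open: bool          # any electronic rack door
    crane_stowed: bool            # Coudé Lab Crane
    measured_rate_deg_per_s: float


@dataclass(frozen=True)
class Command:
    reaction: Reaction
    speed_limit_deg_per_s: Optional[float]
    tripped: Tuple[str, ...]      # functions currently demanding a reaction


def arbitrate(i: CoudeInputs) -> Command:
    demands: List[Tuple[str, Reaction]] = []

    # Coudé Pier Access: stop; overridable with the enabling pendant in manual.
    if i.pier_doors_open and not i.manual_mode_enabled:
        demands.append(("Coudé Pier Access", Reaction.STOP))
    # Coudé Lab Crane Interlock: stop; same override.
    if not i.crane_stowed and not i.manual_mode_enabled:
        demands.append(("Coudé Lab Crane Interlock", Reaction.STOP))
    # Electronic Rack Door Open: stop in all modes, no override.
    if i.rack_door_open:
        demands.append(("Electronic Rack Door Open", Reaction.STOP))
    # Coudé Lab Access: safe limited speed; any stop above outranks it.
    if i.lab_doors_open:
        demands.append(("Coudé Lab Access", Reaction.SAFE_LIMITED_SPEED))

    reaction = max((r for _, r in demands), default=Reaction.RUN)
    limit = COUDE_LAB_SLS_DEG_PER_S if reaction == Reaction.SAFE_LIMITED_SPEED else None

    # Assumption: while under a speed limit, exceeding it escalates to a stop
    # (the safe state is rotation strictly below the limit).
    if limit is not None and i.measured_rate_deg_per_s >= limit:
        demands.append(("Coudé Lab Access speed exceeded", Reaction.STOP))
        reaction = Reaction.STOP
        limit = None

    return Command(reaction, limit, tuple(name for name, _ in demands))


if __name__ == "__main__":
    print(arbitrate(CoudeInputs(False, False, True, False, True, 1.0)))
    print(arbitrate(CoudeInputs(False, True, True, False, True, 1.0)))
    print(arbitrate(CoudeInputs(True, True, False, False, False, 1.0)))
```

Because `Reaction` is ordered by severity, adding another stopping function is a one-line append and cannot accidentally downgrade an existing stop to a speed limit.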
Telescope Pier Hazardous Zones
Safety Function | Utility Floor Access |
Hazard | Telescope cable wrap pinch/crush hazards |
Triggering Event | Door 403A opened OR Gate “21” opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Inhibit telescope azimuth rotation |
Safe State | Telescope Azimuth rotation stopped AND Telescope Azimuth Drives de-energized AND Telescope Azimuth Brakes set |
Required Integrity | SIL 3 |
Telescope Cable Wrap Hazardous Access
Safety Function | Telescope Cable Wrap Access |
Hazard | Telescope Cable Wrap crush/pinch hazards |
Triggering Event | Door 501A opened OR Door 502A opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Inhibit telescope azimuth rotation |
Safe State | Telescope Azimuth rotation stopped AND Telescope Azimuth Drives de-energized AND Telescope Azimuth Brakes set |
Required Integrity | SIL 3 |
Enclosure Hazardous Zones
Safety Function | Enclosure Cable Wrap Access |
Hazard | Enclosure Cable Wrap crush/pinch hazards; Enclosure Rotation crush/pinch hazards |
Triggering Event | Floor Hatch FH-01 opened OR Floor Hatch FH-02 opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Inhibit Enclosure Azimuth Rotation |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized. |
Required Integrity | SIL 3 |
Enclosure Catwalk Hazardous Access
Safety Function | Catwalk Access |
Hazard | Enclosure Rotation crush/pinch hazards |
Triggering Event | Door 402D opened OR Door 210B opened OR Door 308D opened OR Door 402B opened OR Enclosure Door opened OR Outside Ladder Access opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Inhibit Enclosure Azimuth Rotation |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized. |
Required Integrity | SIL 3 |
Enclosure Upper Level Hazardous Access
Safety Function | Enclosure Upper Level Access |
Hazard | Fall hazard, dropped item damage to equipment. |
Triggering Event | Enclosure upper platform gate +X opened OR |
Priority | |
Modes | All automatic modes |
Reaction | Inhibit enclosure rotation motion |
Safe State | Enclosure Rotation stopped AND Enclosure Drives de-energized AND Enclosure Brakes set |
Required Integrity | SIL 3 |
Enclosure Lifting Platform Access
Safety Function | Lifting Platform Access |
Hazard | Enclosure Rotation crush/pinch hazards |
Triggering Event | Lifting platform access deployed |
Priority | |
Modes | All automatic modes |
Reaction | Inhibit Enclosure Azimuth Rotation |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized. |
Required Integrity | SIL 3 |
Telescope Floor Hazardous Zones
Safety Function | Telescope Floor Access |
Hazard | Enclosure azimuth pinch/crush; slip/trip hazard |
Triggering Event | Enclosure Azimuth rotation exceeds safe linear velocity threshold |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Safe Limited Speed of Enclosure azimuth rotation |
Safe State | Rotation speed less than 1.5°/sec |
Required Integrity | SIL 3 |
Telescope Hazardous Zone
Safety Function | Telescope Access |
Hazard | Pinch/crush hazard on Telescope Mount Assembly |
Triggering Event | Telescope Gate opened |
Priority | |
Modes | Automatic (can be overridden with enabling pendant in manual control) |
Reaction | Inhibit telescope motion |
Safe State | Telescope Azimuth rotation stopped AND Telescope Azimuth Drives de-energized AND Telescope Azimuth Brakes set AND Telescope Altitude rotation stopped AND Telescope Altitude Drives de-energized AND Telescope Altitude Brakes set |
Required Integrity | SIL 3 |
PFlow Lift
PFlow Lift Permissive
Safety Function | PFlow Lift Permissive |
Hazard | Pinch /crush hazard with Enclosure |
Triggering Event | Rear door aligned with lift AND Enclosure drives disabled |
Priority | |
Modes | |
Reaction | Inhibit PFlow lift movement above utility level |
Safe State | PFlow lift below utility level |
Required Integrity | SIL 1 |
PFlow Lift Interlock
Safety Function | PFlow Lift Interlock |
Hazard | Pinch/crush hazard with Enclosure |
Triggering Event | PFlow lift above utility level |
Priority | |
Modes | |
Reaction | Inhibit Enclosure Azimuth rotation |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized. |
Required Integrity | SIL 1 |
PFlow Lift Roof Closed
Safety Function | PFlow Lift Roof Not Closed |
Hazard | Pinch/crush hazard with Enclosure |
Triggering Event | PFlow Lift Roof not closed and locked |
Priority | |
Modes | |
Reaction | Inhibit Enclosure Azimuth rotation |
Safe State | Enclosure Azimuth Rotation stopped AND Enclosure Azimuth Rotation drives de-energized. |
Required Integrity | SIL 1 |
HMI Functions
System Status
The HMI shall display the current status of hardware that comprises the GIS.
This display shall show any faulted or unconnected equipment to allow for rapid troubleshooting.
The results of component self-diagnostics shall also be displayed.
Part of the status display shall show whether there are any I/O forces and that all controllers have valid safety signatures.
General health information about the GIS shall also be provided; this includes information such as network utilization.
Safety Function Status
The HMI shall also display the current status of all GIS safety functions.
The HMI shall display which systems are currently interlocked (tripped) or faulted.
Operator Control
The HMI also serves as a central point to acknowledge alarms and to reset trips and faults that occur anywhere in the system.
After the operator has verified that the cause of the trip or fault has been rectified the HMI allows password-controlled access to reset the system and restore operation.
Engineering Interface
The HMI shall be capable of displaying engineering screens that detail hardware status and configuration.
These screens shall be separate from the user screens and will require password-controlled access.
Logging
The HMI provides logging of trips and faults that occur within the system.
The logs shall be time-stamped to allow for correlation of GIS events with activities within the facility.