Telescope Mount Functional Safety
Mount Base LIC
The Mount Base LIC is responsible for interlocks, limits, and emergency stop functions for the Telescope Mount Azimuth and Altitude Axes; Cable Wraps; M1 Mirror Cover; and M5/M6 Access Platforms.
For details of implementation see LIC design requirements document.
Telescope Mount Azimuth Axis
Telescope Final Travel Limit
When a Final Limit is detected using the safety encoder, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.
Safety Function | Telescope Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope rotation exceeding travel limits |
Priority | superseded by STO functions |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Safe Stop 1 (SS1) of Azimuth axis |
Safe State | Telescope drives disabled, brakes applied, motion stopped |
Required Integrity | SIL 2 |
Telescope Azimuth Drive Over-Speed
Abnormally high velocities indicate a failure of an Azimuth Axis Bogie Drive. The reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers and apply the brakes (category 1 stop).
Safety Function | Telescope Azimuth Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | superseded by STO functions |
Modes | All modes |
Reaction | Safe Stop 1 (SS1) of Azimuth axis |
Safe State | Telescope drives disabled, brakes applied, motion stopped |
Required Integrity | SIL 2 |
Trapped Key Interlock
This is actually a group of trapped keys; when one or more are removed, Telescope motion is inhibited by removing power. This key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | Supersedes all other functions |
Modes | All modes |
Reaction | Safe Torque Off of Azimuth axis |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Azimuth Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Azimuth Axis motion.
This interlock is asserted unless all the following are true:
- Enclosure Bridge Crane stowed
- Enclosure Jib Crane stowed
The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.
Telescope Altitude Axis
Telescope Altitude Drive Over-Speed
Velocities above a predetermined level indicate a failure of an Altitude Axis Drive. The reaction of the GIS is to remove power from the Altitude Drive Controllers and apply the brakes (category 0 stop).
Safety Function | Telescope Altitude Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Positive Altitude Final Travel Limit
When a Positive Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Positive Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding positive altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Negative Altitude Final Travel Limit
When a Negative Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Negative Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding negative altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Altitude Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of the Altitude Cable Wrap exceeds predetermined limits.
Safety Function | Telescope Altitude Cable Wrap Over-Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Manual Lockout Pin
The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If this pin is not fully removed, the GIS shall remove Telescope drive power.
Trapped Key Interlock
This is actually a group of trapped keys; when one or more are removed, Enclosure and/or Telescope motion is inhibited by removing power.
Safety Function | Telescope Altitude Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Altitude Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Altitude Axis motion.
This interlock is asserted unless all the following are true:
- Enclosure Bridge Crane stowed
- Enclosure Jib Crane stowed
- TEOA Platform stowed or fully deployed (see section 4.9.5)
- Boom Lift Stowed
The reaction of the GIS is to disable power to the Telescope Altitude Axis Drives.
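The Azimuth and Altitude Axis Interlock logic above, together with the Azimuth priority rules (SS1 superseded by STO, trapped key supersedes all), can be modelled as follows. This is an added example, not code from the LIC design; the signal names, the fail-safe treatment of missing or contradictory inputs, and the mapping of "remove power" to STO are assumptions.

```python
from enum import IntEnum

class Reaction(IntEnum):          # higher value supersedes lower
    NONE = 0
    SS1 = 1                       # Safe Stop 1: stop, then remove power and brake
    STO = 2                       # Safe Torque Off: power removed at once

# Permissive lists from the two interlock sections; signal names are hypothetical.
AZ_PERMISSIVES = ("bridge_crane_stowed", "jib_crane_stowed")
ALT_PERMISSIVES = AZ_PERMISSIVES + ("teoa_platform_ok", "boom_lift_stowed")

def interlock_asserted(permissives, signals):
    """Asserted unless every permissive reads exactly True.
    Assumption: a missing or invalid signal counts as not-true (fail-safe)."""
    return not all(signals.get(name) is True for name in permissives)

def altitude_interlock(signals):
    """TEOA platform passes when stowed or fully deployed.
    Assumption: both sensors True at once is a fault and does not pass."""
    s = dict(signals)
    s["teoa_platform_ok"] = (s.get("teoa_stowed") is True) != (s.get("teoa_deployed") is True)
    return interlock_asserted(ALT_PERMISSIVES, s)

def azimuth_reaction(signals, manual_override=False):
    """Collect every demanded reaction for the azimuth axis; the strongest wins."""
    demands = [Reaction.NONE]
    if signals.get("trapped_keys_in_place") is not True:
        demands.append(Reaction.STO)          # supersedes all other functions
    if interlock_asserted(AZ_PERMISSIVES, signals):
        demands.append(Reaction.STO)          # assumption: power removal modelled as STO
    if signals.get("overspeed") is not False:
        demands.append(Reaction.SS1)          # active in all modes
    if signals.get("final_limit") is not False and not manual_override:
        demands.append(Reaction.SS1)          # overridable in manual mode only
    return max(demands)

# Constructed sample input: everything healthy, platform fully deployed.
HEALTHY = {"bridge_crane_stowed": True, "jib_crane_stowed": True,
           "boom_lift_stowed": True, "teoa_stowed": False, "teoa_deployed": True,
           "trapped_keys_in_place": True, "overspeed": False, "final_limit": False}

if __name__ == "__main__":
    print(azimuth_reaction(HEALTHY))
    print(azimuth_reaction({**HEALTHY, "final_limit": True}))
    lost = {k: v for k, v in HEALTHY.items() if k != "jib_crane_stowed"}
    print(azimuth_reaction(lost), altitude_interlock(lost))
```

Dropping a signal from the input (a broken wire, in this model) yields the same result as the hazard being present, which is the property a reviewer should check for in any interlock implementation.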
M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
Similar to the Entrance Aperture below, the M1 cover may open when no sunlight can strike the mirror (see 4.4.2 Off Sun Pointing). Additionally, if the telescope is pointed directly at the sun, the safety shutter is open, and the heat stop is not in an over-temperature condition, the M1 Cover may open.
Telescope Floor Access Panels Not Closed
Telescope Drive Power is disabled unless all Telescope Floor Access Panels are closed.
Safety Function | Telescope Floor Access Panels Not Closed |
Hazard | Impact, crush/pinch |
Triggering Event | Any telescope floor access panel not fully closed |
Priority | |
Modes | Always active |
Reaction | Inhibit Telescope azimuth rotation |
Safe State | Telescope motion stopped |
Required Integrity | SIL 1 |
M5/M6 Access Platform Not Stowed
Telescope Altitude Drive Power is disabled unless the M5/M6 is fully stowed.
Safety Function | M5/M6 Access Platform Not Stowed |
Hazard | Damage to telescope mount |
Triggering Event | M5/M6 Bridge not stowed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
OSS Access Platform Not Stowed
Telescope Altitude Drive Power is disabled unless the M5/M6 is fully stowed.
Safety Function | OSS Access Platform Not Stowed |
Hazard | Damage to telescope mount |
Triggering Event | M5/M6 Bridge not stowed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
Access Doors Not Closed
Telescope Elevation Drive Power is disabled unless the Access Door is closed.
Safety Function | Access Doors Not Closed |
Hazard | Damage to telescope mount |
Triggering Event | Access Doors not closed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Azimuth Cable Wrap Access
This area requires a trapped key to access. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Azimuth Mechanical Level
Access to the Mechanical Level requires a trapped key. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |