Safety-Related Control Functions

This section lists and summarizes the current list of planned safety functions.

Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment under control. After a hazard has been identified that is to be mitigated by functional safety, the specification for each safety-related control function will be developed. Each SRCF comprises the functional requirements and the safety integrity requirements.

The functional requirements detail the description of the SRCF, the conditions in which the SRCF shall be active or disabled, the required responses to trips and faults, the timing and priority of responses of the SRCF.

The safety integrity requirement details the necessary risk reduction for each SRCF.

It is imperative that the subsystem’s hazard analysis be detailed, thorough, and complete. These hazard analyses are used to develop the various safety functions. If a hazard analysis does not identify a hazard, that hazard will not be safeguarded, presenting a serious potential risk to personnel and infrastructure.

It is foreseen that this list will need to be expanded and altered as additional hazards are identified during design, construction, integration, and testing. Additional hazard will require additional safety functions to be developed and likely will result in added hardware to detect the hazard and/or implement the safeguard.

Example of Development of Safety-Related Control Functions

To look at how the various Safety-Related Control Functions have been developed, we will follow an example of the how the related functions of the sun sensor we developed.

Early in the project it was recognized that the concentrated sunlight near the focus could provide a thermal hazard to personnel and equipment. The Hazard Analysis Team then met to analyze the hazards created.

The first was to define the extent of the hazard. Due to the fast focus of the telescope design the concentrated sunlight is limited to a relatively small area near the prime focus. For example the rapidly diverging beam spreads its energy over a fairly large area by the time the beam reaches the interior walls of the enclosure. While potentially a problem for thermal effects of seeing it does not represent a safety hazard.

The hazard to personnel is relatively easy to mitigate as it would require personnel to be near the prime focus which is inherently difficult in normal operations.

The hazard is mostly to the equipment itself. Due to its very nature the heat stop is designed to withstand this energy (given normal operation of the heat stop—failure of the heatstop thermal control has its own safety functions). This leaves damage to equipment near the heatstop. There are various cables and pipes in this area that could potentially be damaged/destroyed by sufficiently concentrated energy.

The solution was to design and implement a sun sensor that determines if the sun was within 1.5 solar radii (R_☉) of on-axis pointing. If the sun is within 1.5 R_☉) the excess energy is absorbed by the heatstop as designed. (See 4.4.3 On-Sun Pointing)

However, it was clarified that the telescope also needed to be able to view objects at elongations of greater than 1.5 R_☉. This leaves a complex problem of understanding where excess energy may focus depending on the relative angles of the sun, telescope, and entrance aperture, something that does not lend itself well to robust safety function.

The decision was made to restrict observations to elongations greater than 25° as the geometry is such that no sunlight should strike the primary mirror if the entrance aperture is more than 25° from the telescope’s line-of-sight.

Also if the sun is below the horizon it is also considered safe.

The last two items revealed the need to introduce an additional safety function (see 4.4.2 Off Sun Pointing) to calculate the sun’s position and determine if the sun is in a safe position relative to the telescope.

Requirements for Safety Functions

Stop Functions

The categories of stop functions are defined in NFPA 79.

Category 0

Category 0 is an uncontrolled stop by immediately removing power the machine actuators.

This is essentially pulling the plug. Stopping distance/time is determined by inertia, friction, and mechanical braking (if present).

Category 1

Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

This is a more graceful stop, powered deceleration under control, followed by pulling the plug. Stopping distance/time is determined by control system parameters for deceleration.

Category 2

Category 2 is a controlled stop with power left available to the machine actuators.

This is controlled stop without removal of power. Essentially this commands velocity to zero and leaves the actuators powered. Category 2 is not used by the GIS.

The choice of Category 0 or Category 1 is based on a hazard analysis.

Control Reliability

In order to ensure safety, system safety functions require that hardware needed in each safety function have a fault tolerance of at least 1 (i.e. loss of any single component shall not cause the loss of the safety function). Secondly, diagnostics shall be included to detect a failure of any component that could cause a loss of a safety function at or before the next demand on that component.

Response Time

Each safety function must have a response time of less than 200 milliseconds as measured from the time an input changes until the output changes to a safe state. The safety function must either respond to an input change or default to the safe state within that time. The safety function may not necessarily complete its action by that time but must initiate a change to the safe state

The safety function must complete any action required to reach a safe state before any hazard can cause damage.

For example, the M1 Mirror Cover must begin closing with 200 milliseconds of an over temperature fault but may take as long as 15 seconds to completely close. The upper limit is imposed by the duration of the heat stop shutter ability to withstand damage.

Safe State

The safe state of the system is defined as:

• Telescope Azimuth motion stopped, drives disabled and brakes applied

• Telescope Azimuth Cable Wrap motion stopped and drives disabled

• Telescope Altitude motion stopped, drives disabled and brakes applied

• Coude Rotator motion stopped, drives disabled and brakes applied

• Enclosure Azimuth motion stopped, drives disabled and brakes applied

• Enclosure Azimuth Cable Wrap motion stopped, drives disabled

• Enclosure Altitude motion stopped, drives disabled and brakes applied

• Aperture Cover closed, motion stopped, and drives disabled

• M1 Mirror Cover closed, motion stopped and drives disabled

• Heat Stop Safety Shutter closed

• Enclosure Jib Crane motion stopped, drives disabled and brakes applied

•  Enclosure Bridge Crane motion stopped, drives disabled, and brakes applied

• GOS PA&C hazardous motion stopped, drives disabled and brakes applied

• VBI-Blue hazardous motion stopped, drives disabled and brakes applied

• VBI-Red hazardous motion stopped, drives disabled and brakes applied

• VISP hazardous motion stopped, drives disabled and brakes applied.

Global Safety Functions

There are several safety functions that span multiple systems. These safety functions are controlled by the Global Interlock Controller and are referred to as Global Safety Functions.

Emergency Stop Safety Function

All subsystems’ emergency stop devices are combined in logic at the GIC, so that activating any emergency stop device shall cause all GIS-connected subsystems to go to their safe state. In most cases they perform an immediate stop (category 0 or 1 stop as determined by subsystem analysis). The exception is that M1 Mirror Cover and Enclosure Entrance Aperture close (their safe state) in a predetermined sequence.

Optical Support System LIC

The Optical Support System LIC is responsible for interlocks, limits, and emergency stop functions for the Top End Optical Assembly; M1 Active and Thermal Controller; and Feed Optics.

This LIC is also the connection point for emergency stop devices located at:

• M2 assembly

• OSS platform

Top End Optical Assembly

Heat Stop Over-Temperature

Temperatures above a predetermined level of the heat stop indicate a failure of the cooling system. The reaction of the GIS is to close the safety shutter, close the M1 mirror cover, and close the entrance aperture.

Because the Safety Shutter has limited survivability in the focused beam, the Aperture Cover and/or M1 Cover must also close to protect the Safety Shutter.

TEOA Removed

If the TEOA has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.

Heat Stop Removed

If the heat stop has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.

Telescope Mount LIC

Telescope Mount Azimuth Axis

Telescope Azimuth Drive Over-Speed

Abnormally high velocities indicate a failure of Azimuth Axis Bogie Drive. The reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers and apply the brakes (category 1 stop).

Telescope Positive Azimuth Final Travel Limit

When a Positive Final Limit is detected by using combinational logic of the End Stop position and the limit switches, the reaction of the GIS to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.

Telescope Negative Azimuth Final Travel Limit

When a Negative Azimuth Final Limit is detected by using combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.

Telescope Azimuth Cable Wrap Over-Tension

The GIS shall inhibit motion and remove power to the Telescope Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.

Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed will inhibit Telescope motion by removing power. This key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas.

Telescope Azimuth Axis Interlock

This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Azimuth Axis motion.

This interlock is asserted unless all the following are true:

·        Enclosure Bridge Crane stowed

·        Enclosure Jib Crane stowed

·        TEOA Platform stowed (see section 4.9.5)

·        Boom lift stowed

The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.

1.6.2       Telescope Altitude Axis

Telescope Altitude Drive Over-Speed

Velocities above a predetermined level indicate a failure of an Altitude Axis Drive. The reaction of the GIS is to remove power from the Altitude Drive Controllers and apply the brakes (category 0 stop).

Telescope Positive Altitude Final Travel Limit

When a Positive Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.

Telescope Negative Altitude Final Travel Limit

When a Negative Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.

Telescope Altitude Cable Wrap Over-Tension

The GIS shall inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of the Altitude Cable Wrap exceeds predetermined limits.

Manual Lockout Pin

The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If this pin is not fully removed the GIS shall remove Telescope drive power.

Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed inhibits Enclosure and/or Telescope motion by removing power.

Telescope Altitude Axis Interlock

This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Altitude Axis motion.

This interlock is asserted unless all the following are true:

·        Enclosure Bridge Crane stowed

·        Enclosure Jib Crane stowed

·        TEOA Platform stowed or fully deployed (see section 4.9.5)

·        Boom Lift Stowed

The reaction of the GIS is to disable power to the Telescope Altitude Axis Drives.

1.6.3       M1 Cover Interlock

The M1 cover is allowed to open under specific circumstances.

Similar to the Entrance Aperture below, the M1 cover may open when no sunlight can strike the mirror (see 4.4.2 Off Sun Pointing). Additionally if the telescope is pointed directly at the sun and the safety shutter is open and the heat stop is not in an over-temperature condition the M1 Cover may open.

1.6.7       Access Doors Not Closed

Telescope Elevation Drive Power is disabled unless the Access Door is closed.

1.6.8       Telescope Azimuth Cable Wrap Access

This area requires a trapped key to access. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.

1.7.1       Coude Drive Controller

Coude Rotator Azimuth Drive Over-Speed

Velocities above a predetermined level indicate a failure of Coude Axis Drive. The reaction of the GIS is to remove power from the Coude Drive Controllers and apply the brakes (category 0 stop).

Coude Rotator Positive Azimuth Final Travel Limit

When a Coude Rotator Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coude Rotator drive power (category 0 stop) and apply the brakes.

Coude Rotator Negative Azimuth Final Travel Limit

When a Coude Rotator Negative Azimuth Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coude Rotator drive power (category 0 stop) and apply the brakes.

Coude Rotator Azimuth Cable Wrap Over-Tension

The GIS shall inhibit motion and remove power to the Coude Rotator Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.

Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed inhibit Coude Rotator motion by removing power. This key is required to unlock and enter the Coude Rotator area.

Coude Lab Crane Not Stowed

Use of the Coude Lab Crane requires that hazardous motion be inhibited.

Electronic Rack Door Open

The GIS shall inhibit motion and remove power to the Coude Rotator Drives if any electronic rack door is not closed.

1.8.1       Coude Adaptive Optics (AO-C)

None currently identified.

1.8.2       Coude Active Optics (aO-C)

None currently identified.

1.8.3       Visible Light Broadband Imager (VLBI)

None currently identified.

1.8.4       Visible Spectropolarimeter (ViSP)

None currently identified.

1.8.5       Near-IR Spectropolarimeter (NIRSP)

None currently identified.

1.8.6       Visible Tunable Filter (VTF)

None currently identified.

1.9       Enclosure Motion Control LIC

The Enclosure Motion Control LIC is responsible for interlocks, limits, and emergency stop functions for the Enclosure Azimuth, Shutters, Cable Wraps, Entrance Aperture; Bridge Crane, Jib Cranes, Rear Access Doors, and TEOA Platform.

This LIC is also the connection point for emergency stop devices located at or near the above items.

1.9.1       Enclosure Azimuth Axis

Enclosure Azimuth Positive Final Travel Limit

When an Enclosure Azimuth Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.

Enclosure Azimuth Negative Final Travel Limit

When an Enclosure Azimuth Negative Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.

Enclosure Azimuth Cable Wrap Over Tension

The GIS shall inhibit motion and remove power to the Enclosure Azimuth Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.

Enclosure Azimuth Personnel Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed inhibit Enclosure Azimuth motion by removing power. This key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas. In manual mode (Enclosure Pendant installed and enabling grip held) it may be muted to allow Enclosure Azimuth rotation. It is also be required to enable the exterior boom lift.

1.10   Facility Thermal System LIC

1.10.1   Vent Gates

None currently identified

1.10.3   Enclosure Rear Door

None currently identified