Preface

The Global Interlock System (GIS) Design represents a challenge in that its design is in parallel with (and in some cases before) the designs of the systems it is meant to safeguard. Without completed designs and hazard analyses, the safety functions that the GIS are to implement cannot be completely defined.

The design of the Global Interlock System has been separated into two main portions. There is the hardware design, the GIS Architecture, which is the subject of SPEC-0112. The second portion is the software design, the GIS Functional Description, which is handled in this document.

The reason for this separation is that the hardware design has been developed and is well understood. The GIS Functional Design requires the completion of subsystem designs, hazard analyses, and risk assessments.

In order to not delay development and construction of the GIS Architecture, the two portions have been separated.

The hardware architecture has been designed with the premise of flexibility, expandability, and programmability as basic considerations. This lends itself well to being adaptable to any safety function that may need to be implemented.

Introduction

Purpose

This document provides the basis of design for the architecture of the DKIST Global Interlock System (GIS). The design of the GIS is provide in two main sections, the architecture which describes the hardware and interfaces of the system; and the functional design which covers design and implementation of the safety-related control functions.

The diagrams and descriptions of safety function presented below are meant to convey the general flow of the safety function and the interactions between the various subsystems. They are not intended to cover the implementation details. For example, almost all safety inputs and outputs are redundant and usually employ negative logic, meaning that for a single item such as “Door 501A locked” there are two signals that indicate the door is not closed plus two more signals that indicate the solenoid controlling the door is not unlocked. Including this level of detail would add complexity and not aid in understanding how the various safety functions control safety.

Scope

This document, GIS Functional Design, is intended to cover safety-related control functions (SRCFs) that are handled by the GIS. Some safety-related control functions are handled by individual subsystems. The distinction of which are covered by the GIS is based on a hazard analysis, generally only those SRCFs that require SIL 3 mitigation, mitigation above the SIL rating of the subsystem controller, or those SRCFs that span multiple subsystems are GIS safety functions.

Related and Reference Documents

The following documents form a part of this Specification. Any other documents referenced in any of these documents also form a part of the Specification.

Related Documents

DKIST Specification Documents

The following documents contain information applicable to the design of the DKIST Global Interlock System.

• SPEC-0046, Global Interlock System Design Specification

• SPEC-0061, DKIST Hazard Analysis Plan

• SPEC-0112, Global Interlock System Architecture Description

• SPEC-0141, Global Interlock System Operational Concepts Description

DKIST Interface Control Documents

The Global Interlock System shall meet the requirements of the following interface control documents:

• SPEC-0063, Interconnects and Services

• ICD 1.1-4.5 , Telescope Mount Assembly to Global Interlock System

• ICD 1.2-4.5 , M1 Assembly to Global Interlock System

• ICD 1.3-4.5 , TEOA to Global Interlock System

• ICD 1.5-4.5 , Feed Optics to Global Interlock System

• ICD 2.1-4.5 , Wave Front Control-Coudé to Global Interlock System

• ICD 3.0-4.5, Instruments to Global Interlock System

• ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System

• ICD 3.1.2-4.5, Time Reference and Distribution to Global Interlock System

• ICD 3.1.3-4.5, Coudé Station to Global Interlock System

• ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System

• ICD 3.3-4.5, Visible Spectropolarimeter to Global Interlock System

• ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System

• ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System

• ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System

• ICD 3.6-4.5, Camera Systems to Global Interlock System

• ICD 4.2-4.5 , Observatory Control System to Global Interlock System

• ICD 4.5-5.0 , Global Interlock System to Enclosure

• ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings

• ICD 4.5-6.7 , Global Interlock System to Facility Thermal Systems

DKIST Reference Design Studies and Analyses

TN-0055, Global Interlock System Design

DKIST Drawings

DKIST-DWG-00065, Global Interlock System Configuration

Reference Documents

DKIST Documents

• PMCS-0023, Requirements Definition

• SPEC-0002, Document and Drawing Control Plan

• SPEC-0012, DKIST Acronym List and Glossary

National Consensus Standards

• ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements

• NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition

International Standards

• ISO 13849, Safety of Machinery—Safety-related parts of control systems

• IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems

• IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable electronic control systems

Industry Standards

ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard

Glossary

See SPEC-0012, DKIST Acronym List and Glossary, for terms not listed below.

Control Software

The GuardLogix controller is programmed with RSLogix 5000 version 20. Use of major version 20 (or higher) is required to accommodate unicast messaging, Windows 7, and L7 series ControlLogix controllers. All hardware must be compatible with version 20. (See http://support.rockwellautomation.com/ControlFlash/ for firmware requirements.)

The specific version is currently 20.04. Version 20.03 is incompatible with earlier minor revisions due to a change to enhance security. Version 20.04 does not have this restriction. All programs written in 20.01 or 20.03 have been converted to 20.04 during IT&C. The process of upgrading firmware is generally automatic.

The GuardLogix controller runs both a standard task and a safety task. All functions of the GIS are implemented in the safety task. If the controller is also used for subsystem control, all subsystem control functions shall be implemented in the standard task.

Application Code

Application code routines are developed using relay ladder logic language as it is the best choice for machine interlocking that require complex logical operations and few high-level functions.

The safety task uses a subset of the standard ladder logic instruction set that is safety-certified instructions plus application instructions that are also safety-certified. Only safety-certified instructions are to be used in the safety task. This does not preclude the use of add-on functions built using safety-certified instructions, but such an instruction requires specific review and validation (per IEC 61508) before being used.

Section 4 lists the safety control requirements that will be implemented by the GIS. Each safety function is a separate program within the safety task running on the GuardLogix controller.

Revision Control

To aid in tracking and control of various revisions to the application code the Project Vault (Solidworks Enterprise PDM) shall be used. Because the code is being developed in a single developer environment the need for a more advanced and robust solution is not necessary and would add complexity with little value. Also the ladder logic is stored in proprietary binary format that does not lend itself well to the use of standard versioning control software.

The Project Vault allows for the control of changes and edits in a single user environment as well as the ability to roll back changes if needed. It is centrally located and can be accessed remotely as needed.

The Project Vault shall be used continuously from development into operations.

Ladder Logic Example

Inputs from each LIC are consumed, and evaluated; subsequent outputs are produced to other LICs as necessary.

Figure 2‑1 shows a short example of the ladder logic of the safety task that would be used with a typical emergency stop circuit. The program uses application instructions that not only monitor the condition of the emergency stop switch, but compares the two channels for consistency and also monitors the status of the remote I/O module to detect a hardware failure. In the event of a hardware failure, the system defaults to a safe state.

Open

Figure 2‑1

The program combines inputs from local emergency stop switches with a tag received from the GIC which indicates the status of the Emergency Stop System. If both are in the active safe state then two outputs are asserted that energize the drive and enable the pulse output of the drive.

When an emergency stop switch is pushed (or a hardware fault is detected), the two outputs are removed. First the output to the drive pulse suppression is removed and 200mS later (configurable) the power is removed from the drive’s power contactor removing all hazardous energy. If either feedback from the outputs does not indicate that the drive was properly shutdown a fault will be detected that can warn personnel that a potential hazard still exists.

GIS Operation

Status Monitoring and Fault Handling

In addition to the various safety functions implemented by the GIS, the GIS must also recognize and react to any fault that is detected.

The distributed I/O modules perform self-diagnostics on power-up and periodically during operation. In addition these modules also monitor I/O circuit health.

Embedded Control Operation

Each LIC is the safety controller for one or more subsystems. The application program for each LIC functions as an independent system. The safety controller is capable of startup and control of its safety functions regardless of connectivity to the GIC or other outside service.

Change of Network Status

Failure of the network does not result in a loss of safety function. Failure of the network which causes loss of communications with distributed I/O or a remote controller causes each such component of the GIS that relies on such communications to default to a safe state.

Restoration of the network function does not automatically restore operation of the GIS without intervention from the operator.

Operation following a rebooting or restarting

Rebooting or restarting causes the portion of the GIS that was rebooted or restarted to enter a safe state. Rebooting or restarting does not result in a loss of safety function.

Modes of operation

Automatic

Automatic operation is control handled by a computer interface in the control room (or other authorized location). Typically this is control by the Observatory Control System (OCS). Normal operations of the facility by the OCS are considered “automatic.”

Manual

Manual operation is controlled via a local hand-held device, such as a pendant, or by a remote push button panel or remote HMI. Typically manual operation is with the operator with sight of the equipment being controlled.

Safety-Related Control Functions

This section lists and summarizes the current list of planned safety functions.

Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment under control. After a hazard has been identified that is to be mitigated by functional safety, the specification for each safety-related control function will be developed. Each SRCF comprises the functional requirements and the safety integrity requirements.

The functional requirements detail the description of the SRCF, the conditions in which the SRCF shall be active or disabled, the required responses to trips and faults, the timing and priority of responses of the SRCF.

The safety integrity requirement details the necessary risk reduction for each SRCF.

It is imperative that the subsystem’s hazard analysis be detailed, thorough, and complete. These hazard analyses are used to develop the various safety functions. If a hazard analysis does not identify a hazard, that hazard will not be safeguarded, presenting a serious potential risk to personnel and infrastructure.

It is foreseen that this list will need to be expanded and altered as additional hazards are identified during design, construction, integration, and testing. Additional hazard will require additional safety functions to be developed and likely will result in added hardware to detect the hazard and/or implement the safeguard.

Example of Development of Safety-Related Control Functions

To look at how the various Safety-Related Control Functions have been developed, we will follow an example of the how the related functions of the sun sensor we developed.

Early in the project it was recognized that the concentrated sunlight near the focus could provide a thermal hazard to personnel and equipment. The Hazard Analysis Team then met to analyze the hazards created.

The first was to define the extent of the hazard. Due to the fast focus of the telescope design the concentrated sunlight is limited to a relatively small area near the prime focus. For example the rapidly diverging beam spreads its energy over a fairly large area by the time the beam reaches the interior walls of the enclosure. While potentially a problem for thermal effects of seeing it does not represent a safety hazard.

The hazard to personnel is relatively easy to mitigate as it would require personnel to be near the prime focus which is inherently difficult in normal operations.

The hazard is mostly to the equipment itself. Due to its very nature the heat stop is designed to withstand this energy (given normal operation of the heat stop—failure of the heatstop thermal control has its own safety functions). This leaves damage to equipment near the heatstop. There are various cables and pipes in this area that could potentially be damaged/destroyed by sufficiently concentrated energy.

The solution was to design and implement a sun sensor that determines if the sun was within 1.5 solar radii (R_☉) of on-axis pointing. If the sun is within 1.5 R_☉) the excess energy is absorbed by the heatstop as designed. (See 4.4.3 On-Sun Pointing)

However, it was clarified that the telescope also needed to be able to view objects at elongations of greater than 1.5 R_☉. This leaves a complex problem of understanding where excess energy may focus depending on the relative angles of the sun, telescope, and entrance aperture, something that does not lend itself well to robust safety function.

The decision was made to restrict observations to elongations greater than 25° as the geometry is such that no sunlight should strike the primary mirror if the entrance aperture is more than 25° from the telescope’s line-of-sight.

Also if the sun is below the horizon it is also considered safe.

The last two items revealed the need to introduce an additional safety function (see 4.4.2 Off Sun Pointing) to calculate the sun’s position and determine if the sun is in a safe position relative to the telescope.

Requirements for Safety Functions

Stop Functions

The categories of stop functions are defined in NFPA 79.

Category 0

Category 0 is an uncontrolled stop by immediately removing power the machine actuators.

This is essentially pulling the plug. Stopping distance/time is determined by inertia, friction, and mechanical braking (if present).

Category 1

Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.

This is a more graceful stop, powered deceleration under control, followed by pulling the plug. Stopping distance/time is determined by control system parameters for deceleration.

Category 2

Category 2 is a controlled stop with power left available to the machine actuators.

This is controlled stop without removal of power. Essentially this commands velocity to zero and leaves the actuators powered. Category 2 is not used by the GIS.

The choice of Category 0 or Category 1 is based on a hazard analysis.

Control Reliability

In order to ensure a safety system safety functions require that hardware needed in each safety function have a fault tolerance of at least 1 (i.e. loss of any single component shall not cause the loss of the safety function). Secondly, diagnostics shall be included to detect a failure of any component that could cause a loss of a safety function at or before the next demand on that component.

Response Time

Each safety function must have a response time of less than 200 milliseconds as measured from the time an input changes until the output changes to a safe state. The safety function must either respond to an input change or default to the safe state within that time. The safety function may not necessarily complete its action by that time but must initiate a change to the safe state

The safety function must complete any action required to reach a safe state before any hazard can cause damage.

For example the M1 Mirror Cover must begin closing with 200 milliseconds of an over temperature fault but may take as long as 15 seconds to completely close. The upper limit is imposed by the duration of the heat stop shutter ability to withstand damage.

Safe State

The safe state of the system is defined as:

• Telescope Azimuth motion stopped, drives disabled and brakes applied

• Telescope Azimuth Cable Wrap motion stopped and drives disabled

• Telescope Altitude motion stopped, drives disabled and brakes applied

• Coudé Rotator motion stopped, drives disabled and brakes applied

• Enclosure Azimuth motion stopped, drives disabled and brakes applied

• Enclosure Azimuth Cable Wrap motion stopped, drives disabled

• Enclosure Altitude motion stopped, drives disabled and brakes applied

• Aperture Cover closed, motion stopped, and drives disabled

• M1 Mirror Cover closed, motion stopped and drives disabled

• Heat Stop Safety Shutter closed

• Enclosure Jib Crane motion stopped, drives disabled and brakes applied

• Enclosure Bridge Crane motion stopped, drives disabled, and brakes applied

• GOS PA&C hazardous motion stopped, drives disabled and brakes applied

• VBI-Blue hazardous motion stopped, drives disabled and brakes applied

• VBI-Red hazardous motion stopped, drives disabled and brakes applied

• VISP hazardous motion stopped, drives disabled and brakes applied.

Global Safety Functions

There are several safety functions that span multiple systems. These safety functions are controlled by the Global Interlock Controller and are referred to as Global Safety Functions.

Emergency Stop Safety Function

All subsystems’ emergency stop devices are combined in logic at the GIC, so that activating any emergency stop device shall cause all GIS-connected subsystems to go to their safe state. In most cases they perform an immediate stop (category 0 or 1 stop as determined by subsystem analysis). The exception is that M1 Mirror Cover and Enclosure Entrance Aperture close (their safe state) in a predetermined sequence.

Open

Hazardous Access

Because of the many large moving elements of the facility there exist numerous hazards associated with personnel exposed to these mechanisms. In order to limit exposure a trapped key plan will be implemented to inhibit access to hazardous areas during motion. See SPEC-0133 Hazardous Zones Fully Automated Control Access for details.

Because of the design of the GIS being distributed, the safety functions that implement hazardous access control bridge the GIC and LICs. The Facility LIC typically handles the input from the trapped keys and controls the locking of various doors and access points. The GIC controls the various permissive signals to individual LICs to inhibit hazardous motion.

Specific procedures must be followed when securing hazardous zones to ensure no personnel remain in the hazardous zone when the system is restarted. This is especially important in cases when the system has detected an entry through a locked/monitored door.

Open

Ground Floor Inner Pier

The moving cable wrap presents a hazard. Access via door 110A is limited requiring a trapped key that disables the Coudé Rotator.

Coudé Inner Pier

The moving cable wrap and other mechanisms present a hazard. Access via door 209A and 210A is limited requiring a trapped key that disables the Coudé Rotator. Furthermore access via doors and hatches is monitored from the area under the Coudé Lab floor.

Coudé Lab

The moving floor of the Coudé Lab could present a hazard because of non-rotating equipment on the periphery of the room. Therefore when the Coudé Lab is accessed by personnel the speed of rotation of the Coudé Lab is limited to 1.75°/sec.

External Catwalk

The moving Enclosure Azimuth presents hazards. Access to the external enclosure catwalks and ladders is limited requiring a trapped key that disables Enclosure Rotation.

Lifting Platform

The moving Enclosure Azimuth presents hazards. Access to the external enclosure catwalks and ladders is limited requiring a trapped key that disables Enclosure Rotation

Enclosure Cable Wrap

The moving cable wrap present a hazard. Access floor hatches are limited requiring a trapped key that disables the Enclosure Azimuth.

Upper Enclosure Platforms

Access to the Upper Enclosure Platform is restricted by gates requiring a trapped key that disables Enclosure Azimuth and Aperture motion.

Enclosure Floor

The moving floor of the Enclosure could present a hazard because of non-rotating equipment on the periphery of the area. Therefore when the Enclosure Floor is accessed by personnel the speed of rotation of the Enclosure Azimuth is limited to 1.5°/sec.

Telescope Cable Wrap

The moving cable wrap and other mechanisms present a hazard. Access via doors 501A and 502A are limited requiring a trapped key that disables the Telescope Azimuth rotation.

Telescope Access

The moving telescope, cable wraps and other mechanisms present a hazard. Access to the telescope mount is limited by gates requiring a trapped key that disables Telescope Azimuth and Altitude motion.

Optical Support System LIC

The Optical Support System LIC is responsible for interlocks, limits, and emergency stop functions for the Top End Optical Assembly; M1 Active and Thermal Controller; and Feed Optics.

This LIC is also the connection point for emergency stop devices located at:

• M2 assembly

• OSS platform

Top End Optical Assembly

Heat Stop Over-Temperature

Temperatures above a predetermined level of the heat stop indicate a failure of the cooling system. The reaction of the GIS is to close the safety shutter, close the M1 mirror cover, and close the entrance aperture.

Because the Safety Shutter has limited survivability in the focused beam, the Aperture Cover and/or M1 Cover must also close to protect the Safety Shutter.

TEOA Removed

If the TEOA has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.

Heat Stop Removed

If the heat stop has been removed from the Telescope it may imbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.

M1 Active Controller & Thermal Controller

To be determined

Off Sun Pointing

The design of the telescope is such that during normal operation most of the reflected solar energy from the M1 is directed into the heat stop. There are dangers associated with the reflected solar energy near the prime focus. It is required to restrict where this reflected energy may fall. The light path is blocked by redundantly using the Aperture Cover and the M1 Cover, either of which are individually effective but both are used to avoid a potential single point failure.

Obviously, when the Sun is below the horizon the telescope should be able to point safely at any location in the sky. To determine the location of the Sun relative to horizon, a relatively simple ephemeris calculation is needed. This calculation relies on two different time sources (NTP and PTP). These two sources are compared for agreement. If they agree and the Sun is below the horizon, the light path may be opened.

Additionally, when the Sun is more than 25° away from where the telescope and/or enclosure is pointing, no sunlight reaches the primary mirror, thus there is no reflected solar radiation to be concerned with. In this case the light path may also be opened.

Open

On-Sun Pointing

Related to the off Sun pointing are on-axis solar observations. When the sun is within 1.5 solar radii (R_☉), the reflected solar energy is trapped in the heat stop. This is the normal operating condition of the telescope. Due to the accuracy required to ensure that the reflected energy is contained within the heat stop, the above ephemeris calculation is unlikely to be sufficiently accurate.

In this case, two small sun position sensors are required. These sensors usea two-dimensional position sensitive device (PSD) to determine if the sun is on-axis. A small lens is used to focus the image on the PSD with a focal length of 100mm. Neutral density filters (nd=2.7) are added to reduce the intensity to acceptable limits.

Open

It should be noted that the Safety Shutter in front of the heat stop is not used in this safety function. If the telescope is sufficiently off-axis, the Safety Shutter cannot block the light path. If the telescope is on-axis, the heat stop should absorb the solar energy as designed. Failure of the heat stop is covered elsewhere.

Aperture Cover Interlock

The Enclosure Aperture Cover is allowed to open under specific circumstances.

Open

If the M1 cover is closed or no sunlight striking the M1 there is no reflected solar energy. Typical operation requires that in order to acquire the sun, the telescope points at the sun with the M1 cover closed. Once the sun sensor described in 4.4.3 detects the sun is within 1.5R_☉ the M1 cover is permitted to open and the aperture is permitted to stay open.

M1 Cover Interlock

The M1 cover is allowed to open under specific circumstances.

Open

Similar to the Entrance Aperture below, the M1 cover may open when there is no sunlight on the mirror. Additionally if the telescope is pointed directly at the sun and the safety shutter is open and the heat stop is not in an over-temperature condition the M1 Cover may open.

Mount Base LIC

The Mount Base LIC is responsible for interlocks, limits, and emergency stop functions for the Telescope Mount Azimuth and Altitude Axes, Cable Wraps; M1 Mirror Cover; and M5/M6 Access Platform.

For details of implementation see LIC design requirements document.

Telescope Mount Azimuth Axis

Telescope Azimuth Drive Over-Speed

Abnormally high velocities indicate a failure of Azimuth Axis Bogie Drive. The reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers and apply the brakes (category 1 stop).

Telescope Positive Azimuth Final Travel Limit

When a Positive Final Limit is detected by using combinational logic of the End Stop position and the limit switches, the reaction of the GIS to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.

Telescope Negative Azimuth Final Travel Limit

When a Negative Azimuth Final Limit is detected by using combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.

Telescope Azimuth Cable Wrap Over-Te

The GIS shall inhibit motion and remove power to the Telescope Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.

Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed will inhibit Telescope motion by removing power. This key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas.

Telescope Azimuth Axis Interlock

This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Azimuth Axis motion.

This interlock is asserted unless all the following are true:

• Enclosure Bridge Crane stowed

• Enclosure Jib Crane stowed

• TEOA Platform stowed (see section 4.9.5)

• Boom lift stowed

The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.

Telescope Altitude Axis

Open

Telescope Altitude Drive Over-Speed

Velocities above a predetermined level indicate a failure of an Altitude Axis Drive. The reaction of the GIS is to remove power from the Altitude Drive Controllers and apply the brakes (category 0 stop).

Telescope Positive Altitude Final Travel Limit

When a Positive Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.

Telescope Negative Altitude Final Travel Limit

When a Negative Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.

Telescope Altitude Cable Wrap Over-Tension

The GIS shall inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of the Altitude Cable Wrap exceeds predetermined limits.

Manual Lockout Pin

The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If this pin is not fully removed the GIS shall remove Telescope drive power.

Trapped Key Interlock

This is actually a group of trapped keys which when one or more are removed inhibits Enclosure and/or Telescope motion by removing power.