ViSP All Stop Electronics
After taking a deep dive into the world of the ViSP all stop, here are some of the key points. The ViSP all stop system consists of a number of PILZ safety relays:
one PILZ PNOZ S5 PNOZsigma safety relay (standalone), time delay, inputs: 1/2-channel, outputs: 2 N/O, 2 N/O t-d
one PILZ PNOZ S7.1 PNOZsigma contact expansion, outputs: 3 N/O
two PILZ PNOZ S7.2 PNOZsigma contact expansion, outputs: 4 N/O, 1 N/C
one PILZ PNOZ S9 PNOZsigma timer relay (standalone), inputs: 1-channel wiring possible, outputs: 3 N/O t-d, 1 N/C
three PILZ PNOZ S11 PNOZsigma contact expansion, outputs: 8 N/O, 1 N/C
The first group of safety relays is connected via the PNOZsigma interface, which allows connection of contact expansion modules without external wiring. This group consists of the S5, S7.1, and S7.2 modules. This group of modules generally switches enable (ENB) signals.
The second group of safety relays is connected via external wiring. This group consists of the S9 and S11 modules. These are controlled via the S5 base module. This group of modules generally switches safe torque off (STO) signals.
The S5 and S9 units have DIP switches for configuration. They are configured as follows:
S5 module (time delay on de-energization):
Manual Start/Restart with detection of shorts across contacts
Delay time set to (0 x 1) = 0.04 sec (minimum)
S9 module:
Time delay on energization
Delay time set to (0 x 1) = 0.04 sec (minimum)
Note that the S5 is designed for time delay off and S9 is configured as time delay on.
Sequence of Operation
The ViSP all-stop function is described in ViSP All-Stop Function.
Power is fed to the all stop via ABUS-6. The power supply is connected to the non-generator-backed 120/208V UPS. This power supply is controlled by channel 18 of the Eaton PDU. Feedback status of the power supply is provided to the Beckhoff I/O.
The dual channel inputs to the S5 base unit safety relay are controlled by a daisy chain of signals from all four of the all stop buttons (n/c contacts) and the GIS safety coupling relay (n/o contacts).
The GIS safe coupling relay is controlled by remote I/O co-located in the ViSP electronics rack. The Instrument LIC will energize the safe coupling if there is no emergency stop, fire alarm, or seismic alarm active. The safe coupling relay will be de-energized if there is an emergency stop, fire alarm, seismic alarm, or fault present in the GIS.
Assuming no all stop button is pressed and no GIC interlock is present, the safety relays may be energized by pressing the all stop reset button located in the Coudé Lab. When the all stop reset button is pressed, the S5 base unit and attached contact expansion units energize immediately. This provides enable signals to the drives. The S5 base unit also energizes the S9 base unit and S11 contact expansion modules. This instantly energizes all STO signals to the drives except MOD_ROT_STO, which is delayed by the S9 module’s time delay on energization configuration.
After the time delay on energization of the S9 module expires, all enable and STO signals are active and all motions of the ViSP instrument are permitted.
When an all stop button or the GIC interlock transitions to the safe state, all enable signals are immediately switched off. MOD_ROT_STO and the outputs of S11 unit 1 (feedback to GIS and spares) are also switched off at this time. After the time delay on de-energization of the S5 expires, all other STO signals are switched off.
Issues
Looking at the above description and sequence of operation has led to some questions about the original intent of the ViSP designers. Referencing the ViSP Control System Design Report, there is a lack of sufficient detail to answer some questions regarding the design.
It’s odd that the modulator rotator is handled differently from all other axes of motion (both enable and STO are switched off immediately on all stop, rather than enable then STO). I suspect the design intent was that they would be the same for all axes and the implementation just didn’t meet the intent of the design.
Similarly, it seems the S9 module should be configured for time delay on de-energization. I believe this would achieve the concept that enable and STO are energized together, but enable is de-energized before STO is de-energized. This would allow for category 1 stops, where the drive is enabled to allow deceleration, then after the deceleration time has expired, Safe Torque Off becomes active. This isn’t really an issue as all of the S9 module
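The sequence of operation above, and the alternative S9 configuration proposed in this section, can be checked against a simple timing model. This is an added example, not part of the original notes or of any PILZ documentation: it assumes the signal grouping implied by the written sequence (S5 instantaneous outputs feed ENB, S9 and S11 unit 1; S5 delayed outputs feed S11 units 2 and 3; S9 drives MOD_ROT_STO) and the 40 ms minimum delay settings recorded on this page.

```python
from typing import Dict, List, Optional, Tuple

T_S5_MS = 40  # S5 delay on de-energization, minimum DIP setting (page value)
T_S9_MS = 40  # S9 delay time, minimum DIP setting (page value)


def delayed_on(input_on: bool, since_ms: int, delay_ms: int) -> bool:
    """Output of a relay configured 'time delay on energization'."""
    return input_on and since_ms >= delay_ms


def delayed_off(input_on: bool, since_ms: int, delay_ms: int) -> bool:
    """Output of a relay configured 'time delay on de-energization'."""
    return input_on or since_ms < delay_ms


def all_stop_state(t: int, t_reset: int, t_stop: Optional[int],
                   s9_mode: str = "delay_on") -> Dict[str, bool]:
    """Signal states at time t (ms). Reset pressed at t_reset; the input chain
    (all stop buttons / GIS coupling relay) opens at t_stop (None = never)."""
    if t < t_reset:  # nothing is energized before the reset button is pressed
        return dict.fromkeys(("ENB", "S11_1_OUT", "STO_OTHER", "MOD_ROT_STO"), False)
    stopped = t_stop is not None and t >= t_stop
    s5_in = not stopped                          # S5 dual-channel input chain
    since = t - (t_stop if stopped else t_reset)  # ms since last input change
    s5_inst = s5_in                              # S5 instantaneous N/O outputs
    s5_td = delayed_off(s5_in, since, T_S5_MS)   # S5 t-d N/O outputs
    if s9_mode == "delay_on":        # S9 as currently configured
        s9_td = delayed_on(s5_inst, since, T_S9_MS)
    else:                            # "delay_off": change proposed under Issues
        s9_td = delayed_off(s5_inst, since, T_S9_MS)
    return {"ENB": s5_inst,          # S5 / S7.1 / S7.2 enable outputs
            "S11_1_OUT": s5_inst,    # S11 unit 1: feedback to GIS and spares
            "STO_OTHER": s5_td,      # S11 units 2 and 3: all other STO signals
            "MOD_ROT_STO": s9_td}    # S9 t-d outputs


def transitions(t_reset: int, t_stop: int, s9_mode: str = "delay_on",
                tail_ms: int = 200) -> List[Tuple[int, Dict[str, bool]]]:
    """Step the model 1 ms at a time and list every (time, changed signals)."""
    events = []
    prev = all_stop_state(t_reset - 1, t_reset, t_stop, s9_mode)
    for t in range(t_reset, t_stop + tail_ms):
        cur = all_stop_state(t, t_reset, t_stop, s9_mode)
        changed = {k: v for k, v in cur.items() if v != prev[k]}
        if changed:
            events.append((t, changed))
        prev = cur
    return events
```

With `s9_mode="delay_on"` the model reproduces the current behaviour (MOD_ROT_STO drops with ENB at the stop instant); with `"delay_off"` MOD_ROT_STO drops 40 ms later together with the other STO signals, which is the enable-then-STO ordering of a category 1 stop.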
Also, the S11 modules are not monitored for faults. This is likely not required to achieve the required SIL level; however, it could mask a failure of one of the redundant relays, which could have an impact on operations. Since the equipment is capable of monitoring the external contact expansion units, it should be implemented.
The feedback to the GIS currently uses an n/o contact pair. Feedback is typically connected to an n/c contact pair, as a welded contact can then be detected: a positively guided relay’s n/c contact will not close while an n/o contact is welded, whereas with an n/o contact pair one contact can be welded and it won’t be detected until there is a second failure. Again, the required SIL will be achieved, but it is possible that certain failures won’t be detected.
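The detection argument can be made concrete with a small model of two redundant force-guided relays. This is an added example, not from the original notes; the relay names K1/K2 are constructed, and the model assumes series-wired N/O output contacts, a series feedback loop through either contact type, and a feedback check performed while the relays are released (as before accepting a reset).

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ForceGuidedRelay:
    """One relay with positively (force-) guided N/O and N/C contacts."""
    name: str
    energized: bool = False
    no_welded: bool = False  # fault: one N/O contact has welded closed

    def no_closed(self) -> bool:
        """N/O contact is closed when the coil is energized, or when welded."""
        return self.energized or self.no_welded

    def nc_closed(self) -> bool:
        """N/C contact closes only if de-energized AND no N/O contact is welded:
        the force guidance holds it open while a welded N/O is stuck closed."""
        return not self.energized and not self.no_welded


def load_energized(relays: List[ForceGuidedRelay]) -> bool:
    """Redundant N/O contacts wired in series to the load (drive STO/ENB)."""
    return all(r.no_closed() for r in relays)


def feedback_loop_closed(relays: List[ForceGuidedRelay], via: str) -> bool:
    """Series feedback loop through the N/C ('nc') or N/O ('no') contacts."""
    pick = {"nc": ForceGuidedRelay.nc_closed, "no": ForceGuidedRelay.no_closed}[via]
    return all(pick(r) for r in relays)


def weld_detected(relays: List[ForceGuidedRelay], via: str) -> bool:
    """Feedback check with every relay released, as done before accepting a
    reset: the loop must read closed through N/C contacts, open through N/O."""
    for r in relays:
        r.energized = False
    closed = feedback_loop_closed(relays, via)
    return (not closed) if via == "nc" else closed


def scenario(welded_count: int, via: str) -> dict:
    """Constructed K1/K2 pair (assumed names) with welded_count N/O contacts
    welded; reports whether the load is still cut and whether feedback sees it."""
    relays = [ForceGuidedRelay("K1"), ForceGuidedRelay("K2")]
    for r in relays[:welded_count]:
        r.no_welded = True
    return {"load_cut": not load_energized(relays),
            "weld_detected": weld_detected(relays, via)}
```

A single weld still cuts the load either way (the second relay opens the series circuit), but only the N/C loop reports it; through N/O contacts the fault stays hidden until both relays have welded and the load can no longer be switched off.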
Finally, I was very surprised that the delay time of both relays is set to the very minimum (40 milliseconds). Even with most axes being small, low mass axes, that sounds like very rapid deceleration for some of the larger mechanisms, although for the one stage I found analyzed (Slit Station Mechanical) it was well within specifications for allowable g-forces. We should verify the deceleration parameters programmed in the drives.
Current Switch Positions
As of March 6, 2023:
PNOZ S5
In2-
mode A
t[s] 0
ViSP Drawings
PILZ Documentation
Tim’s Notes