GIS Operational Concepts
This document was originally released as SPEC-0141 GIS Operational Concepts Definition.
- 1 Preface
- 2 Introduction
- 2.1 Referenced Documents
- 2.2 Glossary
- 3 Operational Overview
- 4 System Description
- 5 System Concepts
- 5.1 Independent
- 5.2 Programmable
- 5.3 Distributed
- 5.4 Availability
- 5.5 Maintainable
- 5.6 Expandable
- 5.7 Hierarchical
- 5.8 Provide Status to Operator
- 5.9 Response time
- 5.10 UPS
- 5.11 Commercial off-the-shelf
- 5.12 Commonality of parts
- 5.13 Fault handling
- 5.14 Trip Response
- 5.15 Logs
- 5.16 Connectivity
- 5.17 Safety Functions
- 5.18 Muting
Preface
This document details various engineering choices that were made during the early design process of developing the Global Interlock System. These choices represent the design decisions that were made and serve as a guide to how the system is to be developed. While there are many possible solutions, this document details just one. It forms part of the basis of the Global Interlock System conceptual design, in particular those design elements that do not flow down from any other source.
Introduction
This document details the concept of operations of the Global Interlock System (GIS).
Referenced Documents
TN-0055, Global Interlock System Design
Glossary
See SPEC-0012 for terms and abbreviations not listed below.
Term | Definition
---|---
Fault | abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.[1]
Trip | a reaction to an interlock that puts the system in a safe state.
Operational Overview
Purpose
The purpose of the Global Interlock System is to provide “a redundant, stand-alone safety mechanism for personnel and equipment.”[2] To this end, the GIS was conceived as a safety-related control system which provides functional safety for the entire facility.
Goals
The primary goal of the Global Interlock System is to eliminate unacceptable risk of injury to people and physical damage to property or the environment.
The secondary goal of the GIS is to meet the requirements of OSHA and other applicable safety standards.
System Description
The GIS is designed to be separate and independent of all other control systems. The GIS will be a hierarchical system in which a master controller, referred to as the Global Interlock Controller (GIC), acts as a supervisor to coordinate the functional safety of multiple distributed systems, each of which is controlled by a Local Interlock Controller (LIC).
Individual LICs must be able to function independently of the entire GIS yet maintain safety. This allows factory testing and integration to take place prior to the entire system being installed. A fault in one LIC will result in only the safety functions controlled by that LIC being interlocked, while unrelated systems continue to function normally.
These controllers need to be able to achieve safety integrity of SIL3 or Cat.4/PLe. To save cost and development time a commercial-off-the-shelf (COTS) system was chosen. The Rockwell Allen-Bradley GuardLogix Programmable Automation Controller was chosen as suitable for this application. GuardLogix systems are rated for use in SIL3 Cat.4/PLe operation.
It is highly desirable for the components used as sensors, interlocks, and limits which are tied into the GIS to be of high safety reliability and to provide the redundant inputs/outputs necessary for control-reliable functionality and connectivity to the GIS.
The GuardLogix system lends itself well to this application as it has many advantages that are highly desirable. Being an advanced Programmable Logic Controller (PLC), it is designed to be programmable and flexible. A single style of controller was chosen to aid in development and to increase the commonality of parts.
In addition to being programmable, its modular nature is well suited for expandability as well as maintainability as malfunctioning components can be easily replaced without tools. The components are even “hot-swappable” meaning power would not have to be removed from the entire system to replace a failed component. To aid in maintenance the modules also feature self-diagnostics and status indicator LEDs.
Availability of the system must be extremely high because without a functioning GIS, most systems of the facility will be disabled. Allowing for 40 hours of downtime for maintenance and repair per year would require the system to have an availability of 99.5%. The system must be capable of continuous operation for long periods.
In addition, GuardLogix controllers allow for several open network protocols that will allow a distributed system of I/O. This allows I/O to be connected near the sensor without requiring large amounts of hardwiring to a central location. Of the various network protocols, EtherNet/IP was chosen because of its use in existing network infrastructures. Ethernet has come to dominate the network market because of its flexible and scalable architecture. The use, configuration, and management of Ethernet networks is well understood by both IT and maintenance personnel.
POINT I/O was chosen as the preferred distributed I/O due to its modular nature. This gives flexibility as well as the ability to scale the amount of I/O at any location. POINT I/O also features a compact design. POINT I/O includes safety-rated I/O modules that can be used side-by-side with standard I/O. As with the GuardLogix components, POINT I/O features self-diagnostics, removable wiring, and the ability to remove and insert modules while the system is still operational, to aid in maintainability and system up-time.
For operator control and status information a PanelView Plus touch screen Human Machine Interface (HMI) was selected. The HMI provides various GUIs for status, alarm handling, control, and maintenance activities. The HMI also has logging features to enable reviewing faults and trips to aid in diagnostics.
Additionally, using the Ethernet network, status information is passed to the Observatory Control System (OCS). This connection is for status information to be delivered to the operator and other control systems. This connection is one-way only, delivering status from the GIS to the OCS, because none of the components of the OCS are safety-rated.
Programming of the various safety functions is based on the result of detailed hazard analyses of each system and their interactions.
Sensors will be connected to distributed I/O that are read by an individual LIC. The LIC’s internal logic will determine the required reaction to the input. The LIC will then send the appropriate signal to distributed I/O that controls the actuating element.
If a particular safety function depends on the interaction of two or more systems, each LIC involved will send its status to the GIC, which in turn relays it to other LICs involved in that particular safety function.
The GIS will respond to a change of state of an interlock or otherwise default to a safe state within 200 milliseconds. This represents 10% of the stopping time required for major axes of motion.
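The sensor → LIC → GIC → LIC flow described above, modelled as an added Python illustration (not the project's code and not GuardLogix logic): dual-channel inputs that fault on channel disagreement, cross-system statuses reaching an LIC only through the GIC's table, a relayed status that is missing or older than the 200 ms limit defaulting to the safe state, and every fault and trip being logged. The LIC names, sensor names and timings are constructed for the scenario.

```python
RESPONSE_LIMIT_MS = 200  # spec figure: react, or default to a safe state, within 200 ms

class LIC:
    """One Local Interlock Controller. `functions` maps a safety-function name to
    (local sensors, [(other_lic, sensor), ...] statuses relayed through the GIC)."""
    def __init__(self, name, gic, functions):
        self.name, self.gic, self.functions = name, gic, functions
        self.local, self.state, self.log = {}, {}, []

    def read(self, sensor, ch_a, ch_b, t_ms):
        """Dual-channel safety input: the channels must agree, otherwise it is a fault."""
        if ch_a != ch_b:
            self.log.append(("FAULT", self.name, sensor, t_ms))
        status = (ch_a and ch_b, t_ms)  # a faulted input is treated as unsafe
        self.local[sensor] = status
        self.gic[(self.name, sensor)] = status  # published to the GIC, never to another LIC

    def evaluate(self, fn_name, t_ms):
        """True = actuator permitted; False = interlocked (safe state)."""
        local, remote = self.functions[fn_name]
        readings = [self.local.get(s) for s in local]
        readings += [self.gic.get(key) for key in remote]  # relayed by the GIC
        # A missing or stale status (older than the response limit) defaults to safe.
        permit = all(r is not None and r[0] and t_ms - r[1] <= RESPONSE_LIMIT_MS
                     for r in readings)
        if self.state.get(fn_name, True) and not permit:
            self.log.append(("TRIP", self.name, fn_name, t_ms))
        self.state[fn_name] = permit
        return permit

def demo():
    """Constructed scenario: the enclosure LIC's dome_rotate function also depends on
    the telescope LIC's tel_parked sensor, which reaches it only via the GIC table."""
    gic = {}  # the GIC's status table (the supervisor the LICs publish to)
    tel = LIC("telescope", gic, {})
    enc = LIC("enclosure", gic, {"dome_rotate": (["dome_clear"], [("telescope", "tel_parked")]),
                                 "vent_doors": (["door_clear"], [])})
    tel.read("tel_parked", True, True, 0)
    enc.read("dome_clear", True, True, 10)
    enc.read("door_clear", True, True, 10)
    r1 = enc.evaluate("dome_rotate", 150)     # all fresh and safe -> permitted
    enc.read("dome_clear", True, True, 250)
    r2 = enc.evaluate("dome_rotate", 300)     # relayed status is 300 ms old -> interlocked
    enc.read("door_clear", True, False, 310)  # channel mismatch -> fault on that input only
    r3 = enc.evaluate("vent_doors", 320)      # vent_doors trips ...
    tel.read("tel_parked", True, True, 320)
    enc.read("dome_clear", True, True, 320)
    r4 = enc.evaluate("dome_rotate", 330)     # ... while dome_rotate recovers on its own
    return r1, r2, r3, r4, enc.log
```

Note that `evaluate` never reads anything an operator-facing system could write; the only inputs are local sensors and the GIC table, which is the property the one-way OCS link relies on.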
In addition to the various safety functions, the GIS provides a complementary emergency stop function. Throughout the facility at key locations emergency stop devices, such as mushroom-head stop buttons and cable-pull devices, provide a means for an operator-initiated stop of hazardous motion that brings the entire facility to a safe state with a single action.
Although the GuardLogix does not require it to maintain safety, the system is to be connected to a generator-backed UPS feed. This is to ensure, to the greatest degree possible, that the system will have high availability and that the generator-fed system will not be interlocked while on generator power.
System Concepts
Below is a list of concepts that are driven not by the GIS requirements directly but have been defined by the concept of operations that was developed as part of the reference design.
Independent
The GIS shall be independent of all other control systems.
The GIS shall only be used to inhibit the operation of equipment for safety purposes. The GIS shall not be used for the normal control of any subsystem component.
Programmable
The GIS shall be programmable to facilitate upgrades and changes to equipment during the lifetime of the facility.
Distributed
The GIS shall have components (such as controllers and I/O) distributed throughout the facility.
Each subsystem will be assigned to a Local Interlock Controller which controls safety functions for that subsystem.
Availability
The GIS shall have at least 99.5% uptime. This includes both faults and spurious trips.
Maintainable
The GIS shall have a mean time to restore (MTTR) of less than two hours.
Expandable
The GIS shall be readily expandable to accommodate unforeseen and future needs.
Hierarchical
The GIS shall be hierarchical in nature. A Global Interlock Controller shall provide coordination between the various Local Interlock Controllers. LICs will not communicate directly.
Provide Status to Operator
The GIS shall provide continuous status of the GIS to the operator and the Observatory Control System (OCS) at no less than a 1 Hz rate.
Response time
This GIS shall have a response time of no greater than 200 milliseconds.
UPS
The GIS shall be powered from a generator-backed, uninterruptible power supply. The UPS capacity shall be sufficient to allow switch-over to generator power under normal conditions.
Commercial off-the-shelf
The GIS design shall provide for the use of commercial off-the-shelf parts as much as practicable.
Commonality of parts
The GIS design shall provide for the commonality of parts as much as practicable.
Fault handling
The GIS shall be self-monitoring for faults. When faulted, the system will interlock only the minimum required components to maintain a safe system.
Trip Response
The reaction to a trip shall be based on a detailed hazard analysis. When tripped, the system will interlock only the minimum required components to maintain a safe system.
Logs
The GIS shall log all faults and all trips.
Connectivity
The GIS shall communicate via an isolated EtherNet/IP network.
Connectivity to the network shall be limited to GIS components only.
The GIS shall connect to the OCS via a separate EtherNet connection.
Safety Functions
The GIS shall be used when multiple subsystems are involved in a single safety function.
The GIS shall be used to control safety functions that require SIL3 mitigation. The GIS shall be used to control safety functions that require a safety integrity level that exceeds the rating of the subsystems’ basic control system.
Muting
Safety functions shall be capable of being muted by the operator. Which functions may be muted shall be based on a detailed hazard analysis.
[1] IEC 61508-4 3.6.1
[2] “Red words” taken from PMCS-0006, WBS Dictionary.