Safety-Related Control Functions
This section lists and summarizes the currently planned safety functions.
Safety-related control functions (SRCFs) are the result of a detailed hazard analysis of the equipment under control. Once a hazard has been identified that is to be mitigated by functional safety, a specification is developed for each safety-related control function. Each SRCF comprises functional requirements and safety integrity requirements.
The functional requirements describe the SRCF, the conditions under which it shall be active or disabled, the required responses to trips and faults, and the timing and priority of its responses.
The safety integrity requirement details the necessary risk reduction for each SRCF.
It is imperative that the subsystem’s hazard analysis be detailed, thorough, and complete. These hazard analyses are used to develop the various safety functions. If a hazard analysis does not identify a hazard, that hazard will not be safeguarded, presenting a serious potential risk to personnel and infrastructure.
It is foreseen that this list will need to be expanded and altered as additional hazards are identified during design, construction, integration, and testing. Additional hazards will require additional safety functions to be developed and will likely result in added hardware to detect the hazard and/or implement the safeguard.
Example of Development of Safety-Related Control Functions
To show how the various Safety-Related Control Functions have been developed, we follow the example of how the functions related to the sun sensor were developed.
Early in the project it was recognized that the concentrated sunlight near the focus presents a thermal hazard to personnel and equipment. The Hazard Analysis Team then met to analyze the hazards created.
The first step was to define the extent of the hazard. Due to the fast focus of the telescope design, the concentrated sunlight is limited to a relatively small area near the prime focus. By the time the beam reaches the interior walls of the enclosure, the rapidly diverging beam has spread its energy over a fairly large area; while potentially a problem for the thermal effects on seeing, it does not represent a safety hazard.
The hazard to personnel is relatively easy to mitigate, as it would require personnel to be near the prime focus, which is inherently difficult during normal operations.
The hazard is mostly to the equipment itself. By its very nature the heat stop is designed to withstand this energy (given normal operation of the heat stop; failure of the heat stop thermal control has its own safety functions). The remaining concern is damage to equipment near the heat stop. There are various cables and pipes in this area that could be damaged or destroyed by sufficiently concentrated energy.
The solution was to design and implement a sun sensor that determines whether the sun is within 1.5 solar radii (R☉) of on-axis pointing. If the sun is within 1.5 R☉, the excess energy is absorbed by the heat stop as designed. (See 4.4.3 On-Sun Pointing.)
However, it was clarified that the telescope also needs to be able to view objects at elongations greater than 1.5 R☉. This leaves the complex problem of understanding where excess energy may focus depending on the relative angles of the sun, telescope, and entrance aperture, something that does not lend itself to a robust safety function.
The decision was made to restrict off-sun observations to elongations greater than 25°, as the geometry is such that no sunlight should strike the primary mirror if the sun is more than 25° from the telescope's line of sight through the entrance aperture.
If the sun is below the horizon, the telescope is also considered safe.
The last two items revealed the need for an additional safety function (see 4.4.2 Off Sun Pointing) that calculates the sun's position and determines whether the sun is in a safe position relative to the telescope.
Requirements for Safety Functions
Stop Functions
The categories of stop functions are defined in NFPA 79.
Category 0
Category 0 is an uncontrolled stop achieved by immediately removing power from the machine actuators.
This is essentially pulling the plug. Stopping distance/time is determined by inertia, friction, and mechanical braking (if present).
Category 1
Category 1 is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
This is a more graceful stop, powered deceleration under control, followed by pulling the plug. Stopping distance/time is determined by control system parameters for deceleration.
Category 2
Category 2 is a controlled stop with power left available to the machine actuators.
This is a controlled stop without removal of power. Essentially this commands velocity to zero and leaves the actuators powered. Category 2 is not used by the GIS.
The choice of Category 0 or Category 1 is based on a hazard analysis.
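The following is an added example, not GIS or LIC code, showing how a Category 0 and a Category 1 stop differ in sequencing. The drive model, the standstill threshold, and the time-monitored fallback from Category 1 to Category 0 (so that a drive which fails to decelerate cannot stay powered indefinitely) are assumptions of the example; the document itself only says that the category is chosen from the hazard analysis.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class StopCategory(Enum):
    CATEGORY_0 = 0   # uncontrolled stop: remove actuator power immediately
    CATEGORY_1 = 1   # controlled stop: powered deceleration, then remove power


@dataclass
class AxisDrive:
    """Constructed stand-in for an axis drive controller (not the real GIS/LIC
    interface). velocity is in deg/s; decel_rate is the deceleration the drive
    actually achieves under control (0.0 models a drive ignoring the command)."""
    velocity: float
    decel_rate: float
    powered: bool = True
    brake_applied: bool = False
    decel_commanded: bool = False
    events: List[str] = field(default_factory=list)

    def step(self, dt: float) -> None:
        """Advance the drive model by one control period."""
        if self.powered and self.decel_commanded and self.velocity != 0.0:
            change = min(abs(self.velocity), self.decel_rate * dt)
            self.velocity -= change if self.velocity > 0 else -change

    def remove_power(self) -> None:
        self.powered = False
        self.decel_commanded = False
        self.events.append("power removed")

    def apply_brake(self) -> None:
        self.brake_applied = True
        self.events.append("brake applied")


@dataclass(frozen=True)
class StopResult:
    requested: StopCategory
    executed: StopCategory
    fell_back: bool
    elapsed_s: float
    final_velocity: float


def execute_stop(drive: AxisDrive, category: StopCategory,
                 standstill_threshold: float = 0.01,
                 timeout_s: float = 1.0, dt: float = 0.01) -> StopResult:
    """Bring the axis to the safe state (drive disabled, brake applied).

    Category 0 removes power at once; coasting after that is not modelled here,
    stopping distance is left to inertia, friction and the brake. Category 1
    commands deceleration and removes power at standstill. The fallback to a
    Category 0 stop when standstill is not reached within timeout_s is an
    assumption of this example, not a requirement stated in the document."""
    if category is StopCategory.CATEGORY_0:
        drive.remove_power()
        drive.apply_brake()
        return StopResult(category, category, False, 0.0, drive.velocity)

    drive.decel_commanded = True
    drive.events.append("deceleration commanded")
    steps = 0
    while abs(drive.velocity) > standstill_threshold:
        if steps * dt >= timeout_s:
            drive.events.append("standstill not reached in time")
            drive.remove_power()
            drive.apply_brake()
            return StopResult(category, StopCategory.CATEGORY_0, True,
                              steps * dt, drive.velocity)
        drive.step(dt)
        steps += 1
    drive.remove_power()
    drive.apply_brake()
    return StopResult(category, category, False, steps * dt, drive.velocity)


if __name__ == "__main__":
    # Constructed cases: a healthy drive at 1 deg/s decelerating at 2 deg/s^2,
    # and a faulted drive that does not respond to the deceleration command.
    print(execute_stop(AxisDrive(1.0, 2.0), StopCategory.CATEGORY_1))
    print(execute_stop(AxisDrive(1.0, 0.0), StopCategory.CATEGORY_1))
    print(execute_stop(AxisDrive(1.0, 2.0), StopCategory.CATEGORY_0))
```

The events list is the audit trail a commissioning test would compare against the expected sequence for each axis: "deceleration commanded, power removed, brake applied" for a Category 1 stop, and "power removed, brake applied" with no deceleration phase for Category 0.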
Control Reliability
To ensure control reliability, the hardware used in each safety function shall have a hardware fault tolerance of at least 1 (i.e. the loss of any single component shall not cause the loss of the safety function). Secondly, diagnostics shall be included to detect a failure of any component that could cause a loss of a safety function, at or before the next demand on that component.
Response Time
Each safety function must have a response time of less than 200 milliseconds, measured from the time an input changes until the output changes to the safe state. The safety function must either respond to the input change or default to the safe state within that time. The safety function need not complete its action within that time, but it must have initiated the change to the safe state.
The safety function must complete any action required to reach the safe state before the hazard can cause damage.
For example, the M1 Mirror Cover must begin closing within 200 milliseconds of an over-temperature fault but may take as long as 15 seconds to close completely. The upper limit is set by how long the heat stop safety shutter can withstand the focused beam without damage.
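An added example, not code from the GIS, illustrating the Control Reliability and Response Time requirements above with a two-channel input: either open channel demands the safe state (fault tolerance 1), and a discrepancy timer detects a channel that has stopped following the other (for example a welded contact) on the very demand at which it fails, then latches the fault until a reset. The 10 ms scan period, the 100 ms discrepancy limit and the sample sequences are assumptions of the example; only the 200 ms figure comes from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumptions of this example (constructed); the document fixes only the 200 ms figure.
SCAN_PERIOD_S = 0.010        # logic-solver scan period
DISCREPANCY_LIMIT_S = 0.100  # longest time the two channels may disagree
RESPONSE_LIMIT_S = 0.200     # response-time requirement from the text


@dataclass
class DualChannelInput:
    """1oo2 safety input with discrepancy monitoring.

    Each channel is a normally-closed contact read as True (closed, healthy) or
    False (open: device actuated, or wiring broken). Either channel open demands
    the safe state, so losing one channel cannot lose the function. A channel
    that disagrees with the other for longer than DISCREPANCY_LIMIT_S is a
    latched diagnostic fault that also demands the safe state."""
    name: str
    discrepancy_time_s: float = 0.0
    fault_latched: bool = False
    safe_state_demanded: bool = False

    def scan(self, ch_a: bool, ch_b: bool, dt: float = SCAN_PERIOD_S) -> bool:
        """One logic-solver scan; returns True when the safe state must be demanded."""
        if ch_a != ch_b:
            self.discrepancy_time_s += dt
            if self.discrepancy_time_s > DISCREPANCY_LIMIT_S:
                self.fault_latched = True
        else:
            self.discrepancy_time_s = 0.0
        # 1oo2 voting: any open channel, or a latched diagnostic fault, is a demand.
        self.safe_state_demanded = (not (ch_a and ch_b)) or self.fault_latched
        return self.safe_state_demanded

    def reset(self, ch_a: bool, ch_b: bool) -> bool:
        """Clear a latched fault only when both channels read closed again.
        Returns True when the input is healthy after the reset attempt."""
        if ch_a and ch_b:
            self.fault_latched = False
            self.discrepancy_time_s = 0.0
        return not self.fault_latched


def run_scenario(name: str, samples: Sequence[Tuple[bool, bool]]
                 ) -> Tuple[DualChannelInput, List[bool]]:
    """Feed consecutive channel samples through the input; collect the demand per scan."""
    inp = DualChannelInput(name)
    trace = [inp.scan(a, b) for a, b in samples]
    return inp, trace


def response_time_s(samples: Sequence[Tuple[bool, bool]],
                    trace: Sequence[bool]) -> Optional[float]:
    """Seconds from the first scan that read a channel open to the first safe-state
    demand, counting the scan in which the change was read."""
    change = next((i for i, (a, b) in enumerate(samples) if not (a and b)), None)
    demand = next((i for i, d in enumerate(trace) if d), None)
    if change is None or demand is None:
        return None
    return (demand - change + 1) * SCAN_PERIOD_S


# Constructed scenarios: 10 scans idle, 30 scans actuated, 10 scans released.
HEALTHY_PRESS = [(True, True)] * 10 + [(False, False)] * 30 + [(True, True)] * 10
CHANNEL_B_WELDED = [(True, True)] * 10 + [(False, True)] * 30 + [(True, True)] * 10


if __name__ == "__main__":
    for label, samples in (("healthy", HEALTHY_PRESS), ("B welded closed", CHANNEL_B_WELDED)):
        inp, trace = run_scenario("E-stop, OSS platform", samples)
        print(label, "fault latched:", inp.fault_latched, "demand at end:", trace[-1],
              "response s:", response_time_s(samples, trace))
```

In the welded-contact case the safe state is still reached on the first press, because the healthy channel opens; what the discrepancy timer adds is that the welded channel is discovered on that same demand, and the input stays in the safe state after release until the fault is reset, rather than silently degrading to a single-channel input.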
Safe State
The safe state of the system is defined as:
Telescope Azimuth motion stopped, drives disabled and brakes applied
Telescope Azimuth Cable Wrap motion stopped and drives disabled
Telescope Altitude motion stopped, drives disabled and brakes applied
Coudé Rotator motion stopped, drives disabled and brakes applied
Enclosure Azimuth motion stopped, drives disabled and brakes applied
Enclosure Azimuth Cable Wrap motion stopped, drives disabled
Enclosure Altitude motion stopped, drives disabled and brakes applied
Aperture Cover closed, motion stopped, and drives disabled
M1 Mirror Cover closed, motion stopped and drives disabled
Heat Stop Safety Shutter closed
Enclosure Jib Crane motion stopped, drives disabled and brakes applied
Enclosure Bridge Crane motion stopped, drives disabled, and brakes applied
GOS PA&C hazardous motion stopped, drives disabled and brakes applied
VBI-Blue hazardous motion stopped, drives disabled and brakes applied
VBI-Red hazardous motion stopped, drives disabled and brakes applied
VISP hazardous motion stopped, drives disabled and brakes applied.
Global Safety Functions
There are several safety functions that span multiple systems. These safety functions are controlled by the Global Interlock Controller and are referred to as Global Safety Functions.
Emergency Stop Safety Function
Safety Function | Emergency Stop |
Hazard | Avert potential hazards or reduce existing hazards that may arise from malfunctioning of the facility, human error, or normal operation |
Triggering Event | Human-operated control device |
Priority | Emergency Stop shall take priority over all other control functions. |
Modes | Always active |
Reaction | Halt all hazardous motion; block light path |
Safe State | Telescope Azimuth motion stopped; Telescope Altitude motion stopped; Coudé Rotator motion stopped; Enclosure Azimuth motion stopped; Enclosure Shutter closed; M1 Mirror Cover closed; Enclosure Jib Crane motion stopped; Enclosure Bridge Crane motion stopped; GOS PA&C motion stopped; VBI-Blue motion stopped; VBI-Red motion stopped; VISP motion stopped |
Required Integrity | SIL 2, PL c (SIL 1 or PL c minimum per ISO 13850) |
All subsystems’ emergency stop devices are combined in logic at the GIC, so that activating any emergency stop device shall cause all GIS-connected subsystems to go to their safe state. In most cases they perform an immediate stop (category 0 or 1 stop as determined by subsystem analysis). The exception is that M1 Mirror Cover and Enclosure Entrance Aperture close (their safe state) in a predetermined sequence.
Optical Support System LIC
The Optical Support System LIC is responsible for interlocks, limits, and emergency stop functions for the Top End Optical Assembly; M1 Active and Thermal Controller; and Feed Optics.
This LIC is also the connection point for emergency stop devices located at:
M2 assembly
OSS platform
Top End Optical Assembly
Heat Stop Over-Temperature
A heat stop temperature above a predetermined level indicates a failure of the cooling system. The reaction of the GIS is to close the safety shutter, close the M1 mirror cover, and close the entrance aperture.
Safety Function | Heat Stop Over Temperature |
Hazard | Damage to Heatstop, possible resultant leak of coolant |
Triggering Event | Heat Stop temperature above TBD°C |
Priority | |
Modes | Always active |
Reaction | Close safety shutter, aperture cover, and M1 Cover |
Safe State | Safety Shutter, Aperture Cover, and M1 Cover closed |
Required Integrity | SIL 2 |
Because the Safety Shutter has limited survivability in the focused beam, the Aperture Cover and/or M1 Cover must also close to protect the Safety Shutter.
TEOA Removed
If the TEOA has been removed from the Telescope it may unbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.
Safety Function | TEOA Removed |
Hazard | Unexpected motion due to imbalance of telescope |
Triggering Event | Removal of the TEOA |
Priority | Cannot be overridden |
Modes | All modes |
Reaction | Telescope altitude drives disabled |
Safe State | Manual pin in place |
Required Integrity | SIL 2 |
Heat Stop Removed
If the heat stop has been removed from the Telescope it may unbalance the telescope. The reaction of the GIS is to disable the Telescope altitude axis.
Safety Function | Heat Stop Removed |
Hazard | Unexpected motion due to imbalance of telescope |
Triggering Event | Removal of the heat stop |
Priority | Cannot be overridden |
Modes | All modes |
Reaction | Telescope altitude drives disabled |
Safe State | Manual pin in place |
Required Integrity | SIL 2 |
Telescope Mount LIC
Telescope Mount Azimuth Axis
Telescope Azimuth Drive Over-Speed
Abnormally high velocities indicate a failure of an Azimuth Axis Bogie Drive. The reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers and apply the brakes (category 1 stop).
Safety Function | Telescope Azimuth Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Positive Azimuth Final Travel Limit
When a Positive Azimuth Final Limit is detected by combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.
Safety Function | Telescope Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope rotation exceeding positive limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Negative Azimuth Final Travel Limit
When a Negative Azimuth Final Limit is detected by combinational logic of the End Stop position and the limit switches, the reaction of the GIS is to bring the axis to a stop as quickly as possible, remove power from all Azimuth Drive Controllers (category 1 stop) and apply the brakes.
Safety Function | Telescope Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope rotation exceeding negative azimuth limit |
Priority | |
Modes | All automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Azimuth Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Telescope Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Trapped Key Interlock
This is actually a group of trapped keys; removal of one or more of them inhibits Telescope motion by removing drive power. A key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Azimuth Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Azimuth Axis motion.
This interlock is asserted unless all the following are true:
· Enclosure Bridge Crane stowed
· Enclosure Jib Crane stowed
· TEOA Platform stowed (see section 4.9.5)
· Boom lift stowed
The reaction of the GIS is to remove power from the Telescope Azimuth Axis drives.
1.6.2 Telescope Altitude Axis
Telescope Altitude Drive Over-Speed
Velocities above a predetermined level indicate a failure of an Altitude Axis Drive. The reaction of the GIS is to remove power from the Altitude Drive Controllers and apply the brakes (category 0 stop).
Safety Function | Telescope Altitude Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Telescope motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Positive Altitude Final Travel Limit
When a Positive Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Positive Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding positive altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Negative Altitude Final Travel Limit
When a Negative Altitude Final Limit is detected, the reaction of the GIS is to remove Telescope drive power (category 0 stop) and apply the brakes.
Safety Function | Telescope Negative Altitude Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Telescope motion exceeding negative altitude limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Telescope Altitude Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Telescope Drives (category 0 stop) if the tension of the Altitude Cable Wrap exceeds predetermined limits.
Safety Function | Telescope Altitude Cable Wrap Over-Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 2 |
Manual Lockout Pin
The manual lockout pin is a physical means by which the motion of the Telescope can be prevented. If this pin is not fully removed the GIS shall remove Telescope drive power.
Trapped Key Interlock
This is actually a group of trapped keys; removal of one or more of them inhibits Enclosure and/or Telescope motion by removing drive power.
Safety Function | Telescope Altitude Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
Telescope Altitude Axis Interlock
This safety function is the result of combinational logic in the GIS that determines another subsystem poses a hazard to Telescope Altitude Axis motion.
This interlock is asserted unless all the following are true:
· Enclosure Bridge Crane stowed
· Enclosure Jib Crane stowed
· TEOA Platform stowed or fully deployed (see section 4.9.5)
· Boom Lift Stowed
The reaction of the GIS is to disable power to the Telescope Altitude Axis Drives.
1.6.3 M1 Cover Interlock
The M1 cover is allowed to open under specific circumstances.
Similar to the Entrance Aperture below, the M1 cover may open when no sunlight can strike the mirror (see 4.4.2 Off Sun Pointing). Additionally, if the telescope is pointed directly at the sun, the safety shutter is open, and the heat stop is not in an over-temperature condition, the M1 Cover may open.
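The pointing decision described in the sun sensor example (4.4.2 Off Sun Pointing and 4.4.3 On-Sun Pointing) and the M1 Cover permissive above, as an added worked example that is not part of the GIS design or this specification. The apparent solar radius, the horizon margin, the input-validity flags and the fail-closed handling of invalid inputs are assumptions of the example; the 1.5 R☉ and 25° limits and the three permissive conditions come from the text.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumptions of this example (constructed, not values from the specification):
SOLAR_RADIUS_DEG = 0.2666      # mean apparent solar radius, about 16 arcmin
HORIZON_MARGIN_DEG = 1.0       # "sun below horizon" only when the disc plus a
                               # refraction allowance is below the geometric horizon
# Limits stated in the text:
ON_SUN_LIMIT_DEG = 1.5 * SOLAR_RADIUS_DEG   # sun within 1.5 R_sun of on-axis
OFF_SUN_LIMIT_DEG = 25.0                    # elongation beyond which no sunlight
                                            # can strike the primary mirror


def angular_separation_deg(az1: float, alt1: float, az2: float, alt2: float) -> float:
    """Great-circle angle in degrees between two (azimuth, altitude) directions."""
    a1, h1, a2, h2 = map(math.radians, (az1, alt1, az2, alt2))
    cos_sep = (math.sin(h1) * math.sin(h2)
               + math.cos(h1) * math.cos(h2) * math.cos(a1 - a2))
    # Clamp guards against acos() domain errors from floating-point round-off.
    return math.degrees(math.acos(max(-1.0, min(1.0, cos_sep))))


@dataclass(frozen=True)
class PointingInputs:
    telescope_az: float
    telescope_alt: float
    sun_az: float
    sun_alt: float
    sun_position_valid: bool        # ephemeris/clock diagnostics healthy (assumed input)
    telescope_position_valid: bool  # encoder diagnostics healthy (assumed input)


def classify_pointing(p: PointingInputs) -> Tuple[str, Optional[float]]:
    """Return (region, separation_deg); region is 'SUN_DOWN', 'ON_SUN' or 'OFF_SUN'
    (all safe) or 'UNSAFE'. Any invalid input yields 'UNSAFE': the check fails closed."""
    if not (p.sun_position_valid and p.telescope_position_valid):
        return "UNSAFE", None
    sep = angular_separation_deg(p.telescope_az, p.telescope_alt, p.sun_az, p.sun_alt)
    if p.sun_alt <= -HORIZON_MARGIN_DEG:
        return "SUN_DOWN", sep          # no sunlight reaches the telescope
    if sep <= ON_SUN_LIMIT_DEG:
        return "ON_SUN", sep            # excess energy lands on the heat stop
    if sep > OFF_SUN_LIMIT_DEG:
        return "OFF_SUN", sep           # no sunlight can strike the primary
    return "UNSAFE", sep                # 1.5 R_sun < elongation <= 25 deg


def m1_cover_may_open(p: PointingInputs, safety_shutter_open: bool,
                      heat_stop_over_temp: bool) -> bool:
    """Permissive from the M1 Cover Interlock paragraph: open when no sunlight can
    strike the mirror, or when on-sun with the safety shutter open and the heat
    stop not over-temperature. Every other condition keeps the cover closed."""
    region, _ = classify_pointing(p)
    if region in ("OFF_SUN", "SUN_DOWN"):
        return True
    if region == "ON_SUN":
        return safety_shutter_open and not heat_stop_over_temp
    return False


if __name__ == "__main__":
    # Constructed input: telescope at az 180, alt 45; sun 5 deg above the pointing.
    p = PointingInputs(180.0, 45.0, 180.0, 50.0, True, True)
    print(classify_pointing(p), m1_cover_may_open(p, True, False))
```

The band between 1.5 R☉ and 25° is the region the hazard analysis could not characterize, so it is treated as unsafe rather than as "probably fine"; likewise a stale ephemeris or a failed encoder channel must not be read as "no sun", which is why the validity flags gate the result before any geometry is computed.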
1.6.7 Access Doors Not Closed
Telescope Elevation Drive Power is disabled unless the Access Door is closed.
Safety Function | Access Doors Not Closed |
Hazard | Damage to telescope mount |
Triggering Event | Access Doors not closed |
Priority | |
Modes | All modes |
Reaction | Telescope elevation drives disabled, brakes applied |
Safe State | Telescope elevation drives disabled, motion stopped |
Required Integrity | SIL 2 |
1.6.8 Telescope Azimuth Cable Wrap Access
This area requires a trapped key to access. Inserting the trapped key allows removal of one or more secondary personnel safety keys. All personnel who enter are required to carry a personnel safety key.
Safety Function | Telescope Azimuth Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Telescope drives disabled, brakes applied |
Safe State | Telescope drives disabled, motion stopped |
Required Integrity | SIL 3 |
1.7.1 Coudé Drive Controller
Coudé Rotator Azimuth Drive Over-Speed
Velocities above a predetermined level indicate a failure of a Coudé Axis Drive. The reaction of the GIS is to remove power from the Coudé Drive Controllers and apply the brakes (category 0 stop).
Safety Function | Coudé Rotator Azimuth Over Speed |
Hazard | Damage to motor, exceeding travel limits |
Triggering Event | Coudé Rotator motion exceeding normal operating speeds |
Priority | |
Modes | All modes |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Positive Azimuth Final Travel Limit
When a Coudé Rotator Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power (category 0 stop) and apply the brakes.
Safety Function | Coudé Rotator Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Rotator motion exceeding positive azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Negative Azimuth Final Travel Limit
When a Coudé Rotator Negative Azimuth Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Coudé Rotator drive power (category 0 stop) and apply the brakes.
Safety Function | Coudé Rotator Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Rotator motion exceeding negative azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Coudé Rotator Azimuth Cable Wrap Over-Tension
The GIS shall inhibit motion and remove power to the Coudé Rotator Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Safety Function | Coudé Rotator Azimuth Cable Wrap Over Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 2 |
Trapped Key Interlock
This is actually a group of trapped keys; removal of one or more of them inhibits Coudé Rotator motion by removing drive power. A key is required to unlock and enter the Coudé Rotator area.
Safety Function | Coudé Rotator Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | All modes |
Reaction | Rotator drives disabled, brakes applied |
Safe State | Rotator drives disabled, motion stopped |
Required Integrity | SIL 3 |
Coudé Lab Crane Not Stowed
Use of the Coudé Lab Crane requires that hazardous motion be inhibited.
Safety Function | Coudé Lab Crane Interlock |
Hazard | Pinch/crush hazards. |
Triggering Event | Coudé Lab Crane not stowed |
Priority | |
Modes | Automatic (can be overridden with the enabling pendant in manual control) |
Reaction | Inhibit Coudé Azimuth rotation |
Safe State | Coudé Azimuth rotation stopped AND Coudé Azimuth drives de-energized |
Required Integrity | SIL 2 |
Electronic Rack Door Open
The GIS shall inhibit motion and remove power to the Coudé Rotator Drives if any electronic rack door is not closed.
Safety Function | Electronic Rack Door Open |
Hazard | Pinch/crush hazards |
Triggering Event | Any electronic rack door not closed |
Priority | |
Modes | All |
Reaction | inhibit Coudé Azimuth rotation |
Safe State | Coudé Azimuth rotation stopped AND Coudé Azimuth drives de-energized. |
Required Integrity | SIL 1 |
1.8.1 Coudé Adaptive Optics (AO-C)
None currently identified.
1.8.2 Coudé Active Optics (aO-C)
None currently identified.
1.8.3 Visible Broadband Imager (VBI)
None currently identified.
1.8.4 Visible Spectropolarimeter (ViSP)
None currently identified.
1.8.5 Near-IR Spectropolarimeter (NIRSP)
None currently identified.
1.8.6 Visible Tunable Filter (VTF)
None currently identified.
1.9 Enclosure Motion Control LIC
The Enclosure Motion Control LIC is responsible for interlocks, limits, and emergency stop functions for the Enclosure Azimuth, Shutters, Cable Wraps, Entrance Aperture; Bridge Crane, Jib Cranes, Rear Access Doors, and TEOA Platform.
This LIC is also the connection point for emergency stop devices located at or near the above items.
1.9.1 Enclosure Azimuth Axis
Enclosure Azimuth Positive Final Travel Limit
When an Enclosure Azimuth Positive Final Limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.
Safety Function | Enclosure Positive Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Enclosure motion exceeding positive azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Negative Final Travel Limit
When an Enclosure Azimuth Negative Final limit is detected by using combinational logic of the End Stop position and the final limit switches, the reaction of the GIS is to remove Enclosure Azimuth drive power (category 0 stop) and apply the brakes.
Safety Function | Enclosure Negative Azimuth Final Travel Limit |
Hazard | Damage to cable chain |
Triggering Event | Enclosure motion exceeding negative azimuth limit |
Priority | |
Modes | Automatic modes, can be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Cable Wrap Over Tension
The GIS shall inhibit motion and remove power to the Enclosure Azimuth Drives if the tension of the Azimuth Cable Wrap exceeds predetermined limits.
Safety Function | Enclosure Azimuth Cable Wrap Over Tension |
Hazard | Damage to cable chain |
Triggering Event | Tension on cable in cable chain excessive |
Priority | |
Modes | Automatic mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 2 |
Enclosure Azimuth Personnel Trapped Key Interlock
This is actually a group of trapped keys; removal of one or more of them inhibits Enclosure Azimuth motion by removing drive power. A key is required to enter the Azimuth Cable Wrap or Azimuth Mechanical areas. In manual mode (Enclosure Pendant installed and enabling grip held) the interlock may be muted to allow Enclosure Azimuth rotation. A key is also required to enable the exterior boom lift.
Safety Function | Enclosure Trapped Key Interlock |
Hazard | Pinch/crush hazard from moving parts |
Triggering Event | Trapped key removed |
Priority | |
Modes | Automatic mode, may be overridden in manual mode |
Reaction | Enclosure drives disabled, brakes applied |
Safe State | Enclosure drives disabled, motion stopped |
Required Integrity | SIL 3 |
1.10 Facility Thermal System LIC
1.10.1 Vent Gates
None currently identified.
1.10.3 Enclosure Rear Door
None currently identified.