Global Interlock System Specifications and Interfaces (GIS SDR)
24 September 2009, Scott Bulau
Agenda
• 8:35 – 9:00 Brief description on ATST (Mark Warner)
• 9:00 – 9:45 Hazard Analysis (Rob Hubbard)
• 10:00 – 10:15 Break
• 10:15 – 11:30 GIS Specifications and Interfaces (Scott Bulau)
• 11:30 – 11:45 Safety Management (Chuck Gessner)
• 11:45 – 12:45 GIS Design (Scott Bulau)
• 12:45 – 1:30 Lunch
• 1:30 – 2:00 GIS Design (cont.)
• 2:00 – 2:45 Plan of implementation (Scott Bulau)
• 2:45 – 3:00 Break
• 3:00 – 4:30 Executive Session (Committee), Generate Draft Report
• 4:30 – 5:00 Brief Project (Committee)
• 5:00 Adjourn
Primary Goal of the Global Interlock System
The primary goal of the Global Interlock System is to eliminate the risk of injury to personnel and to prevent physical damage to the telescope, instruments, and other infrastructure of the ATST.
Means of Achieving Goal
• Meet OSHA requirements for a safety system.
  – Utilize National Consensus Standards
  – Specify ANSI/RIA R15.06-1999, NFPA 79
• Follow a specified "Safety Management Plan" throughout design, construction, integration and test, and continued operation (implies training of personnel)
Functional Requirements
• Monitor all safety I/O for specified subsystems within ATST
• Apply the intervening action necessary to achieve the goal
• Monitor and provide status of e-stops
• Issue continuous status to the Observatory Control System (OCS)
• Monitor status and issue control throughout the Global Interlock System (GIS)
• Maintain safety control during loss of main power
• Not responsible for general health of the facility and all subsystems
Monitoring
• A Local Interlock Controller (LIC) shall be utilized for subsystem safety I/O monitoring
  – Safety I/O monitored shall be connected through safety-certified hardware and configured (at minimum) as per the ANSI standard risk assessment details.
    • Control reliable (any single component failure shall not prevent the stop action of an instrument)
    • Pulse testing (CAT 4 machine safety)
• LIC monitors safety network
  – All other subsystems of GIS
Intervention of Control
There are two means by which a LIC may receive information which needs to be responded to during normal operation.
• One or more I/O signals changing state (conditions) which constitute an unsafe condition; the proper disabling functions need to be applied:
  – Power is removed (hazardous energy source)
  – Inhibit controls asserted
  – Timeouts applied (e.g. when the M5/M6 access platform has been deployed during maintenance, the Mount Base Altitude drive inhibit signal would be applied.)
• Receipt of a global condition through the safety network requires applying the proper enable/disable function to the locally controlled subsystem
Emergency Stop Status
• Emergency Stop System (ESS)
  – E-stop locations throughout facility
  – Each tied to a LIC
  – Report status to GIC
• Global status of ESS reported to Observatory Control System (OCS)
Status to OCS
• GIC is connected to OCS through the facility communications network
• GIC is to provide global status to OCS on a continuous basis, < 1 Hz
• OCS transmits any necessary information to operator or other control system(s) as needed
• OCS does not issue safety commands to the safety system, GIS
Role of GIC
• Contains the logic that performs the interaction of the LICs
• Issues global information to OCS
• Allows a LIC to be removed from GIS while the remainder of GIS continues to function
Loss of Main Power
• The GIS must function during a main power outage
  – Maintain safety while on generator power
  – Maintain safety while systems are being shut down
  – GIS must be UPS backed up
    • GIC
    • LIC
    • Safety I/O modules
    • Safety network
Human Machine Interface Requirements
• Global Monitoring and Control
  – GIC
    • Main input console to GIS
  – OCS
    • Operator's, observer's primary means of monitoring GIS
• Local Subsystem Monitoring and Control
  – LIC
    • If an HMI is not permanently in place, capability exists for connection of an HMI
• Emergency Stop System
  – Monitored at LIC, local inhibits, global announcement
  – Reset required at E-stop, followed by GIS
Interface Requirements
• Access to safety network limited to local safety network
  – Not accessible from outside network
  – Fiber pair, multimode, Ethernet/CIP Safety
• LIC
  – LIC to GIC make up the majority of the safety network, fiber
  – LIC to safety I/O modules make up the subsystem safety net, CAT 7
  – Additional safety I/O (max 24 ports/bridge)
• GIC
  – GIC to GIS, remainder of safety network, fiber
• OCS
  – GIC to OCS resides on the facility communications network, fiber, Ethernet TCP/IP
General Design Requirements
• Safety Standards and Guidelines
  – The design and implementation of the GIS shall comply with the National Consensus Standards ANSI/RIA R15.06-1999 and NFPA 79
  – All aspects of the design shall comply with safety codes such that it may be certified SIL 3 / Cat 4 under IEC 61508 and EN 954-1
• A safety plan has been adopted and shall be followed
  – per recommendation of a Certified Functional Safety Expert / Machinery
General Design Requirements (continued)
• Maintenance
  – Reliability
    • Lifetime of 40+ years, designed to exceed
    • Spares as per policy, end-of-lifetime notification
    • Remote nature of site puts a premium on having robust systems
    • Control reliable circuitry
  – Maintainability
    • Routine maintenance to minimize loss of observing time, < 4 hrs/mo
    • Ease of replacement, ease of physical access
    • Failure repair, module level, < 8 hrs (night time)
  – Human Engineering
    • Ease of local access to system information through HMIs
    • Localized testing available
Control Hardware
• Safety hardware
  – Safety-certified controller with 1-out-of-2 decision capability
  – Provide monitored I/O
  – Be capable of detecting single input failures
  – Provide pulse testing with diagnoses
  – Utilize safety function blocks (TÜV)
  – SIL-3 certification per IEC 61508
  – EN 954-1 Category 4
  – Maintain commonality of components through the entire system
    • Rockwell Automation GuardLogix
    • Allen-Bradley ControlLogix
• Compatibility with subsystem controllers
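The "control reliable" and "pulse testing" requirements on the Monitoring slide and the "1-out-of-2 decision", "detecting single input failures" and "pulse testing with diagnoses" requirements above describe the same mechanism from the hardware side. The following Python model, added here as an illustration and not ATST, Rockwell or GuardLogix code, shows why those properties together keep a single wiring or contact failure from masking a stop demand: a dual-channel input is evaluated 1oo2 (one open channel is enough to demand a stop), each channel is periodically pulsed so a channel shorted to supply reveals itself by failing to follow the pulse, and channels that disagree for longer than a discrepancy window are diagnosed as faulted. The scan-by-scan evaluation, the `Scan` record and the 3-scan discrepancy limit are constructed assumptions for the example.

```python
"""Pulse-tested, dual-channel safety input evaluated 1oo2 (added illustration)."""
from dataclasses import dataclass
from enum import Enum


class InputState(Enum):
    CLOSED = "closed"  # both channels complete: operation may be enabled
    OPEN = "open"      # at least one channel broken: demand stop (1oo2)
    FAULT = "fault"    # diagnosed wiring/contact failure: demand stop, latched


@dataclass
class Scan:
    """One I/O scan (constructed record). read_*: level seen on the channel
    (True = circuit closed). test_*: the module is pulling that channel's
    test source low during this scan."""
    read_a: bool
    read_b: bool
    test_a: bool = False
    test_b: bool = False


class DualChannelInput:
    def __init__(self, discrepancy_limit: int = 3):
        self.discrepancy_limit = discrepancy_limit  # scans the channels may disagree
        self.last_a = False  # last untested reading; starts as "open", the safe side
        self.last_b = False
        self.fault_a = False
        self.fault_b = False
        self.discrepancy_fault = False
        self.disagree_scans = 0

    def evaluate(self, s: Scan) -> InputState:
        # Pulse test: while the test source is low a healthy channel must read
        # low as well. A channel that still reads closed is shorted to supply
        # and could never signal a stop, so it is latched as faulted. The
        # reading taken during a pulse is otherwise ignored for that channel.
        if s.test_a:
            if s.read_a:
                self.fault_a = True
        else:
            self.last_a = s.read_a
        if s.test_b:
            if s.read_b:
                self.fault_b = True
        else:
            self.last_b = s.read_b

        if self.fault_a or self.fault_b or self.discrepancy_fault:
            return InputState.FAULT

        a, b = self.last_a, self.last_b
        if a and b:
            self.disagree_scans = 0
            return InputState.CLOSED
        # 1oo2: a single open channel already demands a stop.
        if a != b:
            self.disagree_scans += 1
            if self.disagree_scans > self.discrepancy_limit:
                # Persistent disagreement means one contact or wire has failed.
                self.discrepancy_fault = True
                return InputState.FAULT
        else:
            self.disagree_scans = 0
        return InputState.OPEN

    def reset(self) -> bool:
        """Manual reset of latched faults. Refused while the channels still
        disagree; a short to supply is re-detected at the next pulse test."""
        if self.last_a != self.last_b:
            return False
        self.fault_a = self.fault_b = self.discrepancy_fault = False
        self.disagree_scans = 0
        return True


def run(scans) -> list:
    """Evaluate a constructed scan sequence; returns the state after each scan."""
    ch = DualChannelInput()
    return [ch.evaluate(s).value for s in scans]


if __name__ == "__main__":
    # Constructed sequence: healthy, healthy pulse test, channel A stuck high.
    print(run([Scan(True, True), Scan(False, True, test_a=True),
               Scan(True, True, test_a=True)]))
```

The model starts from "open" and latches faults rather than clearing them when the reading looks good again; both choices keep the output on the safe side until a person confirms the cause, which is what the "control reliable" wording on the Monitoring slide asks of the hardware.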
Hardware Specified
• Local Interlock Controller
  – GuardLogix PAC
  – ControlLogix Ethernet bridge modules
  – Guard I/O Ethernet/IP Safety modules (subsystems)
  – ControlLogix BP and PS
• Global Interlock Controller
  – GuardLogix PAC
  – ControlLogix Ethernet bridge modules
  – ControlLogix BP and PS
• Managed switch
  – ControlLogix Stratix series (up to 24 ports)
PAC Programming
• Embedded control operation
  – Turnkey system
• Change of network status
  – Provides the capability to have subsystems removed from or added to the system while the remainder of GIS functions safely
• Rebooting or restarting
  – Hazardous energy elements of a subsystem must not be allowed to start automatically on restarting the system
• Source code
  – All programming of the GIS shall follow safety procedures for the GuardLogix safety PAC and be written using the most recent version of RSLogix 5000
  – All source code shall be provided to the project
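Three slides describe one piece of controller behaviour from different angles: Intervention of Control (local I/O conditions and global conditions from the safety network lead to power removal, inhibits and timeouts), the Emergency Stop System bullets under Human Machine Interface Requirements (reset required at the E-stop, followed by GIS) and the restart rule above (hazardous energy must not start automatically on restart). The following Python model ties them together; it is an added illustration, not ATST or GuardLogix code. The signal table, the single controlled subsystem, the 5-scan inhibit hold-off standing in for "timeouts applied" and the encoding of the two-stage reset are constructed assumptions.

```python
"""Model of one Local Interlock Controller's intervention and reset logic
(added illustration; names and values are constructed assumptions)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import ClassVar


class Action(Enum):
    REMOVE_POWER = "remove_power"  # drop the hazardous energy source
    INHIBIT = "inhibit"            # assert an inhibit to the subsystem controller


# Constructed signal table for one LIC: input name -> (action, latched).
# A latched signal leaves the subsystem stopped until the two-stage reset,
# even after the input itself has returned to its safe state.
SIGNAL_TABLE = {
    "estop_local": (Action.REMOVE_POWER, True),
    "drive_guard_open": (Action.REMOVE_POWER, True),
    "m5m6_platform_deployed": (Action.INHIBIT, False),  # altitude drive inhibit
}


@dataclass
class Lic:
    HOLDOFF_SCANS: ClassVar[int] = 5  # inhibit kept this many scans after the condition clears

    global_stop: bool = False  # condition received over the safety network
    inputs: dict = field(default_factory=lambda: {k: False for k in SIGNAL_TABLE})
    # A controller that has just (re)started comes up stopped: hazardous
    # energy is never re-applied automatically, a reset sequence is required.
    stop_latched: bool = True
    estop_reset_done: bool = False  # stage 1 of the reset has been performed
    inhibit_holdoff: int = 0

    def scan(self) -> dict:
        """One controller scan: evaluate inputs and return the output state."""
        actions = set()
        for name, active in self.inputs.items():
            if not active:
                continue
            action, latched = SIGNAL_TABLE[name]
            actions.add(action)
            if latched:
                self._latch()
        if self.global_stop:
            # Global condition from the safety network: de-energise locally.
            actions.add(Action.REMOVE_POWER)
            self._latch()
        if Action.INHIBIT in actions:
            self.inhibit_holdoff = self.HOLDOFF_SCANS
        elif self.inhibit_holdoff > 0:
            # Timeout: the inhibit is held for a while after the condition clears.
            self.inhibit_holdoff -= 1
            actions.add(Action.INHIBIT)
        power_on = not self.stop_latched and Action.REMOVE_POWER not in actions
        return {
            "power_on": power_on,
            "inhibit": Action.INHIBIT in actions,
            "latched": self.stop_latched,
        }

    def _latch(self) -> None:
        self.stop_latched = True
        self.estop_reset_done = False  # a new stop invalidates a pending reset

    def _latched_condition_present(self) -> bool:
        return self.global_stop or any(
            self.inputs[name] for name, (_, latched) in SIGNAL_TABLE.items() if latched
        )

    def reset_at_estop(self) -> bool:
        """Stage 1: reset at the E-stop station. Refused while any latched
        condition (local or global) is still present."""
        if self._latched_condition_present():
            return False
        self.estop_reset_done = True
        return True

    def reset_at_gis(self) -> bool:
        """Stage 2: reset from the GIS, accepted only after stage 1 and only
        while no latched condition is present."""
        if not self.estop_reset_done or self._latched_condition_present():
            return False
        self.stop_latched = False
        self.estop_reset_done = False
        return True


if __name__ == "__main__":
    lic = Lic()
    print("after restart:", lic.scan())          # power stays off until reset
    lic.reset_at_estop(); lic.reset_at_gis()
    print("after two-stage reset:", lic.scan())  # power_on True
```

Note that `reset_at_gis()` is refused when stage 1 has not happened, and any new stop condition in between clears the pending stage 1, so the reset cannot be completed out of order or across a fresh stop.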
Documentation
• Source documentation
  – Source files shall contain version number, revisions, author, function
  – Functions shall have a description of the interface and operation
  – All sections of code shall be clearly commented
• Revision control
  – All documentation shall be under an archived version control system
• Secure communications
  – Communications may only be permitted locally on the safety network
  – Password access shall be required
ICD
• Interface between the subsystem and GIS
  – The LIC associated with the subsystem is the GIS end
  – The safety I/O block is the subsystem end
  – Connectivity is twisted pair, CAT 7 cabling, RJ-45
  – Ethernet/IP Safety protocol
• Contains a list of safety signals (not limited to)
  – Signal and response required
  – To be reviewed and amended at design review
  – To be connected through I/O blocks, control reliable
Issued ICDs
• ICD 1.1-4.5; Telescope Mount Assembly to GIS
• ICD 1.2-4.5; M1 Assembly to GIS
• ICD 1.3-4.5; Top End Optical Assembly to GIS
• ICD 1.5-4.5; Feed Optics to GIS
• ICD 2.1-4.5; Wavefront Correction - Coudé to GIS
• ICD 4.2-4.5; Observatory Control System to GIS
• ICD 4.5-5.0; GIS to Enclosure
• ICD 4.5-6.3; GIS to Facility Equipment
• ICD 4.5-6.6; GIS to Interconnects
• As completed, the project's safety team will
  – Categorize safety signals
  – Create an interaction matrix, subsystems (LIC)
Global Interlock System Specifications and Interfaces - END -