Safety Review: Global Interlock System Design and Schedule
Scott Bulau, 27 January 2011
January 25-27, 2011, ATST Safety Review, GIS
Primary Goal of Global Interlock System
The primary goal of the Global Interlock System (GIS) is to eliminate the risk of injury to personnel and to prevent physical damage to the telescope, instruments, and other infrastructure of the ATST.
Means of Achieving Goal
• Meet OSHA requirements for a safety system
 – Utilizing National Consensus Standards
 – Specifying ANSI/RIA R15.06-1999, Industrial Robots and Robot Systems - Safety Requirements
 – NFPA 79, Electrical Standard for Industrial Machinery
• Follow a specified "Safety Management Plan" throughout design, construction, integration and test, and continued operation (implies training of personnel)
Functional Requirements
• Monitoring
 – A Local Interlock Controller (LIC) shall be utilized for subsystem safety I/O monitoring
 – Connected through safety-certified hardware
 – LIC monitors safety network
• Intervention of Control
 – LIC receives information locally and globally
Functional Requirements cont.
• Global Interlock Controller (GIC) Functions
 – Oversees interaction of LICs
 – Provides for LIC addition / removal from GIS
 – Issues global information to OCS
Functional Requirements cont.
• GIC Status to OCS
 – Continuous at < 1 Hz
 – OCS does not issue safety commands to the GIS
• Emergency Stop System (ESS)
 – Each e-stop tied to a LIC
 – Status of ESS reported to OCS
• Loss of main power
 – GIS is UPS backed
 – UPS supported by standby generator
• GIS is not responsible for the general health of the facility and all subsystems
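The GIC-to-OCS interface is one-way: the GIS reports status continuously and the OCS never sends safety commands back. The consumer below is an added example of how the OCS side of that interface can be written so that it stays one-way and so that loss of the feed is visible (it is not ATST code, and no OCS implementation is described in these slides). The frame layout, the `seq` counter, the 1 s nominal period and the three-period loss threshold are all assumptions made for this example.

```python
"""OCS-side consumer for the one-way GIC -> OCS status feed.

Added example; not ATST code. The GIS sends status to the OCS and the OCS
sends no safety commands back, so this class only consumes frames: there is
deliberately no method that transmits toward the GIS. The frame layout, the
1 s nominal period and the three-period loss threshold are assumptions made
for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOMINAL_PERIOD_S = 1.0   # assumed nominal GIC reporting period
LOSS_AFTER_PERIODS = 3   # assumed: this many missed periods means the feed is lost


@dataclass(frozen=True)
class GicStatus:
    seq: int                  # assumed monotonically increasing frame counter
    gis_healthy: bool         # GIC's own overall-health flag
    tripped: Tuple[str, ...]  # LICs currently holding a trip
    estops: Tuple[str, ...]   # e-stops currently actuated


@dataclass
class GicStatusMonitor:
    last_seq: int = -1
    last_rx_time: Optional[float] = None
    latest: Optional[GicStatus] = None
    rejected: List[Tuple[str, object]] = field(default_factory=list)

    def ingest(self, frame: dict, now: float) -> bool:
        """Accept one status frame; return False (and log why) if it is unusable."""
        try:
            status = GicStatus(
                seq=int(frame["seq"]),
                gis_healthy=bool(frame["gis_healthy"]),
                tripped=tuple(frame.get("tripped", ())),
                estops=tuple(frame.get("estops", ())),
            )
        except (KeyError, TypeError, ValueError) as exc:
            self.rejected.append(("malformed", repr(exc)))
            return False
        # A replayed or reordered frame must not roll the OCS picture back to
        # an earlier, possibly safer-looking state.
        if status.seq <= self.last_seq:
            self.rejected.append(("stale_seq", status.seq))
            return False
        self.last_seq, self.last_rx_time, self.latest = status.seq, now, status
        return True

    def feed_lost(self, now: float) -> bool:
        """True when no acceptable frame has arrived within the loss window."""
        if self.last_rx_time is None:
            return True
        return now - self.last_rx_time > LOSS_AFTER_PERIODS * NOMINAL_PERIOD_S

    def summary(self, now: float) -> str:
        """Operator-facing one-liner: unknown, tripped, or ok (in that priority)."""
        if self.feed_lost(now):
            return "GIS STATUS UNKNOWN (feed lost)"
        s = self.latest
        if not s.gis_healthy or s.tripped or s.estops:
            return f"GIS TRIPPED: lics={list(s.tripped)} estops={list(s.estops)}"
        return "GIS OK"


def demo() -> List[str]:
    """Run constructed frames through the monitor and return the summaries."""
    m = GicStatusMonitor()
    frames = [  # (receive time, frame); all constructed for this example
        (0.0, {"seq": 1, "gis_healthy": True}),
        (1.0, {"seq": 2, "gis_healthy": True}),
        (2.0, {"seq": 2, "gis_healthy": True}),               # duplicate, rejected
        (3.0, {"seq": 3, "gis_healthy": False, "estops": ["TMA mezzanine"]}),
        (3.5, {"gis_healthy": True}),                         # no seq, rejected
    ]
    out = []
    for t, f in frames:
        m.ingest(f, t)
        out.append(m.summary(t))
    out.append(m.summary(8.0))  # silence for 5 s: feed lost
    out.append(f"rejected={len(m.rejected)}")
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the ordering in `summary()` is that "no news" is never reported as "good news": a silent GIC is shown as unknown, not as OK, and a duplicate or malformed frame leaves the last accepted picture in place rather than replacing it.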
Interface Requirements
• Access to safety network limited to local safety network
 – Not accessible from outside network
 – Fiber pair, multimode, Ethernet/CIP Safety
• Human Machine Interface (HMI)
 – Tied to GIC
 – Capability to locate at LIC for temporary use
• LIC
 – LIC to GIC links make up the majority of the safety network, fiber
 – LIC to safety I/O modules make up the subsystem safety net, CAT 7
• GIC
 – GIC to GIS makes up the remainder of the safety network, fiber
• OCS
 – GIC to OCS resides on the facility communications network, fiber, Ethernet TCP/IP
General Design Requirements
• Safety Standards and Guidelines
 – ANSI/RIA R15.06-1999 and NFPA 79
• A safety plan has been adopted
 – per recommendation of Certified Functional Safety Expert / Machinery
• Safety hardware
 – Safety-certified controller with 1-out-of-2 decision capability
 – Utilize safety function blocks (TÜV)
 – Guard I/O Ethernet/IP Safety modules, safety relay blocks, point I/O
Sample LICs in GIS
Diagram labels: Rockwell Automation GuardLogix (Allen-Bradley ControlLogix platform); GIS Ethernet/CIP Safety; Compact Block 8 In / 8 Out Combo; BACnet / DeviceNet; Compact Block 12 Channel Input; Computer (HMI, RSLogix 5000, etc.); Compact Block 4 Input / 4 Relay Output; Standard IP20 I/O; Standard IP67 I/O
Interface Control Documents
• Defines interface between the subsystem and GIS
 – Connectivity and protocol
• Contains list of safety signals (interlocks and limits)
 – Signal and response required
• Reviewed and amended at PDR
 – Forms interactive matrix of LICs
• Issued ICDs
 – ICD 1.1-4.5; Telescope Mount Assembly to GIS
 – ICD 1.2-4.5; M1 Assembly to GIS
 – ICD 1.3-4.5; Top End Optical Assembly to GIS
 – ICD 1.5-4.5; Feed Optics to GIS
 – ICD 2.1-4.5; Wavefront Correction - Coudé to GIS
 – ICD 4.2-4.5; Observatory Control System to GIS
 – ICD 4.5-5.0; GIS to Enclosure
 – ICD 4.5-6.3; GIS to Facility Equipment
 – ICD 4.5-6.6; GIS to Interconnects
LIC Distribution
Distributed System
• Reduced cabling
• Provides subsystems independent configuration and testing
• 7 Local Interlock Controllers (LIC)
• 1 Global Interlock Controller (GIC)
Diagram labels:
OSS LIC: M1 motion and thermal, TEOA, PA&C (GOS), Local Feed Optics
Mount Base LIC: Altitude Drive Controller, Azimuth Drive Controller
Instrument Systems LIC: Wave Front Controller, Science Instruments
Coudé Floor LIC: Coudé Drive Controller

LIC Distribution cont.
Diagram labels:
Enclosure Thermal LIC: Enclosure Drive Controllers
Global Interlock Controller (GIC)
Facility LIC: Ground level of operations building
Safety Network Topology
• LICs and GIC
 – Safety network
 – Ethernet safety protocol
 – Isolated network
 – Fiber pair, multimode
• Safety I/O modules
 – Subsystem safety network
 – Ethernet safety protocol
 – CAT 7, twisted pairs
• All the safety I/O are defined in the ICD of the subsystem
• Provision must be made to add safety I/O
• CIP Safety protocol built into safety PACs
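The ICDs list each subsystem's safety signals and the response each requires, and together they form the interlock matrix of the LICs; the safety controller votes its inputs 1-out-of-2. The following is an added example (not ATST code and not taken from any ICD) of how that matrix can be evaluated so that every failure of an input fails toward a stop. The LIC names follow the LIC distribution slides; the signal names, the channel pairing and the matrix rows are constructed for the illustration.

```python
"""Interlock evaluation with 1oo2 (one-out-of-two) input voting.

Added example; not ATST code. LIC names follow the LIC distribution slides;
the signal names, the channel pairing and the matrix rows are constructed for
illustration and stand in for the signal lists the ICDs carry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

LICS = ("OSS", "MountBase", "InstrumentSystems", "CoudeFloor",
        "EnclosureThermal", "Facility")
ALL = frozenset(LICS)


@dataclass(frozen=True)
class SafetyInput:
    """One dual-channel safety input as read from a safety I/O module.

    A channel reads True when its contact is closed (no stop demanded),
    False when open (stop demanded), and None when the module flags the
    channel as failed or the reading is lost.
    """
    name: str
    chan_a: Optional[bool]
    chan_b: Optional[bool]

    def demands_stop(self) -> bool:
        # 1oo2: one channel demanding a stop is sufficient. A failed channel or
        # a disagreement between the two channels is a fault and also trips,
        # so a single wiring or module failure cannot mask a real demand.
        if self.chan_a is None or self.chan_b is None:
            return True
        if self.chan_a != self.chan_b:
            return True
        return not self.chan_a


# Interlock matrix (constructed): signal -> LICs whose drives must be stopped.
# Rows mapping to ALL are the global, e-stop class responses the GIC
# propagates to every LIC; the others are local responses of one LIC.
MATRIX: Dict[str, frozenset] = {
    "ESTOP_TMA_MEZZANINE":   ALL,
    "ESTOP_CONTROL_ROOM":    ALL,
    "ENC_TOPPLE_VS_ENCODER": frozenset({"EnclosureThermal"}),  # ENC-4 mitigation
    "M1_THERMAL_LIMIT":      frozenset({"OSS"}),
    "COUDE_ROTATOR_LIMIT":   frozenset({"CoudeFloor"}),
}


def evaluate(inputs: Iterable[SafetyInput]) -> Dict[str, Set[str]]:
    """Return, for every LIC, the set of signals currently demanding it stop.

    A signal with no matrix row is treated as a global demand rather than being
    ignored: an input that exists in the field but not in the matrix is a
    configuration error, and the safe response to that is to stop.
    """
    demands: Dict[str, Set[str]] = {lic: set() for lic in LICS}
    for inp in inputs:
        if not inp.demands_stop():
            continue
        for lic in MATRIX.get(inp.name, ALL):
            demands[lic].add(inp.name)
    return demands


def permitted(inputs: Iterable[SafetyInput]) -> Set[str]:
    """LICs allowed to run (no demand against them)."""
    return {lic for lic, d in evaluate(inputs).items() if not d}


def healthy(name: str) -> SafetyInput:
    return SafetyInput(name, True, True)


def scenario(*overrides: SafetyInput) -> list:
    """All matrix signals healthy, except those replaced by the overrides."""
    by_name = {n: healthy(n) for n in MATRIX}
    for o in overrides:
        by_name[o.name] = o
    return list(by_name.values())


if __name__ == "__main__":
    print(sorted(permitted(scenario())))
    print(evaluate(scenario(SafetyInput("ENC_TOPPLE_VS_ENCODER", False, False))))
    print(sorted(permitted(scenario(SafetyInput("M1_THERMAL_LIMIT", True, False)))))
    print(sorted(permitted(scenario(SafetyInput("ESTOP_TMA_MEZZANINE", True, None)))))
```

Three of the cases matter for review: a channel disagreement on a local signal stops only the owning LIC, a single unreadable channel on an e-stop stops everything, and an input that was added in the field but never entered in the matrix also stops everything, which is the behaviour that makes "provision must be made to add safety I/O" safe to exercise.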
Emergency Stop System
• Current generation e-stop buttons
• Hardware independent shutdown of motion-controlled devices
• GIS monitoring of e-stop
 – Additional global interlock response
 – Location
• Location and mounting of e-stops as per NFPA 79, Electrical Standard for Industrial Machinery, 10.7 Devices for Stop and Emergency Stop
E-stop Locations on TMA
– Sides of telescope mount
– Mount platforms +X, -X
– M2 assembly
– On OSS (near Gregorian focus)
– Fixed locations on pier, coudé floor
– Opposite sides of mezzanine level
– Rotator structure, mezzanine level
– Inside pier at ground level, coudé AZ wrap
E-stop Locations on Enclosure & Operations Building
– Carousel entrance aperture
– Rear access door, in/out
– Bridge crane pendant
– Level access doors +X, -X
– Upper access platforms
– TEOA access platform X, Y
– Shutter drives, back/front
– Bogie inspection area
– AZ utility transfer system, front/back
– Control room
– Instrument prep lab
Additional Safety I/O Specified
• Team Hazard Analysis of each subsystem
 – MIL-STD-882D
 – Specific teams
  • M1 - Dec 2006
  • TEOA - Aug 2008
  • S&O - Sep 2008
  • TMA - Oct 2008
  • Enclosure - Oct 2008
  • Software - Jun 2009
• Risk Assessment performed on GIS elements of Hazard Analysis
 – ANSI/RIA R15.06-1999
 – Independent assessments by Systems Engineering and Control Engineering; results the same
 – Mitigation applied as dictated (minimum)
ATST Hazard Analysis (Preliminary Hazard Analysis; Subsystem 5.0 Enclosure System; last update 8/11/2008)
Project phase: D&D Design and Development; FAB Factory fabrication & preassembly; CONST On-site construction or installation; IT&C Integration Test and Commissioning; OPS Operations; MAINT Maintenance
Severity: 1 Catastrophic; 2 Critical; 3 Marginal; 4 Negligible
Probability: A Frequent; B Probable; C Occasional; D Remote; E Improbable
(FMRI value and category columns not recoverable from the slide)

No. | System Item | Hazard | Causes | Effects | Project Phase(s) | IMRI | Value | Risk Cat. | Recommended Action | Comments
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
1 | Enclosure Azimuth Cable-wrap Area | Collision or snag hazard | A loose object inadvertently left in area | Damage to equipment | CONST, IT&C, OPS, MAINT | 1-C | 3 | High | Tool counts, visual inspection prior to exiting area. |
2 | Enclosure Azimuth Cable-wrap Area | Pinch/crush | Confined space entry with intent to override lockout to observe behavior of bogies, topple-blocks, cable wrap, or other equipment in this area. | Personal injury and damage to equipment | CONST, IT&C, OPS, MAINT | 1-D | 8 | Ser | Safe work permits per OSHA requirements, plus confined space permits. Procedures, buddy system, safety briefings. | The reference design already calls out lockout/tagout for access to this area, but it can be overridden with a hand paddle.
3 | Enclosure Azimuth Cable-wrap Area | Pinch/crush | Confined space entry with intent to override lockout to observe behavior of bogies, topple-blocks, or other equipment in this area. Then another person enters, unknown to the original team. | Personal injury | CONST, IT&C, OPS, MAINT | 1-D | 8 | Ser | Safe work permits per OSHA requirements, plus confined space permits. Audible/visual alarm indicators before motion. | We're okay if the second team locks out.
4 | Enclosure Azimuth Cable-wrap Area | Over travel | Topple blocks are manually toggled and left in incorrect positions. | Damage to equipment (tubing, piping, wiring in cable wrap). | CONST, IT&C, OPS, MAINT | 1-C | 3 | High | GIS compares topple block positions and absolute encoder positions. |
5 | Utility Level | Electric shorts | Leaks in fluid lines in azimuth wrap | Damage to equipment | CONST, IT&C, OPS, MAINT | 2-B | 5 | High | Design in gutters with drainage system, telltales to indicate leaks. |
6 | Utility Level | Pinch/crush | LULA lift is stationary and enclosure rotates. | Personal injury and damage to equipment | CONST, IT&C, OPS, MAINT | 1-D | 8 | Ser | Visually marked and signed area. Procedures. |
7 | Az Mechanical Level | Pinch/crush | Worker backs into pinch/crush area where enclosure is rotating and Az mechanical is fixed. | Personal injury, damage to equipment. | CONST, IT&C, OPS, MAINT | 1-C | 3 | High | Railing with gates, or a wall with doors. Procedures. Lock out enclosure azimuth if possible. |
Translation: Hazard Analysis (Risk Assessment), MIL-STD-882 → ANSI/RIA R15.06-1999

Required Mitigation

ATST Risk Assessment per ANSI/RIA R15.06-1999 (Preliminary Risk Assessment; initial MIL-STD-882D hazard evaluation; last update 8/11/2008)
Severity: S1 Slight injury; S2 Serious injury
Exposure: E1 Infrequent; E2 Frequent
Avoidance: A1 Likely; A2 Not likely
(Selection and Validation columns not recoverable from the slide)

Number | System Item | Hazard | Causes | Effects | Sev. | Exp. | Avd. | Initial Risk Factor (Risk Reduction Category) | Recommended Action | Min. Circuit Performance | Comments
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
ENC-4 | Enclosure Azimuth Cable-wrap Area | Over travel | Topple blocks are manually toggled and left in incorrect positions. | Damage to equipment (tubing, piping, wiring in cable wrap). | S2 | E1 | A2 | R2B | GIS compares topple block positions and absolute encoder positions. | Single channel w/ monitoring |
ENC-7 | Az Mechanical Level | Pinch/crush | Worker backs into pinch/crush area where enclosure is rotating and Az mechanical is fixed. | Personal injury, damage to equipment. | S2 | E1 | A1 | R2B | Railing with gates, or a wall with doors. Procedures. Lock out enclosure azimuth if possible. | Single channel w/ monitoring |
ENC-13 | Telescope Level | Trapped by fire | Only safe egress is to find a way from the telescope level to the exterior catwalk, which has an emergency stairway to the ground. | Personal injury | S2 | E1 | | R2B | Alternate exits through the enclosure to the catwalk. They should be interlocked until motion stops. Time delayed access. | Control Reliable | Raised minimum circuit performance based on past knowledge
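The translation step above turns each hazard's severity, exposure and avoidance ratings into an R15.06-1999 risk reduction category, and that category sets the minimum safety circuit performance; the ENC-13 row also shows the project raising a minimum on the basis of past knowledge. The block below is an added example (not an ATST document) that encodes that procedure and then checks each row's selected circuit against the computed minimum. The two lookup tables are transcribed from memory of R15.06-1999 Tables 2 and 3 and should be checked against the standard before reuse; the slide itself only confirms the S2/E1 rows. The `EXAMPLE-SHORT` row is constructed to show a selection that falls short.

```python
"""ANSI/RIA R15.06-1999 risk-reduction lookup and circuit-performance check.

Added example, not an ATST document. The two tables below are transcribed
from memory of R15.06-1999 Tables 2 and 3 (assumption: verify against the
standard before reuse). ENC-4, ENC-7 and ENC-13 are the rows on the
risk-assessment slide; EXAMPLE-SHORT is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# (severity, exposure, avoidance) -> risk reduction category  [assumed table]
RISK_REDUCTION = {
    ("S2", "E2", "A2"): "R1",
    ("S2", "E2", "A1"): "R2A",
    ("S2", "E1", "A2"): "R2B",   # confirmed by the ENC-4 row
    ("S2", "E1", "A1"): "R2B",   # confirmed by the ENC-7 row
    ("S1", "E2", "A2"): "R2B",
    ("S1", "E2", "A1"): "R3A",
    ("S1", "E1", "A2"): "R3B",
    ("S1", "E1", "A1"): "R4",
}
CATEGORY_ORDER = ["R1", "R2A", "R2B", "R3A", "R3B", "R4"]  # most to least demanding

# category -> minimum safety circuit performance  [assumed table]
MIN_CIRCUIT = {
    "R1": "control reliable",
    "R2A": "control reliable",
    "R2B": "single channel with monitoring",
    "R3A": "single channel",
    "R3B": "single channel",
    "R4": "simple",
}
# Ranking used to decide whether one circuit performance meets another.
CIRCUIT_RANK = {"simple": 0, "single channel": 1,
                "single channel with monitoring": 2, "control reliable": 3}


@dataclass
class Hazard:
    ident: str
    severity: str
    exposure: str
    avoidance: Optional[str]       # ENC-13 leaves the avoidance column blank
    selected_circuit: str
    raise_to: Optional[str] = None  # project may raise the minimum, never lower it


def category(h: Hazard) -> str:
    """Risk reduction category; a blank avoidance takes the more demanding case."""
    if h.avoidance is None:
        cats = {RISK_REDUCTION[(h.severity, h.exposure, a)] for a in ("A1", "A2")}
        return min(cats, key=CATEGORY_ORDER.index)
    return RISK_REDUCTION[(h.severity, h.exposure, h.avoidance)]


def minimum_circuit(h: Hazard) -> str:
    """Table minimum, raised if the project asked for more; a lower request is ignored."""
    base = MIN_CIRCUIT[category(h)]
    if h.raise_to is not None and CIRCUIT_RANK[h.raise_to] > CIRCUIT_RANK[base]:
        return h.raise_to
    return base


def assess(h: Hazard) -> dict:
    """Compare the circuit the design selected with the computed minimum."""
    minimum = minimum_circuit(h)
    return {
        "id": h.ident,
        "category": category(h),
        "minimum": minimum,
        "selected": h.selected_circuit,
        "meets_minimum": CIRCUIT_RANK[h.selected_circuit] >= CIRCUIT_RANK[minimum],
    }


HAZARDS = [
    Hazard("ENC-4", "S2", "E1", "A2", "single channel with monitoring"),
    Hazard("ENC-7", "S2", "E1", "A1", "single channel with monitoring"),
    Hazard("ENC-13", "S2", "E1", None, "control reliable", raise_to="control reliable"),
    # constructed: selection below the table minimum, should be flagged
    Hazard("EXAMPLE-SHORT", "S2", "E2", "A2", "single channel with monitoring"),
]


def assess_all(hazards: List[Hazard] = HAZARDS) -> List[dict]:
    return [assess(h) for h in hazards]


if __name__ == "__main__":
    for row in assess_all():
        flag = "" if row["meets_minimum"] else "  <-- selection below minimum"
        print(f'{row["id"]:14} {row["category"]:4} min={row["minimum"]!r}'
              f' selected={row["selected"]!r}{flag}')
```

The check is deliberately one-directional: `raise_to` can only move a minimum up, so a spreadsheet edit that tries to relax a table value is silently ignored rather than honoured, and the comparison runs on every row so a later ICD revision that changes a selection is re-checked the same way.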
GIS Schedule
• Ordered the prototype hardware and software
• Build up prototype (GIC & LIC)
 – determine timing issues
 – structuring database
 – networking connectivity
 – methods of integration
 – develop interactive matrix
• Develop design to PDR level
 – Input from subassemblies' risk assessments at PDRs
• Modify design as necessary to FDR level
• Procure hardware for majority of design
• Fabricate LICs with design of known safety I/O
• Factory test of safety I/O, verification

GIS Schedule cont.
• Site install and test by subsystem, Functional Validation
• Integration into GIS, Verification
• Total GIS, Safety System Validation
• Risk Assessment on entire system
• Operations
 – Safety System Training
 – Safety System Maintenance (PM testing of safety functions)
 – Periodic Safety Reviews and Risk Assessment Updates
Current GIS Schedule
(schedule chart)
Global Interlock System Design and Schedule - END -