global interlock system specification · global interlock system specification spec-0046, draft 4...

Project Documentation Specification #0046

DRAFT 4

Advanced Technology Solar Telescope 950 N. Cherry Avenue Tucson, AZ 85719 Phone 520-318-802 [email protected] http://atst.nso.edu/ Fax 520-318-8500

Global Interlock System Specification

Scott Bulau, Tim Williams Control Systems

April 8, 2011

D R A F T


SPEC-0046, Draft 4 Page ii

Revision Summary

1. Date: December 15, 2008 – August 24, 2009 Revision: Draft 1

Changes: Rewritten to incorporate the new adopted architecture of the GIS as proposed

October 2008.

2. Date: August 25, 2009 – January 4, 2010 Revision: Draft 2

Changes: Changes to text regarding hardware and software.

3. Date: January 5, 2010 – January 10, 2010 Revision: Draft 3

Changes: Minor edits and formatting, addition of Table 2

4. Date: March 25, 2011– April 8, 2011 Revision: Draft 4

Changes: formatting changes, reformed some requirements, removed some over-

specification, added additional approved components,

D R A F T


SPEC-0046, Draft 4 Page iii

Table of Contents

Revision Summary ...................................................................................................................................... ii

Table of Contents ....................................................................................................................................... iii

1. Specification Overview ........................................................................................................... 5

1.1. Objective .................................................................................................................................... 5

1.2. Scope ......................................................................................................................................... 5

1.3. Related and Reference Documents .......................................................................................... 5 1.3.1. Reference Documents .................................................................................................. 5 1.3.2. Related Documents ...................................................................................................... 6

1.4. General Definitions .................................................................................................................... 6

1.5. Applicable Codes and Requirements ........................................................................................ 7

2. Requirements for All Assemblies .......................................................................................... 8

2.1. General Description ................................................................................................................... 8

2.2. Global Interlock System Functional Requirements ................................................................... 9 2.2.1. General Functional Requirements ................................................................................ 9 2.2.2. Individual Functional Requirements ............................................................................. 9

2.3. Human Machine Interface Requirements ................................................................................ 10 2.3.1. Global Monitoring and Control .................................................................................... 11 2.3.2. Local Subsystem Monitoring and Control ................................................................... 11 2.3.3. Emergency Stop System ............................................................................................ 11 2.3.4. Thermal Control .......................................................................................................... 11

2.4. Interface Requirements ........................................................................................................... 11 2.4.1. Global Interlock System Interface .............................................................................. 12 2.4.2. Local Interlock Controller Interface ............................................................................. 12 2.4.3. Global Interlock Controller Interface ........................................................................... 12 2.4.4. Observatory Control System Interface ....................................................................... 13 2.4.5. Utility Service Interface ............................................................................................... 13

3. Design Requirements ............................................................................................................ 14

3.1. General Design Requirements ................................................................................................ 14 3.1.1. Safety Standards and Guidelines ............................................................................... 14 3.1.2. Maintenance ............................................................................................................... 14

3.2. Control Hardware .................................................................................................................... 15 3.2.1. Safety Hardware ......................................................................................................... 15 3.2.2. Compatibility with Controller Hardware ...................................................................... 15 3.2.3. LIC .............................................................................................................................. 15 3.2.4. GIC ............................................................................................................................. 16 3.2.5. Safety Network ........................................................................................................... 16

3.3. Control Software ...................................................................................................................... 16 3.3.1. Embedded Control Operation ..................................................................................... 16 3.3.2. Change of Network Status.......................................................................................... 16 3.3.3. Operation following a rebooting or restarting ............................................................. 17

D R A F T


SPEC-0046, Draft 4 Page iv

3.3.4. Source Code ............................................................................................................... 17 3.3.5. Source Documentation ............................................................................................... 17 3.3.6. Revision Repository .................................................................................................... 17 3.3.7. Security ....................................................................................................................... 17

3.4. General Fabrication Requirements ......................................................................................... 17 3.4.1. Materials, Processes and Parts .................................................................................. 17 3.4.2. Drawings and Models ................................................................................................. 18 3.4.3. Technical Manuals ...................................................................................................... 18 3.4.4. GIS to OCS Data Stream Documentation .................................................................. 18

3.5. Environmental Requirements .................................................................................................. 18 3.5.1. Operational Environment Telescope .......................................................................... 19 3.5.2. Survival Environment .................................................................................................. 19 3.5.3. Shipping Environment ................................................................................................ 19

D R A F T


SPEC-0046, Draft 4 Page 5

1. Specification Overview

1.1. OBJECTIVE

This document provides design requirements and specifications for the ATST Global Interlock System

(GIS). Requirements for compliance to national consensus standards of hardware, software, and system

levels are specified as well as design, procurement, and programming. Factory assembly, factory

acceptance testing, site assembly and site acceptance testing for the ATST GIS are also specified.

The primary goal of the GIS is to eliminate the risk of injury to personnel and to prevent physical damage

to the telescope, instruments and other infrastructure of the ATST. The GIS is not a single programmable

system. It is a system made up of distributed, independent safety controllers that are integrated in the

various subsystems of the facility. These controllers are tied together through use of an independent safety

network that implements safety functions of all systems observatory wide.

The requirements of the GIS will be monitored through the factory construction of the subassemblies.

Testing and verification will be required at the subassembly level prior to acceptance of a particular

subassembly. Testing and verification will be required at the networked level for final acceptance of the

central control and system level response.

1.2. SCOPE

The requirements of the ATST GIS are detailed in the global sense. The implementation of the GIS is a

combined effort between the project and the subsystem vendors. It is the project’s responsibility to build

and configure the LIC; while the subsystem vendors’ responsibility is to provide the safety I/O connected

to the individual limits and interlocks. Specific requirements for the LIC and the safety I/O are defined in

this specification.

A specified ATST interface control document (ICD) defines the safety limits and interlocks required for

each subsystem. These represent the safety I/O points to be interfaced to the subsystem’s distributed

portion of the GIS. These safety limits and interlocks status are reported throughout the GIS propagating

necessary response of all ATST subsystems.

1.3. RELATED AND REFERENCE DOCUMENTS

The following documents form a part of this Specification. Any other documents referenced in any of

these documents also form a part of the Specification.

1.3.1. Reference Documents

1.3.1.1. National Consensus Standards Documents

ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements

NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition

1.3.1.2. Industry Standards

ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard

1.3.1.3. Engineering Drawing Practices

ASME Y14.1- Drawing sheet size and format

ASME Y14.100- Engineering drawing and practices

ASME Y14.5-1994, “Dimensioning and Tolerancing”

ASME Y14.24, “Types and Applications of Engineering Drawings”

D R A F T



ASME Y14.35, “Drawing Revisions”

1.3.2. Related Documents

1.3.2.1. ATST Specification Documents

The following documents contain information applicable to the design of the ATST Global Interlock

System.

SPEC-0012, ATST Acronym List and Glossary

SPEC-0013, Software Operational Controls Definition Document

SPEC-0022, ATST Common Services Users’ Manual

SPEC-0041, ATST Spares Policy

SPEC-0061, ATST Hazard Analysis Plan

SPEC-0063, Interconnects and Services

1.3.2.2. ATST Interface Control Documents

The Global Interlock System shall meet the requirements of the following interface control documents:

ICD 1.1-4.5 , Telescope Mount Assembly to Global Interlock System

ICD 1.2-4.5 , M1 Assembly to Global Interlock System

ICD 1.3-4.5 , TEOA to Global Interlock System

ICD 1.5-4.5 , Feed Optics to Global Interlock System

ICD 2.1-4.5 , Wave Front Control-Coudé to Global Interlock System

ICD 4.2-4.5 , Observatory Control System to Global Interlock System

ICD 4.5-5.0 , Global Interlock System to Enclosure

ICD 4.5-6.3 , Global Interlock System to Facility Equipment

ICD 4.5-6.7 , Global Interlock System to Facility Thermal Systems

1.3.2.3. ATST Reference Design Studies and Analyses

TN-0055, Global Interlock System Design

1.3.2.4. ATST Drawings

ATST-DWG-00065, Global Interlock System Configuration

1.4. GENERAL DEFINITIONS

The following terms are defined and their usage throughout this document will be consistent with these

definitions.

Control Reliable Safety circuitry designed, constructed and applied such that any single component

failure shall not prevent the stopping action of the instrument (e.g. telescope, enclosure).

Emergency Stop System (ESS) A series of emergency stop devices (buttons) distributed throughout the

facility. The activation of any one of these devices will cause a facility wide control function stop.

Global Interlock Controller (GIC) The GIC acts as the local interlock controller for the facilities safety

I/O as well as providing the centralized processing of all distributed safety responses.

Global Interlock System (GIS) The GIS refers to all or any portion of the safety system which monitors

and acts upon controls in order to provide safety to personnel, equipment and the

telescope/enclosure.

Interlock An arrangement whereby the operation of one control or mechanism allows, or prevents the

operation of another.

Interlock Condition An interlock condition exists if an M2 Module system or mechanism initiates the

GIS to limit telescope function because it has detected a possible safety conflict.

D R A F T



Interlock Override An interlock override is a manually set condition of the GIS to inform a system to

ignore a particular interlock condition.

Local Interlock Controller (LIC) The LIC is a subsystems distributed part of the GIS. It acts as an

independent safety control for the subsystem and provides global information to the GIC.

TBD TBD stands for “to be determined”. It signifies requirements or data that is not known or has not

been defined at the time this document was written.

Zenith Angle The Zenith Angle is defined as the angle between vertical and the line of sight at the center

of the field of view of the Telescope.

1.5. APPLICABLE CODES AND REQUIREMENTS

The design and implementation of the Global Interlock System shall comply with the National Consensus

Standards ANSI/RIA R15-06-1999 and the NFPA 79.

All aspects of the design and implementation of the Global Interlock System shall comply with applicable

safety codes such that it may be certified SIL 3 / Cat 4 under safety standards IEC 61508 and EN 954-1.

D R A F T



2. Requirements for All Assemblies

2.1. GENERAL DESCRIPTION

Because of the disparate nature of the subsystems of the ATST facility it is desirable to implement a

uniform and coherent system to ensure safety throughout the facility rather than rely on each subsystem to

implement safety functions on an ad hoc basis.

The Global Interlock System (GIS) monitors safety limits and safety interlocks throughout the ATST

facility and as necessary enables/disables controlled mechanisms in order to maintain safety and prevent

damage to personnel and equipment.

The GIS is implemented as a distributed safety system verses a centralized system. The distribution of the

GIS is accomplished through the use of Local Interlock Controllers. Each ATST subsystem is required to

interface to the GIS through the use of a LIC. The LIC is required to maintain the safety control of the its

assigned subsystem(s). The LIC is required to maintain subsystem safety as a standalone system. The LIC

is also required to communicate its status to the centralized Global Interlock Controller (GIC).

The GIC determines the interrelation of the distributed LIC and issues safety commands to other LIC for

necessary response to a given condition. The GIC and LIC communicate over a safety network, separate

from the observatory’s control or data networks. The GIC also communicates to the Observatory Control

System (OCS) over an Ethernet communications network. This connection allows the GIC to provide a

continuous status to the OCS of all the safety conditions throughout ATST facility.

Table 1 highlights a list of the subsystems which require a LIC which interface with the GIC on the safety

network to form the entire GIS.

Table 1–Local Interlock Controller with Associated Subsystem/Subassembly

LIC Subsystem/Subassembly

Optical Support Structure

(OSS)

Top End Optical Assembly (TEOA)

M1 Active Controller & Thermal Controller

Feed Optics & Polarization Analysis and Calibration (PAC)

Mount Base Telescope Mount Drive Controllers

Mount Hydrostatic Bearings System

Coudé Rotator Coudé Drive Controller

Coudé Hydrostatic Bearings System

Instrumentation Systems Wave Front Controller

Science Instruments

Enclosure Motion Control Enclosure Motion

Enclosure Thermal Control Enclosure Thermal

Facilities Utilities/Facilities

D R A F T



2.2. GLOBAL INTERLOCK SYSTEM FUNCTIONAL REQUIREMENTS

2.2.1. General Functional Requirements

The functional requirements for the GIS are as follows

Provide control reliable safety functions

Provide an Emergency Stop complementary safety function

Provide continuous status of the GIS to the operator and the Observatory Control System (OCS).

It is not the responsibility of the GIS to maintain the status or general health of the subsystems or the

facility. This is the responsibility of the individual subsystems controllers. The GIS is only concerned

with the safety aspects of the subsystems.

2.2.2. Individual Functional Requirements

2.2.2.1. Control Reliability

Loss of any single component shall not cause the loss of the safety function.

Any single component failure will be detected before or at the next demand on the component. An

accumulation of undetected faults must not cause the loss of the safety function.

2.2.2.2. Monitor Safety I/O

All safety limits and safety interlocks, of a subsystem/subassembly, shall be routed to that subsystem’s

associated LIC.

The LIC shall continuously monitor these inputs and status resulting from combinational logic applied to

functions by said LIC.

The LIC additionally shall monitor all safety I/O block self test, such as pulse testing applied as required

per risk assessment in accordance to ANSI standard. Pulse testing additionally provides Category 4 rating

of Machinery Safety derived from EN-954 standard.

The LIC shall monitor the distributed I/O self-diagnostics. In the event of failure of the self-diagnostics,

the affected safety functions shall default to a safe state.

2.2.2.3. Monitor Safety Network

The LIC shall continuously monitor the safety network which connects the subsystem to the GIS.

Through communications with the GIC, safety functions of other subsystems are received and shall be

acted upon, as required, by the LIC.

In the event of a failure of the any part of the network, the affected safety functions shall default to a safe

state.

2.2.2.4. Intervention of Control

Upon the result of one or more safety I/O signals, of a subsystem/subassembly, changing to a state which

constitutes intervention due to an unsafe condition the LIC shall intervene by applying the proper

disabling function to the necessary control signals of said subsystem.

Upon the receipt of a safety command from the GIC the responsible LIC shall apply the proper

enabling/disabling function to the necessary control signals of the subsystem in its domain.

D R A F T



2.2.2.5. Emergency Stop Status

Emergency stop devices (buttons) shall provide signal state, through specified safety I/O blocks, to local

LIC for local emergency stop procedures. The LIC shall additionally produce necessary signals to the

GIC for instigation of emergency stop throughout entire facility.

Status of emergency stop location shall be available to GIS by the LIC. This status information shall be

made available to OCS through the interface provided from the GIS to the OCS. See Table 2 for E-stop to

LIC association.

2.2.2.6. Provide Status to OCS

The GIC is connected to the OCS through an Ethernet connection. The GIS provides data to the OCS

containing safety-related information. The information shall include the current status of all safety

functions. This information shall be sent at no less than a 1 Hz rate.

This data is for information only. The OCS does not use this communication path to send safety-related

inputs to the GIS. The OCS relays this information to the observer’s GIS screen, providing annunciation

of interlock conditions.

2.2.2.7. Global Commands Issued

The GIS is a hierarchical control system. The GIC is the only component of the GIS that issues

commands to LIC through the safety network. In the case of a command being issued to the GIC due to a

safety condition response from a LIC or an ESS condition, the GIC will issue these commands to all

appropriate LICs. It is not the responsibility of a LIC to issue commands to any other controller of the

GIS other than the GIC.

2.2.2.8. Safety During Power Loss

The GIS shall be connected to the facility UPS system. During the loss of main observatory power, the

GIS shall maintain monitoring status of safety I/O and the ESS system. Each LIC shall apply necessary

safety function control, bringing the telescope and equipment to a safe state upon detection of mains loss.

In the event of loss of power to any part of the system, the affected safety functions shall default to a safe

state.

2.2.2.9. Distributed System

Each individual LIC shall be designed to maintain the safety functions of it’s subsystem independently of

the entire GIS.

2.2.2.10. Response Time

The response time of the GIS shall be less than 200 milliseconds.

2.2.2.11. Real Clock Time

The GIS shall be capable of time-stamping faults with a accuracy of TBD.

2.3. HUMAN MACHINE INTERFACE REQUIREMENTS

Each LIC shall have capability of connection to a status/control Human Machine Interface (HMI).

Throughout the telescope facility status/control HMIs shall be permanently mounted adjacent to LIC or

internal to the electronic rack containing the LIC. In cases where no permanent monitor resides, the LIC

must have an accessible connection for a portable monitor.

The information available at the HMI shall include current status of all safety functions, status of the

emergency stop system, status of the network, and status of the distributed I/O.

D R A F T



2.3.1. Global Monitoring and Control

2.3.1.1. GIC

The GIC shall have a monitor mounted in its electronic rack. Status and control of the GIC shall always

be available. The GIC monitors all status of the LICs distributed throughout the facility. The GIC is

responsible for communicating any global information necessary for all LICs. Control of the GIC shall be

allowed by qualified technical personnel.

2.3.1.2. OCS

The OCS receives a stream of data from the GIC representing the status of the entire GIS. This data

stream is sent at a nominal 1 Hz rate. The data stream is defined in ICD 4.2-4.5, Observatory Control

System to Global Interlock System. This monitoring of the GIS safety limits and interlocks is then

distributed by the OCS as necessary. No control of the GIS is directly capable through the OCS.

2.3.2. Local Subsystem Monitoring and Control

2.3.2.1. LIC

Each subsystem has associated with it a LIC. In some instances, an individual LIC may be associated with

more than one subsystem. Each LIC shall have a port to which an engineering HMI is capable of being

connected allowing status, control and modifications to the LIC. In many cases there will be a HMI

permanently located with the LIC. Status of the entire GIS shall also be available at each LIC location.

2.3.3. Emergency Stop System

The Emergency Stop System (ESS) is a dual functional and monitored system. Monitoring of the ESS is

through the GIS. Information as to the location and state of each E-stop shall be provided. A visual

representation of the E-stop locations and state shall be available as part of the monitored status of the

ESS.

2.3.4. Thermal Control

TBD

2.4. INTERFACE REQUIREMENTS

Interface requirements for the GIS are specified as LIC interfaces, GIC interfaces and ESS interfaces.

Table 2–E-Stop to LIC Association

LIC E-Stops

Optical Support Structure

(OSS) Not Applicable

Mount Base All E-Stops located on Mount Base

Coudé Rotator All E-Stops located on rotator platform, above and below

Instrumentation Systems Not Applicable

Enclosure Motion Control All E-Stops located on Enclosure Carousel

Enclosure Thermal Control Not Applicable

Facilities All E-Stops located on lower enclosure, operations and utility

buildings

D R A F T



Each specific subsystem of the ATST will interface to the GIS through a LIC. The specific safety limits

and interlocks of each subsystem are represented in the ICD of the respective subsystem; these ICDs are

listed in this document, section 1.3.2.2.

2.4.1. Global Interlock System Interface

The GIS interfaces with all of the defined subsystems as listed in Section 1.3.2.2 of this document. Each

of the subsystem interfaces is made through a LIC to the GIC over the GIS safety network.

This network shall be an Ethernet/CIP safety network. This network shall be independent of all other

facility networks. Access to the safety network shall be restricted to components of the GIS (GIC, the

various LIC, and distributed I/O).

The physical connectivity to the GIS network shall be Category 5e (or higher category) twisted pair or

multimode fiber pair where necessary due to length of run. AURA shall provide appropriate copper to

fiber converters. The GIS also interfaces with the OCS through the GIC via a separate Ethernet TCP/IP

port connection to the facility communications network.

2.4.2. Local Interlock Controller Interface

2.4.2.1. LIC to GIS Safety Network

The EtherNet port shall be used to connect the LIC to the GIS safety network. The physical connectivity

to the GIS network shall be Category 5e (or higher category) twisted pair or multimode fiber pair where

necessary due to length of run. AURA shall provide appropriate copper to fiber converters. Connection

of this Ethernet port shall be to a managed network switch. The switch is specified later in the control

hardware section of this document.

The managed network switch shall connect the LIC to the safety I/O blocks which connect the safety

interlocks and safety limits. Connectivity to this switch shall be Category 5e (or higher category) or where

necessary fiber pair. All Safety I/O blocks of the locally controlled subsystem/subassembly shall be

connected to this managed switch.

2.4.2.2. Additional Safety I/O Block(s) Port

In the event that more than 24 safety I/O blocks need be managed by a specific LIC, additional Ethernet

ports may be added to the LIC backplane. This will require the increase in size of the standard LIC

backplane and shall be approved by AURA. Configuration of any additional Ethernet ports shall follow as

outlined above for the second Ethernet connection.

2.4.3. Global Interlock Controller Interface

The GIC shall have two Ethernet interfaces located within its chassis.

2.4.3.1. GIC to GIS Port

The first port shall be used to connect the GIC to the GIS safety network. Connectivity to this port shall

be fiber pair or where necessary copper to fiber converter to fiber pair. Connection of this Ethernet port

shall be to a managed network switch. The switch is specified later in the control hardware section of this

document.

2.4.3.2. GIC to OCS Port

The second port shall be to connect the GIC to the OCS via the facilities communication network.

Connectivity to this port shall be fiber pair or where necessary copper to fiber converter to fiber pair. This

connection shall use Ethernet TCP/IP. Connection of this Ethernet port shall be to one of the facilities’

communication network switches.

D R A F T



2.4.4. Observatory Control System Interface

The GIS shall be connected to the OCS through the GIC to OCS port. It shall provide status information

of the GIS to the OCS at the nominal update rate of 1Hz. The interface is detailed in ICD 4.2/4.5,

Observatory Control System to Global Interlock System.

2.4.5. Utility Service Interface

The GIC shall be mounted in a cooled, electronics enclosure which shall be supplied power and coolant as

indicated in ICD 4.5/6.6 Global Interlock System to Interconnects & Services.

D R A F T



3. Design Requirements

3.1. GENERAL DESIGN REQUIREMENTS

3.1.1. Safety Standards and Guidelines

The GIS shall meet or exceed the requirements of NFPA 79, 2007 edition and ANSI/RIA 15.06-1999.

The GIS shall following good engineering practice and meet or exceed the requirement of the National

Electric Code, OSHA regulations, and any other applicable laws and regulations.

3.1.2. Maintenance

3.1.2.1. Availability

The GIS is a critical safety system. The system must have availability greater than 99.9%. Regardless of

availability the system must default to safe state.

3.1.2.2. Reliability

The lifetime of the ATST telescope is expected to be in excess of forty years. The objective of the facility

is to allow maximum telescope use and quality for the given weather conditions of any day of the year.

The remote nature of the site puts a premium on having robust systems that are easily repaired and

maintained.

Wherever possible, all assemblies, subassemblies, components, parts, and mechanical systems shall be

designed to exceed the lifetime of the facility. Contractor shall identify any and all items not designed to

exceed this lifetime, and maintenance procedures and spares lists shall be provided for them.

Failure modes of all critical components shall be evaluated and the design of all systems shall be such that

failure of one component shall result in a minimal performance reduction of the system.

All safety I/O shall be designed as control reliable circuitry unless approved by AURA. All safety I/O

shall be designed to no less than the minimum performance circuitry based on the ANSI standard

adopted.

3.1.2.3. Maintainability

Routine maintenance of the GIS shall cause minimum loss of observing time. The GIS shall be designed

such that routine maintenance will be completed in less than four hours per month, without removal of

any assembly from the telescope, and at night under enclosure interior lighting. Repairs of all failures

arising as a result of normal operations of the ATST shall be accomplished in no more than 8 hours by

trained personnel. Major maintenance must be accomplished within one week on at most a yearly basis.

Electronic components of the GIS shall be designed and installed in such a manner to ensure easy access

for diagnostics and replacement. Installation must be done so all necessary maintenance operations can be

effectively carried out without risk to personnel or to the telescope.

The GIS shall be designed to be maintained using standard tools and test equipment used by appropriately

trained personnel. Critical components, such as but not limited to, PLC, I/O blocks, and power supplies

shall be replaced at the module level to minimize down-time. Maintenance, replacement and repair

schedules will be provided for all components of the GIS requiring such service.

The Contractor shall provide all special tools and equipment necessary for initial set-up, maintenance, and

servicing operations required throughout the operational life of the GIS. This excludes common hand

tools, such as but limited to, wrenches, sockets, and Allen keys. Any special tools and equipment

D R A F T



necessary in dealing with the GIS shall be deliverable. Special tools shall be marked with the part

number.

3.1.2.4. Human Engineering

The design of the GIS shall comply with OSHA safety requirements. A safety plan (reference Appendix

A) has been established and shall be followed. This plan incorporates and requires adherence to the

National Consensus Standards, ANSI/RIA R15.06-1999 and NFPA 79 throughout the design,

verification, validation of the GIS and continual education (training) of personnel involved with the use of

the installed (operational) GIS.

The design and implementation of the GIS shall allow ease of access to the controllers and HMIs.

3.2. CONTROL HARDWARE

3.2.1. Safety Hardware

The hardware selected for the GIS shall:

use safety PAC with CPU structure of 1 out of 2 decision capability.,

provide monitored input and output modules,

be capable of detecting single input failures,

provide high frequency pulse testing within diagnostic software,

utilize common, safety certified function blocks, and

maintain commonality of components throughout the system

The GIS shall be constructed of SIL 3-certified components or components suitable for use with a SIL 3

system.

The specific type of hardware controllers, communication bridges, network switches, and I/O blocks and

relays as specified by the Project. Unless otherwise approved by AURA, the GIS shall be constructed of

Rockwell Automation, GuardLogix PAC systems based on the Allen Bradley ControlLogix chassis. A list

of hardware is specified in Appendix B.

All hardware shall be the latest released version and maintained to a minimal of Rockwell Automation,

GuardLogix current major revision status.

3.2.2. Compatibility with Controller Hardware

The project highly recommends that subsystems utilize ControlLogix platforms for their subsystem

controller hardware. This allows the LIC, of that subsystem, to be integrated with the controller directly.

3.2.3. LIC

Each subsystem shall have an associated LIC, which provide for the local safety control of the subsystem.

The LIC shall be comprised of

A GuardLogix PAC safety controller and its partner controller.

An Ethernet bridge module for communication with the GIS safety network

A ControlLogix backplane and power supply.

In some instances, the LIC may be associated with more than one subsystem. For these instances, the LIC

will reside independent of any control systems utilized for the associated subsystems.

In the cases where a LIC is associated with a single subsystem controller, vendors are recommended to

utilize the ControlLogix platform for their control system providing adequate backplane space for

D R A F T



coexistence of the LIC safety PAC and the associated communications module. This shall facilitate the

integration of the safety system with the controller’s functions.

3.2.4. GIC

The GIC shall be comprised of

A GuardLogix PAC safety controller and its partner controller.

A minimum of two (2) Ethernet bridge modules shall accompany the safety controllers for communication to

o the GIS safety network and o the OCS communication network.

A ControlLogix backplane and power supply.

3.2.5. Safety Network

The safety network is an independent redundant Ethernet/IP network distributed throughout the facility.

No components other than those of the GIS shall be connected to this independent safety network.

At each location where either the GIC or a LIC is located, a managed network switch shall be installed.

Connections between each of these managed network switches shall be fiber optic pair cable. The fiber

shall be capable of no less than 1 Gb rates over distances of 200m. All cables runs shall be less than

200m.

The fiber shall be compatible with the Ethernet port hardware installed in the network switch.

Where necessary, optical to copper converters shall be used. These converters shall not limit the

bandwidth capability of the specified safety network.

Each LIC shall be on a separate virtual LAN (VLAN). Each LIC shall be assigned a unique subnet. IP

addresses from that subnet will be assigned to the associated subsystem’s GIS components.

3.2.5.1. Network Security

Connectivity to the safety network shall be made only by components of the GIS. The managed

networked switch shall not allow unidentified devices to communicate on the independent safety network.

Specific devices needed for maintenance shall be configured to communicate on the independent safety

network.

All security shall be provided by the AURA.

External communication with the GIS shall be limited to obtaining the status of the GIS via the OCS

communications network.

Configuration of the network shall be password protected.

3.3. CONTROL SOFTWARE

3.3.1. Embedded Control Operation

The control software for any portion of the GIS shall function as a turnkey system. Upon power up, the

control program shall initialize and function independently regardless of connectivity to networks.

3.3.2. Change of Network Status

Failure of the network shall not result in a loss of safety function. Failure of the network which causes

loss of communications with distributed I/O or a remote controller shall cause each such component of

the GIS to default to a safe state.

D R A F T



Restoration of the network function shall not automatically restore operation of the GIS without

intervention from the operator.

3.3.3. Operation following a rebooting or restarting

Rebooting or restarting shall cause the portion of the GIS that was rebooted or restarted to enter a safe

state. Rebooting or restarting shall not result in a loss of safety function.

3.3.4. Source Code

All source code written for the GIS shall be provided by Contractor. The source code written for the GIS

shall conform to the standard safety procedures as outlined by Rockwell Automation in reference to

GuardLogix™ safety PAC. The source code shall be written using the most resent version of RSLogix™

5000 and shall be configured as ladder logic unless otherwise approved by AURA.

Contractor is responsible for overall integration of GIS components and shall provide a collected, collated

set of all source code utilized in the GIS. No portion of the source code provided for the limits and safety

interlock of a subsystem, the GIS portion of a control system, may be considered exempt proprietary

code. All source code must be understood and accepted by AURA as part of the verification, test

acceptance, and validation of the GIS.

3.3.5. Source Documentation

The Contractor shall document all source code in a manner consistent with good software practices.

Use of certified function blocks.

Use of certified safety instructions.

Consistency of all “tags” utilized within GIS.

A consistent syntactical style shall be used throughout all GuardLogix™ PAC.

Source files shall have a header containing version number, revisions, author(s), and functional description.

Source functions or methods shall have a description of the interface and operation of the function.

Major algorithms or operational sections of code shall be clearly commented.

3.3.6. Revision Repository

The GIS shall use a revision repository (such as CVS) during construction. The repository shall be

accessible by the ATST during construction.

3.3.7. Security

Since the GIS is critical to the safety of personnel and infrastructure, a “defense in depth” approach to

security shall be used.

Specific procedures shall be developed for patch management and routine maintenance of the GIS.

3.4. GENERAL FABRICATION REQUIREMENTS

3.4.1. Materials, Processes and Parts

3.4.1.1. Workmanship

Workmanship shall be of a high grade of commercial practice and adequate to achieve the accuracies and

surface finishes called for on all drawings and in the specifications.

D R A F T



3.4.1.2. Materials

All materials specified shall be new and of high-grade commercial quality. They shall be sound and free

from defects, both internal and external, such as cracks, laminations, inclusions, blow holes or porosity.

3.4.2. Drawings and Models

All detail design drawings shall conform to ASME Y14.5M-1994, and ANSI Y32.2. All detail design

drawings shall be generated in (or transferable to) AutoCAD or approved equivalent. These drawings,

along with two complete printed hard copies, shall be provided to AURA upon completion of the work.

All detail design drawings shall be in System International (metric) units with Imperial (inch) secondary

units shown in parentheses. All design drawings shall be in English.

3.4.3. Technical Manuals

Manuals shall be prepared, containing all information related to maintenance and operation of the Global

Interlock System, so that the information in the Manuals will be adequate to enable ATST project

personnel to perform the full range of expected operating and regular maintenance functions without the

need to seek information from a source other than the manuals.

The manuals shall have the maintenance and operating information organized into suitable sets of

manageable size, which shall be bound into individual binders identified on both the front and spine of

each binder, which is indexed (thumb-tabbed) and includes pocket folders for folded sheet information. It

is anticipated that the Manuals shall also be supplied in electronic form.

Such information shall include, all information related to normal operations and procedures, emergency

operations and procedures, normal maintenance and procedures, emergency maintenance and procedures,

spare parts, warranties, wiring diagrams, inspection procedures, programs for safety logic, shop drawings,

product data, and similar applicable information.

All technical manuals shall be in English.

3.4.4. GIS to OCS Data Stream Documentation

3.4.4.1. Final Design

The Contractor shall provide a GIS Software Design Document (SDD). This document shall include all

details necessary to construct the GIS. During construction, this document shall be updated to show any

design modifications made during construction.

3.4.4.2. Operator’s Manual

The Contractor shall provide a GIS operator’s manual to describe the use of the GIS by an ATST

operator. The manual shall describe operation during normal observations, setup, troubleshooting, and

engineering.

3.5. ENVIRONMENTAL REQUIREMENTS

The ATST telescope will be subjected to various environmental conditions. These conditions include the

operating in-specification conditions, operating off-specification conditions, non-operating conditions,

survival conditions and transportation and handling conditions. The GIS shall be designed and tested over

environments so that their performance in the Telescope shall meet all requirements of this Specification.

Other operations will impose further environmental requirements of which the GIS shall be designed to

withstand. These operations include, but are not limited to, storage conditions and shipment.

D R A F T



3.5.1. Operational Environment Telescope

All portions of the GIS shall be capable of 100% functionality, continuously, located within the telescope

environment as specified in the following environmental conditions

Condition Requirement

Altitude 3050m

Air temperature -5 to +25 C

Max ambient air

temperature change rate +/-2° C/hour

Relative Humidity 0% to 95% (non-

condensing)

Wind Speed 0 to 5 meters per second

Gravity Orientation 0 to 90 ATST zenith

angle

3.5.2. Survival Environment

All portions of the GIS shall survive any combination of the following environmental conditions without

permanent damage and be capable of meeting all of the requirements of this specification after removal of

these conditions


Altitude sea level to 15000m


Relative Humidity 0% to 100% condensing


Gravity Orientation Any orientation

3.5.3. Shipping Environment

The GIS shall survive any combination of the following environmental conditions without damage or

requirement for repair when packaged in its storage/shipping containers


Altitude sea level to 15000m


Relative Humidity 0% to 100% condensing


Gravity Orientation Any orientation

Seismic 10.0g per MIL-STD-810

D R A F T



Appendix A Safety Management Plan

D R A F T



Appendix B Specified Hardware & Software

B-1. SPECIFIED HARDWARE

As stated in SPEC-0046 (above document) the GIS shall be constructed from specific hardware

manufactured by Allen-Bradley unless otherwise approved by AURA. The specified hardware consists of

safety certified GuardLogix™ PAC controllers and ControlLogix™ power supplies, backplanes, Ethernet

bridges, and Stratix switches.

The GuardLogix™ system shall use the following components throughout GIS :

Table 3

Catalog Number Description

1734-AENTR* 2-Port EtherNet/IP I/O Adapter Module

1734-IB8S* POINT Guard I/O Safety Module - 8 Point Input Module

1734-OB8S* POINT Guard I/O Safety Module - 8 Safety Sourcing Output Module

1734-TB* Module Bases W/ Removable IEC Screw Terminals

1756-A4 4-slot chassis ControlLogix™

1756-EN2F EtherNet 10-100M Fiber Interface Module

1756-EN2TR EtherNet dual port 10-100M Interface Module, Ring and Linear topologies

1756-L62S GuardLogix Processor With 4Mbyte Memory and 2Mbyte of Safety Memory

1756-L63S GuardLogix Processor With 8Mbyte Memory and 4Mbyte of Safety Memory

1756-LSP Safety Partner

1783-ETAP EtherNet/IP Tap 3 copper ports

1783-ETAP2F EtherNet/IP Tap 1 copper port, 2 fiber ports

1783-MX08F Stratix 8000 Fiber Expansion Module, 8-port

1783-MX08T Stratix 8000 Copper Expansion Module, 8-port

1783-RMS10T Stratix 8300 Switch, Managed, 10-port Base Switch, Layer 3

1783-SFP1GSX Stratix Fiber SFP, 1000 Mbit connectivity over multi-mode fiber

1791ES-IB16* EtherNet/IP Safety CompactBlock Input Module, 16 Inputs, 16 Test Outputs

1791ES-

IB8XOBV4*

EtherNet/IP Safety CompactBlock Input Module, 8 Inputs, 4 Dual Channel Bipolar

Outputs

1794-PS13 85-264 VAC To 24 VDC 1.3A Power Supply

2711P-T12C4A1 PanelView Plus 1250 Touch, Standard Communications (Ethernet & RS-232), AC

power, 64 MB Flash/ 64 MB RAM

* I/O modules are provided by subassembly/subsystem vendors as interface to GIS.

B-2. SPECIFIED SOFTWARE

The GIS shall be programmed using the specified software published by Rockwell Automation.

RSLogix™ 5000, version 16 or later

RSView™

FactoryTalk™

PanelView™

D R A F T