global interlock system specification

Project Documentation Document SPEC-0046

Rev A

Advanced Technology Solar Telescope 950 N. Cherry Avenue Tucson, AZ 85719 Phone 520-318-8102 [email protected] http://atst.nso.edu Fax 520-318-8500

Global Interlock System Specification

Scott Bulau, Tim Williams

Control Systems Group

October 8, 2012

Name Signature Date

Prepared By: Scott Bulau

Controls Engineer S. Bulau 19 Oct 2012

Approved By: Rob Hubbard

Systems Engineer R. Hubbard 26 Oct 2012


SPEC-0046, Rev A Page ii

Revision Summary

1. Date: December 15, 2008 – August 24, 2009 Revision: Draft 1 Changes: Rewritten to incorporate the new adopted architecture of the GIS as proposed October 2008.

2. Date: August 25, 2009 – January 4, 2010 Revision: Draft 2 Changes: Changes to text regarding hardware and software.

3. Date: January 5, 2010 – January 10, 2010 Revision: Draft 3 Changes: Minor edits and formatting, addition of Table 2

4. Date: March 25, 2011– April 8, 2011 Revision: Draft 4 Changes: formatting changes, reformed some requirements, removed some over-specification, added additional approved components,

5. Date: December 19, 2011 Revision: Draft 5 Changes: Changed to Word 2010 .DOCX format. Modified references to EN954-1.

6. Date: June 15, 2012 Revision: Draft 6 Changes: Addition of requirement numbers, verification and origin.

7. Date: July 30, 2012 Revision: Draft 7 Changes: Addition of 11 instrument ICDs.

8. Date: October 8, 2012 Revision: A Changes: Inclusion of comments from GIS readiness review. Initial formal release for FDR, as revision-controlled document.


SPEC-0046, Rev A Page iii

Table of Contents

1. Specification Overview ....................................................................... 1

1.1. OBJECTIVE .......................................................................................................... 1

1.2. SCOPE .................................................................................................................. 1 1.3. RELATED AND REFERENCE DOCUMENTS ...................................................... 1 1.3.1. REFERENCE DOCUMENTS ........................................................................................ 1 1.3.2. RELATED DOCUMENTS ............................................................................................ 2 1.4. DEFINITIONS ........................................................................................................ 3

1.5. APPLICABLE CODES AND REQUIREMENTS .................................................... 4

2. Requirements for All Assemblies ........................................................ 5

2.1. GENERAL DESCRIPTION .................................................................................... 5

2.2. GENERAL FUNCTIONAL REQUIREMENTS ........................................................ 6

3. Functional Requirements .................................................................... 7

3.1. INDIVIDUAL FUNCTIONAL REQUIREMENTS ..................................................... 7 3.1.1. EMERGENCY STOP (EMERGENCY SHUTDOWN) FUNCTION .......................................... 7 3.1.2. SAFETY-RELATED CONTROL FUNCTIONS .................................................................. 7

3.1.3. CONTROL RELIABILITY ............................................................................................. 7 3.1.4. MONITOR CONTROLLER STATUS .............................................................................. 7 3.1.5. MONITOR SAFETY I/O .............................................................................................. 8

3.1.6. MONITOR SAFETY NETWORK ................................................................................... 8 3.1.7. SAFETY DURING POWER LOSS ................................................................................. 8

3.1.8. GLOBAL COMMANDS ISSUED .................................................................................... 8 3.1.9. DISTRIBUTED SYSTEM ............................................................................................. 9

3.1.10. RESPONSE TIME ............................................................................................... 9 3.1.11. REAL CLOCK TIME ............................................................................................. 9

3.2. HUMAN MACHINE INTERFACE REQUIREMENTS ............................................. 9 3.2.1. GIS STATUS AND ALARMS ....................................................................................... 9 3.2.2. OPERATOR CONTROL .............................................................................................. 9

3.2.3. ENGINEERING OPERATION ..................................................................................... 10 3.2.4. GIC HMI .............................................................................................................. 10 3.2.5. LIC HMI .............................................................................................................. 10

3.3. THERMAL CONTROL ......................................................................................... 10 3.4. INTERFACE REQUIREMENTS .......................................................................... 10 3.4.1. TELESCOPE MOUNT ASSEMBLY .............................................................................. 10 3.4.2. M1 ASSEMBLY ...................................................................................................... 10

3.4.3. TEOA .................................................................................................................. 11 3.4.4. FEED OPTICS ....................................................................................................... 11 3.4.5. WAVE FRONT CONTROL ........................................................................................ 11

3.4.6. INSTRUMENTS ....................................................................................................... 11 3.4.7. POLARIMETRY ANALYSIS AND CALIBRATION ............................................................. 11 3.4.8. MASTER CLOCK AND SYNCHRO NETWORK .............................................................. 11 3.4.9. COUDÉ STATION ................................................................................................... 11 3.4.10. COUDÉ ENVIRONMENTAL SYSTEMS ................................................................... 12


SPEC-0046, Rev A Page iv

3.4.11. VISIBLE BROADBAND IMAGER ........................................................................... 12

3.4.12. VISIBLE SPECTRO-POLARIMETER ...................................................................... 12 3.4.13. DIFFRACTION LIMITED NEAR-IR SPECTROPOLARIMETER ..................................... 12

3.4.14. CRYOGENIC NEAR-IR SPECTROPOLARIMETER ................................................... 12 3.4.15. VISIBLE TUNABLE FILTER ................................................................................. 12 3.4.16. CAMERA SYSTEMS .......................................................................................... 12 3.4.17. OBSERVATORY CONTROL SYSTEM .................................................................... 13 3.4.18. ENCLOSURE .................................................................................................... 13

3.4.19. SUPPORT FACILITY AND BUILDINGS ................................................................... 13 3.4.20. FACILITY THERMAL SYSTEMS ........................................................................... 13 3.4.21. UTILITY SERVICE INTERFACE ............................................................................ 13

4. Design Requirements ....................................................................... 14

4.1. SAFETY STANDARDS AND GUIDELINES ........................................................ 14

4.2. MAINTENANCE .................................................................................................. 14 4.2.1. SERVICE LIFETIME ................................................................................................. 14 4.2.2. AVAILABILITY ........................................................................................................ 14

4.2.3. RELIABILITY .......................................................................................................... 14 4.2.4. MAINTAINABILITY ................................................................................................... 15 4.3. HUMAN ENGINEERING ..................................................................................... 15

4.4. CONTROL HARDWARE ..................................................................................... 16 4.4.1. SAFETY HARDWARE .............................................................................................. 16

4.4.2. LIC ...................................................................................................................... 16 4.4.3. GIC ..................................................................................................................... 16 4.5. NETWORK REQUIREMENTS ............................................................................ 17

4.5.1. SAFETY NETWORK ................................................................................................ 17

4.5.2. GLOBAL INTERLOCK SYSTEM INTERFACE ................................................................ 17 4.5.3. LOCAL INTERLOCK CONTROLLER INTERFACE ........................................................... 17 4.5.4. GLOBAL INTERLOCK CONTROLLER INTERFACE ......................................................... 18

4.6. CONTROL SOFTWARE ...................................................................................... 18 4.6.1. EMBEDDED CONTROL OPERATION .......................................................................... 18

4.6.2. CHANGE OF NETWORK STATUS .............................................................................. 18 4.6.3. OPERATION FOLLOWING A REBOOTING OR RESTARTING ............................................ 19 4.6.4. SOURCE CODE ..................................................................................................... 19 4.6.5. SOURCE DOCUMENTATION .................................................................................... 19 4.6.6. REVISION REPOSITORY ......................................................................................... 20

4.6.7. SECURITY ............................................................................................................. 20 4.7. GENERAL FABRICATION REQUIREMENTS .................................................... 20 4.7.1. MATERIALS, PROCESSES AND PARTS ..................................................................... 20

4.7.2. DRAWINGS AND MODELS ....................................................................................... 20 4.7.3. TECHNICAL MANUALS ............................................................................................ 21 4.8. ENVIRONMENTAL REQUIREMENTS ................................................................ 21 4.8.1. OPERATIONAL ENVIRONMENT TELESCOPE .............................................................. 22

4.8.2. SURVIVAL ENVIRONMENT ....................................................................................... 22 4.8.3. SHIPPING ENVIRONMENT ....................................................................................... 22


SPEC-0046, Revision A Page 1 of 22

1. SPECIFICATION OVERVIEW

1.1. OBJECTIVE

This document provides design requirements and specifications for the ATST Global Interlock System

(GIS). Requirements for compliance to national consensus standards of hardware, software, and system

levels are specified as well as design, procurement, and programming. Factory assembly, factory

acceptance testing, site assembly and site acceptance testing for the ATST GIS are also specified.

The primary goal of the GIS is to eliminate the risk of injury to personnel and to prevent physical damage

to the telescope, instruments and other infrastructure of the ATST. The GIS is not a single programmable

system. It is a system made up of distributed, independent safety controllers that are integrated in the

various subsystems of the facility. These controllers are tied together through use of an independent safety

network that implements safety functions of all systems observatory wide.

The requirements of the GIS will be monitored through the factory construction of the subassemblies.

Testing and verification will be required at the subassembly level prior to acceptance of a particular

subassembly. Testing and verification will be required at the networked level for final acceptance of the

central control and system level response.

1.2. SCOPE

The requirements of the ATST GIS are detailed in the global sense. The implementation of the GIS is a

combined effort between the project and the subsystem vendors. It is the project’s responsibility to build

and configure the LIC; while the subsystem vendors’ responsibility is to provide the safety I/O connected

to the individual limits and interlocks. Specific requirements for the LIC and the safety I/O are defined in

this specification.

A specified ATST interface control document (ICD) defines the safety limits and interlocks required for

each subsystem. These represent the safety I/O points to be interfaced to the subsystem’s distributed

portion of the GIS. These safety limits and interlocks status are reported throughout the GIS propagating

necessary response of all ATST subsystems.

1.3. RELATED AND REFERENCE DOCUMENTS

The following documents form a part of this Specification. Any other documents referenced in any of

these documents also form a part of the Specification.

1.3.1. Reference Documents

1.3.1.1. National Consensus Standards ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems –

Safety Requirements

NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition

1.3.1.2. International Standards ISO 13849, Safety of Machinery—Safety-related parts of control systems

ISO 13850, Safety of Machinery—Emergency Stop—Principles for design

IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related

Systems

IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable

electronic control systems



1.3.1.3. Industry Standards ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard

ASM Consortium Guidelines: Effective Operator Display Design

1.3.1.4. Engineering Drawing Practices ASME Y14.1- Drawing sheet size and format

ASME Y14.100- Engineering drawing and practices

ASME Y14.5-1994, “Dimensioning and Tolerancing”

ASME Y14.24, “Types and Applications of Engineering Drawings”

ASME Y14.35, “Drawing Revisions”

1.3.2. Related Documents

1.3.2.1. ATST Specification Documents The following documents contain information applicable to the design of the ATST Global Interlock

System.

PMCS-0023, Requirements Definition

SPEC-0002, Document and Drawing Control Plan

SPEC-0012, ATST Acronym List and Glossary

SPEC-0013, Software Operational Controls Definition Document

SPEC-0022, ATST Common Services Users’ Manual

SPEC-0041, ATST Spares Policy

SPEC-0061, ATST Hazard Analysis Plan

SPEC-0063, Interconnects and Services

SPEC-0070, General Specifications for the Design and Fabrication of ATST

SPEC-0079, Approved Parts

SPEC-0141, Global Interlock System Operational Concepts Document

1.3.2.2. ATST Interface Control Documents The Global Interlock System shall meet the requirements of the following interface control documents:

ICD 1.1-4.5 , Telescope Mount Assembly to Global Interlock System

ICD 1.2-4.5 , M1 Assembly to Global Interlock System

ICD 1.3-4.5 , TEOA to Global Interlock System

ICD 1.5-4.5 , Feed Optics to Global Interlock System

ICD 2.1-4.5 , Wave Front Control-Coudé to Global Interlock System

ICD 3.0-4.5, Instruments to Global Interlock System

ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System

ICD 3.1.2-4.5, Master Clock and Synchro Network to Global Interlock System

ICD 3.1.3-4.5, Coudé Station to Global Interlock System

ICD 3.1.5-4.5, Coudé Environmental Systems to Global Interlock System

ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System

ICD 3.3-4.5, Visible Spectro-polarimeter to Global Interlock System

ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System

ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System

ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System

ICD 3.6-4.5, Camera Systems to Global Interlock System

ICD 4.2-4.5 , Observatory Control System to Global Interlock System

ICD 4.5-5.0 , Global Interlock System to Enclosure

ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings



ICD 4.5-6.3 , Global Interlock System to Facility Equipment

ICD 4.5-6.7 , Global Interlock System to Facility Thermal Systems

1.4. DEFINITIONS

The following terms are defined and their usage throughout this document will be consistent with these

definitions. See SPEC-0012, ATST Acronym List and Glossary, for terms not listed below.

ASM Abnormal Situation Management

Category Classification of the safety-related parts of a control system in respect of their resistance to

faults and their subsequent behavior in the fault condition, and which is achieved by the structural

arrangement of the parts, fault detection and/or by their reliability.1

Control Reliable Safety circuitry designed, constructed and applied such that any single component

failure shall not prevent the stopping action of the equipment.2

E/E/PE electrical/electronic/programmable electronic

Emergency Stop System (ESS) A series of emergency stop devices (buttons) distributed throughout the

facility. The activation of any one of these devices will cause a facility wide control function stop.

Global Interlock Controller (GIC) The GIC acts as the local interlock controller for the facilities safety

I/O as well as providing the centralized processing of all distributed safety responses.

Global Interlock System (GIS) The GIS refers to all or any portion of the safety system which monitors

and acts upon controls in order to provide safety to personnel, equipment and the

telescope/enclosure.

Interlock An arrangement whereby the operation of one control or mechanism allows, or prevents the

operation of another.

Interlock Condition An interlock condition exists if an M2 Module system or mechanism initiates the

GIS to limit telescope function because it has detected a possible safety conflict.

Interlock Override An interlock override is a manually set condition of the GIS to inform a system to

ignore a particular interlock condition.

Local Interlock Controller (LIC) The LIC is a subsystem’s distributed part of the GIS. It acts as an

independent safety control for the subsystem and provides global information to the GIC.

PL Performance Level. Discrete level used to specify the ability of safety-related parts of controls

systems to perform a safety function under foreseeable conditions.3 Performance levels are

denoted as a, b, c, d, or e. PLa being the lowest and PLe being the highest.

SIL Safety Integrity Level. Discrete level (one out of a possible four) for specifying the safety integrity

requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where

safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the

lowest.4

SRCF Safety-Related Control Function. Control function implemented by SRECS with a specified

integrity level that is intended to maintain the safe condition of the machine or prevent an

immediate increase of the risk(s).5

Validation confirmation by examination and provision of objective evidence that the particular

requirements for a specific intended use are fulfilled.6

1 ISO 138491 §3.1.2

2 ANSI/RIA R15.06-1999 §4.5.4

3 ISO 13849-1 §3.1.23

4 IEC 61508-4 §3.5.6

5 IEC 62061 §3.2.16

6 IEC 61508-4 § 3.8.2



Verification confirmation by examination and provision of objective evidence that the requirements have

been fulfilled.7

1.5. APPLICABLE CODES AND REQUIREMENTS

The design and implementation of the Global Interlock System shall comply with the National Consensus

Standards ANSI/RIA R15.06-1999 and NFPA 79.

The architecture of the Global Interlock System shall comply with applicable safety codes such that it

may be certified for use in up to SIL3 functions under safety standard IEC 61508 or Category 4 PLe

under ISO 13849.

7 IEC 61508-4 § 3.8.1



2. REQUIREMENTS FOR ALL ASSEMBLIES

2.1. GENERAL DESCRIPTION

Because of the disparate nature of the subsystems of the ATST facility it is desirable to implement a

uniform and coherent system to ensure safety throughout the facility rather than rely on each subsystem to

implement safety functions on an ad hoc basis.

The Global Interlock System (GIS) monitors safety limits and safety interlocks throughout the ATST

facility and as necessary enables/disables controlled mechanisms in order to maintain safety and prevent

damage to personnel and equipment.

The GIS is being implemented as a distributed safety system verses a centralized system. The distribution

of the GIS is accomplished through the use of Local Interlock Controllers (LICs). Each ATST subsystem

is required to interface to the GIS through the use of a LIC. The LIC is required to maintain the safety

control of the its assigned subsystem(s). The LIC is required to maintain subsystem safety as a standalone

system. The LIC is also required to communicate its status to the centralized Global Interlock Controller

(GIC).

The GIC determines the interrelation of the distributed LIC and issues safety commands to other LICs for

necessary response to a given condition. The GIC and LICs communicate over a safety network, separate

from the observatory’s control or data networks. The GIC also communicates to the Observatory Control

System (OCS) over an Ethernet communications network. This connection allows the GIC to provide a

continuous status to the OCS of all the safety conditions throughout ATST facility.

Table 1 highlights a list of the subsystems which require a LIC which interface with the GIC on the safety

network to form the entire GIS.

Table 1–Local Interlock Controller with Associated Subsystem/Subassembly

LIC Subsystem/Subassembly

Optical Support Structure

(OSS)

Top End Optical Assembly (TEOA)

M1 Active Controller & Thermal Controller

Feed Optics & Polarization Analysis and Calibration (PAC)

Mount Base Telescope Mount Drive Controllers

Coudé Rotator Coudé Drive Controller

Instrumentation Systems Wave Front Controller

Science Instruments

Enclosure Motion Control Enclosure Motion

Facility Thermal Control Facility Thermal System

Facilities Utilities/Facilities



2.2. GENERAL FUNCTIONAL REQUIREMENTS

The functional requirements for the GIS are as follows

Provide control reliable safety functions

Provide an Emergency Stop safety function as an additional safeguard

Provide continuous status of the GIS to the operator and the Observatory Control System

(OCS).

It is not the responsibility of the GIS to maintain the status or general health of the subsystems or the

facility. This is the responsibility of the individual subsystems controllers. The GIS is only concerned

with the safety aspects of the subsystems.



3. FUNCTIONAL REQUIREMENTS

3.1. INDIVIDUAL FUNCTIONAL REQUIREMENTS

3.1.1. Emergency Stop (Emergency Shutdown) Function The GIS shall provide an emergency stop (emergency shutdown) safety function. The emergency

shutdown shall override all other functions and bring the entire facility to a safe state with a single

human-initiated action.

The emergency stop (emergency shutdown) function shall be a category 0 or category 1 stop, which

includes removal of the power source to machine actuators.

Emergency shutdown devices (mushroom head push buttons, cable pull device) shall be provided at each

operator location and other locations as required. They shall be positioned for safe and easy access for the

operator and others who may need to operate them.

Requirement Number: 4.5-0010

Verification: Design, Factory and Site Test

Requirement Origin: Safety

3.1.2. Safety-Related Control Functions

3.1.2.1. Safety Function Based on hazard analyses, each LIC will be programmed to achieve one or more safety functions. The

LIC shall maintain or achieve a safe state for equipment under control by constantly evaluating one or

more inputs (from subsystem I/O or the GIC) and enabling and/or disabling appropriate outputs.


Verification: Design, Analysis, Factory and Site Test


3.1.2.2. Safety Integrity Based on hazard analyses, each safety function will have a safety integrity requirement. The LIC shall

meet the safety integrity requirement of each safety function.


Verification: Design, Analysis


3.1.3. Control Reliability Loss of any single component shall not cause the loss of the safety function.

Any single component failure should be detected before or at the next demand on the component. An

accumulation of undetected faults shall not cause the loss of the safety function.


Verification: Design


3.1.4. Monitor Controller Status Each controller shall monitor itself for faults.

On the detection of a fault, the system shall default to a safe state.






3.1.5. Monitor Safety I/O All safety-related I/O (limits, interlocks, and outputs) of a subsystem shall be routed to that subsystem’s

associated LIC.

The LIC shall monitor the safety I/O module self-diagnostics.

In the event of a fault detected by the self-diagnostics, the affected safety functions shall default to a safe

state.




3.1.6. Monitor Safety Network The LIC shall continuously monitor the safety network which connects the subsystem to the GIS.

In the event of a failure of the any part of the network, the affected safety functions shall default to a safe

state.




3.1.7. Safety During Power Loss The GIS shall be connected to the facility UPS system. This connection shall also be provided with

generator back-up.

During the loss of main observatory power, the GIS shall maintain monitoring status of safety I/O and the

ESS system.

Each LIC shall apply necessary safety function control, bringing the telescope and equipment to a safe

state upon power loss.

In the event of loss of power to any part of the system, the affected safety functions shall default to a safe

state.



Requirement Origin: Engineering, Safety

3.1.8. Global Commands Issued The GIS is a hierarchical control system. The GIC is the only component of the GIS that issues

commands. Commands to each LIC are routed through the safety network.

LICs shall communicate the status of all safety functions to the GIC. LICs shall not communicate directly

with other LICs.

For each safety function that involves subsystems connected to different LICs, the GIC shall evaluate the

state of the safety functions from individual LICs and issue commands to other LICs to maintain or

achieve a safe state.



Requirement Origin: Engineering



3.1.9. Distributed System Each individual LIC shall maintain local safety functions of its subsystem independently of the entire

GIS.




3.1.10. Response Time The response time of the GIS to a change in inputs shall be less than 200 milliseconds. The GIS must

either respond correctly to the input, or the output must default to the safe state within the 200 millisecond

response time.


Verification: Design, Analysis, Factory and Site Test


3.1.11. Real Clock Time The GIS shall be capable of time-stamping faults with an accuracy of 100 milliseconds.




3.2. HUMAN MACHINE INTERFACE REQUIREMENTS

The GIS shall have a touch screen Human Machine Interface (HMI) for personnel to control and operate

the entire GIS.

The HMI display and operation shall follow Abnormal Situation Management (ASM) Consortium

guidelines.

The HMI display shall update at a 1Hz rate.


Verification: Design, Inspection, Factory and Site Test

Requirement Origin: Operations, Safety

3.2.1. GIS Status and Alarms The HMI display shall include current state of all safety functions, status of the safety network, status of

safety controllers and status of the distributed safety I/O.

The HMI shall provide read-only display of all trips and faults of the GIS. This display shall always be

available.




3.2.2. Operator Control The HMI shall provide a password protected means to reset trips, mute alarms, and override interlocks.

Operator actions shall be logged.






3.2.3. Engineering Operation The HMI shall provide engineering screens that show low-level (individual hardware) status and error

codes to aid in troubleshooting. These screens shall be password-protected.


Verification: Design, Inspection, Design, Factory and Site Test


3.2.4. GIC HMI The GIC shall have a touch screen HMI mounted in its electronic rack.



Requirement Origin: Operations

3.2.5. LIC HMI Each LIC shall have a port to which an HMI can be connected.

An HMI connected at a LIC shall be capable of operating and controlling the entire GIS.




3.3. THERMAL CONTROL

Components of the GIS that are located in thermally-sensitive spaces shall be cooled.

Components of the GIS that are located in thermally-sensitive spaces shall produce a net thermal load of

less than 20 watts.



Requirement Origin: Science

3.4. INTERFACE REQUIREMENTS

The GIS interfaces to a number of subsystems in the facility. The details of the interface are described in

the respective Interface Control Document (ICD).

There are different styles of interfaces described depending on the contractual requirements between the

GIS and subsystem supplier. In some cases the interface is located at specific limit and interlock

hardware, others interface at the distributed I/O network connection, and some cases where the LIC is

provided by the subsystem supplier the interface is between the LIC and the GIC.

3.4.1. Telescope Mount Assembly The GIS shall comply with the interface as defined in ICD 1.1-4.5, Telescope Mount Assembly to Global

Interlock System.


Verification: Design, Inspection, Test


3.4.2. M1 Assembly The GIS shall comply with the interface as defined in ICD 1.2-4.5, M1 Assembly to Global Interlock

System.






3.4.3. TEOA The GIS shall comply with the interface as defined in ICD 1.3-4.5, TEOA to Global Interlock System.




3.4.4. Feed Optics The GIS shall comply with the interface as defined in ICD 1.5-4.5, Feed Optics to Global Interlock

System.




3.4.5. Wave Front Control The GIS shall comply with the interface as defined in ICD 2.1-4.5, Wave Front Control-Coudé to Global

Interlock System.




3.4.6. Instruments The GIS shall comply with the interface as defined in ICD 3.0-4.5, Instruments to Global Interlock

System.




3.4.7. Polarimetry Analysis and Calibration The GIS shall comply with the interface as defined in ICD 3.1.1-4.5, Polarimetry Analysis and

Calibration to Global Interlock System.




3.4.8. Master Clock and Synchro Network The GIS shall comply with the interface as defined in ICD 3.1.2-4.5, Master Clock and Synchro Network

to Global Interlock System.




3.4.9. Coudé Station The GIS shall comply with the interface as defined in ICD 3.1.3-4.5, Coudé Station to Global Interlock

System.






3.4.10. Coudé Environmental Systems The GIS shall comply with the interface as defined in ICD 3.1.5-4.5, Coudé Environmental Systems to

Global Interlock System.




3.4.11. Visible Broadband Imager The GIS shall comply with the interface as defined in ICD 3.2-4.5, Visible Broadband Imager to Global

Interlock System.




3.4.12. Visible Spectro-polarimeter The GIS shall comply with the interface as defined in ICD 3.3-4.5, Visible Spectro-polarimeter to Global

Interlock System.




3.4.13. Diffraction Limited Near-IR Spectropolarimeter The GIS shall comply with the interface as defined in ICD 3.4.1-4.5, Diffraction Limited Near-IR

Spectropolarimeter to Global Interlock System.




3.4.14. Cryogenic Near-IR Spectropolarimeter The GIS shall comply with the interface as defined in ICD 3.4.1-4.5, Cryogenic Near-IR

Spectropolarimeter to Global Interlock System.




3.4.15. Visible Tunable Filter The GIS shall comply with the interface as defined in ICD 3.5-4.5, Visible Tunable Filter to Global

Interlock System.




3.4.16. Camera Systems The GIS shall comply with the interface as defined in ICD 3.6-4.5, Camera Systems to Global Interlock

System.






3.4.17. Observatory Control System The GIS shall comply with the interface as defined in ICD 4.2-4.5, Observatory Control System to Global

Interlock System.




3.4.18. Enclosure The GIS shall comply with the interface as defined in ICD 4.5-5.0, Global Interlock System to Enclosure.




3.4.19. Support Facility and Buildings The GIS shall comply with the interface as defined in ICD 4.5-6.0, Global Interlock System to Support

Facility and Buildings.




3.4.20. Facility Thermal Systems The GIS shall comply with the interface as defined in ICD 4.5-6.7, Global Interlock System to Facility

Thermal Systems.




3.4.21. Utility Service Interface The GIC shall be mounted in a cooled, electronics enclosure which shall be supplied power and coolant as

indicated in SPEC-0063.






4. DESIGN REQUIREMENTS

4.1. SAFETY STANDARDS AND GUIDELINES

The GIS shall meet or exceed the requirements of NFPA 79, 2007 edition.

The GIS shall meet or exceed the requirements of ANSI/RIA R15.06-1999.

The GIS shall following good engineering practice and meet or exceed the requirement of the National

Electric Code, OSHA regulations, and any other applicable laws and regulations.




4.2. MAINTENANCE

The lifetime of the ATST telescope is expected to be in excess of forty years. The objective of the facility

is to allow maximum telescope use and quality for the given weather conditions of any day of the year.

The remote nature of the site puts a premium on having robust systems that are easily repaired and

maintained.

4.2.1. Service Lifetime All assemblies, subassemblies, components, parts, and mechanical systems should be designed to exceed

the lifetime of the facility. Designer shall identify any and all items not designed to exceed this lifetime,

and maintenance procedures and spares lists shall be provided for them.


Verification: Design, Inspection


4.2.2. Availability The GIS is a critical safety system. The system must have availability greater than 99.5%.

Regardless of availability, the system must default to a safe state in the event of component failure.




4.2.3. Reliability Failure modes of all critical components shall be evaluated and the design of all systems shall be such that

failure of one component shall result in a minimal performance reduction of the system. In no case shall

loss of any single component cause the loss of the safety function (see 3.1.3).

The entire system shall have a mean time between failures of at least 5000 hours. To achieve this system-

wide requirement, each subsystem’s LIC and related components shall have a mean time between failures

of at least 40000 hours.






4.2.4. Maintainability

4.2.4.1. Routine Maintenance Routine maintenance of the GIS shall cause minimum loss of observing time. The GIS shall be designed

such that routine maintenance will be completed in less than four hours per month by two qualified

technicians, without removal of any assembly from the telescope, and at night under enclosure interior

lighting.

Maintenance, replacement and repair schedules shall be provided for all components of the GIS requiring

such service.

Major maintenance must be accomplished within one week on at most a yearly basis.




4.2.4.2. Repairs Electronic components of the GIS shall be designed and installed in such a manner to ensure easy access

for diagnostics and replacement. Installation must be done so all necessary maintenance operations can be

effectively carried out without risk to personnel or to the telescope.

Critical components, such as but not limited to, PLC, I/O blocks, and power supplies shall be replaceable

at the module level to minimize down-time.

Repairs of all failures arising as a result of normal operations of the ATST shall be accomplished in no

more than 8 hours by two trained technicians.




4.2.4.3. Maintenance Equipment The GIS shall be designed to be maintained using standard tools and test equipment used by appropriately

trained personnel.

The builder shall provide all special tools and equipment necessary for initial set-up, maintenance, and

servicing operations required throughout the operational life of the GIS. This excludes common hand

tools, such as but limited to, wrenches, sockets, and Allen keys. Any special tools and equipment

necessary in dealing with the GIS shall be deliverable. Special tools shall be marked with the part

number.




4.3. HUMAN ENGINEERING

The design and implementation of the GIS shall allow ease of access to the controllers and HMIs.



Requirement Origin: Engineering, Operations



4.4. CONTROL HARDWARE

4.4.1. Safety Hardware The hardware selected for the GIS shall:

have a 1 out of 2 architecture, where either of the two channels can perform the safety function,

provide monitored input and output modules,

be capable of detecting single input failures,

provide high frequency pulse testing within diagnostic software,

utilize common, safety-certified functions, and

maintain commonality of components throughout the system

The GIS will include safety functions that require safety integrity up to and including SIL3. The GIS

architecture shall be constructed of SIL3-certified components or components suitable for use in a SIL3

system.

The specific type of hardware controllers, communication bridges, network switches, and I/O blocks and

relays will be specified by the Project. Unless otherwise approved by AURA, the GIS shall be constructed

of Rockwell Automation, GuardLogix PAC systems based on the Allen Bradley ControlLogix chassis. A

list of specified hardware and approved firmware revisions is in SPEC-0079 Approved Parts.




4.4.2. LIC Each subsystem shall have an associated LIC, which provides for the local safety control of the

subsystem.

Each LIC shall be comprised of

A GuardLogix PAC safety controller and its partner controller.

A ControlLogix backplane and power supply.

An Ethernet bridge module for communication with the GIS safety network

In some instances, the LIC may be associated with more than one subsystem. For these instances, the LIC

will reside independent of any control systems utilized for the associated subsystems.

In the cases where a LIC is associated with a single subsystem controller, vendors are recommended to

utilize the ControlLogix platform for their control system providing adequate backplane space for

coexistence of the LIC safety PAC and the associated communications module. This will facilitate the

integration of the safety system with the controller’s functions.




4.4.3. GIC The GIC shall be comprised of

A GuardLogix PAC safety controller and its partner controller.

A ControlLogix backplane and power supply.

A minimum of two (2) Ethernet bridge modules shall accompany the safety controllers for

communication to

o the GIS safety network and

o the OCS communication network.






4.5. NETWORK REQUIREMENTS

The safety network is an independent redundant Ethernet/IP network distributed throughout the facility.

No components other than those of the GIS shall be connected to this independent safety network.

4.5.1. Safety Network The GIS safety network shall be independent of all other facility networks.

At each location where either the GIC or a LIC is located, a managed network switch shall be installed.

Connections between each of these managed network switches shall be fiber optic pair cable. The fiber

shall be capable of no less than 1 Gb rates over distances of 200m. All cables runs shall be less than

200m. The fiber shall be compatible with the Ethernet port hardware installed in the network switch.

Where necessary, optical to copper converters shall be used. These converters shall not limit the

bandwidth capability of the specified safety network.

Each LIC shall be on a separate virtual LAN (VLAN). Each LIC shall be assigned a unique subnet. IP

addresses from that subnet will be assigned to the associated subsystem’s GIS components.




4.5.2. Global Interlock System Interface The GIS safety network shall use Ethernet/CIP safety protocol.

Access to the safety network shall be restricted to components of the GIS (GIC, the various LICs, and

distributed I/O).

The physical connectivity to the GIS network shall be Category 5e (or higher category) twisted pair or

multimode fiber pair where necessary due to length of run. AURA shall provide appropriate copper to

fiber converters.




4.5.3. Local Interlock Controller Interface

4.5.3.1. LIC to GIS Safety Network The EtherNet port shall be used to connect the LICs to the GIS safety network. The physical connectivity

to the GIS network shall be Category 5e (or higher category) twisted pair or multimode fiber pair where

necessary due to length of run.

Connection of this Ethernet port shall be to a managed network switch.

The managed network switch shall connect the LICs to the safety I/O blocks which connect the safety

interlocks and safety limits. Connectivity to this switch shall be Category 5e (or higher category) or where

necessary fiber pair. All Safety I/O blocks of the locally controlled subsystem/subassembly shall be

connected to this managed switch.






4.5.3.2. Additional Safety I/O Block(s) Port In the event that more than 250 EtherNet/IP connections are needed by a specific LIC, additional Ethernet

Interface cards may be added to the LIC backplane. This may also require the increase in size of the

standard LIC backplane and must be approved by AURA. Configuration of any additional Ethernet ports

must follow as outlined above (4.5.3.1) for the second EtherNet connection.




4.5.4. Global Interlock Controller Interface The GIC will have two Ethernet interfaces located within its chassis to provide communications with the

OCS (see 3.4.17) and other components of the GIS.

4.5.4.1. GIC to GIS Safety Network The first port shall connect the GIC to the GIS safety network. Connectivity to this port shall be fiber pair

or where necessary copper to fiber converter to fiber pair. Connection of this Ethernet port shall be to a

managed network switch. The switch is specified later in the control hardware section of this document.




4.5.4.2. Network Security Connectivity to the safety network shall be made only by components of the GIS. The managed

networked switch shall not allow unidentified devices to communicate on the independent safety network.

Specific devices needed for maintenance shall be configured to communicate on the independent safety

network.

All security shall be provided by the AURA.

External communication with the GIS shall be limited to obtaining the status of the GIS via the OCS

communications network.

Configuration of the network shall be password protected.




4.6. CONTROL SOFTWARE

4.6.1. Embedded Control Operation The control software for any portion of the GIS shall not rely on external resources. Upon power up, the

control program shall initialize and function independently regardless of connectivity to any network.




4.6.2. Change of Network Status Failure of the network shall not result in a loss of safety function. Failure of the network which causes

loss of communications with distributed I/O or a remote controller shall cause each such component of

the GIS to default to a safe state.



Restoration of the network function shall not automatically restore operation of the GIS without

intervention from the operator.




4.6.3. Operation following a rebooting or restarting Rebooting or restarting shall cause the portion of the GIS that was rebooted or restarted to enter a safe

state.

Rebooting or restarting shall not result in a loss of safety function.




4.6.4. Source Code All source code written for the GIS shall be provided by the builder.

The source code written for the GIS shall conform to the standard safety procedures as outlined by

Rockwell Automation in reference to GuardLogix™ safety PAC.

The source code shall be written using version 20 of RSLogix™ 5000 and shall be configured as ladder

logic unless otherwise approved by AURA.

The builder is responsible for overall integration of GIS components and shall provide a collected,

collated set of all source code utilized in the GIS. No portion of the source code provided for the limits

and safety interlock of a subsystem, the GIS portion of a control system, may be considered exempt

proprietary code. All source code must be understood and accepted by AURA as part of the verification,

test acceptance, and validation of the GIS.

All source code shall be developed in a manner consistent with good software practices including:

Use of certified function blocks.

Use of certified safety instructions.

Consistency of all “tags” utilized within GIS.

A consistent syntactical style shall be used throughout all GuardLogix™ PAC.

All source code (including comments, tag names, labels, and program names) shall be in English.




4.6.5. Source Documentation The builder shall document all source code in a manner consistent with good software practices including:

Source files shall have a header containing version number, revisions, author(s), and

functional description.

Source functions or methods shall have a description of the interface and operation of the

function.

All algorithms or operational sections of code shall be clearly commented.

All source code documentation shall be in English.






4.6.6. Revision Repository The GIS shall use a revision repository (such as CVS) for all phases of design, development, operation

and maintenance.




4.6.7. Security Since the GIS is critical to the safety of personnel and infrastructure, a “defense in depth” approach to

security shall be used.

Specific procedures shall be developed for patch management and routine maintenance of the GIS.




4.7. GENERAL FABRICATION REQUIREMENTS

4.7.1. Materials, Processes and Parts

4.7.1.1. Workmanship Workmanship shall be of a high grade of commercial practice and adequate to achieve the accuracies and

surface finishes called for on all drawings and in the specifications.




4.7.1.2. Materials All materials specified shall be new and of high-grade commercial quality. They shall be sound and free

from defects, both internal and external, such as cracks, laminations, inclusions, blow holes or porosity.




4.7.2. Drawings and Models All detail design drawings shall conform to ASME Y14.5M-1994 and ANSI Y32.2.

All drawings and project documentation shall be in accordance with SPEC-0002, Document and Drawing

Control Plan.

All detail design drawings shall be generated in (or transferable to) AutoCAD or AURA approved

equivalent.

These drawings, along with two complete printed hard copies, shall be provided to AURA upon

completion of the work.

All detail design drawings shall be in System International (metric) units with Imperial (inch) secondary

units shown in parentheses.

All design drawings shall be in English.






4.7.3. Technical Manuals All drawings and project documentation shall be in accordance with SPEC-0002, Design Document

Control Plan.

Manuals shall be prepared, containing all information related to maintenance and operation of the Global

Interlock System, so that the information in the manuals will be adequate to enable ATST project

personnel to perform the full range of expected operating and regular maintenance functions without the

need to seek information from a source other than the manuals.

The manuals shall have the maintenance and operating information organized into suitable sets of

manageable size, which shall be bound into individual binders identified on both the front and spine of

each binder, which is indexed (thumb-tabbed) and includes pocket folders for folded sheet information.

Two complete printed hard copies of these manuals shall be provided to AURA upon completion of the

work.

The manuals shall also be supplied in electronic form. The technical manuals shall be in Microsoft Word

format or other format approved by AURA.

Such information shall include, all information related to normal operations and procedures, emergency

operations and procedures, normal maintenance and procedures, emergency maintenance and procedures,

spare parts, warranties, wiring diagrams, inspection procedures, programs for safety logic, shop drawings,

product data, and similar applicable information.

All technical manuals shall be in English.




4.7.3.1. Final Design The builder shall provide a GIS Software Design Document (SDD). This document shall include all

details necessary to construct the GIS. This document shall be updated to show any design modifications

made during construction.




4.7.3.2. Operator’s Manual The builder shall provide a GIS operator’s manual to describe the use of the GIS by an ATST operator.

The manual shall describe operation during normal observations, setup, troubleshooting, and engineering.


Verification: Inspection


4.8. ENVIRONMENTAL REQUIREMENTS

The ATST telescope will be subjected to various environmental conditions. These conditions include the

operating in-specification conditions, operating off-specification conditions, non-operating conditions,

survival conditions and transportation and handling conditions. The GIS shall be designed and tested over

environments so that their performance in the Telescope shall meet all requirements of this Specification.



Other operations will impose further environmental requirements of which the GIS shall be designed to

withstand. These operations include, but are not limited to, storage conditions and shipment.

4.8.1. Operational Environment Telescope All portions of the GIS shall be capable of 100% functionality, continuously, located within the telescope

environment as specified in the following environmental conditions:

Condition Requirement

Altitude 3050m

Air temperature 0 to +25C

Relative Humidity 5% to 95% non-condensing

Gravity Orientation 0 to 90



Requirement Origin: Environmental

4.8.2. Survival Environment All portions of the GIS shall survive any combination of the following environmental conditions without

permanent damage and be capable of meeting all of the requirements of this specification after removal of

these conditions:


Altitude sea level to 15000m

Air temperature -20 to +50 C

Relative Humidity 5% to 95% non-condensing




4.8.3. Shipping Environment The GIS shall survive any combination of the following environmental conditions without damage or

requirement for repair when packaged in its storage/shipping containers :


Altitude sea level to 15000m

Air temperature -20 to +50 C

Relative Humidity 0% to 100% condensing

Shock 10.0g


