Project Documentation Document SPEC-0046
Rev A
Advanced Technology Solar Telescope 950 N. Cherry Avenue Tucson, AZ 85719 Phone 520-318-8102 [email protected] http://atst.nso.edu Fax 520-318-8500
Global Interlock System Specification
Scott Bulau, Tim Williams
Control Systems Group
October 8, 2012
Prepared By: Scott Bulau, Controls Engineer. Signature: S. Bulau. Date: 19 Oct 2012
Approved By: Rob Hubbard, Systems Engineer. Signature: R. Hubbard. Date: 26 Oct 2012
Global Interlock System Specification
SPEC-0046, Rev A Page ii
Revision Summary
1. Date: December 15, 2008 – August 24, 2009 Revision: Draft 1 Changes: Rewritten to incorporate the new adopted architecture of the GIS as proposed October 2008.
2. Date: August 25, 2009 – January 4, 2010 Revision: Draft 2 Changes: Changes to text regarding hardware and software.
3. Date: January 5, 2010 – January 10, 2010 Revision: Draft 3 Changes: Minor edits and formatting, addition of Table 2
4. Date: March 25, 2011– April 8, 2011 Revision: Draft 4 Changes: formatting changes, reformed some requirements, removed some over-specification, added additional approved components,
5. Date: December 19, 2011 Revision: Draft 5 Changes: Changed to Word 2010 .DOCX format. Modified references to EN954-1.
6. Date: June 15, 2012 Revision: Draft 6 Changes: Addition of requirement numbers, verification and origin.
7. Date: July 30, 2012 Revision: Draft 7 Changes: Addition of 11 instrument ICDs.
8. Date: October 8, 2012 Revision: A Changes: Inclusion of comments from GIS readiness review. Initial formal release for FDR, as revision-controlled document.
Global Interlock System Specification
SPEC-0046, Rev A Page iii
Table of Contents
1. Specification Overview ........ 1
1.1. OBJECTIVE ........ 1
1.2. SCOPE ........ 1
1.3. RELATED AND REFERENCE DOCUMENTS ........ 1
1.3.1. REFERENCE DOCUMENTS ........ 1
1.3.2. RELATED DOCUMENTS ........ 2
1.4. DEFINITIONS ........ 3
1.5. APPLICABLE CODES AND REQUIREMENTS ........ 4
2. Requirements for All Assemblies ........ 5
2.1. GENERAL DESCRIPTION ........ 5
2.2. GENERAL FUNCTIONAL REQUIREMENTS ........ 6
3. Functional Requirements ........ 7
3.1. INDIVIDUAL FUNCTIONAL REQUIREMENTS ........ 7
3.1.1. EMERGENCY STOP (EMERGENCY SHUTDOWN) FUNCTION ........ 7
3.1.2. SAFETY-RELATED CONTROL FUNCTIONS ........ 7
3.1.3. CONTROL RELIABILITY ........ 7
3.1.4. MONITOR CONTROLLER STATUS ........ 7
3.1.5. MONITOR SAFETY I/O ........ 8
3.1.6. MONITOR SAFETY NETWORK ........ 8
3.1.7. SAFETY DURING POWER LOSS ........ 8
3.1.8. GLOBAL COMMANDS ISSUED ........ 8
3.1.9. DISTRIBUTED SYSTEM ........ 9
3.1.10. RESPONSE TIME ........ 9
3.1.11. REAL CLOCK TIME ........ 9
3.2. HUMAN MACHINE INTERFACE REQUIREMENTS ........ 9
3.2.1. GIS STATUS AND ALARMS ........ 9
3.2.2. OPERATOR CONTROL ........ 9
3.2.3. ENGINEERING OPERATION ........ 10
3.2.4. GIC HMI ........ 10
3.2.5. LIC HMI ........ 10
3.3. THERMAL CONTROL ........ 10
3.4. INTERFACE REQUIREMENTS ........ 10
3.4.1. TELESCOPE MOUNT ASSEMBLY ........ 10
3.4.2. M1 ASSEMBLY ........ 10
3.4.3. TEOA ........ 11
3.4.4. FEED OPTICS ........ 11
3.4.5. WAVE FRONT CONTROL ........ 11
3.4.6. INSTRUMENTS ........ 11
3.4.7. POLARIMETRY ANALYSIS AND CALIBRATION ........ 11
3.4.8. MASTER CLOCK AND SYNCHRO NETWORK ........ 11
3.4.9. COUDÉ STATION ........ 11
3.4.10. COUDÉ ENVIRONMENTAL SYSTEMS ........ 12
3.4.11. VISIBLE BROADBAND IMAGER ........ 12
3.4.12. VISIBLE SPECTRO-POLARIMETER ........ 12
3.4.13. DIFFRACTION LIMITED NEAR-IR SPECTROPOLARIMETER ........ 12
3.4.14. CRYOGENIC NEAR-IR SPECTROPOLARIMETER ........ 12
3.4.15. VISIBLE TUNABLE FILTER ........ 12
3.4.16. CAMERA SYSTEMS ........ 12
3.4.17. OBSERVATORY CONTROL SYSTEM ........ 13
3.4.18. ENCLOSURE ........ 13
3.4.19. SUPPORT FACILITY AND BUILDINGS ........ 13
3.4.20. FACILITY THERMAL SYSTEMS ........ 13
3.4.21. UTILITY SERVICE INTERFACE ........ 13
4. Design Requirements ........ 14
4.1. SAFETY STANDARDS AND GUIDELINES ........ 14
4.2. MAINTENANCE ........ 14
4.2.1. SERVICE LIFETIME ........ 14
4.2.2. AVAILABILITY ........ 14
4.2.3. RELIABILITY ........ 14
4.2.4. MAINTAINABILITY ........ 15
4.3. HUMAN ENGINEERING ........ 15
4.4. CONTROL HARDWARE ........ 16
4.4.1. SAFETY HARDWARE ........ 16
4.4.2. LIC ........ 16
4.4.3. GIC ........ 16
4.5. NETWORK REQUIREMENTS ........ 17
4.5.1. SAFETY NETWORK ........ 17
4.5.2. GLOBAL INTERLOCK SYSTEM INTERFACE ........ 17
4.5.3. LOCAL INTERLOCK CONTROLLER INTERFACE ........ 17
4.5.4. GLOBAL INTERLOCK CONTROLLER INTERFACE ........ 18
4.6. CONTROL SOFTWARE ........ 18
4.6.1. EMBEDDED CONTROL OPERATION ........ 18
4.6.2. CHANGE OF NETWORK STATUS ........ 18
4.6.3. OPERATION FOLLOWING A REBOOTING OR RESTARTING ........ 19
4.6.4. SOURCE CODE ........ 19
4.6.5. SOURCE DOCUMENTATION ........ 19
4.6.6. REVISION REPOSITORY ........ 20
4.6.7. SECURITY ........ 20
4.7. GENERAL FABRICATION REQUIREMENTS ........ 20
4.7.1. MATERIALS, PROCESSES AND PARTS ........ 20
4.7.2. DRAWINGS AND MODELS ........ 20
4.7.3. TECHNICAL MANUALS ........ 21
4.8. ENVIRONMENTAL REQUIREMENTS ........ 21
4.8.1. OPERATIONAL ENVIRONMENT TELESCOPE ........ 22
4.8.2. SURVIVAL ENVIRONMENT ........ 22
4.8.3. SHIPPING ENVIRONMENT ........ 22
1. SPECIFICATION OVERVIEW
1.1. OBJECTIVE
This document provides design requirements and specifications for the ATST Global Interlock System (GIS). It specifies compliance with national consensus standards at the hardware, software and system levels, as well as the design, procurement and programming of the GIS. Factory assembly, factory acceptance testing, site assembly and site acceptance testing for the ATST GIS are also specified.
The primary goal of the GIS is to eliminate the risk of injury to personnel and to prevent physical damage
to the telescope, instruments and other infrastructure of the ATST. The GIS is not a single programmable
system. It is a system made up of distributed, independent safety controllers that are integrated in the
various subsystems of the facility. These controllers are tied together through use of an independent safety
network that implements safety functions of all systems observatory wide.
The requirements of the GIS will be monitored through the factory construction of the subassemblies.
Testing and verification will be required at the subassembly level prior to acceptance of a particular
subassembly. Testing and verification will be required at the networked level for final acceptance of the
central control and system level response.
1.2. SCOPE
The requirements of the ATST GIS are stated in the global sense. Implementing the GIS is a combined effort between the project and the subsystem vendors: the project is responsible for building and configuring each LIC, while the subsystem vendors are responsible for providing the safety I/O connected to the individual limits and interlocks. Specific requirements for the LIC and the safety I/O are defined in this specification.
A specified ATST interface control document (ICD) defines the safety limits and interlocks required for each subsystem. These are the safety I/O points to be interfaced to the subsystem's distributed portion of the GIS. The status of these safety limits and interlocks is reported throughout the GIS, propagating the necessary response to all ATST subsystems.
1.3. RELATED AND REFERENCE DOCUMENTS
The following documents form a part of this Specification. Any other documents referenced in any of
these documents also form a part of the Specification.
1.3.1. Reference Documents
1.3.1.1. National Consensus Standards
ANSI/RIA R15.06-1999, American National Standard for Industrial Robots and Robot Systems – Safety Requirements
NFPA 79, Electrical Standard for Industrial Machinery, 2007 Edition
1.3.1.2. International Standards
ISO 13849, Safety of Machinery—Safety-related parts of control systems
ISO 13850, Safety of Machinery—Emergency Stop—Principles for design
IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems
IEC/EN 62061, Safety of machinery: Functional safety of electrical, electronic and programmable
electronic control systems
1.3.1.3. Industry Standards
ANSI/TIA/EIA 568-B, Commercial Building Telecommunications Cabling Standard
ASM Consortium Guidelines: Effective Operator Display Design
1.3.1.4. Engineering Drawing Practices
ASME Y14.1, Drawing sheet size and format
ASME Y14.100- Engineering drawing and practices
ASME Y14.5-1994, “Dimensioning and Tolerancing”
ASME Y14.24, “Types and Applications of Engineering Drawings”
ASME Y14.35, “Drawing Revisions”
1.3.2. Related Documents
1.3.2.1. ATST Specification Documents
The following documents contain information applicable to the design of the ATST Global Interlock System.
PMCS-0023, Requirements Definition
SPEC-0002, Document and Drawing Control Plan
SPEC-0012, ATST Acronym List and Glossary
SPEC-0013, Software Operational Controls Definition Document
SPEC-0022, ATST Common Services Users’ Manual
SPEC-0041, ATST Spares Policy
SPEC-0061, ATST Hazard Analysis Plan
SPEC-0063, Interconnects and Services
SPEC-0070, General Specifications for the Design and Fabrication of ATST
SPEC-0079, Approved Parts
SPEC-0141, Global Interlock System Operational Concepts Document
1.3.2.2. ATST Interface Control Documents
The Global Interlock System shall meet the requirements of the following interface control documents:
ICD 1.1-4.5, Telescope Mount Assembly to Global Interlock System
ICD 1.2-4.5, M1 Assembly to Global Interlock System
ICD 1.3-4.5, TEOA to Global Interlock System
ICD 1.5-4.5, Feed Optics to Global Interlock System
ICD 2.1-4.5, Wave Front Control-Coudé to Global Interlock System
ICD 3.0-4.5, Instruments to Global Interlock System
ICD 3.1.1-4.5, Polarimetry Analysis and Calibration to Global Interlock System
ICD 3.1.2-4.5, Master Clock and Synchro Network to Global Interlock System
ICD 3.1.3-4.5, Coudé Station to Global Interlock System
ICD 3.1.5-4.5, Coudé Environmental Systems to Global Interlock System
ICD 3.2-4.5, Visible Broadband Imager to Global Interlock System
ICD 3.3-4.5, Visible Spectro-polarimeter to Global Interlock System
ICD 3.4.1-4.5, Diffraction Limited Near-IR Spectropolarimeter to Global Interlock System
ICD 3.4.2-4.5, Cryogenic Near-IR Spectropolarimeter to Global Interlock System
ICD 3.5-4.5, Visible Tunable Filter to Global Interlock System
ICD 3.6-4.5, Camera Systems to Global Interlock System
ICD 4.2-4.5, Observatory Control System to Global Interlock System
ICD 4.5-5.0, Global Interlock System to Enclosure
ICD 4.5-6.0, Global Interlock System to Support Facility and Buildings
ICD 4.5-6.3, Global Interlock System to Facility Equipment
ICD 4.5-6.7, Global Interlock System to Facility Thermal Systems
1.4. DEFINITIONS
The following terms are defined and their usage throughout this document will be consistent with these
definitions. See SPEC-0012, ATST Acronym List and Glossary, for terms not listed below.
ASM: Abnormal Situation Management.
Category: Classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behavior in the fault condition, which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability.1
Control Reliable: Safety circuitry designed, constructed and applied such that any single component failure shall not prevent the stopping action of the equipment.2
E/E/PE: Electrical/electronic/programmable electronic.
Emergency Stop System (ESS): A series of emergency stop devices (buttons) distributed throughout the facility. The activation of any one of these devices causes a facility-wide control function stop.
Global Interlock Controller (GIC): The GIC acts as the local interlock controller for the facility's safety I/O and also provides the centralized processing of all distributed safety responses.
Global Interlock System (GIS): The GIS refers to all or any portion of the safety system which monitors and acts upon controls in order to provide safety to personnel, equipment and the telescope/enclosure.
Interlock: An arrangement whereby the operation of one control or mechanism allows or prevents the operation of another.
Interlock Condition: An interlock condition exists if an M2 Module system or mechanism initiates the GIS to limit telescope function because it has detected a possible safety conflict.
Interlock Override: An interlock override is a manually set condition of the GIS that informs a system to ignore a particular interlock condition.
Local Interlock Controller (LIC): The LIC is a subsystem's distributed part of the GIS. It acts as an independent safety control for the subsystem and provides global information to the GIC.
PL: Performance Level. Discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions.3 Performance levels are denoted a, b, c, d or e, PL a being the lowest and PL e the highest.
SIL: Safety Integrity Level. Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 the lowest.4
SRCF: Safety-Related Control Function. Control function implemented by a SRECS (safety-related electrical control system) with a specified integrity level that is intended to maintain the safe condition of the machine or prevent an immediate increase of the risk(s).5
Validation: Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.6
1 ISO 13849-1 §3.1.2
2 ANSI/RIA R15.06-1999 §4.5.4
3 ISO 13849-1 §3.1.23
4 IEC 61508-4 §3.5.6
5 IEC 62061 §3.2.16
6 IEC 61508-4 §3.8.2
Verification: Confirmation by examination and provision of objective evidence that the requirements have been fulfilled.7
1.5. APPLICABLE CODES AND REQUIREMENTS
The design and implementation of the Global Interlock System shall comply with the National Consensus
Standards ANSI/RIA R15.06-1999 and NFPA 79.
The architecture of the Global Interlock System shall comply with applicable safety codes such that it may be certified for use in functions up to SIL 3 under IEC 61508, or Category 4, PL e under ISO 13849-1.
7 IEC 61508-4 § 3.8.1
2. REQUIREMENTS FOR ALL ASSEMBLIES
2.1. GENERAL DESCRIPTION
Because of the disparate nature of the subsystems of the ATST facility, it is desirable to implement a uniform and coherent system to ensure safety throughout the facility rather than rely on each subsystem to implement safety functions on an ad hoc basis.
The Global Interlock System (GIS) monitors safety limits and safety interlocks throughout the ATST facility and, as necessary, enables or disables controlled mechanisms in order to maintain safety and prevent injury to personnel and damage to equipment.
The GIS is implemented as a distributed safety system rather than a centralized one. The distribution is accomplished through Local Interlock Controllers (LICs). Each ATST subsystem is required to interface to the GIS through a LIC. The LIC is required to maintain safety control of its assigned subsystem(s), and to do so as a standalone system. The LIC is also required to communicate its status to the centralized Global Interlock Controller (GIC).
The GIC determines the interrelation of the distributed LICs and issues safety commands to other LICs as necessary in response to a given condition. The GIC and LICs communicate over a safety network, separate from the observatory's control and data networks. The GIC also communicates with the Observatory Control System (OCS) over an Ethernet communications network; this connection allows the GIC to provide the OCS with continuous status of all safety conditions throughout the ATST facility.
Table 1 lists the subsystems that require a LIC; these LICs interface with the GIC over the safety network to form the entire GIS.
Table 1 – Local Interlock Controller with Associated Subsystem/Subassembly
LIC: Subsystem/Subassembly
Optical Support Structure (OSS): Top End Optical Assembly (TEOA); M1 Active Controller & Thermal Controller; Feed Optics & Polarization Analysis and Calibration (PAC)
Mount Base: Telescope Mount Drive Controllers
Coudé Rotator: Coudé Drive Controller
Instrumentation Systems: Wave Front Controller; Science Instruments
Enclosure Motion Control: Enclosure Motion
Facility Thermal Control: Facility Thermal System
Facilities: Utilities/Facilities
2.2. GENERAL FUNCTIONAL REQUIREMENTS
The functional requirements for the GIS are as follows:
- Provide control reliable safety functions.
- Provide an Emergency Stop safety function as an additional safeguard.
- Provide continuous status of the GIS to the operator and the Observatory Control System (OCS).
It is not the responsibility of the GIS to maintain the status or general health of the subsystems or the facility; that is the responsibility of the individual subsystem controllers. The GIS is concerned only with the safety aspects of the subsystems.
3. FUNCTIONAL REQUIREMENTS
3.1. INDIVIDUAL FUNCTIONAL REQUIREMENTS
3.1.1. Emergency Stop (Emergency Shutdown) Function
The GIS shall provide an emergency stop (emergency shutdown) safety function. The emergency shutdown shall override all other functions and bring the entire facility to a safe state with a single human-initiated action.
The emergency stop (emergency shutdown) function shall be a category 0 or category 1 stop (category 0: immediate removal of power to the machine actuators; category 1: a controlled stop with power available to achieve it, followed by removal of power), so that in either case the power source to the machine actuators is removed.
Emergency shutdown devices (mushroom head push buttons, cable pull devices) shall be provided at each operator location and at other locations as required. They shall be positioned for safe and easy access by the operator and others who may need to operate them.
Requirement Number: 4.5-0010
Verification: Design, Factory and Site Test
Requirement Origin: Safety
3.1.2. Safety-Related Control Functions
3.1.2.1. Safety Function
Based on hazard analyses, each LIC will be programmed to achieve one or more safety functions. The LIC shall maintain or achieve a safe state for equipment under control by constantly evaluating one or more inputs (from subsystem I/O or the GIC) and enabling and/or disabling the appropriate outputs.
Requirement Number: 4.5-0020
Verification: Design, Analysis, Factory and Site Test
Requirement Origin: Safety
3.1.2.2. Safety Integrity
Based on hazard analyses, each safety function will have a safety integrity requirement. The LIC shall meet the safety integrity requirement of each safety function.
Requirement Number: 4.5-0030
Verification: Design, Analysis
Requirement Origin: Safety
3.1.3. Control Reliability
Loss of any single component shall not cause the loss of the safety function.
Any single component failure should be detected before or at the next demand on the component. An accumulation of undetected faults shall not cause the loss of the safety function.
Requirement Number: 4.5-0040
Verification: Design
Requirement Origin: Safety
3.1.4. Monitor Controller Status
Each controller shall monitor itself for faults. On the detection of a fault, the system shall default to a safe state.
Requirement Number: 4.5-0050
Verification: Design
Requirement Origin: Safety
3.1.5. Monitor Safety I/O
All safety-related I/O (limits, interlocks, and outputs) of a subsystem shall be routed to that subsystem's associated LIC.
The LIC shall monitor the safety I/O module self-diagnostics.
In the event of a fault detected by the self-diagnostics, the affected safety functions shall default to a safe
state.
Requirement Number: 4.5-0060
Verification: Design, Factory and Site Test
Requirement Origin: Safety
3.1.6. Monitor Safety Network
The LIC shall continuously monitor the safety network which connects the subsystem to the GIS.
In the event of a failure of any part of the network, the affected safety functions shall default to a safe state.
Requirement Number: 4.5-0070
Verification: Design, Factory and Site Test
Requirement Origin: Safety
3.1.7. Safety During Power Loss
The GIS shall be connected to the facility UPS system. This connection shall also be provided with generator back-up.
During the loss of main observatory power, the GIS shall continue to monitor the status of the safety I/O and the ESS.
Each LIC shall apply necessary safety function control, bringing the telescope and equipment to a safe
state upon power loss.
In the event of loss of power to any part of the system, the affected safety functions shall default to a safe
state.
Requirement Number: 4.5-0080
Verification: Design, Factory and Site Test
Requirement Origin: Engineering, Safety
3.1.8. Global Commands Issued
The GIS is a hierarchical control system. The GIC is the only component of the GIS that issues commands. Commands to each LIC are routed through the safety network.
LICs shall communicate the status of all safety functions to the GIC. LICs shall not communicate directly with other LICs.
For each safety function that involves subsystems connected to different LICs, the GIC shall evaluate the
state of the safety functions from individual LICs and issue commands to other LICs to maintain or
achieve a safe state.
Requirement Number: 4.5-0090
Verification: Design, Factory and Site Test
Requirement Origin: Engineering
3.1.9. Distributed System
Each individual LIC shall maintain the local safety functions of its subsystem independently of the entire GIS.
Requirement Number: 4.5-0100
Verification: Design, Factory and Site Test
Requirement Origin: Safety
3.1.10. Response Time
The response time of the GIS to a change in inputs shall be less than 200 milliseconds. The GIS must either respond correctly to the input, or the output must default to the safe state, within the 200 millisecond response time.
Requirement Number: 4.5-0110
Verification: Design, Analysis, Factory and Site Test
Requirement Origin: Safety
3.1.11. Real Clock Time
The GIS shall be capable of time-stamping faults with an accuracy of 100 milliseconds.
Requirement Number: 4.5-0120
Verification: Design
Requirement Origin: Engineering
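The behaviour required by 3.1.3 through 3.1.11 (single-fault detection, fault-to-safe defaults, network monitoring, GIC-only commands, LIC independence, timestamped faults) can be exercised in a small model. The following Python is an added example written for this page; it is not ATST or GIS code. It assumes dual-channel wiring for each limit input, a 200 ms silence threshold on the safety network (borrowed from the response budget in 3.1.10), a latched trip that only an operator reset clears, and a dependency-rule format chosen for the example; the LIC and input names in the scenario are constructed.

```python
"""Added example (not ATST code): a model of the LIC/GIC hierarchy in 3.1.3 to 3.1.11.
Dual-channel inputs, the 200 ms network timeout, latched trips and the dependency-rule
format are assumptions made for this example; the names in scenario() are constructed."""
from dataclasses import dataclass, field
from enum import Enum

SAFE, RUN = False, True      # a de-energised output (False) is the safe state
NET_TIMEOUT_MS = 200         # assumption: silence on the safety network longer than the
                             # 200 ms response budget of 3.1.10 counts as a network failure


class Fault(Enum):
    CHANNEL_MISMATCH = "dual-channel input disagreement"
    IO_DIAGNOSTIC = "safety I/O module self-diagnostic failure"
    NET_TIMEOUT = "safety network timeout"


@dataclass
class DualChannelInput:
    """A limit or interlock wired on two channels (assumption). Both must agree; a
    disagreement is a single-component failure that has to be detected (3.1.3)."""
    name: str
    ch_a: bool = True        # True = contact closed = permissive
    ch_b: bool = True

    def evaluate(self):
        if self.ch_a != self.ch_b:
            return SAFE, Fault.CHANNEL_MISMATCH
        return (RUN if self.ch_a else SAFE), None


@dataclass
class LIC:
    name: str
    inputs: list
    io_diag_ok: bool = True
    gic_permit: bool = True          # last command received from the GIC
    last_gic_msg_ms: int = 0
    tripped: bool = False            # latched until an operator reset (3.2.2)
    active: set = field(default_factory=set)
    fault_log: list = field(default_factory=list)

    def receive_command(self, permit, now_ms):
        self.gic_permit = permit
        self.last_gic_msg_ms = now_ms

    def scan(self, now_ms):
        """One evaluation of the local safety function; runs with or without the GIC (3.1.9)."""
        found = set()
        if not self.io_diag_ok:                               # 3.1.5
            found.add(Fault.IO_DIAGNOSTIC)
        if now_ms - self.last_gic_msg_ms > NET_TIMEOUT_MS:   # 3.1.6
            found.add(Fault.NET_TIMEOUT)
        enable = RUN
        for inp in self.inputs:
            state, fault = inp.evaluate()
            if fault is not None:
                found.add(fault)
            enable = enable and state
        for fault in found - self.active:                     # log each new fault once,
            self.fault_log.append((now_ms, self.name, fault.value))  # timestamped (3.1.11)
        self.active = found
        if found:
            self.tripped = True                               # any fault -> safe state (3.1.4)
        if self.tripped:
            return SAFE
        return enable and self.gic_permit

    def reset(self):
        """Operator reset of a latched trip; a fault still present re-trips on the next scan."""
        self.tripped = False


class GIC:
    """The only component that issues commands (3.1.8). depends_on maps a LIC to the LICs
    whose safety functions must be healthy before it is permitted to run (assumed format)."""

    def __init__(self, lics, depends_on):
        self.lics = {lic.name: lic for lic in lics}
        self.depends_on = depends_on

    def cycle(self, now_ms):
        # Collect status from every LIC; LICs never talk to each other directly.
        states = {name: lic.scan(now_ms) for name, lic in self.lics.items()}
        # Command every LIC each cycle; the message doubles as the network heartbeat.
        for name, lic in self.lics.items():
            permit = all(states[dep] for dep in self.depends_on.get(name, ()))
            lic.receive_command(permit, now_ms)
        return states


def scenario():
    """Constructed run: one channel of the mount limit fails open, the operator resets,
    then the safety network to the coudé LIC goes quiet."""
    mount = LIC("Mount Base", [DualChannelInput("azimuth limit")])
    coude = LIC("Coude Rotator", [DualChannelInput("rotator limit")])
    gic = GIC([mount, coude], depends_on={"Coude Rotator": ["Mount Base"]})
    trace = [gic.cycle(0)]                            # all healthy
    mount.inputs[0].ch_a = False                      # one channel opens: discrepancy
    trace.append(gic.cycle(50))                       # mount trips; GIC withdraws coudé permit
    trace.append(gic.cycle(100))                      # coudé is now safe by command
    mount.inputs[0].ch_a = True                       # wiring repaired ...
    mount.reset()                                     # ... and trip reset by the operator
    trace.append(gic.cycle(150))                      # mount runs; coudé re-permitted next cycle
    trace.append(gic.cycle(200))
    trace.append({"Coude Rotator": coude.scan(401)})  # 201 ms with no GIC message: safe alone
    return trace, mount.fault_log, coude.fault_log
```

Two things the run makes visible. A cross-LIC response costs one extra GIC cycle: the mount trip at 50 ms reaches the coudé output only at the 100 ms cycle, so the GIC scan period plus the LIC scan time must together fit inside the 200 ms budget of 3.1.10. And the final step shows the coudé LIC dropping to the safe state without receiving any command at all, which is what 3.1.6 and 3.1.9 require when the network, or the GIC itself, is lost.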
3.2. HUMAN MACHINE INTERFACE REQUIREMENTS
The GIS shall have a touch screen Human Machine Interface (HMI) for personnel to control and operate
the entire GIS.
The HMI display and operation shall follow Abnormal Situation Management (ASM) Consortium
guidelines.
The HMI display shall update at a 1 Hz rate.
Requirement Number: 4.5-0130
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations, Safety
3.2.1. GIS Status and Alarms
The HMI display shall include the current state of all safety functions, the status of the safety network, the status of the safety controllers and the status of the distributed safety I/O.
The HMI shall provide read-only display of all trips and faults of the GIS. This display shall always be
available.
Requirement Number: 4.5-0140
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations, Safety
3.2.2. Operator Control
The HMI shall provide a password-protected means to reset trips, mute alarms, and override interlocks.
Operator actions shall be logged.
Requirement Number: 4.5-0150
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations, Safety
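One way to implement the password-protected, logged operator actions of 3.2.2 while keeping the read-only display of 3.2.1 available without a password. This is an added example, not ATST or GIS HMI code; the PBKDF2 credential store, its iteration count, the injected clock, and the operator and interlock names are assumptions made for the example.

```python
"""Added example (not ATST code): password-gated operator actions with an audit trail,
modelled on 3.2.1 and 3.2.2. The credential store, hashing parameters, clock source
and operator names are assumptions made for this example."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumption; tune to the HMI hardware
DUMMY_SALT = bytes(16)            # used to equalise timing for unknown operator names


def make_credential(password):
    """Store a salted PBKDF2-SHA256 digest, never the password itself (assumption)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class OperatorHMI:
    PROTECTED = ("reset_trip", "mute_alarm", "override_interlock")

    def __init__(self, credentials, clock):
        self.credentials = credentials   # {operator name: (salt, digest)}
        self.clock = clock               # returns a timestamp; injected so the example runs offline
        self.audit = []                  # every attempt, allowed or refused (3.2.2: actions logged)
        self.trips = {}                  # interlock name -> tripped?
        self.muted = set()
        self.overrides = set()

    def status(self):
        """Read-only view of trips, overrides and mutes; no password needed (3.2.1)."""
        return {"trips": dict(self.trips),
                "overrides": sorted(self.overrides),
                "muted": sorted(self.muted)}

    def _authenticate(self, operator, password):
        stored = self.credentials.get(operator)
        if stored is None:
            # Run the KDF anyway so an unknown name costs the same as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ROUNDS)
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def act(self, operator, password, action, target):
        """Perform a protected action; refusals are logged exactly like successes."""
        allowed = action in self.PROTECTED and self._authenticate(operator, password)
        self.audit.append((self.clock(), operator, action, target,
                           "allowed" if allowed else "refused"))
        if not allowed:
            return False
        if action == "reset_trip":
            self.trips[target] = False
        elif action == "mute_alarm":
            self.muted.add(target)
        else:
            self.overrides.add(target)
        return True


def demo():
    """Constructed session: a wrong password, a good one, an unknown operator, a good override."""
    salt, digest = make_credential("correct horse battery")   # constructed credential
    ticks = iter(range(0, 4000, 1000))                         # fake clock: 0, 1000, 2000, 3000
    hmi = OperatorHMI({"operator1": (salt, digest)}, clock=lambda: next(ticks))
    hmi.trips["mount azimuth limit"] = True
    results = (
        hmi.act("operator1", "wrong password", "reset_trip", "mount azimuth limit"),
        hmi.act("operator1", "correct horse battery", "reset_trip", "mount azimuth limit"),
        hmi.act("intruder", "correct horse battery", "override_interlock", "coude rotator"),
        hmi.act("operator1", "correct horse battery", "override_interlock", "coude rotator"),
    )
    return results, hmi.status(), hmi.audit
```

The points worth carrying into a real HMI are that refused attempts are logged with the same detail as allowed ones, that the status view needs no credential at all, and that an unknown operator name and a wrong password take the same time and produce the same refusal, so the log, not the response, is where an auditor distinguishes them.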
3.2.3. Engineering Operation
The HMI shall provide engineering screens that show low-level (individual hardware) status and error codes to aid in troubleshooting. These screens shall be password-protected.
Requirement Number: 4.5-0160
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations, Safety
3.2.4. GIC HMI
The GIC shall have a touch screen HMI mounted in its electronics rack.
Requirement Number: 4.5-0170
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations
3.2.5. LIC HMI
Each LIC shall have a port to which an HMI can be connected.
An HMI connected at a LIC shall be capable of operating and controlling the entire GIS.
Requirement Number: 4.5-0180
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Operations
3.3. THERMAL CONTROL
Components of the GIS that are located in thermally-sensitive spaces shall be cooled.
Components of the GIS that are located in thermally-sensitive spaces shall produce a net thermal load of
less than 20 watts.
Requirement Number: 4.5-0190
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Science
3.4. INTERFACE REQUIREMENTS
The GIS interfaces to a number of subsystems in the facility. The details of the interface are described in
the respective Interface Control Document (ICD).
The style of interface differs with the contractual arrangement between the GIS and the subsystem supplier. In some cases the interface is at the specific limit and interlock hardware; in others it is at the distributed I/O network connection; and where the LIC is provided by the subsystem supplier, the interface is between the LIC and the GIC.
3.4.1. Telescope Mount Assembly
The GIS shall comply with the interface as defined in ICD 1.1-4.5, Telescope Mount Assembly to Global
Interlock System.
Requirement Number: 4.5-0200
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.2. M1 Assembly
The GIS shall comply with the interface as defined in ICD 1.2-4.5, M1 Assembly to Global Interlock
System.
Requirement Number: 4.5-0210
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.3. TEOA
The GIS shall comply with the interface as defined in ICD 1.3-4.5, TEOA to Global Interlock System.
Requirement Number: 4.5-0220
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.4. Feed Optics
The GIS shall comply with the interface as defined in ICD 1.5-4.5, Feed Optics to Global Interlock
System.
Requirement Number: 4.5-0230
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.5. Wave Front Control
The GIS shall comply with the interface as defined in ICD 2.1-4.5, Wave Front Control-Coudé to Global
Interlock System.
Requirement Number: 4.5-0240
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.6. Instruments
The GIS shall comply with the interface as defined in ICD 3.0-4.5, Instruments to Global Interlock
System.
Requirement Number: 4.5-0250
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.7. Polarimetry Analysis and Calibration
The GIS shall comply with the interface as defined in ICD 3.1.1-4.5, Polarimetry Analysis and
Calibration to Global Interlock System.
Requirement Number: 4.5-0260
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.8. Master Clock and Synchro Network
The GIS shall comply with the interface as defined in ICD 3.1.2-4.5, Master Clock and Synchro Network
to Global Interlock System.
Requirement Number: 4.5-0270
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.9. Coudé Station
The GIS shall comply with the interface as defined in ICD 3.1.3-4.5, Coudé Station to Global Interlock
System.
Requirement Number: 4.5-0280
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.10. Coudé Environmental Systems
The GIS shall comply with the interface as defined in ICD 3.1.5-4.5, Coudé Environmental Systems to
Global Interlock System.
Requirement Number: 4.5-0290
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.11. Visible Broadband Imager
The GIS shall comply with the interface as defined in ICD 3.2-4.5, Visible Broadband Imager to Global
Interlock System.
Requirement Number: 4.5-0300
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.12. Visible Spectro-polarimeter
The GIS shall comply with the interface as defined in ICD 3.3-4.5, Visible Spectro-polarimeter to Global
Interlock System.
Requirement Number: 4.5-0310
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.13. Diffraction Limited Near-IR Spectropolarimeter
The GIS shall comply with the interface as defined in ICD 3.4.1-4.5, Diffraction Limited Near-IR
Spectropolarimeter to Global Interlock System.
Requirement Number: 4.5-0320
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.14. Cryogenic Near-IR Spectropolarimeter
The GIS shall comply with the interface as defined in ICD 3.4.1-4.5, Cryogenic Near-IR
Spectropolarimeter to Global Interlock System.
Requirement Number: 4.5-0330
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.15. Visible Tunable Filter
The GIS shall comply with the interface as defined in ICD 3.5-4.5, Visible Tunable Filter to Global
Interlock System.
Requirement Number: 4.5-0340
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.16. Camera Systems
The GIS shall comply with the interface as defined in ICD 3.6-4.5, Camera Systems to Global Interlock
System.
Requirement Number: 4.5-0350
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.17. Observatory Control System
The GIS shall comply with the interface as defined in ICD 4.2-4.5, Observatory Control System to Global
Interlock System.
Requirement Number: 4.5-0360
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.18. Enclosure
The GIS shall comply with the interface as defined in ICD 4.5-5.0, Global Interlock System to Enclosure.
Requirement Number: 4.5-0370
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.19. Support Facility and Buildings
The GIS shall comply with the interface as defined in ICD 4.5-6.0, Global Interlock System to Support
Facility and Buildings.
Requirement Number: 4.5-0380
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.20. Facility Thermal Systems
The GIS shall comply with the interface as defined in ICD 4.5-6.7, Global Interlock System to Facility
Thermal Systems.
Requirement Number: 4.5-0390
Verification: Design, Inspection, Test
Requirement Origin: Engineering
3.4.21. Utility Service Interface
The GIC shall be mounted in a cooled electronics enclosure, which shall be supplied with power and coolant
as indicated in SPEC-0063.
Requirement Number: 4.5-0400
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4. DESIGN REQUIREMENTS
4.1. SAFETY STANDARDS AND GUIDELINES
The GIS shall meet or exceed the requirements of NFPA 79, 2007 edition.
The GIS shall meet or exceed the requirements of ANSI/RIA R15.06-1999.
The GIS shall follow good engineering practice and meet or exceed the requirements of the National
Electrical Code, OSHA regulations, and any other applicable laws and regulations.
Requirement Number: 4.5-0410
Verification: Design
Requirement Origin: Safety
4.2. MAINTENANCE
The lifetime of the ATST telescope is expected to be in excess of forty years. The objective of the facility
is to allow maximum telescope use and quality for the given weather conditions of any day of the year.
The remote nature of the site puts a premium on having robust systems that are easily repaired and
maintained.
4.2.1. Service Lifetime
All assemblies, subassemblies, components, parts, and mechanical systems should be designed to exceed
the lifetime of the facility. The designer shall identify any and all items not designed to exceed this lifetime,
and maintenance procedures and spares lists shall be provided for them.
Requirement Number: 4.5-0420
Verification: Design, Inspection
Requirement Origin: Operations
4.2.2. Availability
The GIS is a critical safety system. The system must have availability greater than 99.5%.
Regardless of availability, the system must default to a safe state in the event of component failure.
Requirement Number: 4.5-0430
Verification: Design, Analysis
Requirement Origin: Operations
4.2.3. Reliability
Failure modes of all critical components shall be evaluated and the design of all systems shall be such that
failure of one component shall result in a minimal performance reduction of the system. In no case shall
loss of any single component cause the loss of the safety function (see 3.1.3).
The entire system shall have a mean time between failures of at least 5000 hours. To achieve this system-
wide requirement, each subsystem’s LIC and related components shall have a mean time between failures
of at least 40000 hours.
Requirement Number: 4.5-0440
Verification: Design, Analysis
Requirement Origin: Operations
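The arithmetic that links the two figures above is not written out in the specification; the following is an added illustration (not part of SPEC-0046) that assumes the simplest model: the GIS is a series system of $n$ independent units, each with a constant failure rate, and any unit failure is a system failure. Under that model the failure rates add:

$$\lambda_{\text{sys}} = \sum_{i=1}^{n} \lambda_i = \frac{n}{\text{MTBF}_{\text{unit}}}, \qquad
\text{MTBF}_{\text{sys}} = \frac{\text{MTBF}_{\text{unit}}}{n}$$

With $\text{MTBF}_{\text{unit}} = 40000\ \text{h}$ and the system target $\text{MTBF}_{\text{sys}} \ge 5000\ \text{h}$,

$$n \le \frac{40000\ \text{h}}{5000\ \text{h}} = 8,$$

so the per-subsystem figure supports up to eight such units in series. Taking the 8 h repair limit of 4.2.4.2 as the mean time to repair, the steady-state availability at the system MTBF is

$$A = \frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}} = \frac{5000}{5000 + 8} \approx 0.9984,$$

which clears the 99.5% of 4.2.2. The series model counts units whose failure takes the system down; the loss of the safety function itself is what the channel redundancy of 4.4.1 guards against, and that is a separate argument.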
4.2.4. Maintainability
4.2.4.1. Routine Maintenance
Routine maintenance of the GIS shall cause minimum loss of observing time. The GIS shall be designed
such that routine maintenance will be completed in less than four hours per month by two qualified
technicians, without removal of any assembly from the telescope, and at night under enclosure interior
lighting.
Maintenance, replacement and repair schedules shall be provided for all components of the GIS requiring
such service.
Major maintenance must be accomplished within one week on at most a yearly basis.
Requirement Number: 4.5-0450
Verification: Design
Requirement Origin: Operations
4.2.4.2. Repairs
Electronic components of the GIS shall be designed and installed in such a manner as to ensure easy access
for diagnostics and replacement. Installation must be done so that all necessary maintenance operations can be
effectively carried out without risk to personnel or to the telescope.
Critical components, such as, but not limited to, PLCs, I/O blocks, and power supplies, shall be replaceable
at the module level to minimize down-time.
Repairs of all failures arising as a result of normal operations of the ATST shall be accomplished in no
more than 8 hours by two trained technicians.
Requirement Number: 4.5-0460
Verification: Design, Inspection
Requirement Origin: Operations
4.2.4.3. Maintenance Equipment
The GIS shall be designed to be maintained using standard tools and test equipment used by appropriately
trained personnel.
The builder shall provide all special tools and equipment necessary for initial set-up, maintenance, and
servicing operations required throughout the operational life of the GIS. This excludes common hand
tools, such as, but not limited to, wrenches, sockets, and Allen keys. Any special tools and equipment
necessary in dealing with the GIS shall be deliverable. Special tools shall be marked with the part
number.
Requirement Number: 4.5-0470
Verification: Design, Inspection
Requirement Origin: Operations
4.3. HUMAN ENGINEERING
The design and implementation of the GIS shall allow ease of access to the controllers and HMIs.
Requirement Number: 4.5-0480
Verification: Design
Requirement Origin: Engineering, Operations
4.4. CONTROL HARDWARE
4.4.1. Safety Hardware
The hardware selected for the GIS shall:
• have a 1 out of 2 architecture, where either of the two channels can perform the safety function,
• provide monitored input and output modules,
• be capable of detecting single input failures,
• provide high frequency pulse testing within diagnostic software,
• utilize common, safety-certified functions, and
• maintain commonality of components throughout the system.
The GIS will include safety functions that require safety integrity up to and including SIL3. The GIS
architecture shall be constructed of SIL3-certified components or components suitable for use in a SIL3
system.
The specific type of hardware controllers, communication bridges, network switches, and I/O blocks and
relays will be specified by the Project. Unless otherwise approved by AURA, the GIS shall be constructed
of Rockwell Automation, GuardLogix PAC systems based on the Allen Bradley ControlLogix chassis. A
list of specified hardware and approved firmware revisions is in SPEC-0079 Approved Parts.
Requirement Number: 4.5-0490
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Safety
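The three input-side properties asked for above (a 1 out of 2 architecture, detection of single input failures, and pulse testing) are easier to see in executable form. The following is an added illustration in plain Python; it is not part of SPEC-0046 and not GuardLogix or any other vendor code. The class name, the discrepancy window of 250 ms and the test-pulse convention are assumptions for the illustration.

```python
"""
Illustrative 1oo2 (one-out-of-two) dual-channel input evaluation.

Added example; not part of SPEC-0046 and not GuardLogix or other vendor
code.  It models what 4.4.1 asks of the safety hardware: either channel
alone can demand the safe state (1oo2); two channels that disagree for
longer than a discrepancy window indicate a single-input failure; and a
test pulse that is not seen back on the input indicates a stuck or
cross-wired input.  Names and the 250 ms window are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    RUN = "run"            # both channels report 'run permitted'
    SAFE_STATE = "safe"    # at least one channel demands the safe state
    FAULT = "fault"        # an input failure was detected (treated as safe)


@dataclass
class DualChannelInput:
    """One dual-channel safety input, e.g. an E-stop or a hard limit switch."""
    discrepancy_ms: int = 250                       # allowed channel skew (assumed)
    _disagree_since: Optional[int] = field(default=None, init=False)
    _fault: bool = field(default=False, init=False)

    def evaluate(self, ch_a: bool, ch_b: bool, now_ms: int) -> Verdict:
        """
        ch_a / ch_b: True = channel reports 'run permitted', False = channel
        demands the safe state.  now_ms is the scan time in milliseconds.
        """
        if self._fault:
            return Verdict.FAULT                    # latched until reset()
        if ch_a != ch_b:
            # Channels disagree: run the discrepancy timer.  Meanwhile the
            # channel demanding the safe state wins (1oo2).
            if self._disagree_since is None:
                self._disagree_since = now_ms
            elif now_ms - self._disagree_since > self.discrepancy_ms:
                self._fault = True                  # single-input failure
                return Verdict.FAULT
            return Verdict.SAFE_STATE
        self._disagree_since = None
        return Verdict.RUN if ch_a else Verdict.SAFE_STATE

    def pulse_test(self, read_back_high: bool) -> bool:
        """
        Test pulse: the module briefly drives its test output low and expects
        to read the input low as well.  Reading it high means the input is
        stuck or cross-wired to supply, so the fault is latched.
        Returns True when the pulse was seen correctly.
        """
        if read_back_high:
            self._fault = True
            return False
        return True

    def reset(self) -> None:
        """Clear a latched fault; in the GIS this is an operator action (3.2.2)."""
        self._fault = False
        self._disagree_since = None
```

Two design points carry over to the real hardware: a disagreement is reported as the safe state immediately and only becomes a latched fault once the window expires, and a latched fault survives the channels agreeing again, so a wiring defect cannot clear itself.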
4.4.2. LIC
Each subsystem shall have an associated LIC, which provides for the local safety control of the
subsystem.
Each LIC shall consist of:
• A GuardLogix PAC safety controller and its partner controller.
• A ControlLogix backplane and power supply.
• An Ethernet bridge module for communication with the GIS safety network.
In some instances, the LIC may be associated with more than one subsystem. For these instances, the LIC
will reside independent of any control systems utilized for the associated subsystems.
In the cases where a LIC is associated with a single subsystem controller, vendors are recommended to
utilize the ControlLogix platform for their control system providing adequate backplane space for
coexistence of the LIC safety PAC and the associated communications module. This will facilitate the
integration of the safety system with the controller’s functions.
Requirement Number: 4.5-0500
Verification: Design, Inspection
Requirement Origin: Engineering
4.4.3. GIC
The GIC shall consist of:
• A GuardLogix PAC safety controller and its partner controller.
• A ControlLogix backplane and power supply.
• A minimum of two (2) Ethernet bridge modules, which shall accompany the safety controllers for
  communication to
  o the GIS safety network and
  o the OCS communication network.
Requirement Number: 4.5-0510
Verification: Design, Inspection
Requirement Origin: Engineering
4.5. NETWORK REQUIREMENTS
The safety network is an independent redundant EtherNet/IP network distributed throughout the facility.
No components other than those of the GIS shall be connected to this independent safety network.
4.5.1. Safety Network
The GIS safety network shall be independent of all other facility networks.
At each location where either the GIC or a LIC is located, a managed network switch shall be installed.
Connections between each of these managed network switches shall be fiber optic pair cable. The fiber
shall be capable of no less than 1 Gb/s over distances of 200 m. All cable runs shall be less than
200 m. The fiber shall be compatible with the Ethernet port hardware installed in the network switch.
Where necessary, optical to copper converters shall be used. These converters shall not limit the
bandwidth capability of the specified safety network.
Each LIC shall be on a separate virtual LAN (VLAN). Each LIC shall be assigned a unique subnet. IP
addresses from that subnet will be assigned to the associated subsystem’s GIS components.
Requirement Number: 4.5-0520
Verification: Design, Inspection
Requirement Origin: Safety
4.5.2. Global Interlock System Interface
The GIS safety network shall use Ethernet/CIP safety protocol.
Access to the safety network shall be restricted to components of the GIS (GIC, the various LICs, and
distributed I/O).
The physical connectivity to the GIS network shall be Category 5e (or higher category) twisted pair or
multimode fiber pair where necessary due to length of run. AURA shall provide appropriate copper to
fiber converters.
Requirement Number: 4.5-0530
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.5.3. Local Interlock Controller Interface
4.5.3.1. LIC to GIS Safety Network
The Ethernet port shall be used to connect the LICs to the GIS safety network. The physical connectivity
to the GIS network shall be Category 5e (or higher category) twisted pair or multimode fiber pair where
necessary due to length of run.
Connection of this Ethernet port shall be to a managed network switch.
The managed network switch shall connect the LICs to the safety I/O blocks which connect the safety
interlocks and safety limits. Connectivity to this switch shall be Category 5e (or higher category) or, where
necessary, fiber pair. All safety I/O blocks of the locally controlled subsystem/subassembly shall be
connected to this managed switch.
Requirement Number: 4.5-0540
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.5.3.2. Additional Safety I/O Block(s) Port
In the event that more than 250 EtherNet/IP connections are needed by a specific LIC, additional Ethernet
interface cards may be added to the LIC backplane. This may also require an increase in the size of the
standard LIC backplane and must be approved by AURA. Configuration of any additional Ethernet ports
must follow the outline above (4.5.3.1) for the second Ethernet connection.
Requirement Number: 4.5-0550
Verification: Design, Factory and Site Test
Requirement Origin: Engineering
4.5.4. Global Interlock Controller Interface
The GIC will have two Ethernet interfaces located within its chassis to provide communications with the
OCS (see 3.4.17) and other components of the GIS.
4.5.4.1. GIC to GIS Safety Network
The first port shall connect the GIC to the GIS safety network. Connectivity to this port shall be fiber pair
or, where necessary, copper to fiber converter to fiber pair. Connection of this Ethernet port shall be to a
managed network switch. The switch is specified later in the control hardware section of this document.
Requirement Number: 4.5-0560
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.5.4.2. Network Security
Connectivity to the safety network shall be made only by components of the GIS. The managed
network switch shall not allow unidentified devices to communicate on the independent safety network.
Specific devices needed for maintenance shall be configured to communicate on the independent safety
network.
All security shall be provided by AURA.
External communication with the GIS shall be limited to obtaining the status of the GIS via the OCS
communications network.
Configuration of the network shall be password protected.
Requirement Number: 4.5-0570
Verification: Design, Inspection
Requirement Origin: Engineering, Safety
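Two of the requirements above are directly checkable from the managed switch itself: 4.5.1 puts each LIC on its own VLAN and subnet, and 4.5.4.2 allows only identified GIS components on the safety network. The following script is an added illustration of such a check and is not part of SPEC-0046 or of any vendor tool. It reads a MAC-address-table dump and compares it with an inventory of GIS components; the one-entry-per-line "VLAN MAC PORT" format, the MAC addresses, the VLAN numbers, the port names and the component names are all constructed sample values.

```python
"""
Illustrative audit of a safety-network switch against the GIS inventory.

Added example; not part of SPEC-0046 and not a vendor tool.  It reports
three kinds of discrepancy between what the managed switch has learned and
what the GIS inventory says should be there: a device that is not in the
inventory at all (4.5.4.2), an inventoried device seen on a VLAN other than
its own LIC's VLAN (4.5.1), and an inventoried device the switch has not
seen.  Every value below is a constructed sample.
"""
from typing import Dict, List, Tuple

# Constructed inventory: MAC address -> (component name, VLAN it belongs to).
INVENTORY: Dict[str, Tuple[str, int]] = {
    "00:1d:9c:aa:00:01": ("GIC safety controller", 100),
    "00:1d:9c:aa:00:02": ("GIC Ethernet bridge", 100),
    "00:1d:9c:bb:00:01": ("LIC-1 safety controller", 101),
    "00:1d:9c:bb:00:02": ("LIC-1 safety I/O block", 101),
    "00:1d:9c:cc:00:01": ("LIC-2 safety controller", 102),
}

# Constructed MAC table dump, in the shape a managed switch might print it.
SAMPLE_MAC_TABLE = """\
VLAN  MAC                PORT
100   00:1d:9c:aa:00:01  Gi1/0/1
100   00:1d:9c:aa:00:02  Gi1/0/2
101   00:1d:9c:bb:00:01  Gi1/0/3
101   00:1d:9c:bb:00:02  Gi1/0/4
102   00:1d:9c:bb:00:02  Gi1/0/7
102   3c:52:82:11:22:33  Gi1/0/8
"""

Entry = Tuple[int, str, str]             # (vlan, mac, port)
Finding = Tuple[str, str, int, str]      # (kind, mac, vlan, port)


def parse_mac_table(text: str) -> List[Entry]:
    """Parse 'VLAN MAC PORT' lines; the header and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        vlan, mac, port = parts
        entries.append((int(vlan), mac.lower(), port))
    return entries


def audit_safety_network(entries: List[Entry],
                         inventory: Dict[str, Tuple[str, int]] = INVENTORY) -> List[Finding]:
    """
    One finding per problem:
      ('unknown-device', mac, vlan, port)  device not in the GIS inventory
      ('wrong-vlan',     mac, vlan, port)  known device outside its own VLAN
    An empty list means every learned address is an inventoried GIS
    component sitting on the VLAN assigned to it.
    """
    findings: List[Finding] = []
    for vlan, mac, port in entries:
        if mac not in inventory:
            findings.append(("unknown-device", mac, vlan, port))
        elif inventory[mac][1] != vlan:
            findings.append(("wrong-vlan", mac, vlan, port))
    return findings


def unseen_components(entries: List[Entry],
                      inventory: Dict[str, Tuple[str, int]] = INVENTORY) -> List[str]:
    """Names of inventoried components the switch has not learned at all."""
    seen = {mac for _, mac, _ in entries}
    return [name for mac, (name, _) in inventory.items() if mac not in seen]


if __name__ == "__main__":
    learned = parse_mac_table(SAMPLE_MAC_TABLE)
    for finding in audit_safety_network(learned):
        print(" ".join(str(part) for part in finding))
    for name in unseen_components(learned):
        print("not seen:", name)
```

The check is a verification aid, not the control: the switch's own configuration (port security, VLAN assignment, the password protection called for above) is what enforces the requirement, and this script only confirms that the enforced state still matches the inventory. A component that is not seen may simply be powered down, but on a network that carries nothing except GIS components it is worth recording.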
4.6. CONTROL SOFTWARE
4.6.1. Embedded Control Operation
The control software for any portion of the GIS shall not rely on external resources. Upon power up, the
control program shall initialize and function independently regardless of connectivity to any network.
Requirement Number: 4.5-0580
Verification: Design, Factory and Site Test
Requirement Origin: Engineering, Safety
4.6.2. Change of Network Status
Failure of the network shall not result in a loss of safety function. Failure of the network which causes
loss of communications with distributed I/O or a remote controller shall cause each such component of
the GIS to default to a safe state.
Restoration of the network function shall not automatically restore operation of the GIS without
intervention from the operator.
Requirement Number: 4.5-0590
Verification: Design, Factory and Site Test
Requirement Origin: Safety
4.6.3. Operation Following a Reboot or Restart
Rebooting or restarting shall cause the portion of the GIS that was rebooted or restarted to enter a safe
state.
Rebooting or restarting shall not result in a loss of safety function.
Requirement Number: 4.5-0600
Verification: Design, Factory and Site Test
Requirement Origin: Safety
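Sections 4.6.2 and 4.6.3, together with the operator-reset and logging rules of 3.2.2, describe one small state machine: loss of communications or a restart forces the safe state, a restored network does not re-arm anything, and only a logged, authenticated operator action does. The following is an added illustration of that machine in plain Python; it is not part of SPEC-0046 and not GuardLogix or any other vendor code. The node name, the 500 ms watchdog timeout and the `authorised` callback standing in for the HMI password check are assumptions.

```python
"""
Illustrative interlock-node state machine.

Added example; not part of SPEC-0046 and not GuardLogix or other vendor
code.  It models 3.2.2 (password-protected, logged operator resets),
4.6.2 (loss of communication with distributed I/O or a remote controller
forces the safe state, and a restored network does not restore operation
by itself) and 4.6.3 (a reboot or restart lands the node in the safe
state).  The watchdog timeout and the 'authorised' callback are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List


class NodeState(Enum):
    SAFE = "safe"          # outputs de-energised; the default on power-up
    RUNNING = "running"    # interlocks released, safety function armed


@dataclass
class InterlockNode:
    name: str
    comms_timeout_ms: int = 500              # assumed watchdog period
    state: NodeState = NodeState.SAFE        # 4.6.3: always boot into SAFE
    comms_ok: bool = False
    last_heartbeat_ms: int = 0
    trip_reason: str = "power-up"
    log: List[str] = field(default_factory=list)

    def heartbeat(self, now_ms: int) -> None:
        """Call whenever a message from the peer (GIC, LIC or I/O block) arrives."""
        self.last_heartbeat_ms = now_ms
        if not self.comms_ok:
            self.comms_ok = True
            # 4.6.2: record the restoration, but do NOT touch self.state.
            self.log.append(f"{now_ms} {self.name}: communications restored")

    def scan(self, now_ms: int) -> NodeState:
        """One controller scan: service the comms watchdog, trip on expiry."""
        if self.comms_ok and now_ms - self.last_heartbeat_ms > self.comms_timeout_ms:
            self.comms_ok = False
            self._trip(now_ms, "communications lost")
        return self.state

    def restart(self, now_ms: int) -> NodeState:
        """4.6.3: a reboot or restart of this node lands it in the safe state."""
        self.comms_ok = False                 # nothing heard from any peer since boot
        self._trip(now_ms, "restart")
        return self.state

    def operator_reset(self, now_ms: int, operator: str,
                       authorised: Callable[[str], bool]) -> bool:
        """
        3.2.2 / 4.6.2: only an authenticated operator may clear a trip, the
        attempt is logged whether or not it succeeds, and a reset is refused
        while communications are still down.
        """
        if not authorised(operator):
            self.log.append(f"{now_ms} {self.name}: reset REFUSED for {operator!r} (not authorised)")
            return False
        if not self.comms_ok:
            self.log.append(f"{now_ms} {self.name}: reset REFUSED for {operator!r} (comms down)")
            return False
        self.state = NodeState.RUNNING
        self.log.append(f"{now_ms} {self.name}: trip '{self.trip_reason}' reset by {operator!r}")
        return True

    def _trip(self, now_ms: int, reason: str) -> None:
        self.state = NodeState.SAFE
        self.trip_reason = reason
        self.log.append(f"{now_ms} {self.name}: TRIP -> safe state ({reason})")


if __name__ == "__main__":
    node = InterlockNode("LIC-example")
    node.heartbeat(10)
    node.operator_reset(20, "operator", lambda who: who == "operator")
    node.scan(600)          # nothing heard since 10 ms: watchdog trips
    node.heartbeat(700)     # network back, node stays SAFE until reset
    print("\n".join(node.log))
```

The log is the point of 3.2.2 in miniature: refused attempts are recorded alongside successful ones, and each successful reset names the trip it cleared, so the operator history can be reconciled with the trip history afterwards.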
4.6.4. Source Code
All source code written for the GIS shall be provided by the builder.
The source code written for the GIS shall conform to the standard safety procedures as outlined by
Rockwell Automation in reference to GuardLogix™ safety PAC.
The source code shall be written using version 20 of RSLogix™ 5000 and shall be configured as ladder
logic unless otherwise approved by AURA.
The builder is responsible for overall integration of GIS components and shall provide a collected,
collated set of all source code utilized in the GIS. No portion of the source code provided for the limits
and safety interlock of a subsystem (the GIS portion of a control system) may be considered exempt
proprietary code. All source code must be understood and accepted by AURA as part of the verification,
test acceptance, and validation of the GIS.
All source code shall be developed in a manner consistent with good software practices including:
• Use of certified function blocks.
• Use of certified safety instructions.
• Consistency of all “tags” utilized within the GIS.
• A consistent syntactical style shall be used throughout all GuardLogix™ PACs.
• All source code (including comments, tag names, labels, and program names) shall be in English.
Requirement Number: 4.5-0610
Verification: Design, Inspection
Requirement Origin: Engineering
4.6.5. Source Documentation
The builder shall document all source code in a manner consistent with good software practices including:
• Source files shall have a header containing version number, revisions, author(s), and
  functional description.
• Source functions or methods shall have a description of the interface and operation of the
  function.
• All algorithms or operational sections of code shall be clearly commented.
• All source code documentation shall be in English.
Requirement Number: 4.5-0620
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.6.6. Revision Repository
The GIS shall use a revision repository (such as CVS) for all phases of design, development, operation
and maintenance.
Requirement Number: 4.5-0630
Verification: Design, Inspection
Requirement Origin: Engineering
4.6.7. Security
Since the GIS is critical to the safety of personnel and infrastructure, a “defense in depth” approach to
security shall be used.
Specific procedures shall be developed for patch management and routine maintenance of the GIS.
Requirement Number: 4.5-0640
Verification: Design, Inspection
Requirement Origin: Safety
4.7. GENERAL FABRICATION REQUIREMENTS
4.7.1. Materials, Processes and Parts
4.7.1.1. Workmanship
Workmanship shall be of a high grade of commercial practice and adequate to achieve the accuracies and
surface finishes called for on all drawings and in the specifications.
Requirement Number: 4.5-0650
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.7.1.2. Materials
All materials specified shall be new and of high-grade commercial quality. They shall be sound and free
from defects, both internal and external, such as cracks, laminations, inclusions, blow holes or porosity.
Requirement Number: 4.5-0660
Verification: Design, Inspection, Factory and Site Test
Requirement Origin: Engineering
4.7.2. Drawings and Models
All detail design drawings shall conform to ASME Y14.5M-1994 and ANSI Y32.2.
All drawings and project documentation shall be in accordance with SPEC-0002, Document and Drawing
Control Plan.
All detail design drawings shall be generated in (or transferable to) AutoCAD or an AURA-approved
equivalent.
These drawings, along with two complete printed hard copies, shall be provided to AURA upon
completion of the work.
All detail design drawings shall be in International System (SI, metric) units with Imperial (inch) secondary
units shown in parentheses.
All design drawings shall be in English.
Requirement Number: 4.5-0670
Verification: Design, Inspection
Requirement Origin: Engineering
4.7.3. Technical Manuals
All drawings and project documentation shall be in accordance with SPEC-0002, Design Document
Control Plan.
Manuals shall be prepared, containing all information related to maintenance and operation of the Global
Interlock System, so that the information in the manuals will be adequate to enable ATST project
personnel to perform the full range of expected operating and regular maintenance functions without the
need to seek information from a source other than the manuals.
The manuals shall have the maintenance and operating information organized into suitable sets of
manageable size, which shall be bound into individual binders identified on both the front and spine of
each binder, which is indexed (thumb-tabbed) and includes pocket folders for folded sheet information.
Two complete printed hard copies of these manuals shall be provided to AURA upon completion of the
work.
The manuals shall also be supplied in electronic form. The technical manuals shall be in Microsoft Word
format or other format approved by AURA.
Such information shall include all information related to normal operations and procedures, emergency
operations and procedures, normal maintenance and procedures, emergency maintenance and procedures,
spare parts, warranties, wiring diagrams, inspection procedures, programs for safety logic, shop drawings,
product data, and similar applicable information.
All technical manuals shall be in English.
Requirement Number: 4.5-0680
Verification: Design, Inspection
Requirement Origin: Engineering
4.7.3.1. Final Design
The builder shall provide a GIS Software Design Document (SDD). This document shall include all
details necessary to construct the GIS. This document shall be updated to show any design modifications
made during construction.
Requirement Number: 4.5-0690
Verification: Design, Inspection
Requirement Origin: Engineering
4.7.3.2. Operator’s Manual
The builder shall provide a GIS operator’s manual to describe the use of the GIS by an ATST operator.
The manual shall describe operation during normal observations, setup, troubleshooting, and engineering.
Requirement Number: 4.5-0700
Verification: Inspection
Requirement Origin: Operations
4.8. ENVIRONMENTAL REQUIREMENTS
The ATST telescope will be subjected to various environmental conditions. These conditions include
operating in-specification conditions, operating off-specification conditions, non-operating conditions,
survival conditions, and transportation and handling conditions. The GIS shall be designed and tested over
these environments so that its performance in the Telescope meets all requirements of this Specification.
Other operations will impose further environmental requirements which the GIS shall be designed to
withstand. These operations include, but are not limited to, storage conditions and shipment.
4.8.1. Operational Environment: Telescope
All portions of the GIS shall be capable of 100% functionality, continuously, located within the telescope
environment as specified in the following environmental conditions:
Condition             Requirement
Altitude              3050 m
Air temperature       0 to +25 °C
Relative Humidity     5% to 95% non-condensing
Gravity Orientation   0 to 90°
Requirement Number: 4.5-0710
Verification: Design
Requirement Origin: Environmental
4.8.2. Survival Environment
All portions of the GIS shall survive any combination of the following environmental conditions without
permanent damage and be capable of meeting all of the requirements of this specification after removal of
these conditions:
Condition             Requirement
Altitude              sea level to 15000 m
Air temperature       -20 to +50 °C
Relative Humidity     5% to 95% non-condensing
Requirement Number: 4.5-0720
Verification: Design
Requirement Origin: Environmental
4.8.3. Shipping Environment
The GIS shall survive any combination of the following environmental conditions without damage or
requirement for repair when packaged in its storage/shipping containers:
Condition             Requirement
Altitude              sea level to 15000 m
Air temperature       -20 to +50 °C
Relative Humidity     0% to 100% condensing
Shock                 10.0 g
Requirement Number: 4.5-0730
Verification: Design
Requirement Origin: Environmental