Safety

Note: use of the future tense means the feature has not yet been implemented..

Modes of Operation

Auto - under total computer control. The dome will open and close automatically. The target selection, telescope pointing, filter selection and imaging is under total autonomous control.

Safe mode - is a subset of the auto mode that is entered either when the entrance door is opened or by software command. It is exited by either by software command or by pressing the reset button near the entrance door. Here are more details on safemode. Safemode will consiste of slower slew rates, but all other functions are the same.

Manual Mode - there really isn't a manual mode, you simply turn off the scheduler program and type commands to the observatory computer in real-time. If control is needed from inside the dome, an ethernet wired laptop will have to be used (unfortunately KPNO frowns on WiFi).

Maintenance Mode The MOP will not be dismantled. However, the EOS manual paddle will not be used. Instead there will be newly constructed, very simple manual paddle that can be installed by removing a jumper connector and connecting the paddle and running the desired axis manually. This mode is for experts only.

LIMITS

Normal Limits

Axes: Hour angle, declination, secondary focus, guider X, Y, and Z, Shutter, Mirror Cover

Although the software will try to prevent the axes from striking a limit, when one has been struck the motor controller will cause the motor associated with that axis to stop and the program will issue an error. To move the axis off the limit simply make a new command to put the axis is a position in the opposite direction.

The normal limits are used to determine the end of motion. The limits cause the motor to stop moving in the active direction.

Failsafe Limits

Axes: Hour angle, declination The failsafe limits lie outside of the normal limits and should not normally be struck. There will be two indications of the limit strike: 1) the panel light will be illuminated 2) the software will know the offending limit. When a limit is hit, the +56V power to the affected drive motor will be turned off preventing any motion. Finally the observatory will execute an emergency closedown (see below).

Something bad must have happened when the telescope hits the failsafe limits so expert manual intervention will be needed. To get the axis off the limit the override button that must be continuously held down by hand to reestablish power to the drive amplifier. Then the manual axis paddle connected to move the telescope out of trouble.

Axis: mirror cover

The actuators have built in failsafe range of motion limits. These are all wired in series. Similar to above, but the 24V mirror drive power will be disabled and the manual override process by an on-site expert is required.

Tilt Limits

Both the normal and failsafe tilt limits have all been wired in series and act as a failsafe and disable the hour angle and declination drive amplifiers. To recover requires manual intervention. This procedure is chosen because the tilt limits should never be tripped under normal operation and the determine the direction to get out of the limit may be subtle.

SAFETY SWITCHES

EStop

There is are three emergency stop button they are located at:

Manual override paddle
Near the control room door near the floor
On the control box

Once depressed the stop will illuminate and remain engaged until twisted out.

The emergency stop button will turn off the d.c. power to the following motors:

Hour angle both drive and preload
Declination both drive and preload
Mirror cover
Secondary focus,
Guider X, Y, and Z stages
Filter wheel

It will also stop and prevent:

Dome rotation
Shutter motion      Note: this is why the EStop is not weather safe.

Not affected by the EStop:

Great White Spot

Dome Floor Switch

When the floor is raised the dome floor switch will open and the limits to the Hour angle and Declination drive amplifiers will be disabled. There is no way to override this switch, the only way to regain telescope motion is to lower the floor.

Entry Door Switch

When the downstairs door is opened the software will be notified of the event and the telescope motors will enter safe mode (see above).

Shutter Deadman

There is deadman timer that must be activated by software at least every 300 seconds in order to keep the dome shutter open. If this is not activated, the dome shutter will close automatically. This interval was chosen since it is similar to the shutter close time yet long enough that the software should easily be able to service it. Closing the shutter by the deadman should be avoided as it bypasses stowing the telescope and closing the mirror. It should occur if there is a software and/or computer failure.

FAULTS

Power Supply

The power supply voltage as well as status lines will be monitored.

Encoder

Many encoders have fault indicators, these will be monitored.

UPS

The UPS status will be read. If there is a low time message occurs the telescope will shut down.

Amplifier

The amplifiers have a fault reading as well as a current monitor. These will be read and interpreted.

PMAC Deadman

PMAC deadman opens when there is a failure in the PMAC. When this failure occurs it will disable the power to all the drive amplifiers.

MISCELLANEOUS

Klaxon

The warning klaxon will be sounded:

before slews that exceed xx degrees per second
dome moves
shutter opening and closing

The duration and loudness of the klaxon will be adjusted for minimal annoyance. There will also be an audio output in the control room of the encoders so you can "listen" to the motors move.

Power

There is a hand thrown circuit breaker that protects and can be used to disconnect power to the rack. It does not remove power from the interior light nor the plug strip that powers the computer. This can be used if there is a drastic failure.

There is also a solid state relay that controls the a.c. input to the power supplies. When shutting down the telescope for the night, this will be turned off by computer.

There is a solid state relay on the amplifier power supply d.c. output. This will be turned off in fault conditions by relays.

OPERATIONS

Normal Operation both for opening and staying open

In order for the telescope to operate and the shutter to stay open the following conditions must be met:

Good weather
No Faults
No failsafe or tilt limit strikes

The software will test these conditions at least once per minute and strobe the deadman switch. If any problems are found, a shutdown sequence will be executed.

Normal Closing

The normal sequence of closing the observatory is:

Stow telescope to the vertical
Close mirror
Close drop shutter
Close shutter
Turn off d.c. power supplies

Emergency Closing

In the event of a failsafe or tilt limit strike or a Fault the normal sequence of closing may not be available. The software will attempt to do a normal close, but skip any error conditions rapidly. The closing of the shutter is the most critical and will not be skipped.

Panic Closing

When the shutter deadman fires, only the shutter will close. This is not really desirable (see above).

MAINTENANCE SAFETY

It is important that anyone working in the observatory can ensure that nothing will start automatically and unexpectedly if they are working around the telescope or dome.

I don't really trust software lockouts for this purpose. Instead, I plan on the following.

The EStop button will disable the motion of almost everything. The trouble with it is that you can't move anything either. There will be maintenance paddles that will plug into the electronics and disable automatic control. These paddle should be used whenever remote or autonomous motion is unacceptable. The software will be aware that a paddle is plugged in, but it will be powerless to do remove it.

When done, the paddle is removed and replaced with a jumper to resume automatic operation.

PROCEDURES

Shutter opening

As discussed in the EOS maintenance manual, the shutter has two parts: the main shutter and the drop leaf.

There are four controls:

Power
Direction of motion
Move Shutter
Move dropleaf

There are five sensors:

Shutter closed
Dropleaf open
Drop leaf close
Shutter midway

The constraints are that the drop leaf must be closed before the main shutter can be closed and conversely the main shutter must be open before the drop leaf can be opened.

The PLD is programmed to do the following

Mirror Opening

The mirror has four leaves, there are two smaller leaves 1, and 3 and two larger leaves, 2 and 4. When opening the mirror the larger leaves have to be opened first, followed by the small leaves. When closing, the small leaves have to close first, followed by the large ones.

There are four limits on each of actuators: FS+, LIM+, FS-, LIM- . I have wired the Failsafe limits in series so if any of them fail, the power to the mirror cover is removed and the cannot move either open or close. Failsafe strikes mean something has failed and so expert manual intervention is needed.

Estop will have the same action as a FS overstrike. i.e. the ground the actuate the mirror drive relays is removed.

I have also wired the limits so that the leaf sequencing is done entirely by input from the limits.

RCT Index